OWASP Backend Security Project Oracle Hardening

= Overview =

= Description =

== Installation security ==
This section explains how an installation that is not carried out with security in mind introduces vulnerabilities.

== Options and products ==
The Oracle Database installation pack contains many options and products in addition to the database server, so a custom installation is suggested in order to avoid installing options and products that are not needed. Oracle components other than those in the list below have to be removed unless a database application specifically requires them.

== Sample schemas ==
Oracle Corporation provides sample schemas as a common platform for examples. After the installation, review the installed schemas and remove any schema you do not need.

== Patching ==
Always apply all security patches for Oracle Database itself and for all installed options and components. Periodically check the security site on Oracle Technology Network for details on security alerts released by Oracle Corporation:

http://otn.oracle.com/deploy/security/alerts.htm

Further, if you subscribe to the security mailing lists you will learn of new security issues that are not reported to Oracle but are announced to the public (possibly without a patch). In such cases it is important to find a way to mitigate the risk of the new vulnerability until an Oracle-supplied patch is available.
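The schema review described in the Sample schemas section above, as an added SQL example that is not part of the OWASP page. It assumes the installer used Oracle's default sample-account names (SCOTT, HR, OE, PM, IX, SH, BI); any other names in your installation would have to be added to the list.

```sql
-- Added example (not from the OWASP page): find sample-schema accounts
-- created by the installer so they can be reviewed and, if unused, removed.
-- The account names are Oracle's default sample schema users; it is an
-- assumption that your installation did not rename them.
SELECT username,
       account_status,
       created
  FROM dba_users
 WHERE username IN ('SCOTT', 'HR', 'OE', 'PM', 'IX', 'SH', 'BI')
 ORDER BY username;

-- Before dropping a schema, check what it owns and who has been granted
-- access to it, so that no application silently depends on it.
SELECT owner, object_type, COUNT(*) AS objects
  FROM dba_objects
 WHERE owner = 'SCOTT'
 GROUP BY owner, object_type;

SELECT grantee, privilege, table_name
  FROM dba_tab_privs
 WHERE owner = 'SCOTT'
   AND grantee <> 'SCOTT';

-- Intermediate step when removal is not yet approved: the account cannot
-- be logged into, but its objects stay in place.
ALTER USER scott ACCOUNT LOCK PASSWORD EXPIRE;

-- Final step once the review confirms the schema is unused: drop the
-- account together with every object it owns.
DROP USER scott CASCADE;
```

Run the review queries as a DBA account; DROP USER ... CASCADE is irreversible, so the lock-and-expire step is the usual way to confirm nothing breaks before the schema is actually removed.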

== Initialization parameters ==
This section covers the Oracle initialization parameters that are relevant to security. All of the following initialization parameters must be set for every Oracle instance.

Example SQL for setting the REMOTE_OS_AUTHENT parameter:

SQL> ALTER SYSTEM SET REMOTE_OS_AUTHENT = FALSE SCOPE=SPFILE;

REMOTE_OS_AUTHENT is a static parameter, so it can only be written to the spfile and takes effect after the instance is restarted. For parameters that can be changed while the instance is running, the SCOPE clause selects where the change applies:

Scope:
 * MEMORY: changes the running instance immediately, but the change is lost at the next restart.
 * SPFILE: writes the change to the server parameter file only; the running instance is not affected and the change takes effect after the next restart.
 * BOTH: changes the running instance and writes the change to the spfile.
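The check-then-set pattern for the parameters in this section, as an added SQL example that is not part of the OWASP page. It assumes the instance was started from an spfile (otherwise SCOPE=SPFILE fails with ORA-32001) and uses REMOTE_OS_AUTHENT from the page plus RESOURCE_LIMIT as an example of a parameter that can be changed without a restart.

```sql
-- Added example (not from the OWASP page): inspect a parameter before
-- changing it, choose the SCOPE that actually works for it, and verify
-- the result in both the running instance and the spfile.

-- 1. Current value and whether the instance accepts a change at run time.
--    ISSYS_MODIFIABLE = 'FALSE' means static: only SCOPE=SPFILE is accepted
--    and the change waits for a restart. 'IMMEDIATE' or 'DEFERRED' means
--    SCOPE=MEMORY or SCOPE=BOTH is also possible.
SELECT name, value, isdefault, issys_modifiable
  FROM v$parameter
 WHERE name IN ('remote_os_authent', 'resource_limit')
 ORDER BY name;

-- 2a. Static parameter (REMOTE_OS_AUTHENT): spfile only, effective after
--     restart. SCOPE=BOTH or SCOPE=MEMORY would fail with ORA-02095.
ALTER SYSTEM SET remote_os_authent = FALSE SCOPE=SPFILE;

-- 2b. Dynamic parameter (RESOURCE_LIMIT, which makes profile resource
--     limits enforced): change the instance and the spfile together.
ALTER SYSTEM SET resource_limit = TRUE SCOPE=BOTH;

-- 3. Verify. v$parameter shows what the running instance uses;
--    v$spparameter shows what the next startup will read. A difference
--    between the two columns for a static parameter is expected until
--    the restart; for a dynamic parameter set with SCOPE=BOTH the two
--    values should already match.
SELECT p.name,
       p.value        AS running_value,
       s.value        AS spfile_value,
       s.isspecified  AS in_spfile
  FROM v$parameter p
  LEFT JOIN v$spparameter s ON s.name = p.name
 WHERE p.name IN ('remote_os_authent', 'resource_limit')
 ORDER BY p.name;
```

If the instance was started from a text pfile, v$spparameter reports ISSPECIFIED = 'FALSE' for every row and the ALTER SYSTEM ... SCOPE=SPFILE statements fail; in that case create an spfile first (CREATE SPFILE FROM PFILE) and restart before applying the settings.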

== Owner account ==
The Oracle OS installation account, which owns all Oracle application files and datafiles, should be used only for updating and maintaining the Oracle software and not for routine DBA activities. Individual DBAs must use their assigned personal OS accounts, so that auditing can attribute each action to the OS account that performed it. The Oracle software installation account must not be a member of the administrative group.

== Files and directories ==
All files and directories created during the Oracle installation process must be restricted to the Oracle software owner or the DBA OS user group, especially those in the file list below:

= References =
