Years ago I was fortunate enough to be a contributing author to the original DISA Database Secure Technical Implementation Guide (STIG), which primarily addressed Oracle 7 and 8. Over the years the STIG has changed quite a bit, and I thought it would be interesting to review it piece by piece, with tips, tricks, and advice for implementing its various provisions.
I’ll be basing my thoughts on the most recent version of the Database STIG – Version 8 Release 1.10, dated 24 January 2014. The STIG comes in two major parts: the first covers the installation of Oracle software and basic infrastructure, and the second covers the configuration of the Oracle instance. Each has over 100 items to review and secure, some of which are technical and some of which are procedural. I will mostly focus on the technical items, though I may comment on some of the procedural things if I think they are particularly appropriate. My comments will also focus almost exclusively on Linux/UNIX installations, as that is where my primary experience lies.
I will include some of the STIG text in my reviews, but if you want to follow along with the original, it is available to the public here: http://iase.disa.mil/stigs/app-security/database/Pages/index.aspx