The following are five different security-related posts to which I have contributed on dba.stackexchange.com. I did not necessarily provide the accepted answer for these, but felt that the questions posed were interesting enough to warrant a mention here.
1. Oracle – Is a separate database more secure than using the same database and a separate schema: a question about development and production environments being physically separated. I don’t think I’ve explicitly commented on this topic before, so I have included a couple of additional links to relevant STIG controls for shared development and production servers:
- DBMS production application and data directories must be protected from developers on shared production/development DBMS host systems.
- The DBMS must be protected from unauthorized access by developers on shared production/development host systems.
2. Oracle auditing: Is it possible to log when a permission is being used?: a question about auditing user privilege usage. I have previously commented on auditing in Auditing by the Numbers, which discusses minimal STIG requirements for privilege auditing, among others.
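As an added illustration of what "logging when a permission is used" looks like in practice (example code written for this post, not taken from the linked answer), the statements below audit the exercise of a few powerful system privileges and then read the result back from the audit trail. They assume Oracle 12c with unified auditing available and a user holding AUDIT_ADMIN; the policy name PRIV_USE_POL is made up for the example, and the pre-12c section assumes the AUDIT_TRAIL initialization parameter is set to DB or DB,EXTENDED.

```sql
-- Added example: make the use of specific system privileges visible in the
-- audit trail. Policy name PRIV_USE_POL is constructed for this example.

-- 1. Unified auditing (12c+): define a policy that fires whenever one of
--    these system privileges is exercised, regardless of the object touched
CREATE AUDIT POLICY priv_use_pol
  PRIVILEGES SELECT ANY TABLE, CREATE ANY TABLE, ALTER ANY TABLE,
             GRANT ANY PRIVILEGE;

-- 2. Enable it for every user; both successful and failed use is recorded
AUDIT POLICY priv_use_pol;

-- 3. Review: who used which privilege, against what object, and the statement.
--    UNIFIED_AUDIT_POLICIES can list several policies, hence the LIKE.
SELECT event_timestamp, dbusername, system_privilege_used,
       action_name, object_schema, object_name, return_code, sql_text
  FROM unified_audit_trail
 WHERE unified_audit_policies LIKE '%PRIV_USE_POL%'
 ORDER BY event_timestamp DESC;

-- Traditional auditing equivalent for releases before 12c
-- (requires AUDIT_TRAIL=DB or DB,EXTENDED and a restart to take effect)
AUDIT SELECT ANY TABLE, CREATE ANY TABLE, ALTER ANY TABLE, GRANT ANY PRIVILEGE
  BY ACCESS;

-- PRIV_USED is populated only when a system privilege, not an object grant,
-- made the action possible; that is exactly the "permission being used" case
SELECT timestamp, username, priv_used, action_name, owner, obj_name, returncode
  FROM dba_audit_trail
 WHERE priv_used IS NOT NULL
 ORDER BY timestamp DESC;

-- Confirm which privilege audits are currently in force
SELECT user_name, privilege, success, failure
  FROM dba_priv_audit_opts
 ORDER BY privilege;
```

The distinction worth noticing is between auditing a statement type (every SELECT) and auditing a privilege (only SELECTs that needed SELECT ANY TABLE to succeed); the latter is what answers the question of whether a granted privilege is actually being used, and it is also the smaller, more reviewable trail.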
3. Where does data sit and where must it be encrypted: a question about encryption at rest. I have previously commented on STIG-compliant encryption for data at rest in FIPS is a Four Letter Word, and for encryption of data in motion in Top STIG – Part 4 (Encrypted Transmission and PKI).
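For the at-rest side of that question, here is an added example (mine, not from the linked post) of encrypting a tablespace with Transparent Data Encryption and then verifying from the data dictionary that the sensitive tables really live in it. It assumes a TDE keystore (wallet) has already been created and opened; the tablespace name APP_SECURE, the datafile path and the HR.PAYROLL table are constructed for the example.

```sql
-- Added example: encrypt at the tablespace level and verify placement.
-- Assumes the TDE keystore is configured and open; names are constructed.

-- 1. Create an encrypted tablespace; every segment stored in it is encrypted
CREATE TABLESPACE app_secure
  DATAFILE '/u02/oradata/ORCL/app_secure01.dbf' SIZE 100M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- 2. Relocate a sensitive table into it
--    (indexes on the table become UNUSABLE after a MOVE and must be rebuilt)
ALTER TABLE hr.payroll MOVE TABLESPACE app_secure;

-- 3. Verify: which tablespaces are encrypted, and with which algorithm
SELECT t.name, e.encryptionalg, e.encryptedts
  FROM v$tablespace t
  JOIN v$encrypted_tablespaces e ON e.ts# = t.ts#;

-- 4. Find tables of the schema under review that still sit on cleartext storage
SELECT owner, table_name, tablespace_name
  FROM dba_tables
 WHERE owner = 'HR'
   AND tablespace_name NOT IN (
         SELECT t.name
           FROM v$tablespace t
           JOIN v$encrypted_tablespaces e ON e.ts# = t.ts#)
 ORDER BY table_name;

-- 5. The keystore must be OPEN or the encrypted data cannot be read at all;
--    a CLOSED status after a restart is the usual cause of "ORA-28365"
SELECT wrl_type, wrl_parameter, status
  FROM v$encryption_wallet;
```

Step 4 is the one to keep around: tablespace encryption only protects what is actually stored in the encrypted tablespace, so the check for sensitive tables left elsewhere (including copies made by developers or by a reorganisation) is what turns "we use TDE" into an evidence-backed answer.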
4. Using SQL*Plus to connect to remote DB from local server, how do I export a backup to my local server?: a question about making backups to remote locations. This is another topic that I don’t think I’ve paid much attention to in this blog yet. There are several relevant STIG controls for backups, which I have included here:
- The DBMS software libraries must be periodically backed up.
- DBMS must conduct backups of system-level information per organization-defined frequency that is consistent with recovery time and recovery point objectives.
- Database recovery procedures must be developed, documented, implemented, and periodically tested.
- Database backup procedures must be defined, documented, and implemented.
- DBMS backup and restoration files must be protected from unauthorized access.
- Oracle must back up user-level information per a defined frequency.
5. Quality Database Security Metrics: a question about capturing objective database metrics. I have commented on the components of a STIG review and how to complete one in Oracle 12c Database STIG Breakdown, and How To Complete a STIG Review.
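To make "objective metrics" concrete, the following is an added example (my own, not from the linked question or either post above) that computes a handful of countable indicators straight from the Oracle data dictionary, each of which maps to a class of STIG finding. It assumes Oracle 12c or later (for the ORACLE_MAINTAINED column on DBA_USERS) and a user with SELECT on the DBA_ views; the metric labels are my own wording.

```sql
-- Added example: objective, repeatable security metrics from the dictionary.
-- Assumes Oracle 12c+ (DBA_USERS.ORACLE_MAINTAINED) and read access to DBA_ views.
-- Run it on a schedule and keep the numbers; the trend is the metric.
SELECT CAST('Accounts granted the DBA role' AS VARCHAR2(60)) AS metric,
       COUNT(*) AS value
  FROM dba_role_privs
 WHERE granted_role = 'DBA'
UNION ALL
SELECT CAST('Accounts still using a default password' AS VARCHAR2(60)),
       COUNT(*)
  FROM dba_users_with_defpwd
UNION ALL
SELECT CAST('Open accounts whose password never expires' AS VARCHAR2(60)),
       COUNT(*)
  FROM dba_users u
  JOIN dba_profiles p
    ON p.profile = u.profile
   AND p.resource_name = 'PASSWORD_LIFE_TIME'
 WHERE u.account_status = 'OPEN'
   AND p.limit = 'UNLIMITED'
UNION ALL
SELECT CAST('ANY-type system privileges held by non-Oracle accounts' AS VARCHAR2(60)),
       COUNT(*)
  FROM dba_sys_privs
 WHERE privilege LIKE '%ANY%'
   AND grantee NOT IN (SELECT username
                         FROM dba_users
                        WHERE oracle_maintained = 'Y')
UNION ALL
SELECT CAST('Object privileges granted to PUBLIC' AS VARCHAR2(60)),
       COUNT(*)
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
UNION ALL
SELECT CAST('Accounts with a system privilege granted WITH ADMIN OPTION' AS VARCHAR2(60)),
       COUNT(DISTINCT grantee)
  FROM dba_sys_privs
 WHERE admin_option = 'YES';
```

Each row is a number an auditor can re-derive independently, which is what separates a metric from an opinion; the natural next step is to store each run with its timestamp so that a review can show whether the counts are falling, and to attach the individual grantee lists as the evidence behind any non-zero line.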