Five different security-related posts to which I have contributed on dba.stackexchange.com. I did not necessarily provide the accepted answer for these, but felt that the questions posed were interesting enough to warrant a mention.
This is an update to one of my very first posts, bringing it up to date to reflect current password verification techniques for Oracle 19c.
The final installment in my series on CAT I STIG controls is all about the use (or not) of the server operating system accounts that support the Oracle database. Two controls address the use of and access to the Oracle software installation account, and one addresses the privileges associated with individual user accounts for DBAs. … Continue reading Top STIG – Part 6 (OS Accounts)
One of the most common attack vectors for any hacker is checking to see if you have reset default passwords on service and administrator accounts. Almost every piece of hardware or software comes with some default way to log in the first time, and a lot of people are really bad at changing those credentials to be more secure. Oracle databases and DBAs are no exception...
Part 4 of this series on top STIG controls takes a look at the encryption of data in motion and the use of Public Key Infrastructure (PKI).
The next CAT I STIG control in this series is less technical and more about policy. Like all of the others, however, it requires the DBA to be aware of things beyond their immediate day-to-day workload, and involved in the planning, design, and development of the system technology stack...
Applications must obscure feedback of authentication information; when using command-line tools such as Oracle SQL*Plus, which can accept a plain-text password, users must use an alternative logon method that does not expose the password.
In this post I'm going to start going over the Database STIG CAT I vulnerabilities in a little more detail. The first two relate to database initialization parameters and authentication.
This post contains a listing of all 199 Oracle 12c Database STIG controls from Release 16 (24 January 2020), organized by the five major categories of database security...
There are over 60 controls in the DISA Oracle 12c Database Secure Technical Implementation Guide (STIG) that contain the word "audit" or "auditing"...
The simplest way to complete a DISA Secure Technical Implementation Guide (STIG) review is to start at the beginning of the checklist and work through it, one control item at a time. As you read each control, the information will be broken down into several distinct areas: metadata, content, and findings. Each control has metadata … Continue reading How To Complete a STIG Review
FIPS is a four-letter word. It is also a source of some confusion when it comes to the Oracle database and DISA STIG compliance, which I will attempt to sort out to the best of my ability in this post.
The code-obfuscation-toolkit allows you to obfuscate the source code of a variety of stored programs, including procedures, functions, package bodies, and type bodies. When wrapping an object, all comments and line breaks can also be removed, to further obfuscate the original code in the event that it is ever unwrapped.
I've seen a couple of Oracle Community and AskTom posts over the last year or two about installing anti-virus software on Oracle database servers. Usually it is because someone in security told the sysadmin or the DBA that they had to install some kind of AV software because it was required. Been there; done that. I found out the hard way that doing so was a bad idea...
Every once in a while over the years I have been asked, “Why don’t you patch the Java JDK included in an Oracle Home directory?”
What if you have a lot of potential PII data and you need to enforce some additional safeguards on it? How do you make this information actionable, and better yet, how do you automate that action as much as possible?
This is the last post in this series, in which I have described configurations for the server wallet, server networking, client networking, and database. If you have completed all of the steps I laid out, then you are ready to test your SSL connection using your smart card. TNS Ping over TCPS: First confirm that … Continue reading Database Authentication with a Smart Card – Part 5 (Testing)
In parts one, two, and three of this series I looked at configuring the database server and client software for smart card authentication. In this post I will discuss required updates to the database initialization parameters, how to gather the necessary information to create the externally authenticated database user, and how to create the user. … Continue reading Database Authentication with a Smart Card – Part 4 (Database)
In Part 1 and Part 2 of this series I described the process for configuring the server wallet, sqlnet.ora, and listener.ora files. In this post I will discuss how to configure the client for SSL authentication with a smart card. At this point it is assumed that an Oracle Client has already been installed. The … Continue reading Database Authentication with a Smart Card – Part 3 (Client)
In my previous post I discussed the first steps in the configuration of an Oracle database for user authentication using a smart card, such as the DoD Common Access Card (CAC). Along with some general considerations for setting up SSL/TLS authentication, I went over the construction of the database server's Oracle Wallet. In this post … Continue reading Database Authentication with a Smart Card – Part 2 (Server)
I hate changing passwords every so many days. Seems like I no sooner get all of my passwords reset than it is time to start changing them again. Working in a government environment, one of those things that I tried to figure out for years was how to log on to a database using my … Continue reading Database Authentication with a Smart Card – Part 1 (Wallet)
What needs to be done? Before a driver heads out on the road, it is important for him or her to know the rules. Not just common-sense stuff like "don't drive on the wrong side of the road", but the actual rules and laws that govern what you're about to do, like obeying a … Continue reading The Rules of the Road
One of the most problematic STIG checklist items is this one: Rule Title: Database account passwords should be stored in encoded or encrypted format whether stored in database objects, external host files, environment variables or any other storage locations. STIG ID: DG0067-ORACLE11 Rule ID: SV-24641r1_rule Vuln ID: V-3812 Severity: CAT I Vulnerability Discussion: Database passwords stored … Continue reading Database Account Password Storage
There are several STIG items that deal with the differences between production and non-production systems. Rule Title: Developers should not be assigned excessive privileges on production databases. Vuln ID: V-15114 Severity: CAT III Rule Version (STIG-ID): DG0089-ORACLE11 Discussion: Developers play a unique role and represent a specific type of threat to the security of the DBMS. … Continue reading Production vs. Development Systems
Two DB Installation STIG items relate to the version of Oracle software in use: Rule Title: Vendor supported software is evaluated and patched against newly found vulnerabilities. STIG ID: DG0001-ORACLE11 Rule ID: SV-24339r1_rule Vuln ID: V-5658 Severity: CAT I Discussion: Unsupported software versions are not patched by vendors to address newly discovered security versions. An … Continue reading Software Version Support