Five different security-related posts to which I have contributed on dba.stackexchange.com. I did not necessarily provide the accepted answer for these, but felt that the questions posed were interesting enough to warrant a mention.
The final installment in my series on CAT I STIG controls is all about the use (or not) of the server operating system accounts that support the Oracle database. Two controls address the use of and access to the Oracle software installation account, and one addresses the privileges associated with individual user accounts for DBAs. … Continue reading Top STIG – Part 6 (OS Accounts)
Part 4 of this series on top STIG controls takes a look at the encryption of data in motion and the use of Public Key Infrastructure (PKI).
The next CAT I STIG control in this series is less technical and more about policy. Like all of the others, however, it requires the DBA to be aware of things beyond their immediate day-to-day workload, and to be involved in the planning, design, and development of the system technology stack...
Applications must obscure feedback of authentication information; when using command-line tools such as Oracle SQL*Plus, which can accept a plain-text password, users must use an alternative logon method that does not expose the password.
In this post I'm going to start going over the Database STIG CAT I vulnerabilities in a little more detail. The first two relate to database initialization parameters and authentication.
This post contains a listing of all 199 Oracle 12c Database STIG controls from Release 16 (24 January 2020), organized by the five major categories of database security...
The simplest way to complete a DISA Secure Technical Implementation Guide (STIG) review is to start at the beginning of the checklist and work through it, one control item at a time. As you read each control, the information will be broken down into several distinct areas: metadata, content, and findings. Each control has metadata … Continue reading How To Complete a STIG Review
The code-obfuscation-toolkit allows you to obfuscate the source code of a variety of stored programs, including procedures, functions, package bodies, and type bodies. When wrapping an object, to further obfuscate the original code in the event that it is ever unwrapped, all comments and line breaks can also be removed.
Seriously, I find all the best questions about Oracle security on forums like Oracle Communities and AskTom. Sometimes I need to be careful, though. I have a tendency to jump right to implementation details in my head without always considering all of the ramifications of the original question. Sometimes the answers seem immediately obvious, but it doesn't usually take long before someone offers an observation that makes me sit back and think that maybe my first instinct needs some qualification. Case in point...
I've seen a couple of Oracle Community and AskTom posts over the last year or two about installing anti-virus software on Oracle database servers. Usually it is because someone in security told the sysadmin or the DBA that they had to install some kind of AV software because it was required. Been there; done that. I found out the hard way that doing so was a bad idea...
Authentication: In my previous two posts, I discussed configuring the Apache web server and the APEX Workspace for smart card authentication. With those in mind, I will now look at basic smart card authentication within an APEX application. In this architecture, individual APEX applications may now authenticate users through one of two methods: HTTP Header Variable: … Continue reading APEX Authentication with a Smart Card – Part 3 (Application)
I have written previously on how much I dislike password maintenance. Every chance I get to enable PKI certificate authentication, I take it. Most of my career I have worked in environments where certificate authentication was expected, if not explicitly required, so it wasn't a big leap for me to look at configuring Oracle APEX … Continue reading APEX Authentication with a Smart Card – Part 1 (Web Server)
Every once in a while over the years I have been asked, “Why don’t you patch the Java JDK included in an Oracle Home directory?”
An example of a method for scanning the Oracle data dictionary for potential PII data and automating specific responses, such as encrypting columns or alerting the DBA, when new data is found.
What if you have a lot of potential PII data and you need to enforce some additional safeguards on it? How do I make this information actionable, and, better yet, how do I automate that action as much as possible?
I'm going to post this as a reminder to myself as much as anything else. A couple of times - most recently this week - I've had to apply patches for Oracle APEX into various databases that I work with and received the following error almost as soon as the apxpatch.sql script started to run: … Continue reading APEX Patches and NLS_LENGTH_SEMANTICS
What needs to be done? At this point it is important to stop and consider that if you have read my previous posts in this series and followed all the links that I recommended then you will have read a lot of other people's documentation and best practices. With a little luck you may have … Continue reading The Database, Your Way
What needs to be done? In my last post I talked about the legal rules of the road in regards to designing and implementing a database information system, starting from the top level and driving down to the nitty gritty step-by-step hardening instructions, including the STIG. Once the applicable rules are understood, it is important … Continue reading Passing the Test
What needs to be done? Before a driver heads out on the road, it is important for him or her to know the rules. Not just common sense stuff like "don't drive on the wrong side of the road", but the actual rules and laws that govern what you're about to do, like obeying a … Continue reading The Rules of the Road
One of the most problematic STIG checklist items is this one: Rule Title: Database account passwords should be stored in encoded or encrypted format whether stored in database objects, external host files, environment variables or any other storage locations. STIG ID: DG0067-ORACLE11 Rule ID: SV-24641r1_rule Vuln ID: V-3812 Severity: CAT I Vulnerability Discussion: Database passwords stored … Continue reading Database Account Password Storage
Two DB Installation STIG items relate to the version of Oracle software in use: Rule Title: Vendor supported software is evaluated and patched against newly found vulnerabilities. STIG ID: DG0001-ORACLE11 Rule ID: SV-24339r1_rule Vuln ID: V-5658 Severity: CAT I Discussion: Unsupported software versions are not patched by vendors to address newly discovered security versions. An … Continue reading Software Version Support
The very first item in the STIG reads as follows: Group ID (Vulid): V-2420 Group Title: DBMS software monitoring Rule ID: SV-24597r1_rule Severity: CAT III Rule Version (STIG-ID): DG0010-ORACLE11 Rule Title: Database executable and configuration files should be monitored for unauthorized modifications. Vulnerability Discussion: Changes to files in the DBMS software directory including executable, configuration, … Continue reading DBMS software monitoring