Five Thoughts on Oracle Security


Five different security related posts to which I have contributed on dba.stackexchange.com. I did not necessarily provide the accepted answer for these, but felt that the questions posed were interesting enough to warrant a mention.

Top STIG – Part 6 (OS Accounts)


The final installment in my series on CAT I STIG controls is all about the use (or not) of the server operating system accounts that support the Oracle database. Two controls address the use of and access to the Oracle software installation account, and one addresses the privileges associated with individual user accounts for DBAs. … Continue reading Top STIG – Part 6 (OS Accounts)

Top STIG – Part 5 (Default Passwords)


One of the most common attack vectors for any hacker is checking to see if you have reset default passwords on service and administrator accounts. Almost every piece of hardware or software comes with some default way to login the first time, and a lot of people are really bad at changing those credentials to be more secure. Oracle databases and DBAs are no exception...

Top STIG – Part 3 (Software Support)


The next CAT I STIG control in this series is less technical and more about policy. Like all of the others, however, it requires the DBA to be aware of things beyond their immediate day to day workload, and involved in the planning, design, and development of the system technology stack...

Top STIG – Part 2 (Obscuring Credentials)


Applications must obscure feedback of authentication information; when using command-line tools such as Oracle SQL*Plus, which can accept a plain-text password, users must use an alternative logon method that does not expose the password.

Well That’s Random…


Increasingly we are asked to provide more secure passwords for accounts of all kinds. As I have written previously, because coming up with new ones that meet all complexity requirements can be a real pain, I try to avoid passwords whenever possible in favor of PKE authentication. Sometimes, however, they are unavoidable.

Oracle 12c Database STIG Breakdown


This post contains a listing of all 199 Oracle 12c Database STIG controls from Release 16 (24 January 2020), organized by the five major categories of database security...