Sunday, May 28, 2006

Project Lockdown - Phased approach to securing your Oracle environment

Arup Nanda has written a four-part paper on securing your Oracle environment using a phased approach; it is called Project Lockdown and is available on OTN. I have not yet finished going through all four parts, but so far it is a pretty good write-up, although there are sections that I thought Arup could expand a little more and some that I don't totally agree with.

For example, the section on changing default passwords and how Oracle maintains passwords could be expanded to include the fact that the username and the clear-text password are concatenated together as the input to the one-way hash, so that if you set the SYS password to TEMMANAGER you get exactly the stored value of the SYSTEM default password (MANAGER): both hash the string SYSTEMMANAGER. I also don't agree with limiting the SYSDBA login as suggested. I think a better way is to force the DBAs to use individual accounts and su to the oracle OS account. The SYS and SYSTEM database accounts can then be secured by setting the stored password value to a constant string that the hashing algorithm can never produce. I talked about this in my previous post.
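The following script is an added example and is not from the original post or from Arup Nanda's paper. It is meant to be run as a DBA in a throwaway Oracle 10g (or earlier) test database, where DBA_USERS.PASSWORD still exposes the legacy 16-hex-digit hash. It shows the concatenation collision described above, uses it as a check for a default password without touching the account itself, and then applies the "impossible hash" lock. The user names AB, ABC and SYSTEMM, their passwords, and the string 'impossible' are all chosen for the demonstration.

```sql
-- Added example, not part of the original post: legacy Oracle password hash
-- is computed over UPPER(username || password), so different name/password
-- pairs with the same concatenation share one stored hash.

-- 1. Collision: 'AB' || 'CDEFGH' and 'ABC' || 'DEFGH' are both 'ABCDEFGH'.
CREATE USER ab  IDENTIFIED BY cdefgh;
CREATE USER abc IDENTIFIED BY defgh;

-- Both rows show the same PASSWORD value.
SELECT username, password
  FROM dba_users
 WHERE username IN ('AB', 'ABC');

-- 2. Check whether SYSTEM still has its default password (MANAGER) without
--    logging in as SYSTEM or changing it: a throwaway user whose
--    name || password is also 'SYSTEMMANAGER' produces the default hash,
--    so a plain equality on the stored hashes is the test.
CREATE USER systemm IDENTIFIED BY anager;

SELECT s.username,
       CASE WHEN s.password = t.password
            THEN 'DEFAULT PASSWORD'
            ELSE 'changed'
       END AS state
  FROM dba_users s, dba_users t
 WHERE s.username = 'SYSTEM'
   AND t.username = 'SYSTEMM';

-- The same trick works for any documented default (e.g. a user named
-- SYSC with password HANGE_ON_INSTALL gives the SYS default hash).

-- 3. Disable password logins to SYSTEM entirely: the stored value is set
--    directly (IDENTIFIED BY VALUES) to a string that is not a 16-digit hex
--    hash, so no clear-text password can ever match it. DBAs then use their
--    own named accounts, or su to oracle and CONNECT / AS SYSDBA, which is
--    OS-authenticated and does not consult this column.
ALTER USER system IDENTIFIED BY VALUES 'impossible';

-- Verify: the stored value is the literal string, not a hash.
SELECT username, password
  FROM dba_users
 WHERE username = 'SYSTEM';

-- 4. Clean up the throwaway accounts.
DROP USER ab;
DROP USER abc;
DROP USER systemm;
```

Two caveats a practitioner should keep in mind. First, applying step 3 to SYS also rewrites SYS's entry in the password file, so remote SYSDBA connections that rely on the password file stop working; make sure OS authentication (the oracle account's membership in the dba group) is in place first, since that is the only path left in. Second, the check in step 2 only says whether the stored hash equals one specific candidate; it is not a substitute for rotating the password, and the throwaway user must be dropped immediately because it is itself an account with a known password.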

Anyhow, what I wanted to point out in this entry is that the article is worth the read: many of the suggestions are very good and should be followed wherever possible, according to your organization's needs and requirements.

A couple of other good sites are Pete Finnigan's and the Center for Internet Security.
