Professional Documents
Culture Documents
The following is a basic set of hardening guidelines for an Oracle 11g database along with some scripts you may find
useful. This list is by no means complete. It does not cover file permissions, authentication controls and user profiles,
encryption, grants or auditing but it is a good place to start.
Or perhaps takes Slavic's advice from his comment on this post and start with Oracle's Checklist for Database
Security. It gives a broader, though perhaps less detailed view, and covers some of the topics I have left out (for
now). Also check out Slavik's Musings on Database Security Blog.
1.
Put the database server behind a firewall. See prior post Wall It Off! for a discussion of the importance
of a firewall, even for trusted users on your Intranet.
2.
Apply latest security patches for OS and harden the operating system.
3.
Install only the components needed. When installing the Oracle software, Spatial, OLAP, Data Mining,
and Real Application Testing are all installed by default. Change the default behavior if you do not need
these components. The MDSYS schema used by Spatial has been the target of security vulnerabilities
in the past.
4.
11g defaults to installing Advanced Security; this is a default that should be accepted assuming you
have the license.
5.
Change the default name of the Listener (LISTENER) as well as the default port (1521).
6.
7.
When running the Database Configuration Assistant, select the Custom option so that you have the
ability to de-select any unneeded components.
8.
Do take the default security settings, new for 11g, that enable auditing and a more hardened default
profile. This setting also revokes CREATE EXTERNAL JOB from PUBLIC, sets
07_DICTIONARY_ACCESSIBILITY and REMOTE_OS_ROLES to FALSE as well as setting values for
PASSWORD_GRACE_TIME, PASSWORD_LOCK_TIME and PASSWORD_LIFE_TIME to 7, 1, and 180
respectively rather than their previous default of UNLIMITED. This is a great move by Oracle.
9.
10. Even more good news. With 11g, a new initialization parameter called
SEC_CASE_SENSITIVE_LOGON is available to allow case sensitive passwords. It even defaults to the
TRUE setting, meaning case sensitivity is supported. This can greatly increase password complexity
and make it harder to use brute force attacks to guess passwords. Make use of this new feature when
setting passwords.
11. Exit the installer. Prior versions of Oracle left encrypted passwords in the install logs which could be
easily decrypted by hackers. 11g appears to do a better job of this, instead displaying XXXXXXX or
*********** . However, I still consider it a best practice to change passwords at the command line rather
than through a tool. Make sure to use the "password <username>" syntax rather than the "alter user
<username> identified by <password>" syntax since the former encrypts the password over the network
and the later does not (at least in prior versions).
12. Change the default passwords for all the locked accounts. These passwords can be made very , very
strong since you will never use them.
13. Also change the passwords of SYS and SYSTEM. Again this is just a precaution in case the installer left
a remnant of the password you entered during the installation.
14. If you configured Enterprise Manager (OEM) then also change the SYSMAN and DBSNMP account
passwords using the appropriate procedure for those accounts in order not to break your OEM
installation.
15. Next you'll want to scan for default or weak passwords. I used to maintain my own script for this but now
I rely on Alexander Kornbrust's, founder of Red Database Security GmbH . This is the best tool I've
found and Alexander makes it freely available at: Oracle Password Checker (Cracker) .
16. With 11g, Oracle also supplies a DBA_USERS_WITH_DEFPWD view. Selecting * from this view will
return USERNAMEs with default passwords. This is nice to have but I still recommend Alexander's
script instead since it also checks for weak passwords.
17. You may be asking why all this checking for default and weak passwords when 11g does a good job of
this? First, you may be upgrading from a previous, less secure version and have some old defaults.
Second, DBAs are not infallible and sometimes create weak passwords. Scan regularly!
18. Next we'll check for demo accounts. If you've followed the above instructions you should have none but
it you are upgrading an existing database or forgot to change the default behavior of the installer, now is
the time to check. I use Randy Giefer's Demo Account Check SQL Script which you can download here.
Simply run the script and drop any demo accounts it finds.
19. Next we need to harden the database listener. Oracle created an EXTPROC entry in your listener.ora
configuration file whether you needed one or not. If you do not need to make external procedure calls
from the database then the EXTPROC listener is not needed and should be removed. External
procedure calls can give an attacker access to your operating system from within the database.
Removing this capability eliminates this attack vector.The entry will look something like this: (ADDRESS
= (PROTOCOL = IPC)(KEY = EXTPROC<your-non-default-listener-port>)) . Simply backup your current
listener.ora, remove the above line, and bounce the listener.
20. Next you'll want to set administration restrictions on your listener. This will prevent the use of the SET
command and require any listener configuration changes to be done by a user with write permissions on
the listener.ora file. Simply save a backup of the listener.ora file, add the following line:
ADMIN_RESTRICTIONS_LISTENER_<your-non-default-listener-name>=ON and then bounce the
listener.
21. Listener logging is turned on be default; however, it is generally a best practice to explicitly set values,
even if it is a default. To explicitly set this parameter, save a backup of the listener.ora file, add the
tcp.validnode_checking = yes
26. 11g comes with a more secure listener out of the box. You can only stop the listener as the local OS
account that started the listener. Therefore, it is now actually more secure to NOT set a listener
password since setting one enables remote administration. Scanners will likely ding you on this but it is
the appropriate practice for 11g.
27. By default, Oracle registers an XPT service. If you are not using DataGurad you should remove this
service by running the following as SYS:
o
o
2.
This one is a little off topic but useful to know. If you have an existing database with XML DB installed
but you do not need it, you can disable the functionality and reduce your attack vectors by running the
following as SYS: alter system reset dispatchers scope=spfile sid='*';
3.
Next you'll want to explicitly set the hidden parameter _trace_files_public to false. To do this:
o
shutdown immediate
startup pfile='<full-path-to-pfile>'
shutdown immediate
startup
Finally, download, read and run the basic CIS Hardening Script. Make sure to read the comments in
the script to make sure the settings as appropriate for your environment. The database will need to be
bounced for these changes to take effect. This script sets:
o
GLOBAL_NAMES=TRUE
SQL92_SECURITY=TRUE
AUDIT_SYS_OPERATIONS=TRUE