In our experience as IT auditors who review databases, we wanted to share a few excellent sources of Oracle database best practices.
The two main sources are the Center for Internet Security (CIS) ‘Configuration Benchmark’ and the US Defense Information Systems Agency (DISA) ‘Database Security Technical Implementation Guide’ (STIG). The following discussion provides a brief overview of each source.
CIS Security Configuration Benchmark. This benchmark for Oracle Database Server 11g is a consensus document based on input from consultants, software developers, auditors, compliance professionals and government workers.
The benchmark provides a ‘level-I’ configuration of settings that can be implemented by system administrators with basic security knowledge. These settings are designed to minimize disruption to an existing database. There is also a ‘level-II’ configuration targeted at network architecture and server function. This higher level requires stronger security experience but yields substantially greater security functionality.
The benchmark contains separate sections dedicated to system specific settings, installation and patching, directory and file permissions, database startup and shutdown, auditing policy, user setup and access settings.
This configuration benchmark provides the settings for an Oracle database that is secure against conventional threats. There is specific guidance for the secure installation, setup, configuration and operation of an Oracle 11g database environment. In addition to specific configuration settings, there are also ‘best practice’ processes and procedures, e.g., data backups, archive logs and hardware security.
DOD DISA Database Security Technical Implementation Guide (STIG). The STIG was published by the US Defense Information Systems Agency (DISA) for the Department of Defense (DOD). The objective of the STIG is to secure DOD database management systems (DBMS). The document covers known security configuration items, vulnerabilities and issues.
The STIG is a comprehensive and detailed configuration standard that consists of ‘security elements’ and ‘security requirements’. The STIG goes into much more depth than the vendor specific ‘checklists’ discussed below.
The ‘security elements’ section of the guide (STIG) includes the essentials of database security such as authentication, authorization, data integrity, system auditing, backup and recovery. These security elements are commonly found in a database management system (DBMS) which controls the security of the actual data.
The section on ‘security requirements’ contains the specific requirements for accessing data and operating the database. Guidance is provided on design and configuration, identification and authentication, boundary defense, disaster recovery, vulnerability and incident management, physical and environmental requirements.
DOD DISA Oracle 11 Database Security Checklist. DISA has also published vendor-specific database security checklists for Oracle and Microsoft SQL Server DBMSs. The ‘Oracle 11 Database Security Checklist’ is the most current checklist as of the date of this writing; it was published in August 2010. Separate checklists have also been published for the previous Oracle versions 9 and 10. The Oracle 11 checklist includes security review procedures organized into specific security ‘items’ or ‘checks’.
Conclusion. The two documents discussed above emphasize different aspects of database security. The CIS document provides a basic security configuration (Level I) and an advanced security configuration (Level II). The STIG document provides ‘security elements’ and ‘security requirements’. A more detailed and specific document is the Oracle 11 Database Security Checklist.
References. Database Security Technical Implementation Guide (STIG), Version 8, Release 1 (September 2007). US Department of Defense, Defense Information Systems Agency.
Oracle 11 Database Security Checklist, Version 8, Release 1.8 (August 2010). US Department of Defense, Defense Information Systems Agency.
Security Configuration Benchmark for Oracle Database Server 11g, Version 1.0.1 (January 2009). The Center for Internet Security.