Best Practices: Secure Oracle Configuration and Database Auditing
In our last post, we shared the 4 most important areas of database security and discussed how to safeguard your Oracle environment with best practices for Authentication and Access Controls. In this post, we continue with a breakdown of Oracle database security best practices for Secure Oracle Configuration and Database Auditing.
Secure Oracle Configuration
Secure Listener ConfigurationListener authentication should be local OS user. Implement standard configuration for inbound connection timeout and sqlnet expire timeout.
Listener PortsDo not use default ports for Oracle listener configuration. Change the default listener port to prevent default SQL attacks.
Configuration for Oracle external proceduresExternal procedures can be used for SQL injection/hacks. They need to be secured for application-specific use only.
PatchingPerform regular Oracle security patching. MiCORE recommends applying patches at least twice per year. You can check the Oracle Technology Network (OTN) security site for details on security alerts released by Oracle.
Non-Production Data RefreshesLeverage data cleansing and data masking procedures for data migration from production to non-production environments.
Secure BackupsImplement policies for data encryption for operational procedures such as RMAN backups or data exports.
TDEEnsure that PII elements are identified and Column encryption is in place. Create metadata repository for PII elements in Oracle databases.
Database AuditingMonitor your environment and identify potential attacks by implementing a unified auditing policy. Basic auditing should be configured for all databases and system operations. Centralize audit data and create reports so you can view the audit records. Select the right type of auditing for your Oracle database based on your specific needs:
- Statement level auditing: Audits on the type of SQL statement used, such as any SQL statement on a table (which records each CREATE, TRUNCATE, and DROP TABLE statement)
- Privilege level auditing: Audits use of a particular system privilege, such as CREATE TABLE
- Object level auditing: Audits specific statements on specific object, such as ALTER TABLE on the EMP table
- Fine-grain auditing: Provides added functionality of auditing specific columns that hold sensitive information such as PII or salaries, as well as using event handlers which allows you to write a function that send email alerts to security administrators when unauthorized updates are made to audited table elements.
Proactive Security AssessmentsIn addition to the ongoing auditing discussed above, we recommend performing a holistic review of all security components of your Oracle databases once per year. The holistic security assessment should include a high-level analysis of:
- Database user accounts
- Password policies
- Operational procedures
- Data migration and refresh
- Database configuration
- Oracle security patches
- Database access control