Best Practices: Secure Oracle Configuration and Database Auditing

In our last post, we shared the 4 most important areas of database security and discussed how to safeguard your Oracle environment with best practices for Authentication and Access Controls. In this post, we continue with a breakdown of Oracle database security best practices for Secure Oracle Configuration and Database Auditing.

Secure Oracle Configuration

Secure Listener Configuration

Listener authentication should be local OS user. Implement standard configuration for inbound connection timeout and sqlnet expire timeout.

Listener Ports

Do not use default ports for Oracle listener configuration. Change the default listener port to prevent default SQL attacks.

Configuration for Oracle external procedures

External procedures can be used for SQL injection/hacks. They need to be secured for application-specific use only.

Patching

Perform regular Oracle security patching. MiCORE recommends applying patches at least twice per year. You can check the Oracle Technology Network (OTN) security site for details on security alerts released by Oracle.

Non-Production Data Refreshes

Leverage data cleansing and data masking procedures for data migration from production to non-production environments.

Secure Backups

Implement policies for data encryption for operational procedures such as RMAN backups or data exports.

TDE 

Ensure that PII elements are identified and Column encryption is in place. Create metadata repository for PII elements in Oracle databases.

Database Auditing

Monitor your environment and identify potential attacks by implementing a unified auditing policy. Basic auditing should be configured for all databases and system operations. Centralize audit data and create reports so you can view the audit records. Select the right type of auditing for your Oracle database based on your specific needs:

• Statement level auditing: Audits on the type of SQL statement used, such as any SQL statement on a table (which records each CREATE, TRUNCATE, and DROP TABLE statement)
• Privilege level auditing: Audits use of a particular system privilege, such as CREATE TABLE
• Object level auditing: Audits specific statements on specific object, such as ALTER TABLE on the EMP table
• Fine-grain auditing: Provides added functionality of auditing specific columns that hold sensitive information such as PII or salaries, as well as using event handlers which allows you to write a function that send email alerts to security administrators when unauthorized updates are made to audited table elements.

Proactive Security Assessments

In addition to the ongoing auditing discussed above, we recommend performing a holistic review of all security components of your Oracle databases once per year. The holistic security assessment should include a high-level analysis of:

• Database user accounts
• Password policies
• Operational procedures
• Data migration and refresh
• Database configuration
• Oracle security patches
• Database access control

Compare your current configuration with Oracle best practices for secured and hardened database environments. You may also choose to analyze the current environment based on the Center for Internet Security (CIS) benchmarks.