Top 10 Oracle Database: Controls - Test of Control Template
kpmg
Oracle Database Control Templates
Page 2 of 30
3 Users and Profiles - Ensure that users and profiles have been appropriately created 11
3.1 Determine if database users use the same user ID and ‘plain-text’ password as their database link. 11
3.2 Determine if users have session, connect time or idle time restrictions. 11
3.3 Determine if any database users are using the ‘DEFAULT’ profile. The LIMIT values for these resources are typically ‘UNLIMITED’ as provided by the software vendor. 11
3.4 Determine the restrictions placed on users accessing the database from tools such as SQL*Plus 12
3.5 Determine if passwords for vendor-provided database user IDs have been changed 12
3.6 Determine if database passwords are the same as the database user IDs. 12
3.7 Determine if profiles with the FAILED_LOGIN_ATTEMPTS parameter have a value that is greater than the limit specified by the security policy. 12
3.8 Check for profiles with the PASSWORD_LOCK_TIME parameter less than the limit specified by the security policy. 13
3.9 Check for profiles with the PASSWORD_LIFE_TIME parameter greater than the limit specified by the security policy. 13
3.10 Check for profiles with the PASSWORD_GRACE_TIME parameter greater than the limit specified by the security policy. 13
3.11 Check for profiles with the PASSWORD_REUSE_MAX parameter greater than the limit specified by the security policy. 13
3.12 Check for profiles with the PASSWORD_REUSE_TIME parameter greater than the limit specified by the security policy. 14
3.13 Check for profiles with the PASSWORD_VERIFY_FUNCTION feature not enabled. 14
3.14 Check that users change their passwords per the designated security policy. 14
3.15 Check that users have changed their passwords within the designated security policy requirements. 14
5.6 Ensure that the Unix group owner is the group dba 20
5.7 Ensure that Unix directory permissions are 755 or less 20
5.8 Ensure that Unix file permissions are 750 for executable Oracle binary files 21
5.9 Ensure that the Unix umask parameter is set so that log files are not world writeable or readable 21
5.10 Ensure that NT/Windows 2000 file permissions are restricted so that there is no access to the group Everyone 21
5.11 Ensure that NT/Windows 2000 file permissions are set for files to inherit the permissions of their directory 21
5.12 Ensure that use of the Oracle account is restricted to the database administrator 21
5.13 Review the Unix /etc/group file to ensure that membership in the group ‘DBA’ is limited to the Oracle account to prevent unauthorized connects that are internal to the database 21
5.14 Review file permissions for the SQLDBA and server manager programs to ensure that their use is restricted to the Oracle administration account 21
5.15 Determine if there are any ops$ accounts used in the database 21
10.2 Ensure that tablespaces have been distributed across multiple disks to distribute input/output 27
10.3 Review the df output to ensure that redo logs, archived redo logs, and control files have been mounted on separate disks and these disks have been mirrored on two separate disks each 27
10.4 Review contents of the file config.ora for control file names, and ensure that control files are located in three different file systems on three different disk drives. 27
10.5 Review and ensure that critical data file tablespaces are mirrored for faster recovery 27
10.6 Ensure that each disk uses a separate controller unit (see the device file name standard in the df output) to minimize the impact of controller failure 27
10.7 Ensure that disk and tablespace monitoring procedures are in place to ensure that growing requirements are known in advance of the need to resize or perform a tablespace reorganization 27
10.8 Determine that overall system memory and disk space requirements and future projections have been incorporated into the system's design 27
10.9 Review the db_block_size parameter in the init<System/Instance ID>.ora file and ensure that it is equal to the operating system block size (except for IBM AIX operating systems) 28
10.10 Ensure that the init<System/Instance ID>.ora file parameter called log_archive_set = is set to true so that archive log mode is initialized. 28
10.11 Ensure that the init<System/Instance ID>.ora file parameter called Checkpoint_process = is set to true so that checkpoints are recorded in control files. Also ensure that the parameter called Log_Checkpoint_Interval is set at an appropriate frequency in relation to database size and use. 28
10.12 Ensure that, at a minimum, incremental backups (INCTYPE Export) are made every night (i.e., backup of objects changed since the prior backup) 28
10.13 Ensure that database backups (logical backups while the database is up and running) are scheduled at night when users are off the system, and overnight reports and other batch processing are finished 28
10.14 Ensure that the consistent feature is used with logical backups, to maintain rollback files to help protect database integrity 28
10.15 Assess the appropriateness of running logical backups with the database in restricted mode, which ensures that users other than the database administrator may not be logged in during the backup 28
10.16 Determine that weekly logical backups (if not full system cold backups) are made with the full mode, using the complete option (the default), to ensure that the entire database is backed up 29
10.17 Review and ensure that complete file system backups (e.g., image backups) are made on a weekly or, at a minimum, a monthly basis 29
10.18 Review backup storage media cataloging, storage, and control procedures to ensure that backups are completed successfully, are labeled internally and externally, and are rotated off-site to a secure location. 29
10.19 Obtain and review documentation of database recovery testing and test results. Ensure that the eight disk-failure recovery scenarios have been tested successfully. 29
3 Users and Profiles - Ensure that users and profiles have been appropriately created
(Use ‘Public’ as the input parameter and then find utl_file in the output file)
(Use ‘Public’ for the first prompt and ‘Sys’ for the second prompt)
1.46 Ensure that the Unix group owner is the group dba
1.68 Review the list of all audit options set for all “system” privileges within the database for appropriateness
SQL Script 42 - chk_dba_priv_audit_opts
1.69 Review the list of all “object” audit options set for all objects in the database for appropriateness
SQL Script 43 - chk_dba_obj_audit_opts