NIST Security Configuration Checklists Repository

Oracle Database Security Benchmark v1.2 for Oracle Version 8i

Name Oracle Database Security Benchmark v1.2 for Oracle Version 8i
Version Version 1.2
Status Final
Creation Date 2003-09-23
Revision Date 2005-04-06
Product Category Database system
Vendor Oracle
Product Oracle 8i
Product Version Oracle 8i
Product Role Database server
Checklist Summary This guide provides high-level recommendations to secure an Oracle database. By configuring the database to the new benchmark, a secure baseline configuration is introduced to protect the system from the common "out of the box" vulnerabilities. The guide presents steps that can be adopted to securely install, set up, configure, and operate an Oracle database. The guide also contains many specific security recommendations, which are divided into three categories: Level 1, Level 2, and Appendix. Level 1 recommendations represent a minimum baseline that is suggested for most environments, are easily implemented by someone with minimal background and are not likely to break database or application functionality, and can be scored with a tool provided by the Center for Internet Security. Level 2 recommendations provide greater security but may require an advanced level DBA to implement and/or break database or application functionality. Appendix items are suggestions rather than recommendations for further hardening of the database environment. They are likely not applicable to most environments or may not be "strictly" within the realm of database security.
Known Issues This guide provides high-level recommendations to secure an Oracle database. By configuring the database to the benchmark, a secure baseline configuration is introduced to protect the system from the common "out of the box" vulnerabilities. It is strongly recommended that these settings be reviewed to comply with local policy and tested on non-production systems before being deployed. The recommendations should be implemented with consideration to the particular database and application environment. Some of the suggested security settings may be overridden by local policy. It is important to note that the parameters and their values need to be spelled correctly to ensure the desired policy has been implemented. Many of the parameters and settings, if misspelled, will not cause an error or warning message to be generated. Level 2 recommendations may require an advanced level DBA to implement and/or may break database or application functionality.
Target Audience This checklist has been created for IT professionals, information security and database personnel. The document assumes that the reader has experience installing and administering Oracle Server databases.
Target Operational Environment Enterprise
Checklist Installation Tools Not Available.
Rollback Capability Not Available.
Testing Information Not Available.
NIAP/CMVP Status  
Regulatory Compliance   
Comments, Warnings, Disclaimer, Miscellaneous
Refer to Known Issues.
Disclaimer Proper use of the recommendations requires careful analysis and adaptation to specific user requirements. The recommendations are not in any way intended to be a "quick fix" for anyone's information security needs. CIS makes no representations, warranties or covenants whatsoever as to (i) the positive or negative effect of the products or the recommendations on the operation or the security of any particular network, computer system, network device, software, hardware, or any component of any of the foregoing or (ii) the accuracy, reliability, timeliness or completeness of any product or recommendation. CIS is providing the products and the recommendations "as is" and "as available" without representations, warranties or covenants of any kind.
Product Support  
Submitting Organization/Authors The Center for Internet Security (CIS)
Point of Contact oracle-feedback@cisecurity.org
Sponsor  
Licensing

Commercial use license

EDUCAUSE Member license

US Federal, state and local government agency license


Checklist Homepage http://www.cisecurity.org/
Download Package http://www.cisecurity.org/sub_form.html
Integrity sha1 (CIS_Oracle_Benchmark_v1.2.pdf) = 05374672f171e1c17c62628088d2e83afe666ff0

sha256 (CIS_Oracle_Benchmark_v1.2.pdf) = 05aa4e2c51d330d4745cebbd266d7c6430f0be914b32dca66318b816c84a8e75
Change History

Version 1.1: 2004-03
Version 1.0: 2003-09-23
Version 1.2: 2005-04-06

Dependency/Requirement  
References SANS, "Securing Oracle Step-by-Step", January 2003.

Oracle Metalink.
http://metalink.oracle.com/

Pete Finnigan.com. http://www.petefinnigan.com/orasec.htm
NIST Identifier 1048



NIST and the checklist submitter do not guarantee or warrant the checklist's accuracy or completeness. NIST is not responsible for loss, damage, or problems that may be caused by using the checklist.

Last updated: May 31, 2005
Page created: October 28, 2004
