®

DB Sec. Review:
Checklist for
analyzing the script
outcome
 ®

Table of contents
1 Summary______________________________________________________________________________________ 3
2 Configuration __________________________________________________________________________________ 4
2.1 OS Access control configuration ______________________________________________________________ 5
2.2 SQL*Net Configuration _____________________________________________________________________ 5
2.1 Patch history ______________________________________________________________________________ 6
3 Auditing ______________________________________________________________________________________ 7
4 Availability ____________________________________________________________________________________ 8
5 Access Control _________________________________________________________________________________ 9
6 Additional Information _________________________________________________________________________ 11

Oracle DB Security Review Package: Inspection-Flight Checklist Page i

Document control

Change history

Datum Author Version Change reference

6.6.2012 Suvad Sahovic 1.0 Creation of checklist

20.6.2012 Suvad Sahovic 1.1 Some corrections

Reviewer

Name Position

Carsten Muetzlitz

Distribution

Copy-Nr. Name File location

1
2
3
4

Oracle DB Security Review Package: Inspection-Flight Checklist Page ii

 ®

SUMMARY
This checklist can be use to check the outcome logs from DB Sec. Review scripts.

The scripts are divided into several areas. Each area will generate a log file. For the analyzing these
log-files will be used for reviewing the database.

E.g. the first script outcome is the log-file 01_configuration11g.log which was generated by SQL-script
01_configuration11g.sql.

Within the SQL-script and log-file you will get above the select or generated outcome a so called SQL
identifier. This identifier will be used in this checklist, what we suggest to do with SQL select or
outcome. Be aware this is only a suggestion and maybe this checklist is not complete. Maybe you
think differently and finding other ways to analyze. Then it is your responsibility to create your own
checklist and execute you way of doing a DB Sec. Review. There is not only one way there are lot of
ways.

Oracle DB Security Review Package: Checklist for analyzing DB Sec. Review outcome Page 3 of 12
 ®

1 CONFIGURATION
Please follow the sql identifiers and the review suggestions for configuration.

1001. Check the DB SID? DB creation date? LOG_MODE status? Flashback enabled? New
patches available / patches installed?
1002. DB version? Are patches available? Was this patch before creation date available?
1003. Installed options? We do not cover option-review; this is not an LMS service!
1003.1 : Used DB Options
Please comment the SQL Statement if the customer want this.
1004. OEM packs in use? Pack access granted, pack access agreed? We do not cover option-
review; this is not an LMS service!
Please comment the SQL Statement if the customer want this.
1005. Old EM 9i repository in use? Do the customer use old OEM java fat client
1006. Network Encryption in use? Look for encryption algorithm, if no, then ASO was not used, we
do not cover options, this is not an LMS service!
1007. Check init.ora parameters.
1007.1 checks some hidden parameters. Comments are in the script.
1008. Check if UTL_FILE_DIR and directories are in use? Are they double entries? If yes, why?
1009. Check OPEN_LINKS parameter, how many DB Links in use? Is the configuration setup of the
DB Links ok?
1010. Check the tuning parameters.
1011. Check the control files status. Are they multiplexed?
1012. Check the redo log files status. Are they multiplexed? At least to members per Group?
1013. Check the Archive Log status? Enabled?
1014. Check the tablespaces information. Only standard oracle tablespaces, or customized
tablespaces?
1015. Check the tablespace extents. Are the tablespaces local managements?
1016. Check the tablespace contents. Permanent content?
1017. Check the TMP tablespace. Just for information.
1018. Check the TMP tablespaces size. Just for information.
1019. Check the TEMP extent pool. Just for information.
1020. Check the TMP tablespace used size. Just for information.
1021. Check the Data Files. Data file fragmentations? Please as well output of 3004 and 1005
Only if no locale managed tablespace then fragmentation could be problem, story
reorganization
1022. Check the SYSTEM Tablespace objects.
1023. Check which user has wrong default tablespace (SYSTEM).
1024. Check the SYSAUX tablespace status. Just information which internal Oracle objects will be
used.
1025. Check the dependencies others then Oracle internal. See if important functions will be
referenced.
1026. Check all Synonyms linked with external database.
1027. Check Comments on History. Upgraded from? Patchset?
1028. Oracle Standard USERS installed? Are they really used? Answer from interview, what does
the customer need and use.
1029. Standard Oracle DB Users with default password (if 10g DB in use)?
1030. Standard Oracle DB Users with default password (if 11g DB in use, with view
DBA_USERS_WITH_DEFPWD)?
1030.1 DB Users and password hashes. Can be used to crack the passwords with john the

Oracle DB Security Review Package: Checklist for analyzing DB Sec. Review outcome Page 4 of 12
 ®

ripper.
Please do not log hashes, if the customer do not want.
1031. Check the Password File users. How many SYSDBAs and SYSOPERS and SYSASMs?
1032. Check the Profiles. Anything changed from standard? How many user groups, how many
profiles, differences in profiles?
1033. Check the security related profile information!
1034. Check the Password Verify Function. Rootkit installed, logic clear?
1035. DB links setup?
1036. Maybe the USER from DB Link exists in this database:
Check Users and Roles with the same Privileges -> DB Link User/Remote User and Local
User! Same as 4013 in ACL
1037. Wallets in use?
1038. Check the DBA_WALLET_ACLS!
1039. Triggers in use? Logon Triggers etc.
1040. Check the ACLs for Network Packages (HOST).
1041. Which ACLs for Network Packages are in database?
1042. XMLDB in use? HTTP, FTP etc.
1043. Check OS ACLs
1044. Check embedded Gateway for APEX
1045. Check SQL*Net Configuration
1046. Check what is really installed
1047. Check patch history

1.1 OS Access control configuration

Check OS ACLs!
a) File Permission: Check the ownership of the OH/bin.
b) File Permission: Check the file permission of OH/bin. (755)
c) File Permission: Check the file permission of OH (750)
d) File Permission: Check the file permission of OH/dbs (750)
a. File Permission: Check the file permission of init.ora (644)
b. File Permission: Check the file permission of spfile.ora (640)
c. File Permission: Check the file permission of the password files
e) File Permission: Check the file permission of OH/network/admin (644)
f) File Permission: Check the file permission of listener.ora (660)
g) File Permission: Check the file permission of %_dest directory (600)
h) File Permission: Check the file permission of OH/network/trace (660)
i) File Permission: Check the file permission of OH/network/log (640)
j) File Permission: Check the file permission of sqlplus (750)
k) File Permission: Check the file permission of the oracle wallet

1.2 SQL*Net Configuration

Check the listener.ora!
a) listener.ora: Check if the listener is using default name
b) listener.ora: Check if the listener is using hostname or IP address
c) listener.ora: Check if the listener is using default port (1521)
d) listener.ora: Check if the parameter admin_restrictions_listener_name is set
e) listener.ora: Check if the parameter secure_control_listener_name is set
f) listener.ora: Check if the parameter secure_protocol_listener_name is set
g) listener.ora: Check if the parameter secure_register_listener_name is set
h) listener.ora: Check if the parameter dynamic_registration_listener_name is set

Oracle DB Security Review Package: Checklist for analyzing DB Sec. Review outcome Page 5 of 12
 ®

i) listener.ora: Check if the parameter extproc_dlls is set

j) listener.ora: Check if the parameter logging_listener is set
k) listener.ora: Check if the parameter inbound_connect_timeout_listener is set
l) listener.ora and tnsnames.ora: Check if the external procedures are enabled

Check the sqlnet.ora!

a) sqlnet.ora: What are the values of names.directory_path?
b) sqlnet.ora: What are the values of sqlnet.authentication_services?
c) sqlnet.ora: Check if the parameter sqlnet.encryption_client is set
d) sqlnet.ora: Check if the parameter sqlnet.crypto_checksum_server is set
e) sqlnet.ora: Check if the parameter sqlnet.crypto_checksum_client is set
f) sqlnet.ora: Check if the parameter tcp.validnode_checking is set
g) sqlnet.ora: Check if the parameter tcp.invited_nodes is set
h) sqlnet.ora: Check if the parameter tcp.excluded_nodes is set
i) sqlnet.ora: Check if the parameter sqlnet.inbound_connect_timeout is set
j) sqlnet.ora: Check if the parameter sqlnet.expire_time is set
k) sqlnet.ora: Check if the parameter sqlnet.allowed_logon_version is set
l) sqlnet.ora: Check if the parameter sec_user_audit_action_banner is set
m) sqlnet.ora: Check if the parameter sec_user_unauthorized_access_banner is set
n) sqlnet.ora: Check if the parameter wallet_override is set
o) sqlnet.ora: Check if Tracing is enabled

Check the protocol.ora!

Check the ldap.ora!

Check the tnsnames.ora!

Check other configuration files for sqlnet!

Check the listener status!

1.1 Patch history

Check the Patch Information /OPatch! Interim Patches?

Oracle DB Security Review Package: Checklist for analyzing DB Sec. Review outcome Page 6 of 12
 ®

2 AUDITING
Please follow the sql identifiers and the review suggestions for auditing.

2001. Check the Audit parameters.

2002. What are the audited system privs?
2003. Oracle Recommended Audit Privs, which are not audited?
2004. Check the System auditing options across the system and by user.
2005. Check the auditing options on all objects.
2006. Last 100 audit trail records from today. Do you see any unusual?
2007. Last 100 FGA audit trail records from today. Do you see any unusual?
2008. Check the system privileges audited across the system and by user.
2009. Check the complete Audit Configuration.
2010. Check if the problem described in note 455565.1 exists!
2011. Check if the problem described in bug 6636804 exists!
2012. Check if the problem described in bug 6124447 exists!
2013. Check audit privileges granted to users and roles. Is there a SoD setup?
2014. Check sharing database logons. Unallowed access?
2015. Check sharing database logons details from today
2016. Check orphaned users, that did not connect to the DB in the last 90 days
2017. Check the OEM login users
2018. Check audited failed logins (Brute Force?)
2019. Check current sessions. Here you can really find important statements: e.g. is there a direct
connection of an application owner, or of a application user not coming from apps-server or
who is using TOAD and MS Query (Excel) etc.
2020. Check if there are EM 9i current sessions
2021. Check all users, only for information in this case
2022. Check open, locked, expired, …db accounts. Lot of questions can be asked: Brute force
attacks, never locked a user, etc.
2023. Check the different profiles. Different profiles for different user groups?
2024. Check the locked users. Lot of questions: Why you do not delete a 10 years old locked user?
Etc.
2025. Check the expired accounts, same as 2024: like
2026. Check all NOT Oracle standard users. Here you can see the account management concept:
Is it more DB driven or application driven. Think about EUS, LDAP etc.
2027. Check the users in the password file, any unusual addings?
2028. Check the users with their profile and user pwd type (external, global)
2029. Show Invisible Users. Could this be a problem?
2030. Show root Kits. E.g. a hidden user in DBA_USERS or ALL_USERS
2031. Show Invisible Roles in DBA_ROLES
2032. Which Options/Functions are activated
2033. All Schema not registered. Show all schema in the database which are not named in
dba_registry. In common: customer schemas for enduser and applications (nothing Oracle
standard)
2034. Show all disabled triggers. Is the result a surprise? Special logon_trigger diabled?
2035. Show all disabled constraints. Do you see problems?
2036. Show all user with Objects. These are the Object Owners.
2037. Show all users without Objects. These are the Apps_user or functional users.

Oracle DB Security Review Package: Checklist for analyzing DB Sec. Review outcome Page 7 of 12
 ®

3 AVAILABILITY
Please follow the sql identifiers and the review suggestions for availability.

3001. Check the multiplexing

3002. Check the Control Files status, multiplexing?
3003. Check the Redo Log Files status, multiplexing?
3004. Check the objects with >200 extents. Fragmentation is a problem if not having local managed
tablespaces
3005. Check the objects which have a problem to create next extent
3006. Check if any invalid objects are in DB
3007. Infos about Recovery File Destination (FRA)
3008. Which data file types are stored in FRA
3009. Recylcebin of last 7 days (Tablespace UNDO)
3010. Show objects which was recycled out of the recycle bin.
Normally you will see this by indexes they still get the recycled name like BIN$%
3011. Check RMAN configuration chages, which policies does the customer change
3012. RMAN Status of the last 7 days, what the customer did with RMAN?
3013. Available backups. If there is no rman repository, backup information will stored in controlfile
3014. Show all corrupted backups
3015. Show corrupted Blocks in DB
3016. Show all current session with the highest CPU consumption
3017. Show all sessions with the highest time for a certain wait
3018. Show all sessions with highest DB Time usage
3019. Show all ASM attributes
3020. Show all ASM Files

Check additional information

 Have customer a load peak (end of month, end of year)

 Use of Standby DBs
 Do they need to scale their resources in a better way
 Backup & recovery Concept

If available check alert.log (, trace files,…).

Oracle DB Security Review Package: Checklist for analyzing DB Sec. Review outcome Page 8 of 12
 ®

4 ACCESS CONTROL
Please follow the sql identifiers and the review suggestions for access control.

4001. Check All Users in DB

4002. Check which users are with DBA privs
4003. Check which users are with SYSDBA/SYSOPER privs
4004. Check which users have audit privileges
4005. Check which users have access to dictionary tables
4006. Check which users have access to tables SYS.*$*
4007. Check the db roles
4008. Check which db roles are created by customer only
4009. Check db roles with pwd
4010. Check which users created roles or doing part of Acc. Mgmt.
4011. Check which user has which role
4012. Check the db links user and local roles in local DB of same user
4013. Check granted Roles to Role
4014. Check granted System privileges to Roles and Users
4015. Check users with ANY privileges
4016. Check users with EDITIONS privs
4017. Check users with POWERPRIVS ('CREATE ANY JOB','BECOME USER','EXPORT FULL
DATABASE','IMPORT FULL DATABASE')
4018. Check users with DROP USER and ALTER USER privs, is there a SoD in Account
Management configured?
4019. Check users with ALTER SESSION privs
4020. Check users with CONNECT privs (in earlier releases the connect role had a alter session
grant). In general no standard Oracle roles like connect, resource to enduser.
4021. Check users with deadly system privileges (for accounts different than Oracle standard
accounts)
4022. Check for users with EXPORT/IMPORT FULL DATABASE
4023. Check users with deadly roles for accounts different than Oracle standard accounts
4024. Check users with ALTER SYSTEM privs
4025. Check users with UNLIMITED TABLESPACE ACCESS
4026. Check which users can bypass CLS/RLS (‘EXEMPT ACCESS POLICY’)
4027. Check the security related init.ora parameter. Just for information only. Maybe you forgot sth.
In chapter configuration.
4028. Check users with LS_READ and LS_WRITE
4029. Check the dependencies for UTL_FILE, UTL_SMTP, UTL_HTTP, UTL_TCP
4030. Check grants to important PL/SQL Packages
4031. Check EXECUTE grants to non db standard users
4032. Check the SYSTEM-level End User Privs
4033. Check the ROLE-level End User Privs
4034. Check the OBJECT-level End User Privs without PUBLIC
4035. Check the Special/Sensitive Object Grants for
('DBMS_BACKUP_RESTORE','STATS$SQLTEXT','STATS$SQL_SUMMARY','SOURCE$','U
SER_HISTORY$')
4036. Check the OBJECT Privs to PUBLIC
4037. Check all proxy connections in the DB
4038. Check all proxy users
4039. Check proxy roles
4040. Check proxy user and roles

Oracle DB Security Review Package: Checklist for analyzing DB Sec. Review outcome Page 9 of 12
 ®

4041. Check VPD policies

4042. Check all contexts
4043. Check the Network ACL
4044. Check the privileges associated with the ACL (DBA_NETWORK_ACL_PRIVILEGES)
4045. Check the XML ACL from XDB
4046. Check the JAVA permissions
1008. As well in 01_CONF - Check all directories and grants on directories
4047. Check who has privileges to directory objects
4048. This script shows how many system privileges an user has. The most system privileges has
per default sys (around 200).

Check additional information (group members of dba, oinstall, oper) if available

The script 04_acl11g.sql will generate not only the log-file. Some additional csv-files will be generated.
These files focusing on access control in database. For a better analyzing we have setup a little load-
tool to bring the data into a database and start the analyzing in the database. You will find the tool in
this folder EvaluationDBSetup/. After Loading you can start your own queries. The file
Select_Collection4ACL.sql do have some examples for you collected.

Oracle DB Security Review Package: Checklist for analyzing DB Sec. Review outcome Page 10 of 12
 ®

5 ADDITIONAL INFORMATION
Please follow the sql identifiers and the review suggestions for additional information.

5001. Check if encrypted tablespaces in use

5002. Check if encrypted columns in use
5003. Check if Data Labels/OLS in use
5004. Check if objects with special data types in use
5005. Check the libraries, are there own libraries which will be called e.g. with extproc?
5005.1 All Libraries which have a file in OS-> file_spec is not null.
5006. Check listing of all failures
5007. Check the patchsets
5008. Check the patches
5009. Check the DB Vault realms. The queries are commented, because only the dbvowner can
read from dictionary tables. If DBV is enabled then query should be start manually.
5010. Check the DB Vault protected objects and authorizations
5011. Check the SCHEDULER jobs in the last 24h
5012. Check all SCHEDULER programs
5013. Check all SCHEDULER credentials.

Oracle DB Security Review Package: Checklist for analyzing DB Sec. Review outcome Page 11 of 12