4.2.2 Hardening

  • The directory $ORACLE_HOME/bin contains Oracle executables. Check that the operating system owner of these executables matches the operating system user under which the files have been installed. A typical mistake is to install the executables in user oracle’s directory but owned by root.
  • Prevent remote login to the Oracle (and root) accounts. Instead, require that legitimate users connect to their own accounts and su to the Oracle account. Better yet, use sudo to restrict access to executables.

Refer to the product installation documentation for the complete instructions on setting file permissions.

On UNIX systems:
  • Set the permissions on $ORACLE_HOME/bin to 0751 or less. Set all other directories in $ORACLE_HOME to 0750 or less. Note that this limits access to the Oracle user and its groups (probably DBA).
  • Set file permissions for listener.ora and sqlnet.ora to 0600.
  • Set file permissions for tnsnames.ora to 0644.
  • Ensure that the owner, group and modes of the Oracle files created upon installation are set to allow minimum privilege. The following commands make this change. Note that the group and owner shown are for illustration only; substitute the correct group and owner.

    $ chgrp -R <dba> $ORACLE_HOME

    $ chown -R <oracle> $ORACLE_HOME

  • Review owners and groups when cloning a database.
  • Protect the $ORACLE_HOME/rdbms/admin directory including catalog.sql, catproc.sql and backup scripts.
  • Secure scripts containing usernames and passwords.
  • Verify that set user id (SUID) and set group id (SGID) are not set on binaries. In general, Oracle recommends that the SUID and SGID bits be removed from binaries shipped by Oracle.
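
The mode, owner and SUID/SGID checks listed above can be scripted as a read-only audit. The script below is an added example, not part of the product documentation; it assumes GNU coreutils stat, assumes listener.ora, sqlnet.ora and tnsnames.ora are in $ORACLE_HOME/network/admin unless another directory is passed, and its function names are illustrative.

```shell
#!/bin/sh
# Added example: report deviations from the file-permission guidance above.
# Assumptions: GNU coreutils `stat -c`; config files live in network/admin.

# check_max PATH MAX: print a finding if PATH has any mode bit outside MAX.
check_max() {
    [ -e "$1" ] || return 0
    mode=$(stat -c '%a' "$1")
    if [ $(( 0$mode & ~0$2 & 07777 )) -ne 0 ]; then
        echo "MODE $1 is $mode, expected $2 or less"
    fi
}

# list_findings HOME OWNER [CONFIG_DIR]: one line per deviation, none if clean.
list_findings() {
    home=$1 owner=$2 cfg=${3:-$1/network/admin}
    check_max "$home/bin" 751
    # Every other directory under the home: 0750 or less.
    find "$home" -type d ! -path "$home" ! -path "$home/bin" |
        while IFS= read -r dir; do check_max "$dir" 750; done
    check_max "$cfg/listener.ora" 600
    check_max "$cfg/sqlnet.ora" 600
    check_max "$cfg/tnsnames.ora" 644
    # Executables not owned by the installing user (e.g. left owned by root).
    find "$home/bin" -type f ! -user "$owner" -exec echo OWNER {} \;
    # SUID or SGID bit set on a binary.
    find "$home/bin" -type f \( -perm -4000 -o -perm -2000 \) \
        -exec echo SUID/SGID {} \;
}

# audit_oracle_home: print the findings and return non-zero if there are any.
audit_oracle_home() {
    report=$(list_findings "$@")
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}
```

Call it as audit_oracle_home "$ORACLE_HOME" <oracle>, substituting the installing user; a non-zero exit status means at least one deviation was printed.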

The database and applications require that the underlying operating system provide certain services.

Electronic Mail

The application may require access to an SMTP Mail Transfer Agent (SMTP MTA), typically sendmail. This is required for outbound emails, typically notifications from the application (if this feature is desired by the financial institution). If possible, restrict access to the operating system users who absolutely need the mail facility from the shell.

Remote Access

Use secure shell (ssh) to access middle-tier and database hosts. This replaces telnet, rsh, rlogin, rcp and ftp.

The following services may provide operational convenience:
  • NTP (Network Time Protocol) – for synchronizing the clock on the UNIX hosts to provide accurate audit records and simplify troubleshooting.
  • CRON – for operating system cleanup and log file rotation.