
RE: Asinine security in Oracle, Part Deux

From: Boivin, Patrice J <BoivinP_at_mar.dfo-mpo.gc.ca>
Date: Mon, 10 Jun 2002 12:19:30 -0800
Message-ID: <F001.004795F3.20020610121930@fatcity.com>


I am working on notes re. how to secure iAS on Win32 for us here. Pete Finnigan is working with SANS (and Oracle) to put an Oracle security step-by-step guide together.

I asked Oracle Canada if, when they talk about "Unbreakable Oracle", this includes iAS on NT. No response from the Oracle contact people. Meanwhile the MetaLink techs declined to provide guidelines as well; they said they can only answer specific questions, one issue per TAR. Now I see Oracle is talking about unbreakable LINUX, perhaps because they may have more control over OS configuration(?).

If anyone has more info / suggestions / warnings on how to secure iAS on NT, please bring them up.

Re. securing NT, for fun I tried the trial version of InfoStat scanner (single user trial license) on my NT workstation here, to see the result after having patched Windows NT workstation to the latest patchset and Windows Update. It found less than five critical vulnerabilities, but a total of 108 vulnerabilities in all. This includes the critical ones. Most of them do not appear to be major; it all depends on how high you want to raise the bar I suppose.

C|Net e-mailed me a notice that their little application now scans for vulnerabilities; it found nine on my workstation.

I am also doing searches on the 'net for info on how to secure Apache for Win32, not obvious since the Apache Group's focus is mostly LINUX and UNIX.

I am not endorsing one OS or the other but am a little frustrated with the lack of info out there. It's a bit of a cat and mouse game I think. I also find it hard to balance the opinions of people who like to see particular vendors flounder on the one hand, and posturing and bravado on the part of software and OS vendors on the other.

I like things to be cut and dry and this doesn't appear to be one of those things.

Comments would be appreciated.

Regards,
Patrice Boivin
Systems Analyst (Oracle Certified DBA)

Received on Mon Jun 10 2002 - 15:19:30 CDT