Since the DB itself remains insecure, the main mitigation is still monitoring, and Facet-based Real-Time monitoring in EM12c is an excellent feature that, at minimum, enables DBAs to identify unauthorized state changes such as backdoored procedures, albeit with a slower reaction time than my on-host state-checking. The main challenge is that for this security monitoring to be worth the effort, it has to be done from an unpolluted vantage point. So we need to separate the Oracle SA tools from the Oracle DBA tools.
EM12c, with its scripted EMCLI, may provide the large-scale automation needed to counter-balance the asymmetric nature of preventing an attack, but EM12c blurs the lines between the Oracle DBA and the OS SA. Oracle DBA practice has been dangerously moving towards DBAs expecting root access. This is not acceptable. In addition, "oracle" unix access should only be given in time-limited chunks and tied to an identity for that session. The DB should then be state-checked before and after the session for recent backdoors; otherwise DBA for a day can be DBA for a year. PowerBroker aims to secure privileged access, and the root-based backdoor checker that I have written in Chapter 14 can verify that a time-limited break-glass session has not been usurped, so with the knowledge in this topic it should be possible for you to Protect Oracle 12c.
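The before-and-after state check described above can be illustrated with a small script. This is an added example written for this page, not the book's Chapter 14 checker and not any Oracle or PowerBroker tool: it assumes stored-procedure source has been pulled from DBA_SOURCE as (OWNER, NAME, TYPE, LINE, TEXT) rows, fingerprints each object, and attributes any change to the identity that held the break-glass session. The rows and the session record below are constructed so the script runs offline.

```python
"""Before/after state check of stored PL/SQL source around a break-glass session.

Added example (not the book's own checker). Assumes the rows come from
DBA_SOURCE (OWNER, NAME, TYPE, LINE, TEXT); the rows and session record here
are constructed sample data so the script runs without a database.
"""
import hashlib
from collections import defaultdict


def snapshot_from_rows(rows):
    """Group DBA_SOURCE-style rows by object and hash each object's full text.

    Hashing per object (rather than per line) means a single changed line in a
    procedure body shows up as a changed fingerprint for that object.
    """
    text_by_obj = defaultdict(list)
    for owner, name, obj_type, _line, text in sorted(rows, key=lambda r: r[:4]):
        text_by_obj[(owner, name, obj_type)].append(text)
    return {
        obj: hashlib.sha256("".join(lines).encode("utf-8")).hexdigest()
        for obj, lines in text_by_obj.items()
    }


def diff_snapshots(before, after):
    """Return the objects modified, added and removed between two snapshots."""
    modified = sorted(k for k in before if k in after and before[k] != after[k])
    added = sorted(k for k in after if k not in before)
    removed = sorted(k for k in before if k not in after)
    return {"modified": modified, "added": added, "removed": removed}


def check_break_glass_session(session, before_rows, after_rows):
    """Tie any state change to the session identity so it cannot be anonymous."""
    delta = diff_snapshots(snapshot_from_rows(before_rows), snapshot_from_rows(after_rows))
    return {
        "session_id": session["id"],
        "identity": session["identity"],
        "clean": not any(delta.values()),
        "delta": delta,
    }


# Constructed sample rows, shaped like DBA_SOURCE output (not real Oracle objects).
BEFORE_ROWS = [
    ("HR", "PAY_RAISE", "PROCEDURE", 1, "PROCEDURE pay_raise IS\n"),
    ("HR", "PAY_RAISE", "PROCEDURE", 2, "BEGIN\n"),
    ("HR", "PAY_RAISE", "PROCEDURE", 3, "  UPDATE employees SET salary = salary * 1.05;\n"),
    ("HR", "PAY_RAISE", "PROCEDURE", 4, "END;\n"),
    ("SYS", "DBMS_EXAMPLE", "PACKAGE BODY", 1, "PACKAGE BODY dbms_example IS END;\n"),
]

# After the session: one line was inserted into PAY_RAISE and a new procedure appeared.
AFTER_ROWS = [
    ("HR", "PAY_RAISE", "PROCEDURE", 1, "PROCEDURE pay_raise IS\n"),
    ("HR", "PAY_RAISE", "PROCEDURE", 2, "BEGIN\n"),
    ("HR", "PAY_RAISE", "PROCEDURE", 3, "  UPDATE employees SET salary = salary * 1.05;\n"),
    ("HR", "PAY_RAISE", "PROCEDURE", 4, "  INSERT INTO hr.raise_log VALUES (SYSDATE);\n"),
    ("HR", "PAY_RAISE", "PROCEDURE", 5, "END;\n"),
    ("HR", "UNEXPECTED", "PROCEDURE", 1, "PROCEDURE unexpected IS BEGIN NULL; END;\n"),
    ("SYS", "DBMS_EXAMPLE", "PACKAGE BODY", 1, "PACKAGE BODY dbms_example IS END;\n"),
]

# Constructed session record; a real one would come from the access broker's log.
SESSION = {"id": "BREAK-GLASS-0001", "identity": "dba.alice@example.invalid"}

if __name__ == "__main__":
    report = check_break_glass_session(SESSION, BEFORE_ROWS, AFTER_ROWS)
    print(f"session {report['session_id']} held by {report['identity']}: "
          f"{'clean' if report['clean'] else 'STATE CHANGED'}")
    for kind, objs in report["delta"].items():
        for owner, name, obj_type in objs:
            print(f"  {kind:8s} {owner}.{name} ({obj_type})")
```

The "before" snapshot must be taken from the unpolluted vantage point the text calls for (the SA's host-side checker, not the DBA's own tooling), and any object in the modified or added lists should be reconciled against the change ticket that justified the session before the identity is released from responsibility for it.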