CIS Oracle Database 8i Benchmark v1.2.0 Checklist Details

Supporting Resources:

Target:

Target CPE Name
Oracle Database 8i cpe:/a:oracle:database_server:8

Checklist Highlights

Checklist Name:
CIS Oracle Database 8i Benchmark
Checklist ID:
17
Version:
v1.2.0
Type:
Compliance
Review Status:
Archived
Authority:
Third Party: Center for Internet Security (CIS)
Original Publication Date:
01/01/2003

Checklist Summary:

This guide provides high-level recommendations to secure an Oracle database. By configuring the database to the new benchmark, a secure baseline configuration is introduced to protect the system from the common out-of-the-box vulnerabilities. The guide presents steps that can be adopted to securely install, set up, configure, and operate an Oracle database. The guide also contains many specific security recommendations, which are divided into three categories: Level 1, Level 2, and Appendix. Level 1 recommendations represent a minimum baseline that is suggested for most environments, are easily implemented by someone with minimal background, are not likely to break database or application functionality, and can be scored with a tool provided by the Center for Internet Security. Level 2 recommendations provide greater security but may require an advanced-level DBA to implement and/or may break database or application functionality. Appendix items are suggestions rather than recommendations for further hardening of the database environment. They are likely not applicable to most environments or may not be strictly within the realm of database security.

Checklist Role:

  • Database Server

Known Issues:

This guide provides high-level recommendations to secure an Oracle database. By configuring the database to the benchmark, a secure baseline configuration is introduced to protect the system from the common out-of-the-box vulnerabilities. It is strongly recommended that these settings be reviewed to comply with local policy and tested on non-production systems before being deployed. The recommendations should be implemented with consideration to the particular database and application environment. Some of the suggested security settings may be overridden by local policy. It is important to note that the parameters and their values need to be spelled correctly to ensure the desired policy has been implemented. Many of the parameters and settings, if misspelled, will not cause an error or warning message to be generated. Level 2 recommendations may require an advanced-level DBA to implement and/or may break database or application functionality.

Target Audience:

This checklist has been created for IT professionals, information security and database personnel. The document assumes that the reader has experience installing and administering Oracle Server databases.

Target Operational Environment:

  • Managed

Testing Information:

Not provided.

Regulatory Compliance:

Not provided.

Comments/Warnings/Miscellaneous:

Refer to Known Issues.

Disclaimer:

Proper use of the recommendations requires careful analysis and adaptation to specific user requirements. The recommendations are not in any way intended to be a quick fix for anyone's information security needs. CIS makes no representations, warranties or covenants whatsoever as to (i) the positive or negative effect of the products or the recommendations on the operation or the security of any particular network, computer system, network device, software, hardware, or any component of any of the foregoing or (ii) the accuracy, reliability, timeliness or completeness of any product or recommendation. CIS is providing the products and the recommendations as is and as available without representations, warranties or covenants of any kind.

Product Support:

Not provided.

Point of Contact:

oracle-feedback@cisecurity.org

Sponsor:

Not provided.

Licensing:

Not provided.

Change History:

Updated reference link per instruction from CIS - 1/28/19
updated URLs - 7/25/19
updated URLs - 3/15/2022
Archive - 8/31/23
updated status to archived - 2/23/24

Dependency/Requirements:

URL Description

References:

Reference URL Description

NIST checklist record last modified on 02/23/2024