Introduction:
- Poor database configurations, such as weak password policies, insufficient control of overprivileged accounts, and lack of activity monitoring, are the most common causes of database vulnerabilities.
- In Data Safe, Security Assessment provides you with an overall picture of your database and its security posture. It analyzes database configurations, users and user entitlements, and security policies to uncover security risks and improve the security posture of Oracle databases within your organization.
- Security Assessment helps you assess the security of your database configurations. It analyzes database configurations, user accounts, and security controls, and then reports the findings with recommendations for remediation activities that follow best practices to reduce or mitigate risk.
- Oracle Data Safe automatically creates a security assessment of your target database during registration. This assessment is referred to as the latest assessment and is automatically updated on a weekly basis. All assessments are stored in the Assessment History.
- You can analyze assessment data across all your target databases and for each target database. You can monitor security drift on your target databases by comparing the latest assessment to a baseline or to another assessment.
In my previous Data Safe blog, we walked through the steps to register an Autonomous AI Database with Data Safe and explored the Data Safe security center.
In this blog, we will walk through the steps to:
- View Security Assessment's overview page and the latest security assessment for your target database
- Create a risk on the target database and adjust the risk level of a risk finding
- Set the latest assessment as the baseline assessment
- Compare a new assessment with the baseline
Prerequisites:
- A free tier or paid Oracle Cloud account
- A provisioned Always Free Autonomous AI Database
- Access to a registered target database (covered in my previous Data Safe blog)
Task #1: View Security Assessment overview page
1. From the navigation menu, select Oracle AI Database, and then Data Safe - Database Security.
2. Under Security center, click Security assessment.
3. Under List scope, select your compartment. Deselect Include child compartments. The overview page shows statistics for all your target databases under the selected compartment.
4. Review the charts.
- Risk level chart: shows you a percentage breakdown of the different risk levels (High, Medium, Low, Advisory, and Evaluate) across all target databases in the selected compartment.
- Risks by category chart: shows you a percentage breakdown of the different risk categories (User accounts, Privileges and roles, Authorization control, Data encryption, Fine-grained access, Auditing, and Database configurations) across target databases in the selected compartment.
- Top 5 common security controls chart: shows a bar graph of the number of target databases at each risk level for each of the top five common controls. The top five common controls are the five security controls that Oracle considers the most important to the security of your target databases. Clicking on any of the bars will show you the list of target databases associated with the selected data.
5. Review the Risk summary tab.
- It shows you how much risk you have across all target databases in the specified compartment.
- You can compare the number of high, medium, low, advisory, and evaluate risk findings across all target databases, and view which risk categories have the greatest numbers.
- Risk categories include Target databases, User accounts, Privileges and roles, Authorization control, Fine-grained access control, Data encryption, Auditing, and Database configuration.
6. Review the Target summary tab.
- It shows you the security posture of each target database.
- You can view the number of high, medium, low, advisory, and evaluate risk findings for each target database.
- You can view the latest assessment date and find out if the latest assessment deviates from a baseline (if one is set).
- You can access the latest assessment report for each target database.
Task #2: View the latest Security Assessment for your Target Database
1. On the Target summary tab, locate your target database and click View report.
2. Review the top 5 common security controls that Oracle considers to be the most important to the security of your target databases. You can click the links to quickly navigate to more detail below.
3. Review the information in the Summary table. This table compares the number of findings for each category in the report and counts the number of findings per risk level.
4. Click the Assessment information tab to view details about the security assessment, such as its OCID, compartment name, target database name, target database version, assessment date and time, schedule, name, and the name of the baseline assessment.
5. Scroll down and view the Assessment details section.
This section shows you all findings for each risk category. Risks are color-coded to help you easily identify categories that have high risk findings (red).
Under Filters by risks on the left, you can select the risk levels that you want displayed. You can also filter by the security standards that the findings reference.
6. Expand categories and review the findings.
In this demo, the Transparent Data Encryption finding is low risk (orange) and has three references.
Task #3: Adjust Finding Risk Level
You can defer or change the risk level of a risk finding. In this demo, we will defer the Users with Unlimited Concurrent Sessions risk finding.
1. Click the pencil icon for the Users with Unlimited Concurrent Sessions finding.
2. In the Update risk for finding panel, select Defer risk. Optionally, enter a justification and set an expiration date. Click Save. Notice that the risk finding is recategorized in the Assessment details section.
Setting an expiration date is optional. Upon expiry, the next assessment resumes evaluating the finding and displays it as found. With no expiration date, the risk finding is deferred indefinitely.
Task #4: Set the latest Assessment as a Baseline
1. At the top of the Assessment report page, click Set as baseline. Click Yes to confirm.
Task #5: Create a risk on the Target Database
1. Access the SQL worksheet in Database Actions of your Autonomous AI Database.
2. As ADMIN, execute the grant command below.
grant ALTER ANY ROLE to PUBLIC;
Task #6: Refresh the latest Security Assessment and analyze the results
1. At the top of the latest security assessment report page, click Refresh now to get the latest data. The Refresh now panel is displayed. Leave the default name as is, and click Refresh now. Wait for the status to read as SUCCEEDED.
2. Click the Assessment information tab. Notice that the assessment date and time is right now, and that Complies with baseline is equal to No.
3. Scroll down and expand the finding System Privileges Granted to PUBLIC. Notice that this is a high risk finding.
Task #7: Compare new Assessment with the Baseline
1. With the latest security assessment displayed, under Resources on the left, click Compare with baseline.
2. From the Baseline drop-down list, select your baseline. Click Compare.
3. When the comparison operation is completed, scroll down the page to the Comparison with baseline section and review the information.
- You can identify where the changes have occurred on your target database by viewing cells that contain the word Modified. The number represents the total count of new, remediated, and modified risks on the target database.
- In the details table, you can view the risk level for each finding, the category to which the finding belongs, the finding name, and a description of what has changed on your target database. The Comparison Report column is important because it explains what is changed, added, or removed from the target database since the baseline report was generated.
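To confirm the System Privileges Granted to PUBLIC finding from the database side and undo the demo grant from Task #5, the following SQL can be run in the same SQL worksheet. This is an added example, not part of the original post; it assumes the ADMIN user can query the DBA_SYS_PRIVS dictionary view.

```sql
-- Added example: run as ADMIN in the Database Actions SQL worksheet.

-- 1. List every system privilege currently granted to PUBLIC.
--    After Task #5, ALTER ANY ROLE appears in this list.
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  grantee = 'PUBLIC'
ORDER  BY privilege;

-- 2. Remove the grant that was made for the demo in Task #5.
REVOKE ALTER ANY ROLE FROM PUBLIC;

-- 3. Re-run the check for that one privilege; a count of 0 means
--    PUBLIC no longer holds ALTER ANY ROLE.
SELECT COUNT(*) AS remaining_grants
FROM   dba_sys_privs
WHERE  grantee   = 'PUBLIC'
AND    privilege = 'ALTER ANY ROLE';
```

After the revoke, refresh the assessment as in Task #6 and run the comparison from Task #7 again to see how the report reflects the change.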
Thanks for reading !!!