Waters

What are Waters' recommendations for securing a NuGenesis database server? - WKB206780

Article number: 206780

ENVIRONMENT

  • NuGenesis 9.3
    • Oracle 19c on RHEL 8.4 or Windows Server 2016 / 2019
  • NuGenesis 9.2 / Empower LMS 1.0
    • Oracle 19c on RHEL 7.7 or Windows Server 2016 / 2019
  • NuGenesis 9.1
    • Oracle 19c on RHEL 7.7 or Windows Server 2016 / 2019
  • NuGenesis 9.0.x
    • Oracle 12c on RHEL 7.5 or Windows Server 2012 / 2016
    • Oracle 19c on RHEL 7.7
  • NuGenesis 8 SR2
    • Oracle 11.2 on RHEL 5.6 or 6.2 or Windows Server 2012

ANSWER

  • OS:
    • Limit OS logons via SSH/RDP/etc to the few DBAs who need access to the system
    • Configure the OS firewall to permit inbound connections only on port 1521 (or the TNS listener port, if it was changed from the default) and on the port used by the remote access protocol (SSH/RDP)
    • Limit sudo access to the Oracle software owner account to only those who require it (Linux)
    • Configure ownership and privileges to only what is required for mounts used by Oracle (Linux)
    • Run the OracleService and TNS Listener services under a limited-rights local or domain account instead of LocalSystem (Oracle's default service account). On Windows, that account must be a member of the ORA_DBA group; have Read/Write/Modify permissions on all files and folders in the Oracle Home path, the data file path, the control files, and the redo/archive logs; and hold the "Log on as a service" and "Log on as a batch job" privileges
  • Oracle:
    • Manage the NuGenesis schema accounts as per Waters' recommendations
    • If the NuGenesis Stability module will be used, then set a limit on failed login attempts on the profile "slimprofile":
      • ALTER PROFILE slimprofile LIMIT failed_login_attempts 5;
    • Use SQLNet encryption in the sqlnet.ora files on the Oracle database and clients.  By default, in NG 9.x, the sqlnet.ora sets "sqlnet.encryption_server" and "sqlnet.encryption_client" to Requested, and "sqlnet.encryption_types_server"/"sqlnet.encryption_types_client" to AES256
    • Evaluate whether the installed Oracle Database components or options correspond with the list in the linked article. Vulnerabilities in database components/options which are not used by NuGenesis are not expected to impact NuGenesis databases; however, if the database has components/options beyond those required for NuGenesis, those excess components/options could pose a security risk and should be removed. The NuGenesis Database installer for Windows platforms installs only the required components/options, and the embedded license agreement does not allow customers to modify the database directly, so the risk of excess DB components is low on Windows. On Linux platforms, the customer provides the Oracle binaries installation and creates the instances/PDBs for NuGenesis under the terms of their own license with Oracle, so excess components/options may be installed
    • Use LDAP authentication (with TLS encryption) in NuGenesis SDMS and LMS so that application users do not need Oracle Database accounts
    • Lock or drop any non-NuGenesis-schema accounts which are not needed
    • Apply the principle of "least privilege" to the accounts which must remain active.  Restrict SYSDBA access to only the few users who need it
    • In Oracle 12c and 19c databases, enable the default Unified Audit Trail policies ORA_SECURECONFIG and ORA_LOGON_FAILURES, as a minimum.  Those two default policies allow system administrators to check for excess logon failures
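Worked example, added here and not part of the Waters article: a SQL script a DBA can run as a privileged user to apply the slimprofile limit, enable the two default Unified Audit policies, and report logon failures from the audit trail. It assumes Unified Auditing is active on a 12c/19c instance and that the statements are run in the database (or PDB) holding the NuGenesis schemas; the audit-view column names are the ones documented for those releases.

```sql
-- Added example (not Waters' own script). Run as a DBA in the NuGenesis database/PDB.
-- Assumes Unified Auditing is active (Oracle 12c/19c).

-- 1. Cap failed logins on the Stability module profile and verify the limit took effect.
ALTER PROFILE slimprofile LIMIT failed_login_attempts 5;

SELECT profile, resource_name, limit
  FROM dba_profiles
 WHERE profile = 'SLIMPROFILE'
   AND resource_name = 'FAILED_LOGIN_ATTEMPTS';

-- 2. Enable the two default policies and confirm they show as enabled.
AUDIT POLICY ORA_SECURECONFIG;
AUDIT POLICY ORA_LOGON_FAILURES WHENEVER NOT SUCCESSFUL;

SELECT policy_name, success, failure
  FROM audit_unified_enabled_policies
 WHERE policy_name IN ('ORA_SECURECONFIG', 'ORA_LOGON_FAILURES');

-- 3. Every failed logon in the last 24 hours.
--    return_code 1017 = ORA-01017 (invalid username/password),
--    return_code 28000 = ORA-28000 (account locked).
SELECT event_timestamp, dbusername, userhost, client_program_name, return_code
  FROM unified_audit_trail
 WHERE action_name = 'LOGON'
   AND return_code <> 0
   AND event_timestamp > SYSTIMESTAMP - INTERVAL '1' DAY
 ORDER BY event_timestamp DESC;

-- 4. Same window, aggregated per user and host: anything at or above the
--    profile's limit of 5 is the "excess logon failures" worth reviewing.
SELECT dbusername, userhost, COUNT(*) AS failures
  FROM unified_audit_trail
 WHERE action_name = 'LOGON'
   AND return_code <> 0
   AND event_timestamp > SYSTIMESTAMP - INTERVAL '1' DAY
 GROUP BY dbusername, userhost
HAVING COUNT(*) >= 5
 ORDER BY failures DESC;
```

Schedule the last two queries (or an equivalent alert) so that repeated failures against the NuGenesis schema accounts are seen promptly rather than only when someone reports a locked account.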

ADDITIONAL INFORMATION

See also: What are the security recommendations for Waters software systems?
