
kpmg

Top 10 Oracle Database Controls - Test of Control Template

Oracle Database Control Templates

Top 10 Oracle Database Controls


Contents

Oracle Database Controls

1 Database Administration – Determine if database administrative tasks are appropriately assigned.
1.1 Who has overall responsibility for Oracle database administration?
1.2 Has the responsibility for Oracle database security administration been formally and clearly defined?
1.3 Are database administration procedures formally documented and up to date?
1.4 Are database administration personnel involved in establishing security policies and standards?
1.5 Are database administration personnel aware of relevant corporate security policies and standards?

2 Database Configuration – Determine the appropriateness of the database configuration.
2.1 Check the database version to determine if the latest patchset has been installed. Check the version to determine if the database contains vulnerabilities described by Critical Patch Update - April 2005. Check the version to determine if the database contains vulnerabilities described by Oracle security alert 68.
2.2 Determine if the database is run in Archivelog mode or Noarchivelog mode.
2.3 Determine database parameter settings. Verify that the REMOTE_LOGIN_PASSWORDFILE parameter is set to NONE.
2.4 Determine the state of the current instance.
2.5 Determine the options that are installed with the Oracle Server.
2.6 Determine users with SYSDBA and SYSOPER privileges as derived from the password file.


3 Users and Profiles - Ensure that users and profiles have been appropriately created
3.1 Determine if database users use the same user ID and ‘plain-text’ password as their database link.
3.2 Determine if users have session, connect time or idle time restrictions.
3.3 Determine if any database users are using the ‘DEFAULT’ profile. The LIMIT values for these resources are typically ‘UNLIMITED’ as provided by the software-vendor.
3.4 Determine the restrictions placed on users accessing the database from tools such as SQL*Plus
3.5 Determine if passwords for vendor-provided database user IDs have been changed
3.6 Determine if database passwords are the same as the database user IDs.
3.7 Determine if profiles with the FAILED_LOGIN_ATTEMPTS parameter have a value that is greater than the limit specified by the security policy.
3.8 Check for profiles with the PASSWORD_LOCK_TIME parameter less than the limit specified by the security policy.
3.9 Check for profiles with the PASSWORD_LIFE_TIME parameter greater than the limit specified by the security policy.
3.10 Check for profiles with the PASSWORD_GRACE_TIME parameter greater than the limit specified by the security policy.
3.11 Check for profiles with the PASSWORD_REUSE_MAX parameter greater than the limit specified by the security policy.
3.12 Check for profiles with the PASSWORD_REUSE_TIME parameter greater than the limit specified by the security policy.
3.13 Check for profiles with the PASSWORD_VERIFY_FUNCTION feature not enabled.
3.14 Check that users change their passwords per the designated security policy.
3.15 Check that users have changed their passwords within the designated security policy requirements.

4 System & Object Privileges - Ensure that user access is restricted to authorized database objects and functions
4.1 Determine the appropriateness of default roles assigned to database users and other database roles.
4.2 Determine the appropriateness of privileges granted directly to database users and roles in the database
4.3 Determine the appropriateness of system privileges explicitly assigned to database users
4.4 Determine the appropriateness of table object privileges (not including column specific privileges) granted to specified database users and roles
4.5 Determine the appropriateness of privileges on database column privileges granted to specific database users and roles
4.6 Find all accounts or roles that have the system privilege CREATE LIBRARY or CREATE ANY LIBRARY. Obtain business justification for access to these privileges.
4.7 Check that permissions to execute the SYS.UTL_FILE package have not been granted to the PUBLIC role.
4.8 Check for accounts (other than DBA, SYS, and SYSTEM) that have been granted privileges to execute or create source code as SYS.
4.9 Check for accounts (other than DBA, SYS, and SYSTEM) that have been granted the privileges BECOME USER or ALTER USER.
4.10 Check for accounts (other than DBA, SYS, and SYSTEM) that have been granted the privilege CREATE PUBLIC SYNONYM.
4.11 Check for accounts (other than DBA, SYS, and SYSTEM) that have been granted the privilege GRANT ANY ROLE.
4.12 Check for accounts granted the system privilege ALTER SYSTEM, and obtain the associated business justification for such access.
4.13 Check for accounts (other than DBA, SYS, and SYSTEM) that have been granted the role JAVA_ADMIN and obtain business justification for such access.
4.14 Check for accounts that have been granted the predefined role DBA.

5 Operating System Security - Ensure that user access is restricted to authorized database objects and functions
5.1 Determine the appropriateness of locations for all control and datafiles
5.2 Examine the host operating system login security to ensure that all IDs represent valid, current users
5.3 Cross-reference the OS_AUTHENT_PREFIX parameter in the init<System/Instance ID>.ora file to the DBA_USERS listing
5.4 Ensure that remotely authenticated network users are not able to connect to the database by determining that the OPS$OFF parameter is used to start up the database
5.5 Ensure that the owner of all directories and files is the ‘Oracle’ account
5.6 Ensure that the Unix group owner is the group dba
5.7 Ensure that Unix directory permissions are 755 or less
5.8 Ensure that Unix file permissions are 750 for executable Oracle binary files
5.9 Ensure that the Unix umask parameter is set so that log files are not world writeable or readable
5.10 Ensure that NT/Windows 2000 file permissions are restricted so that there is no access to the group Everyone
5.11 Ensure that NT/Windows 2000 file permissions are set for files to inherit the permissions of their directory
5.12 Ensure that use of the Oracle account is restricted to the database administrator
5.13 Review the Unix /etc/group file to ensure that membership in the group ‘DBA’ is limited to the Oracle account to prevent unauthorized connects that are internal to the database
5.14 Review file permissions for the SQLDBA and server manager programs to ensure that their use is restricted to the Oracle administration account
5.15 Determine if there are any ops$ accounts used in the database

6 Database Utilities - Ensure that database utilities are adequately protected to prevent their misuse by unauthorized individuals
6.1 Determine if restrictions have been placed on users for specific tools
6.2 Determine that utilities such as SQL*Plus, Server Manager, Listener Control, and SQL*Loader cannot be executed by the world or unauthorized individuals
6.3 Ensure that sqlplus.ora, init.ora and lsnrctl.ora files cannot be written to by anyone other than the dba
6.4 Review access to stored procedures to ensure that users cannot execute stored procedures that go beyond what the users are authorized to perform
6.5 Print the sqlplus.ora and lsnrctl.ora and review to ensure that they are appropriate

7 Database Links - Ensure that database links do not provide access to unauthorized individuals
7.1 Determine the appropriateness of database links
7.2 Determine if database link passwords are in plain text
7.3 Determine if database link passwords are in plain text
7.4 Determine if the DBLINK_ENCRYPT_LOGIN parameter has been set to TRUE in the init.ora file on the server machine
7.5 Check for accounts (other than DBA, SYS, and SYSTEM) that have been granted the privileges DROP PUBLIC DATABASE LINK and CREATE PUBLIC DATABASE LINK.

8 Auditing - Ensure that unauthorized access to the database is adequately tracked
8.1 Review the INIT.ORA file for the parameter AUDIT_TRAIL
8.2 Review the list of all “statement” audit options set within the database for appropriateness
8.3 Review the list of all audit options set for all “system” privileges within the database for appropriateness
8.4 Review the list of all “object” audit options set for all objects in the database for appropriateness
8.5 Ensure that the audit trail is adequately protected on the operating system. Ensure that only the user ‘Oracle’ can write to the audit trail file
8.6 Determine if the SYS.AUD$ table in the database is used. If so, ensure that the table is adequately protected and that auditing is turned on for that table.
8.7 Verify that no accounts or roles have been granted permissions to modify or view the auditing table (SYS.AUD$).
8.8 Check that the AUDIT_TRAIL parameter has been enabled.
8.9 Check that auditing has been configured to record all connection attempts to the database.
8.10 Verify that the AUDIT_SYS_OPERATIONS parameter is set to TRUE.

9 Database Documentation - Ensure that adequate database documentation exists, that the database has been planned and implemented in an organized manner and that the roles and responsibilities of database staff are defined.
9.1 Review the following for completeness
9.2 Determine if the duties and responsibilities of the DBA are defined in writing and include

10 Database Availability, Backup and Recovery
10.1 Identify critical, dynamic tablespaces
10.2 Ensure that tablespaces have been distributed across multiple disks to distribute input/output
10.3 Review the df output to ensure that redo logs, archived redo logs, and control files have been mounted on separate disks and these disks have been mirrored on two separate disks each
10.4 Review contents of the file config.ora for control file names, and ensure that control files are located in three different file systems on three different disk drives.
10.5 Review and ensure that critical data file tablespaces are mirrored for faster recovery
10.6 Ensure that each disk uses a separate controller unit (see the device file name standard in the df output) to minimize the impact of controller failure
10.7 Ensure that disk and tablespace monitoring procedures are in place to ensure that growing requirements are known in advance of the need to resize or perform a tablespace reorganization
10.8 Determine that overall system memory and disk space requirements and future projections have been incorporated into the system's design
10.9 Review the db_block_size parameter in the init<System/Instance ID>.ora file and ensure that it is equal to the operating system block size (except for IBM AIX operating systems)
10.10 Ensure that the parameter log_archive_set in the init<System/Instance ID>.ora file is set to true so that the archive log mode is initialized.
10.11 Ensure that the parameter Checkpoint_process in the init<System/Instance ID>.ora file is set to true so that checkpoints are recorded in control files. Also ensure that the parameter Log_Checkpoint_Interval is set at an appropriate frequency in relation to database size and use.
10.12 Ensure that at a minimum, incremental backups (INCTYPE Export) are made every night (i.e., backup of objects changed since the prior backup)
10.13 Ensure that database backups (logical backups while the database is up and running) are scheduled at night when users are off the system, and overnight reports and other batch processing are finished
10.14 Ensure that the consistent feature is used with logical backups, to maintain rollback files to help protect database integrity
10.15 Assess the appropriateness of running logical backups with the database in the restricted mode, which ensures that users other than the database administrator may not be logged in during the backup
10.16 Determine that weekly logical backups (if not full system cold backups) are made with the full mode, using the complete option (the default), to ensure that the entire database is backed up
10.17 Review and ensure that complete file system backups (e.g., image backups) are made on a weekly or, at a minimum, a monthly basis
10.18 Review backup storage media cataloging, storage, and control procedures to ensure that backups are completed successfully, are labeled internally and externally, and are rotated off-site to a secure location.
10.19 Obtain and review database recovery testing documentation and test results. Ensure that the eight disk-failure recovery scenarios have been tested successfully.


1 Database Administration – Determine if database administrative tasks are appropriately assigned.

(Use ‘View | Markup’ from the main menu to turn comments on and off)

1.1 Who has overall responsibility for Oracle database administration?

1.2 Has the responsibility for Oracle database security administration been formally and clearly defined?

1.3 Are database administration procedures formally documented and up to date?

1.4 Are database administration personnel involved in establishing security policies and standards?

1.5 Are database administration personnel aware of relevant corporate security policies and standards?

2 Database Configuration – Determine the appropriateness of the database configuration.

2.1 Check the database version to determine if the latest patchset has been installed. Check the version to determine if the database contains vulnerabilities described by Critical Patch Update - April 2005. Check the version to determine if the database contains vulnerabilities described by Oracle security alert 68.
SQL Script 1 - chk_v$version
SQL Script 2 - chk_product_component_version

2.2 Determine if the database is run in Archivelog mode or Noarchivelog mode.
SQL Script 3 - chk_v$database

2.3 Determine database parameter settings. Verify that the REMOTE_LOGIN_PASSWORDFILE parameter is set to NONE.
SQL Script 4 - chk_v$parameter

2.4 Determine the state of the current instance.
SQL Script 5 - chk_v$instance

2.5 Determine the options that are installed with the Oracle Server.
SQL Script 6 - chk_v$option

2.6 Determine users with SYSDBA and SYSOPER privileges as derived from the password file.
SQL Script 7 - chk_v$pwfile_users

3 Users and Profiles - Ensure that users and profiles have been appropriately created

3.1 Determine if database users use the same user ID and ‘plain-text’ password as their database link.
SQL Script 8 - chk_dba_users
SQL Script 9 - chk_database_users_with_the_db_links

3.2 Determine if users have session, connect time or idle time restrictions.
SQL Script 10 - chk_dba_profiles
SQL Script 11 - chk_dba_grantee_with_this_profile

3.3 Determine if any database users are using the ‘DEFAULT’ profile. The LIMIT values for these resources are typically ‘UNLIMITED’ as provided by the software-vendor.
SQL Script 12 - chk_dba_grantee_with_this_profile

3.4 Determine the restrictions placed on users accessing the database from tools such as SQL*Plus
SQL Script 13 - chk_product_user_profile
SQL Script 14 - chk_sqlplus_product_profile

3.5 Determine if passwords for vendor-provided database user IDs have been changed
SQL Script 15 – Oracle’s Password Scanner (NotePad version)

3.6 Determine if database passwords are the same as the database user IDs.

3.7 Determine if profiles with the FAILED_LOGIN_ATTEMPTS parameter have a value that is greater than the limit specified by the security policy.
SQL Script 16 - chk_dba_profiles_with_this_parameter

3.8 Check for profiles with the PASSWORD_LOCK_TIME parameter less than the limit specified by the security policy.
SQL Script 17 - chk_dba_profiles_with_this_parameter.sql

3.9 Check for profiles with the PASSWORD_LIFE_TIME parameter greater than the limit specified by the security policy.
SQL Script 18 - chk_dba_profiles_with_this_parameter

3.10 Check for profiles with the PASSWORD_GRACE_TIME parameter greater than the limit specified by the security policy.
SQL Script 19 - chk_dba_profiles_with_this_parameter

3.11 Check for profiles with the PASSWORD_REUSE_MAX parameter greater than the limit specified by the security policy.
SQL Script 20 - chk_dba_profiles_with_this_parameter

3.12 Check for profiles with the PASSWORD_REUSE_TIME parameter greater than the limit specified by the security policy.
SQL Script 21 - chk_dba_profiles_with_this_parameter

3.13 Check for profiles with the PASSWORD_VERIFY_FUNCTION feature not enabled.
SQL Script 22 - chk_dba_profiles_with_this_parameter

3.14 Check that users change their passwords per the designated security policy.

3.15 Check that users have changed their passwords within the designated security policy requirements.
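
The password-profile checks above (FAILED_LOGIN_ATTEMPTS through PASSWORD_VERIFY_FUNCTION) can be run as one pass over DBA_PROFILES. The query below is an added example, not one of the SQL scripts this template refers to; the policy limits in it are constructed placeholders to be replaced with the values from the security policy.

```sql
-- Added example (not part of the original template).
-- policy_limit values are constructed placeholders; replace them with the
-- limits from the security policy before using the output as evidence.
WITH policy AS (
  SELECT 'FAILED_LOGIN_ATTEMPTS' AS resource_name,
         'MAX' AS bound, 5 AS policy_limit FROM dual UNION ALL
  SELECT 'PASSWORD_LOCK_TIME',  'MIN', 1   FROM dual UNION ALL  -- days
  SELECT 'PASSWORD_LIFE_TIME',  'MAX', 90  FROM dual UNION ALL  -- days
  SELECT 'PASSWORD_GRACE_TIME', 'MAX', 7   FROM dual UNION ALL  -- days
  SELECT 'PASSWORD_REUSE_MAX',  'MAX', 10  FROM dual UNION ALL  -- changes
  SELECT 'PASSWORD_REUSE_TIME', 'MAX', 365 FROM dual            -- days
),
effective AS (
  -- A LIMIT of 'DEFAULT' means the value is inherited from the DEFAULT
  -- profile, so resolve it before comparing against the policy.
  SELECT p.profile,
         p.resource_name,
         DECODE(p.limit, 'DEFAULT', d.limit, p.limit) AS eff_limit
  FROM   dba_profiles p, dba_profiles d
  WHERE  p.resource_type = 'PASSWORD'
  AND    d.profile       = 'DEFAULT'
  AND    d.resource_name = p.resource_name
),
checked AS (
  -- Convert only purely numeric limits; 'UNLIMITED', 'NULL' and function
  -- names stay NULL here, so TO_NUMBER never sees non-numeric text.
  -- Assumes the session decimal separator is '.'.
  SELECT e.profile, e.resource_name, e.eff_limit,
         CASE WHEN TRANSLATE(e.eff_limit, 'x0123456789.', 'x') IS NULL
              THEN TO_NUMBER(e.eff_limit) END AS num_limit,
         (SELECT COUNT(*) FROM dba_users u
          WHERE  u.profile = e.profile) AS accounts
  FROM   effective e
)
SELECT c.profile, c.resource_name, c.eff_limit,
       TO_CHAR(pol.policy_limit) AS policy_limit,
       CASE
         WHEN c.eff_limit = 'UNLIMITED' THEN 'no limit set, review'
         WHEN pol.bound = 'MAX'         THEN 'greater than policy limit'
         ELSE                                'less than policy limit'
       END AS finding,
       c.accounts
FROM   checked c, policy pol
WHERE  pol.resource_name = c.resource_name
AND   (   (pol.bound = 'MAX' AND c.eff_limit = 'UNLIMITED')
       OR (pol.bound = 'MAX' AND c.num_limit > pol.policy_limit)
       OR (pol.bound = 'MIN' AND c.num_limit < pol.policy_limit))
UNION ALL
-- PASSWORD_VERIFY_FUNCTION shows the text 'NULL' when no function is set.
SELECT c.profile, c.resource_name, c.eff_limit,
       'function required', 'no verify function enabled', c.accounts
FROM   checked c
WHERE  c.resource_name = 'PASSWORD_VERIFY_FUNCTION'
AND    c.eff_limit = 'NULL'
ORDER BY 1, 2;
```

The accounts column gives the number of users assigned to each profile, which also answers how many accounts inherit a weak ‘DEFAULT’ profile.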

4 System & Object Privileges - Ensure that user access is restricted to authorized database objects and functions

4.1 Determine the appropriateness of default roles assigned to database users and other database roles.
SQL Script 23 - chk_dba_grantee_roles

4.2 Determine the appropriateness of system privileges granted directly to database users and roles in the database
SQL Script 24 - chk_dba_grantees_sys_privs

4.3 Determine the appropriateness of system privileges explicitly assigned to database users
SQL Script 25 - chk_dba_exp_sys_privs

4.4 Determine the appropriateness of table object privileges (not including column specific privileges) granted to specified database users and roles
SQL Script 26 - chk_dba_tab_privs
SQL Script 27 - chk_dba_grantee_obj_privs

4.5 Determine the appropriateness of database column privileges granted to specific database users and roles
SQL Script 28 - chk_dba_col_privs
SQL Script 29 - chk_dba_grantee_col_privs

4.6 Find all accounts or roles that have the system privilege CREATE LIBRARY or CREATE ANY LIBRARY. Obtain business justification for access to these privileges.
SQL Script 30 - chk_dba_grantees_with_this_sys_priv
SQL Script 31 - chk_dba_role_with_this_sys_priv

4.7 Check that permissions to execute the SYS.UTL_FILE package have not been granted to the PUBLIC role.
SQL Script 32 - chk_dba_grantee_imp_exp_tab_privs
(Use ‘Public’ as the input parameter and then find utl_file in the output file)
SQL Script 33 - chk_dba_grantees_with_access_to_this_table.sql
(Use ‘UTL_FILE’ as the input parameter)
SQL Script 34 - chk_dba_grantee_grantor_tab_privs
(Use ‘Public’ for the first prompt and ‘Sys’ for the second prompt)

4.8 Check for accounts (other than DBA, SYS, and SYSTEM) that have been granted privileges to execute or create source code as SYS.

4.9 Check for accounts (other than DBA, SYS, and SYSTEM) that have been granted the privileges BECOME USER or ALTER USER.

4.10 Check for accounts (other than DBA, SYS, and SYSTEM) that have been granted the privilege CREATE PUBLIC SYNONYM.

4.11 Check for accounts (other than DBA, SYS, and SYSTEM) that have been granted the privilege GRANT ANY ROLE.

4.12 Check for accounts granted the system privilege ALTER SYSTEM, and obtain the associated business justification for such access.

4.13 Check for accounts (other than DBA, SYS, and SYSTEM) that have been granted the role JAVA_ADMIN and obtain business justification for such access.

4.14 Check for accounts that have been granted the predefined role DBA.
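
The named-privilege checks above (CREATE LIBRARY through the DBA role, plus the UTL_FILE grant to PUBLIC) have no script listed against most of them. The three queries below are an added example, not the template's own scripts, and use only the standard dictionary views DBA_SYS_PRIVS, DBA_ROLE_PRIVS, DBA_TAB_PRIVS and DBA_USERS; the column alias default_holder is introduced here for illustration.

```sql
-- Added example (not part of the original template).

-- Query 1: every grantee of the system privileges named in the checklist.
-- default_holder = 'Y' marks DBA, SYS and SYSTEM, which most of the items
-- exclude; CREATE [ANY] LIBRARY and ALTER SYSTEM are reviewed for all rows.
SELECT privilege,
       grantee,
       admin_option,
       CASE WHEN grantee IN ('DBA', 'SYS', 'SYSTEM')
            THEN 'Y' ELSE 'N' END AS default_holder
FROM   dba_sys_privs
WHERE  privilege IN ('CREATE LIBRARY', 'CREATE ANY LIBRARY',
                     'BECOME USER', 'ALTER USER',
                     'CREATE PUBLIC SYNONYM', 'GRANT ANY ROLE',
                     'ALTER SYSTEM')
ORDER BY privilege, grantee;

-- Query 2: user accounts that hold DBA or JAVA_ADMIN, directly or through
-- nested roles. role_chain reads from the sensitive role down to the role
-- actually granted to the account, e.g. /DBA/SOME_ROLE.
SELECT rp.grantee,
       SYS_CONNECT_BY_PATH(rp.granted_role, '/') AS role_chain,
       rp.admin_option
FROM   dba_role_privs rp
WHERE  rp.grantee IN (SELECT username FROM dba_users)
START WITH rp.granted_role IN ('DBA', 'JAVA_ADMIN')
CONNECT BY PRIOR rp.grantee = rp.granted_role
ORDER BY role_chain, rp.grantee;

-- Query 3: EXECUTE on SYS.UTL_FILE granted to PUBLIC.
-- Any row returned is a finding for the UTL_FILE check.
SELECT grantee, owner, table_name, privilege, grantor, grantable
FROM   dba_tab_privs
WHERE  owner      = 'SYS'
AND    table_name = 'UTL_FILE'
AND    privilege  = 'EXECUTE'
AND    grantee    = 'PUBLIC';
```

Query 1 shows direct grants only; a privilege reached through a role appears against the role name, which Query 2's hierarchical walk can then trace to accounts if the role is added to its START WITH list.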

5 Operating System Security - Ensure that user access is restricted to authorized database objects and functions

5.1 Determine the appropriateness of locations for all control and datafiles
SQL Script 35 - chk_v$datafile
SQL Script 36 - chk_v$controlfile

5.2 Examine the host operating system login security to ensure that all IDs represent valid, current users

5.3 Cross-reference the OS_AUTHENT_PREFIX parameter in the init<System/Instance ID>.ora file to the DBA_USERS listing

5.4 Ensure that remotely authenticated network users are not able to connect to the database by determining that the OPS$OFF parameter is used to start up the database

5.5 Ensure that the owner of all directories and files is the ‘Oracle’ account

5.6 Ensure that the Unix group owner is the group dba

5.7 Ensure that Unix directory permissions are 755 or less

5.8 Ensure that Unix file permissions are 750 for executable Oracle binary files

5.9 Ensure that the Unix umask parameter is set so that log files are not world writeable or readable

5.10 Ensure that NT/Windows 2000 file permissions are restricted so that there is no access to the group Everyone

5.11 Ensure that NT/Windows 2000 file permissions are set for files to inherit the permissions of their directory

5.12 Ensure that use of the Oracle account is restricted to the database administrator

5.13 Review the Unix /etc/group file to ensure that membership in the group ‘DBA’ is limited to the Oracle account to prevent unauthorized connects that are internal to the database

5.14 Review file permissions for the SQLDBA and server manager programs to ensure that their use is restricted to the Oracle administration account

5.15 Determine if there are any ops$ accounts used in the database

6 Database Utilities - Ensure that database utilities are adequately protected to prevent their misuse by unauthorized individuals

6.1 Determine if restrictions have been placed on users for specific tools
SQL Script 37 - chk_product_user_profile

6.2 Determine that utilities such as SQL*Plus, Server Manager, Listener Control, and SQL*Loader cannot be executed by the world or unauthorized individuals

6.3 Ensure that sqlplus.ora, init.ora and lsnrctl.ora files cannot be written to by anyone other than the dba

6.4 Review access to stored procedures to ensure that users cannot execute stored procedures that go beyond what the users are authorized to perform

6.5 Print the sqlplus.ora and lsnrctl.ora and review to ensure that they are appropriate

7 Database Links - Ensure that database links do not provide access to unauthorized individuals

7.1 Determine the appropriateness of database links
SQL Script 38 - chk_dba_links

7.2 Determine if database link passwords are in plain text
SQL Script 39 - chk_dba_links

7.3 Determine if database link passwords are in plain text
SQL Script 40 - chk_sys_link$

7.4 Determine if the DBLINK_ENCRYPT_LOGIN parameter has been set to TRUE in the init.ora file on the server machine

7.5 Check for accounts (other than DBA, SYS, and SYSTEM) that have been granted the privileges DROP PUBLIC DATABASE LINK and CREATE PUBLIC DATABASE LINK.

8 Auditing - Ensure that unauthorized access to the database is adequately tracked

8.1 Review the INIT.ORA file for the parameter AUDIT_TRAIL

8.2 Review the list of all “statement” audit options set within the database for appropriateness
SQL Script 41 - chk_dba_stmt_audit_opts

8.3 Review the list of all audit options set for all “system” privileges within the database for appropriateness
SQL Script 42 - chk_dba_priv_audit_opts

8.4 Review the list of all “object” audit options set for all objects in the database for appropriateness
SQL Script 43 - chk_dba_obj_audit_opts

8.5 Ensure that the audit trail is adequately protected on the operating system. Ensure that only the user ‘Oracle’ can write to the audit trail file

8.6 Determine if the SYS.AUD$ table in the database is used. If so, ensure that the table is adequately protected and that auditing is turned on for that table.

8.7 Verify that no accounts or roles have been granted permissions to modify or view the auditing table (SYS.AUD$).

8.8 Check that the AUDIT_TRAIL parameter has been enabled.

8.9 Check that auditing has been configured to record all connection attempts to the database.

8.10 Verify that the AUDIT_SYS_OPERATIONS parameter is set to TRUE.

9 Database Documentation - Ensure that adequate database documentation exists, that the database has been planned and implemented in an organized manner and that the roles and responsibilities of database staff are defined.

9.1 Review the following for completeness

9.2 Determine if the duties and responsibilities of the DBA are defined in writing and include

10 Database Availability, Backup and Recovery

10.1 Identify critical, dynamic tablespaces

10.2 Ensure that tablespaces have been distributed across multiple disks to distribute input/output

10.3 Review the df output to ensure that redo logs, archived redo logs, and control files have been mounted on separate disks and these disks have been mirrored on two separate disks each

10.4 Review contents of the file config.ora for control file names, and ensure that control files are located in three different file systems on three different disk drives.

10.5 Review and ensure that critical data file tablespaces are mirrored for faster recovery

10.6 Ensure that each disk uses a separate controller unit (see the device file name standard in the df output) to minimize the impact of controller failure

10.7 Ensure that disk and tablespace monitoring procedures are in place to ensure that growing requirements are known in advance of the need to resize or perform a tablespace reorganization

10.8 Determine that overall system memory and disk space requirements and future projections have been incorporated into the system's design

10.9 Review the db_block_size parameter in the init<System/Instance ID>.ora file and ensure that it is equal to the operating system block size (except for IBM AIX operating systems)

10.10 Ensure that the parameter log_archive_set in the init<System/Instance ID>.ora file is set to true so that the archive log mode is initialized.

10.11 Ensure that the parameter Checkpoint_process in the init<System/Instance ID>.ora file is set to true so that checkpoints are recorded in control files. Also ensure that the parameter Log_Checkpoint_Interval is set at an appropriate frequency in relation to database size and use.

10.12 Ensure that at a minimum, incremental backups (INCTYPE Export) are made every night (i.e., backup of objects changed since the prior backup)

10.13 Ensure that database backups (logical backups while the database is up and running) are scheduled at night when users are off the system, and overnight reports and other batch processing are finished

10.14 Ensure that the consistent feature is used with logical backups, to maintain rollback files to help protect database integrity

10.15 Assess the appropriateness of running logical backups with the database in the restricted mode, which ensures that users other than the database administrator may not be logged in during the backup

10.16 Determine that weekly logical backups (if not full system cold backups) are made with the full mode, using the complete option (the default), to ensure that the entire database is backed up

10.17 Review and ensure that complete file system backups (e.g., image backups) are made on a weekly or, at a minimum, a monthly basis

10.18 Review backup storage media cataloging, storage, and control procedures to ensure that backups are completed successfully, are labeled internally and externally, and are rotated off-site to a secure location.

10.19 Obtain and review database recovery testing documentation and test results. Ensure that the eight disk-failure recovery scenarios have been tested successfully.
