
OS and DB Security patches and updates

Former Member

Dear Experts,

We are going through SOX audits. The auditor is asking me whether we have applied the latest OS and Oracle patches to secure the SAP systems from threats and attacks.

I told them that we are running on Solaris 9 with Oracle 9.2.0.5

and our servers are behind a CHECKPOINT firewall. We have also never faced any security breaches or threats, and we are not facing any performance or efficiency problems in our system.

However, they still keep pressing me about critical security patches for Solaris and Oracle.

Please tell me whether I should apply security patches for Solaris or Oracle, if there are any. I am very worried about possible problems after applying those security patches.

Please guide me about this issue and tell me about proven and trusted security patches for Solaris 9 and Oracle 9.2.0.5.

Best Regards

Waqas Ahmad

Accepted Solutions (1)


markus_doehr2
Active Contributor

> I told them that we are running on Solaris 9 with Oracle 9.2.0.5

First I would like to tell you that your current Oracle version is out of extended support (see and the notes the first chapter points to). To get actual (security) patches I would highly recommend upgrading to 10.2.0.4.

> However, they still persist me about critical security patches for Solaris and Oracle.

They do that because most of the "attacks" on servers come from internal users, not external ones.

> Please guide me about this issue and tell me about proven and trusted security patches for Solaris 9 and Oracle 9.2.0.5.

For the operating system I would use pca (Patch Check Advanced), a free tool to download and install patches; it works like a charm (http://www.par.univie.ac.at/solaris/pca/). It can be configured to only download and install security-relevant patches.

For Oracle you should install the latest patchset (for 9.2 it's 9.2.0.8 plus all the necessary interim patches) and the critical patch updates. However, those CPUs may conflict with other necessary patches, so you can either use the CPU or the necessary interim patches.

Check note 938986 - Oracle Database 9.2: Patches for 9.2.0

Markus
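Markus's point about letting pca pick out only the security-relevant patches can be illustrated with a small script. This is an added example, not code from the thread, from pca, or from SAP: it reads a listing shaped like the one pca prints (the thread does not show that format, so the banner, the patch IDs and the host name below are constructed, and the RSB column is assumed to carry pca's Recommended / Security / Bad flags with "-" where a flag is not set) and separates the patches to schedule from the ones the vendor has withdrawn.

```shell
#!/bin/sh
# Added example, not code from the thread or from pca itself. It takes a
# pca "missing patches" listing and pulls out the patches pca flags as
# security-relevant, so those can be scheduled first and optional ones
# deferred to a planned downtime.
#
# Assumption: the listing below is constructed to look like pca's list
# output, whose RSB column flags each patch as Recommended, Security
# and/or Bad ("-" where a flag is not set). Patch IDs, synopses and the
# host name are made up for the example.

PCA_LISTING='Using /var/tmp/patchdiag.xref from Jan/01/2009
Host: sapdb01 (SunOS 5.9/Generic/sparc/sun4u)
List: missing (4/4)

Patch  IR   CR RSB Age Synopsis
------ -- - -- --- --- -------------------------------------------------------
112233 11 < 12 RS- 120 SunOS 5.9: kernel patch (constructed)
113456 -- < 03 -S-  45 SunOS 5.9: libc patch (constructed)
114567 01 < 02 R--  30 SunOS 5.9: optional utility patch (constructed)
115678 -- < 01 RSB  10 SunOS 5.9: withdrawn patch (constructed)'

# patches_matching RSBPATTERN: print the IDs of listed patches whose RSB
# flags match the given awk regular expression, one per line.
patches_matching() {
    printf '%s\n' "$PCA_LISTING" | awk -v pat="$1" '
        # Data lines start with a six-digit patch ID; the banner, the
        # column header and blank lines do not.
        $1 ~ /^[0-9][0-9][0-9][0-9][0-9][0-9]$/ {
            # Locate the RSB column by its shape rather than its position,
            # so an absent "<" marker does not shift the fields.
            rsb = ""
            for (i = 2; i <= NF; i++)
                if ($i ~ /^[R-][S-][B-]$/) { rsb = $i; break }
            if (rsb != "" && rsb ~ pat) print $1
        }'
}

# Security-flagged patches that are NOT also flagged Bad. A Bad patch has
# been withdrawn by the vendor; applying it is exactly the self-inflicted
# outage the thread is worried about, so it never goes on the schedule.
security_patches() {
    patches_matching '^[R-]S-$'
}

# Withdrawn patches, reported separately so nobody applies them by hand.
bad_patches() {
    patches_matching 'B$'
}

# Number of security patches still outstanding, handy as audit evidence.
security_patch_count() {
    security_patches | wc -l | tr -d ' '
}

# Stand-alone usage: what goes into the change request, and what must not.
printf 'Security patches to schedule (%s): %s\n' \
    "$(security_patch_count)" "$(security_patches | tr '\n' ' ')"
printf 'Withdrawn (Bad) patches, do not apply: %s\n' \
    "$(bad_patches | tr '\n' ' ')"
```

The filter is deliberately narrow: a patch that is Recommended but not Security-flagged (114567 in the sample) is left for the next planned downtime, which is the compromise between the auditor's list and the stability argument raised later in the thread.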

Former Member

Thanks a lot, Markus, for the reply.

I heard from several administrators that it is a strong argument for auditors that our systems have been running normally and quite efficiently for the past 2 or 3 years. The whole server landscape is behind good hardware and software firewalls, and there is a risk of system malfunction or crash when implementing new patches on the server.

Or do you think it's not a reasonable argument for auditors, as the security patches mentioned are proven and tested for SAP System 4.7 ext 200 and for my OS and DB platform, and all a good administrator has to do is properly manage and plan the patch application activity, i.e. a proper backup and failover plan?

Best Regards

Waqas

markus_doehr2
Active Contributor

> I heard from several administrators that it is a strong argument for auditors that our systems have been running normally and quite efficiently for the past 2 or 3 years. The whole server landscape is behind good hardware and software firewalls, and there is a risk of system malfunction or crash when implementing new patches on the server.

Yes, that's SOX theory vs. stability. Usually I also say "if it ain't broken, don't fix it...", but those "auditors" see those things differently, VERY differently.

> Or do you think it's not a reasonable argument for auditors, as the security patches mentioned are proven and tested for SAP System 4.7 ext 200 and for my OS and DB platform, and all a good administrator has to do is properly manage and plan the patch application activity, i.e. a proper backup and failover plan?

SAP doesn't certify OS patches, they certify the OS. In case of problems you will need to deal with the vendor, Sun Microsystems.

And yes, a good administrator ensures a stable system and stable access to it.

We install operating system security patches every three to six months; the databases are patched as needed, or if there is a planned downtime anyway, or if the system is taken down for another reason.

I know those auditors have their own strategy, but 99 % of them know only theory; they have no idea of the actual case and what it means to install patches.

Markus

fidel_vales
Employee

Hi,

Only a little addition to what Markus has commented.

I had to review, in a few cases, recommendations given by external auditors.

In all cases (it is bad to generalize) they had no clue whatsoever about SAP, how Oracle on SAP works, or even how Oracle works. Usually they have a list and they follow it to the letter. Do not ask them "why".

A typical recommendation is to change Oracle parameters, changes that have several times caused SAP to stop working (has anyone set REMOTE_OS_AUTHENT to FALSE?).

For information about Oracle security you should also check SAP notes 926023, 811174, 700548 and 186119.

And maybe you can get SAP to review the recommendations via a message.
