Arup Nanda has released an update to "Project Lockdown". This new version covers Oracle 11g (R1 and R2) as well.
I found a few minor things which are not 100% correct, but in general it is a good introduction.
But there is something I never liked: the recommendation on how to check the Oracle database for weak passwords. In my experience this is the biggest problem in nearly every organization.
Just using dba_users_with_defpwd or comparing password hashes is not sufficient and is misleading (for example, accounts whose password equals the username are not found). Oracle 11g uses salted hashes, and this concept does not work with the view dba_users_with_defpwd.
Why not use a real password checker like woraauthbf, ops_sse or Repscan? They check all passwords independently of the database version.
My recommendation for the action plan:
Use a real password checker instead of only comparing password hashes