Frank Lyons
Upcoming SlideShare
Loading in...5
×
 

Like this? Share it with your network

Share

Frank Lyons

on

  • 1,268 views

 

Statistics

Views

Total Views
1,268
Views on SlideShare
1,268
Embed Views
0

Actions

Likes
0
Downloads
40
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

Frank Lyons Presentation Transcript

  • 1.  
  • 2. Agenda
    • Database Overview
    • Oracle Audit/Security/Control
  • 3. Objectives
    • Your objectives
    • Magic Disk
      • Database Control Objectives
      • Frank W. Lyons
      • [email_address]
      • 407-774-8397
  • 4. Terminology
    • Database
      • A set of data
    • Tablespaces
      • Logical division of a database
    • Files
      • datafile
    • Instances
      • Also known as a server
    • Table, columns and datatypes
  • 5. Columns
    • The characteristics of a column are made up of two parts: its datatype and its length.
    • For columns using the NUMBER datatype, the additional characteristics of precision and scale can be specified. Precision determines the number of significant digits and Scale determines the placement of the decimal point
  • 6.
    • Structure Query Language (SQL)
        • Data Definition Language
          • DDL
            • Create, Drop, Alter
        • Data Manipulation Language
          • DML
            • Select, Insert, Update, Delete
        • Data Control Language
          • DCL
            • Grant, Revoke
    The Database Language
  • 7.
    • Obtain the Data Structure Diagram
    Customer Table Warehouse Table Order Table The data structure diagram provides all the tables and columns Database Structure
  • 8. Tables
    • Tables owned by the user SYS are called the data dictionary tables
    • Dictionary tables provide a system catalog that the database uses to manage itself
    • The database maintains the relationship between table by using referential integrity
  • 9.
    • Object Dependencies
    Database Tablespace Table Index Synonym View Synonym This is the file name under the operating system Database Structure
  • 10. Databases
    • A database is a set of data.
    • Oracle provides the ability to store and access data in a manner consistent with a defined model known as the Relational Model.
  • 11. Tablespaces
    • A tablespace is a logical division of a database
    • Each tablespace is constituted of one or more files, called datafiles, on a disk. A datafile can belong to one and only one tablespace
  • 12.
    • To prevent users from creating objects in the SYSTEM tablespace, any quotas on SYSTEM, which could give a user the ability to create objects in the SYSTEM tablespace, must be revoked:
      • alter user Frank quota 0 on SYSTEM
    • When you create a new user via the create user command, you can specify a default tablespace:
      • create user Frank identified by excellence
      • default tablespace Human_Resources
    Tablespaces
  • 13.
    • SYSTEM Data Dictionary
    • DATA Standard-operation tables
    • DATA_2 Static tables used during standard operation
    • INDEXES Indexes for the standard operation tables
    • INDEXES_2 Indexes for the static tables
    • RBS Standard operation rollback segment
    • RBS_2 Specialty rollback segments used for data loads
    • TEMP Standard operation temporary segments
    • TEMP_USER Temporary segments created by a user
    • TOOLS RDBMS tools tables
    • TOOLS_1 Indexes for RDBMS tools tables
    • USERS User objects, in development databases
    Tablespaces
  • 14. Instance
    • In order to access the data in the database, Oracle uses a set of background processes that are shared by all users.
    • A database instance (also known as a server) is a set of memory structures and background processes that access a set of database files.
  • 15. Views
    • Views appear to be a table containing columns and is queried in the same manner that a table is queried
    • Views do not use physical storage to store data
    • Views can not be indexed.
  • 16. Typical Authentication Pyramid
    • Application Logon
    Reporting Tool Database Data Accountability lessens as you move down the pyramid
  • 17. Where Are the Application Controls?
    • Direct access usually by-passes application controls
      • User profiling is normally only used within the application
      • Views of reporting data could be incorporated
      • Summarized data could be used to reduce sensitivity
  • 18. Relational Data Storage Employee Table
  • 19. Views Based on User Profile View of the Commercial Division Security is based on data value
  • 20. Reduced Data Sensitivity Employee Locator View Security is based on columns selected
  • 21. Summarized Views View Summarized by Division
  • 22. Access Type Difference
    • Id and Passwords
    • User Profiles
    • Accountability and audit ability
  • 23. Data Access
    • Application interfaces
    • Reporting Tools
    • Direct access
  • 24. ID and Password Controls
    • Where is the ID and Password Stored for verification?
    • How is the password stored?
    • Is the same user ID used for multiple applications?
    • Is the password stored in multiple locations?
  • 25. User Profiles
    • Profiles allow access according to job responsibilities
      • Division
      • Position
      • Security Clearance
  • 26. User Profiles Controls
    • Who creates and modifies the user profile?
    • What audit trails are in place for profile changes?
    • What approvals are required for changes to the user profile?
    • What is the notification process for job responsibility changes?
  • 27. Accountability and Auditability
    • Is the user id translated to a high powered id during application access to the data?
    • Does the application record read access?
    • When data is inserted, modified, or deleted is the change logged?
      • If there is a log who is reviewing the log?
  • 28. ID Translation
    • Used to prevent users from accessing data directly
    • Prevents authentication by the database management system
    • Creates tuning and monitoring challenges
  • 29. Reporting Tools and Direct Access
    • Ad-hoc reporting
      • User flexibility
      • Less labor to support user reporting requirements
      • Checks and balance to insure information accuracy
  • 30. Separate Reporting Database On-line Database Reporting Database Synchronization can be done real time or on intervals
  • 31. Advantages of Separate Reporting Databases
    • Design for reporting efficiencies
    • On-line environment not impacted by the reporting workload
    • Data can be summarized to reduce data sensitivity
    • Multiple reporting databases can be defined to limit access to sensitive information
  • 32. Disadvantages of Separate Reporting Databases
    • Extra storage and processor resources are required
    • Extra labor resources are required to support replication process
    • Special controls needed for direct access authority
    • Read activity needs to be logged for audit ability
  • 33. Reporting Tools Reporting Database Reporting Tool View of Data Reporting tools can limit access by column, data value, or through summarization.
  • 34. Web Access
    • Reporting Tools can push static or dynamic information
    • Design should balance performance differences with flexibility
    • Security at the data level needs to be well understood so that access is based on data sensitivity and job responsibilities
  • 35. Application Recovery
    • Code is normally static
    • Code changes should be installed on well defined intervals
    • Recovery usually requires reboot of application server
    • Corrupted application files can be restored from the last copy
  • 36. Database Recovery
    • Data is a constantly changing resource
    • Rebooting the database server causes the database system to recovery any in-flight units of work
    • Restoring data from backup requires the database logs to be applied to the data in order to restore data consistency
  • 37. Database Logs Data Identification (Record Header) Before Image of Data After Image of Data
  • 38. Log Contains All Data Modifications Database Log Database User Activity
  • 39. Backout Due to Abort or Abend Database Log Database User Activity Aborted Unit of Work Log Records are read to backout the changes to the data
  • 40. Protecting Database Log
    • Critical Recovery Resource
    • Contains Sensitive Information
    • Needed for on-site and off-site recovery
    • Log shipping often done for off-site recovery
  • 41. Log Shipping Database Log Copy Off-site Database Log Database On-site
  • 42. Criteria for Server Selection in the Database Environment
    • Stability
    • Security
    • Recoverability
    • Performance
  • 43. Key Points
    • Application access controls are by-passed through most reporting interfaces
    • Security design MUST be centered on the data and incorporated in each interface
    • Data and application recovery have key differences and need special considerations
  • 44. Key Points
    • Security should be designed around the DATA
    • All interface points must be reviewed
    • Data recoverability needs differ between application and data
    • Database logs contain sensitive information
  • 45. Oracle
  • 46. Identify Risks
    • Default Users
    • Operating System configuration
    • Database server configuration
    • Listener process
    • Privileges
    • Database links
    • Patches
  • 47. Init.ora
    • Database startup file
    • This file is read during the instance startup and may be modified by the DBA. Any modifications to this file will not take affect until the next startup that uses this file
  • 48.
    • In the default directory configuration, the init.ora file is stored in a directory named
      • /orasw/app/oracle/admin/instance_name/pfile
    • The init.ora file does not list the names of the datafiles or online redo log files for the database as these are stored in the data dictionary.
    • Init.ora does list the names of the control files for the database
    Init.ora
  • 49. Config.ora
    • A second configuration file is typically used to store the settings of variables that do not change after database creation
    • Such as the database block size
    • In order for the config.ora settings to be used, the file must be listed as an include file via the IFILE parameter in the instance’s init.ora file
  • 50. Procedures
    • A procedure is a block of PL/SQL statements that is stored in the data dictionary and is called by applications
    • Stored procedures help to enforce data security
  • 51. Functions
    • Functions, like procedures are blocks of code that are stored in the database.
    • Function are capable of returning values to the calling program
  • 52. Packages
    • Packages are used to arrange procedures and functions into logical groupings
    • Packages have a public and private elements
    • Private elements may include procedures called by other procedures within the package
    • Source code for the functions, procedures, and packages are stored in the data dictionary tables
  • 53. Triggers
    • Triggers are procedures that are executed when a specified database event takes place against a specified table
    • Used as part of referential integrity
    • Used to enforce additional security
    • Used to enhance the available auditing options
  • 54.
    • Two types of triggers
      • Statement triggers
        • Fire once for each triggering statement
      • Row triggers
        • Fire once for each row in a table affected by the statement
    • For each type a BEFORE trigger and AFTER trigger can be created
    • Triggering events include inserts, updates, and deletes
    Triggers
  • 55. Synonyms
    • To completely identify a database object such as a table or a view, the host machine name, the server instance name, the object’s owner, and the object’s name must be specified
    • Synonyms reduce this effort
    • Public synonyms are shared by all users
    • Synonyms can provide pointers for tables, views, procedures, functions, packages, and sequences
  • 56. Database Life Cycles
    • Planning
    • Creating
    • Monitoring
    • Tuning
    • Securing
    • Auditing
  • 57. Operating system configuration
    • Use file system security to protect the DBMS software and data files (Only allow the Oracle user and Oracle group access to the files)
    • Turn off all operating system functionality/services that are not required by the DATABASE SERVER (mail,ftp,telnet)
    • Turn on O/S level auditing and review the audit log daily
    • Secure the backup of the database
    • Audit regularly
  • 58. Database System Configuration Remove non-essential users and enforce password management (see appendix) Change the default passwords on accounts Do not allow development in a production database/server Secure the development database (may contain production data) Keep the software up to date and patched
  • 59. Database System Configuration Oracle Database - Physical Structures
    • When a backup of a database occurs, the backup software is making copies of the physical structures of an Oracle instance.
    • Physical Structures stored in the operating system
      • Control File
      • Online Redo Log
      • Data File
      • INIT.ORA
      • SPFILE (Oracle9i)
      • ORACLE_HOME (Oracle software)
      • Backup destination
  • 60. Database System Configuration Oracle Database/Physical Structures
    • Control File
      • Contains information about the instance and all of it’s external files.
      • Used by Oracle to know if a data file needs recovery.
      • Audit view: V$CONTROLFILE
    • Online Redo Log
      • Keeps track of all the transactional activity that makes changes to the database.
      • Audit view: V$LOGFILE
  • 61. Database System Configuration Oracle Database/Physical Structures
    • Data File
      • Associated with a single tablespace.
      • Oracle server creates a data file for a tablespace by allocating the specified amount of disk storage + a small overhead.
      • Can contain data segment (table), index segment (primary keys, unique constraints or tuning indexes), rollback and temporary segments.
      • Audit view DBA_DATA_FILES
    • INIT.ORA
      • Used by the Oracle instance to configure how much of the OS resources will be used by the instance.
      • Parameters can be placed here for optional processes
      • Audit view V$PARAMETER
  • 62. Database System Configuration Oracle Database/Physical Structures
    • Data File
      • Audit view DBA_DATA_FILES
      • SQL> select file_name from dba_data_files
      • order by file_name
    • Control File
      • Audit view: V$CONTROLFILE
      • SQL> select * from v$controlfile;
    • Online Redo Log
      • Audit view: V$LOGFILE
      • SQL> select * from v$logfile
      • order by group#
  • 63. Database System Configuration Oracle Database/Physical Structures
    • INIT.ORA
      • Audit view V$PARAMETER
      • SQL> select name,value from v$parameter
      • License/version
      • Audit view v$version
      • SQL> select * from v$version
  • 64. Privileges Third party application owner will typically have the ‘DBA’ role granted to them This is needed for installs/upgrades of software, but typically can be removed for day to day activities SELECT ANY TABLE privilege should not be allowed on any ‘end user’
  • 65. Privileges
    • SELECT ANY TABLE privilege gives users the ability to select from ANY table
      • including SYS.USER$ and SYS.LINK$
      • These tables will show passwords
  • 66. Privileges Audit Checklist SQL> select privilege privilege_granted, grantee,admin_option from sys.dba_sys_privs where not exists (select 'x' from sys.dba_users where username = grantee) order by privilege_granted,admin_option;
  • 67. Privileges Audit Checklist PRIVILEGE_GRANTED GRANTEE ADM ------------------------------------------------- --- QUERY REWRITE AROLE NO QUERY REWRITE DBA YES RESTRICTED SESSION DBA YES SELECT ANY DICTIONARY OEM_MONITOR NO SELECT ANY DICTIONARY DBA YES SELECT ANY TABLE DBA YES SELECT ANY TABLE IMP_FULL_DATABASE NO
  • 68. Database Link
    • Used to connect one database to another
    • The Database link contains:
    •  
      • USER ACCOUNT TO CONNECT TO THE TARGET DATABASE
    • LOCAL USERNAME AND PASSWORD
    • (HARD CODED) or pass through authentication
    • CONNECT STRING (Oracle / SQLNET/ NET8)
    • Audit view: dba_db_links
  • 69. Oracle NET / NET8 /SQL*NET LISTENER Configuration Client Server 1 listener.ora Listener On port sqlplus user/pw@DB1 User DB1 tnsnames.ora/sqlnet.ora 2 3 4 Server
  • 70. Oracle NET / NET8 /SQL*Net LISTENER
    • Oracle NET enables communications between partners in a distributed transaction
    • Applies to client/server or server/server environment.
    • During the life of a connection, resolves all differences between the internal data representations and/or character sets of the computer.
    • Net8 has been renamed to Oracle NET for 9i
  • 71. Harden the Listener Process
    • The configuration file for the listener is LISTENER.ORA.
    • LISTENER.ORA resides on the server and defines…
      • Listener name, a database can have multiple listeners
      • The network listener address
      • The SID of the database for which it listens
      • Parameters that influence the network listener’s behavior, including tracing, timeout and logging and password
  • 72. Harden the Listener Process
      • Prevent unauthorized administration of the Oracle Listener by:
      • ADMIN_RESTRICTIONS_listener_name=ON
        • Use a password on all listeners
          • At the lsnrctl prompt enter change_password
  • 73. Oracle NET / Net8 /SQL*NET Configuration
    • Oracle Names
      • Network service that provides centralized name resolution to Oracle clients and servers.
      • Consists of one or more administrative regions, each having a single installation of the Oracle Network Manager tool.
      • Oracle Network Manager enables the administrator to administer the following in it’s administrative region…
        • All database listeners
        • Global database links
        • Clients, interchanges and Names Servers.
  • 74. Oracle NET/ NET8 / SQL*Net Configuration
    • Oracle Names (continued)
      • Clients do not need a TNSNAMES.ORA file if an Oracle Names Server is used.
      • If a TNSNAMES.ORA file is created, the client may use it to resolve the service name before resolving it through the Names Server.
      • Clients have a SQLNET.ORA file that identifies Oracle Names Server. This file can reference a file on a server so that it doesn’t have to change if the Names Server changes.
  • 75. Oracle NET / NET8 /SQL*NET Configuration Names Server 3 Server 1 2 4 Client
  • 76. Oracle NET/ NET8 /SQL*Net Audit checklist
    • Listener password protected
    • Is ADMIN_RESTRICTION turned on
    • Is a protocol.ora in place for node checking
    • How is tnsnames protected
    • ONAMES is used, this adds an additional server to be audited
  • 77. Oracle listener Audit checklist
    • Set up the listener with password
    • Set up a strong password
    • Protect the listener .ora file (this is where the password is kept)
  • 78. Patches Audit checklist Verify patches using the V$VERSION view Keep informed on the latest security patches http://otn.oracle.com/deploy/security/alerts.htm Have a policy on how quickly a critical security patch should be applied Oracle rates severity of patches one is most severe
  • 79. Patches Alerts ( Subscribe to security alerts  ) PDF Buffer Overflows in EXTPROC of Oracle Database Server Alert #57, Rev 2, 07August 2003 PDF Buffer Overflow Vulnerability in Oracle E-Business Suite Alert #56, Rev 1, 23 July 2003 PDF Unauthorized Disclosure of Information in Oracle E-Business Suite Alert #55, Rev 1, 23 July 2003 PDF Buffer Overflow in Net Services for Oracle Database Server Alert #54, Rev 2, 30 April 2003 PDF Report Review Agent Vulnerability in Oracle E-Business Suite Alert #53, Rev 1, 10 April 2003 PDF Two Security Vulnerabilities in Oracle9 i Application Server Alert #52, Rev 3, Updated 03 March 2003 PDF Buffer Overflow in ORACLE executable of Oracle9 i Database Server Alert #51, Rev 6, Updated 18 April 2003 PDF Buffer Overflow in Oracle9 i Database Server Alert #50, Rev 6, Updated 18 April 2003
  • 80. Oracle's built-in tools USERS / SCHEMAS Security Domain Defines the security settings that Apply to the user Authentication Mechanism Database Operating system Network Privileges—Direct/Indirect (via roles)
  • 81. Oracle's built-in tools USERS / Database SCHEMAS Authentication Mechanism Database – passwords are kept internally in a database table encrypted Operating system —Passwords are kept in the operating system
  • 82. Oracle's tools to purchase
    • Authentication Mechanism using
    • Oracle Advanced Security option
    • Network – Uses third party network authentication services (like Kerberos and SESAME)
    • Token Devices , one time passwords are used to authenticate
    • Biometrics Devices , use physical features of users to authenticate
    • Advanced Encryption Standard (AES)
          • AES is symmetric block cipher
          • AES-128,AES-192 and AES-256
  • 83. Oracle's built-in tools USERS / Database SCHEMAS Predefined users Sys/change_on_install (super user in Oracle,schema for Oracle dictionary tables) System/manager (Owner of internal tables used by Oracle tools) Scott/tiger (created by demo files, sometimes left in production) Note: 9i passwords are custom, unless you create the Database using the Database creation assistant in batch mode Additional users defined later in the Oracle9i section
  • 84. Oracle's built-in tools Password File to authenticate DBAs A password file for DBAs is optional and can be setup using the ORAPWD password utility. The password file will restrict administration privilege to only the users who know the password and have been granted a special role. The roles are SYSDBA and SYSOPER.
  • 85. Oracle's built-in tools Two special roles SYSOPER/SYSDBA SYSOPER Permits you to perform STARTUP, SHUTDOWN, ALTER DATABASE OPEN/MOUNT, ALTER DATABASE BACKUP, ARCHIVE LOG, and RECOVER, and includes the RESTRICTED SESSION privilege.  
  • 86. Oracle's built-in tools SYSDBA Contains all system privileges with ADMIN OPTION, and the SYSOPER system privilege; CREATE DATABASE and time-based recovery. Listing Password File Members Audit view: V$PWFILE_USERS will show all users that have been granted SYSDBA and SYSOPER system privileges for a database.
  • 87. Oracle's built-in tools ADMINISTERING PRIVILEGES Two types of privileges: System– Enables users to perform ADMIN type activities in the database OBJECT– Enables users to access and manipulate objects
  • 88. Oracle's built-in tools SYSTEM PRIVILEGES Administering privileges System– 80 system privileges The ANY keyword means that the user has the privilege for any schema. The GRANT command is used to add a privilege to a user or group of users GRANT CREATE SESSION to smith; GRANT CREATE SESSION to smith with ADMIN OPTION; The REVOKE command deletes the privilege REVOKE CREATE SESSION to smith;
  • 89. Oracle's built-in tools SYSTEM PRIVILEGES Administering privileges—Displaying System Privileges DATABASE LEVEL SESSION LEVEL DBA_SYS_PRIVS SESSION_PRIVS Grantee Privilege Privilege Admin option
  • 90. Oracle's built-in tools OBJECT PRIVILEGES OBJECT SQL STATEMENT Allowed ALTER   ALTER object (table or sequence)   DELETE DELETE FROM object (table or view)   EXECUTE EXECUTE object (procedure or function). References to public package variables   INDEX CREATE INDEX ON object (tables only)   INSERT INSERT INTO object (table or view)   REFERENCES CREATE or ALTER TABLE statement defining a FOREIGN KEY integrity constraint on object (tables only)   SELECT   SELECT...FROM object (table, view, or snapshot). SQL statements using a sequence  
  • 91. Oracle's built-in tools DISPLAYING OBJECT PRIVILEGES DBA_TAB_PRIVS DBA_COL_PRIVS Grantee Grantee Owner Owner Table_name Table_name Grantor Column_name Privilege Grantor grantable  Privilege Grantable
  • 92. Oracle's built-in tools USERS / Database SCHEMAS Restriction privilege system by enabling O7_DICTIONARY_ACCESSIBILITY=FALSE This prevents users with the system ‘ANY’ from being able to execute against the SYS schema The default is TRUE This allows the user with the ‘ANY’ privilege to execute against the SYS schema
  • 93. Oracle's built-in tools Administering privileges A role is a database entity that is a named group of privileges. It is unique within the database and not owned by a user. A role can be authenticated by a password. Special role SELECT_CATALOG_ROLE , which enable access to the data dictionary
  • 94. Oracle's built-in tools Predefined roles ROLENAME DESCRIPTION ============================================== CONNECT Provided for backward RESOURCE compatibility DBA All systems privileges w/admin EXP_FULL_DATABASE Privileges to export the DB IMP_FULL_DATABASE Privileges to Import the DB DELETE_CATALOG_ROLE Delete privileges on dictionary EXECUTE_CATALOG_ROLE Execute privilege on dictionary SELECT_CATALOG_ROLE Select privilege dictionary tables PUBLIC Role that all users have
  • 95. Oracle's built-in tools Displaying information on roles DATABASE ROLE VIEW DESCRIPTION DBA_ROLES All roles which exist in the DB DBA_ROLE_PRIVS Roles granted to users and roles ROLE_ROLE_PRIVS Roles which are granted to roles DBA_SYS_PRIVS System privileges grated to users and roles ROLE_SYS_PRIVS System privileges granted to roles ROLE_TAB_PRIVS Table privileges granted to roles SESSION_ROLES Roles which the user currently has enabled
  • 96. Oracle's built-in tools PROFILES used for password management
    • A PROFILE is a named set of limits for passwords and system resources
    • Are assigned to users
    • Can become the default for all users
    • Can be enabled or disabled
  • 97. Oracle's built-in tools PROFILES
    • A PROFILE is a named set of limits for passwords
    • And system resources
    • CPU time
    • I/O operations
    • IDLE time (inactive time measured in minutes)
    • Connect time (measured in minutes)
    • Memory space
    • Concurrent sessions
    • Passwords aging and expiration
    • Password history
    • Password complexity verification
    • Account locking
  • 98. Oracle's built-in tools PROFILES management Create a profile CREATE PROFILE end_user_prof LIMIT SESSIONS_PER_USER 1 IDLE_TIME 60 CONNECT TIME 600; Modify a profile ALTER PROFILE end_user_prof limit IDLE_TIME 10; Remove a profile DROP PROFILE end_user_prof; DROP PROFILE end_user_prof CASCADE;
  • 99. Oracle's built-in tools PROFILES management
    • Associate a user to a profile
    • ALTER USER smith
    • PROFILE end_user_prof;
    • Resource limits must be enable to enforce profile limits,
    • This does not include password management.
    • Two ways to enable :
    • ALTER SYSTEM SET RESOURCE_LIMIT=TRUE
    • 1. Modify the init.ora file and set RESOURCE_LIMIT=TRUE,
    • 2. Restart the instance
  • 100. Oracle's built-in tools PROFILES displaying resource limits DBA_USERS Profile username DBA_PROFILES Profile Resource_name Resource_type Limit Join the views DBA_USERS and DBA_PROFILES To display the resource limits
  • 101. Oracle's built-in tools PASSWORD MANAGEMENT PARAMETER DESCRIPTION FAILED_LOGIN_ATTEMPTS Number of failed login attempts before lockout PASSWORD_LOCK_TIME Number of days password will remain locked upon password expiring PASSWORD_LIFE_TIME Lifetime of password measured in days PASSWORD_GRACE_TIME Grace period in days for changing the password, after it has expired
  • 102. Oracle's built-in tools PASSWORD MANAGEMENT PARAMETER DESCRIPTION PASSWORD_REUSE_TIME Number of days before a password can be reused PASSWORD_REUSE_MAX Maximum number of times a password can be reused PASSWORD_VERIFY_FUNCTION PL/SQL package that makes a complexity check before a password is assigned Note: The script utlpwdmg.sql must be run in the SYS schema to enable
  • 103. Oracle's built-in tools PASSWORD MANAGEMENT
    • VERIFY_FUNCTION
    • Minimum length of four characters
    • Password not equal to user name
    • Password must have at least one alpha, numeric,special character
    • Password must differ from the last password by three characters
  • 104. Oracle's built-in tools PASSWORD MANAGEMENT CREATE PROFILE passwd_mgt FAILED_LOGIN_ATTEMPTS 3 PASSWORD_LIFE_TIME 30 PASSWORD_REUSE_TIME 30 PASSWORD_VERIFIY_FUNCTION verify_function PASSWORD_GRACE_TIME 5;
  • 105. Oracle's built-in tools Displaying PROFILES information DBA_PROFILES Profile Resource_name Resource_type =PASSWORD limit
  • 106. Auditing the Database
    • Audit a specific user
    • Audit for a specific statement
    • Audit for a specific statement on a schema user
    • Audit to know what happens on your database
    • Audit failed logon attempts
    • Audit to know who changed what and when
  • 107. Auditing the Database
    • Audit by session or access
    • Audit by successful or not successful status
    • Audit with discretion
    • Audit actions:
    • Alter, audit,comment,create,delete,execute, grant,index,insert,lock,read,reference,rename,select,update,write
  • 108. Auditing the Database syntax
    • AUDIT { statement|system_priv}
      • BY user
      • BY SESSION|ACCESS
      • WHENEVER {NOT} SUCCESSFUL;
      • NOTE:
      • BY SESSION will create only one audit record
      • Per session
      • BY ACCESS will create a record for each auditable activity
  • 109. Auditing the Database(cont)
    • Audit to know what happens on your database
      • High level of unsuccessful logins
      • Audit through the middle tier
      • Audit the user statement
      • Audit the audit table
  • 110. Auditing the Database connect internal (Oracle8i)
      • NT Systems :  On NT Systems you can see auditing for INTERNAL in the event viewer. The INTERNAL connections are written to the operating system audit trail .
      •   Unix Systems :  On Unix Systems the INTERNAL connections are logged to special log files stored in the $Oracle_HOME/rdbms/audit directory.
  • 111. Auditing the Database SYSDBA/SYSOPER
      • Initialization parameter
      • AUDIT_SYS_OPERATIONS=TRUE
      • Will write all activities to an O/S audit log
  • 112. Auditing the Database(cont)
    • TIPS on auditing
      • Run reports on a daily basis
      • Truncate the audit table on a daily basis
      • Use whenever not successful option (whenever you can)
      • Use the by session clause
      • Auditing is now optimized (statements are parsed once for execution and audit
      • Set default audit options
      • May need to create an alarm facility
  • 113. Auditing the Database(cont)
    • TIPS on auditing
      • Oracle preserves the identify of the user on the middle tier and can capture the user id of who logged into the database via the TP monitor
        • This means that oracle can audit the true user who initiated the transaction and the user who logged into the database (TP monitor)
        • Protect the audit trail
        • AUDIT delete ON sys.aud$ BY ACCESS
        • Only the DBA or SECURITY personnel should
        • Have the DELETE_CATALOG_ROLE
  • 114. Auditing the Database Views to the AUDIT Table
    • ALL_DEF_AUDIT_OPTS
    • AUDIT_ACTIONS
    • DBA_AUDIT_EXISTS
    • DBA_AUDIT_OBJECT
    • DBA_AUDIT_SESSION
    • DBA_AUDIT_STATEMENT
    • DBA_AUDIT_TRAIL
    • DBA_OBJ_AUDIT_OPTS
    • DBA_PRIV_AUDIT_OPTS
    • DBA_STMT_AUDIT_OPTS
  • 115. Audit/Security Approach
    • Account Security
    • Object Privileges
    • System Level Roles and Privileges
  • 116.
    • Create User
      • Username
      • Password
      • Default Tablespace
      • Temporary Tablespace
      • Quota (on Tablespaces)
      • Profile
      • Assigns a profile to the user, if none is specified, then the default profile is used. Profiles are used to restrict the usage of system resources and to enforce password management rules. The default is set to UNLIMITED resource consumption
    Audit/Security Approach
  • 117. Audit/Security Approach
    • System Level Privileges
      • ANY and PUBLIC are not synonymous. A PUBLIC object is accessible to all users in a database; all other objects are privately owned. The ANY option allows you to create private objects in other users’ schemas
      • There are eight system level roles provided with Oracle
        • Connect EXP_FULL_DATABASE
        • Resource Select_Catalog_Role
        • DBA Execute_Catalog_Role
        • IMP_FULL_DATABASE Delete_Catalog_Role
  • 118. Audit/Security Approach
    • User Profile
      • SESSION_PER_USER
      • CPU_PER_SESSION
      • CPU_PER_CALL
      • CONNECT_TIME
      • IDLE_TIME
      • LOGICAL_READS_PER_SESSION
      • LOGICAL_READS_PER_CALL
      • PRIVATE_SGA
      • COMPOSITE_LIMIT
      • FAILED_LOGIN_ATTEMPTS
      • PASSWORD_LIFE_TIME
      • PASSWORD_REUSE_TIME
      • PASSWORD_REUSE_MAX
      • PASSWORD_LOCK-TIME
      • PASSWORD_GRACE_TIME
      • PASSWORD_VERIFY_FUNCTION
  • 119. Audit/Security Approach
    • Object Level Privileges
      • Grants
      • Grant with grant option
      • Privileges
        • SELECT
        • INSERT
        • UPDATE
        • DELETE
        • ALTER
        • INDEX
        • REFERENCES
        • EXECUTE
        • READ
  • 120. Audit/Security Approach
    • Dictionary Views
      • DBA_ROLES Names of roles and their password status
      • DBA_ROLE_PRIVS Users who have been granted roles
      • DBA_SYS_PRIVS Users who have been granted system privileges
      • DBA_TAB_PRIVS Users who have been granted privileges on tables
      • DBA_COL_PRIVS Users who have been granted privileges on columns
      • ROLE_ROLE_PRIVS Roles that have been granted to other roles
      • ROLE_SYS_PRIVS System privileges that have been granted to roles
      • ROLE_TAB_PRIVS Table privileges that have been granted to roles
  • 121. Audit/Security Approach
    • Password Security During Logins
      • When you connect to a database server from a client machine, or from one database to another via a database link, Oracle transmits the password you enter in an unencrypted format unless you specify otherwise. As of Oracle8, you can set parameters that forces Oracle to encrypt the password values prior to transmitting them.
      • To enable password encryption, set the following parameters:
        • On the client set the ORA_ENCRYPT_LOGIN parameter in your sqlnet.ora file to TRUE
        • On the server set the DBLINK_ENCRYPT_LOGIN parameter in your init.ora file to TRUE
        • Shut down and restart the database
  • 122.
    • Password
      • Password specified for a user account or a role are stored in an encrypted version in the data dictionary
      • Setting the same password for two different accounts will result in different encryption
      • For all passwords, the encrypted value is 16 characters long and contains numbers and capital letters.
      • When a password is entered during a user validation, that password is encrypted, and the encryption that is generated is compared to the one in the data dictionary for that account, if they match, then the password is correct and the authorization succeeds.
    Audit/Security Approach
  • 123. Audit/Security Approach
    • Passwords
      • Knowing how the database stores passwords is important because it adds new options to account security.
      • To query the Username and Password fields from DBA_USERS
        • select
          • Username, /*Username*/
          • Password */Encrypted password*/
          • from DBA_USERS
          • where Username is (‘Lyons’)
  • 124. Audit/Security Approach
    • Becoming Another User
      • Since the encrypted password can be set, you can temporarily take over any account and then set it back to its original password without ever knowing the account’s password. This capability allows you to become another user
      • Query DBA_USERS to determine the current encrypted password to the account
      • Generate the alter user command that will be needed to reset the encrypted password to its current value after you are done
      • Spool the alter user command to a file
      • Change the user’s password
      • Access the user’s account
      • Run the file containing the alter user command to reset the user’s encrypted password to its original value.
  • 125. Database
    • Determine Permission Levels
      • Do not give direct table level permissions to an end user
        • No - Select (Query from “Hell”), Update, Insert, Delete
      • Instead, use stored procedures
      • Better yet, do not let user know how to sign on to the database application
        • Authenticate the user and then supply a new password that they do not even know about. In this way the user must first authenticate to the application and cannot go around this authentication process to access the database
  • 126. Privileges and Roles
    • Access to an object owned by another account
    • Privilege must have been granted
    • Privileges such as insert, select, update, and delete
    • Privileges can be granted to users, groups, roles, or to Public
    • Roles are groups of privileges
    • Use roles to grant system level privileges such as create table
  • 127. Role Definitions
    • System Level Roles
      • Connect
      • Resource
      • DBA
    • User Defined System Level Roles
  • 128. Role Definitions
    • Connect Role
      • Gives users privileges beyond just creating sessions in the database. In addition to the Create Session system privilege, the Connect role gives the users the following system privileges
        • Alter Session
        • Create Cluster
        • Create Database Link
        • Create Sequence
        • Create Synonym
        • Create Table
        • Create View
  • 129. Role Definitions
    • Resource Role
      • The resource role has the following system privileges
        • Create Cluster
        • Create Index
        • Create Procedure
        • Create Sequence
        • Create Table
        • Create Trigger
        • Create Type
  • 130. Role Definitions
    • DBA Role
      • The DBA role has all system privileges with admin option, which means that the DBA can grant the system privileges to any other user
  • 131. Auditing
    • The database has the ability to audit all actions that take place within it. Audit records may be written to either the SYS.AUD$ or the operating system’s audit trail. The ability to use the operating system’s audit trail is operating system-dependent
    • Three different types of actions may be audited:
    • Login attempts, Object accesses and Database actions
    • The database’s default functionality is to record both successful and unsuccessful commands
    • To enable auditing in a database, the init.ora file for the database must contain an entry for the AUDIT_TRAIL parameter.
  • 132. Auditing
    • The AUDIT_TRAIL values are:
        • NONE - Disable auditing
        • DB - Enables auditing, writing to the SYS.AUD$ table
        • OS - Enables auditing, writing to the operating system’s audit trails
  • 133. Auditing
    • Audit command
      • Can be issued regardless of the setting of the AUDIT_TRAIL parameter. They will not be activated unless the database is started using an init.ora AUDIT_TRAIL value that enables auditing
      • If you elect to store the audit records in the SYS.AUD$ table, then that table’s records should be periodically archived and the table should then be truncated. Since it is the data dictionary, this table is in the SYSTEM tablespace and may cause space problems if its records are not periodically cleaned out. You can grant DELETE_CATLOG_ROLE to a user to give the user the ability to delete from the SYS.AUD$ table.
      • Every attempt to connect to the database can be audited. The command to begin auditing of login attempts is:
        • audit session
        • audit session whenever successful
        • audit session whenever not successful
  • 134.
    • Establish minimum audit standards
      • Login/Logoffs
        • Adding of New Users
        • Adding Users to Groups
        • All Grants and Revokes
    • Remember that auditing takes up much storage and processing time
    • Audit Features
  • 135. Trace Files
    • Each of the background processes running in an instance has a trace file associated with it.
    • The trace file will contain information about significant events encountered by the background process
    • In addition, Oracle maintains a file called the alert log
    • The alert log records the commands and command results of major events. This includes, tablespace creations, redo log switches, recovery operations, and database startups
  • 136. Alert Log
    • The alert log is a vital source of information for day-to-day operations
    • Trace files are most useful when attempting to discover the cause of a major failure.
  • 137. Database Constraints
    • A table can have constraints placed upon it
    • A constraint is applied to a table and every row in the table must satisfy the conditions specified in the constraint definition
  • 138. Database
    • DBMS Journal Redo Logs
    • SVRMGR program for Database Administration tasks
        • Performs backup of the redo logs
    • SQL COMMIT statements
        • Used by application programs
    • Backup is on-line
  • 139. Backup/Recovery
    • Backup and Recovery Options
    • Export/Import
    • Offline Backups
    • Online Backups
  • 140. Users
    • A user account is not a physical structure in the database
    • Users own the database objects
    • The user SYS owns the data dictionary tables
    • The user SYSTEM owns views that access the data dictionary tables for use by the rest of the users in the database
  • 141. Users
    • User accounts can be connected to an operating system
    • This allows the user to enter only one password to obtain access to the operating system and the database
  • 142. Database
    • Responsibility for the Security Officer
      • Should Perform:
        • All Grants and Revokes
        • Review Security and Audit Logs
        • Maintain a copy of Audit Logs for the Auditors
  • 143. Exposures
    • Clear text transmission over the network
    • Connect ID and Access ID for application
    • Direct connection to the database from the desktop
  • 144. Securing the SQL* Plus Tool
    • PRODUCT_PROFILE table to provide product-level
    •  
    • Security for oracle products and augment user-level  Security
    • With this table, you can enforce security on a per-user basis and restrict certain SQL and SQL*plus commands.
  • 145. Securing the SQL* Plus Tool
    •   SQL*plus commands:
    • EDIT EXECUTE EXIT GET HOST (or your operating system’s alias for HOST, such as $ on VMS and ! on UNIX)
    • QUIT RUN SAVE SET (Spool start
    •  
    • SQL commands:
    • Alter analyze audit connect create delete
    • Drop grant insert lock NOAUDIT rename revoke
    • Select set role set transaction truncate update
    •  
  • 146. Securing the SQL* Plus Tool Recommended commands to restrict
    • C ommands reason
    •  
    • HOST allows user access to a operating-system prompt
    •  
    • SET ROLE allows a user to set a new security role
    •  
    • GRANT allows a user to grant privileges
    •  
    • NOAUDIT allows a user to turn off auditing
    •  
    • You should restrict access to the PRODUCT_PROFILE
  • 147. Oracle Security Checklist
      • Revoke unnecessary privileges from PUBLIC ROLE
        • Revoke all unnecessary privileges and roles from the database server
        • PUBLIC is the default role granted to every user
      • Privileges include EXECUTE on various powerful packages that may potentially be misused include:
      • UTL_SMTP
        • This package permits arbitrary mail messages to be sent from one arbitrary user to another arbitrary user.
  • 148. Oracle Security Checklist
      • Revoke unnecessary privileges from PUBLIC ROLE
        • UTL_TCP
        • This package permits outgoing network connections to be established by the database server to any receiving (or waiting) network service.
        • UTL_HTTP
        • This package allows the database server to request and retrieve data via HTTP. Granting this package to PUBLIC may permit data to be sent via HTML forms to a malicious web site.
  • 149. Oracle Security Checklist
      • Revoke unnecessary privileges from PUBLIC ROLE
        • UTL_FILE
        • If configured improperly, this package allows text level access to any file on the host operating system. Even when properly configured, this package does not distinguish between its calling applications with the result that one application with access to UTL_FILE may write arbitrary data into the same location that is written to by another application.
  • 150. Oracle Security Checklist
      • Revoke unnecessary privileges from PUBLIC ROLE
      • DBMS_RANDOM
        • Is used to encrypt stored data.
        • encrypted data may be non-recoverable if the keys are not securely generated
        • Do not assign “all permissions” to any database server run-time facility
        • Oracle Java Virtual Machine (OJVM)
        • Grant specific permissions to the explicit document root file paths for such facilities that may execute files and packages outside the database server.
          • call dbms_java.grant_permission('SCOTT', 'SYS:java.io.FilePermission','<<ALL FILES>>','read');
  • 151. Oracle Security Checklist
      • Authenticate clients properly
        • Remote authentication is a security feature provided by Oracle 9i such that if turned on (TRUE), it defers authentication of users to the remote client connecting to an Oracle database.
        • configuration parameter in the following manner: REMOTE_OS_AUTHENT = FALSE will be more secure
        • RESTRICT NETWORK ACCESS
          • Utilize a firewall
          • Keep the database server behind a firewall. Oracle 9 i’ s network infrastructure, Oracle Net (formerly known as Net8 and
          • SQL*Net), offers support for a variety of firewalls from various vendors. Supported proxy-enabled firewalls
  • 152. Oracle Tools
    • Virtual Private Database/label security
      • Attach security policies at the Table or View level, allows for easy integration to existing systems.
      • One to many policies per Table.
      • Different policies for different type of accesses (SELECT,UPDATE..).
  • 153. Oracle Security Checklist
    • Virtual Private Database using application contexts.
      • User-definable can allow security based on categories (Employee number, Cost Center). These contexts are used in the security policy function.
      • Access to session primitives (information about a user session) using USERENV application context
  • 154. Oracle Tools
      • Oracle Enterprise Manger
        • Security Manager
        • Application Security, Inc
        • http://www.appsecinc.com/products/
        • APPLICATION VULNERABILITY ASSESSMENT
        • AppDetective ™ Network-based vulnerability assessment tool that rates the security strength of applications within your network. Armed with a revolutionary security methodology together with an extensive knowledgebase of application vulnerabilities, AppDetective™ will locate, examine, report, and help fix your security holes and miss-configurations at your command .
  • 155. Oracle Tools
      • DATABASE ENCRYPTION
        • DbEncrypt ™ Easy-to-use, affordable, and effective security solution for encrypting column and row data within the database. Provided with DbEncrypt™ are encryption algorithms, templates, and an intuitive point-and-click interface.
        • APPLICATION INTRUSION DETECTION
        • AppRadar ™ Intrusion detection solution strictly for application-specific attacks and malicious behavior. As a complementary solution to existing intrusion detection systems, AppRadar™ empowers organizations with a real-time security solution able to thwart attacks and malicious behavior against all of your mission-critical enterprise applications.
  • 156. Oracle Security checklist
    • Important web sites
      • http://otn.oracle.com/deploy/security/alerts.htm
      • http://technet.oracle.com/deploy/security/alerts.htm
      • http://www.nessus.org/
      • http://www.insecure.org/
      • http://www.atstake.com/research/
      • http://www.securityfocus.com/
  • 157. Summary
      • Oracle was built to be secure
      • Audit at the database, network, and server level
      • Takes time and is complex
      • Limited tools available
      • Requires outages for patches
  • 158. Checklist Predefined Users
    • USERNAME ACCOUNT_STATUS
    • JONES EXPIRED & LOCKED
    • LBACSYS EXPIRED & LOCKED
    • MDSYS EXPIRED & LOCKED
    • OE EXPIRED & LOCKED
  • 159. Checklist Predefined Users
    • USERNAME ACCOUNT_STATUS
    • OLAPDBA EXPIRED & LOCKED
    • OLAPSVR EXPIRED & LOCKED
    • OLAPSYS EXPIRED & LOCKED
    • ORDPLUGINS EXPIRED & LOCKED
    • ORDSYS EXPIRED & LOCKED
    • OSE$HTTP$ADMIN OPEN
    • OUTLN OPEN
  • 160. Checklist Predefined Users
    • USERNAME ACCOUNT_STATUS
    • PM EXPIRED & LOCKED
    • QS EXPIRED & LOCKED
    • QS_ADM EXPIRED & LOCKED
    • QS_CB EXPIRED & LOCKED
    • QS_CBADM EXPIRED & LOCKED
    • QS_CS EXPIRED & LOCKED
    • QS_ES EXPIRED & LOCKED
    • QS_OS EXPIRED & LOCKED
    • QS_WS EXPIRED & LOCKED
    • SCOTT OPEN
    • SH EXPIRED & LOCKED
    • SYS OPEN
    • SYSTEM OPEN
  • 161. Checklist Predefined Users
    • USERNAME ACCOUNT_STATUS
    • ADAMS EXPIRED & LOCKED
    • AURORA$JIS$UTILITY$ OPEN
    • AURORA$ORB$UNAUTHENTICATED OPEN
    • BLAKE EXPIRED & LOCKED
    • CLARK EXPIRED & LOCKED
    • CTXSYS EXPIRED & LOCKED
    • DBSNMP OPEN
    • HR EXPIRED & LOCKED