Improve your Oracle 12c Database Security
Laurent Leturgez
Whoami
• Oracle Consultant since 2001
• Former developer (C, Java, Perl, PL/SQL)
• Owner@Premiseo: Data Management on Premise and in the Cloud
• Blogger since 2004
• http://laurent.leturgez.free.fr (in French and discontinued)
• http://laurent-leturgez.com
• Twitter : @lleturgez
• Agenda
• Introduction
• Keep your software up to date
• Build the security policy that your data needs
• Authenticate
• Authorize
• Encrypt
• Audit
• Divide and conquer
• Agenda
• Introduction
• Oracle software and component management
• Build the security policy that your data needs
• Authenticate
• Authorize
• Encrypt
• Audit
• Divide and conquer
• Let’s start with a survey …
• Who really takes care of the security of their databases?
• How?
• Patch Management
• Password complexity
• Profile Management
• Encryption
• Backup
• Less used methods
• OS hardening
• Listener hardening
• Code inspection and Code management (SQL Translation Framework)
• Key Management
• Auditing
• Timeout management
• Pen testing
• Why?
• More attention
• More budget
Your data is the main target of attackers
• Where to place the cursor?
[Figure: a cursor on a scale running from "Less Security" to "More Security"]
• Fundamentals
• Build the security policy that your data really needs
• Authenticate
• Authorize
• Encrypt
• Audit
• Keep your software up to date
• Evangelize your users
• Divide and conquer
• Oracle release management
• Previous releases contain security bugs
• Previous releases (and the oldest ones) are not maintained
• Previous releases use old password hashes
• Previous releases use old Java version in Java VM (if used)
• Oracle software components management
• Install only Oracle components that you really need
• CREATE DATABASE + manual components installation
• DBCA : Use “Custom Database” template and select the components you need
• Patch Management
• Before Oracle 12c, Oracle released Patch updates every 3 months
• Patch Set Updates (PSU) for general issues (ORA-600, performance etc.)
• Security Patch updates (SPU) / Critical Patch Updates (CPU) for security related issues
• Oracle 12c and onwards
• PSU and SPU are merged (PSU)
• PSU are released every 3 months
• Oracle 11.1 to 12c : Oracle JVM Patch Updates
• Patch Updates for Oracle embedded JVM
• Availability : unpacked, packed with DB PSU, DB SPU/CPU, GI PSU
• PSU, CPU/SPU, OJVM patch are available from 8.1.7 to 12.1.0.2
• See : Quick Reference to Patch Numbers for Database PSU, SPU(CPU), Bundle Patches and Patchsets (Doc ID 1454618.1)
Deploy the latest PSU/SPU/OJVM on your databases
• Use password verify function
• Oracle 12c implements a new password verify function
• Used to verify password complexity
• By default : only ORA12C_STRONG_VERIFY_FUNCTION is created and available for password verify ($ORACLE_HOME/rdbms/admin/catpvf.sql)
• 9 characters
• 2 upper case
• 2 lower case
• 2 digits
• 2 special characters
• The new password has to differ from the previous password by at least 4 characters.
Based on the Levenshtein distance: the minimum number of single-character edits (insertion, deletion, substitution) required to change one word into the other
• Use password verify function
• Other functions are available in $ORACLE_HOME/rdbms/admin/utlpwdmg.sql
• ORA12C_VERIFY_FUNCTION
• 8 characters long with at least 1 numeric and 1 alphabetic character
• Password cannot be the same as username
• Password cannot be the server name
• Password doesn’t contain “oracle”
• Password cannot be too simple
(welcome1, database1, account1, user1234, password1, oracle123, computer1, abcdefg1, or change_on_install)
• VERIFY_FUNCTION_11G
• VERIFY_FUNCTION
• Profile Management
• User Profiles: Collection of parameters that sets limits on database resources
• In 12.1.0.2: 2 profiles
• DEFAULT: for all users
• ORA_STIG_PROFILE: for highly secured profiles
STIG : Security Technical Implementation Guidelines
STIG is a set of rules enhanced by Oracle (https://docs.oracle.com/cd/E24628_01/doc.121/e36074/stig_rules.htm)
• Profile Management
• User Profiles and password verify function are mandatory for better security (Authorization)
• Be careful …
• Exceptions: profiles with no password expiration policy (dbsnmp etc.)
• With application schema users
• Password complexity
• Choose the correct password verifier (New in 12c)
• SQLNET.ALLOWED_LOGON_VERSION_SERVER in sqlnet.ora (server side)
• This parameter sets the minimum authentication protocol allowed when connecting to Oracle Database instances
• It controls:
• Which password hashes are available
• Consequently, which version of the client can connect to the database
• ALLOWED_LOGON_VERSION_SERVER deprecates SEC_CASE_SENSITIVE_LOGON
| SQLNET.ALLOWED_LOGON_VERSION_SERVER | Password hashes (USER$.PASSWORD, USER$.SPARE4) | Client version allowed |
|---|---|---|
| 12a + ALTER USER IDENTIFIED BY VALUES '<T:SHA2_HASH>' | SHA512 | >= 12.1.0.2 (except for XDB user) |
| 12a | HTML Digest, SHA512 | >= 12.1.0.2 |
| 12 | SHA1, HTML Digest, SHA512 | Clients with CPU Oct 2012 (*) or later, or 11.2.0.3 clients with an equivalent update |
| 11 | DES, SHA1, HTML Digest, SHA512 | Clients with 10g and later. (Clients < 11.2.0.3 without CPU Oct 2012 must use 10g password version) |
| 10 | DES, SHA1, HTML Digest, SHA512 | Clients with 10g and later. (Clients < 11.2.0.3 without CPU Oct 2012 must use 10g password version) |
| 9 | DES, SHA1, HTML Digest, SHA512 | >= 9i |
| 8 | DES, SHA1, HTML Digest, SHA512 | >= 8i |

(*) CPU Oct 2012 introduces an encrypted session key
More about password hashes : http://www.petefinnigan.com/UKOUG-Conference-Passwords.pdf
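An added example (not part of the original slides) of what to check before raising SQLNET.ALLOWED_LOGON_VERSION_SERVER, and of how to attach the strong verify function to accounts through a profile. The profile name APP_SECURE and its limit values are assumptions; user A is the sample account used later in the deck.

```sql
-- 1. Which accounts still carry a 10G (DES) password version?
--    With the server parameter at 12 or 12a the 10G version is no longer
--    accepted, so an account that has ONLY the 10G version cannot log in
--    until its password is reset.
SELECT username, account_status, password_versions
FROM   dba_users
WHERE  password_versions LIKE '%10G%'
ORDER  BY username;

-- 2. Hypothetical profile (name and limits are assumptions) that enforces
--    the complexity function created by catpvf.sql.
CREATE PROFILE app_secure LIMIT
  PASSWORD_VERIFY_FUNCTION ora12c_strong_verify_function
  FAILED_LOGIN_ATTEMPTS    5
  PASSWORD_LOCK_TIME       1      -- days
  PASSWORD_LIFE_TIME       90     -- days
  PASSWORD_GRACE_TIME      7      -- days
  PASSWORD_REUSE_MAX       10
  PASSWORD_REUSE_TIME      365;   -- days

-- 3. Assign the profile and force a password change. The new password is
--    checked by the verify function and hashed only with the versions the
--    current server setting allows.
ALTER USER a PROFILE app_secure;
ALTER USER a PASSWORD EXPIRE;

-- 4. After the user has changed the password, confirm that the 10G version
--    is gone and that the profile is in place.
SELECT username, password_versions, profile
FROM   dba_users
WHERE  username = 'A';
```

Accounts deliberately kept without password expiration (the deck names dbsnmp and application schema users) need their own profile rather than APP_SECURE.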
• A strong authentication policy is not sufficient
• Oracle 12c improves default authorization policies:
• Users with privilege SELECT ANY DICTIONARY lost SELECT privilege on dictionary tables that contain password hashes :
• USER$
• LINK$
• DEFAULT_PWD$
• Oracle tracks last login date in DBA_USERS.LAST_LOGIN (USER$.SPARE6)
• You can now lock accounts of non-returning users (before dropping them if necessary)
Lock all accounts that aren’t regularly connected to the database
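An added example (not from the original slides) of using DBA_USERS.LAST_LOGIN to find accounts to lock. The 90-day threshold and the exclusion list are assumptions to adapt to your own policy.

```sql
-- Open accounts, not maintained by Oracle, with no recorded login in the
-- last 90 days. LAST_LOGIN is NULL when no login has been recorded for the
-- account, so those rows are listed first for manual review.
SELECT username, profile, created, last_login
FROM   dba_users
WHERE  account_status = 'OPEN'
AND    oracle_maintained = 'N'
AND    (last_login IS NULL
        OR last_login < SYSTIMESTAMP - INTERVAL '90' DAY)
ORDER  BY last_login NULLS FIRST;

-- Generate the lock statements instead of locking directly, so the list
-- can be reviewed. HR_APP and BATCH_LOADER are hypothetical accounts that
-- must stay open (for example application connections through a pool).
SELECT 'ALTER USER "' || username || '" ACCOUNT LOCK;' AS lock_stmt
FROM   dba_users
WHERE  account_status = 'OPEN'
AND    oracle_maintained = 'N'
AND    username NOT IN ('HR_APP', 'BATCH_LOADER')
AND    (last_login IS NULL
        OR last_login < SYSTIMESTAMP - INTERVAL '90' DAY)
ORDER  BY username;

-- A locked schema still owns its objects and other users keep their access
-- to them; only direct logins to the account are refused.
```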
• Managing authorization…
• Grant the required privilege/role, and no more !
• Roles are recursive
• Use WITH GRANT OPTION / WITH ADMIN OPTION with care
➢ WITH GRANT OPTION
• Allows the grantee to cascade privilege grants to other users
• Only for object privileges
➢ WITH ADMIN OPTION
• Allows the grantee to cascade privilege grants to other users
• Only for system privileges
• Granted users can revoke the privilege from the grantor !!
We all know a developer that needs the DBA role to SELECT ANY TABLE in the Dev Database ! ☺
• Privilege analysis
• New Oracle 12c feature
• Goal:
• Analyze all the privileges used by a user/role
• Grant only privileges that a user/role needs
• Revoke unnecessary privileges
• Increase the security of applications and database operations
• Based on a capture process
• Privilege analysis
• Types of capture
• DBMS_PRIVILEGE_CAPTURE.G_DATABASE
• All privileges are captured except from user SYS.
• DBMS_PRIVILEGE_CAPTURE.G_ROLE
• Captures privileges for the sessions that have the roles enabled. (It’s possible to capture many roles at a time)
• DBMS_PRIVILEGE_CAPTURE.G_CONTEXT
• Captures privileges for the sessions that have a condition set by SYS_CONTEXT() evaluated to TRUE
• DBMS_PRIVILEGE_CAPTURE.G_ROLE_AND_CONTEXT:
• Both Context and role capture types
• Privilege analysis : Example DBA role usage analysis for a specific user
-- Define a capture restricted to the sessions of user A
BEGIN
  DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
    name      => 'DBA analysis for user A',
    type      => DBMS_PRIVILEGE_CAPTURE.G_CONTEXT,
    condition => 'SYS_CONTEXT(''USERENV'', ''SESSION_USER'')=''A''');
END;
/
-- Start recording the privileges used
EXECUTE DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE('DBA analysis for user A');
-- Workload executed as user A
CONNECT A/A
SELECT COUNT(*) FROM HR.EMPLOYEES;
EXPLAIN PLAN FOR UPDATE HR.EMPLOYEES SET SALARY=SALARY*1.1;
-- Stop recording
EXECUTE DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE('DBA analysis for user A');
-- GENERATE_RESULT populates the dictionary to analyze results
EXECUTE DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT('DBA analysis for user A');
• Privilege analysis : Example DBA role usage analysis for a specific user
EXECUTE DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT('DBA analysis for user A');
SQL> SELECT USERNAME,SYS_PRIV,USED_ROLE,PATH
2 FROM DBA_USED_SYSPRIVS_PATH
3 WHERE USERNAME = 'A' order by 1,2,3;
USERNAME SYS_PRIV USED_ROLE PATH
-------- ---------------- ---------------- ---------------------------------------------------------------------------
…/…
A SELECT ANY TABLE OLAP_DBA GRANT_PATH('A', 'DBA', 'DATAPUMP_EXP_FULL_DATABASE', 'EXP_FULL_DATABASE')
A SELECT ANY TABLE OLAP_DBA GRANT_PATH('A', 'DBA', 'IMP_FULL_DATABASE')
A SELECT ANY TABLE OLAP_DBA GRANT_PATH('A', 'DBA', 'OLAP_DBA')
A SELECT ANY TABLE OLAP_DBA GRANT_PATH('A', 'DBA', 'DATAPUMP_IMP_FULL_DATABASE', 'EXP_FULL_DATABASE')
…/…
A UPDATE ANY TABLE OLAP_DBA GRANT_PATH('A', 'DBA', 'DATAPUMP_IMP_FULL_DATABASE', 'IMP_FULL_DATABASE')
A UPDATE ANY TABLE OLAP_DBA GRANT_PATH('A', 'DBA')
A UPDATE ANY TABLE OLAP_DBA GRANT_PATH('A', 'DBA', 'IMP_FULL_DATABASE')
A UPDATE ANY TABLE OLAP_DBA GRANT_PATH('A', 'DBA', 'OLAP_DBA')
• Privilege analysis : Example DBA role usage analysis for a specific user
• Other interesting views
• DBA_UNUSED_OBJPRIVS
• DBA_UNUSED_OBJPRIVS_PATH
• DBA_UNUSED_PRIVS
• DBA_UNUSED_SYSPRIVS
• DBA_UNUSED_SYSPRIVS_PATH
• DBA_UNUSED_USERPRIVS
• DBA_UNUSED_USERPRIVS_PATH
• DBA_USED_OBJPRIVS
• DBA_USED_OBJPRIVS_PATH
• DBA_USED_PRIVS
• DBA_USED_PUBPRIVS
• DBA_USED_SYSPRIVS
• DBA_USED_SYSPRIVS_PATH
• DBA_USED_USERPRIVS
• DBA_USED_USERPRIVS_PATH
• Encryption
• Encryption with Transparent Data Encryption (TDE)
• Columns
• Datafiles
• Backupsets
• Datapump Exports
• Network Encryption (and check summing)
• Encryption with TDE : Key Management
• TDE is a two-level encryption key architecture
• Master key
• Stored externally in a Wallet or HSM
• The Master key encrypts/decrypts secondary keys
• Secondary keys
• Stored internally in the dictionary (column encryption) or in datafile header (tablespace encryption)
• Secondary keys encrypt/decrypt column and tablespaces contents
• Encryption with TDE
• Need to have a Keystore (location declared in sqlnet.ora)
• Keystore can be
• A wallet stored in a file (Wallet). It can be located on ASM.
• A Hardware Security Module (HSM)
• Keystore Creation:
SQL> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/var/opt/oracle' identified by encryptedWallet123;
keystore altered.
SQL> !ls /var/opt/oracle
ewallet.p12
• Encryption with TDE
• Open the Keystore before TDE master key creation or access
SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY encryptedWallet123;
keystore altered.
SQL> SELECT * from V$ENCRYPTION_WALLET;
WRL_TYPE WRL_PARAMETER STATUS WALLET_TYPE WALLET_OR FULLY_BAC CON_ID
-------- ----------------- ------------------ ----------- --------- --------- ----------
FILE /var/opt/oracle/ OPEN_NO_MASTER_KEY PASSWORD SINGLE UNDEFINED 0
• Encryption with TDE
• Master Key Creation
SQL> ADMINISTER KEY MANAGEMENT SET KEY USING TAG 'Laurent_key' IDENTIFIED BY encryptedWallet123
2 WITH BACKUP USING 'myBackup';
keystore altered.
SQL> !ls -l /var/opt/oracle
total 8
-rw-r--r-- 1 oracle oinstall 2400 Apr 19 11:48 ewallet_2016041909483023_myBackup.p12
-rw-r--r-- 1 oracle oinstall 4024 Apr 19 11:48 ewallet.p12
• Encryption with TDE
• Creating encrypted table
• Available algorithms : 3DES168, AES128, AES192 (default), AES256
• A Salt is added by default for plain text. NO SALT has to be used for indexed columns
• Creating encrypted tablespace
• Available algorithms : 3DES168, AES128 (default), AES192, AES256
• A Salt is added by default for plain text
SQL> create table laurent.t(id number, v varchar2(20) encrypt using 'AES256') tablespace users;
Table created.
SQL> create tablespace testtbs datafile '/u02/oradata/orcl/testtbs01.dbf' size 10M
2 encryption using 'AES256'
3 default storage (encrypt);
Tablespace created.
• Encryption with TDE
• Encrypted columns are encrypted/decrypted at SQL level
• Data is kept encrypted in the SGA
• Encrypted tablespaces are encrypted/decrypted by Server Process/DBWn
• Data is not encrypted in SGA
• Using TDE has a small overhead on performance (5 – 8%)
[Figure: Column Encryption vs Tablespace encryption in SGA]
• Backup / Data export / DR / Replication
• Always use encrypted backups with TDE
• Always use datapump exports with TDE
• TDE is fully compatible with Dataguard (physical and logical)
• TDE (column) is supported in Golden Gate 11.1.1.1 and above for databases:
• 10.2.0.5 and above,
• 11.1.0.7 and above,
• 11.2.0.2 and above
• TDE (tablespace) is supported in Golden Gate 11.1.1.1 and above for databases:
• 11.1.0.7 and above,
• 11.2.0.2 and above
See :
- TDE / TSE Supported Oracle RDBMS Versions for OGG (Doc ID 1341598.1)
- Step by Step Guide to Configure GoldenGate Extract in Classic Mode to capture TDE in 11.1.1.1 and up (Doc ID 1451327.1)
• Transparent Network Encryption / Check-summing
• SQL*Net traffic can be
• Encrypted : the network traffic is encrypted
• Check-summed : Oracle checks that all the packets which have been transmitted :
• Have reached the target in the same order
• Have not been altered
• Encrypted and Check summed
Now available for all editions (>12c)
• Transparent Network Encryption / Check-summing
• Encryption
• Decision to encrypt is taken between client and server
• Algorithms available
• AES : key length: 256, 192, 128 bits (Strongly recommended)
• RC4 : key length: 256, 128, 56, 40 bits
• 3DES : 2x56-bit keys (112 bits) to 3x56-bit keys (168 bits)
• DES : Key length: 40, 56 bits
• Configured in sqlnet.ora (client and server)
• tcpdump examples
[Figure: tcpdump captures, without network encryption and with network encryption]
• Transparent Network Encryption / Check-summing
• Check summing
• Decision to checksum is taken between client and server
• Hash algorithms available
• MD5
• SHA-1
• SHA-2 (SHA256, SHA384, SHA512)
• Configured in sqlnet.ora (client and server)
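Because encryption and check-summing are negotiated per connection, it is worth verifying what each session actually obtained. This is an added example, not part of the original slides; it assumes the negotiated algorithm shows up in a V$SESSION_CONNECT_INFO banner line containing "encryption service adapter" or "crypto-checksumming service adapter", which should be confirmed on your platform and release.

```sql
-- V$SESSION_CONNECT_INFO has one row per network service banner line of a
-- session. The regular expression keeps the word placed just before the
-- adapter text (for example AES256 or SHA1); matching is case-insensitive.
SELECT s.sid,
       s.serial#,
       s.username,
       s.machine,
       MAX(REGEXP_SUBSTR(i.network_service_banner,
             '(\S+) encryption service adapter', 1, 1, 'i', 1))
         AS encryption_alg,
       MAX(REGEXP_SUBSTR(i.network_service_banner,
             '(\S+) crypto-checksumming service adapter', 1, 1, 'i', 1))
         AS checksum_alg
FROM   v$session s
JOIN   v$session_connect_info i
       ON  i.sid     = s.sid
       AND i.serial# = s.serial#
WHERE  s.type = 'USER'
GROUP  BY s.sid, s.serial#, s.username, s.machine
ORDER  BY encryption_alg NULLS FIRST, s.username;

-- Summary per client machine: sessions with no negotiated encryption, and
-- sessions that negotiated one of the weaker algorithms listed in the deck
-- (RC4, DES, 3DES for encryption; MD5 for check-summing).
WITH sess AS (
  SELECT s.sid, s.serial#, s.machine,
         MAX(REGEXP_SUBSTR(i.network_service_banner,
               '(\S+) encryption service adapter', 1, 1, 'i', 1)) AS enc,
         MAX(REGEXP_SUBSTR(i.network_service_banner,
               '(\S+) crypto-checksumming service adapter', 1, 1, 'i', 1)) AS chk
  FROM   v$session s
  JOIN   v$session_connect_info i
         ON i.sid = s.sid AND i.serial# = s.serial#
  WHERE  s.type = 'USER'
  GROUP  BY s.sid, s.serial#, s.machine
)
SELECT machine,
       COUNT(*)                                              AS sessions,
       SUM(CASE WHEN enc IS NULL THEN 1 ELSE 0 END)          AS not_encrypted,
       SUM(CASE WHEN enc IS NOT NULL
                 AND UPPER(enc) NOT LIKE 'AES%' THEN 1 ELSE 0 END) AS weak_cipher,
       SUM(CASE WHEN UPPER(chk) = 'MD5' THEN 1 ELSE 0 END)   AS md5_checksum
FROM   sess
GROUP  BY machine
ORDER  BY not_encrypted DESC, weak_cipher DESC;
```

Local (bequeath) connections also appear with NULL algorithms, so read the result together with the machine column before treating a row as clear-text network traffic.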
• Audit
• Auditing a database is mandatory for a strong security policy
• Improving database security without auditing is like an ultra-high-security jail without a watchtower
• An audit policy is based on :
• WHAT you want to audit
• WHERE the audit trail is located
• Two types of audit trail
• Local: In the database, local OS
• Traditional Audit
• Unified Audit (12c)
• External
• Audit Vault
• Audit : WHAT to audit ?
• Regardless of whether database auditing is configured :
• Connection to the instance with administrator privileges (SYSOPER, SYSDBA, SYSBACKUP, SYSKM, SYSDG, SYSASM)
• Database shutdown
• Database startup
• Produce an audit record file in AUDIT_FILE_DEST
OR
• Produce an audit record in OS syslog :
• AUDIT_SYSLOG_LEVEL configured
• Audit : WHAT to audit ?
• General (Old) auditing
• Use of AUDIT command
• All audit actions are detailed in AUDIT_ACTIONS table
• Audit records are located in the OS or AUD$ table (DBA_AUDIT_TRAIL view)
• Fine Grained Auditing
• Used to minimize false audit records
• Based on specific conditions (For example : Audit update statement on EMPLOYEES table for lines with SALARY > 5000)
• Audit records are located in FGA_AUD$ table (DBA_FGA_AUDIT_TRAIL view)
• Unified Auditing
• Before 12c … Auditing a database can be a complex thing to do
• Many audit destinations : OS, DB (AUD$, FGA_AUD$, DVSYS.AUDIT_TRAIL$)
• Many formats: Text, XML, extended or not
• Many parameters
…
• Oracle 12c introduces unified auditing
• Default : mixed mode, i.e. unified auditing and traditional auditing work together
• Pure unified auditing mode : only unified auditing is enabled
• Unified Auditing
• It unifies:
• General Auditing
• Fine Grained Auditing
• Database Vault Auditing
• Datapump operations audit (expdp, impdp)
• Backup/restore operation audit
• SQL*Loader in Direct mode
• Oracle Label Security
• Oracle DataMining
• Based on policies you need to create and enable
• Two roles are introduced for separation of duties
• AUDIT_ADMIN: Administration and Configuration
• AUDIT_VIEWER: View and analyze audit data
• Unified Auditing
• Pure Unified Auditing is not enabled by default
$ cd $ORACLE_HOME/rdbms/lib
$ make -f ins_rdbms.mk uniaud_on ioracle
Connected to:
Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production
With the Partitioning, OLAP, Advanced Analytics and Real Application Testing
options
Connected to:
Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production
With the Partitioning, OLAP, Advanced Analytics, Real Application Testing
and Unified Auditing options
No OS and DB audit (AUDIT_TRAIL) will be generated (Pure unified auditing)
• Unified Auditing
• Queued Mode (default)
• Size of the queue configured by UNIFIED_AUDIT_SGA_QUEUE_SIZE
• A direct mode exists
• DBMS_AUDIT_MGMT
• SET_AUDIT_TRAIL_PROPERTY to set write mode and other properties
• Configuration available in SYS.DAM_CONFIG_PARAM$
• Constants in DBMS_AUDIT_MGMT package definition
Source: Oracle
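An added example (not from the original slides) that ties the unified auditing slides together: checking the mode, creating and enabling a policy, switching the write mode with DBMS_AUDIT_MGMT, and reading the trail. The policy name HR_EMP_CHANGES and the application account HR_APP are hypothetical; the statements are meant to be run by a user holding AUDIT_ADMIN.

```sql
-- 1. Is pure unified auditing linked into the binary?
--    TRUE after the uniaud_on relink, FALSE in the default mixed mode.
SELECT value FROM v$option WHERE parameter = 'Unified Auditing';

-- 2. Policy: audit changes to HR.EMPLOYEES and any use of the ANY TABLE
--    privileges, for every session except the hypothetical application
--    account HR_APP.
CREATE AUDIT POLICY hr_emp_changes
  PRIVILEGES SELECT ANY TABLE, UPDATE ANY TABLE
  ACTIONS    UPDATE ON hr.employees,
             DELETE ON hr.employees
  WHEN 'SYS_CONTEXT(''USERENV'', ''SESSION_USER'') != ''HR_APP'''
  EVALUATE PER SESSION;

-- A policy records nothing until it is enabled.
AUDIT POLICY hr_emp_changes;

SELECT policy_name, enabled_opt, user_name, success, failure
FROM   audit_unified_enabled_policies
WHERE  policy_name = 'HR_EMP_CHANGES';

-- 3. Write mode. In queued mode (the default) records wait in the SGA queue
--    and can be lost if the instance crashes; immediate-write mode trades
--    some performance for durability of the audit records.
BEGIN
  DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_PROPERTY(
    audit_trail_type           => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
    audit_trail_property       => DBMS_AUDIT_MGMT.AUDIT_TRAIL_WRITE_MODE,
    audit_trail_property_value => DBMS_AUDIT_MGMT.AUDIT_TRAIL_IMMEDIATE_WRITE);
END;
/

-- When staying in queued mode, flush the queue before reading the trail.
EXECUTE DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL;

-- 4. Review what the policy captured (AUDIT_VIEWER is enough for this).
SELECT event_timestamp, dbusername, action_name,
       object_schema, object_name, return_code
FROM   unified_audit_trail
WHERE  unified_audit_policies LIKE '%HR_EMP_CHANGES%'
ORDER  BY event_timestamp DESC;
```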
• Audit : WHERE is the audit trail located ?
• Usually … audit trail is locally managed (server, database)
➢ Not a very good idea ?
• Audit Vault gets and stores audit data on a separate server
• Audit Vault is combined with Database Firewall for better security
Source: Oracle
• Divide and conquer
• Challenges:
• DBAs are the most powerful users
• They administer
• The database : Backup, performance etc.
• The security
• DBAs have absolute power of life and death over your data !
• Divide and conquer … with Database Vault
• With realms definition, it blocks access to protected objects from privileged accounts (SYS for example)
Source: Oracle
• Divide and conquer … with Database Vault
• Oracle 12c introduces mandatory realms
• Mandatory realms seal off objects from all access … including the schema owner and privileged users
• Mandatory realms access is granted specifically
• Mandatory realms can be enabled for specific goals:
• Maintenance operations
• Provide additional check including for object owner
• Additional checks can be performed before gaining access to application data
Source: Oracle
• Divide and conquer … with Database Vault
• Control Database configuration … including for the DBA role
Source: Oracle
• Divide and conquer … with Database Vault
Installation is now included in DBCA
Security policy has to be done
Removing DBVault is an easy thing to do
But …
• Some roles have been modified
• Some privileged users have been modified too.
→ Evangelize your users, especially DBAs
• Conclusion
• Always build the security policy you need !
• Security policies have to be engineered globally (Applications, Application servers, OS, Network etc.)
• Your security policies are living things !
• Neglecting your security can be expensive
• For your business
• For your company
REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC
(http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.119.01.0001.01.ENG&toc=OJ:L:2016:119:TOC)
Penalties up to 4 % of the total worldwide annual turnover !!
Questions ?

 
Oracle Enterprise Manager 12c: updates and upgrades.
Oracle Enterprise Manager 12c: updates and upgrades.Oracle Enterprise Manager 12c: updates and upgrades.
Oracle Enterprise Manager 12c: updates and upgrades.
 
Flashback in OCI
Flashback in OCIFlashback in OCI
Flashback in OCI
 
Oracle database connection with the .net developers
Oracle database connection with the .net developersOracle database connection with the .net developers
Oracle database connection with the .net developers
 
Plantilla oracle
Plantilla oraclePlantilla oracle
Plantilla oracle
 
2019 - GUOB Tech Day / Groundbreakers LAD Tour - Database Migration Methods t...
2019 - GUOB Tech Day / Groundbreakers LAD Tour - Database Migration Methods t...2019 - GUOB Tech Day / Groundbreakers LAD Tour - Database Migration Methods t...
2019 - GUOB Tech Day / Groundbreakers LAD Tour - Database Migration Methods t...
 

More from Laurent Leturgez

Python and Oracle : allies for best of data management
Python and Oracle : allies for best of data managementPython and Oracle : allies for best of data management
Python and Oracle : allies for best of data managementLaurent Leturgez
 
Oracle hadoop let them talk together !
Oracle hadoop let them talk together !Oracle hadoop let them talk together !
Oracle hadoop let them talk together !Laurent Leturgez
 
Oracle Database : Addressing a performance issue the drilldown approach
Oracle Database : Addressing a performance issue the drilldown approachOracle Database : Addressing a performance issue the drilldown approach
Oracle Database : Addressing a performance issue the drilldown approachLaurent Leturgez
 
Which cloud provider for your oracle database
Which cloud provider for your oracle databaseWhich cloud provider for your oracle database
Which cloud provider for your oracle databaseLaurent Leturgez
 
SIMD inside and outside Oracle 12c In Memory
SIMD inside and outside Oracle 12c In MemorySIMD inside and outside Oracle 12c In Memory
SIMD inside and outside Oracle 12c In MemoryLaurent Leturgez
 

More from Laurent Leturgez (6)

Python and Oracle : allies for best of data management
Python and Oracle : allies for best of data managementPython and Oracle : allies for best of data management
Python and Oracle : allies for best of data management
 
Architecting a datalake
Architecting a datalakeArchitecting a datalake
Architecting a datalake
 
Oracle hadoop let them talk together !
Oracle hadoop let them talk together !Oracle hadoop let them talk together !
Oracle hadoop let them talk together !
 
Oracle Database : Addressing a performance issue the drilldown approach
Oracle Database : Addressing a performance issue the drilldown approachOracle Database : Addressing a performance issue the drilldown approach
Oracle Database : Addressing a performance issue the drilldown approach
 
Which cloud provider for your oracle database
Which cloud provider for your oracle databaseWhich cloud provider for your oracle database
Which cloud provider for your oracle database
 
SIMD inside and outside Oracle 12c In Memory
SIMD inside and outside Oracle 12c In MemorySIMD inside and outside Oracle 12c In Memory
SIMD inside and outside Oracle 12c In Memory
 

Recently uploaded

SpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at RuntimeSpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at Runtimeandrehoraa
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsAhmed Mohamed
 
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...OnePlan Solutions
 
Buds n Tech IT Solutions: Top-Notch Web Services in Noida
Buds n Tech IT Solutions: Top-Notch Web Services in NoidaBuds n Tech IT Solutions: Top-Notch Web Services in Noida
Buds n Tech IT Solutions: Top-Notch Web Services in Noidabntitsolutionsrishis
 
Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Hr365.us smith
 
How to Track Employee Performance A Comprehensive Guide.pdf
How to Track Employee Performance A Comprehensive Guide.pdfHow to Track Employee Performance A Comprehensive Guide.pdf
How to Track Employee Performance A Comprehensive Guide.pdfLivetecs LLC
 
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...Natan Silnitsky
 
英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作qr0udbr0
 
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)jennyeacort
 
What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....kzayra69
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityNeo4j
 
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanySuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanyChristoph Pohl
 
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...confluent
 
Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Andreas Granig
 
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样umasea
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...stazi3110
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024StefanoLambiase
 
How to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion ApplicationHow to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion ApplicationBradBedford3
 
MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based projectAnoyGreter
 

Recently uploaded (20)

SpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at RuntimeSpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at Runtime
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML Diagrams
 
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
 
Buds n Tech IT Solutions: Top-Notch Web Services in Noida
Buds n Tech IT Solutions: Top-Notch Web Services in NoidaBuds n Tech IT Solutions: Top-Notch Web Services in Noida
Buds n Tech IT Solutions: Top-Notch Web Services in Noida
 
Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)
 
How to Track Employee Performance A Comprehensive Guide.pdf
How to Track Employee Performance A Comprehensive Guide.pdfHow to Track Employee Performance A Comprehensive Guide.pdf
How to Track Employee Performance A Comprehensive Guide.pdf
 
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
 
英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作
 
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
 
What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered Sustainability
 
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanySuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
 
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
 
Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024
 
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
 
How to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion ApplicationHow to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion Application
 
MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based project
 
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort ServiceHot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
 

Improve oracle 12c security

  • 1. Improve your Oracle 12c Database Security Laurent Leturgez
  • 2. Whoami • Oracle Consultant since 2001 • Former developer (C, Java, perl, PL/SQL) • Owner@Premiseo: Data Management on Premise and in the Cloud • Blogger since 2004 • http://laurent.leturgez.free.fr (In french and discontinued) • http://laurent-leturgez.com • Twitter : @lleturgez
  • 3. Improve your Oracle 12c Database Security • Agenda • Introduction • Keep your software up to date • Build the security policy that your data need • Authenticate • Authorize • Encrypt • Audit • Divide and conquer
  • 4. Improve your Oracle 12c Database Security • Agenda •Introduction • Oracle software and component management • Build the security policy that your data need • Authenticate • Authorize • Encrypt • Audit • Divide and conquer
  • 5. Improve your Oracle 12c Database Security • Let’s start with a survey … • Who really takes care of the security of their databases? • How? • Patch Management • Password complexity • Profile Management • Encryption • Backup
  • 6. Improve your Oracle 12c Database Security • Less used methods • OS hardening • Listener hardening • Code inspection and Code management (SQL Translation Framework) • Key Management • Auditing • Timeout management • Pen testing
  • 7. Improve your Oracle 12c Database Security •Why ? •More attention •More budget Your data is the main target of attackers
  • 8. Improve your Oracle 12c Database Security • Where to place the cursor ? Less Security More Security
  • 9. Improve your Oracle 12c Database Security • Fundamentals • Build the security policy that your data really need • Authenticate • Authorize • Encrypt • Audit • Keep your software up to date • Evangelize your users • Divide and conquer
  • 10. Improve your Oracle 12c Database Security • Agenda • Introduction •Oracle software and component management • Build the security policy that your data need • Authenticate • Authorize • Encrypt • Audit • Divide and conquer
  • 11. Improve your Oracle 12c Database Security • Oracle release management • Previous releases contain security bugs • Previous releases (and the oldest ones) are not maintained • Previous releases use old password hashes • Previous releases use old Java version in Java VM (if used) • Oracle software components management • Install only Oracle components that you really need • CREATE DATABASE + manual components installation • DBCA : Use “Custom Database” template and select the components you need
  • 12. Improve your Oracle 12c Database Security • Patch Management • Before Oracle 12c, Oracle released Patch updates every 3 months • Patch Set Updates (PSU) for general issues (ORA-600, performance etc.) • Security Patch updates (SPU) / Critical Patch Updates (CPU) for security related issues • Oracle 12c and onwards • PSU and SPU are merged (PSU) • PSU are released every 3 months • Oracle 11.1 to 12c : Oracle JVM Patch Updates • Patch Updates for Oracle embedded JVM • Availability : unpacked, packed with DB PSU, DB SPU/CPU, GI PSU • PSU, CPU/SPU, OJVM patch are available from 8.1.7 to 12.1.0.2 • See : Quick Reference to Patch Numbers for Database PSU, SPU(CPU), Bundle Patches and Patchsets (Doc ID 1454618.1) Deploy the latest PSU/SPU/OJVM on your databases
  • 13. Improve your Oracle 12c Database Security • Agenda • Introduction • Oracle software and component management •Build the security policy that your data need •Authenticate • Authorize • Encrypt • Audit • Divide and conquer
  • 14. Improve your Oracle 12c Database Security • Use password verify function • Oracle 12c implements a new password verify function • Used to verify password complexity • By default: only ORA12C_STRONG_VERIFY_FUNCTION is created and available for password verification ($ORACLE_HOME/rdbms/admin/catpvf.sql) • 9 characters • 2 upper case • 2 lower case • 2 digits • 2 special characters • The new password has to differ from the previous password by at least 4 characters. Based on the Levenshtein distance: the minimum number of single-character edits (insertion, deletion, substitution) required to change one word into the other
  • 15. Improve your Oracle 12c Database Security • Use password verify function • Other functions are available in ($ORACLE_HOME/rdbms/admin/utlpwdmg.sql) • ORA12C_VERIFY_FUNCTION • 8 characters long with at least 1 numeric and 1 alphabetic character • Password cannot be the same as username • Password cannot be the server name • Password doesn’t contain “oracle” • Password cannot be too simple (welcome1, database1, account1, user1234, password1, oracle123, computer1, abcdefg1, or change_on_install) • VERIFY_FUNCTION_11G • VERIFY_FUNCTION
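The rules listed above for ORA12C_STRONG_VERIFY_FUNCTION, modelled as an added example (this is not Oracle's PL/SQL from catpvf.sql). It shows why a password that only bumps one digit is rejected by the Levenshtein rule even though it passes every complexity check; treating "special characters" as ASCII punctuation is an assumption of this example, and the sample passwords are constructed.

```python
import string
from typing import List, Optional

# Thresholds as listed on the slide for ORA12C_STRONG_VERIFY_FUNCTION.
MIN_LENGTH = 9
MIN_PER_CLASS = 2   # upper case, lower case, digits, special characters
MIN_DISTANCE = 4    # single-character edits between old and new password

# Assumption of this example: "special" means ASCII punctuation.
CLASSES = {
    "upper case": string.ascii_uppercase,
    "lower case": string.ascii_lowercase,
    "digit": string.digits,
    "special": string.punctuation,
}


def levenshtein(a: str, b: str) -> int:
    """Minimum number of insertions, deletions and substitutions turning a into b."""
    previous = list(range(len(b) + 1))          # distance from "" to each prefix of b
    for i, ca in enumerate(a, start=1):
        current = [i]                           # distance from a[:i] to ""
        for j, cb in enumerate(b, start=1):
            current.append(min(
                previous[j] + 1,                # delete ca
                current[j - 1] + 1,             # insert cb
                previous[j - 1] + (ca != cb),   # substitute (free when equal)
            ))
        previous = current
    return previous[-1]


def check_password(new: str, old: Optional[str] = None) -> List[str]:
    """Return the violated rules; an empty list means the password is accepted."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append(f"length {len(new)} < {MIN_LENGTH}")
    for label, alphabet in CLASSES.items():
        count = sum(ch in alphabet for ch in new)
        if count < MIN_PER_CLASS:
            problems.append(f"{count} {label} character(s) < {MIN_PER_CLASS}")
    if old is not None:
        distance = levenshtein(old, new)
        if distance < MIN_DISTANCE:
            problems.append(f"distance {distance} from previous password < {MIN_DISTANCE}")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords, not taken from the slides.
    previous_password = "Summer#2023!Ab"
    for candidate in ("Welcome1", "Summer#2024!Ab", "Tr!ck7Gate#92"):
        print(candidate, "->", check_password(candidate, previous_password) or "accepted")
```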
  • 16. Improve your Oracle 12c Database Security • Profile Management • User Profiles: Collection of parameters that sets limits on database resources • In 12.1.0.2: 2 profiles • DEFAULT: for all users • ORA_STIG_PROFILE: for highly secured profiles STIG : Security Technical Implementation Guidelines STIG is a set of rules enhanced by Oracle (https://docs.oracle.com/cd/E24628_01/doc.121/e36074/stig_rules.htm)
  • 17. Improve your Oracle 12c Database Security • Profile Management • User Profiles and password verify function are mandatory for better security (Authorization) • Be careful … • Exceptions: profiles with no password expiration policy (dbsnmp etc.) • With application schema users
  • 18. Improve your Oracle 12c Database Security • Password complexity • Choose the correct password verifier (New in 12c) • SQLNET.ALLOWED_LOGON_VERSION_SERVER in sqlnet.ora (server side) • This parameter sets the minimum authentication protocol allowed when connecting to Oracle Database instances • It controls: • Which password hashes are available • Consequently, which version of the client can connect to the database • ALLOWED_LOGON_VERSION_SERVER deprecates SEC_CASE_SENSITIVE_LOGON
  • 19. Improve your Oracle 12c Database Security

        | SQLNET.ALLOWED_LOGON_VERSION_SERVER | Password Hashes (USER$.PASSWORD, USER$.SPARE4) | Client version allowed |
        |---|---|---|
        | 12a + ALTER USER IDENTIFIED BY VALUES '<T:SHA2_HASH>' | SHA512 | >= 12.1.0.2 (Except for XDB user) |
        | 12a | HTML Digest, SHA512 | >= 12.1.0.2 |
        | 12 | SHA1, HTML Digest, SHA512 | Clients with CPU Oct 2012 (*) or later or 11.2.0.3 clients with an equivalent update |
        | 11 | DES, SHA1, HTML Digest, SHA512 | Clients with 10g and later. (Clients < 11.2.0.3 without CPU Oct 2012 must use 10g password version) |
        | 10 | DES, SHA1, HTML Digest, SHA512 | Clients with 10g and later. (Clients < 11.2.0.3 without CPU Oct 2012 must use 10g password version) |
        | 9 | DES, SHA1, HTML Digest, SHA512 | >= 9i |
        | 8 | DES, SHA1, HTML Digest, SHA512 | >= 8i |

    (*) CPU Oct2012 introduces an encrypted session key
    More about password hashes : http://www.petefinnigan.com/UKOUG-Conference-Passwords.pdf
  • 20. Improve your Oracle 12c Database Security • Agenda • Introduction • Oracle software and component management •Build the security policy that your data need • Authenticate •Authorize • Encrypt • Audit • Divide and conquer
  • 21. Improve your Oracle 12c Database Security • A strong authentication policy is not sufficient • Oracle 12c improves default authorization policies: • Users with the SELECT ANY DICTIONARY privilege lost the SELECT privilege on dictionary tables that contain password hashes: • USER$ • LINK$ • DEFAULT_PWD$ • Oracle tracks the last login date in DBA_USERS.LAST_LOGIN (USER$.SPARE6) • You can now lock the accounts of non-returning users (before dropping them if necessary) Lock all accounts that aren’t regularly connected to the database
  • 22. Improve your Oracle 12c Database Security • Managing authorization… • Grant the required privilege/role, and no more! • Roles are recursive • Use WITH GRANT OPTION / WITH ADMIN OPTION with care ➢WITH GRANT OPTION • Allows privilege grants to be cascaded to other users • Only for object privileges ➢WITH ADMIN OPTION • Allows privilege grants to be cascaded to other users • Only for system privileges • Granted users can revoke the privilege from the grantor !! We all know a developer who needs the DBA role to SELECT ANY TABLE in the Dev Database ! ☺
  • 23. Improve your Oracle 12c Database Security • Privilege analysis • New Oracle 12c feature • Goal: • Analyze all the privileges used by a user/role • Grant only privileges that a user/role needs • Revoke unnecessary privileges • Increase the security of applications and database operations • Based on a capture process
  • 24. Improve your Oracle 12c Database Security • Privilege analysis
  • 25. Improve your Oracle 12c Database Security • Privilege analysis • Types of capture • DBMS_PRIVILEGE_CAPTURE.G_DATABASE • All privileges are captured except from user SYS. • DBMS_PRIVILEGE_CAPTURE.G_ROLE • Captures privileges for the sessions that have the roles enabled. (It’s possible to capture many roles at a time) • DBMS_PRIVILEGE_CAPTURE.G_CONTEXT • Captures privileges for the sessions that have a condition set by SYS_CONTEXT() evaluated to TRUE • DBMS_PRIVILEGE_CAPTURE.G_ROLE_AND_CONTEXT: • Both Context and role capture types
  • 26. Improve your Oracle 12c Database Security • Privilege analysis : Example DBA role usage analysis for a specific user

        -- Capture the privileges used by sessions whose SESSION_USER is A
        BEGIN
          DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
            name      => 'DBA analysis for user A',
            type      => DBMS_PRIVILEGE_CAPTURE.G_CONTEXT,
            condition => 'SYS_CONTEXT(''USERENV'', ''SESSION_USER'')=''A''');
        END;
        /
        EXECUTE DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE('DBA analysis for user A');

        -- Workload executed as user A while the capture is enabled
        Connect A/A
        SELECT COUNT(*) FROM HR.EMPLOYEES;
        EXPLAIN PLAN FOR UPDATE HR.EMPLOYEES SET SALARY=SALARY*1.1;

        -- Stop the capture, then populate the result views
        EXECUTE DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE('DBA analysis for user A');
        EXECUTE DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT('DBA analysis for user A');

    GENERATE_RESULT populates the dictionary to analyze results
  • 27. Improve your Oracle 12c Database Security • Privilege analysis : Example DBA role usage analysis for a specific user

        EXECUTE DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT('DBA analysis for user A');

        SQL> SELECT USERNAME,SYS_PRIV,USED_ROLE,PATH
          2  FROM DBA_USED_SYSPRIVS_PATH
          3  WHERE USERNAME = 'A' order by 1,2,3;

        USERNAME SYS_PRIV         USED_ROLE        PATH
        -------- ---------------- ---------------- ---------------------------------------------------------------------------
        …/…
        A        SELECT ANY TABLE OLAP_DBA         GRANT_PATH('A', 'DBA', 'DATAPUMP_EXP_FULL_DATABASE', 'EXP_FULL_DATABASE')
        A        SELECT ANY TABLE OLAP_DBA         GRANT_PATH('A', 'DBA', 'IMP_FULL_DATABASE')
        A        SELECT ANY TABLE OLAP_DBA         GRANT_PATH('A', 'DBA', 'OLAP_DBA')
        A        SELECT ANY TABLE OLAP_DBA         GRANT_PATH('A', 'DBA', 'DATAPUMP_IMP_FULL_DATABASE', 'EXP_FULL_DATABASE')
        …/…
        A        UPDATE ANY TABLE OLAP_DBA         GRANT_PATH('A', 'DBA', 'DATAPUMP_IMP_FULL_DATABASE', 'IMP_FULL_DATABASE')
        A        UPDATE ANY TABLE OLAP_DBA         GRANT_PATH('A', 'DBA')
        A        UPDATE ANY TABLE OLAP_DBA         GRANT_PATH('A', 'DBA', 'IMP_FULL_DATABASE')
        A        UPDATE ANY TABLE OLAP_DBA         GRANT_PATH('A', 'DBA', 'OLAP_DBA')
  • 28. Improve your Oracle 12c Database Security • Privilege analysis : Example DBA role usage analysis for a specific user • Other interesting views • DBA_UNUSED_OBJPRIVS • DBA_UNUSED_OBJPRIVS_PATH • DBA_UNUSED_PRIVS • DBA_UNUSED_SYSPRIVS • DBA_UNUSED_SYSPRIVS_PATH • DBA_UNUSED_USERPRIVS • DBA_UNUSED_USERPRIVS_PATH • DBA_USED_OBJPRIVS • DBA_USED_OBJPRIVS_PATH • DBA_USED_PRIVS • DBA_USED_PUBPRIVS • DBA_USED_SYSPRIVS • DBA_USED_SYSPRIVS_PATH • DBA_USED_USERPRIVS • DBA_USED_USERPRIVS_PATH
  • 29. Improve your Oracle 12c Database Security • Agenda • Introduction • Oracle software and component management •Build the security policy that your data need • Authenticate • Authorize •Encrypt • Audit • Divide and conquer
  • 30. Improve your Oracle 12c Database Security • Encryption • Encryption with Transparent Data Encryption (TDE) • Columns • Datafiles • Backupsets • Datapump Exports • Network Encryption (and check summing)
  • 31. Improve your Oracle 12c Database Security • Encryption with TDE : Key Management • TDE is a two levels encryption key architecture • Master key • Stored externally in a Wallet or HSM • The Master key encrypts/decrypts secondary key • Secondary keys • Stored internally in the dictionary (column encryption) or in datafile header (tablespace encryption) • Secondary keys encrypt/decrypt column and tablespaces contents
  • 32. Improve your Oracle 12c Database Security • Encryption with TDE • Need to have a Keystore (location declared in sqlnet.ora) • Keystore can be • A wallet stored in a file (Wallet). It can be located on ASM. • A Hardware Security Module (HSM) • Keystore Creation:

        SQL> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/var/opt/oracle' identified by encryptedWallet123;

        keystore altered.

        SQL> !ls /var/opt/oracle
        ewallet.p12
  • 33. Improve your Oracle 12c Database Security • Encryption with TDE • Open the Keystore before TDE master key creation or access

        SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY encryptedWallet123;

        keystore altered.

        SQL> SELECT * from V$ENCRYPTION_WALLET;

        WRL_TYPE WRL_PARAMETER     STATUS             WALLET_TYPE WALLET_OR FULLY_BAC     CON_ID
        -------- ----------------- ------------------ ----------- --------- --------- ----------
        FILE     /var/opt/oracle/  OPEN_NO_MASTER_KEY PASSWORD    SINGLE    UNDEFINED          0
  • 34. Improve your Oracle 12c Database Security • Encryption with TDE • Master Key Creation

        SQL> ADMINISTER KEY MANAGEMENT SET KEY USING TAG 'Laurent_key' IDENTIFIED BY encryptedWallet123
          2  WITH BACKUP USING 'myBackup';

        keystore altered.

        SQL> !ls -l /var/opt/oracle
        total 8
        -rw-r--r-- 1 oracle oinstall 2400 Apr 19 11:48 ewallet_2016041909483023_myBackup.p12
        -rw-r--r-- 1 oracle oinstall 4024 Apr 19 11:48 ewallet.p12
  • 35. Improve your Oracle 12c Database Security • Encryption with TDE • Creating encrypted table • Available algorithms : 3DES168, AES128, AES192 (default), AES256 • A Salt is added by default for plain text. NO SALT has to be used for indexed columns • Creating encrypted tablespace • Available algorithms : 3DES168, AES128 (default), AES192, AES256 • A Salt is added by default for plain text

        SQL> create table laurent.t(id number, v varchar2(20) encrypt using 'AES256') tablespace users;

        Table created.

        SQL> create tablespace testtbs datafile '/u02/oradata/orcl/testtbs01.dbf' size 10M
          2  encryption using 'AES256'
          3  default storage (encrypt);

        Tablespace created.
  • 36. Improve your Oracle 12c Database Security • Encryption with TDE • Encrypted column are encrypted/decrypted at SQL level • Data is kept encrypted in the SGA • Encrypted tablespaces are encrypted/decrypted by Server Process/DBWn • Data is not encrypted in SGA • Using TDE has a small overhead on performance (5 – 8%)
  • 37. Improve your Oracle 12c Database Security Column Encryption vs Tablespace encryption in SGA
  • 38. Improve your Oracle 12c Database Security • Backup / Data export / DR / Replication • Always use encrypted backups with TDE • Always use datapump exports with TDE • TDE is fully compatible with Dataguard (physical and logical) • TDE (column) is supported in Golden Gate 11.1.1.1 and above for databases: • 10.2.0.5 and above, • 11.1.0.7 and above, • 11.2.0.2 and above • TDE (tablespace) is supported in Golden Gate 11.1.1.1 and above for databases: • 11.1.0.7 and above, • 11.2.0.2 and above See : - TDE / TSE Supported Oracle RDBMS Versions for OGG (Doc ID 1341598.1) - Step by Step Guide to Configure GoldenGate Extract in Classic Mode to capture TDE in 11.1.1.1 and up (Doc ID 1451327.1)
  • 39. Improve your Oracle 12c Database Security • Transparent Network Encryption / Check-summing • SQL*Net traffic can be • Encrypted : the network traffic is encrypted • Check-summed : Oracle checks that all the packets which have been transmitted : • Have reached the target in the same order • Have not been altered • Encrypted and Check summed Now available for all editions (>12c)
  • 40. Improve your Oracle 12c Database Security • Transparent Network Encryption / Check-summing • Encryption • Decision to encrypt is taken between client and server • Algorithms available • AES : key length: 256, 192, 128 bits (Strongly recommended) • RC4 : key length: 256, 128, 56, 40 bits • 3DES : 2x56-bit keys (112 bits) to 3x56-bit keys (168 bits) • DES : Key length: 40, 56 bits • Configured in sqlnet.ora (client and server)
  • 41. Improve your Oracle 12c Database Security • tcpdump examples Without network encryption With network encryption
  • 42. Improve your Oracle 12c Database Security • Transparent Network Encryption / Check-summing • Check summing • Decision to checksum is taken between client and server • Hash algorithms available • MD5 • SHA-1 • SHA-2 (SHA256, SHA384, SHA512) • Configured in sqlnet.ora (client and server)
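A server-side sqlnet.ora check for the settings covered above (SQLNET.ALLOWED_LOGON_VERSION_SERVER, network encryption and check-summing), as an added example that is not part of the slides. The SQLNET.ENCRYPTION_* and SQLNET.CRYPTO_CHECKSUM_* parameter names are Oracle's; both sample files are constructed, and flagging every non-AES cipher plus MD5 and SHA1 is this example's policy choice.

```python
from typing import Dict, List, Tuple

# Values whose row in the slide's table still lists DES password hashes.
DES_LOGON_VERSIONS = {"8", "9", "10", "11"}
WEAK_CHECKSUMS = {"MD5", "SHA1"}   # this example's choice: keep only the SHA-2 family

# Constructed sample files (not from the slides).
WEAK_SAMPLE = """\
# legacy settings
SQLNET.ALLOWED_LOGON_VERSION_SERVER = 11
SQLNET.ENCRYPTION_SERVER = requested
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256, RC4_128, 3DES168)
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (MD5)
"""

HARDENED_SAMPLE = """\
SQLNET.ALLOWED_LOGON_VERSION_SERVER = 12a
SQLNET.ENCRYPTION_SERVER = REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)
SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA512)
"""


def parse_sqlnet(text: str) -> Dict[str, List[str]]:
    """Parse single-line NAME = value or NAME = (a, b) entries into {NAME: [VALUES]}, upper-cased."""
    params: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments
        if "=" not in line:
            continue
        name, value = line.split("=", 1)
        items = value.strip().strip("()").split(",")
        params[name.strip().upper()] = [v.strip().upper() for v in items if v.strip()]
    return params


def audit_sqlnet(text: str) -> List[Tuple[str, str]]:
    """Return (parameter, finding) pairs; an empty list means nothing was flagged."""
    params = parse_sqlnet(text)
    findings: List[Tuple[str, str]] = []

    def first(name: str):
        values = params.get(name)
        return values[0] if values else None

    name = "SQLNET.ALLOWED_LOGON_VERSION_SERVER"
    version = first(name)
    if version is None:
        findings.append((name, "not set: the release default decides which hashes are accepted"))
    elif version in DES_LOGON_VERSIONS:
        findings.append((name, f"{version} still allows DES password hashes"))
    elif version == "12":
        findings.append((name, "12 still allows SHA1 password hashes; 12a does not"))

    checks = (
        ("SQLNET.ENCRYPTION_SERVER", "SQLNET.ENCRYPTION_TYPES_SERVER",
         lambda alg: not alg.startswith("AES"), "unencrypted"),
        ("SQLNET.CRYPTO_CHECKSUM_SERVER", "SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER",
         lambda alg: alg in WEAK_CHECKSUMS, "unchecksummed"),
    )
    for mode_name, types_name, is_weak, risk in checks:
        mode = first(mode_name)
        if mode != "REQUIRED":                     # negotiation can end without protection
            findings.append((mode_name, f"{mode or 'not set'}: {risk} sessions can still be negotiated"))
        weak = [alg for alg in params.get(types_name, []) if is_weak(alg)]
        if weak:
            findings.append((types_name, "weak algorithms offered: " + ", ".join(weak)))
    return findings


if __name__ == "__main__":
    for parameter, message in audit_sqlnet(WEAK_SAMPLE):
        print(f"{parameter}: {message}")
```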
  • 43. Improve your Oracle 12c Database Security • Agenda • Introduction • Oracle software and component management •Build the security policy that your data need • Authenticate • Authorize • Encrypt •Audit • Divide and conquer
  • 44. Improve your Oracle 12c Database Security • Audit • Auditing a database is mandatory for a strong security policy • Improving database security without auditing is like an ultra-high-security jail without a watchtower • An audit policy is based on: • WHAT you want to audit • WHERE the audit trail is located • Two types of audit trail • Local: In the database, local OS • Traditional Audit • Unified Audit (12c) • External • Audit Vault
  • 45. Improve your Oracle 12c Database Security • Audit : WHAT to audit ? • Always audited, regardless of whether database auditing is configured : • Connection to the instance with administrator privileges (SYSOPER, SYSDBA, SYSBACKUP, SYSKM, SYSDG, SYSASM) • Database shutdown • Database startup • These produce an audit record file in AUDIT_FILE_DEST OR • An audit record in the OS syslog : • When AUDIT_SYSLOG_LEVEL is configured
  • 46. Improve your Oracle 12c Database Security • Audit : WHAT to audit ? • General (Old) auditing • Uses the AUDIT command • All audit actions are detailed in the AUDIT_ACTIONS table • Audit records are located in the OS or in the AUD$ table (DBA_AUDIT_TRAIL view) • Fine Grained Auditing • Used to minimize false audit records • Based on specific conditions (For example : audit UPDATE statements on the EMPLOYEES table for rows with SALARY > 5000) • Audit records are located in the FGA_AUD$ table (DBA_FGA_AUDIT_TRAIL view)
  • 47. Improve your Oracle 12c Database Security • Unified Auditing • Before 12c … auditing a database could be a complex thing to do • Many audit destinations : OS, DB (AUD$, FGA_AUD$, DVSYS.AUDIT_TRAIL$) • Many formats : Text, XML, extended or not • Many parameters … • Oracle 12c introduces unified auditing • Default : mixed mode, i.e. unified auditing and traditional auditing work together • Pure unified auditing mode : only unified auditing is enabled
  • 48. Improve your Oracle 12c Database Security • Unified Auditing • It unifies: • General Auditing • Fine Grained Auditing • Database Vault Auditing • Data Pump operations audit (expdp, impdp) • Backup/restore operation audit • SQL*Loader in Direct mode • Oracle Label Security • Oracle Data Mining • Based on policies you need to create and enable • Two roles are introduced for separation of duties • AUDIT_ADMIN: Administration and Configuration • AUDIT_VIEWER: View and analyze audit data
  • 49. Improve your Oracle 12c Database Security • Unified Auditing • Pure Unified Auditing is not enabled by default • To enable it, relink the Oracle binary: $ cd $ORACLE_HOME/rdbms/lib $ make -f ins_rdbms.mk uniaud_on ioracle • Banner before relinking: Connected to: Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production With the Partitioning, OLAP, Advanced Analytics and Real Application Testing options • Banner after relinking: Connected to: Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production With the Partitioning, OLAP, Advanced Analytics, Real Application Testing and Unified Auditing options • No OS and DB audit (AUDIT_TRAIL) will be generated (Pure unified auditing)
  • 50. Improve your Oracle 12c Database Security • Unified Auditing • Queued Mode (default) • Size of the queue configured by UNIFIED_AUDIT_SGA_QUEUE_SIZE • A direct mode exists • DBMS_AUDIT_MGMT • SET_AUDIT_TRAIL_PROPERTY to set write mode and other properties • Configuration available in SYS.DAM_CONFIG_PARAM$ • Constants in DBMS_AUDIT_MGMT package definition Source: Oracle
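
The audit mechanisms from slides 46 to 50 put together, as an added example that is not part of the original deck: HR.EMPLOYEES stands in for the slide's EMPLOYEES table, and the policy names and the SEC_ANALYST user are hypothetical.

```sql
-- Assumptions: HR.EMPLOYEES stands in for the slide's EMPLOYEES table;
-- policy names and the SEC_ANALYST user are hypothetical.

-- Is pure unified auditing linked in? TRUE = pure mode, FALSE = mixed mode.
SELECT value FROM v$option WHERE parameter = 'Unified Auditing';

-- Fine Grained Auditing: the slide's condition (UPDATE where SALARY > 5000).
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'EMPLOYEES',
    policy_name     => 'FGA_SALARY_UPD',
    audit_condition => 'SALARY > 5000',
    audit_column    => 'SALARY',
    statement_types => 'UPDATE',
    enable          => TRUE);
END;
/

-- Unified audit policies: DML on the table, and Data Pump exports.
CREATE AUDIT POLICY emp_dml_pol
  ACTIONS UPDATE ON hr.employees, DELETE ON hr.employees;
CREATE AUDIT POLICY dp_export_pol
  ACTIONS COMPONENT = DATAPUMP EXPORT;
AUDIT POLICY emp_dml_pol;
AUDIT POLICY dp_export_pol;

-- Separation of duties: the analyst reads the trail but cannot change policies.
GRANT AUDIT_VIEWER TO sec_analyst;

-- In queued mode, records wait in the SGA queue; flush before reading.
BEGIN
  DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL;
END;
/

-- FGA rows appear here only in pure unified mode;
-- in mixed mode read DBA_FGA_AUDIT_TRAIL instead.
SELECT event_timestamp, dbusername, action_name, object_schema, object_name,
       unified_audit_policies, fga_policy_name
FROM   unified_audit_trail
WHERE  unified_audit_policies LIKE '%EMP_DML_POL%'
   OR  unified_audit_policies LIKE '%DP_EXPORT_POL%'
   OR  fga_policy_name = 'FGA_SALARY_UPD'
ORDER  BY event_timestamp;
```
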
  • 51. Improve your Oracle 12c Database Security • Audit : WHERE is the audit trail located ? • Usually … the audit trail is locally managed (server, database) ➢Not a very good idea ? • Audit Vault gets and stores audit data on a separate server • Audit Vault is combined with Database Firewall for better security Source: Oracle
  • 52. Improve your Oracle 12c Database Security • Agenda • Introduction • Oracle software and component management • Build the security policy that your data need • Authenticate • Authorize • Encrypt • Audit •Divide and conquer
  • 53. Improve your Oracle 12c Database Security • Divide and conquer • Challenges: • DBAs are the most powerful users • They administer • The database : Backup, performance etc. • The security • DBAs have absolute power of life and death over your data !
  • 54. Improve your Oracle 12c Database Security • Divide and conquer … with Database Vault • With realm definitions, it blocks access to protected objects from privileged accounts (SYS for example) Source: Oracle
  • 55. Improve your Oracle 12c Database Security • Divide and conquer … with Database Vault • Oracle 12c introduces mandatory realms • Mandatory realms seal off objects from all access … including the schema owner and privileged users • Access to a mandatory realm is granted specifically • Mandatory realms can be enabled for specific goals: • Maintenance operations • Provide additional checks, including for the object owner • Additional checks can be performed before gaining access to application data Source: Oracle
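
A mandatory realm as described on slides 54 and 55, as an added example that is not part of the original deck: the realm name, the HR.EMPLOYEES table and the HR_APP account are hypothetical, and the block is meant to be run by an account holding the DV_OWNER role.

```sql
-- Hypothetical names: realm 'HR Data Realm', table HR.EMPLOYEES, account HR_APP.
BEGIN
  -- realm_type => 1 makes the realm mandatory: even the schema owner and
  -- users with system privileges are blocked unless explicitly authorized.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR Data Realm',
    description   => 'Seals HR tables from owner and privileged access',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL,  -- audit blocked attempts
    realm_type    => 1);

  -- Put the sensitive table under the realm's protection.
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR Data Realm',
    object_owner => 'HR',
    object_name  => 'EMPLOYEES',
    object_type  => 'TABLE');

  -- Access is granted specifically: only the application account is authorized.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name   => 'HR Data Realm',
    grantee      => 'HR_APP',
    auth_options => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/

-- Check the realm definition and its authorizations.
SELECT name, realm_type, enabled
FROM   dvsys.dba_dv_realm
WHERE  name = 'HR Data Realm';

SELECT realm_name, grantee, auth_options
FROM   dvsys.dba_dv_realm_auth
WHERE  realm_name = 'HR Data Realm';
```
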
  • 56. Improve your Oracle 12c Database Security • Divide and conquer … with Database Vault • Control Database configuration … including for the DBA role Source: Oracle
  • 57. Improve your Oracle 12c Database Security • Divide and conquer … with Database Vault • Installation is now included in DBCA • The security policy still has to be defined • Removing Database Vault is an easy thing to do • But … • Some roles have been modified • Some privileged users have been modified too • Evangelize your users, especially DBAs
  • 58. Improve your Oracle 12c Database Security • Conclusion • Always build the security policy you need ! • Security policies have to be engineered globally (Applications, Application servers, OS, Network etc.) • Your security policies are living things ! • Neglecting your security can be expensive • For your business • For your company • REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.119.01.0001.01.ENG&toc=OJ:L:2016:119:TOC) • Penalties up to 4 % of the total worldwide annual turnover !!