2. Whoami
• Oracle Consultant since 2001
• Former developer (C, Java, perl, PL/SQL)
• Owner@Premiseo: Data Management on Premise and in the Cloud
• Blogger since 2004
• http://laurent.leturgez.free.fr (in French, discontinued)
• http://laurent-leturgez.com
• Twitter : @lleturgez
3. Improve your Oracle 12c Database Security
• Agenda
• Introduction
• Keep your software up to date
• Build the security policy that your data need
• Authenticate
• Authorize
• Encrypt
• Audit
• Divide and conquer
4. Improve your Oracle 12c Database Security
• Agenda
• Introduction
• Oracle software and component management
• Build the security policy that your data need
• Authenticate
• Authorize
• Encrypt
• Audit
• Divide and conquer
5. Improve your Oracle 12c Database Security
• Let’s start with a survey …
• Who really takes care of the security of their databases ?
• How ?
• Patch Management
• Password complexity
• Profile Management
• Encryption
• Backup
6. Improve your Oracle 12c Database Security
• Less used methods
• OS hardening
• Listener hardening
• Code inspection and Code management (SQL Translation Framework)
• Key Management
• Auditing
• Timeout management
• Pen testing
7. Improve your Oracle 12c Database Security
• Why ?
• More attention
• More budget
Your data is the main target of attackers
8. Improve your Oracle 12c Database Security
• Where to place the cursor ?
(Figure: cursor placed between "Less Security" and "More Security")
9. Improve your Oracle 12c Database Security
• Fundamentals
• Build the security policy that your data really need
• Authenticate
• Authorize
• Encrypt
• Audit
• Keep your software up to date
• Evangelize your users
• Divide and conquer
10. Improve your Oracle 12c Database Security
• Agenda
• Introduction
• Oracle software and component management
• Build the security policy that your data need
• Authenticate
• Authorize
• Encrypt
• Audit
• Divide and conquer
11. Improve your Oracle 12c Database Security
• Oracle release management
• Previous releases contain security bugs
• Previous releases (and the oldest ones) are not maintained
• Previous releases use old password hashes
• Previous releases use old Java version in Java VM (if used)
• Oracle software components management
• Install only Oracle components that you really need
• CREATE DATABASE + manual components installation
• DBCA : Use “Custom Database” template and select the components you need
12. Improve your Oracle 12c Database Security
• Patch Management
• Before Oracle 12c, Oracle released Patch updates every 3 months
• Patch Set Updates (PSU) for general issues (ORA-600, performance etc.)
• Security Patch updates (SPU) / Critical Patch Updates (CPU) for security related issues
• Oracle 12c and onwards
• PSU and SPU are merged (PSU)
• PSU are released every 3 months
• Oracle 11.1 to 12c : Oracle JVM Patch Updates
• Patch Updates for Oracle embedded JVM
• Availability : unpacked, packed with DB PSU, DB SPU/CPU, GI PSU
• PSU, CPU/SPU, OJVM patch are available from 8.1.7 to 12.1.0.2
• See : Quick Reference to Patch Numbers for Database PSU, SPU(CPU), Bundle Patches and Patchsets (Doc ID 1454618.1)
Deploy the latest PSU/SPU/OJVM on your databases
13. Improve your Oracle 12c Database Security
• Agenda
• Introduction
• Oracle software and component management
• Build the security policy that your data need
• Authenticate
• Authorize
• Encrypt
• Audit
• Divide and conquer
14. Improve your Oracle 12c Database Security
• Use password verify function
• Oracle 12c implements a new password verify function
• Used to verify password complexity
• By default : only ORA12C_STRONG_VERIFY_FUNCTION is created and available for password verify ($ORACLE_HOME/rdbms/admin/catpvf.sql)
• 9 characters
• 2 upper case
• 2 lower case
• 2 digits
• 2 special characters
• The new password has to differ from the previous password by at least 4 characters.
Based on the Levenshtein distance: the minimum number of single-character edits (insertion, deletion, substitution) required to change one word into the other
15. Improve your Oracle 12c Database Security
• Use password verify function
• Other functions are available in $ORACLE_HOME/rdbms/admin/utlpwdmg.sql
• ORA12C_VERIFY_FUNCTION
• 8 characters long with at least 1 numeric and 1 alphabetic character
• Password cannot be the same as username
• Password cannot be the server name
• Password doesn’t contain “oracle”
• Password cannot be too simple
(welcome1, database1, account1, user1234, password1, oracle123, computer1, abcdefg1, or change_on_install)
• VERIFY_FUNCTION_11G
• VERIFY_FUNCTION
16. Improve your Oracle 12c Database Security
• Profile Management
• User Profiles: Collection of parameters that set limits on database resources
• In 12.1.0.2, 2 profiles
• DEFAULT: for all users
• ORA_STIG_PROFILE: for highly secured profiles
STIG : Security Technical Implementation Guidelines
STIG is a set of rules enhanced by Oracle (https://docs.oracle.com/cd/E24628_01/doc.121/e36074/stig_rules.htm)
17. Improve your Oracle 12c Database Security
• Profile Management
• User Profiles and password verify function are mandatory for better security (Authorization)
• Be careful …
• Exceptions: profiles with no password expiration policy (dbsnmp etc.)
• With application schema users
18. Improve your Oracle 12c Database Security
• Password complexity
• Choose the correct password verifier (New in 12c)
• SQLNET.ALLOWED_LOGON_VERSION_SERVER in sqlnet.ora (server side)
• This parameter sets the minimum authentication protocol allowed when connecting to Oracle Database instances
• It controls:
• Which password hashes are available
• Consequently, which version of the client can connect to the database
• ALLOWED_LOGON_VERSION_SERVER deprecates SEC_CASE_SENSITIVE_LOGON
19. Improve your Oracle 12c Database Security
| SQLNET.ALLOWED_LOGON_VERSION_SERVER | Password Hashes (USER$.PASSWORD, USER$.SPARE4) | Client version allowed |
|---|---|---|
| 12a + ALTER USER IDENTIFIED BY VALUES '<T:SHA2_HASH>' | SHA512 | >=12.1.0.2 (Except for XDB user) |
| 12a | HTML Digest, SHA512 | >= 12.1.0.2 |
| 12 | SHA1, HTML Digest, SHA512 | Clients with CPU Oct 2012 (*) or later or 11.2.0.3 clients with an equivalent update |
| 11 | DES, SHA1, HTML Digest, SHA512 | Clients with 10g and later. (Clients < 11.2.0.3 without CPU Oct 2012 must use 10g password version) |
| 10 | DES, SHA1, HTML Digest, SHA512 | Clients with 10g and later. (Clients < 11.2.0.3 without CPU Oct 2012 must use 10g password version) |
| 9 | DES, SHA1, HTML Digest, SHA512 | >= 9i |
| 8 | DES, SHA1, HTML Digest, SHA512 | >= 8i |

(*) CPU Oct2012 introduces an encrypted session key
More about password hashes : http://www.petefinnigan.com/UKOUG-Conference-Passwords.pdf
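The profile, verify function and password-version points of slides 14 to 19, combined into one added example (not from the original slides). The profile name APP_USER_PROFILE, the user JSMITH and the limit values are assumptions chosen for illustration.

```sql
-- Added example: names and limit values below are hypothetical sample choices.

-- 1. Profile enforcing the strong verify function created by catpvf.sql.
CREATE PROFILE app_user_profile LIMIT
  PASSWORD_VERIFY_FUNCTION ora12c_strong_verify_function
  PASSWORD_LIFE_TIME       90
  PASSWORD_GRACE_TIME      7
  PASSWORD_REUSE_TIME      365
  PASSWORD_REUSE_MAX       10
  FAILED_LOGIN_ATTEMPTS    5
  PASSWORD_LOCK_TIME       1;

ALTER USER jsmith PROFILE app_user_profile;

-- 2. Open accounts whose profile does not name a verify function itself.
--    'NULL' means none; 'DEFAULT' means inherited from the DEFAULT profile,
--    so that profile has to be checked as well.
SELECT u.username, u.profile, p.limit AS verify_function
FROM   dba_users u
JOIN   dba_profiles p
       ON  p.profile       = u.profile
       AND p.resource_name = 'PASSWORD_VERIFY_FUNCTION'
WHERE  u.account_status = 'OPEN'
AND    p.limit IN ('NULL', 'DEFAULT')
ORDER  BY u.username;

-- 3. Before raising SQLNET.ALLOWED_LOGON_VERSION_SERVER to 12 or 12a:
--    find accounts that still carry the DES-based 10G verifier.
SELECT username,
       account_status,
       password_versions,
       CASE
         WHEN TRIM(password_versions) = '10G'
           THEN 'only 10G verifier: reset password before the change'
         ELSE 'has stronger verifier: change password after the change'
       END AS action
FROM   dba_users
WHERE  password_versions LIKE '%10G%'
ORDER  BY username;
```

Accounts reported with only the 10G verifier have no hash that the stricter settings in the table accept, so their passwords need to be reset first.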
20. Improve your Oracle 12c Database Security
• Agenda
• Introduction
• Oracle software and component management
• Build the security policy that your data need
• Authenticate
• Authorize
• Encrypt
• Audit
• Divide and conquer
21. Improve your Oracle 12c Database Security
• A strong authentication policy is not sufficient
• Oracle 12c improves default authorization policies:
• Users with privilege SELECT ANY DICTIONARY lost SELECT privilege on dictionary tables that contain password hashes :
• USER$
• LINK$
• DEFAULT_PWD$
• Oracle tracks the last login date in DBA_USERS.LAST_LOGIN (USER$.SPARE6)
• You can now lock accounts of non-returning users (before dropping them if necessary)
Lock all accounts that aren’t regularly connected to the database
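One way to act on DBA_USERS.LAST_LOGIN, as an added example that is not part of the original slides. The 90-day threshold and the dry-run switch are assumptions; accounts with no recorded login are only reported, since application schema owners may legitimately never connect.

```sql
-- Added example: threshold and dry-run flag are hypothetical policy choices.
SET SERVEROUTPUT ON
DECLARE
  c_max_idle_days CONSTANT PLS_INTEGER := 90;    -- assumed policy threshold
  c_dry_run       CONSTANT BOOLEAN     := TRUE;  -- TRUE = report only, lock nothing
BEGIN
  FOR r IN (
    SELECT username, last_login
    FROM   dba_users
    WHERE  account_status    = 'OPEN'
    AND    oracle_maintained = 'N'               -- skip Oracle-supplied accounts
    AND   (last_login IS NULL
           OR last_login < SYSTIMESTAMP
                           - NUMTODSINTERVAL(c_max_idle_days, 'DAY'))
    ORDER  BY last_login NULLS FIRST
  ) LOOP
    IF r.last_login IS NULL THEN
      -- Never logged in since 12c started tracking: needs a human decision.
      DBMS_OUTPUT.PUT_LINE('REVIEW ' || r.username || ': no login recorded');
    ELSE
      DBMS_OUTPUT.PUT_LINE('STALE  ' || r.username || ': last login '
                           || TO_CHAR(r.last_login, 'YYYY-MM-DD'));
      IF NOT c_dry_run THEN
        -- ENQUOTE_NAME protects the dynamic DDL against odd user names.
        EXECUTE IMMEDIATE 'ALTER USER '
          || DBMS_ASSERT.ENQUOTE_NAME(r.username, FALSE)
          || ' ACCOUNT LOCK';
      END IF;
    END IF;
  END LOOP;
END;
/
```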
22. Improve your Oracle 12c Database Security
• Managing authorization…
• Grant the required privilege/role, and no more !
• Roles are recursive
• Use WITH GRANT OPTION / WITH ADMIN OPTION with care
➢ WITH GRANT OPTION
• Allows privilege grants to be cascaded to other users
• Only for object privileges
➢ WITH ADMIN OPTION
• Allows privilege grants to be cascaded to other users
• Only for system privileges
• Granted users can revoke the privilege from the grantor !!
We all know a developer that needs the DBA role to SELECT ANY TABLE in the Dev Database ! ☺
23. Improve your Oracle 12c Database Security
• Privilege analysis
• New Oracle 12c feature
• Goal:
• Analyze all the privileges used by a user/role
• Grant only privileges that a user/role needs
• Revoke unnecessary privileges
• Increase the security of applications and database operations
• Based on a capture process
25. Improve your Oracle 12c Database Security
• Privilege analysis
• Types of capture
• DBMS_PRIVILEGE_CAPTURE.G_DATABASE
• All privileges are captured, except those of user SYS.
• DBMS_PRIVILEGE_CAPTURE.G_ROLE
• Captures privileges for the sessions that have the roles enabled. (It’s possible to capture many roles at a time)
• DBMS_PRIVILEGE_CAPTURE.G_CONTEXT
• Captures privileges for the sessions for which a condition set with SYS_CONTEXT() evaluates to TRUE
• DBMS_PRIVILEGE_CAPTURE.G_ROLE_AND_CONTEXT:
• Both Context and role capture types
26. Improve your Oracle 12c Database Security
• Privilege analysis : Example DBA role usage analysis for a specific user
-- Create a capture limited to the sessions of user A
BEGIN
  DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
    name      => 'DBA analysis for user A',
    type      => DBMS_PRIVILEGE_CAPTURE.G_CONTEXT,
    condition => 'SYS_CONTEXT(''USERENV'', ''SESSION_USER'')=''A''');
END;
/
EXECUTE DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE('DBA analysis for user A');
-- Run the workload as user A while the capture is enabled
CONNECT A/A
SELECT COUNT(*) FROM HR.EMPLOYEES;
EXPLAIN PLAN FOR UPDATE HR.EMPLOYEES SET SALARY=SALARY*1.1;
-- Stop the capture; GENERATE_RESULT populates the dictionary to analyze results
EXECUTE DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE('DBA analysis for user A');
EXECUTE DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT('DBA analysis for user A');
27. Improve your Oracle 12c Database Security
• Privilege analysis : Example DBA role usage analysis for a specific user
EXECUTE DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT('DBA analysis for user A');
SQL> SELECT USERNAME,SYS_PRIV,USED_ROLE,PATH
2 FROM DBA_USED_SYSPRIVS_PATH
3 WHERE USERNAME = 'A' order by 1,2,3;
USERNAME SYS_PRIV USED_ROLE PATH
-------- ---------------- ---------------- ---------------------------------------------------------------------------
…/…
A SELECT ANY TABLE OLAP_DBA GRANT_PATH('A', 'DBA', 'DATAPUMP_EXP_FULL_DATABASE', 'EXP_FULL_DATABASE')
A SELECT ANY TABLE OLAP_DBA GRANT_PATH('A', 'DBA', 'IMP_FULL_DATABASE')
A SELECT ANY TABLE OLAP_DBA GRANT_PATH('A', 'DBA', 'OLAP_DBA')
A SELECT ANY TABLE OLAP_DBA GRANT_PATH('A', 'DBA', 'DATAPUMP_IMP_FULL_DATABASE', 'EXP_FULL_DATABASE')
…/…
A UPDATE ANY TABLE OLAP_DBA GRANT_PATH('A', 'DBA', 'DATAPUMP_IMP_FULL_DATABASE', 'IMP_FULL_DATABASE')
A UPDATE ANY TABLE OLAP_DBA GRANT_PATH('A', 'DBA')
A UPDATE ANY TABLE OLAP_DBA GRANT_PATH('A', 'DBA', 'IMP_FULL_DATABASE')
A UPDATE ANY TABLE OLAP_DBA GRANT_PATH('A', 'DBA', 'OLAP_DBA')
28. Improve your Oracle 12c Database Security
• Privilege analysis : Example DBA role usage analysis for a specific user
• Other interesting views
• DBA_UNUSED_OBJPRIVS
• DBA_UNUSED_OBJPRIVS_PATH
• DBA_UNUSED_PRIVS
• DBA_UNUSED_SYSPRIVS
• DBA_UNUSED_SYSPRIVS_PATH
• DBA_UNUSED_USERPRIVS
• DBA_UNUSED_USERPRIVS_PATH
• DBA_USED_OBJPRIVS
• DBA_USED_OBJPRIVS_PATH
• DBA_USED_PRIVS
• DBA_USED_PUBPRIVS
• DBA_USED_SYSPRIVS
• DBA_USED_SYSPRIVS_PATH
• DBA_USED_USERPRIVS
• DBA_USED_USERPRIVS_PATH
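Turning the capture from slides 26 and 27 into a least-privilege grant set, as an added example that is not part of the original slides. It assumes the capture 'DBA analysis for user A' has been generated and that the two statements run by A represent everything A needs.

```sql
-- Added example: run as a user holding the CAPTURE_ADMIN role.

-- 1. What A really exercised through the DBA role, and on which objects.
SELECT DISTINCT sys_priv, obj_priv, object_owner, object_name, object_type
FROM   dba_used_privs
WHERE  capture  = 'DBA analysis for user A'
AND    username = 'A'
ORDER  BY object_owner, object_name, sys_priv;

-- 2. System privileges reachable by A that were never used during the
--    capture window, with the number of grant paths leading to each.
SELECT username, sys_priv, COUNT(*) AS grant_paths
FROM   dba_unused_sysprivs_path
WHERE  capture = 'DBA analysis for user A'
GROUP  BY username, sys_priv
ORDER  BY grant_paths DESC, sys_priv;

-- 3. Replace the broad role by the narrow grants the capture justifies.
--    Here: the SELECT and UPDATE on HR.EMPLOYEES seen on slide 26.
--    Grant first, revoke second, so A never loses access in between.
GRANT CREATE SESSION TO a;
GRANT SELECT, UPDATE ON hr.employees TO a;
REVOKE dba FROM a;

-- 4. Drop the (already disabled) capture once its results are archived.
EXECUTE DBMS_PRIVILEGE_CAPTURE.DROP_CAPTURE('DBA analysis for user A');
```

A capture only sees what ran while it was enabled, so keep it enabled across a full business cycle before revoking anything listed as unused.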
29. Improve your Oracle 12c Database Security
• Agenda
• Introduction
• Oracle software and component management
• Build the security policy that your data need
• Authenticate
• Authorize
• Encrypt
• Audit
• Divide and conquer
31. Improve your Oracle 12c Database Security
• Encryption with TDE : Key Management
• TDE is a two-level encryption key architecture
• Master key
• Stored externally in a Wallet or HSM
• The Master key encrypts/decrypts secondary keys
• Secondary keys
• Stored internally in the dictionary (column encryption) or in datafile header (tablespace encryption)
• Secondary keys encrypt/decrypt column and tablespaces contents
32. Improve your Oracle 12c Database Security
• Encryption with TDE
• Need to have a Keystore (location declared in sqlnet.ora)
• Keystore can be
• A wallet stored in a file (Wallet). It can be located on ASM.
• A Hardware Security Module (HSM)
• Keystore Creation:
SQL> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/var/opt/oracle' identified by encryptedWallet123;
keystore altered.
SQL> !ls /var/opt/oracle
ewallet.p12
33. Improve your Oracle 12c Database Security
• Encryption with TDE
• Open the Keystore before TDE master key creation or access
SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY encryptedWallet123;
keystore altered.
SQL> SELECT * from V$ENCRYPTION_WALLET;
WRL_TYPE WRL_PARAMETER STATUS WALLET_TYPE WALLET_OR FULLY_BAC CON_ID
-------- ----------------- ------------------ ----------- --------- --------- ----------
FILE /var/opt/oracle/ OPEN_NO_MASTER_KEY PASSWORD SINGLE UNDEFINED 0
34. Improve your Oracle 12c Database Security
• Encryption with TDE
• Master Key Creation
SQL> ADMINISTER KEY MANAGEMENT SET KEY USING TAG 'Laurent_key' IDENTIFIED BY encryptedWallet123
2 WITH BACKUP USING 'myBackup';
keystore altered.
SQL> !ls -l /var/opt/oracle
total 8
-rw-r--r-- 1 oracle oinstall 2400 Apr 19 11:48 ewallet_2016041909483023_myBackup.p12
-rw-r--r-- 1 oracle oinstall 4024 Apr 19 11:48 ewallet.p12
35. Improve your Oracle 12c Database Security
• Encryption with TDE
• Creating encrypted table
• Available algorithms : 3DES168, AES128, AES192 (default), AES256
• A Salt is added by default for plain text. NO SALT has to be used for indexed columns
• Creating encrypted tablespace
• Available algorithms : 3DES168, AES128 (default), AES192, AES256
• A Salt is added by default for plain text
SQL> create table laurent.t(id number, v varchar2(20) encrypt using 'AES256') tablespace users;
Table created.
SQL> create tablespace testtbs datafile '/u02/oradata/orcl/testtbs01.dbf' size 10M
2 encryption using 'AES256'
3 default storage (encrypt);
Tablespace created.
36. Improve your Oracle 12c Database Security
• Encryption with TDE
• Encrypted columns are encrypted/decrypted at SQL level
• Data is kept encrypted in the SGA
• Encrypted tablespaces are encrypted/decrypted by Server Process/DBWn
• Data is not encrypted in SGA
• Using TDE has a small overhead on performance (5 – 8%)
37. Improve your Oracle 12c Database Security
Column Encryption vs Tablespace encryption in SGA
38. Improve your Oracle 12c Database Security
• Backup / Data export / DR / Replication
• Always use encrypted backups with TDE
• Always use datapump exports with TDE
• TDE is fully compatible with Dataguard (physical and logical)
• TDE (column) is supported in Golden Gate 11.1.1.1 and above for databases:
• 10.2.0.5 and above,
• 11.1.0.7 and above,
• 11.2.0.2 and above
• TDE (tablespace) is supported in Golden Gate 11.1.1.1 and above for databases:
• 11.1.0.7 and above,
• 11.2.0.2 and above
See :
- TDE / TSE Supported Oracle RDBMS Versions for OGG (Doc ID 1341598.1)
- Step by Step Guide to Configure GoldenGate Extract in Classic Mode to capture TDE in 11.1.1.1 and up (Doc ID 1451327.1)
39. Improve your Oracle 12c Database Security
• Transparent Network Encryption / Check-summing
• SQL*Net traffic can be
• Encrypted : the network traffic is encrypted
• Check-summed : Oracle checks that all the packets which have been transmitted :
• Have reached the target in the same order
• Have not been altered
• Encrypted and check-summed
Now available for all editions (>12c)
40. Improve your Oracle 12c Database Security
• Transparent Network Encryption / Check-summing
• Encryption
• Decision to encrypt is taken between client and server
• Algorithms available
• AES : key length: 256, 192, 128 bits (Strongly recommended)
• RC4 : key length: 256, 128, 56, 40 bits
• 3DES : 2x56-bit keys (112 bits) to 3x56-bit keys (168 bits)
• DES : Key length: 40, 56 bits
• Configured in sqlnet.ora (client and server)
41. Improve your Oracle 12c Database Security
• tcpdump examples
(Figure: tcpdump captures, without network encryption vs. with network encryption)
42. Improve your Oracle 12c Database Security
• Transparent Network Encryption / Check-summing
• Check summing
• Decision to checksum is taken between client and server
• Hash algorithms available
• MD5
• SHA-1
• SHA-2 (SHA256, SHA384, SHA512)
• Configured in sqlnet.ora (client and server)
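A check of what each session actually negotiated, as an added example that is not part of the original slides. The sqlnet.ora values in the comments are one possible server-side choice, and the banner wording matched by the query is an assumption to confirm on your platform.

```sql
-- Added example. Server-side sqlnet.ora assumed for this check:
--   SQLNET.ENCRYPTION_SERVER            = REQUIRED
--   SQLNET.ENCRYPTION_TYPES_SERVER      = (AES256, AES192, AES128)
--   SQLNET.CRYPTO_CHECKSUM_SERVER       = REQUIRED
--   SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA256)
-- With REQUIRED on the server, a client that cannot negotiate one of the
-- listed algorithms is refused instead of falling back to clear text.
-- If both sides keep the default (ACCEPTED), nothing is encrypted.

-- One row per user session with the negotiated encryption and checksum
-- services. Assumption: an active service appears as a banner line that
-- contains "service adapter"; a NULL column means it was not negotiated
-- (this includes local bequeath connections).
SELECT s.sid,
       s.username,
       s.machine,
       MAX(CASE
             WHEN LOWER(i.network_service_banner)
                  LIKE '%encryption service adapter%'
             THEN i.network_service_banner
           END) AS encryption,
       MAX(CASE
             WHEN LOWER(i.network_service_banner)
                  LIKE '%crypto-checksumming service adapter%'
             THEN i.network_service_banner
           END) AS checksum
FROM   v$session s
JOIN   v$session_connect_info i
       ON  i.sid     = s.sid
       AND i.serial# = s.serial#
WHERE  s.type = 'USER'
GROUP  BY s.sid, s.username, s.machine
ORDER  BY encryption NULLS FIRST, s.username;
```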
43. Improve your Oracle 12c Database Security
• Agenda
• Introduction
• Oracle software and component management
• Build the security policy that your data need
• Authenticate
• Authorize
• Encrypt
• Audit
• Divide and conquer
44. Improve your Oracle 12c Database Security
• Audit
• Auditing a database is mandatory for a strong security policy
• Improving database security without auditing is like an ultra-high-security jail without a watchtower
• An audit policy is based on :
• WHAT you want to audit
• WHERE the audit trail is located
• Two types of audit trail
• Local: In the database, local OS
• Traditional Audit
• Unified Audit (12c)
• External
• Audit Vault
45. Improve your Oracle 12c Database Security
• Audit : WHAT to audit ?
• Regardless of whether database auditing is configured :
• Connection to the instance with administrator privileges (SYSOPER, SYSDBA, SYSBACKUP, SYSKM, SYSDG, SYSASM)
• Database shutdown
• Database startup
• Produce an audit record file in AUDIT_FILE_DEST
OR
• Produce an audit record in OS syslog :
• AUDIT_SYSLOG_LEVEL configured
46. Improve your Oracle 12c Database Security
• Audit : WHAT to audit ?
• General (Old) auditing
• Use of AUDIT command
• All audit actions are detailed in AUDIT_ACTIONS table
• Audit records are located in the OS or AUD$ table (DBA_AUDIT_TRAIL view)
• Fine Grained Auditing
• Used to minimize false audit records
• Based on specific conditions (For example : Audit update statement on EMPLOYEES table for lines with SALARY > 5000)
• Audit records are located in FGA_AUD$ table (DBA_FGA_AUDIT_TRAIL view)
47. Improve your Oracle 12c Database Security
• Unified Auditing
• Before 12c … auditing a database can be a complex thing to do
• Many audit destinations : OS, DB (AUD$, FGA_AUD$, DVSYS.AUDIT_TRAIL$)
• Many formats: Text, XML, extended or not
• Many parameters
…
• Oracle 12c introduces unified auditing
• Default : mixed mode, i.e. unified auditing and traditional auditing work together
• Pure unified auditing mode : only unified auditing is enabled
48. Improve your Oracle 12c Database Security
• Unified Auditing
• It unifies:
• General Auditing
• Fine Grained Auditing
• Database Vault Auditing
• Datapump operations audit (expdp, impdp)
• Backup/restore operation audit
• SQL*Loader in Direct mode
• Oracle Label Security
• Oracle DataMining
• Based on policies you need to create and enable
• Two roles are introduced for separation of duties
• AUDIT_ADMIN: Administration and Configuration
• AUDIT_VIEWER: View and analyze audit data
49. Improve your Oracle 12c Database Security
• Unified Auditing
• Pure Unified Auditing is not enabled by default
$ cd $ORACLE_HOME/rdbms/lib
$ make -f ins_rdbms.mk uniaud_on ioracle
Banner before relinking:
Connected to:
Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production
With the Partitioning, OLAP, Advanced Analytics and Real Application Testing options
Banner after relinking:
Connected to:
Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production
With the Partitioning, OLAP, Advanced Analytics, Real Application Testing and Unified Auditing options
No OS and DB audit (AUDIT_TRAIL) will be generated (Pure unified auditing)
50. Improve your Oracle 12c Database Security
• Unified Auditing
• Queued Mode (default)
• Size of the queue configured by UNIFIED_AUDIT_SGA_QUEUE_SIZE
• A direct mode exists
• DBMS_AUDIT_MGMT
• SET_AUDIT_TRAIL_PROPERTY to set write mode and other properties
• Configuration available in SYS.DAM_CONFIG_PARAM$
• Constants in DBMS_AUDIT_MGMT package definition
Source: Oracle
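The fine-grained condition from slide 46 and the unified auditing points of slides 47 to 50, as one added example that is not part of the original slides. The policy names and the excluded account HR_APP are assumptions; creating policies needs AUDIT_ADMIN and reading the trail needs AUDIT_VIEWER.

```sql
-- Added example: policy names and the HR_APP account are hypothetical.

-- Mixed mode or pure unified auditing? TRUE = pure, FALSE = mixed.
SELECT value FROM v$option WHERE parameter = 'Unified Auditing';

-- Fine-grained policy for the slide 46 case: UPDATE on EMPLOYEES, SALARY > 5000.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'EMPLOYEES',
    policy_name     => 'EMP_HIGH_SALARY_UPD',
    audit_condition => 'SALARY > 5000',
    audit_column    => 'SALARY',
    statement_types => 'UPDATE',
    enable          => TRUE);
END;
/

-- Unified policies: DML on the table by anyone except the application
-- account, plus any use of the broad ANY TABLE system privileges.
CREATE AUDIT POLICY hr_emp_dml_pol
  ACTIONS UPDATE ON hr.employees, DELETE ON hr.employees;
AUDIT POLICY hr_emp_dml_pol EXCEPT hr_app;

CREATE AUDIT POLICY any_table_priv_pol
  PRIVILEGES SELECT ANY TABLE, UPDATE ANY TABLE;
AUDIT POLICY any_table_priv_pol;

-- Queued mode keeps records in an SGA queue, so recent ones can be lost on
-- an instance crash. Switch to immediate (direct) write where that matters.
BEGIN
  DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_PROPERTY(
    audit_trail_type           => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
    audit_trail_property       => DBMS_AUDIT_MGMT.AUDIT_TRAIL_WRITE_MODE,
    audit_trail_property_value => DBMS_AUDIT_MGMT.AUDIT_TRAIL_IMMEDIATE_WRITE);
END;
/

-- In queued mode, flush the queue before reading the trail.
EXECUTE DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL;

-- Last day of records. In pure mode the FGA records land here too
-- (FGA_POLICY_NAME is set); in mixed mode read DBA_FGA_AUDIT_TRAIL for them.
SELECT event_timestamp, dbusername, action_name,
       object_schema, object_name,
       unified_audit_policies, fga_policy_name, sql_text
FROM   unified_audit_trail
WHERE  event_timestamp > SYSTIMESTAMP - INTERVAL '1' DAY
ORDER  BY event_timestamp;
```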
51. Improve your Oracle 12c Database Security
• Audit : WHERE is the audit trail located ?
• Usually … audit trail is locally managed (server, database)
➢ Not a very good idea ?
• Audit Vault collects audit data and stores it on a separate server
• Audit Vault is combined with Database Firewall for better security
Source: Oracle
52. Improve your Oracle 12c Database Security
• Agenda
• Introduction
• Oracle software and component management
• Build the security policy that your data need
• Authenticate
• Authorize
• Encrypt
• Audit
• Divide and conquer
53. Improve your Oracle 12c Database Security
• Divide and conquer
• Challenges:
• DBAs are the most powerful users
• They administer
• The database : Backup, performance etc.
• The security
• DBAs have absolute power of life and death over your data !
54. Improve your Oracle 12c Database Security
• Divide and conquer … with Database Vault
• With realms definition, it blocks access to protected objects from privileged accounts (SYS for example)
Source: Oracle
55. Improve your Oracle 12c Database Security
• Divide and conquer … with Database Vault
• Oracle 12c introduces mandatory realms
• Mandatory realms seal off objects from all access … including the schema owner and privileged users
• Mandatory realms access is granted specifically
• Mandatory realms can be enabled for specific goals:
• Maintenance operations
• Provide additional check including for object owner
• Additional checks can be performed before gaining access to application data
Source: Oracle
56. Improve your Oracle 12c Database Security
• Divide and conquer … with Database Vault
• Control Database configuration … including for the DBA role
Source: Oracle
57. Improve your Oracle 12c Database Security
• Divide and conquer … with Database Vault
Installation is now included in DBCA
The security policy has to be defined
Removing DBVault is an easy thing to do
But …
• Some roles have been modified
• Some privileged users have been modified too.
Evangelize your users, especially DBAs
58. Improve your Oracle 12c Database Security
• Conclusion
• Always build the security policy you need !
• Security policies have to be engineered globally (Applications, Application servers, OS, Network etc.)
• Your security policies are living things !
• Neglecting your security can be expensive
• For your business
• For your company
REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC
(http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.119.01.0001.01.ENG&toc=OJ:L:2016:119:TOC)
Penalties up to 4 % of the total worldwide annual turnover !!