This document discusses administering user security in an Oracle database. It covers how to create and manage database user accounts, including authenticating users and assigning privileges. It also covers creating and managing roles to simplify privilege management, and creating profiles to implement password security and control resource usage. Profiles allow enforcing standards for password complexity, aging, locking accounts, and limiting resource consumption. The document stresses applying the principle of least privilege and separating administrative duties for security.
Oracle security 08: Oracle network security (Zhaoyang Wang)
The document discusses securing Oracle Network services. It provides checklists and procedures for securing clients, the network, and the listener. It recommends configuring clients and browsers with authentication and encryption. It also recommends restricting network access through firewalls and IP address validation. For the listener, it suggests restricting privileges, password protecting administration, and monitoring logs to analyze activity and potential attacks. The goal is to describe how to securely administer the network and listener to restrict access and analyze logs for security.
10 Deadly Sins of SQL Server Configuration - AppSec California 2015 (Scott Sutherland)
This presentation will cover 10 common weak SQL Server configurations and the practical attacks that help hackers gain unauthorized access to data, applications, and systems. This will include a few demonstrations of the techniques that are being used during real-world attacks and penetration tests. This should be interesting to developers, new database admins, and aspiring penetration testers looking to gain a better understanding of the risks associated with weak SQL Server configurations.
Full Video Presentation: http://youtu.be/SIeMz6gCK3Q
2017 Secure360 - Hacking SQL Server on Scale with PowerShell (Scott Sutherland)
The document discusses hacking SQL Server at scale using PowerShell. It provides an overview of PowerUpSQL, an open source PowerShell toolkit for SQL Server discovery, auditing, and privilege escalation. Key sections include SQL Server discovery techniques using PowerUpSQL, methods for escalating privileges such as from a domain user to SQL login or SQL login to sysadmin, and post-exploitation activities like impersonation. The presentation emphasizes the benefits of using PowerShell for SQL attacks including avoiding detection by running commands in memory and leveraging existing trusted tools.
PowerUpSQL - 2018 Blackhat USA Arsenal Presentation (Scott Sutherland)
This is the presentation we provided at the 2018 Blackhat USA Arsenal to introduce PowerUpSQL. PowerUpSQL includes functions that support SQL Server discovery, weak configuration auditing, privilege escalation at scale, and post-exploitation actions such as OS command execution. It is intended to be used during internal penetration tests and red team engagements. However, PowerUpSQL also includes many functions that administrators can use to quickly inventory the SQL Servers in their Active Directory domain and perform common threat hunting tasks related to SQL Server. This should be interesting to red, blue, and purple teams interested in automating day-to-day tasks involving SQL Server.
More information can be found at:
https://github.com/NetSPI/PowerUpSQL/wiki
SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012 (Scott Sutherland)
During this presentation attendees will be introduced to lesser known, yet significant vulnerabilities in SQL Server implementations related to common trust relationships, misconfigurations, and weak default settings. The issues that will be covered are often leveraged by attackers to gain unauthorized access to high value systems, applications, and sensitive data. An overview of each issue, common vectors of attack, and manual techniques will be covered. Finally, newly created Metasploit modules and TSQL scripts will be demonstrated that help automate the attacks. This presentation will be valuable to penetration testers who are looking for faster ways to gain access to critical data and systems. Additionally, it should be worthwhile for developers and database administrators who are interested in gaining a better understanding of how to protect their applications and databases from these attacks.
More security blogs by the authors can be found @
https://www.netspi.com/blog/
Helpful Juniper Tips and Tricks for New Network Engineers (Lizbeth E. Melendez)
These Juniper commands will help new engineers learn how to configure and troubleshoot a network much quicker and more efficiently.
Secure360 - Beyond xp_cmdshell - Owning the Empire through SQL Server (Scott Sutherland)
During this presentation, we’ll cover interesting techniques for executing operating system commands through SQL Server that can be used to avoid detection and maintain persistence during red team engagements. We’ll also talk about automating attacks through PowerShell Empire and PowerUpSQL. This will include a review of command execution through custom extended stored procedures, CLR assemblies, WMI providers, R scripts, python scripts, agent jobs, and custom ole objects. We’ll also dig into some new integrations with PowerShell Empire. All code and slide decks will be released during the presentation. This should be interesting to blue teamers looking for a faster way to test their detective control capabilities and red teamers looking for a practical way to avoid detection while trying to maintain access to their target environments.
DerbyCon2016 - Hacking SQL Server on Scale with PowerShell (Scott Sutherland)
This presentation will provide an overview of common SQL Server discovery, privilege escalation, persistence, and data targeting techniques. Techniques will be shared for escalating privileges on SQL Server and associated Active Directory domains. Finally we'll show how PowerShell automation can be used to execute the SQL Server attacks at scale. All scripts created and demonstrated during the presentation will be open sourced. This should be useful to penetration testers and system administrators trying to gain a better understanding of their SQL Server attack surface and how it can be exploited.
This document discusses SQL injection attacks and how to mitigate them. It begins by defining injection attacks as tricks that cause an application to unintentionally include commands in user-submitted data. It then explains how SQL injection works by having the attacker submit malicious SQL code in a web form. The document outlines several examples of SQL injection attacks, such as unauthorized access, database modification, and denial of service. It discusses techniques for finding and exploiting SQL injection vulnerabilities. Finally, it recommends effective mitigation strategies like prepared statements and input whitelisting to protect against SQL injection attacks.
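The vulnerable pattern and the two mitigations named in that summary (prepared statements and input whitelisting), side by side. This is an added example written for this page, not code from the summarized document; it runs against an in-memory SQLite database with constructed sample users, and the table layout, usernames and the `login_*` function names are this example's own. Passwords are stored in clear text only to keep the injection visible; a real login table stores salted hashes.

```python
import re
import sqlite3

# Constructed sample data for the demo; not from any real system.
SAMPLE_USERS = [("alice", "s3cret-pw"), ("bob", "hunter2")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Deliberately vulnerable: attacker-controlled text becomes part of the
    # statement. A password of  ' OR '1'='1  turns the WHERE clause into a
    # tautology; a username of  alice' --  comments out the password check.
    query = ("SELECT username FROM users WHERE username = '%s' "
             "AND password = '%s'" % (username, password))
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Prepared statement: the driver sends the values separately from the
    # statement text, so quote characters in the payload are only data.
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


# Whitelist for the username field: lowercase start, then [a-z0-9_], max 32.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{0,31}$")


def login_safe_with_allowlist(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Input whitelisting rejects anything outside the expected character set
    # before a query is built. Defence in depth on top of binding, not instead of it.
    if not USERNAME_RE.match(username):
        return False
    return login_safe(conn, username, password)


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"
    print("vulnerable, tautology payload:", login_vulnerable(db, "alice", tautology))
    print("vulnerable, comment payload:  ", login_vulnerable(db, "alice' --", "x"))
    print("bound parameters:             ", login_safe(db, "alice", tautology))
    print("bound + allow-list:           ", login_safe_with_allowlist(db, "alice' --", "x"))
    print("legitimate login:             ", login_safe_with_allowlist(db, "bob", "hunter2"))
```

The first two calls succeed without a valid password; the bound versions return False for the same payloads and True only for a real credential.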
This document provides an overview and demonstration of using open source tools for security information and event management (SIEM). It begins with an introduction to SIEM and the ELK stack (Elasticsearch, Logstash, Kibana) for data aggregation, correlation, alerting and dashboards. The document demonstrates using Logstash to parse Apache logs and load them into Elasticsearch. It also discusses clustering and sizing requirements. Finally, it introduces Wazuh as an open source SIEM solution built on OSSEC and the ELK stack.
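The Logstash step described in that summary, written out in plain Python so the parsing and a simple correlation rule can be seen without standing up the ELK stack. This is an added example for this page, not material from the summarized document: the regex follows the field layout of Logstash's COMBINEDAPACHELOG grok pattern, the log lines are constructed rather than captured, and the alert threshold is an arbitrary choice for the demo.

```python
import re
from collections import Counter
from datetime import datetime

# Apache combined log format; field names mirror the COMBINEDAPACHELOG grok pattern.
COMBINED_RE = re.compile(
    r'^(?P<clientip>\S+) (?P<ident>\S+) (?P<auth>\S+) \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<verb>\S+) (?P<request>\S+)(?: (?P<httpversion>HTTP/[\d.]+))?" '
    r'(?P<response>\d{3}) (?P<bytes>\d+|-)'
    r'(?: "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)")?$'
)

# Constructed sample lines (not from a real server); the last one is deliberately malformed.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.1"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.1"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.1"
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "POST /login HTTP/1.1" 403 512 "-" "curl/8.1"
198.51.100.2 - - [10/Oct/2023:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2023:13:56:02 +0000] "GET /admin HTTP/1.1" 403 199 "-" "Mozilla/5.0"
garbage line that does not match the format
"""


def parse_line(line: str):
    """Turn one log line into an event dict (as Logstash would), or None if it does not match."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["response"] = int(ev["response"])
    ev["bytes"] = 0 if ev["bytes"] == "-" else int(ev["bytes"])
    # Same job as the Logstash date filter: a real timestamp, not the string.
    ev["@timestamp"] = datetime.strptime(ev.pop("timestamp"), "%d/%b/%Y:%H:%M:%S %z")
    return ev


def parse_log(text: str):
    """Parse every line; count lines that fail (Logstash tags these _grokparsefailure)."""
    events, unparsed = [], 0
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            unparsed += 1
        else:
            events.append(ev)
    return events, unparsed


def auth_failure_alerts(events, threshold: int = 3):
    """Correlation rule: client IPs with more than `threshold` 401/403 responses."""
    counts = Counter(ev["clientip"] for ev in events if ev["response"] in (401, 403))
    return {ip: n for ip, n in counts.items() if n > threshold}


if __name__ == "__main__":
    events, bad = parse_log(SAMPLE_LOG)
    print(f"parsed {len(events)} events, {bad} unparsed")
    for ip, n in auth_failure_alerts(events).items():
        print(f"ALERT: {ip} produced {n} authentication failures")
```

Anything that `parse_line` rejects should be kept and counted rather than dropped silently; a rising parse-failure rate is itself a signal that a log format changed or that someone is writing junk into the log.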
This document discusses securing Hadoop clusters with OSSEC host-based intrusion detection. It provides an overview of OSSEC and how to configure it to monitor Hadoop and HBase logs. Specific steps are outlined to configure file integrity checking, select logs to monitor, add decoders and rules to generate alerts for security events like unauthorized access attempts. Sending alerts to Splunk for further analysis is also recommended for security event monitoring and trend analysis.
Palo Alto Networks Next-Gen Firewall PAN-OS 5.0 integration guide with Cisco Secure ACS 4 using VSA attributes. The second section covers integrating YubiKey with the Palo Alto Networks firewall.
Is your data secured? Are you a victim of SQL injection? You'll discover some commonly overlooked practices in securing your SQL Server databases. Learn about physical security, passwords, privileges and roles, and preventative best practices. I'll demonstrate auditing and we will take a quick look at some .NET code samples to use in your applications. Get up to speed on the new security features in "Denali", the next version of SQL Server. Take away the 20/20 vision to identify SQL injection and other database vulnerabilities and how to prevent them.
This document provides an overview of security and auditing in SQL Server 2008 R2. It discusses SQL Server security concepts like principals, securables and permissions. It also covers protecting the server and database scope through authentication methods, roles, logins and permissions. The document reviews keys, certificates and transparent data encryption. It concludes with an introduction to auditing security in SQL Server through tools like SQL Server Profiler, DDL triggers and the SQL Server Audit feature.
Oracle Audit Vault allows monitoring of auditing information from multiple databases in a single centralized location. The key steps to implement Oracle Audit Vault are:
1. Download the Audit Vault software and install it on a server.
2. Register databases as hosts and deploy agents to these databases to capture and send audit records.
3. Configure audit settings in the databases to define what activities to audit.
4. Access the Audit Vault console to view reports, alerts, and retrieve audit records from registered databases.
Cloud Security Hardening and cloud security auditing with Scout Suite (OWASP Kyiv)
This document discusses using ScoutSuite to audit cloud security in AWS. It provides instructions for installing and running ScoutSuite against an AWS account to check for common misconfigurations. The document concludes with recommendations for quick wins like restricting security groups and enabling encryption, as well as longer-term work such as enabling CloudTrail logging and meeting PCI DSS requirements.
The document discusses various methods for hardening Linux security, including securing physical and remote access, addressing top vulnerabilities like weak passwords and open ports, implementing security policies, setting BIOS passwords, password protecting GRUB, choosing strong passwords, securing the root account, disabling console programs, using TCP wrappers, protecting against SYN floods, configuring SSH securely, hardening sysctl.conf settings, leveraging open source tools like Mod_Dosevasive, Fail2ban, Shorewall, and implementing security at the policy level with Shorewall.
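One concrete piece of the hardening list above, the sysctl.conf settings, as an audit script. This is an added example for this page, not part of the summarized document. It parses the `key = value` format used by /etc/sysctl.conf and by `sysctl -a` output, and compares it with a baseline; the baseline values are this example's own selection of commonly recommended settings (the summary does not list specific keys), and the sample configuration file is constructed.

```python
# Baseline: key -> required value. Constructed for this example; tune per host role
# (a router, for instance, legitimately needs ip_forward = 1).
HARDENED_BASELINE = {
    "net.ipv4.tcp_syncookies": "1",             # SYN cookies: SYN flood mitigation
    "net.ipv4.conf.all.rp_filter": "1",         # reverse-path filtering against spoofed sources
    "net.ipv4.conf.all.accept_redirects": "0",  # ignore ICMP redirects
    "net.ipv4.conf.all.send_redirects": "0",
    "net.ipv4.conf.all.accept_source_route": "0",
    "net.ipv4.ip_forward": "0",                 # not a router
    "net.ipv4.icmp_echo_ignore_broadcasts": "1",
    "kernel.randomize_va_space": "2",           # full ASLR
    "kernel.kptr_restrict": "1",                # hide kernel pointers from unprivileged users
    "fs.protected_symlinks": "1",
}

# Constructed sample /etc/sysctl.conf; mixes spacing styles and comment markers on purpose.
SAMPLE_SYSCTL_CONF = """\
# /etc/sysctl.conf (constructed sample)
net.ipv4.tcp_syncookies = 1
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects=0
kernel.randomize_va_space = 0
; kernel.kptr_restrict is set elsewhere
"""


def parse_sysctl(text: str) -> dict:
    """Parse sysctl.conf / `sysctl -a` text into {key: value}; '#' and ';' start comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = value
    return settings


def audit_sysctl(settings: dict, baseline: dict = HARDENED_BASELINE) -> dict:
    """Return {key: (actual_or_None, required)} for every key missing or off-baseline."""
    findings = {}
    for key, required in baseline.items():
        actual = settings.get(key)
        if actual != required:
            findings[key] = (actual, required)
    return findings


if __name__ == "__main__":
    current = parse_sysctl(SAMPLE_SYSCTL_CONF)
    for key, (actual, required) in sorted(audit_sysctl(current).items()):
        state = "MISSING" if actual is None else f"is {actual}"
        print(f"{key}: {state}, want {required}")
```

Run it against `sysctl -a` output rather than the config file when you want the live kernel state; a value that is correct in the file but absent from the running kernel (a typo in the key, a later file in /etc/sysctl.d overriding it) shows up only that way.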
This document provides an agenda for hardening Windows 2003 web servers. It covers various topics including physical security, OS installation, account policies, local policies, services configuration, user accounts, IP policies, permissions, hardening IIS, and additional hardening techniques. The goal is to create a secure environment and maintain security by configuring the OS, services, user accounts, permissions and IIS according to security best practices.
This document provides a summary of key Volatility plugins and memory analysis steps. It outlines plugins for identifying rogue processes, analyzing process DLLs and handles, reviewing network artifacts, checking for code injection evidence, looking for rootkit signs, and dumping suspicious processes/drivers. The document also provides information on memory acquisition, converting hibernation files and dumps, artifact timelining, and registry analysis plugins.
Audit Vault Database Firewall 12.2.0.1.0 installation (Pinto Das)
This document outlines the steps to install an Audit Vault server and Database Firewall server on two separate VMs. It describes creating the VMs, configuring memory, storage, and network settings, and starting the installation processes. The Audit Vault installation initially failed due to insufficient hard drive space but succeeded after allocating a 200GB drive. Both memory tests passed and installations began on the VMs.
The document provides steps to install Microsoft SQL Server on Linux. It begins with downloading the repository configuration file and then running commands to install SQL Server. The SQL Server service is then started and its status is checked. Issues are encountered when trying to install the SQL Server tools due to conflicts with the unixODBC package. Workarounds are demonstrated to address the issue by removing unixODBC and importing an additional key.
Install Oracle Database 12c software on Windows (Biju Thomas)
Install Oracle Database 12c software on Windows by reviewing system requirements and installation instructions on Oracle's website. Download the software from Oracle Technet and unzip the files to the current folder. Run the setup file and click the "?" icon or "Help" button if any questions arise during installation. The installation will complete and create top level folders under the Start menu. Example databases can then be installed by running scripts located in the %ORACLE_HOME%\demo\schema folder.
This document discusses using deep neural networks to profile malicious users based on log data. It proposes moving from rule-based detection to AI-based detection using machine learning models like CNNs. The CNN model is trained on process lists from honeypot VMs to learn patterns distinguishing malicious from benign activity. It represents processes as embeddings to handle new/random names. When trained on Linux audit logs, the CNN can identify suspicious sequences of events that single-event detectors may miss. Overall, the approach aims to better detect attacks by leveraging AI to find complex patterns in log data.
Trusted Extensions is an extension of the Solaris 10 security foundation that provides access control policies based on the sensitivity/label of objects. It adds additional software packages and label-aware services to implement multilevel security on a standard Solaris 10 system according to government security standards. Trusted Extensions allows selective access to objects like files, processes, and network services based on sensitivity labels.
Oracle Berkeley DB is Oracle's open source, embeddable database designed for devices, appliances and applications. It provides low latency and high throughput storage with reliability and scalability. Berkeley DB 11gR2 offers the performance and features of a key-value store with the transactional capabilities of SQLite in a small footprint package requiring no administration. Customers across various industries have adopted Berkeley DB for its benefits over flat files such as better performance, reliability and reduced development costs.
This document provides an overview of PL/SQL subprograms, including anonymous blocks, stored PL/SQL units like procedures and functions, and PL/SQL packages. It defines each component and provides examples. Anonymous blocks allow executing PL/SQL code without a name. Stored procedures and functions can be invoked by many users. Packages organize related objects and allow overloading subprograms. The document demonstrates package specifications that declare objects and package bodies that define objects and private components.
Auditing security of Oracle DB (Karel Miko, DCIT, a.s.)
The document discusses auditing security of Oracle databases. It divides the audit into four technical phases:
1) Auditing the operating system level, including checking permissions on the Oracle home directory and verifying the OS account used for Oracle has appropriate privileges.
2) Auditing the Oracle RDBMS level, including validating the Oracle version and installed patches.
3) Auditing Oracle database instances, including verifying database options and privileges granted to users and roles.
4) Auditing related processes, such as the Oracle listener and associated configuration files.
The document provides sample questions and answers from Oracle Database certification exam 1Z0-052. It includes 27 multiple choice questions covering topics like database backups, undo tablespaces, Data Pump utilities, and database initialization parameters. For each question, the stem presents a scenario and possible answer choices, and the answer identifies the correct choices. The questions test knowledge of Oracle database concepts, features, and troubleshooting techniques.
Kangaroot EDB Webinar: Best Practices in Security with PostgreSQL (Kangaroot)
The webinar will review a multi-layered framework for PostgreSQL security, with a deeper focus on limiting access to the database and data, as well as securing the data.
Using the popular AAA (Authentication, Authorisation, Auditing) framework EnterpriseDB will cover:
- Best practices for authentication (trust, certificate, MD5, Scram, etc).
- Advanced approaches, such as password profiles.
- Deep dive of authorisation and data access control for roles, database objects (tables, etc), view usage, row-level security, and data redaction.
- Auditing, encryption, and SQL injection attack prevention
This document discusses administering user security in an Oracle database. It covers creating and managing database user accounts, granting and revoking privileges, creating and managing roles, and creating and managing profiles to implement password security and control resource usage. The objectives are to authenticate users, assign tablespaces, grant privileges, create roles, implement standard password features, and control user resources. It also summarizes the key points and provides an overview of tasks for a practice on administering users.
This document summarizes a seminar presentation on Oracle. It provides an overview of Oracle as a company, including that it is the second largest independent software company and the first to develop 100% internet-enabled enterprise software. It then discusses Oracle database features like user access control using usernames, passwords, and privileges at both the system and object level. The presentation also covers creating and granting privileges to users and roles, as well as using database links to access data on remote databases.
Reviewing sql server permissions tech republicKaing Menglieng
The document reviews SQL Server permissions. It discusses reviewing login information using the sys.server_principals view, determining database users using sys.database_principals, viewing roles assignments with other system views, and identifying object permissions with sys.database_permissions. Examples are provided to test adding a login, user, and role membership. The document aims to help administrators understand permissions on their SQL Server instance.
The document discusses database security and administration. It covers topics like database security concepts including permissions, logins, and accounts. It also discusses server-level security, database-level security, object permissions, and authentication. Additionally, it summarizes database server roles, backups, restores, and other administrative tasks.
The document discusses SQL Server security and authentication methods when connecting from an application using ADO.NET, including SQL Server authentication with usernames and passwords versus Windows authentication using Windows credentials, as well as ways to control access to databases and objects using roles, permissions, and application roles within SQL Server. It also provides examples of managing authentication and security programmatically using Transact-SQL, SQL-DMO, and ADO.NET code samples.
Securing your Oracle Fusion Middleware Environment, On-Prem and in the CloudRevelation Technologies
Oracle WebLogic Server (and Oracle HTTP Server) form the foundation for practically all Oracle Fusion Middleware products. For the most part, securing your on-prem installation is similar to their Oracle Cloud equivalent counterparts, with some notable differences which we intend to cover. In this presentation, we discuss security patching, configuration hardening, web service security, network lockdowns, transport security, OS best practices, access policies, and much more - all intended to increase the security of your Oracle Fusion Middleware environments.
This document provides a summary of a session on SQL Server security and authentication using ADO.NET. The session discusses SQL Server authentication modes including Windows authentication and SQL Server authentication. It demonstrates how to programmatically manage SQL Server logins, roles, and permissions from VB.NET. The document also covers application security techniques using views, stored procedures and SQL Server application roles to restrict database access.
Web Component Development Using Servlet & JSP Technologies (EE6) - Chapter 1...WebStackAcademy
Security Implementation Mechanisms
The characteristics of an application should be considered when deciding the layer and type of security to be provided for applications. The following sections discuss the characteristics of the common mechanisms that can be used to secure Java EE applications. Each of these mechanisms can be used individually or with others to provide protection layers based on the specific needs of your implementation.
Java SE Security Implementation Mechanisms
Java SE provides support for a variety of security features and mechanisms, including:
Java Authentication and Authorization Service (JAAS): JAAS is a set of APIs that enable services to authenticate and enforce access controls upon users. JAAS provides a pluggable and extensible framework for programmatic user authentication and authorization. JAAS is a core Java SE API and is an underlying technology for Java EE security mechanisms.
Java Generic Security Services (Java GSS-API): Java GSS-API is a token-based API used to securely exchange messages between communicating applications. The GSS-API offers application programmers uniform access to security services atop a variety of underlying security mechanisms, including Kerberos.
Java Cryptography Extension (JCE): JCE provides a framework and implementations for encryption, key generation and key agreement, and Message Authentication Code (MAC) algorithms. Support for encryption includes symmetric, asymmetric, block, and stream ciphers. Block ciphers operate on groups of bytes while stream ciphers operate on one byte at a time. The software also supports secure streams and sealed objects.
Java Secure Sockets Extension (JSSE): JSSE provides a framework and an implementation for a Java version of the SSL and TLS protocols and includes functionality for data encryption, server authentication, message integrity, and optional client authentication to enable secure Internet communications.
Simple Authentication and Security Layer (SASL): SASL is an Internet standard (RFC 2222) that specifies a protocol for authentication and optional establishment of a security layer between client and server applications. SASL defines how authentication data is to be exchanged but does not itself specify the contents of that data. It is a framework into which specific authentication mechanisms that specify the contents and semantics of the authentication data can fit.
This document provides instructions for installing and configuring Adobe Connect and integrating it with Moodle. It discusses installing Adobe Connect on-premises or using the SaaS version. It then covers configuring settings in Connect and Moodle to enable single sign-on between the two systems. Troubleshooting tips are also provided for issues with multi-byte user/meeting names and possible bugs. Lastly, using multiple IP addresses with Connect on Amazon EC2 is discussed.
Presentation by Shree Prasad Khanal, Leader, Himalayan SQL Server User Group, on "Where should I be encrypting my data? " at "Braindigit 9th National ICT Conference 2013" organized by Information Technology Society, Nepal at Alpha House, Kathmandu, Nepal on 26th January, 2013
This session was presented at Global Microsoft 365 Developer Bootcamp, 2020, Hyderabad, India on 17 October, 2020.
Agenda:
- Manage User Identity
- Role Based Access Control (RBAC)
- Principle of least privilege
- Privileged Identity Management (PIM)
- Real world use cases
This document discusses various techniques for bypassing input filtering and conducting SQL injection attacks, including:
1) Using functions, comments, and alternate syntax to inject queries containing blocked characters.
2) Exploiting second-order SQL injection where user input is initially handled safely but later processed unsafely.
3) Conducting "blind" SQL injection attacks without direct output by using conditional responses, time delays, and error messages.
4) Escalating database attacks beyond simple data retrieval by enabling extended functionality or compromising the operating system.
The document discusses advanced Caché security techniques presented at the Caché Security II Academy. Topics included building custom authentication methods, incorporating LDAP, and implementing two-factor authentication. The agenda covered reviewing Caché's security model, configuring LDAP and delegated authentication, two-factor authentication, authorization using row-level security, encrypting databases, and managing audit logs. Hands-on exercises demonstrated LDAP authentication and setting up delegated authentication for the Service Console.
Geek Sync | SQL Security Principals and Permissions 101IDERA Software
You can watch the replay for this Geek Sync webcast, SQL Security Principals and Permissions 101, in the IDERA Resource Center, http://ow.ly/Sos650A4qKo.
Join IDERA and William Assaf for a ground-floor introduction to SQL Server permissions. This webinar will start with the basics and move into the security implications behind stored procedures, views, database ownership, application connections, consolidated databases, application roles, and much more. This session is perfect for junior DBAs, developers, and system admins of on-premises and Azure-based SQL platforms.
Speaker: William Assaf, MCSE, is a principal consultant and DBA Manager in Baton Rouge, LA. Initially a .NET developer, and later into database administration and architecture, William currently works with clients on SQL Server and Azure SQL platform optimization, management, disaster recovery and high availability, and manages a multi-city team of SQL DBAs at Sparkhound. William has written for Microsoft SQL Certification exams since 2011 and was the lead author of "SQL Server 2017 Administration Inside Out" by Microsoft Press, its second edition due out in 2019. William is a member of the Baton Rouge User Groups Board, a regional mentor for PASS, and head of the annual SQLSaturday Baton Rouge Planning Committee.
The document provides instructions for recovering a lost Oracle database password in 3 steps:
1) Connect to the database as sysdba using sqlplus to alter the password for a specific user.
2) To reset the overall Oracle database password, delete the password file and run the Oracle password utility to generate a new one.
3) After logging in with the new sys password, you can change it and create new passwords for other users. Recovering the password requires connecting under command line mode on the server.
SQL Server 2016: Just a Few of Our DBA's Favorite ThingsHostway|HOSTING
Join Rodney Landrum, Senior DBA Consultant for Ntirety, a division of HOSTING, as he demonstrates his favorite new features of the latest Microsoft SQL Server 2016 Service Pack 1.
During the accompanying webinar and slides, Rodney will touch on the following:
• A demo of his favorite new features in SQL Server 2016 and SP1 including:
o Query Store
o Database Cloning
o Dynamic Data Masking
o Create or Alter
• A review of Enterprise features that are now available in standard edition
• New information in Dynamic Management Views and SQL Error Log that will make your DBAs job easier.
1. 云和恩墨 (Enmotech), 成就所托 (achieving what is entrusted), by 王朝阳 (Zhaoyang Wang), 18516271611, sonne.k.wang@gmail.com
Administering User Security
2. Objectives
After completing this lesson, you should be able to:
• Create and manage database user accounts:
– Authenticate users
– Assign default storage areas (tablespaces)
• Grant and revoke privileges
• Create and manage roles
• Create and manage profiles:
– Implement standard password security features
– Control resource usage by users
3. Database User Accounts
Each database user account has:
• A unique username
• An authentication method
• A default tablespace
• A temporary tablespace
• A user profile
• An initial consumer group
• An account status
A schema:
• Is a collection of database objects that are owned by a database user
• Has the same name as the user account
4. Predefined Administrative Accounts
• SYS account:
– Is granted the DBA role, as well as several other roles
– Has all privileges with ADMIN OPTION
– Is required for startup, shutdown, and some maintenance commands
– Owns the data dictionary and the Automatic Workload Repository (AWR)
• SYSTEM account is granted the DBA, MGMT_USER, and AQ_ADMINISTRATOR_ROLE roles.
• DBSNMP account is granted the OEM_MONITOR role.
• SYSMAN account is granted the MGMT_USER, RESOURCE, and SELECT_CATALOG_ROLE roles.
• These accounts are not used for routine operations.
5. SYSOPER and SYSDBA
6. Creating a User
Select Server > Users, and then click the Create button.
7. Authenticating Users
• Password
• External
• Global
8. Fixed Database Links
• Create a public fixed database link:
CREATE PUBLIC DATABASE LINK dblk_orcl10g_hr
CONNECT TO hr IDENTIFIED BY oracle USING 'ORCL10g';
• Use a public database link:
SELECT * FROM employees@dblk_orcl10g_hr;
Diagram: the link opens a session on the remote ORCL10g database as the fixed user hr (connect hr/oracle).
9. Viewing Database Link Passwords
• A privileged user may view database link passwords:
SELECT USERID, PASSWORD
FROM SYS.LINK$
WHERE PASSWORD IS NOT NULL;
• The passwords for fixed links are stored in clear text in 10g:
USERID     PASSWORD
---------- ----------
SYSTEM     ORACLE
SCOTT      TIGER
10. Database Links Without Credentials
• Creating a connected user database link:
CREATE DATABASE LINK sales.division3.acme.com
USING 'sales';
• Creating a current user database link:
CREATE DATABASE LINK sales
CONNECT TO CURRENT_USER USING 'sales';
11. Audit Database Links
Diagram: jane connects to the local database (connect jane/doe) and uses a link to the remote FINANCE database, which the link opens as scott (connect scott/tiger). Local database audits record the user jane; remote database audits record the user scott.
12. Administrator Authentication
Operating system security:
• DBAs must have the OS privileges to create and delete files.
• Typical database users should not have the OS privileges to create or delete database files.
Administrator security:
• For SYSDBA, SYSOPER, and SYSASM connections:
– DBA user by name is audited for password file and strong authentication methods
– OS account name is audited for OS authentication
– OS authentication takes precedence over password file authentication for privileged users
– Password file uses case-sensitive passwords
13. Locking and Expiring Default User Accounts
• The Database Configuration Assistant (DBCA) expires and locks all accounts, except:
– SYS
– SYSTEM
– SYSMAN
– DBSNMP
• For a manual installation, lock and expire accounts by using:
ALTER USER hr PASSWORD EXPIRE ACCOUNT LOCK;
14. Privileges
There are two types of user privileges:
• System: Enables users to perform particular actions in the database
• Object: Enables users to access and manipulate a specific object
Diagram: HR_DBA holds the system privilege CREATE SESSION and the object privilege UPDATE on employees.
15. System Privileges
16. Object Privileges
To grant object privileges:
1. Choose the object type.
2. Search for and select objects.
3. Select privileges.
17. Revoking System Privileges with ADMIN OPTION
REVOKE CREATE TABLE FROM joe;
Diagram (User / Privilege / Object): the DBA grants CREATE TABLE to Joe WITH ADMIN OPTION and Joe grants it on to Emily; after the DBA revokes the privilege from Joe, Emily still holds it, because revoking a system privilege does not cascade.
18. Revoking Object Privileges with GRANT OPTION
Diagram: Bob grants an object privilege to Joe WITH GRANT OPTION and Joe grants it on to Emily; when Bob revokes the privilege from Joe, the revoke cascades and Emily loses it as well.
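The two revoke scenarios drawn on slides 17 and 18, written out as SQL (an added example, not code from the original slides). It assumes a scratch database with users joe, emily and bob, that bob owns a table named orders, and that each statement is run as the user named in its comment.

```sql
-- Scenario 1 (slide 17): a system privilege granted WITH ADMIN OPTION.
-- The DBA lets joe create tables and pass that right on; joe passes it to emily.
GRANT CREATE TABLE TO joe WITH ADMIN OPTION;          -- as the DBA
GRANT CREATE TABLE TO emily;                          -- as joe

-- The DBA takes the privilege back from joe only.
REVOKE CREATE TABLE FROM joe;                         -- as the DBA

-- Revoking a system privilege does not cascade, so emily keeps the privilege
-- she received from joe. List who still holds it:
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege = 'CREATE TABLE'
   AND grantee IN ('JOE', 'EMILY');                   -- as the DBA

-- Scenario 2 (slide 18): an object privilege granted WITH GRANT OPTION.
-- bob lets joe read orders and pass that right on; joe passes it to emily.
GRANT SELECT ON bob.orders TO joe WITH GRANT OPTION;  -- as bob
GRANT SELECT ON bob.orders TO emily;                  -- as joe

-- bob takes the privilege back from joe.
REVOKE SELECT ON bob.orders FROM joe;                 -- as bob

-- Revoking an object privilege cascades: emily's grant came from joe, so it is
-- removed together with joe's. GRANTOR shows where each surviving grant came from.
SELECT grantee, grantor, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'BOB'
   AND table_name = 'ORDERS';                         -- as the DBA

-- Put scenario 1 back the way it was; the surviving grant has to be revoked explicitly.
REVOKE CREATE TABLE FROM emily;                       -- as the DBA
```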
19. Benefits of Roles
• Easier privilege management
• Dynamic privilege management
• Selective availability of privileges
20. Assigning Privileges to Roles and Assigning Roles to Users
Diagram: users Jenny, David, and Rachel are assigned the roles HR_CLERK and HR_MGR; the roles carry the privileges Delete employees, Select employees, Update employees, Insert employees, and Create Job.
21. Predefined Roles
Role                 Privileges Included
CONNECT              CREATE SESSION
RESOURCE             CREATE CLUSTER, CREATE INDEXTYPE, CREATE OPERATOR, CREATE PROCEDURE, CREATE SEQUENCE, CREATE TABLE, CREATE TRIGGER, CREATE TYPE
SCHEDULER_ADMIN      CREATE ANY JOB, CREATE EXTERNAL JOB, CREATE JOB, EXECUTE ANY CLASS, EXECUTE ANY PROGRAM, MANAGE SCHEDULER
DBA                  Most system privileges; several other roles. Do not grant to nonadministrators.
SELECT_CATALOG_ROLE  No system privileges; HS_ADMIN_ROLE and over 1,700 object privileges on the data dictionary
22. Creating a Role
Select Server > Roles. Add privileges and roles from the appropriate tab. Click OK when finished.
23. Secure Application Roles
• Roles can be nondefault and enabled when required:
SET ROLE vacationdba;
• Roles can be protected through authentication.
• Roles can also be secured programmatically:
CREATE ROLE secure_application_role
IDENTIFIED USING <security_procedure_name>;
24. Implementing a Secure Application Role
1. Create the role.
2. Create the package that sets the role:
a. Create the package specification.
b. Create the package body.
3. Grant the execute privilege on the package.
4. Write the application server code that sets the role.
25. Step 1: Create the Role
• The CREATE ROLE command identifies the package that sets the role.
• The package does not need to exist.
• Example:
CREATE ROLE oe_sales_rep
IDENTIFIED USING secure.oe_roles;
26. Step 2.1: Create the Package Specification
• The OE_ROLES package is referenced in the CREATE ROLE command.
• The AUTHID CURRENT_USER clause is required to properly set the role.
• Example:
CREATE OR REPLACE PACKAGE oe_roles
AUTHID CURRENT_USER
IS
PROCEDURE set_sales_rep_role;
END;
/
27. Step 2.2: Create the Package Body
...
SELECT id
INTO v_id
FROM oe.app_roles
WHERE username = sys_context('userenv','current_user')
AND role = 'SALES_REP'
AND ip_address = sys_context('userenv','ip_address');
dbms_session.set_role('oe_sales_rep');
...
28. Step 3: Grant the EXECUTE Privilege on the Package
• The application server connects as the appsrv user.
• It sets the role after it starts the user's session.
• Example:
GRANT execute
ON oe_roles
TO appsrv;
29. Step 4: Write the Application Server Code That Sets the Role
• When starting, the application server:
– Connects as the APPSRV user
– Creates a connection pool
• When starting a session for a user, the application server:
– Gets a connection from the pool
– Starts a session for the user
– Sets the user's role
• Set the user's role by using:
secure.oe_roles.set_sales_rep_role;
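The four steps of slides 24 to 29 assembled into one script, with the package body completed so that a failed check leaves the role disabled (an added example, not code from the original slides). Beyond what the slides state it assumes that the schema SECURE owns the package, that OE.APP_ROLES has the columns ID, USERNAME, ROLE and IP_ADDRESS, that the sales users hold a role named oe_app_user, and that the grants on oe.orders are illustrative.

```sql
-- Step 1: tie the role to the package that may enable it. SET ROLE oe_sales_rep
-- from a client fails; only code in SECURE.OE_ROLES can switch the role on.
CREATE ROLE oe_sales_rep IDENTIFIED USING secure.oe_roles;

-- What the role confers once enabled (illustrative grants, not from the slides).
GRANT SELECT, INSERT, UPDATE ON oe.orders TO oe_sales_rep;

-- SECURE needs SELECT on the mapping table to compile the package; the callers
-- need it at run time, because an AUTHID CURRENT_USER package runs with the
-- caller's privileges. oe_app_user is an assumed role held by the sales users.
GRANT SELECT ON oe.app_roles TO secure, oe_app_user;

-- Step 2.1: package specification. AUTHID CURRENT_USER is required so that the
-- check and DBMS_SESSION.SET_ROLE apply to the calling session.
CREATE OR REPLACE PACKAGE secure.oe_roles
AUTHID CURRENT_USER
IS
  PROCEDURE set_sales_rep_role;
END oe_roles;
/

-- Step 2.2: package body. The role is enabled only when the session's user and
-- client IP address match a SALES_REP row in OE.APP_ROLES; otherwise the
-- procedure raises and the role stays disabled.
CREATE OR REPLACE PACKAGE BODY secure.oe_roles
IS
  PROCEDURE set_sales_rep_role
  IS
    v_id oe.app_roles.id%TYPE;
  BEGIN
    SELECT id
      INTO v_id
      FROM oe.app_roles
     WHERE username   = SYS_CONTEXT('userenv', 'current_user')
       AND role       = 'SALES_REP'
       AND ip_address = SYS_CONTEXT('userenv', 'ip_address');

    -- A matching row exists: enable the role for this session only.
    DBMS_SESSION.SET_ROLE('oe_sales_rep');
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      -- Unknown user or unexpected client address: refuse, enabling nothing.
      RAISE_APPLICATION_ERROR(-20001,
        'SALES_REP not permitted for ' || SYS_CONTEXT('userenv', 'current_user')
        || ' from ' || NVL(SYS_CONTEXT('userenv', 'ip_address'), 'a local connection'));
  END set_sales_rep_role;
END oe_roles;
/

-- Step 3: only the application server account may execute the package.
GRANT EXECUTE ON secure.oe_roles TO appsrv;

-- Step 4: what the application server runs after starting the user's session.
BEGIN
  secure.oe_roles.set_sales_rep_role;
END;
/

-- Verification: the dictionary records which package guards the role, and
-- SESSION_ROLES shows whether it is enabled in the current session.
SELECT role, schema, package
  FROM dba_application_roles
 WHERE role = 'OE_SALES_REP';

SELECT role
  FROM session_roles
 WHERE role = 'OE_SALES_REP';
```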
30. Data Dictionary Views
SQL> SELECT *
  2  FROM dba_application_roles
  3  WHERE ROLE = 'OE_SALES_REP';

ROLE          SCHEMA  PACKAGE
------------- ------- --------
OE_SALES_REP  SECURE  OE_ROLES

SQL>
31. Assigning Roles to Users
32. Quiz
All passwords created in Oracle Database 11g are not
case-sensitive by default.
1. True
2. False
Quiz
A database role:
1. Can be enabled or disabled
2. Can consist of system and object privileges
3. Is owned by its creator
4. Cannot be protected by a password
Profiles and Users
• A user is assigned only one profile at a time.
• Profiles control resource consumption.
• Profiles manage account status and password expiration.
Note: RESOURCE_LIMIT must be set to TRUE before profiles can impose resource limits; the password limits in a profile are enforced regardless of this setting.
Implementing Password Security Features
Password security features are set up through profiles assigned to users:
• Account locking
• Password aging and expiration
• Password history
• Password complexity verification
Note: Do not use profiles that cause the SYS, SYSMAN, and DBSNMP passwords to expire and the accounts to be locked.
Creating a Password Profile
Supplied Password Verification Function: VERIFY_FUNCTION_11G
The VERIFY_FUNCTION_11G function ensures that the password is:
• At least eight characters
• Different from the username, the username followed by a number, and the username reversed
• Different from the database name and the database name followed by a number
• A string with at least one alphabetic and one numeric character
• Different from the previous password by at least three characters
Tip: Use this function as a template to create your own customized password verification function.
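Putting the profile, password and resource limits together, with a custom verification function written from the VERIFY_FUNCTION_11G signature, as an added example (not the course's own code). It assumes VERIFY_FUNCTION_11G already exists, that is, $ORACLE_HOME/rdbms/admin/utlpwdmg.sql has been run as SYSDBA; the profile, user and CORP_VERIFY_FUNCTION names are illustrative.

```sql
-- Added example, not the course's own code. Assumes utlpwdmg.sql has been run
-- (so VERIFY_FUNCTION_11G exists); APP_USER_PROFILE, APP_USER and
-- CORP_VERIFY_FUNCTION are illustrative names.

-- Password limits are always enforced; the resource limits below only take
-- effect once RESOURCE_LIMIT is TRUE.
ALTER SYSTEM SET resource_limit = TRUE SCOPE = BOTH;

CREATE PROFILE app_user_profile LIMIT
  FAILED_LOGIN_ATTEMPTS    5          -- lock the account after 5 consecutive failures
  PASSWORD_LOCK_TIME       1/24       -- keep it locked for one hour (unit is days)
  PASSWORD_LIFE_TIME       90         -- days until the password expires
  PASSWORD_GRACE_TIME      7          -- days of warnings after expiry before lockout
  PASSWORD_REUSE_TIME      365        -- an old password may return only after 365 days ...
  PASSWORD_REUSE_MAX       10         -- ... and at least 10 intervening changes
  PASSWORD_VERIFY_FUNCTION verify_function_11g
  SESSIONS_PER_USER        3
  IDLE_TIME                30         -- minutes
  CONNECT_TIME             480;       -- minutes

-- A stricter verification function with the same signature as
-- VERIFY_FUNCTION_11G. It must be owned by SYS and return TRUE or raise.
CREATE OR REPLACE FUNCTION sys.corp_verify_function (
  username     IN VARCHAR2,
  password     IN VARCHAR2,
  old_password IN VARCHAR2) RETURN BOOLEAN IS
  v_rev    VARCHAR2(128);
  v_differ PLS_INTEGER;
BEGIN
  IF LENGTH(password) < 12 THEN
    RAISE_APPLICATION_ERROR(-20001, 'Password must be at least 12 characters');
  END IF;
  -- upper, lower, digit and non-alphanumeric character classes are all required
  IF NOT REGEXP_LIKE(password, '[A-Z]') OR NOT REGEXP_LIKE(password, '[a-z]')
     OR NOT REGEXP_LIKE(password, '[0-9]') OR NOT REGEXP_LIKE(password, '[^[:alnum:]]') THEN
    RAISE_APPLICATION_ERROR(-20002, 'Password needs upper, lower, digit and special characters');
  END IF;
  -- must not contain the user name forwards or backwards (case-insensitive)
  FOR i IN REVERSE 1 .. LENGTH(username) LOOP
    v_rev := v_rev || SUBSTR(username, i, 1);
  END LOOP;
  IF INSTR(UPPER(password), UPPER(username)) > 0
     OR INSTR(UPPER(password), UPPER(v_rev)) > 0 THEN
    RAISE_APPLICATION_ERROR(-20003, 'Password must not contain the user name');
  END IF;
  -- old_password is only passed in when the user supplies it
  -- (ALTER USER ... IDENTIFIED BY new REPLACE old); otherwise skip the check
  IF old_password IS NOT NULL THEN
    v_differ := ABS(LENGTH(old_password) - LENGTH(password));
    FOR i IN 1 .. LEAST(LENGTH(old_password), LENGTH(password)) LOOP
      IF SUBSTR(password, i, 1) != SUBSTR(old_password, i, 1) THEN
        v_differ := v_differ + 1;
      END IF;
    END LOOP;
    IF v_differ < 3 THEN
      RAISE_APPLICATION_ERROR(-20004, 'Password must differ from the old one by at least 3 characters');
    END IF;
  END IF;
  RETURN TRUE;
END corp_verify_function;
/
ALTER PROFILE app_user_profile LIMIT PASSWORD_VERIFY_FUNCTION corp_verify_function;

-- Assign the profile (and a tablespace quota) when the account is created.
CREATE USER app_user IDENTIFIED BY "Tr0ub4dor#3xample"
  DEFAULT TABLESPACE users
  QUOTA 50M ON users
  PROFILE app_user_profile;
GRANT CREATE SESSION TO app_user;

-- Keep the administrative accounts out of expiring or locking profiles.
SELECT username, profile, account_status
  FROM dba_users
 WHERE username IN ('SYS', 'SYSMAN', 'DBSNMP');
```

Test the function before assigning it to a profile used by real accounts: a verification function that raises an unexpected error makes every password change fail, including the one you would use to back it out.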
Assigning Quotas to Users
Users who do not have the UNLIMITED TABLESPACE system privilege must be given a quota on a tablespace before they can create objects in it.
Quotas can be:
• A specific value in megabytes or kilobytes
• Unlimited
Applying the Principle of Least Privilege
• Protect the data dictionary: O7_DICTIONARY_ACCESSIBILITY=FALSE
• Revoke unnecessary privileges from PUBLIC.
• Use access control lists (ACLs) to control network access from the database.
• Restrict the directories accessible to users.
• Limit the number of users with administrative privileges.
• Restrict remote database authentication: REMOTE_OS_AUTHENT=FALSE
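A review script for the least-privilege points above and for the tablespace quotas discussed on the previous slide, added here as an example (not the course's own code). Run it as a DBA; the ACL name, the APP schema, the mail host and APP_USER are illustrative assumptions, and every statement that changes something is preceded by the query that shows whether it is needed.

```sql
-- Added hardening review script, not the course's own code. Run as a DBA.
-- Assumed names: APP (schema that needs SMTP), smtp.example.com, APP_USER.

-- 1. Parameters: both should be FALSE, and UTL_FILE_DIR should be empty.
SELECT name, value
  FROM v$parameter
 WHERE name IN ('o7_dictionary_accessibility', 'remote_os_authent', 'utl_file_dir');
-- Both are static parameters, so the change needs a restart.
ALTER SYSTEM SET o7_dictionary_accessibility = FALSE SCOPE = SPFILE;
ALTER SYSTEM SET remote_os_authent = FALSE SCOPE = SPFILE;

-- 2. Packages that reach the file system or the network, executable by everyone.
SELECT table_name AS package_name
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC' AND privilege = 'EXECUTE'
   AND table_name IN ('UTL_FILE', 'UTL_HTTP', 'UTL_TCP', 'UTL_SMTP', 'UTL_INADDR',
                      'DBMS_LOB', 'DBMS_SQL')
 ORDER BY 1;
-- Revoke from PUBLIC and grant back only to the schemas that need each package;
-- test first, because Oracle-supplied components may rely on some of them.
REVOKE EXECUTE ON utl_file FROM PUBLIC;
REVOKE EXECUTE ON utl_smtp FROM PUBLIC;
GRANT EXECUTE ON utl_smtp TO app;

-- 3. Network ACL (11g DBMS_NETWORK_ACL_ADMIN): APP may connect to one mail
--    host on port 25 and nothing else.
BEGIN
  DBMS_NETWORK_ACL_ADMIN.CREATE_ACL(
    acl         => 'app_smtp.xml',
    description => 'Outbound SMTP for the APP schema',
    principal   => 'APP',
    is_grant    => TRUE,
    privilege   => 'connect');
  DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL(
    acl        => 'app_smtp.xml',
    host       => 'smtp.example.com',
    lower_port => 25,
    upper_port => 25);
  COMMIT;
END;
/

-- 4. Directory objects: who can read or write through them.
SELECT p.grantee, p.table_name AS directory_name, d.directory_path, p.privilege
  FROM dba_tab_privs p
  JOIN dba_directories d ON d.directory_name = p.table_name
 ORDER BY 1, 2;

-- 5. Administrative power: DBA role, ANY privileges, password-file entries.
SELECT grantee FROM dba_role_privs WHERE granted_role = 'DBA';
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE privilege LIKE '%ANY%' AND grantee NOT IN ('SYS', 'SYSTEM')
 ORDER BY 1, 2;
SELECT username, sysdba, sysoper FROM v$pwfile_users;

-- 6. Storage: UNLIMITED TABLESPACE bypasses quotas (the RESOURCE role grants
--    it implicitly); everyone else should carry an explicit quota.
SELECT grantee FROM dba_sys_privs WHERE privilege = 'UNLIMITED TABLESPACE';
SELECT username, tablespace_name,
       ROUND(bytes / 1024 / 1024) AS used_mb,
       CASE max_bytes WHEN -1 THEN 'UNLIMITED'
                      ELSE TO_CHAR(ROUND(max_bytes / 1024 / 1024)) END AS quota_mb
  FROM dba_ts_quotas
 ORDER BY 1, 2;
REVOKE UNLIMITED TABLESPACE FROM app_user;
ALTER USER app_user QUOTA 100M ON users;
```

Section 2 is the one that breaks things when applied blindly: revoke one package at a time on a test system and watch for ORA-00942 or ORA-06550 in application logs before doing the same in production.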
Protect Privileged Accounts
Privileged accounts can be protected by:
• Using a password file with case-sensitive passwords
• Enabling strong authentication for administrative privileges such as SYSDBA
Separation of Responsibilities
Users with DBA privileges must be trusted, but separation of responsibilities can:
• Prevent abuse of that trust
• Allow audit trails to protect the trusted position
To implement separation of responsibilities:
• DBA responsibilities must be shared
• Accounts must never be shared
• The DBA and the system administrator must be different people
• SYSOPER and SYSDBA responsibilities must be separated
Quiz
Applying the principle of least privilege is not enough to
harden the Oracle database.
1. True
2. False
Quiz
With RESOURCE_LIMIT set at its default value of FALSE,
profile password limitations are ignored.
1. True
2. False
Summary
In this lesson, you should have learned how to:
• Create and manage database user accounts:
– Authenticate users
– Assign default storage areas (tablespaces)
• Grant and revoke privileges
• Create and manage roles
• Create and manage profiles:
– Implement standard password security features
– Control resource usage by users
Q&A