Title: Agenda
1(No Transcript)
2Agenda
- Database Overview
- Oracle Audit/Security/Control
3Objectives
- Your objectives
- Magic Disk
- Database Control Objectives
- Frank W. Lyons
- Entellusfl_at_aol.com
- 407-774-8397
4Terminology
- Database
- A set of data
- Tablespaces
- Logical division of a database
- Files
- datafile
- Instances
- Also known as a server
- Table, columns and datatypes
5Columns
- The characteristics of a column are made up of
two parts its datatype and its length. - For columns using the NUMBER datatype, the
additional characteristics of precision and scale
can be specified. Precision determines the
number of significant digits and Scale determines
the placement of the decimal point
6 - Structure Query Language (SQL)
- Data Definition Language
- DDL
- Create, Drop, Alter
- Data Manipulation Language
- DML
- Select, Insert, Update, Delete
- Data Control Language
- DCL
- Grant, Revoke
7 Database Structure
- Obtain the Data Structure Diagram
Customer Table
Warehouse Table
Order Table
The data structure diagram provides all the
tables and columns
8Tables
- Tables owned by the user SYS are called the data
dictionary tables - Dictionary tables provide a system catalog that
the database uses to manage itself - The database maintains the relationship between
table by using referential integrity
9 Database Structure
Database
This is the file name under the operating system
Tablespace
Table
Index
Synonym
View
Synonym
10Databases
- A database is a set of data.
- Oracle provides the ability to store and access
data in a manner consistent with a defined model
known as the Relational Model.
11Tablespaces
- A tablespace is a logical division of a database
- Each tablespace is constituted of one or more
files, called datafiles, on a disk. A datafile
can belong to one and only one tablespace
12 Tablespaces
- To prevent users from creating objects in the
SYSTEM tablespace, any quotas on SYSTEM, which
could give a user the ability to create objects
in the SYSTEM tablespace, must be revoked - alter user Frank quota 0 on SYSTEM
- When you create a new user via the create user
command, you can specify a default tablespace - create user Frank identified by excellence
- default tablespace Human_Resources
13 Tablespaces
- SYSTEM Data Dictionary
- DATA Standard-operation tables
- DATA_2 Static tables used during standard
operation - INDEXES Indexes for the standard operation
tables - INDEXES_2 Indexes for the static tables
- RBS Standard operation rollback segment
- RBS_2 Specialty rollback segments used for data
loads - TEMP Standard operation temporary segments
- TEMP_USER Temporary segments created by a user
- TOOLS RDBMS tools tables
- TOOLS_1 Indexes for RDBMS tools tables
- USERS User objects, in development databases
14 Instance
- In order to access the data in the database,
Oracle uses a set of background processes that
are shared by all users. - A database instance (also known as a server) is a
set of memory structures and background processes
that access a set of database files.
15Views
- Views appear to be a table containing columns and
is queried in the same manner that a table is
queried - Views do not use physical storage to store data
- Views can not be indexed.
16Typical Authentication Pyramid
Reporting Tool
Database
Accountability lessens as you move down the
pyramid
Data
17Where Are the Application Controls?
- Direct access usually by-passes application
controls - User profiling is normally only used within the
application - Views of reporting data could be incorporated
- Summarized data could be used to reduce
sensitivity
18Relational Data Storage
Employee Table
19Views Based on User Profile
View of the Commercial Division
Security is based on data value
20Reduced Data Sensitivity
Employee Locator View
Security is based on columns selected
21Summarized Views
View Summarized by Division
22Access Type Difference
- Id and Passwords
- User Profiles
- Accountability and audit ability
23Data Access
- Application interfaces
- Reporting Tools
- Direct access
24ID and Password Controls
- Where is the ID and Password Stored for
verification? - How is the password stored?
- Is the same user ID used for multiple
applications? - Is the password stored in multiple locations?
25User Profiles
- Profiles allow access according to job
responsibilities - Division
- Position
- Security Clearance
26User Profiles Controls
- Who creates and modifies the user profile?
- What audit trails are in place for profile
changes? - What approvals are required for changes to the
user profile? - What is the notification process for job
responsibility changes?
27Accountability and Auditability
- Is the user id translated to a high powered id
during application access to the data? - Does the application record read access?
- When data is inserted, modified, or deleted is
the change logged? - If there is a log who is reviewing the log?
28ID Translation
- Used to prevent users from accessing data
directly - Prevents authentication by the database
management system - Creates tuning and monitoring challenges
29Reporting Tools and Direct Access
- Ad-hoc reporting
- User flexibility
- Less labor to support user reporting requirements
- Checks and balance to insure information accuracy
30Separate Reporting Database
Reporting Database
On-line Database
Synchronization can be done real time or on
intervals
31Advantages of Separate Reporting Databases
- Design for reporting efficiencies
- On-line environment not impacted by the reporting
workload - Data can be summarized to reduce data sensitivity
- Multiple reporting databases can be defined to
limit access to sensitive information
32Disadvantages of Separate Reporting Databases
- Extra storage and processor resources are
required - Extra labor resources are required to support
replication process - Special controls needed for direct access
authority - Read activity needs to be logged for audit ability
33Reporting Tools
Reporting Tool View of Data
Reporting Database
Reporting tools can limit access by column, data
value, or through summarization.
34Web Access
- Reporting Tools can push static or dynamic
information - Design should balance performance differences
with flexibility - Security at the data level needs to be well
understood so that access is based on data
sensitivity and job responsibilities
35Application Recovery
- Code is normally static
- Code changes should be installed on well defined
intervals - Recovery usually requires reboot of application
server - Corrupted application files can be restored from
the last copy
36Database Recovery
- Data is a constantly changing resource
- Rebooting the database server causes the database
system to recovery any in-flight units of work - Restoring data from backup requires the database
logs to be applied to the data in order to
restore data consistency
37Database Logs
Data Identification (Record Header)
Before Image of Data
After Image of Data
38Log Contains All Data Modifications
User Activity
Database Log
Database
39Backout Due to Abort or Abend
User Activity
Database Log
Database
Aborted Unit of Work
Log Records are read to backout the changes to
the data
40Protecting Database Log
- Critical Recovery Resource
- Contains Sensitive Information
- Needed for on-site and off-site recovery
- Log shipping often done for off-site recovery
41Log Shipping
Off-site
Database Log Copy
42Criteria for Server Selection in the Database
Environment
- Stability
- Security
- Recoverability
- Performance
43Key Points
- Application access controls are by-passed through
most reporting interfaces - Security design MUST be centered on the data and
incorporated in each interface - Data and application recovery have key
differences and need special considerations
44Key Points
- Security should be designed around the DATA
- All interface points must be reviewed
- Data recoverability needs differ between
application and data - Database logs contain sensitive information
45 46Identify Risks
- Default Users
- Operating System configuration
- Database server configuration
- Listener process
- Privileges
- Database links
- Patches
47Init.ora
- Database startup file
- This file is read during the instance startup and
may be modified by the DBA. Any modifications to
this file will not take affect until the next
startup that uses this file
48 Init.ora
- In the default directory configuration, the
init.ora file is stored in a directory named - /orasw/app/oracle/admin/instance_name/pfile
- The init.ora file does not list the names of the
datafiles or online redo log files for the
database as these are stored in the data
dictionary. - Init.ora does list the names of the control files
for the database
49Config.ora
- A second configuration file is typically used to
store the settings of variables that do not
change after database creation - Such as the database block size
- In order for the config.ora settings to be used,
the file must be listed as an include file via
the IFILE parameter in the instances init.ora
file
50Procedures
- A procedure is a block of PL/SQL statements that
is stored in the data dictionary and is called by
applications - Stored procedures help to enforce data security
51Functions
- Functions, like procedures are blocks of code
that are stored in the database. - Function are capable of returning values to the
calling program
52Packages
- Packages are used to arrange procedures and
functions into logical groupings - Packages have a public and private elements
- Private elements may include procedures called by
other procedures within the package - Source code for the functions, procedures, and
packages are stored in the data dictionary tables
53Triggers
- Triggers are procedures that are executed when a
specified database event takes place against a
specified table - Used as part of referential integrity
- Used to enforce additional security
- Used to enhance the available auditing options
54 Triggers
- Two types of triggers
- Statement triggers
- Fire once for each triggering statement
- Row triggers
- Fire once for each row in a table affected by the
statement - For each type a BEFORE trigger and AFTER trigger
can be created - Triggering events include inserts, updates, and
deletes
55Synonyms
- To completely identify a database object such as
a table or a view, the host machine name, the
server instance name, the objects owner, and the
objects name must be specified - Synonyms reduce this effort
- Public synonyms are shared by all users
- Synonyms can provide pointers for tables, views,
procedures, functions, packages, and sequences
56 Database Life Cycles
- Planning
- Creating
- Monitoring
- Tuning
- Securing
- Auditing
57Operating system configuration
- Use file system security to protect the DBMS
software and data files (Only allow the Oracle
user and Oracle group access to the files) - Turn off all operating system functionality/servic
es that are not required by the DATABASE SERVER
(mail,ftp,telnet) - Turn on O/S level auditing and review the audit
log daily - Secure the backup of the database
- Audit regularly
58Database System Configuration
- Remove non-essential users and enforce password
management (see appendix) - Change the default passwords on accounts
- Do not allow development in a production
database/server - Secure the development database (may contain
production data) - Keep the software up to date and patched
59Database System Configuration Oracle Database -
Physical Structures
- When a backup of a database occurs, the backup
software is making copies of the physical
structures of an Oracle instance. - Physical Structures stored in the operating
system - Control File
- Online Redo Log
- Data File
- INIT.ORA
- SPFILE (Oracle9i)
- ORACLE_HOME (Oracle software)
- Backup destination
60Database System Configuration Oracle
Database/Physical Structures
- Control File
- Contains information about the instance and all
of its external files. - Used by Oracle to know if a data file needs
recovery. - Audit view VCONTROLFILE
- Online Redo Log
- Keeps track of all the transactional activity
that makes changes to the database. - Audit view VLOGFILE
61Database System Configuration Oracle
Database/Physical Structures
- Data File
- Associated with a single tablespace.
- Oracle server creates a data file for a
tablespace by allocating the specified amount of
disk storage a small overhead. - Can contain data segment (table), index segment
(primary keys, unique constraints or tuning
indexes), rollback and temporary segments. - Audit view DBA_DATA_FILES
- INIT.ORA
- Used by the Oracle instance to configure how much
of the OS resources will be used by the instance. - Parameters can be placed here for optional
processes - Audit view VPARAMETER
62Database System Configuration Oracle
Database/Physical Structures
- Data File
- Audit view DBA_DATA_FILES
- SQLgt select file_name from dba_data_files
- order by file_name
- Control File
- Audit view VCONTROLFILE
- SQLgt select from vcontrolfile
- Online Redo Log
- Audit view VLOGFILE
- SQLgt select from vlogfile
- order by group
63Database System Configuration Oracle
Database/Physical Structures
- INIT.ORA
- Audit view VPARAMETER
- SQLgt select name,value from vparameter
- License/version
- Audit view vversion
- SQLgt select from vversion
64Privileges
Third party application owner will typically have
the DBA role granted to them This is needed
for installs/upgrades of software, but typically
can be removed for day to day activities SELECT
ANY TABLE privilege should not be allowed on any
end user
65Privileges
- SELECT ANY TABLE privilege gives users the
ability to select from ANY table - including SYS.USER and SYS.LINK
- These tables will show passwords
66Privileges Audit Checklist
SQLgt select privilege privilege_granted,
grantee,admin_option from
sys.dba_sys_privs where not
exists (select
'x' from sys.dba_users where username
grantee) order by privilege_granted,admin_o
ption
67Privileges Audit Checklist
PRIVILEGE_GRANTED GRANTEE
ADM --------------------------------------------
----- --- QUERY REWRITE AROLE
NO QUERY REWRITE DBA
YES RESTRICTED SESSION DBA
YES SELECT ANY
DICTIONARY OEM_MONITOR NO
SELECT ANY DICTIONARY DBA
YES SELECT ANY TABLE DBA YES SELECT
ANY TABLE IMP_FULL_DATABASE NO
68Database Link
- Used to connect one database to another
- The Database link contains
-
- USER ACCOUNT TO CONNECT TO THE TARGET DATABASE
- LOCAL USERNAME AND PASSWORD
- (HARD CODED) or pass through authentication
- CONNECT STRING (Oracle / SQLNET/ NET8)
- Audit view dba_db_links
69Oracle NET / NET8 /SQLNET LISTENER Configuration
Server
Client
70Oracle NET / NET8 /SQLNet LISTENER
- Oracle NET enables communications between
partners in a distributed transaction - Applies to client/server or server/server
environment. - During the life of a connection, resolves all
differences between the internal data
representations and/or character sets of the
computer. - Net8 has been renamed to Oracle NET for 9i
71Harden the Listener Process
- The configuration file for the listener is
LISTENER.ORA. - LISTENER.ORA resides on the server and defines
- Listener name, a database can have multiple
listeners - The network listener address
- The SID of the database for which it listens
- Parameters that influence the network listeners
behavior, including tracing, timeout and
logging and password
72Harden the Listener Process
- Prevent unauthorized administration of the Oracle
Listener by - ADMIN_RESTRICTIONS_listener_nameON
- Use a password on all listeners
- At the lsnrctl prompt enter change_password
73Oracle NET / Net8 /SQLNET Configuration
- Oracle Names
- Network service that provides centralized name
resolution to Oracle clients and servers. - Consists of one or more administrative regions,
each having a single installation of the Oracle
Network Manager tool. - Oracle Network Manager enables the administrator
to administer the following in its
administrative region - All database listeners
- Global database links
- Clients, interchanges and Names Servers.
74Oracle NET/ NET8 / SQLNet Configuration
- Oracle Names (continued)
- Clients do not need a TNSNAMES.ORA file if an
Oracle Names Server is used. - If a TNSNAMES.ORA file is created, the client may
use it to resolve the service name before
resolving it through the Names Server. - Clients have a SQLNET.ORA file that identifies
Oracle Names Server. This file can reference a
file on a server so that it doesnt have to
change if the Names Server changes.
75Oracle NET / NET8 /SQLNET Configuration
3
Names Server
76Oracle NET/ NET8 /SQLNet Audit checklist
- Listener password protected
- Is ADMIN_RESTRICTION turned on
- Is a protocol.ora in place for node checking
- How is tnsnames protected
- ONAMES is used, this adds an additional server to
be audited
77Oracle listener Audit checklist
- Set up the listener with password
- Set up a strong password
- Protect the listener .ora file (this is where the
password is kept)
78Patches Audit checklist
Verify patches using the VVERSION view Keep
informed on the latest security
patches http//otn.oracle.com/deploy/security/aler
ts.htm Have a policy on how quickly a critical
security patch should be applied Oracle rates
severity of patches one is most severe
79Patches
Alerts (Subscribe to security alerts ) PDFBuffer
Overflows in EXTPROC of Oracle Database
ServerAlert 57, Rev 2, 07August 2003PDFBuffer
Overflow Vulnerability in Oracle E-Business
SuiteAlert 56, Rev 1, 23 July 2003PDFUnauthorize
d Disclosure of Information in Oracle E-Business
SuiteAlert 55, Rev 1, 23 July 2003PDFBuffer
Overflow in Net Services for Oracle Database
ServerAlert 54, Rev 2, 30 April 2003PDFReport
Review Agent Vulnerability in Oracle E-Business
SuiteAlert 53, Rev 1, 10 April 2003PDFTwo
Security Vulnerabilities in Oracle9i Application
ServerAlert 52, Rev 3, Updated 03 March
2003PDFBuffer Overflow in ORACLE executable of
Oracle9i Database ServerAlert 51, Rev 6, Updated
18 April 2003PDFBuffer Overflow in Oracle9i
Database ServerAlert 50, Rev 6, Updated 18 April
2003
80Oracle's built-in toolsUSERS / SCHEMAS
Security Domain Defines the security settings
that Apply to the user Authentication
Mechanism Database Operating system Network Pri
vilegesDirect/Indirect (via roles)
81Oracle's built-in toolsUSERS / Database SCHEMAS
Authentication Mechanism Database passwords
are kept internally in a database table
encrypted Operating systemPasswords are kept
in the operating system
82Oracle's tools to purchase
- Authentication Mechanism using
- Oracle Advanced Security option
- Network Uses third party network
authentication services (like Kerberos and
SESAME) - Token Devices, one time passwords are used to
authenticate - Biometrics Devices, use physical features of
users to authenticate - Advanced Encryption Standard (AES)
- AES is symmetric block cipher
- AES-128,AES-192 and AES-256
83Oracle's built-in toolsUSERS / Database SCHEMAS
Predefined users Sys/change_on_install (super
user in Oracle,schema for Oracle dictionary
tables) System/manager (Owner of internal tables
used by Oracle tools) Scott/tiger (created by
demo files, sometimes left in production) Note
9i passwords are custom, unless you create the
Database using the Database creation assistant in
batch mode Additional users defined later in the
Oracle9i section
84Oracle's built-in tools Password File to
authenticate DBAs
A password file for DBAs is optional and can be
setup using the ORAPWD password utility. The
password file will restrict administration
privilege to only the users who know the password
and have been granted a special role. The
roles are SYSDBA and SYSOPER.
85Oracle's built-in toolsTwo special roles
SYSOPER/SYSDBA
SYSOPER Permits you to perform STARTUP,
SHUTDOWN, ALTER DATABASE OPEN/MOUNT,
ALTER DATABASE BACKUP, ARCHIVE LOG, and RECOVER,
and includes the RESTRICTED SESSION privilege.
86Oracle's built-in tools
SYSDBA Contains all system privileges with ADMIN
OPTION, and the SYSOPER system privilege CREATE
DATABASE and time-based recovery. Listing
Password File Members Audit view VPWFILE_USERS
will show all users that have been granted
SYSDBA and SYSOPER system privileges for a
database.
87Oracle's built-in toolsADMINISTERING PRIVILEGES
Two types of privileges System Enables users
to perform ADMIN type activities in the
database OBJECT Enables users to access and
manipulate objects
88Oracle's built-in toolsSYSTEM PRIVILEGES
Administering privileges System 80 system
privileges The ANY keyword means that the user
has the privilege for any schema. The GRANT
command is used to add a privilege to a user or
group of users GRANT CREATE SESSION to
smith GRANT CREATE SESSION to smith with ADMIN
OPTION The REVOKE command deletes the
privilege REVOKE CREATE SESSION to smith
89Oracle's built-in toolsSYSTEM PRIVILEGES
Administering privilegesDisplaying System
Privileges DATABASE LEVEL SESSION
LEVEL DBA_SYS_PRIVS SESSION_PRIVS Grantee Priv
ilege Privilege Admin option
90Oracle's built-in toolsOBJECT PRIVILEGES
OBJECT SQL STATEMENT Allowed ALTER ALTER
object (table or sequence) DELETE DELETE FROM
object (table or view) EXECUTE EXECUTE object
(procedure or function). References to public
package variables INDEX CREATE INDEX ON
object (tables only) INSERT INSERT INTO
object (table or view) REFERENCES CREATE or
ALTER TABLE statement defining a FOREIGN KEY
integrity constraint on object (tables only)
SELECT SELECT...FROM object (table, view, or
snapshot). SQL statements using a sequence
91Oracle's built-in toolsDISPLAYING OBJECT
PRIVILEGES
DBA_TAB_PRIVS DBA_COL_PRIVS Grantee Grantee Ow
ner Owner Table_name Table_name Grantor Col
umn_name Privilege Grantor grantable Privile
ge Grantable
92Oracle's built-in toolsUSERS / Database SCHEMAS
Restriction privilege system by enabling
O7_DICTIONARY_ACCESSIBILITYFALSE This
prevents users with the system ANY from being
able to execute against the SYS schema The
default is TRUE This allows the user with the
ANY privilege to execute against the SYS schema
93Oracle's built-in toolsAdministering privileges
A role is a database entity that is a named
group of privileges. It is unique within the
database and not owned by a user. A role can be
authenticated by a password. Special role
SELECT_CATALOG_ROLE, which enable access to the
data dictionary
94Oracle's built-in toolsPredefined roles
ROLENAME DESCRIPTION
CONNECT Provided for
backward RESOURCE compatibility DBA All
systems privileges w/admin EXP_FULL_DATABASE Priv
ileges to export the DB IMP_FULL_DATABASE Privil
eges to Import the DB DELETE_CATALOG_ROLE Delete
privileges on dictionary EXECUTE_CATALOG_ROLE Exe
cute privilege on dictionary SELECT_CATALOG_ROLE
Select privilege dictionary tables PUBLIC Role
that all users have
95Oracle's built-in toolsDisplaying information on
roles
DATABASE ROLE VIEW DESCRIPTION DBA_ROLES All
roles which exist in the DB DBA_ROLE_PRIVS Roles
granted to users and roles ROLE_ROLE_PRIVS Role
s which are granted to roles DBA_SYS_PRIVS Syste
m privileges grated to users and
roles ROLE_SYS_PRIVS System privileges granted
to roles ROLE_TAB_PRIVS Table privileges
granted to roles SESSION_ROLES Roles which the
user currently has enabled
96Oracle's built-in toolsPROFILES used for
password management
- A PROFILE is a named set of limits for passwords
and system resources - Are assigned to users
- Can become the default for all users
- Can be enabled or disabled
97Oracle's built-in toolsPROFILES
- A PROFILE is a named set of limits for passwords
- And system resources
- CPU time
- I/O operations
- IDLE time (inactive time measured in minutes)
- Connect time (measured in minutes)
- Memory space
- Concurrent sessions
- Passwords aging and expiration
- Password history
- Password complexity verification
- Account locking
98Oracle's built-in toolsPROFILES management
Create a profile CREATE PROFILE end_user_prof
LIMIT SESSIONS_PER_USER 1 IDLE_TIME 60 CONNECT
TIME 600 Modify a profile ALTER PROFILE
end_user_prof limit IDLE_TIME 10 Remove a
profile DROP PROFILE end_user_prof DROP PROFILE
end_user_prof CASCADE
99Oracle's built-in toolsPROFILES management
- Associate a user to a profile
- ALTER USER smith
- PROFILE end_user_prof
- Resource limits must be enable to enforce profile
limits, - This does not include password management.
- Two ways to enable
- ALTER SYSTEM SET RESOURCE_LIMITTRUE
- 1. Modify the init.ora file and set
RESOURCE_LIMITTRUE, - 2. Restart the instance
100Oracle's built-in toolsPROFILES displaying
resource limits
DBA_USERS Profile username
DBA_PROFILES Profile Resource_name Resource_type L
imit
Join the views DBA_USERS and DBA_PROFILES To
display the resource limits
101Oracle's built-in toolsPASSWORD MANAGEMENT
PARAMETER DESCRIPTION FAILED_LOGIN_ATTEMPTS Nu
mber of failed login attempts before
lockout PASSWORD_LOCK_TIME Number of days
password will remain locked upon password
expiring PASSWORD_LIFE_TIME Lifetime of
password measured in days PASSWORD_GRACE_TIM
E Grace period in days for changing the
password, after it has expired
102Oracle's built-in toolsPASSWORD MANAGEMENT
PARAMETER DESCRIPTION PASSWORD_REUSE_TIME Numb
er of days before a password can be
reused PASSWORD_REUSE_MAX Maximum number of
times a password can be reused PASSWORD_VERI
FY_FUNCTION PL/SQL package that makes a
complexity check before a password is
assigned Note The script utlpwdmg.sql must
be run in the SYS schema to enable
103Oracle's built-in toolsPASSWORD MANAGEMENT
- VERIFY_FUNCTION
- Minimum length of four characters
- Password not equal to user name
- Password must have at least one alpha,
numeric,special character - Password must differ from the last password by
three characters
104Oracle's built-in toolsPASSWORD MANAGEMENT
CREATE PROFILE passwd_mgt FAILED_LOGIN_ATTEMPTS
3 PASSWORD_LIFE_TIME 30 PASSWORD_REUSE_TIME
30 PASSWORD_VERIFIY_FUNCTION verify_function PA
SSWORD_GRACE_TIME 5
105Oracle's built-in toolsDisplaying PROFILES
information
DBA_PROFILES Profile Resource_name Resource_type
PASSWORD limit
106Auditing the Database
- Audit a specific user
- Audit for a specific statement
- Audit for a specific statement on a schema user
- Audit to know what happens on your database
- Audit failed logon attempts
- Audit to know who changed what and when
107Auditing the Database
- Audit by session or access
- Audit by successful or not successful status
- Audit with discretion
- Audit actions
- Alter, audit,comment,create,delete,execute,
grant,index,insert,lock,read,reference,rename,sele
ct,update,write
108Auditing the Databasesyntax
- AUDIT statementsystem_priv
- BY user
- BY SESSIONACCESS
- WHENEVER NOT SUCCESSFUL
- NOTE
- BY SESSION will create only one audit record
- Per session
- BY ACCESS will create a record for each auditable
activity
109Auditing the Database(cont)
- Audit to know what happens on your database
- High level of unsuccessful logins
- Audit through the middle tier
- Audit the user statement
- Audit the audit table
110Auditing the Database connect internal (Oracle8i)
- NT Systems On NT Systems you can see auditing
for INTERNAL in the event viewer. The INTERNAL
connections are written to the operating system
audit trail . - Unix Systems On Unix Systems the INTERNAL
connections are logged to special log files
stored in the Oracle_HOME/rdbms/audit directory.
111Auditing the Database SYSDBA/SYSOPER
- Initialization parameter
- AUDIT_SYS_OPERATIONSTRUE
- Will write all activities to an O/S audit log
112Auditing the Database(cont)
- TIPS on auditing
- Run reports on a daily basis
- Truncate the audit table on a daily basis
- Use whenever not successful option (whenever you
can) - Use the by session clause
- Auditing is now optimized (statements are parsed
once for execution and audit - Set default audit options
- May need to create an alarm facility
113Auditing the Database(cont)
- TIPS on auditing
- Oracle preserves the identify of the user on the
middle tier and can capture the user id of who
logged into the database via the TP monitor - This means that oracle can audit the true user
who initiated the transaction and the user who
logged into the database (TP monitor) - Protect the audit trail
- AUDIT delete ON sys.aud BY ACCESS
- Only the DBA or SECURITY personnel should
- Have the DELETE_CATALOG_ROLE
114Auditing the DatabaseViews to the AUDIT Table
- ALL_DEF_AUDIT_OPTS
- AUDIT_ACTIONS
- DBA_AUDIT_EXISTS
- DBA_AUDIT_OBJECT
- DBA_AUDIT_SESSION
- DBA_AUDIT_STATEMENT
- DBA_AUDIT_TRAIL
- DBA_OBJ_AUDIT_OPTS
- DBA_PRIV_AUDIT_OPTS
- DBA_STMT_AUDIT_OPTS
115Audit/Security Approach
- Account Security
- Object Privileges
- System Level Roles and Privileges
116 Audit/Security Approach
- Create User
- Username
- Password
- Default Tablespace
- Temporary Tablespace
- Quota (on Tablespaces)
- Profile
- Assigns a profile to the user, if none is
specified, then the default profile is used.
Profiles are used to restrict the usage of system
resources and to enforce password management
rules. The default is set to UNLIMITED resource
consumption
117Audit/Security Approach
- System Level Privileges
- ANY and PUBLIC are not synonymous. A PUBLIC
object is accessible to all users in a database
all other objects are privately owned. The ANY
option allows you to create private objects in
other users schemas - There are eight system level roles provided with
Oracle - Connect
EXP_FULL_DATABASE - Resource
Select_Catalog_Role - DBA
Execute_Catalog_Role - IMP_FULL_DATABASE Delete_Catalog_Role
118 Audit/Security Approach
- User Profile
- SESSION_PER_USER
- CPU_PER_SESSION
- CPU_PER_CALL
- CONNECT_TIME
- IDLE_TIME
- LOGICAL_READS_PER_SESSION
- LOGICAL_READS_PER_CALL
- PRIVATE_SGA
- COMPOSITE_LIMIT
- FAILED_LOGIN_ATTEMPTS
- PASSWORD_LIFE_TIME
- PASSWORD_REUSE_TIME
- PASSWORD_REUSE_MAX
- PASSWORD_LOCK-TIME
- PASSWORD_GRACE_TIME
- PASSWORD_VERIFY_FUNCTION
119 Audit/Security Approach
- Object Level Privileges
- Grants
- Grant with grant option
- Privileges
- SELECT
- INSERT
- UPDATE
- DELETE
- ALTER
- INDEX
- REFERENCES
- EXECUTE
- READ
120 Audit/Security Approach
- Dictionary Views
- DBA_ROLES Names of
roles and their password status - DBA_ROLE_PRIVS Users who have
been granted roles - DBA_SYS_PRIVS Users who have
been granted system privileges - DBA_TAB_PRIVS Users who have
been granted privileges on tables - DBA_COL_PRIVS Users who have
been granted privileges on columns - ROLE_ROLE_PRIVS Roles that have
been granted to other roles - ROLE_SYS_PRIVS System privileges
that have been granted to roles - ROLE_TAB_PRIVS Table privileges
that have been granted to roles
121Audit/Security Approach
- Password Security During Logins
- When you connect to a database server from a
client machine, or from one database to another
via a database link, Oracle transmits the
password you enter in an unencrypted format
unless you specify otherwise. As of Oracle8, you
can set parameters that forces Oracle to encrypt
the password values prior to transmitting them. - To enable password encryption, set the following
parameters - On the client set the ORA_ENCRYPT_LOGIN
parameter in your sqlnet.ora file to TRUE - On the server set the DBLINK_ENCRYPT_LOGIN
parameter in your init.ora file to TRUE - Shut down and restart the database
122 Audit/Security Approach
- Password
- Password specified for a user account or a role
are stored in an encrypted version in the data
dictionary - Setting the same password for two different
accounts will result in different encryption - For all passwords, the encrypted value is 16
characters long and contains numbers and capital
letters. - When a password is entered during a user
validation, that password is encrypted, and the
encryption that is generated is compared to the
one in the data dictionary for that account, if
they match, then the password is correct and the
authorization succeeds.
123 Audit/Security Approach
- Passwords
- Knowing how the database stores passwords is
important because it adds new options to account
security. - To query the Username and Password fields from
DBA_USERS - select
- Username, /Username/
- Password /Encrypted password/
- from DBA_USERS
- where Username is (Lyons)
124 Audit/Security Approach
- Becoming Another User
- Since the encrypted password can be set, you can
temporarily take over any account and then set it
back to its original password without ever
knowing the accounts password. This capability
allows you to become another user - Query DBA_USERS to determine the current
encrypted password to the account - Generate the alter user command that will be
needed to reset the encrypted password to its
current value after you are done - Spool the alter user command to a file
- Change the users password
- Access the users account
- Run the file containing the alter user command to
reset the users encrypted password to its
original value.
125Database
- Determine Permission Levels
- Do not give direct table level permissions to an
end user - No - Select (Query from Hell), Update, Insert,
Delete - Instead, use stored procedures
- Better yet, do not let user know how to sign on
to the database application - Authenticate the user and then supply a new
password that they do not even know about. In
this way the user must first authenticate to the
application and cannot go around this
authentication process to access the database
126Privileges and Roles
- Access to an object owned by another account
- Privilege must have been granted
- Privileges such as insert, select, update, and
delete - Privileges can be granted to users, groups,
roles, or to Public - Roles are groups of privileges
- Use roles to grant system level privileges such
as create table
127Role Definitions
- System Level Roles
- Connect
- Resource
- DBA
- User Defined System Level Roles
128 Role Definitions
- Connect Role
- Gives users privileges beyond just creating
sessions in the database. In addition to the
Create Session system privilege, the Connect role
gives the users the following system privileges - Alter Session
- Create Cluster
- Create Database Link
- Create Sequence
- Create Synonym
- Create Table
- Create View
129 Role Definitions
- Resource Role
- The resource role has the following system
privileges - Create Cluster
- Create Index
- Create Procedure
- Create Sequence
- Create Table
- Create Trigger
- Create Type
130 Role Definitions
- DBA Role
- The DBA role has all system privileges with admin
option, which means that the DBA can grant the
system privileges to any other user
131Auditing
- The database has the ability to audit all actions
that take place within it. Audit records may be
written to either the SYS.AUD or the operating
systems audit trail. The ability to use the
operating systems audit trail is operating
system-dependent - Three different types of actions may be audited
- Login attempts, Object accesses and Database
actions - The databases default functionality is to record
both successful and unsuccessful commands - To enable auditing in a database, the init.ora
file for the database must contain an entry for
the AUDIT_TRAIL parameter.
132Auditing
- The AUDIT_TRAIL values are
- NONE - Disable auditing
- DB - Enables auditing, writing to the
SYS.AUD table - OS - Enables auditing, writing to the
operating systems audit trails
133Auditing
- Audit command
- Can be issued regardless of the setting of the
AUDIT_TRAIL parameter. They will not be
activated unless the database is started using an
init.ora AUDIT_TRAIL value that enables auditing - If you elect to store the audit records in the
SYS.AUD table, then that tables records should
be periodically archived and the table should
then be truncated. Since it is the data
dictionary, this table is in the SYSTEM
tablespace and may cause space problems if its
records are not periodically cleaned out. You
can grant DELETE_CATLOG_ROLE to a user to give
the user the ability to delete from the SYS.AUD
table. - Every attempt to connect to the database can be
audited. The command to begin auditing of login
attempts is - audit session
- audit session whenever successful
- audit session whenever not successful
134 - Establish minimum audit standards
- Login/Logoffs
- Adding of New Users
- Adding Users to Groups
- All Grants and Revokes
- Remember that auditing takes up much storage and
processing time
135Trace Files
- Each of the background processes running in an
instance has a trace file associated with it. - The trace file will contain information about
significant events encountered by the background
process - In addition, Oracle maintains a file called the
alert log - The alert log records the commands and command
results of major events. This includes,
tablespace creations, redo log switches, recovery
operations, and database startups
136Alert Log
- The alert log is a vital source of information
for day-to-day operations - Trace files are most useful when attempting to
discover the cause of a major failure.
137Database Constraints
- A table can have constraints placed upon it
- A constraint is applied to a table and every row
in the table must satisfy the conditions
specified in the constraint definition
138Database
- DBMS Journal Redo Logs
- SVRMGR program for Database Administration tasks
- Performs backup of the redo logs
- SQL COMMIT statements
- Used by application programs
- Backup is on-line
139Backup/Recovery
- Backup and Recovery Options
- Export/Import
- Offline Backups
- Online Backups
140Users
- A user account is not a physical structure in the
database - Users own the database objects
- The user SYS owns the data dictionary tables
- The user SYSTEM owns views that access the data
dictionary tables for use by the rest of the
users in the database
141Users
- User accounts can be connected to an operating
system - This allows the user to enter only one password
to obtain access to the operating system and the
database
142Database
- Responsibility for the Security Officer
- Should Perform
- All Grants and Revokes
- Review Security and Audit Logs
- Maintain a copy of Audit Logs for the Auditors
143Exposures
- Clear text transmission over the network
- Connect ID and Access ID for application
- Direct connection to the database from the desktop
144Securing the SQL Plus Tool
- PRODUCT_PROFILE table to provide product-level
-
- Security for oracle products and augment
user-level Security -
- With this table, you can enforce security on a
per-user basis and restrict certain SQL and
SQLplus commands.
145Securing the SQL Plus Tool
- SQLplus commands
- EDIT EXECUTE EXIT GET HOST (or your operating
systems alias for HOST, such as on VMS and !
on UNIX) - QUIT RUN SAVE SET (Spool start
-
- SQL commands
- Alter analyze audit connect create delete
- Drop grant insert lock NOAUDIT rename revoke
- Select set role set transaction truncate update
-
146Securing the SQL Plus ToolRecommended commands
to restrict
- Commands reason
-
- HOST allows user access to a operating-system
prompt -
- SET ROLE allows a user to set a new security
role -
- GRANT allows a user to grant privileges
-
- NOAUDIT allows a user to turn off auditing
-
- You should restrict access to the PRODUCT_PROFILE
147Oracle Security Checklist
- Revoke unnecessary privileges from PUBLIC ROLE
- Revoke all unnecessary privileges and roles from
the database server - PUBLIC is the default role granted to every user
- Privileges include EXECUTE on various powerful
packages that may potentially be misused include - UTL_SMTP
- This package permits arbitrary mail messages to
be sent from one arbitrary user to another
arbitrary user.
148Oracle Security Checklist
- Revoke unnecessary privileges from PUBLIC ROLE
- UTL_TCP
- This package permits outgoing network connections
to be established by the database server to any
receiving (or waiting) network service. - UTL_HTTP
- This package allows the database server to
request and retrieve data via HTTP. Granting this
package to PUBLIC may permit data to be sent via
HTML forms to a malicious web site.
149Oracle Security Checklist
- Revoke unnecessary privileges from PUBLIC ROLE
- UTL_FILE
- If configured improperly, this package allows
text level access to any file on the host
operating system. Even when properly configured,
this package does not distinguish between its
calling applications with the result that one
application with access to UTL_FILE may write
arbitrary data into the same location that is
written to by another application.
150Oracle Security Checklist
- Revoke unnecessary privileges from PUBLIC ROLE
- DBMS_RANDOM
- Is used to encrypt stored data.
- encrypted data may be non-recoverable if the keys
are not securely generated - Do not assign all permissions to any database
server run-time facility - Oracle Java Virtual Machine (OJVM)
- Grant specific permissions to the explicit
document root file paths for such facilities that
may execute files and packages outside the
database server. - call dbms_java.grant_permission('SCOTT',
'SYSjava.io.FilePermission','ltltALL
FILESgtgt','read')
151Oracle Security Checklist
- Authenticate clients properly
- Remote authentication is a security feature
provided by Oracle9i such that if turned on
(TRUE), it defers authentication of users to the
remote client connecting to an Oracle database. - configuration parameter in the following manner
REMOTE_OS_AUTHENT FALSE will be more secure - RESTRICT NETWORK ACCESS
- Utilize a firewall
- Keep the database server behind a firewall.
Oracle9i s network infrastructure, Oracle Net
(formerly known as Net8 and - SQLNet), offers support for a variety of
firewalls from various vendors. Supported
proxy-enabled firewalls
152Oracle Tools
- Virtual Private Database/label security
- Attach security policies at the Table or View
level, allows for easy integration to existing
systems. - One to many policies per Table.
- Different policies for different type of accesses
(SELECT,UPDATE..).
153Oracle Security Checklist
- Virtual Private Database using application
contexts. - User-definable can allow security based on
categories (Employee number, Cost Center). These
contexts are used in the security policy
function. - Access to session primitives (information about a
user session) using USERENV application context
154Oracle Tools
- Oracle Enterprise Manger
- Security Manager
- Application Security, Inc
- http//www.appsecinc.com/products/
- APPLICATION VULNERABILITY ASSESSMENT
- AppDetective Network-based vulnerability
assessment tool that rates the security strength
of applications within your network. Armed with a
revolutionary security methodology together with
an extensive knowledgebase of application
vulnerabilities, AppDetective will locate,
examine, report, and help fix your security holes
and miss-configurations at your command.
155Oracle Tools
- DATABASE ENCRYPTION
- DbEncrypt Easy-to-use, affordable, and
effective security solution for encrypting column
and row data within the database. Provided with
DbEncrypt are encryption algorithms, templates,
and an intuitive point-and-click interface. - APPLICATION INTRUSION DETECTION
- AppRadar Intrusion detection solution strictly
for application-specific attacks and malicious
behavior. As a complementary solution to existing
intrusion detection systems, AppRadar empowers
organizations with a real-time security solution
able to thwart attacks and malicious behavior
against all of your mission-critical enterprise
applications.
156Oracle Security checklist
- Important web sites
- http//otn.oracle.com/deploy/security/alerts.htm
- http//technet.oracle.com/deploy/security/alerts.h
tm - http//www.nessus.org/
- http//www.insecure.org/
- http//www.atstake.com/research/
- http//www.securityfocus.com/
157Summary
- Oracle was built to be secure
- Audit at the database, network, and server level
- Takes time and is complex
- Limited tools available
- Requires outages for patches
158Checklist Predefined Users
- USERNAME ACCOUNT_STATUS
- JONES EXPIRED LOCKED
- LBACSYS EXPIRED LOCKED
- MDSYS EXPIRED LOCKED
- OE EXPIRED LOCKED
159Checklist Predefined Users
- USERNAME ACCOUNT_STATUS
- OLAPDBA EXPIRED LOCKED
- OLAPSVR EXPIRED LOCKED
- OLAPSYS EXPIRED LOCKED
- ORDPLUGINS EXPIRED LOCKED
- ORDSYS EXPIRED LOCKED
- OSEHTTPADMIN OPEN
- OUTLN OPEN
160Checklist Predefined Users
- USERNAME ACCOUNT_STATUS
- PM EXPIRED LOCKED
- QS EXPIRED LOCKED
- QS_ADM EXPIRED LOCKED
- QS_CB EXPIRED LOCKED
- QS_CBADM EXPIRED LOCKED
- QS_CS EXPIRED LOCKED
- QS_ES EXPIRED LOCKED
- QS_OS EXPIRED LOCKED
- QS_WS EXPIRED LOCKED
- SCOTT OPEN
- SH EXPIRED LOCKED
- SYS OPEN
- SYSTEM OPEN
161Checklist Predefined Users
- USERNAME ACCOUNT_STATUS
- ADAMS EXPIRED LOCKED
- AURORAJISUTILITY OPEN
- AURORAORBUNAUTHENTICATED OPEN
- BLAKE EXPIRED LOCKED
- CLARK EXPIRED LOCKED
- CTXSYS EXPIRED LOCKED
- DBSNMP OPEN
- HR EXPIRED LOCKED
-