2 Agenda l Database Overview l Oracle Audit/Security/Control.

2 2 Agenda l Database Overview l Oracle Audit/Security/Control

3 3 Objectives l Your objectives l Magic Disk – Database Control Objectives – Frank W. Lyons – –

4 4 Terminology l Database – A set of data l Tablespaces – Logical division of a database l Files – datafile l Instances – Also known as a server l Table, columns and datatypes

5 5 Columns l The characteristics of a column are made up of two parts: its datatype and its length. l For columns using the NUMBER datatype, the additional characteristics of precision and scale can be specified. Precision determines the number of significant digits and Scale determines the placement of the decimal point

6 6 l Structure Query Language (SQL) Data Definition Language –DDL »Create, Drop, Alter Data Manipulation Language –DML »Select, Insert, Update, Delete Data Control Language –DCL »Grant, Revoke The Database Language

7 7 l Obtain the Data Structure Diagram Customer Table Warehouse Table Order Table The data structure diagram provides all the tables and columns Database Structure

8 8 Tables l Tables owned by the user SYS are called the data dictionary tables l Dictionary tables provide a system catalog that the database uses to manage itself l The database maintains the relationships between tables by using referential integrity

9 9 Database Structure l Object Dependencies (diagram): Database – Tablespace – Table – Index, Synonym, View – Synonym l This is the file name under the operating system

10 10 Databases l A database is a set of data. l Oracle provides the ability to store and access data in a manner consistent with a defined model known as the Relational Model.

11 11 Tablespaces l A tablespace is a logical division of a database l Each tablespace is constituted of one or more files, called datafiles, on a disk. A datafile can belong to one and only one tablespace

12 12 l To prevent users from creating objects in the SYSTEM tablespace, any quotas on SYSTEM, which could give a user the ability to create objects in the SYSTEM tablespace, must be revoked: – alter user Frank quota 0 on SYSTEM l When you create a new user via the create user command, you can specify a default tablespace: – create user Frank identified by excellence – default tablespace Human_Resources Tablespaces

13 13 Tablespaces l SYSTEM – Data dictionary l DATA – Standard-operation tables l DATA_2 – Static tables used during standard operation l INDEXES – Indexes for the standard-operation tables l INDEXES_2 – Indexes for the static tables l RBS – Standard-operation rollback segment l RBS_2 – Specialty rollback segments used for data loads l TEMP – Standard-operation temporary segments l TEMP_USER – Temporary segments created by a user l TOOLS – RDBMS tools tables l TOOLS_1 – Indexes for RDBMS tools tables l USERS – User objects, in development databases

14 14 Instance l In order to access the data in the database, Oracle uses a set of background processes that are shared by all users. l A database instance (also known as a server) is a set of memory structures and background processes that access a set of database files.

15 15 Views l A view appears to be a table containing columns and is queried in the same manner that a table is queried l Views do not use physical storage to store data l Views cannot be indexed.

16 16 Typical Authentication Pyramid Application Logon Reporting Tool Database Data Accountability lessens as you move down the pyramid

17 17 Where Are the Application Controls? l Direct access usually by-passes application controls – User profiling is normally only used within the application – Views of reporting data could be incorporated – Summarized data could be used to reduce sensitivity

18 18 Relational Data Storage Employee Table

19 19 Views Based on User Profile View of the Commercial Division Security is based on data value

20 20 Reduced Data Sensitivity Employee Locator View Security is based on columns selected

21 21 Summarized Views View Summarized by Division

22 22 Access Type Difference l IDs and Passwords l User Profiles l Accountability and auditability

23 23 Data Access l Application interfaces l Reporting Tools l Direct access

24 24 ID and Password Controls l Where is the ID and Password Stored for verification? l How is the password stored? l Is the same user ID used for multiple applications? l Is the password stored in multiple locations?

25 25 User Profiles l Profiles allow access according to job responsibilities – Division – Position – Security Clearance

26 26 User Profiles Controls l Who creates and modifies the user profile? l What audit trails are in place for profile changes? l What approvals are required for changes to the user profile? l What is the notification process for job responsibility changes?

27 27 Accountability and Auditability l Is the user id translated to a high powered id during application access to the data? l Does the application record read access? l When data is inserted, modified, or deleted is the change logged? – If there is a log who is reviewing the log?

28 28 ID Translation l Used to prevent users from accessing data directly l Prevents authentication by the database management system l Creates tuning and monitoring challenges

29 29 Reporting Tools and Direct Access l Ad-hoc reporting – User flexibility – Less labor to support user reporting requirements – Checks and balances to ensure information accuracy

30 30 Separate Reporting Database On-line Database Reporting Database Synchronization can be done real time or on intervals

31 31 Advantages of Separate Reporting Databases l Design for reporting efficiencies l On-line environment not impacted by the reporting workload l Data can be summarized to reduce data sensitivity l Multiple reporting databases can be defined to limit access to sensitive information

32 32 Disadvantages of Separate Reporting Databases l Extra storage and processor resources are required l Extra labor resources are required to support the replication process l Special controls are needed for direct access authority l Read activity needs to be logged for auditability

33 33 Reporting Tools Reporting Database Reporting Tool View of Data Reporting tools can limit access by column, data value, or through summarization.

34 34 Web Access l Reporting Tools can push static or dynamic information l Design should balance performance differences with flexibility l Security at the data level needs to be well understood so that access is based on data sensitivity and job responsibilities

35 35 Application Recovery l Code is normally static l Code changes should be installed on well defined intervals l Recovery usually requires reboot of application server l Corrupted application files can be restored from the last copy

36 36 Database Recovery l Data is a constantly changing resource l Rebooting the database server causes the database system to recover any in-flight units of work l Restoring data from backup requires the database logs to be applied to the data in order to restore data consistency

37 37 Database Logs Data Identification (Record Header) Before Image of Data After Image of Data

38 38 Log Contains All Data Modifications Database Log Database User Activity

39 39 Backout Due to Abort or Abend Database Log Database User Activity Aborted Unit of Work Log Records are read to backout the changes to the data

40 40 Protecting Database Log l Critical Recovery Resource l Contains Sensitive Information l Needed for on-site and off-site recovery l Log shipping often done for off-site recovery

41 41 Log Shipping Database Log Database On-site Database Log Copy Off-site

42 42 Criteria for Server Selection in the Database Environment l Stability l Security l Recoverability l Performance

43 43 Key Points l Application access controls are by-passed through most reporting interfaces l Security design MUST be centered on the data and incorporated in each interface l Data and application recovery have key differences and need special considerations

44 44 Key Points l Security should be designed around the DATA l All interface points must be reviewed l Data recoverability needs differ between application and data l Database logs contain sensitive information

45 Oracle

46 46 Identify Risks l Default Users l Operating System configuration l Database server configuration l Listener process l Privileges l Database links l Patches

47 47 Init.ora l Database startup file l This file is read during instance startup and may be modified by the DBA. Any modifications to this file will not take effect until the next startup that uses this file

48 48 l In the default directory configuration, the init.ora file is stored in a directory named – /orasw/app/oracle/admin/instance_name/pfile l The init.ora file does not list the names of the datafiles or online redo log files for the database as these are stored in the data dictionary. l Init.ora does list the names of the control files for the database Init.ora

49 49 Config.ora l A second configuration file is typically used to store the settings of variables that do not change after database creation l Such as the database block size l In order for the config.ora settings to be used, the file must be listed as an include file via the IFILE parameter in the instance's init.ora file

50 50 Procedures l A procedure is a block of PL/SQL statements that is stored in the data dictionary and is called by applications l Stored procedures help to enforce data security

51 51 Functions l Functions, like procedures, are blocks of code that are stored in the database. l Functions are capable of returning values to the calling program

52 52 Packages l Packages are used to arrange procedures and functions into logical groupings l Packages have public and private elements l Private elements may include procedures called by other procedures within the package l Source code for the functions, procedures, and packages is stored in the data dictionary tables

53 53 Triggers l Triggers are procedures that are executed when a specified database event takes place against a specified table l Used as part of referential integrity l Used to enforce additional security l Used to enhance the available auditing options

54 54 l Two types of triggers – Statement triggers Fire once for each triggering statement – Row triggers Fire once for each row in a table affected by the statement l For each type a BEFORE trigger and AFTER trigger can be created l Triggering events include inserts, updates, and deletes Triggers
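The statement/row trigger distinction above, worked as an added example that is not from the original presentation: a row trigger captures the before and after image of a salary change into an audit table (the "enhance the available auditing options" use), and a statement trigger refuses changes outside business hours (the "enforce additional security" use). The HR.EMPLOYEE table with its EMP_ID and SALARY columns, the HR.EMPLOYEE_AUDIT table, its sequence and the AUDIT_READER role are assumed names.

```sql
-- Added example (not from the original presentation). Names in the HR schema are assumed.

CREATE SEQUENCE hr.employee_audit_seq;

CREATE TABLE hr.employee_audit (
    audit_id    NUMBER        PRIMARY KEY,
    emp_id      NUMBER        NOT NULL,
    old_salary  NUMBER,                        -- before image (NULL on INSERT)
    new_salary  NUMBER,                        -- after image  (NULL on DELETE)
    operation   VARCHAR2(6)   NOT NULL,        -- INSERT, UPDATE or DELETE
    changed_by  VARCHAR2(30)  NOT NULL,        -- database user making the change
    os_user     VARCHAR2(64),                  -- client O/S user, as reported by the session
    changed_at  DATE          DEFAULT SYSDATE NOT NULL
);

-- Row trigger: fires once per affected row, so :OLD and :NEW are available.
CREATE OR REPLACE TRIGGER hr.trg_employee_salary_audit
AFTER INSERT OR UPDATE OF salary OR DELETE ON hr.employee
FOR EACH ROW
DECLARE
    v_op VARCHAR2(6);
BEGIN
    IF INSERTING THEN
        v_op := 'INSERT';
    ELSIF UPDATING THEN
        v_op := 'UPDATE';
    ELSE
        v_op := 'DELETE';
    END IF;

    INSERT INTO hr.employee_audit
        (audit_id, emp_id, old_salary, new_salary, operation, changed_by, os_user)
    VALUES
        (hr.employee_audit_seq.NEXTVAL,
         NVL(:NEW.emp_id, :OLD.emp_id),      -- :NEW is empty on DELETE, :OLD on INSERT
         :OLD.salary,
         :NEW.salary,
         v_op,
         SYS_CONTEXT('USERENV', 'SESSION_USER'),
         SYS_CONTEXT('USERENV', 'OS_USER'));
END;
/

-- Statement trigger: fires once per statement regardless of how many rows it
-- touches, which is enough to block a whole bulk change outside business hours.
CREATE OR REPLACE TRIGGER hr.trg_employee_business_hours
BEFORE UPDATE OR DELETE ON hr.employee
BEGIN
    IF TO_NUMBER(TO_CHAR(SYSDATE, 'HH24')) NOT BETWEEN 8 AND 18 THEN
        RAISE_APPLICATION_ERROR(-20001,
            'changes to HR.EMPLOYEE are allowed between 08:00 and 18:59 only');
    END IF;
END;
/

-- The audit table is itself sensitive: readers get SELECT only, and nobody
-- but the owner can insert, update or delete.
GRANT SELECT ON hr.employee_audit TO audit_reader;
```

The row trigger fires AFTER the change so that a failed constraint does not leave an orphan audit row; the statement trigger fires BEFORE so that the statement is rejected without doing any work. Because the audit row is written in the same transaction as the change, a rollback of the change also removes its audit row, which is why the slides later recommend the database audit trail (AUDIT ... BY ACCESS) for tamper-evident records.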

55 55 Synonyms l To completely identify a database object such as a table or a view, the host machine name, the server instance name, the object's owner, and the object's name must be specified l Synonyms reduce this effort l Public synonyms are shared by all users l Synonyms can provide pointers for tables, views, procedures, functions, packages, and sequences

56 56 Database Life Cycles l Planning l Creating l Monitoring l Tuning l Securing l Auditing

57 57 Operating system configuration Use file system security to protect the DBMS software and data files (Only allow the Oracle user and Oracle group access to the files) Turn off all operating system functionality/services that are not required by the DATABASE SERVER (mail,ftp,telnet) Turn on O/S level auditing and review the audit log daily Secure the backup of the database Audit regularly

58 58 Database System Configuration Remove non-essential users and enforce password management (see appendix) Change the default passwords on accounts Do not allow development in a production database/server Secure the development database (may contain production data) Keep the software up to date and patched

59 59 Database System Configuration Oracle Database - Physical Structures When a backup of a database occurs, the backup software is making copies of the physical structures of an Oracle instance. Physical Structures stored in the operating system Control File Online Redo Log Data File INIT.ORA SPFILE (Oracle9i) ORACLE_HOME (Oracle software) Backup destination

60 60 Database System Configuration Oracle Database/Physical Structures Control File Contains information about the instance and all of its external files. Used by Oracle to know if a data file needs recovery. Audit view: V$CONTROLFILE Online Redo Log Keeps track of all the transactional activity that makes changes to the database. Audit view: V$LOGFILE

61 61 Database System Configuration Oracle Database/Physical Structures Data File Associated with a single tablespace. Oracle server creates a data file for a tablespace by allocating the specified amount of disk storage + a small overhead. Can contain data segment (table), index segment (primary keys, unique constraints or tuning indexes), rollback and temporary segments. Audit view DBA_DATA_FILES INIT.ORA Used by the Oracle instance to configure how much of the OS resources will be used by the instance. Parameters can be placed here for optional processes Audit view V$PARAMETER

62 62 Database System Configuration Oracle Database/Physical Structures
l Data File – Audit view DBA_DATA_FILES
SQL> select file_name from dba_data_files order by file_name;
l Control File – Audit view: V$CONTROLFILE
SQL> select * from v$controlfile;
l Online Redo Log – Audit view: V$LOGFILE
SQL> select * from v$logfile order by group#;

63 63 Database System Configuration Oracle Database/Physical Structures
l INIT.ORA – Audit view V$PARAMETER
SQL> select name, value from v$parameter;
l License/version – Audit view V$VERSION
SQL> select * from v$version;

64 64 Privileges l A third-party application owner will typically have the DBA role granted to them l This is needed for installs/upgrades of software, but typically can be removed for day-to-day activities l The SELECT ANY TABLE privilege should not be granted to any end user

65 65 Privileges SELECT ANY TABLE privilege gives users the ability to select from ANY table –including SYS.USER$ and SYS.LINK$ –These tables will show passwords

66 66 Privileges Audit Checklist
SQL> select privilege privilege_granted, grantee, admin_option
       from sys.dba_sys_privs
      where not exists (select 'x' from sys.dba_users where username = grantee)
      order by privilege_granted, admin_option;


68 68 Database Link Used to connect one database to another The Database link contains: USER ACCOUNT TO CONNECT TO THE TARGET DATABASE LOCAL USERNAME AND PASSWORD (HARD CODED) or pass through authentication CONNECT STRING (Oracle / SQLNET/ NET8) Audit view: dba_db_links
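The privilege audit checklist and the database-link review above, carried further as an added example that is not from the original presentation. All views are standard Oracle data dictionary views; the slides' own query is the first one, reformatted, and the others extend it to the specific risks the slides name (DBA role left on application owners, SELECT ANY TABLE on end users, links with stored credentials, dictionary access through ANY privileges).

```sql
-- Added example (not from the original presentation).

-- 1. The slides' query: system privileges granted to something other than a
--    user, i.e. to roles (and PUBLIC), where they are easy to overlook.
SELECT privilege AS privilege_granted, grantee, admin_option
  FROM sys.dba_sys_privs p
 WHERE NOT EXISTS (SELECT 'x' FROM sys.dba_users u WHERE u.username = p.grantee)
 ORDER BY privilege_granted, admin_option;

-- 2. Holders of "ANY" privileges and of a few account-administration
--    privileges. Every end-user account listed here needs a justification.
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege LIKE '%ANY%'
    OR privilege IN ('ALTER USER', 'ALTER SYSTEM', 'BECOME USER')
 ORDER BY grantee, privilege;

-- 3. Accounts holding the DBA role (the slides: needed for installs and
--    upgrades, usually removable for day-to-day work).
SELECT grantee, admin_option, default_role
  FROM dba_role_privs
 WHERE granted_role = 'DBA'
 ORDER BY grantee;

-- 4. Application objects exposed to every user through PUBLIC.
SELECT owner, table_name, privilege, grantable
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND owner NOT IN ('SYS', 'SYSTEM')
 ORDER BY owner, table_name;

-- 5. Database links. A link with a stored USERNAME carries fixed credentials
--    for the target database; a PUBLIC link hands those credentials to everyone.
SELECT owner, db_link, username, host, created,
       CASE WHEN username IS NULL THEN 'current user / pass-through'
            ELSE 'fixed credentials stored'
       END AS credential_type
  FROM dba_db_links
 ORDER BY CASE WHEN owner = 'PUBLIC' THEN 0 ELSE 1 END, owner, db_link;

-- 6. Dictionary protection: FALSE means ANY privileges stop at the SYS schema
--    (parameter names are stored in lower case in V$PARAMETER).
SELECT name, value
  FROM v$parameter
 WHERE name = 'o7_dictionary_accessibility';
```

Run the set as a user with SELECT_CATALOG_ROLE and keep the output with the audit working papers; the useful finding is the difference between two runs, so the first run establishes the baseline.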

69 69 Oracle NET / NET8 /SQL*NET LISTENER Configuration 1 listener.ora Client Server Listener On port sqlplus User DB1 tnsnames.ora/sqlnet.ora Server

70 70 Oracle NET / NET8 /SQL*Net LISTENER Oracle NET enables communications between partners in a distributed transaction Applies to client/server or server/server environment. During the life of a connection, resolves all differences between the internal data representations and/or character sets of the computer. Net8 has been renamed to Oracle NET for 9i

71 71 Harden the Listener Process l The configuration file for the listener is LISTENER.ORA. l LISTENER.ORA resides on the server and defines: – Listener name; a database can have multiple listeners – The network listener address – The SID of the database for which it listens – Parameters that influence the network listener's behavior, including tracing, timeout, logging and password

72 72 Harden the Listener Process Prevent unauthorized administration of the Oracle Listener by: ADMIN_RESTRICTIONS_listener_name=ON Use a password on all listeners At the lsnrctl prompt enter change_password

73 73 Oracle NET / Net8 /SQL*NET Configuration Oracle Names Network service that provides centralized name resolution to Oracle clients and servers. Consists of one or more administrative regions, each having a single installation of the Oracle Network Manager tool. Oracle Network Manager enables the administrator to administer the following in its administrative region… All database listeners Global database links Clients, interchanges and Names Servers.

74 74 Oracle NET/ NET8 / SQL*Net Configuration Oracle Names (continued) l Clients do not need a TNSNAMES.ORA file if an Oracle Names Server is used. l If a TNSNAMES.ORA file is created, the client may use it to resolve the service name before resolving it through the Names Server. l Clients have a SQLNET.ORA file that identifies the Oracle Names Server. This file can reference a file on a server so that it doesn't have to change if the Names Server changes.

75 75 Oracle NET / NET8 /SQL*NET Configuration Server Names Server Client

76 76 Oracle NET/ NET8 /SQL*Net Audit checklist l Is the listener password protected? l Is ADMIN_RESTRICTIONS turned on? l Is a protocol.ora in place for node checking? l How is tnsnames protected? l If ONAMES is used, this adds an additional server to be audited

77 77 Oracle listener Audit checklist Set up the listener with password Set up a strong password Protect the listener.ora file (this is where the password is kept)

78 78 Patches Audit checklist l Verify patches using the V$VERSION view l Keep informed on the latest security patches l Have a policy on how quickly a critical security patch should be applied l Oracle rates the severity of patches; one is the most severe

79 79 Patches – Alerts (subscribe to security alerts)
l Alert #57, Rev 2, 07 August 2003 – Buffer Overflows in EXTPROC of Oracle Database Server
l Alert #56, Rev 1, 23 July 2003 – Buffer Overflow Vulnerability in Oracle E-Business Suite
l Alert #55, Rev 1, 23 July 2003 – Unauthorized Disclosure of Information in Oracle E-Business Suite
l Alert #54, Rev 2, 30 April 2003 – Buffer Overflow in Net Services for Oracle Database Server
l Alert #53, Rev 1, 10 April 2003 – Report Review Agent Vulnerability in Oracle E-Business Suite
l Alert #52, Rev 3, updated 03 March 2003 – Two Security Vulnerabilities in Oracle9i Application Server
l Alert #51, Rev 6, updated 18 April 2003 – Buffer Overflow in ORACLE executable of Oracle9i Database Server
l Alert #50, Rev 6, updated 18 April 2003 – Buffer Overflow in Oracle9i Database Server

80 80 Oracle's built-in tools – USERS / SCHEMAS l Security Domain – Defines the security settings that apply to the user l Authentication Mechanism – Database, Operating system, Network l Privileges – Direct / Indirect (via roles)

81 81 Oracle's built-in tools – USERS / Database SCHEMAS l Authentication Mechanism – Database: passwords are kept internally, encrypted, in a database table – Operating system: passwords are kept in the operating system

82 82 Oracle's tools to purchase l Authentication Mechanism using the Oracle Advanced Security option – Network: uses third-party network authentication services (like Kerberos and SESAME) – Token devices: one-time passwords are used to authenticate – Biometric devices: use physical features of users to authenticate l Advanced Encryption Standard (AES) – AES is a symmetric block cipher: AES-128, AES-192 and AES-256

83 83 Oracle's built-in tools USERS / Database SCHEMAS Predefined users Sys/change_on_install (super user in Oracle,schema for Oracle dictionary tables) System/manager (Owner of internal tables used by Oracle tools) Scott/tiger (created by demo files, sometimes left in production) Note: 9i passwords are custom, unless you create the Database using the Database creation assistant in batch mode Additional users defined later in the Oracle9i section

84 84 Oracle's built-in tools Password File to authenticate DBAs A password file for DBAs is optional and can be setup using the ORAPWD password utility. The password file will restrict administration privilege to only the users who know the password and have been granted a special role. The roles are SYSDBA and SYSOPER.

85 85 Oracle's built-in tools Two special roles SYSOPER/SYSDBA SYSOPER Permits you to perform STARTUP, SHUTDOWN, ALTER DATABASE OPEN/MOUNT, ALTER DATABASE BACKUP, ARCHIVE LOG, and RECOVER, and includes the RESTRICTED SESSION privilege.

86 86 Oracle's built-in tools SYSDBA Contains all system privileges with ADMIN OPTION, and the SYSOPER system privilege; CREATE DATABASE and time-based recovery. Listing Password File Members Audit view: V$PWFILE_USERS will show all users that have been granted SYSDBA and SYSOPER system privileges for a database.

87 87 Oracle's built-in tools ADMINISTERING PRIVILEGES Two types of privileges: System– Enables users to perform ADMIN type activities in the database OBJECT– Enables users to access and manipulate objects

88 88 Oracle's built-in tools SYSTEM PRIVILEGES Administering privileges l System – 80 system privileges l The ANY keyword means that the user has the privilege for any schema. l The GRANT command is used to add a privilege to a user or group of users: GRANT CREATE SESSION TO smith; GRANT CREATE SESSION TO smith WITH ADMIN OPTION; l The REVOKE command deletes the privilege: REVOKE CREATE SESSION FROM smith;

89 89 Oracle's built-in tools SYSTEM PRIVILEGES Administering privileges – Displaying System Privileges l Database level: DBA_SYS_PRIVS (Grantee, Privilege, Admin option) l Session level: SESSION_PRIVS (Privilege)

90 90 Oracle's built-in tools OBJECT PRIVILEGES (object privilege – SQL statement allowed)
l ALTER – ALTER object (table or sequence)
l DELETE – DELETE FROM object (table or view)
l EXECUTE – EXECUTE object (procedure or function); references to public package variables
l INDEX – CREATE INDEX ON object (tables only)
l INSERT – INSERT INTO object (table or view)
l REFERENCES – CREATE or ALTER TABLE statement defining a FOREIGN KEY integrity constraint on object (tables only)
l SELECT – SELECT ... FROM object (table, view, or snapshot); SQL statements using a sequence

91 91 Oracle's built-in tools DISPLAYING OBJECT PRIVILEGES l DBA_TAB_PRIVS – Grantee, Owner, Table_name, Grantor, Privilege, Grantable l DBA_COL_PRIVS – Grantee, Owner, Table_name, Column_name, Grantor, Privilege, Grantable

92 92 Oracle's built-in tools USERS / Database SCHEMAS l Restrict the reach of system privileges by setting O7_DICTIONARY_ACCESSIBILITY=FALSE l This prevents users holding ANY system privileges from executing against the SYS schema l The default is TRUE, which allows a user with an ANY privilege to execute against the SYS schema

93 93 Oracle's built-in tools Administering privileges l A role is a database entity that is a named group of privileges. It is unique within the database and not owned by a user. A role can be authenticated by a password. l Special role SELECT_CATALOG_ROLE, which enables access to the data dictionary

94 94 Oracle's built-in tools Predefined roles (role name – description)
l CONNECT, RESOURCE – Provided for backward compatibility
l DBA – All system privileges with admin option
l EXP_FULL_DATABASE – Privileges to export the DB
l IMP_FULL_DATABASE – Privileges to import the DB
l DELETE_CATALOG_ROLE – Delete privileges on the dictionary
l EXECUTE_CATALOG_ROLE – Execute privilege on the dictionary
l SELECT_CATALOG_ROLE – Select privilege on dictionary tables
l PUBLIC – Role that all users have

95 95 Oracle's built-in tools Displaying information on roles (database role view – description)
l DBA_ROLES – All roles which exist in the DB
l DBA_ROLE_PRIVS – Roles granted to users and roles
l ROLE_ROLE_PRIVS – Roles which are granted to roles
l DBA_SYS_PRIVS – System privileges granted to users and roles
l ROLE_SYS_PRIVS – System privileges granted to roles
l ROLE_TAB_PRIVS – Table privileges granted to roles
l SESSION_ROLES – Roles which the user currently has enabled

96 96 Oracle's built-in tools PROFILES used for password management A PROFILE is a named set of limits for passwords and system resources Are assigned to users Can become the default for all users Can be enabled or disabled

97 97 Oracle's built-in tools PROFILES l A PROFILE is a named set of limits for passwords and system resources: 1. CPU time 2. I/O operations 3. Idle time (inactive time, measured in minutes) 4. Connect time (measured in minutes) 5. Memory space 6. Concurrent sessions 7. Password aging and expiration 8. Password history 9. Password complexity verification 10. Account locking

98 98 Oracle's built-in tools PROFILES management l Create a profile: CREATE PROFILE end_user_prof LIMIT SESSIONS_PER_USER 1 IDLE_TIME 60 CONNECT_TIME 600; l Modify a profile: ALTER PROFILE end_user_prof LIMIT IDLE_TIME 10; l Remove a profile: DROP PROFILE end_user_prof; or, if the profile is still assigned to users, DROP PROFILE end_user_prof CASCADE;

99 99 Oracle's built-in tools PROFILES management l Associate a user with a profile: ALTER USER smith PROFILE end_user_prof; l Resource limits must be enabled to enforce the profile's resource limits; this does not apply to password management, which is always enforced. Two ways to enable: – 1. ALTER SYSTEM SET RESOURCE_LIMIT=TRUE – 2. Modify the init.ora file to set RESOURCE_LIMIT=TRUE, then restart the instance

100 100 Oracle's built-in tools PROFILES – displaying resource limits l DBA_USERS – Profile, Username l DBA_PROFILES – Profile, Resource_name, Resource_type, Limit l Join the views DBA_USERS and DBA_PROFILES to display the resource limits in force for each user

101 101 Oracle's built-in tools PASSWORD MANAGEMENT (parameter – description)
l FAILED_LOGIN_ATTEMPTS – Number of failed login attempts before lockout
l PASSWORD_LOCK_TIME – Number of days the password will remain locked upon password expiring
l PASSWORD_LIFE_TIME – Lifetime of the password, measured in days
l PASSWORD_GRACE_TIME – Grace period in days for changing the password after it has expired

102 102 Oracle's built-in tools PASSWORD MANAGEMENT (parameter – description)
l PASSWORD_REUSE_TIME – Number of days before a password can be reused
l PASSWORD_REUSE_MAX – Maximum number of times a password can be reused
l PASSWORD_VERIFY_FUNCTION – PL/SQL function that makes a complexity check before a password is assigned
l Note: the script utlpwdmg.sql must be run in the SYS schema to enable it

103 103 Oracle's built-in tools PASSWORD MANAGEMENT VERIFY_FUNCTION Minimum length of four characters Password not equal to user name Password must have at least one alpha, numeric,special character Password must differ from the last password by three characters


105 105 Oracle's built-in tools Displaying PROFILES information l DBA_PROFILES – Profile, Resource_name, Resource_type = PASSWORD, Limit
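The profile and password-management material from the last few slides, put together as an added example that is not from the original presentation: one profile that combines the resource limits and the password parameters listed above, the two steps that make the resource limits take effect, and the DBA_USERS/DBA_PROFILES join the slides describe, used to find accounts that still have no lockout. The profile name END_USER_PROF, the user SMITH and the numeric limits are assumed values; VERIFY_FUNCTION is the function that utlpwdmg.sql installs.

```sql
-- Added example (not from the original presentation). Limits shown are assumed values.

-- utlpwdmg.sql, run as SYS, installs VERIFY_FUNCTION (complexity check).
-- @?/rdbms/admin/utlpwdmg.sql

CREATE PROFILE end_user_prof LIMIT
    SESSIONS_PER_USER         1
    IDLE_TIME                 60        -- minutes of inactivity before disconnect
    CONNECT_TIME              600       -- minutes per session
    FAILED_LOGIN_ATTEMPTS     5
    PASSWORD_LOCK_TIME        1         -- days the account stays locked after the failure limit is reached
    PASSWORD_LIFE_TIME        90        -- days
    PASSWORD_GRACE_TIME       7         -- days to change an expired password
    PASSWORD_REUSE_TIME       365       -- days before an old password may be reused ...
    PASSWORD_REUSE_MAX        10        -- ... and only after this many intervening changes
    PASSWORD_VERIFY_FUNCTION  verify_function;

ALTER USER smith PROFILE end_user_prof;

-- Password limits are enforced as soon as the profile is assigned. The resource
-- limits (SESSIONS_PER_USER, IDLE_TIME, CONNECT_TIME) only count once
-- RESOURCE_LIMIT is TRUE: set it now, and put the same line in init.ora
-- (or use SCOPE=BOTH with an spfile) so it survives the next restart.
ALTER SYSTEM SET RESOURCE_LIMIT = TRUE;

-- Review 1: the password limits in force for every user (DBA_USERS joined to DBA_PROFILES).
SELECT u.username, u.profile, p.resource_name, p.limit
  FROM dba_users u
  JOIN dba_profiles p ON p.profile = u.profile
 WHERE p.resource_type = 'PASSWORD'
 ORDER BY u.username, p.resource_name;

-- Review 2: open accounts whose profile never locks them, i.e. accounts that
-- password guessing can hit indefinitely. The DEFAULT profile ships this way.
SELECT u.username, u.profile, u.account_status
  FROM dba_users u
  JOIN dba_profiles p ON p.profile = u.profile
 WHERE p.resource_name = 'FAILED_LOGIN_ATTEMPTS'
   AND p.limit = 'UNLIMITED'
   AND u.account_status = 'OPEN'
 ORDER BY u.username;

-- Review 3: confirm the resource limits are actually switched on.
SELECT name, value
  FROM v$parameter
 WHERE name = 'resource_limit';
```

A limit in DBA_PROFILES shown as DEFAULT means "inherit from the DEFAULT profile", so Review 2 also needs to be run against the DEFAULT profile itself: if FAILED_LOGIN_ATTEMPTS is UNLIMITED there, every profile that says DEFAULT for that parameter is unlimited too.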

106 106 Auditing the Database l Audit a specific user l Audit for a specific statement l Audit for a specific statement on a schema user l Audit to know what happens on your database l Audit failed logon attempts l Audit to know who changed what and when

107 107 Auditing the Database l Audit by session or access l Audit by successful or not successful status l Audit with discretion Audit actions: Alter, audit,comment,create,delete,execute, grant,index,insert,lock,read,reference,rename,select, update,write

108 108 Auditing the Database syntax l AUDIT {statement|system_priv} [BY user] [BY SESSION|ACCESS] [WHENEVER [NOT] SUCCESSFUL]; NOTE: BY SESSION will create only one audit record per session; BY ACCESS will create a record for each auditable activity

109 109 Auditing the Database(cont) l Audit to know what happens on your database – High level of unsuccessful logins – Audit through the middle tier – Audit the user statement – Audit the audit table

110 110 Auditing the Database connect internal (Oracle8i) – NT Systems: On NT systems you can see auditing for INTERNAL in the event viewer. The INTERNAL connections are written to the operating system audit trail. – Unix Systems: On Unix systems the INTERNAL connections are logged to special log files stored in the $ORACLE_HOME/rdbms/audit directory.

111 111 Auditing the Database SYSDBA/SYSOPER – Initialization parameter AUDIT_SYS_OPERATIONS=TRUE Will write all activities to an O/S audit log

112 112 Auditing the Database(cont) l TIPS on auditing – Run reports on a daily basis – Truncate the audit table on a daily basis (after the reports have been taken) – Use the WHENEVER NOT SUCCESSFUL option whenever you can – Use the BY SESSION clause – Auditing is now optimized (statements are parsed once for both execution and audit) – Set default audit options – May need to create an alarm facility

113 113 Auditing the Database(cont) l TIPS on auditing – Oracle preserves the identity of the user on the middle tier and can capture the user id of whoever logged into the database via the TP monitor. This means that Oracle can audit both the true user who initiated the transaction and the user who logged into the database (the TP monitor) l Protect the audit trail: AUDIT DELETE ON sys.aud$ BY ACCESS; l Only the DBA or security personnel should have the DELETE_CATALOG_ROLE
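The audit options recommended across the "Auditing the Database" slides (failed logons, who changed what and when, the audit table itself, SYS activity) and the daily review they call for, as an added example that is not from the original presentation. The HR.EMPLOYEE table and the APP_BATCH account are assumed names; the views and AUDIT options are standard Oracle.

```sql
-- Added example (not from the original presentation).

-- 0. Nothing is recorded until AUDIT_TRAIL is set in init.ora (DB for SYS.AUD$,
--    OS for the operating-system trail) and the instance restarted. Check first:
SELECT name, value
  FROM v$parameter
 WHERE name IN ('audit_trail', 'audit_sys_operations');

-- 1. Failed logons: one record per attempt, and only for failures, which keeps
--    the volume down while catching password guessing.
AUDIT CREATE SESSION BY ACCESS WHENEVER NOT SUCCESSFUL;

-- 2. Who changed what and when on a sensitive table.
AUDIT INSERT, UPDATE, DELETE ON hr.employee BY ACCESS;

-- 3. Account and privilege administration, always BY ACCESS so that nothing is
--    rolled up into a single per-session record.
AUDIT USER BY ACCESS;            -- CREATE USER, ALTER USER, DROP USER (includes password changes)
AUDIT ROLE BY ACCESS;            -- CREATE/ALTER/DROP/SET ROLE
AUDIT SYSTEM GRANT BY ACCESS;    -- GRANT/REVOKE of system privileges and roles

-- 4. The audit table is a target in its own right: record every delete from it.
AUDIT DELETE ON sys.aud$ BY ACCESS;

-- 5. Verify what is in force.
SELECT user_name, audit_option, success, failure
  FROM dba_stmt_audit_opts
 ORDER BY audit_option;

SELECT owner, object_name, ins, upd, del
  FROM dba_obj_audit_opts
 WHERE owner = 'HR';

-- 6. Daily report A: failed logons in the last 24 hours, grouped so that a
--    guessing run against one account or from one host stands out.
SELECT username, os_username, userhost, COUNT(*) AS failures
  FROM dba_audit_session
 WHERE returncode <> 0
   AND timestamp > SYSDATE - 1
 GROUP BY username, os_username, userhost
 ORDER BY failures DESC;

-- 7. Daily report B: changes to the sensitive table by anyone other than the
--    batch account that is expected to make them.
SELECT timestamp, username, os_username, action_name, obj_name, returncode
  FROM dba_audit_trail
 WHERE owner = 'HR'
   AND obj_name = 'EMPLOYEE'
   AND username <> 'APP_BATCH'
   AND timestamp > SYSDATE - 1
 ORDER BY timestamp;

-- 8. Daily report C: anyone touching the audit trail itself.
SELECT timestamp, username, os_username, action_name, returncode
  FROM dba_audit_trail
 WHERE owner = 'SYS'
   AND obj_name = 'AUD$'
 ORDER BY timestamp;
```

Take the reports before truncating SYS.AUD$ (the slides' daily truncate), and note that report C is only tamper-evident for deletes done through SQL as an ordinary user: activity by SYSDBA goes to the operating-system trail, which is what AUDIT_SYS_OPERATIONS=TRUE on the previous slide is for.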


115 115 Audit/Security Approach l Account Security l Object Privileges l System Level Roles and Privileges

116 116 l Create User – Username – Password – Default Tablespace – Temporary Tablespace – Quota (on Tablespaces) – Profile Assigns a profile to the user, if none is specified, then the default profile is used. Profiles are used to restrict the usage of system resources and to enforce password management rules. The default is set to UNLIMITED resource consumption Audit/Security Approach

117 117 Audit/Security Approach l System Level Privileges – ANY and PUBLIC are not synonymous. A PUBLIC object is accessible to all users in a database; all other objects are privately owned. The ANY option allows you to create private objects in other users' schemas – There are eight system level roles provided with Oracle: Connect, Resource, DBA, EXP_FULL_DATABASE, IMP_FULL_DATABASE, Select_Catalog_Role, Execute_Catalog_Role, Delete_Catalog_Role


119 119 Audit/Security Approach l Object Level Privileges – Grants – Grant with grant option – Privileges SELECT INSERT UPDATE DELETE ALTER INDEX REFERENCES EXECUTE READ

120 120 Audit/Security Approach l Dictionary Views – DBA_ROLES Names of roles and their password status – DBA_ROLE_PRIVS Users who have been granted roles – DBA_SYS_PRIVS Users who have been granted system privileges – DBA_TAB_PRIVS Users who have been granted privileges on tables – DBA_COL_PRIVS Users who have been granted privileges on columns – ROLE_ROLE_PRIVS Roles that have been granted to other roles – ROLE_SYS_PRIVS System privileges that have been granted to roles – ROLE_TAB_PRIVS Table privileges that have been granted to roles

121 121 Audit/Security Approach l Password Security During Logins – When you connect to a database server from a client machine, or from one database to another via a database link, Oracle transmits the password you enter in an unencrypted format unless you specify otherwise. As of Oracle8, you can set parameters that force Oracle to encrypt the password values prior to transmitting them. – To enable password encryption, set the following parameters: On the client, set the ORA_ENCRYPT_LOGIN parameter in your sqlnet.ora file to TRUE; on the server, set the DBLINK_ENCRYPT_LOGIN parameter in your init.ora file to TRUE; then shut down and restart the database

122 122 Audit/Security Approach l Password – Passwords specified for a user account or a role are stored in an encrypted form in the data dictionary – Setting the same password for two different accounts will result in different encrypted values – For all passwords, the encrypted value is 16 characters long and contains numbers and capital letters. – When a password is entered during user validation, that password is encrypted and the resulting value is compared to the one in the data dictionary for that account; if they match, the password is correct and the authorization succeeds.

123 123 Audit/Security Approach l Passwords – Knowing how the database stores passwords is important because it adds new options to account security. – To query the Username and Password fields from DBA_USERS: select username /* username */, password /* encrypted password */ from dba_users where username = 'LYONS';

124 124 Audit/Security Approach l Becoming Another User – Since the encrypted password can be set, you can temporarily take over any account and then set it back to its original password without ever knowing the account's password. This capability allows you to become another user – Query DBA_USERS to determine the current encrypted password of the account – Generate the alter user command that will be needed to reset the encrypted password to its current value after you are done – Spool the alter user command to a file – Change the user's password – Access the user's account – Run the file containing the alter user command to reset the user's encrypted password to its original value.

125 Database
• Determine Permission Levels
– Do not give direct table-level permissions to an end user
» No Select (the "Query from Hell"), Update, Insert or Delete
– Instead, use stored procedures
– Better yet, do not let the user know how to sign on to the database application
» Authenticate the user and then supply a new password that they do not even know about. In this way the user must first authenticate to the application and cannot go around this authentication process to access the database

126 Privileges and Roles
• Access to an object owned by another account
• Privilege must have been granted
• Privileges such as insert, select, update, and delete
• Privileges can be granted to users, groups, roles, or to Public
• Roles are groups of privileges
• Use roles to grant system-level privileges such as create table
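The two slides above (stored procedures instead of direct table privileges, and privileges granted through roles) as one worked script. This is an added example, not from the presentation; the schema APP, table APP.ORDERS, role ORDER_ENTRY and user SCOTT are assumed names.

```sql
-- Added example: enforce "no direct table privileges for end users" with a
-- definer-rights procedure granted through a role. APP, APP.ORDERS, ORDER_ENTRY
-- and SCOTT are assumed names; APP.ORDERS is assumed to already exist.
CREATE ROLE order_entry;

-- Runs with APP's privileges, so the caller never needs INSERT on APP.ORDERS,
-- and input is validated before it reaches the table.
CREATE OR REPLACE PROCEDURE app.add_order (
    p_customer_id IN NUMBER,
    p_amount      IN NUMBER)
AUTHID DEFINER
AS
BEGIN
    IF p_amount IS NULL OR p_amount <= 0 THEN
        RAISE_APPLICATION_ERROR(-20001, 'amount must be positive');
    END IF;
    INSERT INTO app.orders (customer_id, amount, created_by, created_on)
    VALUES (p_customer_id, p_amount,
            SYS_CONTEXT('USERENV', 'SESSION_USER'), SYSDATE);
END;
/

-- Grant the procedure, not the table, and grant it through the role only.
GRANT CREATE SESSION      TO order_entry;
GRANT EXECUTE ON app.add_order TO order_entry;
GRANT order_entry         TO scott;

-- Control check: any grantee other than the owner holding a privilege directly
-- on APP.ORDERS (including PUBLIC) is a finding to follow up.
SELECT grantee, privilege, grantable
FROM   dba_tab_privs
WHERE  owner = 'APP'
AND    table_name = 'ORDERS'
AND    grantee <> 'APP';
```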

127 Role Definitions
• System Level Roles
– Connect
– Resource
– DBA
• User Defined System Level Roles

128 Role Definitions
• Connect Role
– Gives users privileges beyond just creating sessions in the database. In addition to the Create Session system privilege, the Connect role gives users the following system privileges:
» Alter Session
» Create Cluster
» Create Database Link
» Create Sequence
» Create Synonym
» Create Table
» Create View

129 Role Definitions
• Resource Role
– The Resource role has the following system privileges:
» Create Cluster
» Create Index
» Create Procedure
» Create Sequence
» Create Table
» Create Trigger
» Create Type

130 Role Definitions
• DBA Role
– The DBA role has all system privileges with admin option, which means that the DBA can grant the system privileges to any other user

131 Auditing
• The database has the ability to audit all actions that take place within it. Audit records may be written either to the SYS.AUD$ table or to the operating system's audit trail. The ability to use the operating system's audit trail is operating-system dependent
• Three different types of actions may be audited: login attempts, object accesses and database actions
• The database's default functionality is to record both successful and unsuccessful commands
• To enable auditing in a database, the init.ora file for the database must contain an entry for the AUDIT_TRAIL parameter.

132 Auditing
• The AUDIT_TRAIL values are:
» NONE - Disables auditing
» DB - Enables auditing, writing to the SYS.AUD$ table
» OS - Enables auditing, writing to the operating system's audit trail

133 Auditing
• Audit command
– Can be issued regardless of the setting of the AUDIT_TRAIL parameter. The audit options will not be activated unless the database is started using an init.ora AUDIT_TRAIL value that enables auditing
– If you elect to store the audit records in the SYS.AUD$ table, then that table's records should be periodically archived and the table should then be truncated. Since it is part of the data dictionary, this table is in the SYSTEM tablespace and may cause space problems if its records are not periodically cleaned out. You can grant DELETE_CATALOG_ROLE to a user to give the user the ability to delete from the SYS.AUD$ table.
– Every attempt to connect to the database can be audited. The commands to begin auditing of login attempts are:
  audit session
  audit session whenever successful
  audit session whenever not successful

134 Audit Features
• Establish minimum audit standards
» Login/Logoffs
» Adding of new users
» Adding users to groups
» All grants and revokes
• Remember that auditing takes up much storage and processing time
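The minimum audit standards listed above, the SYS.AUD$ housekeeping from the previous slide, and a review query that also catches the ALTER USER ... IDENTIFIED BY VALUES pattern from the "Becoming Another User" slide. This is an added example, not from the presentation; it assumes AUDIT_TRAIL = DB was set in init.ora and the instance restarted, and AUDIT_ARCHIVE and the USERS tablespace are assumed names.

```sql
-- Added example: enable the slide's minimum audit set, review the trail, and
-- archive SYS.AUD$. Assumes AUDIT_TRAIL = DB is already active; AUDIT_ARCHIVE
-- and the USERS tablespace are assumed names. Run as SYS.

AUDIT SESSION;        -- login/logoffs (successful and failed, by default)
AUDIT USER;           -- CREATE/ALTER/DROP USER, incl. ALTER USER ... BY VALUES
AUDIT ROLE;           -- CREATE/ALTER/DROP/SET ROLE (adding users to groups)
AUDIT SYSTEM GRANT;   -- GRANT/REVOKE of system privileges and roles
AUDIT GRANT TABLE;    -- GRANT/REVOKE of object privileges on tables
AUDIT GRANT PROCEDURE;

-- Review 1: repeated failed logins per account and source host in the last day
-- (ORA-01017 invalid username/password is recorded as returncode 1017)
SELECT username, userhost, COUNT(*) AS failures, MAX(timestamp) AS last_failure
FROM   dba_audit_session
WHERE  returncode = 1017
AND    timestamp > SYSDATE - 1
GROUP  BY username, userhost
HAVING COUNT(*) >= 5
ORDER  BY failures DESC;

-- Review 2: account changes and grants in the last day. An ALTER USER issued by
-- anyone other than the security officer is the password-takeover signature.
SELECT timestamp, username AS done_by, action_name, obj_name, grantee, priv_used
FROM   dba_audit_trail
WHERE  action_name IN ('CREATE USER', 'ALTER USER', 'DROP USER',
                       'GRANT ROLE', 'REVOKE ROLE', 'SYSTEM GRANT',
                       'SYSTEM REVOKE', 'GRANT OBJECT', 'REVOKE OBJECT')
AND    timestamp > SYSDATE - 1
ORDER  BY timestamp;

-- Housekeeping: copy the trail out of the SYSTEM tablespace, then truncate.
-- Do this in a quiet window: records written between the INSERT and the
-- TRUNCATE would be lost.
CREATE TABLE audit_archive TABLESPACE users AS
    SELECT * FROM sys.aud$ WHERE 1 = 0;
INSERT INTO audit_archive SELECT * FROM sys.aud$;
COMMIT;
TRUNCATE TABLE sys.aud$;
```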

135 Trace Files
• Each of the background processes running in an instance has a trace file associated with it.
• The trace file will contain information about significant events encountered by the background process
• In addition, Oracle maintains a file called the alert log
• The alert log records the commands and command results of major events. This includes tablespace creations, redo log switches, recovery operations, and database startups

136 Alert Log
• The alert log is a vital source of information for day-to-day operations
• Trace files are most useful when attempting to discover the cause of a major failure.

137 Database Constraints
• A table can have constraints placed upon it
• A constraint is applied to a table, and every row in the table must satisfy the conditions specified in the constraint definition

138 Database
• DBMS Journal
» Redo Logs
• SVRMGR program for Database Administration tasks
» Performs backup of the redo logs
• SQL COMMIT statements
» Used by application programs
• Backup is on-line

139 Backup/Recovery
• Backup and Recovery Options
» Export/Import
» Offline Backups
» Online Backups

140 Users
• A user account is not a physical structure in the database
• Users own the database objects
• The user SYS owns the data dictionary tables
• The user SYSTEM owns views that access the data dictionary tables for use by the rest of the users in the database

141 Users
• User accounts can be connected to an operating system account
• This allows the user to enter only one password to obtain access to both the operating system and the database

142 Database
• Responsibility for the Security Officer
– Should perform:
» All grants and revokes
» Review security and audit logs
» Maintain a copy of audit logs for the auditors

143 Exposures
• Clear-text transmission over the network
• Connect ID and Access ID for the application
• Direct connection to the database from the desktop

144 Securing the SQL*Plus Tool
• Use the PRODUCT_PROFILE table to provide product-level security for Oracle products and augment user-level security
• With this table, you can enforce security on a per-user basis and restrict certain SQL and SQL*Plus commands.

145 Securing the SQL*Plus Tool
• SQL*Plus commands that can be restricted: EDIT, EXECUTE, EXIT, GET, HOST (or your operating system's alias for HOST, such as $ on VMS and ! on UNIX), QUIT, RUN, SAVE, SET, SPOOL, START
• SQL commands that can be restricted: ALTER, ANALYZE, AUDIT, CONNECT, CREATE, DELETE, DROP, GRANT, INSERT, LOCK, NOAUDIT, RENAME, REVOKE, SELECT, SET ROLE, SET TRANSACTION, TRUNCATE, UPDATE

146 Securing the SQL*Plus Tool
• Recommended commands to restrict:
  Command    Reason
  HOST       allows a user access to an operating-system prompt
  SET ROLE   allows a user to set a new security role
  GRANT      allows a user to grant privileges
  NOAUDIT    allows a user to turn off auditing
• You should restrict access to the PRODUCT_PROFILE table itself
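The four restrictions recommended above applied to one account, plus the two review queries an auditor would run. This is an added example, not from the presentation. The slides call the table PRODUCT_PROFILE; the table that pupbld.sql creates is SYSTEM.PRODUCT_USER_PROFILE, which is what the script uses. SCOTT and OPS_DBA are assumed names.

```sql
-- Added example: SQL*Plus restrictions for user SCOTT. Run as SYSTEM.
-- USERID is matched in upper case and may contain % wildcards; SCOTT and
-- OPS_DBA are assumed names.

-- Disable HOST (and its ! or $ alias), SET ROLE, GRANT and NOAUDIT for SCOTT
INSERT INTO system.product_user_profile (product, userid, attribute, char_value)
    VALUES ('SQL*Plus', 'SCOTT', 'HOST',     'DISABLED');
INSERT INTO system.product_user_profile (product, userid, attribute, char_value)
    VALUES ('SQL*Plus', 'SCOTT', 'SET ROLE', 'DISABLED');
INSERT INTO system.product_user_profile (product, userid, attribute, char_value)
    VALUES ('SQL*Plus', 'SCOTT', 'GRANT',    'DISABLED');
INSERT INTO system.product_user_profile (product, userid, attribute, char_value)
    VALUES ('SQL*Plus', 'SCOTT', 'NOAUDIT',  'DISABLED');
-- ROLES attribute: the named role stays disabled in this user's SQL*Plus sessions
INSERT INTO system.product_user_profile (product, userid, attribute, char_value)
    VALUES ('SQL*Plus', 'SCOTT', 'ROLES',    'OPS_DBA');
COMMIT;

-- Review 1: what is restricted, for whom
SELECT userid, attribute, char_value
FROM   system.product_user_profile
WHERE  product = 'SQL*Plus'
ORDER  BY userid, attribute;

-- Review 2: the profile table itself. SQL*Plus reads it through the
-- PRODUCT_PRIVS view, so any grantee on the base table is a finding.
SELECT grantee, privilege
FROM   dba_tab_privs
WHERE  owner = 'SYSTEM'
AND    table_name = 'PRODUCT_USER_PROFILE';
```

This table governs SQL*Plus only: the same user connecting with any other client is unaffected, so it augments database privileges rather than replacing them.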

147 Oracle Security Checklist
– Revoke unnecessary privileges from the PUBLIC role
» Revoke all unnecessary privileges and roles from the database server
» PUBLIC is the default role granted to every user
– Privileges include EXECUTE on various powerful packages that may potentially be misused, including:
» UTL_SMTP: This package permits arbitrary mail messages to be sent from one arbitrary user to another arbitrary user.

148 Oracle Security Checklist
– Revoke unnecessary privileges from the PUBLIC role
» UTL_TCP: This package permits outgoing network connections to be established by the database server to any receiving (or waiting) network service.
» UTL_HTTP: This package allows the database server to request and retrieve data via HTTP. Granting this package to PUBLIC may permit data to be sent via HTML forms to a malicious web site.

149 Oracle Security Checklist
– Revoke unnecessary privileges from the PUBLIC role
» UTL_FILE: If configured improperly, this package allows text-level access to any file on the host operating system. Even when properly configured, this package does not distinguish between its calling applications, with the result that one application with access to UTL_FILE may write arbitrary data into the same location that is written to by another application.

150 Oracle Security Checklist
– Revoke unnecessary privileges from the PUBLIC role
» DBMS_RANDOM: Is used to encrypt stored data. Encrypted data may be non-recoverable if the keys are not securely generated
– Do not assign all permissions to any database server run-time facility
» Oracle Java Virtual Machine (OJVM)
» Grant specific permissions to the explicit document root file paths for such facilities that may execute files and packages outside the database server.
  call dbms_java.grant_permission('SCOTT', '',' >','read');

151 Oracle Security Checklist
– Authenticate clients properly
» Remote authentication is a security feature provided by Oracle9i such that, if turned on (TRUE), it defers authentication of users to the remote client connecting to an Oracle database. Set the configuration parameter in the following manner:
  REMOTE_OS_AUTHENT = FALSE
» FALSE will be more secure
– Restrict network access
» Utilize a firewall: keep the database server behind a firewall. Oracle9i's network infrastructure, Oracle Net (formerly known as Net8 and SQL*Net), offers support for a variety of firewalls from various vendors.
» Supported proxy-enabled firewalls
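The PUBLIC-privilege and remote-authentication items of the checklist (slides 147 to 151) as one review-then-fix script. This is an added example, not from the presentation; NOTIFY_APP is an assumed schema that legitimately needs UTL_SMTP.

```sql
-- Added example: checklist items as review queries and remediation. Run as SYS.
-- NOTIFY_APP is an assumed schema name.

-- 1. Finding: which of the packages named in the checklist can PUBLIC execute?
SELECT table_name AS package_name, privilege
FROM   dba_tab_privs
WHERE  grantee = 'PUBLIC'
AND    owner   = 'SYS'
AND    table_name IN ('UTL_SMTP', 'UTL_TCP', 'UTL_HTTP', 'UTL_FILE', 'DBMS_RANDOM');

-- 2. Remediation: take the blanket grant away, then grant back only where needed
REVOKE EXECUTE ON sys.utl_smtp    FROM PUBLIC;
REVOKE EXECUTE ON sys.utl_tcp     FROM PUBLIC;
REVOKE EXECUTE ON sys.utl_http    FROM PUBLIC;
REVOKE EXECUTE ON sys.utl_file    FROM PUBLIC;
REVOKE EXECUTE ON sys.dbms_random FROM PUBLIC;
GRANT  EXECUTE ON sys.utl_smtp    TO notify_app;

-- 3. Impact check: stored code outside SYS/SYSTEM that references these packages
--    is now invalid unless its owner holds a direct grant; each row needs a decision
SELECT owner, name, type, referenced_name
FROM   dba_dependencies
WHERE  referenced_owner = 'SYS'
AND    referenced_name IN ('UTL_SMTP', 'UTL_TCP', 'UTL_HTTP', 'UTL_FILE', 'DBMS_RANDOM')
AND    owner NOT IN ('SYS', 'SYSTEM')
ORDER  BY owner, name;

-- 4. Remote OS authentication: expected value FALSE (init.ora setting, needs restart)
SELECT name, value
FROM   v$parameter
WHERE  name = 'remote_os_authent';

-- 5. Accounts that rely on OS authentication: these are the ones exposed while
--    REMOTE_OS_AUTHENT is TRUE, because the client's OS user name is trusted as-is
SELECT username, created
FROM   dba_users
WHERE  password = 'EXTERNAL';
```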

152 Oracle Tools
• Virtual Private Database / Label Security
– Attach security policies at the table or view level; allows for easy integration with existing systems.
– One to many policies per table.
– Different policies for different types of access (SELECT, UPDATE, ...).

153 Oracle Security Checklist
• Virtual Private Database using application contexts
– User-definable contexts can allow security based on categories (employee number, cost center). These contexts are used in the security policy function.
– Access to session primitives (information about a user session) using the USERENV application context
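A VPD policy of the kind described on the two slides above: a user-defined application context holding the caller's cost center, set from USERENV session information, and a policy function that turns it into a row-level predicate. This is an added example, not from the presentation; HR, HR.EMPLOYEES (with a COST_CENTER column), HR.USER_COST_CENTERS, HR_CTX and HR_CTX_PKG are assumed names.

```sql
-- Added example: cost-center VPD policy. HR, HR.EMPLOYEES, HR.USER_COST_CENTERS
-- (username -> cost_center, not writable by end users), HR_CTX and HR_CTX_PKG
-- are assumed names. Run as a DBA.

-- 1. Trusted package declared first, then the context that only it may set
CREATE OR REPLACE PACKAGE hr.hr_ctx_pkg AS
    PROCEDURE set_cost_center;
END;
/
CREATE OR REPLACE CONTEXT hr_ctx USING hr.hr_ctx_pkg;
CREATE OR REPLACE PACKAGE BODY hr.hr_ctx_pkg AS
    PROCEDURE set_cost_center IS
        v_cc VARCHAR2(10);
    BEGIN
        -- Looked up from a table the session cannot change, keyed on the
        -- USERENV session user, so the caller cannot choose its own value
        SELECT cost_center INTO v_cc
        FROM   hr.user_cost_centers
        WHERE  username = SYS_CONTEXT('USERENV', 'SESSION_USER');
        DBMS_SESSION.SET_CONTEXT('hr_ctx', 'cost_center', v_cc);
    EXCEPTION
        WHEN NO_DATA_FOUND THEN NULL;  -- attribute stays unset: see predicate
    END;
END;
/

-- 2. Policy function: predicate appended to every statement on the table.
--    An unset attribute is NULL, so "cost_center = NULL" matches no rows and
--    a session that never ran the package sees nothing (fail closed).
CREATE OR REPLACE FUNCTION hr.cc_policy (p_schema IN VARCHAR2, p_table IN VARCHAR2)
RETURN VARCHAR2 AS
BEGIN
    RETURN 'cost_center = SYS_CONTEXT(''hr_ctx'', ''cost_center'')';
END;
/

-- 3. Attach the policy to reads and writes; update_check => TRUE rejects an
--    INSERT or UPDATE that would move a row outside the caller's cost center
BEGIN
    DBMS_RLS.ADD_POLICY(
        object_schema   => 'HR',
        object_name     => 'EMPLOYEES',
        policy_name     => 'EMP_CC_POLICY',
        function_schema => 'HR',
        policy_function => 'CC_POLICY',
        statement_types => 'SELECT,INSERT,UPDATE,DELETE',
        update_check    => TRUE);
END;
/
```

Call hr.hr_ctx_pkg.set_cost_center from an AFTER LOGON ON DATABASE trigger so every session has the attribute populated before its first query.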

154 Oracle Tools
– Oracle Enterprise Manager Security Manager
– Application Security, Inc.
» Application Vulnerability Assessment: AppDetective. Network-based vulnerability assessment tool that rates the security strength of applications within your network. Armed with a revolutionary security methodology together with an extensive knowledgebase of application vulnerabilities, AppDetective will locate, examine, report, and help fix your security holes and misconfigurations at your command.

155 Oracle Tools
» Database Encryption: DbEncrypt. Easy-to-use, affordable, and effective security solution for encrypting column and row data within the database. Provided with DbEncrypt are encryption algorithms, templates, and an intuitive point-and-click interface.
» Application Intrusion Detection: AppRadar. Intrusion detection solution strictly for application-specific attacks and malicious behavior. As a complementary solution to existing intrusion detection systems, AppRadar empowers organizations with a real-time security solution able to thwart attacks and malicious behavior against all of your mission-critical enterprise applications.

156 Oracle Security Checklist
• Important web sites

157 Summary
– Oracle was built to be secure
– Audit at the database, network, and server level
– Takes time and is complex
– Limited tools available
– Requires outages for patches




