18 Copyright © 2004, Oracle. All rights reserved. Implementing Oracle Database Security

18-2 Copyright © 2004, Oracle. All rights reserved. Objectives After completing this lesson, you should be able to do the following: Compare security features Implement security by applying the principle of least privilege Manage default user accounts Implement standard password security features Describe database auditing Describe Virtual Private Database (VPD)

18-3 Copyright © 2004, Oracle. All rights reserved. Comparing Oracle and SQL Server Security Features Both Oracle Database 10g and SQL Server support: Kerberos protocol and Radius server Centralized user management for Kerberos users Encrypted Network Traffic Lightweight Directory Access Protocol (LDAP) Strong authentication (PKI)

18-4 Copyright © 2004, Oracle. All rights reserved. Comparing Oracle and SQL Server Security Features Oracle Database 10g additionally supports: Virtual Private Database (VPD) Label security Fine-grained auditing (FGA) Column-level data encryption

18-5 Copyright © 2004, Oracle. All rights reserved. Database Security A secure system ensures the confidentiality of the data it contains. There are several aspects of security: Restricting access to data and services Authenticating users Monitoring for suspicious activity

18-6 Copyright © 2004, Oracle. All rights reserved. Database Security Full Notes Page

18-7 Copyright © 2004, Oracle. All rights reserved. Applying the Principle of Least Privilege Protect the data dictionary. O7_DICTIONARY_ACCESSIBILITY=FALSE Revoke unnecessary privileges from PUBLIC. REVOKE EXECUTE ON UTL_SMTP, UTL_TCP, UTL_HTTP, UTL_FILE, DBMS_OBSFUSCATION_TOOLKIT FROM PUBLIC; Restrict the directories accessible by users. Limit users with administrative privileges. Restrict remote database authentication. REMOTE_OS_AUTHENT=FALSE

18-8 Copyright © 2004, Oracle. All rights reserved. Apply the Principle of Least Privilege Full Notes Page

18-9 Copyright © 2004, Oracle. All rights reserved. Managing Default User Accounts DBCA expires and locks all accounts, except: – SYS – SYSTEM – SYSMAN – DBSNMP For a manually created database, lock and expire any unused accounts.

18-10 Copyright © 2004, Oracle. All rights reserved. User Password expiration and aging Password verification Setting up profiles Implementing Standard Password Security Features Password history Account locking

18-11 Copyright © 2004, Oracle. All rights reserved. Password Security Full Notes Page

18-12 Copyright © 2004, Oracle. All rights reserved. Supplied Password Verification Function: VERIFY_FUNCTION The supplied password verification function enforces password restrictions: Minimum length is four characters. Password cannot be the same as the username. Password must have at least one alphabetic, one numeric, and one special character. Password must differ from the previous password by at least three letters.

18-13 Copyright © 2004, Oracle. All rights reserved. Creating a Password Profile

18-14 Copyright © 2004, Oracle. All rights reserved. Assigning Users to a Password Profile

18-15 Copyright © 2004, Oracle. All rights reserved. Where Are We? Comparing security aspects Applying the principle of least privilege Managing default use accounts Implementing standard password security features Creating and using password profiles Auditing Virtual Private Database (VPD)

18-16 Copyright © 2004, Oracle. All rights reserved. Monitoring for Suspicious Activity Monitoring or auditing should be an integral part of your security procedures. Review the following: Mandatory auditing Standard database auditing Value-based auditing Fine-grained auditing (FGA) DBA auditing

18-17 Copyright © 2004, Oracle. All rights reserved. Standard Database Auditing Enabled through the AUDIT_TRAIL parameter NONE : Disables collection of audit records DB : Enables auditing with records stored in the database OS : Enables auditing with records stored in the operating system audit trail Can audit: Login events Exercise of system privileges Exercise of object privileges Use of SQL statements

18-18 Copyright © 2004, Oracle. All rights reserved. Audit trail Parameter file Specify audit options. Generate audit trail. Review audit information. Standard Database Auditing DBAUser Enable database auditing. executes command. Database OS audit trail Audit options Server process

18-19 Copyright © 2004, Oracle. All rights reserved. Specifying Audit Options SQL statement auditing System privilege auditing (nonfocused and focused) Object privilege auditing (nonfocused and focused) Session auditing AUDIT select any table, create any trigger; AUDIT select any table BY hr BY SESSION; AUDIT table; AUDIT ALL on hr.employees; AUDIT UPDATE,DELETE on hr.employees BY ACCESS; AUDIT session whenever not successful;

18-20 Copyright © 2004, Oracle. All rights reserved. Audit trail view DBA_AUDIT_TRAIL DBA_AUDIT_EXISTS DBA_AUDIT_OBJECT DBA_AUDIT_SESSION DBA_AUDIT_STATEMENT Description All audit trail entries Records for AUDIT EXISTS/NOT EXISTS Records concerning schema objects All connect and disconnect entries Statement auditing records Viewing Auditing Results

18-21 Copyright © 2004, Oracle. All rights reserved. Value-Based Auditing User’s change is made. Trigger fires.Audit record is created by trigger. And it is inserted into an audit trail table. User makes change.

18-22 Copyright © 2004, Oracle. All rights reserved. Value-Based Auditing Full Notes Page

18-23 Copyright © 2004, Oracle. All rights reserved. Fine-Grained Auditing Monitors data access based on content Audits SELECT or INSERT,UPDATE,DELETE Can be linked to a table or view May fire a procedure Is administered with the DBMS_FGA package employees Policy: AUDIT_EMPS_SALARY SELECT name, salary FROM employees WHERE department_id = 10;

18-24 Copyright © 2004, Oracle. All rights reserved. FGA Policy dbms_fga.add_policy ( object_schema=> 'hr', object_name=> 'employees', policy_name=> 'audit_emps_salary', audit_condition=> 'department_id=10', audit_column=> 'salary', handler_schema=> 'secure', handler_module=> 'log_emps_salary', enable=> TRUE, statement_types=>'select' ); SELECT name, job_id FROM employees; SELECT name, salary FROM employees WHERE department_id = 10; SECURE.LOG_ EMPS_SALARY employees Defines: –Audit criteria –Audit action Is created with DBMS_FGA.ADD_POLICY

18-25 Copyright © 2004, Oracle. All rights reserved. FGA Policy Full Notes Page

18-26 Copyright © 2004, Oracle. All rights reserved. DBMS_FGA Package Use DBMS_FGA to maintain FGA policies Grant the execute privilege only to administrators Includes the following subprograms: SubprogramDescription ADD_POLICY Creates an audit policy by using the supplied predicate as the audit condition DROP_POLICY Drops an audit policy ENABLE_POLICY Enables an audit policy DISABLE_POLICY Disables an audit policy

18-27 Copyright © 2004, Oracle. All rights reserved. FGA Guidelines To audit all statements, use a null condition. If you try to add a policy that already exists, error ORA is raised. The audited table or view must already exist when you create the policy. If the audit condition syntax is invalid, an ORA is raised when the audited object is accessed. If the audited column does not exist in the table, no rows are audited. If the event handler does not exist, no error is returned and the audit record is still created.

18-28 Copyright © 2004, Oracle. All rights reserved. Audit Tool Summary Type of AuditWhat Is Audited?What Is in the Audit Trail? Standard database auditing Privilege use including object access Fixed set of data Value-based auditing Data changed by DML statements Administrator defined Fine-grained auditing (FGA) SQL statements (insert, update, delete, and select) based on content Fixed set of data including the SQL statement

18-29 Copyright © 2004, Oracle. All rights reserved. DBA Auditing Users with SYSDBA or SYSOPER privileges can connect when the database is closed. Audit trail must be stored outside the database. Connecting as SYSDBA or SYSOPER is always audited. Enable additional auditing of SYSDBA or SYSOPER actions with audit_sys_operations. Control audit trail with audit_file_dest.

18-30 Copyright © 2004, Oracle. All rights reserved. Where Are We? Comparing security aspects Applying the principle of least privilege Managing default use accounts Implementing standard password security features Describing Auditing –Mandatory Auditing –Standard database auditing –Value-based auditing –Fine-grained auditing –DBA auditing Virtual Private Database (VPD)

18-31 Copyright © 2004, Oracle. All rights reserved. Virtual Private Database: Overview Virtual Private Database (VPD) consists of: –Fine-grained access control –Secure application context VPD uses policies to add conditions to SQL statements which protect sensitive data. Application attributes defined inside an application context are used by fine-grained access policies.

18-32 Copyright © 2004, Oracle. All rights reserved. Virtual Private Database: Enhancements Column-level VPD enforces row-level access control based on accessed security columns. Customization allows you to define static and nonstatic policies. Shared policies allow you to associate one policy with multiple objects. Policy type can be INDEX. Policy predicate text string DBMS_RLS.ADD_POLICY has the argument: – LONG_PREDICATE default: FALSE (up to 4 KB) – LONG_PREDICATE value: TRUE (up to 32 KB)

18-33 Copyright © 2004, Oracle. All rights reserved. Creating a Column-Level Policy BEGIN dbms_rls.add_policy(object_schema => 'hr', object_name => 'employees', policy_name => 'hr_policy', function_schema =>'hr', policy_function => 'hrsec', statement_types =>'select,insert', sec_relevant_cols=>'salary,commission_pct'); END; /

18-34 Copyright © 2004, Oracle. All rights reserved. Column-Level VPD: Example Statements are not always rewritten. Consider a policy protecting the SALARY and the COMMISSION_PCT columns of the EMPLOYEES table. The fine-grained access control is: –Not enforced for this query: –Enforced for these queries: SQL> SELECT last_name, salary 2 FROM employees; SQL> SELECT last_name FROM employees; SQL> SELECT * FROM employees;

18-35 Copyright © 2004, Oracle. All rights reserved. Sharing Policy Functions departments countries emp_v employees Same policy function

18-36 Copyright © 2004, Oracle. All rights reserved. Security Updates Oracle Corporation posts security alerts on the Oracle Technology Network Web site at: Oracle database administrators and developers can also subscribe to be notified about critical security alerts via by clicking the “Subscribe to Security Alerts Here” link.

18-37 Copyright © 2004, Oracle. All rights reserved. Summary In this lesson, you should have learned how to: Compare security features Apply the principle of least privilege Manage default user accounts Implement standard password security features Describe database auditing Describe Virtual Private Database (VPD)

18-38 Copyright © 2004, Oracle. All rights reserved. Practice Overview: Implementing Oracle Database Security This practice covers the following topics: Expiring passwords every 60 days Locking accounts after a grace period of 10 days Not allowing the reuse of passwords for 1,800 days Forcing accounts to lock for 10 minutes after four failed login attempts