Database Security - Case Study for Enterprise License Features

Presentation transcript:

Database Security - Case Study for Enterprise License Features 1235
Case study of the Security Features in the Enterprise License of Oracle RDBMS
April Sims @aprilcsims

Enterprise License Security Features
- Oracle External Password Store
- Encrypting Client Connections
- 12c Security Features of RDBMS – 12.1.0.2
- Other Security Measures beyond Oracle
- Case Study – What did we implement?
Security Checklist: 10 Basic Steps to Make Your Database Secure from Attacks (Doc ID 1545816.1)

Don't trust our slides - only believe what you've verified by yourself Mike Dietrich https://blogs.oracle.com/UPGRADE/

Now part of the Enterprise License
Some features used to be part of the Advanced Security Option but are now included in the Enterprise License. The license does have specific applications to RAC environments for COST.
Covers:
- PKI authentication
- Network Encryption – SSL/TLS
- TDE encryption
- Kerberos, PKI, Radius
- Native Network Encryption
http://docs.oracle.com/cd/E11882_01/license.112/e47877/editions.htm#DBLIC116
"An Oracle Wallet is a PKCS#12 container used to store authentication and encryption keys. The Oracle database secure external password store feature stores passwords in an Oracle Wallet for password-based authentication to the Oracle database. The Oracle Wallet may also be used to store credentials for PKI authentication to the Oracle Database, configuration of network encryption (SSL/TLS), and Oracle Advanced Security transparent data encryption (TDE) master encryption keys. Strong authentication services (Kerberos, PKI, and RADIUS) and network encryption (native network encryption and SSL/TLS) are no longer part of Oracle Advanced Security and are available in all licensed editions of all supported releases of the Oracle database."
Using The Secure External Password Store (Doc ID 340559.1): The feature Secure External Password Store can be used without any restriction in all product editions; you do not require a license for the Advanced Security Option (ASO).
"Note that implementing COST restrictions in RAC environments require the use of SSL/TLS encryption. Such network encryption features were previously only available to customers who were licensed for Oracle Advanced Security. However, RAC customers who were previously not licensed for Oracle Advanced Security need not be concerned about a licensing restriction as Oracle has updated its licensing to allow these customers the use of these features (namely SSL and TLS) to protect themselves against vulnerability CVE-2012-1675.
In other words, Oracle has added Oracle Advanced Security SSL/TLS to the Enterprise Edition Real Application Clusters (Oracle RAC) and RAC One Node options, and added Oracle Advanced Security SSL/TLS to the Oracle Database Standard Edition license when used with the Real Application Clusters."

Encryption Interoperability – see URL in Notes
Transparent Data Encryption:
- ASO Oracle Wallet
- OSB
- DG, Streams and GoldenGate
- Exadata
- RMAN Compression
- Transportable Tablespaces
- SQL Loader
Incompatible Features – what is not encrypted
http://www.oracle.com/technetwork/database/security/tde-faq-093689.html

Addressing Data at Rest Vulnerabilities
Data at Rest:
- Encrypted RMAN Backups – Encryption Password or Key Wallet
- DataPump – prompt for encryption key or Encryption Wallet
- Oracle Secure Backup – free … RMAN to tape – single node to single tape device
What did we do? Encrypted all files at the OS level including datafiles; backup to local filesystem, which is backed up to tape nightly.

Addressing Data in Use Vulnerabilities
- Fine Grained Access
- Data Masking
- Encrypting Client Connections
- Auditing
Performance tradeoffs related to Auditing depend on the implementation: DB, OS, and XML audit trail – see notes

One last update on Fine-Grained Auditing. I've run a few simple tests to see what kind of effect an FGA policy on the SPBPERS_SSN column would have. This is the query I ran for each test (which selects 16,472 rows from our SPBPERS table) and with _no_ FGA policy defined it ran in only 9.02 seconds:

DECLARE
  lv_ssn varchar(9);
BEGIN
  FOR i IN (SELECT i.spbpers_pidm FROM spbpers i WHERE spbpers_confid_ind='Y') LOOP
    SELECT s.spbpers_ssn INTO lv_ssn FROM spbpers s WHERE s.spbpers_pidm = i.spbpers_pidm;
  END LOOP;
END;
/

Prior to each test run of the above PL/SQL I bounced the database (clearing the shared pool), truncated the FGA_LOG$ table and issued the 'set timing on' command. Also keep in mind that with FGA enabled for a column you have the option to store the SQL statement issued in addition to the username, timestamp, machine name, etc. And you can either send the audit trail to the FGA_LOG$ table or to an XML file on the OS. Below are the results of my tests (I hope the formatting of my columns displays correctly):

location   SQL?   time (sec)   storage size
========   ====   ==========   ============
FGA_LOG$   Y      35.81        ? (forgot to query)
FGA_LOG$   N      19.96        2.2MB
XML file   Y      15.22        10MB (222K zipped)
XML file   N       9.14        8.5MB (141K zipped)

Note that not storing the SQL statement made a big difference in query time, as did storing the audit trail in an XML file on the operating system. Once I did both of those things (output to XML and no storing of the SQL statement) the query time was virtually the same as when FGA was disabled.
If we don't store the SQL statement issued, that is not going to tell us which SSNs were accessed, but it does at least tell us who accessed some SSNs, when, from which machine, and whether it was a select, update, or delete operation, which is more information than we currently have. Another thing to note is that querying SPBPERS and just specifying the SPBPERS_SSN in the WHERE clause does _not_ cause an audit record to be created (i.e. select spbpers_pidm from spbpers where spbpers_ssn='123456789'). So forms and jobs that do queries based on that column should not be affected by an FGA policy, unless they are also selecting that SSN column too (i.e. select * from spbpers where...). We will be implementing an FGA policy on the SPBPERS_SSN column in our develop database next week. I am very curious to see how real database jobs and forms will perform after doing so. In the end we may not be able to implement FGA on the SPBPERS_SSN column because it is such an active table tied to so many other tables. But even if that is the case I know there are some other less active tables with sensitive data that we could implement FGA on. Just food for thought.
Mandy

Passwords
Password Complexity controlled by Profiles
1. Password Function
2. Recommendations
Is the Password Encrypted when I Logon and Other Related Questions (Doc ID 271825.1)

Database Auditing
a. Table Privs
b. System Privs
c. We use a Logon/Logoff Trigger – see notes

Minimal Auditing:

AUDIT SESSION WHENEVER NOT SUCCESSFUL;

CREATE TABLE system.logonaudit (
  event       VARCHAR2(10),
  sid         NUMBER,
  serial#     NUMBER,
  timestamp   DATE,
  username    VARCHAR2(30),
  osuserid    VARCHAR2(30),
  machinename VARCHAR2(64)
);

-- Logoff trigger: look up sid/serial#, OS user and machine of the session
-- that is ending and record them with the database user name.
CREATE OR REPLACE TRIGGER logoff_audit_users
BEFORE LOGOFF ON DATABASE
DECLARE
  machinename VARCHAR2(64);
  osuserid    VARCHAR2(30);
  v_sid       NUMBER(10);
  v_serial    NUMBER(10);
  CURSOR c1 IS
    SELECT sid, serial#, osuser, machine
      FROM v$session
     WHERE audsid = userenv('sessionid');
BEGIN
  OPEN c1;
  FETCH c1 INTO v_sid, v_serial, osuserid, machinename;
  INSERT INTO system.logonaudit
  VALUES ('LOGOFF', v_sid, v_serial, sysdate, user, osuserid, machinename);
  CLOSE c1;
END;
/

-- Logon trigger: same lookup at session start. The transcript only preserved
-- the INSERT of this trigger; the declarations mirror the logoff trigger.
CREATE OR REPLACE TRIGGER logon_audit_users
AFTER LOGON ON DATABASE
DECLARE
  machinename VARCHAR2(64);
  osuserid    VARCHAR2(30);
  v_sid       NUMBER(10);
  v_serial    NUMBER(10);
  CURSOR c1 IS
    SELECT sid, serial#, osuser, machine
      FROM v$session
     WHERE audsid = userenv('sessionid');
BEGIN
  OPEN c1;
  FETCH c1 INTO v_sid, v_serial, osuserid, machinename;
  INSERT INTO system.logonaudit
  VALUES ('LOGON', v_sid, v_serial, sysdate, user, osuserid, machinename);
  CLOSE c1;
END;
/

-- Host-restriction trigger: TECHACCOUNT may only log in from hosts whose
-- name starts with NONTECHOS. write_log is a logging procedure referenced by
-- the slide but not shown here.
CREATE OR REPLACE TRIGGER host_logon_trg
AFTER LOGON ON DATABASE
DECLARE
  v_username  VARCHAR2(30)  := sys_context('USERENV','SESSION_USER');
  v_host_info VARCHAR2(200) := sys_context('USERENV','HOST');
BEGIN
  IF v_username = 'TECHACCOUNT' THEN
    IF v_host_info IS NULL THEN
      write_log('failed: direct login', v_username, v_host_info);
      raise_application_error(-20101, 'Direct login not allowed.');
    ELSIF v_host_info NOT LIKE 'NONTECHOS%' THEN
      write_log('failed: wrong host', v_username, v_host_info);
      raise_application_error(-20102, 'Login from wrong host not allowed.');
    ELSE
      write_log('successful login', v_username, v_host_info);
    END IF;
  END IF;
EXCEPTION
  WHEN OTHERS THEN
    -- Re-raise the two deliberate rejections: a bare RETURN here would swallow
    -- them and let the login proceed. Any other error (e.g. write_log failing)
    -- is ignored so that a logging problem does not lock every user out.
    IF SQLCODE IN (-20101, -20102) THEN
      RAISE;
    END IF;
    RETURN;
END host_logon_trg;
/

SELECT * FROM dba_stmt_audit_opts;

AUDIT DROP ANY TABLE BY ACCESS;
AUDIT DROP ANY PROCEDURE BY ACCESS;
AUDIT CREATE PUBLIC DATABASE LINK BY ACCESS;
AUDIT ALTER USER BY ACCESS;
AUDIT CREATE USER BY ACCESS;
AUDIT DROP USER BY ACCESS;
AUDIT ALTER DATABASE BY ACCESS;
AUDIT ALTER SYSTEM BY ACCESS;
AUDIT ALTER PROFILE BY ACCESS;
AUDIT DROP PROFILE BY ACCESS;
AUDIT DELETE ON sys.aud$;

Operating System Auditing
Oracle MOS Notes:
- Master Note for Auditing 1299033.1
- Audit syslog setup 553225.1
*.audit_trail='OS'
*.audit_syslog_level=LOCAL1.WARNING
Integrated w/ OS LogRotate on Linux to maintain files; files are transferred to our LogSearch implementation for searching and archiving

Open Source LogSearch
Storage of Auditing Records – integrated with Logstash, Kibana
1. Searching
2. Archiving Auditing Records – last 15 minutes, last 24 hours; compressed/archived records still available
3. Screenshot on next slide is a Firewall Search

Oracle External Password Store
Removing clear-text passwords from batch files; limiting access to username/password combinations

Oracle External Password Store (EPS)
- TNS ALIAS to define a username/password combo for SQLNET connections
- Removes the need for storing username/password in clear text for scripts, batch jobs
- Can be integrated with RMAN for backups
- Stored in an Oracle Wallet
- Removes the need for distributing username/password to programming staff
- Use both orapki and mkstore commands – more secure method
- Oracle login – use DBMS_PRIVILEGE_CAPTURE

External Password Store Goal: remove clear-text passwords for jobs and tasks run on a regular basis
- Staff no longer needs to know the username/password combo
- Environment needs to support this methodology – clear lines between production and non-production environments
- Shell environment variables by user
- Production files separated by permissions
- Korn Shell, Bash Shell, Output directory, Git Hub
- Convert Wallet to Java Keystore – see notes (HTTP/SSL)
How to Convert an Oracle Wallet to a Java Keystore (Doc ID 818274.1)

Oracle Key Manager – Another License
"What is the minimum configuration of Oracle Key Manager? The Oracle Key Manager 3 system at a minimum requires a pair of key management appliances (KMAs), an encryption-enabled storage device (i.e., Oracle's StorageTek T10000 tape drive), a connectivity kit to connect the encrypting device to the Oracle Key Manager cluster, and an encryption key for each device enrolled in the system."

ORAPKI & MKSTORE commands
orapki wallet create -wallet . -pwd "pass" -auto_login_local
mkstore -wrl . -createCredential <service_name> <user> <password>
sqlplus /@service_name
- Can only log in from the same host and the same OS user
- Requires a correct /etc/hosts (otherwise: ORA-12578: TNS:wallet open failed)
- service_name matches the tnsnames.ora entry
How To Prevent The Secure Password Store Wallet From Being Moved to Another Host (Doc ID 1114599.1)

NOTE:1114599.1 - How To Prevent The Secure Password Store Wallet From Being Moved to Another Host
Since 11.2 – new parameter
How To Check Whether The Wallet Is A Local Auto Login Wallet (Doc ID 1505040.1)
Applies to: Advanced Networking Option - Version 11.2.0.1 and later. Information in this document applies to any platform.
Goal: How to determine if the wallet is an auto login wallet or a local auto login wallet?
Fix: There is no way to determine that via a query or by running a simple command. There is an enhancement request (Bug 9110182) filed to implement a method to determine whether the wallet is auto_login_local.
Workaround: Copy the wallet (ewallet.p12 and cwallet.sso) to another host and test if it can be opened. If it fails, then the wallet is a local auto login wallet. OR: the local auto login wallet is also tied to the operating system user; try opening the wallet on the same host with another OS user. If it fails, then the wallet is an auto login local wallet.
References: NOTE:1114599.1 - How To Prevent The Secure Password Store Wallet From Being Moved to Another Host

SQLNET.ora Client Side – Batch Job
sqlnet.expire_time=10
DEFAULT_SDU_SIZE=32768
NAMES.DIRECTORY_PATH= (TNSNAMES, HOSTNAME)
SQLNET.INBOUND_CONNECT_TIMEOUT=120
RECV_BUF_SIZE=11250000
SEND_BUF_SIZE=11250000
TCP.NODELAY=YES
WALLET_LOCATION =
  (SOURCE = (METHOD = FILE)
    (METHOD_DATA = (DIRECTORY = /walletlocation)))
SQLNET.WALLET_OVERRIDE = TRUE
SSL_VERSION=1.0

SQLNET.WALLET_OVERRIDE = TRUE
This setting causes all CONNECT /@db_connect_string statements to use the information in the wallet at the specified location to authenticate to databases.
We chose FALSE as part of our migration. Why?
- It requires additional compile steps to integrate with Pro*COBOL and Pro*C programs
- A 3rd-party requirement mandated the current setting; we are in the process of migrating

Lessons Learned
- Each time an entry is modified it changes the wallet permissions
- Easy to implement… takes a while to migrate all code to use the new TNSALIAS
- New Oracle login – minimum grants
- Co-exists with Encrypted Connections
- We made different entries for production and non-production environments – environment variables $PASS_FOR_JOB $PPASS_FOR_JOB $PASS_FOR_BJOB $PASS_FOR_CJOB
Using The Secure External Password Store (Doc ID 340559.1)
The Impact of the Sqlnet Settings on Database Security (sqlnet.ora Security Parameters and Wallet Location) (Doc ID 1240824.1) – great for troubleshooting
How To Prevent The Secure Password Store Wallet From Being Moved to Another Host (Doc ID 1114599.1) – also be aware that besides the wallet being tied to the host, it is also tied to the operating system user; it cannot be used by another OS user, even on the same host.
ORA-15055 and ORA-12578 on database startup with external wallet store (Doc ID 1612712.1), modified Mar 11, 2014, type PROBLEM. Applies to: Oracle Database - Enterprise Edition - Version 11.2.0.3 and later. Information in this document applies to any platform.
Symptoms
Starting up a database using sqlplus fails with the following errors:
SQL> startup nomount ;
ORA-01078: failure in processing system parameters
ORA-01565: error in identifying file '+data01/ilab14/spfileilab14.ora'
ORA-17503: ksfdopn:2 Failed to open file +data01/ilab14/spfileilab14.ora
ORA-15056: additional error message
ORA-17503: ksfdopn:2 Failed to open file +DATA01/ilab14/spfileilab14.ora
ORA-15055: unable to connect to ASM instance
ORA-12578: TNS:wallet open failed
ORA-06512: at line 4

Database startup using SRVCTL fails with the following errors:
oraenv14:/export/home/oraenv14>srvctl start database -d ilab14
PRCR-1079 : Failed to start resource ora.ilab14.db
CRS-5017: The resource action "ora.ilab14.db start" encountered the following error:
ORA-01078: failure in processing system parameters
ORA-01565: error in identifying file '+data01/ilab14/spfileilab14.ora'
ORA-17503: ksfdopn:2 Failed to open file +data01/ilab14/spfileilab14.ora
ORA-15056: additional error message
ORA-17503: ksfdopn:2 Failed to open file +DATA01/ilab14/spfileilab14.ora
ORA-15055: unable to connect to ASM instance
ORA-12578: TNS:wallet open failed
ORA-06512: at line 4
. For details refer to "(:CLSN00107:)" in "/u001/oracle/env00gi/11.2.0.3/grid/log/selabu11/agent/crsd/oraagent_oraenv14/oraagent_oraenv14.log".
CRS-2674: Start of 'ora.ilab14.db' on 'selabu11' failed
CRS-2632: There are no more servers to try to place resource 'ora.ilab14.db' on that would satisfy its placement policy
CRS-5017: The resource action "ora.ilab14.db start" encountered the following error:
ORA-01078: failure in processing system parameters
ORA-01565: error in identifying file '+data01/ilab14/spfileilab14.ora'
ORA-17503: ksfdopn:2 Failed to open file +data01/ilab14/spfileilab14.ora
ORA-15056: additional error message
ORA-17503: ksfdopn:2 Failed to open file +DATA01/ilab14/spfileilab14.ora
ORA-15055: unable to connect to ASM instance
ORA-12578: TNS:wallet open failed
ORA-06512: at line 4
. For details refer to "(:CLSN00107:)" in "/u001/oracle/env00gi/11.2.0.3/grid/log/selabu12/agent/crsd/oraagent_oraenv14/oraagent_oraenv14.log".
CRS-2674: Start of 'ora.ilab14.db' on 'selabu12' failed

If the entry SQLNET.WALLET_OVERRIDE=TRUE in the sqlnet.ora file is commented out, everything works well.

Changes
Database uses ASM storage and an external wallet store has been configured to allow RMAN connections to the database without providing a password, as per Note 1383938.1. As part of this the following entries have been added to the sqlnet.ora file:
SQLNET.WALLET_OVERRIDE=TRUE
WALLET_LOCATION=<wallet_location>

Cause
The setting SQLNET.WALLET_OVERRIDE=TRUE interferes with the authentication mechanism between database and ASM instances.

Solution
Change the permission on the wallet to 750 to allow both the grid and oracle OS users access to the file. Furthermore the grid user should be a member of the group that owns the wallet (typically oinstall). A workaround would be to simply comment out the entry SQLNET.WALLET_OVERRIDE=TRUE from the sqlnet.ora file before database startup.

Encrypting Client Connections

Encrypting Client Connections
When using standard unencrypted connections the username/password is encrypted when connecting using SQLNET; everything else is clear text. Easy to confirm by running a SQL*Net trace.
Oracle refers to this as Native Network Encryption – in My Oracle Support.
SSL encryption is also available with an Oracle Wallet using the TCPS protocol:
- Step by Step Guide To Configure SSL Authentication (Doc ID 736510.1)
- Security Checklist: 10 Basic Steps to Make Your Database Secure from Attacks (Doc ID 1545816.1)
Consider encrypting network traffic between clients, databases, and application servers. For an introduction to Oracle network encryption, see "Configuring Network Data Encryption and Integrity". With the Network Encryption feature liberated from the license for the Advanced Security Option there is no longer any reason for not implementing at least native network encryption for Oracle client/server connections. To mitigate a number of recent vulnerability issues with SSL/TLS, consider adding the following parameters to both sqlnet.ora and listener.ora:
SSL_VERSION = 1.0
SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_AES_256_CBC_SHA)
This will have the following effect on secured connections originating or terminating from the database or Oracle listener:
- disable SSL v3 and thus cut off any vulnerability in this deprecated protocol
- by explicitly configuring only a limited number of cipher suites, disable the use of RC4 and the dreaded export ciphers

Client Types
- SQL*Plus, SQLNET
- ODBC
- JDBC
- SQL Developer
- C compile
- Cobol compiles
- Cold Fusion **** – this one has given us problems
How To Configure Oracle External Password Store (Wallet) To Work With Oracle ODBC (Doc ID 1430666.1)
Does the full Oracle client have to be installed to use SSL for database connections? (Doc ID 2032844.1)
The JDBC Thin driver is a full Java implementation of SQL*Net including most ASO features, including native network encryption features that work seamlessly. However, to work with an Oracle wallet and certificates for use with protocol TCPS it needs a special Java application-side implementation, since Java applications making use of the JDBC Thin driver do not use typical client-side configuration files such as sqlnet.ora to find and use the wallet_location. The following documents have examples to code it:
- End To End Examples of using SSL With Oracle's JDBC THIN Driver (Doc ID 762286.1)
- How To Setup The Database And The Client To Have SSL Mutual Authentication With An Oracle Jdbc Thin Client And The Database? (Doc ID 1190873.1)
If application code changes are not an option, then consider installing an Oracle client home and using the JDBC OCI (thick) driver.

Listener Side Encryption
LISTENER.ORA/SQLNET.ORA – see Notes
- Implemented in a separate 12c Oracle Home ($TNS_ADMIN)
- Requires a database restart/listener restart
- Live since Sept 2013
- No problems w/ Database Links to non-encrypted databases
- Very few client issues or compatibility problems
- No noticeable slowness seen

SQL> @sessioninfo

   INST_ID        SID    SERIAL# USERNAME
---------- ---------- ---------- ------------------------------
ENCRYPTION_TYPE
--------------------------------------------------------------------------------
         1       2599      20385 SYS
Oracle Advanced Security: RC4_40 encryption service adapter for Linux: Version 11.2.0.3.0 - Product

-- sessioninfo.sql
with sessions as (
  select /*+ MATERIALIZE */ inst_id, username, sid, serial#
    from gv$session
   where not ( type = 'BACKGROUND' or username is NULL )
),
session_connect_info as (
  -- The original pattern used [[:alnum:]]+ for the algorithm name. That class
  -- does not include '_', so it never matches RC4_40 and regexp_replace hands
  -- back the whole banner, which is exactly what the output above shows.
  -- Adding '_' to the class makes the column the algorithm name only.
  select /*+ MATERIALIZE */ inst_id, sid, serial#,
         regexp_replace( network_service_banner,
           '^Oracle Advanced Security: ([[:alnum:]_]+) encryption service adapter.+$',
           '\1' ) encryption_type
    from gv$session_connect_info
   where network_service_banner like 'Oracle Advanced Security: %encryption service adapter%'
)
select s.inst_id, s.sid, s.serial#, s.username, sci.encryption_type
  from sessions s
  join session_connect_info sci
    on ( sci.inst_id = s.inst_id and sci.sid = s.sid and sci.serial# = s.serial# )
 order by s.sid;

Tracing Sessions
Best way to determine if encryption is active. The Notes section has trace files from SQLNET connections on our Linux jobsub box to the Linux database server.
- SQLNET Client = SQLNET.ORA/TNSNAMES.ORA
- Database Server = LISTENER.ORA/SQLNET.ORA
- Cross Platform Encryption
Tracing is different as of 11g… recommended to disable adrci for control of output files. New diagnostic messages have been added in Oracle Net 12c's sqlnet.log file.
trace_directory_server=<directory>
trace_level_client=16
trace_level_server=16

Encryption…
(3942959856) [04-SEP-2013 07:29:06:929] naeecom: The server chose the 'RC4_40' encryption algorithm
(3942959856) [04-SEP-2013 07:29:06:929] naeecom: exit
(3942959856) [04-SEP-2013 07:29:06:929] naeccom: entry
(3942959856) [04-SEP-2013 07:29:06:929] naeccom: Crypto-Checksumming inactive
(3942959856) [04-SEP-2013 07:29:06:929] naeccom: exit
(3942959856) [04-SEP-2013 07:29:06:929] na_tns: entry
(3942959856) [04-SEP-2013 07:29:06:929] na_tns: Secure Network Services is available.
(3942959856) [04-SEP-2013 07:29:06:929] nau_adi: entry
(3942959856) [04-SEP-2013 07:29:06:929] nau_adi: exit
(3942959856) [04-SEP-2013 07:29:06:929] na_tns: authentication is not active
(3942959856) [04-SEP-2013 07:29:06:929] na_tns: encryption is active, using RC4_40
(3942959856) [04-SEP-2013 07:29:06:929] na_tns: crypto-checksumming is not active

No encryption…
(3231521520) [04-SEP-2013 07:31:43:105] naeccom: Crypto-Checksumming inactive
(3231521520) [04-SEP-2013 07:31:43:105] naeccom: exit
(3231521520) [04-SEP-2013 07:31:43:105] na_tns: entry
(3231521520) [04-SEP-2013 07:31:43:105] na_tns: Secure Network Services is available.
(3231521520) [04-SEP-2013 07:31:43:105] nau_adi: entry
(3231521520) [04-SEP-2013 07:31:43:105] nau_adi: exit
(3231521520) [04-SEP-2013 07:31:43:105] na_tns: authentication is not active
(3231521520) [04-SEP-2013 07:31:43:105] na_tns: encryption is not active
(3231521520) [04-SEP-2013 07:31:43:105] na_tns: crypto-checksumming is not active
(3231521520) [04-SEP-2013 07:31:43:105] na_tns: exit
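Reading the negotiated state out of these traces, and out of the network_service_banner that sessioninfo.sql queries, as an added Python example that is not part of the original slides. The two trace excerpts above are embedded as constructed samples; the wording of the "crypto-checksumming is active" message is assumed by analogy with the "not active" line on the page.

```python
import re
from typing import Dict, List, Optional

# gv$session_connect_info.network_service_banner; same idea as the
# regexp_replace in the page's sessioninfo.sql ('_' is included so RC4_40 matches).
BANNER_RE = re.compile(
    r"^Oracle Advanced Security: (?P<alg>[A-Za-z0-9_]+) encryption service adapter"
)

# One sqlnet trace record: "(thread id) [timestamp] function: message"
TRACE_RE = re.compile(
    r"^\((?P<tid>\d+)\)\s+\[(?P<ts>[^\]]+)\]\s+(?P<func>\w+):\s*(?P<msg>.*)$"
)
CHOSE_RE = re.compile(r"The server chose the '(?P<alg>[A-Za-z0-9_]+)' encryption algorithm")

# Constructed samples: the two excerpts from the page's trace files.
ENCRYPTED_TRACE = """
(3942959856) [04-SEP-2013 07:29:06:929] naeecom: The server chose the 'RC4_40' encryption algorithm
(3942959856) [04-SEP-2013 07:29:06:929] naeecom: exit
(3942959856) [04-SEP-2013 07:29:06:929] naeccom: entry
(3942959856) [04-SEP-2013 07:29:06:929] naeccom: Crypto-Checksumming inactive
(3942959856) [04-SEP-2013 07:29:06:929] naeccom: exit
(3942959856) [04-SEP-2013 07:29:06:929] na_tns: entry
(3942959856) [04-SEP-2013 07:29:06:929] na_tns: Secure Network Services is available.
(3942959856) [04-SEP-2013 07:29:06:929] na_tns: authentication is not active
(3942959856) [04-SEP-2013 07:29:06:929] na_tns: encryption is active, using RC4_40
(3942959856) [04-SEP-2013 07:29:06:929] na_tns: crypto-checksumming is not active
"""

PLAIN_TRACE = """
(3231521520) [04-SEP-2013 07:31:43:105] naeccom: exit
(3231521520) [04-SEP-2013 07:31:43:105] na_tns: entry
(3231521520) [04-SEP-2013 07:31:43:105] na_tns: Secure Network Services is available.
(3231521520) [04-SEP-2013 07:31:43:105] na_tns: authentication is not active
(3231521520) [04-SEP-2013 07:31:43:105] na_tns: encryption is not active
(3231521520) [04-SEP-2013 07:31:43:105] na_tns: crypto-checksumming is not active
(3231521520) [04-SEP-2013 07:31:43:105] na_tns: exit
"""


def encryption_type_from_banner(banner: str) -> Optional[str]:
    """Algorithm name from a network_service_banner, or None for other adapters."""
    m = BANNER_RE.match(banner)
    return m.group("alg") if m else None


def summarize_trace(trace: str) -> Dict[str, Dict[str, object]]:
    """Per trace thread id: the algorithm naeecom says the server chose, and the
    final na_tns state. 'encryption' is the algorithm name, "none" when na_tns
    reports it not active, or "unknown" when na_tns never reported it."""
    sessions: Dict[str, Dict[str, object]] = {}
    for raw in trace.splitlines():
        m = TRACE_RE.match(raw.strip())
        if not m:
            continue
        st = sessions.setdefault(m.group("tid"), {
            "timestamp": m.group("ts"),
            "server_chose": None,
            "encryption": "unknown",
            "checksum": None,
            "authentication": None,
        })
        func, msg = m.group("func"), m.group("msg")
        if func == "naeecom":
            c = CHOSE_RE.search(msg)
            if c:
                st["server_chose"] = c.group("alg")
            continue
        if func != "na_tns":
            continue  # naeccom/nau_adi are negotiation steps; na_tns states the outcome
        if msg.startswith("encryption is active, using "):
            st["encryption"] = msg[len("encryption is active, using "):].strip()
        elif msg == "encryption is not active":
            st["encryption"] = "none"
        elif msg.startswith("crypto-checksumming is"):
            st["checksum"] = "not active" not in msg  # assumed wording for the active case
        elif msg.startswith("authentication is"):
            st["authentication"] = "not active" not in msg
    return sessions


def unencrypted_sessions(trace: str) -> List[str]:
    """Thread ids whose final na_tns state says encryption is not active."""
    return [tid for tid, st in summarize_trace(trace).items() if st["encryption"] == "none"]
```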

SQLNET.ora - Database Listener
DISABLE_OOB = ON
SQLNET.AUTHENTICATION_SERVICES= (TCPS)
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER= (MD5)
SQLNET.ENCRYPTION_SERVER = required
NAMES.DIRECTORY_PATH= (TNSNAMES, HOSTNAME)
SSL_CLIENT_AUTHENTICATION = TRUE
SQLNET.CRYPTO_SEED = 'YOURSEEDNUMBERS'
SQLNET.ENCRYPTION_TYPES_SERVER= (RC4_40, AES256, RC4_256, AES192, 3DES168, AES128, RC4_128, 3DES112, RC4_56)
SEND_BUF_SIZE = 11250000
RECV_BUF_SIZE = 11250000
DEFAULT_SDU_SIZE = 32768
TCP.NODELAY = YES
SQLNET.EXPIRE_TIME = 10
SQLNET.INBOUND_CONNECT_TIMEOUT = 120
ADR_BASE = /u01/app/oracle
SQLNET.CRYPTO_CHECKSUM_SERVER = required
USE_NS_PROBES_FOR_DCD=true
SSL_VERSION=1.0
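A small check over the server-side parameters above, as an added Python example that is not from the slides: it parses the relevant sqlnet.ora lines (embedded as constructed samples taken from this listener configuration) and flags settings that leave sessions unencrypted or offer weak algorithms. The sets of algorithms treated as weak are this example's own assumptions; the page's own session report shows RC4_40, the first entry in the list, being negotiated.

```python
from typing import Dict, List, Union

Value = Union[str, List[str]]

# Constructed sample: the encryption-related lines of the listener-side sqlnet.ora above.
SAMPLE_SQLNET_ORA = """
SQLNET.ENCRYPTION_SERVER = required
SQLNET.ENCRYPTION_TYPES_SERVER= (RC4_40, AES256, RC4_256, AES192, 3DES168, AES128, RC4_128, 3DES112, RC4_56)
SQLNET.CRYPTO_CHECKSUM_SERVER = required
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER= (MD5)
SSL_VERSION=1.0
SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_AES_256_CBC_SHA)
"""

# Second constructed sample: encryption merely 'accepted', integrity rejected,
# RC4/export TLS suites. Used to show what the checks report.
SAMPLE_OPTIONAL = """
SQLNET.ENCRYPTION_SERVER = accepted   # default when the parameter is absent
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)
SQLNET.CRYPTO_CHECKSUM_SERVER = rejected
SSL_CIPHER_SUITES = (SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5)
"""

# Assumed weak sets: RC4 at any key length, single DES, 40-bit and 112-bit variants.
WEAK_ENCRYPTION = {"RC4_40", "RC4_56", "RC4_128", "RC4_256", "DES", "DES40", "3DES112"}
WEAK_CHECKSUM = {"MD5"}
WEAK_SUITE_MARKERS = ("RC4", "EXPORT", "_DES_", "NULL", "_MD5")


def parse_sqlnet_ora(text: str) -> Dict[str, Value]:
    """Minimal parser for single-line KEY = value and KEY = (a, b, c) entries.
    Nested values such as WALLET_LOCATION = (SOURCE = (...)) are kept as raw strings."""
    params: Dict[str, Value] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if value.startswith("(") and value.endswith(")") and "(" not in value[1:]:
            params[key.upper()] = [v.strip() for v in value[1:-1].split(",") if v.strip()]
        else:
            params[key.upper()] = value
    return params


def audit_sqlnet(text: str) -> List[str]:
    """Findings for the server-side encryption and integrity parameters."""
    p = parse_sqlnet_ora(text)
    findings: List[str] = []

    def as_list(key: str) -> List[str]:
        v = p.get(key, [])
        return [v] if isinstance(v, str) else v

    # Oracle's default for both *_SERVER switches is 'accepted', so an absent
    # parameter is treated the same as an explicit 'accepted'.
    if str(p.get("SQLNET.ENCRYPTION_SERVER", "accepted")).lower() != "required":
        findings.append("SQLNET.ENCRYPTION_SERVER is not 'required': a client that does not "
                        "ask for encryption gets a clear-text session")
    if str(p.get("SQLNET.CRYPTO_CHECKSUM_SERVER", "accepted")).lower() != "required":
        findings.append("SQLNET.CRYPTO_CHECKSUM_SERVER is not 'required': packet integrity "
                        "checking is optional")
    weak = [a for a in as_list("SQLNET.ENCRYPTION_TYPES_SERVER") if a.upper() in WEAK_ENCRYPTION]
    if weak:
        findings.append("SQLNET.ENCRYPTION_TYPES_SERVER offers weak algorithms: " + ", ".join(weak))
    weak = [a for a in as_list("SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER") if a.upper() in WEAK_CHECKSUM]
    if weak:
        findings.append("SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER offers weak checksums: " + ", ".join(weak))
    bad = [s for s in as_list("SSL_CIPHER_SUITES")
           if any(marker in s.upper() for marker in WEAK_SUITE_MARKERS)]
    if bad:
        findings.append("SSL_CIPHER_SUITES includes RC4/export/DES/NULL/MD5 suites: " + ", ".join(bad))
    return findings


if __name__ == "__main__":
    for name, sample in (("page listener", SAMPLE_SQLNET_ORA), ("optional", SAMPLE_OPTIONAL)):
        print(name)
        for f in audit_sqlnet(sample):
            print("  -", f)
```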

SQL Net Changes in 12c

Dead Connection Detection
- Network switches/routers may no longer recognize Oracle's DCD packets (they are zero length), but they do recognize the OS keep-alive packets (non-zero length).
- The host OS keep-alive setting (tcp_keep_alive) can be modified to be less than the firewall inactivity timeout. This will cause the OS to send a test packet to the client when the timeout is reached and the client will respond with an ACK. To all intents and purposes this is the same as turning off the firewall inactivity timer for this host.
- Oracle Net 12c: New Implementation of Dead Connection Detection (DCD) (Doc ID 1591874.1)

SQLNET Changes in 12c - cont'd
- Larger Session Data Unit Sizes
- Advanced Network Compression
- Terminated Client Detection
- Intelligent Client Connection
- SQLNET.ALLOWED_LOGON_VERSION - a setting of 8 permits most password versions, and allows any combination of the DBA_USERS.PASSWORD_VERSIONS values 10G, 11G, and 12C.
- SQLNET.ALLOWED_LOGON_VERSION_SERVER - a setting of 12a permits only the 12C password version.

Client Compatibility
- Recently released Oracle products come with encryption enabled, used by default if configured
- SQL Developer - uses encryption if available
- SQL*Plus/SQLNET - different implementation types: server and/or client configured
- JDBC - see Notes
- Recommendation: use listener-side encryption if all clients are compatible
- Not all compatible: make encryption available but not mandatory, and make plans to migrate or convert

Security Features in 12c

Security Features in 12c
a. Verifier / DBMS_PRIVILEGE_CAPTURE
b. Case Sensitivity
c. Password Hash
d. Unified Auditing
e. RMAN
f. DataPump
g. Other Notes/Tips for 12c - including bugs

Verifier
- DBMS_PRIVILEGE_CAPTURE - analyzes the actual permissions needed during execution
- CAPTURE_ADMIN privilege
- Populates DBA_ views
- DATABASE - ran in non-prod - 12:47 pm
- ROLE
- SYS_CONTEXT - sqlplus, session

Start Capture, Stop Capture, Report ...

Report columns: Username, Role, Sys Priv, Owner, Object Name, Type, ObjPriv, UserPriv, Grant Path
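What the capture report is for is the comparison step: grants a user holds set against privileges the capture saw exercised, with the grant path telling you whether a whole role can go or only a direct grant. The following is an added example (not from the slide deck or from Oracle) that performs that comparison offline on constructed data shaped like the report columns above: unused grants, roles through which nothing was ever used, and the resulting least-privilege revoke list. GRANTED and USED are constructed; a real run would fill them from the DBA_ views the capture populates.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Grant:
    grantee: str    # database user
    privilege: str  # e.g. "SELECT ON HR.EMPLOYEES" or "CREATE ANY TABLE"
    path: str       # "DIRECT" or the role the privilege arrives through (grant path)


# Constructed: what the users hold after expanding role grants, in the shape
# of the report's Username / Sys Priv / ObjPriv / Grant Path columns.
GRANTED: List[Grant] = [
    Grant("APP", "SELECT ON HR.EMPLOYEES", "DIRECT"),
    Grant("APP", "UPDATE ON HR.EMPLOYEES", "DIRECT"),
    Grant("APP", "CREATE SESSION", "DIRECT"),
    Grant("APP", "CREATE ANY TABLE", "APP_ADMIN_ROLE"),
    Grant("APP", "DROP ANY TABLE", "APP_ADMIN_ROLE"),
    Grant("REPORTER", "CREATE SESSION", "DIRECT"),
    Grant("REPORTER", "SELECT ANY TABLE", "DIRECT"),
    Grant("REPORTER", "SELECT ON HR.EMPLOYEES", "REPORT_ROLE"),
    Grant("REPORTER", "SELECT ON HR.SALARIES", "REPORT_ROLE"),
]

# Constructed: (user, privilege) pairs the capture recorded as actually used.
USED: Set[Tuple[str, str]] = {
    ("APP", "CREATE SESSION"),
    ("APP", "SELECT ON HR.EMPLOYEES"),
    ("APP", "UPDATE ON HR.EMPLOYEES"),
    ("REPORTER", "CREATE SESSION"),
    ("REPORTER", "SELECT ON HR.EMPLOYEES"),
}


def unused_grants(granted: List[Grant], used: Set[Tuple[str, str]]) -> List[Grant]:
    """Grants never exercised during the capture window, in grant order."""
    return [g for g in granted if (g.grantee, g.privilege) not in used]


def revocable_roles(granted: List[Grant], used: Set[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Roles through which a user exercised nothing: the whole role can be revoked."""
    by_role: Dict[Tuple[str, str], List[Grant]] = {}
    for g in granted:
        if g.path != "DIRECT":
            by_role.setdefault((g.grantee, g.path), []).append(g)
    out: Dict[str, List[str]] = {}
    for (user, role), grants in by_role.items():
        if all((g.grantee, g.privilege) not in used for g in grants):
            out.setdefault(user, []).append(role)
    return out


def revoke_statements(granted: List[Grant], used: Set[Tuple[str, str]]) -> List[str]:
    """Least-privilege plan: drop wholly unused roles, then unused direct grants.

    A partially used role (REPORT_ROLE here) is left alone; trimming it is a
    change to the role definition, not to the user, and needs its own review.
    """
    stmts = [f"REVOKE {role} FROM {user}"
             for user, roles in revocable_roles(granted, used).items() for role in roles]
    for g in unused_grants(granted, used):
        if g.path == "DIRECT":
            stmts.append(f"REVOKE {g.privilege} FROM {g.grantee}")
    return stmts


if __name__ == "__main__":
    for g in unused_grants(GRANTED, USED):
        print("unused:", g)
    print(revoke_statements(GRANTED, USED))
```

The capture window has to cover every code path (month-end jobs included) before the revoke list is trusted; a privilege that is merely rare looks identical to one that is never needed.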

Protecting the Database
- Change sys and system passwords
- Lock, expire, and change passwords on default/unused accounts
- Restrict access to the Oracle binaries, audit, diag, and logs
- Review database user privileges - VERIFIER
- Revoke privileges from PUBLIC - VERIFIER
- Protect the data dictionary - VERIFIER
- remote_os_authent = false
- sec_case_sensitive_logon = true
- global_names = true
- unset parameter utl_file_dir
- Protect listener and network connections
- Encrypt sqlnet connections using network encryption
- Protect the database host
- Security Alerts, CPU - email notifications via MOS
- Security Checklist: 10 Basic Steps to Make Your Database Secure from Attacks (Doc ID 1545816.1)

Case Sensitive Passwords
This doubled the number of passwords plus salt (makes it harder to reverse engineer).
http://docs.oracle.com/cd/E11882_01/network.112/e40393/asogls.htm#ASOAG10265

-- HTH -- Mark D Powell -- PS - Here is a link to Oratig's reference article

11g R1 New Feature : Case Sensitive Passwords and Strong User Authentication (Doc ID 429465.1)

Unified Auditing

Oracle Database 12c Unified Auditing enables selective and effective auditing inside the Oracle database using policies and conditions. For example, audit policies can be configured to audit based on specific IP addresses, programs, time periods, or connection types such as proxy authentication. In addition, specific schemas can be easily exempted from auditing when the audit policy is enabled. New roles have been introduced for management of policies and the viewing of audit data. The AUDIT_ADMIN and AUDIT_VIEWER roles provide separation of duty and flexibility to organizations who wish to designate specific users to manage audit settings and view audit activity. The new architecture unifies the existing audit trails into a single audit trail, enabling simplified management and increasing the security of audit data generated by the database.

Unified Auditing
- Some Unified Auditing is ON by default in MIXED MODE when you create a fresh Oracle 12c database.
- Just two policies are enabled by default: ORA_SECURECONFIG and ORA_LOGON_FAILURES
- Upgrading from previous versions there are no rows to this query:
  select VALUE from V$OPTION where PARAMETER='Unified Auditing';
  FALSE
- https://blogs.oracle.com/UPGRADE/entry/unified_auditing_is_it_on
- Bug 21133343 - *.aud File is Generated in Unified Auditing Environment Even When AUDIT_TRAIL=NONE (Doc ID 21133343.8)

Unified Auditing - cont'd
- You can try Unified Auditing without implementing pure Unified Audit mode
- Pure Unified Auditing: link the oracle binary with uniaud_on; instance restart required
- Unified Auditing records written to the database store generate REDO; use a physical standby for reporting on the UNIFIED_AUDIT_TRAIL view
- $ORACLE_BASE/audit/SID on the standby is where the OS audit files are stored - monitor storage
- Auditing SYSDBA is now different:
  SQL> CREATE AUDIT POLICY all_actions_pol ACTIONS ALL;
  SQL> AUDIT POLICY all_actions_pol by SYS;
- Several major bugs - logon not audited, performance of the UNIFIED_AUDIT_TRAIL view, etc.
- How To Enable The New Unified Auditing In 12c ? (Doc ID 1567006.1)
- 12c Unified Auditing used with Data Guard (Doc ID 2021747.1):

  3) Since ADG is in Read-Only mode, the Unified Audit records generated on the Standby gets written to the OS .bin files. The UNIFIED_AUDIT_TRAIL (based on V$UNIFIED_AUDIT_TRAIL) view gets you the audit records from both database store and the OS .bin files. Unified Audit (as the name suggests) gives you a single view of the audit trail. It retrieves audit records from both .bin files and database store. When you clean the unified audit records using DBMS_AUDIT_MGMT.clean_audit_trail procedure with AUDIT_TRAIL_UNIFIED parameter, Server internally takes care of purging relevant audit records from both .bin files and database store. As a consumer of unified audit trail, you need not be concerned about where the records are stored and how they are cleaned. I recommend you to use UNIFIED_AUDIT_TRAIL documented view to query unified audit trail, and not the V$UNIFIED_AUDIT_TRAIL, an internal view. The OS files in the standby are binary files in: $ORACLE_BASE/audit/SID. Therefore this location requires space for them. I don't have any requirements for the amount of space since it would be dependent on what is audited. Auditing everything is not realistic. Auditing specific sensitive columns is what is intended.

- Unified Audit Trail - LOGON Action Not Captured (Doc ID 1940793.1)

Securing RMAN in 12c
- Use the external password store to remove the need for a username/password combo in clear text
- If you use Doc ID 1383938.1 the wallet can be copied and used on other hosts... a security flaw; use the command from slide 15. Every doc I have seen for EPS has the less secure instructions!
  mkstore -wrl $ORACLE_HOME/network/admin -create
- In 12c Oracle, the UNIFIED_AUDIT_TRAIL data dictionary view has a set of fields (prefixed with RMAN_) which automatically record RMAN-related events. However, you must have the AUDIT_ADMIN or AUDIT_VIEWER role in order to query the UNIFIED_AUDIT_TRAIL view to see these events.
- How To Configure The Secure External Password Store To Allow The Connection To RMAN Catalog? (Doc ID 1383938.1)
- RMAN Enhancements in Oracle 12c (Doc ID 1534487.1)

SYSBACKUP
- The SYSBACKUP user must be unlocked and granted
- SYSDBA is still the default connection if not specified
- SYSBACKUP - no SQL access to underlying data without grants
- Recreate the password file with FORMAT=12 and sysbackup=Y:
  orapwd file=[fname] entries=[users] force=[y/n] asm=[y/n] dbuniquename=[dbname] format=[legacy/12] sysbackup=[y/n] sysdg=[y/n] syskm=[y/n] delete=[y/n] input_file=[input-fname]

RMAN Encryption Methods
- Transparent - default; Oracle key management infrastructure and Oracle Wallet
- Password - no wallet manager, but requires specifying a password for encryption and decryption. Lost password = lost backup, lost restores
- Dual - both types, transparent and password
- Oracle Key Manager 3 - hardware/software solution

RMAN Encryption & Oracle Secure Backup - OSB
- Advanced Security Option (ASO), Enterprise Edition - all options installed as of 12c
- Encrypted backups to tape not using OSB are not supported
- Encrypting backups to tape using OSB is supported without ASO, Standard Edition
- Oracle Secure Backup Express Edition (free) does not support backup encryption - one database on one node directly attached to a tape device
- Our environment - backup to encrypted OS file systems, nightly tape backups for the entire enterprise

DataPump Enhancements
- Prompt for Encryption Password
- Unified Auditing
- ASO Integration with Key Infrastructure
http://download.oracle.com/otndocs/products/database/enterprise_edition/utilities/pdf/datapump11g_encrypted_1106.pdf

Extended Users & OS Groups
- SYSBACKUP, SYSDG - standbys, SYSKM - TDE
- OS groups: OSDBA, OSOPER, OSBACKUPDBA, OSDGDBA, OSKMDBA, OSASM
- To divide responsibilities - job role separation

Other Security Recommendations

Additional Encryption Information
- Encrypted file systems/database files using RH OS Linux/UNIX filesystem encryption - live several years, no issues
- Not supported by Oracle - opened SR; initialization parameter affected: disk_asynch_io = FALSE
- Requires a password during reboots
- Protects files backed up to tape and if the server is turned off
- We use an SSL encrypted tunnel between standbys; archive logs are vulnerable
- Encrypting REDO traffic using Oracle requires the Advanced Security Option license
- Enabling Encryption for Data Guard Redo Transport (Doc ID 749947.1)

April C Sims
aprilcsims.wordpress.com
LinkedIn

Please complete the session evaluation. We appreciate your feedback and insight. You may complete the session evaluation via the mobile app.