Which Of The Following Identifies An Operating System Or Network Service
7
Security Policies
The idea of security policies includes many dimensions. Broad considerations include requiring backups to be done regularly and stored off-site. Narrow table or data considerations include ensuring that unauthorized access to sensitive data, such as employee salaries, is precluded by built-in restrictions on every type of access to the table that contains them.
This chapter discusses security policies in the following sections:
- System Security Policy
- Data Security Policy
- User Security Policy
- Password Management Policy
- Auditing Policy
- A Security Checklist
System Security Policy
This section describes aspects of system security policy, and contains the following topics:
- Database User Management
- User Authentication
- Operating System Security
Each database has one or more administrators who are responsible for maintaining all aspects of the security policy: the security administrators. If the database system is small, the database administrator may have the responsibilities of the security administrator. However, if the database system is large, a special person or group of people may have responsibilities limited to those of a security administrator.
After deciding who will manage the security of the system, a security policy must be developed for every database. A database's security policy should include several sub-policies, as explained in the following sections.
Database User Management
Database users are the access paths to the information in an Oracle database. Therefore, tight security should be maintained for the management of database users. Depending on the size of a database system and the amount of work required to manage database users, the security administrator may be the only user with the privileges required to create, alter, or drop database users. On the other hand, there may be a number of administrators with privileges to manage database users. Regardless, only trusted individuals should have the powerful privileges to administer database users.
User Authentication
Database users can be authenticated (verified as the correct person) by Oracle using database passwords, the host operating system, network services, or by Secure Sockets Layer (SSL).
Note:
To be authenticated using network authentication services or SSL requires that you have installed Oracle Advanced Security. Refer to the Oracle Advanced Security Administrator's Guide for information about these types of authentication.
User authentication and how it is specified is discussed in "User Authentication Methods".
Operating System Security
The following security issues must also be considered for the operating system environment executing Oracle and any database applications:
- Database administrators must have the operating system privileges to create and delete files.
- Typical database users should not have the operating system privileges to create or delete files related to the database.
- If the operating system identifies database roles for users, the security administrators must have the operating system privileges to modify the security domain of operating system accounts.
See Also:
Your operating-system-specific Oracle documentation contains more information about operating system security issues
Data Security Policy
Data security includes the mechanisms that control the access to and use of the database at the object level. Your data security policy determines which users have access to a specific schema object, and the specific types of actions allowed for each user on the object. For example, the policy could establish that user scott can issue SELECT and INSERT statements but not DELETE statements using the emp table. Your data security policy should also define the actions, if any, that are audited for each schema object.
Your data security policy is determined primarily by the level of security you want to establish for the data in your database. For example, it may be acceptable to have little data security in a database when you want to allow any user to create any schema object, or grant access privileges for their objects to any other user of the system. Alternatively, it might be necessary for data security to be very controlled when you want to make a database or security administrator the only person with the privileges to create objects and grant access privileges for objects to roles and users.
Overall data security should be based on the sensitivity of data. If information is not sensitive, then the data security policy can be more lax. However, if data is sensitive, a security policy should be developed to maintain tight control over access to objects.
Some means of implementing data security include system and object privileges, and through roles. A role is a set of privileges grouped together that can be granted to users. Privileges and roles are discussed in Chapter 10, "Administering User Privileges, Roles, and Profiles".
Views can also implement data security because their definition can restrict access to table data. They can exclude columns containing sensitive data.
Another means of implementing data security is through fine-grained access control and use of an associated application context. Fine-grained access control is a feature of Oracle Database that enables you to implement security policies with functions, and to associate those security policies with tables or views. In effect, the security policy function generates a WHERE condition that is appended to relevant SQL statements, thereby restricting user access to rows of data in the table or view. An application context is a secure data cache for storing information used to make access control decisions.
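The fine-grained access control mechanism described above, as an added example that is not taken from the Oracle documentation: an application context holds the caller's department and a policy function turns it into the WHERE condition applied to scott.emp. The APP_OWNER schema, the USER_DEPT mapping table, the EMP_CTX context, the function and policy names, and the DEPTNO column on emp are assumptions.

```sql
-- Added example. Assumed names: schema APP_OWNER, table USER_DEPT, context EMP_CTX,
-- function EMP_DEPT_PREDICATE, policy EMP_DEPT_POLICY; assumes SCOTT.EMP has a DEPTNO column.
-- Run as an administrator holding CREATE ANY CONTEXT and EXECUTE on DBMS_RLS.

-- Mapping of database usernames to the department whose rows they may see.
-- It is a separate table so that reading it is not itself subject to the policy.
CREATE TABLE app_owner.user_dept (
  username VARCHAR2(30) PRIMARY KEY,
  deptno   NUMBER(2)    NOT NULL
);

-- The context namespace can be written only through the named package.
CREATE CONTEXT emp_ctx USING app_owner.emp_ctx_pkg;

CREATE OR REPLACE PACKAGE app_owner.emp_ctx_pkg AS
  PROCEDURE set_dept;
END emp_ctx_pkg;
/

CREATE OR REPLACE PACKAGE BODY app_owner.emp_ctx_pkg AS
  PROCEDURE set_dept IS
    v_deptno app_owner.user_dept.deptno%TYPE;
  BEGIN
    SELECT deptno INTO v_deptno
      FROM app_owner.user_dept
     WHERE username = SYS_CONTEXT('USERENV', 'SESSION_USER');
    DBMS_SESSION.SET_CONTEXT('emp_ctx', 'deptno', TO_CHAR(v_deptno));
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      NULL;  -- unmapped user: the attribute stays unset and the policy returns no rows
  END set_dept;
END emp_ctx_pkg;
/

-- set_dept takes no input, so a caller cannot choose which department is stored.
-- Each session calls it once after connecting.
GRANT EXECUTE ON app_owner.emp_ctx_pkg TO PUBLIC;

-- Policy function: returns the text of the WHERE condition for the protected object.
CREATE OR REPLACE FUNCTION app_owner.emp_dept_predicate (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2 IS
BEGIN
  IF SYS_CONTEXT('emp_ctx', 'deptno') IS NULL THEN
    RETURN '1 = 2';  -- fail closed when no department has been established
  END IF;
  RETURN 'deptno = TO_NUMBER(SYS_CONTEXT(''emp_ctx'', ''deptno''))';
END emp_dept_predicate;
/

-- Associate the function with the table for all DML statement types.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'SCOTT',
    object_name     => 'EMP',
    policy_name     => 'EMP_DEPT_POLICY',
    function_schema => 'APP_OWNER',
    policy_function => 'EMP_DEPT_PREDICATE',
    statement_types => 'SELECT, INSERT, UPDATE, DELETE',
    update_check    => TRUE);  -- inserted or updated rows must also satisfy the condition
END;
/

-- Confirm that the policy is registered and enabled.
SELECT object_owner, object_name, policy_name, pf_owner, sel, ins, upd, del, enable
  FROM dba_policies
 WHERE object_owner = 'SCOTT'
   AND object_name  = 'EMP';
```

Connections as SYS and users granted the EXEMPT ACCESS POLICY system privilege bypass such policies, so grants of that privilege belong in the same review.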
User Security Policy
This section describes aspects of user security policy, and contains the following topics:
- General User Security
- End-User Security
- Administrator Security
- Application Developer Security
- Application Administrator Security
General User Security
For all types of database users, consider the following general user security issues:
- Password Security
- Privilege Management
Password Security
If user authentication is managed by the database, security administrators should develop a password security policy to maintain database access security. For example, database users should be required to change their passwords at regular intervals, and of course, when their passwords are revealed to others. By forcing a user to change passwords in such situations, unauthorized database access can be reduced.
Passwords are always automatically and transparently encrypted during network (client/server and server/server) connections, using a modified DES (Data Encryption Standard) algorithm, before sending them across the network.
Privilege Management
Security administrators should consider issues related to privilege management for all types of users. For example, in a database with many usernames, it may be beneficial to use roles (which are named groups of related privileges that you grant to users or other roles) to manage the privileges available to users. Alternatively, in a database with a handful of usernames, it may be easier to grant privileges explicitly to users and avoid the use of roles.
Security administrators managing a database with many users, applications, or objects should take advantage of the benefits offered by roles. Roles greatly simplify the task of privilege management in complicated environments.
End-User Security
Security administrators must define a policy for end-user security. If a database has many users, the security administrator can decide which groups of users can be categorized into user groups, and then create user roles for these groups. The security administrator can grant the necessary privileges or application roles to each user role, and assign the user roles to the users. To account for exceptions, the security administrator must also decide what privileges must be explicitly granted to individual users.
Using Roles for End-User Privilege Management
Roles are the easiest way to grant and manage the common privileges needed by different groups of database users.
Consider a situation where every user in the accounting department of a company needs the privileges to run the accounts receivable and accounts payable database applications (ACCTS_REC and ACCTS_PAY). Roles are associated with both applications, and they contain the object privileges necessary to execute those applications.
The following actions, performed by the database or security administrator, address this simple security situation:
- Create a role named accountant.
- Grant the roles for the ACCTS_REC and ACCTS_PAY database applications to the accountant role.
- Grant each user of the accounting department the accountant role.
This security model is illustrated in Figure 7-1.
Figure 7-1 User Role
This plan addresses the following potential situations:
- If accountants subsequently need a role for a new database application, that application's role can be granted to the accountant role, and all users in the accounting department will automatically receive the privileges associated with the new database application. The application's role does not need to be granted to individual users requiring use of the application.
- Similarly, if the accounting department no longer needs a specific application, the application's role can be dropped from the accountant role.
- If the privileges required by the ACCTS_REC and ACCTS_PAY applications change, the new privileges can be granted to, or revoked from, the application's role. The security domain of the accountant role, and all users granted the accountant role, automatically reflect the privilege modification.
Use roles in all possible situations to make end-user privilege management efficient and simple.
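The accountant scenario above written out as statements, followed by a data dictionary query that shows which object privileges a user actually receives through the role chain. This is an added example, not part of the Oracle text; the application role names (ACCTS_REC_ROLE, ACCTS_PAY_ROLE, ACCTS_LEDGER_ROLE) and the users JWARD and TSMITH are assumptions.

```sql
-- Added example. The application roles are assumed to exist already and to hold
-- the object privileges their applications need; user names are hypothetical.

-- 1. Create the user role and give it the two application roles.
CREATE ROLE accountant;
GRANT accts_rec_role, accts_pay_role TO accountant;

-- 2. Give the user role to each member of the accounting department.
GRANT accountant TO jward, tsmith;

-- Later change A: accounting starts using a new application.
-- One grant to the role reaches every accountant.
GRANT accts_ledger_role TO accountant;

-- Later change B: accounting stops using accounts payable.
REVOKE accts_pay_role FROM accountant;

-- Review: every role JWARD holds, directly or through another role.
SELECT LEVEL AS depth, grantee, granted_role
  FROM dba_role_privs
 START WITH grantee = 'JWARD'
CONNECT BY PRIOR granted_role = grantee
 ORDER BY depth, granted_role;

-- Review: the object privileges JWARD receives through those roles,
-- with the role that carries each one.
SELECT tp.grantee AS via_role, tp.owner, tp.table_name, tp.privilege
  FROM dba_tab_privs tp
 WHERE tp.grantee IN (
         SELECT granted_role
           FROM dba_role_privs
          START WITH grantee = 'JWARD'
        CONNECT BY PRIOR granted_role = grantee)
 ORDER BY tp.grantee, tp.owner, tp.table_name, tp.privilege;

-- Review: exceptions granted directly to the user rather than through a role.
SELECT owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'JWARD'
 ORDER BY owner, table_name, privilege;
```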
Using a Directory Service for End-User Privilege Management
You can also manage users and their authorizations centrally, in a directory service, through the enterprise user and enterprise role features of Oracle Advanced Security. See the Oracle Advanced Security Administrator's Guide for information about this functionality.
Administrator Security
Security administrators should have a policy addressing database administrator security. For example, when the database is large and there are several types of database administrators, the security administrator may decide to group related administrative privileges into several administrative roles. The administrative roles can then be granted to appropriate administrator users. Alternatively, when the database is small and has only a few administrators, it may be more convenient to create one administrative role and grant it to all administrators.
Protection for Connections as SYS and SYSTEM
After database creation, and if you used the default passwords for SYS and SYSTEM, immediately change the passwords for the SYS and SYSTEM administrative usernames. Connecting as SYS or SYSTEM gives a user powerful privileges to modify a database. For example, connecting as SYS allows a user to alter data dictionary tables. The privileges associated with these usernames are extremely sensitive, and should only be available to select database administrators.
If you have installed options that have caused other administrative usernames to be created, such username accounts are initially created locked. To unlock these accounts, use the ALTER USER statement. The ALTER USER statement should also be used to change the associated passwords for these accounts.
The passwords for these accounts can be modified using the procedures described in "Altering Users".
Protection for Administrator Connections
Only database administrators should have the capability to connect to a database with administrative privileges. For example:
CONNECT username/password AS SYSDBA/SYSOPER
Connecting as SYSOPER gives a user the ability to perform basic operational tasks (such as STARTUP, SHUTDOWN, and recovery operations). Connecting as SYSDBA gives the user these abilities plus unrestricted privileges to do anything to a database or the objects within a database (including CREATE, DROP, and DELETE). Connecting as SYSDBA places a user in the SYS schema, where he can alter data dictionary tables.
Notes:
- Connections requested AS SYSDBA or AS SYSOPER must use these phrases; without them, the connection fails. The Oracle parameter O7_DICTIONARY_ACCESSIBILITY is set to FALSE by default, to limit sensitive data dictionary access only to those authorized.
- Such connections are authorized only after verification with the password file or with the operating system privileges and permissions. If operating system authentication is used, the database does not use the supplied username/password. Operating system authentication is used if there is no password file, or if the supplied username/password is not in that file, or if no username/password is supplied.
- However, if authentication succeeds by means of the password file, the connection is logged with the username; if authentication succeeds by means of the operating system, it's a CONNECT / connection that does not record the specific user.
Using Roles for Administrator Privilege Management
Roles are the easiest way to restrict the powerful system privileges and roles required by personnel administrating the database.
Consider a scenario where the database administrator responsibilities at a large installation are shared among several database administrators, each responsible for the following specific database management jobs:
- Object creation and maintenance
- Database tuning and performance
- Creation of new users and granting roles and privileges to database users
- Routine database operation (for example: STARTUP, SHUTDOWN, and backup and recovery operations)
- Emergency situations, such as database recovery
There are also new, inexperienced database administrators needing limited capabilities to experiment with database management.
In this scenario, the security administrator should structure the security for administrative personnel as follows:
- Define six roles to contain the distinct privileges required to accomplish each type of task (for example, dba_objects, dba_tune, dba_security, dba_maintain, dba_recov, dba_new).
- Grant each role the appropriate privileges.
- Grant each type of database administrator the corresponding role.
This plan diminishes the likelihood of future problems in the following ways:
- If a database administrator's job description changes to include more responsibilities, that database administrator can be granted other administrative roles corresponding to the new responsibilities.
- If a database administrator's job description changes to include fewer responsibilities, that database administrator can have the appropriate administrative roles revoked.
- The data dictionary always stores information about each role and each user, so information is available to disclose the task of each administrator.
Application Developer Security
Security administrators must define a special security policy for the application developers using a database. A security administrator could grant the privileges to create necessary objects to application developers. Or, alternatively, the privileges to create objects could be granted only to a database administrator, who then receives requests for object creation from developers.
Application Developers and Their Privileges
Database application developers are unique database users who require special groups of privileges to accomplish their jobs. Unlike end users, developers need system privileges, such as CREATE TABLE, CREATE PROCEDURE, and so on. However, only specific system privileges should be granted to developers to restrict their overall capabilities in the database.
The Application Developer's Environment: Test and Production Databases
In many cases, application development is restricted to test databases and is not allowed on production databases. This restriction ensures that application developers do not compete with end users for database resources, and that they cannot detrimentally affect a production database.
After an application has been thoroughly developed and tested, it is permitted access to the production database and made available to the appropriate end users of the production database.
Free Versus Controlled Application Development
The database administrator can define the following options when determining which privileges should be granted to application developers:
- Free development
An application developer is allowed to create new schema objects, including tables, indexes, procedures, packages, and so on. This option allows the application developer to develop an application independent of other objects.
- Controlled development
An application developer is not allowed to create new schema objects. All required tables, indexes, procedures, and so on are created by a database administrator, as requested by an application developer. This option allows the database administrator to completely control a database's space usage and the access paths to information in the database.
Although some database systems use only one of these options, other systems could mix them. For example, application developers can be allowed to create new stored procedures and packages, but not allowed to create tables or indexes. A security administrator's decision regarding this issue should be based on the following:
- The control desired over a database's space usage
- The control desired over the access paths to schema objects
- The database used to develop applications; if a test database is being used for application development, a more liberal development policy would be in order
Roles and Privileges for Application Developers
Security administrators can create roles to manage the privileges required by the typical application developer. For example, a typical role named APPLICATION_DEVELOPER might include the CREATE TABLE, CREATE VIEW, and CREATE PROCEDURE system privileges. Consider the following when defining roles for application developers:
- CREATE system privileges are usually granted to application developers so that they can create their own objects. However, CREATE ANY system privileges, which allow a user to create an object in any user's schema, are not usually granted to developers. This restricts the creation of new objects only to the developer's user account.
- Object privileges are rarely granted to roles used by application developers, because granting object privileges through roles often restricts their usability in creating other objects (primarily views and stored procedures). It is more practical to allow application developers to create their own objects for development purposes.
Space Restrictions Imposed on Application Developers
While application developers are typically given the privileges to create objects as part of the development process, security administrators must maintain limits on what and how much database space can be used by each application developer. For example, as the security administrator, you should specifically set or restrict the following limits for each application developer:
- The tablespaces in which the developer can create tables or indexes
- The quota for each tablespace accessible to the developer
Both limitations can be set by altering a developer's security domain. This is discussed in "Altering Users".
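An added example (not from the Oracle text) that sets up the APPLICATION_DEVELOPER role and the space limits described above, then checks the two conditions the section warns about: unlimited space and CREATE ANY privileges held by developers. The user DEV_ANNA, the tablespace DEV_DATA and the 50M quota are assumptions.

```sql
-- Added example. Assumed names and values: user DEV_ANNA, tablespace DEV_DATA, quota 50M.

-- Role with only the CREATE privileges named in the text (no CREATE ANY).
CREATE ROLE application_developer;
GRANT CREATE TABLE, CREATE VIEW, CREATE PROCEDURE TO application_developer;
GRANT application_developer TO dev_anna;

-- Space restrictions: where the developer may create segments, and how much.
ALTER USER dev_anna
  DEFAULT TABLESPACE dev_data
  QUOTA 50M ON dev_data
  QUOTA 0   ON system;

-- Check 1: quota and current usage for each developer.
-- MAX_BYTES = -1 means the quota on that tablespace is unlimited.
SELECT q.username,
       q.tablespace_name,
       q.bytes AS used_bytes,
       DECODE(q.max_bytes, -1, 'UNLIMITED', TO_CHAR(q.max_bytes)) AS quota_bytes
  FROM dba_ts_quotas q
 WHERE q.username IN (SELECT grantee
                        FROM dba_role_privs
                       WHERE granted_role = 'APPLICATION_DEVELOPER')
 ORDER BY q.username, q.tablespace_name;

-- Check 2: developers (or the role itself) holding privileges that defeat the limits:
-- UNLIMITED TABLESPACE overrides every quota, CREATE ANY reaches other schemas.
SELECT sp.grantee, sp.privilege
  FROM dba_sys_privs sp
 WHERE (sp.privilege LIKE 'CREATE ANY %' OR sp.privilege = 'UNLIMITED TABLESPACE')
   AND (sp.grantee = 'APPLICATION_DEVELOPER'
        OR sp.grantee IN (SELECT grantee
                            FROM dba_role_privs
                           WHERE granted_role = 'APPLICATION_DEVELOPER'))
 ORDER BY sp.grantee, sp.privilege;
```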
Application Administrator Security
In large database systems with many database applications, you might consider assigning application administrators. An application administrator is responsible for the following types of tasks:
- Creating roles for an application and managing the privileges of each application role
- Creating and managing the objects used by a database application
- Maintaining and updating the application code and Oracle procedures and packages, as necessary
Often, an application administrator is also the application developer who designed an application. However, an application administrator could be any individual familiar with the database application.
Password Management Policy
Database security systems that are dependent on passwords require that passwords be kept secret at all times. Since passwords are vulnerable to theft, forgery, and misuse, Oracle Database has DBAs and security officers control password management policy through user profiles, enabling greater control over database security.
You use the CREATE PROFILE statement to create a user profile. The profile is assigned to a user with the CREATE USER or ALTER USER statement. Details of creating and altering database users are not discussed in this section. This section is concerned with the password parameters that can be specified using the CREATE PROFILE (or ALTER PROFILE) statement.
This section contains the following topics relating to Oracle password management:
- Account Locking
- Password Aging and Expiration
- Password History
- Password Complexity Verification
Account Locking
When a particular user exceeds a designated number of failed login attempts, the server automatically locks that user's account. You specify the permissible number of failed login attempts using the CREATE PROFILE statement. You can also specify the amount of time accounts remain locked.
In the following example, the maximum number of failed login attempts for the user ashwini is four, and the amount of time the account will remain locked is thirty days. The account will unlock automatically after the passage of thirty days.
CREATE PROFILE prof LIMIT
  FAILED_LOGIN_ATTEMPTS 4
  PASSWORD_LOCK_TIME 30;
ALTER USER ashwini PROFILE prof;
If you do not specify a time interval for unlocking the account, PASSWORD_LOCK_TIME assumes the value specified in a default profile. If you specify PASSWORD_LOCK_TIME as UNLIMITED, the account must be explicitly unlocked using an ALTER USER statement. For example, assuming that PASSWORD_LOCK_TIME UNLIMITED is specified for ashwini, then the following statement must be used to unlock the account:
ALTER USER ashwini ACCOUNT UNLOCK;
After a user successfully logs into an account, that user's unsuccessful login attempt count, if there is one, is reset to 0.
The security officer can also explicitly lock user accounts. When this occurs, the account cannot be unlocked automatically, and only the security officer should unlock the account. The CREATE USER or ALTER USER statements are used to explicitly lock or unlock user accounts. For example, the following statement locks user account susan:
ALTER USER susan ACCOUNT LOCK;
Password Aging and Expiration
Use the CREATE PROFILE statement to specify a maximum lifetime for passwords. When the specified amount of time passes and the password expires, the user or DBA must change the password. The following statements create and assign a profile to user ashwini, and the PASSWORD_LIFE_TIME clause specifies that ashwini can use the same password for 90 days before it expires.
CREATE PROFILE prof LIMIT
  FAILED_LOGIN_ATTEMPTS 4
  PASSWORD_LOCK_TIME 30
  PASSWORD_LIFE_TIME 90;
ALTER USER ashwini PROFILE prof;
You can also specify a grace period for password expiration. Users enter the grace period upon the first attempt to log in to a database account after their password has expired. During the grace period, a warning message appears each time users try to log in to their accounts, and continues to appear until the grace period expires. Users must change the password within the grace period. If the password is not changed within the grace period, thereafter users are prompted for a new password each time an attempt is made to access their accounts. Access to an account is denied until a new password is supplied.
Figure 7-2 shows the chronology of the password lifetime and grace period.
Figure 7-2 Chronology of Password Lifetime and Grace Period
In the following example, the profile assigned to ashwini includes the specification of a grace period: PASSWORD_GRACE_TIME = 3. The first time ashwini tries to log in to the database after 90 days (this can be any day after the 90th day; that is, the 70th day, 100th day, or another day), she receives a warning message that her password will expire in three days. If three days pass, and she does not change her password, the password expires. Thereafter, she receives a prompt to change her password on any attempt to log in, and cannot log in until she does so.
CREATE PROFILE prof LIMIT
  FAILED_LOGIN_ATTEMPTS 4
  PASSWORD_LOCK_TIME 30
  PASSWORD_LIFE_TIME 90
  PASSWORD_GRACE_TIME 3;
ALTER USER ashwini PROFILE prof;
Oracle provides a means of explicitly expiring a password. The CREATE USER and ALTER USER statements provide this functionality. The following statement creates a user with an expired password. This setting forces the user to change the password before the user can log in to the database.
CREATE USER jbrown IDENTIFIED BY zX83yT ... PASSWORD EXPIRE;
Password History
The following two parameters control the user's ability to reuse an old password:
Table 7-1 Parameters Controlling Re-Use of an Old Password
Parameter Name | Description and Use |
---|---|
PASSWORD_REUSE_TIME | requires either |
PASSWORD_REUSE_MAX | requires either |
If you specify neither, the user can reuse passwords at any time, which is not a "security best practice."
If neither parameter is UNLIMITED, password reuse is allowed, but only after meeting both conditions. The user must have changed the password the specified number of times, and the specified number of days must have passed since the old password was last used.
For example, suppose user A's profile had PASSWORD_REUSE_MAX set to 10 and PASSWORD_REUSE_TIME set to 30. Then user A could not reuse a password until she had reset her password 10 times, and 30 days had passed since she last used that password.
If either parameter is specified as UNLIMITED, the user can never reuse a password.
If both parameters are set to UNLIMITED, Oracle ignores both, and the user can reuse any password at any time.
Note:
If you specify DEFAULT for either parameter, then Oracle uses the value defined in the DEFAULT profile, which by default sets all parameters to UNLIMITED. Oracle thus uses UNLIMITED for any parameter specified as DEFAULT, unless you change the setting for that parameter in the DEFAULT profile.
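An added example (not from the Oracle text) that creates the profile from the user A illustration and then reports, for every account, which of the reuse rules stated above applies once DEFAULT has been resolved against the DEFAULT profile. The profile name PROF_REUSE and the user name USER_A are assumptions.

```sql
-- Added example. Assumed names: profile PROF_REUSE, user USER_A.

-- The user A case from the text: 10 password changes and 30 days before reuse.
CREATE PROFILE prof_reuse LIMIT
  PASSWORD_REUSE_MAX  10
  PASSWORD_REUSE_TIME 30;
ALTER USER user_a PROFILE prof_reuse;

-- Effective reuse rule per account.
--   eff : each profile's two reuse limits, with DEFAULT replaced by the
--         value held in the DEFAULT profile
--   pair: one row per profile with both limits side by side
WITH eff AS (
  SELECT p.profile,
         p.resource_name,
         DECODE(p.limit, 'DEFAULT', d.limit, p.limit) AS lim
    FROM dba_profiles p
    JOIN dba_profiles d
      ON d.profile = 'DEFAULT'
     AND d.resource_name = p.resource_name
   WHERE p.resource_name IN ('PASSWORD_REUSE_TIME', 'PASSWORD_REUSE_MAX')
),
pair AS (
  SELECT profile,
         MAX(CASE WHEN resource_name = 'PASSWORD_REUSE_TIME' THEN lim END) AS reuse_time,
         MAX(CASE WHEN resource_name = 'PASSWORD_REUSE_MAX'  THEN lim END) AS reuse_max
    FROM eff
   GROUP BY profile
)
SELECT u.username,
       u.profile,
       pr.reuse_time,
       pr.reuse_max,
       CASE
         -- both UNLIMITED: both are ignored, any password at any time
         WHEN pr.reuse_time = 'UNLIMITED' AND pr.reuse_max = 'UNLIMITED'
           THEN 'reuse allowed at any time'
         -- exactly one UNLIMITED: an old password can never be reused
         WHEN pr.reuse_time = 'UNLIMITED' OR pr.reuse_max = 'UNLIMITED'
           THEN 'reuse never allowed'
         -- neither UNLIMITED: both conditions must be met
         ELSE 'reuse after ' || pr.reuse_max || ' changes and '
              || pr.reuse_time || ' days'
       END AS reuse_rule
  FROM dba_users u
  JOIN pair pr
    ON pr.profile = u.profile
 ORDER BY reuse_rule, u.username;
```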
Password Complexity Verification
Oracle's sample password complexity verification routine can be specified using a PL/SQL script (UTLPWDMG.SQL), which sets the default profile parameters.
The password complexity verification routine ensures that the password meets the following requirements:
- Is at least four characters long
- Differs from the username
- Has at least one alpha, one numeric, and one punctuation mark character
- Is not simple or obvious, such as welcome, account, database, or user
- Differs from the previous password by at least three characters
Note:
The ALTER USER command now has a REPLACE clause whereby users can change their own unexpired passwords by supplying the old password to authenticate themselves.
If the password has expired, the user cannot log in to SQL to issue the ALTER USER command. Instead, the OCIPasswordChange() function must be used, which also requires the old password.
A DBA with ALTER ANY USER privilege can change any user's password (force a new password) without supplying the old one.
Password Verification Routine Formatting Guidelines
You can enhance the existing password verification complexity routine or create other password verification routines using PL/SQL or third-party tools.
The PL/SQL call must adhere to the following format:
routine_name (
  userid_parameter IN VARCHAR(30),
  password_parameter IN VARCHAR(30),
  old_password_parameter IN VARCHAR(30)
)
RETURN BOOLEAN
After a new routine is created, it must be assigned as the password verification routine using the user's profile or the system default profile.
CREATE/ALTER PROFILE profile_name LIMIT
  PASSWORD_VERIFY_FUNCTION routine_name
The password verify routine must be owned by SYS.
Sample Password Verification Routine
You can use this sample password verification routine as a model when developing your own complexity checks for a new password.
The default password complexity function performs the following minimum complexity checks:
- The password satisfies minimum length requirements.
- The password is not the username. You can modify this function based on your requirements.
This function must be created in SYS schema, and you must connect SYS/password AS SYSDBA before running the script.
CREATE OR REPLACE FUNCTION verify_function
  (username varchar2,
   password varchar2,
   old_password varchar2)
  RETURN boolean IS
  n boolean;
  m integer;
  differ integer;
  isdigit boolean;
  ischar boolean;
  ispunct boolean;
  digitarray varchar2(20);
  punctarray varchar2(25);
  chararray varchar2(52);
BEGIN
  digitarray := '0123456789';
  chararray := 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
  punctarray := '!"#$%&()''*+,-/:;<=>?_';
  -- Check if the password is same as the username
  IF password = username THEN
    raise_application_error(-20001, 'Password same as user');
  END IF;
  -- Check for the minimum length of the password
  IF length(password) < 4 THEN
    raise_application_error(-20002, 'Password length less than 4');
  END IF;
  -- Check if the password is too simple. A dictionary of words may be
  -- maintained and a check may be made so as not to allow the words
  -- that are too simple for the password.
  IF NLS_LOWER(password) IN ('welcome', 'database', 'account', 'user',
                             'password', 'oracle', 'computer', 'abcd') THEN
    raise_application_error(-20002, 'Password too simple');
  END IF;
  -- Check if the password contains at least one letter,
  -- one digit and one punctuation mark.
  -- 1. Check for the digit
  -- You may delete 1. and replace with 2. or 3.
  isdigit := FALSE;
  m := length(password);
  FOR i IN 1..10 LOOP
    FOR j IN 1..m LOOP
      IF substr(password,j,1) = substr(digitarray,i,1) THEN
        isdigit := TRUE;
        GOTO findchar;
      END IF;
    END LOOP;
  END LOOP;
  IF isdigit = FALSE THEN
    raise_application_error(-20003, 'Password should contain at least one digit, one character and one punctuation');
  END IF;
  -- 2. Check for the character
  <<findchar>>
  ischar := FALSE;
  FOR i IN 1..length(chararray) LOOP
    FOR j IN 1..m LOOP
      IF substr(password,j,1) = substr(chararray,i,1) THEN
        ischar := TRUE;
        GOTO findpunct;
      END IF;
    END LOOP;
  END LOOP;
  IF ischar = FALSE THEN
    raise_application_error(-20003, 'Password should contain at least one digit, one character and one punctuation');
  END IF;
  -- 3. Check for the punctuation
  <<findpunct>>
  ispunct := FALSE;
  FOR i IN 1..length(punctarray) LOOP
    FOR j IN 1..m LOOP
      IF substr(password,j,1) = substr(punctarray,i,1) THEN
        ispunct := TRUE;
        GOTO endsearch;
      END IF;
    END LOOP;
  END LOOP;
  IF ispunct = FALSE THEN
    raise_application_error(-20003, 'Password should contain at least one digit, one character and one punctuation');
  END IF;
  <<endsearch>>
  -- Check if the password differs from the previous password by at least 3 letters
  -- Oracle treats '' as NULL, so this comparison never evaluates to TRUE and the
  -- error below is never raised; a NULL old_password skips the difference check.
  IF old_password = '' THEN
    raise_application_error(-20004, 'Old password is null');
  END IF;
  differ := length(old_password) - length(password);
  IF abs(differ) < 3 THEN
    -- Compare position by position over the shorter of the two passwords
    IF length(password) < length(old_password) THEN
      m := length(password);
    ELSE
      m := length(old_password);
    END IF;
    differ := abs(differ);
    FOR i IN 1..m LOOP
      IF substr(password,i,1) != substr(old_password,i,1) THEN
        differ := differ + 1;
      END IF;
    END LOOP;
    IF differ < 3 THEN
      raise_application_error(-20004, 'Password should differ by at least 3 characters');
    END IF;
  END IF;
  -- Everything is fine; return TRUE
  RETURN(TRUE);
END;
Auditing Policy
Security administrators should define a policy for the auditing procedures of each database. You may, for example, decide to have database auditing disabled unless questionable activities are suspected. When auditing is required, the security administrator must decide what level of detail to audit the database; usually, general system auditing is followed by more specific types of auditing after the origins of suspicious activity are determined. In addition to standard database auditing, Oracle supports fine-grained auditing using policies that can monitor multiple specific objects, columns, and statements, including INDEX.
Auditing is discussed in Chapter 8, "Database Auditing: Security Considerations" and Chapter 11, "Configuring and Administering Auditing".
A Security Checklist
Information security and privacy and protection of corporate assets and data are of pivotal importance in any business. Oracle Database comprehensively addresses the need for information security by offering cutting-edge security features such as deep data protection, auditing, scalable security, secure hosting and data exchange.
The Oracle Database server leads the industry in security. However, in order to fully maximize the security features offered by Oracle Database in any business environment, it is imperative that the database itself be well-protected. Furthermore, proper use of its security features and adherence to basic security practices will help protect against database-related threats and attacks. Such an approach provides a much more secure operating environment for the Oracle database.
This security checklist provides guidance on configuring Oracle Database in a secure manner by adhering to and recommending industry-standard "best security practices" for operational database deployments.
In simple summary, before looking at the more detailed checklist: consider all paths the data travels and assess the threats that impinge on each path and node. Then take steps to lessen or eliminate both those threats and the consequences of a successful breach of security. Monitoring and auditing to detect either increased threat levels or successful penetration increases the likelihood of preventing or minimizing security losses.
Details on specific database-related tasks and actions can be found throughout the Oracle documentation set.
- INSTALL ONLY WHAT IS REQUIRED.
Options and Products
The Oracle Database CD pack contains a host of options and products in addition to the database server. Install additional products and options only as necessary. Use Custom Installation to avoid installing unnecessary products or, following a typical installation, deinstall unneeded options and products. There is no need to maintain the additional products and options if they are not being used. They can always be properly and easily reinstalled as required.
Sample Schemas
Oracle Corporation provides Sample Schemas to provide a common platform for examples. If your database will be used in a production environment, do not install the Sample Schema. If you have installed the Sample Schema on a test database, then before going production, remove or re-lock the Sample Schema accounts.
- LOCK AND EXPIRE DEFAULT USER ACCOUNTS.
Oracle Database installs with a number of default (preset) database server user accounts. Upon successful installation of the database server, the Database Configuration Assistant automatically locks and expires most default database user accounts.
If a manual (not utilizing Database Configuration Assistant) installation of Oracle Database is performed, no default database users are locked upon successful installation of the database server. If left open in their default states, these user accounts can be exploited to gain unauthorized access to data or disrupt database operations.
Therefore, after performing any kind of initial installation that does not use Database Configuration Assistant, you should lock and expire all default database user accounts. Oracle Database provides SQL to perform such operations.
Installing additional products and components later also results in creating more default database server accounts. Database Configuration Assistant automatically locks and expires all additionally created database server user accounts. Unlock only those accounts that need to be accessed on a regular basis and assign a strong, meaningful password to each of these unlocked accounts. Oracle provides SQL and password management to perform such operations.
Table 7-2 shows the database users after a typical Oracle Database installation utilizing Database Configuration Assistant.
Table 7-2 Default Accounts and Their Status (Standard Installation)
USERNAME | ACCOUNT_STATUS
ANONYMOUS | EXPIRED & LOCKED
CTXSYS | EXPIRED & LOCKED
DBSNMP | EXPIRED & LOCKED
DIP | EXPIRED & LOCKED
DMSYS | EXPIRED & LOCKED
EXFSYS | EXPIRED & LOCKED
HR | EXPIRED & LOCKED
MDDATA | EXPIRED & LOCKED
MDSYS | EXPIRED & LOCKED
MGMT_VIEW | EXPIRED & LOCKED
ODM | EXPIRED & LOCKED
ODM_MTR | EXPIRED & LOCKED
OE | EXPIRED & LOCKED
OLAPSYS | EXPIRED & LOCKED
ORDPLUGINS | EXPIRED & LOCKED
ORDSYS | EXPIRED & LOCKED
OUTLN | EXPIRED & LOCKED
PM | EXPIRED & LOCKED
QS | EXPIRED & LOCKED
QS_ADM | EXPIRED & LOCKED
QS_CB | EXPIRED & LOCKED
QS_CBADM | EXPIRED & LOCKED
QS_CS | EXPIRED & LOCKED
QS_ES | EXPIRED & LOCKED
QS_OS | EXPIRED & LOCKED
QS_WS | EXPIRED & LOCKED
RMAN | EXPIRED & LOCKED
SCOTT | EXPIRED & LOCKED
SH | EXPIRED & LOCKED
SI_INFORMTN_SCHEMA | EXPIRED & LOCKED
SYS | OPEN
SYSMAN | EXPIRED & LOCKED
SYSTEM | OPEN
WK_TEST | EXPIRED & LOCKED
WKPROXY | EXPIRED & LOCKED
WKSYS | EXPIRED & LOCKED
WMSYS | EXPIRED & LOCKED
XDB | EXPIRED & LOCKED
If any default database server user account other than the ones left open is required for any reason, a database administrator (DBA) need only unlock and activate that account with a new, meaningful password.
Enterprise Manager Accounts
The preceding list of accounts depends on whether you choose to install Enterprise Manager. If so, SYSMAN and DBSNMP are open as well, unless you configure Enterprise Manager for Central Administration: then the SYSMAN account (if present) will be locked as well.
If you do not install Enterprise Manager, then only SYS and SYSTEM are open. Database Configuration Assistant locks and expires all other accounts (including SYSMAN and DBSNMP).
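One way to find and close default accounts left open after a manual installation, as an added example rather than Oracle's own script. The account names come from Table 7-2; leaving SYSMAN and DBSNMP out of the list assumes Enterprise Manager is installed, and the report_only switch is a name introduced here.

```sql
-- Added example (not Oracle's script). Run as a DBA-privileged user in SQL*Plus.
-- The list holds the accounts Table 7-2 shows as EXPIRED & LOCKED.
-- SYS and SYSTEM stay open. SYSMAN and DBSNMP are left out on the assumption
-- that Enterprise Manager is installed; add them to the list if it is not.
SET SERVEROUTPUT ON

DECLARE
  -- Assumption: start in report-only mode; set to FALSE to apply the change.
  report_only CONSTANT BOOLEAN := TRUE;
BEGIN
  FOR u IN (
    SELECT username, account_status
      FROM dba_users
     WHERE username IN (
             'ANONYMOUS', 'CTXSYS', 'DIP', 'DMSYS', 'EXFSYS', 'HR', 'MDDATA',
             'MDSYS', 'MGMT_VIEW', 'ODM', 'ODM_MTR', 'OE', 'OLAPSYS',
             'ORDPLUGINS', 'ORDSYS', 'OUTLN', 'PM', 'QS', 'QS_ADM', 'QS_CB',
             'QS_CBADM', 'QS_CS', 'QS_ES', 'QS_OS', 'QS_WS', 'RMAN', 'SCOTT',
             'SH', 'SI_INFORMTN_SCHEMA', 'WK_TEST', 'WKPROXY', 'WKSYS',
             'WMSYS', 'XDB')
       -- Anything that is only EXPIRED, only LOCKED, or OPEN is a finding.
       AND account_status <> 'EXPIRED & LOCKED'
     ORDER BY username
  ) LOOP
    DBMS_OUTPUT.PUT_LINE(RPAD(u.username, 20) || u.account_status);
    IF NOT report_only THEN
      -- The name comes from the data dictionary and the fixed list above,
      -- so it is safe to concatenate; quoting keeps the exact stored name.
      EXECUTE IMMEDIATE
        'ALTER USER "' || u.username || '" PASSWORD EXPIRE ACCOUNT LOCK';
      DBMS_OUTPUT.PUT_LINE('  -> locked and expired');
    END IF;
  END LOOP;
END;
/
```

An empty report means every listed account that exists in this database is already expired and locked.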
- CHANGE DEFAULT USER PASSWORDS.
The most trivial method by which Oracle Database can be compromised is a default database server user account which still has a default password associated with it even after installation.
- Change default passwords of administrative users.
Oracle Database 10g installation enables you to use the same or different passwords for the SYS, SYSTEM, SYSMAN and DBSNMP administrative accounts. Use different passwords for each: in any Oracle environment (production or test), assign strong, meaningful, and distinct passwords to these administrative accounts. If Database Configuration Assistant is used, it requires you to enter passwords for the SYS and SYSTEM accounts, disallowing the use of the defaults CHANGE_ON_INSTALL and MANAGER.
Similarly, for production environments, do not use default passwords for any administrative accounts, including SYSMAN and DBSNMP.
At the end of database creation, Database Configuration Assistant displays a page requiring you to enter and confirm new passwords for the SYS and SYSTEM user accounts.
- Change default passwords of all users.
In Oracle Database, SCOTT no longer installs with default password TIGER, but instead is locked and expired, as is DBSNMP. Each of the other accounts install with a default password that is exactly the same as that user account (for example, user MDSYS installs with password MDSYS).
If any of the default user accounts that were locked and expired upon installation need to be activated, assign a new meaningful password to each such user account.
Even though Oracle does not explicitly mandate changing the default password for user SCOTT, Oracle nevertheless recommends that this user account also be locked in a production environment.
- Enforce password management.
Oracle recommends that basic password management rules (such as password length, history, complexity, and so forth) as provided by the database be applied to all user passwords and that all users be required to change their passwords periodically.
Oracle also recommends, if possible, utilizing Oracle Advanced Security (an option to the Enterprise Edition of Oracle Database) with network authentication services (such as Kerberos), token cards, smart cards or X.509 certificates. These services enable strong authentication of users to provide better protection against unauthorized access to Oracle Database.
- ENABLE DATA DICTIONARY PROTECTION.
Oracle recommends that customers implement data dictionary protection to prevent users having the ANY system privileges from using such privileges on the data dictionary.
To enable dictionary protection, set the following configuration parameter to FALSE, in the init<sid>.ora file:
O7_DICTIONARY_ACCESSIBILITY = FALSE
By doing so, only those authorized users making DBA-privileged (for example CONNECT / AS SYSDBA) connections can use the ANY system privilege on the data dictionary. If this parameter is not set to the value recommended earlier, any user with a DROP ANY TABLE (for example) system privilege will be able to maliciously drop parts of the data dictionary.
However, if a user requires view access to the data dictionary, it is permissible to grant that user the SELECT ANY DICTIONARY system privilege.
Notes:
- Regarding O7_DICTIONARY_ACCESSIBILITY, note that in Oracle Database, the default is FALSE; whereas in Oracle8i, this parameter is set to TRUE by default and must specifically be changed to FALSE to enable this security feature.
- Regarding the SELECT ANY DICTIONARY privilege: this privilege is not included in the GRANT ALL PRIVILEGES statement, but it can be granted through a role.
- PRACTICE PRINCIPLE OF LEAST PRIVILEGE.
- Grant necessary privileges only.
Do not provide database users more privileges than are necessary. In other words, principle of least privilege is that a user be given only those privileges that are actually required to efficiently and succinctly perform his or her job.
To implement least privilege, restrict: 1) the number of SYSTEM and OBJECT privileges granted to database users, and 2) the number of people who are allowed to make SYS-privileged connections to the database as much as possible. For example, there is generally no need to grant CREATE ANY TABLE to any non DBA-privileged user.
- Revoke unnecessary privileges from PUBLIC.
Revoke all unnecessary privileges and roles from the database server user group PUBLIC. PUBLIC acts as a default role granted to every user in an Oracle database. Any database user can exercise privileges that are granted to PUBLIC. Such privileges include EXECUTE on various PL/SQL packages that may permit a minimally privileged user to access and execute packages that he may not directly be permitted to access. The more powerful packages that may potentially be misused are listed in the following table:
Package | Description
UTL_SMTP (Footnote 1) | This package permits arbitrary mail messages to be sent from one arbitrary user to another arbitrary user. Granting this package to PUBLIC may permit unauthorized exchange of mail messages.
UTL_TCP (Footnote 1) | This package permits outgoing network connections to be established by the database server to any receiving (or waiting) network service. Thus, arbitrary data may be sent between the database server and any waiting network service.
UTL_HTTP (Footnote 1) | This package allows the database server to request and retrieve data using HTTP. Granting this package to PUBLIC may permit using HTML forms to send data to a malicious Web site.
UTL_FILE (Footnote 1) | If configured improperly, this package allows text level access to any file on the host operating system. Even when properly configured, this package may allow unauthorized access to sensitive operating system files, such as trace files, because it does not distinguish between its calling applications. The result can be that one application accessing UTL_FILE may write arbitrary data into the same location that is written to by another application.
DBMS_RANDOM | This package can be used to encrypt stored data. Generally, most users should not have the privilege to encrypt data since encrypted data may be non-recoverable if the keys are not securely generated, stored, and managed.
Footnote 1: These packages should be revoked from PUBLIC and made executable for an application only when absolutely necessary.
These packages are extremely useful to some applications that need them. They require proper configuration and usage for safe and secure operation, and may not be suitable for most applications.
- Grant users roles only if they need all of the role's privileges.
Roles (groups of privileges) are useful for quickly and easily granting permissions to users. If your application users do not need all the privileges encompassed by an existing role, then create your own roles containing only the appropriate privileges for your requirements. Similarly, ensure that roles contain only the privileges that reflect job responsibility.
For example, grant users the CREATE SESSION privilege to authorize them to log in to the database, rather than granting them the CONNECT role, which has many additional privileges. Unless users require all the extra privileges contained in the CONNECT role (or any other role), assign them individually only the minimum set of individual privileges truly needed. Alternatively, create your own roles and assign only needed privileges.
For example, it is imperative to strictly limit the privileges of SCOTT. Drop the CREATE DBLINK privilege for SCOTT. Then drop the entire role for the user, since privileges acquired by means of a role cannot be dropped individually. Recreate your own role with only the privileges needed, and grant that new role to that user. Similarly, for even better security, drop the CREATE DBLINK privilege from all users who do not require it.
- Restrict permissions on run-time facilities.
Do not assign "all permissions" to any database server run-time facility such as the Oracle Java Virtual Machine (OJVM). Grant specific permissions to the explicit document root file paths for such facilities that may execute files and packages outside the database server.
Here is an example of a vulnerable run-time call:
call dbms_java.grant_permission('SCOTT', 'SYS:java.io.FilePermission','<<ALL FILES>>','read');
Here is an example of a better (more secure) run-time call:
call dbms_java.grant_permission('SCOTT', 'SYS:java.io.FilePermission','<<actual directory path>>','read');
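A way to carry out the PUBLIC revocation described above without breaking code that relies on it, as an added example that is not part of the Oracle documentation. It assumes a DBA-privileged SQL*Plus session; app_owner is a hypothetical schema name.

```sql
-- Added example (not from the Oracle documentation).

-- 1. Which of the packages from the table can PUBLIC still execute?
SELECT owner, table_name AS package_name, privilege
  FROM dba_tab_privs
 WHERE grantee    = 'PUBLIC'
   AND privilege  = 'EXECUTE'
   AND table_name IN ('UTL_SMTP', 'UTL_TCP', 'UTL_HTTP', 'UTL_FILE', 'DBMS_RANDOM')
 ORDER BY table_name;

-- 2. Which stored code references those packages but has no direct grant?
--    These objects go invalid once the PUBLIC grant is gone, so each owner
--    listed here needs its own EXECUTE grant first (or the code removed).
SELECT d.owner, d.name, d.type, d.referenced_name
  FROM dba_dependencies d
 WHERE d.referenced_owner = 'SYS'
   AND d.referenced_type  = 'PACKAGE'
   AND d.referenced_name IN ('UTL_SMTP', 'UTL_TCP', 'UTL_HTTP', 'UTL_FILE', 'DBMS_RANDOM')
   AND d.owner NOT IN ('SYS', 'PUBLIC')
   AND NOT EXISTS (
         SELECT 1
           FROM dba_tab_privs p
          WHERE p.grantee    = d.owner
            AND p.owner      = 'SYS'
            AND p.table_name = d.referenced_name
            AND p.privilege  = 'EXECUTE')
 ORDER BY d.referenced_name, d.owner, d.name;

-- 3. Grant to the schemas that really need a package, for example:
--    GRANT EXECUTE ON SYS.UTL_FILE TO app_owner;   -- app_owner is hypothetical

-- 4. Generate the REVOKE statements for review, then run the ones you accept.
SELECT 'REVOKE EXECUTE ON ' || owner || '.' || table_name || ' FROM PUBLIC;' AS stmt
  FROM dba_tab_privs
 WHERE grantee    = 'PUBLIC'
   AND privilege  = 'EXECUTE'
   AND table_name IN ('UTL_SMTP', 'UTL_TCP', 'UTL_HTTP', 'UTL_FILE', 'DBMS_RANDOM')
 ORDER BY table_name;
```

Rerun query 1 afterwards; it should return no rows for the packages you revoked.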
- ENFORCE ACCESS CONTROLS EFFECTIVELY.
Authenticate clients properly.
By default, Oracle allows operating-system-authenticated logins only over secure connections, which precludes using Oracle Net and a shared server configuration. This default restriction prevents a remote user from impersonating another operating system user over a network connection.
Setting the initialization parameter REMOTE_OS_AUTHENT to TRUE forces the RDBMS to accept the client operating system user name received over a nonsecure connection and use it for account access. Since clients, in general, such as PCs, are not trusted to perform operating system authentication properly, it is very poor security practice to turn on this feature.
The default setting, REMOTE_OS_AUTHENT = FALSE, creates a more secure configuration that enforces proper, server-based authentication of clients connecting to an Oracle database.
You should not alter the default setting of the REMOTE_OS_AUTHENT initialization parameter, which is FALSE.
Setting this parameter to FALSE does not mean that users cannot connect remotely. It simply means that the database will not trust that the client has already authenticated, and will therefore use its standard authentication processes.
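The settings recommended in the data dictionary protection, least privilege and client authentication items can be reviewed from inside the database. The queries below are an added example, not part of the Oracle documentation; they are read-only and assume a DBA-privileged session, and the fourth assumes the Oracle JVM is installed.

```sql
-- Added example (not from the Oracle documentation). Read-only review queries.

-- 1. Both parameters should report FALSE.
SELECT name, value,
       CASE WHEN UPPER(value) = 'FALSE' THEN 'OK' ELSE 'REVIEW' END AS finding
  FROM v$parameter
 WHERE name IN ('o7_dictionary_accessibility', 'remote_os_authent');

-- 2. ANY system privileges held by grantees other than SYS, SYSTEM and the
--    DBA role. Each row is a candidate for review, not automatically a fault.
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege LIKE '% ANY %'
   AND grantee NOT IN ('SYS', 'SYSTEM', 'DBA')
 ORDER BY grantee, privilege;

-- 3. Who holds the CONNECT role, and who can create database links.
--    The page's "CREATE DBLINK" is the CREATE DATABASE LINK system privilege.
SELECT grantee, granted_role AS item, 'ROLE' AS kind
  FROM dba_role_privs
 WHERE granted_role = 'CONNECT'
UNION ALL
SELECT grantee, privilege, 'SYSTEM PRIVILEGE'
  FROM dba_sys_privs
 WHERE privilege = 'CREATE DATABASE LINK'
 ORDER BY 1, 2;

-- 4. Java file permissions granted on <<ALL FILES>> rather than on an
--    explicit directory path (the vulnerable form shown in the checklist).
SELECT grantee, type_name, name, action, enabled
  FROM dba_java_policy
 WHERE kind      = 'GRANT'
   AND type_name = 'java.io.FilePermission'
   AND name      = '<<ALL FILES>>'
 ORDER BY grantee;
```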
- RESTRICT OPERATING SYSTEM ACCESS.
Limit the number of operating system users.
Limit the privileges of the operating system accounts (administrative, root-privileged or DBA) on the Oracle Database host (physical machine) to the least privileges needed for the user's tasks.
Oracle also recommends:
- Restricting the ability to modify the default file and directory permissions for the Oracle Database home (installation) directory or its contents. Even privileged operating system users and the Oracle owner should not change these permissions, unless instructed otherwise by Oracle Corporation.
- Restricting symbolic links. Ensure that when providing a path or file to the database, neither the file nor any part of the path is modifiable by an untrusted user. The file and all components of the path should be owned by the DBA or some trusted account, such as root.
This recommendation applies to all types of files: data files, log files, trace files, external tables, bfiles, and so on.
- RESTRICT NETWORK ACCESS.
- Use a firewall.
Keep the database server behind a firewall. Oracle Database's network infrastructure, Oracle Net (formerly known as Net8 and SQL*Net), offers support for a variety of firewalls from various vendors. Supported proxy-enabled firewalls include Network Associates' Gauntlet and Axent's Raptor. Supported packet-filtered firewalls include Cisco's PIX Firewall and supported stateful inspection firewalls (more sophisticated packet-filtered firewalls) include CheckPoint's Firewall-1.
- Never poke a hole through a firewall.
If Oracle Database is behind a firewall, do not, under any circumstances, poke a hole through the firewall; for example, do not leave open Oracle Listener's 1521 port to make a connection to the Internet or vice versa.
Doing so will introduce a number of significant security vulnerabilities including more port openings through the firewall, multi-threaded operating system server issues and revelation of crucial information on database(s) behind the firewall. Furthermore, an Oracle Listener running without an established password may be probed for critical details about the database(s) on which it is listening such as trace and logging information, banner information and database descriptors and service names.
Such a plethora of information and the availability of an ill-configured firewall will provide an attacker ample opportunity to launch malicious attacks on the target database(s).
- Protect the Oracle Listener.
Because the listener acts as the database's gateway to the network, it is important to limit the consequences of malicious interference:
- Restrict the privileges of the listener, so that it cannot read or write files in the database or the Oracle server address space.
This restriction prevents external procedure agents spawned by the listener (or procedures executed by such an agent) from inheriting the ability to do such reads or writes. The owner of this separate listener process should not be the owner that installed Oracle or executes the Oracle instance (such as ORACLE, the default owner).
Sample configuration:
EXTPROC_LISTENER=
  (DESCRIPTION=
    (ADDRESS=
      (PROTOCOL=ipc)(KEY=extproc)))
SID_LIST_EXTPROC_LISTENER=
  (SID_LIST=
    (SID_DESC=
      (SID_NAME=plsextproc)
      (ORACLE_HOME=/u1/app/oracle/9.0)
      (PROGRAM=extproc)))
- Secure administration by these three steps:
1. Prevent on-line administration by requiring the administrator to have write privileges on the LISTENER.ORA file and the listener's password:
Add or alter this line in the LISTENER.ORA file:
ADMIN_RESTRICTIONS_LISTENER=ON
Then RELOAD the configuration.
2. Use SSL when administering the listener, by making the TCPS protocol the first entry in the address list:
LISTENER=
  (DESCRIPTION=
    (ADDRESS_LIST=
      (ADDRESS=
        (PROTOCOL=tcps)
        (HOST = ed-pdsun1.us.oracle.com)
        (PORT = 8281))))
(To administer the listener remotely, you need to define the listener in the client computer's LISTENER.ORA file. For example, to access listener USER281 remotely, use the following configuration:)
user281 =
  (DESCRIPTION =
    (ADDRESS =
      (PROTOCOL = tcps)
      (HOST = ed-pdsun1.us.oracle.com)
      (PORT = 8281)))
3. Always establish a meaningful, well-formed password for the Oracle Listener to prevent remote configuration of the Oracle Listener. Password protect the listener:
LSNRCTL> CHANGE_PASSWORD
Old password: lsnrc80
New password: lsnrc90
Reenter new password: lsnrc90
LSNRCTL> SET PASSWORD
Password:
The command completed successfully
LSNRCTL> SAVE_CONFIG
The command completed successfully
- Remove the external procedure configuration from the listener.ora file if you do not intend to use such procedures.
- Monitor listener activity.
- Be sure of who is accessing your systems.
Authenticating client computers over the Internet is problematic. Do user authentication instead, which avoids client system issues that include falsified IP addresses, hacked operating systems or applications, and falsified or stolen client system identities. The following steps improve client computer security:
- Configure the connection to use SSL. Using SSL (Secure Sockets Layer) communication makes eavesdropping unfruitful and enables the use of certificates for user and server authentication.
- Set up certificate authentication for clients and servers such that:
1. The organization is identified by unit and certificate issuer and the user is identified by distinguished name and certificate issuer.
2. Applications test for expired certificates.
3. Certificate revocation lists are audited.
- Check network IP addresses.
Use the Oracle Net "valid node checking" security feature to permit or deny access to Oracle server processes from network clients with specified IP addresses. To use this feature, set the following protocol.ora (Oracle Net configuration file) parameters:
tcp.validnode_checking = YES
tcp.excluded_nodes = {list of IP addresses}
tcp.invited_nodes = {list of IP addresses}
The first parameter turns on the feature whereas the latter two parameters respectively deny or allow specific client IP addresses from making connections to the Oracle Listener (and thereby preventing potential Denial of Service attacks).
- Encrypt network traffic.
If possible, use Oracle Advanced Security to encrypt network traffic between clients, databases, and application servers. (Note that Oracle Advanced Security is available only with the Enterprise Edition of the Oracle database. It installs in Typical Installation mode and can be configured, after licensing, with the Oracle Net Manager tool or by manually setting six sqlnet.ora parameters to enable network encryption.)
- Harden the operating system.
Harden the host operating system by disabling all unnecessary operating system services. Both UNIX and Windows platforms provide a variety of operating system services, most of which are not necessary for most deployments. Such services include FTP, TFTP, TELNET, and so forth. Be sure to close both the UDP and TCP ports for each service that is being disabled. Disabling one type of port and not the other does not make the operating system more secure.
- APPLY ALL SECURITY PATCHES AND WORKAROUNDS.
Always apply all relevant and current security patches for both the operating system on which Oracle Database resides and Oracle Database itself, and for all installed Oracle Database options and components thereof.
Periodically check the security site on Oracle Technology Network for details on security alerts released by Oracle Corporation.
http://otn.oracle.com/deploy/security/alerts.htm
Also check Oracle Worldwide Support Service's site, Metalink, for details on available and upcoming security-related patches.
http://metalink.oracle.com
In summary, consider all paths the data travels and assess the threats that impinge on each path and node. Then take steps to lessen or eliminate both those threats and the consequences of a successful breach of security. Also monitor and audit to detect either increased threat levels or successful penetration.
- CONTACT ORACLE SECURITY PRODUCTS.
If you believe that you have found a security vulnerability in Oracle Database, submit an iTAR to Oracle Worldwide Support Services using Metalink, or e-mail a complete description of the problem, including product version and platform, together with any exploit scripts and examples to the following address:
secalert_us@oracle.com
Source: https://docs.oracle.com/cd/B12037_01/network.101/b10773/policies.htm
Posted by: cashsyle1983.blogspot.com