e17609
Transcript of e17609
-
8/13/2019 e17609
1/122
Oracle Database2 Day + Security Guide
12cRelease 1 (12.1)
E17609-16
September 2013
-
8/13/2019 e17609
2/122
Oracle Database 2 Day + Security Guide, 12cRelease 1 (12.1)
E17609-16
Copyright 2006, 2013, Oracle and/or its affiliates. All rights reserved.
Primary Author: Patricia Huey
Contributor: The Oracle Database 12c documentation is dedicated to Mark Townsend, who was aninspiration to all who worked on this release.
Contributors: Todd Bottger, Naveen Gopal, Peter Knaggs, Rahil Mir, Gopal Mulagund, Paul Needham,Deborah Owens, Sachin Sonawane, Kamal Tbeileh, Mark Townsend, Peter Wahl
This software and related documentation are provided under a license agreement containing restrictions onuse and disclosure and are protected by intellectual property laws. Except as expressly permitted in yourlicense agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license,transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverseengineering, disassembly, or decompilation of this software, unless required by law for interoperability, isprohibited.
The information contained herein is subject to change without notice and is not warranted to be error-free. Ifyou find any errors, please report them to us in writing.
If this is software or related documentation that is delivered to the U.S. Government or anyone licensing iton behalf of the U.S. Government, the following notice is applicable:
U.S. GOVERNMENT END USERS: Oracle programs, including any operating system, integrated software,
any programs installed on the hardware, and/or documentation, delivered to U.S. Government end usersare "commercial computer software" pursuant to the applicable Federal Acquisition Regulation andagency-specific supplemental regulations. As such, use, duplication, disclosure, modification, andadaptation of the programs, including any operating system, integrated software, any programs installed onthe hardware, and/or documentation, shall be subject to license terms and license restrictions applicable tothe programs. No other rights are granted to the U.S. Government.
This software or hardware is developed for general use in a variety of information managementapplications. It is not developed or intended for use in any inherently dangerous applications, includingapplications that may create a risk of personal injury. If you use this software or hardware in dangerousapplications, then you shall be responsible to take all appropriate fail-safe, backup, redundancy, and othermeasures to ensure its safe use. Oracle Corporation and its affiliates disclaim any liability for any damagescaused by use of this software or hardware in dangerous applications.
Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks oftheir respective owners.
Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks
are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD,Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of AdvancedMicro Devices. UNIX is a registered trademark of The Open Group.
This software or hardware and documentation may provide access to or information on content, products,and services from third parties. Oracle Corporation and its affiliates are not responsible for and expresslydisclaim all warranties of any kind with respect to third-party content, products, and services. OracleCorporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to youraccess to or use of third-party content, products, or services.
-
8/13/2019 e17609
3/122
iii
Contents
Preface ................................................................................................................................................................. ix
Audience....................................................................................................................................................... ix
Documentation Accessibility..................................................................................................................... ix
Related Documents ..................................................................................................................................... x
Conventions ................................................................................................................................................. x
Changes in This Release for Oracle Database 2 Day + Security Guide ...................... xi
Changes in Oracle Database 12c Release 1 (12.1).................................................................................... xi
1 Introduction to Oracle Database Security
About This Guide..................................................................................................................................... 1-1
Before Using This Guide ............... .............. ............... .............. ................ ............. ................ ............ 1-1
What This Guide Is and Is Not......................................................................................................... 1-1
Common Database Security Tasks ....................................................................................................... 1-2
Tools for Securing Your Database ........................................................................................................ 1-2
Securing Your Database: A Roadmap..................................................................................................
1-3
2 Securing the Database Installation and Configuration
About Securing the Database Installation and Configuration ....................................................... 2-1
Securing Access to the Oracle Database Installation ........................................................................ 2-1
Using the Default Security Settings................................................................................................. 2-2
Securing the Oracle Data Dictionary............................................................................................... 2-2
About the Oracle Data Dictionary............................................................................................ 2-2
Enabling Data Dictionary Protection ............. ............... .............. .............. ................ .............. . 2-3
Initialization Parameters Used for Installation and Configuration Security............................. 2-4
Modifying the Value of an Initialization Parameter.................. ............... ............... .............. 2-4
Securing the Network.............................................................................................................................. 2-5About Securing the Network............................................................................................................ 2-5
Protecting Data on the Network by Using Network Encryption................................................ 2-5
About Network Encryption....................................................................................................... 2-6
Configuring Network Encryption ............. .............. ................ ............... .............. ................ .... 2-6
Initialization Parameters Used for Network Security................................................................... 2-8
Securing User Accounts .......................................................................................................................... 2-9
About Securing Oracle Database User Accounts .............. .............. ............... ................ ............... 2-9
Predefined User Accounts Provided by Oracle Database...................... ............... ............... ..... 2-10
-
8/13/2019 e17609
4/122
iv
Predefined Administrative Accounts ................................................................................... 2-10
Predefined Non-Administrative User Accounts ................................................................. 2-12
Predefined Sample Schema User Accounts ......................................................................... 2-13
Expiring and Locking Database Accounts .................................................................................. 2-14
Requirements for Creating Passwords............... .............. ............... ............... .............. ................ 2-15
Finding and Changing Default Passwords ................................................................................. 2-15
About Finding and Changing Default Passwords............... ............... ............... .............. ... 2-15Finding and Changing Default Passwords from SQL*Plus.............. ................ ............... .. 2-16
Finding and Changing Default Passwords from Enterprise Manager ............................ 2-16
Parameters Used to Secure User Accounts ................................................................................. 2-17
3 Managing User Privileges
About Privilege Management ................................................................................................................ 3-1
When to Grant Privileges to Users ........................................................................................................ 3-1
When to Grant Roles to Users ................................................................................................................ 3-2
Handling Privileges for the PUBLIC Role .......................................................................................... 3-2
Controlling Access to Applications with Secure Application Roles.............................................. 3-3
About Secure Application Roles .............. ............... .............. ................ .............. ............... .............. 3-3
Tutorial: Creating a Secure Application Role ................ .............. ............... ............... .............. ...... 3-4
Step 1: Create User Accounts for This Tutorial ............. ............... ................ .............. ............ 3-4
Step 2: Create a Security Administrator Account .............. ............... .............. ............... ........ 3-5
Step 3: Create a Lookup View .............. ............... .............. ............... ............... .............. ............ 3-6
Step 4: Create the PL/SQL Procedure to Set the Secure Application Role ................ ........ 3-7
Step 5: Create the Secure Application Role............................................................................. 3-9
Step 6: Grant SELECT for the EMP_ROLE Role to the OE.ORDERS Table .................... 3-10
Step 7: Grant the EXECUTE Privilege for the Procedure to Matthew and Winston...... 3-10
Step 8: Test the EMP_ROLE Secure Application Role ........................................................ 3-11
Step 9: Optionally, Remove the Components for This Tutorial........................................ 3-12Initialization Parameters Used for Privilege Security ................................................................... 3-12
4 Encrypting Data with Oracle Transparent Data Encryption
About Encrypting Sensitive Data.......................................................................................................... 4-1
When Should You Encrypt Data? ......................................................................................................... 4-2
How Transparent Data Encryption Works .......................................................................................... 4-2
Configuring Data to Use Transparent Data Encryption ................................................................... 4-3
Step 1: Configure the Keystore Location ............. ............... ............... .............. ............... ............... . 4-4
Step 2: Check the COMPATIBLE Initialization Parameter Setting............................................. 4-4
Step 3: Create the Software Password-Based Keystore .............. ............... ............... ............... ..... 4-5
Step 4: Open (or Close) the Keystore............................................................................................... 4-6Step 5: Create the Master Encryption Key...................................................................................... 4-7
Step 6: Encrypt Data .......................................................................................................................... 4-7
Encrypting Individual Table Columns ............... ............... .............. ............... .............. ........... 4-7
Encrypting a Tablespace ......................................................................................................... 4-10
Checking Existing Encrypted Data .................................................................................................... 4-11
Finding the Type of Keystore That Was Created ....................................................................... 4-11
Finding the Keystore Location ...................................................................................................... 4-11
Checking Whether a Keystore Is Open or Closed...................................................................... 4-12
-
8/13/2019 e17609
5/122
v
Checking Encrypted Columns of an Individual Table .............................................................. 4-12
Checking All Encrypted Table Columns in the Current Database Instance .......................... 4-12
Checking Encrypted Tablespaces in the Current Database Instance ...................................... 4-13
5 Controlling Access with Oracle Database Vault
About Oracle Database Vault ................................................................................................................ 5-1
Tutorial: Controlling Administrator Access to a User Schema ....................................................... 5-2
Step 1: Enable Oracle Database Vault ................ ............... .............. ................ ............... .............. ... 5-2
Step 2: Grant the SELECT Privilege on the OE.CUSTOMERS Table to User SCOTT.............. 5-3
Step 3: Select from the OE.CUSTOMERS Table as Users SYS and SCOTT .............. ................ . 5-4
Step 4: Create a Realm to Protect the OE.CUSTOMERS Table.................................................... 5-4
Step 5: Test the OE Protections Realm ............. ................ .............. ............... .............. ................ .... 5-6
Step 6: Optionally, Remove the Components for This Tutorial ............... ............... .............. ...... 5-7
6 Restricting Access with Oracle Virtual Private Database
About Oracle Virtual Private Database ............................................................................................... 6-1
Tutorial: Limiting Access to Data Based on the Querying User ..................................................... 6-2Step 1: Create User Accounts for This Tutorial.............................................................................. 6-3
Step 2: If Necessary, Create the Security Administrator Account .............. ............... ................ . 6-4
Step 3: Update the Security Administrator Account ................ ............... ............... ............... ....... 6-5
Step 4: Create the F_POLICY_ORDERS Policy Function ............................................................ 6-5
Step 5: Create the ACCESSCONTROL_ORDERS Virtual Private Database Policy ................ 6-7
Step 6: Test the ACCESSCONTROL_ORDERS Virtual Private Database Policy ................ .... 6-8
Step 7: Optionally, Remove the Components for This Tutorial ............... ............... .............. ...... 6-9
7 Limiting Access to Sensitive Data Using Oracle Data Redaction
About Oracle Data Redaction ................................................................................................................ 7-1
Tutorial: Redacting Data for a Select Group of Users ....................................................................... 7-2
Step 1: Create User Accounts and Grant Them the Necessary Privileges ............. ................ .... 7-2
Step 2: Create and Populate the SALES_OPPS Sales Opportunities Table ................ ............... 7-4
Step 3: Create the SALES_OPPS_POL Oracle Data Redaction Policy........................................ 7-5
Step 5: Test the SALES_OPPS_POL Oracle Data Redaction Policy ............. ................ ............... 7-6
Step 6: Optionally, Remove the Components for This Tutorial ............... ............... .............. ...... 7-8
8 Enforcing Row-Level Security with Oracle Label Security
About Oracle Label Security .................................................................................................................. 8-1
Choosing Between Virtual Private Database, Oracle Label Security, and Data Redaction ...... 8-2
Guidelines for Planning an Oracle Label Security Policy ............................................................... 8-3Tutorial: Creating Levels of Access to Table Data Based on the User ........................................... 8-4
Step 1: Enable Oracle Label Security ............... ............... ................ ............... ............... ................ ... 8-5
Step 2: Enable the LBACSYS Account............................................................................................. 8-6
Step 3: Create a Role and Three Users for the Oracle Label Security Tutorial.......................... 8-6
Step 4: Create the ACCESS_LOCATIONS Oracle Label Security Policy................................... 8-8
Step 5: Define the ACCESS_LOCATIONS Policy-Level Components....................................... 8-9
Step 6: Create the ACCESS_LOCATIONS Policy Data Labels................. ............... ............... .. 8-10
-
8/13/2019 e17609
6/122
vi
Step 7: Create the ACCESS_LOCATIONS Policy User Authorizations................... ............... 8-11
Step 8: Apply the ACCESS_LOCATIONS Policy to the HR.LOCATIONS Table ............... .. 8-13
Step 9: Add the ACCESS_LOCATIONS Labels to the HR.LOCATIONS Data ..................... 8-13
Step 10: Test the ACCESS_LOCATIONS Policy......................................................................... 8-16
Step 11: Optionally, Remove the Components for This Tutorial ....... ............... ................ ...... 8-18
9 Auditing Database Activity
About Auditing......................................................................................................................................... 9-1
Why Is Auditing Used? ........................................................................................................................... 9-2
Tutorial: Creating a Unified Audit Policy ........................................................................................... 9-3
Step 1: If Necessary, Enable Unified Auditing ............. .............. ............... .............. ................ ...... 9-3
Step 2: Grant the SEC_ADMIN User the AUDIT_ADMIN Role................................................. 9-5
Step 3: Create and Enable a Unified Audit Policy......................................................................... 9-5
Step 4: Test the Unified Audit Policy .............. ............... .............. ............... .............. ................ ...... 9-6
Step 5: Optionally, Remove the Components for This Tutorial .............. ................ .............. ...... 9-8
Step 6: Optionally, Remove the SEC_ADMIN Security Administrator Account............. ........ 9-8
Index
-
8/13/2019 e17609
7/122
vii
List of Tables
21 Default Security Settings for Initialization and Profile Parameters.................................... 2-222 Initialization Parameters Used for Installation and Configuration Security .............. ...... 2-423 Initialization Parameters Used for Network Security ............... ............... ............... ............. 2-824 Predefined Oracle Database Administrative User Accounts ........................................... 2-1025 Predefined Oracle Database Non-Administrative User Accounts .................................. 2-1326
Default Sample Schema User Accounts............. .............. ............... ............... ............... .......2-14
27 Initialization and Profile Parameters Used for User Account Security .......................... 2-1731 Initialization Parameters Used for Privilege Security ....................................................... 3-1241 Data Dictionary Views for Encrypted Tablespaces ........................................................... 4-1381 Comparing Virtual Private Database, Label Security, and Data Redaction...................... 8-2
-
8/13/2019 e17609
8/122
viii
-
8/13/2019 e17609
9/122
ix
Preface
Welcome to Oracle Database 2 Day + Security Guide. This guide is for anyone who wantsto perform common day-to-day security tasks with Oracle Database.
This preface contains:
Audience
Documentation Accessibility Related Documents
Conventions
AudienceOracle Database 2 Day + Security Guideexpands on the security knowledge that youlearned in Oracle Database 2 Day DBAto manage security in Oracle Database. Theinformation in this guide applies to all platforms. For platform-specific information,see the installation guide, configuration guide, and platform guide for your platform.
This guide is intended for the following users:
Oracle database administrators who want to acquire database securityadministrative skills
Database administrators who have some security administrative knowledge butare new to Oracle Database
This guide is not an exhaustive discussion about security. For detailed informationabout security, see the Oracle Database Security documentation set. This guide doesnot provide information about security for Oracle E-Business Suite applications. Forinformation about security in the Oracle E-Business Suite applications, see thedocumentation for those products.
Documentation AccessibilityFor information about Oracle's commitment to accessibility, visit the OracleAccessibility Program website athttp://www.oracle.com/pls/topic/lookup?ctx=acc&id=docacc.
Access to Oracle Support
Oracle customers have access to electronic support through My Oracle Support. Forinformation, visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=infoorvisit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=trsif you are hearingimpaired.
-
8/13/2019 e17609
10/122
x
Related DocumentsFor more information, use the following resources:
Oracle Database Documentation
For more security-related information, see the following documents in the OracleDatabase documentation set:
Oracle Database 2 Day DBA
Oracle Database Administrator's Guide
Oracle Database Security Guide
Oracle Database Concepts
Oracle Database Reference
Oracle Database Vault Administrator's Guide
Many of the examples in this guide use the sample schemas of the seed database,which is installed by default when you install Oracle. See Oracle Database SampleSchemas for information about how these schemas were created and how you can use
them.
Oracle Technology Network (OTN)
You can download free release notes, installation documentation, updated versions ofthis guide, white papers, or other collateral from the Oracle Technology Network(OTN). Visit
http://www.oracle.com/technetwork/index.html
For security-specific information on OTN, visit
http://www.oracle.com/technetwork/topics/security/whatsnew/index.html
For the latest version of the Oracle documentation, including this guide, visit
http://www.oracle.com/technetwork/documentation/index.html
My Oracle Support (formerly OracleMetaLink)
You can find information about security patches, certifications, and the supportknowledge base by visiting My Oracle Support at
https://support.oracle.com
ConventionsThe following text conventions are used in this document:
Convention Meaning
boldface Boldface type indicates graphical user interface elements associatedwith an action, or terms defined in text or the glossary.
italic Italic type indicates book titles, emphasis, or placeholder variables forwhich you supply particular values.
monospace Monospace type indicates commands within a paragraph, URLs, codein examples, text that appears on the screen, or text that you enter.
-
8/13/2019 e17609
11/122
xi
Changes in This Release for Oracle Database2 Day + Security Guide
This preface contains:
Changes in Oracle Database 12c Release 1 (12.1)
Changes in Oracle Database 12cRelease 1 (12.1)The following are changes in Oracle Database 2 Day + Security Guidefor OracleDatabase 12cRelease 1 (12.1):
New Features
Deprecated Feature
Desupported Features
Other Changes
New Features
The following features are new in this release:
Key Management for Transparent Data Encryption and Other DatabaseComponents
Oracle Database Vault Enhancements
Oracle Data Redaction for Limiting Access to Sensitive Data
Easier and Quicker Way to Enable and Disable Oracle Label Security
Auditing Enhancements
Key Management for Transparent Data Encryption and Other DatabaseComponents
Oracle Database 12cRelease 1 (12.1) introduces a unified key managementinfrastructure for Transparent Data Encryption (TDE) and other database components.This eases key administration tasks, provides for better compliance and tracking, andalso leads to better separation of duty between the database administrator and securityadministrator. For better security and separation of duty, users who are responsible forconfiguring TDE must have the SYSKMsystem privilege.
See Chapter 4, "Encrypting Data with Oracle Transparent Data Encryption."
Oracle Database Vault Enhancements
Easier and quicker way to enable Database Vault.
-
8/13/2019 e17609
12/122
xii
Full inclusion of Database Vault functionality in the Enterprise Manager CloudControl pages. This feature replaces the Database Vault Administrator utility thatwas used in previous releases.
See Chapter 5, "Controlling Access with Oracle Database Vault."
Oracle Data Redaction for Limiting Access to Sensitive Data
Oracle Data Redaction disguises (redacts) data from low-privileged users orapplications. For example, you can redact the credit card number 5105 1051 05105100to appear as 5105 **** **** ****. The redaction occurs in real time, when theuser accesses the data and it preserves the back-end referential integrity andconstraints for the data. In addition to a partial redaction (as shown with the creditcard example here), you can replace the entire data set with a fixed value or withrandomized values. You also can easily apply Oracle Data Redaction policiesthroughout the databases in your enterprise.
See Chapter 7, "Limiting Access to Sensitive Data Using Oracle Data Redaction."
Easier and Quicker Way to Enable and Disable Oracle Label Security
See Chapter 8, "Enforcing Row-Level Security with Oracle Label Security."
Auditing Enhancements
Unified audit trail, which encompasses audit events from the default databaseinstallation, Oracle Database Vault, Oracle Label Security, Oracle Database RealApplication Security, Oracle Recovery Manager, Oracle Data Pump, and OracleSQL*Loader Direct Load Path. These events are available in a uniform format in aset of data dictionary views.
Faster audit performance
Ability to create named unified audit policies. The audit configuration issimplified by grouping a set of actions to be audited on specific conditions asnamed policies that you can enable and disable as needed. These policies define
set of events to be captured. New roles, AUDIT_ADMINand AUDIT_VIEWER, for better security and separation of
duty. (This guide only discusses the AUDIT_ADMINrole.)
See Chapter 9, "Auditing Database Activity."
Deprecated Feature
Database Vault Administrator (DVA) has been deprecated. Its functionality is now partof the of Oracle Enterprise Manager Cloud Control interface.
Desupported Features
Oracle Enterprise Manager Database Control is no longer supported by Oracle. See
Oracle Database Upgrade Guidefor a complete list of desupported features in thisrelease.
Other Changes
This section contains:
Oracle Enterprise Manager Cloud Control (Cloud Control) Graphical UserInterface
-
8/13/2019 e17609
13/122
xiii
Oracle Enterprise Manager Cloud Control (Cloud Control) Graphical User
Interface
In previous releases of Oracle Database, you used Oracle Enterprise Manager DatabaseControl (Database Control) to administer database security from a graphical userinterface. In this release, you can use the Cloud Control graphical user interface. CloudControl provides more functionality than Database Control.
You must install Cloud Control separately from Oracle Database.
See Also: Oracle Enterprise Manager Cloud Control Basic InstallationGuidefor information about installing Cloud Control
-
8/13/2019 e17609
14/122
xiv
-
8/13/2019 e17609
15/122
1
Introduction to Oracle Database Security 1-1
1Introduction to Oracle Database Security
This chapter contains:
About This Guide
Common Database Security Tasks
Tools for Securing Your Database
Securing Your Database: A Roadmap
About This GuideOracle Database 2 Day + Security Guideteaches you how to perform day-to-daydatabase security tasks. Its goal is to help you understand the concepts behind OracleDatabase security. You will learn how to perform common security tasks needed tosecure your database. The knowledge you gain from completing the tasks in OracleDatabase 2 Day + Security Guidehelps you to better secure your data and to meetcommon regulatory compliance requirements, such as the Sarbanes-Oxley Act.
The primary administrative interface used in this guide is Oracle Enterprise Manager,featuring all the self-management capabilities introduced in Oracle Database.
This section contains the following topics:
Before Using This Guide
What This Guide Is and Is Not
Before Using This GuideBefore using this guide:
Complete Oracle Database 2 Day DBA
Obtain the necessary products and tools described in "Tools for Securing YourDatabase"on page 1-2
What This Guide Is and Is NotOracle Database 2 Day + Security Guideis task oriented. The objective of this guide is todescribe why and when you must perform security tasks.
Where appropriate, this guide describes the concepts and steps necessary tounderstand and complete a task. This guide is not an exhaustive discussion of allOracle Database concepts. For this type of information, see Oracle Database Concepts.
-
8/13/2019 e17609
16/122
Common Database Security Tasks
1-2 Oracle Database 2 Day + Security Guide
Where appropriate, this guide describes the necessary Oracle Database administrativesteps to complete security tasks. This guide does not describe basic Oracle Databaseadministrative tasks. For this type of information, see Oracle Database 2 Day DBA.Additionally, for a complete discussion of administrative tasks, see Oracle Database
Administrator's Guide.
In addition, this guide is not an exhaustive discussion of all Oracle Database security
features and does not describe available APIs that provide equivalent command linefunctionality to the tools used in this guide. For this type of information, see OracleDatabase Security Guide.
Common Database Security TasksAs a database administrator for Oracle Database, you should be involved in thefollowing security-related tasks:
Ensuring that the database installation and configuration is secure
Managing the security aspects of user accounts: developing secure passwordpolicies, creating and assigning roles, restricting data access to only theappropriate users, and so on
Ensuring that network connections are secure
Encrypting sensitive data
Ensuring the database has no security vulnerabilities and is protected againstintruders
Deciding what database components to audit and how granular you want thisauditing to be
Downloading and installing security patches
In a small to midsize database environment, you might perform these tasks as welland all database administrator-related tasks, such as installing Oracle software,creating databases, monitoring performance, and so on. In large, enterpriseenvironments, the job is often divided among several database administratorseachwith their own specialtysuch as database security or database tuning.
Tools for Securing Your DatabaseTo achieve the goals of securing your database, you need the following products, tools,and utilities:
Oracle Database 12cEnterprise Edition
Oracle Database 12cEnterprise Edition provides enterprise-class performance,scalability, and reliability on clustered and single-server configurations. It includesmany security features that are used in this guide.
Oracle Enterprise Manager
Oracle Enterprise Manager is a Web application that you can use to performdatabase administrative tasks for a single database instance or a clustereddatabase. It enables you to manage multiple Oracle databases from one location.This guide explains how to use Enterprise Manager to perform databaseadministrative tasks.
SQL*Plus
-
8/13/2019 e17609
17/122
Securing Your Database: A Roadmap
Introduction to Oracle Database Security 1-3
SQL*Plus is a development environment that you can use to create and run SQLand PL/SQL code. It is part of the Oracle Database 12cRelease 1 (12.1) installation.
Database Configuration Assistant (DBCA)
Database Configuration Assistant enables you to perform general database tasks,such as creating, configuring, or deleting databases. In this guide, you use DBCAto enable default auditing.
Oracle Net Manager
Oracle Net Manager enables you to perform network-related tasks for OracleDatabase. In this guide, you use Oracle Net Manager to configure networkencryption.
Securing Your Database: A RoadmapTo learn the fundamentals of securing an Oracle database, follow these steps:
1. Secure your Oracle Database installation and configuration.
Complete the tasks in Chapter 2, "Securing the Database Installation
and Configuration"to secure access to an Oracle Database installation.2. Understand how privileges work.
Complete the tasks in Chapter 3, "Managing User Privileges". You learn about thefollowing:
How privileges work
Why you must be careful about granting privileges
How database roles work
How to create secure application roles
3. Encrypt data as it travels across the network.
Complete the tasks in Chapter 4, "Encrypting Data withOracle Transparent Data Encryption"to learn how to secure client connections andto configure network encryption.
4. Control system administrative access to sensitive data with Oracle DatabaseVault.
Complete the tasks in Chapter 5, "Controlling Access with Oracle Database Vault.".
5. Restrict the display of data with Oracle Virtual Private Database.
Complete the tasks in Chapter 6, "Restricting Access withOracle Virtual Private Database."
6. Control the display of data in real time by using data redaction.
Complete the tasks in Chapter 7, "Limiting Access to Sensitive DataUsing Oracle Data Redaction.".
7. Enforce row-level security with Oracle Label Security.
Chapter 8, "Enforcing Row-Level Security with Oracle Label Security."
8. Configure auditing so that you can monitor the database activities.
Complete the tasks in Chapter 9, "Auditing Database Activity"to learn aboutstandard auditing.
-
8/13/2019 e17609
18/122
Securing Your Database: A Roadmap
1-4 Oracle Database 2 Day + Security Guide
-
8/13/2019 e17609
19/122
2
Securing the Database Installation and Configuration 2-1
2Securing the Database Installationand Configuration
This chapter contains:
About Securing the Database Installation and Configuration
Securing Access to the Oracle Database Installation
Securing the Network
Securing User Accounts
About Securing the Database Installation and ConfigurationAfter you install Oracle Database, you should secure the database installation and
configuration. This section describes commonly used ways to do this, all of whichinvolve restricting permissions to specific areas of the database files.
Oracle Database is available on several operating systems. Consult the followingguides for detailed platform-specific information about Oracle Database:
Oracle Database Platform Guide for Microsoft Windows
Oracle Database Administrator's Reference for Linux and UNIX-Based OperatingSystems
Oracle Database Installation Guidefor your platform
Securing Access to the Oracle Database InstallationThis section contains:
Using the Default Security Settings
Securing the Oracle Data Dictionary
Initialization Parameters Used for Installation and Configuration Security
See Also:
Oracle Database Security Guidefor detailed information aboutsecurity
Oracle Database Security Guidefor important security guidelines
-
8/13/2019 e17609
20/122
-
8/13/2019 e17609
21/122
Securing Access to the Oracle Database Installation
Securing the Database Installation and Configuration 2-3
Auditing information, such as who has accessed or updated various schemaobjects
Other general database information
The data dictionary tables and views for a given database are stored in the SYSTEMtablespace for that database. All the data dictionary tables and views for a givendatabase are owned by the user SYS. Connecting to the database with the SYSDBA
administrative privilege gives full access to the data dictionary. Oracle stronglyrecommends limiting access to the SYSDBAadministrative privilege to only thoseoperations necessary such as patching and other administrative operations. The datadictionary is central to every Oracle database.
You can view the contents of the data dictionary by querying data dictionary views,which are described in Oracle Database Reference. Be aware that not all objects in thedata dictionary are exposed to users. A subset of data dictionary objects, such as thosebeginning with USER_are exposed as read only to all database users.
Example 21shows how you can find a list of database views specific to the datadictionary by querying the DICTIONARYview.
Example 21 Finding Views That Pertain to the Data Dictionarysqlplus system
Enter password:password
SQL> SELECT TABLE_NAME FROM DICTIONARY;
Enabling Data Dictionary Protection
You can protect the data dictionary by setting the O7_DICTIONARY_ACCESSIBILITYinitialization parameter to FALSE. This parameter prevents users who have the ANYsystem privilege from using those privileges on the data dictionary, that is, on objectsin the SYSschema.
Oracle Database provides highly granular privileges. One such privilege, commonly
referred to as the ANYprivilege, should typically be granted to only application ownersand individual database administrators. For example, you could grant the DROP ANYTABLEprivilege to an application owner. You can protect the Oracle data dictionaryfrom accidental or malicious use of the ANYprivilege by turning on or off the O7_DICTIONARY_ACCESSIBILITYinitialization parameter.
To enable data dictionary protection:
1. Access the Database home page.
See Oracle Database 2 Day DBAfor more information.
2. From the Administrationmenu, select Initialization Parameters.
If the Database Login page appears, then log in as SYSwith the SYSDBArole
selected.3. In the Initialization Parameters page, from the list, search for O7_DICTIONARY_
ACCESSIBILITY.
In the Namefield, enter O7_(the letter O), and then click Go. You can enter the firstfew characters of a parameter name. In this case, O7_displays the O7_DICTIONARY_ACCESSIBILTYparameter.
4. Set the value for O7_DICTIONARY_ACCESSIBILTYto FALSE.
5. Click Apply.
-
8/13/2019 e17609
22/122
Securing Access to the Oracle Database Installation
2-4 Oracle Database 2 Day + Security Guide
6. Restart the Oracle Database instance.
sqlplus sys as sysdba
Enter password:password
SQL> SHUTDOWN IMMEDIATE
SQL> STARTUP
Initialization Parameters Used for Installation and Configuration Security
Table 22lists initialization parameters that you can set to better secure your Oracle
Database installation and configuration.
Modifying the Value of an Initialization ParameterThis section explains how to use Enterprise Manager to modify the value of aninitialization parameter. To find detailed information about the initializationparameters available, see Oracle Database Reference.
To modify the value of an initialization parameter:
1. Access the Database home page.
See Oracle Database 2 Day DBAfor more information.
2. From the Administrationmenu, select Initialization Parameters.
Note:
In a default installation, the O7_DICTIONARY_ACCESSIBILITYparameter is set to FALSE.
The SELECT ANY DICTIONARYprivilege is not included in theGRANT ALL PRIVILEGESstatement, but you can grant it througha role. Roles are described in "When to Grant Roles to Users"onpage 3-2and Oracle Database Security Guide.
Table 22 Initialization Parameters Used for Installation and Configuration Security
Initialization Parameter Default Setting Description
SEC_RETURN_SERVER_RELEASE_BANNER FALSE Controls the display of the product versioninformation, such as the release number, in aclient connection. An intruder could use thedatabase release number to find informationabout security vulnerabilities that may be presentin the database software. You can enable ordisable the detailed product version display bysetting this parameter.
See Oracle Database Security Guidefor more
information about this and similar parameters.Oracle Database Referencedescribes this parameterin detail.
O7_DICTIONARY_ACCESSIBILITY FALSE Controls restrictions on SYSTEMprivileges. See"Enabling Data Dictionary Protection"onpage 2-3for more information about thisparameter. Oracle Database Referencedescribes thisparameter in detail.
See Also: Oracle Database Referencefor more information aboutinitialization parameters
-
8/13/2019 e17609
23/122
-
8/13/2019 e17609
24/122
Securing the Network
2-6 Oracle Database 2 Day + Security Guide
About Network Encryption
Network encryption refers to encrypting data as it travels across the network betweenthe client and server. The reason you should encrypt data at the network level, and notjust the database level, is because data can be exposed on the network level. Forexample, an intruder can use a network packet sniffer to capture information as ittravels on the network, and then spool it to a file for malicious use. Encrypting data onthe network prevents this sort of activity.
To encrypt data on the network, you need the following components:
An encryption seed.The encryption seed is a random string of up to 256characters. It generates the cryptographic keys that encrypts data as it travelsacross the network.
An encryption algorithm.You can specify any of the supported algorithm types:AES, RC4, DES, or 3DES.
Whether the settings apply to a client or server.You must configure the serverand each client to which it connects.
How the client or server should processes the encrypted data.The settings youselect (you have four options) must complement both server and client.
A mechanism for configuring the encryption. You can use Oracle Net Manager toconfigure the encryption. Alternatively, you can edit the sqlnet.oraconfigurationfile. Both Oracle Net Manager and the sqlnet.orafile are available in a defaultOracle Database installation.
Configuring Network Encryption
You can configure network encryption by using either Oracle Net Manager or byediting the sqlnet.orafile. This guide explains how to use Oracle Net Manager toconfigure network encryption.
To configure network encryption:
1. On the server computer, start Oracle Net Manager.
UNIX:From $ORACLE_HOME/bin, enter the following at the command line:
netmgr
Windows:From the Startmenu, click All Programs. Then, click Oracle -HOME_NAME , Configuration and Migration Tools, and then Net Manager
2. From the Oracle Net Configuration navigation tree, expand Local, and then selectProfile.
3. From the list, select Network Security.
-
8/13/2019 e17609
25/122
Securing the Network
Securing the Database Installation and Configuration 2-7
4. Under Network Security, select the Encryptiontab.
The Encryption settings pane appears.
5. Enter the following settings:
Encryption: From the list, select SERVERto configure the network encryptionfor the server. (For the client computer, you select CLIENT.)
Encryption Type: Select from the following values to specify the actions of theserver (or client) when negotiating encryption and integrity:
accepted: Service will be active if the other side of the connection specifieseither required or requested, and there is a compatible algorithm available
on the receiving database; it will otherwise be inactive.
rejected: Service must not be active, and the connection will fail if theother side requires any of the methods in this list.
requested: Service will be active if the other side of the connectionspecifies either accepted, required, or requested, and there is a compatiblealgorithm available on the other side. Otherwise, the service is inactive.
required: Service must be active, and the connection will fail if the otherside specifies rejected, or if there is no compatible algorithm on the otherside.
Encryption Seed: Enter a random string of up to 256 characters. OracleDatabase uses the encryption seed to generate cryptographic keys. This isrequired when either encryption or integrity is enabled.
If you choose to use special characters such as a comma [,] or a rightparenthesis [)] as a part of the Encryption Seedparameter, enclose the valuewithin single quotation marks.
Available Methods: Select one or more of the following algorithms, and usethe move button (>) to move them to the Selected Methods list. The order inwhich they appear in the Selected Methods list determines the preferred orderfor negotiation. That is, the first algorithm listed is selected first, and so on.
-
8/13/2019 e17609
26/122
Securing the Network
2-8 Oracle Database 2 Day + Security Guide
AES256: Advanced Encryption Standard (AES). AES was approved by theNational Institute of Standards and Technology (NIST) to replace DataEncryption Standard (DES). AES256 enables you to encrypt a block size of256 bits.
RC4_256: Rivest Cipher 4 (RC4), which is the most commonly used streamcipher that protects protocols such as Secure Sockets Layer (SSL). RC4_256
enables you to encrypt up to 256 bits of data. AES192: Enables you to use AES to encrypt a block size of 192 bits.
3DES168: Triple Data Encryption Standard (TDES) with a three-keyoption. 3DES168 enables you to encrypt up to 168 bits of data.
AES128: Enables you to use AES to encrypt a block size of 128 bits.
RC4_128: Enables you to use RC4 to encrypt up to 128 bits of data.
3DES112: Enables you to use Triple DES with a two-key (112 bit) option.
DES: Data Encryption Standard (DES) 56-bit key. Note that NationalInstitute of Standards and Technology (NIST) no longer recommends DES.
RC4_40: Enables you to use RC4 to encrypt up to 40 bits of data. (Notrecommended.)
DES40: Enables you to use DES to encrypt up to 40 bits of data. (Notrecommended.)
6. From the Filemenu, select Save Network Configuration, and then select Exittoexit Oracle Net Manager.
7. Repeat these steps for each client computer that connects to the server.
Initialization Parameters Used for Network SecurityTable 23lists initialization parameters that you can set to better secure user accounts.
See Also:
Oracle Database Net Services Referencefor information about editingthe sqlnet.orafile parameters to configure network encryption
Table 23 Initialization Parameters Used for Network Security
Initialization Parameter Default Setting Description
OS_AUTHENT_PREFIX OPS$ Specifies a prefix that Oracle Database uses to identify usersattempting to connect to the database. Oracle Databaseconcatenates the value of this parameter to the beginning of theuser operating system account name and password. When a userattempts a connection request, Oracle Database compares theprefixed username with user names in the database.
REMOTE_LISTENER No default setting Specifies a network name that resolves to an address or addresslist of Oracle Net remote listeners (that is, listeners that are notrunning on the same computer as this instance). The address oraddress list is specified in the tnsnames.orafile or other addressrepository as configured for your system.
REMOTE_OS_AUTHENT FALSE Specifies whether remote clients will be authenticated with thevalue of the OS_AUTHENT_PREFIXparameter.
REMOTE_OS_ROLES FALSE Specifies whether operating system roles are allowed for remoteclients. The default value, FALSE, causes Oracle Database toidentify and manage roles for remote clients.
-
8/13/2019 e17609
27/122
Securing User Accounts
Securing the Database Installation and Configuration 2-9
To modify an initialization parameter, see "Modifying the Value of an InitializationParameter"on page 2-4. For detailed information about initialization parameters, seeOracle Database ReferenceandOracle Database Administrator's Guide.
Securing User AccountsThis section contains:
About Securing Oracle Database User Accounts
Predefined User Accounts Provided by Oracle Database
Requirements for Creating Passwords
Finding and Changing Default Passwords
Parameters Used to Secure User Accounts
About Securing Oracle Database User Accounts
You can use many methods to secure both common and local database user accounts.For example, Oracle Database has a set of built-in protections for passwords. Thissection explains how you can safeguard default database accounts and passwords, anddescribes ways to manage database accounts.
Oracle Database 2 Day DBAdescribes the fundamentals of creating and administeringuser accounts, including how to manage user roles, what the administrative accountsare, and how to use profiles to establish a password policy.
After you create user accounts, you can use the procedures in this section to furthersecure these accounts by following these methods:
Safeguarding predefined database accounts.When you install Oracle Database, itcreates a set of predefined accounts. You should secure these accounts as soon aspossible by changing their passwords. You can use the same method to change allpasswords, whether they are with regular user accounts, administrative accounts,or predefined accounts. This guide also provides guidelines on how to create themost secure passwords.
Managing database accounts.You can expire and lock database accounts.
Managing passwords.You can manage and protect passwords by settinginitialization parameters. Oracle Database Referencedescribes the initialization
parameters in detail.
See Also:
Oracle Database Security Guidefor detailed information aboutsecuring user accounts
Oracle Database Security Guidefor important guidelines onsecuring user accounts
See Also:
Oracle Database Security Guidefor detailed information aboutmanaging user accounts and authentication
"Predefined User Accounts Provided by Oracle Database"onpage 2-10for a description of the predefined user accounts thatare created when you install Oracle Database
-
8/13/2019 e17609
28/122
Securing User Accounts
2-10 Oracle Database 2 Day + Security Guide
Predefined User Accounts Provided by Oracle DatabaseWhen you install Oracle Database, the installation process creates a set of predefinedaccounts in the database. These accounts are in the following categories:
Predefined Administrative Accounts
Predefined Non-Administrative User Accounts
Predefined Sample Schema User Accounts
Predefined Administrative Accounts
A default Oracle Database installation provides a set of predefined administrativeaccounts. These are accounts that have special privileges required to administer areasof the database, such as the CREATE ANY TABLEor ALTER SESSIONprivilege, or EXECUTEprivileges on packages owned by the SYSschema. The default tablespace foradministrative accounts is either SYSTEMor SYSAUX. In a multitenant environment, thepredefined administrative accounts reside in the root database.
To protect these accounts from unauthorized access, the installation process expiresand locks most of these accounts, except where noted in Table 24. As the databaseadministrator, you are responsible for unlocking and resetting these accounts, asdescribed in "Expiring and Locking Database Accounts"on page 2-14.
Table 24lists the administrative user accounts provided by Oracle Database.
Table 24 Predefined Oracle Database Administrative User Accounts
User Account Description Status After Installation
ANONYMOUS An account that allows HTTP access to Oracle XML DB.It is used in place of the APEX_PUBLIC_USERaccountwhen the Embedded PL/SQL Gateway (EPG) isinstalled in the database.
EPG is a Web server that can be used with OracleDatabase. It provides the necessary infrastructure tocreate dynamic applications.
Expired and locked
AUDSYS The internal account used by the unified audit feature tostore unified audit trail records.
See Oracle Database Security Guide.
Expired and locked
CTXSYS The account used to administer Oracle Text. Oracle Textenables you to build text query applications anddocument classification applications. It providesindexing, word and theme searching, and viewingcapabilities for text.
See Oracle Text Application Developer's Guide.
Expired and locked
DBSNMP The account used by the Management Agent componentof Oracle Enterprise Manager to monitor and managethe database.
See Oracle Enterprise Manager Grid Control Installation andBasic Configuration.
Open
Password is created at
installation or databasecreation time.
LBACSYS The account used to administer Oracle Label Security(OLS). It is created only when you install the LabelSecurity custom option.
See Chapter 8, "Enforcing Row-Level Security withOracle Label Security,"and Oracle Label Security
Administrator's Guide.
Expired and locked
-
8/13/2019 e17609
29/122
Securing User Accounts
Securing the Database Installation and Configuration 2-11
MDSYS The Oracle Spatial and Oracle Multimedia Locatoradministrator account.
See Oracle Spatial Developer's Guide.
Expired and locked
OLAPSYS The account that owns the OLAP Catalog (CWMLite).
This account has been deprecated, but is retained forbackward compatibility.
Expired and locked
ORDDATA This account contains the Oracle Multimedia DICOMdata model. See Oracle Multimedia DICOM Developer'sGuidefor more information.
Expired and locked
ORDPLUGINS The Oracle Multimedia user. Plug-ins supplied byOracle and third-party, format plug-ins are installed inthis schema.
Oracle Multimedia enables Oracle Database to store,manage, and retrieve images, audio, video, DICOMformat medical images and other objects, or otherheterogeneous media data integrated with otherenterprise information.
See Oracle Multimedia User's Guideand Oracle MultimediaReference.
Expired and locked
ORDSYS The Oracle Multimedia administrator account.
See Oracle Multimedia User's Guide, Oracle MultimediaReference, and Oracle Multimedia DICOM Developer'sGuide.
Expired and locked
SI_INFORMTN_SCHEMA The account that stores the information views for theSQL/MM Still Image Standard.
See Oracle Multimedia User's Guideand Oracle MultimediaReference.
Expired and locked
SYS An account used to perform database administrationtasks.
See Oracle Database 2 Day DBA.
Open
Password is created atinstallation or databasecreation time.
SYSBACKUP The account used to perform Oracle Recovery Managerrecovery and backup operations.
See Oracle Database Backup and Recovery User's Guide.
Expired and locked
SYSDG The account used to perform Oracle Data Guardoperations.
See Oracle Data Guard Concepts and Administration.
Expired and locked
SYSKM The account used to manage Transparent DataEncryption.
See Oracle Database Advanced Security Administrator's
Guide.
Expired and locked
Table 24 (Cont.) Predefined Oracle Database Administrative User Accounts
User Account Description Status After Installation
-
8/13/2019 e17609
30/122
Securing User Accounts
2-12 Oracle Database 2 Day + Security Guide
Predefined Non-Administrative User Accounts
Table 25lists default non-administrative user accounts that are created when youinstall Oracle Database. Non-administrative user accounts only have the minimumprivileges needed to perform their jobs. Their default tablespace is USERS. In amultitenant environment, the predefined non-administrative accounts reside in theroot database.
To protect these accounts from unauthorized access, the installation process locks andexpires these accounts immediately after installation, except where noted in Table 25.As the database administrator, you are responsible for unlocking and resetting theseaccounts, as described in "Expiring and Locking Database Accounts"on page 2-14.
SYSTEM A default generic database administrator account forOracle databases.
For production systems, Oracle recommends creatingindividual database administrator accounts and not
using the genericSYSTEM
account for databaseadministration operations.
See Oracle Database 2 Day DBA.
Open
Password is created atinstallation or databasecreation time.
WMSYS The account used to store the metadata information forOracle Workspace Manager.
See Oracle Database Workspace Manager Developer's Guide.
Expired and locked
XDB The account used for storing Oracle XML DB data andmetadata. For better security, never unlock the XDBuseraccount.
Oracle XML DB provides high-performance XMLstorage and retrieval for Oracle Database data.
See Oracle XML DB Developer's Guide.
Expired and locked
Note: If you create an Oracle Automatic Storage Management(Oracle ASM) instance, then the ASMSNMPaccount is created. OracleEnterprise Manager uses this account to monitor ASM instances toretrieve data from ASM-related data dictionary views. The ASMSNMPaccount status is set to OPENupon creation, and it is granted theSYSDBAadministrative privilege. For more information, see Oracle
Automatic Storage Management Administrator's Guide.
Table 24 (Cont.) Predefined Oracle Database Administrative User Accounts
User Account Description Status After Installation
-
8/13/2019 e17609
31/122
Securing User Accounts
Securing the Database Installation and Configuration 2-13
Predefined Sample Schema User Accounts
If you install the sample schemas, which you must do to complete the examples in thisguide, Oracle Database creates a set of sample user accounts. The sample schema useraccounts are all non-administrative accounts, and their tablespace is USERS.
To protect these accounts from unauthorized access, the installation process locks andexpires these accounts immediately after installation. As the database administrator,you are responsible for unlocking and resetting these accounts, as described in"Expiring and Locking Database Accounts"on page 2-14. For more information aboutthe sample schema accounts, see Oracle Database Sample Schemas.
Table 26lists the sample schema user accounts, which represent different divisions ofa fictional company that manufactures various products.
Table 25 Predefined Oracle Database Non-Administrative User Accounts
User Account Description Status After Installation
DIP The Oracle Directory Integration and Provisioning(DIP) account that is installed with Oracle LabelSecurity. This profile is created automatically as part ofthe installation process for Oracle InternetDirectory-enabled Oracle Label Security.
See Oracle Label Security Administrator's Guide.
Expired and locked
MDDATA The schema used by Oracle Spatial for storingGeocoder and router data.
Oracle Spatial provides a SQL schema and functionsthat enable you to store, retrieve, update, and querycollections of spatial features in an Oracle database.
See Oracle Spatial Developer's Guide.
Expired and locked
ORACLE_OCM The account used with Oracle Configuration Manager.This feature enables you to associate the configurationinformation for the current Oracle Database instancewith My Oracle Support. Then when you log a servicerequest, it is associated with the database instance
configuration information.
See Oracle Database Installation Guidefor your platform.
Expired and locked
SPATIAL_CSW_ADMIN_USR The Catalog Services for the Web (CSW) account. It isused by Oracle Spatial CSW Cache Manager to load allrecord-type metadata and record instances from thedatabase into the main memory for the record typesthat are cached.
See Oracle Spatial Developer's Guide.
Expired and locked
SPATIAL_WFS_ADMIN_USR The Web Feature Service (WFS) account. It is used byOracle Spatial WFS Cache Manager to load all featuretype metadata and feature instances from the databaseinto main memory for the feature types that are cached.
See Oracle Spatial Developer's Guide.
Expired and locked
XS$NULL An internal account that represents the absence ofdatabase user in a session and the actual session user isan application user supported by Oracle RealApplication Security. XS$NULLhas no privileges anddoes not own any database object. No one canauthenticate as XS$NULL, nor can authenticationcredentials ever be assigned to XS$NULL.
Expired and locked
-
8/13/2019 e17609
32/122
Securing User Accounts
2-14 Oracle Database 2 Day + Security Guide
In addition to the sample schema accounts, Oracle Database provides another sample
schema account, SCOTT. The SCOTTschema contains the tables EMP, DEPT, SALGRADE, andBONUS. The SCOTTaccount is used in examples throughout the Oracle Databasedocumentation set. When you install Oracle Database, the SCOTTaccount is locked andexpired.
Expiring and Locking Database Accounts
When you expire the password of a user, that password no longer exists. If you wantto unexpirethe password, you change the password of that account. Locking anaccount preserves the user password and other account information, but makes theaccount unavailable to anyone who tries to log in to the database using that account.Unlocking it makes the account available again.
Oracle Database 2 Day DBAexplains how you can use Enterprise Manager to unlockdatabase accounts. You also can use Enterprise Manager to expire or lock databaseaccounts.
To expire and lock a database account:
1. Access the Database home page.
See Oracle Database 2 Day DBAfor more information.
2. From the Administrationmenu, select Security, then Users.
If the Database Login page appears, then log in as an administrative user, such asSYSTEM.
The Users page lists the user accounts created for the current database instance.
The Account Status column indicates whether an account is expired, locked, oropen.
3. In the Select column, select the account you want to expire, and then click Edit.
4. In the Edit User page, do one of the following:
To expire a password, click Expire Password now.
To unexpire the password, enter a new password in the Enter PasswordandConfirm Passwordfields. See "Requirements for Creating Passwords"onpage 2-15for password requirements.
Table 26 Default Sample Schema User Accounts
User Account Description Status After Installation
HR The account used to manage the HR(Human Resources) schema. Thisschema stores information about the employees and the facilities ofthe company.
Expired and locked
OE The account used to manage the OE(Order Entry) schema. This
schema stores product inventories and sales of the companysproducts through various channels.
Expired and locked
PM The account used to manage the PM(Product Media) schema. Thisschema contains descriptions and detailed information about eachproduct sold by the company.
Expired and locked
IX The account used to manage the IX(Information Exchange) schema.This schema manages shipping through business-to-business (B2B)applications.
Expired and locked
SH The account used to manage the SH(Sales) schema. This schemastores business statistics to facilitate business decisions.
Expired and locked
-
8/13/2019 e17609
33/122
Securing User Accounts
Securing the Database Installation and Configuration 2-15
To lock the account, select Locked.
5. Click Apply.
Requirements for Creating Passwords
When you create a user account, Oracle Database assigns a default password policy for
that user. The password policy defines rules for how the password should be created,such as a minimum number of characters, when it expires, and so on. You canstrengthen passwords by using password policies.
For greater security, follow these guidelines when you create passwords:
Make the password between 12 and 30 characters and numbers.
Use mixed case letters and special characters in the password. (See Oracle DatabaseSecurity Guidefor more information.)
Use the database character set for the password characters, which can include theunderscore (_), dollar ($), and number sign (#) characters.
Do not use an actual word for the entire password.
Oracle Database Security Guidedescribes more ways that you can further securepasswords.
Finding and Changing Default PasswordsThis section describes how you can find and change default passwords that may havecome from earlier releases of Oracle Database.
This section contains:
About Finding and Changing Default Passwords
Finding and Changing Default Passwords from SQL*Plus
Finding and Changing Default Passwords from Enterprise Manager
About Finding and Changing Default Passwords
When you install Oracle Database, the default database user accounts, includingadministrative accounts, are created without default passwords. Except for theadministrative accounts whose passwords you create during installation (such as userSYS), the default user accounts arrive locked with their passwords expired. If you haveupgraded from a previous release of Oracle Database, you may have databaseaccounts that still have default passwords. These are default accounts that are createdwhen you create a database, such as the HR, OE, and SCOTTaccounts.
See Also:
"Finding and Changing Default Passwords"on page 2-15forinformation about changing user passwords
"Expiring and Locking Database Accounts"on page 2-14forinformation about locking accounts and expiring passwords
"Predefined User Accounts Provided by Oracle Database"onpage 2-10a description of the predefined user accounts that arecreated when you install Oracle Database
Oracle Database Security Guidefor detailed information aboutmanaging passwords
-
8/13/2019 e17609
34/122
Securing User Accounts
2-16 Oracle Database 2 Day + Security Guide
Security is most easily compromised when a default database user account still has adefault password after installation. This is particularly true for the user account SCOTT,which is a well known account that may be vulnerable to intruders. Find accounts thatuse default passwords and then change their passwords.
Finding and Changing Default Passwords from SQL*Plus
You can use SQL*Plus to find and change default passwords.
To find and change default passwords:
1. Log into the database instance with administrative privileges.
sqlplus system
Enter password:password
2. Select from the DBA_USERS_WITH_DEFPWDdata dictionary view.
SELECT * FROM DBA_USERS_WITH_DEFPWD;
The DBA_USERS_WITH_DEFPWDlists the accounts that still have user defaultpasswords. For example:
USERNAME
------------
SCOTT
3. Change the password for the accounts the DBA_USERS_WITH_DEFPWDdata dictionaryview lists.
For example, to change the password for user SCOTT, enter the following:
PASSWORD SCOTT
Changing password for SCOTT
New password:password
Retype new password:password
Password changed
Replacepasswordwith a password that is secure, according to the guidelines listedin "Requirements for Creating Passwords"on page 2-15. For greater security, donot reuse the same password that was used in previous releases of OracleDatabase.
Alternatively, you can use the ALTER USERSQL statement to change the password:
ALTER USER SCOTT IDENTIFIED BYpassword;
Finding and Changing Default Passwords from Enterprise Manager
You can use Enterprise Manager to change a user account passwords (not just thedefault user account passwords) if you have administrative privileges. Individualusers can also use Enterprise Manager to change their own passwords.
To use Enterprise Manager to change the password of a database account:
See Also:
Oracle Database Security Guidefor additional methods ofconfiguring password protection
"Predefined User Accounts Provided by Oracle Database"onpage 2-10
-
8/13/2019 e17609
35/122
Securing User Accounts
Securing the Database Installation and Configuration 2-17
1. Access the Database home page.
See Oracle Database 2 Day DBAfor more information.
2. From the Administrationmenu, select Security, then Users.
If the Database Login page appears, then log in as an administrative user, such asSYS. User SYSmust log in with the SYSDBArole selected.
The Users page lists the user accounts created for the current database instance.The Account Status column indicates whether an account is expired, locked, oropen.
3. In the Select column, select the account you want to change, and then click Edit.
4. In the Edit User page, enter a new password in the Enter Passwordand ConfirmPasswordfields.
5. Click Apply.
Parameters Used to Secure User Accounts
Table 27lists initialization and profile parameters that you can set to better secure
user accounts.
Table 27 Initialization and Profile Parameters Used for User Account Security
Parameter Default Setting Description
SEC_CASE_SENSITIVE_LOGON TRUE Controls case sensitivity in passwords. TRUEenables case sensitivity; FALSEdisables it.
SEC_MAX_FAILED_LOGIN_ATTEMPTS 10 Sets the maximum number of times a user isallowed to fail when connecting to an Oracle CallInterface (OCI) application.
FAILED_LOGIN_ATTEMPTS 10 Sets the maximum times a user login is allowed tofail before locking the account.
Note:You also can set limits on the number of
times an unauthorized user (possibly an intruder)attempts to log in to Oracle Call Interfaceapplications by using the SEC_MAX_FAILED_LOGIN_ATTEMPTSinitialization parameter.
PASSWORD_GRACE_TIME No default setting Sets the number of days that a user has to changehis or her password before it expires.
PASSWORD_LIFE_TIME No default setting Sets the number of days the user can use his orher current password.
PASSWORD_LOCK_TIME No default setting Sets the number of days an account will be lockedafter the specified number of consecutive failedlogin attempts.
PASSWORD_REUSE_MAX No default setting Specifies the number of password changes
required before the current password can bereused.
PASSWORD_REUSE_TIME No default setting Specifies the number of days before which apassword cannot be reused.
Note: You can use most of these parameters to create a user profile.See Oracle Database Security Guidefor more information about userprofile settings.
-
8/13/2019 e17609
36/122
Securing User Accounts
2-18 Oracle Database 2 Day + Security Guide
To modify an initialization parameter, see "Modifying the Value of an InitializationParameter"on page 2-4. For detailed information about initialization parameters, seeOracle Database ReferenceandOracle Database Administrator's Guide.
-
8/13/2019 e17609
37/122
3
Managing User Privileges 3-1
3Managing User Privileges
This chapter contains:
About Privilege Management
When to Grant Privileges to Users
When to Grant Roles to Users
Handling Privileges for the PUBLIC Role
Controlling Access to Applications with Secure Application Roles
Initialization Parameters Used for Privilege Security
About Privilege ManagementYou can control user privileges in the following ways:
Granting and revoking individual privileges.You can grant individualprivileges, for example, the privilege to perform the UPDATESQL statement, toindividual users or to groups of users.
Creating a role and assigning privileges to it.A role is a named group of relatedprivileges that you grant, as a group, to users or other roles.
Creating a secure application role.A secure application role enables you to defineconditions that control when a database role can be enabled. For example, a secureapplication role can check the IP address associated with a user session beforeallowing the session to enable a database role.
When to Grant Privileges to UsersBecause privileges are the rights to perform a specific action, such as updating ordeleting a table, do not provide database users more privileges than are necessary. Foran introduction to managing privileges, see "About User Privileges and Roles" inOracle Database 2 Day DBA. Oracle Database 2 Day DBAalso provides an example ofhow to grant a privilege.
In other words, theprinciple of least privilegeis that users be given only those privilegesthat are actually required to efficiently perform their jobs. To implement this principle,restrict the following as much as possible:
See Also:
Oracle Database Security Guide
Oracle Label Security Administrator's Guide
-
8/13/2019 e17609
38/122
When to Grant Roles to Users
3-2 Oracle Database 2 Day + Security Guide
The number of system and object privileges granted to database users
The number of people who are allowed to make SYS-privileged connections to thedatabase
For example, generally the CREATE ANY TABLEprivilege is not granted to a user whodoes not have database administrator privileges.
You can find excessive system and object privilege grants, even with large numbers ofuser accounts in complex Oracle Database installations, by creating a privilege analysispolicy. A privilege analysis policy finds privilege usage according to a specifiedcondition and then stores the results in data dictionary views.Oracle Database Vault
Administrator's Guidedescribes how to create a privilege analysis policy.
When to Grant Roles to UsersA role is a named group of related privileges that you grant, as a group, to users orother roles. To learn the fundamentals of managing roles, see "Administering Roles" inOracle Database 2 Day DBA. In addition, see "Example: Creating a Role" in OracleDatabase 2 Day DBA.
Roles are useful for quickly and easily granting permissions to users. Although youcan use Oracle Database-defined roles, you have more control and continuity if youcreate your own roles that contain only the privileges pertaining to your requirements.Oracle may change or remove the privileges in an Oracle Database-defined role, as ithas with the CONNECTrole, which now has only the CREATE SESSIONprivilege.Formerly, this role had eight other privileges.
Ensure that the roles you define contain only the privileges required for theresponsibility of a particular job. If your application users do not need all theprivileges encompassed by an existing role, then apply a different set of roles thatsupply just the correct privileges. Alternatively, create and assign a more restrictiverole.
Do not grant powerful privileges, such as the CREATE DATABASE LINKprivilege, to
regular users such as user SCOTT. (Particularly do not grant anypowerful privileges toSCOTT, because this is a well known default user account that may be vulnerable tointruders.) Instead, grant the privilege to a database role, and then grant this role tothe users who must use the privilege. And remember to only grant the minimumprivileges the user needs.
Handling Privileges for the PUBLIC RoleYou should revoke unnecessary privileges and roles from the PUBLICrole. The PUBLICrole is automatically assumed by every database user account. By default, it has noprivileges assigned to it, but it does have grants to many Java objects. You cannot dropthe PUBLICrole, and a manual grant or revoke of this role has no meaning, because the
user account will always assume this role. Because all database user accounts assumethe PUBLICrole, it does not appear in the DBA_ROLESand SESSION_ROLESdatadictionary views.
Because all users have the PUBLICrole, any database user can exercise privileges thatare granted to this role. These privileges include, potentially enabling someone withminimal privileges to access and execute functions that this user would not otherwisebe permitted to access directly.
-
8/13/2019 e17609
39/122
Controlling Access to Applications with Secure Application Roles
Managing User Privileges 3-3
Controlling Access to Applications with Secure Application RolesA secure application role is a role that can be enabled only by an authorized PL/SQLpackage. The PL/SQL package itself reflects the security policies necessary to controlaccess to the application.
This section contains:
About Secure Application Roles
Tutorial: Creating a Secure Application Role
About Secure Application Roles
A secure application role is a role that can be enabled only by an authorized PL/SQLpackage. This package defines one or more security policies that control access to theapplication. Both the role and the package are typically created in the schema of theperson who creates them, which is typically a security administrator. A securityadministrator is a database administrator who is responsible for maintaining thesecurity of the database.
The advantage of using a secure application role is you can create additional layers ofsecurity for application access, in addition to the privileges that were granted to therole itself. Secure application roles strengthen security because passwords are notembedded in application source code or stored in a table. This way, the decisions thedatabase makes are based on the implementation of your security policies. Becausethese definitions are stored in one place, the database, rather than in your applications,you modify this policy once instead of modifying the policy in each application. Nomatter how many users connect to the database, the result is always the same, becausethe policy is bound to the role.
A secure application role has the following components:
The secure application role itself.You create the role using the CREATE ROLEstatement with the IDENTIFIED USINGclause to associate it with the PL/SQLpackage. Then, you grant the role the privileges you typically grant a role.
A PL/SQL package, procedure, or function associated with the secureapplication role.The PL/SQL package sets a condition that either grants the roleor denies the role to the person trying to log in to the database. You must createthe PL/SQL package, procedure, or function using invokers rights, not definersrights. An invokers right procedure executes with the privileges of the current
user, that is, the user who invokes the procedure. This user must be granted theEXECUTEprivilege for the underlying objects that the PL/SQL package accesses.Invokers rights procedures are not bound to a particular schema. They can be runby a variety of users and enable multiple users to manage their own data by usingcentralized application logic. To create the invokers rights package, use theAUTHID CURRENT_USERclause in the declaration section of the procedure code.
The PL/SQL package also must contain a SET ROLEstatement or DBMS_SESSION.SET_ROLEcall to enable (or disable) the role for the user.
See Also:
About Privilege Management
When to Grant Privileges to Users
Initialization Parameters Used for Privilege Security
-
8/13/2019 e17609
40/122
Controlling Access to Applications with Secure Application Roles
3-4 Oracle Database 2 Day + Security Guide
After you create the PL/SQL package, you must grant the appropriate users theEXECUTEprivilege on the package.
A way to execute the PL/SQL package when the user logs on.To execute thePL/SQL package, you must call it directly from the application before the usertries to use the privileges the role grants. You cannot use a logon trigger to executethe PL/SQL package automatically when the user logs on.
When a user logs in to the application, the policies in the package perform the checksas needed. If the user passes the checks, then the role is granted, which enables accessto the application. If the user fails the checks, then the user is prevented from accessingthe application.
Tutorial: Creating a Secure Application Role
This tutorial shows how two employees, Matthew Weiss and Winston Taylor, try togain information from the OE.ORDERStable. Access rights to this table are defined inthe emp_rolesecure application role. Matthew is Winstons manager, so Matthew, asopposed to Winston, will be able to access the information in OE.ORDERS.
In this tutorial:
Step 1: Create User Accounts for This Tutorial
Step 2: Create a Security Administrator Account
Step 3: Create a Lookup View
Step 4: Create the PL/SQL Procedure to Set the Secure Application Role
Step 5: Create the Secure Application Role
Step 6: Grant SELECT for the EMP_ROLE Role to the OE.ORDERS Table
Step 7: Grant the EXECUTE Privilege for the Procedure to Matthew and Winston
Step 8: Test the EMP_ROLE Secure Application Role
Step 9: Optionally, Remove the Components for This Tutorial
Step 1: Create User Accounts for This Tutorial
Matthew and Winston both are sample employees in the HR.EMPLOYEEStable. Thistable provides columns for the manager ID and email address of the employees,among other information. You must create user accounts for these two employees sothat they can later test the secure application role.
To create the user accounts:
1. In Enterprise Manager, access the Database home page.
See Oracle Database 2 Day DBAfor more information.
2. Access your target database and then log in as user SYSTEM.
3. From the Administrationmenu, select Security, then Users.
4. In the Users page, click Create.
5. In the Create User page, enter the following information:
Name:mweiss(to create the user account for Matthew Weiss)
Profile: DEFAULT
Authentication: Password
-
8/13/2019 e17609
41/122
Controlling Access to Applications with Secure Application Roles
Managing User Privileges 3-5
Enter Passwordand Confirm Password: Enter a password that meets therequirements in "Requirements for Creating Passwords"on page 2-15.
Default Tablespace: EXAMPLE
Temporary Tablespace: TEMP
Status: Unlocked
6. Click System Privileges.
7. Click Edit List.
8. In the Modify System Privileges, from the Available System Privileges lists, selectthe CREATE SESSIONprivilege, and then click Moveto move it to the SelectedSystem Privileges list.
9. Click OK.
The Create User page appears, with CREATE SESSIONlisted as the system privilegefor usermweiss.
10. Ensure that the Admin Option for CREATE SESSIONis not selected, and then clickOK.
11. In the Users page, select the selection button for user MWEISSfrom the list ofusers, and then from the Actionslist, select Create Like. Then, click Go.
12. In the Create User page, enter the following information to create the user accountfor Winston, which will be almost identical to the user account for Matthew:
Name:wtaylor
Enter Passwordand Confirm Password: Enter a password that meets therequirements in "Requirements for Creating Passwords"on page 2-15.
You do not need to specify the default and temporary tablespaces, or the CREATESESSIONsystem privilege, for userwtaylorbecause they are already specified.
13. Click OK.
Now both Matthew Weiss and Winston Taylor have user accounts that have identicalprivileges.
Step 2: Create a Security Administrator Account
For greater security, you should apply separation of duty concepts when you assignresponsibilities to the system administrators on your staff. For the tutorials used in thisguide, you will create and use a security administrator account called sec_admin.
To create the sec_admin security administrator account:
1. From the Administrationmenu, select Security, then Users.
If the Database Login page appears, then log in as an administrative user, such as
SYS. User SYSmust log in with the SYSDBArole selected.2. In the Users page, click Create.
3. In the Create User page, enter the following information:
Name: sec_admin
Profile: Default
Authentication: Password
-
8/13/2019 e17609
42/122
Controlling Access to Applications with Secure Application Roles
3-6 Oracle Database 2 Day + Security Guide
Enter Passwordand Confirm Password: Enter a password that meets therequirements in "Requirements for Creating Passwords"on page 2-15.
Default Tablespace: EXAMPLE
Temporary Tablespace: TEMP
Status: UNLOCKED
4. Click