
    Oracle Database 2 Day + Security Guide

    12c Release 1 (12.1)

    E17609-16

    September 2013


    Copyright 2006, 2013, Oracle and/or its affiliates. All rights reserved.

    Primary Author: Patricia Huey

    Contributor: The Oracle Database 12c documentation is dedicated to Mark Townsend, who was an inspiration to all who worked on this release.

    Contributors: Todd Bottger, Naveen Gopal, Peter Knaggs, Rahil Mir, Gopal Mulagund, Paul Needham, Deborah Owens, Sachin Sonawane, Kamal Tbeileh, Mark Townsend, Peter Wahl

    This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited.

    The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing.

    If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, the following notice is applicable:

    U.S. GOVERNMENT END USERS: Oracle programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, delivered to U.S. Government end users are "commercial computer software" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, shall be subject to license terms and license restrictions applicable to the programs. No other rights are granted to the U.S. Government.

    This software or hardware is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerous applications, including applications that may create a risk of personal injury. If you use this software or hardware in dangerous applications, then you shall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure its safe use. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this software or hardware in dangerous applications.

    Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

    Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group.

    This software or hardware and documentation may provide access to or information on content, products, and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services.

    Contents

    Preface
        Audience
        Documentation Accessibility
        Related Documents
        Conventions

    Changes in This Release for Oracle Database 2 Day + Security Guide
        Changes in Oracle Database 12c Release 1 (12.1)

    1 Introduction to Oracle Database Security
        About This Guide
        Before Using This Guide
        What This Guide Is and Is Not
        Common Database Security Tasks
        Tools for Securing Your Database
        Securing Your Database: A Roadmap

    2 Securing the Database Installation and Configuration
        About Securing the Database Installation and Configuration
        Securing Access to the Oracle Database Installation
        Using the Default Security Settings
        Securing the Oracle Data Dictionary
        About the Oracle Data Dictionary
        Enabling Data Dictionary Protection
        Initialization Parameters Used for Installation and Configuration Security
        Modifying the Value of an Initialization Parameter
        Securing the Network
        About Securing the Network
        Protecting Data on the Network by Using Network Encryption
        About Network Encryption
        Configuring Network Encryption
        Initialization Parameters Used for Network Security
        Securing User Accounts
        About Securing Oracle Database User Accounts
        Predefined User Accounts Provided by Oracle Database
        Predefined Administrative Accounts
        Predefined Non-Administrative User Accounts
        Predefined Sample Schema User Accounts
        Expiring and Locking Database Accounts
        Requirements for Creating Passwords
        Finding and Changing Default Passwords
        About Finding and Changing Default Passwords
        Finding and Changing Default Passwords from SQL*Plus
        Finding and Changing Default Passwords from Enterprise Manager
        Parameters Used to Secure User Accounts

    3 Managing User Privileges
        About Privilege Management
        When to Grant Privileges to Users
        When to Grant Roles to Users
        Handling Privileges for the PUBLIC Role
        Controlling Access to Applications with Secure Application Roles
        About Secure Application Roles
        Tutorial: Creating a Secure Application Role
        Step 1: Create User Accounts for This Tutorial
        Step 2: Create a Security Administrator Account
        Step 3: Create a Lookup View
        Step 4: Create the PL/SQL Procedure to Set the Secure Application Role
        Step 5: Create the Secure Application Role
        Step 6: Grant SELECT for the EMP_ROLE Role to the OE.ORDERS Table
        Step 7: Grant the EXECUTE Privilege for the Procedure to Matthew and Winston
        Step 8: Test the EMP_ROLE Secure Application Role
        Step 9: Optionally, Remove the Components for This Tutorial
        Initialization Parameters Used for Privilege Security

    4 Encrypting Data with Oracle Transparent Data Encryption
        About Encrypting Sensitive Data
        When Should You Encrypt Data?
        How Transparent Data Encryption Works
        Configuring Data to Use Transparent Data Encryption
        Step 1: Configure the Keystore Location
        Step 2: Check the COMPATIBLE Initialization Parameter Setting
        Step 3: Create the Software Password-Based Keystore
        Step 4: Open (or Close) the Keystore
        Step 5: Create the Master Encryption Key
        Step 6: Encrypt Data
        Encrypting Individual Table Columns
        Encrypting a Tablespace
        Checking Existing Encrypted Data
        Finding the Type of Keystore That Was Created
        Finding the Keystore Location
        Checking Whether a Keystore Is Open or Closed
        Checking Encrypted Columns of an Individual Table
        Checking All Encrypted Table Columns in the Current Database Instance
        Checking Encrypted Tablespaces in the Current Database Instance

    5 Controlling Access with Oracle Database Vault
        About Oracle Database Vault
        Tutorial: Controlling Administrator Access to a User Schema
        Step 1: Enable Oracle Database Vault
        Step 2: Grant the SELECT Privilege on the OE.CUSTOMERS Table to User SCOTT
        Step 3: Select from the OE.CUSTOMERS Table as Users SYS and SCOTT
        Step 4: Create a Realm to Protect the OE.CUSTOMERS Table
        Step 5: Test the OE Protections Realm
        Step 6: Optionally, Remove the Components for This Tutorial

    6 Restricting Access with Oracle Virtual Private Database
        About Oracle Virtual Private Database
        Tutorial: Limiting Access to Data Based on the Querying User
        Step 1: Create User Accounts for This Tutorial
        Step 2: If Necessary, Create the Security Administrator Account
        Step 3: Update the Security Administrator Account
        Step 4: Create the F_POLICY_ORDERS Policy Function
        Step 5: Create the ACCESSCONTROL_ORDERS Virtual Private Database Policy
        Step 6: Test the ACCESSCONTROL_ORDERS Virtual Private Database Policy
        Step 7: Optionally, Remove the Components for This Tutorial

    7 Limiting Access to Sensitive Data Using Oracle Data Redaction
        About Oracle Data Redaction
        Tutorial: Redacting Data for a Select Group of Users
        Step 1: Create User Accounts and Grant Them the Necessary Privileges
        Step 2: Create and Populate the SALES_OPPS Sales Opportunities Table
        Step 3: Create the SALES_OPPS_POL Oracle Data Redaction Policy
        Step 5: Test the SALES_OPPS_POL Oracle Data Redaction Policy
        Step 6: Optionally, Remove the Components for This Tutorial

    8 Enforcing Row-Level Security with Oracle Label Security
        About Oracle Label Security
        Choosing Between Virtual Private Database, Oracle Label Security, and Data Redaction
        Guidelines for Planning an Oracle Label Security Policy
        Tutorial: Creating Levels of Access to Table Data Based on the User
        Step 1: Enable Oracle Label Security
        Step 2: Enable the LBACSYS Account
        Step 3: Create a Role and Three Users for the Oracle Label Security Tutorial
        Step 4: Create the ACCESS_LOCATIONS Oracle Label Security Policy
        Step 5: Define the ACCESS_LOCATIONS Policy-Level Components
        Step 6: Create the ACCESS_LOCATIONS Policy Data Labels
        Step 7: Create the ACCESS_LOCATIONS Policy User Authorizations
        Step 8: Apply the ACCESS_LOCATIONS Policy to the HR.LOCATIONS Table
        Step 9: Add the ACCESS_LOCATIONS Labels to the HR.LOCATIONS Data
        Step 10: Test the ACCESS_LOCATIONS Policy
        Step 11: Optionally, Remove the Components for This Tutorial

    9 Auditing Database Activity
        About Auditing
        Why Is Auditing Used?
        Tutorial: Creating a Unified Audit Policy
        Step 1: If Necessary, Enable Unified Auditing
        Step 2: Grant the SEC_ADMIN User the AUDIT_ADMIN Role
        Step 3: Create and Enable a Unified Audit Policy
        Step 4: Test the Unified Audit Policy
        Step 5: Optionally, Remove the Components for This Tutorial
        Step 6: Optionally, Remove the SEC_ADMIN Security Administrator Account

    Index

    List of Tables

        2-1 Default Security Settings for Initialization and Profile Parameters
        2-2 Initialization Parameters Used for Installation and Configuration Security
        2-3 Initialization Parameters Used for Network Security
        2-4 Predefined Oracle Database Administrative User Accounts
        2-5 Predefined Oracle Database Non-Administrative User Accounts
        2-6 Default Sample Schema User Accounts
        2-7 Initialization and Profile Parameters Used for User Account Security
        3-1 Initialization Parameters Used for Privilege Security
        4-1 Data Dictionary Views for Encrypted Tablespaces
        8-1 Comparing Virtual Private Database, Label Security, and Data Redaction

    Preface

    Welcome to Oracle Database 2 Day + Security Guide. This guide is for anyone who wants to perform common day-to-day security tasks with Oracle Database.

    This preface contains:

    Audience

    Documentation Accessibility

    Related Documents

    Conventions

    Audience

    Oracle Database 2 Day + Security Guide expands on the security knowledge that you learned in Oracle Database 2 Day DBA to manage security in Oracle Database. The information in this guide applies to all platforms. For platform-specific information, see the installation guide, configuration guide, and platform guide for your platform.

    This guide is intended for the following users:

    Oracle database administrators who want to acquire database security administrative skills

    Database administrators who have some security administrative knowledge but are new to Oracle Database

    This guide is not an exhaustive discussion about security. For detailed information about security, see the Oracle Database Security documentation set. This guide does not provide information about security for Oracle E-Business Suite applications. For information about security in the Oracle E-Business Suite applications, see the documentation for those products.

    Documentation Accessibility

    For information about Oracle's commitment to accessibility, visit the Oracle Accessibility Program website at http://www.oracle.com/pls/topic/lookup?ctx=acc&id=docacc.

    Access to Oracle Support

    Oracle customers have access to electronic support through My Oracle Support. For information, visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=info or visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=trs if you are hearing impaired.

    Related Documents

    For more information, use the following resources:

    Oracle Database Documentation

    For more security-related information, see the following documents in the Oracle Database documentation set:

    Oracle Database 2 Day DBA

    Oracle Database Administrator's Guide

    Oracle Database Security Guide

    Oracle Database Concepts

    Oracle Database Reference

    Oracle Database Vault Administrator's Guide

    Many of the examples in this guide use the sample schemas of the seed database, which is installed by default when you install Oracle. See Oracle Database Sample Schemas for information about how these schemas were created and how you can use them.

    Oracle Technology Network (OTN)

    You can download free release notes, installation documentation, updated versions of this guide, white papers, or other collateral from the Oracle Technology Network (OTN). Visit

    http://www.oracle.com/technetwork/index.html

    For security-specific information on OTN, visit

    http://www.oracle.com/technetwork/topics/security/whatsnew/index.html

    For the latest version of the Oracle documentation, including this guide, visit

    http://www.oracle.com/technetwork/documentation/index.html

    My Oracle Support (formerly OracleMetaLink)

    You can find information about security patches, certifications, and the support knowledge base by visiting My Oracle Support at

    https://support.oracle.com

    Conventions

    The following text conventions are used in this document:

    Convention    Meaning

    boldface      Boldface type indicates graphical user interface elements associated with an action, or terms defined in text or the glossary.

    italic        Italic type indicates book titles, emphasis, or placeholder variables for which you supply particular values.

    monospace     Monospace type indicates commands within a paragraph, URLs, code in examples, text that appears on the screen, or text that you enter.

    Changes in This Release for Oracle Database 2 Day + Security Guide

    This preface contains:

    Changes in Oracle Database 12c Release 1 (12.1)

    Changes in Oracle Database 12c Release 1 (12.1)

    The following are changes in Oracle Database 2 Day + Security Guide for Oracle Database 12c Release 1 (12.1):

    New Features

    Deprecated Feature

    Desupported Features

    Other Changes

    New Features

    The following features are new in this release:

    Key Management for Transparent Data Encryption and Other Database Components

    Oracle Database Vault Enhancements

    Oracle Data Redaction for Limiting Access to Sensitive Data

    Easier and Quicker Way to Enable and Disable Oracle Label Security

    Auditing Enhancements

    Key Management for Transparent Data Encryption and Other Database Components

    Oracle Database 12c Release 1 (12.1) introduces a unified key management infrastructure for Transparent Data Encryption (TDE) and other database components. This eases key administration tasks, provides for better compliance and tracking, and also leads to better separation of duty between the database administrator and security administrator. For better security and separation of duty, users who are responsible for configuring TDE must have the SYSKM system privilege.

    See Chapter 4, "Encrypting Data with Oracle Transparent Data Encryption."

    Oracle Database Vault Enhancements

    Easier and quicker way to enable Database Vault.

    Full inclusion of Database Vault functionality in the Enterprise Manager Cloud Control pages. This feature replaces the Database Vault Administrator utility that was used in previous releases.

    See Chapter 5, "Controlling Access with Oracle Database Vault."

    Oracle Data Redaction for Limiting Access to Sensitive Data

    Oracle Data Redaction disguises (redacts) data from low-privileged users or applications. For example, you can redact the credit card number 5105 1051 0510 5100 to appear as 5105 **** **** ****. The redaction occurs in real time, when the user accesses the data, and it preserves the back-end referential integrity and constraints for the data. In addition to a partial redaction (as shown with the credit card example here), you can replace the entire data set with a fixed value or with randomized values. You also can easily apply Oracle Data Redaction policies throughout the databases in your enterprise.

    See Chapter 7, "Limiting Access to Sensitive Data Using Oracle Data Redaction."

    Easier and Quicker Way to Enable and Disable Oracle Label Security

    See Chapter 8, "Enforcing Row-Level Security with Oracle Label Security."

    Auditing Enhancements

    Unified audit trail, which encompasses audit events from the default database installation, Oracle Database Vault, Oracle Label Security, Oracle Database Real Application Security, Oracle Recovery Manager, Oracle Data Pump, and Oracle SQL*Loader Direct Load Path. These events are available in a uniform format in a set of data dictionary views.

    Faster audit performance

    Ability to create named unified audit policies. The audit configuration is simplified by grouping a set of actions to be audited on specific conditions as named policies that you can enable and disable as needed. These policies define a set of events to be captured.

    New roles, AUDIT_ADMIN and AUDIT_VIEWER, for better security and separation of duty. (This guide only discusses the AUDIT_ADMIN role.)

    See Chapter 9, "Auditing Database Activity."

    Deprecated Feature

    Database Vault Administrator (DVA) has been deprecated. Its functionality is now part of the Oracle Enterprise Manager Cloud Control interface.

    Desupported Features

    Oracle Enterprise Manager Database Control is no longer supported by Oracle. See Oracle Database Upgrade Guide for a complete list of desupported features in this release.

    Other Changes

    This section contains:

    Oracle Enterprise Manager Cloud Control (Cloud Control) Graphical User Interface

    Oracle Enterprise Manager Cloud Control (Cloud Control) Graphical User Interface

    In previous releases of Oracle Database, you used Oracle Enterprise Manager Database Control (Database Control) to administer database security from a graphical user interface. In this release, you can use the Cloud Control graphical user interface. Cloud Control provides more functionality than Database Control.

    You must install Cloud Control separately from Oracle Database.

    See Also: Oracle Enterprise Manager Cloud Control Basic Installation Guide for information about installing Cloud Control

    1 Introduction to Oracle Database Security

    This chapter contains:

    About This Guide

    Common Database Security Tasks

    Tools for Securing Your Database

    Securing Your Database: A Roadmap

    About This Guide

    Oracle Database 2 Day + Security Guide teaches you how to perform day-to-day database security tasks. Its goal is to help you understand the concepts behind Oracle Database security. You will learn how to perform common security tasks needed to secure your database. The knowledge you gain from completing the tasks in Oracle Database 2 Day + Security Guide helps you to better secure your data and to meet common regulatory compliance requirements, such as the Sarbanes-Oxley Act.

    The primary administrative interface used in this guide is Oracle Enterprise Manager, featuring all the self-management capabilities introduced in Oracle Database.

    This section contains the following topics:

    Before Using This Guide

    What This Guide Is and Is Not

    Before Using This Guide

    Before using this guide:

    Complete Oracle Database 2 Day DBA

    Obtain the necessary products and tools described in "Tools for Securing Your Database" on page 1-2

    What This Guide Is and Is Not

    Oracle Database 2 Day + Security Guide is task oriented. The objective of this guide is to describe why and when you must perform security tasks.

    Where appropriate, this guide describes the concepts and steps necessary to understand and complete a task. This guide is not an exhaustive discussion of all Oracle Database concepts. For this type of information, see Oracle Database Concepts.


    Where appropriate, this guide describes the necessary Oracle Database administrative steps to complete security tasks. This guide does not describe basic Oracle Database administrative tasks. For this type of information, see Oracle Database 2 Day DBA. Additionally, for a complete discussion of administrative tasks, see Oracle Database Administrator's Guide.

    In addition, this guide is not an exhaustive discussion of all Oracle Database security features and does not describe available APIs that provide equivalent command line functionality to the tools used in this guide. For this type of information, see Oracle Database Security Guide.

    Common Database Security Tasks

    As a database administrator for Oracle Database, you should be involved in the following security-related tasks:

    Ensuring that the database installation and configuration is secure

    Managing the security aspects of user accounts: developing secure password policies, creating and assigning roles, restricting data access to only the appropriate users, and so on

    Ensuring that network connections are secure

    Encrypting sensitive data

    Ensuring the database has no security vulnerabilities and is protected against intruders

    Deciding what database components to audit and how granular you want this auditing to be

    Downloading and installing security patches

    In a small to midsize database environment, you might perform these tasks as well as all database administrator-related tasks, such as installing Oracle software, creating databases, monitoring performance, and so on. In large, enterprise environments, the job is often divided among several database administrators, each with their own specialty, such as database security or database tuning.

    Tools for Securing Your Database

    To achieve the goals of securing your database, you need the following products, tools, and utilities:

    Oracle Database 12c Enterprise Edition

    Oracle Database 12c Enterprise Edition provides enterprise-class performance, scalability, and reliability on clustered and single-server configurations. It includes many security features that are used in this guide.

    Oracle Enterprise Manager

    Oracle Enterprise Manager is a Web application that you can use to perform database administrative tasks for a single database instance or a clustered database. It enables you to manage multiple Oracle databases from one location. This guide explains how to use Enterprise Manager to perform database administrative tasks.

    SQL*Plus


    SQL*Plus is a development environment that you can use to create and run SQL and PL/SQL code. It is part of the Oracle Database 12c Release 1 (12.1) installation.

    Database Configuration Assistant (DBCA)

    Database Configuration Assistant enables you to perform general database tasks, such as creating, configuring, or deleting databases. In this guide, you use DBCA to enable default auditing.

    Oracle Net Manager

    Oracle Net Manager enables you to perform network-related tasks for Oracle Database. In this guide, you use Oracle Net Manager to configure network encryption.

    Securing Your Database: A Roadmap

    To learn the fundamentals of securing an Oracle database, follow these steps:

    1. Secure your Oracle Database installation and configuration.

    Complete the tasks in Chapter 2, "Securing the Database Installation and Configuration" to secure access to an Oracle Database installation.

    2. Understand how privileges work.

    Complete the tasks in Chapter 3, "Managing User Privileges". You learn about the following:

    How privileges work

    Why you must be careful about granting privileges

    How database roles work

    How to create secure application roles

    3. Encrypt data as it travels across the network.

    Complete the tasks in Chapter 4, "Encrypting Data with Oracle Transparent Data Encryption" to learn how to secure client connections and to configure network encryption.

    4. Control system administrative access to sensitive data with Oracle Database Vault.

    Complete the tasks in Chapter 5, "Controlling Access with Oracle Database Vault."

    5. Restrict the display of data with Oracle Virtual Private Database.

    Complete the tasks in Chapter 6, "Restricting Access with Oracle Virtual Private Database."

    6. Control the display of data in real time by using data redaction.

    Complete the tasks in Chapter 7, "Limiting Access to Sensitive Data Using Oracle Data Redaction."

    7. Enforce row-level security with Oracle Label Security.

    Chapter 8, "Enforcing Row-Level Security with Oracle Label Security."

    8. Configure auditing so that you can monitor the database activities.

    Complete the tasks in Chapter 9, "Auditing Database Activity" to learn about standard auditing.


    2 Securing the Database Installation and Configuration

    This chapter contains:

    About Securing the Database Installation and Configuration

    Securing Access to the Oracle Database Installation

    Securing the Network

    Securing User Accounts

    About Securing the Database Installation and Configuration

    After you install Oracle Database, you should secure the database installation and configuration. This section describes commonly used ways to do this, all of which involve restricting permissions to specific areas of the database files.

    Oracle Database is available on several operating systems. Consult the following guides for detailed platform-specific information about Oracle Database:

    Oracle Database Platform Guide for Microsoft Windows

    Oracle Database Administrator's Reference for Linux and UNIX-Based Operating Systems

    Oracle Database Installation Guide for your platform

    Securing Access to the Oracle Database Installation

    This section contains:

    Using the Default Security Settings

    Securing the Oracle Data Dictionary

    Initialization Parameters Used for Installation and Configuration Security

    See Also:

    Oracle Database Security Guide for detailed information about security

    Oracle Database Security Guide for important security guidelines


    Auditing information, such as who has accessed or updated various schema objects

    Other general database information

    The data dictionary tables and views for a given database are stored in the SYSTEM tablespace for that database. All the data dictionary tables and views for a given database are owned by the user SYS. Connecting to the database with the SYSDBA administrative privilege gives full access to the data dictionary. Oracle strongly recommends limiting access to the SYSDBA administrative privilege to only those operations necessary such as patching and other administrative operations. The data dictionary is central to every Oracle database.

    You can view the contents of the data dictionary by querying data dictionary views, which are described in Oracle Database Reference. Be aware that not all objects in the data dictionary are exposed to users. A subset of data dictionary objects, such as those beginning with USER_, are exposed as read only to all database users.

    Example 2-1 shows how you can find a list of database views specific to the data dictionary by querying the DICTIONARY view.

    Example 2-1 Finding Views That Pertain to the Data Dictionary

    sqlplus system

    Enter password: password

    SQL> SELECT TABLE_NAME FROM DICTIONARY;

    Enabling Data Dictionary Protection

    You can protect the data dictionary by setting the O7_DICTIONARY_ACCESSIBILITY initialization parameter to FALSE. This parameter prevents users who have the ANY system privilege from using those privileges on the data dictionary, that is, on objects in the SYS schema.

    Oracle Database provides highly granular privileges. One such privilege, commonly referred to as the ANY privilege, should typically be granted to only application owners and individual database administrators. For example, you could grant the DROP ANY TABLE privilege to an application owner. You can protect the Oracle data dictionary from accidental or malicious use of the ANY privilege by turning on or off the O7_DICTIONARY_ACCESSIBILITY initialization parameter.

    To enable data dictionary protection:

    1. Access the Database home page.

    See Oracle Database 2 Day DBA for more information.

    2. From the Administration menu, select Initialization Parameters.

    If the Database Login page appears, then log in as SYS with the SYSDBA role selected.

    3. In the Initialization Parameters page, from the list, search for O7_DICTIONARY_ACCESSIBILITY.

    In the Name field, enter O7_ (the letter O), and then click Go. You can enter the first few characters of a parameter name. In this case, O7_ displays the O7_DICTIONARY_ACCESSIBILITY parameter.

    4. Set the value for O7_DICTIONARY_ACCESSIBILITY to FALSE.

    5. Click Apply.


    6. Restart the Oracle Database instance.

    sqlplus sys as sysdba

    Enter password: password

    SQL> SHUTDOWN IMMEDIATE

    SQL> STARTUP
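
    The same protection can be checked and applied from SQL*Plus. The statements below are an added example, not part of the Oracle guide; they assume a session connected AS SYSDBA, an instance started from a server parameter file, and a 12c data dictionary in which DBA_USERS and DBA_ROLES carry the ORACLE_MAINTAINED column.

```sql
-- Added example (not from the guide). Run as SYS AS SYSDBA in SQL*Plus.

-- 1. Current value of the parameter. ISSYS_MODIFIABLE shows whether a change
--    can take effect in the running instance or only after a restart.
SELECT name, value, isdefault, issys_modifiable
  FROM v$parameter
 WHERE UPPER(name) = 'O7_DICTIONARY_ACCESSIBILITY';

-- 2. Which accounts and roles hold ANY system privileges?
--    The pattern also matches SELECT ANY DICTIONARY, the privilege that
--    still reaches the SYS schema when the parameter is FALSE.
--    Oracle-maintained users and roles are filtered out, so what remains
--    is the set of grants made at your site and worth reviewing.
SELECT p.grantee, p.privilege, p.admin_option
  FROM dba_sys_privs p
 WHERE p.privilege LIKE '% ANY %'
   AND p.grantee NOT IN (SELECT username
                           FROM dba_users
                          WHERE oracle_maintained = 'Y')
   AND p.grantee NOT IN (SELECT role
                           FROM dba_roles
                          WHERE oracle_maintained = 'Y')
 ORDER BY p.grantee, p.privilege;

-- 3. Record FALSE in the server parameter file. SCOPE = SPFILE is used
--    because the guide's procedure applies the value with an instance
--    restart (SHUTDOWN IMMEDIATE, then STARTUP).
ALTER SYSTEM SET O7_DICTIONARY_ACCESSIBILITY = FALSE SCOPE = SPFILE;
```

    After the restart, rerun the first query to confirm the value the instance is actually using.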

    Initialization Parameters Used for Installation and Configuration Security

    Table 2-2 lists initialization parameters that you can set to better secure your Oracle Database installation and configuration.

    Modifying the Value of an Initialization Parameter

    This section explains how to use Enterprise Manager to modify the value of an initialization parameter. To find detailed information about the initialization parameters available, see Oracle Database Reference.

    To modify the value of an initialization parameter:

    1. Access the Database home page.

    See Oracle Database 2 Day DBA for more information.

    2. From the Administration menu, select Initialization Parameters.

    Note:

    In a default installation, the O7_DICTIONARY_ACCESSIBILITY parameter is set to FALSE.

    The SELECT ANY DICTIONARY privilege is not included in the GRANT ALL PRIVILEGES statement, but you can grant it through a role. Roles are described in "When to Grant Roles to Users" on page 3-2 and Oracle Database Security Guide.

    Table 2-2 Initialization Parameters Used for Installation and Configuration Security

    Initialization Parameter, Default Setting, Description

    SEC_RETURN_SERVER_RELEASE_BANNER FALSE Controls the display of the product version information, such as the release number, in a client connection. An intruder could use the database release number to find information about security vulnerabilities that may be present in the database software. You can enable or disable the detailed product version display by setting this parameter.

    See Oracle Database Security Guide for more information about this and similar parameters. Oracle Database Reference describes this parameter in detail.

    O7_DICTIONARY_ACCESSIBILITY FALSE Controls restrictions on SYSTEM privileges. See "Enabling Data Dictionary Protection" on page 2-3 for more information about this parameter. Oracle Database Reference describes this parameter in detail.

    See Also: Oracle Database Reference for more information about initialization parameters


    About Network Encryption

    Network encryption refers to encrypting data as it travels across the network between the client and server. The reason you should encrypt data at the network level, and not just the database level, is because data can be exposed on the network level. For example, an intruder can use a network packet sniffer to capture information as it travels on the network, and then spool it to a file for malicious use. Encrypting data on the network prevents this sort of activity.

    To encrypt data on the network, you need the following components:

    An encryption seed. The encryption seed is a random string of up to 256 characters. It generates the cryptographic keys that encrypt data as it travels across the network.

    An encryption algorithm. You can specify any of the supported algorithm types: AES, RC4, DES, or 3DES.

    Whether the settings apply to a client or server. You must configure the server and each client to which it connects.

    How the client or server should process the encrypted data. The settings you select (you have four options) must complement both server and client.

    A mechanism for configuring the encryption. You can use Oracle Net Manager to configure the encryption. Alternatively, you can edit the sqlnet.ora configuration file. Both Oracle Net Manager and the sqlnet.ora file are available in a default Oracle Database installation.

    Configuring Network Encryption

    You can configure network encryption by using either Oracle Net Manager or by editing the sqlnet.ora file. This guide explains how to use Oracle Net Manager to configure network encryption.

    To configure network encryption:

    1. On the server computer, start Oracle Net Manager.

    UNIX: From $ORACLE_HOME/bin, enter the following at the command line:

    netmgr

    Windows: From the Start menu, click All Programs. Then, click Oracle - HOME_NAME, Configuration and Migration Tools, and then Net Manager.

    2. From the Oracle Net Configuration navigation tree, expand Local, and then select Profile.

    3. From the list, select Network Security.


    4. Under Network Security, select the Encryption tab.

    The Encryption settings pane appears.

    5. Enter the following settings:

    Encryption: From the list, select SERVER to configure the network encryption for the server. (For the client computer, you select CLIENT.)

    Encryption Type: Select from the following values to specify the actions of the server (or client) when negotiating encryption and integrity:

    accepted: Service will be active if the other side of the connection specifies either required or requested, and there is a compatible algorithm available on the receiving database; it will otherwise be inactive.

    rejected: Service must not be active, and the connection will fail if the other side requires any of the methods in this list.

    requested: Service will be active if the other side of the connection specifies either accepted, required, or requested, and there is a compatible algorithm available on the other side. Otherwise, the service is inactive.

    required: Service must be active, and the connection will fail if the other side specifies rejected, or if there is no compatible algorithm on the other side.

    Encryption Seed: Enter a random string of up to 256 characters. Oracle Database uses the encryption seed to generate cryptographic keys. This is required when either encryption or integrity is enabled.

    If you choose to use special characters such as a comma [,] or a right parenthesis [)] as a part of the Encryption Seed parameter, enclose the value within single quotation marks.

    Available Methods: Select one or more of the following algorithms, and use the move button (>) to move them to the Selected Methods list. The order in which they appear in the Selected Methods list determines the preferred order for negotiation. That is, the first algorithm listed is selected first, and so on.


    AES256: Advanced Encryption Standard (AES). AES was approved by the National Institute of Standards and Technology (NIST) to replace Data Encryption Standard (DES). AES256 enables you to encrypt a block size of 256 bits.

    RC4_256: Rivest Cipher 4 (RC4), which is the most commonly used stream cipher that protects protocols such as Secure Sockets Layer (SSL). RC4_256 enables you to encrypt up to 256 bits of data.

    AES192: Enables you to use AES to encrypt a block size of 192 bits.

    3DES168: Triple Data Encryption Standard (TDES) with a three-key option. 3DES168 enables you to encrypt up to 168 bits of data.

    AES128: Enables you to use AES to encrypt a block size of 128 bits.

    RC4_128: Enables you to use RC4 to encrypt up to 128 bits of data.

    3DES112: Enables you to use Triple DES with a two-key (112 bit) option.

    DES: Data Encryption Standard (DES) 56-bit key. Note that National Institute of Standards and Technology (NIST) no longer recommends DES.

    RC4_40: Enables you to use RC4 to encrypt up to 40 bits of data. (Not recommended.)

    DES40: Enables you to use DES to encrypt up to 40 bits of data. (Not recommended.)

    6. From the File menu, select Save Network Configuration, and then select Exit to exit Oracle Net Manager.

    7. Repeat these steps for each client computer that connects to the server.
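
    Because the accepted and requested settings let a connection proceed with the service inactive when the other side does not cooperate, it is worth confirming which live sessions were actually encrypted. The query below is an added example, not part of the Oracle guide; the banner wording it matches is an assumption based on common releases, so compare it with the banners your own database reports.

```sql
-- Added example (not from the guide). Needs SELECT access to V$SESSION and
-- V$SESSION_CONNECT_INFO, for example from a DBA account.

-- V$SESSION_CONNECT_INFO holds one row per network service banner for each
-- session. When encryption was negotiated, one of those banners names the
-- algorithm, in the form "<algorithm> Encryption service adapter ...".
-- Capitalisation and prefixes differ between releases, hence LOWER().
SELECT s.sid,
       s.username,
       s.machine,
       NVL(MAX(CASE
                 WHEN LOWER(c.network_service_banner)
                      LIKE '%encryption service adapter%'
                 THEN c.network_service_banner
               END),
           'no encryption adapter negotiated') AS encryption_banner
  FROM v$session s
  JOIN v$session_connect_info c
    ON c.sid     = s.sid
   AND c.serial# = s.serial#
 WHERE s.type = 'USER'            -- skip background processes
 GROUP BY s.sid, s.username, s.machine
 ORDER BY encryption_banner, s.username;

-- Summary: how many user sessions fall on each side.
SELECT encrypted, COUNT(*) AS sessions
  FROM (SELECT s.sid,
               MAX(CASE
                     WHEN LOWER(c.network_service_banner)
                          LIKE '%encryption service adapter%'
                     THEN 'YES' ELSE 'NO'
                   END) AS encrypted
          FROM v$session s
          JOIN v$session_connect_info c
            ON c.sid     = s.sid
           AND c.serial# = s.serial#
         WHERE s.type = 'USER'
         GROUP BY s.sid)
 GROUP BY encrypted;
```

    Sessions that appear without an encryption adapter point to a client that has not yet been configured in step 7, or to a server setting that permits unencrypted connections.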

    Initialization Parameters Used for Network Security

    Table 2-3 lists initialization parameters that you can set to better secure user accounts.

    See Also:

    Oracle Database Net Services Reference for information about editing the sqlnet.ora file parameters to configure network encryption

    Table 2-3 Initialization Parameters Used for Network Security

    Initialization Parameter, Default Setting, Description

    OS_AUTHENT_PREFIX OPS$ Specifies a prefix that Oracle Database uses to identify users attempting to connect to the database. Oracle Database concatenates the value of this parameter to the beginning of the user operating system account name and password. When a user attempts a connection request, Oracle Database compares the prefixed username with user names in the database.

    REMOTE_LISTENER No default setting Specifies a network name that resolves to an address or address list of Oracle Net remote listeners (that is, listeners that are not running on the same computer as this instance). The address or address list is specified in the tnsnames.ora file or other address repository as configured for your system.

    REMOTE_OS_AUTHENT FALSE Specifies whether remote clients will be authenticated with the value of the OS_AUTHENT_PREFIX parameter.

    REMOTE_OS_ROLES FALSE Specifies whether operating system roles are allowed for remote clients. The default value, FALSE, causes Oracle Database to identify and manage roles for remote clients.


    To modify an initialization parameter, see "Modifying the Value of an Initialization Parameter" on page 2-4. For detailed information about initialization parameters, see Oracle Database Reference and Oracle Database Administrator's Guide.

    Securing User Accounts

    This section contains:

    About Securing Oracle Database User Accounts

    Predefined User Accounts Provided by Oracle Database

    Requirements for Creating Passwords

    Finding and Changing Default Passwords

    Parameters Used to Secure User Accounts

    About Securing Oracle Database User Accounts

    You can use many methods to secure both common and local database user accounts. For example, Oracle Database has a set of built-in protections for passwords. This section explains how you can safeguard default database accounts and passwords, and describes ways to manage database accounts.

    Oracle Database 2 Day DBA describes the fundamentals of creating and administering user accounts, including how to manage user roles, what the administrative accounts are, and how to use profiles to establish a password policy.

    After you create user accounts, you can use the procedures in this section to further secure these accounts by following these methods:

    Safeguarding predefined database accounts. When you install Oracle Database, it creates a set of predefined accounts. You should secure these accounts as soon as possible by changing their passwords. You can use the same method to change all passwords, whether they are with regular user accounts, administrative accounts, or predefined accounts. This guide also provides guidelines on how to create the most secure passwords.

    Managing database accounts. You can expire and lock database accounts.

    Managing passwords. You can manage and protect passwords by setting initialization parameters. Oracle Database Reference describes the initialization parameters in detail.

    See Also:

    Oracle Database Security Guide for detailed information about securing user accounts

    Oracle Database Security Guide for important guidelines on securing user accounts

    See Also:

    Oracle Database Security Guide for detailed information about managing user accounts and authentication

    "Predefined User Accounts Provided by Oracle Database" on page 2-10 for a description of the predefined user accounts that are created when you install Oracle Database


    Predefined User Accounts Provided by Oracle Database

    When you install Oracle Database, the installation process creates a set of predefined accounts in the database. These accounts are in the following categories:

    Predefined Administrative Accounts

    Predefined Non-Administrative User Accounts

    Predefined Sample Schema User Accounts

    Predefined Administrative Accounts

    A default Oracle Database installation provides a set of predefined administrative accounts. These are accounts that have special privileges required to administer areas of the database, such as the CREATE ANY TABLE or ALTER SESSION privilege, or EXECUTE privileges on packages owned by the SYS schema. The default tablespace for administrative accounts is either SYSTEM or SYSAUX. In a multitenant environment, the predefined administrative accounts reside in the root database.

    To protect these accounts from unauthorized access, the installation process expires and locks most of these accounts, except where noted in Table 2-4. As the database administrator, you are responsible for unlocking and resetting these accounts, as described in "Expiring and Locking Database Accounts" on page 2-14.

    Table 2-4 lists the administrative user accounts provided by Oracle Database.

    Table 2-4 Predefined Oracle Database Administrative User Accounts

    User Account, Description, Status After Installation

    ANONYMOUS An account that allows HTTP access to Oracle XML DB. It is used in place of the APEX_PUBLIC_USER account when the Embedded PL/SQL Gateway (EPG) is installed in the database.

    EPG is a Web server that can be used with Oracle Database. It provides the necessary infrastructure to create dynamic applications.

    Expired and locked

    AUDSYS The internal account used by the unified audit feature to store unified audit trail records.

    See Oracle Database Security Guide.

    Expired and locked

    CTXSYS The account used to administer Oracle Text. Oracle Text enables you to build text query applications and document classification applications. It provides indexing, word and theme searching, and viewing capabilities for text.

    See Oracle Text Application Developer's Guide.

    Expired and locked

    DBSNMP The account used by the Management Agent component of Oracle Enterprise Manager to monitor and manage the database.

    See Oracle Enterprise Manager Grid Control Installation and Basic Configuration.

    Open

    Password is created at installation or database creation time.

    LBACSYS The account used to administer Oracle Label Security (OLS). It is created only when you install the Label Security custom option.

    See Chapter 8, "Enforcing Row-Level Security with Oracle Label Security," and Oracle Label Security Administrator's Guide.

    Expired and locked


    MDSYS The Oracle Spatial and Oracle Multimedia Locator administrator account.

    See Oracle Spatial Developer's Guide.

    Expired and locked

    OLAPSYS The account that owns the OLAP Catalog (CWMLite).

    This account has been deprecated, but is retained for backward compatibility.

    Expired and locked

    ORDDATA This account contains the Oracle Multimedia DICOM data model. See Oracle Multimedia DICOM Developer's Guide for more information.

    Expired and locked

    ORDPLUGINS The Oracle Multimedia user. Plug-ins supplied by Oracle and third-party format plug-ins are installed in this schema.

    Oracle Multimedia enables Oracle Database to store, manage, and retrieve images, audio, video, DICOM format medical images and other objects, or other heterogeneous media data integrated with other enterprise information.

    See Oracle Multimedia User's Guide and Oracle Multimedia Reference.

    Expired and locked

    ORDSYS The Oracle Multimedia administrator account.

    See Oracle Multimedia User's Guide, Oracle Multimedia Reference, and Oracle Multimedia DICOM Developer's Guide.

    Expired and locked

    SI_INFORMTN_SCHEMA The account that stores the information views for the SQL/MM Still Image Standard.

    See Oracle Multimedia User's Guide and Oracle Multimedia Reference.

    Expired and locked

    SYS An account used to perform database administration tasks.

    See Oracle Database 2 Day DBA.

    Open

    Password is created at installation or database creation time.

    SYSBACKUP The account used to perform Oracle Recovery Manager recovery and backup operations.

    See Oracle Database Backup and Recovery User's Guide.

    Expired and locked

    SYSDG The account used to perform Oracle Data Guard operations.

    See Oracle Data Guard Concepts and Administration.

    Expired and locked

    SYSKM The account used to manage Transparent Data Encryption.

    See Oracle Database Advanced Security Administrator's Guide.

    Expired and locked

    SYSTEM A default generic database administrator account for Oracle databases.

    For production systems, Oracle recommends creating individual database administrator accounts and not using the generic SYSTEM account for database administration operations.

    See Oracle Database 2 Day DBA.

    Open

    Password is created at installation or database creation time.

    WMSYS The account used to store the metadata information for Oracle Workspace Manager.

    See Oracle Database Workspace Manager Developer's Guide.

    Expired and locked

    XDB The account used for storing Oracle XML DB data and metadata. For better security, never unlock the XDB user account.

    Oracle XML DB provides high-performance XML storage and retrieval for Oracle Database data.

    See Oracle XML DB Developer's Guide.

    Expired and locked

    Note: If you create an Oracle Automatic Storage Management (Oracle ASM) instance, then the ASMSNMP account is created. Oracle Enterprise Manager uses this account to monitor ASM instances to retrieve data from ASM-related data dictionary views. The ASMSNMP account status is set to OPEN upon creation, and it is granted the SYSDBA administrative privilege. For more information, see Oracle Automatic Storage Management Administrator's Guide.

    Predefined Non-Administrative User Accounts

    Table 2-5 lists default non-administrative user accounts that are created when you install Oracle Database. Non-administrative user accounts only have the minimum privileges needed to perform their jobs. Their default tablespace is USERS. In a multitenant environment, the predefined non-administrative accounts reside in the root database.

    To protect these accounts from unauthorized access, the installation process locks and expires these accounts immediately after installation, except where noted in Table 2-5. As the database administrator, you are responsible for unlocking and resetting these accounts, as described in "Expiring and Locking Database Accounts" on page 2-14.

    Table 2-5 Predefined Oracle Database Non-Administrative User Accounts

    User Account, Description, Status After Installation

    DIP The Oracle Directory Integration and Provisioning (DIP) account that is installed with Oracle Label Security. This profile is created automatically as part of the installation process for Oracle Internet Directory-enabled Oracle Label Security.

    See Oracle Label Security Administrator's Guide.

    Expired and locked

    MDDATA The schema used by Oracle Spatial for storing Geocoder and router data.

    Oracle Spatial provides a SQL schema and functions that enable you to store, retrieve, update, and query collections of spatial features in an Oracle database.

    See Oracle Spatial Developer's Guide.

    Expired and locked

    ORACLE_OCM The account used with Oracle Configuration Manager. This feature enables you to associate the configuration information for the current Oracle Database instance with My Oracle Support. Then when you log a service request, it is associated with the database instance configuration information.

    See Oracle Database Installation Guide for your platform.

    Expired and locked

    SPATIAL_CSW_ADMIN_USR The Catalog Services for the Web (CSW) account. It is used by Oracle Spatial CSW Cache Manager to load all record-type metadata and record instances from the database into the main memory for the record types that are cached.

    See Oracle Spatial Developer's Guide.

    Expired and locked

    SPATIAL_WFS_ADMIN_USR The Web Feature Service (WFS) account. It is used by Oracle Spatial WFS Cache Manager to load all feature type metadata and feature instances from the database into main memory for the feature types that are cached.

    See Oracle Spatial Developer's Guide.

    Expired and locked

    XS$NULL An internal account that represents the absence of database user in a session and the actual session user is an application user supported by Oracle Real Application Security. XS$NULL has no privileges and does not own any database object. No one can authenticate as XS$NULL, nor can authentication credentials ever be assigned to XS$NULL.

    Expired and locked

    Predefined Sample Schema User Accounts

    If you install the sample schemas, which you must do to complete the examples in this guide, Oracle Database creates a set of sample user accounts. The sample schema user accounts are all non-administrative accounts, and their tablespace is USERS.

    To protect these accounts from unauthorized access, the installation process locks and expires these accounts immediately after installation. As the database administrator, you are responsible for unlocking and resetting these accounts, as described in "Expiring and Locking Database Accounts" on page 2-14. For more information about the sample schema accounts, see Oracle Database Sample Schemas.

    Table 2-6 lists the sample schema user accounts, which represent different divisions of a fictional company that manufactures various products.


    In addition to the sample schema accounts, Oracle Database provides another sample schema account, SCOTT. The SCOTT schema contains the tables EMP, DEPT, SALGRADE, and BONUS. The SCOTT account is used in examples throughout the Oracle Database documentation set. When you install Oracle Database, the SCOTT account is locked and expired.

    Expiring and Locking Database Accounts

    When you expire the password of a user, that password no longer exists. If you want to unexpire the password, you change the password of that account. Locking an account preserves the user password and other account information, but makes the account unavailable to anyone who tries to log in to the database using that account. Unlocking it makes the account available again.

    Oracle Database 2 Day DBA explains how you can use Enterprise Manager to unlock database accounts. You also can use Enterprise Manager to expire or lock database accounts.

    To expire and lock a database account:

    1. Access the Database home page.

    See Oracle Database 2 Day DBA for more information.

    2. From the Administration menu, select Security, then Users.

    If the Database Login page appears, then log in as an administrative user, such as SYSTEM.

    The Users page lists the user accounts created for the current database instance.

    The Account Status column indicates whether an account is expired, locked, or open.

    3. In the Select column, select the account you want to expire, and then click Edit.

    4. In the Edit User page, do one of the following:

    To expire a password, click Expire Password now.

    To unexpire the password, enter a new password in the Enter Password and Confirm Password fields. See "Requirements for Creating Passwords" on page 2-15 for password requirements.

    Table 2-6 Default Sample Schema User Accounts

    | User Account | Description | Status After Installation |
    |---|---|---|
    | HR | The account used to manage the HR (Human Resources) schema. This schema stores information about the employees and the facilities of the company. | Expired and locked |
    | OE | The account used to manage the OE (Order Entry) schema. This schema stores product inventories and sales of the company's products through various channels. | Expired and locked |
    | PM | The account used to manage the PM (Product Media) schema. This schema contains descriptions and detailed information about each product sold by the company. | Expired and locked |
    | IX | The account used to manage the IX (Information Exchange) schema. This schema manages shipping through business-to-business (B2B) applications. | Expired and locked |
    | SH | The account used to manage the SH (Sales) schema. This schema stores business statistics to facilitate business decisions. | Expired and locked |


    To lock the account, select Locked.

    5. Click Apply.

    Requirements for Creating Passwords

    When you create a user account, Oracle Database assigns a default password policy for that user. The password policy defines rules for how the password should be created, such as a minimum number of characters, when it expires, and so on. You can strengthen passwords by using password policies.

    For greater security, follow these guidelines when you create passwords:

    Make the password between 12 and 30 characters and numbers.

    Use mixed case letters and special characters in the password. (See Oracle Database Security Guide for more information.)

    Use the database character set for the password characters, which can include the underscore (_), dollar ($), and number sign (#) characters.

    Do not use an actual word for the entire password.

    Oracle Database Security Guide describes more ways that you can further secure passwords.

    Finding and Changing Default Passwords

    This section describes how you can find and change default passwords that may have come from earlier releases of Oracle Database.

    This section contains:

    About Finding and Changing Default Passwords

    Finding and Changing Default Passwords from SQL*Plus

    Finding and Changing Default Passwords from Enterprise Manager

    About Finding and Changing Default Passwords

    When you install Oracle Database, the default database user accounts, including administrative accounts, are created without default passwords. Except for the administrative accounts whose passwords you create during installation (such as user SYS), the default user accounts arrive locked with their passwords expired. If you have upgraded from a previous release of Oracle Database, you may have database accounts that still have default passwords. These are default accounts that are created when you create a database, such as the HR, OE, and SCOTT accounts.

    See Also:

    "Finding and Changing Default Passwords" on page 2-15 for information about changing user passwords

    "Expiring and Locking Database Accounts" on page 2-14 for information about locking accounts and expiring passwords

    "Predefined User Accounts Provided by Oracle Database" on page 2-10 for a description of the predefined user accounts that are created when you install Oracle Database

    Oracle Database Security Guide for detailed information about managing passwords


    Security is most easily compromised when a default database user account still has a default password after installation. This is particularly true for the user account SCOTT, which is a well known account that may be vulnerable to intruders. Find accounts that use default passwords and then change their passwords.

    Finding and Changing Default Passwords from SQL*Plus

    You can use SQL*Plus to find and change default passwords.

    To find and change default passwords:

    1. Log into the database instance with administrative privileges.

    sqlplus system
    Enter password: password

    2. Select from the DBA_USERS_WITH_DEFPWD data dictionary view.

    SELECT * FROM DBA_USERS_WITH_DEFPWD;

    The DBA_USERS_WITH_DEFPWD view lists the accounts that still have user default passwords. For example:

    USERNAME
    ------------
    SCOTT

    3. Change the password for the accounts the DBA_USERS_WITH_DEFPWD data dictionary view lists.

    For example, to change the password for user SCOTT, enter the following:

    PASSWORD SCOTT
    Changing password for SCOTT
    New password: password
    Retype new password: password
    Password changed

    Replace password with a password that is secure, according to the guidelines listed in "Requirements for Creating Passwords" on page 2-15. For greater security, do not reuse the same password that was used in previous releases of Oracle Database.

    Alternatively, you can use the ALTER USER SQL statement to change the password:

    ALTER USER SCOTT IDENTIFIED BY password;
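
    The SQL*Plus steps above and the expire-and-lock action from "Expiring and Locking Database Accounts", combined into one script. This is an added example, not part of the Oracle guide; it assumes a session that can query the DBA_ views and holds the ALTER USER privilege, and the choice to lock every unlocked default-password account except SYS and SYSTEM is this example's own policy.

```sql
-- Added example (not from the Oracle guide). Run in SQL*Plus as an administrator.

-- 1. Report each account that still has a default password, with its status.
SELECT d.username, u.account_status, u.profile
FROM   dba_users_with_defpwd d
JOIN   dba_users u ON u.username = d.username
ORDER  BY u.account_status, d.username;

-- 2. Expire and lock the ones that can still be used.
--    ACCOUNT_STATUS ends in LOCKED only for a permanent lock, so OPEN,
--    EXPIRED and the temporary LOCKED(TIMED) states are all picked up.
--    SYS and SYSTEM are skipped: they need a new password, not a lock.
SET SERVEROUTPUT ON
BEGIN
  FOR r IN (SELECT u.username
            FROM   dba_users_with_defpwd d
            JOIN   dba_users u ON u.username = d.username
            WHERE  u.account_status NOT LIKE '%LOCKED'
            AND    u.username NOT IN ('SYS', 'SYSTEM'))
  LOOP
    -- ENQUOTE_NAME quotes the identifier so an unusual user name cannot
    -- change the meaning of the generated statement.
    EXECUTE IMMEDIATE 'ALTER USER '
      || DBMS_ASSERT.ENQUOTE_NAME(r.username, FALSE)
      || ' PASSWORD EXPIRE ACCOUNT LOCK';
    DBMS_OUTPUT.PUT_LINE('Expired and locked: ' || r.username);
  END LOOP;
END;
/

-- 3. Check the result. An account stays in DBA_USERS_WITH_DEFPWD until its
--    password is actually changed, so what matters here is that every
--    remaining row shows a locked status.
SELECT d.username, u.account_status
FROM   dba_users_with_defpwd d
JOIN   dba_users u ON u.username = d.username
WHERE  u.account_status NOT LIKE '%LOCKED';
```

    Any row returned by the last query is an account that can still be logged in to with a default password (SYS or SYSTEM, given the exclusion above); change its password with PASSWORD or ALTER USER as shown in step 3.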

    Finding and Changing Default Passwords from Enterprise Manager

    You can use Enterprise Manager to change user account passwords (not just the default user account passwords) if you have administrative privileges. Individual users can also use Enterprise Manager to change their own passwords.

    To use Enterprise Manager to change the password of a database account:

    See Also:

    Oracle Database Security Guide for additional methods of configuring password protection

    "Predefined User Accounts Provided by Oracle Database" on page 2-10


    1. Access the Database home page.

    See Oracle Database 2 Day DBA for more information.

    2. From the Administration menu, select Security, then Users.

    If the Database Login page appears, then log in as an administrative user, such as SYS. User SYS must log in with the SYSDBA role selected.

    The Users page lists the user accounts created for the current database instance. The Account Status column indicates whether an account is expired, locked, or open.

    3. In the Select column, select the account you want to change, and then click Edit.

    4. In the Edit User page, enter a new password in the Enter Password and Confirm Password fields.

    5. Click Apply.

    Parameters Used to Secure User Accounts

    Table 2-7 lists initialization and profile parameters that you can set to better secure user accounts.

    Table 2-7 Initialization and Profile Parameters Used for User Account Security

    | Parameter | Default Setting | Description |
    |---|---|---|
    | SEC_CASE_SENSITIVE_LOGON | TRUE | Controls case sensitivity in passwords. TRUE enables case sensitivity; FALSE disables it. |
    | SEC_MAX_FAILED_LOGIN_ATTEMPTS | 10 | Sets the maximum number of times a user is allowed to fail when connecting to an Oracle Call Interface (OCI) application. |
    | FAILED_LOGIN_ATTEMPTS | 10 | Sets the maximum times a user login is allowed to fail before locking the account. Note: You also can set limits on the number of times an unauthorized user (possibly an intruder) attempts to log in to Oracle Call Interface applications by using the SEC_MAX_FAILED_LOGIN_ATTEMPTS initialization parameter. |
    | PASSWORD_GRACE_TIME | No default setting | Sets the number of days that a user has to change his or her password before it expires. |
    | PASSWORD_LIFE_TIME | No default setting | Sets the number of days the user can use his or her current password. |
    | PASSWORD_LOCK_TIME | No default setting | Sets the number of days an account will be locked after the specified number of consecutive failed login attempts. |
    | PASSWORD_REUSE_MAX | No default setting | Specifies the number of password changes required before the current password can be reused. |
    | PASSWORD_REUSE_TIME | No default setting | Specifies the number of days before which a password cannot be reused. |

    Note: You can use most of these parameters to create a user profile. See Oracle Database Security Guide for more information about user profile settings.


    To modify an initialization parameter, see "Modifying the Value of an Initialization Parameter" on page 2-4. For detailed information about initialization parameters, see Oracle Database Reference and Oracle Database Administrator's Guide.
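
    How the profile parameters in Table 2-7 combine into one user profile, and where the two initialization parameters are set instead. This is an added example, not part of the Oracle guide; the profile name app_user_profile, the account app_user, and every limit value are assumptions chosen for illustration.

```sql
-- Added example (not from the Oracle guide); names and values are illustrative.

-- Profile parameters are set per profile, then the profile is assigned to users.
CREATE PROFILE app_user_profile LIMIT
  -- lock the account after 5 consecutive failed logins
  FAILED_LOGIN_ATTEMPTS 5
  -- days the account stays locked after that
  PASSWORD_LOCK_TIME    1
  -- days the user can use the current password
  PASSWORD_LIFE_TIME    90
  -- days the user has to change the password before it expires
  PASSWORD_GRACE_TIME   7
  -- days before which a password cannot be reused
  PASSWORD_REUSE_TIME   365
  -- password changes required before the current password can be reused
  PASSWORD_REUSE_MAX    10
;

ALTER USER app_user PROFILE app_user_profile;

-- Confirm what the profile enforces.
SELECT resource_name, limit
FROM   dba_profiles
WHERE  profile = 'APP_USER_PROFILE'
AND    resource_type = 'PASSWORD'
ORDER  BY resource_name;

-- Open accounts that were never moved off the DEFAULT profile.
SELECT username, account_status
FROM   dba_users
WHERE  profile = 'DEFAULT'
AND    account_status = 'OPEN'
ORDER  BY username;

-- SEC_CASE_SENSITIVE_LOGON and SEC_MAX_FAILED_LOGIN_ATTEMPTS are
-- initialization parameters, not profile limits. Check the current values:
SELECT name, value
FROM   v$parameter
WHERE  name IN ('sec_case_sensitive_logon', 'sec_max_failed_login_attempts');

-- SEC_MAX_FAILED_LOGIN_ATTEMPTS is static: write it to the server parameter
-- file and restart the instance for it to take effect.
ALTER SYSTEM SET SEC_MAX_FAILED_LOGIN_ATTEMPTS = 5 SCOPE = SPFILE;
```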


    3 Managing User Privileges

    This chapter contains:

    About Privilege Management

    When to Grant Privileges to Users

    When to Grant Roles to Users

    Handling Privileges for the PUBLIC Role

    Controlling Access to Applications with Secure Application Roles

    Initialization Parameters Used for Privilege Security

    About Privilege Management

    You can control user privileges in the following ways:

    Granting and revoking individual privileges. You can grant individual privileges, for example, the privilege to perform the UPDATE SQL statement, to individual users or to groups of users.

    Creating a role and assigning privileges to it. A role is a named group of related privileges that you grant, as a group, to users or other roles.

    Creating a secure application role. A secure application role enables you to define conditions that control when a database role can be enabled. For example, a secure application role can check the IP address associated with a user session before allowing the session to enable a database role.

    When to Grant Privileges to Users

    Because privileges are the rights to perform a specific action, such as updating or deleting a table, do not provide database users more privileges than are necessary. For an introduction to managing privileges, see "About User Privileges and Roles" in Oracle Database 2 Day DBA. Oracle Database 2 Day DBA also provides an example of how to grant a privilege.

    In other words, the principle of least privilege is that users be given only those privileges that are actually required to efficiently perform their jobs. To implement this principle, restrict the following as much as possible:

    See Also:

    Oracle Database Security Guide

    Oracle Label Security Administrator's Guide


    The number of system and object privileges granted to database users

    The number of people who are allowed to make SYS-privileged connections to the database

    For example, generally the CREATE ANY TABLE privilege is not granted to a user who does not have database administrator privileges.

    You can find excessive system and object privilege grants, even with large numbers of user accounts in complex Oracle Database installations, by creating a privilege analysis policy. A privilege analysis policy finds privilege usage according to a specified condition and then stores the results in data dictionary views. Oracle Database Vault Administrator's Guide describes how to create a privilege analysis policy.

    When to Grant Roles to Users

    A role is a named group of related privileges that you grant, as a group, to users or other roles. To learn the fundamentals of managing roles, see "Administering Roles" in Oracle Database 2 Day DBA. In addition, see "Example: Creating a Role" in Oracle Database 2 Day DBA.

    Roles are useful for quickly and easily granting permissions to users. Although you can use Oracle Database-defined roles, you have more control and continuity if you create your own roles that contain only the privileges pertaining to your requirements. Oracle may change or remove the privileges in an Oracle Database-defined role, as it has with the CONNECT role, which now has only the CREATE SESSION privilege. Formerly, this role had eight other privileges.

    Ensure that the roles you define contain only the privileges required for the responsibility of a particular job. If your application users do not need all the privileges encompassed by an existing role, then apply a different set of roles that supply just the correct privileges. Alternatively, create and assign a more restrictive role.

    Do not grant powerful privileges, such as the CREATE DATABASE LINK privilege, to regular users such as user SCOTT. (Particularly do not grant any powerful privileges to SCOTT, because this is a well known default user account that may be vulnerable to intruders.) Instead, grant the privilege to a database role, and then grant this role to the users who must use the privilege. And remember to only grant the minimum privileges the user needs.

    Handling Privileges for the PUBLIC Role

    You should revoke unnecessary privileges and roles from the PUBLIC role. The PUBLIC role is automatically assumed by every database user account. By default, it has no privileges assigned to it, but it does have grants to many Java objects. You cannot drop the PUBLIC role, and a manual grant or revoke of this role has no meaning, because the user account will always assume this role. Because all database user accounts assume the PUBLIC role, it does not appear in the DBA_ROLES and SESSION_ROLES data dictionary views.

    Because all users have the PUBLIC role, any database user can exercise privileges that are granted to this role. These privileges can potentially enable someone with minimal privileges to access and execute functions that this user would not otherwise be permitted to access directly.
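
    Dictionary queries for the grants that the three preceding sections say to restrict: powerful system privileges held directly by users, SYS-privileged connections, and object privileges held by PUBLIC. This is an added example, not part of the Oracle guide; the role db_link_users and the account app_user are hypothetical names, and which privileges count as "powerful" is this example's assumption.

```sql
-- Added example (not from the Oracle guide). Run as an administrator.

-- 1. ANY-type privileges and CREATE DATABASE LINK granted directly to
--    user accounts. The join to DBA_USERS drops grants made to roles, and
--    ORACLE_MAINTAINED = 'N' drops the accounts Oracle itself creates.
SELECT p.grantee, p.privilege, p.admin_option
FROM   dba_sys_privs p
JOIN   dba_users u ON u.username = p.grantee
WHERE  u.oracle_maintained = 'N'
AND    (p.privilege LIKE '% ANY %' OR p.privilege = 'CREATE DATABASE LINK')
ORDER  BY p.grantee, p.privilege;

-- 2. Accounts in the password file, that is, the ones allowed to make
--    SYS-privileged connections.
SELECT username, sysdba, sysoper
FROM   v$pwfile_users
ORDER  BY username;

-- 3. What PUBLIC can do, summarized by owning schema and privilege.
SELECT owner, privilege, COUNT(*) AS grants
FROM   dba_tab_privs
WHERE  grantee = 'PUBLIC'
GROUP  BY owner, privilege
ORDER  BY grants DESC;

-- 4. PUBLIC grants on objects in schemas your own site created. Every
--    database user inherits these, so each row needs a justification.
SELECT t.owner, t.table_name, t.privilege
FROM   dba_tab_privs t
JOIN   dba_users u ON u.username = t.owner
WHERE  t.grantee = 'PUBLIC'
AND    u.oracle_maintained = 'N'
ORDER  BY t.owner, t.table_name;

-- 5. Replacing a direct grant found by query 1 with a role grant.
--    db_link_users and app_user are hypothetical names.
CREATE ROLE db_link_users;
GRANT  CREATE DATABASE LINK TO db_link_users;
REVOKE CREATE DATABASE LINK FROM app_user;
GRANT  db_link_users TO app_user;
```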


    Controlling Access to Applications with Secure Application Roles

    A secure application role is a role that can be enabled only by an authorized PL/SQL package. The PL/SQL package itself reflects the security policies necessary to control access to the application.

    This section contains:

    About Secure Application Roles

    Tutorial: Creating a Secure Application Role

    About Secure Application Roles

    A secure application role is a role that can be enabled only by an authorized PL/SQL package. This package defines one or more security policies that control access to the application. Both the role and the package are typically created in the schema of the person who creates them, which is typically a security administrator. A security administrator is a database administrator who is responsible for maintaining the security of the database.

    The advantage of using a secure application role is you can create additional layers of security for application access, in addition to the privileges that were granted to the role itself. Secure application roles strengthen security because passwords are not embedded in application source code or stored in a table. This way, the decisions the database makes are based on the implementation of your security policies. Because these definitions are stored in one place, the database, rather than in your applications, you modify this policy once instead of modifying the policy in each application. No matter how many users connect to the database, the result is always the same, because the policy is bound to the role.

    A secure application role has the following components:

    The secure application role itself. You create the role using the CREATE ROLE statement with the IDENTIFIED USING clause to associate it with the PL/SQL package. Then, you grant the role the privileges you typically grant a role.

    A PL/SQL package, procedure, or function associated with the secure application role. The PL/SQL package sets a condition that either grants the role or denies the role to the person trying to log in to the database. You must create the PL/SQL package, procedure, or function using invoker's rights, not definer's rights. An invoker's rights procedure executes with the privileges of the current user, that is, the user who invokes the procedure. This user must be granted the EXECUTE privilege for the underlying objects that the PL/SQL package accesses. Invoker's rights procedures are not bound to a particular schema. They can be run by a variety of users and enable multiple users to manage their own data by using centralized application logic. To create the invoker's rights package, use the AUTHID CURRENT_USER clause in the declaration section of the procedure code.

    The PL/SQL package also must contain a SET ROLE statement or DBMS_SESSION.SET_ROLE call to enable (or disable) the role for the user.

    See Also:

    About Privilege Management

    When to Grant Privileges to Users

    Initialization Parameters Used for Privilege Security


    After you create the PL/SQL package, you must grant the appropriate users the EXECUTE privilege on the package.

    A way to execute the PL/SQL package when the user logs on. To execute the PL/SQL package, you must call it directly from the application before the user tries to use the privileges the role grants. You cannot use a logon trigger to execute the PL/SQL package automatically when the user logs on.

    When a user logs in to the application, the policies in the package perform the checks as needed. If the user passes the checks, then the role is granted, which enables access to the application. If the user fails the checks, then the user is prevented from accessing the application.
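
    The three components described above, wired together for the IP address check mentioned under "About Privilege Management". This is an added example, not part of the Oracle guide and separate from the tutorial that follows; the schema sec_admin, the role orders_app_role, the procedure enable_orders_app_role, the table app_owner.orders, the account app_user, and the 192.0.2.x subnet are all hypothetical.

```sql
-- Added example (not from the Oracle guide); all object names are hypothetical.
-- Run the first three statements as a security administrator that holds
-- CREATE ROLE and CREATE PROCEDURE.

-- Component 2: the policy. AUTHID CURRENT_USER makes this an invoker's rights
-- procedure; SET_ROLE raises an error from a definer's rights procedure.
CREATE OR REPLACE PROCEDURE sec_admin.enable_orders_app_role
  AUTHID CURRENT_USER
AS
  -- Client address of this session. It is NULL for local connections that
  -- do not come through the network listener.
  v_ip VARCHAR2(64) := SYS_CONTEXT('USERENV', 'IP_ADDRESS');
BEGIN
  -- Constructed sample subnet. A NULL address fails the LIKE test, so local
  -- sessions are denied the role as well.
  IF v_ip LIKE '192.0.2.%' THEN
    -- Same effect as SET ROLE: this role becomes the session's only
    -- enabled non-default role.
    DBMS_SESSION.SET_ROLE('orders_app_role');
  END IF;
  -- No ELSE branch: a session that fails the check simply never gets the role.
END;
/

-- Component 1: the role, bound to the procedure that may enable it.
CREATE ROLE orders_app_role IDENTIFIED USING sec_admin.enable_orders_app_role;

-- Users get EXECUTE on the procedure. The role itself is not granted to them.
GRANT EXECUTE ON sec_admin.enable_orders_app_role TO app_user;

-- Run as the table owner (or with the grant option on the table):
GRANT SELECT ON app_owner.orders TO orders_app_role;

-- Component 3: the application session calls the procedure before it needs
-- the role's privileges. Run as app_user:
EXECUTE sec_admin.enable_orders_app_role;

-- ORDERS_APP_ROLE is listed only if the address check passed.
SELECT role FROM session_roles;

-- A plain SET ROLE orders_app_role issued outside the procedure is rejected,
-- which is what keeps the address check from being bypassed.
```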

    Tutorial: Creating a Secure Application Role

    This tutorial shows how two employees, Matthew Weiss and Winston Taylor, try to gain information from the OE.ORDERS table. Access rights to this table are defined in the emp_role secure application role. Matthew is Winston's manager, so Matthew, as opposed to Winston, will be able to access the information in OE.ORDERS.

    In this tutorial:

    Step 1: Create User Accounts for This Tutorial

    Step 2: Create a Security Administrator Account

    Step 3: Create a Lookup View

    Step 4: Create the PL/SQL Procedure to Set the Secure Application Role

    Step 5: Create the Secure Application Role

    Step 6: Grant SELECT for the EMP_ROLE Role to the OE.ORDERS Table

    Step 7: Grant the EXECUTE Privilege for the Procedure to Matthew and Winston

    Step 8: Test the EMP_ROLE Secure Application Role

    Step 9: Optionally, Remove the Components for This Tutorial

    Step 1: Create User Accounts for This Tutorial

    Matthew and Winston both are sample employees in the HR.EMPLOYEES table. This table provides columns for the manager ID and email address of the employees, among other information. You must create user accounts for these two employees so that they can later test the secure application role.

    To create the user accounts:

    1. In Enterprise Manager, access the Database home page.

    See Oracle Database 2 Day DBA for more information.

    2. Access your target database and then log in as user SYSTEM.

    3. From the Administration menu, select Security, then Users.

    4. In the Users page, click Create.

    5. In the Create User page, enter the following information:

    Name: mweiss (to create the user account for Matthew Weiss)

    Profile: DEFAULT

    Authentication: Password


    Enter Password and Confirm Password: Enter a password that meets the requirements in "Requirements for Creating Passwords" on page 2-15.

    Default Tablespace: EXAMPLE

    Temporary Tablespace: TEMP

    Status: Unlocked

    6. Click System Privileges.

    7. Click Edit List.

    8. In the Modify System Privileges, from the Available System Privileges lists, select the CREATE SESSION privilege, and then click Move to move it to the Selected System Privileges list.

    9. Click OK.

    The Create User page appears, with CREATE SESSION listed as the system privilege for user mweiss.

    10. Ensure that the Admin Option for CREATE SESSION is not selected, and then click OK.

    11. In the Users page, select the selection button for user MWEISS from the list of users, and then from the Actions list, select Create Like. Then, click Go.

    12. In the Create User page, enter the following information to create the user account for Winston, which will be almost identical to the user account for Matthew:

    Name: wtaylor

    Enter Password and Confirm Password: Enter a password that meets the requirements in "Requirements for Creating Passwords" on page 2-15.

    You do not need to specify the default and temporary tablespaces, or the CREATE SESSION system privilege, for user wtaylor because they are already specified.

    13. Click OK.

    Now both Matthew Weiss and Winston Taylor have user accounts that have identical privileges.

    Step 2: Create a Security Administrator Account

    For greater security, you should apply separation of duty concepts when you assign responsibilities to the system administrators on your staff. For the tutorials used in this guide, you will create and use a security administrator account called sec_admin.

    To create the sec_admin security administrator account:

    1. From the Administration menu, select Security, then Users.

    If the Database Login page appears, then log in as an administrative user, such as SYS. User SYS must log in with the SYSDBA role selected.

    2. In the Users page, click Create.

    3. In the Create User page, enter the following information:

    Name: sec_admin

    Profile: Default

    Authentication: Password


    Enter Password and Confirm Password: Enter a password that meets the requirements in "Requirements for Creating Passwords" on page 2-15.

    Default Tablespace: EXAMPLE

    Temporary Tablespace: TEMP

    Status: UNLOCKED

    4. Click