databse & technology 2 _ francisco munoz alvarez _ oracle security tips - some easyways to make...

ORACLE SECURITY

Francisco Munoz Alvarez Oracle ACE Director President CLOUG, LAOUC & NZOUG 8/9/10g/11g OCP, RAC OCE, AS OCA, E-‐Business OCP, SQL/PLSQL OCA, Oracle 7 OCM Oracle 7 & 11GR2 Beta Tester ITIL CerKfied 2010 Oracle Ace Director of the year by Oracle Magazine Blog: www.oraclenz.com -‐ Email: [email protected] – TwiXer : fcomunoz Blog: www.oracleenespanol.com -‐ Comunidad Oracle: www.oraclemania.ning.com

Oracle Professional Services Manager Revera

www.revera.co.nz

ORACLE SECURITY TIPS By: Francisco Munoz Alvarez

Insync 2011 Sydney, Australia

DBIS - Copyright 2010 3

Born here Grow up here

Got Married Here Mature here Now Living here

The Rule: “The most important rule with respect to data is to never put yourself into an unrecoverable situaKon.”

The importance of this guideline cannot be stressed enough, but it does not mean that you can never use time saving or performance enhancing options.

5

Always Try it Before!

When it comes to theory, “NEVER” believe anything you hear

or read unKl you have tried it yourself.

7

Backup, Backup &

Backup

Why? Because bad stuff

happens…

InformaBon Security Has Changed

Hacking Steps

OFFICIAL STATISTICS from Secret Service Germany

SOME SHORT FACTS

HIGH SCORE LIST

2007/2008 SHOPPING LIST

CRISIS SHOPPING LIST 2009

CONCLUSION

Oracle Security SoluBons

Oracle Security Components

DB ENVIRONMENT

Security Data in Rest/Access Control

WHAT IS ASO?

What Security Problems does ASO solve?

ASO BENEFITS

TDE – Transparent Data EncrypBon

SECURING DATA IN MOTION

NETWORK ENCRYPTION

SECURING BACKUP

SECURING BACKUP Examples

DATAMASKING

WHAT IS DATAMASKING?

PREVENT MODIFICATIONS BY UNAUTHORIZED USERS

WHAT IS DATA VAULT?

DATA VAULT HELP TO SOLVE:

DATA VAULT Vs VPD and OLS

DATABASE VAULT Realms and Rule

DATA VAULT REPORTS

DATA VAULT EXAMPLES

HIGHLY SECURED ENVIROMENTS AUDIT VALT

AUDIT VAULT EXAMPLES

AUDIT VAULT REPORTS Who, What, When, Where

AUDIT VAULT DASHBOARD

AUDIT VAULT SUMMARY

26 Security Tips

Some Oracle Security Tips

1) Grant privileges only to a user or applicaKon which requires the privilege to accomplish necessary work. Excessive granKng of unnecessary privileges can compromise security.


2)No administraKve funcKons are to be performed by an applicaKon. For example create user, delete user, grant role, grant object privileges, etc.


3) Privileges for schema or database owner objects should be granted via a role and not explicitly. Do not use the “ALL” opKon when granKng object privileges, instead specify the exact privilege needed, such as select, update, insert, delete.


4 )Pas sword p ro tec ted ro le s may be implemented to allow an applicaKon to control access to its data. Thereby, end users may not access the applicaKon’s data from outside the applicaKon.


5)Access to AdministraKve or System user accounts should be restricted to authorized DBAs.


6) Do not grant system supplied database roles. These roles may have administraKve privileges and the role privileges may change with new releases of the database.


7) Database catalog access should be restricted. Example: Use “USER_VIEWS” instead of “DBA_VIEWS” for an Oracle database.


8) Privileges granted to PUBLIC are accessible to every user and should be granted only when necessary.


9) Any password stored by applicaKons in the database should be encrypted.


10) ApplicaKons should not “DROP”, “CREATE” or “ALTER” objects within the applicaKon.


11) UKlize the shared database infrastructure to share cost whenever possible.


12) ApplicaKons should not access the database with the same security as the owner of the database objects. For example on SQL Server do not grant the “dbowner” role and on Oracle do not use the Schema userid to connect to the database. Setup another userid with the necessary privileges to run the applicaKon.


13) Database integrity should be enforced on the database using foreign keys not in the applicaKon code. This helps prevent code outside the applicaKon from creaKng orphan records and/or invalid data.


14) Do not hard code username and passwords in the applicaKon source code.

•  Sqlplus /nolog @myscript

–  Create a password file (.password) fmunoz evelyn scoX Kger

–  Create a shell script getpwd.sh fgrep $1 $HOME/tools/.password | cut –d “ “ –f2

–  Use the script and the password file Getpwd.sh fmunoz | sqlplus –s fmunoz @script

•  RMAN rman target / connect catalog user/pwd@catdb


15) Protect your Listener (Cont.):

–  LSNRCTL> Set Current Listener <ip_address> –  LSNRCTL> Set rawmode on –  LSNRCTL> Services –  LSNRCTL> Stop –  LSNRCTL> Set startup_waitme 20 –  LSNRCTL> Set logfile redo01a –  LSNRCTL> Set log_directory ‘/u01/app/oracle/redo’


15) Protect your Listener: –  Disable online modificaKons

•  LSNRCTL> Admin_restricKons _<listener_name>=ON •  LSNRCTL> Change_password •  LSNRCTL> Save_config


16) Ensure external users have the least privilege possible.


17) Have a clear and well documented Backup and Recovery Strategy


18) Implement an strong password policy (user profile) and force all users to change their passwords constantly .


19) All important passwords need to be saved in a safe and replaced when changed.


20) Install only what’s really required.


21) Implement Audit, soon or later you will be ask to tell who changed that. Please, implement a purge strategy.


22) Create promoKon procedures (DEV-‐>TEST-‐>PROD), lock your producKon environment and test environment. Don’t forget to implement and document a change register.


23) Implement an Indirect Login Policy – Each user have their own login account – Allow connecKons to oracle account (OS) only thru sudo

– This will leaves an audit trail of acKons


24) Prevent SYSDBA connecKon –  Sqlplus / as sysdba

•  Change SQLNET.ORA SQLNET.AUTHENTICATION_SERVICES=(NONE)


25) Avoid Risk ConnecKons (Ext. Procedures) –  Listener.ora

•  (ADDRESS_LIST = (ADDRESS = (PROTOCOL = IPC) (KEY = EXTPROC))

Remove this lines, or move to a different listener


26) Enable Data DicKonary ProtecKon

Oracle Recommends that customers implement data dicKonary protecKon to prevent users who have the “ANY” system privileges to modify or harm the Oracle data dicKonary.

Set 07_DICTIONARY_ACCESSIBILITY parameter to FALSE.

PROGRAM

The Oracle ACE Program is designed to recognize and reward members of the Oracle Technology and Applications communities for their contributions to those communities. These individuals are technically proficient (when applicable) and willingly share their knowledge and experiences.

The program comprises two levels: Oracle ACE and Oracle ACE Director. The former designation is Oracle's way of saying "thank you" to community contributors for their efforts; we (and the community) appreciate their enthusiasm. The latter designation is for community enthusiasts who not only share their knowledge (usually in extraordinary ways), but also want to increase their community advocacy and work more proactively with Oracle to find opportunities for the same. In this sense, Oracle ACE is "backward looking" and Oracle ACE Director is "forward looking."

PROGRAM

QuesBons?

Thank you !