Oracle Database Security 12c - DOAG

Jan-Peter Timmermann, PITSS GmbH (The Oracle Modernization Experts, www.pitss.com), © PITSS GmbH 2014


Page 1: Oracle Database Security 12c - DOAG

www.pitss.com

The Oracle Modernization Experts

© PITSS GmbH 2014

Jan‐Peter Timmermann, PITSS GmbH

Oracle Database Security 12c

Page 2: Oracle Database Security 12c - DOAG

Who we are (PITSS GmbH history):

• Forms and Reports modernization experts
• Over 15 years of experience with Oracle technologies
• Oracle Gold Partner
• Member of the Oracle Modernization Alliance
• Oracle Forms Migration Partner

PITSS America LLC (www.pitssamerica.com); PITSS GmbH Stuttgart/Bielefeld (www.pitss.de)

Page 3: Oracle Database Security 12c - DOAG

PITSS locations

• PITSS Region Südwest (HQ), D-70567, [email protected], Tel.: +49 711 728 752-00
• PITSS Region Südost, D-82515, [email protected], Tel.: +49 8171 21 62-10
• PITSS Region Nord, D-33604 Bielefeld, [email protected], Tel.: +49 521 546 795-00
• Troy (MI), USA
• Milton Keynes, UK

Page 4: Oracle Database Security 12c - DOAG

Security Requirements, Security Risks and Oracle Solutions

Oracle solutions by topic:

• Net Services: Firewall, Listener Security, Network Traffic Encryption
• Authentication: Basic, Strong, Proxy; Database and Enterprise Users
• Privileges and Roles: Privilege Analysis
• Data Access Control: Virtual Private Database, Oracle Label Security, RMAN Virtual Private Catalog
• Data Confidentiality: Data Redaction, Data Masking, DBMS_CRYPTO, Transparent Data Encryption, TSDP
• Auditing: Fine-Grained Audit, Unified Auditing
• Basic Database Security, Database Storage Security

Page 5: Oracle Database Security 12c - DOAG

• Use a firewall.
• Restrict IP addresses.
• Encrypt network traffic.
• Use network log files to monitor connections.

Page 6: Oracle Database Security 12c - DOAG

Restricting Network IP Addresses

Valid node checking, configured in sqlnet.ora:

tcp.excluded_nodes = (135.245.234.44)
tcp.invited_nodes = (144.198.58.146, 144.198.58.147)
tcp.validnode_checking = YES

Page 7: Oracle Database Security 12c - DOAG

Restricting Network IP Addresses

• Do not use IP restrictions as your only security: IP addresses can be spoofed.
• Use listener node registration lists.
• Limit access by protocol: TCPS is a secure protocol and can be used

Page 8: Oracle Database Security 12c - DOAG

Page 9: Oracle Database Security 12c - DOAG

Page 10: Oracle Database Security 12c - DOAG

Page 11: Oracle Database Security 12c - DOAG

Listener Security: Checklist

• Limit the privileges of the listener.
• Restrict node registration.
• Move the listener to a nondefault port.
• Secure administration.
• Protect against denial-of-service (DoS) attacks.
• Monitor listener activity.

Page 12: Oracle Database Security 12c - DOAG

• Password-protecting the listener is no longer supported.
• Local listener administration is secured through local
• By default, remote listener administration is disabled.
• Remote listener administration allows all commands except START.

Page 13: Oracle Database Security 12c - DOAG

INBOUND_CONNECT_TIMEOUT

Protect the listener from DoS attacks with the following network parameters:

• SQLNET.INBOUND_CONNECT_TIMEOUT (sqlnet.ora)
• INBOUND_CONNECT_TIMEOUT_listener_name (listener.ora)

These parameters:

• Set the time allowed for a connection to complete authentication
• Log failures with source IP addresses

Default: 60 seconds

Page 14: Oracle Database Security 12c - DOAG

ORAPKI

Creating a wallet with ORAPKI

Configuring SSL for Client Authentication and Encryption With Self Signed Certificates On Both Ends Using orapki (Doc ID 401251.1)

Page 15: Oracle Database Security 12c - DOAG

# Server wallet: create it, add a self-signed certificate, export the certificate
orapki wallet create -wallet /home/oracle/wallet/server_wallet -auto_login -pwd welcome1
orapki wallet add -wallet /home/oracle/wallet/server_wallet -dn "CN=server" -keysize 512 -self_signed -validity 365 -pwd welcome1
orapki wallet export -wallet /home/oracle/wallet/server_wallet -dn "CN=server" -cert server_ca.cert

# Client wallet: same steps on the client side
orapki wallet create -wallet /home/oracle/wallet/client_wallet -auto_login -pwd welcome1
orapki wallet add -wallet /home/oracle/wallet/client_wallet -dn "CN=client" -keysize 512 -self_signed -validity 365 -pwd welcome1
orapki wallet export -wallet /home/oracle/wallet/client_wallet -dn "CN=client" -cert client_ca.cert

# Cross-trust: each side imports the other side's certificate as a trusted certificate
orapki wallet add -wallet /home/oracle/wallet/client_wallet -trusted_cert -cert server_ca.cert -pwd welcome1
orapki wallet add -wallet /home/oracle/wallet/server_wallet -trusted_cert -cert client_ca.cert -pwd welcome1

Page 16: Oracle Database Security 12c - DOAG

listener.ora: a TCP endpoint on port 1521 and a TCPS endpoint on port 1522, using the server wallet

LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = fmw11gr2)(PORT = 1521))
    )
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = fmw11gr2)(PORT = 1522))
    )
  )

WALLET_LOCATION =
  (SOURCE = (METHOD = File)(METHOD_DATA = (DIRECTORY = /home/oracle/wallet/server_wallet)))
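The listener entry above only opens the TCPS endpoint; the sqlnet.ora and tnsnames.ora entries that complete the mutual-TLS setup from the Doc ID above follow, as an added example that is not part of the slides (wallet paths and host come from the slides; the alias ORCL_TCPS, the service name orcl and SSL_VERSION = 1.2 are assumptions):

```text
# Server-side sqlnet.ora (assumed): same wallet as the listener, require a client certificate
WALLET_LOCATION = (SOURCE = (METHOD = FILE)(METHOD_DATA = (DIRECTORY = /home/oracle/wallet/server_wallet)))
SSL_CLIENT_AUTHENTICATION = TRUE
SSL_VERSION = 1.2

# Client-side sqlnet.ora (assumed): client wallet holding its own certificate and the trusted server certificate
WALLET_LOCATION = (SOURCE = (METHOD = FILE)(METHOD_DATA = (DIRECTORY = /home/oracle/wallet/client_wallet)))
SSL_CLIENT_AUTHENTICATION = TRUE
SSL_VERSION = 1.2
SSL_SERVER_DN_MATCH = YES

# Client-side tnsnames.ora (assumed): use the TCPS endpoint and pin the server DN created with orapki
ORCL_TCPS =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCPS)(HOST = fmw11gr2)(PORT = 1522))
    (CONNECT_DATA = (SERVICE_NAME = orcl))
    (SECURITY = (SSL_SERVER_CERT_DN = "CN=server"))
  )
```

With SSL_CLIENT_AUTHENTICATION = TRUE on the server, a client whose certificate is not in the server wallet's trust list is rejected during the TLS handshake, before any database authentication. The slide's orapki commands use -keysize 512 and put the wallet password on the command line; 512-bit RSA is far below the 2048-bit minimum of current guidance, so use larger keys and an interactive password prompt outside a demo.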

Page 17: Oracle Database Security 12c - DOAG

Basic User Authentication by Password

SQL> CREATE USER username IDENTIFIED BY password;

A database user connecting with CONNECT paul/xxx presents:

• Identity: paul
• Authentication method: password
• Password: xxx

The connection is audited and the user is mapped to a schema.

In a CDB (CDB1 with PDB1, PDB2 and PDB3):

• A common user connects with the same password in all containers of a CDB:
  CONNECT c##u1/xxx@PDB1
  CONNECT c##u1/xxx@PDB2
• A local user connects with its own password in the PDB:
  CONNECT local_u1/p1@PDB3

Page 18: Oracle Database Security 12c - DOAG

New Administrative Privileges

Administrative Privilege | Username | Tasks
SYSDBA, SYSOPER | SYS / PUBLIC | Same operations as in 11g
SYSASM | SYS | Specific to ASM instances only
SYSBACKUP | SYSBACKUP | Perform RMAN backup and recovery operations from RMAN or through SQL
SYSDG | SYSDG | Perform Data Guard operations with Data Guard Broker or DGMGRL
SYSKM | SYSKM | Manage transparent data encryption keystore operations

Page 19: Oracle Database Security 12c - DOAG

New Administrative Privilege: SYSBACKUP

System / Object Privileges:

• ALTER DATABASE, ALTER SYSTEM, CREATE SESSION, ALTER SESSION, ALTER TABLESPACE, DROP TABLESPACE, UNLIMITED TABLESPACE, RESUMABLE
• CREATE ANY DIRECTORY, CREATE ANY TABLE, CREATE ANY CLUSTER, AUDIT ANY, SELECT ANY DICTIONARY, SELECT ANY TRANSACTION
• SELECT on X$ tables and V$ / GV$ views
• EXECUTE on SYS.DBMS_BACKUP_RESTORE, SYS.DBMS_RCVMAN, SYS.DBMS_IR, SYS.DBMS_TTS, SYS.DBMS_TDB, SYS.DBMS_PLUGTS, SYS.DBMS_PLUGTSP

Statements and Roles:

• CREATE PFILE, CREATE SPFILE, CREATE CONTROLFILE, DROP DATABASE, STARTUP, SHUTDOWN
• CREATE / DROP RESTORE POINT (including GUARANTEED restore points), FLASHBACK DATABASE
• SELECT_CATALOG_ROLE, HS_ADMIN_SELECT_ROLE

Page 20: Oracle Database Security 12c - DOAG

New Administrative Privilege: SYSDG

System / Object privileges:

• CREATE SESSION, ALTER SYSTEM, ALTER SESSION, ALTER DATABASE, SELECT ANY DICTIONARY
• SELECT on X$ tables and V$ and GV$ views
• DELETE / SELECT on APPQOSSYS.WLM_CLASSIFIER_PLAN
• EXECUTE on SYS.DBMS_DRS

Statements and Roles:

• STARTUP, SHUTDOWN
• CREATE RESTORE POINT, DROP RESTORE POINT (including GUARANTEED restore points), FLASHBACK DATABASE

Page 21: Oracle Database Security 12c - DOAG

New Administrative Privilege: SYSKM

System / Object privileges:

• CREATE SESSION, ADMINISTER KEY MANAGEMENT
• SELECT on SYS.V$WALLET, SYS.V$ENCRYPTION_WALLET, SYS.V$ENCRYPTED_TABLESPACES

• Connected as SYSKM predefined user
• Manage TDE operations
  – Keystore creation, opening, closing
  – Master key creation and changes
  – Column and tablespace keys management
  – Access to TDE information in appropriate views
• No access to application data

Page 22: Oracle Database Security 12c - DOAG

Creating Common and Local Roles

In a CDB, a common role is created in all containers (the root and every PDB; in the diagram, CDB1 with PDB_HR and PDB_SALES):

SQL> CREATE ROLE c##r1 CONTAINER=ALL;

A local role is created in one single container:

SQL> CREATE ROLE l_role1;

Page 23: Oracle Database Security 12c - DOAG

Granting Common and Local Privileges

In a CDB, a common privilege is granted to a grantee in all containers (the root, PDB_HR and PDB_SALES of CDB1):

SQL> GRANT create session TO c##dba2 CONTAINER=ALL;

A local privilege is granted to a grantee in one single container:

SQL> GRANT advisor TO u1;
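The two slides above (common and local roles, common and local privileges) carried through as one script, as an added example that is not from the slides; it assumes a CDB with a PDB named PDB_HR holding an HR.EMP table, uses the constructed names c##dba2, c##r1, u1 and l_role1, and the passwords are placeholders to replace:

```sql
-- Added example (not from the slides): common vs local roles, users and grants in a CDB.
-- Assumptions: PDB_HR exists, HR.EMP exists inside it, names and passwords are constructed.
-- Run from CDB$ROOT with sufficient privileges (e.g. as SYSDBA).
ALTER SESSION SET CONTAINER = CDB$ROOT;

-- Common principals carry the C## prefix and are created with CONTAINER = ALL:
-- they exist in the root and in every PDB, including PDBs plugged in later.
CREATE USER c##dba2 IDENTIFIED BY "ChangeMe_placeholder1" CONTAINER = ALL;
CREATE ROLE c##r1 CONTAINER = ALL;

-- A common grant is effective in all containers ...
GRANT CREATE SESSION TO c##dba2 CONTAINER = ALL;
-- ... while the same statement without CONTAINER = ALL grants only in the current one (the root).
GRANT c##r1 TO c##dba2;

-- Local principals and local grants live in exactly one container.
ALTER SESSION SET CONTAINER = PDB_HR;
CREATE USER u1 IDENTIFIED BY "ChangeMe_placeholder2";
CREATE ROLE l_role1;
GRANT CREATE SESSION TO u1;
GRANT advisor TO u1;
GRANT l_role1 TO u1;
-- A common role can receive a local grant: SELECT on HR.EMP via c##r1 applies only inside PDB_HR.
GRANT SELECT ON hr.emp TO c##r1;

-- Check the result: the COMMON column separates common from local definitions and grants.
SELECT role, common FROM dba_roles WHERE role IN ('C##R1', 'L_ROLE1');
SELECT grantee, privilege, common FROM dba_sys_privs WHERE grantee IN ('C##DBA2', 'U1');
SELECT grantee, owner, table_name, common FROM dba_tab_privs WHERE grantee = 'C##R1';
```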

Page 24: Oracle Database Security 12c - DOAG

Controlling Backup Access Based on Privilege

PREVENTION: Privileged User Controls

RMAN Virtual Private Catalog (VPC): enhancing security by restricting access to the metadata of the databases registered in the RMAN base catalog.

• Avoid the inadvertent or malicious destruction of catalog data for other databases
• Keep clear separation of duty between administrators of various databases

Page 25: Oracle Database Security 12c - DOAG

RMAN-Encrypted Backups

Diagram: RMAN backs up the data files, optionally protected by a password, either encrypted to disk (Oracle Advanced Security) or encrypted to tape (Oracle Secure Backup or a third-party media manager).

Page 26: Oracle Database Security 12c - DOAG

Controlling Data Access Based on Label

Oracle Label Security (OLS):

• Chooses your virtual information partitioning
• Classifies users and data using labels
• Creates labels based on business drivers
• Enforces row-level access control automatically, transparent to applications
• Uses labels as factors in other policies (Database Vault)

Diagram: OLS policies apply the labels Public, Confidential and Sensitive to transactions, report data and reports.

Page 27: Oracle Database Security 12c - DOAG

Oracle Audit Vault and Database Firewall

A single solution: Oracle Audit Vault and Database Firewall

Diagram: users and applications reach the databases through the Database Firewall, which can allow, log, alert, substitute or block statements; firewall events and audit data (from databases, OS, directory, file system and custom audit logs) are collected in the Audit Vault, where policies drive built-in reports, custom reports and alerts for the security analyst and the auditor.

Page 28: Oracle Database Security 12c - DOAG

Security Risks and Oracle Solutions

Suggested Schedule

The diagram repeats the topic overview from page 4 with the schedule labels Day 1, Day 2, Days 3 & 4, Days 4 & 5 and Day 5:

• Security Requirements
• Net Services: Firewall, Listener Security, Network Traffic Encryption
• Authentication: Basic, Strong, Proxy; Database and Enterprise Users
• Privileges and Roles: Privilege Analysis
• Data Access Control: Virtual Private Database, Oracle Label Security, RMAN Virtual Private Catalog
• Data Confidentiality (Days 4 & 5): Data Redaction, Data Masking, DBMS_CRYPTO, Transparent Data Encryption, TSDP
• Auditing: Fine-Grained Audit, Unified Auditing
• Basic Database Security, Database Storage Security

Page 29: Oracle Database Security 12c - DOAG

Oracle Data Redaction: Overview

• On-the-fly redaction based on username, IP address, application context, and other factors
• Transparent, consistent enforcement in the database
• High performance for production applications
• Appropriate for call centers, decision support systems, and systems with PII, PHI, and PCI data

Diagram: the query SELECT creditcard_no FROM … is executed, the redaction policy is enforced, and redacted data is returned.

Sensitive data (CREDITCARD_NO) | Redacted data returned
5105-1051-0510-5100 | XXXX-XXXX-XXXX-5100
5111-1111-1111-1118 | XXXX-XXXX-XXXX-1118
5454-5454-5454-5454 | XXXX-XXXX-XXXX-5454
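The partial-redaction policy that yields the XXXX-XXXX-XXXX-5100 output shown above, as an added example that is not from the slides; the SALES.PAYMENTS table, the exempt application user CC_ADMIN and the policy name are assumptions, and CREDITCARD_NO is assumed to be a VARCHAR2 in the form nnnn-nnnn-nnnn-nnnn:

```sql
-- Added example (not from the slides). Requires EXECUTE on DBMS_REDACT, which belongs
-- with a security administrator rather than the schema owner.
BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema       => 'SALES',                 -- assumed schema
    object_name         => 'PAYMENTS',              -- assumed table
    column_name         => 'CREDITCARD_NO',
    policy_name         => 'redact_ccn',            -- constructed name
    function_type       => DBMS_REDACT.PARTIAL,
    -- input format (V = digit, F = separator), output format, mask character,
    -- first and last digit position to mask: digits 1-12 become X, the last four stay
    function_parameters => 'VVVVFVVVVFVVVVFVVVV,VVVV-VVVV-VVVV-VVVV,X,1,12',
    -- the policy applies whenever this expression is TRUE, i.e. for everyone but CC_ADMIN
    expression          => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') <> ''CC_ADMIN''',
    enable              => TRUE);
END;
/

-- What is in force, and on which columns:
SELECT p.policy_name, p.enable, p.expression, c.column_name, c.function_type
FROM   redaction_policies p
JOIN   redaction_columns  c
       ON c.object_owner = p.object_owner AND c.object_name = p.object_name
WHERE  p.object_owner = 'SALES';

-- Redaction changes query results only; the stored values are untouched, and users
-- holding the EXEMPT REDACTION POLICY system privilege (SYS by default) always see them.
SELECT creditcard_no FROM sales.payments;  -- redacted unless the session user is CC_ADMIN or exempt
```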

Page 30: Oracle Database Security 12c - DOAG

(Repeat of the Suggested Schedule overview on page 28.)

Page 31: Oracle Database Security 12c - DOAG

Auditing and Alerting in Real-Time

Oracle Audit Vault:

• Database audit streamline
• Powerful detection and alert of suspicious activities
• Out-of-the-box compliance and custom reports
• Consolidated multi-source reporting
• Built-in segregation of duties
• Centralized secure repository

Diagram: audit data and event logs from Oracle databases, other databases, OS & storage, directories, the firewall and custom sources feed the Audit Vault, where AV policies produce built-in reports, custom reports and alerts for the security analyst and the auditor.

Auditing and Reporting: Oracle Audit Vault, Unified Audit, Fine-Grained Audit

Page 32: Oracle Database Security 12c - DOAG

Fine-Grained Auditing

Fine-Grained Auditing (FGA):

• Monitors data access based on content
• Audits SELECT and DML statements
• May fire an event handler procedure

Diagram: users and applications access the secured audited columns; the policy configuration options decide when audit data is written for the security officer and when the event handler fires.

Auditing and Reporting: Oracle Audit Vault, Unified Audit, Fine-Grained Audit
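A content-based FGA policy on the credit card column, with an event handler, as an added example that is not from the slides; SALES.PAYMENTS, the SEC schema with its SEC.FGA_ALERTS table, the application user BILLING_APP and the policy name are assumptions:

```sql
-- Added example (not from the slides). Requires EXECUTE on DBMS_FGA; the alert table
-- SEC.FGA_ALERTS (fired_at, db_user, os_user, client_ip, target) is assumed to exist.

-- Handler procedures must have exactly this three-argument signature. The autonomous
-- transaction lets the alert row survive even if the audited statement is rolled back.
CREATE OR REPLACE PROCEDURE sec.ccn_alert (
  object_schema VARCHAR2, object_name VARCHAR2, policy_name VARCHAR2) AS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  INSERT INTO sec.fga_alerts (fired_at, db_user, os_user, client_ip, target)
  VALUES (SYSTIMESTAMP,
          SYS_CONTEXT('USERENV', 'SESSION_USER'),
          SYS_CONTEXT('USERENV', 'OS_USER'),
          SYS_CONTEXT('USERENV', 'IP_ADDRESS'),
          object_schema || '.' || object_name || ' / ' || policy_name);
  COMMIT;
END;
/

BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'SALES',
    object_name     => 'PAYMENTS',
    policy_name     => 'audit_ccn_access',           -- constructed name
    -- content based: a statement is audited only when this evaluates to TRUE
    audit_condition => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') <> ''BILLING_APP''',
    -- only statements that reference this column fire the policy
    audit_column    => 'CREDITCARD_NO',
    handler_schema  => 'SEC',
    handler_module  => 'CCN_ALERT',
    enable          => TRUE,
    statement_types => 'SELECT, UPDATE, DELETE',
    -- ignored when unified auditing is enabled; records then go to UNIFIED_AUDIT_TRAIL
    audit_trail     => DBMS_FGA.DB + DBMS_FGA.EXTENDED);
END;
/

-- Review what was captured (traditional audit trail; query UNIFIED_AUDIT_TRAIL under unified auditing).
SELECT extended_timestamp, db_user, os_user, object_name, sql_text
FROM   dba_fga_audit_trail
WHERE  policy_name = 'AUDIT_CCN_ACCESS'
ORDER  BY extended_timestamp;
```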

Page 33: Oracle Database Security 12c - DOAG

Enforcing Security at Different Levels

Path: Clients, Firewall, Web server, Application, Firewall, Database (HR.EMP table)

• Network Security: Encryption (sqlnet.ora), Listener security
• Database Access: Database Firewall
• User Authentication: Basic, Strong, Proxy; centralized with LDAP/EUS
• Authorization & Access Control: Privileges; Views, VPD, OLS; Database Vault, Audit Vault; VPC
• Confidentiality: Data Masking, Data Redaction, TSDP; TDE, Data Pump & TDE, DBMS_CRYPTO; RMAN & TDE, Oracle Secure Backup
• Constraints, triggers; Unified audit, FGA; Audit Vault; Logminer; Temporal History; Compliance standards

Page 34: Oracle Database Security 12c - DOAG

Thank you for your time. Hamburg, 10.02.2015

Jan-Peter Timmermann, PITSS GmbH, [email protected]