Oracle Database Security 12c - DOAG
TRANSCRIPT
www.pitss.com
The Oracle Modernization Experts
© PITSS GmbH 2014
Jan-Peter Timmermann, PITSS GmbH
Oracle Database Security 12c
PITSS GmbH: history, who we are
Forms and Reports modernization expert
Over 15 years of experience with Oracle technologies
Oracle Gold Partner
Member of the Oracle Modernization Alliance
Oracle Forms Migration Partner
PITSS America LLC (www.pitssamerica.com); PITSS GmbH, Stuttgart/Bielefeld (www.pitss.de)
PITSS Locations
PITSS Region Südwest (HQ): D-70567, [email protected], Tel.: +49 711 728 752-00
PITSS Region Südost: D-82515, [email protected], Tel.: +49 8171 21 62-10
PITSS Region Nord: D-33604 Bielefeld, [email protected], Tel.: +49 521 546 795-00
Troy (MI), USA
Milton Keynes, UK
Security Risks and Oracle Solutions
Security requirements and the Oracle solutions covered in this session:
• Basic Database Security: security requirements
• Net Services: firewall, listener security, network traffic encryption
• Authentication: basic, strong, proxy; database and enterprise users
• Privileges and Roles: privilege analysis
• Data Access Control: Virtual Private Database, Oracle Label Security, RMAN Virtual Private Catalog
• Data Confidentiality: Data Redaction, Data Masking, TSDP (Transparent Sensitive Data Protection), DBMS_CRYPTO, Transparent Data Encryption, database storage security
• Auditing: Fine-Grained Audit, Unified Auditing
• Use a firewall.
• Restrict IP addresses.
• Encrypt network traffic.
• Use network log files to monitor connections.
Restricting Network IP Addresses
Valid node checking is configured in the server's sqlnet.ora. The listener reads these parameters at startup, so restart the listener after a change:
tcp.validnode_checking = YES
tcp.invited_nodes = (144.198.58.146, 144.198.58.147)
tcp.excluded_nodes = (135.245.234.44)
If both lists are present, tcp.invited_nodes takes precedence and tcp.excluded_nodes is ignored, so in practice you maintain one list: an invited list for an allow-list stance, an excluded list otherwise. 12c also accepts wildcards and CIDR ranges in these lists.
Do not use IP restrictions as your only security: IP addresses can be spoofed. Use listener node registration lists. Limit access by protocol: TCPS (SQL*Net over SSL/TLS) is a secure protocol and can be used instead of plain TCP.
Listener Security: Checklist
• Limit the privileges of the listener.
• Restrict node registration.
• Move the listener to a non-default port.
• Secure administration.
• Protect against denial-of-service (DoS) attacks.
• Monitor listener activity.
• Password-protecting the listener is no longer supported.
• Local listener administration is secured through local operating system authentication.
• By default, remote listener administration is disabled.
• Remote listener administration allows all commands except START.
INBOUND_CONNECT_TIMEOUT
Protect the listener from DoS attacks with the following network parameters:
SQLNET.INBOUND_CONNECT_TIMEOUT (sqlnet.ora, server side)
INBOUND_CONNECT_TIMEOUT_listener_name (listener.ora)
These parameters set the time, in seconds, allowed for a connection to complete authentication, and log failures with the source IP address. The default is 60 seconds. Oracle recommends a listener value lower than the SQLNET value: the listener parameter covers the initial connect request, the SQLNET parameter the authentication handshake with the server process, so a client that never authenticates is dropped by the listener first.
ORAPKI
Creating a wallet with orapki
Configuring SSL for Client Authentication and Encryption With Self Signed Certificates On Both Ends Using orapki (Doc ID 401251.1)
# Server wallet: create it (auto-login, so the listener can open it without
# a password), add a self-signed certificate, export that certificate.
# Key size: the slide used -keysize 512, which is too weak and is rejected by
# current TLS stacks; 2048 is the practical minimum.
orapki wallet create -wallet /home/oracle/wallet/server_wallet -auto_login -pwd welcome1
orapki wallet add -wallet /home/oracle/wallet/server_wallet -dn "CN=server" -keysize 2048 -self_signed -validity 365 -pwd welcome1
orapki wallet export -wallet /home/oracle/wallet/server_wallet -dn "CN=server" -cert server_ca.cert -pwd welcome1
# Client wallet: the same steps with its own self-signed certificate.
orapki wallet create -wallet /home/oracle/wallet/client_wallet -auto_login -pwd welcome1
orapki wallet add -wallet /home/oracle/wallet/client_wallet -dn "CN=client" -keysize 2048 -self_signed -validity 365 -pwd welcome1
orapki wallet export -wallet /home/oracle/wallet/client_wallet -dn "CN=client" -cert client_ca.cert -pwd welcome1
# Cross-trust: each side imports the other's certificate as trusted, which is
# what makes the mutual (client-authenticated) handshake succeed.
orapki wallet add -wallet /home/oracle/wallet/client_wallet -trusted_cert -cert server_ca.cert -pwd welcome1
orapki wallet add -wallet /home/oracle/wallet/server_wallet -trusted_cert -cert client_ca.cert -pwd welcome1
The wallet password welcome1 is the demo value from the MOS note; a real wallet needs a strong password, and passing it with -pwd leaves it in the shell history.
listener.ora on the server: a TCPS endpoint on port 1522 next to the existing TCP endpoint, and the wallet the listener presents:
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = fmw11gr2)(PORT = 1521))
    )
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = fmw11gr2)(PORT = 1522))
    )
  )
WALLET_LOCATION =
  (SOURCE = (METHOD = File)(METHOD_DATA = (DIRECTORY = /home/oracle/wallet/server_wallet)))
The same WALLET_LOCATION goes into the server's sqlnet.ora, together with SSL_CLIENT_AUTHENTICATION = TRUE when the client certificate is to be verified (the mutual setup of the MOS note); the client needs its own WALLET_LOCATION pointing at client_wallet and a TNS entry with PROTOCOL = TCPS and PORT = 1522. Note that the plain TCP endpoint on 1521 stays open in this configuration: as long as it exists nothing forces clients onto the encrypted port, so remove it, or fence it with valid node checking, once TCPS works.
Basic User Authentication by Password
A database user is created with:
SQL> CREATE USER username IDENTIFIED BY password;
When that user connects (CONNECT paul/xxx), the session carries the identity paul, the authentication method password and the user's schema, and the connection is audited.
In a CDB, a common user connects with the same password in all containers:
CONNECT c##u1/xxx@PDB1
CONNECT c##u1/xxx@PDB2
A local user connects with its own password in its PDB only:
CONNECT local_u1/p1@PDB3
New Administrative Privileges
Administrative privilege | Username | Tasks
SYSDBA | SYS | Same operations as in 11g
SYSOPER | PUBLIC | Same operations as in 11g
SYSASM | SYS | Specific to ASM instances only
SYSBACKUP | SYSBACKUP | Perform RMAN backup and recovery operations from RMAN or through SQL
SYSDG | SYSDG | Perform Data Guard operations with Data Guard Broker or DGMGRL
SYSKM | SYSKM | Manage transparent data encryption keystore operations
New Administrative Privilege: SYSBACKUP
System / object privileges:
ALTER DATABASE, ALTER SYSTEM, CREATE SESSION, ALTER SESSION, ALTER TABLESPACE, DROP TABLESPACE, UNLIMITED TABLESPACE, RESUMABLE
CREATE ANY DIRECTORY, CREATE ANY TABLE, CREATE ANY CLUSTER, AUDIT ANY, SELECT ANY DICTIONARY, SELECT ANY TRANSACTION
SELECT on X$ tables and V$ / GV$ views
EXECUTE on SYS.DBMS_BACKUP_RESTORE, SYS.DBMS_RCVMAN, SYS.DBMS_IR, SYS.DBMS_TTS, SYS.DBMS_TDB, SYS.DBMS_PLUGTS, SYS.DBMS_PLUGTSP
Statements and roles:
CREATE PFILE, CREATE SPFILE, CREATE CONTROLFILE, DROP DATABASE, STARTUP, SHUTDOWN
CREATE / DROP RESTORE POINT (including GUARANTEED restore points), FLASHBACK DATABASE
SELECT_CATALOG_ROLE, HS_ADMIN_SELECT_ROLE
Note what is missing from the list: SELECT ANY TABLE. A SYSBACKUP session can back up and restore the database but cannot read application tables, which is the point of using it instead of SYSDBA for backup operators.
New Administrative Privilege: SYSDG
System / object privileges:
CREATE SESSION, ALTER SYSTEM, ALTER SESSION, ALTER DATABASE, SELECT ANY DICTIONARY
SELECT on X$ tables and V$ / GV$ views
DELETE / SELECT on APPQOSSYS.WLM_CLASSIFIER_PLAN
EXECUTE on SYS.DBMS_DRS
Statements and roles:
STARTUP, SHUTDOWN
CREATE RESTORE POINT, DROP RESTORE POINT (including GUARANTEED restore points), FLASHBACK DATABASE
New Administrative Privilege: SYSKM
System / object privileges:
CREATE SESSION, ADMINISTER KEY MANAGEMENT
SELECT on SYS.V$WALLET, SYS.V$ENCRYPTION_WALLET, SYS.V$ENCRYPTED_TABLESPACES
• Connected as the predefined user SYSKM
• Manages TDE operations:
  – keystore creation, opening and closing
  – master key creation and changes
  – column and tablespace key management
  – access to TDE information in the appropriate views
• No access to application data
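The three slides above list what each privilege contains; the following is an added worked example (not from the slides) of handing them to three separate operators and verifying the result. User names c##backup_op, c##dg_op and c##tde_op, the passwords, and the application table hr.employees are assumptions made for the example.

```sql
-- Added example, not from the slides. Assumed names: c##backup_op, c##dg_op,
-- c##tde_op and the application table hr.employees. Run as SYS in CDB$ROOT of
-- a CDB that has a password file (orapwd), since these privileges live there.

CREATE USER c##backup_op IDENTIFIED BY "Bkp#Pwd2014" CONTAINER = ALL;
CREATE USER c##dg_op     IDENTIFIED BY "Dg#Pwd2014"  CONTAINER = ALL;
CREATE USER c##tde_op    IDENTIFIED BY "Tde#Pwd2014" CONTAINER = ALL;

-- Each operator gets exactly one administrative privilege instead of SYSDBA.
GRANT SYSBACKUP TO c##backup_op CONTAINER = ALL;
GRANT SYSDG     TO c##dg_op     CONTAINER = ALL;
GRANT SYSKM     TO c##tde_op    CONTAINER = ALL;

-- Verify in the password file: 12c has one column per administrative privilege.
SELECT username, sysdba, sysoper, sysbackup, sysdg, syskm, con_id
  FROM v$pwfile_users
 ORDER BY username;

-- Backup operator session: connect with AS SYSBACKUP. The session user is
-- then SYSBACKUP (not SYS); AUTHENTICATED_IDENTITY still names the person.
-- CONNECT c##backup_op/"Bkp#Pwd2014" AS SYSBACKUP
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER')             AS session_user,
       SYS_CONTEXT('USERENV', 'AUTHENTICATED_IDENTITY')   AS who_logged_in
  FROM dual;

-- The point of the separation: dictionary and backup views are readable,
-- application tables are not, because SYSBACKUP lacks SELECT ANY TABLE.
SELECT COUNT(*) FROM v$datafile;          -- allowed: dictionary access
SELECT COUNT(*) FROM hr.employees;        -- not allowed: no SELECT ANY TABLE

-- Key-management operator: the only account that needs to touch the keystore.
-- CONNECT c##tde_op/"Tde#Pwd2014" AS SYSKM
SELECT wrl_type, wrl_parameter, status, wallet_type
  FROM v$encryption_wallet;
```

Run the grants once, then do every routine backup, Data Guard or keystore task from the matching operator account; SYSDBA stays reserved for the few tasks that really need it, and the audit trail then shows SYSBACKUP, SYSDG or SYSKM as the session user rather than SYS for everything.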
Creating Common and Local Roles
In a CDB, a common role is created in all containers (root, PDB_HR and PDB_SALES of container database CDB1):
SQL> CREATE ROLE c##r1 CONTAINER=ALL;
A local role is created in one single container:
SQL> CREATE ROLE l_role1;
Granting Common and Local Privileges
In a CDB, a common privilege is granted to a grantee in all containers (root, PDB_HR and PDB_SALES of container database CDB1):
SQL> GRANT create session TO c##dba2 CONTAINER=ALL;
A local privilege is granted to a grantee in one single container:
SQL> GRANT advisor TO u1;
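The authentication slide and the two slides on common and local roles and privileges each show one statement; the following added example (not from the slides) puts them together in one CDB and adds the dictionary queries that confirm where each user, role and grant actually exists. Container names PDB_HR and PDB_SALES come from the slides; the users c##app_admin and hr_reader, the roles c##monitor and hr_report, the passwords and the table hr.employees are assumptions made for the example.

```sql
-- Added example, not from the slides. Assumed: CDB1 with PDB_HR and PDB_SALES,
-- users c##app_admin / hr_reader, roles c##monitor / hr_report, hr.employees.
-- Run as SYS, starting in the root container.

-- 1. In CDB$ROOT: a common user and a common role. The C## prefix is
--    mandatory for common names; CONTAINER=ALL is the default in the root.
ALTER SESSION SET CONTAINER = CDB$ROOT;
CREATE USER c##app_admin IDENTIFIED BY "Str0ngPwd#2014" CONTAINER = ALL;
CREATE ROLE c##monitor CONTAINER = ALL;
GRANT SELECT ANY DICTIONARY TO c##monitor CONTAINER = ALL;

-- 2. Common privileges: one statement, effective in every container.
GRANT CREATE SESSION TO c##app_admin CONTAINER = ALL;
GRANT c##monitor     TO c##app_admin CONTAINER = ALL;

-- 3. Local user, local role and local grant: they exist only inside PDB_HR.
ALTER SESSION SET CONTAINER = PDB_HR;
CREATE USER hr_reader IDENTIFIED BY "L0calPwd#2014";
CREATE ROLE hr_report;
GRANT SELECT ON hr.employees TO hr_report;
GRANT CREATE SESSION, hr_report TO hr_reader;

-- 4. A common user may also hold a purely local privilege: this grant is
--    visible in PDB_HR only (CONTAINER=CURRENT is the default inside a PDB).
GRANT ADVISOR TO c##app_admin;

-- 5. Verification from the root. COMMON = YES marks common users, roles and
--    grants; CON_ID tells you in which container each row lives. CDB_ views
--    only list containers that are currently open.
ALTER SESSION SET CONTAINER = CDB$ROOT;
SELECT con_id, username, common
  FROM cdb_users
 WHERE username IN ('C##APP_ADMIN', 'HR_READER')
 ORDER BY con_id, username;

SELECT con_id, role, common
  FROM cdb_roles
 WHERE role IN ('C##MONITOR', 'HR_REPORT')
 ORDER BY con_id, role;

SELECT con_id, grantee, privilege, common
  FROM cdb_sys_privs
 WHERE grantee = 'C##APP_ADMIN'
 ORDER BY con_id, privilege;
```

In the last query the CREATE SESSION row for c##app_admin repeats in every container with COMMON = YES, while the ADVISOR row appears once, for PDB_HR's CON_ID, with COMMON = NO; that is the difference between a common and a local grant in the dictionary, and it is what you check when a review asks which privileges a common account really has in a given PDB.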
Controlling Backup Access Based on Privilege
Prevention: privileged user controls with the RMAN Virtual Private Catalog (VPC). On top of the one RMAN base catalog in which the databases are registered, each administrator gets a virtual catalog that exposes only the metadata of the databases granted to it. This enhances security by restricting access to metadata:
• Avoids the inadvertent or malicious destruction of catalog data for other databases
• Keeps a clear separation of duty between the administrators of the various databases
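The slide describes the VPC; the following added example (not from the slides) is the sequence of SQL and RMAN commands that sets one up and checks the separation. The catalog database RCAT, the base owner rco, the VPC owner vpc_sales, the database name SALES and the passwords are assumptions made for the example.

```sql
-- Added example, not from the slides. Assumed: catalog database RCAT, base
-- catalog owner rco, VPC owner vpc_sales who may see only database SALES.
-- SQL lines run in SQL*Plus on RCAT as SYS; lines marked RMAN> run in the
-- RMAN client.

-- 1. Base catalog: its owner sees every registered database.
CREATE USER rco IDENTIFIED BY "Rco#Pwd2014"
  DEFAULT TABLESPACE users QUOTA UNLIMITED ON users;
GRANT recovery_catalog_owner TO rco;
-- RMAN> CONNECT CATALOG rco/"Rco#Pwd2014"@rcat
-- RMAN> CREATE CATALOG;
-- then, connected TARGET to each database in turn:
-- RMAN> REGISTER DATABASE;

-- 2. Virtual catalog owner. CREATE SESSION is enough for 12.1 RMAN clients;
--    pre-12.1 clients need RECOVERY_CATALOG_OWNER instead.
CREATE USER vpc_sales IDENTIFIED BY "Vpc#Pwd2014";
GRANT CREATE SESSION TO vpc_sales;

-- 3. The base owner delegates exactly one database (its metadata only).
-- RMAN> CONNECT CATALOG rco/"Rco#Pwd2014"@rcat
-- RMAN> GRANT CATALOG FOR DATABASE sales TO vpc_sales;
--    GRANT REGISTER DATABASE TO vpc_sales; would additionally let vpc_sales
--    register new databases; leave it out for a pure backup operator.

-- 4. Pre-12.1 RMAN clients only: materialize the virtual catalog as vpc_sales.
-- RMAN> CONNECT CATALOG vpc_sales/"Vpc#Pwd2014"@rcat
-- RMAN> CREATE VIRTUAL CATALOG;

-- 5. Check the separation. Connected as vpc_sales, RMAN lists SALES and
--    nothing else: other registrations, their backup sets and their
--    restore points are invisible, so they cannot be changed or deleted.
-- RMAN> CONNECT CATALOG vpc_sales/"Vpc#Pwd2014"@rcat
-- RMAN> LIST DB_UNIQUE_NAME ALL;
-- RMAN> LIST INCARNATION;

-- 6. Taking the delegation away again, as the base owner:
-- RMAN> REVOKE CATALOG FOR DATABASE sales FROM vpc_sales;
```

The base catalog owner's password is the one credential that still sees everything, so treat rco like a SYSDBA account: nobody logs in with it for day-to-day backups, and every operator works through a VPC user that holds only its own databases.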
RMAN-Encrypted Backups
[Figure: RMAN reads the data files and writes encrypted backups to disk (Oracle Advanced Security; password-based or transparent, keystore-based encryption) or to tape through Oracle Secure Backup or a third-party media manager.]
Controlling Data Access Based on Label
Oracle Label Security (OLS):
• Lets you choose how information is partitioned virtually
• Classifies users and data using labels
• Creates labels based on business drivers
• Enforces row-level access control automatically, transparently to applications
• Uses labels as factors in other policies (Database Vault)
[Figure: transactions and report data flow into a reports table whose rows carry the labels Public, Confidential and Sensitive; OLS policies filter the reports each user sees.]
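The following is an added worked example (not from the slides) of the policy the figure sketches: three labels, Public, Confidential and Sensitive, on a reports table, and two users with different clearances. The policy name REPORT_POL, the table hr.reports, the users HR and ANALYST, and the level and label numbers are assumptions made for the example.

```sql
-- Added example, not from the slides. Assumed: OLS is installed and enabled
-- (as SYS: EXEC LBACSYS.CONFIGURE_OLS; EXEC LBACSYS.OLS_ENFORCEMENT.ENABLE_OLS;
-- then restart), users HR and ANALYST exist, and steps 1-4 run as LBACSYS.

-- 0. As HR: the table to protect. It has no label column; OLS adds one.
CREATE TABLE hr.reports (id NUMBER PRIMARY KEY, title VARCHAR2(80));

-- 1. Policy: one hidden label column, enforced on read and on write.
BEGIN
  SA_SYSDBA.CREATE_POLICY(
    policy_name     => 'REPORT_POL',
    column_name     => 'REPORT_LABEL',
    default_options => 'READ_CONTROL,WRITE_CONTROL,LABEL_DEFAULT');
END;
/
-- 2. Levels (higher number = more sensitive) and one label per level.
BEGIN
  SA_COMPONENTS.CREATE_LEVEL('REPORT_POL', 1000, 'PUB',  'Public');
  SA_COMPONENTS.CREATE_LEVEL('REPORT_POL', 2000, 'CONF', 'Confidential');
  SA_COMPONENTS.CREATE_LEVEL('REPORT_POL', 3000, 'SENS', 'Sensitive');
  SA_LABEL_ADMIN.CREATE_LABEL('REPORT_POL', 1010, 'PUB');
  SA_LABEL_ADMIN.CREATE_LABEL('REPORT_POL', 2010, 'CONF');
  SA_LABEL_ADMIN.CREATE_LABEL('REPORT_POL', 3010, 'SENS');
END;
/
-- 3. Attach the policy to the table; REPORT_LABEL is created automatically.
BEGIN
  SA_POLICY_ADMIN.APPLY_TABLE_POLICY(
    policy_name => 'REPORT_POL', schema_name => 'HR', table_name => 'REPORTS');
END;
/
-- 4. Clearances: maximum read label; max write and default label follow it.
BEGIN
  SA_USER_ADMIN.SET_USER_LABELS('REPORT_POL', 'HR',      'SENS');
  SA_USER_ADMIN.SET_USER_LABELS('REPORT_POL', 'ANALYST', 'CONF');
END;
/
GRANT SELECT ON hr.reports TO analyst;

-- 5. As HR (cleared to SENS): label every row explicitly.
INSERT INTO hr.reports (id, title, report_label)
  VALUES (1, 'Press release', CHAR_TO_LABEL('REPORT_POL', 'PUB'));
INSERT INTO hr.reports (id, title, report_label)
  VALUES (2, 'Q4 forecast',   CHAR_TO_LABEL('REPORT_POL', 'CONF'));
INSERT INTO hr.reports (id, title, report_label)
  VALUES (3, 'Merger target', CHAR_TO_LABEL('REPORT_POL', 'SENS'));
COMMIT;

-- 6. As ANALYST (cleared to CONF): the SQL is unchanged, but the SENS row
--    is filtered out before the result set is built. The application sees
--    rows 1 and 2 and has no way to tell that a third one exists.
SELECT id, title, LABEL_TO_CHAR(report_label) AS label
  FROM hr.reports
 ORDER BY id;
```

Two things to keep an eye on: the policy owner role REPORT_POL_DBA, created with the policy, is itself a privileged role and should be granted as sparingly as SYSDBA; and without WRITE_CONTROL a user could still update or delete rows it cannot read, which is why the example enables both controls.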
Oracle Audit Vault and Database Firewall
[Figure: users and applications reach the database through the Database Firewall, which can allow, log, alert, substitute or block SQL; firewall events and audit data from databases, OS, directory, file system and custom audit logs are collected by Audit Vault, whose policies feed built-in reports, custom reports and alerts for the security analyst and the auditor.]
A single solution: Oracle Audit Vault and Database Firewall
Oracle Data Redaction: Overview
• On-the-fly redaction based on username, IP address, application context, and other factors
• Transparent, consistent enforcement in the database
• High performance for production applications
• Appropriate for call centers, decision support systems, and systems with PII, PHI, and PCI data
[Figure: a query (SELECT creditcard_no FROM ...) is executed against the sensitive data 5105-1051-0510-5100, 5111-1111-1111-1118 and 5454-5454-5454-5454; the redaction policy is enforced and the redacted values XXXX-XXXX-XXXX-5100, XXXX-XXXX-XXXX-1118 and XXXX-XXXX-XXXX-5454 are returned.]
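The following is an added worked example (not from the slides) of the policy behind that figure: partial redaction that keeps the last four digits, applied to everyone who does not hold a viewing role. The table hr.customers, the role cc_fullview, the user agent1 and the sample rows are assumptions made for the example; the card numbers are the ones shown on the slide.

```sql
-- Added example, not from the slides. Assumed objects: table hr.customers
-- with a CREDITCARD_NO column, role cc_fullview for the few users who may
-- see full numbers, and a call-center user agent1 who may not. ADD_POLICY
-- needs EXECUTE on DBMS_REDACT (SYS, or a security admin granted it).

CREATE TABLE hr.customers (
  cust_id       NUMBER PRIMARY KEY,
  name          VARCHAR2(60),
  creditcard_no VARCHAR2(19)      -- 16 digits in four groups, dash separated
);
INSERT INTO hr.customers VALUES (1, 'A. Smith', '5105-1051-0510-5100');
INSERT INTO hr.customers VALUES (2, 'B. Jones', '5111-1111-1111-1118');
INSERT INTO hr.customers VALUES (3, 'C. Brown', '5454-5454-5454-5454');
COMMIT;

CREATE ROLE cc_fullview;
GRANT SELECT ON hr.customers TO agent1;

-- Partial redaction. For a character column function_parameters reads
-- "input format, output format, mask char, first V to mask, last V to mask":
-- V = a digit position, F = a fixed character (the dash) copied through.
-- Masking V positions 1..12 leaves the last four digits visible.
BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema       => 'HR',
    object_name         => 'CUSTOMERS',
    policy_name         => 'CC_REDACT',
    column_name         => 'CREDITCARD_NO',
    function_type       => DBMS_REDACT.PARTIAL,
    function_parameters => 'VVVVFVVVVFVVVVFVVVV,VVVV-VVVV-VVVV-VVVV,X,1,12',
    -- the policy fires in every session where the expression is TRUE,
    -- i.e. whenever cc_fullview is not enabled (SYS_SESSION_ROLES is 12c)
    expression          => 'SYS_CONTEXT(''SYS_SESSION_ROLES'',''CC_FULLVIEW'') = ''FALSE''',
    enable              => TRUE);
END;
/

-- Dictionary check: what is redacted, for whom, and whether it is enabled.
SELECT object_owner, object_name, policy_name, expression, enable
  FROM redaction_policies;
SELECT object_name, column_name, function_type, function_parameters
  FROM redaction_columns;

-- As agent1 (no cc_fullview) the query from the slide now yields values of
-- the form XXXX-XXXX-XXXX-5100; a session with cc_fullview enabled gets the
-- stored numbers.
-- CONNECT agent1/...
SELECT creditcard_no FROM hr.customers;

-- Limits to keep in mind:
--  * SYS and holders of EXEMPT REDACTION POLICY bypass every policy.
--  * Only the result set is redacted, not the stored value and not the WHERE
--    clause, so an ad-hoc user can still test for equality and infer digits:
SELECT cust_id FROM hr.customers WHERE creditcard_no = '5105-1051-0510-5100';
--    Pair redaction with auditing of the column and with restricted SQL
--    access; it protects application screens, not the data from DBAs.
```

The dashes survive because the input format marks them as F positions; if the column stores bare 16-digit strings the format strings shrink to sixteen V characters and the mask range stays 1 to 12.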
Auditing and Alerting in Real-Time
Oracle Audit Vault:
• Streamlines database auditing
• Powerful detection of and alerting on suspicious activities
• Out-of-the-box compliance and custom reports
• Consolidated multi-source reporting
• Built-in segregation of duties
• Centralized secure repository
[Figure: audit data and event logs from databases, OS and storage, directories and custom sources pass through Audit Vault policies into built-in reports, custom reports and alerts for the security analyst and the auditor.]
Auditing and Reporting: Oracle Audit Vault, Unified Audit, Fine-Grained Audit
Fine-Grained Auditing
Fine-Grained Auditing (FGA):
• Monitors data access based on content
• Audits SELECT and DML statements
• May fire an event handler procedure
[Figure: users and applications access secured audited columns; the FGA policy writes audit data for the security officer and can call an event handler; the policy's configuration options determine when it fires.]
Auditing and Reporting: Oracle Audit Vault, Unified Audit, Fine-Grained Audit
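The following is an added worked example (not from the slides) of the three bullets above in one policy: it fires on content (rows outside one department), only when a sensitive column is touched, for SELECT and UPDATE, and it calls a handler. The table hr.employees with its columns, department id 40, the schema sec_admin and the alert table are assumptions made for the example.

```sql
-- Added example, not from the slides. Assumed: hr.employees with SALARY,
-- COMMISSION_PCT and DEPARTMENT_ID (HR's own department is id 40), a schema
-- sec_admin with EXECUTE on DBMS_FGA, and unified auditing enabled.

-- Alert table written by the handler.
CREATE TABLE sec_admin.fga_alerts (
  alert_time  TIMESTAMP,
  db_user     VARCHAR2(128),
  os_user     VARCHAR2(128),
  client_host VARCHAR2(128),
  policy_name VARCHAR2(128),
  sql_text    VARCHAR2(4000)
);

-- Event handler: the three-argument signature is fixed by DBMS_FGA. It runs
-- inside the audited statement, so keep it short, and make its write
-- autonomous so the alert survives a rollback of the user's transaction.
CREATE OR REPLACE PROCEDURE sec_admin.salary_fga_handler (
  object_schema VARCHAR2,
  object_name   VARCHAR2,
  policy_name   VARCHAR2)
AS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  INSERT INTO sec_admin.fga_alerts
  VALUES (SYSTIMESTAMP,
          SYS_CONTEXT('USERENV', 'SESSION_USER'),
          SYS_CONTEXT('USERENV', 'OS_USER'),
          SYS_CONTEXT('USERENV', 'HOST'),
          policy_name,
          SYS_CONTEXT('USERENV', 'CURRENT_SQL'));  -- the statement that fired
  COMMIT;
END;
/

-- Policy: content based (rows outside department 40), column based (fires
-- only if SALARY or COMMISSION_PCT is referenced), SELECT and UPDATE only.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema     => 'HR',
    object_name       => 'EMPLOYEES',
    policy_name       => 'AUDIT_SALARY_READS',
    audit_condition   => 'DEPARTMENT_ID <> 40',
    audit_column      => 'SALARY,COMMISSION_PCT',
    audit_column_opts => DBMS_FGA.ANY_COLUMNS,
    handler_schema    => 'SEC_ADMIN',
    handler_module    => 'SALARY_FGA_HANDLER',
    enable            => TRUE,
    statement_types   => 'SELECT,UPDATE',
    audit_trail       => DBMS_FGA.DB + DBMS_FGA.EXTENDED);  -- ignored under unified auditing
END;
/

-- Where the records go. With unified auditing, FGA records land in
-- UNIFIED_AUDIT_TRAIL tagged with FGA_POLICY_NAME; 12.1 queues them in
-- memory first, so flush before querying.
EXEC DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL;
SELECT event_timestamp, dbusername, fga_policy_name, sql_text
  FROM unified_audit_trail
 WHERE fga_policy_name = 'AUDIT_SALARY_READS'
 ORDER BY event_timestamp DESC;
-- (Without unified auditing the same rows appear in DBA_FGA_AUDIT_TRAIL.)

-- Disable rather than drop while an investigation is open; the policy stays
-- listed in DBA_AUDIT_POLICIES.
EXEC DBMS_FGA.DISABLE_POLICY('HR', 'EMPLOYEES', 'AUDIT_SALARY_READS');
```

The audit condition is evaluated per row, so a report that touches only department 40 produces no record at all, while a single SELECT of one other employee's salary produces one record and one alert row; that selectivity is what keeps the trail readable compared with object-level AUDIT SELECT ON hr.employees.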
Enforcing Security at Different Levels
Network Security: encryption (sqlnet.ora), listener security; firewalls between the clients, the web/application server and the database
User Authentication: basic, strong, proxy; centralized with LDAP/EUS
Database Access: Database Firewall
Authorization & Access Control (example: the HR.EMP table): privileges; views, VPD, OLS; Database Vault, Audit Vault; VPC
Confidentiality: Data Masking, Data Redaction, TSDP; TDE, Data Pump with TDE, DBMS_CRYPTO; RMAN with TDE, Oracle Secure Backup
Auditing and integrity: constraints, triggers; unified audit, FGA; Audit Vault; LogMiner; temporal history; compliance standards
Thank you for your time. Hamburg, 10 February 2015
Jan-Peter Timmermann, PITSS [email protected]