Oracle Database Security Risk Assessment - Stefan's blog
Oracle Database Security Risk Assessment - Highly Confidential

Assessment Date & Time

Date of Data Collection   Date of Report            Reporter Version
------------------------  ------------------------  ---------------------------
Wed Feb 01 2017 22:18:00  Wed Feb 01 2017 22:22:18  1.0.2 (October 2016) - 7409

Database Identity

Name  Platform  Database Role  Log Mode  Created  Container Database  Container ID  Container Name
----  --------  -------------  --------  -------  ------------------  ------------  --------------

Basic Information

Item                                   ID              Status            Result
-------------------------------------  --------------  ----------------  ------
Database Version                                                         Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production
                                                                         Security options used: (none)
Patch Check                            INFO.PATCH      Severe Risk       Latest Oracle Database PSU not found.

Security Features

Feature                                 Currently Used
-------------------------------------   --------------
AUTHORIZATION CONTROL
  Database Vault                        No
  Privilege Analysis                    No
DATA ENCRYPTION
  Column Encryption                     No
  Tablespace Encryption                 No
  Network Encryption                    No
FINE-GRAINED ACCESS CONTROL
  Data Redaction                        No
  Virtual Private Database              Yes
  Real Application Security             No
  Label Security                        No
  Transparent Sensitive Data Protection No
AUDITING
  Traditional Audit                     Yes
  Fine Grained Audit                    No
  Unified Audit                         Yes
USER AUTHENTICATION
  External Authentication               No
  Global Authentication                 No
User Accounts

Item                                   ID              Status            Result
-------------------------------------  --------------  ----------------  ------
User Accounts in SYSTEM or SYSAUX      USER.TBLSPACE   Pass              No user uses SYSTEM or SYSAUX tablespace.
  Tablespace
Sample Schemas                         USER.SAMPLE     Pass              No sample schemas found.
Inactive Users                         USER.INACTIVE   Some Risk         Found 2 unlocked users inactive for more than 30 days.
User Accounts
    User Name  Status  Profile  Tablespace  Predefined  Type
    ---------  ------  -------  ----------  ----------  --------
    DBSNMP     OPEN    DEFAULT  SYSAUX      Yes         PASSWORD
    SYS        OPEN    DEFAULT  SYSTEM      Yes         PASSWORD
    SYSTEM     OPEN    DEFAULT  SYSTEM      Yes         PASSWORD
Case-Sensitive Passwords               USER.CASE       Pass              Case-sensitive passwords are used.
Users with Expired Passwords           USER.EXPIRED    Pass              No unlocked users with password expired for more than 30 days found.
Users with Default Passwords           USER.DEFPWD     Severe Risk       Found 1 unlocked user account with default password.
Minimum Client Authentication Version  USER.AUTHVERS   Some Risk         Minimum client version is not configured correctly.
Password Verifiers                     USER.VERIFIER   Pass              All user accounts support the latest password version. No user accounts have HTTP verifiers.
Users with Unlimited Password Lifetime USER.NOEXPIRE   Pass              Password expiration is configured for all users.
User Profiles
    Profile Name      Resource                  Value
    ----------------  ------------------------  -----------------------------
    DEFAULT           (Number of Users)         3
    DEFAULT           CONNECT_TIME              UNLIMITED
    DEFAULT           FAILED_LOGIN_ATTEMPTS     10
    DEFAULT           IDLE_TIME                 UNLIMITED
    DEFAULT           PASSWORD_GRACE_TIME       7
    DEFAULT           PASSWORD_LIFE_TIME        180
    DEFAULT           PASSWORD_LOCK_TIME        1
    DEFAULT           PASSWORD_REUSE_MAX        UNLIMITED
    DEFAULT           PASSWORD_REUSE_TIME       UNLIMITED
    DEFAULT           PASSWORD_VERIFY_FUNCTION  NULL
    ORA_STIG_PROFILE  (Number of Users)         0
    ORA_STIG_PROFILE  CONNECT_TIME              UNLIMITED (DEFAULT)
    ORA_STIG_PROFILE  FAILED_LOGIN_ATTEMPTS     3
    ORA_STIG_PROFILE  IDLE_TIME                 15
    ORA_STIG_PROFILE  PASSWORD_GRACE_TIME       5
    ORA_STIG_PROFILE  PASSWORD_LIFE_TIME        60
    ORA_STIG_PROFILE  PASSWORD_LOCK_TIME        UNLIMITED
    ORA_STIG_PROFILE  PASSWORD_REUSE_MAX        10
    ORA_STIG_PROFILE  PASSWORD_REUSE_TIME       365
    ORA_STIG_PROFILE  PASSWORD_VERIFY_FUNCTION  ORA12C_STRONG_VERIFY_FUNCTION
Users with Unlimited Failed Login      USER.NOLOCK     Pass              No users have unlimited failed login attempts.
  Attempts
Password Verification Functions        USER.PASSWD     Significant Risk  Found 3 users not using password verification function.
Privileges and Roles

Item                                   ID              Status            Result
-------------------------------------  --------------  ----------------  ------
All System Privileges                  PRIV.SYSTEM     Evaluate          234 grants of system privileges
All Roles                              PRIV.ROLES      Evaluate          30 grants of roles
Account Management Privileges          PRIV.ACCT       Evaluate          16 grants of account management privileges
Privilege Management Privileges        PRIV.MGMT       Evaluate          32 grants of privilege management privileges
Audit Management Privileges            PRIV.AUDIT      Evaluate          10 grants of audit privilege
Data Access Privileges                 PRIV.DATA       Evaluate          52 grants of data access privileges
Access Control Exemption Privileges    PRIV.EXEMPT     Evaluate          3 grants of access control exemption privileges
Access to Password Verifier Tables     PRIV.PASSWD     Evaluate          8 grants of object privileges on restricted objects
Access to Restricted Objects           PRIV.OBJ        Evaluate          66 grants of object privileges on restricted objects
User Impersonation                     PRIV.USER       Pass              No grants of EXECUTE on restricted packages
Data Exfiltration                      PRIV.EXFIL      Pass              No grants of EXECUTE on restricted packages
System Privileges Granted to PUBLIC    PRIV.SYSPUB     Pass              No grants of system privileges to PUBLIC
Roles Granted to PUBLIC                PRIV.ROLEPUB    Pass              No grants of roles to PUBLIC
Column Privileges Granted to PUBLIC    PRIV.COLPUB     Pass              No grants of column privileges to PUBLIC
DBA Role                               PRIV.DBA        Evaluate          1 grant of DBA role
Other Powerful Roles                   PRIV.BIGROLES   Evaluate          9 grants of powerful roles (1 with admin option)
Java Permissions                       PRIV.JAVA       Evaluate          Found 4 users or roles with Java permission.
Users with Administrative Privileges   PRIV.ADMIN      Some Risk         Found 1 user granted administrative privileges. Found 3 administrative privileges not granted to any user.
Authorization Control

Item                                   ID              Status            Result
-------------------------------------  --------------  ----------------  ------
Database Vault                         AUTH.DV         Opportunity       Database Vault is not enabled.
Privilege Analysis                     AUTH.PRIV       Opportunity       No privilege analysis policies found.
Data Encryption

Item                                   ID              Status            Result
-------------------------------------  --------------  ----------------  ------
Transparent Data Encryption            CRYPT.TDE       Opportunity       No encrypted tablespaces found. No encrypted columns found.
Encryption Key Wallet                  CRYPT.WALLET    Evaluate          Found 1 wallet. No wallets are stored in the data file directory.
Fine-Grained Access Control

Item                                   ID              Status            Result
-------------------------------------  --------------  ----------------  ------
Data Redaction                         ACCESS.REDACT   Opportunity       No data redaction policies found.
Virtual Private Database               ACCESS.VPD      Evaluate          Found 1 VPD policy protecting 51 objects.
Real Application Security              ACCESS.RAS      Opportunity       No RAS policies found.
Label Security                         ACCESS.OLS      Opportunity       Label Security is not enabled.
Transparent Sensitive Data Protection  ACCESS.TSDP     Opportunity       No sensitive types and columns found. Found 0 TSDP policies.
Auditing

Item                                   ID              Status            Result
-------------------------------------  --------------  ----------------  ------
Audit Records                          AUDIT.RECORDS   Evaluate          Examined 3 audit trails. Found records in 1 audit trail. No errors found in audit initialization parameters.
Statement Audit                        AUDIT.STMT      Evaluate          Auditing enabled for 17 statements.
Object Audit                           AUDIT.OBJ       Evaluate          Auditing enabled for 223 objects.
Privilege Audit                        AUDIT.PRIV      Evaluate          Auditing enabled for 29 privileges.
Administrative User Audit              AUDIT.ADMIN     Pass              Actions of the SYS user are audited.
Privilege Management Audit             AUDIT.PRIVMGMT  Pass              Actions related to privilege management are sufficiently audited.
Account Management Audit               AUDIT.ACCTMGMT  Pass              Actions related to account management are sufficiently audited.
Database Management Audit              AUDIT.DBMGMT    Significant Risk  Actions related to database management are not sufficiently audited.
Privilege Usage Audit                  AUDIT.PRIVUSE   Significant Risk  Usages of powerful system privileges are not sufficiently audited.
Database Connection Audit              AUDIT.CONN      Pass              Database connections are sufficiently audited.
Fine Grained Audit                     AUDIT.FGA       Opportunity       No fine grained audit policies found.
Unified Audit                          AUDIT.UNIFIED   Evaluate          Found 8 unified audit policies. Found 47 objects or statements being audited.
Database Configuration

Item                                   ID              Status            Result
-------------------------------------  --------------  ----------------  ------
Initialization Parameters for Security
    Name                               Value
    ---------------------------------  --------------------------------
    AUDIT_FILE_DEST                    /u01/app/oracle/admin/orcl/adump
    AUDIT_SYSLOG_LEVEL
    AUDIT_SYS_OPERATIONS               TRUE
    AUDIT_TRAIL                        DB
    COMPATIBLE                         12.1.0.2.0
    DBFIPS_140                         FALSE
    DISPATCHERS                        (PROTOCOL=TCP) (SERVICE=orclXDB)
    GLOBAL_NAMES                       FALSE
    LDAP_DIRECTORY_ACCESS              NONE
    LDAP_DIRECTORY_SYSAUTH             no
    O7_DICTIONARY_ACCESSIBILITY        FALSE
    OS_AUTHENT_PREFIX                  ops$
    OS_ROLES                           FALSE
    PDB_LOCKDOWN
    PDB_OS_CREDENTIAL
    REMOTE_LISTENER
    REMOTE_LOGIN_PASSWORDFILE          EXCLUSIVE
    REMOTE_OS_AUTHENT                  FALSE
    REMOTE_OS_ROLES                    FALSE
    RESOURCE_LIMIT                     TRUE
    SEC_CASE_SENSITIVE_LOGON           TRUE
    SEC_MAX_FAILED_LOGIN_ATTEMPTS      3
    SEC_PROTOCOL_ERROR_FURTHER_ACTION  (DROP,3)
    SEC_PROTOCOL_ERROR_TRACE_ACTION    TRACE
    SEC_RETURN_SERVER_RELEASE_BANNER   FALSE
    SQL92_SECURITY                     FALSE
    UNIFIED_AUDIT_SGA_QUEUE_SIZE       1048576
    UTL_FILE_DIR
Access to Dictionary Objects           CONF.SYSOBJ     Pass              Access to dictionary objects is properly limited.
Inference of Table Data                CONF.INFER      Significant Risk  UPDATE and DELETE statements can be used to infer data values.
Network Communications                 CONF.NETCOM     Pass              Examined 3 initialization parameters. No issues found.
External Authorization                 CONF.EXTAUTH    Pass              Examined 2 initialization parameters. No issues found.
File System Access                     CONF.FILESYS    Pass              Examined 1 initialization parameter. No issues found.
Triggers                               CONF.TRIG       Pass              No logon triggers found. No disabled triggers found.
Disabled Constraints                   CONF.CONST      Pass              No disabled constraints found.
External Procedures                    CONF.EXTPROC    Evaluate          Found 3 external procedures. No external services found.
Directory Objects                      CONF.DIR        Evaluate          Found 10 directory objects. No directory objects allow access to restricted Oracle directory paths. No directory objects allow both write and execute access.
Database Links                         CONF.LINKS      Pass              No database links found.
Network Access Control                 CONF.NETACL     Evaluate          Found 1 network ACL.
XML Database Access Control            CONF.XMLACL     Evaluate          Found 9 XML Database ACLs.
Network Configuration

Item                                   ID              Status            Result
-------------------------------------  --------------  ----------------  ------
Network Encryption                     NET.CRYPT       Significant Risk  Native encryption is partially enabled. Integrity check using checksums is partially enabled.
Client Nodes                           NET.CLIENTS     Significant Risk  Valid node check is not enabled. Neither TCP.INVITED_NODES nor TCP.EXCLUDED_NODES is set.
SQLNET Banners                         NET.BANNER      Some Risk         Connect banners are not fully configured.
Network Listener Configuration         NET.COST        Significant Risk  Examined 1 listener. Found 1 listener not configured properly.
Listener Logging Control               NET.LISTENLOG   Pass              Examined 1 listener. Found 0 listeners not configured properly.
Operating System

Item                                   ID              Status            Result
-------------------------------------  --------------  ----------------  ------
OS Authentication                      OS.AUTH         Evaluate          1 OS user can connect to the database via OS authentication.
Process Monitor Process                OS.PMON         Pass              Found 1 PMON process. The owner of the PMON process matches the ORACLE_HOME owner.
Agent Processes                        OS.AGENT        Some Risk         Some Agent process owners overlap with Listener or PMON process owners.
Listener Processes                     OS.LISTEN       Some Risk         Found 1 Listener process. Some Listener process owners overlap with Agent or PMON process owners.
This report is focused on detecting areas of potential security vulnerabilities or misconfigurations and providing recommendations on how to mitigate those potential vulnerabilities.

The report provides a view on the current status. These recommendations are provided for informational purposes only and should not be used as a substitute for a thorough analysis or interpreted to contain any legal or regulatory advice or guidance.

You are solely responsible for your system, and the data and information gathered during the production of this report. You are also solely responsible for the execution of software to produce this report, and for the effect and results of the execution of any mitigating actions identified herein.

Oracle provides this analysis on an "as is" basis without warranty of any kind and Oracle hereby disclaims all warranties and conditions whether express, implied or statutory.
Remarks

Basic Information

Patch Check (INFO.PATCH): It is vital to keep the database software up-to-date with security fixes as they are released. Oracle issues Patch Set Updates (PSU) on a regular quarterly schedule. These updates should be applied as soon as they are available. For releases prior to Oracle Database 12c, quarterly updates may be delivered by patches not marked as PSUs.
User Accounts

User Accounts in SYSTEM or SYSAUX Tablespace (USER.TBLSPACE): The SYSTEM and SYSAUX tablespaces are reserved for Oracle-supplied user accounts. To avoid a possible denial of service caused by exhausting these resources, regular user accounts should not use these tablespaces. Prior to Oracle Database 12.2, the SYSTEM tablespace cannot be encrypted, and this is another reason to avoid user schemas in this tablespace.

Sample Schemas (USER.SAMPLE): Sample schemas are well-known accounts provided by Oracle to serve as simple examples for developers. They generally serve no purpose in a production database and should be removed because they unnecessarily increase the attack surface of the database.

Inactive Users (USER.INACTIVE): If a user account is no longer in use, it increases the attack surface of the system unnecessarily while providing no corresponding benefit. Furthermore, unauthorized use is less likely to be noticed when no one is regularly using the account. Accounts that have been unused for more than 30 days should be investigated to determine whether they should remain active.

Case-Sensitive Passwords (USER.CASE): Case-sensitive passwords are recommended because including both upper and lower-case letters greatly increases the set of possible passwords that must be searched by an attacker who is attempting to guess a password by exhaustive search. Setting SEC_CASE_SENSITIVE_LOGON to TRUE ensures that the database distinguishes between upper and lower-case letters in passwords.

Users with Expired Passwords (USER.EXPIRED): Password expiration is used to ensure that users change their passwords on a regular basis. If a user's password has been expired for more than 30 days, it indicates that the user has not logged in for at least that long. Accounts that have been unused for an extended period of time should be investigated to determine whether they should remain active.

Users with Default Passwords (USER.DEFPWD): Default account passwords for predefined Oracle accounts are well known. Open accounts with default passwords provide a trivial means of entry for attackers, but well-known passwords should be changed for locked accounts as well.

Minimum Client Authentication Version (USER.AUTHVERS): Over time, Oracle releases have added support for increasingly secure versions of the algorithm used for password authentication of user accounts. In order to remain compatible with older client software, the database continues to support previous password versions as well. The sqlnet.ora parameter ALLOWED_LOGON_VERSION_SERVER determines the minimum password version that the database will accept. For maximum security, this parameter should be set to the highest value supported by the database once all client systems have been upgraded.

Password Verifiers (USER.VERIFIER): For each user account, the database may store multiple verifiers, which are hashes of the user password. Each verifier supports a different version of the password authentication algorithm. Every user account should include a verifier for the latest password version supported by the database so that the user can be authenticated using the latest algorithm supported by the client. When all clients have been updated, the security of user accounts can be improved by removing the obsolete verifiers. HTTP password verifiers are used for XML Database authentication. Use the ALTER USER command to remove these verifiers from user accounts that do not require this access.

Users with Unlimited Password Lifetime (USER.NOEXPIRE): Password expiration is used to ensure that users change their passwords on a regular basis. Passwords that never expire may remain unchanged for an extended period of time. When passwords do not have to be changed regularly, users are also more likely to use the same passwords for multiple accounts.

Users with Unlimited Failed Login Attempts (USER.NOLOCK): Attackers sometimes attempt to guess a user's password by simply trying all possibilities from a set of common passwords. To defend against this attack, it is advisable to lock a user account when there are multiple failed login attempts without a successful login.

Password Verification Functions (USER.PASSWD): Password verification functions are used to ensure that user passwords meet minimum requirements for complexity, which may include factors such as length, use of numbers or punctuation characters, difference from previous passwords, etc. Oracle supplies several predefined functions, or a custom PL/SQL function can be used. Every user profile should include a password verification function.
Privileges and Roles

All System Privileges (PRIV.SYSTEM): System privileges provide the ability to access data or perform administrative operations for the entire database. Consistent with the principle of least privilege, these privileges should be granted sparingly. The Privilege Analysis feature of Database Vault may be helpful to determine the minimum set of privileges required by a user or role. In some cases, it may be possible to substitute a more limited object privilege grant in place of a system privilege grant that applies to all objects. System privileges should be granted with admin option only when the recipient needs the ability to grant the privilege to others.

All Roles (PRIV.ROLES): Roles are a convenient way to manage groups of related privileges, especially when the privileges are required for a particular task or job function. Beware of broadly defined roles, which may confer more privileges than an individual recipient requires. Roles should be granted with admin option only when the recipient needs the ability to modify the role or grant it to others.

Account Management Privileges (PRIV.ACCT): User management privileges (ALTER USER, CREATE USER, DROP USER) can be used to create and modify other user accounts, including changing passwords. This power can be abused to gain access to another user's account, which may have greater privileges.

Privilege Management Privileges (PRIV.MGMT): Users with privilege management privileges (ALTER ANY ROLE, CREATE ROLE, DROP ANY ROLE, GRANT ANY OBJECT PRIVILEGE, GRANT ANY PRIVILEGE, GRANT ANY ROLE) can change the set of privileges granted to themselves and other users. This ability should be granted sparingly, since it can be used to circumvent many security controls in the database.

Audit Management Privileges (PRIV.AUDIT): Audit management privileges (AUDIT ANY, AUDIT SYSTEM) can be used to change the audit policies for the database. This ability should be granted sparingly, since it may be used to hide malicious activity.

Data Access Privileges (PRIV.DATA): Users with data access privileges (ALTER ANY TABLE, ALTER ANY TRIGGER, CREATE ANY INDEX, CREATE ANY PROCEDURE, CREATE ANY TRIGGER, DELETE ANY TABLE, INSERT ANY TABLE, READ ANY TABLE, SELECT ANY DICTIONARY, SELECT ANY TABLE, UPDATE ANY TABLE) can override various access controls on data. Most administrative tasks do not require access to the data itself, so these privileges should be granted rarely even to administrators. In addition to minimizing grants of these privileges, consider the use of Database Vault realms to limit the use of these privileges to access sensitive data.

Access Control Exemption Privileges (PRIV.EXEMPT): Users with exemption privileges (EXEMPT ACCESS POLICY, EXEMPT REDACTION POLICY) can bypass the access control policies created using Virtual Private Database and Data Redaction. Most administrative tasks do not require access to the data itself, so these privileges should be granted rarely even to administrators.

Access to Password Verifier Tables (PRIV.PASSWD): Users with these privileges can access objects that contain user password verifiers. The verifiers can be used in offline attacks to discover user passwords.

Access to Restricted Objects (PRIV.OBJ): Users with these privileges can directly modify objects in the SYS, DVSYS, or LBACSYS schemas. Manipulating these system objects may allow security protections to be circumvented or otherwise interfere with normal operation of the database.

User Impersonation (PRIV.USER): These PL/SQL packages (DBMS_SCHEDULER, DBMS_SYS_SQL) allow for execution of SQL code or external jobs using the identity of a different user. Access should be strictly limited and granted only to users with a legitimate need for this functionality.

Data Exfiltration (PRIV.EXFIL): These PL/SQL packages (DBMS_BACKUP_RESTORE) can send data from the database using the network or file system. Access should be granted only to users with a legitimate need for this functionality.

System Privileges Granted to PUBLIC (PRIV.SYSPUB): Privileges granted to PUBLIC are available to all users. This generally should include few, if any, system privileges since these will not be needed by ordinary users who are not administrators.

Roles Granted to PUBLIC (PRIV.ROLEPUB): Roles granted to PUBLIC are available to all users. Most roles contain privileges that are not appropriate for all users.

Column Privileges Granted to PUBLIC (PRIV.COLPUB): Privileges granted to PUBLIC are available to all users. This should include column privileges only for data that is intended to be accessible to everyone.

DBA Role (PRIV.DBA): The DBA role is very powerful and can be used to bypass many security protections. It should be granted to only a small number of trusted administrators. Furthermore, each trusted user should have an individual account for accountability reasons. As with any powerful role, avoid granting the DBA role with admin option unless absolutely necessary.

Other Powerful Roles (PRIV.BIGROLES): Like the DBA role, these roles (AQ_ADMINISTRATOR_ROLE, EM_EXPRESS_ALL, EXP_FULL_DATABASE, IMP_FULL_DATABASE, OEM_MONITOR) contain powerful privileges that can be used to bypass security protections. They should be granted only to a small number of trusted administrators.

Java Permissions (PRIV.JAVA): Java permission grants control the ability of database users to execute Java classes within the database server. A database user executing Java code must have both Java security permissions and database privileges to access resources within the database. These resources include database resources, such as tables and PL/SQL packages, operating system resources, such as files and sockets, Oracle JVM classes, and user-loaded classes. Make sure that these permissions are limited to the minimum required by each user.

Users with Administrative Privileges (PRIV.ADMIN): Administrative privileges allow a user to perform maintenance operations, including some that may occur while the database is not open. The SYSDBA privilege allows the user to run as SYS and perform virtually all privileged operations. Starting with Oracle Database 12.1, less powerful administrative privileges were introduced to allow users to perform common administrative tasks with less than full SYSDBA privileges. To achieve the benefit of this separation of duty, each of these administrative privileges should be granted to at least one user account.
Authorization Control

Database Vault (AUTH.DV): Database Vault provides for configurable policies to control the actions of privileged administrative users, in order to protect against insider threats, stolen credentials, and human error. Data realms prevent unauthorized access to sensitive data objects, even by users with system privileges. Command rules limit the SQL commands and options that administrators can execute.

Privilege Analysis (AUTH.PRIV): Privilege Analysis records the privileges used during a real or simulated workload. After collecting data about the privileges that are actually used, this information can be used to revoke privilege grants that are no longer needed.
Data Encryption

Transparent Data Encryption (CRYPT.TDE): Encryption of some sensitive data is a requirement in certain regulated environments. Transparent Data Encryption automatically encrypts data as it is stored and decrypts it upon retrieval. This protects sensitive data from attacks that bypass the database to read data files directly. Encryption keys may be stored in wallets on the database server itself, or stored remotely in Oracle Key Vault for improved security.

Encryption Key Wallet (CRYPT.WALLET): Wallets are encrypted files used to store encryption keys, passwords, and other sensitive data. Wallet files should not be stored in the same directory with database data files, to avoid accidentally creating backups that include both encrypted data files and the wallet containing the master key protecting those files. For maximum separation of keys and data, consider storing encryption keys in Oracle Key Vault instead of wallet files.
Fine-Grained Access Control

Data Redaction (ACCESS.REDACT): Data Redaction automatically masks sensitive data found in the results of a database query. The data is masked immediately before it is returned as part of the result set, so it does not interfere with any conditions specified as part of the query. Access by users with the EXEMPT REDACTION POLICY privilege will not be affected by the redaction policy. Users who can execute the DBMS_REDACT package are able to create and modify redaction policies. Also consider the use of Oracle Data Masking and Subsetting to permanently mask sensitive data when making copies for test or development use.

Virtual Private Database (ACCESS.VPD): Virtual Private Database (VPD) allows for fine-grained control over which rows and columns of a table are visible to a SQL statement. Access control using VPD limits each database session to only the specific data it should be able to access. Access by users with the EXEMPT ACCESS POLICY privilege will not be affected by VPD policies. Users who can execute the DBMS_RLS package are able to create and modify these policies.

Real Application Security (ACCESS.RAS): Like Virtual Private Database, Real Application Security (RAS) provides fine-grained control over the rows and columns of a table that are visible to a SQL statement. Specification of RAS data access policies uses a declarative syntax based on access control lists. Access by users with the EXEMPT ACCESS POLICY privilege will not be affected by RAS access policies. Users with ADMIN_SEC_POLICY and APPLY_SEC_POLICY privileges are able to create and modify these policies.

Label Security (ACCESS.OLS): Oracle Label Security provides the ability to tag data with a data label or a data classification. Access to sensitive data is controlled by comparing the data label with the requesting user's label or security clearance. A user label or security clearance can be thought of as an extension to standard database privileges and roles. Access by users with the EXEMPT ACCESS POLICY privilege will not be affected by the Label Security policies. Each policy has a corresponding role; users who have this role are able to administer the policy.

Transparent Sensitive Data Protection (ACCESS.TSDP): Transparent Sensitive Data Protection (TSDP), introduced in Oracle Database 12.1, allows a data type to be associated with each column that contains sensitive data. TSDP can then apply various data security features to all instances of a particular type so that protection is uniform and consistent. Data from columns marked as sensitive is also automatically redacted in the database audit trail and trace logs. Users who can execute the DBMS_TSDP_MANAGE and DBMS_TSDP_PROTECT packages are able to manage sensitive data types and the protection actions that are applied to them.
Auditing

Audit Records (AUDIT.RECORDS): Auditing is an essential component for securing any system. The audit trail allows for monitoring the activities of highly privileged users. For any attack that exploits gaps in other security policies, auditing cannot prevent the attack but it forms the critical last line of defense by detecting the malicious activity. Sending audit data to a remote system is recommended in order to prevent any possible tampering with the audit records. The AUDIT_SYSLOG_LEVEL parameter can be set to send an abbreviated version of some audit records to a remote syslog collector. A better solution is to use Oracle Audit Vault and Database Firewall to centrally collect full audit records from multiple databases.

Statement Audit (AUDIT.STMT): This finding shows the SQL statements that are audited by enabled audit policies.

Object Audit (AUDIT.OBJ): This finding shows the object accesses that are audited by enabled audit policies.

Privilege Audit (AUDIT.PRIV): This finding shows the privileges that are audited by enabled audit policies.

Administrative User Audit (AUDIT.ADMIN): It is important to audit administrative actions performed by the SYS user. Traditional audit policies do not apply to SYS, so the AUDIT_SYS_OPERATIONS parameter must be set to record SYS actions to a separate audit trail. Beginning with Oracle 12c, the same Unified Audit policies can be applied to SYS that are used to monitor other users.

Privilege Management Audit (AUDIT.PRIVMGMT): Granting additional privileges to users or roles potentially affects most security protections and should be audited. Each action or privilege listed here should be included in at least one enabled audit policy.

Account Management Audit (AUDIT.ACCTMGMT): Creation of new user accounts or modification of existing accounts can be used to gain access to the privileges of those accounts and should be audited. Each action or privilege listed here should be included in at least one enabled audit policy.

Database Management Audit (AUDIT.DBMGMT): Actions that affect the management of database features should always be audited. Each action or privilege listed here should be included in at least one enabled audit policy.

Privilege Usage Audit (AUDIT.PRIVUSE): Usage of powerful system privileges should always be audited. Each privilege listed here should be included in at least one enabled audit policy.

Database Connection Audit (AUDIT.CONN): Successful user connections to the database should be audited to assist with future forensic analysis. Unsuccessful connection attempts can provide early warning of an attacker's attempt to gain access to the database.

Fine Grained Audit (AUDIT.FGA): Fine Grained Audit policies can record highly specific activity, such as access to particular table columns or access that occurs under specified conditions. This is a useful way to monitor unexpected data access while avoiding unnecessary audit records that correspond to normal activity.

Unified Audit (AUDIT.UNIFIED): Unified Audit, available in Oracle Database 12.1 and later releases, combines multiple audit trails into a single unified view. It also introduces new syntax for specifying effective audit policies.
Database Configuration

Access to Dictionary Objects (CONF.SYSOBJ): When O7_DICTIONARY_ACCESSIBILITY is set to FALSE, tables owned by SYS are not affected by the ANY TABLE system privileges. This parameter should always be set to FALSE because tables owned by SYS control the overall state of the database and should not be subject to manipulation by users with ANY TABLE privileges.

Inference of Table Data (CONF.INFER): When SQL92_SECURITY is set to TRUE, UPDATE and DELETE statements that refer to a column in their WHERE clauses will succeed only when the user has the privilege to SELECT from the same column. This parameter should be set to TRUE so that this requirement is enforced in order to prevent users from inferring the value of a column which they do not have the privilege to view.

Network Communications (CONF.NETCOM): The SEC_PROTOCOL_ERROR parameters control the database server's response when it receives malformed network packets from a client. Because these malformed packets may indicate an attempted attack by a malicious client, the parameters should be set to log the incident and terminate the connection. SEC_RETURN_SERVER_RELEASE_BANNER should be set to FALSE to limit the information that is returned to an unauthenticated client, which could be used to help determine the server's vulnerability to a remote attack.

External Authorization (CONF.EXTAUTH): The OS_ROLES and REMOTE_OS_ROLES parameters determine whether roles granted to users are controlled by GRANT statements in the database or by the operating system environment. Both parameters should be set to FALSE so that the authorizations of database users are managed by the database itself.

File System Access (CONF.FILESYS): The UTL_FILE_DIR parameter controls which part of the server's file system can be accessed by PL/SQL code. Note that as the directories specified in the UTL_FILE_DIR parameter may be accessed by any database user, it should be set to specify one or more safe directories that do not contain restricted files such as the configuration or data files for the database. For maximum security, use directory objects which allow finer grained control of access, rather than relying on this parameter.

Triggers (CONF.TRIG): A trigger is code that executes whenever a specific event occurs, such as inserting data in a table or connecting to the database. Disabled triggers are a potential cause for concern because whatever protection or monitoring they may be expected to provide is not active.

Disabled Constraints (CONF.CONST): Constraints are used to enforce and guarantee specific relationships between data items stored in the database. Disabled constraints are a potential cause for concern because the conditions they ensure are not enforced.

External Procedures (CONF.EXTPROC): External procedures allow code written in other languages to be executed from PL/SQL. Note that modifications to external code cannot be controlled by the database. Be careful to ensure that only trusted code libraries are available to be executed. Although the database can spawn its own process to execute the external procedure, it is advisable to configure a listener service for this purpose so that the external code can run as a less-privileged OS user. The listener configuration should set EXTPROC_DLLS to identify the specific shared library code that can be executed rather than using the default value ANY.

Directory Objects (CONF.DIR): Directory objects allow access to the server's file system from PL/SQL code within the database. Access to files that are used by the database kernel itself should not be permitted, as this may alter the operation of the database and bypass its access controls.

Database Links (CONF.LINKS): Database links allow users to execute SQL statements that access tables in other databases. This allows for both querying and storing data on the remote database.

Network Access Control (CONF.NETACL): Network ACLs control the external servers that database users can access using network packages such as UTL_TCP and UTL_HTTP. Specifically, a database user needs the connect privilege to an external network host computer if he or she is connecting using the UTL_TCP, UTL_HTTP, UTL_SMTP, and UTL_MAIL utility packages. To convert between a host name and its IP address using the UTL_INADDR package, the resolve privilege is required. Make sure that these permissions are limited to the minimum required by each user.

XML Database Access Control (CONF.XMLACL): XML ACLs control access to database resources using the XML DB feature. Every resource in the Oracle XML DB Repository hierarchy has an associated ACL. The ACL mechanism specifies a privilege-based access control for resources to principals, which are database users or roles. Whenever a resource is accessed, a security check is performed, and the ACL determines if the requesting user has sufficient privileges to access the resource. Make sure that these privileges are limited to the minimum required by each user.
Network Configuration

Network Encryption (NET.CRYPT): Network encryption protects the confidentiality and integrity of communication between the database server and its clients. Either Native Encryption or TLS should be enabled. For Native Encryption, both ENCRYPTION_SERVER and CRYPTO_CHECKSUM_SERVER should be set to REQUIRED. If TLS is used, TCPS should be specified for all network ports and SSL_CERT_REVOCATION should be set to REQUIRED.

Client Nodes (NET.CLIENTS): TCP.VALIDNODE_CHECKING should be enabled to control which client nodes can connect to the database server. Either a whitelist of client nodes allowed to connect (TCP.INVITED_NODES) or a blacklist of nodes that are not allowed (TCP.EXCLUDED_NODES) may be specified. Configuring both lists is an error; only the invited node list will be used in this case.

SQLNET Banners (NET.BANNER): These banner messages are used to warn connecting users that unauthorized access is not permitted and that their activities may be audited.

Network Listener Configuration (NET.COST): These parameters are used to limit changes to the network listener configuration. One of the following restrictions should be implemented: (a) prevent changes by disabling DYNAMIC_REGISTRATION, (b) limit the nodes that can make changes by enabling VALID_NODE_CHECKING_REGISTRATION, or (c) limit the network sources for changes using the COST parameters SECURE_PROTOCOL, SECURE_CONTROL, and SECURE_REGISTER.

Listener Logging Control (NET.LISTENLOG): This parameter enables logging of listener activity. Log information can be useful for troubleshooting and to provide early warning of attempted attacks.
Operating System

OS Authentication (OS.AUTH): OS authentication allows operating system users within the specified user group to connect to the database with administrative privileges. This shows the OS group names and users that can exercise each administrative privilege.

Process Monitor Process (OS.PMON): The PMON process monitors user processes and frees resources when they terminate. This process should run with the user ID of the ORACLE_HOME owner.

Agent Processes (OS.AGENT): Agent processes are used by Oracle Enterprise Manager to monitor and manage the database. These processes should run with a user ID separate from the database and listener processes.

Listener Processes (OS.LISTEN): Listener processes accept incoming network connections and connect them to the appropriate database server process. These processes should run with a user ID separate from the database and agent processes.