Oracle Database 2 Day Security

Agenda
• Introduction to Oracle Database Security
• Securing the Database Installation and Configuration
• Managing User Privileges
• Encrypting Data with Oracle Transparent Data Encryption
• Controlling Access with Oracle Database Vault
• Restricting Access with Oracle Virtual Private Database
• Limiting Access to Sensitive Data Using Oracle Data
Redaction
• Enforcing Row-Level Security with Oracle Label Security
• Auditing Database Activity
 Introduction to Oracle Database Security

• In a default Oracle Database installation, you can

manage security in a variety of ways. In addition
to controlling user authentication, you can use
built-in tools such as:
– Encryption
– Oracle Database Vault, Oracle Virtual Private
Database
– Oracle DataRedaction
– Oracle Label Security and auditing to manage security.
 Tools for Securing Your Database
• Oracle Database 12c Enterprise Edition
• Oracle Enterprise Manager
• SQL*Plus
 New Feature database 12c
• Transparent Data Encryption
• Oracle Database Vault
• Oracle Data Redaction
• Oracle Label Security
• auditing
 Securing the Database Installation
and Configuration
• After you install Oracle Database, you should
secure the database installation and
configuration.Oracle provides commonly used
ways to do secure the database installation
andconfiguration, all of which involve
restricting permissions to specific areas of the
database files.
 Default Security Settings
• Enables default auditing settings
• Creates stronger enforcements for new or changed
passwords. “Requirements for Creating Passwords”
describes the new password requirements.
• Removes the CREATE EXTERNAL JOB privilege from
the PUBLIC role. For greater security, grant the CREATE
EXTERNAL JOB privilege only to SYS,database
administrators, and those trusted users who need it.
• Sets security-related initialization and profile
parameter settings
Default Security Settings for Initialization
and Profile Parameters
Security for the Oracle Data Dictionary

• You should secure the data dictionary. The

data dictionary is a set of database tablesthat
provide information about the database, such
as schema definitions or default values.
 Oracle Data Dictionary
• The names of Oracle Database users
• Privileges and roles granted to each user
• The definitions of all schema objects in the database (tables, views, indexes,
• clusters, synonyms, sequences, procedures, functions, packages, triggers, and
soon)
• The amount of space allocated for, and is currently used by, the schema
objects
• Default values for columns
• Integrity constraint information
• Auditing information, such as who has accessed or updated various schema
objects
• Other general database information

The data dictionary tables and views for a given database are stored in the
SYSTEM tablespace for that database. All the data dictionary tables and views
for a given database are owned by the user SYS. Connecting to the database
with the SYSDBAadministrative privilege gives full access to the data dictionary.
 Finding Views That Pertain to the Data
Dictionary
• sqlplus system
• Enter password: password
• SQL> SELECT TABLE_NAME FROM DICTIONARY;
Enabling Data Dictionary Protection
• You can protect the data dictionary b `y setting
theO7_DICTIONARY_ACCESSIBILITYinitialization parameter to
FALSE.
• The O7_DICTIONARY_ACCESSIBILITY parameter prevents users
who have the ANY system privilege from using those privileges
on the data dictionary, that is, on objectsin the SYS schema.
 Enable data dictionary protection
1. Access the Database home page.
2. From the Administration menu, select Initialization Parameters. If the
Database Login page appears, then log in as SYS with the SYSDBA role selected.
3. In the Initialization Parameters page, from the list, search for
O7_DICTIONARY_ACCESSIBILITY. In the Name field, enter O7_ (the letter O), and then
click Go. You can enter the first few characters of a parameter name. In this case, O7_
displays the O7_DICTIONARY_ACCESSIBILTY parameter.
4. Set the value for O7_DICTIONARY_ACCESSIBILTY to FALSE.
5. Click Apply.
6. Restart the Oracle Database instance.
sqlplus sys as sysdba
Enter password: password
SQL> SHUTDOWN IMMEDIATE
SQL> STARTUP
Note:
In a default installation, the O7_DICTIONARY_ACCESSIBILITY parameter is set to
FALSE.
 Expiring and Locking Database Accounts

• When you expire the password of a user, that

password no longer exists. If you want to
unexpire the password, you change the
password of that account.
• Locking an account preserves the user password
and other account information, but makes the
account unavailable to anyone who tries to log
in to the database using that account. Unlocking
it makes the account available again.
 To expire and lock a database account
1. Access the Database home page.
2. From the Administration menu, select Security, then Users.
If the Database Login page appears, then log in as an administrative
user, such as
SYSTEM.The Users page lists the user accounts created for the current
database instance. The Account Status column indicates whether an
account is expired, locked, or open.
3. In the Select column, select the account you want to expire, and
then click Edit.
4. In the Edit User page, do one of the following:
• To expire a password, click Expire Password now.
To unexpire the password, enter a new password in the Enter
Password and Confirm Password fields.
• To lock the account, select Locked.
5. Click Apply.
 Requirements for Creating Passwords

• Make the password between 12 and 30

characters and numbers.
• Use mixed case letters and special characters in
the password.
• Use the database character set for the password
characters, which can include the underscore (_),
dollar ($), and number sign (#) characters.
• Do not use an actual word for the entire
password.
 Finding and Changing Default Passwords
from SQL*Plus
1. Log into the database instance with administrative privileges.
sqlplus system
Enter password: password
2. Select from the DBA_USERS_WITH_DEFPWD data dictionary view.
SELECT * FROM DBA_USERS_WITH_DEFPWD;
The DBA_USERS_WITH_DEFPWD lists the accounts that still have user defaultpasswords. For example:
USERNAME
------------
SCOTT
3. Change the password for the accounts the DBA_USERS_WITH_DEFPWD datadictionary view lists.
For example, to change the password for user SCOTT, enter the following:
PASSWORD SCOTT
Changing password for SCOTT
New password: password
Retype new password: password
Password changed
Alternatively, you can use the ALTER USER SQL statement to change thepassword:
– ALTER USER SCOTT IDENTIFIED BY password;
 To use Enterprise Manager to change the
password of a database account
1. Access the Database home page.
2. From the Administration menu, select Security, then Users.
If the Database Login page appears, then log in as an administrative
user, such asSYS. User SYS must log in with the SYSDBA role selected.
The Users page lists the user accounts created for the current database
instance.The Account Status column indicates whether an account is
expired, locked, oropen.
3. In the Select column, select the account you want to change, and
then click Edit.
4. In the Edit User page, enter a new password in the Enter Password
and Confirm Password fields.
5. Click Apply.
Managing User Privileges
 About Privilege Management
• Granting and revoking individual privileges. You can
grant individual privileges, for example, the privilege to
perform the UPDATE SQL statement, to individualusers
or to groups of users.
• Creating a role and assigning privileges to it. A role is
a named group of relatedprivileges that you grant, as a
group, to users or other roles.
• Creating a secure application role. A secure
application role enables you to defineconditions that
control when a database role can be enabled
 When to Grant Privileges to Users
• Because privileges are the rights to perform a specific action, such as
updating or deleting a table, do not provide database users more
privileges than are necessary.
• In other words, the principle of least privilege is that users be given
only those privileges that are actually required to efficiently perform
their jobs. To implement this principle, restrict the following as much
as possible:
– The number of system and object privileges granted to database user
– The number of people who are allowed to make SYS-privileged connections to
the database

For example, generally the CREATE ANY TABLE privilege is not granted to
a user who does not have database administrator privileges.
 When to Grant Roles to Users
• A role is a named group of related privileges that you
grant, as a group, to users or other roles.
• Roles are useful for quickly and easily granting permissions
to users. Although you can use Oracle Database-defined
roles, you have more control and continuity if you create
your own roles that contain only the privileges pertaining
to your requirements. Oracle may change or remove the
privileges in an Oracle Database-defined role, as it has
with the CONNECT role, which now has only the CREATE
SESSION privilege.Formerly, this role had eight other
privileges.
 Controlling Access to Applications with
Secure Application Roles
• A secure application role is a role that can be
enabled only by an authorized PL/SQL
package. The PL/SQL package itself reflects the
security policies necessary to control access to
the application.
 About Secure Application Roles
A secure application role has the following components
• The secure application role itself. You create the role using the CREATE ROLE statement
with the IDENTIFIED USING clause to associate it with the PL/SQL package. Then, you grant
the role the privileges you typically grant a role.
• A PL/SQL package, procedure, or function associated with the secure application role.
The PL/SQL package sets a condition that either grants the role or denies the role to the
person trying to log in to the database. You must create the PL/SQL package, procedure, or
function using invoker's rights, not definer's rights. An invoker's right procedure executes
with the privileges of the current user, that is, the user who invokes the procedure. This
user must be granted the EXECUTE privilege for the underlying objects that the PL/SQL
package accesses. Invoker's rights procedures are not bound to a particular schema. They
can be run by a variety of users and enable multiple users to manage their own data by
using centralized application logic. To create the invoker's rights package, use the AUTHID
CURRENT_USER clause in the declaration section of the procedure code.

The PL/SQL package also must contain a SET ROLE statement or DBMS_SESSION.SET_ROLE
call to enable (or disable) the role for the user.

After you create the PL/SQL package, you must grant the appropriate users the EXECUTE
privilege on the package.
About Secure Application Roles (Continue)

• A way to execute the PL/SQL package when the user logs on.
To execute the PL/SQL package, you must call it directly from
the application before the user tries to use the privileges the
role grants. You cannot use a logon trigger to execute the
PL/SQL package automatically when the user logs on.
• When a user logs in to the application, the policies in the
package perform the checks as needed. If the user passes the
checks, then the role is granted, which enables access to the
application. If the user fails the checks, then the user is
prevented from accessingthe application. Controlling Access
to Applications with Secure Application Roles Managing
Creating a Secure Application Role
Creating a Secure Application Role continue
Creating a Secure Application Role continue
Creating a Secure Application Role continue
Creating a Secure Application Role continue
Creating a Secure Application Role continue
Creating a Secure Application Role continue
Creating a Secure Application Role continue
Creating a Secure Application Role continue
Creating a Secure Application Role continue
Creating a Secure Application Role continue
Creating a Secure Application Role continue
Creating a Secure Application Role continue
Creating a Secure Application Role continue
Creating a Secure Application Role continue
Creating a Secure Application Role continue
Creating a Secure Application Role continue
Creating a Secure Application Role continue
Encrypting Data with Oracle Transparent
Data Encryption
 Key Management for Transparent Data
Encryption and Other Database Components
• Oracle Database 12c Release 1 (12.1) introduces a
unified key management infrastructure for Transparent
Data Encryption (TDE) and other database components.
• This eases key administration tasks, provides for better
compliance and tracking, and also leads to better
separation of duty between the database administrator
and security administrator. For better security and
separation of duty, users who are responsible for
configuring TDE must have the SYSKM system privilege.
 Encrypting Data with
Oracle Transparent Data Encryption
• Encrypted data is data that has been disguised
so that only an authorized recipient can read
it.
• In most cases, you must encrypt sensitive data
on your site to meet a regulatory compliance.
For example, sensitive data such as credit card
numbers, Social Security numbers, or patient
health information must be encrypted.
Configuring Data to Use Transparent Data
Encryption
Finding the Type of Keystore That Was
Created
Finding the Keystore Location
Checking Whether a Keystore Is Open or
Closed
Checking Encrypted Columns of an
Individual Table
Controlling Access with
Oracle Database Vault
About Oracle Database Vault
About Oracle Database Vault
Controlling Administrator Access to a User Schema
Tutorial Controlling Administrator Access to
a User Schema
Tutorial Controlling Administrator Access to
a User Schema continue
Tutorial Controlling Administrator Access to
a User Schema continue
Tutorial Controlling Administrator Access to
a User Schema continue
Tutorial Controlling Administrator Access to
a User Schema continue
Tutorial Controlling Administrator Access to
a User Schema continue
Tutorial Controlling Administrator Access to
a User Schema continue
Tutorial Controlling Administrator Access to
a User Schema continue
Tutorial Controlling Administrator Access to
a User Schema continue
Tutorial Controlling Administrator Access to
a User Schema continue
Tutorial Controlling Administrator Access to
a User Schema continue
Tutorial Controlling Administrator Access to
a User Schema continue
 Restricting Access with
Oracle Virtual Private Database
About Oracle Virtual Private Database
About Oracle Virtual Private Database
Continue
About Oracle Virtual Private Database
Continue
 Limiting Access to Data Based on the
Querying User
In this tutorial, you create a sales representative
user account and an account for a finance manager.
Then, you create an Oracle Virtual Private Database
policy that will limit the data access to these users
based on their roles. You can use Oracle Database
limit access to data based on who the querying user
is. For example, a sales representative should only
see the orders that he or she have reated, but other
employees should not.
About Limiting Access to Data Based on the
Querying User
About Limiting Access to Data Based on the
Querying User
Tutorial Limiting Access to Data Based on
the Querying User
Tutorial Limiting Access to Data Based on the
Querying User Continue
Tutorial Limiting Access to Data Based on the
Querying User Continue
Tutorial Limiting Access to Data Based on the
Querying User Continue
Tutorial Limiting Access to Data Based on the
Querying User Continue
Tutorial Limiting Access to Data Based on the
Querying User Continue
Tutorial Limiting Access to Data Based on the
Querying User Continue
Tutorial Limiting Access to Data Based on the
Querying User Continue
Tutorial Limiting Access to Data Based on the
Querying User Continue
Tutorial Limiting Access to Data Based on the
Querying User Continue
Tutorial Limiting Access to Data Based on the
Querying User Continue
Tutorial Limiting Access to Data Based on the
Querying User Continue
Tutorial Limiting Access to Data Based on the
Querying User Continue
Tutorial Limiting Access to Data Based on the
Querying User Continue
Tutorial Limiting Access to Data Based on the
Querying User Continue
Tutorial Limiting Access to Data Based on the
Querying User Continue
Limiting Access to Sensitive Data
Using Oracle Data Redaction
About Oracle Data Redaction
Tutorial: Redacting Data
Tutorial: Redacting Data Continue
Tutorial: Redacting Data Continue
Tutorial: Redacting Data Continue
Tutorial: Redacting Data Continue
Tutorial: Redacting Data Continue
Tutorial: Redacting Data Continue
Tutorial: Redacting Data Continue
Tutorial: Redacting Data Continue
Tutorial: Redacting Data Continue
Tutorial: Redacting Data Continue
Tutorial: Redacting Data Continue
Tutorial: Redacting Data Continue
Tutorial: Redacting Data Continue
Tutorial: Redacting Data Continue
Enforcing Row-Level Security with
Oracle Label Security
About Oracle Label Security
About Oracle Label Security Continue
Differences Between Virtual Private Database, Oracle
Label Security, and
Data Redaction
Compares the features of Oracle Virtual Private Database,
Oracle Label Security, and Oracle Data Redaction
How Does Oracle Label Security Work
How are row sensitivity labels assigned
How are user clearance levels decided?
Tutorial Oracle Label Security
Tutorial Oracle Label Security Continue
Tutorial Oracle Label Security Continue
Tutorial Oracle Label Security Continue
Tutorial Oracle Label Security Continue
Tutorial Oracle Label Security Continue
Tutorial Oracle Label Security Continue
Tutorial Oracle Label Security Continue
Tutorial Oracle Label Security Continue
Tutorial Oracle Label Security Continue
Tutorial Oracle Label Security Continue
Tutorial Oracle Label Security Continue
Tutorial Oracle Label Security Continue
Conclusion
Auditing Database Activity
About Auditing
Create Audit Policies
Create Audit Policies Continue
Create Audit Policies Continue
Create Audit Policies Continue
Create Audit Policies Continue
Create Audit Policies Continue
Create Audit Policies Continue
Create Audit Policies Continue
Create Audit Policies Continue
Create Audit Policies Continue
Create Audit Policies Continue
Create Audit Policies Continue
Create Audit Policies Continue
Role Auditing
Role Auditing Continue
Role Auditing Continue