Oracle® Database Security Guide 10g Release 2 (10.2) B14266-09 July 2012 Oracle Database Security Guide 10g Release 2 (10.2) B14266-09 Copyright © 2003, 2012, Oracle and/or its affiliates. All rights reserved. Primary Author: Sumit Jeloka Contributing Authors: Don Gosselin, Richard Smith Contributors: Gopal Mulagund, Nina Lewis, Janaki Narasinghanallur, Srividya Tata, Narendra Manappa This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited. The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing. If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, the following notice is applicable: U.S. GOVERNMENT RIGHTS Programs, software, databases, and related documentation and technical data delivered to U.S. Government customers are "commercial computer software" or "commercial technical data" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, the use, duplication, disclosure, modification, and adaptation shall be subject to the restrictions and license terms set forth in the applicable Government contract, and, to the extent applicable by the terms of the Government contract, the additional rights set forth in FAR 52.227-19, Commercial Computer Software License (December 2007). Oracle America, Inc., 500 Oracle Parkway, Redwood City, CA 94065. This software or hardware is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerous applications, including applications that may create a risk of personal injury. If you use this software or hardware in dangerous applications, then you shall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure its safe use. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this software or hardware in dangerous applications. Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners. Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group. This software or hardware and documentation may provide access to or information on content, products, and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services. iii Contents Preface xxi Audience xxi Documentation Accessibility xxi Organization xxii Related Documentation xxiv Conventions xxv What's New in Oracle Database Security? xxvii New Features in Virtual Private Database xxvii New Features in Auditing xxviii New PL/SQL Encryption Package: DBMS_CRYPTO xxix Part I Overview of Security Considerations and Requirements 1 Security Requirements, Threats, and Concepts Identity Management: Security in Complex, High-Volume Environments 1-3 Desired Benefits of Identity Management 1-4 Components of Oracle Identity Management Infrastructure 1-5 2 Security Checklists and Recommendations Physical Access Control Checklist 2-1 Personnel Checklist 2-2 Secure Installation and Configuration Checklist 2-2 Networking Security Checklists 2-5 SSL Checklist 2-5 Client Checklist 2-6 Listener Checklist 2-7 Network Checklist 2-7 3 Security Policies and Tips Introduction to Database Security Policies 3-1 Security Threats and Countermeasures 3-1 What Information Security Policies Can Cover 3-2 Recommended Application Design Practices to Reduce Risk 3-3 iv Tip 1: Enable and Disable Roles Promptly 3-4 Tip 2: Encapsulate Privileges in Stored Procedures 3-5 Tip 3: Use Role Passwords Unknown to the User 3-5 Tip 4: Use Proxy Authentication and a Secure Application Role 3-5 Tip 5: Use Secure Application Roles to Verify IP Address 3-6 Tip 6: Use Application Context and Fine-Grained Access Control 3-7 Part II Security Features, Concepts, and Alternatives 4 Authentication Methods Authentication by the Operating System 4-1 Authentication by the Network 4-2 Authentication Using SSL 4-2 Authentication Using Third-Party Services 4-2 Kerberos Authentication 4-3 PKI-Based Authentication 4-3 Authentication with RADIUS 4-4 Directory-Based Services 4-5 Authentication by Oracle Database 4-5 Password Encryption While Connecting 4-6 Account Locking 4-6 Password Lifetime and Expiration 4-6 Password History 4-6 Password Complexity Verification 4-7 Multitier Authentication and Authorization 4-7 Clients, Application Servers, and Database Servers 4-8 Security Issues for Middle-Tier Applications 4-9 Identity Issues in a Multitier Environment 4-9 Restricted Privileges in a Multitier Environment 4-9 Client Privileges 4-10 Application Server Privileges 4-10 Authentication of Database Administrators 4-10 5 Authorization: Privileges, Roles, Profiles, and Resource Limitations Introduction to Privileges 5-1 System Privileges 5-2 Granting and Revoking System Privileges 5-2 Who Can Grant or Revoke System Privileges? 5-3 Schema Object Privileges 5-3 Granting and Revoking Schema Object Privileges 5-3 Who Can Grant Schema Object Privileges? 5-4 Using Privileges with Synonyms 5-4 Table Privileges 5-5 DML Operations 5-5 DDL Operations 5-5 View Privileges 5-6 v Privileges Required to Create Views 5-6 Increasing Table Security with Views 5-6 Procedure Privileges 5-7 Procedure Execution and Security Domains 5-7 System Privileges Needed to Create or Alter a Procedure 5-9 Packages and Package Objects 5-9 Type Privileges 5-10 System Privileges for Named Types 5-11 Object Privileges 5-11 Method Execution Model 5-11 Privileges Required to Create Types and Tables Using Types 5-11 Example of Privileges for Creating Types and Tables Using Types 5-12 Privileges on Type Access and Object Access 5-13 Type Dependencies 5-14 Introduction to Roles 5-14 Properties of Roles 5-15 Common Uses of Roles 5-16 Application Roles 5-16 User Roles 5-17 Granting and Revoking Roles 5-17 Who Can Grant or Revoke Roles? 5-17 Security Domains of Roles and Users 5-17 PL/SQL Blocks and Roles 5-18 Named Blocks with Definer's Rights 5-18 Anonymous Blocks with Invoker's Rights 5-18 DDL Statements and Roles 5-18 Predefined Roles 5-19 Operating System and Roles 5-20 Roles in a Distributed Environment 5-20 Secure Application Roles 5-20 Creation of Secure Application Roles 5-20 User Resource Limits 5-21 Types of System Resources and Limits 5-22 Session Level 5-22 Call Level 5-22 CPU Time 5-22 Logical Reads 5-22 Limiting Other Resources 5-23 Profiles 5-24 Determining Values for Resource Limits 5-24 6 Access Control on Tables, Views, Synonyms, or Rows Introduction to Views 6-2 Fine-Grained Access Control 6-3 Dynamic Predicates 6-4 Application Context 6-5 Dynamic Contexts 6-6 vi Security Followup: Auditing and Prevention 6-7 7 Security Policies System Security Policy 7-1 Database User Management 7-1 User Authentication 7-2 Operating System Security 7-2 Data Security Policy 7-2 User Security Policy 7-3 General User Security 7-3 Password Security 7-3 Privilege Management 7-4 End-User Security 7-4 Using Roles for End-User Privilege Management 7-4 Using a Directory Service for End-User Privilege Management 7-5 Administrator Security 7-5 Protection for Connections as SYS and SYSTEM 7-6 Protection for Administrator Connections 7-6 Using Roles for Administrator Privilege Management 7-6 Application Developer Security 7-7 Application Developers and Their Privileges 7-7 Application Developer Environment: Test and Production Databases 7-7 Free Versus Controlled Application Development 7-8 Roles and Privileges for Application Developers 7-8 Space Restrictions Imposed on Application Developers 7-9 Application Administrator Security 7-9 Password Management Policy 7-9 Account Locking 7-10 Password Aging and Expiration 7-10 Setting the PASSWORD_LIFE_TIME Profile Parameter to a Low Value 7-11 Password History 7-12 Password Complexity Verification 7-12 Password Verification Routine Formatting Guidelines 7-13 Sample Password Verification Routine 7-13 Auditing Policy 7-15 A Security Checklist 7-16 8 Database Auditing: Security Considerations Auditing Types and Records 8-2 Audit Records and Audit Trails 8-3 Database Audit Trail (DBA_AUDIT_TRAIL) 8-3 Operating System Audit Trail 8-4 Syslog Audit Trail 8-5 Operating System and Syslog Audit Records 8-5 Records Always in the Operating System and Syslog Audit Trail 8-6 When Are Audit Records Created? 8-6 Statement Auditing 8-7 vii Privilege Auditing 8-7 Schema Object Auditing 8-8 Schema Object Audit Options for Views, Procedures, and Other Elements 8-8 Focusing Statement, Privilege, and Schema Object Auditing 8-9 Auditing Statement Executions: Successful, Unsuccessful, or Both 8-9 Number of Audit Records from Multiple Executions of a Statement 8-10 BY SESSION 8-10 BY ACCESS 8-11 Audit by User 8-11 Auditing in a Multitier Environment 8-12 Fine-Grained Auditing 8-12 Part III Security Implementation, Configuration, and Administration 9 Secure External Password Store How Does the External Password Store Work? 9-1 Configuring Clients to Use the External Password Store 9-2 Managing External Password Store Credentials 9-4 Listing External Password Store Contents 9-4 Adding Credentials to an External Password Store 9-4 Modifying Credentials in an External Password Store 9-5 Deleting Credentials from an External Password Store 9-5 10 Administering Authentication User Authentication Methods 10-1 Database Authentication 10-1 Creating a User Who Is Authenticated by the Database 10-2 Advantages of Database Authentication 10-2 External Authentication 10-2 Creating a User Who Is Authenticated Externally 10-3 Operating System Authentication 10-3 Network Authentication 10-4 Advantages of External Authentication 10-4 Global Authentication and Authorization 10-4 Creating a User Who Is Authorized by a Directory Service 10-5 Advantages of Global Authentication and Global Authorization 10-5 Proxy Authentication and Authorization 10-6 Authorizing a Middle Tier to Proxy and Authenticate a User 10-7 Authorizing a Middle Tier to Proxy a User Authenticated by Other Means 10-7 11 Administering User Privileges, Roles, and Profiles Managing Oracle Users 11-1 Creating Users 11-1 Specifying a Name 11-2 Setting Up User Authentication 11-3 Assigning a Default Tablespace 11-3 viii Assigning Tablespace Quotas 11-3 Assigning a Temporary Tablespace 11-4 Specifying a Profile 11-5 Setting Default Roles 11-5 Altering Users 11-5 Changing User Authentication Mechanism 11-6 Changing User Default Roles 11-6 Dropping Users 11-6 Viewing Information About Database Users and Profiles 11-7 User and Profile Information in Data Dictionary Views 11-7 Listing All Users and Associated Information 11-8 Listing All Tablespace Quotas 11-8 Listing All Profiles and Assigned Limits 11-9 Viewing Memory Use for Each User Session 11-10 Managing Resources with Profiles 11-10 Dropping Profiles 11-11 Understanding User Privileges and Roles 11-11 System Privileges 11-11 Restricting System Privileges 11-12 Accessing Objects in the SYS Schema 11-12 Object Privileges 11-13 User Roles 11-13 Managing User Roles 11-15 Creating a Role 11-15 Specifying the Type of Role Authorization 11-16 Role Authorization by the Database 11-16 Role Authorization by an Application 11-16 Role Authorization by an External Source 11-17 Role Authorization by an Enterprise Directory Service 11-17 Dropping Roles 11-18 Granting User Privileges and Roles 11-18 Granting System Privileges and Roles 11-18 Granting the ADMIN OPTION 11-19 Creating a New User with the GRANT Statement 11-19 Granting Object Privileges 11-19 Specifying the GRANT OPTION 11-20 Granting Object Privileges on Behalf of the Object Owner 11-20 Granting Privileges on Columns 11-21 Row-Level Access Control 11-22 Revoking User Privileges and Roles 11-22 Revoking System Privileges and Roles 11-22 Revoking Object Privileges 11-22 Revoking Object Privileges on Behalf of the Object Owner 11-23 Revoking Column-Selective Object Privileges 11-24 Revoking the REFERENCES Object Privilege 11-24 Cascading Effects of Revoking Privileges 11-24 System Privileges 11-24 ix Object Privileges 11-25 Granting to and Revoking from the PUBLIC Role 11-25 When Do Grants and Revokes Take Effect? 11-26 The SET ROLE Statement 11-26 Specifying Default Roles 11-26 Restricting the Number of Roles that a User Can Enable 11-27 Granting Roles Using the Operating System or Network 11-27 Using Operating System Role Identification 11-28 Using Operating System Role Management 11-29 Granting and Revoking Roles When OS_ROLES=TRUE 11-29 Enabling and Disabling Roles When OS_ROLES=TRUE 11-29 Using Network Connections with Operating System Role Management 11-29 Viewing Privilege and Role Information 11-29 Listing All System Privilege Grants 11-31 Listing All Role Grants 11-31 Listing Object Privileges Granted to a User 11-31 Listing the Current Privilege Domain of Your Session 11-32 Listing Roles of the Database 11-32 Listing Information About the Privilege Domains of Roles 11-33 12 Configuring and Administering Auditing Actions Audited by Default 12-1 Guidelines for Auditing 12-2 Keeping Audited Information Manageable 12-2 Auditing Normal Database Activity 12-3 Auditing Suspicious Database Activity 12-3 Auditing Administrative Users 12-3 Using Triggers 12-5 Deciding Whether to Use the Database or Operating System Audit Trail 12-5 What Information Is Contained in the Audit Trail? 12-6 Database Audit Trail Contents 12-7 Audit Information Stored in an Operating System File 12-8 Managing the Standard Audit Trail 12-9 Enabling and Disabling Standard Auditing 12-9 Setting the AUDIT_TRAIL Initialization Parameter 12-10 Specifying a Directory for the Operating System Auditing Trail 12-10 Specifying the Syslog Level 12-11 Standard Auditing in a Multitier Environment 12-11 Enabling Standard Auditing Options 12-12 Enabling Statement Auditing 12-13 Enabling Privilege Auditing 12-13 Enabling Object Auditing 12-14 Enabling Network Auditing 12-14 Disabling Standard Audit Options 12-15 Turning Off Statement and Privilege Auditing 12-15 Turning Off Object Auditing 12-16 Turning Off Network Auditing 12-16 x Controlling the Growth and Size of the Standard Audit Trail 12-16 Purging Audit Records from the Audit Trail 12-17 Archiving Audit Trail Information 12-18 Reducing the Size of the Audit Trail 12-18 Protecting the Standard Audit Trail 12-18 Auditing the Standard Audit Trail 12-18 Viewing Database Audit Trail Information 12-19 Audit Trail Views 12-19 Using Audit Trail Views to Investigate Suspicious Activities 12-20 Listing Active Statement Audit Options 12-21 Listing Active Privilege Audit Options 12-21 Listing Active Object Audit Options for Specific Objects 12-21 Listing Default Object Audit Options 12-22 Listing Audit Records 12-22 Listing Audit Records for the AUDIT SESSION Option 12-22 Deleting the Audit Trail Views 12-22 The SYS.AUD$ Auditing Table: Example 12-22 Fine-Grained Auditing 12-24 Policies in Fine-Grained Auditing 12-25 Advantages of Fine-Grained Auditing over Triggers 12-25 Extensible Interface Using Event Handler Functions 12-26 Functions and Relevant Columns in Fine-Grained Auditing 12-26 Audit Records in Fine-Grained Auditing 12-26 NULL Audit Conditions 12-27 Defining FGA Policies 12-27 An Added Benefit to Fine-Grained Auditing 12-27 The DBMS_FGA Package 12-29 ADD_POLICY Procedure 12-29 Syntax 12-29 Parameters 12-30 Usage Notes 12-30 V$XML_AUDIT_TRAIL View 12-33 Examples 12-34 DISABLE_POLICY Procedure 12-34 Syntax 12-34 Parameters 12-34 DROP_POLICY Procedure 12-35 Syntax 12-35 Parameters 12-35 Usage Notes 12-35 ENABLE_POLICY Procedure 12-35 Syntax 12-35 Parameters 12-35 13 Introducing Database Security for Application Developers About Application Security Policies 13-1 Considerations for Using Application-Based Security 13-2 [...]... people responsible for the physical security, system administration, and data security of the site must be reliable Performing background checks on DBAs before making hiring decisions is a wise protective measure 1-2 Oracle Database Security Guide Identity Management: Security in Complex, High-Volume Environments Table 1–1 (Cont.) Security Issues by Category Dimension Security Issues Procedural The procedures... predicates establishing the restrictions Chapter 7, "Security Policies" This chapter discusses security policies in separate sections dealing with system security, data security, user security, password management, and auditing It concludes with a more detailed version of the checklist first presented in Chapter 2 xxii Chapter 8, "Database Auditing: Security Considerations" This chapter presents auditing... stored in databases, detect suspicious activities, and enable finely-tuned security responses Chapter 13, "Introducing Database Security for Application Developers" This chapter provides an introduction to the security challenges that face application developers and includes an overview of Oracle Database features they can use to develop secure applications Chapter 14, "Using Virtual Private Database. .. Oracle resources: ■ Oracle Database Concepts ■ Oracle Database Administrator's Guide ■ Oracle Data Warehousing Guide ■ Oracle Streams Advanced Queuing Java API Reference ■ Oracle Streams Advanced Queuing User's Guide and Reference Many of the examples in this book use the sample schemas of the seed database, which is installed by default when you install Oracle Refer to Oracle Database Sample Schemas... that you enter xxv xxvi What's New in Oracle Database Security? The Oracle Database 10g Release 2 (10.2) security features and enhancements described in this section comprise the overall effort to provide superior access control, privacy, and accountability with this release of the database The following sections describe new security features of Oracle Database 10g Release 2 (10.2) and provide pointers... of security for Oracle Database It includes conceptual information about security requirements and threats, descriptions of Oracle Database security features, and procedural information that explains how to use those features to secure your database This preface contains these topics: ■ Audience ■ Documentation Accessibility ■ Organization ■ Related Documentation ■ Conventions Audience The Oracle Database. .. contains: Part I, "Overview of Security Considerations and Requirements" Part I presents fundamental concepts of data security, and offers checklists and policies to aid in securing your site's data, operations, and users Chapter 1, "Security Requirements, Threats, and Concepts" This chapter presents fundamental concepts of data security requirements and threats Chapter 2, "Security Checklists and Recommendations"... xxix xxx Part I Part I Overview of Security Considerations and Requirements Part I presents fundamental concepts of data security requirements and threats that pertain to connecting to a database, accessing and altering tables, and using applications In addition, security checklists are provided for DBAs and application developers, which cover installation preparation, database administration best practices,... customers access databases from anywhere on the Internet In the Internet age, the full spectrum of risks to valuable and sensitive data and to user access and confidentiality, is broader than ever before Figure 1–1 shows the complex computing environment that security plans must protect Security Requirements, Threats, and Concepts 1-1 Figure 1–1 Realms Needing Security in an Internet World Database Server... Application Web Server Databases Firewalls The diagram shows several important parts of the security picture, illustrating client communities, connections, databases, and servers, all of which must be secured against inappropriate access or use These different areas can require different techniques to achieve good security, and they must integrate so as to preclude or minimize security gaps or vulnerabilities . Oracle® Database Security Guide 10g Release 2 (10.2) B14266-09 July 2012 Oracle Database Security Guide 10g Release 2 (10.2). System Security 7-2 Data Security Policy 7-2 User Security Policy 7-3 General User Security 7-3 Password Security 7-3 Privilege Management 7-4 End-User Security