Oracle® Database Security Guide 11g Release 1 (11.1) B28531-19 December 2012 Oracle Database Security Guide 11g Release 1 (11.1) B28531-19 Copyright © 2006, 2012, Oracle and/or its affiliates. All rights reserved. Primary Author: Patricia Huey Contributors: Priya Badkar, Tammy Bednar, Naveen Gopal, Don Gosselin, Sergei Kucherov,Nina Lewis, Bryn Llewellyn, Narendra Manappa, Gopal Mulagund, Paul Needham, Deb Owens, Robert Pang, Vipin Samar, Digvijay Sirmukaddam, Sachin Sonawane, James Spiller, Ashwini SurpurSrividya Tata, Kamal Tbeileh This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited. The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing. If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, the following notice is applicable: U.S. GOVERNMENT END USERS: Oracle programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, delivered to U.S. Government end users are "commercial computer software" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, shall be subject to license terms and license restrictions applicable to the programs. No other rights are granted to the U.S. Government. This software or hardware is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerous applications, including applications that may create a risk of personal injury. If you use this software or hardware in dangerous applications, then you shall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure its safe use. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this software or hardware in dangerous applications. Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners. Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group. This software or hardware and documentation may provide access to or information on content, products, and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services. iii Contents Preface xxiii Audience xxiii Documentation Accessibility xxiii Related Documents xxiv Conventions xxiv What's New in Oracle Database Security? xxvii Automatic Secure Configuration xxvii New Password Protections xxvii SYSDBA and SYSOPER Strong Authentication xxviii SYSASM Privilege for Automatic Storage Management xxviii Encryption Enhancements xxviii Fine-Grained Access Control on Network Services on the Database xxx Change to AUDIT BY SESSION xxx Oracle XML DB Security Enhancements xxx Directory Security Enhancements xxxi Oracle Call Interface Security Enhancements xxxi 1 Introducing Oracle Database Security About Oracle Database Security 1-1 Additional Database Security Resources 1-2 2 Managing Security for Oracle Database Users About User Security 2-1 Creating User Accounts 2-1 Creating a New User Account 2-2 Specifying a User Name 2-2 Assigning the User a Password 2-3 Assigning a Default Tablespace for the User 2-3 Assigning a Tablespace Quota for the User 2-4 Revoking the Ability for Users to Create Objects in a Tablespace 2-5 Granting Users the UNLIMITED TABLESPACE System Privilege 2-5 Assigning a Temporary Tablespace for the User 2-5 Specifying a Profile for the User 2-6 Setting a Default Role for the User 2-6 iv Altering User Accounts 2-7 About Altering User Accounts 2-7 Using the ALTER USER Statement to Alter a User Account 2-7 Changing Non-SYS User Passwords 2-7 Changing the SYS User Password 2-8 Configuring User Resource Limits 2-9 About User Resource Limits 2-9 Types of System Resources and Limits 2-9 Limiting the User Session Level 2-10 Limiting Database Call Levels 2-10 Limiting CPU Time 2-10 Limiting Logical Reads 2-10 Limiting Other Resources 2-10 Determining Values for Resource Limits of Profiles 2-11 Managing Resources with Profiles 2-12 Creating Profiles 2-12 Dropping Profiles 2-13 Deleting User Accounts 2-13 Finding Information About Database Users and Profiles 2-14 Using Data Dictionary Views to Find Information About Users and Profiles 2-15 Listing All Users and Associated Information 2-16 Listing All Tablespace Quotas 2-16 Listing All Profiles and Assigned Limits 2-16 Viewing Memory Use for Each User Session 2-17 3 Configuring Authentication About Authentication 3-1 Configuring Password Protection 3-1 What Are the Oracle Database Built-in Password Protections? 3-2 Minimum Requirements for Passwords 3-3 Using a Password Management Policy 3-3 About Managing Passwords 3-3 Finding User Accounts That Have Default Passwords 3-4 Configuring Password Settings in the Default Profile 3-4 Automatically Locking a User Account After a Failed Login 3-6 Controlling User Ability to Reuse Previous Passwords 3-7 Controlling Password Aging and Expiration 3-8 Setting the PASSWORD_LIFE_TIME Profile Parameter to a Low Value 3-9 Enforcing Password Complexity Verification 3-9 Enabling or Disabling Password Case Sensitivity 3-11 Ensuring Against Password Security Threats by Using the SHA-1 Hashing Algorithm 3-13 Managing the Secure External Password Store for Password Credentials 3-14 About the Secure External Password Store 3-14 How Does the External Password Store Work? 3-15 Configuring Clients to Use the External Password Store 3-16 Managing External Password Store Credentials 3-18 Authenticating Database Administrators 3-19 v Strong Authentication and Centralized Management for Database Administrators 3-20 Configuring Directory Authentication for Administrative Users 3-20 Configuring Kerberos Authentication for Administrative Users 3-21 Configuring Secure Sockets Layer Authentication for Administrative Users 3-21 Authenticating Database Administrators by Using the Operating System 3-22 Authenticating Database Administrators by Using Their Passwords 3-23 Authenticating Database Administrators on Windows Systems 3-23 Using the Database to Authenticate Users 3-24 About Database Authentication 3-24 Advantages of Database Authentication 3-24 Creating a User Who Is Authenticated by the Database 3-24 Using the Operating System to Authenticate Users 3-25 Using the Network to Authenticate Users 3-26 Authentication Using Secure Sockets Layer 3-26 Authentication Using Third-Party Services 3-26 Configuring Global User Authentication and Authorization 3-28 Creating a User Who Is Authorized by a Directory Service 3-28 Creating a Global User Who Has a Private Schema 3-29 Creating Multiple Enterprise Users Who Share Schemas 3-29 Advantages of Global Authentication and Global Authorization 3-29 Configuring an External Service to Authenticate Users and Passwords 3-30 About External Authentication 3-30 Advantages of External Authentication 3-31 Creating a User Who Is Authenticated Externally 3-31 Authenticating User Logins Using the Operating System 3-31 Authentication User Logins Using Network Authentication 3-32 Using Multitier Authentication and Authorization 3-32 Administration and Security in Clients, Application Servers, and Database Servers 3-32 Preserving User Identity in Multitiered Environments 3-34 Using a Middle Tier Server for Proxy Authentication 3-34 About Proxy Authentication 3-34 Advantages of Proxy Authentication 3-35 Who Can Create Proxy User Accounts? 3-36 Creating Proxy User Accounts and Authorizing Users to Connect Through Them 3-36 Using Proxy Authentication with the Secure External Password Store 3-38 Passing Through the Identity of the Real User by Using Proxy Authentication 3-38 Limiting the Privilege of the Middle Tier 3-39 Authorizing a Middle Tier to Proxy and Authenticate a User 3-40 Authorizing a Middle Tier to Proxy a User Authenticated by Other Means 3-40 Reauthenticating the User Through the Middle Tier to the Database 3-41 Using Client Identifiers to Identify Application Users Not Known to the Database 3-42 How Client Identifiers Work in Middle Tier Systems 3-42 Using the CLIENT_IDENTIFIER Attribute to Preserve User Identity 3-43 Using CLIENT_IDENTIFIER Independent of Global Application Context 3-43 Using the DBMS_SESSION PL/SQL Package to Set and Clear the Client Identifier 3-44 Finding Information About User Authentication 3-45 vi 4 Configuring Privilege and Role Authorization About Privileges and Roles 4-1 Who Should Be Granted Privileges? 4-2 Managing System Privileges 4-2 About System Privileges 4-2 Why Is It Important to Restrict System Privileges? 4-3 Restricting System Privileges by Securing the Data Dictionary 4-3 Securing Scheduler Jobs That Run in the Schema of a Grantee 4-4 Allowing Access to Objects in the SYS Schema 4-4 Granting and Revoking System Privileges 4-4 Who Can Grant or Revoke System Privileges? 4-5 About ANY Privileges and the PUBLIC Role 4-5 Managing User Roles 4-6 About User Roles 4-6 The Functionality of Roles 4-6 Properties of Roles and Why They Are Advantageous 4-7 Common Uses of Roles 4-8 How Roles Affect the Scope of a User's Privileges 4-9 How Roles Work in PL/SQL Blocks 4-9 How Roles Aid or Restrict DDL Usage 4-9 How Operating Systems Can Aid Roles 4-10 How Roles Work in a Distributed Environment 4-11 Predefined Roles in an Oracle Database Installation 4-11 Creating a Role 4-16 Specifying the Type of Role Authorization 4-17 Authorizing a Role by Using the Database 4-17 Authorizing a Role by Using an Application 4-18 Authorizing a Role by Using an External Source 4-18 Global Role Authorization by an Enterprise Directory Service 4-19 Granting and Revoking Roles 4-19 Who Can Grant or Revoke Roles? 4-20 Dropping Roles 4-20 Restricting SQL*Plus Users from Using Database Roles 4-21 Potential Security Problems of Using Ad Hoc Tools 4-21 Limiting Roles Through the PRODUCT_USER_PROFILE Table 4-21 Using Stored Procedures to Encapsulate Business Logic 4-22 Securing Role Privileges by Using Secure Application Roles 4-22 Managing Object Privileges 4-23 About Object Privileges 4-23 Granting or Revoking Object Privileges 4-23 Managing Object Privileges 4-24 Granting and Revoking Object Privileges 4-24 Who Can Grant Object Privileges? 4-24 Using Object Privileges with Synonyms 4-25 Managing Table Privileges 4-26 How Table Privileges Affect Data Manipulation Language Operations 4-26 How Table Privileges Affect Data Definition Language Operations 4-26 vii Managing View Privileges 4-27 About View Privileges 4-27 Privileges Required to Create Views 4-27 Increasing Table Security with Views 4-27 Managing Procedure Privileges 4-28 Using the EXECUTE Privilege for Procedure Privileges 4-28 Procedure Execution and Security Domains 4-29 How Procedure Privileges Affect Definer’s Rights 4-29 How Procedure Privileges Affect Invoker’s Rights 4-29 System Privileges Required to Create or Replace a Procedure 4-30 System Privileges Required to Compile a Procedure 4-31 How Procedure Privileges Affect Packages and Package Objects 4-31 Managing Type Privileges 4-32 System Privileges for Named Types 4-33 Object Privileges 4-33 Method Execution Model 4-33 Privileges Required to Create Types and Tables Using Types 4-33 Example of Privileges for Creating Types and Tables Using Types 4-34 Privileges on Type Access and Object Access 4-35 Type Dependencies 4-36 Granting a User Privileges and Roles 4-36 Granting System Privileges and Roles 4-37 Granting the ADMIN OPTION 4-37 Creating a New User with the GRANT Statement 4-37 Granting Object Privileges 4-38 Specifying the GRANT OPTION Clause 4-38 Granting Object Privileges on Behalf of the Object Owner 4-39 Granting Privileges on Columns 4-40 Row-Level Access Control 4-40 Revoking Privileges and Roles from a User 4-40 Revoking System Privileges and Roles 4-41 Revoking Object Privileges 4-41 Revoking Object Privileges on Behalf of the Object Owner 4-41 Revoking Column-Selective Object Privileges 4-42 Revoking the REFERENCES Object Privilege 4-42 Cascading Effects of Revoking Privileges 4-43 Cascading Effects When Revoking System Privileges 4-43 Cascading Effects When Revoking Object Privileges 4-43 Granting to and Revoking from the PUBLIC Role 4-44 Granting Roles Using the Operating System or Network 4-44 About Granting Roles Using the Operating System or Network 4-44 Using Operating System Role Identification 4-45 Using Operating System Role Management 4-46 Granting and Revoking Roles When OS_ROLES Is Set to TRUE 4-46 Enabling and Disabling Roles When OS_ROLES Is Set to TRUE 4-46 Using Network Connections with Operating System Role Management 4-47 When Do Grants and Revokes Take Effect? 4-47 viii How the SET ROLE Statement Affects Grants and Revokes 4-47 Specifying Default Roles 4-47 Restricting the Number of Roles That a User Can Enable 4-48 Managing Fine-Grained Access to External Network Services 4-48 About Fine-Grained Access to External Network Services 4-49 Upgrading Applications That Depend on the PL/SQL Network Utility Packages 4-49 Creating an Access Control List for External Network Services 4-49 Step 1: Create the Access Control List and Its Privilege Definitions 4-50 Step 2: Assign the Access Control List to One or More Network Hosts 4-52 Examples of Creating Access Control Lists 4-53 Example of an Access Control List for a Single Role and Network Connection 4-54 Example of an Access Control List with Multiple Roles Assigned to Multiple Hosts 4-54 Specifying a Group of Network Host Computers 4-56 Precedence Order for a Host Computer in Multiple Access Control List Assignments 4-56 Precedence Order for a Host in Access Control List Assignments with Port Ranges 4-57 Checking Privilege Assignments That Affect User Access to a Network Host 4-57 How a DBA Can Check User Network Connection and Domain Privileges 4-58 How Users Can Check Their Network Connection and Domain Privileges 4-59 Setting the Precedence of Multiple Users and Roles in One Access Control List 4-60 Finding Information About Access Control Lists 4-61 Finding Information About User Privileges and Roles 4-62 Listing All System Privilege Grants 4-63 Listing All Role Grants 4-64 Listing Object Privileges Granted to a User 4-64 Listing the Current Privilege Domain of Your Session 4-64 Listing Roles of the Database 4-65 Listing Information About the Privilege Domains of Roles 4-65 5 Managing Security for Application Developers About Application Security Policies 5-1 Considerations for Using Application-Based Security 5-1 Are Application Users Also Database Users? 5-2 Is Security Better Enforced in the Application or in the Database? 5-2 Securing Passwords in Application Design 5-3 General Guidelines for Securing Passwords in Applications 5-3 Platform-Specific Security Threats 5-3 Designing Applications to Handle Password Input 5-4 Configuring Password Formats and Behavior 5-5 Handling Passwords in SQL*Plus and SQL Scripts 5-5 Securing Passwords Using an External Password Store 5-7 Securing Passwords Using the orapwd Utility 5-7 Example of Reading Passwords in Java 5-7 Managing Application Privileges 5-11 Creating Secure Application Roles to Control Access to Applications 5-12 Step 1: Create the Secure Application Role 5-12 Step 2: Create a PL/SQL Package to Define the Access Policy for the Application 5-13 Associating Privileges with User Database Roles 5-14 ix Why Users Should Only Have the Privileges of the Current Database Role 5-15 Using the SET ROLE Statement to Automatically Enable or Disable Roles 5-15 Protecting Database Objects by Using Schemas 5-15 Protecting Database Objects in a Unique Schema 5-15 Protecting Database Objects in a Shared Schema 5-16 Managing Object Privileges in an Application 5-16 What Application Developers Need to Know About Object Privileges 5-16 SQL Statements Permitted by Object Privileges 5-17 Parameters for Enhanced Security of Database Communication 5-17 Reporting Bad Packets Received on the Database from Protocol Errors 5-18 Terminating or Resuming Server Execution After Receiving a Bad Packet 5-18 Configuring the Maximum Number of Authentication Attempts 5-19 Controlling the Display of the Database Version Banner 5-19 Configuring Banners for Unauthorized Access and Auditing User Actions 5-20 6 Using Application Contexts to Retrieve User Information About Application Contexts 6-1 What Is an Application Context? 6-1 Components of the Application Context 6-1 Where Are the Application Context Values Stored? 6-2 Benefits of Using Application Contexts 6-2 Types of Application Contexts 6-3 Using Database Session-Based Application Contexts 6-4 About Database Session-Based Application Contexts 6-4 Creating a Database Session-Based Application Context 6-5 Creating a PL/SQL Package to Set the Database Session-Based Application Context 6-6 About the Package That Manages the Database Session-Based Application Context 6-6 Using SYS_CONTEXT to Retrieve Session Information 6-7 Using Dynamic SQL with SYS_CONTEXT 6-8 Using SYS_CONTEXT in a Parallel Query 6-8 Using SYS_CONTEXT with Database Links 6-9 Using DBMS_SESSION.SET_CONTEXT to Set Session Information 6-9 Creating a Logon Trigger to Run a Database Session Application Context Package 6-11 Tutorial: Creating and Using a Database Session-Based Application Context 6-12 About This Tutorial 6-12 Step 1: Create User Accounts and Ensure the User SCOTT Is Active 6-12 Step 2: Create the Database Session-Based Application Context 6-13 Step 3: Create a Package to Retrieve Session Data and Set the Application Context 6-13 Step 4: Create a Logon Trigger for the Package 6-15 Step 5: Test the Application Context 6-15 Step 6: Remove the Components for This Tutorial 6-15 Initializing Database Session-Based Application Contexts Externally 6-16 Obtaining Default Values from Users 6-16 Obtaining Values from Other External Resources 6-16 Initializing Application Context Values from a Middle-Tier Server 6-17 Initializing Database Session-Based Application Contexts Globally 6-17 About Initializing Database Session-Based Application Contexts Globally 6-17 x Using Database Session-Based Application Contexts with LDAP 6-18 How Globally Initialized Database Session-Based Application Contexts Work 6-19 Example of Initializing a Database Session-Based Application Context Globally 6-19 Using Externalized Database Session-Based Application Contexts 6-21 Using Global Application Contexts 6-22 About Global Application Contexts 6-22 Creating a Global Application Context 6-23 Creating a PL/SQL Package to Manage a Global Application Context 6-23 About the Package That Manages the Global Application Context 6-24 Setting the DBMS_SESSION.SET_CONTEXT username and client_id Parameters 6-24 Sharing Global Application Context Values for All Database Users 6-25 Setting a Global Context for Database Users Who Move Between Applications 6-26 Setting a Global Application Context for Nondatabase Users 6-27 Clearing Session Data When the Session Closes 6-30 Embedding Calls in Middle-Tier Applications to Manage the Client Session ID 6-31 About Managing Client Session IDs Using a Middle-Tier Application 6-31 Retrieving the Client Session ID Using a Middle-Tier Application 6-31 Setting the Client Session ID Using a Middle-Tier Application 6-32 Clearing Session Data Using a Middle-Tier Application 6-33 Tutorial: Creating a Global Application Context That Uses a Client Session ID 6-34 About This Tutorial 6-34 Step 1: Create User Accounts 6-34 Step 2: Create the Global Application Context 6-34 Step 3: Create a Package for the Global Application Context 6-35 Step 4: Test the Global Application Context 6-36 Step 5: Remove the Components for This Tutorial 6-38 Global Application Context Processes 6-38 Simple Global Application Context Process 6-38 Global Application Context Process for Lightweight Users 6-39 Using Client Session-Based Application Contexts 6-41 About Client Session-Based Application Contexts 6-41 Setting a Value in the CLIENTCONTEXT Namespace 6-42 Retrieving the Client Session ID 6-42 Clearing a Setting in the CLIENTCONTEXT Namespace 6-43 Clearing All Settings in the CLIENTCONTEXT Namespace 6-44 Finding Information About Application Contexts 6-44 7 Using Oracle Virtual Private Database to Control Data Access About Oracle Virtual Private Database 7-1 What Is Oracle Virtual Private Database? 7-1 Benefits of Using Oracle Virtual Private Database Policies 7-2 Basing Security Policies on Database Objects Rather Than Applications 7-2 Controlling How Oracle Database Evaluates Policy Functions 7-3 Which Privileges Are Used to Run Oracle Virtual Private Database Policy Functions? 7-3 Using Oracle Virtual Private Database with an Application Context 7-3 Components of an Oracle Virtual Private Database Policy 7-4 Creating a Function to Generate the Dynamic WHERE Clause 7-4 [...]... more security- related information, see these Oracle resources: ■ Oracle Database Administrator's Guide ■ Oracle Database 2 Day DBA ■ Oracle Database 2 Day + Security Guide ■ Oracle Database Concepts ■ Oracle Database Reference ■ Oracle Database Vault Administrator's Guide Many of the examples in this guide use the sample schemas of the seed database, which you can create when you install Oracle Database. .. "Keeping Your Oracle Database Secure" provides guidelines that you should follow when you secure your Oracle Database installation Additional Database Security Resources In addition to the security resources described in this guide, Oracle Database provides the following database security products: ■ ■ ■ ■ ■ Advanced security features See Oracle Database Advanced Security Administrator's Guide for information... for Enhanced Security of Database Communication" on page 5-17 for more information See also Oracle Call Interface Programmer's Guide for detailed information on Oracle Call Interface xxxi xxxii 1 1 Introducing Oracle Database Security This chapter contains: ■ About Oracle Database Security ■ Additional Database Security Resources About Oracle Database Security You can use the default Oracle Database features... Oracle Database Secure About the Security Guidelines in This Chapter Downloading Security Patches and Contacting Oracle Regarding Vulnerabilities Applying Security Patches and Workaround Solutions Contacting Oracle Security Regarding Vulnerabilities in Oracle Database Guidelines for Securing User Accounts and Privileges Guidelines for Securing Roles Guidelines... Administrator's Guide explains how to administer Oracle Audit Vault Oracle Enterprise User Security Oracle Enterprise User Security enables you to manage user security at the enterprise level Oracle Database Enterprise User Security Administrator's Guide explains how to configure Oracle Enterprise User Security In addition to these products, you can find the latest information about Oracle Database security, ... Limits ■ Deleting User Accounts ■ Finding Information About Database Users and Profiles About User Security Each Oracle database has a list of valid database users To access a database, a user must run a database application, and connect to the database instance using a valid user name defined in the database Oracle Database enables you to set up security for your users in a variety of ways When you create... security, such as new products and important information about security patches and alerts, by visiting the Security Technology Center on Oracle Technology Network at http://www.oracle.com/technetwork/topics /security/ whatsnew/index.html 1-2 Oracle Database Security Guide 2 2 Managing Security for Oracle Database Users This chapter contains: ■ About User Security ■ Creating User Accounts ■ Altering User Accounts... encryption, see Oracle Database 2 Day + Security Guide For detailed information about transparent tablespace encryption, see Oracle Database Advanced Security Administrator's Guide xxix Fine-Grained Access Control on Network Services on the Database Oracle Database provides a set of PL/SQL utility packages, such as UTL_TCP, UTL_SMTP, UTL_MAIL, UTL_HTTP, and UTL_INADDR, that are designed to enable database users... and Flashback Query Using Oracle Virtual Private Database and Oracle Label Security Using Oracle Virtual Private Database to Enforce Oracle Label Security Policies Oracle Virtual Private Database and Oracle Label Security Exceptions User Models and Oracle Virtual Private Database Finding Information About Oracle Virtual Private Database Policies 8 7-29 7-30 7-31 7-32 7-33 7-33... Database Security Guide This guide describes how you can configure security for Oracle Database by using the default database features This preface contains these topics: ■ Audience ■ Documentation Accessibility ■ Related Documents ■ Conventions Audience Oracle Database Security Guide is intended for database administrators (DBAs), security administrators, application developers, and others tasked . Introducing Oracle Database Security About Oracle Database Security 1-1 Additional Database Security Resources 1-2 2 Managing Security for Oracle Database Users. Oracle® Database Security Guide 11g Release 1 (11.1) B28531-19 December 2012 Oracle Database Security Guide 11g Release 1 (11.1)