Oracle Database Security Guide, 10g Release 1 (10.1)
Part No. B10773-01
December 2003

Copyright © 2003 Oracle Corporation. All rights reserved.

Primary Authors: Laurel P. Hale, Jeffrey Levinger
Contributing Authors: Ruth Baylis, Michele Cyran, John Russell
Graphic Designer: Valarie Moore

The Programs (which include both the software and documentation) contain proprietary information of Oracle Corporation; they are provided under a license agreement containing restrictions on use and disclosure and are also protected by copyright, patent and other intellectual and industrial property laws. Reverse engineering, disassembly or decompilation of the Programs, except to the extent required to obtain interoperability with other independently created software or as specified by law, is prohibited.

The information contained in this document is subject to change without notice. If you find any problems in the documentation, please report them to us in writing. Oracle Corporation does not warrant that this document is error-free. Except as may be expressly permitted in your license agreement for these Programs, no part of these Programs may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Oracle Corporation.

If the Programs are delivered to the U.S. Government or anyone licensing or using the programs on behalf of the U.S. Government, the following notice is applicable:

Restricted Rights Notice. Programs delivered subject to the DOD FAR Supplement are "commercial computer software" and use, duplication, and disclosure of the Programs, including documentation, shall be subject to the licensing restrictions set forth in the applicable Oracle license agreement.
Otherwise, Programs delivered subject to the Federal Acquisition Regulations are "restricted computer software" and use, duplication, and disclosure of the Programs shall be subject to the restrictions in FAR 52.227-19, Commercial Computer Software - Restricted Rights (June, 1987). Oracle Corporation, 500 Oracle Parkway, Redwood City, CA 94065.

The Programs are not intended for use in any nuclear, aviation, mass transit, medical, or other inherently dangerous applications. It shall be the licensee's responsibility to take all appropriate fail-safe, backup, redundancy, and other measures to ensure the safe use of such applications if the Programs are used for such purposes, and Oracle Corporation disclaims liability for any damages caused by such use of the Programs.

Oracle is a registered trademark, and Oracle Store, Oracle8i, Oracle9i, PL/SQL, SQL*Net, and SQL*Plus are trademarks or registered trademarks of Oracle Corporation. Other names may be trademarks of their respective owners.

Contents

List of Figures
List of Tables
Send Us Your Comments xxi
Preface xxiii
  Audience xxiv
  Organization xxiv
  Related Documentation xxvii
  Conventions xxviii
  Documentation Accessibility xxxii
What's New in Oracle Database Security? xxxv
  New Features in Virtual Private Database xxxvi
  New Features in Auditing xxxvii
  New PL/SQL Encryption Package: DBMS_CRYPTO xxxviii

Part I Overview of Security Considerations and Requirements

1 Security Requirements, Threats, and Concepts
  Identity Management: Security in Complex, High Volume Environments 1-4
    Desired Benefits of Identity Management 1-5
    Components of Oracle's Identity Management Infrastructure 1-6

2 Security Checklists and Recommendations
  Physical Access Control Checklist 2-2
  Personnel Checklist 2-2
  Secure Installation and Configuration Checklist 2-3
  Networking Security Checklists 2-7
    SSL (Secure Sockets Layer) Checklist 2-7
    Client Checklist 2-8
    Listener Checklist 2-9
    Network Checklist 2-9

3 Security Policies and Tips
  Introduction to Database Security Policies 3-1
    Security Threats and Countermeasures 3-1
    What Information Security Policies Can Cover 3-2
  Recommended Application Design Practices to Reduce Risk 3-4
    Tip 1: Enable and Disable Roles Promptly 3-5
    Tip 2: Encapsulate Privileges in Stored Procedures 3-6
    Tip 3: Use Role Passwords Unknown to the User 3-7
    Tip 4: Use Proxy Authentication and a Secure Application Role 3-7
    Tip 5: Use Secure Application Role to Verify IP Address 3-8
    Tip 6: Use Application Context and Fine-Grained Access Control 3-9

Part II Security Features, Concepts, and Alternatives

4 Authentication Methods
  Authentication by the Operating System 4-2
  Authentication by the Network 4-2
    Authentication by the Secure Socket Layer Protocol 4-3
    Authentication Using Third-Party Services 4-3
      DCE Authentication 4-4
      Kerberos Authentication 4-4
      Public Key Infrastructure-Based Authentication 4-4
      Authentication with RADIUS 4-6
      Directory-based Services 4-7
  Authentication by the Oracle Database 4-8
    Password Encryption While Connecting 4-8
    Account Locking 4-9
    Password Lifetime and Expiration 4-9
    Password History 4-9
    Password Complexity Verification 4-10
  Multitier Authentication and Authorization 4-10
    Clients, Application Servers, and Database Servers 4-11
    Security Issues for Middle-Tier Applications 4-13
    Identity Issues in a Multitier Environment 4-14
    Restricted Privileges in a Multitier Environment 4-14
      Client Privileges 4-14
      Application Server Privileges 4-14
  Authentication of Database Administrators 4-14

5 Authorization: Privileges, Roles, Profiles, and Resource Limitations
  Introduction to Privileges 5-2
  System Privileges 5-3
    Granting and Revoking System Privileges 5-3
    Who Can Grant or Revoke System Privileges? 5-4
  Schema Object Privileges 5-4
    Granting and Revoking Schema Object Privileges 5-5
    Who Can Grant Schema Object Privileges? 5-5
    Using Privileges with Synonyms 5-6
  Table Privileges 5-6
    Data Manipulation Language (DML) Operations 5-6
    Data Definition Language (DDL) Operations 5-7
  View Privileges 5-7
    Privileges Required to Create Views 5-8
    Increasing Table Security with Views 5-8
  Procedure Privileges 5-9
    Procedure Execution and Security Domains 5-10
    System Privileges Needed to Create or Alter a Procedure 5-12
    Packages and Package Objects 5-12
  Type Privileges 5-14
    System Privileges for Named Types 5-14
    Object Privileges 5-15
    Method Execution Model 5-15
    Privileges Required to Create Types and Tables Using Types 5-15
    Example of Privileges for Creating Types and Tables Using Types 5-16
    Privileges on Type Access and Object Access 5-17
    Type Dependencies 5-19
  Introduction to Roles 5-19
    Properties of Roles 5-20
    Common Uses for Roles 5-21
      Application Roles 5-22
      User Roles 5-22
    Granting and Revoking Roles 5-22
    Who Can Grant or Revoke Roles? 5-23
    Security Domains of Roles and Users 5-23
    PL/SQL Blocks and Roles 5-24
      Named Blocks with Definer's Rights 5-24
      Anonymous Blocks with Invoker's Rights 5-24
    Data Definition Language Statements and Roles 5-24
    Predefined Roles 5-26
    The Operating System and Roles 5-26
    Roles in a Distributed Environment 5-26
  Secure Application Roles 5-27
    Creation of Secure Application Roles 5-27
  User Resource Limits 5-28
    Types of System Resources and Limits 5-29
      Session Level 5-29
      Call Level 5-30
      CPU Time 5-30
      Logical Reads 5-30
      Limiting Other Resources 5-30
    Profiles 5-32
    Determining Values for Resource Limits 5-32

6 Access Controls on Tables, Views, Synonyms, or Rows
  Introduction to Views 6-2
  Fine-Grained Access Control 6-3
    Dynamic Predicates 6-5
    Application Context 6-6
    Dynamic Contexts 6-8
  Security Followup: Auditing as well as Prevention 6-9

7 Security Policies
  System Security Policy 7-1
    Database User Management 7-2
    User Authentication 7-2
    Operating System Security 7-2
  Data Security Policy 7-3
  User Security Policy 7-4
    General User Security 7-4
      Password Security 7-4
      Privilege Management 7-5
    End-User Security 7-5
      Using Roles for End-User Privilege Management 7-5
      Using a Directory Service for End-User Privilege Management 7-7
    Administrator Security 7-7
      Protection for Connections as SYS and SYSTEM 7-7
      Protection for Administrator Connections 7-7
      Using Roles for Administrator Privilege Management 7-8
    Application Developer Security 7-9
      Application Developers and Their Privileges 7-9
      The Application Developer's Environment: Test and Production Databases 7-10
      Free Versus Controlled Application Development 7-10
      Roles and Privileges for Application Developers 7-10
      Space Restrictions Imposed on Application Developers 7-11
    Application Administrator Security 7-11
  Password Management Policy 7-12
    Account Locking 7-12
    Password Aging and Expiration 7-13
    Password History 7-15
    Password Complexity Verification 7-16
      Password Verification Routine Formatting Guidelines 7-16
      Sample Password Verification Routine 7-17
  Auditing Policy 7-20
  A Security Checklist 7-20

8 Database Auditing: Security Considerations
  Auditing Types and Records 8-2
    Audit Records and the Audit Trails 8-3
      Database Audit Trail (DBA_AUDIT_TRAIL) 8-4
      Operating System Audit Trail 8-5
      Operating System Audit Records 8-6
      Records Always in the Operating System Audit Trail 8-7
    When Are Audit Records Created? 8-7
  Statement Auditing 8-9
  Privilege Auditing 8-9
  Schema Object Auditing 8-10
    Schema Object Audit Options for Views, Procedures, and Other Elements 8-10
  Focusing Statement, Privilege, and Schema Object Auditing 8-12
    Auditing Statement Executions: Successful, Unsuccessful, or Both 8-12
    Number of Audit Records from Multiple Executions of a Statement 8-13
      BY SESSION 8-13
      BY ACCESS 8-14
    Audit By User 8-15
  Auditing in a Multitier Environment 8-15
  Fine-Grained Auditing 8-16

Part III Security Implementation, Configuration, and Administration

9 Administering Authentication
  User Authentication Methods 9-1
    Database Authentication 9-1
      Creating a User Who is Authenticated by the Database 9-2
      Advantages of Database Authentication 9-3
    External Authentication 9-3
      Creating a User Who is Authenticated Externally 9-4
      Operating System Authentication 9-4
      Network Authentication 9-5
      Advantages of External Authentication 9-5
    Global Authentication and Authorization 9-5
      Creating a User Who is Authorized by a Directory Service 9-6
      Advantages of Global Authentication and Global Authorization 9-7
    Proxy Authentication and Authorization 9-8
      Authorizing a Middle Tier to Proxy and Authenticate a User 9-9
      Authorizing a Middle Tier to Proxy a User Authenticated by Other Means 9-9

10 Administering User Privileges, Roles, and Profiles
  Managing Oracle Users 10-1
    Creating Users 10-2
      Specifying a Name 10-3
      Setting a User's Authentication 10-3
      Assigning a Default Tablespace 10-3
      Assigning Tablespace Quotas 10-4
      Assigning a Temporary Tablespace 10-5
      Specifying a Profile 10-6
      Setting Default Roles 10-6
    Altering Users 10-7
      Changing a User's Authentication Mechanism 10-7
      Changing a User's Default Roles 10-8
    Dropping Users 10-8
  Viewing Information About Database Users and Profiles 10-9
    User and Profile Information in Data Dictionary Views 10-9
    Listing All Users and Associated Information 10-11
    Listing All Tablespace Quotas 10-11
    Listing All Profiles and Assigned Limits 10-11
    Viewing Memory Use for Each User Session 10-12
  Managing Resources with Profiles 10-13
    Dropping Profiles 10-14
  Understanding User Privileges and Roles 10-15
    System Privileges 10-15
      Restricting System Privileges 10-15
      Accessing Objects in the SYS Schema 10-16
    Object Privileges 10-17
    User Roles 10-18
  Managing User Roles 10-20
    Creating a Role 10-20
    Specifying the Type of Role Authorization 10-21
      Role Authorization by the Database 10-21
      Role Authorization by an Application 10-22
      Role Authorization by an External Source 10-22
      Role Authorization by an Enterprise Directory Service 10-23
    Dropping Roles 10-24
  Granting User Privileges and Roles 10-24
    Granting System Privileges and Roles 10-24
      Granting the ADMIN OPTION 10-25
      Creating a New User with the GRANT Statement 10-26
    Granting Object Privileges 10-26
      Specifying the GRANT OPTION 10-27
      Granting Object Privileges on Behalf of the Object Owner 10-27
      Granting Privileges on Columns 10-29
      Row-Level Access Control 10-29
  Revoking User Privileges and Roles 10-29
    Revoking System Privileges and Roles 10-30
    Revoking Object Privileges 10-30
      Revoking Object Privileges on Behalf of the Object Owner 10-31
      Revoking Column-Selective Object Privileges 10-32
      Revoking the REFERENCES Object Privilege 10-32
    Cascading Effects of Revoking Privileges 10-32
      System Privileges 10-33
      Object Privileges 10-33
  Granting to and Revoking from the User Group PUBLIC 10-34
  When Do Grants and Revokes Take Effect? 10-35
    The SET ROLE Statement 10-35

[...]
[...] DISABLE_POLICY Procedure
    Syntax
    Parameters

12 Introducing Database Security for Application Developers
  About Application Security Policies
  Considerations for Using Application-Based Security
    Are Application Users Also Database Users?
    Is Security Enforced in the Application or in the Database?
  Managing Application Privileges [...]

13 Using Virtual Private Database to Implement Application Security Policies (fragments)
  [...] Control 13-6
    Features of Fine-Grained Access Control 13-6
      Table-, View-, or Synonym-Based Security Policies 13-6
      Multiple Policies for Each Table, View, or Synonym 13-7
      Grouping of Security Policies 13-7
      High Performance 13-8
      Default Security Policies 13-8
    About Creating a Virtual Private Database Policy with Oracle Policy Manager [...]
  [...] 13-16
    Using Application Context to Return a Specific Predicate (Security Policy) 13-16
    Using Application Context to Provide Attributes Similar to Bind Variables in a Predicate 13-17
  Introduction to Global Application Context 13-17
  Enforcing Application Security 13-18
    Use of Ad Hoc Tools a Potential Security Problem 13-18
    Restricting SQL*Plus Users from [...]

Send Us Your Comments

[...] the software, please contact your local Oracle Support Services.

Preface

This document provides a comprehensive overview of security for Oracle Database. It includes conceptual information about security requirements and threats, descriptions of Oracle Database security features, and procedural information that explains how to use those features to secure your database.

This preface contains [...]
- [...] Documentation
- Conventions
- Documentation Accessibility

Audience

The Oracle Database Security Guide is intended for database administrators (DBAs), security administrators, application developers, and others tasked with performing the following operations securely and efficiently:
- Designing and implementing security policies to protect the organization's data, users, and applications from accidental, [...]

Organization

[...] contains:

Part I, "Overview of Security Considerations and Requirements"
Part I presents fundamental concepts of data security, and offers checklists and policies to aid in securing your site's data, operations, and users.

Chapter 1, "Security Requirements, Threats, and Concepts"
This chapter presents fundamental concepts of data security requirements and threats.

Chapter 2, "Security Checklists and Recommendations"
[...] installation's vulnerabilities.

Chapter 3, "Security Policies and Tips"
This chapter presents basic general security policies, with specific chapter references, that apply to every site. These you must understand and apply to the unique considerations of your own site. The chapter also introduces general application design practices regarding roles and privileges.

Part II, "Security Features, Concepts, and Alternatives"
[...]

[...] dynamic predicates establishing the restrictions.

Chapter 7, "Security Policies"
This chapter discusses security policies in separate sections dealing with system security, data security, user security, password management, and auditing. It concludes with a more detailed version of the checklist first presented in Chapter 2.

Chapter 8, "Database Auditing: Security Considerations"
This chapter presents auditing [...] user name, application, time, and so on. Security policies can trigger auditing when specified elements in an Oracle database are accessed or altered, including the contents within a specified object.

Part III, "Security Implementation, Configuration, and Administration"
Part III presents the details of setting up, configuring, and administering Oracle Database security features.

Chapter 9, "Administering [...]

[...] and enable finely-tuned security responses.

Chapter 12, "Introducing Database Security for Application Developers"
This chapter provides an introduction to the security challenges that face application developers and includes an overview of Oracle Database features they can use to develop secure applications.

Chapter 13, "Using Virtual Private Database to Implement Application Security Policies"
This [...]