Are Your Oraclel 11g Databases Secure?

Author: Joseph Cuesta, DBA, Ross Group Inc.

March 2010

Situation

Your company has Oracle 11g databases with sensitive and confidential data and it is your responsibility to make sure the databases and the data are secure.

Problem

There have been numerous attempts to breach the security of your network and databases.

Tips and Tricks to keeping Your Oracle Databases Secure

User Account and Privilege Policies

Practice the principle of least privilege.

  1. Grant necessary privileges only.
  2. Restrict the CREATE ANY JOB, BECOME USER, EXP_FULL_DATABASE, and IMP_FULL_DATABASE privileges.
  3. Do not allow non-administrative users access to objects owned by the SYS schema.
  4. Revoke unnecessary privileges from the PUBLIC user group.
  5. Restrict permissions on run-time facilities.

Lock and expire default (predefined) user accounts.

Use the following views to ensure that access is granted. Only users and roles that need access should be granted access to them.

  1. DBA_*
  2. DBA_ROLES
  3. DBA_SYS_PRIVS
  4. DBA_ROLE_PRIVS
  5. DBA_TAB_PRIVS
  6. DBA_AUDIT_TRAIL (if standard auditing is enabled)
  7. DBA_FGA_AUDIT_TRAIL (if fine-grained auditing is enabled)

 

Monitor the granting of the following privileges only to users and roles who need these privileges.

By default, Oracle Database audits the following privileges:

  1. ALTER SYSTEM
  2. AUDIT SYSTEM
  3. o CREATE EXTERNAL JOB

 

Revoke access to the following:

 

  1. The SYS.USER_HISTORY$ table from all users except SYS and DBA accounts
  2. The RESOURCE role from typical application accounts
  3. The CONNECT role from typical application accounts
  4. The DBA role from users who do not need this role

 

Grant privileges only to roles.

Granting privileges to roles and not individual users makes the management and tracking of privileges much easier.

Role Policies

Guidelines for managing roles:

  1. Grant a role to users only if they need all privileges of the role.
  2. Do not grant user roles to application developers.
  3. Create and assign roles specific to each Oracle Database installation.
  4. For enterprise users, create global roles.

Password Policies

Simple management policies:

  1. Enable password complexity requirements.
  2. Change default user passwords.
  3. Change default passwords of administrative users.
  4. Enforce password management.
  5. Do not store user passwords in clear text in Oracle tables.

Secure Your Data

Guidelines to secure data on your system:

  1. Enable data dictionary protection.
  2. Restrict operating system access.
  3. Encrypt sensitive data and all backup media that contains database files.
  4. Enforce access controls effectively and authenticate clients stringently.
  5. Configure the connection to use encryption.
  6. Use Secure Sockets Layer (SSL) when administering the listener.
  7. Monitor listener activity.

Secure the Network

Secure the Network Connection

You can monitor listener activity by using Enterprise Manager Database Control.  In the Database Control home page, under General, click the link for your listener.  The Listener page appears.  This page provides detailed information, such as the category of alert generated, alert messages, when the alert was triggered, and so on. This page provides other information as well, such as performance statistics for the listener.

  1. Prevent online administration by requiring the administrator to have the write privilege on the listener password and on the listener.ora file on the server.
  2. Do not set the listener password.
  3. When a host computer has multiple IP addresses associated with multiple network interface controller (NIC) cards, configure the listener to the specific IP address.
  4. Restrict the privileges of the listener, so that it cannot read or write files in the database or the Oracle server address space.
  5. Use encryption to secure the data in flight.
  6. Use a firewall.

Prevent unauthorized administration of the Oracle listener.

Check network IP addresses.

      tcp.validnode_checking = YES
 
tcp.excluded_nodes = {list of IP addresses}
 
tcp.invited_nodes = {list of IP addresses}

Encrypt network traffic.

Secure SSL

  1. Ensure that configuration files (for example, for clients and listeners) use the correct port for SSL, which is the port configured upon installation.
  2. Ensure that TCPS is specified as the PROTOCOL in the ADDRESS parameter in the tnsnames.ora file (typically on the client or in the LDAP directory).
  3. Ensure that the SSL mode is consistent for both ends of every communication. For example, the database (on one side) and the user or application (on the other) must have the same SSL mode.
  4. Ensure that the server supports the client cipher suites and the certificate key algorithm in use.
  5. Enable DN matching for both the server and client, to prevent the server from falsifying its identity to the client during connections.
  6. Do not remove the encryption from your RSA private key inside your server.key file, which requires that you enter your pass phrase to read and parse this file.
  7. Audit Sensitive Information
  8. Enable Default Auditing of SQL Statements and Privileges
  9. Keep Audited Information Manageable
  10. Audit Typical Database Activity
  11. Audit Suspicious Database Activity

Audit

These are just a few of the highlights for keeping your Oracle databases secure, for more detailed information regarding database security for your Oracle databases, please see http://www.oracle.com/pls/db112/homepage.

If you have any questions or need support to protect and keep your Oracle databases secure, please contact Gary Codeluppi at 937-912-3273 or visit the Ross Group Inc web site at www.rossgroupinc.com.

rossgroup 

 

search | login