CommitDBA

Database Management Simplified


Are your Oracle 11g Databases Secure?

By: Joseph Cuesta, CommitDBA staff Database Administrator

November 04, 2011


Situation

Your company has Oracle 11g databases with sensitive and confidential data and it is your responsibility to make sure the databases and the data are secure.

Problem

There have been numerous attempts to breach the security of your network and databases.

Solution & Tips

User Account and Privilege Policies


Practice the principle of least privilege.


  1. Grant only the privileges a user or role actually needs.
  2. Restrict the CREATE ANY JOB and BECOME USER system privileges and the EXP_FULL_DATABASE and IMP_FULL_DATABASE roles; each of them lets the holder act as, or read the data of, other schemas.
  3. Revoke unnecessary privileges from the PUBLIC role, since anything granted to PUBLIC is granted to every user.
  4. Restrict permissions on run-time facilities such as the Oracle Java Virtual Machine (OJVM); do not assign all permissions to such a facility.

Lock and expire default (predefined) user accounts.


Use the following data dictionary views to review what access has actually been granted. Only users and roles that need access should hold it.

  • the DBA_* views in general, and in particular:
  • DBA_ROLES
  • DBA_SYS_PRIVS
  • DBA_ROLE_PRIVS
  • DBA_TAB_PRIVS
  • DBA_AUDIT_TRAIL (if standard auditing is enabled)
  • DBA_FGA_AUDIT_TRAIL (if fine-grained auditing is enabled)

Monitor grants of the following privileges; they should go only to users and roles who need them.


By default, Oracle Database 11g audits the use of these privileges (among others) when the default audit settings are in place:

  • ALTER SYSTEM
  • AUDIT SYSTEM
  • CREATE EXTERNAL JOB

Revoke access to the following:


  • The SYS.USER_HISTORY$ table (which holds password history) from all users except SYS and DBA accounts
  • The RESOURCE role from typical application accounts
  • The CONNECT role from typical application accounts
  • The DBA role from users who do not need this role
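The following SQL is an added example, not code from the original post: it reviews the grants called out in the guidelines above and shows the corresponding revocations for an application account. It assumes a DBA session on 11g; the account name APP_USER and the selection of UTL_* packages are illustrative choices, not Oracle defaults.

```sql
-- Added example (not from the original post): review the grants called out above
-- and revoke the ones an application account should not hold. Run as a DBA.
-- APP_USER and the package list are illustrative choices, not Oracle defaults.

-- 1. Who holds the high-risk system privileges and roles? (EXP_/IMP_FULL_DATABASE
--    and DBA are roles, so they live in DBA_ROLE_PRIVS, not DBA_SYS_PRIVS.)
SELECT grantee, privilege AS granted, 'SYSTEM PRIVILEGE' AS kind, admin_option
  FROM dba_sys_privs
 WHERE privilege IN ('CREATE ANY JOB', 'BECOME USER')
UNION ALL
SELECT grantee, granted_role, 'ROLE', admin_option
  FROM dba_role_privs
 WHERE granted_role IN ('EXP_FULL_DATABASE', 'IMP_FULL_DATABASE', 'DBA')
 ORDER BY 3, 2, 1;

-- 2. Anything granted to PUBLIC is granted to every account. List the
--    network and file-access packages that PUBLIC can execute.
SELECT owner, table_name AS object_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND owner = 'SYS'
   AND table_name IN ('UTL_FILE', 'UTL_TCP', 'UTL_HTTP', 'UTL_SMTP', 'UTL_INADDR')
 ORDER BY table_name;

-- 3. Before revoking from PUBLIC, find code that depends on the package and
--    would be invalidated; grant EXECUTE to those owners directly instead.
SELECT owner, name, type
  FROM dba_dependencies
 WHERE referenced_owner = 'SYS'
   AND referenced_name = 'UTL_TCP'
   AND owner NOT IN ('SYS', 'SYSTEM')
 ORDER BY owner, name;

-- 4. Who can read password history?
SELECT grantee, privilege
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name = 'USER_HISTORY$';

-- 5. Revocations for a typical application account.
REVOKE EXECUTE ON sys.utl_tcp FROM PUBLIC;
GRANT EXECUTE ON sys.utl_tcp TO app_user;   -- only if step 3 showed a real dependency
REVOKE CREATE ANY JOB FROM app_user;
REVOKE EXP_FULL_DATABASE, IMP_FULL_DATABASE FROM app_user;
-- CONNECT carries CREATE SESSION in 11g, so grant that first or the account
-- can no longer log in. Granting RESOURCE to a user also silently grants
-- UNLIMITED TABLESPACE, which REVOKE RESOURCE does not take back.
GRANT CREATE SESSION TO app_user;
REVOKE CONNECT, RESOURCE FROM app_user;
REVOKE UNLIMITED TABLESPACE FROM app_user;
ALTER USER app_user QUOTA 500M ON users;
```

Run the review queries first and keep their output: the dependency check in step 3 is what separates a clean revoke from a production outage, because PL/SQL in other schemas that relied on the PUBLIC grant is invalidated the moment it is gone.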

Grant privileges only to roles.


Granting privileges to roles rather than to individual users makes privileges much easier to manage and track: a user's access is changed by changing role membership, and a role's definition can be reviewed in one place.

Role Policies

Guidelines for managing roles:


  1. Grant a role to users only if they need all privileges of the role.
  2. Do not grant user roles to application developers.
  3. Create and assign roles specific to each Oracle Database installation.
  4. For enterprise users, create global roles.
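As an added example (not from the original post), the SQL below finds privileges that were granted directly to user accounts instead of through roles, then replaces them with a role that names the job it serves, and creates a global role for enterprise users. The schema, role and user names (HR, HR_REPORT_READER, REPORT_USER) are hypothetical.

```sql
-- Added example (not from the original post): find privileges granted directly to
-- user accounts instead of through roles, then replace them with a purpose-built
-- role. Schema, role and user names are hypothetical.

-- 1. System privileges held directly by user accounts (grantee is a user, not a role).
SELECT p.grantee, p.privilege, p.admin_option
  FROM dba_sys_privs p
  JOIN dba_users u ON u.username = p.grantee
 WHERE p.grantee NOT IN ('SYS', 'SYSTEM', 'DBSNMP', 'SYSMAN')
 ORDER BY p.grantee, p.privilege;

-- 2. Object privileges granted directly to user accounts on application schemas.
SELECT p.grantee, p.owner, p.table_name, p.privilege
  FROM dba_tab_privs p
  JOIN dba_users u ON u.username = p.grantee
 WHERE p.owner NOT IN ('SYS', 'SYSTEM')
 ORDER BY p.grantee, p.owner, p.table_name;

-- 3. How wide is each role? Check before granting one (guideline 1 above:
--    grant a role only if the user needs all of it).
SELECT p.grantee AS role_name, COUNT(*) AS object_privs
  FROM dba_tab_privs p
  JOIN dba_roles r ON r.role = p.grantee
 GROUP BY p.grantee
 ORDER BY object_privs DESC;

-- 4. Move the access into a role that names the job it serves.
CREATE ROLE hr_report_reader;
GRANT SELECT ON hr.employees   TO hr_report_reader;
GRANT SELECT ON hr.departments TO hr_report_reader;
GRANT hr_report_reader TO report_user;
REVOKE SELECT ON hr.employees   FROM report_user;
REVOKE SELECT ON hr.departments FROM report_user;

-- 5. For enterprise users (directory-authenticated), a global role: its membership
--    is managed in the directory, so it cannot be granted to a local user here.
CREATE ROLE hr_global_reader IDENTIFIED GLOBALLY;
GRANT SELECT ON hr.employees TO hr_global_reader;

-- 6. Verify: everything REPORT_USER holds, direct or via role.
SELECT CAST('ROLE' AS VARCHAR2(6)) AS via, granted_role AS what
  FROM dba_role_privs
 WHERE grantee = 'REPORT_USER'
UNION ALL
SELECT 'DIRECT', privilege
  FROM dba_sys_privs
 WHERE grantee = 'REPORT_USER'
UNION ALL
SELECT 'DIRECT', privilege || ' ON ' || owner || '.' || table_name
  FROM dba_tab_privs
 WHERE grantee = 'REPORT_USER';
```

After the change, the last query should show only the role under REPORT_USER, which is the state the guideline "grant privileges only to roles" is asking for; any DIRECT rows that remain are the ones to explain or remove.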

Password Policies

Simple management policies:


  1. Enable password complexity requirements through a password verification function.
  2. Change default user passwords.
  3. Change default passwords of administrative users (SYS, SYSTEM and the other Oracle-supplied accounts).
  4. Enforce password management through profiles: expiry, reuse limits, and lockout after repeated failed logins.
  5. Do not store user passwords in clear text in Oracle tables.
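The following SQL is an added example (not code from the original post) that puts the password guidelines, and the earlier guideline to lock and expire predefined accounts, into practice. It assumes an 11g database and that $ORACLE_HOME/rdbms/admin/utlpwdmg.sql (Oracle's supplied SQL*Plus script) has been run first, because that script creates VERIFY_FUNCTION_11G. The profile name, APP_USER and the password values are placeholders.

```sql
-- Added example (not from the original post): enforce the password guidelines with
-- a profile, and lock the predefined accounts mentioned earlier. Assumes 11g and
-- that $ORACLE_HOME/rdbms/admin/utlpwdmg.sql was run to create VERIFY_FUNCTION_11G.
-- Profile name, APP_USER and the password values are placeholders.

-- 1. Accounts still on an Oracle-supplied default password (11g view).
SELECT d.username, u.account_status, u.profile
  FROM dba_users_with_defpwd d
  JOIN dba_users u ON u.username = d.username
 ORDER BY d.username;

-- 2. Change administrative passwords; quote them so case is preserved
--    (SEC_CASE_SENSITIVE_LOGON is TRUE by default in 11g).
ALTER USER sys    IDENTIFIED BY "Example-Sys-P4ss!";
ALTER USER system IDENTIFIED BY "Example-System-P4ss!";

-- 3. Lock and expire predefined accounts that are not in use.
ALTER USER scott ACCOUNT LOCK PASSWORD EXPIRE;

-- 4. Password management through a profile. PASSWORD_REUSE_TIME and
--    PASSWORD_REUSE_MAX must both be set for password history to be enforced.
CREATE PROFILE app_secure LIMIT
  FAILED_LOGIN_ATTEMPTS    5
  PASSWORD_LOCK_TIME       1/24      -- fraction of a day: locked for one hour
  PASSWORD_LIFE_TIME       90
  PASSWORD_GRACE_TIME      7
  PASSWORD_REUSE_TIME      365
  PASSWORD_REUSE_MAX       10
  PASSWORD_VERIFY_FUNCTION verify_function_11g;

ALTER USER app_user PROFILE app_secure;

-- 5. Anyone left on a profile that never expires passwords?
SELECT u.username, u.profile, p.limit
  FROM dba_users u
  JOIN dba_profiles p
    ON p.profile = u.profile
   AND p.resource_name = 'PASSWORD_LIFE_TIME'
 WHERE u.account_status = 'OPEN'
   AND p.limit = 'UNLIMITED'
 ORDER BY u.username;
```

Run step 1 again after the changes; the DBA_USERS_WITH_DEFPWD view is the quickest regression check that no predefined account has slipped back to its shipped password.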

Secure Your Data

Guidelines to secure data on your system:


  1. Enable data dictionary protection: keep O7_DICTIONARY_ACCESSIBILITY set to FALSE (its default) so that ANY system privileges such as SELECT ANY TABLE do not extend to SYS-owned objects.
  2. Restrict operating system access: only the Oracle software owner and trusted administrators should be able to log in to the database host or read the database and configuration files.
  3. Encrypt sensitive data and all backup media that contains database files.
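As an added example (not from the original post), the SQL below checks and sets the instance parameters behind these three guidelines and encrypts a column with Transparent Data Encryption (TDE). TDE is part of the separately licensed Oracle Advanced Security Option and needs a wallet location configured in sqlnet.ora (ENCRYPTION_WALLET_LOCATION) before the ENCRYPTION KEY statement will work; the table, column, directory path and wallet password are hypothetical.

```sql
-- Added example (not from the original post): the instance parameters behind the
-- three guidelines above, and column encryption with Transparent Data Encryption.
-- Assumes an 11g database with ENCRYPTION_WALLET_LOCATION set in sqlnet.ora.
-- The table, column, directory path and wallet password are hypothetical.

-- 1. Dictionary protection and OS-based authentication. O7_DICTIONARY_ACCESSIBILITY
--    = FALSE keeps SELECT ANY TABLE and friends away from SYS-owned objects;
--    REMOTE_OS_AUTHENT = FALSE stops a remote client from asserting an OS identity.
SELECT name, value
  FROM v$parameter
 WHERE name IN ('o7_dictionary_accessibility', 'remote_os_authent',
                'remote_os_roles', 'utl_file_dir', 'sec_case_sensitive_logon')
 ORDER BY name;

ALTER SYSTEM SET o7_dictionary_accessibility = FALSE SCOPE = SPFILE;  -- static: restart to apply
ALTER SYSTEM SET remote_os_authent = FALSE SCOPE = SPFILE;
ALTER SYSTEM SET remote_os_roles   = FALSE SCOPE = SPFILE;
ALTER SYSTEM SET utl_file_dir = '' SCOPE = SPFILE;   -- use DIRECTORY objects instead

-- 2. Create the master key (this also creates and opens the wallet in 11g),
--    then encrypt the sensitive column in place.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "Example-Wallet-P4ss!";
ALTER TABLE app.customers MODIFY (card_number ENCRYPT USING 'AES256' SALT);

-- 3. Verify what is encrypted and that the wallet is open.
SELECT owner, table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns
 ORDER BY owner, table_name, column_name;

SELECT wrl_type, status
  FROM v$encryption_wallet;

-- 4. Directory objects replace UTL_FILE_DIR: OS file access is granted per
--    directory and per account instead of database-wide.
CREATE DIRECTORY app_export AS '/u01/app/export';
GRANT READ, WRITE ON DIRECTORY app_export TO app_user;
```

The parameters in step 1 should read FALSE, FALSE, FALSE, an empty UTL_FILE_DIR and TRUE for SEC_CASE_SENSITIVE_LOGON. For the backup half of guideline 3, RMAN's CONFIGURE ENCRYPTION FOR DATABASE ON uses the same wallet, so once TDE is set up the backup sets can be encrypted transparently as well.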

Secure the Network

  1. Enforce access controls effectively and authenticate clients stringently.
  2. Configure the connection to use encryption.

Secure the Network Connection

  1. Use Secure Sockets Layer (SSL) when administering the listener.
  2. Monitor listener activity.
    You can monitor listener activity with Enterprise Manager Database Control. On the Database Control home page, under General, click the link for your listener. The Listener page shows the category of alert generated, the alert messages, when each alert was triggered, and so on, together with performance statistics for the listener.
  3. Prevent online administration: set ADMIN_RESTRICTIONS_listener_name = ON in listener.ora so that runtime configuration changes through lsnrctl SET are refused and an administrator must instead have write access to listener.ora on the server.
  4. Do not set a listener password. In Oracle Database 11g the listener password is deprecated; the listener is protected by local operating system authentication (LOCAL_OS_AUTHENTICATION_listener_name = ON by default), so only the OS user that owns the listener can administer it locally.
  5. When a host computer has multiple IP addresses associated with multiple network interface controller (NIC) cards, bind the listener to the specific IP address it should serve rather than to all interfaces.
  6. Restrict the privileges of the listener, so that it cannot read or write files in the database or the Oracle server address space.
  7. Use encryption to secure the data in flight.
  8. Use a firewall, and prevent unauthorized administration of the Oracle listener.
  9. Check network IP addresses: restrict which client addresses the listener accepts with valid node checking, configured in sqlnet.ora on the server:

  • tcp.validnode_checking = YES
  • tcp.excluded_nodes = {list of IP addresses}
  • tcp.invited_nodes = {list of IP addresses}

    If both lists are set, tcp.invited_nodes takes precedence and only the invited addresses are admitted. The listener reads these settings when it starts, so restart it after editing the file.
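Setting encryption in sqlnet.ora is only half the job; the other half is proving that sessions actually negotiated it. The SQL below is an added example (not from the original post) that checks this from inside the database. The sqlnet.ora settings quoted in its header are the assumed server-side configuration (Oracle native network encryption with AES256 and SHA1 integrity, both REQUIRED); they are set by the DBA and are not visible from SQL.

```sql
-- Added example (not from the original post): verify from inside the database that
-- sessions really are using native network encryption and integrity checking.
-- The server-side sqlnet.ora settings assumed here are not visible from SQL:
--   SQLNET.ENCRYPTION_SERVER            = REQUIRED
--   SQLNET.ENCRYPTION_TYPES_SERVER      = (AES256)
--   SQLNET.CRYPTO_CHECKSUM_SERVER       = REQUIRED
--   SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA1)
-- What each session negotiated is recorded as rows in V$SESSION_CONNECT_INFO.

-- 1. What did my own session negotiate? With encryption on, the rows include
--    "... Encryption service adapter ..." and "... Crypto-checksumming service adapter ...".
SELECT network_service_banner
  FROM v$session_connect_info
 WHERE sid = SYS_CONTEXT('USERENV', 'SID');

-- 2. Network sessions with no encryption adapter loaded: their traffic is plaintext.
--    Local bequeath connections never negotiate encryption, so they are excluded.
SELECT s.sid, s.serial#, s.username, s.osuser, s.machine, s.program
  FROM v$session s
 WHERE s.type = 'USER'
   AND s.username IS NOT NULL
   AND NOT EXISTS (SELECT 1 FROM v$session_connect_info c
                    WHERE c.sid = s.sid AND c.serial# = s.serial#
                      AND c.network_service_banner LIKE '%Bequeath%')
   AND NOT EXISTS (SELECT 1 FROM v$session_connect_info c
                    WHERE c.sid = s.sid AND c.serial# = s.serial#
                      AND c.network_service_banner LIKE '%Encryption service adapter%')
 ORDER BY s.username, s.sid;

-- 3. The same check for integrity protection (crypto-checksumming).
SELECT s.sid, s.serial#, s.username, s.machine
  FROM v$session s
 WHERE s.type = 'USER'
   AND s.username IS NOT NULL
   AND NOT EXISTS (SELECT 1 FROM v$session_connect_info c
                    WHERE c.sid = s.sid AND c.serial# = s.serial#
                      AND c.network_service_banner LIKE '%Bequeath%')
   AND NOT EXISTS (SELECT 1 FROM v$session_connect_info c
                    WHERE c.sid = s.sid AND c.serial# = s.serial#
                      AND c.network_service_banner LIKE '%Crypto-checksumming service adapter%')
 ORDER BY s.username, s.sid;

-- 4. Sessions that were not authenticated by a database password (OS, proxy or
--    network authentication); review each against the client-authentication policy.
SELECT DISTINCT sid, serial#, authentication_type, osuser
  FROM v$session_connect_info
 WHERE authentication_type <> 'DATABASE'
 ORDER BY authentication_type, sid;
```

The default for the encryption and checksum parameters on both client and server is ACCEPTED, which means nothing is encrypted unless at least one side asks for it; REQUIRED on the server side rejects clients that cannot encrypt, so queries 2 and 3 should come back empty once it is in place.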

Secure SSL

  1. Ensure that configuration files (for example, for clients and listeners) use the correct port for SSL, which is the port configured upon installation.
  2. Ensure that TCPS is specified as the PROTOCOL in the ADDRESS parameter in the tnsnames.ora file (typically on the client or in the LDAP directory).
  3. Ensure that the SSL mode is consistent for both ends of every communication. For example, the database (on one side) and the user or application (on the other) must have the same SSL mode.
  4. Ensure that the server supports the client cipher suites and the certificate key algorithm in use.
  5. Enable DN matching for both the server and client, to prevent the server from falsifying its identity to the client during connections.
  6. Do not remove the encryption from your RSA private key inside your server.key file, which requires that you enter your pass phrase to read and parse this file.

Audit

  1. Audit sensitive information: audit access to the tables and columns that hold it, using fine-grained auditing where only particular columns or conditions matter.
  2. Enable default auditing of SQL statements and privileges.
  3. Keep audited information manageable: audit selectively, move the audit trail out of the SYSTEM tablespace, and archive and purge it on a schedule.
  4. Audit typical database activity, such as logons and logoffs, so that unusual patterns stand out.
  5. Audit suspicious database activity, such as repeated failed logons and privileged statements outside normal working hours.
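The following SQL is an added example (not code from the original post) that sets up standard and fine-grained auditing for these five guidelines and shows the review queries a DBA would run against the audit trail. It assumes AUDIT_TRAIL is set to DB or DB,EXTENDED and an 11g Release 2 database (for the DBMS_AUDIT_MGMT package); the APP schema, the CUSTOMERS table, the APP_SVC account and the AUDIT_TS tablespace are hypothetical.

```sql
-- Added example (not from the original post): a minimal standard-auditing setup plus
-- the review queries behind the five audit guidelines. Assumes AUDIT_TRAIL = DB or
-- DB,EXTENDED and 11g Release 2 (DBMS_AUDIT_MGMT). APP, CUSTOMERS, APP_SVC and the
-- AUDIT_TS tablespace are hypothetical.

-- 0. Confirm auditing is on (static parameters: changing them needs a restart).
SELECT name, value
  FROM v$parameter
 WHERE name IN ('audit_trail', 'audit_sys_operations');
ALTER SYSTEM SET audit_trail = DB, EXTENDED SCOPE = SPFILE;
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;

-- 1. Typical activity: every logon/logoff plus the privileges in the default set.
AUDIT SESSION;
AUDIT ALTER SYSTEM, AUDIT SYSTEM, CREATE EXTERNAL JOB;
AUDIT GRANT ANY PRIVILEGE, GRANT ANY ROLE, ALTER USER, CREATE USER, DROP USER;

-- 2. Sensitive information: every statement against the table ...
AUDIT SELECT, INSERT, UPDATE, DELETE ON app.customers BY ACCESS;

-- ... and, fine-grained, only reads of the card column by anyone who is not
-- the application service account.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'APP',
    object_name     => 'CUSTOMERS',
    policy_name     => 'CUST_CARD_READ',
    audit_condition => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') <> ''APP_SVC''',
    audit_column    => 'CARD_NUMBER',
    statement_types => 'SELECT',
    audit_trail     => DBMS_FGA.DB_EXTENDED);
END;
/

-- 3. Suspicious activity: failed logons (ORA-01017) in the last 24 hours.
SELECT username, os_username, userhost, timestamp, returncode
  FROM dba_audit_trail
 WHERE action_name = 'LOGON'
   AND returncode = 1017
   AND timestamp > SYSDATE - 1
 ORDER BY timestamp DESC;

-- Privileged statements outside working hours.
SELECT username, action_name, obj_name, timestamp
  FROM dba_audit_trail
 WHERE action_name IN ('ALTER SYSTEM', 'CREATE USER', 'DROP USER',
                       'GRANT ROLE', 'SYSTEM GRANT', 'GRANT OBJECT')
   AND TO_NUMBER(TO_CHAR(timestamp, 'HH24')) NOT BETWEEN 8 AND 18
 ORDER BY timestamp DESC;

-- Hits on the fine-grained policy.
SELECT db_user, os_user, userhost, timestamp, sql_text
  FROM dba_fga_audit_trail
 WHERE policy_name = 'CUST_CARD_READ'
 ORDER BY timestamp DESC;

-- 4. Keep it manageable: move AUD$ out of SYSTEM and purge records older than the
--    archive point (here: everything older than 90 days, after it has been archived).
BEGIN
  DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_LOCATION(
    audit_trail_type           => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
    audit_trail_location_value => 'AUDIT_TS');
  DBMS_AUDIT_MGMT.INIT_CLEANUP(
    audit_trail_type         => DBMS_AUDIT_MGMT.AUDIT_TRAIL_ALL,
    default_cleanup_interval => 24);
  DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(
    audit_trail_type  => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
    last_archive_time => SYSTIMESTAMP - INTERVAL '90' DAY);
  DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL(
    audit_trail_type        => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
    use_last_arch_timestamp => TRUE);
END;
/
```

Auditing BY ACCESS on a busy table produces one row per statement, which is why step 4 matters: archive the trail somewhere the database's own privileged users cannot edit it before purging, and let the purge run only up to the archive timestamp.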

These are just a few of the highlights for keeping your Oracle databases secure. For more detailed information on securing your Oracle databases, please see the Oracle Database 11g Security Guide from Oracle.

From database assessments to complete database management, CommitDBA can assist your company today. For more information about how CommitDBA can work for you – give us a call at (800) 734-9304.


