CODE
Oracle Code Library
JOBS
Find Or Post Oracle Jobs
FORUM
Oracle Discussion & Chat
PSOUG Home Code Snippets Oracle Reference Oracle Functions PSOUG Forum Oracle Blogs Bookmark and Share
 
 Search the Reference Library pages:  

Free
Oracle Magazine
Subscriptions
and Oracle White Papers

Oracle Security
Version 11.1
 
General
Note: This library page is far from complete and not intended to produce a locked-down database. Rather it is intended as a starting point. If you are not doing at least this ... you have a system at very high risk.
 
Secure Configuration

The 11g database contains a script specifically written to be a starting point for creating a secure configuration. The contents are to the right. 
$ORACLE_HOME/rdbms/admin/secconf.sql
ALTER PROFILE DEFAULT LIMIT
PASSWORD_LIFE_TIME 180
PASSWORD_GRACE_TIME 7
PASSWORD_REUSE_TIME UNLIMITED
PASSWORD_REUSE_MAX UNLIMITED
FAILED_LOGIN_ATTEMPTS 10
PASSWORD_LOCK_TIME 1;

-- Turn on auditing options
Audit alter any table by access;
Audit create any table by access;
Audit drop any table by access;
Audit Create any procedure by access;
Audit Drop any procedure by access;
Audit Alter any procedure by access;
Audit Grant any privilege by access;
Audit grant any object privilege by access;
Audit grant any role by access;
Audit audit system by access;
Audit create external job by access;
Audit create any job by access;
Audit create any library by access;
Audit create public database link by access;
Audit exempt access policy by access;
Audit alter user by access;
Audit create user by access;
Audit role by access;
Audit create session by access;
Audit drop user by access;
Audit alter database by access;
Audit alter system by access;
Audit alter profile by access;
Audit drop profile by access;

I personally find Oracle's file far too loose and thus am providing my own variant.

This is not substantially better but provides an incremental improvement.
conn / as sysdba

@?/rdbms/admin/utlpwdmg.sql

ALTER PROFILE DEFAULT LIMIT
PASSWORD_LIFE_TIME 90
PASSWORD_GRACE_TIME 10
PASSWORD_REUSE_TIME 0
PASSWORD_REUSE_MAX 0
FAILED_LOGIN_ATTEMPTS 3
PASSWORD_LOCK_TIME 30;
PASSWORD_VERIFY_FUNCTION verify_function;

Audit create any procedure by access;
Audit alter any procedure by access;
Audit grant any privilege by access;
Audit grant any object privilege by access;
Audit grant any role by access;
Audit audit system by access;
Audit create external job by access;
Audit create any job by access;
Audit create any library by access;
Audit create public database link by access;
Audit exempt access policy by access;
Audit alter user by access;
Audit create user by access;
Audit role by access;
Audit create session by access;
Audit alter database by access;
Audit alter system by access;
Audit alter profile by access;
Audit drop profile by access;
 
Additional Actions

DDL Event Triggers
CREATE OR REPLACE TRIGGER save_our_db
BEFORE DROP OR TRUNCATE
ON DATABASE

DECLARE
 oper VARCHAR2(30);
BEGIN
  SELECT ora_sysevent
  INTO oper
  FROM dual;

  IF oper = 'DROP' THEN
    RAISE_APPLICATION_ERROR(-20998, 'Attempt To Drop A Production Object Has Been Logged');
  ELSIF oper = 'TRUNCATE' THEN
    RAISE_APPLICATION_ERROR(-20999, 'Attempt To Truncate A Production Table Has Been Logged');
  END IF;
END save_our_db;
/

-- it is highly advisable to alter this basic trigger to include 
-- logging and and email created with UTL_MAIL routed to security

Enable Case Sensitive Passwords
set linesize 121
col name format a30
col value format a30

SELECT name, value
FROM gv$parameter
WHERE (name LIKE '%sensitive%');

SELECT username, password_versions
FROM dba_users;

alter user sh identified by Sh;

conn sh/sh

conn sh/Sh

Remove Default Passwords
SELECT d.username, u.account_status
FROM dba_users_with_defpwd d, dba_users u
WHERE d.username = u.username
ORDER BY 2,1;

SQLNET.ORA Alteration
tcp.validnode_checking=yes
tcp.invited_nodes=(<comma_delimited_list_of_specific_ip_addresses)
sqlnet.encryption_server=required
sqlnet.encryption_client=required

Secure Roles
SELECT grantee, granted_role
FROM dba_role_privs
WHERE granted_role IN ('CONNECT', 'RESOURCE')
ORDER BY 2,1;

Revoke CONNECT and RESOURCE from any unlocked account and create your own role with those specific privileges required only.
SQL Injection Click Here
System Event Triggers Click Here
System Events Click Here

System Privileges
Grant CREATE privileges such as CREATE TABLE and CREATE PROCEDURE only for the duration of schema creation. As soon as the application schemas has been created revoke those privileges and do not grant them again except during, and for the duration, of a maintenance window.
Tablespace Encryption Click Here
Transparent Data Encryption Click Here

Wallet
-- in sqlnet.ora
ENCRYPTION_WALLET_LOCATION = (SOURCE = (METHOD=FILE) (METHOD_DATA = (DIRECTORY = c:\oracle\admin\orabase\wallet)))

-- in SQL*Plus
conn / as sysdba

ALTER SYSTEM SET ENCRYPTION KEY AUTHENTICATED BY "N0way!iN";

desc gv$encryption_wallet

col wrl_parameter format a40

SELECT * FROM gv$encryption_wallet;
 
Related Topics
DDL Event Triggers
Net Services
Object Privileges
Profiles
Roles
SecureFiles
System Event Triggers
Transparent Data Encryption
 
Home      :      Code Library      :      Sponsors      :      Privacy      :      Terms of Use      :      Contact Us [95 users online]    © 2010 psoug.org