| General |
| Note:
This library page is far from complete and not intended to produce
a locked-down database. Rather it is intended as a starting point.
If you are not doing at least this ... you have a system at very
high risk. |
| |
| Secure
Configuration |
The 11g database contains a script
specifically written to be a starting point for creating a secure
configuration. The contents are to the right. |
$ORACLE_HOME/rdbms/admin/secconf.sql |
ALTER PROFILE DEFAULT LIMIT
PASSWORD_LIFE_TIME 180
PASSWORD_GRACE_TIME 7
PASSWORD_REUSE_TIME UNLIMITED
PASSWORD_REUSE_MAX UNLIMITED
FAILED_LOGIN_ATTEMPTS 10
PASSWORD_LOCK_TIME 1;
-- Turn on auditing options
Audit alter any table by access;
Audit create any table by access;
Audit drop any table by access;
Audit Create any procedure by access;
Audit Drop any procedure by access;
Audit Alter any procedure by access;
Audit Grant any privilege by access;
Audit grant any object privilege by access;
Audit grant any role by access;
Audit audit system by access;
Audit create external job by access;
Audit create any job by access;
Audit create any library by access;
Audit create public database link by access;
Audit exempt access policy by access;
Audit alter user by access;
Audit create user by access;
Audit role by access;
Audit create session by access;
Audit drop user by access;
Audit alter database by access;
Audit alter system by access;
Audit alter profile by access;
Audit drop profile by access; |
I personally find Oracle's file far too loose and thus am
providing my own variant.
This is not substantially better but provides an incremental
improvement.
|
conn / as
sysdba
@?/rdbms/admin/utlpwdmg.sql
ALTER PROFILE DEFAULT LIMIT
PASSWORD_LIFE_TIME 90
PASSWORD_GRACE_TIME 10
PASSWORD_REUSE_TIME 0
PASSWORD_REUSE_MAX 0
FAILED_LOGIN_ATTEMPTS 3
PASSWORD_LOCK_TIME 30;
PASSWORD_VERIFY_FUNCTION verify_function;
Audit create any procedure by access;
Audit alter any procedure by access;
Audit grant any privilege by access;
Audit grant any object privilege by access;
Audit grant any role by access;
Audit audit system by access;
Audit create external job by access;
Audit create any job by access;
Audit create any library by access;
Audit create public database link by access;
Audit exempt access policy by access;
Audit alter user by access;
Audit create user by access;
Audit role by access;
Audit create session by access;
Audit alter database by access;
Audit alter system by access;
Audit alter profile by access;
Audit drop profile by access; |
| |
| Additional
Actions |
DDL Event Triggers |
CREATE OR
REPLACE TRIGGER save_our_db
BEFORE DROP OR TRUNCATE
ON DATABASE
DECLARE
oper VARCHAR2(30);
BEGIN
SELECT ora_sysevent
INTO oper
FROM dual;
IF oper = 'DROP' THEN
RAISE_APPLICATION_ERROR(-20998, 'Attempt To
Drop A Production Object Has Been Logged');
ELSIF oper = 'TRUNCATE' THEN
RAISE_APPLICATION_ERROR(-20999, 'Attempt To
Truncate A Production Table Has Been Logged');
END IF;
END save_our_db;
/
-- it is highly advisable to alter this
basic trigger to include
-- logging and and email created with UTL_MAIL routed to security |
Enable Case Sensitive Passwords |
set linesize
121
col name format a30
col value format a30
SELECT name, value
FROM gv$parameter
WHERE (name LIKE '%sensitive%');
SELECT username, password_versions
FROM dba_users;
alter user sh identified by Sh;
conn sh/sh
conn sh/Sh |
Remove Default Passwords |
SELECT
d.username, u.account_status
FROM dba_users_with_defpwd d, dba_users u
WHERE d.username = u.username
ORDER BY 2,1; |
SQLNET.ORA Alteration
|
tcp.validnode_checking=yes
tcp.invited_nodes=(<comma_delimited_list_of_specific_ip_addresses)
sqlnet.encryption_server=required
sqlnet.encryption_client=required |
Secure Roles |
SELECT
grantee, granted_role
FROM dba_role_privs
WHERE granted_role IN ('CONNECT', 'RESOURCE')
ORDER BY 2,1;
Revoke CONNECT and RESOURCE from any unlocked account and create
your own role with those specific privileges required only. |
| SQL
Injection |
Click
Here |
| System
Event Triggers |
Click
Here |
| System
Events |
Click
Here |
System Privileges |
Grant CREATE
privileges such as CREATE TABLE and CREATE PROCEDURE only for the
duration of schema creation. As soon as the application schemas
has been created revoke those privileges and do not grant them
again except during, and for the duration, of a maintenance
window. |
| Tablespace
Encryption |
Click
Here |
| Transparent
Data Encryption |
Click
Here |
Wallet |
--
in sqlnet.ora
ENCRYPTION_WALLET_LOCATION = (SOURCE = (METHOD=FILE) (METHOD_DATA
= (DIRECTORY = c:\oracle\admin\orabase\wallet)))
-- in SQL*Plus
conn / as sysdba
ALTER SYSTEM SET ENCRYPTION KEY AUTHENTICATED BY
"N0way!iN";
desc gv$encryption_wallet
col wrl_parameter format a40
SELECT * FROM gv$encryption_wallet; |
