D50323GC20
Edition 2.0
April 2010
D66808
THESE eKIT MATERIALS ARE FOR YOUR USE IN THIS CLASSROOM ONLY. COPYING eKIT MATERIALS FROM THIS
COMPUTER IS STRICTLY PROHIBITED
Authors
Donna Keesling
James Spiller
Disclaimer
Contributors and Reviewers
Tammy Bednar
Tom Best
Maria Billings
Herbert Bradbury
Howard Bradley
Tomohiko Fukuda
Philip Garm
Joel Goodman
Naveen Gopal
Xander Heemskerk
Uwe Hesse
Magnus Isaksson
Tomoki Ishii
Chandrasekharan Iyer
Sushma Jagannath
Martin Jensen
Dominique Jeunot
Victor Lu
Yi L Lu
Tom Minella
Sabiha Miri
Pam Moutrie
Lynn Munsinger
Paul Needham
Roman Niehoff
Preetam Ramakrishna
Surya Rekha
Kevin Reardon
Wayne Reeser
Walter Romanski
Ron Soltani
Kar Srinivasan
Glenn Tripp
Branislav Valny
Peter Wahl
Andrew Webber
Anthony Woodell
Paul Youn
Editors
Aju Kumar
Amitha Narayan
Raj Kumar
Graphic Designer
Satish Bettegowda
Publishers
Jayanthy Keshavamurthy
Shaik Mahaboob Basha
Sujatha Nagendra
Preface
Profile
Before You Begin This Course
Before you begin this course, you should have the following qualifications:
Working experience with Oracle Database 11g
Or have attended the following courses:
Oracle Database 11g: Administration Workshop II (D50079GC20) inClass
How This Course Is Organized
Oracle Database 11g: Security is an instructor-led course featuring lectures and hands-on
exercises. Online demonstrations and written practice sessions reinforce the concepts and
skills.
Related Publications
Oracle Publications
Title / Part Number (only the part numbers survived extraction):
E10595-06, E10746-01, E10713-05, E10574-03, E10836-03, E10577-04, E10820-03, E10574-03,
E10592-04, B15991-01, E10744-01
Additional Publications
System release bulletins
Installation and user's guides
read.me files
International Oracle Users Group (IOUG) articles
Oracle Magazine
Typographic Conventions

Convention         Object or Term                                    Example
Uppercase          Commands, functions, column names, table names,
                   PL/SQL objects, schemas
Lowercase, italic  Filenames, syntax variables, usernames,           where: role
                   passwords
Initial cap        Trigger and button names                          Select Cancel.
Italic             Books, names of courses and manuals, and
                   emphasized words or phrases
Quotation marks    Lesson module titles referenced within a course
The following table lists the typographical conventions that are used in text and code.

Typographic Conventions in Text

Convention         Object or Term                            Example
Uppercase          Commands, functions                       SELECT employee_id
                                                             FROM employees;
Lowercase, italic  Syntax variables
Initial cap        Forms triggers
Lowercase          Column names, table names, filenames,     . . .
                   PL/SQL objects                            OG_ACTIVATE_LAYER
                                                             (OG_GET_LAYER ('prod_pie_layer'))
                                                             . . .
                                                             SELECT last_name
                                                             FROM employees;
Bold
Contents
Summary 12-56
Practice 12 Overview: Implementing a Virtual Private Database Policy 12-57
16 Encryption Concepts
Objectives 16-2
Understanding Encryption 16-3
What Problems Does Encryption Solve? 16-4
Cost of Encryption 16-5
Encryption Is Not Access Control 16-6
Access by Privileged Users 16-7
What to Encrypt 16-9
Quiz 16-10
Data Encryption: Challenges 16-11
Encryption Key Management: Key Generation 16-12
Encryption Key Management: Key Modification and Transmission 16-13
Encryption Key Management: Storage 16-14
Storing the Key in the Database 16-15
Storing the Key in the Operating System 16-17
Letting the User Manage the Key 16-18
Solutions 16-19
Summary 16-20
17 Using Application-Based Encryption
Objectives 17-2
Overview 17-3
DBMS_CRYPTO Package 17-4
Generating Keys Using RANDOMBYTES 17-6
Quiz 17-9
Using ENCRYPT and DECRYPT 17-10
Enhanced Security Using Cipher Block Modes 17-13
Hash and Message Authentication Code 17-14
Summary 17-17
Practice 17 Overview: Using DBMS_CRYPTO for Encryption 17-18
Course Objectives
Agenda
Only these entries of the agenda table (Day, Lesson, Topic) survived extraction:
Introduction to Database Security
16 Encryption Concepts
Optional App C Securing SQL*Plus
Prerequisites
Objectives
Security threats:
- Identity theft
- Insider threats
- Industrial espionage
- Data consolidation
- Globalization
- Right sourcing
Compliance mandates:
- SOX
- HIPAA
- EU directives
- PCI
- FDA
- GLBA
- Basel II
- SB1386
Compliance Mandates
Security requirements have been a matter of individual concern until recently. Unless you were
handling government or military data, there were few legal requirements. This is rapidly changing. A
variety of laws have been passed to enforce privacy and accuracy of data in North America and
Europe. Along with these laws comes a requirement to audit the security measures that are in place.
These laws are becoming a pattern for laws in other countries, such as India and Japan.
Legal: Each of the laws listed here has specific requirements. This list is representative of many
other laws that are being passed worldwide. These laws and industry standards are being held as a
measure of reasonable care.
Sarbanes-Oxley Act (SOX) requires that publicly traded companies in the United States
strengthen and document internal controls to prevent individuals from committing fraudulent
acts that may compromise an organization's financial position or the accuracy of its financial
statements. The chief executive officer and the chief financial officer must attest to the
adequacy of the internal controls and the accuracy of the financial report. These officers are subject
to fines and imprisonment for a fraudulent report. The requirements of SOX include providing the
information that is used to generate the reports and providing documentation about the internal
controls used to assure the integrity of the financial information. Other countries, such as Japan,
are implementing similar laws.
Security Risks
External threats:
- Unauthorized users
- Denial of service
- Unauthorized data access
- Exploits: SQL injection and others
Internal threats:
- Abuse: Data theft
- Sabotage: Data or service corruption
- Complexity
- Recovery
- Omission
- External threats listed above
- Partners
Copyright 2010, Oracle and/or its affiliates. All rights reserved.
Security risks come with accessibility. Accessibility makes your data valuable. If all your data were
in filing cabinets or vaults, you could be sure that it was secure, but the time to retrieve it would
make it worthless. External exploits by criminals breaking into systems get big headlines, but
industry specialists estimate that 80% to 90% of the damage to information systems is done by
insiders.
No system can be guaranteed to be 100% secure. The costs of securing a system are weighed against
the possible costs of a security breach, whether it is internal or external. A thorough review can be
expensive. But it is important to be aware of the issues, set the priorities, and determine the funding.
Some of the security standards, such as ISO/IEC 17799:2005, require a risk assessment and provide
guidance.
External Threats
Unauthorized users: These are outsiders who gain access to your system. They may use
software exploits, bypass login information, crack passwords, or use social engineering. They
may be helped by poor passwords, unattended terminal sessions, and unsecured servers or
modem lines. Even your trash may contain information that allows them to get into your
system.
Denial of service: It can be an attack from a malicious source that requests limited resources
such as port allocations to disrupt authorized users. It can be accidentally caused by authorized
users who make inappropriate requests.
Security Standards
Several organizations produce guidelines for industry-standard practices. Among them are the
SysAdmin, Audit, Network, Security (SANS) Institute and the Computer Emergency Response
Team (CERT/CC) operated by Carnegie Mellon University for the United States of America
Department of Defense. More information about these organizations and the services that they
provide can be found at www.sans.org and www.cert.org.
The International Standards Organization (ISO) produces standards for a broad range of industries.
ISO-17799/27002 is an international standard of computer security practices. It includes best
practices, certification, and risk assessment. It covers a broad range of issues and includes prewritten
policies. For more information about ISO-17799/27002, see: www.iso.org or
www.computersecuritynow.com
Security requirements are changing. It is important to be aware of the changes and their impact. The
organizations listed in the slide (and others) provide newsletters and study opportunities.
What is a policy?
- A set of rules
- Specific to an area and site
- Required
- Approved by management
What is a standard?
- Rules specific to a system or process
- Required for everyone
- Best practices
Legal Implications
The legal department must be consulted and must approve the policy or procedure. How the
policies are written and enforced can have a direct impact on whether you can prosecute
violations and on whether your company is financially liable when breaches occur. The legal
comment is critical. Security consultants have been sued for running password crackers on the
network without written permission, even when they were being proactive. Legal advice is also
critical when looking at warning banners and email monitoring. For your own protection,
establish approved procedures for all forms of monitoring, sniffing, and cracking; such procedures
should specify approved monitoring activities and should explicitly identify who performs these
activities.
Best Practices
Security policies can often include references to best practice recommendations. Oracle provides
a set of recommendations that can be accessed on the Oracle Database 11g: Maximum Security
Architecture Web page at http://www.oracle.com/technology/deploy/security/databasesecurity/maximum-security-architecture.html.
Quiz
Answer: a
Authentication
Authorization
Access control
Auditing
Encryption
Defense in Depth
Defense in depth means that you consider every level (OS, network, file system permissions,
database, firewall, password protection, user education, and software bug fixes). The defeat of one
security feature must not give full access to all data or services. A policy is a roadmap for security
implementation, but it must be implemented to be effective. Users must be trained to avoid activities
that could easily breach security. You may have a perfect firewall and antivirus checking on all
incoming traffic, but if a user working from home downloads a virus or a Trojan, it can infect the
network from behind the firewall.
The operating systems on machines that host the application server, the database, the mail server, and
other critical services must be hardened. The network services, firewalls, and proxies each add
another layer. Then, secure the database. Every layer shown in the slide needs to be in place. Each
level complements the others to achieve better security. Defense in depth considers everything.
The list presented in the slide is an outline of best practices. This course covers the database-related
items from several of those areas.
Common Exploits
An exploit is a technique used to attack, sabotage, gain unauthorized access to data or services, or to
deny service to authorized users. There are several general classes of methods used. Some of the
most common are listed.
Phishing is a social engineering method. A carefully crafted email, Web page, or even a phone
call to unsuspecting end users can be used to obtain personal information that can then be used
for identity theft or to access their accounts. For example, when users receive an email
apparently from their bank asking them to connect to a corporate Web site and log in, a certain
percentage of people will do so. The malicious site then captures their login information.
Default accounts: Many applications have well-known demonstration or default accounts.
These accounts should have a method of being secured or deleted.
Back doors: A programmer builds in an undocumented method of bypassing authorization.
These should never be allowed to be coded. These can be prevented only by administrative
controls and code review.
Debug code: Often, debug code is included in the production code to help during development
and later to aid support. This code should have clearly documented methods to be enabled and
disabled. Debug code may give additional privileges or bypass authorizations.
Preventing Exploits
The principles outlined in the slide can be applied to many types of attacks: SQL injection, cross-site
scripting, and buffer overflow exploits. These methods are derived from the policies. Reducing the
attack surface and limiting privileges are applications of the principle of least privilege.
Applying the methods shown in the slide is covered in more detail in the case study at the end of
this lesson.
Two white papers available on OTN give more details about SQL and PL/SQL coding
practices: Doing SQL from PL/SQL: Best and Worst Practices at
www.oracle.com/technology/tech/pl_sql/pdf/doing_sqlfrom_plsql.pdf
and How to Write Injection-Proof PL/SQL at
www.oracle.com/technology/tech/pl_sql/pdf/how_to_write_injection_proof_plsql.pdf.
Summary
- Least privilege
- Authorization
- Authentication
Security is not easy. Developing and implementing thorough security policies require management
support.
The types of attacks on a secure environment are constantly changing. To counter these risks,
sometimes you need to think like a hacker. Maintaining a secure environment often requires a certain
level of paranoia. The exploits and attacks are becoming more sophisticated. The average
administrator or security officer may not have the time or the background to keep up with new attack
vectors. The recommendations presented here are derived from the best industry practices. Applying
these recommendations may not prevent an attack, but they can help mitigate the damage, reduce the
access, and track the offender.
Case Study: Applying Security Practices
SQL injection:
- Tricks the SQL engine into executing unintended commands
- Exploits a common vulnerability in the application
- Supplies crafted user-supplied strings, which are used in dynamic SQL statements
Now OE can no longer change the SYS (or any other account) password.
Note that the CHANGE_PASSWORD procedure contains dynamic SQL with concatenated input
values. This is a SQL injection vulnerability. Although using invoker's rights does not guarantee the
elimination of SQL injection risks, it can help mitigate the exposure.
This is an extreme example, but it shows clearly how a PL/SQL procedure that uses dynamic SQL and
definer's rights can allow a user more privileges than intended.
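A hardened version of the CHANGE_PASSWORD procedure discussed above, added here as an example; it is not the course's own code, and the procedure body, the parameter names, and the "own password only" check are assumptions about how the original was written. It combines the two mitigations the notes name, invoker's rights and not concatenating raw input into dynamic SQL, with DBMS_ASSERT.ENQUOTE_NAME, since ALTER USER is DDL and cannot take bind variables.

```sql
-- Added example (not from the course). The OE user and the CHANGE_PASSWORD name come
-- from the case study; the body below is an assumption about the original procedure.

-- Vulnerable shape described in the notes: definer's rights (the default) plus
-- string concatenation of both inputs straight into an ALTER USER statement.
--
--   CREATE OR REPLACE PROCEDURE change_password (p_user VARCHAR2, p_pass VARCHAR2) IS
--   BEGIN
--     EXECUTE IMMEDIATE 'ALTER USER ' || p_user || ' IDENTIFIED BY ' || p_pass;
--   END;
--
-- Anything a caller puts in p_user or p_pass becomes part of the statement, and the
-- statement runs with the owner's privileges, so OE could reach any account.

CREATE OR REPLACE PROCEDURE change_password (
  p_user IN VARCHAR2,
  p_pass IN VARCHAR2)
  AUTHID CURRENT_USER   -- invoker's rights: the DDL runs with the caller's privileges,
                        -- not the owner's, so OE cannot borrow the owner's ALTER USER right
IS
  l_user VARCHAR2(130);
  l_pass VARCHAR2(130);
  l_sql  VARCHAR2(400);
BEGIN
  -- Least privilege on top of invoker's rights (assumed requirement): a session may
  -- change only its own password, whatever privileges the caller happens to hold.
  IF UPPER(TRIM(p_user)) <> SYS_CONTEXT('USERENV', 'SESSION_USER') THEN
    RAISE_APPLICATION_ERROR(-20001, 'You may only change your own password.');
  END IF;

  -- ALTER USER is DDL, so the values cannot be bound. DBMS_ASSERT.ENQUOTE_NAME checks
  -- that each value is a single valid identifier and wraps it in double quotes, so an
  -- embedded quote or an appended clause raises ORA-44003 instead of changing the
  -- statement. capitalize => FALSE keeps the password case-sensitive as typed.
  l_user := DBMS_ASSERT.ENQUOTE_NAME(p_user, capitalize => TRUE);
  l_pass := DBMS_ASSERT.ENQUOTE_NAME(p_pass, capitalize => FALSE);

  l_sql := 'ALTER USER ' || l_user || ' IDENTIFIED BY ' || l_pass;
  EXECUTE IMMEDIATE l_sql;
END change_password;
/

-- OE can still be granted the procedure; with invoker's rights it now only succeeds
-- for OE's own account.
GRANT EXECUTE ON change_password TO oe;
```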
Test:
- Dynamic testing
- Static testing
Review:
- Peer and self-reviews
- Analysis tools
Invoker's rights
Definer's rights
Objectives
Data Protection
The California Security Breach Laws (CA-SB-1386 and CA-AB-1950) require that personally
identifiable information (PII) be protected. The Payment Card Industry Data Security Standard
(PCI-DSS) requires that credit card information be protected at several levels. Reasonable care
dictates that businesses must protect private information to avoid liability.
Restrict access: This is the first step. Use database hardening and access control to limit
the access to authorized persons.
Encrypt stored data: This step assumes that the OS can be compromised. Encrypting the
stored data protects data files from being scanned by OS utilities. Encrypting the data also
assures the protection of backups.
Encrypt network traffic: The data must be protected while in transit. For Oracle Net
traffic, end-to-end encryption is provided with Oracle Advanced Security.
Restrict network access: Restrict network access to authorized individuals. Departmental
or data center firewalls are another layer of protection.
Monitor activity: Monitor activity with intrusion detection tools and auditing tools.
Unusual activity on the network or database at odd times can signal an attack or illegal
access.
Networkwide Authentication
For secure systems, users must have strong passwords (longer than n characters, with digits and
special characters). When users have multiple accounts, this requirement is often met with
resistance and increases help-desk costs for password resets. If a user needs only one strong
enterprisewide password, the resistance and costs diminish. There are several solutions:
Oracle Identity Management provides single sign-on that is integrated with the Oracle
Applications server. Oracle Identity Management can provide self-service password resets
and account provisioning (creation). It can be integrated with the existing Lightweight
Directory Access Protocol (LDAP) v3 directories.
Enterprise User Security provides a single point of authentication. EUS can be
configured to use passwords, certificates, or Kerberos v5 tickets. It gives administrators a
centralized repository for user account information.
Integration with Active Directory from Microsoft can be used for networkwide
authentication. Oracle Database may be configured to use Active Directory as an
authentication source.
Integration with Kerberos can be used for networkwide authentication. Oracle Database
may be configured to use Kerberos as an authentication source.
Integration with Entrust PKI provides the ability to use a central sign system with
certificates.
Monitoring includes:
Applying auditing
Using Oracle Audit Vault
Quiz
Answer: a, c
Oracle database security components (labels recovered from the slide diagram):
- Separation of duty
- Command rules
- Realm violation reports
- Multifactor authorization
- Object-level access control (Oracle Database Vault)
- Existing Oracle database
- Security reports
- Policies
- Data Masking
- Row-level security (OLS or VPD)
- Column encryption (TDE)
- Secure audit logs (Oracle Audit Vault)
- Encrypted communication (Oracle Advanced Security)
Compliance Scanner
A compliance scanner is available through the Enterprise Manager Security Advisor and the
Policy Manager.
Auditors need to have a consistent set of standards that are used to determine whether a system
is compliant. Administrators want to know the standards, to be prepared for audits and have
some assurance that most security issues are being addressed.
Oracle Enterprise Manager supplies the Security Advisor and Policies. You can access these
pages through Enterprise Manager Database Control, as shown in the slide, or through
Enterprise Manager Grid Control. Rules for the policies are set in the Policy Library. You can
enable or disable these rules as appropriate for your site.
User-defined policies may be created and managed using the
MGMT_USER_DEFINED_POLICY package. These policies can be applied to existing targets.
For more details, see Oracle Enterprise Manager Extensibility.
For more information about policies, see the Oracle Enterprise Manager Policy Reference
Manual.
Policy Library
Both Enterprise Manager Grid Control and Database Control have a library of policies. Because
Grid Control can monitor more types of targets, the Policy Library is more extensive. Each
policy in the library has a description and can be enabled or disabled. In Grid Control, the
policies may be applied to particular targets. When the policies are violated, a violation is
generated as seen on the Violations page and the Security at a Glance page.
Summary
Practice 2 Overview: Hardening Database Access
Objectives
More Information
This lesson also explains how to configure Oracle Database 11g in a secure manner by adhering to
industry standard best security practices for operational database deployments. Details about
specific database-related tasks and actions can be found in the following:
Other lessons in this course
Other courses, including the following:
- Oracle Database 11g: Administration Workshop I
- Oracle Database 11g: Administration Workshop II
- Oracle Application Server 10g R2: Administration I
- Oracle Application Server 10g R2: Administration II
Oracle Database 11g documentation set
For a detailed explanation of the topics covered in this lesson, refer to the Oracle Database Security
Guide.
Passwords in Oracle Database 11g:
- Are case-sensitive
- May contain more different characters
- Use a more secure hash algorithm
- Use salt in the hash algorithm
Password Configuration
By default:
- In upgrade: passwords are non-case-sensitive until changed; they become case-sensitive by
  ALTER USER.
- On creation: passwords are case-sensitive.
When creating a custom database by using the Database Configuration Assistant (DBCA), you can
specify the Oracle Database 11g default security configuration. By default, if a user tries to connect
to an Oracle instance multiple times using an incorrect password, logins are delayed after the third
try. This protection applies for attempts made from different IP addresses or multiple client
connections. Afterwards, it gradually increases the time elapsed before the user can try another
password, up to a maximum of about 10 seconds.
The default password profile is enabled with the following settings at database creation:
PASSWORD_LIFE_TIME 180
PASSWORD_GRACE_TIME 7
PASSWORD_REUSE_TIME UNLIMITED
PASSWORD_REUSE_MAX UNLIMITED
FAILED_LOGIN_ATTEMPTS 10
PASSWORD_LOCK_TIME 1
PASSWORD_VERIFY_FUNCTION NULL
When an Oracle Database is upgraded to 11g, passwords are non-case-sensitive until the ALTER
USER command is used to change the password.
When the database is created, the passwords will be case-sensitive by default.
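As an added example (not from the course), the following SQL checks the two points made above: which password limits the DEFAULT profile actually enforces, and which upgraded accounts still carry only the pre-11g, case-insensitive password verifier. It then tightens the profile with the verify function shipped in utlpwdmg.sql; the DBA_USERS.PASSWORD_VERSIONS column and the verify_function_11G name are assumed to be present in the 11g release in use.

```sql
-- Added example, not the course's own code. Run as a DBA (for example SYS).

-- 1. The password-related limits the DEFAULT profile enforces right now. Compare the
--    output with the creation-time defaults listed in the notes; PASSWORD_VERIFY_FUNCTION
--    shows NULL when no complexity check is in force.
SELECT resource_name, limit
  FROM dba_profiles
 WHERE profile       = 'DEFAULT'
   AND resource_type = 'PASSWORD'
 ORDER BY resource_name;

-- 2. Accounts whose password was never reset after the upgrade to 11g. They hold only
--    the 10G verifier, so their passwords stay non-case-sensitive until
--    ALTER USER ... IDENTIFIED BY is run (or the user changes the password).
--    Locked accounts are excluded because nobody can log in to them anyway.
SELECT username, account_status, password_versions
  FROM dba_users
 WHERE password_versions NOT LIKE '%11G%'
   AND account_status    NOT LIKE '%LOCKED%'
 ORDER BY username;

-- 3. Harden the DEFAULT profile. verify_function_11G is created by
--    $ORACLE_HOME/rdbms/admin/utlpwdmg.sql, which must be run as SYS first.
--    PASSWORD_REUSE_TIME and PASSWORD_REUSE_MAX only take effect when both are set
--    to a number; leaving either UNLIMITED disables the reuse check entirely.
ALTER PROFILE DEFAULT LIMIT
  PASSWORD_VERIFY_FUNCTION verify_function_11G
  FAILED_LOGIN_ATTEMPTS    10
  PASSWORD_LOCK_TIME       1
  PASSWORD_LIFE_TIME       180
  PASSWORD_GRACE_TIME      7
  PASSWORD_REUSE_TIME      365
  PASSWORD_REUSE_MAX       10;

-- 4. Re-running step 1 after the ALTER PROFILE confirms the new limits; step 2 shrinks
--    only as the listed users' passwords are actually changed.
```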
Administrative connections (labels recovered from the slide diagram):
- Database instance: Connect as SYSDBA; Connect as SYSOPER; SYS; DBA; Operator; PUBLIC
- ASM instance: Connect as SYSASM; SYS; DBA
If any default database server user account is required for any reason, you can simply unlock and
activate that account with a new password.
Installed Users
To get a complete list of installed accounts, issue the following SELECT statement:
SQL> COL account_status FORMAT A20
SQL> SELECT username, account_status FROM dba_users;

USERNAME
------------------------------
MGMT_VIEW
SYS
SYSTEM
DBSNMP
SYSMAN
SCOTT
ANONYMOUS
XDB
ORDPLUGINS

ACCOUNT_STATUS
--------------------
OPEN
OPEN
OPEN
OPEN
OPEN
OPEN

USERNAME
------------------------------
SI_INFORMTN_SCHEMA
OLAPSYS
TSMSYS
MDDATA
DIP

ACCOUNT_STATUS
--------------------
EXPIRED & LOCKED
EXPIRED & LOCKED
EXPIRED & LOCKED
EXPIRED & LOCKED
EXPIRED & LOCKED

27 rows selected.
The exact accounts that are returned depend on the installation type and the version of the Oracle
software.
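An added example, not part of the course material, showing how the listing above is acted on: find default accounts that are still OPEN, lock and expire one that is not needed, and unlock one that is needed with a new password, as the notes describe. The set of accounts treated as always needed and the password value are assumptions for this example.

```sql
-- Added example: review default accounts and lock the ones not in use.
-- The "always needed" list below is an assumption; adjust it per site.

-- 1. Open accounts other than the ones every database needs.
SELECT username, account_status, created, profile
FROM   dba_users
WHERE  account_status = 'OPEN'
AND    username NOT IN ('SYS', 'SYSTEM', 'DBSNMP', 'SYSMAN', 'MGMT_VIEW')
ORDER  BY username;

-- 2. Lock and expire an unneeded sample schema. The schema and its objects
--    stay in place, but nobody can log in until an administrator unlocks it.
ALTER USER scott ACCOUNT LOCK PASSWORD EXPIRE;

-- 3. A default account that is genuinely required is unlocked with a new
--    password (constructed placeholder value).
ALTER USER ordplugins IDENTIFIED BY "Ch4nge_Me_Now_01" ACCOUNT UNLOCK;

-- 4. Verify both changes.
SELECT username, account_status, lock_date, expiry_date
FROM   dba_users
WHERE  username IN ('SCOTT', 'ORDPLUGINS')
ORDER  BY username;
```

Step 1 is worth keeping as a recurring check: a locked default account that reappears as OPEN without a change record is a finding in its own right.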
User altered.
Oracle Corporation recommends that the database instance be managed through Enterprise
Manager Database Control or Enterprise Manager Grid Control.
For many sites, it is a common requirement to change passwords periodically. Changing the
DBSNMP password is a special case because it is used by the agent to monitor the database. Refer
to My Oracle Support note 259387.1, How to change the password of the 10g database user
dbsnmp. This note also applies to Oracle Database 11g.
Changing the MGMT_VIEW Password
The MGMT_VIEW password should not be changed. Changing the password will have a serious
effect on many pages displayed by Oracle Enterprise Manager Database Control and Enterprise
Manager Grid Control. The password is a long, random string, generated from a combination of
the user-provided SYSMAN password and the random output from
java.security.SecureRandom hashed together. The MGMT_VIEW account has only read
access to the tables that contain management data such as the percent CPU usage over time for
servers in the data center.
The MGMT_VIEW user is assigned to the DEFAULT profile. Any change to the DEFAULT profile that forces password expiration or password changes could cause this account to become unusable.
Best Practice Tip: Create a profile specifically for the MGMT_VIEW account, in which the
password never expires.
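The best practice tip above, as an added example that is not part of the course material. The profile name MGMT_VIEW_PROFILE is an assumption; the limits other than the expiry-related ones follow the DEFAULT profile values listed earlier in this lesson.

```sql
-- Added example: a dedicated profile so that password-expiry rules in the
-- DEFAULT profile can never disable the MGMT_VIEW account.
CREATE PROFILE mgmt_view_profile LIMIT
  PASSWORD_LIFE_TIME       UNLIMITED   -- the generated password never expires
  PASSWORD_GRACE_TIME      UNLIMITED
  PASSWORD_REUSE_TIME      UNLIMITED
  PASSWORD_REUSE_MAX       UNLIMITED
  FAILED_LOGIN_ATTEMPTS    10          -- keep the lockout protection ...
  PASSWORD_LOCK_TIME       1           -- ... exactly as in the DEFAULT profile
  PASSWORD_VERIFY_FUNCTION NULL;       -- no complexity check on a random string

ALTER USER mgmt_view PROFILE mgmt_view_profile;

-- Verify: the account reports the new profile and no pending expiry.
SELECT username, profile, account_status, expiry_date
FROM   dba_users
WHERE  username = 'MGMT_VIEW';

-- Later changes to DEFAULT (for example a shorter PASSWORD_LIFE_TIME) no
-- longer reach this account; confirm by listing the two profiles side by side.
SELECT profile, resource_name, limit
FROM   dba_profiles
WHERE  profile IN ('DEFAULT', 'MGMT_VIEW_PROFILE')
AND    resource_type = 'PASSWORD'
ORDER  BY resource_name, profile;
```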
Answer: a, d
Quiz
Example:
CREATE DIRECTORY local AS '/user/local/dbs';
GRANT READ, WRITE ON DIRECTORY local TO scott;

BEGIN
  DBMS_NETWORK_ACL_ADMIN.CREATE_ACL (
    acl         => 'us-oracle-com-permissions.xml',
    description => 'Permissions for oracle network',
    principal   => 'SCOTT',
    is_grant    => TRUE,
    privilege   => 'connect');
END;
/

BEGIN
  DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL (
    acl        => 'us-oracle-com-permissions.xml',
    host       => '*.us.oracle.com',
    lower_port => 80,
    upper_port => null);
END;
/
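After creating and assigning an ACL, the effective permissions should be read back rather than assumed. The following is an added example, not part of the course material: it uses the DBA_NETWORK_ACLS and DBA_NETWORK_ACL_PRIVILEGES views and the DBMS_NETWORK_ACL_ADMIN.CHECK_PRIVILEGE function and DELETE_PRIVILEGE procedure, all of which exist in 11g, against the ACL and host pattern from the example above.

```sql
-- Added example: review the ACL from the example above and confirm what
-- SCOTT is allowed to do; then withdraw the privilege when no longer needed.

-- 1. Which ACL applies to which host pattern and port range?
SELECT host, lower_port, upper_port, acl
FROM   dba_network_acls
ORDER  BY host, lower_port;

-- 2. Which principals hold which privileges in that ACL?
SELECT acl, principal, privilege, is_grant
FROM   dba_network_acl_privileges
WHERE  acl LIKE '%us-oracle-com-permissions.xml'
ORDER  BY principal, privilege;

-- 3. Point check for one principal: 1 = granted, 0 = denied,
--    NULL = this ACL says nothing about the principal. The relative ACL
--    name resolves under /sys/acls, where CREATE_ACL stored it.
SELECT DBMS_NETWORK_ACL_ADMIN.CHECK_PRIVILEGE(
         acl       => 'us-oracle-com-permissions.xml',
         user      => 'SCOTT',
         privilege => 'connect') AS scott_connect
FROM   dual;

-- 4. Remove the grant once SCOTT no longer needs outbound access.
BEGIN
  DBMS_NETWORK_ACL_ADMIN.DELETE_PRIVILEGE(
    acl       => 'us-oracle-com-permissions.xml',
    principal => 'SCOTT',
    is_grant  => TRUE,
    privilege => 'connect');
END;
/
```

Step 1 is the one to review periodically: a host entry such as '*' with a NULL port range grants the ACL's principals access to every host and port, which is rarely intended.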
External Jobs
A particularly important issue from a security point of view is handling external jobs. Only users that
need to run jobs outside of the database should be allowed to do so. Grant the CREATE EXTERNAL
JOB system privilege only to those users.
When upgrading from Oracle Database 10g Release 1 to 10g Release 2 or higher, CREATE
EXTERNAL JOB is automatically granted to all users and roles that have the CREATE JOB privilege.
It is recommended that you revoke this privilege from users that do not need it.
In Oracle Database 10g Release 2 and later, the security model allows you to edit the
externaljob.ora file in the $ORACLE_HOME/rdbms/admin directory to specify which
user the extjob process should run as. The externaljob.ora file is owned by the root user and can
be modified only by root.
In Oracle Database 11g on UNIX and Linux, the extjob process is owned by root with the setuid
bit set, but the external jobs started by extjob run as the OS user nobody by default, or as the user
specified in the externaljob.ora file.
On Windows, the jobs will run as the user specified for the OracleJobScheduler<SID>Windows
service: either LocalSystem or a named user (local or domain).
The following example of a better and more secure run-time call restricts SCOTT to reading all the
files in the HR directory:
call dbms_java.grant_permission (
  'SCOTT', 'SYS:java.io.FilePermission', '/hr/*', 'read' );

Example
The example in the slide lists all users who have the DBA role granted to them. The two users
displayed are the built-in users with the DBA role granted.
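The External Jobs notes and the DBA-role example above both come down to one question: who actually holds a dangerous privilege or role? The following is an added example, not part of the course material, that answers it from DBA_SYS_PRIVS and DBA_ROLE_PRIVS, including DBA granted indirectly through another role, and then revokes CREATE EXTERNAL JOB from a user who does not need it (SCOTT is the sample principal).

```sql
-- Added example: privilege inventory for CREATE EXTERNAL JOB and the DBA role.

-- 1. Direct grants of CREATE EXTERNAL JOB, to users and to roles. A grant to
--    a role reaches every user who has that role, so both kinds matter.
SELECT grantee, admin_option,
       CASE WHEN grantee IN (SELECT role FROM dba_roles)
            THEN 'ROLE' ELSE 'USER' END AS grantee_type
FROM   dba_sys_privs
WHERE  privilege = 'CREATE EXTERNAL JOB'
ORDER  BY grantee;

-- 2. Every user who ends up with DBA, following role-to-role grants
--    (DBA granted to role X, X granted to user Y).
SELECT DISTINCT grantee
FROM   dba_role_privs
WHERE  grantee IN (SELECT username FROM dba_users)
START WITH granted_role = 'DBA'
CONNECT BY PRIOR grantee = granted_role
ORDER  BY grantee;

-- 3. Withdraw the external-job privilege where it is not needed. After an
--    upgrade from 10g Release 1 this is typically every CREATE JOB holder.
REVOKE CREATE EXTERNAL JOB FROM scott;

-- 4. Re-run step 1 to confirm the grant is gone.
```

The CONNECT BY in step 2 walks from the role outward to its grantees, so a user who received DBA only through a custom role still appears in the result.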
Separation of Responsibilities
These are the main requirements for a satisfactory separation of duties. Many small companies do not
have enough people to fulfill all these requirements. For more stringent requirements, Oracle
Database Vault enforces separation of duties.
DBAs must be trusted. It is hard to restrict a DBA. To do their job, DBAs require high-level
privileges. A DBA has a position of trust and must be thoroughly vetted. Even a trusted DBA
must have accountability. A policy of separation of responsibility can:
- Prevent abuse of trust. A DBA can view the encrypted passwords in the DBA_USERS
table. The DBA can save any user's encrypted password, change the password, and connect
as that user. When finished, the DBA can restore the user's original password by using the
following command:
ALTER USER username IDENTIFIED BY VALUES 'encrypted_password';
The DBA need not know the original password. This action is not traceable unless auditing
for the ALTER ANY USER privilege is turned on. If the password profile
PASSWORD_REUSE_MAX is set to a number of days, the password cannot be set back to
the original value for a number of days (of course, a DBA can also change the profile
during this exploit). In Database Vault, by default, the DBA user cannot issue an ALTER
USER IDENTIFIED BY command. Only the database account manager would be
allowed to do that.
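The notes say the password swap is traceable only if the ALTER ANY USER privilege is audited. The following is an added example, not part of the course material, of enabling that audit together with the related statement options and of a query that surfaces the pattern: ALTER USER or ALTER PROFILE issued by someone other than the designated account manager, or against a user other than the issuer. The account-manager name ACCT_MGR and the 7-day window are assumptions.

```sql
-- Added example: make ALTER USER ... IDENTIFIED BY VALUES visible.

-- Privilege audit, as the notes suggest, plus the statement shortcuts so that
-- the record carries the target user name.
AUDIT ALTER ANY USER BY ACCESS;
AUDIT USER BY ACCESS;      -- CREATE USER, ALTER USER, DROP USER
AUDIT PROFILE BY ACCESS;   -- the DBA can also relax PASSWORD_REUSE_* limits

-- Detection: account changes in the last 7 days that were not made by the
-- approved account manager and were not a user's own password change.
SELECT timestamp, username, os_username, userhost,
       action_name, obj_name AS target, returncode
FROM   dba_audit_trail
WHERE  action_name IN ('ALTER USER', 'ALTER PROFILE')
AND    timestamp > SYSDATE - 7
AND    username <> 'ACCT_MGR'                              -- assumed account manager
AND    NOT (action_name = 'ALTER USER' AND obj_name = username)  -- self-service change
ORDER  BY timestamp DESC;

-- Follow-up: two ALTER USER records for the same target within a short time,
-- issued by the same DBA, is the save/change/restore sequence from the notes.
SELECT username AS issued_by, obj_name AS target,
       COUNT(*) AS changes, MIN(timestamp) AS first_change, MAX(timestamp) AS last_change
FROM   dba_audit_trail
WHERE  action_name = 'ALTER USER'
AND    timestamp > SYSDATE - 7
AND    obj_name <> username
GROUP  BY username, obj_name
HAVING COUNT(*) >= 2
ORDER  BY last_change DESC;
```

The audit trail itself must be out of the DBA's reach for this to hold (the syslog section later in this course covers that); otherwise the same DBA can delete the records.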
Summary
Practice 3 Overview:
Hardening Database Access
Objectives
Type of Audit | What Is Audited? | What Can Be in the Audit Trail?
- Standard database auditing
- Privileged user auditing: connections by default; when enabled, all the statements that are issued
- Fine-grained auditing (FGA)
Can audit:
Login events
Exercise of system privileges
Exercise of object privileges
Use of SQL statements
Diagram (database auditing flow): the DBA enables database auditing in the parameter file and sets the audit options; a user executes a command; the server process generates the audit trail, which is written to the database audit trail, the OS audit trail, or syslog files.
SYSDBA
The DBA role
Anyone with the * ANY TABLE privileges
11.2
Use the DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_LOCATION procedure to move the audit trail tables from the current tablespace to a user-specified tablespace:
DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_LOCATION(
  AUDIT_TRAIL_TYPE => DBMS_AUDIT_MGMT.AUDIT_TRAIL_DB_STD,
  AUDIT_TRAIL_LOCATION_VALUE => 'AT_TBS')
SYSAUX tablespace
Moving the Database Audit Trail from the SYSTEM Tablespace (continued)
Note: The DBMS_AUDIT_MGMT package belongs to the SYS schema. The EXECUTE
privilege on this package is granted only to EXECUTE_CATALOG_ROLE. Because the
procedures in this package are used to manage audit records, the EXECUTE privilege on the
package should be carefully administered.
11.2
DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_PROPERTY(
AUDIT_TRAIL_TYPE=>DBMS_AUDIT_MGMT.AUDIT_TRAIL_OS,
AUDIT_TRAIL_PROPERTY=>DBMS_AUDIT_MGMT.OS_FILE_MAX_SIZE,
AUDIT_TRAIL_PROPERTY_VALUE=>100)
11.2
DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_PROPERTY(
AUDIT_TRAIL_TYPE=>DBMS_AUDIT_MGMT.AUDIT_TRAIL_OS,
AUDIT_TRAIL_PROPERTY=>DBMS_AUDIT_MGMT.OS_FILE_MAX_AGE,
AUDIT_TRAIL_PROPERTY_VALUE=>14)
11.2
Use the
DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_PROPERTY
procedure to clear the
DBMS_AUDIT_MGMT.OS_FILE_MAX_SIZE and
DBMS_AUDIT_MGMT.OS_FILE_MAX_AGE properties.
Setting USE_DEFAULT_VALUES to:
TRUE sets the property to the default value
FALSE clears the property so that no file size or age is set
DBMS_AUDIT_MGMT.CLEAR_AUDIT_TRAIL_PROPERTY(
AUDIT_TRAIL_TYPE=>DBMS_AUDIT_MGMT.AUDIT_TRAIL_OS,
AUDIT_TRAIL_PROPERTY=>DBMS_AUDIT_MGMT.OS_FILE_MAX_SIZE,
USE_DEFAULT_VALUES=>TRUE)
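The relocation call and the OS-file property calls shown on the preceding slides, carried through end to end as an added example that is not part of the course material: the tablespace is created first, the calls run in one block, and the result is read back from the dictionary. The tablespace name AT_TBS and the limit values follow the slides; the datafile path is an assumption. DBA_AUDIT_MGMT_CONFIG_PARAMS is the 11.2 view that exposes the package's settings.

```sql
-- Added example: move the audit trail out of SYSTEM and cap OS audit files.
-- Datafile path is an assumption for this example.
CREATE TABLESPACE at_tbs
  DATAFILE '/u01/oradata/orcl/at_tbs01.dbf' SIZE 500M
  AUTOEXTEND ON NEXT 100M MAXSIZE 4G;

BEGIN
  -- AUDIT_TRAIL_DB_STD moves both AUD$ (standard) and FGA_LOG$ (fine-grained).
  DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_LOCATION(
    audit_trail_type           => DBMS_AUDIT_MGMT.AUDIT_TRAIL_DB_STD,
    audit_trail_location_value => 'AT_TBS');

  -- OS audit files roll over at the slide's size and age limits,
  -- whichever is reached first.
  DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_PROPERTY(
    audit_trail_type           => DBMS_AUDIT_MGMT.AUDIT_TRAIL_OS,
    audit_trail_property       => DBMS_AUDIT_MGMT.OS_FILE_MAX_SIZE,
    audit_trail_property_value => 100);
  DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_PROPERTY(
    audit_trail_type           => DBMS_AUDIT_MGMT.AUDIT_TRAIL_OS,
    audit_trail_property       => DBMS_AUDIT_MGMT.OS_FILE_MAX_AGE,
    audit_trail_property_value => 14);
END;
/

-- Verify the tables actually left the SYSTEM tablespace ...
SELECT table_name, tablespace_name
FROM   dba_tables
WHERE  owner = 'SYS'
AND    table_name IN ('AUD$', 'FGA_LOG$');

-- ... and what the package now holds for each trail type.
SELECT audit_trail, parameter_name, parameter_value
FROM   dba_audit_mgmt_config_params
ORDER  BY audit_trail, parameter_name;
```

The move runs as DDL on AUD$ and FGA_LOG$; schedule it in a quiet period, and take the EXECUTE-privilege note above seriously, since whoever can run this package can also purge the trail.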
System-privilege auditing: This is used to audit the exercise of any system privilege (such
as DROP ANY TABLE).
Object-privilege auditing: This is used to audit actions on tables, views, procedures,
sequences, directories, and user-defined data types.
Network Auditing: This is typically used to uncover network layer configuration errors.
For more information, see Oracle Database Security Guide.
AUDIT table;
AUDIT SELECT TABLE BY SCOTT BY ACCESS;
Note: Often, your audit options start as unfocused because you are not sure what type of
activity you are looking for. The AUDIT ALL option is a convenient shortcut to audit a
broad range of activity. If used with object-privilege auditing (as shown in the slide), it
detects the following: ALTER, AUDIT, COMMENT, DELETE, GRANT, INDEX, INSERT,
LOCK, READ, RENAME, SELECT, and UPDATE.
If the AUDIT ALL option specifies a username such as AUDIT ALL BY hr, all DDL
statements for the following objects and actions are audited for the user:
ALTER SYSTEM, Cluster, Context, CREATE SESSION, Database Link, Dimension, Directory, Index, Materialized View, NOT EXISTS, Procedure, Profile, Public Database Link, Public Synonym, Role, Rollback Segment, Sequence, Synonym, System Audit, System Grant, Table, Tablespace, Trigger, Type, User, View
Auditing Sessions
Monitor DBA_AUDIT_SESSION (sample output is shown after the notes below).
Check DBA_AUDIT_TRAIL.COMMENT_TEXT.
Auditing Sessions
The AUDIT SESSION option audits the creation of user sessions in the database by auditing the
CREATE SESSION privilege. It can be focused by username or by success or failure. This
option is unique because it generates a single audit record for each session created by
connections to an instance. An audit record is inserted into the audit trail at connection time and
updated at disconnection time. Cumulative information about a session (such as connection time,
disconnection time, and logical and physical I/Os processed) is stored in a single audit record
that corresponds to the session. In many databases, it is common to use the AUDIT SESSION
(unfocused) command. In almost all databases, you should audit unsuccessful login attempts
because this allows you to detect attempts to break into your database.
The AUDIT SESSION command is one of the primary sources of confusion for new auditors.
Records produced by this audit option are unusual in that they are updated after the initial write
to the audit trail. The initial record is written with an action of LOGON, and when the user
disconnects, the record is updated and the action is changed. This can cause confusion. You find
only a few LOGON records, but many LOGOFF records in the audit trail. If AUDIT SESSION is
enabled, session statistics are accumulated for each successful connection and written when the
session ends. This behavior changed starting with 11.1.0.7. The LOGON record will not be
updated, but a LOGOFF record will be created. This applies to both OS and database audit trails.
Sample output from DBA_AUDIT_SESSION:
USERNA ACTION_NAME          RETURNCODE LOGOFF     TS
------ -------------------- ---------- ---------- ----------
FRED   LOGON                      1017            0829 22:29
FRED   LOGOFF                        0 0829 22:39 0829 22:36
FRED   LOGOFF BY CLEANUP             0 0829 22:40 0829 22:39
FRED   LOGON                         0            0829 22:41
Note that the elapsed time for the session is available by subtracting the login time (TIMESTAMP) from the logoff time (LOGOFF_TIME). The difference is in days, so multiply it to convert to the desired units; the query below converts to minutes.
select (logoff_time - timestamp) * (60*24) AS "session time in minutes"
from dba_audit_trail
where action_name like 'LOGOFF%'
and logoff_time is not null;
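The notes recommend auditing unsuccessful logins so that break-in attempts can be detected; the sample output above shows one such record (RETURNCODE 1017). The following is an added example, not part of the course material, of the queries that turn those records into findings: repeated failures against one account, one client host trying many accounts, and a success that follows a burst of failures. The 24-hour window and the thresholds are assumptions.

```sql
-- Added example: detection queries over DBA_AUDIT_SESSION.
-- Prerequisite: AUDIT SESSION WHENEVER NOT SUCCESSFUL; (or unfocused AUDIT SESSION)

-- 1. Failed logons per account, OS user and client host in the last 24 hours.
--    RETURNCODE 1017 = invalid username/password, 28000 = account locked.
SELECT username, os_username, userhost,
       COUNT(*)       AS failures,
       MIN(timestamp) AS first_failure,
       MAX(timestamp) AS last_failure
FROM   dba_audit_session
WHERE  returncode <> 0
AND    timestamp > SYSDATE - 1
GROUP  BY username, os_username, userhost
HAVING COUNT(*) >= 5                      -- assumed alert threshold
ORDER  BY failures DESC;

-- 2. One client host failing against many different accounts.
SELECT userhost,
       COUNT(DISTINCT username) AS accounts_tried,
       COUNT(*)                 AS failures
FROM   dba_audit_session
WHERE  returncode <> 0
AND    timestamp > SYSDATE - 1
GROUP  BY userhost
HAVING COUNT(DISTINCT username) >= 3      -- assumed threshold
ORDER  BY accounts_tried DESC;

-- 3. A successful logon preceded, within one hour, by repeated failures on
--    the same account from the same host: the case worth a phone call.
SELECT *
FROM  (SELECT s.username, s.userhost, s.timestamp AS success_time,
              (SELECT COUNT(*)
               FROM   dba_audit_session f
               WHERE  f.username   = s.username
               AND    f.userhost   = s.userhost
               AND    f.returncode <> 0
               AND    f.timestamp BETWEEN s.timestamp - 1/24 AND s.timestamp) AS prior_failures
       FROM   dba_audit_session s
       WHERE  s.returncode = 0
       AND    s.timestamp > SYSDATE - 1)
WHERE  prior_failures >= 5
ORDER  BY success_time DESC;
```

With FAILED_LOGIN_ATTEMPTS set to 10 in the DEFAULT profile, query 1 fires before the account locks, which is the point: the lock is the last line of defence, not the alert.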
View | Description
- ALL_DEF_AUDIT_OPTS
- DBA_STMT_AUDIT_OPTS
- DBA_PRIV_AUDIT_OPTS
- DBA_OBJ_AUDIT_OPTS
The ALL_DEF_AUDIT_OPTS view shows the default object-auditing options that will be
applied when objects are created.
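An added example, not part of the course material, that ties the AUDIT statements from this lesson to the four views above: a focused audit configuration is set and then read back, so that what is actually being audited can be verified rather than remembered. SCOTT and HR.EMPLOYEES are the lesson's own examples.

```sql
-- Added example: set focused audit options and read them back.
AUDIT SESSION WHENEVER NOT SUCCESSFUL;            -- failed logons only
AUDIT SELECT TABLE BY scott BY ACCESS;            -- every SELECT that SCOTT runs
AUDIT DROP ANY TABLE;                             -- a system privilege
AUDIT SELECT, UPDATE ON hr.employees BY ACCESS;   -- object privileges on one table

-- Statement options (SESSION, SELECT TABLE, ...). USER_NAME is NULL when the
-- option applies to all users.
SELECT user_name, audit_option, success, failure
FROM   dba_stmt_audit_opts
ORDER  BY user_name NULLS FIRST, audit_option;

-- System-privilege options.
SELECT user_name, privilege, success, failure
FROM   dba_priv_audit_opts
ORDER  BY user_name NULLS FIRST, privilege;

-- Object options: each column reads success/failure, where A = by access,
-- S = by session and - = not audited (so 'A/A' after the AUDIT above).
SELECT owner, object_name, object_type, sel, upd, del, ins
FROM   dba_obj_audit_opts
WHERE  owner = 'HR'
AND    object_name = 'EMPLOYEES';

-- Defaults that will be applied to objects created from now on.
SELECT * FROM all_def_audit_opts;

-- Undo the per-user option once the investigation is over.
NOAUDIT SELECT TABLE BY scott;
```

Reading DBA_STMT_AUDIT_OPTS after any NOAUDIT is the habit to build: an option removed from the wrong scope (all users instead of one) silently turns off auditing everyone relied on.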
View | Description
- DBA_AUDIT_TRAIL
- DBA_AUDIT_EXISTS
- DBA_AUDIT_OBJECT
- DBA_AUDIT_SESSION
- DBA_AUDIT_STATEMENT
Quiz
a. True
b. False
Answer: b
11.2
11.2
DBMS_AUDIT_MGMT.INIT_CLEANUP(
AUDIT_TRAIL_TYPE=>DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
DEFAULT_CLEANUP_INTERVAL=>8)
11.2
DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP is used to specify when the audit records were last archived.
DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL uses the timestamp to determine which audit records to purge.
The time zone of the timestamp must be:
- Coordinated Universal Time (UTC) for database audit trail tables
- Local time zone when the audit trail type is AUDIT_TRAIL_OS or AUDIT_TRAIL_XML
DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(
  AUDIT_TRAIL_TYPE=>DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
  LAST_ARCHIVE_TIME=>'2010-01-13 2:00:00')
11.2
DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL(
AUDIT_TRAIL_TYPE=>DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
USE_LAST_ARCH_TIMESTAMP=>TRUE)
11.2
Use DBMS_AUDIT_MGMT.CREATE_PURGE_JOB to
automate audit trail purging.
Modify the status of the purge job (enable/disable) by
using DBMS_AUDIT_MGMT.SET_PURGE_JOB_STATUS.
Modify the purge interval of the purge job by using
DBMS_AUDIT_MGMT.SET_PURGE_JOB_INTERVAL.
DBMS_AUDIT_MGMT.CREATE_PURGE_JOB(
AUDIT_TRAIL_TYPE=>DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
AUDIT_TRAIL_PURGE_INTERVAL=>8,
AUDIT_TRAIL_PURGE_NAME=>'AT_PURGE',
USE_LAST_ARCH_TIMESTAMP=>TRUE)
You can disable and enable the audit trail purge job by using
DBMS_AUDIT_MGMT.SET_PURGE_JOB_STATUS. You can modify the interval at which
the CLEAN_AUDIT_TRAIL procedure is called for the purge job by using
DBMS_AUDIT_MGMT.SET_PURGE_JOB_INTERVAL. Refer to Oracle Database PL/SQL
Packages and Types Reference 11g Release 2 (11.2) and Oracle Database Security Guide
11g Release 2 (11.2) for additional information about these procedures.
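The four calls on the preceding slides (INIT_CLEANUP, SET_LAST_ARCHIVE_TIMESTAMP, CLEAN_AUDIT_TRAIL, CREATE_PURGE_JOB) form one lifecycle. The following is an added example, not part of the course material, that runs them in order for the standard trail, guards the initialisation with DBMS_AUDIT_MGMT.IS_CLEANUP_INITIALIZED, and verifies the state through the 11.2 views DBA_AUDIT_MGMT_LAST_ARCH_TS and DBA_AUDIT_MGMT_CLEANUP_JOBS. Interval values and the job name follow the slides; the archive timestamp is a constructed value.

```sql
-- Added example: archive-then-purge lifecycle for the standard audit trail.
DECLARE
  l_trail CONSTANT PLS_INTEGER := DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD;
BEGIN
  -- 1. One-time initialisation; running it twice raises an error, so guard it.
  IF NOT DBMS_AUDIT_MGMT.IS_CLEANUP_INITIALIZED(l_trail) THEN
    DBMS_AUDIT_MGMT.INIT_CLEANUP(
      audit_trail_type         => l_trail,
      default_cleanup_interval => 8);   -- hours
  END IF;

  -- 2. Record the point up to which records have been archived elsewhere.
  --    UTC for database trail tables (see the slide); constructed value.
  DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(
    audit_trail_type  => l_trail,
    last_archive_time => TO_TIMESTAMP('2010-01-13 02:00:00', 'YYYY-MM-DD HH24:MI:SS'));

  -- 3. Purge only records older than that timestamp. With
  --    USE_LAST_ARCH_TIMESTAMP => FALSE the whole trail would go.
  DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL(
    audit_trail_type        => l_trail,
    use_last_arch_timestamp => TRUE);

  -- 4. Repeat the same bounded purge every 8 hours.
  DBMS_AUDIT_MGMT.CREATE_PURGE_JOB(
    audit_trail_type           => l_trail,
    audit_trail_purge_interval => 8,
    audit_trail_purge_name     => 'AT_PURGE',
    use_last_arch_timestamp    => TRUE);
END;
/

-- Verify: the archive watermark and the scheduled job.
SELECT audit_trail, last_archive_ts
FROM   dba_audit_mgmt_last_arch_ts;

SELECT job_name, job_status, audit_trail, job_frequency
FROM   dba_audit_mgmt_cleanup_jobs;

-- Operate the job: pause it while an archive run is in progress, then
-- change its frequency to once a day.
EXEC DBMS_AUDIT_MGMT.SET_PURGE_JOB_STATUS('AT_PURGE', DBMS_AUDIT_MGMT.PURGE_JOB_DISABLE)
EXEC DBMS_AUDIT_MGMT.SET_PURGE_JOB_INTERVAL('AT_PURGE', 24)
EXEC DBMS_AUDIT_MGMT.SET_PURGE_JOB_STATUS('AT_PURGE', DBMS_AUDIT_MGMT.PURGE_JOB_ENABLE)
```

The watermark in step 2 is what makes the purge safe: the archive process should advance it only after its copy of the records has been verified, and the job then never deletes anything that has not been archived.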
First: $ORACLE_BASE/admin/<ORACLE_SID>/adump
Second: $ORACLE_HOME/rdbms/audit
Configuring syslog
Standard audit records and SYS operations audit records can be sent to syslog, including to another machine.
- The AUDIT_SYSLOG_LEVEL initialization parameter sets facility.priority of the messages.
- The syslog.conf file determines where syslog writes the message.
Parameter file example:
*.AUDIT_TRAIL=OS
*.AUDIT_SYSLOG_LEVEL='local1.info'
Syntax:
AUDIT_TRAIL = OS
AUDIT_SYSLOG_LEVEL = facility.priority
syslog Limitations
The syslog logging does not capture audit records from fine-grained auditing.
The syslog logging does not capture Oracle Database Vault audit records. OS and syslog
logging encode information, and this information can be decoded using data dictionary tables
and error messages as follows:
Action code: Describes the operation performed or attempted, using codes listed in the
AUDIT_ACTIONS data dictionary table, with their descriptions
Privileges used: Describes any system privileges used to perform the operation, using
codes listed in the SYSTEM_PRIVILEGE_MAP table, with their descriptions
Completion code or return code: Describes the result of the attempted operation, using
codes listed in Oracle Database Error Messages, with their descriptions. Successful
operations return a value of zero and unsuccessful operations return an Oracle error code
corresponding to the reason the operation was unsuccessful.
syslog limitations:
- In the audit record, nnnnn in the Oracle Audit [nnnnn] entry is the Oracle server process ID.
- The syslog messages are limited and must meet the standards set by the Internet Engineering Task Force. These standards are under review and may change to increase the allowable message size, increase security, and provide a more reliable protocol.
- User Datagram Protocol (UDP) is the protocol used by syslog to send messages to another machine. This protocol is unreliable because no acknowledgement is required. This means that the message is sent to the remote machine, and if for some reason the message does not arrive, the contents are lost.
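An added example, not part of the course material, of the database side of the syslog configuration described above, followed by the decoding step the notes describe: the action code and privilege code in a syslog record are resolved through AUDIT_ACTIONS and SYSTEM_PRIVILEGE_MAP, and a return code is resolved through SQLERRM. The facility local1 follows the slide; the matching syslog.conf line that forwards `local1.info` to a remote log host, and the sample codes, are assumptions for this example.

```sql
-- Added example: send standard and SYS audit records to syslog, then decode
-- the numeric fields of a record. All three parameters are static, so they
-- are written to the spfile and take effect at the next instance start.
ALTER SYSTEM SET audit_trail          = OS            SCOPE = SPFILE;
ALTER SYSTEM SET audit_syslog_level   = 'local1.info' SCOPE = SPFILE;
ALTER SYSTEM SET audit_sys_operations = TRUE          SCOPE = SPFILE;  -- SYSDBA/SYSOPER statements too

-- Confirm what is in the spfile before restarting.
SELECT name, value
FROM   v$spparameter
WHERE  name IN ('audit_trail', 'audit_syslog_level', 'audit_sys_operations');

-- Decode an action code taken from a record (sample code 100 is assumed).
SELECT action, name
FROM   audit_actions
WHERE  action = 100;

-- Decode a privilege code. SYSTEM_PRIVILEGE_MAP stores its codes as negative
-- numbers, so match on the absolute value (sample code 5 is assumed).
SELECT privilege, name
FROM   system_privilege_map
WHERE  ABS(privilege) = 5;

-- Decode a return code: 0 is success, anything else is the ORA- error.
SET SERVEROUTPUT ON
BEGIN
  DBMS_OUTPUT.PUT_LINE(SQLERRM(-1017));   -- the failed-logon code seen earlier
END;
/
```

Because the trail now leaves the database over UDP, the decoding queries above run against the database only for the lookups; the records themselves live on the log host, which is exactly what keeps them out of a DBA's reach.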
Diagram (value-based auditing flow): a user makes a change; the trigger fires; the trigger creates an audit record; the record is inserted into an audit trail table.
Value-Based Auditing
Database auditing records that inserts, updates, and deletes have occurred on audited objects, but
does not capture the actual values that have been changed. Value-based auditing extends
database auditing, capturing the actual values that have been changed. Value-based auditing
leverages database triggers (event-driven PL/SQL constructs).
When a user inserts, updates, or deletes data into or from a table with the appropriate trigger
attached, the trigger works in the background to copy audit information to a table designed to
contain the audit information. Value-based auditing tends to degrade performance more than
standard database auditing because the audit trigger code must be executed each time the insert,
update, or delete operation occurs. The degree of degradation depends on the efficiency of the
trigger code. Value-based auditing should be used only in situations where the information
captured by standard database auditing is insufficient.
In Oracle Database, there are certain features that reduce the need for user-developed value-based auditing. Flashback data archive (FDA) allows the database administrator to configure a
secure area in the database to capture all the changes to a specific table. Flashback transaction
can be used to view the data as it was at a particular point in time if either undo records exist or
FDA is enabled. The Log Miner utility also allows the database administrator to view all
transactions that have occurred by reconstructing the SQL statements that were issued from redo
log records if the archived redo logs are still available.
Value-Based Auditing
This trigger focuses auditing to capture changes to the salary column of the
HR.EMPLOYEES table. When a row is updated, the trigger checks the salary column. If the
old salary is not equal to the new salary, the trigger inserts an audit record into the
AUDIT_EMPLOYEES table (created via a separate operation in the SYSTEM schema). The
audit record includes the username, the IP address from which the change has been made,
the primary key identifying which record has been changed, and the actual salary values that
have been changed.
This trigger uses the SYS_CONTEXT function to capture information from the built-in
USERENV context. This function is shown in detail in the lesson titled Using Application
Contexts, and the attributes of the USERENV context are listed in the appendix titled
USERENV Context.
Database triggers can also be used to capture information about user connections in cases
where standard database auditing does not gather sufficient data. With triggers, the
administrator can capture any information that is available to the database through any of the
database tables or views. Examples of such information include:
- IP address of the person logging in
- First 48 characters of the program name used to connect to the instance
- Terminal name used to connect to the instance
- MODULE or ACTION that originated the audited action (This may be available if the
application is instrumented by using the DBMS_APPLICATION_INFO package.)
Flashback Archive
Flashback Archive provides a way to capture all the changes to a table and view the values
in the table at any point in time during the retention period. Flashback Archive provides an
alternative to value-based auditing.
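The slide's trigger is not reproduced in these notes. The following is an added example, not the course's own trigger, written from the description above: an audit table in the SYSTEM schema, an update trigger on HR.EMPLOYEES that records the old and new salary together with SYS_CONTEXT('USERENV', ...) values, and a logon trigger that captures the connection attributes listed above. The table names AUDIT_EMPLOYEES and AUDIT_LOGONS, the trigger names and the column layout are assumptions.

```sql
-- Added example: value-based auditing of salary changes plus a logon trigger.

CREATE TABLE system.audit_employees (
  audit_time  TIMESTAMP DEFAULT SYSTIMESTAMP NOT NULL,
  db_user     VARCHAR2(30),
  os_user     VARCHAR2(100),
  ip_address  VARCHAR2(45),
  employee_id NUMBER(6),
  old_salary  NUMBER(8,2),
  new_salary  NUMBER(8,2)
);
-- HR may only add rows; it cannot read or delete the audit table.
GRANT INSERT ON system.audit_employees TO hr;

CREATE OR REPLACE TRIGGER hr.audit_emp_salary
  AFTER UPDATE OF salary ON hr.employees
  FOR EACH ROW
  WHEN (NVL(OLD.salary, -1) <> NVL(NEW.salary, -1))   -- fire only on a real change
BEGIN
  INSERT INTO system.audit_employees
    (db_user, os_user, ip_address, employee_id, old_salary, new_salary)
  VALUES
    (SYS_CONTEXT('USERENV', 'SESSION_USER'),
     SYS_CONTEXT('USERENV', 'OS_USER'),
     SYS_CONTEXT('USERENV', 'IP_ADDRESS'),
     :OLD.employee_id, :OLD.salary, :NEW.salary);
END;
/

CREATE TABLE system.audit_logons (
  logon_time TIMESTAMP DEFAULT SYSTIMESTAMP NOT NULL,
  db_user    VARCHAR2(30),
  os_user    VARCHAR2(100),
  ip_address VARCHAR2(45),
  program    VARCHAR2(48),     -- first 48 characters of the program name
  terminal   VARCHAR2(255),
  action     VARCHAR2(64)      -- set by DBMS_APPLICATION_INFO, if the app does so
);

-- Needs the ADMINISTER DATABASE TRIGGER privilege, which the DBA role includes.
CREATE OR REPLACE TRIGGER system.audit_logon_trg
  AFTER LOGON ON DATABASE
BEGIN
  INSERT INTO system.audit_logons
    (db_user, os_user, ip_address, program, terminal, action)
  VALUES
    (SYS_CONTEXT('USERENV', 'SESSION_USER'),
     SYS_CONTEXT('USERENV', 'OS_USER'),
     SYS_CONTEXT('USERENV', 'IP_ADDRESS'),
     SUBSTR(SYS_CONTEXT('USERENV', 'MODULE'), 1, 48),
     SYS_CONTEXT('USERENV', 'TERMINAL'),
     SYS_CONTEXT('USERENV', 'ACTION'));
END;
/

-- Exercise: a real change is recorded; setting the same value again is not.
UPDATE hr.employees SET salary = salary * 1.05 WHERE employee_id = 100;
UPDATE hr.employees SET salary = salary        WHERE employee_id = 100;
SELECT audit_time, db_user, ip_address, employee_id, old_salary, new_salary
FROM   system.audit_employees;
```

Two caveats follow from the notes. The trigger body runs inside the user's transaction, so a rolled-back salary change leaves no audit row; that is the intended behaviour here, because no change happened. And if the logon trigger raises an error, ordinary users cannot connect until it is fixed, while holders of ADMINISTER DATABASE TRIGGER still can, which is why the insert is kept as simple as it is.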
Summary
Practice 4 Overview:
Implementing Basic Auditing
Objectives
EMPLOYEES
Policies:
- Monitor data access based on content
- Audit SELECT, INSERT, UPDATE, or DELETE
Defines:
- Audit criteria
- Audit action

dbms_fga.add_policy (
  object_schema   => 'hr',
  object_name     => 'employees',
  policy_name     => 'audit_emps_salary',
  audit_condition => 'department_id=10',
  audit_column    => 'salary',
  handler_schema  => 'sec',
  handler_module  => 'log_emps_salary',
  enable          => TRUE,
  statement_types => 'select' );

SELECT last_name, job_id
FROM employees;

SELECT last_name, salary
FROM employees
WHERE department_id = 10;

Handler: SEC.LOG_EMPS_SALARY
The slide illustrates an example where the SEC user uses the DBMS_FGA.ADD_POLICY
procedure to create an FGA policy on the HR.EMPLOYEES table. After an FGA policy has been
enabled, any SQL statement that matches the audit condition and audit column will generate an
audit record.
Note: The SEC user must be granted EXECUTE on the DBMS_FGA package.
The procedure accepts the following arguments:
Policy Name: Each FGA policy is assigned a name when you create it. The example in the
slide names the policy AUDIT_EMPS_SALARY, using the following argument:
policy_name => 'audit_emps_salary'
Object: The object is the table or view that is being audited. It is passed as two arguments:
- The schema that contains the object
- The name of the object
In the example in the slide, the HR.EMPLOYEES table is audited by using the following
arguments:
object_schema => 'hr'
object_name => 'employees'
FGA Policy
Audit Column: The audit column defines the data that is being audited. An audit
event occurs only if this column is included in the SELECT statement. In the example
in the slide, the SALARY column is audited by using the following argument:
audit_column => 'salary'
Status: The status indicates whether the FGA policy is enabled. In the example in the
slide, the following argument enables the policy:
enable => TRUE
The FGA policy can generate audit records when the SQL statement does not access the
columns or rows targeted. This is called a false positive. This can occur because the
evaluation takes place at parse time rather than when the rows are returned. False positives
can occur but not false negatives.
SELECT count(*)
FROM hr.employees
WHERE department_id = 10
AND salary > &v_salary;

SELECT salary
FROM hr.employees;

SELECT last_name
FROM hr.employees
WHERE department_id = 10;
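The policy names SEC.LOG_EMPS_SALARY as its handler module, but the handler itself is not shown. The following is an added example, not the course's own code: the handler with the three-argument signature that DBMS_FGA calls, the policy re-created with the extended audit trail so that SQL_TEXT and SQL_BIND are retained, and the three statements above run against it. The table SEC.FGA_ALERTS and its columns are assumptions; the handler must belong to a schema that has EXECUTE on DBMS_FGA, as the note above requires.

```sql
-- Added example: FGA handler for the AUDIT_EMPS_SALARY policy.
CREATE TABLE sec.fga_alerts (
  alert_time  TIMESTAMP DEFAULT SYSTIMESTAMP NOT NULL,
  policy_name VARCHAR2(30),
  db_user     VARCHAR2(30),
  os_user     VARCHAR2(100),
  ip_address  VARCHAR2(45),
  sql_text    VARCHAR2(4000)
);

-- DBMS_FGA invokes the handler with exactly these three arguments.
CREATE OR REPLACE PROCEDURE sec.log_emps_salary (
  object_schema IN VARCHAR2,
  object_name   IN VARCHAR2,
  policy_name   IN VARCHAR2)
AS
  PRAGMA AUTONOMOUS_TRANSACTION;   -- the alert survives a rollback of the audited statement
BEGIN
  INSERT INTO sec.fga_alerts (policy_name, db_user, os_user, ip_address, sql_text)
  VALUES (policy_name,
          SYS_CONTEXT('USERENV', 'SESSION_USER'),
          SYS_CONTEXT('USERENV', 'OS_USER'),
          SYS_CONTEXT('USERENV', 'IP_ADDRESS'),
          SYS_CONTEXT('USERENV', 'CURRENT_SQL'));   -- the statement that fired the policy
  COMMIT;
END;
/

-- The slide's policy, with DB_EXTENDED so that SQL text and binds are kept.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'hr',
    object_name     => 'employees',
    policy_name     => 'audit_emps_salary',
    audit_condition => 'department_id = 10',
    audit_column    => 'salary',
    handler_schema  => 'sec',
    handler_module  => 'log_emps_salary',
    enable          => TRUE,
    statement_types => 'select',
    audit_trail     => DBMS_FGA.DB_EXTENDED);
END;
/

-- The three statements from above. Only the two that reference SALARY can
-- produce a record; the third never touches the audit column.
VARIABLE v_salary NUMBER
EXEC :v_salary := 1000
SELECT count(*) FROM hr.employees WHERE department_id = 10 AND salary > :v_salary;
SELECT salary FROM hr.employees;
SELECT last_name FROM hr.employees WHERE department_id = 10;

-- What the built-in trail and the handler captured.
SELECT timestamp, db_user, sql_text, sql_bind
FROM   dba_fga_audit_trail
WHERE  policy_name = 'AUDIT_EMPS_SALARY'
ORDER  BY timestamp;

SELECT alert_time, db_user, ip_address, sql_text
FROM   sec.fga_alerts
ORDER  BY alert_time;
```

The SQL_BIND value for the first statement is the #1(4):1000 form explained on the next page. Keep the handler short and free of anything that can fail: an exception inside it is raised to the user whose statement triggered the policy.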
View Name | Description
- DBA_FGA_AUDIT_TRAIL
- ALL_AUDIT_POLICIES
- DBA_AUDIT_POLICIES
- USER_AUDIT_POLICIES
Slide: DBA_FGA_AUDIT_TRAIL rows for policy AUDIT_EMPS_SALARY.
Selecting from the FGA Audit Trail
The slide displays the two audit rows created by the valid examples from the previous page. The
SQL_BIND column has a value of #1(4):1000, which includes the following components:
- #1 indicates that this is the first bind variable in the statement.
- (4) indicates that the bind variable has a length of 4.
- 1000 indicates that the bind variable has a value of 1000.
Note: This example shows a partial list of columns available in DBA_FGA_AUDIT_TRAIL.
For more information, see the Oracle Database Reference Guide.
Answer: c
Quiz
Subprogram | Description
- ADD_POLICY
- DROP_POLICY
- ENABLE_POLICY
- DISABLE_POLICY
DBMS_FGA Package
The DBMS_FGA package is the tool to manage FGA functions. The EXECUTE privilege on
DBMS_FGA is needed to administer FGA policies. Because the FGA audit trail can contain
sensitive information, the EXECUTE privilege on this package must be reserved only for
administrators.
To audit usage of the DBMS_FGA package, wrap it with a PL/SQL package that captures user
information and then executes the DBMS_FGA procedures. Grant EXECUTE on the wrapper to
users that need it. Revoke EXECUTE on the DBMS_FGA package from everyone except the owner of the
wrapper package. The PL/SQL wrapper package must use definer's rights.
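The wrapper described above, as an added example that is not part of the course material. SEC owns the package and must hold EXECUTE on DBMS_FGA as a direct grant (a grant through a role is not visible inside a definer's-rights package). The log table SEC.FGA_ADMIN_LOG, the package name FGA_ADMIN and the administrator role AUDIT_ADMIN are assumptions.

```sql
-- Added example: definer's-rights wrapper that logs who administers FGA.
CREATE TABLE sec.fga_admin_log (
  log_time      TIMESTAMP DEFAULT SYSTIMESTAMP NOT NULL,
  operation     VARCHAR2(20),
  db_user       VARCHAR2(30),
  os_user       VARCHAR2(100),
  ip_address    VARCHAR2(45),
  object_schema VARCHAR2(30),
  object_name   VARCHAR2(30),
  policy_name   VARCHAR2(30),
  result        VARCHAR2(200)
);

CREATE OR REPLACE PACKAGE sec.fga_admin AUTHID DEFINER AS
  -- Callers need EXECUTE on this package only, never on SYS.DBMS_FGA.
  PROCEDURE enable_policy  (p_schema IN VARCHAR2, p_object IN VARCHAR2, p_policy IN VARCHAR2);
  PROCEDURE disable_policy (p_schema IN VARCHAR2, p_object IN VARCHAR2, p_policy IN VARCHAR2);
END fga_admin;
/

CREATE OR REPLACE PACKAGE BODY sec.fga_admin AS

  PROCEDURE log_call (p_op IN VARCHAR2, p_schema IN VARCHAR2, p_object IN VARCHAR2,
                      p_policy IN VARCHAR2, p_result IN VARCHAR2) IS
    PRAGMA AUTONOMOUS_TRANSACTION;   -- the log row is kept even if the caller rolls back
  BEGIN
    INSERT INTO sec.fga_admin_log
      (operation, db_user, os_user, ip_address, object_schema, object_name, policy_name, result)
    VALUES
      (p_op,
       SYS_CONTEXT('USERENV', 'SESSION_USER'),   -- the real caller, not SEC
       SYS_CONTEXT('USERENV', 'OS_USER'),
       SYS_CONTEXT('USERENV', 'IP_ADDRESS'),
       p_schema, p_object, p_policy, p_result);
    COMMIT;
  END log_call;

  PROCEDURE run (p_op IN VARCHAR2, p_schema IN VARCHAR2, p_object IN VARCHAR2, p_policy IN VARCHAR2) IS
  BEGIN
    IF p_op = 'ENABLE' THEN
      DBMS_FGA.ENABLE_POLICY (object_schema => p_schema, object_name => p_object, policy_name => p_policy);
    ELSE
      DBMS_FGA.DISABLE_POLICY(object_schema => p_schema, object_name => p_object, policy_name => p_policy);
    END IF;
    log_call(p_op, p_schema, p_object, p_policy, 'OK');
  EXCEPTION
    WHEN OTHERS THEN
      log_call(p_op, p_schema, p_object, p_policy, SUBSTR(SQLERRM, 1, 200));  -- failed attempts are logged too
      RAISE;
  END run;

  PROCEDURE enable_policy (p_schema IN VARCHAR2, p_object IN VARCHAR2, p_policy IN VARCHAR2) IS
  BEGIN run('ENABLE', p_schema, p_object, p_policy); END enable_policy;

  PROCEDURE disable_policy (p_schema IN VARCHAR2, p_object IN VARCHAR2, p_policy IN VARCHAR2) IS
  BEGIN run('DISABLE', p_schema, p_object, p_policy); END disable_policy;

END fga_admin;
/

-- Expose only the wrapper, then find and remove any direct grant on DBMS_FGA.
GRANT EXECUTE ON sec.fga_admin TO audit_admin;

SELECT grantee, grantor
FROM   dba_tab_privs
WHERE  owner = 'SYS' AND table_name = 'DBMS_FGA' AND privilege = 'EXECUTE';

REVOKE EXECUTE ON sys.dbms_fga FROM audit_admin;   -- repeat for each grantee found, except SEC
```

Log before re-raising, not after: the failed attempt (for example a disable on a policy the caller is not supposed to touch) is the record an auditor will want most.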
DBMS_FGA Package
Enable a policy:
dbms_fga.enable_policy (
  object_schema => 'hr',
  object_name   => 'employees',
  policy_name   => 'audit_emps_salary' );
Disable a policy:
dbms_fga.disable_policy (
  object_schema => 'hr',
  object_name   => 'employees',
  policy_name   => 'audit_emps_salary' );
BEGIN
  dbms_fga.drop_policy (
    object_schema => 'hr',
    object_name   => 'employees',
    policy_name   => 'audit_emps_salary');
END;
Audit Columns
- If the audit column is set to NULL, all columns are audited.
- If the audit column name is valid but incorrect, the wrong statements are audited.
- If the audit condition has valid syntax but is incorrect, the wrong rows are audited.
Policy-Name Error: Policy names must be unique within the database. They have no
owner. If a duplicate name is used, you receive the following error when creating the
policy:
ORA-28101: policy already exists
If the audit column does not exist, the ADD_POLICY procedure fails.
Summary
Practice 5 Overview:
Implementing Fine-Grained Auditing
Objectives
User Authentication
Strong authentication
Enterprise User Security
Proxy authentication
User Authentication
A basic security requirement is that you must know your users. You must identify them before you
can determine their privileges and access rights, so that you can audit their actions on the data. In this
lesson, you create and audit database authenticated users and operating system authenticated users.
Users can be authenticated in a number of different ways before they are allowed to create a database
session. With database authentication, you define users such that the database performs the
authentication of users. With operating system (OS) authentication, you define users such that
authentication is performed by the operating system or an OS-based network service.
Later lessons cover the following user-authentication-related topics:
Strong authentication: You can define users such that they are authenticated by strong
authentication methods: certificates, smart cards, and Kerberos.
Enterprise User Security: Enterprise users are authenticated through an enterprise directory
and authorized for access to the database through enterprise roles.
Proxy users: You can specify users who are allowed to connect through a middle-tier server.
The middle-tier server authenticates and assumes the identity of the user and is allowed to
enable specific roles for the user. This is called proxy authentication.
A database user:
Has a schema
Is easily audited
Is authenticated by a password in the database
CREATE USER username IDENTIFIED BY password;
A database user:
Has a schema
Is easily audited
Is authenticated by the operating system
CREATE USER username IDENTIFIED EXTERNALLY;
Protecting Passwords
Passwords used in scripts, job schedulers, and command lines are vulnerable. A password must never
be placed in script files in clear text. Even passwords embedded in executable files are vulnerable to
the strings command or a binary file editor.
Entering the password on the command line may seem safe if no one sees you type it. But on some
UNIX systems, it is possible to view the full command line, including the username and password,
by using the ps command with the appropriate switches. If an OS account is compromised, someone
viewing the shell command history file may find passwords to privileged database accounts. A
password held in an environment variable is also visible with the ps command and its
show-environment switch; for example, ps -ef -e shows a full listing of every process followed by
its environment variables.
The externally authenticated database user account is a better way to protect the password:
CREATE USER OPS$FRED IDENTIFIED EXTERNALLY;
GRANT CREATE SESSION TO OPS$FRED;
Suppose Fred is a database administrator (DBA) and needs to run batch jobs on the server machine.
With the two preceding commands, an OS user with a login of fred can now connect to the
database with / and run a script without a password:
sqlplus / @script
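As an added example (not part of the course material), the following POSIX shell script scans a directory of shell scripts for sqlplus command lines that carry a username/password pair, the pattern this lesson warns is exposed through ps and the shell history; the sample scripts it writes to a temporary directory are constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not from the course): scan shell scripts for sqlplus
# command lines that embed a cleartext password. Lines such as
#   sqlplus scott/tiger@orcl      or     sqlplus -S hr/hr_pw
# are flagged; OS-authenticated  sqlplus / @script  and wallet-based
# sqlplus /@alias  are not, because no username precedes the slash.

# Heuristic: a username ([A-Za-z0-9_$#]) immediately followed by "/" and a
# non-empty password, after the sqlplus command and any -options.
CRED_PATTERN='sqlplus([[:space:]]+-[^[:space:]]+)*[[:space:]]+"?[A-Za-z0-9_$#]+/[^[:space:]@]+'

# Exit 0 if the command line given as $1 carries a cleartext password.
has_cleartext_password() {
    printf '%s\n' "$1" | grep -Eq "$CRED_PATTERN"
}

# Print "file:line:text" for every offending line under directory $1.
scan_dir() {
    find "$1" -type f -name '*.sh' | sort | while read -r f; do
        grep -En "$CRED_PATTERN" "$f" | sed "s|^|$f:|" || true
    done
}

# Count the findings for directory $1 (used by the self-check below).
count_findings() {
    scan_dir "$1" | wc -l | tr -d ' '
}

# Build a constructed sample directory with one bad and one good script and
# print its path. The file contents are hypothetical, written for this example.
make_sample_dir() {
    d=$(mktemp -d)
    cat > "$d/nightly_report.sh" <<'EOF'
#!/bin/sh
# Bad: password visible to ps and saved in the shell history
sqlplus scott/tiger@orcl @report.sql
sqlplus -S hr/hr_pw @payroll.sql
EOF
    cat > "$d/batch_job.sh" <<'EOF'
#!/bin/sh
# Good: OS authentication (OPS$ user) and wallet-based login
sqlplus / @script.sql
sqlplus /@orcl @cleanup.sql
sqlplus /nolog
EOF
    printf '%s\n' "$d"
}

sample=$(make_sample_dir)
echo "Cleartext credentials found: $(count_findings "$sample")"
scan_dir "$sample"
rm -rf "$sample"
```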
Quiz
a. True
b. False
Answer: a
The following statement creates a private fixed user link called JANE_FINANCE to the database
with the service name, FINANCE. The link connects to the remote database with the user ID and
password as JANE and doe, respectively:
CREATE DATABASE LINK jane_finance
CONNECT TO jane IDENTIFIED BY doe USING 'finance';
When an application uses a fixed user database link, the local server always establishes a connection
to the specified schema in the remote database. The local server also sends the fixed user's
credentials across the network when an application uses the link to access the remote database.
Anyone who is granted access to a fixed user database link has access to everything in the remote schema.
Slide output (query result): the PASSWORD column shows NULL for each link; the PASSWORDX column holds hexadecimal values (omitted here).
To use a current user database link, the current user must be a global user registered with a
Lightweight Directory Access Protocol (LDAP) directory service and be authorized to connect to
both the databases that are involved in the link. Because a current user link must be for a user
identified globally, this is available only through Oracle Advanced Security.
Controlling Access to Remote Databases
In many distributed applications, you do not want a user to have privileges in a remote database.
One simple way to achieve this result is to embed a fixed user or current user database link
within a procedure. This procedure performs the needed SQL operation with definer's rights.
Thus, the user accessing the procedure temporarily assumes the privileges of the user defined in
the link. The fixed link connects to the remote database as the user defined in the link. The
current user link connects as the owner of the procedure.
In this definer's rights example, the HR user creates a database link and a procedure, and then
grants EXECUTE on the procedure to a role: HR_CLERK. Anyone with the role can execute the
update_hr_salary procedure, but cannot access the remote HR schema through the
database link except through the procedure.
CONNECT HR
PASSWORD: ****
CREATE DATABASE LINK hremp
  CONNECT TO hr IDENTIFIED BY oracle_1 USING 'p0orcl';
CREATE OR REPLACE PROCEDURE update_hr_salary
  (p_employee_id NUMBER, p_salary NUMBER)
IS
BEGIN
  UPDATE employees@hremp SET salary = p_salary
   WHERE employee_id = p_employee_id;
END;
/
GRANT EXECUTE ON update_hr_salary TO hr_clerk;
This query reports the user that is named in the CONNECT TO clause, and the host where the user
account exists.
Summary
Practice 6 Overview:
Using Basic Authentication Methods
Objectives
Certificates
Kerberos
Remote authentication dial-in service (RADIUS)
User Authentication
Strong authentication
Enterprise User Security
Proxy authentication
User Authentication
User authentication is a basic security requirement. The user's identity must be confirmed before
privileges and access rights are granted. Auditing of user actions on data is essential, and user
authentication is the first step toward a valid audit trail of those actions.
Authentication methods can be classified as:
Something you know (password)
Something you are (biometric)
Something you have (smart card)
Strong user authentication is a way of confirming the identity of the user with something other
than a password. Smart cards, biometrics, certificates, and Kerberos tokens provide strong user
authentication. Some of these methods are known as two-factor or multifactor authentication.
Two-factor authentication requires something that the user knows plus something that the user
has. Several of the strong authentication options use centralized authentication, which gives you
high confidence in the identity of users, clients, and servers in distributed environments. These
centralized servers may also include single sign-on.
Strong authentication:
Is stronger than password authentication
Often includes the single sign-on functionality
Is supported by the following authentication technologies:
Certificates, public key infrastructure (PKI)
RADIUS, token, and smart cards
Kerberos
Remote Authentication Dial-In User Service (RADIUS) is a flexible, lightweight protocol that
provides authentication, authorization, accounting, and centralized user information.
RADIUS provides two major benefits:
It enables support for authentication technologies, including token cards, smart cards, and
challenge-response.
It readily integrates into existing systems by making the Oracle database a RADIUS client,
thus capitalizing on the infrastructure and investment that organizations have already
made.
Supported RADIUS Services
With RADIUS, you can choose virtually any mechanism available to authenticate network users.
Many token and smart card manufacturers support RADIUS. Any RADIUS-compliant device
can integrate with Oracle Advanced Security to authenticate database users with little
modification required by the authentication provider. Because many organizations have
implemented RADIUS for remote access to their networks, the Oracle server easily integrates
into existing systems and takes advantage of the investments that an organization has already
made.
Kerberos Adapters
Kerberos is a trusted third-party authentication system that relies on shared secrets. It assumes
that the third party is secure. It provides the following:
Single sign-on capabilities
Centralized password storage
Database-link authentication
Enhanced PC security
Two adapters for the Kerberos authentication service are provided with Oracle Advanced
Security:
The Kerberos Authentication Adapter (essentially a Kerberos client) is supplied with Oracle
Advanced Security. The Kerberos server is obtained from third-party vendors; the
Massachusetts Institute of Technology Key Distribution Center (MIT KDC) is open source.
Microsoft provides a slightly different version of the KDC that works with Active Directory on
Windows servers. The Windows and UNIX versions of Kerberos are interoperable.
Entrust/PKI
Oracle Advanced Security supports the public key infrastructure provided by the Entrust/PKI
software from Entrust. Entrust-enabled Oracle Advanced Security enables Entrust users to
incorporate Entrust single sign-on into their Oracle applications, and it enables Oracle database
users to incorporate Entrust-based single sign-on into Oracle applications.
Single Sign-On
Single sign-on is a centralized authentication service.
The user has a single username and password.
Servers authenticate users through the central service.
Diagram: Client, Authentication server, Server
Single Sign-On
Confidence in the identity of users and hosts can be achieved by using a centralized, secure
authentication service rather than relying on hosts and users identifying themselves to one
another directly. Single sign-on is a centralized authentication service that allows users to access
multiple services with a single login. Network authentication services, such as certificates, also
can provide the benefit of single sign-on for users. Oracle Application Server Single Sign-On
requires the Oracle Advanced Security option.
When a central authentication service is not available, users generally respond to multiple
accounts in one of the following ways:
The users may set the same passwords on all machines (which results in a potentially large
exposure in the event of a compromised password).
The users may just write the passwords down or forget them, either of which severely
compromises password secrecy and service availability.
To avoid these behaviors, provide a single sign-on or a centralized authentication server so that
users can access multiple accounts and applications with a single password. The need for
multiple passwords for users is eliminated and management of user accounts and passwords is
simplified for system administrators.
Oracle wallet
Oracle Advanced Security
Oracle Identity Management Infrastructure
Management tools:
Oracle Wallet Manager
Certificates
Certificates:
Are digital documents
Provide proof of identity
Are stored in Oracle Wallets
Certificate authority:
Is a trusted organization (trust point)
Attests the identity of the certificate
Issues trusted X.509 v3 certificates
Certificate use:
Requires a secure sockets layer (SSL)
Requires a level of trust in the signing authority
Certificates
Certificates are digital documents that are used to provide proof of identity. For example,
a certificate from a bank's URL convinces bank customers that they have connected to the bank
and not to a spoofed site designed to collect their account numbers. When used in a PKI,
each certificate identifies its issuing certificate authority (CA). The CA asserts that the
certificate is valid.
The CA is also known as a trust point and is hierarchical. If George connects to a Web site that
presents a certificate signed by a CA that George does not recognize, he can check the signer of
the CA certificate and so on. The certificate contains identity credentials: name, public key,
expiration time, and a URL of a signing authority. Each signing authority provides a certificate
of another signing authority at a higher level. This chain of certificates repeats to a self-signed
root certificate provided by one of the root certificate authorities such as Verisign. This chain of
trust is the PKI.
For SSL sessions, certificates are exchanged, and the public keys are used to pass a shared key.
Then the much faster symmetric encryption algorithms are used for the session messages.
Certificates may be used between a client and a server without any centralized server. Note that
only the client and the server are involved in the authentication after the certificates have been
issued.
listener.ora
sqlnet.ora
SSL_ORCL =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCPS)
                 (HOST = edrsr24p1)
                 (PORT = 2484))
    )
    (CONNECT_DATA =
      (SERVICE_NAME = orcl.us.oracle.com)
    )
  )
The user that owns the client wallet may connect to the database as shown in the following example:
CONNECT /@SSL_ORCL;
Quiz
Answer: c, d
orapki Utility
orapki is a command-line utility for managing PKI elements, such as wallets and certificate
revocation lists. The orapki utility allows the DBA to script the management of PKI elements,
making it possible to automate many of the routine tasks of maintaining a PKI. This command-line utility can be used to perform the following tasks:
Creating and viewing signed certificates for testing purposes
Creating and displaying Oracle wallets:
- Adding and removing certificate requests
- Adding and removing certificates
- Adding and removing trusted certificates
- Managing certificate revocation lists (CRLs)
Managing Oracle wallets
Renaming CRLs with a hash value for certificate validation:
- Uploading, listing, viewing, and deleting CRLs in Oracle Internet Directory
Configuring Kerberos Authentication
1. Install Kerberos.
2. Configure a service principal for the Oracle Database
server.
3. Extract a service key table from Kerberos.
4. Install an Oracle Database server and a client.
5. Install Oracle components.
6. Configure Oracle Net Services and Oracle Database.
7. Configure Kerberos authentication.
8. Create a Kerberos user.
9. Create an externally authenticated Oracle user.
10. Get an initial ticket for the Kerberos and Oracle user.
kservice is a case-sensitive string. It may be the same as the database service name.
kinstance is typically the fully qualified name of the system on which the Oracle
database is running.
REALM is the domain name of the database server. REALM must always be in uppercase
and is typically the DNS domain name.
Example: orcl/testp1.us.acme.com@US.ACME.COM
SQLNET.AUTHENTICATION_SERVICES=(KERBEROS5)
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=kservice
8. Create a Kerberos user: To create Oracle users that Kerberos can authenticate,
perform this task on the Kerberos authentication server where the administration tools
are installed. The realm must already exist. On UNIX, run
/krb5/admin/kadmin.local as root to create a new Kerberos user, such as
krbuser:
# ./kadmin.local
kadmin.local: addprinc krbuser
Enter password for principal: "krbuser@SOMECO.COM":
(password does not display)
Re-enter password for principal: "krbuser@SOMECO.COM":
(password does not display)
kadmin.local: exit
10. Get an initial ticket for the Kerberos and Oracle user: In Kerberos authentication,
an initial ticket or ticket granting ticket (TGT) identifies the user as having the right to
ask for additional service tickets. No tickets can be obtained without an initial ticket.
An initial ticket is retrieved by running the okinit program and providing a
password. Before you can connect to the database, you must ask the Key Distribution
Center (KDC) for an initial ticket. To do so, run the following on the client:
$ okinit username
At this point, the krbuser user can connect to any database with a kservice name
and krbuser defined with the string:
$ sqlplus /@orcl
Diagram: secure external password store. User RAMA issues CONNECT /@DEV; the wallet holds the credentials vkrama/?????@DEV for the DEV database and ramav/????@prod_db.acme.com for the PROD database.
$ mkstore -wrl $ORACLE_BASE/admin/wallet -create
Enter password: <wallet_password>
Enter password again: <wallet_password>
In mkstore -wrl <wallet_location> -create, <wallet_location> is the path to the directory where
you want to create and store the wallet (here $ORACLE_BASE/admin/wallet). This command creates
an Oracle wallet with the auto login feature enabled at the location you specify. When auto login
is enabled for a wallet, only the operating system user who created it can manage it.
Configuring sqlnet.ora
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /home/rama/admin/orcl/wallet)))
SQLNET.WALLET_OVERRIDE = TRUE
The sqlnet.ora file has three parameters for configuring the secure external password store:
WALLET_LOCATION, SQLNET.WALLET_OVERRIDE, and SQLNET.AUTHENTICATION_SERVICES.
WALLET_LOCATION points to the directory where the wallet resides; this parameter also exists in
earlier versions.
Set the SQLNET.WALLET_OVERRIDE parameter to TRUE. This setting causes all CONNECT
/@db_connect_string statements to use the information in the wallet at the specified
location to authenticate to databases.
If an application uses SSL for encryption, the sqlnet.ora parameter,
SQLNET.AUTHENTICATION_SERVICES, specifies SSL and an SSL wallet is created. If this
application wants to use secret store credentials to authenticate to databases (instead of the SSL
certificate), those credentials must be stored in the SSL wallet. If
SQLNET.WALLET_OVERRIDE = TRUE, the usernames and passwords from the wallet are
used to authenticate to databases. If SQLNET.WALLET_OVERRIDE = FALSE, the SSL
certificate is used.
For more information, refer to Oracle Database Net Services Reference 11g.
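The following POSIX shell script is an added example, not from the course: it parses a sqlnet.ora for the WALLET_LOCATION directory and the SQLNET.WALLET_OVERRIDE setting described above, reports whether CONNECT /@alias will use the wallet, and checks that the wallet directory is not readable by other OS users. The two sqlnet.ora files it writes are constructed samples; the first mirrors the settings shown on this page.

```sh
#!/bin/sh
# Added example (not part of the course): check a sqlnet.ora for the secure
# external password store settings (WALLET_LOCATION, SQLNET.WALLET_OVERRIDE)
# and check that the wallet directory is private to its owner.
# The sample files written below are constructed for this example.

# Print the DIRECTORY value from the WALLET_LOCATION block of sqlnet.ora $1.
# The block usually spans several lines, so the file is joined first.
wallet_directory() {
    tr '\n\r\t' '   ' < "$1" | tr -s ' ' |
        sed -n 's/.*WALLET_LOCATION *= *(.*(DIRECTORY *= *\([^) ]*\)).*/\1/p'
}

# Print the SQLNET.WALLET_OVERRIDE setting in uppercase; FALSE when unset.
wallet_override() {
    v=$(sed -n 's/^[[:space:]]*SQLNET\.WALLET_OVERRIDE[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1)
    if [ -n "$v" ]; then
        printf '%s\n' "$v" | tr '[:lower:]' '[:upper:]'
    else
        echo FALSE
    fi
}

# Succeed only if CONNECT /@alias will actually use wallet credentials:
# a DIRECTORY must be configured and WALLET_OVERRIDE must be TRUE.
check_sqlnet() {
    dir=$(wallet_directory "$1")
    ovr=$(wallet_override "$1")
    if [ -z "$dir" ]; then
        echo "FAIL ($1): no DIRECTORY in WALLET_LOCATION"
        return 1
    fi
    if [ "$ovr" != TRUE ]; then
        echo "FAIL ($1): SQLNET.WALLET_OVERRIDE=$ovr, wallet passwords will not be used"
        return 1
    fi
    echo "OK ($1): credentials in $dir are used for CONNECT /@alias"
}

# An auto-login wallet opens without a password, so the directory's mode is
# what protects the stored database passwords: refuse group/other access.
check_wallet_perms() {
    perms=$(ls -ld "$1" | cut -c5-10)     # group and other permission bits
    case "$perms" in
        ------) echo "OK: $1 is private to its owner" ;;
        *)      echo "WARN: $1 is accessible to group/other ($perms)"; return 1 ;;
    esac
}

# Write two constructed sqlnet.ora files (one correct, one with the override
# left FALSE) into a temporary directory and print its path.
make_samples() {
    d=$(mktemp -d)
    cat > "$d/good.ora" <<'EOF'
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY =
        /home/rama/admin/orcl/wallet)))
SQLNET.WALLET_OVERRIDE = TRUE
EOF
    cat > "$d/bad.ora" <<'EOF'
WALLET_LOCATION =
  (SOURCE = (METHOD = FILE)
    (METHOD_DATA = (DIRECTORY = /home/rama/admin/orcl/wallet)))
SQLNET.WALLET_OVERRIDE = FALSE
EOF
    printf '%s\n' "$d"
}

samples=$(make_samples)
for f in good bad; do
    check_sqlnet "$samples/$f.ora" || :
done
rm -rf "$samples"
```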
To add database login credentials to an existing client wallet, enter the following command:
mkstore -wrl <wallet_location> \
-createCredential <db_alias> <username> <password>
You can store multiple credentials in one client wallet. For example, if a client batch job
connects to hr_database and a script connects to sales_database, you can store the
login credentials in the same client wallet. Each set of credentials requires a separate
<db_alias>.
If usernames or passwords change, you can modify the database login credentials that are stored
in the wallet. To modify database login credentials, enter the following command:
mkstore -wrl <wallet_location> \
-modifyCredential <db_alias> <username> <password>
Summary
Certificates
Kerberos
RADIUS
Practice 7 Overview:
Configuring the External Secure Password Store
Objectives
This lesson describes the basic components of Enterprise User Security. It shows the architecture
of this feature and describes the installation process. The components required to create and
manage an enterprise user are discussed. In addition, the lesson explains the techniques for using
the enterprise user in the context of the database server and integrating the enterprise user with
familiar security policies and auditing.
Objectives
User Authentication
Strong authentication
Enterprise User Security
Proxy authentication
User Authentication
A basic security requirement is that you must know your users. You must identify them before
you can determine their privileges and access rights, so that you can audit their actions on the
data. In this lesson, you create and audit enterprise users authenticated through Oracle Internet
Directory.
Diagram: Identity Management Infrastructure (SSO, DAS, OCA, and the Oracle Internet Directory Server) connected to the Database.
Diagram: Client, Oracle DB, OID, OracleAS Metadata Repository, and sso.mydomain.com.
Initial configuration may be more difficult because public key infrastructure (PKI)
credentials must be generated for all users. (The degree of difficulty depends on the
administrators' PKI knowledge.)
Kerberos authentication:
Provides strong authentication by using Kerberos (version 5) tickets
Supports single sign-on by using Kerberos (version 5) encrypted tickets and
authenticators, and authentication forwarding
Supports Oracle Database 10g (and later) clients with Oracle Database 10g and later
Initial configuration may be more difficult because Kerberos must be installed and
configured to authenticate database users.
Diagram: directory tree dc=com > dc=oracle > dc=us, containing cn=users, cn=groups, cn=oracle context, and cn=orcladmin.
Quiz
Answer: b
The real user is shown by checking the EXTERNAL_NAME attribute of the USERENV context:
SQL> select sys_context ('userenv' , 'external_name') from dual;
SYS_CONTEXT('USERENV','EXTERNAL_NAME')
--------------------------------------------------
cn=Scott Taylor,cn=Users,dc=us,dc=oracle,dc=com
Diagram: the client sends a username and password to an Oracle DB; the Oracle DB verifies the user against OID (with OIM and the Metadata Repository) over SSL and applies roles; a current user database link connects to a second Oracle DB.
Copyright 2010, Oracle and/or its affiliates. All rights reserved.
External users
Local users
A supplied list of users
In a two-phase process:
Phase 1 populates a table in the database with user
information. The DBA is allowed to modify the table data as
required.
Phase 2 updates the directory and the database.
umu HELP=YES
For more information about the user migration utility, see the Oracle Database Enterprise
User Administrator's Guide.
Audit trail columns that identify the enterprise user, by schema type:
                      Exclusive schema   Shared schema
Standard audit        USERNAME           USERNAME, GLOBAL_UID
Fine-grained audit    DB_USER            DB_USER, GLOBAL_UID
Enterprise-User Auditing
If auditing is turned on, the Oracle Database server captures the identity of enterprise users in its
audit trails. OID can store additional attributes for each user to help identify both authorized and
unauthorized users.
When an enterprise user has his or her own schema (an exclusive schema) in the database, the
database username represents the enterprise user. The enterprise user has a one-to-one mapping
to the database user or schema. When enterprise users access exclusive schemas:
In standard auditing: The USERNAME column shows the user identity in the database,
and the GLOBAL_UID column shows the same user's global identity
In fine-grained auditing: The DB_USER column shows the user identity in the database,
and the GLOBAL_UID column shows the same user's global identity
When enterprise users map to a shared schema in the database, the audit trails capture both the
username of the shared schema user and the identity of the actual user managed in the directory.
When enterprise users access shared schemas:
In standard auditing: The USERNAME column shows the shared schema, and the
GLOBAL_UID column shows the identity of the enterprise user
In fine-grained auditing: The DB_USER column shows the shared schema, and the
GLOBAL_UID column shows the identity of the enterprise user
Summary
Practice 8 Overview:
Implementing Enterprise User Security
Objectives
User Authentication
Strong authentication
Enterprise User Security
Proxy authentication
User Authentication
A basic security requirement is that you must know your users. You must identify them before you
can determine their privileges and access rights, and so that you can audit their actions on the data.
Knowing the end user allows you to specify users who are allowed to connect through a middle-tier
server. In many cases, the middle-tier server authenticates and assumes the identity of the user and is
allowed to enable specific roles for the user. This is called proxy authentication.
Note: The term application or application server is used in the rest of this lesson to refer to a
generic application program or application server that may be a custom application or a third-party
application. It is not an Oracle Application Server.
Security Challenges of Three-Tier Computing
Diagram: User, Application server, Database
[Diagram: User, Application server, Database, and an Abuser; the challenges labelled are Authentication, Data access control, and Auditing]
[Diagram: User, Application server, Database]
Common Implementations of Authentication
Single authentication
Copyright 2010, Oracle and/or its affiliates. All rights reserved.
User Reauthentication
To meet the requirements of database-level security, every user must be identified to the database:
the application server, end users, and proxy users must be identified. Reauthentication occurs when a
user is identified to the middle tier and then is identified again to the database.
Types of Authentication
In client/server systems, authentication tends to be straightforward; the client authenticates to the
server. In three-tier systems, authentication is more difficult because there are several potential types
of authentication:
Middle tier-to-database authentication
End user-to-middle tier authentication
End-user reauthentication through the middle tier to the database
Middle Tier-to-Database Authentication
Because the middle tier usually initiates a connection to a database to retrieve data, whether on its
own behalf or on behalf of the user, this connection clearly must be authenticated. In fact, the Oracle
database does not allow unauthenticated connections. Middle tier-to-database authentication can also
be mutual if you are using a protocol that supports this, such as secure sockets layer (SSL).
If you are using connection pooling, the application server authenticates to the database when it
builds the pool during startup, before there are any end users.
User Reauthentication
Answer: b, c, d
Quiz
The user can connect as PHALL by using the already authenticated credentials of the middle-tier
user APPSVR. This method assumes that the middle tier is trusted to perform the authentication. The
created session behaves as if PHALL had connected directly; PHALL does not have to divulge
his password to the middle tier. The proxy session accesses the schema of PHALL. This method is
sometimes appropriate for application servers in a trusted region.
The Oracle instance expects the proxy to authenticate the user unless you specify the
AUTHENTICATION REQUIRED clause. The AUTHENTICATION REQUIRED clause is relevant
only as part of a GRANT CONNECT THROUGH PROXY clause. In this method, the middle tier is
not assumed to be trusted and might not perform any authentication of its own. The user
authenticates to the database by providing the database password, which the middle tier passes
through to the database. This method is appropriate for application servers that are outside a
trusted region (for example, outside the firewall).
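The two proxy configurations just described, as an added example that is not part of the course text; it assumes that the users APPSVR and PHALL and a role HR_APP_ROLE already exist and that AUDIT_TRAIL is set to DB. The CONNECT line is SQL*Plus syntax for the trusted variant; with AUTHENTICATION REQUIRED the application must pass PHALL's password through OCI or JDBC, so SQL*Plus cannot open that session.

```sql
-- Trusted middle tier: APPSVR opens a session as PHALL with APPSVR's own
-- credentials. PHALL's password is never given to the middle tier, and only
-- HR_APP_ROLE can be activated in the proxied session.
ALTER USER phall GRANT CONNECT THROUGH appsvr WITH ROLE hr_app_role;

-- Untrusted middle tier (alternative for the same proxy/client pair): the
-- database itself verifies PHALL's password, which the application passes
-- through. Only possible from OCI/JDBC, not from the SQL*Plus CONNECT below.
ALTER USER phall GRANT CONNECT THROUGH appsvr
  WITH ROLE hr_app_role AUTHENTICATION REQUIRED;

-- Check what is configured: AUTHENTICATION is YES only for the second form.
SELECT proxy, client, authentication, authorization_constraint
  FROM proxy_users
 WHERE client = 'PHALL';

-- Record logons by PHALL so proxied sessions can be traced afterwards.
AUDIT SESSION BY phall;

-- Trusted variant, from SQL*Plus: appsvr_pwd is APPSVR's password (constructed).
CONNECT appsvr[phall]/appsvr_pwd

-- Inside the proxied session the database user is PHALL, the proxy is APPSVR,
-- and SESSION_ROLES lists only HR_APP_ROLE; PHALL's other roles stay disabled.
SELECT sys_context('userenv', 'proxy_user')     AS proxy_user,
       sys_context('userenv', 'session_user')   AS session_user,
       sys_context('userenv', 'current_schema') AS current_schema
  FROM dual;
SELECT role FROM session_roles;

-- As the DBA afterwards: each proxied logon carries the proxy's session id, so
-- PHALL's actions stay attributable to the APPSVR connection that made them.
SELECT username, proxy_sessionid, action_name, timestamp
  FROM dba_audit_trail
 WHERE username = 'PHALL'
 ORDER BY timestamp;

-- Remove the proxy permission when the middle tier is decommissioned.
ALTER USER phall REVOKE CONNECT THROUGH appsvr;
```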
The distinguished name is a global name in lieu of the password of the user being proxied for. For
example, the distinguished name can be the following:
CN=phall,OU=americas,O=oracle,L=redwoodshores,ST=ca,C=us
The distinguished name is provided by the application server when the application server connects
for the user. The distinguished name may initially be provided by the user to the application server or
the application server may retrieve the distinguished name from an LDAP directory.
In both the DISTINGUISHED NAME and CERTIFICATE cases, the proxy has already
authenticated and is acting on behalf of a global database user.
To pass over the entire certificate, the middle tier would use the following pseudo interfaces:
OCIAttrSet ( OCISession *session_handle,
             OCI_HTYPE_SESSION,
             ub1 *certificate,
             ub4 certificate_length,
             OCI_ATTR_CERTIFICATE,
             OCIError *error_handle );
If the type is not specified, the server uses its default certificate type of X.509.
Authenticating with a Specific Certificate Type
You can also indicate the type of certificate used to authenticate the user, using the following
command:
ALTER USER phall
  GRANT CONNECT THROUGH APPSVR
  AUTHENTICATED USING CERTIFICATE
  TYPE 'X.509' VERSION '3';
TYPE is the type of certificate to be presented. If you do not specify the type, the default is
X.509.
VERSION is the version of the certificate that is to be presented. If you do not specify the
version, the default is 3.
Note: The AUTHENTICATED USING CERTIFICATE clause is discouraged, and may not be
supported in future versions.
OCIAttrSet ( OCISession *session_handle,
             OCI_HTYPE_SESSION,
             lxstp *distinguished_name,
             (ub4) 0,
             OCI_ATTR_DISTINGUISHED_NAME,
             OCIError *error_handle );
CONNECT APPSVR[PHALL]/appsvr_pwd
CONNECT george[APPSVR]/george_pwd
[Diagram labels: george[APPSVR], APPSVR, george]
[Diagram: users Rajeev and Jim connecting to PARTS_DB]
CONNECT RAJEEV[PARTS_GUEST]/pwd
CONNECT JIM[PARTS_GUEST]/pwd
Only local database schemas may be granted CONNECT THROUGH ENTERPRISE USERS. Only
users designated as such may be added as a database target user to a proxy permission in the
directory.
CONNECT JIM[PARTS_GUEST]/pwd@parts_db
The PARTS_DB database server contacts the directory to authenticate the enterprise users. The
roles are assigned based on the roles assigned to the target database user, PARTS_GUEST.
When JIM or RAJEEV want to create a session, the application issues an OCI call equivalent to
the following SQL command:
Application-User Model
Use OCI, thin JDBC, or thick JDBC.
End-user identity is set by the middle tier.
The authentication process is as follows:
1. The middle tier authenticates to the database.
2. The end user authenticates to the middle tier.
3. The middle tier allocates a session to the user, identifying the
user with CLIENT_IDENTIFIER.
4. Optionally, the middle tier can enable roles to restrict the
privileges of the user.
Examples:
Certificate
Application username and password
Application-User Model
Many applications use session pooling to set up a number of sessions to be reused by multiple users.
In this context, the end users who are not known to the database are authenticated to the middle tier
of an application. The Oracle Database supports an application-user proxy for these types of
applications.
In this model, the middle tier passes a client identifier to the database upon session establishment.
(The client identifier can actually be anything that represents an end user connecting to the middle
tier, for example, the end-user ID or an IP address.) The client identifier, representing the end user,
is available in user-session information and can also be accessed via an application context (via the
USERENV naming context). In this way, applications can set up and reuse sessions while still being
able to keep track of the end user in the session.
Applications can reset the client identifier and, thus, reuse the session for a different user, enabling
high performance. For OCI-based connections, the call to change CLIENT_IDENTIFIER is
combined with other OCI calls to further enhance performance. An application-user proxy is
available in thin JDBC, thick JDBC, and OCI, and provides the benefits of connection pooling
without the overhead of separate user sessions (even lightweight ones).
Note: V$SESSION.CLIENT_IDENTIFIER and
V$SESSION_CONNECT_INFO.AUTHENTICATION_TYPE can provide additional information
about the end user's identity and authentication, for auditing purposes.
The full authentication sequence from the client to the middle tier to the database occurs as
follows:
1. During startup, the middle tier authenticates itself to the database server and creates a
connection pool. The method of authenticating to the database can be a password or an
authentication mechanism supported by Oracle Advanced Security, such as a Kerberos
ticket or an X.509 certificate (SSL).
2. The end user authenticates to the middle tier, using whatever form of authentication that
the middle tier accepts. Two examples are:
- The user can authenticate to the middle tier by using an X.509 certificate by means of
SSL.
- The user can authenticate to the middle tier by using a username and password stored
in the application.
3. The middle tier uses an available connection from its connection pool to create a session
for the end user, and uses JDBC or OCI calls to pass the end-user identifier to the database.
4. Depending on the information stored in the application, the middle tier can also set roles
for the end user. For example, if the application has multiple roles, you can do the
following:
a. Create database roles that match the application roles.
b. Assign appropriate privileges to the database roles.
c. Assign these roles to the application-server user, but disable the roles.
d. When the user starts a session, the application server enables the appropriate roles,
depending on the roles assigned to the user in the application. These roles may be
secure application roles, which may be enabled only through a secure package.
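The four steps above written out as an added example (not the course's own code): the pooled application user APPSVR holds the roles APP_CLERK and APP_MANAGER (both constructed), and the middle tier tags each hand-over of a pooled connection with the end user's identifier so that audit records carry it. It assumes HR.EMPLOYEES exists and AUDIT_TRAIL is set to DB.

```sql
-- Steps 4a and 4b: one database role per application role, each holding only
-- the privileges that application role needs.
CREATE ROLE app_clerk;
CREATE ROLE app_manager;
GRANT SELECT, UPDATE ON hr.employees TO app_clerk;
GRANT INSERT, DELETE ON hr.employees TO app_manager;

-- Step 4c: grant both to the application-server user but keep them disabled
-- at logon, so a pooled connection starts with no application privileges.
GRANT app_clerk, app_manager TO appsvr;
ALTER USER appsvr DEFAULT ROLE NONE;

-- Audit changes to the table; the CLIENT_ID column of the trail will hold the
-- end user that the middle tier tagged the session with.
AUDIT UPDATE, DELETE ON hr.employees BY ACCESS;

-- Steps 3 and 4d: run by the middle tier on a pooled connection (already
-- authenticated as APPSVR) when it assigns that connection to end user PHALL,
-- who authenticated to the application and is mapped there to APP_CLERK.
BEGIN
  dbms_session.set_identifier('phall');   -- constructed end-user identifier
  dbms_session.set_role('app_clerk');     -- enables this role, disables others
END;
/

-- While the connection is assigned: the database user is still APPSVR, but
-- the session carries the end-user identifier.
SELECT sys_context('userenv', 'session_user')      AS db_user,
       sys_context('userenv', 'client_identifier') AS end_user
  FROM dual;

UPDATE hr.employees SET phone_number = '515.123.4567' WHERE employee_id = 100;
COMMIT;

-- Before returning the connection to the pool: clear the identifier and drop
-- the roles, so the next end user inherits neither.
BEGIN
  dbms_session.clear_identifier;
  dbms_session.set_role('NONE');
END;
/

-- DBA check: the audit trail attributes the UPDATE to PHALL through CLIENT_ID
-- even though every pooled session logged in as APPSVR.
SELECT username, client_id, action_name, obj_name, timestamp
  FROM dba_audit_trail
 WHERE username = 'APPSVR' AND obj_name = 'EMPLOYEES'
 ORDER BY timestamp;
```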
CLIENT   AUTH  AUTHORIZATION_CONSTRAINT
-------  ----  --------------------------------
PHALL    NO    PROXY MAY ACTIVATE ROLE
PHALL    NO    NO CLIENT ROLES MAY BE ACTIVATED
HRUSER   PFAY  YES   (third row as extracted; its column alignment was lost)
Summary
Practice 9 Overview: Implementing Proxy Authentication
Objectives
Authorization
Authorization is the process that determines the privileges that the user is allowed to exercise. In
Oracle Database, authorization is determined by the administration of system and object
privileges. A role is a named set of privileges and may be used to grant the privileges as a unit.
Authorization
Privileges
A privilege is a right to execute a particular type of SQL statement or to access another user's
object. Oracle Database allows very fine-grained control over what users can or cannot do within
the database. Privileges are divided into two categories:
System privileges: Each system privilege allows a user to perform a particular database
operation or class of database operations (for example, the privilege to create tablespaces is
a system privilege). System privileges can be granted by the administrator or by someone
who is explicitly given permission to administer the privilege. There are over 150 distinct
system privileges.
Object privileges: Object privileges allow a user to perform a particular action on a
specific object, such as a table, view, sequence, procedure, function, or package. Without
specific permission, users can access only their own objects. Object privileges can be
granted by the owner of an object, by the administrator, by someone with the GRANT ANY
PRIVILEGE privilege, or by someone who has been explicitly given permission to grant
privileges on the object.
Privileges
Roles
[Diagram: Users, Roles, Privileges. Girard is granted HR_MGR and Vance is granted HR_CLERK; the privileges on EMPLOYEES are Delete, Select, Update, and Insert]
Roles
In most systems, it is too time consuming to grant necessary privileges to each user individually,
and there is too great a chance of error. Oracle Database provides for easy and controlled
privilege management through roles. Roles are named groups of related privileges that are
granted to users or to other roles. They are designed to ease the administration of privileges in
the database and, therefore, improve security.
Role Characteristics
Privileges are granted to and revoked from roles in the same manner as a user.
Roles can be granted to and revoked from users or other roles as though they were system
privileges. An exception is that you cannot grant an IDENTIFIED GLOBALLY role to
anything.
A role can consist of both system and object privileges.
A role can be enabled or disabled for each user who is granted the role.
A role can require a password for the role to be enabled (IDENTIFIED BY password).
A role can be authorized by using an external source (IDENTIFIED EXTERNALLY).
Roles are not owned by anyone, and they are not in any schema.
In the example in the slide, the HR_CLERK role is granted the SELECT and UPDATE privileges
on the EMPLOYEES table. The HR_MGR role is granted the DELETE and INSERT privileges on
the EMPLOYEES table and granted the HR_CLERK role. The manager is granted the HR_MGR
role and can now select, delete, insert, and update rows in the EMPLOYEES table.
Benefits of Roles
Easier Privilege Management
Use roles to simplify privilege management. Rather than granting the same set of privileges to
several users, you can grant the privileges to a role, and then grant that role to each user.
Dynamic Privilege Management
If the privileges associated with a role are modified, all the users who are granted the role
acquire the modified privileges automatically and immediately.
Selective Availability of Privileges
Roles can be enabled and disabled to turn privileges on and off temporarily. Enabling a role can
also be used to verify that a user has been granted that role.
Granting Through the Operating System
Operating system commands or utilities can be used to assign roles to users in the database, in
some operating systems.
Note: Roles are disabled in PL/SQL subprograms. The owner of a PL/SQL subprogram declared
with definer's rights must have the privileges required for the subprogram granted directly and
not through a role. For a subprogram with invoker's rights, roles are enabled unless the
subprogram is invoked directly or indirectly from a definer's rights subprogram.
[Slide: predefined roles CONNECT (CREATE SESSION), RESOURCE, SCHEDULER_ADMIN, DBA]
Predefined Roles
There are several roles that are defined automatically for Oracle databases when you execute
database creation scripts. CONNECT is granted automatically to any user who is created with
Oracle Enterprise Manager. The DBA role includes nearly all privileges and should not be
granted to nonadministrators.
Functional Roles
Other roles that authorize you to administer special functions are created when that functionality
is installed. For example, XDBADMIN contains the privileges that are required to administer the
XML database if that feature is installed. AQ_ADMINISTRATOR_ROLE provides privileges to
administer Advanced Queuing. HS_ADMIN_ROLE includes the privileges needed to administer
heterogeneous services. You must not alter the privileges granted to these functional roles
without the assistance of Oracle Support because you may inadvertently disable the needed
functionality.
Predefined Roles
If the user does not require any privileges in a specific application, the proxy user can be
prevented from activating any roles that may be granted to the user for use in other applications,
as shown in this example:
ALTER USER phall
GRANT CONNECT THROUGH appsrv
WITH NO ROLES;
Answer: c, d
Quiz
[Diagram: in OID, the enterprise roles PRACTICE_MGR and PROGRAMMER map to the global roles MANAGER, USER, EMPLOYEE, DEVELOPER, and PARTICIPANT in the databases HRDB, BUGDB, and PROJDB]
Sometimes, a secure package may need to access a table to retrieve all the roles that may be
enabled. This table must be accessed by a definer's rights procedure called from the secure
procedure that sets the role. Create a definer's rights package to return a list of roles from the
table (via an open cursor) to the invoker's rights procedure. Then, fetch from the cursor the list
of roles to be enabled.
...
SELECT id INTO v_id
  FROM oe.app_roles
 WHERE username = sys_context('userenv', 'current_user')
   AND role = 'SALES_REP'
   AND ip_address = sys_context('userenv', 'ip_address');
dbms_session.set_role('oe_sales_rep');
...
GRANT execute
ON oe_roles
TO appsrv;
sec.oe_roles.set_sales_rep_role;
Step 4: Write the Application Server Code That Sets the Role
To set the role for a user, the application server calls a procedure in the package referenced in
the CREATE ROLE command. The procedure is called after the application server establishes a
session for the user.
Note: Do not grant the secure role to the user as a default role. If the role is granted to the user, it
is enabled at login if the default role is set to all. If there are roles that should be enabled for
users at login, the following command disables the secure role:
ALTER USER phall DEFAULT ROLE ALL EXCEPT oe_sales_rep;
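Steps 1 through 4 written out end to end as an added example (not the course's own code), including the definer's rights helper described earlier that hands the user's roles back through an open cursor. It assumes that schema SEC owns the security packages, that OE.APP_ROLES has the columns USERNAME, ROLE, and IP_ADDRESS, that OE.ORDERS is the sample-schema table, and that the role is enabled in PHALL's own session, so PHALL (rather than the application server) holds EXECUTE on the packages.

```sql
-- Step 1: the role can be enabled only through SEC.OE_ROLES. A plain
-- SET ROLE oe_sales_rep from a client fails with ORA-28201.
CREATE ROLE oe_sales_rep IDENTIFIED USING sec.oe_roles;
GRANT SELECT, INSERT, UPDATE ON oe.orders TO oe_sales_rep;
GRANT oe_sales_rep TO phall;
ALTER USER phall DEFAULT ROLE ALL EXCEPT oe_sales_rep;   -- not enabled at logon

-- Step 2: definer's rights lookup. Only SEC needs SELECT on OE.APP_ROLES;
-- callers receive an open cursor and never read the table directly.
CREATE OR REPLACE PACKAGE sec.oe_role_lookup AUTHID DEFINER AS
  FUNCTION roles_for(p_user IN VARCHAR2, p_ip IN VARCHAR2) RETURN SYS_REFCURSOR;
END oe_role_lookup;
/
CREATE OR REPLACE PACKAGE BODY sec.oe_role_lookup AS
  FUNCTION roles_for(p_user IN VARCHAR2, p_ip IN VARCHAR2) RETURN SYS_REFCURSOR IS
    c SYS_REFCURSOR;
  BEGIN
    OPEN c FOR
      SELECT role
        FROM oe.app_roles
       WHERE username = p_user AND ip_address = p_ip;
    RETURN c;
  END roles_for;
END oe_role_lookup;
/

-- Step 3: invoker's rights package named in CREATE ROLE. The user and client
-- address come from USERENV, not from parameters a client could forge, and the
-- role is enabled only when the lookup returns it.
CREATE OR REPLACE PACKAGE sec.oe_roles AUTHID CURRENT_USER AS
  PROCEDURE set_sales_rep_role;
END oe_roles;
/
CREATE OR REPLACE PACKAGE BODY sec.oe_roles AS
  PROCEDURE set_sales_rep_role IS
    c      SYS_REFCURSOR;
    v_role VARCHAR2(30);
  BEGIN
    c := sec.oe_role_lookup.roles_for(
           sys_context('userenv', 'current_user'),
           sys_context('userenv', 'ip_address'));
    LOOP
      FETCH c INTO v_role;
      EXIT WHEN c%NOTFOUND;
      IF v_role = 'SALES_REP' THEN
        dbms_session.set_role('oe_sales_rep');
      END IF;
    END LOOP;
    CLOSE c;
  END set_sales_rep_role;
END oe_roles;
/
GRANT EXECUTE ON sec.oe_roles       TO phall;
GRANT EXECUTE ON sec.oe_role_lookup TO phall;

-- Step 4: issued by the application server after it has established PHALL's
-- session. SESSION_ROLES then lists OE_SALES_REP only if the (PHALL, client IP)
-- pair is registered in OE.APP_ROLES with role SALES_REP.
BEGIN
  sec.oe_roles.set_sales_rep_role;
END;
/
SELECT role FROM session_roles;
```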
SQL> SELECT *
  2  FROM dba_application_roles
  3  WHERE ROLE = 'OE_SALES_REP';

ROLE          SCHEMA  PACKAGE
------------- ------- --------
OE_SALES_REP  SEC     OE_ROLES

SQL>
Summary
Practice 10 Overview: Implementing the Secure Application Role
Objectives
An application context:
Is read by applications
Can be used to:
Authorize users
Limit access to data, called by a fine-grained access control policy
Set attributes used in the application
Note that with an externally initialized application context, the middle-tier server can
actually initialize context values on behalf of database users. Context attributes are
propagated for the remote session at initiation time, and the remote database accepts the
values if the namespace is externally initialized.
Global Application Contexts
Many organizations centralize user information and user management in a Lightweight
Directory Access Protocol (LDAP)-based directory, such as Oracle Internet Directory
(OID). Application context attribute values can be stored in OID. This type of context is
created in the database as shown in the following example:
CREATE CONTEXT hrgapp USING hr_g_context INITIALIZED GLOBALLY;
When an enterprise user connects to the database, the attributes defined in the global context
of that user's OID entry are placed in the named application context. The global context
named in the preceding example is HRGAPP. The attributes that are available depend
on the attributes defined in the LDAP directory. The SYS_CONTEXT function can be used
to access the attributes of the context as shown in the following example:
SYS_CONTEXT('HRGAPP','Title')
The HRGAPP context and the TITLE attribute must be added to the user's OID entry in the
OracleDBAppContext object. For more details, see the Oracle Database Security
Guide.
If an LDAP inetOrgPerson object entry exists for the user, the connection also retrieves
all the attributes from inetOrgPerson and assigns them to the
SYS_LDAP_USER_DEFAULT namespace as shown in the following example:
SYS_CONTEXT('SYS_LDAP_USER_DEFAULT','telephoneNumber')
Answer: a
Quiz
[Diagram, steps 1 to 4: a PL/SQL package sets the Application context, which a PL/SQL program reads]
HR_CONTEXT is the trusted package that can set attributes in the context namespace.
In the example code, the package and security objects are created by a user specifically defined
to own the security package and objects.
After you have created the context, you can set or reset the context attributes by using the
DBMS_SESSION.SET_CONTEXT package. The values of the attributes that you set
remain either until you reset them or until the user ends the session.
You can set the context attributes only in two locations:
Inside a procedure of the trusted package that you have named in the CREATE
CONTEXT statement
Inside the function named in the policy, which is discussed in the lesson titled
Implementing Virtual Private Database
This prevents a malicious user from changing context attributes without proper attribute
validation.
Enterprise Manager
Administration of application contexts is integrated in Enterprise Manager with a graphical
user interface for managing application contexts, fine-grained access control policies, and
Oracle Label Security policies. You can use Enterprise Manager to create a context and
associate it with a PL/SQL package.
dbms_session.set_context('hrapp', 'emp_id', v_emp_id);
sys_context('userenv', 'session_user');
The example shows a logon trigger that affects only a single user or schema. If all application
users are connecting as PHALL, this is an effective method of setting the context. If all users are
connecting with their own usernames, the following alternative logon trigger can be used:
CREATE OR REPLACE TRIGGER hr_context_logon
AFTER LOGON ON DATABASE
BEGIN
hr_context.set_emp_id();
END;
/
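The complete trusted package behind the HRAPP context, as an added example that is not the course's code: SEC owns the context and the package, the attribute is derived from the session user rather than from a caller-supplied value, and a direct DBMS_SESSION.SET_CONTEXT call from outside the package is rejected. It assumes HR.EMPLOYEES.EMAIL equals the database username and that the creating user holds CREATE ANY CONTEXT and ADMINISTER DATABASE TRIGGER.

```sql
-- Only SEC.HR_CONTEXT may write attributes into the HRAPP namespace.
CREATE CONTEXT hrapp USING sec.hr_context;

CREATE OR REPLACE PACKAGE sec.hr_context AS
  PROCEDURE set_emp_id;
END hr_context;
/
CREATE OR REPLACE PACKAGE BODY sec.hr_context AS
  PROCEDURE set_emp_id IS
    v_emp_id hr.employees.employee_id%TYPE;
  BEGIN
    -- Look the user up by the authenticated session user. The procedure takes
    -- no parameters, so nothing the caller supplies reaches the context.
    SELECT employee_id INTO v_emp_id
      FROM hr.employees
     WHERE email = sys_context('userenv', 'session_user');
    dbms_session.set_context('hrapp', 'emp_id', v_emp_id);
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      -- Unknown user: leave EMP_ID unset, so SYS_CONTEXT returns NULL and a
      -- predicate such as employee_id = SYS_CONTEXT('hrapp','emp_id') matches
      -- no rows. Raising here would make the logon trigger below reject logons.
      NULL;
  END set_emp_id;
END hr_context;
/

-- Set the attribute once per session, for every user, at logon.
CREATE OR REPLACE TRIGGER sec.hr_context_logon
  AFTER LOGON ON DATABASE
BEGIN
  sec.hr_context.set_emp_id;
END;
/

-- Read by the application or by a VPD policy function:
SELECT first_name, last_name, salary
  FROM hr.employees
 WHERE employee_id = sys_context('hrapp', 'emp_id');

-- Setting the attribute outside the trusted package fails with ORA-01031
-- (insufficient privileges), even though DBMS_SESSION itself is executable
-- by PUBLIC.
BEGIN
  dbms_session.set_context('hrapp', 'emp_id', '100');
END;
/
```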
Example in SELECT:
sys_context('hrapp', 'emp_id')
[Diagram: PL/SQL program A in User Database Session 1 and PL/SQL program B in User Database Session 2]
The middle tier sets the application context for each session. The context accessed globally
allows the middle tier to store the various application context definitions in a central place in the
SGA and apply the context to a user session at session-creation time. This then becomes that
session's driving context. This also reduces the setup time of the user session when the
application is using connection pooling.
Limitation: A context accessed globally cannot be initialized from OID or an external source.
So any context accessed globally must be a local context accessed globally.
To support connection pooling managed by middle-tier applications, the DBMS_SESSION
interface gives the application the ability to add a client identifier for each application context.
The application can manage the context globally, whereas each client sees only its assigned
application context.
The application must test input to prevent a malicious user from injecting a call to
DBMS_SESSION or any SQL injection attempt. Because DBMS_SESSION is granted to
PUBLIC, such an injection can allow the user unauthorized privileges.
By default, a context is not accessed globally.
Note: A context accessed globally is not available in the Real Application Clusters (RAC)
environment for connections that span instances. The context accessed globally is stored in the
shared pool of one instance and is not available in the other instances of the cluster.
[Diagram: PHALL, Application server, Database; step 2: Logs in]
Maintaining contexts:
dbms_session.set_context('hrapp', 'emp_id', v_emp_id);
dbms_session.set_identifier(client_id);
dbms_session.set_identifier(12345);
where CLIENT_ID is the identifier being set for this session. This identifier is arbitrary
and has no relationship to the SESSION_ID username; the application chooses the
identifier. Because this identifier is often placed in a browser cookie, it should not be
information that could violate the user's privacy. The identifier should be a randomly
chosen string or number. If the application code sets the client identifier with a call to
DBMS_SESSION.SET_IDENTIFIER, CLIENT_ID is recorded in audit trails and can
provide a way to link a user to an action, provided the application maintains a CLIENT_ID-to-user
mapping.
CLEAR_IDENTIFIER
This procedure clears the current session identifier that has been set with
DBMS_SESSION.SET_IDENTIFIER. It has no arguments.
SET_CONTEXT
This procedure sets a context attribute. It has the following syntax:
PROCEDURE set_context (
  namespace VARCHAR2,
  attribute VARCHAR2,
  value     VARCHAR2,
  username  VARCHAR2 DEFAULT NULL,
  client_id VARCHAR2 DEFAULT NULL )
where:
namespace is the name of the application context
attribute is the name of the attribute to be set
value is the value to be assigned to the attribute
username is the username attribute for the application context
client_id is the client identifier that identifies a user session to set a context.
SET_IDENTIFIER
This procedure sets an identifier that can be used to share a global context. It has the
following specification:
PROCEDURE set_identifier (
    client_id VARCHAR2 )
where:
client_id is the identifier being set for this session
The CLEAR_CONTEXT procedure (its syntax appears later in this section) takes the following
parameters:
namespace is the namespace of the application context that contains the attribute to be
cleared
client_id is the ID of the client that has the contexts
attribute is the name of the attribute to be cleared
If ATTRIBUTE is not included, all contexts for the client are cleared.
LIST_CONTEXT
This procedure lists all the current context namespaces. It has the following syntax:
PROCEDURE list_context (
    list  OUT AppCtxTabTyp,
    lsize OUT NUMBER )
where:
list is a table of records for storing the list of application contexts set in the current
session, where each item in the list includes the namespace, attribute, and value of the
fields
lsize is the number of entries in the buffer
The AppCtxTabTyp type has the following specification:
TYPE AppCtxRecTyp IS RECORD (
    namespace VARCHAR2(30),
    attribute VARCHAR2(30),
    value     VARCHAR2(4000));
TYPE AppCtxTabTyp IS TABLE OF AppCtxRecTyp
    INDEX BY BINARY_INTEGER;
UNIQUE_SESSION_ID
This function returns an identifier, which is unique for all sessions that are currently
connected to this database. Multiple calls to this function during the same session always
return the same result. It has the following specification:
FUNCTION unique_session_id RETURN VARCHAR2
This identifier is different from the identifier that you can set by using SET_IDENTIFIER.
This identifier is a hexadecimal representation of session_id (SID), serial#, and a
sequence number. It can be up to 24 bytes and consist of alphanumeric characters.
CLEAR_CONTEXT
This procedure clears the attributes in a context. It has the following syntax:
PROCEDURE clear_context (
    namespace VARCHAR2,
    client_id VARCHAR2,
    attribute VARCHAR2 DEFAULT NULL )
dbms_session.set_context(context, attr, value, username, client_id);
dbms_session.set_context('hrapp', 'id',   'phall', 'APPSMGR', 12345);
dbms_session.set_context('hrapp', 'dept', 'sales', 'APPSMGR', 12345);
dbms_session.set_identifier( 12345 );
EXEC dbms_session.clear_context
('HRAPP', '12345');
Context created.
SQL> SELECT *
  2  FROM dba_context
  3  WHERE namespace = 'HRAPP';

NAMESPACE SCHEMA PACKAGE    TYPE
--------- ------ ---------- ----------------
HRAPP     SYS    HR_CONTEXT ACCESSED LOCALLY
SQL>
Parallel Queries
If you try to execute SYS_CONTEXT in a parallel query environment, you receive a query
error.
If SYS_CONTEXT is used inside a SQL function that is embedded in a parallel query, the
function cannot pick up the application context. This is true because the application context
exists only in the user session. To use these features in combination, you must call
SYS_CONTEXT directly from the query.
Application Contexts Accessed Globally and RAC
Application contexts accessed globally are not available in RAC.
Validating Context Sources
When using an application context for security, the source of the values for the context
attributes must be thoroughly validated. If the source of the context is user input, there is a
possibility that the attribute may be altered to allow unintended access.
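The following is an added example, not code from the course, showing one way to keep the HRAPP context out of the user's hands: the attribute is derived from SESSION_USER inside the trusted package rather than taken from a caller-supplied value. Assumed names: a SEC schema that owns the package and holds EXEMPT ACCESS POLICY (so the lookup on HR.EMPLOYEES is not itself filtered by a VPD policy, the recursive-context problem described later in this lesson), an HR.EMPLOYEES table with EMAIL and EMPLOYEE_ID columns, and the trigger name.

```sql
-- Added example (not from the course). Assumed: schema SEC with
-- EXEMPT ACCESS POLICY, table HR.EMPLOYEES(EMAIL, EMPLOYEE_ID).

-- 1. Only SEC.HRAPP_CTX_PKG may set attributes in the HRAPP namespace.
--    Any other caller of DBMS_SESSION.SET_CONTEXT('hrapp', ...) gets
--    ORA-01031, which is what defeats the injection case above.
CREATE OR REPLACE CONTEXT hrapp USING sec.hrapp_ctx_pkg;
/

CREATE OR REPLACE PACKAGE sec.hrapp_ctx_pkg AS
  PROCEDURE set_emp_ctx;    -- no parameters: nothing for a caller to forge
  PROCEDURE clear_emp_ctx;
END hrapp_ctx_pkg;
/

CREATE OR REPLACE PACKAGE BODY sec.hrapp_ctx_pkg AS
  PROCEDURE set_emp_ctx IS
    v_emp_id hr.employees.employee_id%TYPE;
  BEGIN
    -- The source of the attribute is the authenticated session user,
    -- looked up in a table the user cannot modify, not user input.
    SELECT employee_id
      INTO v_emp_id
      FROM hr.employees
     WHERE email = SYS_CONTEXT('USERENV', 'SESSION_USER');

    DBMS_SESSION.SET_CONTEXT('hrapp', 'emp_id', TO_CHAR(v_emp_id));
  EXCEPTION
    WHEN NO_DATA_FOUND OR TOO_MANY_ROWS THEN
      -- Unknown or ambiguous user: leave EMP_ID unset rather than guess.
      -- A predicate such as emp_id = SYS_CONTEXT('hrapp','emp_id') then
      -- compares against NULL and returns no rows (fail closed).
      DBMS_SESSION.CLEAR_CONTEXT('hrapp', NULL, 'emp_id');
  END set_emp_ctx;

  PROCEDURE clear_emp_ctx IS
  BEGIN
    DBMS_SESSION.CLEAR_CONTEXT('hrapp', NULL);
  END clear_emp_ctx;
END hrapp_ctx_pkg;
/

-- 2. Populate the context at logon (assumed trigger name). The trigger
--    runs with SEC's privileges, so the SELECT above is exempt from any
--    VPD policy on HR.EMPLOYEES that itself depends on HRAPP.EMP_ID.
CREATE OR REPLACE TRIGGER sec.set_hrapp_ctx_trg
  AFTER LOGON ON DATABASE
BEGIN
  sec.hrapp_ctx_pkg.set_emp_ctx;
END;
/
```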
Summary
Practice 11 Overview:
Creating an Application Context
Objectives
Example:
In the example in the slide, two different users enter the same SQL statement; however, the
security policy is applied to limit the query to those rows where the user is the sales
representative for the order. In this example, the security policy consists of the entire WHERE
clause.
[Slide figure: steps 1 through 5 of statement rewriting]
SELECT *
FROM orders;
becomes
SELECT *
FROM orders
WHERE customer_id = sys_context('oeapp','cust_id');
If there are multiple policies attached to a table, the data server combines and enforces
all the predicates.
5. The Oracle server executes the dynamically modified statement. Upon execution, the
function employs the username returned by
SYS_CONTEXT ('USERENV','SESSION_USER')
to look up the corresponding customer and to limit the data returned from the ORDERS
table to that customer's data only.
Multiple Policies
You can establish several policies for the same table or view. Suppose that you have a base
application for order entry, and each division of your company has its own special rules for
data access. You can add a division-specific policy function to a table without having to
rewrite the policy function of the base application.
All policies applied to a table are enforced with the AND syntax. Thus, if you have three
policies applied to the CUSTOMERS table, each policy is applied to any access of the table.
Also, you can use policy groups and a driving application context to partition fine-grained
access control enforcement so that different policies apply, depending on which application is
accessing the data.
Security:
Simplicity:
  Define the policy once.
  The policy is independent of the application.
Flexibility:
  Apply different access rules to different SQL statements.
  Group policies.
High performance:
  Define policies as static, context sensitive, or dynamic.
  Active policies are stored in memory.
To design a VPD policy to return a specific predicate for an attribute, access the application
context within the function that implements the policy.
Using an Application Context with FGAC
Customer Example
For example, to limit customers to seeing their own records only, use FGAC to dynamically
modify the user's query from SELECT * FROM orders to:
SELECT * FROM orders
WHERE customer_id =
SYS_CONTEXT ('oeapp', 'cust_id');
In this example, the security function returns the following value:
customer_id = SYS_CONTEXT ('oeapp', 'cust_id')
Sales Representative Example
To limit sales representatives to seeing the records for their customers only, use FGAC to
dynamically modify the same query as above to this:
SELECT * FROM orders
WHERE sales_rep_id =
SYS_CONTEXT ('oeapp', 'emp_id');
In this example, the security function returns the following value:
sales_rep_id = SYS_CONTEXT ('oeapp', 'emp_id')
Answer: b, c
Quiz
Contexts
Client identifiers
DBMS_RLS: Manages:
Policies
Policy groups
Enterprise Manager:
Uses DBMS_RLS
Provides security policy administration
Manages VPD
Enterprise Manager
Alternatively, you can use Enterprise Manager's graphical user interface (GUI) to apply
security policies to schema objects (such as tables and views) and to create application
contexts. Enterprise Manager provides an easy-to-use interface to manage security policies
and application contexts and, therefore, makes the VPD easier to develop.
Use the DBMS_RLS package to implement a VPD by indicating which security policies apply
to which tables and views. Use the CREATE CONTEXT command to create application
contexts.
The DBMS_RLS package contains procedures and functions that are used to manage:
Policies
Policy groups
Enterprise Manager
Enterprise Manager is the GUI administration tool for the following features:
Oracle Label Security
Virtual Private Database
Application context
Enterprise Manager
DROP_POLICY
DROP_GROUPED_POLICY
Refresh policies:
REFRESH_POLICY
Group policies:
CREATE_POLICY_GROUP
REFRESH_GROUPED_POLICY
DELETE_POLICY_GROUP
DROP_POLICY_CONTEXT
The following is a list of parameters that are used in the DBMS_RLS procedures:
object_schema: This is the schema containing the table, view, or synonym (current
default schema, if NULL).
object_name: This is the name of the table, view, or synonym to which the policy is
added.
policy_name: This is the name of the policy to be added. It must be unique for the
same table or view.
function_schema: This is the schema of the policy function (current default
schema, if NULL).
policy_function: This is the name of a function that generates a predicate for the
policy. If the function is defined within a package, the name of the package must be
present.
statement_types: These are the statement types to which the policy applies. It can
be any combination of INDEX, SELECT, INSERT, UPDATE, or DELETE. The default
is to apply the policy to all of these types, except INDEX. Oracle Database does not
implement fine-grained access control during MERGE statements. You must use
equivalent INSERT and UPDATE statements instead of MERGE to avoid error messages
and to ensure correct access control.
update_check: This is the optional argument for the INSERT or UPDATE statement
types. The default is FALSE. Setting update_check to TRUE causes the server to
also check the policy against the value after insert or update.
enable: This indicates whether or not the policy is enabled when it is added. The
default is TRUE.
static_policy: The default is FALSE. If it is set to TRUE, the server assumes that
the policy function for the static policy produces the same predicate string for anyone
accessing the object, except for SYS or the privilege user who has the EXEMPT
ACCESS POLICY privilege.
policy_type: The default is NULL, which means policy_type is decided by the
value of static_policy. The available policy types are described in the following
slides. Specifying any of these policy types overrides the value of static_policy.
long_predicate: The default is FALSE, which means the policy function can
return a predicate with a length of up to 4 KB. TRUE means the predicate text string
length can be up to 32 KB. Policies existing before the availability of this parameter
retain a 32-KB limit.
sec_relevant_cols: This enables column-level VPD, which enforces security
policies when a column containing sensitive information is referenced in a query. This
applies to tables and views, but not to synonyms. Specify a list of valid column names
of the policy-protected object separated by commas or spaces. The policy is enforced
only if a specified column is referenced (or, for an abstract data type column, its
attributes are referenced) in the user SQL statement or its underlying view definition.
The default is all the user-defined columns for the object.
sec_relevant_cols_opt: Use with sec_relevant_cols to display all rows
for column-level VPD filtered queries (SELECT only), but where sensitive columns
appear as NULL. The default is set to NULL, which allows the filtering defined with
sec_relevant_cols to take effect. Set to dbms_rls.ALL_ROWS to display all
rows, but with sensitive column values, which are filtered by sec_relevant_cols,
displayed as NULL.
Column-Level VPD
Statements are not always rewritten.
Example: A policy protects the SALARY column of the
EMPLOYEES table. The VPD policy is:
Not enforced for this query:
SQL> SELECT last_name FROM employees;
Enforced for these queries:
SQL> SELECT last_name, salary
2 FROM employees;
SQL> SELECT * FROM employees;
Column-Level VPD
With column-level VPD, the policy is applied and the statements are rewritten only when the
security-relevant columns are accessed. This means that the combination of row-level access
control and security-relevant columns implies that you can control access down to the element
referenced.
Suppose that the business policy and the imposed VPD policy is that a manager can access the
EMPLOYEES sensitive information only for his or her employees. The SALARY column is
considered sensitive information.
The Oracle Database server does not enforce the VPD policy when you select only the
LAST_NAME column from the EMPLOYEES table. So all employees can access nonsensitive
information in the EMPLOYEES table. However, when you issue queries that access columns
considered as security relevant, VPD applies the access control policy defined by the policy
function.
Note: Some commands explicitly reference the columns and others reference them implicitly.
Depending on how you define the policy function, the column-level policy can be applied for
DML statements as well.
BEGIN
  dbms_rls.add_policy(object_schema         => 'hr',
                      object_name           => 'employees',
                      policy_name           => 'hr_policy',
                      function_schema       => 'hr',
                      policy_function       => 'hrsec',
                      statement_types       => 'select',
                      sec_relevant_cols     => 'salary',
                      sec_relevant_cols_opt => dbms_rls.ALL_ROWS);
END;
/
Dynamic
  DBMS_RLS.DYNAMIC (default)
Static
  DBMS_RLS.STATIC
  DBMS_RLS.SHARED_STATIC
Context sensitive
  DBMS_RLS.CONTEXT_SENSITIVE
  DBMS_RLS.SHARED_CONTEXT_SENSITIVE
BEGIN
  dbms_rls.add_policy(
      object_schema     => 'hr',
      object_name       => 'employees',
      policy_name       => 'hr_policy',
      function_schema   => 'hr',
      policy_function   => 'hrsec',
      statement_types   => 'select,insert',
      policy_type       => dbms_rls.static,
      sec_relevant_cols => 'salary');
END;
/
Static Policies
When you use static policies, VPD always enforces the same predicate for access control.
Regardless of which user accesses the objects, everyone gets the same predicate.
The policy function is executed only once. The returned predicate is cached in the system global
area (SGA) for all static policies with the same policy function. This makes static policies very
fast because the policy function is not executed for each query.
You can use a static policy when every query needs the same policy predicate.
You can enable static or shared static policies by setting the POLICY_TYPE parameter of the
DBMS_RLS.ADD_POLICY procedure to DBMS_RLS.STATIC or
DBMS_RLS.SHARED_STATIC, respectively.
In this example, the business policy is that a manager can access the EMPLOYEES sensitive
information only for his or her employees.
Note: The policy predicate is the same for every rewritten statement. But each execution of the
same rewritten statement can produce a different row set because the predicate may filter the data
differently according to context attributes or functions (such as SYSDATE). When the predicate
uses the SYS_CONTEXT function and the attribute remains the same, the function call is treated
like a bind variable; that is, the value returned by the function may change, but the cursor
remains the same.
Context-Sensitive Policies
BEGIN
  dbms_rls.add_policy(
      object_schema     => 'hr',
      object_name       => 'employees2',
      policy_name       => 'hr_policy2',
      function_schema   => 'hr',
      policy_function   => 'hrsec2',
      statement_types   => 'select,insert',
      policy_type       => dbms_rls.context_sensitive,
      sec_relevant_cols => 'salary');
END;
/
Context-Sensitive Policies
Policies are not always static or dynamic. Policy predicates may be static for a particular user
session, but different for other users. In some cases, policy predicates can change when certain
context attributes are changed within a user session. For either of these situations, you enable
context-sensitive or shared context-sensitive policies by setting the POLICY_TYPE parameter of
the DBMS_RLS.ADD_POLICY procedure. A policy type of
DBMS_RLS.CONTEXT_SENSITIVE assumes that the policy predicate may be changed after
statement parsing for a particular database session. This change can occur only if there are some
session context changes. Therefore, the server reevaluates the policy function at statement
execution time if it detects context changes since the last use of the cursor. The policy predicate is
cached in the session memory.
In this example, the business policy is that a manager can access the EMPLOYEES2 sensitive
information only for his or her employees, and employees who are not managers can access only
their own sensitive information. The text of the predicate changes depending on who the user is.
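The course does not show the body of HRSEC2; the following is an added example (not the course's code) of a policy function whose predicate text depends on who the user is, which is what makes the context-sensitive policy type appropriate. Assumed, not on the page: an HRAPP context with EMP_ID and IS_MGR attributes populated by a trusted package, and EMPLOYEE_ID and MANAGER_ID columns on HR.EMPLOYEES2.

```sql
-- Added example (not from the course). Assumed: HRAPP context attributes
-- EMP_ID and IS_MGR ('Y'/'N') set by a trusted package; HR.EMPLOYEES2
-- has EMPLOYEE_ID and MANAGER_ID columns.
CREATE OR REPLACE FUNCTION hr.hrsec2 (
    object_schema VARCHAR2,
    object_name   VARCHAR2 )
  RETURN VARCHAR2
IS
  v_is_mgr VARCHAR2(1);
BEGIN
  -- Manager status is read from the context, not looked up in the
  -- protected table: a SELECT on HR.EMPLOYEES2 from inside its own
  -- policy function would be filtered by this very policy (recursion).
  v_is_mgr := SYS_CONTEXT('hrapp', 'is_mgr');

  IF v_is_mgr = 'Y' THEN
    -- Managers: their own row plus their direct reports. The predicate
    -- still references SYS_CONTEXT, so the cursor is shared by all
    -- managers and only the bound value differs per session.
    RETURN 'employee_id = SYS_CONTEXT(''hrapp'', ''emp_id'') '
        || 'OR manager_id = SYS_CONTEXT(''hrapp'', ''emp_id'')';
  ELSIF SYS_CONTEXT('hrapp', 'emp_id') IS NOT NULL THEN
    -- Non-managers: only their own row.
    RETURN 'employee_id = SYS_CONTEXT(''hrapp'', ''emp_id'')';
  ELSE
    -- Context not populated (unknown user): fail closed.
    RETURN '1=2';
  END IF;
END hrsec2;
/
```

Because the text of the predicate differs between the manager and non-manager branches, a static policy type would be wrong here; with DBMS_RLS.CONTEXT_SENSITIVE the server re-runs the function only when the session's context attributes change.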
[Slide figures: the same policy function applied to DEPARTMENTS, COUNTRIES, EMP_V and
EMPLOYEES; steps 1 to 4: the OEAPP context is read by the CUST_ORDER function of the
OE_SECURITY package, which backs OE_POLICY on OE.ORDERS]
Copyright 2010, Oracle and/or its affiliates. All rights reserved.
Step 2: Create a unique context and associate it with the PL/SQL package.
To perform this task, use the CREATE CONTEXT statement. Context names must be unique
within the database, not just within a schema. Contexts are always owned by the SYS schema.
FUNCTION policy_function_name (
    object_schema VARCHAR2,
    object_name   VARCHAR2 )
  RETURN VARCHAR2
where:
object_name is the name of the table or view to which the policy is applied.
Example:
The package body creates a predicate for the ORDERS table, which limits the orders returned
to those with the user's customer identifier. The function uses the CUST_ID context attribute
instead of a subquery on the CUSTOMERS table.
The following is the entire code for the example:
CREATE OR REPLACE PACKAGE oe_security_p AS
  FUNCTION cust_order (
      object_schema VARCHAR2,
      object_name   VARCHAR2 )
    RETURN VARCHAR2;
END;
/
CREATE OR REPLACE PACKAGE BODY oe_security_p AS
  FUNCTION cust_order (
      object_schema VARCHAR2,
      object_name   VARCHAR2 )
    RETURN VARCHAR2
  IS
  BEGIN
    RETURN 'customer_id = SYS_CONTEXT(''oeapp'', ''cust_id'')';
  END cust_order;
END oe_security_p;
/
OE_SECURITY.CUST_ORDER('A','B')
----------------------------------------------
customer_id = SYS_CONTEXT('oeapp', 'cust_id')
RETURN 'NULL';
RETURN 'sales_rep_id = sys_context(''oeapp'', ''emp_id'')';
RETURN 'customer_id = sys_context(''oeapp'', ''cust_id'')';
RETURN '1=2';
Creating a Policy
dbms_rls.add_policy (
object_schema =>'oe', object_name => 'orders',
policy_name => 'oe_policy',
function_schema =>'sec',
policy_function =>'oe_security_p.cust_order',
statement_types =>'select')
Creating a Policy
Create the policy by using the DBMS_RLS.ADD_POLICY procedure as shown in the code
example in the slide. This example adds a policy named OE_POLICY to the ORDERS table in the
OE schema. The OE_SECURITY.CUST_ORDER function is stored in the SEC schema and
returns the policy predicate. The policy applies to the SELECT statements only.
EXECUTE Privilege on the Policy Function
You need not grant the EXECUTE privilege on the security package to application users.
Answer: a
Quiz
[Slide figure: the Order-entry policy group AND the Default policy AND the Inventory
policy group, all applied to the Orders table]
Grouping Policies
Because multiple applications, with varying security policies, can share the same table or view, it
is important to identify which policies should be in effect when the table or view is accessed for
each application.
To do this, you can organize security policies into groups. By referring to the driving application
context, the Oracle server determines which group of policies should be in effect at run time. The
server enforces all policies that belong to that policy group.
The slide outlines the steps to create and implement grouped policies.
For example, the EMP table in the SCOTT schema has one SYS_DEFAULT policy group, and
the DEPT table in the SCOTT schema has a different SYS_DEFAULT policy group associated
with it.
[Slide figure: the APP_DRIVER driving context, set through SECURE.APPS_CXT_PKG]
If the driving context is a policy group with policies, all enabled policies from that
policy group are applied, along with all policies from the SYS_DEFAULT policy group.
In this example, the context is set to the parameter passed to the procedure:
dbms_rls.add_policy_context(
object_schema =>'OE',
object_name => 'ORDERS' ,
namespace => 'APP_DRIVER',
attribute => 'ACTIVE_APP')
[Slide figure: the APP_DRIVER context selecting the policy group for the Orders table]
dbms_rls.create_policy_group(
object_schema =>'OE',
object_name => 'ORDERS',
policy_group => 'OE_GRP' );
dbms_rls.create_policy_group
( 'OE', 'ORDERS', 'AC_GRP' );
where:
OBJECT_SCHEMA is the owner of the table or view that the policy group is applied to; the
current user is the default.
OBJECT_NAME is the name of the table or view that the policy group is applied to.
dbms_rls.add_grouped_policy (
    object_schema   => 'oe',
    object_name     => 'orders',
    policy_group    => 'oe_grp',
    policy_name     => 'oe_security',
    function_schema => 'sec',
    policy_function => 'oe_context');
The DBMS_RLS package contains the following procedures for managing grouped policies:
ADD_GROUPED_POLICY
DROP_GROUPED_POLICY
ENABLE_GROUPED_POLICY
DISABLE_GROUPED_POLICY
REFRESH_GROUPED_POLICY
CREATE_POLICY_GROUP
DELETE_POLICY_GROUP
For the specifications for these procedures and usage notes, refer to the PL/SQL Packages and
Types Reference manual.
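The steps of this section put together end to end, as an added example that is not the course's own code: the driving context and the trusted package that sets it, the two policy groups on OE.ORDERS, a grouped policy in each, and the ADD_POLICY_CONTEXT call that ties them together. The SECURE schema, APPS_CXT_PKG, OE_GRP and AC_GRP names come from the slides; SEC.OE_CONTEXT and SEC.AC_CONTEXT as the two policy functions and the AC_SECURITY policy name are assumptions.

```sql
-- Added example (not from the course). Assumed: policy functions
-- SEC.OE_CONTEXT and SEC.AC_CONTEXT already exist with the standard
-- (object_schema, object_name) RETURN VARCHAR2 signature.

-- 1. Driving context: writable only through SECURE.APPS_CXT_PKG, so an
--    application user cannot switch policy groups by calling
--    DBMS_SESSION.SET_CONTEXT directly.
CREATE OR REPLACE CONTEXT app_driver USING secure.apps_cxt_pkg;
/

CREATE OR REPLACE PACKAGE secure.apps_cxt_pkg AS
  PROCEDURE set_active_app (p_app IN VARCHAR2);
END apps_cxt_pkg;
/

CREATE OR REPLACE PACKAGE BODY secure.apps_cxt_pkg AS
  PROCEDURE set_active_app (p_app IN VARCHAR2) IS
  BEGIN
    -- Accept only the policy group names that exist; reject anything
    -- else instead of storing an arbitrary caller-supplied string.
    IF UPPER(p_app) NOT IN ('OE_GRP', 'AC_GRP') THEN
      RAISE_APPLICATION_ERROR(-20001, 'unknown application: ' || p_app);
    END IF;
    DBMS_SESSION.SET_CONTEXT('app_driver', 'active_app', UPPER(p_app));
  END set_active_app;
END apps_cxt_pkg;
/

-- 2. Policy groups on OE.ORDERS and one grouped policy in each.
BEGIN
  DBMS_RLS.CREATE_POLICY_GROUP('OE', 'ORDERS', 'OE_GRP');
  DBMS_RLS.CREATE_POLICY_GROUP('OE', 'ORDERS', 'AC_GRP');

  DBMS_RLS.ADD_GROUPED_POLICY(
      object_schema   => 'OE',
      object_name     => 'ORDERS',
      policy_group    => 'OE_GRP',
      policy_name     => 'OE_SECURITY',
      function_schema => 'SEC',
      policy_function => 'OE_CONTEXT',
      statement_types => 'SELECT,INSERT,UPDATE,DELETE');

  DBMS_RLS.ADD_GROUPED_POLICY(
      object_schema   => 'OE',
      object_name     => 'ORDERS',
      policy_group    => 'AC_GRP',
      policy_name     => 'AC_SECURITY',        -- assumed name
      function_schema => 'SEC',
      policy_function => 'AC_CONTEXT',         -- assumed function
      statement_types => 'SELECT');

  -- 3. Tell VPD which context attribute names the group in effect.
  --    At run time the server enforces the enabled policies of the
  --    group named by APP_DRIVER.ACTIVE_APP plus those in SYS_DEFAULT.
  DBMS_RLS.ADD_POLICY_CONTEXT(
      object_schema => 'OE',
      object_name   => 'ORDERS',
      namespace     => 'APP_DRIVER',
      attribute     => 'ACTIVE_APP');
END;
/
```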
However, if the customer updates the table, he or she can access all the rows in the table, as in the
following:
SQL> UPDATE oe.orders
  2  SET sales_rep_id = 152;
107 rows updated.
If you apply different policies or predicates for different statement types on the same user and
table, be aware of this implication.
A policy for a table or view adds a predicate to every SQL statement executed against the table or
view. A SELECT statement against that table or view cannot be executed from within the policy.
Avoid Recursive Contexts
If the procedure that sets the application context executes a SELECT statement from a table, and
the policy on the table uses that application context to set the predicate, the SELECT statement
will fail. For example, if the user's employee ID is used to set the application context by selecting
from the EMPLOYEES table when the user logs on, and a policy uses that application context to
set a predicate controlling access to the EMPLOYEES table, the SELECT statement returns no
rows. This is because the application context attributes are not set. To avoid this problem, access
the EMPLOYEES table by using the privileges of a user that has the EXEMPT ACCESS POLICY
system privilege.
Error Handling
To resolve the error message:
ORA-28112: failed to execute policy
look in the trace file for the session. The following trace file includes the PLS-00306 error,
which means that the wrong number of arguments were passed to the security function. Tracing of
errors is automatic. There are no tracing parameters required to enable this behavior.
*** 2010-01-29 11:27:43.478
-------------------------------------------------------
Policy function execution error:
Logon user     : TEST
Table/View     : TEST.TAB
Policy name    : TAB_RLS_POLICY
Policy function: TEST.TAB_SECURITY
ORA-06550: line 1, column 15:
PLS-00306: wrong number or types of arguments in call to 'TAB_SECURITY'
ORA-06550: line 1, column 7:
PL/SQL: Statement ignored
Policy Performance
Index the Column in the Predicate
Because the columns used in the predicate are used to access the table, you may be able to
improve query performance by indexing these columns.
Example: The predicate returned is:
customer_id = SYS_CONTEXT('oe', 'cust_id')
From the security function, return this predicate, which uses the context:
customer_id = SYS_CONTEXT('oe', 'cust_id')
This code causes the subquery to be performed every time the table is accessed.
Literal values in the predicate could make every SQL statement issued have a different predicate.
The SQL cursors could not be shared, so there would be an additional overhead for parsing.
Because the call to SYS_CONTEXT is the same for all predicates, the SQL statement cursors can
be shared by multiple users. The use of application context in a fine-grained access control
package effectively gives you a bind variable in a parsed statement.
For example, a predicate applied to the ORDERS table uses the actual customer identifier, as in
the following:
cust_id = 12345
Each customer that logs on gets a different predicate, and because each predicate is different, the
cursor could not be shared.
Static Policy and Policy Type Parameters
Always specify the frequency that the policy needs to be evaluated by using either the
STATIC_POLICY policy parameter or set a POLICY_TYPE when using the ADD_POLICY
procedure. Reduce the execution overhead by specifying STATIC_POLICY=TRUE to indicate
that the policy function always returns the same predicate. As an alternative, specify
POLICY_TYPE for DBMS_RLS.STATIC or DBMS_RLS.SHARED_STATIC. Setting
POLICY_TYPE overrides the setting of the STATIC_POLICY parameter. If neither is set, the
default is a dynamic policy that is evaluated for every DML statement.
Policy Views
Security Policy Views
*_POLICIES: Views with the information provided in the ADD_POLICY procedure
Policy Context Views
*_POLICY_CONTEXTS: All driving contexts defined for tables or views in the scope of
the view. The columns have the information provided in the DBMS_RLS.ADD_POLICY_CONTEXT
procedure.
Policy Group Views
*_POLICY_GROUPS: All policy groups defined for any tables or views in the scope of the
view. The columns are the same as the parameters passed to
DBMS_RLS.CREATE_POLICY_GROUP .
Dynamic Performance Views
V$VPD_POLICY: All the fine-grained security policies and predicates associated with the
cursors currently in the library cache
GV$VPD_POLICY: The same information as V$VPD_POLICY, except that this view is
used with multiple instances with Real Application Clusters
For more details, see Oracle Database Reference.
Policy Views
Output of a query joining V$VPD_POLICY to V$SQL (aliased s on the slide), showing the POLICY,
PREDICATE, and SQL_TEXT columns for the cursor; the query text itself is not recoverable from
the slide:
POLICY       PREDICATE
------------ --------------------------------------
OE_POLICY    1=1
This query is executed after a user LSMITH (a sales representative) and the OE user accessed the
ORDERS table with the following statement:
SELECT count(*) FROM oe.orders;
Summary
Practice 12 Overview:
Implementing a Virtual Private Database Policy
Objectives
Label concepts
Access mediation
Objectives
This lesson is an introduction to Oracle Label Security. Implementation of Oracle Label Security is
presented in the next lesson. Additional information can be found in the Oracle Label Security
Administrator's Guide.
Row-level security
Allows sophisticated access rules
Supplements DAC
Is provided by Virtual Private Database and Oracle Label Security
[Slide diagram showing users Joe and Fred with the statement REVOKE SELECT ON emp FROM fred;]
Copyright 2010, Oracle and/or its affiliates. All rights reserved.
[Slide diagram: OLS access mediation for a user whose clearance is Confidential. For each row
the question "User clearance dominates data row label?" is asked; the slide marks two rows with
an X, the Sensitive and Highly Sensitive rows, which a Confidential clearance does not dominate.]
Location   Storage        OLS Label
Nevada     Conventional   Sensitive
Montana    Nuclear        Highly Sens.
Colorado   Medical        Confidential
[Slide diagram: a SQL request passes through access mediation, which compares the user's
authorizations with the data labels (data sensitivity, for example Secret) before returning data]
Answer: b
Quiz
The previous releases of Oracle Label Security have relied on the Oracle database as the central
repository for policy and user label authorizations. This architecture took advantage of the scalability
and high availability of the Oracle database, but did not make use of the Oracle Identity Management
infrastructure, which includes Oracle Internet Directory. This directory is part of the Oracle Identity
Management platform. Integrating your installation of Oracle Label Security with Oracle Internet
Directory allows label authorizations to be part of your standard provisioning process.
For sites that use Oracle Internet Directory, database servers retrieve Oracle Label Security policy
information from the directory. Administrators use the olsadmintool policy administration tool
to operate directly on the directory to insert, alter, or remove metadata as needed. Because enterprise
users can log in to multiple databases by using the credentials stored in Oracle Internet Directory, it
is logical to store their Oracle Label Security policy authorizations and privileges there as well. An
administrator can then modify these authorizations and privileges simply by updating these metadata
in the directory. (Other aspects of managing enterprise users are performed through the Oracle
Identity Management Provisioning console.)
For distributed databases, centralized policy management removes the need for replicating policies
because the appropriate policy information is available in the directory. Policy changes in the
directory are synchronized with policy information in the databases by means of the Directory
Integration Platform and are effective without further effort.
The following Oracle Label Security information is stored in the directory:
Policy information, namely, policy name, column name, policy enforcement options, and audit
options
User profiles identifying their labels and privileges
Policy label components: levels, compartments, and groups
Policy data labels
The database-specific metadata is not stored in the directory. Examples include:
Lists of schemas or tables, with associated policy information
Program units, with associated policy privileges
[Slide comparison table of row-level security approaches (columns not recoverable from the
slide); the recoverable cells, in slide order, are: Access Control; Implemented; With
user-programmed policies; Table changes; No columns added; New Data Classification; None;
Automatic; In addition to DAC; Policies automatically applied; Column-level control]
VPD
Database roles
Secure application roles
Stored procedures and functions
Oracle Database Vault
Summary
Label concepts
Access mediation
Objectives
BEGIN
SA_SYSDBA.CREATE_POLICY(
POLICY_NAME =>'FACILITY',
COLUMN_NAME => 'FACLAB',
DEFAULT_OPTIONS =>
'READ_CONTROL,CHECK_CONTROL,LABEL_DEFAULT,HIDE');
END;
Access-control enforcement:
READ_CONTROL
WRITE_CONTROL
CHECK_CONTROL
Label-management enforcement:
LABEL_DEFAULT
LABEL_UPDATE
READ_CONTROL enforces the policy for all queries, controlling which data rows are
accessible for SELECT, UPDATE, and DELETE. If READ_CONTROL is OFF on a policy,
for any table protected by the policy, all rows are accessible to all users.
WRITE_CONTROL determines the ability to insert, update, and delete data in a row. If this
option is active, it enforces INSERT_CONTROL, UPDATE_CONTROL, and
DELETE_CONTROL. You can apply INSERT_CONTROL, UPDATE_CONTROL, and
DELETE_CONTROL separately.
Set Policy Enforcement Options at the policy level as shown in the previous slide with the
DEFAULT_OPTIONS parameter. These options will be used unless other options are
specified when the policy is applied to the table or schema.
Note: Table-level options take precedence over the schema-level options.
LABEL_DEFAULT uses the session's default row label value unless the user explicitly
specifies a label on INSERT.
BEGIN
  -- Parameter names follow the CREATE_LEVEL syntax below (level_num is an INTEGER)
  SA_COMPONENTS.CREATE_LEVEL(
    POLICY_NAME => 'FACILITY',
    LEVEL_NUM   => 100,
    SHORT_NAME  => 'P',
    LONG_NAME   => 'PUBLIC');
END;
Creating Levels
To define levels, the database administrator (DBA) or security administrator uses the
CREATE_LEVEL procedure of the SA_COMPONENTS package or Enterprise Manager.
Syntax
PROCEDURE CREATE_LEVEL (
policy_name IN VARCHAR2,
level_num IN INTEGER,
short_name IN VARCHAR2,
long_name IN VARCHAR2);
Creating Levels
BEGIN
  -- Parameter names follow the CREATE_GROUP syntax below (group_num is an INTEGER)
  SA_COMPONENTS.CREATE_GROUP(
    POLICY_NAME => 'FACILITY',
    GROUP_NUM   => 1000,
    SHORT_NAME  => 'WR_SAL',
    LONG_NAME   => 'WR_SALES',
    PARENT_NAME => 'WR');
END;
Creating Groups
To define groups, the DBA or security administrator uses the CREATE_GROUP procedure of the
SA_COMPONENTS package or Enterprise Manager.
Syntax
PROCEDURE CREATE_GROUP (
policy_name IN VARCHAR2,
group_num IN INTEGER,
short_name IN VARCHAR2,
long_name IN VARCHAR2,
parent_name IN VARCHAR2 DEFAULT NULL);
Example
BEGIN
SA_COMPONENTS.CREATE_GROUP('FACILITY',1000,
'WR','WESTERN_REGION');
SA_COMPONENTS.CREATE_GROUP('FACILITY',1200,
'WR_FIN','WR_FINANCE','WR');
SA_COMPONENTS.CREATE_GROUP('FACILITY',1210,
'WR_AP','WR_ACCT_PAYABLE','WR_FIN');
END;
Creating Groups
In the example:
Optional compartments are OP, CH, and FIN.
FIN could appear in the compartment field of the
level:compartment:group label.
Example: Label S:OP,CH:
BEGIN
  -- Parameter names follow the CREATE_COMPARTMENT syntax below (comp_num is an INTEGER)
  SA_COMPONENTS.CREATE_COMPARTMENT(
    POLICY_NAME => 'FACILITY',
    COMP_NUM    => 85,
    SHORT_NAME  => 'FIN',
    LONG_NAME   => 'Financial');
END;
Creating Compartments
To define compartments, the DBA or security administrator uses the CREATE_COMPARTMENT
procedure of the SA_COMPONENTS package or Enterprise Manager.
Syntax
PROCEDURE CREATE_COMPARTMENT (
policy_name IN VARCHAR2,
comp_num IN INTEGER,
short_name IN VARCHAR2,
long_name IN VARCHAR2);
Creating Compartments
LEVEL:COMPARTMENT:GROUP
---------------------------------------------
SENSITIVE:FINANCIAL,CHEMICAL:WESTERN_REGION
CONFIDENTIAL:FINANCIAL:WR_SALES
SENSITIVE::
HIGHLY_SENSITIVE:FINANCIAL:
SENSITIVE::WESTERN_REGION
BEGIN
SA_LABEL_ADMIN.CREATE_LABEL(
POLICY_NAME =>'FACILITY',
LABEL_TAG => '201000',
LABEL_VALUE => 'S::WR');
END;
Access Mediation
[Slide diagram: the Location / Storage / OLS Label table again, this time mediated for a user
whose label is Sensitive]
Location   Storage        OLS Label
Nevada     Conventional   Sensitive
Montana    Nuclear        Highly Sens.
Colorado   Medical        Confidential
Access Mediation
The process of comparing the user's authorization and the data label to decide what access is
granted is called access mediation.
There are two types of access mediation for protected tables: read and write. A user can read any
data up to his or her maximum level. Write access is a subset of read access. A user cannot write
lower than his or her minimum level. This controls the user's ability to disseminate data by
lowering its sensitivity.
In addition, there are separate lists of compartments and groups for which the user is
authorized, that is, for which the user has at least read access. An access flag indicates whether
the user can also write to individual compartments or groups.
You can further customize user data access by granting policy privileges and setting
policy-enforcement options.
Administering Labels
Oracle Label Security provides administrative interfaces to define and manage the labels used in
a database. You can define labels in an Oracle database by using Oracle Label Security packages
or Enterprise Manager. Initially, you must define the levels, compartments, and groups that
compose the labels, and then you can define the set of valid data labels for the contents of the
database.
You can apply a policy to individual tables in the database, or to entire application schemas.
Finally, assign to each database user the label components (and privileges, if needed) that are
appropriate for the person's job function.
Set the privileges that allow data labels to be changed by certain users, if appropriate. Some sites
may not allow anyone to change a label. Some customers may have specific individuals who are
responsible for reviewing and assigning the appropriate labels.
Users are allowed to change their session label as well as row label, within the range of their
minimum and maximum labels by using the SET_LABEL and SET_ROW_LABEL procedures of
the SA_SESSION package.
Administering Labels
BEGIN
SA_POLICY_ADMIN.APPLY_TABLE_POLICY (
POLICY_NAME => 'FACILITY',
SCHEMA_NAME => 'HR',
TABLE_NAME => 'LOCATIONS',
TABLE_OPTIONS => NULL,
LABEL_FUNCTION => NULL);
END;
A user is assigned:
Maximum and minimum labels
A default session label
A row label for inserts
BEGIN
SA_USER_ADMIN.SET_USER_LABELS (
POLICY_NAME =>'FACILITY',
USER_NAME => 'MYCO_MGR',
MAX_READ_LABEL =>'S::US,EU,ASIA');
END;
Syntax
PROCEDURE SET_USER_LABELS (
policy_name     IN VARCHAR2,
user_name       IN VARCHAR2,
max_read_label  IN VARCHAR2,
max_write_label IN VARCHAR2 DEFAULT NULL,
min_write_label IN VARCHAR2 DEFAULT NULL,
def_label       IN VARCHAR2 DEFAULT NULL,
row_label       IN VARCHAR2 DEFAULT NULL);
Answer: c, d
Quiz
[Slide diagrams of policy privileges and the label checks they bypass]
READ privilege: SELECT returns all rows; user-label authorizations required: none
FULL privilege: any DML, all rows affected; user-label authorizations required: none
COMPACCESS privilege: with the user-label authorization Compartment = OP, a row whose data
label has Compartment = OP and any Group is accessible (the group check is bypassed)
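The dominance rules behind the access-mediation slides and the Access Mediation notes above, and the effect of the READ, FULL, and COMPACCESS privileges shown in the privilege diagrams, can be followed in a small model. The following Python is an added example written for this lesson, not Oracle's code; labels use the lesson's LEVEL:COMPARTMENT:GROUP short form (for example 'S:FIN:WR'), the level numbers other than P=100, the sample rows, and the user authorizations are constructed, and the privilege semantics are modelled only as far as the slides describe them.

```python
"""Model of Oracle Label Security read/write mediation (an added example, not
Oracle's code).  Labels use the lesson's LEVEL:COMPARTMENT:GROUP short form,
for example 'S:FIN:WR'.  Level numbers other than P=100, the sample rows and
the user authorizations below are constructed for the example."""
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

LEVELS = {"P": 100, "C": 200, "S": 300, "HS": 400}   # higher number = more sensitive
COMPARTMENTS = {"OP", "CH", "FIN"}
GROUP_PARENT = {"WR": None, "WR_SAL": "WR", "WR_FIN": "WR", "WR_AP": "WR_FIN"}


def parse_label(text: str) -> Tuple[int, Set[str], Set[str]]:
    """'S:FIN,CH:WR' -> (300, {'FIN','CH'}, {'WR'}); empty fields are allowed ('S::')."""
    level, comps, groups = (text.split(":") + ["", ""])[:3]
    if level not in LEVELS:
        raise ValueError(f"unknown level {level!r}")
    comp_set = {c for c in comps.split(",") if c}
    group_set = {g for g in groups.split(",") if g}
    unknown = (comp_set - COMPARTMENTS) | (group_set - GROUP_PARENT.keys())
    if unknown:
        raise ValueError(f"unknown components {sorted(unknown)}")
    return LEVELS[level], comp_set, group_set


def group_with_ancestors(group: str) -> Set[str]:
    """Authorization for a parent group covers its children, so a data group is
    satisfied by an authorization for it or for any of its ancestors."""
    out: Set[str] = set()
    while group is not None:
        out.add(group)
        group = GROUP_PARENT[group]
    return out


@dataclass
class UserAuth:
    max_read_label: str                        # level, compartments, groups the user may read
    min_write_label: Optional[str] = None      # only its level is used; default is the lowest level
    write_comps: Set[str] = field(default_factory=set)   # compartments carrying the write flag
    write_groups: Set[str] = field(default_factory=set)  # groups carrying the write flag
    privileges: Set[str] = field(default_factory=set)    # READ, FULL, COMPACCESS


def can_read(user: UserAuth, data_label: str) -> bool:
    """Read mediation: the user's level dominates, the user holds every data
    compartment, and (unless the row has no groups) at least one data group."""
    if user.privileges & {"READ", "FULL"}:        # READ/FULL bypass the label checks
        return True
    ulevel, ucomps, ugroups = parse_label(user.max_read_label)
    dlevel, dcomps, dgroups = parse_label(data_label)
    if dlevel > ulevel or not dcomps <= ucomps:
        return False
    if "COMPACCESS" in user.privileges or not dgroups:   # compartment match alone suffices
        return True
    return any(ugroups & group_with_ancestors(g) for g in dgroups)


def can_write(user: UserAuth, data_label: str) -> bool:
    """Write mediation is a subset of read: the row must be readable, at or
    above the user's minimum write level, and every compartment and one group
    of the row must carry the user's write flag."""
    if "FULL" in user.privileges:
        return True
    if not can_read(user, data_label):
        return False
    dlevel, dcomps, dgroups = parse_label(data_label)
    min_level = parse_label(user.min_write_label)[0] if user.min_write_label else min(LEVELS.values())
    if dlevel < min_level or not dcomps <= user.write_comps:
        return False
    return not dgroups or any(user.write_groups & group_with_ancestors(g) for g in dgroups)


# Constructed rows mirroring the Location / Storage / OLS Label slide.
ROWS = [("Nevada", "Conventional", "S::"),
        ("Montana", "Nuclear", "HS::"),
        ("Colorado", "Medical", "C::")]


def readable_locations(user: UserAuth):
    """The rows a query on the protected table returns for this user."""
    return [loc for loc, _, label in ROWS if can_read(user, label)]


if __name__ == "__main__":
    confidential_user = UserAuth(max_read_label="C::")
    print(readable_locations(confidential_user))   # only Colorado; the S and HS rows are the slide's X marks
```

Running the block with a Confidential user reproduces the two X marks on the slide: the Sensitive and Highly Sensitive rows fail the level check and only Colorado is returned. The privilege branches come first in `can_read` and `can_write` because, as the diagrams show, READ and FULL need no user-label authorization at all, while COMPACCESS still requires the level and compartment checks to pass.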
connect appuser/mypassword
begin
sa_session.set_access_profile('finance','manager');
end;
Performance Tips
Limit policies to required tables: In most cases, only a small subset of the tables in a
database require row-level security. Carefully identify these tables and limit the policies to
these.
Warning: The policies you add will directly affect performance. Use them wisely.
Planning a Label Tag Strategy: For optimal performance, you can plan a strategy for
assigning values to label tags. In general, it is best to assign higher numeric values to labels
with higher sensitivity levels. Usually, many more users can see data at comparatively low
levels; fewer users at higher levels can see many levels of data.
With READ_CONTROL set, Oracle Label Security generates a predicate that uses a
BETWEEN clause to restrict the rows to be processed by the query. If the higher-sensitivity
labels do not have a higher label tag than the lower-sensitivity labels, the query potentially
examines a larger set of rows. This affects performance by requiring more reads.
Analyzing the LBACSYS schema: Run the DBMS_STATS.GATHER_SCHEMA_STATS
procedure on the LBACSYS schema so that the cost-based optimizer can improve
execution plans for queries. Having statistics for the Oracle Label Security data
dictionary tables improves Oracle Label Security performance.
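The label tag tip above can be checked with a small model of the BETWEEN range scan it describes. The Python below is an added example, not Oracle's code: it takes the lesson's statement that READ_CONTROL adds a BETWEEN predicate on the numeric label tag, assumes the range runs from the lowest to the highest tag the user may read, and compares a tag assignment that follows sensitivity with one that does not. The levels, tag values and row counts are constructed.

```python
"""Effect of the label tag strategy on a READ_CONTROL range scan (an added
example, not Oracle's code).  Models the lesson's statement that OLS restricts
rows with a BETWEEN predicate on the label tag: the scan covers every tag
between the lowest and highest tag the user may read, and rows inside that
range whose level the user may not read are wasted reads.  Levels, tag values
and row counts are constructed."""
from typing import Dict, List, Tuple

LEVEL_ORDER = {"P": 1, "C": 2, "S": 3, "HS": 4}     # sensitivity, low to high

# Two tag assignments for the same four (level-only) labels.
GOOD_TAGS = {"P": 1000, "C": 2000, "S": 3000, "HS": 4000}   # tag rises with sensitivity
BAD_TAGS = {"P": 1000, "C": 3000, "S": 4000, "HS": 2000}    # HS tag sits between P and C


def rows_by_level(counts: Dict[str, int]) -> List[str]:
    """Constructed table contents: one entry (the row's label) per row."""
    return [level for level, n in counts.items() for _ in range(n)]


def between_bounds(tags: Dict[str, int], max_read_level: str) -> Tuple[int, int]:
    """Tag range of the predicate added for a user with this maximum read
    level: the lowest and highest tag among the labels the user may read."""
    readable = [tags[lvl] for lvl, order in LEVEL_ORDER.items()
                if order <= LEVEL_ORDER[max_read_level]]
    return min(readable), max(readable)


def simulate_query(rows: List[str], tags: Dict[str, int],
                   max_read_level: str) -> Tuple[int, int]:
    """Returns (rows examined by the BETWEEN range, rows actually returned)."""
    lo, hi = between_bounds(tags, max_read_level)
    examined = [r for r in rows if lo <= tags[r] <= hi]
    # Rows inside the tag range still go through level mediation.
    returned = [r for r in examined if LEVEL_ORDER[r] <= LEVEL_ORDER[max_read_level]]
    return len(examined), len(returned)


def wasted_reads(rows: List[str], tags: Dict[str, int], max_read_level: str) -> int:
    """Rows the range scan touched but mediation then discarded."""
    examined, returned = simulate_query(rows, tags, max_read_level)
    return examined - returned


if __name__ == "__main__":
    table = rows_by_level({"P": 5000, "C": 3000, "S": 1500, "HS": 500})
    for name, tags in (("good", GOOD_TAGS), ("bad", BAD_TAGS)):
        print(name, simulate_query(table, tags, "C"), "wasted:", wasted_reads(table, tags, "C"))
```

With the constructed row counts, a user whose maximum read level is Confidential scans exactly the 8000 Public and Confidential rows under the good assignment, but 8500 rows under the bad one: the Highly Sensitive tag falls inside the BETWEEN range and its 500 rows are read only to be discarded. A user cleared for every level is unaffected either way, which is why the tip concentrates on the many users at the lower levels.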
Performance Tips
Summary
Practice 14 Overview:
Implementing Oracle Label Security
Objectives
Before masking:
EMPLOYEE_ID  LAST_NAME  DEPARTMENT_ID  PHONE_NUMBER
100          King       90             515.123.4567
105          Austin     60             590.423.4569
110          Chen       100            515.124.4269
After masking:
EMPLOYEE_ID  LAST_NAME  DEPARTMENT_ID  PHONE_NUMBER
468          Jefferies  90             510.555.1256
975          Smith      60             650.555.9753
396          Allen      100            925.555.3597
[Slide diagram: data masking workflow across the Production, Staging, and Test databases]
Security admin: identify sensitive information
App DBA: create data mask formats; create masking definitions
DBA: clone production to staging; execute the masking job; clone staging to test
The application database administrator, business analyst, and users test the application.
The database administrator performs the following tasks:
1. Export the masking definition for future use.
2. Clone the staging database to a test database.
Answer: a, b, d
Quiz
The DM_FMTLIB package includes variables that enable you to modify the format style of the
predefined format definitions. As an example, you can use the DM_SSN_FORMAT variable to
include hyphens in the social security number. Refer to Oracle Enterprise Manager Concepts
10g Release 5 (10.2.0.5) for additional information and examples.
Masking format types (slide table; the Definition column is not recoverable from the slide):
Type
Array List
Fixed Number
Fixed String
Random Dates
Random Digits
Random Numbers
Random Strings
Shuffle
Substitute
Substring
Table column
Masking formats applied to the sample (slide): EMPLOYEE_ID uses Random number, LAST_NAME
uses Anglo-American last name, and PHONE_NUMBER uses USA Phone Number.
Before masking:
EMPLOYEE_ID  LAST_NAME  DEPARTMENT_ID  PHONE_NUMBER
100          King       90             5151234567
105          Austin     60             5904234569
110          Chen       100            5151244269
After masking:
EMPLOYEE_ID  LAST_NAME  DEPARTMENT_ID  PHONE_NUMBER
468          Jefferies  90             5105551256
975          Smith      60             6505559753
396          Allen      100            9255553597
Importing Formats
Importing Formats
You can create a masking definition for a column by using a previously defined data masking
format.
Perform the following steps:
1. After selecting the table and column for masking, click Import Format to display the
formats in the library.
2. Select the masking format that you want to use and click Import.
[Slide diagram: steps performed by the masking job, in the order laid out on the slide]
Build mapping table
Drop constraints
Rename table
Collect statistics
Create indexes
Re-create and reload from renamed table and mapping tables
Create constraints
Drop renamed table and indexes
Drop mapping table
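The masking-job steps above turn on the mapping table: the parent table is re-created from it, and any child table is reloaded through the same mapping so foreign keys still resolve. The Python below is an added example, not the Data Masking Pack's code; it applies the three formats the earlier slide names to the lesson's EMPLOYEES sample (a random number for EMPLOYEE_ID, a substitute surname for LAST_NAME, a USA phone number for PHONE_NUMBER). The DEPENDENTS child table, the surname list and the seed are constructed.

```python
"""Masking with a mapping table, modelled on the lesson's EMPLOYEES sample and
the masking-job steps on the slide (an added example, not the Data Masking
Pack's code).  The child table, surname list and seed are constructed."""
import random
import re
from typing import Dict, List, Tuple

Employee = Tuple[int, str, int, str]   # EMPLOYEE_ID, LAST_NAME, DEPARTMENT_ID, PHONE_NUMBER
Dependent = Tuple[int, int, str]       # DEPENDENT_ID, EMPLOYEE_ID (foreign key), RELATION

EMPLOYEES: List[Employee] = [(100, "King", 90, "515.123.4567"),
                             (105, "Austin", 60, "590.423.4569"),
                             (110, "Chen", 100, "515.124.4269")]
DEPENDENTS: List[Dependent] = [(1, 100, "spouse"), (2, 100, "child"), (3, 110, "child")]
SURNAMES = ["Jefferies", "Smith", "Allen", "Baker", "Carter"]   # constructed substitute list


def build_mapping(ids: List[int], rng: random.Random,
                  lo: int = 100, hi: int = 999) -> Dict[int, int]:
    """Mapping table from original to masked key: one-to-one, and never a value
    that was a real key, so a masked key cannot identify anyone."""
    originals = set(ids)
    pool = [n for n in range(lo, hi + 1) if n not in originals]
    if len(pool) < len(originals):
        raise ValueError("key range too small for a unique mapping")
    return dict(zip(sorted(originals), rng.sample(pool, len(originals))))


def mask_phone(rng: random.Random) -> str:
    """USA phone format; the 555 exchange matches the slide's masked values."""
    return f"{rng.randint(200, 999)}.555.{rng.randint(0, 9999):04d}"


def phone_format_ok(phone: str) -> bool:
    return re.fullmatch(r"\d{3}\.555\.\d{4}", phone) is not None


def mask_tables(employees: List[Employee], dependents: List[Dependent], seed: int = 0):
    """Re-create the parent table from the mapping table and reload the child
    table through the same mapping, so the foreign key still resolves."""
    rng = random.Random(seed)          # seeded so a masking run is repeatable
    mapping = build_mapping([e[0] for e in employees], rng)
    masked_emp = [(mapping[eid], rng.choice(SURNAMES), dept, mask_phone(rng))
                  for eid, _, dept, _ in employees]
    masked_dep = [(did, mapping[eid], rel) for did, eid, rel in dependents]
    return masked_emp, masked_dep


def referential_integrity_holds(employees, dependents) -> bool:
    """Every child row still points at an existing parent key."""
    ids = {e[0] for e in employees}
    return all(d[1] in ids for d in dependents)


def no_original_keys_survive(original, masked) -> bool:
    return not ({e[0] for e in original} & {e[0] for e in masked})


if __name__ == "__main__":
    emp, dep = mask_tables(EMPLOYEES, DEPENDENTS, seed=7)
    for row in emp + dep:
        print(row)
```

DEPARTMENT_ID is left alone, as on the slide, because it is not sensitive and the test application still needs it to join. The two dependents of employee 100 end up under the same masked key, which is the point of a mapping table over an independent random draw per row; an unmapped copy of the child table, by contrast, no longer joins to the masked parent at all.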
In this lesson, you should have learned how to use the Data
Masking Pack to:
Create masking formats
Manage the format library
Mask sensitive and confidential data
Summary
Practice 15 Overview:
Implementing Data Masking
Encryption Concepts
Objectives
Understanding Encryption
Encrypt/Decrypt
Understanding Encryption
Encryption in various forms has been around for centuries. All encryption has two parts: an
algorithm, which is a procedure or method of manipulating the data, and a key or a secret that
allows the data to be decrypted. In the past, for many algorithms, the method was the secret.
Modern algorithms are typically public and depend on mathematics to make the algorithm
sufficiently complex that the key cannot be guessed or derived from the encrypted data in a
reasonable time frame. In modern algorithms, the key is typically a string of numbers or
characters.
Key management becomes the critical issue with encryption. If the key is lost, the data cannot be
decrypted. If the key is mishandled and compromised, the data could be decrypted by
unauthorized persons.
The administrative costs of encryption include periodically decrypting and encrypting the data
with a new key, keeping the keys secure, and transmitting the keys to an authorized user in a
secure manner.
The processing costs of encryption include the time that is required to encrypt and decrypt the
data. Generally, a more complex algorithm produces a more secure data set, and requires more
processing to encrypt and decrypt the data.
Encryption protects:
Data at rest (in files)
Data in transit (network)
Cost of Encryption
Encrypt/Decrypt
Cost of Encryption
Although there are some valid reasons to encrypt data, encryption does not solve all security
problems, and may even make some problems worse. Because there is some overhead associated
with the encrypting and decrypting of data, it should be applied only in the appropriate situation.
The encryption and decryption of data uses CPU resources, whereas the management of
encryption keys requires personnel resources.
Cost of Managing Encryption
Because the human resources (HR) records are considered sensitive information, it is tempting
to think that this information should be encrypted for better security. However, encryption does
not enforce granular access control and may actually hinder data access. In the human resources
example, an employee, his or her manager, and the HR clerk need to access the employee's
record. If employee data is encrypted, each person must also be able to access the data in
unencrypted form. Therefore, the employee, the manager, and the HR clerk would have to share
the same encryption key to decrypt the data. Encryption would not provide any additional
security in the sense of better access control, and the encryption may actually hinder the proper
functioning of the application.
There is the additional issue of securely transmitting and sharing the encryption keys among
multiple users of a system.
Accessibility
Performance
What to Encrypt
It is a pervasive tendency to think that if encrypting some data strengthens security, encrypting
everything can make all data secure. Encryption does not make data secure if the issues of key
management and transmission are not adequately addressed. It just changes the point of attack.
Encryption does not address access control issues. Consider the implications of encrypting an
entire production database. All data must be decrypted to be read, updated, or deleted, and the
encryption must not interfere with normal access controls. Encryption is a performance-intensive
operation; encrypting all data significantly affects performance. Availability is a key aspect of
security. If the data is not available in a timely manner because it is encrypted, you have created
a new security problem.
Encryption keys must be changed regularly as part of a good security practice, which means that
the data is inaccessible while it is being decrypted and reencrypted with a new key or keys. This
also adversely affects availability.
The management of encryption keys is critical. If a key is lost, the encrypted data is also lost. If
a key is compromised, the data must be reencrypted. This is no different from changing the locks
when an employee that has keys leaves the company.
What to Encrypt
Answer: b
Quiz
Generation
Changing
Transmission
Storage
Solutions
Oracle Database Vault
Transparent Data Encryption (TDE)
File encryption
RMAN backup encryption
Oracle Secure Backup
Application encryption
Solutions
Depending on the problem that you are trying to solve, there are several solutions, each of which
addresses a particular set of problems.
Oracle Database Vault: If the reason for considering encryption is to limit access by the DBA,
encryption alone will not do it, because the database decrypts the data for any user who is
allowed to select it. Database Vault provides the tools to enforce separation of duties and to
restrict access to schema data to authorized persons, even users who hold system privileges such
as SELECT ANY TABLE.
Transparent Data Encryption (TDE) is integrated with the database when the Oracle Advanced
Security option is installed. With column-level encryption, the columns declared ENCRYPT in the
table definition are encrypted, and their data stays encrypted both in the database files and in
the System Global Area (SGA). With tablespace encryption, the entire tablespace is encrypted;
encryption and decryption are handled in the I/O layer, so the data is in clear in the SGA. The
table and tablespace keys are stored encrypted in the database (table keys in the data
dictionary, tablespace keys in the tablespace header), and the master key that protects them is
stored in an external wallet. All access is controlled by standard database access control
methods: TDE protects data files, backups, and exports from being read outside the database, but
any user who has the privilege to select the data sees it in clear while the wallet is open.
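The column and tablespace forms of TDE described above, together with the key change discussed under What to Encrypt, as an added example that is not part of the course notes. It assumes an Oracle Database 11g Release 2 instance named orcl with the Advanced Security option, a wallet directory under /u01/app/oracle/admin/orcl/wallet, an HR schema, and a REPORT_USER account; these names, the table, and the wallet password are invented for the example.

```sql
-- Added example (not course material). Paths, schema, table and account names
-- and the wallet password are assumptions.

-- sqlnet.ora on the database server (assumed location):
--   ENCRYPTION_WALLET_LOCATION =
--     (SOURCE = (METHOD = FILE)
--       (METHOD_DATA = (DIRECTORY = /u01/app/oracle/admin/orcl/wallet)))

-- 1. Create the wallet and the master key (11g syntax), then open the wallet.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "Str0ng-Wallet-Pw";
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "Str0ng-Wallet-Pw";

-- 2. Column-level encryption: only PAN is encrypted; its table key is stored in
--    the data dictionary, encrypted by the master key. NO SALT is required if the
--    column is to be indexed, and such an index serves equality predicates only.
CREATE TABLE hr.payment_cards (
  card_id  NUMBER        PRIMARY KEY,
  holder   VARCHAR2(80),
  pan      VARCHAR2(19)  ENCRYPT USING 'AES256' NO SALT
);
CREATE INDEX hr.payment_cards_pan_ix ON hr.payment_cards (pan);

-- Encrypting an existing column rewrites every row: on a large table this is the
-- availability cost the notes describe.
ALTER TABLE hr.payment_cards MODIFY (holder ENCRYPT USING 'AES256');

-- 3. Tablespace encryption: every block written to the tablespace is encrypted in
--    the I/O layer; blocks are in clear in the buffer cache. DEFAULT STORAGE
--    (ENCRYPT) is mandatory for an encrypted tablespace in 11g.
CREATE TABLESPACE secure_ts
  DATAFILE '/u01/app/oracle/oradata/orcl/secure_ts01.dbf' SIZE 100M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- 4. Verify what is encrypted and that the wallet is open.
SELECT owner, table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns;
SELECT t.name, e.encryptionalg, e.encryptedts
  FROM v$encrypted_tablespaces e
  JOIN v$tablespace t ON t.ts# = e.ts#;
SELECT wrl_parameter, status FROM v$encryption_wallet;

-- 5. Changing keys. Re-issuing SET ENCRYPTION KEY creates a new master key and
--    re-encrypts only the table and tablespace keys (no data rewrite). REKEY on a
--    table generates a new table key and rewrites the encrypted columns. 11g has
--    no REKEY for a tablespace key: move the segments to a new encrypted
--    tablespace instead.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "Str0ng-Wallet-Pw";
ALTER TABLE hr.payment_cards REKEY USING 'AES256';

-- 6. TDE is not access control. Any session holding SELECT on the table reads the
--    clear value while the wallet is open; only files and backups are protected.
GRANT SELECT ON hr.payment_cards TO report_user;
-- connected as REPORT_USER:
SELECT pan FROM hr.payment_cards WHERE card_id = 1;   -- clear PAN

-- 7. With the wallet closed the same query fails with ORA-28365 (wallet is not
--    open), which is the availability side effect of encryption, not a protection
--    against authorized users.
ALTER SYSTEM SET ENCRYPTION WALLET CLOSE IDENTIFIED BY "Str0ng-Wallet-Pw";
```

Run the DDL as a user with ALTER SYSTEM and CREATE TABLESPACE privileges. The point of step 6 is the one the notes make: the grant, not the encryption, decides who sees the PAN, so Database Vault or a tighter grant model is the tool when the goal is to keep privileged users out.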
File encryption provides the ability to encrypt sensitive data in backup files and dump files:
RMAN backup encryption encrypts backup sets (in transparent, password, or dual mode), Data Pump
encrypts export dump files, and Oracle Secure Backup encrypts backups written to tape.
Application encryption is a last resort. It has the advantage of limiting access to sensitive
data to only those users who hold the encryption key, but it has all the disadvantages inherent
in a custom application, plus the full burden of key management: the application must generate,
store, transmit, and change the keys itself, and a mistake in any of these steps exposes the data.
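An added example of application encryption with DBMS_CRYPTO, not taken from the course, showing what the key management burden looks like in practice: the package stores no key, so the caller must supply both an AES key and a separate MAC key on every call, and losing either loses the data. The APP_SEC schema, the package name, the sample PAN, and the inline keys are assumptions.

```sql
-- Added example (not course material). Schema APP_SEC and the package name are
-- assumptions; APP_SEC needs EXECUTE ON DBMS_CRYPTO. The package never stores a
-- key: the caller passes a 32-byte AES key and a separate MAC key each time.
CREATE OR REPLACE PACKAGE app_sec.pan_crypto AS
  -- Returns IV (16 bytes) || AES-256-CBC ciphertext || HMAC-SHA1 tag (20 bytes).
  FUNCTION encrypt_pan (p_pan     IN VARCHAR2,
                        p_enc_key IN RAW,
                        p_mac_key IN RAW) RETURN RAW;
  -- Verifies the tag before decrypting; raises ORA-20002 on a mismatch.
  FUNCTION decrypt_pan (p_blob    IN RAW,
                        p_enc_key IN RAW,
                        p_mac_key IN RAW) RETURN VARCHAR2;
END pan_crypto;
/
CREATE OR REPLACE PACKAGE BODY app_sec.pan_crypto AS
  c_mode    CONSTANT PLS_INTEGER :=
    DBMS_CRYPTO.ENCRYPT_AES256 + DBMS_CRYPTO.CHAIN_CBC + DBMS_CRYPTO.PAD_PKCS5;
  c_iv_len  CONSTANT PLS_INTEGER := 16;
  c_tag_len CONSTANT PLS_INTEGER := 20;  -- HMAC_SH1: strongest HMAC in 11g DBMS_CRYPTO

  FUNCTION encrypt_pan (p_pan IN VARCHAR2, p_enc_key IN RAW, p_mac_key IN RAW)
    RETURN RAW IS
    l_iv   RAW(16);
    l_body RAW(2000);
  BEGIN
    IF UTL_RAW.LENGTH(p_enc_key) <> 32 THEN
      RAISE_APPLICATION_ERROR(-20001, 'AES-256 needs a 32-byte key');
    END IF;
    l_iv   := DBMS_CRYPTO.RANDOMBYTES(c_iv_len);           -- fresh IV per value
    l_body := UTL_RAW.CONCAT(l_iv,
                DBMS_CRYPTO.ENCRYPT(
                  src => UTL_I18N.STRING_TO_RAW(p_pan, 'AL32UTF8'),
                  typ => c_mode, key => p_enc_key, iv => l_iv));
    -- Authenticate IV and ciphertext so a modified blob is rejected, not decrypted.
    RETURN UTL_RAW.CONCAT(l_body,
             DBMS_CRYPTO.MAC(src => l_body, typ => DBMS_CRYPTO.HMAC_SH1,
                             key => p_mac_key));
  END encrypt_pan;

  FUNCTION decrypt_pan (p_blob IN RAW, p_enc_key IN RAW, p_mac_key IN RAW)
    RETURN VARCHAR2 IS
    l_len  PLS_INTEGER;
    l_body RAW(2000);
    l_tag  RAW(20);
  BEGIN
    l_len  := UTL_RAW.LENGTH(p_blob);
    l_body := UTL_RAW.SUBSTR(p_blob, 1, l_len - c_tag_len);
    l_tag  := UTL_RAW.SUBSTR(p_blob, l_len - c_tag_len + 1);
    -- UTL_RAW.COMPARE returns 0 only when the two RAWs are identical.
    IF UTL_RAW.COMPARE(l_tag,
         DBMS_CRYPTO.MAC(src => l_body, typ => DBMS_CRYPTO.HMAC_SH1,
                         key => p_mac_key)) <> 0 THEN
      RAISE_APPLICATION_ERROR(-20002, 'ciphertext failed integrity check');
    END IF;
    RETURN UTL_I18N.RAW_TO_CHAR(
             DBMS_CRYPTO.DECRYPT(
               src => UTL_RAW.SUBSTR(l_body, c_iv_len + 1),
               typ => c_mode, key => p_enc_key,
               iv  => UTL_RAW.SUBSTR(l_body, 1, c_iv_len)),
             'AL32UTF8');
  END decrypt_pan;
END pan_crypto;
/

-- Round trip from SQL*Plus. In a real deployment the keys come from the
-- application tier; here they are generated inline for the demonstration only.
SET SERVEROUTPUT ON
DECLARE
  l_ek RAW(32) := DBMS_CRYPTO.RANDOMBYTES(32);
  l_mk RAW(32) := DBMS_CRYPTO.RANDOMBYTES(32);
  l_ct RAW(2000);
BEGIN
  l_ct := app_sec.pan_crypto.encrypt_pan('4111111111111111', l_ek, l_mk);
  DBMS_OUTPUT.PUT_LINE(app_sec.pan_crypto.decrypt_pan(l_ct, l_ek, l_mk));
END;
/
```

Everything TDE does for free has to be done by hand here: the keys have to be generated and delivered to the application, rotating them means reading and rewriting every row through encrypt_pan, and any user with EXECUTE on the package who also obtains the keys reads the data. That is the trade the notes warn about when they call application encryption a last resort.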
Summary