Oracle Security
Version 11.2.0.3
 
General Information
Note: This library page is far from complete and not intended to produce a locked-down database. Rather it is intended as a starting point. If you are not doing at least this ... you have a system at very high risk.
 
Secure Configuration
The 11g database contains a script specifically written to be a starting point for creating a secure configuration. The contents are to the right. $ORACLE_HOME/rdbms/admin/secconf.sql
ALTER PROFILE DEFAULT LIMIT
PASSWORD_LIFE_TIME 180
PASSWORD_GRACE_TIME 7
PASSWORD_REUSE_TIME UNLIMITED
PASSWORD_REUSE_MAX UNLIMITED
FAILED_LOGIN_ATTEMPTS 10
PASSWORD_LOCK_TIME 1;

-- Turn on auditing options
Audit alter any table by access;
Audit create any table by access;
Audit drop any table by access;
Audit Create any procedure by access;
Audit Drop any procedure by access;
Audit Alter any procedure by access;
Audit Grant any privilege by access;
Audit grant any object privilege by access;
Audit grant any role by access;
Audit audit system by access;
Audit create external job by access;
Audit create any job by access;
Audit create any library by access;
Audit create public database link by access;
Audit exempt access policy by access;
Audit alter user by access;
Audit create user by access;
Audit role by access;
Audit create session by access;
Audit drop user by access;
Audit alter database by access;
Audit alter system by access;
Audit alter profile by access;
Audit drop profile by access;
I personally find Oracle's file far too loose and thus am providing my own variant. It is not substantially better but provides an incremental improvement. conn / as sysdba

@?/rdbms/admin/utlpwdmg.sql

ALTER PROFILE DEFAULT LIMIT
PASSWORD_LIFE_TIME 90
PASSWORD_GRACE_TIME 10
PASSWORD_REUSE_TIME 0
PASSWORD_REUSE_MAX 0
FAILED_LOGIN_ATTEMPTS 3
PASSWORD_LOCK_TIME 30;
PASSWORD_VERIFY_FUNCTION verify_function;

Audit create any procedure by access;
Audit alter any procedure by access;
Audit grant any privilege by access;
Audit grant any object privilege by access;
Audit grant any role by access;
Audit audit system by access;
Audit create external job by access;
Audit create any job by access;
Audit create any library by access;
Audit create public database link by access;
Audit exempt access policy by access;
Audit alter user by access;
Audit create user by access;
Audit role by access;
Audit create session by access;
Audit alter database by access;
Audit alter system by access;
Audit alter profile by access;
Audit drop profile by access;
 
Additional Actions
DDL Event Triggers CREATE OR REPLACE TRIGGER save_our_db
BEFORE DROP OR TRUNCATE
ON DATABASE

DECLARE
 oper VARCHAR2(30);
BEGIN
  SELECT ora_sysevent
  INTO oper
  FROM dual;

  IF oper = 'DROP' THEN
    RAISE_APPLICATION_ERROR(-20998, 'Attempt To Drop A Production Object Has Been Logged');
  ELSIF oper = 'TRUNCATE' THEN
    RAISE_APPLICATION_ERROR(-20999, 'Attempt To Truncate A Production Table Has Been Logged');
  END IF;
END save_our_db;
/

-- it is highly advisable to alter this basic trigger to include
-- logging and and email created with UTL_MAIL routed to security
Enable Case Sensitive Passwords set linesize 121
col name format a30
col value format a30

SELECT name, value
FROM gv$parameter
WHERE (name LIKE '%sensitive%');

SELECT username, password_versions
FROM dba_users;

alter user sh identified by Sh;

conn sh/sh

conn sh/Sh
Remove Default Passwords SELECT d.username, u.account_status
FROM dba_users_with_defpwd d, dba_users u
WHERE d.username = u.username
ORDER BY 2,1;
SQLNET.ORA Alteration tcp.validnode_checking=yes
tcp.invited_nodes=(<comma_delimited_list_of_specific_ip_addresses)
sqlnet.encryption_server=required
sqlnet.encryption_client=required
Secure Roles SELECT grantee, granted_role
FROM dba_role_privs
WHERE granted_role IN ('CONNECT', 'RESOURCE')
ORDER BY 2,1;

Revoke CONNECT and RESOURCE from any unlocked account and create your own role with those specific privileges required only.
SQL Injection Click Here
SYSDBA and SYSOPER -- these two privileges are not "normal" system privielges and can not be found in the grants in dba_sys_privs
-- as they are recorded in the password file. To locate them:

conn / as sysdba

SELECT *
FROM v$pwfile_users
WHERE sysdba='TRUE';

GRANT sysdba TO uwclass;

SELECT *
FROM v$pwfile_users
WHERE sysdba='TRUE';

REVOKE sysdba FROM uwclass;

SELECT *
FROM v$pwfile_users
WHERE sysdba='TRUE';
System Event Triggers Click Here
System Events Click Here
System Privileges Grant CREATE privileges such as CREATE TABLE and CREATE PROCEDURE only for the duration of schema creation. As soon as the application schemas has been created revoke those privileges and do not grant them again except during, and for the duration, of a maintenance window.
Tablespace Encryption Click Here
Transparent Data Encryption Click Here
Wallet -- in sqlnet.ora
ENCRYPTION_WALLET_LOCATION = (SOURCE = (METHOD=FILE) (METHOD_DATA = (DIRECTORY = c:\oracle\admin\orabase\wallet)))

-- in SQL*Plus
conn / as sysdba

ALTER SYSTEM SET ENCRYPTION KEY AUTHENTICATED BY "N0way!iN";

desc gv$encryption_wallet

col wrl_parameter format a40

SELECT * FROM gv$encryption_wallet;
 
 
Morgan's Library Page Footer
This site is maintained by Dan Morgan. Last Updated: This site is protected by copyright and trademark laws under U.S. and International law. © 1998-2014 Daniel A. Morgan All Rights Reserved