|
While
today, we take security seriously,
unfortunately we don�t take database
security as seriously as other
security. The database information
is the most valuable asset that an
organization owns. The database
security today should be taken more
seriously; and it should not be
compromised to save money.
This
article only will address the most
important security holes that we as
a DBA may encounter in our database
setup. This topic is endless and
remembers that there is no such a
secure environment. What we will try
to do is: to make a safer and
securer environment for ourselves.
First, you should
always try to keep up to date with
Oracle Security
vulnerabilities on Oracles Security
Alert page on the Oracle web site.
Oracle�s
Security
Site:
Oracle Security and Oracle�s
Customer information Site:
Oracle Metalink to check a
security alerts and patches
regularly.
A
check list to protect your database
(Minimum compromising)
The
following items may or maybe
applicable to your database
environment. It is very important at
least to pay attention to following
basic items.
1-
Make sure to change passwords (not
easy to find) of your SYS, and
SYSTEM usernames and lock or drop
other usernames if you don�t use
them. To lock an account (ALTER USER
username ACCOUNT LOCK; DROP USER
username CASCADE;)
1-
Make sure to change the orcladmin/welcome
and sysman/oem_temp passwords if you
use OEM and Oracle9ias.
2-
Consider to lock ORACLE account if
needed. Be sure to have supper
account to access to ORACLE account
and then run the ORACLE�s profile.
3-
Make sure to have a secure ORACLE
password.
|
For Oracle Net Password
Protection:
Non-encrypted Password
Protection:
/* Add PASSWORDS_listener
entry to listener.ora.
PASSWORDS_listener=(mypassword)
$lsnrctl
lsnrctl> SET
current_listener
your_listener_name
lsnrctl> SET password
mypassword
lsnrctl> STOP or START
Encrypted Password
Protection;
/* There should not be any
PASSWORDS_listener
entry */
$lsnrctl
lsnrctl> SET
current_listener
your_listener_name
lsnrctl> SET
save_config_on_stop ON
lsnrctl> CHANGE_PASSWORD
lsnrctl> SET password
/* since it is
encrypted you can not say
�SET password newpassword�
*/
lsnrctl> STOP or START
Forgot your password:
/* Comment the following
lines in the listener.ora
file */
PASSWORDS_listener
= 77DE8751BF7645921
SAVE_CONFIG_ON_STOP_LISTERNER=ON
Restrict operator to SET
commands
/* Add the following line */
ADMIN_RESTRICTIONS_LISTENER
=ON
|
4-
Use SSH or SUDO to disable remote
log-in to the ORACLE account.
5-
On Unix System, change the
$ORACLE_HOME/bin files� permissions
to 0751 or less if possible.
6-
Make sure to set
REMOTE_LOGIN_PASSWORD_FILE=NONE.
7-
Make sure that the ORACLE account is
not a member of root (UNIX) and it
is only a member of the dba group.
$ grep
�i root /etc/group
$ grep
�i dba /etc/group
8-
Make sure that datafiles have only
read/write accesses. ($cdmod �R 600
/u02/oradata)
9-
Don�t hard code a user name and
password in your sql scripts. If you
have to, make sure to use /nolog to
instead of entering the username and
password.
$sqlplus /nolog @mysqlscripts.sql
(still this is not good since your
username and password is in sql
scripts but it is better than
$sqlplus scott/tiger @mysqlscripts
that the whole world can find out.
Or for
exporting do the following:
$exp
UP=scott/tiger
$exp
parfile=yourparm.ctl
(If
you can restrict the �ps� command at
the operating system level.)
10- You can use
Oracle Advanced Security
to
encrypt data over networks. Read
This Link
11- Make sure to set
the following environment variables
to TRUE to prevent password to be
revealing to others.
(ORA_ENCRYTP_LOGIN in client and
server, and DBLINK_ENCRYPT_LOGIN
in
both servers)
12-
Make sure in UNIX add �set
noexec_user_stack=1� in the
/etc/system file to make the stack
non-executable.
13- Don�t give the
�ALTER SESSION� system privilege to
users that they don�t need it. No
way you should give any one the
�ALTER SYSTEM
�
system privilege unless there are
DBAs.
14-
Use the following UNIX script to
check to see if there are any �exp,
connect or sqlplus� command with a
password in them.
# find
/u01 -name �*� �print | while read
filename
do
egrep �i
�exp|connect|sqlplus� $filename >>
exp.lis 2> /dev/null
done
#
15-
Don�t use any external files if you
can. Make sure the count is zero.
(SELECT count(*) FROM
dba_external_tables)
16- Be
aware of the following files that
contains passwords:
|
File name
|
Type of password
|
|
orapwd<sid>.ora
|
Remote login passwords
|
|
snmp_rw.ora
|
Intelligent agent password
|
|
exported complete dmp
|
Oracle Hashkeys
|
|
htaccess
|
Apache passwords
|
|
wdbsvr.app
|
Contains mod_plsql passwords
|
|
webcache.xml
|
Weekly encrypted passwords
|
|
listener.ora
|
Listener
passwords (encrypted or
text)
|
|
Database creation scripts
|
Oracle passwords if not
changed.
|
17-
Make sure to delete the �MDSYS or
FINANCE� username since they are
granted ALL PRIVILEDGES.
18-
Alter default profile to have
password management features.
SQL>
ALTER PROFILE default
2 LIMIT
FAILED_LOGIN_ATTEMPTS
10
3 PASSWORD_LIFE_TIME
90
4 PASSWORD_REUSE_MAX
5
5
PASSWORD_GRACE_TIME
5
/
19- If
needed write a password in house
verification function. The following
is a sample of a function verifies
password that checks to ensure old
password is not the same of new
password and the length of a new
password. You can make this very
complex due to your company business
rules. Check also the
%ORACLE_HOME%\rdbm\admin\utlpwdmg.sql
file. Then alter your profile.
(ALTER PROFILE DEFAULT limit
password_verify_function
verify_password)
CREATE
OR REPLACE FUNCTION verify_password
(
v_user IN
VARCHAR2,
v_new_pw IN VARCHAR2,
v_old_pw IN VARCHAR2)
RETURN BOOLEAN IS
BEGIN
IF
LENGTH (v_new_pw) < 8 THEN
RAISE_APPLICATION_ERROR(-20100,
�Your password is too short.�);
ELSIF v_new_pw = v_user THEN
RAISE_APPLICATION_ERROR(-20104, �New
password same as username.�);
ELSIF v_new_pw = v_old_pw THEN
RAISE_APPLICATION_ERROR(-20108, �New
password same as old.�);
ELSE
RETURN(TRUE);
END
IF;
END;
/
20-
Lock or drop all the username
account that was not used for more
certain time for ex: 90 days.
SQL>
AUDIT CREATE SESSION WHENEVER
SUCCESSFUL;
SQL>
-- after 90 days, do the following.
SQL>
SELECT distinct (u.username) FROM
dba_users u
2 WHERE NOT EXISTS
(SELECT �T� FROM dba_audit_trail a
3 WHERE a.username =
u.username and a.logoff_time >
sysdate � 90)
/
21-
Don�t hardcode any password in your
scribe. If you have to, make sure
immediately when your job was done.
22- Make sure that an
access to the �UTL_FILE
,�
�UTL_TCP
,�
�UTL_HTTP
,�
UTL_SMTP
,�
�DBMS_JAVA,� �DBMS_RANDOM
,�
�DBMS_SQL,� �DBMS_SYS_SQL� and
�DBMS_BACKUP_RESTORE� packages
weren�t granted to PUBLIC; revoke
them if they are and give access to
those only needed. (REVOKE EXECUTE
ON utl_file FROM PUBLIC;)
23-
Revoke access the �ALL_USERS� table
from public. (REVOKE SELECT ON
all_users FROM PUBLIC;)
24- If
you don�t need c library then remove
the EXTPROC (c library) from the
listener.ora.
25-
Make sure that the
SELECT_CATALOG_ROLE,
EXECUTE_CATALOG_ROLE AND
DELETE_CATALOG_ROLE system
privileges or all DBA_ were granted
only to DBAs. (dba_role_privs)
26-
Avoid creating account externally.
Check their privileges with no
SYSDBA or SYSOPER roles.
27- Make sure that
the �O7_DICTIONARY_ACCESSIBILITY
�
parameter is set to �FALSE.�
28- Make sure that
the �REMOTE_OS_AUTHENT
� and
�REMOTE_OS_ROLES� are not set to
�TRUE.� These parameters are set to
�FALSE� by default.
29-
Don�t grant the �EXEMPT ACCESS
POLICY� system privilege to any
users, unless you have to.
30-
Make sure that no other objects
except sys�s objects are in the
system tablespace. If there are,
please move them to an alternative
location.
SELECT
owner, segment_name, segment_type
FROM dba_segments
WHERE
tablespace_name = �SYSTEM� and owner
!= �SYS�;
31-
Make sure that an ordinary users do
not have any system privileges. Also
check for the �SELECT ANY TABLE�
privilege.
32-
Revoke any PUBLIC privileges on
DICTIONAY objects.
33-
Check on the �RESOURCE� role. It
gives unlimited tablespace on all
tablespaces.
34- Be
sure to revoke the key dangerous
privileges from the �RESOURCE� and
�CONNECT� roles.
35-
Change at least the �IDLE_TIME�
parameter of the default and users
profile.
36-
Prevent any access to dba_users,
sys.link$, sys.user$, and
sys.user_history$ tables. These
tables or views contain users�
password.
37-
Make sure to audit the auditors by
�AUDIT ALL ON sys.aud$ BY ACCESS,�
if you are auditing.
38-
Regularly check the following Oracle
log files.
|
Type
|
File/System
|
|
Window OS
|
Eventviewer
|
|
UNIX OS
|
syslog
|
|
Oracle
|
listener.log (Connection
attempts are logged)
|
|
Oracle
|
access_log (Every access to
Oracle)
|
|
Oracle
|
error_log (Oracle errors)
|
|
Oracle
|
sqlnet.log (Connection
failuers)
|
|
Oracle
|
apache.log (access
violations)
|
39- Make sure that
the
�ADMIN_RESTRICTIONS_listernername
�
parameter is set to �ON� to prevent
the listener from accepting SET
commands while is running.
40-
Set reasonable file permissions on
the listener configuration file. ($
chmod 600 listerner.ora)
41- If
you need a very tide security,
ensure that the following parameters
are set in the
�network/admin/protocol.ora� file.
tcp.validnode_checking=YES
tcp.invited_nodes=(xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx)
or tcp.excluded_nodes
The
invited_nodes parameter will allow
connections only from specific nodes
and deny any others.
42- If
you need to tide your network much
more, use Connection Manager (CMAN).
You can have your own firewall
beside your network firewall and
De-Militarised Zone (DMZ). It means
3 firewalls.
43-
Ensure that the listener password
has been set.
$
lsnrctl
$ LSNRCTL
>
change_password (Notice automatic
start/stop is a big problem.
44-
Disable logging to listener.log or
sqlnet.log if that is possible.
LOGGING_listener
= OFF
or lsnrctl set log_status off
45-
Never have a link to production
database from test or development
database. Use exp/imp utilities to
copy the files.
46- If
you have hardcoded procedures, you
should wrap your functions,
procedures, and packages source
programs. (wrap iname=myproc.sql
oname=myprocx.sql)
|
