Oracle Database 12c Security Cookbook

Oracle Database 12c Security Cookbook

By : Zoran Pavlovic, Maja Veselica

Buy this Book

Oracle Database 12c Security Cookbook

By: Zoran Pavlovic, Maja Veselica

Buy this Book

Overview of this book

Businesses around the world are paying much greater attention toward database security than they ever have before. Not only does the current regulatory environment require tight security, particularly when dealing with sensitive and personal data, data is also arguably a company’s most valuable asset - why wouldn’t you want to protect it in a secure and reliable database? Oracle Database lets you do exactly that. It’s why it is one of the world’s leading databases – with a rich portfolio of features to protect data from contemporary vulnerabilities, it’s the go-to database for many organizations. Oracle Database 12c Security Cookbook helps DBAs, developers, and architects to better understand database security challenges. Let it guide you through the process of implementing appropriate security mechanisms, helping you to ensure you are taking proactive steps to keep your data safe. Featuring solutions for common security problems in the new Oracle Database 12c, with this book you can be confident about securing your database from a range of different threats and problems.

Oracle Database 12c Security Cookbook

Credits

About the Authors

About the Reviewers

www.PacktPub.com

Preface

Free Chapter

Basic Database Security

Introduction

Creating a password profile

Creating password-authenticated users

Changing a user's password

Creating a user with the same credentials on another database

Locking a user account

Expiring a user's password

Creating and using OS-authenticated users

Creating and using proxy users

Creating and using database roles

The sysbackup privilege – how, when, and why should you use it?

The syskm privilege – how, when, and why should you use it?

The sysdg privilege – how, when, and why should you use it?

Security Considerations in Multitenant Environment

Introduction

Creating a common user

Creating a local user

Creating a common role

Creating a local role

Granting privileges and roles commonly

Granting privileges and roles locally

Effects of plugging/unplugging operations on users, roles, and privileges

PL/SQL Security

Introduction

Creating and using definer's rights procedures

Creating and using invoker's right procedures

Using code-based access control

Restricting access to program units by using accessible by

Virtual Private Database

Introduction

Creating different policy functions

Creating Oracle Virtual Private Database row-level policies

Creating column-level policies

Creating a driving context

Creating policy groups

Setting context as a driving context

Adding policy to a group

Exempting users from VPD policies

Data Redaction

Introduction

Creating a redaction policy when using full redaction

Creating a redaction policy when using partial redaction

Creating a redaction policy when using random redaction

Creating a redaction policy when using regular expression redaction

Using Oracle Enterprise Manager Cloud Control 12c to manage redaction policies

Changing the function parameters for a specified column

Add a column to the redaction policy

Enabling, disabling, and dropping redaction policy

Exempting users from data redaction policies

Transparent Sensitive Data Protection

Introduction

Creating a sensitive type

Determining sensitive columns

Creating transparent sensitive data protection policy

Associating transparent sensitive data protection policy with sensitive type

Enabling, disabling, and dropping policy

Altering transparent sensitive data protection policy

Privilege Analysis

Introduction

Creating database analysis policy

Creating role analysis policy

Creating context analysis policy

Creating combined analysis policy

Starting and stopping privilege analysis

Reporting on used system privileges

Reporting on used object privileges

Reporting on unused system privileges

Reporting on unused object privileges

How to revoke unused privileges

Dropping the analysis

Transparent Data Encryption

Introduction

Configuring keystore location in sqlnet.ora

Creating and opening the keystore

Setting master encryption key in software keystore

Column encryption - adding new encrypted column to table

Column encryption - creating new table that has encrypted column(s)

Using salt and MAC

Column encryption - encrypting existing column

Auto-login keystore

Encrypting tablespace

Rekeying

Backup and Recovery

Database Vault

Introduction

Registering Database Vault

Preventing users from exercising system privileges on schema objects

Securing roles

Preventing users from executing specific command on specific object

Creating a rule set

Creating a secure application role

Using Database Vault to implement that administrators cannot view data

Running Oracle Database Vault reports

Disabling Database Vault

Re-enabling Database Vault

Unified Auditing

Introduction

Enabling Unified Auditing mode

Configuring whether loss of audit data is acceptable

Which roles do you need to have to be able to create audit policies and to view audit data?

Auditing RMAN operations

Auditing Data Pump operations

Auditing Database Vault operations

Creating audit policies to audit privileges, actions and roles under specified conditions

Enabling audit policy

Finding information about audit policies and audited data

Auditing application contexts

Purging audit trail

Disabling and dropping audit policies

Additional Topics

Introduction

Exporting data using Oracle Data Pump in Oracle Database Vault environment

Creating factors in Oracle Database Vault

Using TDE in a multitenant environment

Appendix – Application Contexts

Introduction

Exploring and using built-in contexts

Creating an application context

Setting application context attributes

Using an application context

Customer Reviews

5 star

4 star

3 star

2 star

1 star

The sysdg privilege – how, when, and why should you use it?

It is recommended that you use the sysdg administrative privilege instead of sysdba administrative privilege to perform operations related to data guard tasks.

Getting ready

For this recipe, you'll need:

An existing database user (for example, mike) and a password file in the 12c format if you want to complete it using a password-authenticated user
An existing OS user (for example, kelly), who belongs to the dgdba OS group in order to connect to the database using OS authentication

How to do it...

Instructions are split into sections for database authentication and OS authentication.

Database authentication

The instructions for database authentication are as follows:

Connect to the database as sysdba (or another user who can grant the sysdg privilege):
```
sqlplus / as sysdba
```
Grant SYSDG privilege to user mike:
```
SQL> grant sysdg to mike; 
```
Exit SQL*Plus, connect mike using the dgmgrl command-line interface:
```
SQL> exit
$ dgmgrl
DGMRRL> connect mike/test_1
```

OS authentication

The instructions for OS authentication are as follows:

Verify that the OS user (for example, kelly) is a member of the dgdba OS group:
```
$ id kelly
```
Connect using the dgmgrl utility and OS authentication:
```
$ dgmgrl

DGMGRL> connect /
```

How it works...

When you connect to the database as sysdg, you are connected as a predefined user, sysdg. Using the sysdg privilege, you can connect to the database even when it is not open.

After completing step 2 successfully in the Database authentication section, user mike, as expected, can grant/revoke sysdg privilege to/from another existing user. If you want to try it out, type the statements given here.

After you connect to the database using the sysdg administrative privilege, you can perform the following operations:

Operations
`STARTUP`, `SHUTDOWN`	`CREATE SESSION`
`ALTER SESSION`	`SELECT ANY DICTIONARY`
`ALTER DATABASE`	`FLASHBACK DATABASE`
`ALTER SYSTEM`	`EXECUTE SYS.DBMS_DRS`
`CREATE/DROP RESTORE POINT` (including `GUARANTEED` restore points)	`SELECT X$ tables`, `V$` and `GV$` views
`DELETE APPQOSSYS.WLM_CLASSIFIER_PLAN`	`SELECT APPQOSSYS.WLM_CLASSIFIER_PLAN`

Tip

It is important for you to remember that:

When using the sysdg administrative privilege, you can't view application data.

There's more...

You can't drop user sysdg. When you are connected to the database as sysdg, you are connected as sysdg user to the SYS schema:

SQL> connect / as sysdg
Connected.

SQL> show user
USER is "SYSDG"

SQL> select sys_context( 'userenv', 'current_schema' ) from dual;
SYS_CONTEXT('USERENV','CURRENT_SCHEMA')
------------------------------------------------------------------
SYS

Oracle Database 12c Security Cookbook

By : Zoran Pavlovic, Maja Veselica

Oracle Database 12c Security Cookbook

By: Zoran Pavlovic, Maja Veselica

Overview of this book

Related Content you might be interested in

Current Title:

Oracle Database 12c Security Cookbook

The sysdg privilege – how, when, and why should you use it?

Getting ready

How to do it...

Database authentication

OS authentication

How it works...

Tip

There's more...

See also