
Oracle 11g Anti-hacker's Cookbook

By: Adrian Neagu

Overview of this book

For almost all organizations, data security is a matter of prestige and credibility. The Oracle Database is one of the richest in features and probably the most used database in a variety of industries where security is essential. To ensure the security of data both in transit and on disk, Oracle has implemented security technologies to achieve a reliable and solid system. In Oracle 11g Anti-hacker's Cookbook, you will learn about the most important solutions that can be used for better database security. "Oracle 11g Anti-hacker's Cookbook" covers all the important security measures and includes various tips and tricks to protect your Oracle Database. "Oracle 11g Anti-hacker's Cookbook" uses real-world scenarios to show you how to secure the Oracle Database server from different perspectives and against different attack scenarios. Almost every chapter has a possible threats section, which describes the major dangers that can be confronted. The initial chapters cover how to defend the operating system, the network, the data and the users. The defense scenarios are linked and designed to prevent these attacks. The later chapters cover Oracle Vault, Oracle VPD, Oracle Labels, and Oracle Audit. Finally, in the Appendices, the book demonstrates how to perform a security assessment against the operating system and the database, and how to use a DAM tool for monitoring.

Preface

For almost all organizations, data security is a matter of prestige and credibility. The Oracle Database is one of the richest in features and one of the most used databases in a variety of industries. Oracle has implemented security technologies to achieve a reliable and solid system. In this book, you will learn some of the most important solutions that can be used for better database security. This book covers all the important security measures and includes various tips and tricks to protect your Oracle Database. This book uses real-world scenarios to show you how to secure the Oracle Database server against different attack scenarios.

What this book covers

Chapter 1, Operating System Security, covers Tripwire and how it can be used for file integrity checking and intrusion detection in the first section. In the second and third sections, security measures related to user account security, network services and ports, security kernel tunables, local and remote login, and SSH are covered.

Chapter 2, Securing the Network and Data in Transit, contains recipes that explain how to secure data in transit, and covers the most important aspects related to Oracle listener security. In the first section, a step-by-step, classical, man-in-the-middle-type attack scenario is presented, in which an attacker placed in the middle hijacks an Oracle session, followed by the main measures to confront different interception-type attacks by using Oracle Advanced Security encryption and integrity, and alternatives such as IPSEC, stunnel, and SSH tunneling. The last part of this chapter has listener security as its main subject, covering features such as on-the-fly administration restriction, securing external procedure execution (extproc), and client connection control.

Chapter 3, Securing Data at Rest, contains recipes that explain how to use data at rest encryption, using an OS native method with LUKS for block device encryption, eCryptfs for filesystem encryption, DBMS_CRYPTO for column encryption, and Oracle Transparent Data Encryption for columns, tablespaces, data pump dumps, and database backups created with RMAN.

Chapter 4, Authentication and User Security, covers how to perform a security assessment using the policy security evaluation feature built into Oracle Enterprise Manager; the usage of a password cracker to check the real strength of database passwords; and how to implement password policies and enforce the usage of strong passwords by using customized user profiles, secure application roles, passwordless authentication using external password stores, and SSL authentication.

Chapter 5, Beyond Privileges: Oracle Virtual Private Database, covers Oracle Virtual Private Database technology; here you will learn about session-based application contexts, how to implement row-level access policies using the PL/SQL interface and OEM, column-level access policies, grouped policies, and how to implement exemptions from VPD policies.

Chapter 6, Beyond Privileges: Oracle Label Security, covers how to apply OLS label components to enforce row-level security, the usage of OLS compartments and groups for advanced row segregation, special label policy privileges, and how to grant access to label-protected data by using trusted stored units.

Chapter 7, Beyond Privileges: Oracle Database Vault, covers the main components of Oracle Database Vault, such as realm, command rules, rulesets, and factors, and how to use them to secure database access and objects. The last recipe covers the Oracle Database Vault audit and reporting interface, and how to use this interface for creating audit reports and various database entitlement reports.

Chapter 8, Tracking and Analysis: Database Auditing, covers the main aspects of the Oracle standard audit framework, such as session, statement, object and privilege auditing, fine-grained security, sys audit, and the integration of a standard audit with SYSLOG on Unix-like systems.

Appendix, Installing and Configuring Guardium, ODF, and OAV, covers the installation and configuration of IBM InfoSphere Database Security Guardium and how to perform security assessments, and the installation and configuration of Oracle Database Firewall, along with its key capabilities and features, such as defining enforcement points and monitoring. It also covers the installation and configuration of Oracle Database Vault and its key capabilities, covering central repository installation, agent and collector deployments, and its reporting and real-time alerting interface.

This chapter is not present in the book, but is available as a free download from the link http://www.packtpub.com/sites/default/files/downloads/5269EN_AppendixA_Installing_and_Configuring_Guardium_ODF_and_OAV.pdf.

What you need for this book

All database servers, clients, and other various hosts used throughout the book are virtual machines that are created and configured using Oracle Virtual Box. Some of the recipes contain prerequisites about the operating system and the Oracle server and client versions to be used. You will need a system with sufficient processing power to sustain the many virtual machines that run simultaneously under Oracle Virtual Box. We recommend you use a system very similar to Intel Core i3-2100 CPU 3.10 GHz, 8 GB RAM, MS Windows 7 Enterprise 64-bit SP1, which we used for all recipes in this book.

We must stress the importance of using a sandbox environment to duplicate the recipes in this book. Some recipes are intended for demonstration purposes and should not be done in a production environment.

Who this book is for

If you are an Oracle Database Administrator, Security Manager, IT professional, or Security Auditor looking to secure the Oracle Database or prevent it from being hacked, then this book is for you.

This book assumes that you have a basic understanding of security concepts and Oracle databases.

Conventions

In this book, you will find a number of styles of text that distinguish between different kinds of information. Here are some examples of these styles, and an explanation of their meaning.

Code words in text are shown as follows: "Perform some modifications in listener.ora and sqlnet.ora, and move extjob and extproc to a different directory"

Any command-line input or output is written as follows:

[root@nodeorcl1 tripwire-2.4.2.2-src]# ./make
………………………………………………………
g++  -O -pipe -Wall -Wno-non-virtual-dtor  -L../../lib -o tripwire  generatedb.o …………………………………………………………
/usr/bin/install -c -m 644 './twconfig.4' '/usr/local/share/man/man4/twconfig.4'

New terms and important words are shown in bold. Words that you see on the screen, in menus or dialog boxes for example, appear in the text like this: "clicking the Next button moves you to the next screen".

Note

Warnings or important notes appear in a box like this.

Tip

Tips and tricks appear like this.
