Oracle Database Asset Protection Standards:

From HORSE - Holistic Operational Readiness Security Evaluation.
Revision as of 01:40, 12 January 2007 by Mdpeters (talk | contribs)
Jump to navigation Jump to search

Oracle's security by default is not extremely good. For example, Oracle will allow users to choose single character passwords or select passwords that match their name or userid. Also, passwords do not expire. This means that one can compromise and have access to an Oracle account for years without an account expiration ever locking the user account.

All this being said, the following items can be do to make an Oracle installation more secure.

Oracle can manage passwords through profiles. Some of the things that one can restrict:

FAILED_LOGIN_ATTEMPTS - failed login attempts before the account is locked.
PASSWORD_LIFE_TIME - limits the number of days the same password can be used for authentication.
PASSWORD_REUSE_TIME - number of days before a password can be reused.
PASSWORD_REUSE_MAX - number of password changes required before the current password can be reused.
PASSWORD_LOCK_TIME - number of days an account will be locked after maximum failed login attempts.
Examples are: 1.0 = 24 hours, .5 = 12 hours, .25 = 6 hours, .125 = 3 hours, and .0625 = 1.5 hours.
PASSWORD_GRACE_TIME - number of days after the grace period begins during which a warning is issued and login is allowed.
PASSWORD_VERIFY_FUNCTION - password complexity verification script.


You should specify a profile when you create a user. A profile is a set of limits on database resources and password access to the database. If no profile is specified, the user is assigned a default profile.

It is recommended that the accepted standards developed by the company be applied to the default profile to eliminate any possibility that a newly created account without a profile assignment be automatically assigned the default profile.

Complex password enforcement script example. Media:PASSWORD_FUNCTION.doc

List of Active and Inactive user accounts with dates.
SQL:
select username,account_status,lock_date,expiry_date from dba_users order by username

List the Oracle default profile (Select * from dba_profiles where resource_type = 'PASSWORD').
SQL:
Select * from dba_profiles where resource_type = 'PASSWORD'

Listing of current parameter block using SHOW PARAMETERS BLOCK.
SQL> SHOW PARAMETERS BLOCK

List privileges that have been granted to PUBLIC.
SQL:
select * from dba_tab_privs where grantee='PUBLIC'

List users who have been assigned these privileges (DBA_SYS_PRIVS):

ALTER_DATABASE
GRANT ANY PRIVILEGE
GRANT ANY ROLE
CREATE PROFILE
CREATE ROLE
RESTRICTED SESSION
STARTUP
CREATE SNAPSHOT
ATER SYSTEM
CREATE USER
ALTER USER
WITH ADMIN OPTION


List the records in the following tables:
DBA_ROLES
SQL:
select * from DBA_ROLES;

DBA_ROLE_PRIVS
SQL:
select * from DBA_ROLE_PRIVS;

DBA_SYS_PRIVS
SQL:
select * from DBA_SYS_PRIVS;

ROLE_ROLE_PRIVS
SQL:
select * from ROLE_ROLE_PRIVS;

ROLE_SYS_PRIVS
SQL:
select * from ROLE_SYS_PRIVS;

ROLE_TAB_PRIVS
SQL:
select * from ROLE_SYS_PRIVS;

List of users including PUBLIC who have table access with privileges of INSERT, UPDATE, ALTER, DELETE (from DBA_TAB_PRIVS).

List users with access to high-level administrative privileges:
SELECT * FROM SYS.DBA_SYS_PRIVS WHERE PRIVILEGE in ('ALTER DATABASE','GRANT ANY PRIVILEGE','GRANT ANY ROLE','CREATE PROFILE','CREATE ROLE','RESTRICTED SESSION','STARTUP','CREATE SNAPSHOT','ALTER SYSTEM','CREATE USER','ALTER USER'
SQL:
SELECT * FROM SYS.DBA_SYS_PRIVS WHERE PRIVILEGE in
('ALTER DATABASE','GRANT ANY PRIVILEGE','GRANT ANY ROLE','CREATE PROFILE','CREATE ROLE','RESTRICTED SESSION','STARTUP','CREATE SNAPSHOT','ALTER SYSTEM','CREATE USER','ALTER USER')

Oracle Event Auditing: Obtain output from the SELECT * FROM audit_actions

Examine the following files:

init.ora

--Mdpeters 10:36, 16 November 2006 (EST)