Oracle Database Security Guide
10g Release 1 (10.1)
Part No B10773-01
December 2003
Oracle Database Security Guide, 10g Release 1 (10.1)
Part No B10773-01
Copyright © 2003 Oracle Corporation. All rights reserved.
Primary Authors: Laurel P Hale, Jeffrey Levinger
Contributing Authors: Ruth Baylis, Michele Cyran, John Russell
Graphic Designer: Valarie Moore
The Programs (which include both the software and documentation) contain proprietary information of Oracle Corporation; they are provided under a license agreement containing restrictions on use and disclosure and are also protected by copyright, patent and other intellectual and industrial property laws. Reverse engineering, disassembly or decompilation of the Programs, except to the extent required to obtain interoperability with other independently created software or as specified by law, is prohibited.
The information contained in this document is subject to change without notice. If you find any problems in the documentation, please report them to us in writing. Oracle Corporation does not warrant that this document is error-free. Except as may be expressly permitted in your license agreement for these Programs, no part of these Programs may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Oracle Corporation.
If the Programs are delivered to the U.S. Government or anyone licensing or using the programs on behalf of the U.S. Government, the following notice is applicable:
Restricted Rights Notice. Programs delivered subject to the DOD FAR Supplement are "commercial computer software" and use, duplication, and disclosure of the Programs, including documentation, shall be subject to the licensing restrictions set forth in the applicable Oracle license agreement.
Otherwise, Programs delivered subject to the Federal Acquisition Regulations are "restricted computer software" and use, duplication, and disclosure of the Programs shall be subject to the restrictions in FAR 52.227-19, Commercial Computer Software - Restricted Rights (June, 1987). Oracle Corporation, 500 Oracle Parkway, Redwood City, CA 94065.
The Programs are not intended for use in any nuclear, aviation, mass transit, medical, or other inherently dangerous applications. It shall be the licensee's responsibility to take all appropriate fail-safe, backup, redundancy, and other measures to ensure the safe use of such applications if the Programs are used for such purposes, and Oracle Corporation disclaims liability for any damages caused by such use of the Programs.
Oracle is a registered trademark, and Oracle Store, Oracle8i, Oracle9i, PL/SQL, SQL*Net, and SQL*Plus are trademarks or registered trademarks of Oracle Corporation. Other names may be trademarks of their respective owners.
List of Figures
List of Tables
Send Us Your Comments xxi
Preface xxiii
Audience xxiv
Organization xxiv
Related Documentation xxvii
Conventions xxviii
Documentation Accessibility xxxii
What's New in Oracle Database Security? xxxv
New Features in Virtual Private Database xxxvi
New Features in Auditing xxxvii
New PL/SQL Encryption Package: DBMS_CRYPTO xxxviii
Part I Overview of Security Considerations and Requirements
1 Security Requirements, Threats, and Concepts
Identity Management: Security in Complex, High Volume Environments 1-4
Desired Benefits of Identity Management 1-5
Components of Oracle's Identity Management Infrastructure 1-6
2 Security Checklists and Recommendations
Physical Access Control Checklist 2-2
Personnel Checklist 2-2
Secure Installation and Configuration Checklist 2-3
Networking Security Checklists 2-7
SSL (Secure Sockets Layer) Checklist 2-7
Client Checklist 2-8
Listener Checklist 2-9
Network Checklist 2-9
3 Security Policies and Tips
Introduction to Database Security Policies 3-1
Security Threats and Countermeasures 3-1
What Information Security Policies Can Cover 3-2
Recommended Application Design Practices to Reduce Risk 3-4
Tip 1: Enable and Disable Roles Promptly 3-5
Tip 2: Encapsulate Privileges in Stored Procedures 3-6
Tip 3: Use Role Passwords Unknown to the User 3-7
Tip 4: Use Proxy Authentication and a Secure Application Role 3-7
Tip 5: Use Secure Application Role to Verify IP Address 3-8
Tip 6: Use Application Context and Fine-Grained Access Control 3-9
Part II Security Features, Concepts, and Alternatives
4 Authentication Methods
Authentication by the Operating System 4-2
Authentication by the Network 4-2
Authentication by the Secure Socket Layer Protocol 4-3
Authentication Using Third-Party Services 4-3
DCE Authentication 4-4
Kerberos Authentication 4-4
Public Key Infrastructure-Based Authentication 4-4
Authentication with RADIUS 4-6
Directory-based Services 4-7
Account Locking 4-9
Password Lifetime and Expiration 4-9
Password History 4-9
Password Complexity Verification 4-10
Multitier Authentication and Authorization 4-10
Clients, Application Servers, and Database Servers 4-11
Security Issues for Middle-Tier Applications 4-13
Identity Issues in a Multitier Environment 4-14
Restricted Privileges in a Multitier Environment 4-14
Client Privileges 4-14
Application Server Privileges 4-14
Authentication of Database Administrators 4-14
5 Authorization: Privileges, Roles, Profiles, and Resource Limitations
Introduction to Privileges 5-2
System Privileges 5-3
Granting and Revoking System Privileges 5-3
Who Can Grant or Revoke System Privileges? 5-4
Schema Object Privileges 5-4
Granting and Revoking Schema Object Privileges 5-5
Who Can Grant Schema Object Privileges? 5-5
Using Privileges with Synonyms 5-6
Table Privileges 5-6
Data Manipulation Language (DML) Operations 5-6
Data Definition Language (DDL) Operations 5-7
View Privileges 5-7
Privileges Required to Create Views 5-8
Increasing Table Security with Views 5-8
Procedure Privileges 5-9
Procedure Execution and Security Domains 5-10
System Privileges Needed to Create or Alter a Procedure 5-12
Packages and Package Objects 5-12
Type Privileges 5-14
System Privileges for Named Types 5-14
Object Privileges 5-15
Method Execution Model 5-15
Privileges Required to Create Types and Tables Using Types 5-15
Example of Privileges for Creating Types and Tables Using Types 5-16
Privileges on Type Access and Object Access 5-17
Type Dependencies 5-19
Introduction to Roles 5-19
Properties of Roles 5-20
Common Uses for Roles 5-21
Application Roles 5-22
User Roles 5-22
Granting and Revoking Roles 5-22
Who Can Grant or Revoke Roles? 5-23
Security Domains of Roles and Users 5-23
PL/SQL Blocks and Roles 5-24
Named Blocks with Definer’s Rights 5-24
Anonymous Blocks with Invoker’s Rights 5-24
Data Definition Language Statements and Roles 5-24
Predefined Roles 5-26
The Operating System and Roles 5-26
Roles in a Distributed Environment 5-26
Secure Application Roles 5-27
Creation of Secure Application Roles 5-27
User Resource Limits 5-28
Types of System Resources and Limits 5-29
Session Level 5-29
Call Level 5-30
CPU Time 5-30
Logical Reads 5-30
Limiting Other Resources 5-30
Profiles 5-32
Determining Values for Resource Limits 5-32
Fine-Grained Access Control 6-3
System Security Policy 7-1
Database User Management 7-2
User Authentication 7-2
Operating System Security 7-2
Data Security Policy 7-3
User Security Policy 7-4
General User Security 7-4
Password Security 7-4
Privilege Management 7-5
End-User Security 7-5
Using Roles for End-User Privilege Management 7-5
Using a Directory Service for End-User Privilege Management 7-7
Administrator Security 7-7
Protection for Connections as SYS and SYSTEM 7-7
Protection for Administrator Connections 7-7
Using Roles for Administrator Privilege Management 7-8
Application Developer Security 7-9
Application Developers and Their Privileges 7-9
The Application Developer's Environment: Test and Production Databases 7-10
Free Versus Controlled Application Development 7-10
Roles and Privileges for Application Developers 7-10
Space Restrictions Imposed on Application Developers 7-11
Application Administrator Security 7-11
Password Management Policy 7-12
Account Locking 7-12
Password Aging and Expiration 7-13
Password History 7-15
Password Complexity Verification 7-16
Password Verification Routine Formatting Guidelines 7-16
Sample Password Verification Routine 7-17
Auditing Policy 7-20
A Security Checklist 7-20
8 Database Auditing: Security Considerations
Auditing Types and Records 8-2
Audit Records and the Audit Trails 8-3
Database Audit Trail (DBA_AUDIT_TRAIL) 8-4
Operating System Audit Trail 8-5
Operating System Audit Records 8-6
Records Always in the Operating System Audit Trail 8-7
When Are Audit Records Created? 8-7
Statement Auditing 8-9
Privilege Auditing 8-9
Schema Object Auditing 8-10
Schema Object Audit Options for Views, Procedures, and Other Elements 8-10
Focusing Statement, Privilege, and Schema Object Auditing 8-12
Auditing Statement Executions: Successful, Unsuccessful, or Both 8-12
Number of Audit Records from Multiple Executions of a Statement 8-13
Creating a User Who is Authenticated Externally 9-4
Operating System Authentication 9-4
Network Authentication 9-5
Advantages of External Authentication 9-5
Global Authentication and Authorization 9-5
Creating a User Who is Authorized by a Directory Service 9-6
Advantages of Global Authentication and Global Authorization 9-7
Proxy Authentication and Authorization 9-8
Authorizing a Middle Tier to Proxy and Authenticate a User 9-9
Authorizing a Middle Tier to Proxy a User Authenticated by Other Means 9-9
10 Administering User Privileges, Roles, and Profiles
Managing Oracle Users 10-1
Creating Users 10-2
Specifying a Name 10-3
Setting a User's Authentication 10-3
Assigning a Default Tablespace 10-3
Assigning Tablespace Quotas 10-4
Assigning a Temporary Tablespace 10-5
Specifying a Profile 10-6
Setting Default Roles 10-6
Altering Users 10-7
Changing a User's Authentication Mechanism 10-7
Changing a User's Default Roles 10-8
Dropping Users 10-8
Viewing Information About Database Users and Profiles 10-9
User and Profile Information in Data Dictionary Views 10-9
Listing All Users and Associated Information 10-11
Listing All Tablespace Quotas 10-11
Listing All Profiles and Assigned Limits 10-11
Viewing Memory Use for Each User Session 10-12
Managing Resources with Profiles 10-13
Dropping Profiles 10-14
Understanding User Privileges and Roles 10-15
System Privileges 10-15
Restricting System Privileges 10-15
Accessing Objects in the SYS Schema 10-16
Object Privileges 10-17
User Roles 10-18
Managing User Roles 10-20
Creating a Role 10-20
Specifying the Type of Role Authorization 10-21
Role Authorization by the Database 10-21
Role Authorization by an Application 10-22
Role Authorization by an External Source 10-22
Role Authorization by an Enterprise Directory Service 10-23
Dropping Roles 10-24
Granting User Privileges and Roles 10-24
Granting System Privileges and Roles 10-24
Granting the ADMIN OPTION 10-25
Creating a New User with the GRANT Statement 10-26
Granting Object Privileges 10-26
Specifying the GRANT OPTION 10-27
Granting Object Privileges on Behalf of the Object Owner 10-27
Granting Privileges on Columns 10-29
Row-Level Access Control 10-29
Revoking User Privileges and Roles 10-29
Revoking System Privileges and Roles 10-30
Revoking Object Privileges 10-30
Revoking Object Privileges on Behalf of the Object Owner 10-31
Revoking Column-Selective Object Privileges 10-32
Revoking the REFERENCES Object Privilege 10-32
Cascading Effects of Revoking Privileges 10-32
System Privileges 10-33
Object Privileges 10-33
Granting to and Revoking from the User Group PUBLIC 10-34
When Do Grants and Revokes Take Effect? 10-35
The SET ROLE Statement 10-35
Granting Roles Using the Operating System or Network 10-36
Using Operating System Role Identification 10-37
Using Operating System Role Management 10-39
Granting and Revoking Roles When OS_ROLES=TRUE 10-39
Enabling and Disabling Roles When OS_ROLES=TRUE 10-39
Using Network Connections with Operating System Role Management 10-40
Viewing Privilege and Role Information 10-40
Listing All System Privilege Grants 10-42
Listing All Role Grants 10-42
Listing Object Privileges Granted to a User 10-42
Listing the Current Privilege Domain of Your Session 10-43
Listing Roles of the Database 10-44
Listing Information About the Privilege Domains of Roles 10-44
11 Configuring and Administering Auditing
Actions Audited by Default 11-1
Guidelines for Auditing 11-2
Keep Audited Information Manageable 11-3
Auditing Normal Database Activity 11-3
Auditing Suspicious Database Activity 11-4
Auditing Administrative Users 11-4
Using Triggers 11-6
Decide Whether to Use the Database or Operating System Audit Trail 11-7
What Information is Contained in the Audit Trail? 11-7
Database Audit Trail Contents 11-8
Audit Information Stored in an Operating System File 11-9
Managing the Standard Audit Trail 11-10
Enabling and Disabling Standard Auditing 11-10
Setting the AUDIT_TRAIL Initialization Parameter 11-11
Setting the AUDIT_FILE_DEST Initialization Parameter 11-12
Standard Auditing in a Multitier Environment 11-13
Setting Standard Auditing Options 11-13
Specifying Statement Auditing 11-15
Specifying Privilege Auditing 11-15
Specifying Object Auditing 11-16
Turning Off Standard Audit Options 11-17
Turning Off Statement and Privilege Auditing 11-17
Turning Off Object Auditing 11-18
Controlling the Growth and Size of the Standard Audit Trail 11-18
Purging Audit Records from the Audit Trail 11-19
Archiving Audit Trail Information 11-20
Reducing the Size of the Audit Trail 11-20
Protecting the Standard Audit Trail 11-21
Auditing the Standard Audit Trail 11-21
Viewing Database Audit Trail Information 11-22
Audit Trail Views 11-22
Using Audit Trail Views to Investigate Suspicious Activities 11-23
Listing Active Statement Audit Options 11-25
Listing Active Privilege Audit Options 11-25
Listing Active Object Audit Options for Specific Objects 11-25
Listing Default Object Audit Options 11-26
Listing Audit Records 11-26
Listing Audit Records for the AUDIT SESSION Option 11-26
Deleting the Audit Trail Views 11-26
Example of Auditing Table SYS.AUD$ 11-27
Fine-Grained Auditing 11-29
Policies in Fine-Grained Auditing 11-30
Advantages of Fine-Grained Auditing over Triggers 11-30
Extensible Interface Using Event Handler Functions 11-31
Functions and Relevant Columns in Fine-Grained Auditing 11-31
Audit Records in Fine-Grained Auditing 11-32
NULL Audit Conditions 11-32
Defining FGA Policies 11-32
An Added Benefit to Fine-Grained Auditing 11-33
The DBMS_FGA Package 11-35
ADD_POLICY Procedure 11-35
Syntax 11-35
Parameters 11-36
12 Introducing Database Security for Application Developers
About Application Security Policies 12-2
Considerations for Using Application-Based Security 12-2
Are Application Users Also Database Users? 12-2
Is Security Enforced in the Application or in the Database? 12-4
Managing Application Privileges 12-4
Creating Secure Application Roles 12-5
Example of Creating a Secure Application Role 12-6
Associating Privileges with the User's Database Role 12-8
Using the SET ROLE Statement 12-9
Using the SET_ROLE Procedure 12-9
Examples of Assigning Roles with Static and Dynamic SQL 12-10
Protecting Database Objects Through the Use of Schemas 12-12
Unique Schemas 12-12
Shared Schemas 12-13
Managing Object Privileges 12-13
What Application Developers Need to Know About Object Privileges 12-13
SQL Statements Permitted by Object Privileges 12-15
13 Using Virtual Private Database to Implement Application Security Policies
About Virtual Private Database, Fine-Grained Access Control, and Application Context 13-2
Introduction to VPD 13-2
Column-level VPD 13-4
Column-level VPD with Column Masking Behavior 13-4
VPD Security Policies and Applications 13-4
Introduction to Fine-Grained Access Control 13-6
Features of Fine-Grained Access Control 13-6
Table-, View-, or Synonym-Based Security Policies 13-6
Multiple Policies for Each Table, View, or Synonym 13-7
Grouping of Security Policies 13-7
High Performance 13-8
Default Security Policies 13-8
About Creating a Virtual Private Database Policy with Oracle Policy Manager 13-9
Introduction to Application Context 13-10
Features of Application Context 13-10
Specifying Attributes for Each Application 13-10
Providing Access to Predefined Attributes through the USERENV Namespace 13-11
Externalized Application Contexts 13-15
Ways to Use Application Context with Fine-Grained Access Control 13-16
Using Application Context as a Secure Data Cache 13-16
Using Application Context to Return a Specific Predicate (Security Policy) 13-16
Using Application Context to Provide Attributes Similar to Bind Variables in a Predicate 13-17
Introduction to Global Application Context 13-17
Enforcing Application Security 13-18
Use of Ad Hoc Tools a Potential Security Problem 13-18
Restricting SQL*Plus Users from Using Database Roles 13-19
Limit Roles Through PRODUCT_USER_PROFILE 13-19
Use Stored Procedures to Encapsulate Business Logic 13-20
Use Virtual Private Database for Highest Security 13-20
Virtual Private Database and Oracle Label Security Exceptions and Exemptions 13-20
User Models and Virtual Private Database 13-22
14 Implementing Application Context and Fine-Grained Access Control
About Implementing Application Context 14-2
How to Use Application Context 14-3
Task 1: Create a PL/SQL Package that Sets the Context for Your Application 14-3
SYS_CONTEXT Example 14-3
Using SYS_CONTEXT in a Parallel Query 14-5
Using SYS_CONTEXT with Database Links 14-6
Task 2: Create a Unique Context and Associate It with the PL/SQL Package 14-6
Task 3: Set the Context Before the User Retrieves Data 14-7
Task 4: Use the Context in a VPD Policy Function 14-7
Examples: Application Context Within a Fine-Grained Access Control Function 14-7
Example 1: Implementing the Policy 14-7
Step 1 Create a PL/SQL Package Which Sets the Context for the Application 14-8
Step 2 Create an Application Context 14-9
Step 3 Access the Application Context Inside the Package 14-9
Step 4 Create the New Security Policy 14-10
Example 2: Controlling User Access by Way of an Application 14-11
Step 1 Create a PL/SQL Package to Set the Context 14-12
Step 2 Create the Context and Associate It with the Package 14-13
Step 3 Create the Initialization Script for the Application 14-13
Example 3: Event Triggers, Application Context, Fine-Grained Access Control, and Encapsulation of Privileges 14-13
Initializing Application Context Externally 14-18
Obtaining Default Values from Users 14-18
Obtaining Values from Other External Resources 14-19
Initializing Application Context Globally 14-19
Application Context Utilizing LDAP 14-20
How Globally Initialized Application Context Works 14-22
Example: Initializing Application Context Globally 14-22
How to Use Global Application Context 14-24
Using the DBMS_SESSION Interface to Manage Application Context in Client Sessions 14-25
Examples: Global Application Context 14-25
Example 1: Global Application Context 14-25
Example 2: Global Application Context for Lightweight Users 14-27
How Fine-Grained Access Control Works 14-29
How to Establish Policy Groups 14-30
The Default Policy Group: SYS_DEFAULT 14-30
New Policy Groups 14-31
How to Implement Policy Groups 14-32
Step 1: Set Up a Driving Context 14-32
Step 2: Add a Policy to the Default Policy Group 14-33
Step 3: Add a Policy to the HR Policy Group 14-33
Step 4: Add a Policy to the FINANCE Policy Group 14-34
Validation of the Application Used to Connect 14-34
How to Add a Policy to a Table, View, or Synonym 14-35
DBMS_RLS.ADD_POLICY Procedure Policy Types 14-36
Optimizing Performance by Enabling Static and Context Sensitive Policies 14-38
About Static Policies 14-39
About Context Sensitive Policies 14-39
Adding Policies for Column-Level VPD 14-40
Default Behavior 14-41
Column Masking Behavior 14-42
Enforcing VPD Policies on Specific SQL Statement Types 14-44
Enforcing Policies on Index Maintenance 14-44
How to Check for Policies Applied to a SQL Statement 14-44
Users Who Are Exempt from VPD Policies 14-45
SYS User Exempted from VPD Policies 14-45
EXEMPT ACCESS POLICY System Privilege 14-46
Automatic Reparse 14-46
VPD Policies and Flashback Query 14-47
15 Preserving User Identity in Multitiered Environments
Security Challenges of Three-tier Computing 15-2
Who Is the Real User? 15-2
Does the Middle Tier Have Too Much Privilege? 15-2
How to Audit? Whom to Audit? 15-3
What Are the Authentication Requirements for Three-tier Systems? 15-3
Client to Middle Tier Authentication 15-3
Middle Tier to Database Authentication 15-3
Client Re-Authentication Through Middle Tier to Database 15-4
Oracle Database Solutions for Preserving User Identity 15-5
Proxy Authentication 15-5
Passing Through the Identity of the Real User by Using Proxy Authentication 15-5
Auditing Actions Taken on Behalf of the Real User 15-10
Advantages of Proxy Authentication 15-10
Client Identifiers 15-11
Support for Application User Models by Using Client Identifiers 15-11
Using the CLIENT_IDENTIFIER Attribute to Preserve User Identity 15-12
Using CLIENT_IDENTIFIER Independent of Global Application Context 15-12
16 Developing Applications Using Data Encryption
Securing Sensitive Information 16-2
Principles of Data Encryption 16-3
Principle 1: Encryption Does Not Solve Access Control Problems 16-3
Principle 2: Encryption Does Not Protect Against a Malicious DBA 16-4
Principle 3: Encrypting Everything Does Not Make Data Secure 16-5
Solutions For Stored Data Encryption in Oracle Database 16-6
Oracle Database Data Encryption Capabilities 16-6
Data Encryption Challenges 16-8
Encrypting Indexed Data 16-9
Key Management 16-9
Key Transmission 16-10
Key Storage 16-10
Storing the Keys in the Database 16-10
Storing the Keys in the Operating System 16-12
Users Managing Their Own Keys 16-12
Changing Encryption Keys 16-12
Binary Large Objects (BLOBS) 16-13
Example of a Data Encryption PL/SQL Program 16-13
Example of Encrypt/Decrypt Procedures for BLOB Data 16-15
Glossary
Index
List of Figures
1–1 Realms Needing Protection in an Internet World 1-2
4–1 Oracle Public Key Infrastructure 4-6
4–2 Multitier Authentication 4-13
4–3 Database Administrator Authentication Methods 4-15
5–1 Common Uses for Roles 5-22
6–1 An Example of a View 6-3
7–1 User Role 7-6
7–2 Chronology of Password Lifetime and Grace Period 7-14
14–1 Location of Application Context in LDAP Directory Information Tree (DIT) 14-21
List of Tables
1–1 Security Issues by Category 1-3
3–1 Issues and Actions for Policies to Address 3-2
3–2 References Terms and Chapters for Oracle Features and Products 3-4
5–1 System Privileges for Named Types 5-15
5–2 Privileges for Object Tables 5-17
5–3 Topics and Sections in This Section 5-20
6–1 Policy Types and Run-Time Efficiencies 6-9
7–1 Parameters Controlling Re-Use of an Old Password 7-15
7–2 Default Accounts and Their Status (Standard Installation) 7-22
8–1 Auditing Types and Descriptions 8-3
8–2 Columns Shown in the Database Audit Trail (DBA_AUDIT_TRAIL) 8-4
8–3 Auditing Actions Newly Enabled by Oracle Database 10g 8-11
10–1 Predefined Roles 10-18
11–1 ADD_POLICY Procedure Parameters 11-36
11–2 DROP_POLICY Procedure Parameters 11-38
11–3 ENABLE_POLICY Procedure Parameters 11-39
11–4 DISABLE_POLICY Procedure Parameters 11-40
12–1 How Privileges Relate to Schema Objects 12-14
12–2 SQL Statements Permitted by Database Object Privileges 12-15
13–1 Key to Predefined Attributes in USERENV Namespace 13-12
14–1 Types of Application Contexts 14-2
14–2 DBMS_RLS Procedures 14-35
14–3 DBMS_RLS.ADD_POLICY Policy Types At a Glance 14-37
14–4 V$VPD_POLICY 14-45
16–1 DBMS_CRYPTO and DBMS_OBFUSCATION_TOOLKIT Feature Comparison 16-7
Send Us Your Comments
Oracle Database Security Guide, 10g Release 1 (10.1)
Part No B10773-01
Oracle Corporation welcomes your comments and suggestions on the quality and usefulness of this document. Your input is an important part of the information used for revision.
■ Did you find any errors?
■ Is the information clearly presented?
■ Do you need more information? If so, where?
■ Are the examples correct? Do you need more examples?
■ What features did you like most?
If you find any errors or have any other suggestions for improvement, please indicate the document title and part number, and the chapter, section, and page number (if available). You can send comments to us in the following ways:
■ Electronic mail: infodev_us@oracle.com
■ FAX: (650) 506-7227 Attn: Server Technologies Documentation Manager
■ Postal service:
Oracle Corporation
Server Technologies Documentation
500 Oracle Parkway, Mailstop 4op11
Preface
This document provides a comprehensive overview of security for Oracle Database. It includes conceptual information about security requirements and threats, descriptions of Oracle Database security features, and procedural information that explains how to use those features to secure your database.
This preface contains these topics:
Audience
The Oracle Database Security Guide is intended for database administrators (DBAs), security administrators, application developers, and others tasked with performing the following operations securely and efficiently:
■ Designing and implementing security policies to protect the organization's data, users, and applications from accidental, inappropriate, or unauthorized actions
■ Creating and enforcing policies and practices of auditing and accountability for any such inappropriate or unauthorized actions
■ Creating, maintaining, and terminating user accounts, passwords, roles, and privileges
■ Developing applications that provide desired services securely in a variety of computational models, leveraging database and directory services to maximize both efficiency and client ease of use
To use this document, you need a basic understanding of how and why a database is used, as well as at least basic familiarity with SQL queries or programming.
Organization
This document contains:
Part I, "Overview of Security Considerations and Requirements"
Part I presents fundamental concepts of data security, and offers checklists and policies to aid in securing your site's data, operations, and users.
Chapter 1, "Security Requirements, Threats, and Concepts"
This chapter presents fundamental concepts of data security requirements and threats.
Chapter 2, "Security Checklists and Recommendations"
This chapter presents checklists, with brief explanations, for policies and practices that reduce your installation's vulnerabilities.
Chapter 3, "Security Policies and Tips"
This chapter presents basic general security policies, with specific chapter references, that apply to every site. These you must understand and apply to the
Part II, "Security Features, Concepts, and Alternatives"
Part II presents methods and features that address the security requirements, threats, and concepts described in Part I.
Chapter 4, "Authentication Methods"
This chapter deals with verifying the identity of anyone who wants to use data, resources, or applications. Authentication establishes a trust relationship for further interactions as well as accountability linking access and actions to a specific identity.
Chapter 5, "Authorization: Privileges, Roles, Profiles, and Resource Limitations"
This chapter describes standard authorization processes that allow an entity to have certain levels of access and action, but which also limit the access, actions, and resources permitted to that entity.
Chapter 6, "Access Controls on Tables, Views, Synonyms, or Rows"
This chapter discusses protecting objects by using object-level privileges and views, as well as by designing and using policies to restrict access to specific tables, views, synonyms, or rows. Such policies invoke functions that you design to specify dynamic predicates establishing the restrictions.
Chapter 7, "Security Policies"
This chapter discusses security policies in separate sections dealing with system security, data security, user security, password management, and auditing. It concludes with a more detailed version of the checklist first presented in Chapter 2.
Chapter 8, "Database Auditing: Security Considerations"
This chapter presents auditing as the monitoring and recording of selected user database actions. Auditing can be based either on individual actions, such as the type of SQL statement executed, or on combinations of factors that can include user name, application, time, and so on. Security policies can trigger auditing when specified elements in an Oracle database are accessed or altered, including the contents within a specified object.
Part III, "Security Implementation, Configuration, and Administration"
Part III presents the details of setting up, configuring, and administering Oracle Database security features.
Chapter 9, "Administering Authentication"
This chapter describes the methods for creating and administering authentication by defining users and how they are to be identified and verified before access is granted. Chapter 9 discusses the four primary methods as database, external, global, and proxy authentication.
Chapter 10, "Administering User Privileges, Roles, and Profiles"
This chapter presents the interwoven tasks and considerations involved in granting, viewing, and revoking database user privileges and roles, and the profiles that contain them.
Chapter 11, "Configuring and Administering Auditing"
This chapter describes auditing and accountability to protect and preserve privacy for the information stored in databases, detect suspicious activities, and enable finely-tuned security responses.
Chapter 12, "Introducing Database Security for Application Developers"
This chapter provides an introduction to the security challenges that face application developers and includes an overview of Oracle Database features they can use to develop secure applications.
Chapter 13, "Using Virtual Private Database to Implement Application Security Policies"
This chapter discusses developing secure applications by using application context, fine-grained access control, or virtual private database to implement security policies.
Chapter 14, "Implementing Application Context and Fine-Grained Access Control"
This chapter provides several examples of applications developed using application context, fine-grained access control, and virtual private database. It includes code examples and their corresponding explanations.
Chapter 15, "Preserving User Identity in Multitiered Environments"
This chapter discusses developing secure multiple tier applications.
applications, and the strengths and weaknesses of using this feature.
Glossary
Index
Related Documentation
For more information, see these Oracle resources:
■ Oracle Database Concepts
■ Oracle Database Administrator's Guide
■ Oracle Data Warehousing Guide
■ Oracle Streams Advanced Queuing Java API Reference
■ Oracle Streams Advanced Queuing User's Guide and Reference
Many of the examples in this book use the sample schemas of the seed database, which is installed by default when you install Oracle. Refer to Oracle Database Sample Schemas for information on how these schemas were created and how you can use them yourself.
Printed documentation is available for sale in the Oracle Store at http://oraclestore.oracle.com/
To download free release notes, installation documentation, white papers, or other collateral, please visit the Oracle Technology Network (OTN). You must register online before using OTN; registration is free and can be done at
Conventions
This section describes the conventions used in the text and code examples of this documentation set. It describes:
■ Conventions in Text
■ Conventions in Code Examples
■ Conventions for Windows Operating Systems
Conventions in Text
We use various conventions in text to help you more quickly identify special terms. The following table describes those conventions and provides examples of their use.
Bold: Bold typeface indicates terms that are defined in the text or terms that appear in Oracle Database Concepts.
Ensure that the recovery catalog and target database do not reside on the same disk.
You can specify this clause only for a NUMBER column.
You can back up the database by using the BACKUP command.
Query the TABLE_NAME column in the USER_TABLES data dictionary view.
Use the DBMS_STATS.GENERATE_STATS procedure.
Trang 29Conventions in Code Examples
Code examples illustrate SQL, PL/SQL, SQL*Plus, or other command-linestatements They are displayed in a monospace (fixed-width) font and separatedfrom normal text as shown in this example:
SELECT username FROM dba_users WHERE username = 'MIGRATE';
The following table describes typographic conventions used in code examples andprovides examples of their use
Note:Some programmatic elements use a mixture of UPPERCASE and lowercase.
Enter these elements as shown.
The password is specified in the orapwd file Back up the datafiles and control files in the /disk1/oracle/dbs directory.
The department_id , department_name , and location_id columns are in the hr.departments table.
Set the QUERY_REWRITE_ENABLED initialization parameter to true.
[ ] Brackets enclose one or more optional
items Do not enter the brackets.
DECIMAL (digits [ , precision ])
{ } Braces enclose two or more items, one of
which is required Do not enter the braces.
{ENABLE | DISABLE}
| A vertical bar represents a choice of two
or more options within brackets or braces.
Enter one of the options Do not enter the vertical bar.
{ENABLE | DISABLE}
[COMPRESS | NOCOMPRESS]
Trang 30Horizontal ellipsis points indicate either:
■ That we have omitted parts of the code that are not directly related to the example
■ That you can repeat a portion of the code
CREATE TABLE AS subquery;
SELECT col1, col2, , coln FROM
SQL> SELECT NAME FROM V$DATAFILE; NAME
/fsl/dbs/tbs_01.dbf
-/fs1/dbs/tbs_02.dbf
/fsl/dbs/tbs_09.dbf
9 rows selected.
Other notation You must enter symbols other than
brackets, braces, vertical bars, and ellipsis points as shown.
acctbal NUMBER(11,2);
acct CONSTANT NUMBER(4) := 3;
Italics Italicized text indicates placeholders or
variables for which you must supply particular values.
CONNECT SYSTEM/system_password DB_NAME = database_name
UPPERCASE Uppercase typeface indicates elements
supplied by the system We show these terms in uppercase in order to distinguish them from terms you define Unless terms appear in brackets, enter them in the order and with the spelling shown.
However, because these terms are not case sensitive, you can enter them in lowercase.
SELECT last_name, employee_id FROM employees;
SELECT * FROM USER_TABLES;
DROP TABLE hr.employees;
programmatic elements that you supply.
For example, lowercase indicates names
of tables, columns, or files.
Note:Some programmatic elements use a mixture of UPPERCASE and lowercase.
Enter these elements as shown.
SELECT last_name, employee_id FROM employees;
sqlplus hr/hr CREATE USER mjones IDENTIFIED BY ty3MU9;
provides examples of their use.
Choose Start >: How to start a program. To start the Database Configuration Assistant, choose Start > Programs > Oracle - HOME_NAME > Configuration and Migration Tools > Database Configuration Assistant.
File and directory names: File and directory names are not case sensitive. The following special characters are not allowed: left angle bracket (<), right angle bracket (>), colon (:), double quotation marks ("), slash (/), pipe (|), and dash (-). The special character backslash (\) is treated as an element separator, even when it appears in quotes. If the file name begins with \\, then Windows assumes it uses the Universal Naming Convention.
    c:\winnt"\"system32 is the same as C:\WINNT\SYSTEM32
C:\>: The command prompt of the current hard disk drive. The escape character in a command prompt is the caret (^). Your prompt reflects the subdirectory in which you are working. Referred to as the command prompt in this manual.
    C:\oracle\oradata>
Special characters: The backslash (\) special character is sometimes required as an escape character for the double quotation mark (") special character at the Windows command prompt. Parentheses and the single quotation mark (') do not require an escape character. Refer to your Windows operating system documentation for more information on escape and special characters.
    C:\>exp scott/tiger TABLES=emp QUERY=\"WHERE job='SALESMAN' and sal<1600\"
    C:\>imp SYSTEM/password FROMUSER=scott TABLES=(emp, dept)
HOME_NAME: Represents the Oracle home name. The home name can be up to 16 alphanumeric characters. The only special character allowed in the home name is the underscore.
    C:\> net start OracleHOME_NAMETNSListener
ORACLE_HOME and ORACLE_BASE: In releases prior to Oracle8i release 8.1.3, when you installed Oracle components, all subdirectories were located under a top level ORACLE_HOME directory that by default used one of the following names:
■ C:\orant for Windows NT
■ C:\orawin98 for Windows 98
This release complies with Optimal Flexible Architecture (OFA) guidelines. All subdirectories are not under a top level ORACLE_HOME directory. There is a top level directory called ORACLE_BASE that by default is C:\oracle. If you install the latest Oracle release on a computer with no other Oracle software installed, then the default setting for the first Oracle home directory is C:\oracle\orann, where nn is the latest release number. The Oracle home directory is located directly under ORACLE_BASE. All directory path examples in this guide follow OFA conventions.
Refer to Oracle Database Platform Guide for Windows for additional information about OFA compliances and for information about installing Oracle products in non-OFA compliant directories.
    Go to the ORACLE_BASE\ORACLE_HOME\rdbms\admin directory.
Documentation Accessibility
Our goal is to make Oracle products, services, and supporting documentation accessible, with good usability, to the disabled community. To that end, our documentation includes features that make information available to users of assistive technology. This documentation is available in HTML format, and contains markup to facilitate access by the disabled community. Standards will continue to evolve over time, and Oracle is actively engaged with other market-leading technology vendors to address technical obstacles so that our documentation can be accessible to all of our customers. For additional information, visit the Oracle Accessibility Program Web site at
http://www.oracle.com/accessibility/
conventions for writing code require that closing braces should appear on an otherwise empty line; however, JAWS may not always read a line of text that consists solely of a bracket or brace.
Accessibility of Links to External Web Sites in Documentation
This documentation may contain links to Web sites of other companies or organizations that Oracle does not own or control. Oracle neither evaluates nor makes any representations regarding the accessibility of these Web sites.
The Oracle Database 10g Release 1 (10.1) security features and enhancements described in this section comprise the overall effort to provide superior access control and accountability (privacy) with this release of the database.
The following sections describe new security features of Oracle Database 10g Release 1 (10.1) and provide pointers to additional information:
■ New Features in Virtual Private Database
■ New Features in Auditing
■ New PL/SQL Encryption Package: DBMS_CRYPTO
New Features in Virtual Private Database
To provide enhanced access control, privacy, and performance, the following enhancements have been added to Virtual Private Database (VPD), a feature of the Enterprise Edition:
■ Column-level VPD and Column Masking
Column-level VPD policies provide more fine-grained access controls on data. With column-level VPD, security policies can be applied only where a particular column or columns are accessed in the user's query. This means that when a user has rights to access the object itself, VPD can limit the individual rows returned only if the columns the user accesses contain sensitive information, such as salaries or national identity numbers.
The default behavior of column-level VPD restricts the number of rows returned when a query addresses columns containing sensitive data. In contrast, column masking behavior allows all rows to be returned for a query against data protected by column-level VPD, but the columns that contain sensitive information are returned as NULL values. With column masking, users see all the data they are supposed to see, but privacy is not compromised.
■ Static, Context-Sensitive, and Shared VPD Policy Types
Static and context-sensitive policy types optimize VPD for significant performance improvements because the policy function does not execute for every SQL query. Static policies maintain the same predicate for queries, updates, inserts, and deletes throughout a session. (However, application context or attributes such as SYSDATE can change the value returned by the predicate.) They are particularly useful for hosting environments where you always need to apply the same predicate. With context-sensitive policies, the predicate can change after statement parse time, but VPD re-executes the policy function only if the application context changes. This ensures that any changes to the predicate since the initial parsing are captured. Context-sensitive policies
Both static and context-sensitive policies can be shared across multiple database objects, so that queries on another database object can use the same cached predicate. Shared policies enable you to further decrease the overhead of re-executing policy functions for every query, reducing any performance impact.
■ Application context support for parallel queries
In this release, if you use SYS_CONTEXT inside a SQL function which is embedded in a parallel query, the function picks up the application context.
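The column masking and context-sensitive policy type described above, as an added example that is not part of the guide: a policy on the sample hr.employees table that hides SALARY outside the caller's department while still returning every row. The schema hr_sec, context hr_ctx, package hr_ctx_pkg, function own_dept_only and policy name emp_salary_mask are assumptions for this illustration.

```sql
-- Application context read by the predicate; only the trusted package
-- hr_sec.hr_ctx_pkg (assumed name) may set its attributes.
CREATE CONTEXT hr_ctx USING hr_sec.hr_ctx_pkg;
CREATE OR REPLACE PACKAGE hr_sec.hr_ctx_pkg AS
  PROCEDURE set_dept (p_dept_id IN NUMBER, p_is_manager IN BOOLEAN);
END hr_ctx_pkg;
/
CREATE OR REPLACE PACKAGE BODY hr_sec.hr_ctx_pkg AS
  PROCEDURE set_dept (p_dept_id IN NUMBER, p_is_manager IN BOOLEAN) IS
  BEGIN
    -- A real deployment derives these from an authenticated source, such
    -- as a lookup keyed on SYS_CONTEXT('USERENV', 'SESSION_USER').
    DBMS_SESSION.SET_CONTEXT('hr_ctx', 'dept_id', TO_CHAR(p_dept_id));
    DBMS_SESSION.SET_CONTEXT('hr_ctx', 'is_manager',
                             CASE WHEN p_is_manager THEN 'Y' ELSE 'N' END);
  END set_dept;
END hr_ctx_pkg;
/
-- Policy function: VPD calls it with (schema, object) and appends the
-- returned predicate to the query. A NULL predicate means no restriction.
CREATE OR REPLACE FUNCTION hr_sec.own_dept_only (
  p_schema IN VARCHAR2, p_object IN VARCHAR2) RETURN VARCHAR2 IS
BEGIN
  IF SYS_CONTEXT('hr_ctx', 'is_manager') = 'Y' THEN
    RETURN NULL;
  END IF;
  RETURN 'department_id = SYS_CONTEXT(''hr_ctx'', ''dept_id'')';
END own_dept_only;
/
-- sec_relevant_cols: enforce only when SALARY is referenced.
-- ALL_ROWS: column masking instead of row filtering, so every row comes
-- back but SALARY is NULL outside the caller's department.
-- CONTEXT_SENSITIVE: the function is re-run only after hr_ctx changes.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema         => 'hr',
    object_name           => 'employees',
    policy_name           => 'emp_salary_mask',
    function_schema       => 'hr_sec',
    policy_function       => 'own_dept_only',
    statement_types       => 'SELECT',
    policy_type           => DBMS_RLS.CONTEXT_SENSITIVE,
    sec_relevant_cols     => 'salary',
    sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS);
END;
/
-- A non-manager in department 60 sees all rows, salaries only for dept 60.
EXEC hr_sec.hr_ctx_pkg.set_dept(60, FALSE);
SELECT employee_id, department_id, salary FROM hr.employees;
```

Because the policy is context-sensitive, the first query after set_dept re-runs own_dept_only; later queries in the same session reuse the cached predicate until the context changes again.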
New Features in Auditing
Oracle Database 10g Release 1 (10.1) expands upon standard and fine-grained auditing for enhanced user accountability, providing the following new features:
■ Fine-grained Auditing Support for DML
In the previous release, fine-grained auditing support was only available for SELECT statements. In this release, fine-grained auditing support is expanded to include DML (INSERT, UPDATE, DELETE).
■ Uniform Audit Trail
In this release the DBA_COMMON_AUDIT_TRAIL view has been added, which presents both the standard and the fine-grained audit log records in a single view.
■ Extensions to Standard Audit and Fine-Grained Auditing
Fields have been added to the standard and the fine-grained audit trails in this release. New fields capture the exact SQL text of audited statements, the date and time stamp in UTC (Coordinated Universal Time) format, and enhanced auditing for enterprise users. Enterprise users are global database users, who are stored in an LDAP directory. In this release, the audit trail includes enterprise users' full distinguished names (DNs) and global user identifiers (GUIDs).
See Also: "DBMS_RLS.ADD_POLICY Procedure Policy Types" on page 14-36 for more information about these new policy types and how to use them in applications
See Also: "Using SYS_CONTEXT in a Parallel Query" on page 14-5 for information about using this enhancement
See Also: "Fine-Grained Auditing" on page 11-29 for more information about this new feature
See Also: "Database Audit Trail Contents" on page 11-8 for more information about this new view
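The DML auditing, extended audit fields and uniform audit trail described above, as an added example that is not part of the guide: an FGA policy on the sample hr.employees table, a statement that triggers it, and a query of DBA_COMMON_AUDIT_TRAIL. The policy name emp_salary_dml and the audit condition are assumptions.

```sql
-- Audit DML that touches SALARY for rows where the condition holds.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'hr',
    object_name     => 'employees',
    policy_name     => 'emp_salary_dml',
    -- Only statements reaching rows that satisfy this condition are audited
    audit_condition => 'salary > 10000',
    -- ...and only when the statement references this column
    audit_column    => 'salary',
    -- New in 10g: DML statement types, not just SELECT
    statement_types => 'INSERT,UPDATE,DELETE',
    -- DB_EXTENDED also records the exact SQL text and bind values
    audit_trail     => DBMS_FGA.DB_EXTENDED,
    enable          => TRUE);
END;
/
-- This update hits a row with salary > 10000 and references SALARY,
-- so it produces a fine-grained audit record.
UPDATE hr.employees SET salary = salary * 1.05 WHERE employee_id = 100;
COMMIT;
-- Uniform audit trail: standard (AUDIT_TYPE = 'Standard Audit') and
-- fine-grained ('Fine Grained Audit') records in one view. GLOBAL_UID and
-- EXT_NAME carry the enterprise user GUID and DN mentioned above.
SELECT audit_type, db_user, global_uid, ext_name, object_name,
       statement_type, sql_text, extended_timestamp
  FROM dba_common_audit_trail
 WHERE object_schema = 'HR' AND object_name = 'EMPLOYEES'
 ORDER BY extended_timestamp DESC;
```

Reading the view requires SELECT on it (typically the AUDIT_VIEWER-style DBA role); the FGA policy itself needs EXECUTE on DBMS_FGA.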
New PL/SQL Encryption Package: DBMS_CRYPTO
In this release, a new flexible interface, DBMS_CRYPTO, is provided to encrypt especially sensitive stored data, and it can also be used in conjunction with PL/SQL programs running network communications. This new interface provides support for the following features:
■ Encryption algorithms as follows:
– AES (Advanced Encryption Standard)
– Triple DES (112- and 168-bit)
■ Cryptographic hash algorithms (SHA-1, MD5, and MD4)
■ Keyed hash (MAC, or Message Authentication Code) algorithms (SHA-1, MD5)
■ Padding forms (PKCS #5, zeroes)
■ Block cipher chaining mode modifiers (CBC, CFB, ECB, OFB)
DBMS_CRYPTO is intended to replace the DBMS_OBFUSCATION_TOOLKIT, providing greater ease of use and support for a range of algorithms to accommodate new and existing systems.
See Also: "What Information is Contained in the Audit Trail?" on page 11-7 for more information about the extensions to standard and fine-grained audit trails
See Also: Chapter 16, "Developing Applications Using Data Encryption" for information about how to use this package
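As an added example (not from the guide), the following PL/SQL package combines several of the DBMS_CRYPTO features listed above: AES-128 in CBC mode with PKCS #5 padding and a fresh random IV, plus an HMAC-SHA1 tag that is verified before anything is decrypted. The package name enc_demo, its parameter names and the sample string are assumptions; it needs EXECUTE on DBMS_CRYPTO.

```sql
CREATE OR REPLACE PACKAGE enc_demo AS
  FUNCTION seal (p_plain IN VARCHAR2, p_enc_key IN RAW, p_mac_key IN RAW) RETURN RAW;
  FUNCTION unseal (p_sealed IN RAW, p_enc_key IN RAW, p_mac_key IN RAW) RETURN VARCHAR2;
END enc_demo;
/
CREATE OR REPLACE PACKAGE BODY enc_demo AS
  -- AES-128 + CBC + PKCS#5: the DBMS_CRYPTO constants are combined by addition
  c_mode CONSTANT PLS_INTEGER := DBMS_CRYPTO.ENCRYPT_AES128
                               + DBMS_CRYPTO.CHAIN_CBC + DBMS_CRYPTO.PAD_PKCS5;
  -- Output layout: 16-byte IV || ciphertext || 20-byte HMAC-SHA1 tag
  FUNCTION seal (p_plain IN VARCHAR2, p_enc_key IN RAW, p_mac_key IN RAW) RETURN RAW IS
    l_iv  RAW(16) := DBMS_CRYPTO.RANDOMBYTES(16);  -- fresh IV per message
    l_ct  RAW(2000);
    l_mac RAW(20);
  BEGIN
    l_ct  := DBMS_CRYPTO.ENCRYPT(src => UTL_RAW.CAST_TO_RAW(p_plain),
                                 typ => c_mode, key => p_enc_key, iv => l_iv);
    -- Encrypt-then-MAC over IV and ciphertext so tampering is detected
    l_mac := DBMS_CRYPTO.MAC(src => UTL_RAW.CONCAT(l_iv, l_ct),
                             typ => DBMS_CRYPTO.HMAC_SH1, key => p_mac_key);
    RETURN UTL_RAW.CONCAT(l_iv, l_ct, l_mac);
  END seal;
  FUNCTION unseal (p_sealed IN RAW, p_enc_key IN RAW, p_mac_key IN RAW) RETURN VARCHAR2 IS
    l_len PLS_INTEGER := UTL_RAW.LENGTH(p_sealed);
    l_iv  RAW(16)     := UTL_RAW.SUBSTR(p_sealed, 1, 16);
    l_ct  RAW(2000)   := UTL_RAW.SUBSTR(p_sealed, 17, l_len - 36);
    l_mac RAW(20)     := UTL_RAW.SUBSTR(p_sealed, l_len - 19, 20);
  BEGIN
    -- Verify the tag before decrypting; reject anything that fails
    IF UTL_RAW.COMPARE(DBMS_CRYPTO.MAC(UTL_RAW.CONCAT(l_iv, l_ct),
                       DBMS_CRYPTO.HMAC_SH1, p_mac_key), l_mac) <> 0 THEN
      RAISE_APPLICATION_ERROR(-20001, 'integrity check failed');
    END IF;
    RETURN UTL_RAW.CAST_TO_VARCHAR2(
             DBMS_CRYPTO.DECRYPT(l_ct, c_mode, p_enc_key, l_iv));
  END unseal;
END enc_demo;
/
-- Round trip with constructed keys; a real key is kept outside the table
-- that holds the ciphertext. Prints the original string.
SET SERVEROUTPUT ON
DECLARE
  l_ek RAW(16) := DBMS_CRYPTO.RANDOMBYTES(16);
  l_mk RAW(20) := DBMS_CRYPTO.RANDOMBYTES(20);
BEGIN
  DBMS_OUTPUT.PUT_LINE(enc_demo.unseal(
    enc_demo.seal('account 4111-0000', l_ek, l_mk), l_ek, l_mk));
END;
/
```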
Part I Overview of Security Considerations and
This part contains the following chapters:
■ Chapter 1, "Security Requirements, Threats, and Concepts"
■ Chapter 2, "Security Checklists and Recommendations"
■ Chapter 3, "Security Policies and Tips"
This part also contains high-level security checklists for DBAs and application developers, covering preparations for installation, best practices for administration, and recommended practices for developing secure applications. References are included, pointing to the explanations and alternatives presented in Part II and the examples described in Part III.