Database Support

Thursday, April 25, 2013

Security Policies - Part 3

Dear Readers,

My name is Franz Devantier, creator of this blog. I am an Oracle Certified Professional (OCP DBA 11g) Security DBA. I will be sharing with you the basic duties of an Oracle DBA, and also some of the undocumented, and not so well known tasks.

I will make a deal with you: If you refer me to a company that needs database support, from a few hours per week to full time, and I am able to sign a contract with them.

Then I will give you 10% of the monthly contract or deal price every month. When the contract ends, and we re-sign the contract, I will again give you 10% of the monthly contract price. This will go on until the company no longer employs or contracts me or my agents to look after their databases.

I can do this, because that 10% is my marketing budget. When we re-sign the contract, in the future, it may depend on you giving the thumbs up again, and that is worth 10% of the monthly contract price, to be given to you as commission.

Contact: Franz

Security Policies - Part 3

Using Roles for Administrator Privilege Management

Roles are the most efficient way to restrict the powerful system privileges that are required by people who administer the database.

Ideally at a large installation, each database administrator would be responsible for a specific area of management.

-> Object creation and maintenance.

-> Database tuning and performance.

-> Creation and management of users, including the granting of privileges and roles to database users.

-> Routine maintenance, like STARTUP, SHUTDOWN, and backup and recovery.

-> Emergency maintenance, as when a database crashes.

-> You may have new, inexperienced database administrators, who need limited capabilities to learn database management.

You could create a number of different roles to cater for the different levels of database administrators.

-> dba_objects

-> dba_tuning

-> dba_security

-> dba_maintenance

-> dba_recovery

-> dba_learning

Now in order to make these roles work, you will need to grant all of the privileges needed to each of these roles, in order to allow a database administrator to complete their tasks. Then you can grant these roles to the appropriate administrators.

The above plan will reduce the management of database administrators, and limit the administrators to just the privileges they need to complete their tasks.

-> If a database administrator’s (DBA) job description changes to include more responsibilities, then you can grant the DBA the additional needed DBA roles that you have created.

-> If the DBA’s job description changes to include fewer responsibilities, then you can revoke the roles that are no longer needed.

-> The data dictionary will have the information stored with regards to what privileges are granted to each role, and what roles are granted to each user. So you can report on the privileges that each DBA has, and which tasks each user is allowed to do.

Franz Devantier,

Need a database health check, or a security audit?

devantierf@gmail.com

Classifieds

Year of the Stem Cell

Devantier Hosting, from $2.75

Host then Profit GVO

Global Domains International

Traffic Exchange Profits

Easy Downlines

Fast Cash and Traffic

Simple Safelists

Traffic Wave - Autoresponder

Traffic Hoopla

Business Related Social Media

Wednesday, April 24, 2013

Security Policies - Part 2

Dear Readers,

I will make a deal with you: If you refer me to a company that needs database support, from a few hours per week to full time, and I am able to sign a contract with them.

Contact: Franz

Security Policies - Part 2

Protection for Connections as SYS and SYSTEM

After database creation, you should change the default passwords for SYS and SYSTEM. If you used DBCA, then they would have already been changed, but if you created the database manually, then they would be: SYS/CHANGE_ON_INSTALL and SYSTEM/MANAGER. The SYS and SYSTEM users are very powerful users, and gives all the privileges to modify a database. So the number of users or administrators that are allowed to connect as SYS and SYSTEM must be reduced and monitored.

You should also make sure that other administrative names such as SYSMAN and DBSNMP are also changed from the default. If you want to unlock user accounts, then you can use the syntax:

SQL> ALTER USER <fred> ACCOUNT UNLOCK IDENTIFIED BY <password>;

It is good practice to change the password at the same time as you unlock the account.

Protection for Administrator Connections

Make sure that only database administrators can connect to the database as SYSDBA or SYSOPER. SYSOPER privileges allow the user to STARTUP, SHUTDOWN, and recover the database. SYSDBA privileges are the same as SYSOPER, but include unrestricted privileges to perform just about any operation on the database. SYSDBA can alter the data dictionary tables.

It is good practice to make sure that the 07_DICTIONARY_ACCESSIBILITY initialization parameter is set to FALSE, so that only the SYSDBA or SYSOPER user, can modify the data dictionary.

Connections with SYSDBA/SYSOPER are authorized after verification with the password file, and with the operating system privileges and permissions. If there is no password file, or the user is not in the password file, then Operating System Authentication is used.

If the authentication succeeds with the password file, then the connection is logged with the user name. If authentication succeeds by means of the operating system, then “CONNECT /” connection does not record the specific user.

Franz Devantier,

Need a database health check, or a security audit?

devantierf@gmail.com

Classifieds

Year of the Stem Cell

Devantier Hosting, from $2.75

Host then Profit GVO

Global Domains International

Traffic Exchange Profits

Easy Downlines

Fast Cash and Traffic

Simple Safelists

Traffic Wave - Autoresponder

Traffic Hoopla

Business Related Social Media

Tuesday, April 23, 2013

Security Policies - Part 1

Dear Readers,

I will make a deal with you: If you refer me to a company that needs database support, from a few hours per week to full time, and I am able to sign a contract with them.

Contact: Franz

Security Policies - Part 1

Security Policies

Security considerations range from protecting sensitive table data on the row or column level to; regular database backups that are stored offsite.

We can divide security policies into the following broad headings:

-> System Security Policy

-> Data Security Policy

-> User Security Policy

-> Password Management Policy

-> Auditing Policy

-> Security Checklist

System Security Policy

System Security consists of the following broad areas:

-> Database User Management

-> User Authentication

-> Operating System Security

In a small installation the database administrator will double up as the security administrator. Otherwise you may have one or more database security administrators. A security policy should be developed for every database.

Database User Management

Database users represent the access paths to all of the data in an Oracle database. The security administrator should exclusively have the privileges required to CREATE, ALTER, or DROP database users.

User Authentication

You can authenticate users through Oracle or through the host operating system. If you have advanced security installed, then you can also authenticate users through network services, or by Secure Sockets Layer (SSL).

Operating System Security

Firstly database administrators must have the operating system privileges to create and delete files. Secondly, other database users should not have the operating system privileges to create or delete files, related to the database. Lastly, if the operating system identified database roles for users; then the Security database administrator/s must have the privileges to modify the security domain of operating system accounts.

Data Security Policy

This policy determines which users have access to which schema objects, as well as the list of specific actions that the user is allowed to execute on those objects.

The level of security that you want to establish overall for your database, determines how you security policy will look at the detail level.

Generally the data security policy is based on the sensitivity of the data stored in the table objects. If the data is not sensitive, then little or no security may be necessary to implement. If the data is sensitive, then a tight security policy should be developed and maintained.

You can implement data security by managing system privileges, object privileges, and roles. Roles are named sets of privileges that are grouped together. Views also implement data security, because a view can restrict the columns and rows of the base tables that are displayed, thereby filtering out the sensitive data, from the viewer.

You can implement data security with fine-grained access control. Fine-grained access control enables you to implement security policies with functions, which can be associated with tables or views. The security function policy generates a WHERE condition that is appended to the SQL statement given, and restricts user access to certain rows in the table or view. An application context consists of a secure data cache, in which attributes on the application level and user level are stored, which are used in making data access decisions, and also for other functions in the application

User Security Policy

There are a few broad areas to cover with reference to User Security Policy:

-> General User Security

-> End-User Security

-> Administrator Security

-> Application Developer Security

-> Application Administrator Security

General User Security

For all types of database users, there are two security issues that always emerge:

-> Password Security

-> Privilege management

Password Security

Database Security Administrators should develop a password security policy to maintain database access security, for users who are authenticated y the database. You can reduce unauthorized database access, by forcing a user to modify their password on a regular basis, and in cases where the password has been compromised, to change it as well.

If you use the AES (Advanced Encryption Standard) algorithm on passwords, before sending them across the network, then the passwords will be automatically and transparently encrypted for Client/Server and server/server connections.

Privilege Management

There are a few issues to consider with privilege management. For example if there are only a few users, it may be easy enough to directly grant the needed privileges explicitly to the users. In this way you would have avoided using roles. If a database has many users or schemas, then it becomes more beneficial to use roles. Roles are named groups of privileges that you can grant to users or to other roles. Using roles simplifies the task of granting a whole lot of people a set of privileges, because you just grant these privileges to the role once, and thereafter, you just grant the role, to each user with a similar requirement. In complicated environments, the use of roles is essential in order to simplify the administration.

End-User Security

There must be a policy that is designed for end-user security. If there are many users, then the security administrator can put different users in their own user groups, and then create roles that match the requirements for these groups. You will grant all the needed privileges to a role, and then grant the role to everyone in the group. Of course there will always be exceptions. To handle these exceptions, the required privileges can be granted to the users in addition, or a special role with the special privileges in it, can be created, and granted to the users, with the exception.

Using Roles for End-User Privilege Management

To simplify the management and improve the level of control over the granting of privileges, roles are the simplest means of ease of management and control. Let’s say that an employee needs the access rights to access accounts receivable, and the general Ledger, then roles for each of these applications will have been created, containing all of the necessary privileges. The roles are then granted to the employee.

For example if you have a requirement for a group of accountants to work together. Each accountant may need access to the accounts receivable and the accounts payable objects.

To facilitate this you create an accounts receivable role, and grant all the privileges to the accounts receivable role, that you need. Then you create an accounts payable role, and grant all the privileges to the accounts payable role, that is needed to perform their duties. Now you create an accountant role, and grant the accounts receivable role, and the accounts payable role to the accountant role. Now when a new accountant joints the company, you simply grant them the accountant role. With this role they will be able to perform all of their duties.

-> With this arrangement, if a new database application was developed or assigned to accountants, then a new role can be created for the new application, all the privileges assigned to this role, and this role then granted to the accountant role. In this way the users will automatically be able to access all of the objects for the new application. None of the users, will need the privileges granted to them individually.

-> In the same way if the accounting department were to discontinue the use of a certain application, then the role associated with the application can be revoked from the accountant role.

-> If there are changes to the accounts receivable application and or the accounts payable application, then the new privileges required can be granted to the two application roles. The security domain of the accountant role, and all the users who are granted the accountant role, will automatically reflect the privilege modification.

As a rule of thumb, use roles in all the situations that you can, in order to simplify end-user privilege management, and make the process more efficient and simple.

Using a Directory Service for End-User Privilege Management

If you have installed the Oracle Advanced Security options, then you can set up a directory service through the enterprise user, and enterprise role features of oracle Advanced Security. This is an alternative way to manage users, and their authorizations centrally.

Administrator Security

There should be a policy in place to address database administrator security. Especially if there are several different types of database administrators in a large database installation. You can group related administrative privileges into several administrative roles. You can then grant different roles to different administrators. In this way you can create a separation of duties, and improve the security of the database installation. However on a small installation, you may just create one custom administrative role, and grant this role to all the administrators.

Franz Devantier,

Need a database health check, or a security audit?

devantierf@gmail.com

Classifieds

Year of the Stem Cell

Devantier Hosting, from $2.75

Host then Profit GVO

Global Domains International

Traffic Exchange Profits

Easy Downlines

Fast Cash and Traffic

Simple Safelists

Traffic Wave - Autoresponder

Traffic Hoopla

Business Related Social Media

Monday, April 22, 2013

Security, Access control on tables - Part 5

Dear Readers,

I will make a deal with you: If you refer me to a company that needs database support, from a few hours per week to full time, and I am able to sign a contract with them.

Contact: Franz

Security, Access control on tables, views, Synonyms or Rows - Part 5

Security Follow-up: Auditing and Prevention

Let’s say that you have carefully designed and implemented security measures, using privileges, views and policies. However you need to monitor how these measures perform in a live situation. You can use auditing to notify you of any suspicious or questionable activities.

Once your auditing is working properly, you will be in a position to investigate in depth your defence systems, and judge their relative effectiveness. You can then strengthen your security measures if appropriate, or loosen up on some other areas that are causing problems with too much security. You can deal with inappropriate actions that you find on the data, and the consequences of these changes. You can identify the offenders and take appropriate actions or measures against them.

Auditing can complement your access control in different ways.

-> You can Audit important data to make sure that any changes are recorded, and if suspicious or malicious action is suspected, you have the audit trail or the meta-data to present a case.

-> You can use your auditing as a way of verifying that your access control mechanisms are working the way they were designed to work.

-> You can design audit policies that are designed to only fire when a security breach has been detected. The other controls that you have in place, should prevent it ever drilling down to this policy, and firing it. If such a policy does fire, it could mean that your security measures are not working as expected, or that you have had a security breach. At least with such a policy, you will be alerted to the possibility.

Franz Devantier,

Need a database health check, or a security audit?

devantierf@gmail.com

Classifieds

Year of the Stem Cell

Devantier Hosting, from $2.75

Host then Profit GVO

Global Domains International

Traffic Exchange Profits

Easy Downlines

Fast Cash and Traffic

Simple Safelists

Traffic Wave - Autoresponder

Traffic Hoopla

Business Related Social Media

Sunday, April 21, 2013

Security, Access control on tables - Part 4

Dear Readers,

I will make a deal with you: If you refer me to a company that needs database support, from a few hours per week to full time, and I am able to sign a contract with them.

Contact: Franz

Security, Access control on tables, views, Synonyms or Rows - Part 4

Application Context

Application context helps you to apply fine-grained access control. The reason why we can say this is because, it allows you to link function-based security policies with applications, using application context and applying the fine-grained access control.

There is a built in application context that ships with Oracle; USERENV. USERENV provides access to predefined attributes. These attributes consist of information that the Oracle Database Server automatically captures for a user session, called “Session Primitives”. For example the IP address, the username, the proxy_user_name, if the user came through a middle tier etc, are available as session primitives; and can be queried through the USERENV or default application context.

Each application also has its own application specific context. Users cannot change the values in the application specific context though SQL*Plus or other means. Application specific context attributes are only accessible to the functions that implement the security policies.

To illustrate, the application specific context attributes for a salary application could include attributes like: position, unit, salary_notch, salary_scale, country etc. The attributes available from an accounts receivable application would be quite different and separated from the salary application. To summarize, application contexts include the default application context, USERENV, in which the user environment attributes are automatically captured. Application contexts for specific applications will contain attributes for the specific applications.

In an application context you can:

-> Base predicates on context values

-> Use context values within predicates as bind variables

-> Set user attributes

-> Access user attributes

To define an application context:

1. You can create a PL/SQL package to validate and set the context for the application. You can use a logon trigger to set the initial context for logged in users.

2. The next step is to create a context name and associate it with the PL/SQL package that you created in step 1. You can use the CREATE CONTEXT syntax, making sure that the context name is unique.

3. Now there are two ways to proceed.

3.1 You can now reference the application context with the policy function in order to implement fine-grained access control.

3.2 You can create a logon event trigger to set the initial context for users of the application. This may include querying personnel information, and setting up values in the attributes, such as the ID Number etc.

4. Now you can just reference the application context for application context values. For example you may like to restrict ordinary users to being able to only see their own salary records.

You would use fine-grained access control to dynamically modify the users query from:

SELECT * FROM salary;

This query would now be modified to.

SELECT * FROM salary WHERE id_number=SYS_CONTEXT(‘salaries’,’id_num’);

The result is that the user will only see their own salary details.

Dynamic Contexts

When you create a policy, you specify how the policy will be defined at runtime. This definition will also have an effect on the efficiency of the policy. The different options that are available are:

-> Static

-> Shared

-> Context-sensitive

-> Dynamic

Policy Types & Run Time Efficiencies

Policy Type	Predicate and Policy Function	Description and Operational Explanation
Static	Same predicate string for anyone accessing the object	Executed once and cached in SGA. Policies for statements accessing the same object do not re-execute the policy function, but use the cached predicate instead.
Shared-static	Same as static, except the policy can be shared across multiple objects	Ideal for data partitions in hosting environments because almost all objects share the same function and the policy is static. Executed once and cached in SGA, but the server first looks for a cached predicate generated by the same policy function of the same policy type.
Context-sensitive and shared context-sensitive	Policy function executed when statement parsed, but value returned is not cached	The policy function is not re-evaluated at statement execution time unless the server detects context changes since the last use of the cursor. (For session pooling where multiple clients share a database session, the middle tier must reset context during client switches.) When a context-sensitive policy is labeled shared, the server first looks for a cached predicate generated by the same policy function of the same policy type within the same database session. If the predicate is found in the session memory, then the policy function is not rerun and the cached value is valid until session private application context changes occur.
Dynamic	Policy function always re-executed on each statement parsing or execution	Server assumes the predicate may be affected by any system or session environment at any time. Dynamic is the system default. If no policy type is specified when DBMS_RLS.ADD_POLICY is called, then dynamic is assumed, so it is best to specify.

Franz Devantier,

Need a database health check, or a security audit?

devantierf@gmail.com

Classifieds

Year of the Stem Cell

Devantier Hosting, from $2.75

Host then Profit GVO

Global Domains International

Traffic Exchange Profits

Easy Downlines

Fast Cash and Traffic

Simple Safelists

Traffic Wave - Autoresponder

Traffic Hoopla

Business Related Social Media

Saturday, April 20, 2013

Security, Access control on tables - Part 3

Dear Readers,

I will make a deal with you: If you refer me to a company that needs database support, from a few hours per week to full time, and I am able to sign a contract with them.

Contact: Franz

Security, Access control on tables, views, Synonyms or Rows - Part 3

Fine-Grained Access Control

Fine-Grained access control works by means of Functions that are used to implement your security policies, which will be associated with tables, views, or synonyms. In Fine-Grained access control the Oracle Database Server automatically enforces your security policies, regardless of how the data in the tables is accessed. It will work the same whether your data is accessed through an application, or through ad-hoc queries from something like SQL*Plus.

Fine-Grained access control includes the following capabilities, which can be enabled.

-> You can limit access at the row level by using different policies for SELECT, UPDATE, INSERT, and DELETE.

-> You can use security policies only on the tables or data that contain the sensitive information.

-> You can allow access to a table, but if the salary column is referenced for example, then you can invoke the security policy.

-> You can restrict access with a combination of row-level and column-level restrictions. A VPD policy applied to the table can have this effect.

-> You have some policies called static policies that are always applied to a table. Other policies called dynamic policies, can be applied, according to the specific situation.

-> You can use multiple policies for each table if required. You can build on top of base polices in packaged applications.

-> Policy groups enable different applications to use different sets of policies. A policy group will belong to an application.

-> You can control the use of INDEX, which can be distinguished in row level security policies.

-> The driving context is the application context. When the fine-grained access control engine looks up the driving context, during the execution of a specific application; The policy group is determined according to the policy group, and all the associated policies for that application, and that belong to that specific policy group are enforced.

Use the PL/SQL package DBMS_RLS to administer your security policies. With DBMS_RLS, you can add, drop, enable, disable, and refresh the policies , or policy groups that you create.

There are a number of areas in fine-grained access control:

-> Dynamic Predicates

-> Application context

-> Dynamic Contexts

-> Policy Groups (set of policies that belongs to an application)

-> INDEX in row level security policies

-> Application Context or Driving Context: application context indicates the policy group in effect. Fine-Grained access control engine looks up the driving context to determine the policy group in effect.

Dynamic Predicates

Dynamic predicates are associated with a security policy which is acquired at statement parse time. Dynamic predicates are aimed at table’s, view’s, and synonym’s. Dynamic predicates are defined through a PL/SQL function which is implemented through a function, during a DML statement on the base table.

The Function or Package that implements the security policy returns a predicate or a WHERE condition. This predicate controls the access of the statement in the application by re-writing it. Rewritten queries are fully shareable and optimized.

For example:

EXEC DBMS_RLS.ADD_POLICY(‘fred’,’salary’,’sal_policy’,’fred’,’sal_security’,’select’);

Now whenever the fred.salary table is selected, the Oracle Database Server calls the sal_security function which returns a predicate, in this case “P1”. The predicate is based on the requirements for the sal_policy . The security policy may also have generated the predicates from the session environment variables, or the application context.

Now the statement is assembled using a transient view:

SELECT * FROM fred.salary where P1;

P1 is then expanded to form.

SELECT * FROM fred.salary where salary < 1000;

The Oracle Database Server does not implement fin-grained access control during MERGE statements. Therefore you must use equivalent INSERT and UPDATE statements instead of the MERGE statement. This will avoid error messages and ensure correct access control operation.

Franz Devantier,

Need a database health check, or a security audit?

devantierf@gmail.com

Classifieds

Year of the Stem Cell

Devantier Hosting, from $2.75

Host then Profit GVO

Global Domains International

Traffic Exchange Profits

Easy Downlines

Fast Cash and Traffic

Simple Safelists

Traffic Wave - Autoresponder

Traffic Hoopla

Business Related Social Media

Friday, April 19, 2013

Security, Access control on tables - Part 2

Dear Readers,

I will make a deal with you: If you refer me to a company that needs database support, from a few hours per week to full time, and I am able to sign a contract with them.

Contact: Franz

Security, Access control on tables, views, Synonyms or Rows - Part 2

Introduction to Views

A view displays the data from a table. Typically the view will display only a subset of the rows of the base table, and also only a subset of the columns of the base table. A view is really a stored query on a certain set of data. So every time you access the view, it causes the underlying SELECT statement/s to be executed. So the view itself, although it is an object, does not contain any data. A view consists of the Query statement.

Data in a view can be INSERTED, UPDATED, and DELETED; provided that the NOT NULL columns are represented in the view, of if the NOT NULL columns are not present in the view, then they have default values. Changing the data in a view, means that the changes submitted are also dependent on all of the integrity constraints and triggers that have been defined on the base tables. Because of all the restrictions, you will find times, when you can’t update a table through a view.

A view may consist of a query statement that includes several base tables that are joined together. This type of view will also be updatable, as long as all the integrity constraint requirements, and trigger requirements on the base tables are met. Because of having default values for certain columns, you may not even be aware of all the values that are going into the full row on the table side.

A view may include summary data, for example a view may consist of the totals of the business conducted in a supermarket on a daily or hourly basis. In this case you can’t update the base tables, because the data that you see, has been derived from the base tables, and therefore does not exist in the base table.

In business applications, a view is often designed to bring a set of data together , that takes quite a complex query to assemble. Then for reporting purposes, queries can be designed on top of this view, to report on various aspects of the progress of the business. I think you can recognise the problem. Just a simple query on the view, will mean that the complex and potentially long running underlying query will first have to be run. As a result such application reporting functionality is slow, to the point of being unusable to some extent. One solution to this dilemma is to create a temporary table, and clean it out and populate it every day, with the query that would have returned the data for the view. Now when you run a query against this temporary table it goes very quickly by comparison. Oracle has gone the next step for you, and created an object called a Materialized View, or a snapshot. A materialized view is like a hybrid between a view and a table. It includes the query as part of the object, but also includes the storage definition as part of the object. So when you create or refresh a materialized view it will run the query, and then store the results in an object that has all the properties of a table; a materialized view. Now you can just refresh this materialized view whenever you need to. A straight-forward materialized is not updatable, so in order to update the underlying tables, you will need to update the tables directly, and then refresh the materialized view in order to be able to see the changes.

If you want a certain set of users to be able to see only specific columns of the underlying tables, then you create a view of that table, that only contains the necessary columns. You can then grant these users, access to the view, and revoke their access to the base table. A synonym to the base table, can keep the process transparent.

Example of a view, notice how the “hire_date” and “salary”, have been left out of the view:

schema object privilege

This is a privilege or right to perform an action on a schema object. There are different object privileges available for different types of schema objects. For example for objects like views and tables, you can grant SELECT, UPDATE, DELETE, INSERT, for objects like procedures and packages, you can grant EXECUTE on them. Some schema objects don’t have associated object privileges, for example clusters, indexes, triggers, and database links. For example because there are no associated object privileges on clusters, a user must either own the cluster or have the ALTER ANY CLUSTER system privilege granted to them, in order to be able to alter a cluster.

In some cases, a finer level of access control is needed for tables and views, and the rows and the possible actions, associated with them. This finer level of access may be associated with an application. Oracle fine-grained access control can be used to facilitate such requirements.

Franz Devantier,

Need a database health check, or a security audit?

devantierf@gmail.com

Classifieds

Year of the Stem Cell

Devantier Hosting, from $2.75

Host then Profit GVO

Global Domains International