Managing Security

Page 1: Managing security

Managing Security

Page 2: Managing security

Security

• Authentication
  – User Account/Login
    • Some applications have a new user account for every user
    • Some applications use one account for all users
  – Password
• Authorization
  – Right to perform any action after successful authentication (access rights)

Page 3: Managing security

User Accounts

• Login to connect to Oracle DB
• Properties of User Account
  – Username
  – Authentication method
  – Default tablespace
  – Tablespace quotas
  – Temporary tablespace
  – User profile
  – Account status

Page 4: Managing security

Default Admin Accounts

• SYS (Highly privileged role)
  – DBA
  – SYSDBA
• SYSTEM
• SYSMAN

Page 5: Managing security

User Name

• Must be unique
• Reserved words not allowed
• Start with a letter
• <= 30 in length
• Letters, digits, $, _ are allowed
  – The above rules, except length, can be broken if the username is specified in double quotes

CREATE USER username IDENTIFIED {BY password | EXTERNALLY | GLOBALLY AS 'external_name'}

Page 6: Managing security

Default Tablespace and Quotas

• Every user account has a default tablespace
  – This is the tablespace where any object (such as tables or indexes) created by the user will reside
• ALTER DATABASE DEFAULT TABLESPACE tablespace_name
• A quota is the amount of space in a tablespace that a user is allowed to occupy

Page 7: Managing security

Temporary Tablespace

• A session will need space in a temporary tablespace if it needs space for certain operations that exceed the space available in the session's PGA.

• ALTER USER username TEMPORARY TABLESPACE tablespace_name;

Page 8: Managing security

Tablespace

• SELECT username, default_tablespace, temporary_tablespace FROM dba_users WHERE username = 'WASTI';
• DESCRIBE is used to show the metadata about a table or view in Oracle
• SELECT tablespace_name, bytes, max_bytes FROM dba_ts_quotas WHERE username = 'WASTI';

Page 9: Managing security

Profile

• A user's profile controls his/her password settings.
  – Password settings
    • Password complexity
    • Retry attempts etc.
    • Password expiration

Page 10: Managing security

Account Status

• OPEN The account is available for use.
• LOCKED This indicates that the DBA deliberately locked the account. No user can connect to a locked account.
• EXPIRED This indicates that the lifetime has expired. Passwords can have a limited lifetime. No user can connect to an EXPIRED account until the password is reset.
• EXPIRED & LOCKED Not only has the account been locked, but its password has also expired.
• EXPIRED (GRACE) This indicates that the grace period is in effect. A password need not expire immediately when its lifetime ends; it may be configured with a grace period during which users connecting to the account have the opportunity to change the password.

Page 11: Managing security

Account Status

• LOCKED (TIMED) This indicates that the account is locked because of failed login attempts. An account can be configured to lock automatically for a period after an incorrect password is presented a certain number of times.

• EXPIRED & LOCKED (TIMED)
• EXPIRED (GRACE) & LOCKED
• EXPIRED (GRACE) & LOCKED (TIMED)

Page 12: Managing security

Account Status

• ALTER USER username ACCOUNT LOCK;
• ALTER USER username ACCOUNT UNLOCK;
• ALTER USER username PASSWORD EXPIRE;
  – There is no such command as "alter…unexpire."

Page 13: Managing security

Authentication Methods

• A user account must have an authentication method so that the DB can allow the user to create a session.
  – Operating system authentication
  – Password file authentication
  – Password authentication
  – External authentication
  – Global authentication

Page 14: Managing security

Operating System and Password File Authentication

• To enable operating system and password file authentication
  – The user account must have been granted the SYSDBA or SYSOPER privilege

• Granting either (or both) of these privileges will copy the user’s password from the data dictionary into the external password file, where it can be read by the instance even if the database is not open.

Page 15: Managing security

User Accounts

• GRANT [sysdba | sysoper] TO username;
• CONNECT username / password AS [SYSOPER | SYSDBA];

Page 16: Managing security

Password Authentication

• CONNECT username / password;
• Any user can change his/her user account password at any time, or a highly privileged user (such as SYSTEM) can change any user account password.
• The syntax (whether you are changing your own password or another one) is
• ALTER USER username IDENTIFIED BY password;

Page 17: Managing security

Creating User Accounts

1. create user shahbaz identified by wasti
2. default tablespace users temporary tablespace temp
3. quota 100m on users quota unlimited on example
4. profile developer_profile
5. password expire
6. account unlock;

Page 18: Managing security

Creating User Accounts

1. Provide the username, and a password for password authentication.
2. Provide the default and temporary tablespaces.
3. Set up quotas on the default and another tablespace.
4. Nominate a profile for password and resource management.
5. Force the user to change his password immediately.
6. Make the account available for use (which would have been the default).

Page 19: Managing security

Creating User Account

• Every attribute of an account can be adjusted later with ALTER USER commands, with the exception of the name.

• To change the password,
  – alter user shahbaz identified by hasan;
• To change the default and temporary tablespaces,
  – alter user scott default tablespace hr_data temporary tablespace hr_temp;

Page 20: Managing security

Creating User Accounts

• To change quotas,
  – alter user scott quota unlimited on hr_data quota 0 on users;
• To change the profile,
  – alter user scott profile prod_profile;
• To force a password change,
  – alter user scott password expire;
• To lock the account,
  – alter user scott account lock;
• Having created a user account, it may be necessary to drop it:
  – drop user scott;
  – drop user scott cascade;

Page 21: Managing security

User Privileges/ Rights

• By default, no one can do anything in an Oracle database. A user cannot even connect without being granted a privilege.

• Privileges are assigned to user accounts with a GRANT command and withdrawn with a REVOKE.

Page 22: Managing security

System Privileges

There are about two hundred system privileges. Most apply to actions that affect the data dictionary, such as creating tables or users.

• CREATE SESSION This lets the user connect. Without this, he/she cannot even log on to the database.
• ALTER DATABASE Gives access to many commands necessary for modifying physical structures.
• ALTER SYSTEM Gives control over instance parameters and memory structures.
• CREATE TABLESPACE With the ALTER TABLESPACE and DROP TABLESPACE privileges, these will let a user manage tablespaces.
• CREATE TABLE Lets the grantee create tables in his/her own schema; includes the ability to alter and drop them, to run SELECT and DML commands on them, and to create, alter, or drop indexes on them.

Page 23: Managing security

Object Privileges

• GRANT ANY OBJECT PRIVILEGE Lets the grantee grant object permissions on objects he/she does not own to others—but not to himself/herself.

• CREATE ANY TABLE The grantee can create tables that belong to other users.

• DROP ANY TABLE The grantee can drop tables belonging to other users.

• INSERT ANY TABLE, UPDATE ANY TABLE, DELETE ANY TABLE The grantee can execute these DML commands against tables owned by all other users.

• SELECT ANY TABLE The grantee can SELECT from any table in the database.

Page 24: Managing security

Grant & Revoke

• grant create session to shahbaz;
• revoke create session from shahbaz;

Page 25: Managing security

Object Privileges

• Object privileges give the ability to perform SELECT, INSERT, UPDATE, and DELETE commands against tables and related objects

Privilege   Granted on
SELECT      Tables, views, sequences, synonyms
INSERT      Tables, views, synonyms
UPDATE      Tables, views, synonyms
DELETE      Tables, views, synonyms
ALTER       Tables, sequences
EXECUTE     Procedures, functions, packages, synonyms

Page 26: Managing security

Object Privileges

• GRANT privilege ON schema.object TO username [WITH GRANT OPTION];
• grant select on hr.regions to shahbaz;
• grant select on hr.employees to scott;
• grant update (salary) on hr.employees to scott;
• grant all on hr.regions to scott;

Page 27: Managing security

Object Privileges

• With Grant Option
  – Using WITH GRANT OPTION lets a user pass his/her object privilege on to a third party.
    • connect hr/hr;
    • grant select on employees to scott with grant option;
    • connect scott/tiger;
    • grant select on hr.employees to jon with grant option;
    • conn jon/jon;
    • grant select on hr.employees to sue;
    • connect hr/hr;
    • revoke select on employees from scott;
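The grant chain built by the statements above can be traced from the data dictionary. This query is an added example, not part of the original slides; it assumes the HR.EMPLOYEES grants shown on this slide and a session allowed to read DBA_TAB_PRIVS. Run it before the final REVOKE to see SCOTT, JON and SUE; after the REVOKE it returns no rows, because revoking an object privilege also removes the grants that were passed on through WITH GRANT OPTION.

```sql
-- Added example: walk the WITH GRANT OPTION chain for SELECT on HR.EMPLOYEES.
WITH g AS (
  -- One row per (grantor, grantee) for the privilege under review.
  SELECT grantor, grantee, grantable
  FROM   dba_tab_privs
  WHERE  owner      = 'HR'
  AND    table_name = 'EMPLOYEES'
  AND    privilege  = 'SELECT'
)
SELECT LEVEL                                       AS depth,
       grantor,
       grantee,
       grantable,
       'HR' || SYS_CONNECT_BY_PATH(grantee, ' -> ') AS chain
FROM   g
-- Start from grants made by the owner, then follow each grantee
-- who was allowed to pass the privilege on (GRANTABLE = 'YES').
START WITH grantor = 'HR'
CONNECT BY NOCYCLE PRIOR grantee   = grantor
               AND PRIOR grantable = 'YES'
ORDER  SIBLINGS BY grantee;
```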

Page 28: Managing security

Create and Manage Roles

• Managing security with directly granted privileges works but has two problems.

• First, it can be a huge workload
• Second, if a privilege has been granted to a user, that user has it in all circumstances: it is not possible to make a privilege active only in certain circumstances.

• Both these problems are solved by using roles. A role is a bundle of system and/or object privileges that can be granted and revoked as a unit, and having been granted can be temporarily activated or deactivated within a session.

Page 29: Managing security

Create and Manage Roles

• CREATE ROLE rolename;
• Predefined Roles
• CONNECT This only exists for backward compatibility. In previous releases, it had the system privileges necessary to create data storing objects, such as tables; with the current release, it only has CREATE SESSION.
• RESOURCE Also for backward compatibility, this role can create both data objects (such as tables) and procedural objects (such as PL/SQL procedures). It also includes UNLIMITED TABLESPACE.
• DBA Has most of the system privileges, and several object privileges and roles. Any user granted DBA can manage virtually all aspects of the database, except for startup and shutdown.

• SELECT_CATALOG_ROLE Has over 2000 object privileges against data dictionary objects, but no system privileges or privileges against user data. Useful for junior administration staff who must monitor and report on the database but not be able to see user data.

• SCHEDULER_ADMIN Has the system privileges necessary for managing the Scheduler job scheduling service.

Page 30: Managing security

Enabling Roles

• A role is enabled by assigning it to the user
• To view a user and its roles, the following SQL is required
• SELECT * FROM dba_role_privs WHERE grantee = 'WASTI';
• SELECT * FROM dba_role_privs WHERE grantee = 'JON';
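Because roles can be granted to other roles, DBA_ROLE_PRIVS alone does not show what a user can actually do. The query below is an added example, not from the original slides, covering both the ANY privileges listed earlier and the roles described here: it expands nested roles and reports every user who holds one of those privileges, directly or through a role. The list of privileges to flag is taken from the slide above and can be extended.

```sql
-- Added example: users holding powerful ANY privileges, directly or via roles.
WITH role_tree AS (
  -- Expand role-to-role grants; every grantee is treated as a starting point.
  SELECT CONNECT_BY_ROOT grantee AS root_grantee,
         granted_role
  FROM   dba_role_privs
  CONNECT BY NOCYCLE PRIOR granted_role = grantee
),
all_privs AS (
  -- Privileges granted straight to the account ...
  SELECT grantee, privilege, 'DIRECT' AS via
  FROM   dba_sys_privs
  UNION ALL
  -- ... and privileges inherited from any role in the expanded tree.
  SELECT rt.root_grantee, sp.privilege, sp.grantee
  FROM   role_tree rt
  JOIN   dba_sys_privs sp ON sp.grantee = rt.granted_role
)
SELECT DISTINCT u.username, u.account_status, p.privilege, p.via
FROM   dba_users u
JOIN   all_privs p ON p.grantee = u.username
WHERE  p.privilege IN ('GRANT ANY OBJECT PRIVILEGE',
                       'CREATE ANY TABLE', 'DROP ANY TABLE',
                       'INSERT ANY TABLE', 'UPDATE ANY TABLE',
                       'DELETE ANY TABLE', 'SELECT ANY TABLE')
ORDER  BY u.username, p.privilege, p.via;
```

The VIA column shows DIRECT or the name of the role that carries the privilege, which tells you whether to revoke from the user or from the role.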

Page 31: Managing security

Create and Manage Profiles

• A profile has a dual function: to enforce a password policy and to restrict the resources a session can take up.

• Password controls are always enforced; resource limits are only enforced if the instance parameter RESOURCE_LIMIT is set to TRUE; by default, it is FALSE.

• ALTER system set resource_limit = true;

Page 32: Managing security

Password Management

• FAILED_LOGIN_ATTEMPTS Specifies the number of consecutive errors on a password before the account is locked. If the correct password is given before this limit is reached, the counter is reset to zero.
• PASSWORD_LOCK_TIME The number of days to lock an account after FAILED_LOGIN_ATTEMPTS is reached.
• PASSWORD_LIFE_TIME The number of days before a password expires. It may still be usable for a while after this time, depending on PASSWORD_GRACE_TIME.
• PASSWORD_GRACE_TIME The number of days following the first successful login after the password has expired that prompts to change the password will be generated. The old password is still usable during this time.
• PASSWORD_REUSE_TIME The number of days before a password can be reused.
• PASSWORD_REUSE_MAX The number of times a password can be reused.
• PASSWORD_VERIFY_FUNCTION The name of a function to run whenever a password is changed. The purpose of the function is assumed to be checking the new password for a required degree of complexity, but it can do pretty much anything you want.

Page 33: Managing security

Resource Limit

The limits that can be applied to resource usage

• SESSIONS_PER_USER The number of concurrent logins that can be made to the same user account. Sessions attempting to log in with the same user name when this limit is reached will be blocked.
• CPU_PER_SESSION The CPU time that a session's server process is allowed to use before the session is forcibly terminated.
• CPU_PER_CALL The CPU time that a session's server process is allowed to use to execute one SQL statement before the statement is forcibly terminated.
• LOGICAL_READS_PER_SESSION The number of blocks that can be read by a session (irrespective of whether they were in the database buffer cache or read from disk) before the session is forcibly terminated.

Page 34: Managing security

Resource Limit

• LOGICAL_READS_PER_CALL The number of blocks that can be read by a single statement (irrespective of whether they were in the database buffer cache or read from disk) before the statement is forcibly terminated.
• PRIVATE_SGA For sessions connected through the shared server architecture, the number of kilobytes that the session is allowed to take in the SGA for session data.
• CONNECT_TIME In minutes, the maximum duration of a session before the session is forcibly terminated.
• IDLE_TIME In minutes, the maximum time a session can be idle before the session is forcibly terminated.
• COMPOSITE_LIMIT A weighted sum of CPU_PER_SESSION, CONNECT_TIME, LOGICAL_READS_PER_SESSION, and PRIVATE_SGA.

Page 35: Managing security

Default Profile

• This will alter the default profile
• ALTER PROFILE DEFAULT LIMIT
    PASSWORD_LIFE_TIME 180
    PASSWORD_GRACE_TIME 7
    PASSWORD_REUSE_TIME UNLIMITED
    PASSWORD_REUSE_MAX UNLIMITED
    FAILED_LOGIN_ATTEMPTS 10
    PASSWORD_LOCK_TIME 1
    PASSWORD_VERIFY_FUNCTION verify_function_11G;

Page 36: Managing security

Default Profile

• The default profile has no resource limits but does have some password limits
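A profile that leaves a limit unset inherits it from the DEFAULT profile, so checking a user's password policy means resolving that inheritance. The following is an added example, not from the original slides: it lists accounts whose effective password limits are weak. Which values count as weak (unlimited failed logins, unlimited password lifetime, no verify function) is an assumption of this example.

```sql
-- Added example: effective password limits per account, with DEFAULT resolved.
SELECT username, account_status, profile, resource_name, effective_limit
FROM (
  SELECT u.username,
         u.account_status,
         u.profile,
         p.resource_name,
         -- A limit of DEFAULT means "use the value from the DEFAULT profile".
         DECODE(p.limit, 'DEFAULT', d.limit, p.limit) AS effective_limit
  FROM   dba_users u
  JOIN   dba_profiles p ON p.profile = u.profile
  JOIN   dba_profiles d ON d.profile = 'DEFAULT'
                       AND d.resource_name = p.resource_name
  WHERE  p.resource_type = 'PASSWORD'
)
WHERE  (resource_name = 'FAILED_LOGIN_ATTEMPTS'    AND effective_limit = 'UNLIMITED')
   OR  (resource_name = 'PASSWORD_LIFE_TIME'       AND effective_limit = 'UNLIMITED')
   OR  (resource_name = 'PASSWORD_VERIFY_FUNCTION' AND effective_limit = 'NULL')
ORDER  BY username, resource_name;

-- Resource (KERNEL) limits in any profile only apply when this returns TRUE.
SELECT value FROM v$parameter WHERE name = 'resource_limit';
```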

Page 37: Managing security

VERIFY_FUNCTION_11G

• It checks the password and will reject a password change if it does not meet the complexity criteria

• The new password must be at least eight characters long.
• The new password cannot be the same as the username (spelled backward or forward) or the name of the database, in upper- or lowercase.

• A few simple and commonly used passwords (such as “oracle”) will be rejected.

• The new password must have at least one letter and at least one digit.

• The password must differ in at least three characters from the preceding password.
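A site-specific function can be used in place of the supplied one. The function below is an added example, not Oracle's shipped script and not from the original slides: it implements the length, username, letter-and-digit and three-character-difference rules listed above, uses a short constructed deny-list, and omits the database-name check. The name example_verify is hypothetical.

```sql
-- Added example; example_verify is a hypothetical name. Create it while connected as SYS.
CREATE OR REPLACE FUNCTION example_verify (
  username     VARCHAR2,
  password     VARCHAR2,
  old_password VARCHAR2
) RETURN BOOLEAN IS
  reversed_name VARCHAR2(128);
  differ        PLS_INTEGER;
BEGIN
  IF LENGTH(password) < 8 THEN
    RAISE_APPLICATION_ERROR(-20001, 'Password must be at least 8 characters long');
  END IF;

  -- Username spelled forward or backward, compared without regard to case.
  FOR i IN REVERSE 1 .. LENGTH(username) LOOP
    reversed_name := reversed_name || SUBSTR(username, i, 1);
  END LOOP;
  IF UPPER(password) IN (UPPER(username), UPPER(reversed_name)) THEN
    RAISE_APPLICATION_ERROR(-20002, 'Password must not be the username');
  END IF;

  -- Constructed deny-list standing in for the commonly used passwords check.
  IF LOWER(password) IN ('oracle123', 'welcome1', 'password1') THEN
    RAISE_APPLICATION_ERROR(-20003, 'Password is too common');
  END IF;

  IF NOT REGEXP_LIKE(password, '[[:alpha:]]')
     OR NOT REGEXP_LIKE(password, '[[:digit:]]') THEN
    RAISE_APPLICATION_ERROR(-20004, 'Password needs a letter and a digit');
  END IF;

  -- old_password is NULL when a privileged user resets another account,
  -- so the difference check can only run when the old value was supplied.
  IF old_password IS NOT NULL THEN
    differ := ABS(LENGTH(old_password) - LENGTH(password));
    FOR i IN 1 .. LEAST(LENGTH(old_password), LENGTH(password)) LOOP
      IF SUBSTR(old_password, i, 1) <> SUBSTR(password, i, 1) THEN
        differ := differ + 1;
      END IF;
    END LOOP;
    IF differ < 3 THEN
      RAISE_APPLICATION_ERROR(-20005, 'Password must differ from the old one in at least 3 characters');
    END IF;
  END IF;
  RETURN TRUE;
END;
/
```

Attach it to a profile with the PASSWORD_VERIFY_FUNCTION limit, in the same way verify_function_11G is attached to the DEFAULT profile above.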

Page 38: Managing security

Creating and Assigning Profiles

1. Connect to your database with SQL*Plus as user system.
2. Create a profile that will lock accounts after two wrong passwords:
   create profile admin_profile limit failed_login_attempts 2;
3. Assign this new profile to shahbaz:
   alter user shahbaz profile admin_profile;
4. Deliberately enter the wrong password for shahbaz a few times:
   connect shahbaz/wasti
5. As user SYSTEM, unlock the shahbaz account:
   alter user shahbaz account unlock;
6. Check that shahbaz can now connect:
   connect shahbaz/oracle