云和恩墨 (Enmotech), fulfilling what is entrusted. By 王朝阳 (Wang Zhaoyang), 18516271611, [email protected]

Administering User Security

Oracle security 02-administering user security



Objectives

After completing this lesson, you should be able to:
• Create and manage database user accounts:
  – Authenticate users
  – Assign default storage areas (tablespaces)
• Grant and revoke privileges
• Create and manage roles
• Create and manage profiles:
  – Implement standard password security features
  – Control resource usage by users


Database User Accounts

Each database user account has:
• A unique username
• An authentication method
• A default tablespace
• A temporary tablespace
• A user profile
• An initial consumer group
• An account status

A schema:
• Is a collection of database objects that are owned by a database user
• Has the same name as the user account


Predefined Administrative Accounts

• SYS account:
  – Is granted the DBA role, as well as several other roles
  – Has all privileges with ADMIN OPTION
  – Is required for startup, shutdown, and some maintenance commands
  – Owns the data dictionary and the Automatic Workload Repository (AWR)
• SYSTEM account is granted the DBA, MGMT_USER, and AQ_ADMINISTRATOR_ROLE roles.
• DBSNMP account is granted the OEM_MONITOR role.
• SYSMAN account is granted the MGMT_USER, RESOURCE, and SELECT_CATALOG_ROLE roles.
• These accounts are not used for routine operations.


SYSOPER and SYSDBA


Creating a User

Select Server > Users, and then click the Create button.


Authenticating Users

• Password
• External
• Global


Fixed Database Links

• Create a public fixed database link (the link connects to the remote database ORCL10g as hr/oracle):

  CREATE PUBLIC DATABASE LINK dblk_orcl10g_hr
    CONNECT TO hr IDENTIFIED BY oracle
    USING 'ORCL10g';

• Use a public database link:

  SELECT * FROM employees@dblk_orcl10g_hr;


Viewing Database Link Passwords

• A privileged user may view database link passwords:

  SELECT userid, password
    FROM sys.link$
   WHERE password IS NOT NULL;

  USERID     PASSWORD
  ---------- ----------
  SYSTEM     ORACLE
  SCOTT      TIGER

• The passwords for fixed links are stored in clear text in 10g.


Database Links Without Credentials

• Creating a connected user database link:

  CREATE DATABASE LINK sales.division3.acme.com USING 'sales';

• Creating a current user database link:

  CREATE DATABASE LINK sales CONNECT TO CURRENT_USER USING 'sales';


Audit Database Links

[Diagram: the user jane connects to the local database (connect jane/doe) and reaches the remote FINANCE database through a fixed link that connects as scott (connect scott/tiger). The local database audits jane; the remote database audits scott.]


Administrator Authentication

Operating system security:
• DBAs must have the OS privileges to create and delete files.
• Typical database users should not have the OS privileges to create or delete database files.

Administrator security:
• For SYSDBA, SYSOPER, and SYSASM connections:
  – DBA user by name is audited for password file and strong authentication methods
  – OS account name is audited for OS authentication
  – OS authentication takes precedence over password file authentication for privileged users
  – Password file uses case-sensitive passwords


Locking and Expiring Default User Accounts

• The Database Configuration Assistant (DBCA) expires and locks all accounts, except:
  – SYS
  – SYSTEM
  – SYSMAN
  – DBSNMP
• For a manual installation, lock and expire accounts by using:

  ALTER USER hr PASSWORD EXPIRE ACCOUNT LOCK;


Privileges

There are two types of user privileges:
• System: Enables users to perform particular actions in the database
• Object: Enables users to access and manipulate a specific object

[Diagram: the user HR_DBA holds the system privilege CREATE SESSION and the object privilege UPDATE on employees.]


System Privileges


Object Privileges

To grant object privileges (in Enterprise Manager):
1. Choose the object type.
2. Search for and select objects.
3. Select privileges.


Revoking System Privileges with ADMIN OPTION

REVOKE CREATE TABLE FROM joe;

[Diagram: the DBA grants a system privilege to Joe with ADMIN OPTION, and Joe grants it on to Emily (GRANT). After REVOKE CREATE TABLE FROM joe, Emily still holds the privilege: revoking a system privilege does not cascade to the users the grantee passed it on to.]


Revoking Object Privileges with GRANT OPTION

[Diagram: Bob grants an object privilege to Joe with GRANT OPTION, and Joe grants it on to Emily (GRANT). When Bob revokes the privilege from Joe (REVOKE), Emily loses it as well: revoking an object privilege cascades through the grants made with it.]
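The two diagrams as a script a DBA can run to see the difference for themselves. This is an added example, not code from the slides; the users joe and emily and the table bob.orders are assumed to exist, and the statements marked "run as joe" or "run as bob" are issued from those sessions.

```sql
-- Run as a DBA. The same chain as the two diagrams: DBA -> joe -> emily for a
-- system privilege, bob -> joe -> emily for an object privilege.
-- Assumed to exist: users joe and emily, and the table bob.orders.

-- System privilege granted WITH ADMIN OPTION and passed on by joe.
GRANT CREATE TABLE TO joe WITH ADMIN OPTION;
-- (run as joe) GRANT CREATE TABLE TO emily;
REVOKE CREATE TABLE FROM joe;

-- No cascade: emily still holds CREATE TABLE, so this returns one row (EMILY).
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE grantee IN ('JOE', 'EMILY') AND privilege = 'CREATE TABLE';

-- Object privilege granted WITH GRANT OPTION and passed on by joe.
-- (run as bob) GRANT SELECT ON bob.orders TO joe WITH GRANT OPTION;
-- (run as joe) GRANT SELECT ON bob.orders TO emily;
-- (run as bob) REVOKE SELECT ON bob.orders FROM joe;

-- Cascade: joe's grant to emily went with joe's own privilege, so no rows.
SELECT grantee, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'BOB' AND table_name = 'ORDERS'
   AND grantee IN ('JOE', 'EMILY');
```

The two dictionary queries are the check to keep: after a revoke, look at dba_sys_privs for system privileges that survived through an ADMIN OPTION chain.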


Benefits of Roles

• Easier privilege management
• Dynamic privilege management
• Selective availability of privileges


Assigning Privileges to Roles and Assigning Roles to Users

[Diagram: the privileges Delete employees, Select employees, Update employees, Insert employees, and Create Job are grouped into the roles HR_CLERK and HR_MGR, and the roles are assigned to the users Jenny, David, and Rachel.]


Predefined Roles

Role                 Privileges included
-------------------- ------------------------------------------------------------
CONNECT              CREATE SESSION
RESOURCE             CREATE CLUSTER, CREATE INDEXTYPE, CREATE OPERATOR,
                     CREATE PROCEDURE, CREATE SEQUENCE, CREATE TABLE,
                     CREATE TRIGGER, CREATE TYPE
SCHEDULER_ADMIN      CREATE ANY JOB, CREATE EXTERNAL JOB, CREATE JOB,
                     EXECUTE ANY CLASS, EXECUTE ANY PROGRAM, MANAGE SCHEDULER
DBA                  Most system privileges; several other roles.
                     Do not grant to nonadministrators.
SELECT_CATALOG_ROLE  No system privileges; HS_ADMIN_ROLE and over 1,700
                     object privileges on the data dictionary


Creating a Role

Select Server > Roles. Add privileges and roles from the appropriate tab. Click OK when finished.


Secure Application Roles

• Roles can be nondefault and enabled when required:

  SET ROLE vacationdba;

• Roles can be protected through authentication.
• Roles can also be secured programmatically:

  CREATE ROLE secure_application_role IDENTIFIED USING <security_procedure_name>;


Implementing a Secure Application Role

1. Create the role.
2. Create the package that sets the role:
   a. Create the package specification.
   b. Create the package body.
3. Grant the execute privilege on the package.
4. Write the application server code that sets the role.


Step 1: Create the Role

• The CREATE ROLE command identifies the package that sets the role.
• The package does not need to exist.
• Example:

  CREATE ROLE oe_sales_rep IDENTIFIED USING secure.oe_roles;


Step 2.1: Create the Package Specification

• The OE_ROLES package is referenced in the CREATE ROLE command.
• The AUTHID CURRENT_USER clause is required to properly set the role.
• Example:

  CREATE OR REPLACE PACKAGE oe_roles AUTHID CURRENT_USER IS
    PROCEDURE set_sales_rep_role;
  END;
  /


Step 2.2: Create the Package Body

• Example (fragment of the procedure body):

  ...
  SELECT id
    INTO v_id
    FROM oe.app_roles
   WHERE username = sys_context('userenv', 'current_user')
     AND role = 'SALES_REP'
     AND ip_address = sys_context('userenv', 'ip_address');
  dbms_session.set_role('oe_sales_rep');
  ...


Step 3: Grant the EXECUTE Privilege on the Package

• The application server connects as the appsrv user.
• It sets the role after it starts the user's session.
• Example:

  GRANT EXECUTE ON oe_roles TO appsrv;


Step 4: Write the Application Server Code That Sets the Role

• When starting, the application server:
  – Connects as the APPSRV user
  – Creates a connection pool
• When starting a session for a user, the application server:
  – Gets a connection from the pool
  – Starts a session for the user
  – Sets the user's role
• Set the user's role by using:

  secure.oe_roles.set_sales_rep_role;


Data Dictionary Views

SQL> SELECT *
  2    FROM dba_application_roles
  3   WHERE role = 'OE_SALES_REP';

ROLE          SCHEMA  PACKAGE
------------- ------- --------
OE_SALES_REP  SECURE  OE_ROLES

SQL>


Assigning Roles to Users


Quiz

All passwords created in Oracle Database 11g are not case-sensitive by default.
1. True
2. False


Quiz

A database role:
1. Can be enabled or disabled
2. Can consist of system and object privileges
3. Is owned by its creator
4. Cannot be protected by a password


Profiles and Users

Users are assigned only one profile at a time.

Profiles:
• Control resource consumption
• Manage account status and password expiration

Note: RESOURCE_LIMIT must be set to TRUE before profiles can impose resource limitations.


Implementing Password Security Features

Setting up profiles for a user provides:
• Password history
• Account locking
• Password aging and expiration
• Password complexity verification

Note: Do not use profiles that cause the SYS, SYSMAN, and DBSNMP passwords to expire and the accounts to be locked.


Creating a Password Profile


Supplied Password Verification Function: VERIFY_FUNCTION_11G

The VERIFY_FUNCTION_11G function ensures that the password is:
• At least eight characters
• Different from the username, the username with a number, or the username reversed
• Different from the database name or the database name with a number
• A string with at least one alphabetic and one numeric character
• Different from the previous password by at least three letters

Tip: Use this function as a template to create your own customized password verification.


Assigning Quotas to Users

Users who do not have the UNLIMITED TABLESPACE system privilege must be given a quota before they can create objects in a tablespace.

Quotas can be:
• A specific value in megabytes or kilobytes
• Unlimited


Applying the Principle of Least Privilege

• Protect the data dictionary:

  O7_DICTIONARY_ACCESSIBILITY=FALSE

• Revoke unnecessary privileges from PUBLIC.
• Use access control lists (ACL) to control network access.
• Restrict the directories accessible by users.
• Limit users with administrative privileges.
• Restrict remote database authentication:

  REMOTE_OS_AUTHENT=FALSE
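A DBA-side check for each item on this slide, plus a query for the fixed database links discussed earlier, as an added example (not a script from the slides). Everything is read-only except the two ALTER SYSTEM statements at the end; the package and view names are standard Oracle ones, and the list of packages to look for in item 3 is my own choice.

```sql
-- 1. The two parameters from the slide (expected value for both: FALSE).
SELECT name, value
  FROM v$parameter
 WHERE name IN ('o7_dictionary_accessibility', 'remote_os_authent');

-- 2. System privileges and roles held by PUBLIC (expected: no rows).
SELECT 'SYSTEM PRIVILEGE' AS kind, privilege AS name FROM dba_sys_privs WHERE grantee = 'PUBLIC'
UNION ALL
SELECT 'ROLE', granted_role FROM dba_role_privs WHERE grantee = 'PUBLIC';

-- 3. Network and file packages executable by PUBLIC; each row is a candidate
--    for REVOKE, with network access then granted per user through an ACL.
SELECT table_name, 'REVOKE EXECUTE ON ' || table_name || ' FROM PUBLIC;' AS fix
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC' AND owner = 'SYS' AND privilege = 'EXECUTE'
   AND table_name IN ('UTL_TCP', 'UTL_HTTP', 'UTL_SMTP', 'UTL_FILE');

-- 4. Directory objects and who may read or write them.
SELECT d.directory_name, d.directory_path, p.grantee, p.privilege
  FROM dba_directories d
  JOIN dba_tab_privs p ON p.table_name = d.directory_name
 ORDER BY d.directory_name, p.grantee;

-- 5. Accounts with administrative power, to keep that list short and reviewed.
SELECT grantee AS account, 'DBA role' AS why FROM dba_role_privs WHERE granted_role = 'DBA'
UNION ALL
SELECT username, 'in password file (SYSDBA/SYSOPER)' FROM v$pwfile_users
UNION ALL
SELECT DISTINCT grantee, 'holds a system privilege WITH ADMIN OPTION'
  FROM dba_sys_privs WHERE admin_option = 'YES'
ORDER BY 1;

-- 6. Fixed database links carry a stored remote password; connected-user or
--    current-user links avoid that.
SELECT owner, db_link, username, host
  FROM dba_db_links
 WHERE username IS NOT NULL;

-- Apply the two parameter settings; both are static, so they take effect at
-- the next restart.
ALTER SYSTEM SET o7_dictionary_accessibility = FALSE SCOPE = SPFILE;
ALTER SYSTEM SET remote_os_authent = FALSE SCOPE = SPFILE;
```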


Protect Privileged Accounts

Privileged accounts can be protected by:
• Using a password file with case-sensitive passwords
• Enabling strong authentication for administrator roles (SYSDBA)


Separation of Responsibilities

Users with DBA privileges must be trusted, but separation of responsibilities can:
• Prevent abuse of trust
• Allow audit trails to protect the trusted position

To implement separation of trust:
• DBA responsibilities must be shared
• Accounts must never be shared
• DBA and system administrator must be different people
• SYSOPER and SYSDBA responsibilities must be separated


Quiz

Applying the principle of least privilege is not enough to harden the Oracle database.
1. True
2. False


Quiz

With RESOURCE_LIMIT set at its default value of FALSE, profile password limitations are ignored.
1. True
2. False


Summary

In this lesson, you should have learned how to:
• Create and manage database user accounts:
  – Authenticate users
  – Assign default storage areas (tablespaces)
• Grant and revoke privileges
• Create and manage roles
• Create and manage profiles:
  – Implement standard password security features
  – Control resource usage by users


Q&A