Oracle Database Security 12c


Jan‐Peter Timmermann, PITSS GmbH

The Oracle Modernization Experts

www.pitss.com

© PITSS GmbH 2014

PITSS GmbH History

Who we are:

• Forms and Reports modernization experts
• Over 15 years of experience with Oracle technologies
• Oracle Gold Partner
• Member of the Oracle Modernization Alliance
• Oracle Forms Migration Partner

PITSS America LLC (www.pitssamerica.com); PITSS GmbH Stuttgart/Bielefeld (www.pitss.de, www.pitss.com)


PITSS Locations

• PITSS Region North: D-33604 Bielefeld, [email protected], Tel.: +49 521 546 795-00
• PITSS Region Southwest (HQ): D-70567 Stuttgart, [email protected], Tel.: +49 711 728 752-00
• PITSS Region Southeast: D-82515 Wolfratshausen, [email protected], Tel.: +49 8171 21 62-10
• Milton Keynes, UK
• Troy (MI), USA


Security Risks and Oracle Solutions

Security requirements and the Oracle features that address them (course overview):

• Net Services: Firewall, Network Traffic Encryption, Listener Security
• Basic Database Security
• Authentication: Basic, Strong, Proxy, Database and Enterprise Users
• Privileges and Roles: Privilege Analysis
• Data Access Control: Virtual Private Database, RMAN Virtual Private Catalog, Oracle Label Security
• Data Confidentiality: Data Redaction, Data Masking, Transparent Data Encryption, TSDP (Transparent Sensitive Data Protection), DBMS_CRYPTO, Database Storage Security
• Auditing: Unified Auditing, Fine-Grained Audit

Network security basics:

• Use a firewall.
• Restrict IP addresses.
• Encrypt network traffic.
• Use network log files to monitor connections.

Restricting Network IP Addresses

Valid node checking is configured in the sqlnet.ora of the database server; the listener enforces it, so reload or restart the listener after changing these parameters:

tcp.validnode_checking = YES
tcp.excluded_nodes = (135.245.234.44)
tcp.invited_nodes = (144.198.58.146, 144.198.58.147)

Two practical points: when tcp.invited_nodes is set, only the listed nodes may connect and tcp.excluded_nodes is effectively ignored (the invited list takes precedence), so the example above is really an allow-list of two hosts; and the database server's own address must be on the invited list, otherwise local tools and the instance's own service registration with the listener are refused as well.

Restricting Network IP Addresses: Caveats

• Do not use IP restrictions as your only security: IP addresses can be spoofed.
• Use listener node registration lists (in 12c: VALID_NODE_CHECKING_REGISTRATION_listener_name together with REGISTRATION_INVITED_NODES_listener_name in listener.ora), so that only known hosts can register services with the listener.
• Limit access by protocol: TCPS (TLS over TCP) authenticates the server, optionally the client, and encrypts the traffic, so it can replace plain TCP for remote clients.

Listener Security: Checklist

• Limit the privileges of the listener (run it as an unprivileged OS user, never as root).
• Restrict node registration.
• Move the listener to a nondefault port (this only hides the service from casual scans; a port scan still finds it, so treat it as hygiene, not as a control).
• Secure administration.
• Protect against denial-of-service (DoS) attacks.
• Monitor listener activity.

Listener Administration

• Password-protecting the listener is no longer supported (deprecated since 11g).
• Local listener administration is secured through local operating system authentication: only the OS user that owns the listener process can run lsnrctl commands against it.
• By default, remote listener administration is disabled.
• If it is enabled, remote listener administration allows all commands except START (the listener process can only be started on its own host).

INBOUND_CONNECT_TIMEOUT

Protect the listener from DoS attacks (clients that open a connection and never complete authentication) with the following network parameters:

• SQLNET.INBOUND_CONNECT_TIMEOUT (sqlnet.ora, applies to the database server)
• INBOUND_CONNECT_TIMEOUT_listener_name (listener.ora, applies to the listener)

These parameters:

• Set the time allowed for a connection to complete authentication
• Log failures with the source IP address (in the server's sqlnet.log and the listener's listener.log)

Default: 60 seconds.

ORAPKI

Creating a wallet with orapki. The following steps follow the My Oracle Support note "Configuring SSL for Client Authentication and Encryption With Self Signed Certificates On Both Ends Using orapki" (Doc ID 401251.1).

# Server wallet: create it (auto-login, so the listener can open it without a prompt),
# add a self-signed certificate and export that certificate for the client.
# -keysize 2048: do not use 512- or 1024-bit RSA keys, they are too weak to protect anything.
orapki wallet create -wallet /home/oracle/wallet/server_wallet -auto_login -pwd welcome1
orapki wallet add -wallet /home/oracle/wallet/server_wallet -dn "CN=server" -keysize 2048 -self_signed -validity 365 -pwd welcome1
orapki wallet export -wallet /home/oracle/wallet/server_wallet -dn "CN=server" -cert server_ca.cert

# Client wallet: the same steps on the client side.
orapki wallet create -wallet /home/oracle/wallet/client_wallet -auto_login -pwd welcome1
orapki wallet add -wallet /home/oracle/wallet/client_wallet -dn "CN=client" -keysize 2048 -self_signed -validity 365 -pwd welcome1
orapki wallet export -wallet /home/oracle/wallet/client_wallet -dn "CN=client" -cert client_ca.cert

# Cross-trust: each side imports the other side's certificate as a trusted certificate.
# This is what makes the TLS handshake, including client authentication, succeed.
orapki wallet add -wallet /home/oracle/wallet/client_wallet -trusted_cert -cert server_ca.cert -pwd welcome1
orapki wallet add -wallet /home/oracle/wallet/server_wallet -trusted_cert -cert client_ca.cert -pwd welcome1

welcome1 is the placeholder password from the note; use a real one. Note that an auto-login wallet (cwallet.sso) can be opened by anyone who can read the directory, so restrict the wallet directories to the oracle OS user (chmod 700).

Listener configuration (listener.ora) with a plain TCP endpoint on port 1521 and a TCPS endpoint on port 1522; WALLET_LOCATION points the listener at the server wallet created above:

LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = fmw11gr2)(PORT = 1521))
    )
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = fmw11gr2)(PORT = 1522))
    )
  )

WALLET_LOCATION =
  (SOURCE =
    (METHOD = File)
    (METHOD_DATA =
      (DIRECTORY = /home/oracle/wallet/server_wallet)))

Two things to check: the same WALLET_LOCATION must also be set in the server's sqlnet.ora, because after the handshake the connection is handed to a server process that needs the wallet as well; and as long as the TCP endpoint on 1521 stays open, clients can still connect unencrypted, so remove it (or firewall it) once all clients use TCPS.
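The listener.ora above only defines the endpoints. The fragments below are an added example, not from the original slides or from MOS note 401251.1, that tie the earlier slides together in one place: valid node checking and the listener registration list, INBOUND_CONNECT_TIMEOUT on both sides, restricted listener administration, and the TCPS parameters for the wallets created with orapki. The host name fmw11gr2, the wallet paths and the listener name LISTENER come from the slides; the addresses, the service name orcl, the TLS version and cipher suite are assumptions.

```text
# ---- database server: $ORACLE_HOME/network/admin/sqlnet.ora ----

# Valid node checking: only the listed hosts may connect. When tcp.invited_nodes
# is set, tcp.excluded_nodes is ignored. 10.0.0.5 is assumed to be the address of
# fmw11gr2 itself; without it, local tools and service registration fail too.
tcp.validnode_checking = YES
tcp.invited_nodes = (10.0.0.5, 144.198.58.146, 144.198.58.147)

# A client must complete authentication within 30 s (default 60 s); a timeout is
# logged together with the client's address.
SQLNET.INBOUND_CONNECT_TIMEOUT = 30

# Wallet for the TCPS endpoint: the same directory as in listener.ora, because the
# server process that takes over after the handshake needs the wallet as well.
WALLET_LOCATION =
  (SOURCE = (METHOD = File)
    (METHOD_DATA = (DIRECTORY = /home/oracle/wallet/server_wallet)))

# Require the client certificate (mutual TLS, the "client authentication" of the MOS note).
SSL_CLIENT_AUTHENTICATION = TRUE
# TLS version and cipher suite are assumptions: use the newest ones that the server
# and all clients support at their patch level.
SSL_VERSION = 1.2
SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA)

# ---- database server: $ORACLE_HOME/network/admin/listener.ora (additions) ----

# The listener's own timeout; Oracle recommends a value below SQLNET.INBOUND_CONNECT_TIMEOUT.
INBOUND_CONNECT_TIMEOUT_LISTENER = 20
# Only instances on this host may register services with the listener.
VALID_NODE_CHECKING_REGISTRATION_LISTENER = LOCAL
# No runtime SET commands: changes require editing this file and a reload.
ADMIN_RESTRICTIONS_LISTENER = ON

# ---- client: sqlnet.ora ----

WALLET_LOCATION =
  (SOURCE = (METHOD = File)
    (METHOD_DATA = (DIRECTORY = /home/oracle/wallet/client_wallet)))
SSL_CLIENT_AUTHENTICATION = TRUE
SSL_VERSION = 1.2
# Reject a server whose certificate DN does not match the one named in tnsnames.ora.
SSL_SERVER_DN_MATCH = YES

# ---- client: tnsnames.ora (service name orcl is an assumption) ----

ORCL_TCPS =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCPS)(HOST = fmw11gr2)(PORT = 1522))
    (CONNECT_DATA = (SERVICE_NAME = orcl))
    (SECURITY = (SSL_SERVER_CERT_DN = "CN=server")))
```

After changing sqlnet.ora or listener.ora, run lsnrctl reload (or stop/start) and test from an invited and from a non-invited host; the second connection should be refused by the listener with a TNS error before any database authentication takes place.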

Basic User Authentication by Password

A database user connects with a user name and password, for example CONNECT paul/xxx: the identity is paul, the authentication method is a password, the password is xxx, the user owns the schema paul, and the logon can be audited.

SQL> CREATE USER username IDENTIFIED BY password;

In a CDB (CDB1 with PDB1, PDB2, PDB3) a common user connects with the same password in all containers:

CONNECT c##u1/xxx@PDB1
CONNECT c##u1/xxx@PDB2

A local user exists in one PDB only and connects with its own password there:

CONNECT local_u1/p1@PDB3

Note that CONNECT user/password on a command line or in a script exposes the password to process listings and shell history; in SQL*Plus, CONNECT paul without the password prompts for it.

New Administrative Privileges

Administrative privilege; user name the session runs as; tasks:

• SYSDBA, SYSOPER; SYS / PUBLIC; same operations as in 11g
• SYSASM; SYS; specific to ASM instances only
• SYSBACKUP; SYSBACKUP; perform RMAN backup and recovery operations from RMAN or through SQL
• SYSDG; SYSDG; perform Data Guard operations with Data Guard Broker or DGMGRL
• SYSKM; SYSKM; manage transparent data encryption keystore operations

The user name column is the session user after connecting with that privilege: CONNECT backup_admin AS SYSBACKUP runs as SYSBACKUP, not as SYS.

New Administrative Privilege: SYSBACKUP

System / object privileges: ALTER DATABASE, ALTER SYSTEM, CREATE SESSION, ALTER SESSION, ALTER TABLESPACE, DROP TABLESPACE, UNLIMITED TABLESPACE, RESUMABLE, CREATE ANY DIRECTORY, CREATE ANY TABLE, CREATE ANY CLUSTER, AUDIT ANY, SELECT ANY DICTIONARY, SELECT ANY TRANSACTION; SELECT on X$ tables and V$/GV$ views; EXECUTE on SYS.DBMS_BACKUP_RESTORE, SYS.DBMS_RCVMAN, SYS.DBMS_IR, SYS.DBMS_TTS, SYS.DBMS_TDB, SYS.DBMS_PLUGTS, SYS.DBMS_PLUGTSP

Statements and roles: CREATE PFILE, CREATE SPFILE, CREATE CONTROLFILE, DROP DATABASE, STARTUP, SHUTDOWN, CREATE / DROP RESTORE POINT (including GUARANTEED restore points), FLASHBACK DATABASE; roles SELECT_CATALOG_ROLE, HS_ADMIN_SELECT_ROLE

Note that SYSBACKUP has no SELECT ANY TABLE: it can back up the whole database but cannot query application data through SQL.

New Administrative Privilege: SYSDG

System / object privileges: CREATE SESSION, ALTER SYSTEM, ALTER SESSION, ALTER DATABASE, SELECT ANY DICTIONARY; SELECT on X$ tables and V$/GV$ views; DELETE / SELECT on APPQOSSYS.WLM_CLASSIFIER_PLAN; EXECUTE on SYS.DBMS_DRS

Statements and roles: STARTUP, SHUTDOWN, CREATE RESTORE POINT, DROP RESTORE POINT (including GUARANTEED restore points), FLASHBACK DATABASE

New Administrative Privilege: SYSKM

System / object privileges: CREATE SESSION, ADMINISTER KEY MANAGEMENT; SELECT on SYS.V$WALLET, SYS.V$ENCRYPTION_WALLET, SYS.V$ENCRYPTED_TABLESPACES

• Connected as the predefined user SYSKM
• Manages TDE operations: keystore creation, opening and closing; master key creation and changes; column and tablespace key management; access to TDE information in the appropriate views
• No access to application data
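The three slides above list what the new administrative privileges contain. The script below is an added example, not from the original slides, showing how a named backup administrator and a key administrator are set up so that nobody needs SYSDBA for those jobs, and how to verify the separation afterwards. The user names c##backup_jp and c##keyadmin_jp, their passwords, the restore point name and the table hr.employees are assumptions.

```sql
-- Run as SYS in CDB$ROOT. Administrative privileges are recorded in the password file,
-- which must be in 12c format (orapwd ... FORMAT=12, the default in 12.1) so that
-- SYSBACKUP/SYSDG/SYSKM grants can be stored in it.
CREATE USER c##backup_jp   IDENTIFIED BY "B4ckup#2015" CONTAINER=ALL;  -- assumed name and password
CREATE USER c##keyadmin_jp IDENTIFIED BY "K3yAdm#2015" CONTAINER=ALL;  -- assumed name and password

-- Grant only the administrative privilege: no DBA role, no SYSDBA. The privilege
-- itself carries the right to log on "AS SYSBACKUP" / "AS SYSKM".
GRANT SYSBACKUP TO c##backup_jp   CONTAINER=ALL;
GRANT SYSKM     TO c##keyadmin_jp CONTAINER=ALL;

-- Check 1: which accounts hold which administrative privilege (read from the password file)?
SELECT username, sysdba, sysoper, sysbackup, sysdg, syskm
FROM   v$pwfile_users
ORDER  BY username;

-- In a new session the backup administrator connects with the new privilege:
--   SQL> CONNECT c##backup_jp/"B4ckup#2015" AS SYSBACKUP
-- Check 2: the session runs as the predefined user SYSBACKUP, not as SYS.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER')   AS session_user,
       SYS_CONTEXT('USERENV', 'CURRENT_SCHEMA') AS current_schema
FROM   dual;

-- Allowed: backup and recovery related statements, for example a guaranteed
-- restore point (requires a fast recovery area to be configured).
CREATE RESTORE POINT before_patch GUARANTEE FLASHBACK DATABASE;

-- Not allowed: SYSBACKUP has SELECT ANY DICTIONARY but not SELECT ANY TABLE, so
-- application data is out of reach; this statement fails with ORA-00942.
SELECT employee_id, salary FROM hr.employees WHERE ROWNUM = 1;

-- The key administrator (CONNECT c##keyadmin_jp/"K3yAdm#2015" AS SYSKM) can work
-- with the TDE keystore, but has no CREATE TABLE and no access to data either:
--   ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<keystore password>";

-- Check 3 (back as SYS): logons with administrative privileges are always audited
-- (mandatory audit), independent of any audit policy or audit mode.
SELECT event_timestamp, os_username, userhost, dbusername, system_privilege_used, return_code
FROM   unified_audit_trail
WHERE  action_name = 'LOGON'
AND   (dbusername IN ('SYSBACKUP', 'SYSKM')
       OR system_privilege_used IN ('SYSBACKUP', 'SYSKM'))
ORDER  BY event_timestamp DESC;
```

The point of the separation is visible in check 2 and the failing SELECT: the backup operator can start, stop, back up and flash back the database, yet cannot read a single application row, which is exactly what a SYSDBA-based backup account could not guarantee.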

Creating Common and Local Roles

In a CDB (CDB1 with root, PDB_HR and PDB_SALES) a common role is created in all containers; it must be created in the root with the c## prefix:

SQL> CREATE ROLE c##r1 CONTAINER=ALL;

The role c##r1 then exists in the root and in every PDB. A local role is created in one single container (the figure shows r1 in PDB_SALES):

SQL> CREATE ROLE l_role1;

Granting Common and Local Privileges

In a CDB, a common privilege is granted to a grantee in all containers. The grant must be issued in the root, and the grantee must be a common user:

SQL> GRANT create session TO c##dba CONTAINER=ALL;

c##dba now has CREATE SESSION in the root, in PDB_HR and in PDB_SALES. A local privilege is granted to a grantee in one single container (here ADVISOR to u1 in PDB_HR):

SQL> GRANT advisor TO u1;
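The user, role and privilege slides above each show one statement. The following script is an added example, not from the original slides, that runs through the whole picture in the CDB from those slides (CDB1 with PDB_HR and PDB_SALES) and then checks where each grant applies, which is the step a reviewer actually needs. The passwords and the additional CREATE SESSION grant to u1 are assumptions.

```sql
-- 1. In the root (CDB$ROOT), as SYS: common user and common role, present in every container.
ALTER SESSION SET CONTAINER = CDB$ROOT;
CREATE USER c##dba IDENTIFIED BY "Cdb#Adm2015" CONTAINER=ALL;   -- assumed password
CREATE ROLE c##r1 CONTAINER=ALL;

-- Common privilege and common role grant: apply in all containers.
-- CONTAINER=ALL is only accepted in the root and only for a common grantee.
GRANT CREATE SESSION TO c##dba CONTAINER=ALL;
GRANT c##r1          TO c##dba CONTAINER=ALL;

-- 2. In a PDB: local user, local role, local privileges.
ALTER SESSION SET CONTAINER = PDB_HR;
CREATE USER u1 IDENTIFIED BY "Hr#User2015";   -- local to PDB_HR, assumed password
CREATE ROLE l_role1;                          -- local role, exists only in PDB_HR
GRANT CREATE SESSION, ADVISOR TO u1;          -- CREATE SESSION added so u1 can log on
GRANT l_role1 TO u1;

-- A common role may also be granted locally: c##r1 for u1 inside PDB_HR only.
GRANT c##r1 TO u1;   -- no CONTAINER=ALL, so the grant is local to PDB_HR

-- 3. Checks from the root. CON_ID 1 = root, 2 = PDB$SEED, 3 and up = PDBs;
--    CDB_ views only report PDBs that are currently open.
ALTER SESSION SET CONTAINER = CDB$ROOT;

-- Expect CREATE SESSION for C##DBA with COMMON=YES in every container,
-- and U1's privileges with COMMON=NO in the PDB_HR container only.
SELECT p.con_id, p.grantee, p.privilege, p.common
FROM   cdb_sys_privs p
WHERE  p.grantee IN ('C##DBA', 'U1')
ORDER  BY p.con_id, p.grantee, p.privilege;

-- Expect C##R1 in every container and L_ROLE1 in PDB_HR only.
SELECT r.con_id, r.role, r.common
FROM   cdb_roles r
WHERE  r.role IN ('C##R1', 'L_ROLE1')
ORDER  BY r.con_id, r.role;

-- Who holds C##R1 where? The common grant shows in all containers, the local one once.
SELECT g.con_id, g.grantee, g.granted_role, g.common
FROM   cdb_role_privs g
WHERE  g.granted_role = 'C##R1'
ORDER  BY g.con_id, g.grantee;
```

Two failure modes worth knowing: a CREATE USER in the root without the c## prefix is rejected (ORA-65096), and GRANT ... CONTAINER=ALL issued from inside a PDB is rejected as well, so a script that "works" in a PDB has by definition created only local objects.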

Controlling Backup Access Based on Privilege

RMAN Virtual Private Catalog (VPC):

• The base catalog, which holds the metadata of all databases registered in the RMAN catalog, stays under the control of a privileged user.
• Prevention: each VPC owner sees and can change only the metadata of the databases granted to them, enhancing security by restricting access to metadata.
• Avoids the inadvertent or malicious destruction of catalog data for other databases.
• Keeps a clear separation of duty between the administrators of the various databases.
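The slide describes what a virtual private catalog achieves; the commands below are an added example, not from the original slides, of setting one up and taking it away again. The recovery catalog database alias catdb, the base catalog owner rco, the VPC owner vpc_hr, the database name hrdb and the passwords are assumptions, and the VPC owner is given the RECOVERY_CATALOG_OWNER role as in 11g and 12.1.0.1.

```sql
-- Step 1 (SQL*Plus, as SYS in the recovery catalog database, alias catdb):
-- a database account for the HR team's DBA that may own a (virtual) catalog.
CREATE USER vpc_hr IDENTIFIED BY "Vpc#Hr2015";   -- assumed name and password
GRANT RECOVERY_CATALOG_OWNER TO vpc_hr;

-- Step 2 (RMAN, connected as the base catalog owner): expose HRDB, and nothing else.
--   $ rman
--   RMAN> CONNECT CATALOG rco/<password>@catdb
GRANT CATALOG FOR DATABASE hrdb TO vpc_hr;
-- Optional: let vpc_hr register new databases; they become visible only in its VPC.
GRANT REGISTER DATABASE TO vpc_hr;

-- Step 3 (RMAN, connected as the VPC owner): create the virtual catalog once.
--   RMAN> CONNECT CATALOG vpc_hr/<password>@catdb
CREATE VIRTUAL CATALOG;

-- Step 4 (RMAN, as vpc_hr with the HRDB target): normal work, restricted view.
--   RMAN> CONNECT TARGET / CATALOG vpc_hr/<password>@catdb
LIST DB_UNIQUE_NAME ALL;     -- only HRDB is listed; other registered databases are invisible
BACKUP DATABASE PLUS ARCHIVELOG;
-- Connecting vpc_hr to a target that was not granted fails with RMAN-20001
-- ("target database not found in recovery catalog"), so the VPC cannot be used
-- to read or damage another database's backup metadata.

-- Step 5 (RMAN, as the base catalog owner): revoke when the DBA changes role.
REVOKE CATALOG FOR DATABASE hrdb FROM vpc_hr;
REVOKE REGISTER DATABASE FROM vpc_hr;
-- Step 6 (RMAN, as vpc_hr): DROP CATALOG here drops only the virtual catalog.
```

The base catalog owner's credentials are the ones to protect: everything a VPC owner can see is a view onto rco's schema, so rco should be used for administration only, never for day-to-day backups.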

RMAN-Encrypted Backups

(Figure: RMAN reads the data files and writes backups either encrypted to disk, using Oracle Advanced Security, or encrypted to tape through Oracle Secure Backup or a third-party media manager.)

Backup encryption can be keyed transparently by the TDE keystore, by a password supplied in the RMAN session, or by both (dual mode). A password-encrypted backup can be restored on any host that knows the password; a transparently encrypted one only where the keystore is available, which matters when backups have to be restored on a different system.

Controlling Data Access Based on Label

(Figure: OLS policies classify sensitive transactions as Sensitive, confidential report data as Confidential and public reports as Public.)

Oracle Label Security (OLS):

• Lets you choose your virtual information partitioning
• Classifies users and data using labels
• Creates labels based on business drivers
• Enforces row-level access control automatically and transparently to applications
• Uses labels as factors in other policies (Database Vault)
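The slide stays at the level of what OLS does. The script below is an added example, not from the original slides, that builds the three-level scheme from the figure (Public, Confidential, Sensitive) with the OLS administration packages and shows the check at the end. It assumes that Oracle Label Security is configured and enabled in the database, that the script starts as a user holding the LBAC_DBA role, and that the policy name REPORTS_POL, the security officer account sec_officer, the table reports.report_data with its kind column and the users ANALYST and MANAGER exist; all of those names are assumptions.

```sql
-- 1. Policy: adds a hidden label column OLS_LABEL to protected tables and enforces
--    read and write access by label (run as a user with the LBAC_DBA role).
BEGIN
  SA_SYSDBA.CREATE_POLICY(
    policy_name     => 'REPORTS_POL',
    column_name     => 'OLS_LABEL',
    default_options => 'READ_CONTROL,WRITE_CONTROL,HIDE');
END;
/
-- Policy administration is delegated through the auto-created role REPORTS_POL_DBA.
GRANT REPORTS_POL_DBA TO sec_officer;   -- assumed security officer account

-- 2. Levels, run as sec_officer (hierarchical: a higher number is more sensitive).
BEGIN
  SA_COMPONENTS.CREATE_LEVEL(policy_name => 'REPORTS_POL', level_num => 10, short_name => 'PUB',  long_name => 'PUBLIC');
  SA_COMPONENTS.CREATE_LEVEL(policy_name => 'REPORTS_POL', level_num => 20, short_name => 'CONF', long_name => 'CONFIDENTIAL');
  SA_COMPONENTS.CREATE_LEVEL(policy_name => 'REPORTS_POL', level_num => 30, short_name => 'SENS', long_name => 'SENSITIVE');
END;
/
-- 3. Data labels that rows may carry.
BEGIN
  SA_LABEL_ADMIN.CREATE_LABEL(policy_name => 'REPORTS_POL', label_tag => 1000, label_value => 'PUB');
  SA_LABEL_ADMIN.CREATE_LABEL(policy_name => 'REPORTS_POL', label_tag => 2000, label_value => 'CONF');
  SA_LABEL_ADMIN.CREATE_LABEL(policy_name => 'REPORTS_POL', label_tag => 3000, label_value => 'SENS');
END;
/
-- 4. Apply the policy to the report table and authorize users.
--    ANALYST may read up to CONFIDENTIAL, MANAGER up to SENSITIVE; the write label
--    defaults to the read label. sec_officer gets FULL so it can label existing rows.
BEGIN
  SA_POLICY_ADMIN.APPLY_TABLE_POLICY(
    policy_name => 'REPORTS_POL', schema_name => 'REPORTS', table_name => 'REPORT_DATA');
  SA_USER_ADMIN.SET_USER_LABELS(policy_name => 'REPORTS_POL', user_name => 'ANALYST', max_read_label => 'CONF');
  SA_USER_ADMIN.SET_USER_LABELS(policy_name => 'REPORTS_POL', user_name => 'MANAGER', max_read_label => 'SENS');
  SA_USER_ADMIN.SET_USER_PRIVS(policy_name => 'REPORTS_POL', user_name => 'SEC_OFFICER', privileges => 'FULL');
END;
/
-- 5. Label the existing rows (as sec_officer). The hidden column is addressed by name.
UPDATE reports.report_data SET ols_label = CHAR_TO_LABEL('REPORTS_POL', 'SENS') WHERE kind = 'TRANSACTION';
UPDATE reports.report_data SET ols_label = CHAR_TO_LABEL('REPORTS_POL', 'CONF') WHERE kind = 'CONFIDENTIAL';
UPDATE reports.report_data SET ols_label = CHAR_TO_LABEL('REPORTS_POL', 'PUB')  WHERE kind = 'PUBLIC';
COMMIT;

-- 6. Check: the same statement, unchanged, returns PUB and CONF rows for ANALYST
--    and all three groups for MANAGER; the application never references the label.
SELECT kind, LABEL_TO_CHAR(ols_label) AS label, COUNT(*) AS rows_visible
FROM   reports.report_data
GROUP  BY kind, LABEL_TO_CHAR(ols_label)
ORDER  BY kind;
```

WRITE_CONTROL matters as much as READ_CONTROL here: without it the analyst, who cannot see SENSITIVE rows, could still update or delete them blind, which is the kind of integrity hole that row-level read filtering alone leaves open.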

Oracle Audit Vault and Database Firewall

A single solution: Oracle Audit Vault and Database Firewall.

(Figure: users and applications send SQL through the Database Firewall, which allows, logs, alerts on, substitutes or blocks each statement according to its policies; firewall events, database audit data and OS, directory, file system and custom audit logs are consolidated in the Audit Vault, where the auditor and the security analyst work with alerts, built-in reports and custom reports.)

Suggested Schedule

• Day 1: Security Requirements; Basic Database Security; Net Services (Firewall, Network Traffic Encryption, Listener Security)
• Day 2: Security Risks and Oracle Solutions; Authentication (Basic, Strong, Proxy)
• Days 3 & 4: Database and Enterprise Users; Privileges and Roles (Privilege Analysis)
• Days 4 & 5: Data Access Control (Virtual Private Database, RMAN Virtual Private Catalog, Oracle Label Security)
• Day 5: Data Confidentiality (Data Redaction, Data Masking, Transparent Data Encryption, TSDP, DBMS_CRYPTO, Database Storage Security); Auditing (Unified Auditing, Fine-Grained Audit)

Oracle Data Redaction: Overview

• On-the-fly redaction based on username, IP address, application context, and other factors
• Transparent, consistent enforcement in the database
• High performance for production applications
• Appropriate for call centers, decision support systems, and systems with PII, PHI, and PCI data

Example (figure): the application runs SELECT creditcard_no FROM … ; the sensitive data stored in the table is

5105-1051-0510-5100
5111-1111-1111-1118
5454-5454-5454-5454

the redaction policy is enforced while the query executes, and the redacted data returned is

CREDITCARD_NO
XXXX-XXXX-XXXX-5100
XXXX-XXXX-XXXX-1118
XXXX-XXXX-XXXX-5454

Caveat: redaction changes what a query returns, not what it can test. A user who may query the column can still narrow values down with predicates (WHERE creditcard_no LIKE '5105%'), so redaction complements, but does not replace, access control on the column.
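The following script is an added example, not from the original slides, that produces the masking shown in the figure with DBMS_REDACT and then demonstrates the predicate caveat. The table billing.cards, the role cc_full_access and the user fraud_analyst are assumptions; the card numbers are the constructed sample values from the slide.

```sql
-- Constructed sample data matching the slide (assumed schema and table).
CREATE TABLE billing.cards (
  customer_id   NUMBER       PRIMARY KEY,
  creditcard_no VARCHAR2(19) NOT NULL
);
INSERT INTO billing.cards VALUES (1, '5105-1051-0510-5100');
INSERT INTO billing.cards VALUES (2, '5111-1111-1111-1118');
INSERT INTO billing.cards VALUES (3, '5454-5454-5454-5454');
COMMIT;

-- Who may see the real numbers: a role, so the exception is auditable and revocable.
CREATE ROLE cc_full_access;
GRANT cc_full_access TO fraud_analyst;   -- assumed account

-- Redaction policy (run as a user with EXECUTE on DBMS_REDACT, e.g. SYS).
-- Partial redaction on a formatted string: in the input format V marks a character
-- that may be masked and F a formatting character that is kept; the output format
-- re-inserts the hyphens; positions 1..12 are replaced by X, the last four are kept.
-- The expression must be TRUE for redaction to apply: everyone without the role.
BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema       => 'BILLING',
    object_name         => 'CARDS',
    policy_name         => 'cards_redact',
    column_name         => 'CREDITCARD_NO',
    function_type       => DBMS_REDACT.PARTIAL,
    function_parameters => 'VVVVFVVVVFVVVVFVVVV,VVVV-VVVV-VVVV-VVVV,X,1,12',
    expression          => q'[SYS_CONTEXT('SYS_SESSION_ROLES', 'CC_FULL_ACCESS') = 'FALSE']',
    enable              => TRUE);
END;
/

-- As a call-center user (no cc_full_access): the values come back as on the slide,
-- XXXX-XXXX-XXXX-5100 and so on. SYS and holders of the EXEMPT REDACTION POLICY
-- system privilege always see the stored values.
SELECT creditcard_no FROM billing.cards ORDER BY customer_id;

-- Caveat: the policy rewrites the result, not the predicate. The same user can
-- still probe the real value; the row with customer_id 1 is found because the
-- WHERE clause is evaluated against the unredacted column.
SELECT customer_id FROM billing.cards WHERE creditcard_no LIKE '5105%';

-- Inventory for the security officer: which policies exist and what they cover.
SELECT object_owner, object_name, policy_name, expression, enable
FROM   redaction_policies;
SELECT object_owner, object_name, column_name, function_type, function_parameters
FROM   redaction_columns;
```

Because of the predicate caveat, the policy is best combined with a limit on who may query the table at all (privileges, a view, or VPD), and with unified auditing of SELECTs on it, so that a user running a series of LIKE probes shows up in the audit trail.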


Auditing and Alerting in Real-Time

(Figure: audit data and event logs from databases, directories, OS and storage, custom sources and the Oracle Database Firewall are collected by Oracle Audit Vault; the auditor works with alerts, built-in and custom reports, the security analyst maintains the AV policies.)

Auditing and reporting components: Oracle Audit Vault, Unified Audit, Fine-Grained Audit.

Oracle Audit Vault:

• Streamlined database auditing
• Powerful detection of and alerting on suspicious activities
• Out-of-the-box compliance and custom reports
• Consolidated multi-source reporting
• Built-in segregation of duties
• Centralized secure repository

Fine-Grained Auditing

(Figure: users and applications access the secured, audited columns; FGA policies with their configuration options write audit data for the security officer and can fire an event handler.)

Fine-Grained Auditing (FGA):

• Monitors data access based on content (a policy condition evaluated on the row values)
• Audits SELECT and DML statements
• May fire an event handler procedure
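The two auditing slides list the components but show no policy. The script below is an added example, not from the original slides, that sets up both kinds on the HR sample schema: a 12c unified audit policy for all access to hr.employees plus failed logons, and an FGA policy that fires only when SALARY is read for well-paid rows and calls a handler that records an alert in real time. The application account hr_batch, the table hr.salary_alerts and the handler procedure are assumptions.

```sql
-- Part A: unified audit policies (12c). Run as SYS or a user with AUDIT_ADMIN.
-- Every SELECT/UPDATE/DELETE on hr.employees by anyone except the batch account.
CREATE AUDIT POLICY hr_emp_access
  ACTIONS SELECT ON hr.employees, UPDATE ON hr.employees, DELETE ON hr.employees;
AUDIT POLICY hr_emp_access EXCEPT hr_batch;   -- hr_batch: assumed application account

-- Failed logons only: the signal for password guessing, without the noise of successes.
CREATE AUDIT POLICY failed_logons ACTIONS LOGON;
AUDIT POLICY failed_logons WHENEVER NOT SUCCESSFUL;

-- Part B: fine-grained audit. Record a SELECT only if it touches SALARY on a row
-- with SALARY > 10000, and call a handler that can alert immediately.
CREATE TABLE hr.salary_alerts (         -- assumed alert table written by the handler
  alert_time TIMESTAMP DEFAULT SYSTIMESTAMP,
  db_user    VARCHAR2(128),
  sql_text   CLOB
);

-- FGA handlers have this fixed signature. The autonomous transaction keeps the
-- alert even if the audited statement's transaction is rolled back.
CREATE OR REPLACE PROCEDURE hr.salary_fga_handler(
  object_schema VARCHAR2, object_name VARCHAR2, policy_name VARCHAR2)
AS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  INSERT INTO hr.salary_alerts (db_user, sql_text)
  VALUES (SYS_CONTEXT('USERENV', 'SESSION_USER'), SYS_CONTEXT('USERENV', 'CURRENT_SQL'));
  COMMIT;
END;
/

BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'EMPLOYEES',
    policy_name     => 'salary_reads',
    audit_condition => 'SALARY > 10000',
    audit_column    => 'SALARY',
    handler_schema  => 'HR',
    handler_module  => 'SALARY_FGA_HANDLER',
    enable          => TRUE,
    statement_types => 'SELECT',
    audit_trail     => DBMS_FGA.DB + DBMS_FGA.EXTENDED);   -- keep the SQL text
END;
/

-- Part C: checks. Unified audit records are buffered; flush before looking.
BEGIN
  DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL;
END;
/
SELECT event_timestamp, dbusername, action_name, object_schema, object_name,
       return_code, unified_audit_policies
FROM   unified_audit_trail
WHERE  unified_audit_policies IS NOT NULL
ORDER  BY event_timestamp DESC;

-- FGA records: in 12c mixed mode (the default after an upgrade) they are in
-- DBA_FGA_AUDIT_TRAIL; after switching to pure unified auditing they appear in
-- UNIFIED_AUDIT_TRAIL with FGA_POLICY_NAME set, so query both during a migration.
SELECT timestamp, db_user, object_schema, object_name, policy_name, sql_text
FROM   dba_fga_audit_trail
ORDER  BY timestamp DESC;

-- The handler's own record, available the moment the query ran.
SELECT alert_time, db_user, sql_text FROM hr.salary_alerts ORDER BY alert_time DESC;
```

A handler that fails raises an error into the audited statement, so keep it short and defensive; and because FGA evaluates the condition per row, a cheap condition on an indexed column is worth the design effort on a large table.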

Enforcing Security at Different Levels

(Figure: clients reach the application through a firewall and web server; the application talks to the listener and the database, where the HR.EMP table is protected at each of the following levels.)

• Network Security: encryption (sqlnet.ora); firewall; listener security
• Database Access: Database Firewall
• User Authentication: basic; strong; proxy; centralized with LDAP/EUS
• Authorization & Access Control: privileges; views, VPD, OLS; Database Vault, Audit Vault; VPC
• Control: constraints, triggers; unified audit, FGA; Audit Vault; LogMiner; Temporal History; compliance standards
• Confidentiality: Data Masking, Data Redaction, TSDP; TDE, Data Pump & TDE, DBMS_CRYPTO; RMAN & TDE, Oracle Secure Backup

Thank you for your time. Hamburg, 10 February 2015. Jan-Peter Timmermann, PITSS GmbH, [email protected]