OracleSecurity Engl


Oracle 12c
Security: What's new in Oracle 12c?
Rainer Meisriemler, rainer.meisriemler@oracle.com
ORACLE Deutschland GmbH, Tel: 0711/72840162
Disclaimer

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.
Additional background information

Databases are hacked with the help of the OS or

87 %  SQL injection
80 %  The majority of data thieves are insiders
10 %  Only a few "standard hacks" get published
1 %   Real "professional" hacks are very rare

Source: Black Hat / Defcon (unofficial)
BSI certification

Source: https://www.bsi.bund.de/SharedDocs/Zertifikate/CC/Serveranwendungen_Datenbankserver/0766.html
Finished (relax)?
Still open:

• Root / admin user and su oracle?
• sqlplus / as sysdba
• sqlplus system/manager
• sqlplus sapr3/sap
• ...
Basics

• We have the best database, but NO init parameter make_db_secure / _make_db_secure

Important information sources:
• SAP Note 1868094 - Summary: SAP Notes on Oracle security
• Oracle® Database Security Guide 12c Release 1 (12.1) E17607-24
• http://docs.oracle.com/cd/E16655_01/network.121/e17607/release_changes.htm#DBSEG000
User Management

• Number of users (default installation):
  9iR2:  30 by default
  10gR2: 27 by default
  11gR1: 35 by default
  11gR2: 36 by default
  12cR1: 35 by default
User Management
• The number of users is only half the truth

12cR1 (35)              11gR2 (36)
ANONYMOUS               ANONYMOUS
APEX_040200             APEX_030200
APEX_PUBLIC_USER        APEX_PUBLIC_USER
APPQOSSYS               APPQOSSYS
AUDSYS                  ---
---                     BI
CTXSYS                  CTXSYS
DBSNMP                  DBSNMP
DIP                     DIP
DVF                     ---
DVSYS                   ---
---                     EXFSYS
FLOWS_FILES             FLOWS_FILES
GSMADMIN_INTERNAL       ---
GSMCATUSER              ---
GSMUSER                 ---
---                     HR
---                     IX
LBACSYS                 ---
MDDATA                  MDDATA
MDSYS                   MDSYS
---                     MGMT_VIEW
---                     OE
OJVMSYS                 ---
etc.
New Multitenant Architecture
Memory and processes exist only at the level of the container (CDB)
New Multitenant Architecture

• Up to 252 PDBs allowed
• A PDB behaves like a "non-CDB"
• PDBs "share" the SGA and the background processes
• No difference for applications
• DB sessions only "see" the PDB they are connected to
Connect to a PDB:
sqlplus scott/tiger@192.168.56.101:1521/orclpdb

Change to another PDB:
SQL> ALTER SESSION SET CONTAINER=PDB1;
or:
SQL> ALTER SESSION SET CONTAINER=CDB$ROOT;

Where am I?
SQL> SHOW CON_ID
SQL> SHOW CON_NAME
SQL> SHOW PDBS

!!! Note the changes in the data dictionary of the DB, e.g. V$DATABASE !!!
Users (DB users)
• Local users are the same as individually created users in a non-CDB:
  • exist only in one PDB
  • can administer a PDB
• A "common user" is defined in the "root" container and can be present in every PDB
• A "common user" is able to connect to every PDB in which he has the "Create Session" privilege
• Oracle's own system objects belong to "common users"
Common User

• A COMMON USER is typically used to administer the CDB or the PDBs, e.g. plugging and unplugging a PDB.
• COMMON USERs are able to switch between containers (take care: a new system privilege, SET CONTAINER)
• Rules for a COMMON USER:
  • Must exist in CDB$ROOT
  • The user name must start with C## or c##
  • Objects of a COMMON USER are not "shared" between PDBs but are local
  • Don't create your own objects in the schema of a common user
  • May exist globally, e.g. created with CONTAINER=ALL in the CREATE USER statement
  • May have privileges in the CDBs, but doesn't need to
  • DEFAULT TABLESPACE, TEMPORARY TABLESPACE, QUOTA ON or PROFILE at the CREATE USER command: the objects need to exist in all containers (PDBs)
Example for changes in the dictionary
Changes
Multitenant New Features in 12.1.0.2

Cloning
• Subset by tablespace
• Metadata-only clone
• Remote clone (including snapshots)
• File system-agnostic cloning via dNFS (clonedb = true)

Standby & Logging
• New "standbys" clause (all | none)
• Nologging clause at PDB level

Cross PDB Queries
• New SQL clause to aggregate data across PDBs:
  select ENAME from containers(scott.EMP) where CON_ID in (45, 49);

Additional Features
• Flashback data archive, transaction query & backout
• Temporal SQL support
• Compatible with DB In-Memory
• Maintains state of PDBs between CDB restarts
Secure passwords (just a reminder)

• Upper and lower case letters matter in the password (the user name is not case-sensitive):

SQL orcl> connect SCOTT/TIGER
ERROR:
ORA-01017: Benutzername/Kennwort ungültig; Anmeldung abgelehnt
Achtung: Sie sind nicht mehr mit ORACLE verbunden.

SQL orcl> connect SCOTT/Tiger
ERROR:
ORA-01017: Benutzername/Kennwort ungültig; Anmeldung abgelehnt
Achtung: Sie sind nicht mehr mit ORACLE verbunden.

SQL> connect SCOTT/tiger
Connect durchgeführt.

SQL orcl> connect scott/tiger
Connect durchgeführt.
Password Verify Function (just a reminder)
• Can have any name (SYS owns the function)
• Syntax (the parameters are plain VARCHAR2; a length such as VARCHAR(30) is not allowed in a parameter declaration):
CREATE OR REPLACE FUNCTION verify_password
(
  userid       VARCHAR2,
  password     VARCHAR2,
  old_password VARCHAR2
) RETURN BOOLEAN

• Usage:
ALTER PROFILE myprofile LIMIT
  PASSWORD_VERIFY_FUNCTION verify_password;
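A complete verify function with the signature above, together with the profile that enforces it, as an added example (not from the slides); run it as SYS. The names verify_password_min and prof_app and the thresholds are assumptions.

```sql
-- Added example: password verify function with the required signature.
-- Must be created by SYS; the name and the limits below are assumptions.
CREATE OR REPLACE FUNCTION verify_password_min (
    userid       VARCHAR2,
    password     VARCHAR2,
    old_password VARCHAR2
) RETURN BOOLEAN
IS
    v_digits  PLS_INTEGER;
    v_upper   PLS_INTEGER;
    v_lower   PLS_INTEGER;
    v_special PLS_INTEGER;
BEGIN
    -- Minimum length
    IF LENGTH(password) < 12 THEN
        raise_application_error(-20001, 'Password must be at least 12 characters');
    END IF;

    -- Must not contain the user name (user names are case-insensitive, passwords are not)
    IF INSTR(UPPER(password), UPPER(userid)) > 0 THEN
        raise_application_error(-20002, 'Password must not contain the user name');
    END IF;

    -- Count the character classes present
    v_digits  := REGEXP_COUNT(password, '[[:digit:]]');
    v_upper   := REGEXP_COUNT(password, '[[:upper:]]');
    v_lower   := REGEXP_COUNT(password, '[[:lower:]]');
    v_special := REGEXP_COUNT(password, '[^[:alnum:]]');
    IF v_digits = 0 OR v_upper = 0 OR v_lower = 0 OR v_special = 0 THEN
        raise_application_error(-20003,
            'Password needs upper and lower case letters, a digit and a special character');
    END IF;

    -- Reject reuse of the previous password
    -- (old_password is NULL when a DBA resets the password without REPLACE)
    IF old_password IS NOT NULL AND password = old_password THEN
        raise_application_error(-20004, 'New password must differ from the old one');
    END IF;

    RETURN TRUE;
END;
/

-- Bind the function to a profile and attach the profile to a user
CREATE PROFILE prof_app LIMIT
    PASSWORD_VERIFY_FUNCTION verify_password_min
    FAILED_LOGIN_ATTEMPTS    5
    PASSWORD_LIFE_TIME       90;

ALTER USER scott PROFILE prof_app;

-- A password that violates a rule is now rejected with the ORA-28003 /
-- custom error text above; verify that the profile is assigned:
SELECT username, profile FROM dba_users WHERE username = 'SCOTT';
```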
More security news
• Sensitive database tables (LINK$, DEFAULT_PWD$, USER$ etc.): the SELECT ANY DICTIONARY privilege no longer grants access to them
• Separation of Duty (SOD):
  • SYSKM (key management in the ASO environment)
  • SYSBACKUP (RMAN users)
  • SYSDG (Data Guard administration)
• Support of SHA-2 (dbms_crypto, 12c passwords)
• UNLIMITED TABLESPACE is no longer part of the RESOURCE role
• Hardware acceleration can be used for network encryption and dbms_crypto
More security news (invoker's / definer's rights)
• Two different methods of calling PL/SQL functions:
  • Definer's rights (AUTHID = DEFINER): proof of authority at compile time
  • Invoker's rights (AUTHID = CURRENT_USER): proof of authority at run time
• The important difference: a PL/SQL function with AUTHID=CURRENT_USER uses the authority of the calling user instead of the authority of the owner of the function. For this reason it is possible to hide and encapsulate rights from users (e.g. getting DBA rights for a single action).
• New in 12c: Oracle additionally checks the privileges of the owner of the procedure when an invoker's rights procedure is called, i.e. the owner must have the INHERIT PRIVILEGES object privilege (on the invoking user) or INHERIT ANY PRIVILEGES. If that is not the case, the database raises an error.
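The 12c INHERIT PRIVILEGES check walked through end to end, as an added example (not from the slides): an invoker's rights procedure works while the caller still grants the inherit privilege to PUBLIC, fails after the caller revokes it, and works again once the owner is trusted explicitly. The users app_owner and hr_user and the table hr_user.employees are assumptions.

```sql
-- Added example: invoker's rights and the 12c INHERIT PRIVILEGES check.
-- Schemas app_owner and hr_user and table hr_user.employees are assumptions.

-- 1. app_owner creates an invoker's rights procedure. Dynamic SQL is resolved
--    and privilege-checked at run time with the CALLER's privileges.
CREATE OR REPLACE PROCEDURE app_owner.show_me
AUTHID CURRENT_USER
IS
    v_cnt NUMBER;
BEGIN
    EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM hr_user.employees' INTO v_cnt;
    DBMS_OUTPUT.PUT_LINE('rows visible to ' || SYS_CONTEXT('USERENV', 'SESSION_USER')
                         || ': ' || v_cnt);
END;
/
GRANT EXECUTE ON app_owner.show_me TO hr_user;

-- 2. hr_user runs it. Every user grants INHERIT PRIVILEGES to PUBLIC by default,
--    so app_owner's code may run with hr_user's privileges and the call succeeds.
--    (connect as hr_user)
SET SERVEROUTPUT ON
EXEC app_owner.show_me;

-- 3. hr_user withdraws the blanket grant: code in any other schema can no
--    longer act with hr_user's rights when hr_user calls it.
REVOKE INHERIT PRIVILEGES ON USER hr_user FROM PUBLIC;

-- The same call now fails with
-- ORA-06598: insufficient INHERIT PRIVILEGES privilege
EXEC app_owner.show_me;

-- 4. Re-enable selectively, only for the owner hr_user trusts
GRANT INHERIT PRIVILEGES ON USER hr_user TO app_owner;
EXEC app_owner.show_me;

-- Review who may inherit hr_user's privileges (the grant is recorded as an
-- object privilege on the user)
SELECT grantee, privilege, grantor
FROM   dba_tab_privs
WHERE  privilege  = 'INHERIT PRIVILEGES'
AND    table_name = 'HR_USER';
```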
Oracle Database Security Solutions
Defense-in-Depth for Maximum Security

PREVENTIVE:     Encryption; Redaction and Masking; Privileged User Controls
DETECTIVE:      Activity Monitoring; Database Firewall; Auditing and Reporting
ADMINISTRATIVE: Privilege Analysis; Sensitive Data Discovery; Configuration Management
Options (Enterprise Edition)

Advanced Security Option (licence needed)
Options (Enterprise Edition)
Useful SAP Notes:
• SAP Note 926023: Oracle Database Security
• SAP Note 105047: Support for Oracle Functions in an SAP Environment
• SAP Note 973450: Oracle ASO: Network Encryption / Data Integrity
• SAP Note 828268: Oracle Database 10g: New Functions
• SAP Note 974876: Oracle ASO: Transparent Data Encryption
• SAP Note 1324684: Creating encrypted RMAN backups with BR*Tools
• SAP Note 834917: New Database Role SAPCONN

Useful Metalink Notes:
• 207959.1: All About Oracle Security
• 165465.1: FAQ about Oracle ASO
• 76637.1: Crypto Checksumming Configuration
• 76629.1: Configuration of ASO Encryption
• 132852.1: Enabling SSL Authentication
Example

• Case
  • Internet: http://www.stuttgarter-zeitung.de/inhalt.kreiskrankenhaus-rastatt-100000-patientendaten-verschwunden.7f19ec47-5914-412b-999c-424c2b7b45d0.html
  • Local copy
• Result
  • Internet: http://www.klinikum-mittelbaden.de/internet/pdf/Mitteilung-KKH-RA-in-FR.pdf
  • Local copy
• ...
Oracle Advanced Security
Transparent Encryption and Strong Authentication Services

(Diagram: Strong Authentication; Transparent Network Encryption; Transparent Data Encryption: data written to disk is transparently encrypted, data read through the SQL interface is transparently decrypted; Transparent Data Encryption with RMAN can encrypt entire backups sent to disk.)
Network Encryption

• Since Oracle 9iR2, Oracle Advanced Security is installed "by default"
• The network encryption, integrity and authentication parts are up and running; the basic setting is "Accepted"
• To arm it: set the server to "Required"
• No changes at the clients needed

Result of the server/client setting combinations:

                    Server setting
Client setting      Rejected   Accepted   Requested   Required
Rejected            Off        Off        Off         Failure
Accepted            Off        Off        On          On
Requested           Off        On         On          On
Required            Failure    On         On          On
Oracle Advanced Security
Secure the network (encrypt and use another TCP port)

• Simple test, e.g. on Linux: /usr/sbin/tcpdump -Xs 1518 -i lo port 1521
• Example of a sqlnet.ora configuration
  Location: $ORACLE_HOME/network/admin/sqlnet.ora (or the directory in the TNS_ADMIN environment variable)

NAMES.DIRECTORY_PATH= (TNSNAMES)
ADR_BASE = /home/oracle/app/oracle
SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED
SQLNET.ENCRYPTION_SERVER = REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA1)
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256, 3DES168)
SQLNET.CRYPTO_SEED="dflghruaegheagalihrgsielgurhuerg"

• Redefine the listener port (netca)
• Restart the listener
• Maybe: take care of the client sqlnet.ora files (ODBC or JDBC connection properties)
Encryption is a basic
Preventive Control for Oracle Databases

Oracle Advanced Security

• Transparent data encryption without modification at the application side
• Prevents access to data "without the database": network, data files, backups, tapes, disks, exports, off-site facilities, etc.
• Built-in key management with HSM/KMS support
• Supports all Oracle technologies, e.g. Exadata, Advanced Compression, ASM, GoldenGate, etc.
Reading Data From Clear Tablespace Files

OS user on the database server (financials.dbf):
$> strings -a financials.dbf | grep "\-[0-9]\{4\}\-"
5555-5555-5555-4444
5105-1051-0510-5100

Attempting to Read Data From Encrypted Tablespace Files

Same OS user, Transparent Data Encryption (financialsENC.dbf):
$> strings -a financialsENC.dbf | grep "\-[0-9]\{4\}\-"

Blank results

Managed Keys
Advanced Security Option TDE

Wallet & key management:
- regular file
- local wallet
- auto login
- HSM device

The regular DBA starts up the database but has no access to the wallet; the security DBA opens the wallet containing the master key.
TDE tablespace encryption internals

• Encryption and decryption at data-block level
• RMAN backups are encrypted
• Data within the SGA is decrypted
• All index types
• Equality and range scans
• All data types
• Execution plans don't change
• 100 % application transparent
• Works very well together with other options, e.g. the Compression Option

• Pay attention:
  • Old systems may need Patch 10080579
  • SYSTEM and SYSAUX tablespaces cannot be encrypted
  • UNDO, TEMP tablespaces and redo log files cannot be encrypted (but data from encrypted tablespaces is encrypted automatically there too)
  • There is no ALTER TABLESPACE command to switch on encryption
  • Loss of the master keys is equal to loss of data !!!!!!!!!!!!
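Because encryption cannot be switched on for an existing tablespace, the practical route is a new encrypted tablespace and a move of the data; the following is an added example (not from the slides) that does that and then verifies the state. The tablespace ts_enc, the data file path and the objects hr_user.employees / hr_user.emp_pk are assumptions, and the wallet must already be open.

```sql
-- Added example: encrypt existing data with TDE tablespace encryption.
-- Names, path and objects are assumptions; the wallet must be open.

-- 1. Create a new tablespace with AES-256 encryption of every block written to it
CREATE TABLESPACE ts_enc
    DATAFILE '/u01/oradata/orcl/ts_enc01.dbf' SIZE 100M AUTOEXTEND ON
    ENCRYPTION USING 'AES256'
    DEFAULT STORAGE (ENCRYPT);

-- 2. There is no ALTER TABLESPACE ... ENCRYPT in 12.1, so relocate the segments.
--    ALTER TABLE ... MOVE rewrites every block into the encrypted tablespace.
ALTER TABLE hr_user.employees MOVE TABLESPACE ts_enc;

-- Indexes are marked UNUSABLE by the move and must be rebuilt (into the
-- encrypted tablespace, otherwise indexed column values stay in the clear)
ALTER INDEX hr_user.emp_pk REBUILD TABLESPACE ts_enc;

-- Find any other index left unusable by the move
SELECT owner, index_name, tablespace_name
FROM   dba_indexes
WHERE  table_owner = 'HR_USER' AND table_name = 'EMPLOYEES' AND status = 'UNUSABLE';

-- 3. Verify: wallet state, encrypted tablespaces, and where the table lives now
SELECT wrl_type, wrl_parameter, status FROM v$encryption_wallet;

SELECT t.name, e.encryptionalg, e.encryptedts
FROM   v$encrypted_tablespaces e
JOIN   v$tablespace t ON t.ts# = e.ts#;

SELECT tablespace_name, encrypted FROM dba_tablespaces;

SELECT owner, segment_name, segment_type, tablespace_name
FROM   dba_segments
WHERE  owner = 'HR_USER' AND segment_name IN ('EMPLOYEES', 'EMP_PK');

-- 4. Caveat: the old clear-text blocks remain in the source data file until they
--    are reused. If the old tablespace held only sensitive data, drop it and
--    delete its data files; otherwise keep the "strings" test above in mind.
```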
Protect the Oracle Wallet

• Example: store the Oracle Wallet in /etc/ORACLE/WALLETS/oracle
• Create the directories (/etc is owned by 'root'):
# cd /etc
# mkdir -pv ./ORACLE/WALLETS/oracle
mkdir: created directory 'ORACLE'
mkdir: created directory 'ORACLE/WALLETS'
mkdir: created directory 'ORACLE/WALLETS/oracle'
• Change the owner and set the directory access rights:
# chown -R oracle:oinstall ORACLE/*
# chmod -R 700 ORACLE/*
Wallet and master key creation

• Oracle Enterprise Manager
• Wallet location: v$encryption_wallet
• Default location (does not exist by default): $ORACLE_BASE/admin/$ORACLE_SID/
• Better: define it in 'sqlnet.ora'
$TNS_ADMIN/sqlnet.ora:
ENCRYPTION_WALLET_LOCATION =
  (SOURCE = (METHOD = FILE)
    (METHOD_DATA = (DIRECTORY = /etc/ORACLE/WALLETS/oracle)))

• Creation of the wallet:
  • Enterprise Manager (GUI)
  • Use SQL*Plus to create the wallet and the TDE master key:
SQL> alter system set encryption key identified by "<strong_password>";
Lock down the wallet

• Initially, the wallet is created with the default privileges of the oracle user, for example 644:
$ cd /etc/ORACLE/WALLETS/oracle
$ ls -l
-rw-r--r-- ewallet.p12
• This should be reduced to:
$ chmod 600 ewallet.p12
• In order to protect the wallet from accidental deletion, make it read-only:
$ chmod 400 ewallet.p12
• This also disables updates to the wallet (master key re-key operations), which then return an error message
Modify Wallet Password

• Changing the wallet password doesn't change the TDE encryption key
• Back up the wallet before changing the password
• Change the password
• Close the wallet and try to open it with the new password
  • In case of trouble: recover the wallet from the backup and try again
  • Success: go on
• Don't forget to back up the new wallet after the change
• Never forget the wallet password !!!!
Oracle Advanced Security Transparent Data Encryption (TDE)
Direct Connection Scenarios

(Diagram: TDE in RAC, Data Guard, multiple DBs on the same machine, GoldenGate and single-instance deployments.)
Data Pump Encryption

• Control via parameters:
  • ENCRYPTION: ALL / DATA_ONLY / ENCRYPTED_COLUMNS_ONLY / METADATA_ONLY / NONE
  • ENCRYPTION_ALGORITHM: AES128 / AES192 / AES256
  • ENCRYPTION_MODE: DUAL / PASSWORD / TRANSPARENT
  • ENCRYPTION_PASSWORD
• The parameters are not independent of each other
  • e.g. specifying only ENCRYPTION_PASSWORD=pw implies ENCRYPTION=ALL
Summary of Oracle Key Vault

• Modern, scalable, and robust key management
• Secures, shares, and manages keys and secrets in the enterprise
• Handles Oracle Wallets and Java Keystores
• Optimized for Oracle Databases with Oracle Advanced Security TDE
• Turnkey secure software appliance platform using Oracle technology
• Open industry standards based and engineered for the Oracle stack

Key Management with Oracle Key Vault

• Centralized management of keys, secrets, Oracle Wallets, Java Keystores and more
• Optimized solution for the Oracle stack (Database, Middleware, Systems)
• Supports the industry standard OASIS KMIP protocol
Data Redaction (SAP: ???)
• Oracle Data Masking is mostly used for test and development
  • Repeatable, one-way masking, subsetting etc.
  • Traditionally handled with individual applications
• Use case:
  • Accounting staff is allowed to / needs to see the banking information of the customers
  • Support staff is allowed to see only technical and contact information of the customer
  • Marketing doesn't see details from support or from accounting staff

Data Redaction (SAP: ???)
• Administration: only EXECUTE on the DBMS_REDACT PL/SQL package is needed
  • Admins don't need access to the tables or views
• SYS and SYSTEM users can always bypass any existing Oracle Data Redaction policies !!!! (dbexp) !!!
• DML/DDL and DBMS_REDACT: take care
• The basic principle is a policy (it can use e.g. SYS_CONTEXT):
BEGIN
  dbms_redact.add_policy(
    object_schema       => 'SCOTT',
    object_name         => 'MSR',
    policy_name         => 'customers_pol',
    column_name         => 'ENAME',
    function_type       => DBMS_REDACT.PARTIAL,
    function_parameters => 'VVVFVV,VVVFVV,x,1,3',
    -- redact for every session user except MSR
    expression          => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') != ''MSR''');
END;
/
Data Redaction Functions (SAP: ???)
• Random redaction
  4113-5789-6776-9877 -> 6751-4362-7869-3481
  02/28/2014 -> 11/30/2011
• RegExp redaction
  6776-9877 -> 6776-[hidden]
  Rainer.msr@oracle.com -> [unknown]@oracle.com
• Partial redaction
  4113-5789-6776-9877 -> ****-****-****-3481
  D1U77856V8k -> D1*******8k
• Full redaction
  4113-5789-6776-9877 -> xxxxxxxxxxxxxxxxxxx
  02/28/2014 -> 01/01/01
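The policy shown two slides earlier used PARTIAL redaction; this added example (not from the slides) builds one policy that combines the RegExp redaction of an e-mail address and the partial redaction of a card number listed above, then shows how to review and test it. The table scott.customers with columns EMAIL and CARD_NO is an assumption.

```sql
-- Added example: one redaction policy covering two of the function types above.
-- The table scott.customers (EMAIL, CARD_NO) is an assumption.

-- 1. RegExp redaction of the user part of an e-mail address, using the
--    pattern/replacement constants shipped in DBMS_REDACT
BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema         => 'SCOTT',
    object_name           => 'CUSTOMERS',
    policy_name           => 'cust_pii_pol',
    column_name           => 'EMAIL',
    function_type         => DBMS_REDACT.REGEXP,
    regexp_pattern        => DBMS_REDACT.RE_PATTERN_EMAIL_ADDRESS,
    regexp_replace_string => DBMS_REDACT.RE_REDACT_EMAIL_NAME,
    regexp_position       => DBMS_REDACT.RE_BEGINNING,
    regexp_occurrence     => DBMS_REDACT.RE_ALL,
    -- everyone except the schema owner sees redacted values
    expression            => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') != ''SCOTT''');
END;
/

-- 2. Add the card number column to the same policy with PARTIAL redaction.
--    function_parameters = input format, output format, mask char, first and
--    last position to mask: V = value position, F = formatting character.
--    '4113-5789-6776-9877' becomes '****-****-****-9877'.
BEGIN
  DBMS_REDACT.ALTER_POLICY(
    object_schema       => 'SCOTT',
    object_name         => 'CUSTOMERS',
    policy_name         => 'cust_pii_pol',
    action              => DBMS_REDACT.ADD_COLUMN,
    column_name         => 'CARD_NO',
    function_type       => DBMS_REDACT.PARTIAL,
    function_parameters => 'VVVVFVVVVFVVVVFVVVV,VVVV-VVVV-VVVV-VVVV,*,1,12');
END;
/

-- 3. Review what is in place
SELECT object_owner, object_name, policy_name, expression
FROM   redaction_policies;

SELECT column_name, function_type, function_parameters, regexp_pattern
FROM   redaction_columns
WHERE  object_owner = 'SCOTT' AND object_name = 'CUSTOMERS';

-- 4. Test as a user other than SCOTT (and other than SYS/SYSTEM, which bypass
--    redaction): the same query returns redacted EMAIL and CARD_NO values.
--    (connect as that user, with SELECT granted on scott.customers)
SELECT email, card_no FROM scott.customers WHERE ROWNUM <= 3;
```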
Options

Data Masking Option (licence needed)

Problem: theft of data

• Production is well protected
• And the rest ???
Oracle Data Masking
Irreversible De-Identification

Production                           Non-Production
LAST_NAME  SSN          SALARY       LAST_NAME   SSN          SALARY
AGUILAR    203-33-3234  40,000       ANSKEKSL    111-23-1111  60,000
BENSON     323-22-2943  60,000       BKJHHEIEDK  222-34-1345  40,000

• Remove sensitive data from non-production databases
• Referential integrity preserved so applications continue to work
• Sensitive data never leaves the database
• Extensible template library and policies for automation
Oracle Data Masking
Make Data Anonymous

Application testing
• Offshore or in-house application development
• Offshore or in-house software QA

Data sharing
• Claims processing
• Offline reporting
• Data archival and retrieval
• Marketing analysis of customer data

Regulations
• Sarbanes Oxley Act of 2002
• EU Privacy Directives
• BSI
• BASEL II
• PCI DSS
• ...
Oracle Data Masking
Concept

What
• The act of anonymizing customer, financial, or company confidential data to create new, legible data which retains the data's properties, such as its width, type, and format.

Why
• To protect confidential data in test environments when the data is used by developers or offshore vendors
• When customer data is shared with 3rd parties without revealing personally identifiable information

Before masking:
LAST_NAME  SSN          SALARY
AGUILAR    203-33-3234  40,000
BENSON     323-22-2943  60,000
D'SOUZA    989-22-2403  80,000
FIORANO    093-44-3823  45,000

After masking:
LAST_NAME   SSN          SALARY
ANSKEKSL    111-23-1111  40,000
BKJHHEIEDK  111-34-1345  60,000
KDDEHLHESA  111-97-2749  80,000
FPENZXIEK   111-49-3849  45,000
Oracle Data Masking
Format Libraries

• Mask primitives
  • Random number
  • Random string
  • Random date within range
  • Shuffle
  • Substring of original value
  • Table column
  • Deterministic masks
  • User-defined function
• National identifiers
  • Social Security Numbers
  • Credit card numbers
• Condition-based masking
• User-defined masks
Oracle Data Masking
Masking Workflow

Security Admin: identify sensitive information -> identify format library formats -> masking definition
DBA: clone Prod to Staging -> review mask definition -> execute mask -> clone Staging to Test

Oracle Data Masking Pack is now securely integrated with the database cloning capabilities in Oracle Enterprise Manager
Options for the Enterprise Edition

Database Vault (licence needed)

Important SAP info sources:
• SAP Note 1355140: Use of Oracle Database Vault in an SAP environment
• SAP Note 1503634: Frequently asked questions: Oracle Database Vault
• SAP Note 1875799: Database Vault: access to selected SAP tables
• SAP Note 1597194: Installing Oracle Database Vault in an SAP Environment
• SAP Note 1502374: Database Vault for SAP Policy Scripts
• SAP Note 1716939: SAP System Copies with Database Vault
• SAP System Copy with Oracle – what to look out for
  Bettina Weissinger-Stelzel, SAP; Andreas Becker, Oracle
  http://scn.sap.com/docs/DOC-44148
Privileged User Controls – Database Vault
Preventive Control for Oracle Databases

• Protect (application) data from the DBA
• Protect the DBA from the (application) data
• Enforce rules, e.g. multi-factor authorization at database level, to enforce enterprise data governance
• Least privilege policies and analyses
• Realms are protection zones around database objects (very helpful in consolidation projects)
• Very simple to use; very complex environments have fully developed out-of-the-box application policies (e.g. SAP)

(Diagram: a DBA issuing "select * from finance.customers" is stopped by Database Vault in front of the Procurement, HR and Finance application data, while the applications' own access is unaffected.)
Database Vault Example

• DBA1 accessing HR data ("Select * from HR.emp"): stopped by the HR realm; compliance & protection from insiders
• DBA2 doing non-regular operations during main business hours ("Create procedure ..."): factor-based access control, e.g. on the factors 3 PM and Saturday
• HR DBA accessing data from the Fin realm ("Select * from fin.orders"): stopped; minimal security risk in consolidation projects with other apps on the same database
Oracle Database Vault Realms

• Define declarative areas in the DB which neither the database administrators (DBAs) nor any other highly privileged user is able to access
  • Tables, schemas, procedures, roles, ...
• Access to objects within the realms needs direct GRANTs
• SOD (Separation of Duty)
  • DBA only within a fixed, defined area, e.g. DBA for HR or DBA for Accounting
• Violations against realms (and rules) are audited, reported and notified
Realms protect – and the DBA, in every sense
% SQLPLUS system/mypassword
SQL> CREATE TABLE mein_emp AS
SELECT * FROM scott.emp;

ERROR at line 4:
ORA-00604: error occurred at recursive SQL level 1
ORA-20401: Realm violation on create table MEIN_EMP
ORA-06512: at "DVSYS.AUTHORIZE_EVENT", line 35
ORA-06512: at line 13

SQL> DROP TABLE scott.emp;

ERROR at line 4:
ORA-00604: error occurred at recursive SQL level 1
ORA-20401: Realm violation on drop table SCOTT.EMP
ORA-06512: at "DVSYS.AUTHORIZE_EVENT", line 35
ORA-06512: at line 13

Default Realms
Command rules ...
Example – a simple four-eyes rule (rule expression: exactly one of the two controllers must be logged on):
(SELECT count(*) FROM v$session WHERE username = 'KONTROLLEUR1' or username = 'KONTROLLEUR2') = 1

Oracle Database Vault
Auditing
Oracle Database Vault for SAP
Additional Realms

Realm                                 Owner                     Protects
Protection Realm for ABAP Stack       SAP Application Account   SAP business data
Protection Realm for Java Stack       SAP Application Account   SAP business data
Protection Realm for SAP BR*Tools     SAPDBA Role               DB objects needed by SAP BR*Tools
Credential Protection Realm           SAPCRED Role              Data needed for credential management
Protection Realm for SAP Admin Roles  SAPACCTMGR                SAP administration roles (SAPCONN, SAPDBA, SAPCRED, SAPSYS)
Database Vault News in 12c

• Administration:
  • EM/Cloud Control (or PL/SQL) is the admin GUI
  • Installed by default (but not switched on)
• Performance improvements
• New realms
  • Block ALL functionality, even to block the owner of a table from reading the data
• Support of Unified Auditing
• Least privilege analysis

Data Vault Role & Privilege Capture

• Application users have too many privileges (example: SAP)
  • The focus of development is very often not security design
  • Old systems
• Least privilege analysis is very complicated but important

Data Vault Role & Privilege Capture

• Task: capture the use of privileges at run time
• Scope: users, sessions, roles
• Shows which system privileges, object privileges and PUBLIC privileges are actually used
• Shows how a user obtained a privilege
• Shows which system and object privileges are unused
Data Vault Role & Privilege Capture
Process
• 1. Create a capture policy (PL/SQL or GUI):

BEGIN
  DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
    name        => 'MeisriemlerAnalyseTeil1',
    description => 'Analyse des Anwendungsmoduls XYZ durch den Benutzer MSR',
    type        => DBMS_PRIVILEGE_CAPTURE.G_CONTEXT,
    -- capture only sessions of user MSR that run module XYZ
    condition   => 'SYS_CONTEXT(''USERENV'', ''MODULE'') = ''XYZ''
                    AND SYS_CONTEXT(''USERENV'', ''SESSION_USER'') = ''MSR''');
END;
/

Data Vault Role & Privilege Capture
Process
• 2. Activate the policy (the name must match exactly, without surrounding blanks):

EXEC DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE('MeisriemlerAnalyseTeil1');

• 3. Run the application/job

• 4. Disable the capture policy:

EXEC DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE('MeisriemlerAnalyseTeil1');

• 5. Generate the data for reporting:

EXEC DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT('MeisriemlerAnalyseTeil1');

Data Vault Role & Privilege Capture
Process
• 6. Example reporting
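The reporting step for the capture created above, as an added example (not from the slides): the DBA_USED_* and DBA_UNUSED_* views are populated by GENERATE_RESULT and tell you which of MSR's privileges were exercised and which are candidates for revocation.

```sql
-- Added example: step 6, reporting on the capture 'MeisriemlerAnalyseTeil1'
-- after DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT has run.

-- Which captures exist, their type and whether one is currently running
SELECT name, type, enabled, context
FROM   dba_priv_captures;

-- System privileges actually used during the capture, and how the user got
-- them (PATH shows the grant chain, e.g. via a role)
SELECT username, sys_priv, used_role, path
FROM   dba_used_sysprivs_path
WHERE  capture = 'MeisriemlerAnalyseTeil1'
ORDER  BY username, sys_priv;

-- Object privileges actually used
SELECT username, obj_priv, object_owner, object_name, object_type
FROM   dba_used_objprivs
WHERE  capture = 'MeisriemlerAnalyseTeil1'
ORDER  BY object_owner, object_name;

-- Privileges MSR holds but never exercised while the capture ran:
-- the candidates for revocation in a least-privilege clean-up
SELECT username, sys_priv, used_role
FROM   dba_unused_sysprivs
WHERE  capture  = 'MeisriemlerAnalyseTeil1'
AND    username = 'MSR'
ORDER  BY sys_priv;

SELECT username, obj_priv, object_owner, object_name
FROM   dba_unused_objprivs
WHERE  capture  = 'MeisriemlerAnalyseTeil1'
AND    username = 'MSR'
ORDER  BY object_owner, object_name;

-- Drop the capture and its results once the analysis is documented
EXEC DBMS_PRIVILEGE_CAPTURE.DROP_CAPTURE('MeisriemlerAnalyseTeil1');
```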
Database Auditing
Detective Control for Oracle

• Challenges:
  • Audit is complicated
  • A lot of AUDIT xyz statements
  • Switching off audit should not be too easy
  • Audit should not impact the performance
  • The data volume can be very big
  • Different audit data stores:
    • Mandatory audit
    • SYS audit
    • Standard DB audit
    • Fine-grained auditing
Database Auditing 12c Unified Audit
Detective Control for Oracle

Oracle Database 12c Unified Auditing enables selective and effective auditing inside the Oracle database using policies and conditions.

• 2 new roles: AUDIT_ADMIN and AUDIT_VIEWER
• Policy-based audit simplifies administration
• "Condition-based" policies, e.g.:
  • time control (audit only before 5 am and after 5 pm)
  • audit everything with the exception of some IPs
  • audit of proxy users
• Exclude some schemas from audit

• Default policies:
  • ORA_SECURECONFIG (audit configuration and trail)
  • ORA_ACCOUNT_MGMT (create user, role and grants)
  • ORA_DATABASE_PARAMETER (spfile modifications)
Database Auditing 12c Unified Audit
Detective Control for Oracle

• Example audit policies:

CREATE AUDIT POLICY dba_pol ROLES DBA;
CREATE AUDIT POLICY dppol1 ACTIONS COMPONENT=DATAPUMP EXPORT;
CREATE AUDIT POLICY msr_pol
  PRIVILEGES CREATE TABLE
  ACTIONS UPDATE ON SCOTT.MSR
  WHEN 'SYS_CONTEXT(''USERENV'',''IDENTIFICATION_TYPE'') = ''EXTERNAL'''
  EVALUATE PER STATEMENT;

• Activate: AUDIT POLICY msr_pol EXCEPT scott;

• Query of policies:
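The policy queries the slide leaves open, as an added example (not from the slides): the definition and enablement views for msr_pol, then the audit records the policy produced, read from UNIFIED_AUDIT_TRAIL after flushing the in-memory queue.

```sql
-- Added example: reviewing unified audit policies and their records.

-- What the policy msr_pol audits (one row per audit option)
SELECT policy_name, audit_option, audit_option_type,
       object_schema, object_name, audit_condition, condition_eval_opt
FROM   audit_unified_policies
WHERE  policy_name = 'MSR_POL';

-- Which policies are enabled and for whom; an EXCEPT activation shows
-- ENABLED_OPT = 'EXCEPT USER' with the excluded user in USER_NAME
SELECT policy_name, enabled_opt, user_name, success, failure
FROM   audit_unified_enabled_policies
ORDER  BY policy_name;

-- In the default queued mode records sit in the SGA queue until flushed,
-- so flush before querying the trail
EXEC DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL;

-- Records written by msr_pol: who did what, from where, and whether it
-- succeeded (RETURN_CODE 0) or failed
SELECT event_timestamp, dbusername, os_username, userhost, client_program_name,
       action_name, object_schema, object_name, return_code, sql_text
FROM   unified_audit_trail
WHERE  unified_audit_policies LIKE '%MSR_POL%'
ORDER  BY event_timestamp DESC;

-- Is the instance running pure unified auditing (TRUE) or mixed mode (FALSE,
-- the traditional audit trail is still written as well)?
SELECT value FROM v$option WHERE parameter = 'Unified Auditing';
```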
Database Auditing 12c Unified Audit
Detective Control for Oracle

• Unified Auditing has support for:
  • Fine-Grained Audit (FGA)
  • Data Pump
  • RMAN
  • OLS / DV / RAS
• Management of audit data must be done with the built-in package DBMS_AUDIT_MGMT
• Faster audit engine and better control:
  • Queued mode (default)
    • fast
    • controllable with the parameter UNIFIED_AUDIT_SGA_QUEUE_SIZE
    • manual flush: exec dbms_audit_mgmt.flush_unified_audit_trail
  • Immediate mode
Database Auditing
Detective Control for Oracle

• The Security Guide gives recommendations for monitoring.

More information:

11.2 Oracle Security Guide, Guidelines for Auditing:
http://docs.oracle.com/cd/E11882_01/network.112/e16543/guidelines.htm#DBSEG90008
12c Oracle Security Guide, Guidelines for Auditing:
http://docs.oracle.com/cd/E16655_01/network.121/e17607/guidelines.htm#DBSEG506
Options

Audit Vault and Database Firewall (licence needed)
Oracle Audit Vault –
Data Warehouse for Audit-Data

(Diagram: audit data from Oracle Databases (9iR2, 10gR1, 10gR2), the application server, applications and third-party products is collected in the Audit Warehouse, i.e. Oracle Audit Vault built on Oracle Enterprise Database with Data Mining and Partitioning; it provides user-defined reports, predefined reports, roles (SOD) and central audit settings.)
Existing Security Solutions Not Enough

Threats: key loggers, malware, SQL injection, espionage, spear phishing, botware, social engineering
Paths: web users and application users -> application -> database; database administrators -> database

Data Must Be Protected at the Source
Oracle Database Firewall
First Line of Defense

(Diagram: SQL from applications passes the firewall, which can allow, log, alert, substitute or block it; alerts, built-in reports and custom reports are produced from the custom policies.)

• Monitor database activity to help prevent unauthorized activity, application bypass and SQL injections
• Highly accurate SQL grammar based analysis
• White-list, black-list, and exception-list based security policies
• Built-in and custom compliance reports for regulations
Oracle Database Firewall
Positive Security Model Based Enforcement

(Diagram: white list; statements from applications are allowed or blocked.)

• White-list based policies enforce normal or expected behavior
• Policies evaluate factors such as time, day, network, and application
• Easily generate white-lists for any application
• Out-of-policy SQL statements can be logged, alerted, blocked or substituted with a harmless SQL statement
• SQL substitution foils attackers without disrupting applications

Oracle Database Firewall
Negative Security Model Based Enforcement

(Diagram: black list; statements from applications are allowed or blocked.)

• Stop specific unwanted SQL commands, user, or schema access
• Prevent privilege or role escalation and unauthorized access to sensitive data
• Black-list policies can evaluate factors such as day, time, network, and application

Oracle Database Firewall
Scalable and Safe Policy Enforcement

(Diagram: the firewall can log, allow, alert, substitute or block; e.g. "SELECT * FROM accounts" becomes "SELECT * FROM dual where 1=0".)

• Innovative SQL grammar technology reduces millions of SQL statements into a small number of SQL characteristics or "clusters"
• Flexible enforcement at SQL level: block, substitute, alert and pass, log only
• SQL substitution foils attackers without disrupting applications
• Centralized policy management and reporting
• Superior performance and policy scalability
Oracle Database Firewall
Reporting
• Database Firewall log data
consolidated into reporting database
• Dozens of built in reports that can be
modified and customized
• Database activity and privileged
user reports
• Entitlements reporting for
database attestation and audit
• Supports demonstrating controls
for PCI, SOX, HIPAA, etc.
• Logged SQL statements can be
sanitized of sensitive PII data
Oracle Audit Vault and Database Firewall

(Diagram: applications -> Database Firewall -> databases; firewall events and audit data flow into the Audit Vault, which raises alerts and produces built-in and custom reports from custom policies.)
Options for the Enterprise Edition

Lifecycle Management Pack (licence needed)

Configuration Management
Administrative Control for Oracle Databases

Oracle Database Lifecycle Management

Discover
• Standardised monitoring of security and compliance policy groups
• Automatic collection of systems (permanent inventory)

Scan & Monitor
• Out-of-the-box 400+ metrics in the area of security, best practices, industry standards
• Expandable: define your own metrics
• Automatic discovery and documentation of changes, e.g. database configuration, installation
• Integration in trouble ticket tracking systems

Patch
• Automation of installation and patching with the help of provisioning and change management

Configuration Management

• Pack of Oracle Cloud Control / Grid Control / Database Control
• Automatic collection of system information:
  • Hardware
  • Operating system
  • Oracle software (version, patch sets, configuration settings)
• System inventory reporting
• System difference reporting
• Historical modification documentation
• Policy manager
Product

OPAM – Oracle Privileged Account Management (licence needed)

What is a Privileged Account?

• Typical admin users: root, SYS, SYSTEM etc.
• Any account used to connect to a software system may be a privileged account.
• Typically a privileged account has the following nature:
  • Access to sensitive information
  • Has stronger privileges, e.g. SELECT ANY
  • Multiple entities (human/non-human) use the account, e.g. SYSTEM (the opposite of a personalized account)
  • Is not dedicated/attached to a person, e.g. the SAP account or other application/schema owners
Privileged Account Manager
Overview of Product Capabilities

• Integration with the Identity Governance Platform
  • Connectors to and workflow integration with OIM (Oracle Identity Management)
  • Centralized policy management via OIM and OIA (Oracle Identity Analytics)
• Out-of-the-box connectors; OPAM targets "only" need to be configured
  • Database, OS, LDAP directories and Oracle FMW applications
• Policy-based access and rules engine
  • Supervision if and when admins have access to the systems
  • Deputy and incident arrangements
  • Privileges and roles are managed as OPAM usage policies, e.g. the SAP user can connect to the database only during normal working hours
  • Typically LDAP information is used to connect to OPAM
• Flexible password policies
  • Enforce and control corporate password standards
Typical OPAM Use-Case

(Diagram, read as a sequence:)
1. The Unix admin (Joe) requests the root password for the Unix server from the Oracle Privileged Account Manager.
2. OPAM verifies via LDAP that the OPAM user Joe is in the "HR DBA" role and returns the root password.
3. Joe logs in as root and adds disk space (the system was out of space).
4. Joe requests the SYSTEM password for the HR App database; OPAM returns it.
5. Joe logs in as SYSTEM and adds a table to the DB.
6. The user checks the passwords back in.
7. OPAM sets a new root password for the Unix server, based on the password policy for the Unix server, and a new SYSTEM password for the HR App database, based on the password policy for the HR App database.
OPAM benefits
• Enables and enforces the use of (internal) security policies (e.g. a different password for the SYS account on every database)
• Reduces the risk and threat of abuse of privileged users (e.g. root, SYS, ...)
• Attest to regulatory requirements (very flexible reporting)
• Cost reduction with efficient self service and a centralised security infrastructure
• Real-time reporting
• Flexible and customizable reports (BI Publisher)

Thank you very much!

Questions?
Requests?
Suggestions?