Oracle Database Security
Top 10 Things You Could & Should Be Doing
Differently
Simon Pane - Oracle Database Principal Consultant
April 11, 2016
ABOUT ME
• Working with Oracle DB since version 6
• Oracle Certified Professional: Oracle 8, 8i, 9i, 10g, 11g, 12c
• Oracle Certified Expert
• Oracle Certified Partner Specialist
• Oracle Ace Associate
• MOS Communities Simon_DBA
© 2016 Pythian Confidential
ABOUT PYTHIAN
• 11,400: Pythian currently manages more than 11,400 systems.
• 400+: Pythian currently employs more than 400 people in 200 cities in 35 countries.
• 1997: Pythian was founded in 1997.
Global Leader In IT Transformation And Operational Excellence
Unparalleled Expertise
• Top 5% in databases, applications, infrastructure, Big Data, Cloud, Data Science, and DevOps
Unmatched Certifications
• 9 Oracle ACEs, 4 Oracle ACE Directors, 1 Oracle ACE Associate
• 6 Microsoft MVPs, 1 Microsoft Certified Master
• 5 Google Platform Qualified Developers
• 1 Cloudera Champion of Big Data
• 1 Mongo DB Certified DBA Associate Level
• 1 DataStax Certified Partner, 1 MVP
Broad Technical Experience
• Oracle, Microsoft, MySQL, Oracle EBS, Hadoop, Cassandra, MongoDB, virtualization, configuration management, monitoring, trending, and more.
WHAT THIS IS NOT ABOUT ….
• All great products / tools:
– Oracle Database Vault
– Oracle Audit Vault and Database Firewall
– Privilege Analysis
– Oracle Key Vault
– Oracle Identity Management
– Transparent Data Encryption
– Oracle Data Redaction
– VPD / FGAC / Real Application Security (RAS)
– Oracle Data Masking and Subsetting
– Oracle Total Recall
– Advanced Security Option
…. INSTEAD IT IS ABOUT
• What can we do with what we already have?
• What do we need to watch out for?
• How should we change our operational practices?
AGENDA
• “Top 10”
– Applies to Standard Edition & Enterprise Edition
– Various releases: 10g, 11g, 12c
• Bonus: Oracle Database 12c specific features
• The take away: tips, suggestions, cautions!
AVOID CLEAR TEXT PASSWORD IN SQLNET
• Authentication is automatically encrypted - other commands are not!
• Never use “… identified by …” through SQLNET
– What about our tools?
• Use the “password” command instead
– This command does encrypt the password in flight
AVOID CLEAR TEXT PASSWORD IN SQLNET
• Easy for a DBA to trace:
• Easy for anyone else on the network to trace
– Network sniffers (e.g. Wireshark)
AVOID CLEAR TEXT PASSWORD IN SQLNET
• Resulting trace file:
• Using $ORACLE_HOME/bin/trcasst: (11g)
(Slide callout: 12c bug!)
AVOID CLEAR TEXT PASSWORD IN SQLNET
• What about if you’re going through a public network?
– Or between services in a public cloud?
• From Amazon RDS documentation:
AVOID CLEAR TEXT PASSWORD IN SQLNET
• Wireshark to AWS with VPC security group:
AVOID CLEAR TEXT PASSWORD IN SQLNET
• Better method (AWS RDS using SQL Developer):
• Or ensure network encryption / VPN / IPSEC
PROTECT PASSWORD HASH VALUES & SALTS
• Easy to crack offline (particularly old 10g DES hashes)
• Protect network traffic:
– “Oracle Network Encryption” or other tunneling software
– Exposures pre-11.2.0.4 – see CVE-2012-3137
• fixed OCT2012 PSU
• Protect and audit in the catalog:
– SYS.USER$ and SYS.USER_HISTORY$
– SYS.USER$.SPARE4 includes the salt
• Force complexity:
– Use a password-verification function and profiles
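The following is an added example, not code from the deck: a SYS-owned password-verification function attached to a profile, plus a check for accounts still on a profile without one. The function name, profile name and the limits chosen are illustrative assumptions. Once the profile is in place, a password changed with the SQL*Plus "password" command (which, as the earlier slides note, does not travel in clear text) is checked by this function just like an ALTER USER would be.

```sql
-- Added example (not from the original deck). Run as SYS: a verify function
-- must be owned by SYS to be referenced from a profile.
CREATE OR REPLACE FUNCTION sys.pythian_verify_pw (
    username     IN VARCHAR2,
    password     IN VARCHAR2,
    old_password IN VARCHAR2)     -- NULL when a DBA resets the password
RETURN BOOLEAN
IS
    has_upper   BOOLEAN := FALSE;
    has_lower   BOOLEAN := FALSE;
    has_digit   BOOLEAN := FALSE;
    has_special BOOLEAN := FALSE;
    c           VARCHAR2(1 CHAR);
BEGIN
    IF LENGTH(password) < 12 THEN
        raise_application_error(-20001, 'Password must be at least 12 characters');
    END IF;
    -- Reject passwords that embed the account name
    IF INSTR(UPPER(password), UPPER(username)) > 0 THEN
        raise_application_error(-20002, 'Password must not contain the username');
    END IF;
    -- Small deny list of well-known defaults (constructed; extend as needed)
    IF UPPER(password) IN ('WELCOME1', 'ORACLE123', 'PASSWORD1', 'CHANGE_ON_INSTALL') THEN
        raise_application_error(-20003, 'Password is on the deny list');
    END IF;
    -- Character classes, compared by ASCII code so NLS sort order is irrelevant
    FOR i IN 1 .. LENGTH(password) LOOP
        c := SUBSTR(password, i, 1);
        IF    ASCII(c) BETWEEN 65 AND 90  THEN has_upper   := TRUE;
        ELSIF ASCII(c) BETWEEN 97 AND 122 THEN has_lower   := TRUE;
        ELSIF ASCII(c) BETWEEN 48 AND 57  THEN has_digit   := TRUE;
        ELSE                                   has_special := TRUE;
        END IF;
    END LOOP;
    IF NOT (has_upper AND has_lower AND has_digit AND has_special) THEN
        raise_application_error(-20004, 'Password needs upper, lower, digit and special characters');
    END IF;
    -- New password must differ from the old one in at least 4 edits
    IF old_password IS NOT NULL
       AND UTL_MATCH.EDIT_DISTANCE(old_password, password) < 4 THEN
        raise_application_error(-20005, 'New password is too similar to the old one');
    END IF;
    RETURN TRUE;
END;
/

-- Profile that enforces the function together with lockout and rotation limits
CREATE PROFILE app_secure_profile LIMIT
    PASSWORD_VERIFY_FUNCTION pythian_verify_pw
    FAILED_LOGIN_ATTEMPTS    5
    PASSWORD_LOCK_TIME       1/24      -- one hour
    PASSWORD_LIFE_TIME       90
    PASSWORD_GRACE_TIME      7
    PASSWORD_REUSE_MAX       10
    PASSWORD_REUSE_TIME      365;

ALTER USER app_owner PROFILE app_secure_profile;   -- APP_OWNER is an assumed account

-- Check: which open accounts still sit on a profile with no verify function?
SELECT u.username, u.profile
  FROM dba_users    u
  JOIN dba_profiles p ON p.profile = u.profile
 WHERE p.resource_name  = 'PASSWORD_VERIFY_FUNCTION'
   AND p.limit          = 'NULL'
   AND u.account_status = 'OPEN'
 ORDER BY u.username;
```

The last query is the one to schedule: a new account created without a PROFILE clause lands on DEFAULT, and unless DEFAULT itself carries a verify function the complexity rules silently stop applying.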
PROTECT PASSWORD HASH VALUES & SALTS
• Never post hashes into documentation or ticket system:
(Slide callouts on the screenshots: “Don’t” and “Do!”)
AVOID PASSWORDS IN SCRIPT VARIABLES
• Don’t put passwords into script variables:
– Variables can be exposed in diagnostic dumps
– Also shouldn’t ever need to “export” variables!!
• Scripting mistake:
AVOID PASSWORDS IN SCRIPT VARIABLES
• Listener dump:
AVOID PASSWORDS IN SCRIPT VARIABLES
• Variables are in: /proc/${pmon pid}/environ
• And RMAN script when running:
AVOID PASSWORDS IN SCRIPT VARIABLES
• Better solution: “Secure External Password Store”
– Doesn’t negate “/ as sysdba” connections
– Compatible with SQLNET.AUTHENTICATION_SERVICES=NONE
AVOID PASSWORDS IN SCRIPT VARIABLES
• “Secure External Password Store” usage:
AVOID PASSWORDS IN SCRIPT VARIABLES
• “Secure External Password Store”:
– Bug with the -auto_login_local option
• Works in 11.2.0.4 and 12.1.0.1 but not 12.1.0.2
• May need to remediate scripts anyway
– For compliance or PDB (service) compatibility
(Slide callout: 12.1.0.2 bug!)
USE THE SCHEDULER
• CRON scripts often run .SQL files
– Monitoring jobs
– Application jobs
– Backup jobs
• How are the DB credentials for those secured?
– Why schedule from the CRON and then have to worry about DB credentials?
USE THE SCHEDULER
• Can also use to run OS scripts ( .sh or .cmd )
– OS security context for non-SYS jobs to use when running external jobs is defined in: $ORACLE_HOME/rdbms/admin/externaljob.ora
– Be careful this doesn’t become an OS-injection risk
• The program being run could be “sh”
• Actual OS commands could be the arguments
USE THE SCHEDULER
• Default UNIX settings in externaljob.ora:
    run_user = nobody
    run_group = nobody
• Be cautious if changing to a more powerful account:
    run_user = oracle
    run_group = dba
(Slide callout: OS injection as “oracle”)
USE THE SCHEDULER
• Windows adds the service:
– OracleJobScheduler<ORACLE_SID>
• Service ownership defaults to LocalSystem (11g)
– Change to a low level user or disable (default)
– This service runs non-SYS scheduler jobs
USE THE SCHEDULER
• Scheduler best practices:
1. Use a dedicated least-privileged DB user/credential
2. Use a dedicated least-privileged OS user/credential
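As an added example (not code from the deck), here is what the two best practices above look like in DBMS_SCHEDULER: a cron entry that ran a .sql file with an embedded password is replaced by a job owned by a dedicated, locked DB user, and an OS script job runs under a dedicated low-privilege OS account held as a scheduler credential rather than in a script variable. The schema name SCHED_OWNER, the OS account "orajobs", the procedure RUN_NIGHTLY_CHECK and the script path /u01/app/scripts/rotate_logs.sh are all assumptions.

```sql
-- Added example (not from the original deck). Run as a DBA.

-- 1. Dedicated least-privileged DB user that owns the jobs. Nobody logs in
--    as it (ACCOUNT LOCK); scheduler jobs still run under a locked owner.
CREATE USER sched_owner IDENTIFIED BY "<set-once-then-forget>" ACCOUNT LOCK;
GRANT CREATE SESSION, CREATE JOB, CREATE PROCEDURE TO sched_owner;
GRANT CREATE EXTERNAL JOB TO sched_owner;       -- only if OS scripts are needed
GRANT SELECT ON hr.employees TO sched_owner;    -- only what the job needs (assumed table)

-- 2. Database work as a STORED_PROCEDURE job: no .sql file, no password on disk.
--    SCHED_OWNER.RUN_NIGHTLY_CHECK is an assumed procedure.
BEGIN
  DBMS_SCHEDULER.create_job(
    job_name        => 'SCHED_OWNER.NIGHTLY_CHECK',
    job_type        => 'STORED_PROCEDURE',
    job_action      => 'SCHED_OWNER.RUN_NIGHTLY_CHECK',
    start_date      => SYSTIMESTAMP,
    repeat_interval => 'FREQ=DAILY; BYHOUR=2; BYMINUTE=0',
    enabled         => TRUE);
END;
/

-- 3. OS work: a dedicated low-privilege OS account stored as a credential.
--    The password lives in the data dictionary, not in a script or environment.
--    (DBMS_SCHEDULER.create_credential is deprecated in 12c in favour of
--    DBMS_CREDENTIAL.create_credential, which takes the same three arguments.)
BEGIN
  DBMS_SCHEDULER.create_credential(
    credential_name => 'SCHED_OWNER.OSRUN',
    username        => 'orajobs',            -- not "oracle", not "root"
    password        => '<os-password-of-orajobs>');
END;
/

BEGIN
  DBMS_SCHEDULER.create_job(
    job_name        => 'SCHED_OWNER.ROTATE_LOGS',
    job_type        => 'EXECUTABLE',
    -- Fixed, fully qualified script: never "sh" or "/bin/bash" with the real
    -- command arriving as an argument, which is the OS-injection case above.
    job_action      => '/u01/app/scripts/rotate_logs.sh',
    credential_name => 'SCHED_OWNER.OSRUN',
    start_date      => SYSTIMESTAMP,
    repeat_interval => 'FREQ=WEEKLY; BYDAY=SUN; BYHOUR=3',
    enabled         => TRUE);
END;
/

-- 4. Review: every external job, the program it runs and the OS identity it
--    runs as. A NULL credential means the externaljob.ora defaults apply;
--    a shell as the program deserves a second look.
SELECT owner, job_name, job_action, credential_name, enabled
  FROM dba_scheduler_jobs
 WHERE job_type = 'EXECUTABLE'
 ORDER BY owner, job_name;
```

The script itself should be owned by root or the DBA group and not writable by the account named in the credential; otherwise the "fixed path" is only as trustworthy as whoever can edit that file.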
SET SECURITY INITIALIZATION PARAMETERS
• Often overlooked initialization parameters:
– SEC_MAX_FAILED_LOGIN_ATTEMPTS
• Not the profile’s failed password attempts; this counts failed authentication attempts from a client to its server process
– SEC_PROTOCOL_ERROR_FURTHER_ACTION
• What the server process does when receiving bad packets
– SEC_PROTOCOL_ERROR_TRACE_ACTION
• Trace, log, alert, or nothing with bad packets
– SEC_RETURN_SERVER_RELEASE_BANNER
• Whether the full DB version banner is returned to the client
(Slide callout: changes in 12.1.0.2)
SET SECURITY INITIALIZATION PARAMETERS
• In SQLNET.ORA pre-12c:
    SQLNET.ALLOWED_LOGON_VERSION
• In SQLNET.ORA as of 12c:
    SQLNET.ALLOWED_LOGON_VERSION_SERVER
    SQLNET.ALLOWED_LOGON_VERSION_CLIENT
• Controls the “authentication protocol”:
– e.g. O3L, O4L, O5L, O5L_NP, O7L_MR
– Relates to the password versions stored in the DB
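As an added example covering both slides above (not code from the deck), the following sets the four SEC_* parameters, verifies them, and then runs the check a DBA wants before tightening SQLNET.ALLOWED_LOGON_VERSION_SERVER: which accounts still carry only a 10G password version and would be locked out. The parameter values are illustrative choices, not the deck's recommendations; confirm the defaults for your release before changing them.

```sql
-- Added example (not from the original deck). Run as a DBA on an instance
-- started from an SPFILE.
SHOW PARAMETER sec_

-- Drop a client connection after 3 failed authentication attempts on it.
-- Not dynamically modifiable: takes effect at the next restart.
ALTER SYSTEM SET sec_max_failed_login_attempts = 3 SCOPE = SPFILE;

-- After 3 bad packets on a connection, drop it (alternatives: CONTINUE,
-- '(DELAY,n)' to slow the client down instead).
ALTER SYSTEM SET sec_protocol_error_further_action = '(DROP,3)' SCOPE = BOTH;

-- Record bad packets in the alert log rather than a per-process trace file
-- (TRACE, LOG, ALERT or NONE).
ALTER SYSTEM SET sec_protocol_error_trace_action = 'LOG' SCOPE = BOTH;

-- Do not hand the full version banner to unauthenticated clients.
-- Not dynamically modifiable: takes effect at the next restart.
ALTER SYSTEM SET sec_return_server_release_banner = FALSE SCOPE = SPFILE;

-- Verify what is in effect now versus what is pending in the SPFILE
SELECT name, value, isdefault, ismodified
  FROM v$parameter
 WHERE name LIKE 'sec_%'
 ORDER BY name;

SELECT name, value
  FROM v$spparameter
 WHERE name LIKE 'sec_%'
 ORDER BY name;

-- Before raising SQLNET.ALLOWED_LOGON_VERSION_SERVER: accounts whose stored
-- verifiers are 10G only cannot authenticate once the server demands the
-- 11G/12C protocols. Reset their passwords first (the SQL*Plus "password"
-- command regenerates all verifiers permitted by the current setting).
SELECT username, password_versions, account_status
  FROM dba_users
 WHERE password_versions NOT LIKE '%11G%'
   AND password_versions NOT LIKE '%12C%'
 ORDER BY username;
```

PASSWORD_VERSIONS is the column the slide refers to when it says the authentication protocol "relates to the password versions stored in the DB": an account listed as "10G" only has a DES verifier, which is the case the earlier hash-cracking slide warns about.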
CONSIDER SECURE APPLICATION DESIGN
• Secure application design would include separate schemas for:
– Data, Code, Access (users)
• Implement data & code separation using:
– Fully qualified object references
– Private synonyms
– Promotes a “least privilege” model
• Data schemas (with full DML) can be LOCKED!
– If not, there is always a risk
CONSIDER SECURE APPLICATION DESIGN
• Even more secure if all data interaction is through PL/SQL objects (APIs)?
– Controls use of object privileges
– No dynamic SQL
– Use bind variables and/or DBMS_ASSERT to prevent SQL injection:
Source: https://en.wikipedia.org/wiki/SQL_injection
CONSIDER SECURE APPLICATION DESIGN
(Slide diagram: three schemas)
– Data Holding Schema: locked
– Code Schema: locked
– Users: open
Properties noted on the diagram:
✓ Can’t perform DDL on tables or code
✓ Can’t perform ad-hoc queries
✓ Can’t perform DDL on base tables
✓ Sanitize inputs with DBMS_ASSERT
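The three-schema layout from the slides above, as an added example that is not code from the deck: a locked data-holding schema, a locked code schema exposing a PL/SQL API, and an open user account that only holds EXECUTE on that API through a private synonym. The API shows the dynamic-SQL concatenation the slides warn against next to the bind-variable and DBMS_ASSERT forms. Schema names (APP_DATA, APP_CODE, APP_USER), the CUSTOMERS table and the tablespace are assumptions.

```sql
-- Added example (not from the original deck). Run as a DBA.

-- Data-holding schema: owns the tables, never logs in.
CREATE USER app_data IDENTIFIED BY "<set-once-then-forget>"
    DEFAULT TABLESPACE users QUOTA UNLIMITED ON users ACCOUNT LOCK;
CREATE TABLE app_data.customers (
    cust_id  NUMBER        PRIMARY KEY,
    name     VARCHAR2(100) NOT NULL,
    ssn      VARCHAR2(11));

-- Code schema: owns the API and only the object privileges the API needs.
CREATE USER app_code IDENTIFIED BY "<set-once-then-forget>" ACCOUNT LOCK;
GRANT CREATE PROCEDURE TO app_code;
GRANT SELECT, INSERT, UPDATE ON app_data.customers TO app_code;

CREATE OR REPLACE PACKAGE app_code.customer_api AS
    PROCEDURE find_by_name_unsafe (p_name IN VARCHAR2, p_out OUT SYS_REFCURSOR);
    PROCEDURE find_by_name        (p_name IN VARCHAR2, p_out OUT SYS_REFCURSOR);
    PROCEDURE count_rows          (p_table IN VARCHAR2, p_count OUT NUMBER);
END customer_api;
/
CREATE OR REPLACE PACKAGE BODY app_code.customer_api AS
    -- UNSAFE: the caller's value becomes part of the statement text, so a
    -- quote character in p_name rewrites the WHERE clause. Shown only for
    -- contrast with the two procedures below; do not deploy.
    PROCEDURE find_by_name_unsafe (p_name IN VARCHAR2, p_out OUT SYS_REFCURSOR) IS
    BEGIN
        OPEN p_out FOR
            'SELECT cust_id, name FROM app_data.customers WHERE name = ''' || p_name || '''';
    END;

    -- SAFE: static SQL, the value is a bind; quotes in p_name are just data.
    PROCEDURE find_by_name (p_name IN VARCHAR2, p_out OUT SYS_REFCURSOR) IS
    BEGIN
        OPEN p_out FOR
            SELECT cust_id, name FROM app_data.customers WHERE name = p_name;
    END;

    -- When an identifier really must be dynamic, validate it with DBMS_ASSERT:
    -- SIMPLE_SQL_NAME raises ORA-44003 on anything that is not a plain
    -- identifier, ENQUOTE_NAME then quotes it so it is used as a name only.
    PROCEDURE count_rows (p_table IN VARCHAR2, p_count OUT NUMBER) IS
        l_tab VARCHAR2(130);
    BEGIN
        l_tab := DBMS_ASSERT.ENQUOTE_NAME(DBMS_ASSERT.SIMPLE_SQL_NAME(p_table));
        EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM app_data.' || l_tab INTO p_count;
    END;
END customer_api;
/

-- Access schema: the account the application connects as. No table
-- privileges at all; it reaches the API through a private synonym.
CREATE USER app_user IDENTIFIED BY "<application-password>";
GRANT CREATE SESSION TO app_user;
GRANT EXECUTE ON app_code.customer_api TO app_user;
CREATE SYNONYM app_user.customer_api FOR app_code.customer_api;

-- Checks: APP_CODE should be the only grantee on APP_DATA objects, and the
-- two owning schemas should stay LOCKED.
SELECT grantee, privilege, table_name
  FROM dba_tab_privs
 WHERE owner = 'APP_DATA'
 ORDER BY grantee, table_name;

SELECT username, account_status
  FROM dba_users
 WHERE username IN ('APP_DATA', 'APP_CODE', 'APP_USER');
```

Because the package runs with definer's rights, APP_USER can only touch CUSTOMERS through these three entry points; an ad-hoc TOAD or SQL*Plus session as APP_USER has nothing to SELECT from, which is the "application bypass" problem the next slides pick up.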
USE ROLE SECURITY
• Can be a solution to try to prevent “application bypass”
– TOAD / SQL Developer / SQLPLUS connections
• Typically protect with a password or a package:
USE ROLE SECURITY
• Activate password protected roles:
• Limitations of password protected roles:
– Passwords sent as clear text through SQLNET
– Pre-11.2.0.4: bypass through nesting:
(Slide callout: test if using an old version)
USE ROLE SECURITY
• Application roles:
– Authentication logic resides in PL/SQL package
• Must use “invoker’s rights”
• Must include one or more security checks (e.g. using SYS_CONTEXT properties)
• Must issue SET ROLE or DBMS_SESSION.SET_ROLE
• After granting, manually change to not be a “default role” – otherwise logic is bypassed!
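An application role built exactly along the four requirements above, as an added example that is not code from the deck: invoker's-rights package, SYS_CONTEXT checks, DBMS_SESSION.SET_ROLE, and the role removed from the user's default roles. It assumes the APP_CODE, APP_DATA (with a CUSTOMERS table) and APP_USER accounts; the role name APP_RW_ROLE, the expected MODULE value "ORDERAPP" and the 10.20.30.x application subnet are constructed.

```sql
-- Added example (not from the original deck). Run as a DBA.

-- Invoker's rights is mandatory: SET ROLE must act on the caller's session,
-- not on the package owner's.
CREATE OR REPLACE PACKAGE app_code.app_role_auth AUTHID CURRENT_USER AS
    PROCEDURE enable_app_role;
END app_role_auth;
/
CREATE OR REPLACE PACKAGE BODY app_code.app_role_auth AS
    PROCEDURE enable_app_role IS
        l_module VARCHAR2(64) := SYS_CONTEXT('USERENV', 'MODULE');
        l_ip     VARCHAR2(64) := SYS_CONTEXT('USERENV', 'IP_ADDRESS');
        l_proto  VARCHAR2(64) := NVL(SYS_CONTEXT('USERENV', 'NETWORK_PROTOCOL'), 'none');
    BEGIN
        -- Only the application tier, from its own subnet, over TCP.
        -- MODULE is set by the client and is easy to fake on its own; the
        -- IP and protocol checks (and valid node checking at the listener)
        -- are what give the test any teeth.
        IF NVL(l_module, '?') <> 'ORDERAPP'
           OR NVL(l_ip, '?') NOT LIKE '10.20.30.%'
           OR l_proto <> 'tcp' THEN
            raise_application_error(-20101,
                'Application role not available from this connection context');
        END IF;
        -- SET_ROLE enables exactly the roles listed and disables every other
        -- role in the session; list any roles the session must keep.
        DBMS_SESSION.SET_ROLE('APP_RW_ROLE');
    END enable_app_role;
END app_role_auth;
/

-- The role can only be enabled through that package
CREATE ROLE app_rw_role IDENTIFIED USING app_code.app_role_auth;
GRANT SELECT, INSERT, UPDATE ON app_data.customers TO app_rw_role;

GRANT EXECUTE ON app_code.app_role_auth TO app_user;
GRANT app_rw_role TO app_user;

-- The step the slide flags: if the role stays a default role it is enabled
-- at logon and the package is never consulted.
ALTER USER app_user DEFAULT ROLE ALL EXCEPT app_rw_role;

-- Checks: the role must show DEFAULT_ROLE = NO for every grantee, and its
-- authentication type must be APPLICATION.
SELECT grantee, granted_role, default_role
  FROM dba_role_privs
 WHERE granted_role = 'APP_RW_ROLE';

SELECT role, password_required, authentication_type
  FROM dba_roles
 WHERE role = 'APP_RW_ROLE';
```

The application calls app_code.app_role_auth.enable_app_role right after connecting; an ad-hoc tool connecting as APP_USER from a desktop gets only the default roles and the ORA-20101 if it tries.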
LISTENER PROTECTION
• Valid Node Checking
– Provides basic firewall functionality
– Only allow connections from authorized application servers and DBA desktops
• Prevent “application bypassing”
– Prevent connections from unauthorized servers
• From TEST/DEV/QA to PROD
• Through DB links after refreshes
(Slide callout: RISK!)
LISTENER PROTECTION
• DB Link Risk:
(Slide diagram: PROD1 → DB link → PROD2; DEV1, an RMAN clone of PROD1, still carries a DB link → PROD2)
DB links and passwords should be adjusted after an RMAN duplicate but often are missed.
LISTENER PROTECTION
• Valid Node Checking implementation:
– Three parameters in server’s sqlnet.ora:
– Can’t use hostname or IP ranges (no wildcards)
– “invited” and “excluded” are mutually exclusive
LISTENER PROTECTION
• Protect the database from a connection storm through listener parameters:
– RATE_LIMIT
– CONNECTION_RATE_<listener>
• But there are still risks:
– TNS connections can bypass the listener and connect directly to dispatchers (if the port is discovered)!
• Check the default shared-server initialization parameters (“DISPATCHERS”)
(Slide callout: XDB!)
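The two listener-side controls from the preceding slides, valid node checking and connection rate limiting, as an added configuration example that is not from the deck. Host names, addresses and the listener name are constructed placeholders; the comments state the behaviour the parameters have, not a recommended address list.

```ini
# --- sqlnet.ora on the database server (read by the listener) ---
# Added example, not from the original deck. Addresses are constructed.
TCP.VALIDNODE_CHECKING = YES

# One entry per host: an IP address or a resolvable host name. 11g accepts
# no ranges or wildcards here, so list each application server and the
# DBA jump host individually.
TCP.INVITED_NODES = (10.20.30.11, 10.20.30.12, dbajump.corp.example)

# Do not set TCP.EXCLUDED_NODES as well: when both are present the listener
# honours INVITED_NODES and the exclusion list is ignored.
# TCP.EXCLUDED_NODES = (...)

# --- listener.ora on the same server ---
# Global cap for this listener: at most 10 new connections per second.
# Connections beyond that wait rather than being refused.
CONNECTION_RATE_LISTENER = 10

LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      # RATE_LIMIT=YES puts this endpoint under the CONNECTION_RATE cap
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.corp.example)(PORT = 1521)(RATE_LIMIT = YES))
    )
  )
```

Both files are read when the listener starts, so follow a change with `lsnrctl reload` (or a restart) and confirm with a connection attempt from a host that is not on the list, which should fail with ORA-12537. The remaining gap the slide points at is separate from the listener: `SELECT name, network FROM v$dispatcher;` shows whether shared-server or XDB dispatchers are listening on ports of their own, which valid node checking does not cover.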
PROTECT AT THE OS LEVEL
• If someone can copy the .DMP and RMAN backup files they have everything!
– What if backed up to remote device / NFS share?
(Screenshot annotations: make sure owner and group are correct; make sure file permissions are limited)
PROTECT AT THE OS LEVEL
• Tools can extract data right out of DBF files:
(Screenshot annotations: make sure group is correct and membership is limited; ensure (o)thers have no permissions)
USE PROXY AUTHENTICATED CONNECTIONS
• DBA & Developers don’t need to know any schema passwords (e.g. application schema passwords)
• Use “Proxy Authenticated Connections”
– “Connect as specified schema using your own credentials”
• Example:
USE PROXY AUTHENTICATED CONNECTIONS
• Viewing configuration:
• Viewing active connections:
USE PROXY AUTHENTICATED CONNECTIONS
• DBA_AUDIT_SESSION:
• DBA_AUDIT_TRAIL:
USE PROXY AUTHENTICATED CONNECTIONS
• Advantages:
– Proxy authenticated connections provide more functionality than “ALTER SESSION SET CURRENT_SCHEMA …”
– Works with most tools and utilities (including wallets)
– Works with JDBC thin connections
– All access individualized for audit
– Easier off-boarding of DBA / Dev staff:
• Those who no longer work here yet still know the password because it hasn’t changed!
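The proxy-authentication setup, the configuration and audit views the slides above refer to, and the off-boarding step, as one added example that is not code from the deck. The personal account SPANE, the target schema APP_DATA and the role APP_RW_ROLE are assumptions; the connect strings in the comments are the standard SQL*Plus syntax.

```sql
-- Added example (not from the original deck). Run as a DBA.

-- A personal, individually audited account; its own password (or a wallet
-- entry / external authentication), never the schema's.
CREATE USER spane IDENTIFIED BY "<personal-password>";
GRANT CREATE SESSION TO spane;

-- Let SPANE connect as APP_DATA. The WITH ROLE form limits the proxied
-- session to one role instead of everything the schema owner can do.
ALTER USER app_data GRANT CONNECT THROUGH spane;
-- ALTER USER app_data GRANT CONNECT THROUGH spane WITH ROLE app_rw_role;

-- Connecting (SQL*Plus; JDBC thin and most tools accept the same form):
--   sqlplus spane[app_data]/<personal-password>@db1
-- With a Secure External Password Store entry for SPANE, no password at all:
--   sqlplus [app_data]/@db1

-- Inside such a session APP_DATA is the session user and SPANE the proxy;
-- PROXY_USER is NULL for a direct logon.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER') AS session_user,
       SYS_CONTEXT('USERENV', 'PROXY_USER')   AS proxy_user
  FROM dual;

-- Viewing configuration: who may proxy as what, and with which role
SELECT *
  FROM proxy_users
 ORDER BY client, proxy;

-- Audit: with session auditing on, a proxied logon is recorded for the
-- proxy user as well as for the target schema, so APP_DATA activity is
-- attributable to a person (traditional audit trail, pre-unified auditing).
AUDIT SESSION BY app_data, spane;

SELECT timestamp, username, os_username, userhost, action_name,
       proxy_sessionid, comment_text
  FROM dba_audit_session
 WHERE username IN ('APP_DATA', 'SPANE')
 ORDER BY timestamp DESC;

-- Off-boarding: revoke the proxy and drop the personal account. The
-- APP_DATA password never has to be rotated because nobody ever had it.
ALTER USER app_data REVOKE CONNECT THROUGH spane;
DROP USER spane;
```

The last two statements are the point of the advantage slide: the schema password is a secret nobody needs to know, so leaving staff take nothing with them.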
ORACLE DATABASE 12C SPECIFIC
ORACLE DATABASE 12C SPECIFIC
• Last login time is now recorded:
– In catalog table: sys.user$.spare6
– Also displayed in DBA_USERS.LAST_LOGIN
ORACLE DATABASE 12C SPECIFIC
• New “READ” and “READ ANY TABLE” privileges
– Gives grantee “query only” (12c Release 1: 12.1.0.2)
– Does not provide:
• “LOCK TABLE … ”
• “SELECT … FOR UPDATE ”
– Source: http://docs.oracle.com/database/121/DBSEG/authorization.htm#CACGJAAH
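An added example (not code from the deck) covering the two 12c items above: the LAST_LOGIN column used to find dormant open accounts, and a query-only role built on READ rather than SELECT. The role REPORTING_RO is an assumption and HR.EMPLOYEES is the Oracle sample schema table; the 90-day threshold is a constructed choice.

```sql
-- Added example (not from the original deck). Requires 12.1.0.2 for READ.

-- Dormant accounts: open, not Oracle-supplied, and either never logged in
-- or not logged in for 90 days. LAST_LOGIN is NULL for accounts that have
-- not logged in since the upgrade to 12c, hence the NULLS FIRST.
SELECT username, account_status, created, last_login
  FROM dba_users
 WHERE oracle_maintained = 'N'
   AND account_status    = 'OPEN'
   AND (last_login IS NULL OR last_login < SYSTIMESTAMP - INTERVAL '90' DAY)
 ORDER BY last_login NULLS FIRST, username;

-- Query-only role: READ lets the grantee SELECT but not lock rows.
CREATE ROLE reporting_ro;
GRANT READ ON hr.employees TO reporting_ro;
-- For a database-wide reporting account prefer READ ANY TABLE over
-- SELECT ANY TABLE for the same reason:
-- GRANT READ ANY TABLE TO reporting_ro;

-- Behaviour seen from a session that holds only REPORTING_RO:
--   SELECT * FROM hr.employees;                  works
--   SELECT * FROM hr.employees FOR UPDATE;       ORA-01031: insufficient privileges
--   LOCK TABLE hr.employees IN EXCLUSIVE MODE;   ORA-01031: insufficient privileges
-- With SELECT instead of READ all three succeed, and the last two let a
-- "read-only" reporting user block application writers.

-- Review: grantees that still hold SELECT where READ would do
SELECT grantee, owner, table_name, privilege
  FROM dba_tab_privs
 WHERE owner = 'HR'
   AND privilege IN ('SELECT', 'READ')
 ORDER BY grantee, table_name, privilege;
```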
ORACLE DATABASE 12C SPECIFIC
• Network encryption no longer part of ASO
– Source: http://docs.oracle.com/database/121/DBLIC/editions.htm
• Backported to 11gR2:
– Source: http://docs.oracle.com/cd/E11882_01/license.112/e47877/options.htm#DBLIC143
ORACLE DATABASE 12C SPECIFIC
• Network encryption can be as simple as two parameters in the sqlnet.ora file:
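The sqlnet.ora fragment the slide refers to, as an added configuration example that is not from the deck. The first two lines are the "two parameters"; the checksum pair is an addition that gives integrity protection, which encryption alone does not. Algorithm lists are illustrative; SHA256 as a checksum type is available from 12c.

```ini
# --- sqlnet.ora on the database server (added example, not from the deck) ---
# REQUIRED: refuse any client that will not negotiate encryption. A client
# configured with REJECTED fails to connect instead of silently falling
# back to clear text.
SQLNET.ENCRYPTION_SERVER = REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256, AES192, AES128)

# Integrity: without this the payload is encrypted but not tamper-evident.
SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA256, SHA1)

# --- sqlnet.ora on a client (optional once the server says REQUIRED) ---
# REQUESTED lets the same client also reach databases that have not been
# configured yet; use REQUIRED on the client to make clear text impossible.
SQLNET.ENCRYPTION_CLIENT = REQUESTED
SQLNET.ENCRYPTION_TYPES_CLIENT = (AES256, AES192, AES128)
SQLNET.CRYPTO_CHECKSUM_CLIENT = REQUESTED
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT = (SHA256, SHA1)
```

To confirm it is in effect for a session rather than trusting the file, query `V$SESSION_CONNECT_INFO` for that session's SID: the NETWORK_SERVICE_BANNER rows name the encryption and checksum algorithms in use. This is the setting that turns the Wireshark capture from the earlier slides into ciphertext, and since the earlier slide notes it is no longer part of ASO (and was backported to 11gR2), it applies to Standard Edition as well.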
ORACLE DATABASE 12C SPECIFIC
• New Windows Service Owner:
WRAP UP!
SUMMARY
• Think about DBA and Developer processes:
– Don’t just focus on profiles and object privileges
• Think outside of the database
– Protecting backups can be just as important
– Consider the network and data in-flight
SUMMARY
• Understand the capabilities of the products you already have:
– Consider new features and changes between versions / releases
– Explore features and functions that you may not be very familiar with
• Continuous Improvement:
– Modernize & evolve both the technology and process
• As technology changes
• As business needs change
• As technical requirements change
THANKS AND Q&A
pane@pythian.com
1-877-PYTHIAN
http://www.Pythian.com/blog
http://is.gd/PythianFacebook
@Pythian
http://linkedin.com/company/Pythian
Don’t forget evaluations!
Get Published in IOUG SELECT Journal
Quarterly journal of peer-reviewed technical articles and news published by the Independent Oracle Users Group
We are always looking for new authors, interested?
– Technical Tip – ~500 words
– Column – ~500 – 1000 words
– Technical Article – ~1500 – 2500 words
– Blog posting – ~500 – 2500 words
Visit http://ioug.org/select for more information.
Questions? select@ioug.org
IOUG Members have unlimited access to the current and archives of SELECT Journal, including more than 3,000 papers and presentations in the IOUG Library
Earn an #IOUGenius Certificate
Demonstrate the skills you’ve gained at COLLABORATE 16
How to Earn Your Certificate
1. Choose a certificate that benefits you and your company the most.
2. Search for sessions in the mobile app by using the hashtag #IOUGenius.
3. “Check-in” to 4+ sessions on your mobile app.
4. Email us at speakers@ioug.org to receive your #IOUGenius e-certificate(s).
Visit: collaborate.ioug.org/certificates
• 12c New Features and Upgrades
• Core DBA Skills
• Oracle Enterprise Manager
• Performance
• Securing Your Oracle Database
• Techniques for High Availability
• The Cloud, Options, and Choices
• Understanding Big Data, Tools, and Techniques
• WebCenter Strategies and Best Practices

 
MySQL Day Paris 2016 - MySQL Enterprise Edition
MySQL Day Paris 2016 - MySQL Enterprise EditionMySQL Day Paris 2016 - MySQL Enterprise Edition
MySQL Day Paris 2016 - MySQL Enterprise Edition
 
MySQL Security
MySQL SecurityMySQL Security
MySQL Security
 
Protect Sensitive Data: Implementing Fine-Grained Access Control in Oracle
Protect Sensitive Data: Implementing Fine-Grained Access Control in OracleProtect Sensitive Data: Implementing Fine-Grained Access Control in Oracle
Protect Sensitive Data: Implementing Fine-Grained Access Control in Oracle
 
Provisioning with Oracle Cloud Stack Manager
Provisioning with Oracle Cloud Stack ManagerProvisioning with Oracle Cloud Stack Manager
Provisioning with Oracle Cloud Stack Manager
 
Hitchhiker's Guide to free Oracle tuning tools
Hitchhiker's Guide to free Oracle tuning toolsHitchhiker's Guide to free Oracle tuning tools
Hitchhiker's Guide to free Oracle tuning tools
 

Mais de Pythian

Pythian Analytics-as-a-Service on Google Cloud Platform - Technical Overview
Pythian Analytics-as-a-Service on Google Cloud Platform - Technical OverviewPythian Analytics-as-a-Service on Google Cloud Platform - Technical Overview
Pythian Analytics-as-a-Service on Google Cloud Platform - Technical OverviewPythian
 
Why You Will Love Working at Pythian
Why You Will Love Working at PythianWhy You Will Love Working at Pythian
Why You Will Love Working at PythianPythian
 
London SQL Meetup - Alex Lovell-Troy, April 24 2016
London SQL Meetup - Alex Lovell-Troy, April 24 2016London SQL Meetup - Alex Lovell-Troy, April 24 2016
London SQL Meetup - Alex Lovell-Troy, April 24 2016Pythian
 
Tour of Data Platforms as a Service - Pythian's Christo Kutrovsky at Cloud Ex...
Tour of Data Platforms as a Service - Pythian's Christo Kutrovsky at Cloud Ex...Tour of Data Platforms as a Service - Pythian's Christo Kutrovsky at Cloud Ex...
Tour of Data Platforms as a Service - Pythian's Christo Kutrovsky at Cloud Ex...Pythian
 
Considerations for Moving a Database to the Public Cloud - Pythian's Chris Pr...
Considerations for Moving a Database to the Public Cloud - Pythian's Chris Pr...Considerations for Moving a Database to the Public Cloud - Pythian's Chris Pr...
Considerations for Moving a Database to the Public Cloud - Pythian's Chris Pr...Pythian
 
Why work for Pythian?
Why work for Pythian?Why work for Pythian?
Why work for Pythian?Pythian
 

Mais de Pythian (6)

Pythian Analytics-as-a-Service on Google Cloud Platform - Technical Overview
Pythian Analytics-as-a-Service on Google Cloud Platform - Technical OverviewPythian Analytics-as-a-Service on Google Cloud Platform - Technical Overview
Pythian Analytics-as-a-Service on Google Cloud Platform - Technical Overview
 
Why You Will Love Working at Pythian
Why You Will Love Working at PythianWhy You Will Love Working at Pythian
Why You Will Love Working at Pythian
 
London SQL Meetup - Alex Lovell-Troy, April 24 2016
London SQL Meetup - Alex Lovell-Troy, April 24 2016London SQL Meetup - Alex Lovell-Troy, April 24 2016
London SQL Meetup - Alex Lovell-Troy, April 24 2016
 
Tour of Data Platforms as a Service - Pythian's Christo Kutrovsky at Cloud Ex...
Tour of Data Platforms as a Service - Pythian's Christo Kutrovsky at Cloud Ex...Tour of Data Platforms as a Service - Pythian's Christo Kutrovsky at Cloud Ex...
Tour of Data Platforms as a Service - Pythian's Christo Kutrovsky at Cloud Ex...
 
Considerations for Moving a Database to the Public Cloud - Pythian's Chris Pr...
Considerations for Moving a Database to the Public Cloud - Pythian's Chris Pr...Considerations for Moving a Database to the Public Cloud - Pythian's Chris Pr...
Considerations for Moving a Database to the Public Cloud - Pythian's Chris Pr...
 
Why work for Pythian?
Why work for Pythian?Why work for Pythian?
Why work for Pythian?
 

Último

IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UbiTrack UK
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPathCommunity
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Brian Pichman
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URLRuncy Oommen
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesDavid Newbury
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding TeamAdam Moalla
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfinfogdgmi
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemAsko Soukka
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsSeth Reyes
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?IES VE
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxMatsuo Lab
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaborationbruanjhuli
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXTarek Kalaji
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1DianaGray10
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Websitedgelyza
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6DianaGray10
 

Último (20)

IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystem
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBX
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 

Oracle Database Security: Top 10 Things You Could & Should Be Doing Differently

AGENDA
• “Top 10”
– Applies to Standard Edition & Enterprise Edition
– Various releases: 10g, 11g, 12c
• Bonus: Oracle Database 12c specific features
• The take away: tips, suggestions, cautions!
AVOID CLEAR TEXT PASSWORD IN SQLNET
• Authentication is automatically encrypted - other commands are not!
• Never use “… identified by …” through SQLNET
– What about our tools?
• Use the “password” command instead
– This command does encrypt the password in flight
• Easy for a DBA to trace:
• Easy for anyone else on the network to trace
– Network sniffers (i.e. WireShark)
• Resulting trace file:
• Using $ORACLE_HOME/bin/trcasst: (11g)
– (12c Bug!)
• What about if you’re going through a public network?
– Or between services in a public cloud?
• From Amazon RDS documentation:
• Wireshark to AWS with VPC security group:
• Better method (AWS RDS using SQL Developer):
• Or ensure network encryption / VPN / IPSEC
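A check that follows from the slides above, added here as an example (it is not code from the deck or from Pythian): scan the SQL scripts a team keeps around for “… IDENTIFIED BY …” statements, which put the new password on the wire in clear text when run through SQL*Net, so they can be replaced with the SQL*Plus PASSWORD command. The script names, user names and sample passwords are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the Pythian deck: find SQL scripts that would send a
# clear-text password across SQL*Net through "... IDENTIFIED BY ...".
# Such resets belong in the SQL*Plus PASSWORD command (encrypted in flight) or
# behind a wallet. The two scripts written below are constructed for the demo.

# scan_identified_by FILE...
#   prints "file:line:text" for every clear-text IDENTIFIED BY it finds and
#   returns 1 when there was at least one; returns 0 when every file is clean.
scan_identified_by() {
    found=0
    for f in "$@"; do
        # IDENTIFIED BY <password> is the problem. IDENTIFIED BY VALUES '<hash>'
        # is skipped here (it exposes the hash instead, see the next slides),
        # and IDENTIFIED EXTERNALLY / GLOBALLY never match: no secret in the text.
        hits=$(grep -n -i -E 'identified[[:space:]]+by[[:space:]]+' "$f" \
               | grep -v -i -E 'identified[[:space:]]+by[[:space:]]+values' || true)
        if [ -n "$hits" ]; then
            found=1
            printf '%s\n' "$hits" | sed "s|^|$f:|"
        fi
    done
    return $found
}

# count_identified_by FILE... -> number of offending lines, for scripting
count_identified_by() { scan_identified_by "$@" | wc -l | tr -d ' '; }

# --- constructed demo scripts ---
demo_dir=$(mktemp -d)
cat > "$demo_dir/bad_reset.sql" <<'EOF'
-- resets done this way put the new password on the wire in clear text
ALTER USER app_ro IDENTIFIED BY Welcome1;
CREATE USER reporter IDENTIFIED BY "S3cret!" DEFAULT TABLESPACE users;
-- hash form: not clear text, but the hash itself now sits in a script file
ALTER USER legacy IDENTIFIED BY VALUES 'S:PLACEHOLDER_NOT_A_REAL_HASH';
EOF
cat > "$demo_dir/ok_reset.sql" <<'EOF'
-- external authentication: nothing secret in the statement
CREATE USER ops_svc IDENTIFIED EXTERNALLY;
-- SQL*Plus PASSWORD command: prompts for the new value and encrypts it in flight
PASSWORD app_ro
EOF

scan_identified_by "$demo_dir"/*.sql \
    || echo "clear-text passwords found: replace with PASSWORD or a wallet"
```

Run it against the directories that hold DBA utility scripts and application release scripts; the IDENTIFIED BY VALUES form is deliberately left out of the count because it is a hash-exposure problem rather than a clear-text one, and is dealt with under the next slides.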
PROTECT PASSWORD HASH VALUES & SALTS
• Easy to crack offline (particularly old 10g DES hashes)
• Protect network traffic:
– “Oracle Network Encryption” or other tunneling software
– Exposures pre-11.2.0.4 - see CVE-2012-3137
• fixed OCT2012 PSU
• Protect and audit in the catalog:
– SYS.USER$ and SYS.USER_HISTORY$
– SYS.USER$.SPARE4 includes the salt
• Force complexity:
– Use a password-verification function and profiles
• Never post hashes into documentation or ticket system: (Don’t Do!)
AVOID PASSWORDS IN SCRIPT VARIABLES
• Don’t put passwords into script variables:
– Variables can be exposed in diagnostic dumps
– Also shouldn’t ever need to “export” variables!!
• Scripting mistake:
• Listener dump:
• Variables are in: /proc/${pmon pid}/environ
• And RMAN script when running:
• Better solution: “Secure External Password Store”
– Doesn’t negate “/ as sysdba” connections
– Compatible with SQLNET.AUTHENTICATION_SERVICES=NONE
• “Secure External Password Store” usage:
• “Secure External Password Store”:
– Bug with the -auto_login_local option (12.1.0.2 Bug!)
• Works in 11.2.0.4 and 12.1.0.1 but not 12.1.0.2
• May need to remediate scripts anyway
– For compliance or PDB (service) compatibility
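An added example for the two points above (not the slides’ screenshots, and not code from Pythian): first a check that reads a process environment in the same NUL-separated layout as /proc/<pid>/environ and reports the names of variables that look like they carry a password, then the Secure External Password Store set-up the deck recommends instead, using the standard mkstore tool. The environment file, variable names, wallet path, TNS alias and user name are constructed for the demonstration; the wallet function only runs where an Oracle client home provides mkstore.

```shell
#!/bin/sh
# Added example, not from the Pythian deck. Part 1 checks a process environment
# (same NUL-separated layout as /proc/<pid>/environ; a constructed sample is
# written below) for variables whose names suggest they carry a password.
# Part 2 is the Secure External Password Store set-up the deck recommends
# instead; wallet path, TNS alias and user name are assumed values.

# list_password_vars ENVIRON_FILE
#   prints the NAMES of suspicious variables (never their values) and
#   returns 1 when any were found, 0 when the environment looks clean.
list_password_vars() {
    names=$(tr '\000' '\n' < "$1" \
            | cut -d= -f1 \
            | grep -i -E 'pass|pwd|secret|cred' || true)
    if [ -n "$names" ]; then
        printf '%s\n' "$names"
        return 1
    fi
    return 0
}

# check_pmon_environ ORACLE_SID
#   the same check against a live instance: everything exported in the shell
#   that started it is readable here (Linux, needs access to /proc/<pid>).
check_pmon_environ() {
    pid=$(pgrep -f "ora_pmon_$1" | head -n 1)
    [ -n "$pid" ] || { echo "no pmon process for $1" >&2; return 2; }
    list_password_vars "/proc/$pid/environ"
}

# wallet_sqlnet_fragment WALLET_DIR
#   prints the two sqlnet.ora entries that make clients use the wallet.
wallet_sqlnet_fragment() {
    cat <<EOF
WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = $1)))
SQLNET.WALLET_OVERRIDE = TRUE
EOF
}

# setup_wallet WALLET_DIR TNS_ALIAS DB_USER
#   creates the wallet and stores the credential. mkstore prompts for the
#   wallet password and the database password, so neither passes through a
#   variable or the command line. Scripts then connect with: sqlplus /@TNS_ALIAS
#   (the deck notes -auto_login_local wallets misbehave on 12.1.0.2; mkstore
#   -create writes a plain auto-login wallet, which is not affected).
setup_wallet() {
    command -v mkstore >/dev/null 2>&1 \
        || { echo "mkstore not found (needs an Oracle client home)" >&2; return 2; }
    mkdir -p "$1" && chmod 700 "$1"
    mkstore -wrl "$1" -create
    mkstore -wrl "$1" -createCredential "$2" "$3"
    wallet_sqlnet_fragment "$1"
}

# --- constructed demo environment (values are placeholders, not secrets) ---
demo_env=$(mktemp)
printf 'ORACLE_SID=PROD1\000ORACLE_HOME=/u01/app/oracle/product/12.1.0.2/dbhome_1\000DB_PASS=constructed-not-a-real-secret\000RMAN_PWD=constructed\000PATH=/usr/bin\000' > "$demo_env"
clean_env=$(mktemp)
printf 'ORACLE_SID=PROD1\000PATH=/usr/bin\000' > "$clean_env"

list_password_vars "$demo_env" || echo "password-bearing variables above: move them to a wallet"
```

The live check deliberately prints variable names only, so its output can go into a ticket without repeating the mistake the next slide warns about; the wallet directory should stay readable by the Oracle software owner alone, which is what the chmod 700 enforces.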
USE THE SCHEDULER
• CRON scripts often run .SQL files
– Monitoring jobs
– Application jobs
– Backup jobs
• How are the DB credentials for those secured?
– Why schedule from the CRON and then have to worry about DB credentials?
• Can also use to run OS scripts ( .sh or .cmd )
– OS security context for non-SYS jobs to use when running external jobs is defined in: $ORACLE_HOME/rdbms/admin/externaljob.ora
– Be careful this doesn’t become an OS-injection risk
• The program being run could be “sh”
• Actual OS commands could be the arguments
• Default UNIX settings in externaljob.ora:
run_user = nobody
run_group = nobody
• Be cautious if changing to a more powerful account (OS injection as “oracle”):
run_user = oracle
run_group = dba
• Windows adds the service: OracleJobScheduler<ORACLE_SID>
– Service ownership defaults to LocalSystem (11g)
– Change to a low level user or disable (default)
– This service runs non-SYS scheduler jobs
• Scheduler best practices:
1. Use a dedicated least-privileged DB user/credential
2. Use a dedicated least-privileged OS user/credential
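To turn the externaljob.ora caution and the two best practices into something a DBA can run, here is an added example (not code from the deck or from Pythian): an audit of the externaljob.ora settings and file mode, plus the SQL for a scheduler job that runs a fixed script under a dedicated OS credential. The copies of externaljob.ora, the credential name, the OS user and the script path are constructed for the demonstration; the list of names treated as privileged is an assumption to adapt to the site.

```shell
#!/bin/sh
# Added example, not from the Pythian deck: audit externaljob.ora, the file
# that fixes the OS identity under which non-SYS scheduler jobs run external
# programs. Constructed copies are checked below; on a server point the
# function at $ORACLE_HOME/rdbms/admin/externaljob.ora.

# externaljob_setting FILE KEY -> value of "KEY = value" (comments ignored)
externaljob_setting() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | head -n 1
}

# check_externaljob_ora FILE
#   returns 0 when the job identity is an unprivileged account and the file
#   cannot be changed by group or others; prints each finding and returns 1
#   otherwise. The privileged names below are an assumption for this demo.
check_externaljob_ora() {
    f=$1; rc=0
    user=$(externaljob_setting "$f" run_user)
    group=$(externaljob_setting "$f" run_group)
    case "$user" in
        oracle|root|grid|"") echo "run_user '$user' is privileged or unset"; rc=1 ;;
    esac
    case "$group" in
        dba|oinstall|root|"") echo "run_group '$group' is privileged or unset"; rc=1 ;;
    esac
    # ls mode string, e.g. -rw-r--r--: char 6 = group write, char 9 = other write
    mode=$(ls -l "$f" | cut -c1-10)
    [ "$(printf '%s' "$mode" | cut -c6)" = "-" ] || { echo "group-writable: $mode"; rc=1; }
    [ "$(printf '%s' "$mode" | cut -c9)" = "-" ] || { echo "world-writable: $mode"; rc=1; }
    return $rc
}

# scheduler_job_sql CRED OS_USER SCRIPT
#   SQL for the deck's "dedicated least-privileged OS credential" pattern
#   (12c DBMS_CREDENTIAL; on 11g DBMS_SCHEDULER.CREATE_CREDENTIAL takes the
#   same arguments). The job runs one fixed script, so nothing a caller
#   supplies ever becomes a command line; &os_password makes SQL*Plus prompt.
scheduler_job_sql() {
    cat <<EOF
BEGIN
  DBMS_CREDENTIAL.CREATE_CREDENTIAL(credential_name => '$1',
                                    username        => '$2',
                                    password        => '&os_password');
  DBMS_SCHEDULER.CREATE_JOB(job_name        => 'NIGHTLY_EXPORT',
                            job_type        => 'EXECUTABLE',
                            job_action      => '$3',
                            credential_name => '$1',
                            enabled         => TRUE);
END;
/
EOF
}

# --- constructed demo files ---
demo=$(mktemp -d)
cat > "$demo/externaljob.ora" <<'EOF'
# constructed copy of the shipped defaults
run_user = nobody
run_group = nobody
EOF
chmod 644 "$demo/externaljob.ora"
cat > "$demo/externaljob_risky.ora" <<'EOF'
# a "convenient" change: every external job now runs as the software owner
run_user = oracle
run_group = dba
EOF
chmod 664 "$demo/externaljob_risky.ora"

check_externaljob_ora "$demo/externaljob_risky.ora" || echo "fix externaljob.ora before enabling external jobs"
scheduler_job_sql OPS_CRED opsjob /u01/app/jobs/nightly_export.sh
```

Pair the audit with a review of the external jobs themselves (DBA_SCHEDULER_JOBS and their job_action): a job whose action is a shell and whose arguments are the commands is the injection path the slide describes, whatever externaljob.ora says.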
SET SECURITY INITIALIZATION PARAMETERS
• Often overlooked initialization parameters:
SEC_MAX_FAILED_LOGIN_ATTEMPTS
• Not password attempts - client to server process
SEC_PROTOCOL_ERROR_FURTHER_ACTION
• What the server process does when receiving bad packets
SEC_PROTOCOL_ERROR_TRACE_ACTION
• Trace, log, alert, or nothing with bad packets
SEC_RETURN_SERVER_RELEASE_BANNER
• Is the DB version returned to the client
(Changes in 12.1.0.2)
• In SQLNET.ORA pre-12c:
SQLNET.ALLOWED_LOGON_VERSION
• In SQLNET.ORA as of 12c:
SQLNET.ALLOWED_LOGON_VERSION_SERVER
SQLNET.ALLOWED_LOGON_VERSION_CLIENT
• Controls “authentication protocol”:
– i.e. O3L, O4L, O5L, O5L_NP, O7L_MR
– Relates to the password versions stored in the DB
CONSIDER SECURE APPLICATION DESIGN
• Secure application design would include separate schemas for:
– Data - Code - Access (users)
• Implement data & code separation using:
– Fully qualified object references
– Private synonyms
– Promotes a “least privilege” model
• Data schemas (with full DML) can be LOCKED!
– If not, there is always a risk
• Even more secure if all data interaction is through PL/SQL objects (APIs)?
– Controls use of object privileges
– No dynamic SQL
– Use bind variables and/or DBMS_ASSERT to prevent SQL Injection:
(Source: https://en.wikipedia.org/wiki/SQL_injection)
• Diagram: Data Holding Schema (locked) - Code Schema (locked) - Users (open)
✓ Can’t perform DDL on tables or code
✓ Can’t perform ad-hoc queries
✓ Can’t perform DDL on base tables
✓ Sanitize inputs with DBMS_ASSERT
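The “no dynamic SQL, bind variables and/or DBMS_ASSERT” point lends itself to a code-review check. The following is an added example (not code from the deck or from Pythian): a first-pass scan of PL/SQL source for EXECUTE IMMEDIATE or DBMS_SQL.PARSE lines that build the statement by concatenation without a DBMS_ASSERT call, run over a constructed package body that shows both the injectable and the bind-variable form. It looks at single-line statements only; multi-line ones still need a reader.

```shell
#!/bin/sh
# Added example, not from the Pythian deck: a first-pass static check over
# PL/SQL source for dynamic SQL assembled by string concatenation without
# DBMS_ASSERT, next to the bind-variable form that should replace it.
# The package body is constructed for the demo.

# scan_dynamic_sql FILE...
#   prints "file:line:text" for EXECUTE IMMEDIATE / DBMS_SQL.PARSE lines that
#   concatenate (||) without a DBMS_ASSERT call; returns 1 if any were found.
scan_dynamic_sql() {
    found=0
    for f in "$@"; do
        hits=$(grep -n -i -E 'execute[[:space:]]+immediate|dbms_sql\.parse' "$f" \
               | grep -F '||' \
               | grep -v -i 'dbms_assert' || true)
        if [ -n "$hits" ]; then
            found=1
            printf '%s\n' "$hits" | sed "s|^|$f:|"
        fi
    done
    return $found
}

# count_dynamic_sql FILE... -> number of flagged lines
count_dynamic_sql() { scan_dynamic_sql "$@" | wc -l | tr -d ' '; }

# --- constructed package body: lines 6 and 24 are the ones that should be flagged ---
demo=$(mktemp -d)
cat > "$demo/hr_api.pkb" <<'EOF'
CREATE OR REPLACE PACKAGE BODY hr_api AS
  -- (1) injectable: caller-supplied text is glued into the statement
  FUNCTION emp_count_bad(p_dept IN VARCHAR2) RETURN NUMBER IS
    n NUMBER;
  BEGIN
    EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM emp WHERE dept = ''' || p_dept || '''' INTO n;
    RETURN n;
  END;
  -- (2) safe: the value travels as a bind variable, never as SQL text
  FUNCTION emp_count_ok(p_dept IN VARCHAR2) RETURN NUMBER IS
    n NUMBER;
  BEGIN
    EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM emp WHERE dept = :d' INTO n USING p_dept;
    RETURN n;
  END;
  -- (3) identifiers cannot be bound; validate them with DBMS_ASSERT instead
  PROCEDURE truncate_stage(p_table IN VARCHAR2) IS
  BEGIN
    EXECUTE IMMEDIATE 'TRUNCATE TABLE ' || DBMS_ASSERT.SQL_OBJECT_NAME(p_table);
  END;
  -- (4) injectable: identifier concatenated without validation
  PROCEDURE truncate_stage_bad(p_table IN VARCHAR2) IS
  BEGIN
    EXECUTE IMMEDIATE 'TRUNCATE TABLE ' || p_table;
  END;
END hr_api;
/
EOF

scan_dynamic_sql "$demo/hr_api.pkb" || echo "review the flagged statements: bind the value or assert the identifier"
```

Values go through USING as binds; identifiers, which cannot be bound, go through a DBMS_ASSERT function such as SQL_OBJECT_NAME or SIMPLE_SQL_NAME. A DBMS_ASSERT call on the same line is what makes the scanner accept a concatenation, so a sloppy one (asserting the wrong argument) still passes; the scan narrows the review, it does not replace it.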
USE ROLE SECURITY
• Can be a solution to try to prevent “application bypass”
– TOAD / SQL Developer / SQLPLUS connections
• Typically protect with a password or a package:
• Activate password protected roles:
• Limitations of password protected roles:
– Passwords sent as clear-text through SQLNET
– Pre-11.2.0.4: by-pass through nesting (test if using an old version):
• Application roles:
– Authentication logic resides in PL/SQL package
• Must use “invoker’s rights”
• Must include one or more security checks (i.e. using SYS_CONTEXT properties)
• Must issue SET ROLE or DBMS_SESSION.SET_ROLE
• After granting, manually change to not be a “default role” - otherwise logic is bypassed!
LISTENER PROTECTION
• Valid Node Checking
– Provides basic firewall functionality
– Only allow connections from authorized application servers and DBA desktops
• Prevent “application by-passing”
– Prevent connections from un-authorized servers
• From TEST/DEV/QA to PROD
• Through DB links after refreshes (RISK!)
• DB Link Risk:
– Diagram: PROD1 has a DB link to PROD2; DEV1, an RMAN clone of PROD1, comes out of the clone with the same DB link to PROD2
– DB links and passwords should be adjusted after an RMAN duplicate but often are missed
• Valid Node Checking implementation:
– Three parameters in server’s sqlnet.ora:
– Can’t use hostname or IP ranges (no wildcards)
– “invited” and “excluded” are mutually exclusive
• Protect the database from a connection storm through listener parameters:
– RATE_LIMIT
– CONNECTION_RATE_<listener>
• But there are still risks:
– TNS connections can bypass the listener and connect directly to dispatchers (if the port is discovered)!
• Check the default shared server related initialization parameters (“DISPATCHERS”) (XDB!)
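Since the three sqlnet.ora parameters themselves did not survive into the transcript, here is an added example (not the slide’s screenshot, and not code from Pythian) that writes the Valid Node Checking entries and validates an existing sqlnet.ora against the two caveats the slide lists: no wildcards or ranges, and not both an invited and an excluded list. The host names and addresses are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the Pythian deck: write and validate the sqlnet.ora
# entries that implement Valid Node Checking in the listener. Host names and
# addresses are constructed for the demo.

# sqlnet_param FILE NAME -> value of "NAME = value" (first match, case-insensitive;
#   NAME is a basic regex, so dots are passed as "\.")
sqlnet_param() {
    grep -i "^[[:space:]]*$2[[:space:]]*=" "$1" | head -n 1 | sed 's/^[^=]*=[[:space:]]*//'
}

# node_entries VALUE -> one entry per line from "(a, b, c)"
node_entries() {
    printf '%s' "$1" | tr -d '()' | tr ',' '\n' \
        | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' | grep -v '^$' || true
}

# validate_valid_node_config FILE
#   0 when checking is on, exactly one of invited/excluded is set, and every
#   entry is a single host name or address (the slide: no wildcards or ranges).
#   Prints each problem and returns 1 otherwise.
validate_valid_node_config() {
    f=$1; rc=0
    on=$(sqlnet_param "$f" 'tcp\.validnode_checking' | tr 'a-z' 'A-Z')
    [ "$on" = "YES" ] || { echo "TCP.VALIDNODE_CHECKING is '$on', expected YES"; rc=1; }
    inv=$(sqlnet_param "$f" 'tcp\.invited_nodes')
    exc=$(sqlnet_param "$f" 'tcp\.excluded_nodes')
    if [ -n "$inv" ] && [ -n "$exc" ]; then
        echo "TCP.INVITED_NODES and TCP.EXCLUDED_NODES are both set; use one list"; rc=1
    elif [ -z "$inv" ] && [ -z "$exc" ]; then
        echo "no node list: checking is on but nothing is restricted"; rc=1
    fi
    set -f   # entries like 10.10.1.* must not be expanded against the filesystem
    for e in $(node_entries "$inv") $(node_entries "$exc"); do
        case "$e" in
            *'*'*|*/*) echo "entry '$e' is a wildcard or range, not a single host/address"; rc=1 ;;
        esac
    done
    set +f
    return $rc
}

# write_valid_node_sqlnet FILE HOST...
#   appends an invited-list configuration. The database server itself (and
#   every RAC node) must be in the list, or local connections through the
#   listener are refused too; reload the listener (lsnrctl reload) afterwards.
write_valid_node_sqlnet() {
    f=$1; shift
    list=$(printf '%s, ' "$@" | sed 's/, $//')
    cat >> "$f" <<EOF
TCP.VALIDNODE_CHECKING = YES
TCP.INVITED_NODES = ($list)
EOF
}

# --- constructed demo ---
demo_sqlnet=$(mktemp)
write_valid_node_sqlnet "$demo_sqlnet" dbsrv01.example.com 10.10.1.21 appsrv01.example.com 10.10.5.40
cat "$demo_sqlnet"
validate_valid_node_config "$demo_sqlnet" && echo "valid node checking configuration looks consistent"
```

Keep the invited list short and deliberate: the application servers, the DBA desktops (or a jump host) and the database hosts themselves. Everything refreshed from production, in particular DEV/TEST clones that still carry production DB links, stays out, which is exactly the case the DB link slide illustrates.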
PROTECT AT THE OS LEVEL
• If someone can copy the .DMP and RMAN backup files they have everything!
– What if backed up to remote device / NFS share?
– Make sure owner and group is correct
– Make sure file permissions are limited
• Tools can extract data right out of DBF files:
– Make sure group is correct and membership is limited
– Ensure (o)thers have no permissions
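The two permission rules above (right group, nothing for others) are easy to check and enforce mechanically. The following is an added example (not code from the deck or from Pythian): it lists files under a directory tree that grant any permission to others or belong to the wrong group, and a hardening function that strips the others bits. The directory layout and file names are constructed for the demonstration; on a server the same functions are pointed at the datafile, FRA, export and backup locations.

```shell
#!/bin/sh
# Added example, not from the Pythian deck: audit datafile, export and backup
# locations for anything readable by "others" or owned by the wrong group,
# and strip the others bits. The directory below is constructed for the demo.

# file_mode PATH -> ls-style mode string, e.g. -rw-r-----
file_mode() { ls -ld "$1" | cut -c1-10; }
# file_group PATH -> owning group name as ls reports it
file_group() { ls -ld "$1" | awk '{print $4}'; }

# find_exposed_files DIR
#   prints "path mode" for every regular file whose others bits are not ---
find_exposed_files() {
    find "$1" -type f | while IFS= read -r p; do
        m=$(file_mode "$p")
        case "$m" in
            *---) ;;                                  # chars 8-10: nothing for others
            *)    printf '%s %s\n' "$p" "$m" ;;
        esac
    done
}

# find_wrong_group DIR GROUP -> prints "path group" for files not owned by GROUP
find_wrong_group() {
    find "$1" -type f | while IFS= read -r p; do
        g=$(file_group "$p")
        [ "$g" = "$2" ] || printf '%s %s\n' "$p" "$g"
    done
}

# harden_dir DIR [GROUP]
#   removes all others permissions from every file; sets the owning group when
#   one is given (chgrp needs file ownership or root).
harden_dir() {
    find "$1" -type f -exec chmod o-rwx {} +
    [ -z "$2" ] || find "$1" -type f -exec chgrp "$2" {} +
}

# --- constructed demo tree: one datafile, one RMAN piece, one export dump ---
demo=$(mktemp -d)
mkdir -p "$demo/oradata" "$demo/backup"
: > "$demo/oradata/system01.dbf";        chmod 600 "$demo/oradata/system01.dbf"
: > "$demo/backup/full_l0_PROD1.bkp";    chmod 640 "$demo/backup/full_l0_PROD1.bkp"
: > "$demo/backup/hr_export.dmp";        chmod 644 "$demo/backup/hr_export.dmp"

echo "exposed to others:"; find_exposed_files "$demo"
echo "not in group $(file_group "$demo"):"; find_wrong_group "$demo" "$(file_group "$demo")"
```

For the NFS case the slide raises, run the audit on the file server as well as on the database host: uid and gid mapping (root squash, differing group ids) can make a file that looks private from one side readable from the other.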
USE PROXY AUTHENTICATED CONNECTIONS
• DBA & Developers don’t need to know any schema passwords (i.e. application schema passwords)
• Use “Proxy Authenticated Connections”
– “Connect as specified schema using your own credentials”
• Example:
• Viewing configuration:
• Viewing active connections:
• DBA_AUDIT_SESSION:
• DBA_AUDIT_TRAIL:
• Advantages:
– Proxy authenticated connections provide more functionality than “ALTER SESSION SET CURRENT_SCHEMA …”
– Works with most tools and utilities (including wallets)
– Works with JDBC thin connections
– All access individualized for audit
– Easier off-boarding of DBA / Dev staff:
• Who no longer works here yet still knows the password because it hasn’t changed!
ORACLE DATABASE 12C SPECIFIC
• Last login time is now recorded:
– In catalog table: sys.user$.spare6
– Also displayed in DBA_USERS.LAST_LOGIN
• New “READ” and “READ ANY TABLE” privileges
– Gives grantee “query only” (12c Release 1: 12.1.0.2)
– Does not provide:
• “LOCK TABLE … ”
• “SELECT … FOR UPDATE ”
– Source: http://docs.oracle.com/database/121/DBSEG/authorization.htm#CACGJAAH
• Network encryption no longer part of ASO
– Source: http://docs.oracle.com/database/121/DBLIC/editions.htm
• Backported to 11gR2:
– Source: http://docs.oracle.com/cd/E11882_01/license.112/e47877/options.htm#DBLIC143
• Network encryption can be as simple as two parameters in the sqlnet.ora file:
• New Windows Service Owner:
WRAP UP!

SUMMARY
• Think about DBA and Developer processes:
– Don’t just focus on profiles and object privileges
• Think outside of the database
– Protecting backups can be just as important
– Consider the network and data in-flight
• Understand the capabilities of the products you already have:
– Consider new features and changes between versions / releases
– Explore features and functions that you may not be very familiar with
• Continuous Improvement:
– Modernize & evolve both the technology and process
• As technology changes
• As business needs change
• As technical requirements change
Get Published in IOUG SELECT Journal
Quarterly journal of peer-reviewed technical articles and news published by the Independent Oracle Users Group
We are always looking for new authors, interested?
– Technical Tip - ~500 words
– Column - ~500 – 1000 words
– Technical Article - ~1500 – 2500 words
– Blog posting - ~500 – 2500 words
Visit http://ioug.org/select for more information. Questions? select@ioug.org
IOUG Members have unlimited access to the current and archives of SELECT Journal, including more than 3,000 papers and presentations in the IOUG Library

Earn an #IOUGenius Certificate
Demonstrate the skills you’ve gained at COLLABORATE 16
How to Earn Your Certificate
1. Choose a certificate that benefits you and your company the most.
2. Search for sessions in the mobile app by using the hashtag #IOUGenius.
3. “Check-in” to 4+ sessions on your mobile app.
4. Email us at speakers@ioug.org to receive your #IOUGenius e-certificate(s).
Visit: collaborate.ioug.org/certificates
• 12c New Features and Upgrades
• Core DBA Skills
• Oracle Enterprise Manager
• Performance
• Securing Your Oracle Database
• Techniques for High Availability
• The Cloud, Options, and Choices
• Understanding Big Data, Tools, and Techniques
• WebCenter Strategies and Best Practices