Chapter 6. Security and MonitoringUp to this point, this book has primarily focused on getting the database installed and operational. This chapter takes you into the day-to-day business of being an Oracle database administrator. We focus on two important areas of administration here: security and monitoring. 6.1. SecurityOne of your most important responsibilities as a database administrator is the security of the data in your database. You are responsible for ensuring that there is no unauthorized access to the data. Oracle has provided you with many basic features that, when applied properly and in combination, make the process of managing security relatively painless. This section covers the basic security functions of the DBA and the Oracle features that you will use. 6.1.1. Security PolicyBefore you can implement specific features, you must develop a security policy. You, your management, the application support team, and your users have to decide on how open the database and its data will be. This decision depends upon the specifics of the application and the requirements of your organization. Security policies vary widely. We have seen read-only databases where everyone in the company has access to query all data, and we have seen databases so sensitive that all access is through restricted terminals. The following summaries provide lists of questions you will have to answer when establishing your own site's security policy. Later sections contain basic information on how to implement your decisions. 6.1.1.1. User access to the databaseEvery user must connect to the database using an authorized userid and password. Questions you'll have to address include the following:
6.1.1.2. Read sensitivity of the dataBy default, data in a table is only accessible to:
Questions you'll have to address include the following:
6.1.1.3. Write sensitivity of the dataBy default, tables can only be modified by:
In addition to the questions listed above for select access, questions you'll have to address include the following:
6.1.1.4. Audit policyOnce you determine who should have access to the data, you'll need to decide if you want to know who has accessed the data. Decisions you'll need to make include the following:
See Chapter 7, for more information about creating and implementing an audit policy. 6.1.2. Creating UsersEach person accessing the database must have an Oracle userid. While userids are normally created by a DBA, they can be created by anyone who has the CREATE ANY USER system privilege. The usual syntax to create a user is as follows: CREATE USER username IDENTIFIED BY password If you do not specify a default tablespace or a temporary tablespace, Oracle will automatically assign the SYSTEM tablespace. However, you must specify a quota for the default tablespace, or the user will still not be able to create any tables or indexes in the default tablespace. You do not need to specify a quota for the temporary tablespace. See Chapter 13, for the complete CREATE USER syntax.
6.1.3. ProfilesUser profiles were introduced in Oracle7 as a way that the DBA could limit the amount of system resources that could be consumed by any particular user. In Oracle8, user profiles have been expanded to support password control. There are two flavors of profiles, resource control and password control, discussed in the following sections. Profiles are created using the CREATE PROFILE command and can be altered with the ALTER PROFILE command. At database creation time, a single profile, named DEFAULT, is created. You can use the DBA_PROFILES data dictionary view to determine which profiles have been created, and the values of each of the limits contained in the profiles. If a profile is not specified for a user in the CREATE USER command, the DEFAULT profile is used. A user's profile can be changed with the ALTER USER command. You can use the DBA_USERS data dictionary view to see which profile has been assigned to a given user. 6.1.3.1. Resource controlEach user profile has eight individual resource limits and one composite limit that can be specified. For each limit, the possible values are an integer or the keywords UNLIMITED or DEFAULT. When DEFAULT is used, the value is replaced by the corresponding value in the DEFAULT profile. The limits are summarized here:
6.1.3.2. Password controlEffective with Oracle8, the DBA can establish a password policy through the use of profiles. The user profile has been extended to include parameters that control a password's lifetime, ability to be reused, and even its length and format. There are also parameters that allow you to lock out an account if unsuccessful attempts are made to connect to it. The password control parameters include the following:
6.1.3.3. Default profileAt the time the database is created, an initial profile named DEFAULT is established. This is the default profile, and has two functions: Any of the parameters documented above can have a specified value DEFAULT. Oracle uses the value specified in the DEFAULT profile for that parameter. This process is repeated each time a user connects, so a change to the DEFAULT profile will automatically take effect with the next connection. 6.1.3.4. Implementing profilesEnforcing profile limits is a three-step process:
6.1.4. System PrivilegesSystem privileges allow a user of the database to perform specific actions within the database. In Oracle8 Release 8.0, there are 90 system privileges that can be assigned to a user or role. In Oracle7 Release 7.3 there are 78 system privileges that can be assigned to a user or role. See Chapter 15, for a complete list of system privileges that can be assigned. 6.1.5. Object PrivilegesObject privileges allow you to access or manipulate objects in the database. Depending upon the type of object, different object privileges apply. Table 6.1 shows the mapping of object privileges to object types. By default, only the owner of any object automatically has all object privileges for an object. The owner must grant access to the object to other users or roles in order for other users to access the object. The exception to this rule is that someone with the DBA role or with one of the system privileges that allow you to manipulate objects in any schema (they are listed in Table 15.4 in Chapter 15, which describes privileges in some detail) will be able to access the schema object directly. 6.1.5.1. The WITH GRANT OPTION clauseThe owner of an object can grant it to another user by specifying the WITH GRANT OPTION clause in the GRANT statement. In this case, the new grantee can then grant the same level of access to other users or roles. Here are three points to keep in mind about the WITH GRANT OPTION clause:
6.1.6. RolesRoles are the mechanism used by Oracle to facilitate the granting of system and object privileges to users. The granting of roles is a three-step process: 6.1.6.1. Default rolesNormally, when a role is granted to a user, it becomes a default role—that is, the role is automatically active at the time the user connects to the database. However, one of the options available with the CREATE USER and ALTER USER commands is the ability to specify a subset of the roles that are granted to the user by default. You can use this approach if you want a user to be granted a role with the condition that explicit actions must be taken to enable it. The most common use of non-default roles is to ensure that specific system or object privileges are available only from within an application. In this case, the application would enable the role through the SET ROLE command. 6.1.6.2. Maximum number of enabled rolesThe INIT.ORA parameter MAX_ENABLED_ROLES specifies the maximum number of enabled roles a user can have. This number includes the unlisted PUBLIC role. You can determine which roles are currently active by querying the data dictionary view SESSION_ROLES. Oracle counts all roles that have been granted either directly or indirectly through other roles against this limit. Thus, for example, enabling the DBA role actually uses seven of the allocated slots:
A slot is also used for the PUBLIC role. Since roles are established at connect time or when the SET ROLE command is executed, the most common effect of the MAX_ENABLED_ROLES parameter is for a connection to fail with an ORA-1925 error, which indicates that too many roles have been granted to the user. 6.1.6.3. Password-enabled rolesRoles can have associated passwords, which are established using the IDENTIFIED BY clause in the CREATE ROLE or ALTER ROLE commands. When a role has an associated password, the user must provide the password at the time the role is enabled with the SET ROLE command. The two most common scenarios for this are as follows:
6.1.6.4. The WITH ADMIN OPTION clauseSpecial attributes of roles can be granted to a user by including the WITH ADMIN OPTION clause in the GRANT statement. In this case, the user is allowed to grant the role to other users or roles. If you are able to grant a role to someone because you have the role WITH ADMIN OPTION, and then the role is revoked from you, the cascaded grants remain. The situation is different in cases where you simply have object privileges.
Normally, when a role is granted to a user, it is granted as a default role. The exception is when the DEFAULT ROLE clause has previously been used in the CREATE USER or ALTER USER commands. In this case, the role may be granted as a non-default role. In order for the person granting the role to ensure that the role is a default role, he or she must also have been granted the ALTER ANY USER system privilege. 6.1.7. Common Security HolesThis section discusses some of the most common security holes in an Oracle environment. 6.1.7.1. Not changing privileged user passwordsAll standard users created by Oracle have associated passwords. The two primary DBA accounts, SYS and SYSTEM, have (unfortunately) well-documented passwords. Most break-ins into Oracle databases are through one of these accounts, where the initial passwords provided with the installed systems have never been changed. 6.1.7.2. Using the same password in all databasesMost users have a strong tendency to keep passwords simple. One of the easiest ways to do this is to have the same password for all of your accounts—either all DBA accounts in the database or all accounts in all databases. The problem with specifying passwords in this way is that if your password is stolen, it opens up multiple accounts for improper usage. 6.1.7.3. The SCOTT/TIGER accountMost DBAs automatically create the SCOTT account with the well-known password TIGER. This account has been used in demos for years by Oracle and by Oracle Education (utilizing the EMP and DEPT tables). However, if this account exists, any grants made to PUBLIC are also available to the SCOTT account. If an unauthorized person accesses the database using the SCOTT account, you may have a security breach. 6.1.7.4. Shared UTL_FILE access to directoriesThe UTL_FILE built-in package allows a user to read from and write to an operating system file from within PL/SQL. The INIT.ORA parameter UTL_FILE_DIR specifies a list of operating system directories you can use with UTL_FILE. Any PL/SQL procedure executed by any user of the database can read from or write to any file in the directory. 6.1.8. AuditingAfter implementing a security policy, you need to audit actions within the database. Chapter 7, provides specific information on implementing an auditing policy. |
|