Oracle Database 12c Security Cookbook

Table of Contents

Oracle Database 12c Security Cookbook

Credits

About the Authors

About the Reviewers

www.PacktPub.com

eBooks, discount offers, and more

Why subscribe?

Instant updates on new Packt books

Preface

What this book covers

What you need for this book

Who this book is for

Sections

Getting ready

How to do it…

How it works…

There's more…

See also

Conventions

Reader feedback

Customer support

 Downloading the example code 

Errata

Piracy

Questions

1. Basic Database Security

Introduction

Creating a password profile

Getting ready

How to do it...

How it works...

There's more...

See also

Creating password-authenticated users

Getting ready

How to do it...

How it works...

There's more...

How to create a user using EM Express

See also

Changing a user's password

Getting ready

How to do it...

How it works...

There's more...

See also

Creating a user with the same credentials on another database

Getting ready

How to do it...

How it works...

There's more...

See also

Locking a user account

Getting ready

How to do it...

How it works...

See also

Expiring a user's password

Getting ready

How to do it...

How it works...

See also

Creating and using OS-authenticated users

Getting ready

How to do it...

How it works...

There's more...

Creating and using proxy users

Getting ready

How to do it...

How it works...

There's more...

Creating and using database roles

Getting ready

How to do it...

How it works...

There's more...

See also

The sysbackup privilege – how, when, and why should you use it?

Getting ready

How to do it...

Database authentication

OS authentication

How it works...

There's more...

See also

The syskm privilege – how, when, and why should you use it?

Getting ready

How to do it...

Database authentication

OS authentication

How it works...

There's more...

See also

The sysdg privilege – how, when, and why should you use it?

Getting ready

How to do it...

Database authentication

OS authentication

How it works...

There's more...

See also

2. Security Considerations in Multitenant Environment

Introduction

Creating a common user

Getting ready

How to do it...

How it works...

Rules/guidelines for creating and managing common users

There's more...

How to create a common user using OEM 12c

Creating a local user

Getting ready

How to do it...

How it works...

Rules/guidelines for creating and managing local users

There's more...

How to create a local user using OEM 12c

Creating a common role

Getting ready

How to do it...

How it works...

There's more...

How to create a common role using OEM 12c

Creating a local role

Getting ready

How to do it...

How it works...

There's more...

How to create a local role using OEM 12c

Granting privileges and roles commonly

Getting ready

How to do it...

How it works...

Granting privileges and roles locally

Getting ready

How to do it...

How it works...

Effects of plugging/unplugging operations on users, roles, and privileges

Getting ready

How to do it...

How it works...

3. PL/SQL Security

Introduction

Creating and using definer's rights procedures

Getting ready

How to do it...

How it works...

Creating and using invoker's right procedures

Getting ready

How to do it...

How it works...

There's more...

Using code-based access control

Getting ready

How to do it...

How it works...

There's more...

Restricting access to program units by using accessible by

Getting ready

How to do it...

How it works...

4. Virtual Private Database

Introduction

Creating different policy functions

Getting ready

How to do it...

How it works...

There's more...

See also

Creating Oracle Virtual Private Database row-level policies

Getting ready

How to do it...

There's more...

See also

Creating column-level policies

Getting ready

How to do it...

How it works...

Creating a driving context

Getting ready

How to do it...

Creating policy groups

Getting ready

How to do it...

Setting context as a driving context

Getting ready

How to do it...

Adding policy to a group

Getting ready

How to do it...

Exempting users from VPD policies

Getting ready

How to do it...

5. Data Redaction

Introduction

Creating a redaction policy when using full redaction

Getting ready

How to do it...

How it works...

There's more...

How to change the default value

See also

Creating a redaction policy when using partial redaction

How to do it...

How it works...

There's more...

Creating a redaction policy when using random redaction

Getting ready

How to do it...

How it works...

Creating a redaction policy when using regular expression redaction

Getting ready

How to do it...

How it works...

Using Oracle Enterprise Manager Cloud Control 12c to manage redaction policies

Getting ready

How to do it...

Changing the function parameters for a specified column

Getting ready

How to do it...

Add a column to the redaction policy

Getting ready

How to do it...

How it works...

See also

Enabling, disabling, and dropping redaction policy

Getting ready

How to do it...

See also

Exempting users from data redaction policies

Getting ready

How to do it...

How it works...

6. Transparent Sensitive Data Protection

Introduction

Creating a sensitive type

Getting ready

How to do it...

How it works...

There's more...

Determining sensitive columns

Getting ready

How to do it...

How it works...

Creating transparent sensitive data protection policy

Getting ready

How to do it...

How it works...

See also

Associating transparent sensitive data protection policy with sensitive type

Getting ready

How to do it...

There's more...

See also

Enabling, disabling, and dropping policy

Getting ready

How to do it...

How it works...

There's more...

Altering transparent sensitive data protection policy

Getting ready

How to do it...

How it works...

See also

7. Privilege Analysis

Introduction

Creating database analysis policy

Getting ready

How to do it...

How it works...

There's more...

See also

Creating role analysis policy

Getting ready

How to do it...

There's more...

See also

Creating context analysis policy

Getting ready

How to do it...

There's more...

See also

Creating combined analysis policy

Getting ready

How to do it...

There's more...

See also

Starting and stopping privilege analysis

Getting ready

How to do it...

How it works...

There's more...

Reporting on used system privileges

Getting ready

How to do it...

There's more...

Reporting on used object privileges

Getting ready

How to do it...

There's more...

Reporting on unused system privileges

Getting ready

How to do it...

There's more...

Reporting on unused object privileges

Getting ready

How to do it...

There's more...

How to revoke unused privileges

How to do it...

There's more...

Dropping the analysis

Getting ready

How to do it...

There's more...

8. Transparent Data Encryption

Introduction

Configuring keystore location in sqlnet.ora

How to do it...

Creating and opening the keystore

Getting ready

How to do it...

How it works...

There's more...

Setting master encryption key in software keystore

Getting ready

How to do it...

There's more...

See also

Column encryption - adding new encrypted column to table

Getting ready

How to do it...

Column encryption - creating new table that has encrypted column(s)

Getting ready

How to do it...

Using salt and MAC

Getting ready

How to do it...

How it works...

There's more...

Column encryption - encrypting existing column

Getting ready

How to do it...

There's more...

Auto-login keystore

Getting ready

How to do it...

How it works...

Encrypting tablespace

Getting ready

How to do it...

How it works...

There's more...

Rekeying

Getting ready

How to do it...

How it works...

Backup and Recovery

How to do it...

There's more...

9. Database Vault

Introduction

Registering Database Vault

Getting ready

How to do it...

How it works...

There's more...

See also

Preventing users from exercising system privileges on schema objects

Getting ready

How to do it...

There's more...

See also

Securing roles

Getting ready

How to do it...

There's more...

See also

Preventing users from executing specific command on specific object

How to do it...

How it works...

Creating a rule set

Getting ready

How to do it...

There's more...

Creating a secure application role

How to do it...

There's more...

See also

Using Database Vault to implement that administrators cannot view data

How to do it...

There's more...

Running Oracle Database Vault reports

How to do it...

Disabling Database Vault

How to do it...

Re-enabling Database Vault

How to do it...

10. Unified Auditing

Introduction

Enabling Unified Auditing mode

Getting ready

How to do it...

How it works...

Predefined unified audit policies

There's more...

See also

Configuring whether loss of audit data is acceptable

Getting ready

How to do it...

How it works...

Which roles do you need to have to be able to create audit policies and to view audit data?

Getting ready

How to do it...

How it works...

There's more...

Auditing RMAN operations

Getting ready

How to do it...

How it works...

See also

Auditing Data Pump operations

Getting ready

How to do it...

See also

Auditing Database Vault operations

Getting ready

How to do it...

How it works...

There's more...

See also

Creating audit policies to audit privileges, actions and roles under specified conditions

Getting ready

How to do it...

How it works...

See also

Enabling audit policy

Getting ready

How to do it...

How it works...

Finding information about audit policies and audited data

Getting ready

How to do it...

Auditing application contexts

Getting ready

How to do it...

How it works...

There's more...

See also

Purging audit trail

Getting ready

How to do it...

How it works...

There's more...

Disabling and dropping audit policies

Getting ready

How to do it...

How it works...

See also

11. Additional Topics

Introduction

Exporting data using Oracle Data Pump in Oracle Database Vault environment

Getting ready

How to do it...

How it works...

There's more...

See also

Creating factors in Oracle Database Vault

Getting ready

How to do it...

How it works...

There's more...

See also

Using TDE in a multitenant environment

Getting ready

How to do it...

How it works...

See also

12. Appendix – Application Contexts

Introduction

Exploring and using built-in contexts

Getting ready

How to do it...

How it works...

There's more...

See also

Creating an application context

Getting ready

How to do it...

How it works...

Setting application context attributes

Getting ready

How to do it...

How it works...

There's more...

See also

Using an application context

Getting ready

How to do it...

How it works...

See also

Oracle Database 12c Security Cookbook

Oracle Database 12c Security Cookbook

Copyright © 2016 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

First published: May 2016

Production reference: 1270516

Published by Packt Publishing Ltd.

Livery Place

35 Livery Street

Birmingham B3 2PB, UK.

ISBN  978-1-78217-212-3

www.packtpub.com

Credits

About the Authors

Zoran Pavlović has worked on various complex database environments including RAC, ASM, Data Guard, GoldenGate, and so on. Areas of his expertise are security, performance/SQL tuning and high availabilty/disaster recovery of Oracle database. He has been working as an instructor for Oracle University since 2010 and during that time he has trained more than 200 students in Europe. In the last couple of years, Zoran has also been working on projects for Oracle Consulting. He is an Oracle ACE and he has been featured speaker/author at many conferences/magazines. He was actively engaged in beta testing Oracle Database 12c. Currently, Zoran is working as an Oracle Technical Architect in Parallel d.o.o. Belgrade.

I would like to take this opportunity to acknowledge some important people in my life who continuously inspire and support me. First, I want to say thank you to my parents Milenko and Stanojka Pavlovic, for everything they taught me, and for all the support they gave me during all these years. Second, I would like to say thank you to my family and my good friends, who helped me become a better person and a better professional. I am very thankful to our excellent team of technical reviewers: Arup Nanda, Gokhan Atil, Dmitri Levin, Osama Mustafa, and Kenneth Roth for their great suggestions and a very helpful feedback. I am also very thankful to Maja Veselica (it was a pleasure writing this book with you), all the editors, and everyone involved in this book.

Maja Veselica, MSc in software engineering, is currently working for Parallel d.o.o., Belgrade, as  an Oracle Database consultant (security, performance tuning, and so on). She has been working as an instructor for Oracle University since 2010. In the last couple of years, she has also been working for Oracle Consulting. Also, Maja is a member of Oracle ACE Program and has more than 20 Oracle certificates. She enjoys (beta) testing Oracle products and participating in other Oracle-related activities.

This is the first book I've written, and because of that, it will always be special to me. I would like to thank my entire family and friends for their patience and support. I am especially grateful to my parents, Mirko and Sanja Veselica, who informally reviewed most parts of the book, and to my uncle Dušan, aunt Zora, and my best friend Mirjana Marković for very creative suggestions.

I am very thankful to the technical reviewers: Arup Nanda, Gokhan Atil, Dmitri Levin, Osama Mustafa, and Kenneth Roth for spending their spare time reviewing this book and for providing us with very valuable feedback (corrections, suggestions, ideas, and opinions). Also, this book couldn't have been written without the Packt Publishing team - thank you all!

Zoran, I always enjoy working with you. Hopefully someday, we'll write another book together.

About the Reviewers

Gokhan Atil is an Oracle ACE Director and DBA team lead at Bilyoner.com in Istanbul, Turkey. He has more than 15 years of experience in the IT industry, working with Oracle, PostgreSQL, Microsoft SQL Server, MySQL, and NoSQL databases. He has a strong background in software development and UNIX systems. Gokhan is an Oracle Certified Professional (OCP), and he specializes in high availability solutions, performance tuning, and monitoring tools.

Gokhan is a founding member and current vice president of Turkish Oracle User Group (TROUG). He's also a member of Independent Oracle User Group (IOUG). Gokhan has presented at various conferences, and he is a coauthor of Expert Oracle Enterprise Manager 12c book.

Gokhan shares his experience of working with Oracle products by blogging