Oracle Database Application Security Book

Finally …

The Book is alive

For the first time, a book that discusses critical security issues such as database threats and how to avoid them. The book also includes advanced topics about Oracle Internet Directory and Oracle Access Manager, and how to implement full-cycle single sign-on.

Focus on the security aspects of designing, building, and maintaining a secure Oracle Database application. Starting with data encryption, you will learn to work with transparent data, back-up, and networks. You will then go through the key principles of audits, where you will get to know more about identity preservation, policies and fine-grained audits. Moving on to virtual private databases, you’ll set up and configure a VPD to work in concert with other security features in Oracle, followed by tips on managing configuration drift, profiles, and default users.

What You Will Learn:- 

  • Work with Oracle Internet Directory using the command-line and the console.
  • Integrate Oracle Access Manager with different applications.
  • Work with the Oracle Identity Manager console and connectors, while creating your own custom one.
  • Troubleshoot issues with OID, OAM, and OID.
  • Dive deep into file system and network security concepts.
  • For the first time, a chapter that includes most of the critical real-life database threats.

 

You can buy the book now from amazon here

 

Cheers

Osama

Oracle Password Security

As a Certified Ethical Hacker and penetration tester, people always ask me whether Oracle passwords can be cracked or not. You need to know that if a hacker wants to get into your database, he will; all you can do is make it harder for him, so don’t choose a password that is easy to crack.

I post these topics not so they are used in the wrong way; as a DBA you need to know about securing your database and how to make it unbreakable.

For example, check the tools below that are used to crack Oracle passwords.

Other tools can be found for free on the Internet; for example, Red Database Security (an amazing company and website that provides articles and topics about Oracle security) provides some of these tools for free.

Thank you
Osama Mustafa

Oracle security Function for password changing

Check this function, which is used for changing a user’s password. You need to watch out for functions like this; I post this function as an example.

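CREATE OR REPLACE FUNCTION CHGPWD (
P_USER VARCHAR2,
P_PWD VARCHAR2)
RETURN BOOLEAN IS
L_STMT VARCHAR2(255);
BEGIN
-- P_USER and P_PWD are concatenated into the DDL text without any validation
L_STMT := 'ALTER USER "' || P_USER || '" IDENTIFIED BY "' || P_PWD || '"';
EXECUTE IMMEDIATE L_STMT;
RETURN TRUE;
END CHGPWD;
/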
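
A hardened counterpart to the function above, as an added example that is not part of the original post: CHGPWD concatenates both arguments into the DDL, so a double quote in either one changes the statement, and any caller can target any account. The name chgpwd_safe, the owning account holding ALTER USER, and the self-service-only rule are assumptions.

```sql
-- Added example, not the author's code.
-- Assumptions: the function is called chgpwd_safe, is owned by an account
-- that holds ALTER USER, and is meant only for self-service password changes.
CREATE OR REPLACE FUNCTION chgpwd_safe (
  p_user IN VARCHAR2,
  p_pwd  IN VARCHAR2)
RETURN BOOLEAN
AUTHID DEFINER
IS
  -- SESSION_USER is the account that logged in, even inside definer-rights code
  l_session_user VARCHAR2(128) := SYS_CONTEXT('USERENV', 'SESSION_USER');
  l_stmt         VARCHAR2(4000);
BEGIN
  -- Authorization: a caller may only change the password of its own account
  IF p_user IS NULL OR p_user <> l_session_user THEN
    RAISE_APPLICATION_ERROR(-20001, 'You may only change your own password');
  END IF;

  -- A password cannot be a bind variable in ALTER USER, so it still has to be
  -- concatenated. Reject the character that would close the quoted value.
  IF p_pwd IS NULL OR INSTR(p_pwd, '"') > 0 THEN
    RAISE_APPLICATION_ERROR(-20002, 'Password is empty or contains a double quote');
  END IF;

  -- ENQUOTE_NAME adds the surrounding double quotes itself and rejects a name
  -- with an embedded double quote; FALSE keeps the case of the name as stored.
  l_stmt := 'ALTER USER ' || DBMS_ASSERT.ENQUOTE_NAME(l_session_user, FALSE)
         || ' IDENTIFIED BY "' || p_pwd || '"';
  EXECUTE IMMEDIATE l_stmt;
  RETURN TRUE;
END chgpwd_safe;
/
```

When reviewing a schema for functions like CHGPWD, look for EXECUTE IMMEDIATE on a string built from parameters, and check who holds EXECUTE on the function.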

Thank you

I will post more and more topics about Oracle security.

Data Masking In Oracle/Column Masking

Or we can call it VPD: Virtual Private Database

What Does Data Masking Mean?

It is a simple way to hide your valuable data from certain users without having to apply encrypt/decrypt techniques and increase the column width to accommodate the new string, like in the old times. Through some simple configuration you can create policies that show your important columns as null without rewriting a single line of code on your application side.

There are 3 steps to accomplish column masking:

  1. A function to be used by the policy (function policy) created in next step.
  2. Use dbms_rls package to create the policy.
  3. Assign “exempt access policy” to users to be excluded from the policy. These users can see all data with no masking.

Step1 : Create Function Policy 

CREATE OR REPLACE
FUNCTION vpd_function (obj_owner IN VARCHAR2, obj_name IN VARCHAR2)
RETURN VARCHAR2
AS
BEGIN
-- the returned string is the predicate the policy applies to the table
RETURN 'rowid = ''0''';
END vpd_function;
/

The above function is used for column masking. If the predicate it returns evaluates to true, all users will be able to see the correct data; the predicate returned above evaluates to false (rowid = '0').


Step2: Create Policy

BEGIN
DBMS_RLS.ADD_POLICY(object_schema=> 'SCOTT',
object_name=> 'EMP',
policy_name=> 'scott_emp_policy',
function_schema=> 'SYSTEM',
policy_function=> 'vpd_function',
sec_relevant_cols=> 'JOB',
policy_type => DBMS_RLS.SHARED_STATIC,
sec_relevant_cols_opt=> dbms_rls.ALL_ROWS);
END;
/

Step3: Exempt Access Policy

“exempt access policy” is used to exclude some users from the policy so that they see all the correct data.

Important Views :

dba_policies
v$vpd_policy
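
The three steps above as one script, with a predicate that depends on who is logged in (an added example, not from the original post). The names vpd_job_mask, scott_emp_job_mask, HR_ADMIN and AUDITOR1 are assumptions; because the predicate now differs per session, the policy type is DBMS_RLS.DYNAMIC instead of the SHARED_STATIC used above, which caches the predicate.

```sql
-- Added example, not the author's code. Assumed names: vpd_job_mask,
-- scott_emp_job_mask, and the accounts HR_ADMIN and AUDITOR1.
-- Use it in place of scott_emp_policy, not in addition to it.

-- Step 1: policy function, created in SYSTEM as in the post.
CREATE OR REPLACE FUNCTION vpd_job_mask (obj_owner IN VARCHAR2, obj_name IN VARCHAR2)
RETURN VARCHAR2
AS
BEGIN
  IF SYS_CONTEXT('USERENV', 'SESSION_USER') = 'HR_ADMIN' THEN
    RETURN '1=1';   -- predicate true: JOB is shown
  END IF;
  RETURN '1=2';     -- predicate false: JOB comes back as NULL
END vpd_job_mask;
/

-- Step 2: attach the policy to SCOTT.EMP for the JOB column.
-- DYNAMIC re-runs the function for each statement, so the result is never
-- shared between HR_ADMIN and other sessions.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema         => 'SCOTT',
    object_name           => 'EMP',
    policy_name           => 'scott_emp_job_mask',
    function_schema       => 'SYSTEM',
    policy_function       => 'vpd_job_mask',
    statement_types       => 'SELECT',
    sec_relevant_cols     => 'JOB',
    sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS,
    policy_type           => DBMS_RLS.DYNAMIC);
END;
/

-- Step 3: exempt one account. This privilege bypasses every VPD policy in
-- the database, not only this one, so grant it sparingly.
GRANT EXEMPT ACCESS POLICY TO auditor1;

-- Verify: which policies protect the table, and who can bypass them.
SELECT policy_name, pf_owner, sel, enable, policy_type
  FROM dba_policies
 WHERE object_owner = 'SCOTT' AND object_name = 'EMP';

SELECT grantee
  FROM dba_sys_privs
 WHERE privilege = 'EXEMPT ACCESS POLICY';
```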

Enjoy with Security

Osama Mustafa

Oracle Security Tips / SQLNET.ORA Part 2

Hi All,

I posted before about sqlnet.ora and the parameters called invited_list and Exclude_list. Assume that I want to prevent sysdba from accessing the database without a password; here is a simple way.

SQLNET.AUTHENTICATION_SERVICES=NONE 



Setting the “SQLNET.AUTHENTICATION_SERVICES” parameter to “NONE” in the sqlnet.ora file makes it impossible to connect to the database as sysdba without a password (sqlplus / as sysdba).

This parameter may also have the values : NTS for Windows NT native authentication, ALL for all authentication methods.

Authentication Methods Available with Oracle Advanced Security:

  • kerberos5 for Kerberos authentication
  • cybersafe for Cybersafe authentication
  • radius for RADIUS authentication
  • dcegssapi for DCE GSSAPI authentication

If authentication has been installed, it is recommended that this parameter be set to either none or to one of the authentication methods.

Enjoy

Thank you
Osama Mustafa

Limit Access to your Database

It’s a simple, easy way to limit access to your database and prevent people from messing around. We all know there’s a file called “sqlnet.ora”; all you have to do is follow the steps below and add what you want:

Sqlnet.ora : $ORACLE_HOME/network/admin

TCP.EXCLUDED_NODES

Purpose
Use the parameter TCP.EXCLUDED_NODES to specify which clients are denied access to the database.

Example
TCP.EXCLUDED_NODES=(finance.us.acme.com, mktg.us.acme.com, 144.25.5.25)

TCP.INVITED_NODES

Purpose
Use the parameter TCP.INVITED_NODES to specify which clients are allowed access to the database.
 This list takes precedence over the TCP.EXCLUDED_NODES parameter if both lists are present.

Example
TCP.INVITED_NODES=(sales.us.acme.com, hr.us.acme.com, 144.185.5.73)

TCP.VALIDNODE_CHECKING

Purpose
Use the parameter TCP.VALIDNODE_CHECKING to check for the TCP.INVITED_NODES and TCP.EXCLUDED_NODES to determine which clients to allow or deny access.

Example
TCP.VALIDNODE_CHECKING=yes
TCP.VALIDNODE_CHECKING=no

A simple way to keep your database clean. You may need to restart your listener after this.

Thank you
Osama Mustafa

Threats to Database Security Part 1

Today, every company needs to store data and information, and the kinds of data differ from one company to another (pictures, employee and customer data); it is rare to find companies that use paper to store important data. We won’t argue about database types. Sure, Oracle is the best, but there are other products in the market today such as Oracle, Microsoft and k2, and all these products have one thing in common: threats.

Before this, we need to know what we mean by database security, since it is the subject of my article.

Database security can be defined as a system or process by which the confidentiality, integrity, and availability (CIA) of the database can be protected. Unauthorized entry or access to a database server signifies a loss of confidentiality; unauthorized alteration to the available data signifies loss of integrity; and lack of access to database services signifies loss of availability. Loss of one or more of these basic facets will have a significant impact on the security of the database.

This is the common definition of database security. For an illustration of this concept, imagine that the website of a company contains information like who they are, what they do, and what prospective customers have to do to contact them for their queries. In this case, the availability of the database services is more important when compared with other factors like the confidentiality or integrity of the database security.

Threats and risks to databases have increased and therefore the need for securing databases has also increased. When it comes to securing a database, lots of things have to be taken care of; if you were focused on the previous discussion, you will know that I am talking about:
1- Confidentiality
2- Integrity
3- Availability

Confidentiality

What I mean by this word is simple: encrypting the data stored in the database. There are two types of encryption in a database:

1- Data-in-transit:
This refers to data that is moving within the network, for example sensitive data that is sent through network layers or through the Internet. A hacker can gain access to this sensitive data by eavesdropping. When this happens, the confidentiality of the data is compromised. Encrypting data-in-transit avoids such compromises.

2- Data-at-rest:
It is possible for a hacker to hack the data that is stored in the database. Encrypting data-at-rest prevents such data leakages.

Integrity
 
I am not going to say it’s too simple, because I don’t want listeners to kick me; but guys, for me it’s simple, sorry. Integrity is about which users have to be given what permissions in the database. For example, data related to employee information is stored in a database. An employee may have permission for viewing the records and altering only part of the information, like his contact details, whereas a person in the human resources department will have more privileges.

To make sure everything is going to be OK, just follow these steps:

  • Change the password once the database is installed.
  • Policies to set strong passwords have to be enforced. A good idea is to have a policy of changing the passwords once a month.
  • Does your company have multiple database administrators? If yes, segregate the duties among these database administrators.

Simple steps (again simple) save you and your company. 

Now last but I am not finished yet



Availability

Databases must not have unplanned downtime. To ensure this, the following steps have to be taken:

  • To ensure high availability, usage of database clusters is recommended. 
  • Databases should be secured against security vulnerabilities.
  • Backup the data at periodic intervals to ensure data recovery in case of application issues.

As we all know, nothing is perfect, so when we talk about security, that means we talk about threats and attackers. With the increase in usage of databases, the frequency of attacks against those databases has also increased; database attacks are an increasing trend these days. What is the reason behind database attacks? One reason is the increase in access to data stored in databases. When the data is accessed by many people, the chances of data theft increase. In the past, database attacks were prevalent, but were fewer in number, as hackers hacked the network more to show it was possible to hack and not to sell proprietary information. Another reason for database attacks is to gain money by selling sensitive information, which includes credit card numbers, Social Security Numbers, etc. We previously defined database security and talked about common database security concepts. Now let’s look at the various types of threats that affect database security.



Thank You 
Written By : Osama Mustafa 
Consider this as part one, since I will post another one related to this.

Usage of OS_AUTHENT_PREFIX

1. Overview

1) OS_AUTHENT_PREFIX is an important initialization parameter for configuring the Oracle External User environment.
2) External User is a kind of Oracle external authentication solution.
3) With Oracle External User, the user authentication process is accomplished by the operating system automatically.
4) An authorized OS user can access the Oracle database directly without providing a username and password, rather than logging on by being prompted for this information.

2. Official Reference

OS_AUTHENT_PREFIX
Parameter type
String
Syntax
OS_AUTHENT_PREFIX = authentication_prefix
Default value
OPS$
Modifiable
No
OS_AUTHENT_PREFIX specifies a prefix that Oracle uses to authenticate users attempting to connect to the server. Oracle concatenates the value of this parameter to the beginning of the user’s operating system account name and password. When a connection request is attempted, Oracle compares the prefixed username with Oracle usernames in the database.
The default value of this parameter is OPS$ for backward compatibility with previous versions. However, you might prefer to set the prefix value to “” (a null string), thereby eliminating the addition of any prefix to operating system account names.
Note:
The text of the OS_AUTHENT_PREFIX parameter is case sensitive on some operating systems.
See Also:
  • Your operating system-specific Oracle documentation for the default value

3. Create Oracle Database User with OS Authentication Solution

3.1 Prerequisite Checking

1) OS Environment
C:\Documents and Settings\ZYY> sqlplus "/as sysdba"
SQL*Plus: Release 10.2.0.1.0 - Production on 星期四 6 11 17:02:49 2009
Copyright (c) 1982, 2005, Oracle. All rights reserved.
连接到:
Oracle Database 10g Express Edition Release 10.2.0.1.0 - Production
SQL> SELECT OSUSER, USERNAME, PROGRAM FROM V$SESSION;
OSUSER               USERNAME             PROGRAM
-------------------- -------------------- --------------------
SYSTEM                                    ORACLE.EXE (q001)
SYSTEM                                    ORACLE.EXE (QMNC)
SYSTEM                                    ORACLE.EXE (q000)
YYBB\ZYY             YYBB\ZYY             sqlplus.exe
SYSTEM                                    ORACLE.EXE (MMNL)
SYSTEM                                    ORACLE.EXE (MMON)
SYSTEM                                    ORACLE.EXE (CJQ0)
SYSTEM                                    ORACLE.EXE (RECO)
SYSTEM                                    ORACLE.EXE (SMON)
SYSTEM                                    ORACLE.EXE (CKPT)
SYSTEM                                    ORACLE.EXE (LGWR)
SYSTEM                                    ORACLE.EXE (DBW0)
SYSTEM                                    ORACLE.EXE (MMAN)
SYSTEM                                    ORACLE.EXE (PSP0)
SYSTEM                                    ORACLE.EXE (PMON)
Note:
  • This practice is intended to be carried out on the Microsoft Windows platform.
  • “YYBB” is the computer name on which the Windows OS runs.
  • “ZYY” is the user name which is used to log on to the Windows OS.
2) Database Environment
SQL> SHOW PARAMETER OS_AUTHENT
NAME                                 TYPE                   VALUE
------------------------------------ ---------------------- --------------
os_authent_prefix                    string
remote_os_authent                    boolean                FALSE
Note:
  • The value of the OS_AUTHENT_PREFIX parameter is set to “” (a null string).

3.2 Create External User

1) Create User in Oracle Database
SQL> CREATE USER "YYBB\ZYY" IDENTIFIED EXTERNALLY;
Note:
  • In the above demo case, the value of the OS_AUTHENT_PREFIX parameter is set to “” (a null string), so the corresponding username in the Oracle database should be YYBB\ZYY.
  • If the value of the OS_AUTHENT_PREFIX parameter is set to “OPS$”, the corresponding username in the Oracle database should be OPS$YYBB\ZYY.
  • Do NOT forget the double quotation marks ("") around the username YYBB\ZYY; otherwise, you will get an ORA-00911 warning against the special character \.
  • Be aware of the keyword “EXTERNALLY”.
  • Do NOT be careless with “IDENTIFIED”, which should NOT be followed by “BY”.
2) Grant Privileges to Oracle User
SQL> GRANT RESOURCE, CONNECT TO "YYBB\ZYY";
Note:
  • Grant appropriate and minimum privileges to this Oracle user according to your system security requirements.
  • The Oracle user name might be case sensitive on some platforms.

3.3 Test External User

1) Log On to the Oracle Database with the External User
C:\Documents and Settings\ZYY>sqlplus /
SQL*Plus: Release 10.2.0.1.0 - Production on 星期四 6 11 17:26:51 2009
Copyright (c) 1982, 2005, Oracle. All rights reserved.
连接到:
Oracle Database 10g Express Edition Release 10.2.0.1.0 - Production
SQL>
Note:
  • You do NOT need to provide a username and password to log on to the Oracle database through sqlplus.
2) Check the Current Logon User
SQL> SHOW USER
USER YYBB\ZYY
SQL> SELECT USERNAME FROM DBA_USERS;
USERNAME
------------------------------------------------------------
YYBB\ZYY
SYS
SYSTEM
MDSYS
OUTLN
XDB
Note:
  • The current logon user is “YYBB\ZYY”.
  • You can now access the Oracle database via your OS user account directly.