You're reading from Oracle 11g Anti-hacker's Cookbook

Product type: Book
Published in: Oct 2012
Reading level: Beginner
Publisher: Packt
ISBN-13: 9781849685269
Edition: 1st Edition
Author: Adrian Neagu

Adrian Neagu has over ten years of experience as a database administrator, mainly with DB2 and Oracle databases. He is an Oracle Certified Master 10g, Oracle Certified Professional 9i, 10g, and 11g, IBM DB2 Certified Administrator version 8.1.2 and 9, IBM DB2 9 Advanced Certified Administrator 9, and Sun Certified System Administrator Solaris 10. He is an expert in many areas of database administration such as performance tuning, high availability, replication, backup, and recovery. In his spare time, he likes to cook, take photos, and to catch big pikes with huge jerkbaits and bulldawgs.

Chapter 4. Authentication and User Security

In this chapter we will cover:

  • Performing a security evaluation using Oracle Enterprise Manager

  • Using an offline Oracle password cracker

  • Using user profiles to enforce password policies

  • Using secure application roles

  • How to perform authentication using external password stores

  • Using SSL authentication

Introduction


Account security probably raises the most controversies and is the most difficult aspect of database security. For example, your database could have third-party application schemas that have more privileges than they actually need. I have seen, during my experience, many application schema users with all ANY-type privileges or the DBA role or SYSDBA granted due to a misguided application design. In such a situation it can be very difficult to revoke privileges, because there is a risk of affecting the entire application's functionality. Access to the database is granted through a form of authentication, and all access to database objects is performed through user accounts. Too many privileges and weak passwords open the door to sensitive data. Probably one of the most successful outcomes of a hacker's attack would be to find or crack the passwords of users with administrative rights. For example, in previous Oracle versions, such as 9i and 10g, there were active users installed...

Performing a security evaluation using Oracle Enterprise Manager


A good way to check users' rights, the privileges granted to users or to the PUBLIC role, and other security weaknesses is to run the secure configuration evaluation feature from Oracle Enterprise Manager Database Control.

Getting ready

All the steps will be performed on the HACKDB database.

How to do it...

If you do not have OEM installed and configured, you may use the dbca or emca command-line utility to perform an interactive installation and configuration (for example, emca -config dbcontrol db):

  1. Log in to Oracle Enterprise Manager (OEM) as an administrative user. Navigate to the Server tab, go to the Related Links panel, and click on the Policy Groups link shown as follows:

  2. The Policy Group Library page will open. In line with the Policy Group Secure configuration for Oracle in the Scheduled Evaluation column, click on the opened notebook icon as shown in the following screenshot:

  3. Next, Scheduled Evaluations...

Using an offline Oracle password cracker


As we have mentioned and emphasized before, you should perform security assessments against your databases regularly. Password crackers are the best tools to check the real strength of your passwords. These tools are also used by attackers to crack passwords: if you can crack a password, then there is a 100 percent probability that an attacker can do the same. In recent years, some very fast Oracle password crackers have been developed. In this recipe we will use one of the fastest, an Oracle password-cracker tool developed by Laszlo Toth called woraauthbf.

This tool can be downloaded from Laszlo's personal page http://soonerorlater.hu (For a description of the tool and its download link, go to http://soonerorlater.hu/index.khtml?article_id=513); it has the capability of cracking passwords based on hash, dictionary, and brute force methods.

In this recipe we will connect to the HACKDB database, and we will collect the password hashes in a file that will be used as...

Using user profiles to enforce password policies


A user profile controls user password policies and resource control. Every user has an allocated profile.

The DEFAULT profile is assigned if no other profile is specified for a user. It is recommended that you use your own custom profiles to enforce password aging policies, strong passwords, and resource utilization limits. In this recipe, we will create a customized profile named CUSTPROF that establishes a strong password policy through the use of password-related profile resources and a password verification function.

Getting ready

All the steps will be performed on the HACKDB database.

How to do it...

The profile CUSTPROF will be assigned to the HR user in the following steps:

  1. Create a new profile named CUSTPROF using the following statement:

    SQL> create profile custprof limit password_reuse_max 15;
    Profile created.
    
  2. To find information about the profile CUSTPROF, issue the following query:

    SQL> select PROFILE,RESOURCE_NAME...
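The following is an added example, not the book's own code, that carries the recipe's idea through: a CUSTPROF profile whose password-related limits are combined with a SYS-owned verification function. It assumes you run it as SYS on HACKDB, that the profile does not exist yet (use ALTER PROFILE if step 1 already created it), and the function name custprof_verify and the numeric limits are choices made here.

```sql
-- Run as SYS: a password verification function must be owned by SYS and take
-- exactly these three parameters. Returning TRUE accepts the password;
-- raising an error rejects it and shows the message to the user.
CREATE OR REPLACE FUNCTION custprof_verify (
  username     VARCHAR2,
  password     VARCHAR2,
  old_password VARCHAR2
) RETURN BOOLEAN
IS
  differ PLS_INTEGER := 0;
BEGIN
  IF LENGTH(password) < 12 THEN
    raise_application_error(-20001, 'Password must be at least 12 characters');
  END IF;
  IF INSTR(UPPER(password), UPPER(username)) > 0 THEN
    raise_application_error(-20002, 'Password must not contain the username');
  END IF;
  -- POSIX classes keep the checks independent of NLS sort settings
  IF NOT REGEXP_LIKE(password, '[[:upper:]]')
     OR NOT REGEXP_LIKE(password, '[[:lower:]]')
     OR NOT REGEXP_LIKE(password, '[[:digit:]]')
     OR NOT REGEXP_LIKE(password, '[[:punct:]]') THEN
    raise_application_error(-20003, 'Need upper, lower, digit and punctuation');
  END IF;
  -- Require at least 4 positions to differ from the previous password
  -- (old_password is NULL unless the user is changing their own password)
  IF old_password IS NOT NULL THEN
    differ := ABS(LENGTH(old_password) - LENGTH(password));
    FOR i IN 1 .. LEAST(LENGTH(old_password), LENGTH(password)) LOOP
      IF SUBSTR(password, i, 1) != SUBSTR(old_password, i, 1) THEN
        differ := differ + 1;
      END IF;
    END LOOP;
    IF differ < 4 THEN
      raise_application_error(-20004, 'Password too similar to the old one');
    END IF;
  END IF;
  RETURN TRUE;
END;
/
CREATE PROFILE custprof LIMIT
  FAILED_LOGIN_ATTEMPTS    5        -- lock the account after 5 failures
  PASSWORD_LOCK_TIME       1/24     -- stay locked for one hour (unit is days)
  PASSWORD_LIFE_TIME       90       -- force a change every 90 days
  PASSWORD_GRACE_TIME      7        -- warn for 7 days before expiry
  PASSWORD_REUSE_MAX       15       -- the recipe's own first setting
  PASSWORD_REUSE_TIME      365      -- both REUSE_* must be set for either to apply
  PASSWORD_VERIFY_FUNCTION custprof_verify;
ALTER USER hr PROFILE custprof;
```

Assigning the profile does not re-check HR's current password; the function runs only at the next password change, so expire the password (ALTER USER hr PASSWORD EXPIRE) if the policy should apply immediately.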

Using secure application roles


Secure application roles can be used to grant roles selectively, based on the specific needs of the application users. The main advantage is that secure application roles do not require hardcoded passwords in the application code and can be enabled in the background by a stored procedure. In this way, you can develop strict rules that allow users to receive certain privileges only while the application is in use. In this recipe we will also create two users, vw_america and vw_europe, that will be used in further recipes.

Getting ready

All the steps will be performed on the HACKDB database.

How to do it...

The application role will be enabled by using the default context sys_context. Detailed coverage of contexts can be found in Chapter 5, Beyond Privileges: Oracle Virtual Private Database.

  1. Connect as the user system. Create two users vw_america and vw_europe and grant create session privilege to each of them as follows:

    SQL> create user vw_america...
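As an added example (not the book's code) of where the recipe is heading, the block below defines a secure application role that vw_america and vw_europe can obtain only through a SYSTEM-owned package, which checks the session's SYS_CONTEXT before enabling it. The role name hr_app_role, package name hr_app_sec, protected table HR.EMPLOYEES, the 10.0.1.% address range and the HR_REPORTING module name are all assumptions made here; run it as SYSTEM after the two users exist.

```sql
-- Invoker's rights so SYS_CONTEXT and SET_ROLE act on the caller's session.
CREATE OR REPLACE PACKAGE system.hr_app_sec AUTHID CURRENT_USER AS
  PROCEDURE enable_role;
END hr_app_sec;
/
CREATE OR REPLACE PACKAGE BODY system.hr_app_sec AS
  PROCEDURE enable_role IS
    v_user VARCHAR2(30) := SYS_CONTEXT('USERENV', 'SESSION_USER');
    v_ip   VARCHAR2(45) := SYS_CONTEXT('USERENV', 'IP_ADDRESS');
    v_mod  VARCHAR2(64) := SYS_CONTEXT('USERENV', 'MODULE');
  BEGIN
    -- Only the two application users, connecting over the network from the
    -- constructed application-server range, through a client that set the
    -- constructed MODULE name, get the role. MODULE is set by the client
    -- (DBMS_APPLICATION_INFO), so it is a sanity check, not a trust boundary;
    -- IP_ADDRESS is NULL for local bequeath sessions, which therefore fail.
    IF v_user IN ('VW_AMERICA', 'VW_EUROPE')
       AND v_ip LIKE '10.0.1.%'
       AND v_mod = 'HR_REPORTING' THEN
      DBMS_SESSION.SET_ROLE('hr_app_role');
    ELSE
      raise_application_error(-20010, 'Role not available from this session');
    END IF;
  END enable_role;
END hr_app_sec;
/
-- The role can only be enabled from inside that package: SET ROLE from an
-- application or SQL*Plus fails, and it never becomes a default role because
-- it is not granted to the users at all.
CREATE ROLE hr_app_role IDENTIFIED USING system.hr_app_sec;
GRANT SELECT ON hr.employees TO hr_app_role;
GRANT EXECUTE ON system.hr_app_sec TO vw_america, vw_europe;

-- In a session as vw_america, before and after the call:
--   SELECT role FROM session_roles;        -- no HR_APP_ROLE
--   EXEC system.hr_app_sec.enable_role;
--   SELECT role FROM session_roles;        -- HR_APP_ROLE
```

DBMS_SESSION.SET_ROLE replaces the session's currently enabled roles with the ones named, so list every role the application needs in that single call.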

How to perform authentication using external password stores


External password stores are useful in situations in which you want to prevent the connection credentials from being exposed in scripts or application code. In this recipe, we will create a password store that will contain the password for the HR user.

Getting ready

The steps in this recipe will be performed on the HACKDB database and the client node nodeorcl5.

How to do it...

During this recipe, we will use the mkstore utility for wallet management:

  1. Create the wallet by using the mkstore utility. Use ly8T%QX;r for the wallet password as follows:

    mkstore -wrl /security/wallets/pass_store -create
    Oracle Secret Store Tool : Version 11.2.0.3.0 - Production
    Copyright (c) 2004, 2011, Oracle and /or its affiliates. All rights reserved.
    
    Enter password:
    
    Enter password again:
    
  2. Create a net service name used for working with the password store, as follows:

    HACKDB_PASS_STORE =
      (DESCRIPTION =
        (ADDRESS_LIST =
          (ADDRESS = (PROTOCOL ...

Using SSL authentication


The Secure Sockets Layer, commonly referred to as SSL, is another method of authentication based on externally stored credentials. The mechanism is very similar to that used in authentication based on external stores. The major difference is that in authentication based on external stores, we are still using passwords, and the normal user authentication is unaltered. In SSL-based authentication, users are defined externally or globally, and authorization is based on certificates.

Getting ready

In this recipe we will re-use the SSL-based connection setup that was described in Chapter 2, Securing the Network and Data in Transit. Additionally we will create a user named ssluser defined with an external identification. Before starting with the steps, set up the SSL communication as instructed in Chapter 2, Securing the Network and Data in Transit.

How to do it...

  1. Edit $ORACLE_HOME/network/admin/sqlnet.ora and set SSL_CLIENT_AUTHENTICATION to TRUE, as follows:

    SSL_CLIENT_AUTHENTICATION...