Five different security related posts to which I have contributed on dba.stackexchange.com. I did not necessarily provide the accepted answer for these, but felt that the questions posed were interesting enough to warrant a mention.
Rather than a one-size fits all solution - trying to handle everything through a Virtual Private Database policy - a proper security plan involves the use of a variety of techniques, each with their own place in the model. #oracle #vpd #security #roles #plsql #privileges #constraints
The final installment in my series on CAT I STIG controls is all about the use (or not) of the server operating system accounts that support the Oracle database. Two controls address the use of and access to the Oracle software installation account, and one addresses the privileges associated with individual user accounts for DBAs. … Continue reading Top STIG – Part 6 (OS Accounts)
One of the most common attack vectors for any hacker is checking to see if you have reset default passwords on service and administrator accounts. Almost every piece of hardware or software comes with some default way to login the first time, and a lot of people are really bad at changing those credentials to be more secure. Oracle databases and DBAs are no exception...
Part 4 of this series on top STIG controls takes a look at the encryption of data in motion and the use of Public Key Infrastructure (PKI).
The next CAT I STIG control in this series is less technical and more about policy. Like all of the others, however, it requires the DBA to be aware of things beyond their immediate day to day workload, and involved in the planning, design, and development of the system technology stack...
Applications must obscure feedback of authentication information; when using command-line tools such as Oracle SQL*Plus, which can accept a plain-text password, users must use an alternative logon method that does not expose the password.
In this post I'm going to start going over the Database STIG CAT I vulnerabilities in a little more detail. The first two relate to database initialization parameters and authentication.
This post contains a listing of all 199 Oracle 12c Database STIG controls from Release 16 (24 January 2020), organized by the five major categories of database security...
A lot of things are possible in the cloud, but not everything. A couple of technologies in particular that might seem common in on premise systems are nearly impossible to deploy in the cloud. The first is the idea of multiple networks. Many systems are deployed around the idea that there is a common, “public” … Continue reading What the Cloud Can’t Do
There are over 60 controls in the DISA Oracle 12c Database Secure Technical Implementation Guide (STIG) that contain the word "audit" or "auditing"...
FIPS is a four letter word. It is also a source of some confusion when it comes to the Oracle database and DISA STIG compliance, which I will attempt to sort out to the best of my ability in this post.
Seriously, I find all the best questions about Oracle security on forums like Oracle Communities and AskTom. Sometimes I need to be careful, though. I have a tendency to jump right to implementation details in my head without always considering all of the ramifications of the original question. Sometimes the answers seem immediately obvious, but it doesn't usually take long before someone offers an observation that makes me sit back and think that maybe my first instinct needs some qualification. Case in point...
I've seen a couple of Oracle Community and AskTom posts over the last year or two about installing anti-virus software on Oracle database servers. Usually it is because someone in security told the sysadmin or the DBA that they had to install some kind of AV software because it was required. Been there; done that. I found out the hard way that doing so was a bad idea...
A proper understanding of Oracle product licensing is essential to planning and controlling costs associated with system development and deployment. Taking into account that the cost and number of licenses you need may vary depending on the operating system you choose to use, the number of physical CPU sockets in your hardware, the number of users your system will support, or whether or not your servers are virtualized, and it doesn’t take much to get completely lost. If you don’t plan and implement carefully, an audit of database usage by Oracle (yes, they do that!) could wind up costing you hundreds of thousands of dollars or more in additional fees.
I was perusing (yes, "perusing") the My Oracle Support Community Database Administration posts recently when I came across this one: "How to hide oracle database account password in a create user sql script". The poster had a problem that every database administrator has had to confront at one time or another: namely, how to embed a … Continue reading How to hide Oracle passwords in a script?
Authentication In my previous two posts, I discussed configuring the Apache web server and the APEX Workspace for smart card authentication. With those in mind, I will now look at basic smart authentication within an APEX application. In this architecture, individual APEX applications may now authenticate users through one of two methods: HTTP Header Variable: … Continue reading APEX Authentication with a Smart Card – Part 3 (Application)
Welcome to the second step in the process of configuring Oracle APEX for smart card authentication. In my previous post I demonstrated how to configure an Apache HTTPD server to query a smart card and place the user's certificate Common Name into a header variable named SSL_CLIENT_S_DN_CN. In this post I will describe how to … Continue reading APEX Authentication with a Smart Card – Part 2 (Workspace)
I have written previously on how much I dislike password maintenance. Every chance I get to enable PKI certificate authentication, I take it. Most of my career I have worked in environments where certificate authentication was expected, if not explicitly required, so it wasn't a big leap for me to look at configuring Oracle APEX … Continue reading APEX Authentication with a Smart Card – Part 1 (Web Server)
This guide includes step-by-step instructions to install and configure the Apache HTTPD, Tomcat, Oracle REST Data Services, and Oracle Application Express (APEX) technology stack within a simple, highly available infrastructure. It also describes basic HTTP Header-based user authentication and authorization configuration within an APEX application built within the stack.
One thing that going over this material again and again over the last few weeks has driven home for me, especially as our customer considers how best to implement their various choices for development frameworks, is just how much of a fairy tale the promises of middle-tier application servers turned out out to be in terms of processing business logic.
Every once in a while over the years I have been asked, “Why don’t you patch the Java JDK included in an Oracle Home directory?”
An example of a method for scanning the Oracle data dictionary for potential PII data and automating specific responses, such as encrypting of columns or alerting the DBA, when new data is found.
What if you have a lot of potential PII data and you need to enforce some additional safeguards on it? How do I make this information actionable, and better yet how do I automate that action as much as possible?
This is the last post in this series, in which I have described configurations for the server wallet, server networking, client networking, and database. If you have completed all of the steps I laid out, then you are ready to test your SSL connection using your smart card. TNS Ping over TCPS First confirm that … Continue reading Database Authentication with a Smart Card – Part 5 (Testing)