Five different security-related posts to which I have contributed on dba.stackexchange.com. I did not necessarily provide the accepted answer for these, but felt that the questions posed were interesting enough to warrant a mention.
I just came across an interesting question on the Stack Exchange forum, where a user was asking how to execute a set of PL/SQL procedures in parallel with each other. There really isn't a construct in PL/SQL to accomplish this. That is not to say that it can't be done, however...
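One way to get the parallelism the question asks for is to leave PL/SQL and do it from the operating system: one SQL*Plus session per procedure, all started in the background and then waited on. The script below is an added example, not code from the original post or from the Stack Exchange answers. The TNS alias orcl, the wallet-based "/@orcl" login and the pkg_etl procedure names are assumptions; the driver is written so that any command can be run concurrently, not only SQL*Plus. DBMS_SCHEDULER and DBMS_PARALLEL_EXECUTE are the in-database alternatives.

```shell
#!/bin/sh
# Added example (not from the original post): run several PL/SQL procedures
# concurrently by giving each one its own SQL*Plus session, wait for all of
# them, and report failure if any session failed.
#
# Assumptions (not from the page): a TNS alias "orcl" and a Secure External
# Password Store, so "sqlplus /@orcl" needs no password on the command line.

# run_procedure NAME: run one procedure in its own session. WHENEVER SQLERROR
# turns a PL/SQL error into a non-zero exit status that the caller can see.
# NAME is interpolated into SQL, so pass only trusted procedure names.
run_procedure() {
    proc="$1"
    sqlplus -S /@orcl <<EOF
WHENEVER SQLERROR EXIT SQL.SQLCODE
SET FEEDBACK OFF
BEGIN
  ${proc};
END;
/
EXIT
EOF
}

# run_in_parallel RUNNER NAME...: start RUNNER once per NAME in the
# background, wait for every job, return 1 if any job failed (0 otherwise).
# RUNNER is a function name, so the same driver works with a stand-in.
run_in_parallel() {
    runner="$1"; shift
    pids=""
    for name in "$@"; do
        "$runner" "$name" &
        pids="$pids $!"
    done
    rc=0
    for pid in $pids; do
        wait "$pid" || rc=1
    done
    return "$rc"
}

# Usage against a real database (procedure names are hypothetical):
#   run_in_parallel run_procedure pkg_etl.load_customers pkg_etl.load_orders pkg_etl.load_items
```

Each backgrounded session is a separate database connection, so the procedures really do run at the same time; the exit status tells a scheduler whether the batch as a whole succeeded.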
The final installment in my series on CAT I STIG controls is all about the use (or not) of the server operating system accounts that support the Oracle database. Two controls address the use of and access to the Oracle software installation account, and one addresses the privileges associated with individual user accounts for DBAs. … Continue reading Top STIG – Part 6 (OS Accounts)
The next CAT I STIG control in this series is less technical and more about policy. Like all of the others, however, it requires the DBA to be aware of things beyond their immediate day-to-day workload, and to be involved in the planning, design, and development of the system technology stack...
Applications must obscure feedback of authentication information; when using command-line tools such as Oracle SQL*Plus, which can accept a plain-text password, users must use an alternative logon method that does not expose the password.
I was perusing (yes, "perusing") the My Oracle Support Community Database Administration posts recently when I came across this one: "How to hide oracle database account password in a create user sql script". The poster had a problem that every database administrator has had to confront at one time or another: namely, how to embed a … Continue reading How to hide Oracle passwords in a script?
I haven't ever done this before, but this has been the busiest year yet for this blog and I thought I would take a moment to say thank you, and to reflect. I know I'm not one of those flashy sites that posts multiple times per day (how do people have time for that while doing real … Continue reading Best Year Yet
Every once in a while over the years I have been asked, “Why don’t you patch the Java JDK included in an Oracle Home directory?”
What if you have a lot of potential PII data and need to enforce additional safeguards on it? How do you make that information actionable, and, better yet, how do you automate that action as much as possible?
In Part 1 and Part 2 of this series I described the process for configuring the server wallet, sqlnet.ora, and listener.ora files. In this post I will discuss how to configure the client for SSL authentication with a smart card. At this point it is assumed that an Oracle Client has already been installed. The … Continue reading Database Authentication with a Smart Card – Part 3 (Client)
I'm going to post this as a reminder to myself as much as anything else. A couple of times - most recently this week - I've had to apply patches for Oracle APEX into various databases that I work with and received the following error almost as soon as the apxpatch.sql script started to run: … Continue reading APEX Patches and NLS_LENGTH_SEMANTICS
While perusing recent postings on the Ask Tom web site, I chanced across this one, entitled "Frustrated DBA", in which John asks the following question: "Is it just me or does doing the "typical DBA" tasks like installing, patching, backing up, checking backups, monitoring databases, creating users, checking space and other mundane tasks get boring … Continue reading The Frustrated DBA
A few years ago I started keeping most of my system documentation in APEX websheets. It's great for keeping things organized and readily available no matter how I'm accessing my work network (on-site, VPN, etc.). A lot of my installation documents have embedded screenshots, and the png files are attached to the websheet as annotations. … Continue reading How to Load Large WebSheets into APEX
I have used Oracle APEX in various capacities since version 3. Since Oracle introduced their packaged applications in version 4 I have played around with most of them from time to time and currently use several of them in my daily work. P-Track, ORAchk, WebSheets and others make my job a lot easier, and the new … Continue reading APEX Mystery Solved
What needs to be done? At this point it is important to stop and consider that if you have read my previous posts in this series and followed all the links that I recommended then you will have read a lot of other people's documentation and best practices. With a little luck you may have … Continue reading The Database, Your Way
What needs to be done? In my last two posts I discussed the rules of the road in relation to designing and implementing an Oracle database information system, and how to evaluate compliance and overall security posture. In this post I will discuss the basic Oracle license, which has been known to cause a lot … Continue reading License to Drive
What needs to be done? In my last post I talked about the legal rules of the road in regards to designing and implementing a database information system, starting from the top level and driving down to the nitty gritty step-by-step hardening instructions, including the STIG. Once the applicable rules are understood, it is important … Continue reading Passing the Test
What needs to be done? Before a driver heads out on the road, it is important for him or her to know the rules. Not just common sense stuff like "don't drive on the wrong side of the road", but the actual rules and laws that govern what you're about to do, like obeying a … Continue reading The Rules of the Road
One of the most problematic STIG checklist items is this one:

Rule Title: Database account passwords should be stored in encoded or encrypted format whether stored in database objects, external host files, environment variables or any other storage locations.
STIG ID: DG0067-ORACLE11
Rule ID: SV-24641r1_rule
Vuln ID: V-3812
Severity: CAT I
Vulnerability Discussion: Database passwords stored … Continue reading Database Account Password Storage
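The rule quoted above and the earlier SQL*Plus rule ("Applications must obscure feedback of authentication information...") have the same practical answer: keep the password out of argv, out of scripts and out of environment variables. The script below is an added example, not code from either post. The first function is a check you can pipe live "ps" output into; the rest shows the prompt-based and wallet-based logins that satisfy both rules. The TNS alias orcl, the wallet directory /u01/app/oracle/wallet, the script name nightly_report.sql and the ps sample are all constructed.

```shell
#!/bin/sh
# Added example, not from the original posts: (1) a check that finds SQL*Plus
# sessions started with a password on the command line (argv is visible to
# every local user through "ps"), and (2) invocation patterns that keep the
# password out of argv, scripts and environment variables.
#
# Assumed names (not from the page): TNS alias "orcl", wallet directory
# /u01/app/oracle/wallet, script nightly_report.sql.

# Constructed "ps -eo pid,user,args" output for the check below.
SAMPLE_PS='PID  USER    ARGS
4021 oracle  sqlplus -S scott/tiger@orcl @nightly_report.sql
4022 oracle  sqlplus scott@orcl @/home/oracle/adhoc.sql
4023 oracle  sqlplus -S /nolog
4024 oracle  sqlplus /@orcl @nightly_report.sql
4025 oracle  /u01/app/oracle/product/19.0.0/dbhome_1/bin/sqlplus hr/hr_2024@orcl
4026 oracle  sqlplus / as sysdba'

# exposed_sqlplus_logins: read ps output on stdin, print lines whose sqlplus
# login argument is user/password[@alias]. "/nolog", "/@alias" (wallet) and
# "/ as sysdba" have nothing before the slash and are not reported; a "@/path"
# script argument is not reported because the user part may not contain "@".
exposed_sqlplus_logins() {
    grep -E '(^|[[:space:]/])sqlplus([[:space:]]+-[^[:space:]]+)*[[:space:]]+[^[:space:]/@]+/[^[:space:]]+' || true
}

# Live use:  ps -eo pid,user,args | exposed_sqlplus_logins

# --- Logins that keep the password out of argv and scripts -----------------

# Interactive: omit the password and SQL*Plus prompts for it (input is not
# echoed); argv shows only "sqlplus scott@orcl".
interactive_login() {
    sqlplus scott@orcl
}

# Unattended scripts: one-time setup of a Secure External Password Store.
# mkstore prompts for the wallet password and, because the credential password
# is omitted here, for that as well, so neither lands in argv or shell history.
# The client's sqlnet.ora must point at the wallet:
#   WALLET_LOCATION = (SOURCE = (METHOD = FILE)
#                      (METHOD_DATA = (DIRECTORY = /u01/app/oracle/wallet)))
#   SQLNET.WALLET_OVERRIDE = TRUE
create_wallet_credential() {
    mkstore -wrl /u01/app/oracle/wallet -create
    mkstore -wrl /u01/app/oracle/wallet -createCredential orcl scott
}

# The script then connects with "/@alias": no password in the script, the
# environment or argv; the wallet files are protected by OS permissions and
# the Oracle software owner account should be the only user able to read them.
run_nightly_report() {
    sqlplus -S /@orcl <<'EOF'
WHENEVER SQLERROR EXIT SQL.SQLCODE
@nightly_report.sql
EXIT
EOF
}

# Run the check over the constructed sample (PIDs 4021 and 4025 are reported).
printf '%s\n' "$SAMPLE_PS" | exposed_sqlplus_logins
```

The check is deliberately narrow to SQL*Plus; other tools that accept user/password on the command line (RMAN, Data Pump) would need their own pattern, and the wallet login works for them too.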
As a database administrator I have been called on to oversee many, many kinds of systems over the years. I have supported everything from prototype proof-of-concept systems with a single programmer to high availability production systems with thousands of end users; servers that support commercial off-the-shelf applications and servers that support multiple custom Java applications. It is an industry standard … Continue reading Shared Application Accounts and Developers
An Oracle database link is one of the most straightforward and useful methods for transferring data from one system to another. Data in remote systems can be queried or copied from table to table over the network, just as if it were in the local database. If not handled correctly, however, a database link can become a major … Continue reading Secure Database Links
I love Oracle's Connection Manager for its proxy filtering of Oracle Net connections, but it has one major flaw: it isn't integrated into Oracle's Cluster Ready Services (CRS) or Oracle Restart at all. When configured securely, Connection Manager requires a manually entered password to perform most maintenance and administrative functions, including startup and shutdown. If … Continue reading Connection Manager Auto Start
Two DB Installation STIG items relate to the version of Oracle software in use:

Rule Title: Vendor supported software is evaluated and patched against newly found vulnerabilities.
STIG ID: DG0001-ORACLE11
Rule ID: SV-24339r1_rule
Vuln ID: V-5658
Severity: CAT I
Discussion: Unsupported software versions are not patched by vendors to address newly discovered security versions. An … Continue reading Software Version Support
The second Installation STIG item pertains to access controls for the account (typically 'oracle') that owns the Oracle software on the database server.

Group ID (Vulid): V-2422
Group Title: DBMS software owner account access
Rule ID: SV-24374r1_rule
Severity: CAT II
Rule Version (STIG-ID): DG0040-ORACLE11
Rule Title: The DBMS software installation account should be restricted to … Continue reading Software Owner Account Access
Years ago I was fortunate enough to be a contributing author to the original DISA Database Security Technical Implementation Guide (STIG), which primarily addressed Oracle 7 and 8. Over the years the STIG has changed quite a bit, and I thought it would be interesting to review it piece by piece with some tips and … Continue reading Thoughts on the DISA Database STIG