Five Thoughts on Oracle Security

Five different security related posts to which I have contributed on I did not necessarily provide the accepted answer for these, but felt that the questions posed were interesting enough to warrant a mention.

Every Which Way But Loose

Rather than a one-size fits all solution - trying to handle everything through a Virtual Private Database policy - a proper security plan involves the use of a variety of techniques, each with their own place in the model. #oracle #vpd #security #roles #plsql #privileges #constraints

How To Do It In Parallel

I just came across an interesting question on the Stack Exchange forum, where a user was asking how to execute a set of PL/SQL procedures in parallel with each other. There really isn't a construct in PL/SQL to accomplish this. That is not to say that it can't be done, however...

Top STIG – Part 6 (OS Accounts)

The final installment in my series on CAT I STIG controls is all about the use (or not) of the server operating system accounts that support the Oracle database. Two controls address the use of and access to the Oracle software installation account, and one addresses the privileges associated with individual user accounts for DBAs. … Continue reading Top STIG – Part 6 (OS Accounts)

Top STIG – Part 5 (Default Passwords)

One of the most common attack vectors for any hacker is checking to see if you have reset default passwords on service and administrator accounts. Almost every piece of hardware or software comes with some default way to login the first time, and a lot of people are really bad at changing those credentials to be more secure. Oracle databases and DBAs are no exception...

Top STIG – Part 3 (Software Support)

The next CAT I STIG control in this series is less technical and more about policy. Like all of the others, however, it requires the DBA to be aware of things beyond their immediate day to day workload, and involved in the planning, design, and development of the system technology stack...

Top STIG – Part 2 (Obscuring Credentials)

Applications must obscure feedback of authentication information; when using command-line tools such as Oracle SQL*Plus, which can accept a plain-text password, users must use an alternative logon method that does not expose the password.

How to Limit a User Connection to a Specific IP Address

Seriously, I find all the best questions about Oracle security on forums like Oracle Communities and AskTom. Sometimes I need to be careful, though. I have a tendency to jump right to implementation details in my head without always considering all of the ramifications of the original question. Sometimes the answers seem immediately obvious, but it doesn't usually take long before someone offers an observation that makes me sit back and think that maybe my first instinct needs some qualification. Case in point...

AntiVirus for my Database Server?

I've seen a couple of Oracle Community and AskTom posts over the last year or two about installing anti-virus software on Oracle database servers. Usually it is because someone in security told the sysadmin or the DBA that they had to install some kind of AV software because it was required. Been there; done that. I found out the hard way that doing so was a bad idea...

Understanding the AF/Oracle ESLA

A proper understanding of Oracle product licensing is essential to planning and controlling costs associated with system development and deployment. Taking into account that the cost and number of licenses you need may vary depending on the operating system you choose to use, the number of physical CPU sockets in your hardware, the number of users your system will support, or whether or not your servers are virtualized, and it doesn’t take much to get completely lost. If you don’t plan and implement carefully, an audit of database usage by Oracle (yes, they do that!) could wind up costing you hundreds of thousands of dollars or more in additional fees.

Automatically Protecting PII Data Columns with Transparent Data Encryption

What if you have a lot of potential PII data and you need to enforce some additional safeguards on it? How do I make this information actionable, and better yet how do I automate that action as much as possible?