17 | 08 | 2017


Some security enhancements with Oracle 11G



From 11G R1 onwards, passwords can be case sensitive (this is the default).

If you migrate from a previous release to 11G, the passwords of users that already existed in the older version aren't case sensitive until the password is changed.

 

SQL> show parameter sec_case_sensitive_logon
 
NAME                                 TYPE        VALUE
sec_case_sensitive_logon             boolean     TRUE

 


The number of connection attempts can be limited with an instance initialization parameter. After n attempts the connection is dropped.

 

SQL> show parameter sec_max_failed_login_attempts
 
NAME                                 TYPE        VALUE
sec_max_failed_login_attempts        integer     10

 

 

What should be done when there are possibly malicious connection attempts (bad packets)?

Possible values are NONE, TRACE, LOG and ALERT.
 

SQL> show parameter sec_protocol_error_trace_action
 
NAME                                 TYPE        VALUE
sec_protocol_error_trace_action      string      TRACE

 


What should the server process do when bad packets are received from the client?

Possible values are CONTINUE, DELAY (delay n seconds before the next requests are allowed) and DROP (drop the connection after n bad packets).

SQL> show parameter sec_protocol_error_further_action

NAME                                 TYPE        VALUE
sec_protocol_error_further_action    string      CONTINUE

 

Should the exact database version be returned to connecting clients?

 

SQL> show parameter sec_return_server_release_banner

NAME                                 TYPE        VALUE
sec_return_server_release_banner     boolean     FALSE

 

 

The DBA can also compile the function verify_function_11G to enforce password complexity

 


PLATINUM_SYS > start ?/rdbms/admin/utlpwdmg.sql;

Function created.


Profile altered.  >>>> default profile is altered


Function created.


PLATINUM_SYS >desc verify_function_11G;


FUNCTION verify_function_11G RETURNS BOOLEAN


Argument Name                  Type                    In/Out Default?
------------------------------ ----------------------- ------ --------
USERNAME                       VARCHAR2                IN
PASSWORD                       VARCHAR2                IN
OLD_PASSWORD                   VARCHAR2                IN


Setting password_verify_function back to NULL removes the check from the default profile again:

PLATINUM_SYS > alter profile default LIMIT password_verify_function NULL;

Profile altered.

 

By default some privileges are audited and the audit trail is in the database

 

16:47:33 SILVER > show parameter audit

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
audit_file_dest                      string      /u01/app/oracle/admin/SILVER/adump
audit_sys_operations                 boolean     FALSE
audit_syslog_level                   string      
audit_trail                          string      DB

16:47:57 SILVER> select privilege from DBA_PRIV_AUDIT_OPTS order by 1;

PRIVILEGE
----------------------------------------
ALTER ANY PROCEDURE
ALTER ANY TABLE
ALTER DATABASE
ALTER PROFILE
ALTER SYSTEM
ALTER USER
AUDIT SYSTEM
CREATE ANY JOB
CREATE ANY LIBRARY
CREATE ANY PROCEDURE
CREATE ANY TABLE
CREATE EXTERNAL JOB
CREATE PUBLIC DATABASE LINK
CREATE SESSION
CREATE USER
DROP ANY PROCEDURE
DROP ANY TABLE
DROP PROFILE
DROP USER
EXEMPT ACCESS POLICY
GRANT ANY OBJECT PRIVILEGE
GRANT ANY PRIVILEGE
GRANT ANY ROLE

23 rows selected.

16:48:02 SILVER > select count(*) from DBA_OBJ_AUDIT_OPTS;

        COUNT(*)
----------------
               0
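
The settings covered above can be reviewed in one pass instead of one show parameter at a time. The queries below are an added example, not part of the original article; they use the standard views v$parameter, dba_users and dba_profiles, and the REVIEW conditions are an assumed baseline to adapt to local policy.

```sql
-- Added example, not from the original article. The REVIEW conditions are an
-- assumed baseline, not Oracle's or the article's recommendation.

-- 1. The parameters shown above in one query. ISSYS_MODIFIABLE = 'FALSE'
--    means the parameter is static and a change needs an instance restart.
SELECT name, value, isdefault, issys_modifiable,
       CASE
         WHEN name = 'sec_case_sensitive_logon' AND UPPER(value) = 'FALSE'
           THEN 'REVIEW: passwords are not case sensitive'
         WHEN name = 'sec_return_server_release_banner' AND UPPER(value) = 'TRUE'
           THEN 'REVIEW: exact version is returned to clients'
         WHEN name = 'sec_protocol_error_trace_action' AND UPPER(value) = 'NONE'
           THEN 'REVIEW: bad packets leave no trace'
         WHEN name = 'sec_protocol_error_further_action' AND UPPER(value) = 'CONTINUE'
           THEN 'REVIEW: bad packets are neither delayed nor dropped'
         WHEN name = 'audit_trail' AND UPPER(value) = 'NONE'
           THEN 'REVIEW: auditing is disabled'
         WHEN name = 'audit_sys_operations' AND UPPER(value) = 'FALSE'
           THEN 'REVIEW: SYS statements are not audited'
         ELSE '-'
       END AS finding
FROM   v$parameter
WHERE  name IN ('sec_case_sensitive_logon', 'sec_max_failed_login_attempts',
                'sec_protocol_error_trace_action',
                'sec_protocol_error_further_action',
                'sec_return_server_release_banner',
                'audit_trail', 'audit_sys_operations')
ORDER  BY name;

-- 2. Accounts carried over from an older release that have no 11G password
--    version yet: their passwords stay case insensitive until changed.
SELECT username, account_status, password_versions
FROM   dba_users
WHERE  password_versions NOT LIKE '%11G%'
ORDER  BY username;

-- 3. Which verify function each profile enforces. 'NULL' means none;
--    'DEFAULT' means the setting is inherited from the DEFAULT profile.
SELECT profile, limit
FROM   dba_profiles
WHERE  resource_name = 'PASSWORD_VERIFY_FUNCTION'
ORDER  BY profile;
```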

 
