Oracle User Password Security

About User Security

Each Oracle database has a list of valid database users. To access a database, a user must run a database application, and connect to the database instance using a valid user name defined in the database. Oracle Database enables you to set up security for your users in a variety of ways. When you create user accounts, you can specify limits to the user account. You can also set limits on the amount of various system resources available to each user as part of the security domain of that user. Oracle Database provides a set of database views that you can query to find information such as resource and session information.

Profile

 A profile is collection of attributes that apply to a user. It enables a single point of reference for any of multiple users that share those exact attributes.

Default Oracle Passwords

By default Oracle creates a number of schemas, each with a default password. Although many of these users are locked, it is still good practice to switch to non-default passwords in case they are unlocked by mistake. In addition, regular users often switch their passwords to match their username. Both of these situations represent a security risk

Password Management

The Oracle database includes a range of functionilty to help secure database users. Unused accounts should be locked, while accounts that are used intermittantly should be unlocked as needed.

ALTER USER scott ACCOUNT UNLOCK;

-- Use the schema.

ALTER USER scott ACCOUNT LOCK;

Creating Profile

Password aging, expiration and history is managed via profiles, as shown below. 

CONN sys/password AS SYSDBA

CREATE PROFILE my_profile LIMIT
  FAILED_LOGIN_ATTEMPTS 3  -- Account locked after 3 failed logins.
  PASSWORD_LOCK_TIME 5     -- Number of days account is locked for. UNLIMITED required explicit unlock by DBA.
  PASSWORD_LIFE_TIME 30    -- Password expires after 90 days.
  PASSWORD_GRACE_TIME 3    -- Grace period for password expiration.
  PASSWORD_REUSE_TIME 120  -- Number of days until a specific password can be reused. UNLIMITED means never.
  PASSWORD_REUSE_MAX 10    -- The number of changes required before a password can be reused. UNLIMITED means never.
/

ALTER USER scott PROFILE my_profile; 

The PASSWORD_REUSE_TIME and PASSWORD_REUSE_MAX parameters work in conjunction, so if either is set to unlimited password reuse is prevented.

 PASSWORD_VERIFY_FUNCTION

Password complexity is enforced using a verification function. This must accept three parameters (username, password and old_password) and return a boolean value, where the value TRUE signifies the password is valid. The example below forces the password to be at least 8 characters long.

CREATE OR REPLACE FUNCTION my_varification_function (
  username      VARCHAR2,
  password      VARCHAR2,
  old_password  VARCHAR2)
  RETURN BOOLEAN AS
BEGIN
  IF LENGTH(password) < 8 THEN
    RETURN FALSE;
  ELSE
    RETURN TRUE;
  END IF;
END my_varification_function;
/

Once the function is compiled under the SYS schema it can be referenced by the PASSWORD_VERIFY_FUNCTION parameter of a profile.

ALTER PROFILE my_profile LIMIT
  PASSWORD_VERIFY_FUNCTION my_varification_function;

The code below assigns the completed profile to a user and tests it.

SQL> ALTER USER scott PROFILE my_profile;

User altered.

SQL> ALTER USER scott IDENTIFIED BY small;
ALTER USER scott IDENTIFIED BY small
*
ERROR at line 1:
ORA-28003: password verification for the specified password failed
ORA-28003: password verification for the specified password failed


SQL> ALTER USER scott IDENTIFIED BY much_bigger;

User altered.

SQL>

 Revoke Unnecessary Privileges

As a rule of thumb, you should grant users the smallest number of privileges necessary to do their job.

REVOKE CREATE DATABASE LINK FROM connect;
REVOKE EXECUTE ON utl_tcp FROM public;
REVOKE EXECUTE ON utl_smtp FROM public;
REVOKE EXECUTE ON utl_http FROM public;
REVOKE EXECUTE ON utl_mail FROM public;
REVOKE EXECUTE ON utl_inaddr FROM public;
REVOKE EXECUTE ON utl_file FROM public;
REVOKE EXECUTE ON dbms_java FROm public;

Securing the Listener
In versions prior to 10g Release 1, the TNS listener should be password protected using the lsnrctl utility or the netmgr GUI. When using the lsnrctl utility, the change_password command is used to set the password for the first time, or to change an existing password.

LSNRCTL> change_password
Old password:
New password:
Reenter new password:
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=myserver.mydomain)(PORT=1521)))
Password changed for LISTENER
The command completed successfully
LSNRCTL>

The "Old password:" value should be left blank if the password is being set for the first time. Once the new password is set, the configuration 
should be saved using the save_config command. 

LSNRCTL> save_config
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=myserver.mydomain)(PORT=1521)))
Saved LISTENER configuration parameters.
Listener Parameter File   /u01/app/oracle/product/10.1.0/db_1/network/admin/listener.ora
Old Parameter File   /u01/app/oracle/product/10.1.0/db_1/network/admin/listener.bak
The command completed successfully
LSNRCTL>

Once the password is set, subsequent attempts to perform privileged operations such as save_config and stop will fail unless the password is set using the set password command.

LSNRCTL> set password
Password:
The command completed successfully
LSNRCTL>

Authorisation failure with CRS

A while back I had the problem that my CRS information was lost.

Now I had found that when I did a crs_start of the component I received the following error:

CRS-0254 authorization failure

Some investigation showed that the problem was related to the fact that the component was not owned by the oracle user.

Using crs_getperm ora.ORCL.db showed the problem.

oracle@myhost:/opt/oracle/crs/bin>./crs_getperm ora.ORCL.db
Name: ora.ORCL.db
owner:root:rwx,pgrp:system:r-x,other::r--,

This can be solved by doing the following:

crs_setperm ora.ORCL.db -o oracle
crs_setperm ora.ORCL.db -g dba

Now it works again.

Oracle listener lsnrctl tips

Here we see the lsnrctl command in action:
$ lsnrctl

LSNRCTL for Solaris: Version 9.2.0.1.0 - Production on 30-JAN-2003 11:54:13

(c) Copyright 1998 Oracle Corporation.  All rights reserved.

Welcome to LSNRCTL, type "help" for information.

LSNRCTL> help

The following lsnrctl operations are available

An asterisk (*) denotes a modifier or extended command:

start               stop                status

services            version             reload

save_config         trace               spawn

dbsnmp_start        dbsnmp_stop         dbsnmp_status

change_password     quit                exit

set*                show*

  

The following commands are used to manage the listener: 

·     start – Starts the listener with the name specified, otherwise LISTENER will be used.  For Windows systems, the listener can also be started from the Control Panel.

·     stop – Stops the listener.  For Windows systems, the listener can also be stopped from the Control Panel.

·     status – Provides status information about the listener, including start date, uptime, and trace level.

·     services – Displays each service available, along with the connection history.

·     version – Displays the version information of the listener.

·     reload – Forces a read of the configuration file in order for new settings to take effect without stopping and starting the listener.

·     save_config – Creates a backup of the existing listener.ora file and saves changes to the current version.

·     trace – Sets the trace level to one of the following – OFF, USER, ADMIN, or SUPPORT.

·     spawn – Spawns a program that runs with an alias in the listener.ora file.

·     dbsnmp_start – Starts the DBSNMP subagent. 

 ·     dbsnmp_stop – Stops the DBSNMP subagent.

·     dbsnmp_status – Displays the status of the DBSNMP subagent.

·     change_password – Sets a new password for the listener.

·     quit and exit – Exits the utility.

·     set – Changes the value of any parameter.  Everything that can be shown can be set.

show – Displays current parameter settings.
 

DUL(Data UnLoading) & Desperation

Imagine, if you will, a situation where your Oracle database has become corrupted and your backup could either not be restored or was too out-of-date to be worth restoration. Unfortunately, this situation isn’t as hypothetical or as rare as one would think.
While poor backup strategies set the stage for this situation, hardware failures are an all-too-common occurrence which can wreak havoc on your database. So, what is a DBA to do when confronted with such a vexing situation? If the corruption is substantial or the data must be recovered, the only solution is Data Unloading (DUL).

What is Data Unloading?
DUL is the process of extracting (unloading) data from Oracle data files directly; completely bypassing the Oracle Kernel. Unloading does not even require Oracle to be installed.

How is DUL different from exporting data?
While DUL does export data, it does not require a running server; as does EXP, EXPDP, etc. DUL is strictly an offline operation.

What about database security?
As DUL reads data files directly, user and role-level permissions are completely ineffective. Currently, the only way to protect data from an unloader is to use encryption. However, Oracle’s DUL (and soon DUDE) can read a file which uses Transparent Data Encryption (TDE).

Who can perform DUL?
Technically, anyone who knows the data type and file storage formats used by Oracle can extract the data. Though, DUL is generally performed by specialized utilities; a software category of which only a handful of tools exist.

Basically, these utilities first attempt to open the SYSTEM tablespace data files and retrieve the USER$, OBJ$, TAB$ and COL$ data for use in extracting the data. If this file is also corrupt, you may have to specify object information manually. Though, several of the utilities are able to scan the data files and heuristically determine objects to extract.

SQL and It's Most Basic Command

SQL( Structure Query Language): 
SQL is short for Structured Query Language and is a widely used database language, providing means of data manipulation (store, retrieve, update, delete) and database creation.Almost all modern Relational Database Management Systems like MS SQL Server, Microsoft Access, MSDE, Oracle, DB2, Sybase, MySQL, Postgres and Informix use SQL as standard database language.

Basic SQL Command:
DQL(Data Query Language)
SELECT: Command to retrieve data from tables and views.

DDL: (Data Definition Language):
This includes all commands need to create, modify and drop the structure of database objects.
CREATE: command user to create any database  object.
ALTER: command to modify the structure of any database object.
DROP: To remove the object from database dictionary.

DQL(
DML(Data Manipulation Language):
This includes command to insert, update and delete data from tables.
INSERT: To insert a record into table.
UPDATE: To update a particular record.
DELETE: To delete a Record from the table.

DCL(Data Control Language):
Contol the access to data in database.
GRANT to allow specified users to perform specified tasks.
REVOKE to cancel previously granted or denied permissions.

DTL(Data Transaction Language):
Control transactions in database accessCOMMIT: commit (make persistent) all changes for the current transaction
ROLLBACK:-- roll back (rescind) all changes for the current transaction.