As we have seen already it is
possible with DBCA when you create a new 11g database as
well as with DBUA for a database upgrade to 11g to enable
default security settings.
These default settings include auditing settings for a
number of system privileges.
% The parameter
audit_trail is set to the value DB
by default in 11g if the database was created
with DBCA or upgraded to 11g with DBUA.
% The table aud$ is located in the system tablespace. The
audit records should be archived and the
table should be purged manually on a regular basis in
order not to let it become too big because
the system tablespace is auto extensible with
an unlimited max size!
Here is a list of the
privileges which are audited by access by default
in 11g:
ALTER ANY PROCEDURE
ALTER ANY TABLE
ALTER DATABASE
ALTER PROFILE
AUDIT ROLE BY ACCESS
ALTER SYSTEM
ALTER USER
AUDIT SYSTEM
AUDIT SYSTEM BY ACCESS
CREATE ANY JOB
CREATE ANY LIBRARY
CREATE ANY PROCEDURE
CREATE ANY TABLE
CREATE EXTERNAL JOB
CREATE PUBLIC DATABASE LINK
CREATE SESSION
CREATE USER
DROP ANY PROCEDURE
DROP ANY TABLE
DROP PROFILE
DROP USER
EXEMPT ACCESS POLICY
GRANT ANY OBJECT PRIVILEGE
GRANT ANY PRIVILEGE
GRANT ANY ROLE
Strong
authentication for sysdba and sysoper in 11g
Connections with sysdba or sysoper
privileges must always be authenticated. This is possible
through OS authentication by assigning the appropriate OS
group to the OS user.
Another method is the use of a
password file.
If there is concern that the password
file might be vulnerable the following strong
authentication methods can be used with Oracle
database 11g:
In order to use OID the parameter
LDAP_DIRECTORY_ACCESS must be set to PASSWORD or
SSL.
If you intend to use any of these
strong authentication methods the initialization parameter
LDAP_DIRECTORY_SYSAUTH must be set to YES.
Its default is NO.
% For
strong authentication of sysdba and sysoper you need a
license for the Advance Security Option!
Limiting access to External Networking Services
It is possible to establish network
connections from inside the database using TCP or higher
network protocols. Oracle ships with a number of built in
packages for this such as UTL_TCP, UTL_HTTP, UTL_MAIL,
UTL_INADDR, UTL_SMTP.
In Oracle releases prior to 11g the
only way to limit access to the network via these packages
was to restrict privileges on the packages. Since these
packages are granted to PUBLIC by default an intruder who
gained access to the database could maliciously affect the
network with them.
% EXECUTE
privileges on some of these packages are still granted
to the user PUBLIC by default which is not a
serious security risk any more as it was in
10g and it does not cause a policy violation
of Oracle's built in policies in 11g.
In 11g and beyond, Oracle has
introduced the ability to restrict connections to specific
hosts (or IP addresses). Oracle 11g database uses Access Control
Lists (ACLs) to restrict the allowed target hosts.
This feature greatly improves network
security.
Basically there are two different
ways to use this feature:
Either method can be used to create
and manage ACLs.
Your
application will encounter an ORA-24247 error if it relies
on one of the network packages and no proper ACL has been
created. For the use of the following packages it is
mandatory to have an ACL for the application user in place
in 11g:
-
UTL_TCP
-
UTL_SMTP
-
UTL_MAIL
-
UTL_HTTP
-
UTL_INADDR
% These package
are running with invoker's privileges in 11g. The
invoking user needs the connect privilege
granted in the access control list assigned to the
remote network host
to which he wants to connect.
This is the page for security
policies in the Enterprise Manager:
%
When you
upgrade a database to 11g and your application uses
the
UTL_TCP,
UTL_SMTP,
UTL_MAIL,
UTL_HTTP, or
UTL_INADDR packages you must configure
network access control lists (ACLs) in the
database before these packages can work as they did in
prior releases.
Below you find the explanation for error ORA-24247:
[oracle@rhas4 ~]$ oerr ora 24247
24247, 00000, "network
access denied by access control list (ACL)"
// *Cause: No access control list (ACL)
has been assigned to the target
//
host or the privilege necessary to access the target host
has not
//
been granted to the user in the access control list.
// *Action: Ensure that an access control list
(ACL) has been assigned to
//
the target host and the privilege necessary to access the
target
//
host has been granted to the user.