As we have seen already it is possible with DBCA when you create a new 11g database as well as with DBUA for a database upgrade to 11g to enable default security settings.

These default settings include auditing settings for a number of system privileges.

Here is a list of the privileges which are audited by access by default in 11g:

ALTER ANY PROCEDURE
ALTER ANY TABLE
ALTER DATABASE
ALTER PROFILE
AUDIT ROLE BY ACCESS
ALTER SYSTEM
ALTER USER
AUDIT SYSTEM
AUDIT SYSTEM BY ACCESS
CREATE ANY JOB
CREATE ANY LIBRARY
CREATE ANY PROCEDURE
CREATE ANY TABLE
CREATE EXTERNAL JOB
CREATE PUBLIC DATABASE LINK
CREATE SESSION
CREATE USER
DROP ANY PROCEDURE
DROP ANY TABLE
DROP PROFILE
DROP USER
EXEMPT ACCESS POLICY
GRANT ANY OBJECT PRIVILEGE
GRANT ANY PRIVILEGE
GRANT ANY ROLE

Strong authentication for sysdba and sysoper in 11g

Connections with sysdba or sysoper privileges must always be authenticated. This is possible through OS authentication by assigning the appropriate OS group to the OS user.

Another method is the use of a password file.

If there is concern that the password file might be vulnerable the following strong authentication methods can be used with Oracle database 11g:

• Oracle Internet Directory (OID) grants for sysdba and sysoper

• Kerberos ticket server

• Secure Socket Layer (SSL) certificates

In order to use OID the parameter LDAP_DIRECTORY_ACCESS must be set to PASSWORD or SSL.

If you intend to use any of these strong authentication methods the initialization parameter LDAP_DIRECTORY_SYSAUTH must be set to YES. Its default is NO.

Limiting access to External Networking Services

It is possible to establish network connections from inside the database using TCP or higher network protocols. Oracle ships with a number of built in packages for this such as UTL_TCP, UTL_HTTP, UTL_MAIL,  UTL_INADDR, UTL_SMTP.

In Oracle releases prior to 11g the only way to limit access to the network via these packages was to restrict privileges on the packages. Since these packages are granted to PUBLIC by default an intruder who gained access to the database could maliciously affect the network with them.

In  11g and beyond, Oracle has introduced the ability to restrict connections to specific hosts (or IP addresses). Oracle 11g database uses Access Control Lists (ACLs) to restrict the allowed target hosts.

This feature greatly improves network security.

Basically there are two different ways to use this feature:

• using Oracle XML DB

• using the new packages DBMS_NETWORK_ACL_ADMIN
  and DBMS_NETWORK_ACL_UTILITY

Either method can be used to create and manage ACLs.

Your application will encounter an ORA-24247 error if it relies on one of the network packages and no proper ACL has been created. For the use of the following packages it is mandatory to have an ACL for the application user in place in 11g:

• UTL_TCP

• UTL_SMTP

• UTL_MAIL

• UTL_HTTP

• UTL_INADDR

This is the page for security policies in the Enterprise Manager:

% When you upgrade a database to 11g and your application uses the      UTL_TCP, UTL_SMTP, UTL_MAIL, UTL_HTTP, or UTL_INADDR packages you must configure network access control lists (ACLs) in the database before these packages can work as they did in prior releases.

Below you find the explanation for error ORA-24247:

[oracle@rhas4 ~]$ oerr ora 24247

24247, 00000, "network access denied by access control list (ACL)"

// *Cause:    No access control list (ACL) has been assigned to the target
//            host or the privilege necessary to access the target host has not
//            been granted to the user in the access control list.
// *Action:   Ensure that an access control list (ACL) has been assigned to
//            the target host and the privilege necessary to access the target
//            host has been granted to the user.