Oracle Database Application Security (eBook)
XVII, 341 pages
Apress (publisher)
978-1-4842-5367-0 (ISBN)
- Work with Oracle Internet Directory using the command-line and the console
- Integrate Oracle Access Manager with different applications
- Work with the Oracle Identity Manager console and connectors, while creating your own custom one
- Troubleshoot issues with OID, OAM, and OIM
- Dive deep into file system and network security concepts
Osama Mustafa is a database specialist, an Oracle ACE Director, Certified Oracle Professional (10g, 11g), Certified Ethical Hacker and Sun System Administrator. Osama currently works as an Oracle Instructor in the Middle East. He also works on troubleshooting and the implementation of database projects. He spends his free time on Oracle OTN forums and publishes many articles, including Oracle database articles, on his blog.
Focus on the security aspects of designing, building, and maintaining a secure Oracle Database application. Starting with data encryption, you will learn to work with transparent data encryption, backups, and networks. You will then go through the key principles of audits, where you will get to know more about identity preservation, policies, and fine-grained audits. Moving on to virtual private databases, you'll set up and configure a VPD to work in concert with other security features in Oracle, followed by tips on managing configuration drift, profiles, and default users. Shifting focus to coding, you will take a look at secure coding standards, multi-schema database models, code-based access control, and SQL injection. Finally, you'll cover single sign-on (SSO), and will be introduced to Oracle Internet Directory (OID), Oracle Access Manager (OAM), and Oracle Identity Management (OIM) by installing and configuring them to meet your needs.

Oracle databases hold the majority of the world's relational data, and are attractive targets for attackers seeking high-value targets for data theft. Compromise of a single Oracle Database can result in tens of millions of breached records costing millions in breach-mitigation activity. This book gets you ready to avoid that nightmare scenario.

Who This Book Is For: Oracle DBAs and developers. Readers will need a basic understanding of Oracle RDBMS and Oracle Application Server to take complete advantage of this book.
Table of Contents

- About the Authors
- About the Technical Reviewer
- Acknowledgments
- Introduction
- Chapter 1: Encryption
  - Transparent Data Encryption
  - Rekey the Keystore Master Encryption Key
  - Query the Master Key Information
  - V$ENCRYPTION_WALLET
  - V$ENCRYPTION_KEYS
  - V$DATABASE_KEY_INFO
  - Rekey a Table Key
  - Rekey a Tablespace
  - Change the Password of the Keystore
  - Column Encryption
  - Salt or No Salt?
  - Encrypt a Column in an Existing Table
  - Primary Key Foreign Key Constraints on an Encrypted Column
  - Rekey a Column
  - Tablespace Encryption
  - Tablespace Encryption vs. Column Encryption Performance
  - External Table Encryption
  - Where Can Data Spill Out in Plain Text When Using External Tables?
  - Full Database Encryption
  - Ghost Data
  - How to Fix It
  - Column Encryption
  - Tablespace Encryption
  - Full Encryption
  - Online Tablespace Encryption
  - External Tables
  - Algorithms
  - RMAN
  - Data Pump
  - Network Encryption and Integrity
  - Configure
  - Cross-Border Issues
  - Integrity
- Chapter 2: Audits
  - Ways to Audit a Database
  - Application API Code
  - Auditing with Trigger Code
  - Normal Audit
  - Unified Audit
  - Fine-Grained Auditing
  - Comparing Methods
  - What Happened Yesterday
  - Audit Reports
  - Connections by os_username, username, terminal, and userhost
  - Invalid Login Attempts
  - Audit the Privileges Used in the Last 24 Hours
  - Look for Select, Update, and Delete Statements Against Sensitive Tables That Bypass the Application
  - Unusual Application Activity Against Sensitive Tables That Should Be Accessed from Only Specific IP Addresses
  - What Are You Looking for When You Audit?
  - Accessing Information Outside of the Trusted Path
  - The Policy Needs to Tell Who, What, When, and Where
  - Who
  - What
  - When
  - Where
  - Configuration Drift
  - ORACLE_HOME
  - New Objects
  - Altered Objects
- Chapter 3: Privilege Analysis
  - SYS.DBMS_PRIVILEGE_CAPTURE
  - Requirements
  - Capture Modes
  - Database
  - Role
  - Context
  - Role and Context
  - Procedures
  - CREATE_CAPTURE
  - ENABLE_CAPTURE
  - DISABLE_CAPTURE
  - GENERATE_RESULTS
  - DROP_CAPTURE
  - Views
  - DBA_USED_PRIVS
  - DBA_USED_SYSPRIVS
  - DBA_USED_OBJPRIVS
  - DBA_USED_USERPRIVS
  - DBA_USED_PUBPRIVS
  - DBA_UNUSED_PRIVS
  - DBA_UNUSED_SYSPRIVS_PATH
  - DBA_UNUSED_SYSPRIVS
  - DBA_UNUSED_OBJPRIVS_PATH
  - DBA_UNUSED_OBJPRIVS
  - DBA_UNUSED_USERPRIVS_PATH
  - DBA_UNUSED_USERPRIVS
  - Putting It Together
- Chapter 4: Oracle Database Threats
  - Threat Categories
  - What Protocol Is Your Database Server Using?
  - Understand the Code Running on Your Database
  - Debug, Debug, and Then Debug Some More
  - Test It Before Implementing It
  - Dealing with Threats
  - Oracle Authentication and Authorization
  - TNS Poisoning
  - PL/SQL Injection
  - Execute Operating System Commands Through Oracle
  - Injecting a Rootkit into the Oracle Database
  - Running Operating System Commands Using DBMS_SCHEDULER
  - Disable Audits Using Oradebug Tools
  - Access the Operating System File System
  - Oracle Security Recommendations
  - Oracle TNS Listener
  - Set the TNS LISTENER Password
  - Turn On the Admin Restriction
  - Turn On Valid Node Checking
  - Database Accounts
  - Lock Unused Accounts
  - New Account Creation
  - Password
  - PL/SQL Packages, Procedures, and Functions
  - Patching
  - Review Database Privileges Frequently
- Chapter 5: Network Access and Evaluation
  - What Is an Access Control List?
  - File System ACL
  - Network ACL
  - SQL ACL
  - Access Control List Concepts
  - Principals
  - Privileges
  - Working with ACLs
  - Creating an ACL
  - Deleting an ACL
  - Creating an ACL Based on an Existing ACL
  - Checking Privileges
  - Dropping an ACL
  - Testing an ACL
  - Testing Using UTL_HTTP
  - Testing Using UTL_SMTP
  - Set Up HTTPS Using an ACL
  - Downloading the Certificate from the Web Site You Would Like to Access
  - Uploading the Certificate
  - Creating the Wallet
  - Testing the Web Site
  - Summary
- Chapter 6: Secure Coding and Design
  - Problematic Designs
  - Improved Design
  - Schema-Only Accounts
  - Trusted Path
  - Definer's and Invoker's Rights
  - Definer's Rights
  - Invoker's Rights
  - accessible by
  - Using the Schema-Only Account
  - Code-Based Access Control
  - Set Up Roles and Privileges
  - Build the API Schema
  - Business Logic Schema
  - Error Handling
  - Summary
- Chapter 7: Single Sign-On
  - SSO Terms and Concepts
  - Installation and Configuration
  - Oracle Webgate Installation and Configuration
  - Oracle Internet Directory Installation
  - Configure the Repository Creation Utility
  - Configure the OID Domain
  - Start Node Manager
  - Start the Administration Server
  - Start the Managed Servers
  - OID Links
  - Initial Setup for OID
  - Oracle Access Manager
  - Oracle Access Manager Prerequisites
  - Oracle Access Manager Resource Type
  - Oracle Access Manager Authentication
  - Oracle Access Manager Single Sign-On Cookie
  - Oracle Access Manager Installation
  - Configure the Repository Creation Utility for OAM
  - Configure the OAM Domain
  - Verify the OAM Installation
  - Single Sign-on Examples
  - Integrate WebLogic with Kerberos
  - Active Directory Setup
  - Create a Kerberos File
  - Create the Keytab File
  - Configure the WebLogic Server
  - Test the Configuration
  - Configure SSO for a Siebel Application
  - Configure SSO for EBS 12.2.x, Integration with Oracle Access Manager, and Oracle Internet Directory
- Index
| Publication date (per publisher) | 31.10.2019 |
|---|---|
| Additional information | XVII, 341 p., 88 illus. |
| Language | English |
| Subject area | Mathematics / Computer Science ► Computer Science ► Databases |
| | Computer Science ► Networks ► Security / Firewall |
| Keywords | Audit • Database • Encryption • Network • OAM • OID • OIM • security • SSO |
| ISBN-10 | 1-4842-5367-1 / 1484253671 |
| ISBN-13 | 978-1-4842-5367-0 / 9781484253670 |
DRM: Digital watermark
This eBook contains a digital watermark and is therefore personalized for you. If the eBook is passed on to third parties in breach of the license, it can be traced back to its source.
File format: PDF (Portable Document Format)
With its fixed page layout, the PDF is particularly suited to technical books with columns, tables, and figures. A PDF can be displayed on almost all devices, but is only of limited suitability for small displays (smartphone, eReader).
System requirements:
PC/Mac: You can read this eBook on a PC or Mac. You will need a PDF viewer for this, e.g. Adobe Reader or Adobe Digital Editions.
eReader: This eBook can be read on (almost) all eBook readers. However, it is not compatible with the Amazon Kindle.
Smartphone/Tablet: Whether Apple or Android, you can read this eBook. You will need a PDF viewer for this, e.g. the free Adobe Digital Editions app.
Buying eBooks from abroad
For tax law reasons we can sell eBooks just within Germany and Switzerland. Regrettably we cannot fulfill eBook-orders from other countries.