Vous êtes sur la page 1sur 0

Oracle Security and Auditing

Oracle Security

By K. K. Mookhey cto@nii.co.in
Network Intelligence India Pvt. Ltd.

Copyright 2003 by Network Intelligence India Pvt. Ltd. All rights reserved. No
part of this publication may be reproduced or distributed in any form or any means
whatsoever, without the prior written permission of Network Intelligence India Pvt.

If you find this document useful and wish to recommend it to someone, please do
not make copies of it, but ask them to download it from
Network Intelligence India Pvt. Ltd.

Oracle Security and Auditing

This document is about the practical techniques for auditing Oracle databases. It gives the queries and
the configurations that the auditor must check for when carrying out an Oracle audit. Most of the
material in this document applies to both Oracle 8i and 9i. Wherever it differs we have clarified the
distinction. Towards the end we also give the tools and products that an auditor might use in order to
ease the task of data gathering and reporting. Finally, not much previous Oracle experience is assumed,
but some general knowledge about SQL and relational databases would aid the reader.

For auditing the security of an Oracle database, we will execute SQL queries using the SQL*Plus utility
that gets installed whenever Oracle client is installed. The output of these queries can be voluminous
and therefore we must store it in an output file. You may also use the DBA Studio to view the schemas,
tables, views, users, etc., and the SQL Worksheet to execute SQL queries. You could also use the
command-line sqlplus utility. When auditing Oracle Security, we must also audit the underlying
Operating System. But we do not go much into detail on that aspect. We will however explain how to
audit that part of the OS Security that deals with the database.

Introduction to Oracle Security

Secure Installation and OS Security
Gathering General Information
Database Parameters
Users and Profiles
Roles and Privileges
Oracle Built-in Auditing
Miscellaneous Security Aspects

Network Intelligence India Pvt. Ltd.

Oracle Security and Auditing
Introduction to Oracle Security

Some time back Oracle had started a marketing campaign, which proclaimed its product to be
Unbreakable. During this campaign, a UK based researcher discovered a dozen critical security flaws
in Oracle that proved once and for all that no system could claim to be 100% secure. Since then Oracle
has put into place a number of security measures, but recently a series of critical flaws were once again
discovered in the latest version Oracle 9i. What all this really means is that it is we security auditors,
administrators, and DBAs who must really take the onus of securing our databases.

Oracle provides extensive measures to implement security, while at the same time maintain
functionality and efficiency. With Oracle 8i, Oracle has also started providing for a new kind of security
called Fine-Grained Security which allows us to ensure auditing the tables on a per-user or per-field
basis and Oracle Label Security, which enables access control on each row of any table in the

Secure Installation and OS Security
This section briefly touches upon the method of installing Oracle securely and the measures that must be
taken to secure the Operating System as it relates to the Oracle database. We cover Unix and Windows
separately and it is assumed that the reader is familiar with common administration tasks dealing with
user permissions and filesystem structures.

Unix and Oracle Security
Usually, Oracle installs under the username oracle and the group oinstall. During installation it
creates the DBA group dba, which maps to the database roles OSDBA, and OSOPER. All these are
default names and create insecurity. It is advisable for the administrator to choose unique names during
the installation process itself to make it more difficult for an attacker to guess the Oracle owner and
group names.
It is also advisable that each administrator or operator of the database should have their own accounts
and these should be added to the respective groups instead of having one generic all-powerful DBA
account. This can be viewed by seeing group membership information in the /etc/group file.
In Unix, each user has his own umask value. The umask determine the permissions with which new
files get created by the user. For a detailed description on Unix permissions and how to read them, see
Oracle recommends that the user who is designated as the owner of the Oracle software should have an
umask value of 022. This means that any new files created by him will have permissions 755. A users
umask value is specified in one of his startup scripts, such as the .profile file in his home directory, or
the default is picked up from /etc/profile or /etc/default/profile. An easy way to check the oracle owners
umask value is to login to his account and issue the command umask at the Unix prompt.

The most important part with the Oracle installation is the file permissions on the Oracle files and
folders (these are present in ORACLE_HOME and you can go to this folder directly by executing cd
$ORACLE_HOME at the Unix command prompt). The model suggested by Oracle is (assuming
oracle is the account used during Oracles installation):

Network Intelligence India Pvt. Ltd.
This account, oracle, should own all the files and directories and must have full permissions on
all files
Oracle Security and Auditing

The Oracle installation group oinstall by default should have read, write, and execute
permissions on the oraInventory directory, but should not have write permissions on any other
No other user should have write access to any files under the ORACLE_HOME directory.

This is actually the minimum level of security that should exist on the files and folders under
ORACLE_HOME. Usually, you would want to implement tighter controls. As an auditor, you could
recommend the following setup:
1. The oracle software installation account oracle should be given no access once installation
is over. In fact, you may recommend that this account be locked out by setting an invalid
password hash in the /etc/shadow file. This would prevent anyone from logging into the Unix
system with the username oracle
2. Create a single group called oradba, which is mapped to the OSDBA role during installation.
3. Any accounts that need to carry out database administration should be added to this group.
4. The permissions on the entire ORACLE_HOME directory should be to give the owner and the
group full permissions and no access at all to any body else (770).
5. Furthermore, you may remove write permissions even to the members of the oradba group on
critical directories such as $ORACLE_HOME/rdbms/log and $ORACLE_HOME/rdbms/audit
and the directories containing the data files, to ensure that even a DBA cannot modify the audit
trails or the database files directly.
6. Critical files: Certain files should be secured even further:
a. Listener.ora in $ORACLE_HOME/network/admin
b. Remote password files in $ORACLE_HOME/dbs/orapw<SID>
c. Snmp*.ora files in $ORACLE_HOME/network/admin directory
Users must be given no permissions at all on these files.

Also, check all SUID files in the ORACLE_HOME directory. In Unix, SUID files are those that execute
with the privileges of the owner of the file. As far as Oracle is concerned, SUID files can either execute
with privileges of the oracle account or of root. Both are of equal concern to us, and it is extremely
vital that apart from the Oracle owner, and the DBA group, no one else has any permission on these files
(770). To find all SUID files:
unix#>find $ORACLE_HOME -perms 4000

Finally, you must check for any SQL*Plus commands being executed on this system. SQL*Plus is the
utility to connect to the Oracle database to directly execute SQL queries. It is possible to use SQL*Plus
by supplying the username and the password in the command itself. For instance, sqlplus
system/manager. This is usually done when sqlplus is to be executed with batch jobs. To check for this:
unix#>ps ef | grep sqlplus
And see if any username/password combinations pop up.

You must also ensure that all other Unix security measures have been followed.
Network Intelligence India Pvt. Ltd.

Oracle Security and Auditing
Windows and Oracle Security
Oracle must be installed under a specially created account, which should preferably not be called
oracle, and must be an Administrator group member.

Ensure that the drive onto which Oracle is installed is an NTFS drive. Right click on the drive letter in
Windows Explorer and see if there is a Security tab in the Properties menu item.

Audit all accounts that belong to the ORA_DBA group on the Windows system User Manager in
Windows NT, and Computer Management | Users and Groups in Windows 2000. Any user in the
ORA_DBA group receives both OSDBA and OSOPER rights on Oracle. Ensure that each DBA has
his/her own account, and this should then be added to the ORA_DBA group, instead of a generic user

Once again, ensure that all files and folders under ORACLE_HOME are owned by the Oracle owner
(created during installation), and that the ORA_DBA group has full control, and the Everyone group
has no privileges at all. To check this Right click on the ORACLE_HOME folder | Properties | Security |
Permissions | Advanced.

It is to be strongly recommended that a Windows server running Oracle should be a dedicated server
with no other application being run on it, and only the system and database administrators should have
logon accounts to it.

Finally, follow all Windows NT/2000 checks for overall security.

Network Intelligence India Pvt. Ltd.

Oracle Security and Auditing
General Information Gathering

Initially, we must make an inventory of the database version, its components and their versions. This is
mainly to ensure that all components are upgraded to the latest secure versions as recommended by
Queries can be executed under two privilege levels:
1. As the user sys with SYSDBA privileges
2. As a lower-privileged account who must have the necessary SELECT permissions on all system
tables and views in the SYS and SYSTEM tablespaces. You may ask the local DBA to create
such an account for you and allot the required privileges. This is the preferred method when
doing an audit. Mainly, you will need to have CREATE SESSION system privileges, and
SELECT object privileges on all tables and views in the SYS and the SYSTEM tablespaces, and
your default tablespace as SYS.

For the remainder of this document, we shall assume that we are connected with the AUDITOR account
with appropriate privileges.

When connecting using SQL*Plus, you will be asked for the Username, Password and the Host String.
Now on a given Oracle installation, it is possible to have multiple database instances running. Each such
instance is an independent database with its own tables, users, roles, privileges etc. In the Host String
you must provide the name of this instance, also known as SID (System Identifier). On your target
Oracle server, there might be multiple SIDs. The more the number of SIDs, the more the resources
being used up, and the greater the chance of an insecure configuration on one or more of them. You
must ascertain that only the absolutely necessary instances are configured on a production database. You
can determine the current SID by studying the environment variables on the target system. If it is a Unix
system then issue the command env at a command prompt and determine the value of the variable
ORACLE_SID. Enter this value into the Host String to connect to the database. On Windows, you may
right-click on My Computer, and go to Environment to check for the value of the ORACLE_SID

If there are multiple instances running on the same database, then their configuration files will be stored
in files of the name init<SID>.ora as mentioned earlier. But, it is preferable that there be only one
init.ora file which contains the common parameters, and the other init<SID>.ora file must contain a line
of the type IFILE=Path of the main init.ora file, along with the minimum necessary instance-specific
parameters. This ensures that a change in any configuration parameters has to be made only once in the
main init.ora file, and it will get reflected for all the instances once they are restarted.

Once connected to a given instance, you will see the version number of the SQL*Plus utility, and will
be landed onto a prompt. Before issuing the commands you may start spooling to an output file by going
to File | Spool | Spool File. This not only saves the queries and their outputs, but it also helps to maintain
accountability of your actions. You may also prefer to gather the entire list of queries given in this
document into a single file and give this as the input to SQL*Plus by going to File | Open and navigating
to the .sql file. You can then analyze the output of these commands offline.
Network Intelligence India Pvt. Ltd.

Oracle Security and Auditing
To gather a list of components and their versions, issue the following command at the SQL prompt:

SQL>select * from product_component_version

Here the output will give us the component version in a form such as Each of the numbers
gives us vital clues as to the patches applied to Oracle.

Version Number Platform specific patch set number

New features release number Generic patch set number

Maintenance release number

Version number
This number represents the major Oracle release, indicating significant new additions and features

New Features Release Number
Represents new features in the same release

Maintenance Release Number
Represents a new maintenance release. May also include some new features

Generic Patch set Number
Identifies a generic patch set which is applicable across all operating systems and hardware platforms.

Platform Specific Patch Set Number
Represents a patch set that is applicable only to specific operating systems or hardware platforms.

You must ensure that the latest generic and platform patch set number has been applied to the system
being audited. Information on the latest vulnerabilities and patches is available at Oracles website
http://otn.oracle.com/deploy/security/alerts.htm. To be able to download patches you need to be a
member of Oracle Metalink http://metalink.oracle.com

Next you must gather information about the instances configured on this database, and their status i.e.
whether they are configured to run, and if so in what mode. This information is maintained in a System
View called v$database:

SQL>select NAME, CREATED, LOG_MODE, OPEN_MODE from v$database

Network Intelligence India Pvt. Ltd.
Oracle Security and Auditing
The first two parameters are self-explanatory. The third parameter tells us whether Oracles built-in
auditing has been turned on for this instance or not. And the OPEN_MODE parameter tells us whether
this database is in READ WRITE or only READ. Most databases would need to be in READ
WRITE mode.

SGA System Global Area
The System Global Area is the memory Oracle takes when the database is started. Information about the
SGA parameters can be gathered with:

SQL>select * from V$SGA

The parameters are:
Fixed Size, Variable Size, Database Buffers, and Redo Buffers. These parameters must be set according
to the available memory, size of the database, and the number of expected concurrent transactions.
Details on this and the recommended settings for different database sizes are given in the default
init.ora, supplied by Oracle.
Network Intelligence India Pvt. Ltd.

Oracle Security and Auditing
Database Configuration Parameters

The configuration parameters for each instance of the database are in files of the name init<SID>.ora
present in the $ORACLE_HOME/admin/<SID>/pfile directory. You must study this file to ensure that
critical security parameters are set properly. Alternatively, you may execute the following SQL query to
gather only the specific configuration parameters that we need to audit from a security perspective:

SQL>select name, value, description from v$parameter where NAME in
(O7_DICTIONARY_ACCESSIBILITY, audit_trail, db_name,
dblink_encrypt_login, instance_name, log_archive_start,
os_authent_prefix, os_roles, processes ,
remote_login_passwordfile, remote_os_authent, remote_os_roles,
resource_limit, sessions , sql92_security,

The following table gives the explanation of each of these parameters, and their suggested values:

Network Intelligence India Pvt. Ltd.
Version 7 Dictionary
Accessibility Support
Users with the ANY privilege (see section on
Privileges) would be allowed to access the
objects (tables, views, triggers, etc.) in the
SYS schema. These are very critical objects
with very sensitive information, and you can
prevent a user from accessing this
information, even if he has the ANY
privileges, by setting the value of this
parameter to FALSE. Under no circumstances
is it recommended to set this value to TRUE.
audit_trail Enable system auditing
To turn auditing on and control whether
Oracle generates audit records based on the
audit options currently set, set the parameter
AUDIT_TRAIL to "DB" in the database's
parameter file. This will start Oracles built-in
auditing and direct all auditing data to the
database's auditing trail.
database name specified
This is for information purposes only the
name of the database.
enforce password for
distributed login always
be encrypted
The Oracle configuration parameter
whether attempts to connect to remote Oracle
databases through database links should use
encrypted passwords. Prior to Oracle 7.2,
Oracle Security and Auditing
Network Intelligence India Pvt. Ltd.
passwords were not encrypted before being
sent over the network. In order to connect to
older servers, Oracle included this parameter
to retry failed connections using the
unencrypted format. If the
TRUE, and the connection fails, Oracle does
not reattempt the connection. If this parameter
is FALSE, Oracle reattempts the connection
using an unencrypted version of the password.
set to FALSE can be coerced into sending
unencrypted passwords by computers between
linked servers. This parameter must be set to
TRUE in the init.ora configuration file.
(See the section on Database Links for more
instance name supported
by the instance
This is just for information purposes and its
value is the same as that which you used in the
start archival process on
SGA initialization
To enable automatic archiving of filled groups
each time an instance is started, include the
initialization parameter
LOG_ARCHIVE_START in the databases
initialization parameter file and set it to
TRUE. The new value takes effect the next
time you start the database.
If the database has been configured to use the
Operating System authentication, rather than
its own, then the users who are identified on
the OS rather than on the database, have their
user names on the database prefixed by the
value shown here in order to distinguish them
as OS users. By default this value is OPS$,
meaning that a user who is identified on the
Operating System as user1 will have a
corresponding database login as OPS$user1
retrieve roles from the
operating system
To operate a database so that it uses the
operating system to identify each users
database roles when a session is created, set
the initialization parameter OS_ROLES to
TRUE (and restart the instance, if it is
currently running). When a user attempts to
create a session with the database, Oracle
Oracle Security and Auditing
Network Intelligence India Pvt. Ltd.
initializes the users security domain using the
database roles identified by the operating
system. This may be set to TRUE if the
database is configured to use external
Operating System authentication.
processes user processes
This parameter determines the maximum
number of operating system processes that can
be connected to Oracle concurrently. The
value of this parameter must include 5 for the
background processes and 1 for each user
process. For example, if you plan to have 50
concurrent users, set this parameter to at least
55.This parameter is set to an acceptable
password file usage
This parameter tell Oracle whether to check
authentication information from a file created
using the orapwd utility instead of the
SYS.USER$ table. This is mainly for remote
administration of a database from a client PC
and should in most cases be strictly avoided.
The preferred value of this parameter is
NONE. It can also be set to EXCLUSIVE,
which means that only one instance can use
this file, but it can contain hashed passwords
for users other than SYS and INTERNAL. It
can also be set to SHARED, which means
multiple instances can use the password file,
but only hashed passwords for SYS and
INTERNAL are allowed. See the section on
Users and Roles for more information on the
INTERNAL account.
allow non-secure remote
clients to use auto-logon
It is strongly recommended that the value of
this parameter be set to FALSE. Setting it to
TRUE allows a user to connect to the database
without supplying a password, as long as he is
logged on to his operating system with an
allowed user name. An attacker can
impersonate the user on his own OS and get
connected to Oracle, if the user is set up for
remote authentication.
allow non-secure remote
clients to use os roles
The same logic applies here as well. This
value must be set to FALSE to disallow a
malicious user from connecting to the
database and assuming a role that is identified
Oracle Security and Auditing
by his own Operating System, instead of by
the database.
master switch for
resource limit
If a database can be temporarily shut down,
resource limitation can be enabled or disabled
by the RESOURCE_LIMIT initialization
parameter in the databases initialization
parameter file. Valid values for the parameter
are TRUE (enables enforcement) and FALSE;
by default, this parameters value is set to
FALSE. Once the parameter file has been
edited, the database instance must be restarted
to take effect. Every time an instance is
started, the new parameter value enables or
disables the enforcement of resource
user and system
This is the maximum number of sessions that
can connect to the database. Usually, you
begin with the default value and increase it if
you find that the peak usage is more than
require select privilege
for searched
The SQL92 standards specify that security
administrators should be able to require that
users have SELECT privilege on a table when
executing an UPDATE or DELETE statement
that references table column values in a
lets you specify whether users must have been
granted the SELECT object privilege in order
to execute such UPDATE or DELETE
Directories that the
UTL_FILE package can
The UTL_FILE package allows Oracle to read
and write files on the host Operating System.
The value of this parameter determines which
directories on the OS can be accessed by
PL/SQL statements. Setting this option to *
in effect turns of any access control on the
directories. It must also not be set to the
current directory .. In face, access to the
UTL_FILE package itself must be severely
Network Intelligence India Pvt. Ltd.

Oracle Security and Auditing
Users and Profiles

Before we move onto describing users and profiles on an Oracle database, let us determine our main
sources of information for Oracle. Most of the information that we will be gathering in the next few
sections is from views that exist in the SYS schema (you can see this using DBA Studio). These views
are of three main types:
1. DBA_<view_name>: views that are for the DBA and list all information
2. ALL_<view_name>: views that list all information except any sensitive data
3. USER_<view_name>: views that list information pertaining to the currently logged on user, who
is executing the query.

When carrying out an Oracle audit after logging in with a specially created account, you must ensure
that you have been granted SELECT privileges on all views that begin with DBA_, ALL_, and USER_.

To see all the users created on the system:
SQL>Select * from DBA_USERS

In order to get only the fields we want to study:
SQL>Select Username, Password, Account_Status, Default_Tablespace,
Profile from DBA_USERS

Let us study each of these columns one by one. The first two column lists all the users created in this
database, and their hashed passwords. We must ensure that all default accounts have been removed
unless they are absolutely required. The problems with default accounts are well known: they are
common knowledge, their passwords are also known (see table of default users and passwords below),
and they have the privileges that have been granted to the role PUBLIC (more on this in the section on
Roles and Privileges). As a result, most hackers will try to log in to your Oracle database using any
number of default username/password pairs. The following is a table of these accounts, and what their
purpose is:

Network Intelligence India Pvt. Ltd.
Username Default Password Function
SYS CHANGE_ON_INSTALL The most powerful account
on the database that owns
all the internal objects that
make up the database itself.
SYSTEM MANAGER The initial very powerful
account from which most of
the object creation is done.
Its default password is so
well-known, that it must be
changed immediately.
SCOTT TIGER This account is mainly for
learning SQL and for
testing database
connectivity over the
network. You may choose
Oracle Security and Auditing
Network Intelligence India Pvt. Ltd.
to keep it, but it inherits all
the privileges that have
been given to the PUBLIC
role, and therefore these
must be restricted, or
completely removed.
DBSNMP DBSNMP Required for Oracle
Enterprise Manager
Intelligent Agent. This is
used for remote database
administration. It is
preferable to not administer
Oracle from a remote
console, and therefore this
account must be removed or
its password changed.
TRACESVR TRACE For Oracle Trace collection,
which is used to collection
performance and resource
utilization data.
CTXSYS CTXSYS Supports Context option for
function calls contained the
columns attribute.
MDSYS MDSYS Used to support Spatial
Data Option. Remove or
disable unless this option is
DEMO DEMO As the name suggests.
CTXDEMO CTXDEMO Context option
attribute information for
ORDVideo objects.
OUTLN OUTLN Ensures that the SQL Query
optimizer generates the
same final execution plan
when the input SQL
statements are the same.
ADAMS WOOD The accounts of ADAMS,
CLARK are legacy
accounts for education
Oracle Security and Auditing
Randomly generated Used for supporting the
Oracle 8i Aurora JVM
facilities of the RDBMS
server to concurrently
schedule Java execution.
ORDSYS ORDSYS Used to support Oracle 8i
Time Series Option to
enable working with
calendars and time series
MTSYS MTSYS This account supports the
Microsoft Transaction
Server and the Microsoft
Application Demo software.
SAP SAPR3 The default
combination if SAP is

During an audit, what we really need to check for is whether the default username/password
combinations exist or not. Now the passwords in an Oracle database are stored using a modified DES
algorithm. Therefore, we need to know the list of password hashes for these users as well. I recommend
http://www.pentest-limited.com/default-user.htm for not only a list of default username/passwords, but
also for a sample SQL script that you can run towards the end of the audit, to ensure that even if the
default accounts exist, their passwords must be changed.

You can check for these accounts with a query like this (assuming you are already connected with
SELECT privileges on SYS.USER$):
SQL>Select DBSNMP has default password DBSNMP where
username=DBSNMP and password=E066D214D5421CCC

Connect as INTERNAL
In Oracle 8i and earlier, a user can connect to the database with the alias INTERNAL and the default
password ORACLE. This would give him highest possible privileges on the database, including the
ability to start or shutdown a database. This feature was deprecated in Oracle 8i and has been
completely removed in Oracle 9i. This is probably one of the highest security risks in Oracle. You can
test whether this account still exists with the default password, or an easy to guess password by:

SQL>connect internal/oracle
SQL>connect internal/<easy_password>
Network Intelligence India Pvt. Ltd.

Oracle Security and Auditing
Going back to the output of our query on the DBA_USERS view, we want to audit for users whose
ACCOUNT_STATUS is not LOCKED/EXPIRED i.e. it is OPEN. We will see later in Password
Parameters, how the account gets locked out or expired.

Next, we want to ensure that for no users does the DEFAULT_TABLESPACE value equal SYS or
SYSTEM. These are very highly privileges system tablespaces containing the tables that are required for
the oracle database to function and contain highly critical information. When the user logs in to Oracle,
he is automatically assigned a tablespace according to the value set for this parameter. To enlist users
with the default tablespace as SYS or SYSTEM, execute the following SQL query:

SQL>Select Username from DBA_USERS where DEFAULT_TABLESPACE in

The final and most important user parameter is the Profile. In Oracle, user account restrictions in terms
of password parameters and resource usage can be set with the use of Profiles. In a default installation,
Oracle creates one profile called the DEFAULT profile, which gives no password or resource
restrictions. We must modify this profile to set its parameters appropriately.

You may execute the following query to get the values for the parameters in each profile defined in the

SQL>Select * from DBA_PROFILES

Next, we describe each parameter, and its suggested value. Do keep in mind, though, that these are only
general recommendations and need to be carefully evaluated for each specific instance. But the
important thing is that the parameters must be changed from their default settings. This can also be done
by using a script called utlpwdmg.sql found in $ORACLE_HOME/rdbms/admin.

The parameters of each Profile are of two types: Kernel and Password. Let us see the Password
parameters first:

The FAILED_LOGIN_ATTEMPTS parameter serves as a limit to the number of allowed failed login
attempts before the account is locked out. Setting this parameter to an acceptable value ensures that no
malicious user can try to guess passwords by repeatedly trying to login. Setting this value limits the
ability of unauthorized users to guess passwords and alerts the DBA as to when password guessing
occurs (accounts display as locked). Once an account is locked, it cannot be logged on to for a specified
number of days or until the DBA unlocks the account. (See the Password Lock Time and Password
Reuse Time below).
Default value: UNLIMITED, meaning never lock an account.
Suggested value: A user must be locked out after at least 3 failed login attempts. Ensure that this value
is set to 3, or a maximum of 6 but never more than that.
Network Intelligence India Pvt. Ltd.

Oracle Security and Auditing
When a particular user exceeds a designated number of failed login attempts, the server automatically
locks that users account. You must specify the permissible number of failed login attempts using the
FAILED_LOGIN ATTEMPTS parameter above. Here you can specify the amount of time accounts
remain locked.
Default value: UNLIMITED
Suggested value: .0006

This parameter determines the maximum validity period for a password. The user must change the
password within the value of this parameter. This is one of the most critical parameters and its value
must be set strictly as recommended. Setting this value ensures users are changing their passwords.
Default value: UNLIMITED.
Suggested value: As per the security policy, this may be set to a value between 30-60 days.

Users enter the grace period upon the first attempt to log in to a database account after their password
has expired. During the grace period, a warning message appears each time users try to log in to their
accounts, and continues to appear until the grace period expires. Users must change the password within
the grace period. If the password is not changed within the grace period, the account expires and no
further logins to that account are allowed until the password is changed.
Default value: UNLIMITED, meaning never require an account to change the password;
Suggested value: 10

The PASSWORD_REUSE_TIME value specifies the number of days before a password can be reused.
PASSWORD_REUSE_TIME can be set to a specific number of days; to UNLIMITED; or to
DEFAULT, which uses the value indicated in the DEFAULT profile. Default value: UNLIMITED,
which allows passwords to be reused immediately.
PASSWORD_REUSE_TIME is mutually exclusive with PASSWORD_REUSE_MAX. If
PASSWORD_REUSE_TIME is set to a value for a given profile, PASSWORD_REUSE_MAX must be
set to UNLIMITED for the same profile. And vice-versa.
Default value: UNLIMITED
Suggested value: 1800

This parameter determines the number of password changes a user must make before he can re-use his
current password. (Compare this with the PASSWORD_RESUE_TIME, wherein he can reuse his
password if it is older than x number of days). This along with the other parameters for the profile
further increases the impregnability of the user accounts. If PASSWORD_REUSE_MAX is set to a
value for a given profile, PASSWORD_REUSE_TIME must be set to UNLIMITED.
Default value: UNLIMITED
Suggested value: UNLIMITED (assuming PASSWORD_REUSE_TIME has been set appropriately).

Network Intelligence India Pvt. Ltd.
The PASSWORD_VERIFY_FUNCTION value specifies a PL/SQL function to be used for password
verification when users who are assigned this profile log into a database. This function can be used to
Oracle Security and Auditing
validate password strength by requiring passwords to pass a strength test written in PL/SQL. The
function must be locally available for execution on the database to which this profile applies. Oracle
provides a default script (utlpwdmg.sql), but you can also create your own function. The password
verification function must be owned by SYS.
Default value: NULL, meaning no password verification is performed.
Suggested value: VERIFY_FUNCTION (found in the utlpwdmgr.sql script, or one of your own.)

As mentioned earlier, there exists a default script utlpwdmgr.sql to do it for you. The values set by this
script are the ones given here as suggested values. You may change this script or use the ALTER
PROFILE statement to set your own values.

Finally, we have the Kernel parameters, which are to do with restrictions on resource usage and help to
prevent a Denial of Service situation. Again, the values given here are only suggestions and you may
have to test these on a development database before applying them on a production setup.

Composite Resource Usage limits the total cost of resources used for a session. The resource cost for a
session is the weighted sum of the CPU time used in the session, the connect time, the number of reads
made in the session, and the amount of private SGA space allocated.
Its recommended value is 1000000

Concurrent Sessions Resource Usage limits the number of connections that a user can establish without
releasing previous connections.
Its recommended value is 1

CPU/Session limits restrict the maximum amount of total CPU time allowed in a session. The limit is
expressed in seconds.
Its recommended value is 1000000

CPU/Call limits restrict the maximum amount of total CPU time allowed for a call (a parse, execute, or
fetch). The limit is also expressed in seconds.
Its recommended value is 1000000

Reads/Session Resource Usage limits restrict the total number of data block reads allowed in a session.
The limit includes blocks read from memory and disk.
Its recommended value is 50000

Reads/Call Resource Usage limits restrict the Maximum number of data block reads allowed for a call
(a parse, execute, or fetch) to process a SQL statement. The limit includes blocks read from memory and
Its recommended value is 5000
Network Intelligence India Pvt. Ltd.

Oracle Security and Auditing
This setting limits the maximum idle time allowed in a session. Idle time is a continuous period of
inactive time during a session. Long-running queries and other operations are not subject to this limit.
The limit is expressed in minutes. Setting an Idle Time Resource Usage limit helps prevent users from
leaving applications open when they are away from their desks.
Its recommended value is 15

Connect Time Resource Usage limits restrict the maximum elapsed time allowed for a session. The limit
is expressed in minutes. Setting a Connect Time Resource Usage limit helps prevent users from
monopolizing a system and can ensure that resources are released when a user leaves his workstation
without logging off the system.
Its recommended value is 90

Network Intelligence India Pvt. Ltd.
The default value for all of these parameters is UNLIMITED, and must be changed according to the
values suggested above or those found appropriate depending upon available resources and expected
peak usage.
Oracle Security and Auditing
Roles and Privileges

In Oracle, privileges are assigned to roles and roles are assigned to users. You can think of roles in
Oracle, as groups in Unix or Windows. This facilitates easier management of users and privileges.
Instead of assigning privileges to 100 users in the accounts department, you can create one ACCOUNTS
role, assign it the required privileges, and then assign this role to all the 100 users. If in the future, you
decide to remove a privilege you had granted earlier, all you need to do is remove it from the role, and
automatically all the users assigned to that role will lose the privilege.

To see all the roles that exist in the database:

SQL>Select * from DBA_ROLES

To first see what roles have been granted to a given user, RAKESH:


Remember that roles can be assigned to users as well as to roles. An entire hierarchy of roles can be
created. For instance, you may create roles ACCOUNTS and PERSONNEL for the respective
departments, and a role MANAGEMENT for senior managers. If the requirement is to provide
MANAGEMENT privileges that have been granted to both ACCOUNTS and PERSONNEL, then these
roles can be assigned to MANAGEMENT. As a result, to really know all the roles assigned to a user,
you must repeatedly execute the above query for the roles that appear in its result. We will see an
example of how to do this below.

Also, there is one critical role that you must ensure has not been assigned to any application users: the
RESOURCE role. This role includes privileges that are not required by most application users, and a
more restricted role must be granted:


Another role that you must also check for, is the CONNECT role. This role grants critical privileges
such as CREATE TABLE, CREATE DATABASE LINK, and several others, which are not required by
the majority of database users. Instead of using the CONNECT role to grant users access to Oracle, a
special role must be created with only the CREATE SESSION privilege, and then this role must be
granted to all users. This can be checked as follows:

Network Intelligence India Pvt. Ltd.

Oracle Security and Auditing
Privileges are granted to users/roles using the GRANT statement and are removed using the REVOKE
statement. The possible privileges in an Oracle database are:

Privilege Authorization
Select Read the information from a table or view

Update Modify the contents of the table or view

Insert Add new rows of data into a table or view

Delete Delete one or more rows from a table or view

Execute Execute or access a function or procedure

Alter Modify an objects parameters

Read Read files in a directory

Reference Create a constraint that refers to a table

Index Create an index on a table

These are called object privileges, and are granted to users or roles on database objects such as tables,
views, procedures, functions, triggers, synonyms, indices, etc.

The second type of privilege is system privileges. These allow you to connect to the database, affect
database objects, and to create user objects such as tables, views, indexes and stored procedures.

The syntax for granting privileges is:

SQL>grant <privilege> to <user or role>

To see what privileges a user is granted you must also see what privileges are granted to the roles that he
is assigned. Object and system privileges are stored in the DBA_TAB_PRIVS and the
DBA_SYS_PRIVS views. For RAKESH, check the object privileges that have been granted:


You must also ensure that RAKESH has been granted only the appropriate privileges, according to his
functionality requirements.

Network Intelligence India Pvt. Ltd.
Here, the GRANTOR and the OWNER can be two different users. This is possible because of the
GRANTABLE field. This field is also known as the WITH GRANT OPTION. This option allows the
Oracle Security and Auditing
grantee to further grant these privileges to users that he wants to. This is a dangerous option and must be
used sparingly.

To check all object privileges that have been assigned with the WITH GRANT OPTION:


Finally, system privileges are stored in the view DBA_SYS_PRIVS. Some system privileges are
CREATE SESSION (to allow the user to connect to the oracle database), CREATE TABLE, CREATE
VIEW, etc. To check what actions RAKESH can do as far as creating and manipulating the database
objects is concerned:


Once again, you must ensure that RAKESH has the most restrictive set of system privileges. The other
thing to note is the field ADMIN_OPTION. This is somewhat similar to the field GRANTABLE in the
object privileges view DBA_TAB_PRIVS. This field, also known as, WITH ADMIN OPTION,
allows the GRANTEE to grant these system privileges to other users or roles. This is similar to the
WITH GRANT OPTION for object privileges and is very critical. To check for all privileges that have
been assigned using the WITH ADMIN OPTION:


To summarize, what we need to do is this:
1. Pick the user (or we can do this for all users), say RAKESH
2. Find out all the roles assigned to him:
3. Find out the object privileges granted to RAKESH and also to the roles that have been assigned
4. Find out all system privileges granted to RAKESH and his roles:

One role that this must specially be done for is PUBLIC. The PUBLIC role is like the Everyone group
in Windows. It cannot be removed, and every database user is automatically assigned the PUBLIC role.
On a default database, the PUBLIC role has a really extensive list of permissions. It is highly
recommended to complete REVOKE all privileges and roles that have been granted to PUBLIC. Any
privilege that stays with PUBLIC is to be viewed as a critical security risk. In a default setup the output
of this command can be quite voluminous:

Network Intelligence India Pvt. Ltd.

Oracle Security and Auditing
Alternatively, you can query privileges based on the object name. For instance, the SYS.LINK$ table
contains plain-text passwords for database links (see section later), and the SYS.AUD$ table contains
the auditing trail, in case auditing has been turned on and the audit destination is DB. Both these tables
must be protected from lower-privileges accounts. You can view the privileges on these tables with the

SQL>Select * from DBA_TAB_PRIVS where TABLE_NAME in (SYS.LINK$,

It is preferable that privileges be granted to roles rather than to users. The advantages of this have been
mentioned at the start of this section. To check for those privileges that have been granted directly to

SQL>Select * from DBA_TAB_PRIVS where GRANTEE in (Select * from
SQL>Select * from DBA_SYS_PRIVS where GRANTEE in (Select * from

Additionally, you also want to ascertain all object privileges that have been granted with the WITH


And all system privileges that have been granted with the WITH ADMIN OPTION:


There is a certain subset of system privileges, which are granted using the keyword ANY. For instance,
a user can be granted the CREATE TABLE privilege, which allows him to create tables within his own
schema, but he can also be granted the CREATE ANY TABLE privilege, which allows him to create
tables in other users schemas as well. This is once again a dangerous set of privileges and must be
granted with extreme caution. To check who has these privileges:


You also want to be very sure of why any users have been granted the DBA role:


The absolute minimum number of people must be granted this maximum privileges role. Any
extraneous additions to this role imply serious security flaws in the setup.

Next you must check for those users that are connected to the database at this point of time, with DBA
Network Intelligence India Pvt. Ltd.

Oracle Security and Auditing
SQL> Select username, SID, Status, Schema#, Server from
SYS.V_$SESSION where username in (Select username from DBA_ROLE_PRIVS
where GRANTED_ROLE in ('SYS','DBA'))

The V_$SESSION view contains information about the current sessions, and we query it for those users
who are assigned to the SYS or the DBA roles. This again, must be a minimum number and you must
check that there are no multiple logins by two or more users using the same DBA-level account. This
results in a complete loss of accountability. All users must have their own accounts with appropriate
restricted privileges.

You must also keep a check on all tables that are present in the SYS or SYSTEM tablespaces. As
mentioned earlier, these are privileges tablespaces and no user must be allowed to create his own tables
here. The best method is to run the following query on a default installation and store it as a baseline for
future comparisons, any new tables popping up in the output must be investigated:


Default Roles and Roles with Password
Each user can be assigned any number of roles. Of these, one or more roles are the users default roles.
When a user connects to an Oracle database, he is automatically granted the privileges that have been
assigned to his default roles. In order to assume another role, the user must execute the SET ROLE
query. In such a case, if the Role is password-protected, then he will have to supply the password before
being allowed to assume that role. To check for what roles have been assigned as default roles to a given

To check those roles that are password protected, (and all roles that have been granted critical privileges
must be so):

Finally, let us recap the important views:
DBA_SYS_PRIVS: List of system privileges assigned to users and roles
DBA_TAB_PRIVS: List of object privileges assigned to users and roles
DBA_ROLE_PRIVS: List of roles assigned to a user or a role
DBA_ROLES: List of roles in the database

Network Intelligence India Pvt. Ltd.
This is by far, the most important section as far as Oracle security is concerned. All the remaining
measures can crumble if users and roles are not assigned privileges appropriately. Another common
occurrence you will find during audits, is that the application, or the GUI, or the front-end is quite
restricted. But you must audit whether those same restrictions get reflected on the database as well. It is
usually, preferred to have access control be defined at the database, rather than within the application
code. Because, sooner or later, even the most inexperienced user will discover tools such as SQL*PLUS
and realize that he has more privileges if he connects directly to the Oracle database and executes SQL
queries than he does through the application installed on his PC. Keeping this in mind, you are urged to
read through the section again.
Oracle Security and Auditing
Oracle Auditing

For Oracles built-in auditing functionality, you must not only determine the rationale behind the turning
on of auditing, but also the level of auditing and its impact on system resources. Oracle auditing gets
turned on as soon as you set the AUDIT_TRAIL parameter in the init<SID>.ora file. If this value is set
to DB, then all entries go to SYS.AUD$ table, if it is set to OS, then they go to the
$ORACLE_HOME/rdbms/audit directory. This location will be altered if the AUDIT_FILE_DEST
parameter is set to a different path.

In Oracle, we can audit the following:
Statement Auditing: Audits on the type of SQL statement used, such as any SQL statement on a table.
Privilege Auditing: Audits use of a particular system privilege, such as CREATE TABLE
Object: Audits specific statements on specific objects such as ALTER PROFILE on the DEFAULT

You can set these auditing options and specify the following conditions:


The main problem with auditing is either too much information or too less information.

All audit entries go into the SYS.AUD$ table which must be secured with the tightest set of
permissions. It must also be recycled by exporting it to another table, and truncating it, as it has a
predefined size limit.

To view the current auditing options:
Statement Auditing

Privilege Auditing

Object Auditing

Ensure that the audit parameters are according to the rationale and requirement of the organizations
audit policy.

The SYS.AUD$ table is bulky and difficult to analyze; therefore you must rely on the numerous views
created on this table. These views are of the type: DBA_AUDIT_<viewname>
Network Intelligence India Pvt. Ltd.

Oracle Security and Auditing
Irrespective of the audit configuration, Oracle will always capture the following minimum fields:

User ID
Session identifier
Terminal identifier
Name of the schema object accessed
Operation performed or attempted
Completion code of operation
Date and time
System privileges used

Network Intelligence India Pvt. Ltd.

Oracle Security and Auditing
Miscellaneous Security Aspects

SQL*Plus Security
You can restrict users from executing certain commands or even connecting to a database using
SQL*Plus by using a table called the PRODUCT_USER_PROFILE. This table is not created by default,
and must be done so by running a script called pupbld.sql. This is very essential for certain critical
PL/SQL commands like host. This command allows the user to spawn an operating system prompt and
execute OS commands. However, the command prompt is of the system on which he executed the
SQL*Plus utility. If executing it remotely, he will get the command prompt of his local operating
system. This is a mitigating factor, but there are other critical PL/SQL commands that you would not
want all users to execute. This is done through the table PRODUCT_USER_PROFILE.


Here PRODUCT is either SQL, PL/SQL, or SQL*Plus. USERID is the name of the user you want to
restrict access for. ATTRIBUTE is the command you want to restrict. And CHAR_VALUE is
DISABLED in case we are making an entry for SQL, PL/SQL or SQL*Plus, or if its an entry for a role,
then CHAR_VALUE is the role name.

Database Links
Database links are Oracle mechanisms for one database to connect to another database and for all this to
be transparent to the user. For instance, if one Oracle database, say ORA1, has a Link to a second
database called ORA2, then a user can query tables of ORA2 just as if they were tables on ORA1.
Information about the databases that our target database links to is stored in the table DBA_DB_LINK:

SQL>Select * from DBA_DB_LINK$

If a specific account is used to connect to the second database, the password for this account gets stored
in the SYS.LINK$ table in clear text. Therefore, if database links are being used, the permission on this
table must be extremely restrictive. To view, who has what permission on SYS.LINK$:


Also, only select users must be granted the Select Any Table system privileges, because they will be
able to see the clear text passwords in the SYS.LINK$ table.

To ensure that passwords are sent in encrypted format in all server to server communications, you must
set the dblink_encrypt_login parameter to TRUE in the init.ora file for all instances.

Recommend to the select query on DBA_DB_LINK$ at regular intervals to audit what database links
exist, who created them, and when they were created.

Network Intelligence India Pvt. Ltd.

Oracle Security and Auditing
Oracle Network Security

From Oracle 8i onwards network security is implemented using Oracle Advanced Security. This ensures
encryption of all network traffic between client and server. This is of vital importance where the
database has to be accessed by users outside the network. This could lead to spoofing (an attacker
impersonates a genuine connection, either from the client or the server end), sniffing (an attacker sniffs
the data off the network and gathers vital information), or integrity attacks (attacker modifies the data as
it passes over the network, either converting it into something malicious or unintelligible).

You can see the parameters that have been set for OAS through the Net8 configuration assistant:
Network Administration | Net8 Assistant on Windows, and $ORACLE_HOME/bin/netasst on Unix.

If OAS has been installed, then under the Local Node, click on Profile, and then on Oracle Advanced
Security from the drop-down list on the right. There will be five tabs:

Authentication check which one is chosen: Kerberos, RADIUS, NTS, SecurID, CyberSafe, or Identix.

Integrity MD5 or SHA1 and ensure Checksum value is set to Required or Requested (see below).

Encryption Again Encryption Type must be Required or Requested (see below).

SSL SSL if configured must have a valid CA certificate. Further discussion on SSL on Oracle is
beyond the scope of this document.

Other Params provides a way to define the file locations and other authentication method-specific

For Encryption and Integrity tabs we have the following options:
Required: Either use the security option or do not connect at all
Requested: Use the option only if the other end supports it
Accepted: Use the option only if the other side requests it
Rejected: Do not use the security option at all.

Physical Security and Backups and Emergency Recovery
We have put these two sections together because they are generic and only a few points are specific to
Oracle. Most of the checks that are recommended in any audit standard will be applicable here.

For Physical Security check:

The room is secured using locks or keypads, and who has the key codes or the keys to enter the
It is temperature controlled and is there adequate protection from natural hazards such as fire,
water, and Acts of God.
What is the normal position of the door, when authorized staff are present inside, and when none
are present
Network Intelligence India Pvt. Ltd.
If there is adequate protection from power surges and a good UPS in place
Oracle Security and Auditing

Are there clearly defined rules for who is allowed physical access to the room other than the
authorized staff, and if so under what circumstances and in what manner.
Is there an inventory of all equipment and is a register maintained to record all hardware inflows
and outflows.

Backup and Emergency Recovery:

For any database, reliable and efficient backups can be a lifesaver. More so than for any other
audit, it is for a database audit that you must really concentrate on the backup strategy of the
First and foremost ensure that there exists a formalized backup strategy and that the
responsibility for backups is clearly marked out to a specific set of people.
When the backups are made, is this information recorded in a backup register noting down the
date, time, personnel, and name of tape.
Where are the backup tapes stored
How many copies of the backup tapes are maintained. For instance, one copy of the daily backup
tape might be stored onsite, whereas a week old backup might be available offsite. Or some
other strategy might be implemented.
Where are the offsite backup tapes stored. Ensure it is a fireproof and physically secured
Most important is to test recovery from the backup tapes. There is nothing worse than an
immaculate backup plan, which has never been tested, and fails to help at crunch time.
Check also what is backed up. In most locations, data is backed up daily, where as configuration
files are backed up on a fortnightly or a monthly basis. It is extremely important to backup
configuration files for both the database and the operating system to ensure faster recovery.
Is there a documented disaster recovery plan? Audit it thoroughly, and see how well it has been
Depending upon the criticality of the system, you may recommend a hot backup site, which can
be brought up in very less time.
At the least, there should be hardware spares for all critical components of the server.
The Disaster Recovery Plan must be fully test-run and evaluated
Network Intelligence India Pvt. Ltd.

Oracle Security and Auditing

The one good source for all Oracle security information is the official website:
http://otn.oracle.com/deploy/security/content.html Here you will find not only the latest security topics
with Oracle, but also extensive documentation on security measures available with each database

There is a book by the Oracle Press, Oracle Security Handbook, by Theriault and Newman, which is
more from the DBAs point of view, but contains some excellent material even for auditors. You can find
it on Amazon.

Another good site for Oracle security is the home page of Oracle security expert Pete Finnigan
http://www.petefinnigan.com. It contains excellent resources and links to whitepapers and tools on
security for Oracle.

Network Intelligence India Pvt. Ltd.
Of course, all updates and changes made to this document will be sent to you immediately.
Oracle Security and Auditing

Network Intelligence India Pvt. Ltd.

NII is an IT Security Company involved in the development of indigenous host-based security auditing
tools under the AuditPro brand name. These tools are uniquely different from the usual Vulnerability
Scanners. There are AuditPro tools for Windows, Unix, Oracle, MS SQL Server and Sybase. These
tools check your systems for misconfigurations, weak passwords, privileges, access control, and other
vulnerabilities. The reports produced by these tools are comprehensive, detailed and accurate, without
any false positives. More information on AuditPro tools is available at

NII is also a provider of IT Security Services such as Security Auditing, Software Testing, Ethical
Hacking, Security Training, and Security Implementation. More information is available at

We are also, probably the only company in the country to be involved in Security Research. This is
evidenced by the fact that we have the most advisories in India, detailing vulnerabilities we have
discovered in software from companies such as Microsoft, Oracle, Symantec, Gupta Worldwide,
Cypherix, etc. These advisories are available at http://www.nii.co.in/research/advisories.html We also
develop free tools for the security community such as EnforcePass and forceSQL for SQL Server
password security. These are available at http://www.nii.co.in/research/tools.html
Other security research documents such as this one are available at

You can contact us at docs@nii.co.in or call us at 91-22-22001530/22006019
Network Intelligence India Pvt. Ltd.