Oracle 12c – Develop and implement a security policy

Oracle provides excellent protection against data loss from equipment failure, accident, or malicious damage. Administrators should instead focus on stopping someone from gaining access by stealing passwords, hacking accounts, or reading restricted data elements.

A security policy should:

  1. Reduce the possibility of unauthorized access to the database.
  2. Reduce the damage that can be caused by user-level access.
  3. Detect illicit access to the database and limit the data that can be accessed or damaged.

The three primary areas to address in security are:

  1. User Accounts
  2. Privileges and roles given to users
  3. Auditing

Users:

Users must authenticate to the database before access is granted. The most common method is a username/password combination. Since 11g, passwords have been case sensitive. 12c provides two new password complexity functions:

  • ORA12C_VERIFY_FUNCTION (default for 12c using DBCA)
  • ORA12C_STRONG_VERIFY_FUNCTION

Either function can be modified to increase or customize password complexity. If you create the database with the CREATE DATABASE command, no password function is used unless you execute the script yourself.

Privileges and Roles:

Best practice is to grant only the least privileges and roles a user account requires to do its job.

Privileges can be granted:

  • Explicit – the privilege is granted directly to the user.
  • Role-based – the privilege is granted to a role, and the role is then granted to one or more users.

Role-based privileges are easier to administer because you classify users into groups: create a role for each group and assign that role to the group's members.

Auditing:

Auditing allows you to monitor and record the actions of users and administrators. In 12c you can use unified audit policies, and the DBMS_FGA package for fine-grained auditing policies. Auditing allows you to determine whether malicious activity is occurring in the database.
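The three areas above worked through in SQL, as an added example that is not part of the original post. The profile, role, user, schema, table and policy names are assumptions; run it as a DBA user (for example SYSTEM) on a 12c database.

```sql
-- Added example (not from the original post). Assumed names: profile
-- app_user_profile, role app_reader, user jsmith, schema hr, table
-- hr.employees, audit policy app_reader_audit.

-- 1. Users: attach the 12c strong password function to a profile.
--    ORA12C_STRONG_VERIFY_FUNCTION is created by the supplied script
--    $ORACLE_HOME/rdbms/admin/utlpwdmg.sql; run it first if the database
--    was created with CREATE DATABASE instead of DBCA.
CREATE PROFILE app_user_profile LIMIT
  PASSWORD_VERIFY_FUNCTION ORA12C_STRONG_VERIFY_FUNCTION
  FAILED_LOGIN_ATTEMPTS    5
  PASSWORD_LOCK_TIME       1      -- days
  PASSWORD_LIFE_TIME       90     -- days
  PASSWORD_GRACE_TIME      7      -- days
  PASSWORD_REUSE_MAX       10;

-- 2. Privileges and roles: grant only what the job needs to a role,
--    then grant the role to the user (least privilege, role-based).
CREATE ROLE app_reader;
GRANT CREATE SESSION TO app_reader;
GRANT SELECT ON hr.employees TO app_reader;

-- Initial password meets the strong function (2 upper, 2 lower,
-- 2 digits, 2 special, 9+ characters) and must be changed at first logon.
CREATE USER jsmith IDENTIFIED BY "Ch4nge_Me_0n_First_L0gin!"
  PROFILE app_user_profile
  PASSWORD EXPIRE;
GRANT app_reader TO jsmith;

-- 3. Auditing: a unified audit policy for the data the role can read,
--    plus the predefined ORA_LOGON_FAILURES policy for failed logons.
CREATE AUDIT POLICY app_reader_audit
  ACTIONS SELECT ON hr.employees;
AUDIT POLICY app_reader_audit BY jsmith;
AUDIT POLICY ORA_LOGON_FAILURES;

-- Checks: confirm the profile is attached, then review what was recorded.
SELECT username, profile, account_status
  FROM dba_users
 WHERE username = 'JSMITH';

SELECT dbusername, action_name, object_schema, object_name, event_timestamp
  FROM unified_audit_trail
 WHERE unified_audit_policies LIKE '%APP_READER_AUDIT%'
 ORDER BY event_timestamp DESC;
```

Any direct grant that bypasses the role shows up in DBA_SYS_PRIVS and DBA_TAB_PRIVS with GRANTEE = 'JSMITH', which is the simplest check that the explicit-grant path is not quietly in use.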

Larry Catt

OCP
