Security

arupnanda's picture

Last Successful Login Time in SQL*Plus in Oracle 12c

If you have been working with Oracle 12c, you may have missed a little something that appeared without mush fanfare but has some powerful implications. Let's see it with a small example--connecting with SQL*Plus.

C:\> sqlplus arup/arup

SQL*Plus: Release 12.1.0.1.0 Production on Mon Aug 19 14:17:45 2013

Copyright (c) 1982, 2013, Oracle.  All rights reserved.

Last Successful login time: Mon Aug 19 2013 14:13:33 -04:00

oraclebase's picture

WordPress Security…

With all the recent press about global brute force attacks on WordPress I decided to install the Better WP Security plugin last Sunday.

It includes loads of security features, including the big ones mentioned in the recent attacks:

  • Changing the name of the “admin” user.
  • Changing the ID of your renamed admin user.
  • Changing the table prefix.
  • Max login attempts lockdown.

Of the 5 blogs I manage, 4 worked straight off with this plugin. Unfortunately, one required a few attempts, so remember to take filesystem and database backups before you start or you may not end up in a happy place.

mwidlake's picture

Row Level Security 3 – In Pictures!

<..Part one intro and examples
<….Part two Permissions

I’ve noticed that there has not been a lot of traffic on this series on Row Level Security (data masking) so far – maybe due to how I am presenting the material? So here is a summary to date in picture/diagram format:

mwidlake's picture

Row Level Security Part 2 – permissions

<..Part 1, introduction..
..Part 3 summary in pictures..>

In this second post on the topic of “an introduction to Row Level Security” I want to cover a few things about what permissions you need to implement RLS and some of the consequences. In my introduction in part one I just said my main user has “DBA type Privileges”.

{NB This is all on Oracle V11.2 and I believe everything below is applicable to V10 as well. Also, I should point out that I am not an Oracle security expert – but despite repeatedly saying this, it seems like at least once a year I am asked to improve a system’s security on the grounds of “more than we have now is an improvement”}.

mwidlake's picture

Row Level Security Part 1

I’ve been working a little on Row Level Security (RLS) recently and wanted to mention a few things, so first some groundwork.

If you want to limit the rows certain users can see, you might think to use views or you might think to use RLS (part of VPD – Virtual Private Database). You can also (from V10 I think) limit which columns users can see. An example is probably the best way to show this. I’m doing this on Oracle 11.2.0.3.

I have two users, MDW and MDW_OFFSHORE. MDW has DBA-type privileges and MDW_OFFSHORE has connect, resource and one or two other simple privs. I will now demonstrate creating and populating a simple table under MDW, adding RLS to it and how it alters what MDW_OFFSHORE sees.

arupnanda's picture

Collaborate 2012 Sessions and Select Article

Thank you all who came to my sessions at #IOUG Collaborate 2012 #C12LV on April 22-24 in Las Vegas. I had four full sessions, two panels and one bootcamp. Quite a busy schedule, as you can see. I also worked on some urgent performance issues at work during the week.

You can download the the slides and scripts here. They are available from the IOUG site but I thought I would put them for download here as well.

martin.bach's picture

The art of getting security right-an observation

A number of high-profile hacks recently (and not so recent) has caught my attention. Well I thought, not such a big problem-I don’t have a PS3 and hence don’t have an account that can be hacked. I was still intrigued that the hackers managed to get hold of the passwords. I may be wrong here, as I haven’t followed the developments not close enough (as I wasn’t affected), but the question I asked myself: how can they be obtained? Surely Sony must have used some sort of encryption for passwords. It’s so far-fetched that anybody stores passwords in clear text somewhere!

Oh well then, Sony has been targeted a number of times and time and time again the security was breached. They only consolation is that the intruders have made it very public when they were successful, otherwise we’d have never learned about the problems Sony has with security.

Now other sites were hacked as well, and somehow I felt the impacts coming closer, such as kernel.org and others.

arupnanda's picture

Difference between Select Any Dictionary and Select_Catalog_Role

When you want to give a user the privilege to select from data dictionary and dynamic performance views such as V$DATAFILE, you have two options:

grant select any dictionary to ;
grant select_catalog_role to ;

Did you ever wonder why there are two options for accomplishing the same objective? Is one of them redundant? Won't it make sense for Oracle to have just one privilege? And, most important, do these two privileges produce the same result?

oraclebase's picture

Security: It’s always the silly things that get you…

I had to laugh when I read this story about Amazon Web Services. It’s posted with an attention grabbing title that implies this is an Amazon problem, but it is squarely down to user error/oversight.

Luckily I’ve not fallen into this trap yet, but I have done equally silly things in the past. That reminds me, I must go to a Pete Finnigan session next time we are at the same conference… :)

Cheers

Tim…




marco's picture

The Oracle XMLDB “anonymous” user account

Trying here to be as correct as possible, as far as I understand it currently.

ANONYMOUS is an Oracle user account specifically designed for HTTP access. It has only one system privilege, that is “create session” and the account is locked by default. If it is unlocked, it only is used for HTTP access via the XDB Protocol Server, aka PL/SQL Gateway, and can access objects in the XDB Repository that are protected by an ACL (Access Control Lists) mentioning this “principal”.

By default there is no ACL file that grants any privilege to this “user” ANONYMOUS. When APEX is installed then there will be a /sys/acls/ro_anonymous_acl.xml file that grants read access to the /images/ or /i/ directory (depending on the APEX version). If you lock ANONYMOUS or remove the ACL defined privileges then APEX can not show/access those files in that XDB Repository folder (/images, /i) if you would need to access these files. For example when using the APEX listener setup the application images and help doc images are stored locally on the server and not in the database, so in principal there is no need to access those image(s) directories in the database.

Example of an ACL which can used by XDB which grants read properties and read content rights to all objects which are protected by this ACL

#66cc66;"><acl description#66cc66;">=#ff0000;">"File /sys/acl/my_acl.xml"
     xmlns#66cc66;">=#ff0000;">"http://xmlns.oracle.com/xdb/acl.xsd"
     xmlns:dav#66cc66;">=#ff0000;">"DAV:"
     xmlns:xsi#66cc66;">=#ff0000;">"http://www.w3.org/2001/XMLSchema-instance"
     xsi:schemaLocation#66cc66;">=#ff0000;">"http://xmlns.oracle.com/xdb/acl.xsd
                         http://xmlns.oracle.com/xdb/acl.xsd"#66cc66;">>
  #66cc66;"><ace#66cc66;">>
    #66cc66;"><principal#66cc66;">>ANONYMOUS#66cc66;">principal#66cc66;">>
    #66cc66;"><grant#66cc66;">>true#66cc66;">grant#66cc66;">>
    #66cc66;"><privilege#66cc66;">>
      #66cc66;"><read #66cc66;">-properties#66cc66;">/>
      #66cc66;"><read #66cc66;">-contents#66cc66;">/>
      #66cc66;"><resolve #66cc66;">/>
    #66cc66;">privilege#66cc66;">>
  #66cc66;">ace#66cc66;">>
#66cc66;">acl#66cc66;">>

By default when a resource (a file or folder) is created by a process it will get the privileges defined in the bootstrap ACL (which is protected by itself). So no privileges will be granted to this ANONYMOUS account by default. And even when unlocked, this user only opens up, by default, to hierarchy enabled, XDB Repository related objects. Mind the mentioning “by default”; Its is possible to opening up and overrule default security ruling in place when you alter the content of ACL defaults (which is, could be considered, a security breach). For example you could alter the contents of the bootstrap_acl.xml file in such a way, if your have maliceious intentions from within the database, but you would need very powerful database account access to start with anyway, to make this happen.

Example of the default content of the bootstrap_acl.xml file:

SQL#66cc66;">> #993333; font-weight: bold;">SELECT xdburitype#66cc66;">(#ff0000;">'/sys/acls/bootstrap_acl.xml'#66cc66;">)#66cc66;">.getCLOB#66cc66;">(#66cc66;">) #993333; font-weight: bold;">FROM dual;
 
#66cc66;"><acl description#66cc66;">=#ff0000;">"Protected:Readable by PUBLIC and all privileges to OWNER" 
     xmlns#66cc66;">=#ff0000;">"http://xmlns.oracle.com/xdb/acl.xsd" 
     xmlns:dav#66cc66;">=#ff0000;">"DAV:" 
     xmlns:xsi#66cc66;">=#ff0000;">"http://www.w3.org/2001/XMLSchema-instance" 
     xsi:schemaLocation#66cc66;">=#ff0000;">"http://xmlns.oracle.com/xdb/acl.xsd 
          http://xmlns.oracle.com/xdb/acl.xsd"#66cc66;">>
  #66cc66;"><ace#66cc66;">>
    #66cc66;"><principal#66cc66;">>dav:owner#66cc66;">principal#66cc66;">>
    #66cc66;"><grant#66cc66;">>true#66cc66;">grant#66cc66;">>
    #66cc66;"><privilege#66cc66;">>
      #66cc66;"><all #66cc66;">/>
    #66cc66;">privilege#66cc66;">>
  #66cc66;">ace#66cc66;">>
  #66cc66;"><ace#66cc66;">>
    #66cc66;"><principal#66cc66;">>XDBADMIN#66cc66;">principal#66cc66;">>
    #66cc66;"><grant#66cc66;">>true#66cc66;">grant#66cc66;">>
    #66cc66;"><privilege#66cc66;">>
      #66cc66;"><all #66cc66;">/>
    #66cc66;">privilege#66cc66;">>
  #66cc66;">ace#66cc66;">>
  #66cc66;"><ace#66cc66;">>
    #66cc66;"><principal#66cc66;">>PUBLIC#66cc66;">principal#66cc66;">>
    #66cc66;"><grant#66cc66;">>true#66cc66;">grant#66cc66;">>
    #66cc66;"><privilege#66cc66;">>
      #66cc66;"><read #66cc66;">-properties#66cc66;">/>
      #66cc66;"><read #66cc66;">-contents#66cc66;">/>
      #66cc66;"><read #66cc66;">-acl#66cc66;">/>
      #66cc66;"><resolve #66cc66;">/>
    #66cc66;">privilege#66cc66;">>
  #66cc66;">ace#66cc66;">>
#66cc66;">acl#66cc66;">>

Be aware that, although the PUBLIC ACE (Access Control Entries) entry sounds dangerous, this only means that from within the database DIRECT access to the objects via database accounts are possible. This is not possible via HTTP (by default). An example to this effect would be that for the APEX /images directory, which is protected only for read only access of the principal ANONYMOUS, this means that PL/SQL packages (owned/executed by users from WITHIN the database) etc, will not have access to these image files.

The “service” provided via the XDB Protocol Server and its access rules are defined in the xdbconfig.xml configuration file. The services defined there (for example APEX’s entries via PL/SQL, that is, via the PL/SQL gateway) in this xdbconfig.xml file links up to the to be used “principal” (ANONYMOUS in the case of APEX) security access owner, role, trusted user or LDAP definition, for that specific service.

Normally an anonymous user is a user whose credentials have not been validated (hence unauthenticated) that is permitted access to only unprotected resources, but by default all created objects in the XDB repository will be protected by the default bootstrap ACL and in normal cases a ACL with a defined ANONYMOUS principal is not created, does not exist in the database. Even if, you would still need entries in the xdbconfig.xml file that link the (unlocked) ANONYMOUS account with a defined service that grants you access or an entry point to the database.

The underlying by Oracle implemented security mechanism is the same as for the database and also it used the advanced security feature VPD. Due to the fact that Oracle itself makes use of this, a extra license is not needed for this advanced security feature, as long as you don’t use it yourself. Oracle XMLDB in itself is a “no cost option” that comes along when you buy the licenses needed for your database software.

This is a backup copy of a XMLDB OTN Forum Thread.

To prevent automated spam submissions leave this field empty.
Syndicate content