Oracle 10g Security and Audit
A White Paper by Lewis R Cunningham
October 2, 2005
Abstract
The Oracle 10g database provides a rich set of features to secure and audit an application. Unfortunately, many applications treat security and audit as an afterthought rather than a design goal. Security and audit, to be effective, must be an integral part of an application. In today's IT environment, the need to comply with regulatory mandates such as Sarbanes-Oxley and HIPAA ensures that security and audit are visible at the highest levels of management. An insecure application, or an application that does not supply mandated audit trails, is no longer an option.

This white paper will define the native features of Oracle 10g that are available to secure and audit an application. The technical implementation of these features will be covered and best practices are provided.
The Author 
Lewis R Cunningham is a Senior Oracle DBA at a Fortune 500 financial services corporation in St. Petersburg, FL. Mr. Cunningham has been employed, as both a consultant and an employee, in many capacities, including DBA, Developer, Data Modeler and Architect. Mr. Cunningham is a member of the Association for Computing Machinery (ACM) and the Oracle Development Tools User Group (ODTUG) and is a Certified Oracle PL/SQL Developer.

You can read Mr. Cunningham's An Expert's Guide to Oracle web log at: http://blogs.ittoolbox.com/oracle/guide/

Or, you can ask him XML and Application Design questions at: http://searchoracle.techtarget.com/ateAnswers/0,289620,sid41_tax301668,00.html (requires free registration)

You may also contact him by email at lewisc@acm.org
Oracle Security – A Definition in Plain English
1 of 15
Introduction
What exactly do I mean by security? There are several aspects of security in an enterprise workplace: locked doors, guards, cameras, etc. There are just as many aspects when protecting enterprise data. Oracle provides security in four ways: authentication, authorization, data access and audit.
 Authentication
Authentication is verification that you are who you say you are. It's the equivalent of showing a guard your ID. By default, Oracle implements authentication through a user ID and password; this is called database authentication.

Another method of authentication is OS authentication. Using this method, a user logs into the OS and Oracle accepts that authentication as gospel. Sometimes you will hear OS authentication referred to as OPS$ (pronounced "ops dollar") accounts. When you use OS authentication to log into SQL*Plus, the command line looks something like "sqlplus /". When you use a "/", Oracle looks for a database account whose name is your OS login ID with OPS$ prepended to it. So if your OS account is lcunning, your Oracle account would be OPS$lcunning. The OPS$ prefix is just a default (it is the OS_AUTHENT_PREFIX initialization parameter) and can be changed.

OPS$ accounts provide an additional benefit: OS scripts can log into the database without hard-coding user names and passwords. This enhances overall database security. The trade-off is that the database now trusts the OS completely. Anyone who can become that OS user (or root) gets into the database with no further check, so the OS account has to be protected as carefully as a database password would be, and REMOTE_OS_AUTHENT should be left at its default of FALSE so that a remote client cannot simply assert an OS user name and be let in.

In my experience, database and OS authentication are the most common authentication methods. However, I have run into several other methods. You can tie authentication to third-party providers like Kerberos or DCE (called network authentication) or provide it from the middle tier (called multitier authentication).

Network authentication is more expensive, as you must be running Oracle Enterprise Edition and license an additional security option (Oracle Advanced Security).

There are several security issues relating to multitier security due to its distributed nature. The client must authenticate to the middle tier and the middle tier must authenticate to the database. In addition, because multiple users share a connection, the database must be able to distinguish the application from the user and one user from another. This white paper does not address multitier security.
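As an added worked example (this is not code from the white paper), here is what creating and checking an OPS$ account looks like from SQL*Plus as a DBA. The OS user name lcunning and the default OPS$ prefix are assumptions carried over from the text; the REMOTE_OS_AUTHENT check and the prefix change at the end are hardening steps added here, not something the paper prescribes.

```sql
-- Added example, not part of the original white paper.
-- Assumes an OS account named lcunning and the default OS_AUTHENT_PREFIX (OPS$).
-- Run as a DBA in SQL*Plus.

-- 1. Confirm the prefix the database prepends to the OS user name.
SHOW PARAMETER os_authent_prefix         -- VALUE is OPS$ unless someone changed it

-- 2. Create the externally identified account. No password is stored;
--    the database trusts the OS to have already authenticated lcunning.
CREATE USER ops$lcunning IDENTIFIED EXTERNALLY;
GRANT CREATE SESSION TO ops$lcunning;

-- 3. Verify: in 10g an externally identified user shows EXTERNAL in the
--    PASSWORD column of DBA_USERS instead of a password hash.
SELECT username, password, account_status
  FROM dba_users
 WHERE username = 'OPS$LCUNNING';

-- 4. Caveat check: REMOTE_OS_AUTHENT must be FALSE. If it is TRUE, any remote
--    client that merely claims to be OS user lcunning is let in with no password.
SELECT name, value
  FROM v$parameter
 WHERE name = 'remote_os_authent';

-- If it is TRUE, turn it off. It is a static parameter: set it in the
-- spfile and bounce the instance for it to take effect.
ALTER SYSTEM SET remote_os_authent = FALSE SCOPE = SPFILE;

-- 5. The prefix is only a default. An empty prefix lets the database account
--    carry exactly the OS account name (also static; requires a restart).
ALTER SYSTEM SET os_authent_prefix = '' SCOPE = SPFILE;

-- From the OS shell, logged in as lcunning, no password on the command line:
--   $ sqlplus /
```

The SELECT against DBA_USERS is the quick way to inventory every account that depends on OS trust: filter on PASSWORD = 'EXTERNAL' and review each one against the OS accounts that actually exist on the server.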
 Authorization
Authorization is giving access to certain objects, processes or resources. The equivalent in our enterprise analogy would be a key card allowing access to a specific room, or having the passcode to the VIP restroom (I want one of those. I bet all the seats have felt covers and it smells like roses and lavender in there). The thought here is that management has granted you access to these rooms or resources.

Authorization is implemented using GRANTs on objects to ROLEs or USERs. Let's say your ID is JohnD. Your friendly neighborhood DBA can grant you SELECT access on the EMP table owned by SCOTT. Or not. You never can tell about those DBA people. But if the DBA will grant you that access, from that point on you can select from SCOTT.EMP. Alternatively, the DBA can create a ROLE called EMP_DEPT and grant SELECT on EMP and DEPT to EMP_DEPT. If he then granted the EMP_DEPT role to your ID, you would be able to select from both the EMP and DEPT tables.
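The two grant styles just described, as an added worked example that is not part of the white paper. It assumes the SCOTT schema with its EMP and DEPT tables and an existing user JOHND, and it adds the verification queries and the two role caveats a DBA usually has to explain right after handing out a role.

```sql
-- Added example, not part of the original white paper.
-- Assumes the SCOTT schema (EMP and DEPT tables) and a user named JOHND already exist.
-- Run as a DBA (or as SCOTT, the object owner) in SQL*Plus.

-- Direct grant: JOHND can select from SCOTT.EMP immediately.
GRANT SELECT ON scott.emp TO johnd;

-- Role-based grant: collect the privileges in a role, then hand the role out.
CREATE ROLE emp_dept;
GRANT SELECT ON scott.emp  TO emp_dept;
GRANT SELECT ON scott.dept TO emp_dept;
GRANT emp_dept TO johnd;

-- Verify. Object privileges on the two tables, whether held by a user or a role:
SELECT grantee, owner, table_name, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'SCOTT'
   AND table_name IN ('EMP', 'DEPT')
 ORDER BY grantee, table_name;

-- Roles held by JOHND, and whether each is enabled by default at login:
SELECT granted_role, default_role, admin_option
  FROM dba_role_privs
 WHERE grantee = 'JOHND';

-- Two caveats that catch people:
-- (a) A role granted while JOHND is already connected is not active in that
--     session. He must reconnect, or run:  SET ROLE emp_dept;
-- (b) Privileges that arrive only through a role are not usable inside a
--     definer's-rights stored procedure or a view owned by JOHND. For those,
--     grant the object privilege to the user directly, as in the first GRANT.

-- Taking access away is the mirror image:
REVOKE emp_dept FROM johnd;
REVOKE SELECT ON scott.emp FROM johnd;
```

The DBA_TAB_PRIVS query is also the right place to start an access review: the GRANTABLE column shows which grants were made WITH GRANT OPTION, which means the grantee can pass the privilege on to others without the DBA being involved.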