security solutions ref: oracle FAQ
Omar, May 10, 2006 - 4:31 am UTC
Tom,
Thank you, for such a detailed and informative response.
With reference to the great comment "complex" is entirely in the eye of the Beholder :)
I would like to elaborate with extracts from www.oracle.com (Oracle 9i Label security FAQ section)
Depending on the complexity of the security policy, Oracle9i virtual private database may be the preferred method for implementing your security policy. In addition, Oracle9i Label Security is best suited for situations where access control decisions need to be based on the sensitivity of the information.
In most cases, the security mechanisms provided at no-cost with the Oracle9i Enterprise Edition will be sufficient to address security requirements. Oracle9i Label Security should be considered when security is required at the individual row level.
Now the kind of information management product I am working on requires security at various levels and usually at higher levels of granularity, i.e. to secure data at a country level, company level, region level etc. That means I would usually not require security at the individual row level but on a group of rows. For this I might need to build a custom GUI to provide more flexibility and usability rather than using Oracle Policy Manager.
From the above two extracts (www.oracle.com Oracle 9i Label Security FAQ section) and some of your points I still strongly feel that VPD would be a better solution for my requirements. Please correct me if I am wrong in any way, or if my approach for selecting between VPD and OLS is not good.
Thanks in Advance
Omar
May 10, 2006 - 8:08 am UTC
I fail to see how "to secure data at a country level, company level, region level etc." doesn't mean "row". Seems a row would be in a country for a company in a region.
question - when a row is inserted, can you tell who can see that row?
If answer is "yes", OLS might well fit for you.
security solutions
Thirumaran, May 10, 2006 - 8:01 am UTC
Hi Tom,
What is meant by attribute level security and row level security?
Does OLS support both?
Thanks In advance
Thirumaran
May 10, 2006 - 9:22 am UTC
row level security prevents (or permits) access to individual rows.
attribute (or column) level security prevents (or permits) access to individual columns within the rows.
OLS is all about row level security.
Zahid, May 11, 2006 - 6:12 am UTC
Tom, I have two questions:
1). I need both row and column level security, and as far as I know column masking or column level security has not been introduced in OLS yet (if this is true, I will appreciate it if you refer me to an official document of Oracle Corporation stating this), whereas it is possible in VPD from 10g Release 1. So for me OLS doesn't seem to be a choice. The only solution I have is VPD. What do u say?
2). If I use VPD or OLS, what will be the technique for deploying the policies to another database? Export and Import are not possible with OLS, because LBACSYS (the admin user for OLS policies) cannot be exported. Please provide me some help in this regard.
Thank you in advance
Zahid
Zahid, May 12, 2006 - 12:00 am UTC
Thanks for your quick reply Tom! I appreciate.
I didn't get even a bit of the first question's answer.
("U" isn't here. I've yet to meet "U". Therefore, "U" cannot comment.)
Can you please elaborate on this?
Bundle of Thanks.
Zahid.
May 12, 2006 - 9:10 am UTC
It is simple, you wrote:
.... What do u say? ....
I answered that I don't know what "U" would say since "U" is not here.
OLS (Oracle Label Security) protects rows. You may use VPD (virtual private database, the feature used by OLS itself) to further hide columns (it can null them out if someone is not supposed to see them). They are not mutually exclusive; it is not "use one or the other".
OLS Thoughts...
Mark Wooldridge, May 12, 2006 - 4:25 pm UTC
OLS provides Levels, Compartments and Groups (these can be substituted to get inverse or releasable compartments). OLS defines a specific policy and if your needs fit within the policy OLS is the tool. If you need to compartmentalize data but still allow sharing of information, this is where OLS starts to not fit so well.
Say you have four organizations org1..org4. They all want to share information with 1 or more of the other organizations. This could be done with OLS compartments, 1 for each combination of sharing possibilities. A simple Access Control List (ACL) and VPD might be a better solution.
If you go the route of VPD/RLS, complex predicates may affect performance. You will want to evaluate how much of the security logic you put in the custom predicate and how much you try and "pre-process" and store with the data.
Column Masking
Zahid Kareem, June 14, 2006 - 2:49 am UTC
Tom,
I got your point about "U". Sorry.
I want to implement column masking/column level security in Oracle 9i but it's not available in OLS or VPD in 9i. Please give me some suggestions on how to do it.
Thank you.
June 14, 2006 - 8:55 am UTC
You would have to sort of "do it yourself".
It can work in a read only fashion - you use a view, the view selects f(column) instead of column. The function F either returns the column or returns NULL (if you can see it, you get it, else you get NULL).
F could be as simple as a decode or a case statement...
select a, b, c,
       decode( (select 1
                  from auth_table
                 where uname   = USER
                   and colname = 'D'), 1, d, null ) d
  from t   -- table name assumed; the FROM clause was omitted in the original
for example uses a table you create to see if this user is allowed to see this column.
Taking a step further, you might even be able to use instead of triggers to make it updateable.
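An added example (not Tom's code, not from the thread) that carries the masking view described above through to the "instead of" trigger he mentions; the table, view and user names (emp_data, col_auth, emp_masked, HR_USER) are assumed:

```sql
-- Added example, not from the thread: Tom's "do it yourself" column mask
-- with an INSTEAD OF trigger to make the view updateable. Table and
-- view names (emp_data, col_auth, emp_masked) are assumed.
create table emp_data (
  empno   number primary key,
  ename   varchar2(30),
  salary  number
);

-- one row per (user, column) that user is allowed to see
create table col_auth (
  uname    varchar2(30) not null,
  colname  varchar2(30) not null,
  constraint col_auth_pk primary key (uname, colname)
);

-- constructed sample data: only HR_USER may see SALARY
insert into emp_data values (1, 'SMITH', 1000);
insert into emp_data values (2, 'JONES', 2000);
insert into col_auth values ('HR_USER', 'SALARY');
commit;

-- f(column): decode() yields the real value when the session user is
-- authorised for the column, NULL otherwise
create or replace view emp_masked as
select empno,
       ename,
       decode( (select 1
                  from col_auth
                 where uname   = USER
                   and colname = 'SALARY'), 1, salary, null ) salary
  from emp_data;

-- make the view updateable: ename is always writable; salary is only
-- written through if the user is authorised, and an attempt to set it
-- without authorisation is rejected rather than silently dropped
create or replace trigger emp_masked_upd
instead of update on emp_masked
for each row
declare
  l_ok number;
begin
  update emp_data set ename = :new.ename where empno = :old.empno;

  select count(*) into l_ok
    from col_auth
   where uname = USER and colname = 'SALARY';

  if l_ok = 1 then
    update emp_data set salary = :new.salary where empno = :old.empno;
  elsif :new.salary is not null then
    raise_application_error(-20001, 'not authorised to update SALARY');
  end if;
end;
/

-- grant select, update on emp_masked to hr_user;  (the base table stays private)
```

Users get privileges on emp_masked only, never on emp_data, so the mask cannot be bypassed by querying the base table.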
Column Masking for LONG RAW,BLOB,LOB etc
Omar, June 14, 2006 - 10:07 am UTC
Tom,
If we have to provide column masking for LONG RAW, BLOB, LOB etc. column(s) and we want to return some text, e.g. 'Private Data', when the user does not have the required access, then we get the ORA-00932: inconsistent datatypes error. Can you please tell us any workaround for this using the DECODE solution you just mentioned? I have tried it with the CASE statement and it works fine, but the CASE statement is only available from Oracle 8i Release 2 (8.1.6+).
Thanks,
Omar
June 14, 2006 - 12:38 pm UTC
That is not going to happen with the decode/function. It won't work.
You'll need to use multiple views in this case and grant access to the proper view to the proper people.
true about accessing the DB?
Dawar Naqvi, October 16, 2006 - 6:36 pm UTC
Tom,
I am working on our security policies etc.
Which one is true about accessing the DB?
1) The database should enforce access control permission.
OR
2) The application is a better place to enforce access control permissions than the database.
Dawar
October 16, 2006 - 9:02 pm UTC
The application is the worst place to put it.
Put it in your application and you've just locked yourself in (sounds strange when you say that, doesn't it - the guys writing the application will say the reverse, won't they). You've locked yourself into an application, one that will take engineering change proposals and the like to change. You've locked yourself into replicating those rules into 50 different places as the "correct and proper application design paradigm du jour" changes. You've entrusted the guys writing the application - who probably cannot spell bind variable - to understand things like SQL injection and write bulletproof, super secure code. You've bought into the "fact" that no one will ever bypass the application and go after the data directly. You've bought into the fact that no one would ever think of using this data in some new and unknown way in the future (you know, no end user would ever want to ad-hoc this data, never, nah - it won't happen).
I could go on.
Utilities can be used to review the applications
Dawar, October 17, 2006 - 6:49 pm UTC
Hello Tom,
While defining our security policies we need to know the following information for our security documentation.
Which of the following utilities can be used to review the applications that can access the Oracle database?
We guess three options:
peep, dbtop or detect.
I am more confused between dbtop and detect.
Could you please tell me which one it should be?
cheers,
Dawar
October 18, 2006 - 7:45 am UTC
You should probably ask the people that make them?
setting up permission for application file
Dawar Naqvi, October 18, 2006 - 10:48 am UTC
Tom,
When setting up permissions for application files, which permission is appropriate?
a) If application files are owned by a single owner, that owner should be the oracle user.
b) Application files should be owned by the oracle user.
c) Application files should be owned by a single user.
cheers,
Dawar
October 18, 2006 - 11:06 am UTC
What is an "application file"?
setting up permission for application file
Dawar, October 18, 2006 - 11:20 am UTC
Any application running on top of the Oracle database.
October 18, 2006 - 11:41 am UTC
Do whatever you like then. You secure them the way you need to secure them.
They can be owned by anyone, anywhere, anytime; the database frankly doesn't care.
It would be a security thing, based on your needs.
any application running on top of oracle Database.
Dawar, October 18, 2006 - 11:55 am UTC
if application deployed on a middle tier, completely on a client.
October 18, 2006 - 12:01 pm UTC
?
that isn't quite a sentence, nor a comment, nor a question.
But - we really don't care who owns the files, maybe you might (to avoid people erasing them, modifying them).
any application running on top of oracle Database
Dawar, October 18, 2006 - 12:35 pm UTC
Tom,
I'd like to share with you a paragraph (the last paragraph, in double quotes) from the SANS booklet "SECURING APPLICATIONS AND AN INTRODUCTION TO 9i AS".
But for your convenience I added the three paragraphs before that paragraph so it is clear what they are trying to say.
For me your feedback is more authentic/trustable than SANS. This will help us to define our company policies.
Please have a look:
Auditing an application on a server that uses Oracle is specific to the application itself. What we can offer here are a few general guidelines. Identify the application that is to be audited. Ensure that it is installed on a separate server from the Oracle Database, if possible. If the application is cohosted and is vulnerable, the database can be breached as well.
Identify the installation tree and any log or trace directories used by the application. This can be done from your knowledge of the application; by using tools from www.sysinternals.com, such as filemon or regmon for Windows, or by running the application with a tool such as truss on UNIX (Solaris) and strace for Linux. Another option is the lsof command available on most UNIX implementations. Identify which files and other services are used.
Review the file permissions on all the application installations. Look for configuration files that are world readable or writable and binaries that can be executed by world. Any configuration info is useful to a hacker. Ensure that shell scripts cannot be read by world for the same reason. If a hacker can run binaries that are normally executed by other parts of the application, he might be able to exploit it. Pay attention to any SUID (set User ID) and SGID (set Group ID) binaries because these can be targets for buffer overflows for privilege escalation.
Review the ownership of the application files. They should be owned by one owner that is not root or Oracle, and ideally not by multiple owners. Ensure that the user is the correct user."
cheers,
Dawar Naqvi
LA, CA --USA
October 18, 2006 - 1:11 pm UTC
It is just as I've been saying over and over - do you see me disagreeing with them or saying something different???!?!?!?
Am I missing your point?
.... we really don't care who owns the files, maybe you might (to avoid people
erasing them, modifying them). .....
... You secure them the way you need to secure them. ...
It would be a security thing, based on your needs. ....
VPD used as an Access Control List
Aaron, October 23, 2006 - 5:46 pm UTC
lol . . those last few posts crack me up.
Anyway - can you explain if it is possible (or why it is not possible) to use VPD / FGAC like an Access Control List (ACL) in the database.
Specifically, say I have 3 users in the database - Joe, Jane, and Mike - who all store their data in one table owned by another schema, called USER. Mike has inserted 10 rows into this shared table, and I want to allow Mike the ability to grant SELECT to Jane but only on 3 of the 10 rows which Mike determines he wants her to see. And also allow Mike to grant SELECT to Joe, but only on 9 of the 10 rows. Furthermore, I want Jane to be able to grant SELECT on a variable subset of her inserted rows to Joe and Mike, and Joe to Mike and Jane.
To me it sounds like what an ACL is designed to do, but can such a concept be implemented through FGAC/VPD?
Thought about adding a column to the table, with a flag of some sort indicating if it can be shared and who it can be shared with - but it just doesn't seem practical. There's gotta be an easier way to do this . . .
Is this possible to do somehow? If not, can you recommend some way it could be done (without purchasing a third-party tool or Content Database application).
Thanks!
October 24, 2006 - 12:28 am UTC
FGAC (VPD, dbms_rls) can be used to implement "ACL" type of protection.
You have to model it, implement it (it is just query rewrites, we add your predicate).
Or you could use Oracle Label Security - OLS - (an out of the box implementation that does much of what you ask for).
I will not implement it for you - but you would build a model that supports your ideas (we need the data, you have to figure out how you want to store the data). OLS does this (but would fall into the 3rd party/content database type of category - it is an option, the build vs buy option).
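As an added example, not part of the original thread and not Tom's code, here is one way to model the ACL he is pointing at: the grants live in a table, only a row's owner can add one, and dbms_rls policies append the predicate at query time. The DOCOWNER schema and all object names (shared_docs, doc_acl, share_doc, the two predicate functions) are assumed.

```sql
-- Added example, not from the thread: row-level ACL enforced by VPD.
-- Run as the assumed owner schema DOCOWNER.
create table shared_docs (
  doc_id   number primary key,
  owner    varchar2(30) default USER not null,   -- who inserted the row
  payload  varchar2(200)
);

-- the ACL: one row per (row, grantee) the owner chose to share with
create table doc_acl (
  doc_id   number not null references shared_docs,
  grantee  varchar2(30) not null,
  constraint doc_acl_pk primary key (doc_id, grantee)
);

-- only the row owner may add a grant; a definer-rights procedure is the
-- sole path into doc_acl, so users never get direct DML on it
create or replace procedure share_doc(p_doc_id in number, p_grantee in varchar2)
as
  l_owner shared_docs.owner%type;
begin
  select owner into l_owner from shared_docs where doc_id = p_doc_id;
  if l_owner <> USER then
    raise_application_error(-20001, 'only the row owner may share it');
  end if;
  insert into doc_acl (doc_id, grantee) values (p_doc_id, upper(p_grantee));
exception
  when no_data_found then
    raise_application_error(-20001, 'no such row, or not yours');
end;
/

-- read predicate: own rows plus rows explicitly shared with the session user
create or replace function doc_acl_pred(p_schema in varchar2, p_object in varchar2)
return varchar2 as
begin
  return 'owner = USER or doc_id in (select doc_id from doc_acl '
      || 'where grantee = USER)';
end;
/

-- write predicate: a share grants SELECT only; changes stay owner-only
create or replace function doc_owner_pred(p_schema in varchar2, p_object in varchar2)
return varchar2 as
begin
  return 'owner = USER';
end;
/

-- register both policies; from here on every query is rewritten
begin
  dbms_rls.add_policy( object_schema => 'DOCOWNER', object_name => 'SHARED_DOCS',
    policy_name => 'DOC_ACL_READ', function_schema => 'DOCOWNER',
    policy_function => 'DOC_ACL_PRED', statement_types => 'SELECT' );
  dbms_rls.add_policy( object_schema => 'DOCOWNER', object_name => 'SHARED_DOCS',
    policy_name => 'DOC_OWNER_WRITE', function_schema => 'DOCOWNER',
    policy_function => 'DOC_OWNER_PRED', statement_types => 'UPDATE,DELETE',
    update_check => true );
end;
/
```

Grant select and insert on shared_docs and execute on share_doc to Joe, Jane and Mike; INSERT is left unpoliced on purpose, since the owner column defaults to the inserting user.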
VPD policies on Oracle Views
Omar, October 27, 2006 - 4:33 am UTC
Hi Tom,
I went through chapter 21: Fine Grained Access Control (Expert One-on-One Oracle), which was very helpful in my project for implementing a VPD solution. But in some cases I have to implement VPD policies on Oracle views, and I did observe some strange behavior in the case of "update_check" and "statement_types => insert", i.e. update/insert checks are not imposed on Oracle views? Can you please provide any tips on implementing VPD policies on Oracle views; do you see any pitfalls in this approach?
Thanks,
Omar
October 27, 2006 - 7:50 am UTC
Can you give a SHORT, CONCISE, yet 100% complete example (with tables and all - make it small small small) that shows your issue.
Oracle Cross Domain Security Solution
ZB, June 11, 2008 - 6:22 pm UTC
Tom,
A customer has asked us to look into Oracle CDSS - Cross Domain Security Solution. I have looked up oracle.com and metalink, could not find any document on CDSS. What's Oracle CDSS? Could you please provide any info or comment?
Thanks
ZB
June 24, 2008 - 4:49 pm UTC
ZB
If you can email me (thomas.kyte@oracle.com) I'll put you in touch with someone.
ZB, June 12, 2008 - 5:42 pm UTC
Thanks Tom. Looking forward to what you hear.
security solution
A reader, September 21, 2008 - 2:35 pm UTC
Tom:
Can you list the minimum basic security Reqts to secure a 9i oracle database application:
one web application using mod_plsql and another client/server app using Power builder.
Currently there is no security and we are using application accounts (one user big application model) where everyone connects using one database account.
Some thinking is to have three levels of accounts (Read, Read/Write, Read/Write/Delete).
We also think of adding
- auditing and logging
- access control
- authentication
- authorization
- access control
- roles/privileges.
- session management
- data input validation
Here is my list. Can you correct it as necessary.
Communication
--------------
1. Encrypt communication (SSL) for web.
2. Use Advanced Security Option to encrypt communication between web server and DB.
3. Not sure how you encrypt PowerBuilder client communication to the server using the native Oracle driver.
Database
---------------
1. Is it a must to set up one database account per user?
2. Do we need Virtual Private Database and FGAC? Or must we have #1 implemented for that?
3. Data Encryption for sensitive data.
4. Set up Application Roles and privileges.
5. Password Management (if database accounts).
6. We want to audit user activity. I guess the database can do only when each user has one DB account.
Web Application
----------------------
1. Session Management: Use security tokens for session management.
2. Use bind variables for sql injection prevention.
3. Prevent Buffer overflows.
4. Password Management (if application accounts)
5. If we continue with application accounts, then we have to code auditing ourselves for each user?
6. Implement FGAC using application accounts. I think this can be done too.
Architecture:
----------------
1. Single sign on?
2. PKI
3. n tier authentication
September 21, 2008 - 2:43 pm UTC
.... Can you list the minimum basic security Reqts to secure a 9i oracle database
application:
...
I've said something similar to you many times before:
if there were some set of things that should always be done, they would be done.
YOU have your needs.
WE have tools, features, functions.
YOU blend your needs with our tools to implement a solution that satisfies your needs.
for example, SSL - non-starter for me, I have a web application - I have no need for SSL, at all.
Your list - does not apply to my needs
Your list - might apply to many people, but I know of many people that it does not apply to.
Your list is your list - does it satisfy all of your needs or is it missing something? ONLY YOU can say.
bits and pieces of your list apply - eg: binds for example.
Some of them are rather random "prevent buffer overflows", that is sort of programming 101.
security solution
sam, September 21, 2008 - 4:10 pm UTC
TOm
I did list some of my needs. Do you want a greater level of detail:
1. auditing user activity
2. password management. There will be special rules for passwords, i.e. minimum of 8 characters, one underscore, expire in 60 days, can't reuse, etc.
3. session management
4. authenticating users
5. accounts will be 3 levels: read only, read/write, read/write/delete
6. encrypting communication between client and server
I read part of this but there is a lot of stuff
http://download.oracle.com/docs/cd/B10501_01/appdev.920/a96590/adgsec01.htm#1006574
September 21, 2008 - 4:42 pm UTC
like I said - we have tools, you have needs.
define, audit. no wait, don't define it to us, define it for yourself - then review the fact that we can audit many different ways - there is action auditing (audit command), there is fga - fine grained auditing, there is auditing in xml, to the os log, to the database, you can write triggers to audit, you can write to an audit trail for your own applications. I have no idea what you need to audit, how you need to access this audit information, what you need to do with it, and so on.
Same with all of the rest. Not sure, short of designing your entire system, what you want me to say?
security
sam, September 21, 2008 - 7:19 pm UTC
Tom:
That is a good hint. I will find out.
I thought auditing is mostly for database. So when user edits/deletes a record you log it in. But it seems auditing can be for querying, etc.
Many customers do not know their security needs until you explain to them what the database offers. I was trying to see what Oracle offers first and then assist them in defining their needs.
Do you know of a good reference article or book that covers these features at high level?
September 22, 2008 - 4:59 pm UTC
David Knox has a good security book - see links I like on my toolbar above for a link to it.
security
sam, September 21, 2008 - 11:31 pm UTC
security
A reader, September 28, 2008 - 11:58 pm UTC
Tom:
I ordered the David Knox book. The ptp Professional Oracle Programming has a good chapter on the high level features too, which gave me a good idea.
But some questions:
1. If we continue with application accounts (one custom table), not one DB account per user, would I lose all those DB security features like auditing, VPD, authorization, access control, etc.?
It sounds like I have to recode a lot of the stuff for auditing via triggers, setting up roles and privileges, etc.
I think VPD may still be used if you pass the userid as part of the session variable.
2. There is something called "shared schema" which allows a large number of users to share one schema if they do not create db objects.
Well, since most of our users just select and update data, can we just use this instead of creating 500 schemas? How would this affect all the other features like auditing, authorization, access control etc.?
auditing
A reader, August 04, 2009 - 7:48 pm UTC
Tom:
A quick question/confirmation on auditing.
I want to use 11g Oracle standard auditing and/or any other built in features (FGA, Flashback query, etc.) to audit data, transactions (select, delete, update) and application users (one db account) for one PB client/server application and one PL/SQL web application.
1. Would setting client identifiers work for both apps or just the client/server, so the Oracle audit trail will have the application userid and IP address?
2. It seems for client/server all I need is an after logon trigger that sets the client identifier for that session, and no code is needed in the client itself as Oracle will track all the audits required. Correct?
XACML in oracle
mfz, February 19, 2010 - 9:11 am UTC
How does Oracle support XACML ?
I am on 11g