Oracle Database Appliance uses hardware and software hardening processes to secure the system, and that assist in deploying a layered security strategy.
Topics:
Oracle Database Appliance includes hardening configuration and security capabilities to core components.
Your organization can use the security features of Oracle Database Appliance as part of a layered security strategy.
Hardening Configuration
Oracle Database Appliance includes the following recommended hardening configuration procedures:
Installed packages are trimmed to a minimum, so that unnecessary packages are not installed on the servers.
Essential services only are enabled on the Oracle Database Appliance nodes.
Operating system users are audited.
Secure configurations for NTP, SSH, and other services.
Security Capabilities
Oracle Database Appliance architecture provides security capabilities to the core components. The capabilities are grouped into the following categories:
Isolation policies
Controlled access to data
Cryptographic services
Monitoring and auditing
Oracle Integrated Lights Out Manager (ILOM)
Isolation policies provide more secure multitenant services.
If your organization wants to consolidate IT infrastructure, implement shared service architectures, and deliver secure multitenant services, then you should isolate services, users, data, communications, and storage. Oracle Database Appliance provides organizations the flexibility to implement the isolation policies and strategies, based on their needs.
Topics:
Oracle Database Appliance isolates client access from device management and inter-device communication at the physical network level.
Oracle Database Appliance isolates client and management network traffic on separate networks. Clients access services on a redundant 10 Gbps Ethernet network that ensures reliable, high-speed access to services running on the system. Cluster management access is provided over a physically separate 1 Gbps Ethernet network. Providing physically separate networks ensures separation between operational and management network traffic.
Your organization can choose to further segregate network traffic over the client access Ethernet network by configuring virtual local area networks (VLANs). VLANs segregate network traffic based on your organization’s requirements. Oracle recommends the use of encrypted protocols over VLANs to assure the confidentiality and integrity of communications.
All Oracle Database security options are available for Oracle Database Appliance.
One of the best isolation methods is to create physical separation is to dedicate an entire environment to a single application or database. However, servers dedicated to one application or one database are expensive. A more cost-effective isolation strategy uses multiple databases within the same operating system image. You can obtain multiple database isolation through a combination of database and operating system-level controls, such as dedicated credentials for users, groups, and resource controls.
All Oracle Database security options are available for Oracle Database Appliance. If your organization requires finer-grained database isolation can use software such as Oracle Database Vault, Oracle Virtual Private Database, and Oracle Label Security.
Oracle Database Vault includes a mandatory access control model, which enforces isolation by using logical realms within a single database. Logical realms form a protective boundary around existing application tables by blocking administrative accounts from having ad-hoc access to application data. Oracle Database Vault command rules enable policy-based controls that limit who, when, where, and how the database and application data is accessed. This creates a trusted path to application data. Oracle Database Vault can also be employed to restrict access based upon time, source IP address, and other criteria.
Oracle Virtual Private Database enables the creation of policies that enforce fine-grained access to database tables and views at the row and column levels. Oracle Virtual Private Database provides security portability because the policies are associated with database objects, and are automatically applied no matter how the data is accessed. Oracle Virtual Private Database can be used for fine-grained isolation within the database.
Oracle Label Security classifies data, and mediates access to that data based upon its classification. Your organization can define classification strategies, such as hierarchical or disjoint, that best support their needs. This capability allows information stored at different classification levels to be isolated at the row level within a single tablespace.
Controlling access to data, workloads and infrastructure helps to provide greater security.
To protect application data, workloads, and the underlying infrastructure on which it runs, Oracle Database Appliance offers comprehensive yet flexible access control capabilities for both users and administrators. The control capabilities include network access and database access.
Topics:
Configure Network access to provide fine-grained access control.
Beyond simple network-level isolation, fine-grained access control policies can be instituted at the device level. All components in Oracle Database Appliance include the ability to limit network access to services either using architectural methods, such as network isolation, or using packet filtering and access control lists to limit communication to, from, and between components and services.
Help to reduce the risk of collusive behavior and inadvertent errors by using separation of duties at every layer of database architecture using role-allocated operating system users and group system privileges.
key credentials,
For example, use different operating system user accounts and designate different physical groups to grant Oracle Database and Oracle Automatic Storage Management (Oracle ASM) system privileges to ensure role separation for database and storage administrators. Within Oracle Database, you can assign specific privileges and roles to ensure that users have access to only those data objects that they are authorized to access. Data cannot be shared unless it is explicitly permitted.
In addition to the password-based authentication available in Oracle Database, Oracle Advanced Security option enables organizations to implement strong authentication using public key credentials, RADIUS, or a Kerberos infrastructure. Using Oracle Enterprise User Security, the database can be integrated with existing LDAP repositories for authentication and authorization. These capabilities provide higher assurance of the identity of users connecting to the database.
You can use Oracle Database Vault to manage administrative and privileged user access, controlling how, when and where application data can be accessed. Oracle Database Vault protects against misuse of stolen login credentials, application bypass, and unauthorized changes to applications and data, including attempts to make copies of application data. Oracle Database Vault is transparent to most applications, and day-to-day tasks. It supports multi-factor authorization policies, allowing for secure enforcement of policy without disrupting business operations.
Oracle Database Vault can enforce separation of duties to ensure that account management, security administration, resource management, and other functions are granted only to those users authorized to have those privileges.
Use these examples to help to implement a SUDO policy.
A SUDO policy helps to provide system auditing and access control for superuser (root) privileges on the operating system.
In environments where the system administration is handled by a different group than the database administration, or where security is a large concern, you may want to limit access to the root user account and password. SUDO allows a system administrator to give certain users (or groups of users) the ability to run commands as root while logging all commands and arguments.
A SUDO security policy is configured by using the file /etc/sudoers. Within the sudoers file, you can configure groups of users and sets of commands to simplify SUDO administration.
Caution:
Configuring SUDO to allow a user to perform any operation is equivalent to giving that user root privileges. Consider carefully if this is appropriate for your security needs.
SUDO Example 1: Allow a User to Perform Any OAKCLI Operation
To configure SUDO to allow a user to perform any OAKCLI operation, add lines to the commands section in the /etc/sudoers file. For example:
## The commands section may have other options added to it. ## Cmnd_Alias OAKCLI_CMDS=/opt/oracle/oak/bin/oakcli * jdoe ALL = OAKCLI_CMDS
In this example, jdoe is the user name. ALL= OAKCLI_CMDS grants the jdoe user permission to run all oakcli commands defined in the command alias OAKCLI_CMDS. The sudoers file is designed so that one sudoers file can be copied to multiple hosts with different rules on each host.
Note:
You must have Secure Shell (SSH) user equivalency set up before creating the database. If it is not set up, then you are required to provide the root password during database creation.
After you configure the sudoer file with the user, user jdoe can run oakcli commands. For example:
[jdoe@servernode1 ~]$ sudo /opt/oracle/oak/bin/oakcli create database -db newdb INFO: 2015-08-05 14:40:55: Look at the logfile '/opt/oracle/oak/log/scaoda1011/tools/12.1.2.4.0/createdb_newdb_91715.log' for more details INFO: 2015-08-05 14:40:59: Database parameter file is not provided. Will be using default parameters for DB creation Please enter the 'SYSASM' password : (During deployment we set the SYSASM password to 'welcome1'): Please re-enter the 'SYSASM' password: INFO: 2015-08-05 14:41:10: Installing a new home: OraDb12102_home3 at /u01/app/oracle/product/12.1.0.2/dbhome_3 Please select one of the following for Database type [1 .. 3]: 1 => OLTP 2 => DSS 3 => In-Memory
SUDO Example 2: Allow a User to Perform Only Selected OAKCLI Operations
To configure SUDO to allow a user to perform only selected OAKCLI operations, add lines to the commands section in the /etc/sudoers file. For example:
[jdoe2@servernode1 ~]$ sudo /opt/oracle/oak/bin/oakcli create database -db test INFO: 2015-09-30 15:49:07: Look at the logfile '/opt/oracle/oak/log/servernode1/tools/12.1.2.4.0/createdb_test_59955.log' for more details INFO: 2015-09-30 15:49:12: Database parameter file is not provided. Will be using default parameters for DB creation Please enter the 'SYSASM' password : (During deployment we set the SYSASM password to 'welcome1'): Please re-enter the 'SYSASM' password: INFO: 2015-09-30 15:49:27: Installing a new home: OraDb12102_home2 at /u01/app/oracle/product/12.1.0.2/dbhome_2 Please select one of the following for Database type [1 .. 3]: 1 => OLTP 2 => DSS 3 => In-Memory
In this command example, the user jdoe2 tries to run the oakcli show databases command, and receives an error message:
[jdoe2@servernode1 ~]$ sudo /opt/oracle/oak/bin/oakcli show database Sorry, user jdoe2 is not allowed to execute '/opt/oracle/oak/bin/oakcli show database' as root on servernode1.
Note:
You must have Secure Shell (SSH) user equivalency set up before creating the database. If it is not set up, then you are required to provide the root password during database creation.
Note:
For more information about configuring and using SUDO, refer to the SUDO man pages:
Cryptographic services can help to protect and validate information at rest, in transit, and in use.
From encryption and decryption to digital fingerprint and certificate validation, cryptography is one of the most-widely deployed security controls in IT organizations.
Whenever possible, Oracle Database Appliance makes use of hardware-based cryptographic engines Intel AES-NI and Oracle SPARC processors. Using hardware for cryptographic operations provides significant performance improvement over performing the operations in software. Both engines provide the ability to perform cryptographic operations in hardware, and both are leveraged by Oracle software on the database and storage servers.
Network cryptographic services protect the confidentiality and integrity of communications by using a cryptographically-secure protocol. For example, Secure Shell (SSH) access provides secure administrative access to systems and Integrated Lights Out Managers (ILOMs). SSL/TLS can enable secure communications between applications and other services.
Database cryptographic services are available from Oracle Advanced Security. Oracle Advanced Security encrypts information in the database using the transparent data encryption (TDE) functionality. TDE supports encryption of application table spaces, and encryption of individual columns within a table. Data stored in temporary table spaces, and redo logs are also encrypted. When the database is backed up, the data remains encrypted on destination media. This protects information at rest no matter where it is physically stored. Oracle Advanced Security should be considered for organizations concerned about the confidentiality of stored database content or database encryption, either at the table space level or column-level.
In addition, Oracle Advanced Security can encrypt Oracle Net Services and JDBC traffic using either native encryption or SSL to protect information while in transit over a network. Both administrative and application connections can be protected to ensure that data in transit is protected. The SSL implementation supports the standard set of authentication methods including anonymous (Diffie-Hellman), server-only authentication using X.509 certificates, and mutual (client-server) authentication with X.509.
Oracle Database Appliance includes Oracle Database Fine Grained Auditing (FGA), Oracle Audit Vault, and Oracle Database Firewall Remote Monitor, which provide comprehensive monitoring and auditing features.
Whether for compliance reporting or incident response, monitoring and auditing are critical functions that organizations must use to gain increased visibility into their IT environment. The degree to which monitoring and auditing is employed is often based upon the risk or criticality of the environment. Oracle Database Appliance has been designed to offer comprehensive monitoring and auditing functionality at the server, network, database, and storage layers ensuring that information can be made available to organizations in support of their audit and compliance requirements.
Oracle Database Fine Grained Auditing (FGA) can help you to create create audit records at the level of individual tables and columns, reducing audit overhead. FGA enables organizations to establish policies that selectively determine when audit records are generated. This helps organizations to focus on other database activities, and to reduce the overhead that is often associated with audit activities.
Oracle Audit Vault centralizes the management of database audit settings and automates the consolidation of audit data into a secure repository. Oracle Audit Vault includes built-in reporting to monitor a wide range of activities including privileged user activity and changes to database structures. The reports generated by Oracle Audit Vault enable visibility into various application and administrative database activities, and provide detailed information to support accountability of actions.
Oracle Audit Vault enables the proactive detection and alerting of activities that may be indicative of unauthorized access attempts or abuse of system privileges. These alerts can include both system and user-defined events and conditions, such as the creation of privileged user accounts or the modification of tables containing sensitive information.
Oracle Database Firewall Remote Monitor can provide real-time database security monitoring. Oracle Database Firewall Remote Monitor queries database connections to detect malicious traffic, such as application bypass, unauthorized activity, SQL injection and other threats. Using an accurate SQL grammar-based approach, Oracle Database Firewall helps organizations quickly identify suspicious database activity.
Oracle Integrated Lights-Out Management (ILOM) enables full out-of-band management, providing remote management capability for Oracle Database Appliance.
IPMI v2.0 and Collections of security controls and capabilities are necessary to properly secure individual applications and services. It is equally important to have comprehensive management capabilities to sustain the security of the deployed services and systems. Oracle Database Appliance uses the security management capabilities of Oracle ILOM.
Oracle ILOM is a service processor embedded in many Oracle Database Appliance components to perform out-of-band management activities. Oracle ILOM provides the following features:
Secure access to perform secure lights-out management of the database and storage servers. Access includes web-based access protected by SSL, command-line access using Secure Shell, and SNMPv3 protocols.
Separate duty requirements using a role-based access control model. Individual users are assigned to specific roles that limit the functions that can be performed.
An audit record of all logins and configuration changes. Each audit log entry lists the user performing the action, and a timestamp. This allows organizations to detect unauthorized activity or changes, and attribute those actions back to specific users.