Security Guide for Base Database Service
Security Overview
This topic provides an overview of the security in the Base Database Service. Oracle manages security for most components, while users are responsible for the security of some components.
The cloud service components are classified into user-accessible services and Oracle-managed infrastructure. User-accessible services are the components that users can access as part of their subscription to the Base Database Service: the virtual machines and the database services, commonly called DB systems and databases respectively. Oracle-managed infrastructure is the hardware that Oracle owns and operates to support the user-accessible services; it consists of AMD or Intel-based database compute shapes.
Oracle manages the security of, and access to, the Oracle-managed infrastructure components. Users manage the security of, and access to, the user-accessible services: access to the DB system and database services, network access to the DB system, authentication to the DB system, and authentication to the databases running on it. Oracle staff are not authorized to access user-accessible services.
Users access Oracle Databases running on DB systems via a layer 2 (tagged VLAN) connection from user equipment using standard Oracle Database connection methods, such as Oracle Net on port 1521. Users can use the standard Oracle Linux methods to connect to the DB system running the Oracle Databases, such as token-based SSH on port 22.
The Base Database Service employs multiple, independent, and mutually-reinforcing security controls to help organizations create a secure operating environment for their workloads and data. The Base Database Service provides the following security controls:
Defense in Depth to Secure the Operating Environment
The Base Database Service provides several controls to maintain confidentiality, integrity, and accountability across the service. The Base Database Service promotes the principle of defense-in-depth as follows:
- The virtual machines for DB systems are built from the hardened operating system image based on Oracle Linux 7. It secures the core operating environment by restricting the installation image to only the required software packages, disabling unnecessary services, and implementing secure configuration parameters throughout the system.
- Additional secure default configuration choices are implemented in the service instances in addition to inheriting all the strengths of the mature Oracle Linux platform. For example, all database tablespaces require transparent data encryption (TDE), strong password enforcement for initial database users and superusers, and enhanced audit and event rules.
- The Base Database Service is delivered as a complete deployment and service, and is therefore subject to industry-standard external audits such as PCI, HIPAA, and ISO 27001. These audit requirements add service features such as antivirus scanning, automated alerting on unexpected changes to the system, and vulnerability scans of all Oracle-managed infrastructure systems in the fleet.
Least Privilege for Services and Users
Oracle secure coding standards require the least-privilege paradigm. Ensuring that applications, services, and users have access to the capabilities they need to perform their tasks is only one side of the least-privilege principle. It is equally important to ensure that access to unnecessary capabilities, services, and interfaces is limited. Base Database Service promotes the principle of least privilege as follows:
- Each process and daemon must run as a normal, unprivileged user unless it can prove a requirement for a higher level of privilege. This helps contain any unforeseen issues or vulnerabilities to unprivileged user space and not compromise an entire system.
- This principle also applies to Oracle operations team members, who use individual named accounts to access the infrastructure for maintenance or troubleshooting. Only when necessary do they use audited access to higher privilege levels to resolve an issue. Most issues are resolved through automation, so least privilege is also applied by not permitting human operators to access a system unless the automation is unable to resolve the issue.
Audit and Accountability of Events and Actions
A system must be able to detect and report incidents as they occur. Similarly, when an incident cannot be averted, an organization must be able to identify that it occurred in order to take the appropriate actions. Base Database Service encourages audit and accountability in the following ways:
- Auditing and accountability ensure that both Oracle and users know what activity took place on the system and when. These details not only keep the service compliant with the reporting requirements of external audits, but also help identify the activity that led to unexpected behavior.
- Auditing capabilities are provided for all infrastructure components to ensure all actions are captured. Users can also configure auditing for their database and user domain (domU) configuration and may choose to integrate those with other enterprise auditing systems.
- Oracle does not access the user domU.
Automating Cloud Operations
By eliminating manual operations required to provision, patch, maintain, troubleshoot, and configure systems, the possibility for error is reduced and a secure configuration is ensured.
The Base Database Service is designed to be secure by automating all provisioning, configuration, and the majority of other operational tasks. By automating, it is possible to avoid missed configurations and ensure all necessary paths into the system are properly configured.
Security Features
This topic describes the security features available in the Base Database Service.
The Base Database Service provides the following security features:
Hardened OS Image
- Minimal package installation: Only the necessary packages required to run an efficient system are installed. By installing a smaller set of packages, the attack surface of the operating system is reduced and the system remains more secure.
- Secure configuration: Many non-default configuration parameters are set during installation to enhance the security posture of the system and its content. For example, SSH is configured to only listen on certain network interfaces, sendmail is configured to only accept local host connections, and many other similar restrictions are implemented during installation.
- Run only necessary services: Any services that may be installed on the system but are not required for normal operation are disabled by default. For example, while NFS is a service often configured by users for various application purposes, it is disabled by default as it is not required for normal database operations. Users may choose to optionally configure services as per their requirements.
Minimized Attack Surface
As part of the hardened image, the attack surface is reduced by installing and running only the software required to deliver the service.
Additional Security Features Enabled
- Base Database Service is designed to be secure by default and provides a complete security stack, from network firewall control to access control security policies.
- FIPS, SE Linux, and STIG can additionally be enabled to improve security on the system, using the dbcli secure-dbsystem CLI.
- The STIG tool is provided to increase compliance with DISA's Oracle Linux 7 STIG on each node of a provisioned system.
Secure Access Methods
- Access database servers via SSH using strong cryptographic ciphers. Weak ciphers are disabled by default.
- Access databases via encrypted Oracle Net connections. By default, the database services are available over encrypted channels, and a default-configured Oracle Net client uses encrypted sessions.
Auditing and Logging
By default, for commercial deployments, auditing and logging use the configuration the operating system provides, without additional settings. Enabling STIG adds further audit and logging settings on top of that baseline.
User Security
This topic describes the user security available in the Base Database Service. The Base Database Service components are managed by several user accounts. Oracle uses and recommends key-based (token-based) SSH login only. Oracle users and processes do not use password-based authentication.
The following kinds of users are created by default:
Default Users: No Logon Privileges
This list consists of the default operating system users. These users should not be altered. They cannot log in to the system.
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
polkitd:x:999:996:User for polkitd:/:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
sssd:x:998:994:User for sssd:/:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
dhcpd:x:177:177:DHCP server:/:/sbin/nologin
saslauth:x:997:76:Saslauthd user:/run/saslauthd:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
Default Users: With Login Privileges
These privileged users accomplish most of the tasks in the system. They must never be altered or deleted, as doing so would significantly affect the running system. SSH keys are used for logging in.
The following is the list of default users with login privileges.
- root: a Linux requirement. It is used sparingly to run local privileged commands. root also runs some processes, such as the TFA Agent, and runs the local agent (also known as the "DCS Agent") that performs lifecycle operations for the RDBMS software (patching, database creation, and so on).
- oracle: owns the Oracle Database software installation and runs RDBMS processes.
- grid: owns the Oracle Grid Infrastructure software installation and runs GI processes.
- opc: used by Oracle Cloud Automation for automation tasks. The user can run certain privileged commands without further authentication (to support automation functions).
- mysql: a critical user that must exist and be active for the DCS Agent to operate, because it owns the DCS Agent metastore.
root:x:0:0:root:/root:/bin/bash
opc:x:54322:54323::/home/opc:/bin/bash
mysql:x:54323:54331::/home/mysql:/bin/bash
grid:x:102:1001::/home/grid:/bin/bash
oracle:x:101:1001::/home/oracle:/bin/bash
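As an added check (example code written for this guide, not an Oracle tool), the following script compares an /etc/passwd file with the default account lists above and reports drift: a no-logon account that acquired an interactive shell, an additional UID 0 account, a duplicate UID, a missing or renumbered login account, or an unknown account with a shell. The baseline and tampered inputs are constructed here from the entries listed above; the expected UIDs are the ones shown in that list.

```python
"""Drift check for the default accounts on a Base Database Service DB system.

Added example for this guide, not Oracle tooling. It parses /etc/passwd-style
lines and reports departures from the documented defaults.
"""
from collections import Counter
from typing import Dict, List, Tuple

# Shells that never give an interactive session; sync/shutdown/halt run one command and exit.
NON_INTERACTIVE_SHELLS = {"/sbin/nologin", "/bin/false", "/bin/sync", "/sbin/shutdown", "/sbin/halt"}

# Default accounts without logon privileges, as listed above.
NO_LOGON_USERS = {
    "bin", "daemon", "adm", "lp", "sync", "shutdown", "halt", "mail", "operator", "games",
    "ftp", "nobody", "systemd-network", "dbus", "rpc", "polkitd", "rpcuser", "nfsnobody",
    "ntp", "tss", "sssd", "named", "sshd", "dhcpd", "saslauth", "tcpdump",
}

# Default login accounts and the UIDs shown above.
LOGIN_USERS = {"root": 0, "opc": 54322, "mysql": 54323, "grid": 102, "oracle": 101}


def parse_passwd(text: str) -> Dict[str, Tuple[int, int, str]]:
    """Return {name: (uid, gid, shell)}; blank lines and '#' comments are skipped."""
    users = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {raw!r}")
        name, _pw, uid, gid, _gecos, _home, shell = fields
        users[name] = (int(uid), int(gid), shell)
    return users


def audit_accounts(text: str) -> List[str]:
    """Compare the parsed accounts with the documented defaults; return a list of findings."""
    users = parse_passwd(text)
    findings = []

    # An extra UID 0 account is a classic persistence technique, so check it first.
    for name, (uid, _gid, shell) in users.items():
        if uid == 0 and name != "root":
            findings.append(f"extra UID 0 account: {name} (shell {shell})")

    # Duplicate UIDs let one account act as another.
    for uid, count in Counter(u[0] for u in users.values()).items():
        if count > 1:
            names = sorted(n for n, u in users.items() if u[0] == uid)
            findings.append(f"duplicate UID {uid}: {', '.join(names)}")

    # No-logon defaults must keep a non-interactive shell.
    for name in sorted(NO_LOGON_USERS & set(users)):
        shell = users[name][2]
        if shell not in NON_INTERACTIVE_SHELLS:
            findings.append(f"no-logon account {name} has interactive shell {shell}")

    # Login defaults must exist with the documented UID (renumbering breaks file ownership).
    for name, expected_uid in LOGIN_USERS.items():
        if name not in users:
            findings.append(f"default login account missing: {name}")
        elif users[name][0] != expected_uid:
            findings.append(f"{name} has UID {users[name][0]}, expected {expected_uid}")

    # Anything else with an interactive shell is not part of the image and needs review.
    known = NO_LOGON_USERS | set(LOGIN_USERS)
    for name, (_uid, _gid, shell) in sorted(users.items()):
        if name not in known and shell not in NON_INTERACTIVE_SHELLS:
            findings.append(f"unexpected interactive account: {name} (shell {shell})")
    return findings


# Constructed sample: a subset of the default entries listed above.
BASELINE = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
opc:x:54322:54323::/home/opc:/bin/bash
mysql:x:54323:54331::/home/mysql:/bin/bash
grid:x:102:1001::/home/grid:/bin/bash
oracle:x:101:1001::/home/oracle:/bin/bash
"""

# Constructed tampered copy: ftp given a shell, plus a second UID 0 account.
TAMPERED = BASELINE.replace("/var/ftp:/sbin/nologin", "/var/ftp:/bin/bash") + \
    "backdoor:x:0:0::/root:/bin/bash\n"

if __name__ == "__main__":
    for label, sample in (("baseline", BASELINE), ("tampered", TAMPERED)):
        print(label, audit_accounts(sample) or ["no findings"])
```

On a DB system, run `audit_accounts(open("/etc/passwd").read())` from a scheduled job and alert on any non-empty result; the check is deliberately silent when a no-logon default is absent, because that does not widen access.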
Security Settings
This topic describes the security settings available in the Base Database Service. The following are the default security settings provided in the system.
Table - Security Settings and Default Values
Security Settings | Default Values |
---|---|
Password complexity | |
User account configuration | |
Disabled options | |
SSH Configurations | |
Packages | |
Logging | |
Others | |
Additionally, ONSR (Oracle National Security Regions) regions enable FIPS, SE Linux, and STIG by default to comply with their regulatory requirements. In commercial regions you can improve system security by enabling these additional configurations: the configuration standard (STIG) can be set to follow the most restrictive standards and increase compliance with DISA's Oracle Linux 7 STIG, and a tool provided as part of the image enables FIPS, SE Linux, and STIG.
Security Processes
This topic describes the default security processes available in the Base Database Service. The following processes run by default on the user virtual machine (DB system), also called the domU.
Table - Security Processes
Processes | Description |
---|---|
domU agent | Cloud agent that handles database lifecycle operations. |
TFA Agent | Oracle Trace File Analyzer (TFA) bundles several diagnostic tools, making it easy to gather diagnostic information about the Oracle Database and Clusterware, which in turn helps with problem resolution when working with Oracle Support. |
Database and GI (clusterware) | |
Network Security
This topic describes the network security in the Base Database Service. The following sections list the default ports, processes, and iptables rules in effect on the user virtual machine (DB system), also called the domU.
Ports for domU Service
The following table provides a list of default ports for domU services.
Table - Default port matrix for domU services
Type of interface | Name of interface | Port | Process running |
---|---|---|---|
Listen on all interfaces | 0.0.0.0 | 22 | SSH |
Listen on all interfaces | 0.0.0.0 | 1522 | RDBMS: TNS listener |
Listen on all interfaces | 0.0.0.0 | 7060 | DCS Admin |
Listen on all interfaces | 0.0.0.0 | 7070 | DCS Agent |
Listen on all interfaces | 0.0.0.0 | 2181 | Zookeeper |
Listen on all interfaces | 0.0.0.0 | 8888, 8895 | RAC: Quality of Management Service (QOMS) Server |
Listen on all interfaces | 0.0.0.0 | 9000 | RAC: Oracle Clusterware |
Listen on all interfaces | 0.0.0.0 | 68 | DHCP |
Listen on all interfaces | 0.0.0.0 | 123 | NTP |
Listen on all interfaces | 0.0.0.0 | 5353 | Multicast DNS |
Client Interface | ens3 | 1521 | RDBMS: TNS listener |
Client Interface | ens3 | 5000 | RDBMS: Autonomous Health Framework (AHF) (includes TFA) |
Client Interface | ens3:1 | 1521 | RDBMS: TNS listener |
Client Interface | ens3:2 | 1521 | RDBMS: TNS listener |
Client Interface | ens3:3 | 1521 | RDBMS: TNS listener |
Cluster Interconnect | ens4 | 1525 | RDBMS: TNS listener |
Cluster Interconnect | ens4 | 2888 | Zookeeper |
Cluster Interconnect | ens4 | 3888 | Zookeeper |
Cluster Interconnect | ens4 | 6000 | RAC: Grid inter-process communication |
Cluster Interconnect | ens4 | 7000 | RAC: High availability service |
iptables Rules for domU
The default chain policy is ACCEPT on the INPUT, FORWARD, and OUTPUT chains. The policy is not what limits traffic, however: the INPUT and FORWARD chains each end with an explicit REJECT rule, so inbound traffic is admitted only if it matches one of the ACCEPT rules above that REJECT, and forwarding is rejected entirely. The OUTPUT chain accepts everything except TCP and UDP traffic to the link-local range 169.254.0.0/16, which is diverted to the InstanceServices chain and allowed only to the listed OCI instance services (block storage, DNS, NTP, DHCP, and the instance metadata endpoint).
The following chains are defined by default:
- INPUT
- FORWARD
- OUTPUT
Example - iptables rules
The following example provides the default iptables rules for domU services.
iptables -L -n -v
Output:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
43M 110G ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2664 224K ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
40793 2441K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- ens4 * 0.0.0.0/0 0.0.0.0/0
3 192 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
40 2400 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:1521 /* Required for access to Database Listener, Do not remove or modify. */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:5000 /* Required for TFA traffic. */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:6200 /* This rule is recommended and enables the Oracle Notification Services (ONS) to communicate about Fast Application Notification (FAN) events. */
343 20580 ACCEPT tcp -- * * 169.254.0.0/16 0.0.0.0/0 state NEW tcp dpt:7070 /* Required for instance management by the Database Service, Do not remove or modify. */
132 7920 ACCEPT tcp -- * * 169.254.0.0/16 0.0.0.0/0 state NEW tcp dpt:7060 /* Required for instance management by the Database Service, Do not remove or modify. */
0 0 ACCEPT tcp -- * * 169.254.0.0/16 0.0.0.0/0 state NEW tcp dpt:22 /* Required for instance management by the Database Service, Do not remove or modify. */
3 424 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 51078 packets, 3218K bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * ens4 0.0.0.0/0 0.0.0.0/0
52M 170G ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
8003 548K InstanceServices all -- * * 0.0.0.0/0 169.254.0.0/16
Chain InstanceServices (1 references)
pkts bytes target prot opt in out source destination
11 660 ACCEPT tcp -- * * 0.0.0.0/0 169.254.2.0/24 owner UID match 0 tcp dpt:3260 /* See the Oracle-Provided Images section in the Oracle documentation for security impact of modifying or removing this rule */
1 60 ACCEPT tcp -- * * 0.0.0.0/0 169.254.0.2 owner UID match 0 tcp dpt:3260 /* See the Oracle-Provided Images section in the Oracle documentation for security impact of modifying or removing this rule */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 169.254.0.2 tcp dpt:80 /* See the Oracle-Provided Images section in the Oracle documentation for security impact of modifying or removing this rule */
678 63323 ACCEPT udp -- * * 0.0.0.0/0 169.254.169.254 udp dpt:53 /* See the Oracle-Provided Images section in the Oracle documentation for security impact of modifying or removing this rule */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 169.254.169.254 tcp dpt:53 /* See the Oracle-Provided Images section in the Oracle documentation for security impact of modifying or removing this rule */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 169.254.0.3 owner UID match 0 tcp dpt:80 /* See the Oracle-Provided Images section in the Oracle documentation for security impact of modifying or removing this rule */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 169.254.0.4 tcp dpt:80 /* See the Oracle-Provided Images section in the Oracle documentation for security impact of modifying or removing this rule */
2569 195K ACCEPT udp -- * * 0.0.0.0/0 169.254.169.254 udp dpt:123 /* Allow access to OCI local NTP service */
4727 284K ACCEPT tcp -- * * 0.0.0.0/0 169.254.169.254 tcp dpt:80 /* See the Oracle-Provided Images section in the Oracle documentation for security impact of modifying or removing this rule */
15 4920 ACCEPT udp -- * * 0.0.0.0/0 169.254.169.254 udp dpt:67 /* See the Oracle-Provided Images section in the Oracle documentation for security impact of modifying or removing this rule */
0 0 ACCEPT udp -- * * 0.0.0.0/0 169.254.169.254 udp dpt:69 /* See the Oracle-Provided Images section in the Oracle documentation for security impact of modifying or removing this rule */
0 0 REJECT tcp -- * * 0.0.0.0/0 169.254.0.0/16 tcp /* See the Oracle-Provided Images section in the Oracle documentation for security impact of modifying or removing this rule */ reject-with tcp-reset
0 0 REJECT udp -- * * 0.0.0.0/0 169.254.0.0/16 udp /* See the Oracle-Provided Images section in the Oracle documentation for security impact of modifying or removing this rule */ reject-with icmp-port-unreachable
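An added example (written for this guide, not Oracle tooling) that audits the host firewall against the defaults above. It reads the rule-spec form printed by `iptables -S` rather than the `iptables -L -n -v` listing shown, because each rule is then a single parseable line; the sample input is constructed here to mirror the INPUT and FORWARD rules above. The check verifies that the ACCEPT rules whose comments mark them as required are still present, that INPUT and FORWARD still end in an explicit REJECT, and lists the ports accepted for new connections from any source, since the reachability of those ports is then decided only by the VCN security lists and network security groups.

```python
"""Audit the domU host firewall against the default rules above.

Added example for this guide, not Oracle tooling. Input is the rule-spec form
printed by `iptables -S`; the sample below is constructed from the listing above.
"""
import shlex
from dataclasses import dataclass
from typing import List, Optional

# Options that carry a value but that the audit does not need to interpret.
SKIPPED_VALUE_OPTIONS = {"-m", "-o", "-d", "--comment", "--reject-with", "--sport"}

# INPUT ACCEPT rules the comments above mark as required: (proto, dport, source).
REQUIRED_INPUT_ACCEPTS = [
    ("tcp", 1521, "0.0.0.0/0"),       # database listener
    ("tcp", 5000, "0.0.0.0/0"),       # TFA / AHF
    ("tcp", 7070, "169.254.0.0/16"),  # DCS Agent, instance management
    ("tcp", 7060, "169.254.0.0/16"),  # DCS Admin, instance management
    ("tcp", 22, "169.254.0.0/16"),    # SSH from the instance management network
]


@dataclass
class Rule:
    chain: str
    target: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    source: str = "0.0.0.0/0"   # iptables omits -s when the rule matches any source
    in_iface: Optional[str] = None
    new_only: bool = False      # True when the rule matches only NEW connections


def parse_iptables_s(text: str) -> List[Rule]:
    """Turn each `-A CHAIN ...` line into a Rule; -P policy and -N chain lines are skipped."""
    rules = []
    for line in text.splitlines():
        tokens = shlex.split(line)  # handles the quoted --comment values
        if len(tokens) < 2 or tokens[0] != "-A":
            continue
        rule = Rule(chain=tokens[1])
        i = 2
        while i < len(tokens):
            tok = tokens[i]
            val = tokens[i + 1] if i + 1 < len(tokens) else None
            if tok == "-j":
                rule.target = val
            elif tok == "-p":
                rule.proto = val
            elif tok == "--dport":
                rule.dport = int(val)
            elif tok == "-s":
                rule.source = val
            elif tok == "-i":
                rule.in_iface = val
            elif tok == "--state":
                rule.new_only = (val == "NEW")
            elif tok not in SKIPPED_VALUE_OPTIONS:
                i += 1  # a flag without a value (such as "!"): step over it alone
                continue
            i += 2
        rules.append(rule)
    return rules


def audit_firewall(text: str) -> List[str]:
    """Findings that mean the service or the host's own protection is broken."""
    rules = parse_iptables_s(text)
    findings = []
    accepts = [r for r in rules if r.chain == "INPUT" and r.target == "ACCEPT"]
    for proto, port, src in REQUIRED_INPUT_ACCEPTS:
        if not any(r.proto == proto and r.dport == port and r.source == src for r in accepts):
            findings.append(f"missing required INPUT ACCEPT {proto}/{port} from {src}")
    # Policy is ACCEPT on both chains, so the trailing REJECT is the only thing that closes them.
    for chain in ("INPUT", "FORWARD"):
        chain_rules = [r for r in rules if r.chain == chain]
        if not chain_rules or chain_rules[-1].target not in ("REJECT", "DROP"):
            findings.append(f"{chain} chain does not end in REJECT/DROP; policy ACCEPT admits everything else")
    return findings


def host_exposed_ports(text: str) -> List[int]:
    """Ports accepted for NEW connections from any source on any interface."""
    return sorted({
        r.dport for r in parse_iptables_s(text)
        if r.chain == "INPUT" and r.target == "ACCEPT" and r.new_only
        and r.dport is not None and r.source == "0.0.0.0/0" and r.in_iface is None
    })


# Constructed sample in `iptables -S` form, mirroring the default INPUT and FORWARD rules above.
DEFAULT_RULES = """\
-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i ens4 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1521 -m comment --comment "Required for access to Database Listener, Do not remove or modify." -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5000 -m comment --comment "Required for TFA traffic." -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 6200 -j ACCEPT
-A INPUT -s 169.254.0.0/16 -p tcp -m state --state NEW -m tcp --dport 7070 -j ACCEPT
-A INPUT -s 169.254.0.0/16 -p tcp -m state --state NEW -m tcp --dport 7060 -j ACCEPT
-A INPUT -s 169.254.0.0/16 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
"""

# Constructed drift: the DCS Agent rule and the closing INPUT REJECT have been deleted.
TAMPERED_RULES = "\n".join(
    line for line in DEFAULT_RULES.splitlines()
    if "--dport 7070" not in line and not line.startswith("-A INPUT -j REJECT")
)

if __name__ == "__main__":
    print("accepted from any source:", host_exposed_ports(DEFAULT_RULES))
    print("default:", audit_firewall(DEFAULT_RULES) or ["no findings"])
    print("tampered:", audit_firewall(TAMPERED_RULES))
```

On a live node, feed it `subprocess.run(["iptables", "-S"], capture_output=True, text=True).stdout`. The ports it reports as accepted from any source (22, 1521, 5000 and 6200 on the defaults) have no host-level source restriction at all, so the VCN security list or NSG attached to the client subnet is the control that must limit who can reach SSH and the listener.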
User Responsibilities for Security Settings
This topic describes the Oracle Cloud Operations responsibilities and the user responsibilities for security settings in the Base Database Service. The following table lists, for each operation, what Oracle Cloud Operations and the user are each responsible for.
Table - Oracle Cloud Operations and User Responsibilities for Various Operations
Operation | Oracle Cloud Platform: Oracle Cloud Responsibility | Oracle Cloud Platform: User Responsibility | User / Tenant Instances: Oracle Cloud Responsibility | User / Tenant Instances: User Responsibility |
---|---|---|---|---|
DATABASE DEPLOYMENT | Software infrastructure and guidance for Base Database Service deployment | Network Admin: Configure cloud network infrastructure (VCN and subnets, gateway, etc.). Database Admin: Set up database requirements (memory, storage, computation, database version, database type, etc.). | Install operating system, database, and Grid Infrastructure if selected | Database Admin: Update Oracle Database software version, virtual machine shape (CPU / memory), and data storage and recovery storage sizes based on workloads if required (upgrade/downgrade resources). |
MONITORING | Physical security, infrastructure, control plane, hardware faults, availability, capacity | Nothing required | Infrastructure availability to support user monitoring of user services | Database Admin: Monitoring of user operating system, databases, apps, and Grid Infrastructure |
INCIDENT MANAGEMENT AND RESOLUTION | Incident management and remediation, spare parts and field dispatch | Nothing required | Support for any incidents related to the underlying platform | Database Admin: Incident management and resolution for user apps |
PATCH MANAGEMENT | Proactive patching of hardware, IaaS/PaaS control stack | Nothing required | Staging of available patches, for example, Oracle Database patch set | Database Admin: Patching of tenant instances, testing. OS Admin: OS patching |
BACKUP AND RESTORATION | Infrastructure and control plane backup and recovery, recreate user virtual machines | Nothing required | Provide running and user-accessible virtual machines | Database Admin: Snapshots / backup and recovery of user IaaS and PaaS data using Oracle native or third-party capability |
Enable Additional Security Capabilities
The Base Database Service provides the following additional security capabilities:
dbcli NetSecurity
The dbcli NetSecurity feature deals with the encryption of data as it travels through the network. When data moves from Oracle Database to a third party, or from a server to a client, it is encrypted at the sender's end and decrypted at the receiver's end. In NetSecurity, rules are configured with default values for both client and server during provisioning and database home creation operations.
The dcs-agent CLI interface provides commands to update these NetSecurity rules and strengthen the encryption algorithms, integrity algorithms, and connection types.
By default, dcs-agent configures the following rules for the database home:
SQLNET.ENCRYPTION_SERVER=REQUIRED
SQLNET.CRYPTO_CHECKSUM_SERVER=REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER=(AES256,AES192,AES128)
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER=(SHA1)
SQLNET.ENCRYPTION_CLIENT=REQUIRED
SQLNET.CRYPTO_CHECKSUM_CLIENT=REQUIRED
SQLNET.ENCRYPTION_TYPES_CLIENT=(AES256,AES192,AES128)
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT=(SHA1)
For more information on updating the settings, see Oracle Database CLI Reference.
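The defaults above require both encryption and integrity on both sides, but list SHA1 as the only integrity algorithm. Oracle Net also accepts SHA256, SHA384, and SHA512 for SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER and SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT, so a practitioner will want to check the effective sqlnet.ora and move integrity to SHA-2. The following added example (written for this guide; it is not dcs-agent or dbcli code) parses a sqlnet.ora fragment, flags negotiable encryption or integrity, non-AES ciphers, and MD5/SHA1-only integrity, and emits a hardened parameter set. Both sample inputs are constructed: one copies the defaults above, the other is deliberately weakened.

```python
"""Audit and harden the Oracle Net native encryption settings in sqlnet.ora.

Added example for this guide, not dcs-agent or dbcli code. Unset ENCRYPTION_*
and CRYPTO_CHECKSUM_* parameters are treated as Oracle's default, ACCEPTED.
"""
import re
from typing import Dict, List

STRONG_CIPHERS = ("AES256", "AES192", "AES128")
STRONG_CHECKSUMS = ("SHA512", "SHA384", "SHA256")
WEAK_CHECKSUMS = {"MD5", "SHA1"}

_PARAM = re.compile(r"^\s*(SQLNET\.[A-Z_]+)\s*=\s*(.+?)\s*$", re.IGNORECASE)


def parse_sqlnet(text: str) -> Dict[str, List[str]]:
    """Map parameter name -> list of values; '(A,B)' lists are split, scalars become one value."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]        # '#' starts a comment in sqlnet.ora
        m = _PARAM.match(line)
        if not m:
            continue
        name, raw = m.group(1).upper(), m.group(2).strip().strip("()")
        params[name] = [v.strip().upper() for v in raw.split(",") if v.strip()]
    return params


def audit_sqlnet(text: str) -> List[str]:
    """Return one finding per parameter that is weaker than the hardened target."""
    params = parse_sqlnet(text)
    findings = []
    for side in ("SERVER", "CLIENT"):
        enc = params.get(f"SQLNET.ENCRYPTION_{side}", ["ACCEPTED"])[0]
        if enc != "REQUIRED":
            findings.append(f"SQLNET.ENCRYPTION_{side}={enc}: encryption is negotiable, set REQUIRED")
        chk = params.get(f"SQLNET.CRYPTO_CHECKSUM_{side}", ["ACCEPTED"])[0]
        if chk != "REQUIRED":
            findings.append(f"SQLNET.CRYPTO_CHECKSUM_{side}={chk}: integrity is negotiable, set REQUIRED")
        ciphers = params.get(f"SQLNET.ENCRYPTION_TYPES_{side}", [])
        bad = [c for c in ciphers if c not in STRONG_CIPHERS]
        if bad:
            findings.append(f"SQLNET.ENCRYPTION_TYPES_{side} allows non-AES algorithms: {','.join(bad)}")
        sums = params.get(f"SQLNET.CRYPTO_CHECKSUM_TYPES_{side}", [])
        if not sums or all(s in WEAK_CHECKSUMS for s in sums):
            findings.append(f"SQLNET.CRYPTO_CHECKSUM_TYPES_{side}=({','.join(sums) or 'unset'}): "
                            "only MD5/SHA1 integrity algorithms, add SHA256/SHA384/SHA512")
    return findings


def hardened_sqlnet() -> str:
    """The parameter set the audit accepts without findings."""
    lines = []
    for side in ("SERVER", "CLIENT"):
        lines += [
            f"SQLNET.ENCRYPTION_{side}=REQUIRED",
            f"SQLNET.CRYPTO_CHECKSUM_{side}=REQUIRED",
            f"SQLNET.ENCRYPTION_TYPES_{side}=({','.join(STRONG_CIPHERS)})",
            f"SQLNET.CRYPTO_CHECKSUM_TYPES_{side}=({','.join(STRONG_CHECKSUMS)})",
        ]
    return "\n".join(lines) + "\n"


# Constructed copy of the default rules listed above.
DEFAULT_SQLNET = """\
SQLNET.ENCRYPTION_SERVER=REQUIRED
SQLNET.CRYPTO_CHECKSUM_SERVER=REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER=(AES256,AES192,AES128)
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER=(SHA1)
SQLNET.ENCRYPTION_CLIENT=REQUIRED
SQLNET.CRYPTO_CHECKSUM_CLIENT=REQUIRED
SQLNET.ENCRYPTION_TYPES_CLIENT=(AES256,AES192,AES128)
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT=(SHA1)
"""

# Constructed, deliberately weak server-side fragment; the client side is left unset.
WEAK_SQLNET = """\
# legacy settings
SQLNET.ENCRYPTION_SERVER = ACCEPTED
SQLNET.ENCRYPTION_TYPES_SERVER = (3DES168, RC4_128, AES128)
SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (MD5)
"""

if __name__ == "__main__":
    for label, sample in (("default", DEFAULT_SQLNET), ("weak", WEAK_SQLNET)):
        print(label, audit_sqlnet(sample) or ["no findings"])
    print(hardened_sqlnet())
```

On a DB system, apply the hardened values through the dbcli NetSecurity commands referred to above rather than by editing the database home's sqlnet.ora by hand, and keep SHA1 in the checksum list only while clients that do not support the SHA-2 checksums still need to connect, since a server that REQUIREs integrity rejects a client with no algorithm in common.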
OCI Vault Integration
The Base Database Service now has integration with the OCI Vault service in all OCI commercial regions. You can now create and manage TDE master keys within the OCI Vault that protect your databases. With this feature, you have the option to start using the OCI Vault service to store and manage the master encryption keys. The OCI Vault keys used for protecting databases are stored in a highly available, durable, and managed service.
Note:
The OCI Vault integration is only available for Oracle Database versions 19.13 and later.
With OCI Vault integration in the Base Database Service, you can:
- Centrally control and manage TDE master keys by enabling OCI Vault-based key encryption while provisioning Oracle Databases on the Base Database Service.
- Have your TDE master keys stored in a highly available, durable, and managed service wherein the keys are protected by hardware security modules (HSM) that meet Federal Information Processing Standards (FIPS) 140-2 Security Level 3 security certification.
- Rotate your encryption keys periodically to maintain security compliance and, in cases of personnel changes, disable access to a database.
- Migrate from Oracle-managed keys to user-managed keys for your existing databases.
- Bring your own keys (BYOK) and use them while creating databases with user-managed encryption.
Note:
- BYOK is applicable to the container database (CDB) only. The pluggable database (PDB) will be assigned an automatically generated new key version.
- Oracle Databases that use user-managed encryption support DB system cloning, in-place restore, out-of-place restore, intra-region Data Guard configuration, and PDB-specific operations like PDB creation and local cloning.
CLI to Enable FIPS
Oracle provides a tool that lets commercial users strengthen the default security. The tool enables FIPS, SE Linux, and STIG so that the system follows the most rigorous standards.
For more information, see Enable FIPS, SE Linux, and STIG on the DB System Components.
Copyright © 2022, 2024, Oracle and/or its affiliates.
For information about Oracle's commitment to accessibility, visit the Oracle Accessibility Program website at http://www.oracle.com/pls/topic/lookup?ctx=acc&id=docacc.
Access to Oracle Support
Oracle customers that have purchased support have access to electronic support through My Oracle Support. For information, visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=info or visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=trs if you are hearing impaired.