Changes in This Release for Oracle Database Security Guide

This preface contains:

Changes in Oracle Database Security 18c

Oracle Database Security Guide for Oracle Database 18c has new security features.

Ability to Create Schema Only Accounts

You now can create schema only accounts, for object ownership without allowing clients to log in to the schema.

A user (or other client) cannot log in to the database schema unless the account is modified to accept an authentication method. However, this type of schema user can proxy in a single session proxy.

Related Topics

Integration of Active Directory Services with Oracle Database

Starting with this release, you can authenticate and authorize users directly with Microsoft Active Directory.

With centrally managed users (CMU) Oracle database users and roles can map directly to Active Directory users and groups without using Oracle Enterprise User Security (EUS) or another intermediate directory service. EUS is not being replaced or deprecated; this new feature is another simpler option if you only want to authenticate and authorize users with Active Directory. Centrally managed users is designed to be extended to work with other LDAP version 3–compliant directory services, but Microsoft Active Directory is the only service that is supported in this release.

The direct integration with directory services supports better security through simpler configuration with the enterprise identity management architecture. In the past, users may have avoided the security practice of integrating the database with directory services due to the difficulty and complexity. With the direct integration, you can improve your security posture by more easily integrating the Database to the enterprise directory service.

Ability to Encrypt Sensitive Credential Data in the Data Dictionary

Starting with this release, you can encrypt sensitive credential data that is stored in the data dictionary SYS.LINK$ and SYS.SCHEDULER$_CREDENTIAL system tables.

In previous releases, and by default in this release, the data in these tables is obfuscated. However, because of the rise of de-obfuscation algorithms that are available on the Internet, it is important to use a more secure solution to protect this type of sensitive data. You can manually encrypt this data by using the ALTER DATABASE DICTIONARY SQL statement.

PDB Lockdown Profile Enhancements

This release introduces several enhancements for PDB lockdown profiles.

These enhancements are as follows:

  • You now can create PDB lockdown profiles in the application root, as well as in the CDB root. In previous releases, you only could create the profile in the CDB root. The ability to create a PDB lockdown profile in an application container enables you to more finely control access to the applications that are associated with the application container.

  • You now can create a PDB lockdown profile that is based on another PDB lockdown profile, either a static base profile or a dynamic base profile. You can control whether subsequent changes to the base profile are reflected in the newly created profile that uses the base profile.

  • Three default PDB lockown profiles have been added for this release: PRIVATE_DBAAS, SAAS, and PUBLIC_DBAAS. These profiles benefit Cloud environments.

  • A new dynamic data dictionary view, V$LOCKDOWN_RULES, is available. This view enables the local user to see the lockdown rules that are applicable in the PDB.

This feature benefits environments that need enforced security and isolation in PDB provisioning.

New Authentication and Certification Parameters

This release introduces four new parameters that can be used to strengthen security on the database.

The new parameters are as follows:

  • The ADD_SSLV3_TO_DEFAULT sqlnet.ora parameter controls the use of the Secure Sockets Layer version 3, which can be vulnerable to Padding Oracle On Downgraded Legacy Encryption (POODLE) attacks

  • The ADG_ACCOUNT_INFO_TRACKING initialization parameter controls login attempts on Oracle Data Guard standby databases by enabling you to maintain a single global copy of user account information across all Data Guard primary and standby databases.

    The ACCEPT_MD5_CERTS sqlnet.ora parameter enables or disables the MD5 algorithm.

  • The ACCEPT_SHA1_CERTS sqlnet.ora parameter enables or disables the SHA-1 algorithm.

Ability to Write Unified Audit Trail Records to SYSLOG or the Windows Event Viewer

Starting with this release you can write unified audit trail records to SYSLOG on UNIX or the Windows Event Viewer on Microsoft Windows.

On Microsoft Windows, you can enable or disable this behavior. On UNIX systems, you can specify the SYSLOG facility to use and the type logging category for the unified audit record, such as whether it is an alert or for an emergency. To configure this behavior, you can set the UNIFIED_AUDIT_SYSTEMLOG initialization parameter.

Ability to Use Oracle Data Pump to Export and Import the Unified Audit Trail

Starting with this release, you can include the unified audit trail in either full or partial export and import operations using Oracle Data Pump.

There is no change to the user interface. When you perform the export or import operation of a database, the unified audit trail is automatically included in the Data Pump dump files.

This feature benefits users who, as in previous releases, must create dump files of audit records.

Updates to Oracle Database Security 18c

Oracle Database release 18c has one new security update that applies to all releases starting from release 11.2.

Security Update for Native Encryption

Oracle provides a patch that you can download to address necessary security enhancements that affect native network encryption environments in Oracle Database release 11.2 and later.

This patch is available in My Oracle Support note 2118136.2.

The supported algorithms that have been improved are as follows:

  • Encryption algorithms: AES128, AES192 and AES256
  • Checksumming algorithms: SHA1, SHA256, SHA384, and SHA512

Algorithms that are deprecated and should not be used are as follows:

  • Encryption algorithms: DES, DES40, 3DES112, 3DES168, RC4_40, RC4_56, RC4_128, and RC4_256
  • Checksumming algorithm: MD5

If your site requires the use of network native encryption, then you must download the patch that is described in My Oracle Support note 2118136.2. To enable a smooth transition for your Oracle Database installation, this patch provides two parameters that enable you to disable the weaker algorithms and start using the stronger algorithms. You will need to install this patch on both servers and clients in your Oracle Database installation.

An alternative to network native encryption is Transport Layer Security (TLS), which provides protection against person-in-the-middle attacks.