Oracle Database Appliance uses hardware and software hardening processes to secure the system, and that assist in deploying a layered security strategy.
About Oracle Database Appliance Security Features
Oracle Database Appliance includes hardening configuration and security capabilities to core components.
Your organization can use the security features of Oracle Database Appliance as part of a layered security strategy.
Oracle Database Appliance includes the following recommended hardening configuration procedures:
Installed packages are trimmed to a minimum, so that unnecessary packages are not installed on the servers.
Essential services only are enabled on the Oracle Database Appliance nodes.
Operating system users are audited.
Secure configurations for NTP, SSH, and other services.
Oracle Database Appliance architecture provides security capabilities to the core components. The capabilities are grouped into the following categories:
Controlled access to data
Monitoring and auditing
Oracle Integrated Lights Out Manager (ILOM)
Using Isolation Policies
Isolation policies provide more secure multitenant services.
If your organization wants to consolidate IT infrastructure, implement shared service architectures, and deliver secure multitenant services, then you should isolate services, users, data, communications, and storage. Oracle Database Appliance provides organizations the flexibility to implement the isolation policies and strategies, based on their needs.
Isolating Network Traffic
Oracle Database Appliance isolates client access from device management and inter-device communication at the physical network level.
Oracle Database Appliance isolates client and management network traffic on separate networks. Clients access services on a redundant 10 Gbps Ethernet network that ensures reliable, high-speed access to services running on the system. Cluster management access is provided over a physically separate 1 Gbps Ethernet network. Providing physically separate networks ensures separation between operational and management network traffic.
Your organization can choose to further segregate network traffic over the client access Ethernet network by configuring virtual local area networks (VLANs). VLANs segregate network traffic based on your organization’s requirements. Oracle recommends the use of encrypted protocols over VLANs to assure the confidentiality and integrity of communications.
All Oracle Database security options are available for Oracle Database Appliance.
If your organization requires finer-grained database isolation, then you can use software such as Oracle Database Vault, Oracle Virtual Private Database, and Oracle Label Security. One of the best isolation methods is to create physical separation is to dedicate an entire environment to a single application or database. However, servers dedicated to one application or one database are expensive. A more cost-effective isolation strategy uses multiple databases within the same operating system image. You can obtain multiple database isolation through a combination of database and operating system-level controls, such as dedicated credentials for users, groups, and resource controls.
Oracle Database Vault includes a mandatory access control model, which enforces isolation by using logical realms within a single database. Logical realms form a protective boundary around existing application tables by blocking administrative accounts from having ad-hoc access to application data. Oracle Database Vault command rules enable policy-based controls that limit who, when, where, and how the database and application data is accessed. This creates a trusted path to application data. Oracle Database Vault can also be employed to restrict access based upon time, source IP address, and other criteria.
Oracle Virtual Private Database enables the creation of policies that enforce fine-grained access to database tables and views at the row and column levels. Oracle Virtual Private Database provides security portability because the policies are associated with database objects, and are automatically applied no matter how the data is accessed. Oracle Virtual Private Database can be used for fine-grained isolation within the database.
Oracle Label Security classifies data, and mediates access to that data based upon its classification. Your organization can define classification strategies, such as hierarchical or disjoint, that best support their needs. This capability allows information stored at different classification levels to be isolated at the row level within a single tablespace.
Controlling Access to Data
Controlling access to data, workloads and infrastructure helps to provide greater security.
To protect application data, workloads, and the underlying infrastructure on which it runs, Oracle Database Appliance offers comprehensive yet flexible access control capabilities for both users and administrators. The control capabilities include network access and database access.
Controlling Network Access
Configure Network access to provide fine-grained access control.
Beyond simple network-level isolation, fine-grained access control policies can be instituted at the device level. All components in Oracle Database Appliance include the ability to limit network access to services either using architectural methods, such as network isolation, or using packet filtering and access control lists to limit communication to, from, and between components and services.
Controlling Database Access
Help to reduce the risk of collusive behavior and inadvertent errors by using separation of duties at every layer of database architecture using role-allocated operating system users and group system privileges.
For example, use different operating system user accounts and designate different physical groups to grant Oracle Database and Oracle Automatic Storage Management (Oracle ASM) system privileges to ensure role separation for database and storage administrators. Within Oracle Database, you can assign specific privileges and roles to ensure that users have access to only those data objects that they are authorized to access. Data cannot be shared unless it is explicitly permitted.
In addition to the password-based authentication available in Oracle Database, Oracle Advanced Security option enables organizations to implement strong authentication using public key credentials, RADIUS, or a Kerberos infrastructure. Using Oracle Enterprise User Security, the database can be integrated with existing LDAP repositories for authentication and authorization. These capabilities provide higher assurance of the identity of users connecting to the database.
You can use Oracle Database Vault to manage administrative and privileged user access, controlling how, when and where application data can be accessed. Oracle Database Vault protects against misuse of stolen login credentials, application bypass, and unauthorized changes to applications and data, including attempts to make copies of application data. Oracle Database Vault is transparent to most applications, and day-to-day tasks. It supports multi-factor authorization policies, allowing for secure enforcement of policy without disrupting business operations.
Oracle Database Vault can enforce separation of duties to ensure that account management, security administration, resource management, and other functions are granted only to those users authorized to have those privileges.
About Managing Privileges and Security with SUDO
A SUDO policy helps to provide system auditing and access control for superuser (root) privileges on the operating system. Use these examples to help to implement a SUDO policy.
The Oracle Appliance Manager command-line utility requires
system privileges for most administrative actions. If you are not logged in as
root, then you cannot carry out most actions on the appliance. For
example, if you are not logged in as
root, then you can view storage
information, but you cannot modify the storage.
You should use SUDO, instead of
su, to grant root privilege to
administrative users. SUDO enables system administrators to grant certain users (or
groups of users) the ability to run commands as root without the need for the root
su. It also logs all commands and arguments as part of
your security and compliance protocol.
A SUDO security policy is configured by using the file
/etc/sudoers. Within the
sudoers file, you can configure groups of users and sets of commands to simplify and audit server administration with SUDO commands.
Configuring a SUDO Security Policy for the DCS Stack
Use these examples to help to implement a SUDO policy for Oracle Database Appliance models that are using the DCS stack (odacli).
Configuring SUDO to allow a user to perform any operation is equivalent to giving that user
root privileges. Consider carefully if this is appropriate for your security needs.
Example 2-1 SUDO Example 1: Allow a User to Perform Any ODACLI Operation
This example shows how to configure SUDO to enable a user to perform any ODACLI operation. You do this by adding lines to the commands section in the
## The commands section may have other options added to it. ## Cmnd_Alias ODACLI_CMDS=/opt/oracle/oak/bin/odacli * jdoe ALL = ODACLI_CMDS
In this example, the user name is
jdoe. The file parameter setting
ALL= ODACLI_CMDS grants the user
jdoe permission to run all
odacli commands that are defined by the command alias
ODACLI_CMDS. After configuration, you can copy one
sudoers file to multiple hosts. You can also create different rules on each host.
Before database creation, you must set up user equivalency with SSH for the root user on each server. If you do not set up user equivalency and configure SSH on each server, then you are prompted to provide the root password for each server during database creation.
After you configure the
sudoer file with the user, the user jdoe can run the set of
odacli commands configured with the command alias
ODACLI_CMDS. For example:
$ sudo odacli create database -db newdb INFO: 2018-06-05 14:40:55: Look at the logfile '/opt/oracle/oak/log/node1011/tools/18.104.22.168.0/createdb_newdb_91715.log' for more details INFO:2018-06-05 14:40:59: Database parameter file is not provided. Will be using default parameters for DB creation Please enter the 'SYSASM' password : Please re-enter the 'SYSASM' password: INFO: 2018-06-05 14:41:10: Installing a new home: OraDb12102_home3 at /u01/app/oracle/product/22.214.171.124/dbhome_3 Please select one of the following for Database type [1 .. 3]: 1 => OLTP 2 => DSS 3 => In-Memory
Example 2-2 SUDO Example 2: Allow a User to Perform Only Selected ODACLI Operations
To configure SUDO to allow a user to perform only selected ODACLI operations, add lines to the commands section in the
/etc/sudoers file as follows:
## DCS commands for oracle user Cmnd_Alias DCSCMDS = /opt/oracle/dcs/bin/odacli describe-appliance oracle ALL= DCSCMDS
$ sudo /opt/oracle/dcs/bin/odacli describe-appliance Appliance Information ---------------------------------------------------------------- ID: a977bb04-6cf0-4c07-8e0c-91a8c7e7ebb8 Platform: OdaliteL Data Disk Count: 6 CPU Core Count: 20 Created: June 24, 2018 6:51:52 AM HDT System Information ---------------------------------------------------------------- Name: odal001 Domain Name: example.com Time Zone: America/Adak DB Edition: EE DNS Servers: 10.200.76.198 10.200.76.199 192.0.2.254 NTP Servers: 10.200.0.1 10.200.0.2 Disk Group Information ---------------------------------------------------------------- DG Name Redundancy Percentage ------------------------- ------------------------- ------------ Data Normal 90 Reco Normal 10
In this example, the user
jdoe2 tries to run the
sudo odacli list-databases command, which is not part of the set of commands that is configured for that user. SUDO prevents
jdoe2 from running the command.
[jdoe2@servernode1 ~]$ sudo /opt/oracle/dcs/bin/odacli list-databases Sorry, user jdoe2 is not allowed to execute '/opt/oracle/dcs/bin/odacli list-databases' as root on servernode1.
Using Cryptographic Services
Cryptographic services can help to protect and validate information at rest, in transit, and in use.
From encryption and decryption to digital fingerprint and certificate validation, cryptography is one of the most-widely deployed security controls in IT organizations.
Whenever possible, Oracle Database Appliance makes use of hardware-based cryptographic engines Intel AES-NI and Oracle SPARC processors. Using hardware for cryptographic operations provides significant performance improvement over performing the operations in software. Both engines provide the ability to perform cryptographic operations in hardware, and both are leveraged by Oracle software on the database and storage servers.
Network cryptographic services protect the confidentiality and integrity of communications by using a cryptographically-secure protocol. For example, Secure Shell (SSH) access provides secure administrative access to systems and Oracle Integrated Lights Out Manager (Oracle ILOM). SSL/TLS can enable secure communications between applications and other services.
Database cryptographic services are available from Oracle Advanced Security. Oracle Advanced Security encrypts information in the database using the transparent data encryption (TDE) functionality. TDE supports encryption of application table spaces, and encryption of individual columns within a table. Data stored in temporary table spaces, and redo logs are also encrypted. When the database is backed up, the data remains encrypted on destination media. This protects information at rest no matter where it is physically stored. Oracle Advanced Security should be considered for organizations concerned about the confidentiality of stored database content or database encryption, either at the table space level or column-level.
In addition, Oracle Advanced Security encrypts Oracle Net Services and JDBC traffic using either native encryption or TLS to protect information while in transit over a network. Both administrative and application connections can be protected to ensure that data in transit is protected. The TLS implementation supports the standard set of authentication methods including server-only authentication using X.509 certificates and mutual (client-server) authentication with X.509.
Monitoring and Auditing of Databases on Oracle Database Appliance
Oracle Database Appliance includes Oracle Database Fine Grained Auditing (FGA), Oracle Audit Vault, and Oracle Database Firewall Remote Monitor, which provide comprehensive monitoring and auditing features.
Whether for compliance reporting or incident response, monitoring and auditing are critical functions that organizations must use to gain increased visibility into their IT environment. The degree to which monitoring and auditing is employed is often based upon the risk or criticality of the environment. Oracle Database Appliance has been designed to offer comprehensive monitoring and auditing functionality at the server, network, database, and storage layers ensuring that information can be made available to organizations in support of their audit and compliance requirements.
Oracle Database Fine Grained Auditing (FGA) can help you to create create audit records at the level of individual tables and columns, reducing audit overhead. FGA enables organizations to establish policies that selectively determine when audit records are generated. This helps organizations to focus on other database activities, and to reduce the overhead that is often associated with audit activities.
Oracle Audit Vault centralizes the management of database audit settings and automates the consolidation of audit data into a secure repository. Oracle Audit Vault includes built-in reporting to monitor a wide range of activities including privileged user activity and changes to database structures. The reports generated by Oracle Audit Vault enable visibility into various application and administrative database activities, and provide detailed information to support accountability of actions.
Oracle Audit Vault enables the proactive detection and alerting of activities that may be indicative of unauthorized access attempts or abuse of system privileges. These alerts can include both system and user-defined events and conditions, such as the creation of privileged user accounts or the modification of tables containing sensitive information.
Oracle Database Firewall Remote Monitor can provide real-time database security monitoring. Oracle Database Firewall Remote Monitor queries database connections to detect malicious traffic, such as application bypass, unauthorized activity, SQL injection and other threats. Using an accurate SQL grammar-based approach, Oracle Database Firewall helps organizations quickly identify suspicious database activity.
About FIPS 140-2 Compliance on Oracle Database Appliance
Understand how FIPs 140-2 is implemented on Oracle Database Appliance.
Starting with Oracle Database Appliance release 19.11, the Linux kernel used by Oracle Database Appliance running on bare metal and KVM Database Systems is compliant with the United States Federal Information Processing Standard 140-2 (FIPS 140-2) level one. In accordance with the FIPS standard, the algorithms used by the secure shell (SSH) are limited to those permitted by the standard. FIPS 140-2 is supported in both newly provisioned systems and patched systems. When a system is updated, FIPS support is automatically enabled. No user intervention is needed.
About Enabling STIG on Oracle Database Appliance
Understand how you can enable Security Technical Implementation Guidelines (STIG) for Oracle Database Appliance.
The Defense Information Systems Agency (DISA) recommends the Security Technical Implementation Guidelines (STIG) for deployment and management of software, hardware, and system components. For more information about STIG standards, see https://public.cyber.mil/stigs/downloads/.
Oracle Database Appliance bundles the STIG script
with the product for both bare metal and Virtualized Platform, in the directory
Running the STIG Script
Follow these steps to run the STIG script:
- Log in as
- Run the command from the
On Virtualized Platform, run
ODA_BASEon both nodes to ensure that the script can fix any exceptions.
The table lists the command options for the STIG script.
Table 2-1 STIG Options for Oracle Database Appliance
||Specifies command options for Oracle Database Appliance STIG scripts|
||Describes the STIG version information|
||Enables direct ssh root login on the system|
||Disables direct ssh root login on the system|
||Checks and lists Oracle Database Appliance STIG violations on the
||Fixes Oracle Database Appliance STIG violations reported on the
The table lists the parameters for the
check option in the STIG
Table 2-2 Parameters for
check option for Oracle Database Appliance
||Provides help for the
||Tests and reports the violations on the system that do not adhere to STIG standards|
||Tests and reports the violations on the system for file/directory permissions checks|
||Tests and reports the violations on the system for configuration checks|
||Tests and reports the violations on the system for auditing checks|
||Tests and reports the violations on the system for accounts checks|
||Tests and reports the violations on the system for file systems checks|
||Tests and reports the violations on the system for enable/disable of grub password checks|
||Tests and reports the violations on the system for access-related checks|
The table lists the parameters for the
fix option in the STIG
Table 2-3 Parameters for
fix option for Oracle Database Appliance STIG
||Provides help for the
||Fixes all the recommendations suggested by STIG standards|
||Fixes the system file/directory permissions to adhere to STIG recommendations|
||Fixes the system configuration to adhere to STIG recommendations|
||Fixes the system audits to adhere to STIG recommendations|
||Fixes the system accounts to adhere to STIG recommendations|
||Fixes the system file systems to adhere to STIG recommendations|
||Fixes the system for enable/disable of grub password to adhere to STIG recommendations|
||Fixes the system access to STIG recommendations|
||Brings the system files at System Imaged state (without STIG
modifications). Run this option only with the
||Brings the system files to the state prior to previous security
vulnerability fix. Run this option only with the
Logging of STIG Checks
The logs for STIG checks and fixes are stored in the directory
Log files are created for each execution of the check, fix, enable, and disable
commands with the time stamp appended to each log file.
Examples for Running the STIG Script
Example 2-3 Checking for STIG Compliance
# ./stig.py check
Example 2-4 Implementing STIG Changes
# ./stig.py fix
Fixing Failed STIG Rules
There may be STIG rules that need system administrator assistance for implementing
them. These STIG rules have a status of
Failed after you run the
STIG script with the
[STIG_ID : OL07-00-040100] Firewall is not configured to comply with PPSM CLSA and PPSM CALL, please contact system administrator -> FAILED [STIG_ID : OL07-00-041001] esc and pam_pkcs rps to be configured, please contact system administrator -> FAILED [STIG_ID : OL07-00-020210] SELINUX is not configured to be enforcing, please contact system administrator -> FAILED
About Enabling CIS Benchmarks on Oracle Database Appliance
Understand about Center for Internet Security (CIS) Benchmarks for Oracle Database Appliance.
Center for Internet Security (CIS) Benchmarks are best practices for the secure configuration of a target system. They are consensus-based, best-practice security configuration guides developed and accepted by government, business, industry, and academia. The CIS Benchmarks are available for download at https://learn.cisecurity.org/benchmarks.
Center for Internet Security (CIS) Benchmarks support was available in earlier Oracle Database Appliance releases, but Oracle Database Appliance Release 19.11 does not support Center for Internet Security (CIS) Benchmarks currently.
Using Oracle ILOM for Secure Management
Oracle Integrated Lights-Out Management (Oracle ILOM) enables full out-of-band management, providing remote management capability for Oracle Database Appliance.
IPMI v2.0 and Collections of security controls and capabilities are necessary to properly secure individual applications and services. It is equally important to have comprehensive management capabilities to sustain the security of the deployed services and systems. Oracle Database Appliance uses the security management capabilities of Oracle ILOM.
Oracle ILOM is a service processor embedded in many Oracle Database Appliance components to perform out-of-band management activities. Oracle ILOM provides the following features:
Secure access to perform secure lights-out management of the database and storage servers. Access includes web-based access protected by Transport Layer Security (TLS), command-line access using Secure Shell, and SNMPv3 protocols.
Separate duty requirements using a role-based access control model. Individual users are assigned to specific roles that limit the functions that can be performed.
An audit record of all logins and configuration changes. Each audit log entry lists the user performing the action, and a timestamp. This allows organizations to detect unauthorized activity or changes, and attribute those actions back to specific users.