2 Security Features of Oracle Database Appliance

Oracle Database Appliance uses hardware and software hardening processes to secure the system and to assist in deploying a layered security strategy.


About Oracle Database Appliance Security Features

Oracle Database Appliance includes hardening configuration and security capabilities to core components.

Your organization can use the security features of Oracle Database Appliance as part of a layered security strategy.

Hardening Configuration

Oracle Database Appliance includes the following recommended hardening configuration procedures:

  • Installed packages are trimmed to a minimum, so that unnecessary packages are not installed on the servers.

  • Only essential services are enabled on the Oracle Database Appliance nodes.

  • Operating system users are audited.

  • NTP, SSH, and other services are configured securely.

Security Capabilities

Oracle Database Appliance architecture provides security capabilities to the core components. The capabilities are grouped into the following categories:

  • Isolation policies

  • Controlled access to data

  • Cryptographic services

  • Monitoring and auditing

  • Oracle Integrated Lights Out Manager (ILOM)

Using Isolation Policies

Isolation policies provide more secure multitenant services.

If your organization wants to consolidate IT infrastructure, implement shared service architectures, and deliver secure multitenant services, then you should isolate services, users, data, communications, and storage. Oracle Database Appliance provides organizations the flexibility to implement the isolation policies and strategies, based on their needs.


Isolating Network Traffic

Oracle Database Appliance isolates client access from device management and inter-device communication at the physical network level.

Oracle Database Appliance isolates client and management network traffic on separate networks. Clients access services on a redundant 10 Gbps Ethernet network that ensures reliable, high-speed access to services running on the system. Cluster management access is provided over a physically separate 1 Gbps Ethernet network. Providing physically separate networks ensures separation between operational and management network traffic.

Your organization can choose to further segregate network traffic over the client access Ethernet network by configuring virtual local area networks (VLANs). VLANs segregate network traffic based on your organization’s requirements. Oracle recommends the use of encrypted protocols over VLANs to assure the confidentiality and integrity of communications.

Isolating Databases

All Oracle Database security options are available for Oracle Database Appliance.

If your organization requires finer-grained database isolation, then you can use software such as Oracle Database Vault, Oracle Virtual Private Database, and Oracle Label Security. One of the best isolation methods is physical separation: dedicating an entire environment to a single application or database. However, servers dedicated to one application or one database are expensive. A more cost-effective isolation strategy uses multiple databases within the same operating system image. You can obtain isolation between multiple databases through a combination of database and operating system-level controls, such as dedicated credentials for users, groups, and resource controls.

Oracle Database Vault includes a mandatory access control model, which enforces isolation by using logical realms within a single database. Logical realms form a protective boundary around existing application tables by blocking administrative accounts from having ad-hoc access to application data. Oracle Database Vault command rules enable policy-based controls that limit who, when, where, and how the database and application data is accessed. This creates a trusted path to application data. Oracle Database Vault can also be employed to restrict access based upon time, source IP address, and other criteria.

Oracle Virtual Private Database enables the creation of policies that enforce fine-grained access to database tables and views at the row and column levels. Oracle Virtual Private Database provides security portability because the policies are associated with database objects, and are automatically applied no matter how the data is accessed. Oracle Virtual Private Database can be used for fine-grained isolation within the database.

Oracle Label Security classifies data, and mediates access to that data based upon its classification. Your organization can define the classification strategies, such as hierarchical or disjoint, that best support its needs. This capability allows information stored at different classification levels to be isolated at the row level within a single tablespace.

Controlling Access to Data

Controlling access to data, workloads and infrastructure helps to provide greater security.

To protect application data, workloads, and the underlying infrastructure on which it runs, Oracle Database Appliance offers comprehensive yet flexible access control capabilities for both users and administrators. The control capabilities include network access and database access.


Controlling Network Access

Configure network access to provide fine-grained access control.

Beyond simple network-level isolation, fine-grained access control policies can be instituted at the device level. All components in Oracle Database Appliance include the ability to limit network access to services either using architectural methods, such as network isolation, or using packet filtering and access control lists to limit communication to, from, and between components and services.

Controlling Database Access

Help to reduce the risk of collusive behavior and inadvertent errors by enforcing separation of duties at every layer of the database architecture, using role-allocated operating system users and group system privileges.

For example, use different operating system user accounts and designate different physical groups to grant Oracle Database and Oracle Automatic Storage Management (Oracle ASM) system privileges to ensure role separation for database and storage administrators. Within Oracle Database, you can assign specific privileges and roles to ensure that users have access to only those data objects that they are authorized to access. Data cannot be shared unless it is explicitly permitted.

In addition to the password-based authentication available in Oracle Database, Oracle Advanced Security option enables organizations to implement strong authentication using public key credentials, RADIUS, or a Kerberos infrastructure. Using Oracle Enterprise User Security, the database can be integrated with existing LDAP repositories for authentication and authorization. These capabilities provide higher assurance of the identity of users connecting to the database.

You can use Oracle Database Vault to manage administrative and privileged user access, controlling how, when and where application data can be accessed. Oracle Database Vault protects against misuse of stolen login credentials, application bypass, and unauthorized changes to applications and data, including attempts to make copies of application data. Oracle Database Vault is transparent to most applications, and day-to-day tasks. It supports multi-factor authorization policies, allowing for secure enforcement of policy without disrupting business operations.

Oracle Database Vault can enforce separation of duties to ensure that account management, security administration, resource management, and other functions are granted only to those users authorized to have those privileges.

About Managing Privileges and Security with SUDO

A SUDO policy helps to provide system auditing and access control for superuser (root) privileges on the operating system. Use these examples to help to implement a SUDO policy.

The Oracle Appliance Manager command-line utility requires root system privileges for most administrative actions. If you are not logged in as root, then you cannot carry out most actions on the appliance. For example, if you are not logged in as root, then you can view storage information, but you cannot modify the storage.

You should use SUDO, instead of su, to grant root privilege to administrative users. Unlike su, SUDO enables system administrators to grant certain users (or groups of users) the ability to run commands as root without sharing the root password. It also logs all commands and their arguments, which supports your security and compliance protocol.

A SUDO security policy is configured by using the file /etc/sudoers. Within the sudoers file, you can configure groups of users and sets of commands to simplify and audit server administration with SUDO commands.

Configuring a SUDO Security Policy for the DCS Stack

Use these examples to help to implement a SUDO policy for Oracle Database Appliance models that are using the DCS stack (odacli).

A SUDO policy helps to provide system auditing and access control for superuser (root) privileges on the operating system.


Configuring SUDO to allow a user to perform any operation is equivalent to giving that user root privileges. Consider carefully if this is appropriate for your security needs.

Example 2-1 SUDO Example 1: Allow a User to Perform Any ODACLI Operation

This example shows how to configure SUDO to enable a user to perform any ODACLI operation. You do this by adding lines to the commands section in the /etc/sudoers file:

## The commands section may have other options added to it.
## On the DCS stack, odacli is installed at /opt/oracle/dcs/bin/odacli (the path used in Example 2-2).
Cmnd_Alias ODACLI_CMDS=/opt/oracle/dcs/bin/odacli *
## Grant the command alias to the user jdoe on any host (ALL).
jdoe    ALL= ODACLI_CMDS

In this example, the user name is jdoe. The sudoers entry jdoe ALL= ODACLI_CMDS grants the user jdoe permission, on any host (ALL), to run all odacli commands that are defined by the command alias ODACLI_CMDS. After configuration, you can copy one sudoers file to multiple hosts. You can also create different rules on each host.


Before database creation, you must set up user equivalency with SSH for the root user on each server. If you do not set up user equivalency and configure SSH on each server, then you are prompted to provide the root password for each server during database creation.

After you configure the sudoer file with the user, the user jdoe can run the set of odacli commands configured with the command alias ODACLI_CMDS. For example:

$ sudo odacli create database -db newdb

INFO: 2018-06-05 14:40:55: Look at the logfile  '/opt/oracle/oak/log/node1011/tools/' for more details

INFO:2018-06-05 14:40:59: Database parameter file is not provided. Will be using default parameters for DB creation
Please enter the 'SYSASM'  password :
Please re-enter the 'SYSASM' password:
INFO: 2018-06-05 14:41:10: Installing a new home: OraDb12102_home3 at /u01/app/oracle/product/

Please select one of the following for Database type  [1 .. 3]:
1    => OLTP 
2    => DSS 
3    => In-Memory

Example 2-2 SUDO Example 2: Allow a User to Perform Only Selected ODACLI Operations

To configure SUDO to allow a user to perform only selected ODACLI operations, add lines to the commands section in the /etc/sudoers file as follows:

## DCS commands for oracle user
Cmnd_Alias DCSCMDS = /opt/oracle/dcs/bin/odacli describe-appliance
oracle  ALL=       DCSCMDS

With this entry, the oracle user can run the single permitted command with sudo:

$ sudo /opt/oracle/dcs/bin/odacli describe-appliance

Appliance Information
                     ID: a977bb04-6cf0-4c07-8e0c-91a8c7e7ebb8
               Platform: OdaliteL
        Data Disk Count: 6
         CPU Core Count: 20
                Created: June 24, 2018 6:51:52 AM HDT

System Information
                   Name: odal001
            Domain Name: example.com
              Time Zone: America/Adak
             DB Edition: EE
            DNS Servers:
            NTP Servers:

Disk Group Information
DG Name                   Redundancy                Percentage
------------------------- ------------------------- ------------
Data                      Normal                    90
Reco                      Normal                    10

In this example, the user jdoe2 tries to run the sudo odacli list-databases command, which is not part of the set of commands that is configured for that user. SUDO prevents jdoe2 from running the command.

[jdoe2@servernode1 ~]$ sudo /opt/oracle/dcs/bin/odacli list-databases

Sorry, user jdoe2 is not allowed to execute '/opt/oracle/dcs/bin/odacli list-databases' as root on servernode1.
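Before copying a sudoers file to multiple hosts, it helps to check what each rule actually grants. The following Python script is an added example (not Oracle's code) that evaluates the fragments from Example 2-1 and Example 2-2 against the sudoers matching rules and flags users whose rules are equivalent to root. It assumes the jdoe user line that Example 2-1 describes but does not print, the DCS-stack odacli path for both aliases, and handles only the subset of sudoers syntax the examples use.

```python
import fnmatch
import re

# Constructed sample merging the page's two sudoers fragments. Assumed, not on
# the page: the 'jdoe ALL= ODACLI_CMDS' user line that Example 2-1 describes
# but does not print, and the DCS-stack odacli path from Example 2-2 for both.
SAMPLE_SUDOERS = """\
## The commands section may have other options added to it.
Cmnd_Alias ODACLI_CMDS=/opt/oracle/dcs/bin/odacli *
jdoe    ALL= ODACLI_CMDS
## DCS commands for oracle user
Cmnd_Alias DCSCMDS = /opt/oracle/dcs/bin/odacli describe-appliance
oracle  ALL=       DCSCMDS
"""

# Only the subset of sudoers syntax used in the examples is understood:
# '#' comments, Cmnd_Alias definitions, and 'user HOST= commands' user specs.
ALIAS_RE = re.compile(r"^Cmnd_Alias\s+(\w+)\s*=\s*(.+)$")
SPEC_RE = re.compile(r"^(\S+)\s+\S+\s*=\s*(.+)$")


def parse_sudoers(text):
    """Return (aliases, specs): alias -> command patterns, user -> entries."""
    aliases, specs = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ALIAS_RE.match(line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
            continue
        m = SPEC_RE.match(line)
        if m:  # entries are alias names or literal command patterns
            specs.setdefault(m.group(1), []).extend(
                c.strip() for c in m.group(2).split(","))
    return aliases, specs


def allowed(text, user, command):
    """True if 'user' may run the full command line 'command' as root.
    The host field is ignored (treated as ALL). sudoers matches the command
    and its arguments as one string, and '*' spans spaces, which is why
    'odacli *' accepts any argument list; fnmatch reproduces that."""
    aliases, specs = parse_sudoers(text)
    for entry in specs.get(user, []):
        for pattern in aliases.get(entry, [entry]):
            if pattern == "ALL" or fnmatch.fnmatchcase(command, pattern):
                return True
    return False


def root_equivalent_users(text):
    """Users whose rules amount to unrestricted root: ALL, or a command pattern
    ending in a bare '*' (any arguments), which the page warns is equivalent
    to giving the user root privileges."""
    aliases, specs = parse_sudoers(text)
    flagged = set()
    for user, entries in specs.items():
        for entry in entries:
            for pattern in aliases.get(entry, [entry]):
                if pattern == "ALL" or pattern.endswith(" *"):
                    flagged.add(user)
    return sorted(flagged)


if __name__ == "__main__":
    for user, cmd in [("jdoe", "/opt/oracle/dcs/bin/odacli create database -db newdb"),
                      ("oracle", "/opt/oracle/dcs/bin/odacli describe-appliance"),
                      ("jdoe2", "/opt/oracle/dcs/bin/odacli list-databases")]:
        print(user, "allowed" if allowed(SAMPLE_SUDOERS, user, cmd) else "denied", cmd)
    print("root-equivalent users:", root_equivalent_users(SAMPLE_SUDOERS))
```

Run it against a copy of the real /etc/sudoers only as a first-pass review; visudo -c remains the authoritative syntax check.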

Using Cryptographic Services

Cryptographic services can help to protect and validate information at rest, in transit, and in use.

From encryption and decryption to digital fingerprint and certificate validation, cryptography is one of the most-widely deployed security controls in IT organizations.

Whenever possible, Oracle Database Appliance makes use of the hardware-based cryptographic engines in Intel processors (AES-NI) and Oracle SPARC processors. Using hardware for cryptographic operations provides a significant performance improvement over performing the operations in software. Both engines can perform cryptographic operations in hardware, and both are leveraged by Oracle software on the database and storage servers.

Network cryptographic services protect the confidentiality and integrity of communications by using a cryptographically-secure protocol. For example, Secure Shell (SSH) access provides secure administrative access to systems and Oracle Integrated Lights Out Manager (Oracle ILOM). SSL/TLS can enable secure communications between applications and other services.

Database cryptographic services are available from Oracle Advanced Security. Oracle Advanced Security encrypts information in the database using transparent data encryption (TDE). TDE supports encryption of application tablespaces and encryption of individual columns within a table. Data stored in temporary tablespaces and redo logs is also encrypted. When the database is backed up, the data remains encrypted on the destination media. This protects information at rest no matter where it is physically stored. Organizations concerned about the confidentiality of stored database content should consider Oracle Advanced Security, whether encryption is needed at the tablespace level or the column level.

In addition, Oracle Advanced Security encrypts Oracle Net Services and JDBC traffic using either native encryption or TLS to protect information while in transit over a network. Both administrative and application connections can be protected to ensure that data in transit is protected. The TLS implementation supports the standard set of authentication methods including server-only authentication using X.509 certificates and mutual (client-server) authentication with X.509.

Monitoring and Auditing of Databases on Oracle Database Appliance

Oracle Database Appliance includes Oracle Database Fine Grained Auditing (FGA), Oracle Audit Vault, and Oracle Database Firewall Remote Monitor, which provide comprehensive monitoring and auditing features.

Whether for compliance reporting or incident response, monitoring and auditing are critical functions that organizations must use to gain increased visibility into their IT environment. The degree to which monitoring and auditing is employed is often based upon the risk or criticality of the environment. Oracle Database Appliance has been designed to offer comprehensive monitoring and auditing functionality at the server, network, database, and storage layers ensuring that information can be made available to organizations in support of their audit and compliance requirements.

Oracle Database Fine Grained Auditing (FGA) can help you to create audit records at the level of individual tables and columns, reducing audit overhead. FGA enables organizations to establish policies that selectively determine when audit records are generated. This helps organizations to focus on other database activities, and to reduce the overhead that is often associated with audit activities.

Oracle Audit Vault centralizes the management of database audit settings and automates the consolidation of audit data into a secure repository. Oracle Audit Vault includes built-in reporting to monitor a wide range of activities including privileged user activity and changes to database structures. The reports generated by Oracle Audit Vault enable visibility into various application and administrative database activities, and provide detailed information to support accountability of actions.

Oracle Audit Vault enables the proactive detection and alerting of activities that may be indicative of unauthorized access attempts or abuse of system privileges. These alerts can include both system and user-defined events and conditions, such as the creation of privileged user accounts or the modification of tables containing sensitive information.

Oracle Database Firewall Remote Monitor can provide real-time database security monitoring. Oracle Database Firewall Remote Monitor queries database connections to detect malicious traffic, such as application bypass, unauthorized activity, SQL injection and other threats. Using an accurate SQL grammar-based approach, Oracle Database Firewall helps organizations quickly identify suspicious database activity.

About FIPS 140-2 Compliance on Oracle Database Appliance

Understand how FIPS 140-2 is implemented on Oracle Database Appliance.

Starting with Oracle Database Appliance release 19.11, the Linux kernel used by Oracle Database Appliance running on bare metal and on KVM Database Systems is compliant with the United States Federal Information Processing Standard 140-2 (FIPS 140-2) Level 1. In accordance with the FIPS standard, the algorithms used by Secure Shell (SSH) are limited to those permitted by the standard. FIPS 140-2 is supported on both newly provisioned systems and patched systems. When a system is updated, FIPS support is enabled automatically; no user intervention is needed.

About Enabling STIG on Oracle Database Appliance

Understand how you can enable Security Technical Implementation Guidelines (STIG) for Oracle Database Appliance.

The Defense Information Systems Agency (DISA) recommends the Security Technical Implementation Guidelines (STIG) for deployment and management of software, hardware, and system components. For more information about STIG standards, see https://public.cyber.mil/stigs/downloads/.

Oracle Database Appliance bundles the STIG script stig.py with the product for both bare metal and Virtualized Platform, in the directory /opt/oracle/oak/bin.

Running the STIG Script

Follow these steps to run the STIG script:

  1. Log in as root user.
  2. Run the command from the /opt/oracle/oak/bin directory:
    # ./stig.py

    On Virtualized Platform, run stig.py in ODA_BASE on both nodes to ensure that the script can fix any exceptions.

The table lists the command options for the STIG script.

Table 2-1 STIG Options for Oracle Database Appliance

Command Option   Description
---------------  ------------------------------------------------------------
-h               Specifies command options for Oracle Database Appliance STIG scripts
-v               Describes the STIG version information
enable-SSH       Enables direct ssh root login on the system
disable-SSH      Disables direct ssh root login on the system
check            Checks and lists Oracle Database Appliance STIG violations on the system. Use check -h to display all parameters for the check option.
fix              Fixes Oracle Database Appliance STIG violations reported on the system. Use fix -h to display all parameters for the fix option.

The table lists the parameters for the check option in the STIG script.

Table 2-2 Parameters for check option for Oracle Database Appliance STIG Script

Command Option   Description
---------------  ------------------------------------------------------------
-h               Provides help for the check option.
all              Tests and reports the violations on the system that do not adhere to STIG standards
perm             Tests and reports the violations on the system for file/directory permissions checks
conf             Tests and reports the violations on the system for configuration checks
audit            Tests and reports the violations on the system for auditing checks
account          Tests and reports the violations on the system for accounts checks
fs               Tests and reports the violations on the system for file systems checks
grub             Tests and reports the violations on the system for enable/disable of grub password checks
access           Tests and reports the violations on the system for access-related checks

The table lists the parameters for the fix option in the STIG script.

Table 2-3 Parameters for fix option for Oracle Database Appliance STIG Script

Command Option   Description
---------------  ------------------------------------------------------------
-h               Provides help for the fix option.
all              Fixes all the recommendations suggested by STIG standards
perm             Fixes the system file/directory permissions to adhere to STIG recommendations
conf             Fixes the system configuration to adhere to STIG recommendations
audit            Fixes the system audits to adhere to STIG recommendations
account          Fixes the system accounts to adhere to STIG recommendations
fs               Fixes the system file systems to adhere to STIG recommendations
grub             Fixes the system for enable/disable of grub password to adhere to STIG recommendations
access           Fixes the system access to adhere to STIG recommendations
rollback         Returns the system files to the system-imaged state (without STIG modifications). Run this option only with the fix option.
restore_prev     Returns the system files to the state prior to the previous security vulnerability fix. Run this option only with the fix option.

Logging of STIG Checks

The logs for STIG checks and fixes are stored in the directory /opt/oracle/oak/log/oda_1/stig/, in files such as check_time_stamp.log. A log file is created for each execution of the check, fix, enable, and disable commands, with the time stamp appended to the log file name.

Examples for Running the STIG Script

Example 2-3 Checking for STIG Compliance

# ./stig.py check 

Example 2-4 Implementing STIG Changes

# ./stig.py fix 

Fixing Failed STIG Rules

There may be STIG rules that need system administrator assistance for implementing them. These STIG rules have a status of Failed after you run the STIG script with the fix option.

For example:
[STIG_ID : OL07-00-040100]      Firewall is not configured to comply with PPSM CLSA and PPSM CALL, please contact system administrator -> FAILED
[STIG_ID : OL07-00-041001]      esc and pam_pkcs rps to be configured, please contact system administrator -> FAILED
[STIG_ID : OL07-00-020210]      SELINUX is not configured to be enforcing, please contact system administrator -> FAILED
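Because each run writes a time-stamped log, the FAILED rules that need a system administrator are easiest to hand off when pulled out of the log automatically. The following Python script is an added example (not Oracle's code) that parses result lines in the format shown above; the sample log is constructed from the three page lines plus one invented PASSED line with a placeholder rule ID.

```python
import re
from collections import defaultdict

# Constructed sample of stig.py fix output. The three FAILED lines are the ones
# quoted on the page; the PASSED line and its rule ID are invented placeholders.
SAMPLE_STIG_LOG = """\
[STIG_ID : OL07-00-040100]      Firewall is not configured to comply with PPSM CLSA and PPSM CALL, please contact system administrator -> FAILED
[STIG_ID : OL07-00-041001]      esc and pam_pkcs rps to be configured, please contact system administrator -> FAILED
[STIG_ID : OL07-00-020210]      SELINUX is not configured to be enforcing, please contact system administrator -> FAILED
[STIG_ID : OL07-00-XXXXXX]      placeholder rule that the script fixed itself -> PASSED
"""

# One result line: "[STIG_ID : <id>]  <message> -> <STATUS>"
LINE_RE = re.compile(
    r"^\[STIG_ID\s*:\s*(?P<id>[\w-]+)\]\s+(?P<msg>.*?)\s*->\s*(?P<status>[A-Z]+)$")


def parse_stig_log(text):
    """Yield (stig_id, message, status) for each recognised result line;
    anything else in the log (headers, blank lines) is skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("id"), m.group("msg"), m.group("status")


def summarize(text):
    """Map each status to the rule IDs that ended in it, in log order."""
    by_status = defaultdict(list)
    for sid, _msg, status in parse_stig_log(text):
        by_status[status].append(sid)
    return dict(by_status)


def needs_admin(text):
    """Rules still FAILED after a fix run need a system administrator, as the
    page states; return their (id, message) pairs for a hand-off ticket."""
    return [(sid, msg) for sid, msg, status in parse_stig_log(text)
            if status == "FAILED"]


if __name__ == "__main__":
    for status, ids in summarize(SAMPLE_STIG_LOG).items():
        print(f"{status}: {len(ids)} rule(s)")
    for sid, msg in needs_admin(SAMPLE_STIG_LOG):
        print(f"  {sid}: {msg}")
```

To use it on a real run, read the newest file under /opt/oracle/oak/log/oda_1/stig/ and pass its contents to needs_admin.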

About Enabling CIS Benchmarks on Oracle Database Appliance

Understand the Center for Internet Security (CIS) Benchmarks for Oracle Database Appliance.

Center for Internet Security (CIS) Benchmarks are best practices for the secure configuration of a target system. They are consensus-based, best-practice security configuration guides developed and accepted by government, business, industry, and academia. The CIS Benchmarks are available for download at https://learn.cisecurity.org/benchmarks.

Center for Internet Security (CIS) Benchmarks support was available in earlier Oracle Database Appliance releases, but Oracle Database Appliance release 19.11 does not currently support CIS Benchmarks.

Using Oracle ILOM for Secure Management

Oracle Integrated Lights-Out Management (Oracle ILOM) enables full out-of-band management, providing remote management capability for Oracle Database Appliance.

Collections of security controls and capabilities are necessary to properly secure individual applications and services. It is equally important to have comprehensive management capabilities to sustain the security of the deployed services and systems. Oracle Database Appliance uses the security management capabilities of Oracle ILOM.

Oracle ILOM is a service processor embedded in many Oracle Database Appliance components to perform out-of-band management activities. Oracle ILOM provides the following features:

  • Secure access to perform secure lights-out management of the database and storage servers. Access includes web-based access protected by Transport Layer Security (TLS), command-line access using Secure Shell, and SNMPv3 protocols.

  • Separate duty requirements using a role-based access control model. Individual users are assigned to specific roles that limit the functions that can be performed.

  • An audit record of all logins and configuration changes. Each audit log entry lists the user performing the action, and a timestamp. This allows organizations to detect unauthorized activity or changes, and attribute those actions back to specific users.