Security Hardening of Oracle Database

oracle

This post introduces how to implement security hardening of Oracle database.

1. Verification function of password limits

Below script contains a verification function name ora12c_verify_function:

1
2
[[email protected] ~]$ ls -l $ORACLE_HOME/rdbms/admin/utlpw*
-rw-r--r--. 1 oracle oinstall 12543 11月  7 2013 /oracle/app/oracle/product/12c/db_1/rdbms/admin/utlpwdmg.sql

2. Resource limit of default profile after executing utlpwdmg.sql

utlpwdmg.sql script will modify default profile as below rules:

1
2
3
4
5
6
7
8
ALTER PROFILE DEFAULT LIMIT
PASSWORD_LIFE_TIME 180
PASSWORD_GRACE_TIME 7
PASSWORD_REUSE_TIME UNLIMITED
PASSWORD_REUSE_MAX  UNLIMITED
FAILED_LOGIN_ATTEMPTS 10
PASSWORD_LOCK_TIME 1
PASSWORD_VERIFY_FUNCTION ora12c_verify_function;

Also create ORA_STIG_PROFILE as below rules:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
SQL> col profile for a30
col resource for a30
col limit for a50
set line 200 pagesize 200
select * from dba_profiles;
SQL> 
PROFILE 		       RESOURCE_NAME			RESOURCE LIMIT						    COM
------------------------------ -------------------------------- -------- -------------------------------------------------- ---
DEFAULT 		       COMPOSITE_LIMIT			KERNEL	 UNLIMITED					    NO
DEFAULT 		       SESSIONS_PER_USER		KERNEL	 UNLIMITED					    NO
DEFAULT 		       CPU_PER_SESSION			KERNEL	 UNLIMITED					    NO
DEFAULT 		       CPU_PER_CALL			KERNEL	 UNLIMITED					    NO
DEFAULT 		       LOGICAL_READS_PER_SESSION	KERNEL	 UNLIMITED					    NO
DEFAULT 		       LOGICAL_READS_PER_CALL		KERNEL	 UNLIMITED					    NO
DEFAULT 		       IDLE_TIME			KERNEL	 UNLIMITED					    NO
DEFAULT 		       CONNECT_TIME			KERNEL	 UNLIMITED					    NO
DEFAULT 		       PRIVATE_SGA			KERNEL	 UNLIMITED					    NO
DEFAULT 		       FAILED_LOGIN_ATTEMPTS		PASSWORD 10						    NO
DEFAULT 		       PASSWORD_LIFE_TIME		PASSWORD 180						    NO
DEFAULT 		       PASSWORD_REUSE_TIME		PASSWORD UNLIMITED					    NO
DEFAULT 		       PASSWORD_REUSE_MAX		PASSWORD UNLIMITED					    NO
DEFAULT 		       PASSWORD_VERIFY_FUNCTION 	PASSWORD NULL						    NO
DEFAULT 		       PASSWORD_LOCK_TIME		PASSWORD 1						    NO
DEFAULT 		       PASSWORD_GRACE_TIME		PASSWORD 7						    NO
ORA_STIG_PROFILE	       COMPOSITE_LIMIT			KERNEL	 DEFAULT					    NO
ORA_STIG_PROFILE	       SESSIONS_PER_USER		KERNEL	 DEFAULT					    NO
ORA_STIG_PROFILE	       CPU_PER_SESSION			KERNEL	 DEFAULT					    NO
ORA_STIG_PROFILE	       CPU_PER_CALL			KERNEL	 DEFAULT					    NO
ORA_STIG_PROFILE	       LOGICAL_READS_PER_SESSION	KERNEL	 DEFAULT					    NO
ORA_STIG_PROFILE	       LOGICAL_READS_PER_CALL		KERNEL	 DEFAULT					    NO
ORA_STIG_PROFILE	       IDLE_TIME			KERNEL	 15						    NO
ORA_STIG_PROFILE	       CONNECT_TIME			KERNEL	 DEFAULT					    NO
ORA_STIG_PROFILE	       PRIVATE_SGA			KERNEL	 DEFAULT					    NO
ORA_STIG_PROFILE	       FAILED_LOGIN_ATTEMPTS		PASSWORD 3						    NO
ORA_STIG_PROFILE	       PASSWORD_LIFE_TIME		PASSWORD 60						    NO
ORA_STIG_PROFILE	       PASSWORD_REUSE_TIME		PASSWORD 365						    NO
ORA_STIG_PROFILE	       PASSWORD_REUSE_MAX		PASSWORD 10						    NO
ORA_STIG_PROFILE	       PASSWORD_VERIFY_FUNCTION 	PASSWORD ORA12C_STRONG_VERIFY_FUNCTION			    NO
ORA_STIG_PROFILE	       PASSWORD_LOCK_TIME		PASSWORD UNLIMITED					    NO
ORA_STIG_PROFILE	       PASSWORD_GRACE_TIME		PASSWORD 5						    NO

3. Difference between 11g and 12c

3.1 verify_function_11G Function Password Requirements

This function checks for the following requirements when users create or modify passwords:

  • The password is not the same as the user name, nor is it the user name spelled backward or with the numbers 1–100 appended.
  • The password is not the same as the server name or the server name with the numbers 1–100 appended.
  • The password is not too simple (for example, oracle, oracle with the numbers 1–100 appended, welcome1, database1, account1, user1234, password1, oracle123, computer1, abcdefg1, or change_on_install).
  • The password includes at least 1 numeric and 1 alphabetic character.
  • The password differs from the previous password by at least 3 characters.

The following internal checks are also applied:

  • The password contains no fewer than 8 characters and does not exceed 30 characters.
  • The password does not contain the double-quotation character ("). It can be surrounded by double-quotation marks, however.

3.2 ora12c_verify_function Password Requirements

The ora12c_verify_function function provides requirements that the Department of Defense Database Security Technical Implementation Guide recommends.

This function checks for the following requirements when users create or modify passwords:

  • The password contains no fewer than 8 characters and includes at least 1 numeric and 1 alphabetic character.
  • The password is not the same as the user name or the user name reversed.
  • The password is not the same as the database name.
  • The password does not contain the word oracle (such as oracle123).
  • The password is not too simple (for example, welcome1, database1, account1, user1234, password1, oracle123, computer1, abcdefg1, or change_on_install).
  • The password differs from the previous password by at least 3 characters.
  • The password contains at least one special character.

The following internal checks are also applied:

  • The password does not exceed 30 characters.
  • The password does not contain the double-quotation character ("). It can be surrounded by double-quotation marks, however.

3.3 ora12c_strong_verify_function Function Password Requirements

The ora12c_strong_verify_function function fulfills the Department of Defense Database Security Technical Implementation Guide requirements.

This function checks for the following requirements when users create or modify passwords:

  • The password must contain at least 2 upper case characters, 2 lower case characters, 2 numeric characters, and 2 special characters. These special characters are as follows:

    1
    ‘ ~ ! @ # $ % ^ & * ( ) _ - + = { } [ ] \ / < > , . ; ? ' : | (space)

  • The password must differ from the previous password by at least 4 characters.

The following internal checks are also applied:

  • The password contains no fewer than nine characters and does not exceed 30 characters.
  • The password does not contain the double-quotation character ("). It can be surrounded by double-quotation marks, however.

4. Example of modifying user profile

1
2
alter profile default limit PASSWORD_LIFE_TIME UNLIMITED;
alter profile default limit PASSWORD_VERIFY_FUNCTION null;

5. Summary

Even with Oracle 12c, security hardening is not enabled by force, DBA need to execute utlpwdmg.sql manually to enable.
By default, this script will update default profile, which is the default profile for all users. It's recommended to modify this script, not using default profile for all users.

Reference:
Database Security Guide-Configuring Authentication

EOF

#how to
A Brief Introduction of Oracle Role and Privilege Easy Connect with ORA-12504