E-book, English, 351 pages
Mustafa / Lockard: Oracle Database Application Security
1st ed.
ISBN: 978-1-4842-5367-0
Publisher: Apress
Format: PDF
Copy protection: 1 - PDF watermark
With Oracle Internet Directory, Oracle Access Manager, and Oracle Identity Manager
Focus on the security aspects of designing, building, and maintaining a secure Oracle Database application. Starting with data encryption, you will learn to work with transparent data encryption, backups, and network encryption. You will then go through the key principles of auditing, where you will learn about identity preservation, policies, and fine-grained audits. Moving on to virtual private databases, you will set up and configure a VPD to work in concert with other Oracle security features, followed by tips on managing configuration drift, profiles, and default users.
Shifting focus to coding, you will take a look at secure coding standards, multi-schema database models, code-based access control, and SQL injection. Finally, you'll cover single sign-on (SSO), and will be introduced to Oracle Internet Directory (OID), Oracle Access Manager (OAM), and Oracle Identity Management (OIM) by installing and configuring them to meet your needs.
Oracle databases hold the majority of the world's relational data and are attractive targets for attackers seeking high-value data to steal. Compromise of a single Oracle Database can result in tens of millions of breached records and millions of dollars in breach-mitigation costs. This book gets you ready to avoid that nightmare scenario.
What You Will Learn
Work with Oracle Internet Directory using the command line and the console
Integrate Oracle Access Manager with different applications
Work with the Oracle Identity Manager console and connectors, and create your own custom connector
Troubleshoot issues with OID, OAM, and OID
Dive deep into file system and network security concepts
Who This Book Is For
Oracle DBAs and developers. Readers will need a basic understanding of Oracle RDBMS and Oracle Application Server to take complete advantage of this book.
Osama Mustafa is a database specialist, an Oracle ACE Director, Certified Oracle Professional (10g, 11g), Certified Ethical Hacker and Sun System Administrator. Osama currently works as an Oracle Instructor in the Middle East. He also works on troubleshooting and the implementation of database projects. He spends his free time on Oracle OTN forums and publishes many articles, including Oracle database articles, on his blog.
Robert P. Lockard is an Oracle ACE Director, a professional Oracle DBA, designer, developer, and project manager with more than three decades of experience. For the past twenty years he has worked as an independent consultant providing quality services to his customers at a reasonable price. Robert has worked in financial intelligence tracking money laundering, terrorist money, and identity theft. He has also worked in the cyber crimes arena tracking attacks on information systems. He specializes in evaluating and securing your Oracle database environment from threats both external and internal.
Further Information & Material
1 Table of Contents  5
2 About the Authors  11
3 About the Technical Reviewer  12
4 Acknowledgments  13
5 Introduction  14
6 Chapter 1: Encryption  15
  6.1 Transparent Data Encryption  15
    6.1.1 Rekey the Keystore Master Encryption Key  20
    6.1.2 Query the Master Key Information  21
      6.1.2.1 V$ENCRYPTION_WALLET  21
      6.1.2.2 V$ENCRYPTION_KEYS  23
      6.1.2.3 V$DATABASE_KEY_INFO  27
    6.1.3 Rekey a Table Key  29
    6.1.4 Rekey a Tablespace  29
    6.1.5 Change the Password of the Keystore  30
  6.2 Column Encryption  31
    6.2.1 Salt or No Salt?  32
    6.2.2 Encrypt a Column in an Existing Table  32
    6.2.3 Primary Key Foreign Key Constraints on an Encrypted Column  33
    6.2.4 Rekey a Column  33
  6.3 Tablespace Encryption  34
  6.4 Tablespace Encryption vs. Column Encryption Performance  36
  6.5 External Table Encryption  38
  6.6 Where Can Data Spill Out in Plain Text When Using External Tables?  42
  6.7 Full Database Encryption  44
  6.8 Ghost Data  45
    6.8.1 How to Fix It  47
    6.8.2 Column Encryption  47
    6.8.3 Tablespace Encryption  47
    6.8.4 Full Encryption  47
    6.8.5 Online Tablespace Encryption  48
    6.8.6 External Tables  48
    6.8.7 Algorithms  48
  6.9 RMAN  49
  6.10 Data Pump  50
  6.11 Network Encryption and Integrity  53
    6.11.1 Configure  53
    6.11.2 Cross-Border Issues  57
    6.11.3 Integrity  58
7 Chapter 2: Audits  60
  7.1 Ways to Audit a Database  61
    7.1.1 Application API Code  61
    7.1.2 Auditing with Trigger Code  61
    7.1.3 Normal Audit  62
    7.1.4 Unified Audit  63
    7.1.5 Fine-Grained Auditing  65
    7.1.6 Comparing Methods  66
    7.1.7 What Happened Yesterday  68
      7.1.7.1 Audit Reports  69
      7.1.7.2 Connections by os_username, username, terminal, and userhost  69
      7.1.7.3 Invalid Login Attempts  71
      7.1.7.4 Audit the Privileges Used in the Last 24 Hours  75
      7.1.7.5 Look for Select, Update, and Delete Statements Against Sensitive Tables That Bypass the Application  75
      7.1.7.6 Unusual Application Activity Against Sensitive Tables That Should Be Accessed from Only Specific IP Addresses  76
  7.2 What Are You Looking for When You Audit?  80
  7.3 Accessing Information Outside of the Trusted Path  80
  7.4 The Policy Needs to Tell Who, What, When, and Where  81
    7.4.1 Who  82
    7.4.2 What  82
    7.4.3 When  82
    7.4.4 Where  83
    7.4.5 Configuration Drift  83
      7.4.5.1 ORACLE_HOME  85
      7.4.5.2 New Objects  87
      7.4.5.3 Altered Objects  87
8 Chapter 3: Privilege Analysis  88
  8.1 SYS.DBMS_PRIVILEGE_CAPTURE  89
    8.1.1 Requirements  90
    8.1.2 Capture Modes  90
      8.1.2.1 Database  91
      8.1.2.2 Role  91
      8.1.2.3 Context  92
      8.1.2.4 Role and Context  92
    8.1.3 Procedures  92
      8.1.3.1 CREATE_CAPTURE  93
      8.1.3.2 ENABLE_CAPTURE  95
      8.1.3.3 DISABLE_CAPTURE  96
      8.1.3.4 GENERATE_RESULTS  97
      8.1.3.5 DROP_CAPTURE  97
    8.1.4 Views  98
      8.1.4.1 DBA_USED_PRIVS  98
      8.1.4.2 DBA_USED_SYSPRIVS  101
      8.1.4.3 DBA_USED_OBJPRIVS  103
      8.1.4.4 DBA_USED_USERPRIVS  105
      8.1.4.5 DBA_USED_PUBPRIVS  107
      8.1.4.6 DBA_UNUSED_PRIVS  109
      8.1.4.7 DBA_UNUSED_SYSPRIVS_PATH  112
      8.1.4.8 DBA_UNUSED_SYSPRIVS  113
      8.1.4.9 DBA_UNUSED_OBJPRIVS_PATH  114
      8.1.4.10 DBA_UNUSED_OBJPRIVS  116
      8.1.4.11 DBA_UNUSED_USERPRIVS_PATH  117
      8.1.4.12 DBA_UNUSED_USERPRIVS  118
  8.2 Putting It Together  119
9 Chapter 4: Oracle Database Threats  137
  9.1 Threat Categories  138
    9.1.1 What Protocol Is Your Database Server Using?  138
    9.1.2 Understand the Code Running on Your Database  139
    9.1.3 Debug, Debug, and Then Debug Some More  139
    9.1.4 Test It Before Implementing It  139
  9.2 Dealing with Threats  139
    9.2.1 Oracle Authentication and Authorization  140
    9.2.2 TNS Poisoning  145
    9.2.3 PL/SQL Injection  162
    9.2.4 Execute Operating System Commands Through Oracle  165
    9.2.5 Injecting a Rootkit into the Oracle Database  169
    9.2.6 Running Operating System Commands Using DBMS_SCHEDULER  171
    9.2.7 Disable Audits Using Oradebug Tools  171
    9.2.8 Access the Operating System File System  172
  9.3 Oracle Security Recommendations  172
    9.3.1 Oracle TNS Listener  173
      9.3.1.1 Set the TNS LISTENER Password  173
      9.3.1.2 Turn On the Admin Restriction  174
      9.3.1.3 Turn On Valid Node Checking  174
    9.3.2 Database Accounts  175
      9.3.2.1 Lock Unused Accounts  175
      9.3.2.2 New Account Creation  175
      9.3.2.3 Password  175
    9.3.3 PL/SQL Packages, Procedures, and Functions  177
    9.3.4 Patching  178
    9.3.5 Review Database Privileges Frequently  178
10 Chapter 5: Network Access and Evaluation  179
  10.1 What Is an Access Control List?  179
    10.1.1 File System ACL  180
    10.1.2 Network ACL  181
    10.1.3 SQL ACL  182
    10.1.4 Access Control List Concepts  183
      10.1.4.1 Principals  183
      10.1.4.2 Privileges  184
  10.2 Working with ACLs  187
    10.2.1 Creating an ACL  187
    10.2.2 Deleting an ACL  191
    10.2.3 Creating an ACL Based on an Existing ACL  191
    10.2.4 Checking Privileges  194
    10.2.5 Dropping an ACL  196
    10.2.6 Testing an ACL  197
      10.2.6.1 Testing Using UTL_HTTP  197
      10.2.6.2 Testing Using UTL_SMTP  199
  10.3 Set Up HTTPS Using an ACL  200
    10.3.1 Downloading the Certificate from the Web Site You Would Like to Access  201
    10.3.2 Uploading the Certificate  206
    10.3.3 Creating the Wallet  206
    10.3.4 Testing the Web Site  207
  10.4 Summary  207
11 Chapter 6: Secure Coding and Design  208
  11.1 Problematic Designs  209
  11.2 Improved Design  211
  11.3 Schema-Only Accounts  213
  11.4 Trusted Path  214
    11.4.1 Definer's and Invoker's Rights  217
      11.4.1.1 Definer's Rights  217
      11.4.1.2 Invoker's Rights  221
    11.4.2 accessible by  224
  11.5 Using the Schema-Only Account  228
  11.6 Code-Based Access Control  229
    11.6.1 Set Up Roles and Privileges  235
    11.6.2 Build the API Schema  237
    11.6.3 Business Logic Schema  241
  11.7 Error Handling  242
  11.8 Summary  255
12 Chapter 7: Single Sign-On  256
  12.1 SSO Terms and Concepts  257
  12.2 Installation and Configuration  261
    12.2.1 Oracle Webgate Installation and Configuration  261
    12.2.2 Oracle Internet Directory Installation  275
      12.2.2.1 Configure the Repository Creation Utility  277
      12.2.2.2 Configure the OID Domain  286
        12.2.2.2.1 Start Node Manager  303
        12.2.2.2.2 Start the Administration Server  304
        12.2.2.2.3 Start the Managed Servers  304
      12.2.2.3 OID Links  304
      12.2.2.4 Initial Setup for OID  305
  12.3 Oracle Access Manager  307
    12.3.1 Oracle Access Manager Prerequisites  308
    12.3.2 Oracle Access Manager Resource Type  309
    12.3.3 Oracle Access Manager Authentication  310
    12.3.4 Oracle Access Manager Single Sign-On Cookie  311
    12.3.5 Oracle Access Manager Installation  311
      12.3.5.1 Configure the Repository Creation Utility for OAM  312
      12.3.5.2 Configure the OAM Domain  321
    12.3.6 Verify the OAM Installation  329
  12.4 Single Sign-on Examples  332
    12.4.1 Integrate WebLogic with Kerberos  332
      12.4.1.1 Active Directory Setup  333
      12.4.1.2 Create a Kerberos File  333
      12.4.1.3 Create the Keytab File  334
      12.4.1.4 Configure the WebLogic Server  335
      12.4.1.5 Test the Configuration  336
    12.4.2 Configure SSO for a Siebel Application  337
    12.4.3 Configure SSO for EBS 12.2.x, Integration with Oracle Access Manager, and Oracle Internet Directory  340
13 Index  343