Lab4 Oracle Database Security

Lab 9 Oracle Database Security

Contents
1. Introducing Database Security
2. Database controls
3. Oracle Database Security Solutions
3.1 Assess the database to find and remove unnecessary risk
3.2 Encrypt data at rest
3.3 Control access to the data
3.4 Audit database activity

1. Introducing Database Security.


Data security refers to the safeguards used to secure data from
unauthorized access and to maintain the confidentiality, integrity, and
availability of data. Threats to data are increasing day by day.

Top Cyber Security Experts Report

Source: https://www.prnewswire.com/news-releases/top-cyber-security-experts-report-4-000-cyber-attacks-a-day-since-covid-19-pandemic-301110157.html
Data security best practices include data protection techniques (data
encryption, key management, data redaction, data subsetting, and data masking)
as well as privileged user access controls, auditing, and monitoring.

Outsiders and Insiders

They all create risks to the security of personal data, financial data, trade secrets
and regulated data.
2. Database controls:
- Assessment controls: help evaluate the security status of the database and
will also provide the ability to identify configuration changes.
- Detect: monitors user and application access to data, identifies anomalous
behavior, and detects and blocks threats.
- Prevent: blocks unauthorized access to data by encrypting, redacting,
masking, and substituting data, based on the intended use case. The ultimate
goal is to prevent unauthorized access to data.
- Data: enforces application-level access policies within the database,
providing a consistent authorization model across multiple applications,
reporting tools, and database clients.
- Users: enforce appropriate user authentication and authorization policies,
ensuring that only authenticated and authorized users have access to data.

3. Oracle Database Security Solutions


3.1 Assess the database to find and remove unnecessary risk
The Oracle Database Security Assessment Tool (DBSAT) helps
identify areas where your database configuration, operations, or deployment pose
risk and recommends changes and controls to minimize those risks.
Download DBSAT:
https://www.oracle.com/uk/database/technologies/security/dbsat.html
Download DBSAT on drive:
https://drive.google.com/file/d/1467ucvXl4wqrjFI0Y1gNOFnBzm-kvRbA/view?usp=sharing

Create the dbsat directory, and cd to the dbsat directory.

Then collect the database data:
./dbsat collect system /home/oracle/dbsat/db04

The above command collects data from the database and saves it in the dbsat
directory under the name db04. When it completes, the line "DBSAT Collector
completed successfully" appears.
Check the db04 file after the collect step has finished:

Once created, check to see if there is a db04_report file in the dbsat directory:

We can view db04_report in HTML


Video Demo DBSAT Tool:
https://drive.google.com/file/d/1TqtEJzgpDX3ym8uRYxG0qIHXcbGkGBdO/view?usp=sharing

3.2 Encrypt data at rest


Encrypting data at rest in Oracle involves applying encryption techniques
to protect the confidentiality and integrity of data.
This includes:
- Encrypting Data at Rest (Static Encryption)
- Transparent Data Encryption (TDE)
First, open cmd and use the sqlplus / as sysdba command to log in to
the Oracle database.
Then use commands such as show pdbs to check the database information, and use
the commands in the red box to check whether the wallet has been set.
After checking, the wallet type and wallet status are still unknown. We use
the alter system set wallet_root command to set the wallet location, then use
the shutdown immediate and startup commands to restart the database so that the
new wallet location takes effect.

Next we use the command administer key management create keystore to
create a keystore.
After creating the keystore, the wallet's status has changed to closed, proving
that the wallet has been created successfully. Next we use the command
administer key management set keystore open to open the wallet. If
successful, the wallet type will change to password and the status will be
open no master key.
We check the key column with the red command below and will see that
key_id is not there.

We use the administer key management set key ... with backup container command
above to set the key_id for the PDB. We have successfully configured TDE.
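
The TDE keystore steps described above, written out as one SQL*Plus session. This is an added example, not the lab's own commands: the wallet path and keystore password are placeholders, and the TDE_CONFIGURATION and ALTER PLUGGABLE DATABASE steps are assumptions the lab text does not show.

```sql
-- Added example (constructed). Run in SQL*Plus as SYSDBA from the CDB root.
-- The wallet path and the keystore password are placeholders.

-- 1. Inspect the containers and the current wallet state.
SHOW PDBS
SELECT con_id, wrl_type, wrl_parameter, status, wallet_type
  FROM v$encryption_wallet;

-- 2. Set the wallet location. WALLET_ROOT is a static parameter, so it is
--    written to the spfile and only takes effect after a restart.
ALTER SYSTEM SET wallet_root = '/u01/app/oracle/admin/ORCL/wallet' SCOPE = SPFILE;
SHUTDOWN IMMEDIATE
STARTUP
-- Assumption: open the PDBs so that CONTAINER = ALL below can reach them.
ALTER PLUGGABLE DATABASE ALL OPEN;

-- Assumption (not shown in the lab text): with WALLET_ROOT, the keystore
-- type is chosen through TDE_CONFIGURATION.
ALTER SYSTEM SET tde_configuration = 'KEYSTORE_CONFIGURATION=FILE' SCOPE = BOTH;

-- 3. Create the password-protected keystore under the wallet root.
--    The lab text reports the wallet status as closed after this step.
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE
  IDENTIFIED BY "Placeholder_Keystore_Pwd1";

-- 4. Open the keystore in the root and in every PDB.
--    The lab text reports type password, status open no master key.
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN
  IDENTIFIED BY "Placeholder_Keystore_Pwd1" CONTAINER = ALL;

-- 5. List master keys; none has been created yet at this point.
SELECT con_id, key_id, creation_time FROM v$encryption_keys;

-- 6. Create and activate a master key in each container. WITH BACKUP makes
--    a backup copy of the keystore before the key is written.
ADMINISTER KEY MANAGEMENT SET KEY
  IDENTIFIED BY "Placeholder_Keystore_Pwd1" WITH BACKUP CONTAINER = ALL;

-- 7. Re-check the wallet and confirm every container now has a KEY_ID.
SELECT con_id, status, wallet_type FROM v$encryption_wallet;
SELECT con_id, key_id FROM v$encryption_keys;
```

Losing the keystore or its password makes TDE-encrypted data unrecoverable, so the wallet directory and its backups belong in the backup plan, stored separately from the database files.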
3.3 Control access to the data
3.3.1 User administration
Scenario: The user data_analyst needs access to the Customers table owned by
the sales user, which contains information about customers.
Create users:

* CREATE SESSION — allows an account to connect to a database.


* GRANT RESOURCE — add role RESOURCE to user sales
Create table sales.customers

Grant SELECT permission on the Customers table to user data_analyst

Check:

Revoke SELECT permission on the Customers table from user data_analyst

Check:
In addition to SELECT, we can also grant other permissions such as DELETE, INSERT,
UPDATE...
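
The user administration scenario above as a single script, including the two checks. This is an added example, not the lab's own commands: the passwords, the connect alias pdb_alias, the USERS tablespace quota and the customers columns are assumptions.

```sql
-- Added example (constructed). Run as a DBA connected to the PDB.
-- Passwords, pdb_alias, the quota and the column list are assumptions.
CREATE USER sales        IDENTIFIED BY "Placeholder_Pwd_1" QUOTA 10M ON users;
CREATE USER data_analyst IDENTIFIED BY "Placeholder_Pwd_2";

GRANT CREATE SESSION TO sales, data_analyst;  -- both accounts may connect
GRANT RESOURCE TO sales;                      -- sales may create its own objects

CREATE TABLE sales.customers (
  customer_id NUMBER PRIMARY KEY,
  full_name   VARCHAR2(100) NOT NULL,
  email       VARCHAR2(100)
);
INSERT INTO sales.customers VALUES (1, 'Constructed Customer', 'c1@example.com');
COMMIT;

-- Least privilege: read access to this one table only.
GRANT SELECT ON sales.customers TO data_analyst;

-- Check 1: the data dictionary lists the object privilege.
SELECT grantee, owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'DATA_ANALYST' AND owner = 'SALES';

-- Check 2: as data_analyst, reading works; writing is refused because
-- only SELECT was granted.
CONNECT data_analyst@pdb_alias
SELECT COUNT(*) FROM sales.customers;
INSERT INTO sales.customers VALUES (2, 'Constructed Two', 'c2@example.com');

-- Revoke the privilege and repeat both checks.
CONNECT system@pdb_alias
REVOKE SELECT ON sales.customers FROM data_analyst;

SELECT grantee, owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'DATA_ANALYST' AND owner = 'SALES';

-- With no privilege left on the table, this query is now refused.
CONNECT data_analyst@pdb_alias
SELECT COUNT(*) FROM sales.customers;
```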

3.3.2 Database Vault


Oracle Database Vault provides controls to prevent unauthorized
privileged users from accessing sensitive data, prevent unauthorized
database changes, and helps customers meet industry, regulatory, or
corporate security standards.

Create Database Vault: Create user dvowner and dvmanager to
configure Database Vault.

Enable Database Vault: Log in as dvowner and run the command to
enable database vault.

After the command is executed, we need one more step to restart the
database so that the database vault is activated. To check whether the
database vault is enabled or not:
select * from v$option where parameter = 'Oracle Database Vault';
FALSE → not enabled.
Restart the database:
shutdown immediate;
startup;
After rebooting, we check the database vault again

Create Database Vault realm:


Add object to realm:

Add auth to realm:

Check: Log in with the DBA to test access to the sales.customers table

Log in with the sales user to check access to the sales.customers table
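
The three realm steps and the two access checks above, as an added example that is not the lab's own commands. The realm name and the connect alias pdb_alias are hypothetical, and authorizing sales as realm owner is an assumption consistent with the checks described.

```sql
-- Added example (constructed). Run as the Database Vault owner after
-- Database Vault has been enabled and the database restarted.
-- The realm name and pdb_alias are hypothetical.
CONNECT dvowner@pdb_alias

BEGIN
  -- 1. Create an enabled regular realm that audits failed access attempts.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'Sales Customers Realm',
    description   => 'Protects sales.customers from privileged users',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL,
    realm_type    => 0);  -- 0 = regular realm, 1 = mandatory realm

  -- 2. Place the table under realm protection.
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'Sales Customers Realm',
    object_owner => 'SALES',
    object_name  => 'CUSTOMERS',
    object_type  => 'TABLE');

  -- 3. Authorize the schema owner for the realm (assumption: the lab
  --    authorizes sales, which matches its access checks).
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name   => 'Sales Customers Realm',
    grantee      => 'SALES',
    auth_options => DBMS_MACUTL.G_REALM_AUTH_OWNER);
END;
/

-- Review what the realm protects and who is authorized.
SELECT realm_name, owner, object_name, object_type
  FROM dvsys.dba_dv_realm_object
 WHERE realm_name = 'Sales Customers Realm';
SELECT realm_name, grantee, auth_options
  FROM dvsys.dba_dv_realm_auth
 WHERE realm_name = 'Sales Customers Realm';

-- Check as a DBA: access that relies on system privileges such as
-- SELECT ANY TABLE is blocked by the realm.
CONNECT system@pdb_alias
SELECT COUNT(*) FROM sales.customers;

-- Check as the authorized owner: access is allowed.
CONNECT sales@pdb_alias
SELECT COUNT(*) FROM sales.customers;
```

A regular realm restricts access that comes from system privileges; users holding a direct object grant on sales.customers can still query it, so direct grants need their own review.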
3.4 Audit database activity
Use the show parameter audit command to check the current audit
settings

Create a table in the database

Create a policy that audits insert, update, and delete operations on the income
and income_path columns.
Use the command select * from dba_audit_policies to view the policy

Then insert more information

Then check that the audit record has been captured:


select * from dba_fga_audit_trail;
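
The fine-grained audit steps above as one script. This is an added example, not the lab's own commands: the table sales.employees, its extra columns and the policy name are hypothetical, while the income and income_path columns come from the lab text.

```sql
-- Added example (constructed). Run as a user allowed to execute DBMS_FGA.
-- Table sales.employees and the policy name are hypothetical.
SHOW PARAMETER audit

CREATE TABLE sales.employees (
  emp_id      NUMBER PRIMARY KEY,
  full_name   VARCHAR2(100),
  income      NUMBER(12,2),
  income_path VARCHAR2(200)
);

BEGIN
  -- Audit INSERT, UPDATE and DELETE that touch either sensitive column.
  DBMS_FGA.ADD_POLICY(
    object_schema     => 'SALES',
    object_name       => 'EMPLOYEES',
    policy_name       => 'AUDIT_INCOME_DML',
    audit_column      => 'INCOME,INCOME_PATH',
    audit_column_opts => DBMS_FGA.ANY_COLUMNS,
    statement_types   => 'INSERT,UPDATE,DELETE',
    enable            => TRUE);
END;
/

-- Confirm the policy and the columns it watches.
SELECT object_schema, object_name, policy_name, enabled, ins, upd, del
  FROM dba_audit_policies
 WHERE policy_name = 'AUDIT_INCOME_DML';
SELECT policy_name, policy_column
  FROM dba_audit_policy_columns
 WHERE policy_name = 'AUDIT_INCOME_DML';

-- Generate activity. The second UPDATE changes only full_name, so it
-- does not reference an audited column.
INSERT INTO sales.employees VALUES (1, 'Constructed Employee', 1000, '/constructed/path');
UPDATE sales.employees SET income = 1200 WHERE emp_id = 1;
UPDATE sales.employees SET full_name = 'Renamed Employee' WHERE emp_id = 1;
DELETE FROM sales.employees WHERE emp_id = 1;
COMMIT;

-- Review the captured records. In pure unified auditing mode the records
-- are written to UNIFIED_AUDIT_TRAIL instead of this view.
SELECT timestamp, db_user, object_schema, object_name,
       policy_name, statement_type, sql_text
  FROM dba_fga_audit_trail
 WHERE policy_name = 'AUDIT_INCOME_DML'
 ORDER BY timestamp;
```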
