
Chapter2 User

Chapter 2 of the document discusses essential elements of user security in database systems, focusing on identification and authentication processes. It outlines various identification methods, including user-supplied and technological identification, and emphasizes the importance of strong authentication practices. Additionally, it covers different types of database accounts and management practices for ensuring secure access and privilege control within Oracle Database 12c.

Uploaded by

lionosama621

DATABASE SECURITY

CSEC3360
Chapter 2: Essential Elements of User Security

Dr. Ruba Awadallah

Textbook: David C. Knox, William Maroulis, and Scott Gaetjen: Oracle Database 12c Security. Thanks to Engineer Saif

23/03/2025 Dr. Ruba Awadallah


Understanding Identification and Authentication

▪ To review, the database security flow can be summarized by the following three steps:

1. A user presents an identity to the database.

2. The user proves that he or she is authorized to use the identity presented by providing the password. The password is checked by the database to determine if it is the correct password for the identity presented.

3. Assuming the password is correct, the database assumes the user can be trusted with the identity presented. The database will then determine what privileges and authorizations the user has. Data security is implemented based on the user’s privileges and authorizations.
Identification Methods

➢ Identification is the process of specifically and distinctly recognizing an individual.
❑ Comes in many forms:
- Your photo
- Your fingerprints
- Your employee number
- Your username
❑ The methods for identification fall into two categories:
1. User-supplied identity
2. Technological identification
User-Supplied Identification

❑ In most computer applications, identification is based on the username.

❑ In all cases, the user is responsible for providing the correct identifying information.

❑ Choosing identifiers that don’t indicate the privileges of the person is valuable, too.
Technological Identification

❑ However, designing a security implementation exclusively based on the knowledge of the identifier—for example, a username or account number—is a risky proposition.

❑ The benefit to using user-provided identification is that the identifier (such as username) is generally flexible.

❑ As discussed in the previous paragraph, the benefit is also the weakness.


Technological Identification

➢ Technology also offers a choice of ways to identify ourselves, including biometrics, computer identities, and digital identities.

❑ Biometrics:
o Refers to the biological characteristics of people that can be measured to
distinguish the differences among them.
o Impossible to guess and difficult to steal.
Technological Identification

❑ Biometrics:
o Biometrics are unique in that the same biometric can be used for both the identification and the authentication processes:
❖ With biometric identification, the biometric information is considered unique and can be used to accurately identify the person presenting the biometric.

❖ Biometric authentication is the process of comparing the biometric signature with a reference to prove or disprove an identity—that is, the identity is already known.
Technological Identification

❑ Digital Identities:
o An example seen today is the digital certificates used as part of Public Key
Infrastructures (PKIs).

o Digital certificates are popular not only because the certificates are standards based, but also because the certificates contain additional information that can be used in implementing effective security controls.
Technological Identification

❑ Computer Identities and Non-person Entities (NPEs)
- Computer’s name
- A web browser cookie
- A physical network address (that is, a MAC address)
- Logical network address (IP address)
➢ It is important that you understand how to represent identities, whether or not they represent actual people.
➢ Computers, applications, batch jobs, services, and so forth need to interact with the database in a secure and verifiable way.
Authentication

➢ A process for proving that a person is who they claim to be.

❑ Authentication Methods:
✓ Something you know, such as a password or personal identification number (PIN).
✓ Something you possess, such as a smart card, car key, credit card, or software license key (Legitimate Entity).
✓ Something you are, or biometrics: fingerprints, facial and voice recognition, and iris scans.
❑ Strong vs Weak Authentication
Authentication Best Practices

➢ The best practice is clearly to use strong authentication.

➢ Today, the best practice for high-exposure or high-risk applications and databases is to use multifactor authentication to create a strong authentication environment.

➢ The authentication strength of applications that are connected to your database has a transitive (weakest link in the chain) effect on the security of your database.

➢ Recall: It is good to assume that you are working in a compromised environment.
Understanding Database Account Types

➢ There is no specific syntax for creating the different account types in Oracle (they can all be created with the CREATE USER command).
➢ The types are actually derived from the permissions the accounts possess and how they are used.

➢ A typical Oracle Database has the following types of accounts:

1. End User: typically has a limited number of database privileges, i.e. SELECT, INSERT, UPDATE, DELETE, EXECUTE.
2. Connection pool: supports web applications or web services.
Understanding Database Account Types

3. Non-person entities: support programs that run as automated scheduled jobs and have elevated privileges.

4. Application schema: This account type owns the database objects, such as tables and views.

5. Operational database administrator (DBA): This account type is the most privileged account in a database.

6. Application database administrator: This account type is an end-user account that is responsible for maintaining database objects for a specific application.
Database Account Types in Oracle Database 12c
Multitenant Architecture

The multitenant architecture enables an Oracle database to function as a multitenant container database (CDB) that includes zero, one, or many customer-created pluggable databases (PDBs).

A PDB is a portable collection of schemas, schema objects, and non-schema objects (non-CDB).

A container is either a PDB or the root container (also called the root). The root is a collection of schemas, schema objects, and non-schema objects to which all PDBs belong.

Every multitenant container database will have exactly one root container, named CDB$ROOT, for common users, and one PDB Seed Database, PDB$SEED.
Database Account Types in Oracle Database 12c
Multitenant Architecture

[Figure: Container Database (CDB) ORCL, containing the Root Container (CDB$ROOT), PDB$SEED, and PDBORCL with the HR Schema]


Database Account Types in Oracle Database 12c
Multitenant Architecture

❑ Advantages:
1. At first glance, you might think this consolidation has only reduced the need for multiple operational DBAs.
2. This is certainly desirable as it reduces the cost associated with managing these accounts on multiple database servers.
3. There are also labor cost savings in the work that these operational DBAs perform.
4. We will have fewer servers that we need to apply software patches to, so the cost to ensure our databases are running the latest functional or security patches is reduced.
5. Cost savings related to the time it takes to create and manage a database’s secure initialization parameters.
Privileged Database Account Management in Oracle Database 12c
❑ Administrative Privileges for Separation of Duty:
➢ Oracle Database 12c creates the SYS and SYSTEM schemas when you create a new database:
❖ The SYS schema owns a large number of database objects, referred to as the data dictionary. The SYSTEM account owns a smaller number of database objects.
❖ The SYSTEM schema is an Oracle account that has the DBA role granted to it by default.
❖ SYS: The super-user, manages core database functionality. Used for critical database operations.
❖ SYSTEM: A privileged user for general administration, but not as powerful as SYS. Primarily used for routine management tasks.
▪ Key Difference: SYS manages the database engine, while SYSTEM manages user-level tasks.
Privileged Database Account Management in Oracle Database 12c

NOTE: It is considered a best practice to avoid creating database objects for custom applications under the SYS or SYSTEM schema.
Privileged Database Account Management in Oracle Database 12c
❑ Administrative privileges that are available in the Oracle Database 12c:
- SYSDBA
- SYSOPER
- SYSBACKUP
- SYSDG
- SYSKM
- SYSASM
Privileged Database Account Management in Oracle Database 12c

➢ The database also includes the traditional SYSDBA and SYSOPER administrative privileges.

1. SYSDBA: This privilege is analogous to the “root” account on a UNIX operating system, as SYSDBA provides access to all objects and all privileges in the database.

2. SYSOPER: provides delegated administration of database startup, shutdown, initialization file management, database open, database mount, and database backup and recovery.

3. SYSBACKUP: provides delegated administration of database backup and recovery capabilities.

4. SYSDG: provides administration for disaster recovery with the Oracle Data Guard (DG).

5. SYSKM: This privilege provides key management (KM) and delegated administration of Oracle Wallets (encryption key-stores) used by Oracle Transparent Data Encryption (TDE).

6. SYSASM: This privilege provides for separation of duty in the administration of the installation Automated Storage Management (ASM) instance and the Oracle Grid Infrastructure (GI).
Privileged Database Account Management in Oracle Database 12c
Methods for Privileged Database Account Management (1)

SELECT username, account_status, common
FROM dba_users
WHERE username LIKE 'SYS%' AND username != 'SYSTEM'
ORDER BY username;

➢ Notice that Oracle Database 12c added a “common” column for accounts to indicate the account is shared between the root container and all pluggable databases.
Methods for Privileged Database Account Management

❑ The internal table V$PWFILE_USERS can be used to view the administrative privileges that are associated with these accounts.

SELECT * FROM v$pwfile_users;


Methods for Privileged Database Account Management

❑ Creating Accounts:
1. Create a mapping from an OS account to the database administrative account.
2. Create a standard database account and grant the role/privileges to that user.
Methods for Privileged Database Account Management

Privileged Database Account Management Based on Oracle OS Authentication:

-- session connected as sysbackup
SELECT * FROM session_privs
ORDER BY 1;
Methods for Privileged Database Account Management

SELECT * FROM session_roles
ORDER BY 1;
Methods for Privileged Database Account Management

SELECT SYS_CONTEXT('USERENV','OS_USER') os_user,
       SYS_CONTEXT('USERENV','HOST') host,
       SYS_CONTEXT('USERENV','SESSION_USER') session_user
FROM dual;
Methods for Privileged Database Account Management

Privileged Database Account Management Based on Named Accounts

➢ First we create the named user account:

1. CREATE USER bill
   IDENTIFIED BY "123456";

   User created.

2. ALTER USER bill PASSWORD EXPIRE;

   User altered.
Methods for Privileged Database Account Management

➢ Next we grant this account the SYSBACKUP privilege, and we grant the CREATE SESSION privilege so that the account can log in to the database:

3. GRANT SYSBACKUP, CREATE SESSION TO bill;

   GRANT SYSBACKUP, CREATE SESSION TO bill
   IDENTIFIED BY welcome1;

4. CONNECT bill/defaultpass as sysbackup


Managing Accounts in a Pluggable Database

➢ To create a local account in a pluggable database, we first need to decide which PDBs the account will be created in:

SHOW PDBS
Managing Accounts in a Pluggable Database
❑ Creating a Pluggable Database:
➢ The SALES PDB was created from PDB$SEED with the following command:
CREATE PLUGGABLE DATABASE sales
ADMIN USER pdbadmin IDENTIFIED BY Admin123
ROLES = (DBA)
FILE_NAME_CONVERT =
('D:\app\OracleHomeUser1\oradata\orcl\',
'D:\app\OracleHomeUser1\oradata\orcl\mypdb\');

➢ Create TABLESPACE for Sales PDB:

CREATE TABLESPACE sales
DATAFILE 'D:\app\OracleHomeUser1\oradata\orcl\sales.dbf'
SIZE 100M;
Identifying Local Accounts in a Container

SELECT u.con_id, NVL(p.pdb_name,'CDB$ROOT') con_name,
       u.username, u.oracle_maintained
FROM cdb_users u
LEFT OUTER JOIN (SELECT pdb_id, pdb_name FROM cdb_pdbs) p
ON u.con_id = p.pdb_id
WHERE u.username IN ('SYS','PDBADMIN','C##BILL')
ORDER BY u.con_id, u.username;
Creating Named Accounts in a PDB

1. CREATE USER sh
   IDENTIFIED BY welcome1
   DEFAULT TABLESPACE sales;

2. GRANT CREATE SESSION, CREATE TABLE TO sh;

3. CONNECT sh/welcome1@sales

4. CREATE TABLE sales_history (
     product VARCHAR2(30)
   , sales_date DATE
   , quantity NUMBER
   , total_cost NUMBER(10,2));

5. INSERT INTO sh.sales_history
   VALUES ( 'Stereo' , SYSDATE-10 , 1 , 100.00);

6. INSERT INTO sh.sales_history
   VALUES ( 'Walkman' , SYSDATE , 5 , 250.00 );

7. COMMIT;
Managing Database Account Passwords and Profiles

➢ Passwords are the most prevalent form of authentication to Oracle Databases.

➢ Oracle enables you to enforce the choice of strong passwords through the use of password complexity routines.

➢ Passwords are often the weak link in the security chain.

➢ Oracle Database 12c supports case-sensitive passwords.

Managing Database Account Passwords and Profiles

❑ Managing Passwords for Local Database Accounts:

➢ Oracle Database stores user passwords in the data dictionary.
➢ Passwords aren’t stored in plain text, but in an encrypted form known as a password verifier.

[Figure: password check flow, steps 1 to 5. Labels: User, plain-text, Encrypted, Verifier, Oracle Data Dictionary, Compare Passwords, If Matching]
Managing Database Account Passwords and Profiles

❑ Maintaining Database Passwords:

o Create new accounts and passwords using the CREATE USER and GRANT commands with the following syntax:

CREATE USER <account> IDENTIFIED BY <new password>

GRANT CREATE SESSION TO <account> IDENTIFIED BY <new password>

o Expire Password:

ALTER USER <account> PASSWORD EXPIRE

Managing Database Account Passwords and Profiles

o To change an account’s password, you must have the ALTER USER system privilege:

ALTER USER <account> IDENTIFIED BY <new password>

❑ Authenticating Remote Database Clients

▪ The plaintext password supplied by the client is never sent over the network.

▪ The challenge and response data during this authentication phase is encrypted.

▪ The database initialization parameter should be used to control the number of times a remote client can fail login attempts.
Managing Database Account Profiles

❑ Oracle Database profiles have been used in the past to:

1. Control resource consumption, which improves the availability of your database and prevents DoS attacks.
2. Enforce secure password management policy controls such as password complexity checking functions, password aging, and password reuse.

❑ Secure Password Management Policies:

➢ The CREATE PROFILE and ALTER PROFILE commands are used to create custom collections of password constraints controls.
Managing Database Account Profiles

❑ Oracle Database profiles include support for the following password constraints controls:
1. Failed logon attempts: The number of times an incorrect password can be used before the account is locked.
2. Account lockout: The amount of time that an account will remain locked after repeated incorrect password login attempts.
3. Password lifetime or age: The number of days that a password can be used before it must be changed.
4. Password grace time: The amount of time that an account can use an expiring password before it must be changed.
5. Password reuse time/max: The number of times different passwords must be used before a password can be reused or the number of days before a password can be reused.
6. Password verification: The ability to specify a custom PL/SQL function to verify that a password meets your organization's password complexity rules.

➢ Default Profile vs Custom Profile

ALTER USER <account_name> PROFILE <profile_name>


Managing Database Account Profiles

1. Create a password profile.
2. Expire the user’s existing password: After creating a password profile, you will force your users to change their passwords to ensure all passwords being used comply with the profile.
3. Reset Password: Upon the next login, the database prompts the user to reset the password.
4. Check New Password: The new password is checked against the complexity routine and the other password profile values will also be enforced.
Managing Database Account Profiles

DEFAULT profile: The settings in this profile can be displayed as follows:

SELECT resource_name, limit, common
FROM dba_profiles
WHERE profile = 'DEFAULT' AND resource_type = 'PASSWORD'
ORDER BY resource_name;
Managing Database Account Profiles

❑ Password Complexity Verification:

➢ Here are a few common best practice checks you can implement within the complexity routine:
1. Password is greater than some specified length.
2. Password contains at least a certain number of characters (upper or lower case), digits, and special characters.
3. Password is not the same as or similar to the old password.
4. Password is not easily guessable by using some form of the username, database hostname, or common words (think a dictionary).
Managing Database Account Profiles

❑ Three template password verification PL/SQL functions are provided by Oracle Database 12c:
1. verify_function_11g
2. ora12c_verify_function
3. ora12c_strong_verify_function

➢ The code for these functions is located in the file $ORACLE_HOME/rdbms/admin/utlpwdmg.sql


Managing Database Account Profiles
❑ The function that implements the password check has to be implemented in the SYS schema.
❑ You will need to grant EXECUTE on the function to PUBLIC.
-- Skeleton only: this body accepts every password
CREATE OR REPLACE FUNCTION verify_function_custom
(username varchar2, password varchar2, old_password varchar2)
RETURN BOOLEAN AS BEGIN
RETURN TRUE;
END;
/

❑ To illustrate, we will first deploy the password complexity routines provided with Oracle Database 12c as follows:

@D:\app\OracleHomeUser1\product\12.2.0\dbhome_1\rdbms\admin\utlpwdmg.sql
Managing Database Account Profiles

❑ This function's signature is as follows:

CREATE OR REPLACE FUNCTION complexity_check(
password VARCHAR2,
chars integer,
upper integer,
lower integer,
digit integer,
special integer
) RETURN BOOLEAN IS
BEGIN
RETURN TRUE;
END;
/
Managing Database Account Profiles

❑ The script also includes a PL/SQL function named string_distance:

CREATE OR REPLACE FUNCTION string_distance(
str1 VARCHAR2,
str2 VARCHAR2
) RETURN NUMBER IS
BEGIN
RETURN UTL_MATCH.EDIT_DISTANCE(str1, str2);
END;
/

❑ This function should be used if you want to enforce that new and old passwords are not the same or even similar.
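
The verify_function_custom skeleton shown earlier, filled in with the best-practice checks listed above, as an added example that is not from the slides or from Oracle's utlpwdmg.sql. The thresholds, the error numbers and the profile name app_user_profile are assumptions; user1 is the test account used later in this chapter and is assumed to exist.

```sql
-- Added example. Create the function in the SYS schema of the container
-- that owns the profile. Thresholds and error numbers are assumptions.
CREATE OR REPLACE FUNCTION verify_function_custom
  (username VARCHAR2, password VARCHAR2, old_password VARCHAR2)
  RETURN BOOLEAN
IS
  c_min_length   CONSTANT PLS_INTEGER := 12;  -- assumed minimum length
  c_min_class    CONSTANT PLS_INTEGER := 2;   -- assumed minimum per character class
  c_min_distance CONSTANT PLS_INTEGER := 4;   -- assumed minimum edit distance
BEGIN
  -- Check 1: minimum length (a NULL password counts as length 0)
  IF NVL(LENGTH(password), 0) < c_min_length THEN
    raise_application_error(-20901,
      'Password length less than ' || c_min_length);
  END IF;

  -- Check 2: enough upper case, lower case, digit and special characters.
  -- POSIX classes avoid range surprises under linguistic NLS settings.
  IF REGEXP_COUNT(password, '[[:upper:]]') < c_min_class
     OR REGEXP_COUNT(password, '[[:lower:]]') < c_min_class
     OR REGEXP_COUNT(password, '[[:digit:]]') < c_min_class
     OR REGEXP_COUNT(password, '[[:punct:]]') < c_min_class
  THEN
    raise_application_error(-20902,
      'Password needs at least ' || c_min_class ||
      ' upper case, lower case, digit and special characters');
  END IF;

  -- Check 4: not guessable from the username (case-insensitive)
  IF INSTR(UPPER(password), UPPER(username)) > 0 THEN
    raise_application_error(-20903,
      'Password must not contain the username');
  END IF;

  -- Check 3: not the same as or similar to the old password.
  -- old_password is NULL when an administrator sets the password,
  -- so the distance test only runs when the old value is supplied.
  IF old_password IS NOT NULL
     AND UTL_MATCH.EDIT_DISTANCE(password, old_password) < c_min_distance
  THEN
    raise_application_error(-20904,
      'Password should differ from previous password by at least ' ||
      c_min_distance || ' characters');
  END IF;

  RETURN TRUE;
END;
/

GRANT EXECUTE ON verify_function_custom TO PUBLIC;

-- Attach the function to a custom profile and move one account onto it.
CREATE PROFILE app_user_profile LIMIT
  FAILED_LOGIN_ATTEMPTS 5
  PASSWORD_LOCK_TIME 0.5
  PASSWORD_LIFE_TIME 90
  PASSWORD_GRACE_TIME 7
  PASSWORD_VERIFY_FUNCTION verify_function_custom;

ALTER USER user1 PROFILE app_user_profile;

-- Force a change so the existing password is re-checked at next login.
ALTER USER user1 PASSWORD EXPIRE;
```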
Managing Database Account Profiles

❑ Let’s take a look at the code in $ORACLE_HOME/rdbms/admin/utlpwdmg.sql that implements the Oracle-supplied password verification function ora12c_strong_verify_function.

❑ We think that ora12c_strong_verify_function is the best function to start with either as it exists or as a basis for customization.

❑ Then:

GRANT EXECUTE ON ora12c_strong_verify_function TO PUBLIC;


Managing Database Account Profiles

❑ After running $ORACLE_HOME/rdbms/admin/utlpwdmg.sql, you will notice that the Oracle Database profile DEFAULT has been modified to include the password function ora12c_verify_function, as follows:

ALTER PROFILE DEFAULT LIMIT
PASSWORD_LIFE_TIME 180
PASSWORD_GRACE_TIME 7
PASSWORD_REUSE_TIME UNLIMITED
PASSWORD_REUSE_MAX UNLIMITED
FAILED_LOGIN_ATTEMPTS 10
PASSWORD_LOCK_TIME 1
PASSWORD_VERIFY_FUNCTION ora12c_verify_function;

Profile altered.
Managing Database Account Profiles

We will modify the DEFAULT profile to leverage the ora12c_strong_verify_function for the PASSWORD_VERIFY_FUNCTION and to enforce more stringent password controls as follows:

ALTER PROFILE DEFAULT LIMIT
PASSWORD_LIFE_TIME 90
PASSWORD_GRACE_TIME 7
PASSWORD_REUSE_TIME 365
PASSWORD_REUSE_MAX UNLIMITED
FAILED_LOGIN_ATTEMPTS 5
PASSWORD_LOCK_TIME 0.5
PASSWORD_VERIFY_FUNCTION ora12c_strong_verify_function;

Profile altered.
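
A check a DBA can run after tightening a profile, as an added example that is not from the slides: it lists open accounts whose effective password limits are still unlimited or that have no verify function, resolving a limit of DEFAULT to the value in the DEFAULT profile. Which conditions count as weak is an assumption of this example.

```sql
-- Added example: open accounts with weak effective password limits.
WITH limits AS (
  -- A custom profile may store the literal 'DEFAULT' for a limit;
  -- replace it with the value held by the DEFAULT profile.
  SELECT p.profile,
         p.resource_name,
         CASE WHEN p.limit = 'DEFAULT' THEN d.limit ELSE p.limit END
           AS eff_limit
  FROM   dba_profiles p
  LEFT JOIN dba_profiles d
         ON  d.profile = 'DEFAULT'
         AND d.resource_name = p.resource_name
  WHERE  p.resource_type = 'PASSWORD'
),
per_profile AS (
  -- One row per profile with the three limits of interest as columns.
  SELECT profile,
         MAX(DECODE(resource_name, 'FAILED_LOGIN_ATTEMPTS', eff_limit))
           AS failed_logins,
         MAX(DECODE(resource_name, 'PASSWORD_LIFE_TIME', eff_limit))
           AS life_time,
         MAX(DECODE(resource_name, 'PASSWORD_VERIFY_FUNCTION', eff_limit))
           AS verify_fn
  FROM   limits
  GROUP  BY profile
)
SELECT u.username,
       u.profile,
       u.oracle_maintained,
       pp.failed_logins,
       pp.life_time,
       pp.verify_fn
FROM   dba_users u
JOIN   per_profile pp ON pp.profile = u.profile
WHERE  u.account_status = 'OPEN'
AND    (   pp.failed_logins = 'UNLIMITED'
        OR pp.life_time     = 'UNLIMITED'
        OR NVL(pp.verify_fn, 'NULL') = 'NULL')
ORDER  BY u.oracle_maintained, u.username;
```

An empty result means every open account in the current container is covered by a lockout threshold, a password lifetime and a verify function.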
Managing Database Account Profiles

❑ Alter session back to pluggable database.

❑ We now test the ora12c_strong_verify_function to see how it behaves with password policy violations as well as with valid passwords:

-- force a length violation

CREATE USER user1 IDENTIFIED BY welcome1;

CREATE USER user1
*
ERROR at line 1:
ORA-28003: password verification for the specified password failed
ORA-20001: Password length less than 9
Managing Database Account Profiles

-- force a minimum character type missing violation

CREATE USER user1 IDENTIFIED BY welcome123;

CREATE USER user1
*
ERROR at line 1:
ORA-28003: password verification for the specified password failed
ORA-20023: Password must contain at least 2 uppercase character(s)
Managing Database Account Profiles

-- attempt a valid password

CREATE USER user1 IDENTIFIED BY "WElcome@@123";

User created.

-- attempt to reuse the password

ALTER USER user1 IDENTIFIED BY "WElcome@@123";

ALTER USER C##user1
*
ERROR at line 1:
ORA-28007: the password cannot be reused
Managing Database Account Profiles

-- Note: the Levenshtein distance algorithm will fire for the real end user changing the password,
-- not an administrator like SYSDBA, so let's log in as the account to test this

GRANT CREATE SESSION TO user1;

Grant succeeded.

-- login as user1 using sqldeveloper

-- Change Password

PASSWORD
Managing Database Account Profiles

ALTER USER user1 IDENTIFIED BY "WElcome@?122";

ERROR:
ORA-28003: password verification for the specified password failed
ORA-20032: Password should differ from previous password by at least 4 characters

Password unchanged

➢ Old Pass: WElcome@@123
➢ New Pass: WElcome@?122
❖ Total Mutations: 2
❖ Mutations:
1. Replace @ at position 9 with ?.
2. Replace 3 at position 12 with 2.
Managing Database Account Profiles

❑ Recommendations:

✓ Keep the Password Policies Practical

✓ Limiting Database Resources with Database Profiles: resources can be consumed by denial-of-service (DoS) attacks:

➢ DoS attacks: easy to implement and hard to defend against.

➢ Defense Challenge: arises from the fact that there are an enormous number of ways to trigger such an attack.

➢ Result: exhaust computing resources to the point that the database can no longer provide adequate service.
Managing Database Account Profiles

❑ DoS attacks Mitigation:

✓ Password profile capabilities.

✓ Oracle also supports the use of resource profiles to limit the use of database resources.

❖ View various resources by querying the DBA_PROFILES view:

SELECT resource_name, limit, common
FROM dba_profiles
WHERE profile = 'DEFAULT' AND resource_type = 'KERNEL'
ORDER BY resource_name;
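
A resource profile that caps what one account can consume, as an added example that is not from the slides. The profile name sales_app_limits and every limit value are assumptions chosen for illustration; sh is the account created earlier in this chapter.

```sql
-- Added example. Kernel (resource) limits are enforced only while the
-- RESOURCE_LIMIT initialization parameter is TRUE; password limits are
-- enforced regardless of it.
ALTER SYSTEM SET resource_limit = TRUE;

-- An account has exactly one profile, so resource and password limits
-- live together. Limits not listed here, including all password limits,
-- fall back to the values in the DEFAULT profile.
--   SESSIONS_PER_USER       concurrent sessions allowed for the account
--   CPU_PER_CALL            hundredths of a second of CPU per call
--   LOGICAL_READS_PER_CALL  data blocks read per call
--   IDLE_TIME               minutes of inactivity before the session ends
--   CONNECT_TIME            minutes of total elapsed time per session
CREATE PROFILE sales_app_limits LIMIT
  SESSIONS_PER_USER      10
  CPU_PER_CALL           3000
  LOGICAL_READS_PER_CALL 500000
  IDLE_TIME              15
  CONNECT_TIME           480;

ALTER USER sh PROFILE sales_app_limits;

-- Confirm which kernel limits are now explicit and which still defer
-- to the DEFAULT profile (shown with a limit of DEFAULT).
SELECT resource_name, limit
FROM   dba_profiles
WHERE  profile = 'SALES_APP_LIMITS'
AND    resource_type = 'KERNEL'
ORDER  BY resource_name;

-- Confirm the account picked up the profile.
SELECT username, profile
FROM   dba_users
WHERE  username = 'SH';
```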