Define Your Own Role for Database Target Access in EM12c

Scenario

  1. Enterprise Manager 12c (EM) installed and agents rolled out to database servers
  2. Access to EM offered to development teams with the primary purpose of allowing them to investigate application related database performance issues

Documentation

The EM documentation covers a selection of privileges you might want to grant to users in database targets in order to allow them to be used for accessing EM functionality. The privileges mentioned are:

  1. SELECT ANY DICTIONARY
  2. CREATE SESSION
  3. EXECUTE on (more...)

Why Oracle Big Data SQL Potentially Solves a Big Issue with Hadoop Security

Oracle announced their Big Data SQL product a couple of weeks ago, which effectively extends Exadata’s query-offloading to Hadoop data sources. I covered the launch a few days afterwards, focusing on how it implements Exadata’s SmartScan on Hive and NoSQL data sources and provides a single metadata catalog over both relational, and Hadoop, data sources. In a Twitter conversation later in the day though, I made the comment that in my opinion, the biggest (more...)

Unlimited Session Timeout

There are a lot of security admins out there that are going to hate me for this post. There are a lot of system administrators, developers, and users, however, that will LOVE me for this post. The code I'm about to share with you will keep the logged in PeopleSoft user's session active as long as the user has a browser window open that points to a PeopleSoft instance. Why would you do this? I (more...)

The value of audit_trail=DB,EXTENDED

I was recently reading a blog entry by Dominic Brooks regarding auditing and I was intrigued by the line referring to the audit_trail parameter being set to DB, EXTENDED

Behaves the same as AUDIT_TRAIL=DB, but also populates the SQL bind and SQL text CLOB-type columns of the SYS.AUD$ table, when available.

Nothing wrong with that and straight from the manual but I was surprised that they were CLOBS. However on looking at them they (more...)

Invoker Rights in Oracle Database 12c : Some more articles

I wrote about the Code Based Access Control (CBAC) stuff in Oracle Database 12c a while back.

I’ve recently “completed the set” by looking at the INHERIT PRIVILEGES and BEQUEATH CURRENT_USER stuff for PL/SQL code and views respectively.

Incompetence or Malice?

We’ve just had a leak of 900,000 national identifier numbers here in Denmark. That’s about 16% of the total population, so it’s pretty big. These numbers are unique identifiers for a person (similar to Social Security Numbers) and are a good starting point for identity theft.

Never ascribe to malice that which can adequately be explained by incompetence.

Napoleon Bonaparte

 

So how did these numbers leak? Through plain incompetence and lack of procedures. It (more...)

They Took Away My Cloud

On Monday, a U.S. judge gave Microsoft control of 22 domains owned by domain hosting service No-IP.com. Microsoft intended to filter out some domains used by malware, but promptly screwed up. The result was that millions of legitimate users could not access their servers.

This will happen again and again as infrastructure moves to centralized cloud providers. What do you think will happen if the server just above yours in the server rack (more...)

Is your database secure? Are you sure? Are you *really* sure?

Credit for finding this bug is given to Daniel Ekberg – https://www.linkedin.com/profile/view?id=10435009. He got the official credit given by Oracle Corp for helping out with security related bugs in the January 2014 CPU. He found the bug and had the tenacity to track down and prove that it was a bug and not just a flaw in the logging mechanism where this first was indicated to occur.

Today is the day when (more...)

Oracle 12c – New SYS-level Administration Privileges

For a while now, Oracle has been moving its security model toward a more differentiated set of privileges than just SYSDBA and SYSOPER.  We saw this in 11g with the SYSASM privilege.  This is in response to the growing number of DBA shops that delineate permissions at a more granular level, even among DBAs.  Rather than saying, “Here’s my DBA team, everyone has SYSDBA,” more and more IT shops are defining DBA (more...)

Data Masking mit 12c

Sieht auf den ersten Blick eher bizarr aus, hat aber seine Anwendungsfälle... Gavin Sooma schreibt über das Cloud Control Data Masking Pack, mit dessen Hilfe  in 12c vertrauliche oder in anderer Weise sensitive Daten durch mehr oder minder zufällig generierte Daten ersetzt werden können. "Ersetzt" bedeutet in diesem Fall: physikalisch ersetzt - es geht also um eine semantische Änderung von Daten: und das ist natürlich nicht unbedingt etwas, das man in einer Produktivdatenbank durchführen (more...)

Database Security Best Practices

Database administrators, by the very essence of their job descriptions, are the protectors of their organization’s core data assets. They are tasked with ensuring that key data stores are safeguarded against any type of unauthorized data access. Ensuring that data is protected on a 24 x 7 basis is a complex task. External intrusions and internal employee data thefts combine to make many IT professionals lie awake at night thinking about how they can secure (more...)

Quis custodiet ipsos custodes?

The above phase means “who will guard the guards themselves?” and is relevant in many security contexts.

Here in Denmark, we are currently having our own “News of the World” affair. In our case, a contractor at the payment processor handling almost all Danish credit cards was able to automatically send a tip to a journalist whenever a celebrity used his or her credit card. That makes it hard to take an incognito honeymoon (more...)

Shared authentication across multiple APEX applications

Quite a few times I see a questions regarding how to share authentication between Oracle APEX applications so the user does not need to log in a second time.

As long as your link between the applications share the session ID, the solution is simple - set the cookie name the same across your applications.
Shared components -> Authentication Schemes -> Edit current scheme -> Session cookie attributes -> Cookie Name
Set same cookie (more...)

IT Defence in Depth

The Heartbleed bug has shown that security vulnerabilities can pop up everywhere. Unfortunately, many IT organizations depend on a single security layer to secure their network – and as the ineffectiveness of the Maginot Line proved, that is a risky strategy. You need multiple security layers – what soldiers call Defence in Depth.Security LayersThis illustration is from my weekly Technology That Fits newsletter – sign up here.

HeartBleed and Oracle

There are a lot of people asking about Heartbleed and how it has impacted the web.
Oracle has published  MOS Note 1645479.1 that talks about all the products impacted and if and when fixes will be available.
The following blog post is also a good reference about the vulnerability.  https://blogs.oracle.com/security/entry/heartbleed_cve_2014_0160_vulnerability



Deep Dive: Oracle WebCenter Tips and Traps!

I'm currently at IOUG Collaborate 2014 in Las Vegas, and I recently finished my 2-hour deep dive into WebCenter. I collected a bunch of tips & tricks in 5 different areas: metadata, contribution, consumption, security, and integrations:


As usual, a lot of good presentations this year, but the Collaborate Mobile App makes it a bit tough to find them...

Bezzotech will be at booth (more...)

ADF Alert – Facelets Vulnerability in ADF 11g R2 and 12c

If you are running your application in ADF 11g R2 or 12c environment and using facelets - you should double check, if a source code for the facelet pages is not accessible through the URL. There is another security vulnerability in ADF 11g R2, documented here - Alert for ADF Security - JSF 2.0 Vulnerability in ADF 11g R2. Apparently this is a patch from Oracle for JSF 2.0 vulnerability and also there (more...)

Alert for ADF Security – JSF 2.0 Vulnerability in ADF 11g R2

You must be concerned about your system security, if you are running ADF runtime based on ADF 11.1.2.1.0 - 11.1.2.4.0 versions. These versions are using JSF 2.0 with known security vulnerability - Two Path Traversal Defects in Oracle's JSF2 Implementation. This vulnerability allows to download full content of WEB-INF through any browser URL. There is a fix, but this fix is not applied by JDeveloper IDE (more...)

Pre-digested authentication

A bit of a follow-up to my previous post on Digest authentication.

The fun thing about doing the hard yards to code up the algorithm is that you get a deeper level of understanding about what's going on. Take these lines:

    v_in_str := utl_raw.cast_to_raw(i_username||':'||i_realm||':'||i_password);
    v_ha1 := lower(DBMS_OBFUSCATION_TOOLKIT.md5(input => v_in_raw));

Every time we build the "who we are" component for this site, we start with exactly the same (more...)

PL/SQL, UTL_HTTP and Digest Authentication

For the first time in what seems like ages, I've actually put together a piece of code worth sharing. It's not that I haven't been working, but just that it has all been very 'in-house' specific.

However I had a recent requirement to use a web service that makes use of Digest Authentication. If you have look at the UTL_HTTP SET_AUTHENTICATION subprogram, it only addresses Basic authentication (and, apparently, Amazon S3 which looks intriguing).

In (more...)