Database Role Activity
DB Role and Privileges Worksheet
DB Role and Privileges Answers
Remember Code Change SOD?
Database Security Configuration
• 1. Verify that database permissions are granted or revoked appropriately for the required level of authorization.
• Risk: If database permissions are not restricted properly, unauthorized access to critical data may occur.
Database Security Configuration
• 2. Review database permissions granted to individuals instead of groups or roles.
• Risk: Assigning permissions to individuals rather than roles/groups increases maintenance required for security, and greatly increases the chances of making security mistakes.
Database Security Configuration
• 3. Ensure that database permissions are not implicitly granted incorrectly.
• Risk: Poorly managed database permissions can allow access to all data and can lead to unauthorized access to data.
Database Security Configuration
• 4. Review dynamic SQL executed in stored procedures.
• Risk: If stored procedures and functions are not constructed properly, they can be manipulated to gain unauthorized access to data and functionality.
Database Security Configuration
• 5. Ensure that row-level access to table data is implemented properly.
• Risk: If row-level security is not well designed, the DBA may be unable to restrict access to a subset of rows in a table.
Database Security Configuration
• 6. Ensure that PUBLIC permissions are revoked where not needed.
• Risk: Default PUBLIC permissions will most likely provide more access than business need requires.
Oracle Access Worksheet
Oracle Access Answers
Example Oracle Output
```
GRANTEE              GRANTED_ROLE                   ADM DEF
-------------------- ------------------------------ --- ---
DBA                  DELETE_CATALOG_ROLE            YES YES
                     EXECUTE_CATALOG_ROLE           YES YES
                     EXP_FULL_DATABASE              NO  YES
                     GATHER_SYSTEM_STATISTICS       NO  YES
                     IMP_FULL_DATABASE              NO  YES
                     JAVA_ADMIN                     NO  YES
                     JAVA_DEPLOY                    NO  YES
                     PLUSTRACE                      YES YES
                     SELECT_CATALOG_ROLE            YES YES
DBSNMP               CONNECT                        NO  YES
DPAUL                DWREADER                       NO  YES
DSHERMAN             DWREADER                       NO  YES
DWOWNER              PLUSTRACE                      NO  YES
EXECUTE_CATALOG_ROLE HS_ADMIN_ROLE                  NO  YES
```
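A listing like the one above can be reviewed mechanically for check 3 (implicit grants). The following is an added example, not part of the original slides: it parses the listing and reports roles a grantee holds only through another role, plus grants with ADM set to YES, which in Oracle means the grantee may grant the role to others. The function names `parse_role_grants` and `audit` are illustrative.

```python
from collections import defaultdict

# Listing from the slide; a 3-field row continues the previous grantee.
LISTING = """\
GRANTEE              GRANTED_ROLE                   ADM DEF
-------------------- ------------------------------ --- ---
DBA                  DELETE_CATALOG_ROLE            YES YES
                     EXECUTE_CATALOG_ROLE           YES YES
                     EXP_FULL_DATABASE              NO  YES
                     GATHER_SYSTEM_STATISTICS       NO  YES
                     IMP_FULL_DATABASE              NO  YES
                     JAVA_ADMIN                     NO  YES
                     JAVA_DEPLOY                    NO  YES
                     PLUSTRACE                      YES YES
                     SELECT_CATALOG_ROLE            YES YES
DBSNMP               CONNECT                        NO  YES
DPAUL                DWREADER                       NO  YES
DSHERMAN             DWREADER                       NO  YES
DWOWNER              PLUSTRACE                      NO  YES
EXECUTE_CATALOG_ROLE HS_ADMIN_ROLE                  NO  YES
"""

def parse_role_grants(text):
    """Yield (grantee, role, admin_option) for each data row."""
    grantee = None
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] == "GRANTEE" or set(line) <= set("- "):
            continue  # blank line, column header, or dashed rule
        if len(f) == 4:
            grantee, f = f[0], f[1:]
        if len(f) != 3 or grantee is None:
            raise ValueError(f"unparseable row: {line!r}")
        yield grantee, f[0], f[1] == "YES"

def audit(text):
    """Return (roles held only via another role, grants with ADM = YES)."""
    rows = list(parse_role_grants(text))
    direct = defaultdict(set)
    for grantee, role, _ in rows:
        direct[grantee].add(role)
    def expand(name, seen):  # follow role-to-role grants; 'seen' stops cycles
        for role in direct.get(name, ()):
            if role not in seen:
                seen.add(role)
                expand(role, seen)
        return seen
    inherited = {g: x for g in direct if (x := expand(g, set()) - direct[g])}
    admin = [(g, r) for g, r, adm in rows if adm]
    return inherited, admin
```

On the slide's data, `audit(LISTING)` shows that DBA also holds HS_ADMIN_ROLE through EXECUTE_CATALOG_ROLE, a grant that does not appear on any DBA row of the listing.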
Operating System Security
• 7. Ensure that access to the operating system is restricted to server administrators and backup operators.
• Risk: If users have access to the operating system, this can be used to circumvent access controls built into the database and the application(s) on top of the database.
Operating System Security
• 8. Ensure that permissions on the directory to which the database is installed are restricted to authorized individuals with a business need.
• Risk: File-level access to the database can be used to circumvent access controls to the database and application, to alter or corrupt the data, or to disrupt access for authorized users.
Operating System Security
• 9. Ensure that permissions on the registry keys used by the database are restricted to authorized individuals with a business need.
• Risk: Failure to secure the registry keys that are used to store configuration values that are important to the secure functioning of the database can lead to a breach of security.
Password Management
• 10. Check for default usernames and passwords.
• Risk: Failure to control default usernames and passwords is a violation of University policy, and can lead to unauthorized access, data corruption, and loss of availability.
Default Accounts and Default Password
Oracle Default Passwords
• SYS = CHANGE_ON_INSTALL
• SYSTEM = MANAGER
• Scott = Tiger
• DBSNMP = DBSNMP
• OUTLN = OUTLN
• Other Locked Default Accounts
Easily Guessed Passwords
• 11. Check for easily guessed passwords.
• Risk: Using passwords that can be easily guessed can lead to unauthorized access. Password complexity is required by University policy.
Password Management
• 12. Check that password management capabilities are enabled.
• Risk: If the DBA does not configure the settings, these features will not be enabled, lowering the security of the database.
Password Management
Passwords may be established remotely
• OS Authentication
• Remote Password File
University Password Policy
• Same password requirements for servers and applications
– 8 character minimum
– Periodically changed
– Complexity
– Failed Login Attempts
– Passwords not Shared
Audit Trails & Monitoring
• 13. Check that auditing is enabled.
• Risks: Audit trails are required to:
o Determine who accessed which systems
o Determine what activities were performed
o Identify suspicious access
o Monitor for attempts to exploit vulnerabilities
o Find and track deviations from baseline
Audit Trails & Monitoring
– More critical in a DB setting
– Often claimed to be too resource intensive
Encryption
• 14. Verify that network encryption is implemented.
• Risk: Data sent in the clear can be intercepted by unauthorized parties.
Encryption
• 15. Verify that encryption of data-at-rest is implemented where appropriate. Ensure that encryption key management is part of the disaster-recovery plan.
• Risk: Data are most likely to be stolen from the database while at rest, not while traversing the network.
Patch Management and Integrity
• 16. Verify that the latest patches for the database have been installed.
• Risk: Failure to apply security patches will leave the database vulnerable to compromise.
Patch Management and Integrity
• 17. Verify that the database is running a version the vendor continues to support.
• Risk: An unsupported version may no longer receive patches, leaving the system open to new vulnerabilities.
Patch Management and Integrity
• 18. Verify that policies and procedures are in place to identify when a patch is available and to apply the patch.
• Risk: If policies and procedures are not in place to identify when a patch is available, the DBA may be unaware of new patches.
Patch Management and Integrity
• 19. Evaluate what the database administration group is doing to ensure the integrity of the database (looking for rootkits, viruses, backdoors, etc.).
• Risk: If a compromise is not detected, an unauthorized individual may maintain access for an extended period of time.
Application and Database Auditing Exercise