Those in the know will realize that both LINK$ and USER_HISTORY$ have been outside of SELECT ANY DICTIONARY
for a long time already, i.e., since before 12c (so I think the 12c documentation is a bit misleading in this respect). I guess it
should be noted that this list of tables omitted from SELECT ANY DICTIONARY does draw the spotlight to the data held within them:
DEFAULT_PWD$ - contains the verifiers of the default passwords for the well-known accounts in the DB (this is
what DBA_USERS_WITH_DEFPWD is built on).
ENC$ - where the keys for encrypted columns are kept (see dba_encrypted_columns ), which we
will decrypt in Chapter 10.
USER$ - where the password hashes for each user are kept, including the weak 10g hashes (the PASSWORD
column) alongside the 11g/12c verifiers (SPARE4).
LINK$ - where the database links and their encrypted passwords are kept; this table has been outside of
SELECT ANY DICTIONARY since before 12c as well.
USER_HISTORY$ - where the history of previous password verifiers is kept for each user. This is very
sensitive and has actually always been outside of SELECT ANY DICTIONARY , so this is not
new for 12c. The reason for the sensitivity is that an attacker can infer the user's algorithm for
generating new passwords, which gives the ability to crack passwords ahead of time and to try
those passwords on other machines.
XS$VERIFIER - verifier information for Real Application Security (XS) users.
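To make the point concrete, here is an added SQL*Plus walkthrough (not from the book) that grants SELECT ANY DICTIONARY to a throwaway account and then shows which of the tables above it can and cannot read, followed by the SYS-only queries that reveal why those tables are fenced off. The account DICT_READER and its password are assumptions made for this illustration; the table and column names are the real SYS ones.

```sql
-- Added example, not from the book: what SELECT ANY DICTIONARY does and
-- does not expose in 12c. Run in SQL*Plus as SYS; the user DICT_READER
-- and its password are assumptions made for this illustration.
CREATE USER dict_reader IDENTIFIED BY "ChangeMe_123";
GRANT CREATE SESSION, SELECT ANY DICTIONARY TO dict_reader;

CONNECT dict_reader/"ChangeMe_123"

-- Ordinary dictionary base tables are readable with the privilege:
SELECT COUNT(*) FROM sys.obj$;

-- The six tables singled out in 12c are not. Each of these statements is
-- denied, even though the same privilege opens the rest of the dictionary:
SELECT name, password, spare4 FROM sys.user$;
SELECT name, passwordx FROM sys.link$;
SELECT user#, password, password_date FROM sys.user_history$;
SELECT * FROM sys.default_pwd$;
SELECT * FROM sys.enc$;
SELECT * FROM sys.xs$verifier;

-- As SYS, the same tables show why they are fenced off.
CONNECT / AS SYSDBA

-- 10g hash (PASSWORD, if still present) and 11g/12c verifiers (SPARE4)
-- for every user (type# = 1 excludes roles)
SELECT name, password, spare4
  FROM sys.user$
 WHERE type# = 1
 ORDER BY name;

-- Every previous verifier per user: this is what the PASSWORD_REUSE_*
-- profile limits consult, and what an attacker mines for password habits
SELECT u.name, h.password_date, h.password
  FROM sys.user_history$ h
  JOIN sys.user$ u ON u.user# = h.user#
 ORDER BY u.name, h.password_date;

-- Accounts still on a known default password, derived from DEFAULT_PWD$
SELECT username FROM dba_users_with_defpwd ORDER BY username;

-- Which columns have TDE column keys recorded in ENC$
SELECT owner, table_name, column_name, encryption_alg
  FROM dba_encrypted_columns;
```

The first SELECT against sys.obj$ succeeds; each of the six that follow should raise a privilege error rather than return rows, which is the 12c change in practice. The SYS section is the data an attacker with a SYSDBA session would pull first, so anything that audits SYS activity should be watching for reads of these tables.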
Breaking Up SYSDBA Privilege
In order to improve segregation of duty, an attempt has been made to reduce dependency on SYSDBA as the
“uncontrolled dictator” privilege needed for many tasks. 12c adds these administrative privileges (in addition to SYSOPER,
and SYSASM from 11g):
SYSDG - for Data Guard administration, so SYSDBA is not needed for Data Guard
SYSBACKUP - for the RMAN user, so SYSDBA is not needed for backup and recovery
SYSKM - for managing TDE keys
The aim is to lower the need for SYSDBA, and these new privileges achieve that, but SYSDBA cannot be removed
and is still unlockable, and the truth is that more than 90% of production DBA work done directly on the DB is still done with
the oracle Unix account coming in as '/' (OS-authenticated SYSDBA), as we will discuss in Part III in the privileged access chapter. This will be my
favourite chapter, and I hope yours as well, as there is definitely still work to do here.
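The following is an added example (not the book's own code) of handing out one of the task-specific administrative privileges instead of SYSDBA, checking where it is recorded, and confirming that the session it produces is not a SYS session. The user names and passwords are assumptions for the illustration; V$PWFILE_USERS and the AS SYSBACKUP connect syntax are real 12c features.

```sql
-- Added example, not from the book: a task-specific administrative
-- privilege in place of SYSDBA. User names and passwords are assumptions.
CONNECT / AS SYSDBA

-- Administrative privileges are recorded in the password file, not in
-- DBA_SYS_PRIVS, so these grants do not show up in the usual privilege views.
CREATE USER rman_admin IDENTIFIED BY "Backup_Only_1";
GRANT SYSBACKUP TO rman_admin;

CREATE USER dg_admin IDENTIFIED BY "Standby_Only_1";
GRANT SYSDG TO dg_admin;

CREATE USER key_admin IDENTIFIED BY "Keys_Only_1";
GRANT SYSKM TO key_admin;

-- In 12c V$PWFILE_USERS carries one column per administrative privilege,
-- so this is the query to audit who can bypass normal authorization.
SELECT username, sysdba, sysoper, sysasm, sysbackup, sysdg, syskm
  FROM v$pwfile_users
 ORDER BY username;

-- Connect with the new privilege. The session runs as the SYSBACKUP
-- identity rather than as SYS, while the authenticated identity stays
-- the named account, which keeps the audit trail attributable.
CONNECT rman_admin/"Backup_Only_1" AS SYSBACKUP
SELECT sys_context('USERENV', 'SESSION_USER')            AS session_user,
       sys_context('USERENV', 'AUTHENTICATED_IDENTITY')  AS auth_identity
  FROM dual;

-- The same account cannot simply step up to SYSDBA: this connect is
-- refused because rman_admin was never granted SYSDBA.
CONNECT rman_admin/"Backup_Only_1" AS SYSDBA
```

Expect SESSION_USER to report SYSBACKUP and AUTHENTICATED_IDENTITY to report RMAN_ADMIN; the final CONNECT fails. The point of the exercise is the V$PWFILE_USERS query: it is the only place these grants are visible, so a privilege review that stops at DBA_SYS_PRIVS and DBA_ROLE_PRIVS will miss them.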
12c Miscellaneous Security Improvements
In addition to the larger feature updates there have been some smaller security updates, listed here:
SHA-2 hashing for password verifiers, DBMS_CRYPTO and TDE, but not yet for DB
authentication.
Updated password verification function (utlpwdmg.sql), which gives a choice of a strong or a normal security level.
The strong version uses the Levenshtein distance to try and force password renewals that are
not too similar to previous passwords. We will talk about that in Chapter 10.
SYS pwfile can now be placed on the ASM disks , so a RAC cluster can share a single pwfile,
which is useful given that raw disk support has been removed in 12c. The alternative workaround
is to copy the pwfile to each node of the RAC cluster, but this can result in the SYS
password diverging between nodes.
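To show what a distance-based verification function actually does, here is an added example (not the book's code, and not Oracle's shipped ora12c_strong_verify_function, whose exact thresholds are in $ORACLE_HOME/rdbms/admin/utlpwdmg.sql) that implements Levenshtein distance in PL/SQL, uses it in a verify function, and attaches the function to a profile. The function, profile and user names are assumptions; the edit-distance routine is written here from the standard dynamic-programming algorithm.

```sql
-- Added example, not from the book: a Levenshtein-based password verify
-- function. Must be created in the SYS schema to be usable in a profile.
-- Names (pw_edit_distance, pw_verify_strict, strict_pw, app_user) are
-- assumptions made for this illustration.
CREATE OR REPLACE FUNCTION pw_edit_distance (s IN VARCHAR2, t IN VARCHAR2)
RETURN PLS_INTEGER IS
  TYPE row_t IS TABLE OF PLS_INTEGER INDEX BY PLS_INTEGER;
  prev row_t;   -- distances for row i-1 of the DP matrix
  cur  row_t;   -- distances for row i
  cost PLS_INTEGER;
BEGIN
  -- Empty strings ('' is NULL in Oracle): distance is the other length.
  IF s IS NULL THEN RETURN NVL(LENGTH(t), 0); END IF;
  IF t IS NULL THEN RETURN LENGTH(s); END IF;
  FOR j IN 0 .. LENGTH(t) LOOP
    prev(j) := j;
  END LOOP;
  FOR i IN 1 .. LENGTH(s) LOOP
    cur(0) := i;
    FOR j IN 1 .. LENGTH(t) LOOP
      cost := CASE WHEN SUBSTR(s, i, 1) = SUBSTR(t, j, 1) THEN 0 ELSE 1 END;
      -- minimum of delete, insert, substitute
      cur(j) := LEAST(prev(j) + 1, cur(j - 1) + 1, prev(j - 1) + cost);
    END LOOP;
    prev := cur;
  END LOOP;
  RETURN prev(LENGTH(t));
END;
/

CREATE OR REPLACE FUNCTION pw_verify_strict (
  username     IN VARCHAR2,
  password     IN VARCHAR2,
  old_password IN VARCHAR2)
RETURN BOOLEAN IS
BEGIN
  IF LENGTH(password) < 12 THEN
    raise_application_error(-20001, 'Password must be at least 12 characters');
  END IF;
  IF NOT REGEXP_LIKE(password, '[0-9]')
     OR NOT REGEXP_LIKE(password, '[[:alpha:]]') THEN
    raise_application_error(-20002, 'Password needs at least one letter and one digit');
  END IF;
  IF INSTR(UPPER(password), UPPER(username)) > 0 THEN
    raise_application_error(-20003, 'Password must not contain the user name');
  END IF;
  -- old_password is only supplied when the user changes their own password
  -- and provides the old one (ALTER USER ... IDENTIFIED BY new REPLACE old).
  -- A DBA reset passes NULL, so the similarity check cannot fire there.
  IF old_password IS NOT NULL
     AND pw_edit_distance(UPPER(password), UPPER(old_password)) < 4 THEN
    raise_application_error(-20004,
      'New password must differ from the old one by at least 4 edits');
  END IF;
  RETURN TRUE;
END;
/

-- Attach it to a profile. The REUSE limits are what consult USER_HISTORY$;
-- the verify function catches the "Winter2024x!" -> "Winter2025x!" habit
-- (distance 1) that REUSE limits alone let through.
CREATE PROFILE strict_pw LIMIT
  PASSWORD_VERIFY_FUNCTION pw_verify_strict
  PASSWORD_LIFE_TIME       90
  PASSWORD_REUSE_MAX       10
  PASSWORD_REUSE_TIME      365;

ALTER USER app_user PROFILE strict_pw;
```

The caveat worth remembering is in the comment on old_password: the distance check only has something to compare against when the old password is passed in, so a reset performed by a DBA (or any client that does not use the REPLACE clause) bypasses it. Oracle's own UTL_MATCH.EDIT_DISTANCE could be used in place of the hand-written routine.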
 