Security – Make DBA Life Easy

Column Privileges in Oracle

Table column privileges include only INSERT,UPDATE without SELECT unfortunately.

How to Grant Column Privileges ?

SQL> GRANT update (columnname1),insert (columnname2, columnname3)  ON user1.table1 TO user2;

How to Check Column Privileges ?

SQL> select * from dba_col_privs ;

How to Remove Column Privileges ?

SQL> revoke insert (columnname2, columnname3) ON user1.table1 from user2;
revoke insert (columnname2, columnname3) ON user1.table1 from user2;
              *
ERROR at line 1:
ORA-01750: UPDATE/REFERENCES may only be REVOKEd from the whole table, not by column

SQL> revoke insert  on  user1.table1 from user2;
Revoke succeeded.

Autonomous Health Framework (AHF ) 20.4.4.0.0 and vulnerability CVE-2021-45105/CVE-2021-44228/CVE-2021-45046

A client’s ExaCC platform installed with Autonomous Health Framework (AHF ) 20.4.4.0.0, which uses /opt/oracle.ahf/common/jlib/log4j-core-2.13.3.jar.

So to address vulnerability CVE-2021-45105/CVE-2021-44228/CVE-2021-45046. AHF should be upgraded to 21.4 or later versions.

To download the latest AHF here Autonomous Health Framework (AHF) – Including TFA and ORAchk/EXAchk (Doc ID 2550798.1)

This version 21.4 of AHF uses Log4J 2.17, fixing the following Log4J CVEs:

CVE-2021-44228
CVE-2021-45046
CVE-2021-45105

Disable Oracle Password Verification and Complexity Function

While installing OEM 13c, the following warning might occur from checking OEM repository database:

“Oracle strongly recommends that you disable the password verification function in your database before proceeding any further”

Let’s check and disable password verification function if any.

SQL>select username, profile from dba_users where username like 'SYSMAN%';

USERNAME                       PROFILE
------------------------------ ------------------------------
SYSMAN_TYPES                   DEFAULT
SYSMAN_RO                      MGMT_INTERNAL_USER_PROFILE
SYSMAN_OPSS                    MGMT_INTERNAL_USER_PROFILE
SYSMAN_STB                     MGMT_INTERNAL_USER_PROFILE
SYSMAN_BIPLATFORM              MGMT_INTERNAL_USER_PROFILE
SYSMAN                         MGMT_INTERNAL_USER_PROFILE
SYSMAN_MDS                     MGMT_INTERNAL_USER_PROFILE

7 rows selected.

SQL>  select PROFILE,RESOURCE_NAME,LIMIT from dba_profiles  
      where PROFILE in ('DEFAULT','MGMT_INTERNAL_USER_PROFILE') 
        and RESOURCE_NAME='PASSWORD_VERIFY_FUNCTION'; 

PROFILE                    RESOURCE_NAME            LIMIT
-------------------------- ------------------------ --------------------- 
DEFAULT                    PASSWORD_VERIFY_FUNCTION NULL
MGMT_INTERNAL_USER_PROFILE PASSWORD_VERIFY_FUNCTION GMT_INTERNAL_PASS_VERIFY
SQL>

SQL> alter profile MGMT_INTERNAL_USER_PROFILE limit  
                      PASSWORD_VERIFY_FUNCTION null;
Profile altered. 

SQL>  select PROFILE,RESOURCE_NAME,LIMIT 
        from dba_profiles  
       where PROFILE in ('DEFAULT','MGMT_INTERNAL_USER_PROFILE') 
         and RESOURCE_NAME='PASSWORD_VERIFY_FUNCTION';

PROFILE                     RESOURCE_NAME             LIMIT
--------------------------  ------------------------  ------------------
DEFAULT                     PASSWORD_VERIFY_FUNCTION  NULL
MGMT_INTERNAL_USER_PROFILE  PASSWORD_VERIFY_FUNCTION  NULL
SQL>

Database Logon Trigger to Block Sessions from Some Users using Toad,SQL Developer….

Here is an example of database logon trigger for blocking specific users from accessing database through tools like Toad or SQL Developer tools, etc.

Subscribe to get access

Read more of this content when you subscribe today.

Any database users with “ADMINISTER DATABASE TRIGGER” will bypass the database logon trigger.

SQL> grant ADMINISTER DATABASE TRIGGER to testuser;

Grant succeeded.

SQL> connect testuser
Enter password:
Connected.

Schema Logon Trigger to Block Logon Sessions from Toad, SQL Developer, Sqlplus….

In production environment, sessions from developers using tools like Toad, SQL Developer, Sqlplus, etc can be blocked by after schema logon trigger.

Subscribe to get access

Read more of this content when you subscribe today.

M	T	W	T	F	S	S
		1	2	3	4	5
6	7	8	9	10	11	12
13	14	15	16	17	18	19
20	21	22	23	24	25	26
27	28	29	30	31