Practice: Demonstrating Database User Objects, Roles and Permissions.

 

This practice uses common UNIX and Windows NT Oracle utilities to review database user objects’ key roles and  permissions.  You will:

1.        See default user objects and their default passwords.

2.        Understand V$PWFILE_USER data dictionary view, and how to use this view to inspect SYSDBA or SYSOPER privileges assigned to user objects.

3.        Examine two key data dictionary views that reveal information about an important privilege for Oracle Audit.

4.        Investigate how to find user objects that are assigned unlimited tablespace in your active Oracle instances.

5.        Review the secure method for invoking SQLPlus, utilizing the /nolog command line switch.

 

 

ASSUMPTIONS

 

1.        This practice references SQL commands that function equivalently on the UNIX and NT operating systems.

2.        Results may vary slightly according to your Oracle environment.

3.        To further illustrate and guide this activity, view  this topic’s  Demo in conjunction with this Practice.

4.        Login to your sqlplus session using the SYSTEM user object and the current password.

 

 

INSTRUCTIONS

 

1.

UNIX: Open a shell, login, and type the following command:

NT: Open a DOS prompt, or invoke from the START/RUN pull down box.

 

sqlplus system/<password>                         SQL> connect system/manager Connected. SQL> connect sys/change_on_install Connected. SQL> connect scott/tiger Connected. SQL>

 

Each connect command shows if the default password is in use with that particular default database user object.   Those objects using the default passwords should have their passwords changed.

 

 

2.

UNIX:  Open a shell, login, and type the following command

NT: Open a DOS prompt, or invoke from the START/RUN pull down box.

 

sqlplus system/<password>   SQL> select * from v$pwfile_users;   USERNAME                       SYSDB SYSOP ------------------------------       -----       ----- INTERNAL                       TRUE      TRUE SYS                            TRUE      TRUE ROD                            TRUE      FALSE   SQL>

 

It is normal for INTERNAL or SYS to have the SYSOPER and/or SYSDBA privilege.   Any other user objects are suspect and should be scrutinized.

 

 

3.

UNIX: Open a shell, login, and type the following command:

NT: Open a DOS prompt, or invoke from the START/RUN pull down box.

 

sqlplus system/<current password>   SQL> select role,privilege from role_sys_privs        2  where role='DELETE_ANY_CATALOG'; no rows selected   SQL> select role,privilege from role_sys_privs        2  where role='DELETE_ANY_CATALOG'; no rows selected

 

Any user objects that have the DELETE_ANY_CATALOG privilege should be scrutinized closely.  Verify the need for this object to have this privilege.  If in doubt, revoke the privilege.

 

 

4.

UNIX: Open a shell, login, and type this command

NT: Open a DOS prompt, or invoke from the START/RUN pull down box.

 

sqlplus system/<current password>   SQL> select username,max_bytes,max_blocks from dba_ts_quotas;   USERNAME                        MAX_BYTES MAX_BLOCKS ------------------------------ ---------- ---------- RODOEMREPOS                            -1         -1 RODOEMREPOS                            -1         -1   SQL>

 

The numeric “-1” is the indication of unlimited tablespace assignments, whether in a MAX_BYTES or MAY_BLOCKS column.   Examine those usernames that display the “-1” value.   A username with unlimited tablespace privilege could accidentally or intentionally use 100% of that tablespace.

 

 

5.

UNIX: open a shell, login, and type the following command:

NT: no practice for this concept on NT.

 

 

sqlplus system/<current password>   SQL> host ps -ef|grep sqlplus

 

 

The results of this UNIX command within sqlplus will display the sqlplus session with the SYSTEM user object’s password in plain text.  This is a security breach, and can be avoided with utilizing sqlplus in the NOLOG mode displayed next.

 

 

6.

UNIX: Open a shell, login, and type the following command:

NT: No practice for this concept on NT.

 

 

sqlplus system /nolog   SQL> connect system/manager Connected.   SQL> host ps -ef|grep sqlplus

 

The results of this UNIX command within sqlplus will display the sqlplus session with the SYSTEM user object’s password hidden.  The session now displays only the “/nolog” in the UNIX process table.   This keeps unauthorized users from gaining passwords by watching active sessions using the UNIX command “ps”.

 

 

 

 

Practice: Demonstrating Oracle AUDIT Concepts and Procedures.

 

This practice uses common UNIX and NT Oracle utilities to practice enabling AUDIT on a database.  You will:

·             See the procedure to enable and disable Oracle AUDIT on a database.

·             Understand the SQL commands used to audit a specific user schema object.

·             Investigate how to configure Audit to extend auditing into modified or new schema objects..

 

ASSUMPTIONS

 

·             This practice will reference SQL commands that function equally on UNIX operating systems, and the NT operating system, using SQLPlus.

·             Results may vary slightly according to your Oracle environment.

·             Utilize the RealPlayer Demonstration in conjunction with this Practice, to further illustrate and guide this activity.

·             Login to your sqlplus session using the SYSTEM user object and the current password.

 

INSTRUCTIONS

 

 

1.

 

UNIX: Open a shell, login, locate and edit the initSID.ora file for your database:

NT: Use Window’ File Manager to locate the initSID.ora file for your database.

 

#audit_trail = true        # save,  original line audit_trail = true         #activated for demonstration, rjm

 

Locate the line above, make a full copy of the line in the next newline, then uncomment (remove the # symbol) from the line.  Edit comments to reflect your reasons for the change.  Save the modified file, then shutdown/startup the instance.  Audit is now active on your database instance.

 

 

2.

 

UNIX: Open a shell, login, create a SQLPlus session with the SYSTEM connection.

NT: Create an SQLPlus session with SYSTEM connection.

 

sqlplus /nolog   SQL> audit select any table by scott;   Audit succeeded.   SQL> noaudit select any table by scott;   Noaudit succeeded.   SQL> audit all by scott;   Audit succeeded.   SQL> noaudit all by scott;   Noaudit succeeded.   SQL>

 

Now, all SELECT activity by the user Scott will be recorded in the audit trail, for our review later.

 

The NOAUDIT command following disables this selective monitoring once we have accumulated sufficient data to analyze.  The next commands will begin monitoring on ALL database activity for the user Scott, and then disables that same type of monitoring.

 

 

3.

 

UNIX: Open a shell, login, create a SQLPlus session with SYSTEM connection:

NT: Create a SQLPlus session with SYSTEM connection:

 

sqlplus /nolog   SQL> audit insert on default;   Audit succeeded.   SQL> audit delete on default;   Audit succeeded.   SQL> audit update on default;   Audit succeeded.   SQL> noaudit insert on default;   Noaudit succeeded.   SQL> noaudit delete on default;   Noaudit succeeded.   SQL> noaudit update on default;   Noaudit succeeded.   SQL>

 

 

These commands will extend INSERT, DELETE, UPDATE auditing to include future new or modified schema objects.

 

The second set of NOAUDIT commands disable those same audit actions.