Oracle 11g Security Enhancements Part – 1
New parameters have been added to the Oracle Database 11g to enhance the default security of the database.
- SEC_RETURN_SERVER_RELEASE_BANNER
- SEC_PROTOCOL_ERROR_FURTHER_ACTION
- SEC_PROTOCOL_ERROR_TRACE_ACTION
- SEC_MAX_FAILED_LOGIN_ATTEMPTS
- SEC_DISABLE_OLDER_ORACLE_RPCS (appears only in the error-message reference; see the end of this post)
All of these parameters are system-wide and static: they cannot be changed in the running instance with ALTER SYSTEM ... SCOPE=MEMORY. Set them in the initialization parameter file, or with ALTER SYSTEM ... SCOPE=SPFILE, and restart the instance for the new value to take effect.
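As an added check (not part of the original post), the following SQL*Plus script lists every SEC_ parameter the instance exposes together with whether it can be changed online; ISSYS_MODIFIABLE = 'FALSE' is what "static" means in practice. The first query uses only the documented V$PARAMETER view that SHOW PARAMETER reads; the second uses the internal X$KSPPI/X$KSPPCV fixed tables (readable only as SYS) to ask whether the instance recognises a parameter name at all, which is the check to run for a name that SHOW PARAMETER does not list.

```sql
-- Added example (not from the original post): enumerate the SEC_ parameters and
-- confirm they are static, then look a name up in the internal parameter table.
SET LINESIZE 150
COLUMN name             FORMAT A40
COLUMN value            FORMAT A22
COLUMN isdefault        FORMAT A9
COLUMN issys_modifiable FORMAT A16

-- Documented view behind SHOW PARAMETER.
-- ISSYS_MODIFIABLE is IMMEDIATE, DEFERRED or FALSE; FALSE means the parameter
-- can only be changed with SCOPE=SPFILE followed by an instance restart.
SELECT name,
       value,
       isdefault,
       issys_modifiable
FROM   v$parameter
WHERE  name LIKE 'sec\_%' ESCAPE '\'
ORDER  BY name;

-- As SYS only: internal parameter table. A name that is unknown here is not
-- a parameter of this release at all, documented or otherwise.
COLUMN description FORMAT A60
SELECT i.ksppinm  AS name,
       v.ksppstvl AS value,
       i.ksppdesc AS description
FROM   x$ksppi  i
       JOIN x$ksppcv v ON v.indx = i.indx
WHERE  LOWER(i.ksppinm) LIKE '%sec_disable_older_oracle_rpcs%';
```

Run the script as SYS (the X$ tables are not grantable). Every SEC_ parameter in the first result set should show ISSYS_MODIFIABLE = FALSE, which is why the configuration examples later in this post end in SCOPE=SPFILE.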
- Restricting the release of server information

You can restrict the display of the database version banner to unauthenticated clients by setting the SEC_RETURN_SERVER_RELEASE_BANNER initialization parameter (in the initsid.ora initialization parameter file, or in the SPFILE with ALTER SYSTEM ... SCOPE=SPFILE) to TRUE or FALSE. By default it is FALSE:

```sql
SQL> show parameter SEC_RETURN_SERVER_RELEASE_BANNER

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
sec_return_server_release_banner     boolean     FALSE
```

When it is TRUE the full banner, including the exact release number, is returned to every client that connects. When it is FALSE only a generic banner (the major version with no patch level) is returned, so a client cannot fingerprint the patch level of the server before it authenticates. This narrows what an unauthenticated attacker can learn; it is not a substitute for patching, since any authenticated user can still read the exact version from V$VERSION.
- Protection against denial of service (DoS) attacks

The next two parameters specify what the server does when it receives bad (malformed) packets from a client; the assumption is that such packets come from a malicious client, or at best a broken one. SEC_PROTOCOL_ERROR_FURTHER_ACTION specifies what happens to the client connection: continue processing, delay before accepting its next request, or drop it.

```
# CONTINUE (the default): keep servicing the connection regardless of bad packets
SEC_PROTOCOL_ERROR_FURTHER_ACTION = CONTINUE
# DELAY,n: make the client wait n seconds (here 4) before the server accepts
# its next request; this slows an abusive client without dropping it
SEC_PROTOCOL_ERROR_FURTHER_ACTION = (DELAY,4)
# DROP,n: terminate the connection after n (here 10) cumulative bad packets
SEC_PROTOCOL_ERROR_FURTHER_ACTION = (DROP,10)
```

The companion parameter SEC_PROTOCOL_ERROR_TRACE_ACTION specifies the monitoring action: NONE, TRACE (the default), LOG or ALERT.

```
# TRACE (default): writes full trace files; useful when debugging a client that
# sends bad packets because of a bug
SEC_PROTOCOL_ERROR_TRACE_ACTION = TRACE
# ALERT: writes a short, one-line message to the server trace file and the alert log
SEC_PROTOCOL_ERROR_TRACE_ACTION = ALERT
# LOG: writes a short, one-line message to the server trace file
SEC_PROTOCOL_ERROR_TRACE_ACTION = LOG
# NONE: ignores the bad packets; no trace files or log messages are produced
SEC_PROTOCOL_ERROR_TRACE_ACTION = NONE
```

Note that a client which deliberately sends bad packets also decides how much trace output the server writes, so on a production system LOG or ALERT is usually a better choice than the TRACE default; ALERT is the one that operations staff will actually see.
On an instance that still has the defaults, both parameters show their default values:

```sql
SQL> show parameter SEC_PROTOCOL_ERROR_FURTHER_ACTION

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
sec_protocol_error_further_action    string      CONTINUE

SQL> show parameter SEC_PROTOCOL_ERROR_TRACE_ACTION

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
sec_protocol_error_trace_action      string      TRACE
```
- Protection against intruders

Without a password profile that limits failed logins, an intruder can keep a single connection open and try an unlimited number of authentication requests with different user names and passwords in an attempt to gain access to the database.

The new initialization parameter SEC_MAX_FAILED_LOGIN_ATTEMPTS (default 10) makes the server process drop the connection once a client has failed that many authentication attempts on it. The limit is enforced per connection, whether or not the user name exists, and it applies even when no password profile is in effect:

```sql
SQL> show parameter SEC_MAX_FAILED_LOGIN_ATTEMPTS

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
sec_max_failed_login_attempts        integer     10
```

The sqlnet.ora parameter SQLNET.INBOUND_CONNECT_TIMEOUT and the FAILED_LOGIN_ATTEMPTS limit of a password profile (set with CREATE PROFILE or ALTER PROFILE, not an initialization parameter) also restrict failed logins, but FAILED_LOGIN_ATTEMPTS is tracked per account and therefore only applies to user names that actually exist, and the timeout only bounds how long each connection attempt may take. SEC_MAX_FAILED_LOGIN_ATTEMPTS complements them by counting failures per connection regardless of user name, so the layers should be used together. A dropped client can of course reconnect, so this parameter raises the cost of guessing rather than preventing it; account lockout and auditing of failed logins remain necessary.
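The following SQL*Plus script is an added example, not code from the original post: it applies a hardened baseline for the four documented parameters discussed above (banner, protocol-error handling and failed-login limit), adds the per-account profile layer the previous paragraph contrasts them with, and then audits the running instance against the baseline. The specific values (3 bad packets, 3 failed logins per connection, LOG tracing), the APP_USERS profile and the APPUSER account are this example's own assumptions, not Oracle defaults or recommendations.

```sql
-- Added example (not from the original post): hardened baseline, profile layer
-- and a drift audit for the SEC_ parameters. All values below are assumptions.

-- 1. The SEC_ parameters are static: SCOPE=SPFILE only, effective after restart.
ALTER SYSTEM SET sec_return_server_release_banner  = FALSE      SCOPE=SPFILE;
ALTER SYSTEM SET sec_protocol_error_further_action = '(DROP,3)' SCOPE=SPFILE;
ALTER SYSTEM SET sec_protocol_error_trace_action   = LOG        SCOPE=SPFILE;
ALTER SYSTEM SET sec_max_failed_login_attempts     = 3          SCOPE=SPFILE;

-- 2. Per-account layer: lock an existing account for 30 minutes (1/48 of a day)
--    after 5 consecutive failures. This only protects user names that exist;
--    the per-connection limit above covers guesses against unknown names.
CREATE PROFILE app_users LIMIT
  FAILED_LOGIN_ATTEMPTS 5
  PASSWORD_LOCK_TIME    1/48;
ALTER USER appuser PROFILE app_users;   -- appuser: hypothetical application account

-- 3. Audit running (V$PARAMETER) and pending (V$SPPARAMETER) values against the
--    baseline. Because the parameters are static, a row stays PENDING RESTART
--    between the ALTER SYSTEM above and the next bounce. Parentheses and spaces
--    are stripped before comparing, on the assumption that the displayed form of
--    SEC_PROTOCOL_ERROR_FURTHER_ACTION is "(DROP,3)".
COLUMN name          FORMAT A36
COLUMN running_value FORMAT A16
COLUMN spfile_value  FORMAT A16
COLUMN status        FORMAT A16
WITH baseline AS (
  SELECT 'sec_return_server_release_banner'  AS name, 'FALSE'  AS expected FROM dual UNION ALL
  SELECT 'sec_protocol_error_further_action',         'DROP,3'             FROM dual UNION ALL
  SELECT 'sec_protocol_error_trace_action',           'LOG'                FROM dual UNION ALL
  SELECT 'sec_max_failed_login_attempts',             '3'                  FROM dual
)
SELECT b.name,
       p.value AS running_value,
       s.value AS spfile_value,
       CASE
         WHEN TRANSLATE(UPPER(p.value), 'X() ', 'X') = b.expected THEN 'OK'
         WHEN TRANSLATE(UPPER(s.value), 'X() ', 'X') = b.expected THEN 'PENDING RESTART'
         ELSE 'DRIFTED'
       END AS status
FROM   baseline b
       LEFT JOIN v$parameter   p ON p.name = b.name
       LEFT JOIN v$spparameter s ON s.name = b.name
ORDER  BY b.name;
```

Run the audit query on its own from a monitoring job: any DRIFTED row means someone changed the SPFILE or the instance was started from a different parameter file, and a PENDING RESTART row that persists means a hardening change was applied but never activated.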
I recently came across a new parameter, SEC_DISABLE_OLDER_ORACLE_RPCS, in Database Error Messages 11g Release 1:

```
ORA-03139: This OCI call has been disabled by the DBA
Cause: The SEC_DISABLE_OLDER_ORACLE_RPCS initialization
Action: Contact the Database Administrator
```

But when I searched the Oracle documentation I did not find any detail about it, and I did not find any detail about it on the database either:

```sql
SQL> show parameter SEC_DISABLE_OLDER_ORACLE_RPCS
SQL>
```