Oracle Database Architecture and User Security

Questions and Answers

In Oracle Database architecture, which component is responsible for storing data and code for an individual server process?

• Control File
• Redo Log Files
• System Global Area (SGA)
• Program Global Area (PGA) (correct)

Which command is used to grant a user the ability to connect to an Oracle database?

• `GRANT CONNECT TO username;`
• `GRANT CREATE TABLE TO username;`
• `GRANT CREATE SESSION TO username;` (correct)
• `GRANT EXECUTE ON procedure_name TO username;`

You need to create a profile in Oracle to limit the session duration for a user. Which CREATE PROFILE option would achieve this?

• `CREATE PROFILE limit_profile LIMIT CONNECT_TIME 60;` (correct)
• `CREATE PROFILE limit_profile LIMIT PASSWORD_LIFE_TIME 60;`
• `CREATE PROFILE limit_profile LIMIT FAILED_LOGIN_ATTEMPTS 3;`
• `CREATE PROFILE limit_profile LIMIT IDLE_TIME 60;`

Which of the following is the correct SQL command to remove a user from an Oracle database, including all their objects?

DROP USER username CASCADE; (C)

You want to grant a user the privilege to both select data from the employees table and allow them to grant this privilege to other users. Which SQL statement should you use?

GRANT SELECT ON employees TO username WITH GRANT OPTION; (C)

Which Oracle feature allows you to define access control policies based on the context of the user's session, such as the application they are using or their location?

Virtual Private Database (VPD) (B)

What is the primary purpose of auditing in Oracle Database?

To track and record database activity for security and compliance. (B)

Which of the following actions is most important when securing the Oracle Listener?

Ensuring the Listener only accepts connections from authorized IP addresses. (D)

Your organization requires that all database passwords be changed every 90 days. How can you enforce this requirement in Oracle Database?

By setting the PASSWORD_LIFE_TIME parameter in a profile and assigning it to users. (B)

What is the purpose of Transparent Data Encryption (TDE) in Oracle Database?

To encrypt data at rest, protecting it from unauthorized access to storage media. (B)

Flashcards

Architecture Oracle Database

Composée d'une instance Oracle (processus en mémoire et d'arrière-plan) et d'une base de données (fichiers de données, journaux redo, fichier de contrôle).

Privilèges dans Oracle

Assurent la capacité d'un utilisateur à se connecter et interagir avec la base de données, incluant la création d'objets ou la sélection de données.

Rôles Oracle

Groupe de privilèges accordés à des utilisateurs ou d'autres rôles, simplifiant la gestion des droits d'accès.

Profils Oracle

Permet de limiter les ressources (temps de connexion, CPU, espace disque) utilisées par un utilisateur.

Oracle Listener

Processus écoutant les connexions entrantes à la base de données. Sécuriser le Listener est crucial.

Chiffrement des données

Protège les données sensibles via des méthodes comme Transparent Data Encryption (TDE) ou le masquage des données.

CREATE USER

Commande SQL utilisée pour créer un nouvel utilisateur de base de données.

ALTER USER

Commande SQL utilisée pour modifier un utilisateur existant, comme changer le mot de passe, verrouiller ou déverrouiller le compte et attribuer un profil.

GRANT

Commande SQL utilisée pour accorder des privilèges système ou d'objet à un utilisateur ou à un rôle.

REVOKE

Commande SQL utilisée pour révoquer les privilèges système ou d'objet précédemment accordés à un utilisateur ou à un rôle.

Study Notes

Architecture Oracle Database

• An Oracle database consists of an Oracle instance and a database.
• The Oracle instance includes memory structures and background processes.
• The database includes data files, redo log files, and a control file.
• The System Global Area (SGA) and the Program Global Area (PGA) are memory structures.
• The SGA is shared memory that stores data and code for the Oracle instance.
• The PGA is private memory that stores data and code for a server process.
• Background processes perform tasks such as writing data to disk.
• Data files store data in the database; redo log files record database changes.
• The control file contains metadata about the database.

User Security

• User security in Oracle is managed via user accounts, roles, and privileges.
• A user account consists of a username and password for database login.
• A role is a group of privileges that can be granted to users or other roles.
• A privilege is the right to perform a specific database action.

User Creation

• Users are created using the CREATE USER command.
• The basic syntax is CREATE USER username IDENTIFIED BY password;
• Strong passwords are vital, options like ACCOUNT LOCK can lock accounts.

Privilege Assignment

• System privileges allow general database operations.
• Object privileges allow actions on specific objects like tables.
• Privileges are granted using the GRANT command.
• GRANT CREATE SESSION TO username; allows the user to connect.
• GRANT SELECT ON table_name TO username; allows the user to read data.
• WITH GRANT OPTION enables the user to grant privileges to others.

Roles

• Roles simplify privilege management for multiple users.
• Predefined roles include CONNECT, RESOURCE, and DBA.
• Custom roles can be created with CREATE ROLE.
• Privileges are granted to roles with GRANT.
• Roles are assigned to users with GRANT role_name TO username; and revoked with REVOKE role_name FROM username;

Profiles

• Profiles limit the resources used by a user, such as CPU, connection time, and disk space.
• Profiles are created with CREATE PROFILE and assigned during user creation or modification.
• CREATE PROFILE limit_profile LIMIT CONNECT_TIME 60 IDLE_TIME 30; creates a profile that limits connection and idle times
• Assign a profile to user: ALTER USER username PROFILE limit_profile;

Authentication

• Password authentication is the most common method.
• Kerberos and other external authentication methods can be configured.
• Centralized authentication manages users and passwords in one location.

Audit

• Auditing tracks actions performed in the database.
• Auditing is configured with the AUDIT command, and audit information is stored in audit tables.
• Logs can be analyzed to detect suspicious activity.

Network Security

• The Oracle Listener process listens for incoming connections.
• Securing the Listener is important for preventing attacks by using TLS to encrypt communications.
• Firewall rules are essential for limiting database access.

Data security

• Data encryption protects sensitive information.
• Oracle offers encryption options like Transparent Data Encryption (TDE).
• Data masking hides sensitive information in development/test environments.
• Virtual Private Database (VPD) defines access rules based on context.

Password Management

• Complex password policies are a security best practice.
• Password requirements encompass length, complexity, and history.
• Passwords should be changed regularly; use ALTER USER username PASSWORD EXPIRE; to force a password change upon next login.

User Deletion

• Users are deleted with the command DROP USER username;
• CASCADE is needed to drop any objects the user owns, like this: DROP USER username CASCADE;

Key SQL Commands

• CREATE USER: Creates a new database user.
• ALTER USER: Modifies a user account.
• DROP USER: Removes a user from the database.
• GRANT: Grants system or object privileges to a user or role.
• REVOKE: Revokes privileges.
• CREATE ROLE: Creates a new role.
• ALTER ROLE: Modifies a role.
• DROP ROLE: Deletes a role.
• CREATE PROFILE: Creates a profile to limit user resources.
• ALTER PROFILE: Modifies an existing profile.
• DROP PROFILE: Deletes a profile.
• ALTER USER: Assigns a profile to a user.

Advanced Auditing

• Standard auditing can be combined with Fine Grained Auditing (FGA).

Continuous Monitoring

• Oracle Enterprise Manager (OEM) monitors user activity.

Application Security

• Applications should connect to the database using accounts with limited privileges and avoid embedding database credentials directly in application code.