
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.


Oracle 12c Security
Well, it has been a long time to wait for 12cR1 to be released. The beta program has been on for a long time and I was not involved, so I didn't get to see 12c until last week for the first time. It would have been nice to have seen 12c before now, but it wasn't an option for me. I did get to hear a little about the new 12c features at the UKOUG conference at the end of last year from a couple of talks. Tom Kyte did a talk about the Oracle security features coming in 12c at that time.

I downloaded 12cR1 for Linux x64 last Tuesday just after it came out, but I could not start to attempt to install it until later in the week as I am just too busy with paying work at the moment. I first tried to install Oracle Linux 6.4 in VMware but had trouble. It installed properly, but when the install came to reboot at the end, the Linux kernel panicked. I tried again with Oracle Linux 6.3 and Oracle Linux 6.1 after speaking to Tim Hall, who told me 6.4 worked for him on VMware and also on VirtualBox on Windows and also Linux. I was trying to install onto an external USB terabyte drive, which was the only difference from Tim's setup (in high-level terms; PCs are obviously completely different under the skin). I then tried to install Oracle Linux 6.4 in VirtualBox and again got a very similar error: at the time of reboot after the last setup step, VirtualBox itself crashed. So whilst the kernel didn't panic, it failed in the same place with a similar error.

Anyway, Tim also said he had used Oracle Linux 5.9, so over the weekend I installed 5.9 and then finally got Oracle 12cR1 installed. Wow, it's finally there.

The last few days I have been very busy with paid work, so I have not had a lot of time to play with 12cR1 yet, but I have done quite a bit of digging already into the database itself with SQL*Plus and also into the documentation to see what's changed, what's new in terms of Oracle security, and also which new features that are not related to security may affect security. I have made a lot of notes on paper, so there is plenty of fodder for blog posts. So expect more blogging than has been usual for the last couple of years. I saw Steve Karam's post about Oracle 12c yesterday, and the list of Oracle 12c posts by various bloggers shows that there is a lot more interest in this release than in previous ones.

The biggest change of course is the multi-tenant (or is it multitenant?) addition to the database, with root containers, seed containers, pluggable databases, CDBs, PDBs and more. I have already had a play with my existing PL/SQL tools and also our scanner PFCLScan and have found out quite a lot so far. In terms of security, there are a lot of new features at the high level. I will discuss these in a future post, but the biggest for security is the multi-tenant or pluggable databases, as we now have local and global (or common) users and privileges, and database objects and even parameters that are local or global. I will go into more detail in a future post about that and its implications for security. I will also discuss the general new security features such as unified audit trails, redaction, PL/SQL privileges, authentication, SHA2 (or SHA-2?), dbms_crypto and much more, but also I will discuss all the smaller things I have seen so far: view changes, privilege changes, last login and much more.

As I said, I have made pages of high-level notes, so I have plenty of material for blog posts, and I hope to find enough time to discuss them all in some detail.

This new 12cR1 seems to be a good change. DV and OLS seem to be installed, and I have always liked VPD, FGA, OLS and DV as concepts and features, and indeed have helped a number of customers design, implement and use VPD/OLS/FGA, so it's good to see some of them being used as core database features. I don't know how much of pluggable databases or multi-tenant is code changes to the core database and how much is implemented as DV or OLS policies (if any; maybe the presence of DV and OLS is for ease of build, to bind DV to the core to prevent the issue of turning it on and off, or maybe it's part of the functionality), but to me the presence of these security functions in the core database being used to, clearly, protect the database is good. They are still cost options to EE, but why not use them in all databases to implement or protect core database features?

That's it for now; more to come soon with details on 12cR1 Oracle security!