2.4 Strengthen Database Security


Oracle Database contains built-in security features that help protect it from many types of attacks, including SQL injection.

Here is a list of some of the practices to observe when you secure the Oracle database:

  • Encrypt sensitive data so that it cannot be read in clear text.
  • Evaluate all PUBLIC privileges and revoke them where possible.
  • Do not widely grant EXECUTE ANY PROCEDURE.
  • Avoid granting privileges WITH ADMIN option.
  • Ensure that application users are granted minimum privileges by default. Make privileges configurable if necessary.
  • Do not allow wide access to any standard Oracle packages that can operate on the operating system, such as UTL_HTTP, UTL_SMTP, UTL_TCP, DBMS_PIPE, UTL_MAIL, and UTL_FTP.
  • Certain Oracle packages such as UTL_FILE and DBMS_LOB are governed by the privilege model of the Oracle DIRECTORY object. Protect Oracle DIRECTORY objects.
  • Lock the database default accounts and expire the default passwords.
  • Remove example scripts and programs from the Oracle directory.
  • Run the database listener as a nonprivileged user.
  • Ensure that password management is active.
  • Enforce password management. Apply basic password management rules, such as password length, history, and complexity, to all user passwords, and mandate that all users change their passwords regularly.
  • Lock and expire the default user accounts and change the default user password.
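The following script is an added example that is not part of the tutorial; it shows how a DBA would carry out the practices listed above in Oracle SQL. The schema, user, role, profile, and directory names (hr.employees, app_user, app_mailer, app_readonly, app_secure, data_dir) are illustrative assumptions, and the verify function name depends on the Oracle release in use.

```sql
-- Added example (not from the tutorial). Run as a user with DBA privileges.
-- All object, user, role, profile, and directory names are illustrative assumptions.

-- 1. Evaluate PUBLIC privileges: list what PUBLIC can execute before revoking anything.
SELECT table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND table_name IN ('UTL_HTTP', 'UTL_SMTP', 'UTL_TCP', 'DBMS_PIPE',
                      'UTL_MAIL', 'UTL_FTP', 'UTL_FILE', 'DBMS_LOB');

-- Remove wide access to packages that reach the OS or network, then grant
-- EXECUTE only to the single application schema that needs it (no WITH GRANT OPTION).
REVOKE EXECUTE ON SYS.UTL_HTTP FROM PUBLIC;
REVOKE EXECUTE ON SYS.UTL_SMTP FROM PUBLIC;
REVOKE EXECUTE ON SYS.UTL_TCP  FROM PUBLIC;
REVOKE EXECUTE ON SYS.DBMS_PIPE FROM PUBLIC;
GRANT EXECUTE ON SYS.UTL_SMTP TO app_mailer;

-- 2. Find holders of EXECUTE ANY PROCEDURE and of any privilege granted WITH ADMIN OPTION.
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege = 'EXECUTE ANY PROCEDURE'
    OR admin_option = 'YES';

-- The ADMIN OPTION cannot be removed on its own: revoke the privilege,
-- then regrant it without the option where it is still required.
REVOKE EXECUTE ANY PROCEDURE FROM app_user;
REVOKE CREATE SESSION FROM app_user;
GRANT CREATE SESSION TO app_user;

-- 3. Protect DIRECTORY objects, which govern what UTL_FILE and DBMS_LOB may touch.
SELECT p.grantee, p.table_name, p.privilege
  FROM dba_tab_privs p
  JOIN dba_objects o
    ON o.object_name = p.table_name
 WHERE o.object_type = 'DIRECTORY';
REVOKE READ, WRITE ON DIRECTORY data_dir FROM PUBLIC;

-- 4. Least privilege by default: application users get a role that carries
-- only the object privileges the application actually uses.
CREATE ROLE app_readonly;
GRANT CREATE SESSION TO app_readonly;
GRANT SELECT ON hr.employees TO app_readonly;
GRANT app_readonly TO app_user;

-- 5. Enforce password management through a profile: lockout, lifetime,
-- history, and a complexity verify function. ORA12C_VERIFY_FUNCTION is the
-- name shipped with 12c and later; earlier releases use VERIFY_FUNCTION_11G.
CREATE PROFILE app_secure LIMIT
  FAILED_LOGIN_ATTEMPTS     5
  PASSWORD_LOCK_TIME        1
  PASSWORD_LIFE_TIME        90
  PASSWORD_GRACE_TIME       7
  PASSWORD_REUSE_TIME       365
  PASSWORD_REUSE_MAX        10
  PASSWORD_VERIFY_FUNCTION  ora12c_verify_function;
ALTER USER app_user PROFILE app_secure;

-- 6. Lock the default accounts and expire their passwords. DBA_USERS_WITH_DEFPWD
-- lists accounts still using a known default password.
SELECT d.username, u.account_status
  FROM dba_users_with_defpwd d
  JOIN dba_users u ON u.username = d.username;
ALTER USER scott ACCOUNT LOCK PASSWORD EXPIRE;

-- 7. Encrypt sensitive columns with Transparent Data Encryption. This assumes
-- a TDE keystore (wallet) has already been configured and opened.
ALTER TABLE hr.employees MODIFY (salary ENCRYPT);
```

Run each SELECT first and review its output before the matching REVOKE or ALTER: the audit queries tell you which grants actually exist, so you revoke only what is present and can record the before and after state for later verification.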

For more details on this topic, see: