An important concept in computer security, the principle of least privilege (POLP) is to limit users' access rights to the minimum permissions they need to do their job.
A user should be granted only as many privileges as they need. That way, whatever the user needs to do, they will have only the privileges related to it.
By applying this principle in databases, you can increase security to the next level.
To enforce the policy of least privilege on Oracle databases:
- Secure the data dictionary. When the O7_DICTIONARY_ACCESSIBILITY parameter is FALSE, access to data dictionary tables is restricted for users with ANY TABLE privileges. The default value of the parameter is FALSE and should not be changed.
- Revoke unnecessary privileges from PUBLIC. EXECUTE on packages such as UTL_SMTP, UTL_TCP, UTL_HTTP and UTL_FILE is granted to PUBLIC. These grants can be revoked if they are not needed.
- Use an access control list (ACL) to control network access. Starting with version 11g, you must create a network access control list and authorize the relevant user for network access.
- Restrict access to operating system directories.
- Restrict administrative privileges on users. Do not grant DBA privileges to normal users.
- Restrict remote database authentication. The REMOTE_OS_AUTHENT parameter determines whether remote clients will authenticate with the value of the OS_AUTHENT_PREFIX parameter. Its default value is FALSE and it should stay that way. If it is set to TRUE, users created with “CREATE USER … IDENTIFIED EXTERNALLY” will be able to log in to the system.
- Define and monitor audit policies for users' critical statements and transactions. Track SYS operations in your databases. For this, the value of the AUDIT_SYS_OPERATIONS parameter must be TRUE. When the unified auditing feature in version 12.2 is used for monitoring, the audit records are located in the SYS.UNIFIED_AUDIT_TRAIL view.
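
Several items in the checklist above can be verified with one read-only query that returns a row per deviation. This is an added example, not part of the original article; it assumes SELECT access to V$PARAMETER and the DBA_ dictionary views, and treating SYS and SYSTEM as the only expected DBA holders is an assumption about your baseline.

```sql
-- Added example: read-only audit of the checklist items; returns one row per finding.
-- Assumes SELECT access to V$PARAMETER and the DBA_ dictionary views.
SELECT 'PARAMETER' AS check_type,
       UPPER(name) AS item,
       'is set to ' || value AS finding
FROM   v$parameter
WHERE  (name IN ('o7_dictionary_accessibility', 'remote_os_authent')
        AND UPPER(value) = 'TRUE')
   OR  (name = 'audit_sys_operations' AND UPPER(value) = 'FALSE')
UNION ALL
-- EXECUTE on the network and file packages still granted to PUBLIC
SELECT 'PUBLIC_EXECUTE',
       owner || '.' || table_name,
       'EXECUTE granted to PUBLIC'
FROM   dba_tab_privs
WHERE  grantee = 'PUBLIC'
AND    privilege = 'EXECUTE'
AND    table_name IN ('UTL_SMTP', 'UTL_TCP', 'UTL_HTTP', 'UTL_FILE')
UNION ALL
-- DBA role holders; excluding SYS and SYSTEM is an assumption about the baseline
SELECT 'DBA_ROLE',
       grantee,
       'holds DBA' || CASE admin_option WHEN 'YES' THEN ' with ADMIN OPTION' END
FROM   dba_role_privs
WHERE  granted_role = 'DBA'
AND    grantee NOT IN ('SYS', 'SYSTEM')
UNION ALL
-- Accounts created with IDENTIFIED EXTERNALLY
SELECT 'EXTERNAL_AUTH',
       username,
       'externally authenticated, account status ' || account_status
FROM   dba_users
WHERE  authentication_type = 'EXTERNAL'
UNION ALL
-- Grants on directory objects, which map to operating system directories
SELECT 'DIRECTORY_PRIV',
       p.grantee,
       p.privilege || ' on ' || d.directory_name || ' (' || d.directory_path || ')'
FROM   dba_tab_privs p
JOIN   dba_directories d
ON     d.owner = p.owner AND d.directory_name = p.table_name
WHERE  p.privilege IN ('READ', 'WRITE')
ORDER  BY 1, 2;

-- Remediation for a PUBLIC_EXECUTE finding (check dependent objects first):
-- REVOKE EXECUTE ON SYS.UTL_HTTP FROM PUBLIC;
```

An empty result means none of these checks found a deviation; a parameter that does not exist in your release simply produces no row.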