Oracle Database Data Protection

kwlol asked:
I would like to know how the Oracle database files are protected under the operating system, say AIX.  In particular,
- are the database files encrypted, so that they could not be seen by other users under the same OS?
- how about its stored procedures, would they be stored as plain text under the OS?
- any log files that may leak out the data stored inside?

Thanks.
Most Valuable Expert 2012
Distinguished Expert 2018

Commented:
- is the database files encrypted, so that they could not be seen by other users under the same OS?

Not by default.  You need additional products to achieve this:
http://www.oracle.com/us/products/database/sans-tde-wp-178238.pdf

- how about its stored procedures, would they be stored as plained text under the OS?

By default stored procedure code is in clear text.  Check out the WRAP program (They can still be unwrapped):

http://docs.oracle.com/cd/E11882_01/appdev.112/e25519/wrap.htm

- any log files that may leak out the data stored inside?

Main ones: Archived redo logs.

Also, any trace files have the potential to leak data.  Depending on what you consider a leak, log files like sqlnet.log and even the listener.log can provide some sensitive information.
johnsone, Senior Oracle DBA

Commented:
While the data files are not encrypted, they are not easily human readable.  You could probably figure out things stored in VARCHAR or CHAR fields, but anything in a NUMBER field is definitely not human readable.

For stored procedures, they are stored in a data file and not easily accessible from the OS.  From within the database, they are stored in plain text unless wrapped as already suggested.

Archive log files go with data files.  The information in them is not human readable, but VARCHAR or CHAR fields could possibly be pulled from them in some way.

The only human readable file that I could think of that might have data in it would be a trace file.  However that depends on how your application is written.  If it is all done with bind variables, that would drastically minimize the amount of data that is in the files.  Also, this would assume that you have tracing turned on.  If it is off, then this would minimize it even more.
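An added example (not part of the thread, and not Oracle's own tooling) of the point johnsone makes about trace files: with literal SQL the application data lands in the trace as part of the statement text, with bind variables it does not. One caveat a practitioner should keep in mind: at SQL trace levels that also dump binds (10046 level 4 or 12), the bound values appear in a separate BINDS section, so the scanner below checks both. The trace excerpts are constructed and only loosely modelled on the real trace layout.

```python
import re

# Constructed sample trace excerpts (not real trace files), loosely modelled on
# the layout of an Oracle SQL trace: a "PARSING IN CURSOR" header line, the
# statement text, "END OF STMT", and, at bind-dumping trace levels, a BINDS
# section whose value="..." lines carry the bound data.
TRACE_LITERALS = """\
PARSING IN CURSOR #1 len=84 dep=0 uid=85 oct=3 lid=85 tim=1 hv=1 ad='0' sqlid='x'
SELECT card_no FROM accounts WHERE cust_name = 'ALICE SMITH' AND ssn = '123-45-6789'
END OF STMT
"""

TRACE_BINDS = """\
PARSING IN CURSOR #2 len=62 dep=0 uid=85 oct=3 lid=85 tim=2 hv=2 ad='0' sqlid='y'
SELECT card_no FROM accounts WHERE cust_name = :1 AND ssn = :2
END OF STMT
"""

# The same bound statement at a trace level that also dumps bind values.
TRACE_BINDS_WITH_VALUES = TRACE_BINDS + """\
BINDS #2:
 Bind#0
  oacdty=01 mxl=32(11) mxlc=00 mal=00 scl=00 pre=00
  value="ALICE SMITH"
 Bind#1
  oacdty=01 mxl=32(11) mxlc=00 mal=00 scl=00 pre=00
  value="123-45-6789"
"""

STMT_RE = re.compile(r"^PARSING IN CURSOR[^\n]*\n(.*?)\nEND OF STMT", re.S | re.M)
LITERAL_RE = re.compile(r"'((?:[^']|'')*)'")
BIND_VALUE_RE = re.compile(r'^\s*value="(.*)"\s*$', re.M)


def statements(trace: str) -> list:
    """Return the SQL text of every parsed statement in a trace excerpt."""
    return STMT_RE.findall(trace)


def literal_leaks(trace: str) -> list:
    """String literals embedded in statement text: data that is in the trace
    file regardless of trace level.  The header line is excluded on purpose,
    since its ad='...' and sqlid='...' fields are not application data."""
    leaks = []
    for sql in statements(trace):
        leaks.extend(m.replace("''", "'") for m in LITERAL_RE.findall(sql))
    return leaks


def bind_values(trace: str) -> list:
    """Bound values dumped in BINDS sections.  These exist only at trace levels
    that include binds, so an empty result does not prove the data was never
    sent; it only means this trace did not record it."""
    return BIND_VALUE_RE.findall(trace)


def audit(trace: str) -> dict:
    """Summarise what a trace excerpt exposes."""
    return {"literals": literal_leaks(trace), "bind_values": bind_values(trace)}


if __name__ == "__main__":
    for name, t in [("literals", TRACE_LITERALS), ("binds", TRACE_BINDS),
                    ("binds+values", TRACE_BINDS_WITH_VALUES)]:
        print(name, audit(t))
```

Running `audit()` over a real trace directory is the practical check: the literal list should be empty for a well-written application, and anything in the bind-value list tells you the trace was taken at a level that should not be left enabled on a production instance.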
Most Valuable Expert 2012
Distinguished Expert 2018

Commented:
>>they are not easily human readable

There are a lot of tools out there to browse (recover) data by reading the DBF files directly.

Oracle even supplies one:  BBED
http://www.dba-oracle.com/forensics/t_forensics_bbed.htm

>>The information in them is not human readable, but VARCHAR or CHAR fields could possibly be pulled from them in some way.

Logminer.
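An added illustration (not from the thread, and not BBED or any Oracle tool) of both points above: johnsone's remark that a NUMBER column is not human readable, and slightwv's that tools read the datafiles directly. NUMBER is stored in Oracle's documented internal format (the bytes that `SELECT DUMP(x) FROM DUAL` prints as `Typ=2`): a base-100 exponent byte followed by base-100 mantissa digits, with a sign-dependent offset. That is opaque to `strings`, but a few lines decode it, so "not human readable" is not protection. The row below is constructed for the example; its length-prefixed column layout is a simplification, and the block and row headers of a real datafile are omitted.

```python
import re
from decimal import Decimal


def encode_number(value) -> bytes:
    """Encode a value in Oracle's NUMBER on-disk format (DUMP shows it as Typ=2).
    Positive: [193 + e] then each base-100 digit + 1.
    Negative: [62 - e] then 101 - each digit, terminated by 102 when short.
    Zero: the single byte 0x80."""
    value = Decimal(value)
    if value == 0:
        return b"\x80"
    negative = value < 0
    mag = abs(value)
    # base-100 exponent e such that mantissa = mag / 100**e lies in [1, 100)
    e = 0
    while mag / Decimal(100) ** e >= 100:
        e += 1
    while mag / Decimal(100) ** e < 1:
        e -= 1
    mantissa = mag / Decimal(100) ** e
    digits = []                      # base-100 digits, most significant first
    while mantissa != 0 and len(digits) < 20:
        d = int(mantissa)
        digits.append(d)
        mantissa = (mantissa - d) * 100
    if not negative:
        return bytes([193 + e] + [d + 1 for d in digits])
    body = bytes([62 - e] + [101 - d for d in digits])
    # negatives carry a 102 terminator unless all 20 mantissa bytes are used
    return body + (b"\x66" if len(digits) < 20 else b"")


def decode_number(raw: bytes) -> Decimal:
    """Inverse of encode_number: turn the raw column bytes back into a value."""
    if raw == b"\x80":
        return Decimal(0)
    head = raw[0]
    if head & 0x80:                          # positive: exponent byte >= 128
        e, sign = head - 193, 1
        digits = [b - 1 for b in raw[1:]]
    else:                                    # negative: exponent byte = 62 - e
        e, sign = 62 - head, -1
        body = raw[1:-1] if raw[-1] == 102 else raw[1:]
        digits = [101 - b for b in body]
    value = sum(Decimal(d) * Decimal(100) ** (e - i) for i, d in enumerate(digits))
    return sign * value


def row_piece(*columns: bytes) -> bytes:
    """Constructed, simplified row layout for the example: each column is a
    1-byte length followed by its data.  Block and row headers are omitted."""
    return b"".join(bytes([len(c)]) + c for c in columns)


# Constructed sample row: VARCHAR2 name, NUMBER balance, VARCHAR2 tier.
SAMPLE_ROW = row_piece(b"ALICE SMITH", encode_number("123456.78"), b"PLATINUM")


def carve_strings(blob: bytes, min_len: int = 4) -> list:
    """What strings(1) or grep would show: runs of printable ASCII."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def columns(blob: bytes) -> list:
    """Walk the simplified length-prefixed layout back into raw column values."""
    out, i = [], 0
    while i < len(blob):
        n = blob[i]
        out.append(blob[i + 1:i + 1 + n])
        i += 1 + n
    return out


if __name__ == "__main__":
    print("strings would see:", carve_strings(SAMPLE_ROW))
    print("decoded NUMBER column:", decode_number(columns(SAMPLE_ROW)[1]))
```

The `strings`-style carve surfaces the CHAR/VARCHAR2 values and misses the balance entirely, which is exactly the "casual user with cat and awk" situation johnsone describes; the decoder shows how little extra effort the determined reader needs, which is slightwv's point.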

johnsone, Senior Oracle DBA
Commented:
I think we are reading the question differently.  The way I read it, is by using OS level tools, such as cat, awk, etc.  Can someone read the data in the files?

Oracle also supplies SQL*Plus that can read the data files.

Certainly, I could say that by logging into the database and running a SELECT, you can see the data.  Last I checked Logminer is a tool that you need to be in the database to use.

To me, you are trying to keep the casual user from reading the files directly and getting the data out of them.  If someone wants the data, and is determined enough to get it, they will get it, even if it is encrypted.  Encryption is a deterrent.  It is not one-way like hashing.  Since by its very nature it can be reversed, there is a way to get at the data no matter what.
Most Valuable Expert 2012
Distinguished Expert 2018
Commented:
>>I think we are reading the question differently.

Possibly.  I took it from a Security standpoint talking about encryption at rest/in transit.

>>Oracle also supplies SQL*Plus that can read the data files.

All I need is a copy of your datafile/logfile and I can move it off to my own server to use logminer/BBED.  Those are pretty simple to figure out.  

I thought logminer could read logs from other systems using the command line?

I agree Encryption is a deterrent but if you encrypt at rest using a decent algorithm, you will need NSA computing capabilities to get the data.
johnsone, Senior Oracle DBA

Commented:
Last time I used LogMiner, it was a package DBMS_LOGMNR.  There is no command line that I am aware of.  Without a dictionary file it is pretty difficult to read them on another system.  The datatypes and things are skewed.  You may be able to get some information out of them from the statements, but it is all in a raw binary format (even character fields).  The dictionary file is what makes them readable.
Top Expert 2015

Commented:
You need extra products to achieve PCI-DSS conformance, as AIX or plain Oracle has no provisions to encrypt the database.
Linux, on the cheaper hand, can encrypt LVM partitions.
