How to Harden Oracle Database Security: Practical Hardening Steps

This guide outlines comprehensive Oracle database security hardening measures, covering system‑level protections, disaster‑recovery configuration, account privilege tightening, data access controls, network restrictions, password policies, audit settings, and patch management, with concrete commands and configuration examples for each step.

ITPUB

Oracle Database Self‑Security

Discusses the need to secure the Oracle database itself before addressing operating‑system and hardware layers.

Disaster‑Recovery Environment Hardening

Deploys DataGuard in a physical standby configuration using a primary‑to‑multiple‑standby scheme. Two synchronization modes are described:

Maximum performance: asynchronous redo transfer; minimal impact on the primary, but redo that has not yet reached the standby is lost on failover.

Maximum availability: synchronous by default, falling back to asynchronous if the standby is unreachable, which balances performance impact against data-loss risk.

RMAN Physical Backup

RMAN (Recovery Manager) provides full, incremental, and differential backup options. Incremental block-level backups are space-efficient, but to find the changed blocks RMAN still reads the whole database, which affects performance during the backup window.

DataPump Logical Backup

Data Pump (expdp/impdp) replaces the older exp/imp tools and allows flexible logical backups of specific users, schemas, or the entire database. Logical backups complement physical backups for large databases.

Account Privilege Hardening

Apply the principle of least privilege by revoking unnecessary system and object privileges from PUBLIC and other users.

REVOKE EXECUTE ON SYS.UTL_HTTP FROM PUBLIC;
REVOKE EXECUTE ON SYS.UTL_FILE FROM PUBLIC;
REVOKE EXECUTE ON SYS.UTL_SMTP FROM PUBLIC;
REVOKE SELECT ON ALL_USERS FROM PUBLIC;

Verify revocations via OEM or SQL queries against DBA_TAB_PRIVS.
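The check a DBA wants before and after those REVOKE statements, as an added example that is not part of the original article: the first query shows which application schemas reference the packages (so they can be granted EXECUTE directly instead of inheriting it from PUBLIC, and nothing breaks), the second confirms what PUBLIC still holds. It assumes a DBA connection with SELECT on the DBA_* views; the package list adds UTL_TCP to the three named above, and app_schema is a hypothetical name.

```sql
-- Added example, not from the original article.
-- 1. Who depends on the packages? Grant them directly before revoking from PUBLIC.
SELECT owner, name, type, referenced_name
FROM   dba_dependencies
WHERE  referenced_owner = 'SYS'
AND    referenced_name IN ('UTL_HTTP', 'UTL_FILE', 'UTL_SMTP', 'UTL_TCP')
AND    owner NOT IN ('SYS', 'SYSTEM')
ORDER  BY owner, name;

-- Direct grant for a schema that legitimately needs one package (hypothetical schema name).
GRANT EXECUTE ON sys.utl_file TO app_schema;

-- 2. What PUBLIC still holds on the packages and on the ALL_USERS view.
--    After the REVOKEs above this should return no rows for UTL_HTTP, UTL_FILE,
--    UTL_SMTP and ALL_USERS.
SELECT owner, table_name, privilege, grantable
FROM   dba_tab_privs
WHERE  grantee    = 'PUBLIC'
AND    owner      = 'SYS'
AND    table_name IN ('UTL_HTTP', 'UTL_FILE', 'UTL_SMTP', 'UTL_TCP', 'ALL_USERS')
ORDER  BY table_name, privilege;
```

Revoking from PUBLIC is the step most likely to break an application, which is why the dependency query comes first: the goal is to move the grant from PUBLIC to the schemas that actually use it, not to remove the capability from the database.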

User Account Management

Lock or expire passwords for unused accounts and change the default passwords of built-in accounts such as MGMT_VIEW, DBSNMP, and SYSMAN.

ALTER USER <username> PASSWORD EXPIRE;
ALTER USER <username> ACCOUNT LOCK;

DBSNMP Account Protection

Lock or change the default password of the DBSNMP account, which is created automatically and can be a security risk.

SYS User Protection

Change the SYS password to meet complexity requirements and create a separate DBA user for routine administration.
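One way to carry out the three account steps above (unused accounts, DBSNMP, SYS) as a single pass, as an added example that is not from the original article. It assumes Oracle 11g or later, where the DBA_USERS_WITH_DEFPWD view lists accounts still on an Oracle-supplied default password, and a DBA connection; dba_admin is a hypothetical account name and the passwords are placeholders.

```sql
-- Added example, not from the original article.
-- 1. Open accounts that still carry a default password.
SELECT u.username, u.account_status, u.profile
FROM   dba_users u
JOIN   dba_users_with_defpwd d ON d.username = u.username
WHERE  u.account_status = 'OPEN'
ORDER  BY u.username;

-- 2. Lock and expire every such account except the ones that must stay usable;
--    those get a new password in step 3 instead.
BEGIN
  FOR r IN (SELECT u.username
            FROM   dba_users u
            JOIN   dba_users_with_defpwd d ON d.username = u.username
            WHERE  u.account_status = 'OPEN'
            AND    u.username NOT IN ('SYS', 'SYSTEM', 'DBSNMP'))
  LOOP
    EXECUTE IMMEDIATE 'ALTER USER "' || r.username || '" ACCOUNT LOCK PASSWORD EXPIRE';
  END LOOP;
END;
/

-- 3. Accounts that remain in use get a new password rather than a lock
--    (placeholder values; SYS's new password is also written to the password file).
ALTER USER dbsnmp IDENTIFIED BY "<new-complex-password>";
ALTER USER sys    IDENTIFIED BY "<new-complex-password>";

-- 4. A named account for routine administration, so SYS is used only when SYSDBA is required
--    (dba_admin is a hypothetical name).
CREATE USER dba_admin IDENTIFIED BY "<new-complex-password>";
GRANT DBA TO dba_admin;

-- 5. Re-run step 1: it should now return only the accounts handled in step 3.
```

If the Enterprise Manager agent is in use, change the DBSNMP password in the agent's target configuration at the same time, otherwise monitoring logins start failing and counting against FAILED_LOGIN_ATTEMPTS.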

Data Dictionary Protection

Set O7_DICTIONARY_ACCESSIBILITY=FALSE so only SYSDBA can access dictionary base tables.

show parameter O7_DICTIONARY_ACCESSIBILITY

Data Access Control Hardening

Restrict permissions on $ORACLE_HOME/bin so that only the oracle software owner can write to it: set the owner and group, then remove group and other write access, and check the result.

chown -R oracle:dba $ORACLE_HOME/bin
chmod -R g-w,o-w $ORACLE_HOME/bin
ls -l $ORACLE_HOME/bin

Network Access Control Hardening

Limit TNS listener connections by editing sqlnet.ora:

tcp.validnode_checking=yes
tcp.invited_nodes=(localhost, 10.0.0.1, 10.0.0.2)
tcp.excluded_nodes=(10.0.0.3,10.0.0.4)

Change the default listener port (1521) to a non‑standard port in listener.ora and restart the listener.

(ADDRESS = (PROTOCOL = TCP)(HOST = 127.0.0.1)(PORT = 3521))
lsnrctl stop
lsnrctl start
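Moving the listener off port 1521 has a side effect the page does not spell out: the instance registers its services with the listener on port 1521 by default, so after the change no service is registered with the relocated listener until the instance is told where it is. The following, as an added example that is not part of the original article, sets that address from SQL and confirms it; host and port are the values from the listener.ora line above, and a SYSDBA or DBA connection is assumed.

```sql
-- Added example, not from the original article.
-- Point the instance at the relocated listener and force immediate registration.
ALTER SYSTEM SET local_listener = '(ADDRESS=(PROTOCOL=TCP)(HOST=127.0.0.1)(PORT=3521))' SCOPE=BOTH;
ALTER SYSTEM REGISTER;

-- Confirm the instance setting; then confirm the service appears in
-- "lsnrctl status" at the OS prompt.
SELECT name, value
FROM   v$parameter
WHERE  name = 'local_listener';
```

Clients and the remote listener of any Data Guard standby must of course be updated to the new port as well; the port change is an obscurity measure, and the tcp.invited_nodes list above is the control that actually limits who can connect.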

Disable Remote OS Authentication

Set remote_os_authent to FALSE to prevent remote OS‑based logins.

alter system set remote_os_authent=false scope=spfile;

Service Management Hardening

Stop or disable services and components that are not required for business operations.

Business Data Management Hardening

Periodically purge obsolete tables, views, procedures, and other objects.

Extproc and XDB Service Hardening

Remove Extproc entries from listener.ora and disable the XDB HTTP/FTP services if XML DB functionality is not needed.

Password File Management

Configure the password file usage mode to EXCLUSIVE for a single database.

alter system set remote_login_passwordfile=EXCLUSIVE scope=spfile;
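The O7_DICTIONARY_ACCESSIBILITY, REMOTE_OS_AUTHENT and REMOTE_LOGIN_PASSWORDFILE settings above are all changed with SCOPE=SPFILE, which means the running instance keeps its old value until the next restart. This added example, not from the original article, compares the running value with the SPFILE value for each of them so that a pending change is not mistaken for an applied one; it assumes the instance was started from an SPFILE and a DBA connection.

```sql
-- Added example, not from the original article.
-- Running value (v$parameter) next to the value waiting in the SPFILE (v$spparameter).
SELECT p.name,
       p.value   AS running_value,
       s.value   AS spfile_value,
       p.isdefault
FROM   v$parameter p
LEFT JOIN v$spparameter s ON s.name = p.name
WHERE  p.name IN ('o7_dictionary_accessibility',
                  'remote_os_authent',
                  'remote_login_passwordfile')
ORDER  BY p.name;

-- Target state once the instance has been restarted:
--   o7_dictionary_accessibility  FALSE
--   remote_os_authent            FALSE
--   remote_login_passwordfile    EXCLUSIVE
```

Any row where running_value and spfile_value differ is a hardening step that is configured but not yet effective; schedule the restart or the finding stays open.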

Resource Limits

Enable resource_limit and adjust profile parameters such as CPU, idle time, and connect time.

alter system set resource_limit=true scope=both;
ALTER PROFILE default LIMIT FAILED_LOGIN_ATTEMPTS 60;
ALTER PROFILE default LIMIT PASSWORD_LOCK_TIME 0.5;

Password Policy Settings

Set profile parameters to enforce password complexity, expiration, reuse limits, and lockout thresholds.

FAILED_LOGIN_ATTEMPTS=60
PASSWORD_LIFE_TIME=180
PASSWORD_REUSE_MAX=5
PASSWORD_REUSE_TIME=365
PASSWORD_VERIFY_FUNCTION=VERIFY_FUNCTION_11G   (the function is created by running $ORACLE_HOME/rdbms/admin/utlpwdmg.sql as SYS; on 12c and later the script creates ORA12C_VERIFY_FUNCTION instead)
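The resource limits and the password rules from the two sections above belong in one profile assigned to the users it should govern, rather than being altered piecemeal on DEFAULT. The following, as an added example that is not from the original article, creates such a profile with the page's password values plus idle, connect and session limits, assigns it, and reads back what is in force. Profile and user names (app_users, app_user) are hypothetical, the resource limit values are illustrative, and it assumes the verify function has already been created with @?/rdbms/admin/utlpwdmg.sql as SYS on an 11g database.

```sql
-- Added example, not from the original article.
-- Kernel limits are enforced only while RESOURCE_LIMIT = TRUE;
-- password limits are always enforced.
CREATE PROFILE app_users LIMIT
  CPU_PER_SESSION          UNLIMITED
  CONNECT_TIME             480        -- minutes
  IDLE_TIME                30         -- minutes
  SESSIONS_PER_USER        10
  FAILED_LOGIN_ATTEMPTS    60
  PASSWORD_LOCK_TIME       0.5        -- days (12 hours)
  PASSWORD_LIFE_TIME       180        -- days
  PASSWORD_GRACE_TIME      7          -- days
  PASSWORD_REUSE_MAX       5
  PASSWORD_REUSE_TIME      365        -- days
  PASSWORD_VERIFY_FUNCTION verify_function_11g;

-- Assign it (hypothetical user name). Existing passwords are not re-checked
-- until they are next changed.
ALTER USER app_user PROFILE app_users;

-- Read back the effective limits; DEFAULT appears for anything inherited
-- from the DEFAULT profile.
SELECT resource_type, resource_name, limit
FROM   dba_profiles
WHERE  profile = 'APP_USERS'
ORDER  BY resource_type, resource_name;
```

PASSWORD_REUSE_MAX and PASSWORD_REUSE_TIME only take effect together: if either is left UNLIMITED, Oracle does not enforce reuse restrictions at all, which is why both are set here.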

Audit Strategy Hardening

Enable comprehensive auditing by setting AUDIT_TRAIL='OS' and AUDIT_SYS_OPERATIONS=TRUE, and define the audit file destination. All three parameters are static, so the instance must be restarted before the new settings take effect.

alter system set audit_trail='OS' scope=spfile;
alter system set audit_sys_operations=true scope=spfile;
alter system set audit_file_dest='/u01/app/oracle/rdbms/audit' scope=spfile;
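Setting the parameters above only decides where audit records go; apart from the mandatory events and SYS activity, nothing is recorded until audit options are switched on. This added example, not from the original article, enables the options a hardening baseline usually needs (logons, account and privilege changes, and changes to the audit configuration itself) and then reads back the active configuration. It assumes traditional auditing (not pure unified auditing on 12c and later) and a DBA connection made after the restart.

```sql
-- Added example, not from the original article.
-- Successful and failed logons and logoffs for every account.
AUDIT SESSION;

-- Account, profile and privilege administration.
AUDIT ALTER USER, CREATE USER, DROP USER, ALTER PROFILE;
AUDIT GRANT ANY PRIVILEGE, GRANT ANY ROLE, ALTER SYSTEM, ALTER DATABASE;
AUDIT ROLE;          -- CREATE, ALTER and DROP ROLE

-- Changes to the audit configuration, so that disabling auditing is itself recorded.
AUDIT SYSTEM AUDIT;

-- What is switched on: statement options and system-privilege options.
SELECT audit_option, success, failure
FROM   dba_stmt_audit_opts
ORDER  BY audit_option;

SELECT privilege, success, failure
FROM   dba_priv_audit_opts
ORDER  BY privilege;

-- The destination the records are written to; at the OS the directory should be
-- owned by the oracle software owner and not readable by other users.
SELECT name, value
FROM   v$parameter
WHERE  name IN ('audit_file_dest', 'audit_trail', 'audit_sys_operations');
```

With AUDIT_TRAIL='OS' the records land in the audit_file_dest directory as .aud files rather than in SYS.AUD$, so they should be shipped to a central log store and the directory rotated; a user with write access to that directory can otherwise alter the trail.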

Log Management

Locate listener logs and configure dump destinations for trace and core files.

find $ORACLE_BASE -name listener.log
show parameter dump

Patching

Regularly apply Oracle security patches from My Oracle Support (MOS) to address known vulnerabilities.

Following these steps creates a layered defense that protects the Oracle database from unauthorized access, data leakage, and exploitation of known weaknesses.

Tags: Oracle, database security, Password Policy, Hardening, RMAN, DataGuard
Written by

ITPUB

Official ITPUB account sharing technical insights, community news, and exciting events.
