
Sunday 25 October 2020

PDB Lockdown Profiles: - Oracle 12c new feature

A PDB lockdown profile is a named set of rules that restricts which operations can be performed inside a PDB. The restrictions apply to every user of the PDB, regardless of the privileges that user holds.

For example, you can prohibit direct use of ALTER SYSTEM (or of individual ALTER SYSTEM clauses) by users of the PDB. This hardens the database to some extent.

You can restrict the following four aspects of operation:

1. Network access features. These are operations that use the network to communicate outside the PDB. For example, the PL/SQL packages UTL_TCP, UTL_HTTP, UTL_MAIL, UTL_SNMP, UTL_INADDR, and DBMS_DEBUG_JDWP perform these kinds of operations. Currently, ACLs are used to control this kind of access to a shared network identity.
2. Common user or object access. These are operations in which a local user in the PDB can proxy through common user accounts or access objects in a common schema. These kinds of operations include adding or replacing objects in a common schema, granting privileges on common objects, accessing common directory objects, granting the INHERIT PRIVILEGES role to a common user, and manipulating a user proxy to a common user.
3. Operating system access. For example, you can restrict access to the UTL_FILE or DBMS_FILE_TRANSFER PL/SQL packages.
4. Connections. For example, you can restrict common users from connecting to the PDB, or you can restrict a local user who has the SYSOPER administrative privilege from connecting to a PDB that is open in restricted mode.

 

Creating a PDB Lockdown Profile

– Log in to the CDB root and create a lockdown profile

SQL> create lockdown profile profile1_lckdwn;

Lockdown Profile created.

– Modify the lockdown profile so that flushing the shared pool is disabled

SQL> ALTER LOCKDOWN PROFILE profile1_lckdwn DISABLE STATEMENT = ('ALTER SYSTEM') CLAUSE = ('FLUSH SHARED_POOL');

Lockdown Profile altered.

Note: if a lockdown profile that is already in use is modified, the change takes effect immediately.

 

Enabling the PDB Lockdown Profile

– If the lockdown profile is enabled at the CDB level (in the CDB root), it takes effect for all PDBs under the CDB.

SQL> alter system set pdb_lockdown = profile1_lckdwn;

System altered.

– If the lockdown profile is enabled at the PDB level (by running the same ALTER SYSTEM inside the PDB), it takes effect only for that PDB.
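The whole procedure, from creating the profile through restricting the four areas listed above to enabling it for a single PDB, as an added example that is not from the original post. It assumes a PDB named PDB1 (placeholder), a profile name hr_lckdwn of my choosing, and the DISABLE FEATURE bundle names NETWORK_ACCESS, UTL_FILE and COMMON_USER_CONNECT plus the DBA_LOCKDOWN_PROFILES view, all of which are taken from the Oracle 12.2 documentation rather than from this page.

```sql
-- Added example (not from the original post). Assumes a CDB with a PDB named
-- PDB1 (placeholder) and a profile name of our choosing, hr_lckdwn.
-- Steps 1-3 run in the CDB root as a common user with the CREATE/ALTER
-- LOCKDOWN PROFILE privileges.

-- 1. Create the profile in the root.
CREATE LOCKDOWN PROFILE hr_lckdwn;

-- 2. Restrict the four areas the post lists.
-- Network access: the NETWORK_ACCESS feature bundle covers UTL_TCP, UTL_HTTP,
-- UTL_MAIL, UTL_INADDR and similar packages in one rule.
ALTER LOCKDOWN PROFILE hr_lckdwn DISABLE FEATURE = ('NETWORK_ACCESS');

-- Operating system access: block the UTL_FILE package.
ALTER LOCKDOWN PROFILE hr_lckdwn DISABLE FEATURE = ('UTL_FILE');

-- Connections: keep common users from connecting to this PDB.
ALTER LOCKDOWN PROFILE hr_lckdwn DISABLE FEATURE = ('COMMON_USER_CONNECT');

-- Statements: block only FLUSH SHARED_POOL rather than all of ALTER SYSTEM,
-- and additionally block changing the single parameter SESSIONS.
ALTER LOCKDOWN PROFILE hr_lckdwn
  DISABLE STATEMENT = ('ALTER SYSTEM') CLAUSE = ('FLUSH SHARED_POOL');
ALTER LOCKDOWN PROFILE hr_lckdwn
  DISABLE STATEMENT = ('ALTER SYSTEM') CLAUSE = ('SET') OPTION = ('SESSIONS');

-- 3. Review every rule the profile now carries before it is enforced anywhere.
SELECT rule_type, rule, clause, clause_option, status
  FROM dba_lockdown_profiles
 WHERE profile_name = 'HR_LCKDWN'
 ORDER BY rule_type, rule, clause;

-- 4. Enable it for one PDB only (PDB-level setting, as opposed to setting
--    PDB_LOCKDOWN in the root, which would cover every PDB).
ALTER SESSION SET CONTAINER = PDB1;
ALTER SYSTEM SET pdb_lockdown = 'HR_LCKDWN';

-- 5. Confirm which profile is active in the current container.
SELECT name, value FROM v$parameter WHERE name = 'pdb_lockdown';
```

The query in step 3 is the check worth making before setting PDB_LOCKDOWN: because a profile that is already in use is enforced the moment it is altered, it is safer to build and review the full rule set first and only then attach it to a PDB. Clearing the profile again is the same ALTER SYSTEM SET pdb_lockdown = '' shown below, run in the same container where it was set.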

Q) Does the restriction take effect for sessions logged in to the PDB?

Test it by attempting the operation the lockdown profile restricts, flushing the shared pool:

SQL> alter system flush shared_pool;

alter system flush shared_pool

*

ERROR at line 1:

ORA-01031: insufficient privileges

 

The session is told it lacks the privilege for that operation; other operations continue to work normally, for example:

SQL> alter system set sessions=400;

System altered.

 

Disabling the PDB Lockdown Profile

As when enabling, distinguish between the CDB-level and PDB-level setting: run the following in the CDB root to clear the profile for all PDBs, or inside a PDB to clear it for that PDB only.

SQL> alter system set pdb_lockdown='';

 

 

Deleting the PDB Lockdown Profile

SQL> DROP LOCKDOWN PROFILE profile1_lckdwn;

Lockdown Profile dropped.