Introduction:
- Data Safe User Assessment enables you to evaluate how securely database user accounts are configured and to detect users that may pose a higher security risk. This helps you understand the potential impact on your data if an account is ever compromised.
- With User Assessment, you can track and receive alerts for changes to users or their privileges, uncover weak authentication practices, and identify inadequate password or login policies, supporting stronger overall database security.
- Oracle Data Safe automatically performs user assessments for registered target databases and keeps the results in an assessment history for future reference.
- You can review and analyze assessment results both across all target databases and at an individual database level.
- User and privilege changes can be detected by comparing the most recent assessment with a baseline or a previous assessment.
In my previous Data Safe blog, we walked through the steps to register an Autonomous AI Database with Data Safe and to explore the Data Safe Security center.
In this blog, we will walk through the steps to:
- View User Assessment's overview page and the latest user assessment for your target database
- Change users and entitlements on the target database.
- Refresh the latest user assessment and compare with the initial user assessment.
Prerequisites:
- A free tier or paid Oracle Cloud account
- A provisioned Always free Autonomous AI database
- Access to a registered target database. Covered in my previous Data Safe blog
Task #1: View User Assessment Overview Page
1. From the navigation menu, select Oracle AI Database, and then Data Safe - Database Security.
2. Under Security center, click User assessment.
3. Under List scope, select your compartment. Deselect Include child compartments. The overview page shows user security statistics for all target databases in the selected compartment.
4. Review the 5 charts at the top of the overview page.
- Potential user risk chart: shows you the number and percentage of users who are potentially Critical, High, Medium, and Low risk.
- User roles chart: shows you the number of users with the DBA, DV admin, and Audit admin roles.
- Last password change chart: shows you the number of users who changed their passwords within the last 30 days, between 30 and 90 days ago, and 90 days ago or more.
- Last login chart: shows you the number of users that signed in to the target database within the last 24 hours, within the last week, within the current month, within the current year, and a year ago or more.
- Password expiry date chart: shows you the number of users whose passwords will expire within three distinct time intervals: next 30 days, 30-90 days, and beyond 90 days.
5. Review the Risk summary tab. It provides information on potential risks across all selected target databases. It shows you potential risk levels, the number of target databases, the total number of users at each risk level, the total number of privileged users at each risk level, and counts for DBAs, DV admins, and Audit admins.
6. Review the Target summary tab. It shows the following information for each target database:
- The number of critical and high risk users, DBAs, DV admins, and Audit admins.
- Date and time of the latest user assessment.
Task #2: Analyze Users in the Latest User Assessment
The latest user assessment is the one that was automatically generated by Oracle Data Safe when you registered your target database.
1. On the Target summary tab, locate your target database and click View report.
2. On the Overview tab, review the 6 charts:
- Potential user risk
- User roles
- Top 5 users by schema access
- Last password change
- Last login
- Password expiry date
3. Click the Assessment information tab to view details about the user assessment, such as its OCID, compartment name, target database name, assessment date and time, schedule, name, and the name of the baseline assessment.
4. Rename the latest user assessment "UA_<TARGET_DATABASE_NAME>_Latest".
5. Click the User details tab. It lists each user found in the assessment together with that user's potential risk level; this is where the CRITICAL users referred to in the later tasks appear.
Task #3: Change Users and Entitlements on the Target database
1. Access the SQL worksheet in Database Actions of your Autonomous AI Database.
2. As ADMIN, execute the commands below.
-- Remove an existing high-risk account. If EVIL_RICH owns schema objects, this statement
-- fails with ORA-01922; use DROP USER evil_rich CASCADE in that case.
DROP USER evil_rich;
-- Create a new account and give it the PDB_DBA role, which User Assessment treats as a DBA-level entitlement.
CREATE USER app_developer IDENTIFIED BY <user-password>;
GRANT PDB_DBA TO app_developer;
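Before refreshing the assessment in Data Safe, it is worth confirming the change from the database side, so that a later difference in the Data Safe report can be traced to a real privilege change rather than to assessment timing. The following is an added example, not code from the original post or from Oracle Data Safe; it only uses the standard DBA_USERS and DBA_ROLE_PRIVS dictionary views and assumes it is run as ADMIN in the same SQL worksheet. The first query lists every non-Oracle-maintained account with the roles granted to it directly plus the login and expiry facts that the User Assessment charts summarise; the second narrows the check to the two accounts touched in Task #3.

```sql
-- Added example (not part of the original post): database-side view of the
-- accounts that User Assessment will evaluate. ORACLE_MAINTAINED = 'N'
-- filters out Oracle's own internal schemas, which the assessment also
-- treats separately.
SELECT u.username,
       u.account_status,
       u.created,
       u.last_login,                      -- feeds the "Last login" chart
       u.expiry_date,                     -- feeds the "Password expiry date" chart
       u.profile,                         -- password/login policy comes from the profile
       LISTAGG(r.granted_role, ',')
         WITHIN GROUP (ORDER BY r.granted_role) AS direct_roles,
       CASE
         WHEN SUM(CASE WHEN r.granted_role IN ('DBA', 'PDB_DBA') THEN 1 ELSE 0 END) > 0
         THEN 'YES' ELSE 'NO'
       END AS has_dba_role                -- DBA-level role, the reason APP_DEVELOPER is CRITICAL
FROM   dba_users u
LEFT JOIN dba_role_privs r
       ON r.grantee = u.username
WHERE  u.oracle_maintained = 'N'
GROUP BY u.username, u.account_status, u.created, u.last_login,
         u.expiry_date, u.profile
ORDER BY has_dba_role DESC, u.username;

-- Narrow check for the two accounts changed in Task #3. After the DROP USER
-- and GRANT above, only APP_DEVELOPER should be returned, holding PDB_DBA.
SELECT grantee, granted_role, admin_option
FROM   dba_role_privs
WHERE  grantee IN ('APP_DEVELOPER', 'EVIL_RICH')
ORDER BY grantee, granted_role;
```

Note that this only shows roles granted directly; a role granted through another role is not listed here, whereas User Assessment evaluates effective privileges, so a user can be flagged CRITICAL without a DBA or PDB_DBA row in DBA_ROLE_PRIVS. Checking DBA_SYS_PRIVS for the same grantees closes that gap for system privileges granted directly.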
Task #4: Refresh the Latest User Assessment
At the top of the latest user assessment report page, click Refresh now to get the latest data. The Refresh now panel is displayed. Name the assessment "UA_<TARGET_DATABASE_NAME>_2", and click Refresh now. Wait for the status to read SUCCEEDED.
Notice that the EVIL_RICH user no longer appears as a CRITICAL potential risk, because the account was dropped, while the APP_DEVELOPER user created in the previous task is now a CRITICAL potential risk because it holds the PDB_DBA role.
Task #5: Compare the Latest User Assessment with the Initial User Assessment
1. With the latest user assessment displayed, under Resources on the left, click Compare assessments.
2. From the Select assessment drop-down list, select the initial assessment for your target database. As soon as you select it, the comparison operation is started.
3. Review the results. One user was added (APP_DEVELOPER) and one user was deleted (EVIL_RICH). The new-user finding is identified as a potential CRITICAL risk.
4. In the Comparison results column, click the Open details link for the new user to view more information.
Thanks for reading !!!