Oracle Real Application Security (RAS)
Versions 12.1 - 19.3

RAS Background
The Oracle Database has a large number of significant options that can be purchased to enhance security. In our opinion no one should spend dollar one purchasing any of them if they haven't secured the underlying product through proper configuration, but for those that do, these products can have very significant value. For those that don't, the worst-case scenario is that while the attackers don't go away the auditors do, and for most management types the focus is on auditors, not actual security.

RAS, like Advanced Security, Label Security, and Database Vault, has significant value. The following quote is from the Oracle docs.

"Oracle RAS provides a declarative model that enables security policies that encompass not only the business objects being protected but also the principals (users and roles) that have permissions to operate on those business objects. RAS is more secure, scalable, and cost effective than traditional Oracle VPD technology.

With Oracle RAS, application users are authenticated in the application-tier as well as in the database. Irrespective of the data access path, the data security policies are enforced in the database kernel based on the end-user native session in the database. The privileges assigned to the user control the type of operations (select, insert, update and delete) that can be performed on rows and columns of the database objects."



In general we agree with the statement; if we didn't, we'd pick it apart or we wouldn't have repeated it. Our only issue with it is how anything can be more cost effective than VPD, which is free for anyone with Enterprise Edition. In our opinion RAS and VPD are doing 2 very different things.

This page provides a single access point to RAS components as we examine them individually, over time, and try to fully understand what Oracle has created with the goal of enhanced security.

It is needless to say, but we are saying it anyway: objects with privileges granted to PUBLIC are of immediate concern. At the very least Oracle should have created a new role and granted them to the role ... but not, never, ever, to PUBLIC.
 
RAS Packages
Name Granted to PUBLIC Description
DBMS_XS_FIDM N  
DBMS_XS_MTCACHE N  
DBMS_XS_PRINCIPALS N  
DBMS_XS_SESSIONS Y  
DBMS_XS_SESSIONS_FFI N  
DBMS_XS_SIDP N  
DBMS_XS_SYSTEM N  
DBMS_XS_SYSTEM_FFI N  
XS_ACL Y  
XS_ACL_INT N  
XS_ADMIN_INT N  
XS_ADMIN_UTIL Y  
XS_ADMIN_UTIL_INT N  
XS_DATA_SECURITY Y  
XS_DATA_SECURITY_INT N  
XS_DATA_SECURITY_UTIL N  
XS_DATA_SECURITY_UTIL_INT N  
XS_DIAG Y  
XS_DIAG_INT N  
XS_MTCACHE_INT N  
XS_NAMESPACE Y  
XS_NAMESPACE_INT N  
XS_PRINCIPAL Y  
XS_PRINCIPAL_INT N  
XS_ROLESET Y  
XS_ROLESET_INT N  
XS_SECURITY_CLASS Y  
XS_SECURITY_CLASS_INT N  
 
RAS Tables
Name Granted to PUBLIC Description
XS$ACE N  
XS$ACE_PRIV N  
XS$ACL N  
XS$ACL_PARAM N  
XS$AGGR_PRIV N  
XS$ATTR_SEC N  
XS$CACHE_ACTIONS N  
XS$CACHE_DELETE N  
XS$DSEC N  
XS$INSTSET_ACL N  
XS$INSTSET_INH N  
XS$INSTSET_INH_KEY N  
XS$INSTSET_LIST N  
XS$INSTSET_RULE N  
XS$NSTMPL N  
XS$NSTMPL_ATTR N  
XS$OBJ N  
XS$OLAP_POLICY N  
XS$PARAMETERS N  
XS$POLICY_PARAM N  
XS$PRIN N  
XS$PRIV N  
XS$PROXY_ROLE N  
XS$ROLESET N  
XS$ROLESET_ROLES N  
XS$ROLE_GRANT N  
XS$SECCLS N  
XS$SECCLS_H N  
XS$TENANT N  
XS$VALIDATION_TABLE N  
XS$VERIFIERS N  
XS$WORKSPACE N  
XSDB$SCHEMA_ACL N  
 
RAS Types
Name Granted to PUBLIC Description
DBMS_XS_NSATTR Y  
KU$_XSACEPRIV_LIST_T Y  
KU$_XSACEPRIV_T Y  
KU$_XSACE_LIST_T Y  
KU$_XSACE_T Y  
KU$_XSACLPARAM_LIST_T Y  
KU$_XSACLPARAM_T Y  
KU$_XSACL_T Y  
KU$_XSAGGPRIV_LIST_T Y  
KU$_XSAGGPRIV_T Y  
KU$_XSATTRSEC_LIST_T Y  
KU$_XSGRANT_T Y  
KU$_XSINSTACL_LIST_T Y  
KU$_XSINSTINHKEY_LIST_T Y  
KU$_XSINSTINH_LIST_T Y  
KU$_XSINSTSET_LIST_T Y  
KU$_XSINSTSET_T Y  
KU$_XSINST_ACL_T Y  
KU$_XSINST_INHKEY_T Y  
KU$_XSINST_INH_T Y  
KU$_XSINST_RULE_T Y  
KU$_XSNSPACE_T Y  
KU$_XSNSTMPL_ATTR_LIST_T Y  
KU$_XSNSTMPL_ATTR_T Y  
KU$_XSOBJ_LIST_T Y  
KU$_XSOBJ_T Y  
KU$_XSOLAP_POLICY_LIST_T Y  
KU$_XSOLAP_POLICY_T Y  
KU$_XSPOLICY_PARAM_T Y  
KU$_XSPOLICY_T Y  
KU$_XSPRIN_T Y  
KU$_XSPRIV_LIST_T Y  
KU$_XSPRIV_T Y  
KU$_XSRGRANT_LIST_T Y  
KU$_XSROLESET_T Y  
KU$_XSROLE_GRANT_T Y  
KU$_XSROLE_T Y  
KU$_XSSCLASS_T Y  
KU$_XSSECCLSH_LIST_T Y  
KU$_XSSECCLSH_T Y  
KU$_XSUSER_T Y  
XS$ACE_LIST N  
XS$ACE_TYPE N  
XS$COLUMN_CONSTRAINT_LIST N  
XS$COLUMN_CONSTRAINT_TYPE N  
XS$KEY_LIST N  
XS$KEY_TYPE N  
XS$LIST N  
XS$NAME_LIST N  
XS$NS_ATTRIBUTE N  
XS$NS_ATTRIBUTE_LIST N  
XS$NULL N  
XS$PRIVILEGE N  
XS$PRIVILEGE_LIST N  
XS$REALM_CONSTRAINT_LIST N  
XS$REALM_CONSTRAINT_TYPE N  
XS$ROLE_GRANT_LIST N  
XS$ROLE_GRANT_TYPE N  
 
RAS Views
Name Granted to PUBLIC Description
DBA_XS_ACES N  
DBA_XS_ACLS N  
DBA_XS_ACL_PARAMETERS N  
DBA_XS_ACTIVE_SESSIONS N  
DBA_XS_APPLIED_POLICIES N  
DBA_XS_AUDIT_POLICY_OPTIONS N  
DBA_XS_AUDIT_TRAIL N  
DBA_XS_COLUMN_CONSTRAINTS N  
DBA_XS_DYNAMIC_ROLES N  
DBA_XS_ENABLED_AUDIT_POLICIES N  
DBA_XS_EXTERNAL_PRINCIPALS N  
DBA_XS_IMPLIED_PRIVILEGES N  
DBA_XS_INHERITED_REALMS N  
DBA_XS_MODIFIED_POLICIES N  
DBA_XS_NS_TEMPLATES N  
DBA_XS_NS_TEMPLATE_ATTRIBUTES N  
DBA_XS_OBJECTS N  
DBA_XS_POLICIES N  
DBA_XS_PRINCIPALS N  
DBA_XS_PRIVILEGES N  
DBA_XS_PRIVILEGE_GRANTS N  
DBA_XS_PROXY_ROLES N  
DBA_XS_REALM_CONSTRAINTS N  
DBA_XS_ROLES N  
DBA_XS_ROLE_GRANTS N  
DBA_XS_SECURITY_CLASSES N  
DBA_XS_SECURITY_CLASS_DEP N  
DBA_XS_SESSIONS N  
DBA_XS_SESSION_NS_ATTRIBUTES N  
DBA_XS_SESSION_ROLES N  
DBA_XS_USERS N  
GV_$XS_SESSIONS N  
GV_$XS_SESSION_NS_ATTRIBUTES Y  
GV_$XS_SESSION_ROLES Y  
KU$_XSACEPRIV_VIEW Y  
KU$_XSACE_VIEW Y  
KU$_XSACLPARAM_VIEW Y  
KU$_XSACL_VIEW Y  
KU$_XSAGGPRIV_VIEW Y  
KU$_XSATTRSEC_VIEW Y  
KU$_XSGRANT_VIEW Y  
KU$_XSINSTSET_VIEW Y  
KU$_XSINST_ACL_VIEW Y  
KU$_XSINST_INHKEY_VIEW Y  
KU$_XSINST_INH_VIEW Y  
KU$_XSINST_RULE_VIEW Y  
KU$_XSNSPACE_VIEW Y  
KU$_XSNSTMPL_ATTR_VIEW Y  
KU$_XSOBJ_VIEW Y  
KU$_XSOLAP_POLICY_VIEW Y  
KU$_XSPOLICY_PARAM_VIEW Y  
KU$_XSPOLICY_VIEW Y  
KU$_XSPRIN_VIEW Y  
KU$_XSPRIV_VIEW Y  
KU$_XSRLS_POLICY_VIEW Y  
KU$_XSROLESET_VIEW Y  
KU$_XSROLE_GRANT_VIEW Y  
KU$_XSROLE_VIEW Y  
KU$_XSSCLASS_VIEW Y  
KU$_XSSECCLSH_VIEW Y  
KU$_XSUSER_VIEW Y  
VW_X$AUD_XS_ACTIONS N  
 
