| Oracle Startup (Initialization) Parameters Versions All |
|---|
| Security Advisory | |||||||
| When an Oracle Database is started and opened there is a three step process. STARTUP NOMOUNT reads the spfile (or iniSID.ora) file.
ALTER DATABASE MOUNT reads the control file(s) identified during the first step. ALTER DATABASE OPEN, opens the data files in read-write or read-only mode. The startup parameters, in addition to providing a pointer to the control files and defining memory and other settings has a number of parameters that can have a profound impact on database security. This page is a collection point for information about as many of them as we can identify. |
|||||||
| Recommended Security Rules | |||||||
NEVER
WITH GREAT CARE AFTER READING THE DOCS and FULLY APPRECIATING THE RISKS
|
|||||||
| Data Dictionary Objects |
|
||||||
| Security Related Parameters | |||||||
| ADG_ACCOUNT_INFO_TRACKING Default: LOCAL |
Controls login attempts of users on an Active Data Guard Standby by extending control of user account security information. Range of values: {LOCAL | GLOBAL}How values impact security:LOCAL Enforces default behavior by maintaining a local copy of user account information in the Data Guard physical standby's memory. Login failures are only tracked locally on a per database basis, and login is denied when the failure maximum (set in the user's PROFILE) is reached. GLOBAL Increases security by maintaining a single global copy of user account information across all Data Guard databases, both primary and standby. Login failures across all databases in the Data Guard configuration count towards the maximum count and logins anywhere will be denied if the count is reached. This setting improves security against login attacks across a production database and all Active Data Guard standby databases. When running Active Data Guard we are not aware of any reason not to set this parameter to GLOBAL. |
||||||
col value format a7 |
|||||||
| CELL_OFFLOAD_DECRYPTION Default: TRUE |
Enable SQL processing offload of encrypted data to cells Range of values: {TRUE | FALSE} |
||||||
cell_offload_decryption=TRUE |
|||||||
| DBFIPS_140 Default: FALSE |
Enables TDE and DBMS_CRYPTO PL/SQL package program units to run in a mode compliant to the Federal Information Processing Standard. Range of Values: {FALSE | TRUE} |
||||||
DBFIPS_140=TRUE |
|||||||
| DBNEST_ENABLE
(new 20c) Default: NONE |
DbNest provides operating system resource isolation and management., file system isolation, and secure computing for PDBs. Range of values: {NONE | CDB_RESOURCE_PDB_ALL} |
||||||
dbnest_enable=cdb_resource_pdb_all sid='*' |
|||||||
| DBNEST_PDB_FS_CONF
(new 20c) Default: <no defined value> |
Specifies the DbNest file system configuration file for a PDB. Syntax: {DBNEST_PDB_FS_CONF= 'pathname' |
||||||
TBD |
|||||||
| DB_BLOCK_CHECKING Default MEDIUM |
Controls whether Oracle performs block checking for data blocks. When this parameter is set to TRUE, Oracle performs block checking for all data blocks.
When it is set to false, Oracle does not perform block checking for blocks in the user tablespaces. However, block checking for the SYSTEM tablespace is always turned on. Syntax: DB_BLOCK_CHECKING = {FALSE | OFF | LOW | MEDIUM | TRUE | FULL} |
||||||
db_block_checking=FULL |
|||||||
| DB_BLOCK_CHECKSUM Default: TYPICAL |
Determines whether DBWn and the direct loader will calculate a checksum (a number calculated from all the bytes stored in the block) and store it in the cache header of every data block when writing it to disk.
Checksums are verified when a block is read-only if this parameter is TRUE and the last write of the block stored a checksum. In addition, Oracle gives every log block a checksum before writing it to the current log. Syntax: DB_BLOCK_CHECKSUM = {OFF | FALSE | TYPICAL | TRUE | FULL} |
||||||
db_block_checksum=TRUE |
|||||||
| DB_LOST_WRITE_PROTECT Default: NONE |
Enables or disables lost write detection. A data block lost write occurs when an I/O subsystem acknowledges the completion of the block write, while in fact the write did not occur in the persistent storage. When the parameter is set to TYPICAL on the primary database, the instance logs buffer cache reads for read-write tablespaces in the redo log, which is necessary for detection of lost writes. When the parameter is set to FULL on the primary database, the instance logs reads for read-only tablespaces as well as read-write tablespaces. When the parameter is set to TYPICAL or FULL on the standby database or on the primary database during media recovery, the instance performs lost write detection. When the parameter is set to NONE on either the primary database or the standby database, no lost write detection functionality is enabled. Range of values: {NONE | TYPICAL | FULL} |
||||||
db_lost_write_protect=FULL |
|||||||
| DB_SECUREFILE Default: PREFERRED |
Specifies whether to treat LOB files as SecureFiles. Requires the tablespace is created with SEGMENT SPACE MANAGEMENT = AUTO Range of values: {NEVER | PERMITTED | PREFERRED | ALWAYS | IGNORE} |
||||||
db_securefile=ALWAYS |
|||||||
| DB_ULTRA_SAFE Default: OFF |
Sets the default values for other parameters that control protection levels. Range of values: {OFF | DATA_ONLY | DATA_AND_INDEX}How values impact security:OFF If DB_BLOCK_CHECKING, DB_CHECKSUM, or DB_LOST_WRITE_PROTECT are set, no changes are made. DATA_ONLY DB_BLOCK_CHECKING is set to MEDIUM DB_BLOCK_CHECKSUM is set to TYPICAL DB_LOST_WRITE_PROTECT is set to FULL DATA_AND_INDEX DB_BLOCK_CHECKING is set to FULL DB_BLOCK_CHECKSUM is set to TYPICAL DB_LOST_WRITE_PROTECT is set to FULL |
||||||
db_ultra_safe=OFF |
|||||||
| DIAGNOSTICS_CONTROL
(new 20c) Default: IGNORE |
Enables control and monitoring of users that can perform potentially unsafe database diagnostic operations. Range of values: {ERROR | WARNING | IGNORE} |
||||||
diagnostics_control=TRUE |
|||||||
| ENCRYPT_NEW_TABLESPACES Default: CLOUD_ONLY |
Specifies whether to encrypt newly created user tablespaces Range of values: ENCRYPT_NEW_TABLESPACES = {CLOUD_ONLY | ALWAYS | DDL} |
||||||
encrypt_new_tablespaces=DDL |
|||||||
| EXTERNAL_KEYSTORE_CREDENTIAL_LOCATION Default: <no_value> |
Specifies the location of the secure external keystore | ||||||
external_keystore_credential_location=/u01/app/oracle/admin/ORCL/db_wallet/ |
|||||||
|
LOB_SIGNATURE_ENABLE Default: FALSE |
New 19c parameter You can secure your LOBs by enabling the LOB locator signature feature. A LOB locator is a pointer to the location of a large object (LOB) value. If the LOB_SIGNATURE_ENABLED initialization parameter is set to true, then when you create a LOB, Oracle Database automatically assigns a signature to the LOB locator. When Oracle Database receives a request from a client, it uses the signature to determine if any tampering with the LOB locator has occurred. When this parameter is set to true, you also have the option of further securing your LOBs by encrypting your LOB locator signature keys. Range of values: {FALSE | TRUE} |
||||||
max_idle_time=30 |
|||||||
| MAX_IDLE_TIME Default: 0 |
Specifies the maximum number of minutes that a session can be idle after which the session is automatically terminated Range of values: {0 to the maximum integer. The value of 0 indicates that there is no limit} |
||||||
max_idle_time=30 |
|||||||
| ONE_STEP_PLUGIN_FOR_PDB_WITH_TDE Default: FALSE |
If a PDB has Transparent Data Encryption-encrypted (TDEencrypted) tables or tablespaces, you can enable ONE_STEP_PLUGIN_FOR_PDB_WITH_TDE on the target CDB to simplify the move of TDE keys in a single step PDB move operation Range of values: {FALSE | TRUE} |
||||||
one_step_plugin_for_pdb_with_tde=TRUE |
|||||||
| OPTIMIZER_SECURE_VIEW_MERGING Default: TRUE |
Enables the optimizer to use view merging to improve query performance without performing the checks that would otherwise be performed to ensure that view merging does not violate any security intentions of a view's creator. Range of values: {TRUE | FALSE} |
||||||
optimizer_secure_view_merging=TRUE |
|||||||
| OS_ROLES Default: FALSE |
Determines whether Oracle or the operating system identifies and manages the roles of each username. | ||||||
os_rules=FALSE |
|||||||
| REMOTE_LOGIN_PASSWORDFILE Default: EXCLUSIVE |
Specifies whether Oracle checks for a password file. Range of values: {SHARED | EXCLUSIVE | NONE} |
||||||
remote_login_passwordfile='EXCLUSIVE' |
|||||||
| REMOTE_OS_ROLES Default:FALSE |
Specifies whether operating system roles are allowed for remote clients. The default value, false, causes Oracle to identify and manage roles for remote clients. | ||||||
remote_os_rules=FALSE |
|||||||
| SEC_CASE_SENSITIVE_LOGON Default: TRUE |
Case sensitive password enabled
for logon Range of values {TRUE or FALSE} |
||||||
sec_case_sensitive_logon=TRUE |
|||||||
| SEC_MAX_FAILED_LOGIN_ATTEMPTS Default: 10 |
Specifies the number of authentication attempts that can be made by a client on a connection to the server process. After the specified number of failure attempts, the connection will be automatically dropped by the server process. | ||||||
sec_max_failed_login_attempts=3 |
|||||||
| SEC_PROTOCOL_ERROR_FURTHER_ACTION Default: CONTINUE |
Specifies the further execution of a server process when receiving bad packets from a possibly malicious client. Range of values: {CONTINUE | DELAY, <integer> | DROP, <integer>} |
||||||
ALTER SYSTEM SET sec_protocol_error_further_action=DELAY,3 SID='*' SCOPE=SPFILE; |
|||||||
| SEC_PROTOCOL_ERROR_TRACE_ACTION Default: TRACE |
Specifies the action that the database should take when bad packets are received from a possibly malicious client Range of values: {NONE | TRACE | LOG | ALERT} |
||||||
sec_protocol_eror_trace_action=ALERT |
|||||||
| SEC_RETURN_SERVER_RELEASE_BANNER Default: FALSE |
Specifies whether or not the server returns complete database software information to clients. | ||||||
sec_return_server_release_banner=FALSE |
|||||||
| SQL92_SECURITY Default: TRUE |
The SQL standard specifies that security administrators should be able to require that users have SELECT privilege on a table when executing an UPDATE or DELETE statement that references
table column values in a WHERE or SET clause. SQL92_SECURITY specifies whether users must have been granted the SELECT object privilege in order to execute such UPDATE or DELETE statements. Range of values: {FALSE | TRUE} |
||||||
sql92_security=TRUE |
|||||||
| SSL_WALLET No Default |
Undocumented | ||||||
| TBD | |||||||
|
TABLESPACE_ENCRYPTION_DEFAULT_ ALGORITHM (new 20c) Default: AES128 |
Enables control and monitoring of users that can perform potentially unsafe database diagnostic operations.
Up until 20c this was an undocumented underscore parameter. Range of values: {AES128 | AES192 | AES256 | ARIA128 |
ARIA192 | ARIA256 | GOST256 | SEED128 | 3DES168} |
||||||
tablespace_encryption_default_algorithm='AES256' |
|||||||
| TDE_CONFIGURATION Default: None |
Specified on a per-PDB basis for Transparent Data Encryption (TDE). Before Oracle Database 18c, each PDB stored their separate encryption keys in the CDB’s keystore (united mode).
Starting with Oracle Database 18c, a PDB can optionally store its encryption keys in a separate keystore (isolation mode), thus allowing protection by a separate keystore password.
The WALLET_ROOT initialization parameter must be set for TDE_CONFIGURATION to take effect. Range of values: {FILE | OKV | HSM | FILE|OKV | FILE|HSM | OKV|FILE | HSM|FILE} |
||||||
tde_configuration=OKV |
|||||||
| WALLET_ROOT Default: No Value |
Specifies the path to the root of a directory tree containing a subdirectory for each pluggable database (PDB),
under which a directory structure similar to the Oracle ASM wallet storage directory structure is used to store the various wallets associated with the PDB. Range of values: wallet-root-directory-path |
||||||
wallet_root=wallet-root/tde_seps/cwallet.sso |
|||||||
| Security Related Undocumented "Underscore" Parameters | |||||||
| It is critically important, before you read any entries in this section, that you understand that you are not authorized to alter the value of any underscore parameter without first opening a Service Request (SR) at
https://my.oracle.support and getting Oracle's agreement with the proposed change. We will be testing, as noted below, some of the default values because we do not find the defaults to be the best choice from the standpoint of security. If, and when, we recommend making a change do NOT do as we advise without first opening an SR and obtaining permission from Oracle Support. |
|||||||
| _assert_encrypted_tablespace_blocks Default: TRUE |
The default value, TRUE, asserts that encrypted tablespace blocks must be encrypted. Range of values: {FALSE | TRUE}Do not alter the default value. |
||||||
col name format a40 |
|||||||
| _backup_encrypt_opt_mode Default: 4294967294 |
Specifies the encryption block optimization mode. The various options are not documented so do not alter this default value. A list of valid values is not known. |
||||||
col name format a40 |
|||||||
| _db_cache_silicon_secured_memory Default: TRUE |
Enables silicon secured memory. Range of values: {FALSE | TRUE}Not using silicon secured memory is a security violation. The default value of this parameter should never be altered. |
||||||
col name format a40 |
|||||||
| _db_disable_temp_encryption Default: FALSE |
Disable Temp Encryption for Spills. Range of values: {FALSE | TRUE}Not encrypting TEMP is a security violation. The default value of this parameter should never be altered. |
||||||
col name format a40 |
|||||||
| _db_flash_cache_encryption Default: FALSE |
Set to TRUE to enable flash cache encryption. Range of values: {FALSE | TRUE}We have not yet had time to test this on an Exadata but other than the setting causing a very substantial performance issue we do not understand why anyone would want their data in the flash cache to not be encrypted.
We will check this out at the very first opportunity and update this entry as soon as we can. |
||||||
col name format a40 |
|||||||
| _db_xmem_cache_encryption Default: TRUE |
When set to TRUE enables XMEM cache encryption. Range of values: {FALSE | TRUE}Not encrypting the XMEM cache is a security violation so do not alter the default value. |
||||||
col name format a40 |
|||||||
| _enable_secure_sub_role Default: FALSE |
Disallow enabling of secure sub roles. Range of values: {FALSE | TRUE}We are not convinced that this is the best choice for a secure environment and will be testing this parameter in the near future and reporting back our results on this page. |
||||||
col name format a40 |
|||||||
| _grant_secure_role Default: FALSE |
Disallows granting of a Secure Role to another Secure Role or Non-Secure Role. Range of values: {FALSE | TRUE}Granting Secure roles to Non-Secure Roles is a security violation so do not alter the default value. |
||||||
col name format a40 |
|||||||
| _log_silicon_secured_memory Default: TRUE |
Enables silicon secured memory (log). Range of values: {FALSE | TRUE}Disabling silicon secured memory is a security violation so do not alter the default value. |
||||||
col name format a40 |
|||||||
| _default_encrypt_alg Default: 0 |
Use the default encryption algorithm. Range of values: unknownWe have insufficient information as to the valid values and their meaning to make any recommendation so do not alter the value of this parameter. |
||||||
col name format a40 |
|||||||
| _disable_data_block_check_after_decrypt Default: FALSE |
If TRUE, disable data block check after
decryption. Range of values: {FALSE | TRUE}Disabling data block checking after decryption might provide a performance enhancement but it would be one that potentially compromises data integrity. Do not alter the value of this parameter. |
||||||
col name format a40 |
|||||||
| _kcfis_disable_platform_decryption Default: FALSE |
Don't use platform-specific decryption on the storage cell. Range of values: {FALSE | TRUE}Oracle really needs to try to not make default values a double-negative which is the enemy of clarity.
If set to TRUE this parameter it is instructing the database to not use platform-specific decryption which might only make sense if the platform has an unpatchable bug. We recommend not altering the value of this parameter. |
||||||
col name format a40 |
|||||||
| _kdlxp_lobencrypt Default: FALSE |
When set to TRUE enables LOB encryption only on SecureFiles. Range of values: {FALSE | TRUE}We cannot imagine why anyone would want to disable LOB encryption anywhere at any time so this parameter's default value should not be altered. |
||||||
col name format a40 |
|||||||
| _override_datafile_encrypt_check Default: FALSE |
If TRUE, override datafile tablespace encryption cross check. Range of values: {FALSE | TRUE}Overriding the cross check is a security violation. Do not alter the value of this parameter. |
||||||
col name format a40 |
|||||||
| _stats_encryption_enabled Default: FALSE |
Enable statistics encryption on sensitive data. Range of values: {FALSE | TRUE}The default set by Oracle doesn't make any sense to us unless the encryption creates an unexpectedly large performance hit. This will be tested in the near future and we will post our recommendation here once we have verified the impact, if any. |
||||||
col name format a40 |
|||||||
| _tablespace_encryption_default_algorithm Default: AES128 Note: This becomes a fully supported parameter, without a preceding underscore in version 20c. |
Default tablespace encryption block cipher mode. Range of values: not knownAt first sight our thought is that AES256 would be more secure. We plan to test a variety of algorithms and see if we can provide guidance that lead to an improved security level without having a negative impact on performance. |
||||||
col name format a40 |
|||||||
| _use_hybrid_encryption_mode Default: FALSE |
Enable platform optimized encryption in hybrid mode. Range of values: {FALSE | TRUE}There is no documentation on what "hybrid mode" is so we recommend not altering this parameter. |
||||||
col name format a40 |
|||||||
| _use_platform_encryption_lib Default: TRUE |
Enable platform optimized encryption implementation. Range of values: {FALSE | TRUE}Overriding this setting is a security violation. Do not alter the value of this parameter. |
||||||
col name format a40 |
|||||||
| _verify_encrypted_tablespace_keys Default: TRUE |
If TRUE, verify encryption key signature for data files. Range of values: {FALSE | TRUE}Not verifying the encryption key is a security violation. Do not alter the value of this parameter. |
||||||
col name format a40 |
|||||||
| Related Topics |
| ALTER SYSTEM |