12c Enhanced Security * Granting RESOURCE role no longer grants UNLIMITED TABLESPACE privilege behind the scenes. http://docs.oracle.com/database/121/DBSEG/release_changes.htm#GUID-68A4EC3E-4167-4534-B04B-ADD68F4EDE6A * Revoking UNLIMITED TABLESPACE no longer revokes already granted unlimited tablespace quota from the user, as in 11gR2. * CONNECT role contains SET CONTAINER privilege (if grantee is a common user), in addition to CREATE SESSION privilege. (So it's no longer functionally equivalent to CREATE SESSION privilege.) * SELECT ANY DICTIONARY no longer allows select from sys.user$ and a few other tables. (sys.link$ was disallowed in 10.1). http://docs.oracle.com/database/121/DBSEG/release_changes.htm#GUID-A7F73C25-2D69-4871-A8A6-659598AF80B4 * (CREATE|ALTER) USER IDENTIFIED BY VALUES should be followed by the value of PASSWORD, semicolon, the value of SPARE4 of sys.user$ in 12cR1, but SPARE4 alone in 12cR2. But the VALUES clause for CREATE DATABASE LINK no longer works and throws ORA2153. (In 10gR2 and 11g, the syntax is allowed but when you use the link, you get ORA-600 [kzdlk_zt2 err]. See Note:456320.1.) See also ./PasswordCaseSensitivity.txt * In 12.1.0.2 and up, sql_text in v$sqlstats no longer shows clear text password for 'ALTER USER ... IDENTIFIED BY ...' as in 11.2.0.2 through 12.1.0.1. (See my SR 3-7691236071 "Security enhancement request: V$sqlstats shows password for alter user or grant identified by"). Instead, the text is trimmed to the first 20 characters as do all other similar SQLs including GRANT (as documented in Bug 208503). Note: If you have applied security patches to your pre-12.1.0.2 database, this hole may have been plugged. * In 11g, a database created by DBCA has tens of system privilges audited by default as shown in DBA_PRIV_AUDIT_OPTS and DBA_STMT_AUDIT_OPTS. In 12c, unified auditing is enabled by default (in mixed mode auditing if you didn't bother to change it). According to view AUDIT_UNIFIED_ENABLED_POLICIES, policy ORA_SECURECONFIG is enabled, and in 12.1.0.2, ORA_LOGON_FAILURES as well. According to view AUDIT_UNIFIED_POLICIES, these policies contain "audit options" (system privilges etc.). * Network ACLs, available in 11g, has about 10 procedures deprecated in 12c, replaced by other procedures. http://docs.oracle.com/database/121/DBSEG/release_changes.htm#BABCIGGG The fluidity of this technology may cause more users to abandon ACL and revert back to the pre-11g behavior. See also ./NetworkACL.txt * Even in 12.2.0.1, having a password_verification_function for the profile a user belongs to will reveal clear text password if the user changes the password while the DBA enables SQL trace with bind variable for the user's session: DBA's session: create profile testprofile limit password_verify_function verify_function; <-- do this as needed alter user yong profile testprofile; exec dbms_system.set_ev(,,10046,4,'') <-- get the user session's sid,serial# first (or equivalent; can be done in the user's logon trigger: alter session set events '10046...') User's session: SQL> password Changing password for Old password: New password: Retype new password: Password changed and the trace file PARSING IN CURSOR #140472439085632 len=279 dep=1 uid=0 oct=47 lid=0 tim=3113076692769 hv=5415702 ad='f3b4a248' sqlid='84dw9s40558sq' declare n boolean; x number; begin n:=sys."VERIFY_FUNCTION"(:1, :2,:3); if n = TRUE then x:=1; else x:=0; end if; :4:=x; end; END OF STMT ... Bind#1 oacdty=01 mxl=32(19) mxlc=00 mal=00 scl=00 pre=00 oacflg=10 fl2=0001 frm=01 csi=873 siz=32 off=0 kxsbbbfp=7fc24f7c8490 bln=32 avl=19 flg=09 value="secretpassword1234!" Without password_verification_function in the user's profile, the password value would be a single *. (In earlier versions, it would be the password hash value.) * 12cR2 account profile has INACTIVE_ACCOUNT_TIME, which is very nice. * 12cR1 new features official list: http://docs.oracle.com/database/121/DBSEG/release_changes.htm 12cR2 new features official list: http://docs.oracle.com/database/122/DBSEG/release-changes.htm SEE ALSO: ./Security10gEnhanced.txt