View
231
Download
4
Category
Tags:
Preview:
Citation preview
Oracle Security
Radoslav Rusinov
ING Wholesale Banking
2 of 58
Agenda
• The need of Security• Information Security• Securing Databases• Securing Oracle• Recommended Readings• Conclusion
3 of 58
Why is security necessary?
• Security threats have grown monthly
• Unauthorized access to servers, databases and applications
• Worms / Viruses
• Software vulnerabilities
• Theft / Hacker intrusions
• Operator or user errors
• 70% of intrusions are internal
4 of 58
Security Breaches – Last Cases
• 25.02.2005 – Bank of America Corp. loses credit card info of 1.2M federal workers
• 08.04.2005 – Stolen computers from San Jose Medical Group contain data on 185,000 patients
• 12.04.2005 – Data broker LexisNexis Group said that hackers have stolen data of 310,000 people
• 14.04.2005 – British HSBC Bank PLC warns for stolen data of 180,000 credit card customers
• 15.04.2005 – Bulgarian National Cardiologic Hospital informs of an intrusion attack
5 of 58
Intrusions – Business Impact
• Damage to image and reputation• Loss of Customer confidence• Loss of Partner confidence• Loss of Business• Impact in the revenue• Benefits competition
6 of 58
Agenda
• The need of Security• Information Security• Securing Databases• Securing Oracle• Recommended Readings• Conclusion
7 of 58
Information Security
• Every organization should secure its information• They should use security management strategy
8 of 58
Information Security - Regulatory
• Health Insurance Portability and Accountability Act (HIPAA)
• Sarbanes-Oxley Act• California SB 1386• GLB – Gramm-Leach-Biley Act• MasterCard Site Data Protection (SDP)• Payment Card Industry (PCI) Data Security
Standard• Visa USA Cardholder Information Security
Program (CISP)• ISO IEC 17799/BS7799 Standard
9 of 58
Information Security - Certifying
• Certification Organizations - BSI, DNV, KPMG, Certification Europe, KEMA, JACO IS
• Vulnerability Assessment/Penetration Testing by Information Security Audit Companies – KPMG, PricewaterhouseCoopers
• SANS Best practices in Information Security
URL: http://www.sans.org/rr/whitepapers/bestprac• Information Security News – URL:
www.computerworld.com/securitytopics/security
10 of 58
Information Security - Own Procedures
• Organizations can follow their own Information Security Standards
• The Database Security is important part of these standards
11 of 58
Agenda
• The need of Security• Information Security• Securing Databases• Securing Oracle• Recommended Readings• Conclusion
12 of 58
Securing Databases - Layers
13 of 58
Securing Databases - Common Steps
• Write a database security procedure• Record the current configuration• Test and implement the procedure• Record the OS configuration• Record the database configuration• Record the security configuration• Monitor the environment• Regular checks • Update your security plan
14 of 58
Agenda
• The need of Security• Information Security• Securing Databases• Securing Oracle• Recommended
Readings• Conclusion
• OS Security• Oracle Authentication• Access to the Database• Securing PUBLIC Role• Initialization Parameters• Application Security• Auditing• Securing the Network• Availability• Regular Checks
15 of 58
OS Security – Owner of Oracle software - 1/2
• Do not name the owner of Oracle software “oracle”
• This is considered as “security through obscurity”
• Limit access to the account that owns Oracle software using mechanisms like “sudo”
• Create different users for every part of Oracle software. Examples:• Oralsnr – for the listener• Oradb – for the database
16 of 58
OS Security – Owner of Oracle software - 2/2
• The user used to install Oracle should be a local one
• Prohibit sys administrators to access files owned by “oracle”
• “oracle” account should not be a member of the admin group
• Check members of the ORA_DBA / OSDBA group
• Only database administrators should be assigned to the ORA_DBA / OSDBA group
17 of 58
OS Security – File Permissions - 1/2
• Verify permissions for files under the ORACLE_BASE and ORACLE_HOME directories
• Disable the otrace utility – Metalink note: 192541.995
• Oracle processes should be run through the Oracle software account (or ORA_DBA group)
• On Windows, Oracle services are using “Local System Account” – it should be changed
• On Windows, restrict access to directory C:\Program Files\Oracle
18 of 58
OS Security – File Permissions - 2/2
• Remove or restrict permissions on all saved script files after creating the database
• On Windows- Restrict access to Windows Registry- Give Full Control over registry key HKEY_LOCAL_MACHINE\Software\Oracle to the account that will run Oracle Services - Use regedt32.exe for changing Registry Security Policy
• If database backups are written to the system disks, verify the permissions for this directory
19 of 58
OS Security – Usernames and Passwords
• On Unix
- restrict the “ps” command at the OS level
- check the cron jobs• Check the server for scripts that contains
usernames and passwords• Check all environment variables• Check client machines for application
configuration files• Use secure IP communications
20 of 58
OS Security – Auditing
• Start OS level auditing for unauthorized use of Oracle. For particular directories – tripwire
• For monitoring and analyzing of log files – swatch, logcheck
• For checking of integrity of Oracle binary and configuration files – tripwire, samhain, AIDE
• Oracle provides a tool for monitoring OracleAS – iHAT
• Save audit log files on secured remote servers • Check processes regularly
21 of 58
Agenda
• The need of Security• Information Security• Securing Databases• Securing Oracle• Recommended
Readings• Conclusion
• OS Security• Oracle Authentication• Access to the Database• Securing PUBLIC Role• Initialization Parameters• Application Security• Auditing• Securing the Network• Availability• Regular Checks
22 of 58
Oracle Authentication – Password Policy
• All employees that are using the database must have own accounts
• Use Oracle password management features:alter profile defaultlimit failed_login_attempts 3password_life_time 60password_reuse_max 20password_lock_time 1;
• User passwords should be changed on a regular basis
• Create different profiles for different types of users
23 of 58
Oracle Authentication – Weak Passwords
• Enable password verification function• Check for default accounts that are installed as
part of Oracle installation • Check application accounts for
username/password matching• Check for weak passwords • Check for roles with default passwords
24 of 58
Agenda
• The need of Security• Information Security• Securing Databases• Securing Oracle• Recommended
Readings• Conclusion
• OS Security• Oracle Authentication• Access to the Database• Securing PUBLIC Role• Initialization Parameters• Application Security• Auditing• Securing the Network• Availability• Regular Checks
25 of 58
Access to the Database - 1/3
• Limit access to roles that consists of _CATALOG_• Use manually created roles• Roles that are powerful should be password
protected• Use password protected role when DML is used• Check for users or roles with granted privileges
consists of “all privileges”, “any”, “with admin”, “with grant”
• Review the system privileges granted to users
26 of 58
Access to the Database - 2/3
• Check for granted direct privileges on objects, use roles
• Check for granted “CREATE LIBRARY”, “ALTER SYSTEM” or “CREATE PROCEDURE”
• Check for users that have “CREATE ANY DIRECTORY” privilege
• Check for users that have “CREATE JOB” or “CREATE ANY JOB” privilege (10G)
• Check user objects in SYSTEM tablespace
27 of 58
Access to the Database - 3/3
• Check for “external” users• Revoke RESOURCE role from user accounts• Revoke CONNECT role from user accounts• Check for users with “CREATE ANY TRIGGER”
privilege• Check for users that have access to data
dictionary views and tables• Check for users that have “SELECT ANY TABLE”
privilege
28 of 58
Agenda
• The need of Security• Information Security• Securing Databases• Securing Oracle• Recommended
Readings• Conclusion
• OS Security• Oracle Authentication• Access to the Database• Securing PUBLIC Role• Initialization Parameters• Application Security• Auditing• Securing the Network• Availability• Regular Checks
29 of 58
Securing PUBLIC Role - 1/3
• Grant privileges to appropriate users before revoking
• revoke all on utl_tcp from public;• revoke all on utl_http from public;• revoke all on utl_smtp from public;• revoke all on utl_file from public;• revoke all on dbms_random from public;• revoke all on dbms_lob from public;• revoke all on dbms_sql from public;
30 of 58
Securing PUBLIC Role - 2/3
• revoke all on dbms_sys_sql from public;• revoke all on dbms_job on public;• revoke all on dbms_scheduler from public;
• revoke all on owa_util from public;• revoke all on utl_xml from public;• revoke all on dbms_java_test from public;
• revoke all on dbms_lock from public;• revoke all on dbms_pipe from public;
31 of 58
Securing PUBLIC Role - 3/3• revoke select on all_db_links from public;
• revoke select on all_users from public;• revoke select on all_catalog from public;
• revoke select on all_java_classes from public;
• revoke select on all_source from public;• revoke select on all_tab_privs from public;
• Check all PUBLIC execute privileges on packages owned by SYS (XMLDB problem)
32 of 58
Agenda
• The need of Security• Information Security• Securing Databases• Securing Oracle• Recommended
Readings• Conclusion
• OS Security• Oracle Authentication• Access to the Database• Securing PUBLIC Role• Initialization Parameters• Application Security• Auditing• Securing the Network• Availability• Regular Checks
33 of 58
Initialization Parameters - 1/2
• Check user_dump_dest, background_dump_dest and core_dump_dest
• Set global_names=TRUE• Set max_enabled_roles=30• Set os_authent_prefix=“” (a null string)• Set os_roles=FALSE• Set o7_dictionary_accessibility=FALSE• Set remote_os_authent=FALSE• Set remote_os_roles=FALSE• Set remote_listener=“” (a null string)• Set sql92_security=TRUE
34 of 58
Initialization Parameters - 2/2
• Set row_locking=ALWAYS• Set remote_login_passwordfile=NONE• Avoid using the utl_file_dir parameter• Set dblink_encrypt_login=TRUE. For “client to
server” connections set ORA_ENCRYPT_LOGIN=TRUE environment variable
• Set transaction_auditing=TRUE• Check if that IFILE is used• Periodically check the instance
35 of 58
Initialization Parameters - Hidden
• Set _trace_file_public=FALSE• Set _system_trig_enabled=TRUE• Review on regular basis all hidden parameters
36 of 58
Agenda
• The need of Security• Information Security• Securing Databases• Securing Oracle• Recommended
Readings• Conclusion
• OS Security• Oracle Authentication• Access to the Database• Securing PUBLIC Role• Initialization Parameters• Application Security• Auditing• Securing the Network• Availability• Regular Checks
37 of 58
Application Security – 1/4
• Wrap the PL/SQL application code• Checksum the PL/SQL source code and Java classes
DECLAREv_counter NUMBER;BEGIN v_counter := 0; FOR c IN (SELECT text FROM user_source WHERE NAME='TEST_PKG' ORDER BY line) LOOP
v_counter := v_counter + owa_opt_lock.checksum(c.text);
END LOOP; dbms_output.put_line('checksum: '||v_counter);END;
• Check the code for hard coded passwords
38 of 58
Application Security – 2/4
• Check the PL/SQL code for SQL injection and PL/SQL injection possibilities. Some guidelines:
- use bind variables
- review the new code for security compliance
- secure PUBLIC role
- do not use dynamic SQL and PL/SQL
- use input filtering for web-based PL/SQL• Prevent your web-based applications from Cross
Site Scripting. Use output filtering
39 of 58
Application Security – 3/4
• Check which applications access the database• Control which applications access your database• Review grants of the application account• Batch processes should use own account• Encrypt critical application data• Write procedures for adding new applications• Write procedures for employee movers, leavers
and joiners• Secure Test and Development databases
40 of 58
Application Security – 4/4
• Restrict access to SQL*Plus• Disable iSQL*Plus or limit access to it. • Restrict access to debugging interfaces
- Oradebug- DBMS_DEBUG- JDeveloper- Oracle tracing
• Do not publish information about your production environments. Try Google.com
41 of 58
Agenda
• The need of Security• Information Security• Securing Databases• Securing Oracle• Recommended
Readings• Conclusion
• OS Security• Oracle Authentication• Access to the Database• Securing PUBLIC Role• Initialization Parameters• Application Security• Auditing• Securing the Network• Availability• Regular Checks
42 of 58
Auditing – 1/2
• Set audit_trail=DB, or OS• Use OS audit instead DB audit• Audit SYS activities• Audit DML failures• Audit CREATE SESSION• Audit using of GRANT, DROP, ALTER statements
on application accounts• Audit CREATE USER, CREATE ROLE on on
application accounts• Audit CREATE statements on application
accounts
43 of 58
Auditing – 2/2• Audit employee's database accounts• Use process to monitor database activities and
sends SMS or email• Consider row level auditing• Write procedures for protection of generated audit
info• Review regularly generated audit logs• Logs for checking for suspicious activities
- on OS level – Eventviewer / Syslog- listener.log, sqlnet.log- access_log, error_log, Apache.log
44 of 58
Agenda
• The need of Security• Information Security• Securing Databases• Securing Oracle• Recommended
Readings• Conclusion
• OS Security• Oracle Authentication• Access to the Database• Securing PUBLIC Role• Initialization Parameters• Application Security• Auditing• Securing the Network• Availability• Regular Checks
45 of 58
Securing the Network – 1/2
• Secure the listener • Create separate listeners for clients and for
administration• Configure Oracle to use your firewall (Windows)• Use a personal firewall on all database
administration computers• Accept connections from short list of IP addresses• Search for sqlnet.log files on the server and client
machines• Set log_directory_client in sqlnet.ora
46 of 58
Securing the Network – 2/2
• Secure used database links. There are passwords in clear text in sys.link$ table
• Write a policy for managing database links• Check with port scanner for open default ports• Secure the Intelligent agent• Encrypt communication between all Oracle clients
and the database. Use IPSec or SSL
47 of 58
Agenda
• The need of Security• Information Security• Securing Databases• Securing Oracle• Recommended
Readings• Conclusion
• OS Security• Oracle Authentication• Access to the Database• Securing PUBLIC Role• Initialization Parameters• Application Security• Auditing• Securing the Network• Availability• Regular Checks
48 of 58
Availability
• Review backup and restore procedures• Check periodically the backup media integrity• Backups should be available only off-site• Write procedures for backup tape retrieval to
prevent social engineering• Format all old and not already used disks (DUL
and BBED tools)• Secure the fallback databases as they are
production one• Write and test disaster recovery procedures
49 of 58
Agenda
• The need of Security• Information Security• Securing Databases• Securing Oracle• Recommended
Readings• Conclusion
• OS Security• Oracle Authentication• Access to the Database• Securing PUBLIC Role• Initialization Parameters• Application Security• Auditing• Securing the Network• Availability• Regular Checks
50 of 58
Regular Checks
• Check for unauthorized changes• Monitor the audited information• Review members of the ORA_DBA/OSDBA groups• Review the recorded database configuration• Monitor listener.log for brute force attacks• Test the disaster recovery procedures• Test the recovery procedures• Install the latest Oracle security patches• Stay up-to-date with latest known Oracle
vulnerabilities (mailing lists and sites)
51 of 58
Agenda
• The need of Security• Information Security• Securing Databases• Securing Oracle• Recommended Readings• Conclusion
52 of 58
Recommended Readings - Papers
• Oracle Database Security Benchmark - http://www.cisecurity.org/bench_oracle.html
• SANS Oracle Database Checklist - http://www.sans.org/score/checklists/Oracle_Database_Checklist.pdf
• Oracle Security Papers - http://www.petefinnigan.com/orasec.htm
• Oracle 10G – Security Guide
• Protecting Oracle Databases – white paper
53 of 58
Recommended Readings - Sites• http://www.petefinnigan.com/• http://www.cisecurity.org/• http://www.protegrity.com/• http://www.nextgenss.com/• http://www.appsecinc.com/• http://www.sans.org/• http://www.iss.net/• http://www.securityfocus.com/• http://otn.oracle.com/deploy/security• http://www.computerworld.com/securitytopics/sec
urity
54 of 58
Recommended Readings - Books
http://www.amazon.com/exec/obidos/tg/detail/-/0974372749/qid=1111427975
Recommended Readings - Books
http://www.amazon.com/exec/obidos/tg/detail/-/0072231300/qid=1091002374
56 of 58
Recommended Readings – Books
• Oracle Database Security, Audit & Control Features (PricewaterhouseCoopers – 2004)
• Security, Audit & Control Features Oracle Applications: A Technical and Risk Management Reference Guide (Deloitte & Touche Tohmatsu Research Team - 2003)
• Oracle Security Handbook : Implement a Sound Security Plan in Your Oracle Environment (Oracle Press – 2001)
• Oracle Security (O’Reilly – 1998)
57 of 58
Conclusion
• Do not wait to be hacked• Implement some security policy• Stay up-to-date• Improve the policy repeatedly• The mentioned steps are not rules –
they are information• Do not implement everything – balance
between security, performance and usability
58 of 58
Questions or Comments
Radoslav Rusinov
Radoslav.Rusinov@dir.bg
Radoslav.Rusinov@gmail.com
Recommended