Oracle Security Radoslav Rusinov ING Wholesale Banking

Oracle Security

Radoslav Rusinov

ING Wholesale Banking

2 of 58

Agenda

• The need of Security• Information Security• Securing Databases• Securing Oracle• Recommended Readings• Conclusion

3 of 58

Why is security necessary?

• Security threats have grown monthly

• Unauthorized access to servers, databases and applications

• Worms / Viruses

• Software vulnerabilities

• Theft / Hacker intrusions

• Operator or user errors

• 70% of intrusions are internal

4 of 58

Security Breaches – Last Cases

• 25.02.2005 – Bank of America Corp. loses credit card info of 1.2M federal workers

• 08.04.2005 – Stolen computers from San Jose Medical Group contain data on 185,000 patients

• 12.04.2005 – Data broker LexisNexis Group said that hackers have stolen data of 310,000 people

• 14.04.2005 – British HSBC Bank PLC warns for stolen data of 180,000 credit card customers

• 15.04.2005 – Bulgarian National Cardiologic Hospital informs of an intrusion attack

5 of 58

Intrusions – Business Impact

• Damage to image and reputation• Loss of Customer confidence• Loss of Partner confidence• Loss of Business• Impact in the revenue• Benefits competition

6 of 58

Agenda


7 of 58

Information Security

• Every organization should secure its information• They should use security management strategy

8 of 58

Information Security - Regulatory

• Health Insurance Portability and Accountability Act (HIPAA)

• Sarbanes-Oxley Act• California SB 1386• GLB – Gramm-Leach-Biley Act• MasterCard Site Data Protection (SDP)• Payment Card Industry (PCI) Data Security

Standard• Visa USA Cardholder Information Security

Program (CISP)• ISO IEC 17799/BS7799 Standard

9 of 58

Information Security - Certifying

• Certification Organizations - BSI, DNV, KPMG, Certification Europe, KEMA, JACO IS

• Vulnerability Assessment/Penetration Testing by Information Security Audit Companies – KPMG, PricewaterhouseCoopers

• SANS Best practices in Information Security

URL: http://www.sans.org/rr/whitepapers/bestprac• Information Security News – URL:

www.computerworld.com/securitytopics/security

http://www.sans.org/rr/whitepapers/bestprac

http://www.sans.org/rr/whitepapers/bestprac

http://www.computerworld.com/securitytopics/security

10 of 58

Information Security - Own Procedures

• Organizations can follow their own Information Security Standards

• The Database Security is important part of these standards

11 of 58

Agenda


12 of 58

Securing Databases - Layers

13 of 58

Securing Databases - Common Steps

• Write a database security procedure• Record the current configuration• Test and implement the procedure• Record the OS configuration• Record the database configuration• Record the security configuration• Monitor the environment• Regular checks • Update your security plan

14 of 58

Agenda

• The need of Security• Information Security• Securing Databases• Securing Oracle• Recommended

Readings• Conclusion

• OS Security• Oracle Authentication• Access to the Database• Securing PUBLIC Role• Initialization Parameters• Application Security• Auditing• Securing the Network• Availability• Regular Checks

15 of 58

OS Security – Owner of Oracle software - 1/2

• Do not name the owner of Oracle software “oracle”

• This is considered as “security through obscurity”

• Limit access to the account that owns Oracle software using mechanisms like “sudo”

• Create different users for every part of Oracle software. Examples:• Oralsnr – for the listener• Oradb – for the database

16 of 58

OS Security – Owner of Oracle software - 2/2

• The user used to install Oracle should be a local one

• Prohibit sys administrators to access files owned by “oracle”

• “oracle” account should not be a member of the admin group

• Check members of the ORA_DBA / OSDBA group

• Only database administrators should be assigned to the ORA_DBA / OSDBA group

17 of 58

OS Security – File Permissions - 1/2

• Verify permissions for files under the ORACLE_BASE and ORACLE_HOME directories

• Disable the otrace utility – Metalink note: 192541.995

• Oracle processes should be run through the Oracle software account (or ORA_DBA group)

• On Windows, Oracle services are using “Local System Account” – it should be changed

• On Windows, restrict access to directory C:\Program Files\Oracle

18 of 58

OS Security – File Permissions - 2/2

• Remove or restrict permissions on all saved script files after creating the database

• On Windows- Restrict access to Windows Registry- Give Full Control over registry key HKEY_LOCAL_MACHINE\Software\Oracle to the account that will run Oracle Services - Use regedt32.exe for changing Registry Security Policy

• If database backups are written to the system disks, verify the permissions for this directory

19 of 58

OS Security – Usernames and Passwords

• On Unix

- restrict the “ps” command at the OS level

- check the cron jobs• Check the server for scripts that contains

usernames and passwords• Check all environment variables• Check client machines for application

configuration files• Use secure IP communications

20 of 58

OS Security – Auditing

• Start OS level auditing for unauthorized use of Oracle. For particular directories – tripwire

• For monitoring and analyzing of log files – swatch, logcheck

• For checking of integrity of Oracle binary and configuration files – tripwire, samhain, AIDE

• Oracle provides a tool for monitoring OracleAS – iHAT

• Save audit log files on secured remote servers • Check processes regularly

21 of 58

Agenda




22 of 58

Oracle Authentication – Password Policy

• All employees that are using the database must have own accounts

• Use Oracle password management features:alter profile defaultlimit failed_login_attempts 3password_life_time 60password_reuse_max 20password_lock_time 1;

• User passwords should be changed on a regular basis

• Create different profiles for different types of users

23 of 58

Oracle Authentication – Weak Passwords

• Enable password verification function• Check for default accounts that are installed as

part of Oracle installation • Check application accounts for

username/password matching• Check for weak passwords • Check for roles with default passwords

24 of 58

Agenda




25 of 58

Access to the Database - 1/3

• Limit access to roles that consists of _CATALOG_• Use manually created roles• Roles that are powerful should be password

protected• Use password protected role when DML is used• Check for users or roles with granted privileges

consists of “all privileges”, “any”, “with admin”, “with grant”

• Review the system privileges granted to users

26 of 58


• Check for granted direct privileges on objects, use roles

• Check for granted “CREATE LIBRARY”, “ALTER SYSTEM” or “CREATE PROCEDURE”

• Check for users that have “CREATE ANY DIRECTORY” privilege

• Check for users that have “CREATE JOB” or “CREATE ANY JOB” privilege (10G)

• Check user objects in SYSTEM tablespace

27 of 58


• Check for “external” users• Revoke RESOURCE role from user accounts• Revoke CONNECT role from user accounts• Check for users with “CREATE ANY TRIGGER”

privilege• Check for users that have access to data

dictionary views and tables• Check for users that have “SELECT ANY TABLE”

privilege

28 of 58

Agenda




29 of 58

Securing PUBLIC Role - 1/3

• Grant privileges to appropriate users before revoking

• revoke all on utl_tcp from public;• revoke all on utl_http from public;• revoke all on utl_smtp from public;• revoke all on utl_file from public;• revoke all on dbms_random from public;• revoke all on dbms_lob from public;• revoke all on dbms_sql from public;

30 of 58

Securing PUBLIC Role - 2/3

• revoke all on dbms_sys_sql from public;• revoke all on dbms_job on public;• revoke all on dbms_scheduler from public;

• revoke all on owa_util from public;• revoke all on utl_xml from public;• revoke all on dbms_java_test from public;

• revoke all on dbms_lock from public;• revoke all on dbms_pipe from public;

31 of 58

Securing PUBLIC Role - 3/3• revoke select on all_db_links from public;

• revoke select on all_users from public;• revoke select on all_catalog from public;

• revoke select on all_java_classes from public;

• revoke select on all_source from public;• revoke select on all_tab_privs from public;

• Check all PUBLIC execute privileges on packages owned by SYS (XMLDB problem)

32 of 58

Agenda




33 of 58

Initialization Parameters - 1/2

• Check user_dump_dest, background_dump_dest and core_dump_dest

• Set global_names=TRUE• Set max_enabled_roles=30• Set os_authent_prefix=“” (a null string)• Set os_roles=FALSE• Set o7_dictionary_accessibility=FALSE• Set remote_os_authent=FALSE• Set remote_os_roles=FALSE• Set remote_listener=“” (a null string)• Set sql92_security=TRUE

34 of 58

Initialization Parameters - 2/2

• Set row_locking=ALWAYS• Set remote_login_passwordfile=NONE• Avoid using the utl_file_dir parameter• Set dblink_encrypt_login=TRUE. For “client to

server” connections set ORA_ENCRYPT_LOGIN=TRUE environment variable

• Set transaction_auditing=TRUE• Check if that IFILE is used• Periodically check the instance

35 of 58

Initialization Parameters - Hidden

• Set _trace_file_public=FALSE• Set _system_trig_enabled=TRUE• Review on regular basis all hidden parameters

36 of 58

Agenda




37 of 58

Application Security – 1/4

• Wrap the PL/SQL application code• Checksum the PL/SQL source code and Java classes

DECLAREv_counter NUMBER;BEGIN v_counter := 0; FOR c IN (SELECT text FROM user_source WHERE NAME='TEST_PKG' ORDER BY line) LOOP

v_counter := v_counter + owa_opt_lock.checksum(c.text);

END LOOP; dbms_output.put_line('checksum: '||v_counter);END;

• Check the code for hard coded passwords

38 of 58


• Check the PL/SQL code for SQL injection and PL/SQL injection possibilities. Some guidelines:

- use bind variables

- review the new code for security compliance

- secure PUBLIC role

- do not use dynamic SQL and PL/SQL

- use input filtering for web-based PL/SQL• Prevent your web-based applications from Cross

Site Scripting. Use output filtering

39 of 58


• Check which applications access the database• Control which applications access your database• Review grants of the application account• Batch processes should use own account• Encrypt critical application data• Write procedures for adding new applications• Write procedures for employee movers, leavers

and joiners• Secure Test and Development databases

40 of 58


• Restrict access to SQL*Plus• Disable iSQL*Plus or limit access to it. • Restrict access to debugging interfaces

- Oradebug- DBMS_DEBUG- JDeveloper- Oracle tracing

• Do not publish information about your production environments. Try Google.com

41 of 58

Agenda




42 of 58

Auditing – 1/2

• Set audit_trail=DB, or OS• Use OS audit instead DB audit• Audit SYS activities• Audit DML failures• Audit CREATE SESSION• Audit using of GRANT, DROP, ALTER statements

on application accounts• Audit CREATE USER, CREATE ROLE on on

application accounts• Audit CREATE statements on application

accounts

43 of 58

Auditing – 2/2• Audit employee's database accounts• Use process to monitor database activities and

sends SMS or email• Consider row level auditing• Write procedures for protection of generated audit

info• Review regularly generated audit logs• Logs for checking for suspicious activities

- on OS level – Eventviewer / Syslog- listener.log, sqlnet.log- access_log, error_log, Apache.log

44 of 58

Agenda




45 of 58

Securing the Network – 1/2

• Secure the listener • Create separate listeners for clients and for

administration• Configure Oracle to use your firewall (Windows)• Use a personal firewall on all database

administration computers• Accept connections from short list of IP addresses• Search for sqlnet.log files on the server and client

machines• Set log_directory_client in sqlnet.ora

46 of 58

Securing the Network – 2/2

• Secure used database links. There are passwords in clear text in sys.link$ table

• Write a policy for managing database links• Check with port scanner for open default ports• Secure the Intelligent agent• Encrypt communication between all Oracle clients

and the database. Use IPSec or SSL

47 of 58

Agenda




48 of 58

Availability

• Review backup and restore procedures• Check periodically the backup media integrity• Backups should be available only off-site• Write procedures for backup tape retrieval to

prevent social engineering• Format all old and not already used disks (DUL

and BBED tools)• Secure the fallback databases as they are

production one• Write and test disaster recovery procedures

49 of 58

Agenda




50 of 58

Regular Checks

• Check for unauthorized changes• Monitor the audited information• Review members of the ORA_DBA/OSDBA groups• Review the recorded database configuration• Monitor listener.log for brute force attacks• Test the disaster recovery procedures• Test the recovery procedures• Install the latest Oracle security patches• Stay up-to-date with latest known Oracle

vulnerabilities (mailing lists and sites)

51 of 58

Agenda


52 of 58

Recommended Readings - Papers

• Oracle Database Security Benchmark - http://www.cisecurity.org/bench_oracle.html

• SANS Oracle Database Checklist - http://www.sans.org/score/checklists/Oracle_Database_Checklist.pdf

• Oracle Security Papers - http://www.petefinnigan.com/orasec.htm

• Oracle 10G – Security Guide

• Protecting Oracle Databases – white paper

http://www.sans.org/score/checklists/Oracle_Database_Checklist.pdf



http://www.petefinnigan.com/orasec.htm




53 of 58

Recommended Readings - Sites• http://www.petefinnigan.com/• http://www.cisecurity.org/• http://www.protegrity.com/• http://www.nextgenss.com/• http://www.appsecinc.com/• http://www.sans.org/• http://www.iss.net/• http://www.securityfocus.com/• http://otn.oracle.com/deploy/security• http://www.computerworld.com/securitytopics/sec

urity

http://www.petefinnigan.com/

http://www.cisecurity.org/

http://www.protegrity.com/

http://www.nextgenss.com/

http://www.appsecinc.com/

http://www.sans.org/

http://www.iss.net/

http://otn.oracle.com/deploy/security



54 of 58

Recommended Readings - Books

http://www.amazon.com/exec/obidos/tg/detail/-/0974372749/qid=1111427975


Recommended Readings - Books



56 of 58

Recommended Readings – Books

• Oracle Database Security, Audit & Control Features (PricewaterhouseCoopers – 2004)

• Security, Audit & Control Features Oracle Applications: A Technical and Risk Management Reference Guide (Deloitte & Touche Tohmatsu Research Team - 2003)

• Oracle Security Handbook : Implement a Sound Security Plan in Your Oracle Environment (Oracle Press – 2001)

• Oracle Security (O’Reilly – 1998)

57 of 58

Conclusion

• Do not wait to be hacked• Implement some security policy• Stay up-to-date• Improve the policy repeatedly• The mentioned steps are not rules –

they are information• Do not implement everything – balance

between security, performance and usability

58 of 58

Questions or Comments

Radoslav Rusinov

[email protected]

[email protected]

mailto:[email protected]



Documents

Oracle Security Radoslav Rusinov ING Wholesale Banking