Oracle Security Radoslav Rusinov ING Wholesale Banking - PowerPoint PPT Presentation

Provided by: bgougOrgu
Learn more at: https://bgoug.org
Slides: 59

Transcript and Presenter's Notes

1
Oracle Security
  • Radoslav Rusinov
  • ING Wholesale Banking

2
Agenda
  • The need of Security
  • Information Security
  • Securing Databases
  • Securing Oracle
  • Recommended Readings
  • Conclusion

3
Why is security necessary?
  • Security threats have grown monthly
  • Unauthorized access to servers, databases and
    applications
  • Worms / Viruses
  • Software vulnerabilities
  • Theft / Hacker intrusions
  • Operator or user errors
  • 70% of intrusions are internal

4
Security Breaches - Last Cases
  • 25.02.2005 Bank of America Corp. loses credit
    card info of 1.2M federal workers
  • 08.04.2005 Stolen computers from San Jose
    Medical Group contain data on 185,000 patients
  • 12.04.2005 Data broker LexisNexis Group said
    that hackers have stolen data of 310,000 people
  • 14.04.2005 British HSBC Bank PLC warns for
    stolen data of 180,000 credit card customers
  • 15.04.2005 Bulgarian National Cardiologic
    Hospital informs of an intrusion attack

5
Intrusions - Business Impact
  • Damage to image and reputation
  • Loss of Customer confidence
  • Loss of Partner confidence
  • Loss of Business
  • Impact in the revenue
  • Benefits competition

6
Agenda
  • The need of Security
  • Information Security
  • Securing Databases
  • Securing Oracle
  • Recommended Readings
  • Conclusion

7
Information Security
  • Every organization should secure its information
  • They should use a security management strategy

8
Information Security - Regulatory
  • Health Insurance Portability and Accountability
    Act (HIPAA)
  • Sarbanes-Oxley Act
  • California SB 1386
  • Gramm-Leach-Bliley Act (GLB)
  • MasterCard Site Data Protection (SDP)
  • Payment Card Industry (PCI) Data Security
    Standard
  • Visa USA Cardholder Information Security Program
    (CISP)
  • ISO/IEC 17799 / BS 7799 Standard

9
Information Security - Certifying
  • Certification Organizations: BSI, DNV, KPMG,
    Certification Europe, KEMA, JACO IS
  • Vulnerability Assessment/Penetration Testing by
    Information Security Audit Companies: KPMG,
    PricewaterhouseCoopers
  • SANS Best practices in Information Security:
    http://www.sans.org/rr/whitepapers/bestprac
  • Information Security News:
    http://www.computerworld.com/securitytopics/security

10
Information Security - Own Procedures
  • Organizations can follow their own Information
    Security Standards
  • Database security is an important part of these
    standards

11
Agenda
  • The need of Security
  • Information Security
  • Securing Databases
  • Securing Oracle
  • Recommended Readings
  • Conclusion

12
Securing Databases - Layers
13
Securing Databases - Common Steps
  • Write a database security procedure
  • Record the current configuration
  • Test and implement the procedure
  • Record the OS configuration
  • Record the database configuration
  • Record the security configuration
  • Monitor the environment
  • Regular checks
  • Update your security plan

14
Agenda
  • The need of Security
  • Information Security
  • Securing Databases
  • Securing Oracle
  • Recommended Readings
  • Conclusion
  • OS Security
  • Oracle Authentication
  • Access to the Database
  • Securing PUBLIC Role
  • Initialization Parameters
  • Application Security
  • Auditing
  • Securing the Network
  • Availability
  • Regular Checks

15
OS Security - Owner of Oracle software - 1/2
  • Do not name the owner of the Oracle software "oracle"
  • This counts as security through obscurity
  • Limit access to the account that owns the Oracle
    software using mechanisms like sudo
  • Create different users for every part of the Oracle
    software. Examples:
  • - oralsnr for the listener
  • - oradb for the database

16
OS Security - Owner of Oracle software - 2/2
  • The user used to install Oracle should be a local
    one
  • Prohibit system administrators from accessing
    files owned by oracle
  • The oracle account should not be a member of the
    admin group
  • Check the members of the ORA_DBA / OSDBA group
  • Only database administrators should be assigned
    to the ORA_DBA / OSDBA group

17
OS Security - File Permissions - 1/2
  • Verify permissions for files under the
    ORACLE_BASE and ORACLE_HOME directories
  • Disable the otrace utility (Metalink note
    192541.995)
  • Oracle processes should run under the Oracle
    software account (or the ORA_DBA group)
  • On Windows, Oracle services run under the Local
    System account; this should be changed
  • On Windows, restrict access to the directory
    C:\Program Files\Oracle

18
OS Security - File Permissions - 2/2
  • Remove or restrict permissions on all saved
    script files after creating the database
  • On Windows:
  • - Restrict access to the Windows Registry
  • - Give Full Control over the registry key
    HKEY_LOCAL_MACHINE\Software\Oracle to the account
    that will run the Oracle services
  • - Use regedt32.exe to change the Registry
    security policy
  • If database backups are written to the system
    disks, verify the permissions on that directory

19
OS Security - Usernames and Passwords
  • On Unix:
  • - restrict the ps command at the OS level
  • - check the cron jobs
  • Check the server for scripts that contain
    usernames and passwords
  • Check all environment variables
  • Check client machines for application
    configuration files
  • Use secure IP communications

20
OS Security - Auditing
  • Start OS level auditing for unauthorized use of
    Oracle. For particular directories: tripwire
  • For monitoring and analysis of log files:
    swatch, logcheck
  • For checking the integrity of Oracle binaries and
    configuration files: tripwire, samhain, AIDE
  • Oracle provides a tool for monitoring OracleAS:
    iHAT
  • Save audit log files on secured remote servers
  • Check processes regularly

21
Agenda
  • The need of Security
  • Information Security
  • Securing Databases
  • Securing Oracle
  • Recommended Readings
  • Conclusion
  • OS Security
  • Oracle Authentication
  • Access to the Database
  • Securing PUBLIC Role
  • Initialization Parameters
  • Application Security
  • Auditing
  • Securing the Network
  • Availability
  • Regular Checks

22
Oracle Authentication - Password Policy
  • All employees that use the database must
    have their own accounts
  • Use Oracle password management features:
    alter profile default limit
      failed_login_attempts 3
      password_life_time 60
      password_reuse_max 20
      password_lock_time 1;
  • User passwords should be changed on a regular
    basis
  • Create different profiles for different types of
    users

23
Oracle Authentication - Weak Passwords
  • Enable a password verification function
  • Check for default accounts that are installed as
    part of the Oracle installation
  • Check application accounts for username/password
    matching
  • Check for weak passwords
  • Check for roles with default passwords
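As an added example, not code from the deck: a password verify function that performs the checks slide 23 asks for (no username/password match, a minimum length and a letter/digit mix), attached to a profile carrying the limits from slide 22. It assumes the function is created by SYS; the profile name app_users, the function name verify_app_password and the account app_user1 are hypothetical.

```sql
-- Added example (not from the deck): a password verify function with the
-- checks slide 23 calls for, attached to a profile using the slide 22 limits.
-- Must be created by SYS. Profile APP_USERS, function VERIFY_APP_PASSWORD
-- and account APP_USER1 are hypothetical names.
CREATE OR REPLACE FUNCTION verify_app_password (
    username     IN VARCHAR2,
    password     IN VARCHAR2,
    old_password IN VARCHAR2)
RETURN BOOLEAN IS
    has_digit  BOOLEAN := FALSE;
    has_letter BOOLEAN := FALSE;
BEGIN
    -- username/password matching (slide 23)
    IF UPPER(password) = UPPER(username) THEN
        raise_application_error(-20001, 'Password must not equal the username');
    END IF;
    -- minimum length
    IF LENGTH(password) < 8 THEN
        raise_application_error(-20002, 'Password must be at least 8 characters');
    END IF;
    -- at least one letter and one digit
    FOR i IN 1 .. LENGTH(password) LOOP
        IF SUBSTR(password, i, 1) BETWEEN '0' AND '9' THEN
            has_digit := TRUE;
        ELSIF UPPER(SUBSTR(password, i, 1)) BETWEEN 'A' AND 'Z' THEN
            has_letter := TRUE;
        END IF;
    END LOOP;
    IF NOT (has_digit AND has_letter) THEN
        raise_application_error(-20003, 'Password needs letters and digits');
    END IF;
    -- old_password is NULL when an administrator resets the password
    IF old_password IS NOT NULL AND UPPER(password) = UPPER(old_password) THEN
        raise_application_error(-20004, 'New password must differ from the old one');
    END IF;
    RETURN TRUE;
END;
/

-- Separate profile for application end users (slide 22 recommends different
-- profiles per user type); the numeric limits are the ones shown on slide 22
CREATE PROFILE app_users LIMIT
    failed_login_attempts    3
    password_life_time       60
    password_reuse_max       20
    password_lock_time       1
    password_verify_function verify_app_password;

ALTER USER app_user1 PROFILE app_users;
```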

24
Agenda
  • The need of Security
  • Information Security
  • Securing Databases
  • Securing Oracle
  • Recommended Readings
  • Conclusion
  • OS Security
  • Oracle Authentication
  • Access to the Database
  • Securing PUBLIC Role
  • Initialization Parameters
  • Application Security
  • Auditing
  • Securing the Network
  • Availability
  • Regular Checks

25
Access to the Database - 1/3
  • Limit access to roles whose names contain _CATALOG_
  • Use manually created roles
  • Powerful roles should be password protected
  • Use a password protected role when DML is used
  • Check for users or roles granted privileges that
    include ALL PRIVILEGES, ANY, WITH ADMIN OPTION or
    WITH GRANT OPTION
  • Review the system privileges granted to users

26
Access to the Database - 2/3
  • Check for direct privileges granted on objects;
    use roles instead
  • Check for granted CREATE LIBRARY, ALTER
    SYSTEM or CREATE PROCEDURE
  • Check for users that have the CREATE ANY DIRECTORY
    privilege
  • Check for users that have the CREATE JOB or CREATE
    ANY JOB privilege (10g)
  • Check for user objects in the SYSTEM tablespace

27
Access to the Database - 3/3
  • Check for external users
  • Revoke RESOURCE role from user accounts
  • Revoke CONNECT role from user accounts
  • Check for users with CREATE ANY TRIGGER
    privilege
  • Check for users that have access to data
    dictionary views and tables
  • Check for users that have SELECT ANY TABLE
    privilege

28
Agenda
  • The need of Security
  • Information Security
  • Securing Databases
  • Securing Oracle
  • Recommended Readings
  • Conclusion
  • OS Security
  • Oracle Authentication
  • Access to the Database
  • Securing PUBLIC Role
  • Initialization Parameters
  • Application Security
  • Auditing
  • Securing the Network
  • Availability
  • Regular Checks

29
Securing PUBLIC Role - 1/3
  • Grant privileges to appropriate users before
    revoking
  • revoke all on utl_tcp from public
  • revoke all on utl_http from public
  • revoke all on utl_smtp from public
  • revoke all on utl_file from public
  • revoke all on dbms_random from public
  • revoke all on dbms_lob from public
  • revoke all on dbms_sql from public

30
Securing PUBLIC Role - 2/3
  • revoke all on dbms_sys_sql from public
  • revoke all on dbms_job from public
  • revoke all on dbms_scheduler from public
  • revoke all on owa_util from public
  • revoke all on utl_xml from public
  • revoke all on dbms_java_test from public
  • revoke all on dbms_lock from public
  • revoke all on dbms_pipe from public

31
Securing PUBLIC Role - 3/3
  • revoke select on all_db_links from public
  • revoke select on all_users from public
  • revoke select on all_catalog from public
  • revoke select on all_java_classes from public
  • revoke select on all_source from public
  • revoke select on all_tab_privs from public
  • Check all PUBLIC execute privileges on packages
    owned by SYS (XMLDB problem)
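Added example, not from the deck: data dictionary queries that implement the checks on slides 25 to 27 and 29 to 31. They assume a DBA session (SELECT on the DBA_* views) and use a deliberately short exclusion list of Oracle-supplied grantees that has to be extended for the accounts on your system.

```sql
-- Added example (not from the deck): dictionary queries for the checks on
-- slides 25 to 27 and 29 to 31. Run as a DBA (needs SELECT on the DBA_* views).
-- The list of excluded Oracle-supplied grantees is deliberately short; extend
-- it for the accounts present on your system.

-- 1. System privileges with ANY/ALL scope or granted WITH ADMIN OPTION
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE (privilege LIKE '%ANY%' OR privilege = 'ALL PRIVILEGES'
        OR admin_option = 'YES')
   AND grantee NOT IN ('SYS', 'SYSTEM', 'DBA')
 ORDER BY grantee, privilege;

-- 2. The specific privileges named on slides 26 and 27
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE privilege IN ('CREATE LIBRARY', 'ALTER SYSTEM', 'CREATE PROCEDURE',
                     'CREATE ANY DIRECTORY', 'CREATE JOB', 'CREATE ANY JOB',
                     'CREATE ANY TRIGGER', 'SELECT ANY TABLE')
   AND grantee NOT IN ('SYS', 'SYSTEM', 'DBA')
 ORDER BY privilege, grantee;

-- 3. Object privileges granted directly to users instead of through roles;
--    the GRANTABLE column shows anything passed on WITH GRANT OPTION
SELECT p.grantee, p.owner, p.table_name, p.privilege, p.grantable
  FROM dba_tab_privs p
  JOIN dba_users u ON u.username = p.grantee
 WHERE p.grantee NOT IN ('SYS', 'SYSTEM')
 ORDER BY p.grantee, p.owner, p.table_name;

-- 4. _CATALOG_ roles and the CONNECT / RESOURCE roles held by user accounts
SELECT r.grantee, r.granted_role, r.admin_option
  FROM dba_role_privs r
  JOIN dba_users u ON u.username = r.grantee
 WHERE (r.granted_role LIKE '%CATALOG%'
        OR r.granted_role IN ('CONNECT', 'RESOURCE'))
   AND r.grantee NOT IN ('SYS', 'SYSTEM')
 ORDER BY r.grantee, r.granted_role;

-- 5. Everything PUBLIC can execute in the SYS schema (slide 31); compare the
--    result with the revoke list on slides 29 and 30
SELECT table_name
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC' AND owner = 'SYS' AND privilege = 'EXECUTE'
 ORDER BY table_name;

-- 6. User objects placed in the SYSTEM tablespace (slide 26)
SELECT owner, segment_name, segment_type
  FROM dba_segments
 WHERE tablespace_name = 'SYSTEM'
   AND owner NOT IN ('SYS', 'SYSTEM', 'OUTLN')
 ORDER BY owner, segment_name;
```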

32
Agenda
  • The need of Security
  • Information Security
  • Securing Databases
  • Securing Oracle
  • Recommended Readings
  • Conclusion
  • OS Security
  • Oracle Authentication
  • Access to the Database
  • Securing PUBLIC Role
  • Initialization Parameters
  • Application Security
  • Auditing
  • Securing the Network
  • Availability
  • Regular Checks

33
Initialization Parameters - 1/2
  • Check user_dump_dest, background_dump_dest and
    core_dump_dest
  • Set global_names = TRUE
  • Set max_enabled_roles = 30
  • Set os_authent_prefix = '' (a null string)
  • Set os_roles = FALSE
  • Set o7_dictionary_accessibility = FALSE
  • Set remote_os_authent = FALSE
  • Set remote_os_roles = FALSE
  • Set remote_listener = '' (a null string)
  • Set sql92_security = TRUE

34
Initialization Parameters - 2/2
  • Set row_locking = ALWAYS
  • Set remote_login_passwordfile = NONE
  • Avoid using the utl_file_dir parameter
  • Set dblink_encrypt_login = TRUE. For client to
    server connections set the ORA_ENCRYPT_LOGIN = TRUE
    environment variable
  • Set transaction_auditing = TRUE
  • Check whether IFILE is used
  • Periodically check the instance parameters

35
Initialization Parameters - Hidden
  • Set _trace_file_public = FALSE
  • Set _system_trig_enabled = TRUE
  • Review all hidden parameters on a regular basis
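Added example, not from the deck: a query that compares the recommended values from slides 33 and 34 with the running instance in V$PARAMETER. It assumes SELECT on V_$PARAMETER; hidden parameters (slide 35) are not exposed there and would have to be read from X$KSPPI / X$KSPPCV as SYS.

```sql
-- Added example (not from the deck): compare the parameters on slides 33 and
-- 34 with their running values in V$PARAMETER. Run as a user with SELECT on
-- V_$PARAMETER. Hidden parameters (slide 35) are not exposed there and have
-- to be read from X$KSPPI / X$KSPPCV as SYS. The expected values are those
-- printed on the slides; a NULL expectation means "must be a null string".
WITH expected AS (
    SELECT CAST('global_names' AS VARCHAR2(64)) AS name,
           CAST('TRUE' AS VARCHAR2(64))         AS want FROM dual UNION ALL
    SELECT 'max_enabled_roles',            '30'     FROM dual UNION ALL
    SELECT 'os_authent_prefix',            NULL     FROM dual UNION ALL
    SELECT 'os_roles',                     'FALSE'  FROM dual UNION ALL
    SELECT 'o7_dictionary_accessibility',  'FALSE'  FROM dual UNION ALL
    SELECT 'remote_os_authent',            'FALSE'  FROM dual UNION ALL
    SELECT 'remote_os_roles',              'FALSE'  FROM dual UNION ALL
    SELECT 'remote_listener',              NULL     FROM dual UNION ALL
    SELECT 'sql92_security',               'TRUE'   FROM dual UNION ALL
    SELECT 'row_locking',                  'ALWAYS' FROM dual UNION ALL
    SELECT 'remote_login_passwordfile',    'NONE'   FROM dual UNION ALL
    SELECT 'dblink_encrypt_login',         'TRUE'   FROM dual UNION ALL
    SELECT 'utl_file_dir',                 NULL     FROM dual
)
SELECT e.name,
       NVL(e.want, '<null>')  AS expected,
       NVL(p.value, '<null>') AS actual,
       -- CHECK rows sort first so deviations are at the top of the output
       CASE WHEN p.name IS NULL THEN 'NOT PRESENT IN THIS VERSION'
            WHEN NVL(UPPER(p.value), '<null>') = NVL(e.want, '<null>') THEN 'OK'
            ELSE 'CHECK' END  AS status
  FROM expected e
  LEFT JOIN v$parameter p ON p.name = e.name
 ORDER BY status, e.name;
```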

36
Agenda
  • The need of Security
  • Information Security
  • Securing Databases
  • Securing Oracle
  • Recommended Readings
  • Conclusion
  • OS Security
  • Oracle Authentication
  • Access to the Database
  • Securing PUBLIC Role
  • Initialization Parameters
  • Application Security
  • Auditing
  • Securing the Network
  • Availability
  • Regular Checks

37
Application Security 1/4
  • Wrap the PL/SQL application code
  • Checksum the PL/SQL source code and Java classes,
    for example:
      DECLARE
        v_counter NUMBER;
      BEGIN
        v_counter := 0;
        -- sum a checksum over every source line of TEST_PKG in the current schema
        FOR c IN (SELECT text FROM user_source
                   WHERE name = 'TEST_PKG' ORDER BY line) LOOP
          v_counter := v_counter + owa_opt_lock.checksum(c.text);
        END LOOP;
        dbms_output.put_line('checksum ' || v_counter);
      END;
      /
  • Check the code for hard coded passwords

38
Application Security 2/4
  • Check the PL/SQL code for SQL injection and
    PL/SQL injection possibilities. Some guidelines:
  • - use bind variables
  • - review new code for security compliance
  • - secure the PUBLIC role
  • - do not use dynamic SQL and PL/SQL
  • - use input filtering for web-based PL/SQL
  • Protect your web-based applications from Cross
    Site Scripting: use output filtering

39
Application Security 3/4
  • Check which applications access the database
  • Control which applications access your database
  • Review grants of the application account
  • Batch processes should use their own account
  • Encrypt critical application data
  • Write procedures for adding new applications
  • Write procedures for employee movers, leavers and
    joiners
  • Secure Test and Development databases

40
Application Security 4/4
  • Restrict access to SQL*Plus
  • Disable iSQL*Plus or limit access to it
  • Restrict access to debugging interfaces:
  • - Oradebug
  • - DBMS_DEBUG
  • - JDeveloper
  • - Oracle tracing
  • Do not publish information about your production
    environments (try Google.com)

41
Agenda
  • The need of Security
  • Information Security
  • Securing Databases
  • Securing Oracle
  • Recommended Readings
  • Conclusion
  • OS Security
  • Oracle Authentication
  • Access to the Database
  • Securing PUBLIC Role
  • Initialization Parameters
  • Application Security
  • Auditing
  • Securing the Network
  • Availability
  • Regular Checks

42
Auditing 1/2
  • Set audit_trail = DB or OS
  • Use OS audit instead of DB audit
  • Audit SYS activities
  • Audit DML failures
  • Audit CREATE SESSION
  • Audit the use of GRANT, DROP and ALTER statements on
    application accounts
  • Audit CREATE USER and CREATE ROLE on application
    accounts
  • Audit CREATE statements on application accounts

43
Auditing 2/2
  • Audit employees' database accounts
  • Use a process that monitors database activities and
    sends SMS or email alerts
  • Consider row level auditing
  • Write procedures for protecting the generated
    audit information
  • Review the generated audit logs regularly
  • Logs to check for suspicious activities:
  • - on OS level: Event Viewer / Syslog
  • - listener.log, sqlnet.log
  • - access_log, error_log, Apache.log
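Added example, not from the deck: the AUDIT statements for the items on slide 42 and one review query for slide 43 that lists accounts and hosts with repeated failed logons in the DB audit trail. It assumes audit_trail = DB and a hypothetical application account appuser.

```sql
-- Added example (not from the deck): statement auditing for the items on
-- slide 42 and a review query for slide 43. Assumes audit_trail=DB and a
-- hypothetical application account APPUSER. Auditing of SYS activity is
-- switched on with the audit_sys_operations parameter and is not shown here.
AUDIT CREATE SESSION;                      -- every logon, successful or not

-- DML failures issued by the application account
AUDIT INSERT TABLE, UPDATE TABLE, DELETE TABLE
   BY appuser BY ACCESS WHENEVER NOT SUCCESSFUL;

-- GRANT / REVOKE, CREATE / DROP and ALTER issued by the application account
-- (TABLE covers CREATE/DROP/TRUNCATE TABLE, PROCEDURE covers CREATE/DROP of
-- procedures, functions and packages, TRIGGER covers CREATE/ALTER/DROP TRIGGER)
AUDIT GRANT TABLE, GRANT PROCEDURE, GRANT SEQUENCE,
      TABLE, PROCEDURE, TRIGGER, ALTER TABLE
   BY appuser BY ACCESS;

-- CREATE/ALTER/DROP USER, CREATE/ALTER/DROP/SET ROLE and system privilege
-- grants by anyone
AUDIT USER, ROLE, SYSTEM GRANT BY ACCESS;

-- Review (slide 43): accounts and hosts with repeated failed logons
-- (ORA-01017) in the last 24 hours, the trace a password guessing run leaves
SELECT username, os_username, userhost, COUNT(*) AS failures,
       MIN(timestamp) AS first_seen, MAX(timestamp) AS last_seen
  FROM dba_audit_session
 WHERE returncode = 1017
   AND timestamp > SYSDATE - 1
 GROUP BY username, os_username, userhost
HAVING COUNT(*) >= 3
 ORDER BY failures DESC;
```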

44
Agenda
  • The need of Security
  • Information Security
  • Securing Databases
  • Securing Oracle
  • Recommended Readings
  • Conclusion
  • OS Security
  • Oracle Authentication
  • Access to the Database
  • Securing PUBLIC Role
  • Initialization Parameters
  • Application Security
  • Auditing
  • Securing the Network
  • Availability
  • Regular Checks

45
Securing the Network 1/2
  • Secure the listener
  • Create separate listeners for clients and for
    administration
  • Configure Oracle to use your firewall (Windows)
  • Use a personal firewall on all database
    administration computers
  • Accept connections from a short list of IP
    addresses
  • Search for sqlnet.log files on the server and
    client machines
  • Set log_directory_client in sqlnet.ora

46
Securing the Network 2/2
  • Secure the database links in use. There are
    passwords in clear text in the sys.link$ table
  • Write a policy for managing database links
  • Check with a port scanner for open default ports
  • Secure the Intelligent Agent
  • Encrypt communication between all Oracle clients
    and the database. Use IPSec or SSL

47
Agenda
  • The need of Security
  • Information Security
  • Securing Databases
  • Securing Oracle
  • Recommended Readings
  • Conclusion
  • OS Security
  • Oracle Authentication
  • Access to the Database
  • Securing PUBLIC Role
  • Initialization Parameters
  • Application Security
  • Auditing
  • Securing the Network
  • Availability
  • Regular Checks

48
Availability
  • Review backup and restore procedures
  • Check periodically the backup media integrity
  • Backups should be available only off-site
  • Write procedures for backup tape retrieval to
    prevent social engineering
  • Format all old and no longer used disks (the data
    on them can be read with the DUL and BBED tools)
  • Secure the fallback databases as if they were
    production ones
  • Write and test disaster recovery procedures

49
Agenda
  • The need of Security
  • Information Security
  • Securing Databases
  • Securing Oracle
  • Recommended Readings
  • Conclusion
  • OS Security
  • Oracle Authentication
  • Access to the Database
  • Securing PUBLIC Role
  • Initialization Parameters
  • Application Security
  • Auditing
  • Securing the Network
  • Availability
  • Regular Checks

50
Regular Checks
  • Check for unauthorized changes
  • Monitor the audited information
  • Review members of the ORA_DBA/OSDBA groups
  • Review the recorded database configuration
  • Monitor listener.log for brute force attacks
  • Test the disaster recovery procedures
  • Test the recovery procedures
  • Install the latest Oracle security patches
  • Stay up-to-date with latest known Oracle
    vulnerabilities (mailing lists and sites)

51
Agenda
  • The need of Security
  • Information Security
  • Securing Databases
  • Securing Oracle
  • Recommended Readings
  • Conclusion

52
Recommended Readings - Papers
  • Oracle Database Security Benchmark -
    http://www.cisecurity.org/bench_oracle.html
  • SANS Oracle Database Checklist -
    http://www.sans.org/score/checklists/Oracle_Database_Checklist.pdf
  • Oracle Security Papers -
    http://www.petefinnigan.com/orasec.htm
  • Oracle 10g Security Guide
  • Protecting Oracle Databases white paper

53
Recommended Readings - Sites
  • http://www.petefinnigan.com/
  • http://www.cisecurity.org/
  • http://www.protegrity.com/
  • http://www.nextgenss.com/
  • http://www.appsecinc.com/
  • http://www.sans.org/
  • http://www.iss.net/
  • http://www.securityfocus.com/
  • http://otn.oracle.com/deploy/security
  • http://www.computerworld.com/securitytopics/security

54
Recommended Readings - Books
  • http://www.amazon.com/exec/obidos/tg/detail/-/0974372749/qid=1111427975

55
Recommended Readings - Books
  • http://www.amazon.com/exec/obidos/tg/detail/-/0072231300/qid=1091002374

56
Recommended Readings - Books
  • Oracle Database Security, Audit and Control
    Features (PricewaterhouseCoopers 2004)
  • Security, Audit and Control Features Oracle
    Applications: A Technical and Risk Management
    Reference Guide (Deloitte Touche Tohmatsu
    Research Team - 2003)
  • Oracle Security Handbook: Implement a Sound
    Security Plan in Your Oracle Environment (Oracle
    Press 2001)
  • Oracle Security (O'Reilly 1998)

57
Conclusion
  • Do not wait to be hacked
  • Implement some security policy
  • Stay up-to-date
  • Improve the policy repeatedly
  • The mentioned steps are not rules; they are
    information
  • Do not implement everything; balance between
    security, performance and usability

58
Questions or Comments
  • Radoslav Rusinov
  • Radoslav.Rusinov_at_dir.bg
  • Radoslav.Rusinov_at_gmail.com