1 / 58

Oracle Security

Oracle Security. Radoslav Rusinov ING Wholesale Banking. Agenda. The need of Security Information Security Securing Databases Securing Oracle Recommended Readings Conclusion. Why is security necessary?. Security threats have grown monthly

artemas
Download Presentation

Oracle Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Oracle Security Radoslav Rusinov ING Wholesale Banking

  2. Agenda • The need of Security • Information Security • Securing Databases • Securing Oracle • Recommended Readings • Conclusion

  3. Why is security necessary? • Security threats have grown monthly • Unauthorized access to servers, databases and applications • Worms / Viruses • Software vulnerabilities • Theft / Hacker intrusions • Operator or user errors • 70% of intrusions are internal

  4. Security Breaches – Last Cases • 25.02.2005 – Bank of America Corp. loses credit card info of 1.2M federal workers • 08.04.2005 – Stolen computers from San Jose Medical Group contain data on 185,000 patients • 12.04.2005 – Data broker LexisNexis Group said that hackers have stolen data of 310,000 people • 14.04.2005 – British HSBC Bank PLC warns for stolen data of 180,000 credit card customers • 15.04.2005 – Bulgarian National Cardiologic Hospital informs of an intrusion attack

  5. Intrusions – Business Impact • Damage to image and reputation • Loss of Customer confidence • Loss of Partner confidence • Loss of Business • Impact in the revenue • Benefits competition

  6. Agenda • The need of Security • Information Security • Securing Databases • Securing Oracle • Recommended Readings • Conclusion

  7. Information Security • Every organization should secure its information • They should use security management strategy

  8. Information Security - Regulatory • Health Insurance Portability and Accountability Act (HIPAA) • Sarbanes-Oxley Act • California SB 1386 • GLB – Gramm-Leach-Biley Act • MasterCard Site Data Protection (SDP) • Payment Card Industry (PCI) Data Security Standard • Visa USA Cardholder Information Security Program (CISP) • ISO IEC 17799/BS7799 Standard

  9. Information Security - Certifying • Certification Organizations - BSI, DNV, KPMG, Certification Europe, KEMA, JACO IS • Vulnerability Assessment/Penetration Testing by Information Security Audit Companies – KPMG, PricewaterhouseCoopers • SANS Best practices in Information Security URL: http://www.sans.org/rr/whitepapers/bestprac • Information Security News – URL: www.computerworld.com/securitytopics/security

  10. Information Security - Own Procedures • Organizations can follow their own Information Security Standards • The Database Security is important part of these standards

  11. Agenda • The need of Security • Information Security • Securing Databases • Securing Oracle • Recommended Readings • Conclusion

  12. Securing Databases - Layers

  13. Securing Databases - Common Steps • Write a database security procedure • Record the current configuration • Test and implement the procedure • Record the OS configuration • Record the database configuration • Record the security configuration • Monitor the environment • Regular checks • Update your security plan

  14. The need of Security Information Security Securing Databases Securing Oracle Recommended Readings Conclusion OS Security Oracle Authentication Access to the Database Securing PUBLIC Role Initialization Parameters Application Security Auditing Securing the Network Availability Regular Checks Agenda

  15. OS Security – Owner of Oracle software - 1/2 • Do not name the owner of Oracle software “oracle” • This is considered as “security through obscurity” • Limit access to the account that owns Oracle software using mechanisms like “sudo” • Create different users for every part of Oracle software. Examples: • Oralsnr – for the listener • Oradb – for the database

  16. OS Security – Owner of Oracle software - 2/2 • The user used to install Oracle should be a local one • Prohibit sys administrators to access files owned by “oracle” • “oracle” account should not be a member of the admin group • Check members of the ORA_DBA / OSDBA group • Only database administrators should be assigned to the ORA_DBA / OSDBA group

  17. OS Security – File Permissions - 1/2 • Verify permissions for files under the ORACLE_BASE and ORACLE_HOME directories • Disable the otrace utility – Metalink note: 192541.995 • Oracle processes should be run through the Oracle software account (or ORA_DBA group) • On Windows, Oracle services are using “Local System Account” – it should be changed • On Windows, restrict access to directory C:\Program Files\Oracle

  18. OS Security – File Permissions - 2/2 • Remove or restrict permissions on all saved script files after creating the database • On Windows - Restrict access to Windows Registry - Give Full Control over registry key HKEY_LOCAL_MACHINE\Software\Oracle to the account that will run Oracle Services - Use regedt32.exe for changing Registry Security Policy • If database backups are written to the system disks, verify the permissions for this directory

  19. OS Security – Usernames and Passwords • On Unix - restrict the “ps” command at the OS level - check the cron jobs • Check the server for scripts that contains usernames and passwords • Check all environment variables • Check client machines for application configuration files • Use secure IP communications

  20. OS Security – Auditing • Start OS level auditing for unauthorized use of Oracle. For particular directories – tripwire • For monitoring and analyzing of log files – swatch, logcheck • For checking of integrity of Oracle binary and configuration files – tripwire, samhain, AIDE • Oracle provides a tool for monitoring OracleAS – iHAT • Save audit log files on secured remote servers • Check processes regularly

  21. The need of Security Information Security Securing Databases Securing Oracle Recommended Readings Conclusion OS Security Oracle Authentication Access to the Database Securing PUBLIC Role Initialization Parameters Application Security Auditing Securing the Network Availability Regular Checks Agenda

  22. Oracle Authentication – Password Policy • All employees that are using the database must have own accounts • Use Oracle password management features: alter profile default limit failed_login_attempts 3 password_life_time 60 password_reuse_max 20 password_lock_time 1; • User passwords should be changed on a regular basis • Create different profiles for different types of users

  23. Oracle Authentication – Weak Passwords • Enable password verification function • Check for default accounts that are installed as part of Oracle installation • Check application accounts for username/password matching • Check for weak passwords • Check for roles with default passwords

  24. The need of Security Information Security Securing Databases Securing Oracle Recommended Readings Conclusion OS Security Oracle Authentication Access to the Database Securing PUBLIC Role Initialization Parameters Application Security Auditing Securing the Network Availability Regular Checks Agenda

  25. Access to the Database - 1/3 • Limit access to roles that consists of _CATALOG_ • Use manually created roles • Roles that are powerful should be password protected • Use password protected role when DML is used • Check for users or roles with granted privileges consists of “all privileges”, “any”, “with admin”, “with grant” • Review the system privileges granted to users

  26. Access to the Database - 2/3 • Check for granted direct privileges on objects, use roles • Check for granted “CREATE LIBRARY”, “ALTER SYSTEM” or “CREATE PROCEDURE” • Check for users that have “CREATE ANY DIRECTORY” privilege • Check for users that have “CREATE JOB” or “CREATE ANY JOB” privilege (10G) • Check user objects in SYSTEM tablespace

  27. Access to the Database - 3/3 • Check for “external” users • Revoke RESOURCE role from user accounts • Revoke CONNECT role from user accounts • Check for users with “CREATE ANY TRIGGER” privilege • Check for users that have access to data dictionary views and tables • Check for users that have “SELECT ANY TABLE” privilege

  28. The need of Security Information Security Securing Databases Securing Oracle Recommended Readings Conclusion OS Security Oracle Authentication Access to the Database Securing PUBLIC Role Initialization Parameters Application Security Auditing Securing the Network Availability Regular Checks Agenda

  29. Securing PUBLIC Role - 1/3 • Grant privileges to appropriate users before revoking • revoke all on utl_tcp from public; • revoke all on utl_http from public; • revoke all on utl_smtp from public; • revoke all on utl_file from public; • revoke all on dbms_random from public; • revoke all on dbms_lob from public; • revoke all on dbms_sql from public;

  30. Securing PUBLIC Role - 2/3 • revoke all on dbms_sys_sql from public; • revoke all on dbms_job on public; • revoke all on dbms_scheduler from public; • revoke all on owa_util from public; • revoke all on utl_xml from public; • revoke all on dbms_java_test from public; • revoke all on dbms_lock from public; • revoke all on dbms_pipe from public;

  31. Securing PUBLIC Role - 3/3 • revoke select on all_db_links from public; • revoke select on all_users from public; • revoke select on all_catalog from public; • revoke select on all_java_classes from public; • revoke select on all_source from public; • revoke select on all_tab_privs from public; • Check all PUBLIC execute privileges on packages owned by SYS (XMLDB problem)

  32. The need of Security Information Security Securing Databases Securing Oracle Recommended Readings Conclusion OS Security Oracle Authentication Access to the Database Securing PUBLIC Role Initialization Parameters Application Security Auditing Securing the Network Availability Regular Checks Agenda

  33. Initialization Parameters - 1/2 • Check user_dump_dest, background_dump_dest and core_dump_dest • Set global_names=TRUE • Set max_enabled_roles=30 • Set os_authent_prefix=“” (a null string) • Set os_roles=FALSE • Set o7_dictionary_accessibility=FALSE • Set remote_os_authent=FALSE • Set remote_os_roles=FALSE • Set remote_listener=“” (a null string) • Set sql92_security=TRUE

  34. Initialization Parameters - 2/2 • Set row_locking=ALWAYS • Set remote_login_passwordfile=NONE • Avoid using the utl_file_dir parameter • Set dblink_encrypt_login=TRUE. For “client to server” connections set ORA_ENCRYPT_LOGIN=TRUE environment variable • Set transaction_auditing=TRUE • Check if that IFILE is used • Periodically check the instance

  35. Initialization Parameters - Hidden • Set _trace_file_public=FALSE • Set _system_trig_enabled=TRUE • Review on regular basis all hidden parameters

  36. The need of Security Information Security Securing Databases Securing Oracle Recommended Readings Conclusion OS Security Oracle Authentication Access to the Database Securing PUBLIC Role Initialization Parameters Application Security Auditing Securing the Network Availability Regular Checks Agenda

  37. Application Security – 1/4 • Wrap the PL/SQL application code • Checksum the PL/SQL source code and Java classes DECLARE v_counter NUMBER; BEGIN v_counter := 0; FOR c IN (SELECT text FROM user_source WHERE NAME='TEST_PKG' ORDER BY line) LOOP v_counter := v_counter + owa_opt_lock.checksum(c.text); END LOOP; dbms_output.put_line('checksum: '||v_counter); END; • Check the code for hard coded passwords

  38. Application Security – 2/4 • Check the PL/SQL code for SQL injection and PL/SQL injection possibilities. Some guidelines: - use bind variables - review the new code for security compliance - secure PUBLIC role - do not use dynamic SQL and PL/SQL - use input filtering for web-based PL/SQL • Prevent your web-based applications from Cross Site Scripting. Use output filtering

  39. Application Security – 3/4 • Check which applications access the database • Control which applications access your database • Review grants of the application account • Batch processes should use own account • Encrypt critical application data • Write procedures for adding new applications • Write procedures for employee movers, leavers and joiners • Secure Test and Development databases

  40. Application Security – 4/4 • Restrict access to SQL*Plus • Disable iSQL*Plus or limit access to it. • Restrict access to debugging interfaces • Oradebug • DBMS_DEBUG • JDeveloper • Oracle tracing • Do not publish information about your production environments. Try Google.com

  41. The need of Security Information Security Securing Databases Securing Oracle Recommended Readings Conclusion OS Security Oracle Authentication Access to the Database Securing PUBLIC Role Initialization Parameters Application Security Auditing Securing the Network Availability Regular Checks Agenda

  42. Auditing – 1/2 • Set audit_trail=DB, or OS • Use OS audit instead DB audit • Audit SYS activities • Audit DML failures • Audit CREATE SESSION • Audit using of GRANT, DROP, ALTER statements on application accounts • Audit CREATE USER, CREATE ROLE on on application accounts • Audit CREATE statements on application accounts

  43. Auditing – 2/2 • Audit employee's database accounts • Use process to monitor database activities and sends SMS or email • Consider row level auditing • Write procedures for protection of generated audit info • Review regularly generated audit logs • Logs for checking for suspicious activities - on OS level – Eventviewer / Syslog - listener.log, sqlnet.log - access_log, error_log, Apache.log

  44. The need of Security Information Security Securing Databases Securing Oracle Recommended Readings Conclusion OS Security Oracle Authentication Access to the Database Securing PUBLIC Role Initialization Parameters Application Security Auditing Securing the Network Availability Regular Checks Agenda

  45. Securing the Network – 1/2 • Secure the listener • Create separate listeners for clients and for administration • Configure Oracle to use your firewall (Windows) • Use a personal firewall on all database administration computers • Accept connections from short list of IP addresses • Search for sqlnet.log files on the server and client machines • Set log_directory_client in sqlnet.ora

  46. Securing the Network – 2/2 • Secure used database links. There are passwords in clear text in sys.link$ table • Write a policy for managing database links • Check with port scanner for open default ports • Secure the Intelligent agent • Encrypt communication between all Oracle clients and the database. Use IPSec or SSL

  47. The need of Security Information Security Securing Databases Securing Oracle Recommended Readings Conclusion OS Security Oracle Authentication Access to the Database Securing PUBLIC Role Initialization Parameters Application Security Auditing Securing the Network Availability Regular Checks Agenda

  48. Availability • Review backup and restore procedures • Check periodically the backup media integrity • Backups should be available only off-site • Write procedures for backup tape retrieval to prevent social engineering • Format all old and not already used disks (DUL and BBED tools) • Secure the fallback databases as they are production one • Write and test disaster recovery procedures

  49. The need of Security Information Security Securing Databases Securing Oracle Recommended Readings Conclusion OS Security Oracle Authentication Access to the Database Securing PUBLIC Role Initialization Parameters Application Security Auditing Securing the Network Availability Regular Checks Agenda

  50. Regular Checks • Check for unauthorized changes • Monitor the audited information • Review members of the ORA_DBA/OSDBA groups • Review the recorded database configuration • Monitor listener.log for brute force attacks • Test the disaster recovery procedures • Test the recovery procedures • Install the latest Oracle security patches • Stay up-to-date with latest known Oracle vulnerabilities (mailing lists and sites)

More Related