Slide 1: Practical Database Security - Fundamentals Every DBA Should Know
Georgia Oracle Users Conference, April 4 - 5, 2005, Kennesaw, GA
Kristopher Cook, Lead DBA, Mirant Corporation, [email_address]
VP Communications, Georgia Oracle User Group, [email_address]

Slide 2: Intended Audience
- DBAs with less than 2 years of experience
- DBAs with more than 2 years of experience who won't get bored reviewing the basics

Slide 3: Ground Rules
- Please hold questions until the end
- Cell phones & pagers: quiet mode

Slide 4: Speaker's Background
- 19 years IT experience, primarily in Unix environments
- Current position
  - Lead DBA
- Previous positions (last 8-9 years)
  - Principal DBA
  - Database Administration Manager
  - Senior DBA
  - Advanced Systems Engineer

Slide 5: Speaker's Environment
- Business
  - Competitive energy company that produces and sells electricity in the U.S., the Caribbean, and the Philippines.
  - Owns or leases more than 17,000 megawatts of electric generating capacity globally.
  - Operates an integrated asset management and energy marketing organization from our headquarters in Atlanta.
  - www.mirant.com

Slide 6: Speaker's Environment (continued)
- Technical
  - Primarily Solaris shop, ~21 DB servers
  - 200+ Oracle instances total; 50 in production
  - Sizes range from 1 to 150+ GB
  - 24x7 operations
  - Databases are local, remote, and at the hot site
  - Current standard is 9.2.0.4+
  - Trading Systems, Power Scheduling, Plant Operations, Financials, HR, Intranet/Internet
  - 5 full-time DBAs

Slide 7: Topics of Discussion
- Fundamental Threats to the Database
- Fundamental Threats to the Database Server
- Establishing a Security Mindset

Slide 8: Fundamental Threats to the Database
- Ignorance of Privileges
- Ignorance of Roles
- Unintentional Access to Data
- Denial of Service
Slide 9: Ignorance of Privileges (Fundamental Threats to the Database)
- Unlimited Tablespace
- Quota Unlimited
- Create
- Drop/Alter
- Knowing Where to Look

Slide 10: Ignorance of Privileges - Unlimited Tablespace
- Users with UNLIMITED TABLESPACE can create tables in any tablespace and can potentially insert unlimited rows
- Determine who has unlimited tablespace:

    select grantee
    from dba_sys_privs
    where privilege = 'UNLIMITED TABLESPACE';

- Determine which tablespaces have datafiles that autoextend (unlimited growth):

    select tablespace_name, file_name, maxbytes
    from dba_data_files
    where autoextensible = 'YES';

Slide 11: Ignorance of Privileges - Quota Unlimited
- Similar to UNLIMITED TABLESPACE, but applies only to the tablespace on which the quota has been granted
- Determine who has an unlimited quota, and on which tablespace:

    select username,
           tablespace_name,
           max_bytes
    from dba_ts_quotas;

- A value of -1 for max_bytes indicates unlimited

Slide 12: Ignorance of Privileges - Create
- Solid DBAs will understand the many different CREATE privileges and the implications of granting each
- Discover the create privileges available and consult the Oracle documentation on each (48 in 10.1):

    select distinct privilege
    from dba_sys_privs
    where privilege like 'CREATE%';

- Examples:
  - create public synonym, create database link
  - create any *

Slide 13: Ignorance of Privileges - Create
- Determine who has create privileges:

    select *
    from dba_sys_privs
    where privilege like 'CREATE%';

- For each user returned by the query above, ask whether they really need the privilege; grant the minimum required
  (i.e. the principle of least privilege)

Slide 14: Ignorance of Privileges - Drop / Alter
- Users with DROP or ALTER privileges can delete or modify objects; use care when granting
- Determine who has these privileges:

    select *
    from dba_sys_privs
    where privilege like 'DROP%'
       or privilege like 'ALTER%';

- For each user returned by the query above, ask whether they really need the privilege; grant the minimum required

Slide 15: Ignorance of Privileges - Overly Permissive Grants
- Consider this example; it speaks for itself

    SQL> show user
    USER is "COOK"
    SQL> select * from session_privs;
    ...
    EXECUTE ANY PROCEDURE
    ...
    15 rows selected.
    SQL> exec dbms_repcat_admin.grant_admin_any_schema('COOK');

Slide 16: Ignorance of Privileges - Overly Permissive Grants
- Example (continued)

    SQL> select * from session_privs;

    PRIVILEGE
    ----------------------------------------
    ...
    DROP ANY TABLE
    UPDATE ANY TABLE
    DROP ANY CLUSTER
    DROP ANY INDEX
    CREATE ANY SYNONYM
    DROP ANY SYNONYM
    DROP PUBLIC SYNONYM
    CREATE ANY VIEW
    DROP ANY VIEW
    ALTER ANY PROCEDURE
    CREATE ANY TRIGGER
    ...

    54 rows selected.

- With nothing more than EXECUTE ANY PROCEDURE, the user could call a SYS-owned package that granted himself the rest: 15 privileges before, 54 after

Slide 17: Ignorance of Privileges - Knowing Where to Look
- The data dictionary has many tables related to privileges:

    select * from dictionary
    where table_name like '%PRIV%';

- Examples

    Table_Name           Comments
    ALL_COL_PRIVS_MADE   Grants on columns for which the user is owner or grantor
    ALL_TAB_PRIVS_MADE   User's grants and grants on user's objects
    DBA_COL_PRIVS        All grants on columns in the database
    DBA_ROLE_PRIVS       Roles granted to users and roles
    DBA_SYS_PRIVS        System privileges granted to users and roles
    DBA_TAB_PRIVS        All grants on objects in the database
    ROLE_ROLE_PRIVS      Roles which are granted to roles
    ROLE_SYS_PRIVS       System privileges granted to roles
    ROLE_TAB_PRIVS       Table privileges granted to roles

Slide 18: Ignorance of Roles (Fundamental Threats to the Database)
- Default Roles
- Admin Option
- Password Protected Roles

Slide 19: Ignorance of Roles - Default Roles
- Understand the default roles created in a new database:

    select *
    from sys.dba_role_privs;

- Default roles differ by Oracle version
- Understand what privileges are granted to each role:

    select *
    from sys.dba_sys_privs
    where grantee in
          (select role from sys.dba_roles);
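Slides 17 to 19 point at the dictionary views that record grants, and ROLE_ROLE_PRIVS is the reason a single query is not enough: roles can be granted to roles, so a user's effective system privileges only appear after walking that graph. The Python below is an added example, not code from the presentation. Its rows are constructed stand-ins for DBA_SYS_PRIVS (grantee, privilege) and DBA_ROLE_PRIVS (grantee, granted_role); the grantee names, the role chain and the "risky privilege" heuristic are assumptions made for the demonstration.

```python
"""Effective system privileges per user, resolved through nested role grants.

Added example (not code from the presentation). The rows below are constructed stand-ins for
DBA_SYS_PRIVS (grantee, privilege) and DBA_ROLE_PRIVS (grantee, granted_role); in real use
they would be fetched with the queries on slides 17-19. The grantee names, the role chain
and the 'risky privilege' heuristic are assumptions for the demonstration.
"""
from collections import defaultdict

# Constructed sample of DBA_SYS_PRIVS: privileges granted directly to users or roles.
SAMPLE_SYS_PRIVS = [
    ("CONNECT", "CREATE SESSION"),
    ("RESOURCE", "CREATE TABLE"),
    ("RESOURCE", "CREATE PROCEDURE"),
    ("RESOURCE", "UNLIMITED TABLESPACE"),
    ("APP_ADMIN", "DROP ANY TABLE"),
    ("APP_ADMIN", "EXECUTE ANY PROCEDURE"),
    ("COOK", "SELECT ANY TABLE"),
    ("SCOTT", "CREATE SESSION"),
]

# Constructed sample of DBA_ROLE_PRIVS: roles granted to users and to other roles.
SAMPLE_ROLE_PRIVS = [
    ("APP_DEV", "RESOURCE"),
    ("APP_ADMIN", "APP_DEV"),
    ("COOK", "APP_ADMIN"),
    ("SCOTT", "CONNECT"),
]

SAMPLE_USERS = ["COOK", "SCOTT"]  # constructed stand-in for DBA_USERS.USERNAME


def _index(pairs):
    """Group (key, value) rows into {key: set(values)}."""
    idx = defaultdict(set)
    for key, value in pairs:
        idx[key].add(value)
    return idx


def effective_privileges(grantee, sys_privs, role_privs):
    """All system privileges `grantee` holds directly or through any chain of roles.

    Depth-first walk over the role graph; `seen` guards against cyclic or repeated grants.
    """
    privs_of, roles_of = _index(sys_privs), _index(role_privs)
    seen, stack, result = set(), [grantee], set()
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        result |= privs_of.get(node, set())
        stack.extend(roles_of.get(node, set()))
    return result


def grant_paths(grantee, privilege, sys_privs, role_privs):
    """Every chain grantee -> role -> ... -> role that carries `privilege`.

    Revoking the privilege means acting on the last element of each chain, which is
    why the slides stress knowing where a grant actually lives.
    """
    holders = {g for g, p in sys_privs if p == privilege}
    roles_of = _index(role_privs)
    paths = []

    def walk(node, chain):
        if node in holders:
            paths.append(chain)
        for role in sorted(roles_of.get(node, set())):
            if role not in chain:          # cycle guard
                walk(role, chain + [role])

    walk(grantee, [grantee])
    return paths


def risky_privileges(privs):
    """Heuristic (an assumption, not Oracle's classification): any '... ANY ...'
    privilege and UNLIMITED TABLESPACE deserve a second look."""
    return sorted(p for p in privs if " ANY " in f" {p} " or p == "UNLIMITED TABLESPACE")


def audit(users, sys_privs, role_privs):
    """{user: [risky effective privileges]} for every user."""
    return {u: risky_privileges(effective_privileges(u, sys_privs, role_privs)) for u in users}


if __name__ == "__main__":
    for user, risky in audit(SAMPLE_USERS, SAMPLE_SYS_PRIVS, SAMPLE_ROLE_PRIVS).items():
        print(user, risky)
        for priv in risky:
            for path in grant_paths(user, priv, SAMPLE_SYS_PRIVS, SAMPLE_ROLE_PRIVS):
                print("   ", priv, "via", " -> ".join(path))
```

In the sample, COOK never received UNLIMITED TABLESPACE directly; it arrives via APP_ADMIN, APP_DEV and RESOURCE, and only revoking RESOURCE from APP_DEV (or breaking the chain above it) removes it.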
Slide 20: Ignorance of Roles - Default Roles
- For example, creating a new user? You can either:
  - grant CREATE SESSION (a system privilege), or
  - grant CONNECT (a default role)
- CREATE SESSION: the user can log on
- CONNECT: the privileges it carries, as returned by

    select privilege from sys.dba_sys_privs
    where grantee = 'CONNECT';

    ALTER SESSION
    CREATE CLUSTER
    CREATE DATABASE LINK
    CREATE SEQUENCE
    CREATE SESSION
    CREATE SYNONYM
    CREATE TABLE
    CREATE VIEW

Slide 21: Ignorance of Roles - Admin Option
- Users granted a role WITH ADMIN OPTION can grant the role to other users at will
- If the role is later revoked from the original grantee, the users they granted it to still have the role; it must be revoked from each of them explicitly
- Some DBA tools' wizards default the admin option to yes
- Use care when granting the admin option

Slide 22: Ignorance of Roles - Password Protected Roles
- A role that requires a password to be enabled
- Frequently used in application development for logon security
- Prevents users from gaining access to application tables with SQL*Plus or other tools
- See Oracle Security by Marlene Theriault and W. Heney for a good discussion of implementation

Slide 23: Unintentional Access to Data (Fundamental Threats to the Database)
- Default Passwords
- User's Passwords
- Protecting Backups
- Protecting Stored Procedures
- Protecting Development/Test Environments
- Making Passwords Visible

Slide 24: Unintentional Access to Data - Default Passwords
- Default passwords are widely known and publicized
- Automate the password change as part of database creation
- Don't run utlsampl in production
- Understand which ids get created when installing additional Oracle products
- Users with shell access to the DB server can find ids:

    grep -i "identified by" $ORACLE_HOME/admin/*

Slide 25: Unintentional Access to Data - Default Passwords
- A few classics:

    Id / password           What                      Default Privileges
    system/manager          DBA                       DBA
    sys/change_on_install   Data Dictionary           Pretty much everything
    dbsnmp/dbsnmp           Intelligent Agent (OEM)   Connect, resource, unlimited tablespace, ...
    mdsys/mdsys             Oracle Spatial            Pretty much everything
    outln/outln             Supports Plan Stability   Unlimited tablespace, resource, execute any procedure
    tracesvr/trace          Trace Server (OEM)        Create session, select any table

Slide 26: Unintentional Access to Data - Default Passwords
- 10g has made improvements
- For the most part, default accounts are set up as locked and expired
- However, sys/system are not
- dbca prompts for passwords
- If using home-grown scripts, your mileage may vary
Slide 27: Unintentional Access to Data - Default Passwords
- Perl script to discover default passwords

    #!/usr/local/bin/perl
    use strict;
    use warnings;

    my @ids = <DATA>;   # list of default id/passwords from the data at the end of this file
    open(my $oratab, '<', '/var/opt/oracle/oratab')   # list of SIDs on this system
        or die "cannot open oratab: $!";
    while (<$oratab>) {
        chomp;                  # remove newline
        s/#.*//;                # remove comments
        s/^\s+//;               # remove leading white space
        s/\s+$//;               # remove trailing white space
        s/^\*.*//;              # remove the '*' default entry
        next unless length;     # anything left?
        my ($sid, $home, $yn) = split /:/;   # parse out the fields
        $ENV{ORACLE_SID}      = $sid;
        $ENV{ORACLE_HOME}     = $home;
        $ENV{PATH}            = "$home/bin:/bin:/usr/bin";
        $ENV{LD_LIBRARY_PATH} = "$home/lib:/usr/openwin/lib";

Slide 28: Unintentional Access to Data - Default Passwords
- Perl script to discover default passwords (continued)

        # loop through the list of ids, attempting to log in
        for my $id (@ids) {
            chomp $id;                                    # remove newline
            my @x = `echo exit | sqlplus $id`;            # note: $id is visible on the command line (see slide 35)
            my @connected = grep { /Connected to:/ } @x;  # the banner only appears after a successful logon
            print "$id\@$sid\n" if @connected;            # print the id we got in with
        }   # for id
    }       # while oratab
    close($oratab);
    __END__
    system/manager
    sys/change_on_install
    dbsnmp/dbsnmp
    tracesvr/trace
Slide 29: Unintentional Access to Data - User's Passwords
- Users take the path of least resistance
  - Password same as userid
  - Write the password on yellow sticky notes
- Beginning with Oracle 8 you can:
  - Limit the number of sessions per user
  - Limit the number of failed login attempts
  - Limit the number of times a password can be reused
  - Limit the lifetime of a password (password aging)
  - Develop custom verification functions
  - Expire passwords after a certain length of time
Slide 30: Unintentional Access to Data - User's Passwords
- Perl script to discover trivial passwords (password equal to the user name)

    #!/usr/local/bin/perl
    use strict;
    use warnings;

    open(my $oratab, '<', '/var/opt/oracle/oratab')   # list of SIDs on this system
        or die "cannot open oratab: $!";
    while (<$oratab>) {
        chomp;                  # remove newline
        s/#.*//;                # remove comments
        s/^\s+//;               # remove leading white space
        s/\s+$//;               # remove trailing white space
        s/^\*.*//;              # remove the '*' default entry
        next unless length;     # anything left?
        my ($sid, $home, $yn) = split /:/;   # parse out the fields
        $ENV{ORACLE_SID}      = $sid;
        $ENV{ORACLE_HOME}     = $home;
        $ENV{PATH}            = "$home/bin:/bin:/usr/bin";
        $ENV{LD_LIBRARY_PATH} = "$home/lib:/usr/openwin/lib";

Slide 31: Unintentional Access to Data - User's Passwords
- Perl script to discover trivial passwords (continued)

        # list every account in this instance, one user name per line, no headings or feedback
        my $sql = join "\n", 'set pagesize 0', 'set trimspool on', 'set feedback off',
                             'select username from dba_users order by username;', 'exit', '';
        my @userids = `echo "$sql" | sqlplus -silent "/ as sysdba"`;
        for my $user (@userids) {
            chomp $user;
            next unless length $user;
            my @x = `echo exit | sqlplus $user/$user`;       # try password == user name
            my @connected = grep { /Connected to:/ } @x;
            print "$user\@$sid\n" if @connected;             # print the id we got in with
        }   # for
    }       # while oratab
    close($oratab);
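The two Perl scripts above (slides 27-28 and 30-31) share the oratab handling, and both hand `user/password` to sqlplus as a command-line argument, which is exactly the exposure slide 35 warns about. The Python below is an added example, not the presentation's code: it keeps the same oratab semantics and default-account list, but performs the CONNECT inside the SQL*Plus session, fed on stdin, and takes the command runner as a parameter so the logic can be exercised offline. SAMPLE_ORATAB, fake_runner and its KNOWN_WEAK pairs are constructed fixtures.

```python
"""Probe every instance in oratab for default or trivial passwords without a password on any command line.

Added example, not the presentation's Perl. The oratab handling and the default-account list are
the slides'; the difference is that the CONNECT happens inside the SQL*Plus session, fed on stdin,
so `ps -ef` never shows a password. The runner is a parameter so the logic is testable offline:
SAMPLE_ORATAB, fake_runner and KNOWN_WEAK are constructed fixtures.
"""
import os
import subprocess

DEFAULT_IDS = ["system/manager", "sys/change_on_install", "dbsnmp/dbsnmp", "tracesvr/trace"]

SAMPLE_ORATAB = """\
# /var/opt/oracle/oratab (constructed sample)
*:/u01/app/oracle/product/9.2.0:N
   ORCL:/u01/app/oracle/product/9.2.0:Y   # production
TEST:/u01/app/oracle/product/10.1.0:N

"""


def parse_oratab(text):
    """(sid, oracle_home) for each real entry: drop comments, blank lines and the '*' default line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("*"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        entries.append((fields[0], fields[1]))
    return entries


def oracle_env(sid, home):
    """Environment for running $ORACLE_HOME/bin/sqlplus against one instance (same as the Perl)."""
    env = dict(os.environ)
    env.update(ORACLE_SID=sid, ORACLE_HOME=home,
               PATH=f"{home}/bin:/bin:/usr/bin",
               LD_LIBRARY_PATH=f"{home}/lib:/usr/openwin/lib")
    return env


def sqlplus_runner(script, env):
    """Live runner: sqlplus starts with no credentials (/nolog) and reads the script on stdin."""
    proc = subprocess.run(["sqlplus", "-S", "/nolog"], input=script,
                          capture_output=True, text=True, env=env)
    return proc.stdout + proc.stderr


def can_connect(credential, sid, home, runner=sqlplus_runner):
    """True when `user/password` logs in; SQL*Plus answers a successful CONNECT with 'Connected.'."""
    script = f"connect {credential}\nexit\n"
    return "Connected." in runner(script, oracle_env(sid, home))


def find_weak_logins(oratab_text, candidates, runner=sqlplus_runner):
    """[(credential, sid)] for every candidate that logs in, across all instances in oratab."""
    return [(cred, sid)
            for sid, home in parse_oratab(oratab_text)
            for cred in candidates
            if can_connect(cred, sid, home, runner)]


def trivial_candidates(usernames):
    """Slide 31's check: password identical to the user name."""
    return [f"{u}/{u}" for u in usernames]


# Constructed fake runner standing in for sqlplus: only these (sid, credential) pairs "log in".
KNOWN_WEAK = {("ORCL", "system/manager"), ("TEST", "scott/scott")}


def fake_runner(script, env):
    credential = script.splitlines()[0].split(" ", 1)[1]
    if (env["ORACLE_SID"], credential) in KNOWN_WEAK:
        return "Connected.\n"
    return "ERROR:\nORA-01017: invalid username/password; logon denied\n"


if __name__ == "__main__":
    for cred, sid in find_weak_logins(SAMPLE_ORATAB, DEFAULT_IDS, runner=fake_runner):
        print(f"{cred.split('/')[0]}@{sid} still has its default password")
```

The report prints only the account and SID, never the password that worked; the script is for the DBA's own instances and is no more aggressive than the Perl it replaces.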
Slide 32: Unintentional Access to Data - Protecting Backups
- Deny users read access to disks that contain backup scripts, data, exports, etc.
- Use care when sharing out directories via NFS; limit to specific hosts
- Protect physical access to tape media
- Put in place process, procedure, and control
- When using off-site storage facilities, limit who can request tapes
- Common sense goes a long way

Slide 33: Unintentional Access to Data - Protecting Stored Procedures
- Stored procedures may contain sensitive business logic or other code that needs to be protected
- Use Oracle's PL/SQL wrap utility to prevent exposure of your algorithms
- Example:

    $ wrap iname=mycode.sql oname=mycode.wrapped
    $ sqlplus scott/tiger @mycode.wrapped

Slide 34: Unintentional Access to Data - Protecting Dev/QA Environments
- Production data is frequently used to populate development and QA environments
- Use care to ensure only authorized people are allowed to view this data

Slide 35: Unintentional Access to Data - Making Passwords Visible
- Interactive shell account users can view passwords entered on command lines by using the "ps -ef" command
  - sqlplus
  - exp/imp
  - sqlldr
- Example:

    sqlplus system/manager@orcl
    ps -ef | grep sqlplus
    oracle   633   103  0 20:38:50 pts/4    0:00 sqlplus system/manager
    oracle   656   642  0 20:39:11 pts/5    0:00 grep sqlplus

- Don't put passwords on command lines!

Slide 36: Unintentional Access to Data - Making Passwords Visible
- Alternative to putting passwords on the command line: redirect command input inside the shell script

    sqlplus <<EOF
    scott/tiger
    @mysql.sql
    exit
    EOF
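Slides 35 and 36 show the exposure with ps -ef and the heredoc fix. The Python below is the matching detection, added here and not part of the presentation: it parses ps -ef output, flags sqlplus, exp, imp and sqlldr invocations that carry user/password on the command line (bare or as userid=...), and reports them with the password redacted so the report does not repeat the leak. SAMPLE_PS is constructed from the format shown on slide 35; collect_ps_lines() is the only function that touches the live system.

```python
"""Detect database credentials exposed on process command lines.

Added example, not part of the presentation. `ps -ef` output is parsed and any sqlplus,
exp, imp or sqlldr process whose arguments carry user/password (bare or as userid=...)
is reported with the password redacted, so the report itself does not repeat the leak.
SAMPLE_PS is constructed from the format shown on slide 35; collect_ps_lines() is the
only function that touches the live system.
"""
import re
import subprocess

# ps -ef columns: UID PID PPID C STIME TTY TIME CMD. STIME is HH:MM:SS for today's
# processes but "Mon DD" (two tokens) for older ones, hence the alternation.
PS_LINE = re.compile(
    r"^\s*(?P<uid>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+\S+\s+"
    r"(?:[A-Za-z]{3}\s+\d{1,2}|\S+)\s+\S+\s+\S+\s+(?P<cmd>.*?)\s*$"
)
TOOLS = {"sqlplus", "exp", "imp", "sqlldr"}
# user/password followed by @tns, whitespace or end of line, preceded by start of string,
# whitespace or "userid=". "/ as sysdba" and "/nolog" have no user part and do not match;
# path components such as product/9.2.0 are not preceded by whitespace and do not match.
CRED = re.compile(r"(?:^|\s|userid=)(?P<user>[A-Za-z_][\w$#]*)/(?P<pw>\S+?)(?=@|\s|$)", re.I)

SAMPLE_PS = """\
     UID   PID  PPID   C    STIME TTY      TIME CMD
  oracle   633   103   0 20:38:50 pts/4    0:00 sqlplus system/manager@orcl
  oracle   656   642   0 20:39:11 pts/5    0:00 grep sqlplus
  oracle   701   103   0 20:40:02 pts/4    0:00 exp userid=scott/tiger file=emp.dmp
  oracle   722   103   0 20:41:10 pts/4    0:00 sqlplus -S /nolog @/u01/app/oracle/admin/nightly.sql
  oracle   740   103   0   Apr 04 ?        0:03 /u01/app/oracle/product/9.2.0/bin/sqlplus / as sysdba
"""


def parse_ps_line(line):
    """Split one ps -ef line into its fields; None for the header or anything unparseable."""
    m = PS_LINE.match(line)
    if not m:
        return None
    return {"uid": m["uid"], "pid": int(m["pid"]), "ppid": int(m["ppid"]), "cmd": m["cmd"]}


def redact(cmd):
    """Replace every password in a command string with ****, keeping the user name."""
    return CRED.sub(lambda m: m.group(0)[: m.start("pw") - m.start(0)] + "****", cmd)


def find_exposed_credentials(ps_lines):
    """One finding per Oracle client tool run with a password on its command line."""
    findings = []
    for line in ps_lines:
        rec = parse_ps_line(line)
        if rec is None:
            continue
        argv = rec["cmd"].split()
        tool = argv[0].rsplit("/", 1)[-1] if argv else ""   # basename, so full paths count too
        if tool not in TOOLS:
            continue
        for m in CRED.finditer(rec["cmd"]):
            findings.append({
                "uid": rec["uid"], "pid": rec["pid"], "tool": tool,
                "user": m["user"], "redacted_cmd": redact(rec["cmd"]),
            })
    return findings


def collect_ps_lines():
    """Live input: the output of ps -ef on this host (not used by the offline sample)."""
    return subprocess.run(["ps", "-ef"], capture_output=True, text=True, check=True).stdout.splitlines()


if __name__ == "__main__":
    for f in find_exposed_credentials(SAMPLE_PS.splitlines()):
        print(f"pid {f['pid']} ({f['uid']}): {f['tool']} run as {f['user']} -> {f['redacted_cmd']}")
```

Run periodically from cron on a production host (replacing the sample with collect_ps_lines()), this catches exactly the habit slide 36's heredoc is meant to replace; the two lines that use /nolog and "/ as sysdba" produce no finding, as they should.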
Slide 37: Unintentional Access to Data - Making Passwords Visible
- Use care with database links too
- Users with SELECT ANY TABLE can see the passwords of links:

    select userid, password, host
    from sys.link$;

Slide 38: Denial of Service (Fundamental Threats to the Database)
- Limiting DB Resources via Profiles
- UTL_FILE_DIR Parameter
- Production Should Stand Alone
- Listeners & Names Servers

Slide 39: Denial of Service - Limiting DB Resources via Profiles
- Oracle's default profile is wide open:

    select resource_name, limit
    from sys.dba_profiles
    where profile = 'DEFAULT';

    RESOURCE_NAME                    LIMIT
    -------------------------------- ---------
    COMPOSITE_LIMIT                  UNLIMITED
    SESSIONS_PER_USER                UNLIMITED
    CPU_PER_SESSION                  UNLIMITED
    CPU_PER_CALL                     UNLIMITED
    LOGICAL_READS_PER_SESSION        UNLIMITED
    LOGICAL_READS_PER_CALL           UNLIMITED
    IDLE_TIME                        UNLIMITED
    CONNECT_TIME                     UNLIMITED
    PRIVATE_SGA                      UNLIMITED
    FAILED_LOGIN_ATTEMPTS            UNLIMITED
    PASSWORD_LIFE_TIME               UNLIMITED
    PASSWORD_REUSE_TIME              UNLIMITED
    PASSWORD_REUSE_MAX               UNLIMITED
    PASSWORD_VERIFY_FUNCTION         UNLIMITED
    PASSWORD_LOCK_TIME               UNLIMITED
    PASSWORD_GRACE_TIME              UNLIMITED

Slide 40: Denial of Service - Limiting DB Resources via Profiles
- Create specific profiles for each user class
- Use reasonable limits rather than UNLIMITED
- The init parameter RESOURCE_LIMIT must be set to TRUE for the resource limits in a profile to be enforced, either in the init file or with:

    alter system set resource_limit = true;

Slide 41: Denial of Service - UTL_FILE_DIR Parameter
- Used for PL/SQL file I/O
- Limit it to only the directories necessary
- Avoid setting it to *
- Review code that writes to UTL_FILE_DIR paths to ensure efficiency and correctness (i.e. that it doesn't fill up the disk)
- Ensure the directories have appropriate permissions

Slide 42: Denial of Service - Production Should Stand Alone
- Shell accounts on production systems can:
  - search the filesystem for scripts with passwords
  - fill up disk drives
  - execute programs, hogging memory and/or CPU
  - locate and read export and/or sqlldr files
- Refuse, or limit and control, shell accounts on production systems

Slide 43: Denial of Service - Listeners & Names Servers
- Password protect Listeners and Names Servers *
- Before 10g, client machines with the listener control or names control utility can shut down these services
- Set PASSWORDS_listenername in listener.ora
  - lsnrctl change_password [listener_name]
- Set NAMES.PASSWORD in names.ora
- * Note: Oracle Names (onames) is deprecated in 10g; move to OID

Slide 44: Fundamental Threats to the Database Server
- Physical Security
- Unintended Access
- Denial of Service
- Unnecessary Unix Services
- Unnecessary Shell Accounts

Slide 45: Physical Security (Fundamental Threats to the Database Server)
- Database servers should be in a physically secure location
- Limit access to authorized personnel
- Protect against fire, power failure, water, and heat

Slide 46: Unintended Access (Fundamental Threats to the Database Server)
- World Readable Files
- Set-UID Scripts
- NFS Shares

Slide 47: Unintended Access - World Readable Files
- Protect sensitive files by not allowing world read access
- Set UNIX file permissions
  - Owner: read, write, execute
  - Group: read, execute
  - World: none
- Use the chmod command to alter permissions
- Use the umask command to set the default file creation permissions for the oracle account

Slide 48: Unintended Access - World Readable Files
- Examples of things to protect against
  - scripts where new users are created

        find $ORACLE_HOME -type f -exec grep -il "identified by" {} \;

  - sqlplus scripts that might have passwords

        find /u01/app/oracle/admin -type f -exec grep -il "sqlplus" {} \;

  - sqlldr scripts that might have passwords

        find /u01/app/oracle/admin -type f -exec grep -il "sqlldr" {} \;

  - scripts that run import or export

        find /u01/app/oracle/admin -type f -exec egrep -il "exp|imp" {} \;

Slide 49: Unintended Access - Set-UID Scripts
- Risk
  - Potential to allow users to become root: if root runs a script like the one below (for example through a "." entry in PATH), it leaves a root-owned set-UID shell behind

        cp /usr/bin/sh /tmp/.mysh
        chmod 4755 /tmp/.mysh
        ls $*

        -rwsr-xr-x 1 root other 88620 .mysh

- Prevention
  - Minimize the non-admins who have shell accounts
  - Keep your terminal locked when away
  - Do not put dot "." in your PATH
  - Audit the system for set-UID files:

        find / -local -perm -004000 -type f -print
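Slides 47 to 49 do this audit with find, grep and chmod, one command per concern. The Python below is an added example, not the presentation's own commands: it walks a tree once and flags set-UID or set-GID files, world-writable files, and world-readable files whose text matches the patterns the slides grep for ("identified by", sqlplus, sqlldr, exp/imp). The mode checks are a pure function so the policy is testable without a filesystem; build_sample_tree() creates a constructed fixture in a temporary directory, and its file names, contents and modes are made up.

```python
"""One-pass audit for world-readable credential files and set-UID executables.

Added example, not the presentation's own find/grep/chmod commands. It walks a tree and
flags (a) set-UID or set-GID files, (b) world-writable files, and (c) world-readable files
whose text matches the patterns the slides grep for ("identified by", sqlplus, sqlldr,
exp/imp). Mode checks are a pure function so the policy is testable without a filesystem;
build_sample_tree() creates a constructed fixture in a temporary directory.
"""
import os
import re
import stat
import tempfile

# The strings slides 24 and 48 search for, with exp/imp as whole words.
SENSITIVE = re.compile(r"identified\s+by|sqlplus|sqlldr|\b(?:exp|imp)\b", re.I)


def classify_mode(mode):
    """Policy-relevant facts about a raw st_mode value."""
    findings = set()
    if mode & stat.S_IROTH:
        findings.add("world-readable")
    if mode & stat.S_IWOTH:
        findings.add("world-writable")
    if mode & stat.S_ISUID:
        findings.add("setuid")
    if mode & stat.S_ISGID:
        findings.add("setgid")
    return findings


def umask_result(umask, requested=0o666):
    """Mode a newly created file ends up with: the requested bits minus the umask (slide 47)."""
    return requested & ~umask


def looks_sensitive(path, limit=65536):
    """True if the first `limit` bytes mention credentials or the tools the slides grep for."""
    try:
        with open(path, "r", errors="replace") as fh:
            return bool(SENSITIVE.search(fh.read(limit)))
    except OSError:
        return False


def audit_tree(root):
    """Sorted (path relative to root, finding) pairs for regular files under root."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)            # lstat: do not follow symlinks out of the tree
            if not stat.S_ISREG(st.st_mode):
                continue
            flags = classify_mode(st.st_mode)
            rel = os.path.relpath(path, root)
            if flags & {"setuid", "setgid"}:
                results.append((rel, "setuid/setgid file"))
            if "world-writable" in flags:
                results.append((rel, "world-writable file"))
            if "world-readable" in flags and looks_sensitive(path):
                results.append((rel, "world-readable file mentioning credentials or tools"))
    return sorted(results)


def build_sample_tree():
    """Constructed fixture; returns the temporary root. Names, contents and modes are made up."""
    root = tempfile.mkdtemp(prefix="oraaudit_")

    def put(rel, text, mode):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)
        os.chmod(path, mode)

    put("admin/create_user.sql", "create user app identified by secret;\n", 0o644)  # exposed
    put("admin/nightly_exp.sh", "exp userid=scott/tiger file=emp.dmp\n", 0o640)     # group-only: fine
    put("admin/README", "Nightly maintenance notes\n", 0o644)                        # harmless
    put("tmp/.mysh", "#!/bin/sh\n", 0o4755)                                          # slide 49's leftover
    return root


if __name__ == "__main__":
    for rel, finding in audit_tree(build_sample_tree()):
        print(f"{finding}: {rel}")
```

Pointed at $ORACLE_HOME or /u01/app/oracle/admin, the world-readable check reproduces slide 48; pointed at / it is the set-UID audit of slide 49 (the page's find uses Solaris's -local to stay off NFS mounts, which os.walk does not do on its own). umask_result(0o027) shows why a 027 umask for the oracle account gives new files the owner/group-only 640 that slide 47 asks for.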
Slide 50: Unintended Access - NFS Shares
- NFS is a mechanism to make file systems on one server available to many others
- Use care when sharing:
  - only share to specific hosts, not the entire network
  - share as read-only if possible
  - share at the lowest level required, not the entire disk
- Example

    share -o ro=client[:client]... pathname

Slide 51: Denial of Service (Fundamental Threats to the Database Server)
- Typically handled by Network or Systems Administration teams
- DBAs can still help...
  - Monitor databases and servers from a different machine
  - Separate the production server from development, test, and QA
  - Communicate with System and Network Administrators

Slide 52: Unnecessary Unix Services (Fundamental Threats to the Database Server)
- Many Unix services have known security holes
- Minimize the services that are started to those that are necessary
  - i.e. do you really need ftp, finger?
- Review /etc/rc* and inetd.conf and eliminate services that get started but are not needed
- http://www.samag.com/documents/s=1152/sam0104i/0104i.htm

Slide 53: Unnecessary Shell Accounts (Fundamental Threats to the Database Server)
- Consider every line in /etc/passwd a potential entry point
- Remove ids that are not needed

Slide 54: Establishing a Security Mindset
- Be curious
- Always ask questions
- Be proactive
- Be paranoid
- Be cautious
- Test everything
- Stay abreast of bugs and fixes
- Start with minimal privileges
- Be vigilant
- Preach the security gospel!

Slide 55: Q & A

Slide 56: Thank you!
Georgia Oracle Users Conference, April 4-5 2005, Practical Database Security, Kristopher Cook, [email_address]
