Dan Norris: Exadata security
1. Exadata Database Machine Security
   Dan Norris, MAA Team, Oracle Development
   October 26, 2015
   Copyright © 2015, Oracle and/or its affiliates. All rights reserved.
2. Program Agenda
   1. Preparation for installation
   2. Installation, deployment
   3. Post-deployment configuration
   4. Database creation and configuration
   5. Operational security considerations
3. Security Terminology: Getting us on the same page
   • Attack surface – the code within a computer system that can be run by unauthorized users
   • Port – network term referring to a virtual endpoint
   • Service – operating system term referring to a background process or daemon
   • CPU – Critical Patch Update, quarterly released security patches for Oracle products
4. Preparation for Installation: Security starts early
   • Get educated
   • Collect security-related requirements from all stakeholders
   • Determine whether a role-separated installation is required
   • Plan network layout
   • Subscribe to security alerts – http://is.gd/orasec
   • Review MOS note 1068804.1: Guidelines for enhancing the security for an Oracle Database Machine deployment
5. Plan Network Layout: Perimeter security for networks
   • Client Access is the entry point for most accesses
   • Management should be restricted
   • InfiniBand is private to the machine; physical security protects it
6. Installation and Deployment: Implement the available features and security plan
   • Exadata includes many security features by default
   • Implement the recommended security step during deployment
     – AKA the "Resecure Machine" step
   • Start secure, only open what is necessary
     – "Doing security" later almost never happens (or works)
   • Configure ASM audits to use syslog (audit_syslog_level)
   • Configure ASM & DB init.ora: audit_sys_operations=true
7. Default Security Features: Implement the available features and security plan
   • short package install list
   • only necessary services enabled
   • https management interface
   • sshd secure default settings
   • password aging
   • maximum failed login attempts
   • auditd monitoring enabled
   • cellwall: iptables firewall
   • CPUs included in patch bundles, releases synchronized
   • system hardening
   • boot loader password protection
8. Resecure Machine Step: Implement the available features and security plan
   • In this step, several security changes are made:
     – password complexity requirements are added (dis,dis,16,12,8)
     – passwords are expired (forcing a reset on next login)
     – password aging implemented
     – permissions tightened
9. Resecure Machine Step (physical deployment)

   $ ./install.sh -cf maa-phys.xml -l
   1. Validate Configuration File
   2. Setup Required Files
   <snip many steps>
   17. Install Exachk
   18. Create Installation Summary
   19. Resecure Machine
10. Resecure Machine Step (virtual machine deployment)

   $ ./install.sh -cf maa-vm.xml -l
   1. Validate Configuration File
   2. Create Virtual Machine
   3. Create Users
   <snip many steps>
   17. Create Installation Summary
   18. Resecure Machine
11. Post-Deployment Configuration: Address site-specific requirements
   • Change all passwords for all default accounts (MOS 1291766.1)
   • Perform validation for local policies or rules
     – See MOS 1405320.1 for commonly identified audit findings
   • Exadata Security – especially for consolidation environments
12. Post-Deployment Configuration: Cell Lockdown
   • *New* in 12.1.2.2.0
   • Cells can have remote access disabled – no SSH access to the OS
   • Must enable temporarily for maintenance (upgrades)
   • New cell attributes: remoteAccessPerm, remoteAccessTemp
   • Can temporarily enable access, with automatic lock up at a specified time
   • Can still access the console via ILOM
   • Use exacli/exadcli from DB nodes for cell commands
13. Post-Deployment Configuration: Cell Lockdown Setup

   cellcli> create role administrator
   cellcli> grant privilege all actions on all objects all attributes with all options to role administrator
   cellcli> create user celladministrator password='*'
   cellcli> grant role administrator to user celladministrator
14. Post-Deployment Configuration: Cell Lockdown

   # cellcli -e list cell detail | egrep -i 'cellversion|accesslevel'
            accessLevelPerm:        remoteLoginDisabled
            cellVersion:            OSS_12.1.2.2.0_LINUX.X64_150917

   exacli> alter cell accessLevelTemp=((accessLevel="remoteLoginEnabled", -
              startTime="now", -
              duration="30m", -
              reason="Quarterly maintenance"))
15. Post-Deployment Configuration: Centralized syslog
   • Cells have had the syslogconf cell attribute for quite a while
   • DB nodes have /etc/rsyslog.conf
     – On 12.1.2.1.0 & later, they also have the syslogconf dbserver attribute
16. Post-Deployment Configuration: Centralized syslog setup
   On the receiving side, for rsyslogd, modify /etc/rsyslog.conf:

   # Provides UDP syslog reception
   $ModLoad imudp
   $UDPServerRun 514

   Then HUP rsyslogd:

   kill -HUP $(cat /var/run/syslogd.pid)
17. Post-Deployment Configuration: Centralized syslog

   cellcli> alter cell syslogconf=('authpriv.* @syslgsrv', 'security.* @seclogserver');
   cellcli> alter cell validate syslogconf 'authpriv.error';

   dbmcli> alter dbserver syslogconf=('authpriv.* @syslgsrv', 'security.* @seclogserver');
   dbmcli> alter dbserver validate syslogconf 'authpriv.error';
18. Exadata Security (ASM, Griddisks): Consolidation, sharing without peeking
   • Privileges at the griddisk level
   • Restrict griddisks to certain clusters and/or certain database(s)
   • Especially effective for managing multiple administrators
   • See whitepapers
     – Oracle Exadata Database Machine Consolidation: Segregating Databases and Roles – http://is.gd/exaconsolidation
     – Best Practices for Database Consolidation On Exadata Database Machine – http://is.gd/orclconswp
19. Database Creation and Configuration: Implement database-specific features and best practices
   • Stay current with Exadata bundle patches (888828.1)
     – Bundle patches include the latest CPU patches
   • Consider TDE, network encryption, Data Vault, Audit Vault
   • Review whitepaper: "Cost Effective Security and Compliance with Oracle Database 11g Release 2" – http://is.gd/seccompliance11gr2
   • Take the Enterprise Data Security Assessment at http://is.gd/entsecassessment
20. Oracle Database Security Defense in Depth
   [Diagram: three groups of database security controls]
   PREVENTIVE: Encryption & Redaction; Masking & Subsetting; DBA Controls & Cyber Security
   DETECTIVE: Activity Monitoring; Database Firewall; Auditing and Reporting
   ADMINISTRATIVE: Privilege & Data Discovery; Configuration Management; Key & Wallet Management
21. Operational Security Considerations: Remain security-minded when patching, upgrading, backing up
   • Changes permitted on DB nodes, not cells
   • Backups can be encrypted
   • Patching or upgrading may "undo" some changes; verify after
   • DB node updates use yum commands with excludes (see doc for excludes)
22. Operational Security Considerations: Remain security-minded when patching, upgrading, backing up
   • Periodic reviews to ensure settings remain and vulnerabilities don't
   • Secure erase for storage cells is available
   • Disk drive retention is available
   • Oracle Enterprise Manager Governance, Risk & Compliance Manager continuously reviews the system
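As an added example (not part of the deck or of any Oracle tool), the periodic review above can be scripted against the two settings the earlier slides configure, cell lockdown (slides 12–14) and centralized syslog (slides 15–17), by parsing `cellcli -e list cell detail` output. The sample output below is constructed; the attribute names follow the deck, while the exact layout of a multi-valued syslogconf attribute in that output is an assumption.

```python
import re

# Constructed sample of `cellcli -e list cell detail` output (not captured from a
# real cell). Attribute names come from the deck; the syslogconf layout is assumed.
COMPLIANT_CELL = """\
         name:                   cel01
         accessLevelPerm:        remoteLoginDisabled
         cellVersion:            OSS_12.1.2.2.0_LINUX.X64_150917
         syslogconf:             "authpriv.* @syslgsrv", "security.* @seclogserver"
"""

LOCKDOWN_MIN_VERSION = (12, 1, 2, 2, 0)             # cell lockdown is new in 12.1.2.2.0
REQUIRED_FORWARDING = {"authpriv.*", "security.*"}  # selectors that must leave the cell

def parse_cell_detail(text):
    """Turn 'attribute: value' lines into a dict."""
    attrs = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+):\s*(.*?)\s*$", line)
        if m:
            attrs[m.group(1)] = m.group(2)
    return attrs

def cell_version(attrs):
    """Extract the numeric OSS image version, e.g. (12, 1, 2, 2, 0); () if absent."""
    m = re.search(r"OSS_([\d.]+)_", attrs.get("cellVersion", ""))
    return tuple(int(p) for p in m.group(1).split(".")) if m else ()

def syslog_targets(value):
    """Map each forwarded selector to its remote host from a syslogconf value."""
    targets = {}
    for entry in re.findall(r'"([^"]*)"', value):
        selector, _, dest = entry.partition(" ")
        if dest.startswith("@"):
            targets[selector] = dest.lstrip("@")
    return targets

def check_cell(text):
    """Return a list of findings for one cell; an empty list means it passes."""
    attrs = parse_cell_detail(text)
    findings = []
    if cell_version(attrs) < LOCKDOWN_MIN_VERSION:
        findings.append("cell image predates lockdown support: " + attrs.get("cellVersion", "?"))
    elif attrs.get("accessLevelPerm") != "remoteLoginDisabled":
        findings.append("remote SSH to the cell OS is not locked down (accessLevelPerm=%s)"
                        % attrs.get("accessLevelPerm", "unset"))
    missing = REQUIRED_FORWARDING - set(syslog_targets(attrs.get("syslogconf", "")))
    if missing:
        findings.append("syslogconf does not forward: " + ", ".join(sorted(missing)))
    return findings
```

Run it after every patch or upgrade cycle, since slide 21 warns that patching may undo earlier changes.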
23. Operational Security Considerations: Patching considerations

   Component                    | Access Required
   -----------------------------|---------------------------------------------------------------
   Database – Patch set         | Database server root, software home owner, passwordless SSH to all software home owners (on other nodes)
   Database – Patch set         | Database server root, software home owner
   Grid Infrastructure          | Same as Database
   Exadata Database Server (OS) | Database server root
   Exadata Storage Server       | Database server root, passwordless SSH from database server root to storage server root (temporarily disable lockdown)
   InfiniBand Switch            | Database server root, InfiniBand switch root
24. Late Breaking Security Updates

   MOS Note or URL | Description
   ----------------|------------------------------------------------------------------------------
   Coming soon     | Updating JDK on Exadata Database Machine database nodes
   2060027.1       | October 2015 ILOM security updates – fixes included in Exadata 12.1.2.2.0 images
25. Summary
   1. Preparation for installation
   2. Installation, deployment
   3. Post-deployment configuration
   4. Database creation and configuration
   5. Operational security considerations
26. References

   Note or URL                 | Description
   ----------------------------|------------------------------------------------------------------------------
   http://is.gd/orasec         | Oracle Security Alerts subscription
   1068804.1                   | Guidelines for enhancing the security for an Oracle Database Machine deployment
   1291766.1                   | How to change OS user password for Cell Node, Database Node, ILOM, KVM, Infiniband Switch, GigaBit Ethernet Switch and PDU on Exadata
   888828.1                    | Database Machine and Exadata Storage Server 11g Release 2 (11.2) Supported Versions
   1405320.1                   | Responses to common Exadata security scan findings
   http://is.gd/exaconsolidation | Oracle Exadata Database Machine Consolidation: Segregating Databases and Roles
   http://is.gd/entsecassessment | Enterprise Data Security Assessment
27. References

   MOS Note or URL             | Description
   ----------------------------|------------------------------------------------------------
   1938719.1                   | Exadata information on Bash shellshock vulnerability
   1935817.1                   | Exadata information on SSLv3 POODLE vulnerability
   http://is.gd/orclpoodle     | Generic info about POODLE for all Oracle products
   http://is.gd/orclshellshock | Generic info about Bash Shellshock for all Oracle products
   2069987.1                   | HOWTO: Update JDK on Exadata Database Nodes
28. Safe Harbor Statement
   The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.
