Exploiting and Protecting Oracle - PowerPoint PPT Presentation

About This Presentation
Title:

Exploiting and Protecting Oracle

Description:

Open VMS Authentication. Vulnerabilities and Solutions. Database Roles ... Open VMS Authentication. Vulnerabilities (very similar to Windows) ... – PowerPoint PPT presentation

Number of Views:104
Avg rating:3.0/5.0
Slides: 31
Provided by: duanew4
Transcript and Presenter's Notes

1
Exploiting and Protecting Oracle
  • By
  • Curtis Davis
  • Duane Wardell
  • Memorial Hermann Healthcare System
  • January 19, 2005

2
Agenda
  • Windows Authentication
  • Vulnerabilities and Solutions
  • Live Demo
  • Unix Authentication
  • Vulnerabilities and Solutions
  • Open VMS Authentication
  • Vulnerabilities and Solutions
  • Database Roles
  • Using GUI install and Default Users
  • Default Database Profile
  • Must Dos
  • Security Breach Notification Action Plan
  • What to do if/when you are attacked

3
Windows Authentication
  • Vulnerabilities
    • ORA_DBA group → SYSDBA
    • ORA_OPER group → SYSOPER
    • Listener (defaults to no password, default name, no
      restrictions, and the well-known port 1521)
    • SQLNET/NET8 (client authentication enabled)
    • Oracle client code (many uncentralized client
      installs → many tnsnames.ora files and too much to
      keep track of)
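
As an added example (not part of the slides), the SQL*Plus queries below let a DBA check the database side of these vulnerabilities: which accounts hold SYSDBA/SYSOPER through the password file, whether remote OS authentication is on, and which accounts are OS-authenticated. Members of ORA_DBA / ORA_OPER authenticate through the operating system and never appear in the dictionary, so group membership still has to be reviewed on the host. The view and parameter names are standard Oracle; the DBA_USERS.PASSWORD test assumes 9i/10g, where externally identified accounts show the literal value EXTERNAL (11g and later expose AUTHENTICATION_TYPE instead).

```sql
-- Added audit queries, not from the presentation.  Run as a DBA.

-- 1. Password-file SYSDBA / SYSOPER holders.  OS-group members (ORA_DBA,
--    ORA_OPER) are NOT listed here; audit the Windows groups separately.
SELECT username, sysdba, sysoper
  FROM v$pwfile_users
 ORDER BY username;

-- 2. Remote OS authentication.  REMOTE_OS_AUTHENT = TRUE means a client
--    merely claiming an OS user name is trusted for OS-authenticated
--    (OS_AUTHENT_PREFIX, usually OPS$) accounts: the "client auth."
--    weakness on the slide.
SELECT name, value
  FROM v$parameter
 WHERE name IN ('remote_os_authent', 'os_authent_prefix',
                'remote_login_passwordfile')
 ORDER BY name;

-- 3. Accounts that authenticate through the OS rather than a password.
--    9i/10g: DBA_USERS.PASSWORD = 'EXTERNAL'.  (Assumption: this release;
--    on 11g+ use WHERE authentication_type = 'EXTERNAL' instead.)
SELECT username, account_status, created
  FROM dba_users
 WHERE password = 'EXTERNAL'
 ORDER BY username;

-- Remediation for item 2.  REMOTE_OS_AUTHENT is a static parameter, so
-- the change is written to the spfile and takes effect on the next restart.
ALTER SYSTEM SET remote_os_authent = FALSE SCOPE = SPFILE;
```

Anything returned by query 3 that is not a deliberately OS-authenticated service account, and any SYSDBA holder in query 1 who is not a DBA, is a finding to follow up before the listener and client changes on the next slide are made.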

4
Windows Authentication
  • Solutions (Live Demo)
    • ORA_DBA, ORA_OPER
    • Listener (use a password, change the port and name,
      set ADMIN_RESTRICTIONS_<ListenerName> to true (ON in
      listener.ora))
    • SQLNET/NET8 (disable client authentication)
    • Oracle client (centralize the installation → clients
      reside on a central server-class machine with a
      single tnsnames.ora file)
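
The listener and SQL*Net settings from this slide, written out as a configuration fragment. This is an added example, not a file from the presentation: the listener name LSNR_PROD, the host name, port 1560 and the password hash are placeholders to be replaced with your own values.

```ini
# listener.ora (added example; names, host and port are placeholders)

# Non-default listener name and non-default port.
LSNR_PROD =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example.internal)(PORT = 1560))
    )
  )

# Listener password.  The value is the hash that "lsnrctl" writes here when
# you run CHANGE_PASSWORD / SAVE_CONFIG; never type a cleartext password.
PASSWORDS_LSNR_PROD = <hash written by lsnrctl change_password>

# Reject lsnrctl SET / STOP requests that arrive over the network.  With this
# on, settings change only by editing this file and running "lsnrctl reload".
ADMIN_RESTRICTIONS_LSNR_PROD = ON

# sqlnet.ora (added example): "Disable Client Auth." from the slide.
# NONE turns off OS-based (NTS) authentication for connections through
# this Oracle home.
SQLNET.AUTHENTICATION_SERVICES = (NONE)
```

One caveat before applying the sqlnet.ora line on the database server itself: on Windows, OS authentication (NTS) is also what lets ORA_DBA members connect `/ AS SYSDBA`. With it set to NONE, SYSDBA connections need the password file (created with `orapwd`), so confirm that file exists and that the DBAs know its password before restarting the listener.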

5-21
Windows Authentication Demo (screenshot slides; no transcript text)
22
Unix Authentication
  • Vulnerabilities
    • dba group → SYSDBA (/ as sysdba); no longer need ops
    • File security (authorization should be set)
    • Listener (no password, default name, known ports, no
      restrictions)
  • Solutions
    • dba group (/etc/group → contain only members of
      DBA personnel)
    • File security (set authorization to 0600: read/write
      (rw) by the owner (oracle) only, with no write
      authorization for group or other users)
    • Listener (password, name, ports, restrictions)

23
Windows Authentication Demo (screenshot slide; no transcript text)
24
Open VMS Authentication
  • Vulnerabilities (very similar to Windows)
    • ORA_DBA rights identifier → SYSDBA (/ as sysdba);
      no longer need ops
    • ORA_OPER rights identifier → SYSOPER
    • Listener (no password, default name, known ports, no
      restrictions)
  • Solutions
    • ORA_DBA, ORA_OPER (show process/all)
    • ORA_<sid>_DBA → SYSDBA for that named instance only.
      Once defined it overrides ORA_DBA, ORA_OPER
    • Listener (password, name, ports, restrictions)

25
Windows Authentication Demo (screenshot slide; no transcript text)
26
Database Roles
  • Installing with the GUI (DBCA) installs a lot of
    default functionality that is controlled by many
    privileged DB users (Perfstat, Dbsnmp, Outln,
    CTXSYS); be careful what you choose.
  • Over Oracle's history, more than 600 default user
    accounts have been created.
  • You must change the default passwords and lock these
    user accounts.
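
An added example (not from the presentation) of locking and expiring the default accounts the slide names after a DBCA install. The account list is taken from the slide and is meant to be extended; the PL/SQL loop only touches accounts that actually exist and are still OPEN, so it is safe to run on an instance where, say, PERFSTAT (created by Statspack, not DBCA) was never installed. The DBSNMP password value is a placeholder, and DBA_USERS_WITH_DEFPWD is an 11g-and-later view.

```sql
-- Added example, not from the slides.  Run as SYS or a DBA with
-- ALTER USER; SET SERVEROUTPUT ON to see what was changed.

DECLARE
  -- Account names from the slide; add the rest of your install's defaults.
  TYPE name_list IS TABLE OF VARCHAR2(30);
  defaults name_list := name_list('PERFSTAT', 'DBSNMP', 'OUTLN', 'CTXSYS');
BEGIN
  FOR i IN 1 .. defaults.COUNT LOOP
    -- Only act on accounts that exist and are still open, so a missing
    -- account does not abort the script with ORA-01918.
    FOR u IN (SELECT username
                FROM dba_users
               WHERE username = defaults(i)
                 AND account_status = 'OPEN') LOOP
      -- LOCK blocks logins; PASSWORD EXPIRE invalidates the default
      -- password even if someone later unlocks the account.
      EXECUTE IMMEDIATE 'ALTER USER "' || u.username ||
                        '" ACCOUNT LOCK PASSWORD EXPIRE';
      DBMS_OUTPUT.PUT_LINE('locked and expired ' || u.username);
    END LOOP;
  END LOOP;
END;
/

-- Exception: an account you actually need (DBSNMP for an Enterprise Manager
-- agent, for example) gets a new password instead of a lock.
-- "placeholder_change_me" is a placeholder, not a recommended value.
ALTER USER dbsnmp IDENTIFIED BY "placeholder_change_me" ACCOUNT UNLOCK;

-- Verification: anything still OPEN here needs a justification.
SELECT username, account_status, lock_date, expiry_date
  FROM dba_users
 WHERE username IN ('PERFSTAT', 'DBSNMP', 'OUTLN', 'CTXSYS')
 ORDER BY username;

-- 11g and later: accounts whose password is still a known default.
SELECT username
  FROM dba_users_with_defpwd
 ORDER BY username;
```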

27
Modifying Default Profile
  • Oracle installs the DEFAULT profile with all options
    set to unlimited. You must modify the following (or
    create your own profile):
  • sessions_per_user 2
  • cpu_per_session unlimited -- hundredths of a second
  • cpu_per_call 3000 -- hundredths of a second
  • connect_time 45 -- minutes
  • idle_time 30 -- minutes
  • logical_reads_per_session default -- db blocks
  • logical_reads_per_call default -- db blocks
  • composite_limit default
  • private_sga 20M
  • failed_login_attempts 3
  • password_life_time 90 -- days
  • password_reuse_time 1
  • password_reuse_max unlimited
  • password_lock_time 3 -- days
  • password_grace_time 15 -- days
  • password_verify_function verify_function
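
The slide's limits as a complete profile definition, added here as an example and not taken from the presentation. It follows the slide's "create your own" option, since a named profile is where the DEFAULT entries keep their meaning (inherit from the DEFAULT profile); the same LIMIT clause can be applied with ALTER PROFILE DEFAULT. The profile name secure_default is a placeholder. VERIFY_FUNCTION is not built in: it is created by Oracle's own utlpwdmg.sql script (9i/10g), which must be run before the profile references it.

```sql
-- Added example, not from the slides.  Run as SYS or a user with the
-- CREATE PROFILE privilege.  Values and units are those on the slide.

-- Creates VERIFY_FUNCTION (Oracle-supplied script, run once per database).
-- @?/rdbms/admin/utlpwdmg.sql

-- "secure_default" is a placeholder profile name.
CREATE PROFILE secure_default LIMIT
  sessions_per_user          2
  cpu_per_session            UNLIMITED    -- hundredths of a second
  cpu_per_call               3000         -- hundredths of a second
  connect_time               45           -- minutes
  idle_time                  30           -- minutes
  logical_reads_per_session  DEFAULT      -- db blocks, inherited
  logical_reads_per_call     DEFAULT      -- db blocks, inherited
  composite_limit            DEFAULT      -- inherited
  private_sga                20M
  failed_login_attempts      3
  password_life_time         90           -- days
  password_reuse_time        1            -- days
  password_reuse_max         UNLIMITED
  password_lock_time         3            -- days
  password_grace_time        15           -- days
  password_verify_function   verify_function;

-- Assign it; "app_user" is a placeholder account name.
ALTER USER app_user PROFILE secure_default;

-- The resource limits (cpu, connect and idle time, private_sga, ...) are
-- enforced only while RESOURCE_LIMIT is TRUE; the password limits always are.
ALTER SYSTEM SET resource_limit = TRUE SCOPE = BOTH;

-- Check what was stored.
SELECT resource_name, resource_type, limit
  FROM dba_profiles
 WHERE profile = 'SECURE_DEFAULT'
 ORDER BY resource_type, resource_name;
```

Two points worth knowing before copying these values: with one of PASSWORD_REUSE_TIME / PASSWORD_REUSE_MAX set to a number and the other UNLIMITED, as on the slide, Oracle 10g treats a password as never reusable; and FAILED_LOGIN_ATTEMPTS 3 with PASSWORD_LOCK_TIME 3 days means three bad passwords lock an account for three days, so application service accounts on this profile become an easy target for denial of service by lockout and may deserve a profile of their own.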

28
Security Breach Notification Action Plan (what to
do if/when you are attacked!!!)
  • Security Breach Suspected or Detected
    • Alert the database owner
    • Secure the system and take it temporarily off-line
    • Collect information supporting the observation of a
      real or suspected breach
    • Report the breach in writing immediately (no more
      than 24 hrs)
  • Incident Review
    • Conduct an incident review
  • Breach of Security Notification
    • Determine the scope of the breach and restore
      reasonable integrity of the database. Determine
      if outside intervention is necessary.
  • Incident Closure Report
    • A closure report should be submitted to internal
      audit.
    • The report should show the detailed nature and cause
      of the incident.
    • The report should also show the steps taken to
      prevent recurrence of the incident.

29
Questions and Answers