Title: Exploiting and Protecting Oracle
1. Exploiting and Protecting Oracle
- By Curtis Davis and Duane Wardell
- Memorial Hermann Healthcare System
- January 19, 2005
2. Agenda
- Windows Authentication
  - Vulnerabilities and Solutions
  - Live Demo
- Unix Authentication
  - Vulnerabilities and Solutions
- Open VMS Authentication
  - Vulnerabilities and Solutions
- Database Roles
  - Using GUI install and Default Users
- Default Database Profile
- Must Dos
- Security Breach Notification Action Plan
  - What to do if/when you are attacked
3. Windows Authentication
- Vulnerabilities
  - ORA_DBA group → SYSDBA
  - ORA_OPER group → SYSOPER
  - Listener (defaults to no password, default name, no restrictions, and known port 1521)
  - SQLNET/NET8 (client authentication enabled)
  - Oracle Client code (many un-centralized client installs → many tnsnames.ora files and too much to keep track of)
4. Windows Authentication
- Solutions (Live Demo)
  - ORA_DBA, ORA_OPER
  - Listener (use a password, change the ports and name, set ADMIN_RESTRICTIONS_<ListenerName> = True)
  - SQLNET/NET8 (disable client authentication)
  - Oracle Client (centralize installation → clients reside on a central server-class machine with a single tnsnames.ora file)
5-21. Windows Authentication Demo
22. Unix Authentication
- Vulnerabilities
  - dba group → SYSDBA (/ as sysdba), no longer need ops
  - File Security (should set authorization)
  - Listener (no password, default name, known ports, no restrictions)
- Solutions
  - dba group (/etc/group → contain only members of DBA personnel)
  - File Security (set authorization to 0600: read/write (rw) by owner (oracle) only, with no write authorization for group or other users)
  - Listener (password, name, ports, restrictions)
23. Windows Authentication Demo
24. Open VMS Authentication
- Vulnerabilities (very similar to Windows)
  - ORA_DBA rights identifier → SYSDBA (/ as sysdba), no longer need ops
  - ORA_OPER rights identifier → SYSOPER
  - Listener (no password, default name, known ports, no restrictions)
- Solutions
  - ORA_DBA, ORA_OPER (show process/all)
  - ORA_<sid>_DBA → SYSDBA for that named instance. Once defined it overrides ORA_DBA, ORA_OPER
  - Listener (password, name, ports, restrictions)
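The Windows, Unix and Open VMS sections above share one exposure: membership in an OS group or rights identifier grants SYSDBA or SYSOPER with no database password, and the listener and SQL*Net defaults extend that trust over the network. The SQL below is an added example, not from the original deck, of what a DBA can check from inside the database on any of the three platforms, followed by the two server-side parameters that limit how far OS identity is trusted. The views and parameters are standard Oracle names; the `dba_users.password = 'EXTERNAL'` test is the 9i/10g-era way to list externally identified accounts (an assumption about the release in use; 12c adds an `authentication_type` column instead).

```sql
-- Added example, not from the deck: server-side checks for OS-authenticated
-- and password-file SYSDBA access. Run as a DBA in SQL*Plus.

-- 1. Accounts that can connect as SYSDBA/SYSOPER through the password file
--    (this is the remote path). Anything beyond SYS needs a justification.
SELECT username, sysdba, sysoper
  FROM v$pwfile_users;

-- 2. Parameters that decide how much OS identity is trusted:
--    remote_os_authent     TRUE lets a network client assert its OS user
--                          name and be trusted; it should be FALSE.
--    os_authent_prefix     prefix of OS-authenticated accounts (default OPS$).
--    audit_sys_operations  TRUE writes every SYSDBA/SYSOPER statement to the
--                          OS audit trail under audit_file_dest.
SELECT name, value
  FROM v$parameter
 WHERE name IN ('remote_os_authent', 'os_authent_prefix',
                'audit_sys_operations', 'audit_file_dest');

-- 3. Database accounts that have no password of their own and rely on the
--    OS user name (9i/10g: the PASSWORD column reads EXTERNAL for them).
SELECT username, account_status, created
  FROM dba_users
 WHERE password = 'EXTERNAL'
 ORDER BY username;

-- 4. Hardening. Both parameters are static, so they take effect at the next
--    restart; SCOPE = SPFILE records them in the server parameter file.
ALTER SYSTEM SET remote_os_authent = FALSE SCOPE = SPFILE;
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;
```

None of this blocks a local `/ as sysdba` connection: that path is decided purely by OS group membership (ORA_DBA, dba, or the VMS rights identifier), which is why the deck's first control on every platform is trimming those groups. What the database side can do is refuse to trust OS names arriving over the network and leave an audit trail of every SYSDBA session so that misuse of a group membership is at least visible.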
25. Windows Authentication Demo
26. Database Roles
- Using the GUI (DBCA) to install (be careful what you choose) installs a lot of default functionality, which is controlled by many privileged DB users (Perfstat, Dbsnmp, Outln, CTXSYS)
- Over Oracle's history they have created more than 600 default user accounts.
- Must change default passwords and lock these user accounts.
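The slide's "change default passwords and lock these accounts" can be done as a repeatable script rather than account by account. The following is an added example, not the deck's own code: it lists the option accounts the slide names together with anything the database reports as still using its default password, locks and expires every such account that is not on an allow-list, and resets the password of the one that has to stay open. It assumes Oracle 11g or later for the `dba_users_with_defpwd` view; on the 9i/10g releases current when the deck was written, the equivalent is to compare `dba_users.password` hashes against a published default-password list. The allow-list and the placeholder password are constructed values.

```sql
-- Added example, not from the deck: find installer-created accounts, flag the
-- ones still on a default password, and lock/expire what nothing uses.
-- Assumes DBA_USERS_WITH_DEFPWD (Oracle 11g and later).

-- 1. The privileged option accounts named in the deck, plus anything the
--    database itself reports as still using a default password.
SELECT u.username, u.account_status, u.created,
       CASE WHEN d.username IS NOT NULL THEN 'DEFAULT PASSWORD' END AS finding
  FROM dba_users u
  LEFT JOIN dba_users_with_defpwd d ON d.username = u.username
 WHERE u.username IN ('PERFSTAT', 'DBSNMP', 'OUTLN', 'CTXSYS')
    OR d.username IS NOT NULL
 ORDER BY u.username;

-- 2. Lock and expire every default-password account except those that must
--    stay usable; those get a new password in step 3. The allow-list is a
--    constructed example: SYS and SYSTEM are handled by hand, DBSNMP is kept
--    for Enterprise Manager.
BEGIN
  FOR r IN (SELECT username
              FROM dba_users_with_defpwd
             WHERE username NOT IN ('SYS', 'SYSTEM', 'DBSNMP'))
  LOOP
    EXECUTE IMMEDIATE 'ALTER USER "' || r.username ||
                      '" PASSWORD EXPIRE ACCOUNT LOCK';
  END LOOP;
END;
/

-- 3. Accounts that have to stay open get a new password (placeholder value).
ALTER USER dbsnmp IDENTIFIED BY "ReplaceWithStrongPassword1";

-- 4. Re-check: any row returned here is an open account, outside the
--    allow-list, that still has its default password and needs attention.
SELECT d.username, u.account_status
  FROM dba_users_with_defpwd d
  JOIN dba_users u ON u.username = d.username
 WHERE u.account_status = 'OPEN'
   AND d.username NOT IN ('SYS', 'SYSTEM', 'DBSNMP');
```

Locking rather than dropping is deliberate: option schemas such as CTXSYS own objects that other features depend on, and a locked, expired account keeps those objects while removing the login. Step 4 is worth scheduling, since a later option install or DBCA run can recreate accounts with default passwords.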
27. Modifying Default Profile
- Oracle will install the default profile, which sets all options to unlimited. Must modify the following (or create your own):
  - sessions_per_user 2
  - cpu_per_session unlimited (hundredths of seconds)
  - cpu_per_call 3000 (hundredths of seconds)
  - connect_time 45 (minutes)
  - idle_time 30 (minutes)
  - logical_reads_per_session default (db blocks)
  - logical_reads_per_call default (db blocks)
  - composite_limit default (commented out in the original)
  - private_sga 20M
  - failed_login_attempts 3
  - password_life_time 90 (days)
  - password_reuse_time 1
  - password_reuse_max unlimited
  - password_lock_time 3 (days)
  - password_grace_time 15 (days)
  - password_verify_function verify_function
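The list above maps directly onto one `CREATE PROFILE` statement. The block below is an added example, not code from the deck: it creates a profile with exactly the values listed, switches on resource-limit enforcement (without which the session, CPU and time limits are recorded but ignored), attaches the profile to an account, reads it back, and tightens the DEFAULT profile that every other account inherits. The profile name `app_user_profile` and the user `scott` are constructed placeholders; `verify_function` is the password checker created by Oracle's own `$ORACLE_HOME/rdbms/admin/utlpwdmg.sql` script, which has to have been run first.

```sql
-- Added example, not from the deck: the slide's profile limits as one
-- CREATE PROFILE statement. verify_function comes from utlpwdmg.sql.

CREATE PROFILE app_user_profile LIMIT
  sessions_per_user          2
  cpu_per_session            UNLIMITED   -- hundredths of a second
  cpu_per_call               3000        -- hundredths of a second (30 s per call)
  connect_time               45          -- minutes
  idle_time                  30          -- minutes
  logical_reads_per_session  DEFAULT     -- db blocks
  logical_reads_per_call     DEFAULT     -- db blocks
  -- composite_limit is left at its default, as in the deck
  private_sga                20M
  failed_login_attempts      3
  password_life_time         90          -- days
  password_reuse_time        1           -- days; under 10g rules an integer here
  password_reuse_max         UNLIMITED   --   plus UNLIMITED here means a password
                                         --   can never be reused (check the
                                         --   CREATE PROFILE reference for 9i)
  password_lock_time         3           -- days
  password_grace_time        15          -- days
  password_verify_function   verify_function;

-- Resource limits (sessions, CPU, time, reads, SGA) are enforced only while
-- RESOURCE_LIMIT is TRUE; password limits are enforced regardless.
ALTER SYSTEM SET resource_limit = TRUE;

-- Attach the profile to an application account (scott is a placeholder).
ALTER USER scott PROFILE app_user_profile;

-- Read back what is in force. A LIMIT of DEFAULT means the value is inherited
-- from the DEFAULT profile, so that profile has to be tightened as well.
SELECT resource_type, resource_name, limit
  FROM dba_profiles
 WHERE profile = 'APP_USER_PROFILE'
 ORDER BY resource_type, resource_name;

-- Every account not given a profile of its own uses DEFAULT; give it at least
-- the lockout and password-quality settings.
ALTER PROFILE default LIMIT
  failed_login_attempts    3
  password_lock_time       3
  password_verify_function verify_function;
```

The order of operations matters for the lockout: `failed_login_attempts 3` in a profile only protects accounts that use that profile, and unless the DEFAULT profile is changed too, the 600-plus installer accounts from the previous slide keep unlimited login attempts.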
28. Security Breach Notification Action Plan (what to do if/when you are attacked!!!)
- Security Breach Suspected or Detected
  - Alert the database owner
  - Secure the system and take it temporarily off-line
  - Collect info supporting the observation of a real or suspected breach
  - Report the breach in writing immediately (no more than 24 hrs)
- Incident Review
  - Conduct an incident review
- Breach of Security Notification
  - Determine the scope of the breach and restore reasonable integrity of the database. Determine if outside intervention is necessary.
- Incident Closure Report
  - A closure report should be submitted to internal audit.
  - The report should show the detailed nature and cause of the incident.
  - The report should also show the steps taken to prevent recurrence of the incident.
29. Questions and Answers