Wednesday, April 17, 2013

Oracle Security --> Where to Start ? What to do ?

When you start reading the title you start thinking of Race, Mostly you can think of that since technology going fast, But my article it's not about race it's talking about where should i look when i secure my database what should i secure ? I post another articles talking about security and how to secure your database what is the benefits of securing database ? I will try to mention the most important points to secure and protecting database specially internal users.

Database is complex, so DBA ( Database administrator ) must understand potential security impacts  and The three components Triangle which i mentioned before in "Top ten Threats to Database" For example when DBA looking for availability they ignore right configuration which cause security vulnerability and this can lead to expose confidential data. it's not about database if you have application you need to take over and start secure this application. but what can i do ? Where to start and how to start ? 

The Basic Steps to Start like i mentioned in my post "basic Steps to Secure Oracle"  is to discuss the risk management that lead to this, and you can secure your database by looking for the below keys  :

  • Auditing
  • Database Configuration
  • Access to database
  • Authentication 

I need to Remind you in something Secuirty Not means i will protect my database 100% it's way to prevent attacks and make it harder, But what if the attackers get in database 

Auditing 


Auditing allow us to monitor database users,or anything that happened on database,first audit_sys_operations parameter should be set to TRUE to monitor sys user operation. The audit_trail parameter ( DB|OS) where the location of Audit files will goes ? For example Audit Files could be written on Database  or On File System if you set this parameter to OS. let's talk about database here :


SQL> SELECT * FROM dba_obj_audit_opts;
SQL> SELECT * FROM dba_priv_audit_opts;
SQL> SELECT * FROM dba_stmt_audit_opts
 you cannot enable auditing to monitor all database activities but at least you can enable it for action such as create session , by fire this command ---> audit create session;

What i love in 11gR2 documentation is that Oracle has create it's own list for recommended auditing list which mean you should enable it. another type of auditing called FGA allow you to create policy to run on certain event for example when scott read from table emp column Sal i want to record this transaction on table. simple way read more about : ---> DBMS_FGA.ADD_POLICY, and check this event to you need to have access on sys.fga$.

After you enable auditing it's very important to Create your own reports to monitor database.Oracle gives you products to centralize this audit logs called audit vault the benefits of this products it's automatically clean up the old data ( only if transferred to server ) and remove them.

 Database Configuration

When start talking about secure configuration lot of steps came to my mind, but i will try make simple since i can't cover everything in this topics, i will divide it to more than one topics and Post on my blog, as you know in this part you have to look at network, Listener , Client side , Parameters , and Backup i am apology if i forget something, each part of this compentents are very important but let's talk about parameters as we all know Database have something called spfile/pfile which is parameter file for database, Some of parameter set for TRUE by default while i don't need them vice versa, change the value of this parameter are important to avoid any Weakness in the futures some of this parameters are :

  • OS_ROLES ----> Should be False 
  • os_authent_prefix ---> Ops$ 
  • o7_dictionary_accessibility --> Should be False 
  • audit_sys_operations --> Should be True
  • Global_name ---> Should be True
  • Remote_listener ---> use it only if you need it
  • remote_login_passwordfile --> none 
  • sec_case_sensitive_logon --> Should be True
  • sql92_security ---> Should be True 
  • remote_os_roles --> Should be False
lot of parameters, but i mention some of them.

Also Don't forget to secure your Listener set password for listener, change default port simple steps but make you avoid future attack.
Another point don't forget to patch your database check oracle site for you new CPU and PSU patch this will fix security vulnerability, Read More here.
 Another way also to secure configuration using Database firewall ( i will post topic about it later ) , network firewall and create policy inside the company.

Access to database


in each topic i post i am talking about this, i am will mention it in every topics in the future it's important and the most of hacking cases happened because user has privileges more than he needs why ?  is your data not important !!! when the user authenticated to database first thing you need to check what this user allow to do ? especially for developers and application user ( dose he need DBA role to execute procedure ) 

 SQL> SELECT * FROM dba_sys_privs;
SQL> SELECT * FROM dba_role_privs;
SQL> SELECT * FROM dba_col_privs;
SQL> SELECT * FROM dba_tab_privs;

it's not only about privileges , Create Development , test and QA database is important not everything works on Production is correct , create new users with different privileges some of them to monitor some of them to manege, Boring but Useful , Don't forget Database links i mention before in my topics about database link security and how this could effect on your database, well Links create new privileges escalation, Review database link and check who access to them , who use them , how he use them and is it valid any more ?

SQL> SELECT * FROM sys.link$;

as conclusion you have to check user privileges , Application users , Users , Database links and Create new instance for new jobs ,  not all company spend money to secure database but why should i buy new products while i am not doing the basic steps before that , it's maybe avoid company small fortune and they will loves for that.

Authentications

Well , I should mention it first but it's all about security why should i care ? the first thing happened in database is authentications obtaining user information , Password the problem is The mutli way for doing that make risk is high you have OS authentications .... etc check my post about "Effect of Default Password" and you will be surprised what i can do with default password !!! in 11g you can check the Deafult password in new View :


SQL >  select * from dba_users_with_defpwd;
But you can't also forget about
SQL > Select * from dba_users;

each of them has different job, not everything mentioned in dba_users_with_defpwd , Once you change password and Create new one ( hard to guess ) now you need to provide new rules for password here we start talking about profiles

SQL > Select * from dba_profiles ;
Example for how to create profile in oracle :

CREATE PROFILE Example LIMIT
  FAILED_LOGIN_ATTEMPTS 3 
  PASSWORD_LOCK_TIME 5    
  PASSWORD_LIFE_TIME 30   
  PASSWORD_GRACE_TIME 3   
  PASSWORD_REUSE_TIME 120 
  PASSWORD_REUSE_MAX 10   
/
Also read Oracle documentation here.

I will take later about Authentications type In oracle provided with Examples and talk about which one is more secure and when i need to use it ?

Don't forget that Oracle Provide Password complexity that located in $ORACLE_HOME/rdbms/admin with Script called --> utlpwdmg.sql just run it / as sysdba and new rules will be applied to passwords you can create your own one. but this script do the below
  • The password contains  eight characters or more.
  • Password not same as username.
  • password should not be simple 
  • password should contain Numeric and alphabetic.
  • password should be different from the last password.
and other's features simple and amazing Right :)

as conclusion i will post more topics about security and more examples will be waiting, and i wish it's useful and simple, i can't cover all things in one article i will be huge i will try to do my best.

Thank you
Osama Mustafa

2 comments:

  1. Thanks for taking the time to discuss this, I feel strongly about it and love learning more on event staffingIf possible, as you gain expertise, would you mind updating your blog with more information? It is extremely helpful for me.

    ReplyDelete
    Replies
    1. Thank you for your comment , I will keep updated with new topics :)

      Delete