oracle database security: top 10 things you could & should be doing differently
TRANSCRIPT
Oracle Database Security
Top 10 Things You Could & Should Be Doing Differently
Simon Pane - Oracle Database Principal Consultant
April 11, 2016
ABOUT ME
• Working with Oracle DB since version 6
• Oracle Certified Professional: Oracle 8, 8i, 9i,10g, 11g, 12c
• Oracle Certified Expert
• Oracle Certified Partner Specialist
• Oracle Ace Associate
• MOS Communities Simon_DBA
© 2016 Pythian Confidential
ABOUT PYTHIAN
11,400Pythian currently manages more than 11,400 systems.
400+Pythian currently employs more than 400 people in 200 cities in 35 countries
1997Pythian was founded in 1997
Global Leader In IT Transformation And Operational Excellence
Unparalleled Expertise• Top 5% in databases, applications, infrastructure, Big Data, Cloud, Data
Science, and DevOps
Unmatched Certifications• 9 Oracle ACEs, 4 Oracle ACE Directors, 1 Oracle ACE Associate• 6 Microsoft MVPs, 1 Microsoft Certified Master
• 5 Google Platform Qualified Developers• 1 Cloudera Champion of Big Data
• 1 Mongo DB Certified DBA Associate Level• 1 DataStax Certified Partner, 1 MVP
Broad Technical Experience• Oracle, Microsoft, MySQL, Oracle EBS, Hadoop, Cassandra,
MongoDB, virtualization, configuration management, monitoring, trending, and more.
© 2016 Pythian Confidential
WHAT THIS IS NOT ABOUT ….
• All great products / tools:– Oracle Database Vault– Oracle Audit Vault and Database Firewall– Privilege Analysis– Oracle Key Vault– Oracle Identity Management– Transparent Data Encryption– Oracle Data Redaction– VPD / FGAC / Real Application Security (RAS)– Oracle Data Masking and Subsetting– Oracle Total Recall– Advanced Security Option
© 2016 Pythian Confidential
…. INSTEAD IT IS ABOUT
• What can we do with what we already have?
• What we need to watch out for?
• How should we change our operational practices?
© 2016 Pythian Confidential
AGENDA
• “Top 10”– Applies to Standard Edition & Enterprise Edition
– Various releases: 10g, 11g, 12c
• Bonus: Oracle Database 12c specific features
• The take away: tips, suggestions, cautions!
© 2016 Pythian Confidential
AVOID CLEAR TEXT PASSWORD IN SQLNET
• Authentication is automatically encrypted - other commands are not!
• Never use “… identified by …” through SQLNET– What about our tools?
• Use the “password” command instead– This command does encrypt the password in flight
© 2016 Pythian Confidential
AVOID CLEAR TEXT PASSWORD IN SQLNET
• Easy for a DBA to trace:
• Easy for anyone else on the network to trace– Network sniffers (i.e. WireShark)
© 2016 Pythian Confidential
AVOID CLEAR TEXT PASSWORD IN SQLNET
• Resulting trace file:
• Using $ORACLE_HOME/bin/trcasst: (11g)
© 2016 Pythian Confidential
12c Bug!
AVOID CLEAR TEXT PASSWORD IN SQLNET
• What about if you’re going through a public network?– Or between services in a public cloud?
• From Amazon RDS documentation:
© 2016 Pythian Confidential
AVOID CLEAR TEXT PASSWORD IN SQLNET
• Wireshark to AWS with VPC security group:
© 2016 Pythian Confidential
AVOID CLEAR TEXT PASSWORD IN SQLNET
• Better method (AWS RDS using SQL Developer):
• Or ensure network encryption / VPN / IPSEC
© 2016 Pythian Confidential
PROTECT PASSWORD HASH VALUES & SALTS
• Easy to crack offline (particularly old 10g DES hashes)
• Protect network traffic:– “Oracle Network Encryption” or other tunneling software– Exposures pre-11.2.0.4 – see CVE-2012-3137
• fixed OCT2012 PSU
• Protect and audit in the catalog:• SYS.USER$ and SYS.USER_HISTORY$• SYS.USER$.SPARE4 includes the salt
• Force complexity:– Use a password-verification function and profiles
© 2016 Pythian Confidential
PROTECT PASSWORD HASH VALUES & SALTS
• Never post hashes into documentation or ticket system:
© 2016 Pythian Confidential
Don’t Do!
AVOID PASSWORDS IN SCRIPT VARIABLES
• Don’t put passwords into script variables:– Variables can be exposed in diagnostic dumps
– Also shouldn’t ever need to “export” variables!!
• Scripting mistake:
© 2016 Pythian Confidential
AVOID PASSWORDS IN SCRIPT VARIABLES
• Variables are in: /proc/${pmon pid}/environ
• And RMAN script when running:
© 2016 Pythian Confidential
AVOID PASSWORDS IN SCRIPT VARIABLES
• Better solution: “Secure External Password Store”– Doesn’t negate “/ as sysdba” connections
– Compatible with SQLNET.AUTHENTICATION_SERVICES=NONE
© 2016 Pythian Confidential
AVOID PASSWORDS IN SCRIPT VARIABLES
• “Secure External Password Store” usage:
© 2016 Pythian Confidential
AVOID PASSWORDS IN SCRIPT VARIABLES
• “Secure External Password Store”:– Bug with the -auto_login_local option
• Works in 11.2.0.4 and 12.1.0.1 but not 12.1.0.2
• May need to remediate scripts anyway– For compliance or PDB (service) compatibility
© 2016 Pythian Confidential
12.1.0.2 Bug!
USE THE SCHEDULER
• CRON scripts often run .SQL files– Monitoring jobs
– Application jobs– Backup jobs
• How are the DB credentials for those secured?– Why schedule from the CRON and then have to worry
about DB credentials?
© 2016 Pythian Confidential
USE THE SCHEDULER
• Can also use to run OS scripts ( .sh or .cmd )– OS Security context for non-SYS jobs to use when
running external jobs is defined in:
$ORACLE_HOME/rdbms/admin/externaljob.ora
– Be careful this doesn’t become an OS-injection risk
• The program being run could be “sh”
• Actual OS commands could be the arguments
© 2016 Pythian Confidential
USE THE SCHEDULER
• Default UNIX settings in externaljob.ora:run_user = nobody
run_group = nobody
• Be cautious if changing to a more powerful account.
run_user = oracle
run_group = dba
© 2016 Pythian Confidential
OS Injection as “oracle”
USE THE SCHEDULER
• Windows adds the service:– OracleJobScheduler<ORACLE_SID>
• Service ownership defaults to LocalSystem (11g)– Change to a low level user or disable (default)
– This service runs non-SYS scheduler jobs
© 2016 Pythian Confidential
USE THE SCHEDULER
• Scheduler best practices:
1. Use a dedicated least-privileged DB user/credential
2. Use a dedicated least-privileged OS user/credential
© 2016 Pythian Confidential
SET SECURITY INITIALIZATION PARAMETERS
• Often overlooked initialization parameters:SEC_MAX_FAILED_LOGIN_ATTEMPTS
• Not password attempts – client to server processSEC_PROTOCOL_ERROR_FURTHER_ACTION
• What the server process does when receiving bad packets
SEC_PROTOCOL_ERROR_TRACE_ACTION
• Trace, log, alert, or nothing with bad packetsSEC_RETURN_SERVER_RELEASE_BANNER
• Is the DB version returned to the client
© 2016 Pythian Confidential
Changes in 12.1.0.2
Changes in 12.1.0.2
SET SECURITY INITIALIZATION PARAMETERS
• In SQLNET.ORA pre-12c:SQLNET.ALLOWED_LOGON_VERSION
• In SQLNET.ORA as of 12c:SQLNET.ALLOWED_LOGON_VERSION_SERVER
SQLNET.ALLOWED_LOGON_VERSION_CLIENT
• Controls “authentication protocol”:– i.e. O3L, O4L, O5L, O5L_NP, O7L_MR
– Relates to the password versions stored in the DB
© 2016 Pythian Confidential
CONSIDER SECURE APPLICATION DESIGN
• Secure application design would include separate schemas for:– Data - Code - Access (users)
• Implement data & code separation using:– Fully qualified object references– Private synonyms– Promotes a “least privilege” model
• Data schemas (with full DML) can be LOCKED!– If not, there is always a risk
© 2016 Pythian Confidential
CONSIDER SECURE APPLICATION DESIGN
• Even more secure if all data interaction is through PL/SQL objects (APIs)?– Controls use of object privileges– No dynamic SQL
– Use bind variables and/or DBMS_ASSERT to prevent SQL Injection:
© 2016 Pythian Confidential
Source: https://en.wikipedia.org/wiki/SQL_injection
CONSIDER SECURE APPLICATION DESIGN
© 2016 Pythian Confidential
Data Holding Schema
Locked
Code Schema
Locked
Users
Open
ü Can’t perform DDL on tables or code
ü Can’t perform ad-hoc queries
ü Can’t perform DDL on base tables
ü Sanitize inputs with DBMS_ASSERT
USE ROLE SECURITY
• Can be a solution to try to prevent “application bypass”– TOAD / SQL Developer / SQLPLUS connections
• Typically protect with a password or a package:
© 2016 Pythian Confidential
USE ROLE SECURITY
• Activate password protected roles:
• Limitations of password protected roles:– Passwords sent as clear-text through SQLNET
– Pre-11.2.0.4: by-pass through nesting:
© 2016 Pythian Confidential
Test if using an old version
USE ROLE SECURITY
• Application roles:– Authentication logic resides in PL/SQL package
• Must use “invoker’s rights”• Must include one or more security checks (i.e. using SYS_CONTEXT properties)
• Must issue SET ROLE or DBMS_SESSION.SET_ROLE
• After granting, manually change to not be a “default role” – otherwise logic is bypassed!
© 2016 Pythian Confidential
LISTENER PROTECTION
• Valid Node Checking– Provides basic firewall functionality
– Only allow connections from authorized application servers and DBA desktops
• Prevent “application by-passing”
– Prevent connections from un-authorized servers• From TEST/DEV/QA to PROD
• Through DB links after refreshes
© 2016 Pythian Confidential
RISK!
LISTENER PROTECTION
• DB Link Risk:
© 2016 Pythian Confidential
PROD1 PROD2DB Link
DEV1
RMAN Clone
DB Link
DB Links and passwords should be adjusted after a RMAN duplicate but often are missed
LISTENER PROTECTION
• Valid Node Checking implementation:– Three parameters in server’s sqlnet.ora:
– Can’t use hostname or IP ranges (no wildcards)– “invited’ and “excluded” are mutually exclusive
© 2016 Pythian Confidential
LISTENER PROTECTION
• Protect the database from a connection storm through listener parameters:– RATE_LIMIT
– CONNECTION_RATE_<listener>
• But there’s still risks:– TNS connections can by-passing the listener and
connect directly to dispatchers (if port is discovered)!• Check the default shared server related
initialization parameters (“DISPATCHERS”)
© 2016 Pythian Confidential
XDB!
PROTECT AT THE OS LEVEL
• If someone can copy the .DMP and RMAN backup files they have everything!– What if backed up to remote device / NFS share?
© 2016 Pythian Confidential
Make sure owner and group is correctMake sure file permissions are limited
PROTECT AT THE OS LEVEL
• Tools can extract data right out of DBF files:
© 2016 Pythian Confidential
Make sure group is correct and membership is limited; Ensure (o)thers have no permissions
• DBA & Developers don’t need to know any schema passwords (i.e. application schema passwords)
• Use “Proxy Authenticated Connections”– “Connect as specified schema using your own
credentials”
© 2016 Pythian Confidential
USE PROXY AUTHENTICATED CONNECTIONS
USE PROXY AUTHENTICATED CONNECTIONS
• Viewing configuration:
• Viewing active connections:
© 2016 Pythian Confidential
USE PROXY AUTHENTICATED CONNECTIONS
• DBA_AUDIT_SESSION:
• DBA_AUDIT_TRAIL:
© 2016 Pythian Confidential
USE PROXY AUTHENTICATED CONNECTIONS
• Advantages:– Proxy authenticated connections provide more
functionality than “ALTER SESSION SET CURRENT_SCHEMA …”
– Works with most tools and utilities (including wallets)
– Works with JDBC thin connections– All access individualized for audit
– Easier off-boarding of DBA / Dev staff:• Who no longer works here yet still knows the password
because it hasn’t changed!
© 2016 Pythian Confidential
ORACLE DATABASE 12C SPECIFIC
• Last login time is now recorded:– In catalog table: sys.user$.spare6
– Also displayed in DBA_USERS.LAST_LOGIN
© 2016 Pythian Confidential
ORACLE DATABASE 12C SPECIFIC
• New “READ” and “READ ANY TABLE” privileges– Gives grantee “query only” (12c Release 1: 12.1.0.2)
– Does not provide:• “LOCK TABLE … ”
• “SELECT … FOR UPDATE ”
– Source: http://docs.oracle.com/database/121/DBSEG/authorization.htm#CACGJAAH
© 2016 Pythian Confidential
ORACLE DATABASE 12C SPECIFIC
• Network encryption no longer part of ASO
– Source: http://docs.oracle.com/database/121/DBLIC/editions.htm
• Backported to 11gR2:
– Source: http://docs.oracle.com/cd/E11882_01/license.112/e47877/options.htm#DBLIC143
© 2016 Pythian Confidential
ORACLE DATABASE 12C SPECIFIC
• Network encryption can be as simple as two parameters in the sqlnet.ora file:
© 2016 Pythian Confidential
SUMMARY
• Think about DBA and Developer processes:– Don’t just focus on profiles and object privileges
• Think outside of the database– Protecting backups can be just as important
– Consider the network and data in-flight
© 2016 Pythian Confidential
SUMMARY
• Understand the capabilities of the products you already have:– Consider new features and changes between versions /
releases– Explore features and functions that you may not be very
familiar with
• Continuous Improvement:– Modernize & evolve both the technology and process
• As technology changes• As business needs change• As technical requirements change
© 2016 Pythian Confidential
THANKS AND Q&A
1-877-PYTHIAN
http://www.Pythian.com/blog
http://is.gd/PythianFacebook
@Pythian
http://linkedin.com/company/Pythian
Don’t forget evaluations!
© 2016 Pythian Confidential
Get Published in IOUG SELECT Journal
Quarterly journal of peer-reviewed technical articles and news published by the Independent Oracle Users Group
We are always looking for new authors, interested? – Technical Tip – ~500 words– Column – ~ 500 – 1000 words– Technical Article – ~ 1500 – 2500 words– Blog posting – ~ 500 – 2500 words
Visit http://ioug.org/select for more information.
Questions? [email protected]
IOUG Members have unlimited access to the current and archives of SELECT Journal
Including more than 3,000 papers and presentations in the IOUG Library
65
Earn an #IOUGenius Certificate Demonstrate the skills you’ve gained at COLLABORATE 16
How to Earn Your Certificate1. Choose a certificate that benefits you and your company the
most.2. Search for sessions mobile app device by using the hashtag
#IOUGenius.3. “Check-in” to 4+ sessions on your mobile app. 4. Email us at [email protected] to receive your #IOUGenius e-
certificate(s).
Visit: collaborate.ioug.org/certificates
• 12cNewFeaturesandUpgrades
• CoreDBASkills• OracleEnterpriseManager• Performance• SecuringYourOracleDatabase
• Techniques forHighAvailability• TheCloud,Options,andChoices• UnderstandingBigData,Tools,and
Techniques• WebCenter StrategiesandBest
Practices