Stefan Oehrli
Discipline Manager
Oracle Security
stefan.oehrli@trivadis.com
Geneva, 18.11.2009
Basel
Baden
Brugg
Bern
Lausanne
Zürich
Düsseldorf
Frankfurt/M.
Freiburg i. Br.
Hamburg
München
Stuttgart
Wien
Agenda
Introduction
Database Vault in a Nutshell
Situation with Anonymous Accounts
Approach and Challenges
DBA- and Operation Tasks
Administrative Privileges (SYSDBA and SYSOPER)
SUDO
Miscellaneous
Conclusion
Data Security Geneva 2009 - Oracle Database Vault What about the OS Accounts?
Introduction
Oracle Database Vault addresses common regulatory compliance requirements and reduces the risk of insider threats by:
Preventing highly privileged users (DBA) from accessing application data
Enforcing separation of duty
Providing controls over who, when, where and how applications, data and databases can be accessed.
Source: Oracle Database Vault Home Page
Introduction
Excerpt from the Oracle Database Vault Administrator's Guide, "Managing Root and Operating System Access":
Oracle Database Vault does not prevent highly privileged operating system users from directly accessing database files. For this kind of protection, use transparent data encryption ... Carefully review and restrict direct access to the operating systems.
You should have personalized accounts access the operating system. These personalized accounts should, in the Linux or UNIX environments, login using sudo to the oracle software owner when needed. With sudo, you can control which specific command each personalized user can execute. Be sure to prevent the use of the make, relink, gdb, or other commands that could potentially harm the DB.
Introduction
This section, at the very end of the documentation, can cause some confusion.
To some extent Database Vault is sold as a complete security solution, but it needs some additional considerations.
This information should arguably be placed more centrally in the documentation.
Database Vault in a Nutshell
Database Vault building blocks (diagram): Realms, Command Rules, Factors and Rule Sets, with extended functionality for Secure Application Roles and Label Security integration. End User, Developer and DBA connect to the database, which is protected by Database Vault together with Virtual Private Database and Label Security.

Diagram: Database Vault and Secure Application Roles in front of the instance and the database files.
But what about system privileges like SELECT ANY TABLE, EXEMPT ACCESS POLICY and so on, which are granted to DBAs and are enabled for a connection through SYSDBA?

Diagram: a hacker with access to the database files on the OS reads them directly, bypassing the instance and Database Vault; Transparent Data Encryption protects the database files.
And what about backups? RMAN Backup Encryption.

Diagram: Database Server (Bob) with Oracle Net Advanced Security against a hacker on the network.
Situation with Anonymous Accounts
Dynamically Relink
On some OS and database versions it is possible to relink the oracle binaries even while the database is running. After relinking with Database Vault switched off, the data can be accessed without any restriction:

```sh
# Attack demonstration from the presentation: rebuild the oracle binary with
# Database Vault switched off (requires access as the oracle software owner).
cd $ORACLE_HOME/rdbms/lib
make -f ins_rdbms.mk dv_off
cd $ORACLE_HOME/bin
relink oracle
```
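Added example, not part of the original presentation: a checksum baseline that detects exactly the kind of relink shown above, because the rebuilt oracle binary (and the libknlopt.a archive that the dv_on/dv_off targets modify) no longer matches the recorded checksums. It assumes GNU coreutils sha256sum; the baseline path and the list of files are assumptions to adapt to the installation.

```sh
# Added example (not from the original presentation): detect a relinked or
# replaced oracle binary by comparing checksums against a recorded baseline.
# Requires GNU coreutils sha256sum. Baseline path and file list are assumptions.

# Usage: record_baseline <baseline-file> <file>...
# Writes one "checksum  path" line per file (use absolute paths).
record_baseline() {
    baseline=$1
    shift
    sha256sum "$@" > "$baseline"
}

# Usage: check_baseline <baseline-file>
# Returns 0 if every listed file is unchanged, 1 if any checksum differs or a
# file is missing; sha256sum itself prints the name of each failed file.
check_baseline() {
    baseline=$1
    if sha256sum --check --quiet "$baseline"; then
        return 0
    fi
    echo "ALERT: a baselined Oracle file changed; check for a relink" >&2
    return 1
}

# Stand-alone use: "oracle_baseline.sh record" after every approved patch or
# relink, "oracle_baseline.sh check" from cron under an account that can read
# ORACLE_HOME but cannot write the baseline (the oracle owner must not be
# able to re-record it after a dv_off relink).
if [ -n "$ORACLE_HOME" ] && [ "${0##*/}" = "oracle_baseline.sh" ]; then
    BASELINE=/var/lib/oracle_baseline.sha256   # assumed location
    case $1 in
        record) record_baseline "$BASELINE" "$ORACLE_HOME/bin/oracle" \
                    "$ORACLE_HOME/rdbms/lib/libknlopt.a" ;;
        check)  check_baseline "$BASELINE" ;;
        *)      echo "usage: $0 record|check" >&2; exit 2 ;;
    esac
fi
```

The checksum alert is only the OS-side signal; inside the database, V$OPTION (parameter 'Oracle Database Vault') shows whether the running binary still has Database Vault linked in, and both checks belong in the monitoring described later for the root account, which cannot be locked out.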
Additional Possibilities
Change passwords directly within the data file of the SYSTEM tablespace (see Trivadis Training O-AI-DSI)
Modify or access data directly within a data file
Approach and Challenges
Lifecycle of the environment (diagram):
Commissioning: no protection, functional accounts
Intermediate Acceptance
Operation: personalized accounts, sudo, scripts etc.
Decommissioning: no protection, functional accounts
DBA and operation tasks are done via sudo, group privileges and scripts.
The usage of SYSOPER, SYSDBA and DBA has to be adjusted accordingly.
If the functional account or the environment has to be opened up again (e.g. for bigger changes, hardware replacement etc.), an intermediate acceptance has to be initiated.
It is not possible to lock out the root account; only monitoring and auditing are possible.
DBA- and Operation Tasks
Task                  Type  Engineering                    Operation                Application Operation
Initial Installation  OS    As user oracle                 n/a                      n/a
                      DB    As user oracle                 n/a                      n/a
                      OS    sudo script (Silent Install)   n/a                      n/a
                      DB    SYSDBA or sudo script          n/a                      n/a
                      OS    sudo                           n/a                      n/a
DB Start / Stop       OS    sudo script or SYSOPER         sudo script or SYSOPER   n/a
                      OS    sudo script                    sudo script              n/a
                      OS    sudo script                    sudo script              n/a
Task                  Type  Engineering                    Operation                Application Operation
                      OS    sudo                           sudo                     n/a
                      OS    script / cronjob               script / cronjob         Read trace files
                      OS    Deployment script              n/a                      n/a
Monitoring            DB    Within DB / role               Within DB / role         n/a
Accounting            DB    n/a                            Within DB / role         n/a
                      DB    Within DB / role               Within DB / role         n/a
                      DB    As SYSDBA or SYSOPER           n/a
DBA tasks (ALTER SYSTEM, ALTER TABLESPACE etc.) are done via Grid Control and/or with personalized DBA accounts.
DB Operation
Personalized Unix accounts that are not members of the OSDBA or OSOPER group.
Stop / start the database with sqlplus as SYSOPER.
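Added example, not part of the original presentation: an audit of the OSDBA and OSOPER groups in a group(5) file. Membership in these groups allows CONNECT / AS SYSDBA or AS SYSOPER by OS authentication without a password, which is why the deck wants only the functional account there and personalized operators connecting AS SYSOPER through the password file instead. The group names dba and oper, the allowed member list and the sample group file are assumptions constructed for the example.

```sh
# Added example (not from the original presentation): report personalized
# accounts that are members of the OSDBA/OSOPER groups. Group names, the
# allowed member list and the sample file below are assumptions.

# Usage: osgroup_members <group-file> <group-name>
# Prints the supplementary members of the group, one per line.
osgroup_members() {
    awk -F: -v g="$2" '
        $1 == g { n = split($4, m, ",")
                  for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }
    ' "$1"
}

# Usage: audit_osgroups <group-file> "<allowed members>" <group>...
# Prints an ALERT for every member not in the allowed list; returns 1 if any.
audit_osgroups() {
    file=$1; allowed=$2; shift 2
    rc=0
    for g in "$@"; do
        for m in $(osgroup_members "$file" "$g"); do
            case " $allowed " in
                *" $m "*) ;;   # functional account, expected
                *) echo "ALERT: personalized account $m is in OS group $g" >&2
                   rc=1 ;;
            esac
        done
    done
    return $rc
}

# Constructed sample group file: meier has been added to dba and must be flagged.
sample_group_file() {
    cat <<'EOF'
root:x:0:
oinstall:x:100:oracle
dba:x:101:oracle,meier
oper:x:102:oracle
users:x:20:
EOF
}

# Stand-alone use against the real file (runs only when invoked by that name):
if [ "${0##*/}" = "osgroup_audit.sh" ]; then
    audit_osgroups /etc/group "oracle" dba oper
fi
```

Supplementary membership is only half of the picture: an account whose primary group in passwd is dba never appears in the group file's member list, so a complete check also compares `id -nG` for every personalized account against the same allowed list.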
Additional Users
Additional users like developers, account managers etc. only get access at the database level.
Access to log and trace files is granted on special request only.
Administrative Privileges
There are two main administrative privileges in Oracle: SYSOPER and SYSDBA.
Since Oracle 11g there is also SYSASM.
Demo: connecting as SYSDBA / SYSOPER (sqlplus banner):

```
Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 64bit Production
With the Partitioning, Data Mining and Real Application Testing options
SQL>
```

Password file entries (V$PWFILE_USERS, usernames omitted):

SYSDBA  SYSOPER
TRUE    TRUE
FALSE   TRUE
FALSE   TRUE

One account holds both privileges, the other two hold SYSOPER only.

Privilege comparison:

                      SYSDBA  SYSOPER
CREATE/DROP DATABASE  yes     no
CREATE SPFILE         yes     yes
SUDO
sudo allows configuring which user or user group can execute which commands or scripts as a certain user, e.g. root or oracle.
It is possible to define a set of commands for different user groups, e.g. DBAs, operators, developers etc.
Every sudo execution is written to syslog; the second entry below, COMMAND=list, is a `sudo -l`:

```
root : grep sudo /var/adm/syslog/syslog.log
Feb 19 10:44:52 urania sudo: meier : TTY=pts/2 ; PWD=/home/meier ; USER=oracle ; COMMAND=/u00/app/oracle/product/10.2_1/bin/lsnrctl status
Feb 19 10:44:56 urania sudo: meier : TTY=pts/2 ; PWD=/home/meier ; USER=root ; COMMAND=list
```
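Added example, not part of the original presentation: the syslog entries above are only useful if somebody reads them, so this function scans a sudo log in that format and flags the invocations the Administrator's Guide excerpt says must never be possible (make, relink, gdb), plus anything executed as root that is not a plain `sudo -l`. Putting truss on the deny list is an assumption: like gdb it attaches to running processes, which matters because the sudoers example later grants it to DBADMIN. The sample log lines are constructed; the first two are the ones from the slide.

```sh
# Added example (not from the original presentation): flag dangerous sudo
# invocations in syslog output of the form shown above. The deny list follows
# the Administrator's Guide (make, relink, gdb); truss is an assumption.

# Usage: audit_sudo_log <syslog-file>
# Prints one line per flagged entry; returns 1 if anything was flagged.
audit_sudo_log() {
    awk '
        /sudo:/ && /COMMAND=/ {
            who = ""; user = ""; cmd = ""
            # invoking account sits between "sudo: " and " :"
            if (match($0, /sudo: [^ ]+ :/))  who  = substr($0, RSTART + 6, RLENGTH - 8)
            # target account and command line; PWD may or may not have a space before ";"
            if (match($0, /USER=[^ ;]+/))    user = substr($0, RSTART + 5, RLENGTH - 5)
            if (match($0, /COMMAND=.*/))     cmd  = substr($0, RSTART + 8)
            split(cmd, argv, " ")                    # program is the first word
            prog = argv[1]; sub(/.*\//, "", prog)    # basename, e.g. "make"
            if (prog == "make" || prog == "relink" || prog == "gdb" || prog == "truss") {
                printf "DENY-LISTED: %s ran %s as %s: %s\n", who, prog, user, cmd
                bad = 1
            } else if (user == "root" && prog != "list") {
                printf "ROOT: %s ran as root: %s\n", who, cmd
                bad = 1
            }
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Constructed sample log: two entries from the slide plus three that must be
# flagged (a dv_off relink done through sudo, and a root shell switch).
sample_sudo_log() {
    cat <<'EOF'
Feb 19 10:44:52 urania sudo: meier : TTY=pts/2 ; PWD=/home/meier ; USER=oracle ; COMMAND=/u00/app/oracle/product/10.2_1/bin/lsnrctl status
Feb 19 10:44:56 urania sudo: meier : TTY=pts/2 ; PWD=/home/meier; USER=root ; COMMAND=list
Feb 19 11:02:13 urania sudo: dummy : TTY=pts/3 ; PWD=/u00/app/oracle/product/10.2_1/rdbms/lib ; USER=oracle ; COMMAND=/usr/bin/make -f ins_rdbms.mk dv_off
Feb 19 11:02:40 urania sudo: dummy : TTY=pts/3 ; PWD=/u00/app/oracle/product/10.2_1/bin ; USER=oracle ; COMMAND=/u00/app/oracle/product/10.2_1/bin/relink oracle
Feb 19 11:05:01 urania sudo: smith : TTY=pts/4 ; PWD=/home/smith ; USER=root ; COMMAND=/bin/su - oracle
EOF
}

# Stand-alone use (runs only when invoked by that name): scan the live log.
if [ "${0##*/}" = "sudo_audit.sh" ]; then
    audit_sudo_log /var/adm/syslog/syslog.log
fi
```

The basename match is deliberately strict about the program only, not its arguments, because a wrapper such as opatch or runInstaller can call make and relink internally without that ever appearing in the sudo log; those wrappers have to be controlled in sudoers itself (and the file validated with `visudo -c`) rather than caught afterwards.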
SUDO Configuration (edited with /usr/local/sbin/visudo):

```
## User alias specification
User_Alias  DBADMIN = dummy
User_Alias  DBOPER  = meier
User_Alias  DBUSER  = muster, russo, smith

## Runas alias specification
Runas_Alias DB = oracle

## Cmnd alias specification
Cmnd_Alias  DBOPER  = /u00/app/oracle/local/custom/bin/dbtool
# Note: opatch and runInstaller relink the binaries themselves, and truss can
# attach to running processes; review these against the Administrator's Guide
# advice on make, relink and gdb before granting them.
Cmnd_Alias  DBADMIN = /u00/app/oracle/product/10.2_?/OPatch/opatch, \
                      /u00/app/oracle/product/10.2_?/oui/bin/runInstaller, \
                      /u00/app/oracle/product/10.2_?/bin/dvca, \
                      /u00/app/oracle/product/10.2_?/bin/dbca, \
                      /u00/app/oracle/product/10.2_?/bin/netca

# User specification
# root and users in group wheel can run anything on any machine as any user
root     ALL = (ALL) ALL
DBADMIN  ALL = (DB) NOPASSWD: DBADMIN, DBOPER, /usr/local/bin/truss
DBOPER   ALL = (DB) NOPASSWD: DBOPER, /u00/app/oracle/product/10.2_?/bin/lsnrctl
```
SUDO Usage

```
meier : id
uid=108(meier) gid=20(users) groups=101(osoper)
meier : sudo -l
User oper001 may run the following commands on this host:
    (oracle) NOPASSWD: /u00/app/oracle/local/custom/bin/dbca
    (oracle) NOPASSWD: /u00/app/oracle/product/10.2_?/bin/lsnrctl
meier :
```
SUDO constraints
sudo executes commands and scripts as the user specified for execution, e.g. oracle, but it does not run that user's login profile: the environment (ORACLE_HOME, ORACLE_SID, PATH) is not the one the target user would get at login and must be set explicitly.
If possible, define only simple commands to be used with sudo, e.g. /usr/local/bin/truss.
More complex commands should be executed within a shell script which takes care of the environment, parameters, errors etc.:

```sh
sudo -u oracle lsnrctl.ksh t oraemst start
```
Miscellaneous
op, an interesting alternative to sudo
Open source alternative: http://swapoff.org/wiki/op
The major difference is the possibility to use mnemonics rather than full commands.
With sudo:

```sh
sudo /bin/mount -t iso9660 /dev/cdrom /mnt/cdrom
```

With op:

```sh
op mount cd
```
Script maintenance
Scripts should be maintained in a central repository, e.g. Subversion, CVS or something similar.
DB admins may create new revisions of the scripts on their development system.
New revisions have to be committed to the repository.
Subversion command line for Windows
TortoiseSVN client
Oracle SQL Developer
Conclusion
Reliable protection with Database Vault is possible, but additional considerations have to be taken into account.
Auditing anonymous users only provides limited information.
Conclusion
The use of personalized accounts can be implemented step by step.
A combination of sudo and OSDBA / OSOPER can be reasonable.
Thank you!
www.trivadis.com