oracle database vault - what about the os accounts

8/10/2019 Oracle Database Vault - What About the OS Accounts

1/50

Basel Baden Brugg Bern Lausanne Zrich Dsseldorf Frankfurt/M. Freiburg i. Br. Hamburg Mnchen Stuttgart Wien

Oracle Database Vault

What about the OS Accounts?

Stefan OehrliDiscipline Manager

Oracle Security

[email protected]

Geneva, 18.11.2009


2/50

2009Data Security Geneva 2009 - Oracle Database Vault What about the OS Accounts?

Agenda

Daten sind

immer im Spiel.

Introduction

Database Vault in a Nutshell

Situation with Anonymous Accounts

Approach and Challenges

DBA- and Operation Tasks

Administrative Privileges(SYSDBA and SYSOPER)

SUDO

Miscellaneous

Conclusion


3/50

2009

Introduction

Oracle Database Vault addresses common regulatory compliancerequirements and reduces the risk of insider threats by:

Preventing highly privileged users (DBA) from accessing application

data

Enforcing separation of duty

Providing controls over who, when, where and how applications, dataand databases can be accessed.

Source: Oracle Database Vault Home Page

But is this enough to protect the whole Oracle environment?

Data Security Geneva 2009 - Oracle Database Vault What about the OS Accounts?


4/50

2009

Introduction

Excerpt from Oracle Database Vault Administrator's Guide:

Managing Root and Operat ing System Access

Oracle Database Vault does not prevent highly privileged operating

system users from directly accessing database files. For this kind of

protection, use transparent data encryption ..... Carefully review andrestrict direct access to the operating systems.

You should have personalized accounts access the operating system.

These personalized accounts should, in the Linux or UNIX

environments, login using sudo to the oracle software owner when

needed. With sudo, you can control which specific command eachpersonalized user can execute. Be sure to prevent the use of the make,

relink, gdb, or other commands that could potentially harm the DB

Appendix D Oracle Database Vault Administrator's Guide



5/50

2009

Introduction

This section at the end of the documentation can cause someconfusion

To some extent Database Vault is sold as a complete Security

Solution but need some additional considerations.

This information could apparently be placed a bit more central.

This Presentation will cover the following questions:

What's covered by Database Vault?

Motivation for personalized Accounts?

Possible solution and concepts?

Challenges for the conception and the Implementation? Configuration of SYSOPER / SYSDBA?

Configuration and application of SUDO?



6/50


Agenda

Daten sind

immer im Spiel.

Introduction






SUDO

Miscellaneous

Conclusion


7/50 2009Data Security Geneva 2009 - Oracle Database Vault What about the OS Accounts?


Another Oracle Security Innovation to protect from DBA respectively SYSDBA

High system privileges like SELECT ANY TABLE, EXEMPT

ACCESS POLICY

Available as an Enterprise Edition Option

Separate download for 10g and 9i

Integrated component within Oracle 11g R1 and R2




Additional Layer within Oracle Kernel

New Components added by Database Vault

Realms

Command Rules

Factors Rule Sets

Extended functionality for

Secure Application Roles

Label Security Integration

No impact for object grants

(except for command Rules)

Restrict any select statementSource: Oracle Database Vault - An Oracle White Paper June

2007



Database Vault Data Privacy and Data Theft (1)

Access to data through aninstance is protected by

database authentication,

authorizing and auditing (AAA)

Authorizations for data can bedefined at row level

Database Files

Instance

End User,Developer,

DBA

Virtual

Private

Database

Label

Security



Database

Vault

Database Vault Data Privacy and Data Theft (2)

How to authorize users based on criteria like time, networkprotocol or IP of the client?

But what about the System privileges like SELECT ANY TABLE,

EXEMPT ACCESS POLICY a s o. which are granted to DBAs

and enabled for Connection through SYSDBA?

Database

Vault

Virtual

Private

Database

Secure

Application

Roles


11/50


12/50


Database Vault Eavesdropping and Hijacking

End User,Developer, DBA(Alice)

DatabaseServer (Bob)

Oracle Net

Hacker

Advanced

Security


13/50


Agenda

Daten sind

immer im Spiel.

Introduction






SUDO

Miscellaneous

Conclusion


14/50

2009


Administration Tasks are not traceable When and who did a listener or database restart.

Who changed the environment (e.g Shell settings)

Auditing on the OS is only partially reasonable

Its possible to see that user oracle did something but who logged inas oracle?

Installation of Software / Patch Set / CPUs is not traceable

Compliance according SOX, Basel II, etc not possible

Security protection mechanism can be bypassed anytime Relink Oracle binaries to switch off Database Vault

Direct access of Datafiles and/or Memory

OSDBA, OSOPER and OSASM is usually not defined or default



15/50


Dynamically Relink

On some OS and database version it is possible to relink theoracle binaries even when the database is running. After relink

and switch off DBV the data can be access without any

restriction.

A warning is will be shown in the ALERT.LOG but there is

also a hint displayed how this warning can be suppressed

cd $ORACLE_HOME/rdbms/lib

make -f ins_rdbms.mk dv_offcd $ORACLE_HOME/binrelink oracle

WARNING: Oracle executable binary mismatch detected.Binary of new process does not match binary which startedinstanceissue alter system set "_disable_image_check" = true todisable these messages


16/50


Additional Possibilities

Change passwords within the Datenfile of SYSTEM Tablespace(see Trivadis Training O-AI-DSI)

Modify or access data directly within a data file


17/50


18/50

2009



Commissioning Operation Decommissioning

Acceptance

Personalized Accounts,

sudo, scripts etc

No Protection,

functional

Accounts

IntermediateAcceptance

No Protection,

functional

Accounts


19/50


20/50

2009


DBA and operation tasks has to be defined Who has to do what and when? How my access what?

Create a catalog of tasks

DBA and operation tasks to be standardized on a high level e.g

scripts for certain tasks are available

A role concept within the DB is must be available

Adjustment with OSDBA and OSOPER reasonable

If not implemented properly there is a risk that loopholes willremain

It is not possible to lock out the root account. Only monitoring and

auditing is possible



21/50


Agenda

Daten sind

immer im Spiel.

Introduction






SUDO

Miscellaneous

Conclusion


22/50

2009


Deployment of Software, Patch sets, CPUs and so on

Stop / start database, agent and listener

Accessing log and trace files (DBA)

Accessing data files

Maintain scripts

Tuning, Monitoring etc

Backup / Restore

Change initialization parameter



23/50

2009


Tasks Typ Engineering Operation Application

Operation

Initial Installation OS As user oracle n/a n/a

Initial Create Database DB As user oracle n/a n/a

Patch set Installation (Software) OS sudo script

(Silent Install)

n/a n/a

Patch set Installation (Upgrade) DB sysdba oder

sudo script

n/a n/a

CPU / OPatch Installation OS sudo n/a n/a

DB Start / Stopp OS sudo script

or SYSOPER

sudo script

or SYSOPER

n/a

Listener Start / Stopp OS sudo script sudo script n/a

Agent / Konsole Start / Stopp OS sudo script sudo script n/a



24/50

2009


Tasks Typ Engineering Operation Application

Operation

Additional DB Tools (runInstaller,

dbca, dvca, netca, etc)

OS sudo sudo n/a

Houskeeping of trace and log

files

OS script/ cronjob script/ cronjob Read trace

files

Maintain Scripts(Entwicklung auf

DBA Server mit Version Control)

OS Deploment

script

n/a n/a

Monitoring DB Within DB / role Within DB / role n/a

Accounting DB n/a Within DB / role n/a

Space Management (e.g. TS) DB Within DB / role Within DB / role n/a

Backup & Recovery DB As SYSDBA or

SYSOPER

n/a



25/50

2009

Database Admin / Engineering

Personalized UX Accounts with OSDBA or OSOPER group

Stop / start database with sqlplus as sysoper

Use scripts and sudo to stop / start listener, agents etc.

Deployment of patchs and software will be done with scripts as a silent

installation

Housekeeping (Permissions, Truncate etc) of log and trace files will be

done with scripts started by cron

DBA tasks (alter system, alter tablespace etc) are done via Grid Control

and / or with personalized DBA accounts.

Prsentationskennung - Eintrag ber Kopf-/Fusszeile 25

sqlplus userxy/tiger@TMAC01 as sysoper



26/50

2009

DB Operation

Personalized UX Accounts without OSDBA or OSOPER group

Stop / start database with sqlplus as sysoper

.

Use scripts and sudo to stop / start listener, agents etc.

Limited access within the database. Required system privileges are

granted by an operation role. Operators are working with personalized

accounts

Prsentationskennung - Eintrag ber Kopf-/Fusszeile 26

sqlplus userxy/tiger@oraemst as sysoper



27/50

2009

Additional Users

Additional Users like Developer, Account Manager etc only get accesson the database level.

Access to log and trace files on special request

Limited access within the database. Required system privileges (alter

user, etc) are granted by a dedicated role.

All user are working with personalized accounts

Prsentationskennung - Eintrag ber Kopf-/Fusszeile 27Data Security Geneva 2009 - Oracle Database Vault What about the OS Accounts?


28/50


29/50

2009

Administrative Privilegien

There are two main administrative privileges in Oracle SYSOPER

SYSDBA

And SYSASM since Oracle 11g

SYSDBA and SYSOPER are special privileges as they allow access to

a database instance even when it is not running

The control of these privileges is totally outside of the database itself

By certain OS groups which are linked into the binaries (OSDBA, OSOPER

as well as OSASM since Oracle 11g)

By an oracle password



30/50

2009

OSDBA / OSOPER groups on Unix (1)

The 'OSDBA' and 'OSOPER' groups are chosen at installation time andusually both default to the group 'dba

These groups are compiled into the 'oracle' executable and so are the

same for all databases running from a given ORACLE_HOME

Verify the groups

Later change of the groups (relink of oracle binaries is required!)

cat $ORACLE_HOME/rdbms/lib/config.c

vi config.c # Adjust the goups=> #define SS_DBA_GRP osdba=> #define SS_OPER_GRP osoper

mv config.o config.o.orig # Backup of config.omake -f ins_rdbms.mk ioracle # DBsmust be stopped!



31/50


32/50

2009

SYSDBA / SYSOPER (1)

To access a database as SYSDBA or SYSOPER over SQLNET apassword file is required

Create a new password files

Define the according INIT.ORA parameters

oracle : orapwd file=${ORACLE_HOME}/dbs/orapw${ORACLE_SID}

password=manager entries=5

SQL> alter system set remote_login_passwordfile='EXCLUSIVE'scope=spfile;



33/50


34/50

2009

Difference SYSOPER / SYSDBA

SYSOPER privilege allows operations such as: Instance startup, mount & database open Instance shutdown, dismount & database close

Alter database BACKUP, ARCHIVE LOG, and RECOVER

This privilege allows the user to perform basic operational taskswithout the ability to look at user data.

SYSDBA privilege includes all SYSOPER privileges plus fullsystem privileges (with the ADMIN option), plus 'CREATE DATABASE' etc...

This is effectively the same set of privileges available when previouslyconnected INTERNAL.

=> Regards Oracle Database Vault it does make sense to useSYSOPER/SYSDBA respectively OSDBA/OSOPER. At which it isrecommended to use SYSOPER in this context



35/50


SYSDBA vs. SYSOPER (1)

1 only a complete recovery

Privilege SYSDBA SYSOPER

STARTUP and SHUTDOWN

CREATE/DROP DATABASE

CREATE SPFILE

ALTER DATABASE OPEN/MOUNT

ALTER DATABASE ARCHIVELOG

ALTER DATABASE BACKUP/RECOVER 1


36/50


Agenda

Daten sind

immer im Spiel.

Introduction






SUDO

Miscellaneous

Conclusion


37/50

2009

SUDO

SUDO allows to configure which user or user group can executewhich commands or scripts as certain user e.g root or oracle

Its possible to define a set of command for different user groups

e.g. DBAs, Operators, Developers etc.

Exectution of any sudo is written to syslog

root : grep sudo /var/adm/syslog/syslog.logFeb 19 10:44:52 urania sudo: meier : TTY=pts/2 ; PWD=/home/meier ;USER=oracle ; COMMAND=/u00/app/oracle/product/10.2_1/bin/lsnrctl statusFeb 19 10:44:56 urania sudo: meier : TTY=pts/2 ; PWD=/home/meier;

USER=root ; COMMAND=list



38/50

2009

SUDO Configuration

/usr/local/sbin/visudo

## User alias specificationUser_Alias DBADMIN = dummyUser_Alias DBOPER = meierUser_Alias DBUSER = muster, russo, smith

## Runas alias specificationRunas_Alias DB = oracle

## Cmnd alias specificationCmnd_Alias DBOPER = /u00/app/oracle/local/custom/bin/dbtoolCmnd_Alias DBADMIN= /u00/app/oracle/product/10.2_?/OPatch/opatch,/u00/app/oracle/product/10.2_?/oui/bin/runInstaller, /u00/app/oracle/product/10.2_?/bin/dvca,/u00/app/oracle/product/10.2_?/bin/dbca, /u00/app/oracle/product/10.2_?/bin/netca

# User specification

# root and users in group wheel can run anything on any machine as any userroot ALL = (ALL) ALLDBADMIN ALL = (DB) NOPASSWD: DBADMIN, DBOPER, /usr/local/bin/trussDBOPER ALL = (DB) NOPASSWD: DBOPER,/u00/app/oracle/product/10.2_?/bin/lsnrctl



39/50

2009

SUDO Usage

Or even a bit more simpler when using aliases

Alias dbtool='sudo -u oracle dbtool'

meier : iduid=108(meier) gid=20(users) groups=101(osoper)

meier : sudo -lUser oper001 may run the following commands on this host:

(oracle) NOPASSWD: /u00/app/oracle/local/custom/bin/dbca(oracle) NOPASSWD: /u00/app/oracle/product/10.2_?/bin/lsnrctl

meier : sudo -u oracle dbca



40/50

2009

SUDO constraints

SUDO is executing commands and scripts as the user specifiedfor execution e.g oracle. The environment settings will be the one

for the user specified at the sudo command.

If possible define only simple commands to be used with sudo eg.

/usr/local/bin/truss

More complex commands should be executed within a shell whichcares about parameters, errors etc.

SUDO hast to be manually installed on HP-UX and Solaris

A SUDO Configuration file can be distributed over network

sudo -u oracle lsnrctl.ksh t oraemst start



41/50


Agenda

Daten sind

immer im Spiel.

Introduction






SUDO

Miscellaneous

Conclusion


42/50

2009

Miscellaneous

OP an interesting alternative for SUDO Open Source alternative http://swapoff.org/wiki/op

Major difference is the possibilities to use mnemonics rather than

commands

Set the S-Bit for individual commands


Mit SUDO:

sudo /bin/mount -t iso9660 /dev/cdrom /mnt/cdrom

Mit OP:op mount cd

oracle@urania:/u00/app/oracle/product/11.1.0/bin/ [rdbms1110]ls -al oracle*-rwsr-s--x 1 oracle osdba 158489970 Mar 8 14:15 oracle
http://swapoff.org/wiki/ophttp://swapoff.org/wiki/op


43/50

2009

Script maintenance

Scripts should be maintained in a central repository eg.Subversion, CVS or something similar.

DBAdminss may create new revision of the scripts on theredevelopment system.

New revision have to be commited to the repository Subversion commandline fr Windows

Tortoise SVN Client

Oracle SQL Developer

Deployment of scripts and configuration should be done with adeployment process (e.g Jumpstart server, Grid Control,..)

Only a defined and accepted version of the scripts will be used onthe systems



44/50


Agenda

Daten sind

immer im Spiel.

Introduction






SUDO

Miscellaneous

Conclusion


45/50

2009

Conclusion

A reliable protection with Database Vault is possible butadditional considerations have to be taken

Auditing anonymous user does only provide limited information

Personalized Accounts are recommended for Database Vault

System / DBA task can clearly assigned (Engineering, Operation,...)

Traceability can be guaranteed

To have personalized accounts a standardized environment is

recommended and will allow a simpler implementation of SUDO

Stable Environment

Documented tasks and responsibilities



46/50


47/50

Basel Baden Brugg Bern Lausanne Zrich Dsseldorf Frankfurt/M. Freiburg i. Br. Hamburg Mnchen Stuttgart Wien

Thank you!

?www.trivadis.com


48/50

2009

Backup Slide Not covered by DBV (1)

Risk Action

Data within data files is stored in clear text

(OS- and SAN-Admin as well the Oracle-

Unix-Account can read the data)

Encryption of data files with TDE

(10g on row level, 11g on tablespace level)

Data in backups as clear text Encrypt data with RMAN

SYS-Account has to be open for RAC and

RMAN. This account is not fully prodeced by

database vault

Personalized Accounts on Unix und

Database + SUDO concept

Use of SYSOPER

Accept SYSDBA-Connections only at thetime when RMAN has to run



49/50

2009

Backup Slide Not covered by DBV (1)

Risk Action

While the database is patched Database

Vault has to be switched off (e.g. CPUs) this

is also true for database migrationens

Personalized Accounts on Unix und

Database + SUDO concept

Monitoring on the OS (inode+ctime Checks,

e.g. manual, Nimbus,iwatch (Linux, based

on inotify))

Data on the network is send as clear text (aswell interconnect on RAC Environments) Use of Advanced Security Option to encryptnetwork traffic.

Direct grants on object Existing grants must be known and has to

be verified. Database Vault Admin Console

provides reports for this

Export possibilities on application level This can only be checked on application

level. Possible restriction based on rules

(e.g. from a certain IP,)



50/50

Backup Slide Separation of Duties

Task Responsible

Operation of Database and Instance

(Create, Parameterize, Instance tuning,

Patching, Updates, Tablespace-

Management, )

Security Management

Create Realms, Define Objects which haveto be protected

Assign User to Realms

Create application roles

Assign object privilege to roles/users

Account Management + assign roles

Create technical roles, initial assignment of

system privileges to roles (not application

roles!)

oracle database vault - what about the os accounts

Documents