
Oracle Security

Radoslav Rusinov
ING Wholesale Banking
Agenda

• The need of Security
• Information Security
• Securing Databases
• Securing Oracle
• Recommended Readings
• Conclusion

2 of 58
Why is security necessary?
• Security threats have grown monthly
• Unauthorized access to servers, databases and applications
• Worms / Viruses
• Software vulnerabilities
• Theft / Hacker intrusions
• Operator or user errors
• 70% of intrusions are internal

Security Breaches – Last Cases
• 25.02.2005 – Bank of America Corp. loses credit card info of 1.2M federal workers
• 08.04.2005 – Stolen computers from San Jose Medical Group contain data on 185,000 patients
• 12.04.2005 – Data broker LexisNexis Group said that hackers have stolen data of 310,000 people
• 14.04.2005 – British HSBC Bank PLC warns of stolen data of 180,000 credit card customers
• 15.04.2005 – Bulgarian National Cardiologic Hospital informs of an intrusion attack

Intrusions – Business Impact

• Damage to image and reputation
• Loss of customer confidence
• Loss of partner confidence
• Loss of business
• Impact on revenue
• Benefits competitors

Information Security
• Every organization should secure its information
• They should use a security management strategy

Information Security - Regulatory
• Health Insurance Portability and Accountability Act (HIPAA)
• Sarbanes-Oxley Act
• California SB 1386
• GLB – Gramm-Leach-Bliley Act
• MasterCard Site Data Protection (SDP)
• Payment Card Industry (PCI) Data Security Standard
• Visa USA Cardholder Information Security Program (CISP)
• ISO IEC 17799/BS7799 Standard

Information Security - Certifying

• Certification organizations – BSI, DNV, KPMG, Certification Europe, KEMA, JACO IS
• Vulnerability Assessment/Penetration Testing by information security audit companies – KPMG, PricewaterhouseCoopers
• SANS best practices in Information Security – URL: http://www.sans.org/rr/whitepapers/bestprac
• Information Security news – URL: www.computerworld.com/securitytopics/security

Information Security - Own Procedures

• Organizations can follow their own Information Security Standards
• Database security is an important part of these standards

Securing Databases - Layers

Securing Databases - Common Steps
• Write a database security procedure
• Record the current configuration
• Test and implement the procedure
• Record the OS configuration
• Record the database configuration
• Record the security configuration
• Monitor the environment
• Regular checks
• Update your security plan

Agenda
• The need of Security
• Information Security
• Securing Databases
• Securing Oracle
- OS Security
- Oracle Authentication
- Access to the Database
- Securing PUBLIC Role
- Initialization Parameters
- Application Security
- Auditing
- Securing the Network
- Availability
- Regular Checks
• Recommended Readings
• Conclusion

OS Security – Owner of Oracle software - 1/2
• Do not name the owner of the Oracle software “oracle”
• This is considered “security through obscurity”
• Limit access to the account that owns the Oracle software using mechanisms like “sudo”
• Create different users for every part of the Oracle software. Examples:
- Oralsnr – for the listener
- Oradb – for the database

OS Security – Owner of Oracle software - 2/2
• The user used to install Oracle should be a local one
• Prevent system administrators from accessing files owned by “oracle”
• The “oracle” account should not be a member of the admin group
• Check the members of the ORA_DBA / OSDBA group
• Only database administrators should be assigned to the ORA_DBA / OSDBA group

OS Security – File Permissions - 1/2
• Verify permissions for files under the ORACLE_BASE and ORACLE_HOME directories
• Disable the otrace utility – Metalink note: 192541.995
• Oracle processes should run under the Oracle software account (or ORA_DBA group)
• On Windows, Oracle services run under the “Local System Account” by default – this should be changed
• On Windows, restrict access to the directory C:\Program Files\Oracle

OS Security – File Permissions - 2/2
• Remove or restrict permissions on all saved script files after creating the database
• On Windows
- Restrict access to the Windows Registry
- Give Full Control over registry key HKEY_LOCAL_MACHINE\Software\Oracle to the account that will run Oracle Services
- Use regedt32.exe for changing Registry Security Policy
• If database backups are written to the system disks, verify the permissions for this directory

OS Security – Usernames and Passwords
• On Unix
- restrict the “ps” command at the OS level
- check the cron jobs
• Check the server for scripts that contain usernames and passwords
• Check all environment variables
• Check client machines for application configuration files
• Use secure IP communications

OS Security – Auditing
• Start OS-level auditing for unauthorized use of Oracle. For particular directories – tripwire
• For monitoring and analysing log files – swatch, logcheck
• For checking the integrity of Oracle binary and configuration files – tripwire, samhain, AIDE
• Oracle provides a tool for monitoring OracleAS – iHAT
• Save audit log files on secured remote servers
• Check processes regularly

Oracle Authentication – Password Policy
• All employees that are using the database must have their own accounts
• Use Oracle password management features:
    -- tighten the DEFAULT profile: lock after 3 failed logins, expire after 60 days,
    -- limit password reuse, keep the account locked for 1 day
    alter profile default
      limit failed_login_attempts 3
            password_life_time 60
            password_reuse_max 20
            password_lock_time 1;
• User passwords should be changed on a regular basis
• Create different profiles for different types of users

Oracle Authentication – Weak Passwords

• Enable a password verification function
• Check for default accounts that are installed as part of the Oracle installation
• Check application accounts for username/password matching
• Check for weak passwords
• Check for roles with default passwords
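As an added example (not from the deck), a custom password verification function that implements the weak-password checks above and is attached to the profile from the previous slide. It has to be created in the SYS schema; the function name my_verify_pw, the limits and the list of rejected values are assumptions.

```sql
-- Added example, not from the deck. Oracle calls this function with the
-- username, the new password and (when supplied) the old password; it
-- must return TRUE or raise an error. Create it as SYS.
CREATE OR REPLACE FUNCTION my_verify_pw (
    username     VARCHAR2,
    password     VARCHAR2,
    old_password VARCHAR2)
RETURN BOOLEAN
IS
    v_has_digit BOOLEAN := FALSE;
    v_has_alpha BOOLEAN := FALSE;
    v_diff      PLS_INTEGER := 0;
BEGIN
    -- Minimum length (assumed limit)
    IF LENGTH(password) < 8 THEN
        raise_application_error(-20001, 'Password must be at least 8 characters');
    END IF;
    -- Must not equal or contain the username (the "username/password matching" check)
    IF INSTR(UPPER(password), UPPER(username)) > 0 THEN
        raise_application_error(-20002, 'Password must not contain the username');
    END IF;
    -- At least one letter and one digit
    FOR i IN 1 .. LENGTH(password) LOOP
        IF SUBSTR(password, i, 1) BETWEEN '0' AND '9' THEN
            v_has_digit := TRUE;
        ELSIF UPPER(SUBSTR(password, i, 1)) BETWEEN 'A' AND 'Z' THEN
            v_has_alpha := TRUE;
        END IF;
    END LOOP;
    IF NOT (v_has_digit AND v_has_alpha) THEN
        raise_application_error(-20003, 'Password needs both letters and digits');
    END IF;
    -- Reject well-known Oracle default passwords (extend this list as needed)
    IF UPPER(password) IN ('CHANGE_ON_INSTALL', 'MANAGER') THEN
        raise_application_error(-20004, 'Password is a well-known default');
    END IF;
    -- Must differ from the previous password in at least 3 positions
    IF old_password IS NOT NULL THEN
        FOR i IN 1 .. LEAST(LENGTH(password), LENGTH(old_password)) LOOP
            IF SUBSTR(password, i, 1) <> SUBSTR(old_password, i, 1) THEN
                v_diff := v_diff + 1;
            END IF;
        END LOOP;
        IF v_diff + ABS(LENGTH(password) - LENGTH(old_password)) < 3 THEN
            raise_application_error(-20005, 'Too similar to the previous password');
        END IF;
    END IF;
    RETURN TRUE;
END;
/
-- Attach the function to the profile from the previous slide
ALTER PROFILE default LIMIT password_verify_function my_verify_pw;
```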

Access to the Database - 1/3

• Limit access to roles whose names contain _CATALOG_
• Use manually created roles
• Roles that are powerful should be password protected
• Use a password-protected role when DML is used
• Check for users or roles granted privileges with “all privileges”, “any”, “with admin” or “with grant”
• Review the system privileges granted to users

Access to the Database - 2/3

• Check for directly granted privileges on objects; use roles instead
• Check for granted “CREATE LIBRARY”, “ALTER SYSTEM” or “CREATE PROCEDURE”
• Check for users that have the “CREATE ANY DIRECTORY” privilege
• Check for users that have the “CREATE JOB” or “CREATE ANY JOB” privilege (10G)
• Check user objects in the SYSTEM tablespace

Access to the Database - 3/3

• Check for “external” users
• Revoke the RESOURCE role from user accounts
• Revoke the CONNECT role from user accounts
• Check for users with the “CREATE ANY TRIGGER” privilege
• Check for users that have access to data dictionary views and tables
• Check for users that have the “SELECT ANY TABLE” privilege
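An added example, not from the deck: a single data-dictionary query, run as a DBA, that performs the checks from the three "Access to the Database" slides in one pass. The accounts excluded as Oracle-maintained are an assumption to adjust for the installation at hand.

```sql
-- Added example, not from the deck. Each UNION branch is one of the
-- checks from the slides; the "kind" column says which. The excluded
-- grantees are assumed Oracle-maintained accounts; extend as needed.
WITH excluded AS (
    SELECT 'SYS' AS grantee FROM dual UNION ALL
    SELECT 'SYSTEM'         FROM dual UNION ALL
    SELECT 'DBA'            FROM dual UNION ALL
    SELECT 'DBSNMP'         FROM dual
)
-- 1. ANY privileges (covers CREATE ANY DIRECTORY/JOB/TRIGGER, SELECT ANY
--    TABLE), the other privileges named on the slides, and WITH ADMIN OPTION
SELECT CAST('SYS_PRIV' AS VARCHAR2(16)) AS kind, grantee,
       privilege AS detail, admin_option AS flag
FROM   dba_sys_privs
WHERE  grantee NOT IN (SELECT grantee FROM excluded)
AND   (privilege LIKE '%ANY%'
       OR privilege IN ('CREATE LIBRARY', 'ALTER SYSTEM',
                        'CREATE PROCEDURE', 'CREATE JOB')
       OR admin_option = 'YES')
UNION ALL
-- 2. _CATALOG_ roles, CONNECT/RESOURCE, and roles granted WITH ADMIN OPTION
SELECT 'ROLE', grantee, granted_role, admin_option
FROM   dba_role_privs
WHERE  grantee NOT IN (SELECT grantee FROM excluded)
AND   (granted_role LIKE '%\_CATALOG\_%' ESCAPE '\'
       OR granted_role IN ('CONNECT', 'RESOURCE')
       OR admin_option = 'YES')
UNION ALL
-- 3. Object privileges granted directly to users instead of roles; rows
--    whose owner is SYS are the data-dictionary access to review first
SELECT 'DIRECT_OBJ_PRIV', p.grantee,
       p.owner || '.' || p.table_name || ' ' || p.privilege, p.grantable
FROM   dba_tab_privs p
JOIN   dba_users u ON u.username = p.grantee
WHERE  p.grantee NOT IN (SELECT grantee FROM excluded)
UNION ALL
-- 4. Externally authenticated users (pre-11g dba_users.password;
--    later releases expose authentication_type = 'EXTERNAL' instead)
SELECT 'EXTERNAL_USER', username, password, NULL
FROM   dba_users
WHERE  password = 'EXTERNAL'
UNION ALL
-- 5. User objects stored in the SYSTEM tablespace
SELECT 'IN_SYSTEM_TS', owner, segment_name, segment_type
FROM   dba_segments
WHERE  tablespace_name = 'SYSTEM'
AND    owner NOT IN ('SYS', 'SYSTEM', 'OUTLN')
ORDER  BY 1, 2, 3;
```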

Securing PUBLIC Role - 1/3
• Grant privileges to appropriate users before
revoking
• revoke all on utl_tcp from public;
• revoke all on utl_http from public;
• revoke all on utl_smtp from public;
• revoke all on utl_file from public;
• revoke all on dbms_random from public;
• revoke all on dbms_lob from public;
• revoke all on dbms_sql from public;

Securing PUBLIC Role - 2/3
• revoke all on dbms_sys_sql from public;
• revoke all on dbms_job from public;
• revoke all on dbms_scheduler from public;
• revoke all on owa_util from public;
• revoke all on utl_xml from public;
• revoke all on dbms_java_test from public;
• revoke all on dbms_lock from public;
• revoke all on dbms_pipe from public;

Securing PUBLIC Role - 3/3
• revoke select on all_db_links from public;
• revoke select on all_users from public;
• revoke select on all_catalog from public;
• revoke select on all_java_classes from public;
• revoke select on all_source from public;
• revoke select on all_tab_privs from public;
• Check all PUBLIC execute privileges on packages owned by SYS (XMLDB problem)
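Added example (not part of the deck): a DBA query that lists what PUBLIC can still execute among SYS-owned packages and select among the dictionary views named on the three slides, marks the ones the slides cover, and generates the matching REVOKE for each row.

```sql
-- Added example, not from the deck. Run as a DBA before and after the
-- revokes; the "status" column separates the slides' list from other
-- SYS packages PUBLIC can execute, which are the "check all" item.
SELECT p.table_name, p.privilege,
       CASE WHEN p.table_name IN (
                 'UTL_TCP', 'UTL_HTTP', 'UTL_SMTP', 'UTL_FILE', 'DBMS_RANDOM',
                 'DBMS_LOB', 'DBMS_SQL', 'DBMS_SYS_SQL', 'DBMS_JOB',
                 'DBMS_SCHEDULER', 'OWA_UTIL', 'UTL_XML', 'DBMS_JAVA_TEST',
                 'DBMS_LOCK', 'DBMS_PIPE')
            THEN 'ON SLIDES' ELSE 'REVIEW' END AS status,
       -- ready-to-run statement for the rows you decide to revoke
       'REVOKE EXECUTE ON ' || p.owner || '.' || p.table_name
           || ' FROM PUBLIC;' AS fix
FROM   dba_tab_privs p
JOIN   dba_objects  o ON o.owner = p.owner AND o.object_name = p.table_name
WHERE  p.grantee     = 'PUBLIC'
AND    p.owner       = 'SYS'
AND    p.privilege   = 'EXECUTE'
AND    o.object_type = 'PACKAGE'
UNION ALL
-- dictionary views the third slide revokes SELECT on
SELECT p.table_name, p.privilege, 'ON SLIDES',
       'REVOKE SELECT ON ' || p.owner || '.' || p.table_name || ' FROM PUBLIC;'
FROM   dba_tab_privs p
WHERE  p.grantee   = 'PUBLIC'
AND    p.owner     = 'SYS'
AND    p.privilege = 'SELECT'
AND    p.table_name IN ('ALL_DB_LINKS', 'ALL_USERS', 'ALL_CATALOG',
                        'ALL_JAVA_CLASSES', 'ALL_SOURCE', 'ALL_TAB_PRIVS')
ORDER  BY 3, 1;
```

Run the generated statements only after the grants to the specific accounts that need these packages are in place, as the first slide says.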
Initialization Parameters - 1/2
• Check user_dump_dest, background_dump_dest and core_dump_dest
• Set global_names=TRUE
• Set max_enabled_roles=30
• Set os_authent_prefix="" (a null string)
• Set os_roles=FALSE
• Set o7_dictionary_accessibility=FALSE
• Set remote_os_authent=FALSE
• Set remote_os_roles=FALSE
• Set remote_listener="" (a null string)
• Set sql92_security=TRUE

Initialization Parameters - 2/2
• Set row_locking=ALWAYS
• Set remote_login_passwordfile=NONE
• Avoid using the utl_file_dir parameter
• Set dblink_encrypt_login=TRUE. For “client to server” connections set the ORA_ENCRYPT_LOGIN=TRUE environment variable
• Set transaction_auditing=TRUE
• Check whether IFILE is used
• Periodically check the instance

Initialization Parameters - Hidden
• Set _trace_file_public=FALSE
• Set _system_trig_enabled=TRUE
• Review all hidden parameters on a regular basis
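Added example (not from the deck): compare the running instance with the values recommended on the three "Initialization Parameters" slides and list only the deviations. It must run as SYS because the hidden parameters are read from the x$ fixed tables; some of the listed parameters exist only in older releases and are reported as not present.

```sql
-- Added example, not from the deck. "expected" holds the slides' values
-- (NULL = the null string); "running" is v$parameter plus the hidden
-- parameters from x$ksppi/x$ksppcv, which v$parameter does not show.
WITH expected AS (
    SELECT CAST('global_names' AS VARCHAR2(64)) AS name,
           CAST('TRUE' AS VARCHAR2(64))         AS want FROM dual UNION ALL
    SELECT 'max_enabled_roles',           '30'     FROM dual UNION ALL
    SELECT 'os_authent_prefix',           NULL     FROM dual UNION ALL
    SELECT 'os_roles',                    'FALSE'  FROM dual UNION ALL
    SELECT 'o7_dictionary_accessibility', 'FALSE'  FROM dual UNION ALL
    SELECT 'remote_os_authent',           'FALSE'  FROM dual UNION ALL
    SELECT 'remote_os_roles',             'FALSE'  FROM dual UNION ALL
    SELECT 'remote_listener',             NULL     FROM dual UNION ALL
    SELECT 'sql92_security',              'TRUE'   FROM dual UNION ALL
    SELECT 'row_locking',                 'ALWAYS' FROM dual UNION ALL
    SELECT 'remote_login_passwordfile',   'NONE'   FROM dual UNION ALL
    SELECT 'utl_file_dir',                NULL     FROM dual UNION ALL
    SELECT 'dblink_encrypt_login',        'TRUE'   FROM dual UNION ALL
    SELECT 'transaction_auditing',        'TRUE'   FROM dual UNION ALL
    SELECT '_trace_file_public',          'FALSE'  FROM dual UNION ALL
    SELECT '_system_trig_enabled',        'TRUE'   FROM dual
),
running AS (
    SELECT name, value FROM v$parameter
    UNION ALL
    SELECT i.ksppinm, v.ksppstvl
    FROM   x$ksppi i JOIN x$ksppcv v ON v.indx = i.indx
    WHERE  i.ksppinm LIKE '\_%' ESCAPE '\'
)
SELECT e.name,
       NVL(e.want, '<empty>') AS recommended,
       NVL(r.value, CASE WHEN r.name IS NULL THEN '<NOT PRESENT>'
                         ELSE '<empty>' END) AS current_value
FROM   expected e
LEFT   JOIN running r ON r.name = e.name
-- report missing parameters and any value that differs (case-insensitive)
WHERE  r.name IS NULL
   OR  NVL(UPPER(r.value), '<empty>') <> NVL(UPPER(e.want), '<empty>')
ORDER  BY e.name;
```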

Application Security – 1/4
• Wrap the PL/SQL application code
• Checksum the PL/SQL source code and Java classes
    -- sums OWA_OPT_LOCK.CHECKSUM over every line of TEST_PKG in USER_SOURCE;
    -- run with SET SERVEROUTPUT ON to see the result
    DECLARE
        v_counter NUMBER;
    BEGIN
        v_counter := 0;
        FOR c IN (SELECT text FROM user_source
                  WHERE name = 'TEST_PKG' ORDER BY line) LOOP
            v_counter := v_counter + owa_opt_lock.checksum(c.text);
        END LOOP;
        dbms_output.put_line('checksum: ' || v_counter);
    END;
    /
• Check the code for hard coded passwords

Application Security – 2/4
• Check the PL/SQL code for SQL injection and PL/SQL injection possibilities. Some guidelines:
- use bind variables
- review new code for security compliance
- secure the PUBLIC role
- do not use dynamic SQL and PL/SQL
- use input filtering for web-based PL/SQL
• Protect your web-based applications against Cross-Site Scripting: use output filtering
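An added example, not from the deck: the dynamic-SQL pattern the guidelines warn about, beside its bind-variable form, using an assumed schema APP with a CUSTOMERS table.

```sql
-- Added example, not from the deck. Schema APP, table CUSTOMERS and the
-- procedure names are assumptions.

-- Vulnerable: the caller's input is spliced into the SQL text, so it can
-- change the statement itself rather than just the value being compared
CREATE OR REPLACE PROCEDURE app.get_city_unsafe (p_name IN  VARCHAR2,
                                                 p_city OUT VARCHAR2)
IS
BEGIN
    EXECUTE IMMEDIATE
        'SELECT city FROM app.customers WHERE name = ''' || p_name || ''''
        INTO p_city;
END;
/

-- Hardened: same query with a bind variable; the input is only ever data.
-- The statement text is constant, so it is also parsed once and shared.
CREATE OR REPLACE PROCEDURE app.get_city_safe (p_name IN  VARCHAR2,
                                               p_city OUT VARCHAR2)
IS
BEGIN
    EXECUTE IMMEDIATE
        'SELECT city FROM app.customers WHERE name = :name'
        INTO p_city USING p_name;
END;
/

-- Identifiers (table or column names) cannot be bound. When one must be
-- supplied at run time, validate it before concatenation; DBMS_ASSERT
-- exists from 10g Release 2, older releases need an explicit whitelist.
CREATE OR REPLACE PROCEDURE app.count_rows (p_table IN  VARCHAR2,
                                            p_count OUT NUMBER)
IS
BEGIN
    EXECUTE IMMEDIATE
        'SELECT COUNT(*) FROM app.' || DBMS_ASSERT.SIMPLE_SQL_NAME(p_table)
        INTO p_count;
END;
/
```

Static SQL (a plain SELECT INTO inside the PL/SQL body) is bound automatically and is the first choice; EXECUTE IMMEDIATE is only for statements whose text genuinely has to vary.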

Application Security – 3/4

• Check which applications access the database
• Control which applications access your database
• Review the grants of the application account
• Batch processes should use their own account
• Encrypt critical application data
• Write procedures for adding new applications
• Write procedures for employee movers, leavers and joiners
• Secure test and development databases

Application Security – 4/4
• Restrict access to SQL*Plus
• Disable iSQL*Plus or limit access to it.
• Restrict access to debugging interfaces
- Oradebug
- DBMS_DEBUG
- JDeveloper
- Oracle tracing
• Do not publish information about your production environments. Try Google.com

Auditing – 1/2
• Set audit_trail=DB or OS
• Prefer OS auditing over DB auditing
• Audit SYS activities
• Audit DML failures
• Audit CREATE SESSION
• Audit use of GRANT, DROP and ALTER statements on application accounts
• Audit CREATE USER and CREATE ROLE on application accounts
• Audit CREATE statements on application accounts

Auditing – 2/2
• Audit employees' database accounts
• Use a process that monitors database activity and sends SMS or email alerts
• Consider row-level auditing
• Write procedures for protecting the generated audit information
• Review the generated audit logs regularly
• Logs to check for suspicious activity:
- on OS level – Event Viewer / syslog
- listener.log, sqlnet.log
- access_log, error_log, Apache.log
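Added example (not from the deck): standard auditing statements for the items on the two "Auditing" slides, followed by the review query a DBA would run over the trail. The application schema APP, its CUSTOMERS table and CARD_NO column are assumptions.

```sql
-- Added example, not from the deck. APP, CUSTOMERS and CARD_NO are
-- assumed names; everything else is standard Oracle auditing syntax.

-- Instance parameters (take effect after a restart). The deck prefers the
-- OS trail; DB keeps the trail queryable from SQL as shown at the end.
ALTER SYSTEM SET audit_trail = DB SCOPE = SPFILE;
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;  -- SYS activity

-- Every logon/logoff, and failed DML against any table
AUDIT CREATE SESSION;
AUDIT INSERT TABLE, UPDATE TABLE, DELETE TABLE WHENEVER NOT SUCCESSFUL;

-- User/role administration and system privilege grants, database-wide
AUDIT USER, ROLE, SYSTEM GRANT;

-- On the application account: CREATE/DROP of its objects, ALTER TABLE,
-- GRANT/REVOKE on its tables and procedures, and CREATE USER/ROLE
AUDIT TABLE, PROCEDURE, TRIGGER, VIEW, SEQUENCE, INDEX,
      ALTER TABLE, GRANT TABLE, GRANT PROCEDURE, USER, ROLE
   BY app;

-- Row-level ("fine-grained") auditing: record who reads the card number
BEGIN
    DBMS_FGA.ADD_POLICY(object_schema   => 'APP',
                        object_name     => 'CUSTOMERS',
                        policy_name     => 'CARD_NO_READ',
                        audit_column    => 'CARD_NO',
                        statement_types => 'SELECT');
END;
/

-- Review: failed logons (ORA-01017) in the last 24 hours, per source.
-- Many failures from one host against one or many accounts is the
-- pattern to escalate.
SELECT username, os_username, userhost, COUNT(*) AS failures,
       MIN(timestamp) AS first_seen, MAX(timestamp) AS last_seen
FROM   dba_audit_session
WHERE  returncode = 1017
AND    timestamp > SYSDATE - 1
GROUP  BY username, os_username, userhost
HAVING COUNT(*) >= 5
ORDER  BY failures DESC;
```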

Securing the Network – 1/2
• Secure the listener
• Create separate listeners for clients and for administration
• Configure Oracle to use your firewall (Windows)
• Use a personal firewall on all database administration computers
• Accept connections only from a short list of IP addresses
• Search for sqlnet.log files on the server and client machines
• Set log_directory_client in sqlnet.ora

Securing the Network – 2/2

• Secure the database links in use. Their passwords are stored in clear text in the sys.link$ table
• Write a policy for managing database links
• Check with a port scanner for open default ports
• Secure the Intelligent Agent
• Encrypt communication between all Oracle clients and the database. Use IPSec or SSL

Availability
• Review backup and restore procedures
• Check the backup media integrity periodically
• Backups should be available only off-site
• Write procedures for backup tape retrieval to prevent social engineering
• Format (wipe) all old and no-longer-used disks (tools such as DUL and BBED can read data straight from raw data files)
• Secure the fallback databases as if they were production ones
• Write and test disaster recovery procedures

Regular Checks
• Check for unauthorized changes
• Monitor the audited information
• Review members of the ORA_DBA/OSDBA groups
• Review the recorded database configuration
• Monitor listener.log for brute force attacks
• Test the disaster recovery procedures
• Test the recovery procedures
• Install the latest Oracle security patches
• Stay up-to-date with the latest known Oracle vulnerabilities (mailing lists and sites)

Recommended Readings - Papers
• Oracle Database Security Benchmark - http://www.cisecurity.org/bench_oracle.html
• SANS Oracle Database Checklist - http://www.sans.org/score/checklists/Oracle_Database_Checklist.pdf
• Oracle Security Papers - http://www.petefinnigan.com/orasec.htm
• Oracle 10G – Security Guide
• Protecting Oracle Databases – white paper

Recommended Readings - Sites
• http://www.petefinnigan.com/
• http://www.cisecurity.org/
• http://www.protegrity.com/
• http://www.nextgenss.com/
• http://www.appsecinc.com/
• http://www.sans.org/
• http://www.iss.net/
• http://www.securityfocus.com/
• http://otn.oracle.com/deploy/security
• http://www.computerworld.com/securitytopics/security

Recommended Readings – Books

• Oracle Database Security, Audit & Control Features (PricewaterhouseCoopers – 2004)
• Security, Audit & Control Features Oracle Applications: A Technical and Risk Management Reference Guide (Deloitte & Touche Tohmatsu Research Team – 2003)
• Oracle Security Handbook: Implement a Sound Security Plan in Your Oracle Environment (Oracle Press – 2001)
• Oracle Security (O’Reilly – 1998)
• Book cover slides linked to: http://www.amazon.com/exec/obidos/tg/detail/-/0974372749/qid=1111427975 and http://www.amazon.com/exec/obidos/tg/detail/-/0072231300/qid=1091002374

Conclusion
• Do not wait to be hacked
• Implement some security policy
• Stay up-to-date
• Improve the policy repeatedly
• The mentioned steps are not rules – they are information
• Do not implement everything – balance between security, performance and usability

Questions or Comments

Radoslav Rusinov

Radoslav.Rusinov@dir.bg
Radoslav.Rusinov@gmail.com
