oracle 11g anti-hackers cookbook


Document information

Oracle 11g Anti-hacker's Cookbook

Over 50 recipes and scenarios to hack, defend, and secure your Oracle Database

Adrian Neagu

BIRMINGHAM - MUMBAI

Oracle 11g Anti-hacker's Cookbook

Copyright © 2012 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

First published: October 2012
Production Reference: 1181012

Published by Packt Publishing Ltd., Livery Place, 35 Livery Street, Birmingham B3 2PB, UK.

ISBN 978-1-84968-526-9

www.packtpub.com

Cover Image by Mark Holland (m.j.g.holland@bham.ac.uk)

Credits

Author: Adrian Neagu
Reviewers: Bogdan Dragu, Gabriel Nistor, Steven Macaulay, Laszlo Toth
Acquisition Editor: Rukhsana Khambatta
Lead Technical Editors: Sweny M. Sukumaran, Sonali Tharwani
Technical Editors: Madhuri Das, Jalasha D'costa, Worrell Lewis
Copy Editor: Insiya Morbiwala
Project Coordinator: Yashodhan Dere
Proofreader: Maria Gould
Indexer: Rekha Nair
Graphics: Aditi Gajjar, Valentina D'silva
Production Coordinator: Arvindkumar Gupta
Cover Work: Arvindkumar Gupta

Foreword

When I first became aware of Adrian Neagu's intent to author a book on Oracle security, I sent him a congratulatory note. This is an important subject area, and I felt a special need to pass on my best wishes. His first book, IBM DB2 9.7 Advanced Administration Cookbook, Packt Publishing, had a chapter devoted to database security that shared some of the knowledge he had learned as an IBM Certified Advanced DB2 Administrator. I was excited to hear that he was now going to put on paper some of the knowledge he has gained from real-world security experiences as an Oracle Certified Master Database Administrator. He was going to help educate Oracle IT professionals on techniques they could use to protect the data and server assets placed under their stewardship.

The title he chose for his second book, Oracle 11g Anti-hacker's Cookbook, really grabbed my attention as well. The book's title seemed to conjure up images of evildoers on the internet placing their sights on attacking systems and attempting to steal or compromise the data they contained. We've all heard stories about hackers that have broken into systems and stolen our data. They've actually gotten some of my personal data by compromising the systems of a couple of companies whose products I have purchased. The same group or others like them may have taken some of your data as well. There are bad guys out there, and there are certainly many that try to get into systems for amusement, malice, or profit. But hackers are not the only ones that can harm or inappropriately access your data. I've been personally involved in situations in which identified risks were traced back to an authorized internal user who was doing some things he or she should not have done. Those situations could have been prevented with some of the controls described in this book. They may not have been available then, but they are available now in the enhanced Oracle 11g security-oriented features.

As someone who has worked with databases for over 20 years, across a number of industries including aerospace, manufacturing, financial, government, educational, and retail, I've seen firsthand how reducing security risks has become more and more a key part of an Oracle professional's responsibilities. What interested me about Adrian's latest book endeavor was that it offered an opportunity to help educate more people about the increasingly important topic of database security. The cookbook and recipe approach he had chosen to use sounded like an interesting way to convey the main concepts and techniques behind the threats he wanted to describe to the reader. More importantly, the recipes he was going to create were going to show some ways those security risks could be mitigated or reduced. He had me hooked and ready to read his book. The only problem for me at that time was that he hadn't completed it yet. Only a few of his recipes had been cooked up, and when I sat down to get an early taste, they were being brought to me one selection at a time. But the full course is now ready to be served. It's at your table and on your plate, and I recommend that you take the time to check out his menu of security-flavored delectables. There is a logical flow to his cookbook style, and certain recipes do build on and complement each other, so I would suggest starting from the beginning. But don't be afraid to dive straight into any selection that piques your appetite. You will learn something important about Oracle security no matter where you start or end, and that's the main desire of this IT chef.

Unless you have spent many years working in the area of database security, there is a good chance that you may have never tasted beforehand some of the recipes he presents. Have you ever really seen how a hacker can hijack a database session? If not, there is a recipe that shows you how it can be done. Have you tried to crack a password for a trusted Oracle account? There's a recipe for that too. Do you know how to keep the privileged root user from modifying important database files such as listener.ora? If not, you will learn how to lock this down tight, in another recipe. Has a hacker or malicious user gotten in and modified something in the database or in a file that shouldn't have been changed? You will find out how to know that it has occurred and how to prevent it from happening, with some of his audit and modification detection and prevention recipes.

You'll also sample some information related to limiting access to trusted users such as database administrators. In the past, this group usually had the keys to your data kingdom. They could see and do anything they needed or wanted, there. Sure, you could trust them. You knew their name and they sat right next to you at the office table. But is that the case anymore? Does your junior DBA staff need as much access as your senior DBA staff? Do your systems administrators need to see your database data? Does your remote contractor resource need access to everything, or do they only have to be able to do the tasks you want them to do and see only the data they really need to see to do their job? With powerful Oracle 11g features such as Database Vault, if your risk profile and data sensitivity needs warrant it, you can place tighter restrictions on what a DBA user can and cannot do with your data. There is a recipe that will help show you that as well.

If you want to encrypt your data so it can't be deciphered by someone that may have access to it but doesn't need to know what it is, there are recipes here that are going to help explain how to do this too. You probably also have certain regulatory requirements that require you to prove to auditors that you know who can do what in your database as well as what they have been doing. Guess what? The Audit Vault recipes are going to help you here.

There are a lot of recipes that Adrian has cooked up for you in his book. Some of them you will want to devour right away, while others you will want to consume a little slower and over time. Regardless of whether you are hungry and craving for this information or just want a little taste to whet your appetite for knowledge in this area, I think you will find that his cookbook approach is both satisfying and hits the intended mark. There is a lot of subject matter to digest, but it doesn't have to all be taken in at one sitting. Walk away when you are full, and come back for some more when you need to charge up again. The nourishment provided by the security-oriented knowledge contained in the book's recipes will help you grow. As you gain strength by learning more, your ability to protect your systems and data will increase as well.

It's time to start learning. I hope you will like the educational security meal Adrian has prepared as much as I did. He's a good cook. Enjoy!

Steven Macaulay
CISSP, OCP, MIS

About the Author

Adrian Neagu has over ten years of experience as a database administrator, mainly with DB2 and Oracle databases. He is an Oracle Certified Master 10g, Oracle Certified Professional 9i, 10g, and 11g, IBM DB2 Certified Administrator version 8.1.2 and 9, IBM DB2 9 Advanced Certified Administrator 9, and Sun Certified System Administrator Solaris 10. He is an expert in many areas of database administration such as performance tuning, high availability, replication, backup, and recovery. In his spare time, he likes to cook, take photos, and to catch big pikes with huge jerkbaits and bulldawgs.

I would like to give many thanks to my family, to my daughter, Maia-Maria, and my wife, Dana, who helped and supported me unconditionally, also to my colleagues, my friends, Pete Finnigan, Laszlo Toth, Steven D. Macaulay, Rukhsana Khambatta, and the Packt Team and to all those who have provided me with invaluable advice.

About the Reviewers

Bogdan Dragu is a senior DBA certified with Oracle 8i, 9i, 10g, 11g, and with DB2. Although he has a business background, he began pursuing a career as a DBA after deciding to transform his interest in databases into a profession. Bogdan has over 10 years of experience as a DBA, working with Oracle databases for large organizations in various domains, and is currently working in the banking industry. Bogdan has also worked within Oracle for three years as a support engineer. Throughout his career, Bogdan was deeply involved in all areas of database administration, such as performance, tuning, high availability, replication, database upgrades, backup, and recovery, while particularly interested in performance tuning and data security. In his spare time, Bogdan enjoys playing the guitar and taking photos of his colleagues and friends.

Gabriel Nistor is a principal technologist working with a group called Platform Technology Solutions (PTS), which is a part of the Oracle Product Development's Server Technologies (ST) division. The group's mission is to help Oracle partners adopt and implement the latest and greatest of Oracle software.
Gabriel acts as a Technology Evangelist for Oracle within the EMEA (Europe, Middle East and Africa) region, enabling partners in the areas of Oracle Exalytics, Big Data Appliance, Endeca, Oracle Business Intelligence Enterprise Edition, BI Applications, Oracle Data Integrator, Essbase, Golden Gate, Real Time Decisions, Oracle Database Enterprise Edition (options inclusive), and Fusion Applications. He has foundation level experience with SOA, BPM, EPM, Oracle Exadata v1 (HP hardware) and v2 (Sun hardware), and know-how of developing with Oracle Exalogic and WCC (ECM). He has undertaken projects involving migration of third party databases to Oracle.

[...]

... after HOSTNAME=/nodeorcl1 add the ORACLE_HOME variable as follows:

HOSTNAME=nodeorcl1;
ORACLE_HOME="/u01/app/oracle/product/11.2.0/dbhome_1";

6. Add two new rules related to the Oracle software binaries and libraries (all files from $ORACLE_HOME/bin and $ORACLE_HOME/lib) and network configuration files (all files from $ORACLE_HOME/network/admin). The files ...

... and extproc back to $ORACLE_HOME/bin. Create a file named ha_script in /home/oracle with the SUID and SGID bits set, and a file with world-writeable permissions called ha_wwfile:

[root@nodeorcl1 ~]$ chmod o+r /u02/HACKDB/users01.dbf
[root@nodeorcl1 oracle]# touch ha_script
[root@nodeorcl1 oracle]# chmod u+s,g+s,u+x ha_script
[root@nodeorcl1 oracle]# touch ha_wwfile
[root@nodeorcl1 oracle]# chmod o+w ha_wwfile
...

... virtual machines, created with Oracle VirtualBox 4.1.12. As a preliminary task before we start, prepare the server environment in terms of kernel parameters, directories, users, groups, and software installation as instructed in Oracle Database Installation Guide 11g Release 2 (11.2) for Linux (http://docs.oracle.com/cd/E11882_01/install.112/e24321/toc.htm). Download and install Oracle Enterprise Edition ...

... the roll out of the satellite radio industry in the United States. He was one of the first Oracle Certified Professionals in the world, and he has been Oracle certified at multiple release levels. He has worked with Oracle database and application technologies across all release levels, from Oracle version 6 to Oracle 12c. He is a Certified Information Systems Security Professional (CISSP), and has earned ...

... contains the Oracle Database files (/u02/HACKDB). These files change frequently, and the $Dynamic summary mask should be appropriate here. Add the following three sections at the end of the twpolicy.txt file:

################################
# Oracle Libraries and Binaries #
################################
(
  rulename = "Oracle Binaries and Libraries",
  severity = 99,
)
{
  $(ORACLE_HOME)/bin
  $(ORACLE_HOME)/lib... $(ReadOnly);
}
#####################################
# Oracle Network Configuration Files #
#####################################
(
  rulename = "Oracle Network Configuration files",
  severity = 90,
)
{
  $(ORACLE_HOME)/network/admin -> $(ReadOnly);
}
##########################################
# Oracle Datafiles
##########################################
(
  rulename = "Oracle Datafiles",
  severity = 99,
...

... security measure we will move (normally in a production environment you should delete them) these files from the $ORACLE_HOME/bin directory to the /extprocjob directory:

[oracle@nodeorcl1 bin]# mv /u01/app/oracle/product/11.2.0/dbhome_1/bin/extproc /extprocjob
[oracle@nodeorcl1 bin]# mv /u01/app/oracle/product/11.2.0/dbhome_1/bin/extjob /extprocjob

8. Next, as root update the Tripwire database using the new ...

... 114
Chapter 4: Authentication and User Security 119
Chapter 5: Beyond Privileges: Oracle Virtual Private Database 145
Chapter 6: Beyond Privileges: Oracle Label Security 185
Chapter 7: Beyond Privileges: Oracle Database Vault 215
Introduction
Performing a security evaluation using Oracle Enterprise Manager
Using an offline Oracle password cracker
Using user profiles to enforce password policies
Using ...

... object
Added:
[x] "/home/oracle/ha_script"
[x] "/home/oracle/ha_wwfile"

Remove the "x" from the adjacent box to prevent updating the database with the new values for this object.
Added:
[x] "/u01/app/oracle/product/11.2.0/dbhome_1/bin/extproc"
[x] "/u01/app/oracle/product/11.2.0/dbhome_1/bin/extjob"
Modified:
[x] "/u01/app/oracle/product/11.2.0/dbhome_1/bin"
...

... kit]# echo "" >> /u01/app/oracle/product/11.2.0/dbhome_1/network/admin/listener.ora
bash: /u01/app/oracle/product/11.2.0/dbhome_1/network/admin/listener.ora: Permission denied

3. At this step, we will set a library as immutable. For example, to protect against disabling the Oracle Database Vault option, turn $ORACLE_HOME/rdbms/lib/libknlopt.a immutable:

chattr -V +i /u01/app/oracle/product/11.2.0/dbhome_1/rdbms/lib/ ...

... Beyond Privileges: Oracle Database Vault 215
Introduction 215
Creating and using Oracle Database Vault realms 216
Creating and using Oracle Vault command rules 223
Creating and using Oracle Database ...

Posted: 24/04/2014, 15:42


Table of contents

  • Cover

  • Copyright

  • Credits

  • Foreword

  • About the Author

  • About the Reviewers

  • www.PacktPub.com

  • Table of Contents

  • Preface

  • Chapter 1: Operating System Security

    • Introduction

    • Using Tripwire for file integrity checking

    • Using immutable files to prevent modifications

    • Closing vulnerable network ports and services

    • Using network security kernel tunables to protect your system

    • Using TCP wrappers to allow and deny remote connections

    • Enforcing the use of strong passwords and restricting the use of previous passwords

    • Restricting direct login and su access

    • Securing ssh login

  • Chapter 2: Securing the Network and Data in Transit

    • Introduction

    • Hijacking an Oracle connection
