
Oracle Database Vault

What about the OS Accounts?

Stefan Oehrli
Discipline Manager
Oracle Security
stefan.oehrli@trivadis.com
Geneva, 18.11.2009


Agenda
- Introduction
- Database Vault in a Nutshell
- Situation with Anonymous Accounts
- Approach and Challenges
- DBA and Operation Tasks
- Administrative Privileges (SYSDBA and SYSOPER)
- SUDO
- Miscellaneous
- Conclusion

Data Security Geneva 2009 - Oracle Database Vault What about the OS Accounts?

© 2009

Introduction
- Oracle Database Vault addresses common regulatory compliance requirements and reduces the risk of insider threats by:
  - Preventing highly privileged users (DBA) from accessing application data
  - Enforcing separation of duty
  - Providing controls over who, when, where and how applications, data and databases can be accessed.
  Source: Oracle Database Vault Home Page
- But is this enough to protect the whole Oracle environment?


Introduction
Excerpt from the Oracle Database Vault Administrator's Guide, Appendix D:
"Managing Root and Operating System Access
Oracle Database Vault does not prevent highly privileged operating system users from directly accessing database files. For this kind of protection, use transparent data encryption ..... Carefully review and restrict direct access to the operating systems.
You should have personalized accounts access the operating system. These personalized accounts should, in the Linux or UNIX environments, login using sudo to the oracle software owner when needed. With sudo, you can control which specific command each personalized user can execute. Be sure to prevent the use of the make, relink, gdb, or other commands that could potentially harm the DB…"
Data Security Geneva 2009 - Oracle Database Vault What about the OS Accounts?

© 2009

Introduction
- This section at the very end of the documentation can cause some confusion
- To some extent Database Vault is sold as a complete security solution, but it needs some additional considerations.
- This information should be placed more centrally in the documentation.
- This presentation covers the following questions:
  - What is covered by Database Vault?
  - Why personalized accounts?
  - Possible solutions and concepts?
  - Challenges for the design and the implementation?
  - Configuration of SYSOPER / SYSDBA?
  - Configuration and application of sudo?


Database Vault in a Nutshell
- Another Oracle security innovation to protect from
  - DBA respectively SYSDBA
  - High system privileges like "SELECT ANY TABLE", "EXEMPT ACCESS POLICY"
- Available as an Enterprise Edition option
  - Separate download for 10g and 9i
  - Integrated component within Oracle 11g R1 and R2

Database Vault in a Nutshell
- Additional layer within the Oracle kernel
- New components added by Database Vault
  - Realms
  - Command Rules
  - Factors
  - Rule Sets
- Extended functionality for
  - Secure Application Roles
  - Label Security integration
- No impact on object grants (except for command rules)
  - Command rules can restrict any select statement
Source: Oracle Database Vault, An Oracle White Paper, June 2007

Database Vault – Data Privacy and Data Theft (1)
- Access to data through an instance is protected by database authentication, authorization and auditing (AAA)
- Authorizations for data can be defined at row level (Virtual Private Database, Label Security)
[Figure: End User, Developer and DBA access the Instance (Virtual Private Database, Label Security), which in turn accesses the Database Files]

Database Vault – Data Privacy and Data Theft (2)
- How to authorize users based on criteria like time, network protocol or IP of the client? (Virtual Private Database, Database Vault, Secure Application Roles)
- But what about the system privileges like "SELECT ANY TABLE", "EXEMPT ACCESS POLICY" and so on, which are granted to DBAs and enabled for connections through SYSDBA? (Database Vault)

Database Vault – Data Privacy and Data Theft (3)
- Database AAA does not protect access to shared memory and data files! (Transparent Data Encryption)
- And what about backups? (RMAN Backup Encryption)
[Figure: End User, Developer and DBA go through the Instance; a hacker reads the Database Files directly, bypassing the instance]

Database Vault – Eavesdropping and Hijacking
[Figure: End User, Developer, DBA (Alice) talk over Oracle Net to the Database Server (Bob); a hacker sits on the wire. Countermeasure: Oracle Advanced Security]


Situation with Anonymous Accounts
- Administration tasks are not traceable
  - When and who did a listener or database restart, who changed the environment (e.g. shell settings)?
  - Auditing on the OS is only partially reasonable: it is possible to see that user oracle did something, but who logged in as oracle?
  - Installation of software / patch sets / CPUs is not traceable
  - Compliance according to SOX, Basel II, etc. is not possible
- Security protection mechanisms can be bypassed at any time
  - Relink the Oracle binaries to switch off Database Vault
  - Direct access to data files and/or memory
  - OSDBA, OSOPER and OSASM are usually not defined or left at the default

Dynamically Relink
- On some OS and database versions it is possible to relink the oracle binaries even while the database is running. After relinking with Database Vault switched off, the data can be accessed without any restriction.
    cd $ORACLE_HOME/rdbms/lib
    make -f ins_rdbms.mk dv_off
    cd $ORACLE_HOME/bin
    relink oracle
- A warning will be shown in the alert log, but the very same message also tells how the warning can be suppressed…
    WARNING: Oracle executable binary mismatch detected.
    Binary of new process does not match binary which started instance
    issue alter system set "_disable_image_check" = true to disable these messages
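Because the only built-in signal of a relink is an alert-log line that the same person can switch off, the check has to live outside the database. The following script is an added example and not part of the original deck: it records a content hash together with inode and ctime of the oracle executable and later compares them, so that a relink (new binary content) is reported even when the alert-log message has been disabled. The binary path and the baseline file location are assumptions for the demo; in practice the baseline belongs somewhere the oracle account cannot write.

```shell
#!/bin/sh
# Added example (not part of the original deck): detect a relinked or replaced
# oracle executable by comparing it against a recorded baseline.
# Assumed paths (illustrative): the binary $ORACLE_HOME/bin/oracle and a
# baseline file writable by root only, e.g. /var/lib/oracle-baseline/oracle.sum.

# file_hash <file>: SHA-256 of the file content (GNU coreutils, BSD fallback)
file_hash() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# file_meta <file>: "<inode> <ctime-epoch>" (GNU stat first, BSD stat as fallback)
file_meta() {
    stat -c '%i %Z' "$1" 2>/dev/null || stat -f '%i %c' "$1"
}

# oracle_baseline <binary> <baseline-file>: record "hash inode ctime"
oracle_baseline() {
    printf '%s %s\n' "$(file_hash "$1")" "$(file_meta "$1")" > "$2"
}

# oracle_verify <binary> <baseline-file>
#   returns 0 if unchanged
#           1 if the content differs (this is what "relink oracle" produces)
#           2 if only inode/ctime differ (file re-created with identical content)
#           3 if the baseline cannot be read
oracle_verify() {
    read -r base_hash base_inode base_ctime < "$2" || return 3
    cur_hash=$(file_hash "$1")
    meta=$(file_meta "$1")
    cur_inode=${meta% *}
    cur_ctime=${meta#* }
    if [ "$cur_hash" != "$base_hash" ]; then
        echo "ALERT: $1 content differs from baseline (relink or replacement)"
        return 1
    fi
    if [ "$cur_inode" != "$base_inode" ] || [ "$cur_ctime" != "$base_ctime" ]; then
        echo "WARN: $1 was re-created (inode/ctime changed) but content is identical"
        return 2
    fi
    echo "OK: $1 matches baseline"
    return 0
}

# stand-alone use: oracle_check.sh baseline <file> | verify <file>
case ${1:-} in
    baseline) oracle_baseline "$ORACLE_HOME/bin/oracle" "${2:?baseline file}" ;;
    verify)   oracle_verify   "$ORACLE_HOME/bin/oracle" "${2:?baseline file}" ;;
esac
```

Run `verify` from root's cron and forward a non-zero exit to the monitoring system; a return code of 1 after a patch window is expected and should be followed by a new `baseline`, a 1 outside of a patch window is exactly the relink described above.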

Additional Possibilities
- Change passwords within the data file of the SYSTEM tablespace (see Trivadis training O-AI-DSI)
- Modify or access data directly within a data file


Approach and Challenges
Lifecycle phases and their protection level:
- Commissioning: no protection, functional accounts
- Acceptance
- Operation: personalized accounts, sudo, scripts etc.
- Intermediate acceptance: brings the system back into operation after the environment has been opened
- Decommissioning: no protection, functional accounts

Approach and Challenges
- There is no protection in the commissioning and decommissioning phases
- After the acceptance the functional account oracle is locked
- DBA and operation tasks are done via sudo, group privileges and scripts
- Usage of SYSOPER, SYSDBA and DBA has to be adjusted
- If the functional account or the environment is "opened", an intermediate acceptance has to be initiated
  - e.g. bigger changes, hardware replacement etc.

Approach and Challenges
- DBA and operation tasks have to be defined
  - Who has to do what and when? Who may access what, and how?
  - Create a catalog of tasks
- DBA and operation tasks are to be standardized on a high level, e.g. scripts for certain tasks are available
- A role concept within the DB must be available
- Adjustment of OSDBA and OSOPER is reasonable
- If not implemented properly there is a risk that loopholes will remain
- It is not possible to lock out the root account. Only monitoring and auditing are possible.


DBA and Operation Tasks
- Deployment of software, patch sets, CPUs and so on
- Stop / start database, agent and listener
- Accessing log and trace files (DBA)
- Accessing data files
- Maintain scripts
- Tuning, monitoring etc.
- Backup / restore
- Change initialization parameters

DBA and Operation Tasks

| Task | Type | Engineering | Operation | Application Operation |
|---|---|---|---|---|
| Initial installation | OS | As user oracle | n/a | n/a |
| Initial create database | DB | As user oracle | n/a | n/a |
| Patch set installation (software) | OS | sudo script (silent install) | n/a | n/a |
| Patch set installation (upgrade) | DB | SYSDBA or sudo script | n/a | n/a |
| CPU / OPatch installation | OS | sudo | n/a | n/a |
| DB start / stop | OS | sudo script or SYSOPER | sudo script or SYSOPER | n/a |
| Listener start / stop | OS | sudo script | sudo script | n/a |
| Agent / console start / stop | OS | sudo script | sudo script | n/a |

DBA and Operation Tasks (continued)

| Task | Type | Engineering | Operation | Application Operation |
|---|---|---|---|---|
| Additional DB tools (runInstaller, netca, dbca, dvca, etc.) | OS | sudo | sudo | n/a |
| Housekeeping of trace and log files | OS | script / cron job | script / cron job | Read trace files |
| Maintain scripts (development on the DBA server with version control) | OS | Deployment script | n/a | n/a |
| Monitoring | DB | Within DB / role | Within DB / role | n/a |
| Accounting | DB | n/a | Within DB / role | n/a |
| Space management (e.g. tablespaces) | DB | Within DB / role | Within DB / role | n/a |
| Backup & Recovery | DB | As SYSDBA or SYSOPER | | n/a |

Database Admin / Engineering
- Personalized Unix accounts with OSDBA or OSOPER group
- Stop / start database with sqlplus as SYSOPER
    sqlplus userxy/tiger@TMAC01 as sysoper
  (in practice do not pass the password on the command line, it is visible to everyone in the process list; let sqlplus prompt for it)
- Use scripts and sudo to stop / start listener, agents etc.
- Deployment of patches and software is done with scripts as a silent installation
- Housekeeping (permissions, truncate etc.) of log and trace files is done with scripts started by cron
- DBA tasks (alter system, alter tablespace etc.) are done via Grid Control and / or with personalized DBA accounts

DB Operation
- Personalized Unix accounts without OSDBA or OSOPER group
- Stop / start database with sqlplus as SYSOPER
    sqlplus userxy/tiger@oraemst as sysoper
- Use scripts and sudo to stop / start listener, agents etc.
- Limited access within the database. Required system privileges are granted by an operation role.
- Operators are working with personalized accounts

Additional Users
- Additional users like developers, account managers etc. only get access on the database level
- Access to log and trace files on special request
- Limited access within the database. Required system privileges (alter user, etc.) are granted by a dedicated role.
- All users are working with personalized accounts


Administrative Privileges
- There are two main administrative privileges in Oracle
  - SYSOPER
  - SYSDBA
  - And SYSASM since Oracle 11g
- SYSDBA and SYSOPER are special privileges as they allow access to a database instance even when it is not running
- The control of these privileges is entirely outside of the database itself
  - By certain OS groups which are linked into the binaries (OSDBA, OSOPER as well as OSASM since Oracle 11g)
  - By an Oracle password file

OSDBA / OSOPER groups on Unix (1)
- The OSDBA and OSOPER groups are chosen at installation time and usually both default to the group 'dba'
- These groups are compiled into the oracle executable and so are the same for all databases running from a given ORACLE_HOME
- Verify the groups
    cat $ORACLE_HOME/rdbms/lib/config.c
- Later change of the groups (a relink of the oracle binaries is required!)
    vi config.c                       # Adjust the groups
      => #define SS_DBA_GRP "osdba"
      => #define SS_OPER_GRP "osoper"
    mv config.o config.o.orig         # Backup of config.o
    make -f ins_rdbms.mk ioracle      # DBs must be stopped!

OSDBA / OSOPER groups on Unix (2)
- Usage of SYSDBA (SYSOPER is used similarly)
    eng001 : id
    uid=101(muster) gid=20(users) groups=30(dba),101(osoper)
    eng001 : sqlplus / as sysdba
    SQL*Plus: Release 10.2.0.4.0 - Production on Thu Feb 19 08:49:34 2009
    Copyright (c) 1982, 2007, Oracle. All Rights Reserved.
    Connected to:
    Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bit Production
    With the Partitioning, Data Mining and Real Application Testing options
    SQL>
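Before touching group membership it is worth knowing, per ORACLE_HOME, which OS groups actually grant "/ as sysdba" and "/ as sysoper" and who is in them. The following is an added example and not code from the deck: it reads the two #define lines out of rdbms/lib/config.c as shown on the previous slide and checks a group list against them. The two config.c contents and the group lists are constructed for the demo; the live check at the end uses the real groups of a user via id.

```shell
#!/bin/sh
# Added example (not part of the original deck): determine which OS groups give
# "/ as sysdba" and "/ as sysoper" on an ORACLE_HOME by reading the groups compiled
# into it (rdbms/lib/config.c), then check a user's group membership against them.
# Nothing is relinked; the file is only read.

# osgroup <config.c> <DBA|OPER>: print the group name behind SS_DBA_GRP / SS_OPER_GRP
osgroup() {
    # matches lines like:  #define SS_DBA_GRP "dba"
    sed -n "s/^[[:space:]]*#define[[:space:]]*SS_$2_GRP[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# in_group <group> <space-separated group list>: 0 if <group> is in the list
in_group() {
    for g in $2; do
        [ "$g" = "$1" ] && return 0
    done
    return 1
}

# admin_privs <config.c> <group list>: prints "SYSDBA:<group>" and/or "SYSOPER:<group>"
# for the privileges the groups grant on this ORACLE_HOME; returns 1 if neither applies
admin_privs() {
    dba_grp=$(osgroup "$1" DBA)
    oper_grp=$(osgroup "$1" OPER)
    found=1
    if [ -n "$dba_grp" ] && in_group "$dba_grp" "$2"; then
        echo "SYSDBA:$dba_grp"; found=0
    fi
    if [ -n "$oper_grp" ] && in_group "$oper_grp" "$2"; then
        echo "SYSOPER:$oper_grp"; found=0
    fi
    return $found
}

# admin_privs_for_user <ORACLE_HOME> <user>: live check with the user's real groups
admin_privs_for_user() {
    admin_privs "$1/rdbms/lib/config.c" "$(id -Gn "$2")"
}

# Constructed sample 1: the installation default, both groups are "dba" ...
DEFAULT_CONFIG='#define SS_DBA_GRP "dba"
#define SS_OPER_GRP "dba"'
# ... and sample 2: the split setup from the slide (osdba / osoper)
SPLIT_CONFIG='#define SS_DBA_GRP "osdba"
#define SS_OPER_GRP "osoper"'
```

With the default config.c every member of dba gets both SYSDBA and SYSOPER, which is why the deck recommends separate OSDBA and OSOPER groups; after the split, a member of the old dba group gets neither, so run admin_privs_for_user for every personalized account before relinking.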

SYSDBA / SYSOPER (1)
- To access a database as SYSDBA or SYSOPER over SQL*Net a password file is required
- Create a new password file
    oracle : orapwd file=${ORACLE_HOME}/dbs/orapw${ORACLE_SID} password=manager entries=5
- Define the according init.ora parameter
    SQL> alter system set remote_login_passwordfile='EXCLUSIVE' scope=spfile;

SYSDBA / SYSOPER (2)
- Add additional users with a grant
    SQL> grant SYSOPER to muster;
- List all users with SYSOPER or SYSDBA privileges
    SQL> select * from V$PWFILE_USERS;
    USERNAME                       SYSDB SYSOP
    ------------------------------ ----- -----
    SYS                            TRUE  TRUE
    SYSTEM                         FALSE TRUE
    MUSTER                         FALSE TRUE

Difference SYSOPER / SYSDBA
- The SYSOPER privilege allows operations such as:
  - Instance startup, mount & database open
  - Instance shutdown, dismount & database close
  - Alter database BACKUP, ARCHIVE LOG, and RECOVER
  - This privilege allows the user to perform basic operational tasks without the ability to look at user data.
- The SYSDBA privilege includes all SYSOPER privileges plus full system privileges (with the ADMIN option), plus 'CREATE DATABASE' etc.
  - This is effectively the same set of privileges that was available when connecting as INTERNAL previously.
- => With regard to Oracle Database Vault it makes sense to use SYSOPER/SYSDBA respectively OSDBA/OSOPER, and SYSOPER is the recommended one in this context.

SYSDBA vs. SYSOPER (1)

| Privilege | SYSDBA | SYSOPER |
|---|---|---|
| STARTUP and SHUTDOWN | yes | yes |
| CREATE/DROP DATABASE | yes | no |
| CREATE SPFILE | yes | yes |
| ALTER DATABASE OPEN/MOUNT | yes | yes |
| ALTER DATABASE ARCHIVELOG | yes | yes |
| ALTER DATABASE BACKUP/RECOVER | yes | yes (1) |

(1) only a complete recovery


SUDO
- sudo allows configuring which user or user group can execute which commands or scripts as a certain user, e.g. root or oracle
- It is possible to define a set of commands for different user groups, e.g. DBAs, operators, developers etc.
- Execution of any sudo command is written to syslog
    root : grep sudo /var/adm/syslog/syslog.log
    Feb 19 10:44:52 urania sudo: meier : TTY=pts/2 ; PWD=/home/meier ; USER=oracle ; COMMAND=/u00/app/oracle/product/10.2_1/bin/lsnrctl status
    Feb 19 10:44:56 urania sudo: meier : TTY=pts/2 ; PWD=/home/meier ; USER=root ; COMMAND=list
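The syslog entries above are what turns "user oracle did something" into "meier ran lsnrctl status as oracle", but only if somebody actually reads them. The following is an added example, not part of the original deck: it parses sudo's syslog lines into one record per invocation (real user, accepted or denied, run-as user, command) and summarizes who ran how many commands as oracle. The sample lines are constructed for the demo; the first two mirror the format shown on the slide, the third is a denied attempt, the fourth is an unrelated sshd line that must be ignored.

```shell
#!/bin/sh
# Added example (not part of the original deck): turn sudo's syslog entries into a
# per-person audit trail. Input is read from stdin (e.g. grep sudo syslog.log | ...).
# The sample below is constructed for the demo.

SAMPLE_LOG='Feb 19 10:44:52 urania sudo: meier : TTY=pts/2 ; PWD=/home/meier ; USER=oracle ; COMMAND=/u00/app/oracle/product/10.2_1/bin/lsnrctl status
Feb 19 10:44:56 urania sudo: meier : TTY=pts/2 ; PWD=/home/meier ; USER=root ; COMMAND=list
Feb 19 10:45:10 urania sudo: smith : command not allowed ; TTY=pts/3 ; PWD=/home/smith ; USER=oracle ; COMMAND=/bin/bash
Feb 19 10:46:01 urania sshd[4711]: Accepted publickey for meier from 10.1.2.3 port 50122 ssh2'

# sudo_audit: stdin -> "<real user> <OK|DENIED> <run-as user> <command>" per sudo line
sudo_audit() {
    awk '
    / sudo: [^ ]+ : / {
        line = $0
        # the real (personalized) user stands between "sudo: " and the first " : "
        real = line; sub(/^.* sudo: /, "", real); sub(/ : .*/, "", real)
        # sudo logs refusals with "command not allowed" or "NOT in sudoers"
        status = (line ~ /command not allowed|NOT in sudoers/) ? "DENIED" : "OK"
        runas = "?"; if (match(line, /USER=[^ ;]+/)) runas = substr(line, RSTART + 5, RLENGTH - 5)
        cmd = "?";   if (match(line, /COMMAND=.*/)) cmd = substr(line, RSTART + 8)
        print real, status, runas, cmd
    }'
}

# sudo_report <runas>: stdin -> "<real user> <count>" of accepted commands run as <runas>
sudo_report() {
    sudo_audit | awk -v who="$1" '$2 == "OK" && $3 == who { n[$1]++ } END { for (u in n) print u, n[u] }'
}

# sudo_denied: stdin -> only the refused attempts, the lines worth an alert
sudo_denied() {
    sudo_audit | awk '$2 == "DENIED"'
}
```

Typical use is `grep sudo /var/adm/syslog/syslog.log | sudo_report oracle` for the daily review and `sudo_denied` feeding the alerting; note that this only works if the syslog goes to a host the oracle account cannot write to, otherwise the same person who relinks the binary can also edit the trail.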

SUDO Configuration
    /usr/local/sbin/visudo

    ## User alias specification
    User_Alias DBADMIN = dummy
    User_Alias DBOPER  = meier
    User_Alias DBUSER  = muster, russo, smith

    ## Runas alias specification
    Runas_Alias DB = oracle

    ## Cmnd alias specification
    Cmnd_Alias DBOPER  = /u00/app/oracle/local/custom/bin/dbtool
    Cmnd_Alias DBADMIN = /u00/app/oracle/product/10.2_?/oui/bin/runInstaller, \
                         /u00/app/oracle/product/10.2_?/OPatch/opatch, \
                         /u00/app/oracle/product/10.2_?/bin/dbca, \
                         /u00/app/oracle/product/10.2_?/bin/dvca, \
                         /u00/app/oracle/product/10.2_?/bin/netca, \
                         /u00/app/oracle/product/10.2_?/bin/lsnrctl

    # User specification
    # root and users in group wheel can run anything on any machine as any user
    root    ALL = (ALL) ALL
    DBADMIN ALL = (DB) NOPASSWD: DBADMIN, DBOPER, /usr/local/bin/truss
    DBOPER  ALL = (DB) NOPASSWD: DBOPER

SUDO Usage
    meier : id
    uid=108(meier) gid=20(users) groups=101(osoper)
    meier : sudo -l
    User oper001 may run the following commands on this host:
        (oracle) NOPASSWD: /u00/app/oracle/local/custom/bin/dbca
        (oracle) NOPASSWD: /u00/app/oracle/product/10.2_?/bin/lsnrctl
    meier : sudo -u oracle dbca
- Or even a bit simpler when using aliases
    alias dbtool='sudo -u oracle dbtool'

SUDO constraints
- sudo executes commands and scripts as the user specified for execution, e.g. oracle. The environment settings will be the ones of the user specified in the sudo command.
- If possible define only simple commands to be used with sudo, e.g. sudo -u oracle lsnrctl, /usr/local/bin/truss
- More complex commands should be executed within a shell script which takes care of parameters, errors etc., e.g. dbtool.ksh -t oraemst start
- Keep in mind that any entry which can start another program hands the caller a full shell as oracle: truss, for instance, takes a command to trace, so "sudo -u oracle truss /bin/sh" is an oracle shell. Such entries belong to the engineering group only, never to the operators.
- sudo has to be installed manually on HP-UX and Solaris
- A sudo configuration file can be distributed over the network
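What the "shell script which takes care of parameters" has to do, concretely, is refuse everything the sudo rule does not mean to allow, because once `DBOPER ALL = (DB) NOPASSWD: /u00/app/oracle/local/custom/bin/dbtool` is in place the script's argument handling is the security boundary. The following is an added example and not the deck's own dbtool: it accepts the `-t <SID> <action>` calling convention from the slide, validates the SID against oratab and the action against a fixed list, and only then builds the SYSOPER call. The oratab path, the dry-run switch and the sqlplus/pgrep calls are assumptions for the demo; the sample oratab in the usage is constructed.

```shell
#!/bin/sh
# Added example (not the deck's own dbtool): the only command DBOPER may run as
# oracle via sudo. It validates the SID against oratab and the action against a
# fixed list before doing anything, so the sudo rule cannot be turned into an
# arbitrary command. Assumptions: ORATAB defaults to /etc/oratab; DRY_RUN=1 prints
# the call instead of executing it.

: "${ORATAB:=/etc/oratab}"

# sid_known <sid>: 0 if the SID is listed in oratab (format SID:ORACLE_HOME:Y|N)
sid_known() {
    # reject anything but [A-Za-z0-9_] before oratab is even read: no shell or
    # regex metacharacters, no empty string
    case $1 in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
    esac
    grep -q "^$1:" "$ORATAB"
}

# dbtool_check <sid> <action>: 0 if both are acceptable, 1 otherwise (message on stderr)
dbtool_check() {
    case $2 in
        start|stop|status) ;;
        *) echo "dbtool: action '$2' not allowed (start|stop|status)" >&2; return 1 ;;
    esac
    sid_known "$1" || { echo "dbtool: unknown SID '$1'" >&2; return 1; }
    return 0
}

# dbtool_cmd <sid> <action>: the SQL that is run as SYSOPER for start / stop
dbtool_cmd() {
    case $2 in
        start) echo "startup" ;;
        stop)  echo "shutdown immediate" ;;
    esac
}

# dbtool_run <sid> <action>: validate, set the environment from oratab, execute
dbtool_run() {
    dbtool_check "$1" "$2" || return 1
    ORACLE_SID=$1; export ORACLE_SID
    ORACLE_HOME=$(awk -F: -v s="$1" '$1 == s { print $2; exit }' "$ORATAB"); export ORACLE_HOME
    if [ "$2" = status ]; then
        if [ "${DRY_RUN:-0}" = 1 ]; then echo "would check for process ora_pmon_$1"; return 0; fi
        if pgrep -f "ora_pmon_$1" >/dev/null; then echo "$1 is up"; else echo "$1 is down"; fi
        return 0
    fi
    sql=$(dbtool_cmd "$1" "$2")
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "would run as SYSOPER on $1 ($ORACLE_HOME): $sql"
        return 0
    fi
    printf '%s\nexit\n' "$sql" | "$ORACLE_HOME/bin/sqlplus" -S "/ as sysoper"
}

# command line entry point: dbtool -t <SID> <start|stop|status>
if [ "${1:-}" = "-t" ] && [ $# -eq 3 ]; then
    dbtool_run "$2" "$3"
    exit $?
fi
```

Because the script derives ORACLE_HOME from oratab itself, the sudoers entry should keep sudo's default env_reset so that a caller cannot smuggle in a different ORACLE_HOME or PATH; combine it with the syslog review from the previous slide and every start and stop is attributable to a person.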


Miscellaneous
- op, an interesting alternative to sudo
  - Open source: http://swapoff.org/wiki/op
  - The major difference is the possibility to use mnemonics rather than commands
    With sudo: sudo /bin/mount -t iso9660 /dev/cdrom /mnt/cdrom
    With op:   op mount cd
- Set the s-bit for individual commands
    oracle@urania:/u00/app/oracle/product/11.1.0/bin/ [rdbms1110] ls -al oracle*
    -rwsr-s--x 1 oracle osdba 158489970 Mar 8 14:15 oracle

Script maintenance
- Scripts should be maintained in a central repository, e.g. CVS, Subversion or something similar.
- DB admins may create new revisions of the scripts on their development system.
- New revisions have to be committed to the repository
  - Subversion command line for Windows
  - TortoiseSVN client
  - Oracle SQL Developer
- Deployment of scripts and configuration should be done with a deployment process (e.g. Jumpstart server, Grid Control, ...)
- Only a defined and accepted version of the scripts is used on the systems


Conclusion
- A reliable protection with Database Vault is possible, but additional considerations have to be taken into account
- Auditing anonymous users only provides limited information
- Personalized accounts are recommended for Database Vault
  - System / DBA tasks can be clearly assigned (Engineering, Operation, ...)
  - Traceability can be guaranteed
- To have personalized accounts a standardized environment is recommended; it also allows a simpler implementation of sudo
  - Stable environment
  - Documented tasks and responsibilities

Conclusion
- The application of personalized accounts can be implemented step by step
- A combination of sudo and OSDBA / OSOPER can be reasonable
- Initial engineering work has to be done, but environments without Database Vault can benefit as well

Thank you!
www.trivadis.com

Backup Slide – Not covered by DBV (1)

| Risk | Action |
|---|---|
| Data within data files is stored in clear text (OS and SAN admins as well as the Oracle Unix account can read the data) | Encryption of data files with TDE (10g on column level, 11g on tablespace level) |
| Data in backups in clear text | Encrypt the backups with RMAN |
| The SYS account has to be open for RAC and RMAN; this account is not fully protected by Database Vault | Personalized accounts on Unix and in the database + sudo concept; use of SYSOPER; accept SYSDBA connections only at the time when RMAN has to run |

Backup Slide – Not covered by DBV (2)

| Risk | Action |
|---|---|
| While the database is patched, Database Vault has to be switched off (e.g. CPUs); this is also true for database migrations | Personalized accounts on Unix and in the database + sudo concept; monitoring on the OS (inode + ctime checks, Nimbus, iwatch (Linux, based on inotify)) |
| Data on the network is sent in clear text (as well as on the interconnect in RAC environments) | Use of Advanced Security Option to encrypt network traffic; possible restriction based on rules (e.g. from a certain IP, …) |
| Direct grants on objects | Existing grants must be known and have to be verified; the Database Vault Admin Console provides reports for this |
| Export possibilities on application level | This can only be checked on application level (e.g. manually, …) |

Backup Slide – Separation of Duties

| Task | Responsible |
|---|---|
| Operation of database and instance (create, parameterize, patching, updates, instance tuning, tablespace management, …) | |
| Security management: create realms, define objects which have to be protected, assign users to realms | |
| Create application roles, assign object privileges to roles/users | |
| Account management + assign roles | |
| Create technical roles, initial assignment of system privileges to roles (not application roles!) | |