An Oracle White Paper
August 2010

Hardening Oracle Database with Oracle Solaris Security Technologies
Contents

Introduction
Containment
Operating System Virtualization
Containment Through File System Configuration
Least Privilege
User Rights Management
Process Rights Management
Service Management
Locking Down Oracle with Auditing
Configuring the System for Audit
Determining What to Audit
Configuring the Audit
Securing the Audit
Enable Auditing
Viewing the Audit Log
Stopping and Starting the Audit
Conclusion
References
Introduction

This white paper describes and demonstrates how commodity Oracle Solaris operating system security features can be used to lock down network-facing services in order to protect them against internal and external threats. Technology concepts and their realizations are presented in a hands-on fashion using a running example: Oracle Database Server 11g Release 2 executing on Oracle Solaris 10 10/09.

While the Oracle Solaris operating system contains a large ecosystem of security mechanisms, this document focuses on a few that are especially powerful when it comes to protecting network-facing services. It explores the mechanisms in several categories:

- Containment, through operating system virtualization and file system configuration
- Least privilege, through Oracle Solaris role-based access control and privileges
- Reliability and availability, through the Oracle Solaris Service Management Facility
- Accountability, through auditing
Containment

Containment is a methodology in which computing assets such as data, processes, or files are grouped within a well-defined perimeter. It is often loosely referred to as sandboxing. Crossing the perimeter is carefully controlled by mechanisms such as well-defined interfaces or access points that enforce security policies. Such perimeters can exist at any level of granularity, from computer networks surrounded by firewalls to object instances in an object-oriented programming environment.

Containment works in both directions. While access to objects within a perimeter is guarded, those objects cannot escape their sandbox unless explicitly allowed. The latter protects the environment from damage inside the perimeter as well as danger originating from the contained entities. It also can help enforce confidentiality requirements. Containment strategies that are employed in a hierarchical fashion contribute to defense in depth.

There are several well-known examples of security technologies that are based on containment. For example, in firewall technology an entire network policy domain is the unit of containment. In the Java Virtual Machine, Java byte codes are executed in an environment with well-defined and carefully controlled resource access.

Operating System Virtualization

The Oracle Solaris operating system offers a built-in, lightweight virtualization technology in which multiple Oracle Solaris user space instances, called Oracle Solaris Containers, share a single kernel. This technology provides a coarse-grained containment mechanism that offers all the security benefits of containment in the form of a familiar abstraction: the UNIX user space environment. It can be thought of as an advanced extension of the UNIX chroot mechanism (). A zone is simply a virtual operating system abstraction that provides a protected environment in which applications run isolated from other applications on the system.
A special zone in each system, called the global zone, is the parent of all non-global zones. Non-global zones are managed by global zone administrators.

Operating system (OS) level virtualization allows multiple applications to share the same operating system instance while providing separate security domains for each application. In an OS virtualized environment, the kernel provides multiple isolated user space instances. Zones look and feel to users and administrators like separate operating system instances. Fine-grained resource management of CPUs, memory, and network bandwidth limits the amount of resources that can be consumed by applications within zones.

Such application containment provides a variety of security advantages. Damage caused by an application isolated in a zone remains contained within that zone, as if the application ran on a dedicated machine. In other words, applications in different zones are protected from each other to provide software fault isolation. Applications that execute in zones cannot interact with privileged system processes or resources, as only a limited set of privileges is available to them. They cannot escape from zones or observe or signal processes in other zones. There is no shared memory or inter-process communication available across zone boundaries.
Individual zones can instantiate their own network security policies when configured to use exclusive Internet Protocol (IP) stack instances by employing their own Internet Protocol Security (IPSec), packet filtering, and virtual LAN (VLAN) security policies.

Each zone has its own instance of the Oracle Solaris Service Management Facility, aiding the reduction of system attack surfaces through the minimization of externally facing services. A discussion of the Oracle Solaris Service Management Facility can be found in the Service Management section of this document.

Zones are the primary mechanism used to implement data separation in Oracle Solaris Trusted Extensions, an advanced security feature that implements labels to protect data and applications based on their sensitivity level, not just who owns or runs them.

In addition, Oracle Solaris offers a type-1 hypervisor technology on the sun4v architecture of the SPARC processor series, called Oracle VM Server for SPARC. For defense in depth, the sample system described in this document also can be deployed inside a domain. A discussion of when to use this additional layer of virtualization is beyond the scope of this document.

Figure 1, Figure 2, and Figure 3 illustrate three deployment architectures. Figure 1 shows how a service is deployed in a traditional UNIX system. In this figure, host ozone has three architectural layers: hardware and hypervisor, operating system, and user space. The database service process(es) here are denoted generically as a service. They execute in the user space with the user id oracle, an established way to run services with reduced privileges. The service communicates with the outside world over a network interface. In the example, the network interface is named nic0.

Figure 1. Service deployed in a traditional UNIX system architecture

Figure 2 shows how a service is deployed inside a zone in an OS virtualized environment.
In this diagram, the Oracle database service runs inside a non-global zone, named ozone. While zone ozone (with associated host name ozone) is displayed side-by-side with the global zone (with associated host name paris), its powers compared to the global zone are greatly reduced. Both zones share the same operating system kernel image. However, the Oracle Solaris privilege model restricts non-global zones by capping their process privilege limit sets. That means even root processes executing inside a non-global zone cannot affect the global zone or any system resources or processes that belong to other zones. The Oracle Solaris privilege model is explained in detail in chapters 5.2 and of . Reference  describes in detail how zones are created, installed, and managed.

Figure 2. Service deployed in operating system virtualized (zoned) architecture

The configuration illustrated in Figure 2 is shown via shell commands below.

    zoneadm list -cv
      ID NAME     STATUS     PATH           BRAND    IP
       0 global   running    /              native   shared
       1 ozone    running    /zone/ozone    native   shared

    ssh -X -l jdoe ozone
    Password:
    Last login: Wed Oct 28 16:51: from paris
    Sun Microsystems Inc. SunOS 5.11 snv_125 November 2008

The output of the zoneadm list -cv command (zoneadm(1m)) shows two running zones: the global zone with ID 0, and the non-global zone named ozone with ID 1. The root path name for the global zone is /, and the root pathname for the non-global zone named ozone is /zone/ozone. The second path name is equivalent to the traditional chroot directory. That means every process executing within zone ozone can access only file system contents relative to the directory /zone/ozone/root, which appears to it to be the root directory.

Example 1 shows user jdoe logging in to the non-global zone ozone from the global zone (with host name paris). The ssh command is used because sshd is the only remote terminal service accessible on Oracle Solaris by default. There is no apparent difference to user jdoe between logging into a non-global zone and logging into a standalone server.

Furthermore, Figure 2 indicates the service no longer is run under the user id oracle, but a role of the same name. Similarly, as indicated in the global zone, there is no longer a superuser account (root) on the entire system; root is a role that authorized users can assume. The Least Privilege section explains the role-based access control (RBAC) model in Oracle Solaris, particularly the advantages of roles over regular user accounts.

Figure 3 shows how a system is deployed inside a domain created by Oracle VM Server for SPARC.

Figure 3. Operating system virtualized images together with the surrounding operating system deployed inside a domain created by Oracle VM Server for SPARC

Containment Through File System Configuration

Further containment can be observed in an Oracle Solaris ZFS file system configuration. The example in this document uses Oracle Solaris ZFS as the root file system for the global zone, with a dataset under the control of the zone.

The Oracle Solaris ZFS file system offers many advantages over traditional file systems, including instantaneous snapshots and clones, and delegation of administrative rights. An Oracle Solaris ZFS dataset is a lightweight file system abstraction that can include an explicit mount point and a compression factor, and can be used in many cases like traditional directories. For example, each user's home directory can be managed as a separate Oracle Solaris ZFS dataset. Individual users can be delegated the rights to take archival snapshots, and to revert to earlier versions of files. Similarly, database instances can be archived via snapshots.

Note: If a global zone uses a UFS root file system, users can create Oracle Solaris ZFS file systems for a zone using dedicated disk drives.

Oracle Solaris zones are optimized to use Oracle Solaris ZFS. Each zone is installed in its own dataset, and snapshots of the datasets for installed zones can be used to clone new zones. When installing or cloning a zone, the zoneadm command automatically creates a new dataset if the parent directory corresponds to an Oracle Solaris ZFS dataset. The parent dataset for all zones is created as follows.

    zfs create -o mountpoint=/zone rpool/zones
Dataset names are hierarchical, like directory pathnames. The difference is that the first component in the path is the name of the storage pool, called a zpool. When zone ozone is installed, its dataset, rpool/zones/ozone, is mounted on /zone/ozone. This corresponds to /, the root directory, when viewed from within the zone.

In order to provide the benefits of Oracle Solaris ZFS to users within the zone, additional datasets can be delegated for use within the zone. This is done within the global zone as follows. The dataset appears in the zone when it is booted, and is mounted on /u01. Oracle Database 11g then can be installed.

    zoneadm -z ozone halt
    zfs create -o zoned=on -o mountpoint=/u01 rpool/zones/ozone/zfs01
    zonecfg -z ozone
    zonecfg:ozone> add dataset
    zonecfg:ozone:dataset> set name=rpool/zones/ozone/zfs01
    zonecfg:ozone:dataset> end
    zonecfg:ozone> exit
    zoneadm -z ozone boot
    zlogin ozone

Snapshots and clones of this dataset can be managed from within the zone. The rights to create and manage these snapshots can be delegated to the oracle role as shown below. Once granted, the oracle role is authorized to execute Oracle Solaris ZFS sub-commands on the specified dataset and its children. For example, periodic snapshots can be taken in real time. If necessary, the database can be reverted to a previous state by promoting the snapshot to the parent dataset.

    zfs allow oracle clone,create,destroy,mount,snapshot,promote \
        rpool/zones/ozone/zfs01

Least Privilege

In today's systems, it is important to have different levels of access for different types of administration, and to record who performed what action. For this reason, the old UNIX model of an all-powerful root user no longer suffices. This is in accordance with the security principle of least privilege, which demands that every program and user of the system operate using the smallest set of privileges necessary to complete the job.
The solution in the Oracle Solaris operating system is the use of roles for specific administrative tasks. Users can assume only the roles for which they are authorized. Rights profiles are created and assigned to roles to specify which tasks a role can perform.

Starting with Oracle Solaris 10, the operating system implements a set of privileges that provide fine-grained control over the actions of processes. For each privileged operation, such as accessing raw network devices or mounting a file system, the kernel validates that the process performing the operation has been assigned the required privilege. The use of fine-grained privileges is discussed in more detail later in this section.
User Rights Management

Role-based access control (RBAC) is an approach that restricts system access to authorized users based on their individual job function (called a role). In Oracle Solaris, a role is instantiated as a normal user account carrying one important restriction. A role cannot log into a system; it can only be assumed using the su(1m) command by a user who is already logged in to the system. For example, the auditor role can be assumed by the authorized user tstark to configure and review auditing. In addition, roles are managed by a system administrator and can be shared among users.

There are a number of benefits to using roles. The RBAC mechanism in Oracle Solaris provides a very flexible and simple means to assign rights for privileged actions to users in a fine-grained manner. The superuser role is decomposed into distinct roles. Individual rights are specified using hierarchical profiles and authorizations. Administrative actions are audited based on user identifiers, not role identifiers. In other words, in a traditional UNIX environment where multiple administrators knew the root password, administrative actions by one superuser could not be attributed to a single person. With Oracle Solaris, however, privileged actions always are attributed in the audit trail to the user assuming the administrative role.

Consider the sample configuration depicted in Figure 4.

Figure 4. User and role hierarchy in the global zone

The following example shows the contents of the RBAC files for this configuration.
    grep auditor /etc/passwd
    auditor:x:100:1::/export/home/auditor:/usr/bin/bash

    grep auditor /etc/user_attr
    auditor::::type=role;profiles=Audit Review,Audit Control
    tstark::::type=normal;roles=root,auditor;

    grep Audit /etc/security/prof_attr
    Audit Control:::Configure BSM auditing:\
    auths=solaris.audit.config,solaris.jobs.admin,solaris.admin.logsvc.purge,\
    solaris.admin.logsvc.read;help=rtauditctrl.html
    Audit Review:::Review BSM auditing logs:\
    auths=solaris.audit.read;help=rtauditreview.html

    grep Audit /etc/security/exec_attr
    Audit Control:suser:cmd:::/etc/security/bsmconv:uid=0
    Audit Control:suser:cmd:::/etc/security/bsmunconv:uid=0
    Audit Control:suser:cmd:::/usr/sbin/audit:euid=0
    Audit Control:suser:cmd:::/usr/sbin/auditconfig:euid=0
    Audit Control:suser:cmd:::/usr/sbin/auditd:uid=0
    Audit Review:suser:cmd:::/usr/sbin/auditreduce:euid=0
    Audit Review:suser:cmd:::/usr/sbin/auditstat:euid=0
    Audit Review:suser:cmd:::/usr/sbin/praudit:euid=0

The following example shows the output of some RBAC commands executed by tstark in the global zone.

    id
    uid=101(tstark) gid=1(other)

    roles
    root,auditor

    profiles -l auditor
    Audit Review:
        /usr/sbin/auditreduce euid=0
        /usr/sbin/auditstat euid=0
        /usr/sbin/praudit euid=0
    Audit Control:
        /etc/security/bsmconv uid=0
        /etc/security/bsmunconv uid=0
        /usr/sbin/audit euid=0
        /usr/sbin/auditconfig euid=0
        /usr/sbin/auditd uid=0
    All:
        *

    auths auditor
    solaris.audit.read,solaris.audit.config,...
RBAC also is used in the ozone zone. For example, the ozone zone is configured such that an authorized user (jdoe) must assume the role oracle to start, stop, or administer Oracle database related services (Figure 5).

Figure 5. User and role hierarchy in the ozone zone.

The example below shows the contents of the RBAC files for this configuration in zone ozone.

    egrep 'jdoe|oracle' /etc/passwd
    jdoe:x:65535:10:john Demo:/export/home/jdoe:/bin/bash
    oracle:x:65537:100:oracle Role Account:/export/home/oracle:/bin/bash

    egrep 'jdoe|oracle' /etc/user_attr
    oracle::::type=role;profiles=Oracle Management;defaultpriv=basic,!proc_info
    jdoe::::type=normal;roles=oracle;defaultpriv=basic,!proc_info

    grep Oracle /etc/security/prof_attr
    Oracle Management:::Manage the Oracle Software:auths=solaris.smf.manage.\
    oracle.database,solaris.smf.manage.oracle.listener;help=none.html

The /etc/passwd file in zone ozone and in the global zone contains the user and role definition for user jdoe and role oracle, and user tstark and role auditor, respectively. See passwd(4) for more information.

The /etc/user_attr file is the local source for extended attributes associated with users and roles. In this example, it specifies that oracle is of type=role, and that the role oracle contains the Oracle Management execution profile. The following line shows the entry for jdoe, a normal user account that is authorized to assume the oracle role (roles=oracle). It has the typical user account execution profile, Basic Solaris User. See user_attr(4) for more information.
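The user-to-role-to-profile chain described in this section can be walked mechanically when reviewing who is able to reach commands that run with uid=0 or euid=0. The script below is an added example, not part of the white paper: the function names are hypothetical, and the two sample files are constructed from the excerpts shown above (the global-zone and ozone entries are merged into one user_attr for the sake of the sample).

```shell
#!/bin/sh
# Added example: resolve user -> roles -> profiles -> privileged commands
# from Solaris RBAC database files. Function names are hypothetical.
# Sample data is constructed from the excerpts shown in this section.
RBAC_DIR=$(mktemp -d)
trap 'rm -rf "$RBAC_DIR"' EXIT

cat > "$RBAC_DIR/user_attr" <<'EOF'
auditor::::type=role;profiles=Audit Review,Audit Control
tstark::::type=normal;roles=root,auditor;
oracle::::type=role;profiles=Oracle Management;defaultpriv=basic,!proc_info
jdoe::::type=normal;roles=oracle;defaultpriv=basic,!proc_info
EOF

cat > "$RBAC_DIR/exec_attr" <<'EOF'
Audit Control:suser:cmd:::/etc/security/bsmconv:uid=0
Audit Control:suser:cmd:::/etc/security/bsmunconv:uid=0
Audit Control:suser:cmd:::/usr/sbin/audit:euid=0
Audit Control:suser:cmd:::/usr/sbin/auditconfig:euid=0
Audit Control:suser:cmd:::/usr/sbin/auditd:uid=0
Audit Review:suser:cmd:::/usr/sbin/auditreduce:euid=0
Audit Review:suser:cmd:::/usr/sbin/auditstat:euid=0
Audit Review:suser:cmd:::/usr/sbin/praudit:euid=0
EOF

# attr_of NAME KEY USER_ATTR
# user_attr entries are "name:qualifier:res1:res2:attr"; attr is a
# ';'-separated list of key=value pairs. Prints the value of KEY.
attr_of() {
    awk -F: -v name="$1" -v key="$2" '
        $1 == name {
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++)
                if (index(kv[i], key "=") == 1)
                    print substr(kv[i], length(key) + 2)
        }' "$3"
}

# root_commands PROFILE EXEC_ATTR
# exec_attr entries are "profile:policy:type:res1:res2:id:attr".
# Prints the command paths the profile runs with uid=0 or euid=0.
root_commands() {
    awk -F: -v prof="$1" '
        $1 == prof && $3 == "cmd" && $7 ~ /(^|;)e?uid=0(;|$)/ { print $6 }
    ' "$2"
}

# reachable_root_commands USER USER_ATTR EXEC_ATTR
# Prints one "role<TAB>profile<TAB>command" line for every uid=0/euid=0
# command the user can run after assuming one of their roles.
# Roles with no user_attr entry in the sample (root here) yield nothing.
reachable_root_commands() {
    attr_of "$1" roles "$2" | tr ',' '\n' | while IFS= read -r role; do
        attr_of "$role" profiles "$2" | tr ',' '\n' |
        while IFS= read -r prof; do
            root_commands "$prof" "$3" | while IFS= read -r cmd; do
                printf '%s\t%s\t%s\n' "$role" "$prof" "$cmd"
            done
        done
    done
}

echo "tstark:"
reachable_root_commands tstark "$RBAC_DIR/user_attr" "$RBAC_DIR/exec_attr"
echo "jdoe:"
reachable_root_commands jdoe "$RBAC_DIR/user_attr" "$RBAC_DIR/exec_attr"
```

On a live system the same functions can be pointed at /etc/user_attr and /etc/security/exec_attr; profiles nested inside other profiles and name-service sources are not followed by this sketch.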
While the /etc/security/prof_attr file contains locally defined execution profile names, descriptions, and other attributes of execution profiles, the /etc/security/exec_attr file specifies the execution attributes associated with profiles. See prof_attr(4) and exec_attr(4) for more information.

In UNIX, the Oracle database software traditionally is installed and run with the oracle user id. In this example, the user id oracle was not created. Instead, an oracle role was created. Users that need to be able to administer the Oracle database are authorized to assume the oracle role, such as user

In Oracle Solaris, roles are assigned execution profiles, a mechanism used to bundle the commands and authorizations needed to perform a specific function. Figure 5 lists the execution path names and attributes for the Oracle Management execution profile.

Authorizations are unique strings that represent a user's or role's right to perform an operation or class of operations. Authorization definitions are stored in the /etc/security/auth_attr database. Two authorizations are defined in the example: solaris.smf.manage.oracle.database and solaris.smf.manage.oracle.listener. For programmatic authorization checks, only the authorization name is significant. The Oracle Solaris Service Management Facility, which is responsible for managing service instances in Oracle Solaris, checks programmatically to see if a user has those authorizations based on the role and execution profiles. See roleadd(1m) and auth_attr(4) for more information.

Process Rights Management

There are two facets to the principle of least privilege in Oracle Solaris: limiting what users and processes are allowed to do. The User Rights Management section addressed how to limit a user's privileges. This section addresses how to limit the privileges of a process.

Beginning with Oracle Solaris 10, all operations that were previously guarded by checks for user ID zero have been investigated and categorized.
This resulted in a breakdown of super-user powers into a large number of operation-specific privileges (approximately 68 in the Oracle Solaris 10 10/09 release). Names indicate their purpose. For example, a process that is granted the proc_info privilege is allowed to examine the status information of processes.

Oracle Solaris uses privilege sets that can be empty or contain a number of privileges. Each process is associated with four privilege sets.

- The effective set contains the privileges a process is currently using. It is analogous to the effective UID in the traditional UNIX model.
- The permitted set contains the privileges a process can put into effect.
- The inheritable set contains the privileges that can be carried over to child processes.
- The limit set contains an upper limit on which privileges a process and its offspring can obtain.

Every privileged operation in Oracle Solaris is validated. The OS verifies that the user performing the operation is assigned the specific privilege required to perform the operation. For backwards compatibility, five privileges are granted to all new users in the basic set: file_link_any, proc_exec, proc_fork, proc_info, and proc_session. These privileges allow users to do everything they used to be able to do on previous versions of the OS, freeing system administrators from dealing with privileges until they are ready to do so.

By understanding the process privileges that are available, administrators can fine-tune a user or role so it has just the privileges it needs to get the job done. This may include adding additional privileges or removing privileges from the basic set. For example, the oracle role can be kept from viewing process information. This can be accomplished by removing the proc_info privilege granted as part of the basic set.

Take a look at the privilege sets granted to the shell of the oracle role. The Oracle shell is running as process ID It is a Bourne again shell (bash). The process has no flags, indicating it is a non privilege-aware (NPA) process. In other words, the bash process runs without modifications in a backwards compatible manner. This is currently the case with most Oracle Solaris processes.

    ppriv -S $$
    4048: -bash
    flags = <none>
        E: basic
        I: basic
        P: basic
        L: zone

Privilege-aware (PA) programs can take better advantage of Oracle Solaris privilege features by manipulating the various privilege sets programmatically. At the beginning of execution, a privilege-aware program can eliminate any privileges that are not needed. Throughout execution, the program can bracket privileged operations and relinquish privileges when they are no longer needed. For example, the iSCSI Initiator is a privilege-aware process. The iSCSI Initiator, which historically ran with root privileges, now runs with only the basic privilege set plus the sys_devices privilege.

    ppriv -S `pgrep iscsid`
    309: /lib/svc/method/iscsid
    flags = PRIV_AWARE
        E: basic,sys_devices
        I: basic,sys_devices
        P: basic,sys_devices
        L: all

A description of a privilege can be obtained by using the ppriv command.

    ppriv -lv sys_devices
    sys_devices
        Allows a process to successfully call a kernel module that
        calls the kernel drv_priv(9f) function to check for allowed
        access.
        Allows a process to open the real console device directly.
        Allows a process to open devices that have been exclusively
        opened.
The limit set defines the upper limit of which privileges can be used, even by the most powerful processes. For example, even a root process inside a zone cannot load a kernel module, as the required privileges are never available to any process executing in a zone context.

Since the oracle role has the basic set of privileges, it is allowed to view all the processes on the system.

    ps -ef | more
    UID PID PPID C STIME TTY TIME CMD
    oracle :55:47? 0:00 ora_diag_orcl
    root :44:29? 0:00 /usr/lib/ssh/sshd
    oracle :45:34 pts/7 0:00 -bash
    oracle :56:12? 0:00 ora_arc0_orcl
    oracle :55:46? 0:00 ora_pmon_orcl
    jdoe :44:29? 0:00 /usr/lib/ssh/sshd
    oracle :55:46? 0:00 ora_vktm_orcl
    jdoe :44:32 pts/7 0:00 -bash
    oracle :55:47? 0:00 ora_gen0_orcl
    root :01:14? 0:00 /usr/lib/ssh/sshd
    root :00:25? 0:00 zsched
    root :00:26? 0:00 /sbin/init
    root :00:27? 0:37 /lib/svc/bin/svc.configd
    root :00:27? 0:16 /lib/svc/bin/svc.startd
    daemon :01:00? 0:00 /usr/lib/nfs/lockd
    root :00:48? 0:14 /usr/sbin/nscd
    root :01:17? 0:00 /usr/lib/dmi/snmpxdmid -s ozone
    smmsp :01:15? 0:00 /usr/lib/sendmail -Ac -q15m
    root :01:12? 0:00 /usr/lib/autofs/automountd
    root :01:01 0:00 /usr/sadm/lib/smc/bin/smcboot

This access is granted by the proc_info privilege.

    ppriv -lv proc_info
    proc_info
        Allows a process to examine the status of processes other
        than those it can send signals to. Processes which cannot
        be examined cannot be seen in /proc and appear not to exist.

If administrators want to prevent the oracle role from having this privilege, the account can be modified as follows.

    # rolemod -K defaultpriv=basic,!proc_info oracle
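To check what a specification such as basic,!proc_info leaves a process with, or which privileges in a ppriv -S listing go beyond the basic set, the specification can be expanded against the five basic privileges named above. The script below is an added example, not part of the white paper; the function names are hypothetical, only the basic keyword, plain privilege names and the ! prefix are handled, and removals are applied after all additions (an assumption of this sketch).

```shell
#!/bin/sh
# Added example: expand privilege specifications against the basic set.
# Function names are hypothetical.
# The five basic privileges listed in the paper for Solaris 10 10/09.
BASIC_PRIVS="file_link_any proc_exec proc_fork proc_info proc_session"

# ppriv -S output for iscsid, re-typed from the listing above as sample input.
ISCSID_PPRIV='309: /lib/svc/method/iscsid
flags = PRIV_AWARE
    E: basic,sys_devices
    I: basic,sys_devices
    P: basic,sys_devices
    L: all'

# expand_privs SPEC
# Expands a comma-separated spec ("basic", names, "!name") into a sorted,
# space-separated privilege list. Removals are applied last (assumption).
expand_privs() {
    printf '%s\n' "$1" | tr ',' '\n' | awk -v basic="$BASIC_PRIVS" '
        $0 == "basic" { n = split(basic, b, " ")
                        for (i = 1; i <= n; i++) have[b[i]] = 1
                        next }
        /^!/          { drop[substr($0, 2)] = 1; next }
        $0 != ""      { have[$0] = 1 }
        END           { for (p in have) if (!(p in drop)) print p }
    ' | LC_ALL=C sort | paste -s -d ' ' -
}

# has_priv SPEC PRIV: succeeds if PRIV survives in the expanded SPEC.
has_priv() {
    case " $(expand_privs "$1") " in
        *" $2 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# beyond_basic SPEC: privileges in SPEC that are not part of the basic set.
beyond_basic() {
    expand_privs "$1" | tr ' ' '\n' | awk -v basic="$BASIC_PRIVS" '
        BEGIN { n = split(basic, b, " ")
                for (i = 1; i <= n; i++) base[b[i]] = 1 }
        $0 != "" && !($0 in base)
    ' | paste -s -d ' ' -
}

# ppriv_set LETTER TEXT: the spec on the "E:", "I:", "P:" or "L:" line
# of captured ppriv -S output.
ppriv_set() {
    printf '%s\n' "$2" | awk -v tag="$1:" '$1 == tag { print $2 }'
}

echo "oracle role keeps: $(expand_privs 'basic,!proc_info')"
if has_priv 'basic,!proc_info' proc_info; then
    echo "oracle role can still examine other users' processes"
else
    echo "oracle role cannot examine other users' processes"
fi
echo "iscsid beyond basic: $(beyond_basic "$(ppriv_set E "$ISCSID_PPRIV")")"
```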
When the oracle role runs the ps command, it can see only the processes it owns.

    ps -ef
    UID PID PPID C STIME TTY TIME CMD
    oracle :55:47? 0:01 ora_diag_orcl
    oracle :56:12? 0:01 ora_arc0_orcl
    oracle :55:46? 0:03 ora_pmon_orcl
    oracle :55:46? 0:02 ora_vktm_orcl
    oracle :55:47? 0:01 ora_gen0_orcl
    oracle :55:47? 0:01 ora_dbrm_orcl
    oracle :55:48? 0:02 ora_psp0_orcl
    oracle :56:14? 0:01 ora_arc2_orcl
    oracle :55:48? 0:03 ora_dia0_orcl
    oracle :55:48? 0:07 ora_mman_orcl
    oracle :55:49? 0:03 ora_dbw0_orcl
    oracle :55:49? 0:03 ora_lgwr_orcl
    oracle :55:49? 0:04 ora_ckpt_orcl
    oracle :55:50? 0:03 ora_smon_orcl
    oracle :55:50? 0:01 ora_reco_orcl
    oracle :55:50? 0:05 ora_mmon_orcl
    oracle :55:51? 0:03 ora_mmnl_orcl
    oracle :55:51? 0:01 ora_d000_orcl

Administrators may need to understand which privilege is limiting the ability to do something on the system. By executing the same command with the ppriv -e -D wrapper, more detailed information on the missing privileges can be obtained.

    ppriv -eD ps
    PID TTY TIME CMD
    ps: missing privilege "proc_info" (euid = 501, syscall = 81) needed at pr_readdir_procdir+0x
    pts/4 0:00 ps
    2127 pts/4 0:00 bash
    2118 pts/4 0:00 bash
    ps: missing privilege "proc_info" (euid = 501, syscall = 81) needed at pr_readdir_procdir+0x100

Service Management

The Oracle Solaris Service Management Facility creates a supported, unified model for services and service management on each Oracle Solaris system. A fundamental building block for system security, the Oracle Solaris Service Management Facility ties together a number of technologies to accomplish security goals, such as improving system and service availability, integrity assurance, resilience against attacks, administrative authorizations, and auditing. As a diagnostic tool, it pinpoints core faults in cascading failures in complex software architectures, reducing the problem of misdiagnosis.
A service usually is defined by a service manifest, an XML file that describes a service and any instances associated with that service. The service manifest is pulled into the repository at boot time, or by using the svccfg import subcommand. The Oracle database and the Oracle listener can be described in a manifest. Each manifest specifies the dependencies that are prerequisites for the service to start, the authorizations required to manage the service, and process credentials.

In general, each service is described in its own manifest file. However, multiple instances of the Oracle database can be described in the same manifest. The example below names the Oracle database service, lists its dependencies, and names an instance (oowtest).

    <service_bundle type="manifest" name="oracle-database-service">
      <service name="application/oracle/database" type="service" version="0.2">
        <dependency name="multi-user" grouping="require_all"
                    restart_on="error" type="service">
          <service_fmri value="svc:/milestone/multi-user:default"/>
        </dependency>
        <instance name="oowtest" enabled="false">

Services can be started or stopped by the superuser and authorized users. These authorizations are specific to each service and can be assigned to individual users or roles. The following example specifies the authorizations required to temporarily or permanently start and stop an instance of the Oracle database.

    <property_group name="general" type="framework">
      <!-- start and stop oracle -->
      <propval name="action_authorization" type="astring"
               value="solaris.smf.manage.oracle.database"/>
      <!-- make persistent changes across reboots -->
      <propval name="value_authorization" type="astring"
               value="solaris.smf.manage.oracle.database"/>
    </property_group>

In the section on role-based access control, the oracle role was assigned the solaris.smf.manage.oracle.database authorization. It is this authorization that allows the oracle role to start and stop the Oracle database via the Oracle Solaris Service Management Facility.

An authorized but unprivileged user can start a service that requires specific process credentials (user, group, and privileges).
The example below specifies the credentials for the Oracle database. Note that the credentials specified for this service do not enumerate any privileges beyond the basic set granted to all users.

    <method_credential user="oracle" group="oinstall"
                       limit_privileges=":default" privileges="basic"
                       supp_groups=":default" />
The manifest also specifies the commands or scripts to execute when the service is started or stopped. The example below shows the start and stop methods for the Oracle database.

    </method_context>
    <exec_method name="start" type="method"
        exec="sh -c 'echo startup | $ORACLE_HOME/bin/sqlplus / as sysdba'"
        timeout_seconds="500">
    </exec_method>
    <exec_method name="stop" type="method"
        exec="sh -c 'echo shutdown immediate | $ORACLE_HOME/bin/sqlplus / as sysdba'"
        timeout_seconds="900">
    </exec_method>
    <method_context/>

A significant feature of the Oracle Solaris Service Management Facility is its ability to improve system and service availability. The previous dependency specification includes the setting restart_on="error". This setting instructs the Oracle Solaris Service Management Facility to restart the service if it encounters a fatal error. While not a recommended procedure, a fatal error can be simulated by killing the Oracle Service Monitor process and observing that the database service is restarted by the Oracle Solaris Service Management Facility. The activity can be observed in real time by tailing the log file associated with the service.

The following command provides the pathname to the log file.

    svcs -l oracle/database:oowtest

The following command generates a fatal error.

    pkill -9 ora_smon

It can be observed in the log file that the Oracle Solaris Service Management Facility detects the failure and restarts the service. The example below shows the normal command to stop the service.

    svcadm disable oracle/database:oowtest

More information on writing a service manifest can be found at and

Locking Down Oracle with Auditing

The Oracle Solaris audit feature provides the ability to log system activity at a granular level. System activity refers to any auditable Oracle Solaris event, such as system calls on the server machine, packets sent over the network, or a sequence of bits written to disk.
As a result, the Oracle Solaris Containers model offers an attractive environment for auditing. Processes that are run within the context of non-global zones are separated and isolated from auditing software that is running in the global zone and the kernel, while the global zone maintains excellent visibility into its zones.
This type of monitoring of hosted environments is often referred to as introspection. When the Oracle Database runs in a non-global zone, it is possible to introspect the actions of the Oracle Database administrator from the global zone.

Configuring the System for Audit

The first step in the process is to create the auditor role. As with the oracle role in the non-global zone, it makes sense to delegate tasks to an auditor role in the global zone. This allows different actual users to assume the auditor role, as well as the auditing of the auditor.

Two rights profiles are pre-defined for reviewing and controlling the audit: Audit Review and Audit Control. The example below creates a role that can review and control auditing on the system. These activities can be separated into distinct roles. The following command defines the auditor role.

    roleadd -P "Audit Review,Audit Control" -m -d \
        /export/home/auditor -s /usr/bin/bash auditor
    passwd auditor

In order for the auditor to read and write to the default location of the audit log, ownership of the /var/audit directory must be changed.

    chown auditor:other /var/audit

The final step is to add the auditor role to one or more users.

    usermod -R auditor tstark

Determining What to Audit

Auditing control in Oracle Solaris is granular. Some upfront planning is required to determine which events need to be recorded. The types of events that can be audited in Oracle Solaris are grouped into classes. The classes are defined in the /etc/security/audit_class file. For example, configuring the auditing of the fd class lets administrators audit every time a file is deleted.

    no:invalid class
    fr:file read
    fw:file write
    fa:file attribute access
    fm:file attribute modify
    fc:file create
    fd:file delete
    cl:file close
    nt:network
    ip:ipc
    na:non-attribute
    lo:login or logout
    ap:application
    ss:change system state
    as:system-wide administration
    ua:user administration
    am:administrative (meta-class)
    aa:audit utilization
    ad:old administrative (meta-class)
    ps:process start/stop
    pm:process modify
    pc:process (meta-class)
    xp:x - privileged/administrative operations
    xc:x - object create/destroy
    xs:x - operations that always silently fail, if bad
    xx:x - all X events (meta-class)
    io:ioctl
    ex:exec
    ot:other
    all:all classes (meta-class)

The system events that map to the audit classes are defined in the /etc/security/audit_event file. Over 500 unique system events exist. A given event can map to one or more audit classes. For a detailed discussion of planning, configuration, and management of the Oracle Solaris auditing subsystem, see Part VII, Oracle Solaris Auditing of the System Administration Guide: Security Services located at

Configuring the Audit

Among other things, the classes to audit are configured in the /etc/security/audit_control file. The content of the default audit_control file is shown below.

    dir:/var/audit
    flags:
    minfree:20
    naflags:lo
In this file:

dir defines where audit log files are written. Audit files can be written on the local machine or an NFS mount to another server. The example below uses the /var/audit directory of the local machine.

flags specifies the classes to audit.

minfree defines the percentage of free space required before the audit_warn script is invoked. See the audit_warn(1m) man page for how to work with the audit_warn script.

naflags stands for non-attributable flags. It is used to log audit events that cannot be attributed to a specific user, such as commands that happen during the boot process.

The audit classes defined in the audit_control file record events for all users of the system. The example below records the events of a specific role, oracle. A secondary file, audit_user, is used for this purpose. The default audit_user file contains a single entry, root:lo:no, whose fields are defined as follows.

    username:always-audit-flags:never-audit-flags

With this entry, the audit logs whenever the root user logs into or out of the system. The invalid class is never audited; that is, there are no classes excluded from auditing for this user. Remember, additional classes can be defined in the audit_control file. For the purposes of the example, add the following to the audit_user file.

    # Always audited for logins, never for audit utilization
    audit:lo:aa
    # Always audited for login, exec, user administration, system-wide administration
    oracle:lo,ex,ua,as:no

Finally, be sure the audit log captures additional useful information, such as the arguments passed to the commands and the zone from which the commands were run. To accomplish this, add the following two lines to the /etc/security/audit_startup file.

    /usr/sbin/auditconfig -setpolicy +argv
    /usr/sbin/auditconfig -setpolicy +zonename

Securing the Audit

The audit_user file must exist in every zone to be audited. However, as an additional security measure, administrators can loopback mount the file as read-only from the global zone to prevent the local zone from potentially tampering with the type of audit data collected. It's also interesting to note that individual files as well as file systems can be added to a zone. Save the following to the ozone_audit_cfg file.
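
Returning to the audit_control and audit_user settings under Configuring the Audit: the Python below is an added example (not part of the white paper, and not the contents of ozone_audit_cfg) that parses both files and computes each user's effective audit classes as (system-wide flags + always-audit) - never-audit. The sample file contents are constructed from the entries shown in this section, and the handling of only unprefixed class names plus the all and no meta-classes is an assumption of this example.

```python
# Added example, not from the white paper: models how audit_control and
# audit_user combine. Assumption: only unprefixed class names are handled
# (as on this page); "+", "-", "^" prefixes and other meta-classes are rejected.
CLASSES = set("fr fw fa fm fc fd cl nt ip na lo ap ss as ua aa "
              "ps pm xp xc xs io ex ot".split())
META = {"no": set(), "all": set(CLASSES)}

# Constructed sample input mirroring the files shown in this section.
AUDIT_CONTROL = """dir:/var/audit
flags:
minfree:20
naflags:lo
"""
AUDIT_USER = """root:lo:no
# Always audited for logins, never for audit utilization
audit:lo:aa
oracle:lo,ex,ua,as:no
"""

def parse_flags(field):
    """Turn 'lo,ex,ua' into a set of class names; raise on unknown names."""
    result = set()
    for name in (f.strip() for f in field.split(",")):
        if not name:
            continue                      # empty field, e.g. the default "flags:"
        if name in META:
            result |= META[name]          # "no" adds nothing, "all" adds every class
        elif name in CLASSES:
            result.add(name)
        else:
            raise ValueError("unknown or unsupported audit flag: %r" % name)
    return result

def parse_audit_control(text):
    """Return {keyword: value}; a repeated keyword keeps its last value here."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(":")
            conf[key] = value
    return conf

def parse_audit_user(text):
    """Return {username: (always, never)} from username:always:never lines."""
    users = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 3:
            raise ValueError("line %d: expected 3 colon-separated fields" % lineno)
        users[parts[0]] = (parse_flags(parts[1]), parse_flags(parts[2]))
    return users

def effective_classes(user, control, users):
    """(system-wide flags + always-audit) - never-audit for one user."""
    system = parse_flags(control.get("flags", ""))
    always, never = users.get(user, (set(), set()))
    return (system | always) - never

if __name__ == "__main__":
    control = parse_audit_control(AUDIT_CONTROL)
    users = parse_audit_user(AUDIT_USER)
    for name in sorted(users) + ["tstark"]:
        print(name, sorted(effective_classes(name, control, users)))
```

With the default empty flags: line, a user who has no audit_user entry (tstark in this sample) ends up with an empty set, so none of that user's attributable events are selected for auditing.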