Book Image

Oracle 11g Anti-hacker's Cookbook

By : Adrian Neagu
Book Image

Oracle 11g Anti-hacker's Cookbook

By: Adrian Neagu

Overview of this book

For almost all organizations, data security is a matter of prestige and credibility. The Oracle Database is one of the most rich in features and probably the most used Database in a variety of industries where security is essential. To ensure security of data both in transit and on the disk, Oracle has implemented the security technologies to achieve a reliable and solid system. In Oracle 11g Anti-Hacker's Cookbook, you will learn about the most important solutions that can be used for better database security."Oracle 11g Anti-hacker's Cookbook" covers all the important security measures and includes various tips and tricks to protect your Oracle Database."Oracle 11g Anti-hacker's Cookbook" uses real-world scenarios to show you how to secure the Oracle Database server from different perspectives and against different attack scenarios. Almost every chapter has a possible threads section, which describes the major dangers that can be confronted. The initial chapters cover how to defend the operating system, the network, the data and the users. The defense scenarios are linked and designed to prevent these attacks. The later chapters cover Oracle Vault, Oracle VPD, Oracle Labels, and Oracle Audit. Finally, in the Appendices, the book demonstrates how to perform a security assessment against the operating system and the database, and how to use a DAM tool for monitoring.

Related Content you might be interested in

Current Title:

Small book image
Oracle 11g Anti-hacker's Cookbook
Adrian Neagu
Oct, 2012 | 302 pages
No titles found
Table of Contents (16 chapters)
Oracle 11g Anti-hacker's Cookbook
Oracle 11g Anti-hacker's Cookbook
Credits
Credits
Foreword
Foreword
About the Author
About the Author
About the Reviewers
About the Reviewers
www.PacktPub.com
www.PacktPub.com
Preface
Preface
Free Chapter
1
Operating System Security
Operating System Security
Introduction
Using Tripwire for file integrity checking
Using immutable files to prevent modifications
Closing vulnerable network ports and services
Using network security kernel tunables to protect your system
Using TCP wrappers to allow and deny remote connections
Enforcing the use of strong passwords and restricting the use of previous passwords
Restricting direct login and su access
Securing SSH login
2
Securing the Network and Data in Transit
Securing the Network and Data in Transit
Introduction
Hijacking an Oracle connection
Using OAS network encryption for securing data in motion
Using OAS data integrity for securing data in motion
Using OAS SSL network encryption for securing data in motion
Encrypting network communication using IPSEC
Encrypting network communication with stunnel
Encrypting network communication using SSH tunneling
Restricting the fly listener administration using the ADMIN_RESTRICTION_LISTENER parameter
Securing external program execution (EXTPROC)
Controlling client connections using the TCP.VALIDNODE_CHECKING listener parameter
3
Securing Data at Rest
Securing Data at Rest
Introduction
Using block device encryption
Using filesystem encryption with eCryptfs
Using DBMS_CRYPTO for column encryption
Using Transparent Data Encryption for column encryption
Using TDE for tablespace encryption
Using encryption with data pump
Using encryption with RMAN
4
Authentication and User Security
Authentication and User Security
Introduction
Performing a security evaluation using Oracle Enterprise Manager
Using an offline Oracle password cracker
Using user profiles to enforce password policies
Using secure application roles
How to perform authentication using external password stores
Using SSL authentication
5
Beyond Privileges: Oracle Virtual Private Database
Beyond Privileges: Oracle Virtual Private Database
Introduction
Using session-based application contexts
Implementing row-level access policies
Using Oracle Enterprise Manager for managing VPD
Implementing column-level access policies
Implementing VPD grouped policies
Granting exemptions from VPD policies
6
Beyond Privileges: Oracle Label Security
Beyond Privileges: Oracle Label Security
Introduction
Creating and using label components
Defining and using compartments and groups
Using label policy privileges
Using trusted stored units
7
Beyond Privileges: Oracle Database Vault
Beyond Privileges: Oracle Database Vault
Introduction
Creating and using Oracle Database Vault realms
Creating and using Oracle Vault command rules
Creating and using Oracle Database Vault rulesets
Creating and using Oracle Database Vault factors
Creating and using Oracle Database Vault reports
8
Tracking and Analysis: Database Auditing
Tracking and Analysis: Database Auditing
Introduction
Determining how and where to generate audit information
Auditing sessions
Auditing statements
Auditing objects
Auditing privileges
Implementing fine-grained auditing
Integrating Oracle audit with SYSLOG
Auditing sys administrative users
Index
Index

Restricting direct login and su access

On critical systems it is usually considered a bad practice to allow direct remote logins to system users, such as root or other application owners, and shared users, such as oracle. As a method for better control and from the user audit point of view, it is recommended to create different login users that will be allowed to connect and perform switches (su) to users considered critical. No other users should be exposed to the external world to allow direct, remote, or local connections.

In this recipe, we will create a group log and a user named loguser1, and we will disable direct logins for all others.

Getting ready

All steps will be performed on nodeorcl1.

How to do it...

  1. Create a designated group for users allowed to log in:

    [root@nodeorcl1 ~]# groupadd logingrp

  2. Create an user and assign it to logingrp group as follows:

    [root@nodeorcl1 ~]# useradd -g logingrp loginuser1

  3. To disable direct login for all users add the following line to /etc/pam.d/system-auth:

    account     required       pam_access.so

  4. Uncomment and modify the following line from /etc/security/access.conf:

    :ALL EXCEPT logingrp :ALL

  5. All logins excepting users from the logingrp group will be denied. If we try to connect from nodeorcl5 the connection will be closed:

    [loguser1@nodeorcl5 ~]$ ssh -l oracle nodeorcl1
oracle@nodeorcl1's password:
Connection closed by 10.241.132.218
[loguser1@nodeorcl5 ~]$

  6. The connection succeeds as loginuser1:

    [loguser1@nodeorcl5 ~]$ ssh -l loginuser1 nodeorcl1
loguser1@nodeorcl1's password:
[loguser1@nodeorcl1 ~]$

  7. To disable the su capabilities for all users exempting loginuser1, open /etc/pam.d/su and uncomment the following line as instructed in the file:

    # Uncomment the following line to require a user to be in the "wheel" group.
auth            required        pam_wheel.so use_uid

  8. At this moment all users that don't belong to the wheel group are not allowed to switch to an other user. Add loginuser1 to the wheel group as follows. In this way the only user that may execute su command will be loginuser1:

    [root@nodeorcl1 etc]# usermod -G wheel loginuser1

  9. If you try to execute an su command with the oracle user, you will get incorrect password message, and the switch cannot be performed:

    [oracle@nodeorcl1 ~]$ su -
Password: 
su: incorrect password
[oracle@nodeorcl1 ~]$

  10. But as user loguser1 it succeeds:

    [loguser1@nodeorcl1 ~]$ su - 
Password: 
[root@nodeorcl1 ~]#

How it works...

The PAM module that performs the login check is pam_access.so, with the control flag set to required and the module type account. The control of su command is performed by the pam_wheel.so module.

There's more...

At this moment all users who do not belong to the group logusers are not allowed to log in locally or remotely. The only exemption is root login using ssh. We will see how to deny remote root logins with ssh in the following recipe, Securing SSH login.

Previous Section
End of Section 9
Next Section