Browse Library
Sign In Start Free Trial
Close icon Search icon
Account
Browse Library Sign In Start Free Trial

Add to playlist

Create a Playlist

Modal Close icon
You need to login to use this feature.
  • Book Overview & Buying Oracle 11g Anti-hacker's Cookbook
  • Table Of Contents Toc
Oracle 11g Anti-hacker's Cookbook

Oracle 11g Anti-hacker's Cookbook

By : Adrian Neagu
5 (5)
Buy this Book
close
close
Oracle 11g Anti-hacker's Cookbook

Oracle 11g Anti-hacker's Cookbook

5 (5)
By: Adrian Neagu
Buy this Book

Overview of this book

For almost all organizations, data security is a matter of prestige and credibility. The Oracle Database is one of the most rich in features and probably the most used Database in a variety of industries where security is essential. To ensure security of data both in transit and on the disk, Oracle has implemented the security technologies to achieve a reliable and solid system. In Oracle 11g Anti-Hacker's Cookbook, you will learn about the most important solutions that can be used for better database security."Oracle 11g Anti-hacker's Cookbook" covers all the important security measures and includes various tips and tricks to protect your Oracle Database."Oracle 11g Anti-hacker's Cookbook" uses real-world scenarios to show you how to secure the Oracle Database server from different perspectives and against different attack scenarios. Almost every chapter has a possible threads section, which describes the major dangers that can be confronted. The initial chapters cover how to defend the operating system, the network, the data and the users. The defense scenarios are linked and designed to prevent these attacks. The later chapters cover Oracle Vault, Oracle VPD, Oracle Labels, and Oracle Audit. Finally, in the Appendices, the book demonstrates how to perform a security assessment against the operating system and the database, and how to use a DAM tool for monitoring.
Table of Contents (16 chapters)
close
close
close
Oracle 11g Anti-hacker's Cookbook
Icon
Oracle 11g Anti-hacker's Cookbook
Credits
Icon
Credits
Foreword
Icon
Foreword
About the Author
Icon
About the Author
About the Reviewers
Icon
About the Reviewers
www.PacktPub.com
Icon
www.PacktPub.com
Preface
Icon
Preface
Lock Free Chapter
1
Operating System Security
chevron up
Icon
Operating System Security
Icon
Introduction
Icon
Using Tripwire for file integrity checking
Icon
Using immutable files to prevent modifications
Icon
Closing vulnerable network ports and services
Icon
Using network security kernel tunables to protect your system
Icon
Using TCP wrappers to allow and deny remote connections
Icon
Enforcing the use of strong passwords and restricting the use of previous passwords
Icon
Restricting direct login and su access
Icon
Securing SSH login
2
Securing the Network and Data in Transit
Icon
Securing the Network and Data in Transit
Icon
Introduction
Icon
Hijacking an Oracle connection
Icon
Using OAS network encryption for securing data in motion
Icon
Using OAS data integrity for securing data in motion
Icon
Using OAS SSL network encryption for securing data in motion
Icon
Encrypting network communication using IPSEC
Icon
Encrypting network communication with stunnel
Icon
Encrypting network communication using SSH tunneling
Icon
Restricting the fly listener administration using the ADMIN_RESTRICTION_LISTENER parameter
Icon
Securing external program execution (EXTPROC)
Icon
Controlling client connections using the TCP.VALIDNODE_CHECKING listener parameter
3
Securing Data at Rest
Icon
Securing Data at Rest
Icon
Introduction
Icon
Using block device encryption
Icon
Using filesystem encryption with eCryptfs
Icon
Using DBMS_CRYPTO for column encryption
Icon
Using Transparent Data Encryption for column encryption
Icon
Using TDE for tablespace encryption
Icon
Using encryption with data pump
Icon
Using encryption with RMAN
4
Authentication and User Security
Icon
Authentication and User Security
Icon
Introduction
Icon
Performing a security evaluation using Oracle Enterprise Manager
Icon
Using an offline Oracle password cracker
Icon
Using user profiles to enforce password policies
Icon
Using secure application roles
Icon
How to perform authentication using external password stores
Icon
Using SSL authentication
5
Beyond Privileges: Oracle Virtual Private Database
Icon
Beyond Privileges: Oracle Virtual Private Database
Icon
Introduction
Icon
Using session-based application contexts
Icon
Implementing row-level access policies
Icon
Using Oracle Enterprise Manager for managing VPD
Icon
Implementing column-level access policies
Icon
Implementing VPD grouped policies
Icon
Granting exemptions from VPD policies
6
Beyond Privileges: Oracle Label Security
Icon
Beyond Privileges: Oracle Label Security
Icon
Introduction
Icon
Creating and using label components
Icon
Defining and using compartments and groups
Icon
Using label policy privileges
Icon
Using trusted stored units
7
Beyond Privileges: Oracle Database Vault
Icon
Beyond Privileges: Oracle Database Vault
Icon
Introduction
Icon
Creating and using Oracle Database Vault realms
Icon
Creating and using Oracle Vault command rules
Icon
Creating and using Oracle Database Vault rulesets
Icon
Creating and using Oracle Database Vault factors
Icon
Creating and using Oracle Database Vault reports
8
Tracking and Analysis: Database Auditing
Icon
Tracking and Analysis: Database Auditing
Icon
Introduction
Icon
Determining how and where to generate audit information
Icon
Auditing sessions
Icon
Auditing statements
Icon
Auditing objects
Icon
Auditing privileges
Icon
Implementing fine-grained auditing
Icon
Integrating Oracle audit with SYSLOG
Icon
Auditing sys administrative users
1
Index
Icon
Index

Enforcing the use of strong passwords and restricting the use of previous passwords

It is essential to establish an effective security policy for Oracle software owner users. In this recipe we will talk about managing complex password rules that can primarily prevent brute force attacks. Restriction of using previous passwords and too similar passwords is an additional security measure which can be implemented to prevent undesired access into the system.

Password rule checking and restriction of the use of previous passwords is performed by Pluggable Authentication Module, or simply known as PAM, discussed in this recipe. In these days PAM is available and used on all major Linux and Unix distributions. The differences in implementation on these platforms are minimal.

Getting ready

All steps will be performed on the database server host nodeorcl1.

How to do it...

  1. As the user root open /etc/pam.d/system-auth for editing. Modify the line that begins with password requisite pam_cracklib.so, with the following line:
    password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=12 lcredit=-2 ucredit=-2 dcredit=-1 ocredit=-1
  2. Save and close the file. At this step you can try to set some weak passwords, such as dictionary-based or very short passwords to verify that the defined rules are enforced.
  3. If the password enforcement rules are working, login as the oracle user and change the password to a strong password, such as of24UT()next(1)=2:
    [oracle@nodeorcl1 ~]$ passwd 
Changing password for user oracle.
Changing password for oracle
(current) UNIX password: 
New UNIX password: 
Retype new UNIX password: 
passwd: all authentication tokens updated successfully.
  4. At this step we will set up the restriction for using previous passwords. First create /etc/security/opasswd file and set its permission to 600. This file will retain the used password history for comparisons:
    [root@nodeorcl1 security]# touch /etc/security/opasswd ; chmod 600 /etc/security/opasswd
  5. Open the /etc/pam.d/system-auth file and modify the line added in step 4 by appending the difok parameter and remember parameter at the end of the line beginning with password sufficient pam_unix.so as follows: 
    password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=12 lcredit=-2 ucredit=-2 dcredit=-1 ocredit=-1 difok=6
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok remember=10
  6. Login as oracle and change the password. Try to set the password as the same password used before. The PAM module will detect that the password is unchanged as we can see from the following listing:
    [oracle@nodeorcl1 ~]$ passwd
Changing password for user oracle.
Changing password for oracle
(current) UNIX password: 
New UNIX password: 
Password unchanged
New UNIX password
  7. Next, type a password with only two characters, difference. We will get a message that will tell us that the password is too similar to the old one:
    [oracle@nodeorcl1 ~]$ passwd
Changing password for user oracle.
Changing password for oracle
(current) UNIX password: 
New UNIX password: 
BAD PASSWORD: is too similar to the old one
Finally use a strong password (Ty%u60i)R_"Wa?) with more than three different characters as follows:
[oracle@nodeorcl1 ~]$ passwd
Changing password for user oracle.
Changing password for oracle
(current) UNIX password: 
New UNIX password: 
Retype new UNIX password: 
passwd: all authentication tokens updated successfully.
[oracle@nodeorcl1 ~]$

Note

It is highly recommended to perform security assessments regularly on your system. To check your real password's strength you should try to use a password cracker.

For a list and description of some of the best available password crackers consult http://nrupentheking.blogspot.com/2011/02/best-password-crackers-in-hackers.html.

Some recommendations for generating strong passwords:

  • Strong passwords should contain lowercase, uppercase, special characters (such as@,&,},?, and !), high ASCII code characters (such as ♣ and ♫), or unicode characters (such as ﭏ, and ﭚ).
  • Divide your password in to more than 2 or 3 groups and use special characters, high ASCII codes, or Unicode characters as delimiters for groups (for example: u6Yi5@My1k!P;m8U where @,!, and ; are delimiters).
  • Use more than 8 characters; 15-20 is a good number to prevent brute-force attacks. A brute force cracker program will need exponentially more time to break a password directly proportional with the password length.
  • Do not use more that 40 percent numbers in your password.
  • Avoid dictionary words.

How it works...

The Linux PAM module pam_cracklib.so checks the password against dictionary words and other constraints using minlen, lcredi, ucredi, dcredit, and ocredit parameters, which are defined as follows:

  • minlen: Minimum length of password. In our case must be 12.
  • lcredit: Minimum number of lower case letters. In our case must be 2.
  • ucredit: Minimum number of upper case letters. In our case must be 2.
  • dcredit: Minimum number of digits. In our case must be 1.
  • ocredit: Minimum number of other characters. In our case must be 1.

To restrict the use of a previous password, the system must save the used passwords to use them for comparison. The file used for storing previous passwords is called opasswd. In case it does not exist, it must be created in the /etc/security directory. The restrict enforcement is performed in stacking mode by combining the remember parameter of the pam_unix.so module with the difok parameter of the pam_cracklib.so module. The remember parameter will configure the number of previous passwords that cannot be reused, and difok is used to specify the number of characters that must be different between the old and the new password.

PAM configuration files on Red Hat Linux and variants are located in /etc/pam.d directory. The service shares the same name as the application designed to authenticate; for example the PAM configuration file for the su command is contained in a file with the same name (/etc/pam.d/su).

Next, we will take a look at the PAM configuration file format. To understand this we will use the line corresponding to the password module modified in this recipe:

password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=12 lcredit=-2 ucredit=-2 dcredit=-1 ocredit=-1

The first directive is the module type. A brief summary of module types and how PAM enforces the rules is as follows:

Module type

Description

account

Account modules check that the specified account is a valid authentication target. Here we may have various conditions such as time of the day, account expiration, and that the user has access to the requested service.

auth

These modules verify the user's identity. The identity is verified by checking passwords or other authentication variables, such as a keyring.

password

These modules are responsible for updating passwords and checking password enforcement rules.

session

These modules check the actions performed after the users are authenticated at the beginning and end of the session.

The second directive from the PAM configuration files is represented by control flags. These flags tell what to do with the result returned by a module. All PAM modules return a success or failure result when called.

Control flag

Description

required

If this control flag is used, the result returned by the module must be always successful in order for the authentication process to succeed. If the return value represents a failure, then the user is not notified until the results of all module tests are complete.

requisite

This is similar to required, but if the test fails the user is immediately notified and no other module tests are performed.

sufficient

If this control flag is used and the result fails, it is ignored. If it has a return value of success and it is used with other modules that have the required flag, and these also have a return value of success, then no other results are required and the user is authenticated.

optional

The result of modules flagged with optional is ignored until no other modules reference the interface.

The third directive is the pluggable module. The next parameters represent the arguments passed to the pluggable module.

There is more...

You can bypass PAM rules for password enforcement as root; hence the passwords to comply with the enforcement rules must be changed by each user.

Performing a security assessment on current passwords with the John the Ripper password cracker tool

  1. Download and build John the Ripper from source code as follows:
    [root@nodeorcl1 run]# make clean linux-x86-64
  2. Unshadow /etc/password and /etc/shadow into a separate file, /tmp/passwd.db:
    [root@nodeorcl1 run]# ./unshadow /etc/passwd /etc/shadow > /tmp/passwd.db
  3. Add the file as an argument and perform a simple password cracking session:
    [root@nodeorcl1 run]# ./john /tmp/passwd.db
  4. The weak passwords are found instantaneously:
    Loaded 3 password hashes with 3 different salts (FreeBSD MD5 [32/64 X2])
testuser         (testuser)
root1234         (root)
guesses: 3  time: 0:00:00:00 100% (1)  c/s: 2150  trying: 
Root999 - root1234
Use the "--show" option to display all of the cracked passwords reliably
[root@nodeorcl1 run]#
CONTINUE READING
83
Tech Concepts
36
Programming languages
73
Tech Tools
Icon Unlimited access to the largest independent learning library in tech of over 8,000 expert-authored tech books and videos.
Icon Innovative learning tools, including AI book assistants, code context explainers, and text-to-speech.
Icon 50+ new titles added per month and exclusive early access to books as they are being written.
Oracle 11g Anti-hacker's Cookbook
End of Section 1
Next Section
notes
bookmark Notes and Bookmarks search Search in title playlist Add to playlist font-size Font size

Change the font size

margin-width Margin width

Change margin width

day-mode Day/Sepia/Night Modes

Change background colour

Close icon Search
Country selected
Close icon Your notes and bookmarks

Confirmation

Modal Close icon
claim successful
Order Page Read Now

Buy this book with your credits?

Modal Close icon
Are you sure you want to buy this book with one of your credits?
Close
YES, BUY

Submit Your Feedback

Modal Close icon
Modal Close icon
Modal Close icon