This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP Backend Security Project Oracle Hardening"

From OWASP
Jump to: navigation, search
(Description)
(Overview)
Line 1: Line 1:
= Overview =
 
 
 
= Overview =
 
= Overview =
  

Revision as of 22:32, 26 May 2008

Overview

Description

Installation security

This section is useful to understand how the installation will introduce vulnerabilities if it is not made “security oriented”.

Options and products

The Oracle Database installation pack contains a lot of options and products in addition to the database server, so it is suggest to do a custom installation to avoid installing options and products not needed. The Oracle components other than the list below have to be removed if not specifically required by any database applications.

Oracle database components
Assistant Common Files
Generic Connectivity Common Files
Generic Connectivity Using Open Database Connectivity (ODBC)
Oracle Net
Oracle Net Listener
Oracle Net Manager
Oracle Net Required Support Files
Oracle Net Services
Oracle Core Required Support Files
Oracle Call Interface
Oracle9i/8i/10g
Oracle9i/8i/10g Database
Oracle9i/8i/10g Development Kit
Oracle9i/8i/10g Windows Documentation (Windows only)
Parser Generator Required Support Files
Programming Language / Structured Query Language (PL/SQL)
PL/SQL Embedded Gateway
PL/SQL Required Support Files
Platform Required Support Files
Relational Database Management System (RDBMS) Required Support Files
Required Support Files

Sample schemas

Oracle Corporation provides sample schemas in order to provide a common platform for examples. Review, after the installation, installed schema and remove any schema you do not need. 2.1.3 PATCHING Apply, always, all security patches for Oracle Database itself, and for all the options and components that are installed. Periodically check the security site on Oracle Technology Network for details on security alerts released by Oracle Corporation:

http://otn.oracle.com/deploy/security/alerts.htm

Further, if you subscribe the security mailing lists you will be able to catch any new security issues that are not reported to Oracle but are announced to the public (maybe without a patch). In such cases, it will be relevant to find a way to mitigate the risk of the new vulnerability in the absence of an Oracle-supplied patch.

Initialization parameters

This section cover the Oracle Initialization parameters that are relevant for the security aspects. All the following initialization parameters have to be specified for all Oracle instances.

Parameter name Description Security value
REMOTE_OS_AUTHENTICATION This parameter, when set to TRUE, allows the authentication of remote clients by the host operating system. The default value for this parameter is FALSE. This parameter will remain set to FALSE because of the risk of an impersonation attack, otherwise known as spoofing. FALSE
REMOTE_LOGIN_PASSWORDFILE Specifies whether Oracle uses a password file and, if in use, how many databases can use the password file. Setting the parameter to EXCLUSIVE signifies that the password file can be used by only one database. The password file requires remote DBAs to use their own individual DBA accounts to authenticate to the database for administrative database operations. EXCLUSIVE
RESOURCE_LIMIT Specifies whether or not enforcement of resource limits is enabled. If not enabled, the required idle time limits would not be enforced. The default is FALSE. TRUE
REMOTE_OS_ROLES Allow operating system roles to be used from remote clients. FALSE
OS_ROLES Determines whether Oracle or the operating system identifies and manages the roles of each username.

Set to FALSE to configure Oracle to identifies and manages the roles. Default value false.

FALSE
UTL_FILE_DIR Specifies one or more directories that Oracle should use for PL/SQL

file I/O.

NULL
AUDIT_SYS_OPERATIONS Enables or disables the auditing of operations issued by user SYS, and users connecting with SYSDBA or SYSOPER privileges. The audit records are written to the operating system's audit trail if the AUDIT_TRAIL initialization parameter is set to OS. The default is FALSE. TRUE
AUDIT_TRAIL Enables or disables database auditing. Default value none. OS
AUDIT_FILE_DEST (UNIX only) Specifies the operating system directory into which the audit trail is written when the AUDIT_TRAIL initialization parameter is set to os, xml, or xml,extended.

The audit records will be written in XML format if the AUDIT_TRAIL initialization parameter is set to XML. It is also the location to which mandatory auditing information is written and, if so specified by the AUDIT_SYS_OPERATIONS initialization parameter, audit records for user SYS.

<Protected Directory>
USER_DUMP_DEST Specifies the pathname for a directory where the server will write debugging trace files on behalf of a user process. <Protected Directory>
BACKGROUND_DUMP_DEST Specifies the pathname (directory or disk) where debugging trace files for the background processes (LGWR, DBWn, and so on) are written during Oracle operations. <Protected Directory>
CORE_DUMP_DEST Specifies the directory where Oracle dumps core files. <Protected Directory>
07_DICTIONARY_ACCESSIBILITY Controls restrictions on SYSTEM privileges. If this parameter is set to FALSE, SYSTEM privileges that allow access to objects in other schemas do not allow access to objects in the dictionary or SYS schema. FALSE

Example SQL for setting the REMOTE_OS_AUTHENTICATION parameter:

  SQL> ALTER SYSTEM SET REMOTE_OS_AUTHENTICATION = FALSE SCOPE=BOTH

Scope:

  • MEMORY: This affects the database now; but will not remain after a restart.
  • SPFILE: This does not change the instance immediately, but it will will take effect after a restart.
  • BOTH: changes the current instance as well as the spfile.

Operating system security

Owner account

The Oracle OS installation account, owner of all Oracle application and datafiles, should be used only for the update and maintenance of the Oracle software and will not be used during the standard DBA activities. The individual DBAs will have to use their assigned OS personal accounts, so the auditing process will be able to actions performed with the correct OS account. The Oracle software installation account will not be a member of the administrative group.

Files and directories

All files and directories generated during the installation process of Oracle will be restricted to the Oracle software owner or the DBA OS user group, especially the file list below:

References

References