This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

OWASP Backend Security Project Oracle Hardening

From OWASP
Revision as of 18:56, 4 June 2008 by Pderinaldis (talk | contribs) (Sample schemas)

Jump to: navigation, search

Overview

Description

Installation security

This section is useful to understand how the installation will introduce vulnerabilities if it is not made “security oriented”.

Options and products

You should use a advanced installation to custom the installation process so that you be able to install only the component required by application will connect to database.

Sample schemas

You should review installed schema, especially the sample schemas provided by Oracle base installation, and remove any schema you do not need.

Example SQL to remove a schema:

  SQL> DROP USER <user_name> CASCADE;

Patching

You should keep up to date the Oracle Database therefore, periodically, you should check the Oracle Technology Network web site (http://otn.oracle.com/deploy/security/alerts.htm) to keep up on security alerts issued from Oracle Corporation in regard to all installed components.

Sometime, there are public vulnerility about Oracle software without a patch so it is a good idea subscribe to the security mailing lists so that you will be able to catch those new security issues and to find a way to mitigate the risk of the new vulnerability.

Initialization parameters

This section cover the Oracle Initialization parameters that are relevant for the security aspects. All the following initialization parameters have to be specified for all Oracle instances.

Parameter name Description Security value
REMOTE_OS_AUTHENTICATION This parameter should be set to FALSE to deny the authentication of remote clients by operating system. FALSE
REMOTE_LOGIN_PASSWORDFILE This parameter should be set to NONE, but if this functionality is required set the parameter EXCLUSIVE to make it more secure considering that that the password file can be used by only one database. NONE
RESOURCE_LIMIT This parameter should be set to TRUE to enforce other parameter about resource limitsuch as idle time limits. The default is FALSE. TRUE
REMOTE_OS_ROLES This parameter should be set to FALSE to deny the operating system groups to control Oracle roles. FALSE
OS_ROLES This parameter should be set to FALSE to configure Oracle to identifies and manages the roles.

Default value false.

FALSE
UTL_FILE_DIR This parameter should be set to NULL to specify any directories that Oracle should use for PL/SQL file I/O. NULL
AUDIT_SYS_OPERATIONS This parameter should be set to TRUE to ... TRUE
AUDIT_TRAIL This parameter should be set to OS to... OS
AUDIT_FILE_DEST (UNIX only) This parameter should be set to... <Protected Directory>
USER_DUMP_DEST This parameter should be set to ... <Protected Directory>
BACKGROUND_DUMP_DEST This parameter should be set to ... <Protected Directory>
CORE_DUMP_DEST This parameter should be set to ... <Protected Directory>
07_DICTIONARY_ACCESSIBILITY This parameter should be set to FALSE to... FALSE

Example SQL for setting the REMOTE_OS_AUTHENTICATION parameter:

  SQL> ALTER SYSTEM SET REMOTE_OS_AUTHENTICATION = FALSE SCOPE=BOTH

Scope:

  • MEMORY: This value change the instance immediately, but the configuration is lost after a restart.
  • SPFILE: This value NOT change the instance immediately, but a restart is necessaty to take effect.
  • BOTH: This value change the instance immediately as well as the spfile.

Operating system security

Owner account

The Oracle OS installation account, owner of all Oracle application and datafiles, should be used only for the update and maintenance of the Oracle software and will not be used during the standard DBA activities. The individual DBAs will have to use their assigned OS personal accounts, so the auditing process will be able to actions performed with the correct OS account. The Oracle software installation account will not be a member of the administrative group.

Files and directories

All files and directories generated during the installation process of Oracle will be restricted to the Oracle software owner or the DBA OS user group, especially the file list below:

File name Description
init.ora and/or init<SID>.ora

Spfile.ora

The file houses Oracle initialization parameter files. Replace SID with the name of your SID.
orapw<SID> The file contain SYS password and the password of accounts granted the SYSDBA or SYSOPER role. Replace SID with the name of your SID.
listener.ora The file houses listener configuration parameters and password.
snmp_rw.ora The file contains the password for the DBSNMP database account in cleartext.
snmp_ro.ora The file houses configuration information for the Oracle Intelligent Agent.
sqlnet.ora The file contains network configuration information for the host database and listener.

Other accounts should be denied access except to executables under the “bin” directory as specifically required. All files stored in the “bin” directory will be owned by the Oracle software installation account. These files and directories will be secured by using access control methods native to the operating system.

Account management

Lock and expire unused accounts

A number of default database server user accounts are create during the installation process so, if you do not use the Database Configuration Assistant, you should lock and expire all default database user accounts. Unlock only those accounts that need to be accessed on a regular basis and assign a strong password to each of these unlocked accounts.

Example SQL for reviewing the Oracle Default Accounts with status “OPEN”:

  SQL> SELECT <user_name> FROM dba_users WHERE account_status <> ’OPEN’ ORDER BY <user_name>;

Example SQL for Locking Accounts:

  SQL> ALTER USER <user_name> ACCOUNT LOCK;

Change default password

The major weakness concerning the password is that some user default account, after the installation, still has a default password associated with it, so you should be review the passwords of all default accounts (SYS, SYSTEM, DBSNMP, OUTLN and so on) and change it if necessary.

Enforce password policy

The password policy should be enforced by password verification function setting password parameter (list below) and providing password complexity feature like minimum length, password not same as the username, the password contains repeating characters, the password differs from the previous password by at least a maximal number of letters.

Example SQL for setting a password verification function to a profile:

  SQL> CREATE PROFILE <profile_name> LIMIT PASSWORD_VERIFICATION_FUCTION <newvalue>

Example SQL for assigning profile profile to a user:

  SQL> CREATE USER <user_name> IDENTIFIED BY <password> PROFILE <profile_name>;

Roles

Automated processing database accounts

Network security

Encrypt network logins

The password information in a connection request should be encrypted to protect against network eavesdropping. The value of the follow parameter should be review:

  ORA_ENCRYPT_LOGIN (on the client machine)
  DBLINK_ENCRYPT_LOGIN (on the server machine)

Once these parameters have been set to TRUE, passwords will be encrypted in connection requests. Note that on Oracle version 9.02 and later these parameter are not available, in fact it is encrypt automatically the password information when transmitting over a network, although the setting or changing of passwords is NOT encrypted when across the network.

Protect network communications

You should configure the Oracle Advanced Security component to use Secure Socket Layer (SSL) as to encrypt network traffic between clients and databases to avoid network eavesdropping. Enabling the protection about network communication by following the next step:

  ...

XML database (XDB) protocol server

The XML Database (XDB) offers access to the Oracle XML DB resources using the standard Internet protocols FTP, listening on TCP port 2100, and HTTP, listening on TCP port 8080. The Oracle XML DB Protocol Server is a specific type of Oracle shared server dispatcher and is specified in the Oracle database initialization parameter file for startup, so if XDB is not used it should be turned off editing the init<SID>.ora or spfile<SID>.ora (replace SID with the name of your SID) file and remove or comment the follow line:

 dispatchers="(PROTOCOL=TCP) (SERVICE=<SID>XDB)"

If access via the Internet protocols is required, logging should be enabled by setting the “ftp-log-level” and “http-log-level” parameters to a value of 1 in xdbconfig.xml file.

Oracle TNS Listner security

Password

A listener password should be set at the end of listener configuration process to avoid from unauthorized start, stop, and configure. The password will be stored in encrypted format within the listener.ora file by using the LSNRCTL utility:

  LSNRCTL> set current_listener <listener_name>
  LNSRCTL> set password
  Password: (type "enter" if it is the first time)
  The command completed successfully
  LSNRCTL> change_password
  Old password: (type "enter")
  New password: <new_password>
  Reenter new password: <new_password>
  […]
  The command completed successfully
  LSNRCTL> save_config (important to save the configuration)
  […]
  Saved LISTENER configuration parameters.
  Listener Parameter File […]
  Old Parameter File […]
  The command completed successfully
  LSNRCTL> exit

Admin restrictions

The remote administration of the Oracle listener should be prevent by setting to TRUE the ADMIN_RESTRICTIONS parameter in the listener.ora file:

  ADMIN_RESTRICTIONS_<listener_name> = TRUE

Network address restriction

The network address restrictions should be enforced by the Oracle listener to further protect your database from unauthorized remote access. Network address restriction is required when the PLSQL EXTPROC is in use to protect against unauthenticated access to the database. To enable network address restriction, edit the SQLNET.ORA to add the follow line:

  TCP.VALIDNODE_CHECKING = YES

Then, to defines TCP/IP addresses that are allowed to connect to database add the follow line:

  TCP.INVITED_NODES = <list of IP addresses>

At the end, to defines TCP/IP addresses that are refused connections to the database set the follow parameter

  TCP.EXCLUDED_NODES = <list of IP addresses>

External procedures

Inbound connection timeout

The amount of time the listener waits for a network client to complete the connection request should be manage to prevent a denial of service attack. The name of parameter to set to configure inbound connection timeout and the name of the file of configuration, depends on Oracle version.

Packages, procedures and functions

Audit

References

[1] The Oracle Hacker's Handbook: Hacking and Defending Oracle by David Litchfield

[2] The Database Hacker's Handbook: Defending Database Servers by David Litchfield

[3] Database Security Technical Implementation Guide by DISA for the DOD

[4] Oracle Database Security Guide by Oracle Corporation

[5] Oracle Database Security Checklist by Oracle Corporation