The above represents privileged user escalation from just SELECT privilege on the SYSMAN schema (i.e., not
requiring execute privileges on packages).
In order to remove this threat, the encryption key used to hide the passwords stored in the repository can be
kept in a wallet on the OS rather than in the database tables. This creates issues when moving the repository
database, which then requires a parallel movement of the wallet with the database. Also, once loaded, the key is
held in the memory of the database, so a rekey will be required after either a restart or a memory flush.
Another consideration when scaling up grid and cloud control is that the password values per database need to be
kept unique and rotated over time in order to limit the damage a network-based attack can do.
This makes the security of the repository the single most important task for an Oracle architecture. That is why we
are devoting a chapter to the subject of cloud control security as part of an overall security architecture (Chapter 18).
As well as the security of the repository, an important point is the network security of DBSNMP logons. Some very
good news from Oracle is that TCPS, i.e., TLS over TCP, is now free of charge for all client-to-DB communications
through TNS. In other words, the network part of ASO is now free. TCPS (TLS) as well as Kerberos and other network
security features are now part of all DB editions and do not require separate licensing. TCPS is good news because
the password verifiers themselves have not been updated from SHA-1 to SHA-2 in 12.1.0.1.0 as originally intended,
so encrypting the session transport partly mitigates the weaker hash: the whole session, including the logon
exchange, is hidden from a network sniffer. It does nothing, of course, for a verifier copied out of the database
itself.
Oracle opted not to make TLS on by default because some customers have expressed concern about large
overhead when they have a large connection pool starting up (though this may be mitigated by support for ECC
ciphersuites in 12.1). In any case, Oracle felt that letting users choose to enable TCPS rather than have it be enabled by
default would best avoid an unpleasant surprise after upgrading to 12.1. So there is now a large piece of work involved
in securing the cloud control-to-DB network communications. Cloud control at this time does not fully support TCPS
and requires a TCP listener, but it can be customized to do so. In my view, this is worthwhile doing, especially because
of the imminent availability of 12c oradecrypt from Laszlo Toth, as discussed in Chapter 10. Oracle making TCPS free
of charge will kick start Oracle security projects in many organizations. The setup is simply a case of creating a wallet
and changing TCP to TCPS in the listener.ora, but development work will be needed at the client ends to send TCPS.
We will walk through how to do this in Chapter 18 along with specifics on 12c cloud control security.
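As an added illustration, not taken from the book, here are the pieces that the wallet-plus-listener change touches. The clear-text TCP endpoint is shown beside the TCPS one so the before and after are visible; the hostname, ports, service name and wallet directories are placeholders chosen for this example:

```text
# listener.ora (server). Keep the clear-text TCP address only during migration;
# drop it once every client, including cloud control, connects with TCPS.
#   before: (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example.com)(PORT = 1521))
#   after:  (ADDRESS = (PROTOCOL = TCPS)(HOST = dbhost.example.com)(PORT = 2484))
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example.com)(PORT = 1521))
      (ADDRESS = (PROTOCOL = TCPS)(HOST = dbhost.example.com)(PORT = 2484))
    )
  )

WALLET_LOCATION =
  (SOURCE = (METHOD = FILE)
    (METHOD_DATA = (DIRECTORY = /u01/app/oracle/wallet/server)))
SSL_CLIENT_AUTHENTICATION = FALSE

# sqlnet.ora (server)
WALLET_LOCATION =
  (SOURCE = (METHOD = FILE)
    (METHOD_DATA = (DIRECTORY = /u01/app/oracle/wallet/server)))
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_VERSION = 1.2

# sqlnet.ora (client, e.g. the host cloud control or a DBSNMP-using tool runs on)
WALLET_LOCATION =
  (SOURCE = (METHOD = FILE)
    (METHOD_DATA = (DIRECTORY = /u01/app/oracle/wallet/client)))
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_VERSION = 1.2
SSL_SERVER_DN_MATCH = YES

# tnsnames.ora (client): the same alias with PROTOCOL changed from TCP to TCPS
ORCL_TCPS =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCPS)(HOST = dbhost.example.com)(PORT = 2484))
    (CONNECT_DATA = (SERVICE_NAME = orcl))
  )
```

The server wallet is created with `orapki wallet create -wallet <dir> -auto_login -pwd <password>`; `-auto_login` writes cwallet.sso so the listener can open the wallet without a prompt, which is exactly why the wallet directory must be readable only by the oracle OS user. The server certificate (for a lab, `orapki wallet add ... -self_signed`; in production, one signed by your CA) is exported with `orapki wallet export` and loaded into each client wallet with `orapki wallet add -trusted_cert`. `SSL_SERVER_DN_MATCH = YES` on the client is the line most often forgotten: without it the client accepts any certificate chained to a trusted CA, whatever hostname it names, so the certificate's CN must be the hostname the client connects to.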
Part of this overall security picture is how to react if (and when) some aspect of the preventive defenses
fails, i.e., an attack has been identified. I wrote the first book on database forensics for Rampant Techpress back in
2007, which is still in print and copyrighted, so I cannot duplicate the content here, but we can summarize what we
need to know and how the field has progressed in the past six years in the following “Oracle Forensics” section.
Oracle Forensics
We can define Oracle forensics as the science of ascertaining knowledge from Oracle-based digital evidence that
would be appropriate for use in a court of law or formal truth-seeking processes.
In practice it is a process of piecing together previous activity in order to answer the who, what, where, when,
and, increasingly, why after a security incident has occurred.
A generic forensic response process contains the following technical tasks:
1. Collecting and backing up evidence in a verifiable way by collecting and recording checksums, file size, and timestamps.
2. Recovering deleted data such as that which an attacker may have attempted to hide.
3. Timeline analysis by placing the above evidence on a timeline to show the order of past events.
4. In-depth analysis entailing lower-level inspection of data than is normally possible.
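Tasks 1 and 3 above, as an added worked example; this is not code from the book or from any Oracle tool, and the three sample files, their names and their contents, are constructed here for the run. It takes each file's size and timestamps before anything reads it, hashes the content, seals the table with its own hash, re-verifies the copy after deliberate tampering, and flattens the recorded timestamps into an ordered timeline:

```python
"""Added example (hypothetical helper): verifiable evidence collection and a
timestamp timeline for a directory of copied files."""
import hashlib
import json
import os
import tempfile
import time
from pathlib import Path

# Constructed sample evidence, standing in for logs copied off a compromised host.
SAMPLE_FILES = {
    "alert_orcl.log": b"Thu Jan 10 02:14:05 2013\nStarting ORACLE instance (normal)\n",
    "listener.log": b"10-JAN-2013 02:15:11 * (CONNECT_DATA=(SERVICE_NAME=orcl))"
                    b" * establish * 10.0.0.5 * 0\n",
    "sqlnet.log": b"Fatal NI connect error 12170.\n",
}


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def collect_evidence(root) -> dict:
    """Record hash, size and atime/mtime/ctime for every regular file under root."""
    root = Path(root)
    files = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        st = p.stat()  # stat first: reading the file for the hash can itself bump atime
        files[p.relative_to(root).as_posix()] = {
            "sha256": sha256_file(p),
            "size": st.st_size,
            "atime": st.st_atime,
            "mtime": st.st_mtime,
            "ctime": st.st_ctime,
        }
    manifest = {"root": str(root), "collected_at": time.time(), "files": files}
    # Hash of the canonical file table, so the manifest itself can be checked later
    # (in a real case: sign it or write this value into the custody log).
    canonical = json.dumps(files, sort_keys=True).encode()
    manifest["manifest_sha256"] = hashlib.sha256(canonical).hexdigest()
    return manifest


def verify_evidence(root, manifest: dict) -> dict:
    """Compare the files under root with the manifest on content and size only;
    timestamps legitimately move whenever the copy is read."""
    recorded = manifest["files"]
    current = collect_evidence(root)["files"]
    common = set(recorded) & set(current)
    return {
        "missing": sorted(set(recorded) - set(current)),
        "added": sorted(set(current) - set(recorded)),
        "modified": sorted(f for f in common
                           if (current[f]["sha256"], current[f]["size"])
                           != (recorded[f]["sha256"], recorded[f]["size"])),
    }


def build_timeline(manifest: dict) -> list:
    """Flatten every recorded timestamp into (epoch, kind, path), oldest first."""
    events = []
    for path, rec in manifest["files"].items():
        for kind in ("atime", "mtime", "ctime"):
            events.append((rec[kind], kind, path))
    return sorted(events)


def demo() -> dict:
    """Write the constructed sample, collect, tamper, re-verify; return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, data in SAMPLE_FILES.items():
            (root / name).write_bytes(data)
        # Back-date the alert log to the time it claims, so the timeline has some spread.
        old = time.mktime((2013, 1, 10, 2, 14, 5, 0, 0, -1))
        os.utime(root / "alert_orcl.log", (old, old))

        manifest = collect_evidence(root)
        clean = verify_evidence(root, manifest)

        # Simulate tampering with the evidence copy after collection.
        with (root / "listener.log").open("ab") as f:
            f.write(b"tampered\n")
        (root / "sqlnet.log").unlink()
        (root / "planted.txt").write_bytes(b"x")
        tampered = verify_evidence(root, manifest)

        return {"manifest": manifest, "clean": clean, "tampered": tampered,
                "timeline": build_timeline(manifest)}


if __name__ == "__main__":
    out = demo()
    print(json.dumps({k: v for k, v in out.items() if k != "manifest"}, indent=2))
```

Timestamps are taken with stat() before the file is opened for hashing because the read itself can advance atime; that is also why verify_evidence compares only hash and size, the two values an analyst can reproduce later. In a real collection the manifest_sha256 value is written to the custody log (or the manifest is signed) at the moment of collection, and it is always a working copy, never the original, that is analysed afterwards.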