[Figure 13-1 components: DB Servers 1 to 4; Password Hub, e.g. CyberArk EPV, whose PAC account automatically resets the SYS password; LDAP Directory, e.g. OUD or AD, used for authentication; Administrative DBA Users A to D. Flows shown: the DBA checks out the SYS password from the hub, then logs on to the server directly with the new SYS password.]
Figure 13-1. Password hub system
DBAs can check out the SYS password for any database in the estate from a single point of truth, the EPV repository. EPV changes the password daily to a new random value by logging on automatically to each database and issuing an ALTER USER statement; it then stores the new password. To check out the current password for a destination server, the DBA must first authenticate to EPV with their own credential, which is commonly an enterprise SSO/AD logon similar to the desktop logon. The DBA then logs on directly to the database from their own terminal.
This system has some real benefits. First, the SYS password is guaranteed to have a complex value that is cycled regularly. By default SYS has no password protection within the database itself, because Oracle exempts SYS from the password controls of its Account Profile. So EPV takes over what the Oracle DB should already have been doing: maintaining its SYS password securely.
However, EPV has downsides. For instance, the database protocol connection EPV uses to reach the destination servers is commonly plaintext, so each daily ALTER USER statement, and with it the new SYS password, crosses the network in the clear. This is very insecure and arguably leaves the Oracle estate less secure than if the system were not in place at all. Oracle has now made network session encryption with OAS/SSL free of charge on all versions of its database, but it still has to be configured for the vendor's PAC client software, so check that the PAC connection actually is encrypted, because usually it is not.
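As an added check, not part of the original chapter, the following query, run as a DBA on a target database, shows whether the sessions connected as SYS over Oracle Net (the PAC's rotation session among them) have actually negotiated network encryption. V$SESSION_CONNECT_INFO exposes one NETWORK_SERVICE_BANNER row per Oracle Net service for each session; treating an algorithm-specific "Encryption service adapter" banner line as the sign that encryption was negotiated, and skipping local bequeath sessions that never touch the wire, is this example's own heuristic rather than anything the chapter states.

```sql
-- Added example, not from the original chapter. Run as a DBA with SELECT on V$ views.
-- Assumption (this example's heuristic): an algorithm-specific banner line such as
-- 'AES256 Encryption service adapter for Linux: ...' in NETWORK_SERVICE_BANNER is
-- present only when session encryption was actually negotiated for that session.
SELECT s.sid,
       s.serial#,
       s.osuser,
       s.machine,
       s.program,
       s.logon_time,
       CASE WHEN EXISTS (SELECT 1
                         FROM   v$session_connect_info ci
                         WHERE  ci.sid     = s.sid
                         AND    ci.serial# = s.serial#
                         AND    ci.network_service_banner LIKE '%Encryption service adapter%')
            THEN 'ENCRYPTED'
            ELSE 'PLAINTEXT'
       END AS net_encryption
FROM   v$session s
WHERE  s.username = 'SYS'
AND    s.type     = 'USER'
-- Local (bequeath) connections never cross the network, so leave them out.
AND    NOT EXISTS (SELECT 1
                   FROM   v$session_connect_info ci
                   WHERE  ci.sid     = s.sid
                   AND    ci.serial# = s.serial#
                   AND    ci.network_service_banner LIKE '%Bequeath%')
ORDER  BY net_encryption, s.logon_time;

-- To see the full set of negotiated services for one suspect session, substitute
-- its SID and SERIAL# (SQL*Plus substitution variables shown here):
SELECT network_service_banner
FROM   v$session_connect_info
WHERE  sid = &sid
AND    serial# = &serial;
```

Any row reported as PLAINTEXT whose MACHINE or PROGRAM identifies the PAC host is a session in which the rotation's ALTER USER, and therefore the new SYS password, was sent in the clear. Setting SQLNET.ENCRYPTION_SERVER = REQUIRED in the server's sqlnet.ora refuses unencrypted clients outright, so the PAC connection fails loudly instead of silently leaking.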
The next chapter demonstrates how to secure PAC systems, including implementing this encryption and detecting whether privilege escalation has succeeded in the past.
The password checkout process in Figure 13-1 is as follows:
1. DBA A needs to log on to DB 1.
2. DBA A authenticates to the Password Hub with a personal credential, e.g., AD/OUD SSO.
3. The Password Hub resets the SYS password of DB 1 to a new value.
4. The Password Hub gives that new SYS password to the DBA.
5. DBA A logs on to DB 1 using the new value.
Approval can happen before checkout, which introduces delay, or after checkout, which is useful for emergency production issues. The latter is known as "break-glass" access and is increasingly useful.