Database Reference
In-Depth Information
BAU personal account with specific capabilities (privileges)
BAU personal account with specific capabilities (privileges)
Time X
Break-glass risk period
Privilege Y
Is
State A
equal to
State B
?
Figure 14-1.
Break-glass integrity verification checking
In Figure
14-1
the personal account privilege is low and constant, but the problem is it could be escalated. So,
abandoning that method, we consider method 2, where elevated privilege is granted but only for a short period of
time, but this could be maliciously extended by installing a rootkit. However, a rootkit could be identified by a forensic
state-check. The question is whether the initial known-good state before the timed session is the same as that after
the session.
Least-privilege (1) and time-limiting methods (2) could be combined into a “break-glass personal account,”
but the underlying problem still exists. If the user wanted to, they could escalate and backdoor that account. The
traditional solution is monitoring, but we have already seen that all forms of monitoring have weaknesses. What, then,
is the solution?
A good solution is an on-host integrity verification from root that pro-actively checks before and after the
break-glass session to be alert to the probable installation of a rootkit/backdoor. In the preceding diagram the key
question is:
Is state A equal to state B?
Achieving this check in a way that can be considered “complete” is
non-trivial due to the complexity of the Oracle RDBMS. A close-to-complete verification check of a whole RDBMS
would significantly hamper the performance of the system and would suffer from a high false positive rate.
Therefore, there is a requirement to be able to integrity check for rootkits to a pragmatic level of certainty, which
does not affect performance.
The traditional method of host-based integrity checking is Tripwire, which gained popularity through a free
Linux implementation that has since been heavily commercialized. As stated in Chapter 11, the free version of
Tripwire is no longer actively maintained and was found to fail on install by myself and other well-known analysts.
This is understandable, as Tripwire is now mainly available as a commercial product. What is needed is a new way
to monitor the integrity of the database from the OS root account. The next chapter focuses on rootkit detection and,
more specifically, root-based integrity verification of Oracle databases in order to detect rootkits installed during
time-limited sessions such as break-glass.
