Detecting Second-Generation Rootkits
We now move from the database level to checking, at the OS level, the files that support the database. This is the
realm of second-generation rootkits, as defined and exemplified in these papers:
http://www.red-database-security.com/wp/oracle_rootkits_2.0.pdf
http://www.dcs.co.jp/security/NGS_freedownloads/OracleSysDBA_Backdoor.pdf
Solaris 10 already ships a built-in OS file state checker, BART (Basic Audit Reporting Tool), which works from a
fingerprint database of file checksums and attributes. You can read about it at this URL:
http://www.oracle.com/technetwork/articles/systems-hardware-architecture/o11-005-bart-solaris-fp-db-276999.pdf
This fingerprint database in Solaris is a very cool feature. Solaris 11 builds BART-like functionality into its package
manager, IPS (Image Packaging System). Checksums for installed files are held in the package manifests, so they can
be read and checked manually. More efficiently, the Solaris pkg verify command checks every installed package
against the manifest it was installed from: the checksums of binaries and scripts, plus file ownership and
permissions, are all compared. The admin can then decide whether to have the system restore the changed files to
their packaged state with pkg fix. For specific examples please see the Oracle IPS cheat sheet at:
http://www.oracle.com/technetwork/server-storage/solaris11/documentation/ips-one-liners-032011-337775.pdf
Oracle Binary Integrity
My main platform is still Linux, so let's look at how we can verify the integrity of the Oracle installation from that OS.
Since 11.2, an undocumented alert.log entry has recorded when the checksum of the Oracle binary changes. There is
no reason for the Oracle binary to change unless the software has been patched or upgraded.
We can do the same check manually for the 12c beta binary as follows:
[oracle@orlin ~]$ md5sum /home/oracle/app/oracle/product/12.1.0/dbhome_1/bin/oracle
83adb69ca4fcb8a787663e8f805c8dd8 /home/oracle/app/oracle/product/12.1.0/dbhome_1/bin/oracle
Or for the 12.1.0.1.0 GA executable:
[root@ol6 ~]# md5sum /u01/app/oracle/product/12.1.0/dbhome_1/bin/oracle
6010431668d40dc22aaadc20a471c5c7 /u01/app/oracle/product/12.1.0/dbhome_1/bin/oracle
The Oracle binary state check recorded in the alert.log runs at instance startup only. Given that an Oracle database
may not be restarted for a very long time, it is wise to add the foregoing check to our rootkit checker so that it runs at
the beginning and end of every break-glass session, which may occur daily. Two caveats apply: the comparison is only
as trustworthy as the checksum tool and the baseline it is compared with, so an OS-level rootkit that can trojan the
Oracle binary can just as easily trojan md5sum, and the baseline should be kept off the host and compared using a
known-good binary. Running chopt to enable or disable an option does not change the checksum of the Oracle binary,
as shown below:
[oracle@orlin ~]$ md5sum /home/oracle/app/oracle/product/12.1.0/dbhome_1/bin/oracle
83adb69ca4fcb8a787663e8f805c8dd8 /home/oracle/app/oracle/product/12.1.0/dbhome_1/bin/oracle
[oracle@orlin ~]$ /home/oracle/app/oracle/product/12.1.0/dbhome_1/bin/chopt enable lbac
Writing to /home/oracle/app/oracle/product/12.1.0/dbhome_1/install/enable_lbac.log...
/usr/bin/make -f /home/oracle/app/oracle/product/12.1.0/dbhome_1/rdbms/lib/ins_rdbms.mk lbac_on ORACLE_HOME=/home/oracle/app/oracle/product/12.1.0/dbhome_1
/usr/bin/make -f /home/oracle/app/oracle/product/12.1.0/dbhome_1/rdbms/lib/ins_rdbms.mk ioracle ORACLE_HOME=/home/oracle/app/oracle/product/12.1.0/dbhome_1
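The manual md5sum of bin/oracle above, turned into a repeatable baseline-and-compare check that a break-glass
procedure can run at session start and end. This is an added example, not code from the book: it generalises the single
checksum to every file under $ORACLE_HOME/bin (a dropped-in or replaced helper binary is caught as well as a patched
oracle executable), stores the result as a baseline, and reports any changed, missing or new file on a later run. The
ORACLE_HOME and baseline paths are hypothetical, sha256sum is used in place of md5sum, and the demo data is a throwaway
directory of fake files constructed here, not a real Oracle installation.

```shell
#!/bin/sh
# Added example (not from the book): baseline and verify the files in an Oracle
# home's bin directory. Assumed: GNU coreutils (sha256sum, sort, diff, mktemp).
# Run the baseline once from a known-good state, copy it off the host, and run
# the check from a known-good sha256sum at the start and end of each
# break-glass session.

# Write a baseline: one "hash  path" line per regular file, sorted by path so
# two baselines of the same tree always diff cleanly.
take_baseline() {
    home="$1"; out="$2"
    find "$home/bin" -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 > "$out"
}

# Compare the current tree with a stored baseline. Returns 0 when nothing has
# changed, 1 otherwise, printing each differing line: a modified file shows up
# as a baseline line plus a current line with the same path and a new hash, a
# deleted file as a baseline line only, a new file as a current line only.
check_baseline() {
    home="$1"; base="$2"
    current=$(mktemp)
    take_baseline "$home" "$current"
    if diff "$base" "$current" > /dev/null; then
        rm -f "$current"
        return 0
    fi
    echo "INTEGRITY CHANGE under $home/bin:"
    diff "$base" "$current" | grep '^[<>]' | sed 's/^</  baseline:/; s/^>/  current: /'
    rm -f "$current"
    return 1
}

# Constructed demo (fake files, not Oracle binaries): a throwaway ORACLE_HOME
# with two "executables", a clean check, then a one-byte change to bin/oracle
# standing in for a rootkit-patched binary. Returns 0 only if the clean check
# passed and the tampering was detected.
demo() {
    demo_home=$(mktemp -d)
    mkdir -p "$demo_home/bin"
    printf 'not really the oracle binary\n' > "$demo_home/bin/oracle"
    printf 'not really sqlplus\n' > "$demo_home/bin/sqlplus"
    demo_base="$demo_home/baseline.sha256"       # keep the baseline off-host in practice
    take_baseline "$demo_home" "$demo_base"
    if ! check_baseline "$demo_home" "$demo_base"; then
        rm -rf "$demo_home"; return 1             # unchanged tree must pass
    fi
    printf 'X' >> "$demo_home/bin/oracle"          # tamper with the binary
    if check_baseline "$demo_home" "$demo_base"; then
        rm -rf "$demo_home"; return 1             # change must be reported
    fi
    rm -rf "$demo_home"
    return 0
}

# Usage (hypothetical paths):
#   take_baseline /u01/app/oracle/product/12.1.0/dbhome_1 /root/oracle-bin.sha256
#   check_baseline /u01/app/oracle/product/12.1.0/dbhome_1 /root/oracle-bin.sha256
demo
```

A hash list is only a detector, not a preventer: it tells you the binary differs from the baseline, not what was done
to it, so a reported change during a break-glass session should be followed by a comparison of the file against the
installation media or a patched copy from a trusted host before the session is allowed to continue.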