See this paper for more details on SYS password security and brute-forcing remotely (requires Firefox or IE):
http://www.oracleforensics.com/wordpress/wp-content/uploads/2014/02/oraclepasswords.pdf
And of course, check that the OS account is not oracle/oracle and, even worse, on Solaris 10 check that this telnet bug is fixed. It allows remote unauthenticated access to Solaris 10 as shown:
[root@localhost ~]# telnet -l "-fbin" 10.1.1.11
Trying 10.1.1.11...
Connected to 10.1.1.11 (10.1.1.11).
Escape character is '^]'.
Last login: Tue Feb 13 11:19:02 from 10.1.1.166
Sun Microsystems Inc. SunOS 5.10 Generic January 2005
$ cat /etc/passwd
root:x:0:0:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
It is worth putting network monitoring onto the EM installation to alert on attempts to scan the EM repository or to log on without the correct password. SNORT is good free security monitoring software under the GPL. The SNORT rules are available at http://www.snort.org/pub-bin/sigs-search.cgi?sid=oracle and benefit from use with regular expressions.
When using SNORT, watch out for potential signature bypasses like these two examples, as well as encrypted commands:
SQL> GRANT/**/DBA/**/TO/**/PUBLIC;
declare
l_cnt varchar2(20);
begin
execute immediate 'sel'||'ect pas'||'sword'||' from dba'||'_users where user'||'_id =0'
into l_cnt;
dbms_output.put_line(l_cnt);
end;
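As an added illustration (not code from the book), the following Python matcher shows why a signature should be applied to normalized SQL rather than raw network text: it strips inline comments and folds 'a'||'b' literal concatenation before matching, and the sample statements are constructed from the two bypass examples above. It does not cover the encrypted-command or 12c SQL Translation cases.

```python
import re

# Constructed samples: the two bypasses from the text, a plain form, and a benign query.
SAMPLES = [
    "GRANT/**/DBA/**/TO/**/PUBLIC;",
    "execute immediate 'sel'||'ect pas'||'sword'||' from dba'||'_users where user'||'_id =0' into l_cnt;",
    "GRANT DBA TO PUBLIC;",
    "select username from dba_users where user_id = 0;",
]

# A raw-text signature of the kind that the comment and concatenation tricks evade.
NAIVE_RE = re.compile(r"grant\s+dba\s+to\s+public|select\s+password\s+from\s+dba_users", re.I)

COMMENT_RE = re.compile(r"/\*.*?\*/|--[^\n]*", re.DOTALL)
# Two adjacent string literals joined by ||; '' inside a literal is an escaped quote.
CONCAT_RE = re.compile(r"'((?:[^']|'')*)'\s*\|\|\s*'((?:[^']|'')*)'")
LITERAL_RE = re.compile(r"'((?:[^']|'')*)'")

# Rules are matched against normalized text, so whitespace and case are irrelevant.
RULES = [
    ("grant_dba_to_public", re.compile(r"\bgrant\b.*\bdba\b.*\bto\s+public\b")),
    ("read_dba_users_password", re.compile(r"\bpassword\b.*\bfrom\s+dba_users\b")),
]


def naive_match(stmt):
    """Raw signature check; returns True only when the literal token sequence is present."""
    return bool(NAIVE_RE.search(stmt))


def normalize_sql(stmt):
    """Remove comments, fold literal concatenation, collapse whitespace, lowercase."""
    s = COMMENT_RE.sub(" ", stmt)
    while True:  # fold repeatedly: each pass joins one pair of neighbouring literals
        folded = CONCAT_RE.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", s)
        if folded == s:
            break
        s = folded
    return re.sub(r"\s+", " ", s).strip().lower()


def match_rules(stmt):
    """Return the names of rules hit by the statement or by any string literal inside it."""
    norm = normalize_sql(stmt)
    # Dynamic SQL passed to execute immediate lives inside a literal, so scan those too.
    texts = [norm] + [re.sub(r"\s+", " ", lit) for lit in LITERAL_RE.findall(norm)]
    return [name for name, pat in RULES if any(pat.search(t) for t in texts)]
```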
Additionally, the SQL Translation framework in 12c causes problems for network monitoring, as the SQL on the network is not what gets run on the DB. In this case an in-memory agent on the EM repository will reduce risk and get on top of the DBA privilege. In medium to high security environments it is worth installing a high-quality monitoring tool that cannot be turned off or bypassed by DBA privilege. See here:
http://www.slaviks-blog.com/2013/07/29/new-interesting-feature-of-oracle-12c/
It is worth allocating significant budget to the problem of securing an EM12c installation, especially the OMR, because it is the most important Oracle component but currently has the least effective security. This is where a third-party monitoring tool such as those mentioned in Chapter 11 becomes mandatory in a high security environment.
But the problem with monitoring is that it is reactive. Even IPS is reactive. In order to avoid and prevent risk occurring, privileged access control has to be applied to 12c itself. Installing YAST and giving DBAs root may make life easier, but this increases the risk of backdoors. How does one control privileged identities on a cloud-oriented platform? The next chapter will dig deeper into this interesting subject.