Three Tier Oracle Security in London ~ Paul M. Wright

(nix, oracle, java, www, cloud ) intersect (safety, security, reliability, integrity)


DAMS for Post and PRE-CPU Change Management

When a new CPU/PSU comes out, a package is known to be vulnerable, e.g. SYS.DMP_SYS (CVE-2009-1007), but applying the patch may be too risky and/or take too long to test before deployment. CPUs are complex and their effect cannot be predicted. The strategy has to be one of install on QA and stand well back ~ November 5th firework style.
A quicker and simpler way to remove the threat of a vulnerable package is to simply REVOKE the PUBLIC EXECUTE on that package. The effects of this can be predicted and controlled more closely, but it may be the case that SYS.DMP_SYS is used by other packages, applications and in-house code that rely on that PUBLIC EXECUTE for their functionality. This is especially the case with SYS objects: highly privileged DBA and application accounts holding EXECUTE ANY PROCEDURE still rely on the PUBLIC EXECUTE to use that package, because the EXECUTE ANY PROCEDURE system privilege omits the SYS schema. Only SYS does not use the PUBLIC EXECUTE privilege for SYS packages.
The other advantage of being able to make manual changes like this rather than relying on the patch is that PRE-CPU information can be acted upon.

In order to carry out this command…

REVOKE EXECUTE ON SYS.DMP_SYS FROM PUBLIC;

…with low risk, access to SYS.DMP_SYS has to be monitored and profiled over time before the change is made. This is one of the benefits of using a Database Activity Monitoring System. To profile use of SYS.DMP_SYS properly, a host-based system is required, as a network-based system is only going to see calls from the app tier and not internal calls from other Oracle packages in the DB. The simplest and most generic host-based DAMS rule language is Sentrigo Hedgehog, and the rule is as follows.

object='SYS.DMP_SYS' AND USER <>'SYS'

If the above rule returns no results after a couple of weeks then the PUBLIC EXECUTE can be REVOKEd with low risk. This is quicker than testing patches and will work more often than a complex patch which may fail. So in addition to IDS/IPS and user activity monitoring, DAMS can provide a quicker and more efficient change control process.
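Two checks a DBA can run alongside the Hedgehog rule before issuing the REVOKE, as an added example that is not from the original post: a static dependency lookup for stored code compiled against SYS.DMP_SYS, and traditional object auditing as a fallback runtime profile where no DAMS is deployed. It uses the package from the post and assumes a DBA session with AUDIT_TRAIL set to DB or DB,EXTENDED; the view and column names are standard Oracle data dictionary views.

```sql
-- 1. Who currently holds EXECUTE on SYS.DMP_SYS? Expect PUBLIC plus any explicit grants.
SELECT grantee, privilege, grantor
  FROM dba_tab_privs
 WHERE owner = 'SYS' AND table_name = 'DMP_SYS';

-- 2. Static dependencies: non-SYS stored code compiled against SYS.DMP_SYS would be
--    invalidated by the REVOKE. Callers that use dynamic SQL are NOT listed here,
--    which is why the runtime profiling described in the post is still needed.
SELECT owner, name, type
  FROM dba_dependencies
 WHERE referenced_owner = 'SYS'
   AND referenced_name  = 'DMP_SYS'
   AND owner <> 'SYS'
 ORDER BY owner, name;

-- 3. Fallback runtime profile using standard object auditing. This records direct
--    executions by the session user; calls made from inside other PL/SQL units are
--    not captured, which is the gap a host-based DAMS closes.
AUDIT EXECUTE ON sys.dmp_sys BY ACCESS;

-- After the profiling window (the post suggests a couple of weeks), list non-SYS
-- callers; this is the same filter as the Hedgehog rule object='SYS.DMP_SYS' AND USER<>'SYS'.
SELECT username, os_username, userhost,
       MIN(timestamp) AS first_seen, MAX(timestamp) AS last_seen, COUNT(*) AS calls
  FROM dba_audit_trail
 WHERE owner = 'SYS' AND obj_name = 'DMP_SYS' AND username <> 'SYS'
 GROUP BY username, os_username, userhost
 ORDER BY calls DESC;

-- 4. Only when step 2 and the profiling window both come back empty: revoke, then
--    confirm that no dependent objects outside SYS were left INVALID by the change.
REVOKE EXECUTE ON sys.dmp_sys FROM PUBLIC;

SELECT owner, object_name, object_type
  FROM dba_objects
 WHERE status = 'INVALID' AND owner <> 'SYS'
 ORDER BY owner, object_name;
```

The final query gives an immediate rollback signal: if in-house code shows up as INVALID, a targeted GRANT EXECUTE to that schema restores it without reopening the package to PUBLIC.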
If you are interested in the benefits of deploying a Database Activity Monitoring system it is worth reading the case-study highlighted in UKOUG SCENE Journal and attending the SANS DAMS course of the same name. I recommend registering sooner rather than later to avoid disappointment.
Cheers,
Paul
