Three Tier Oracle Security in London ~ Paul M. Wright

(nix, oracle, java, www, cloud ) intersect (safety, security, reliability, integrity)


UKOUG 2012 in a nutshell

Hi Oracle Security Folks,

UKOUG 2012 in a nutshell:

OAK Table day highlight was Julian’s analysis of RAT capture formats, which made reverse engineering proprietary formats look a lot easier than it should do. Christian’s super secret talk was so secret that it was not given, but I managed to catch up on that later.

Monday my presentation was surprisingly full up (OK, it was a small room), and no one fell asleep or ran screaming, so that classifies it as successful in my book. The slides are on UKOUG’s web site but require a logon. In truth the talk went very well and the audience genuinely seemed to appreciate the hard work I had put in, and the contribution made by co-speaker Philip Weedon.

Afterwards, I wandered over to Grant Allen’s talk. Grant made contributions from a Unix perspective, including how to log bash commands to syslog (cool), and re-iterated the benefits of centralising the audit trail. Had a chat after and started the post-talk celebrations, which resulted in going to bed at breakfast time. So that’s why they call it “Bed and Breakfast”. The rest of the two days should be annotated with the fact that it took me approximately two days to recover from the Monday night, but it was worth it as I had some very interesting talks about how DBA privilege is actually managed – in practice – which is different from the typical Identity Management perspective… more to come on this.

Tuesday was a later start and I helped Pete with the Oracle Security Roundtable, which was well attended with lively discussion.
Then Tom’s 12c talk, which had some security perspectives. Tom’s presentation skills are second to none and he interacted with the Hall 1 audience very naturally. What we know is that there are a lot of new features for security in 12c, as well as a lot of extra products that can be purchased to enhance the security of the database.
Conversely, I think the actual core security of the central product has been degraded in some ways. For instance password complexity, account locking, password history, failed login throttling etc. are no longer effective on SYS in 11 upwards, and many of the OraSec “experts” and DBA Managers are not aware of this because they are bombarded with extraneous information about extra add-ons which do not cure the core weaknesses.
I published sys_throttler to address this, but a full solution is not trivial… so we can say that Oracle Security is not solved yet.

After Tom we headed to Gregory’s Identity Management talk, which was a good overview of how to use OVD to manage DB users, and highlighted that Oracle can unexpectedly support two separate authentication mechanisms for one user (ref Pete), which is something I also alluded to in http://www.oracleforensics.com/wordpress/index.php/2008/09/21/bypassing-ora-01997/.

Identity Management of lower privileged accounts in Oracle is a good thing, but it certainly becomes more difficult once the users are privileged, as they can break the chains that bind them… hence the requirement for a compensating balance like auditing.

Pete’s Wednesday 9 AM talk on audit trails was a bit cloudy in my mind first time round, but reading the slides now they are making sense.
Pete showed using client_identifier as the central identity through core audit… excellent battle-worn advice.
Also discussed identifying SQL injections and killing the session automatically… but difficult for a session to kill itself. This would be handy when trying to automatically defend against an attack. Obviously it is possible to call out to the OS, but within the DB this is not so easy… work to do again.
Also Pete mentioned using a trigger to enable core audit to save on performance.
A lot of this changes in 12c, but the concepts were very interesting…
Pete then transferred to DBA access control mode and described how the power of the DBA can be controlled through individual proxy users proxying to a core DBA role which is customised. This is a good strategy for BAU. The problem is of course that to carry out imports/exports and user management the ALTER USER privilege is needed, and any user with this, or execute on dbms_sys_sql etc., can act as a different user, so it is not a solution for the highest privilege.
Breakglass and time-based access control is the way forward for taming the top dog privileges in my view/experience… though splitting SYSDBA into separate system privileges goes towards taming SYS, e.g. SYSBACKUP and SYSAUD et al.
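Two of Pete’s points above, client_identifier as the central identity in the core audit trail, and individual DBA logins proxying to a customised core DBA account, can be set up with standard Oracle syntax. What follows is an added example written for this write-up, not code from the post or from any of the presenters. It assumes an 11g database with standard auditing on (AUDIT_TRAIL=DB); the account, role and object names (core_dba, bau_dba_role, alice, app_pool, hr.employees) are hypothetical and the passwords are placeholders.

```sql
-- Added example, not from the post. Assumes AUDIT_TRAIL=DB on 11g and the
-- hypothetical names below; replace the <...> placeholders before running.

----------------------------------------------------------------------
-- Part 1: client_identifier as the identity that survives a connection pool
----------------------------------------------------------------------
-- A three-tier app connects as one pooled account (app_pool), so on its own
-- the audit trail only ever names "APP_POOL".  The middle tier tags each
-- borrowed connection with the real end user before doing any work:
BEGIN
  DBMS_SESSION.SET_IDENTIFIER('jsmith@example.com');  -- constructed end-user id
END;
/

-- For interactive logins that never set an identifier, fall back to the
-- OS user and host so that no session reaches the trail untagged.
CREATE OR REPLACE TRIGGER trg_tag_session AFTER LOGON ON DATABASE
BEGIN
  IF SYS_CONTEXT('USERENV', 'CLIENT_IDENTIFIER') IS NULL THEN
    DBMS_SESSION.SET_IDENTIFIER(
      SYS_CONTEXT('USERENV', 'OS_USER') || '@' || SYS_CONTEXT('USERENV', 'HOST'));
  END IF;
END;
/

-- Audit the sensitive object by access; CLIENT_ID is stored with every row.
AUDIT SELECT, UPDATE, DELETE ON hr.employees BY ACCESS;

-- Review: who (client_id) did what, regardless of which DB account they used.
SELECT timestamp, username, client_id, action_name, obj_name
  FROM dba_audit_trail
 WHERE obj_name = 'EMPLOYEES'
 ORDER BY timestamp DESC;

----------------------------------------------------------------------
-- Part 2: individual DBA logins proxying to a customised core DBA account
----------------------------------------------------------------------
-- A cut-down role for business-as-usual work.  Deliberately NOT granted:
-- ALTER USER, BECOME USER, EXECUTE ON DBMS_SYS_SQL, since any of these lets
-- the holder act as another user, which is exactly the post's caveat.
CREATE ROLE bau_dba_role;
GRANT SELECT ANY DICTIONARY, ALTER SYSTEM, CREATE ANY INDEX, ANALYZE ANY
   TO bau_dba_role;

-- The shared target account.  Its password lives in the vault and is never
-- handed out; people reach it only through the proxy grants below.
CREATE USER core_dba IDENTIFIED BY "<vaulted-placeholder>";
GRANT CREATE SESSION TO core_dba;      -- granted directly so proxy logon works
GRANT bau_dba_role TO core_dba;
ALTER USER core_dba DEFAULT ROLE NONE; -- role only comes on via WITH ROLE below

-- Each DBA keeps a personal login with nothing but CREATE SESSION...
CREATE USER alice IDENTIFIED BY "<placeholder>";
GRANT CREATE SESSION TO alice;
-- ...and is allowed to become core_dba with only the BAU role enabled.
ALTER USER core_dba GRANT CONNECT THROUGH alice WITH ROLE bau_dba_role;

-- Record every proxy logon to the shared account.
AUDIT SESSION BY core_dba;

-- alice connects with:  sqlplus alice[core_dba]/<password>
-- Inside that session both identities are visible:
SELECT SYS_CONTEXT('USERENV', 'PROXY_USER')   AS real_person,
       SYS_CONTEXT('USERENV', 'SESSION_USER') AS effective_account
  FROM dual;

-- Periodic review: who may proxy to which account, and with which role.
SELECT client, proxy, role FROM dba_proxies ORDER BY proxy, client;

-- And which proxy sessions actually hit the shared account.
SELECT timestamp, username, proxy_sessionid, os_username, userhost
  FROM dba_audit_trail
 WHERE username = 'CORE_DBA' AND action_name LIKE 'LOGON%'
 ORDER BY timestamp DESC;
```

The point of DEFAULT ROLE NONE plus WITH ROLE is that a proxy session gets exactly one role and nothing else, so the blast radius of a compromised personal login is the BAU role, not the whole of core_dba. The import/export and user-management gap the post describes remains: those tasks still need ALTER USER, which is why they belong in a separate break-glass account rather than in bau_dba_role.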

Pythian were prominent with some interesting work on human reliability and Privileged Access Monitoring. Absolute Applications were busy with their training offerings and DSP had 6 presentations, so the vendor element looked healthy.

I would have liked to have gone to…
-Guido Schmutz’s NoSQL presentation, but the PDF reads well.
-Carl Dudley’s audit trail presentation, which was thorough and of immediate practical use in 11g.
-Owen Ireland’s GoldenGate presentation, which is an excellent quick-start intro for DBAs.
-Hitachi’s Muthukumar, who did a detailed presentation on localisation in Oracle for the EU.
-Portrix’s Bjorn Rost, who did an informative presentation on Total Recall listing the virtual columns and AS OF syntax.
Of course there are loads of others; these are just the presentations that caught my eye.

The general opinion was that the conference was better than last year. I can’t vouch for that as I wasn’t there last year due to work commitments, but I certainly enjoyed catching up with old friends. Next year, I am informed, the conference for DB will be in Manchester, which is the home of my MSc CS department, Mr Turing, and some of the best music to grace our charts, as well as a special breed of mega pub (ref Moon Under the Water), though the Lass O’ Gowrie aims for quality rather than quantity. In short Manchester is literally a cool place and thankfully still serviced by Virgin trains, so see you there next year.

Thank you to all the excellent presenters this year who have increased my understanding yet again.
It is interesting to see how California’s Oracle user group compares: http://www.nocoug.org/presentations.html

Cheers,
Paul

One Response to “UKOUG 2012 in a nutshell”

    sydoracle:

    “but difficult for a session to kill itself.”

    I once had an ugly situation where I needed a session to ‘hard-fail’ in a way that couldn’t get caught by an exception handler several layers up the call tree. A bit of trial and error indicated that raising a ‘Your session has been killed’ ORA-00028 error wouldn’t get trapped, would propagate all the way to the client layer and terminate the session.

    declare
        -- ORA-00028 is "your session has been killed"; bind it to a named exception
        e_suicide exception;
        pragma exception_init(e_suicide, -28);
    begin
        raise e_suicide;
    exception
        -- the WHEN OTHERS handler is here on purpose: the test is whether ORA-00028
        -- gets trapped by it, and it does not; the error propagates to the client
        -- and the session terminates
        when others then
            null;
    end;
    /
