Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Oracle 11g Anti-hacker's Cookbook

You're reading from   Oracle 11g Anti-hacker's Cookbook Make your Oracle database virtually impregnable to hackers using the knowledge in this book. With over 50 recipes, you'll quickly learn protection methodologies that use industry certified techniques to secure the Oracle database server.

Arrow left icon
Product type Paperback
Published in Oct 2012
Publisher Packt
ISBN-13 9781849685269
Length 302 pages
Edition 1st Edition
Languages
Arrow right icon
Author (1):
Arrow left icon
Adrian Neagu Adrian Neagu
Author Profile Icon Adrian Neagu
Adrian Neagu
Arrow right icon
View More author details
Toc

Table of Contents (16) Chapters Close

Oracle 11g Anti-hacker's Cookbook
Credits
Foreword
About the Author
About the Reviewers
www.PacktPub.com
Preface
1. Operating System Security 2. Securing the Network and Data in Transit FREE CHAPTER 3. Securing Data at Rest 4. Authentication and User Security 5. Beyond Privileges: Oracle Virtual Private Database 6. Beyond Privileges: Oracle Label Security 7. Beyond Privileges: Oracle Database Vault 8. Tracking and Analysis: Database Auditing Index

Using Tripwire for file integrity checking


Appropriate file and filesystem permissions are essential in order to ensure the integrity of the files that physically comprise the database and the Oracle software. We must make sure that we do not grant permissions to other users to write or read data belonging to physical database and configuration files, such as listener.ora or sqlnet.ora outside of the oracle owner user. When Automatic Storage Management (ASM) is used as a storage medium, we also need to ensure that we have the appropriate permissions defined at the exposed raw disks level. Even if these files are not normally seen with OS commands, disks can be compromised by using the dd command. Another problem may be related to the script or program execution, as power users and attackers may have group-level permissions that would allow them to unexpectedly or intentionally endanger the integrity of the database files.

The alteration of files and directories considered critical in terms of content and permissions could be the first sign of attack or system penetration. In this category we can also add suspect files with SUID and GUID enabled (most rootkits have files with SUID and GUID permissions), world writeable, readable and executable files, and unowned files. One option is to use custom scripts for change detection. In my opinion this is error prone and requires serious development effort. A better option is to use specialized intrusion detection tools that have built-in integrity checking algorithms and real-time alerting capabilities (SNMP traps, e-mail, and sms).

Tripwire is an intrusion detection system (IDS), which is able to take time-based snapshots and compare them in order to check different types of modifications performed on monitored files and directories.

In the following recipe we will use the open source variant of the Tripwire intrusion detection system and demonstrate some of its key capabilities.

Getting ready

All steps will be performed as root user on nodeorcl1.

As a prerequisite, download the latest version source code of the Tripwire extract and copy it to a directory that will be used for compiling and linking the source code.

How to do it...

  1. Enter in the directory where you have extracted the Tripwire source code, configure and build Tripwire binaries and libraries as follows:

    [root@nodeorcl1 tripwire-2.4.2.2-src]# ./configure
    ……………………………………………………
    [root@nodeorcl1 tripwire-2.4.2.2-src]# ./make install
    ………………………………………………………
    g++  -O -pipe -Wall -Wno-non-virtual-dtor  -L../../lib -o tripwire  generatedb.o …………………………………………………………
    /usr/bin/install -c -m 644 './twconfig.4' '/usr/local/share/man/man4/twconfig.4'
     /usr/bin/install -c -m 644 './twpolicy.4' '/usr/local/share/man/man4/twpolicy.4'
    
  2. During make install phase we will be asked to accept the license agreement and a series of passphrases for generating the site and local key:

    ……………………………………………………………
    LICENSE AGREEMENT for Tripwire(R) 2.4 Open Source
    
    Please read the following license agreement.  You must accept the
    agreement to continue installing Tripwire.
    
    Press ENTER to view the License Agreement.
    ………………………………………………………………………………………………………………………
    Please type "accept" to indicate your acceptance of this
    license agreement. [do not accept] accept
    …………………………………………………………………………………………………………………………………
    Continue with installation? [y/n] y
    
     
    (When selecting a passphrase, keep in mind that good passphrases typically
    have upper and lower case letters, digits and punctuation marks, and are
    at least 8 characters in length.)
    
    Enter the site keyfile passphrase:
    Verify the site keyfile passphrase:
    Generating key (this may take several minutes)...Key generation complete.
    
    ……………………………………………………………………………………………
    
    Enter the local keyfile passphrase:
    Verify the local keyfile passphrase:
    Generating key (this may take several minutes)...Key generation complete.
    
    ----------------------------------------------
    ………………………………………………
    [root@nodeorcl1 tripwire-2.4.2.2-src]#
    
  3. After the installation is complete, initialize Tripwire. At this step, the policy and configuration files will be encrypted and applied. Based on policies and configuration, an initial baseline check will be performed and a database containing the characteristics of monitored files will be built:

    [root@nodeorcl1 etc]# tripwire --init
    Please enter your local passphrase: 
    Parsing policy file: /usr/local/etc/tw.pol
    Generating the database...
    *** Processing Unix File System ***
    
    …………………………………………
    Wrote database file: /usr/local/lib/tripwire/nodeorcl1.twd
    The database was successfully generated.
    [root@nodeorcl1 etc]#
    
  4. After Tripwire will finalize the initialization, we will be able to add our own policies. On Red Hat, by default, the initial policy file, twpol.txt, and configuration file, twcfg.txt, will be located in the /local/usr/etc/tripwire/ directory. For security reasons these files must be deleted. To generate a text-based policy file from the existent policy configuration execute the following command:

    [root@nodeorcl1 etc]#twadmin --print-polfile > //usr/local/etc//twpolicy.txt
    [root@nodeorcl1 etc]#
    
  5. Open and edit the /local/usr/etc/tripwire/twpolicy.txt file. In the global section after HOSTNAME=/nodeorcl1 add the ORACLE_HOME variable as follows:

    HOSTNAME=nodeorcl1;
    ORACLE_HOME="/u01/app/oracle/product/11.2.0/dbhome_1";
    
  6. Add two new rules related to the Oracle software binaries and libraries (all files from $ORACLE_HOME/bin and $ORACLE_HOME/lib) and network configuration files (all files from $ORACLE_HOME/network/admin). The files from these directories are mostly static; all modifications performed here are usually performed by database administrators (patching, enabling, or disabling an option, such as OVA, OLS, and network settings). In this case the ReadOnly mask summary is appropriate. Add a rule for the directory that contains the Oracle Database files (/u02/HACKDB). These files change frequently, and the $Dynamic summary mask should be appropriate here. Add the following three sections at the end of the twpolicy.txt file:

    ################################
    # Oracle Libraries and Binaries #
    ################################
    (
    rulename = "Oracle Binaries and Libraries",
    severity = 99,
    )
    {
    $(ORACLE_HOME)/bin    -> $(ReadOnly);
    $(ORACLE_HOME)/lib   -> $(ReadOnly);
    }
    #####################################
    # Oracle Network Configuration Files #
    #####################################
    
    (
    rulename = " Oracle Network Configuration files",
    severity = 90,
    )
    {
    $(ORACLE_HOME)/network/admin -> $(ReadOnly);
    }
    ##########################################
    # Oracle Datafiles
    ##########################################
    (
    rulename="Oracle Datafiles",
    severity=99,
    )
    {
    /u02/HACKDB -> $(Dynamic);
    }
    
  7. Perform some modifications in listener.ora and sqlnet.ora. Also, we have decided to not use external procedures and external job execution in the future. Therefore as a primary security measure we will move (normally in a production environment you should delete them) these files from $ORACLE_HOME/bin directory to /extprocjob directory:

    [oracle@nodeorcl1 bin]# mv /u01/app/oracle/product/11.2.0/dbhome_1/bin/extproc /extprocjob
    [oracle@nodeorcl1 bin]# mv /u01/app/oracle/product/11.2.0/dbhome_1/bin/extjob /extprocjob  
    
  8. Next, as root update the Tripwire database using the new updated policy file as follows:

    [root@nodeorcl1 etc]# tripwire -m p --secure-mode low /usr/local/etc/twpolicy.txt
    Parsing policy file: /usr/local/etc/twpol.txt
    Please enter your local passphrase: 
    Please enter your site passphrase: 
    ……………………………………………………………………………
    Wrote policy file: /usr/local/etc/tw.pol
    Wrote database file: /usr/local/lib/tripwire/nodeorcl1.twd
    [root@nodeorcl1 etc]#
    
  9. Again, to simulate an intrusion, perform some modifications on listener.ora and sqlnet.ora, change permissions on /u02/HACKDB/users01.dbf to world readeable, and move extjob and extproc back to $ORACLE_HOME/bin. Create a file named ha_script in /home/oracle with the SUID and GUID bit set and a file with world writeable permissions called ha_wwfile:

    [root@nodeorcl1 ~]$ chmod o+r /u02/HACKDB/users01.dbf
    [root@nodeorcl1 oracle]# touch ha_script
    [root@nodeorcl1 oracle]# chmod u+s,g+s,u+x ha_script 
    [root@nodeorcl1 oracle]# touch ha_wwfile
    [root@nodeorcl1 oracle]# chmod o+w ha_wwfile
    
  10. Next as root, perform an interactive type check to find out the modifications performed on monitored directories and files. The expected values are recorded in the Expected column. All modifications are recorded in the Observed column as follows:

    [root@nodeorcl1 etc]# tripwire –check --interactive
    Parsing policy file: /usr/local/etc/tw.pol
    *** Processing Unix File System ***
    Performing integrity check...
    ……………………………………………………
    ### Continuing...
    ……………………………………………………………………………………………………………………………………………
    Remove the "x" from the adjacent box to prevent updating the database
    with the new values for this object.
    
    Added:
    [x] "/home/oracle/ha_script"
    [x] "/home/oracle/ha_wwfile"
    
    /…………………………………………………………………………………………………………………………………………….
    Remove the "x" from the adjacent box to prevent updating the database
    with the new values for this object.
    
    Added:
    [x] "/u01/app/oracle/product/11.2.0/dbhome_1/bin/extproc"
    [x] "/u01/app/oracle/product/11.2.0/dbhome_1/bin/extjob"
    
    Modified:
    [x] "/u01/app/oracle/product/11.2.0/dbhome_1/bin"
    
    -------------------------------------------------------------------------------
    Rule Name: Oracle Network Configuration files (/u01/app/oracle/product/11.2.0/dbhome_1/network/admin)
    Severity Level: 90
    -------------------------------------------------------------------------------
    
    Remove the "x" from the adjacent box to prevent updating the database
    with the new values for this object.
    
    Modified:
    [x] "/u01/app/oracle/product/11.2.0/dbhome_1/network/admin"
    [x] "/u01/app/oracle/product/11.2.0/dbhome_1/network/admin/listener.ora"
    [x] "/u01/app/oracle/product/11.2.0/dbhome_1/network/admin/sqlnet.ora"
    
    -------------------------------------------------------------------------------
    Rule Name: Oracle Datafiles (/u02/HACKDB)
    Severity Level: 99
    -------------------------------------------------------------------------------
    
    Remove the "x" from the adjacent box to prevent updating the database
    with the new values for this object.
    
    Modified:
    [x] "/u02/HACKDB/users01.dbf"
    …………………………………………………………………………………………………………………………………
    Modified object name:  /u02/HACKDB/users01.dbf
    
      Property:            Expected                    Observed
      -------------        -----------                 -----------
      Object Type          Regular File                Regular File
      Device Number        64768                       64768
      Inode Number         393224                      393224
    * Mode                 -rw-r-----                  -rw-r--r--
      Num Links            1                           1
      UID                  oracle (501)                oracle (501)
      GID                  oinstall (502)              oinstall (502)
    
    …………………………………………………………………………………………………………………………………………………………………………
    
  11. Also you will find information, visible in the Observed column, about the two files added in /home/oracle:

    Added Objects: 2
      ----------------------------------------
    
    Added object name:  /home/oracle/ha_script
    
      Property:            Expected                    Observed
      -------------        -----------                 -----------
    * Object Type          ---                         Regular File
    * Device Number        ---                         64771
    * Inode Number         ---                         262354
    * Mode                 ---                         -rwsr-lr--
    * Num Links            ---                         1
    * UID                  ---                         oracle (501)
    * GID                  ---                         oinstall (502)
    * Size                 ---                         0
    * Modify Time          ---                         Sun 23 Sep 2012 10:03:54 PM EEST
    * Blocks               ---                         0
    * CRC32                ---                         D/////
    * MD5                  ---                         DUHYzZjwCyBOmACZjs+EJ+
    
    
    Added object name:  /home/oracle/ha_wwfile
    
      Property:            Expected                    Observed
      -------------        -----------                 -----------
    * Object Type          ---                         Regular File
    * Device Number        ---                         64771
    * Inode Number         ---                         262355
    * Mode                 ---                         -rw-r--rw-
    * Num Links            ---                         1
    * UID                  ---                         oracle (501)
    * GID                  ---                         oinstall (502)
    * Size                 ---                         0
    * Modify Time          ---                         Sun 23 Sep 2012 10:04:24 PM EEST
    * Blocks               ---                         0
    * CRC32                ---                         D/////
    * MD5                  ---                         DUHYzZjwCyBOmACZjs+EJ+
    

Note

Downloading the example code

You can download the example code files for all Packt books you have purchased from your account at http://www.PacktPub.com. If you purchased this book elsewhere, you can visit http://www.PacktPub.com/support and register to have the files e-mailed directly to you.

How it works...

The most appropriate moment to install and perform an initial check for creating a baseline is right after operating system installation. Starting with a clean baseline we will be able to monitor and catch any suspect change performed on files over time. The monitoring performed by Tripwire is based on a policy and compliance model. There are a multitude of parameters or property masks that can be applied on monitored files, based on permission change, checksum, object owner, modification timestamp, and more. A property mask tells Tripwire what change about a file is being monitored. A summary property mask is a collection of property masks. The description of property masks and summary masks can be found in the policy file header.

There's more...

Other administrative options

  • Print Tripwire configuration file:

    [root@nodeorcl1 lib]# twadmin --print-cfgfile
    ROOT          =/usr/local/sbin
    POLFILE       =/usr/local/etc/tw.pol
    DBFILE        =/usr/local/lib/tripwire/$(HOSTNAME).twd
    REPORTFILE    =/usr/local/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
    SITEKEYFILE   =/usr/local/etc/site.key
    LOCALKEYFILE  =/usr/local/etc/nodeorcl1-local.key
    EDITOR        =/bin/vi
    LATEPROMPTING =false
    LOOSEDIRECTORYCHECKING =false
    MAILNOVIOLATIONS =true
    EMAILREPORTLEVEL =3
    REPORTLEVEL   =3
    MAILMETHOD    =SENDMAIL
    SYSLOGREPORTING =false
    MAILPROGRAM   =/usr/sbin/sendmail -oi -t
    
  • To create or recreate the local and site keys, execute the following:

    / [root@nodeorcl1 lib]# tripwire-setup-keyfiles
    
  • To print information about a database entry related to a file or object:

    [root@nodeorcl1 lib]# twprint --print-dbfile $ORACLE_HOME/network/admin/listener.ora
    
  • To print a generated report:

    twprint --print-report –twrfile usr/local/lib/tripwire/report/report_name.txt
    
  • To add an e-mail address within a rule for change alert:

    ##########################################
    # Oracle Datafiles
    ##########################################
    (
    rulename="Oracle Datafiles",
    severity=99,
    emailto = <your email address>
    )
    {
    /u02/HACKDB -> $(Dynamic);
    }
    
lock icon The rest of the chapter is locked
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime
Banner background image