dan norris: exadata security

Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | Exadata Database Machine Security Dan Norris MAA Team, Oracle Development October 26, 2015

Upload: kyle-hailey

Post on 16-Apr-2017


TRANSCRIPT

Exadata Database Machine Security

Dan Norris, MAA Team, Oracle Development
October 26, 2015

Program Agenda

1. Preparation for installation
2. Installation, deployment
3. Post-deployment configuration
4. Database creation and configuration
5. Operational security considerations

Security Terminology
Getting us on the same page

• Attack surface – the code within a computer system that can be reached and run by unauthorized users
• Port – network term referring to a virtual endpoint
• Service – operating system term referring to a background process or daemon
• CPU – Critical Patch Update, the quarterly released security patches for Oracle products

Preparation for Installation
Security starts early

• Get educated
• Collect security-related requirements from all stakeholders
• Determine whether a role-separated installation is required
• Plan the network layout
• Subscribe to security alerts: http://is.gd/orasec
• Review MOS note 1068804.1: Guidelines for enhancing the security for an Oracle Database Machine deployment

Plan Network Layout
Perimeter security for networks

• The Client Access network is the entry point for most accesses
• The Management network should be restricted
• InfiniBand is private to the machine; physical security protects it

Installation and Deployment
Implement the available features and security plan

• Exadata includes many security features by default
• Implement the recommended security step during deployment – AKA the "Resecure Machine" step
• Start secure, only open what is necessary – "doing security" later almost never happens (or works)
• Configure ASM audits to use syslog (audit_syslog_level)
• Configure ASM & DB init.ora: audit_sys_operations=true

Default Security Features
Implement the available features and security plan

• short package install list
• only necessary services enabled
• https management interface
• sshd secure default settings
• password aging
• maximum failed login attempts
• auditd monitoring enabled
• cellwall: iptables firewall
• CPUs included in patch bundles, releases synchronized
• system hardening
• boot loader password protection

Resecure Machine Step
Implement the available features and security plan

• In this step, several security changes are made:
  – password complexity requirements are added (dis,dis,16,12,8)
  – passwords are expired (forcing reset on next login)
  – password aging implemented
  – permissions tightened

Resecure Machine Step (physical deployment)

$ ./install.sh -cf maa-phys.xml -l
1. Validate Configuration File
2. Setup Required Files
<snip many steps>
17. Install Exachk
18. Create Installation Summary
19. Resecure Machine

Resecure Machine Step (virtualized deployment)

$ ./install.sh -cf maa-vm.xml -l
1. Validate Configuration File
2. Create Virtual Machine
3. Create Users
<snip many steps>
17. Create Installation Summary
18. Resecure Machine

Post-Deployment Configuration
Address site-specific requirements

• Change all passwords for all default accounts (MOS 1291766.1)
• Perform validation against local policies or rules – see MOS 1405320.1 for commonly identified audit findings
• Exadata Security (griddisk-level security, covered below) – especially for consolidation environments

Post-Deployment Configuration
Cell Lockdown

• *New* in 12.1.2.2.0
• Cells can have remote access disabled – no SSH access to the OS
• Must be enabled temporarily for maintenance (upgrades)
• New cell attributes: accessLevelPerm, accessLevelTemp
• Access can be enabled temporarily, with automatic lock-up at a specified time
• The console can still be reached via ILOM
• Use exacli/exadcli from the DB nodes for cell commands

Post-Deployment Configuration
Cell Lockdown Setup

cellcli> create role administrator
cellcli> grant privilege all actions on all objects all attributes with all options to role administrator
cellcli> create user celladministrator password='*'
cellcli> grant role administrator to user celladministrator

The cell user and role created here are what exacli authenticates with once SSH to the cell is locked down, so create them before enabling the lockdown. password='*' makes CellCLI prompt for the password instead of taking it on the command line (and into the shell history).

Post-Deployment Configuration
Cell Lockdown

# cellcli -e list cell detail | egrep -i 'cellversion|accesslevel'
         accessLevelPerm:        remoteLoginDisabled
         cellVersion:            OSS_12.1.2.2.0_LINUX.X64_150917

exacli> alter cell accessLevelTemp=((accessLevel="remoteLoginEnabled", -
        startTime="now", -
        duration="30m", -
        reason="Quarterly maintenance"))
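A lockdown is only useful if someone checks that it is still in place and that maintenance windows actually close. The following script is an added example, not code from the deck or from Oracle: it parses `list cell detail` output, classifies whether SSH login to the cell is currently possible, and builds the ALTER CELL for a bounded window while refusing open-ended or unlabelled ones. The sample output, the display format of accessLevelTemp (reconstructed from the ALTER CELL syntax above), the ISO-8601 timestamps, the m/h/d duration suffixes and the 240-minute site limit are all assumptions.

```python
"""Added example (not from the slides): audit cell lockdown state and build a
bounded temporary-access request.

Assumptions: the accessLevelTemp display format is reconstructed from the
ALTER CELL syntax on the slide (real CellCLI output may differ in quoting),
timestamps are ISO-8601, and durations use the m/h/d suffixes seen in the
slide's duration="30m".
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample output of `cellcli -e list cell detail` for a locked-down cell.
SAMPLE_LOCKED = """\
         name:                   exa01celadm01
         accessLevelPerm:        remoteLoginDisabled
         cellVersion:            OSS_12.1.2.2.0_LINUX.X64_150917
"""

# Constructed sample for a cell with a 30-minute maintenance window open (format assumed).
SAMPLE_TEMP_WINDOW = """\
         name:                   exa01celadm02
         accessLevelPerm:        remoteLoginDisabled
         accessLevelTemp:        ((accessLevel="remoteLoginEnabled", startTime="2015-10-26T10:00:00+00:00", duration="30m", reason="Quarterly maintenance"))
         cellVersion:            OSS_12.1.2.2.0_LINUX.X64_150917
"""

_DURATION_RE = re.compile(r"^(\d+)([mhd])$")
_UNITS = {"m": "minutes", "h": "hours", "d": "days"}


def parse_cell_detail(text):
    """Turn the `name: value` lines of LIST CELL DETAIL into a dict."""
    attrs = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+):\s*(.*\S)\s*$", line)
        if m:
            attrs[m.group(1)] = m.group(2)
    return attrs


def parse_duration(text):
    """'30m' -> timedelta(minutes=30); rejects anything else rather than guessing."""
    m = _DURATION_RE.match(text)
    if not m:
        raise ValueError(f"unsupported duration {text!r}")
    return timedelta(**{_UNITS[m.group(2)]: int(m.group(1))})


def _parse_ts(text):
    ts = datetime.fromisoformat(text)
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)  # assume UTC when no offset


def parse_temp_window(value):
    """Extract key=value pairs from an accessLevelTemp attribute, quoted or not."""
    return dict(re.findall(r'(\w+)="?([^",)]+)"?', value))


def audit_cell(detail_text, now_iso):
    """Classify remote (SSH) login exposure at time now_iso.

    Returns 'enabled-perm', 'enabled-temp', 'expired-temp' or 'disabled'.
    A cell that never had accessLevelPerm set is reported as 'enabled-perm',
    because remote login is the shipped default.
    """
    attrs = parse_cell_detail(detail_text)
    now = _parse_ts(now_iso)
    if attrs.get("accessLevelPerm") != "remoteLoginDisabled":
        return "enabled-perm"
    window = attrs.get("accessLevelTemp")
    if not window:
        return "disabled"
    w = parse_temp_window(window)
    if w.get("accessLevel") != "remoteLoginEnabled":
        return "disabled"
    start = _parse_ts(w["startTime"])
    end = start + parse_duration(w["duration"])
    return "enabled-temp" if start <= now < end else "expired-temp"


def temp_access_command(duration, reason, max_minutes=240):
    """Build the ALTER CELL that opens a bounded window; refuses long or unlabelled ones.

    The 240-minute ceiling is a hypothetical site policy, not an Exadata limit.
    """
    if parse_duration(duration) > timedelta(minutes=max_minutes):
        raise ValueError(f"window {duration} exceeds site limit of {max_minutes} minutes")
    if not reason.strip() or '"' in reason:
        raise ValueError("reason must be non-empty and must not contain double quotes")
    return ('alter cell accessLevelTemp=((accessLevel="remoteLoginEnabled", '
            f'startTime="now", duration="{duration}", reason="{reason}"))')


if __name__ == "__main__":
    for sample in (SAMPLE_LOCKED, SAMPLE_TEMP_WINDOW):
        print(parse_cell_detail(sample)["name"], audit_cell(sample, "2015-10-26T10:15:00+00:00"))
    print(temp_access_command("30m", "Quarterly maintenance"))
```

Run it against the real output of `cellcli -e list cell detail` (or `exadcli -c cell1,cell2 list cell detail` from a DB node) on a schedule; anything other than "disabled" outside an approved change window is a finding, and "expired-temp" left behind is worth a look because it shows who opened the cell and why.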

Post-Deployment Configuration
Centralized syslog

• Cells have had the syslogconf cell attribute for quite a while
• DB nodes have /etc/rsyslog.conf – on 12.1.2.1.0 and later they also have the syslogconf dbserver attribute

Post-Deployment Configuration
Centralized syslog setup

On the receiving side, for rsyslogd, modify /etc/rsyslog.conf:

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

Then HUP rsyslogd: kill -HUP $(cat /var/run/syslogd.pid)

Port 514/UDP accepts unauthenticated datagrams from any host that can reach it, so restrict the receiver to the Exadata management network with the host firewall. rsyslog can also receive over TCP (imtcp), which avoids the silent loss of dropped UDP datagrams.

Post-Deployment Configuration
Centralized syslog

cellcli> alter cell syslogconf=('authpriv.* @syslgsrv', 'security.* @seclogserver');
cellcli> alter cell validate syslogconf 'authpriv.error';

dbmcli> alter dbserver syslogconf=('authpriv.* @syslgsrv', 'security.* @seclogserver');
dbmcli> alter dbserver validate syslogconf 'authpriv.error';

The validate command sends a test message at the given facility.priority; confirm on the receiving server that it arrived before trusting the forwarding.
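Whether the validate message above actually reaches seclogserver or syslgsrv depends on classic syslog.conf selector semantics ("authpriv.error" means err and anything more severe; "security" is a deprecated alias for auth) and on the RFC 3164 PRI value the rsyslog receiver decodes. The script below is an added example, not code from the deck or from Oracle: it parses the syslogconf attribute value from the slide, evaluates the selectors, and builds and decodes the datagram body a receiver on UDP/514 sees. The host names and the sample log line are constructed.

```python
"""Added example (not from the slides): check which server the syslogconf rules
above will deliver a message to, and decode the RFC 3164 PRI that the rsyslog
imudp receiver sees. Host names and the sample log line are constructed.
"""
import re

# RFC 3164 facility codes; PRI = facility * 8 + severity.
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
              "local0": 16, "local1": 17, "local2": 18, "local3": 19,
              "local4": 20, "local5": 21, "local6": 22, "local7": 23}
FACILITY_NAMES = {code: name for name, code in FACILITIES.items()}
# sysklogd/rsyslog accept "security" as a deprecated alias for auth (facility 4).
FACILITIES["security"] = FACILITIES["auth"]

SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}
SEVERITY_NAMES = {code: name for name, code in SEVERITIES.items()}
SEVERITY_ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}

# Constructed sample matching the slide's ALTER CELL syslogconf=(...) value.
SAMPLE_SYSLOGCONF = "('authpriv.* @syslgsrv', 'security.* @seclogserver')"


def severity_code(name):
    return SEVERITIES[SEVERITY_ALIASES.get(name, name)]


def parse_syslogconf(value):
    """('sel1 @host1', 'sel2 @host2') -> [('sel1', '@host1'), ('sel2', '@host2')]."""
    return [tuple(item.split(None, 1)) for item in re.findall(r"'([^']*)'", value)]


def selector_matches(selector, facility, severity):
    """Classic syslog.conf selector semantics.

    fac.pri matches pri and everything more severe, '*' is a wildcard,
    'a,b.pri' lists facilities, '=pri' means that priority only, 'none' excludes.
    """
    fac_part, pri_part = selector.split(".", 1)
    wanted = fac_part.split(",")
    if "*" not in wanted and FACILITIES[facility] not in {FACILITIES[f] for f in wanted}:
        return False
    if pri_part == "none":
        return False
    if pri_part == "*":
        return True
    if pri_part.startswith("="):
        return severity_code(severity) == severity_code(pri_part[1:])
    return severity_code(severity) <= severity_code(pri_part)


def forward_targets(conf_value, facility, severity):
    """Hosts (without the '@') that receive a facility.severity message under conf_value."""
    return [target.lstrip("@") for sel, target in parse_syslogconf(conf_value)
            if selector_matches(sel, facility, severity)]


def pri(facility, severity):
    return FACILITIES[facility] * 8 + severity_code(severity)


def format_rfc3164(facility, severity, timestamp, host, tag, msg):
    """Build the datagram body rsyslog's imudp receives on UDP/514."""
    return f"<{pri(facility, severity)}>{timestamp} {host} {tag}: {msg}"


_RFC3164 = re.compile(
    r"<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:\[ ]+)(?:\[(\d+)\])?: (.*)$")


def parse_rfc3164(line):
    """Decode PRI and header; returns None for lines that are not RFC 3164 shaped."""
    m = _RFC3164.match(line)
    if not m:
        return None
    fac_code, sev_code = divmod(int(m.group(1)), 8)
    return {"facility": FACILITY_NAMES.get(fac_code, str(fac_code)),
            "severity": SEVERITY_NAMES[sev_code],
            "timestamp": m.group(2), "host": m.group(3), "tag": m.group(4),
            "pid": int(m.group(5)) if m.group(5) else None, "msg": m.group(6)}


# Constructed line of the kind a cell forwards after a failed SSH login (not a real capture).
SAMPLE_LINE = format_rfc3164("authpriv", "err", "Oct 26 10:00:00", "exa01celadm01",
                             "sshd[1234]", "Failed password for root from 10.0.0.5 port 51234 ssh2")

if __name__ == "__main__":
    # Where the slide's `validate syslogconf 'authpriv.error'` test message ends up:
    print(forward_targets(SAMPLE_SYSLOGCONF, "authpriv", "error"))
    print(parse_rfc3164(SAMPLE_LINE))
```

Two things this makes visible that the slide does not: the 'security.*' rule forwards auth (facility 4) traffic, not authpriv, so sshd's authpriv messages only go to syslgsrv under this configuration; and a receiver that filters on PRI needs the facility*8+severity arithmetic, so an 'authpriv.error' validation should show up as PRI 83.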

Exadata Security (ASM, Griddisks)
Consolidation: sharing without peeking

• Privileges at the griddisk level
• Restrict griddisks to certain clusters and/or certain database(s)
• Especially effective for managing multiple administrators
• See the whitepapers:
  – Oracle Exadata Database Machine Consolidation: Segregating Databases and Roles – http://is.gd/exaconsolidation
  – Best Practices for Database Consolidation on Exadata Database Machine – http://is.gd/orclconswp

Database Creation and Configuration
Implement database-specific features and best practices

• Stay current with Exadata bundle patches (MOS 888828.1) – bundle patches include the latest CPU fixes
• Consider TDE, network encryption, Database Vault, Audit Vault
• Review the whitepaper "Cost Effective Security and Compliance with Oracle Database 11g Release 2" – http://is.gd/seccompliance11gr2
• Take the Enterprise Data Security Assessment at http://is.gd/entsecassessment

Oracle Database Security Defense in Depth

[Figure: the Oracle Database security controls grouped in three layers]
PREVENTIVE: Encryption & Redaction; Masking & Subsetting; DBA Controls & Cyber Security
DETECTIVE: Activity Monitoring; Database Firewall; Auditing and Reporting
ADMINISTRATIVE: Privilege & Data Discovery; Configuration Management; Key & Wallet Management

Operational Security Considerations
Remain security-minded when patching, upgrading, backing up

• Local changes (additional packages, configuration) are permitted on DB nodes, not on cells
• Backups can be encrypted
• Patching or upgrading may "undo" some changes; verify afterwards
• DB node updates use yum commands with excludes (see the documentation for the excludes)

Operational Security Considerations (continued)

• Periodic reviews to ensure settings remain in place and vulnerabilities don't creep in
• Secure erase for storage cells is available
• Disk drive retention is available
• Oracle Enterprise Manager Governance, Risk & Compliance Manager continuously reviews the system

Operational Security Considerations
Patching considerations

Component                         Access required
Database – Patch set              Database server root, software home owner, passwordless SSH to all software home owners (on other nodes)
Database – Patch set              Database server root, software home owner
Grid Infrastructure               Same as Database
Exadata Database Server (OS)      Database server root
Exadata Storage Server            Database server root, passwordless SSH from database server root to storage server root (temporarily disable lockdown)
InfiniBand Switch                 Database server root, InfiniBand switch root

Late Breaking Security Updates

MOS Note or URL    Description
Coming soon        Updating JDK on Exadata Database Machine database nodes (listed in the References as 2069987.1)
2060027.1          October 2015 ILOM security updates – fixes included in Exadata 12.1.2.2.0 images

Summary

1. Preparation for installation
2. Installation, deployment
3. Post-deployment configuration
4. Database creation and configuration
5. Operational security considerations

References

MOS Note or URL                 Description
http://is.gd/orasec             Oracle Security Alerts subscription
1068804.1                       Guidelines for enhancing the security for an Oracle Database Machine deployment
1291766.1                       How to change the OS user password for Cell Node, Database Node, ILOM, KVM, InfiniBand Switch, Gigabit Ethernet Switch and PDU on Exadata
888828.1                        Database Machine and Exadata Storage Server 11g Release 2 (11.2) Supported Versions
1405320.1                       Responses to common Exadata security scan findings
http://is.gd/exaconsolidation   Oracle Exadata Database Machine Consolidation: Segregating Databases and Roles
http://is.gd/entsecassessment   Enterprise Data Security Assessment

References (continued)

MOS Note or URL                 Description
1938719.1                       Exadata information on the Bash Shellshock vulnerability
1935817.1                       Exadata information on the SSLv3 POODLE vulnerability
http://is.gd/orclpoodle         Generic information about POODLE for all Oracle products
http://is.gd/orclshellshock     Generic information about Bash Shellshock for all Oracle products
2069987.1                       HOWTO: Update JDK on Exadata Database Nodes

Safe Harbor Statement

The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.