dan norris: exadata security
TRANSCRIPT
Copyright © 2015, Oracle and/or its affiliates. All rights reserved. |
Exadata Database Machine Security
Dan Norris MAA Team, Oracle Development October 26, 2015
Program Agenda
1. Preparation for installation
2. Installation, deployment
3. Post-deployment configuration
4. Database creation and configuration
5. Operational security considerations
Security Terminology
Getting us on the same page
• Attack surface – the code and interfaces in a computer system that unauthorized users can reach or cause to run
• Port – network term referring to a virtual endpoint
• Service – operating system term referring to a background process or daemon
• CPU – Critical Patch Update, quarterly released security patches for Oracle products
Preparation for Installation
Security starts early
• Get educated
• Collect security-related requirements from all stakeholders
• Determine whether a role-separated installation is required
• Plan the network layout
• Subscribe to security alerts - http://is.gd/orasec
• Review MOS note 1068804.1: Guidelines for enhancing the security for an Oracle Database Machine deployment
Plan Network Layout
Perimeter security for networks
• The client access network is the entry point for most accesses
• The management network should be restricted to administrators
• InfiniBand is private to the machine; physical security protects it
Installation and Deployment
Implement the available features and security plan
• Exadata includes many security features by default
• Implement the recommended security step during deployment – AKA the "Resecure Machine" step
• Start secure, only open what is necessary – "doing security" later almost never happens (or works)
• Configure ASM audits to use syslog (audit_syslog_level)
• Configure ASM and DB init.ora: audit_sys_operations=true
Default Security Features
Implement the available features and security plan
• short package install list
• only necessary services enabled
• https management interface
• sshd secure default settings
• password aging
• maximum failed login attempts
• auditd monitoring enabled
• cellwall: iptables firewall
• CPUs included in patch bundles, releases synchronized
• system hardening
• boot loader password protection
Resecure Machine Step
Implement the available features and security plan
• In this step, several security changes are made:
  – password complexity requirements are added (dis,dis,16,12,8)
  – passwords are expired (forcing a reset on next login)
  – password aging is implemented
  – permissions are tightened
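To make the "(dis,dis,16,12,8)" policy concrete, here is an added example (not part of the deck, and not Exadata's own code) that checks candidate passwords against it. It assumes the slide's notation is pam_passwdqc's min=N0,N1,N2,N3,N4 setting, i.e. min=disabled,disabled,16,12,8: one- and two-class passwords are rejected outright, three-class passwords need 12 characters, four-class passwords need 8, and a passphrase of three or more words needs 16. The class counting (a leading capital and a trailing digit do not count) and the passphrase rule are a simplified reading of passwdqc, not its source; the candidate passwords are constructed.

```python
"""Check candidate passwords against the Resecure Machine complexity policy.

Added example, not part of the deck. Assumption: the slide's
"(dis,dis,16,12,8)" is pam_passwdqc's min=N0,N1,N2,N3,N4 setting, i.e.
min=disabled,disabled,16,12,8. The class-counting and passphrase rules
below are a simplified reading of passwdqc, not its actual source.
"""

# Minimum length by password "kind" (None = that kind is disabled):
POLICY = {
    1: None,          # N0: one character class only   -> disabled
    2: None,          # N1: two character classes      -> disabled
    "phrase": 16,     # N2: passphrase of >= 3 words   -> 16 chars
    3: 12,            # N3: three character classes    -> 12 chars
    4: 8,             # N4: four character classes     -> 8 chars
}
PASSPHRASE_WORDS = 3  # passwdqc default passphrase=3


def count_classes(pw):
    """Count character classes (lower, upper, digit, other) in pw.

    As in passwdqc, an upper-case letter used as the first character and
    a digit used as the last character are not counted, so "Welcome1"
    still counts as a single-class password.
    """
    body = pw
    if body[:1].isupper():
        body = body[1:]
    if body[-1:].isdigit():
        body = body[:-1]
    present = (
        any(c.islower() for c in body),
        any(c.isupper() for c in body),
        any(c.isdigit() for c in body),
        any(not c.isalnum() for c in body),
    )
    return max(sum(present), 1)


def is_passphrase(pw):
    """Whitespace-separated words; simplification of passwdqc's word split."""
    return len(pw.split()) >= PASSPHRASE_WORDS


def check(pw):
    """Return (accepted, reason) for one candidate password."""
    n = count_classes(pw)
    need = POLICY[n]
    if need is not None and len(pw) >= need:
        return True, "%d classes, length %d >= %d" % (n, len(pw), need)
    if is_passphrase(pw) and len(pw) >= POLICY["phrase"]:
        return True, "passphrase, length %d >= %d" % (len(pw), POLICY["phrase"])
    if need is None:
        return False, "%d character class(es): disabled by policy" % n
    return False, "%d classes need length >= %d, got %d" % (n, need, len(pw))


if __name__ == "__main__":
    # Constructed candidates, chosen to hit each branch of the policy.
    for pw in ["Welcome1", "welcome123", "Tr0ub4dor&3", "Tr0ub4dor&3x",
               "aB3$aB3$", "correct horse battery staple"]:
        ok, why = check(pw)
        print("%-32s %s (%s)" % (repr(pw), "OK" if ok else "REJECT", why))
```

The interesting cases are the ones that look strong but are not: "Welcome1" is a single-class password once the leading capital and trailing digit are discounted, and "Tr0ub4dor&3" has three classes but is one character short of the 12 the policy demands for that kind.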
Resecure Machine Step
$ ./install.sh -cf maa-phys.xml -l
1. Validate Configuration File
2. Setup Required Files
<snip many steps>
17. Install Exachk
18. Create Installation Summary
19. Resecure Machine
Resecure Machine Step
$ ./install.sh -cf maa-vm.xml -l
1. Validate Configuration File
2. Create Virtual Machine
3. Create Users
<snip many steps>
17. Create Installation Summary
18. Resecure Machine
Post-Deployment Configuration
Address site-specific requirements
• Change all passwords for all default accounts (MOS 1291766.1)
• Perform validation against local policies or rules – see MOS 1405320.1 for commonly identified audit findings
• Exadata Security (griddisk-level privileges) – especially for consolidation environments
Post-Deployment Configuration
Cell Lockdown
• *New* in 12.1.2.2.0
• Cells can have remote access disabled – no SSH access to the OS
• Must be enabled temporarily for maintenance (upgrades)
• New cell attributes: accessLevelPerm, accessLevelTemp
• Can temporarily enable access, with automatic lock-up at a specified time
• Can still access the console via ILOM
• Use exacli/exadcli from DB nodes for cell commands
Post-Deployment Configuration
Cell Lockdown Setup
cellcli> create role administrator
cellcli> grant privilege all actions on all objects all attributes with all options to role administrator
cellcli> create user celladministrator password='*'
cellcli> grant role administrator to user celladministrator
(password='*' makes cellcli prompt for the password instead of taking it on the command line, so it does not end up in shell history)
Post-Deployment Configuration
Cell Lockdown
# cellcli -e list cell detail | egrep -i 'cellversion|accesslevel'
accessLevelPerm: remoteLoginDisabled
cellVersion: OSS_12.1.2.2.0_LINUX.X64_150917
exacli> alter cell accessLevelTemp=((accessLevel="remoteLoginEnabled", -
startTime="now", -
duration="30m", -
reason="Quarterly maintenance"))
Post-Deployment Configuration
Centralized syslog
• Cells have had the syslogconf cell attribute for quite a while
• DB nodes have /etc/rsyslog.conf – on 12.1.2.1.0 and later they also have the syslogconf dbserver attribute (dbmcli)
Post-Deployment Configuration
Centralized syslog setup
On the receiving side, for rsyslogd, modify /etc/rsyslog.conf:
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
Then HUP rsyslogd: kill -HUP $(cat /var/run/syslogd.pid)
Note that UDP syslog is unauthenticated and can drop messages under load; restrict 514/udp on the collector to the Exadata management addresses with the host firewall.
Post-‐Deployment ConfiguraKon
cellcli> alter cell syslogconf=('authpriv.* @syslgsrv', 'security.* @seclogserver');
cellcli> alter cell validate syslogconf 'authpriv.error';
dbmcli> alter dbserver syslogconf=('authpriv.* @syslgsrv', 'security.* @seclogserver');
dbmcli> alter dbserver validate syslogconf 'authpriv.error';
Centralized syslog
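Because patching can undo both cell lockdown and syslog forwarding, a practitioner wants a repeatable check across every cell rather than an eyeball of one `list cell detail`. The following added example (not part of the deck, and not an Oracle tool) serves both the Cell Lockdown and the Centralized syslog slides: it parses captured output of `dcli -g cell_group -l celladmin cellcli -e list cell detail` (dcli prefixes each line with the hostname) and flags cells whose accessLevelPerm, accessLevelTemp, syslogConf or cellVersion drift from the intended state. Assumptions: the hostnames and the sample output are constructed; the rendering of an active accessLevelTemp window as "remoteLoginEnabled, startTime: ..." and of syslogConf as a comma-separated quoted list is assumed; the syslog target names and the expected cellVersion are the ones shown on the slides.

```python
"""Offline check of cell lockdown and syslog forwarding across all cells.

Added example, not part of the deck. Parses dcli-prefixed output of
`cellcli -e list cell detail` captured to a file and reports drift.
Assumptions: constructed hostnames and sample output; the display format
of an active accessLevelTemp window and of syslogConf is assumed.
"""
import re
from collections import defaultdict

EXPECTED_VERSION = "OSS_12.1.2.2.0_LINUX.X64_150917"
REQUIRED_SYSLOG = {"authpriv.* @syslgsrv", "security.* @seclogserver"}

# Constructed sample: three cells, only cel01 fully compliant.
SAMPLE = """\
cel01:          name:              cel01
cel01:          accessLevelPerm:   remoteLoginDisabled
cel01:          accessLevelTemp:   remoteLoginDisabled
cel01:          cellVersion:       OSS_12.1.2.2.0_LINUX.X64_150917
cel01:          syslogConf:        "authpriv.* @syslgsrv", "security.* @seclogserver"
cel02:          name:              cel02
cel02:          accessLevelPerm:   remoteLoginEnabled
cel02:          accessLevelTemp:   remoteLoginDisabled
cel02:          cellVersion:       OSS_12.1.2.2.0_LINUX.X64_150917
cel02:          syslogConf:        "authpriv.* @syslgsrv"
cel03:          name:              cel03
cel03:          accessLevelPerm:   remoteLoginDisabled
cel03:          accessLevelTemp:   remoteLoginEnabled, startTime: 2015-10-26T09:00:00-05:00, duration: 30m, reason: Quarterly maintenance
cel03:          cellVersion:       OSS_12.1.2.1.0_LINUX.X64_150422
cel03:          syslogConf:        "authpriv.* @syslgsrv", "security.* @seclogserver"
"""

# "<host>: <attribute>: <value>"; the value may itself contain colons.
LINE_RE = re.compile(r"^(?P<host>[^:\s]+):\s*(?P<attr>\w+):\s*(?P<val>.*?)\s*$")


def parse_dcli(text):
    """Map host -> {attribute (lower-cased): value} from dcli-prefixed output."""
    cells = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            cells[m["host"]][m["attr"].lower()] = m["val"]
    return dict(cells)


def syslog_targets(value):
    """Turn '"a", "b"' into {'a', 'b'}; selectors never contain commas."""
    return {s.strip().strip('"') for s in value.split(",") if s.strip()}


def check_cell(attrs):
    """Return the list of findings for one cell (empty list = compliant)."""
    findings = []
    perm = attrs.get("accesslevelperm", "")
    temp = attrs.get("accessleveltemp", "")
    if perm != "remoteLoginDisabled":
        findings.append("lockdown off: accessLevelPerm=%s" % (perm or "<unset>"))
    if "remoteLoginEnabled" in temp:
        # A maintenance window is open; expected only while patching.
        findings.append("temporary access window open: %s" % temp)
    missing = REQUIRED_SYSLOG - syslog_targets(attrs.get("syslogconf", ""))
    if missing:
        findings.append("syslog not forwarded: missing %s" % sorted(missing))
    ver = attrs.get("cellversion", "")
    if ver != EXPECTED_VERSION:
        findings.append("cellVersion %s != expected %s" % (ver or "<unset>", EXPECTED_VERSION))
    return findings


def audit(text):
    """host -> findings, for every cell present in the captured output."""
    return {host: check_cell(attrs) for host, attrs in parse_dcli(text).items()}


if __name__ == "__main__":
    for host, findings in sorted(audit(SAMPLE).items()):
        print(host, "OK" if not findings else "; ".join(findings))
```

Run it against real output by replacing SAMPLE with the captured file; the same parser works for `dbmcli -e list dbserver detail` output from the database nodes if the attribute names checked are adjusted accordingly. The open accessLevelTemp window on cel03 is worth treating as a finding in its own right: it is legitimate during a patch window and a problem at any other time.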
Exadata Security (ASM, Griddisks)
Consolidation: sharing without peeking
• Privileges at the griddisk level
• Restrict griddisks to certain clusters and/or certain database(s)
• Especially effective for managing multiple administrators
• See whitepapers
  – Oracle Exadata Database Machine Consolidation: Segregating Databases and Roles - http://is.gd/exaconsolidation
  – Best Practices for Database Consolidation On Exadata Database Machine - http://is.gd/orclconswp
Database Creation and Configuration
Implement database-specific features and best practices
• Stay current with Exadata bundle patches (888828.1) – bundle patches include the latest CPU fixes
• Consider TDE, network encryption, Database Vault, Audit Vault
• Review the whitepaper "Cost Effective Security and Compliance with Oracle Database 11g Release 2" - http://is.gd/seccompliance11gr2
• Take the Enterprise Data Security Assessment at http://is.gd/entsecassessment
Oracle Database Security Defense in Depth
PREVENTIVE
• Encryption & Redaction
• Masking & Subsetting
• DBA Controls & Cyber Security
DETECTIVE
• Activity Monitoring
• Database Firewall
• Auditing and Reporting
ADMINISTRATIVE
• Privilege & Data Discovery
• Configuration Management
• Key & Wallet Management
Operational Security Considerations
Remain security-minded when patching, upgrading, backing up
• Customizations are permitted on DB nodes, not on cells
• Backups can be encrypted
• Patching or upgrading may "undo" some changes; verify afterwards
• DB node updates use yum commands with excludes (see the documentation for the exclude list)
• Periodic reviews to ensure settings remain and vulnerabilities don't
• Secure erase for storage cells is available
• Disk drive retention is available
• Oracle Enterprise Manager Governance, Risk & Compliance Manager continuously reviews the system
Operational Security Considerations
Patching considerations
Component – Access required
• Database – Patch set: database server root, software home owner, passwordless SSH to all software home owners (on other nodes)
• Database – Patch set: database server root, software home owner
• Grid Infrastructure: same as Database
• Exadata Database Server (OS): database server root
• Exadata Storage Server: database server root, passwordless SSH from database server root to storage server root (temporarily disable lockdown)
• InfiniBand Switch: database server root, InfiniBand switch root
Late Breaking Security Updates
MOS Note or URL – Description
• Coming soon – Updating JDK on Exadata Database Machine database nodes
• 2060027.1 – October 2015 ILOM security updates; fixes included in Exadata 12.1.2.2.0 images
Summary
1. Preparation for installation
2. Installation, deployment
3. Post-deployment configuration
4. Database creation and configuration
5. Operational security considerations
References
Note or URL – Description
• http://is.gd/orasec – Oracle Security Alerts subscription
• 1068804.1 – Guidelines for enhancing the security for an Oracle Database Machine deployment
• 1291766.1 – How to change OS user password for Cell Node, Database Node, ILOM, KVM, Infiniband Switch, GigaBit Ethernet Switch and PDU on Exadata
• 888828.1 – Database Machine and Exadata Storage Server 11g Release 2 (11.2) Supported Versions
• 1405320.1 – Responses to common Exadata security scan findings
• http://is.gd/exaconsolidation – Oracle Exadata Database Machine Consolidation: Segregating Databases and Roles
• http://is.gd/entsecassessment – Enterprise Data Security Assessment
References
MOS Note or URL – Description
• 1938719.1 – Exadata information on the Bash Shellshock vulnerability
• 1935817.1 – Exadata information on the SSLv3 POODLE vulnerability
• http://is.gd/orclpoodle – Generic info about POODLE for all Oracle products
• http://is.gd/orclshellshock – Generic info about Bash Shellshock for all Oracle products
• 2069987.1 – HOWTO: Update JDK on Exadata Database Nodes
Safe Harbor Statement
The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.