Copyright © 2016, Oracle and/or its affiliates. All rights reserved.
Exadata Database Machine Security
Dan Norris, MAA Team, Oracle Development, April 14, 2016
MAA with Oracle Engineered Systems (e.g. Exadata) Further Reduce Cost & Complexity for any Service Level

[Diagram banner: Fastest RAC Node Failure Recovery | Deep ASM Mirroring Integration | Fastest Backup - RMAN Offload to Storage | Fastest Data Guard Redo Apply | Complete Failure Testing]
[Diagram panels, each showing a Database In-Memory instance:
Within Exadata: Hardware Redundancy (compute servers, DB servers, disks, flash, network, power); Software Fault Tolerance (RAC, ASM, Flashback).
Within a Site (LAN): Redundant Systems, Redundant Databases; local standby for High-Availability; failover; Active Data Guard; online patching, reconfiguration, expansion.
Across Sites (WAN): Redundant Systems, Redundant Databases; remote standby for Disaster Recovery.]
Program Agenda
1. Preparation for installation
2. Installation, deployment
3. Post-deployment configuration
4. Database creation and configuration
5. Operational security considerations
Security Terminology
Getting us on the same page
• Attack surface – the code within a computer system that can be run by unauthorized users
• Port – network term referring to a virtual endpoint
• Service – operating system term referring to a background process or daemon
• CPU – Critical Patch Update, quarterly released security patches for Oracle products
Preparation for Installation
Security starts early
• Get educated
• Collect security-related requirements from all stakeholders
• Determine whether role-separated installation is required
• Plan network layout
• Subscribe to security alerts - http://is.gd/orasec
• Review MOS note 1068804.1: Guidelines for enhancing the security for an Oracle Database Machine deployment
• Review MOS 1405320.1: Responses to common Exadata security findings
Plan Network Layout
Perimeter security for networks
• Client Access is the entry point for most accesses from applications
• Management (Admin) should be restricted
• InfiniBand is private to the machine; physical security protects it
Installation and Deployment
Implement the available features and security plan
• Exadata includes many security features by default
• Implement the recommended security step during deployment – AKA "Resecure Machine" step
• Start secure, only open what is necessary – "Doing security" later almost never happens (or works)
• Configure ASM audits to use syslog (audit_syslog_level)
• Configure ASM & DB init.ora: audit_sys_operations=true
Default Security Features
Implement the available features and security plan
• short package install list
• only necessary services enabled
• https management interface
• sshd secure default settings
• password aging
• maximum failed login attempts
• auditd monitoring enabled
• cellwall: iptables firewall
• CPUs included in patch bundles, releases synchronized
• system hardening
• boot loader password protection
Resecure Machine Step
Implement the available features and security plan
• In this step, several security changes are made:
– password complexity requirements are added (passwdqc: dis,dis,16,12,8)
– passwords are expired (forcing reset on next login)
– password aging implemented
– permissions tightened
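The passwdqc values above are the min=N0,N1,N2,N3,N4 option of pam_passwdqc: single-class and two-class passwords disabled, passphrases of at least 16 characters, three-class passwords of at least 12, four-class passwords of at least 8. The following added example (not Oracle's code or part of the Resecure Machine script) models that policy so an administrator can see which candidate passwords it accepts; the dictionary and similarity checks of passwdqc are not modelled, and the passphrase word split is a simplification.

```python
"""Model of pam_passwdqc's 'min=N0,N1,N2,N3,N4' length policy as set by the
Resecure Machine step (min=disabled,disabled,16,12,8). Added example, not
Oracle code: only the character-class and length rules are reproduced; the
dictionary, similarity and distinct-character checks are left out."""
from typing import Optional, Tuple

MIN_WORDS = 3  # passwdqc 'passphrase=' default (word split is simplified)

def parse_min(spec: str) -> Tuple[Optional[int], ...]:
    """'dis,dis,16,12,8' -> (None, None, 16, 12, 8); None means disabled."""
    vals = tuple(None if v.strip().lower().startswith("dis") else int(v)
                 for v in spec.split(","))
    if len(vals) != 5:
        raise ValueError("min= takes five values: N0,N1,N2,N3,N4")
    return vals

EXADATA_MIN = parse_min("dis,dis,16,12,8")

def char_classes(pw: str) -> int:
    """Count classes (digit/lower/upper/other) the passwdqc way: an upper-case
    first character and a digit last character are not counted."""
    body = pw[1:] if pw[:1].isupper() else pw
    body = body[:-1] if body[-1:].isdigit() else body
    kinds = set()
    for c in body:
        kinds.add("digit" if c.isdigit() else "lower" if c.islower()
                  else "upper" if c.isupper() else "other")
    return len(kinds)

def check_password(pw: str, policy=EXADATA_MIN) -> Tuple[bool, str]:
    """Accept if any applicable rule is met, most demanding class first."""
    n0, n1, n2, n3, n4 = policy
    classes, words = char_classes(pw), len(pw.split())
    rules = [  # (rule applies?, minimum length or None=disabled, label)
        (classes >= 4, n4, "4-class password"),
        (classes >= 3, n3, "3-class password"),
        (words >= MIN_WORDS, n2, "passphrase"),
        (classes >= 2, n1, "2-class password"),
        (True, n0, "1-class password"),
    ]
    for applies, limit, label in rules:
        if applies and limit is not None and len(pw) >= limit:
            return True, f"{label} of {len(pw)} chars accepted"
    return False, f"rejected: {classes} class(es), {words} word(s), {len(pw)} chars"

if __name__ == "__main__":
    for pw in ("Password1", "Tr0ub4dor&3x", "aB3$", "correct horse battery staple"):
        print(f"{pw!r}: {check_password(pw)[1]}")
```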
Resecure Machine Step
$ ./install.sh -cf maa-phys.xml -l
1. Validate Configuration File
2. Setup Required Files
<snip many steps>
17. Install Exachk
18. Create Installation Summary
19. Resecure Machine
Resecure Machine Step
$ ./install.sh -cf maa-vm.xml -l
1. Validate Configuration File
2. Create Virtual Machine
3. Create Users
<snip many steps>
17. Create Installation Summary
18. Resecure Machine
Post-Deployment Configuration
Address site-specific requirements
• Change all passwords for all default accounts (MOS 1291766.1)
• Perform validation for local policies or rules – See MOS 1405320.1 for commonly identified audit findings
• Exadata Security – especially for consolidation environments
Post-Deployment Configuration
Cell Lockdown
• *New* in 12.1.2.2.0
• Cells can have remote access disabled – no direct SSH access to OS
• Must enable temporarily for maintenance (upgrades)
• New cell attributes: remoteAccessPerm, remoteAccessTemp
• Can temporarily enable access, automatic lockup at a specified time
• Can still access console via ILOM
• Use exacli/exadcli from DB nodes for cell commands
Post-Deployment Configuration
Cell Lockdown Setup
cellcli> create role administrator
cellcli> grant privilege all actions on all objects all attributes with all options to role administrator
cellcli> create user celladministrator password='*'
cellcli> grant role administrator to user celladministrator
Post-Deployment Configuration
Cell Lockdown
# cellcli -e list cell detail | egrep -i 'cellversion|accesslevel'
accessLevelPerm: remoteLoginDisabled
cellVersion: OSS_12.1.2.2.0_LINUX.X64_150917
exacli> alter cell accessLevelTemp=((accessLevel="remoteLoginEnabled", -
startTime="now", -
duration="30m", -
reason="Quarterly maintenance"))
Post-Deployment Configuration
Centralized syslog
• Cells have syslogconf cell attributes (for quite a while)
• DB nodes have /etc/rsyslog.conf – On 12.1.2.1.0 & later, also have syslogconf dbserver attribute
Post-Deployment Configuration
Centralized syslog setup
On the receiving side, for rsyslogd, modify /etc/rsyslog.conf:
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
Then HUP rsyslogd: kill -HUP $(cat /var/run/syslogd.pid)
Post-Deployment Configuration
Centralized syslog
cellcli> alter cell syslogconf=('authpriv.* @syslgsrv', 'security.* @seclogserver');
cellcli> alter cell validate syslogconf 'authpriv.error';
dbmcli> alter dbserver syslogconf=('authpriv.* @syslgsrv', 'security.* @seclogserver');
dbmcli> alter dbserver validate syslogconf 'authpriv.error';
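Both the cell lockdown setting and the syslogconf attribute are visible in "list cell detail" output, so they can be verified together after patching (the slides note that patching may undo changes). The following added example is not Oracle tooling: it parses constructed "attribute: value" output for two cells (the layout is assumed from the egrep output on the lockdown slide) and reports any cell whose accessLevelPerm is not remoteLoginDisabled or whose syslogConf lacks one of the two collectors configured above.

```python
"""Baseline check over 'list cell detail' output for cell lockdown
(accessLevelPerm) and centralized syslog (syslogConf). Added example, not
Oracle tooling; sample output is constructed and its layout assumed."""
import re
from typing import Dict, List

EXPECTED_ACCESS = "remoteLoginDisabled"
EXPECTED_SYSLOG = {"authpriv.* @syslgsrv", "security.* @seclogserver"}

# Constructed output for two cells; cel02 deliberately drifts from baseline.
SAMPLE_OUTPUT = {
    "cel01": """
         name:              cel01
         accessLevelPerm:   remoteLoginDisabled
         syslogConf:        authpriv.* @syslgsrv, security.* @seclogserver
    """,
    "cel02": """
         name:              cel02
         accessLevelPerm:   remoteLoginEnabled
         syslogConf:        authpriv.* @syslgsrv
    """,
}

def parse_cell_detail(text: str) -> Dict[str, str]:
    """Turn 'attribute: value' lines into a dict; other lines are ignored."""
    attrs = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+):\s*(.*?)\s*$", line)
        if m:
            attrs[m.group(1)] = m.group(2)
    return attrs

def audit_cell(attrs: Dict[str, str]) -> List[str]:
    """Return findings for one cell; an empty list means it matches baseline."""
    name, findings = attrs.get("name", "?"), []
    access = attrs.get("accessLevelPerm")
    if access != EXPECTED_ACCESS:
        findings.append(f"{name}: accessLevelPerm={access}, lockdown not enforced")
    configured = {s.strip() for s in attrs.get("syslogConf", "").split(",") if s.strip()}
    missing = EXPECTED_SYSLOG - configured
    if missing:
        findings.append(f"{name}: syslogConf missing {sorted(missing)}")
    return findings

def audit_all(outputs: Dict[str, str]) -> Dict[str, List[str]]:
    """Audit every cell's output; result is keyed by cell name."""
    return {cell: audit_cell(parse_cell_detail(out)) for cell, out in outputs.items()}

if __name__ == "__main__":
    for cell, findings in audit_all(SAMPLE_OUTPUT).items():
        print(cell, "OK" if not findings else "; ".join(findings))
```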
Exadata Security (ASM, Grid disks)
Consolidation: sharing without peeking
• Privileges on grid disk level
• Restrict grid disks to certain clusters and/or certain database(s)
• Especially effective to manage multiple administrators
• See whitepapers
– Oracle Exadata Database Machine Consolidation: Segregating Databases and Roles - http://is.gd/exaconsolidation
– Best Practices for Database Consolidation On Exadata Database Machine - http://is.gd/orclconswp
Database Creation and Configuration
Implement database-specific features and best practices
• Stay current with Exadata bundle patches (888828.1) – Bundle patches include latest CPU patches
• Consider TDE, network encryption, Data Vault, Audit Vault
• Review whitepaper: "Cost Effective Security and Compliance with Oracle Database 11g Release 2" - http://is.gd/seccompliance11gr2
• Take the Enterprise Data Security Assessment at http://is.gd/entsecassessment
Oracle Database Security Defense in Depth
[Diagram with three groups of controls:]
PREVENTIVE: Encryption & Redaction; Masking & Subsetting; DBA Controls & Cyber Security
DETECTIVE: Activity Monitoring; Database Firewall; Auditing and Reporting
ADMINISTRATIVE: Privilege & Data Discovery; Configuration Management; Key & Wallet Management
Operational Security Considerations
Remain security-minded when patching, upgrading, backing up
• Changes permitted on DB nodes, not cells
• Backups can be encrypted
• Patching or upgrading may "undo" some changes; verify after
• DB node updates use yum commands with excludes (see doc for excludes)
Operational Security Considerations
Remain security-minded when patching, upgrading, backing up
• Periodic reviews to ensure settings remain and vulnerabilities don't
• Secure erase for storage cells is available
• Disk drive retention is available
• Oracle Enterprise Manager Governance, Risk & Compliance Manager continuously reviews the system
Operational Security Considerations
Update JDK on DB nodes - a relatively common request (MOS 2069987.1)
(root)# dbmcli -e alter dbserver shutdown services ms
Stopping MS services...
The SHUTDOWN of MS services was successful.
(root)# rpm -qa | grep jdk
jdk1.8.0_66-1.8.0_66-fcs.x86_64
(root)# rpm -Uvh /tmp/jdk-8u77-linux-x64.rpm
Preparing... ########################################### [100%]
1:jdk1.8.0_77 ########################################### [100%]
<output removed>
(root)# rpm -qa | grep jdk
jdk1.8.0_66-1.8.0_66-fcs.x86_64
jdk1.8.0_77-1.8.0_77-fcs.x86_64
(root)#
Operational Security Considerations
Update JDK on DB nodes - a relatively common request (MOS 2069987.1) (continued)
(root)# rpm -qa | grep jdk
jdk1.8.0_66-1.8.0_66-fcs.x86_64
jdk1.8.0_77-1.8.0_77-fcs.x86_64
(root)# rpm -e --nodeps jdk1.8.0_66-1.8.0_66-fcs.x86_64
(root)# rpm -qa | grep jdk
jdk1.8.0_77-1.8.0_77-fcs.x86_64
(root)#
(root)# cd /opt/oracle/dbserver/dbms/deploy/scripts/unix/
(root)# sh setup_dynamicDeploy DB
<lots of output>
(root)# dbmcli -e alter dbserver startup services ms
Starting MS services...
The STARTUP of MS services was successful.
(root)#
Operational Security Considerations
Patching considerations
Component: Access Required
• Database – Patchset: Database server root, software home owner, passwordless SSH to all software home owners (on other nodes)
• Database – Bundle Patch: Database server root, software home owner
• Grid Infrastructure: Same as Database
• Exadata Database Server (OS): Database server root, passwordless SSH to database server root
• Exadata Storage Server: Database server root, passwordless SSH from database server root to storage server root (temporarily disable lockdown)
• InfiniBand Switch: Database server root, InfiniBand switch passwordless SSH to switch root
Late Breaking Security Updates
MOS Note or URL: Description
• 2116547.1: Disable SSLv2 on Oracle Exadata Database Machine
• 2108582.1: glibc vulnerability (CVE-2015-7547) patch availability for Oracle Exadata Database Machine
• http://badlock.org/: Badlock bug CVE-2016-2118 - Exadata images not affected (images don't include samba packages by default)
Summary
1. Preparation for installation
2. Installation, deployment
3. Post-deployment configuration
4. Database creation and configuration
5. Operational security considerations
References
Note or URL: Description
• http://is.gd/orasec: Oracle Security Alerts subscription
• 1068804.1: Guidelines for enhancing the security for an Oracle Database Machine deployment
• 1291766.1: How to change OS user password for Cell Node, Database Node, ILOM, KVM, Infiniband Switch, GigaBit Ethernet Switch and PDU on Exadata
• 888828.1: Exadata Database Machine and Exadata Storage Server Supported Versions
• 1405320.1: Responses to common Exadata security scan findings
• http://is.gd/exaconsolidation: Oracle Exadata Database Machine Consolidation: Segregating Databases and Roles
• http://is.gd/entsecassessment: Enterprise Data Security Assessment
References (continued)
MOS Note or URL: Description
• 2069987.1: HOWTO: Update JDK on Exadata Database Nodes
• 2075464.1: HOWTO: Update JDK on Exadata Storage Cell Nodes
Safe Harbor Statement
The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.