{"id":3387,"date":"2018-06-11T17:08:31","date_gmt":"2018-06-11T20:08:31","guid":{"rendered":"https:\/\/www.dbarj.com.br\/?p=3387"},"modified":"2018-11-09T17:33:49","modified_gmt":"2018-11-09T19:33:49","slug":"protecting-oracle-database-binaries-against-malicious-changes","status":"publish","type":"post","link":"https:\/\/www.dbarj.com.br\/en\/2018\/06\/protecting-oracle-database-binaries-against-malicious-changes\/","title":{"rendered":"Protecting Oracle Database Binaries against malicious changes"},"content":{"rendered":"

Introduction<\/h3>\n

In the live sessions where I talk about Oracle Database<\/span><\/strong> security and vulnerabilities, I do always mention rootkits or malwares that can attack a database from either inside (via SQL injection, PL\/SQL poisoning, Java leaks, etc) or externally (by changing oracle user files, such as binaries \/ libs \/ crontab \/ etc).<\/p>\n

To explore these two forms of attacks, a hacker often uses what I call the ladder of joy<\/strong><\/span><\/em>:<\/p>\n

\"\"<\/p>\n

Usually an attacker starts the privilege escalation attack from a low-level user, maybe with only the CREATE SESSION<\/strong> permission, and attempts many “ladder-climbing” techniques such as SQL Injection, Java Vulnerabilities, Buffer Overflow, etc. Once as SYSDBA<\/strong> or DBA<\/strong>, it is trivial to reach the oracle<\/em> account in OS, responsible for the DB binaries.<\/p>\n

The purpose of this article is to present how to protect the Oracle Home user files against improper changes and thus prevent the deployment of rootkits or malwares.<\/strong><\/span><\/p>\n

P.S: Note that some steps of this article are not <\/b>documented<\/b><\/span>\u00a0nor supported by oracle. Needless to say to try this at your own risk.<\/b><\/span><\/p>\n

Getting Started<\/h3>\n

In Oracle 18c was introduced a new feature called Read-Only Oracle Home (or ROOH<\/strong>) and over this new feature that we will implement this security functionality. For pre-18c databases, there is also a section in this tutorial.<\/p>\n

Among the objectives of the ROOH, we have:<\/p>\n

\u2022 Remove mutable files from Oracle Home.
\n\u2022 Consolidate these files into a separate folder.
\n\u2022 Facilitate the migration \/ environments cloning.
\n\u2022 Facilitate use of Docker \/ Oracle Homes sharing via NFS \/ etc.<\/p>\n

However, ROOH only ensures that no process will create or change files in ORACLE_HOME, but it doesn’t make it impossible for the oracle<\/em> user to do any kind of change in his own files. Once as owner, he is obviously able to change them. Therefore, these files are not yet protected against malicious changes.<\/p>\n

What we will do, once activated ROOH<\/span> and ensured that the oracle<\/em> user does not need to modify any file within Oracle Home root anymore (except in cases of patching), is to protect the binaries with the following steps:<\/p>\n

    \n
  1. Save the current owners and privileges of all ORACLE_HOME files.<\/li>\n
  2. Change the current owner of all ORACLE_HOME files to root<\/em>.<\/li>\n<\/ol>\n

    The purpose of Step 1 is to have a way to return to the original owner and privileges in case you need to apply a patch or do any other type of ORACLE_HOME change.<\/p>\n

    The goal of Step 2 is to effectively protect ORACLE_HOME from unwanted changes, since the oracle<\/strong><\/em> user will no longer own the files (similar to what happens today with GRID_HOME, whose owner is root<\/em> and not the grid<\/em>).<\/p>\n

    Before you begin<\/h4>\n

    Make sure that:<\/p>\n