Oracle - SCOTT/TIGER - 2

Oracle - SCOTT/TIGER - 2

Oracle Database - - - Standard Edition 3

DoS =$ 4

5

SSO Browser Clients IC OID LDAP/SSL USB PKI SSL Web Server SQL Clients

7

Agenda Oracle Database Oracle Database 8

OS 9

OUI 10

11

Oracle Spatial Oracle Ultra Search Oracle Label Security Oracle Data Mining Oracle OLAP Example Schemas Oracle JVM Oracle intermedia Oracle Text Oracle XML DB 8080 2100 12

USERNAME ACCOUNT_STATUS ------------------------------------------------------------------------------------------------------------------------- ADAMS ANONYMOUS AURORA$JIS$UTILITY$ OPEN AURORA$ORB$UNAUTHENTICATED OPEN BLAKE CLARK CTXSYS DBSNMP OPEN HR JONES LBACSYS MDSYS ODM ODM_MTR OE OLAPDBA OLAPSVR OLAPSYS ORDPLUGINS ORDSYS OSE$HTTP$ADMIN OPEN OUTLN OPEN OWNER PM QS QS_ADM QS_CB QS_CBADM QS_CS QS_ES QS_OS QS_WS SCOTT OPEN SH SYS OPEN SYSTEM OPEN WKPROXY WKSYS WMSYS XDB Database Configuration Assistant 13

SCOTT CTXSYS MDSYS ORDSYS ORDPLUGINS WMSYS XDB WKSYS, WKPROXY PM, OE, QS_CS, QS_CB, QS_CBADM, QS_OS, QS_ES,QS_WS, QS, QS_ADM, SH, HR Oracle Text Oracle Spatial intermedia intermedia audio,video Workspace Manager Oracle XML DB Oracle Ultra Serch 14

DBSNMP OUTLN AURORA$JIS$UTILITY$ ( ) AURORA$ORB$UNAUTHENTICATED ( ) OSE$HTTP$ADMIN ( ) JSERV SYS SYSTEM DBCA 15

CREATE PROFILE UTLPWDMG.SQL VERIFY_FUNCTION 16

AAA init<sid>.ora REMOTE_OS_AUTHENT = FALSE AAA Externally ( ) 17

init<sid>.ora O7_DICTIONARY_ACCESSIBILITY = FALSE O7_DISCTIOARY_ACCESSIBILITY Oracle8 TRUE Oracle9i FALSE 18

SYSDBA SYSOPER ANY AAA SYSDBA AAA, BBB, CCC 19

DBA Role AAA Role, DDD DBA Role BBB Role DBA Role AAA Role, BBB Role 20

PUBLIC PUBLIC EXECUTE UTL_SMTP UTL_TCP UTL_HTTP UTL_FILE DBMS_RANDOM HTML Web 21

SQL*PLUS SQL*PLUS % % ls $ORACLE_HOME/bin/sqlplus sqlplus % PATH 22

OS OS OS ORACLE_HOME 23

http://otn.oracle.co.jp/security/index.html 24

Agenda Oracle Database Oracle Database 25

Firewall Oracle Listener IP 26

LSNRCTL> LSNRCTL> status local Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=xxxx)(PORT=1521))) STATUS of the LISTENER -------------------- Alias ener Version TNSLSNR for 32-bit Windows: Version 8.1.6.0.0 - Production Start Date 09-AUG-2000 14:57:05 Uptime 0 days 2hr. 6 min. 22 sec Trace Level off Security ON SNMP OFF Listener Parameter File L: Sarah network admin listener.ora Listener Log File L: Sarah network log ener.log Services Summary... PLSExtProc has 1 service handler(s) sarah1 has 1 service handler(s) The command completed successfully LSNRCTL> TIMEZONE Oracle ORACLE_HOME 27

Firewall Firewall Firewall Firewall Listener 1521 28

Oracle Listener % lsnrctl LSNRCTL> change_password LSNRCTL> set password LSNRCTL> save_config Listener listener.ora ADMIN_RESTRICTIONS_listener_name=ON 29

IP Oracle Net IP protocol.ora sqlnet.ora tcp.validnode_checking = YES tcp.excluded_nodes = { } tcp.invited_nodes = { } IP 30

Agenda Oracle Database Oracle Database 31

32

33

34

35

36

DBA SQL DBA 37

SYSOPER/SYSDBA $ORACLE_HOME/rdbms/audit/ora_xxxxx.aud Windows $ORACLE_HOME/network/log/listener.log Oracle*Net lsnrctl set log_status off 38

SYSDBA Thu Jun 17 18:38:29 2004 ACTION : 'CONNECT' DATABASE USER: 'SYS' PRIVILEGE : SYSDBA CLIENT USER: miyamoto CLIENT TERMINAL: pts/3 STATUS: 0 ora_xxxx.aud DB OS ORA 39

listener.log listener.log 16-7 -2004 18:38:57 * (CONNECT_DATA=(SERVER=DEDICATED) (SERVICE_NAME=test)(CID=(PROGRAM=D: oracle orcl bin sqlplus.exe)(host=test01)( USER=miyamoto))) * (ADDRESS=(PROTOCOL=tcp)(HOST=123.45. 67.89)(PORT=4942)) * establish * test * 0 Net DB 40

SYS.AUD$ SQL 10 g init<sid>.ora AUDIT_TRAIL = DB AUDIT_TRAIL = DB_EXTENDED AUDIT_TRAIL = OS AUDIT_FILE_DEST = 41

SYS.AUD$ DBA_AUDIT_TRAIL OS OS DBA 42

CLIENT USER os DATABASE USER os os os ACTION os os UTC PRIVILEGE os ID ID os * init.ora AUDIT_TRAIL=DB_EXTENDED os ID SQL SCN * SQL SQL * SQL 43

DDL AUDIT TABLE TABLE CREATE ANY TRIGGER SCOTT EMP SELECT 44

DBA SYS SYSOPER / SYSDBA OS 45

DBA init<sid>.ora AUDIT_SYS_OPERATIONS = TRUE Windows Solaris AUDIT_FILE_DEST ORACLE_HOME/rdbms/audit 46

DBA Thu Jan 24 12:58:00 2002 ACTION: 'CONNECT' DATABASE USER: '/' OSPRIV: SYSDBA CLIENT USER: jeff CLIENT TERMINAL: pts/2 STATUS: 0 Thu Jan 24 12:58:00 2002 ACTION: 'update salary set base=1000 where name='myname'' DATABASE USER: '' OSPRIV: SYSDBA CLIENT USER: jeff CLIENT TERMINAL: pts/2 STATUS: 0 47

Agenda Oracle Database Oracle Database 48

10 49

Oracle9i R2 http://otndnld.oracle.co.jp/idba/security/oracle9ir2/pdf/ 9ir2_checklist_new.pdf Oracle http://otndnld.oracle.co.jp/deploy/security/pdf/orahack_ fixed.pdf 50