Exadata Database Machine Security
Tina Rose, Platform Integration MAA Team, Exadata Development
Thanks to Dan Norris
Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.
MAA with Oracle Engineered Systems (e.g. Exadata) - www.oracle.com/goto/maa
- Within Exadata: hardware redundancy (compute servers, DB servers, disks, flash, network, power); software fault tolerance (RAC, ASM, Flashback); online patching, reconfiguration, expansion
- Within a site (LAN): Active Data Guard local standby for high-availability failover; redundant systems, redundant databases
- Across sites (WAN): Active Data Guard remote standby for disaster recovery; redundant systems, redundant databases
- Fastest RAC node failure recovery; deep ASM mirroring integration; fastest backup (RMAN offload to storage); fastest Data Guard redo apply; complete failure testing
Program Agenda
1. Preparation for installation
2. Installation, deployment
3. Post-deployment configuration
4. Database creation and configuration
5. Operational security considerations
Security Terminology - getting us on the same page
- Attack surface: the code within a computer system that can be run by unauthorized users
- Port: network term referring to a virtual endpoint
- Service: operating system term referring to a background process or daemon
- CPU: Critical Patch Update, quarterly released security patches for Oracle products
Preparation for Installation - security starts early
- Get educated
- Collect security-related requirements from all stakeholders
- Determine whether a role-separated installation is required
- Plan the network layout
- Subscribe to security alerts: http://is.gd/orasec
- Review MOS note 1068804.1: Guidelines for enhancing the security for an Oracle Database Machine deployment
- Review MOS note 1405320.1: Responses to common Exadata security findings
Plan Network Layout - perimeter security for networks
- Client access network: entry point for most accesses from applications
- Management (admin) network: should be restricted
- InfiniBand network: private to the machine; physical security protects it
Installation and Deployment - implement the available features and the security plan
- Exadata includes many security features by default
- Implement the recommended security step during deployment, AKA the Resecure Machine step
- Start secure and only open what is necessary; doing security later almost never happens (or works)
- Configure ASM audits to use syslog: audit_syslog_level=local0.info
- Configure the ASM and DB init.ora: audit_sys_operations=true
- Configure /etc/rsyslog.conf (and set up logrotate if desired)
Default Security Features - implement the available features and the security plan
- Short package install list; only necessary services enabled
- HTTPS management interface
- sshd secure default settings
- Password aging; maximum failed login attempts
- auditd monitoring enabled
- cellwall: iptables firewall
- CPUs included in patch bundles; releases synchronized
- System hardening
- Boot loader password protection
Resecure Machine Step - implement the available features and the security plan
In this step, several security changes are made:
- Password complexity requirements are added (passwdqc: dis,dis,16,12,8)
- Passwords are expired (forcing a reset on next login)
- Password aging is implemented
- Permissions are tightened
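The passwdqc values above are minimum lengths by character class. The shell function below is an added illustration, not part of the deck or of the Exadata tooling: it approximates that length rule (passwdqc's dictionary and similarity checks are left out) so an administrator can see which password shapes the post-resecure policy accepts; the sample passwords are constructed.

```shell
#!/bin/sh
# Added example, not from the slides: approximates the length-by-class rule of the
# passwdqc policy "min=dis,dis,16,12,8" that the Resecure Machine step applies.
# The five values are minimum lengths for a password using 1 class, 2 classes,
# a passphrase (3+ words), 3 classes and 4 classes; "dis" disallows that kind.
# As in passwdqc, one leading uppercase letter and one trailing digit do not earn
# their class. passwdqc's dictionary and similarity checks are omitted here.
MIN_1CLASS=dis; MIN_2CLASS=dis; MIN_PASSPHRASE=16; MIN_3CLASS=12; MIN_4CLASS=8

# count_classes PASSWORD -> prints how many of lower/upper/digit/other it uses
count_classes() {
    core=$1
    case "$core" in [[:upper:]]*) core=${core#?} ;; esac   # leading uppercase: common, ignored
    case "$core" in *[[:digit:]]) core=${core%?} ;; esac   # trailing digit: common, ignored
    n=0
    case "$core" in *[[:lower:]]*) n=$((n + 1)) ;; esac
    case "$core" in *[[:upper:]]*) n=$((n + 1)) ;; esac
    case "$core" in *[[:digit:]]*) n=$((n + 1)) ;; esac
    case "$core" in *[![:alnum:]]*) n=$((n + 1)) ;; esac
    echo "$n"
}

# check_password PASSWORD -> returns 0 if the policy accepts it, 1 if it rejects it
check_password() {
    len=${#1}
    words=$(printf '%s\n' "$1" | wc -w | tr -d ' ')
    case "$(count_classes "$1")" in
        1) min=$MIN_1CLASS ;;
        2) min=$MIN_2CLASS ;;
        3) min=$MIN_3CLASS ;;
        4) min=$MIN_4CLASS ;;
        *) return 1 ;;
    esac
    # A passphrase of three or more words only needs MIN_PASSPHRASE characters
    if [ "$words" -ge 3 ] && [ "$MIN_PASSPHRASE" != dis ] && [ "$len" -ge "$MIN_PASSPHRASE" ]; then
        return 0
    fi
    [ "$min" != dis ] && [ "$len" -ge "$min" ]
}

# Constructed samples: "Welcome1" counts as a single class (leading W and trailing 1
# are ignored) and is rejected; "ExaData12345" has 3 classes and exactly 12 characters
for pw in 'Welcome1' 'ExaData12345' 'correct horse battery staple'; do
    if check_password "$pw"; then echo "accepted: $pw"; else echo "rejected: $pw"; fi
done
```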
Resecure Machine Step (physical deployment)
    $ ./install.sh -cf maa-phys.xml -l
    1. Validate Configuration File
    2. Setup Required Files
    <snip many steps>
    17. Install Exachk
    18. Create Installation Summary
    19. Resecure Machine
Resecure Machine Step (virtualized deployment)
    $ ./install.sh -cf maa-vm.xml -l
    1. Validate Configuration File
    2. Create Virtual Machine
    3. Create Users
    <snip many steps>
    17. Create Installation Summary
    18. Resecure Machine
Post-Deployment Configuration - address site-specific requirements
- Change all passwords for all default accounts (MOS 1291766.1)
- Run: exachk -profile security (Exachk: MOS 1070954.1)
- Perform validation for local policies or rules
- See MOS 1405320.1 for commonly identified audit findings
Post-Deployment Configuration - cell lockdown (new in 12.1.2.2.0)
- Cells can have remote access disabled: no direct SSH access to the OS
- Must be enabled temporarily for maintenance (upgrades)
- New cell attributes: accesslevelperm, accessleveltemp
- Access can be enabled temporarily; it locks up again automatically at a specified time
- The console is still reachable via ILOM
- Use exacli/exadcli from DB nodes for cell commands
Post-Deployment Configuration - cell lockdown setup
    cellcli> create role administrator
    cellcli> grant privilege all actions on all objects all attributes with all options to role administrator
    cellcli> create user celladministrator password='*'
    cellcli> grant role administrator to user celladministrator
Post-Deployment Configuration - cell lockdown
    # cellcli -e list cell detail | egrep -i 'cellversion|accesslevel'
             accesslevelperm:        remotelogindisabled
             cellversion:            OSS_12.1.2.2.0_LINUX.X64_150917

    exacli> list cell detail
    exacli> alter cell accessleveltemp=((accesslevel="remoteloginenabled", -
                                         starttime="now", -
                                         duration="60m", -
                                         reason="quarterly maintenance"))
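A periodic check that lists which cells still accept remote login, added here as an example and not taken from the slides; it reads the output of a command such as exadcli -c cel01,cel02 -l celladministrator list cell attributes name,accesslevelperm, and the assumed line layout (host prefix, cell name, attribute value) and the sample lines are constructed, so confirm the layout against your own cells.

```shell
#!/bin/sh
# Added example, not from the slides. Lists which storage cells still accept remote
# login, using output such as
#   exadcli -c cel01,cel02 -l celladministrator list cell attributes name,accesslevelperm
# fed on stdin. Assumed line layout (check it against your cells):
#   <host>: <cell name> <accesslevelperm>

# audit_cell_lockdown < output -> prints "<cell> LOCKED|OPEN|UNKNOWN" per line;
# exits 0 only when every cell reports remotelogindisabled
audit_cell_lockdown() {
    awk '
        NF >= 2 {
            cell = $2
            perm = tolower($3)
            if (perm == "remotelogindisabled")     status = "LOCKED"
            else if (perm == "remoteloginenabled") status = "OPEN"
            else                                   status = "UNKNOWN"   # missing or unexpected value
            print cell, status
            if (status != "LOCKED") bad++
        }
        END { exit (bad > 0) }
    '
}

# Constructed sample: one locked cell, one still open, one that returned no value
SAMPLE_OUTPUT='cel01: cel01 remotelogindisabled
cel02: cel02 remoteloginenabled
cel03: cel03'

# run_sample -> audits the constructed sample; returns 1 because cel02 is open
run_sample() {
    printf '%s\n' "$SAMPLE_OUTPUT" | audit_cell_lockdown
}
```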
Post-Deployment Configuration - centralized syslog
- Cells have had the syslogconf cell attribute for quite a while
- DB nodes have /etc/rsyslog.conf
- On 12.1.2.1.0 and later, DB nodes also have the syslogconf dbserver attribute
Post-Deployment Configuration - centralized syslog
    cellcli> alter cell syslogconf=('authpriv.* @syslgsrv', 'security.* @seclogserver');
    cellcli> alter cell validate syslogconf 'authpriv.error';
    dbmcli> alter dbserver syslogconf=('authpriv.* @syslgsrv', 'security.* @seclogserver');
    dbmcli> alter dbserver validate syslogconf 'authpriv.error';
Open Security Mode
Open security mode enables access by any database client to a grid disk. It is useful for test or development databases where there are no security requirements. This is the default security mode after creating a new storage cell.
Open Security Mode - cellip.ora on a DB node
    [root@db04 /]# cat /etc/oracle/cell/network-config/cellip.ora
    cell="192.168.10.120"
    cell="192.168.13.77;192.168.13.78"
ASM-Scoped Security Mode
Oracle ASM-scoped security mode enables access by all the database clients of an Oracle ASM cluster to grid disks on cells. It is appropriate when you want all databases on a host cluster to have access to the cell grid disks that compose the Oracle ASM disk groups managed by that Oracle ASM cluster.
ASM-Scoped Security Mode (diagram)
Database-Scoped Security Mode
Database-scoped security mode configures access to specific grid disks on cells for specific database clients of an Oracle ASM cluster. It is appropriate when multiple databases are accessing cells and you want to control which databases can access specific grid disks that compose Oracle ASM disk groups.
Database-Scoped Security Mode (diagram)
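The slides describe the cell side of these modes; on the DB node, ASM-scoped security shows up as a cellkey.ora file next to the cellip.ora shown earlier (per the Exadata documentation, which the deck does not quote). The check below is an added example, not the deck's or Exadata's own code: it reports whether a node is still in open mode and whether an existing cellkey.ora is well-formed and not readable by others; the directory argument, the demo's sample key and the temporary file layout are assumptions for running it offline.

```shell
#!/bin/sh
# Added example, not from the slides or the Exadata tooling. Per the Exadata docs,
# a DB node participates in ASM-scoped security through
# /etc/oracle/cell/network-config/cellkey.ora, which carries
#   key=<hex key created on the cells with "cellcli create key">
#   asm=<ASM cluster name the key was assigned to>
# and must be readable only by the Grid Infrastructure owner and its group.
# With no cellkey.ora the node is in open security mode.

# grid_security_mode [CONFIG_DIR] -> prints the mode; exit 0 = consistent, 1 = problem
grid_security_mode() {
    dir=${1:-/etc/oracle/cell/network-config}
    keyfile=$dir/cellkey.ora
    if [ ! -f "$dir/cellip.ora" ]; then
        echo "no cellip.ora in $dir: node is not configured to reach any cell" >&2
        return 1
    fi
    if [ ! -f "$keyfile" ]; then
        echo "open"        # every client that can reach the cells may use the grid disks
        return 0
    fi
    key=$(sed -n 's/^[[:space:]]*key=//p' "$keyfile" | head -n 1)
    asm=$(sed -n 's/^[[:space:]]*asm=//p' "$keyfile" | head -n 1)
    rc=0
    case "$key" in
        '')              echo "cellkey.ora has no key= line" >&2; rc=1 ;;
        *[![:xdigit:]]*) echo "cellkey.ora key is not hexadecimal" >&2; rc=1 ;;
    esac
    [ -n "$asm" ] || { echo "cellkey.ora has no asm= line" >&2; rc=1; }
    others=$(ls -ld "$keyfile" | cut -c8-10)   # "other" rwx bits of the mode string
    [ "$others" = "---" ] || { echo "cellkey.ora is readable by others ($others)" >&2; rc=1; }
    echo "asm-scoped (asm=$asm)"
    return "$rc"
}

# demo_grid_security_mode -> runs the check against a constructed config directory
# (a made-up sample key, not a real one); prints "open" then "asm-scoped (asm=cluster1)"
demo_grid_security_mode() {
    tmp=$(mktemp -d) || return 1
    printf 'cell="192.168.10.120"\n' > "$tmp/cellip.ora"
    grid_security_mode "$tmp"
    printf 'key=0123456789abcdef0123456789abcdef\nasm=cluster1\n' > "$tmp/cellkey.ora"
    chmod 640 "$tmp/cellkey.ora"
    grid_security_mode "$tmp"
    rm -rf "$tmp"
}
```

Database-scoped security adds a second cellkey.ora under the database's ORACLE_HOME admin directory; the same function can be pointed at that directory once a cellip.ora check is no longer required there.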
Security Technical Implementation Guide (STIG) - especially important to the public sector
- ExadataStigFix script: How to configure and execute the ExadataStigFix script for Exadata STIG environments (Doc ID 2181944.1); a script to implement additional security hardening for STIG customers
- SCAP: Oracle Exadata Database Machine DoD STIG and SCAP Guidelines (Doc ID 1526868.1); specific guidance on running SCAP reports, including false positives and mitigation
Exadata Can Now Be Used for Hosting PCI Workloads
Review the Coalfire whitepaper at the link below for details: http://www.oracle.com/technetwork/database/exadata/exadata-pci-dss-3101847.pdf
Exadata Segmentation (diagram)
Database Creation and Configuration - implement database-specific features and best practices
- Stay current with Exadata bundle patches (MOS 888828.1); bundle patches include the latest CPU patches
- Consider TDE, network encryption, Database Vault, Audit Vault
- Review the whitepaper Oracle Database 12c Security and Compliance: http://is.gd/seccompliance12cr1
- Take the Enterprise Data Security Assessment at http://is.gd/entsecassessment
Oracle Database Security - Defense in Depth
Preventive                     | Detective               | Administrative
Encryption & Redaction         | Activity Monitoring     | Key & Wallet Management
Masking & Subsetting           | Database Firewall       | Privilege & Data Discovery
DBA Controls & Cyber Security  | Auditing and Reporting  | Configuration Management
Operational Security Considerations - remain security-minded when patching, upgrading, backing up
- Changes are permitted on DB nodes, not on cells
- Backups can be encrypted
- Patching or upgrading may undo some changes; verify afterwards
- DB node updates use yum commands with excludes (see the documentation for the excludes)
Operational Security Considerations - remain security-minded when patching, upgrading, backing up
- Periodic reviews to ensure settings remain in place and vulnerabilities don't
- Secure erase for storage cells is available
- Disk drive retention is available
- Oracle Enterprise Manager Governance, Risk & Compliance Manager continuously reviews the system
Operational Security Considerations - update JDK on DB nodes, a relatively common request (MOS 2069987.1)
    (root)# dbmcli -e alter dbserver shutdown services ms
    Stopping MS services...
    The SHUTDOWN of MS services was successful.
    (root)# rpm -qa | grep jdk
    jdk1.8.0_66-1.8.0_66-fcs.x86_64
    (root)# rpm -Uvh /tmp/jdk-8u77-linux-x64.rpm
    Preparing...                ########################################### [100%]
       1:jdk1.8.0_77            ########################################### [100%]
    <output removed>
    (root)# rpm -qa | grep jdk
    jdk1.8.0_66-1.8.0_66-fcs.x86_64
    jdk1.8.0_77-1.8.0_77-fcs.x86_64
    (root)#
Operational Security Considerations - update JDK on DB nodes, a relatively common request (MOS 2069987.1)
    (root)# rpm -e --nodeps jdk1.8.0_66-1.8.0_66-fcs.x86_64
    (root)# rpm -qa | grep jdk
    jdk1.8.0_77-1.8.0_77-fcs.x86_64
    (root)#
    (root)# cd /opt/oracle/dbserver/dbms/deploy/scripts/unix/
    (root)# sh setup_dynamicdeploy DB
    <lots of output>
    (root)# dbmcli -e alter dbserver startup services ms
    Starting MS services...
    The STARTUP of MS services was successful.
    (root)#
Operational Security Considerations - patching considerations
Component                     | Access required
Database patch set            | Database server root, software home owner, passwordless SSH to all software home owners (on other nodes)
Database bundle patch         | Database server root, software home owner
Grid Infrastructure           | Same as Database
Exadata Database Server (OS)  | Database server root, passwordless SSH to database server root
Exadata Storage Server        | Database server root, passwordless SSH from database server root to storage server root (temporarily disable lockdown)
InfiniBand switch             | Database server root, InfiniBand switch passwordless SSH to switch root
Late Breaking Security Updates
MOS note or URL      | Description
2116547.1            | Disable SSLv2 on Oracle Exadata Database Machine
2108582.1            | glibc vulnerability (CVE-2015-7547) patch availability for Oracle Exadata Database Machine
http://badlock.org/  | Badlock bug CVE-2016-2118: Exadata images not affected (images don't include samba packages by default)
2207063.1            | Install ksplice kernel updates for Exadata Database Nodes
References
MOS note or URL                | Description
http://is.gd/orasec            | Oracle Security Alerts subscription
1068804.1                      | Guidelines for enhancing the security for an Oracle Database Machine deployment
1291766.1                      | How to change OS user password for Cell Node, Database Node, ILOM, KVM, Infiniband Switch, GigaBit Ethernet Switch and PDU on Exadata
888828.1                       | Exadata Database Machine and Exadata Storage Server Supported Versions
1405320.1                      | Responses to common Exadata security scan findings
http://is.gd/exaconsolidation  | Oracle Exadata Database Machine Consolidation: Segregating Databases and Roles
http://is.gd/entsecassessment  | Enterprise Data Security Assessment
References (continued)
MOS note or URL  | Description
2069987.1        | HOWTO: Update JDK on Exadata Database Nodes
2075464.1        | HOWTO: Update JDK on Exadata Storage Cell Nodes
1070954.1        | Oracle Exadata Database Machine exachk or HealthCheck
2207063.1        | HOWTO: Install ksplice kernel updates for Exadata Database Nodes
1526868.1        | Oracle Exadata Database Machine DoD STIG and SCAP Guidelines
1274318.1        | Oracle Sun Database Machine Setup/Configuration Best Practices