Exadata Database Machine Security Tina Rose Platform Integration MAA Team, Exadata Development


Exadata Database Machine Security
Tina Rose, Platform Integration, MAA Team, Exadata Development
Thanks to Dan Norris

Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.

MAA with Oracle Engineered Systems (e.g. Exadata)
www.oracle.com/goto/maa

Within Exadata:
- Hardware Redundancy: compute servers, DB servers, disks, flash, network, power
- Software Fault Tolerance: RAC, ASM, Flashback (Database In-Memory)
- Online patching, reconfiguration, expansion

Within a Site (LAN):
- Active Data Guard: local standby for High-Availability Failover
- Redundant Systems, Redundant Databases (Database In-Memory)

Across Sites (WAN):
- Active Data Guard: remote standby for Disaster Recovery
- Redundant Systems, Redundant Databases (Database In-Memory)

Also on the diagram:
- Fastest RAC Node Failure Recovery
- Deep ASM Mirroring Integration
- Fastest Backup: RMAN Offload to Storage
- Fastest Data Guard Redo Apply
- Complete Failure Testing

Program Agenda
1. Preparation for installation
2. Installation, deployment
3. Post-deployment configuration
4. Database creation and configuration
5. Operational security considerations

Security Terminology: getting us on the same page
- Attack surface: the code within a computer system that can be run by unauthorized users
- Port: network term referring to a virtual endpoint
- Service: operating system term referring to a background process or daemon
- CPU: Critical Patch Update, quarterly released security patches for Oracle products

Preparation for Installation: security starts early
- Get educated
- Collect security-related requirements from all stakeholders
- Determine whether role-separated installation is required
- Plan network layout
- Subscribe to security alerts: http://is.gd/orasec
- Review MOS note 1068804.1: Guidelines for enhancing the security for an Oracle Database Machine deployment
- Review MOS note 1405320.1: Responses to common Exadata security findings

Plan Network Layout: perimeter security for networks
- Client Access network is the entry point for most accesses from applications
- Management (Admin) network should be restricted
- InfiniBand network is private to the machine; physical security protects it

Installation and Deployment: implement the available features and the security plan
- Exadata includes many security features by default
- Implement the recommended security step during deployment, AKA the Resecure Machine step
- Start secure, only open what is necessary; doing security later almost never happens (or works)
- Configure ASM audits to use syslog: audit_syslog_level=local0.info
- Configure ASM & DB init.ora: audit_sys_operations=true
- Configure /etc/rsyslog.conf (and set up logrotate if desired)

Default Security Features: implement the available features and the security plan
- Short package install list
- Only necessary services enabled
- HTTPS management interface
- sshd secure default settings
- Password aging
- Maximum failed login attempts
- auditd monitoring enabled
- cellwall: iptables firewall
- CPUs included in patch bundles, releases synchronized
- System hardening
- Boot loader password protection

Resecure Machine Step: implement the available features and the security plan
In this step, several security changes are made:
- Password complexity requirements are added (passwdqc: dis,dis,16,12,8)
- Passwords are expired (forcing reset on next login)
- Password aging implemented
- Permissions tightened

Resecure Machine Step (physical deployment, maa-phys.xml)

    $ ./install.sh -cf maa-phys.xml -l
    1. Validate Configuration File
    2. Setup Required Files
    <snip many steps>
    17. Install Exachk
    18. Create Installation Summary
    19. Resecure Machine

Resecure Machine Step (virtual machine deployment, maa-vm.xml)

    $ ./install.sh -cf maa-vm.xml -l
    1. Validate Configuration File
    2. Create Virtual Machine
    3. Create Users
    <snip many steps>
    17. Create Installation Summary
    18. Resecure Machine

Post-Deployment Configuration: address site-specific requirements
- Change all passwords for all default accounts (MOS 1291766.1)
- Run: exachk -profile security (Exachk: MOS 1070954.1)
- Perform validation for local policies or rules
- See MOS 1405320.1 for commonly identified audit findings

Post-Deployment Configuration: Cell Lockdown (new in 12.1.2.2.0)
- Cells can have remote access disabled: no direct SSH access to the OS
- Must be enabled temporarily for maintenance (upgrades)
- New cell attributes: remoteaccessperm, remoteaccesstemp
- Access can be enabled temporarily, with automatic lock-up at a specified time
- Console can still be accessed via ILOM
- Use exacli/exadcli from DB nodes for cell commands

Post-Deployment Configuration: Cell Lockdown setup

    cellcli> create role administrator
    cellcli> grant privilege all actions on all objects all attributes with all options to role administrator
    cellcli> create user celladministrator password='*'
    cellcli> grant role administrator to user celladministrator

Post-Deployment Configuration: Cell Lockdown

    # cellcli -e list cell detail | egrep -i 'cellversion|accesslevel'
             accesslevelperm:        remotelogindisabled
             cellversion:            OSS_12.1.2.2.0_LINUX.X64_150917

    exacli> list cell detail
    exacli> alter cell accessleveltemp=((accesslevel="remoteloginenabled", -
                                         starttime="now", -
                                         duration="60m", -
                                         reason="quarterly maintenance"))
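The lockdown state described on the two slides above can be verified from the DB nodes rather than trusted. The script below is an added example, not part of the presentation: it classifies a cell from its "list cell detail" output and audits a list of cells so that one left unlocked after a maintenance window is noticed. The accesslevelperm/accessleveltemp attributes and their values are taken from the slides; the cell output and the exacli getter are assumptions.

```shell
#!/bin/sh
# Added example, not part of the presentation: classify a storage cell's
# remote-login state from "list cell detail" output, and audit a list of
# cells so that a cell left unlocked after maintenance is noticed. The
# accesslevelperm / accessleveltemp attributes and their values are the ones
# shown on the slides above; the cell output below is constructed.

# lockdown_state "<list cell detail output>"
# Prints one of: locked | open-temporary | open | unknown
lockdown_state() {
    out=$(printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]')
    perm=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*accesslevelperm:[[:space:]]*//p')
    temp=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*accessleveltemp:[[:space:]]*//p')
    case "$perm" in
        remotelogindisabled)
            case "$temp" in
                *remoteloginenabled*) echo open-temporary ;;   # maintenance window open
                *) echo locked ;;
            esac ;;
        remoteloginenabled) echo open ;;
        *) echo unknown ;;
    esac
}

# audit_cells <getter> cell1 cell2 ...
# <getter> is a shell function printing "list cell detail" output for the
# cell named in $1. Prints "<cell> <state>" per cell; returns 0 only when
# every cell is locked.
audit_cells() {
    getter=$1; shift
    rc=0
    for cell in "$@"; do
        state=$(lockdown_state "$("$getter" "$cell")")
        echo "$cell $state"
        [ "$state" = locked ] || rc=1
    done
    return $rc
}

# Getter for a DB node (exacli invocation is an assumption, not from the slides).
fetch_detail() { exacli -c "$1" -e 'list cell detail'; }

# Constructed outputs: cel01 locked, cel02 with a temporary maintenance window.
DETAIL_LOCKED='         name:            cel01
         accessLevelPerm: remoteLoginDisabled
         cellVersion:     OSS_12.1.2.2.0_LINUX.X64_150917'
DETAIL_TEMP='         name:            cel02
         accessLevelPerm: remoteLoginDisabled
         accessLevelTemp: ((accessLevel="remoteLoginEnabled", startTime="now", duration="60m", reason="quarterly maintenance"))'
sample_detail() { case "$1" in cel01) printf '%s\n' "$DETAIL_LOCKED" ;; *) printf '%s\n' "$DETAIL_TEMP" ;; esac; }
```

In production, replace sample_detail with fetch_detail: audit_cells fetch_detail cel01 cel02 ... exits non-zero when any cell is not locked.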

Post-Deployment Configuration: Centralized syslog
- Cells have had the syslogconf cell attribute for quite a while
- DB nodes have /etc/rsyslog.conf
- On 12.1.2.1.0 & later, DB nodes also have the syslogconf dbserver attribute

Post-Deployment Configuration: Centralized syslog

    cellcli> alter cell syslogconf=('authpriv.* @syslgsrv', 'security.* @seclogserver');
    cellcli> alter cell validate syslogconf 'authpriv.error';
    dbmcli> alter dbserver syslogconf=('authpriv.* @syslgsrv', 'security.* @seclogserver');
    dbmcli> alter dbserver validate syslogconf 'authpriv.error';
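The ASM audit forwarding from the Installation and Deployment slide (audit_syslog_level=local0.info plus an /etc/rsyslog.conf rule) and the syslogconf entries above use the same "facility.priority action" selector syntax, so one check can confirm that a given facility.priority actually leaves the node for a remote collector. This is an added example, not code from the presentation; the configuration fragments and host names are constructed.

```shell
#!/bin/sh
# Added example, not part of the presentation: verify that a syslog
# configuration forwards a given facility.priority to a remote collector.
# The selector syntax is the same in /etc/rsyslog.conf on DB nodes and in
# the syslogconf attribute of cells and dbservers, so one check serves both.
# local0.info is the facility.priority the slides set for ASM audit records;
# the configuration text and host names below are constructed.

# Numeric severity of a syslog priority name (higher number = less severe).
prio_num() {
    case "$1" in
        debug) printf 7 ;; info) printf 6 ;; notice) printf 5 ;;
        warning|warn) printf 4 ;; err|error) printf 3 ;; crit) printf 2 ;;
        alert) printf 1 ;; emerg|panic) printf 0 ;; *) printf -- -1 ;;
    esac
}

# forwards_to_remote "<selector/action lines>" <facility> <priority>
# Prints the first remote target (@host or @@host) whose selector covers
# facility.priority and returns 0; returns 1 when no such rule exists.
# A selector "fac.pri" covers pri and above; "fac.=pri" covers only pri.
forwards_to_remote() {
    want=$(prio_num "$3")
    while read -r selector action _; do
        case "$action" in @*) ;; *) continue ;; esac   # file and pipe actions do not count
        while IFS= read -r part; do                     # selector parts are ';'-separated
            fac=${part%.*}; pri=${part##*.}
            case ",$fac," in *,\*,*|*,"$2",*) ;; *) continue ;; esac
            case "$pri" in
                \*) printf '%s\n' "$action"; return 0 ;;
                =*) if [ "${pri#=}" = "$3" ]; then printf '%s\n' "$action"; return 0; fi ;;
                *)  if [ "$(prio_num "$pri")" -ge "$want" ]; then printf '%s\n' "$action"; return 0; fi ;;
            esac
        done <<PARTS
$(printf '%s\n' "$selector" | tr ';' '\n')
PARTS
    done <<LINES
$(printf '%s\n' "$1" | sed 's/#.*//')
LINES
    return 1
}

# Constructed DB-node rsyslog.conf fragment with the ASM audit rule present.
RSYSLOG_WITH_AUDIT='*.info;mail.none;authpriv.none;cron.none   /var/log/messages
authpriv.*                                 /var/log/secure
local0.info                                @@loghost.example.com:514'
# Same fragment without it: the ASM audit trail stays on the local node only.
RSYSLOG_NO_AUDIT='*.info;mail.none;authpriv.none;cron.none   /var/log/messages
authpriv.*                                 /var/log/secure'
# The cell syslogconf entries from the slide, one per line, same syntax.
CELL_SYSLOGCONF='authpriv.* @syslgsrv
security.* @seclogserver'
```

On a DB node the first argument would be the output of cat /etc/rsyslog.conf; for a cell, the syslogconf value returned by cellcli with the quotes and commas replaced by newlines.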

Open Security Mode
Open security mode enables access by any database client to a grid disk. Open security mode is useful for test or development databases where there are no security requirements. This is the default security mode after creating a new storage cell.

Open Security Mode

    [root@db04 /]# cat /etc/oracle/cell/network-config/cellip.ora
    cell="192.168.10.120"
    cell="192.168.13.77;192.168.13.78"

ASM-Scoped Security Mode
Oracle ASM-scoped security mode enables access by all the database clients of an Oracle ASM cluster to grid disks on cells. Oracle ASM-scoped security is appropriate when you want all databases on a host cluster to have access to cell grid disks that compose the Oracle ASM disk groups managed by the Oracle ASM cluster.

ASM-Scoped Security Mode (diagram)

Database-Scoped Security Mode
Database-scoped security mode configures access to specific grid disks on cells for specific database clients of an Oracle ASM cluster. This security mode is appropriate when multiple databases are accessing cells, and you want to control which databases can access specific grid disks that compose Oracle ASM disk groups.

Database-Scoped Security (diagram)

Security Technical Implementation Guide (STIG): especially important to the public sector
- ExadataSTIGFix script: How to configure and execute the ExadataStigFix script for Exadata STIG environments (Doc ID 2181944.1). Script to implement additional security hardening for STIG customers
- SCAP: Oracle Exadata Database Machine DoD STIG and SCAP Guidelines (Doc ID 1526868.1). Specific guidance on running SCAP reports, including false positives and mitigation

Exadata Can Now Be Used For Hosting PCI Workloads
Review the Coalfire whitepaper at the link below for details:
http://www.oracle.com/technetwork/database/exadata/exadata-pci-dss-3101847.pdf

Exadata Segmentation (diagram)

Database Creation and Configuration: implement database-specific features and best practices
- Stay current with Exadata bundle patches (MOS 888828.1); bundle patches include the latest CPU patches
- Consider TDE, network encryption, Data Vault, Audit Vault
- Review whitepaper: Oracle Database 12c Security and Compliance, http://is.gd/seccompliance12cr1
- Take the Enterprise Data Security Assessment at http://is.gd/entsecassessment

Oracle Database Security: Defense in Depth
- Preventive: Encryption & Redaction; Masking & Subsetting; DBA Controls & Cyber Security
- Detective: Activity Monitoring; Database Firewall; Auditing and Reporting
- Administrative: Key & Wallet Management; Privilege & Data Discovery; Configuration Management

Operational Security Considerations: remain security-minded when patching, upgrading, backing up
- Changes are permitted on DB nodes, not on cells
- Backups can be encrypted
- Patching or upgrading may undo some changes; verify afterwards
- DB node updates use yum commands with excludes (see the documentation for the excludes)

Operational Security Considerations: remain security-minded when patching, upgrading, backing up
- Periodic reviews to ensure settings remain and vulnerabilities don't
- Secure erase for storage cells is available
- Disk drive retention is available
- Oracle Enterprise Manager Governance, Risk & Compliance Manager continuously reviews the system

Operational Security Considerations: update JDK on DB nodes, a relatively common request (MOS 2069987.1)

    (root)# dbmcli -e alter dbserver shutdown services ms
    Stopping MS services...
    The SHUTDOWN of MS services was successful.
    (root)# rpm -qa | grep jdk
    jdk1.8.0_66-1.8.0_66-fcs.x86_64
    (root)# rpm -Uvh /tmp/jdk-8u77-linux-x64.rpm
    Preparing...                ########################################### [100%]
       1:jdk1.8.0_77            ########################################### [100%]
    <output removed>
    (root)# rpm -qa | grep jdk
    jdk1.8.0_66-1.8.0_66-fcs.x86_64
    jdk1.8.0_77-1.8.0_77-fcs.x86_64
    (root)#

Operational Security Considerations: update JDK on DB nodes, a relatively common request (MOS 2069987.1)

    (root)# rpm -e --nodeps jdk1.8.0_66-1.8.0_66-fcs.x86_64
    (root)# rpm -qa | grep jdk
    jdk1.8.0_77-1.8.0_77-fcs.x86_64
    (root)#
    (root)# cd /opt/oracle/dbserver/dbms/deploy/scripts/unix/
    (root)# sh setup_dynamicdeploy DB
    <lots of output>
    (root)# dbmcli -e alter dbserver startup services ms
    Starting MS services...
    The STARTUP of MS services was successful.
    (root)#
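The sequence on the two slides above, as an added example that is not the presentation's own script: the same commands wrapped so that the old JDK is removed only after the new package is confirmed installed, and MS is restarted on every path. dbmcli, rpm and the setup_dynamicdeploy path come from the slides; the package names used for the offline run are constructed.

```shell
#!/bin/sh
# Added example, not the presentation's own script: the JDK update sequence
# from the two slides above, wrapped so that the old JDK is removed only
# after the new package is confirmed installed and MS is restarted on every
# path. dbmcli, rpm and the setup_dynamicdeploy path are taken from the
# slides; the package names used for the offline run are constructed.

# jdk_packages_to_remove "<rpm -qa | grep jdk output>"
# Prints every jdk package except the one with the highest update number
# (jdk1.8.0_66 -> 66, jdk1.8.0_77 -> 77), i.e. the ones to rpm -e.
jdk_packages_to_remove() {
    printf '%s\n' "$1" | grep '^jdk' |
        sed 's/^jdk[0-9.]*_\([0-9]*\)/\1 &/' |   # prefix each line with its update number
        sort -n | sed '$d' | cut -d' ' -f2-      # drop the newest, keep the names
}

# jdk_installed "<rpm -qa | grep jdk output>" /path/jdk-8u77-linux-x64.rpm
# Returns 0 when the package the rpm file installs (jdk1.8.0_77) is listed.
jdk_installed() {
    pkg=$(basename "$2" .rpm | sed 's/^jdk-\([0-9]*\)u\([0-9]*\).*/jdk1.\1.0_\2/')
    printf '%s\n' "$1" | grep -qF -- "$pkg-"
}

# update_jdk /tmp/jdk-8u77-linux-x64.rpm   (run as root on a DB node)
update_jdk() {
    rpm_file=$1
    dbmcli -e alter dbserver shutdown services ms
    rpm -Uvh "$rpm_file"
    installed=$(rpm -qa | grep jdk || true)
    if ! jdk_installed "$installed" "$rpm_file"; then
        echo "new JDK from $rpm_file not installed; keeping existing JDK" >&2
        dbmcli -e alter dbserver startup services ms
        return 1
    fi
    for old in $(jdk_packages_to_remove "$installed"); do
        rpm -e --nodeps "$old"
    done
    (cd /opt/oracle/dbserver/dbms/deploy/scripts/unix/ && sh setup_dynamicdeploy DB)
    dbmcli -e alter dbserver startup services ms
}

# Constructed "rpm -qa | grep jdk" output as it looks right after rpm -Uvh.
SAMPLE_JDK_LIST='jdk1.8.0_66-1.8.0_66-fcs.x86_64
jdk1.8.0_77-1.8.0_77-fcs.x86_64'
```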

Operational Security Considerations: patching considerations

Component: access required
- Database Patch set: database server root, software home owner, passwordless SSH to all software home owners (on other nodes)
- Database Bundle Patch: database server root, software home owner
- Grid Infrastructure: same as Database
- Exadata Database Server (OS): database server root, passwordless SSH to database server root
- Exadata Storage Server: database server root, passwordless SSH from database server root to storage server root (temporarily disable lockdown)
- InfiniBand Switch: database server root, InfiniBand switch passwordless SSH to switch root

Late Breaking Security Updates

MOS note or URL: description
- 2116547.1: Disable SSLv2 on Oracle Exadata Database Machine
- 2108582.1: glibc vulnerability (CVE-2015-7547) patch availability for Oracle Exadata Database Machine
- http://badlock.org/: Badlock bug CVE-2016-2118 - Exadata images not affected (images don't include samba packages by default)
- 2207063.1: Install ksplice kernel updates for Exadata Database Nodes

References

MOS note or URL: description
- http://is.gd/orasec: Oracle Security Alerts subscription
- 1068804.1: Guidelines for enhancing the security for an Oracle Database Machine deployment
- 1291766.1: How to change OS user password for Cell Node, Database Node, ILOM, KVM, Infiniband Switch, GigaBit Ethernet Switch and PDU on Exadata
- 888828.1: Exadata Database Machine and Exadata Storage Server Supported Versions
- 1405320.1: Responses to common Exadata security scan findings
- http://is.gd/exaconsolidation: Oracle Exadata Database Machine Consolidation: Segregating Databases and Roles
- http://is.gd/entsecassessment: Enterprise Data Security Assessment

References

MOS note or URL: description
- 2069987.1: HOWTO: Update JDK on Exadata Database Nodes
- 2075464.1: HOWTO: Update JDK on Exadata Storage Cell Nodes
- 1070954.1: Oracle Exadata Database Machine exachk or HealthCheck
- 2207063.1: HOWTO: Install ksplice kernel updates for Exadata Database Nodes
- 1526868.1: Oracle Exadata Database Machine DoD STIG and SCAP Guidelines
- 1274318.1: Oracle Sun Database Machine Setup/Configuration Best Practices
