Database Security & Audit

John Tannahill, CA, CISM [email protected]

Relational Database Environments

Most business applications are using relational database management systems. These include:

Oracle DB2 UDB MS SQL Server Sybase MySQL PostgreSQL

Audit and control issues for each type of database are similar but need to understand specific architecture and technology

Relational Databases

Relational database:

Data stored in tables Tables have columns and rows Tables can be related if they each have column with a common type of information

Business Logic may also be held in database

Stored Procedures

Database Security

A database environment is essentially a data repository or data store

Operational Data (e.g.Financial Data; Personnel Data) Data Warehouse Data Security Data Confidentiality Integrity Availability

Need to understand security requirements for data in terms of

Need to understand compliance and regulatory requirements based on business environment

Database Security

Database security mechanisms include:

Identification and authentication mechanisms Access controls Audit trail mechanisms

Network security and host operating system security are required in addition to database security Database systems are TCP/IP services and can be compromised even when the operating system is hardened

Database compromise can also result in operating system compromise

Database Schemas & Objects

Database Instance

Multiple Instances on same host (Oracle & SQL Server) Multiple databases within Instance (SQL Server) Multiple databases within Instance (DB2/UDB) Object Ownership within database (database object owner) Tables and Views Stored Procedures, Triggers, Packages

Database Schemas

Objects defined in a database include:

Oracle Database Instance

SQL Server Database Instance

DB2/UDB Instance

SQL Components

Data Definition Language (DDL)

Define & maintain objects CREATE; ALTER; DROP Maintain & query data SELECT; INSERT; UPDATE; DELETE Administer & control objects GRANT; REVOKE

Data Manipulation Language (DML)

Data Control Language (DCL)

10

SQL Tools for Audit

Direct Interface to Database Server

SQL*PLUS (Oracle) SQL Query Analyzer (SQL Server) DB2 CLP / Command Editor (DB2) Allows use of standard software tools Excel; MSQuery; Microsoft Access

ODBC Interface

11

JDBC Interface

Security Architecture & Design

Need to understand network and application system architecture and design Need to identify and understand database connections in relation to the following access paths to the database environment:

On-line transaction processing Batch processing (application and database) Business user ad-hoc access Database Administration Developer and Application Support access

12

Example Environment (1)

Windows 2003 Server Domain Controller

WAN
Switch

Application Server

13

Windows XP Workstations Application Client

Database Server

Example Environment (2)

DMZ - Web Servers Internet Router Firewall

Web-Based Clients 14

Firewall

Application/Database Servers

Database Audit - Initial Planning

Understand application system and network infrastructure Identify Database Administrators Identify Database environments and versions

Operating system hosts Database configuration files / documentation Database Schemas

Arrange database access

Select access to system tables/views

Run initial sql queries to obtain database security information

15

OS Considerations for Database

OS Accounts & Related Password Controls Privileged OS Accounts Group Membership

Unix groups Windows 2000 Administrators Group Owner / Service Accounts for Database Management System software OS Directory and File Permissions

Program & File Protection

16

Database - TCP/IP Services

Client
Application Layer
DBMS Client
Host-to-Host Transport Layer

Server
Application Layer
DBMS FTP SMTP Telnet
Server

--Listeners-Host-to-Host Transport Layer

TCP

TCP

Internet Layer (IP) Ethernet

192.168.0.5:1050 to 192.168.0.2:1433

Internet Layer (IP) Ethernet

Major Security Vulnerabilities

18

Bugs in database software components (e.g. buffer overflows) left un-patched Lack of network isolation (external and internal) Improper security configuration Use of default user accounts and passwords Use of null passwords Excessive privileges

Database Vulnerability Testing

Information Gathering & Service Enumeration

Ping sweep

Network segment where database server resides Identify other services running

Service enumeration / port scan

Tools

nmap (www.insecure.org)

19

TCP/IP Service Ports

Oracle

TCP 1521 TCP 1433; UDP 1434 TCP 50000 TCP 3306

SQL Server

DB2

MySQL

20

Port Scan SQL Server

21

Database Vulnerability Testing

Vulnerability Tests

OS probes for known vulnerabilities Identify vulnerable tcp/ip services Database probes for known weaknesses and vulnerabilities Specifically test for default accounts and weak passwords Nessus (www.nessus.org) AppDetective (www.appsecinc.com) NGSSquirrel (www.ngssoftware.com)

Tools

22

Nessus DB Vulnerability Tests

23

Example Oracle Vulnerabilities

24

Example SQL Server Vulnerability

25

Database OS Hardening Steps

Secure Configuration (Hardening) Security Patch Management Example Standards:

Database Security (STIG)

http://iase.disa.mil/stigs/stig/index.html Oracle 8i / 9i / 10G Benchmarks and Scoring Tools SQL Server 2000/2005 Benchmark

Center for Internet Security (cisecurity.org)

26

Database Security Issues (1)

Use of Generic & Shared User Accounts Use of OS Authentication Application Connections to Database Default / weak passwords Hard-coded passwords in application code and scripts Lack of Password Controls

27

Database Security Issues (2)

Control over Administrative Users

dba (technical and application support) developers

28

System Privileges and Authorities Object Privileges required for Production environment Public Access to Production Schemas Default access provided to PUBLIC

Database Security Issues (3)

Security Events and Audit Trails System Access

Logins Success / Fail Account / Role / Permissions Changes SELECT Success / Fail INSERT, UPDATE, DELETE CREATE, ALTER, DROP All

Data Access

Data Change Schema / Object Changes Privileged User Activity

29

Monitoring, Analysis and Follow-up Processes

Oracle Database Security

Oracle versions

Oracle 9i (9.0.1.1) Oracle 10g Oracle 11g Oracle Security Alerts Oracle Critical Patch Updates (CPU)

Security Patches

30

Oracle Versions

Select * from v$version; Check for up-to-date version Check for known vulnerabilities

31

Oracle Database Components

Sqlplus Application Client Net Protocol

32

Database Admin: Enterprise Manager

Oracle Server Database Files TCP Listener Control Files Redo Logs Application Server Archive Logs

Oracle Database Audit Areas

33

Configuration Parameters Oracle User Accounts and Passwords Oracle Roles Database System Privileges Database Object Privileges Oracle Audit Trails Network Security

Configuration Parameters

System Tables

Oracle Data Dictionary SHOW PARAMETERS select * from v$parameter TCP Listener (listener.ora) sqlnet.ora, tnsnames.ora

Initialization Parameters

Other start-up files

34

Key Initialization Parameters

35

AUDIT_TRAIL AUDIT_SYS_OPERATIONS OS_AUTHENT_PREFIX REMOTE_OS_AUTHENT O7_DICTIONARY_ACCESSIBILITY REMOTE_LOGIN_PASSWORDFILE UTL_FILE_DIR

Oracle Listener Security

36

Oracle Users and Passwords

Obtain listing of all Oracle user accounts

select * from sys.dba_users

Identify purpose and use of each Oracle account

identify generic accounts defined in Oracle profiles

Review password policies

Check for open default accounts and default passwords

37

Oracle Users

38

Oracle Default Users / Passwords

39

Oracle Password Checks

> checkpwd /@oraprod password_file.txt > badpasswords.txt Checkpwd 1.10 - (c) 2005 by Red-Database-Security GmbH Oracle Security Consulting, Security Audits & Security Trainings http://www.red-database-security.com ***************************************************************** SYS has weak password MERCURY [OPEN] SYSTEM has weak password MERCURY [OPEN] DBSNMP has weak password DBSNMP [OPEN] OPS$JOHN OK [OPEN] OUTLN has weak password OUTLN [EXPIRED & LOCKED] JILL has weak password MERCURY [OPEN] SCOTT has weak password TIGER [OPEN] JACK has weak password MERCURY [OPEN]

40

Oracle Password Cracking

41

Oracle Password Controls

42

External Identification & Authentication

Operating System Authentication

os_authent (OPS$) remote_os_authent

sysdba and sysoper OS system DBA groups

43

Oracle Schemas

Identify schemas subject to audit Select distinct owner from dba_objects Select owner, count(*) from dba_objects group by owner Select owner, object_name, object_type from dba_objects where owner = xxx

44

Identify Schema Owners

45

Schema Objects Count

46

Identify Objects within Schema

47

Overview Mapping
Users: dba_users dba_profiles System Privileges: dba_sys_privs

Roles: dba_roles dba_role_privs

Object Privileges: dba_tab_privs

48

Oracle Roles

Oracle roles provide a mechanism to group privileges Roles can be granted to users or other roles Enabling a role can be password protected Need to review the following views:

dba_roles (roles defined) dba_role_privs (roles granted) dba_sys_privs (privileges granted)

49

Roles Granted to Users / Roles

50

System Privileges Granted

51

PUBLIC Privileges

52

Object Privileges - dba_tab_privs

53

Oracle Auditing

Enabled in init.ora

audit_trail = NONE | DB | OS Statement executed (dba_stmt_audit_opts) Privilege used (dba_priv_audit_opts) Object accessed (dba_obj_audit_opts)

Audit activities based on:

Limit audit recording based on user, success of failure Use AUDIT statement to start a particular auditing task

AUDIT SESSION (all connections)

SQL> select * from dba_audit_object; SQL> select * from dba_audit_session; SQL> select * from dba_audit_statement;

Queries to View Audit Trails (SYS.AUD$):

54

Oracle Network Security

Data is transmitted in clear-text

Oracle Advanced Security TCP.VALIDNODE_CHECKING=<yes/no> TCP.EXCLUDED_NODES= (ip_address, hostname) TCP.INVITED_NODES=(hostname, ip_address)

Sqlnet.ora Node Checking

55

Microsoft SQL Server Security

SQL Server 2000 SQL Server 2005 Security Patches

Service Packs Hot-Fixes MBSA

56

SQL Server Environment

Query Analyzer isql,osql Network Libraries SQL Server SQL Server Agent

Enterprise Manager 57

SQL Server SQL Server Agent

Audit Areas

SQL Server Security Configuration SQL Server Logins Server Roles SQL Server Databases

Database Roles Statement & Object Permissions

Security Logs and Audit Trails

Enterprise Manager

59

Security Configuration

Configuration Parameters

exec sp_configure Stored in master database, and Stored in each individual database (including master database)

System Tables

60

Server Logins Server Roles

Configuration Parameters

Identify using sp_configure stored procedure Examples:

name allow updates c2 audit mode remote access minimum maximum 0 0 0 1 1 1 config_value 0 0 1 run_value 0 0 1

61

System-Level System Tables

Information that resides in master database only Need to obtain and review the following:

sysxlogins - server logins sysdatabases - databases syscurconfigs - current configuration

Information can also be obtained using related stored procedure Information obtained will help to define scope of audit or security review

62

SQL Server Security Modes

Windows Authentication Mode

Requires user to be authenticated by Windows NT/2000 This is default for SQL Server 2000 Permissions granted directly to Windows NT or 2000 user accounts / groups Both SQL Server and Windows Authentication Mode logins are allowed access SQL Server login lacks controls such as password complexity, expiration, lockout, or history

SQL Server and Windows Mode

63

sysxlogins
Identify Users and Groups Look for null passwords

64

sp_helplogins

65

Logins - Audit Issues

Generic & Group User-ids (OS) Membership of OS Admin Groups Trust Relationships (Domains) Password Crackers Null password for sa account Lack of Password Controls

66

Server Roles

sysadmin - can perform any activity in SQL Server serveradmin - can set server-wide configuration options, shut down the server setupadmin - can manage linked servers and startup procedures securityadmin - can manage logins and CREATE DATABASE permissions, read error logs and change passwords processadmin - can manage processes running in SQL Server dbcreator - can create, alter, and drop databases diskadmin - can manage disk files bulkadmin - can execute BULK INSERT statements

67

sp_helpsrvrolemember

68

SQL Server Databases

SQL Server databases comprise:

Master Database Default Install databases - tempdb, msdb, pubs & model Sample databases - e.g. Northwind Application & User databases exec sp_helpdb select * from sysdatabases

Master Database

Need to identify databases subject to audit Should always include Master database

69

Database-Level System Tables

Information that resides in each individual database, including Master database

sysusers - each user allowed in database sysobjects - database objects e.g. tables sp_helprotect

Collect and review this information for each database included in audit or security review

70

sp_helpdb

71

sysdatabases

72

sp_helpuser

73

sp_helprotect

74

Database Roles - sp_helprolemember

75

Public Role

Public role is a special role that exists in every database Functionally can be compared to the Everyone group in the Windows 2000 environment. Every database user is a member of this role automatically - users cannot be added or removed from this role. Public role provides certain permissions for users in a database and cannot be deleted.

76

Audit Trail Mechanisms

OS Application Event Log - Logins SQL Error Log - Logins Profiler Events based on selected criteria C2 Audit mechanism Snort IDS specific attacks

77

SQL Server 2005 Security Features

Surface Area Configuration Password Policy Granular Permission Model Proxy Accounts Execution Context Encryption

78

SQL Server Management Studio

79

SQL Server Configuration Manager

80

Surface Area Configuration

81

SQL Server 2005 Security Model

Principals

Windows Level SQL Server Level Database Level SQL Server Database

Securables

82

Permissions
Source - Microsoft SQL Server 2005 Books Online

SQL Server Security Properties

83

Windows 2003 Password Policy

Can set the following for SQL Accounts

Password Policy Password Expiration Account Lockout

If not using Windows Server 2003, SQL Server uses checks to prevent SQL accounts passwords that are:

Null or empty Same as name of computer or login "password", "admin", "administrator", "sa", "sysadmin"

84

SQL Server Login Properties

85

SQL Profiler

86

DB2/UDB Security

DB2 versions

DB2 8.2.x DB2 9.x IBM Security Alerts Fix Paks

Security Patches

87

DB2/UDB Environment
Command Editor DB2CLP Application Client
DB2 Connect DB2 Instance DB2DAS DB2 Security Server

DB2 Control Center 88

Application Server

DB2 Audit Areas

Security Configuration Parameters Authentication DB2 Authorities Database Privileges Object Privileges Audit Trail Mechanisms

89

OS-Related Accounts

Installation user account DB2 Administration Server (DAS) user account DB2 UDB instance owner user account DB2 UDB fenced routine user account Note: default accounts and passwords

90

Authentication Parameters

db2 get dbm cfg Authentication Types

SERVER SERVER_ENCRYPT CLIENT KERBEROS KRB_SERVER_ENCRYPT

91

Trusted versus Untrusted Clients

DB2 Authorities (Instance-Level)

> db2 => get dbm cfg

SYSADM group name (SYSADM_GROUP) = SYSCTRL group name (SYSCTRL_GROUP) = SYSMAINT group name (SYSMAINT_GROUP) = SYSMON group name (SYSMON_GROUP) =

92

DB2 Authorities Database Level

93

DB2 Privileges

sysibm.sysdbauth - Database privileges sysibm.systabauth - Table & View Privileges sysibm.sysuserauth - System Privileges sysibm.sysplanauth - Plan Privileges sysibm.syspackauth - Package Privileges

94

DB2 Audit Trails

95

Linux OS - Databases

MySQL (Version 5.x)

OS Configuration File System Permissions Logging MySQL Configuration MySQL Permissions Local Trust Authentication Brute Force User Accounts Privilege Escalation

PostgreSQL (Version 8.2.x)

96

MySQL

97

Audit Tools and Resources

Implementing Database Security & Auditing

Ron Ben Natan (Elsevier Digital Press) Litchfield, Anley, Heasman, Grindlay (Wiley)

The Database Hackers Handbook

Oracle Security Handbook (Oracle Press) Oracle Database Administration (OReilly) www.petefinnigan.com

Many useful resources and scripts scanner.sql (security and audit test script) Exploiting and Penetrating Oracle whitepaper

www.sans.org (SCORE section Oracle Audit Checklist)

98

Audit Tools & Resources

SQL Server Security Andrews/Litchfield

McGraw Hill / Osborne

SQL Server Audit Checklists and Tools

www.sqlsecurity.com
www.auditnet.org/docs/

DB2 Audit Programs

IBM DB2 Security

www.net-security.org/dl/articles/Securing_IBM_DB2.pdf
Cisecurity.org (Oracle, SQL Server, MySQL)

Center for Internet Security Benchmarks

99

Database - Key Controls

Database security design Database hardening Security alert monitoring Patch management Network isolation

Not exposed to Internet Not exposed in internal network

Encryption in transit Database Encryption Secure Application Coding (e.g. to address SQL Injection issues)

100

Summary

Security and control of database environment involves audit of a number of key areas:

Network Security Operating System Security Database Security Application System Security

Key is to understand and evaluate the placement of security and control features

101