In this chapter we will cover the following topics:
- Using Tripwire for file integrity checking
- Using immutable files to prevent modifications
- Closing vulnerable network ports and services
- Using network security kernel tunables to protect your system
- Using TCP wrappers to allow and deny remote connections
- Enforcing the use of strong passwords and restricting the use of previous passwords
- Restricting direct login and su access
- Securing SSH login
The number of security threats related to operating systems and databases are increasing every day, and this trend is expected to continue. Therefore, effective countermeasures to reduce or eliminate these threats must be found and applied. The database administrators and system administrators should strive to maintain a secure and stable environment for the systems they support. The need for securing and ensuring that the database servers are operational is crucial, especially in cases in which we are working with mission critical systems that require uninterrupted access to data stored in Oracle Databases.
In this chapter, we will focus on some operating system security measures to be taken to have a reliable, stable, and secure system. Obviously operating system security is a vast domain and to cover this subject in a few pages is not possible. However, we can briefly describe several key items that can provide a starting point to address some of the concerns we will highlight in our recipes.
Briefly, the possible operating security threats are:
- Denial of service
- Exploits and vulnerabilities
- Backdoors, viruses, and worms
- Operating system bugs
Recommendations and guidelines:
- Develop a patching policy.
- Perform security assessments regularly.
- Try to use hard-to-guess passwords.
- Disable direct root login and create a special login user. It would be also easier to perform auditing.
- Limit the number of users.
- Limit the number of users who can issue the
sucommand to become the root or oracle owner user. - Limit the number of services started, use only the necessary ones.
- Limit the number of open ports.
- Refrain from using symbolic links whenever possible.
- Do not give more permissions to users than is necessary.
- Secure
ssh. - Use firewalls.
In these series of recipes for the server environment, we will use the operating system Red Hat Enterprise Linux Server release 6.0 (Santiago) 64-bit version. For the client environment we will use the Fedora 11 update 11 64-bit version. The server hostname will be nodeorcl1 and the client hostname will be nodeorcl5. All machines used are virtual machines, created with Oracle Virtual Box 4.1.12.
As a preliminary task before we start, prepare the server environment in terms of kernel parameters, directories, users, groups, and software installation as instructed in Oracle® Database Installation Guide 11g Release 2 (11.2) for Linux (http://docs.oracle.com/cd/E11882_01/install.112/e24321/toc.htm). Download and install Oracle Enterprise Edition 11.2.0.3, create a database called HACKDB, configured with
Enterprise Manager and
Sample Schemas, and define a listener called LISTENER with a default port of 1521.
Due to the limited page constraints, we will omit the description of each command and their main differences on other Linux distributions or Unix variants. The most important thing to understand is the main concept behind every security measure.