[Previous entry: "Comments are enabled on this blog again"] [Next entry: "Oracle Database Vault is certified with PeopleSoft"]
Detecting rootkits
February 5th, 2007 by Pete
Post to del.icio.us
Post to Furl
I saw a nice paper at the weekend titled "Thoughts about cross-view based rootkit detection" that discusses detecting rootkits by using low level access routines to compare a low level view of the file system with a high level view. I immediatly thought about the Oracle equivalent. If someone installed an Oracle rootkit in a database and for instance hid a hackers user account by modifying dictionary views such as DBA_USERS then you would check for this user by comparing the number of users in SYS.USER$ with those in DBA_USERS or more likely doing set arithmatic to check for differences. This would be a direct analogy of this Windows based paper. An other technique is to create a "clean" database and to checksum everything in the database, objects, views, tables, code etc and to then store the checksums and use them to compare future checks against.
will the world of rootkits transfer to Oracle databases at some point soon and will we need to create similar tools to check for and remove rootkits from Oracle databases?
