
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.


11g and Oracle Security



I have started to research the new Oracle 11gR1, specifically in the area of Oracle security. For me this doesn't just mean looking at the documentation and pulling out the new Oracle security related features. Of course I will look at those as well, but I have a devious mind so I like to look at everything and see if I can spot an angle, an edge that will show me a security weakness.

Before I could start I needed to get 11gR1 loaded. The first stages of this research are twofold: look at the documentation and of course look at 11g itself. I downloaded 11g as soon as it was available for download for Linux a week or so ago but didn't get around to installing it until last night. I had to first dig out a box to install on. I was going to VMware it, then I thought, no, better to run natively even if the box is not top spec. I had thought about an old base unit I have but decided that it was too old and slow, and instead I have reformatted the disk of my last laptop and I downloaded Oracle "unbreakable" Linux at the weekend.

I then spent Monday evening trying to get it installed.... that was a failure, wouldn't you think that Oracle "unbreakable" Linux downloaded from Oracle's site would work out of the box with Oracle 11g database.... nope..... no such luck. After some digging last night, I solved the DISPLAY issue (Thanks to Howard) and then set about fixing the packages, kernel parameters and a few other bits. I seemed to have parameter issues that are not listed in Howard's install docs or others I found. The install then went reasonably smoothly, if slow. When it had finished I got another issue. I tried to log into sqlplus but got an error "sqlplus: error while loading shared libraries: /oracle/11g/libnnz11.so: cannot restore segment prot after reloc: permission denied" - This was solved after a bit of digging to find it was an SELinux policy issue. I had to log in as root and run "tail -f /var/log/audit/audit.log | tee oracle.log" then log back in as oracle and try and start sqlplus as sysdba. Then log back in as root and CTRL-C the log file. Then it's a simple case of feeding the log into the policy by doing "audit2allow -M oracle < oracle.log" and then run "semodule -i oracle.pp" - now sqlplus works natively on the Linux box. I can of course also log in remotely:



SQL*Plus: Release 9.2.0.1.0 - Production on Wed Aug 22 22:55:27 2007

Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.


Connected to:
Oracle Database 11g Enterprise Edition Release 11.1.0.6.0 - Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

SQL>


Even from 9iR2. Now I have a platform to play with. I have some ideas of what to investigate and look at. More tomorrow....
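An added example, not part of the original post: a capture taken with "tail -f" holds every denial logged while it ran, so anything unrelated to sqlplus is also allowed by the module that audit2allow builds from it. The sketch below narrows a capture to one command and lists the distinct rules it would produce. The log lines are constructed, and the SELinux types, the httpd entry and the helper names `filter_avc` and `summarise_avc` are assumptions for illustration.

```shell
#!/bin/sh
# Constructed sample capture (not real log output). The execmod denial on
# libnnz11.so is the kind of AVC behind "cannot restore segment prot after
# reloc"; the httpd denial stands in for unrelated noise in the same window.
sample_log() {
cat <<'EOF'
type=AVC msg=audit(1187819700.101:41): avc:  denied  { execmod } for  pid=3456 comm="sqlplus" path="/oracle/11g/libnnz11.so" dev=sda1 ino=98765 scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1187819700.101:41): arch=40000003 syscall=125 success=no exit=-13 comm="sqlplus"
type=AVC msg=audit(1187819702.554:42): avc:  denied  { name_bind } for  pid=2101 comm="httpd" src=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1187819705.310:43): avc:  denied  { execmod } for  pid=3460 comm="sqlplus" path="/oracle/11g/libnnz11.so" dev=sda1 ino=98765 scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:object_r:usr_t:s0 tclass=file
EOF
}

# Keep only AVC denials raised by the command named in $1.
filter_avc() {
    grep '^type=AVC ' | grep ' denied ' | grep -F "comm=\"$1\""
}

# One line per distinct rule the input would yield:
# "<source type> <target type> <class> { <permissions> }"
summarise_avc() {
    sed -n 's/.*denied  *{ \(.*\) } for .* scontext=[^:]*:[^:]*:\([^: ]*\)[^ ]* tcontext=[^:]*:[^:]*:\([^: ]*\)[^ ]* tclass=\([^ ]*\).*/\2 \3 \4 { \1 }/p' | sort -u
}

echo "Rules from the whole capture:"
sample_log | summarise_avc
echo "Rules from sqlplus denials only:"
sample_log | filter_avc sqlplus | summarise_avc

# On a real host the filtered stream replaces the raw file:
#   filter_avc sqlplus < oracle.log | audit2allow -M oracle
# then read oracle.te before running: semodule -i oracle.pp
```

audit2allow -M writes the human-readable oracle.te next to oracle.pp, so the rules can be checked against this summary before the module is loaded.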

There have been 4 comments posted on this article


August 23rd, 2007 at 12:13 am

Pete Finnigan says:

I was wondering, did you install it on Oracle Enterprise Linux V5 with SELinux?

Because I didn't encounter problems on Oracle EL V5 without SELinux.

Could you elaborate on the DISPLAY issue. The URL towards Howard is only the general one.

Thanks.

Marco



August 23rd, 2007 at 09:30 am

Pete Finnigan says:

Hi Marco,

Thanks for your reply. Yes I did install with SELinux, I thought about not having it but in the end decided as Oracle felt it was worth having I should install it..:-)

My issue described above was because SELinux was installed.

The DISPLAY issue is shown when you start the runInstaller and it fails on the graphics colour check. If you set the DISPLAY variable as it suggests this doesn't fix it. The issue seems to be because I su'd to the oracle user from the root shell used to set everything up. Howard pointed out in one of his installs, 11g or 10gR2 (cannot remember which) that you need to log off the server completely as root and log back in as Oracle to fix the issue.

cheers

Pete



August 23rd, 2007 at 10:04 am

Pete Finnigan says:

Thx for your reply.

SELinux. I didn't dare (yet) to go that way so that explains it.

I would be very interested hearing here regarding your experiences with SELinux. Though promoted by Oracle, (as far as I know), they didn't give a lot of guidelines yet...



August 23rd, 2007 at 10:06 pm

Pete Finnigan says:

Hi Marco,

Thanks very much for your reply. I don't have much direct experience of the specific SELinux features yet but it's something I am going to look at. In general when I perform Oracle database security audits, in the operating system part of the audit I focus on the issues that are directly related to the Oracle install so don't tend to look at the core OS security features as they are usually out of scope, hence I have tended to not go as deep in testing and research of the same when researching, as Oracle Database security is a large subject and I have limited time to research so it has to be focused.

cheers

Pete