Call: +44 (0)1904 557620 Call
Blog

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "2 Day Oracle Security Seminar in York, England"] [Next entry: "Poor mans database vault"]

A new database security auditing and scanner product, some BBED, ASM and AV



Well, it has been a very long time since my last post. I keep wanting to write a post but my time is so extremely limited at the moment that its hard to keep on top of work, emails, familly and trying to fit in blog posts falls down the list a bit which is a shame.

All of my spare time of which there isn't much at the moment is used up being involved in our companies Oracle database security audit and scanner product. The product is very exciting for us. I am going to talk a lot more about it over the coming weeks as we ready for production and sale to customers. We have demonstrated it a couple of times already and the feedback has been amazing.

As a little taster it's two main aims are:

1) To try and help people secure databases (initially just Oracle but will also be SQL Server soon). There is more to securing a database than just running a bunch of checks and then creating a report. We recognise this ( indeed our hand done audits and training classes are aimed at the same ideas) and the product is based around the whole life cycle of securing a database from cradle to grave; from inventory gathering, first deep assessment of a database, correction strategy, creation of solution assistance tools, creation of a security policy document, fixing (many modes of fix available), scanning all databases, compliance checking. Cradle to grave.

2) transfer my knowledge. I have gained a huge amount of knowledge and experience over the years of securing and teaching and researching and speaking about Oracle for clients and one of the goals for this product was to encapsulate as much of this as we could. One of the key problems people have in my experience is that they perform an audit of a database (internally or via professional services) and all seems good except that they are really unsure what to do next, what to fix, how to fix, how much to fix...... This is an area where we wanted to add value, so whilst its not possible for a product to simply generate fixes (well it is but would you run them??) it is possible to provide "deep hand-holding" to really assist in this process. We of course produce fixes as well BUT they are targetted to the client.

Another issue we wanted to solve is the problem of data loss and increased risk caused by the use of an audit product. Its obvious that anyone running a security scanner/audit tool could be a good target for someone wanting to steal; either the IPR itself of the checks/tests being performed or the results. We have a great solution for this; more detail later; basically the IPR cannot be sniffed and the results cannot be sniffed either. The solution is not encryption or anything like that, its simply that we dont transmit in the first place..:-) This allows a mode of operation that suits auditors in that they can ask the DBA or some junior staff to run the scan and collect the results without fear of loss of "what is being checked" or loss of the detailed results. The full analysis in this mode is done off line.

We also allow "complex" policies, that is policies that can depend on each other in any number of layers or heirarchies or ways. Also policies can contain what can be described as "loops". These features are not done justice in a few lines here but i wanted to start to discuss them now as this is a major feature of the product. Very complex policies have been created and are included and the customer can also create policies by simple point and click; this allows an unprecedented level depth o audit to take place because we can audit even what we dont know about!

I demonstrated these functionallities live in the last few days to a prospective customer and they were blown away with the ideas and what the product can do.

Anyway I will talk again about the product soon as we near beta testing and production but for now I have added a simple 2 page flyer describing the product to our website - PFCLScan. If anyone would like any more details then please email me on pete_at_petefinnigan_dot_com

I just saw on Marcin Przepiorowski's site a nice paper titled "How to view and edit data on ASM using BBED" which describes how you can use BBED to read and modify data on ASM, very nice. He mentions that he has based some of this on Miladin's earlier papers and Graham Thorntons excellent paper and also some is based on https://twiki.cern.ch/twiki//bin/view/PSSGroup/ASM_Internals - (broken link) Luca Canali's work on ASM internals which is also excellent. Finally Marcin mentions in another post - BBED and Oracle Vault - to defeat Audit Vault with BBED, nice but no indication of actual privileges used to do this.

There has been 1 Comment posted on this article


July 22nd, 2009 at 09:00 am

Pete Finnigan says:

Hi Pete,

First of all I'm really happy that you mentioned my post on one of my favorite blogs - Thanks.

There is a little mistake in your post - I was taking about BBED and Oracle Vault option not about Oracle Audit Vault.

Can I ask you one question via mail ?

regards,
Marcin Przepiorowski