Read-only bind mounting your ORACLE_HOME

When checking the file system layout in my last blog post, Oracle DbNest file system isolation: pivot root/bind mount, something caught my attention. Even though in Oracle 20C a read-only Oracle home is the way to go by default, and DbNest is there to provide file system isolation (besides many other things), the Oracle home is not mounted read-only by default (DBNEST_PDB_FS_CONF not set) in the new nest mount namespace!

This is curious, because a malicious user on a compromised PDB could exploit that and impact the whole environment.


Oracle DbNest file system isolation : pivot root/ bind mount

In my previous blog post, A first hands on Oracle 20C DbNest (Preview), I encountered some problems when trying to start the PDB nest with the default internal path (parameter DBNEST_PDB_FS_CONF not set), so I was forced to use a custom file system configuration file with the directive “DBNEST_NO_FS_ROOT_MODE” to be able to start it.

It’s time to take a look at what’s going on and what the problem was!


Oracle DbNest and Network isolation/Namespace

In my previous articles we have seen how Oracle DbNest takes advantage of the underlying Linux namespace features to enhance database security. We took a closer look at the user, mount and PID namespaces, as they are the ones used by default when enabling DbNest. But it seems that there is more (neither documented nor enabled by default)!

When taking a look at the dbnest and oracle binaries, it seems that we can get better isolation by taking advantage of the network namespace, even if it’s not enabled by default (maybe in a future release!).

First things first, let’s take a closer look at the network namespace!


Oracle oradism or the directly intimate shared monster !

The oradism binary was initially created for managing Dynamic Intimate Shared Memory on Solaris, but since then it has evolved a lot (increasing the attack surface) and is nowadays used for many operations requiring root privileges on our Linux system. By the way, I have picked up its new name, “Directly Intimate Shared Monster”, from Frits Hoogland on Twitter, and I think it fits it better 🙂


The purpose of this blog post is to try to enumerate some of those operations using an Oracle 20C preview version (armed with my old friends systemtap etc. 🙂).


Oracle DbNest : Filtered syscalls by seccomp profiles

We have already seen in my previous blog posts PART1 and PART2 what Linux seccomp is and how it’s used by Oracle DbNest to enhance multitenant security. In simple words, seccomp is a Linux kernel feature that makes it possible to restrict the system calls a process can use, which reduces the kernel attack surface:

Fewer reachable kernel functions -> fewer possible exploits!

It’s now time to take a deeper look!


Oracle 20C DbNest : Linux namespaces/seccomp/Capabilities/cgroups

One of the new features in Oracle 20C (which is still a preview version) is DbNest. So what is DbNest:

“DbNest provides hierarchical, isolated run-time environments at the CDB and PDB level.

These run-time environments provide file system isolation, process ID number space isolation, and secure computing for PDBs and CDBs. To protect the multitenant environment from security breaches, dbNest uses the latest Linux resource isolation, namespace, and control group features.”

So DbNest adds further protection to the databases (PDB/CDB) in a consolidated environment by isolating every PDB in its own container/nest. In fact, it’s powered by the same fundamental technologies used by containers as we know them today.

So before giving it a try, let’s first take a quick overview of the base technologies it uses.


Oracle database on AWS : Security and data protection/privacy

In this fourth part of the series we will be looking at security, and more specifically data privacy/protection. When planning to move your Oracle databases (or any other app) to the AWS cloud you will be thinking about how to enforce security, and AWS offers many services to help achieve that, such as Subnets/VPC/Security Groups/AWS Config/AWS CloudTrail/AWS IAM/AWS Secrets Manager/AWS KMS/EBS encryption/AWS GuardDuty, etc.

But we are not going to focus on that here. Here I want to emphasize one important aspect of putting our data in the AWS cloud, and that’s the privacy of our DATA!

You can say it now :p
