In my previous blog posts Metric Extension : HugePages & capacity planning and Metric Extension : CPU usage and capacity planning we have seen how to improve some of the metrics usually used for capacity planning. Another very important metric is our FC HBA utilization and how much free capacity we still have.
One of the cool new features of AWS SSO is the possibility to pass user attributes, also known as session tags. This can be very useful for Attribute-Based Access Control (ABAC), as described in the previous article. Another useful case is using the SSMSessionRunAs tag to specify the credentials with which an AWS Systems Manager Session Manager session is launched, which allows for better security, as the default user “ssm-user” has full administrative privilege on the target instance.
PgSilo is a new PostgreSQL extension that aims to provide better security and isolation by confining PostgreSQL back-end sessions into silos. Every PostgreSQL cluster will be split into many silos, with at most one silo per database; this aims to provide better native security when deploying PostgreSQL. A compromised process connected to database A (Silo A) will not be able to affect database B (Silo B) in the same cluster or in another database cluster on the same host machine. That’s the ultimate objective, but we are still far from that!
pgSilo is still in active development and there is still a lot to do, but I decided to share it at this early stage to get feedback and, of course, contributions. Here is a glimpse of what the current pre-alpha release can do:
When checking the file system layout in my last blog post, Oracle DbNest file system isolation : pivot root/ bind mount, something caught my attention. Even if in Oracle 20C a read-only Oracle home is the way to go by default and DbNest is there to provide file system isolation (besides many other things), the Oracle home is not mounted read-only by default (DBNEST_PDB_FS_CONF not set) in the new nest mount namespace!
This is curious, because a malicious user on a compromised PDB can exploit that and impact the whole environment.
Thanks to a friend (who shared his cloud account with me) I managed to get access to another Oracle 20C preview version. So here I am with a new blog post!
When creating a new full PDB nest, one of the first things done is creating a new user namespace, so let’s take a closer look at it!
In my previous blog post A first hands on Oracle 20C DbNest (Preview) I encountered some problems when trying to start the PDB nest with the default internal path (parameter DBNEST_PDB_FS_CONF not set), so I was forced to use a custom file system configuration file with the directive “DBNEST_NO_FS_ROOT_MODE” to be able to start it.
It’s time to take a look at what’s going on and what the problem was!
In my previous articles we have seen how Oracle DbNest takes advantage of the underlying Linux namespace features to enhance database security. We have taken a closer look at the user, mount and pid namespaces, as they are the ones used by default when enabling DbNest. But it seems that there is more (neither documented nor enabled by default)!
When taking a look at the dbnest and oracle binaries, it seems that we can get better isolation by taking advantage of the network namespace, even if it’s not enabled by default (maybe in a future release!).
First things first, let’s take a closer look at the network namespace!
The oradism binary was initially created for managing Dynamic Intimate Shared Memory on Solaris, but it has evolved a lot since then (increasing the attack surface), and nowadays it is used for many operations requiring root privileges on our Linux system. By the way, I picked up its new name, “Directly Intimate Shared Monster”, from Frits Hoogland on Twitter, and I think it fits better 🙂
I would say that if dism stands for directly intimate shared monster, it seems a fitting description? No?— Frits Hoogland (@fritshoogland) October 22, 2020
The purpose of this blog post is to try to enumerate some of those operations using an Oracle 20C preview version (armed with my old friends systemtap/etc 🙂)
We have already seen in my previous blog posts PART1 and PART2 what Linux seccomp is and how it’s used by Oracle dbnest to enhance multitenant security. In simple words, seccomp is a Linux kernel feature that makes it possible to restrict the system calls a process can use, which reduces the kernel attack surface:
Fewer reachable kernel functions -> fewer possible exploits!
It’s now time to take a deeper look!