Oracle oradism or the directly intimate shared monster !

October 28, 2020 Mahmoud Hatem linux

oradism binary was initially created for managing Dynamic Intimate Shared Memory on Solaris, but since then it has evolved a lot (increasing the attack surface) and it’s nowadays used for many operations requiring root privileges on our Linux system. By the way i have peeked it’s new name “Directly Intimate Shared Monster” from Frits Hoogland in tweeter and i think that it fits it better 🙂

I would say that if dism stands for directly intimate shared monster, it seems a fitting description? No?
— Frits Hoogland (@fritshoogland) October 22, 2020

https://platform.twitter.com/widgets.js

The purpose of this blog post is to try to enumerate some of those operations using an oracle 20C preview version (Armed with my old friends systemtap/etc 🙂 )

Continue reading →

Oracle DbNest : Filtered syscalls by seccomp profiles

October 27, 2020 Mahmoud Hatem Uncategorized

We have already seen in my previous blog posts PART1 and PART2 what it’s Linux seccomp and how it’s used by oracle dbnest to enhance the multitenant security. In simple word seccomp is a Linux kernel feature which give the possibility to restrict the system calls a process can use which reduce the kernel attack surface :

Less reachable kernel functions -> Less possible exploits !

It’s now time to take a deeper look !

Continue reading →

A first hands on Oracle 20C DbNest (Preview)

October 20, 2020November 4, 2020 Mahmoud Hatem linux

My previous blog post was an introduction to Oracle DBNest and the fundamental Linux technologies it is based on.It’s now the time to give it a try (This is not an in depth blog post as i’am just giving it a try so don’t expect to much :p) !

Continue reading →

Oracle 20C DbNest : Linux namespaces/seccomp/Capabilites/cgroups

October 13, 2020 Mahmoud Hatem Uncategorized

One of the new feature in oracle 20C (which is still in preview version) is dbnest. So what is dbnest :

“DbNest provides hierarchical, isolated run-time environments at the CDB and PDB level.

These run-time environments provide file system isolation, process ID number space isolation, and secure computing for PDBs and CDBs. To protect the multitenant environment from security breaches, dbNest uses the latest Linux resource isolation, namespace, and control group features.”

So dbnest add further protection to the databases (PDB/CDB) in consolidated environment by isolating every PDB in it’s our Container/Nest. In fact it’s powered by same fundamental technologies used by containers as we know them today .

So before giving it a try, let’s first take a quick overview at the base technologies it’s using.

Continue reading →

Partial CDB backup : Excluding a specific PDB

October 6, 2020 Mahmoud Hatem Uncategorized

There is nothing fancy in this blog post, it’s only about something that coud be handy when using oracle multitenant.

Suppose that we have a CBD with multiple PDBs and we want to backup all of them and only exclude one which don’t need to be backed up (No matter what is the reason) . So how to do that the simplest way.

Continue reading →