Re: is it ok to tighten up extproc security?

From: Pete Finnigan <pete_at_petefinnigan.com>
Date: Fri, 14 Nov 2008 15:55:21 +0000
Message-ID: <491D9F69.8040806@petefinnigan.com>


Hi Douglas,

A few people have commented already but allow me to add a little.

If you are using extproc, then it's good practice to move it to a separate listener. There is a note on Metalink that describes this, sorry I don't have the number to hand. If you do this you can start the new extproc listener as a "nobody:nobody" type user. Of course also remove it from the main listener.

The extproc service was standard up to 11gR1, i.e. it's not there by default anymore in 11gR1, this is good.

The hardest problem is to find out if extproc is used or not. There are a number of techniques that come to mind.

Check DBA_LIBRARIES:

SQL> edit
Wrote file afiedt.buf

  1  select * from dba_libraries
  2* where file_spec is not null
SQL> /

OWNER    LIBRARY_NAME             FILE_SPEC                                                 D STATUS
-------- ------------------------ --------------------------------------------------------- - -------
SYS      DBMS_SUMADV_LIB          C:\app\Admin\product\11.1.0\db_1\bin\oraqsmashr.dll       Y VALID
ORDSYS   ORDIMLIBS                C:\app\Admin\product\11.1.0\db_1\bin\oraordim11.dll       Y VALID
MDSYS    SDO_GEOR_LIZARDTECH_LIB  C:\ADE\aime_071014.0004\oracle\md\dll\lt_dbmrsid_oci.dll  Y VALID

SQL>

Then check whether any that have been added look like they are not installed by Oracle; these three are installed by Oracle.

Another trick is to fire up the listener control utility lsnrctl and run the services command to see if any established connections have been made to the extproc service.

Someone also mentioned mining the listener log, this is a good idea. Another option is to look at all possible libraries, use the DBA_DEPENDENCIES view and see if they are accessed by any PL/SQL procedures (they must be if used) and then put audit on those procedures for EXECUTE by access. Another option at this stage, for a quicker answer, is to check v$sqlarea for the same procedures.

You mention that AppDetective suggests adding valid node checking in the protocol.ora. This would worry me: how old is your AppDetective? The protocol.ora has not been used for many a long year for valid node checking, or is this an AppDetective bug? Also, like the OP, if the listener is on the database server then the valid node checking will restrict network connections to start from the database server. Also valid node checking doesn't work at the service level, so this would stop valid connections. Also, as one risk would be use of a library rather than direct network access, this would not fix it.

hth

cheers

Pete

Douglas Cowles wrote:
> An application called appdetective has flagged one of my systems as having
> an extproc service which is a security violation in its estimation.
> It recommends I either remove the lines from listener.ora to prevent the
> service from spawning or modify the protocol.ora to use validnode checking
> parameter to only accept requests from certain network addresses.
>
> My first question is how can I determine whether there are any external
> procs being used in the database in the first place. I would figure it
> would require a library, but all the libraries I have in the database are
> owned by sys and don't seem user generated even for Peoplesoft purposes. I
> would imagine I could turn this off but someone must have modified the
> listener at some point to allow extproc in the first place which makes me
> think someone wanted to do it but when and for what. It could have been
> set up 3 years ago.
>
> Secondly, if the first question is not definitive, is simply putting the
> database server itself as the only node allowed to invoke extproc a
> solution that is likely to handle things? It is possible a Peoplesoft app
> or web server would want to invoke an extproc on a database server?
>
> This is a 10.2.0.3 database on AIX 5.3 running Peoplesoft 9 (unsure of
> exact version)
>
> Any other thoughts about how to handle a violation item like this would be
> appreciated.
>
>
> Thanks,
> Doug Cowles
>

-- 

Pete Finnigan
Director
PeteFinnigan.com Limited

Specialists in database security.

If you need help to audit or secure an Oracle database, please ask for
details of our courses and consulting services

Phone: +44 (0)1904 791188
Fax  : +44 (0)1904 791188
Mob  : +44 (0)7742 114223
email: pete_at_petefinnigan.com
site : http://www.petefinnigan.com

Registered Office: 9 Beech Grove, Acomb, York, YO26 5LD, United Kingdom
Company No       : 4664901
VAT No.          : 940 6681 14

Please note that this email communication is intended only for the
addressee and may contain confidential or privileged information. The
contents of this email may be circulated internally within your
organisation only and may not be communicated to third parties without
the prior written permission of PeteFinnigan.com Limited.  This email is
not intended nor should it be taken to create any legal relations,
contractual or otherwise.

--
http://www.freelists.org/webpage/oracle-l
Received on Fri Nov 14 2008 - 09:55:21 CST
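The detection steps Pete lists (DBA_LIBRARIES, DBA_DEPENDENCIES, EXECUTE auditing by access, V$SQLAREA) collected into one SQL*Plus script, as an added example written for this page; it is not code from the post, from Oracle or from AppDetective. The dictionary views and columns are standard Oracle ones; the list of Oracle-supplied owners to exclude in step 1 is an assumption and should be extended for whatever options are installed on the instance.

```sql
-- Added example (not from the original post): is extproc actually used?
-- Run as a DBA from SQL*Plus. The list of Oracle-shipped owners below is an
-- assumption; add any other Oracle option schemas present on your system.
set lines 200 pages 100
col file_spec for a60
col sql_text  for a80

-- 1. Libraries that point at a real file and are NOT owned by an Oracle-supplied
--    schema. Anything returned here was added by someone other than Oracle.
select l.owner, l.library_name, l.file_spec, l.status
from   dba_libraries l
where  l.file_spec is not null
and    l.owner not in ('SYS', 'SYSTEM', 'ORDSYS', 'MDSYS', 'CTXSYS',
                       'XDB', 'WMSYS', 'EXFSYS', 'OLAPSYS')
order  by l.owner, l.library_name;

-- 2. Every PL/SQL unit that references ANY library. A library that is really
--    called must have at least one dependent procedure/function/package body.
select d.owner, d.name, d.type, d.referenced_owner, d.referenced_name as library_name
from   dba_dependencies d
where  d.referenced_type = 'LIBRARY'
order  by d.referenced_owner, d.referenced_name, d.owner, d.name;

-- 3. Quick answer: is any of those units in the shared pool right now?
--    (Only shows what has not yet aged out, so absence is not proof.)
select s.parsing_schema_name, s.executions, s.last_active_time, s.sql_text
from   v$sqlarea s
where  exists (select 1
               from   dba_dependencies d
               where  d.referenced_type = 'LIBRARY'
               and    upper(s.sql_text) like '%' || d.name || '%')
order  by s.last_active_time desc;

-- 4. Definitive answer over time: generate AUDIT EXECUTE ... BY ACCESS for each
--    dependent unit. Package bodies are audited via their package name.
--    Paste the generated statements back into SQL*Plus and run them.
select distinct 'audit execute on "' || d.owner || '"."' || d.name
       || '" by access;' as audit_stmt
from   dba_dependencies d
where  d.referenced_type = 'LIBRARY'
and    d.type in ('PROCEDURE', 'FUNCTION', 'PACKAGE', 'PACKAGE BODY');

-- 5. After a representative period (audit_trail must be DB or OS, which needs
--    a restart if it is NONE), see who actually executed them and from where.
select a.timestamp, a.os_username, a.userhost, a.username, a.owner, a.obj_name
from   dba_audit_trail a
where  a.action_name = 'EXECUTE PROCEDURE'
and    (a.owner, a.obj_name) in (select d.owner, d.name
                                 from   dba_dependencies d
                                 where  d.referenced_type = 'LIBRARY')
order  by a.timestamp desc;
```

Step 2 deliberately does not exclude Oracle's own schemas: Oracle-shipped libraries such as DBMS_SUMADV_LIB are still reachable through extproc, so the question is who calls them, not only who created them. If steps 3 and 5 stay empty over a period that covers month-end and any batch windows, the PeopleSoft side is not using extproc and the service can be removed from the listener.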

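The "separate listener as nobody" layout Pete recommends, as an added configuration example written for this page; it is not taken from the post or from the Metalink note he refers to. The listener name, IPC key, ORACLE_HOME path and the library path in EXTPROC_DLLS are assumptions to be replaced with local values.

```text
# Added example (not from the original post): listener.ora on the database
# server with extproc REMOVED from the main listener and served only by a
# second, IPC-only listener that is started under a low-privilege OS account.
# LISTENER_EXTPROC, extproc_key, the ORACLE_HOME and /u01/app/oracle/extproc/
# libpsft.so are assumed names and paths.

LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost)(PORT = 1521))
    )
  )
# Note: no SID_LIST_LISTENER entry for PLSExtProc, so the main listener
# (which runs as the oracle software owner) can no longer spawn extproc.

LISTENER_EXTPROC =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = extproc_key))
    )
  )

SID_LIST_LISTENER_EXTPROC =
  (SID_LIST =
    (SID_DESC =
      (SID_NAME = PLSExtProc)
      (ORACLE_HOME = /u01/app/oracle/product/10.2.0/db_1)
      (PROGRAM = extproc)
      # Restrict which shared objects extproc may load; ONLY: is the
      # documented EXTPROC_DLLS keyword, the library path is an assumption.
      (ENVS = "EXTPROC_DLLS=ONLY:/u01/app/oracle/extproc/libpsft.so")
    )
  )

# tnsnames.ora on the same server: the database must reach extproc through
# the IPC key of the new listener, not through the TCP listener.
EXTPROC_CONNECTION_DATA =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = IPC)(KEY = extproc_key))
    (CONNECT_DATA = (SID = PLSExtProc)(PRESENTATION = RO))
  )
```

Start the second listener as the low-privilege account (for example `lsnrctl start LISTENER_EXTPROC` from a shell running as that user); that account needs execute permission on $ORACLE_HOME/bin/tnslsnr and extproc and a writable log directory, which is what the Metalink note Pete mentions walks through. An IPC-only address means the extproc listener has no network endpoint at all, which removes the valid-node-checking question entirely; the remaining risk is the one Pete names last, a user with CREATE LIBRARY and a PL/SQL wrapper, which is why the EXTPROC_DLLS allow-list and the library audit above still matter.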