Re: Exadata and anti-virus

From: Mladen Gogala <gogala.mladen_at_gmail.com>
Date: Mon, 25 Mar 2019 19:34:40 -0400
Message-ID: <c32adef6-b87e-b4f6-5c93-8c557021ae67_at_gmail.com>



On 3/25/19 12:17 PM, Brad Peek (Redacted sender brad_peek for DMARC) wrote:
>
> Listers -- Looking for feedback regarding installing anti-virus
> software on Exadata compute nodes. MOS Doc ID 1935746.1 says “Anti
> Virus software is allowed, but it is not necessarily needed or
> recommended”. I’ve used Exadata since X2 and have not installed AV
> on it or seen much mention of it.
>
> I would like to get some feedback before deciding where I stand on this.
>
> Have you installed it?
>
> If yes, specifically what did you install?
>
> Any issues or advice?
>
>
> Thanks -- Brad Peek

Hi Brad,

How do you envision a situation in which Exadata can get infected? Exadata is, in its essence, a database server which communicates with the outer world using Oracle*Net. This is particularly true for the latest version of Exadata, X7-2, which no longer has hardware-based database nodes, but has OVM-based virtual machines instead. If a virtual machine somehow gets infected, you can simply drop it and create a new one. Viruses usually modify an existing executable, like $ORACLE_HOME/bin/sqlplus, and replace it with a version which contains malicious code. First, common users do not have write access to anything in the $ORACLE_BASE directory, which of course includes $ORACLE_HOME. User "bpeek" will not be able to modify the $ORACLE_HOME/bin/sqlplus file.

This is a part of the broader question of viruses on Linux. Yes, it is true, there are some. However, all of them require that at some point a user with sufficient privilege executes malicious code. That means two things:

  1. Somebody must copy the infected file to one of Exadata database nodes
  2. Somebody must execute it.

Exadata should only communicate with the external world using Oracle*Net, usually on port 1521. Only the administrator should have access to the interactive login to Exadata. And the administrator should only copy patches and new versions downloaded directly from Oracle Corp. Nothing else should go there. There should be no email server, no ftp server and no web server. I am aware of the fact that Oracle RDBMS contains a web server, which needs to be enabled for APEX. I would cut that off by means of a firewall, preferably an external one, and not use APEX on Exadata database nodes. Exadata is a very expensive and very fast data warehouse machine and should be used accordingly. In a situation like that, it's completely unfathomable that Exadata would get infected. However, contrary to what you've heard about "database that administers itself", I would still strongly advise hiring a competent DBA or entrusting administration to some of the proven remote DBA heavyweights like Pythian. Self-administering database, code name Skynet, functions only on the marketing level. In practice, you will still need a DBA. Databases are getting more complex and Skynet is not yet around. I'll be back (with a strong Austrian accent).

Regards

-- 
Mladen Gogala
Database Consultant
Tel: (347) 321-1217
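The two controls the reply leans on, that only Oracle*Net (and an admin login) is reachable from the network and that no ordinary user can overwrite anything under $ORACLE_HOME, are both things you can audit rather than assume. The script below is an added example and is not from the original message, from Oracle, or from any Exadata tooling. The ALLOWED_PORTS list (SQL*Net on 1521 plus SSH on 22), the sample listener lines in the shape of `ss -Hltn` output, and the throwaway directory standing in for $ORACLE_HOME are all constructed for illustration; on a live host you would pipe real `ss -Hltn` output into `unexpected_listeners` and point `writable_by_others` at the real $ORACLE_HOME.

```shell
#!/bin/sh
# Added example, not from the original post or from Oracle: audit the two controls
# discussed above on a Linux database host. ALLOWED_PORTS and the sample `ss`
# output are constructed assumptions for illustration.

# Ports that may listen on a non-loopback address (assumption: SQL*Net and SSH only).
ALLOWED_PORTS="1521 22"

# Constructed sample in the shape of `ss -Hltn` output (State Recv-Q Send-Q Local Peer);
# it is not captured from a real Exadata node.
SAMPLE_LISTENERS='LISTEN 0 128 0.0.0.0:1521 0.0.0.0:*
LISTEN 0 128 127.0.0.1:25 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*'

# unexpected_listeners: reads ss-style lines on stdin, prints every listener that is
# reachable from the network (not loopback) on a port outside ALLOWED_PORTS, and
# returns 1 if it printed anything. Feed it `ss -Hltn` on a live host.
unexpected_listeners() {
    found_bad=0
    while read -r state recvq sendq laddr peer; do
        case "$state" in State|'') continue ;; esac      # header or blank line
        port=${laddr##*:}
        addr=${laddr%:*}
        case "$addr" in 127.*|'[::1]') continue ;; esac  # loopback: not externally reachable
        allowed=0
        for p in $ALLOWED_PORTS; do
            if [ "$p" = "$port" ]; then allowed=1; fi
        done
        if [ "$allowed" -eq 0 ]; then
            echo "$laddr"
            found_bad=1
        fi
    done
    return "$found_bad"
}

# writable_by_others: prints regular files under $1 that are group- or world-writable.
# A binary like $ORACLE_HOME/bin/sqlplus showing up here could be replaced by an
# unprivileged local user, which is exactly the infection path the post describes.
writable_by_others() {
    find "$1" -type f \( -perm -020 -o -perm -002 \) 2>/dev/null
}

# make_sample_home: builds a throwaway directory that stands in for $ORACLE_HOME,
# with one correctly protected binary and two that are writable by others.
make_sample_home() {
    d=$(mktemp -d)
    mkdir -p "$d/bin"
    touch "$d/bin/sqlplus" "$d/bin/oracle" "$d/bin/tnsping"
    chmod 755 "$d/bin/sqlplus"   # owner-only write: fine
    chmod 775 "$d/bin/oracle"    # group-writable: flagged
    chmod 777 "$d/bin/tnsping"   # world-writable: flagged
    echo "$d"
}

# Stand-alone run: report findings against the constructed inputs.
echo "Listeners outside the allowlist:"
printf '%s\n' "$SAMPLE_LISTENERS" | unexpected_listeners || echo "FAIL: unexpected listeners present"
home=$(make_sample_home)
echo "Files under $home writable by group or world:"
writable_by_others "$home"
rm -rf "$home"
```

Against the constructed input, the only listener flagged is 0.0.0.0:8080 (the kind of web server the reply says should not be there); the SMTP listener bound to 127.0.0.1 is ignored because nothing outside the box can reach it, and both group- and world-writable binaries under the sample home are reported while the 755 one is not. The `find -perm -mode` form is POSIX, so the check behaves the same on Oracle Linux and other Unix systems.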


--
http://www.freelists.org/webpage/oracle-l
Received on Tue Mar 26 2019 - 00:34:40 CET
