20131003 pizzasessie db-security

Database Security, Jelmer de Reus, Utrecht, 3 October 2013

Transcript of 20131003 pizzasessie db-security

Page 1: 20131003 pizzasessie db-security

Database Security
Jelmer de Reus

Utrecht, 3 October 2013

Page 2

Overview

• Introduction and relevance
• Network ecosystem
• Logs and traps
• Incident & Event Management
• Operating systems
• Implementation
• PostgreSQL
• MySQL

Page 3

Introduction and relevance

• Examples from security audits
• Developments in attacks
  • Automated reconnaissance
  • Blind SQLi
  • Brute force
  • Pivoting
• Developments in tools
  • Metasploit Framework
  • Fasttrack, SQLping
• Database engines evolve along with them

Page 4

Network Ecosystem

Overview
• Deployment in the network
• Management access
• Network services
• Logging
• Traffic analysis/IPS

Page 5

Network Ecosystem: deployment differences

Services
• DB server
• DB server + web server + ?

Status
• Proof-of-concept
• OTA
• Production

Page 6

Network Ecosystem: deployment issues

• Management VLAN (iDRAC/iLO)
• Production VLAN
  • Private VLAN
  • Demilitarized Zone
• Firewalling
  • Minimal access
  • Logging on specific rules
  • IPS enabled where possible
  • Maintain and audit the rules

Page 7

Network Ecosystem

Management VLAN

Page 8

Logs and Traps

Local vs remote logging issues

Local logging
• Log file protection
• Log file capacity/rotation

Remote issues
• Where to?
• Syslog
• SNMP trap

Page 9

Logs and Traps

Log file protection: append-only file flags on FreeBSD

chflags
• chflags sappnd <path>/file.log   (sappnd = system append-only flag)
• ls -lo <path>/file.log   (shows the file flags)

Enforcement against root users
• Securelevel +1 (in single user mode)

Page 10

Logs and Traps

Log file protection: append-only file flags on GNU/Linux

file attributes
• chattr +a <path>/file.log   (+a sets the append-only attribute; -a clears it)
• lsattr <path>/file.log

Enforcement against root users
• ?

Page 11

Logs and Traps

Append-only file flags on GNU/Linux

DEMO
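As an added example (not part of the deck) to go with the FreeBSD and GNU/Linux slides above: a Python audit that reads the output of `lsattr` or `ls -lo` and reports which log files are not append-only. The listings in it are constructed, and `audit_paths` is an assumed helper that runs the real command on a host.

```python
"""Audit append-only protection of log files from directory-listing output.

Added example (not from the slides): parses `lsattr` output (GNU/Linux) and
`ls -lo` output (FreeBSD) and reports log files that lack an append-only flag.
"""
import re
import subprocess
from typing import Dict, Iterable, List

# lsattr: attribute string, whitespace, path   e.g. "-----a--------e----- /var/log/db.log"
LSATTR_RE = re.compile(r"^(?P<attrs>[-A-Za-z]+)\s+(?P<path>.+)$")

# ls -lo: mode links owner group flags size month day time|year path
# e.g. "-rw-r-----  1 root  wheel  sappnd 40960 Oct  3 12:00 /var/log/db.log"
LS_LO_RE = re.compile(
    r"^(?P<mode>\S+)\s+\d+\s+\S+\s+\S+\s+(?P<flags>\S+)\s+\d+\s+"
    r"\S+\s+\d+\s+\S+\s+(?P<path>.+)$"
)

# Constructed sample listings (not captured from a real host).
LINUX_SAMPLE = """\
-----a--------e----- /var/log/postgresql/server.log
--------------e----- /var/log/mysql/error.log
"""
FREEBSD_SAMPLE = """\
-rw-r-----  1 root  wheel  sappnd 40960 Oct  3 12:00 /var/log/pgsql.log
-rw-r-----  1 root  wheel  - 8192 Oct  3 12:01 /var/log/mysql.log
"""


def parse_lsattr(output: str) -> Dict[str, bool]:
    """Map path -> True when the lowercase 'a' (append only) attribute is set."""
    result: Dict[str, bool] = {}
    for line in output.splitlines():
        m = LSATTR_RE.match(line.strip())
        if m:
            result[m.group("path")] = "a" in m.group("attrs")
    return result


def parse_ls_lo(output: str) -> Dict[str, bool]:
    """Map path -> True when sappnd or uappnd appears in the FreeBSD flags column."""
    result: Dict[str, bool] = {}
    for line in output.splitlines():
        m = LS_LO_RE.match(line.strip())
        if m:
            flags = set(m.group("flags").split(","))
            result[m.group("path")] = bool(flags & {"sappnd", "uappnd"})
    return result


PARSERS = {"linux": parse_lsattr, "freebsd": parse_ls_lo}


def find_unprotected(listing: str, platform: str) -> List[str]:
    """Paths in the listing that are not append-only, sorted for stable reports."""
    parsed = PARSERS[platform](listing)
    return sorted(path for path, protected in parsed.items() if not protected)


def audit_paths(paths: Iterable[str], platform: str) -> List[str]:
    """Run the real listing command on this host (assumed helper; needs lsattr or ls -lo)."""
    cmd = ["lsattr"] if platform == "linux" else ["ls", "-lo"]
    out = subprocess.run(cmd + list(paths), capture_output=True, text=True, check=True).stdout
    return find_unprotected(out, platform)


if __name__ == "__main__":
    for name, sample in (("linux", LINUX_SAMPLE), ("freebsd", FREEBSD_SAMPLE)):
        print(name, "not append-only:", find_unprotected(sample, name))
```

The parsers look for the lowercase `a` attribute on Linux and the `sappnd`/`uappnd` flags on FreeBSD. On GNU/Linux the attribute only binds processes without CAP_LINUX_IMMUTABLE, so root can clear it with `chattr -a`, which is why the slide leaves enforcement against root as an open question; on FreeBSD, `sappnd` cannot be removed while `kern.securelevel` is 1 or higher.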

Page 12

Incident & Event Management

Security Incident & Event Management:
• Inputs
  • Host-based IDS
  • Network IDS
  • Syslog, SNMP trap
  • Netflow
• Correlation (SQLi -> id, prio, metadata -> Event)
• Management software
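The correlation step on this slide, as an added example that is not part of the deck: a small Python correlator that applies SQLi detection rules to web server access-log lines, assigns each hit to an event with an id, a priority and metadata, and folds repeated hits from the same source within a five-minute window into one event. The log lines are constructed; the rule names, the scoring and the `Event` fields are my assumptions, not those of any SIEM product named in the deck.

```python
"""Correlate SQL-injection indicators in web server logs into SIEM-style events.

Added example (not from the slides): implements the "SQLi -> id, prio,
metadata -> Event" step with a small rule set and a per-source time window.
The access-log lines are constructed; the addresses are documentation ranges.
"""
import hashlib
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import unquote_plus

# Apache/nginx "combined" log format.
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Detection rules applied to the URL-decoded request path and query string.
SQLI_RULES = {
    "tautology": re.compile(r"'\s*or\s*'?\w*'?\s*=\s*'?\w*'?", re.I),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "comment_tail": re.compile(r"(--|#|/\*)\s*$"),
    "time_based": re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(", re.I),
}

# Constructed sample: one benign request, a burst of four probes from one source.
SAMPLE_LOG = [
    '198.51.100.7 - - [03/Oct/2013:14:02:11 +0200] "GET /index.php?id=3 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [03/Oct/2013:14:02:15 +0200] "GET /index.php?id=1%27%20OR%20%271%27=%271 HTTP/1.1" 500 512 "-" "Mozilla/4.0"',
    '203.0.113.5 - - [03/Oct/2013:14:02:16 +0200] "GET /index.php?id=1%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 500 512 "-" "Mozilla/4.0"',
    '203.0.113.5 - - [03/Oct/2013:14:02:18 +0200] "GET /index.php?id=1%27%20AND%20SLEEP(5)-- HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    '203.0.113.5 - - [03/Oct/2013:14:20:00 +0200] "GET /index.php?id=1%27%20OR%20%271%27=%271 HTTP/1.1" 500 512 "-" "Mozilla/4.0"',
]


@dataclass
class Event:
    id: str
    src: str
    first_seen: datetime
    last_seen: datetime
    prio: int = 1                      # 1 (low) .. 5 (high)
    hits: int = 0
    rules: Set[str] = field(default_factory=set)
    metadata: Dict[str, str] = field(default_factory=dict)


def detect(line: str) -> Optional[Tuple[datetime, str, Set[str], Dict[str, str]]]:
    """Return (timestamp, source, matched rules, metadata), or None for a benign line."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    url = unquote_plus(m.group("url"))
    matched = {name for name, rx in SQLI_RULES.items() if rx.search(url)}
    if not matched:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    meta = {"url": url, "status": m.group("status"), "ua": m.group("ua")}
    return ts, m.group("src"), matched, meta


def score(ev: Event) -> int:
    """Base 2; +1 for three or more hits, +1 if the server erred (5xx),
    +1 when a rule indicates extraction or a blind/time-based probe."""
    prio = 2
    if ev.hits >= 3:
        prio += 1
    if ev.metadata.get("status", "").startswith("5"):
        prio += 1
    if ev.rules & {"union_select", "time_based"}:
        prio += 1
    return min(prio, 5)


def correlate(lines: List[str], window: timedelta = timedelta(minutes=5)) -> List[Event]:
    """Fold hits from one source that fall within `window` of each other into one event."""
    events: List[Event] = []
    open_by_src: Dict[str, Event] = {}
    for line in lines:
        hit = detect(line)
        if hit is None:
            continue
        ts, src, rules, meta = hit
        ev = open_by_src.get(src)
        if ev is None or ts - ev.last_seen > window:
            # Deterministic event id derived from the source and the first timestamp.
            eid = hashlib.sha256(f"{src}|{ts.isoformat()}".encode()).hexdigest()[:12]
            ev = Event(id=eid, src=src, first_seen=ts, last_seen=ts)
            events.append(ev)
            open_by_src[src] = ev
        ev.hits += 1
        ev.last_seen = ts
        ev.rules |= rules
        ev.metadata = meta            # keep the most recent request as context
        ev.prio = score(ev)
    return events
```

On the sample, the burst at 14:02 becomes one event with three hits at priority 4, and the lone repeat at 14:20 (outside the window) opens a second event at priority 3. In practice the same `Event` shape would be fed by the host IDS, network IDS and syslog inputs listed on the slide, with the DB server's own error log as a second signal to confirm that a probe reached the database.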

Page 13

Incident & Event Management

Network IDS/IPS
• Check Point IPS blade
• Fortinet UTM IPS module
• Juniper Mykonos Web Gateway
• Snort IDS (FOSS)
• SourceFire (now: Cisco)

Page 14

Incident & Event Management

SIEM software
• Tripwire
• Check Point SmartEvent
• McAfee ESM
• AlienVault OSSIM (FOSS)

Page 15

Incident & Event Management

DEMO

Page 16

Incident & Event Management: SIEM links on the web

Check Point SmartEvent
• Event Correlation Software Blade: http://www.wickhill.com/products/vendors/product/412/Event-Correlation
• SmartEvent Software Blade: http://rus.checkpoint.com/products/softwareblades/smartevent.html
• Supported event sources: http://www.checkpoint.com/products/home_promo/popups/eventia_2005.html

McAfee DS SIEM / ESM
• Device support: http://www.mcafee.com/cn/resources/data-sheets/ds-siem-device-support-matrix.pdf

AlienVault OSSIM
• How to configure network monitoring in VMware ESXi: https://alienvault.bloomfire.com/series/3643
• Event Log Integration Guides: https://alienvault.bloomfire.com/series/3631
• AlienVault Data Plugins - By Vendor: https://alienvault.bloomfire.com/series/3631/posts/596580

Page 17

Operating Systems

Operating system issues
• Hardening
• Administration
  • Patch management
  • Maintenance
• Vendor support
• Userland tools

Page 18

Operating Systems: hardening (see also network ecosystem)

• Only the necessary services
• No unnecessary open ports
• Protect log files
• Application/execution control
  • GNU/Linux: AppArmor, SELinux
  • FreeBSD: MAC / Capsicum
• Tighten and monitor access

Page 19

Database implementation

• Management access
• Config files
• Tablespaces
• Authentication
• Permissions
• Role-based access control

Page 20

Database Implementation

Creating PostgreSQL users and databases

Page 21

Database Implementation

PostgreSQL users and rights

Page 22

Database Implementation

PostgreSQL config files

Page 23

Database Implementation

PostgreSQL logs

Page 24

Database Implementation: MySQL users and permissions (1)

adminos@publicwww01:~$ mysql -u root -p
...
mysql> show databases;
| information_schema |
| concrete5db01 |
| mysql |
| performance_schema |

mysql> use mysql;

mysql> select * from user;
...
| Host | User | Password | Select_priv | Insert_priv | Update_priv | Delete_priv | Create_priv | Drop_priv | Reload_priv | Shutdown_priv | Process_priv | File_priv | Grant_priv | References_priv | Index_priv | Alter_priv | Show_db_priv | Super_priv | Create_tmp_table_priv | Lock_tables_priv | Execute_priv | Repl_slave_priv | Repl_client_priv | Create_view_priv | Show_view_priv | Create_routine_priv | Alter_routine_priv | Create_user_priv | Event_priv | Trigger_priv | Create_tablespace_priv | ssl_type | ssl_cipher | x509_issuer | x509_subject | max_questions | max_updates | max_connections | max_user_connections | plugin | authentication_string |

Page 25

Database Implementation: MySQL users and permissions (2)

mysql> select Host,User,Select_priv,Alter_priv,Insert_priv from user;

+-------------------------+------------------+-------------+------------+-------------+
| Host                    | User             | Select_priv | Alter_priv | Insert_priv |
+-------------------------+------------------+-------------+------------+-------------+
| localhost               | root             | Y           | Y          | Y           |
| publicwww01.localdomain | root             | Y           | Y          | Y           |
| 127.0.0.1               | root             | Y           | Y          | Y           |
| ::1                     | root             | Y           | Y          | Y           |
| localhost               | concrete5usr     | N           | N          | N           |
| localhost               | debian-sys-maint | Y           | Y          | Y           |
| localhost               | modxusr          | N           | N          | N           |
| localhost               | modxusr03        | N           | N          | N           |
+-------------------------+------------------+-------------+------------+-------------+

Page 26

Database Implementation: MySQL users and permissions (3)

mysql> show grants;

+---------------------------------------------------------------------------------------------------+
| Grants for root@localhost                                                                         |
+---------------------------------------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED BY PASSWORD 'ABCD' WITH GRANT OPTION |
| GRANT PROXY ON ''@'' TO 'root'@'localhost' WITH GRANT OPTION                                      |
+---------------------------------------------------------------------------------------------------+
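An added example, not from the deck, that turns the two listings above into an audit: it parses the client's table output and the `show grants` lines and applies a least-privilege policy (no administrative accounts reachable over the network, no wildcard hosts, no global DDL or GRANT OPTION for application accounts). The table mirrors the slide; the `reportusr` row and the last two grant lines are constructed so that the policy has something to report.

```python
"""Audit MySQL account privileges from `mysql` client output.

Added example (not from the slides): parses the box-drawn result of
`select Host,User,... from user` and the lines of `show grants`, then
reports accounts that violate a least-privilege policy.  The sample
output mirrors the slides plus one constructed account (reportusr).
"""
import re
from typing import Dict, List

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}
ADMIN_USERS = {"root", "debian-sys-maint"}   # accounts expected to hold global rights

USER_TABLE = """\
+-------------------------+------------------+-------------+------------+-------------+
| Host                    | User             | Select_priv | Alter_priv | Insert_priv |
+-------------------------+------------------+-------------+------------+-------------+
| localhost               | root             | Y           | Y          | Y           |
| publicwww01.localdomain | root             | Y           | Y          | Y           |
| 127.0.0.1               | root             | Y           | Y          | Y           |
| ::1                     | root             | Y           | Y          | Y           |
| localhost               | concrete5usr     | N           | N          | N           |
| localhost               | debian-sys-maint | Y           | Y          | Y           |
| localhost               | modxusr          | N           | N          | N           |
| localhost               | modxusr03        | N           | N          | N           |
| %                       | reportusr        | Y           | Y          | N           |
+-------------------------+------------------+-------------+------------+-------------+
"""

GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED BY PASSWORD 'ABCD' WITH GRANT OPTION",
    "GRANT PROXY ON ''@'' TO 'root'@'localhost' WITH GRANT OPTION",
    # constructed: an over-privileged reporting account and a least-privilege application account
    "GRANT ALL PRIVILEGES ON *.* TO 'reportusr'@'%' WITH GRANT OPTION",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON concrete5db01.* TO 'concrete5usr'@'localhost'",
]

GRANT_RE = re.compile(
    r"^GRANT (?P<privs>.+?) ON (?P<scope>\S+) TO '(?P<user>[^']*)'@'(?P<host>[^']*)'(?P<rest>.*)$"
)


def parse_table(text: str) -> List[Dict[str, str]]:
    """Turn the client's '| a | b |' rows (the first one is the header) into dicts."""
    rows = [ln.strip() for ln in text.splitlines() if ln.strip().startswith("|")]
    if not rows:
        return []

    def cells(row: str) -> List[str]:
        return [c.strip() for c in row.strip("|").split("|")]

    header = cells(rows[0])
    return [dict(zip(header, cells(r))) for r in rows[1:]]


def audit_users(rows: List[Dict[str, str]]) -> List[str]:
    """Policy checks on the mysql.user rows (host scoping and global DDL rights)."""
    findings = []
    for r in rows:
        user, host = r["User"], r["Host"]
        if user == "":
            findings.append(f"anonymous account for host {host!r}")
        if host == "" or "%" in host:
            findings.append(f"{user}@{host}: wildcard host, reachable from anywhere matching it")
        if user in ADMIN_USERS and host not in LOCAL_HOSTS:
            findings.append(f"{user}@{host}: administrative account reachable over the network")
        if user not in ADMIN_USERS and r.get("Alter_priv") == "Y":
            findings.append(f"{user}@{host}: application account holds global ALTER (DDL)")
    return findings


def audit_grants(lines: List[str]) -> List[str]:
    """Policy checks on `show grants` lines (global grants, delegation, proxy)."""
    findings = []
    for line in lines:
        m = GRANT_RE.match(line)
        if not m:
            continue
        user, who = m.group("user"), f"{m.group('user')}@{m.group('host')}"
        if user not in ADMIN_USERS and "ALL PRIVILEGES" in m.group("privs") and m.group("scope") == "*.*":
            findings.append(f"{who}: ALL PRIVILEGES on *.*")
        if user not in ADMIN_USERS and "WITH GRANT OPTION" in m.group("rest"):
            findings.append(f"{who}: may delegate its privileges (GRANT OPTION)")
        if m.group("privs") == "PROXY" and m.group("scope") == "''@''":
            findings.append(f"{who}: PROXY on ''@'' (default grant; drop it if proxy users are unused)")
    return findings


if __name__ == "__main__":
    for f in audit_users(parse_table(USER_TABLE)) + audit_grants(GRANTS):
        print("FINDING:", f)
```

Run against the slide's own rows it reports root@publicwww01.localdomain, which is root permitted in over a network interface rather than only via the socket or loopback, and the default PROXY grant; the constructed `reportusr` account shows what a wildcard host and a global ALL PRIVILEGES grant look like in the report.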

Page 27

Thanks for your time!

• Questions?