20131003 pizza session db-security
Database Security
Jelmer de Reus
Utrecht, 3 October 2013
Overview
• Introduction and relevance
• Network ecosystem
• Logs and traps
• Incident & Event Management
• Operating systems
• Implementation
• PostgreSQL
• MySQL
Introduction and relevance
• Examples from security audits
• Developments in attacks
  • Automated reconnaissance
  • Blind SQLi
  • Brute force
  • Pivoting
• Developments in tools
  • Metasploit Framework
  • Fasttrack, SQLping
• Database engines evolve along with them
Network ecosystem
Overview
• Deployment in the network
• Management access
• Network services
• Logging
• Traffic analysis/IPS
Network ecosystem: deployment differences
Services
• DB server
• DB server + web server + ?
Status
• Proof-of-concept
• OTA (development/test/acceptance)
• Production
Network ecosystem: deployment issues
• Management VLAN (iDRAC/iLO)
• Production VLAN
• Private VLAN
• Demilitarized zone
• Firewalling
  • Minimal access
  • Logging on specific rules
  • IPS enabled where possible
  • Maintain and audit the rules
Network ecosystem
Management VLAN
Logs and traps
Local vs. remote logging issues
Local logging
• Log file protection
• Log file capacity/rotation
Remote issues
• Where to?
• Syslog
• SNMP trap
Logs and traps
Log file protection: append-only file flags on FreeBSD
chflags
• chflags sappnd <path>/file.log
• ls -lo <path>/file.log
Enforcement against root users
• kern.securelevel >= 1: once the securelevel is raised, the system append-only flag cannot be cleared, not even by root; it can only be lowered again by rebooting into single-user mode
Logs and traps
Log file protection: append-only file flags on GNU/Linux
file attributes
• chattr +a <path>/file.log (chattr -a clears the flag again)
• lsattr <path>/file.log
Enforcement against root users
• There is no securelevel equivalent: a root process can clear the flag with chattr -a at any time. Setting or clearing the attribute requires the CAP_LINUX_IMMUTABLE capability, so enforcement means taking that capability away from root's processes (for example by dropping it from the capability bounding set) and shipping the logs to a remote syslog host as well.
Logs and traps
Append-only file flags on GNU/Linux
DEMO
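An added example (not the deck's demo and not code from the author): a POSIX shell script that applies the append-only flag on either OS and a helper that recognises the flag in `lsattr` (Linux) or `ls -lo` (FreeBSD) output, so a log directory can be audited from cron. The output lines used for testing, the directory layout and the audit message format are constructed; setting the flag requires root and, on Linux, the CAP_LINUX_IMMUTABLE capability.

```shell
#!/bin/sh
# Added example, not from the deck: manage and audit append-only log files.
# Works on GNU/Linux (chattr/lsattr from e2fsprogs) and FreeBSD (chflags, ls -lo).
# Setting the flag needs root; on Linux the process also needs CAP_LINUX_IMMUTABLE.

# flags_have_append_only LINE
# LINE is one line of `lsattr FILE` (Linux) or `ls -lo FILE` (FreeBSD) output.
# Returns 0 when the append-only flag is present, 1 otherwise.
flags_have_append_only() {
    printf '%s\n' "$1" | awk '
        # Linux lsattr: "-----a--------e----- /path/file.log"; lowercase a = append only
        NF == 2 && $1 ~ /^[-A-Za-z]+$/ && $1 ~ /a/   { found = 1 }
        # FreeBSD ls -lo: flags are the 5th field, "-" or a list such as "schg,sappnd"
        NF >= 9 && ("," $5 ",") ~ /,[su]appnd,/       { found = 1 }
        END { exit found ? 0 : 1 }'
}

# make_append_only FILE: set the flag (system-level on FreeBSD so securelevel enforces it)
make_append_only() {
    case $(uname -s) in
        Linux)   chattr +a "$1" ;;
        FreeBSD) chflags sappnd "$1" ;;
        *)       echo "unsupported OS: $(uname -s)" >&2; return 1 ;;
    esac
}

# show_flags FILE: print the line that flags_have_append_only understands
show_flags() {
    case $(uname -s) in
        Linux)   lsattr "$1" ;;
        FreeBSD) ls -lo "$1" ;;
    esac
}

# audit_log_dir DIR: list *.log files that are NOT append-only, exit 1 if any (cron-friendly)
audit_log_dir() {
    rc=0
    for f in "$1"/*.log; do
        [ -f "$f" ] || continue
        if ! flags_have_append_only "$(show_flags "$f")"; then
            echo "NOT append-only: $f"
            rc=1
        fi
    done
    return $rc
}

# Usage (as root): sh append_only.sh /var/log/postgresql/postgresql.log
if [ $# -eq 1 ]; then
    make_append_only "$1"
    show_flags "$1"
    echo "append test" >> "$1" && echo "append: ok"      # O_APPEND writes still work
    if : > "$1" 2>/dev/null; then                          # O_TRUNC must be refused
        echo "WARNING: $1 could still be truncated, the flag is not enforced" >&2
    else
        echo "truncate: denied (as intended)"
    fi
fi
```

Log rotation conflicts with the flag: an append-only file can neither be truncated nor renamed, so logrotate fails on it. Either rotate by writing to a new, date-stamped file or clear and re-apply the flag inside the rotation script; in both cases the remote syslog copy is what you fall back on.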
Incident & Event Management
Security Incident & Event Management:
• Inputs
  • Host-based IDS
  • Network IDS
  • Syslog, SNMP trap
  • NetFlow
• Correlation (SQLi -> id, prio, metadata -> event)
• Management software
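The correlation step above (SQLi -> id, prio, metadata -> event) as an added example, not part of the deck and not any vendor's logic: a shell pipeline that groups web-server requests carrying SQLi signatures per client and per minute, corroborates them with PostgreSQL statement errors in the same minute, and emits prioritised events. The access-log and PostgreSQL log lines are constructed, the signature list, thresholds and event format are assumptions, and both logs are assumed to use the same local time.

```shell
#!/bin/sh
# Added example, not from the deck: a minimal SIEM-style correlation of two log sources.
# Log lines, thresholds and the EVENT format are constructed for this example.

WEBLOG=$(mktemp); PGLOG=$(mktemp)
trap 'rm -f "$WEBLOG" "$PGLOG"' EXIT

# Constructed Apache combined-style access log
cat > "$WEBLOG" <<'EOF'
10.0.0.5 - - [03/Oct/2013:20:15:01 +0200] "GET /index.php?id=1%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 500 0
10.0.0.5 - - [03/Oct/2013:20:15:02 +0200] "GET /index.php?id=1%27%20OR%201=1-- HTTP/1.1" 200 2048
10.0.0.5 - - [03/Oct/2013:20:15:03 +0200] "GET /index.php?id=1%27%20UNION%20SELECT%20version(),2,3-- HTTP/1.1" 500 0
192.0.2.10 - - [03/Oct/2013:20:15:05 +0200] "GET /index.php?id=7 HTTP/1.1" 200 2048
198.51.100.8 - - [03/Oct/2013:20:31:10 +0200] "GET /index.php?id=1%20UNION%20SELECT%201 HTTP/1.1" 200 2048
EOF

# Constructed PostgreSQL log (log_line_prefix = '%t ')
cat > "$PGLOG" <<'EOF'
2013-10-03 20:15:01 CEST ERROR:  syntax error at or near "UNION" at character 45
2013-10-03 20:15:03 CEST ERROR:  unterminated quoted string at or near "'" at character 50
2013-10-03 20:15:03 CEST STATEMENT:  SELECT * FROM pages WHERE id = 1' UNION SELECT version(),2,3--
2013-10-03 20:40:00 CEST LOG:  checkpoint complete
EOF

# correlate_sqli WEBLOG PGLOG: one EVENT line per (client, minute), highest priority first
correlate_sqli() {
    awk -v q="'" '
    # pass 1, PostgreSQL log: count statement errors per minute, key "YYYY-MM-DDTHH:MM"
    FNR == NR {
        if ($0 ~ /ERROR:  (syntax error|unterminated quoted string)/)
            dberr[$1 "T" substr($2, 1, 5)]++
        next
    }
    # pass 2, access log: undo the usual %XX escapes in the request path, match signatures
    {
        req = $7
        gsub(/%27/, q, req); gsub(/%20|\+/, " ", req); gsub(/%2[dD]/, "-", req)
        sig = "union +select|" q " *or +1 *= *1|sleep\\(|benchmark\\("
        if (tolower(req) !~ sig) next
        split(substr($4, 2), t, /[\/:]/)      # [03/Oct/2013:20:15:01 -> dd Mon yyyy HH MM SS
        mon = (index("JanFebMarAprMayJunJulAugSepOctNovDec", t[2]) + 2) / 3
        hits[$1 SUBSEP sprintf("%s-%02d-%sT%s:%s", t[3], mon, t[1], t[4], t[5])]++
    }
    END {
        for (k in hits) {
            split(k, p, SUBSEP); ip = p[1]; win = p[2]
            w = hits[k]; d = dberr[win] + 0
            sev = (w >= 10) ? 3 : (w >= 3) ? 2 : 1      # volume alone: low / medium / high
            if (d > 0 && sev < 3) sev++                 # DB errors in the same minute corroborate
            printf "%d %s %s %d %d\n", sev, ip, win, w, d
        }
    }' "$2" "$1" |
    sort -k1,1nr -k2,2 |
    awk '{ printf "EVENT id=%d rule=sqli prio=%s src=%s window=%s web_hits=%d db_errors=%d\n",
                  NR, ($1 == 3 ? "high" : $1 == 2 ? "medium" : "low"), $2, $3, $4, $5 }'
}

correlate_sqli "$WEBLOG" "$PGLOG"
```

The point of the second source is the priority change: the three hits from 10.0.0.5 would be a medium event on their own, but two parse errors from the database in the same minute mean the payload reached the engine, so the event is raised to high. The single hit from 198.51.100.8 stays low because the database saw nothing. A real deployment needs log_line_prefix with %h and %u on the PostgreSQL side to attribute the errors to a connection instead of a time window.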
Incident & Event Management
Network IDS/IPS
• Check Point IPS blade
• Fortinet UTM IPS module
• Juniper Mykonos Web Gateway
• Snort IDS (FOSS)
• Sourcefire (now Cisco)
Incident & Event Management
SIEM software
• Tripwire
• Check Point SmartEvent
• McAfee ESM
• AlienVault OSSIM (FOSS)
Incident & Event Management
DEMO
Incident & Event Management: SIEM links on the web
Check Point SmartEvent
• Event Correlation Software Blade: http://www.wickhill.com/products/vendors/product/412/Event-Correlation
• SmartEvent Software Blade: http://rus.checkpoint.com/products/softwareblades/smartevent.html
• Supported event sources: http://www.checkpoint.com/products/home_promo/popups/eventia_2005.html
McAfee SIEM / ESM
• Device support (data sheet): http://www.mcafee.com/cn/resources/data-sheets/ds-siem-device-support-matrix.pdf
AlienVault OSSIM
• How to configure network monitoring in VMware ESXi: https://alienvault.bloomfire.com/series/3643
• Event Log Integration Guides: https://alienvault.bloomfire.com/series/3631
• AlienVault Data Plugins - By Vendor: https://alienvault.bloomfire.com/series/3631/posts/596580
Operating Systems
Operating system issues
• Hardening
• Administration
  • Patch management
  • Maintenance
• Vendor support
• Userland tools
Operating Systems: hardening (see also the network ecosystem)
• Only the services that are needed
• No unnecessary open ports
• Protect the log files
• Application/execution control
  • GNU/Linux: AppArmor, SELinux
  • FreeBSD: MAC / Capsicum
• Tighten and monitor access
Database implementation
• Management access
• Config files
• Tablespaces
• Authentication
• Permissions
• Role-based access control
Database implementation
PostgreSQL: creating users and databases
Database implementation
PostgreSQL: users and privileges
Database implementation
PostgreSQL config files
Database implementation
PostgreSQL logs
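For the two preceding slides (PostgreSQL config files and PostgreSQL logs), an added example that is not from the deck: a shell script that audits a pg_hba.conf for unauthenticated, cleartext or world-reachable rules, and a postgresql.conf for network exposure and for the logging settings that decide whether a SIEM can use the log at all. Both configuration files are constructed samples with typical mistakes; the FINDING line format is an assumption.

```shell
#!/bin/sh
# Added example, not from the deck: audit the PostgreSQL files that decide who may connect,
# from where, with which authentication, and what ends up in the log.
# Both files below are constructed samples; the FINDING format is an assumption.

PG_HBA=$(mktemp); PG_CONF=$(mktemp)
trap 'rm -f "$PG_HBA" "$PG_CONF"' EXIT

cat > "$PG_HBA" <<'EOF'
# TYPE  DATABASE        USER            ADDRESS                 METHOD
local   all             postgres                                peer
local   all             all                                     trust
host    concrete5db01   concrete5usr    10.0.1.20/32            md5
host    all             all             0.0.0.0/0               md5
host    all             all             192.168.1.0/24          password
hostssl modxdb          modxusr         10.0.1.0/24             md5
EOF

cat > "$PG_CONF" <<'EOF'
listen_addresses = '*'          # every interface, including the management VLAN
port = 5432
#log_connections = off          # commented out: the default (off) applies
log_disconnections = on
log_line_prefix = '%t [%p] '    # no client host (%h) or user (%u) in the prefix
log_destination = 'stderr'      # nothing goes to syslog
EOF

# audit_pg_hba FILE: one FINDING per rule that is unauthenticated, cleartext or open to the world
audit_pg_hba() {
    awk '
    /^[ \t]*#/ || NF == 0 { next }                       # comments and blank lines
    {
        type = $1; db = $2; user = $3
        if (type == "local") { addr = "(socket)"; method = $4 }   # "local" lines have no ADDRESS column
        else                 { addr = $4;         method = $5 }
        who = type " " user "@" db " from " addr
        if (method == "trust")
            printf "FINDING trust line=%d %s: no authentication at all\n", NR, who
        if (method == "password")
            printf "FINDING cleartext line=%d %s: password travels unencrypted\n", NR, who
        if ((addr == "0.0.0.0/0" || addr == "::/0") && method != "reject")
            printf "FINDING exposure line=%d %s: reachable from any address\n", NR, who
    }' "$1"
}

# audit_pg_logging FILE: parse "name = value" lines; commented-out settings keep their defaults
audit_pg_logging() {
    awk -v q="'" '
    /^[ \t]*#/ || NF == 0 { next }
    {
        sub(/[ \t]*#.*$/, "")                            # strip trailing comment
        n = index($0, "=")
        name = substr($0, 1, n - 1); val = substr($0, n + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", name)
        gsub(/^[ \t]+|[ \t]+$/, "", val); gsub(q, "", val)   # drop surrounding quotes
        conf[name] = val
    }
    END {
        if (conf["listen_addresses"] == "*")
            print "FINDING exposure listen_addresses=*: bind only the address the application tier uses"
        if (conf["log_connections"] != "on")
            print "FINDING logging log_connections is off: logins are not recorded"
        if (conf["log_disconnections"] != "on")
            print "FINDING logging log_disconnections is off"
        if (conf["log_line_prefix"] !~ /%h/ || conf["log_line_prefix"] !~ /%u/)
            print "FINDING logging log_line_prefix lacks %h and/or %u: events cannot be tied to a client and user"
        if (conf["log_destination"] !~ /syslog/)
            print "FINDING logging log_destination without syslog: nothing reaches a remote log host"
    }' "$1"
}

audit_pg_hba "$PG_HBA"
audit_pg_logging "$PG_CONF"
```

The `trust` line is the classic one: any local OS user becomes any database user without a password. The `0.0.0.0/0` line is what turns a blind SQLi on the web tier into a direct database connection from anywhere the firewall lets through, which is why the deployment slides insist on a private VLAN and minimal firewall rules.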
Database implementation: MySQL users and permissions (1)
adminos@publicwww01:~$ mysql -u root -p
...
mysql> show databases;
| information_schema |
| concrete5db01      |
| mysql              |
| performance_schema |
mysql> use mysql;
mysql> select * from user;
...
| Host | User | Password | Select_priv | Insert_priv | Update_priv | Delete_priv | Create_priv | Drop_priv | Reload_priv | Shutdown_priv | Process_priv | File_priv | Grant_priv | References_priv | Index_priv | Alter_priv | Show_db_priv | Super_priv | Create_tmp_table_priv | Lock_tables_priv | Execute_priv | Repl_slave_priv | Repl_client_priv | Create_view_priv | Show_view_priv | Create_routine_priv | Alter_routine_priv | Create_user_priv | Event_priv | Trigger_priv | Create_tablespace_priv | ssl_type | ssl_cipher | x509_issuer | x509_subject | max_questions | max_updates | max_connections | max_user_connections | plugin | authentication_string |
Database implementation: MySQL users and permissions (2)
mysql> select Host,User,Select_priv,Alter_priv,Insert_priv from user;
+-------------------------+------------------+-------------+------------+-------------+
| Host                    | User             | Select_priv | Alter_priv | Insert_priv |
+-------------------------+------------------+-------------+------------+-------------+
| localhost               | root             | Y           | Y          | Y           |
| publicwww01.localdomain | root             | Y           | Y          | Y           |
| 127.0.0.1               | root             | Y           | Y          | Y           |
| ::1                     | root             | Y           | Y          | Y           |
| localhost               | concrete5usr     | N           | N          | N           |
| localhost               | debian-sys-maint | Y           | Y          | Y           |
| localhost               | modxusr          | N           | N          | N           |
| localhost               | modxusr03        | N           | N          | N           |
+-------------------------+------------------+-------------+------------+-------------+
Database implementation: MySQL users and permissions (3)
mysql> show grants;
+---------------------------------------------------------------------------------------------------+
| Grants for root@localhost                                                                         |
+---------------------------------------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED BY PASSWORD 'ABCD' WITH GRANT OPTION |
| GRANT PROXY ON ''@'' TO 'root'@'localhost' WITH GRANT OPTION                                      |
+---------------------------------------------------------------------------------------------------+
(password hash replaced by 'ABCD')
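The tables above are read by eye: root reachable under four host values, a maintenance account with every privilege, application accounts with nothing. An added example, not from the deck and not MySQL's own tooling: a shell script that applies the same reading to the batch output of one query and prints a finding per questionable account. The account rows are constructed to mirror the slide plus two extra accounts (a wildcard host and an anonymous user), every hash is replaced by a placeholder, and the FINDING format is an assumption. On MySQL 5.7 and later the column to select is authentication_string instead of Password.

```shell
#!/bin/sh
# Added example, not from the deck: audit mysql.user the way the slide reads it by hand.
# Input is the tab-separated batch output of
#   mysql -B -e "SELECT Host,User,Password,Super_priv,Grant_priv,File_priv FROM mysql.user"
# (MySQL 5.5/5.6; from 5.7 on the column is authentication_string).
# The rows below are constructed: the accounts from the slide plus two extra ones;
# every hash is replaced by a placeholder.

USERS=$(mktemp)
trap 'rm -f "$USERS"' EXIT
printf '%s\t%s\t%s\t%s\t%s\t%s\n' \
    Host                    User             Password       Super_priv Grant_priv File_priv \
    localhost               root             '*REDACTED'    Y Y Y \
    publicwww01.localdomain root             '*REDACTED'    Y Y Y \
    127.0.0.1               root             '*REDACTED'    Y Y Y \
    ::1                     root             '*REDACTED'    Y Y Y \
    localhost               concrete5usr     '*REDACTED'    N N N \
    localhost               debian-sys-maint '*REDACTED'    Y Y Y \
    localhost               modxusr          '*REDACTED'    N N N \
    localhost               modxusr03        ''             N N N \
    %                       reports          '*REDACTED'    N N N \
    localhost               ''               ''             N N N \
    > "$USERS"

# audit_mysql_users < TSV: one FINDING per account that an audit would question
audit_mysql_users() {
    awk -F'\t' -v q="'" '
    NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }       # header row from mysql -B
    {
        host = $(col["Host"]); user = $(col["User"]); pw = $(col["Password"])
        admin = ($(col["Super_priv"]) == "Y" || $(col["Grant_priv"]) == "Y" || $(col["File_priv"]) == "Y")
        local = (host == "localhost" || host == "127.0.0.1" || host == "::1")
        acct  = q user q "@" q host q
        if (user == "") { printf "FINDING anonymous %s: anonymous account, drop it\n", acct; next }
        if (pw == "")
            printf "FINDING no-password %s: empty password\n", acct
        if (index(host, "%"))
            printf "FINDING wildcard-host %s: host pattern admits many clients\n", acct
        if (admin && !local)
            printf "FINDING remote-admin %s: SUPER/GRANT/FILE privileges usable over the network\n", acct
    }'
}

audit_mysql_users < "$USERS"
```

The remediation for each finding is a single statement: DROP USER for the anonymous account and for 'root'@'publicwww01.localdomain' (root from the web server's own hostname is a full-privilege path for any SQLi that reaches the database), SET PASSWORD for the empty one, and a narrower host value instead of '%'. FILE_priv is singled out because LOAD DATA INFILE and SELECT ... INTO OUTFILE turn a database account into file read/write on the server.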
Thank you for your time!
• Questions?