3 Planning a Secure Environment

Security practices should be in place before the arrival of Oracle Exadata Database Machine.

After arrival, the security practices should be periodically reviewed and adjusted to stay current with the security requirements of your organization.

3.1 Considerations for a Secure Environment

Oracle Exadata Database Machine includes many layered security controls that can be tailored to meet an organization's specific policies and requirements.

Organizations must evaluate how to best utilize these capabilities and integrate them into their existing IT security architecture. Effective IT security must consider the people, processes, and technology in order to provide solid risk management and governance practices. Practices and policies should be designed and reviewed during the planning, installation, and deployment stages of Oracle Exadata Database Machine.

While many of the features integrated into Oracle Exadata Database Machine are configured by default for secure deployment, organizations have their own security configuration standards. It is important to review Oracle security information before testing any security setting changes to Oracle Exadata Database Machine components. In particular, it is important to identify where existing standards can be improved, and where support issues may limit what changes can be made to a given component.

Note:

To minimize the attack surface, Oracle Exadata Storage Servers do not support customization outside of their management interfaces. No custom users are permitted on the storage servers. The servers have been optimized and hardened for their specific purpose.

3.1.1 Identity and Access Management Considerations

A unified approach should be used when integrating Oracle Exadata Database Machine components and deployed services with your organization's existing identity and access management architecture.

Oracle Database supports many open and standard protocols that allow it to be integrated with existing identity and access management deployments. Because application availability then depends on them, unified identity and access management systems must themselves be highly available; otherwise, the availability of Oracle Exadata Database Machine may be compromised.

Before Oracle Exadata Database Machine arrives, the following security considerations should be discussed. These considerations are based on Oracle best practices for Oracle Exadata Database Machine.

  • The ability to directly log in to common operating system accounts such as root, grid and oracle should be disabled. Individual user accounts should be created for each administrator. After logging in with their individual account, the administrator can use sudo to run privileged commands, when required.

  • The use of host-based intrusion detection and prevention systems for increased visibility within Oracle Exadata Database Machine. By using the fine-grained auditing capabilities of Oracle Database, host-based systems have a greater likelihood of detecting inappropriate actions and unauthorized activity.

  • The use of centralized audit and log repositories to aggregate the security-relevant information for improved correlation, analysis, and reporting. Oracle Exadata Storage Servers support this through the CELL attribute syslogConf. The database servers support centralized logging using the typical system configuration methods.

  • The use of encryption features such as transparent data encryption (TDE) and Oracle Recovery Manager (RMAN) encryption for backups.

The security of the data and system is diminished by weak user access and password security. Oracle recommends the following guidelines to maximize your user security:

  • Create separate software owner accounts for Oracle Grid Infrastructure and Oracle Database software installations. These accounts should be used when deploying Oracle Exadata Database Machine. A separate software owner for Oracle Grid Infrastructure and Oracle Database software installations is required for implementing DB-scoped security.

  • Implement a user password policy that enforces password complexity beyond the minimum requirements.

  • Implement password aging and account locking. Starting with Oracle Exadata System Software release 19.1.0, you can use DBSERVER and CELL attributes to configure the following account security features:

    • A user's password expires after a specified number of days. The default user password expiration time is 0, which means passwords do not expire.

    • A user gets a warning message when logging in for a specified number of days before their password expires. The default user account password expiration warning time is 7 days.

    • The user is prompted to change their password when logging in within a specified number of days after their password expires. If the remotePwdChangeAllowed attribute on the server indicates that a service request is not required to change the password, then the user can change the password immediately. Otherwise, the user must contact the server administrator to have their password changed.

    • A user account is locked a specified number of days after the password expires. The default user account lock time is 7 days. After the account is locked, the user must contact the server administrator to have the account unlocked.
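The four rules above (expiration, warning window, post-expiry change, lock) combine into a small account-lifecycle model. The following Python is an added example written for this page, not Oracle Exadata System Software code: the policy defaults follow the text (expiration 0 meaning the password never expires, 7 days of warning, lock 7 days after expiry), the field remote_pwd_change_allowed stands in for the remotePwdChangeAllowed attribute, and every other class and field name is this example's own.

```python
"""Account-state model for the password-aging rules described above.

Added example, not Oracle's code. Defaults follow the text: expiration 0
(never expires), 7 days of warning, lock 7 days after expiry. The field
remote_pwd_change_allowed mirrors the remotePwdChangeAllowed attribute;
all other names are this example's assumptions.
"""
from dataclasses import dataclass
from enum import Enum


class AccountState(Enum):
    ACTIVE = "active"                                 # password valid, no warning yet
    WARNING = "warning"                               # valid, expiry warning shown at login
    EXPIRED_CHANGE_NOW = "expired"                    # expired, user may change it at login
    EXPIRED_CONTACT_ADMIN = "expired-contact-admin"   # expired, service request / admin needed
    LOCKED = "locked"                                 # lock window passed, admin must unlock


@dataclass(frozen=True)
class PasswordPolicy:
    expiration_days: int = 0             # 0 means passwords never expire (page default)
    warning_days: int = 7                # warning shown this many days before expiry
    lock_days_after_expiry: int = 7      # account locked this many days after expiry
    remote_pwd_change_allowed: bool = False  # stand-in for remotePwdChangeAllowed


def account_state(days_since_change: int, policy: PasswordPolicy) -> AccountState:
    """Classify an account from the age of its password and the policy in force."""
    if days_since_change < 0:
        raise ValueError("password age cannot be negative")
    if policy.expiration_days == 0:
        # Expiration disabled: the warning and lock timers never start.
        return AccountState.ACTIVE
    days_until_expiry = policy.expiration_days - days_since_change
    if days_until_expiry > policy.warning_days:
        return AccountState.ACTIVE
    if days_until_expiry > 0:
        return AccountState.WARNING
    days_past_expiry = -days_until_expiry
    if days_past_expiry >= policy.lock_days_after_expiry:
        return AccountState.LOCKED
    # Expired but not yet locked: who may change the password depends on the server attribute.
    if policy.remote_pwd_change_allowed:
        return AccountState.EXPIRED_CHANGE_NOW
    return AccountState.EXPIRED_CONTACT_ADMIN


def lifecycle_report(policy: PasswordPolicy, horizon_days: int):
    """Return [(day, state)] for each day on which the state changes; handy for reviewing a policy."""
    transitions = []
    previous = None
    for day in range(horizon_days + 1):
        state = account_state(day, policy)
        if state is not previous:
            transitions.append((day, state))
            previous = state
    return transitions


if __name__ == "__main__":
    # A 60-day expiration with the page's default warning and lock windows.
    policy = PasswordPolicy(expiration_days=60)
    for day, state in lifecycle_report(policy, 70):
        print(f"day {day:3d}: {state.value}")
```

With a 60-day expiration the report shows the warning beginning on day 53, expiry on day 60 and the lock on day 67; with the default expiration of 0 the account stays active indefinitely, which is why the text recommends setting a non-zero value.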

3.1.2 Network Security Considerations

Before Oracle Exadata Database Machine arrives at your location, network security considerations should be discussed.

The following considerations are based on Oracle best practices for Oracle Exadata Database Machine.

  • The use of intrusion prevention systems on database servers to monitor network traffic flowing to and from Oracle Exadata Database Machine. Such systems enable the identification of suspicious communications, potential attack patterns, and unauthorized access attempts.

  • The use of application and network-layer firewalls to protect information flowing to and from Oracle Exadata Database Machine. Filtering network ports provides the first line of defense in preventing unauthorized access to systems and services.

    Network-level segmentation using Ethernet virtual local area networks (VLANs) and host-based firewalls enforce inbound and outbound network policy at the host level. Using segmentation allows fine-grained control of communications between components of Oracle Exadata Database Machine. Oracle Exadata Storage Servers include a configured software firewall by default. The database servers can be configured with a software firewall.

  • The use of encryption features such as Oracle Advanced Security to encrypt traffic to Oracle Data Guard standby databases.

The security of the data and system is diminished by weak network security. Oracle recommends the following guidelines to maximize your Ethernet network security:

  • Configure administrative and operational services to use encryption protocols and key lengths that align with current policies. Cryptographic services provided by Oracle Exadata Database Machine benefit from hardware acceleration, which improves security without impacting performance.

  • Manage and separate switches in Oracle Exadata Database Machine from data traffic on the network. This separation is also referred to as "out-of-band."

  • Separate sensitive clusters from the rest of the network by using virtual local area networks (VLANs). This decreases the likelihood that users can gain access to information on these clients and servers.

  • Use a static VLAN configuration.

  • Disable unused switch ports, and assign them an unused VLAN number.

  • Assign a unique native VLAN number to trunk ports.

  • Limit the VLANs that can be transported over a trunk to only those that are strictly required.

  • Disable VLAN Trunking Protocol (VTP), if possible. If it is not possible, then set the management domain, password and pruning for VTP. In addition, set VTP to transparent mode.

  • Disable unnecessary network services, such as TCP small servers or HTTP. Enable only necessary network services, and configure these services securely.

  • Network switches offer different levels of port security features. Use these port security features if they are available:

    • Lock the Media Access Control (MAC) address of one or more connected devices to a physical port on a switch. If a switch port is locked to a particular MAC address, then super users cannot create back doors into the network with rogue access points.

    • Disable a specified MAC address from connecting to a switch.

    • Use each switch port's direct connections so the switch can set security based on its current connections.

Network Diagrams

Figure 3-1 shows the default network for Oracle Exadata Database Machine X7-2 and X8-2. Each Oracle Exadata Database Machine requires a minimum of two Ethernet networks and one InfiniBand network.

Figure 3-1 Network for Oracle Exadata Database Machine X7-2 and X8-2 with Bonded Client Access


Figure 3-2 shows the default network for Oracle Exadata Database Machine X6-2, X5-2, X4-2, X3-2, and X2-2. Each Oracle Exadata Database Machine requires a minimum of two Ethernet networks and one InfiniBand network.

Figure 3-2 Network for Oracle Exadata Database Machine X6-2, X5-2, X4-2, X3-2, and X2-2 with Bonded Client Access


Figure 3-3 shows the default network for Oracle Exadata Database Machine X6-8, X5-8, and X4-8 Full Rack. Each Oracle Exadata Database Machine requires a minimum of two Ethernet networks and one InfiniBand network.

Figure 3-3 Network for Oracle Exadata Database Machine X6-8, X5-8, and X4-8 Full Rack with Bonded Client Access


Figure 3-4 shows the default network for Oracle Exadata Database Machine X3-8 Full Rack, and Oracle Exadata Database Machine X2-8 Full Rack. Each Oracle Exadata Database Machine requires a minimum of two Ethernet networks and one InfiniBand network.

Figure 3-4 Network Diagram for Oracle Exadata Database Machine X3-8 Full Rack, and Oracle Exadata Database Machine X2-8 Full Rack with Bonded Client Access


3.2 Understanding the Default Security Settings

Oracle Exadata System Software is installed with many default security settings.

Whenever possible and practical, secure default settings should be chosen and configured. The following default settings are used in Oracle Exadata Database Machine:

  • A minimal software installation to reduce attack surface.

  • Oracle Database secure settings developed and implemented using Oracle best practices.

  • A password policy that enforces a minimum password complexity.

  • A set number of failed login attempts causes an account lockout.

  • All default system accounts in the operating system are locked and prohibited from logging in.

  • Limited ability to use the su command.

  • Password-protected boot loader installation.

  • All unnecessary system services are disabled, including the Internet service daemon (inetd/xinetd).

  • Software firewall configured on the storage cells.

  • Restrictive file permissions on key security-related configuration files and executable files.

  • SSH listen ports restricted to management and private networks.

  • SSH limited to v2 protocol.

  • Disabled insecure SSH authentication mechanisms.

  • Configured specific cryptographic ciphers.

  • Unnecessary protocols and modules are disabled from the operating system kernel.

3.3 Understanding User Accounts

Several user accounts are used to manage the components of Oracle Exadata Database Machine.

In addition to the root user, Oracle Exadata Storage Servers have two users, celladmin and cellmonitor. The celladmin user is used to run all services on the cell. The cellmonitor user is used for monitoring purposes. The cellmonitor user cannot run services on the cell. Other Oracle Exadata Database Machine components have users for the management of the component.

Note:

After Oracle Exadata Database Machine has been deployed, the installation process disables all root SSH keys and expires all user passwords as a security measure for your system. If you do not want the SSH keys disabled or the passwords expired, advise the installation engineer before the deployment.

Starting with Oracle Exadata System Software release 19.1.0, two new users are created, to improve security of specific actions. The cellofl user runs query offload processes on the storage servers as a non-root user. The exawatch user is responsible for collecting and archiving system statistics on both the database servers and the storage servers.

The following table lists the default users and passwords for the Oracle Exadata Database Machine components. All default passwords should be changed after installation of Oracle Exadata Database Machine. Refer to My Oracle Support note 1291766.1 for information about changing the default user accounts passwords.

Table 3-1 Default Users and Passwords

User Name and password | User type | Component
root/welcome1 | Operating system user | Oracle Exadata Database Servers; Oracle Exadata Storage Servers; InfiniBand switches; Database server ILOMs; Oracle Exadata Storage Server ILOMs; InfiniBand ILOMs
oracle/We1come$ | Operating system user | Oracle Exadata Database Servers
grid/We1come$ (this user exists only if role separation is chosen during deployment) | Operating system user | Oracle Exadata Database Servers
celladmin/welcome | Operating system user | Oracle Exadata Storage Servers
CELLDIAG/Welcome12345 (see note 1) | Oracle Exadata System Software user | Oracle Exadata Storage Servers
cellmonitor/welcome | Operating system user | Oracle Exadata Storage Servers
cellofl (release 18.2 and later), no logon privileges | Operating system user | Oracle Exadata Storage Servers
dbmadmin/welcome | Operating system user | Oracle Exadata Database Servers
dbmmonitor/welcome | Operating system user | Oracle Exadata Database Servers
exawatch (release 18.2 and later), no logon privileges | Operating system user | Oracle Exadata Database Servers; Oracle Exadata Storage Servers
SYS/We1come$ | Oracle Database user | Oracle Exadata Database Servers
SYSTEM/We1come$ | Oracle Database user | Oracle Exadata Database Servers
grub boot loader password: sos1Exadata | Operating system user | Oracle Exadata Database Servers; Oracle Exadata Storage Servers
nm2user/changeme | Firmware user | InfiniBand switches
ilom-admin/ilom-admin | ILOM user | InfiniBand switches
ilom-operator/ilom-operator | ILOM user | InfiniBand switches
admin/welcome1 (see note 2) | Firmware user | Ethernet switches
admin/welcome1 (see note 3) | Firmware user | Power distribution units (PDUs); Keyboard, video, mouse (KVM)
MSUser (see note 4) | ILOM user | Database server ILOMs; Oracle Exadata Storage Server ILOMs

Notes on Table 3-1:

1. The password of the CELLDIAG user is reset to a random password during the "Apply Security Fixes" step of Oracle Exadata Deployment Assistant (OEDA).

2. You should secure the enable mode password and secret values for the admin user on the Ethernet switches.

3. The password for the admin user is adm1n if you reset the PDU to factory default settings.

4. Management Server (MS) uses the MSUser account to manage ILOM and reset it if it detects a hang. The MSUser password is not persisted anywhere. Each time MS starts up, it deletes the previous MSUser account and re-creates the account with a randomly generated password. Do not modify this account. This account is to be used by MS only.

3.4 Default Password Requirements

Oracle Exadata Deployment Assistant (OEDA) implements a default password policy on Oracle Exadata Database Machine.

The last step of OEDA, "Secure Oracle Exadata Database Machine", implements the following password requirements:

  • Dictionary words are not valid or accepted.
  • Character classes for passwords are uppercase letters, lowercase letters, digits, and special characters.
  • Passwords must contain characters from all four character classes. Passwords using only one, two, or three character classes are not allowed.
  • The minimum length of a password is eight characters.
  • Pass-phrases are allowed. A pass-phrase should contain at least three words, be 16 to 40 characters in length, and contain different character classes.
  • A new password cannot be similar to old passwords. There must be at least eight characters in the new password that were not present in the old password.
  • A maximum of three consecutive characters of the same value can be used in a password.
  • A maximum of four consecutive characters of the same character class can be used in a password. For example, abcde1#6B cannot be used as a password because it uses five consecutive lowercase letters.
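The following Python applies the rules in this list to a candidate password and reports every rule it breaks. It is an added example, not OEDA's own implementation. It makes three assumptions the page leaves open: a tiny constructed word list stands in for a real dictionary; "contain different character classes" for a pass-phrase is read as at least two classes; and the "at least eight characters not present in the old password" rule is counted per character position of the new password. The page does not say whether the consecutive-class limit is relaxed for pass-phrases, so the checker applies it as written.

```python
"""Password-policy checker for the OEDA rules listed above.

Added example, not OEDA code. DICTIONARY_WORDS is a constructed stand-in
for a real dictionary (OEDA's actual word list is not on the page); the
pass-phrase and "new characters" interpretations are this example's own.
"""

# Constructed stand-in for a real dictionary; a production check would use a full word list.
DICTIONARY_WORDS = {"welcome", "password", "oracle", "exadata"}

MIN_LENGTH = 8
MAX_SAME_CHAR_RUN = 3      # "a maximum of three consecutive characters of the same value"
MAX_SAME_CLASS_RUN = 4     # "a maximum of four consecutive characters of the same character class"
MIN_NEW_CHARS = 8          # "at least eight characters ... not present in the old password"
PASSPHRASE_MIN_WORDS, PASSPHRASE_LENGTH = 3, range(16, 41)   # 16 to 40 characters inclusive


def char_class(c: str) -> str:
    """Map a character to one of the four classes the policy defines."""
    if c.isupper():
        return "upper"
    if c.islower():
        return "lower"
    if c.isdigit():
        return "digit"
    return "special"


def longest_run(seq) -> int:
    """Length of the longest run of adjacent equal items (1 for a single item, 0 for empty)."""
    best = run = 1 if seq else 0
    for prev, cur in zip(seq, seq[1:]):
        run = run + 1 if cur == prev else 1
        best = max(best, run)
    return best


def check_password(new: str, old: str = "") -> list:
    """Return a list of violated rules; an empty list means the password is acceptable."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if new.lower() in DICTIONARY_WORDS:
        problems.append("dictionary word")

    classes = [char_class(c) for c in new]
    # Pass-phrase path (assumption: "different character classes" means at least two).
    is_passphrase = (len(new) in PASSPHRASE_LENGTH
                     and len(new.split()) >= PASSPHRASE_MIN_WORDS
                     and len(set(classes)) >= 2)
    if len(set(classes)) < 4 and not is_passphrase:
        problems.append("must use all four character classes")

    if longest_run(new) > MAX_SAME_CHAR_RUN:
        problems.append("more than 3 consecutive identical characters")
    if longest_run(classes) > MAX_SAME_CLASS_RUN:
        problems.append("more than 4 consecutive characters of one class")

    if old:
        # Assumption: count positions in the new password whose character never occurs in the old one.
        old_chars = set(old)
        if sum(1 for c in new if c not in old_chars) < MIN_NEW_CHARS:
            problems.append("fewer than 8 characters differ from old password")
    return problems


def is_acceptable(new: str, old: str = "") -> bool:
    return not check_password(new, old)


if __name__ == "__main__":
    # The page's own counter-example plus a few constructed candidates.
    for candidate in ["abcde1#6B", "Xk7#pQ2!", "blue sky and rain!", "welcome"]:
        print(f"{candidate!r}: {check_password(candidate) or 'ok'}")
```

Running the block reports abcde1#6B as the page describes (five consecutive lowercase letters), accepts an 18-character four-word pass-phrase that uses only two classes, and rejects welcome on length, dictionary, class-mix and class-run grounds at once; a single failing rule is enough, but listing all of them helps when writing user-facing guidance.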

3.5 Default Security Settings Enacted by OEDA

Oracle Exadata Deployment Assistant (OEDA) includes a step to increase hardware security on Oracle Exadata Database Machine.

The last step of OEDA, "Secure Oracle Exadata Database Machine", implements the following security policies:

  • For all newly created operating system users on the database servers and storage servers, the following password-aging values are set:
    • The maximum number of days for a password is 90 days. Starting with Oracle Exadata System Software release 19.1.0, this value has been reduced to 60 days.
    • The minimum amount of time between password changes is 24 hours.
    • The number of days of alerts before a password change is seven days.
    • All non-root users must change their password at their next login.
  • An operating system user account is temporarily locked for 10 minutes after one failed login attempt.
  • An operating system user account is locked after five failed attempts.
  • A login session will terminate after 14400 seconds of no input.
  • An SSH session will terminate after 7200 seconds of inactivity.
  • For the root user, SSH equivalency is removed for all database servers and Oracle Exadata Storage Servers.

  • The following permissions are set by OEDA:

    • The Automatic Diagnostic Repository (ADR) base directory, $ADR_BASE, has SUID (Set owner User ID) on the diag directory and its sub-directories.
    • The celladmin user group has read and write permissions on the $ADR_BASE.
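A post-deployment check that the password-aging values OEDA sets (above) are actually in force is useful after patching or manual changes. The following Python is an added example, not part of OEDA or Oracle Exadata System Software: it parses a constructed /etc/login.defs fragment and constructed `chage -l` output and compares them with the values the section states (90 days, or 60 days from release 19.1.0; 24 hours between changes, expressed as 1 day; 7 days of warning; password change at next login for non-root users). Mapping those policies onto the PASS_MAX_DAYS, PASS_MIN_DAYS and PASS_WARN_AGE keys and the chage fields is this example's assumption; the page names only the values.

```python
"""Audit helper for the OEDA password-aging values listed above.

Added example, not OEDA code. The file fragment and command output below
are constructed samples, and mapping the page's values onto login.defs
keys and `chage -l` fields is this example's assumption.
"""
import re

# Constructed /etc/login.defs fragment (not a real Exadata file).
LOGIN_DEFS = """# constructed sample
PASS_MAX_DAYS   90
PASS_MIN_DAYS   1
PASS_WARN_AGE   7
"""

# Constructed `chage -l oracle` output: the user was forced to change the password at next login.
CHAGE_OUTPUT = """Last password change                                    : password must be changed
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 1
Maximum number of days between password change          : 90
Number of days of warning before password expires       : 7
"""


def expected_max_days(release: str) -> int:
    """90 days before Oracle Exadata System Software 19.1.0, 60 days from 19.1.0 onward."""
    parts = tuple(int(p) for p in release.split("."))
    parts = (parts + (0, 0, 0))[:3]          # pad so "19.1" compares as (19, 1, 0)
    return 60 if parts >= (19, 1, 0) else 90


def parse_login_defs(text: str) -> dict:
    """Extract PASS_* integer settings, ignoring comments and unrelated keys."""
    values = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"(PASS_\w+)\s+(\d+)$", line)
        if m:
            values[m.group(1)] = int(m.group(2))
    return values


def parse_chage(text: str) -> dict:
    """Turn `chage -l` output into a {label: value} mapping."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        label, _, value = line.partition(":")
        fields[label.strip()] = value.strip()
    return fields


def audit(login_defs_text: str, chage_text: str, release: str, user: str = "oracle") -> list:
    """Return a list of findings; an empty list means the settings match the OEDA values."""
    findings = []
    expected = {"PASS_MAX_DAYS": expected_max_days(release),
                "PASS_MIN_DAYS": 1,          # 24 hours between changes
                "PASS_WARN_AGE": 7}
    defs = parse_login_defs(login_defs_text)
    for key, want in expected.items():
        got = defs.get(key)
        if got != want:
            findings.append(f"login.defs {key}={got}, expected {want}")

    chage = parse_chage(chage_text)
    per_user = {
        "Maximum number of days between password change": expected["PASS_MAX_DAYS"],
        "Minimum number of days between password change": 1,
        "Number of days of warning before password expires": 7,
    }
    for label, want in per_user.items():
        got = chage.get(label)
        if got is None or not got.isdigit() or int(got) != want:
            findings.append(f"{user}: {label} = {got}, expected {want}")
    if user != "root" and chage.get("Last password change") != "password must be changed":
        findings.append(f"{user}: password change at next login not enforced")
    return findings


if __name__ == "__main__":
    for release in ("18.1.0", "19.1.0"):
        print(release, audit(LOGIN_DEFS, CHAGE_OUTPUT, release) or "compliant")
```

Run against a real host, replace the constructed strings with the contents of /etc/login.defs and the output of `chage -l <user>` for each non-root account; the sample passes for a pre-19.1.0 release and reports both the system-wide and the per-user maximum when the 60-day value applies.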