Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Comments are enabled on this blog again"] [Next entry: "Oracle Database Vault is certified with PeopleSoft"]

Detecting rootkits

I saw a nice paper at the weekend titled "Thoughts about cross-view based rootkit detection" that discusses detecting rootkits by using low level access routines to compare a low level view of the file system with a high level view. I immediatly thought about the Oracle equivalent. If someone installed an Oracle rootkit in a database and for instance hid a hackers user account by modifying dictionary views such as DBA_USERS then you would check for this user by comparing the number of users in SYS.USER$ with those in DBA_USERS or more likely doing set arithmatic to check for differences. This would be a direct analogy of this Windows based paper. An other technique is to create a "clean" database and to checksum everything in the database, objects, views, tables, code etc and to then store the checksums and use them to compare future checks against.

will the world of rootkits transfer to Oracle databases at some point soon and will we need to create similar tools to check for and remove rootkits from Oracle databases?