Purpose

FCBGuard software provides the ability to prevent unauthorised AS SYSDBA login to a database. This is implemented via mandatory USB security key/token/card (call it any way you like it) login. In order to successfully perform an AS SYSDBA login, database administrator must have a properly configured and database-registered USB security key. Without such a key, any attempt to log in will result in a process kill. The main purpose of the above is to prohibit the root user from, being oracle, connecting to the database.

pre-FCBGuard epoch 🙂

# whoami
root
# su - oracle
# sqlplus "/ as sysdba"

Do you consider the situation above is normal? From a security perspective, I’d say it’s hardly normal. From the other side, there are only a few doubtful well known ways to prevent it:

  • Database administrator takes full responsibility of system administrator. This way contradicts the “separation of duties” principle.
  • Use threads. Starting with Oracle Database 12c, the multithreaded Oracle model allows Oracle processes on UNIX and Linux to run as operating system threads in separate address spaces. When the THREADED_EXECUTION initialization parameter is set to TRUE, which enables the multithreaded Oracle model, operating system authentication is not supported. Attempts to connect to the database using operating system authentication (for example, CONNECT / AS SYSDBA or CONNECT / ) when this initialization parameter is set to TRUE results in an ORA-01031 “insufficient privileges” error. Can anyone share info what benefits can be gained by using THREADED_EXECUTION=true?

How it works

So, if to leave for root what belongs to root and not to touch THREADED_EXECUTION, the FCBGuard software has been created in order to:

  • fail any unauthorized AS SYSDBA database connection attempts
[oracle@databasehost ~]$ sqlplus / as sysdba

SQL*Plus: Release 19.0.0.0.0 - Production on Fri Feb 10 17:22:57 2023
...
Broadcast message from oracle@databasehost (Wed Feb 15 11:17:05 2023):

Unauthorized SYSDBA login attempt detected to dbname@databasehost

Killed

[oracle@databasehost]$

  • authentify a “real” DBA using a USB security key and to allow to connect AS SYSDBA to a database

[oracle@databasehost sql]$ sqlplus sysproxy/sysproxy @${DATA_PUMP_DIR}/fcbguard.sql   << file is auto generated on logon

SQL*Plus: Release 19.0.0.0.0 - Production on Fri Feb 10 18:03:29 2023 
...
dba@host-where-USB-security-token-is-present's password:       << here a SSH connection is established to

Using reader with a card: Yubico YubiKey OTP+FIDO+CCID 00 00   << USB security token is detected
PKCS#15 Card [Oracle login as SYSDBA]:
        Version        : 0
        Serial number  : 534xdsdfsdc9asdfasdf
        Manufacturer ID: piv_II
        Flags          :

Logging in to "Oracle login as SYSDBA"
Please enter User PIN:                                          << a correct PIN code is expected
Using decrypt algorithm RSA-PKCS
Sdf34rsdfee23423
Connection to host-where-USB-security-token-is-present closed
847

FCBGuard v.21.12.701
(c) 2023 Olexandr Siroklyn. All rights reserved.

Connected.
USER is "SYS"

SQL>

Requirements

  • A UNIX host where free OpenSC software is installed, fully functional and your USB security key can be operated in read-only mode by the OpenSC software.
  • That UNIX host must be available via SSH.
  • A USB security key. Taglio PIVKey T600, Feitian ePass2003 and Yubikey 5c have been tested successfully. Yubikey is the best choice if you don’t mind the price.
  • The USB security key must be proper configured, i.e. x509 certificate is generated and stored, and, therefore, public and private keys are present as well.
  • A UNIX based Oracle database. On-premise or cloud installed database. Any edition and any version (12c and higher) where Java subsystem is available.

Restrictions

A free version of the FCBGuard software is available for download and has the following limitations:

  • Only one USB security key can be active and used during connect, i.e. only one AS SYSDBA person can be connected locally. No restrictions for AS SYSDBA remote connections.
  • Reaching initial nomount, mount, upgrade and open database stages are possible without presence of a USB security key
  • The current downloadable free version of the software has limited capabilities when installed on a multi-tenant database.

License

FCBGuard is a free, partially closed software. You can use it in any way you like preserving copyright notice.

What’s new

  • Dec 1, 2024
    • The current non-free version of the software is successfully tested on an Oracle 23ai multi-tenant database. The current downloadable free version of the software can be installed and successfully run on Oracle 23ai and lower database versions.
  • Mar 5, 2023.
    • v. 21.12.723 released. Minor fixes.
  • Feb 28, 2023.
    • Initial v. 21.12.721 released

Download

  • version: 21.12.723, size: 535 KBytes, md5: d7bf3ca5c38b0b0e9a9a372b1928ccec

Last, but not least

If USB security token is lost or broken it’s not a fatal event, because remote, via listener, AS SYSDBA login remains always available.

P.S.

If you think that it would be good for you to have more FCBGuard features, please feel free to contact me.