The easiest and most successful database compromises often involve taking the data from areas where it is held unsecured, rather than attacking the production database directly.
The point is that the data and the database are rarely confined to a single production machine and a single database. There are usually several development databases, system test, integration test and UAT databases, and many kinds of backup. Archived redo logs (ARCHIVELOG mode), online redo logs and export files are covered later in the section on exports, redo logs and control files. Then there are the backups themselves, written to tape or to disk.
Types of Oracle backup
There are three main sorts of backup: exports, hot backups and cold backups.
Exports: The Oracle tool exp extracts data from the database into an operating-system file. The file format is proprietary and is discussed in the section on exports, redo logs and control files. The companion tool imp loads the data back into the same database or another one. Exports can be partial or full. A full export includes the password hashes, written as CREATE USER ... IDENTIFIED BY VALUES statements in the dump file. If the aim is to steal application data, an export of the application owner's schema will suffice. The same applies to Data Pump dump files produced by expdp on 10g and later.
Cold Backups: A cold backup is a straight copy of the datafiles, control files and online redo logs made with ordinary Unix tools (cp, tar, cpio, dd and so on), written to disk or to tape. The database must be completely shut down while the copy is taken so that the files are consistent.
Hot Backups: Hot backups are taken on high-availability systems where the database cannot be shut down. The database must be in ARCHIVELOG mode for hot backups to be possible, but a database being in ARCHIVELOG mode does not by itself mean that hot backups are taken. Establishing that takes a little more digging.
To check whether a database is in ARCHIVELOG mode, issue the following query in sqlplus (it returns ARCHIVELOG or NOARCHIVELOG):
SQL> show user
USER is "DBSNMP"
SQL> select log_mode from v$database;
Finding out whether a database is backed up hot or cold requires more investigation. Search the machine for backup scripts containing ALTER TABLESPACE [TABLESPACE NAME] BEGIN BACKUP (or, on 10g and later, ALTER DATABASE BEGIN BACKUP). Check the oracle user's cron jobs for backup jobs, take process listings throughout the day to see whether any recognisable backup software (RMAN, a tape agent) is running, and look for its log files. Check what backup software is installed with pkginfo -l on Solaris (rpm -qa on Linux). Tablespace status can be checked with the query below. Note that a tablespace in hot-backup mode stays ONLINE, so this query only reveals backups that take a tablespace OFFLINE first; datafiles that are currently in hot-backup mode show STATUS = 'ACTIVE' in v$backup instead:
SQL> select tablespace_name,status from dba_tablespaces;
Checking for a cold backup is easier: check cron again, check process listings to see whether the database is regularly shut down, then look for backup software running while it is down. If the Oracle alert log can be read, the instance's stop and start times are clearly visible when scrolling through it (it records "Shutting down instance" and "Starting ORACLE instance" entries, each preceded by a timestamp line), and the BEGIN BACKUP statements issued by a hot backup are logged there as well. Whatever the backup type, try to determine where and when the files are written and, more importantly, whether they can be taken and read.
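The investigation described in the hot- and cold-backup paragraphs above, put into a small POSIX shell script as an added example (it is not part of the original article). The scripts directory, crontab and alert-log fragment it builds with make_sample_host are constructed samples so the checks can be exercised offline; db_backup_state assumes a reachable instance and a connect string such as dbsnmp/<password>@<SID>, and is not called by the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): host-side checks for how an
# Oracle database is backed up. The sample scripts directory, crontab and
# alert log built by make_sample_host are constructed for the demonstration.

# Files under the given paths that contain hot-backup SQL, i.e.
# "ALTER TABLESPACE <name> BEGIN BACKUP" or "ALTER DATABASE BEGIN BACKUP".
find_hot_backup_scripts() {
    grep -rilE 'alter[[:space:]]+(tablespace[[:space:]]+[^[:space:]]+|database)[[:space:]]+begin[[:space:]]+backup' "$@" 2>/dev/null
}

# Heuristic: non-comment crontab lines that mention export, RMAN or backup
# tools. Feed it "crontab -l" output saved to a file, or the spool file
# itself (for example /var/spool/cron/crontabs/oracle on Solaris).
cron_backup_jobs() {
    grep -vE '^[[:space:]]*#' "$1" | grep -iE 'exp|rman|backup|tar |cpio|dump'
}

# Instance stop/start events from an alert log, each with the timestamp
# Oracle writes on the preceding line. Regular pairs point to a cold-backup
# window.
instance_stop_start_times() {
    awk '/Shutting down instance|Starting ORACLE instance/ { print prev " -> " $0 }
         { prev = $0 }' "$1"
}

# Hot backups leave a trace in the same log: the BEGIN BACKUP statements the
# backup script issues are recorded there.
count_hot_backups_in_alert_log() {
    grep -ciE '^alter (tablespace|database) .*begin backup' "$1"
}

# Ask the instance itself (assumes sqlplus and a connect string such as
# dbsnmp/<password>@<SID>; not run by the demonstration below). Datafiles
# currently in hot-backup mode have STATUS = 'ACTIVE' in V$BACKUP, and
# V$BACKUP_SET is populated when RMAN has backed the database up.
db_backup_state() {
    sqlplus -S "$1" <<'SQL'
SET PAGESIZE 100 LINESIZE 120
SELECT log_mode FROM v$database;
SELECT file#, status, time FROM v$backup WHERE status = 'ACTIVE';
SELECT COUNT(*) AS rman_backup_sets FROM v$backup_set;
EXIT
SQL
}

# Constructed sample host: a backup script, the oracle user's crontab and a
# fragment of an alert log in a temporary directory whose path is printed.
make_sample_host() {
    sample_dir=$(mktemp -d)
    mkdir -p "$sample_dir/scripts" "$sample_dir/trace"
    cat > "$sample_dir/scripts/hot_backup.sh" <<'EOF'
#!/bin/sh
sqlplus -S / as sysdba <<SQL
ALTER TABLESPACE USERS BEGIN BACKUP;
SQL
cp /u01/oradata/PROD/users01.dbf /backup/users01.dbf
EOF
    cat > "$sample_dir/crontab.oracle" <<'EOF'
# oracle crontab (constructed sample)
0 1 * * * /home/oracle/scripts/hot_backup.sh > /tmp/hot.log 2>&1
30 2 * * 0 /u01/app/oracle/product/bin/exp system/manager full=y file=/backup/full.dmp
15 3 * * * /usr/bin/find /tmp -mtime +7 -delete
EOF
    cat > "$sample_dir/trace/alert_PROD.log" <<'EOF'
Sun Mar 10 02:00:01 2024
Shutting down instance (immediate)
Sun Mar 10 02:10:44 2024
Starting ORACLE instance (normal)
Mon Mar 11 01:00:02 2024
alter tablespace USERS begin backup
Mon Mar 11 01:00:02 2024
Completed: alter tablespace USERS begin backup
Mon Mar 11 01:04:10 2024
alter tablespace USERS end backup
EOF
    echo "$sample_dir"
}

# Demonstration against the constructed host (touches no real database).
SAMPLE=$(make_sample_host)
echo "== scripts containing BEGIN BACKUP"
find_hot_backup_scripts "$SAMPLE/scripts"
echo "== crontab entries that look like backup jobs"
cron_backup_jobs "$SAMPLE/crontab.oracle"
echo "== instance stop/start times from the alert log"
instance_stop_start_times "$SAMPLE/trace/alert_PROD.log"
echo "== hot backups recorded in the alert log: $(count_hot_backups_in_alert_log "$SAMPLE/trace/alert_PROD.log")"
rm -rf "$SAMPLE"
```

On a real host, point find_hot_backup_scripts at the oracle user's home, $ORACLE_HOME and any scripts directories, and instance_stop_start_times at the alert log under the background dump destination. The crontab match is deliberately loose; read the lines it returns rather than trusting the count, since the interesting ones (like the exp job above) also tend to carry the credentials and the destination path of the dump file.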