Re: Exadata and anti-virus
- From: Mladen Gogala <gogala.mladen@xxxxxxxxx>
- To: oracle-l@xxxxxxxxxxxxx
- Date: Mon, 25 Mar 2019 19:34:40 -0400
On 3/25/19 12:17 PM, Brad Peek (Redacted sender brad_peek for DMARC) wrote:
> Listers -- Looking for feedback regarding installing anti-virus
> software on Exadata compute nodes. MOS Doc ID 1935746.1 says “Anti
> Virus software is allowed, but it is not necessarily needed or
> recommended”. I’ve used Exadata since X2 and have not installed AV
> on it or seen much mention of it.
> I would like to get some feedback before deciding where I stand on this.
> Have you installed it?
> If yes, specifically what did you install?
> Any issues or advice?
> Thanks -- Brad Peek
Hi Brad,
How do you envision a situation in which Exadata can get infected?
Exadata is, in its essence, a database server which communicates with
the outer world using Oracle*Net. This is particularly true for the
latest version of Exadata, x7-2 which no longer has hardware based
database nodes, but has OVM based virtual machines instead. If a virtual
machine somehow gets infected, you can simply drop it and create a new
one. Viruses usually modify an existing executable, like
$ORACLE_HOME/bin/sqlplus, and replace it with a version which contains
malicious code. First, common users do not have write access to anything
in the $ORACLE_BASE directory, which of course includes $ORACLE_HOME.
User "bpeek" will not be able to modify $ORACLE_HOME/bin/sqlplus file.
This is a part of the broader question of viruses on Linux. Yes, it is
true, there are some. However, all of them require that at some point a
user with sufficient privilege executes malicious code. That means two
things:
1. Somebody must copy the infected file to one of the Exadata database nodes
2. Somebody must execute it.
Exadata should only communicate with the external world using
Oracle*Net, usually on port 1521. Only the administrator should have
access to the interactive login to Exadata. And the administrator should
only copy patches and new versions downloaded directly from Oracle Corp.
Nothing else should go there. There should be no email server, no ftp
server and no web server. I am aware of the fact that Oracle RDBMS
contains web server, which needs to be enabled for APEX. I would cut
that off by the means of firewall, preferably an external one, and not
use APEX on Exadata database nodes. Exadata is a very expensive and
very fast data warehouse machine and should be used accordingly. In a
situation like that, it's completely unfathomable that Exadata would get
infected. However, contrary to what you've heard about "database that
administers itself", I would still strongly advise hiring a competent
DBA or entrusting administration to some of the proven remote DBA
heavyweights like Pythian. Self-administering database, code name
Skynet, functions only on the marketing level. In practice, you will
still need a DBA. Databases are getting more complex and Skynet is not
yet around. I'll be back (with strong Austrian accent).
Regards
--
Mladen Gogala
Database Consultant
Tel: (347) 321-1217
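
The reply above rests on ordinary accounts having no write access under $ORACLE_HOME. As an added example that is not part of the original post, this shell function lists the paths under a directory where that assumption fails; the function name `audit_home` and the three categories it reports are choices made for this example.

```shell
#!/bin/sh
# Added example: report paths under a software home that someone other
# than the owning account could modify or replace.
# Usage: audit_home DIR      e.g. audit_home "$ORACLE_HOME"

audit_home() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "audit_home: not a directory: $dir" >&2
        return 2
    fi

    # 1. Regular files with the "other" write bit set: any local account
    #    can overwrite them in place.
    find "$dir" -type f -perm -0002 -print 2>/dev/null |
        sed 's/^/world-writable file: /'

    # 2. Directories writable by "other" without the sticky bit: a file
    #    inside can be renamed away and replaced even when the file
    #    itself is read-only.
    find "$dir" -type d -perm -0002 ! -perm -1000 -print 2>/dev/null |
        sed 's/^/world-writable dir: /'

    # 3. Executables (owner execute bit set) that are also group-writable:
    #    every member of the file's group can change the binary.
    find "$dir" -type f -perm -0120 ! -perm -0002 -print 2>/dev/null |
        sed 's/^/group-writable executable: /'

    return 0
}

# Run directly when a directory is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_home "$1"
fi
```

An empty result means none of the three conditions was found; it says nothing about accounts that hold write access through ownership or ACLs.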