Musang – Oracle DB Security Testing – v1.8

Musang is a Docker-packaged Python/Django project for authenticated security-testing scans of Oracle Database, whether on-premise or in cloud SaaS, PaaS or IaaS stacks.

The last update of Musang (1.4) was in 2013! So this latest update (1.8) brings Musang into the modern age of old software by introducing support for 12c databases – after all, I’m sure there are lots who upgraded from 9g. Right?

No, but seriously: Oracle Database 12c introduces the concept of Containers and Pluggable Databases (PDBs). It also stores password hashes in a dramatically different way (the mighty Pete Finnegan explains these hashes so I don’t have to). The user doesn’t have to lose sleep worrying about such things – Musang auto-detects the Database version and selects the corresponding library of tests. However, the connection string passed to the Database has to use the right SID, of course – do you want to connect to a container or to a PDB?

Other major changes centred around Python 2.x going EOL – and with it the shift to Django 2.x.

An account privileges dump (for non-SYS, non-SYSTEM users) has also been added, and the output links each account to its account status (locked, expired, open, etc.) – see below …

A rundown of the major changes…

  • Now covers 12c.
  • For the connection test, when Musang detects 12c it dumps the configuration of containers and pluggable databases – if you connect to the container instance, you see a very different output in some tests – notably the password hashes.
  • To get hashes for SYS and SYSTEM you need to connect to the container, as SYS and “as SYSDBA”. Musang now has the classic “as SYSDBA” option.
  • Added a privileges dump for non-SYS and non-SYSTEM DBAs – see the screen dump above.
  • Phased out django-dajaxice and replaced those calls with native AJAX – basically Dajaxice is terrible and was not maintained for years.
  • A few other changes related to 12c and lots related to the above upgrades.
  • Celery is now 4.2.1.
  • Multiple other changes related to stability and 12c intricacies.
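As an added illustration of the two 12c points above (the container/PDB configuration check, and the privileges dump tied to account status), here are example queries of the kind such a scan runs. These are constructed for this post, not Musang's own code, and assume a 12c connection with SELECT access to the DBA_* and V$ views.

```sql
-- Constructed example queries (not Musang's own code).
-- Assumes a 12c session with SELECT on the DBA_* and V$ views.

-- 1. Where am I connected? CDB root vs. a PDB changes what later queries
--    (notably anything touching password hashes) will show.
SELECT d.name                                AS db_name,
       d.cdb                                 AS is_container_db,
       SYS_CONTEXT('USERENV', 'CON_NAME')    AS current_container,
       SYS_CONTEXT('USERENV', 'CON_ID')      AS current_con_id
  FROM v$database d;

-- 2. Pluggable databases visible from this container
--    (only the root container sees all of them).
SELECT con_id, name, open_mode, restricted
  FROM v$pdbs
 ORDER BY con_id;

-- 3. Privileges dump for non-SYS/non-SYSTEM accounts, one row per grant,
--    with the account status attached so a privileged-but-LOCKED account
--    reads differently from an OPEN one. LEFT JOIN keeps accounts that
--    hold no grants at all, so every account still appears with its status.
SELECT u.username,
       u.account_status,
       u.lock_date,
       u.expiry_date,
       g.grant_kind,
       g.grant_name,
       g.admin_option
  FROM dba_users u
  LEFT JOIN (
        SELECT grantee, 'ROLE' AS grant_kind, granted_role AS grant_name, admin_option
          FROM dba_role_privs
        UNION ALL
        SELECT grantee, 'SYSPRIV', privilege, admin_option
          FROM dba_sys_privs
       ) g
    ON g.grantee = u.username
 WHERE u.username NOT IN ('SYS', 'SYSTEM')
   AND u.oracle_maintained = 'N'   -- 12c-only column: drop this line on 11g
 ORDER BY u.username, g.grant_kind, g.grant_name;
```

Run the third query from the root container and it reports only root-level accounts; connect to a PDB (or use the CDB_USERS/CDB_ROLE_PRIVS views from root) to see that PDB's accounts.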
