OpenDLP can be updated to support Oracle databases, so that a PCI DSS process looking for credit card numbers and passwords can cover Oracle in addition to Windows and Unix file systems.
OpenDLP is an excellent tool for looking for credit card numbers as part of a PCI DSS scoping process, or looking for passwords and other sensitive data during a penetration test. It can search Windows and Unix file systems and databases. At the time of writing this blog entry, OpenDLP does not have support for Oracle, only MySQL and Microsoft SQL Server. If you want Oracle support in OpenDLP, please check the OpenDLP website first to see if it has been added (https://code.google.com/p/opendlp/); otherwise, read on!
I needed a tool to search Oracle databases for credit card numbers, which was part of helping a client with PCI DSS scoping. Additionally, providing the client with a good discovery tool would help them to comply with the annual requirement to verify the accuracy of the PCI DSS scope. OpenDLP is free and open source, and, while there are commercial tools out there, the client was looking at all options. OpenDLP is easy to get up and running if you download the VirtualBox VM, and it has a web interface.
Adding Oracle support required installing the Oracle Instant Client, installing DBD Oracle for Perl, and updating some of the OpenDLP Perl scripts. The updated OpenDLP files are available for download as a zip file (opendlp_0_4_4_oracle_update.zip).
This is a step by step guide to getting and updating OpenDLP.
Get the OpenDLP Virtual Machine
Download the VirtualBox VM from OpenDLP (version 0.4.4):
https://code.google.com/p/opendlp/
Get the VM running and then check that the website is working at https://localhost/OpenDLP/index.html. To make it easier, I disabled the SSL certificate requirement in /etc/apache2/sites-available/default-ssl.
Install Oracle Instant Client
As root (“sudo su -”), update the existing packages and install three required packages:
apt-get update
apt-get upgrade
apt-get install libaio1 alien zip
Download the Oracle Instant Client RPMs for Linux x86 from Oracle. You need the basic and SDK (devel) packages; the SQL*Plus package is for testing that the client works.
https://www.oracle.com/technetwork/topics/linuxsoft-082809.html
Then run alien with “-i” to generate and install Debian packages from the RPMs:
alien -i oracle-instantclient11.2-basic-11.2.0.3.0-1.i386.rpm
alien -i oracle-instantclient11.2-devel-11.2.0.3.0-1.i386.rpm
alien -i oracle-instantclient11.2-sqlplus-11.2.0.3.0-1.i386.rpm
Create the file “/etc/profile.d/oracle.sh” with the Oracle environment variables:
export ORACLE_HOME=/usr/lib/oracle/11.2/client
export PATH=$PATH:$ORACLE_HOME/bin
export LD_LIBRARY_PATH=$ORACLE_HOME/lib
Open a new shell to set the environment variables, and test the Oracle Instant Client with SQL*Plus:
sqlplus username/password@host/instance
Install DBD Oracle for Perl
Run these commands to get the DBD Oracle source package:
perl -MCPAN -e shell
get DBD::Oracle
quit
Find the folder where DBD Oracle source is downloaded (e.g. /home/opendlp/.cpan/build/DBD-Oracle-1.44-BPFWro/), and run these commands to build it. The first command seems to create a shell that you have to exit.
perl Makefile.PL
make
make install
Test DBD Oracle with this script. If it prints nothing, it has connected fine.
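#!/usr/bin/perl
use strict;
use warnings;
use DBI;
# Connect through the Instant Client; stop with the Oracle error if it fails.
my $dbh = DBI->connect("dbi:Oracle://host/instance", 'username', 'password')
    or die "Connection failed: $DBI::errstr\n";
$dbh->disconnect;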
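A preflight check for the two install steps above, as an added example that is not part of the original post or of OpenDLP. The function names are hypothetical, and it assumes the client library is named libclntsh.so* as shipped in the Instant Client basic package.

```shell
#!/bin/sh
# Added example: verify the Instant Client and DBD::Oracle setup before scanning.
# Function names are hypothetical; they are not part of OpenDLP.

# check_oracle_client [ORACLE_HOME]
# Prints one line per problem and returns the number of problems found.
check_oracle_client() {
    home="${1:-${ORACLE_HOME:-}}"
    problems=0
    fail() { echo "FAIL: $1"; problems=$((problems + 1)); }

    if [ -z "$home" ]; then
        echo "FAIL: ORACLE_HOME is not set (is the oracle.sh profile script sourced?)"
        return 1
    fi
    [ -d "$home" ] || fail "ORACLE_HOME '$home' is not a directory"

    # DBD::Oracle links against the OCI client library from the basic package.
    ls "$home"/lib/libclntsh.so* >/dev/null 2>&1 \
        || fail "no libclntsh.so* in $home/lib (basic package missing?)"

    [ -x "$home/bin/sqlplus" ] \
        || fail "$home/bin/sqlplus is not executable (sqlplus package missing?)"

    # The dynamic loader only finds the client library via LD_LIBRARY_PATH.
    case ":${LD_LIBRARY_PATH:-}:" in
        *":$home/lib:"*) ;;
        *) fail "LD_LIBRARY_PATH does not contain $home/lib" ;;
    esac
    case ":${PATH}:" in
        *":$home/bin:"*) ;;
        *) fail "PATH does not contain $home/bin" ;;
    esac
    return "$problems"
}

# check_dbd_oracle: succeeds only if Perl can load the driver built above.
check_dbd_oracle() {
    perl -MDBD::Oracle -e 'print "DBD::Oracle $DBD::Oracle::VERSION\n"'
}
```

Source the file in a new shell and run check_oracle_client followed by check_dbd_oracle; no output from the first and a version line from the second mean both steps are in place.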
Update OpenDLP to Support Oracle
You need to download the updated Perl script files: opendlp_0_4_4_oracle_update.zip. Then extract them, make them executable, and move them to the correct directories:
chmod +x db.pl
chmod +x *.html
mv db.pl /var/www/OpenDLP/bin/
mv *.html /var/www/OpenDLP/web/bin/
You should now be able to search Oracle databases for credit cards and passwords. The target format for the scan is “///”, for example “//192.168.1.123/orcl”.