
RES: Oracle Security Best Practices

From: <SSILVA9_at_BKB.com.br>
Date: Thu, 07 Aug 2003 09:44:24 -0800
Message-ID: <F001.005C97C2.20030807094424@fatcity.com>


Tim,

Thank you for the reply. We created this AFTER LOGON trigger. It's working very well.

We are having problems creating the objects and granting the access. We figured out that our problem is granting the access, because we intended to use the DBA's login, but we can't, because the only one that can grant access to the object is the owner, correct?

Do you know how to implement an environment that allows logon only from a specific machine/IP for a given login?

How do you (as DBA) create objects and grant their permissions? With the owner's login?

Thank you,

Sandro Augusto da Silva
Technology Services & Support
NLA Technology Services
Phone: +55 11 3398-8438
Fax: +55 11 3398-7522

-----Original Message-----
From: Tim Gorman [mailto:tim_at_sagelogix.com]
Sent: Thursday, 7 August 2003 12:25
To: Multiple recipients of list ORACLE-L
Subject: Re: Oracle Security Best Practices

Sandro,

There is an excellent book on "Oracle Security" available online from "http://www.sans.org". Concise, organized, and prioritized. Also, Newman and Theriault's "Oracle Security Handbook" from Oracle Press is chock full of common sense...

Not sure what the question about "automating the migration of stored procedures" refers to. Could you provide more information? I don't think I understand the problem...

Storing password files on the database server is mainly an exercise in ensuring that OS security and file permissions are properly implemented. If you cannot ensure that OS files are properly secured, then the entire Oracle database is at risk, not to mention files containing clear-text passwords. After all, one can view data within datafiles using programs other than the Oracle RDBMS...

The idea of creating production schemas/logins to separate object ownership from application/end-user access is excellent. To avoid using synonyms, consider the functionality of the "ALTER SESSION SET CURRENT_SCHEMA = <ownership-schema>" command being executed in an AFTER LOGON trigger in all accounts used for end-user access. It is a little-known but wonderfully manageable bit of functionality...

Hope this helps...

-Tim
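The following is an added example, not code from either message in this thread. It combines Tim's CURRENT_SCHEMA-in-an-AFTER-LOGON-trigger suggestion with Sandro's question about allowing a given login only from a specific machine/IP, in one database-level trigger. The schema, account and address values (APPOWNER, APPUSER, BATCHUSER, 10.1.2.3) are assumptions chosen for illustration.

```sql
-- Added example (not from the thread): one AFTER LOGON trigger that
-- (1) points an application account at the object-owning schema, so no
--     synonyms or owner prefixes are needed, and
-- (2) refuses sessions for a batch account unless they arrive from one
--     allowed client address.
-- APPOWNER, APPUSER, BATCHUSER and 10.1.2.3 are assumed names/values.
CREATE OR REPLACE TRIGGER sec_after_logon
  AFTER LOGON ON DATABASE
DECLARE
  v_user  VARCHAR2(30) := SYS_CONTEXT('USERENV', 'SESSION_USER');
  v_ip    VARCHAR2(64) := SYS_CONTEXT('USERENV', 'IP_ADDRESS');
  v_host  VARCHAR2(64) := SYS_CONTEXT('USERENV', 'HOST');
BEGIN
  -- (1) End-user account: resolve unqualified object names in APPOWNER.
  --     CURRENT_SCHEMA changes name resolution only; it grants nothing,
  --     so APPUSER still needs explicit GRANTs on APPOWNER's objects.
  IF v_user = 'APPUSER' THEN
    EXECUTE IMMEDIATE 'ALTER SESSION SET CURRENT_SCHEMA = APPOWNER';
  END IF;

  -- (2) Batch account that may only connect from one known machine.
  --     IP_ADDRESS is NULL for local (bequeath) connections, so those
  --     are refused as well unless listed explicitly.
  IF v_user = 'BATCHUSER'
     AND NVL(v_ip, 'local') NOT IN ('10.1.2.3') THEN
    RAISE_APPLICATION_ERROR(-20001,
      'Logon for ' || v_user || ' refused from ' || NVL(v_host, '?')
      || ' (' || NVL(v_ip, 'local') || ')');
  END IF;
END;
/
```

Accounts holding the ADMINISTER DATABASE TRIGGER privilege (SYS among them) still log on when this trigger raises an error, so it constrains application accounts, not the DBA. The address checked is the one the database sees, so a connection through an application server or proxy presents that middle tier's address rather than the end user's.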

on 8/7/03 5:44 AM, SSILVA9_at_BKB.com.br at SSILVA9_at_BKB.com.br wrote:

Can anybody help me in finding a security approach to an Oracle database?

We are trying to set up a security policy for Oracle, but we are having some problems with questions like:

  1. Automatic process: How to create a single login user that automates the migration of stored procedures
  2. How to store password files safely in order to avoid users reading them (encryption, maybe)
  3. How to create production logins that are not the owner of the tables/procedures, and without creating synonyms, so that they do not have to prefix the objects with the owner

Is there any documentation or site you can suggest to me?

Thanks,

Sandro Augusto da Silva
Technology Services & Support
NLA Technology Services
Phone: +55 11 3398-8438
Fax: +55 11 3398-7522


This message, including its attachments, may contain confidential and/or privileged information. If you received this email by mistake, do not use, copy or disseminate any information herein contained. Please notify us immediately by replying to the sender and then delete it. This email is for information purposes only, not for transactions. In case you need immediate assistance, please use one of the following channels: Internet Banking <http://www.bankboston.com.br>, BankBoston by phone <http://www.bankboston.com.br/bpt> or branch/relationship manager at your convenience. Thank you for your cooperation.


Received on Thu Aug 07 2003 - 12:44:24 CDT
