RE: Trigger force a logout?

From: Powell, Mark D <mark.powell_at_eds.com>
Date: Thu, 25 Jun 2009 11:53:43 -0400
Message-ID: <D1DC33E67722D54A93F05F702C99E2A90408D414_at_usahm208.amer.corp.eds.com>



We do this using a database event logon trigger. If the username follows a certain pattern then it must meet certain criteria for values in v$session. One of the keys to making this work is not to disclose what values the routine tests against. You have machine, program, and potentially the columns populated by dbms_application_info to use, plus sys_context information such as IP. Use several.

You can spoof the IP via java, you can spoof the program name, but if the user does not know what is being tested against then spoofing all the tests will not be that easy. The solution may not be undefeatable, but it is reasonably solid, IMHO.  

Mark D Powell -- Phone (313) 592-5148

	From: oracle-l-bounce_at_freelists.org [mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Dennis Williams
	Sent: Thursday, June 25, 2009 10:43 AM
	To: ahmusch_at_gmail.com
	Cc: andrew.kerber_at_gmail.com; oracle-l_at_freelists.org
	Subject: Re: Trigger force a logout?

	Adam,

	As I mentioned, this is to plug a security gap. The password is embedded in an application we can't alter. I have a way to detect whether the login is coming from the application or elsewhere. My thought is to create a trigger that does something if someone tries to log in to the account and they aren't coming from the application.

	Not ideal, but then we don't always live in an ideal world.

	Thanks for your ideas.
	Dennis Williams

	On Thu, Jun 25, 2009 at 9:28 AM, Adam Musch <ahmusch_at_gmail.com> wrote:

		One wonders why one doesn't simply lock the account.

		ALTER USER bad_user ACCOUNT LOCK;

		seems easier than writing a trigger.

		Similarly, you may wish to explore auditing and system/application contexts so that you could audit who's trying this account.

		On Thu, Jun 25, 2009 at 9:25 AM, Andrew Kerber <andrew.kerber_at_gmail.com> wrote:

			Yes, it is possible. It would be a system trigger.

			On Thu, Jun 25, 2009 at 9:15 AM, Dennis Williams <oracledba.williams_at_gmail.com> wrote:

				List,

				To plug a security gap, I'm trying to create a trigger on a certain username. If the trigger condition is met, the trigger would force a logout. Is that possible?

				Thanks for any suggestions,
				Dennis Williams

			-- 
			Andrew W. Kerber

			'If at first you don't succeed, don't take up skydiving.'

		-- 
		Adam Musch
		ahmusch_at_gmail.com



--
http://www.freelists.org/webpage/oracle-l
Received on Thu Jun 25 2009 - 10:53:43 CDT
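As an added illustration of the logon-trigger approach Mark describes (example code written for this page, not code from any of the posters): an AFTER LOGON trigger that guards accounts matching a name pattern, reads its criteria from a table so the trigger source does not disclose what is tested, records denied attempts and rejects the session. The schema SEC, the tables LOGIN_POLICY and LOGIN_DENIED, the APP_ name prefix and the error number are assumptions; SEC is assumed to hold ADMINISTER DATABASE TRIGGER and SELECT on SYS.V_$SESSION.

```sql
-- Criteria live in SEC.LOGIN_POLICY rather than in the trigger body, so
-- DBA_SOURCE does not reveal what is tested; a NULL column means "not checked".
CREATE TABLE sec.login_policy (
  username VARCHAR2(30) NOT NULL, ip_address VARCHAR2(64),
  machine  VARCHAR2(64), program VARCHAR2(64), module VARCHAR2(64));
CREATE TABLE sec.login_denied (
  denied_at TIMESTAMP DEFAULT SYSTIMESTAMP, username VARCHAR2(30),
  ip_address VARCHAR2(64), machine VARCHAR2(64), program VARCHAR2(64),
  module VARCHAR2(64));

CREATE OR REPLACE TRIGGER sec.guard_app_logon
  AFTER LOGON ON DATABASE
DECLARE
  l_user    VARCHAR2(30) := SYS_CONTEXT('USERENV', 'SESSION_USER');
  l_ip      VARCHAR2(64) := SYS_CONTEXT('USERENV', 'IP_ADDRESS');
  l_module  VARCHAR2(64) := SYS_CONTEXT('USERENV', 'MODULE'); -- dbms_application_info
  l_machine VARCHAR2(64);
  l_program VARCHAR2(64);
  l_matches PLS_INTEGER;
  PROCEDURE log_denied IS
    PRAGMA AUTONOMOUS_TRANSACTION;  -- keep the audit row although the logon fails
  BEGIN
    INSERT INTO sec.login_denied (username, ip_address, machine, program, module)
    VALUES (l_user, l_ip, l_machine, l_program, l_module);
    COMMIT;
  END;
BEGIN
  IF l_user NOT LIKE 'APP\_%' ESCAPE '\' THEN
    RETURN;                         -- only accounts matching the pattern are guarded
  END IF;
  SELECT machine, program INTO l_machine, l_program
    FROM v$session WHERE sid = SYS_CONTEXT('USERENV', 'SID');
  -- every non-NULL policy column must match: several attributes together
  -- are harder to spoof than any one of them
  SELECT COUNT(*) INTO l_matches
    FROM sec.login_policy p
   WHERE p.username = l_user
     AND (p.ip_address IS NULL OR p.ip_address = l_ip)
     AND (p.machine    IS NULL OR p.machine    = l_machine)
     AND (p.program    IS NULL OR p.program    = l_program)
     AND (p.module     IS NULL OR p.module     = l_module);
  IF l_matches = 0 THEN
    log_denied;
    -- an unhandled exception in a logon trigger rejects the session (ORA-04088)
    RAISE_APPLICATION_ERROR(-20401, 'connection not permitted');
  END IF;
END;
/
```

SYS and any account holding ADMINISTER DATABASE TRIGGER still connect when the trigger raises, so the guard does not cover them. Program, machine and module are all client-supplied values, which is why Mark's advice to test several of them without disclosing which ones matters.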
