Database Link Security et al

From: <oracle_at_ukcert.org.uk>
Date: Sun, 25 Nov 2012 20:18:52 +0000 (GMT)
Message-ID: <Ex24UDYQ.1353874732.6475400.oracle_at_ukcert.org.uk>


So, users can decrypt dblink passwords as the key is included in the ciphertext... -->

SQL> select name, userid,
       utl_raw.cast_to_varchar2(dbms_crypto.decrypt((substr(passwordx,19)), 4353, (substr(passwordx,3,16))))
     from sys.link$ where name='TEST_LINK';

NAME           USERID           PASSWORD
-------------  ---------------  --------
TEST_LINK      DBLINK_ACCOUNT   MYPW

..one saving grace is that we can now identify incoming db links using this..

select userid, ntimestamp#, userhost, comment$text from sys.aud$ where comment$text like 'DBLINK%';

USERID          NTIMESTAMP#                    USERHOST  COMMENT$TEXT
--------------  -----------------------------  --------  --------------------------------------------------
DBLINK_ACCOUNT  19-NOV-12 01.42.16.305194000   orlin     DBLINK_INFO: (SOURCE_GLOBAL_NAME=orcl.4294967295)

-->could be too late though so best to take a few precautions in advance... preferably automated...

..Same with lack of profiles on SYS account. Sometimes easier to fix ourselves..

-- Throttle SYS password guessing: after each ORA-01017 (invalid username/password)
-- raised for SYS, sleep one second before the error is returned to the client.
create or replace trigger sys_throttler.tra_servererror_ora1017
   after servererror on database
declare
   l_db_usr varchar2 (32);
begin
   if (ora_is_servererror (1017)) then
      -- identity the client presented, whether or not the logon succeeded
      l_db_usr := upper (trim (sys_context ('userenv', 'authenticated_identity')));

      if l_db_usr = 'SYS' then
         dbms_lock.sleep (1);
      else
         null;
      end if;
   end if;
end tra_servererror_ora1017;
/

More like this at UKOUG Monday, if you are in the area...

Cheers,
Paul M. Wright
http://www.oraclesecurity.com
http://2012.ukoug.org/default.asp?p=9339&dlgact=shwprs&prs_prsid=7736&day_dayid=62
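As an added example (not from the post or from Paul's own tooling): a Python routine that parses the DBLINK_INFO comment$text shown above from constructed sys.aud$ rows and flags incoming link sources that are not on an expected list, so the check can be scheduled rather than run by hand after the fact. The sample rows beyond the one in the post and the EXPECTED_SOURCES set are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample rows in the shape of sys.aud$ (userid, ntimestamp#, userhost, comment$text).
# Only the first mirrors the row in the post; the others are invented for illustration.
SAMPLE_AUD_ROWS = [
    ("DBLINK_ACCOUNT", "19-NOV-12 01.42.16.305194000", "orlin",
     "DBLINK_INFO: (SOURCE_GLOBAL_NAME=orcl.4294967295)"),
    ("DBLINK_ACCOUNT", "19-NOV-12 02.10.01.000000000", "orlin",
     "DBLINK_INFO: (SOURCE_GLOBAL_NAME=orcl.4294967295)"),
    ("DBLINK_ACCOUNT", "20-NOV-12 09.05.44.120000000", "laptop7",
     "DBLINK_INFO: (SOURCE_GLOBAL_NAME=rogue.1234567890)"),
    ("SCOTT", "20-NOV-12 09.06.00.000000000", "laptop7",
     "Authenticated by: DATABASE"),  # ordinary logon record, must be ignored
]

# Sources that are expected to open links into this database (assumption for the example).
EXPECTED_SOURCES = {"orcl.4294967295"}

DBLINK_RE = re.compile(r"DBLINK_INFO:\s*\((?P<body>.*)\)", re.DOTALL)

def parse_dblink_info(comment_text):
    """Return the key=value pairs inside a DBLINK_INFO comment, or None if it is not one."""
    m = DBLINK_RE.search(comment_text or "")
    if not m:
        return None
    pairs = {}
    # the body may wrap across lines in SQL*Plus output, so split on commas and whitespace
    for kv in re.split(r"[,\s]+", m.group("body").strip()):
        if "=" in kv:
            k, v = kv.split("=", 1)
            pairs[k.strip().upper()] = v.strip()
    return pairs

def summarise_incoming_links(rows, expected_sources):
    """Group DBLINK audit rows by (source global name, userid); flag sources not expected."""
    seen = defaultdict(lambda: {"count": 0, "first_seen": None, "hosts": set()})
    for userid, ts, host, comment in rows:
        info = parse_dblink_info(comment)
        if not info or "SOURCE_GLOBAL_NAME" not in info:
            continue
        entry = seen[(info["SOURCE_GLOBAL_NAME"], userid)]
        entry["count"] += 1
        entry["first_seen"] = entry["first_seen"] or ts
        entry["hosts"].add(host)
    return {key: {**v, "hosts": sorted(v["hosts"]), "unexpected": key[0] not in expected_sources}
            for key, v in seen.items()}

def unexpected_sources(rows, expected_sources=EXPECTED_SOURCES):
    """(source, userid) pairs that need investigation, e.g. to feed an alert."""
    return sorted(k for k, v in summarise_incoming_links(rows, expected_sources).items() if v["unexpected"])
```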

--
http://www.freelists.org/webpage/oracle-l
Received on Sun Nov 25 2012 - 21:18:52 CET