Database Link Security et al
Date: Sun, 25 Nov 2012 20:18:52 +0000 (GMT)
Message-ID: <Ex24UDYQ.1353874732.6475400.oracle_at_ukcert.org.uk>
So, users can decrypt dblink passwords as the key is included in the ciphertext... -->
SQL> select name, userid,
utl_raw.cast_to_varchar2(dbms_crypto.decrypt((substr(passwordx,19)),
4353, (substr(passwordx,3,16)))) from sys.link$ where name='TEST_LINK';
NAME
USERID
PASSWORD
TEST_LINK
DBLINK_ACCOUNT
MYPW ..one saving grace is that we can now identify incoming db links using this..
select userid, terminal, comment$text from sys.aud$ where comment$text like 'DBLINK%';
USERID NTIMESTAMP# USERHOST COMMENT$TEXT ------------ ----------------- ------- -------------- DBLINK_ACCOUNT 19-NOV-12 01.42.16.305194000 orlin DBLINK_INFO:(SOURCE_GLOBAL_NAME=orcl.4294967295)
-->could be too late though so best to take a few precautions in
advance... preferably automated...
..Same with lack of profiles on SYS account. Sometimes easier to fix ourselves..
create or replace trigger sys_throttler.tra_servererror_ora1017
after servererror on database
declare
l_db_usr varchar2 (32);
begin
if (ora_is_servererror(1017)) then
l_db_usr := upper (trim (sys_context ('userenv', 'authenticated_identity')));
if l_db_usr ='SYS' then dbms_lock.sleep (1); else NULL; end if;
end if;
end tra_servererror_ora1017;
/
More like this at UKOUG Monday, if you are in the area...
Cheers,
Paul M. Wright
http://www.oraclesecurity.com
http://2012.ukoug.org/default.asp?p=9339&dlgact=shwprs&prs_prsid=7736&day_dayid=62
-- http://www.freelists.org/webpage/oracle-lReceived on Sun Nov 25 2012 - 21:18:52 CET