Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Usenet -> c.d.o.server -> Re: Adding some random characters to Oracle password

Re: Adding some random characters to Oracle password

From: Howard J. Rogers <hjr_at_dizwell.com>
Date: Wed, 27 Oct 2004 07:11:36 +1000
Message-ID: <417ebd79$0$21982$afc38c87@news.optusnet.com.au> 





Prem K Mehrotra wrote:



> I am working on Sarbarbes Oxley compliance for Oracle databases

> version 8.1.6.2 on HP UNIX  11. We have a third party application

> which requires a login for each user in the database. Application

> security is controlled through the application, so users can do only

> certain things from the application user interface.

> 

> Application is a Web based Oracle Forms 6i  application which runs on

> a Windows Server, it then connects to database on HP UNIX.

> 

> However, the problem is that if users can connect to database directly

> using sqlplus, there is no security built in the database  to control

> what a user can do, they can delete all the data if they want. Since,

> it is a third party application, I cannot change their code.

> 

> 

> 1. Since the database connection is made from windows Server to UNIX

> server and no

> end user has login on Windows Sever or NIX server, I was thinking of

> creating a logon trigger for every end user account and verifying that

> connection is made only from Forms server. This way, they cannot  make

> direct connection from their PC. Does anyone see a problem with it?




All sorts of suggestions are likely to be made in regard to this. Just
because it's fresh in my mind, I'd consider using Row Level Security
(Virtual Private Database/Fine-Grained Access Control) to add a policy to
each table which states: if the program you are using is not Forms, then
1=2. Every SQL statement then issued by all users who had hacked in would
then find a 'WHERE 1=2' clause silently appended to their SQL statements,
and your data would therefore be safe.



Being tied directly to tables, RLS/VPD/FGAC is not capable of being
circumvented, except by SYS (to which the policies never applies).



The concern I have with your suggestion is that if the logon trigger were
ever disabled or dropped, your database would be wide open. With the RLS
approach, if the appropriate logon trigger were disabled, the data would
still be safe because the policies applied to all the tables would still be
in force (you wouldn't get a nice '0 rows deleted' error, probably, but
you'd still get a failure to perform effective DML).



Just a suggestion, anyway. (And there's a paper at www.dizwell.com on
setting up an RLS/VPD/FGAC test if you need to investigate it).



> 2. My auditors  told me Oracle has some tool where some random

> characters are added to password, so user will not know these

> characters (so they cannot make direct connection?)/  I have not heard

> of anything like that until now. Does anyone have more information on

> it? Auditors said instead d of creating  logon triggers, I can

> probably use this tool.




I can't think of what they are talking about, either. Get them to explain
what they are talking about in words of few syllables. If they're auditors,
it's their job not to talk in riddles, but to be specific about what
security recommendations they are making.



Regards


HJR






> Thanks a lot?

> 

> Prem

Received on Tue Oct 26 2004 - 16:11:36 CDT












Original text of this message













  HOME |
  ASK QUESTION |
  ADD INFO |
  SEARCH |
  E-MAIL US