Re: Oracle Security

From: Parris Geiser <parris_at_walleye.esp.bellcore.com>
Date: 20 Jan 1995 23:31:37 GMT
Message-ID: <3fph4p$gfg_at_athos.cc.bellcore.com>


Karel Sprenger (ks_at_ic.uva.nl) wrote:
> In article <3fk3ti$7m4_at_redstone.interpath.net> hcurtis_at_hcurtis.pdial.interpath.net writes:
 

> >Is anyone aware of a mechanism to disable "fastpathing" when entering
> >an Oracle product (e.g. SQLPLUS). I'd like to force use of the
> >prompting mechanism within Oracle. For example:
> > Typing : SQLPLUS userid/password
> > to enter the product works fine. The problem is, anyone executing
> > a ps -ef now has the userid and password of a valid oracle account.
> >Needless to say, this is causing some excitement among our security folks.
 

> Except for switching to OPS$ usernames, the only mechanism would be to
> "program" the users to stop entering their oracle username/password on the
> command line. To help them, you might consider writing stubs for the oracle
> tools that warn against this unsafe practice when used and otherwise start up
> the actual tool.
> Of course, the best solution would be if Oracle Corp changed the tools
> themselves...
 

> Just my $0.02 worth,
> Karel Sprenger <ks_at_ic.uva.nl>

+++ Or you can solve the problem within UNIX by defining your own
+++ sqlplus command in the directory of PATH that comes before ORACLE, e.g.,
+++ in /usr/bin. This command could check for a usr/pwd type
+++ parameter and if it exists, display an error message and exit.
+++ Using this type of idea you can get more and more tricky.
	Just my $0.01 worth,
	parris
Received on Sat Jan 21 1995 - 00:31:37 CET
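
The stub suggested in this thread, sketched as an added example that is not part of the original posts: a script installed as `sqlplus` in a PATH directory ahead of Oracle's, which refuses a user/password argument and otherwise starts the real tool. The location of the real binary, the function names and the exit code are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the original thread): sqlplus stub that rejects
# a password given on the command line.
# Assumption: the real binary is $ORACLE_HOME/bin/sqlplus; the fallback
# directory below is a hypothetical placeholder.
REAL_SQLPLUS="${ORACLE_HOME:-/opt/oracle}/bin/sqlplus"

# Return 0 if any logon argument looks like user/password[@db].
has_inline_password() {
    for arg in "$@"; do
        case "$arg" in
            @*)    return 1 ;;   # start of @script; what follows is not a logon string
            /*)    ;;            # "/" or "/nolog": no user name, so no password shown
            ?*/?*) return 0 ;;   # non-empty user, slash, non-empty password
        esac
    done
    return 1
}

sqlplus_stub() {
    if has_inline_password "$@"; then
        echo "sqlplus: do not put the password on the command line;" >&2
        echo "         run 'sqlplus username' and answer the password prompt." >&2
        return 2
    fi
    # Nothing sensitive in the arguments: hand over to the real tool.
    exec "$REAL_SQLPLUS" "$@"
}

# When installed as the sqlplus found first in PATH, end the script with:
#   sqlplus_stub "$@"
```

The stub's own argument list is still visible to ps for the moment it runs, and it does nothing for users who call the real binary by full path, so it trains habits rather than closing the exposure.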
