Database Link Security et al
- From: <oracle@xxxxxxxxxxxxx>
- To: oracle-l@xxxxxxxxxxxxx
- Date: Sun, 25 Nov 2012 20:18:52 +0000 (GMT)
So, users can decrypt dblink passwords as the key is included in the
ciphertext... -->
SQL> select name, userid,
utl_raw.cast_to_varchar2(dbms_crypto.decrypt((substr(passwordx,19)),
4353, (substr(passwordx,3,16)))) from sys.link$ where name='TEST_LINK';
NAME
--------------------------------------------------------------------------------
USERID
------------------------------
PASSWORD
--------------------------------------------------------------------------------
TEST_LINK
DBLINK_ACCOUNT
MYPW
..one saving grace is that we can now identify incoming db links using
this..
select userid, terminal, comment$text from sys.aud$ where comment$text
like 'DBLINK%';
USERID NTIMESTAMP# USERHOST COMMENT$TEXT
------------ ----------------- ------- --------------
DBLINK_ACCOUNT 19-NOV-12 01.42.16.305194000 orlin DBLINK_INFO:
(SOURCE_GLOBAL_NAME=orcl.4294967295)
-->could be too late though so best to take a few precautions in
advance... preferably automated...
..Same with lack of profiles on SYS account. Sometimes easier to fix
ourselves..
create or replace trigger sys_throttler.tra_servererror_ora1017
after servererror on database
declare
l_db_usr varchar2 (32);
begin
if (ora_is_servererror(1017)) then
l_db_usr := upper (trim (sys_context ('userenv',
'authenticated_identity')));
if l_db_usr ='SYS' then
dbms_lock.sleep (1);
else
NULL;
end if;
end if;
end tra_servererror_ora1017;
/
More like this at UKOUG Monday, if you are in the area...
Cheers,
Paul M. Wright
http://www.oraclesecurity.com
http://2012.ukoug.org/default.asp?p=9339&dlgact=shwprs&prs_prsid=7736&day_dayid=62
--
//www.freelists.org/webpage/oracle-l
Other related posts:
