Oracle FAQ | Your Portal to the Oracle Knowledge Grid |
Oracle-L: RE: methodology to keep only certain programs to connect to
Kevin,
That has been my point in the past. It is really not feasible to establish connection policy this way.
For example: anybody can change the name of the sqlplus.exe executable on their desktop, run it, and connect to the database. v$session.program now reports the new executable name - not sqlplus.
The same goes for any tool on the desktop - including odbc connections.
Security policy has to start at the account/password level.
Tom Mercadante
Oracle Certified Professional
-----Original Message-----
From: Kevin Lange [mailto:kgel_at_ppoone.com]
Sent: Tuesday, September 10, 2002 1:54 PM
To: Multiple recipients of list ORACLE-L
Subject: RE: methodology to keep only certain programs to connect to
With a setup like this, how do you stop a user from simply renaming the program they are using to match what you expect to see and, therefore, getting past your security?
-----Original Message-----
From: Shaw John-P55297 [mailto:john.shaw_at_motorola.com]
Sent: Tuesday, September 10, 2002 11:59 AM
To: Multiple recipients of list ORACLE-L
Subject: RE: methodology to keep only certain programs to connect to
use v_$mystat - it has the sid - then do your join with v$session
-----Original Message-----
From: JOE TESTA [mailto:JTESTA_at_longaberger.com]
Sent: Tuesday, September 10, 2002 10:58 AM
To: Multiple recipients of list ORACLE-L
Subject: methodology to keep only certain programs to connect to
I've been tasked to ensure only certain app programs access the database.
I'm thinking on-logon trigger, check the program field from v$session. Unfortunately v$session is for all sessions; I can't seem to find the view that tells me only MY info during login. I only want the sid, serial#, username and program for my just now connection to the database.
Does this exist or am I going about this the wrong way?
We're thinking of checking those fields to make sure sql*plus, toad, etc. can't connect as a particular user (even though the password is known out in the community).
any ideas would be greatly appreciated.
joe
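For reference, here is what John's suggestion looks like as a logon trigger (join v$mystat to v$session to find the current session's program), written as an added example rather than code from anyone in the thread. The account name APP_USER, the program prefix MYAPP and the error number are assumptions; as Tom notes, v$session.program is reported by the client and can be renamed at will, so this is an auditing speed bump, not a security boundary.

```sql
-- Added example (not from the thread). Assumes the trigger owner has been
-- granted SELECT on SYS.V_$SESSION and SYS.V_$MYSTAT directly (grants on the
-- V$ public synonyms do not work), and that the application connects as
-- APP_USER with a program name starting with MYAPP.
CREATE OR REPLACE TRIGGER restrict_app_user_program
AFTER LOGON ON DATABASE
DECLARE
  l_sid      NUMBER;
  l_program  VARCHAR2(128);
  l_username VARCHAR2(128);
BEGIN
  -- Only police the shared application account; leave everyone else alone.
  IF SYS_CONTEXT('USERENV', 'SESSION_USER') <> 'APP_USER' THEN
    RETURN;
  END IF;

  -- v$mystat holds one row per statistic for THIS session, all with the
  -- same SID, so any single row gives us our own SID (John's approach).
  SELECT sid INTO l_sid FROM v$mystat WHERE ROWNUM = 1;

  -- Now look up this session's program and username in v$session.
  SELECT s.program, s.username
    INTO l_program, l_username
    FROM v$session s
   WHERE s.sid = l_sid;

  -- Caveat (Tom's point): program is whatever the client chose to report.
  -- A renamed sqlplus.exe, or any OCI/ODBC client, can present any string,
  -- so the real control is the account and its password, not this check.
  -- Also: users holding ADMINISTER DATABASE TRIGGER still connect when a
  -- logon trigger raises, so this cannot lock out a DBA.
  IF UPPER(NVL(l_program, '<unknown>')) NOT LIKE 'MYAPP%' THEN
    RAISE_APPLICATION_ERROR(-20001,
      'Program "' || NVL(l_program, '<unknown>') ||
      '" is not permitted to connect as ' || l_username);
  END IF;
END;
/
```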
Received on Tue Sep 10 2002 - 12:32:55 CDT