Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Usenet -> c.d.o.server -> Re: Adding some random characters to Oracle password

Re: Adding some random characters to Oracle password

From: Howard J. Rogers <hjr_at_dizwell.com>
Date: Wed, 27 Oct 2004 07:11:36 +1000
Message-ID: <417ebd79$0$21982$afc38c87@news.optusnet.com.au>


Prem K Mehrotra wrote:

> I am working on Sarbarbes Oxley compliance for Oracle databases
> version 8.1.6.2 on HP UNIX 11. We have a third party application
> which requires a login for each user in the database. Application
> security is controlled through the application, so users can do only
> certain things from the application user interface.
>
> Application is a Web based Oracle Forms 6i application which runs on
> a Windows Server, it then connects to database on HP UNIX.
>
> However, the problem is that if users can connect to database directly
> using sqlplus, there is no security built in the database to control
> what a user can do, they can delete all the data if they want. Since,
> it is a third party application, I cannot change their code.
>
>
> 1. Since the database connection is made from windows Server to UNIX
> server and no
> end user has login on Windows Sever or NIX server, I was thinking of
> creating a logon trigger for every end user account and verifying that
> connection is made only from Forms server. This way, they cannot make
> direct connection from their PC. Does anyone see a problem with it?

All sorts of suggestions are likely to be made in regard to this. Just because it's fresh in my mind, I'd consider using Row Level Security (Virtual Private Database/Fine-Grained Access Control) to add a policy to each table which states: if the program you are using is not Forms, then 1=2. Every SQL statement then issued by all users who had hacked in would then find a 'WHERE 1=2' clause silently appended to their SQL statements, and your data would therefore be safe.

Being tied directly to tables, RLS/VPD/FGAC is not capable of being circumvented, except by SYS (to which the policies never applies).

The concern I have with your suggestion is that if the logon trigger were ever disabled or dropped, your database would be wide open. With the RLS approach, if the appropriate logon trigger were disabled, the data would still be safe because the policies applied to all the tables would still be in force (you wouldn't get a nice '0 rows deleted' error, probably, but you'd still get a failure to perform effective DML).

Just a suggestion, anyway. (And there's a paper at www.dizwell.com on setting up an RLS/VPD/FGAC test if you need to investigate it).

> 2. My auditors told me Oracle has some tool where some random
> characters are added to password, so user will not know these
> characters (so they cannot make direct connection?)/ I have not heard
> of anything like that until now. Does anyone have more information on
> it? Auditors said instead d of creating logon triggers, I can
> probably use this tool.

I can't think of what they are talking about, either. Get them to explain what they are talking about in words of few syllables. If they're auditors, it's their job not to talk in riddles, but to be specific about what security recommendations they are making.

Regards
HJR
> Thanks a lot?
>
> Prem
Received on Tue Oct 26 2004 - 16:11:36 CDT

Original text of this message

HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US