OraFAQ Forum: Security » Change control for PL/SQL

Home » RDBMS Server » Security » Change control for PL/SQL

Show: Today's Messages :: Polls :: Message Navigator
E-mail to friend

Change control for PL/SQL [message #635566]

Wed, 01 April 2015 06:51

John Watson
Messages: 8964
Registered: January 2010
Location: Global Village

Senior Member

Hello - I'm looking for a facility that will track changes to code, some sort of source code control system. The emphasis is not so much on managing change, as detecting change. I've been Googling around, but haven't found anything that would help. The closest is the Oracle Datbase Firewall, which can scan all stored objects and report on any changes. That would do, but it is not possible for me to install the Firewall just for that.

Anyone know of any third party products to do this sort of thing?

Thank you for any insight.

Report message to a moderator

Re: Change control for PL/SQL [message #635567 is a reply to message #635566]

Wed, 01 April 2015 07:53

Michel Cadot
Messages: 68732
Registered: March 2007
Location: Saint-Maur, France, https...

Senior Member
Account Moderator

I don't know any tool but I remember T. Kyte posted a trigger to record code change (of course it is stored PL/SQL one).
If you are interested I will try to search for it.

Report message to a moderator

Re: Change control for PL/SQL [message #635568 is a reply to message #635567]

Wed, 01 April 2015 07:59

John Watson
Messages: 8964
Registered: January 2010
Location: Global Village

Senior Member

Thank you for the idea - I'll look into it, it might be a solution. This is all about security, and if someone has the ability to modify code they may also have the ability to disable triggers. But in combination with audit (and 12.x Unified Audit really is, I think, impossible to hack) it might do.

A tool would be nice, though.

Report message to a moderator

Re: Change control for PL/SQL [message #635569 is a reply to message #635566]

Wed, 01 April 2015 08:02

gazzag
Messages: 1119
Registered: November 2010
Location: Bedwas, UK

Senior Member

John,

In the past I have implemented a LOGIN and an OWNER schema solution to stop unauthorised/uncontrolled changes. The schema objects are all owned by the <app_name>_OWNER schema, for example, whose account is locked and whose password is expired. The <app_name>_LOGIN schema has the required privileges and synonyms pointing at the <app_name>_OWNER schema objects. Is that something like what you have in mind?

Report message to a moderator

Re: Change control for PL/SQL [message #635570 is a reply to message #635568]

Wed, 01 April 2015 08:13

Michel Cadot
Messages: 68732
Registered: March 2007
Location: Saint-Maur, France, https...

Senior Member
Account Moderator

I found the link on AskTom, the trigger is very simple.

In addition, to gazzag's answer, you can create this trigger in a SYS schema (not recommended but possible, you just have to take care to drop and recreate the trigger and related objects before and after any patch).

Protection against SYS is very difficult. A possibility is Database Vault...

Report message to a moderator

Re: Change control for PL/SQL [message #635571 is a reply to message #635569]

Wed, 01 April 2015 08:28

John Watson
Messages: 8964
Registered: January 2010
Location: Global Village

Senior Member

I don't think I can use that approach because this has to be retro-fitted to an existing environment. Thankyou for taking time to reply.

Report message to a moderator

Re: Change control for PL/SQL [message #635574 is a reply to message #635571]

Wed, 01 April 2015 09:15

gazzag
Messages: 1119
Registered: November 2010
Location: Bedwas, UK

Senior Member

I did also retro-fit it to an existing environment. The existing application schema was renamed "<app_name>_OWNER". Then, if you call the "login" schema the same name as the current application schema as well as creating appropriate synonyms, no changes to the application should be required.

Report message to a moderator

Previous Topic:	proxy users - DBA_AUDIT_TRAIL
Next Topic:	How to stop self password rotation ?

Goto Forum:

-=] Back to Top [=-

[ Syndicate this forum (XML) ] [

]

Current Time: Sat Feb 01 21:25:34 CST 2025