Three Tier Oracle Security in London ~ Paul M. Wright

(nix, oracle, java, www, cloud ) intersect (safety, security, reliability, integrity)

PL/SQL Source code version in the DB

I have experienced that it is common for the version of code in the PRODUCTION DB to be different from that which CVS or Subversion says it is, i.e. the code in the DB can be out of sync with the code repository.
This can be ascertained by a simple query (one row per source line, so order it):
SELECT TEXT FROM DBA_SOURCE WHERE NAME='PACKAGE_NAME' ORDER BY TYPE, LINE;
or by checksumming the code automatically, as laid out in my book.
Of interest is the fact that in some situations the source of a procedure is still present in DBA_SOURCE even though the procedure has been dropped. More to come on this, as the remains of deleted data often form evidence that would be of interest in a forensic investigation.
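An added example of the automated checksum comparison mentioned above (my own illustration, not code from the post or the book): it hashes the PACKAGE and PACKAGE BODY text as DBA_SOURCE returns it and compares that with the checked-out repository files, normalising the differences that otherwise raise false alarms (the CREATE OR REPLACE header and the SQL*Plus "/" terminator exist only in the file; CRLF line endings). The package name, file contents and DBA_SOURCE rows are constructed sample data.

```python
import hashlib
import re
# Query to run against the database (owner and name are bind variables); ORDER BY
# matters because DBA_SOURCE holds one row per source line.
DBA_SOURCE_SQL = ("SELECT type, line, text FROM dba_source WHERE owner = :owner AND name = :name "
                  "AND type IN ('PACKAGE', 'PACKAGE BODY') ORDER BY type, line")
def normalize(lines):
    """Canonical text of one unit: strip CR/LF and trailing blanks, drop the SQL*Plus
    '/' terminator and the CREATE OR REPLACE prefix that the repository file has but
    DBA_SOURCE does not (DBA_SOURCE stores the unit as the compiler saw it)."""
    out = [ln.rstrip("\r\n").rstrip() for ln in lines if ln.strip() != "/"]
    while out and not out[0]:
        out.pop(0)
    while out and not out[-1]:
        out.pop()
    if out:
        out[0] = re.sub(r"^\s*CREATE\s+(OR\s+REPLACE\s+)?", "", out[0], flags=re.I)
    return "\n".join(out) + "\n"
def sha256(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()
def db_unit_hashes(rows):
    """rows: (type, line, text) tuples from DBA_SOURCE_SQL -> {type: digest}.
    Spec and body are hashed separately so the report says which one drifted."""
    by_type = {}
    for typ, _line, text in sorted(rows, key=lambda r: (r[0], r[1])):
        by_type.setdefault(typ, []).append(text)
    return {typ: sha256(normalize(lines)) for typ, lines in by_type.items()}
def repo_unit_hashes(spec_text, body_text):
    """Same digests computed from the checked-out spec and body files."""
    return {"PACKAGE": sha256(normalize(spec_text.splitlines(True))),
            "PACKAGE BODY": sha256(normalize(body_text.splitlines(True)))}
def drifted_units(db_hashes, repo_hashes):
    """Unit types whose deployed source does not match the repository."""
    return sorted(t for t in set(db_hashes) | set(repo_hashes)
                  if db_hashes.get(t) != repo_hashes.get(t))
# Constructed sample: repository copy of ACCT_UTIL, then the DBA_SOURCE rows found in
# PRODUCTION, where the spec matches (CRLF is harmless) but the body has an extra line.
REPO_SPEC = "CREATE OR REPLACE PACKAGE acct_util AS\n  PROCEDURE pay(p_id NUMBER);\nEND acct_util;\n/\n"
REPO_BODY = ("CREATE OR REPLACE PACKAGE BODY acct_util AS\n  PROCEDURE pay(p_id NUMBER) IS\n  BEGIN\n"
             "    UPDATE acct SET bal = bal - 1 WHERE id = p_id;\n  END;\nEND acct_util;\n/\n")
DB_ROWS = [("PACKAGE", 1, "PACKAGE acct_util AS\r\n"), ("PACKAGE", 2, "  PROCEDURE pay(p_id NUMBER);\r\n"),
           ("PACKAGE", 3, "END acct_util;\r\n"), ("PACKAGE BODY", 1, "PACKAGE BODY acct_util AS\n"),
           ("PACKAGE BODY", 2, "  PROCEDURE pay(p_id NUMBER) IS\n"), ("PACKAGE BODY", 3, "  BEGIN\n"),
           ("PACKAGE BODY", 4, "    -- hotfix applied directly in PROD, never committed\n"),
           ("PACKAGE BODY", 5, "    UPDATE acct SET bal = bal - 1 WHERE id = p_id;\n"),
           ("PACKAGE BODY", 6, "  END;\n"), ("PACKAGE BODY", 7, "END acct_util;\n")]
def check_sample():
    """Units of the sample package whose deployed source differs from the repository."""
    return drifted_units(db_unit_hashes(DB_ROWS), repo_unit_hashes(REPO_SPEC, REPO_BODY))
```

Run nightly against each schema and alert on a non-empty list; the same normalisation lets you keep a baseline of digests and spot units that appear in DBA_SOURCE with no repository file at all.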

If you have not seen it, this thread at Pete's site is an interesting one. One of the reasons for wanting to control access to the ALTER USER command could be to stop a user making themselves EXTERNALLY identified:
ALTER USER SCOTT IDENTIFIED EXTERNALLY;
or maybe even
ALTER USER SCOTT IDENTIFIED BY VALUES 'EXTERNAL';
Also
ALTER USER SCOTT IDENTIFIED BY VALUES 'SCOTT.BADPROC';
which could be executed if called from a script that reads in DB users and passwords.
Additionally the ALTER USER syntax gives that user the ability to set up proxy relationships via a command such as
ALTER USER SCOTT GRANT CONNECT THROUGH ORCL WITH ROLE DBA;

In terms of user management, removing the ability to do the above is a good idea, so it is a nice thread.

Just noticed on Bugtraq the following vulnerability thread: http://www.securityfocus.com/archive/1/495336
This gives a DBA role user the privilege of SYSDBA. It is a vulnerability because DBA is not the highest privilege: a DBA cannot stop and start the DB or read the X$ tables, so gaining SYSDBA access could present a security problem. I think this is especially true given that access to strong crypto on 10gR2 via DBMS_CRYPTO is restricted to the SYSDBA user. However, there are many other ways to escalate DBA to SYSDBA, so perhaps there are higher priorities currently for most sites.

Cheers,
Paul
