Three Tier Oracle Security in London ~ Paul M. Wright

(nix, oracle, java, www, cloud ) intersect (safety, security, reliability, integrity)


Advanced Oracle Security Development

The code and slides for my talk were first made available at UKOUG's web site:
http://conference.ukoug.org/default.asp?p=842&dlgact=shwprs&prs_prsid=3130&day_dayid=13

I have edited the content into Word.

Below is the CREATE_DIRECTORY package I have written, which means that users do not need to be granted CREATE ANY DIRECTORY in the future. Updates to the package will be made to this URL.

-- CREATES A DIRECTORY IN A SPECIFIC OS LOCATION AND GRANTS READ/WRITE
-- The owner of this package needs CREATE ANY DIRECTORY granted directly
-- (roles are not active inside a definer's-rights procedure); callers only
-- need EXECUTE on the package.
CREATE OR REPLACE PACKAGE create_directory AS
  PROCEDURE createdirectory(directory_name IN VARCHAR2, directory_path IN VARCHAR2);
END create_directory;
/
CREATE OR REPLACE PACKAGE BODY create_directory AS
  PROCEDURE createdirectory(directory_name IN VARCHAR2, directory_path IN VARCHAR2) IS
    c_allowed_root        CONSTANT VARCHAR2(1024) := '/u01/thisismypath';
    l_exec_string         VARCHAR2(1024) := 'CREATE OR REPLACE DIRECTORY ';
    l_directory_validated VARCHAR2(1024);
    l_name_validated      VARCHAR2(128);
  BEGIN
    -- Strip dots so that '..' cannot climb out of the allowed root
    l_directory_validated := REPLACE(directory_path, '.', '');
    -- Accept only the allowed root itself or a path beneath it
    -- (a sibling such as '/u01/thisismypathXYZ' is rejected)
    IF l_directory_validated <> c_allowed_root
       AND INSTR(l_directory_validated, c_allowed_root || '/') <> 1 THEN
      RAISE_APPLICATION_ERROR(-20001, 'Directory path not permitted: ' || directory_path);
    END IF;
    -- Reject names that are not a plain SQL identifier, so the name cannot
    -- carry extra SQL into the dynamic statement (raises ORA-44003 if invalid)
    l_name_validated := DBMS_ASSERT.SIMPLE_SQL_NAME(directory_name);
    l_exec_string := l_exec_string || l_name_validated || ' AS '
                     || DBMS_ASSERT.ENQUOTE_LITERAL(l_directory_validated);
    EXECUTE IMMEDIATE l_exec_string;
    -- USER is the session (calling) user, so the grant goes to the caller only
    l_exec_string := 'GRANT READ, WRITE ON DIRECTORY ' || l_name_validated
                     || ' TO ' || DBMS_ASSERT.ENQUOTE_NAME(USER);
    EXECUTE IMMEDIATE l_exec_string;
  END createdirectory;
END create_directory;
/
-- EXEC CREATE_DIRECTORY.createdirectory('PAULSDIR2','/u01/thisismypath');

The above code can act as a workaround to allocating the CREATE ANY DIRECTORY privilege, in light of the vulnerability I first published on, whereby any user with CREATE ANY DIRECTORY can overwrite the password file with a known password file containing an unauthorised SYSDBA account.
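As an added example (not part of the original post), the DBA-side checks that go with the package above: who still holds CREATE ANY DIRECTORY directly or through one level of roles, which directory objects point outside the permitted root, how to swap the system privilege for EXECUTE on the package, and how to confirm the grant the package creates names only the caller. The schema SECADMIN and the user APP_USER are assumed names.

```sql
-- Assumed names: SECADMIN owns the package, APP_USER is an application schema.
-- 1. Direct holders of the privilege the package is meant to replace
SELECT grantee, admin_option
FROM   dba_sys_privs
WHERE  privilege = 'CREATE ANY DIRECTORY'
ORDER  BY grantee;

-- 2. Users who inherit it through a role (one level of role nesting shown)
SELECT dr.grantee AS user_name, dr.granted_role, sp.privilege
FROM   dba_role_privs dr
JOIN   dba_sys_privs  sp ON sp.grantee = dr.granted_role
WHERE  sp.privilege = 'CREATE ANY DIRECTORY'
ORDER  BY dr.grantee;

-- 3. Directory objects whose OS path is outside the root the package allows;
--    every row here deserves a look, especially anything under the Oracle home
SELECT directory_name, directory_path
FROM   dba_directories
WHERE  directory_path NOT LIKE '/u01/thisismypath%'
ORDER  BY directory_name;

-- 4. Replace the system privilege with EXECUTE on the wrapper package
REVOKE CREATE ANY DIRECTORY FROM app_user;
GRANT  EXECUTE ON secadmin.create_directory TO app_user;

-- 5. After APP_USER runs the package's example call, confirm the object and
--    its grants: the READ/WRITE grant should list only the calling user
SELECT d.directory_name, d.directory_path, p.grantee, p.privilege
FROM   dba_directories d
LEFT JOIN dba_tab_privs p ON p.table_name = d.directory_name
WHERE  d.directory_name = 'PAULSDIR2';
```

Query 2 only follows one role grant; on a database with nested roles, ROLE_SYS_PRIVS and ROLE_ROLE_PRIVS need to be walked recursively as well.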

Please send feedback about the above code and any additions you would recommend to paul.wright@oracleforensics.com

So UKOUG so far has been interesting. Starting with Tom Kyte talking on Encryption, I picked up these points from it.
-Hardware add-ons to Oracle for storing private keys are becoming more popular.
-TDE was convenient for application integration (transparent).
-Column level encryption in 11g was a bit of a pain as cardinality (FKs) and indexes were inconvenienced.
-From a performance perspective BLOB data types are very slow to encrypt, therefore for < 4000 use varchars for speed of encryption.
-Tablespace encryption is very nice as there is no query performance hit, since the SGA is cleartext (and Sentrigo will still work), but the data files on their own do not represent a risk as they are encrypted.
Then I enjoyed Slavik's presentation on Oracle vulnerability discovery and Sentrigo Hedgehog.
The new fuzzer looks great and will be available via Slavik's blog quite soon.
I also enjoyed Michael Moller's presentation on Internationalisation.
Looking forward to Pete's presentation on Friday. All in all a good conference, and great to meet Tom, Jonathan and Julian there. Already started writing my presentation for next year, which is entitled "Three Tier Oracle Forensics". It is to do with the problems of logging and responding to web activity through to the DB. There are challenges with time synchronisation and identifying the web session at the DB end, though these are beginning to be solved to the point at which legalised formalities can be standardised upon.
More to come..
Cheers,
Paul
