Professional Documents
Culture Documents
Players :
IT/DB Security
DBAs
Application Owner
Data Security Officer
Works council
Attackers
Step 2:
sec_case_sensitive_logon=false
because of the O5LOGON cryptographic flaw
Step 3:
Is it possible to create your own highly privileged accounts and one emergency user?
Tip:
Use SEC_CASE_SENSITIVE_LOGON=FALSE (O3LOGON) if you cannot switch all clients to the 12c authentication protocol
Use special characters if possible and if no migration to another character set is likely
Password length >= 12 (if possible and tested) via password verify function
Password complexity via password verify function (strong/weak)
Table sys.user$
SPARE4: SHA-1(password||salt)||salt, length 62
PASSWORD: DES(username||password), length 16
Two ways:
Xdb :
SQL> set echo on
SQL> spool xdb_removal.log
SQL> @?/rdbms/admin/catnoqm.sql
DECLARE
  -- character classes used by the password verify function for complexity checks
  digitarray VARCHAR2(20);
  chararray  VARCHAR2(52);
BEGIN
  digitarray := '0123456789';
  chararray  := 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
END;
Columns of interest.
Isdefault
Session
Some changes can be detected via ROWIDs; use the base tables x$...
Table Triggers
Row Level Triggers
Instead of Triggers
Method 2 is smart because you are not inside the trigger's transaction. After the events/commands have been inserted into a table, you can, for example, revoke illegal GRANT commands just in time!
How to audit SYSDBA into an OS file owned by root (from Uwe Hesse):
http://uhesse.com/2010/02/02/how-to-audit-sys-into-an-os-file-owned-by-root/
BSI checklist
https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Hilfsmittel/Extern/orcl-chk_pdf.html
http://www.mcafee.com/de/products/security-scanner-for-databases.aspx
Activity Monitoring
All classical monitoring
Event/command detection
Rule/event-based activity!
Network scanning:
select * from scott.gender;
Concept:
virtual columns + autonomous transaction
deterministic PL/SQL function
INSERT
INTO creditcard
(
id,
card_nr_ecrypt
)
VALUES
(
1,
ecrypt('5554334334453344')
);
COMMIT;
We are currently discussing this point and looking for real-life examples of indirect DBA executions.
CQN event on result-set change of oramon.oradll (SQL with SELECT, e.g. filter "GRANT DBA TO ...", plus additional conditions)
Points of interest:
Detection of database objects holding passwords via object_name, object column names, and procedures with a parameter like Pwd
Detection of cleartext passwords
Detection of password complexity and length
Detection of password lifetime
Detection of the encryption/hash algorithm, possibly with salt
History of all password changes made via other applications
First save all values from regular and allowed programs, including a whitelist of machines.
Check in the logon trigger whether (module_hash, machine) is a member of the whitelist, whether program and module are equal, and whether module_hash is correct for the specific application!
Questions:
Which result do you expect (single row or multiple rows)?
Can you limit the input length?
Can you limit the number of spaces?
Can you enumerate a fixed whitelist of values?
Can you write a static SELECT with all possible values?
Are special characters valid, and how many?
Enumerate a blacklist ( union, -- , , q , )
dbms_output.put_line('ASSERT result='||VERIFY_TAB);
EXECUTE IMMEDIATE 'select count(*) from all_tables
where table_name='''||VERIFY_TAB||'''';
END test;
/
*
ERROR at line 1:
ORA-06502: PL/SQL: numeric or value error
ORA-06512: at "SYS.DBMS_ASSERT", line 234
ORA-06512: at "HACKER.TEST", line 6
ORA-06512: at line 1
VERIFY_TAB := DBMS_ASSERT.ENQUOTE_LITERAL(DBMS_ASSERT.QUALIFIED_SQL_NAME(TABLENAME));
dbms_output.put_line('ASSERT result='||VERIFY_TAB);
EXECUTE IMMEDIATE 'select count(*) from all_tables
where table_name='||VERIFY_TAB;
END test;
/
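Added example, not from the original slides: the ALL_TABLES lookup of the TEST procedure above, once in its injectable form and twice hardened. Procedure names, the VARCHAR2 sizes and the test table T1 are my own assumptions; the lookup itself is what the slide shows.

```sql
-- Vulnerable form: caller-controlled TABLENAME is concatenated into the
-- statement text as a quoted literal, so a quote in the input changes the SQL.
CREATE OR REPLACE PROCEDURE count_tab_unsafe (tablename IN VARCHAR2, cnt OUT NUMBER) IS
BEGIN
  EXECUTE IMMEDIATE 'select count(*) from all_tables where table_name='''
                    || tablename || '''' INTO cnt;
END count_tab_unsafe;
/

-- Hardened form 1: the name is compared as a VALUE, not used as an identifier,
-- so a bind variable removes the concatenation (and the quoting) entirely.
CREATE OR REPLACE PROCEDURE count_tab_bind (tablename IN VARCHAR2, cnt OUT NUMBER) IS
BEGIN
  EXECUTE IMMEDIATE 'select count(*) from all_tables where table_name = :t'
    INTO cnt USING tablename;
END count_tab_bind;
/

-- Hardened form 2: when the name must become part of the statement text
-- (here: the FROM clause), validate it with DBMS_ASSERT first. An input that is
-- not a valid, existing object name raises an exception before EXECUTE runs.
CREATE OR REPLACE PROCEDURE count_rows (qualified_name IN VARCHAR2, cnt OUT NUMBER) IS
  v_name VARCHAR2(4000);   -- assumed size; holds the validated (possibly quoted) name
BEGIN
  v_name := DBMS_ASSERT.SQL_OBJECT_NAME(qualified_name);
  EXECUTE IMMEDIATE 'select count(*) from ' || v_name INTO cnt;
END count_rows;
/

-- Constructed check: run as a schema that owns a table named T1.
SET SERVEROUTPUT ON
DECLARE
  n NUMBER;
BEGIN
  count_tab_bind('T1', n);
  DBMS_OUTPUT.PUT_LINE('bind, valid name: ' || n);          -- 1
  count_tab_bind('T1'' or ''1''=''1', n);                   -- quote stays data
  DBMS_OUTPUT.PUT_LINE('bind, quoted input: ' || n);        -- 0
  BEGIN
    count_rows('T1 where 1=1', n);                          -- not an object name
  EXCEPTION
    WHEN OTHERS THEN
      DBMS_OUTPUT.PUT_LINE('rejected by DBMS_ASSERT: ' || SQLERRM);
  END;
END;
/
```

The same quoted input against count_tab_unsafe would be parsed as part of the WHERE clause; with the bind variable it is only ever a string value, and with DBMS_ASSERT it never reaches the parser at all.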