Secure your database (part 1)

by Kamil Stawiarski

I've already shown you how to escalate privileges in Oracle Databases.

The question is: how do you secure your database if you don't have EE or the possibility to buy Oracle Database Vault or Oracle Advanced Security? Well, there's always DBA creativity 😉

For example, if you want to prevent the creation of unwanted DIRECTORY objects, you can create the following trigger as SYSDBA:

create or replace trigger trc_sec_directories
before create on database
declare
  -- comma-separated list of protected paths
  v_dirs varchar2(32000):='/bin/,/dev/,/etc/,/sbin/,/home/oracle/,/home/oracle/.ssh/,/u01/app/oracle/product/11.2.0/dbhome_1/,/u01/app/oracle/product/11.2.0/dbhome_1/sqlplus/admin/,/u01/app/oracle/product/11.2.0/dbhome_1/lib/,/u01/app/oracle/product/11.2.0/dbhome_1/bin/,/u01/app/oracle/product/11.2.0/dbhome_1/dbs/,/u01/app/oracle/product/11.2.0/dbhome_1/rdbms/lib/,/u01/app/oracle/product/11.2.0/dbhome_1/rdbms/admin/';
  v_dir_name varchar2(30);
  v_sql_list ora_name_list_t;
  v_sql_text clob;
  v_cnt number;
begin
  if ora_dict_obj_type='DIRECTORY' then
         -- fetch the triggering statement; ora_sql_txt returns the number of chunks
         v_cnt := ora_sql_txt(v_sql_list);
         -- reassemble the full statement text
         for i in 1..v_cnt loop
            v_sql_text:=v_sql_text || v_sql_list(i);
         end loop;
         -- take everything after the first "as", strip the quotes and look it up in v_dirs
         if regexp_like(v_dirs,trim(replace(substr(v_sql_text,instr(lower(v_sql_text), 'as')+2),'''',''))) then
                raise_application_error(-20666, 'Insufficient privileges');
         end if;
  end if;
end;
/

Each time someone tries to create a directory pointing to one of the paths stored in the V_DIRS variable, an exception is raised.
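
A stricter variant of the path check, as an added example that is not the author's code: it accepts only the plain CREATE DIRECTORY form, fails closed on anything it cannot parse, and matches protected paths by prefix so that subdirectories are covered as well. The function name SEC_IS_PROTECTED_DIR and the shortened list of roots are assumptions.

```sql
-- Added example, not the author's code. SEC_IS_PROTECTED_DIR is a hypothetical name.
create or replace function sec_is_protected_dir(p_ddl in varchar2)
  return boolean
is
  -- Protected roots (shortened from V_DIRS); anything at or below one is refused.
  v_roots sys.odcivarchar2list := sys.odcivarchar2list(
    '/bin', '/dev', '/etc', '/sbin', '/home/oracle',
    '/u01/app/oracle/product/11.2.0/dbhome_1');
  v_path varchar2(4000);
begin
  -- Accept only the plain form: CREATE [OR REPLACE] DIRECTORY name AS 'path'.
  -- Subexpression 2 is the path literal; any other statement shape yields NULL.
  v_path := regexp_substr(
    replace(p_ddl, chr(0)),
    '^\s*create\s+(or\s+replace\s+)?directory\s+[a-z][a-z0-9_$#]*\s+as\s*''([^'']*)''[[:space:];]*$',
    1, 1, 'i', 2);

  -- Fail closed: unparsable statement, relative path, or a "." / ".." segment.
  if v_path is null
     or substr(v_path, 1, 1) <> '/'
     or regexp_like(v_path, '(^|/)\.\.?(/|$)') then
    return true;
  end if;

  -- Normalise: collapse repeated slashes and drop trailing ones.
  v_path := rtrim(regexp_replace(v_path, '/+', '/'), '/');

  -- Prefix match on whole path segments: '/etc' covers '/etc/ssh', not '/etcetera'.
  for i in 1 .. v_roots.count loop
    if instr(v_path || '/', v_roots(i) || '/') = 1 then
      return true;
    end if;
  end loop;
  return false;
end;
/
```

In the trigger, the REGEXP_LIKE condition would become `if sec_is_protected_dir(v_sql_text) then`. The database cannot resolve symbolic links from a trigger, so file-system permissions on the listed paths still matter.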


