Pete Finnigan's Oracle Security Forum (http://www.petefinnigan.com/forum/yabb/YaBB.cgi)
(Message started by: Pete Finnigan on Nov 17th, 2010, 3:17pm)

Title: dba role through indirect membership
Post by Pete Finnigan on Nov 17th, 2010, 3:17pm
Hi Pete,

I have recently performed an audit on an Oracle database using Squirrel. I have noted that all users have indirectly adopted the DBA role via another role. How severe is this if what can be performed by users is controlled by the application? Secondly, what parameter can be set on Oracle to negate a direct connection to the database, i.e. bypass the normal route of access such as the application?

Thanks,
Stephen

Title: Re: dba role through indirect membership
Post by Pete Finnigan on Nov 19th, 2010, 3:59am
If the application is a web application, then you are best off with a firewall style lockout that prevents connections to the database from machines other than the application server.

Within Oracle a similar effect can be achieved using SQLNET.ora settings: http://download.oracle.com/docs/cd/B28359_01/network.111/b28317/sqlnet.htm#CIHJDJII

I'd suggest putting an AUDIT on use of the DBA role and if, after a week, the audit trail doesn't indicate it is necessary then REVOKE the role.
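
Added example (not part of the original thread): one way to confirm the audit finding is a hierarchical query over DBA_ROLE_PRIVS that lists every account reaching the DBA role, together with the chain of roles it passes through. It assumes a session with SELECT access to the DBA_ROLE_PRIVS and DBA_USERS dictionary views; the column aliases are illustrative.

```sql
-- Added example: who holds DBA, directly or through nested roles?
-- Each output row is one grant chain that ends at the DBA role.
SELECT CONNECT_BY_ROOT grantee                      AS account,
       CASE WHEN LEVEL = 1 THEN 'DIRECT'
            ELSE 'INDIRECT' END                     AS membership,
       LEVEL                                        AS chain_length,
       -- e.g. " -> APP_ROLE -> DBA" for a user granted APP_ROLE,
       -- where APP_ROLE has in turn been granted DBA
       SYS_CONNECT_BY_PATH(granted_role, ' -> ')    AS grant_path
FROM   dba_role_privs
-- The WHERE clause is applied after the hierarchy is built,
-- so only chains that terminate at DBA are kept.
WHERE  granted_role = 'DBA'
-- Start from real accounts, plus PUBLIC, because a role granted
-- to PUBLIC is inherited by every user in the database.
START WITH grantee IN (SELECT username FROM dba_users)
        OR grantee = 'PUBLIC'
-- Walk from a grantee to the roles granted to the role it holds.
CONNECT BY NOCYCLE PRIOR granted_role = grantee
ORDER BY account, chain_length;
```

Rows marked INDIRECT name the intermediate role carrying DBA, which is the grant to review before any REVOKE.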


