   Pete Finnigan's Oracle Security Forum
(Moderator: Pete Finnigan)
   Author  Topic: sys.link$  (Read 11096 times)
robotto
sys.link$
« on: Jun 23rd, 2010, 11:17am »

Hi, am I correct in stating that although sys.link$ pre Oracle 10g is available only to SYS, not all DBAs should have access to passwords of fixed database links, and therefore there is a security risk?
Pete Finnigan
Re: sys.link$
« Reply #1 on: Jun 28th, 2010, 9:41am »

Hi,
 
Yes, you are correct. There are a number of more subtle issues here. The first is that a lot of sites by default allow DBAs access to SYS and SYSTEM, and of course SYS can view this table and see passwords pre 10g and decrypt them post 10gR2. The more subtle issue is that in designing your DBA roles you must take care to not effectively make another SYS or allow easy access to SYS.
 
Also in this case you must review existing links and why they exist. There should be no PUBLIC links. Also remember that a fixed link with a password is better in one sense, in that if you choose to use a concurrent or connected user link you are effectively saying it's OK to set the same password in multiple databases. My view is separate passwords, links ONLY if you absolutely need them, they must be private and only SYSDBA should be able to read LINK$.
 
cheers
 
Pete
Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
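
The review described in the reply above, written out as dictionary queries. This is an added example, not part of the original thread or Pete Finnigan's own scripts. It assumes Oracle 10g or later (for CONNECT_BY_ROOT) and an account that can read the DBA_* and V$ views; how far SELECT ANY DICTIONARY reaches into SYS differs between releases, so treat the output of query 4 as candidates to verify on your version.

```sql
-- Added example: audit database links and the paths by which SYS.LINK$ can be read.

-- 1. Inventory every link. PUBLIC-owned links are usable by any account,
--    so they sort first for review. USERNAME shows the remote account, if any.
SELECT owner, db_link, username, host, created,
       CASE WHEN owner = 'PUBLIC' THEN 'PUBLIC: review' ELSE 'private' END AS scope
FROM   dba_db_links
ORDER  BY CASE WHEN owner = 'PUBLIC' THEN 0 ELSE 1 END, owner, db_link;

-- 2. Direct object grants on SYS.LINK$. Ideally this returns no rows.
SELECT grantee, privilege, grantable
FROM   dba_tab_privs
WHERE  owner = 'SYS'
AND    table_name = 'LINK$';

-- 3. When this parameter is TRUE, SELECT ANY TABLE also reaches SYS-owned tables.
SELECT value
FROM   v$parameter
WHERE  UPPER(name) = 'O7_DICTIONARY_ACCESSIBILITY';

-- 4. Users holding a dictionary-reading system privilege, either directly
--    or through any chain of nested roles (for example a custom DBA role).
WITH reach AS (
  SELECT username AS top_grantee, username AS holder
  FROM   dba_users
  UNION ALL
  SELECT CONNECT_BY_ROOT grantee, granted_role
  FROM   dba_role_privs
  CONNECT BY PRIOR granted_role = grantee
)
SELECT DISTINCT u.username, sp.privilege, sp.grantee AS held_through
FROM   dba_users u
JOIN   reach r          ON r.top_grantee = u.username
JOIN   dba_sys_privs sp ON sp.grantee = r.holder
WHERE  sp.privilege IN ('SELECT ANY DICTIONARY', 'SELECT ANY TABLE')
ORDER  BY u.username, sp.privilege;

-- 5. Accounts in the password file that can connect AS SYSDBA,
--    which gives them SYS-level access to LINK$.
SELECT username
FROM   v$pwfile_users
WHERE  sysdba = 'TRUE';
```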