Auditing an Oracle database for security issues is very important. PeteFinnigan.com provides all of the information and tools that you will need Click here for details of PeteFinnigan.com Limited's detailed Oracle database security audit service Click here for details of PeteFinnigan.com Limited's Oracle Security Training Courses
There are 55 visitors online    
Cookie Policy:We only use essential cookies on small sections of this website. For details see here.

Pete Finnigan is the author of the SANS book Oracle security step-by-step - a survival guide for Oracle security. Pete also has written many papers about Oracle security. petefinnigan.com is the place for free Oracle security information, white papers, links to other resources, free scripts tools and products and professional Oracle security audit services.

For over 100 Oracle security white papers see here.

PeteFinnigan.com Oracle FAQ's, Tips and ramblings

This page is a collection of FAQ type information, tips and ramblings. What is a rambling you may ask? - well its simple - it is me rambling on about something in Oracle and probably to do with Oracle security. I have been answering questions on newsgroups and mailing lists for some time and quite often I notice that the same questions come around again. So i have decided to keep some of the good answers and tips that I and others have raised and to present them here as a simple un-ordered list of information.

Usually tips these will be information on how to do something, set something up or how to disable something. I like to test things for myself usually in SQL*Plus and some of these ramblings will be a simple spool file from SQL*Plus showing how i tested something or demonstrated something. These are not polished papers, see my white papers section for those. Anyway lets begin, here they are:-

Date Link Description
10-Feb-2004 How to disable iSQL*Plus This short FAQ shows how to stop iSQL*Plus, the web based version of SQL*Plus from running on your system. You may wish to disable this tool in production environments for security reasons. There have been a number of security issues that have become known with this tool. Read here how to disable it.
18-Feb-2004 How to grant all privileges in Oracle This short FAQ shows how to grant all privileges to a user in Oracle. It specifically shows what privilege is necessary to do this. You should also be aware that granting ALL PRIVILEGES should never be necessary. Use the Least privilege principle and grant what is necessary not everything!.
18-Feb-2004 How to Stop / shutdown the ftp and http ports (2100 and 8080) on 91R2 This short FAQ shows how to shutdown the new ftp and http ports that are enabled by default in a 9iR2 installation. These are part of the new OSE stack and could represent a security threat if you are not aware that they are there.
24-Feb-2004 How to set the Oracle database listener password This short FAQ shows how to set encrypted or unencrypted passwords for your database listener. I would not recommend that you use unencrypted passwords though. For completeness I also show you how to remove the listener password if need be.
26-Feb-2004 Can Row Level Access be used on views as well as tables? This short test shows an example of fine grained access control (VPD, RLS) being used on views. This simple test was to prove to a colleague that it is indeed possible to add policy functions to views as well as tables.
27-Feb-2004 Updated 04 March 2004 many ways to set Oracle trace for your session, others sessions and at instance level This short paper explores many ways to set trace in an Oracle database, either to set trace for the current session or to set trace in another session or how to set trace at the instance level. It also talks about setting extended trace and levels and also about autotrace in SQL*Plus
14-Mar-2004 Passwords in clear text for ALTER USER in SQL*Net This short test was prompted by a thread on the ORACLE-L list discussing how to hack the SYS password on a database. This test is a write up of my post to that thread to show that when executing an ALTER USER command the password is passed in clear text to the server and also when the password function is used the password is not passed in clear text.
14-Mar-2004 Issues with bypassing password protected roles This short test was prompted from the above test as I was also checking to see if the use of SET ROLE for a password protected role also caused passwords to be sent in clear text via SQL*Net. This turned out to be true but I also discovered that password protected roles can be bypassed. Read on to see how.
14-Mar-2004 example use of DBMS_UTILITY.DB_VERSION This very short example shows how to use the built in package DBMS_UTILITY.DB_VERSION to get version and compatibility instead of having to get them piecemeal from v$parameter and v$version.
15-Mar-2004 create user and grant {blah} to user identified by {blah} send password in clear text This very short example shows how CREATE USER and GRANT {BLAH} TO {USER} IDENTIFIED BY {BLAH} send the password to the database server in clear text and suggests a couple of possible solutions.
02-Apr-2004 can SYS be locked out by a failed_login_attempts setting This short paper is an answer to a question one visitor of my website asked me. He wanted to know if the SYS account could be locked out and a Denial of Service caused if the account was brute forced and a failed_login_attempts setting had been configured in the profile attached to SYS.
02-Apr-2004 Can calls to DBMS_OBFUSCATION_TOOLKIT.DESENCRYPT be hidden in the SGA This short paper is posting i made to one of the newsgroups when someone asked if it was possible to stop a user from reading in clear text from the SGA a call made to dbms_obfuscation_toolkit.desencrypt. The answer is yes it is possible. Read the paper to see.
02-Apr-2004 How to simulate LOCK_SGA in C on Solaris This is a short answer i made recently to the lazydba mailing list when someone asked about locking the SGA shared memory segments in core with the LOCK_SGA parameter. It is not possible to use this parameter on Solaris unless Oracle is configured to run as root.