Auditing an Oracle database for security issues is very important. PeteFinnigan.com provides all of the information and tools that you will need Click here for details of PeteFinnigan.com Limited's detailed Oracle database security audit service Click here for details of PeteFinnigan.com Limited's Oracle Security Training Courses
There are 61 visitors online    
Cookie Policy:We only use essential cookies on small sections of this website. For details see here.

Pete Finnigan is the author of the SANS book Oracle security step-by-step - a survival guide for Oracle security. Pete also has written many papers about Oracle security. petefinnigan.com is the place for free Oracle security information, white papers, links to other resources, free scripts tools and products and professional Oracle security audit services.

For over 100 Oracle security white papers see here.

PeteFinnigan.com Tools

All of the scripts and tools provided here are available free. You can do anything you want with them commercial or non commercial as long as the copyrights and this notice are not removed or edited in any way. The scripts cannot be posted / published / hosted or whatever anywhere else except at www.petefinnigan.com/tools.htm.

Although every care has been taken to ensure that they are error free Pete Finnigan cannot be held responsible for any damage caused by their use.

This page includes scripts written by Pete Finnigan.com and also links to useful Oracle security based tools written by others. The first section are Pete Finnigan's Tools.
Tool By Description
Oracle Password Cracker in PL/SQL pete@petefinnigan.com This simple tool implements a Oracle database password cracker in PL/SQL. the main driving force behind this is to encourage DBA's to test the strength of passwords in their databases mopre easily by being able to use PL/SQL scripts simply from SQL*Plus without the need to download binaries or libraries and more. The main goal is simplicity and to encourage people to strengthen their database security.
testpwd.sql pete@petefinnigan.com This is a PL/SQL function that can be installed into the database to test if a password is correct or not. The function is based on the PL/SQL password cracker above and is in response to a post on the oaktable list and also on my Oracle security forum asking if such a check can be written.
who_has_priv_procedure.sql pete@petefinnigan.com This is a version of the who has privs script that is included below. This version is meant to be installed in the database as a procedure rather than run as a standalone script.
find_all_privs.sql pete@petefinnigan.com This short script can be used to find all of the privileges granted to a particular user. It includes Roles, system privileges and object privileges. If a role is encountered then it recursively looks for the roles, system privileges and object privileges granted to the roles and so on.....

The output can be directed to either the 'S'creen or to a 'F'ile. This is prompted for at run time. If a 'F'ile is chosen then a file name and output directory are needed. If 'F'ile is chosen then the directory used needs to be enabled via utl_file_dir prior to 9iR2 and with a directory object after that.

find_all_privs2.sql pete@petefinnigan.com This is an updated version of find_all_privs.sql updated by David Arthur to add the ability to skip table privileges and also the ability to sort the results within then tree. He has also added an indicator as to whether the roles are password protected or not and he has also tuned the main driving select by adding a parallel hint. This is version 1.8 of find_all_privs.sql (version 1.7) still available above.

Version 1.9 had to be released close after 1.8 as David Litchfield found a 12801 parallel server error with the parallel hint in David Arthurs update. The hint is commented out so choose to use it or not based on whether you get any errors

find_all_privs_sum.sql pete@petefinnigan.com This is an updated version of find_all_privs.sql that I modified to summarise object privileges rather than list them out individually. This is useful for schemas with large amounts of granted privileges.
who_has_role.sql pete@petefinnigan.com This short script is the second in a series of four scripts to check user and object privileges in the database. This script accepts the name of a role in the database and it lists out a hierarchical list of users and roles that have been granted the role being checked. This can be very useful to check who has access to critical database roles.

The output can be directed to either the 'S'creen or to a 'F'ile. This is prompted for at run time. If a 'F'ile is chosen then a file name and output directory are needed. If 'F'ile is chosen then the directory used needs to be enabled via utl_file_dir prior to 9iR2 and with a directory object after that.

who_has_priv.sql pete@petefinnigan.com This short script is the third in the series and can be used to find out which users or roles have been granted a particular system privilege. As with the other scripts in this series it does this by printing out a hierarchical list of users and roles and then the roles and users granted to those roles and so on.

The output can be directed to either the 'S'creen or to a 'F'ile. This is prompted for at run time. If a 'F'ile is chosen then a file name and output directory are needed. If 'F'ile is chosen then the directory used needs to be enabled via utl_file_dir prior to 9iR2 and with a directory object after that.

who_can_access.sql pete@petefinnigan.com This short script is the fourth in the series of useful scripts that can be used to audit an Oracle database. This script allows to to test the privileges that have been granted to any users or roles or again as with the other scripts users via roles, via roles.. etc. You can supply the name of most object types, tables, views, procedures, packages, directories, libraries etc and find who has been granted each privilege. In this report unlike the others there can be multiple entries per object. For instance a TABLE may have SELECT and INSERT privileges granted on it.

The output can be directed to either the 'S'creen or to a 'F'ile. This is prompted for at run time. If a 'F'ile is chosen then a file name and output directory are needed. If 'F'ile is chosen then the directory used needs to be enabled via utl_file_dir prior to 9iR2 and with a directory object after that.

check_parameter.sql pete@petefinnigan.com This is the last of the five core auditing scripts available from this tools page. There will be others in the future but the first five here are useful core tools. This script allows you to neatly print out the values of initialization parameters from the database and to also check the results against a known correct value. The script also allows you to check hidden or undocumented parameters. A sample usage of this script is given here.

The output can be directed to either the 'S'creen or to a 'F'ile. This is prompted for at run time. If a 'F'ile is chosen then a file name and output directory are needed. If 'F'ile is chosen then the directory used needs to be enabled via utl_file_dir prior to 9iR2 and with a directory object after that.

audit_last_logon.sql pete@petefinnigan.com This short SQL script can be used to find the last time database users logged on to the database. It prompts for the number of days since last logged on. For instance if you wish to find users who have not logged on for 2 days run the script as follows:


SQL> @aud_last_logon

Enter value for number_of_days: 2
old 13: and a.timestamp<(sysdate-&&number_of_days)
new 13: and a.timestamp<(sysdate-2)

USERNAME OS_USERNAM TIMESTAMP LOGOFF_TI RETURNCODE TERMINAL USERHOST
---------- ---------- --------- --------- ---------- ---------- ----------
PETE oracle 10-JUL-03 10-JUL-03 0 pts/1
SYSTEM oracle 10-JUL-03 10-JUL-03 0 pts/1
TESTER oracle 09-JUL-03 09-JUL-03 0 pts/1
ZULIA oracle 12-MAY-03 12-MAY-03 0 pts/1

4 rows selected.

SQL>

To find all users last logon time simply put in "0" as the number of days.

find_audit_privs.sql pete@petefinnigan.com This short SQL script can be used to find the users who have been granted privileges to audit the database.Run the script as follows:


SQL> @find_audit_privs

GRANTEE PRIVILEGE ADMI
-------------------- --------------- ----
CTXSYS AUDIT ANY NO
CTXSYS AUDIT SYSTEM NO
DBA AUDIT ANY YES
DBA AUDIT SYSTEM YES
IMP_FULL_DATABASE AUDIT ANY NO
MDSYS AUDIT ANY YES
MDSYS AUDIT SYSTEM YES

7 rows selected.

SQL>

Useful Oracle security tools from other authors

The following list of links are to useful Oracle security and auditing tools written by other authors.

If anyone has any good links or papers about Oracle security tools in particular that I have not found myself yet, please let me know the URL and I will add them to the list below. Please email tools@petefinnigan.com.

Pete Finnigan does not endorse the use of these tools for illegal purposes. They are however useful tools to use for auditing of your own Oracle database. Most of the authors of the tools listed below also take a similar stance on their web sites!

Tool By Description
Hedgehog Standard Edition Sentrigo Inc This is a completely free version of the Sentrigo Hedgehog Database Activity Monitoring software. It uses the same groundbreaking technology used in the enterprise edition and provides real time activity and alert monitoring.
Oracle PL/SQL Fuzzer Joxean Koret This is a PL/SQL fuzzing tool written in python and freely distributed via the bugtraq, full-disclosure lists on December 6th. This is a fairly simple tool that is GPL and can be easily extended. The author says that he will release an Oracle specific vulnerability assessment tool that this is part of soon.
Oracle Default Password checking tool Marcel-Jan Krijgsman and Pete Finnigan This is a set of SQL and PL/SQL scripts that can be used to check a database for the existance of any default user accounts with their well known default passwords still set. The list of accounts used is based on the largest list of Oracle default users on the net. Use this tool to ensure that your database is not vulnerable to the most fundamental issue is Oracle security 101.
Oracle stand alone password cracker for Windows Alex Kornbrust Alex Kornbrust has just released a stand alone Oracle dictionary password cracker on his web site. This is available as a binary and libraries. Also included is a small dictionary file that consists of a default password list. A bigger dictionary file is available with the 4.7 MB download. This is a very useful tool for performing Oracle database security audits as it is the first publicly available stand alone Oracle password cracker written in a 3gl language rather than the PL/SQL based crackers previously available.

Alex has updated both of the Windows versions to 1.1.

Oracle stand alone password cracker for Linux (shared linked) Alex Kornbrust The Linux version is linked for shared libraries and includes a default password list and a 1.5 Million word wordlist. It only supports the standalone mode. The download is 3.9MB. Alex has also provided a second Linux version. This is standalone, shared and static linked. This also includes the default password list. The download of version 1.1 of checkpwd is 5.5MB

Alex has updated both of the Windows versions to 1.1.

Oracle Password Cracker - orabf - version 0.7 0rm - Toolcrypt I have known about this Oracle brute force and dictionary password cracker for over a year now. This is a brute force and dictionary password cracker for Oracle. It is also possible to define the character set used in a brute force attack. You can choose, alpha, alpha+numeric, numeric and all the character key space. You can also define the number of characters in the password to check up to. It is also possible to stop the run and use the resume feature to carry on a previous attack. The tool also comes with a batch script to attack multiple password hashes in one run and also a very very good permute program for mangling dictionary files. Also included is a default password list.

But the best feature is kept until last. This is quite simply the fastest Oracle password cracker there is. I have clocked it at 1.02 million hashes per second on a 2.8 gig pentium 4 laptop.

Hashattack 2.0 Joshua Wright This is a set of PL/SQL, SQL*loader and shell scripts that can be used to check for weak passwords for any Oracle database account. The tool generates a list of password hashes for one user from a dictionary file (word list) and stores the resulting username, password (clear text) and password hash in a table. The pre-computed list can be used to test if the password set of a user is weak. This pre-computing of password hashes means that checking of passwords can be fast against a dictionary. This tool uses the ALTER USER syntax to find all password hashes and so it slow. It uses the same techniques as Adam Martin's tool and also the Bear Dang Oracle cracker except those tools do the checks in real time rather than pre-computing.Please note that the links no longer work and no current download can be found. The link is still here for reference but does not work.

This is not a new idea, but this is the first free tool available to pre-compute hashes. The same technique is described in detail in David Knox's book. The technique is useful but is limited as a pre-computed table is needed for each user to be checked. This is a useful technique for the popular default accounts but for other users accounts it is probably better to simply use other tools such as the two PL/SQL based crackers listed here.

This tool has been updated to version 2.0

The previous version 1.0 is available here, if necessary.

Oracle Password Brute Forcer (Perl) dab - !dSR - www.digitalsec.net I was made aware of this perl script that can be used to brute force Oracle database passwords. The script is reasonably simple. It first builds TNS packets to get the SIDs/services available from the listener that is being queried. It then uses the SID's found and attempts to connect to the database.
OScanner Patrik Karlsson - http://cqure.net Patrik Karlsson has today released a new Oracle security scanner written in Java. The tool is free for download as a binary or as source code. The scanner is an Oracle assessment framework written in Java and it has a plug in architecture. It is delivered with a couple of plug-ins that already do :
  • Sid Enumeration
  • Passwords tests (common & dictionary)
  • Enumerate Oracle version
  • Enumerate account roles
  • Enumerate account privileges
  • Enumerate account hashes
  • Enumerate audit information
  • Enumerate password policies
  • Enumerate database links

This looks like another great tool from Patrik.

CIS Oracle database security benchmark tool The Center for Internet Security The center for Internet Security provides benchmark documents that are intended to be a best practice minimum standard on securing each piece of equipment that is the subject of the document. There is an Oracle security benchmark document that was developed by CIS in part from the SANS Oracle Security step-by-step written by Pete Finnigan. This scoring tool is based on the benchmark paper and checks most of the items in this paper. The tool provides a score as to how compliant you are with the benchmark.

Some items in the benchmark are not covered by the tool but you can check this from the document itself as each item in the benchmark document indicates if its included in the tool. The tool covers quite a lot of items in the score by asking a questionnaire at the beginning of its operation. The rest of the checks are done programmatically. The tool is written in Java and is available for Windows, Solaris and Linux for Oracle 8i and 9i.

The tools are free for download.

Oracle Password Cracker - version 1.6 Adam Martin This tool is a dictionary attack based Oracle password cracker. It is written in PL/SQL and uses the alter user method to encrypt username/password pairs to then compare with a passed in hash. If you pay for the source code you also get an Oracle form to run the tool from a GUI interface.

It has some serious drawbacks as its use can cause serious resource problems to the database it is run on. It is advisable to run this tool an a separate database. Its performance is not brilliant due to the method used but it is useful for performing dictionary attacks to verify if users of your database have set weak passwords.

Alternate link to details of Adam's cracker is available on the Web Archive. This is just a link to the details. The cracker is no longer available even from this link. If anyone knows where it can be downloaded them pelase let me know.

Oracle Password Cracker by Bear Dang, tran technologies limited This tool is a PL/SQL based brute force password cracker for Oracle databases. The tool utilizes the same method as Adam Martin and complements it as they both do one of the methods, brute force or dictionary attack - the ALTER USER statement. The tool is reasonably well written and the authors have taken the time to look at performance and use of the tool. They specify init.ora parameters that will help it to not hog all of the system resources.

As with Adam Martins tool i would run this on a separate database. It is restricted as it does not do dictionary attacks but as the source is included this would be easy to add.

Oracle Toplink Mapping Workbench - Password decrypt tool Martin (broadcast@mail.ptraced.net) This simple perl script allows decrypting of Oracle toplink mapping workbench passwords. The algorithm was made public on 26 Jan 2004 and a link to this is available here.

Thanks very much to Martin for allowing me to post his perl script here.

Oracle Auditing Tools Patrik Karlsson This is a great free tool kit that utilizes the know vulnerabilities with external procedures in Oracle to create a library that accesses the WinExec function in the kernel32.dll library. or the system() call on Unix. The tool also includes a simple Oracle dictionary attack tool to test default passwords that are known or with a user supplied dictionary. Once access is gained with a suitable user the system() library is created. The tools are Java based. The following components are available. OraclePWGUess, OracleQuery - a minimal SQL query tool, OracleSAMDump - which connects to an Oracle server and executes a tftp get to get the pwdump2 binary. OracleSYSExec - can be run in interactive mode to allow the user to specify commands to be executed on the server. OracleTNSCtrl - is used like the listener control utility lsnrctl to query the listener.
Oracle SID Enumeration Patrik Karlsson This is another great free tool that can be used to enumerate Oracle SID's on a network. Basically it tries to find Oracle databases by sending commands to the Oracle listener similar to the lsnrctl services command.
tnscmd James Abendschan This is a tool written by James in an attempt to see how the listener functions. It was used to exploit some memory corruption issues with the listener. It also includes a documention page and is still a useful tool in the Oracle security professional's toolkit.
Oracle listener security check version 2.2 Integrigy

Update, xmas 23rd December 2006

Integrigy have just released a complete re-write of this tool. This is a great tool now with a lot of new features. The original 3 checks have been enhanced and the complete list of checks includes:- 1) the listener version, 2) Whether the listener password is set, 3) whether ADMIN_RESTRICTIONS are set, 4) whether listener logging is on and 5) whether LOCAL_OS_AUTHENTICATION is on or off.

The tool also includes a set of FNDFS Oracle Applications 11i listener checks. Oracle Applications includes a seperate listener, defaulted on port 1626 in addition to the database listener. This listener is an Oracle 8.0.6 listener.

The tool also includes a SID enumeration tool and also a TNSNAMES.ORA security check. Also if you dig deep and venture to the about page you are rewarded with an extra link that takes you to a page that can be used to generate TNS names entries, 10g connect strings (the new short ones) and JDBC connect strings.

Oracle Security Check ensync Solutions This is a simple GUI windows tool that can be used to audit known default passwords in an Oracle database.
dbcool_audit.pl Geoff Ingram This is a short security audit script written in perl that can be used to do a simple Oracle security audit.
A Simple Oracle Installation Security Scanner Pete Finnigan This is the script from the simple Oracle security scanner paper I wrote for security focus whilst still working for a previous employer.
fileprobe.sh Tim Gorman This is a superb script written by Tim Gorman. This korn shell script checks the files in the $ORACLE_HOME and $ORACLE_BASE for any security loopholes.

UPDATE 29-Apr-2005 Tim has just made some updates to this excellent script. He has added details of the changes made to the script in the files header.

tnsprobe.sh Tim Gorman This is a another superb script written by Tim Gorman. This korn shell script looks for Oracle listeners on a server on ports from 1025 to 65536. If a listener is found then it is probed to check if the listener is passworded and then an attempt is made to break into the database with oraprobe.sh to see if any default accounts are still active with default passwords.
oraprobe.sh Tim Gorman This is the last superb script written by Tim Gorman. This korn shell script looks builds an SQL script with some easy to guess passwords and then uses it to try and break into the database to check security.
nessus Nessus Nessus is the ubiquitous security scanner. It includes quite a good list of plug ins for Oracle specific vulnerabilities.
metacoretex metacoretex metacoretex is a completely Java based security scanning framework that specialises on databases. There is a list of probes that can be plugged in. There are a number of Oracle probes included to scan for quite a few issues.
p6spy p6spy.com This is an excellent open source Java tool called p6Log that intercepts and logs all of the database statements sent by applications to the database that use JDBC. This code works on many databases including Oracle. There are some GUI add-ons that allow analysis and caching of some SQL statements. The tool obviously has security uses as well in an environment that uses JDBC. It is worth looking into as an option for auditing user access.
OCISPY - ORACLE OCI client side tracing and monitoring utility Sergey Sikorskiy OCISPY is a free tool that allows OCI calls to be logged to a trace file. This is a useful tool to understand what an application is doing if it uses OCI. It is free but the source is not available. It works on Linux and Windows. It doesn't support all OCI calls and is a bit dated (2001) now but still could be of use on security research or possibly for auditing what a third party application is doing so that it can be secured correctly.
hide.c D Beusee This is Oracles hide.c program that can be used to hide program arguments from ps commands. The notes in it suggest that this fools all known Unix ps commands. It works quite simply by padding argv[0] with 3000 slash characters.
Linux rescue boot disk Thomas A. Oehser This is a great site that includes a disk image for Linux. This is a floppy disk image not a CD image. This is a Linux (small Linux) distribution that aims to be first and foremost a rescue and recovery disk. The disk includes an impressive array of tools and utilities and also supports itself. That is, the author maintains the disk image running under a copy of this distribution. Finally the disk also supports a live root file system. This is an excellent tool that can be used to access failed systems supporting Oracle databases.
Helix CD Knoppix / Helix Paul Drake made me aware of this tool in a comment to one of my weblog posts about a recovery floppy disk that is listed above. This CD is called Helix and is a customized version of the Knoppix CD. The Helix CD is a live bootable Linux distribution that includes a lot of tools dedicated to incident response and forensics. The CD has been specially created to not alter the HOST PC in anyway. This CD` is used in SANS track 8 - System Forensics, investigation and response course.
LMon - log monitoring tool Anders Nordby I just found this useful Perl log monitoring tool issued under a BSD license. The tool allows near real time monitoring of logs. Email can be sent when log events match rules that have been set up or when unknown data is found.
OPR (Oracle Password Repository) Jan-Marten Spit and Jasper Spit I have just come across this useful piece of software on sourceforge. It is an Oracle Password Repository. This is a Unix security tool used to store and retrieve Oracle database passwords. The idea is that instead of having Oracle database usernames and passwords stored in a file or environment variable or hard coded in SQL scripts or shell scripts that call SQL*Plus you instead store the usernames and passwords in OPR and call OPR from the scripts or script invocations to return the username and password. This can make the use of SQL scripts a little more secure in terms of leaking passwords.
URL Fixed Oracle .NET GUI default password check tool Mark Woan Mark emailed me to let me know of a new .NET GUI default password tool that he has written that utilizes my default password list. It needs the Oracle data provider for .NET but it should be a useful tool for folks who like GUI tools rather than installing SQL file and tools.
New Version: Password changing tool
Password changing tool
Noel Talard

A new version of this tool has been released by Noel and this is available here from the link above. The new version deals with the replace syntax in ALTER USER IDENTIFIED BY...

A question was asked on the Oracle-l list about any free tools that exist that can be used to manage Oracle passwords. Stephane faroult emailed me about this free Java tool called ChgPwd written by Noel Talard. Noel has kindly agreed to let me host this tool here on my free Oracle security tools section. As I said it is Java based. There is a properties file that you can fill in, the one in the zip file includes examples. There is also a batch script that can be used to launch the Java tool. The tool performs a number of basic checks (at least 6 characters, at least one digit, different from username, different from previous password). I have not had chance to test this tool yet, but will do so. If you need to manage Oracle passwords then this tool could be of user to you.
WinSID (free) - Oracle instance discovery tools Paul Breniuc Paul Breniuc has written this great Oracle instance discovery tool. The tool does not need an Oracle client and is not a wrapper on top of the Oracle client. It can be used to interrogate the Oracle listener to display information about remote (and local) listeners - For instance services, SID, listener statistics on established connections. The link above points to Paul's main page for this tool and it gives some details of the tool and also some graphics of it in use. A great feature is the fact that a working TNSNAMES.ORA connection string is stored in the Windows clipboard. As I said the tool does not use Oracle libraries / OCI etc. It used native network code to send packets to the listener. The free version does not support all listener commands, the Pro version does. The free version does not support TNSPings but Paul has a free TNSPinger for this - It doesn't look like it has been released yet.

The tool is available for free download from Paul's site and there is also a professional version WinSID Pro that can scan complete networks looking for Oracle listeners. The free version of WinSID Oracle instance recovery tool was available from here http://www.syntheticbytes.com/oracle/WinSID.zip.

UPDATE I have just come across a download site for this tool. The original author removed it from his own site some time ago but WinSID is available for download again.

Oracle TNSLSNR Full Client DokFLeed This is a full hand coded TNS protocol client. It is written in C and has a small GUI interface. The tool completely replicates all of the commands that the listener daemon accepts. Full crafted TNS packets are also supported. The tool is a re-write of the James Abendschan tool tnscmd.pl also listed on this page. This tool supports the following commands:

ping , version , service , status change_password, help, reload, save_config, set connect_timout set display_mode, set log_directory , set log_file , set log_status , show , spawn stop plus full packet crafting.

There is also a 10g version on the way.

Oracle Internals Tools

All of the tools listed in this section are for Oracle internals work and are written and provided by other sites as indicated. Contact them for more details.
Tool By Description
jDUL / DUDE dude@ora600.org This site details Kurt Van Meerbeeck's Tool jDUL, which has been renamed to DUDE (Database Unloading by Data Extraction)which is a data unloader. This tool performs the same service as Oracle's own DUL (Data UnLoader). Kurt has written DUDE in java to extract data from Oracle database files without the database instance being started. This can be used to extract data very fast or can be used to extract data from a crashed database. It supports 8, 8i, 9i and 10g and also can recreate the data dictionary, can extract complete tablespaces, pl/sql, most data types, chained and migrated rows, partitioned tables and much more. The tool can be leased for short periods or can be operated by Kurts team for a client. Miracle AS are offering consulting based on the tool as perferred partners.

Commercial Oracle security tools

The following list of links to commercial tools for auditing, scanning or penetration testing an Oracle database. I offer no recommendations as to which tools are better than others.

If anyone has any good links or papers about Oracle security tools in particular that I have not found myself yet, please let me know the URL and I will add them to the list below. Please email tools@petefinnigan.com.

Pete Finnigan does not endorse the use of these tools for illegal purposes. They are however useful tools to use for auditing of your own Oracle database. Most of the authors of the tools listed below also take a similar stance on their web sites!

Tool By Description
Hedgehog Enterprise Sentrigo Inc This product is database activity monitoring software that provides virtual patching, IDS and IPS functions for the Oracle database. The link above provides a more detailed description of the enterprise product.
AppDetective for Oracle Application Security Inc This tool is a network vulnerability scanner for Oracle databases. It supports three modes, discovery which find Oracle databases in your organisation, pentest which performs a penetration test against your Oracle databases for know vulnerabilities and exploits and finally it is security audit tool used to test the configurations and settings of your database. The tool is very comprehensive and with NGS Softwares NGS Squirrel is one of the top Oracle audit tools in terms of numbers of checks for configuration and vulnerabilities. Free trial download available
DbEncrypt for Oracle Application Security Inc This tool allows data to be encrypted within the Oracle database. It supports column and row level encryption and supports a good range of encryption algorithms. These include AES, DES, Triple DES, Blowfish, Twofish and many more. The tool supports many templates to build your procedures from and also supports a point and click interface to aid installation of encryption in your database. Free trial download available
NGS SquirreL for Oracle NGS Software NGS Softwares tool ranks in the top two Oracle security auditing / scanning tools along with AppDetective. This tool provides a comprehensive audit for current and future Oracle security issues in your database installation. It supports three levels of scan, quick, normal and full. It audits for all configuration issues, listener issues, security privileges and like AppDetective it does a brute force password audit. NGS Squirrels selling point is that it checks for vulnerabilities found by NGS that are not public knowledge yet.Free trial download available
orascan NGS Software This is the second offering from NGS Software and is the only tool capable of auditing custom web applications running on Oracles application servers. Orascan also audits the Oracle application server to ensure no known security bugs exist. It can audit PL/SQL, JSP, SQLJSP and XSQL. Free trial download available
AuditPro for Oracle Network Intelligence India Pvt ltd This is clearly the up an coming layer in the Oracle security scanner market. The tool is designed by KK Mookhey and is coming on in leaps and bounds recently. NII are looking to improve and add to this tool at all times. It does a pretty good audit not covering the breadth yet of AppDetective or NGS SquirreL but it is still worth a look. One of AuditPro for Oracles unique features is its baseline technology that allows a check to be done in the future against a previously baselined database. Free trial download available
Database Scanner Internet Security Systems (ISS) This database scanner is a bit dated now but is still a database scanner for Oracle. It still covers quite an interesting range of checks.
ESM for Oracle Symantec This database scanner like ISS's tool is a little dated now and does not keep up with current issues, vulnerabilities and checks like the major players do.
VigilEnt for Oracle NetIQ (Formally Pentasafe) Again like the previous two this database scanner is also a little dated now and does not keep apace with its more modern competition.
Orange for Oracle OR Solutions This tool competes with PL/SQL and Oracle development tools such as TOAD but the DBA tools version includes some security monitoring features. This tool can also be used in conjunction with OR Solutions other two tools discussed next.
Chakra OR Solutions This tool could be thought of as a performance monitoring tool but also includes auditing features, It is implemented outside of the database and as such should not impact the database performance. It detects all SQL statements being sent to the database. The tool could provide very useful auditing features on top of the normal Oracle implementations.
Trusted Orange OR Solutions The third product in OR Solutions range is perhaps the most interesting and is probably unique. It is built on an trusted Orange authorisation server. users authorise through this server and it controls the types of access and use users can make to the database. The product has a very interesting concept. It is possible to define rules and definitions of what is allowed and what isn't. If a user or developer submits a piece of SQL (a report) to the database it waits for authorisation by a manager or other authority before being allowed to execute. Quite an interesting concept with uses in the military, secret services and any organisation that would like to control users database access more closely.
nTier / Audit nTier Security Solutions This is a very interesting product aimed at multi- tier applications and applications security in general. The tool provides assessment detecting and protection of your multi-tier applications. There is currently a solution for Oracle Applications and Peoplesoft.
AppSentry for Oracle Application Server Integrigy The AppSentry for Oracle application server detects security risks and vulnerabilities within the oracle application server. It includes over 100 audits and checks. It performs external "break in" type checks as well as many application server specific checks that other tools often miss. It also includes a password module that will brute force application server and application authentication using default passwords, password lists or a dictionary attack.
AppSentry for Oracle Integrigy This tool from Integrigy mirrors the tool for the application server and checks over 100 vulnerabilities and issues. It also provides a password module and tests are performed externally to the database in an attempt to break in. Common ports and database accounts are checked for known configuration issues.
AppSentry for the Oracle E-Business Suite Integrigy This is the third tool in the AppSentry suite specifically aimed at Aoracle applications and the E-Business suite. This tool detects security risks and vulnerabilities in the Oracle applications technology stack. It tests for over 300 issues and vulnerabilities. Like the previous two tools it does a lot of its testing by trying known vulnerabilities externally to the applications and tries to break in. It also includes internal checks the entire Oracle E-Business suite configuration and transaction processing to look for security risks and possible fraud.
AppDefend for Oracle Integrigy AppDefend is a new tool and is not released yet. Its release date is expected to be April 12th 2004 and further technical information should be available then. It is an intrusion detection and prevention tool aimed at Oracle Applications 11i. It will come with a large set of rules already configured.
Secure.data Protegrity Secure.Data is one of the three main players in the Oracle encryption market.
Encryption Wizard Relational Database Consultants Inc Encryption wizard is one of the three Oracle database encryption players.
Guardium SQL Guard Guardium Interesting tool that captures SQL streams as they are sent to the database. The method used is network based and captures all SQL sent to the database. There are many standard reports useful in auditing situations. The database information can be integrated with network and application audit info. The tool is customizable in what reports can be generated.
Data security audit system IPLocks Inc This looks like quite an interesting product that monitors continuously for malicious activity in your database. It can monitor configurations, privileges, metadata, content and user behavior. It looks like a very configurable tools. Worth looking at if you are interested in database security.
Entegra for Oracle Lumigent Technologies, Inc. This is a new product released a couple of months ago by Lumigent. Entegra for Oracle uses a proprietary log reading approach to capture a comprehensive audit trail of all activity in the database including DML, DDL and SELECT statements. It uses lightweight agents to collect audit data from the target servers stores it in a separate repository for archiving and reporting. The Entegra report server allows a point and click approach to creating, distributing and scheduling reports and includes ready made templates.

The interface is used also on a SQL server product and should provide a common interface for companies to monitor all database activity. This looks like a very interesting product. It should make complying with some of the new regulations such as Sarbanes Oxley and HIPAA easier. The fact that the repository is separate is a good security plus and also the GUI will allow sorting, filtering and correlation and even alerting. Processing Oracle auditing has never been completely done all in one place so this looks useful.

Zeus Extensible Traffic Manager (ZXTM) Zeus Technology Ltd. I came across this product recently. Zeus Extensible Traffic Manager (ZXTM) is an interesting product. It looks like a network appliance that is paced between the internet and the servers hosting the Oracle database. ZXTM filters all network traffic destined for the Oracle database or application servers. Any hostile traffic is filtered out and not allowed to pass so thwarting hack attempts against the database. The link to the product includes a simple diagram of how the product works. ZXTM can be deployed on a fault tolerant cluster that acts as an application level firewall. It is also able to load balance the network traffic and filter dangerous network traffic at the same time. ZXTM also supports multiple protocols and can also act as a back end monitor checking that all services are running. A free 30 day trial is available.
AppDetective for Oracle Application Server Application Security Inc AppDetectiveT for Oracle Application Server is a network-based, vulnerability assessment scanner that locates and assesses the security strength of database applications within your network through penetration testing techniques. Armed with a revolutionary security methodology together with an extensive knowledge base of vulnerabilities, AppDetectiveT for Oracle Application Server will locate, examine, report, and help fix your security holes and misconfigurations at your command.

You can see a complete list of checks it looks for here

AppDetective for Web Applications Application Security Inc AppDetective for Web Applications (can be run against any Oracle HTTP component including Oracle Application Server, Oracle HTTP Server, Oracle Containers for Java, Oracle Reports Server, etc...)

AppDetectiveT for Web Applications is a network-based, vulnerability assessment scanner that locates and assesses the security strength of web applications within your network. Armed with a revolutionary security methodology together with an extensive knowledgebase of vulnerabilities. AppDetectiveT for Web Applications will locate, examine, report, and help fix web application security holes and misconfigurations at your command.

You can see a complete list of checks it looks for here.

AppSecInc Console Application Security Inc A unified front-end for AppSecInc products, the AppSecIncT Console centralizes database security management across complex, heterogeneous environments. With its Web-based user interface and role-based access control features, organizations can easily distribute database security testing, auditing, and real-time monitoring functions across workgroups and business units.
AppRadar for Oracle available 4th quarter 2004 Application Security Inc AppRadarT is a host-based, database auditing and intrusion protection system (Db-IPS) for large enterprises who struggle to secure their databases amid increasing zero-day threats and mounting regulatory requirements. Unlike generic network or operating system solutions, AppRadar provides database-specific, active protection and monitoring. As a complementary database intrusion protection system, AppRadarT now makes it possible to monitor and defend the data stored within your database.
The Data Masker Net 2000 Ltd. The Data masker is a new tool that can protect sensitive information in test databases by replacing real data with false but realistic looking data. The data stays usable but does not disclose any real details. It can exchange many types of data such as credit cards that will not work, incorrect phone numbers, random last names, random and false company names, generated street addresses. The tool uses rules to map the data changes that can be then reapplied to the data again. The tool looks very interesting and will find a lot of use in adhering to the regulations such as SO, HIPAA, GL&B and the UK Data Protection Act as well as the rules imposed by the likes of Amex and Visa and other credit card companies.
OraDep - Oracle Objects dependencies analysing Sam Trest I just came across this fairly new program that has been written to analyse dependencies between objects in the database such as procedures, tables, views etc. The program can produce a hierarchy of dependencies between objects that have been selected to be analysed. It also produces HTML reports and shows the text of the programs where the dependencies occur. The program can also be used to analyse the dependencies between objects in Forms source code and also the database.

OK, so what has this got to do with security? - quite a lot. If you are analysing or auditing the objects for security issues in the database a dependency tree is often needed to see the relationships between objects. This is also particularly useful when the object dependencies can be audited at the source code level to see the use of the particular object. A tool like this could save a lot of time when tracking down security issues.

Three things i should say about this product, the first is I have not downloaded the program yet to try it, the second is that it is not clear if this program is free or not, hence I have added it to my commercial section. There is a free trial version, hence my assumption that it is commercial although there are no details of commercial pricing. The final point is that I have not looked into this programs market area to see if there are other similar programs and how they compare.

DB Audit 2.5 SoftTree Technologies Inc I just came across this product via a thread on the Oracle-l mailing list. This is a database auditing solution that can be used not only on Oracle but also Sybase, DB2 and MS SQL Server. The tool allows the DBA or security auditor to monitor all changes and access made to the database. Some of the key features include a central repository for monitoring multiple databases. This fan improve security by isolating the audit trails and it can also provide cost benefits by centralizing the audit data. The tool includes a GUI interface and also central reports. It can audit traffic that cannot be audited natively. DB Audit 2.0 also provides real time alerting.

There seem to be a growing number of tools in this space currently and this is an exciting and useful tool space. Although I didn't find it detailed in my cursory look, I suspect that this tool, like others simply analyses the network traffic to and from the database. This sounds a very interesting tool though.

UPDATED 06-Jun-2005 I have just updated the link on this tool and also the version number. The product has been updated to version 2.5. I have not tested it but it is available as a free trial download. It seems worth a look if you are looking for an audit solution.

Ambeo Ambeo I just came across this product via a thread on the Oracle-l mailing list. Ambeo has a range of products available for auditing and monitoring databases in the enterprise. They range from covering performance optimization, data privacy auditing, data migration and resource optimization. The website gives some interesting information that indicates that many databases can be monitored, that users can be monitored across the enterprise and even redundant data can be identified.

The auditing solution looks quite promising, the product can detect and audit access to critical or data that has to be legally protected. It can also detect security protection breaches and also find use of non authorized applications. It seems again from the look I had of their site that they too analyse the network traffic like other products on this page.

nCipher - SecureDB nCipher This is an interesting security product that offers column level encryption to data even when at rest. It provides a simple and cost effective deployment method that requires minimal integration with the applications. The product page quoted here supports - column level encryption, granular access control, transparent to e-commerce and legacy applications, segregation of admin and security functions and integration with FIPS 140-2 level 3.

This looks like a very interesting product and well worth a look into.

Repscan Red Database Security This is an interesting product by Alex Kornbrusts company Red Database Security based in Germany. Repscan is used to verify that an Oracle databases dictionary and objects have not been tampered with. This could be because of an Oracle rootkit being installed or an Oracle virus or because someone in your organisation has been altering database objects that should not have been altered. The tool works by first generating a baseline repository that is then subsequently used to test if any objects have been changed.

The tool works by generating checksums of each object and stores them for later comparison. It is important that the baseline generated is clean and protected from amendment. The tool also checks for some basic Oracle security issues such as checking default passwords.

A free limited trial version of the tool is available for download.

Ingrian DataSecure Platforms Ingrian Networks Inc This is an interesting encryption product that offers a way to encrypt critical data in applications and databases. This is a network appliance and offers a way for companies to meet current legislation. The features include granular encryption and centralized security management. The implementation claims to be seamless (i have not verified this). It offers secure key and policy management, segregation of duties, it is transparent to users and applications. One good advantage is that the cryptographic processing is done away from the database server so the load increases expected with heavily encrypting a lot of data will not be seen. There are three components, the DataSecure Appliance, the Network Attached Encryption server which runs on the DataSecure appliance and the Ingrian NAE connector - a software provider that is installed on either the web server, application server or database server. The appliance is a dedicated hardware component that is designed to just do the computations. It provides redundancy and also has an optional FIPS 140-2 level 3 hardware module providing tamper proof protection of the encryption keys. There are 4 appliance levels each offering different processing power.

The product suite supports Oracle, DB2 and Microsoft SQL Server.

I have not looked at this product in real life yet but it does sound like an interesting alternative the built in encryption solutions in the database.