Call: +44 (0)7759 277220 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "I am presenting at the DBMS SIG in Melton Mowbray about Oracle security"] [Next entry: "CIS Oracle security checklist referral"]

DBMS SIG conference today - A security focus

I have just returned home from the UKOUG DBMS SIG conference held today in Melton Mowbray. I was speaking about many ways to become a DBA. I also attended two other security oriented presentations. The first talk was by Chris Dunscombe of Christallize who talked about DIY Fine Grained System Privileges. This was a very interesting talk and covered some ideas I have been talking about also for years. Chris discussed a PL/SQL package that he developed for a previous client where he controlled access to wide ranging system privileges via a PL/SQL wrapper. The package was controlled by a table that held the rules of what system privileges can be used by which users and against which objects. The package can be run by a user and a check is made to ensure that the user can execute the necessary privilege. An example is the limitation to truncate certain tables by certain users through the package. To truncate a table in another schema requires the granting of DROP ANY TABLE. This package protects the database from a user being able to truncate any table. The same applies to other system privileges. I have suggested a similar method many times in the past. Grant a system privilege to a user then restrict its use via a PL/SQL wrapper and then allow others to use the PL/SQL wrapper.

I liked the idea of a framework in PL/SQL that is controlled by a parameter table to allow wide ranging privileges to be reigned in. Unfortunately Chris's package is not available publicly. If I get a chance I will look at writing a similar package and make it available via my tools page or if anyone else out there has a similar package already or would like to help write one let me know.

The second Oracle security talk I listened to was by Carl Dudley of the University of Wolverhampton talked about Transparent Data Encryption. This was an excellent talk about this new 10gR2 feature and explained its setup, use and some issues very well. Carl has been experimenting with different datatypes, changing keys and also he has looked in detail at data sizing on disk when different algorithms are used with and without salt. He has also experimented with using the datapump (10g fast export and import) and also RMAN with transparent data encryption. This was an excellent talk that gave a very thorough overview of TDE.