
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.


Be Careful of What You Include In SQL*Net Security Banners

A short post today to add a little to the post I made the other day. In that post, "Add A SQL*Net Security Banner And Audit Notice", I talked about using the sqlnet.ora parameters SEC_USER_AUDIT_ACTION_BANNER and SEC_USER_UNAUTHORIZED_ACCESS_BANNER to add security banners to your SQL*Net logins through tools such as SQL*Plus.

I got an email from someone today who advised me of a gotcha around this. He said he had implemented something similar using a logon trigger many, many years ago, where this logon trigger was able to output a banner of the form:

/*************************************************************************
THIS IS MY SECURITY BANNER
**************************************************************************/

But some shell scripts (bash, sh, ksh etc.) that then called sqlplus to connect to the database read in the output, which included the banner and the stars. Because of how the shell script was constructed, this output was converted into shell input, and in his case the stars were converted to file listings from the CWD (Current Working Directory). This caused problems for him.

So, be careful what you add to your banners: keep them to straight text with no special characters, as that is unlikely to cause problems for any automated processes that connect to the database, BUT test and make sure!
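
The gotcha above, reproduced as an added example (not code from the original post or from the emailed script). It assumes the script captured the sqlplus output and expanded it unquoted; `fake_sqlplus`, the function names and the temporary directory are constructed stand-ins, and no database is contacted.

```shell
#!/bin/sh
# Constructed stand-in for `sqlplus -s ...`: prints a banner like the one in
# the post, followed by one query result line.
fake_sqlplus() {
    cat <<'EOF'
/*************************************************************************
THIS IS MY SECURITY BANNER
**************************************************************************/
42
EOF
}

# Fragile: $out is unquoted, so the shell word-splits it and then treats every
# word containing '*' as a filename pattern. Runs with directory $1 as CWD.
unquoted_words() (
    cd "$1" || exit 1
    out=$(fake_sqlplus)
    printf '%s\n' $out
)

# Robust: quote the expansion and keep only the line shaped like the expected
# result (an integer here), so banner text never reaches later commands.
quoted_result() (
    cd "$1" || exit 1
    out=$(fake_sqlplus)
    printf '%s\n' "$out" | grep -E '^[0-9]+$'
)

# Constructed working directory with two sub-directories for the stars to
# expand into (the banner's last line ends in '/', so it matches directories).
demo_dir=$(mktemp -d)
mkdir "$demo_dir/payroll" "$demo_dir/backups"

echo "unquoted expansion:"
unquoted_words "$demo_dir"   # '/' entries, banner words, backups/, payroll/, 42
echo "quoted and filtered:"
quoted_result "$demo_dir"    # only the query result

rm -rf "$demo_dir"
```

Running the calling scripts against a test login with the banner enabled, as the post advises, is the quickest way to find every unquoted expansion before the banner goes live.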

Bye for now from WFH!