SQL> select sys_context('USERENV','DBLINK_INFO') FROM DUAL@TEST;
SYS_CONTEXT('USERENV','DBLINK_INFO')
The key to DBLink security is to create a separate user for the link that is uniquely identifiable and low privileged
in itself. Then grant the appropriate privileges to that user or grant access through a stored procedure.
Oracle has updated the database link encryption mechanism both for 11.2.0.3 and for 12c, and it is useful to know
that the algorithm for this new encryption is already reverse engineered within the information security community.
Chapter 10 will detail this decryption and, most important, how to stop an attacker from doing so on your database.
In 11.2.0.3 and above, SYSDBA is required to select DBLink passwords. SYSDBA is the highest privilege and as
such is very difficult to control. Database Vault is designed to control SYS, but obvious issues with maintaining the
database (e.g., backups and patches) mean that DV has its failings. The common counterbalance to SYSDBA's power is
monitoring in the form of audit-logging.
A powerful, cheap, and efficient method of audit-logging SYSDBAs in a large estate is centralized syslogging.
It is built into 10.2 upwards, including 12c. The database syslog correlates with the already present Linux and
Unix syslog audit trail for the root and oracle users. Remember, it is the Unix SAs who are largely responsible for
counterbalancing the DBAs. The SAs are a large part of the database security picture, as it is they who control the root
privilege—not the DBA team.
Following are the steps for setting up centralized syslogging:
1. Set up syslogging at the Unix level:
#send syslog to centralized server dbsyslog01
local4.info @dbsyslog01.svr.emea.mydomain.net
#May need to replace spaces with tabs in /etc/syslog.conf
#in vi or vim the following will make tabs visible (shown as ^I) so they can be told apart from spaces
:set list
#single-line replacement of spaces by tabs on the current line
:s/ /\t/g
#and restart syslog after the edit on Solaris
svcadm restart system-log
#or on Linux
[root@lab2-5 etc]# service syslog restart
2. Test the configuration:
logger -t "Oracle Test" -p local4.info "test to local4.info"
3. Set up syslogging at the database level:
--as SYS on DB
alter system set audit_syslog_level='local4.info' scope=spfile;
alter system set audit_sys_operations=true SCOPE=SPFILE;
alter system set audit_trail='DB' SCOPE=SPFILE;
shutdown immediate;
startup;
4. Then search through the centralized syslog for interesting events. For example, search for Event 1017:
for file in */*/*.gz; do gunzip -c "$file"; done | egrep -i '1017'
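The grep in step 4 finds lines containing 1017, but a reviewer of a large estate usually wants the forwarded records broken into fields so that SYSDBA activity (what audit_sys_operations sends to syslog) and repeated ORA-01017 logon failures can be pulled out per user and host. The following script is an added example, not code from the book: it parses the KEY:[len] 'value' layout that Oracle writes to syslog, flags SYSDBA/SYSOPER actions and failed CONNECTs, and counts failures per database user and OS client. The sample syslog lines are constructed, and the exact field names and order are an assumption that should be checked against records forwarded by your own release before the regex is trusted.

```python
"""Triage of Oracle audit records forwarded via audit_syslog_level.

Added example (not the book's code). The field layout below follows the
KEY:[len] 'value' shape Oracle writes to syslog; field names and order are
an assumption and may differ between releases, so verify against real
forwarded records before relying on the regex.
"""
import re
from collections import Counter

# Constructed sample syslog lines (not real data): two SYSDBA records, two
# failed logons for the same user from the same OS account, one unrelated line.
SAMPLE_SYSLOG = """\
Jun 12 10:15:01 lab2-5 Oracle Audit[4123]: LENGTH : '211' ACTION :[7] 'CONNECT' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[5] 'pts/1' STATUS:[1] '0' DBID:[10] '1234567890'
Jun 12 10:16:22 lab2-5 Oracle Audit[4123]: LENGTH : '244' ACTION :[32] 'alter user scott identified by *' DATABASE USER:[3] 'SYS' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[5] 'pts/1' STATUS:[1] '0' DBID:[10] '1234567890'
Jun 12 10:17:05 lab2-5 Oracle Audit[4210]: LENGTH : '209' ACTION :[7] 'CONNECT' DATABASE USER:[5] 'SCOTT' PRIVILEGE :[4] 'NONE' CLIENT USER:[6] 'jsmith' CLIENT TERMINAL:[7] 'unknown' STATUS:[4] '1017' DBID:[10] '1234567890'
Jun 12 10:17:09 lab2-5 Oracle Audit[4211]: LENGTH : '209' ACTION :[7] 'CONNECT' DATABASE USER:[5] 'SCOTT' PRIVILEGE :[4] 'NONE' CLIENT USER:[6] 'jsmith' CLIENT TERMINAL:[7] 'unknown' STATUS:[4] '1017' DBID:[10] '1234567890'
Jun 12 10:18:00 lab2-5 sshd[4300]: Accepted publickey for oracle from 10.0.0.5 port 51234 ssh2
"""

# Syslog header: "Mon DD HH:MM:SS host Oracle Audit[pid]: <audit fields>"
HEADER_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<host>\S+)\s+Oracle Audit\[\d+\]:\s*(?P<body>.*)$"
)
# One audit field, e.g.  DATABASE USER:[3] 'SYS'   (LENGTH has no [n] and is skipped)
FIELD_RE = re.compile(r"(?P<key>[A-Z ]+?)\s*:\[\d+\]\s*'(?P<val>[^']*)'")


def parse_audit_line(line):
    """Return a dict of audit fields for an Oracle audit syslog line, else None."""
    m = HEADER_RE.match(line)
    if not m:
        return None  # not an Oracle audit record (sshd, cron, ...)
    rec = {"timestamp": m.group("ts"), "host": m.group("host")}
    for f in FIELD_RE.finditer(m.group("body")):
        rec[f.group("key").strip()] = f.group("val")
    return rec


def is_sysdba_action(rec):
    """True when the statement ran under SYSDBA or SYSOPER (what audit_sys_operations forwards)."""
    return rec.get("PRIVILEGE") in ("SYSDBA", "SYSOPER")


def is_failed_logon(rec):
    """True for a CONNECT whose return code is 1017 (ORA-01017, invalid username/password)."""
    return rec.get("ACTION") == "CONNECT" and rec.get("STATUS") == "1017"


def summarize(syslog_text, failure_threshold=2):
    """Walk forwarded syslog text and pull out the events a reviewer cares about.

    Returns SYSDBA actions in order, a Counter of failed logons keyed by
    (database user, OS client user), and the keys at or above the threshold.
    """
    sysdba_actions = []
    failed = Counter()
    for line in syslog_text.splitlines():
        rec = parse_audit_line(line)
        if rec is None:
            continue
        if is_sysdba_action(rec):
            sysdba_actions.append((rec.get("DATABASE USER"), rec.get("ACTION")))
        if is_failed_logon(rec):
            failed[(rec.get("DATABASE USER"), rec.get("CLIENT USER"))] += 1
    repeated = sorted(k for k, n in failed.items() if n >= failure_threshold)
    return {
        "sysdba_actions": sysdba_actions,
        "failed_logons": failed,
        "repeated_failures": repeated,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_SYSLOG)
    for user, action in report["sysdba_actions"]:
        print(f"SYSDBA  {user!r:8} {action}")
    for (db_user, os_user), n in report["failed_logons"].items():
        print(f"ORA-01017 x{n}  db_user={db_user} client_user={os_user}")
    print("repeated failures:", report["repeated_failures"])
```

To run it over the centralized archive, feed the output of the step 4 gunzip loop into `summarize()` instead of `SAMPLE_SYSLOG`; the Unix syslog lines from sshd and the like are skipped by `parse_audit_line`, so the same file can be fed in unfiltered.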