Figure 18-18. But there are no security rules regarding wallets
Replacing a password with a wallet increases convenience but can decrease security, depending on the OS permissions on the wallet files: a wallet could be edited or deleted by a DB process that uses JAVA_ADMIN to interact with the OS as the "oracle" Unix user (see previous chapters).
Additionally, a wallet could be copied between DBs using the DBMS_FILE_TRANSFER package, which needs only EXECUTE on the package plus READ/WRITE on directory objects that cover the source and destination paths:
http://docs.oracle.com/cd/B19306_01/appdev.102/b14258/d_ftran.htm
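The following is an added example, not code from the book: it enumerates who could copy a wallet with DBMS_FILE_TRANSFER (EXECUTE on the package and READ/WRITE on directory objects), and then shows the copy call itself. WALLET_DIR and STAGE_DIR are hypothetical directory objects; substitute the directory that points at the WALLET_LOCATION from sqlnet.ora. Note the package documentation's usage restriction that a copied file must be a multiple of 512 bytes, so not every wallet file will copy as-is.

```sql
-- Added example (not from the book). Who can call the package at all?
SELECT grantee, privilege
  FROM dba_tab_privs
 WHERE table_name = 'DBMS_FILE_TRANSFER';

-- Which directory objects exist, where do they point, and who can
-- read/write them? Any directory whose path covers the wallet location
-- turns EXECUTE on DBMS_FILE_TRANSFER into a wallet copy primitive.
SELECT d.directory_name, d.directory_path, p.grantee, p.privilege
  FROM dba_directories d
  LEFT JOIN dba_tab_privs p ON p.table_name = d.directory_name
 ORDER BY d.directory_name, p.grantee;

-- The copy as a user holding both grants would issue it.
-- WALLET_DIR and STAGE_DIR are hypothetical directory objects.
BEGIN
  DBMS_FILE_TRANSFER.COPY_FILE(
    source_directory_object      => 'WALLET_DIR',
    source_file_name             => 'ewallet.p12',
    destination_directory_object => 'STAGE_DIR',
    destination_file_name        => 'ewallet_copy.p12');
END;
/
```

Run the two queries on the EM repository and treat any non-DBA grantee that appears in both result sets as a finding; the copy block is there to show what that combination of grants buys, not something to run on a production repository.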
However, 11.2 does allow tying the wallet to the machine, as mentioned previously, so there is some improvement, though this local tying is easy to bypass.
Oracle 12c has adopted my _sys_logon_delay parameter, but the current EM repository RDBMS versions, 11.1 and 11.2, are both still vulnerable to remote brute-forcing of SYS. 11.1 and 11.2 can be customized to include a manual one-second delay on failed logons, as shown in this article: http://www.oracleforensics.com/wordpress/index.php/2012/10/24/sys_throttler-and-distributed-database-forensics/
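One way to impose such a one-second delay on failed logons is shown below as an added example; it is not the book's code and not necessarily the mechanism used in the linked sys_throttler article. It assumes the trigger is created by SYS (which has EXECUTE on DBMS_LOCK) and that the failed attempt raises ORA-01017 through the SERVERERROR event; SYSDBA and OS-authenticated connections are handled differently by the server, so verify against the exact attack path (remote SYS logon to the repository) before relying on it.

```sql
-- Added example (not from the book or the linked article).
-- Sleep one second inside the error handler for ORA-01017
-- (invalid username/password) so a remote guesser gets at most
-- one attempt per second per connection instead of thousands.
CREATE OR REPLACE TRIGGER sys.throttle_failed_logon
AFTER SERVERERROR ON DATABASE
BEGIN
  IF ora_is_servererror(1017) THEN
    -- DBMS_LOCK.SLEEP holds this session only; it takes no
    -- dictionary lock, unlike the built-in delay discussed below.
    DBMS_LOCK.SLEEP(1);
  END IF;
END;
/

-- Check it compiled cleanly before leaving it enabled.
SELECT trigger_name, status
  FROM dba_triggers
 WHERE trigger_name = 'THROTTLE_FAILED_LOGON';
```

The delay is per failed attempt, so an attacker can still parallelise across connections; pair it with the failed-logon auditing from earlier chapters so the attempts are at least recorded.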
A piece of relevant feedback I received in my presentation at OOW/Oaktable in San Francisco 2013 regarding
the addition of a delay to failed logons pertains to this interesting MOS article kindly brought to my attention by Riyaj
Shamsudeen of http://www.orainternals.com .
Essentially, a bug in the 11.1 RDBMS means that the failed-logon delay may stop a legitimate user from logging on. This issue is fixed in 11.2 and up, but the OMR (the EM repository database) is still on 11.1. Here is the text of the Oracle issue from MOS:
Bug 7715339 Logon failures causes "row cache lock" waits - Allow disable of logon delay
This note gives a brief overview of bug 7715339. The content was last updated on: 19-JUN-2012
Affects: