Figure 18-18.
But there are no security rules regarding wallets
Replacing a password with a wallet increases convenience but can decrease security, depending on the OS permissions of the wallet, since the wallet file could be edited or deleted by a DB process that uses JAVA_ADMIN to interact with the OS as the "oracle" Unix user (see previous chapters). Additionally, a wallet could be copied between DBs using the DBMS_FILE_TRANSFER package:
However, 11.2 does allow tying the wallet to the machine, as mentioned previously, so we do have some improvement, though this local tying is easy to bypass.
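As an added example (not from the book), here is a check a DBA could run against a wallet file to see whether the database server's OS identity can edit it or delete it, applying the POSIX owner/group/other rules; it goes a step beyond the text by separating the two cases, since deleting a file depends on the parent directory's permissions, not the file's. `OsIdentity`, `wallet_exposure` and `inspect_wallet` are names introduced here, and `demo()` builds a placeholder file in a temp directory rather than touching a real wallet.

```python
import os
import stat
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class OsIdentity:
    """OS identity of the database server process: uid plus every group id it holds."""
    uid: int
    gids: frozenset


def can_write(mode: int, owner_uid: int, owner_gid: int, who: OsIdentity) -> bool:
    """POSIX write check: root always may; otherwise exactly one permission class applies,
    chosen in the order owner, then group, then other."""
    if who.uid == 0:
        return True
    if who.uid == owner_uid:
        return bool(mode & stat.S_IWUSR)
    if owner_gid in who.gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def wallet_exposure(file_mode, file_uid, file_gid, dir_mode, dir_uid, dir_gid,
                    db: OsIdentity) -> dict:
    """Can the DB process edit the wallet (file write bit) or delete it (directory write bit)?
    Unlinking never needs write access to the file itself; a sticky-bit directory additionally
    limits deletion to root, the file owner or the directory owner."""
    can_edit = can_write(file_mode, file_uid, file_gid, db)
    dir_writable = can_write(dir_mode, dir_uid, dir_gid, db)
    sticky = bool(dir_mode & stat.S_ISVTX)
    can_delete = dir_writable and (not sticky or db.uid in (0, file_uid, dir_uid))
    return {"can_edit": can_edit, "can_delete": can_delete}


def inspect_wallet(path: str, db: OsIdentity) -> dict:
    """Evaluate a real wallet file (e.g. cwallet.sso) together with its parent directory."""
    f = os.stat(path)
    d = os.stat(os.path.dirname(os.path.abspath(path)))
    return wallet_exposure(stat.S_IMODE(f.st_mode), f.st_uid, f.st_gid,
                           stat.S_IMODE(d.st_mode), d.st_uid, d.st_gid, db)


def current_identity() -> OsIdentity:
    return OsIdentity(os.getuid(), frozenset(os.getgroups()) | {os.getgid()})


def demo() -> dict:
    """Constructed case: a 0600 wallet created by the running user inside its own 0700
    directory, i.e. the usual 'owned by oracle' layout, which that user can both edit and delete."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "cwallet.sso")
        with open(p, "wb") as fh:
            fh.write(b"constructed placeholder, not a real wallet")
        os.chmod(p, 0o600)
        return inspect_wallet(p, current_identity())
```

Running `inspect_wallet` with the uid and gids of the real oracle account shows whether a wallet owned by a separate account with group read only, in a directory the oracle user cannot write, actually removes both the edit and the delete exposure.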
Oracle 12c has adopted my _sys_logon_delay parameter, but the current EM repository RDBMS versions, 11.1 and 11.2, are still both vulnerable to brute-forcing SYS remotely. 11.1 and 11.2 can be customized to include a manual one-second delay, as shown in this article: http://www.oracleforensics.com/wordpress/index.php/2012/10/24/
A piece of relevant feedback I received on my presentation at OOW/Oaktable in San Francisco 2013, regarding the addition of a delay to failed logons, pertains to an interesting MOS article kindly brought to my attention by Riyaj. Essentially, a bug in the 11.1 RDBMS means that failed logon delays may stop the legitimate user from logging on. This issue is fixed in 11.2 and up, but the OMR is still using 11.1. Here is the text of the Oracle issue from MOS.
Bug 7715339 Logon failures causes "row cache lock" waits - Allow disable of logon delay
This note gives a brief overview of bug 7715339. The content was last updated on: 19-JUN-2012
Affects: