Oracle Tips by Burleson
Chapter 11 Oracle Fine Grained Auditing
decides to forge the Domain Name as, say, ORACLE.COM, he or she will not succeed without knowing the encryption key. The user can still call SECUSER.SET_CLIENT_ID to set another client identifier, but the value will not decrypt properly and will not read ORACLE.COM as the attacker intended. The value can therefore be set and retrieved in a secure manner.
Potential Threats
This merely ensures that the user cannot enter a value that will be considered valid. However, it does not prevent the user from changing the value of the client identifier. The changed value will not be valid, but it will still be passed on to the FGA trail tables, and thus the identity of the user can be shrouded. This setup does not help in identifying culprits, but it makes sure the wrong person is not identified for a malicious act.
To be absolutely sure that the user is identified, you have to use the Oracle Advanced Security option to pass the username from the LDAP server.
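The review step this limitation implies, as an added example that is not from the book: list the FGA trail rows whose client identifier cannot be verified, then summarise them by the other session attributes the trail records. DBA_FGA_AUDIT_TRAIL and its columns are Oracle's own; SECUSER.VALID_CLIENT_IDS is a hypothetical table, assumed to hold every identifier the application legitimately sets.

```sql
-- Added example. Assumption: SECUSER.VALID_CLIENT_IDS (CLIENT_ID VARCHAR2(64))
-- is a hypothetical table of every identifier the application legitimately sets.

-- 1. FGA trail rows whose client identifier cannot be verified.
--    NOT EXISTS also returns rows where CLIENT_ID is NULL (never set).
SELECT t.timestamp,
       t.session_id,
       t.db_user,
       t.os_user,
       t.userhost,
       t.client_id,
       DUMP(t.client_id) AS client_id_bytes,  -- shows non-printable bytes of a garbled value
       t.object_schema,
       t.object_name,
       t.policy_name
FROM   dba_fga_audit_trail t
WHERE  NOT EXISTS (SELECT 1
                   FROM   secuser.valid_client_ids v
                   WHERE  v.client_id = t.client_id)
ORDER  BY t.timestamp;

-- 2. The same rows summarised by the attributes the trail records
--    independently of the client identifier.
SELECT t.db_user,
       t.os_user,
       t.userhost,
       COUNT(*)                    AS unverified_rows,
       COUNT(DISTINCT t.client_id) AS distinct_bad_ids,
       MIN(t.timestamp)            AS first_seen,
       MAX(t.timestamp)            AS last_seen
FROM   dba_fga_audit_trail t
WHERE  NOT EXISTS (SELECT 1
                   FROM   secuser.valid_client_ids v
                   WHERE  v.client_id = t.client_id)
GROUP  BY t.db_user, t.os_user, t.userhost
ORDER  BY unverified_rows DESC;
```

Rows returned here should be treated as unattributed to any application user, which matches the point above: an invalid identifier hides who acted but does not implicate a valid one.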
Application Context
Unlike Virtual Private Database, the Client Identifier method is available only in Oracle 9i. For Oracle 8i, the absence of this variable makes tracking of the usernames difficult. However, FGA is not available in Oracle 8i, so this ceases to be a problem.
In VPD, the problem was solved using application contexts in Oracle 8i. But even in Oracle 9i, they can be used to enhance the FGA. Earlier, we saw that we could store a long list of information in Client Identifier, such as the Domain Name, Application User Name,
The above text is an excerpt from the bestselling book: Oracle Privacy Security Auditing.