I just found one of Marks recent posts on his blog entitled "A Couple Of Alternative Event 10046 Resource Profilers". Mark is talking about a couple of trace profiling tools. The first is Andy Rivenes's http://home.comcast.net/~arivenes/utilities_resource.htm - (broken link) resource profiler, the second is SimpleProfiler by Niall Litchfield and needs HTML DB to run. There is of course the Hotsos profiler as well and also a good Trace file repository from Miracle AS in Denmark called Miracle tracefile repository. There are probably many more similar tools available.
I have also written a paper detailing many ways that can be used to set trace either for the current session or for another session running in the database. It also shows how to set extended trace either for binds or waits or both.
OK, so what has this got to do with Oracle security? Quite a bit actually. I often highlight to customers the dangers of allowing users access to set trace for their own session or others. Worse still is allowing these users access to trace files or even via autotrace in SQL*Plus. Actually being able to see the trace will reveal a lot of information about the structure of an application and even in some cases critical information about security settings or passwords in some versions or password hash values in others that could be cracked using one of the tools listed on my tools page. So we know the dangers of allowing users to set trace or to access trace data but these tools simply summarise details from the trace files without revealing structure. In some cases this sort of information could be used by a malicious person still to plan a Denial Of Service attack. Some of the tools mentioned above, such as Niall's and the Miracle AS tool allows trace files to be accessed remotely via a web interface. This implies that trace files are one step closer to a remote user or even an in-house user who does not have access to tools such as SQL*Plus.
There have been many posts to newsgroups about simple PL/SQL code that can be used to load trace files into the database so that they can be viewed remotely. This is a great practice for admin staff and for tuning and monitoring but you should consider the security aspects of allowing internals data and structure to be exposed externally.
Blog
Pete Finnigan's Oracle Security Weblog
This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.
[Previous entry: "Colin Maxwell talks about reducing the scope for encryption"] [Next entry: "Oracle 9.2.0.6 and alert #68"]
November 2004
- Another good paper by Howard Rogers on read-only tables - 11/01/2004 by 11/01/2004
- The 9.2.0.6 patch set is out - 11/02/2004 by 11/02/2004
- Nice four part paper on label security by Jim Czuprynski - 11/03/2004 by 11/03/2004
- Howard Rogers has a new ebook out - 11/04/2004 by 11/04/2004
- Patrik Karlsson releases OScanner - A new free Oracle security vulnerability scanner - 11/05/2004 by 11/05/2004
- Post on ORACLE-L : Exploring Oracle November 2004 and REMOTE_OS_AUTHENT - 11/06/2004 by 11/06/2004
- Two great papers and tools by Tim Gorman - 11/07/2004 by 11/07/2004
- A lot of new pages on my site - 11/08/2004 by 11/08/2004
- A new Oracle default password checking tool is available - 11/09/2004 by 11/09/2004
- Small update to the default password check scripts - 11/10/2004 by 11/10/2004
- Colin Maxwell talks about securing web services using JDev and WS-Security - 11/11/2004 by 11/11/2004
- Hack notes books - 11/12/2004 by 11/12/2004
- Interesting discussion on DBMS_SUPPORT versions - 11/13/2004 by 11/13/2004
- Exploits and blog software - 11/14/2004 by 11/14/2004
- Default password lists and updates - 11/15/2004 by 11/15/2004
- 600 Oracle default usernames/passwords available - 11/16/2004 by 11/16/2004
- Two more "takes" on the Gartner / Oracle exploit information release reluctance - 11/17/2004 by 11/17/2004
- An interesting case of information disclosure - 11/18/2004 by 11/18/2004
- Three more news sites are talking about the new patch schedule - 11/19/2004 by 11/19/2004
- More news on the new patch schedule - 11/20/2004 by 11/20/2004
- Frank Nimphius talks about showing/hiding UIX components based on isUserInRole() - 11/21/2004 by 11/21/2004
- Amis blog - shows how to create a certificate and configure OC4J to use it - 11/22/2004 by 11/22/2004
- Oracle secalert_us have sent out emails to tell some customers about the quarterly patch schedule - 11/23/2004 by 11/23/2004
- And still more news stories - 11/24/2004 by 11/24/2004
- Colin Maxwell talks about reducing the scope for encryption - 11/25/2004 by 11/25/2004
- James Morle's book is available as a free pdf - 11/26/2004 by 11/26/2004
- Edward Stangler talks about running catpatch - 11/27/2004 by 11/27/2004
- Looks like 9.2.0.6 is available on more platforms now - 11/28/2004 by 11/28/2004
- A good list of Oracle security check items - 11/29/2004 by 11/29/2004
- Edward Stanglers next post in the not running catpatch.sql series - 11/30/2004 by 11/30/2004
Archives
Syndication
Powered by gm-rss 2.0.0
