There is an excellent book on “Oracle Security” available online from “http://www.sans.org”. Concise, organized, and prioritized. Also, Newman and Theriault’s “Oracle Security Handbook” from Oracle Press is chock full of common sense...
Not sure what the question about “automating the migration of stored procedures” refers to. Could you provide more information? I don’t think I understand the problem...
Storing password files on the database server is mainly an exercise in ensuring that OS security and file permissions properly implemented. If you cannot ensure that OS files are properly secured, then the entire Oracle database is at risk, not to mention files containing clear-text passwords. After all, one can view data within datafiles using programs other than the Oracle RDBMS...
The idea of creating production schemas/logins to separate object ownership from application/end-user access is excellent. To avoid using synonyms, consider the functionality of the “ALTER SESSION SET CURRENT_SCHEMA = <ownership-schema>” command being executed in an AFTER LOGON trigger in all accounts used for end-user access. It is a little-known but wonderfully manageable bit of functionality...
Hope this helps...
-Tim
on 8/7/03 5:44 AM, [EMAIL PROTECTED] at [EMAIL PROTECTED] wrote:
Can anybody help-me in finding a security approach to a Oracle database?
We are trying to set up a security policy for Oracle but we are having some problem in questions like:
1) Automatic process: How to create a single login user that automates the migration of stored procedures
2) How to store password-files safely in order to avoid users reading it (encryption may be)
3) How to create production logins that are not the owner of the tables/procedures and without creating synonyms avoiding them to have to prefix the objects with the owner
Is there any documentation or site you can suggest me?
Thanks,
Sandro Augusto da Silva
Technology Services & Support
NLA Technology Services
Phone: +55 11 3398-8438
Fax: +55 11 3398-7522
Esta mensagem, incluindo seus anexos, pode conter informação confidencial e/ou privilegiada. Se você recebeu este e-mail por engano, não utilize, copie ou divulgue as informações nele contidas. E, por favor, avise imediatamente o remetente, respondendo ao e-mail, e em seguida apague-o. Este e-mail possui conteúdo informativo e não transacional. Caso necessite de atendimento imediato, recomendamos utilizar um dos canais disponíveis: Internet Banking <http://www.bankboston.com.br> , BankBoston por telefone <http://www.bankboston.com.br/bpt> ou agência/representante de atendimento de sua conveniência. Agradecemos sua colaboração.
This message, including its attachments, may contain confidential and/or privileged information. If you received this email by mistake, do not use, copy or disseminate any information herein contained. Please notify us immediately by replying to the sender and then delete it. This email is for information purposes only, not for transactions. In case you need immediate assistance, please use one of the following channels: Internet Banking <http://www.bankboston.com.br> , BankBoston by phone <http://www.bankboston.com.br/bpt> or branch/relationship manager at your convenience. Thank you for your cooperation.
