Oracle Security – Restrict DB Login Based on SQL Client

oracleSecurity

We have an application in our organization that is based on Oracle Forms 11g (on Oracle Fusion Middleware/WLS). Users have access to the application through accounts created at the database (i.e. they exist in dba_users). Each user is assigned a specific role based on their area of work and they use the user id to log on to the application. The user may have read/write access to certain functionality in the application and for this their roles have the following permissions-

EXECUTE ANY LIBRARY   
SELECT  ANY SEQUENCE   
EXECUTE ANY TYPE      
EXECUTE ANY PROCEDURE 
UPDATE  ANY TABLE      
SELECT  ANY TABLE      
DELETE  ANY TABLE      
EXECUTE ANY INDEXTYPE 
INSERT  ANY TABLE

Now we have some users requesting for SQL Client access (i.e. TNS settings) so that they can connect to the DB and perform queries for their research. These business users are ofcourse knowledgeable in SQL but we want to restrict their access based on the type of client they use to log on to the database. Any client other than the application itself, should restrict them to "read only".

Is there a way to achieve this?

Best Answer

You can check it with a database trigger, for example:

CREATE ROLE ROLE_POWER_USER NOT IDENTIFIED;

CREATE OR REPLACE TRIGGER LOG_T_LOGON 
    AFTER LOGON ON DATABASE
DECLARE
    
    osUser VARCHAR2(30);
    machine VARCHAR2(100); 
    prog VARCHAR2(100)
    ip VARCHAR2(15);
    
BEGIN
        
    IF ora_login_user IS NULL THEN 
        RETURN;
    END IF;
    
    SELECT OSUSER, MACHINE, PROGRAM, ora_client_ip_address
    INTO osUser, machine, prog, ip
    FROM V$SESSION 
    WHERE SID = SYS_CONTEXT('USERENV', 'SID');
    
    IF NOT DBMS_SESSION.IS_ROLE_ENABLED('ROLE_POWER_USER') THEN     
        IF LOWER(prog) <> 'your_application_name.exe' THEN
            RAISE_APPLICATION_ERROR(-20000, 'Logon denied: You must use only the official client application');
        END IF;
    ELSE
        IF LOWER(prog) NOT IN ('sqlplus.exe', 'toad.exe') THEN
            RAISE_APPLICATION_ERROR(-20000, 'Logon denied: You must use only SQL*Plus or TOAD for you private queries');
        END IF; 
    END IF;
    -- Successful login, continue as normal
END;
/

You can also check other conditions like IP-Address or the machine name.

SELECT privileges on tables and views you have to grant to the user or ROLE in the "classic" way. This trigger only prevents to logon to the database with certain tools.

Note, a user with System Privilege ADMINISTER DATABASE TRIGGER (for example DBA role, or SYS of course) never get the exception, i.e. they can logon to the database in any case and you cannot block this by the trigger.

Another note: This trigger is insecure! For example you can simply make a copy of your local sqlplus.exe and name it your_application_name.exe. Then this trigger would allow to use it.

With JDBC it is even a simple property you can set, see https://stackoverflow.com/questions/42027389/programatically-set-vsession-program-property

Related Solutions

Mysql – different login credentials based on user

You typically have to weight the cost of doing so vs. the benefits ... but benefit in risk management is difficult to quantify.

Basically, it comes down to what the cost of an exploit would be, and what the likihood of it happening are.

So, having to restore from backup because someone managed to drop a table which creates a denial of service, and being down for a day has a cost to the company in terms of what profit they'd have made in that given time, but there's also an issue of reputation loss (ie, customers/users who stop doing business with you, or potential users who are less likely to do busines in the future) ... but we have to balance this by the likehood of someone successfully attacking the site and causing this.

If you're not storing credit cards, and you're not a big target (the type of site people would brag about taking out), you're less likely to be hacked ... although, if you're running commonly distributed software, you still risk attacks by script kiddies who are just looking for people running software with a known exploit.

...

What our security folks don't seem to understand is that it's a balancing act -- some changes for security will create a burden on your users. And sometimes, the security itself will cause outages (eg, one of our external partners moves IP ranges ... but the new holes in the firewall weren't made, and due to a "network hold" we can't get any changes made for over a week) or just performance degredation.

Sometimes it's just that it takes longer to code, or more headaches to maintain, etc.

But it's something you have to answer for yourself -- is the cost worth the benefit of having made the change? (and sometimes, if the cost is just in man-power, was there an opportunity cost; ie, could you have been doing something else that would derive even more benefit with your time?)

SQL Server Trace – Based on Client TCP Port

Is there a way to trace a SQL session based on the client's TCP port?

Yes. You can query sys.dm_exec_connections to identify a session from the client's TCP port (column client_tcp_port).

For example:

SELECT DEC.session_id
FROM sys.dm_exec_connections AS DEC
WHERE DEC.client_net_address = '192.168.0.100'
AND DEC.client_tcp_port = 63465;

Best Answer

Related Solutions

Mysql – different login credentials based on user

SQL Server Trace – Based on Client TCP Port

Related Question