Archive for September, 2013

Fix for oradebug disable auditing available (

Freitag, September 13th, 2013

2 days ago I gave a presentation „Oracle 12c from the attackers perspective“ at the DOAG SIG Security. I learned some interesting things, especially that a fix for the Oracle oradebug „disable auditing“ problem is available since 9 months.

Oradebug allows to run OS commands and to enable/disable Oracle SYSDBA and normal auditing on the fly without leaving traces in the audit log. The fix for this problem is available in Oracle and was backported to using the patches 15805002, 15808245, 16177780.

By default the setting is not enabled in Oracle

The undocumented parameter  _fifteenth_spare_parameter (Oracle Description: fifteenth spare parameter – integer – Yeah, really useful)  can now disable or limit the oradebug functionality. I could not find any information about this parameter on google or my oracle support.

—— extract from the read me.txt of the patch file——————

## _fifteenth_spare_parameter can be set to „all“, „restricted“ or „none“
## „all“ disables execution of all oradebug commands, „restricted“ disables
## execution of restricted oradebug commands, „none“ (default) allows execution
## of oradebug commands.

—— extract from the read me.txt ——————