All,
Does anyone know of a solution to prevent users from logging into a
database with certain applications? In my case, I want to prevent users
from logging into our production databases using TOAD.
I can monitor who is logging in and how they are logging in using OEM,
but what I would like is to be alerted the second someone tries to log
in using TOAD. Can this be done?
TIA,
Daniel N.
Oracle DBA
You can check for v$session for module = 'T.O.A.D', or if the user
hasn't renamed the toad program name, program = 'TOAD.exe', and kill
the session. But it's trivial to even change the binary toad.exe to
hide the 'T.O.A.D' string. Open it with a binary file editor, or even
a text editor that is binary-file friendly such as (g)vim. Find the
string "begin sys.dbms_application_info.set_module('T.O.A.D.', null);
end;" and replace 'T.O.A.D' with any 7 character long string. In a
nutshell, there's no absolute way to prevent it. You may be better off
blocking connections from any terminal other than designated ones using
$TNS_ADMIN/protocol.ora (or .protocol.ora if it's before 8.1.6.2).
If you wish to use product_user_profile table to restrict connections
from third party tools such as Toad, it's not possible. That table can
only block sqlplus connections.
Yong Huang
Apologies if this is posted twice, google suddenly did weird things a
few minutes ago.
> All,
>
> Does anyone know of a solution to prevent users from logging into a
> database with certain applications? In my case, I want to prevent users
> from logging into our production databases using TOAD.
>
> I can monitor who is logging in and how they are logging in using OEM,
> but what I would like is to be alerted the second someone tries to log
> in using TOAD. Can this be done?
If you have listener logging turned on, you might write a little shell
script that does a tail -f on the log and parses out the PROGRAM=
statement. Then parse out the ip address and ping flood them until
you can get your silver hammer or they complain how slow the system
is. :-O
So what is it they can do with toad that they can't do with anything
else? Sounds like you need better password control.
jg
--
@home.com is bogus.
I wuz only kidding! Honest!
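The listener-log watcher suggested above, written out as an added example (not code from anyone in this thread, and with the ping flood left out): it reads listener.log records, picks the connection-establish lines whose client-reported PROGRAM contains "toad", and prints one alert per hit with the user, client host and IP. The sample log lines are constructed, and as Yong Huang points out, PROGRAM is supplied by the client, so a renamed binary will not show up here.

```shell
#!/bin/sh
# Added example: alert on TOAD connections seen in an Oracle listener.log.
# Fields used: CID=(PROGRAM=...)(HOST=...)(USER=...) is what the client
# reports about itself; ADDRESS=(...)(HOST=ip) is the client's address as
# seen by the listener. Live use: tail -f listener.log | detect_toad

# Constructed sample listener.log lines (not a real log).
SAMPLE_LOG='15-JAN-2004 09:01:12 * (CONNECT_DATA=(SERVICE_NAME=PROD)(CID=(PROGRAM=sqlplus)(HOST=dbhost)(USER=oracle))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.5)(PORT=40120)) * establish * PROD * 0
15-JAN-2004 09:02:33 * (CONNECT_DATA=(SERVICE_NAME=PROD)(CID=(PROGRAM=C:\Program Files\Quest Software\TOAD\TOAD.exe)(HOST=WS-DEV07)(USER=jdoe))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.1.77)(PORT=1342)) * establish * PROD * 0
15-JAN-2004 09:03:01 * (CONNECT_DATA=(SERVICE_NAME=PROD)(CID=(PROGRAM=toad.exe)(HOST=WS-DEV09)(USER=asmith))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.1.79)(PORT=1350)) * establish * PROD * 0'

# Read listener.log records on stdin; for each "establish" record whose
# PROGRAM contains "toad" (case-insensitive) print:
#   ALERT <date> <time> user=<u> client_host=<h> ip=<ip> program=<p>
detect_toad() {
    while IFS= read -r line; do
        case "$line" in
            *'* establish *'*) ;;          # connection-establish records only
            *) continue ;;
        esac
        prog=$(printf '%s\n' "$line" | sed -n 's/.*(PROGRAM=\([^)]*\)).*/\1/p')
        case "$(printf '%s' "$prog" | tr 'A-Z' 'a-z')" in
            *toad*) ;;                     # client-reported name matches
            *) continue ;;
        esac
        user=$(printf '%s\n' "$line" | sed -n 's/.*(USER=\([^)]*\)).*/\1/p')
        chost=$(printf '%s\n' "$line" | sed -n 's/.*(CID=(PROGRAM=[^)]*)(HOST=\([^)]*\)).*/\1/p')
        ip=$(printf '%s\n' "$line" | sed -n 's/.*(ADDRESS=.*(HOST=\([^)]*\)).*/\1/p')
        ts=$(printf '%s\n' "$line" | cut -d' ' -f1,2)
        printf 'ALERT %s user=%s client_host=%s ip=%s program=%s\n' \
            "$ts" "$user" "$chost" "$ip" "$prog"
    done
}

# Number of alerts raised on the constructed sample (prints the count).
count_sample_alerts() {
    printf '%s\n' "$SAMPLE_LOG" | detect_toad | wc -l | tr -d ' '
}
```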
To add to above, serve the applications that are supposed to have
access to the database from a file server. Give users only read access
to the executables so that they cannot change the file name. Only allow
those executables via a logon trigger.... Kick everything else out.
Of course you would need to tweak it a bit if you want users with admin
rights to logon using OEM, Sqlplus etc.
Regards
/Rauf Sarwar
Ya think? My experience as a DBA with developers wanting to use TOAD
in production is that they want to go in and start tweaking
application configuration data with no controls. Of course that was
in a big place where there were separate designers and developers, and
the designers would use Oracle tools to browse the schema. I can see
your point though, I've been in smaller places where I might have used
TOAD for such a purpose if I didn't write my own scripts and do
everything from command line.
"It's a masochist's wonderland!" Radio ad for local ski/snowboard
resort.