Custom and GOTS application source code stored in the database should be protected with encryption or encoding.

From Oracle Database 11g Instance STIG

Part of DBMS source code encoding or encryption

SV-28568r2_rule Custom and GOTS application source code stored in the database should be protected with encryption or encoding.

Vulnerability discussion

Source code may include information on data relationships, locations of sensitive data that are otherwise obscured, or other processing information that could aid a malicious user. Encoding or encryption of the custom source code objects within the database helps protect against this type of disclosure.

Check content

If this is not a production database, this check is Not a Finding. From SQL*Plus (NOTE: The owner list below is a short list of all possible default Oracle accounts): select owner||'.'||name from dba_source where line=1 and owner not in ('SYS', 'CTXSYS', 'MDSYS', 'ODM', 'OE', 'OLAPSYS', 'ORDPLUGINS', 'ORDSYS', 'OUTLN', 'PM', 'QS_ADM', 'RMAN', 'SYSTEM', 'WKSYS', 'WMSYS', 'XDB') and owner not like 'OEM%' and text not like '%wrapped%' and type in ('PROCEDURE', 'FUNCTION', 'PACKAGE BODY'); Review the list of results with the DBA. If any results are custom or GOTS application code, this is a Finding. If all returned results are default DBMS or COTS application code, this is not a Finding.

Fix text

Use the Oracle WRAP utility to encode application source code stored in application database objects (stored procedures, functions, package bodies). The following may be used as an example process: 1) export the application object source and store in an external file. From SQL*Plus: set show off set heading off set verify off set echo off set term off set pagesize 0 set feedback off set serveroutput on size 1000000 set wrap on set trimspool on set linesize 512 spool [output file name = proc.sql] select text from dba_source where object_name='[object name]'; spool off 2) From system command line, invoke the wrap utility. wrap iname=proc.sql oname=proc.plb This will result in the file name proc.plb 3) re-create the object with the encoded source code. From SQL*Plus: @proc.plb

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer