from the posts that I never got around to posting department (originally dated at 26 July 2005)… posting now because Oracle Open World has a bunch of database security products now – and someone might actually implement this .
I have got a product vapourware idea that has been floating around in my head for a little while. A product that will help protect databases.
The tool will do the following:
1) record checksum for key objects in the database (by default it shoud do the data dictionary). It will allow users to record checksums for all objects, in particular supporting stored procedures, and views. This will help prevent attackers from hiding there tracks. This type of attack has been setup in a proof of concept shown at Red Database Security Services (edit – sorry – not sure of the deep link or if this is still publicly available).
2) check the passwords of users in the database, ensuring that the password quality is good.
I can picture quite easily how to do this in Oracle, can see the feasability of it in SQL Server, and know that every database will provide a data dictionary that will make at least step 1 possible. So – to all you database security vendors out there – please implement.