DBSecWorx: Data Control Language (DCL)

Oracle Data Control Language (DCL) Versions All

Security Advisory

DCL, in and of itself, is not a security risk. But, controlling and monitoring two elements of DCL, is critically important to creating and maintaining a secure environment.

Use the table below to better identify those DCL statements of concern; and why.

Syntax	Risk Rating	Comment
COMMIT	21	Too many commits, for example ODBC driver auto-commit, impact performance and scalability. Too few may create a risk of data loss in the event of stability issues. The generic recommendation is to perform a commit after every logical transaction as opposed to a commit after every DML statement. Learn about the WAIT \| NOWAIT and BATCH \| IMMEDIATE options in the Oracle COMMIT
GRANT	10	One of the largest risks in Oracle, or any other database, is inappropriate granting of privileges either by DBAs that do not understand what truly constitutes "least privileges", by an attacker most often through the use of SQL Injection, or unfortunately, from Oracle's overly permissive default installation.
REVOKE	6	The risk cited here relates to granted privileges being revoked as part of a Denial of Service attack. Most organizations would have a difficult time realizing the reason the application failed is missing permissions and, having a script already written to immediately restore them.
ROLLBACK	1	Too many rollbacks is a performance and scalability issue unrelated to security.
SAVEPOINT	1	Zero risk but we still rate it a "1" because attackers can be remarkably creative.

To address issues related to GRANT and REVOKE statements the best line of defense is DDL triggers.

Auditing in this situation is slightly better than useless but not by much as auditing GRANT and REVOKE statements will tell you minutes, hours, or days, what happened that should not have happened and by then it will likely be too late to do much other than issue an apology to your customers.

The other issue with auditing, from the standpoint of security, is that it is most often incapable of telling the difference between an appropriate GRANT and an inappropriate GRANT and thus often relies on a marginally trained member of a security group to raise an alarm.