DG0091-ORACLE11 - Custom and GOTS application source code stored in the database should be protected with encryption or encoding.

Information

Source code may include information on data relationships, locations of sensitive data that are otherwise obscured, or other processing information that could aid a malicious user. Encoding or encryption of the custom source code objects within the database helps protect against this type of disclosure.

Solution

Use the Oracle WRAP utility to encode application source code stored in application database objects (stored procedures, functions, package bodies).

The following may be used as an example process:

1) export the application object source and store in an external file.

From SQL*Plus:
set show off
set heading off
set verify off
set echo off
set term off
set pagesize 0
set feedback off
set serveroutput on size 1000000
set wrap on
set trimspool on
set linesize 512
spool [output file name = proc.sql]
select text from dba_source
where object_name='[object name]';
spool off

2) From system command line, invoke the wrap utility.

wrap iname=proc.sql oname=proc.plb

This will result in the file name proc.plb

3) re-create the object with the encoded source code.

From SQL*Plus:
@proc.plb

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_Database_11g_Y21M10_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-28(1), CAT|III, Rule-ID|SV-28568r2_rule, STIG-ID|DG0091-ORACLE11, Vuln-ID|V-3823

Plugin: OracleDB

Control ID: f79416be5a74a936af57fd1428846ea13e478b220d406038fd2be1fd4ac1e342