Oracle to Offer Single View Into Its OEM

By Lisa Vaas  |  Posted 2003-05-05

Oracle Corp.'s plan to offer a single, browser-based view in its Oracle Enterprise Manager is being greeted with glee by users, particularly in light of a major Oracle database vulnerability discovered last week.

Andy Mendelsohn, Oracle's senior vice president of database and application server technologies, outlined a vision of a self-managing database during his keynote on Tuesday at the International Oracle Users Group conference in Orlando, Fla.

The enhanced version of OEM, due with the next release of Oracle Application Server this summer, will allow DBAs (database administrators) to see information from all databases, as opposed to being forced to monitor and manage each individual system, Mendelsohn said.

Jim Wolff, a senior DBA and manager for MIS operations at Space Gateway Support, in Kennedy Space Center, Fla., said that the consolidated OEM view may fill a hole in Oracle's current database security interface. "As a DBA working with Oracle products since about 1988, [I'd say] they have good security for the most part," he said. "But everything has vulnerabilities. Where [Oracle is lacking] is in the ability to provide for an easy-to-use interface for the DBAs to monitor auditing and those kinds of things."

Currently, those activities take a large bite out of DBAs' time, Wolff said. "You have to develop your own scripts and interfaces," he said. "That's a really big hole. … [Oracle has] such good database software, but it lacks in providing a good interface for monitoring security and auditing related stuff, [such as] who's logged in, password monitoring, keystroke logging, and accessing what data, etc."

Kelly Cox, an Oracle DBA who runs a consultancy in Alexandria, Va., was also pleased to hear that soon she could access a single view, as opposed to dealing with Oracle's current multiplicity of auditing tables. "That table structure of auditing, it doesn't take long to figure out, but DBAs have enough on their plate without having to learn a whole new structure," she said.

Another feature of the future OEM will be the ability to not only track what patches have been applied but also to automatically link to Oracle Support Services' OracleMetaLink, an online support feature for Oracle customers. This will allow DBAs, when logging on, to automatically receive patches.

That's yet another thing that's been sorely needed in database security, according to Aaron Newman, chief technology officer and co-founder of Application Security Inc., a New York-based provider of database security technology. "A typical DBA doesn't have one or two servers—they track 50," he said. "So it helps to have a tool help them go across 50 servers to find out what patch was applied where. A tool like that is pretty necessary, not only for security but for data corruption issues."

Such sentiments in support of overburdened DBAs come on the heels of the discovery of a major vulnerability in Oracle databases last Tuesday. The unchecked buffer overflow vulnerability allows virtually any Oracle user to perform the "create database link" task—a privilege assigned to the "connect" role by default.

Oracle's patch is available on OracleMetaLink to paying support customers. For others, Newman suggested that a workaround would be to revoke the "create database link" from the account of any untrusted user or from those users who don't absolutely need it.
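
As an illustration of that workaround (an added example, not part of the original article or Oracle's advisory), a DBA could first list who holds the privilege, directly or through roles, and then revoke it. The queries use Oracle's standard DBA_SYS_PRIVS, DBA_ROLE_PRIVS and DBA_USERS dictionary views; the account name app_owner is hypothetical.

```sql
-- Added example: audit and restrict CREATE DATABASE LINK.
-- Run as a DBA account.

-- 1. Direct grants of the privilege (grantee may be a user, a role or PUBLIC).
SELECT grantee, admin_option
FROM   dba_sys_privs
WHERE  privilege = 'CREATE DATABASE LINK'
ORDER  BY grantee;

-- 2. Users who inherit it through a role, following nested role grants.
--    Start from roles that hold the privilege and walk to everything
--    those roles have been granted to, keeping only real user accounts.
SELECT DISTINCT u.username
FROM   dba_users u
WHERE  u.username IN (
         SELECT grantee
         FROM   dba_role_privs
         START WITH granted_role IN (
                  SELECT grantee
                  FROM   dba_sys_privs
                  WHERE  privilege = 'CREATE DATABASE LINK')
         CONNECT BY PRIOR grantee = granted_role)
ORDER  BY u.username;

-- 3. Workaround from the article: remove the privilege from the
--    CONNECT role, which carries it by default.
REVOKE CREATE DATABASE LINK FROM CONNECT;

-- 4. Grant it back only to named accounts that need it.
--    app_owner is a hypothetical account name.
GRANT CREATE DATABASE LINK TO app_owner;

-- 5. Re-run query 1 to confirm only the intended grantees remain.
```

Existing database links are not dropped by the revoke, so reviewing DBA_DB_LINKS afterward shows what was already created.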
