Purpose
FCBGuard (http://oracleongpu.com/fcbguard/) prevents unauthorised AS SYSDBA login attempts to a database. This is implemented by requiring the presence of a USB security key/token/card (call it whatever you like). To log in AS SYSDBA successfully, the database administrator must have a properly configured, database-registered USB security key. Without such a key, any attempt to log in will result in a process kill. The main purpose is to prevent the root user from becoming the oracle user and connecting to the database.
License
FCBGuard is free, partially closed software. You can use it in any way you like, preserving the copyright notice.
How it works
There is a web page and an attached intro.txt file with more details. See below for a brief description.
[oracle@databasehost ~]$ sqlplus / as sysdba
SQL*Plus: Release 19.0.0.0.0 - Production on Fri Feb 10 17:22:57 2023
...
Broadcast message from oracle@databasehost (Wed Feb 15 11:17:05 2023):
Unauthorized SYSDBA login attempt detected to dbname@databasehost
Killed
[oracle@databasehost]$
[oracle@databasehost sql]$ sqlplus sysproxy/sysproxy @${DATA_PUMP_DIR}/fcbguard.sql << file is auto generated on logon
SQL*Plus: Release 19.0.0.0.0 - Production on Fri Feb 10 18:03:29 2023
...
dba@host-where-USB-security-token-is-present's password: << here a SSH connection is established to
Using reader with a card: Yubico YubiKey OTP+FIDO+CCID 00 00 << USB security token is detected
PKCS#15 Card [Oracle login as SYSDBA]:
Version : 0
Serial number : 534xdsdfsdc9asdfasdf
Manufacturer ID: piv_II
Flags :
Logging in to "Oracle login as SYSDBA"
Please enter User PIN: << a correct PIN code is expected
Using decrypt algorithm RSA-PKCS
Sdf34rsdfee23423
Connection to host-where-USB-security-token-is-present closed
847
FCBGuard v.21.12.701
(c) 2023 Olexandr Siroklyn. All rights reserved.
Connected.
USER is "SYS"
SQL>
[Updated on: Tue, 28 February 2023 20:20]