Purpose

The FCBGuardDUO is a second variant of the FCBGuard series of software designed to fix a multi-year security vulnerability that Oracle Corp. has been ignoring (see *** below). Briefly, the FCBGuard software can prevent unauthorized AS SYSDBA, it’s the primary goal, and actually any logins to databases.

A first variant of the FCBGuard software is available on https://oracleongpu.com/fcbguard/ .

The FCBGuardDUO implements a mandatory Cisco DUO login. To successfully perform an AS SYSDBA login, a database administrator must have a Cisco DUO account that is properly configured and registered with the database. Without such an account, any attempt to log in will result in the process being terminated.

Vulnerability

***

# whoami
root
# su - oracle
# sqlplus "/ as sysdba"

How it works to prevent unauthorized login

[root@dbhost ~]# whoami
root

[root@dbhost ~]# su - oracle
[oracle@dbhost ~]$ whoami
oracle

[oracle@dbhost ~]$ groups
dba vboxsf

[oracle@dbhost ~]$ sqlplus "/ as sysdba"

SQL*Plus: Release 19.0.0.0.0 - Production on Fri Oct 24 12:10:52 2025
Version 19.3.0.0.0

Copyright (c) 1982, 2019, Oracle.  All rights reserved.
                                                                               
Broadcast message from oracle@dbhost (somewhere) (Fri Oct 24 12:10:53 2025):     
                                                                               
Unauthorised SYSDBA login attempt detected on se19@dbhost
                                                                               
Killed
[oracle@dbhost ~]$

How it works to allow authorized login

[oracle@dbhost ~]$ sqlplus sysproxy/sysproxy @$YOUR-DATA_PUMP_DIR/fcbguard_duo.sql << this login file is auto-generated

SQL*Plus: Release 19.0.0.0.0 - Production on Fri Oct 24 12:17:21 2025
Version 19.3.0.0.0

Copyright (c) 1982, 2019, Oracle.  All rights reserved.

Last Successful login time: Fri Oct 24 2025 12:17:14 -04:00

Connected to:
Oracle Database 19c Standard Edition 2 Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
...
Enter your personal Duo registered login name: john.doe@gmail.com

Duo two-factor login for john.doe@gmail.com

Enter a passcode or select one of the following options:

1. Duo Push to XXX-XXX-XXXX
2. Phone call to XXX-XXX-XXXX
3. SMS passcodes to XXX-XXX-XXXX (next code starts with: 1)

Passcode or option (1-3): 1

Pushed a login request to your device...
227395

...                                 << here your CISCO Duo auth application pops up on your smartphone (see a screenshot below)

FCBGuardDUO v.23.12.801
Copyright (c) 2025, Olexandr Siroklyn. All rights reserved.
Connected.

USER is "SYS"
SQL>

Requirements

  • any database starting from 12c and up to 23c. See no reason to exclude 26ai, but it wasn’t tested. On-premise or cloud based ones. Standard, Personal or Enterprise edition. Multi-tenant or old-school ones.
  • ** Linux OS on a host where your database is used
  • database Unified Auditing is activated
  • Java database subsystem is available
  • Cisco DUO account. That means you or your Cisco DUO admin has access to https://admin-*******.duosecurity.com/
  • installed Cisco DUO application on your mobile phone
  • registered “UNIX application” entry on your Applications page on https://admin-******.duosecurity.com/
  • access to DUO info: api hostname, secret key and integration key
  • registered DUO user login for your DUO UNIX application.
  • Cisco DUO API comes from https://github.com/duosecurity/libduo
  • a host to build C language code, I used a database host, is capable to build the https://github.com/duosecurity/libduo sources
  • minimal knowledge how to build C language code

Notes

  • ** it is also possible to use AIX, HP-UX and Solaris, but not for the version of the software available for download
  • provided external shared library communicates with Cisco DUO cloud service (API endpoint) via outbound TCP port 443
  • downloadable version of the software is made about AS SYSDBA concern only
  • for testing purposes, Cisco DUO provides free accounts. Please note that free accounts have incorrect geolocation data. This is why you can see ‘AU’ on the screenshot*

Installation

See the installation.txt file in a docs directory for more details.

License

FCBGuardDUO is a free, partially closed software. You can use it in any way you like preserving copyright notice.

What’s new

  • Nov 21, 2025
    • Initial v. 23.12.832 released

Download

  • version: 23.12.832, size: 140 KBytes, md5: 2a4060471950a8974e0196aada21e34d
Download

Suggestion

Consider the FCBGuard or FCBGuardDUO software to be like a small watchdog that barks when someone tries to break into your house. The default reaction of the software, which is available to download, is simply to terminate the intruder session. That’s too simple solution. If you’re serious about your database security, take a look at the cre_sys.prc_fcbguard_duo.sql file, where a procedure, that reacts on intrusion, is created. Make this reaction more sophisticated, reasonable and unpredictable for intruder by using a more complex approach.