Oracle Database Vault DVSYS and DVF Schemas
ORACLE DATABASE VAULT
Nguyễn Quang Khải 50701106
Nguyễn Duy Hoàng 50700852
Contents
• Introducing Oracle Database Vault
o What is Oracle Database Vault?
o Components of Oracle Database Vault.
• HOWTO install Oracle Database Vault
• HOWTO use a Realm to secure Data Access from
DBA access.
• HOWTO use Command rules to secure User
Activity.
• HOWTO use Rule Sets, Factors, and secure
Application roles
• HOWTO Disable and Enable DV
• HOWTO Use Reports in DV
• HOWTO Better Understand DV’s Impact on
Performance
• Miscellaneous Discussion – Is Auditing Alone
Enough?
Introducing Oracle Database Vault
• What is Oracle Database Vault?
• Components of Oracle Database Vault
What is Oracle Database Vault?
• Oracle Database Vault (DV) was introduced with
Oracle Database 10gR2 and is also available for
9iR2 and 11g.
• DV restricts access to specific areas of an
Oracle database for any user, including
privileged ones.
• It lets you apply access control to your
sensitive data.
• It protects your data from super-privileged users
(DBAs) while still letting them maintain your
Oracle databases.
What is Oracle Database Vault?
• Help to address the most difficult security
problems: protecting against insider threats,
meeting regulatory compliance requirements,
and enforcing separation of duty.
• Manage the security of an individual Oracle
Database instance
Components of Oracle Database Vault
Oracle Database Vault has the following components:
■ Oracle Database Vault Access Control Components
■ Oracle Database Vault Administrator (DVA)
■ Oracle Database Vault Configuration Assistant (DVCA)
■ Oracle Database Vault DVSYS and DVF Schemas
■ Oracle Database Vault PL/SQL Interfaces and Packages
■ Oracle Database Vault and Oracle Label Security PL/SQL
APIs
■ Oracle Database Vault Reporting and Monitoring Tools
Oracle Database Vault Access Control
Components
• Realms: a functional grouping of database
schemas, objects, and roles that must be
secured.
• Command rules: a special rule that you can
create to control how users can execute
almost any SQL statement, including SELECT,
ALTER SYSTEM, data definition language
(DDL), and data manipulation language (DML)
statements.
• Factors: a named variable or attribute, such as a user
location, database IP address, or session user, which
Oracle Database Vault can recognize and secure.
• Rule sets: a collection of one or more rules that you
can associate with a realm authorization, command
rule, factor assignment, or secure application role.
• Secure application roles: A secure application role is a
special Oracle Database role that can be enabled based
on the evaluation of an Oracle Database Vault rule set.
Oracle Database Vault Administrator
(DVA)
• A Java application that is built on top of the
Oracle Database Vault PL/SQL application
programming interfaces (API).
• Allows security managers who may not be
proficient in PL/SQL to configure the access
control policy through a user-friendly interface.
• Provides an extensive collection of security-related
reports that assist in understanding the baseline
security configuration.
• Oracle Database Vault Configuration Assistant
(DVCA): performs maintenance tasks on your
Oracle Database Vault installation.
• Oracle Database Vault DVSYS and DVF Schemas:
the DVSYS schema stores the database objects
DV needs to make its access control decisions,
that is, the roles, views, accounts, functions, and
other database objects that Oracle Database Vault
uses. The DVF schema contains public functions
that retrieve (at run time) the values of the
factors defined in the Oracle Database Vault
access control configuration.
• Oracle Database Vault PL/SQL Interfaces and
Packages: allow security managers or
application developers to configure the access
control policy as required.
• Oracle Database Vault and Oracle Label
Security PL/SQL APIs: enables the security
manager to define label security policy and
apply it to database objects.
• Oracle Database Vault Reporting and
Monitoring Tools: generate reports on the
various activities that Oracle Database Vault
monitors.
HOWTO install Oracle Database Vault
• Install on Oracle Database 10gR2
o Download Oracle Database Vault from Oracle OTN:
http://www.oracle.com/technology/software/products/database_vault/index.html
o Stop all three services (DB Console, database and listener),
or stop them manually:
sqlplus / as sysdba
SQL> SHUTDOWN IMMEDIATE
SQL> EXIT
emctl stop dbconsole
lsnrctl stop
o Start the installer (runInstaller on Linux/UNIX, setup.exe on
Windows) and choose the destination path and the Database Vault
owner account and its password.
o Open the database by starting all 3 services (listener,
database and DB Console) OR start them manually:
lsnrctl start
sqlplus / as sysdba
SQL> STARTUP
emctl start dbconsole
o Register your database with Database Vault:
o Start Database Configuration Assistant from Start -> Programs ->
Oracle - ORACLE_HOME -> Configuration and Migration Tools.
o Choose "Configure Database Options", select Oracle Database
Vault (and Oracle Label Security) and proceed to the credentials page.
Pick passwords for the DBVOWNER (Database Vault Owner) and
DBVACCTMGR (Database Vault Account Manager) accounts; Database
Vault enforces strict password requirements, so expect a few
rejected attempts. Proceed. DBCA restarts the database automatically.
o Log in to Oracle Database Vault Administrator (DVA).
HOWTO use a Realm to secure Data
Access from DBA access.
• Let's use SCOTT.EMP, since it holds salary
information. Before we define a realm, DBAs can
read this table through their system privileges,
for example by querying it as SYSTEM:
• To create a realm, logon to the DV
Administrator and follow these steps:
o In the Administration tab click the Realms link.
o Click the Create button at the top right of the
screen.
o Fill in SCOTT_EMP as the Name for the realm and
fill in a description for this realm protection.
Leave Status as Enabled and leave Audit on Failure
as the Audit Option. Click OK.
o This will create the realm and take you back to the
realm list.
o Select the realm using the radio button and click
Edit.
o In the realm secured objects area, click the Create
button.
o Select SCOTT as the owner, TABLE as the type, and
fill in EMP as the object name. Click OK.
o Click OK at the top right of the screen to return
from editing the realm definition. The realm list
now shows the realm as having protected objects.
• Logged on as SYSTEM, you can no longer access
the data; the same query now fails with
ORA-01031: insufficient privileges:
• Connect as SCOTT and issue the same query; as
the table owner, SCOTT still has access. The realm
blocks the use of system privileges (such as
SELECT ANY TABLE) against protected objects; it
does not take away the owner's direct access to
its own tables.
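The realm above, built through the DBMS_MACADM PL/SQL API instead of the DVA screens. This is an added example, not code from the original slides; it assumes you run it as the Database Vault owner account created during installation (DBVOWNER in this deck) and that SCOTT.EMP exists. The realm owner authorization for SCOTT at the end is an addition the GUI steps above do not make.

```sql
-- Added example (not from the original slides): protect SCOTT.EMP with a
-- realm via DVSYS.DBMS_MACADM. Run as the DV owner account (DBVOWNER here).
BEGIN
  -- Same settings as the DVA screen: Status Enabled, Audit on Failure.
  DVSYS.DBMS_MACADM.CREATE_REALM(
    realm_name    => 'SCOTT_EMP',
    description   => 'Protects salary data in SCOTT.EMP from DBA access',
    enabled       => DVSYS.DBMS_MACUTL.G_YES,
    audit_options => DVSYS.DBMS_MACUTL.G_REALM_AUDIT_FAIL);

  -- Realm secured object: owner SCOTT, type TABLE, name EMP.
  DVSYS.DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'SCOTT_EMP',
    object_owner => 'SCOTT',
    object_name  => 'EMP',
    object_type  => 'TABLE');

  -- Addition to the GUI steps: make SCOTT the realm owner, so only SCOTT
  -- can grant or revoke privileges on the protected table. Accounts that
  -- are neither owner nor participant (SYSTEM, any DBA) are blocked when
  -- they reach the table through a system privilege.
  DVSYS.DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'SCOTT_EMP',
    grantee       => 'SCOTT',
    rule_set_name => NULL,
    auth_options  => DVSYS.DBMS_MACUTL.G_REALM_AUTH_OWNER);
END;
/

-- Check 1, as a DBA. SYSTEM only reaches SCOTT.EMP through the
-- SELECT ANY TABLE system privilege (via the DBA role), which the realm
-- now refuses to honour against a protected object:
--   CONNECT system/<password>
--   SELECT ename, sal FROM scott.emp;
--   -> ORA-01031: insufficient privileges

-- Check 2, as the owner. Direct access to one's own table is not a
-- system privilege and is not affected by the realm:
--   CONNECT scott/<password>
--   SELECT ename, sal FROM emp;     -- rows returned

-- Caveat: a regular realm blocks system privileges only. If SYSTEM had been
-- granted SELECT ON scott.emp directly, that object privilege would still
-- work; revoke such grants when you put a table under realm protection.
```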
More on Realms
• Realms group a larger set of objects: a schema, a
group of roles, or a group of objects with which
you want to associate a security policy.
Example: by putting a role in a realm, you ensure
that only you (the realm owner) can grant this role
and that a DBA cannot.
• A realm lets you define who its owners are.
• Realm participants can use their system
privileges to access realm-protected objects;
realm owners can additionally grant and revoke
privileges on them.
More on realms
• DV includes a number of prebuilt realms, they
are:
o DV Account Management Realm: the most important
realm, it limits who can manage and create database
accounts.
o DV Realm: protects the DV schemas (DVSYS, DVF, and
LBACSYS)
o Oracle Data Dictionary Realm: protect the catalog, the
SYS schema, the SYSTEM schema.
o Oracle Enterprise Manager Realm: protect SYSMAN
and DBSNMP.
HOWTO use a Command rules to
secure User Activity.
• A command rule protects any activity on any
object in the database.
• It is based on a security policy expressed as a
rule set.
• A command rule is evaluated after the realm
check, and only if the realm check succeeds.
• DV checks all relevant command rules, and only if
all of them evaluate to true is the action
allowed.
• Command rules are enforced on top of regular
object privileges: a user who holds the privilege
for the statement is still blocked when the rule
set evaluates to false.
• Example 1:
• Build a command rule that disables the ability to
update the SCOTT.EMP table.
o Log on to the DV Administrator and in the
Administration tab click the Command rules link.
o In the Command Rules screen click on the Create
button at the top right.
o In the General area, select UPDATE from the
Command pull down and leave Enabled as the
Status.
o In the Applicability area select SCOTT as the Object
Owner and EMP as the Object Name.
o From the Rule Set drop-down select Disabled. This is a
prebuilt rule set that always evaluates to FALSE, so the
UPDATE is never allowed.
• Now SCOTT can insert into this table but cannot
update it; the UPDATE fails with ORA-47400:
Command Rule violation for UPDATE on SCOTT.EMP.
• Example 2:
• Allow UPDATEs only if the connection is made
locally over a bequeath session (BEQ).
• This takes three steps:
o Create a rule based on the Client_IP factor that
returns TRUE when the session has no client IP,
which is the case for a BEQ connection.
o Create a rule set with this one rule.
o Attach the rule set to the command rule from
Example 1.
o Logon to the DV Administrator, in the
Administration tab click on the Rule Sets link.
o Click the Create button at the right hand
corner.
o In the General area enter DISALLOW_TCP_ACCESS as
the Name and a description. Status should be Enabled,
Evaluation Options should be All True. Click OK.
o Select your new rule set from the list of rule
sets and click the Edit button.
o Scroll down to the Rules Associated To The Rule
Set area and click Create.
o Enter a name and the expression for the rule.
Click OK.
o Back on the Edit Rule Set page click OK. Now
you have a rule set with a single rule.
o Click on the database instance breadcrumb link at the
top left to navigate back to the home page.
o Click on the Command Rules link, select your
command rule (the UPDATE rule on SCOTT.EMP from
Example 1), and click the Edit button.
o In the Rule Set pull-down select your new rule set.
Click OK.
• Log in to the database as SCOTT over a BEQ
connection (sqlplus without a connect string):
the UPDATE succeeds.
• Log in to the database as SCOTT through the
listener (a TCP connection, sqlplus with @service):
the UPDATE is rejected by the command rule.
• DV provides a set of PL/SQL procedures that
can be used to create these constructs.
• These are part of the DBMS_MACADM
package within the DVSYS schema.
• Example 3: create a command rule that
disallows dropping the EMP table in the
SCOTT schema.
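Examples 1, 2 and 3 of this section, built with the DBMS_MACADM package instead of the DVA screens. This is an added example, not code from the original slides; it assumes you run it as DBVOWNER, that SCOTT.EMP exists, and that the database is reachable through the listener as the service name orcl for the TCP test. The rule name 'Is Local BEQ Connection' and the fail code 20001 are choices made here; the rule set name follows the slides (spelled DISALLOW_TCP_ACCESS).

```sql
-- Added example (not from the original slides): the three command rules of
-- this section via DVSYS.DBMS_MACADM. Run as the DV owner (DBVOWNER here).

-- Example 1: block every UPDATE on SCOTT.EMP with the prebuilt 'Disabled'
-- rule set, which always evaluates to FALSE.
BEGIN
  DVSYS.DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'UPDATE',
    rule_set_name => 'Disabled',
    object_owner  => 'SCOTT',
    object_name   => 'EMP',
    enabled       => DVSYS.DBMS_MACUTL.G_YES);
END;
/
--   As SCOTT:  INSERT INTO emp (empno, ename) VALUES (9999, 'TEST');  -- OK
--              UPDATE emp SET sal = sal * 2;   -- ORA-47400: Command Rule
--                                              --   violation for UPDATE on SCOTT.EMP

-- Example 2: allow UPDATE only over a local bequeath (BEQ) connection.
-- A BEQ session has no client IP address, so the Client_IP factor is NULL.
BEGIN
  DVSYS.DBMS_MACADM.CREATE_RULE(
    rule_name => 'Is Local BEQ Connection',
    rule_expr => 'DVF.F$CLIENT_IP IS NULL');

  DVSYS.DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'DISALLOW_TCP_ACCESS',
    description     => 'Passes only for local BEQ sessions',
    enabled         => DVSYS.DBMS_MACUTL.G_YES,
    eval_options    => DVSYS.DBMS_MACUTL.G_RULESET_EVAL_ALL,   -- "All True"
    audit_options   => DVSYS.DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DVSYS.DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'Updates are only allowed from a local BEQ session',
    fail_code       => 20001,
    handler_options => DVSYS.DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);

  DVSYS.DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'DISALLOW_TCP_ACCESS',
    rule_name     => 'Is Local BEQ Connection');

  -- Re-point the Example 1 command rule at the new rule set
  -- (this is the "Edit command rule, pick the new rule set" step).
  DVSYS.DBMS_MACADM.UPDATE_COMMAND_RULE(
    command       => 'UPDATE',
    rule_set_name => 'DISALLOW_TCP_ACCESS',
    object_owner  => 'SCOTT',
    object_name   => 'EMP',
    enabled       => DVSYS.DBMS_MACUTL.G_YES);
END;
/
--   sqlplus scott/<password>          (BEQ, ORACLE_SID set)  -> UPDATE succeeds
--   sqlplus scott/<password>@orcl     (TCP via the listener) -> UPDATE rejected,
--                                      the rule set failure message is shown

-- Example 3: nobody may drop SCOTT.EMP, whatever privileges they hold.
BEGIN
  DVSYS.DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'DROP TABLE',
    rule_set_name => 'Disabled',
    object_owner  => 'SCOTT',
    object_name   => 'EMP',
    enabled       => DVSYS.DBMS_MACUTL.G_YES);
END;
/
--   As SCOTT or SYSTEM:  DROP TABLE scott.emp;   -- ORA-47400
```

Note that the command rule is a separate decision from the realm: even when a realm lets SCOTT read and write EMP, the UPDATE and DROP TABLE rules above still apply to SCOTT, and a DBA who somehow passed the realm check would still be stopped by them.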
HOWTO use Rule Sets, Factors, and
secure Application roles
• Rule Set:
o Rule sets are used from within command rules, to
determine assignment of factors, to assign DV
secure application roles, and as part of realm
checks.
o A rule set is evaluated in one of two modes: with
Any True it evaluates to true if any of its member
rules evaluates to true (an OR set); with All True
it evaluates to true only if all of its member
rules evaluate to true (an AND set).
o DV comes with a set of prebuilt rule sets that
you can use:
Convenience rule sets:
  Enabled: use it to allow activity
  Disabled: use it to prevent activity
Template rule sets:
  Allow Sessions
  Can Grant Virtual Private Database (VPD) Administration
  Can Maintain Accounts/Profiles
  Can Maintain Own Account
  Check Trigger Init Parameter
• Factors:
o Factors are variables that you use within rules.
o They let you define rules that decide based on
the IP the connection is coming from, the time of
day the connection is made, the user making the
connection, the proxy user, and pretty much
anything else the Oracle database can be aware of.
o Each factor is exposed as a function in the DVF
schema (DVF.F$<FACTOR_NAME>). Some of the useful
factor functions are:
  DVF.F$CLIENT_IP: use it when you need to base a
  decision on the client IP from which the connection
  is made. Example: distinguish a listener (TCP)
  connection from a local bequeath (BEQ) connection,
  which has no client IP.
  DVF.F$NETWORK_PROTOCOL: use it when you need to
  make a decision based on the protocol the database
  client is using to connect to the server.
  DVF.F$MACHINE: use this factor when you need to
  make a decision based on the client hostname.
  DVF.F$ENTERPRISE_IDENTITY: use this factor to get the
  enterprise identity of the logged-on user when you use
  advanced authentication such as Kerberos, RADIUS, or
  Oracle Internet Directory (OID) authentication.
  DVF.F$PROXY_ENTERPRISE_IDENTITY: use this factor to
  get the OID Distinguished Name (DN) when the proxy
  user is an enterprise user.
  DVF.F$PROXY_USER: use this factor to get the proxy user
  as opposed to the user who opened the connection.
  DVF.F$IDENTIFICATION_TYPE: use this factor when you
  need to base your decision on how the user was
  identified.
  DVF.F$AUTHENTICATION_METHOD: use this factor to
  know how the user was authenticated, for example
  PASSWORD for database authentication, KERBEROS,
  SSL, RADIUS, OS, etc.
o Example: create a new factor to limit CONNECT.
Log in to the DV Administrator.
• Secure Application Roles:
o These are roles within the database that depend
on a rule set.
o DV secure application roles are enabled based on
the outcome of a DV rule set: a session enables the
role by calling DVSYS.DBMS_MACSEC_ROLES.SET_ROLE,
and the call succeeds only if the rule set
evaluates to true.
o DV secure application roles allow you to better
control the privileges that you assigned to these
roles.
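A worked version of the two examples above (the factor that limits CONNECT, and a DV secure application role), built with DBMS_MACADM. This is an added example, not code from the original slides; it assumes you run it as DBVOWNER and that the default factor type Time and the default Session_User factor exist. The factor name Office_Hours, the rule and rule set names, the role HR_PAYROLL_ROLE and the fail code 20002 are all made up for this example.

```sql
-- Added example (not from the original slides): a custom factor, a CONNECT
-- command rule built on it, and a DV secure application role gated by the
-- same rule set. Run as the DV owner (DBVOWNER here). All names are made up.
BEGIN
  -- Factor: 'Y' between 08:00 and 18:59 server time, 'N' otherwise.
  -- Evaluated by-access rather than by-session so a long-lived session
  -- cannot carry a stale 'Y' past closing time (costs a little per use).
  DVSYS.DBMS_MACADM.CREATE_FACTOR(
    factor_name      => 'Office_Hours',
    factor_type_name => 'Time',
    description      => 'Y when the server clock is inside office hours',
    rule_set_name    => NULL,
    get_expr         => q'[CASE WHEN TO_NUMBER(TO_CHAR(SYSDATE, 'HH24')) BETWEEN 8 AND 18 THEN 'Y' ELSE 'N' END]',
    validate_expr    => NULL,
    identify_by      => DVSYS.DBMS_MACUTL.G_IDENTIFY_BY_METHOD,
    labeled_by       => DVSYS.DBMS_MACUTL.G_LABELED_BY_SELF,
    eval_options     => DVSYS.DBMS_MACUTL.G_EVAL_ON_ACCESS,
    audit_options    => DVSYS.DBMS_MACUTL.G_AUDIT_OFF,
    fail_options     => DVSYS.DBMS_MACUTL.G_FAIL_SILENTLY);

  -- Rules. The second one is the escape hatch: a CONNECT rule set that can
  -- fail for every account also locks out the DV owner who would fix it.
  DVSYS.DBMS_MACADM.CREATE_RULE(
    rule_name => 'Is Office Hours',
    rule_expr => q'[DVF.F$OFFICE_HOURS = 'Y']');
  DVSYS.DBMS_MACADM.CREATE_RULE(
    rule_name => 'Is DV Or SYS Account',
    rule_expr => q'[DVF.F$SESSION_USER IN ('SYS', 'SYSTEM', 'DBVOWNER', 'DBVACCTMGR')]');

  -- "Any True": office hours for everybody, any time for the admin accounts.
  DVSYS.DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Office Hours Access',
    description     => 'Passes during office hours or for DV/SYS accounts',
    enabled         => DVSYS.DBMS_MACUTL.G_YES,
    eval_options    => DVSYS.DBMS_MACUTL.G_RULESET_EVAL_ANY,
    audit_options   => DVSYS.DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DVSYS.DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'Access is limited to office hours',
    fail_code       => 20002,
    handler_options => DVSYS.DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);
  DVSYS.DBMS_MACADM.ADD_RULE_TO_RULE_SET('Office Hours Access', 'Is Office Hours');
  DVSYS.DBMS_MACADM.ADD_RULE_TO_RULE_SET('Office Hours Access', 'Is DV Or SYS Account');

  -- The factor example from the slides: limit CONNECT. '%' means all
  -- owners/objects, which is how a CONNECT command rule is written.
  DVSYS.DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'CONNECT',
    rule_set_name => 'Office Hours Access',
    object_owner  => '%',
    object_name   => '%',
    enabled       => DVSYS.DBMS_MACUTL.G_YES);

  -- Secure application role: a normal role that can only be enabled through
  -- DVSYS.DBMS_MACSEC_ROLES.SET_ROLE, and only when the rule set passes.
  DVSYS.DBMS_MACADM.CREATE_ROLE(
    role_name     => 'HR_PAYROLL_ROLE',
    enabled       => DVSYS.DBMS_MACUTL.G_YES,
    rule_set_name => 'Office Hours Access');
END;
/

-- As the realm owner of SCOTT_EMP (SCOTT, if you authorized SCOTT as owner
-- when you built the realm), give the role its privileges:
--   GRANT SELECT, UPDATE ON scott.emp TO hr_payroll_role;

-- In an application session, at 10:00:
--   EXEC DVSYS.DBMS_MACSEC_ROLES.SET_ROLE('HR_PAYROLL_ROLE');  -- role enabled
-- The same call at 21:00 fails with the rule set message. A plain
--   SET ROLE hr_payroll_role;
-- is rejected for a DV secure application role at any time.
```

Design note: the Any True rule set with the admin-account rule is the one thing in this block you should not drop to simplify it. A CONNECT command rule whose rule set can fail for every account, including the DV owner, is a self-inflicted outage that then requires the disable procedure from the next section.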
HOWTO Disable and Enable DV
• Disable DV:
o Check whether DV is currently enabled:
SELECT * FROM V$OPTION WHERE PARAMETER = 'Oracle Database Vault';
o If DV is enabled, the VALUE column shows TRUE.
o Stop the database, Database Control console
process, and listener.
o Disable the Oracle Database Vault option:
In the ORACLE_HOME\bin directory, rename the
oradv11.dll file to another name, such as
oradv11.dll.dbl.
o Restart the database, Database Control console
process, and listener.
o If the reason you needed to disable Oracle
Database Vault was because of forgotten
passwords, then connect as SYS or SYSTEM and
reset the password.
• At a command prompt, run Oracle Database
Vault Configuration Assistant (DVCA) by using
the dvca -action disable option.
• Connect to SQL*Plus as SYS using the SYSDBA
privilege, and then run the following ALTER
TRIGGER statement:
• Enable DV:
o At a command prompt, use DVCA to reenable
Oracle Database Vault.
o Stop the database, Database Control console
process, and listener.
o Enable the Oracle Database Vault option: rename
the backed-up copy of the oradv11.dll file (for
example, oradv11.dll.dbl) back to oradv11.dll. Ensure
that the name of the Oracle Label Security
library is oralbac11.dll (and not oralbac11.dll.dbl
or some other backup name).
o Restart the database, Database Control console
process, and listener.
HOWTO Use Reports in DV
• DV reports fall into three groups: DV configuration
issue reports, DV auditing reports, and general
security reports.
• The configuration issue reports show information
about problems involving command rules,
factors, realm authorizations, etc
• The DV auditing reports show information on
activities that caused DV audit records to be
reported based on your definitions.
• The general security reports available to you are
listed by category.
HOWTO Better Understand DV’s
Impact on Performance
• DV introduces quite a lot of security
functionalities and nothing comes for free.
• You should understand the effect of each of
these features on the performance of your
database
• Realms and performance
– As a rule of thumb, the performance impact of
realms is negligible and can add ~1–3 percent
CPU overhead.
– In any case, you should completely avoid
enclosing a realm within another realm as this will
adversely affect performance.
• Command rules and performance
– Most of the effect command rules have on
performance are caused by badly designed rule
sets and the procedures that are fired by rule sets.
– If you make sure that your rule sets are simple,
command rule overhead on DML operations can
be reduced to as low as 1–5 percent
• Rule sets and performance
– Rule sets are the most dangerous in terms of
effect on performance and you should review
them very carefully
– In terms of design, the more rules you have and
the more complex the rules are, the more
performance impact you will see.
• Factors and performance
– There are two evaluation types for factors:
by-session (evaluated once, at login) and by-access
(evaluated every time the factor is used). Factors
can affect performance mainly in two cases.
– By-access factors should be avoided if possible;
almost all commonly used factors are by-session
factors.
– You should delete all by-session factors that you
do not use, to limit the work done at every login.
• DV auditing and performance
– Enable only the DV auditing that you are required
to collect.
Miscellaneous Discussion – Is Auditing
Alone Enough?
• This is almost a philosophical discussion and
there is no right or wrong answer—it is
subjective as are many things in security.
• You should remember the following points:
– Systems that prevent usually imply less ongoing
work than systems that only monitor and
audit.
– Auditors and regulators look for preventive
controls.
– There is a big difference between the need to
monitor or track changes and alert when DV is
disabled and the need to monitor and review all
DBA activity.
– Real prevention is different from prevention based
on deterrence. Oracle has DV, none of the other
database platforms has an equivalent capability.
– You need to understand these tradeoffs and make
an educated decision.