a first look at database vault david bergmeier. overview installation limitations securing data ...

A First look atA First look atDatabase VaultDatabase Vault

David BergmeierDavid Bergmeier

Overview

Installation

Limitations

Securing Data

Backups

A trigger problem

AgendaAgenda

Senior Oracle DBA

Worked for MGA nearly 2 years

Background as an Analyst/Programmer

12 years in financial services industry

Started using Oracle in 1996

About meAbout me

Why Oracle Database Vault?

• Don’t trust the DBA

• Regulatory Compliance(e.g. Sarbanes Oxley)

• Separation of duties

OverviewOverview

Separation of dutiesSeparation of duties

connect / as sysdbacreate user david ...grant dba to david;select * from scott.emp;

Separation of dutiesSeparation of duties

Overview

Installation

Limitations

Securing Data

Backups

A trigger problem

AgendaAgenda

• Oracle 10.2.0.3

• 1024 MB of Physical RAM

• Swap space (1.5 times RAM)

• 400 MB in /tmp

• 270 MB for database vault binaries

• 10 MB additional for database files

PrerequisitesPrerequisites

Installation

• Assumes one instance per Oracle home

• But can support more

PrerequisitesPrerequisites

InstallationInstallation

InstallationInstallationUser to receive DV_OWNER role

InstallationInstallationPasswords must

have alpha, numeric & special


User to receive DV_ACCTMGR role

Overview

Installation

Limitations

Securing Data

Backups

A trigger problem

AgendaAgenda

Let’s start the database

The First ProblemThe First Problem

I cannot login as SYDBA

So how do I start/stop Oracle?


connect / as SYSOPER


Overview

Installation

Limitations

Securing Data

Backups

A trigger problem

AgendaAgenda

$ lsnrctl start

$ emctl start dbconsole

Securing Some DataSecuring Some Data

$ sqlplus system/manager

SQL> select * from scott.emp;

...

14 rows selected.

SQL>


A realm is a

functional grouping of schemas and roles that are

secured.

What is a Realm?What is a Realm?

What is a Realm?What is a Realm?

Realm

Secured Objects Authorizations

One

Many


select * from scott.emp

*

ERROR at line 1:

ORA-01031: Insufficient Privileges

SQL>


SQL> select * from scott.dept; DEPTNO DNAME LOC---------- -------------- -------- 10 ACCOUNTING NEW YORK 20 RESEARCH DALLAS 30 SALES CHICAGO 40 OPERATIONS BOSTONSQL>


That’s the end of the tutorial.

So now let’s consider a real world application.


Real world ExampleReal world Example

EMP

application user

SCOTT

Application server connects to database as

single user


EMP

application user

support users

SCOTT

Support users connect with

individual accounts with

read-only access


EMP

grant select insert update delete

scott_app_user

scott_ro_role

scott_rogrant select

grant role

SCOTT

SQL> connect system/manager

SQL> create user scott_app_user

2> identified by tiger

3> default tablespace USERS;

identified by tiger

*

ERROR at line 2:


Create UserCreate User

SQL> connect dbu/manager

SQL> create user scott_app_user



User created.

SQL> grant connect to scott_app_user;



SQL> create user scott_ro



User created.

SQL> grant connect to scott_ro;



SQL> create role scott_ro_role;

Role created.

SQL> grant scott_ro_role to scott_ro;

Grant succeeded.

SQL>

Create RoleCreate Role

SQL> connect scott/tiger

SQL> grant select,insert,update,delete on emp to scott_app_user;

Grant succeeded.

SQL> grant select on emp to scott_ro_role;

Grant succeeded.

SQL>

GrantsGrants

Now to test it...


SQL> connect scott_ro/tiger


14 rows selected.

SQL> delete from scott.emp;

delete from scott.emp

*

ERROR at line 1:


Testing scott_roTesting scott_ro

SQL> connect scott_app_user/tiger


14 rows selected.


14 rows deleted.

SQL> rollback;

Testing scott_app_userTesting scott_app_user



14 rows selected.



*

ERROR at line 1:


Testing systemTesting system


SQL> select * from session_roles;

ROLE---------------------------DV_PUBLICDBA...SCOTT_RO_ROLE

14 rows selected.

SQL>

What went wrong?What went wrong?

How did SYSTEM get

SCOTT_RO_ROLE?



SQL> create role foo;

Role created.

SQL> set role all;

Role set.


ROLE---------------------------DV_PUBLIC...FOO


So now we have a problem!


If we only revoke the role, SYSTEM can grant it again.

How do we prevent this?


SQL> drop role scott_ro_role;

Role dropped.


ROLE---------------------------DV_PUBLIC...MGMT_USER

13 rows selected.

SQL>

Remove the RoleRemove the Role

DV_ACCTMGR has• create/drop user

• alter user account lock/unlock

• alter user password expire

• grant/revoke CONNECT role

Problem with DV_ACCTMGRProblem with DV_ACCTMGR

DV_ACCTMGR needs• create role

• alter any role

• drop any role

• SELECT_CATALOG_ROLE

To get these, we need to login as SYSDBA

Problem with DV_ACCTMGRProblem with DV_ACCTMGR

$ cd $ORACLE_HOME/dbs

$ orapwd file=orapwmozart password=mozart entries=20 force=y nosysdba=n

$ sqlplus sys/mozart as sysdba

SQL> startup

SQL> alter user sys identified by mozart;

Allow SYSDBAAllow SYSDBA

SQL> connect sys/mozart as sysdba

SQL> grant create role to DV_ACCTMGR;

SQL> grant alter any role to DV_ACCTMGR;

SQL> grant drop any role to DV_ACCTMGR;

Grants to DV_ACCTMGRGrants to DV_ACCTMGR

SELECT_CATALOG_ROLESELECT_CATALOG_ROLE

Fixing DV_ACCTMGRFixing DV_ACCTMGR


SQL> create role scott_ro_role;

Role created.

SQL>

Create Role as DV_ACCTMGRCreate Role as DV_ACCTMGR

At this stage we delay granting scott_ro_role

Securing SCOTT_RO_ROLESecuring SCOTT_RO_ROLE



grant scott_ro_role to scott_ro

*

ERROR at line 1:

ORA-47401: Realm violation for grant role privilege on SCOTT_RO_ROLE

Granting SCOTT_RO_ROLEGranting SCOTT_RO_ROLE

So who can/should

do the grant of SCOTT_RO_ROLE ?


So who can/should

do the grant of SCOTT_RO_ROLE ?

Answer: SCOTT


Answer: SCOTT

Provided SCOTT can only grant SCOTT_RO_ROLE

and not other roles

like DBA.


One more grant as SYSDBA



SQL> grant grant any role to scott;

Grant succeeded.

SQL>

SQL> connect scott/tiger


Grant succeeded.

SQL> revoke scott_ro_role from dbu;

Revoke succeeded.

SQL>


SQL> connect scott/tigerSQL> grant DBA to scott;grant DBA to scott*ERROR at line 1:ORA-00604: error occurred at recursive SQL level 1

ORA-47401: Realm violation for grant role privilege on UNLIMITED TABLESPACE.


WHY?


The DBA role

is protected by the

“Oracle Data Dictionary” Realm.


Now to test it...

Again


SQL> connect scott_ro/tiger


14 rows selected.



*

ERROR at line 1:


Testing scott_ro againTesting scott_ro again

SQL> connect scott_app_user/tiger


14 rows selected.


14 rows deleted.

SQL> rollback;

Testing scott_app_userTesting scott_app_user



ERROR at line 1:



ERROR at line 1:


Testing system againTesting system again



ERROR at line 1:



ERROR at line 1:


Testing SYSDBATesting SYSDBA



ERROR at line 1:



ERROR at line 1:


Testing DV_ACCTMGRTesting DV_ACCTMGR

SQL> connect dbv/manager


ERROR at line 1:



ERROR at line 1:


Testing DV_ADMINTesting DV_ADMIN

Let’s review the actions performed by each of the different users/roles

Separation of DutiesSeparation of Duties

SYS as SYSDBA

• Grant role privileges to DV_ACCTMGR(one time)

• Grant “grant any role” to SCOTT(once per application)


DV_ADMIN (user = dbv)

• Realm authorizations (once per application)

• Command Rules(one time)


DV_ACCTMGR (user = dbu)

• Create user (ongoing)

• Grant connect (ongoing)

• Create role (once per app)


Schema owner (SCOTT)

• Grant object privileges(once per application)

• Grant SCOTT_RO_ROLE (ongoing)


DBA (user = system)

• Nothing


Overview

Installation

Limitations

Securing Data

Backups

A trigger problem

AgendaAgenda

Impact of Backups

• Export

• Data Pump

• RMAN

BackupsBackups

Export

• Lots of ORA-01031

• Will be unable to Import

• Not viable

BackupsBackups

Data Pump

• Not tested

BackupsBackups

RMAN

• Requires SYSDBA access

• May need to hardcode SYS password or use wallet

• Works successfully

BackupsBackups

Overview

Installation

Limitations

Securing Data

Backups

A trigger problem

AgendaAgenda

Error creating trigger

• Minor changes to whitespace in trigger source caused compile success/failure

• Known Bug: 5630439

• ORA-47999: internal Database Vault error: create trigger

Trigger ProblemTrigger Problem

Workaround available• Login as dv_owner account

• alter trigger dvsys.DV_BEFORE_DDL_TRG disable

• Login as SCOTT and create trigger

• Login as dv_owner account

• alter trigger dvsys.DV_BEFORE_DDL_TRG enable

Trigger ProblemTrigger Problem

You probably don’t need Database Vault

It’s a trade off between more security with more bureaucracy

It seems to work okay but there are some bugs

Typical work arounds involve deactivating Database Vault

ConclusionConclusion

The EndThe End

Thank you for your attendance

[email protected]

http://www.mga.com.au

a first look at database vault david bergmeier. overview installation limitations securing data ...

Documents