database vault 2007

8/10/2019 Database Vault 2007

1/119

A First look at

Database Vault

David Bergmeier


2/119

Overview

Installation

Limitations

Securing Data

Backups

A trigger problem

Agenda


3/119


4/119

Why Oracle Database Vault?

Dont trust the DBA

Regulatory Compliance(e.g. Sarbanes Oxley)

Separation of duties

Overview


5/119


connect / as sysdba

create user david ...grant dba to david;select * from scott.emp;


6/119


connect / as sysdba

create user david ...grant dba to david;select * from scott.emp;


7/119



8/119



9/119



10/119

Overview

Installation

Limitations

Securing Data

Backups

A trigger problem

Agenda


11/119

Oracle 10.2.0.3

1024 MB of Physical RAM

Swap space (1.5 times RAM)

400 MB in /tmp

270 MB for database vault binaries

10 MB additional for database files

Prerequisites


12/119

Installation

Assumes one instance per Oracle home

But can support more

Prerequisites


13/119

Installation


14/119

Installation

User to receive

DV_OWNER role


15/119

Installation

Passwords must

have alpha,

numeric special


16/119

Installation

User to receive

DV_ACCTMGR role


17/119

Installation


18/119


19/119

Installation


20/119

Installation


21/119

Installation


22/119

Installation


23/119


24/119

Overview

Installation

Limitations

Securing Data

Backups

A trigger problem

Agenda


25/119

Lets start the database

The First Problem


26/119

The First Problem


27/119

The First Problem


28/119

I cannot login as SYDBA

So how do I start/stop Oracle?

The First Problem


29/119

connect / as SYSOPER

The First Problem


30/119


31/119

Overview

Installation

Limitations

Securing Data

Backups

A trigger problem

Agenda


32/119

$ lsnrctl start

$ emctl start dbconsole

Securing Some Data


33/119

$ sqlplus system/manager

SQL> select * from scott.emp;...

14 rows selected.

SQL>

Securing Some Data


34/119

Securing Some Data


35/119

Securing Some Data


36/119

Securing Some Data


37/119

Securing Some Data


38/119

A realm is a

functional grouping of

schemasand rolesthat are secured.

What is a Realm?


39/119

What is a Realm?

Realm

Secured Objects Authorizations

One

Many


40/119

Securing Some Data


41/119

Securing Some Data


42/119

Securing Some Data


43/119

Securing Some Data


44/119

Securing Some Data


45/119


46/119

Securing Some Data


47/119

SQL> select * from scott.emp;

select * from scott.emp

*

ERROR at line 1:ORA-01031: Insufficient Privileges

SQL>

Securing Some Data


48/119

SQL> select * from scott.dept;DEPTNO DNAME LOC

---------- -------------- --------10 ACCOUNTING NEW YORK20 RESEARCH DALLAS30 SALES CHICAGO40 OPERATIONS BOSTON

SQL>

Securing Some Data


49/119

Thats the end of the tutorial.

So now lets consider a real worldapplication.

Securing Some Data


50/119


51/119

Real world Example

EMP

application user

support users

SCOTT

Support users

connect with

individual

accounts with

read-only access


52/119

Real world Example

EMP

grant select insert

update delete

scott_app_user

scott_ro_role

scott_ro

grant select

grant role

SCOTT


53/119

SQL> connect system/manager

SQL> create user scott_app_user

2> identified by tiger

3> default tablespace USERS;

identified by tiger

*


Create User


54/119

SQL> connect dbu/manager

SQL> create user scott_app_user



User created.

SQL> grant connect toscott_app_user;

Create User


55/119


SQL> create user scott_ro



User created.

SQL> grant connect to scott_ro;

Create User

Create Role


56/119


SQL> create role scott_ro_role;

Role created.

SQL> grant scott_ro_roleto scott_ro;

Grant succeeded.

SQL>

Grants


57/119

SQL> connect scott/tiger

SQL> grant select,insert,update,delete on emp to scott_app_user;

Grant succeeded.

SQL> grant select on emp toscott_ro_role;

Grant succeeded.

SQL>

Real world Example


58/119

Now to test it...


59/119

Testing scott_ro


60/119

SQL> connect scott_ro/tiger


14 rows selected.

SQL> delete from scott.emp;delete from scott.emp

*

ERROR at line 1:

ORA-01031: Insufficient Privileges

Testing scott_app_user


61/119

SQL> connect scott_app_user/tiger


14 rows selected.

SQL> delete from scott.emp;

14 rows deleted.

SQL> rollback;



62/119

SQL> connect scott_app_user/tiger


14 rows selected.


14 rows deleted.

SQL> rollback;

Testing system


63/119



14 rows selected.


*

ERROR at line 1:


Testing system


64/119



14 rows selected.


*

ERROR at line 1:


What went wrong?


65/119


SQL> select * from session_roles;

ROLE---------------------------DV_PUBLICDBA...SCOTT_RO_ROLE

14 rows selected.

SQL>


66/119

What went wrong?


67/119


SQL> create role foo;Role created.

SQL> set role all;

Role set.SQL> select * from session_roles;

ROLE---------------------------DV_PUBLIC...FOO

What went wrong?


68/119

So now we have a problem!

If we only revoke the role,

SYSTEM can grant it again.

How do we prevent this?

Remove the Role


69/119


SQL> drop role scott_ro_role;Role dropped.

SQL> select * from session_roles;

ROLE---------------------------DV_PUBLIC...MGMT_USER

13 rows selected.

SQL>

Problem with DV_ACCTMGR


70/119

DV_ACCTMGR has

create/drop user

alter user account lock/unlock

alter user password expire

grant/revoke CONNECT role


71/119

Allow SYSDBA


72/119

$ cd $ORACLE_HOME/dbs

$ orapwd file=orapwmozartpassword=mozartentries=20force=y

nosysdba=n$ sqlplus sys/mozart as sysdba

SQL> startup

SQL> alter user sys identifiedby mozart;

Grants to DV_ACCTMGR


73/119

SQL> connect sys/mozart as sysdba

SQL> grant create roleto DV_ACCTMGR;

SQL> grant alter any roleto DV_ACCTMGR;

SQL> grant drop any role

to DV_ACCTMGR;

SELECT_CATALOG_ROLE


74/119

SELECT_CATALOG_ROLE


75/119

Fixing DV_ACCTMGR


76/119

Fixing DV_ACCTMGR


77/119

Fixing DV_ACCTMGR


78/119

SQL> t db /

Create Role as DV_ACCTMGR


79/119


SQL> create role scott_ro_role;

Role created.

SQL>

At this stage we delay granting

scott_ro_role

Securing SCOTT_RO_ROLE


80/119

Securing SCOTT_RO_ROLE


81/119


Granting SCOTT_RO_ROLE


82/119



grant scott_ro_role to scott_ro

*ERROR at line 1:

ORA-47401: Realm violation for

grant role privilege onSCOTT_RO_ROLE



83/119

So who can/shoulddo the grant of

SCOTT_RO_ROLE ?


84/119



85/119

Answer: SCOTT

ProvidedSCOTT can only

grant SCOTT_RO_ROLE

and not other roles

like DBA.



86/119

One more grant as SYSDBASQL> connect sys/mozart as sysdba

SQL> grant grant any role to scott;

Grant succeeded.

SQL>




87/119



Grant succeeded.

SQL> revoke scott_ro_rolefrom dbu;

Revoke succeeded.

SQL>




88/119


SQL> grant DBA to scott;grant DBA to scott*ERROR at line 1:

ORA-00604: error occurred atrecursive SQL level 1

ORA-47401: Realm violation for

grant role privilege onUNLIMITED TABLESPACE.



89/119

WHY?



90/119

The DBA roleis protected by the

Oracle Data DictionaryRealm.



91/119

Now to test it...

Again


92/119

SQL> connect scott ro/tiger

Testing scott_ro again


93/119

Q _ / g


14 rows selected.


*


SQL> connect scott app user/tiger



94/119

Q _ pp_ g


14 rows selected.

SQL> delete from scott.emp;14 rows deleted.

SQL> rollback;

SQL> connect scott app user/tiger



95/119

_ pp_ g


14 rows selected.

SQL> delete from scott.emp;14 rows deleted.

SQL> rollback;


96/119


97/119


Testing SYSDBA


98/119

SQL> select * from scott.emp;ERROR at line 1:



ERROR at line 1:



Testing SYSDBA


99/119




ERROR at line 1:



Testing DV_ACCTMGR


100/119




ERROR at line 1:



Testing DV_ACCTMGR


101/119




ERROR at line 1:


SQL> connect dbv/manager

Testing DV_ADMIN


102/119




ERROR at line 1:


SQL> connect dbv/manager

Testing DV_ADMIN


103/119




ERROR at line 1:



104/119

Separation of Duties


105/119

SYS as SYSDBA

Grant role privileges to

DV_ACCTMGR(one time)

Grant grant any role to

SCOTT(once per application)


106/119



107/119

DV_ACCTMGR (user = dbu)

Create user (ongoing)

Grant connect (ongoing)

Create role (once per app)



108/119

Schema owner (SCOTT)

Grant object privileges

(once per application) Grant SCOTT_RO_ROLE

(ongoing)



109/119

DBA (user = system)

Nothing

Overview

Agenda


110/119

Overview

Installation

Limitations

Securing Data

Backups

A trigger problem


111/119

Backups


112/119

Export

Lots of ORA-01031

Will be unable to Import

Not viable

Backups


113/119

Data Pump

Not tested

Backups


114/119

RMAN Requires SYSDBA access

May need to hardcode SYSpassword or use wallet

Works successfully

Overview

Agenda


115/119

Installation

Limitations

Securing Data

Backups

A trigger problem

Error creating trigger

Trigger Problem


116/119

g gg

Minor changes to whitespacein trigger source causedcompile success/failure

Known Bug: 5630439

ORA-47999: internal DatabaseVault error: create trigger

Workaround available

Trigger Problem


117/119

Login as dv_owner account

alter triggerdvsys.DV_BEFORE_DDL_TRG disable

Login as SCOTT and create trigger

Login as dv_owner account

alter triggerdvsys.DV_BEFORE_DDL_TRG enable


118/119


119/119

The End

Thank you for your attendance

[email protected]

http://www.mga.com.au

database vault 2007

Documents