database vault 2007
TRANSCRIPT
-
8/10/2019 Database Vault 2007
1/119
A First look at
Database Vault
David Bergmeier
-
Agenda
Overview
Installation
Limitations
Securing Data
Backups
A trigger problem
-
Overview
Why Oracle Database Vault?
Don't trust the DBA
Regulatory compliance (e.g. Sarbanes-Oxley)
Separation of duties
-
Separation of duties
connect / as sysdba
create user david ...
grant dba to david;
select * from scott.emp;
-
Separation of duties
-
Agenda
Overview
Installation
Limitations
Securing Data
Backups
A trigger problem
-
Prerequisites
Oracle 10.2.0.3
1024 MB of physical RAM
Swap space (1.5 times RAM)
400 MB in /tmp
270 MB for Database Vault binaries
10 MB additional for database files
-
Prerequisites
Installation assumes one instance per Oracle home, but can support more.
-
Installation
User to receive the DV_OWNER role
-
Installation
Passwords must contain alphabetic, numeric and special characters
-
Installation
User to receive the DV_ACCTMGR role
-
Installation
-
Agenda
Overview
Installation
Limitations
Securing Data
Backups
A trigger problem
-
The First Problem
Let's start the database
-
The First Problem
I cannot login as SYSDBA. So how do I start/stop Oracle?
-
The First Problem
connect / as SYSOPER
-
Agenda
Overview
Installation
Limitations
Securing Data
Backups
A trigger problem
-
Securing Some Data
$ lsnrctl start
$ emctl start dbconsole
-
Securing Some Data
$ sqlplus system/manager
SQL> select * from scott.emp;
...
14 rows selected.
SQL>
-
Securing Some Data
-
What is a Realm?
A realm is a functional grouping of schemas and roles that are secured.
-
What is a Realm?
One realm has many secured objects and many authorizations.
-
Securing Some Data
-
Securing Some Data
SQL> select * from scott.emp;
select * from scott.emp
*
ERROR at line 1:
ORA-01031: Insufficient Privileges
SQL>
-
Securing Some Data
SQL> select * from scott.dept;

    DEPTNO DNAME          LOC
---------- -------------- --------
        10 ACCOUNTING     NEW YORK
        20 RESEARCH       DALLAS
        30 SALES          CHICAGO
        40 OPERATIONS     BOSTON

SQL>
-
Securing Some Data
That's the end of the tutorial. So now let's consider a real world application.
-
Real world Example
SCOTT owns EMP, which is accessed by an application user and by support users.
Support users connect with individual accounts with read-only access.
-
Real world Example
SCOTT grants select, insert, update, delete on EMP to scott_app_user.
SCOTT grants select on EMP to scott_ro_role.
scott_ro_role is granted to scott_ro.
-
Create User
SQL> connect system/manager
SQL> create user scott_app_user
2> identified by tiger
3> default tablespace USERS;
identified by tiger
*
ERROR at line 2:
ORA-01031: Insufficient Privileges
-
Create User
SQL> connect dbu/manager
SQL> create user scott_app_user
2> identified by tiger
3> default tablespace USERS;
User created.
SQL> grant connect to scott_app_user;
-
Create User
SQL> connect dbu/manager
SQL> create user scott_ro
2> identified by tiger
3> default tablespace USERS;
User created.
SQL> grant connect to scott_ro;
-
Create Role
SQL> connect system/manager
SQL> create role scott_ro_role;
Role created.
SQL> grant scott_ro_role to scott_ro;
Grant succeeded.
SQL>
-
Grants
SQL> connect scott/tiger
SQL> grant select,insert,update,delete on emp to scott_app_user;
Grant succeeded.
SQL> grant select on emp to scott_ro_role;
Grant succeeded.
SQL>
-
Real world Example
Now to test it...
-
Testing scott_ro
SQL> connect scott_ro/tiger
SQL> select * from scott.emp;
14 rows selected.
SQL> delete from scott.emp;
delete from scott.emp
*
ERROR at line 1:
ORA-01031: Insufficient Privileges
-
Testing scott_app_user
SQL> connect scott_app_user/tiger
SQL> select * from scott.emp;
14 rows selected.
SQL> delete from scott.emp;
14 rows deleted.
SQL> rollback;
-
Testing system
SQL> connect system/manager
SQL> select * from scott.emp;
14 rows selected.
SQL> delete from scott.emp;
delete from scott.emp
*
ERROR at line 1:
ORA-01031: Insufficient Privileges
-
What went wrong?
SQL> connect system/manager
SQL> select * from session_roles;

ROLE
------------------------------
DV_PUBLIC
DBA
...
SCOTT_RO_ROLE

14 rows selected.

SQL>
-
What went wrong?
SQL> connect system/manager
SQL> create role foo;
Role created.
SQL> set role all;
Role set.
SQL> select * from session_roles;

ROLE
------------------------------
DV_PUBLIC
...
FOO
-
What went wrong?
So now we have a problem! If we only revoke the role, SYSTEM can grant it again. How do we prevent this?
-
Remove the Role
SQL> connect system/manager
SQL> drop role scott_ro_role;
Role dropped.
SQL> select * from session_roles;

ROLE
------------------------------
DV_PUBLIC
...
MGMT_USER

13 rows selected.

SQL>
-
Problem with DV_ACCTMGR
DV_ACCTMGR has:
create/drop user
alter user account lock/unlock
alter user password expire
grant/revoke CONNECT role
-
Allow SYSDBA
$ cd $ORACLE_HOME/dbs
$ orapwd file=orapwmozart password=mozart entries=20 force=y nosysdba=n
$ sqlplus sys/mozart as sysdba
SQL> startup
SQL> alter user sys identified by mozart;
-
Grants to DV_ACCTMGR
SQL> connect sys/mozart as sysdba
SQL> grant create role to DV_ACCTMGR;
SQL> grant alter any role to DV_ACCTMGR;
SQL> grant drop any role to DV_ACCTMGR;
-
SELECT_CATALOG_ROLE
-
Fixing DV_ACCTMGR
-
Create Role as DV_ACCTMGR
SQL> connect dbu/manager
SQL> create role scott_ro_role;
Role created.
SQL>
At this stage we delay granting scott_ro_role.
-
Securing SCOTT_RO_ROLE
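The realm itself (introduced on the "What is a Realm?" slides) was configured through the Database Vault Administrator screens, which the transcript does not preserve. As an added example, not from the presentation, this is the equivalent configuration through the DBMS_MACADM API, run as the DV_OWNER account: a realm that secures SCOTT.EMP and the SCOTT_RO_ROLE role and authorises SCOTT as realm owner. The realm name and description are assumptions.

```sql
-- Added example (not the deck's own code): realm configuration via the
-- DBMS_MACADM API. Run as the DV_OWNER account. Realm name is assumed.
BEGIN
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'SCOTT EMP Realm',
    description   => 'Protects SCOTT.EMP and its read-only role',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);

  -- Secured object 1: the EMP table only. DEPT is left outside the realm,
  -- which is why SYSTEM could still select scott.dept on the earlier slide.
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'SCOTT EMP Realm',
    object_owner => 'SCOTT',
    object_name  => 'EMP',
    object_type  => 'TABLE');

  -- Secured object 2: the role. Roles have no owner, so '%' is used.
  -- A GRANT of this role by anyone not authorised in the realm now fails
  -- with ORA-47401, as the 'Granting SCOTT_RO_ROLE' slides show for dbu.
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'SCOTT EMP Realm',
    object_owner => '%',
    object_name  => 'SCOTT_RO_ROLE',
    object_type  => 'ROLE');

  -- Authorisation: SCOTT as realm owner (no rule set attached), so SCOTT
  -- may use the secured objects and grant the secured role.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'SCOTT EMP Realm',
    grantee       => 'SCOTT',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_OWNER);
END;
/

-- Check 1: what the realm secures (expect the EMP table and the role).
SELECT r.name, r.enabled, o.owner, o.object_name, o.object_type
  FROM dvsys.dba_dv_realm r
  JOIN dvsys.dba_dv_realm_object o ON o.realm_name = r.name
 WHERE r.name = 'SCOTT EMP Realm';

-- Check 2: who is authorised in it (expect SCOTT as owner only).
SELECT realm_name, grantee, auth_rule_set_name, auth_options
  FROM dvsys.dba_dv_realm_auth
 WHERE realm_name = 'SCOTT EMP Realm';
```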
-
Granting SCOTT_RO_ROLE
SQL> connect dbu/manager
SQL> grant scott_ro_role to scott_ro;
grant scott_ro_role to scott_ro
*
ERROR at line 1:
ORA-47401: Realm violation for grant role privilege on SCOTT_RO_ROLE
-
Granting SCOTT_RO_ROLE
So who can/should do the grant of SCOTT_RO_ROLE?
-
Granting SCOTT_RO_ROLE
Answer: SCOTT, provided SCOTT can only grant SCOTT_RO_ROLE and not other roles like DBA.
-
Granting SCOTT_RO_ROLE
One more grant as SYSDBA
SQL> connect sys/mozart as sysdba
SQL> grant grant any role to scott;
Grant succeeded.
SQL>
-
Granting SCOTT_RO_ROLE
SQL> connect scott/tiger
SQL> grant scott_ro_role to scott_ro;
Grant succeeded.
SQL> revoke scott_ro_role from dbu;
Revoke succeeded.
SQL>
-
Granting SCOTT_RO_ROLE
SQL> connect scott/tiger
SQL> grant DBA to scott;
grant DBA to scott
*
ERROR at line 1:
ORA-00604: error occurred at recursive SQL level 1
ORA-47401: Realm violation for grant role privilege on UNLIMITED TABLESPACE.
-
Granting SCOTT_RO_ROLE
WHY?
-
Granting SCOTT_RO_ROLE
The DBA role is protected by the Oracle Data Dictionary Realm.
-
Granting SCOTT_RO_ROLE
Now to test it... Again
-
Testing scott_ro again
SQL> connect scott_ro/tiger
SQL> select * from scott.emp;
14 rows selected.
SQL> delete from scott.emp;
delete from scott.emp
*
ERROR at line 1:
ORA-01031: Insufficient Privileges
-
Testing scott_app_user
SQL> connect scott_app_user/tiger
SQL> select * from scott.emp;
14 rows selected.
SQL> delete from scott.emp;
14 rows deleted.
SQL> rollback;
-
Testing SYSDBA
SQL> connect sys/mozart as sysdba
SQL> select * from scott.emp;
ERROR at line 1:
ORA-01031: Insufficient Privileges
SQL> delete from scott.emp;
ERROR at line 1:
ORA-01031: Insufficient Privileges
-
Testing DV_ACCTMGR
SQL> connect dbu/manager
SQL> select * from scott.emp;
ERROR at line 1:
ORA-01031: Insufficient Privileges
SQL> delete from scott.emp;
ERROR at line 1:
ORA-01031: Insufficient Privileges
-
Testing DV_ADMIN
SQL> connect dbv/manager
SQL> select * from scott.emp;
ERROR at line 1:
ORA-01031: Insufficient Privileges
SQL> delete from scott.emp;
ERROR at line 1:
ORA-01031: Insufficient Privileges
-
Separation of Duties
SYS as SYSDBA:
Grant role privileges to DV_ACCTMGR (one time)
Grant GRANT ANY ROLE to SCOTT (once per application)
-
Separation of Duties
DV_ACCTMGR (user = dbu):
Create user (ongoing)
Grant connect (ongoing)
Create role (once per app)
-
Separation of Duties
Schema owner (SCOTT):
Grant object privileges (once per application)
Grant SCOTT_RO_ROLE (ongoing)
-
Separation of Duties
DBA (user = system):
Nothing
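The separation of duties summarised above can be verified in the data dictionary. As an added example, not part of the presentation, these queries check the end state using the account and role names from the deck; they assume an account that can read the DBA_* views, for instance one holding SELECT_CATALOG_ROLE.

```sql
-- Added example (not the deck's own code): dictionary checks for the
-- final separation of duties. Assumes read access to the DBA_* views.

-- 1. Who holds SCOTT_RO_ROLE? Grantees may be users or roles.
--    Expected after the fix: SCOTT_RO only. SYSTEM and DBU must be gone,
--    since whoever holds it can 'set role' into read access on EMP.
SELECT grantee, granted_role, admin_option
  FROM dba_role_privs
 WHERE granted_role = 'SCOTT_RO_ROLE'
 ORDER BY grantee;

-- 2. Who can grant roles at all? GRANT ANY ROLE was given to SCOTT once
--    per application; anything else here should be an Oracle-shipped role
--    (DBA etc.) and needs a reason.
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege = 'GRANT ANY ROLE'
 ORDER BY grantee;

-- 3. Does DV_ACCTMGR carry exactly the extra role privileges granted as
--    SYSDBA on the 'Grants to DV_ACCTMGR' slide? Expect three rows.
SELECT privilege
  FROM dba_sys_privs
 WHERE grantee = 'DV_ACCTMGR'
   AND privilege IN ('CREATE ROLE', 'ALTER ANY ROLE', 'DROP ANY ROLE')
 ORDER BY privilege;

-- 4. Object privileges on SCOTT.EMP and who granted them. Every row
--    should show GRANTOR = SCOTT: scott_app_user with select, insert,
--    update, delete and SCOTT_RO_ROLE with select.
SELECT grantee, privilege, grantor
  FROM dba_tab_privs
 WHERE owner = 'SCOTT'
   AND table_name = 'EMP'
 ORDER BY grantee, privilege;
```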
-
Agenda
Overview
Installation
Limitations
Securing Data
Backups
A trigger problem
-
Backups
Export
Lots of ORA-01031
Will be unable to Import
Not viable
-
Backups
Data Pump
Not tested
-
Backups
RMAN
Requires SYSDBA access
May need to hardcode SYS password or use wallet
Works successfully
-
Agenda
Overview
Installation
Limitations
Securing Data
Backups
A trigger problem
-
Trigger Problem
Error creating trigger
Minor changes to whitespace in trigger source caused compile success/failure
Known Bug: 5630439
ORA-47999: internal Database Vault error: create trigger
Workaround available
-
Trigger Problem
Login as dv_owner account
alter trigger dvsys.DV_BEFORE_DDL_TRG disable
Login as SCOTT and create trigger
Login as dv_owner account
alter trigger dvsys.DV_BEFORE_DDL_TRG enable
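The same workaround as a scripted sequence, added here and not from the presentation, with a check at the end that the Database Vault DDL trigger is enabled again. The trigger scott.emp_sal_chk_trg and its body are placeholders, because the deck does not show the trigger that hit the bug.

```sql
-- Added example (not the deck's own code): bug 5630439 workaround with a
-- closing check. Trigger name and body below are placeholders.

-- Step 1, as the DV_OWNER account: switch the DV DDL trigger off.
ALTER TRIGGER dvsys.DV_BEFORE_DDL_TRG DISABLE;

-- Step 2, as SCOTT: the DDL that raised ORA-47999 while the trigger
-- was enabled. Placeholder trigger, assumed for this example.
CREATE OR REPLACE TRIGGER scott.emp_sal_chk_trg
BEFORE INSERT OR UPDATE OF sal ON scott.emp
FOR EACH ROW
BEGIN
  IF :NEW.sal < 0 THEN
    RAISE_APPLICATION_ERROR(-20001, 'SAL must not be negative');
  END IF;
END;
/

-- Step 3, as the DV_OWNER account: switch the DV DDL trigger back on.
-- While it was disabled, DDL from any session was not subject to
-- Database Vault checks, so this step must not be skipped.
ALTER TRIGGER dvsys.DV_BEFORE_DDL_TRG ENABLE;

-- Step 4: confirm. Expected: one row with STATUS = ENABLED.
SELECT owner, trigger_name, status
  FROM dba_triggers
 WHERE owner = 'DVSYS'
   AND trigger_name = 'DV_BEFORE_DDL_TRG';

-- And the application trigger compiled cleanly: expect STATUS = VALID.
SELECT object_name, status
  FROM dba_objects
 WHERE owner = 'SCOTT'
   AND object_type = 'TRIGGER'
   AND object_name = 'EMP_SAL_CHK_TRG';
```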
-
The End
Thank you for your attendance
http://www.mga.com.au