ODV Oracle customer demo
Overview
What is Oracle Database Vault?
• Oracle Database Vault (ODV) was introduced in Oracle 9iR2.
• ODV restricts access to specific areas in an Oracle database from any user.
• Enables you to apply access control to sensitive data.
• Protects data from super-privileged users (such as DBAs) while still letting them maintain the Oracle database.
Overview
Why Oracle Database Vault?
• Systems with integrity, confidentiality = 3 (IV=3).
• Separation of duties.
• Internal control.
• Regulatory reasons such as BASEL, SOX, PCI DSS.
• Don't trust the DBA.
Overview
• Virtual Private Database (VPD): restricts access to certain rows for a user by modifying the WHERE clause.
• Oracle Label Security (OLS): mediates access to a given row, based on the label on the row and the security level of the user.
• VPD and OLS restrict access at the row level, whereas Oracle Database Vault restricts access at the object and command levels.
• Transparent Data Encryption (TDE): out of the box, TDE provides (strong) encryption for the database.
ODV can be integrated with VPD, OLS and TDE.
Securing Data
Realms: a functional grouping of database schemas, objects, and roles that need to be secured. (Example: all objects of SCOTT belong to realm RLM_SCOTT.)
Command rules: a special rule that you can create to control how users can execute almost any SQL statement, including SELECT, ALTER SYSTEM, data definition language (DDL), and data manipulation language (DML) statements. (Example: SELECT on SCOTT objects.)
Securing Data
Factors: a named variable or attribute, such as a user location, database IP address, or session user, which Oracle Database Vault can recognize and secure. (Example: FAC_HOSTNAME => hostname = 'exdb4002-adm'.)
Rule sets: a collection of one or more rules that you can associate with a realm authorization, command rule, factor assignment, or secure application role. (Example: RST_IS_LASTDAYOFMONTH.)
Rules: a condition like "WHERE department = [whatever]". (Example: RUL_DBUSER_ISNOT_GOOSSENSHFM.)
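As an added example (not part of the deck), the DBMS_MACADM calls that build a realm like the RLM_OWNER_DBT named in the audit lines, protecting OWNER_DBT.EMP the way the demo shows (SYSTEM is refused on EMP but can still read DEPT). Assumed: executed by the DV_OWNER account (OWNER_DVT in this demo) on 11.2; the description text and the verification query are assumptions.

```sql
-- Added example: not from the deck. Run as the DV_OWNER account (assumed OWNER_DVT).
BEGIN
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'RLM_OWNER_DBT',
    description   => 'Sensitive tables of application schema OWNER_DBT',
    enabled       => DBMS_MACUTL.G_YES,
    -- write an audit record only when a realm check fails
    -- (this is the audit_option = on_fail seen in the CEF lines)
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);

  -- Only EMP is protected, matching the demo: SYSTEM is refused on EMP
  -- but can still read DEPT. object_name => '%' would cover the whole schema.
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'RLM_OWNER_DBT',
    object_owner => 'OWNER_DBT',
    object_name  => 'EMP',
    object_type  => 'TABLE');

  -- Realm owner: OWNER_DBT may access and grant on the protected object.
  -- SYS and SYSTEM are not authorized, so their SELECT ANY TABLE and
  -- DELETE ANY TABLE system privileges no longer reach EMP: ORA-01031.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'RLM_OWNER_DBT',
    grantee       => 'OWNER_DBT',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_OWNER);
END;
/

-- Direct object grants are not realm-checked, which is why user_dbt and
-- user_app_dbt (granted by OWNER_DBT) keep working: the realm blocks the
-- system privileges of the DBA accounts. Check what the realm protects:
SELECT realm_name, owner, object_name, object_type
  FROM DVSYS.DBA_DV_REALM_OBJECT
 WHERE realm_name = 'RLM_OWNER_DBT';
```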
Securing Data
connect / as sysdba
create user harry identified by ********;
grant dba to harry;
connect harry
select * from owner_dbt.emp;
Securing Data
The key to separation of duties is that no single role can do everything.
• The DV_OWNER role can only do data security.
• The DV_ACCTMGR role can only create/drop users.
A DBA role can do anything EXCEPT data security and create/drop users, and is subject to any data security set up by the DV_OWNER role.
By default Rabobank does not separate data and user administration: both roles (DV_OWNER and DV_ACCTMGR) are granted to the same user.
Securing Data
$ sqlplus system/********

SQL*Plus: Release 11.2.0.4.0 Production on Tue Apr 26 14:27:23 2016

Copyright (c) 1982, 2013, Oracle. All rights reserved.

Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, Real Application Clusters, Automatic Storage Management, Oracle Label Security,
OLAP, Data Mining, Oracle Database Vault and Real Application Testing options

SYSTEM@OLTB7_1 SQL> SELECT * FROM owner_dbt.emp;

     EMPNO ENAME      JOB         MGR HIREDATE              SAL  COMM DEPTNO
---------- ---------- --------- ----- ------------------- ----- ----- ------
      7369 SMITH      CLERK      7902 14-12-2013:00:00:00   800          20
....
      7902 FORD       ANALYST    7566 30-11-2014:00:00:00  3000          20
      7934 MILLER     CLERK      7782 20-01-2015:00:00:00  1300          10

14 rows selected.

SYSTEM@OLTB7_1 SQL>
Securing Data
$ sqlplus system

SQL*Plus: Release 11.2.0.4.0 Production on Tue Apr 26 14:58:07 2016

Copyright (c) 1982, 2013, Oracle. All rights reserved.

Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, Real Application Clusters, Automatic Storage Management, Oracle Label Security,
OLAP, Data Mining, Oracle Database Vault and Real Application Testing options

SYSTEM@OLTB7_1 SQL> select * from owner_dbt.emp;
select * from owner_dbt.emp
*
ERROR at line 1:
ORA-01031: insufficient privileges

SYSTEM@OLTB7_1 SQL> select * from owner_dbt.dept;

    DEPTNO DNAME          LOC
---------- -------------- -------------
        10 ACCOUNTING     NEW YORK
...
        40 OPERATIONS     BOSTON

SYSTEM@OLTB7_1 SQL>
Securing Data
• Application user (schema owner): OWNER_DBT.
• The application server connects to the database as user user_app_dbt.
• Support users connect with individual accounts that have read-only access (user_dbt).
Securing Data
• OWNER_DBT grants select, insert, update, delete on its objects to user_app_dbt.
• OWNER_DBT grants select on all objects to the role owner_dbt_ro_role.
• The role owner_dbt_ro_role is granted to user_dbt.
Securing Data
To create the app user we need the special security account with the DV_ACCTMGR role.
SYSTEM@OLTB7_1 SQL> create user user_app_dbt identified by ******** default tablespace users;
create user user_app_dbt identified by ******** default tablespace users
*
ERROR at line 1:
ORA-47306: 20006: No way Jose

SYSTEM@OLTB7_1 SQL> connect owner_dvt
Connected.
OWNER_DVT@OLTB7_1 SQL> create user user_app_dbt identified by ******** default tablespace users;

User created.

OWNER_DVT@OLTB7_1 SQL> grant connect to user_app_dbt;

Grant succeeded.

OWNER_DVT@OLTB7_1 SQL>
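As an added example (not from the deck), a rule set and CREATE USER command rule that produce the custom failure shown above (ORA-47306: 20006: No way Jose). Assumed: run as the DV_OWNER account; the rule expression, the rule and rule set names, and the allowed account (OWNER_DVT, which holds DV_ACCTMGR in this demo) are assumptions.

```sql
-- Added example: not from the deck. Run as the DV_OWNER account (assumed OWNER_DVT).
BEGIN
  -- Rule: true only when the session user is the account administrator.
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'RUL_IS_ACCOUNT_ADMIN',
    rule_expr => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') = ''OWNER_DVT''');

  -- Rule set: audit on failure and show the custom message and code
  -- to the caller; that is the "ORA-47306: 20006: No way Jose" SYSTEM sees.
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'RST_CAN_CREATE_USER',
    description     => 'Only the account administrator may create users',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'No way Jose',
    fail_code       => 20006,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);

  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'RST_CAN_CREATE_USER',
    rule_name     => 'RUL_IS_ACCOUNT_ADMIN');

  -- Command rule: every CREATE USER ('%' = any user name) is checked against
  -- the rule set before Oracle's normal privilege check, so even a DBA with
  -- CREATE USER is refused unless the rule evaluates to true.
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'CREATE USER',
    rule_set_name => 'RST_CAN_CREATE_USER',
    object_owner  => '%',
    object_name   => '%',
    enabled       => DBMS_MACUTL.G_YES);
END;
/
```

A stock Database Vault install already ships a CREATE USER command rule; there the existing rule is changed with DBMS_MACADM.UPDATE_COMMAND_RULE (same parameters) instead of created.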
Securing Data
Create the RO user and the RO role.
OWNER_DVT@OLTB7_1 SQL> create user user_dbt identified by ******** default tablespace users;
User created.
OWNER_DVT@OLTB7_1 SQL> grant connect to user_dbt;
Grant succeeded.
OWNER_DVT@OLTB7_1 SQL>
SYSTEM@OLTB7_1 SQL> create role owner_dbt_ro_role;
Role created.
SYSTEM@OLTB7_1 SQL> grant owner_dbt_ro_role to user_dbt;
Grant succeeded.
SYSTEM@OLTB7_1 SQL>
Securing Data
$ sqlplus owner_dbt/********

SQL*Plus: Release 11.2.0.4.0 Production on Tue Apr 26 17:37:16 2016

Copyright (c) 1982, 2013, Oracle. All rights reserved.

Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, Real Application Clusters, Automatic Storage Management, Oracle Label Security,
OLAP, Data Mining, Oracle Database Vault and Real Application Testing options

OWNER_DBT@OLTB7_1 SQL> grant select, insert, update, delete on emp to user_app_dbt;
Grant succeeded.
OWNER_DBT@OLTB7_1 SQL> grant select on emp to owner_dbt_ro_role;
Grant succeeded.
OWNER_DBT@OLTB7_1 SQL>
Securing Data
USER_DBT@OLTB7_1 SQL> connect user_dbt/********
Connected.
USER_DBT@OLTB7_1 SQL> select count(*) from owner_dbt.emp;

  COUNT(*)
----------
        14

USER_DBT@OLTB7_1 SQL> delete from owner_dbt.emp;
delete from owner_dbt.emp
*
ERROR at line 1:
ORA-01031: insufficient privileges

READ access is granted through "owner_dbt_ro_role"; DELETE is not permitted.
Securing Data
SYS@OLTB7_1 SQL> connect user_app_dbt/********
Connected.
USER_APP_DBT@OLTB7_1 SQL> select count(*) from owner_dbt.emp;

  COUNT(*)
----------
        14

USER_APP_DBT@OLTB7_1 SQL> delete from owner_dbt.emp;

14 rows deleted.

USER_APP_DBT@OLTB7_1 SQL> rollback;

Rollback complete.

USER_APP_DBT@OLTB7_1 SQL>
READ, WRITE, DELETE and UPDATE access are granted through direct GRANTs.
Securing Data
SYSTEM@OLTB7_1 SQL> select count(*) from owner_dbt.emp;

  COUNT(*)
----------
        14

SYSTEM@OLTB7_1 SQL> delete from owner_dbt.emp;
delete from owner_dbt.emp
*
ERROR at line 1:
ORA-01031: insufficient privileges

What the heck is going on, SYSTEM can still SELECT from OWNER_DBT.EMP?
SYSTEM@OLTB7_1 SQL> select * from session_roles where role like 'OWNER%';

ROLE
-----------------
OWNER_DBT_RO_ROLE
Securing Data
The role was created by SYSTEM, and the creator of a role is granted that role automatically, so SYSTEM received the SELECT privilege through it as well. There is a nice solution for this but we keep it simple for now.
SYSTEM@OLTB7_1 SQL> drop role owner_dbt_ro_role;

Role dropped.

SYSTEM@OLTB7_1 SQL> connect owner_dbt/********
Connected.
OWNER_DBT@OLTB7_1 SQL> grant select on emp to user_dbt;

Grant succeeded.

OWNER_DBT@OLTB7_1 SQL> connect system/********
Connected.
SYSTEM@OLTB7_1 SQL> select count(*) from owner_dbt.emp;
select count(*) from owner_dbt.emp
*
ERROR at line 1:
ORA-01031: insufficient privileges

SYSTEM@OLTB7_1 SQL> delete from owner_dbt.emp;
delete from owner_dbt.emp
*
ERROR at line 1:
ORA-01031: insufficient privileges
Securing Data
$ sqlplus / as sysdba

SQL*Plus: Release 11.2.0.4.0 Production on Thu Apr 28 10:39:25 2016

Copyright (c) 1982, 2013, Oracle. All rights reserved.

Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, Real Application Clusters, Automatic Storage Management, Oracle Label Security,
OLAP, Data Mining, Oracle Database Vault and Real Application Testing options

SYS@OLTB7_1 SQL> select count(*) from owner_dbt.emp;
select count(*) from owner_dbt.emp
*
ERROR at line 1:
ORA-01031: insufficient privileges

SYS@OLTB7_1 SQL> delete from owner_dbt.emp;
delete from owner_dbt.emp
*
ERROR at line 1:
ORA-01031: insufficient privileges
Securing Data
SYS@OLTB7_1 SQL> connect user_dbt/********
Connected.
USER_DBT@OLTB7_1 SQL> select count(*) from owner_dbt.emp;

  COUNT(*)
----------
        14

USER_DBT@OLTB7_1 SQL> delete from owner_dbt.emp;
delete from owner_dbt.emp
*
ERROR at line 1:
ORA-01031: insufficient privileges
Securing Data
USER_DBT@OLTB7_1 SQL> connect owner_dvt/********
Connected.
OWNER_DVT@OLTB7_1 SQL> select count(*) from owner_dbt.emp;
select count(*) from owner_dbt.emp
*
ERROR at line 1:
ORA-00942: table or view does not exist

OWNER_DVT@OLTB7_1 SQL> delete from owner_dbt.emp;
delete from owner_dbt.emp
*
ERROR at line 1:
ORA-00942: table or view does not exist
Auditing
A trigger on the audit table makes sure all violations are also written to the OS (visible to root):
Apr 28 09:44:52 exdb1003-adm goossenshfm: CEF:0|ORACLE|database vault|1.0|001|Realm Violation Audit|10|rt=28-04-2016:09:44:52 fname=3433240261 deviceProcessName=DELETE FROM OWNER_DBT.EMP duser=SYSTEM suser=goossenshfm cs1=on_fail cs1Label=audit_option cs2= cs2Label=rule_set_name cs3=RLM_OWNER_DBT cs3Label=action_object_name
Apr 28 10:11:59 exdb1003-adm goossenshfm: CEF:0|ORACLE|database vault|1.0|001|Realm Violation Audit|10|rt=28-04-2016:10:11:59 fname=3433240261 deviceProcessName=SELECT COUNT(*) FROM OWNER_DBT.EMP duser=SYSTEM suser=goossenshfm cs1=on_fail cs1Label=audit_option cs2= cs2Label=rule_set_name cs3=RLM_OWNER_DBT cs3Label=action_object_name
Apr 28 10:12:08 exdb1003-adm goossenshfm: CEF:0|ORACLE|database vault|1.0|001|Realm Violation Audit|10|rt=28-04-2016:10:12:08 fname=3433240261 deviceProcessName=DELETE FROM OWNER_DBT.EMP duser=SYSTEM suser=goossenshfm cs1=on_fail cs1Label=audit_option cs2= cs2Label=rule_set_name cs3=RLM_OWNER_DBT cs3Label=action_object_name
Apr 28 10:39:34 exdb1003-adm goossenshfm: CEF:0|ORACLE|database vault|1.0|001|Realm Violation Audit|10|rt=28-04-2016:10:39:34 fname=3433240261 deviceProcessName=SELECT COUNT(*) FROM OWNER_DBT.EMP duser=SYS suser=goossenshfm cs1=on_fail cs1Label=audit_option cs2= cs2Label=rule_set_name cs3=RLM_OWNER_DBT cs3Label=action_object_name
Apr 28 10:39:39 exdb1003-adm goossenshfm: CEF:0|ORACLE|database vault|1.0|001|Realm Violation Audit|10|rt=28-04-2016:10:39:39 fname=3433240261 deviceProcessName=DELETE FROM OWNER_DBT.EMP duser=SYS suser=goossenshfm cs1=on_fail cs1Label=audit_option cs2= cs2Label=rule_set_name cs3=RLM_OWNER_DBT cs3Label=action_object_name
Apr 28 10:52:25 exdb1003-adm goossenshfm: CEF:0|ORACLE|database vault|1.0|001|Realm Violation Audit|10|rt=28-04-2016:10:52:25 fname=3433240261 deviceProcessName=SELECT "OWNER_DBT"."EMP".* FROM "OWNER_DBT"."EMP" duser=SYSTEM suser=goossenshfm cs1=on_fail cs1Label=audit_option cs2= cs2Label=rule_set_name cs3=RLM_OWNER_DBT cs3Label=action_object_name
[root@exdb1003-adm oracle_audit]#
Backups
Export
.....
. about to export OWNER_DBT's tables via Conventional Path ...
. . exporting table                            AAP          0 rows exported
. . exporting table                          BONUS          0 rows exported
. . exporting table                           DEPT          4 rows exported
EXP-00091: Exporting questionable statistics.
. . exporting table                          DUMMY          1 rows exported
EXP-00091: Exporting questionable statistics.
. . exporting table                            EMP
EXP-00056: ORACLE error 1031 encountered
ORA-01031: insufficient privileges
. . exporting table                           MIES          0 rows exported
. . exporting table                           NOOT          0 rows exported
. . exporting table                         SALARY          2 rows exported
EXP-00091: Exporting questionable statistics.
. . exporting table                       SALGRADE          5 rows exported
EXP-00091: Exporting questionable statistics.
......
Backups
Data Pump
....
Processing object type SCHEMA_EXPORT/POST_SCHEMA/PROCACT_SCHEMA
ORA-31693: Table data object "OWNER_DBT"."DEPT" failed to load/unload and is being skipped due to error:
ORA-02354: error in exporting/importing data
ORA-28116: insufficient privileges to do direct path access
ORA-31693: Table data object "OWNER_DBT"."DUMMY" failed to load/unload and is being skipped due to error:
ORA-02354: error in exporting/importing data
ORA-28116: insufficient privileges to do direct path access
ORA-31693: Table data object "OWNER_DBT"."EMP" failed to load/unload and is being skipped due to error:
ORA-02354: error in exporting/importing data
ORA-28116: insufficient privileges to do direct path access
ORA-31693: Table data object "OWNER_DBT"."SALARY" failed to load/unload and is being skipped due to error:
ORA-02354: error in exporting/importing data
ORA-28116: insufficient privileges to do direct path access
ORA-31693: Table data object "OWNER_DBT"."SALGRADE" failed to load/unload and is being skipped due to error:
ORA-02354: error in exporting/importing data
ORA-28116: insufficient privileges to do direct path access
....
Backups
RMAN
• Requires SYSDBA access.
• May need to hard-code the SYS password or use a wallet.
• Works successfully.