Oracle Database Vault - What About the OS Accounts
TRANSCRIPT
-
8/10/2019 Oracle Database Vault - What About the OS Accounts
1/50
Basel Baden Brugg Bern Lausanne Zürich Düsseldorf Frankfurt/M. Freiburg i. Br. Hamburg München Stuttgart Wien
Oracle Database Vault
What about the OS Accounts?
Stefan Oehrli, Discipline Manager
Oracle Security
Geneva, 18.11.2009
-
Data Security Geneva 2009 - Oracle Database Vault: What about the OS Accounts?
Agenda
Data is always in play. (Daten sind immer im Spiel.)
Introduction
Database Vault in a Nutshell
Situation with Anonymous Accounts
Approach and Challenges
DBA- and Operation Tasks
Administrative Privileges (SYSDBA and SYSOPER)
SUDO
Miscellaneous
Conclusion
-
Introduction
Oracle Database Vault addresses common regulatory compliance requirements and reduces the risk of insider threats by:
Preventing highly privileged users (DBAs) from accessing application data
Enforcing separation of duty
Providing controls over who, when, where and how applications, data and databases can be accessed
Source: Oracle Database Vault Home Page
But is this enough to protect the whole Oracle environment?
-
Introduction
Excerpt from Oracle Database Vault Administrator's Guide:
Managing Root and Operating System Access
Oracle Database Vault does not prevent highly privileged operating system users from directly accessing database files. For this kind of protection, use transparent data encryption. ... Carefully review and restrict direct access to the operating systems.
You should have personalized accounts access the operating system. These personalized accounts should, in the Linux or UNIX environments, login using sudo to the oracle software owner when needed. With sudo, you can control which specific command each personalized user can execute. Be sure to prevent the use of the make, relink, gdb, or other commands that could potentially harm the DB.
Appendix D Oracle Database Vault Administrator's Guide
-
Introduction
This section at the end of the documentation can cause some confusion.
To some extent Database Vault is sold as a complete security solution, but it needs some additional considerations.
This information deserves a more prominent place in the documentation.
This presentation will cover the following questions:
What is covered by Database Vault?
Motivation for personalized accounts?
Possible solutions and concepts?
Challenges for the design and the implementation?
Configuration of SYSOPER / SYSDBA?
Configuration and application of SUDO?
-
Database Vault in a Nutshell
Another Oracle security feature to protect against DBAs, respectively SYSDBA
Targets high system privileges like SELECT ANY TABLE and EXEMPT ACCESS POLICY
Available as an Enterprise Edition Option
Separate download for 10g and 9i
Integrated component within Oracle 11g R1 and R2
-
Database Vault in a Nutshell
Additional layer within the Oracle kernel
New components added by Database Vault:
Realms
Command Rules
Factors
Rule Sets
Extended functionality for:
Secure Application Roles
Label Security integration
No impact on object grants (except through Command Rules, which can for example restrict any SELECT statement)
Source: Oracle Database Vault - An Oracle White Paper, June 2007
-
Database Vault Data Privacy and Data Theft (1)
Access to data through an instance is protected by database authentication, authorization and auditing (AAA)
Authorizations for data can be defined at row level
[Diagram: End User / Developer / DBA -> Instance -> Database Files; Virtual Private Database and Label Security as row-level controls]
-
Database Vault Data Privacy and Data Theft (2)
How to authorize users based on criteria like time, network protocol or IP address of the client?
But what about system privileges like SELECT ANY TABLE, EXEMPT ACCESS POLICY and so on, which are granted to DBAs and enabled for connections through SYSDBA?
[Diagram: Database Vault, Virtual Private Database, Secure Application Roles]
-
Database Vault Eavesdropping and Hijacking
[Diagram: End User / Developer / DBA (Alice) talks to the Database Server (Bob) over Oracle Net; a hacker sits on the network; countermeasure: Advanced Security]
-
Situation with Anonymous Accounts
Administration tasks are not traceable:
When and by whom was the listener or the database restarted?
Who changed the environment (e.g. shell settings)?
Auditing on the OS is only partially useful: it is possible to see that user oracle did something, but who logged in as oracle?
Installation of software, patch sets and CPUs is not traceable
Compliance with SOX, Basel II, etc. is not achievable
Security protection mechanisms can be bypassed at any time:
Relink the Oracle binaries to switch off Database Vault
Direct access to data files and/or memory
OSDBA, OSOPER and OSASM are usually not defined or left at the default
-
Dynamic Relink
On some OS and database versions it is possible to relink the oracle binaries even while the database is running. After relinking with Database Vault switched off, the data can be accessed without any restriction.
A warning is written to the alert.log, but the same message also tells the reader how the warning can be suppressed:
    cd $ORACLE_HOME/rdbms/lib
    make -f ins_rdbms.mk dv_off
    cd $ORACLE_HOME/bin
    relink oracle
alert.log:
    WARNING: Oracle executable binary mismatch detected.
     Binary of new process does not match binary which started instance
    issue alter system set "_disable_image_check" = true to disable these messages
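As an added example (not from the slides, and not Trivadis or Oracle code): a small shell check for the traces this relink leaves behind, which also covers the inode/ctime monitoring suggested on the backup slides. The alert.log wording is the one quoted above and the excerpt below is constructed; the libknlopt.a object names used to tell a DV-on from a DV-off binary (kzvidv.o / kzvndv.o) are an assumption from common practice, not something the slides state.

```sh
#!/bin/sh
# Added example, not from the original slides: look for the traces that a
# "relink with Database Vault off" leaves behind, and keep a baseline of the
# oracle binary so a relink is visible even if the warning was silenced.
# Assumption: kzvidv.o in libknlopt.a means DV linked in, kzvndv.o means
# DV linked out (common practice, not stated on the slides).

# Constructed alert.log excerpt (sample data, not from a real system).
SAMPLE_ALERT='Wed Nov 18 10:01:02 2009
Starting ORACLE instance (normal)
Wed Nov 18 11:42:17 2009
WARNING: Oracle executable binary mismatch detected.
 Binary of new process does not match binary which started instance
issue alter system set "_disable_image_check" = true to disable these messages
Wed Nov 18 11:42:30 2009
ALTER SYSTEM SET _disable_image_check=TRUE SCOPE=MEMORY;'

# Number of "binary mismatch" warnings in alert.log text read from stdin.
count_binary_mismatch() {
    grep -c 'Oracle executable binary mismatch detected' || true
}

# Number of times someone actually silenced the warning. The hint line that
# Oracle prints (set "_disable_image_check") is not counted, only an
# executed ALTER SYSTEM that follows "SET" directly with the parameter.
count_image_check_disabled() {
    grep -ci 'ALTER SYSTEM SET *_disable_image_check' || true
}

# ON / OFF / UNKNOWN: is Database Vault linked into the oracle binary of the
# ORACLE_HOME given as $1? Reads the kernel option archive with ar(1).
dv_link_state() {
    lib="$1/rdbms/lib/libknlopt.a"
    [ -r "$lib" ] || { echo UNKNOWN; return 0; }
    objs=$(ar -t "$lib" 2>/dev/null)
    case "$objs" in
        *kzvidv.o*) echo ON ;;
        *kzvndv.o*) echo OFF ;;
        *)          echo UNKNOWN ;;
    esac
}

# Baseline of a file as "inode sha256": a relink writes a new oracle binary,
# so at least the hash changes. Works with GNU sha256sum or BSD shasum.
file_baseline() {
    f="$1"
    inode=$(ls -di "$f" | awk '{print $1}')
    if command -v sha256sum >/dev/null 2>&1; then
        sum=$(sha256sum "$f" | awk '{print $1}')
    else
        sum=$(shasum -a 256 "$f" | awk '{print $1}')
    fi
    echo "$inode $sum"
}

# True (exit 0) if the stored baseline line $1 no longer matches file $2.
baseline_changed() {
    [ "$1" != "$(file_baseline "$2")" ]
}

# Demo run against the sample text and the current ORACLE_HOME (if any).
printf '%s\n' "$SAMPLE_ALERT" | count_binary_mismatch
printf '%s\n' "$SAMPLE_ALERT" | count_image_check_disabled
dv_link_state "${ORACLE_HOME:-/nonexistent}"
```

Run file_baseline against $ORACLE_HOME/bin/oracle after every sanctioned relink, store the line off-host, and compare it from cron; a relink done to switch Database Vault off shows up as a changed baseline even when the alert.log warning has been disabled.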
-
Additional Possibilities
Change passwords directly in the data file of the SYSTEM tablespace (see Trivadis training O-AI-DSI)
Modify or access data directly within a data file
-
Approach and Challenges
[Diagram, lifecycle: Commissioning (no protection, functional accounts) -> Acceptance -> Operation (personalized accounts, sudo, scripts etc.) -> Intermediate acceptance -> Decommissioning (no protection, functional accounts)]
-
Approach and Challenges
DBA and operation tasks have to be defined: who has to do what and when? Who may access what?
Create a catalog of tasks
DBA and operation tasks should be standardized at a high level, e.g. scripts for certain tasks are available
A role concept within the database must be available
Alignment with OSDBA and OSOPER is reasonable
If not implemented properly, there is a risk that loopholes will remain
It is not possible to lock out the root account; only monitoring and auditing is possible
-
DBA- and Operation Tasks
Deployment of Software, Patch sets, CPUs and so on
Stop / start database, agent and listener
Accessing log and trace files (DBA)
Accessing data files
Maintain scripts
Tuning, monitoring etc.
Backup / Restore
Change initialization parameter
-
DBA- and Operation Tasks
Task                               | Type | Engineering                  | Operation               | Application Operation
Initial installation               | OS   | as user oracle               | n/a                     | n/a
Initial create database            | DB   | as user oracle               | n/a                     | n/a
Patch set installation (software)  | OS   | sudo script (silent install) | n/a                     | n/a
Patch set installation (upgrade)   | DB   | SYSDBA or sudo script        | n/a                     | n/a
CPU / OPatch installation          | OS   | sudo                         | n/a                     | n/a
DB start / stop                    | OS   | sudo script or SYSOPER       | sudo script or SYSOPER  | n/a
Listener start / stop              | OS   | sudo script                  | sudo script             | n/a
Agent / console start / stop       | OS   | sudo script                  | sudo script             | n/a
-
DBA- and Operation Tasks
Task                                                               | Type | Engineering           | Operation          | Application Operation
Additional DB tools (runInstaller, dbca, dvca, netca, etc.)        | OS   | sudo                  | sudo               | n/a
Housekeeping of trace and log files                                | OS   | script / cron job     | script / cron job  | read trace files
Maintain scripts (development on DBA server with version control)  | OS   | deployment script     | n/a                | n/a
Monitoring                                                         | DB   | within DB / role      | within DB / role   | n/a
Accounting                                                         | DB   | n/a                   | within DB / role   | n/a
Space management (e.g. tablespaces)                                | DB   | within DB / role      | within DB / role   | n/a
Backup & recovery                                                  | DB   | as SYSDBA or SYSOPER  | n/a                |
-
Database Admin / Engineering
Personalized Unix accounts with the OSDBA or OSOPER group
Stop / start the database with sqlplus as SYSOPER
Use scripts and sudo to stop / start listener, agents etc.
Deployment of patches and software is done with scripts as a silent installation
Housekeeping (permissions, truncate etc.) of log and trace files is done with scripts started by cron
DBA tasks (alter system, alter tablespace etc.) are done via Grid Control and / or with personalized DBA accounts
sqlplus userxy/tiger@TMAC01 as sysoper
-
DB Operation
Personalized Unix accounts without the OSDBA or OSOPER group
Stop / start the database with sqlplus as SYSOPER
Use scripts and sudo to stop / start listener, agents etc.
Limited access within the database: the required system privileges are granted by an operation role. Operators work with personalized accounts.
sqlplus userxy/tiger@oraemst as sysoper
-
Additional Users
Additional users like developers, account managers etc. only get access on the database level
Access to log and trace files on special request
Limited access within the database: the required system privileges (alter user, etc.) are granted by a dedicated role
All users work with personalized accounts
-
Administrative Privileges
There are two main administrative privileges in Oracle: SYSOPER and SYSDBA, plus SYSASM since Oracle 11g
SYSDBA and SYSOPER are special privileges as they allow access to a database instance even when it is not running
The control of these privileges lies entirely outside the database itself:
By certain OS groups which are compiled into the binaries (OSDBA and OSOPER, as well as OSASM since Oracle 11g)
By the Oracle password file
-
OSDBA / OSOPER groups on Unix (1)
The 'OSDBA' and 'OSOPER' groups are chosen at installation time and usually both default to the group 'dba'
These groups are compiled into the 'oracle' executable and so are the same for all databases running from a given ORACLE_HOME
Verify the groups:
    cat $ORACLE_HOME/rdbms/lib/config.c
Changing the groups later requires a relink of the oracle binaries:
    cd $ORACLE_HOME/rdbms/lib
    vi config.c                      # adjust the groups
      => #define SS_DBA_GRP "osdba"
      => #define SS_OPER_GRP "osoper"
    mv config.o config.o.orig        # backup of config.o
    make -f ins_rdbms.mk ioracle     # all databases of this ORACLE_HOME must be stopped!
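Because the groups live in config.c and not in the database, verifying them is a file-and-group check. The following shell example is added here (not from the slides, not Trivadis or Oracle code): it reads the SS_*_GRP defines from a config.c and reports which administrative OS groups a given user holds. The config.c excerpt is constructed; that an SS_ASM_GRP define follows the same pattern on 11g is an assumption.

```sh
#!/bin/sh
# Added example, not from the original slides: read the OSDBA/OSOPER/OSASM
# groups compiled into an ORACLE_HOME (rdbms/lib/config.c) and report which
# of them an OS user holds. Assumption: SS_ASM_GRP uses the same layout.

# Constructed config.c excerpt (sample data, not copied from an installation).
SAMPLE_CONFIG_C='/* SS_DBA_GRP defines the UNIX group ID for sqldba administrative access. */
#define SS_DBA_GRP "osdba"
#define SS_OPER_GRP "osoper"
#define SS_ASM_GRP ""

char *ss_dba_grp[] = {SS_DBA_GRP, SS_OPER_GRP, SS_ASM_GRP};'

# Print the group name defined by macro $1 (e.g. SS_DBA_GRP) in config.c
# text read from stdin; prints nothing if the define is absent or empty.
config_group() {
    sed -n "s/^#define $1 *\"\([^\"]*\)\".*/\1/p"
}

# Is OS user $1 a member of group $2 (primary or supplementary)?
user_in_group() {
    id -Gn "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"
}

# For the config.c file $1 and user $2, print one line per administrative
# group the user holds, e.g. "OSDBA (osdba)", or "none".
os_admin_groups() {
    cfg="$1"; user="$2"; found=0
    for pair in OSDBA:SS_DBA_GRP OSOPER:SS_OPER_GRP OSASM:SS_ASM_GRP; do
        role=${pair%%:*}; macro=${pair#*:}
        grp=$(config_group "$macro" < "$cfg")
        [ -n "$grp" ] || continue
        if user_in_group "$user" "$grp"; then
            echo "$role ($grp)"; found=1
        fi
    done
    [ "$found" -eq 1 ] || echo none
}

# Demo: write the sample config.c to a temp file and check the current user.
tmpcfg=$(mktemp)
printf '%s\n' "$SAMPLE_CONFIG_C" > "$tmpcfg"
echo "OSDBA group: $(config_group SS_DBA_GRP < "$tmpcfg")"
echo "$(id -un): $(os_admin_groups "$tmpcfg" "$(id -un)")"
rm -f "$tmpcfg"
```

On a real host, point os_admin_groups at $ORACLE_HOME/rdbms/lib/config.c and loop over the personalized accounts; everyone reported as OSDBA can connect with "/ as sysdba" to every database of that ORACLE_HOME without a password, which is exactly what the separation of engineering and operation accounts on the previous slides is meant to limit.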
-
SYSDBA / SYSOPER (1)
To access a database as SYSDBA or SYSOPER over SQL*Net a password file is required
Create a new password file and set the corresponding init.ora parameter (remote_login_passwordfile is a static parameter, so the spfile change takes effect after the next instance restart):
    oracle : orapwd file=${ORACLE_HOME}/dbs/orapw${ORACLE_SID} password=manager entries=5
    SQL> alter system set remote_login_passwordfile='EXCLUSIVE' scope=spfile;
-
Difference SYSOPER / SYSDBA
The SYSOPER privilege allows operations such as:
Instance startup, mount and database open
Instance shutdown, dismount and database close
ALTER DATABASE BACKUP, ARCHIVE LOG and RECOVER
This privilege allows the user to perform basic operational tasks without the ability to look at user data.
The SYSDBA privilege includes all SYSOPER privileges plus full system privileges (with the ADMIN option), plus CREATE DATABASE etc.
This is effectively the same set of privileges that was available when connecting as INTERNAL.
=> With regard to Oracle Database Vault it makes sense to use SYSOPER/SYSDBA, respectively OSDBA/OSOPER; SYSOPER is the recommended choice in this context, since it cannot read user data.
-
SYSDBA vs. SYSOPER (1)
Privilege                      | SYSDBA | SYSOPER
STARTUP and SHUTDOWN           | yes    | yes
CREATE/DROP DATABASE           | yes    | no
CREATE SPFILE                  | yes    | yes
ALTER DATABASE OPEN/MOUNT      | yes    | yes
ALTER DATABASE ARCHIVELOG      | yes    | yes
ALTER DATABASE BACKUP/RECOVER  | yes    | yes (1)
(1) SYSOPER: only a complete recovery
-
SUDO
SUDO allows configuring which user or user group can execute which commands or scripts as a certain user, e.g. root or oracle
It is possible to define a set of commands for different user groups, e.g. DBAs, operators, developers etc.
Every execution via sudo is written to syslog:
    root : grep sudo /var/adm/syslog/syslog.log
    Feb 19 10:44:52 urania sudo: meier : TTY=pts/2 ; PWD=/home/meier ; USER=oracle ; COMMAND=/u00/app/oracle/product/10.2_1/bin/lsnrctl status
    Feb 19 10:44:56 urania sudo: meier : TTY=pts/2 ; PWD=/home/meier ; USER=root ; COMMAND=list
-
SUDO Configuration
/usr/local/sbin/visudo
## User alias specification
User_Alias DBADMIN = dummy
User_Alias DBOPER = meier
User_Alias DBUSER = muster, russo, smith

## Runas alias specification
Runas_Alias DB = oracle

## Cmnd alias specification
Cmnd_Alias DBOPER = /u00/app/oracle/local/custom/bin/dbtool
Cmnd_Alias DBADMIN = /u00/app/oracle/product/10.2_?/OPatch/opatch, /u00/app/oracle/product/10.2_?/oui/bin/runInstaller, /u00/app/oracle/product/10.2_?/bin/dvca, /u00/app/oracle/product/10.2_?/bin/dbca, /u00/app/oracle/product/10.2_?/bin/netca

# User specification
# root and users in group wheel can run anything on any machine as any user
root    ALL = (ALL) ALL
DBADMIN ALL = (DB) NOPASSWD: DBADMIN, DBOPER, /usr/local/bin/truss
DBOPER  ALL = (DB) NOPASSWD: DBOPER, /u00/app/oracle/product/10.2_?/bin/lsnrctl
-
SUDO Usage
    meier : id
    uid=108(meier) gid=20(users) groups=101(osoper)
    meier : sudo -l
    User oper001 may run the following commands on this host:
        (oracle) NOPASSWD: /u00/app/oracle/local/custom/bin/dbca
        (oracle) NOPASSWD: /u00/app/oracle/product/10.2_?/bin/lsnrctl
    meier : sudo -u oracle dbca
Or even a bit simpler when using shell aliases:
    alias dbtool='sudo -u oracle dbtool'
-
SUDO constraints
SUDO executes commands and scripts as the user specified for execution, e.g. oracle; the environment settings are those of the user specified in the sudo command, not those of the caller.
If possible, define only simple commands to be used with sudo, e.g. /usr/local/bin/truss
More complex commands should be wrapped in a shell script which takes care of parameters, errors etc.
SUDO has to be installed manually on HP-UX and Solaris
A SUDO configuration file can be distributed over the network
    sudo -u oracle lsnrctl.ksh t oraemst start
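What such a wrapper has to do is argument validation and a fixed environment, because sudo hands the script whatever the caller typed. The following example is added here (not from the slides, not Trivadis code): a listener start/stop/status wrapper for one SID that rejects anything outside a small whitelist, takes ORACLE_HOME from an oratab entry and sets PATH and the library path itself before calling lsnrctl. The oratab content is constructed, and the listener is assumed to be the default one (no listener name is passed); the real wrapper name on the slide, lsnrctl.ksh, and its "t" option are not reproduced.

```sh
#!/bin/sh
# Added example, not from the original slides: a wrapper of the kind the
# slide recommends for sudo. It validates its two arguments, takes
# ORACLE_HOME from an oratab entry and sets a fixed environment before
# calling lsnrctl, so a user who may run "sudo -u oracle listener_ctl"
# cannot pass arbitrary options through. Assumptions: oratab content below
# is constructed (override with ORATAB_TEXT); default listener name.

SAMPLE_ORATAB='# SID:ORACLE_HOME:START
oraemst:/u00/app/oracle/product/10.2_1:Y
TMAC01:/u00/app/oracle/product/11.1.0:N'

# ORACLE_HOME for SID $1 from oratab text on stdin (empty if unknown).
oratab_home() {
    awk -F: -v sid="$1" '$0 !~ /^#/ && $1 == sid { print $2; exit }'
}

# listener_ctl start|stop|status SID
# Exit status 2 for any input problem, lsnrctl's status otherwise.
listener_ctl() {
    if [ $# -ne 2 ]; then
        echo "usage: listener_ctl start|stop|status SID" >&2; return 2
    fi
    action="$1"; sid="$2"
    case "$action" in
        start|stop|status) ;;
        *) echo "invalid action: $action" >&2; return 2 ;;
    esac
    case "$sid" in
        ""|*[!A-Za-z0-9_]*) echo "invalid SID: $sid" >&2; return 2 ;;
    esac
    home=$(printf '%s\n' "${ORATAB_TEXT:-$SAMPLE_ORATAB}" | oratab_home "$sid")
    if [ -z "$home" ]; then
        echo "unknown SID: $sid" >&2; return 2
    fi
    # Subshell: the fixed environment must not leak into the caller's shell.
    (
        PATH=/usr/bin:/bin
        ORACLE_HOME="$home"; ORACLE_SID="$sid"
        LD_LIBRARY_PATH="$ORACLE_HOME/lib"
        export PATH ORACLE_HOME ORACLE_SID LD_LIBRARY_PATH
        unset LD_PRELOAD
        if [ -x "$ORACLE_HOME/bin/lsnrctl" ]; then
            exec "$ORACLE_HOME/bin/lsnrctl" "$action"
        fi
        # No Oracle software on this host: report what would have run.
        echo "dry-run: $ORACLE_HOME/bin/lsnrctl $action"
    )
}

# Demo: a valid call (dry-run here), then one that must be rejected.
listener_ctl status oraemst
listener_ctl status 'oraemst; rm -rf /' || echo "rejected with status $?"
```

Installed as a single absolute path in a Cmnd_Alias, this gives operators exactly three verbs per known SID; the sudoers entry stays a one-liner and every call is still logged by sudo with its full arguments.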
-
8/10/2019 Oracle Database Vault - What About the OS Accounts
41/50
2009Data Security Geneva 2009 - Oracle Database Vault What about the OS Accounts?
Agenda
Daten sind
immer im Spiel.
Introduction
Database Vault in a Nutshell
Situation with Anonymous Accounts
Approach and Challenges
DBA- and Operation Tasks
Administrative Privileges(SYSDBA and SYSOPER)
SUDO
Miscellaneous
Conclusion
-
8/10/2019 Oracle Database Vault - What About the OS Accounts
42/50
2009
Miscellaneous
OP, an interesting open-source alternative to SUDO: http://swapoff.org/wiki/op
The major difference is the possibility to use mnemonics rather than commands:
    With SUDO: sudo /bin/mount -t iso9660 /dev/cdrom /mnt/cdrom
    With OP:   op mount cd
Setting the s-bit on individual commands, as Oracle itself does for the oracle binary:
    oracle@urania:/u00/app/oracle/product/11.1.0/bin/ [rdbms1110] ls -al oracle*
    -rwsr-s--x 1 oracle osdba 158489970 Mar 8 14:15 oracle
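Since the oracle binary already carries both s-bits, any additional set-uid or set-gid file under an ORACLE_HOME is a grant that bypasses sudo and its logging. The following shell example is added here (not from the slides, not Trivadis or Oracle code): an inventory of s-bit files under a directory compared with an allowlist; the allowlist entries are the caller's assumption, and the demo directory is constructed.

```sh
#!/bin/sh
# Added example, not from the original slides: inventory of set-uid /
# set-gid files under a directory (e.g. an ORACLE_HOME), compared with an
# allowlist. find -perm and ls -l keep it portable to Solaris and HP-UX,
# which lack GNU stat. Allowlist entries are the caller's assumption.

# "mode owner group path" for every regular file with a set-uid or set-gid bit.
list_setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \; 2>/dev/null |
    awk '{ print $1, $3, $4, $NF }'
}

# Lines from list_setid_files whose path is not in the allowlist $2..
unexpected_setid_files() {
    dir="$1"; shift
    list_setid_files "$dir" | while read -r mode owner group path; do
        ok=0
        for allowed in "$@"; do
            [ "$path" = "$allowed" ] && ok=1
        done
        [ "$ok" -eq 1 ] || echo "$mode $owner $group $path"
    done
}

# Demo on a throwaway directory: an "oracle" binary with s-bits (allowed),
# a helper somebody made set-uid (not allowed) and a plain file.
demo_dir=$(mktemp -d)
mkdir "$demo_dir/bin"
: > "$demo_dir/bin/oracle";  chmod 6751 "$demo_dir/bin/oracle"
: > "$demo_dir/bin/helper";  chmod 4755 "$demo_dir/bin/helper"
: > "$demo_dir/bin/lsnrctl"; chmod 755  "$demo_dir/bin/lsnrctl"
unexpected_setid_files "$demo_dir" "$demo_dir/bin/oracle"
rm -rf "$demo_dir"
```

Run it from cron against every ORACLE_HOME with the oracle binary (and, for 11g, the root-owned extjob/nmo helpers of that home) on the allowlist; a non-empty result is the OS-level equivalent of an unexpected direct grant.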
-
Script maintenance
Scripts should be maintained in a central repository, e.g. Subversion, CVS or something similar
DB admins may create new revisions of the scripts on their development system
New revisions have to be committed to the repository, e.g. with:
Subversion command line for Windows
Tortoise SVN client
Oracle SQL Developer
Deployment of scripts and configuration should be done with a deployment process (e.g. Jumpstart server, Grid Control, ...)
Only a defined and accepted version of the scripts will be used on the systems
-
Conclusion
Reliable protection with Database Vault is possible, but additional considerations have to be taken into account
Auditing anonymous users only provides limited information
Personalized accounts are recommended for Database Vault:
System / DBA tasks can be clearly assigned (engineering, operation, ...)
Traceability can be guaranteed
For personalized accounts a standardized environment is recommended and will allow a simpler implementation of SUDO:
Stable environment
Documented tasks and responsibilities
-
Thank you!
www.trivadis.com
-
Backup Slide: Not covered by DBV (1)
Risk | Action
Data within data files is stored in clear text (OS and SAN admins as well as the Oracle Unix account can read the data) | Encrypt the data files with TDE (10g: column level, 11g: tablespace level)
Data in backups is in clear text | Encrypt the backups with RMAN
The SYS account has to be open for RAC and RMAN; this account is not fully protected by Database Vault | Personalized accounts on Unix and in the database + SUDO concept; use of SYSOPER; accept SYSDBA connections only at the time when RMAN has to run
-
Backup Slide: Not covered by DBV (2)
Risk | Action
While the database is patched (e.g. CPUs), Database Vault has to be switched off; this is also true for database migrations | Personalized accounts on Unix and in the database + SUDO concept; monitoring on the OS (inode + ctime checks, e.g. manual, Nimbus, iwatch (Linux, based on inotify))
Data on the network is sent in clear text (as well as the interconnect in RAC environments) | Use the Advanced Security Option to encrypt the network traffic
Direct grants on objects | Existing grants must be known and have to be verified; the Database Vault Admin Console provides reports for this
Export possibilities on application level | This can only be checked on application level; possible restriction based on rules (e.g. from a certain IP, ...)
-
Backup Slide Separation of Duties
Task | Responsible
Operation of database and instance (create, parameterize, instance tuning, patching, updates, tablespace management, ...) |
Security management: create realms, define objects which have to be protected, assign users to realms |
Create application roles, assign object privileges to roles/users |
Account management + assign roles |
Create technical roles, initial assignment of system privileges to roles (not application roles!) |