Oracle Database Vault - What about the OS Accounts

Upload: banalakalyan

Post on 02-Jun-2018

TRANSCRIPT

  • 8/10/2019 Oracle Database Vault - What About the OS Accounts

    1/50

    Basel Baden Brugg Bern Lausanne Zürich Düsseldorf Frankfurt/M. Freiburg i. Br. Hamburg München Stuttgart Wien

    Oracle Database Vault
    What about the OS Accounts?

    Stefan Oehrli, Discipline Manager, Oracle Security
    [email protected]
    Geneva, 18.11.2009

  • 2/50 Agenda

    Data Security Geneva 2009 - Oracle Database Vault: What about the OS Accounts?
    "Data is always in play."

    - Introduction
    - Database Vault in a Nutshell
    - Situation with Anonymous Accounts
    - Approach and Challenges
    - DBA and Operation Tasks
    - Administrative Privileges (SYSDBA and SYSOPER)
    - SUDO
    - Miscellaneous
    - Conclusion

  • 3/50 Introduction

    Oracle Database Vault addresses common regulatory compliance requirements and reduces the risk of insider threats by:
    - Preventing highly privileged users (DBAs) from accessing application data
    - Enforcing separation of duty
    - Providing controls over who, when, where and how applications, data and databases can be accessed
    Source: Oracle Database Vault Home Page

    But is this enough to protect the whole Oracle environment?

  • 4/50 Introduction

    Excerpt from the Oracle Database Vault Administrator's Guide, Appendix D, "Managing Root and Operating System Access":

    "Oracle Database Vault does not prevent highly privileged operating system users from directly accessing database files. For this kind of protection, use transparent data encryption ..... Carefully review and restrict direct access to the operating systems. You should have personalized accounts access the operating system. These personalized accounts should, in the Linux or UNIX environments, login using sudo to the oracle software owner when needed. With sudo, you can control which specific command each personalized user can execute. Be sure to prevent the use of the make, relink, gdb, or other commands that could potentially harm the DB"

  • 5/50 Introduction

    This section at the end of the documentation can cause some confusion: to some extent Database Vault is sold as a complete security solution, but it needs some additional considerations. This information could be placed a bit more centrally.

    This presentation will cover the following questions:
    - What is covered by Database Vault?
    - Motivation for personalized accounts?
    - Possible solutions and concepts?
    - Challenges for the conception and the implementation?
    - Configuration of SYSOPER / SYSDBA?
    - Configuration and application of SUDO?

  • 6/50 Agenda: Database Vault in a Nutshell

  • 7/50 Database Vault in a Nutshell

    - Another Oracle security innovation to protect against the DBA, respectively SYSDBA, and against high system privileges like SELECT ANY TABLE or EXEMPT ACCESS POLICY
    - Available as an Enterprise Edition option
    - Separate download for 10g and 9i
    - Integrated component within Oracle 11g R1 and R2

  • 8/50 Database Vault in a Nutshell

    - Additional layer within the Oracle kernel
    - New components added by Database Vault: Realms, Command Rules, Factors, Rule Sets
    - Extended functionality for Secure Application Roles and Label Security integration
    - No impact on object grants (except for Command Rules, which can restrict any SELECT statement)
    Source: Oracle Database Vault - An Oracle White Paper, June 2007

  • 9/50 Database Vault: Data Privacy and Data Theft (1)

    - Access to data through an instance is protected by database authentication, authorization and auditing (AAA)
    - Authorizations for data can be defined at row level

    [Diagram: End User / Developer / DBA -> Instance -> Database Files; Virtual Private Database and Label Security act as row-level controls inside the instance]

  • 10/50 Database Vault: Data Privacy and Data Theft (2)

    - How to authorize users based on criteria like time, network protocol or IP address of the client?
    - But what about system privileges like SELECT ANY TABLE, EXEMPT ACCESS POLICY and so on, which are granted to DBAs and enabled for connections through SYSDBA?

    [Diagram: Database Vault added alongside Virtual Private Database and Secure Application Roles]

  • 11/50 (image-only slide; no text extracted)

  • 12/50 Database Vault: Eavesdropping and Hijacking

    [Diagram: End User / Developer / DBA (Alice) connects over Oracle Net to the Database Server (Bob); a hacker sits on the network path; Advanced Security protects the connection]

  • 13/50 Agenda: Situation with Anonymous Accounts

  • 14/50 Situation with Anonymous Accounts

    - Administration tasks are not traceable: when and who did a listener or database restart? Who changed the environment (e.g. shell settings)?
    - Auditing on the OS is only partially reasonable: it is possible to see that user oracle did something, but who logged in as oracle?
    - Installation of software / patch sets / CPUs is not traceable
    - Compliance according to SOX, Basel II, etc. is not possible
    - Security protection mechanisms can be bypassed at any time: relink the Oracle binaries to switch off Database Vault, or access data files and/or memory directly
    - OSDBA, OSOPER and OSASM are usually not defined or left at the default

  • 15/50 Dynamic Relink

    On some OS and database versions it is possible to relink the oracle binaries even while the database is running. After the relink, with DBV switched off, the data can be accessed without any restriction.

    A warning will be shown in the ALERT.LOG, but there is also a hint displayed on how this warning can be suppressed:

    cd $ORACLE_HOME/rdbms/lib
    make -f ins_rdbms.mk dv_off
    cd $ORACLE_HOME/bin
    relink oracle

    WARNING: Oracle executable binary mismatch detected.
    Binary of new process does not match binary which started instance
    issue alter system set "_disable_image_check" = true to disable these messages
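The warning above is the one trace a running-instance relink leaves, so it is worth watching for, together with the suppression hint being acted on. The following is an added example (not part of the Trivadis slides): a small POSIX shell check that scans alert log text for the mismatch warning and for an ALTER SYSTEM that set "_disable_image_check" to TRUE. The alert log lines are constructed; only the warning wording is taken from the slide, and the way a real ALTER SYSTEM is echoed in upper case in the alert log is an assumption of the sample.

```shell
#!/bin/sh
# Added example, not from the slides: defender-side scan of Oracle alert log
# text for the "binary mismatch" warning and for its suppression.
# ALERT_SAMPLE is constructed; the warning text matches the slide.

ALERT_SAMPLE=$(cat <<'EOF'
Mon Nov 16 10:02:11 2009
Starting ORACLE instance (normal)
Mon Nov 16 10:44:52 2009
WARNING: Oracle executable binary mismatch detected.
Binary of new process does not match binary which started instance
issue alter system set "_disable_image_check" = true to disable these messages
Mon Nov 16 10:45:03 2009
ALTER SYSTEM SET _disable_image_check=TRUE SCOPE=MEMORY;
EOF
)

# count_binary_mismatch: number of mismatch warnings in the log text on stdin.
# Each one means a process started from a different oracle binary than the
# one that started the instance, i.e. a relink happened while it was up.
count_binary_mismatch() {
    grep -c 'Oracle executable binary mismatch detected' || true
}

# image_check_disabled: exit 0 if the log records an ALTER SYSTEM that set
# _disable_image_check to TRUE. The hint line is lower case and quoted, so a
# case-sensitive match on the upper-case command does not pick it up.
image_check_disabled() {
    grep -q 'ALTER SYSTEM SET _disable_image_check *= *TRUE'
}

# audit_alert_log FILE: print findings; return 1 when something needs a look.
audit_alert_log() {
    n=$(count_binary_mismatch < "$1")
    rc=0
    if [ "$n" -gt 0 ]; then
        echo "FINDING: $n binary mismatch warning(s) in $1 - verify who relinked \$ORACLE_HOME/bin/oracle and whether Database Vault is still linked in"
        rc=1
    fi
    if image_check_disabled < "$1"; then
        echo "FINDING: _disable_image_check was set to TRUE in $1 - the mismatch warning is being suppressed"
        rc=1
    fi
    return $rc
}

# Stand-alone run against the constructed sample.
SAMPLE_FILE="${TMPDIR:-/tmp}/alert_sample.$$"
printf '%s\n' "$ALERT_SAMPLE" > "$SAMPLE_FILE"
audit_alert_log "$SAMPLE_FILE" || echo "alert log needs review"
```

Run it from cron against the real alert log of every instance; a non-zero return is the trigger for the DBA engineering team to compare the binary on disk with the one the instance was started from.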

  • 16/50 Additional Possibilities

    - Change passwords within the data file of the SYSTEM tablespace (see Trivadis training O-AI-DSI)
    - Modify or access data directly within a data file

  • 17/50 (image-only slide; no text extracted)

  • 18/50 Approach and Challenges

    [Lifecycle diagram: Commissioning (no protection, functional accounts) -> Acceptance -> Operation (personalized accounts, sudo, scripts etc.) -> Intermediate Acceptance -> Decommissioning (no protection, functional accounts)]

  • 19/50 (image-only slide; no text extracted)

  • 20/50 Approach and Challenges

    - DBA and operation tasks have to be defined: who has to do what and when? Who may access what?
    - Create a catalog of tasks
    - DBA and operation tasks are to be standardized at a high level, e.g. scripts for certain tasks are available
    - A role concept within the DB must be available
    - Adjustment with OSDBA and OSOPER is reasonable
    - If not implemented properly there is a risk that loopholes will remain
    - It is not possible to lock out the root account; only monitoring and auditing is possible

  • 21/50 Agenda: DBA and Operation Tasks

  • 22/50 DBA and Operation Tasks

    - Deployment of software, patch sets, CPUs and so on
    - Stop / start database, agent and listener
    - Accessing log and trace files (DBA)
    - Accessing data files
    - Maintain scripts
    - Tuning, monitoring etc.
    - Backup / restore
    - Change initialization parameters

  • 23/50 DBA and Operation Tasks

    Task                              | Type | Engineering                  | Operation              | Application Operation
    ----------------------------------|------|------------------------------|------------------------|----------------------
    Initial installation              | OS   | As user oracle               | n/a                    | n/a
    Initial create database           | DB   | As user oracle               | n/a                    | n/a
    Patch set installation (software) | OS   | sudo script (silent install) | n/a                    | n/a
    Patch set installation (upgrade)  | DB   | sysdba or sudo script        | n/a                    | n/a
    CPU / OPatch installation         | OS   | sudo                         | n/a                    | n/a
    DB start / stop                   | OS   | sudo script or SYSOPER       | sudo script or SYSOPER | n/a
    Listener start / stop             | OS   | sudo script                  | sudo script            | n/a
    Agent / console start / stop      | OS   | sudo script                  | sudo script            | n/a

  • 24/50 DBA and Operation Tasks

    Task                                                                | Type | Engineering          | Operation        | Application Operation
    --------------------------------------------------------------------|------|----------------------|------------------|----------------------
    Additional DB tools (runInstaller, dbca, dvca, netca, etc.)         | OS   | sudo                 | sudo             | n/a
    Housekeeping of trace and log files                                 | OS   | script / cronjob     | script / cronjob | Read trace files
    Maintain scripts (development on DBA server with version control)   | OS   | Deployment script    | n/a              | n/a
    Monitoring                                                          | DB   | Within DB / role     | Within DB / role | n/a
    Accounting                                                          | DB   | n/a                  | Within DB / role | n/a
    Space management (e.g. TS)                                          | DB   | Within DB / role     | Within DB / role | n/a
    Backup & recovery                                                   | DB   | As SYSDBA or SYSOPER | n/a              |

  • 25/50 Database Admin / Engineering

    - Personalized UX accounts with OSDBA or OSOPER group
    - Stop / start database with sqlplus as sysoper:
      sqlplus userxy/tiger@TMAC01 as sysoper
    - Use scripts and sudo to stop / start listener, agents etc.
    - Deployment of patches and software will be done with scripts as a silent installation
    - Housekeeping (permissions, truncate etc.) of log and trace files will be done with scripts started by cron
    - DBA tasks (alter system, alter tablespace etc.) are done via Grid Control and / or with personalized DBA accounts

  • 26/50 DB Operation

    - Personalized UX accounts without OSDBA or OSOPER group
    - Stop / start database with sqlplus as sysoper:
      sqlplus userxy/tiger@oraemst as sysoper
    - Use scripts and sudo to stop / start listener, agents etc.
    - Limited access within the database: required system privileges are granted by an operation role; operators are working with personalized accounts

  • 27/50 Additional Users

    - Additional users like developers, account managers etc. only get access on the database level
    - Access to log and trace files on special request
    - Limited access within the database: required system privileges (alter user, etc.) are granted by a dedicated role
    - All users are working with personalized accounts

  • 28/50 (image-only slide; no text extracted)

  • 29/50 Administrative Privileges

    - There are two main administrative privileges in Oracle: SYSOPER and SYSDBA (and SYSASM since Oracle 11g)
    - SYSDBA and SYSOPER are special privileges as they allow access to a database instance even when it is not running
    - The control of these privileges is totally outside of the database itself:
      - by certain OS groups which are linked into the binaries (OSDBA, OSOPER, as well as OSASM since Oracle 11g)
      - by an Oracle password

  • 30/50 OSDBA / OSOPER Groups on Unix (1)

    - The 'OSDBA' and 'OSOPER' groups are chosen at installation time and usually both default to the group 'dba'
    - These groups are compiled into the 'oracle' executable and so are the same for all databases running from a given ORACLE_HOME
    - Verify the groups
    - Later change of the groups (a relink of the oracle binaries is required!)

    cat $ORACLE_HOME/rdbms/lib/config.c
    cd $ORACLE_HOME/rdbms/lib
    vi config.c                      # Adjust the groups:
                                     # => #define SS_DBA_GRP "osdba"
                                     # => #define SS_OPER_GRP "osoper"
    mv config.o config.o.orig        # Backup of config.o
    make -f ins_rdbms.mk ioracle     # DBs must be stopped!
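Because the OSDBA and OSOPER groups live in config.c and not in the database, verifying them means reading that file and then checking who is a member of the compiled-in groups on the host. The following is an added example (not from the slides): a POSIX shell check that extracts SS_DBA_GRP and SS_OPER_GRP from config.c text, lists the members of those groups from /etc/group text, and warns when both map to the same group (the default 'dba' situation the slide describes, in which every operator is effectively a SYSDBA). Both input texts are constructed samples that follow the real file formats; the group names and member accounts are assumptions.

```shell
#!/bin/sh
# Added example, not from the slides: read the compiled-in OSDBA/OSOPER groups
# from config.c and report who can therefore connect as SYSDBA/SYSOPER via OS
# authentication. CONFIG_C_SAMPLE and GROUP_SAMPLE are constructed.

CONFIG_C_SAMPLE=$(cat <<'EOF'
/* SS_DBA_GRP defines the UNIX group ID for sqldba administrative access. */
#define SS_DBA_GRP "dba"
#define SS_OPER_GRP "dba"
char *ss_dba_grp[] = {SS_DBA_GRP, SS_OPER_GRP};
EOF
)

GROUP_SAMPLE=$(cat <<'EOF'
root:x:0:
dba:x:101:oracle,meier,muster,russo
osoper:x:102:meier
EOF
)

# compiled_group NAME: print the value of "#define SS_<NAME>_GRP" (DBA or OPER)
# from config.c text on stdin.
compiled_group() {
    sed -n "s/^#define SS_${1}_GRP[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# group_members GROUP: comma-separated member list of GROUP from /etc/group
# text on stdin (empty when the group has no explicit members).
group_members() {
    awk -F: -v g="$1" '$1 == g { print $4 }'
}

# check_os_groups CONFIG_TEXT GROUP_TEXT: print both groups with their members;
# return 0 when OSDBA and OSOPER are distinct, 1 when they are the same group,
# 2 when config.c could not be parsed.
check_os_groups() {
    dba=$(printf '%s\n' "$1" | compiled_group DBA)
    oper=$(printf '%s\n' "$1" | compiled_group OPER)
    if [ -z "$dba" ] || [ -z "$oper" ]; then
        echo "ERROR: could not find SS_DBA_GRP / SS_OPER_GRP in config.c" >&2
        return 2
    fi
    echo "OSDBA=$dba members: $(printf '%s\n' "$2" | group_members "$dba")"
    echo "OSOPER=$oper members: $(printf '%s\n' "$2" | group_members "$oper")"
    if [ "$dba" = "$oper" ]; then
        echo "WARN: OSDBA and OSOPER are both '$dba' - operators get SYSDBA, not SYSOPER"
        return 1
    fi
    return 0
}

# Stand-alone run on the constructed samples (both groups default to dba).
check_os_groups "$CONFIG_C_SAMPLE" "$GROUP_SAMPLE" || echo "group setup needs review"
```

On a real host feed it `cat $ORACLE_HOME/rdbms/lib/config.c` and `cat /etc/group` (or `getent group`); the member lists are the people who can connect `/ as sysdba` or `/ as sysoper` without any password, so they should be personalized accounts only.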

  • 31/50 (image-only slide; no text extracted)

  • 32/50 SYSDBA / SYSOPER (1)

    - To access a database as SYSDBA or SYSOPER over SQL*Net a password file is required
    - Create a new password file
    - Define the corresponding INIT.ORA parameter

    oracle: orapwd file=${ORACLE_HOME}/dbs/orapw${ORACLE_SID} password=manager entries=5

    SQL> alter system set remote_login_passwordfile='EXCLUSIVE' scope=spfile;

  • 33/50 (image-only slide; no text extracted)

  • 34/50 Difference SYSOPER / SYSDBA

    - The SYSOPER privilege allows operations such as: instance startup, mount and database open; instance shutdown, dismount and database close; ALTER DATABASE BACKUP, ARCHIVE LOG and RECOVER. This privilege allows the user to perform basic operational tasks without the ability to look at user data.
    - The SYSDBA privilege includes all SYSOPER privileges plus full system privileges (with the ADMIN option), plus CREATE DATABASE etc. This is effectively the same set of privileges that was previously available when connected INTERNAL.

    => Regarding Oracle Database Vault it does make sense to use SYSOPER/SYSDBA, respectively OSDBA/OSOPER, and it is recommended to use SYSOPER in this context.

  • 35/50 SYSDBA vs. SYSOPER (1)

    Privilege                     | SYSDBA | SYSOPER
    ------------------------------|--------|--------
    STARTUP and SHUTDOWN          | yes    | yes
    CREATE/DROP DATABASE          | yes    | no
    CREATE SPFILE                 | yes    | yes
    ALTER DATABASE OPEN/MOUNT     | yes    | yes
    ALTER DATABASE ARCHIVELOG     | yes    | yes
    ALTER DATABASE BACKUP/RECOVER | yes    | yes (1)

    (1) only a complete recovery

  • 36/50 Agenda: SUDO

  • 37/50 SUDO

    - SUDO allows configuring which user or user group can execute which commands or scripts as a certain user, e.g. root or oracle
    - It is possible to define a set of commands for different user groups, e.g. DBAs, operators, developers etc.
    - Execution of any sudo command is written to syslog:

    root: grep sudo /var/adm/syslog/syslog.log
    Feb 19 10:44:52 urania sudo: meier : TTY=pts/2 ; PWD=/home/meier ; USER=oracle ; COMMAND=/u00/app/oracle/product/10.2_1/bin/lsnrctl status
    Feb 19 10:44:56 urania sudo: meier : TTY=pts/2 ; PWD=/home/meier ; USER=root ; COMMAND=list
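The syslog records above are what makes personalized accounts traceable: every sudo invocation names the real user, the run-as user and the exact command. The following is an added example (not from the slides) of turning those records into a check: a POSIX shell/awk parser that extracts user, run-as user and command from sudo syslog lines in the format shown above, and flags any executable that is not on an allow-list. The log lines are constructed; the first two copy the slide's format, the third shows what a relink attempt would look like in the log. The allow-list paths are taken from the sudoers example later in the deck and are an assumption for the sample.

```shell
#!/bin/sh
# Added example, not from the slides: parse sudo's syslog records into
# "who / as whom / what" and flag commands outside an allow-list.
# SUDO_LOG_SAMPLE is constructed in the format shown on the slide.

SUDO_LOG_SAMPLE=$(cat <<'EOF'
Feb 19 10:44:52 urania sudo:  meier : TTY=pts/2 ; PWD=/home/meier ; USER=oracle ; COMMAND=/u00/app/oracle/product/10.2_1/bin/lsnrctl status
Feb 19 10:44:56 urania sudo:  meier : TTY=pts/2 ; PWD=/home/meier ; USER=root ; COMMAND=list
Feb 19 11:02:17 urania sudo:  meier : TTY=pts/2 ; PWD=/u00/app/oracle/product/10.2_1/bin ; USER=oracle ; COMMAND=/u00/app/oracle/product/10.2_1/bin/relink oracle
EOF
)

# Executables a personalized operator account may run as oracle via sudo
# (assumed; paths follow the deck's sudoers example).
ALLOWED='/u00/app/oracle/product/10.2_1/bin/lsnrctl /u00/app/oracle/local/custom/bin/dbtool'

# parse_sudo_log: syslog lines on stdin -> one "user runas command" line per
# sudo record. The user is the 6th whitespace-separated field; run-as user and
# command are taken from the USER= and COMMAND= fields.
parse_sudo_log() {
    awk '
    / sudo: / {
        user = $6
        sub(/^.*USER=/, "")
        runas = $0; sub(/ ;.*$/, "", runas)
        cmd = $0;   sub(/^.*COMMAND=/, "", cmd)
        print user, runas, cmd
    }'
}

# flag_sudo_commands: print one FLAG line for each record whose executable
# (first word of COMMAND) is not in ALLOWED. Prints nothing when clean.
flag_sudo_commands() {
    parse_sudo_log | while read -r user runas cmd; do
        exe=${cmd%% *}
        ok=0
        for a in $ALLOWED; do [ "$exe" = "$a" ] && ok=1; done
        [ "$ok" -eq 1 ] || echo "FLAG: $user ran '$cmd' as $runas"
    done
}

# count_flagged: number of flagged records in the log text on stdin.
count_flagged() {
    flag_sudo_commands | wc -l | tr -d ' '
}

# Stand-alone run: the "list" run as root and the relink are flagged,
# the lsnrctl status call is not.
printf '%s\n' "$SUDO_LOG_SAMPLE" | flag_sudo_commands
```

The allow-list should mirror the Cmnd_Alias entries in sudoers, so the check catches both a sudoers rule that is wider than intended and a command that should never appear at all (the Oracle guide's make, relink and gdb).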

  • 38/50 SUDO Configuration

    /usr/local/sbin/visudo

    ## User alias specification
    User_Alias  DBADMIN = dummy
    User_Alias  DBOPER  = meier
    User_Alias  DBUSER  = muster, russo, smith

    ## Runas alias specification
    Runas_Alias DB = oracle

    ## Cmnd alias specification
    Cmnd_Alias  DBOPER  = /u00/app/oracle/local/custom/bin/dbtool
    Cmnd_Alias  DBADMIN = /u00/app/oracle/product/10.2_?/OPatch/opatch, \
                          /u00/app/oracle/product/10.2_?/oui/bin/runInstaller, \
                          /u00/app/oracle/product/10.2_?/bin/dvca, \
                          /u00/app/oracle/product/10.2_?/bin/dbca, \
                          /u00/app/oracle/product/10.2_?/bin/netca

    # User specification
    # root and users in group wheel can run anything on any machine as any user
    root    ALL = (ALL) ALL
    DBADMIN ALL = (DB) NOPASSWD: DBADMIN, DBOPER, /usr/local/bin/truss
    DBOPER  ALL = (DB) NOPASSWD: DBOPER, /u00/app/oracle/product/10.2_?/bin/lsnrctl

  • 39/50 SUDO Usage

    meier: id
    uid=108(meier) gid=20(users) groups=101(osoper)

    meier: sudo -l
    User oper001 may run the following commands on this host:
        (oracle) NOPASSWD: /u00/app/oracle/local/custom/bin/dbca
        (oracle) NOPASSWD: /u00/app/oracle/product/10.2_?/bin/lsnrctl

    meier: sudo -u oracle dbca

    Or even a bit simpler when using aliases:

    alias dbtool='sudo -u oracle dbtool'

  • 40/50 SUDO Constraints

    - SUDO executes commands and scripts as the user specified for execution, e.g. oracle. The environment settings will be those of the user specified at the sudo command.
    - If possible define only simple commands to be used with sudo, e.g. /usr/local/bin/truss
    - More complex commands should be executed within a shell script which takes care of parameters, errors etc.:
      sudo -u oracle lsnrctl.ksh t oraemst start
    - SUDO has to be manually installed on HP-UX and Solaris
    - A SUDO configuration file can be distributed over the network
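The listener wrapper the slide names (lsnrctl.ksh) is the kind of "shell which takes care of parameters, errors etc." that should be granted in sudoers instead of lsnrctl itself. The following is an added example (not the Trivadis script and not from the slides) of such a wrapper in POSIX sh: it accepts only start, stop or status and only a known SID, and only then builds the lsnrctl command with a clean environment for the oracle user. The ORACLE_HOME path and the SID list are assumptions (the two SIDs are the ones named on the slides); with DRY_RUN=1 (the default here) the wrapper prints the command it would run, so the block executes anywhere.

```shell
#!/bin/sh
# Added example, not from the slides: an argument-checking wrapper around
# lsnrctl, the kind of script a sudoers rule should point at instead of the
# raw binary. ORACLE_HOME and KNOWN_SIDS are assumed values.

ORACLE_HOME=${ORACLE_HOME:-/u00/app/oracle/product/10.2_1}   # assumed path
KNOWN_SIDS="oraemst TMAC01"                                   # SIDs named on the slides
DRY_RUN=${DRY_RUN:-1}                                         # 1 = print, 0 = execute

# valid_action NAME: 0 if NAME is one of the permitted lsnrctl actions.
valid_action() {
    case "$1" in
        start|stop|status) return 0 ;;
        *)                 return 1 ;;
    esac
}

# valid_sid NAME: 0 if NAME is in KNOWN_SIDS and contains only [A-Za-z0-9_],
# so nothing the caller passes can reach the shell as an extra word or option.
valid_sid() {
    case "$1" in
        *[!A-Za-z0-9_]*|'') return 1 ;;
    esac
    for s in $KNOWN_SIDS; do
        [ "$1" = "$s" ] && return 0
    done
    return 1
}

# lsnrctl_wrapper ACTION SID: validate both arguments, then run (or print)
# "lsnrctl ACTION LISTENER_<SID>". Returns 2 on a rejected argument.
lsnrctl_wrapper() {
    action=$1
    sid=$2
    valid_action "$action" || { echo "usage: lsnrctl_wrapper start|stop|status SID" >&2; return 2; }
    valid_sid "$sid"       || { echo "ERROR: unknown or malformed SID '$sid'" >&2; return 2; }
    cmd="$ORACLE_HOME/bin/lsnrctl $action LISTENER_$sid"
    if [ "$DRY_RUN" = 1 ]; then
        echo "$cmd"
        return 0
    fi
    # Real run: fixed PATH, ORACLE_HOME and ORACLE_SID, nothing inherited
    # from the calling user's environment ($cmd is split on purpose).
    env -i PATH=/usr/bin:/bin ORACLE_HOME="$ORACLE_HOME" ORACLE_SID="$sid" $cmd
}

# Stand-alone run: one accepted call, two rejected ones.
lsnrctl_wrapper status oraemst
lsnrctl_wrapper restart oraemst  || echo "rejected: action"
lsnrctl_wrapper start 'oraemst x' || echo "rejected: SID"
```

Installed as a script owned by root and mode 755, the sudoers line becomes `DBOPER ALL = (DB) NOPASSWD: /u00/app/oracle/local/custom/bin/lsnrctl.sh`, and the operator never gets a shell or an unchecked argument as oracle.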

  • 41/50 Agenda: Miscellaneous

  • 42/50 Miscellaneous

    - OP, an interesting open-source alternative to SUDO: http://swapoff.org/wiki/op
      The major difference is the possibility to use mnemonics rather than commands:
      With SUDO:  sudo /bin/mount -t iso9660 /dev/cdrom /mnt/cdrom
      With OP:    op mount cd
    - Set the s-bit for individual commands:

    oracle@urania:/u00/app/oracle/product/11.1.0/bin/ [rdbms1110] ls -al oracle*
    -rwsr-s--x 1 oracle osdba 158489970 Mar 8 14:15 oracle
  • 43/50 Script Maintenance

    - Scripts should be maintained in a central repository, e.g. Subversion, CVS or something similar
    - DB admins may create new revisions of the scripts on their development system
    - New revisions have to be committed to the repository: Subversion command line for Windows, TortoiseSVN client, Oracle SQL Developer
    - Deployment of scripts and configuration should be done with a deployment process (e.g. Jumpstart server, Grid Control, ...)
    - Only a defined and accepted version of the scripts will be used on the systems

  • 44/50 Agenda: Conclusion

  • 45/50 Conclusion

    - A reliable protection with Database Vault is possible, but additional considerations have to be taken into account
    - Auditing anonymous users only provides limited information
    - Personalized accounts are recommended for Database Vault: system / DBA tasks can be clearly assigned (engineering, operation, ...) and traceability can be guaranteed
    - To have personalized accounts a standardized environment is recommended; it allows a simpler implementation of SUDO: a stable environment with documented tasks and responsibilities

  • 46/50 (image-only slide; no text extracted)

  • 47/50 Thank you!

    Basel Baden Brugg Bern Lausanne Zürich Düsseldorf Frankfurt/M. Freiburg i. Br. Hamburg München Stuttgart Wien

    www.trivadis.com

  • 48/50 Backup Slide: Not covered by DBV (1)

    Risk: Data within data files is stored in clear text (OS and SAN admins as well as the Oracle Unix account can read the data)
    Action: Encryption of data files with TDE (10g on row level, 11g on tablespace level)

    Risk: Data in backups is in clear text
    Action: Encrypt data with RMAN

    Risk: The SYS account has to be open for RAC and RMAN; this account is not fully protected by Database Vault
    Action: Personalized accounts on Unix and in the database + SUDO concept; use of SYSOPER; accept SYSDBA connections only at the time when RMAN has to run

  • 49/50 Backup Slide: Not covered by DBV (2)

    Risk: While the database is patched (e.g. CPUs) Database Vault has to be switched off; this is also true for database migrations
    Action: Personalized accounts on Unix and in the database + SUDO concept; monitoring on the OS (inode + ctime checks, e.g. manual, Nimbus, iwatch (Linux, based on inotify))

    Risk: Data on the network is sent as clear text (as well as the interconnect in RAC environments)
    Action: Use of Advanced Security Option to encrypt network traffic

    Risk: Direct grants on objects
    Action: Existing grants must be known and have to be verified; the Database Vault Admin Console provides reports for this

    Risk: Export possibilities on application level
    Action: This can only be checked on application level; possible restriction based on rules (e.g. from a certain IP, ...)

  • 50/50 Backup Slide: Separation of Duties

    Task | Responsible
    - Operation of database and instance (create, parameterize, instance tuning, patching, updates, tablespace management, ...)
    - Security management: create realms, define objects which have to be protected, assign users to realms
    - Create application roles, assign object privileges to roles/users
    - Account management + assign roles
    - Create technical roles, initial assignment of system privileges to roles (not application roles!)