Presentation is loading. Please wait.

Presentation is loading. Please wait.

A First look at Database Vault David Bergmeier.  Overview  Installation  Limitations  Securing Data  Backups  A trigger problem Agenda.

Similar presentations


Presentation on theme: "A First look at Database Vault David Bergmeier.  Overview  Installation  Limitations  Securing Data  Backups  A trigger problem Agenda."— Presentation transcript:

1 A First look at Database Vault David Bergmeier

2  Overview  Installation  Limitations  Securing Data  Backups  A trigger problem Agenda

3  Senior Oracle DBA  Worked for MGA nearly 2 years  Background as an Analyst/Programmer  12 years in financial services industry  Started using Oracle in 1996 About me

4 Why Oracle Database Vault? Don’t trust the DBA Regulatory Compliance (e.g. Sarbanes Oxley) Separation of duties Overview

5 connect / as sysdba create user david... grant dba to david; select * from scott.emp;

6 Separation of duties connect / as sysdba create user david... grant dba to david; select * from scott.emp;

7 Separation of duties

8

9

10  Overview  Installation  Limitations  Securing Data  Backups  A trigger problem Agenda

11 Oracle MB of Physical RAM Swap space (1.5 times RAM) 400 MB in /tmp 270 MB for database vault binaries 10 MB additional for database files Prerequisites

12 Installation Assumes one instance per Oracle home But can support more Prerequisites

13 Installation

14 Installation User to receive DV_OWNER role

15 Installation Passwords must have alpha, numeric & special

16 Installation User to receive DV_ACCTMGR role

17 Installation

18 Installation

19 Installation

20 Installation

21 Installation

22 Installation

23 Installation

24  Overview  Installation  Limitations  Securing Data  Backups  A trigger problem Agenda

25 Let’s start the database The First Problem

26

27

28 I cannot login as SYDBA So how do I start/stop Oracle? The First Problem

29 connect / as SYSOPER The First Problem

30

31  Overview  Installation  Limitations  Securing Data  Backups  A trigger problem Agenda

32 $ lsnrctl start $ emctl start dbconsole Securing Some Data

33 $ sqlplus system/manager SQL> select * from scott.emp; rows selected. SQL> Securing Some Data

34

35

36

37

38 A realm is a functional grouping of schemas and roles that are secured. What is a Realm?

39 RealmSecured ObjectsAuthorizations One Many

40 Securing Some Data

41

42

43

44

45

46

47 SQL> select * from scott.emp; select * from scott.emp * ERROR at line 1: ORA-01031: Insufficient Privileges SQL> Securing Some Data

48 SQL> select * from scott.dept; DEPTNO DNAME LOC ACCOUNTING NEW YORK 20 RESEARCH DALLAS 30 SALES CHICAGO 40 OPERATIONS BOSTON SQL> Securing Some Data

49 That’s the end of the tutorial. So now let’s consider a real world application. Securing Some Data

50 Real world Example EMP application userSCOTT Application server connects to database as single user

51 Real world Example EMP application usersupport usersSCOTT Support users connect with individual accounts with read-only access

52 Real world Example EMP grant select insert update delete scott_app_userscott_ro_rolescott_ro grant select grant role SCOTT

53 SQL> connect system/manager SQL> create user scott_app_user 2> identified by tiger 3> default tablespace USERS; identified by tiger * ERROR at line 2: ORA-01031: Insufficient Privileges Create User

54 SQL> connect dbu/manager SQL> create user scott_app_user 2> identified by tiger 3> default tablespace USERS; User created. SQL> grant connect to scott_app_user; Create User

55 SQL> connect dbu/manager SQL> create user scott_ro 2> identified by tiger 3> default tablespace USERS; User created. SQL> grant connect to scott_ro; Create User

56 SQL> connect system/manager SQL> create role scott_ro_role; Role created. SQL> grant scott_ro_role to scott_ro; Grant succeeded. SQL> Create Role

57 SQL> connect scott/tiger SQL> grant select,insert,update, delete on emp to scott_app_user; Grant succeeded. SQL> grant select on emp to scott_ro_role; Grant succeeded. SQL> Grants

58 Now to test it... Real world Example

59 SQL> connect scott_ro/tiger SQL> select * from scott.emp; 14 rows selected. SQL> delete from scott.emp; delete from scott.emp * ERROR at line 1: ORA-01031: Insufficient Privileges Testing scott_ro

60 SQL> connect scott_ro/tiger SQL> select * from scott.emp; 14 rows selected. SQL> delete from scott.emp; delete from scott.emp * ERROR at line 1: ORA-01031: Insufficient Privileges Testing scott_ro

61 SQL> connect scott_app_user/tiger SQL> select * from scott.emp; 14 rows selected. SQL> delete from scott.emp; 14 rows deleted. SQL> rollback; Testing scott_app_user

62 SQL> connect scott_app_user/tiger SQL> select * from scott.emp; 14 rows selected. SQL> delete from scott.emp; 14 rows deleted. SQL> rollback; Testing scott_app_user

63 SQL> connect system/manager SQL> select * from scott.emp; 14 rows selected. SQL> delete from scott.emp; delete from scott.emp * ERROR at line 1: ORA-01031: Insufficient Privileges Testing system

64 SQL> connect system/manager SQL> select * from scott.emp; 14 rows selected. SQL> delete from scott.emp; delete from scott.emp * ERROR at line 1: ORA-01031: Insufficient Privileges Testing system

65 SQL> connect system/manager SQL> select * from session_roles; ROLE DV_PUBLIC DBA... SCOTT_RO_ROLE 14 rows selected. SQL> What went wrong?

66 How did SYSTEM get SCOTT_RO_ROLE? What went wrong?

67 SQL> connect system/manager SQL> create role foo; Role created. SQL> set role all; Role set. SQL> select * from session_roles; ROLE DV_PUBLIC... FOO What went wrong?

68 So now we have a problem! What went wrong? If we only revoke the role, SYSTEM can grant it again. How do we prevent this?

69 SQL> connect system/manager SQL> drop role scott_ro_role; Role dropped. SQL> select * from session_roles; ROLE DV_PUBLIC... MGMT_USER 13 rows selected. SQL> Remove the Role

70 DV_ACCTMGR has create/drop user alter user account lock/unlock alter user password expire grant/revoke CONNECT role Problem with DV_ACCTMGR

71 DV_ACCTMGR needs create role alter any role drop any role SELECT_CATALOG_ROLE To get these, we need to login as SYSDBA Problem with DV_ACCTMGR

72 $ cd $ORACLE_HOME/dbs $ orapwd file=orapwmozart password=mozart entries=20 force=y nosysdba=n $ sqlplus sys/mozart as sysdba SQL> startup SQL> alter user sys identified by mozart; Allow SYSDBA

73 SQL> connect sys/mozart as sysdba SQL> grant create role to DV_ACCTMGR; SQL> grant alter any role to DV_ACCTMGR; SQL> grant drop any role to DV_ACCTMGR; Grants to DV_ACCTMGR

74 SELECT_CATALOG_ROLE

75 SELECT_CATALOG_ROLE

76 Fixing DV_ACCTMGR

77

78

79 SQL> connect dbu/manager SQL> create role scott_ro_role; Role created. SQL> Create Role as DV_ACCTMGR At this stage we delay granting scott_ro_role

80 Securing SCOTT_RO_ROLE

81

82 SQL> connect dbu/manager SQL> grant scott_ro_role to scott_ro; grant scott_ro_role to scott_ro * ERROR at line 1: ORA-47401: Realm violation for grant role privilege on SCOTT_RO_ROLE Granting SCOTT_RO_ROLE

83 So who can/should do the grant of SCOTT_RO_ROLE ? Granting SCOTT_RO_ROLE

84 So who can/should do the grant of SCOTT_RO_ROLE ? Answer: SCOTT Granting SCOTT_RO_ROLE

85 Answer: SCOTT Provided SCOTT can only grant SCOTT_RO_ROLE and not other roles like DBA. Granting SCOTT_RO_ROLE

86 One more grant as SYSDBA Granting SCOTT_RO_ROLE SQL> connect sys/mozart as sysdba SQL> grant grant any role to scott; Grant succeeded. SQL>

87 SQL> connect scott/tiger SQL> grant scott_ro_role to scott_ro; Grant succeeded. SQL> revoke scott_ro_role from dbu; Revoke succeeded. SQL> Granting SCOTT_RO_ROLE

88 SQL> connect scott/tiger SQL> grant DBA to scott; grant DBA to scott * ERROR at line 1: ORA-00604: error occurred at recursive SQL level 1 ORA-47401: Realm violation for grant role privilege on UNLIMITED TABLESPACE. Granting SCOTT_RO_ROLE

89 WHY? Granting SCOTT_RO_ROLE

90 The DBA role is protected by the “Oracle Data Dictionary” Realm. Granting SCOTT_RO_ROLE

91 Now to test it... Again Granting SCOTT_RO_ROLE

92 SQL> connect scott_ro/tiger SQL> select * from scott.emp; 14 rows selected. SQL> delete from scott.emp; delete from scott.emp * ERROR at line 1: ORA-01031: Insufficient Privileges Testing scott_ro again

93 SQL> connect scott_ro/tiger SQL> select * from scott.emp; 14 rows selected. SQL> delete from scott.emp; delete from scott.emp * ERROR at line 1: ORA-01031: Insufficient Privileges Testing scott_ro again

94 SQL> connect scott_app_user/tiger SQL> select * from scott.emp; 14 rows selected. SQL> delete from scott.emp; 14 rows deleted. SQL> rollback; Testing scott_app_user

95 SQL> connect scott_app_user/tiger SQL> select * from scott.emp; 14 rows selected. SQL> delete from scott.emp; 14 rows deleted. SQL> rollback; Testing scott_app_user

96 SQL> connect system/manager SQL> select * from scott.emp; ERROR at line 1: ORA-01031: Insufficient Privileges SQL> delete from scott.emp; ERROR at line 1: ORA-01031: Insufficient Privileges Testing system again

97 SQL> connect system/manager SQL> select * from scott.emp; ERROR at line 1: ORA-01031: Insufficient Privileges SQL> delete from scott.emp; ERROR at line 1: ORA-01031: Insufficient Privileges Testing system again

98 SQL> connect sys/mozart as sysdba SQL> select * from scott.emp; ERROR at line 1: ORA-01031: Insufficient Privileges SQL> delete from scott.emp; ERROR at line 1: ORA-01031: Insufficient Privileges Testing SYSDBA

99 SQL> connect sys/mozart as sysdba SQL> select * from scott.emp; ERROR at line 1: ORA-01031: Insufficient Privileges SQL> delete from scott.emp; ERROR at line 1: ORA-01031: Insufficient Privileges Testing SYSDBA

100 SQL> connect dbu/manager SQL> select * from scott.emp; ERROR at line 1: ORA-01031: Insufficient Privileges SQL> delete from scott.emp; ERROR at line 1: ORA-01031: Insufficient Privileges Testing DV_ACCTMGR

101 SQL> connect dbu/manager SQL> select * from scott.emp; ERROR at line 1: ORA-01031: Insufficient Privileges SQL> delete from scott.emp; ERROR at line 1: ORA-01031: Insufficient Privileges Testing DV_ACCTMGR

102 SQL> connect dbv/manager SQL> select * from scott.emp; ERROR at line 1: ORA-01031: Insufficient Privileges SQL> delete from scott.emp; ERROR at line 1: ORA-01031: Insufficient Privileges Testing DV_ADMIN

103 SQL> connect dbv/manager SQL> select * from scott.emp; ERROR at line 1: ORA-01031: Insufficient Privileges SQL> delete from scott.emp; ERROR at line 1: ORA-01031: Insufficient Privileges Testing DV_ADMIN

104 Let’s review the actions performed by each of the different users/roles Separation of Duties

105 SYS as SYSDBA Grant role privileges to DV_ACCTMGR (one time) Grant “grant any role” to SCOTT (once per application) Separation of Duties

106 DV_ADMIN (user = dbv) Realm authorizations (once per application) Command Rules (one time) Separation of Duties

107 DV_ACCTMGR (user = dbu) Create user (ongoing) Grant connect (ongoing) Create role (once per app) Separation of Duties

108 Schema owner (SCOTT) Grant object privileges (once per application) Grant SCOTT_RO_ROLE (ongoing) Separation of Duties

109 DBA (user = system) Nothing Separation of Duties

110  Overview  Installation  Limitations  Securing Data  Backups  A trigger problem Agenda

111 Impact of Backups Export Data Pump RMAN Backups

112 Export Lots of ORA Will be unable to Import Not viable Backups

113 Data Pump Not tested Backups

114 RMAN Requires SYSDBA access May need to hardcode SYS password or use wallet Works successfully Backups

115  Overview  Installation  Limitations  Securing Data  Backups  A trigger problem Agenda

116 Error creating trigger Minor changes to whitespace in trigger source caused compile success/failure Known Bug: ORA-47999: internal Database Vault error: create trigger Trigger Problem

117 Workaround available Login as dv_owner account alter trigger dvsys.DV_BEFORE_DDL_TRG disable Login as SCOTT and create trigger Login as dv_owner account alter trigger dvsys.DV_BEFORE_DDL_TRG enable Trigger Problem

118  You probably don’t need Database Vault  It’s a trade off between more security with more bureaucracy  It seems to work okay but there are some bugs  Typical work arounds involve deactivating Database Vault Conclusion

119 The End Thank you for your attendance


Download ppt "A First look at Database Vault David Bergmeier.  Overview  Installation  Limitations  Securing Data  Backups  A trigger problem Agenda."

Similar presentations


Ads by Google