ORACLE DATABASE VAULT. Nguyễn Quang Khải (50701106), Nguyễn Duy Hoàng (50700852).
1 ORACLE DATABASE VAULT Nguyễn Quang Khải Nguyễn Duy Hoàng

2 Contents
Introducing Oracle Database Vault
o What is Oracle Database Vault?
o Components of Oracle Database Vault.
HOWTO install Oracle Database Vault
HOWTO use a Realm to secure Data Access from DBA access.
HOWTO use Command Rules to secure User Activity.
HOWTO use Rule Sets, Factors, and Secure Application Roles

3 Contents
HOWTO Disable and Enable DV
HOWTO Use Reports in DV
HOWTO Better Understand DV’s Impact on Performance
Miscellaneous Discussion – Is Auditing Alone Enough?

4 Introducing Oracle Database Vault: What is Oracle Database Vault? Components of Oracle Database Vault.

5 What is Oracle Database Vault?

6 Oracle Database Vault (DV) was introduced in Oracle 10gR2, 11g and 9iR2. DV restricts access to specific areas in an Oracle database from any user, including privileged ones. It enables you to apply access control to your sensitive data, and it protects your data from super-privileged users while still letting them maintain your Oracle databases.

7 What is Oracle Database Vault? It helps to address the most difficult security problems: protecting against insider threats, meeting regulatory compliance requirements, and enforcing separation of duty. It manages the security of an individual Oracle Database instance.

8 Components of Oracle Database Vault. Oracle Database Vault has the following components:
■ Oracle Database Vault Access Control Components
■ Oracle Database Vault Administrator (DVA)
■ Oracle Database Vault Configuration Assistant (DVCA)
■ Oracle Database Vault DVSYS and DVF Schemas
■ Oracle Database Vault PL/SQL Interfaces and Packages
■ Oracle Database Vault and Oracle Label Security PL/SQL APIs
■ Oracle Database Vault Reporting and Monitoring Tools

9 Oracle Database Vault Access Control Components. Realms: a functional grouping of database schemas, objects, and roles that must be secured. Command rules: a special rule that you can create to control how users can execute almost any SQL statement, including SELECT, ALTER SYSTEM, data definition language (DDL), and data manipulation language (DML) statements.

10 Oracle Database Vault Access Control Components. Factors: a named variable or attribute, such as a user location, database IP address, or session user, which Oracle Database Vault can recognize and secure. Rule sets: a collection of one or more rules that you can associate with a realm authorization, command rule, factor assignment, or secure application role. Secure application roles: a special Oracle Database role that can be enabled based on the evaluation of an Oracle Database Vault rule set.

11 Oracle Database Vault Administrator (DVA): a Java application that is built on top of the Oracle Database Vault PL/SQL application programming interfaces (API). It allows security managers who may not be proficient in PL/SQL to configure the access control policy through a user-friendly interface, and it provides an extensive collection of security-related reports that assist in understanding the baseline security configuration.

12 Oracle Database Vault Configuration Assistant (DVCA): used to perform maintenance tasks on your Oracle Database Vault installation.
Oracle Database Vault DVSYS and DVF Schemas: the DVSYS schema stores the database objects needed to process Oracle data for Oracle Database Vault; it contains the roles, views, accounts, functions, and other database objects that Oracle Database Vault uses. The DVF schema contains public functions to retrieve (at run time) the factor values set in the Oracle Database Vault access control configuration.

13 Oracle Database Vault PL/SQL Interfaces and Packages: allow security managers or application developers to configure the access control policy as required.
Oracle Database Vault and Oracle Label Security PL/SQL APIs: enable the security manager to define a label security policy and apply it to database objects.
Oracle Database Vault Reporting and Monitoring Tools: generate reports on the various activities that Oracle Database Vault monitors.

14 HOWTO install Oracle Database Vault. Install on Oracle Database 10gR2:
o Download Oracle Database Vault from Oracle OTN: tabase_vault/index.html
o Stop all 3 services (DB Console, database and listener), OR stop them manually:
sqlplus / as sysdba
SQL> SHUTDOWN IMMEDIATE
SQL> EXIT
emctl stop dbconsole
lsnrctl stop
o Start the installer (runinstaller.sh) and choose the destination path, the Database Vault owner and its password.

15 HOWTO install Oracle Database Vault


24 o Open the database by starting all 3 services (listener, database and DB Console), OR start them manually:
lsnrctl start
sqlplus / as sysdba
SQL> STARTUP
emctl start dbconsole
o Register your database with Database Vault.
o Start Database Configuration Assistant from Start -> Programs -> Oracle – ORACLE_HOME -> Configuration and Migration Tools.
o Choose “Configure Database Options”, select Oracle Database Vault (and Oracle Label Security) and proceed to the credentials page. Pick a password for the DBVOWNER and DBVACCTMGR accounts (you might find this very difficult, as Database Vault has very strict password requirements) and proceed. The database is automatically restarted by DBCA.

25 HOWTO install Oracle Database Vault


29 o Log in to Oracle Database Vault.

30 HOWTO use a Realm to secure Data Access from DBA access. Let’s use SCOTT.EMP—it has salary information in it. Before we define a realm, DBAs have access to this table—for example:

31 HOWTO use a Realm to secure Data Access from DBA access. To create a realm, logon to the DV Administrator and follow these steps: o In the Administration tab click the Realms link.

32 HOWTO use a Realm to secure Data Access from DBA access. o Click the Create button at the top right of the screen.

33 HOWTO use a Realm to secure Data Access from DBA access. o Fill in SCOTT_EMP as the Name for the realm and fill in a description for this realm protection. Leave Status as Enabled and leave Audit on Failure for Audit Options. Click OK.

34 HOWTO use a Realm to secure Data Access from DBA access.

35 o This will create the realm and take you back to the realm list. o Select the realm using the radio button and click Edit.

36 HOWTO use a Realm to secure Data Access from DBA access. o In the realm secured objects area, click the Create button.

37 HOWTO use a Realm to secure Data Access from DBA access. o Select the owner as SCOTT, the type as TABLE, and fill in EMP as the object name. Click OK.

38 HOWTO use a Realm to secure Data Access from DBA access. o Click OK on the top right of the screen to return from editing the realm definition. The screen should be similar to the image below, where the realm is now marked as having protected objects.

39 HOWTO use a Realm to secure Data Access from DBA access. Logged on as SYSTEM you will no longer be able to access the data:

40 HOWTO use a Realm to secure Data Access from DBA access. Connect as SCOTT and issue the same query; you will have access:

41 More on Realms. Realms can contain a larger set of objects – a schema, a group of roles or a group of objects – to which you want to associate a security policy. Example: by associating a role with a realm, you can ensure that only you can assign this role and that a DBA can’t grant it. Realms also let you define who the realm owners are. Realm participants can use their system privileges to access a realm-protected object.

42 More on realms. DV includes a number of prebuilt realms:
o DV Account Management Realm: the most important realm; it limits who can manage and create database accounts.
o DV Realm: protects the DV schemas (DVSYS, DVF, and LBACSYS).
o Oracle Data Dictionary Realm: protects the catalog, the SYS schema and the SYSTEM schema.
o Oracle Enterprise Manager Realm: protects SYSMAN and DBSNMP.
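The SCOTT_EMP realm built above through the DVA screens, and the owner/participant distinction from the "More on Realms" slides, done instead with the DVSYS.DBMS_MACADM API. This is an added example, not code from the slides; it assumes an 11g-style DBMS_MACADM/DBMS_MACUTL signature set, that it is run as the DV owner account, and that the DVSYS.AUDIT_TRAIL$ column names used in the last query (USERNAME, USERHOST, OWNER, OBJ_NAME, ACTION_COMMAND) match your release.

```sql
-- Added example (not from the slides): SCOTT_EMP realm via DBMS_MACADM.
-- Run as the Database Vault owner (DBVOWNER in the install steps).
BEGIN
  -- Step 1: the realm itself, enabled, auditing only failed access attempts
  -- (the "Audit on Failure" option chosen in the DVA screen)
  DVSYS.DBMS_MACADM.CREATE_REALM(
    realm_name    => 'SCOTT_EMP',
    description   => 'Protects salary data in SCOTT.EMP from DBA access',
    enabled       => DVSYS.DBMS_MACUTL.G_YES,
    audit_options => DVSYS.DBMS_MACUTL.G_REALM_AUDIT_FAIL);

  -- Step 2: the protected object (owner SCOTT, type TABLE, name EMP)
  DVSYS.DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'SCOTT_EMP',
    object_owner => 'SCOTT',
    object_name  => 'EMP',
    object_type  => 'TABLE');

  -- Step 3: SCOTT as realm owner. An owner (or participant) may use its
  -- system privileges on realm objects; SYSTEM, which is neither, cannot.
  -- No rule set is attached, so the authorization is unconditional.
  DVSYS.DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'SCOTT_EMP',
    grantee       => 'SCOTT',
    rule_set_name => NULL,
    auth_options  => DVSYS.DBMS_MACUTL.G_REALM_AUTH_OWNER);
END;
/

-- Verify what the realm protects and who is authorized
SELECT realm_name, owner, object_name, object_type
  FROM DVSYS.DBA_DV_REALM_OBJECT
 WHERE realm_name = 'SCOTT_EMP';

SELECT realm_name, grantee, auth_rule_set_name, auth_options
  FROM DVSYS.DBA_DV_REALM_AUTH
 WHERE realm_name = 'SCOTT_EMP';

-- Detection: because the realm audits on failure, SYSTEM's blocked
-- "SELECT * FROM SCOTT.EMP" is recorded in the DV audit trail.
-- Column names assumed from the 11g DVSYS.AUDIT_TRAIL$ view.
SELECT username, userhost, timestamp, action_command
  FROM DVSYS.AUDIT_TRAIL$
 WHERE owner = 'SCOTT' AND obj_name = 'EMP'
 ORDER BY timestamp DESC;
```

Reviewing the last query on a schedule is the cheap way to catch a DBA probing the realm, which the slides' "Audit on Failure" choice makes possible but does not by itself surface.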

43 HOWTO use Command Rules to secure User Activity. A command rule is a definition that can be used to protect any activity on any object in the database, based on a security policy phrased within a rule. A command rule is evaluated after the realm is checked, and only if the realm check succeeds. DV checks all relevant command rules, and only if they all evaluate to true is the action allowed. Command rules override regular object privileges.

44 HOWTO use Command Rules to secure User Activity. Example 1: build a command rule that disables the ability to update the SCOTT.EMP table. o Log on to the DV Administrator and in the Administration tab click the Command Rules link.

45 HOWTO use a Command rules to secure User Activity. o In the Command Rules screen click on the Create button at the top right.

46 HOWTO use Command Rules to secure User Activity.
o In the General area, select UPDATE from the Command pull-down and leave Enabled as the Status.
o In the Applicability area select SCOTT as the Object Owner and EMP as the Object Name.
o From the Rule Set drop-down select Disabled. This is a prebuilt rule set that always evaluates to FALSE, so the update will never be allowed.

47 HOWTO use a Command rules to secure User Activity.

48 Now, SCOTT can insert into this table but can’t update.

49 HOWTO use Command Rules to secure User Activity. Example 2: allow UPDATEs only if the connection is made locally over a bequeath session (BEQ). Do three things:
o Create a rule based on the CLIENT_IP factor that returns TRUE if the connection has no CLIENT_IP.
o Create a rule set with this one rule.
o Add the rule set to the command rule.

50 HOWTO use a Command rules to secure User Activity. o Logon to the DV Administrator, in the Administration tab click on the Rule Sets link.

51 HOWTO use a Command rules to secure User Activity. o Click the Create button at the right hand corner.

52 HOWTO use Command Rules to secure User Activity. o In the General area enter DISSALLOW_TCP_ACCESS as the Name and a description. Status should be Enabled, Evaluation Options should be All True. Click OK.

53 HOWTO use a Command rules to secure User Activity. o Select your new rule set from the list of rule sets and click the Edit button.

54 HOWTO use Command Rules to secure User Activity. o Scroll down to the Rules Associated To The Rule Set area and click Create.

55 HOWTO use a Command rules to secure User Activity. o Enter a name and the expression for the rule. Click OK.

56 HOWTO use a Command rules to secure User Activity. o Back on the Edit Rule Set page click OK. Now you have a rule set with a single rule.

57 HOWTO use a Command rules to secure User Activity. o Click on the database instance breadcrumb link at the top left to navigate back to the home page.

58 HOWTO use Command Rules to secure User Activity. o Click on the Command Rules link, select your command rule, and click the Edit button. o In the Rule Set pull-down select your new rule set. Click OK.

59 HOWTO use Command Rules to secure User Activity. Log in to the database as SCOTT using a BEQ connection:

60 HOWTO use Command Rules to secure User Activity. Log in to the database as SCOTT using a listener connection (TCP connection):

61 HOWTO use Command Rules to secure User Activity. DV provides a set of PL/SQL procedures that can be used to create these constructs. These are part of the DBMS_MACADM package within the DVSYS schema.

62 HOWTO use Command Rules to secure User Activity. Example 3: create a command rule that disallows dropping the EMP table in the SCOTT schema.
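Examples 1 to 3 expressed with the DBMS_MACADM procedures the previous slide mentions instead of the DVA screens. This is an added example, not code from the slides; it assumes 11g-style DBMS_MACADM/DBMS_MACUTL signatures, the prebuilt rule set name "Disabled", a rule expression of `DVF.F$CLIENT_IP IS NULL` as the "no CLIENT_IP" test, and a constructed error code/message for the rule set failure.

```sql
-- Added example (not from the slides): Examples 1-3 via DBMS_MACADM.
-- Run as the Database Vault owner.
BEGIN
  -- Example 1: tie UPDATE on SCOTT.EMP to the prebuilt "Disabled" rule
  -- set, which always evaluates to FALSE, so no UPDATE ever passes
  DVSYS.DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'UPDATE',
    rule_set_name => 'Disabled',
    object_owner  => 'SCOTT',
    object_name   => 'EMP',
    enabled       => DVSYS.DBMS_MACUTL.G_YES);

  -- Example 2, step 1: a rule that is TRUE only when the session has no
  -- client IP, i.e. a local bequeath (BEQ) connection, not a listener one
  DVSYS.DBMS_MACADM.CREATE_RULE(
    rule_name => 'Local BEQ connection only',
    rule_expr => 'DVF.F$CLIENT_IP IS NULL');

  -- Example 2, step 2: the rule set. EVAL_ALL = "All True" (every member
  -- rule must pass); audit on failure; show the error to the caller.
  -- fail_code must lie in the -20000..-20999 range (value constructed here).
  DVSYS.DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'DISSALLOW_TCP_ACCESS',
    description     => 'Allow the command only from a local BEQ session',
    enabled         => DVSYS.DBMS_MACUTL.G_YES,
    eval_options    => DVSYS.DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DVSYS.DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DVSYS.DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'UPDATE on SCOTT.EMP is allowed only over a local BEQ session',
    fail_code       => -20001,
    handler_options => DVSYS.DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);

  DVSYS.DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'DISSALLOW_TCP_ACCESS',
    rule_name     => 'Local BEQ connection only');

  -- Example 2, step 3: point the UPDATE command rule at the new rule set
  DVSYS.DBMS_MACADM.UPDATE_COMMAND_RULE(
    command       => 'UPDATE',
    rule_set_name => 'DISSALLOW_TCP_ACCESS',
    object_owner  => 'SCOTT',
    object_name   => 'EMP',
    enabled       => DVSYS.DBMS_MACUTL.G_YES);

  -- Example 3: nobody, DBA included, may drop SCOTT.EMP
  DVSYS.DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'DROP TABLE',
    rule_set_name => 'Disabled',
    object_owner  => 'SCOTT',
    object_name   => 'EMP',
    enabled       => DVSYS.DBMS_MACUTL.G_YES);
END;
/

-- Check the result: both command rules on SCOTT.EMP with their rule sets
SELECT command, object_owner, object_name, rule_set_name, enabled
  FROM DVSYS.DBA_DV_COMMAND_RULE
 WHERE object_owner = 'SCOTT' AND object_name = 'EMP';
```

After this, an UPDATE as SCOTT over a listener (TCP) session should fail with the ORA-20001 message while the same statement over a BEQ session succeeds, matching the two logins shown on the preceding slides.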

63 HOWTO use Rule Sets, Factors, and secure Application roles Rule Set: o Rule sets are used from within command rules, to determine assignment of factors, to assign DV secure application roles, and as part of realm checks. o A rule set can be of two types—an OR set evaluates to true if any of its member rules evaluates to true and an AND set evaluates to true if all of its member rules evaluate to true.

64 HOWTO use Rule Sets, Factors, and secure Application roles. Rule Set:
o DV comes with a large set of prebuilt rule sets that you can use:
 - Convenience rule sets include:
   - Enabled: use it to allow activity.
   - Disabled: use it to prevent activity.
 - Template rule sets include:
   - Allow Sessions
   - Can Grant Virtual Private Database (VPD) Administration
   - Can Maintain Accounts/Profiles
   - Can Maintain Own Account
   - Check Trigger Init Parameter

65 HOWTO use Rule Sets, Factors, and secure Application roles. Factors: o Factors are variables that you use within rules. o They allow you to define rules that make a decision based on the IP the connection is coming from, the time of day the connection is made, the user making the connection, the proxy user, and pretty much anything that the Oracle database can be aware of.

66 HOWTO use Rule Sets, Factors, and secure Application roles. Factors: o Some of the useful factor API functions are: - DVF.F$CLIENT_IP: use it when you need to base a decision on the client IP from which the connection is made. Example: use it to distinguish a local BEQ connection from a listener connection.


68 HOWTO use Rule Sets, Factors, and secure Application roles. Factors: o Some of the useful factor API functions are: - DVF.F$NETWORK_PROTOCOL: use it when you need to make a decision based on the protocol the database client is using to connect to the server.


70 HOWTO use Rule Sets, Factors, and secure Application roles. Factors: o Some of the useful factor API functions are: - DVF.F$MACHINE: use this factor when you need to make a decision based on the client hostname.

71 HOWTO use Rule Sets, Factors, and secure Application roles. Factors: o Some of the useful factor API functions are:
 - DVF.F$ENTERPRISE_IDENTITY: use this factor to get the enterprise identity of the logged-on user when you use advanced authentication such as Kerberos, RADIUS, or Oracle Internet Directory (OID) authentication.
 - DVF.F$PROXY_ENTERPRISE_IDENTITY: use this factor to get the OID Distinguished Name (DN) when the proxy user is an enterprise user.
 - DVF.F$PROXYUSER: use this factor to get the proxy user as opposed to the user who opened the connection.

72 HOWTO use Rule Sets, Factors, and secure Application roles. Factors: o Some of the useful factor API functions are:
 - DVF.F$IDENTIFICATION_TYPE: use this factor when you need to base your decision on how the user was identified.
 - DVF.F$AUTHENTICATION_METHOD: use this factor to know how the user was authenticated—for example, PASSWORD for database authentication, KERBEROS, SSL, RADIUS, OS, etc.

73 HOWTO use Rule Sets, Factors, and secure Application roles. Factors: o Example: create a new factor to limit CONNECT. - Log in to the DV

74 HOWTO use Rule Sets, Factors, and secure Application roles. Secure Application Roles: o These are roles within the database that depend on a rule set. o DV secure application roles are enabled based on the outcome of a DV rule set. o DV secure application roles allow you to better control the privileges that you assigned to these roles.

75 HOWTO Disable and Enable DV. Disable DV:
o Check whether DV is disabled or enabled:
SELECT * FROM V$OPTION WHERE PARAMETER = 'Oracle Database Vault';
o If DV is enabled, the following output appears:

76 HOWTO Disable and Enable DV o Stop the database, Database Control console process, and listener.

77 HOWTO Disable and Enable DV o Disable the Oracle Database Vault option: in the ORACLE_HOME\bin directory, rename the oradvll.dll file to another name, such as oradvll.dll.dbl.

78 HOWTO Disable and Enable DV o Restart the database, Database Control console process, and listener.

79 HOWTO Disable and Enable DV o If the reason you needed to disable Oracle Database Vault was because of forgotten passwords, then connect as SYS or SYSTEM and reset the password.

80 HOWTO Disable and Enable DV At a command prompt, run Oracle Database Vault Configuration Assistant (DVCA) by using the dvca -action disable option.

81 HOWTO Disable and Enable DV Connect to SQL*Plus as SYS using the SYSDBA privilege, and then run the following ALTER TRIGGER statement:

82 HOWTO Disable and Enable DV Enable DV: o At a command prompt, use DVCA to reenable Oracle Database Vault.

83 HOWTO Disable and Enable DV
o Stop the database, Database Control console process, and listener.
o Enable the Oracle Database Vault option: rename the backed-up copy of the oradvll.dll file (for example, oradv11.dll.dbl) back to oradvll.dll. Ensure that the name of the Oracle Label Security executable is oralbacll.dll (and not oralbacll.dll.dbl or some other backup name).
o Restart the database, Database Control console process, and listener.

84 HOWTO Disable and Enable DV


86 HOWTO Use Reports in DV. Reports in DV: DV configuration issue reports, DV auditing reports, and general security reports.

87 HOWTO Use Reports in DV

88 The configuration issue reports show information about problems involving command rules, factors, realm authorizations, etc.

89 HOWTO Use Reports in DV The DV auditing reports show information on activities that caused DV audit records to be reported based on your definitions.

90 HOWTO Use Reports in DV. The list of general security reports available to you (by category) is:


94 HOWTO Better Understand DV’s Impact on Performance. DV introduces quite a lot of security functionality, and nothing comes for free. You should understand the effect of each of these features on the performance of your database.

95 HOWTO Better Understand DV’s Impact on Performance Realms and performance – As a rule of thumb, the performance impact of realms is negligible and can add ~1–3 percent CPU overhead. – In any case, you should completely avoid enclosing a realm within another realm as this will adversely affect performance.

96 HOWTO Better Understand DV’s Impact on Performance. Command rules and performance – Most of the effect command rules have on performance is caused by badly designed rule sets and the procedures that are fired by rule sets. – If you make sure that your rule sets are simple, command rule overhead on DML operations can be reduced to as low as 1–5 percent.

97 HOWTO Better Understand DV’s Impact on Performance Rule sets and performance – Rule sets are the most dangerous in terms of effect on performance and you should review them very carefully – In terms of design, the more rules you have and the more complex the rules are, the more performance impact you will see.

98 HOWTO Better Understand DV’s Impact on Performance. Factors and performance – There are two evaluation types for factors: by-session and by-access. Factors can affect performance mainly in two cases. – By-access factors should be avoided if possible; almost all commonly used factors are by-session factors. – You should delete all by-session factors that you do not use, to limit the impact on performance.

99 HOWTO Better Understand DV’s Impact on Performance DV auditing and performance – Enable only the DV auditing that you are required to collect.

100 HOWTO Better Understand DV’s Impact on Performance

101 Miscellaneous Discussion – Is Auditing Alone Enough? This is almost a philosophical discussion and there is no right or wrong answer—it is subjective, as are many things in security. You should remember the following points: – Systems that prevent usually imply less work on an ongoing basis than systems that monitor and audit. – Auditors and regulators look for preventive controls.

102 Miscellaneous Discussion – Is Auditing Alone Enough? – There is a big difference between the need to monitor or track changes and alert when DV is disabled and the need to monitor and review all DBA activity. – Real prevention is different from prevention based on deterrence. Oracle has DV, none of the other database platforms has an equivalent capability. – You need to understand these tradeoffs and make an educated decision.
