Database Vault – In Practice Stefan P Knecht Senior Consultant Stefan.Knecht@trivadis.com Freiburg, 29.01.2008
About me Consultant at Trivadis AG, Switzerland Interests stefan.knecht@trivadis.com www.trivadis.com Interests Database Performance Oracle Security *nix 8 years of *nix experience 5 years of Oracle experience Oracle Database Vault - In practice
Agenda The Goal Introduction The SYSDBA story OS Administrator Experiences & Suggestions Data are always part of the game. Oracle Database Vault - In practice
The goal of Oracle Database Vault (1) Oracle has extended its security concepts for several releases, to ensure that only authorized users can view and edit data: User and role concept Auditing, Fine Grained Auditing Virtual Private Database (Row Level Security) RMAN Backup Encryption Secure Application Roles Transparent Data Encryption Secure Backup Encryption and integrity checking in networking But none of these features made it possible to prevent a DBA from viewing sensitive data Oracle Database Vault - In practice
The goal of Oracle Database Vault (2) That's the primary goal of Oracle Database Vault (DBV) It also enforces a strong separation of duty It provides enhanced controls to authorize connections to the database "Oracle Database Vault provides a solution to help customers address the most difficult security problems remaining today" Source:"Oracle Database Vault Data Sheet": To put it in laymen's terms, it provides additional filters when "ANY" system privileges are used Oracle Database Vault - In practice
Agenda The Goal Introduction The SYSDBA story OS Administrators Experiences & Suggestions Data are always part of the game. Oracle Database Vault - In practice
Introduction to Database Vault (1) Source: Oracle Corporation Oracle Database Vault - In practice
Introduction to Database Vault (2) Realms protect data at schema / object level Predefined realms exist Database Vault Account Management Oracle Data Dictionary Oracle Database Vault Oracle Enterprise Manager User-defined realms can be created Access can be granted individually Command Rules restrict access to DML / DDL Predefined command rules are created during installation i.e. ALTER USER restricted to “Can maintain own account” Oracle Database Vault - In practice
Introduction to Database Vault (3) Rules Can be any PL/SQL code that verifies the user In combination with factors, can restrict access based on virtually any condition Rule Sets Groups rules into a set for combined evaluation Defined either ANY true or ALL true Use to conditionally allow realm authorisations Determine when to allow a command rule To enable a secure application role Oracle Database Vault - In practice
Introduction to Database Vault (4) DV_OWNER (DBV Owner Role) Superuser – controls DVSYS schema and all realms DV_ADMIN (DBV Configuration Administrator) Execute privilege on DVSYS.DBMS_MACADM (managing realms) DV_SECANALYST (DBV Security Analyst) Select privilege on DVSYS schema objects Can verify configuration and view DBV reports DV_ACCTMGR Can create and manage database users and roles But a DBA is still needed to grant privileges Oracle Database Vault - In practice
Introduction to Database Vault (5) Custom “duties” can be created using supplied roles DV_ACCTMGR DV_ADMIN DV_OWNER DV_PUBLIC DV_REALM_OWNER DV_REALM_RESOURCE DV_SECANALYST Oracle Database Vault - In practice
Flowchart Oracle Database Vault - In practice
Flowchart Oracle Database Vault - In practice
Flowchart Das ist etwas widersprüchlich, Oracle sagt gemäss Dokumentation 3.8, Is the database account using a system ANY privilege to execute the SQL statement? Das stimmt aber auch nicht auf jeden Fall gemäss Oracle Support sollte es aber auf system privilegien basieren. Habe dazu einen Doc Bug offen: 1. Is the database account using a system ANY privilege to execute the SQL statement? If YES -> 2. else -> 6. But the GRANT command executed as the Object Owner doesn't work if we are not the Owner of the Realm. I think this is an normal behavour written in Point 3. but then the point 1. is wrong, it then should be something like: Is the database account using a system ANY privilege or using a GRANT/REVOKE to execute the SQL statement goto 2. else to 6. . Wouldn't it be better then to just specify : 1. Is the database account using a system privilege to execute the SQL statement? Oracle Database Vault - In practice
Flowchart Oracle Database Vault - In practice
Flowchart Oracle Database Vault - In practice
Flowchart Oracle Database Vault - In practice
Flowchart Oracle Database Vault - In practice
Flowchart Oracle Database Vault - In practice
Flowchart Oracle Database Vault - In practice
Agenda The Goal Introduction The SYSDBA story OS Administrators Experiences & Suggestions Data are always part of the game. Oracle Database Vault - In practice
SYSDBA (1) SYSDBA has all the privileges in an Oracle Database Per default, SYSDBA is completely disabled This is achieved by modifying the password file to include an additional flag (nosysdba) To re-enable it, a new password file has to be created Where possible, use of SYSOPER is encouraged instead orapwd file=<File> password=<PW> nosysdba=n Oracle Database Vault - In practice
SYSDBA Certain tools however, still require the use of SYSDBA RMAN Data Guard Real Application Clusters Data Pump (only with DBV – "fixed" with MLR Patch 6194897) Installation of software (and patches) CREATE / DROP Database Automatic Storage Management Oracle 11g has already reduced the need for SYSDBA ASM no longer needs it According to future plans in Oracle development SYSDBA will no longer be mandatory for basic operation procedures Oracle Database Vault - In practice
SYSDBA SYSDBA is per default OS-authenticated in Oracle With DBV, this behaviour is inconsistent between versions According to the documention, it's disabled – logging in without specifying a password is not possible In DBV 9.2.0.8, 11g and 10.2.0.3 with MLR 6194897 it's enabled In DBV 10.2.0.2 and 10.2.0.3 it's disabled Discussions with Oracle are still undergoing about the "final" implementation of this feature Some "lazy" customers request it to be enabled Some security conscious customers request it to be disabled Perhaps it will be configurable with a parameter soon, and hopefully a parameter inside the database Oracle Database Vault - In practice
SYSDBA In current versions of Oracle Database Vault, unresolved vulnerabilities exist where SYS can view protected data With MLR Patch 6194897 or 6495033 installed: SYS can export anything and everything SYS can read anything and everything In all versions: SYS can update base tables (user$) and unlock critical accounts SYS is used to install patches – DBV has to be disabled Oracle Database Vault - In practice
Agenda The Goal Introduction The SYSDBA story OS Administrators Experiences & Suggestions Data are always part of the game. Oracle Database Vault - In practice
OS Administrators The documentation states: "Oracle Database Vault does not provide protection against the operating system root access. " "Oracle Database Vault does not provide protection against the operating system access of the Oracle software owner. " This is a common misunderstanding Due to the intense marketing by Oracle, many people believe database vault to be a fire-and-forget solution that will solve all the security issues related to data access within Oracle Perhaps the above comments should be in the beginning of the manual, and not hidden at the very end of it Oracle Database Vault - In practice
On-line relink of Oracle (1) On various operating systems, that do not use exclusive locks on open files, it's possible to re-link the Oracle binary (without DBV option) on-the-fly. Thereby gaining access to all data. A warning is printed to the alert log, along with a hint on how to suppress it cd $ORACLE_HOME/rdbms/lib make -f ins_rdbms.mk dv_off cd $ORACLE_HOME/bin relink oracle Hier sollte Oracle crashen WARNING: Oracle executable binary mismatch detected. Binary of new process does not match binary which started instance issue alter system set "_disable_image_check" = true to disable these messages Oracle Database Vault - In practice
On-line relink of Oracle (2) Status: "Under investigation / Being fixed in main codeline" Oracle won't say what they'll change, but hopefully it'll prevent misuse of the feature, while still allowing (presumably) rolling upgrades Oracle Database Vault - In practice
Datafile access No matter how data is stored in Oracle It always ends up in a datafile Some datafiles can't be encrypted (including 11g) – for example SYSTEM tablespace A skilled OS administrator can view the data straight out of the datafiles, or even alter passwords without needing access to the database instance Up to 10gR2 Oracle even shipped a binary block editor (BBED) No longer included in 11g, key libraries not shipped with the release Hier sollte Oracle crashen Oracle Database Vault - In practice
Agenda The Goal Introduction The SYSDBA story OS Administrator Experiences & Suggestions Data are always part of the game. Oracle Database Vault - In practice
Experiences & Suggestions (1) Various Oracle products are not working correctly with DBV installed Some examples: Oracle Application Express (APEX) Oracle Warehouse Builder (OWB) Oracle plans to release specific DBV-Rulesets for its own applications Peoplesoft already released on OTN Some issues fixed with MLR Patch 6194897 or 6495033 For security reasons, DO NOT INSTALL THESE PATCHES !!! However, rather live with the bugs / workarounds Oracle Database Vault - In practice
Experiences & Suggestions (2) RMAN is a must You have to enable SYSDBA (but only temporarily) Password-File can be "switched" on-the-fly You can leave OS-authentication disabled (config.c/h) Change ownership of config.c to root:root (and mode 444) Starting with 10.2 you can use Secure External Password Store for RMAN to connect to the database Use strict separation of duty and very restrictive permissions on OS level to achieve a secure environment where only 1 user can execute RMAN and connect to the database Oracle Database Vault - In practice
Experiences & Suggestions (3) Protection from OS access Currently a concept is in the works Make use of advanced OS security functionality SE-Linux on Linux Solaris provides RBAC and other mechanisms Use strict account separation DBAs don't get permanent access to the Oracle software owner They don't even share the same group The account only needs to be unlocked to perform software installations Encrypt your sensitive data Better safe than sorry, don't trust in DBV blindly Oracle Database Vault - In practice
Experiences & Suggestions (4) Don't use the GUI It has many bugs in current versions Write scripts instead, they're easily reproducable DBMS_MACADM Can create realms, rule sets, rules and command rules Grant authorisations to realms Manage factors DBMS_MACUTL Provides functions to use to define your rules Raise database vault violation exceptions (ORA-20920) Oracle Database Vault - In practice
Experiences & Suggestions (5) Full export / import Is some tricky business with DBV installed You have to disable DBV (obviously) to export and import DVF schema contains internal DBV functions They call procedures in DVSYS DVF has no object privileges, and only CREATE SESSION You won't be able to recompile these after import How to get them valid ? DBV option contains hard-coded grants on DVSYS to DVF Not visible anywhere Only when you re-enable DBV, you'll be able to compile the objects Feels like magic, somewhat scary isn't it Oracle Database Vault - In practice
Experiences & Suggestions (6) Auditing objects modified on installation When installing DBV AUD$ gets moved to SYSTEM SYS gets a private synonym From catlbacs.sql CREATE TABLE SYSTEM.aud$ AS SELECT * FROM aud$; DROP TABLE AUD$; Installation can take *very long* when you've got a large AUD$ table It can blow up your SYSTEM tablespace Prepare for this before you install DBV If you have moved AUD$ to a dedicated tablespace It will end up in SYSTEM after installation ... unless you modify the script to include a TABLESPACE clause Oracle Database Vault - In practice
Experiences & Suggestions (7) Patch Installation on 10.2 To install a patch, DBV has to be disabled catmac.sql has to be re-executed To minimize your downtime, comment out the 106'253 INSERT INTO sys.db_profile_dict$ statements You'll get 106'254 unique constraint violations (ORA-00001) Fixed in 11g In Release 11g, Oracle has fixed this issue Dictionary is no longer reloaded during patch installation Oracle Database Vault - In practice
Experiences & Suggestions (8) Keep an eye on your DBAs ;-) Oracle Database Vault - In practice
WAIT #0 nam='sql*net message from client' ela=? www.trivadis.com