A First Look at Database Vault
David Bergmeier
Agenda
  - Overview
  - Installation
  - Limitations
  - Securing Data
  - Backups
  - A trigger problem
About me
  - Senior Oracle DBA
  - Worked for MGA nearly 2 years
  - Background as an Analyst/Programmer
  - 12 years in financial services industry
  - Started using Oracle in 1996
Overview
  Why Oracle Database Vault?
  - Don’t trust the DBA
  - Regulatory Compliance (e.g. Sarbanes Oxley)
  - Separation of duties
Separation of duties
    connect / as sysdba
    create user david...
    grant dba to david;
    select * from scott.emp;
Prerequisites
  - Oracle MB of Physical RAM
  - Swap space (1.5 times RAM)
  - 400 MB in /tmp
  - 270 MB for database vault binaries
  - 10 MB additional for database files
  - Installation assumes one instance per Oracle home
  - But can support more
Installation
  - User to receive DV_OWNER role
  - Passwords must contain alphabetic, numeric and special characters
  - User to receive DV_ACCTMGR role
The First Problem
  - Let’s start the database
  - I cannot log in as SYSDBA
  - So how do I start/stop Oracle?
    connect / as SYSOPER
Securing Some Data
    $ lsnrctl start
    $ emctl start dbconsole

    $ sqlplus system/manager
    SQL> select * from scott.emp;
    rows selected.
    SQL>
What is a Realm?
  A realm is a functional grouping of schemas and roles that are secured.
  [Diagram: one Realm has many Secured Objects and many Authorizations]
Securing Some Data
    SQL> select * from scott.emp;
    select * from scott.emp
                        *
    ERROR at line 1:
    ORA-01031: Insufficient Privileges
    SQL>

    SQL> select * from scott.dept;
    DEPTNO DNAME      LOC
           ACCOUNTING NEW YORK
        20 RESEARCH   DALLAS
        30 SALES      CHICAGO
        40 OPERATIONS BOSTON
    SQL>

  That’s the end of the tutorial. So now let’s consider a real world application.
Real world Example
  - Application server connects to database as single user
  - Support users connect with individual accounts with read-only access
  [Diagram: SCOTT owns EMP and grants select, insert, update, delete to scott_app_user and select to scott_ro_role; the role is granted to scott_ro]
Create User
    SQL> connect system/manager
    SQL> create user scott_app_user
    2> identified by tiger
    3> default tablespace USERS;
    identified by tiger
    *
    ERROR at line 2:
    ORA-01031: Insufficient Privileges

    SQL> connect dbu/manager
    SQL> create user scott_app_user
    2> identified by tiger
    3> default tablespace USERS;
    User created.
    SQL> grant connect to scott_app_user;

    SQL> connect dbu/manager
    SQL> create user scott_ro
    2> identified by tiger
    3> default tablespace USERS;
    User created.
    SQL> grant connect to scott_ro;
Create Role
    SQL> connect system/manager
    SQL> create role scott_ro_role;
    Role created.
    SQL> grant scott_ro_role to scott_ro;
    Grant succeeded.
    SQL>
Grants
    SQL> connect scott/tiger
    SQL> grant select,insert,update, delete on emp to scott_app_user;
    Grant succeeded.
    SQL> grant select on emp to scott_ro_role;
    Grant succeeded.
    SQL>
Real world Example
  Now to test it...
Testing scott_ro
    SQL> connect scott_ro/tiger
    SQL> select * from scott.emp;
    14 rows selected.
    SQL> delete from scott.emp;
    delete from scott.emp
                      *
    ERROR at line 1:
    ORA-01031: Insufficient Privileges
Testing scott_app_user
    SQL> connect scott_app_user/tiger
    SQL> select * from scott.emp;
    14 rows selected.
    SQL> delete from scott.emp;
    14 rows deleted.
    SQL> rollback;
Testing system
    SQL> connect system/manager
    SQL> select * from scott.emp;
    14 rows selected.
    SQL> delete from scott.emp;
    delete from scott.emp
                      *
    ERROR at line 1:
    ORA-01031: Insufficient Privileges
What went wrong?
    SQL> connect system/manager
    SQL> select * from session_roles;
    ROLE
    DV_PUBLIC
    DBA
    ...
    SCOTT_RO_ROLE
    14 rows selected.
    SQL>

  How did SYSTEM get SCOTT_RO_ROLE?

    SQL> connect system/manager
    SQL> create role foo;
    Role created.
    SQL> set role all;
    Role set.
    SQL> select * from session_roles;
    ROLE
    DV_PUBLIC
    ...
    FOO

  Creating a role automatically grants it to the creator, and SYSTEM created SCOTT_RO_ROLE.
  So now we have a problem! If we only revoke the role, SYSTEM can grant it again. How do we prevent this?
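An added audit query (not from the original slides) for the situation above: it lists every account or role that reaches a role holding privileges on SCOTT.EMP, directly or through nested roles, and then every grantee of GRANT ANY ROLE. It assumes the session can read the DBA_* dictionary views, for example through SELECT_CATALOG_ROLE.

```sql
-- Added example, not from the slides.
-- Assumption: the session can read DBA_TAB_PRIVS, DBA_ROLES,
-- DBA_ROLE_PRIVS and DBA_SYS_PRIVS.

-- 1. Roles with any object privilege on SCOTT.EMP, and everyone who
--    holds them. A role creator shows up here with ADMIN_OPTION = 'YES'
--    and DEFAULT_ROLE = 'YES', which is how SYSTEM ended up with
--    SCOTT_RO_ROLE enabled in its session.
WITH emp_roles AS (
  SELECT DISTINCT tp.grantee AS role_name
  FROM   dba_tab_privs tp
  JOIN   dba_roles r ON r.role = tp.grantee
  WHERE  tp.owner = 'SCOTT'
  AND    tp.table_name = 'EMP'
)
SELECT CONNECT_BY_ROOT rp.granted_role AS emp_role,
       rp.grantee,
       rp.granted_role AS via_role,   -- differs from emp_role for nested grants
       rp.admin_option,               -- 'YES' means the grantee can re-grant via_role
       rp.default_role,               -- 'YES' means it is enabled at logon
       LEVEL AS depth                 -- 1 = direct grant, >1 = through nested roles
FROM   dba_role_privs rp
START WITH rp.granted_role IN (SELECT role_name FROM emp_roles)
CONNECT BY NOCYCLE PRIOR rp.grantee = rp.granted_role
ORDER BY emp_role, depth, rp.grantee;

-- 2. Accounts and roles that can grant any role to themselves again
--    after a revoke, unless the role is protected by a realm.
SELECT grantee, admin_option
FROM   dba_sys_privs
WHERE  privilege = 'GRANT ANY ROLE'
ORDER BY grantee;
```

Any grantee in the first result that is not an intended support account, and any unexpected grantee in the second, is a path around the read-only design.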
Remove the Role
    SQL> connect system/manager
    SQL> drop role scott_ro_role;
    Role dropped.
    SQL> select * from session_roles;
    ROLE
    DV_PUBLIC
    ...
    MGMT_USER
    13 rows selected.
    SQL>
Problem with DV_ACCTMGR
  DV_ACCTMGR has
  - create/drop user
  - alter user account lock/unlock
  - alter user password expire
  - grant/revoke CONNECT role
  DV_ACCTMGR needs
  - create role
  - alter any role
  - drop any role
  - SELECT_CATALOG_ROLE
  To get these, we need to log in as SYSDBA
Allow SYSDBA
    $ cd $ORACLE_HOME/dbs
    $ orapwd file=orapwmozart password=mozart entries=20 force=y nosysdba=n
    $ sqlplus sys/mozart as sysdba
    SQL> startup
    SQL> alter user sys identified by mozart;
Grants to DV_ACCTMGR
    SQL> connect sys/mozart as sysdba
    SQL> grant create role to DV_ACCTMGR;
    SQL> grant alter any role to DV_ACCTMGR;
    SQL> grant drop any role to DV_ACCTMGR;
SELECT_CATALOG_ROLE
Fixing DV_ACCTMGR
Create Role as DV_ACCTMGR
    SQL> connect dbu/manager
    SQL> create role scott_ro_role;
    Role created.
    SQL>
  At this stage we delay granting scott_ro_role
Securing SCOTT_RO_ROLE
Granting SCOTT_RO_ROLE
    SQL> connect dbu/manager
    SQL> grant scott_ro_role to scott_ro;
    grant scott_ro_role to scott_ro
    *
    ERROR at line 1:
    ORA-47401: Realm violation for grant role privilege on SCOTT_RO_ROLE
  So who can/should do the grant of SCOTT_RO_ROLE?
  Answer: SCOTT
  Provided SCOTT can only grant SCOTT_RO_ROLE and not other roles like DBA.
  One more grant as SYSDBA
    SQL> connect sys/mozart as sysdba
    SQL> grant grant any role to scott;
    Grant succeeded.
    SQL>

    SQL> connect scott/tiger
    SQL> grant scott_ro_role to scott_ro;
    Grant succeeded.
    SQL> revoke scott_ro_role from dbu;
    Revoke succeeded.
    SQL>
    SQL> connect scott/tiger
    SQL> grant DBA to scott;
    grant DBA to scott
    *
    ERROR at line 1:
    ORA-00604: error occurred at recursive SQL level 1
    ORA-47401: Realm violation for grant role privilege on UNLIMITED TABLESPACE.

  WHY?
  The DBA role is protected by the “Oracle Data Dictionary” Realm.
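The realm setup this walkthrough relies on, written against the DVSYS.DBMS_MACADM API as an added example (not taken from the slides). The realm name is made up, and authorizing SCOTT as realm owner is an assumption based on the "Realm authorizations" step the deck lists for DV_ADMIN; run it as the Database Vault owner/admin account (dbv in the slides).

```sql
-- Added example, not from the slides.
-- 'SCOTT EMP Realm' is an assumed realm name.
BEGIN
  DVSYS.DBMS_MACADM.CREATE_REALM(
    realm_name    => 'SCOTT EMP Realm',
    description   => 'SCOTT.EMP and the role that exposes it',
    enabled       => DVSYS.DBMS_MACUTL.G_YES,
    audit_options => DVSYS.DBMS_MACUTL.G_REALM_AUDIT_FAIL);

  -- Protect EMP only. SCOTT.DEPT is left outside the realm, matching the
  -- tutorial where SYSTEM could still read scott.dept.
  DVSYS.DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'SCOTT EMP Realm',
    object_owner => 'SCOTT',
    object_name  => 'EMP',
    object_type  => 'TABLE');

  -- Protect the role itself, so holders of GRANT ANY ROLE outside the
  -- realm get ORA-47401 when they try to grant it.
  -- Roles have no schema, so the owner is given as the % wildcard.
  DVSYS.DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'SCOTT EMP Realm',
    object_owner => '%',
    object_name  => 'SCOTT_RO_ROLE',
    object_type  => 'ROLE');

  -- Assumption: SCOTT is authorized as realm owner. Together with the
  -- GRANT ANY ROLE privilege this lets SCOTT grant SCOTT_RO_ROLE, while
  -- roles in other realms (such as DBA) stay out of reach.
  DVSYS.DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name   => 'SCOTT EMP Realm',
    grantee      => 'SCOTT',
    auth_options => DVSYS.DBMS_MACUTL.G_REALM_AUTH_OWNER);
END;
/

-- Review what the realm covers and who is authorized in it.
SELECT owner, object_name, object_type
FROM   dvsys.dba_dv_realm_object
WHERE  realm_name = 'SCOTT EMP Realm';

SELECT grantee, auth_options
FROM   dvsys.dba_dv_realm_auth
WHERE  realm_name = 'SCOTT EMP Realm';
```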
  Now to test it... Again
Testing scott_ro again
    SQL> connect scott_ro/tiger
    SQL> select * from scott.emp;
    14 rows selected.
    SQL> delete from scott.emp;
    delete from scott.emp
                      *
    ERROR at line 1:
    ORA-01031: Insufficient Privileges
Testing scott_app_user
    SQL> connect scott_app_user/tiger
    SQL> select * from scott.emp;
    14 rows selected.
    SQL> delete from scott.emp;
    14 rows deleted.
    SQL> rollback;
Testing system again
    SQL> connect system/manager
    SQL> select * from scott.emp;
    ERROR at line 1:
    ORA-01031: Insufficient Privileges
    SQL> delete from scott.emp;
    ERROR at line 1:
    ORA-01031: Insufficient Privileges
Testing SYSDBA
    SQL> connect sys/mozart as sysdba
    SQL> select * from scott.emp;
    ERROR at line 1:
    ORA-01031: Insufficient Privileges
    SQL> delete from scott.emp;
    ERROR at line 1:
    ORA-01031: Insufficient Privileges
Testing DV_ACCTMGR
    SQL> connect dbu/manager
    SQL> select * from scott.emp;
    ERROR at line 1:
    ORA-01031: Insufficient Privileges
    SQL> delete from scott.emp;
    ERROR at line 1:
    ORA-01031: Insufficient Privileges
Testing DV_ADMIN
    SQL> connect dbv/manager
    SQL> select * from scott.emp;
    ERROR at line 1:
    ORA-01031: Insufficient Privileges
    SQL> delete from scott.emp;
    ERROR at line 1:
    ORA-01031: Insufficient Privileges
Separation of Duties
  Let’s review the actions performed by each of the different users/roles
  SYS as SYSDBA
  - Grant role privileges to DV_ACCTMGR (one time)
  - Grant “grant any role” to SCOTT (once per application)
  DV_ADMIN (user = dbv)
  - Realm authorizations (once per application)
  - Command Rules (one time)
  DV_ACCTMGR (user = dbu)
  - Create user (ongoing)
  - Grant connect (ongoing)
  - Create role (once per app)
  Schema owner (SCOTT)
  - Grant object privileges (once per application)
  - Grant SCOTT_RO_ROLE (ongoing)
  DBA (user = system)
  - Nothing
Backups
  Impact of Backups
  - Export
  - Data Pump
  - RMAN
  Export
  - Lots of ORA
  - Will be unable to Import
  - Not viable
  Data Pump
  - Not tested
  RMAN
  - Requires SYSDBA access
  - May need to hardcode SYS password or use wallet
  - Works successfully
Trigger Problem
  Error creating trigger
  - Minor changes to whitespace in trigger source caused compile success/failure
  - Known Bug: ORA-47999: internal Database Vault error: create trigger
  Workaround available
  1. Login as dv_owner account
       alter trigger dvsys.DV_BEFORE_DDL_TRG disable
  2. Login as SCOTT and create trigger
  3. Login as dv_owner account
       alter trigger dvsys.DV_BEFORE_DDL_TRG enable
Conclusion
  - You probably don’t need Database Vault
  - It’s a trade-off between more security and more bureaucracy
  - It seems to work okay but there are some bugs
  - Typical workarounds involve deactivating Database Vault
The End
  Thank you for your attendance