
Database Vault – In Practice


1 Database Vault – In Practice
Stefan P Knecht, Senior Consultant
Freiburg,

2 About me
- Consultant at Trivadis AG, Switzerland
- Interests: Database Performance, Oracle Security, *nix
- 8 years of *nix experience
- 5 years of Oracle experience
Oracle Database Vault - In practice

3 Agenda
- The Goal
- Introduction
- The SYSDBA story
- OS Administrator
- Experiences & Suggestions
Data are always part of the game.

4 The goal of Oracle Database Vault (1)
Oracle has extended its security concepts over several releases to ensure that only authorized users can view and edit data:
- User and role concept
- Auditing, Fine Grained Auditing
- Virtual Private Database (Row Level Security)
- RMAN Backup Encryption
- Secure Application Roles
- Transparent Data Encryption
- Secure Backup
- Encryption and integrity checking in networking
But none of these features made it possible to prevent a DBA from viewing sensitive data.

5 The goal of Oracle Database Vault (2)
- That is the primary goal of Oracle Database Vault (DBV)
- It also enforces a strong separation of duty
- It provides enhanced controls to authorize connections to the database
"Oracle Database Vault provides a solution to help customers address the most difficult security problems remaining today"
Source: "Oracle Database Vault Data Sheet":
- To put it in layman's terms, it provides additional filters when "ANY" system privileges are used

6 Agenda
- The Goal
- Introduction
- The SYSDBA story
- OS Administrators
- Experiences & Suggestions
Data are always part of the game.

7 Introduction to Database Vault (1)
Source: Oracle Corporation

8 Introduction to Database Vault (2)
- Realms protect data at schema / object level
- Predefined realms exist:
  - Database Vault Account Management
  - Oracle Data Dictionary
  - Oracle Database Vault
  - Oracle Enterprise Manager
- User-defined realms can be created
- Access can be granted individually
- Command Rules restrict access to DML / DDL
- Predefined command rules are created during installation, e.g. ALTER USER restricted to "Can maintain own account"

9 Introduction to Database Vault (3)
- Rules
  - Can be any PL/SQL code that verifies the user
  - In combination with factors, can restrict access based on virtually any condition
- Rule Sets
  - Group rules into a set for combined evaluation
  - Evaluated as either ANY true or ALL true
  - Used to conditionally allow realm authorisations
  - Determine when to allow a command rule
  - Used to enable a secure application role

10 Introduction to Database Vault (4)
- DV_OWNER (DBV Owner Role): superuser, controls the DVSYS schema and all realms
- DV_ADMIN (DBV Configuration Administrator): execute privilege on DVSYS.DBMS_MACADM (managing realms)
- DV_SECANALYST (DBV Security Analyst): select privilege on DVSYS schema objects; can verify the configuration and view DBV reports
- DV_ACCTMGR: can create and manage database users and roles, but a DBA is still needed to grant privileges

11 Introduction to Database Vault (5)
Custom "duties" can be created using the supplied roles:
- DV_ACCTMGR
- DV_ADMIN
- DV_OWNER
- DV_PUBLIC
- DV_REALM_OWNER
- DV_REALM_RESOURCE
- DV_SECANALYST

12 Flowchart

13 Flowchart

14 Flowchart
Speaker notes: This is somewhat contradictory. According to the documentation (section 3.8), Oracle says: "Is the database account using a system ANY privilege to execute the SQL statement?" But that is not correct in every case either; according to Oracle Support it should be based on system privileges. I have a documentation bug open about this:
1. Is the database account using a system ANY privilege to execute the SQL statement? If YES -> 2. else -> 6.
But the GRANT command executed as the object owner doesn't work if we are not the owner of the realm. I think this is normal behaviour, as written in point 3, but then point 1 is wrong; it should then be something like: "Is the database account using a system ANY privilege or using a GRANT/REVOKE to execute the SQL statement? goto 2. else to 6." Wouldn't it be better then to just specify: 1. Is the database account using a system privilege to execute the SQL statement?

15 Flowchart

16 Flowchart

17 Flowchart

18 Flowchart

19 Flowchart

20 Flowchart

21 Agenda
- The Goal
- Introduction
- The SYSDBA story
- OS Administrators
- Experiences & Suggestions
Data are always part of the game.

22 SYSDBA (1)
- SYSDBA has all the privileges in an Oracle Database
- By default, SYSDBA is completely disabled
- This is achieved by modifying the password file to include an additional flag (nosysdba)
- To re-enable it, a new password file has to be created:
  orapwd file=<File> password=<PW> nosysdba=n
- Where possible, use of SYSOPER is encouraged instead

23 SYSDBA
Certain tools, however, still require the use of SYSDBA:
- RMAN
- Data Guard
- Real Application Clusters
- Data Pump (only with DBV – "fixed" with MLR Patch )
- Installation of software (and patches)
- CREATE / DROP Database
- Automatic Storage Management
Oracle 11g has already reduced the need for SYSDBA:
- ASM no longer needs it
- According to future plans in Oracle development, SYSDBA will no longer be mandatory for basic operation procedures

24 SYSDBA
- By default, SYSDBA is OS-authenticated in Oracle
- With DBV, this behaviour is inconsistent between versions
  - According to the documentation, it's disabled – logging in without specifying a password is not possible
  - In DBV , 11g and with MLR it's enabled
  - In DBV and it's disabled
- Discussions with Oracle about the "final" implementation of this feature are still ongoing
  - Some "lazy" customers request it to be enabled
  - Some security conscious customers request it to be disabled
- Perhaps it will be configurable with a parameter soon, and hopefully a parameter inside the database

25 SYSDBA
In current versions of Oracle Database Vault, unresolved vulnerabilities exist where SYS can view protected data:
- With MLR Patch or installed:
  - SYS can export anything and everything
  - SYS can read anything and everything
- In all versions:
  - SYS can update base tables (user$) and unlock critical accounts
  - SYS is used to install patches – DBV has to be disabled

26 Agenda
- The Goal
- Introduction
- The SYSDBA story
- OS Administrators
- Experiences & Suggestions
Data are always part of the game.

27 OS Administrators
The documentation states:
"Oracle Database Vault does not provide protection against the operating system root access."
"Oracle Database Vault does not provide protection against the operating system access of the Oracle software owner."
- This is a common misunderstanding
- Due to the intense marketing by Oracle, many people believe Database Vault to be a fire-and-forget solution that will solve all the security issues related to data access within Oracle
- Perhaps the above comments should be at the beginning of the manual, and not hidden at the very end of it

28 On-line relink of Oracle (1)
- On operating systems that do not take exclusive locks on open files, it is possible to re-link the Oracle binary (without the DBV option) on the fly, thereby gaining access to all data.
- A warning is printed to the alert log, along with a hint on how to suppress it:
  cd $ORACLE_HOME/rdbms/lib
  make -f ins_rdbms.mk dv_off
  cd $ORACLE_HOME/bin
  relink oracle
  (Speaker note: Oracle should crash here)
  WARNING: Oracle executable binary mismatch detected. Binary of new process does not match binary which started instance issue alter system set "_disable_image_check" = true to disable these messages

29 On-line relink of Oracle (2)
- Status: "Under investigation / Being fixed in main codeline"
- Oracle won't say what they'll change, but hopefully it'll prevent misuse of the feature, while still allowing (presumably) rolling upgrades

30 Datafile access
- No matter how data is stored in Oracle, it always ends up in a datafile
- Some datafiles can't be encrypted (including 11g) – for example the SYSTEM tablespace
- A skilled OS administrator can view the data straight out of the datafiles, or even alter passwords, without needing access to the database instance
- Up to 10gR2 Oracle even shipped a binary block editor (BBED)
  - No longer included in 11g; key libraries are not shipped with the release
(Speaker note: Oracle should crash here)

31 Agenda
- The Goal
- Introduction
- The SYSDBA story
- OS Administrator
- Experiences & Suggestions
Data are always part of the game.

32 Experiences & Suggestions (1)
- Various Oracle products do not work correctly with DBV installed. Some examples:
  - Oracle Application Express (APEX)
  - Oracle Warehouse Builder (OWB)
- Oracle plans to release specific DBV rule sets for its own applications
  - PeopleSoft: already released on OTN
- Some issues fixed with MLR Patch or
  - For security reasons, DO NOT INSTALL THESE PATCHES !!!
  - Rather live with the bugs / workarounds instead

33 Experiences & Suggestions (2)
- RMAN is a must
  - You have to enable SYSDBA (but only temporarily)
  - The password file can be "switched" on the fly
  - You can leave OS authentication disabled (config.c/h)
  - Change ownership of config.c to root:root (and mode 444)
- Starting with 10.2 you can use the Secure External Password Store for RMAN to connect to the database
- Use strict separation of duty and very restrictive permissions at OS level to achieve a secure environment where only one user can execute RMAN and connect to the database

34 Experiences & Suggestions (3)
- Protection from OS access
  - Currently a concept is in the works
  - Make use of advanced OS security functionality
    - SELinux on Linux
    - Solaris provides RBAC and other mechanisms
- Use strict account separation
  - DBAs don't get permanent access to the Oracle software owner
  - They don't even share the same group
  - The account only needs to be unlocked to perform software installations
- Encrypt your sensitive data
  - Better safe than sorry; don't trust in DBV blindly

35 Experiences & Suggestions (4)
- Don't use the GUI
  - It has many bugs in current versions
  - Write scripts instead; they're easily reproducible
- DBMS_MACADM
  - Can create realms, rule sets, rules and command rules
  - Grant authorisations to realms
  - Manage factors
- DBMS_MACUTL
  - Provides functions to use when defining your rules
  - Raises Database Vault violation exceptions (ORA-20920)

36 Experiences & Suggestions (5)
- Full export / import is tricky business with DBV installed
  - You have to disable DBV (obviously) to export and import
- The DVF schema contains internal DBV functions
  - They call procedures in DVSYS
  - DVF has no object privileges, and only CREATE SESSION
  - You won't be able to recompile these after import
- How to get them valid?
  - The DBV option contains hard-coded grants on DVSYS to DVF
  - Not visible anywhere
  - Only when you re-enable DBV will you be able to compile the objects
  - Feels like magic; somewhat scary, isn't it?

37 Experiences & Suggestions (6)
Auditing objects modified on installation
- When installing DBV, AUD$ gets moved to SYSTEM
  - SYS gets a private synonym
- From catlbacs.sql:
  CREATE TABLE SYSTEM.aud$ AS SELECT * FROM aud$;
  DROP TABLE AUD$;
- Installation can take *very long* when you've got a large AUD$ table
  - It can blow up your SYSTEM tablespace
  - Prepare for this before you install DBV
- If you have moved AUD$ to a dedicated tablespace, it will end up in SYSTEM after installation ... unless you modify the script to include a TABLESPACE clause
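The preparation this slide asks for, worked through: size the audit trail, check the space it will need, and see what the two catlbacs.sql statements look like once a TABLESPACE clause is added. This is an added example, neither the presentation's nor Oracle's own script: the tablespace AUDIT_TS is an assumed name that must already exist, and the exact wording of the synonym statement in catlbacs.sql is assumed from the slide's description ("SYS gets a private synonym").

```sql
-- Added example (not from the presentation or from catlbacs.sql).
-- Assumed: a pre-created tablespace AUDIT_TS for the audit trail. Run as SYS.

-- 1. How large is the audit trail that the installation will copy with CTAS?
SELECT segment_name, tablespace_name, ROUND(bytes / 1024 / 1024) AS size_mb
  FROM dba_segments
 WHERE owner = 'SYS' AND segment_name = 'AUD$';

-- 2. Free space in SYSTEM: the unmodified script puts the copy here, so this
--    must exceed size_mb or the installation fills up the SYSTEM tablespace.
SELECT tablespace_name, ROUND(SUM(bytes) / 1024 / 1024) AS free_mb
  FROM dba_free_space
 WHERE tablespace_name = 'SYSTEM'
 GROUP BY tablespace_name;

-- 3. Free space in the dedicated tablespace, and quota for the SYSTEM user,
--    which will own the copied table and therefore needs space there.
SELECT tablespace_name, ROUND(SUM(bytes) / 1024 / 1024) AS free_mb
  FROM dba_free_space
 WHERE tablespace_name = 'AUDIT_TS'
 GROUP BY tablespace_name;

ALTER USER system QUOTA UNLIMITED ON audit_ts;

-- 4. The slide's two statements as they read after editing the script: the
--    TABLESPACE clause keeps the trail out of SYSTEM, the private synonym lets
--    SYS keep addressing the table as AUD$. These run as part of the DBV
--    installation, not on their own.
CREATE TABLE system.aud$ TABLESPACE audit_ts AS SELECT * FROM sys.aud$;
DROP TABLE sys.aud$;
CREATE SYNONYM sys.aud$ FOR system.aud$;

-- 5. After installation: confirm where the audit trail actually ended up.
SELECT owner, segment_name, tablespace_name
  FROM dba_segments
 WHERE segment_name = 'AUD$';
```

Step 1 against step 2 is the check that tells you in advance whether the installation will blow up SYSTEM; step 5 is the check that the TABLESPACE clause took effect, which is worth keeping in the post-installation verification script, since a re-run of catlbacs.sql (for instance during a patch installation on 10.2, as described later) can move the table back.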

38 Experiences & Suggestions (7)
Patch installation on 10.2
- To install a patch, DBV has to be disabled
- catmac.sql has to be re-executed
  - To minimize your downtime, comment out the 106'253 INSERT INTO sys.db_profile_dict$ statements
  - You'll get 106'254 unique constraint violations (ORA-00001)
Fixed in 11g
- In Release 11g, Oracle has fixed this issue
- The dictionary is no longer reloaded during patch installation

39 Experiences & Suggestions (8)
Keep an eye on your DBAs ;-)

40 WAIT #0 nam='sql*net message from client' ela=?

