USING ORACLE 10g DATABASE VAULT

CONFIGURING THE DATABASE VAULT OPTION INTO AN EXISTING ORACLE_HOME AND SETTING UP THE DATABASE VAULT OWNER IN THE DATABASE ‘VAULTDB’

The dvca command used (the owner account is dvo):

dvca -action option -oh $ORACLE_HOME -s_path /tmp -logfile /tmp/log.out -owner_account dvo -owner_passwd Salom#2401 -jdbc_str jdbc:oracle:oci:@vaultdb -sys_passwd oracle -nodecrypt -silent

vaultdb:/u02/oracle/10.2/bin> ./dvca -action option -oh $ORACLE_HOME -s_path /tmp -logfile /tmp/log.out -owner_account dvo -owner_passwd Salom#2401 -jdbc_>
DVCA started
Executing task RESTART_SERVICES_PATCH
MANAGE_INSTANCE stop isqlplus
MANAGE_INSTANCE stop OC4J
MANAGE_LISTENER start listener
MANAGE_LISTENER start listener result=/u02/oracle/10.2/bin/dvca_start_listener.sh,1,
MANAGE_LISTENER start listener log=
LSNRCTL for IBM/AIX RISC System/6000: Version 10.2.0.3.0 - Production on 08-OCT-2008 04:10:00

Copyright (c) 1991, 2006, Oracle. All rights reserved.

TNS-01106: Listener using listener name LISTENER has already been started

MANAGE_INSTANCE start RDBMS
Executing task SQLPLUS_CATOLS
Executing task RESTART_SERVICES_OLS
MANAGE_INSTANCE stop isqlplus
MANAGE_INSTANCE stop OC4J
MANAGE_LISTENER start listener
MANAGE_LISTENER start listener result=/u02/oracle/10.2/bin/dvca_start_listener.sh,1,
MANAGE_LISTENER start listener log=
LSNRCTL for IBM/AIX RISC System/6000: Version 10.2.0.3.0 - Production on 08-OCT-2008 04:15:52

Copyright (c) 1991, 2006, Oracle. All rights reserved.

TNS-01106: Listener using listener name LISTENER has already been started

MANAGE_INSTANCE start RDBMS
Executing task SQLPLUS_CATMAC
Executing task UNLOCK_DVSYS
Executing task LOAD_NLS_FILES
Executing task ACCOUNT_CREATE_OWNER
Executing task GRANT_CONNECT_OWNER
Executing task GRANT_ADMIN_DB_TRIG
Executing task GRANT_ALTER_ANY_TRIG
Executing task PASSWORD_CHANGE_DVSYS
Executing task PASSWORD_CHANGE_DVF
RULE_SYNC:TRUE
Executing task GRANT_DV_OWNER_OWNER
Executing task GRANT_DBMS_RLS_OWNER
Executing task GRANT_AUDIT_TRAIL
Executing task GRANT_DV_ACCTMGR_OWNER
COMMAND_RULES:9
Executing task ALTER_TRIGGER_BEFORE_DDL
Executing task ALTER_TRIGGER_AFTER_DDL
Executing task REVOKE_CONNECT_DVSYS
Executing task REVOKE_CONNECT_DVF
Executing task LOCK_DVSYS
Executing task LOCK_DVF
Executing task ALTER_TRIGGER_LBACSYS1
Executing task ALTER_TRIGGER_LBACSYS2
Executing task ALTER_TRIGGER_LBACSYS3
Executing task DEPLOY_DVA
DEPLOY_DVA,validate
DEPLOY_DVA get EM home
DEPLOY_DVA get EM home instance=tmpu008.bankwest.com_vaultdb
DEPLOY_DVA stop isqlplus
DEPLOY_DVA stop OC4J
DEPLOY_DVA,modify /u02/oracle/10.2/oc4j/j2ee/OC4J_DBConsole_tmpu008.bankwest.com_vaultdb/config/server.xml
DEPLOY_DVA,modify /u02/oracle/10.2/oc4j/j2ee/OC4J_DBConsole_tmpu008.bankwest.com_vaultdb/config/http-web-site.xml
Executing task SQLPLUS_UTLRP
Executing task INIT_AUDIT_SYS_OPERATIONS
Executing task INIT_REMOTE_OS_AUTHENT
Executing task INIT_REMOTE_OS_ROLES
Executing task INIT_OS_ROLES
Executing task INIT_SQL92_SECURITY
Executing task INIT_OS_AUTHENT_PREFIX
Executing task INIT_REMOTE_LOGIN_PASSWORDFILE
Executing task INIT_RECYCLEBIN
Executing task RESTART_SERVICES
MANAGE_INSTANCE stop isqlplus
MANAGE_INSTANCE stop OC4J
MANAGE_INSTANCE stop RDBMS
MANAGE_LISTENER stop listener
MANAGE_LISTENER start listener
MANAGE_INSTANCE start RDBMS
MANAGE_INSTANCE start OC4J
vaultdb:/u02/oracle/10.2/bin>

Launch the Oracle Database Vault web application from the URL: http://tmpu008:1158/dva

CASE 1

User SYSTEM has the SELECT ANY TABLE system privilege and can select all rows of the HR.REGIONS table.

Note that the connection banner shows that the Oracle Database Vault option has been added to the Oracle software.

vaultdb:/u02/oracle/10.2/install> sqlplus system/oracle

SQL*Plus: Release 10.2.0.3.0 - Production on Wed Oct 8 13:03:43 2008

Copyright (c) 1982, 2006, Oracle. All Rights Reserved.

Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 - 64bit Production
With the Partitioning, Oracle Label Security, OLAP, Data Mining and Oracle Database Vault options

SQL> select * from hr.regions;

 REGION_ID REGION_NAME
---------- -------------------------
         1 Europe
         2 Americas
         3 Asia
         4 Middle East and Africa

Using Database Vault, we will now set up security so that even a privileged user like SYSTEM cannot access any table owned by the HR schema.

Connect as the Database Vault owner - dvo

Create a new security realm PROTECT_HR

ADD ALL TABLES OWNED BY HR TO THE SECURED REALM PROTECT_HR
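The three steps above are done through the Database Vault web application in this walkthrough; the same realm can be scripted with the DBMS_MACADM package while connected as the Database Vault owner. This is an added example, not part of the original page, and the realm description and audit setting are my choices:

```sql
-- Run as the Database Vault owner (dvo), which holds the DV_OWNER role.
-- Added example: DBMS_MACADM equivalent of the DVA web steps for Case 1.
BEGIN
  -- 1. Create the realm. enabled => 'Y' activates it immediately;
  --    G_REALM_AUDIT_FAIL records every blocked access in the DV audit trail.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'PROTECT_HR',
    description   => 'Blocks system-privilege access to HR tables',
    enabled       => 'Y',
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);

  -- 2. Secure every table owned by HR. '%' is a wildcard object name,
  --    so tables created in HR later are protected as well.
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'PROTECT_HR',
    object_owner => 'HR',
    object_name  => '%',
    object_type  => 'TABLE');
END;
/

-- A realm only blocks access gained through system privileges such as
-- SELECT ANY TABLE. HR itself keeps owner access, and an account that
-- legitimately needs the data should be added as a realm authorization
-- (DBMS_MACADM.ADD_AUTH_TO_REALM), not handed more system privileges.

-- Sanity check: the realm and the objects it secures.
SELECT r.name, r.enabled, o.owner, o.object_name, o.object_type
  FROM DVSYS.DBA_DV_REALM r
  JOIN DVSYS.DBA_DV_REALM_OBJECT o ON o.realm_name = r.name
 WHERE r.name = 'PROTECT_HR';
```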

TEST THE SAME BY CONNECTING AS SYSTEM AND TRYING TO ACCESS ANY TABLES OWNED BY HR

vaultdb:/u02/oracle/10.2/install> sqlplus system/oracle

SQL*Plus: Release 10.2.0.3.0 - Production on Wed Oct 8 13:28:18 2008

Copyright (c) 1982, 2006, Oracle. All Rights Reserved.

Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 - 64bit Production
With the Partitioning, Oracle Label Security, OLAP, Data Mining and Oracle Database Vault options

SQL> select * from hr.regions;
select * from hr.regions
*
ERROR at line 1:
ORA-01031: insufficient privileges

HOWEVER, THE SYSTEM USER CAN STILL ACCESS TABLES IN SCHEMAS OTHER THAN HR

SQL> select count(*) from sh.sales;

  COUNT(*)
----------
    918843

DATABASE VAULT ALSO TRACKS AND REPORTS ANY SECURITY VIOLATIONS THAT HAVE OCCURRED

CASE 2

In the second case study we will use Database Vault so that a DELETE on a particular table can ONLY be performed when connecting from a client machine with a specific IP address. This prevents unauthorized access to data stored in sensitive tables from any other host.

CREATE A NEW RULE SET CALLED PRIVILEGED_CLIENT_MACHINE

While creating the rule set, we supply the IP address of the one client machine from which the operation will be allowed.

NEXT WE ASSOCIATE THE RULE SET WE JUST CREATED WITH A PARTICULAR COMMAND – IN OUR CASE THE COMMAND IS DELETE
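The rule set and the DELETE command rule for Case 2, scripted with DBMS_MACADM instead of the web application. This is an added example, not part of the original page; 192.0.2.10 is a placeholder for the privileged client's IP address, and the rule, rule set and description names beyond PRIVILEGED_CLIENT_MACHINE are my choices:

```sql
-- Run as the Database Vault owner (dvo). Added example for Case 2.
-- 192.0.2.10 is a placeholder; substitute the real privileged client IP.
BEGIN
  -- DVF.F$CLIENT_IP is the built-in Client_IP factor, derived from
  -- SYS_CONTEXT('USERENV','IP_ADDRESS'). It is NULL for a local bequeath
  -- connection, which is why a sqlplus session started on the server
  -- itself fails this rule even though it runs as SYSTEM.
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Client IP Is Privileged Machine',
    rule_expr => 'DVF.F$CLIENT_IP = ''192.0.2.10''');

  -- fail_message / fail_code left NULL so the default error is raised,
  -- matching the ORA-01031 shown in the walkthrough.
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'PRIVILEGED_CLIENT_MACHINE',
    description     => 'DELETE allowed only from the privileged client',
    enabled         => 'Y',
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => NULL,
    fail_code       => NULL,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);

  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'PRIVILEGED_CLIENT_MACHINE',
    rule_name     => 'Client IP Is Privileged Machine',
    rule_order    => 1,
    enabled       => 'Y');

  -- Command rule: every DELETE on SH.SALES is checked against the rule set
  -- before the statement is allowed to run, whatever privileges the user has.
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'DELETE',
    rule_set_name => 'PRIVILEGED_CLIENT_MACHINE',
    object_owner  => 'SH',
    object_name   => 'SALES',
    enabled       => 'Y');
END;
/

-- From any session, show the value the rule will see for this connection.
SELECT DVF.F$CLIENT_IP FROM DUAL;
```

Run the final SELECT from both the server-side session and the client session to confirm that the factor resolves to NULL on the server and to the expected address on the privileged client.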

TEST THE SAME BY CONNECTING AS SYSTEM FROM A SQL*PLUS SESSION DIRECTLY ON THE SERVER

vaultdb:/u02/oracle/10.2/install> sqlplus system/oracle

SQL*Plus: Release 10.2.0.3.0 - Production on Wed Oct 8 14:48:56 2008

Copyright (c) 1982, 2006, Oracle. All Rights Reserved.

Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 - 64bit Production
With the Partitioning, Oracle Label Security, OLAP, Data Mining and Oracle Database Vault options

SQL> delete sh.sales where rownum < 10;
delete sh.sales where rownum < 10
*
ERROR at line 1:
ORA-01031: insufficient privileges

ON THE CLIENT MACHINE WHICH HAS BEEN GRANTED ACCESS, CONFIGURE A LOCAL TNSNAMES.ORA CLIENT CONNECTION TO THE VAULTDB DATABASE AND CONNECT AS THE USER SYSTEM

NOTE THAT SINCE WE ARE NOW CONNECTING FROM THE CLIENT MACHINE PERMITTED BY THE DATABASE VAULT RULE SET, THE DELETE OPERATION ON THE TABLE SALES CAN BE PERFORMED

DISABLE DATABASE VAULT

vaultdb:/u02/oracle/10.2/install> cd $ORACLE_HOME/rdbms/lib
vaultdb:/u02/oracle/10.2/rdbms/lib> make -f ins_rdbms.mk dv_off lbac_off
/bin/ar -X64 d /u02/oracle/10.2/rdbms/lib/libknlopt.a kzvidv.o
/bin/ar -X64 cr /u02/oracle/10.2/rdbms/lib/libknlopt.a /u02/oracle/10.2/rdbms/lib/kzvndv.o
/bin/ar -X64 d /u02/oracle/10.2/rdbms/lib/libknlopt.a kzlilbac.o
/bin/ar -X64 cr /u02/oracle/10.2/rdbms/lib/libknlopt.a /u02/oracle/10.2/rdbms/lib/kzlnlbac.o
vaultdb:/u02/oracle/10.2/bin> relink oracle
chmod 755 /u02/oracle/10.2/bin

- Linking Oracle
rm -f /u02/oracle/10.2/rdbms/lib/oracle
ld: 0711-783 WARNING: TOC overflow. TOC size: 142864 Maximum size: 65536
Extra instructions are being generated for each reference to a TOC symbol if the symbol is in the TOC overflow area.
mv -f /u02/oracle/10.2/bin/oracle /u02/oracle/10.2/bin/oracleO
mv /u02/oracle/10.2/rdbms/lib/oracle /u02/oracle/10.2/bin/oracle
chmod 6751 /u02/oracle/10.2/bin/oracle

vaultdb:/u02/oracle/10.2/bin> sqlplus system/oracle

SQL*Plus: Release 10.2.0.3.0 - Production on Wed Oct 8 15:20:04 2008

Copyright (c) 1982, 2006, Oracle. All Rights Reserved.

Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 - 64bit Production
With the Partitioning, OLAP and Data Mining options