USING ORACLE 10G DATABASE VAULT

CONFIGURING THE DATABASE VAULT OPTION INTO AN EXISTING ORACLE_HOME AND SETTING UP THE DATABASE VAULT OWNER IN THE DATABASE 'VAULTDB'

The Database Vault Configuration Assistant (dvca) does two things in one run: -action option relinks the oracle binary in the given ORACLE_HOME with the Database Vault (and Label Security) objects, and then, through the JDBC connect string, configures the target database: it runs the OLS and DV catalog scripts, creates the Database Vault owner account (-owner_account, here dvo) with the DV_OWNER and DV_ACCTMGR roles, locks the DVSYS and DVF schemas, deploys the DVA web application into the DB Console OC4J, and sets the hardened initialization parameters. -nodecrypt tells dvca that the passwords are given in clear text and -silent suppresses prompting. Note that with this invocation both the owner password and the SYS password are on the command line, so they land in the shell history and are visible in ps output while dvca runs; clear the history afterwards and change the SYS password if the host is shared.

dvca -action option -oh $ORACLE_HOME -s_path /tmp -logfile /tmp/log.out -owner_account dvo -owner_passwd Salom#2401 -jdbc_str jdbc:oracle:oci:@vaultdb -sys_passwd oracle -nodecrypt -silent

vaultdb:/u02/oracle/10.2/bin> ./dvca -action option -oh $ORACLE_HOME -s_path /tmp -logfile /tmp/log.out -owner_account dvo -owner_passwd Salom#2401 -jdbc_>

DVCA started

Executing task RESTART_SERVICES_PATCH

MANAGE_INSTANCE stop isqlplus

MANAGE_INSTANCE stop OC4J

MANAGE_LISTENER start listener

MANAGE_LISTENER start listener result=/u02/oracle/10.2/bin/dvca_start_listener.sh,1,

MANAGE_LISTENER start listener log=

LSNRCTL for IBM/AIX RISC System/6000: Version 10.2.0.3.0 - Production on 08-OCT-2008 04:10:00

Copyright (c) 1991, 2006, Oracle. All rights reserved.

TNS-01106: Listener using listener name LISTENER has already been started

MANAGE_INSTANCE start RDBMS

Executing task SQLPLUS_CATOLS

Executing task RESTART_SERVICES_OLS

MANAGE_INSTANCE stop isqlplus

MANAGE_INSTANCE stop OC4J

MANAGE_LISTENER start listener

MANAGE_LISTENER start listener result=/u02/oracle/10.2/bin/dvca_start_listener.sh,1,

MANAGE_LISTENER start listener log=

LSNRCTL for IBM/AIX RISC System/6000: Version 10.2.0.3.0 - Production on 08-OCT-2008 04:15:52

Copyright (c) 1991, 2006, Oracle. All rights reserved.

TNS-01106: Listener using listener name LISTENER has already been started

MANAGE_INSTANCE start RDBMS

Executing task SQLPLUS_CATMAC

Executing task UNLOCK_DVSYS

Executing task LOAD_NLS_FILES

Executing task ACCOUNT_CREATE_OWNER

Executing task GRANT_CONNECT_OWNER

Executing task GRANT_ADMIN_DB_TRIG

Executing task GRANT_ALTER_ANY_TRIG

Executing task PASSWORD_CHANGE_DVSYS

Executing task PASSWORD_CHANGE_DVF

RULE_SYNC:TRUE

Executing task GRANT_DV_OWNER_OWNER

Executing task GRANT_DBMS_RLS_OWNER

Executing task GRANT_AUDIT_TRAIL

Executing task GRANT_DV_ACCTMGR_OWNER

COMMAND_RULES:9

Executing task ALTER_TRIGGER_BEFORE_DDL

Executing task ALTER_TRIGGER_AFTER_DDL

Executing task REVOKE_CONNECT_DVSYS

Executing task REVOKE_CONNECT_DVF

Executing task LOCK_DVSYS

Executing task LOCK_DVF

Executing task ALTER_TRIGGER_LBACSYS1

Executing task ALTER_TRIGGER_LBACSYS2

Executing task ALTER_TRIGGER_LBACSYS3

Executing task DEPLOY_DVA

DEPLOY_DVA,validate

DEPLOY_DVA get EM home

DEPLOY_DVA get EM home instance=tmpu008.bankwest.com_vaultdb

DEPLOY_DVA stop isqlplus

DEPLOY_DVA stop OC4J

DEPLOY_DVA,modify /u02/oracle/10.2/oc4j/j2ee/OC4J_DBConsole_tmpu008.bankwest.com_vaultdb/config/server.xml

DEPLOY_DVA,modify /u02/oracle/10.2/oc4j/j2ee/OC4J_DBConsole_tmpu008.bankwest.com_vaultdb/config/http-web-site.xml

Executing task SQLPLUS_UTLRP

Executing task INIT_AUDIT_SYS_OPERATIONS

Executing task INIT_REMOTE_OS_AUTHENT

Executing task INIT_REMOTE_OS_ROLES

Executing task INIT_OS_ROLES

Executing task INIT_SQL92_SECURITY

Executing task INIT_OS_AUTHENT_PREFIX

Executing task INIT_REMOTE_LOGIN_PASSWORDFILE

Executing task INIT_RECYCLEBIN

Executing task RESTART_SERVICES

MANAGE_INSTANCE stop isqlplus

MANAGE_INSTANCE stop OC4J

MANAGE_INSTANCE stop RDBMS

MANAGE_LISTENER stop listener

MANAGE_LISTENER start listener

MANAGE_INSTANCE start RDBMS

MANAGE_INSTANCE start OC4J

vaultdb:/u02/oracle/10.2/bin>

Launch the Oracle Database Vault Administrator (DVA) web application from the URL below. The DEPLOY_DVA tasks above added it to the DB Console OC4J container for this instance, which is why it answers on the Enterprise Manager port 1158:

http://tmpu008:1158/dva
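The dvca log above lists what was changed but does not show the resulting state. The following script is an added example (not part of the original page) that checks, from SQL*Plus, that each group of dvca tasks actually took effect; the expected values for the INIT_* parameters are the Database Vault defaults. It assumes the owner account is DVO as created above and is meant to be run as SYS; it can be re-run after the relink at the end of the page, where the first query should then report FALSE for both options.

```sql
-- Post-install verification for the dvca run above (added example, not from the original page).
-- Run as SYS right after dvca finishes; re-run after "make -f ins_rdbms.mk dv_off lbac_off"
-- and "relink oracle" to confirm that the options have really gone from the binary.
SET LINESIZE 120 PAGESIZE 50

-- 1. Are the options linked into the oracle binary?  Expected: TRUE for both rows
--    (FALSE for both after the relink at the end of the page).
SELECT parameter, value
FROM   v$option
WHERE  parameter IN ('Oracle Database Vault', 'Oracle Label Security');

-- 2. Did SQLPLUS_CATOLS / SQLPLUS_CATMAC register the components, and are they VALID?
SELECT comp_id, comp_name, version, status
FROM   dba_registry
WHERE  comp_id IN ('DV', 'OLS');

-- 3. Did the INIT_* tasks set the hardened parameter values?  Expected:
--    audit_sys_operations=TRUE, remote_os_authent=FALSE, remote_os_roles=FALSE,
--    os_roles=FALSE, sql92_security=TRUE, os_authent_prefix='' (empty),
--    remote_login_passwordfile=EXCLUSIVE, recyclebin=OFF.
SELECT name, value
FROM   v$parameter
WHERE  name IN ('audit_sys_operations', 'remote_os_authent', 'remote_os_roles',
                'os_roles', 'sql92_security', 'os_authent_prefix',
                'remote_login_passwordfile', 'recyclebin')
ORDER  BY name;

-- 4. Does the owner account from ACCOUNT_CREATE_OWNER hold the Database Vault roles
--    granted by GRANT_DV_OWNER_OWNER and GRANT_DV_ACCTMGR_OWNER?  Expected: DV_OWNER, DV_ACCTMGR.
SELECT grantee, granted_role
FROM   dba_role_privs
WHERE  grantee = 'DVO'                       -- assumption: owner account named as in the dvca call
AND    granted_role LIKE 'DV\_%' ESCAPE '\'
ORDER  BY granted_role;

-- 5. LOCK_DVSYS / LOCK_DVF must leave the two internal schemas locked; nobody should be
--    able to log in to them directly.  Expected: LOCKED for both.
SELECT username, account_status
FROM   dba_users
WHERE  username IN ('DVSYS', 'DVF');
```

If query 4 returns no rows the dvca run did not complete the GRANT_* tasks and the owner cannot administer realms; if query 5 shows OPEN for DVSYS, lock it before doing anything else, because DVSYS owns the enforcement code and its audit trail.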

CASE 1

User SYSTEM holds the SELECT ANY TABLE system privilege and can therefore read every row of the HR.REGIONS table.

Note that the connection banner now lists Database Vault among the options linked into the Oracle software:

vaultdb:/u02/oracle/10.2/install> sqlplus system/oracle

SQL*Plus: Release 10.2.0.3.0 - Production on Wed Oct 8 13:03:43 2008

Copyright (c) 1982, 2006, Oracle. All Rights Reserved.

Connected to:

Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 - 64bit Production

With the Partitioning, Oracle Label Security, OLAP, Data Mining

and Oracle Database Vault options

SQL> select * from hr.regions;

 REGION_ID REGION_NAME
---------- -------------------------
         1 Europe
         2 Americas
         3 Asia
         4 Middle East and Africa

Using Database Vault, we now set up a realm so that even a privileged user such as SYSTEM cannot reach tables owned by the schema HR by way of its system privileges. A realm does not revoke SELECT ANY TABLE; it makes the privilege inapplicable to the objects inside the realm, so the statement fails exactly as if the privilege had never been granted.

Connect to the DVA web application as the Database Vault owner, dvo.

Create a new realm named PROTECT_HR.

Add all tables owned by HR (owner HR, object name %, object type TABLE) to the realm PROTECT_HR.

Test the result by connecting as SYSTEM and trying to select from any table owned by HR:

vaultdb:/u02/oracle/10.2/install> sqlplus system/oracle

SQL*Plus: Release 10.2.0.3.0 - Production on Wed Oct 8 13:28:18 2008

Copyright (c) 1982, 2006, Oracle. All Rights Reserved.

Connected to:

Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 - 64bit Production

With the Partitioning, Oracle Label Security, OLAP, Data Mining

and Oracle Database Vault options

SQL> select * from hr.regions;

select * from hr.regions

*

ERROR at line 1:

ORA-01031: insufficient privileges

SYSTEM can, however, still read tables in schemas that are not inside the realm; its privileges are unchanged everywhere else in the database:

SQL> select count(*) from sh.sales;

  COUNT(*)
----------
    918843

DATABASE VAULT ALSO TRACKS AND REPORTS SECURITY VIOLATIONS: provided the realm was created with its audit option set to record failures, each refused access such as the SELECT above is written to the Database Vault audit trail (DVSYS.AUDIT_TRAIL$) and shown in the DVA Reports pages.
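The realm above was built through the DVA web pages. The same configuration can be scripted with the DVSYS.DBMS_MACADM API, which is what you want for repeatable deployments and for reviewing what was actually stored. The block below is an added example, not code from the original page: it creates PROTECT_HR, adds every HR table, gives HR itself a realm authorization, and then runs the checks that confirm the realm and the recorded violation. It assumes the Database Vault owner is DVO (created by dvca above), that the HR sample schema exists, and that the DBMS_MACUTL constants carry their 10.2 values; the column list in the last query should be confirmed with DESCRIBE DVSYS.AUDIT_TRAIL$ before relying on it.

```sql
-- Added example (not from the original page): CASE 1 built with DVSYS.DBMS_MACADM.
-- Connect as the Database Vault owner (assumption: DVO, as created by dvca above):
--   sqlplus dvo

-- 1. Create the realm: enabled, and audit realm violations (failed accesses).
BEGIN
  DVSYS.DBMS_MACADM.CREATE_REALM(
    realm_name    => 'PROTECT_HR',
    description   => 'Stops system-privilege access (e.g. SELECT ANY TABLE) to HR data',
    enabled       => DVSYS.DBMS_MACUTL.G_YES,
    audit_options => DVSYS.DBMS_MACUTL.G_REALM_AUDIT_FAIL);
END;
/

-- 2. Put every table owned by HR into the realm ('%' is the wildcard the API accepts,
--    so tables created in HR later are protected too).
BEGIN
  DVSYS.DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'PROTECT_HR',
    object_owner => 'HR',
    object_name  => '%',
    object_type  => 'TABLE');
END;
/

-- 3. Authorize HR as realm owner.  Realms gate system privileges only; without this row
--    HR's own CREATE TABLE / DROP TABLE (system privileges) would also stop at the realm.
BEGIN
  DVSYS.DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'PROTECT_HR',
    grantee       => 'HR',
    rule_set_name => NULL,
    auth_options  => DVSYS.DBMS_MACUTL.G_REALM_AUTH_OWNER);
END;
/

-- 4. Review what was stored (DVSYS data-dictionary views, readable by the DV owner).
SELECT name, enabled, audit_options
FROM   DVSYS.DBA_DV_REALM
WHERE  name = 'PROTECT_HR';

SELECT owner, object_name, object_type
FROM   DVSYS.DBA_DV_REALM_OBJECT
WHERE  realm_name = 'PROTECT_HR';

SELECT grantee, auth_options
FROM   DVSYS.DBA_DV_REALM_AUTH
WHERE  realm_name = 'PROTECT_HR';

-- 5. Now repeat the test from the page in another session:
--      sqlplus system/oracle
--      SQL> select * from hr.regions;     -- expected: ORA-01031: insufficient privileges
--    and confirm the violation reached the DV audit trail.
--    (Column names assumed from 10.2; check them with DESCRIBE DVSYS.AUDIT_TRAIL$.)
SELECT username, action_command, returncode, timestamp
FROM   DVSYS.AUDIT_TRAIL$
WHERE  username = 'SYSTEM'
ORDER  BY timestamp DESC;
```

Two points worth checking in step 4: the realm row must show ENABLED = 'Y' (a disabled realm stores the objects but enforces nothing), and the authorization list should contain only accounts that genuinely need system-privilege access to HR data; every grantee listed there is a bypass of the realm.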

CASE 2

In the second case study we configure Database Vault so that a DELETE against a particular table (SH.SALES) succeeds only when the session comes from a client machine with a specific IP address. This limits destructive DML on a sensitive table to one known workstation, regardless of which account issues the statement.

Create a new rule set called PRIVILEGED_CLIENT_MACHINE.

While creating the rule set, add a rule whose expression compares the session's client IP address (the Client_IP factor, which wraps SYS_CONTEXT('USERENV','IP_ADDRESS')) with the address of the one client machine that is allowed.

Next, associate the rule set with a command rule: the command is DELETE and the object is the SH.SALES table.

Test the result by connecting as SYSTEM from a SQL*Plus session directly on the server. A local bequeath connection carries no client IP address, and a connection through the listener on the same host carries the server's own address, so either way the rule set evaluates to false and the DELETE is refused:

vaultdb:/u02/oracle/10.2/install> sqlplus system/oracle

SQL*Plus: Release 10.2.0.3.0 - Production on Wed Oct 8 14:48:56 2008

Copyright (c) 1982, 2006, Oracle. All Rights Reserved.

Connected to:

Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 - 64bit Production

With the Partitioning, Oracle Label Security, OLAP, Data Mining

and Oracle Database Vault options

SQL> delete sh.sales where rownum < 10;

delete sh.sales where rownum < 10

*

ERROR at line 1:

ORA-01031: insufficient privileges

ON THE CLIENT MACHINE THAT HAS BEEN GRANTED ACCESS, CONFIGURE A LOCAL TNSNAMES.ORA ENTRY FOR THE VAULTDB DATABASE AND CONNECT AS THE USER SYSTEM THROUGH THE LISTENER

Because this session arrives from the permitted IP address, the rule set evaluates to true and the DELETE on the SALES table goes through. Note that the check is on the network address only: it does not authenticate the person at the keyboard, and any session that reaches the listener with that source address (including one relayed through that workstation, or one behind the same NAT) passes the rule.
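The rule set and command rule of this case can likewise be scripted with DVSYS.DBMS_MACADM. The block below is an added example, not code from the original page: it creates the IP rule, the rule set, and the command rule on DELETE against SH.SALES, and ends with the one query a tester should run from each client to see the value the rule is compared against. It assumes the Database Vault owner is DVO, that the privileged workstation is 192.0.2.10 (a placeholder to be replaced with the real address), and that the DBMS_MACUTL constants and DVF.F$CLIENT_IP factor function carry their 10.2 names.

```sql
-- Added example (not from the original page): CASE 2 built with DVSYS.DBMS_MACADM.
-- Connect as the Database Vault owner (assumption: DVO):
--   sqlplus dvo

-- 1. The rule.  DVF.F$CLIENT_IP is the factor function for Client_IP, i.e. the peer address
--    of the session's TCP connection.  192.0.2.10 is a placeholder; use the real address.
BEGIN
  DVSYS.DBMS_MACADM.CREATE_RULE(
    rule_name => 'Client IP Is Privileged Machine',
    rule_expr => 'DVF.F$CLIENT_IP = ''192.0.2.10''');
END;
/

-- 2. The rule set: enabled, all rules must be true (only one here), audit failures,
--    and report failures with our own message and code instead of failing silently.
BEGIN
  DVSYS.DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'PRIVILEGED_CLIENT_MACHINE',
    description     => 'True only for sessions from the designated admin workstation',
    enabled         => DVSYS.DBMS_MACUTL.G_YES,
    eval_options    => DVSYS.DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DVSYS.DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DVSYS.DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'DELETE on this table is allowed only from the privileged client machine',
    fail_code       => -20101,        -- custom codes must lie in -20000..-20999
    handler_options => DVSYS.DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);

  DVSYS.DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'PRIVILEGED_CLIENT_MACHINE',
    rule_name     => 'Client IP Is Privileged Machine');
END;
/

-- 3. The command rule: DELETE on SH.SALES is allowed only while the rule set is true.
--    This applies to every account, SYSTEM included; the DV owner should not be
--    exempt either, which is why no authorization is added here.
BEGIN
  DVSYS.DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'DELETE',
    rule_set_name => 'PRIVILEGED_CLIENT_MACHINE',
    object_owner  => 'SH',
    object_name   => 'SALES',
    enabled       => DVSYS.DBMS_MACUTL.G_YES);
END;
/

-- 4. Review what was stored.
SELECT command, object_owner, object_name, rule_set_name, enabled
FROM   DVSYS.DBA_DV_COMMAND_RULE
WHERE  object_owner = 'SH' AND object_name = 'SALES';

-- 5. From any test session, before running the DELETE, see what the rule will compare.
--    A bequeath connection on the server ("sqlplus system/oracle" with no @service) returns
--    NULL here, so it can never match; a session through the listener shows its source
--    address, which is the value that has to equal the one in the rule.
SELECT SYS_CONTEXT('USERENV', 'IP_ADDRESS') AS client_ip,
       SYS_CONTEXT('USERENV', 'SESSION_USER') AS session_user
FROM   dual;
```

Query 5 is also the quickest way to find out why a legitimate client is being refused: if it reports the address of a NAT gateway or a connection-pooling tier rather than the workstation itself, the rule is matching the wrong hop and the restriction protects less (or more) than intended.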

DISABLE DATABASE VAULT

Database Vault (and, with the lbac_off target, Label Security as well) is removed by relinking the oracle binary without the option objects. The instance and the listener must be shut down while this is done. Note that nothing in the database can prevent it: whoever controls the Oracle software owner's OS account can switch the option off, so Database Vault protects against privileged database accounts, not against that OS account.

vaultdb:/u02/oracle/10.2/install> cd $ORACLE_HOME/rdbms/lib

vaultdb:/u02/oracle/10.2/rdbms/lib> make -f ins_rdbms.mk dv_off lbac_off

/bin/ar -X64 d /u02/oracle/10.2/rdbms/lib/libknlopt.a kzvidv.o

/bin/ar -X64 cr /u02/oracle/10.2/rdbms/lib/libknlopt.a /u02/oracle/10.2/rdbms/lib/kzvndv.o

/bin/ar -X64 d /u02/oracle/10.2/rdbms/lib/libknlopt.a kzlilbac.o

/bin/ar -X64 cr /u02/oracle/10.2/rdbms/lib/libknlopt.a /u02/oracle/10.2/rdbms/lib/kzlnlbac.o

vaultdb:/u02/oracle/10.2/bin> relink oracle

chmod 755 /u02/oracle/10.2/bin

- Linking Oracle

rm -f /u02/oracle/10.2/rdbms/lib/oracle

ld -b64 -o /u02/oracle/10.2/rdbms/lib/oracle -L/u02/oracle/10.2/rdbms/lib/ -L/u02/oracle/10.2/lib/ -bbigtoc -bnoipath -bI:/u02/oracle/10.2/lib/ksms.imp /u02/oracle/10.2/rdbms/lib/opimai.o /u02/oracle/10.2/rdbms/lib/ssoraed.o /u02/oracle/10.2/rdbms/lib/ttcsoi.o -lperfsrv10 /u02/oracle/10.2/lib/nautab.o /u02/oracle/10.2/lib/naeet.o /u02/oracle/10.2/lib/naect.o /u02/oracle/10.2/lib/naedhs.o /u02/oracle/10.2/rdbms/lib/config.o -bI:/usr/lib/aio.exp -lserver10 /u02/oracle/10.2/lib/libodm10.so -lnnet10 -lskgxp10 -lsthasgen10 /u02/oracle/10.2/has/lib/clssgc.o /u02/oracle/10.2/lib/libstskgxn2.a -lstocr10 -lstocrb10 -lstocrutl10 -lsthasgen10 /u02/oracle/10.2/has/lib/clssgc.o /u02/oracle/10.2/lib/libstskgxn2.a -lclient10 -lvsn10 -lcommon10 -lgeneric10 `if [ -f /u02/oracle/10.2/lib/libavserver10.a ] ; then echo "-lavserver10" ; else echo "-lavstub10"; fi` `if [ -f /u02/oracle/10.2/lib/libavclient10.a ] ; then echo "-lavclient10" ; fi` /u02/oracle/10.2/rdbms/lib/defopt.o -lknlopt `if /bin/ar -X64 tv /u02/oracle/10.2/rdbms/lib/libknlopt.a | grep xsyeolap.o > /dev/null 2>&1 ; then echo "-loraolap10 -bE:/u02/oracle/10.2/rdbms/lib/olap.exp" ; fi` -lslax10 -lpls10 -lplp10 -bE:/u02/oracle/10.2/rdbms/lib/plsqlncomp.exp /u02/oracle/10.2/lib/libstclsra10.a -lstdbcfg10 -lserver10 -lclient10 -lvsn10 -lcommon10 -lgeneric10 -lknlopt -lslax10 -lpls10 -lplp10 -ljox10 -bE:/u02/oracle/10.2/rdbms/lib//oracle.exp `sed -e 's/-ljava//g' /u02/oracle/10.2/lib/ldflags` -lncrypt10 -lnsgr10 -lnzjs10 -ln10 -lnnz10 -lnl10 -lnzjs10 -lnro10 `sed -e 's/-ljava//g' /u02/oracle/10.2/lib/ldflags` -lncrypt10 -lnsgr10 -lnzjs10 -ln10 -lnnz10 -lnl10 -lnzjs10 -lclient10 -lvsn10 -lcommon10 -lgeneric10 -lmm -lsnls10 -lnls10 -lcore10 -lsnls10 -lnls10 -lcore10 -lsnls10 -lnls10 -lxml10 -lcore10 -lunls10 -lsnls10 -lnls10 -lcore10 -lnls10 `sed -e 's/-ljava//g' /u02/oracle/10.2/lib/ldflags` -lncrypt10 -lnsgr10 -lnzjs10 -ln10 -lnnz10 -lnl10 -lnzjs10 -lnro10 `sed -e 's/-ljava//g' /u02/oracle/10.2/lib/ldflags` -lncrypt10 -lnsgr10 -lnzjs10 -ln10 -lnnz10 -lnl10 -lnzjs10 -lclient10 -lvsn10 -lcommon10 -lgeneric10 -lpls10 -lsnls10 -lnls10 -lcore10 -lsnls10 -lnls10 -lcore10 -lsnls10 -lnls10 -lxml10 -lcore10 -lunls10 -lsnls10 -lnls10 -lcore10 -lnls10 -lclient10 -lvsn10 -lcommon10 -lgeneric10 -lsnls10 -lnls10 -lcore10 -lsnls10 -lnls10 -lcore10 -lsnls10 -lnls10 -lxml10 -lcore10 -lunls10 -lsnls10 -lnls10 -lcore10 -lnls10 -lserver10 `if /bin/ar -X64 tv /u02/oracle/10.2/rdbms/lib/libknlopt.a | grep "kxmnsd.o" > /dev/null 2>&1 ; then echo " " ; else echo "-lordsdo10"; fi` -lctxc10 -lctx10 -lzx10 -lgx10 -lctx10 -lzx10 -lgx10 -lordimt10 -lsnls10 -lnls10 -lcore10 -lsnls10 -lnls10 -lcore10 -lsnls10 -lnls10 -lxml10 -lcore10 -lunls10 -lsnls10 -lnls10 -lcore10 -lnls10 -lsnls10 -lunls10 -bE:/u02/oracle/10.2/rdbms/lib//libcorejava.exp -lld -lm `cat /u02/oracle/10.2/lib/sysliblist` -lm `if [ "\`/usr/bin/uname -v\`" = "4" ]; \
then echo "-bI:/u02/oracle/10.2/lib/pw-syscall.exp"; fi;` `if /bin/ar -X64 t /u02/oracle/10.2/rdbms/lib/libknlopt.a | grep '^'kcsm.o > /dev/null 2>&1 ; then echo "-lha_gs_r -lha_em_r -lpthreads"; fi` -locijdbcst10 -lwwg -bpT:0x100000000 -bpD:0x110000000 -bforceimprw

ld: 0711-783 WARNING: TOC overflow. TOC size: 142864 Maximum size: 65536

Extra instructions are being generated for each reference to a TOC

symbol if the symbol is in the TOC overflow area.

mv -f /u02/oracle/10.2/bin/oracle /u02/oracle/10.2/bin/oracleO

mv /u02/oracle/10.2/rdbms/lib/oracle /u02/oracle/10.2/bin/oracle

chmod 6751 /u02/oracle/10.2/bin/oracle

vaultdb:/u02/oracle/10.2/bin> sqlplus system/oracle

SQL*Plus: Release 10.2.0.3.0 - Production on Wed Oct 8 15:20:04 2008

Copyright (c) 1982, 2006, Oracle. All Rights Reserved.

Connected to:

Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 - 64bit Production

With the Partitioning, OLAP and Data Mining options

After the relink the banner no longer lists Database Vault or Label Security: the option is out of the binary, and the realms and command rules configured above are no longer enforced even though the DVSYS objects that describe them are still in the database.