
Post on 15-Dec-2015


A First Look at Database Vault

David Bergmeier

Overview

Installation

Limitations

Securing Data

Backups

A trigger problem

Agenda

Senior Oracle DBA

Worked for MGA nearly 2 years

Background as an Analyst/Programmer

12 years in financial services industry

Started using Oracle in 1996

About me

Why Oracle Database Vault?

• Don’t trust the DBA

• Regulatory compliance (e.g. Sarbanes-Oxley)

• Separation of duties

Overview

connect / as sysdba
create user david ...
grant dba to david;
select * from scott.emp;

Separation of duties


• Oracle 10.2.0.3

• 1024 MB of Physical RAM

• Swap space (1.5 times RAM)

• 400 MB in /tmp

• 270 MB for database vault binaries

• 10 MB additional for database files

Prerequisites

Installation

• Assumes one instance per Oracle home

• But can support more

Prerequisites

User to receive DV_OWNER role

Passwords must have alpha, numeric & special

User to receive DV_ACCTMGR role

Installation


Let’s start the database

I cannot log in as SYSDBA

So how do I start/stop Oracle?

connect / as SYSOPER

The First Problem


$ lsnrctl start

$ emctl start dbconsole

Securing Some Data

$ sqlplus system/manager

SQL> select * from scott.emp;

...

14 rows selected.

SQL>

Securing Some Data

A realm is a functional grouping of schemas and roles that are secured.

[Diagram: Realm (one) to Secured Objects and Authorizations (many)]

What is a Realm?

SQL> select * from scott.emp;

select * from scott.emp

*

ERROR at line 1:

ORA-01031: Insufficient Privileges

SQL>

Securing Some Data

SQL> select * from scott.dept;

    DEPTNO DNAME          LOC
---------- -------------- --------
        10 ACCOUNTING     NEW YORK
        20 RESEARCH       DALLAS
        30 SALES          CHICAGO
        40 OPERATIONS     BOSTON

SQL>

Securing Some Data

That’s the end of the tutorial.

So now let’s consider a real world application.

Securing Some Data

[Diagram: application user accessing EMP in the SCOTT schema]

Application server connects to database as single user

Real world Example

[Diagram: application user and support users accessing EMP in the SCOTT schema]

Support users connect with individual accounts with read-only access

Real world Example

[Diagram: SCOTT grants select, insert, update, delete on EMP to scott_app_user; SCOTT grants select on EMP to scott_ro_role; scott_ro_role is granted to scott_ro]

SQL> connect system/manager

SQL> create user scott_app_user

2> identified by tiger

3> default tablespace USERS;

identified by tiger

*

ERROR at line 2:

ORA-01031: Insufficient Privileges

Create User

SQL> connect dbu/manager

SQL> create user scott_app_user

2> identified by tiger

3> default tablespace USERS;

User created.

SQL> grant connect to scott_app_user;

Create User

SQL> connect dbu/manager

SQL> create user scott_ro

2> identified by tiger

3> default tablespace USERS;

User created.

SQL> grant connect to scott_ro;

Create User

SQL> connect system/manager

SQL> create role scott_ro_role;

Role created.

SQL> grant scott_ro_role to scott_ro;

Grant succeeded.

SQL>

Create Role

SQL> connect scott/tiger

SQL> grant select,insert,update,delete on emp to scott_app_user;

Grant succeeded.

SQL> grant select on emp to scott_ro_role;

Grant succeeded.

SQL>

Grants

Now to test it...

Real world Example

SQL> connect scott_ro/tiger

SQL> select * from scott.emp;

14 rows selected.

SQL> delete from scott.emp;

delete from scott.emp

*

ERROR at line 1:

ORA-01031: Insufficient Privileges

Testing scott_ro


SQL> connect scott_app_user/tiger

SQL> select * from scott.emp;

14 rows selected.

SQL> delete from scott.emp;

14 rows deleted.

SQL> rollback;

Testing scott_app_user


SQL> connect system/manager

SQL> select * from scott.emp;

14 rows selected.

SQL> delete from scott.emp;

delete from scott.emp

*

ERROR at line 1:

ORA-01031: Insufficient Privileges

Testing system


SQL> connect system/manager

SQL> select * from session_roles;

ROLE
---------------------------
DV_PUBLIC
DBA
...
SCOTT_RO_ROLE

14 rows selected.

SQL>

What went wrong?

How did SYSTEM get SCOTT_RO_ROLE?

What went wrong?

SQL> connect system/manager

SQL> create role foo;

Role created.

SQL> set role all;

Role set.

SQL> select * from session_roles;

ROLE
---------------------------
DV_PUBLIC
...
FOO

What went wrong?

So now we have a problem!

What went wrong?

If we only revoke the role, SYSTEM can grant it again.

How do we prevent this?

SQL> connect system/manager

SQL> drop role scott_ro_role;

Role dropped.

SQL> select * from session_roles;

ROLE
---------------------------
DV_PUBLIC
...
MGMT_USER

13 rows selected.

SQL>

Remove the Role

DV_ACCTMGR has

• create/drop user

• alter user account lock/unlock

• alter user password expire

• grant/revoke CONNECT role

Problem with DV_ACCTMGR

DV_ACCTMGR needs

• create role

• alter any role

• drop any role

• SELECT_CATALOG_ROLE

To get these, we need to log in as SYSDBA

Problem with DV_ACCTMGR

$ cd $ORACLE_HOME/dbs

$ orapwd file=orapwmozart password=mozart entries=20 force=y nosysdba=n

$ sqlplus sys/mozart as sysdba

SQL> startup

SQL> alter user sys identified by mozart;

Allow SYSDBA

SQL> connect sys/mozart as sysdba

SQL> grant create role to DV_ACCTMGR;

SQL> grant alter any role to DV_ACCTMGR;

SQL> grant drop any role to DV_ACCTMGR;

Grants to DV_ACCTMGR

SELECT_CATALOG_ROLE

Fixing DV_ACCTMGR

SQL> connect dbu/manager

SQL> create role scott_ro_role;

Role created.

SQL>

Create Role as DV_ACCTMGR

At this stage we delay granting scott_ro_role

Securing SCOTT_RO_ROLE
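The realm set-up on these slides survives only as slide titles. As an added example (not from the original presentation), the same kind of realm could be scripted with the DVSYS.DBMS_MACADM API by the Database Vault administrator (dbv); the realm name, the choice to protect the whole SCOTT schema, and authorizing SCOTT as realm owner are assumptions.

```sql
-- Added example: run as the Database Vault administrator (dbv on these slides).
-- 'SCOTT Application Realm' is a hypothetical realm name.
BEGIN
  -- 1. Create the realm, enabled, auditing failed access attempts.
  DVSYS.DBMS_MACADM.CREATE_REALM(
    realm_name    => 'SCOTT Application Realm',
    description   => 'Objects and roles of the SCOTT application',
    enabled       => DVSYS.DBMS_MACUTL.G_YES,
    audit_options => DVSYS.DBMS_MACUTL.G_REALM_AUDIT_FAIL);

  -- 2a. Secured objects: every object in the SCOTT schema (assumption).
  DVSYS.DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'SCOTT Application Realm',
    object_owner => 'SCOTT',
    object_name  => '%',
    object_type  => '%');

  -- 2b. Secured objects: the application role. Roles have no owning
  --     schema, so the owner is given as the wildcard '%'.
  DVSYS.DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'SCOTT Application Realm',
    object_owner => '%',
    object_name  => 'SCOTT_RO_ROLE',
    object_type  => 'ROLE');

  -- 3. Authorization: SCOTT as realm owner (assumption), so that the
  --    schema owner is the one account able to grant the protected role.
  DVSYS.DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name   => 'SCOTT Application Realm',
    grantee      => 'SCOTT',
    auth_options => DVSYS.DBMS_MACUTL.G_REALM_AUTH_OWNER);
END;
/
```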

SQL> connect dbu/manager

SQL> grant scott_ro_role to scott_ro;

grant scott_ro_role to scott_ro

*

ERROR at line 1:

ORA-47401: Realm violation for grant role privilege on SCOTT_RO_ROLE

Granting SCOTT_RO_ROLE

So who can/should do the grant of SCOTT_RO_ROLE?

Answer: SCOTT

Provided SCOTT can only grant SCOTT_RO_ROLE and not other roles like DBA.

Granting SCOTT_RO_ROLE

One more grant as SYSDBA

Granting SCOTT_RO_ROLE

SQL> connect sys/mozart as sysdba

SQL> grant grant any role to scott;

Grant succeeded.

SQL>

SQL> connect scott/tiger

SQL> grant scott_ro_role to scott_ro;

Grant succeeded.

SQL> revoke scott_ro_role from dbu;

Revoke succeeded.

SQL>

Granting SCOTT_RO_ROLE

SQL> connect scott/tiger

SQL> grant DBA to scott;

grant DBA to scott

*

ERROR at line 1:

ORA-00604: error occurred at recursive SQL level 1

ORA-47401: Realm violation for grant role privilege on UNLIMITED TABLESPACE.

Granting SCOTT_RO_ROLE

WHY?

The DBA role is protected by the “Oracle Data Dictionary” Realm.

Granting SCOTT_RO_ROLE

Now to test it... Again

Granting SCOTT_RO_ROLE

SQL> connect scott_ro/tiger

SQL> select * from scott.emp;

14 rows selected.

SQL> delete from scott.emp;

delete from scott.emp

*

ERROR at line 1:

ORA-01031: Insufficient Privileges

Testing scott_ro again


SQL> connect scott_app_user/tiger

SQL> select * from scott.emp;

14 rows selected.

SQL> delete from scott.emp;

14 rows deleted.

SQL> rollback;

Testing scott_app_user


SQL> connect system/manager

SQL> select * from scott.emp;

ERROR at line 1:

ORA-01031: Insufficient Privileges

SQL> delete from scott.emp;

ERROR at line 1:

ORA-01031: Insufficient Privileges

Testing system again


SQL> connect sys/mozart as sysdba

SQL> select * from scott.emp;

ERROR at line 1:

ORA-01031: Insufficient Privileges

SQL> delete from scott.emp;

ERROR at line 1:

ORA-01031: Insufficient Privileges

Testing SYSDBA


SQL> connect dbu/manager

SQL> select * from scott.emp;

ERROR at line 1:

ORA-01031: Insufficient Privileges

SQL> delete from scott.emp;

ERROR at line 1:

ORA-01031: Insufficient Privileges

Testing DV_ACCTMGR


SQL> connect dbv/manager

SQL> select * from scott.emp;

ERROR at line 1:

ORA-01031: Insufficient Privileges

SQL> delete from scott.emp;

ERROR at line 1:

ORA-01031: Insufficient Privileges

Testing DV_ADMIN


Let’s review the actions performed by each of the different users/roles

Separation of Duties

SYS as SYSDBA

• Grant role privileges to DV_ACCTMGR (one time)

• Grant “grant any role” to SCOTT (once per application)

DV_ADMIN (user = dbv)

• Realm authorizations (once per application)

• Command Rules (one time)

DV_ACCTMGR (user = dbu)

• Create user (ongoing)

• Grant connect (ongoing)

• Create role (once per app)

Schema owner (SCOTT)

• Grant object privileges (once per application)

• Grant SCOTT_RO_ROLE (ongoing)

DBA (user = system)

• Nothing
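To check the end state against this division of duties, the following added queries (not part of the original slides) list who holds SCOTT_RO_ROLE and who holds the role-management system privileges. They assume the only expected holder is SCOTT_RO and that the session has SELECT_CATALOG_ROLE; a role's creator shows up in the first result because CREATE ROLE grants the new role to its creator WITH ADMIN OPTION, which is how SYSTEM acquired it earlier.

```sql
-- Added example: audit holders of the application role.
-- Assumption: SCOTT_RO is the only account that should hold SCOTT_RO_ROLE.
SELECT rp.granted_role,
       rp.grantee,
       rp.admin_option,
       rp.default_role,
       CASE
         WHEN rp.grantee <> 'SCOTT_RO' THEN 'UNEXPECTED HOLDER'
         WHEN rp.admin_option = 'YES'  THEN 'CAN RE-GRANT'
         ELSE 'OK'
       END AS finding
FROM   dba_role_privs rp
WHERE  rp.granted_role = 'SCOTT_RO_ROLE'
ORDER  BY rp.grantee;

-- Accounts and roles able to create, change, drop or hand out roles.
-- On these slides the intended holders are DV_ACCTMGR (create/alter/drop)
-- and SCOTT (grant any role); anything else deserves a second look.
SELECT sp.grantee,
       sp.privilege,
       sp.admin_option
FROM   dba_sys_privs sp
WHERE  sp.privilege IN ('CREATE ROLE',
                        'ALTER ANY ROLE',
                        'DROP ANY ROLE',
                        'GRANT ANY ROLE')
ORDER  BY sp.privilege, sp.grantee;
```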


Impact of Backups

• Export

• Data Pump

• RMAN

Backups

Export

• Lots of ORA-01031

• Will be unable to Import

• Not viable

Data Pump

• Not tested

RMAN

• Requires SYSDBA access

• May need to hardcode SYS password or use wallet

• Works successfully


Error creating trigger

• Minor changes to whitespace in trigger source caused compile success/failure

• Known Bug: 5630439

• ORA-47999: internal Database Vault error: create trigger

Trigger Problem

Workaround available

• Log in as dv_owner account

• alter trigger dvsys.DV_BEFORE_DDL_TRG disable

• Log in as SCOTT and create trigger

• Log in as dv_owner account

• alter trigger dvsys.DV_BEFORE_DDL_TRG enable

Trigger Problem

You probably don’t need Database Vault

It’s a trade-off between more security and more bureaucracy

It seems to work okay but there are some bugs

Typical workarounds involve deactivating Database Vault

Conclusion

The End

Thank you for your attendance

dbergmeier@mga-it.com

http://www.mga.com.au
