Odv oracle customer_demo

18-May-2016 ODV - Oracle Database Vault Gino D’ Alfonso / Harry Goossens


Program / Agenda

• Overview
• Securing Data using Database Vault
• Auditing
• Exports and Backups


Overview

What is Oracle Database Vault?

• Oracle Database Vault (ODV) was introduced in Oracle 9iR2.

• ODV restricts access to specific areas of an Oracle database, for any user.

• Enables you to apply access control to sensitive data.

• Protects data from super-privileged users (like the DBA) but still lets them maintain the Oracle database.


Overview

Why Oracle Database Vault?

• Systems classified with integrity/confidentiality level 3 (IV=3).

• Separation of duties.

• Internal control.

• Regulatory drivers such as Basel, SOX and PCI DSS.

• Don’t trust the DBA.


Overview

• Virtual Private Database (VPD): restricts access to certain rows for a user by modifying the WHERE clause.

• Oracle Label Security (OLS): mediates access to a given row, based on the label on the row and the security level of the user.

• VPD and OLS restrict access at the row level, whereas Oracle Database Vault restricts access at the object and command levels.

• Transparent Data Encryption (TDE): out of the box, TDE provides (strong) encryption of the data stored in the database.

ODV can be combined with VPD, OLS and TDE.

Program / Agenda

• Securing Data using Database Vault


Securing Data

Realms (areas): a functional grouping of database schemas, objects, and roles that need to be secured. (Example: all objects of SCOTT belong to realm RLM_SCOTT.)

Command rules: a special rule that you can create to control how users can execute almost any SQL statement, including SELECT, ALTER SYSTEM, data definition language (DDL), and data manipulation language (DML) statements. (Example: SELECT on SCOTT objects.)


Securing Data

Factors: a named variable or attribute, such as a user location, database IP address, or session user, which Oracle Database Vault can recognize and secure. (Example: FAC_HOSTNAME => 'hostname=exdb4002-adm'.)

Rule sets: a collection of one or more rules that you can associate with a realm authorization, command rule, factor assignment, or secure application role. (Example: RST_IS_LASTDAYOFMONTH.)

Rules: a single boolean condition, like “WHERE department = [whatever]”. (Example: RUL_DBUSER_ISNOT_GOOSSENSHFM.)
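The realm, rules, rule set and command rule described on the two definition slides above, written out as an added example for this page (it is not code from the demo and not taken from Oracle's documentation). It uses the DBMS_MACADM / DBMS_MACUTL PL/SQL API of Database Vault 11g and is run as the Database Vault owner account (OWNER_DVT in the demo). The realm name RLM_OWNER_DBT, the rule and rule set names, the user name GOOSSENSHFM and the fail code 20006 come from the slides; the month-end rule expression, the DELETE-on-EMP command rule and the descriptions are assumptions made for the example. Factor creation is not shown.

```sql
-- Added example: Database Vault configuration via DBMS_MACADM (run as the DV owner).
-- Names follow the deck; the DELETE command rule and the rule expressions are assumptions.

-- 1. Realm: a functional grouping of OWNER_DBT's objects.
BEGIN
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'RLM_OWNER_DBT',
    description   => 'Protects the application schema OWNER_DBT',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);   -- audit violations only

  -- Every object of OWNER_DBT belongs to the realm ('%' = all names, all types).
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'RLM_OWNER_DBT',
    object_owner => 'OWNER_DBT',
    object_name  => '%',
    object_type  => '%');

  -- The schema owner is realm OWNER, so it may still grant object privileges on
  -- its own tables (as the demo does for user_app_dbt and user_dbt). A DBA's
  -- SELECT ANY TABLE / DELETE ANY TABLE system privileges no longer reach the realm.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'RLM_OWNER_DBT',
    grantee       => 'OWNER_DBT',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_OWNER);
END;
/

-- 2. Rules: boolean expressions evaluated in the session that runs the statement.
BEGIN
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'RUL_DBUSER_ISNOT_GOOSSENSHFM',
    rule_expr => q'[SYS_CONTEXT('USERENV','SESSION_USER') <> 'GOOSSENSHFM']');

  DBMS_MACADM.CREATE_RULE(                              -- assumed expression
    rule_name => 'RUL_IS_LASTDAYOFMONTH',
    rule_expr => q'[TRUNC(SYSDATE) = TRUNC(LAST_DAY(SYSDATE))]');

  -- 3. Rule set: EVAL_ALL means every rule must be true; a failure is audited and
  --    reported to the caller as ORA-47306 with the custom code/message.
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'RST_IS_LASTDAYOFMONTH',
    description     => 'Month-end window, not allowed for the named DBA account',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'No way Jose',
    fail_code       => 20006,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);

  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'RST_IS_LASTDAYOFMONTH', rule_name => 'RUL_IS_LASTDAYOFMONTH');
  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'RST_IS_LASTDAYOFMONTH', rule_name => 'RUL_DBUSER_ISNOT_GOOSSENSHFM');

  -- 4. Command rule: DELETE on OWNER_DBT.EMP is only allowed while the rule set is true,
  --    even for users (or the owner) that hold the DELETE object privilege.
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'DELETE',
    rule_set_name => 'RST_IS_LASTDAYOFMONTH',
    object_owner  => 'OWNER_DBT',
    object_name   => 'EMP',
    enabled       => DBMS_MACUTL.G_YES);
END;
/

-- Verify the configuration through the Database Vault data dictionary views.
SELECT realm_name, owner, object_name, object_type
FROM   dvsys.dba_dv_realm_object
WHERE  realm_name = 'RLM_OWNER_DBT';

SELECT realm_name, grantee, auth_options, auth_rule_set_name
FROM   dvsys.dba_dv_realm_auth
WHERE  realm_name = 'RLM_OWNER_DBT';

SELECT command, object_owner, object_name, rule_set_name, enabled
FROM   dvsys.dba_dv_command_rule;
```

The order matters: a realm without an authorization locks out everybody, including the schema owner, so the realm owner authorization is added in the same block. Command rules apply to every session regardless of object privileges, which is why the rule set, not a GRANT, decides whether the DELETE runs.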


Securing Data

connect / as sysdba
create user harry identified by ********;
grant dba to harry;
connect harry

select * from owner_dbt.emp;


Securing Data

The key to Separation of Duties is that no single ROLE can do everything.

• The DV_OWNER role can only do data security.
• The DV_ACCTMGR role can only create/drop users.

A DBA role can do anything EXCEPT data security and create/drop users, and is subject to any data security set up by the DV_OWNER role.

By default Rabobank does not separate data and user administration: both roles (DV_OWNER and DV_ACCTMGR) are granted to the same user.
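A check that goes with the separation-of-duties slide above, added here as an example (not part of the demo): it lists who holds the two Database Vault administration roles and flags any account that ends up with both, including through an intermediate role. The queries use only the standard DBA_ROLE_PRIVS and DBA_USERS views and need no Database Vault privileges beyond SELECT on them.

```sql
-- Added check: which accounts hold DV_OWNER / DV_ACCTMGR, directly or via nested roles?
-- An account that appears with both roles matches the "no separation" setup on the slide.

-- Direct grants of the two administration roles.
SELECT grantee, granted_role, admin_option
FROM   dba_role_privs
WHERE  granted_role IN ('DV_OWNER', 'DV_ACCTMGR')
ORDER  BY grantee, granted_role;

-- Walk the role hierarchy: if DV_OWNER was granted to role X and X to a user,
-- that user effectively holds DV_OWNER and must be reported as well.
WITH role_tree (grantee, dv_role) AS (
  SELECT grantee, granted_role
  FROM   dba_role_privs
  WHERE  granted_role IN ('DV_OWNER', 'DV_ACCTMGR')
  UNION ALL
  SELECT p.grantee, t.dv_role
  FROM   dba_role_privs p
  JOIN   role_tree t ON p.granted_role = t.grantee     -- t.grantee is itself a role
)
SELECT grantee,
       LISTAGG(dv_role, ',') WITHIN GROUP (ORDER BY dv_role) AS dv_roles
FROM   (SELECT DISTINCT grantee, dv_role FROM role_tree)
WHERE  grantee IN (SELECT username FROM dba_users)      -- report users, not roles
GROUP  BY grantee
HAVING COUNT(DISTINCT dv_role) = 2;                     -- holds both: no separation
```

An empty result from the second query means data security and account management are held by different people. The recursive subquery and LISTAGG both require 11.2, which is the release shown in the demo.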


Securing Data

$ sqlplus system/********

SQL*Plus: Release 11.2.0.4.0 Production on Tue Apr 26 14:27:23 2016

Copyright (c) 1982, 2013, Oracle. All rights reserved.

Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, Real Application Clusters, Automatic Storage Management, Oracle Label Security,
OLAP, Data Mining, Oracle Database Vault and Real Application Testing options

SYSTEM@OLTB7_1 SQL> SELECT * FROM owner_dbt.emp;

     EMPNO ENAME      JOB              MGR HIREDATE                   SAL       COMM     DEPTNO
---------- ---------- --------- ---------- ------------------- ---------- ---------- ----------
      7369 SMITH      CLERK           7902 14-12-2013:00:00:00        800                    20
….
      7902 FORD       ANALYST         7566 30-11-2014:00:00:00       3000                    20
      7934 MILLER     CLERK           7782 20-01-2015:00:00:00       1300                    10

14 rows selected.

SYSTEM@OLTB7_1 SQL>


Securing Data

[Diagram: one Realm has many Secured Objects (here owner_dbt.emp) and many Authorizations.]


Securing Data

$ sqlplus system

SQL*Plus: Release 11.2.0.4.0 Production on Tue Apr 26 14:58:07 2016

Copyright (c) 1982, 2013, Oracle. All rights reserved.

Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, Real Application Clusters, Automatic Storage Management, Oracle Label Security,
OLAP, Data Mining, Oracle Database Vault and Real Application Testing options

SYSTEM@OLTB7_1 SQL> select * from owner_dbt.emp;
select * from owner_dbt.emp
                            *
ERROR at line 1:
ORA-01031: insufficient privileges

SYSTEM@OLTB7_1 SQL> select * from owner_dbt.dept;

    DEPTNO DNAME          LOC
---------- -------------- -------------
        10 ACCOUNTING     NEW YORK
…
        40 OPERATIONS     BOSTON

SYSTEM@OLTB7_1 SQL>


Securing Data

[Diagram: schema OWNER_DBT. The application server connects to the database as the application user user_app_dbt. Support users connect with individual accounts (user_dbt) that have read-only access.]


Securing Data

[Diagram: OWNER_DBT grants select, insert, update, delete on all objects to user_app_dbt; grants select on all objects to the role owner_dbt_ro_role; the role owner_dbt_ro_role is granted to user_dbt.]


Securing Data

To create the app user we need the special security account with the DV_ACCTMGR role:

SYSTEM@OLTB7_1 SQL> create user user_app_dbt identified by ******** default tablespace users;
create user user_app_dbt identified by ******** default tablespace users
*
ERROR at line 1:
ORA-47306: 20006: No way Jose

SYSTEM@OLTB7_1 SQL> connect owner_dvt
Connected.
OWNER_DVT@OLTB7_1 SQL> create user user_app_dbt identified by ******** default tablespace users;

User created.

OWNER_DVT@OLTB7_1 SQL> grant connect to user_app_dbt;

Grant succeeded.

OWNER_DVT@OLTB7_1 SQL>


Securing Data

Create the read-only (RO) user and the RO role:

OWNER_DVT@OLTB7_1 SQL> create user user_dbt identified by ******** default tablespace users;

User created.

OWNER_DVT@OLTB7_1 SQL> grant connect to user_dbt;

Grant succeeded.

OWNER_DVT@OLTB7_1 SQL>

SYSTEM@OLTB7_1 SQL> create role owner_dbt_ro_role;

Role created.

SYSTEM@OLTB7_1 SQL> grant owner_dbt_ro_role to user_dbt;

Grant succeeded.

SYSTEM@OLTB7_1 SQL>


Securing Data

$ sqlplus owner_dbt/********

SQL*Plus: Release 11.2.0.4.0 Production on Tue Apr 26 17:37:16 2016

Copyright (c) 1982, 2013, Oracle. All rights reserved.

Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, Real Application Clusters, Automatic Storage Management, Oracle Label Security,
OLAP, Data Mining, Oracle Database Vault and Real Application Testing options

OWNER_DBT@OLTB7_1 SQL> grant select, insert, update, delete on emp to user_app_dbt;

Grant succeeded.

OWNER_DBT@OLTB7_1 SQL> grant select on emp to owner_dbt_ro_role;

Grant succeeded.

OWNER_DBT@OLTB7_1 SQL>


Securing Data

USER_DBT@OLTB7_1 SQL> connect user_dbt/********
Connected.
USER_DBT@OLTB7_1 SQL> select count(*) from owner_dbt.emp;

  COUNT(*)
----------
        14

USER_DBT@OLTB7_1 SQL> delete from owner_dbt.emp;
delete from owner_dbt.emp
                      *
ERROR at line 1:
ORA-01031: insufficient privileges

READ access is granted through “owner_dbt_ro_role”; DELETE is not permitted.


Securing Data

SYS@OLTB7_1 SQL> connect user_app_dbt/********
Connected.
USER_APP_DBT@OLTB7_1 SQL> select count(*) from owner_dbt.emp;

  COUNT(*)
----------
        14

USER_APP_DBT@OLTB7_1 SQL> delete from owner_dbt.emp;

14 rows deleted.

USER_APP_DBT@OLTB7_1 SQL> rollback;

Rollback complete.

USER_APP_DBT@OLTB7_1 SQL>

READ, WRITE, DELETE and UPDATE access is granted through a direct GRANT from the owner.


Securing Data

SYSTEM@OLTB7_1 SQL> select count(*) from owner_dbt.emp;

  COUNT(*)
----------
        14

SYSTEM@OLTB7_1 SQL> delete from owner_dbt.emp;
delete from owner_dbt.emp
                      *
ERROR at line 1:
ORA-01031: insufficient privileges

What the heck is going on, SYSTEM can still SELECT from OWNER_DBT.EMP?

SYSTEM@OLTB7_1 SQL> select * from session_roles where role like 'OWNER%';

ROLE
-----------------
OWNER_DBT_RO_ROLE


Securing Data

The ROLE was created by SYSTEM, and a role is granted to its creator (with ADMIN OPTION), so SYSTEM gets the role's SELECT privilege as well; the realm only blocks system privileges, not object privileges that arrive through a role. There is a nice solution for this, but we keep it simple for now.

SYSTEM@OLTB7_1 SQL> drop role owner_dbt_ro_role;

Role dropped.

SYSTEM@OLTB7_1 SQL> connect owner_dbt/********
Connected.
OWNER_DBT@OLTB7_1 SQL> grant select on emp to user_dbt;

Grant succeeded.

OWNER_DBT@OLTB7_1 SQL> connect system/********
Connected.
SYSTEM@OLTB7_1 SQL> select count(*) from owner_dbt.emp;
select count(*) from owner_dbt.emp
                               *
ERROR at line 1:
ORA-01031: insufficient privileges

SYSTEM@OLTB7_1 SQL> delete from owner_dbt.emp;
delete from owner_dbt.emp
                      *
ERROR at line 1:
ORA-01031: insufficient privileges
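A review query for the situation just shown, added as an example for this page (not part of the demo): it lists every user that can reach an object of realm RLM_OWNER_DBT through an object privilege granted to a role, following nested role grants, and then the lighter remediation of revoking the role from its creator instead of dropping it. It reads the Database Vault view DBA_DV_REALM_OBJECT plus the standard DBA_TAB_PRIVS, DBA_ROLE_PRIVS, DBA_ROLES and DBA_USERS views; the realm name is the one from the audit log later in the deck.

```sql
-- Added check: realms stop system privileges (SELECT ANY TABLE), not object privileges.
-- Find users who hold an object privilege on a realm object via a role, directly or nested.
WITH realm_objects AS (
  SELECT owner, object_name
  FROM   dvsys.dba_dv_realm_object
  WHERE  realm_name = 'RLM_OWNER_DBT'
),
role_privs AS (
  -- object privileges on realm objects whose grantee is a ROLE (not a user)
  SELECT tp.grantee AS role_name, tp.owner, tp.table_name, tp.privilege
  FROM   dba_tab_privs tp
  JOIN   realm_objects ro
         ON  ro.owner = tp.owner
         AND (ro.object_name = '%' OR ro.object_name = tp.table_name)
  WHERE  tp.grantee IN (SELECT role FROM dba_roles)
),
role_holders (role_name, holder) AS (
  SELECT rp0.role_name, rp.grantee
  FROM   role_privs rp0
  JOIN   dba_role_privs rp ON rp.granted_role = rp0.role_name
  UNION ALL
  SELECT rh.role_name, rp.grantee                       -- holder is itself a role
  FROM   role_holders rh
  JOIN   dba_role_privs rp ON rp.granted_role = rh.holder
)
SELECT DISTINCT rh.holder AS account, rh.role_name AS via_role,
       rp.owner, rp.table_name, rp.privilege
FROM   role_holders rh
JOIN   role_privs   rp ON rp.role_name = rh.role_name
WHERE  rh.holder IN (SELECT username FROM dba_users)    -- users only
ORDER  BY account, via_role, table_name;

-- Expected in the demo situation: SYSTEM, via OWNER_DBT_RO_ROLE, SELECT on OWNER_DBT.EMP.
-- Remediation without dropping the role: take it away from the account that created it.
REVOKE owner_dbt_ro_role FROM system;
```

Running the first query after the REVOKE should list only USER_DBT. Creating application roles as the schema owner (OWNER_DBT) rather than as SYSTEM avoids the problem from the start, because the creator is then an account that is already a realm owner.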


Securing Data

$ sqlplus / as sysdba

SQL*Plus: Release 11.2.0.4.0 Production on Thu Apr 28 10:39:25 2016

Copyright (c) 1982, 2013, Oracle. All rights reserved.

Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, Real Application Clusters, Automatic Storage Management, Oracle Label Security,
OLAP, Data Mining, Oracle Database Vault and Real Application Testing options

SYS@OLTB7_1 SQL> select count(*) from owner_dbt.emp;
select count(*) from owner_dbt.emp
                               *
ERROR at line 1:
ORA-01031: insufficient privileges

SYS@OLTB7_1 SQL> delete from owner_dbt.emp;
delete from owner_dbt.emp
                      *
ERROR at line 1:
ORA-01031: insufficient privileges


Securing Data

SYS@OLTB7_1 SQL> connect user_dbt/********
Connected.
USER_DBT@OLTB7_1 SQL> select count(*) from owner_dbt.emp;

  COUNT(*)
----------
        14

USER_DBT@OLTB7_1 SQL> delete from owner_dbt.emp;
delete from owner_dbt.emp
                      *
ERROR at line 1:
ORA-01031: insufficient privileges


Securing Data

USER_DBT@OLTB7_1 SQL> connect owner_dvt/********
Connected.
OWNER_DVT@OLTB7_1 SQL> select count(*) from owner_dbt.emp;
select count(*) from owner_dbt.emp
                               *
ERROR at line 1:
ORA-00942: table or view does not exist

OWNER_DVT@OLTB7_1 SQL> delete from owner_dbt.emp;
delete from owner_dbt.emp
                      *
ERROR at line 1:
ORA-00942: table or view does not exist

Program / Agenda

• Auditing


Auditing

All actions (failed and/or succeeded) are logged within the database.


Auditing

A trigger on the audit table makes sure all violations are also written to the OS log (readable as root):

Apr 28 09:44:52 exdb1003-adm goossenshfm: CEF:0|ORACLE|database vault|1.0|001|Realm Violation Audit|10|rt=28-04-2016:09:44:52 fname=3433240261 deviceProcessName=DELETE FROM OWNER_DBT.EMP duser=SYSTEM suser=goossenshfm cs1=on_fail cs1Label=audit_option cs2= cs2Label=rule_set_name cs3=RLM_OWNER_DBT cs3Label=action_object_name
Apr 28 10:11:59 exdb1003-adm goossenshfm: CEF:0|ORACLE|database vault|1.0|001|Realm Violation Audit|10|rt=28-04-2016:10:11:59 fname=3433240261 deviceProcessName=SELECT COUNT(*) FROM OWNER_DBT.EMP duser=SYSTEM suser=goossenshfm cs1=on_fail cs1Label=audit_option cs2= cs2Label=rule_set_name cs3=RLM_OWNER_DBT cs3Label=action_object_name
Apr 28 10:12:08 exdb1003-adm goossenshfm: CEF:0|ORACLE|database vault|1.0|001|Realm Violation Audit|10|rt=28-04-2016:10:12:08 fname=3433240261 deviceProcessName=DELETE FROM OWNER_DBT.EMP duser=SYSTEM suser=goossenshfm cs1=on_fail cs1Label=audit_option cs2= cs2Label=rule_set_name cs3=RLM_OWNER_DBT cs3Label=action_object_name
Apr 28 10:39:34 exdb1003-adm goossenshfm: CEF:0|ORACLE|database vault|1.0|001|Realm Violation Audit|10|rt=28-04-2016:10:39:34 fname=3433240261 deviceProcessName=SELECT COUNT(*) FROM OWNER_DBT.EMP duser=SYS suser=goossenshfm cs1=on_fail cs1Label=audit_option cs2= cs2Label=rule_set_name cs3=RLM_OWNER_DBT cs3Label=action_object_name
Apr 28 10:39:39 exdb1003-adm goossenshfm: CEF:0|ORACLE|database vault|1.0|001|Realm Violation Audit|10|rt=28-04-2016:10:39:39 fname=3433240261 deviceProcessName=DELETE FROM OWNER_DBT.EMP duser=SYS suser=goossenshfm cs1=on_fail cs1Label=audit_option cs2= cs2Label=rule_set_name cs3=RLM_OWNER_DBT cs3Label=action_object_name
Apr 28 10:52:25 exdb1003-adm goossenshfm: CEF:0|ORACLE|database vault|1.0|001|Realm Violation Audit|10|rt=28-04-2016:10:52:25 fname=3433240261 deviceProcessName=SELECT "OWNER_DBT"."EMP".* FROM "OWNER_DBT"."EMP" duser=SYSTEM suser=goossenshfm cs1=on_fail cs1Label=audit_option cs2= cs2Label=rule_set_name cs3=RLM_OWNER_DBT cs3Label=action_object_name
[root@exdb1003-adm oracle_audit]#
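The same realm violations, read from inside the database, as an added example for this page (not part of the demo): the first query shows the rows behind the CEF lines above, the second is a detection query that flags privileged accounts repeatedly hitting the realm. The column names are those of the 11g Database Vault audit table DVSYS.AUDIT_TRAIL$ (USERNAME and OS_USERNAME map to duser and suser, ACTION_COMMAND to deviceProcessName, AUDIT_OPTION, RULE_SET_NAME and ACTION_OBJECT_NAME to cs1..cs3); the 24-hour window and the threshold of three attempts are assumptions.

```sql
-- Added example: realm violations in the Database Vault audit trail (DVSYS.AUDIT_TRAIL$).
-- Run as a user with SELECT on the DV audit trail, e.g. the DV owner or DV_SECANALYST.

-- 1. The raw events for realm RLM_OWNER_DBT, same content as the syslog CEF lines.
SELECT TO_CHAR(a.timestamp, 'DD-MM-YYYY:HH24:MI:SS') AS event_time,
       a.username,                 -- database user (duser)
       a.os_username,              -- OS user of the client (suser)
       a.userhost,
       a.action_object_name AS realm,
       a.audit_option,             -- on_fail: the statement was blocked
       a.rule_set_name,
       a.action_command            -- the blocked SQL text
FROM   dvsys.audit_trail$ a
WHERE  a.action_object_name = 'RLM_OWNER_DBT'
AND    a.timestamp > SYSDATE - 1                        -- assumed: last 24 hours
ORDER  BY a.timestamp;

-- 2. Detection: SYS, SYSTEM or any DBA-role holder blocked by the realm 3+ times
--    in the window. This is the pattern of the SELECT/DELETE attempts above and
--    is worth an alert, since a DBA has no business reading the application data.
SELECT a.username,
       a.os_username,
       COUNT(*)          AS violations,
       MIN(a.timestamp)  AS first_seen,
       MAX(a.timestamp)  AS last_seen,
       LISTAGG(DISTINCT_CMD, ' | ') WITHIN GROUP (ORDER BY DISTINCT_CMD) AS commands
FROM  (SELECT DISTINCT username, os_username, timestamp,
              SUBSTR(action_command, 1, 40) AS DISTINCT_CMD
       FROM   dvsys.audit_trail$
       WHERE  action_object_name = 'RLM_OWNER_DBT'
       AND    audit_option = 'on_fail'
       AND    timestamp > SYSDATE - 1) a
WHERE (a.username IN ('SYS', 'SYSTEM')
       OR a.username IN (SELECT grantee FROM dba_role_privs WHERE granted_role = 'DBA'))
GROUP  BY a.username, a.os_username
HAVING COUNT(*) >= 3;                                   -- assumed threshold
```

For the six events in the deck, the second query returns two rows: SYSTEM/goossenshfm with four violations and SYS/goossenshfm with two, so only the SYSTEM row clears the threshold. Forwarding to syslog as the deck does is still the right choice for tamper resistance, because a DBA who is blocked by the realm cannot also edit the root-owned OS log.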

Program / Agenda

• Backups


Backups

Impact of Backups
• Export
• Data Pump
• RMAN


Backups

Export
…
. about to export OWNER_DBT's tables via Conventional Path ...
. . exporting table                            AAP          0 rows exported
. . exporting table                          BONUS          0 rows exported
. . exporting table                           DEPT          4 rows exported
EXP-00091: Exporting questionable statistics.
. . exporting table                          DUMMY          1 rows exported
EXP-00091: Exporting questionable statistics.
. . exporting table                            EMP
EXP-00056: ORACLE error 1031 encountered
ORA-01031: insufficient privileges
. . exporting table                           MIES          0 rows exported
. . exporting table                           NOOT          0 rows exported
. . exporting table                         SALARY          2 rows exported
EXP-00091: Exporting questionable statistics.
. . exporting table                       SALGRADE          5 rows exported
EXP-00091: Exporting questionable statistics.
……


Securing Data

Data Pump
….
Processing object type SCHEMA_EXPORT/POST_SCHEMA/PROCACT_SCHEMA
ORA-31693: Table data object "OWNER_DBT"."DEPT" failed to load/unload and is being skipped due to error:
ORA-02354: error in exporting/importing data
ORA-28116: insufficient privileges to do direct path access
ORA-31693: Table data object "OWNER_DBT"."DUMMY" failed to load/unload and is being skipped due to error:
ORA-02354: error in exporting/importing data
ORA-28116: insufficient privileges to do direct path access
ORA-31693: Table data object "OWNER_DBT"."EMP" failed to load/unload and is being skipped due to error:
ORA-02354: error in exporting/importing data
ORA-28116: insufficient privileges to do direct path access
ORA-31693: Table data object "OWNER_DBT"."SALARY" failed to load/unload and is being skipped due to error:
ORA-02354: error in exporting/importing data
ORA-28116: insufficient privileges to do direct path access
ORA-31693: Table data object "OWNER_DBT"."SALGRADE" failed to load/unload and is being skipped due to error:
ORA-02354: error in exporting/importing data
ORA-28116: insufficient privileges to do direct path access
….


Backups

RMAN
• Requires SYSDBA access
• May need to hardcode the SYS password or use a wallet
• Works successfully


Backups

• EXP/EXPDP need authorization from the realm owner; the resulting export files are not protected by Database Vault.

• RMAN backups are block based and can be restored into another database (clone/duplicate).
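One way to let a dedicated export account through the realm without running the export as the schema owner, added here as an example for this page (not part of the demo): the account is made a realm participant whose authorization only holds while a backup-window rule set is true, and is registered for Data Pump on the schema. The account name EXPORT_SVC, the window (01:00 to 05:00), and the rule and rule set names are assumptions; RLM_OWNER_DBT is the realm from the deck. DBMS_MACADM.AUTHORIZE_DATAPUMP_USER is the Database Vault 11.2 procedure for Data Pump users; it is run as the DV owner together with the rest of the block.

```sql
-- Added example: time-boxed realm participant for a Data Pump export account (run as DV owner).
-- The realm RLM_OWNER_DBT is assumed to exist; EXPORT_SVC is an assumed service account.
BEGIN
  -- Rule: true only inside the nightly backup window (assumed 01:00-05:00 server time).
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'RUL_IS_BACKUP_WINDOW',
    rule_expr => q'[TO_CHAR(SYSDATE, 'HH24') BETWEEN '01' AND '04']');

  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'RST_BACKUP_WINDOW',
    description     => 'Exports of OWNER_DBT allowed during the backup window only',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,  -- out-of-window attempts are audited
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'Exports only allowed in the backup window',
    fail_code       => 20007,                             -- assumed code
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);

  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'RST_BACKUP_WINDOW', rule_name => 'RUL_IS_BACKUP_WINDOW');

  -- PARTICIPANT, not OWNER: may read the realm objects while the rule set is true,
  -- but can never grant privileges on them or hand the access to someone else.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'RLM_OWNER_DBT',
    grantee       => 'EXPORT_SVC',
    rule_set_name => 'RST_BACKUP_WINDOW',
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);

  -- Data Pump additionally needs an explicit Database Vault authorization,
  -- here limited to the OWNER_DBT schema (third argument NULL = all its tables).
  DBMS_MACADM.AUTHORIZE_DATAPUMP_USER(
    uname   => 'EXPORT_SVC',
    schema  => 'OWNER_DBT',
    tabname => NULL);
END;
/

-- Review: who is authorized on the realm, and under which rule set?
SELECT grantee, auth_options, auth_rule_set_name
FROM   dvsys.dba_dv_realm_auth
WHERE  realm_name = 'RLM_OWNER_DBT';
```

Outside the window the export fails with the ORA-01031 / ORA-31693 errors shown on the previous slides and the attempt appears in the Database Vault audit trail, which is the behaviour a backup job should have when it runs at an unexpected time. The dump file itself is still outside Database Vault's control, so it needs its own protection, for instance Data Pump's own encryption options or file-system permissions that match those of the database files.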