Oracle Database Vault
Oracle Database Vault is a very powerful and easy-to-use security tool that can be deployed quickly to enforce security and to comply with audit requirements.
In the first case study, a user with all database privileges (DBA) is still 'locked out' and prevented from accessing certain tables in a particular schema.
In the second case study, security is enforced by ensuring that DELETE operations on a particular table are only possible when the user connects from a client machine with a particular IP address.
Using the web UI, creating rule sets and security realms is very easy, so all the different kinds of audit and security requirements can be met effectively with minimum effort.
CONFIGURE OEM:
SQL> alter user sysman identified by sysman;
User altered.
SQL> alter user dbsnmp identified by dbsnmp;
User altered.
SQL> alter user sysman account unlock;
User altered.
SQL> alter user dbsnmp account unlock;
User altered.
SQL> !
[oracle@database ~]$ netmgr (TO CREATE LISTENER & TNS BOTH)
[oracle@database ~]$ lsnrctl start test
LSNRCTL for Linux: Version 11.2.0.3.0 - Production on 13-APR-2016 11:34:33
Copyright (c) 1991, 2011, Oracle. All rights reserved.
Starting /u01/app/oracle/product/11.2.0/dbhome_1/bin/tnslsnr: please wait...
TNSLSNR for Linux: Version 11.2.0.3.0 - Production
System parameter file is /u01/app/oracle/product/11.2.0/dbhome_1/network/admin/listener.ora
Log messages written to /u01/app/oracle/diag/tnslsnr/database/test/alert/log.xml
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=database.mustak.com)(PORT=1521)))
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=database.mustak.com)(PORT=1521)))
STATUS of the LISTENER
------------------------
Alias test
Version TNSLSNR for Linux: Version 11.2.0.3.0 - Production
Start Date 13-APR-2016 11:34:33
Uptime 0 days 0 hr. 0 min. 0 sec
Trace Level off
Security ON: Local OS Authentication
SNMP OFF
Listener Parameter File /u01/app/oracle/product/11.2.0/dbhome_1/network/admin/listener.ora
Listener Log File /u01/app/oracle/diag/tnslsnr/database/test/alert/log.xml
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=database.mustak.com)(PORT=1521)))
Services Summary...
Service "TEST" has 1 instance(s).
Instance "TEST", status UNKNOWN, has 1 handler(s) for this service...
The command completed successfully
[oracle@database ~]$ tnsping test
TNS Ping Utility for Linux: Version 11.2.0.3.0 - Production on 13-APR-2016 11:34:39
Copyright (c) 1997, 2011, Oracle. All rights reserved.
Used parameter files:
Used TNSNAMES adapter to resolve the alias
Attempting to contact (DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.1.82)(PORT = 1521))) (CONNECT_DATA = (SERVICE_NAME = TEST)))
OK (0 msec)
[oracle@database ~]$ emca -config dbcontrol db -repos create
STARTED EMCA at Apr 13, 2016 11:35:56 AM
EM Configuration Assistant, Version 11.2.0.3.0 Production
Copyright (c) 2003, 2011, Oracle. All rights reserved.
Enter the following information:
Database SID: TEST
Listener port number: 1521
Listener ORACLE_HOME [ /u01/app/oracle/product/11.2.0/dbhome_1 ]:
Password for SYS user:
Password for DBSNMP user:
Password for SYSMAN user:
Email address for notifications (optional):
Outgoing Mail (SMTP) server for notifications (optional):
You have specified the following settings
Database ORACLE_HOME ................ /u01/app/oracle/product/11.2.0/dbhome_1
Local hostname ................ database.mustak.com
Listener ORACLE_HOME ................ /u01/app/oracle/product/11.2.0/dbhome_1
Listener port number ................ 1521
Database SID ................ TEST
Email address for notifications ...............
Outgoing Mail (SMTP) server for notifications ...............
-----------------------------------------------------------------
Do you wish to continue? [yes(Y)/no(N)]: Y
Apr 13, 2016 11:36:18 AM oracle.sysman.emcp.EMConfig perform
INFO: This operation is being logged at /u01/app/oracle/cfgtoollogs/emca/TEST/emca_2016_04_13_11_35_56.log.
Apr 13, 2016 11:36:22 AM oracle.sysman.emcp.EMReposConfig uploadConfigDataToRepository
INFO: Uploading configuration data to EM repository (this may take a while) ...
Apr 13, 2016 11:37:01 AM oracle.sysman.emcp.EMReposConfig invoke
INFO: Uploaded configuration data successfully
Apr 13, 2016 11:37:03 AM oracle.sysman.emcp.util.DBControlUtil secureDBConsole
INFO: Securing Database Control (this may take a while) ...
Apr 13, 2016 11:38:18 AM oracle.sysman.emcp.util.DBControlUtil secureDBConsole
INFO: Database Control secured successfully.
Apr 13, 2016 11:38:18 AM oracle.sysman.emcp.util.DBControlUtil startOMS
INFO: Starting Database Control (this may take a while) ...
Apr 13, 2016 11:38:56 AM oracle.sysman.emcp.EMDBPostConfig performConfiguration
INFO: Database Control started successfully
Apr 13, 2016 11:38:56 AM oracle.sysman.emcp.EMDBPostConfig performConfiguration
INFO: >>>>>>>>>>> The Database Control URL is https://database.mustak.com:1158/em <<<<<<<<<<<
Apr 13, 2016 11:38:58 AM oracle.sysman.emcp.EMDBPostConfig invoke
WARNING:
************************ WARNING ************************
Management Repository has been placed in secure mode wherein Enterprise Manager data will be encrypted. The encryption key has been placed in the file: /u01/app/oracle/product/11.2.0/dbhome_1/database.mustak.com_TEST/sysman/config/emkey.ora. Ensure this file is backed up as the encrypted data will become unusable if this file is lost.
***********************************************************
Enterprise Manager configuration completed successfully
FINISHED EMCA at Apr 13, 2016 11:38:58 AM
CONFIGURING DATABASE VAULT OPTIONS TO AN EXISTING ORACLE_HOME AND SETTING UP THE DATA VAULT OWNER IN THE DATABASE ‘DBVOWNER’
[oracle@database ]$ dbca
PASSWORD=welcome#123
CHECK WHETHER DATABASE VAULT IS ENABLED OR NOT
SQL> select * from v$option where parameter ='Oracle Database Vault';
PARAMETER                         VALUE
--------------------------------- ----------------------------------
Oracle Database Vault             FALSE
CONFIGURE DATABASE VAULT
1) Ensure that the computer on which you want to register Oracle Database Vault has the Oracle Enterprise Manager Database Console available:
./emctl status dbconsole
2) Stop the database, the Database Control console process, and the listener:
SQL> SHUTDOWN IMMEDIATE
SQL> EXIT
$ emctl stop dbconsole
$ lsnrctl stop TEST
For Oracle RAC installations, shut down each database instance as follows:
$ srvctl stop database -d db_name
3) Enable Oracle Database Vault as follows:
$ cd $ORACLE_HOME/rdbms/lib
$ make -f ins_rdbms.mk dv_on lbac_on ioracle
4) Restart the database and listener. (Do not restart the Database Control console process yet.)
$ sqlplus sys as sysoper
Enter password: password
SQL> STARTUP
SQL> EXIT
$ lsnrctl start TEST
[oracle@database lib]$ emctl start dbconsole
(The relink in step 3 only succeeds when the database, dbconsole and listener are all shut down.) Verify that Database Vault is now enabled:
SQL> select * from v$option where parameter ='Oracle Database Vault';
PARAMETER                         VALUE
--------------------------------- ----------------------------------
Oracle Database Vault             TRUE
User SYS has SELECT ANY TABLE privilege and can select all the rows of the SCOTT.EMP table.
SQL> conn / as sysdba
Connected.
SQL> select count(*) from scott.emp;
COUNT(*)
----------
14
https://database.mustak.com:1158/dva
ADD THE EMP TABLE OWNED BY SCOTT TO THE SECURED REALM scott
DEMO:-
SQL> conn / as sysdba
Connected.
SQL> select * from scott.emp;
select * from scott.emp
SQL> alter user scott account lock;
alter user scott account lock
*
ERROR at line 1:
ORA-01031: insufficient privileges
SQL> alter user scott identified by scott;
alter user scott identified by scott
*
ERROR at line 1:
ORA-01031: insufficient privileges
ADD ALL TABLES OWNED BY SCOTT TO THE SECURED REALM SCOTT_FULL
SQL> show user
USER is "SYS"
SQL> select * from scott.dept;
select * from scott.dept
*
ERROR at line 1:
ORA-01031: insufficient privileges
SQL> select * from scott.emp;
select * from scott.emp
*
ERROR at line 1:
ORA-01031: insufficient privileges
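The SCOTT_FULL realm from the demo above, scripted with the DBMS_MACADM package instead of the DVA web UI. This is an added example, not from the original document: the description text and the choice to keep SCOTT authorised as realm owner are assumptions, and the procedure signatures are the 11g Release 2 ones.

```sql
-- Added example, not from the original document: the SCOTT_FULL realm
-- created with DBMS_MACADM instead of the DVA web UI. Run as the Database
-- Vault owner (DBVOWNER). Description text and the decision to keep SCOTT
-- authorised as realm owner are assumptions; signatures are 11g Release 2.
BEGIN
  -- A realm blocks every account that is not authorised in it, including
  -- SYS with SELECT ANY TABLE. Failed accesses go to the DV audit trail.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'SCOTT_FULL',
    description   => 'All objects owned by SCOTT',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);

  -- '%' for name and type protects every current and future SCOTT object,
  -- not just EMP and DEPT.
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'SCOTT_FULL',
    object_owner => 'SCOTT',
    object_name  => '%',
    object_type  => '%');

  -- Without an authorisation SCOTT would be locked out of its own schema;
  -- as realm owner it keeps full use of it while SYS stays blocked.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'SCOTT_FULL',
    grantee       => 'SCOTT',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_OWNER);
END;
/

-- Confirm what the realm covers and who is authorised in it.
SELECT owner, object_name, object_type
  FROM DBA_DV_REALM_OBJECT
 WHERE realm_name = 'SCOTT_FULL';

SELECT grantee, auth_options
  FROM DBA_DV_REALM_AUTH
 WHERE realm_name = 'SCOTT_FULL';

-- SELECT * FROM scott.emp as SYS now fails with ORA-01031, as in the demo.
```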
CASE TWO
In the second case study we set up security using Database Vault so that any DELETE operation on a certain table can ONLY BE PERFORMED IF YOU CONNECT FROM A CLIENT MACHINE WITH A PARTICULAR IP ADDRESS; this prevents unauthorized access to data stored in sensitive tables.
CREATE A NEW RULE SET
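The rule set for this case, scripted with DBMS_MACADM instead of the DVA web UI, as an added example that is not from the original document. The trusted client IP 192.0.2.10 and all rule, rule set and table names are assumptions; Client_IP (DVF.F$CLIENT_IP) is one of the default Database Vault factors and the procedure signatures are the 11g Release 2 ones.

```sql
-- Added example, not from the original document: DELETE on SCOTT.EMP allowed
-- only from one trusted client IP, built with DBMS_MACADM. Run as DBVOWNER.
-- The IP 192.0.2.10 (constructed) and all names are assumptions.
BEGIN
  -- Rule: true only when the session's client IP matches the trusted host.
  -- Note: a local bequeath connection has no client IP, so the factor is
  -- NULL there and the rule fails closed, which is the desired behaviour.
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Delete from trusted client',
    rule_expr => 'DVF.F$CLIENT_IP = ''192.0.2.10''');

  -- Rule set: every rule must pass; failures are audited and the error shown.
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'EMP delete from trusted client',
    description     => 'Allow DELETE on SCOTT.EMP only from the trusted client',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => NULL,
    fail_code       => NULL,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);

  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'EMP delete from trusted client',
    rule_name     => 'Delete from trusted client');

  -- Command rule: every DELETE on SCOTT.EMP is gated by the rule set,
  -- no matter which DELETE privileges the issuing user holds.
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'DELETE',
    rule_set_name => 'EMP delete from trusted client',
    object_owner  => 'SCOTT',
    object_name   => 'EMP',
    enabled       => DBMS_MACUTL.G_YES);
END;
/

-- Check that the command rule is wired to the rule set and enabled.
SELECT command, object_owner, object_name, rule_set_name, enabled
  FROM DBA_DV_COMMAND_RULE
 WHERE object_owner = 'SCOTT' AND object_name = 'EMP';

-- From any other client, DELETE FROM scott.emp now fails with
-- ORA-47400: Command Rule violation for DELETE on SCOTT.EMP
```

An IP-based rule is only as trustworthy as the network path to the database, so it belongs alongside, not instead of, the realm protection from case one.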
DISABLE DATABASE VAULT
1. Stop OEM (dbconsole)
2. Stop the database
3. Stop the listener
4. $ cd $ORACLE_HOME/rdbms/lib
5. $ make -f ins_rdbms.mk dv_off lbac_off
6. $ cd $ORACLE_HOME/bin
7. $ relink oracle