OTech Magazine, Winter 2014. Cover: Content-Enabling Your Insurance Business Using Oracle BPM and WebCenter Content; ASM Metrics; Enforcing Principle of Least Privilege; Maturity of Service Oriented Architectures; Future is now, ODI 12c. And more: 18 authors, 17 articles, 4 ACEs, 6 ACE Directors, ...

OTech magazine article - Principle of Least Privilege


Original Magazine at http://www.otechmag.com/2014/otech-magazine-winter-2014/


Oracle Database Security

Enforcing Principle of Least Privilege

Biju Thomas - OneNeck IT Solutions

One of the top features of Oracle Database 12c that attracted me is the ability to enforce the principle of least privilege with ease. Ever since database vendors started taking security seriously, the principle of least privilege theory has been in play. To identify the privileges required by an application or user in Oracle database versions prior to 12c was a tedious trial and error process. Many applications I have come across run with DBA or DBA-like privileges; this is because no privilege analysis is done at application design and development time. For the application design and development team the focus is always on getting the development work completed and delivering the project. Security, especially least privilege, is not a focus item where the team wants to spend time. It is easy to grant system privileges (especially DBA or ANY privileges like INSERT ANY TABLE) to get the application working.

Oracle Database 12c brings the Privilege Analysis feature to clearly identify the privileges required by an application for its functioning, and tells the DBA which privileges can be revoked to enforce the principle of least privilege and make the database and application more secure. The Privilege Analysis feature is available only in Enterprise Edition and it requires the Database Vault license, which is an extra cost option. The good thing is that Database Vault need not be enabled to use Privilege Analysis - one less thing to worry about.

In a nutshell, privilege analysis works as below:

- Define a capture - to identify what needs to be analyzed
- Enable the capture, to start capturing
- Run the application or utility whose privileges need to be analyzed
- Disable the capture
- Generate results from the capture for review
- Implement the results, from the findings

I will explain the steps using the SQL command line as well as using Enterprise Manager Cloud Control 12c. To do the privilege analysis you need the CAPTURE_ADMIN role; this role is granted to the DBA role, so if you have DBA privileges on the 12c database, you can perform the analysis.

Figure 1: Privilege Analysis

Demo Environment

For demonstration purposes I am going to use the OE schema that comes with the Oracle Database 12c examples - it has 14 tables and several other objects. We want to analyze the privileges of the OE_ADM user, who currently has the following privileges:

- SELECT ANY TABLE
- INSERT ANY TABLE
- UPDATE ANY TABLE
- DELETE ANY TABLE
- ALTER ANY TRIGGER
- CREATE PROCEDURE
- CREATE TABLE
- CREATE SYNONYM
- CREATE ANY INDEX
- ALL privs on ORDERS and ORDER_ITEMS tables
- CONNECT and DBA roles

SQL> select object_type, count(*) from dba_objects where owner='OE' group by object_type;

OBJECT_TYPE           COUNT(*)
------------------- ----------
SEQUENCE                     1
LOB                         15
TYPE BODY                    3
TRIGGER                      4
TABLE                       14
INDEX                       48
SYNONYM                      6
VIEW                        13
FUNCTION                     1
TYPE                        37

The OE_ADM user connects using SQL Developer to run the scripts and reports. Our objective is to remove the ANY privileges from the OE_ADM user and grant appropriate privileges based on the tasks performed during the analysis period.

The new package DBMS_PRIVILEGE_CAPTURE has the subprograms to manage the privilege analysis. The CAPTURE_ADMIN role has execute privilege on this package.

Define and Start Capture

The very first step in privilege analysis is to create a capture, to define what actions need to be monitored. Four types of analysis can be defined in the capture:

- Database (G_DATABASE - 1): If no condition is defined, analyzes used privileges on all objects within the whole database. No condition or roles parameter is specified for this type of capture.
- Role (G_ROLE - 2): Analyzes privileges exercised through a role. Specify the roles to analyze using the ROLES parameter.
- Context (G_CONTEXT - 3): Use this to analyze privileges that are used through an application module or a specific context. Specify a CONDITION to analyze.
- Role and Context (G_ROLE_AND_CONTEXT - 4): Combination of role and context.
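As an added example that is not part of the article, the three capture types the demo does not use, each written as a CREATE_CAPTURE call so the parameter each type needs is visible. The capture names and descriptions are placeholders chosen here, and the closing query assumes the DBA_PRIV_CAPTURES view and its column names as documented for 12c.

```sql
-- Added example (not from the article): one CREATE_CAPTURE call per
-- capture type the demo does not show. Names/descriptions are placeholders.
BEGIN
  -- G_DATABASE (1): no ROLES, no CONDITION; records every privilege
  -- exercised by any session in the whole database
  DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
    name        => 'Whole_DB_Capture',
    description => 'All privilege use in the database',
    type        => DBMS_PRIVILEGE_CAPTURE.G_DATABASE);

  -- G_ROLE (2): only privileges exercised through the listed roles,
  -- useful to learn which parts of DBA a role holder actually needs
  DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
    name        => 'DBA_Role_Capture',
    description => 'Which DBA role privileges are really used',
    type        => DBMS_PRIVILEGE_CAPTURE.G_ROLE,
    roles       => ROLE_NAME_LIST('DBA'));

  -- G_CONTEXT (3): only sessions for which the CONDITION is true,
  -- whatever role the privilege came through
  DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
    name        => 'OE_ADM_Any_Module',
    description => 'Everything OE_ADM uses, regardless of client tool',
    type        => DBMS_PRIVILEGE_CAPTURE.G_CONTEXT,
    condition   => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') = ''OE_ADM''');
END;
/

-- Confirm what was defined and which captures are currently enabled
-- (view and column names assumed from the 12c reference)
SELECT name, type, enabled, roles, context
  FROM dba_priv_captures
 ORDER BY name;
```

Defining a capture does not start it; each still needs ENABLE_CAPTURE as shown later in the article. In Oracle 12c Release 1 only one capture other than a database-wide one can be enabled at a time, so define several if you like but enable them one after another, and remove finished ones with DBMS_PRIVILEGE_CAPTURE.DROP_CAPTURE so they do not accumulate.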


The CREATE_CAPTURE subprogram is used to define the capture. For our demo, we want to use Role and Context, because we want to know what privileges from the DBA role are being used, as well as what other privileges granted to OE_ADM are used, when the application used is "SQL Developer".

Figure 2: OEM Screen to Create a Privilege Analysis Policy

Figure 2 shows the OEM screen to create a capture policy. With a few clicks you can easily create the policy. Depending on the capture type chosen, additional input is requested. The SQL to define the policy as shown in Figure 2 is:

BEGIN
  DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
    name        => 'Analyze_OE_ADM',
    description => 'Review Privileges used by OE_ADM through SQL Developer',
    type        => DBMS_PRIVILEGE_CAPTURE.G_ROLE_AND_CONTEXT,
    roles       => ROLE_NAME_LIST('DBA','CONNECT'),
    condition   => 'SYS_CONTEXT(''USERENV'',''MODULE'') = ''SQL Developer'' AND SYS_CONTEXT(''USERENV'',''SESSION_USER'') = ''OE_ADM''');
END;
/


Once the policy is defined, it shows up in the OEM Privilege Analysis main screen, from where you can enable, disable, generate a report and drop the policy. See Figure 3.

Figure 3: Privilege Analysis screen of OEM

You can click on the Start button to start the capture, or use the SQL below to start the capture.

EXECUTE DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE(name => 'Analyze_OE_ADM');

Now run the application for a period of time, so that Oracle can capture all the privileges used.

Stop Capture and Generate Reports

Ok, now that the OE_ADM user has performed their tasks using SQL Developer, let us stop the capture and review the privileges used.

EXECUTE DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE(name => 'Analyze_OE_ADM');

Using OEM you can click on the Stop Capture button as shown in Figure 3. Now click the Generate Report button. Using SQL you can accomplish this by:

EXECUTE DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT(name => 'Analyze_OE_ADM');

OEM shows the number of unused privileges in the summary screen as shown in Figure 4.

Figure 4: Unused privileges

Once you run the Generate Results procedure, all the DBA_USED_ views as well as the DBA_UNUSED_ views are populated. You may query these views to generate revoke scripts or to prepare reports. The DBA_USED_ views show the privileges used by the user for the policy. The DBA_UNUSED_ views show the privileges that are assigned to the user but are not used. The _PATH views show the privilege path (how the privilege was given to the user, through which role).


Capture Privilege - DBA Views Populated with Generate Results Procedure

DBA_USED_OBJPRIVS
DBA_USED_OBJPRIVS_PATH
DBA_USED_PRIVS
DBA_USED_PUBPRIVS
DBA_USED_SYSPRIVS
DBA_USED_SYSPRIVS_PATH
DBA_USED_USERPRIVS
DBA_USED_USERPRIVS_PATH
DBA_UNUSED_COL_TABS
DBA_UNUSED_OBJPRIVS
DBA_UNUSED_OBJPRIVS_PATH
DBA_UNUSED_PRIVS
DBA_UNUSED_SYSPRIVS
DBA_UNUSED_SYSPRIVS_PATH
DBA_UNUSED_USERPRIVS
DBA_UNUSED_USERPRIVS_PATH
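The article says these views can be queried to build reports and revoke scripts but shows no SQL for it, so here is an added example (not from the article) against the 'Analyze_OE_ADM' capture: an unused-privilege count like the OEM summary, the used privileges with the role they came through, the grant path, and a generated revoke script limited to grants made directly to OE_ADM. Column names (CAPTURE, USERNAME, USED_ROLE, SYS_PRIV, OBJ_PRIV, OBJECT_OWNER, OBJECT_NAME, PATH) are taken from the 12c reference and should be checked against your release; the assumption that USED_ROLE is NULL for a direct grant is mine.

```sql
-- Added example (not from the article). Run after GENERATE_RESULT.
-- Column names assumed from the Oracle 12c reference; verify on your release.

-- 1. Summary: how many unused system and object privileges were found
SELECT 'system' AS kind, COUNT(*) AS unused
  FROM dba_unused_sysprivs
 WHERE capture = 'Analyze_OE_ADM'
UNION ALL
SELECT 'object', COUNT(*)
  FROM dba_unused_objprivs
 WHERE capture = 'Analyze_OE_ADM';

-- 2. What OE_ADM actually exercised, and through which role
--    (assumed: USED_ROLE is NULL when the privilege was granted directly)
SELECT DISTINCT username, used_role, sys_priv
  FROM dba_used_sysprivs
 WHERE capture = 'Analyze_OE_ADM'
 ORDER BY username, used_role, sys_priv;

SELECT DISTINCT username, used_role, obj_priv, object_owner, object_name
  FROM dba_used_objprivs
 WHERE capture = 'Analyze_OE_ADM'
 ORDER BY username, used_role, obj_priv, object_owner, object_name;

-- 3. The grant path for each used system privilege (user -> role -> ... -> privilege)
SELECT username, sys_priv, path
  FROM dba_used_sysprivs_path
 WHERE capture = 'Analyze_OE_ADM';

-- 4. Revoke script for unused privileges granted DIRECTLY to OE_ADM.
--    Anything that reached the user through DBA or CONNECT is skipped on
--    purpose: revoking it from the role would change every holder of that
--    role, which is exactly the situation the article warns about.
SELECT 'REVOKE ' || sys_priv || ' FROM ' || username || ';' AS revoke_stmt
  FROM dba_unused_sysprivs
 WHERE capture = 'Analyze_OE_ADM'
   AND username = 'OE_ADM'
   AND NVL(used_role, username) NOT IN ('DBA', 'CONNECT')
UNION ALL
SELECT 'REVOKE ' || obj_priv || ' ON "' || object_owner || '"."' || object_name
       || '" FROM ' || username || ';'
  FROM dba_unused_objprivs
 WHERE capture = 'Analyze_OE_ADM'
   AND username = 'OE_ADM'
   AND NVL(used_role, username) NOT IN ('DBA', 'CONNECT');
```

Spool the output of step 4 to a file and read it before running it: a privilege that is used only by a monthly or quarterly job will show up as unused if the capture window did not include that job, so a short capture period produces an overly aggressive revoke script.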

OEM makes it easier on you to see the reports and even generate a revoke script. Figure 5 shows the dropdown menu under Actions.

Figure 5: OEM Options under Actions

The Reports menu shows a summary, as well as used and unused privilege listings that you can export to an Excel file. To be able to use the Revoke Scripts option, OEM needs to complete a setup as shown in Figure 6.

Figure 6: OEM Setup for Revoke Scripts Generation


The revoke script revokes all unused roles and privileges from the role granted to the user; in this case that is not desired, because we do not want to mess with the DBA role. Here the Create Role menu comes to help. Figure 7 shows the OEM screen to create the role; you have the option to customize the role creation as well.

Figure 7: Create Role screen of OEM

This creates a new role for you with only the used privileges - how sweet is that!
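The SQL equivalent of that Create Role screen, as an added example that is not part of the article: a PL/SQL block reads the DBA_USED_SYSPRIVS and DBA_USED_OBJPRIVS views for the 'Analyze_OE_ADM' capture and grants exactly those privileges to a new role, after which the role can replace DBA for OE_ADM. The role name OE_ADM_LEAST_PRIV is a placeholder chosen for this example, and the view column names are assumed from the 12c reference.

```sql
-- Added example (not from the article): build a role carrying only the
-- privileges OE_ADM exercised during the capture, then swap it in for DBA.
-- OE_ADM_LEAST_PRIV is a placeholder name; view columns assumed from 12c docs.
SET SERVEROUTPUT ON

CREATE ROLE oe_adm_least_priv;

DECLARE
  l_sql VARCHAR2(4000);
BEGIN
  -- System privileges that were actually used, whichever role they came
  -- through (this is what lets the DBA role be taken away afterwards)
  FOR r IN (SELECT DISTINCT sys_priv
              FROM dba_used_sysprivs
             WHERE capture  = 'Analyze_OE_ADM'
               AND username = 'OE_ADM')
  LOOP
    l_sql := 'GRANT ' || r.sys_priv || ' TO oe_adm_least_priv';
    DBMS_OUTPUT.PUT_LINE(l_sql);      -- audit trail of every grant made
    EXECUTE IMMEDIATE l_sql;
  END LOOP;

  -- Object privileges that were actually used (e.g. on OE.ORDERS)
  FOR r IN (SELECT DISTINCT obj_priv, object_owner, object_name
              FROM dba_used_objprivs
             WHERE capture  = 'Analyze_OE_ADM'
               AND username = 'OE_ADM')
  LOOP
    l_sql := 'GRANT ' || r.obj_priv || ' ON "' || r.object_owner || '"."'
             || r.object_name || '" TO oe_adm_least_priv';
    DBMS_OUTPUT.PUT_LINE(l_sql);
    EXECUTE IMMEDIATE l_sql;
  END LOOP;
END;
/

-- Hand the narrow role to the user, then take the broad one away.
GRANT oe_adm_least_priv TO oe_adm;
REVOKE DBA FROM oe_adm;
```

To dry-run, comment out the EXECUTE IMMEDIATE lines and keep the DBMS_OUTPUT calls; the printed GRANT statements are the script to review. Keep the ANY-privilege grants and the DBA role revocable rather than dropped until the user has completed a full business cycle on the new role, and consider running a second capture against OE_ADM_LEAST_PRIV (capture type G_ROLE) during that cycle to confirm nothing was missed.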

Biju Thomas
OneNeck IT Solutions
