Original Magazine at http://www.otechmag.com/2014/otech-magazine-winter-2014/
Winter 2014

Cover: Content-Enabling Your Insurance Business Using Oracle BPM and WebCenter Content; ASM Metrics; Enforcing Principle of Least Privilege; Maturity of Service Oriented Architectures; Future is now, ODI 12c; and more: 18 authors, 17 articles, 4 ACEs, 6 ACE Directors, ...
Enforcing Principle of Least Privilege

Biju Thomas - OneNeck IT Solutions
One of the top features of Oracle Database 12c that attracted me is the ability to enforce the principle of least privilege with ease. Ever since database vendors started taking security seriously, the principle of least privilege has been in play. Identifying the privileges required by an application or user in Oracle Database versions prior to 12c was a tedious trial-and-error process. Many applications I have come across run with DBA or DBA-like privileges, because no privilege analysis was done at application design and development time. For the application design and development team the focus is always on getting the development work completed and delivering the project. Security, especially least privilege, is not a focus item the team wants to spend time on. It is easy to grant system privileges (especially DBA or ANY privileges such as INSERT ANY TABLE) to get the application working.
Oracle Database 12c brings the Privilege Analysis feature, which clearly identifies the privileges an application needs in order to function and tells the DBA which privileges can be revoked, so that the principle of least privilege is enforced and the database and application become more secure. The Privilege Analysis feature is available only in Enterprise Edition and it requires a Database Vault license, which is an extra-cost option. The good thing is that Database Vault need not be enabled to use Privilege Analysis - one less thing to worry about.
In a nutshell, privilege analysis works as below:

- Define a capture - to identify what needs to be analyzed
- Enable the capture, to start capturing
- Run the application or utility whose privileges need to be analyzed
- Disable the capture
- Generate results from the capture for review
- Implement the results, from the findings
I will explain the steps using the SQL command line as well as Enterprise Manager Cloud Control 12c. To do the privilege analysis you need the CAPTURE_ADMIN role; this role is granted to the DBA role, so if you have DBA privileges on the 12c database you can perform the analysis.
Figure 1: Privilege Analysis

Oracle Database Security
Demo Environment

For demonstration purposes I am going to use the OE schema that comes with the Oracle Database 12c examples - it has 14 tables and several other objects. We want to analyze the privileges of the OE_ADM user, who currently has the following privileges:
- SELECT ANY TABLE
- INSERT ANY TABLE
- UPDATE ANY TABLE
- DELETE ANY TABLE
- ALTER ANY TRIGGER
- CREATE PROCEDURE
- CREATE TABLE
- CREATE SYNONYM
- CREATE ANY INDEX
- ALL privileges on the ORDERS and ORDER_ITEMS tables
- CONNECT and DBA roles
SQL> select object_type, count(*) from dba_objects where owner = 'OE' group by object_type;

OBJECT_TYPE           COUNT(*)
-------------------- ---------
SEQUENCE                     1
LOB                         15
TYPE BODY                    3
TRIGGER                      4
TABLE                       14
INDEX                       48
SYNONYM                      6
VIEW                        13
FUNCTION                     1
TYPE                        37
The OE_ADM user connects using SQL Developer to run the scripts and reports. Our objective is to remove the ANY privileges from the OE_ADM user and grant appropriate privileges based on the tasks performed during the analysis period.
The new package DBMS_PRIVILEGE_CAPTURE has the subprograms to manage privilege analysis. The CAPTURE_ADMIN role has the EXECUTE privilege on this package.
Define and Start Capture

The very first step in privilege analysis is to create a capture, to define what actions need to be monitored. Four types of analysis can be defined in the capture:

- Database (G_DATABASE - 1): If no condition is defined, analyzes the privileges used on all objects within the whole database. No condition or roles parameter is specified for this type of capture.
- Role (G_ROLE - 2): Analyzes privileges exercised through a role. Specify the roles to analyze using the ROLES parameter.
- Context (G_CONTEXT - 3): Use this to analyze privileges that are used through an application module or a specific context. Specify a CONDITION to analyze.
- Role and Context (G_ROLE_AND_CONTEXT - 4): Combination of role and context.
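As an added example (not from the article), the three capture types the article does not show, written the same way as its G_ROLE_AND_CONTEXT capture, followed by the dictionary view you use to confirm what is defined. The capture names, descriptions and the OE_ORDER_ENTRY module name are made up for this illustration.

```sql
-- Added example (not from the article): the other three capture types.
-- Capture names and the OE_ORDER_ENTRY module value are invented.
BEGIN
  -- 1. Database-wide: no roles and no condition. Records every privilege
  --    exercised by any session while the capture is enabled.
  DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
    name        => 'CAP_DB_WIDE',
    description => 'Every privilege used anywhere in the database',
    type        => DBMS_PRIVILEGE_CAPTURE.G_DATABASE);

  -- 2. Role: only privileges exercised through the listed roles, by any user.
  DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
    name        => 'CAP_DBA_ROLE',
    description => 'What is actually used out of the DBA role',
    type        => DBMS_PRIVILEGE_CAPTURE.G_ROLE,
    roles       => ROLE_NAME_LIST('DBA'));

  -- 3. Context: privileges used by sessions whose USERENV context matches
  --    the condition. The condition is a string, so the single quotes inside
  --    it are doubled, exactly as in the article's own capture.
  DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
    name        => 'CAP_OE_APP',
    description => 'Privileges used by the OE application tier',
    type        => DBMS_PRIVILEGE_CAPTURE.G_CONTEXT,
    condition   => 'SYS_CONTEXT(''USERENV'',''MODULE'') = ''OE_ORDER_ENTRY''');
END;
/

-- Check what is defined and which capture, if any, is currently enabled.
-- 12c Release 1 allows only one capture to be enabled at a time, so an
-- ENABLE_CAPTURE call fails while another capture shows ENABLED = 'Y'.
SELECT name, type, enabled, roles, context
  FROM dba_priv_captures
 ORDER BY name;

-- A capture that is no longer needed is dropped by name.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.DROP_CAPTURE(name => 'CAP_DB_WIDE');
END;
/
```

The role capture is the one to reach for when the question is "what does anybody actually use out of DBA", while the context capture answers "what does this application use, regardless of how it was granted". The article's role-and-context capture combines the two so that the report is scoped to one user and one client tool.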
The CREATE_CAPTURE subprogram is used to define the capture. For our demo we want to use Role and Context, because we want to know which privileges from the DBA role are being used, as well as which other privileges granted to OE_ADM are used, when the application in use is "SQL Developer".
Figure 2: OEM Screen to Create a Privilege Analysis Policy

Figure 2 shows the OEM screen to create a capture policy. With a few clicks you can easily create the policy. Based on the context, additional input is captured. The SQL to define the policy as shown in Figure 2 is:
BEGIN
  DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
    name        => 'Analyze_OE_ADM',
    description => 'Review Privileges used by OE_ADM through SQL Developer',
    -- type 4: privileges used through the listed roles AND matching the condition
    type        => DBMS_PRIVILEGE_CAPTURE.G_ROLE_AND_CONTEXT,
    roles       => ROLE_NAME_LIST('DBA', 'CONNECT'),
    -- the condition is passed as a string, so its inner quotes are doubled
    condition   => 'SYS_CONTEXT(''USERENV'',''MODULE'') = ''SQL Developer'' AND SYS_CONTEXT(''USERENV'',''SESSION_USER'') = ''OE_ADM''');
END;
/
Once the policy is defined, it shows up in the OEM Privilege Analysis main screen, from where you can enable, disable, generate a report for and drop the policy. See Figure 3.

Figure 3: Privilege Analysis screen of OEM
You can click on the Start button to start the capture, or use the SQL below to start it.

EXECUTE DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE(name => 'Analyze_OE_ADM');
Now run the application for a period of time, so that Oracle can capture all the privileges used.
Stop Capture and Generate Reports

OK, now that the OE_ADM user has performed their tasks using SQL Developer, let us stop the capture and review the privileges used.

EXECUTE DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE(name => 'Analyze_OE_ADM');
Using OEM you can click on the Stop Capture button as shown in Figure 3, then click the Generate Report button. Using SQL you can accomplish this by:

EXECUTE DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT(name => 'Analyze_OE_ADM');
OEM shows the number of unused privileges in the summary screen as shown in Figure 4.

Figure 4: Unused privileges
Once you run the GENERATE_RESULT procedure, all the DBA_USED_* views as well as the DBA_UNUSED_* views are populated. You may query these views to generate revoke scripts or to prepare reports. The DBA_USED_* views show the privileges used by the user for the policy. The DBA_UNUSED_* views show the privileges that are assigned to the user but were not used. The *_PATH views show the privilege path (how the privilege was given to the user, and through which role).
Capture Privilege - DBA Views Populated by the GENERATE_RESULT Procedure

Used privileges:
- DBA_USED_OBJPRIVS
- DBA_USED_OBJPRIVS_PATH
- DBA_USED_PRIVS
- DBA_USED_PUBPRIVS
- DBA_USED_SYSPRIVS
- DBA_USED_SYSPRIVS_PATH
- DBA_USED_USERPRIVS
- DBA_USED_USERPRIVS_PATH

Unused privileges:
- DBA_UNUSED_COL_TABS
- DBA_UNUSED_OBJPRIVS
- DBA_UNUSED_OBJPRIVS_PATH
- DBA_UNUSED_PRIVS
- DBA_UNUSED_SYSPRIVS
- DBA_UNUSED_SYSPRIVS_PATH
- DBA_UNUSED_USERPRIVS
- DBA_UNUSED_USERPRIVS_PATH
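The article says these views can be queried for reports and revoke scripts but does not show how. The queries below are an added example, not from the article, run against its 'Analyze_OE_ADM' capture. The column names are those of the 12c Release 1 views (CAPTURE, USERNAME, USED_ROLE, SYS_PRIV, OBJ_PRIV, OBJECT_OWNER, OBJECT_NAME, PATH); if your release differs, check DBA_TAB_COLUMNS. The last query joins to DBA_SYS_PRIVS and DBA_TAB_PRIVS so that only privileges granted directly to OE_ADM are revoked, leaving shared roles such as DBA alone.

```sql
-- Added example (not from the article): reviewing the capture results.
-- Column names are those of the 12c Release 1 views; verify on your release.

-- 1. System privileges OE_ADM exercised, and the role (if any) they came through.
SELECT DISTINCT username, used_role, sys_priv
  FROM dba_used_sysprivs
 WHERE capture = 'Analyze_OE_ADM'
 ORDER BY used_role NULLS FIRST, sys_priv;

-- 2. Object privileges exercised, summarised per object.
SELECT object_owner, object_name, obj_priv, used_role, COUNT(*) AS uses
  FROM dba_used_objprivs
 WHERE capture = 'Analyze_OE_ADM'
 GROUP BY object_owner, object_name, obj_priv, used_role
 ORDER BY object_owner, object_name, obj_priv;

-- 3. The findings that matter most for least privilege: ANY privileges the
--    user holds that were never used during the capture window.
SELECT username, used_role, sys_priv
  FROM dba_unused_sysprivs
 WHERE capture = 'Analyze_OE_ADM'
   AND sys_priv LIKE '% ANY %'
 ORDER BY sys_priv;

-- 4. Grant path of each used system privilege. One that arrives only via DBA
--    is a candidate to be re-granted through a narrower role before DBA goes.
SELECT sys_priv, path
  FROM dba_used_sysprivs_path
 WHERE capture = 'Analyze_OE_ADM'
 ORDER BY sys_priv;

-- 5. Draft REVOKE statements for unused privileges that were granted
--    DIRECTLY to OE_ADM (confirmed by joining to DBA_SYS_PRIVS / DBA_TAB_PRIVS),
--    so nothing is revoked from the DBA or CONNECT roles. Review before running.
SELECT DISTINCT 'REVOKE ' || u.sys_priv || ' FROM ' || u.username || ';' AS revoke_stmt
  FROM dba_unused_sysprivs u
  JOIN dba_sys_privs d
    ON d.grantee = u.username AND d.privilege = u.sys_priv
 WHERE u.capture = 'Analyze_OE_ADM'
   AND u.username = 'OE_ADM'
UNION ALL
SELECT DISTINCT 'REVOKE ' || u.obj_priv || ' ON ' || u.object_owner || '.'
       || u.object_name || ' FROM ' || u.username || ';'
  FROM dba_unused_objprivs u
  JOIN dba_tab_privs t
    ON t.grantee = u.username AND t.owner = u.object_owner
   AND t.table_name = u.object_name AND t.privilege = u.obj_priv
 WHERE u.capture = 'Analyze_OE_ADM'
   AND u.username = 'OE_ADM';
```

Query 3 is the one to put in front of the application team: each ANY privilege it lists is a grant that lets OE_ADM read or change every schema in the database and that the application demonstrably did not need during the capture. Query 5 deliberately skips anything the user only holds through a role, for the reason the article gives later: the fix for privileges inherited from DBA is a new, narrower role, not edits to DBA itself.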
OEM makes it easier to see the reports and even to generate a revoke script. Figure 5 shows the drop-down menu under Actions.

Figure 5: OEM Options under Actions
The Reports menu shows a summary, as well as used and unused privilege listings that you can export to an Excel file. To be able to use the Revoke Scripts option, OEM needs to complete a setup as shown in Figure 6.

Figure 6: OEM Setup for Revoke Scripts Generation
The revoke script revokes all unused roles and privileges from the role granted to the user. In this case that is not desired, because we do not want to mess with the DBA role. Here the Create Role menu comes to the rescue. Figure 7 shows the OEM screen to create the role; you have the option to customize the role creation as well.

Figure 7: Create Role screen of OEM
This creates a new role for you with only the used privileges - how sweet is that!
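For shops without Cloud Control, the same "role from used privileges" step can be scripted. The block below is an added example, not the article's code and not what OEM generates: it reads the 'Analyze_OE_ADM' results, creates a role (the name OE_ADM_LEAST is invented) carrying exactly the system and object privileges the capture saw OE_ADM use, grants it to the user, and prints rather than executes the revokes that would complete the change. The view column names are those of 12c Release 1.

```sql
-- Added example (not from the article): build a least-privilege role from
-- the capture results. Role name OE_ADM_LEAST is invented for this example.
SET SERVEROUTPUT ON
DECLARE
  c_capture CONSTANT VARCHAR2(128) := 'Analyze_OE_ADM';
  c_user    CONSTANT VARCHAR2(128) := 'OE_ADM';
  c_role    CONSTANT VARCHAR2(128) := 'OE_ADM_LEAST';
  l_stmt    VARCHAR2(4000);
BEGIN
  -- DBMS_ASSERT.ENQUOTE_NAME quotes the identifier and rejects embedded
  -- double quotes, so dictionary values cannot smuggle extra SQL into the DDL.
  EXECUTE IMMEDIATE 'CREATE ROLE ' || DBMS_ASSERT.ENQUOTE_NAME(c_role, FALSE);

  -- System privileges that were actually exercised, whichever role carried them.
  FOR r IN (SELECT DISTINCT sys_priv
              FROM dba_used_sysprivs
             WHERE capture = c_capture AND username = c_user)
  LOOP
    l_stmt := 'GRANT ' || r.sys_priv || ' TO ' || DBMS_ASSERT.ENQUOTE_NAME(c_role, FALSE);
    EXECUTE IMMEDIATE l_stmt;
    DBMS_OUTPUT.PUT_LINE(l_stmt);
  END LOOP;

  -- Object privileges that were exercised. The user needs no grant on
  -- objects it owns itself, so those are skipped.
  FOR r IN (SELECT DISTINCT obj_priv, object_owner, object_name
              FROM dba_used_objprivs
             WHERE capture = c_capture AND username = c_user
               AND object_owner <> c_user)
  LOOP
    l_stmt := 'GRANT ' || r.obj_priv || ' ON '
              || DBMS_ASSERT.ENQUOTE_NAME(r.object_owner, FALSE) || '.'
              || DBMS_ASSERT.ENQUOTE_NAME(r.object_name, FALSE)
              || ' TO ' || DBMS_ASSERT.ENQUOTE_NAME(c_role, FALSE);
    EXECUTE IMMEDIATE l_stmt;
    DBMS_OUTPUT.PUT_LINE(l_stmt);
  END LOOP;

  EXECUTE IMMEDIATE 'GRANT ' || DBMS_ASSERT.ENQUOTE_NAME(c_role, FALSE)
                    || ' TO ' || DBMS_ASSERT.ENQUOTE_NAME(c_user, FALSE);

  -- The cut-over itself is printed for a human to run, after a second capture
  -- with the new role in place has confirmed nothing was missed.
  DBMS_OUTPUT.PUT_LINE('-- after verifying: REVOKE DBA FROM ' || c_user || ';');
  FOR r IN (SELECT privilege
              FROM dba_sys_privs
             WHERE grantee = c_user AND privilege LIKE '% ANY %')
  LOOP
    DBMS_OUTPUT.PUT_LINE('-- after verifying: REVOKE ' || r.privilege
                         || ' FROM ' || c_user || ';');
  END LOOP;
END;
/
```

The caveat a practitioner should keep in mind is that "unused" means "not exercised while the capture was enabled". A privilege that only a month-end job or an error path needs will show up as unused if the window did not include it, so the capture should run long enough to cover the application's periodic work, and the old grants should be revoked only after a fresh capture against the new role shows no gaps. The article's own sequence (create role with used privileges first, then deal with DBA) fits this: the user keeps working throughout, and the revoke is the last, reviewed step.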
Biju Thomas
OneNeck IT Solutions