
A First look at Database Vault
David Bergmeier

Agenda

Overview
Installation
Limitations
Securing Data
Backups
A trigger problem

About me

Senior Oracle DBA


Worked for MGA nearly 2 years
Background as an Analyst/Programmer
12 years in financial services industry
Started using Oracle in 1996

Overview
Why Oracle Database Vault?
Don't trust the DBA
Regulatory Compliance (e.g. Sarbanes Oxley)
Separation of duties

Separation of duties

connect / as sysdba
create user david ...
grant dba to david;
select * from scott.emp;


Prerequisites
Oracle 10.2.0.3

1024 MB of Physical RAM


Swap space (1.5 times RAM)
400 MB in /tmp
270 MB for database vault binaries
10 MB additional for database files

Installation

Assumes one instance per Oracle home
But can support more

User to receive DV_OWNER role
Passwords must have alpha, numeric & special characters
User to receive DV_ACCTMGR role


The First Problem

Let's start the database

I cannot log in as SYSDBA

So how do I start/stop Oracle?

connect / as SYSOPER


Securing Some Data

$ lsnrctl start
$ emctl start dbconsole

Securing Some Data

$ sqlplus system/manager
SQL> select * from scott.emp;

...
14 rows selected.
SQL>

What is a Realm?

A realm is a functional grouping of schemas and roles that are secured.

[Diagram: one Realm, related to many Secured Objects and many Authorizations]

Securing Some Data


SQL> select * from scott.emp;
select * from scott.emp
*
ERROR at line 1:
ORA-01031: Insufficient Privileges
SQL>

Securing Some Data

SQL> select * from scott.dept;

    DEPTNO DNAME          LOC
---------- -------------- -------------
        10 ACCOUNTING     NEW YORK
        20 RESEARCH       DALLAS
        30 SALES          CHICAGO
        40 OPERATIONS     BOSTON

SQL>

Securing Some Data

That's the end of the tutorial.
So now let's consider a real world application.

Real world Example

Application server connects to database as single user (application user)
Support users connect with individual accounts with read-only access

[Diagram: on SCOTT.EMP, grant select, insert, update, delete to scott_app_user; grant select to scott_ro_role; grant role scott_ro_role to scott_ro]

Create User
SQL> connect system/manager
SQL> create user scott_app_user
  2> identified by tiger
  3> default tablespace USERS;
identified by tiger
*
ERROR at line 2:
ORA-01031: Insufficient Privileges

Create User
SQL> connect dbu/manager
SQL> create user scott_app_user
  2> identified by tiger
  3> default tablespace USERS;
User created.
SQL> grant connect to scott_app_user;

Create User
SQL> connect dbu/manager
SQL> create user scott_ro
  2> identified by tiger
  3> default tablespace USERS;
User created.
SQL> grant connect to scott_ro;

Create Role
SQL> connect system/manager
SQL> create role scott_ro_role;
Role created.
SQL> grant scott_ro_role to scott_ro;
Grant succeeded.
SQL>

Grants
SQL> connect scott/tiger
SQL> grant select,insert,update,delete on emp to scott_app_user;
Grant succeeded.
SQL> grant select on emp to scott_ro_role;
Grant succeeded.
SQL>

Real world Example

Now to test it...

Testing scott_ro
SQL> connect scott_ro/tiger
SQL> select * from scott.emp;
14 rows selected.
SQL> delete from scott.emp;
delete from scott.emp
*

ERROR at line 1:
ORA-01031: Insufficient Privileges

Testing scott_app_user
SQL> connect scott_app_user/tiger
SQL> select * from scott.emp;
14 rows selected.
SQL> delete from scott.emp;
14 rows deleted.

SQL> rollback;

Testing system
SQL> connect system/manager
SQL> select * from scott.emp;
14 rows selected.
SQL> delete from scott.emp;
delete from scott.emp
*

ERROR at line 1:
ORA-01031: Insufficient Privileges

What went wrong?

SQL> connect system/manager
SQL> select * from session_roles;

ROLE
--------------------------
DV_PUBLIC
DBA
...
SCOTT_RO_ROLE
14 rows selected.
SQL>

How did SYSTEM get SCOTT_RO_ROLE?

SQL> connect system/manager
SQL> create role foo;
Role created.
SQL> set role all;
Role set.
SQL> select * from session_roles;
ROLE
--------------------------
DV_PUBLIC
...
FOO
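
Oracle grants a new role to its creator WITH ADMIN OPTION, which is how SYSTEM picked up SCOTT_RO_ROLE. The queries below are an added example (not from the original slides) for spotting such holders; they assume an account with SELECT_CATALOG_ROLE and treat SCOTT_RO as the only expected grantee.

```sql
-- Added example, not part of the original presentation.
-- Every holder of a role that carries privileges on SCOTT.EMP, so an
-- implicit creator grant (SYSTEM in the slides) stands out.
select rp.granted_role,
       rp.grantee,
       rp.admin_option,            -- YES: holder can re-grant the role
       tp.privilege
from   dba_tab_privs  tp
join   dba_role_privs rp on rp.granted_role = tp.grantee
where  tp.owner      = 'SCOTT'
and    tp.table_name = 'EMP'
and    rp.grantee   <> 'SCOTT_RO'  -- expected holder (assumption)
order  by rp.granted_role, rp.grantee;

-- Accounts that can hand out any role, with or without ADMIN OPTION
-- on the individual role.
select grantee, admin_option
from   dba_sys_privs
where  privilege = 'GRANT ANY ROLE'
order  by grantee;
```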

So now we have a problem!

If we only revoke the role, SYSTEM can grant it again.
How do we prevent this?

Remove the Role

SQL> connect system/manager
SQL> drop role scott_ro_role;
Role dropped.
SQL> select * from session_roles;
ROLE
--------------------------
DV_PUBLIC
...
MGMT_USER
13 rows selected.
SQL>

Problem with DV_ACCTMGR

DV_ACCTMGR has
  create/drop user
  alter user account lock/unlock
  alter user password expire
  grant/revoke CONNECT role

DV_ACCTMGR needs
  create role
  alter any role
  drop any role
  SELECT_CATALOG_ROLE

To get these, we need to log in as SYSDBA

Allow SYSDBA
$ cd $ORACLE_HOME/dbs
$ orapwd file=orapwmozart password=mozart entries=20 force=y nosysdba=n
$ sqlplus sys/mozart as sysdba
SQL> startup
SQL> alter user sys identified by mozart;

Grants to DV_ACCTMGR
SQL> connect sys/mozart as sysdba
SQL> grant create role to DV_ACCTMGR;
SQL> grant alter any role to DV_ACCTMGR;
SQL> grant drop any role to DV_ACCTMGR;

SELECT_CATALOG_ROLE

Fixing DV_ACCTMGR

Create Role as DV_ACCTMGR

SQL> connect dbu/manager
SQL> create role scott_ro_role;
Role created.
SQL>

At this stage we delay granting scott_ro_role

Securing SCOTT_RO_ROLE
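
The realm setup from "What is a Realm?" and the step of securing SCOTT_RO_ROLE, gathered into one script using the DVSYS.DBMS_MACADM PL/SQL API instead of the web console. This is an added example, not from the original slides; the realm name and description are hypothetical, and authorizing SCOTT as realm owner is an assumption consistent with the grants shown later.

```sql
-- Added example, not part of the original presentation. Run as the
-- Database Vault administrator (user dbv in this deck).
begin
  -- Create the realm, enabled, auditing failed access attempts.
  dvsys.dbms_macadm.create_realm(
    realm_name    => 'SCOTT Application Realm',   -- hypothetical name
    description   => 'Protects SCOTT.EMP and SCOTT_RO_ROLE',
    enabled       => dvsys.dbms_macutl.g_yes,
    audit_options => dvsys.dbms_macutl.g_realm_audit_fail);

  -- Secured object 1: the table. SCOTT.DEPT is left out, which is why
  -- SYSTEM could still read DEPT but not EMP in the tutorial above.
  dvsys.dbms_macadm.add_object_to_realm(
    realm_name   => 'SCOTT Application Realm',
    object_owner => 'SCOTT',
    object_name  => 'EMP',
    object_type  => 'TABLE');

  -- Secured object 2: the role. Roles have no owner, hence '%'.
  dvsys.dbms_macadm.add_object_to_realm(
    realm_name   => 'SCOTT Application Realm',
    object_owner => '%',
    object_name  => 'SCOTT_RO_ROLE',
    object_type  => 'ROLE');

  -- Authorization: SCOTT as realm owner (assumption), so that only
  -- SCOTT can grant the protected role.
  dvsys.dbms_macadm.add_auth_to_realm(
    realm_name   => 'SCOTT Application Realm',
    grantee      => 'SCOTT',
    auth_options => dvsys.dbms_macutl.g_realm_auth_owner);
end;
/

-- Verify what the realm protects and who is authorized in it.
select owner, object_name, object_type
from   dvsys.dba_dv_realm_object
where  realm_name = 'SCOTT Application Realm';

select grantee, auth_options
from   dvsys.dba_dv_realm_auth
where  realm_name = 'SCOTT Application Realm';
```

Direct object grants, such as those held by scott_app_user, are not affected by the realm; it blocks access that relies on system privileges and controls who may grant the protected role.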

Granting SCOTT_RO_ROLE
SQL> connect dbu/manager
SQL> grant scott_ro_role to scott_ro;
grant scott_ro_role to scott_ro
*
ERROR at line 1:
ORA-47401: Realm violation for grant role privilege on SCOTT_RO_ROLE

So who can/should do the grant of SCOTT_RO_ROLE?

Answer: SCOTT

Provided SCOTT can only grant SCOTT_RO_ROLE and not other roles like DBA.

Granting SCOTT_RO_ROLE

One more grant as SYSDBA

SQL> connect sys/mozart as sysdba
SQL> grant grant any role to scott;
Grant succeeded.
SQL>

Granting SCOTT_RO_ROLE
SQL> connect scott/tiger
SQL> grant scott_ro_role to scott_ro;
Grant succeeded.
SQL> revoke scott_ro_role from dbu;
Revoke succeeded.
SQL>

Granting SCOTT_RO_ROLE
SQL> connect scott/tiger
SQL> grant DBA to scott;
grant DBA to scott
*
ERROR at line 1:
ORA-00604: error occurred at recursive SQL level 1
ORA-47401: Realm violation for grant role privilege on UNLIMITED TABLESPACE.

WHY?

The DBA role is protected by the Oracle Data Dictionary Realm.

Now to test it... Again

Testing scott_ro again


SQL> connect scott_ro/tiger
SQL> select * from scott.emp;
14 rows selected.
SQL> delete from scott.emp;
delete from scott.emp
*

ERROR at line 1:
ORA-01031: Insufficient Privileges

Testing scott_app_user
SQL> connect scott_app_user/tiger
SQL> select * from scott.emp;
14 rows selected.
SQL> delete from scott.emp;
14 rows deleted.

SQL> rollback;

Testing system again


SQL> connect system/manager
SQL> select * from scott.emp;

ERROR at line 1:
ORA-01031: Insufficient Privileges

SQL> delete from scott.emp;


ERROR at line 1:

ORA-01031: Insufficient Privileges

Testing SYSDBA
SQL> connect sys/mozart as sysdba
SQL> select * from scott.emp;

ERROR at line 1:
ORA-01031: Insufficient Privileges

SQL> delete from scott.emp;


ERROR at line 1:

ORA-01031: Insufficient Privileges

Testing DV_ACCTMGR
SQL> connect dbu/manager
SQL> select * from scott.emp;

ERROR at line 1:
ORA-01031: Insufficient Privileges

SQL> delete from scott.emp;


ERROR at line 1:

ORA-01031: Insufficient Privileges

Testing DV_ADMIN
SQL> connect dbv/manager
SQL> select * from scott.emp;

ERROR at line 1:
ORA-01031: Insufficient Privileges

SQL> delete from scott.emp;


ERROR at line 1:

ORA-01031: Insufficient Privileges

Separation of Duties

Let's review the actions performed by each of the different users/roles

SYS as SYSDBA
  Grant role privileges to DV_ACCTMGR (one time)
  Grant grant any role to SCOTT (once per application)

DV_ADMIN (user = dbv)
  Realm authorizations (once per application)
  Command Rules (one time)

DV_ACCTMGR (user = dbu)
  Create user (ongoing)
  Grant connect (ongoing)
  Create role (once per app)

Schema owner (SCOTT)
  Grant object privileges (once per application)
  Grant SCOTT_RO_ROLE (ongoing)

DBA (user = system)
  Nothing


Backups

Impact of Backups
  Export
  Data Pump
  RMAN

Export
  Lots of ORA-01031
  Will be unable to Import
  Not viable

Data Pump
  Not tested

RMAN
  Requires SYSDBA access
  May need to hardcode SYS password or use wallet
  Works successfully


Trigger Problem

Error creating trigger
Minor changes to whitespace in trigger source caused compile success/failure
Known Bug: 5630439
ORA-47999: internal Database Vault error: create trigger

Trigger Problem

Workaround available
Log in as dv_owner account
alter trigger dvsys.DV_BEFORE_DDL_TRG disable
Log in as SCOTT and create trigger
Log in as dv_owner account
alter trigger dvsys.DV_BEFORE_DDL_TRG enable

Conclusion
You probably don't need Database Vault
It's a trade-off between more security with more bureaucracy
It seems to work okay but there are some bugs
Typical workarounds involve deactivating Database Vault

The End
Thank you for your attendance

dbergmeier@mga-it.com
http://www.mga.com.au
