Date posted: 30-Jan-2018
Uploaded by: trankiet

Oracle Database Vault

Oracle Database Vault is a security option for Oracle Database that enforces access controls on data even against users holding powerful system privileges. That makes it a practical way to implement separation of duties and to satisfy audit requirements.

In the first case study, a user with all database privileges (the DBA, here SYS itself) is still locked out of selected tables in a particular schema: once the tables are placed in a realm, system privileges such as SELECT ANY TABLE no longer reach them.

In the second case study, a rule set ensures that DELETE operations on a particular table are only possible when the session connects from a client machine with a particular IP address.

Using the web UI (Database Vault Administrator), creating rule sets and realms takes only a few clicks, so a wide range of audit and security requirements can be met with little effort. The same definitions can also be created with the DBMS_MACADM PL/SQL API, which is easier to review and to reproduce across environments.

CONFIGURE OEM:

Database Control needs the SYSMAN (repository owner) and DBSNMP (monitoring) accounts unlocked with known passwords. The values below are lab passwords equal to the user names; on anything other than a throwaway lab choose strong ones, because SYSMAN owns the Enterprise Manager repository and both accounts are well-known targets.

SQL> alter user sysman identified by sysman;

User altered.

SQL> alter user dbsnmp identified by dbsnmp;

User altered.

SQL> alter user sysman account unlock;

User altered.

SQL> alter user dbsnmp account unlock;

User altered.

SQL> !

[oracle@database ~]$ netmgr    (used to create both the listener TEST and the tnsnames alias test)

[oracle@database ~]$ lsnrctl start test

LSNRCTL for Linux: Version 11.2.0.3.0 - Production on 13-APR-2016 11:34:33

Copyright (c) 1991, 2011, Oracle. All rights reserved.

Starting /u01/app/oracle/product/11.2.0/dbhome_1/bin/tnslsnr: please wait...

TNSLSNR for Linux: Version 11.2.0.3.0 - Production

System parameter file is /u01/app/oracle/product/11.2.0/dbhome_1/network/admin/listener.ora


Log messages written to /u01/app/oracle/diag/tnslsnr/database/test/alert/log.xml

Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=database.mustak.com)(PORT=1521)))

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=database.mustak.com)(PORT=1521)))

STATUS of the LISTENER

------------------------

Alias test

Version TNSLSNR for Linux: Version 11.2.0.3.0 - Production

Start Date 13-APR-2016 11:34:33

Uptime 0 days 0 hr. 0 min. 0 sec

Trace Level off

Security ON: Local OS Authentication

SNMP OFF

Listener Parameter File /u01/app/oracle/product/11.2.0/dbhome_1/network/admin/listener.ora

Listener Log File /u01/app/oracle/diag/tnslsnr/database/test/alert/log.xml

Listening Endpoints Summary...

(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=database.mustak.com)(PORT=1521)))

Services Summary...

Service "TEST" has 1 instance(s).

Instance "TEST", status UNKNOWN, has 1 handler(s) for this service...

The command completed successfully

[oracle@database ~]$ tnsping test

TNS Ping Utility for Linux: Version 11.2.0.3.0 - Production on 13-APR-2016 11:34:39

Copyright (c) 1997, 2011, Oracle. All rights reserved.

Used parameter files:

Used TNSNAMES adapter to resolve the alias

Attempting to contact (DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.1.82)(PORT = 1521))) (CONNECT_DATA = (SERVICE_NAME = TEST)))

OK (0 msec)

[oracle@database ~]$ emca -config dbcontrol db -repos create


STARTED EMCA at Apr 13, 2016 11:35:56 AM

EM Configuration Assistant, Version 11.2.0.3.0 Production

Copyright (c) 2003, 2011, Oracle. All rights reserved.

Enter the following information:

Database SID: TEST

Listener port number: 1521

Listener ORACLE_HOME [ /u01/app/oracle/product/11.2.0/dbhome_1 ]:

Password for SYS user:

Password for DBSNMP user:

Password for SYSMAN user:

Email address for notifications (optional):

Outgoing Mail (SMTP) server for notifications (optional):

You have specified the following settings

Database ORACLE_HOME ................ /u01/app/oracle/product/11.2.0/dbhome_1

Local hostname ................ database.mustak.com

Listener ORACLE_HOME ................ /u01/app/oracle/product/11.2.0/dbhome_1

Listener port number ................ 1521

Database SID ................ TEST

Email address for notifications ...............

Outgoing Mail (SMTP) server for notifications ...............

-----------------------------------------------------------------

Do you wish to continue? [yes(Y)/no(N)]: Y

Apr 13, 2016 11:36:18 AM oracle.sysman.emcp.EMConfig perform

INFO: This operation is being logged at /u01/app/oracle/cfgtoollogs/emca/TEST/emca_2016_04_13_11_35_56.log.

Apr 13, 2016 11:36:22 AM oracle.sysman.emcp.EMReposConfig uploadConfigDataToRepository

INFO: Uploading configuration data to EM repository (this may take a while) ...

Apr 13, 2016 11:37:01 AM oracle.sysman.emcp.EMReposConfig invoke

INFO: Uploaded configuration data successfully

Apr 13, 2016 11:37:03 AM oracle.sysman.emcp.util.DBControlUtil secureDBConsole

INFO: Securing Database Control (this may take a while) ...


Apr 13, 2016 11:38:18 AM oracle.sysman.emcp.util.DBControlUtil secureDBConsole

INFO: Database Control secured successfully.

Apr 13, 2016 11:38:18 AM oracle.sysman.emcp.util.DBControlUtil startOMS

INFO: Starting Database Control (this may take a while) ...

Apr 13, 2016 11:38:56 AM oracle.sysman.emcp.EMDBPostConfig performConfiguration

INFO: Database Control started successfully

Apr 13, 2016 11:38:56 AM oracle.sysman.emcp.EMDBPostConfig performConfiguration

INFO: >>>>>>>>>>> The Database Control URL is https://database.mustak.com:1158/em <<<<<<<<<<<

Apr 13, 2016 11:38:58 AM oracle.sysman.emcp.EMDBPostConfig invoke

WARNING:

************************ WARNING ************************

Management Repository has been placed in secure mode wherein Enterprise Manager data will be encrypted. The encryption key has been placed in the file: /u01/app/oracle/product/11.2.0/dbhome_1/database.mustak.com_TEST/sysman/config/emkey.ora. Ensure this file is backed up as the encrypted data will become unusable if this file is lost.

***********************************************************

Enterprise Manager configuration completed successfully

FINISHED EMCA at Apr 13, 2016 11:38:58 AM

CONFIGURING THE DATABASE VAULT OPTION IN AN EXISTING ORACLE_HOME AND SETTING UP THE DATABASE VAULT OWNER 'DBVOWNER' (via dbca)

[oracle@database ]$ dbca

Password entered in the dbca wizard for the Database Vault owner (lab value): welcome#123

Use a strong, unique password for this account: once Database Vault is on, DV_OWNER is the most powerful role in the database.

CHECK WHETHER DATABASE VAULT IS ENABLED

SQL> select * from v$option where parameter = 'Oracle Database Vault';

PARAMETER                        VALUE
-------------------------------- --------
Oracle Database Vault            FALSE

CONFIGURE DATABASE VAULT

1) Ensure that the computer on which you want to register Oracle Database Vault has the Oracle Enterprise Manager Database Console available:

$ emctl status dbconsole

2) Stop the database, the Database Control console process, and the listener. The relink in step 3 must be done while all three are down:

SQL> SHUTDOWN IMMEDIATE
SQL> EXIT
$ emctl stop dbconsole
$ lsnrctl stop TEST

For Oracle RAC installations, shut down each database instance as follows:

$ srvctl stop database -d db_name

3) Enable Oracle Database Vault by relinking the oracle binary. Oracle Label Security (lbac_on) is enabled at the same time because Database Vault requires it:

$ cd $ORACLE_HOME/rdbms/lib
$ make -f ins_rdbms.mk dv_on lbac_on ioracle

4) Restart the database and listener. (Do not restart the Database Control console process yet.)

$ sqlplus sys as sysoper
Enter password: password
SQL> STARTUP
SQL> EXIT
$ lsnrctl start TEST

5) Start the Database Control console:

[oracle@database lib]$ emctl start dbconsole

Verify that the option is now enabled:

SQL> select * from v$option where parameter = 'Oracle Database Vault';

PARAMETER                        VALUE
-------------------------------- --------
Oracle Database Vault            TRUE

Before any realm is defined, user SYS, which holds the SELECT ANY TABLE system privilege, can select all rows of the SCOTT.EMP table:

SQL> conn / as sysdba

Connected.

SQL> select count(*) from scott.emp;

COUNT(*)

----------

14

Database Vault Administrator (DVA) runs alongside Database Control on the same port: https://database.mustak.com:1158/dva

CASE ONE: THE EMP TABLE OWNED BY SCOTT IS ADDED TO THE SECURED REALM scott (done in the DVA web UI; screenshots not reproduced)

DEMO:

SQL> conn / as sysdba

Connected.

SQL> select * from scott.emp;

select * from scott.emp

SQL> alter user scott account lock;

alter user scott account lock

*

ERROR at line 1:

ORA-01031: insufficient privileges

SQL> alter user scott identified by scott;

alter user scott identified by scott

*


ERROR at line 1:

ORA-01031: insufficient privileges

The two ALTER USER failures come from a different control than the realm: Database Vault ships with a default command rule on ALTER USER ("Can Maintain Own Account") that permits the statement only for the user's own account or for a user holding the DV_ACCTMGR role. Once Database Vault is enabled, account administration therefore moves from SYS to the account manager, which is the separation of duties the option is designed to enforce.

ALL TABLES OWNED BY SCOTT ARE ADDED TO THE SECURED REALM SCOTT_FULL (done in the DVA web UI; screenshots not reproduced). With the whole schema in the realm, SYS is blocked from every SCOTT table, not only EMP:

SQL> show user

USER is "SYS"

SQL> select * from scott.dept;

select * from scott.dept

*

ERROR at line 1:

ORA-01031: insufficient privileges

SQL> select * from scott.emp;

select * from scott.emp

*

ERROR at line 1:

ORA-01031: insufficient privileges
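The realm the screenshots build in the DVA web UI can also be created with the Database Vault PL/SQL API, which is what you want for a repeatable, reviewable deployment. The block below is an added example and is not code from the original page. It assumes Database Vault 11.2 is enabled, that it is run in SQL*Plus as the Database Vault owner DBVOWNER from the page, and it reuses the page's schema SCOTT and realm name SCOTT_FULL; the description strings are made up. The DVSYS views at the end confirm the definition rather than trusting the UI.

```sql
-- Added example, not from the original page: case one through the DBMS_MACADM API.
-- Run in SQL*Plus as the Database Vault owner (DBVOWNER on this page), e.g.:
--   SQL> CONNECT dbvowner
-- SYS cannot call DBMS_MACADM once Database Vault is enabled; DV_OWNER/DV_ADMIN can.
-- Assumed: schema SCOTT and realm name SCOTT_FULL, as used on the page.

-- 1. Create the realm, enabled, auditing failed access attempts.
BEGIN
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'SCOTT_FULL',
    description   => 'All objects owned by SCOTT',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);
END;
/

-- 2. Put every object in the schema into the realm ('%' is the wildcard for
--    object name and type). To protect only EMP, as in the first screenshot set,
--    pass object_name => 'EMP' and object_type => 'TABLE' instead.
BEGIN
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'SCOTT_FULL',
    object_owner => 'SCOTT',
    object_name  => '%',
    object_type  => '%');
END;
/

-- 3. Authorizations. An 11g realm blocks access that relies on system privileges
--    (SELECT ANY TABLE, ALTER ANY TABLE, ...); object ownership and direct object
--    grants still work. Making SCOTT a realm owner lets the application schema use
--    its own system privileges on these objects. SYS is deliberately NOT
--    authorized, which is exactly what turns its SELECT into ORA-01031.
BEGIN
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'SCOTT_FULL',
    grantee       => 'SCOTT',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_OWNER);
END;
/

-- 4. Verify the definition from the DVSYS data dictionary instead of trusting the UI.
SELECT r.name, r.enabled, o.owner, o.object_name, o.object_type
FROM   dvsys.dba_dv_realm        r
JOIN   dvsys.dba_dv_realm_object o ON o.realm_name = r.name
WHERE  r.name = 'SCOTT_FULL';

SELECT realm_name, grantee, auth_options
FROM   dvsys.dba_dv_realm_auth
WHERE  realm_name = 'SCOTT_FULL';

-- 5. Reproduce the page's test from another session:
--   SQL> CONNECT / AS SYSDBA
--   SQL> SELECT COUNT(*) FROM scott.emp;   -- now ORA-01031: insufficient privileges

-- 6. Each blocked attempt is written to the Database Vault audit trail
--    (audit_options above), readable by the DV owner / DV_SECANALYST.
SELECT username, action_name, action_object_name, returncode
FROM   dvsys.audit_trail$
WHERE  username = 'SYS';
```

Two things to check after running it: the realm must show ENABLED = 'Y' in DBA_DV_REALM, and the SYS test must fail with ORA-01031 even though SYS still holds SELECT ANY TABLE; if SYS can still read the table, it is usually because SYS was added as a realm owner or participant, which defeats the purpose of the case.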


CASE TWO

In the second case study, Database Vault is configured so that a DELETE operation on a particular table can ONLY be performed if the session connects from a client machine with a particular IP address. This restricts destructive access to a sensitive table to a known host, on top of whatever object privileges the user holds, and the rule applies to every user, including SYS. Note that a client IP is a weak identity on its own (it can be spoofed on an untrusted network or hidden behind NAT and connection pools), so in production it is normally combined with other factors or with a realm rather than used alone.

CREATE A NEW RULE SET (done in the DVA web UI; screenshots not reproduced)
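The rule, rule set and command rule that the screenshots create for case two, expressed through the DBMS_MACADM API. This is an added example and not code from the original page. It assumes it is run as DBVOWNER; the trusted client address 192.168.1.50, the rule and rule set names, and the fail message are hypothetical placeholders; the protected table is the page's SCOTT.EMP. Unlike the screenshots it also shows what the IP factor evaluates to for a local session, which is the edge case that most often surprises people.

```sql
-- Added example, not from the original page: case two through the DBMS_MACADM API.
-- Run in SQL*Plus as the Database Vault owner (DBVOWNER on this page).
-- Assumptions (hypothetical, substitute your own): trusted client 192.168.1.50,
-- the rule/rule set names below, and the protected table SCOTT.EMP.

-- 1. Rule: true only when the session's client IP matches.
--    DVF.F$CLIENT_IP is a default Database Vault factor built on
--    SYS_CONTEXT('USERENV','IP_ADDRESS'). For local bequeath/IPC sessions
--    ("sqlplus / as sysdba" on the server) it is NULL, and NULL = '...' is not
--    TRUE, so those sessions are denied too. That is intended here; add an OR
--    branch for a second address if a local admin path is wanted.
BEGIN
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Client is trusted admin host',
    rule_expr => 'DVF.F$CLIENT_IP = ''192.168.1.50''');
END;
/

-- 2. Rule set: all rules must pass; failures are audited and reported to the
--    caller with a custom message. fail_code must be in -20000..-20999.
BEGIN
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Delete only from trusted host',
    description     => 'DELETE permitted only from 192.168.1.50',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'DELETE on this table is only allowed from the trusted host',
    fail_code       => -20001,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);

  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Delete only from trusted host',
    rule_name     => 'Client is trusted admin host');
END;
/

-- 3. Command rule: attach the rule set to DELETE on SCOTT.EMP. A command rule is
--    evaluated for every session, SYS and the table owner included.
BEGIN
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'DELETE',
    rule_set_name => 'Delete only from trusted host',
    object_owner  => 'SCOTT',
    object_name   => 'EMP',
    enabled       => DBMS_MACUTL.G_YES);
END;
/

-- 4. Verify the definition.
SELECT command, object_owner, object_name, rule_set_name, enabled
FROM   dvsys.dba_dv_command_rule
WHERE  object_owner = 'SCOTT' AND object_name = 'EMP';

-- 5. See what the factor evaluates to for the current session (as DBVOWNER):
--    NULL for a local bequeath connection, the client's address for a TCP one.
SELECT DVF.F$CLIENT_IP AS client_ip FROM dual;

-- 6. Test from each side.
--    From a client other than 192.168.1.50, or from a local bequeath session:
--      SQL> DELETE FROM scott.emp WHERE empno = 7369;
--      -> ORA-47400: Command Rule violation for DELETE on SCOTT.EMP, with the
--         fail_code/fail_message above in the error stack.
--    From 192.168.1.50 the same statement succeeds, still subject to the normal
--    DELETE privilege on SCOTT.EMP, which the command rule does not replace.
```

On the page's own host, a TCP connection through the TEST alias would evaluate the factor to 192.168.1.82 (the address in the tnsping output), while "conn / as sysdba" evaluates it to NULL; keep that in mind when testing, because an administrator testing from the server's own local session will be denied by design rather than by misconfiguration.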


DISABLE DATABASE VAULT

1. Stop OEM (Database Control): $ emctl stop dbconsole
2. Stop the database: SQL> SHUTDOWN IMMEDIATE
3. Stop the listener: $ lsnrctl stop TEST
4. $ cd $ORACLE_HOME/rdbms/lib
5. $ make -f ins_rdbms.mk dv_off lbac_off
6. $ cd $ORACLE_HOME/bin
7. $ relink oracle

Steps 5 and 7 together do what the single command make -f ins_rdbms.mk dv_off lbac_off ioracle did when enabling: dv_off and lbac_off only switch the link options, so the oracle binary must still be relinked before the change takes effect. After restarting, confirm with the v$option query above that the value is back to FALSE. Disabling removes enforcement but not the realm and rule set definitions stored in DVSYS; it needs OS access to the Oracle home plus a database outage, and it should go through the same change control as enabling it.

