ORACLE DATABASE VAULT. Đỗ Phước Hậu 50800617, Trương Quốc Khánh 51001496. Contents: Introducing Oracle Database Vault; What is an Oracle Database Vault?; Components of Oracle Database Vault; Install ODV 11g Release 2; HOWTO use a Realm to secure Data Access from DBA access.
ORACLE DATABASE VAULT. Đỗ Phước Hậu 50800617, Trương Quốc Khánh 51001496. Oracle Database Vault
Contents
• Introducing Oracle Database Vault
• What is an Oracle Database Vault?
• Components of Oracle Database Vault
• Install ODV 11g Release 2
• HOWTO use a Realm to secure Data Access from DBA access
• HOWTO use Command rules to secure User Activity
• HOWTO use Rule Sets, Factors, and Secure Application Roles
• HOWTO use Reports in DV
• HOWTO disable and enable DV
• HOWTO better understand DV's impact on performance
Introducing Oracle Database Vault
• What is Oracle Database Vault?
• Components of Oracle Database Vault
What is Oracle Database Vault?
• Oracle Database Vault (DV) was introduced in Oracle 10gR2, 11g and 9iR2.
• DV restricts access to specific areas in an Oracle database from any user, whatever privileges that user holds.
• Enables you to apply access control to your sensitive data.
• Protects your data from super-privileged users while still letting them maintain your Oracle databases.
• Helps address the most difficult security problems: protecting against insider threats, meeting regulatory compliance requirements, and enforcing separation of duty.
• Manages the security of an individual Oracle Database instance.
Components of Oracle Database Vault
Oracle Database Vault has the following components:
■ Oracle Database Vault Access Control Components
■ Oracle Database Vault Administrator (DVA)
■ Oracle Database Vault Configuration Assistant (DVCA)
■ Oracle Database Vault DVSYS and DVF Schemas
■ Oracle Database Vault PL/SQL Interfaces and Packages
■ Oracle Database Vault and Oracle Label Security PL/SQL APIs
■ Oracle Database Vault Reporting and Monitoring Tools
Oracle Database Vault Access Control Components
• Realms: a functional grouping of database schemas, objects, and roles that must be secured.
• Command rules: a special rule that you can create to control how users can execute almost any SQL statement, including SELECT, ALTER SYSTEM, data definition language (DDL), and data manipulation language (DML) statements.
• Factors: a named variable or attribute, such as a user location, database IP address, or session user, which Oracle Database Vault can recognize and secure.
• Rule sets: a collection of one or more rules that you can associate with a realm authorization, command rule, factor assignment, or secure application role.
• Secure application roles: a special Oracle Database role that can be enabled based on the evaluation of an Oracle Database Vault rule set.
Oracle Database Vault Administrator (DVA)
• A Java application built on top of the Oracle Database Vault PL/SQL application programming interfaces (APIs).
• Allows security managers who may not be proficient in PL/SQL to configure the access control policy through a user-friendly interface.
• Provides an extensive collection of security-related reports that help in understanding the baseline security configuration.
Components of Oracle Database Vault (cont.)
• Oracle Database Vault Configuration Assistant (DVCA): performs maintenance tasks on your Oracle Database Vault installation.
• Oracle Database Vault DVSYS and DVF Schemas: the DVSYS schema stores the database objects needed to process Oracle data for Oracle Database Vault; it contains the roles, views, accounts, functions, and other database objects that Oracle Database Vault uses. The DVF schema contains public functions to retrieve (at run time) the factor values set in the Oracle Database Vault access control configuration.
• Oracle Database Vault PL/SQL Interfaces and Packages: allow security managers or application developers to configure the access control policy as required.
• Oracle Database Vault and Oracle Label Security PL/SQL APIs: enable the security manager to define a label security policy and apply it to database objects.
• Oracle Database Vault Reporting and Monitoring Tools: generate reports on the various activities that Oracle Database Vault monitors.
HOWTO install Oracle Database Vault
• In Oracle 11gR2, all options are already installed; you only need to enable them as follows:
• Open a Command Prompt, then change to [Oracle Database Home]/bin
• Type:
• chopt enable lbac
• chopt enable dv
HOWTO install Oracle Database Vault
• Then configure the options using dbca:
• After this completes, the “Database Vault” option will be available:
• Log in to Oracle Database Vault
HOWTO use a Realm to secure Data Access from DBA access.
• Let's use SCOTT.EMP, which holds salary information. Before we define a realm, DBAs have access to this table, for example:
HOWTO use a Realm to secure Data Access from DBA access.
• Logged on as SYSTEM, you will no longer be able to access the data:
• Connect as SCOTT and issue the same query; you will have access:
More on Realms
• A realm can cover a larger set of objects: a schema, a group of roles, or a group of objects with which you want to associate a security policy. Example: by associating a role with a realm, you can ensure that only you can assign this role and that a DBA cannot grant it.
• Allows you to define who the realm owners are.
• Realm participants can use their system privileges to access a realm-protected object.
• DV includes a number of prebuilt realms:
• DV Account Management Realm: the most important realm; it limits who can manage and create database accounts.
• DV Realm: protects the DV schemas (DVSYS, DVF, and LBACSYS).
• Oracle Data Dictionary Realm: protects the catalog, the SYS schema and the SYSTEM schema.
• Oracle Enterprise Manager Realm: protects SYSMAN and DBSNMP.
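The realm from the screenshots above, built with the DBMS_MACADM PL/SQL API instead of the DVA GUI. This is an added example, not code from the slides; the realm name is assumed, and it must be run as the Database Vault owner account (DV_OWNER role), since SYS cannot administer DV.

```sql
BEGIN
  -- 1. Create the realm; audit failed access so denied DBA attempts are recorded.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'SCOTT EMP Realm',          -- assumed name
    description   => 'Protects salary data in SCOTT.EMP from privileged users',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);

  -- 2. Put the table inside the realm boundary.
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'SCOTT EMP Realm',
    object_owner => 'SCOTT',
    object_name  => 'EMP',
    object_type  => 'TABLE');

  -- 3. Authorize SCOTT as realm owner. SYSTEM (and anyone relying on the DBA
  --    role or SELECT ANY TABLE) is not authorized, so those system privileges
  --    no longer reach the table; SCOTT's own object privileges still apply.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'SCOTT EMP Realm',
    grantee       => 'SCOTT',
    rule_set_name => NULL,                       -- no rule set: unconditional
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_OWNER);
END;
/

-- Verify what the realm now protects and who is authorized.
SELECT o.realm_name, o.owner, o.object_name, o.object_type, a.grantee
  FROM dvsys.dba_dv_realm_object o
  LEFT JOIN dvsys.dba_dv_realm_auth a ON a.realm_name = o.realm_name
 WHERE o.realm_name = 'SCOTT EMP Realm';

-- Expected result, as on the slides: SELECT * FROM scott.emp as SYSTEM now
-- fails with ORA-01031 (insufficient privileges); as SCOTT it returns rows.
```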
HOWTO use Command rules to secure User Activity.
• A command rule can be used to protect any activity on any object in the database.
• It is based on a security policy phrased within a rule set.
• A command rule is evaluated after the realm is checked, and only if the realm check succeeds.
• DV checks all relevant command rules, and only if they all evaluate to true will the action be allowed.
• Command rules override regular object privileges.
• Example 1:
• Build a command rule that disables the ability to update the SCOTT.EMP table.
HOWTO use Command rules to secure User Activity.
• Now SCOTT can insert into this table but cannot update it:
• Example 2:
• Allow UPDATEs only if the connection is made locally over a bequeath session (BEQ).
HOWTO use Command rules to secure User Activity.
• Log in to the database as SCOTT using a BEQ connection:
• Log in to the database as SCOTT using a listener connection (TCP connection):
• DV provides a set of PL/SQL procedures that can be used to create these constructs.
• These are part of the DBMS_MACADM package within the DVSYS schema.
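The two command rules from the screenshots (Example 1 and Example 2), created through DBMS_MACADM. This is an added example, not code from the slides: rule and rule-set names are assumed, it runs as the DV owner account (DV_OWNER role), and it assumes a bequeath session reports its protocol as 'beq' through SYS_CONTEXT.

```sql
-- Example 1: block UPDATE on SCOTT.EMP for everyone by tying the command to
-- the predefined 'Disabled' rule set, which always evaluates to false.
BEGIN
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'UPDATE',
    rule_set_name => 'Disabled',
    object_owner  => 'SCOTT',
    object_name   => 'EMP',
    enabled       => DBMS_MACUTL.G_YES);
END;
/
-- SCOTT can still INSERT, but UPDATE fails even though SCOTT owns the table:
-- the command rule is enforced on top of object privileges, not instead of them.

-- Example 2: allow UPDATE only from a local bequeath (BEQ) session.
BEGIN
  -- Rule: the session protocol must be BEQ (assumed value). A listener (TCP)
  -- session fails this test.
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Is Local BEQ Session',     -- assumed name
    rule_expr => 'UPPER(SYS_CONTEXT(''USERENV'',''NETWORK_PROTOCOL'')) = ''BEQ''');
  -- Rule set that evaluates all its rules, audits failures and shows a custom
  -- error instead of a generic one.
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Local UPDATE Only',  -- assumed name
    description     => 'UPDATE on SCOTT.EMP allowed only over BEQ',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'UPDATE on SCOTT.EMP is only allowed from a local BEQ session',
    fail_code       => -20010,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);

  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Local UPDATE Only',
    rule_name     => 'Is Local BEQ Session');

  -- Re-point the existing UPDATE command rule from 'Disabled' to the new set
  -- (DV allows one command rule per command and object).
  DBMS_MACADM.UPDATE_COMMAND_RULE(
    command       => 'UPDATE',
    rule_set_name => 'Local UPDATE Only',
    object_owner  => 'SCOTT',
    object_name   => 'EMP',
    enabled       => DBMS_MACUTL.G_YES);
END;
/
```

After Example 2, an UPDATE from a TCP session returns the custom fail_message (error -20010) and a failed-rule-set audit record, while the same statement over BEQ succeeds.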