Sunday, June 1, 2014

Installing Oracle Database Vault - Part 2

In Part 1 I went over installing Oracle Database Vault and re-enabling SYS privileges like creating a user.

In this post I'll explain how to use Database Vault to restrict and enable access to individual tables and schemas, which is probably why someone wanted to install database vault in the first place.

Managing Schema Access

In order to restrict privileged user access to specific schemas or objects, the following method is used.

Realms can protect one or more schemas, individual schema objects, and database roles. Once you create a realm, you can create security restrictions that apply to the schemas and their schema objects within the realm.

For example, the DBA can view salary details in an employee table by using the SYS id. To prevent this, follow this process to create a REALM:

As sys, before adding a REALM –

$ sqlplus “/ as sysdba”
SQL> SELECT FIRST_NAME, LAST_NAME, SALARY FROM HR.EMPLOYEES WHERE ROWNUM < 10;

FIRST_NAME           LAST_NAME                     SALARY
-------------------- ------------------------- ----------
Steven               King                           24000
Neena                Kochhar                        17000
Lex                  De Haan                        17000
Alexander            Hunold                          9000
Bruce                Ernst                           6000
David                Austin                          4800
Valli                Pataballa                       4800
Diana                Lorentz                         4200
Nancy                Greenberg                      12008

9 rows selected.


After adding a realm and specifying the EMPLOYEES table as the protected object:

$ sqlplus “/ as sysdba”
SQL> SELECT FIRST_NAME, LAST_NAME, SALARY FROM HR.EMPLOYEES WHERE ROWNUM < 10;
SELECT FIRST_NAME, LAST_NAME, SALARY FROM HR.EMPLOYEES WHERE ROWNUM < 10
                                                 *
ERROR at line 1:
ORA-01031: insufficient privileges


Creating a Realm

Navigate to the dva home page and select “Realms”.


Click on “Create” and create the realm with a suitable name and description:






Click on “OK”
Select the new Realm and click on “Edit”
Under “Realm Secured Objects”, click on “Create”




Use the drop-down lists to select the owner, object type and enter the object name – note, to restrict access to an entire schema, leave the “%” in the object name field.





Click on “OK”
Click on “OK” again.
If the query is attempted again by the SYS user, they are denied access:

$ sqlplus “/ as sysdba”
SQL> SELECT FIRST_NAME, LAST_NAME, SALARY FROM HR.EMPLOYEES WHERE ROWNUM < 10;
SELECT FIRST_NAME, LAST_NAME, SALARY FROM HR.EMPLOYEES WHERE ROWNUM < 10
                                                 *
ERROR at line 1:
ORA-01031: insufficient privileges



Allowing a specific user access to an object


To allow a specific user access to this table:

Create a user, sebastian, and grant select any table.

    $ sqlplus “/ as sysdba”
    SQL> create user sebastian identified by dhdgfgf;
    SQL> grant create session to sebastian;
    SQL> grant select any table to sebastian;


At this stage, even though SEBASTIAN has the SELECT ANY TABLE privilege, he cannot select from the HR.EMPLOYEES table because it is protected by a realm.

$ sqlplus sebastian/dhdgfgf
SQL> SELECT FIRST_NAME, LAST_NAME, SALARY FROM HR.EMPLOYEES WHERE ROWNUM < 10;
SELECT FIRST_NAME, LAST_NAME, SALARY FROM HR.EMPLOYEES WHERE ROWNUM < 10
                                                 *
ERROR at line 1:
ORA-01031: insufficient privilege
s

To authorize user SEBASTIAN to have access to the HR Realm as follows, using the Database Vault web pages:

Click on the “Realms” item:




Edit the HR_EMPLOYEES Realm and click ‘create’ in authorizations


Select SEBASTIAN from the grantee drop down
Leave the rest to default, and click OK, then OK again.

Log into the database as sebastian:

$sqlplus sebastian/dhdgfgf 

SQL> SELECT FIRST_NAME, LAST_NAME, SALARY FROM HR.EMPLOYEES WHERE ROWNUM < 10;

FIRST_NAME           LAST_NAME                     SALARY
-------------------- ------------------------- ----------
Steven               King                           24000
Neena                Kochhar                        17000
Lex                  De Haan                        17000
Alexander            Hunold                          9000
Bruce                Ernst                           6000
David                Austin                          4800
Valli                Pataballa                       4800
Diana                Lorentz                         4200
Nancy                Greenberg                      12008

9 rows selected.


So, the sebastian user now has access to the table.

You should be able to use this to specify other access.

One of my colleagues pointed out that the access is controlled by database grants. So for example, if you allow SYS access to the table realm, then SYS can do everything to that table - drop, truncate etc, because SYS can do that.

So a realm is used to restrict access to an object specifically, but if a user is allowed into that realm, the access is based on the grants in the database.

Also, to grant access to export:



# sqlplus dbvault_owner/password

SQL> EXEC DVSYS.DBMS_MACADM.AUTHORIZE_DATAPUMP_USER('SEBASTIAN');

Installing Oracle Database Vault - Part 1

I recently had cause to install Oracle Database Vault at a client.

Before doing it for real, I decided to do it on a database of my own,and just as well.

So before you do this, a word of warning - it stops the SYS user from being able to do stuff. In this post I go over how to re-enable it, but this is just an overview so make sure anything you do is tested. Note that it also needs a licence.

I'd also advise asking the person who requested this for a clear policy document - Database Vault is more complicated than assigning roles, and you need to know the access that is required and it needs to be written down - Database Vault will break applications if not set up correctly.

It also needs a database and listener outage, so be aware of that.

So, disclaimers and CMA done, here we go.

Here's the official documentation:


Preparing the database


Stop the database and listener, and database control if running, and enable database vault:

Set the Oracle environment to the target database:

. oraenv
(enter the ORACLE_SID)

Stop the Oracle listener (this assumes the listener name is LISTENER – if not, the name needs to be specified)

lsnrctl stop

Log into the database as SYS and shut it down:

sqlplus “/ as sysdba”
SQL> shutdown immediate


Shut down Oracle Database Control if it is running:

    $ emctl stop dbconsole

Enable Oracle Database Vault by relinking:

$ cd $ORACLE_HOME/rdbms/lib
$ make -f ins_rdbms.mk dv_on lbac_on ioracle


Restart the database and listener (but not dbcontrol if it was running)

    $ lsnrctl start

    $ sqlplus “/ as sysdba”
    SQL> startup



Create Database Control if not using Grid Control or Cloud Control

If Grid Control or Cloud control is used, this next section is not required.

Run the DBCA and create database control for the database if it not in place.
(Note, you need an X-Windows server on the PC to run the DBCA)

    $ dbca

I won't post all the screenshots of the dbca, just the relevant ones.
At the first screen, check "Configure Database Options" and click "Next".

The next screen will show a list of the databases - highlight the one you want to install database vault on and click "Next".

At the next screen make sure the "Configure the database with Enterprise Manager" and "Use Database Control for Database Management" items are checked. You can leave the email and backup fields blank. Click "Next"

 At the next screen, make sure "Enterprise Manager Repository" is checked, and either select a tablespace or let it default to SYSAUX. Do not check "Oracle Label Security" yet. Click "Next".

At the next screen, enter the passwords as required. Click "Next".

Let the server mode default, and click on "Finish".

Click "OK" at the Confirmation screen.

It will install database control, and will show a screen with the database control URL, usually "https://host_name:port/em" - but make a note.

Click "OK" and it will exit.

Right, now that you've installed database control, or if it was already installed, you need to stop it to install Database Vault.
     $ emctl stop dbconsole

Implementing Database Vault with DBCA

Restart the DBCA to implement Database Vault and Oracle Label Security

    $ dbca


At the first screen, select "Configure Database Options" and click "Next".
At the next screen select the database that is to have Database Vault installed, click "Next".
At the next screen, check "Oracle Label Security" and "Oracle Database Vault".
Click "Next"
At the next screen, enter a database vault owner username and password. The account manager is optional, but I'd create it just in case. I used "dbvault_owner" and "dbvault_manager" for the usernames.
You should make these passwords strong - for obvious reasons.
Click "Next".
At the next page, let the "Server Mode" default, and click "Finish".
The dbca will restart the database, so make sure that you've arranged an outage.

One thing I noticed is that if there are other databases in the same ORACLE_HOME, this is now shown on login:
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
With the Partitioning, Oracle Label Security, OLAP, Data Mining,
Oracle Database Vault and Real Application Testing options


This had me worried - did it mean that this would affect all the databases, and that now SYS functionality is changed. The short answer is no. These need to be enabled for the individual database through the dbca,

Once complete, you need to log into the database as the dbvault_owner and grant privileges.

Adding required privileges


To perform the necessary grants to the database vault users, sign into the database as the dbvault_owner and run the grant commands:

$ sqlplus dbvault_owner/password


SQL> grant dv_owner to dbvault_owner;

Grant succeeded.

SQL> grant dv_admin to dbvault_manager;

Grant succeeded.


So, that's it installed. Now you can log in from a browser.

 

Logging into the Database Vault Web Page

Log into Database Vault as the dbvault_owner from a browser.

If the connection does not work, you should check the firewall settings for the host / site.

There are separate instructions on how to access database vault features from Grid / Cloud Control or Database Control, but the dva console is the preferred method as it provides full functionality.

Note the hostname and port will be site specific. For me, it is
https://andy-mga:5500/dva

After logging in, the various features can be used to restrict and grant access to database objects and commands.


Enabling Oracle Administration functionality for SYS

One thing that enabling database vault does once installed is restrict the SYS user from performing some database administration functions. These need to be enabled to allow normal administration.

For example, a standard DBA task is to create users in the database, but this is restricted once Database Vault is enabled:

$ sqlplus "/ as sysdba"

SQL*Plus: Release 11.2.0.3.0 Production on Tue May 13 14:07:32 2014

Copyright (c) 1982, 2011, Oracle.  All rights reserved.


Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
With the Partitioning, Oracle Label Security, OLAP, Data Mining,
Oracle Database Vault and Real Application Testing options

SQL> create user andy identified by andy;
create user andy identified by andy
                               *
ERROR at line 1:
ORA-01031: insufficient privileges



To allow this again, follow this procedure:

Creating a RULE SET

Login to the database vault page.
Select “Rule Sets” from the home page of the dva.


Click on Create
Call it something suitable like ‘SYS_USER_ADMIN’
Click on OK
Select it from the list and click on “Edit”
Scroll down to “Rules Associated To The Rule Set’ and click on “Create”


 Use the name “SYS_USER_ADMIN”
Enter this in the expression  field – dvf.f$session_user = ‘SYS’

Click on OK to save it, then on OK again.

Go back to the home page, and click on “Command Rules”

Select the “CREATE USER” item and click on “Edit”

Leave the command as “CREATE USER”, and in the “RULE SET” drop-down choose “SYS_USER_ADMIN”
Click on OK
Edit the DROP USER and repeat
Edit the ALTER USER and repeat

The sys user can now create, alter and drop users in the database.

    $ sqlplus “/ as sysdba”

SQL> create user andy identified by andy;

User created.


That's Part 1.

In Part 2, I explain how to enable and restrict access to tables and schemas.