Oracle® Database Vault Administrator's Guide 10g Release 2 (10.2) Part Number B25166-04 |
This chapter describes how to create and configure command rules. It includes the following sections:
A command rule is a rule that you create to protect SELECT, ALTER SYSTEM, database definition language (DDL), and data manipulation language (DML) statements that affect one or more database objects through Oracle Database Vault rule sets at run time. When such a statement is executed, the realm authorization is checked first. If no realm violation is found and the associated command rules are enabled, then the associated rule sets are evaluated. If all the rule sets evaluate to TRUE, then the statement is authorized for further processing. If any of the rule sets evaluates to FALSE, then the statement is not authorized and a command rule violation is created. Chapter 6, "Configuring Rule Sets" describes rule sets in detail.
You can also define a command rule for a CONNECT event that can determine whether a session is allowed after the normal authentication process, Oracle Label Security initialization, factor initialization, and the Oracle Label Security integration complete. In addition, you can disable or enable a command rule when necessary, and apply the same rule to realms and command rules.
Note the difference between rule sets and command rules: A rule set is a group of customized rules written in PL/SQL that you create in Oracle Database Vault for realms. A command rule is a global rule that you create to control the use of the standard SELECT, ALTER SYSTEM, DDL, and DML SQL statements and operations available in Oracle Database. A command rule also has five attributes: command, owner, object, enabled, and rule set, in addition to its bonding operations and authorization functionality. For more information about SQL statements and operations, refer to Oracle Database SQL Reference.
For example, you can configure the following types of command rules:
Allow DDL statements such as CREATE TABLE, DROP TABLE, and ALTER TABLE in the BIZAPP schema to be authorized after business hours, but not during business hours.
Allow only a database account with the DV_ACCTMGR role to successfully issue the CREATE USER and DROP USER statements. Without such command rules, any user with the CREATE USER or DROP USER system privilege can create a new user account or drop a user account.
You can run reports on the command rules that you create in Oracle Database Vault. See "Related Reports" for more information.
This chapter explains how to configure command rules by using Oracle Database Vault Administrator. To configure command rules by using the PL/SQL interfaces and packages provided by Oracle Database Vault, refer to the following appendixes:
Log in to Oracle Database Vault Administrator using a database account granted the DV_OWNER role. At a minimum, you must have the DV_ADMIN role. "Starting Oracle Database Vault Administrator" explains how to log in.
In the Administration page, under Database Vault Feature Administration, click Command Rules.
In the Command Rules page:
To create a new command rule, click Create.
To edit an existing command rule, select it from the list and then click Edit.
In the Create (or Edit) Command Rule page, enter the following settings, and then click OK.
General
Enter the following settings:
Command: Select the SQL statement or operation for which you want to create a command rule. This attribute is mandatory.
Status: Select either Enabled or Disabled to enable or disable the command rule during run time. This attribute is mandatory.
Applicability
Enter the following settings:
Object Owner: From the list, select the owner of the object the command rule will affect. You can use wildcard characters such as %. This attribute is mandatory for all SQL statements except for the following, which do not have an owner in the database:
ALTER PROFILE
ALTER ROLE
ALTER ROLLBACK SEGMENT
ALTER SYSTEM
ALTER TABLESPACE
ALTER USER
CONNECT
CREATE CONTEXT
CREATE DATABASE LINK
CREATE PROFILE
CREATE ROLE
CREATE ROLLBACK SEGMENT
CREATE TABLESPACE
CREATE USER
DROP CONTEXT
DROP DATABASE LINK
DROP PROFILE
DROP ROLE
DROP ROLLBACK SEGMENT
DROP TABLESPACE
DROP USER
GRANT system_privilege
REVOKE system_privilege
Note that command rules on the SELECT, INSERT, UPDATE, DELETE, and EXECUTE statements cannot be given an Object Owner of % (all schemas), SYS, or DVSYS.
Object Name: Enter the name of the database object that the command rule will affect, or specify % to select all database objects. However, you cannot use wildcard characters such as % to specify multiple object names, for example, EMP_% to specify all tables beginning with the characters EMP_. This attribute is mandatory.
Note the following restrictions:
You cannot list objects individually in the Object Name field. Instead, create a separate command rule for each object.
You cannot enter the name of a realm to restrict users from an entire realm. Instead, create command rules to restrict users from each schema within the realm.
You can run Oracle Database Vault reports on objects that the command rule affects. See the "Related Reports" for more information.
Rule Set
From the list, select the rule set that you want to associate with the command rule. This attribute is mandatory.
If the rule set evaluates to true, then the command rule succeeds. If it evaluates to false, the command rule fails. When the command rule fails, Oracle Database Vault creates a command rule violation. (You can track such rule violations by using the Command Rule Configuration Issues Report, discussed in Chapter 9.) Any auditing and custom event handling associated with the rule set occurs as a part of the command rule processing.
See Chapter 6, "Configuring Rule Sets" for more information about rule sets.
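The same configuration can be done without the Administrator pages, through the DVSYS.DBMS_MACADM package that the appendixes document. The following is an added example, not code from the guide: it builds the BIZAPP after-hours DDL policy described at the start of this chapter as one rule, one rule set and three command rules, then reads back what was registered. The rule and rule set names, the definition of business hours as 08:00 through 17:59 server time, and the fail code 20460 are assumptions; the script is run as an account holding the DV_OWNER role.

```sql
-- Added example (not from the guide): command rules that allow CREATE TABLE,
-- ALTER TABLE and DROP TABLE in the BIZAPP schema only outside business hours,
-- built with DVSYS.DBMS_MACADM. Run as a DV_OWNER account. Rule/rule set names,
-- the hour boundaries and the fail code are assumptions.
BEGIN
  -- 1. A rule is a single Boolean SQL expression. Business hours are assumed
  --    to be 08:00 through 17:59, so the rule is true outside that range.
  DVSYS.DBMS_MACADM.CREATE_RULE(
    rule_name => 'Is Outside Business Hours',
    rule_expr => 'TO_NUMBER(TO_CHAR(SYSDATE, ''HH24'')) NOT BETWEEN 8 AND 17');

  -- 2. The rule set carries the evaluation, audit and failure behaviour that
  --    the Rule Set page of the Administrator exposes.
  DVSYS.DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'BIZAPP DDL After Hours Only',
    description     => 'Permits schema changes in BIZAPP only outside business hours',
    enabled         => DVSYS.DBMS_MACUTL.G_YES,
    eval_options    => DVSYS.DBMS_MACUTL.G_RULESET_EVAL_ALL,   -- every rule must be true
    audit_options   => DVSYS.DBMS_MACUTL.G_RULESET_AUDIT_FAIL, -- record blocked attempts
    fail_options    => DVSYS.DBMS_MACUTL.G_RULESET_FAIL_SHOW,  -- return the error to the caller
    fail_message    => 'DDL on BIZAPP is permitted only outside business hours',
    fail_code       => 20460,                                  -- assumed; 20000-20999 range
    handler_options => DVSYS.DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);

  DVSYS.DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'BIZAPP DDL After Hours Only',
    rule_name     => 'Is Outside Business Hours');

  -- 3. One command rule per statement. The object name is % because a command
  --    rule accepts either % or one exact object name, never a pattern.
  FOR cmd IN (SELECT column_value AS stmt
                FROM TABLE(SYS.ODCIVARCHAR2LIST('CREATE TABLE', 'ALTER TABLE', 'DROP TABLE')))
  LOOP
    DVSYS.DBMS_MACADM.CREATE_COMMAND_RULE(
      command       => cmd.stmt,
      rule_set_name => 'BIZAPP DDL After Hours Only',
      object_owner  => 'BIZAPP',
      object_name   => '%',
      enabled       => DVSYS.DBMS_MACUTL.G_YES);
  END LOOP;
END;
/

-- Read back the registration before relying on it: three rows, all enabled,
-- all bound to the new rule set.
SELECT command, object_owner, object_name, rule_set_name, enabled
  FROM DVSYS.DBA_DV_COMMAND_RULE
 WHERE object_owner = 'BIZAPP'
 ORDER BY command;
```

Because the rule is evaluated against SYSDATE on the database server, a client in another time zone gets the server's idea of business hours; if that matters, build the boundary from a factor such as the client's identity rather than from the clock alone.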
Before you delete a command rule, you can locate the various references to it by querying the command rule-related Oracle Database Vault views. See "Oracle Database Vault Public Views" for more information.
In the Oracle Database Vault Administration page, select Command Rules.
In the Command Rules page, select the command rule that you want to remove.
Click Remove.
In the Confirmation page, click Yes.
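The same removal through the PL/SQL interface, preceded by the reference check the first step recommends. This is an added example rather than code from the guide. It assumes a DROP TABLE command rule on BIZAPP.% bound to a rule set named 'BIZAPP DDL After Hours Only' (both assumptions) and an account holding the DV_OWNER role.

```sql
-- Added example (not from the guide): find what references a command rule and
-- its rule set, then delete the command rule with DBMS_MACADM. The BIZAPP
-- binding and the rule set name are assumptions. Run as a DV_OWNER account.

-- Which command rules exist for the schema, and which rule set does each use?
SELECT command, object_owner, object_name, rule_set_name, enabled
  FROM DVSYS.DBA_DV_COMMAND_RULE
 WHERE object_owner = 'BIZAPP';

-- Is that rule set shared with other command rules or with realm
-- authorizations? If any row comes back besides the rule being removed, the
-- rule set itself must stay in place after the command rule is gone.
SELECT 'command rule' AS used_by,
       command || ' ' || object_owner || '.' || object_name AS reference
  FROM DVSYS.DBA_DV_COMMAND_RULE
 WHERE rule_set_name = 'BIZAPP DDL After Hours Only'
UNION ALL
SELECT 'realm authorization',
       realm_name || ' / ' || grantee
  FROM DVSYS.DBA_DV_REALM_AUTH
 WHERE auth_rule_set_name = 'BIZAPP DDL After Hours Only';

-- A command rule has no separate name: the command, owner and object name
-- identify it, so the same three values select it for deletion.
BEGIN
  DVSYS.DBMS_MACADM.DELETE_COMMAND_RULE(
    command      => 'DROP TABLE',
    object_owner => 'BIZAPP',
    object_name  => '%');
END;
/

-- Confirm the row is gone; the other BIZAPP command rules are untouched.
SELECT command, object_owner, object_name
  FROM DVSYS.DBA_DV_COMMAND_RULE
 WHERE object_owner = 'BIZAPP';
```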
"How Realms Work" describes what happens when a database account issues a SELECT, DDL, or DML command that affects objects within a realm. For the execution of a command rule itself, the following actions occur:
Oracle Database Vault queries for all command rules that the account is attempting to use.
For SELECT, DDL, and DML statements, more than one command rule may apply because the object owner and object name support wildcard notation.
Both a realm authorization and a command rule can be governed by a rule set. Oracle Database Vault evaluates the realm authorization rule set first, then it evaluates the rule sets that apply to the command type being evaluated.
For each command rule that applies, Oracle Database Vault evaluates its associated rule set.
If the associated rule set of any of the applicable command rules returns false or errors, Oracle Database Vault prevents the command from executing. Otherwise, the command is authorized for further processing. The configuration of the rule set with respect to auditing and event handlers dictates the auditing or custom processing that occurs.
Command rules override object privileges. For example, suppose you have been granted the SELECT privilege on a table, and there is a command rule on the use of a SELECT statement on that table. If the rule set has been set to Disabled, then you are prevented from querying the table. (Only the rule set has been disabled, not the command itself.)
Suppose you want to allow only the accounts with a role called FIN_ACCTMGR to create new users. You could create a command rule with the following settings:
Command: CREATE USER
Object Owner: %
Object Name: %
Rule Set: Can Maintain Accounts/Profiles
The Can Maintain Accounts/Profiles rule set includes a rule that checks to see if the account has the FIN_ACCTMGR role.
If a database account with the CREATE USER privilege issues the CREATE USER command but does not have the FIN_ACCTMGR role, then Oracle Database Vault prevents the account from creating the new user and generates an error:
SQL> CREATE USER newuser IDENTIFIED BY password;
CREATE USER newuser IDENTIFIED BY password
*
ERROR at line 1:
ORA-00604: error occurred at recursive SQL level 1
ORA-20400: Command Rule Violation for CREATE
ORA-06512: at "DVSYS.AUTHORIZE_EVENT", line 35
ORA-06512: at line 13
See also "Example of How Rule Sets Work" for another example of how a command rule can work with a rule set.
Table 5-1 lists the default command rules that Oracle Database Vault provides.
Table 5-1 Default Command Rules
Statement | Object Owner | Object Name | Rule Set Name |
---|---|---|---|
ALTER PROFILE | % | % | Can Maintain Accounts/Profiles |
ALTER USER | % | % | Can Maintain Own Account |
CREATE PROFILE | % | % | Can Maintain Accounts/Profiles |
CREATE USER | % | % | Can Maintain Accounts/Profiles |
DROP PROFILE | % | % | Can Maintain Accounts/Profiles |
DROP USER | % | % | Can Maintain Accounts/Profiles |
GRANT | SYS | DBMS_RLS | Can Grant VPD Administration |
REVOKE | SYS | DBMS_RLS | Can Grant VPD Administration |
The following set of command rules helps you to enforce separation of duty, so that holding the CREATE USER, ALTER USER or similar system privilege is no longer enough on its own to manage accounts and profiles:
ALTER PROFILE
ALTER USER
CREATE PROFILE
CREATE USER
DROP PROFILE
DROP USER
The following command rules on Oracle Virtual Private Database (VPD) prevent the DBA from giving VPD capabilities to an account:
GRANT
REVOKE
Only the accounts with the DV_OWNER role can use the GRANT and REVOKE statements for the EXECUTE privilege on the SYS.DBMS_RLS object.
Follow these guidelines for designing command rules:
Create finer-grained command rules, because they are far easier to maintain.
For example, if you want to prevent SELECT statements from occurring on specific schemas, design the command rule to stop the SELECT statement on those specific schemas, rather than creating a general command rule to prevent SELECT statements in all cases.
When designing command rules for the CONNECT event, be careful to include logic that does not inadvertently lock out the Oracle Database Vault Owner or Administrator.
The following rule expression is an example of how to prevent inadvertent lockouts:
DVSYS.DBMS_MACUTL.USER_HAS_ROLE_VARCHAR('DV_ADMIN') = 'Y'
If the account has been locked out, you can disable Oracle Database Vault, unlock the account, and then reenable Oracle Database Vault. See Appendix B, "Enabling and Disabling Oracle Database Vault" for more information.
Sometimes you need to temporarily relax a command rule for an administrative task. Rather than disabling the command rule, have the Security Manager (the account with the DV_ADMIN or DV_OWNER role) log in, point the command rule at the default Enabled rule set (which always evaluates to true), turn on Auditing on Success or Failure for the Enabled rule set so that everything done under the relaxed rule is recorded, and then set the command rule back to its original rule set when the task is complete.
When designing command rules, be careful to consider automated processes such as backup or extracts where these procedures may be inadvertently disabled. You can account for these tasks by creating command rules that allow the command when a series of Oracle Database Vault factors is known to be true, for example, the program being used, and the account being used or the computer or network on which the client program is running.
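The two guidelines above, the lockout guard for CONNECT and the factor-based exception for an automated job, combined in one rule set. This is an added example, not code from the guide. It keeps the guide's DV_ADMIN guard expression exactly, adds an assumed weekday-only policy for everyone else, and admits a backup job only when the account, the client address and the client machine all match through the default Session_User, Client_IP and Machine factors. The rule and rule set names, the BACKUP_OPER account, the address 192.0.2.10, the host name backup01 and the fail code 20461 are assumptions. Run as a DV_OWNER account.

```sql
-- Added example (not from the guide): a CONNECT command rule whose rule set
-- can never lock out a DV_ADMIN holder and also admits a scheduled backup
-- job from its own host. Names, the backup account, address and host are
-- assumptions. Run as a DV_OWNER account.
BEGIN
  -- Guard rule from the guideline: true for any session holding DV_ADMIN.
  DVSYS.DBMS_MACADM.CREATE_RULE(
    rule_name => 'Is Database Vault Administrator',
    rule_expr => 'DVSYS.DBMS_MACUTL.USER_HAS_ROLE_VARCHAR(''DV_ADMIN'') = ''Y''');

  -- Ordinary users: weekday sessions only (assumed policy). The explicit date
  -- language keeps the comparison independent of the session NLS settings.
  DVSYS.DBMS_MACADM.CREATE_RULE(
    rule_name => 'Is Weekday',
    rule_expr => 'TO_CHAR(SYSDATE, ''DY'', ''NLS_DATE_LANGUAGE=ENGLISH'') NOT IN (''SAT'', ''SUN'')');

  -- Automated backup: account, client address and client machine must all
  -- match. Factors are initialized before the CONNECT command rule runs, so
  -- DVSYS.GET_FACTOR is usable here.
  DVSYS.DBMS_MACADM.CREATE_RULE(
    rule_name => 'Is Backup Job',
    rule_expr => 'DVSYS.GET_FACTOR(''Session_User'') = ''BACKUP_OPER'' AND ' ||
                 'DVSYS.GET_FACTOR(''Client_IP'') = ''192.0.2.10'' AND ' ||
                 'UPPER(DVSYS.GET_FACTOR(''Machine'')) = ''BACKUP01''');

  -- Any one true rule admits the session: the administrator guard therefore
  -- holds regardless of what the other two rules do.
  DVSYS.DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Can Connect To Database',
    description     => 'DV_ADMIN always; backup job from its host; others on weekdays',
    enabled         => DVSYS.DBMS_MACUTL.G_YES,
    eval_options    => DVSYS.DBMS_MACUTL.G_RULESET_EVAL_ANY,
    audit_options   => DVSYS.DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DVSYS.DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'Connections are not permitted at this time from this client',
    fail_code       => 20461,                                  -- assumed
    handler_options => DVSYS.DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);

  FOR r IN (SELECT column_value AS rule_name
              FROM TABLE(SYS.ODCIVARCHAR2LIST(
                     'Is Database Vault Administrator', 'Is Weekday', 'Is Backup Job')))
  LOOP
    DVSYS.DBMS_MACADM.ADD_RULE_TO_RULE_SET(
      rule_set_name => 'Can Connect To Database',
      rule_name     => r.rule_name);
  END LOOP;

  -- CONNECT has no owner or object, so both are %. The rule is created
  -- disabled: a rule expression that raises an error counts as a failed rule
  -- set, and a failed CONNECT rule set blocks logons.
  DVSYS.DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'CONNECT',
    rule_set_name => 'Can Connect To Database',
    object_owner  => '%',
    object_name   => '%',
    enabled       => DVSYS.DBMS_MACUTL.G_NO);
END;
/

-- Dry-run each expression from a live session before enabling the rule; every
-- row must return Y or N without an error.
SELECT CASE WHEN DVSYS.DBMS_MACUTL.USER_HAS_ROLE_VARCHAR('DV_ADMIN') = 'Y' THEN 'Y' ELSE 'N' END AS admin_guard,
       CASE WHEN TO_CHAR(SYSDATE, 'DY', 'NLS_DATE_LANGUAGE=ENGLISH') NOT IN ('SAT', 'SUN') THEN 'Y' ELSE 'N' END AS weekday,
       DVSYS.GET_FACTOR('Session_User') AS session_user_factor,
       DVSYS.GET_FACTOR('Client_IP')    AS client_ip_factor,
       DVSYS.GET_FACTOR('Machine')      AS machine_factor
  FROM DUAL;

-- Only after the dry run, and from a session that also holds DV_ADMIN, enable it.
BEGIN
  DVSYS.DBMS_MACADM.UPDATE_COMMAND_RULE(
    command       => 'CONNECT',
    rule_set_name => 'Can Connect To Database',
    object_owner  => '%',
    object_name   => '%',
    enabled       => DVSYS.DBMS_MACUTL.G_YES);
END;
/
```

Keep the session that enabled the rule open until a fresh logon as an ordinary user and as the backup account have both been tried; if either fails unexpectedly, the open session can disable the command rule again without going through the Appendix B procedure for disabling Oracle Database Vault.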
DML operations while command rules are in place have little performance effect. However, the performance of a rule set that a command rule uses depends on the complexity of the rule set. For example, suppose a rule set invokes a PL/SQL function that takes an hour to run. In this case, a command rule that uses that rule set would take an hour to grant access for the command statement to run.
Oracle recommends that you carefully plan and design the command rules and not let them proliferate so that maintenance becomes difficult.
You can check the system performance by running tools such as Oracle Enterprise Manager (including Oracle Enterprise Manager Database Control, which is installed by default with Oracle Database), Statspack, and TKPROF. For more information about Oracle Enterprise Manager, see the Oracle Enterprise Manager documentation set. For information about Database Control, refer to its online Help. Oracle Database Performance Tuning Guide describes the Statspack and TKPROF utilities.
Table 5-2 lists Oracle Database Vault reports that are useful for analyzing command rules. See Chapter 9, "Generating Oracle Database Vault Reports" for information about how to run these reports.
Table 5-2 Reports Related to Command Rules
Report | Purpose |
---|---|
 | To find audit records generated by command rule processing operations |
"Command Rule Configuration Issues Report" | To track rule violations, in addition to other configuration issues the command rule may have |
 | To find object privileges that the command rule affects |
 | To find objects that the command rule affects |
"Rule Set Configuration Issues Report" | To find rule sets that have no rules defined or enabled, which may affect the command rules that use them |