Oracle® Database Vault Administrator's Guide 10g Release 2 (10.2) Part Number B25166-04
This chapter introduces you to Oracle Database Vault. It includes the following sections:
How Oracle Database Vault Allows for Flexible Security Policies
How Oracle Database Vault Addresses Database Consolidation Concerns
What to Expect Before and After You Install Oracle Database Vault
Oracle Database Vault helps you address the most difficult security problems remaining today: protecting against insider threats, meeting regulatory compliance requirements, and enforcing separation of duty.
It provides a number of flexible features that can be used to apply fine-grained access control to your sensitive data. It hardens your Oracle Database instance and enforces industry standard best practices in terms of separating duties from traditionally powerful users. Most importantly, it protects your data from superprivileged users but still allows them to maintain your Oracle databases. Oracle Database Vault can become an integral component of your enterprise.
You configure Oracle Database Vault to manage the security of an individual Oracle Database instance. You can install Oracle Database Vault on standalone Oracle Database installations, multiple Oracle homes, and in Oracle Real Application Clusters (RAC) environments.
For frequently asked questions about Oracle Database Vault, visit
http://www.oracle.com/database/docs/oracle-database-vault-faq.pdf
For Oracle Technology Network (OTN) information specific to Oracle Database Vault, visit
http://www.oracle.com/technology/deploy/security/db_security/database-vault/
Oracle Database Vault has the following components:
Oracle Database Vault enables you to create the following components to manage security for your database instance:
Realms: A realm is a functional grouping of database schemas and roles that must be secured. For example, you can group a set of schemas and roles that are related to accounting, sales, or human resources. After you have grouped a set of schemas and roles into a realm, you can use the realm to control the use of system privileges to specific accounts or roles. This enables you to provide fine-grained access controls for anyone who wants to use these schemas and roles. Chapter 3, "Configuring Realms" discusses realms in detail.
Command rules: A command rule is a special rule that you can create to control how users can execute almost any SQL statement, including SELECT, ALTER SYSTEM, data definition language (DDL), and data manipulation language (DML) statements. Command rules can work with rule sets to determine whether or not the statement is allowed. Chapter 5, "Configuring Command Rules" discusses command rules in detail.
Factors: A factor is a named variable or attribute, such as a user location, database IP address, or session user, that Oracle Database Vault can recognize and secure. You can use factors for activities such as authorizing database accounts to connect to the database or creating filtering logic to restrict the visibility and manageability of data. Each factor can have one or more identities. An identity is the actual value of a factor. A factor can have several identities depending on the factor retrieval method or its identity mapping logic. Chapter 4, "Configuring Factors" discusses factors in detail.
Rule sets: A rule set is a collection of one or more rules that you can associate with a realm authorization, command rule, factor assignment, or secure application role. The rule set evaluates to true or false based on the evaluation of each rule it contains and the evaluation type (All True or Any True). The rule within a rule set is a PL/SQL expression that evaluates to true or false. You can have the same rule in multiple rule sets. Chapter 6, "Configuring Rule Sets" discusses rule sets in detail.
Secure application roles: A secure application role is a special Oracle role that can be enabled based on the evaluation of an Oracle Database Vault rule set. Chapter 7, "Configuring Secure Application Roles for Oracle Database Vault" discusses secure application roles in detail.
To augment these components, Oracle Database Vault provides a set of PL/SQL interfaces and packages. "Oracle Database Vault PL/SQL Interfaces and Packages" provides an overview.
In general, the first step you take is to create a realm composed of the database schemas or database objects that you want to secure. Once you create the realm and grant authorizations to it, you then optionally can further secure the realm by creating rules, command rules, factors, identities, rule sets, and secure application roles. In addition, you can run reports on the activities these components monitor and protect. Chapter 2, "Getting Started with Oracle Database Vault" provides a simple tutorial that will familiarize you with basic Oracle Database Vault functionality. Chapter 9, "Generating Oracle Database Vault Reports" provides more information about how you can run reports to check the configuration and other activities that Oracle Database Vault performs.
Oracle Database Vault Administrator is a Java application that is built on top of the Oracle Database Vault PL/SQL application programming interfaces (API). This application allows security managers who may not be proficient in PL/SQL to configure the access control policy through a user-friendly interface. Oracle Database Vault provides an extensive collection of security-related reports that assist in understanding the baseline security configuration. These reports also help point out deviations from this baseline.
Chapters (UNKNOWN STEP NUMBER) through (UNKNOWN STEP NUMBER) explain how to use Oracle Database Vault Administrator to configure access control policy defined in realms, command rules, factors, rule sets, and secure application roles. Chapter 9, "Generating Oracle Database Vault Reports" explains Oracle Database Vault reporting. To enable the accessibility features of Oracle Database Vault Administrator for users of assistive technology, see "Enabling Oracle Database Vault Accessibility" in Oracle Database Vault Installation Guide.
Oracle Database Vault provides a schema, DVSYS, that stores the database objects needed to process Oracle data for Oracle Database Vault. This schema contains the roles, views, accounts, functions, and other database objects that Oracle Database Vault uses. The DVF schema contains public functions to retrieve (at run time) the factor values set in the Oracle Database Vault access control configuration.
Appendix C, "Oracle Database Vault Database Objects" describes these schemas in detail.
To perform maintenance tasks on your Oracle Database Vault installation, use the command-line utility Oracle Database Vault Configuration Assistant (DVCA). For more information, see Oracle Database Vault Installation Guide.
Oracle Database Vault provides a collection of PL/SQL interfaces and packages that allow security managers or application developers to configure the access control policy as required. The PL/SQL procedures and functions allow the general database account to operate within the boundaries of access control policy in the context of a given database session.
See Appendix D, "PL/SQL Interfaces to Oracle Database Vault" and Appendix E, "Oracle Database Vault Packages" for more information.
Oracle Database Vault provides access control capabilities that are built on top of the Oracle Label Security database option. The Oracle Label Security database option includes an Oracle Policy Manager desktop application that allows the security manager to define label security policy and apply it to database objects. Oracle Label Security also provides a collection of PL/SQL APIs that can be used by a database application developer to provide label security policy and protections.
See "Integrating Oracle Database Vault with Oracle Label Security" for more information on how Oracle Database Vault works with Oracle Label Security. See also Oracle Label Security Administrator's Guide for more information about Oracle Policy Manager.
You can generate reports on the various activities that Oracle Database Vault monitors. In addition, you can monitor policy changes, security violation attempts, and database configuration and structural changes.
See Chapter 9, "Generating Oracle Database Vault Reports" for more information about the reports that you can generate. Chapter 10, "Monitoring Oracle Database Vault" explains how to monitor Oracle Database Vault.
One of the biggest side benefits resulting from regulatory compliance has been security awareness. Historically, the focus of the information technology (IT) department has been on high availability and performance. The focus on regulatory compliance has required everyone to take a step back and look at their IT infrastructure, databases, and applications from a security angle. Common questions include:
Who has access to this information?
Where is the sensitive information stored?
Regulations such as the Sarbanes-Oxley Act, Health Insurance Portability and Accountability Act (HIPAA), International Convergence of Capital Measurement and Capital Standards: a Revised Framework (Basel II), Japan Privacy Law, and the European Union Directive on Privacy and Electronic Communications have common themes that include internal controls, separation of duty, and access control.
While most changes required by regulations such as Sarbanes-Oxley and HIPAA are procedural, the remainder may require technology investments. A common security requirement found in regulations is stringent internal controls. The degree to which Oracle Database Vault helps an organization achieve compliance varies with the regulation. In general, Oracle Database Vault realms, separation of duty features, command rules, and factors help reduce the overall security risks that regulation provisions worldwide address.
Table 1-1 lists regulations that address potential security threats.
Table 1-1 Regulations That Address Potential Security Threats

| Regulation | Potential Security Threat |
|---|---|
| Sarbanes-Oxley Section 302 | Unauthorized changes to data |
| Sarbanes-Oxley Section 404 | Modification to data, unauthorized access |
| Sarbanes-Oxley Section 409 | Denial of service, unauthorized access |
| Gramm-Leach-Bliley | Unauthorized access, modification, or disclosure |
| HIPAA 164.306 | Unauthorized access to data |
| HIPAA 164.312 | Unauthorized access to data |
| Basel II – Internal Risk Management | Unauthorized access to data |
| CFR Part 11 | Unauthorized access to data |
| Japan Privacy Law | Unauthorized access to data |
For many years, worms, viruses, and the external intruder (hacker) have been perceived as the biggest threats to computer systems. Unfortunately, what is often overlooked is the potential for someone who is trusted and with special privileges or access to steal or modify data.
Oracle Database Vault protects against the insider threat by using realms, factors, and command rules. Combined, these provide powerful security tools to help secure access to databases, applications, and sensitive information. You can combine rules and factors to control the conditions under which commands in the database are allowed to execute, and to control access to data protected by a realm. For example, you can create rules and factors to control access to data based on IP addresses, the time of day, and specific programs. These can limit access to only those connections originating from the middle tier during specific hours. This can prevent unauthorized access to the application as well as access to the database by unauthorized applications.
Oracle Database Vault provides built-in factors that you can use in combination with rules to control access to the database, realm-protected applications, and commands within the database.
Rules and factors can be associated with dozens of commands within the database. Rules provide stronger internal controls within the database; you can customize these to meet the operational policies for your site. For example, you could define a rule to limit execution of the ALTER SYSTEM statement to a specific IP address and host name.
Oracle Database Vault helps you design flexible security policies for your database. For example, any database user, such as SYSTEM, who has the DBA role can make modifications to basic parameters in a database. Suppose an inexperienced administrator who has SYSTEM privileges decides to start a new redo log file but does not realize that doing so at a particular time may cause problems for the database. With Oracle Database Vault, you can create a command rule to prevent this user from making such modifications by limiting his or her usage of the ALTER SYSTEM SWITCH LOGFILE statement. Not only that, but you can attach rules to the command rule to restrict activity further, such as limiting the statement's execution in the following ways:
By time, for example, only between 4 p.m. and 5 p.m. on Friday afternoons
By local access only, that is, not remotely
By IP address, for example, allowing the action on only a specified range of IP addresses
In this way, you can carefully control and protect your system. You can disable and reenable command rules when you need to, and easily maintain them from one central location in Oracle Database Vault Administrator.
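The restrictions listed above, expressed through the DBMS_MACADM PL/SQL interface rather than through Oracle Database Vault Administrator. This is an added example, not code from the Oracle documentation. The rule, rule set and command rule names, the 192.0.2.0/24 administrative subnet, and the assumption that a local (bequeath) session reports no client IP through the Client_IP factor are all this example's own; the DBMS_MACADM procedures, DBMS_MACUTL constants, DVF factor functions and DVSYS views it uses are the ones the chapter refers to. It is meant to be run by an account that holds the DV_OWNER role.

```sql
-- Added example (not from the Oracle documentation): the ALTER SYSTEM
-- command rule described in the text, built with DBMS_MACADM.
-- Assumed names: 'Friday 4pm Window', 'Local Or Admin Subnet',
-- 'Redo Switch Window'; assumed admin subnet 192.0.2.0/24.
BEGIN
  -- Rule 1: the time window. The day name is pinned to English so the
  -- comparison does not depend on the session's NLS settings.
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Friday 4pm Window',
    rule_expr => q'[TO_CHAR(SYSDATE, 'DY', 'NLS_DATE_LANGUAGE=ENGLISH') = 'FRI'
                    AND TO_CHAR(SYSDATE, 'HH24') = '16']');

  -- Rule 2: where the session originates. DVF.F$CLIENT_IP is the built-in
  -- Client_IP factor. Assumption: it is NULL for a local session; otherwise
  -- the LIKE pattern admits only the assumed administrative subnet.
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Local Or Admin Subnet',
    rule_expr => q'[DVF.F$CLIENT_IP IS NULL OR DVF.F$CLIENT_IP LIKE '192.0.2.%']');

  -- The rule set: every rule must be true (All True), failures are audited,
  -- and the blocked session sees a custom message.
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Redo Switch Window',
    description     => 'ALTER SYSTEM only locally or from the admin subnet, Fri 16:00-17:00',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'ALTER SYSTEM is restricted to the Friday maintenance window',
    fail_code       => 20461,   -- arbitrary code in the user-defined error range
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);
  DBMS_MACADM.ADD_RULE_TO_RULE_SET('Redo Switch Window', 'Friday 4pm Window');
  DBMS_MACADM.ADD_RULE_TO_RULE_SET('Redo Switch Window', 'Local Or Admin Subnet');

  -- The command rule attaches the rule set to the ALTER SYSTEM statement type.
  -- ALTER SYSTEM is not object-specific, so owner and object are wildcards.
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'ALTER SYSTEM',
    rule_set_name => 'Redo Switch Window',
    object_owner  => '%',
    object_name   => '%',
    enabled       => DBMS_MACUTL.G_YES);
END;
/

-- Check what Database Vault stored for the rule set and the command rule.
SELECT rule_set_name, rule_name, rule_expr
  FROM DVSYS.DBA_DV_RULE_SET_RULE
 WHERE rule_set_name = 'Redo Switch Window';

SELECT command, rule_set_name, enabled
  FROM DVSYS.DBA_DV_COMMAND_RULE
 WHERE command = 'ALTER SYSTEM';
```

The two origin conditions are combined into one rule with OR because the rule set evaluates All True: a separate "local only" rule and a separate "admin subnet" rule can never both hold for the same session. With this rule set in place, an ALTER SYSTEM issued by a SYSTEM-privileged session outside the window fails with the custom message and, because of G_RULESET_AUDIT_FAIL, leaves an audit record that the Chapter 9 reports surface.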
Oracle customers today still have hundreds and even thousands of databases distributed throughout the enterprise and around the world. However, database consolidation will continue as a cost-saving strategy in the coming years. The physical security provided by the distributed database architecture must be available in the consolidated environment. Oracle Database Vault addresses the primary security concerns of database consolidation.
Figure 1-1 illustrates how Oracle Database Vault addresses the following database security concerns:
Administrative privileged account access to application data: In this case, Oracle Database Vault prevents the DBA from accessing the schemas that are protected by the FIN Realm. Although the DBA is the most powerful and trusted user, the DBA does not need access to application data residing within the database.
Separation of duties for application data access: In this case, the FIN Realm Owner, created in Oracle Database Vault, has access to the FIN Realm schemas.
Figure 1-1 Oracle Database Vault Security
Database consolidation can result in multiple powerful user accounts residing in a single database. This means that in addition to the overall database DBA, individual application schema owners also may have powerful privileges. Revoking some privileges may adversely affect existing applications. Using Oracle Database Vault realms, you can enforce access to applications through a trusted path, preventing database users who have not been specifically authorized access from using powerful privileges to look at application data. For example, a DBA who has the SELECT ANY TABLE privilege can be prevented from using that privilege to view application data.
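The FIN Realm from Figure 1-1, created through the DBMS_MACADM interface, as an added example that is not part of the Oracle documentation. The schema name FIN, the realm owner account FIN_OWNER and the table name LEDGER are assumed for illustration; the procedures, constants and DVSYS views are the Oracle Database Vault ones the chapter refers to. It is meant to be run by an account that holds the DV_OWNER role.

```sql
-- Added example (not from the Oracle documentation): a realm that places
-- the FIN schema behind a trusted path. Assumed names: schema FIN,
-- realm owner FIN_OWNER, table FIN.LEDGER.
BEGIN
  -- Create the realm; failed access attempts are audited.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'FIN Realm',
    description   => 'Financial application schemas',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);

  -- Protect every object of every type in the FIN schema. Adding objects
  -- changes nothing for accounts with direct object grants; it stops
  -- system privileges such as SELECT ANY TABLE from reaching the objects.
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'FIN Realm',
    object_owner => 'FIN',
    object_name  => '%',
    object_type  => '%');

  -- Authorize FIN_OWNER as realm owner. A NULL rule set means the
  -- authorization is unconditional; a rule set could tie it to factors
  -- such as Client_IP or a time window.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'FIN Realm',
    grantee       => 'FIN_OWNER',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_OWNER);
END;
/

-- Verify the realm membership and authorizations Database Vault recorded.
SELECT realm_name, owner, object_name, object_type
  FROM DVSYS.DBA_DV_REALM_OBJECT
 WHERE realm_name = 'FIN Realm';

SELECT realm_name, grantee, auth_rule_set_name, auth_options
  FROM DVSYS.DBA_DV_REALM_AUTH
 WHERE realm_name = 'FIN Realm';

-- Effect on a DBA session (e.g. SYSTEM) that holds SELECT ANY TABLE but is
-- not a realm participant or owner: the statement below is refused with an
-- insufficient-privileges error and an audit record is written.
--   SELECT COUNT(*) FROM fin.ledger;
-- The same statement run by FIN_OWNER succeeds.
```

Note what the realm does not do: it does not revoke SELECT ANY TABLE from the DBA, so existing administration that relies on that privilege outside the FIN schema keeps working, which is the point the paragraph above makes about avoiding breakage when consolidating. Only the use of the privilege against realm-protected objects is blocked, and each blocked attempt is visible through the Chapter 9 realm violation reports.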
This section explores the following topics:
See also Appendix F, "Oracle Database Vault Security Guidelines" for guidelines on managing security in the Oracle Database configuration.
When you install Oracle Database Vault, by default it disables the operating system authentication for accounts that use the SYSDBA privilege. In addition, it disables connections that use the SYSDBA privilege (for example, logging in to the database using the AS SYSDBA clause), including those connections using the SYS account. You can reenable the ability to connect to the Oracle Database Vault database with the SYSDBA privilege. See Chapter 2 of Oracle Database Vault Installation Guide for instructions on enabling connections with the SYSDBA privilege.
Because of this security feature, the Oracle Database Vault instance may affect the following utilities and other Oracle products that use this privilege:
Table 1-2 Oracle Utilities and Products Affected by Oracle Database Vault

| Utility or Product | Suggested Action |
|---|---|
| Oracle Data Guard and Oracle Data Guard Broker command-line utilities | Reenable connections that use the SYSDBA privilege |
| Oracle Enterprise Manager Database Control | Reenable connections that use the SYSDBA privilege |
If you use these products in scripts and want to avoid specifying account names and passwords in your scripts, use a Secure External Password store configuration using Oracle Wallet Manager or SSL authentication of the Enterprise User Security features of Oracle Database. For more information about these configurations, see Oracle Database Security Guide, Oracle Database Advanced Security Administrator's Guide, and Oracle Database Enterprise User Security Administrator's Guide.
You should perform a careful analysis of the other processes and programs that normally access your Oracle database instance. Scheduled jobs, batch programs, and other tasks that normally access your database instance may require the addition of the database accounts that are used as logins for the protected Oracle Database Vault realms, or object privileges on the protected objects explicitly granted to these accounts.
When you install Oracle Database Vault, the installation process modifies several database initialization parameter settings to better secure your database configuration, and several password profile settings to secure your database passwords. If these changes adversely affect your organizational processes or database maintenance procedures, you can revert to the original settings.
Table 1-3 describes the initialization parameter settings that Oracle Database Vault modifies. Initialization parameters are stored in the init.ora initialization parameter file, located in $ORACLE_HOME/srvm/admin. For more information about this file, see Oracle Database Administrator's Guide.
Table 1-3 Modified Database Initialization Parameter Settings

| Parameter | Default Value in Database | New Value Set by Database Vault | Description |
|---|---|---|---|
| AUDIT_SYS_OPERATIONS | | | Enables or disables the auditing of operations issued by user SYS. For more information about AUDIT_SYS_OPERATIONS, see Oracle Database Reference. |
| OS_AUTHENT_PREFIX | | Null string | Specifies a prefix that Oracle uses to authenticate users attempting to connect to the server. The null string value disables this feature. For more information about OS_AUTHENT_PREFIX, see Oracle Database Reference. |
| OS_ROLES | Not configured. | | Enables or disables the operating system to completely manage the granting and revoking of roles to users. For more information about OS_ROLES, see Oracle Database Reference. |
| REMOTE_LOGIN_PASSWORDFILE | | | Specifies whether Oracle checks for a password file. Oracle Database Vault uses password files to authenticate users. For more information about REMOTE_LOGIN_PASSWORDFILE, see Oracle Database Reference. |
| REMOTE_OS_AUTHENT | | | Enables or disables operating system-authenticated logins only over secure connections, which precludes using Oracle Net and a shared server configuration. For more information about REMOTE_OS_AUTHENT, see Oracle Database Reference. |
| REMOTE_OS_ROLES | | | Enables or disables users who are connecting to the database through Oracle Net to have their roles authenticated by the operating system. This includes connections through a shared server configuration, as this connection requires Oracle Net. This restriction is the default because a remote user could impersonate another operating system user over a network connection. For more information about REMOTE_OS_ROLES, see Oracle Database Reference. |
| SQL92_SECURITY | | | Specifies whether users must have been granted the SELECT object privilege on a table in order to execute UPDATE or DELETE statements that reference its columns. For more information about SQL92_SECURITY, see Oracle Database Reference. |
During installation of Oracle Database Vault, the installer prompts for several additional database account names. In addition, several database roles are created. These accounts are part of the separation of duties provided by Oracle Database Vault. One common audit problem that has affected several large organizations is the unauthorized creation of new database accounts by a DBA within a production instance. Upon installation, Oracle Database Vault prevents anyone other than the Oracle Database Vault account manager or a user granted the Oracle Database Vault account manager role from creating users in the database.
Oracle Database Vault uses password file authentication to protect database passwords. This means that the Oracle Database Vault instance uses password files to manage accounts that use the SYSDBA and SYSOPER privileges, such as SYS. You can use the orapwd utility and the REMOTE_LOGIN_PASSWORDFILE initialization parameter setting to update the password files of each instance if the security procedures of your organization mandate periodic password changes.
Remember that this feature affects how you log in to an Oracle database. For example, the following method of logging in as SYS is not allowed by Oracle Database Vault:
    $ sqlplus "/ as sysoper"
Instead, log in using a valid account and password, for example:
    $ sqlplus "sys / as sysoper"
    Enter password: password
See also the following sections or documents:
To use orapwd to reenable connections with the SYSDBA privilege, see Chapter 2 of Oracle Database Vault Installation Guide for instructions on enabling connections with the SYSDBA privilege.
For information about creating and maintaining a password file, see Oracle Database Administrator's Guide.
See "Managing SYSDBA Access" for security guidelines for SYSDBA.
See "Managing SYSOPER Access" for security guidelines for SYSOPER.
To meet regulatory, privacy and other compliance requirements, Oracle Database Vault implements the concept of separation of duties. This means that the concept of a superprivileged user (for example, DBA) is divided among several new database roles to ensure no one user has full control over both the data and configuration of the system. Oracle Database Vault prevents the SYS user and other accounts with the DBA role and other system privileges from designated protected areas of the database called realms. It also introduces new database roles called the Oracle Database Vault Owner (DV_OWNER) and the Oracle Database Vault Account Manager (DV_ACCTMGR). These new database roles separate the database administration and the account management duties from the traditional DBA role. You should map these roles to distinct security professionals within your organization.
See "Oracle Database Vault Database Roles" for detailed information about the roles created during the Oracle Database Vault installation. See also "Oracle Database Vault Database Accounts" for default accounts that are created and for suggestions of additional accounts that you may want to create.