Oracle® Database Vault Administrator's Guide 10g Release 2 (10.2) Part Number B25166-04 |
|
|
View PDF |
This appendix describes security guidelines for Oracle Database Vault. It includes the following sections:
Oracle Database Vault restricts access to application data from many privileged users and roles in the database. However, in some cases, Oracle Database Vaults trusts certain accounts and roles.
Table F-1 lists the trusted accounts and roles that are created when you install Oracle Database Vault.
Table F-1 Trusted Oracle Database Vault Accounts and Roles
Account or Role | Status | Description |
---|---|---|
|
Open |
Account name specified during installation and used for creating new database accounts |
|
Open |
Account name specified during installation and used for managing realms, factors and command rules. This user cannot add himself or herself to realm authorizations, nor can users who have the |
|
Disabled |
Required by some Oracle features. See "Managing SYSDBA Access" for guidelines on managing |
|
Enabled |
Database startup and shutdown. Granted to |
Several accounts and roles have very powerful privileges in a default Oracle Database installation. You should limit these accounts and roles only to trusted individuals.
Users who have root user access have full control over the system, including the following activities:
Reading unencrypted files
Moving and deleting any files
Starting or stopping any program on the system
Logging in as any user, including the user who owns the Oracle Database installation
Oracle Database Vault does not provide protection against the operating system root access. Ensure that you grant root user privileges only to the appropriate people with the appropriate responsibility.
Users who have access to a system as the Oracle software owner have control over the Oracle software, including the following activities:
Disabling Oracle Database Vault in the given system
Reading unencrypted files
Moving and deleting files
Starting or stopping Oracle programs in the system
Oracle Database Vault does not provide protection against the operating system access of the Oracle software owner. Ensure that you grant Oracle software owner access only to the appropriate people with the appropriate responsibility.
Oracle Database Vault does not provide full protection against users with SYSDBA
access. By default, Oracle Database Vault disables SYSDBA
access upon installation. A number of Oracle components, still require SYSDBA
access. These components are:
Oracle Data Guard and Data Guard Broker command line utilities
Oracle Recovery Manager command line utility
Oracle Real Application Clusters
Oracle Automatic Storage Management command line utilities
Unless your installation requires SYSDBA
access, Oracle recommends not enabling SYSDBA
access. Remember that SYSDBA
actions are audited by default.
See Oracle Database Vault Installation Guide for instructions on how to enable and disable SYSDBA
access.
By default, Oracle Database Vault limits SYSOPER
access to operating system users in the SYSOPER
group and the user SYS
. It prevents connections as SYSOPER
from modifying the Oracle data dictionary directly. The SYSOPER
role has limited privileges within the database, but individuals with the role can start and shut down the Oracle database and manage the initialization parameters. Only grant the SYSOPER
role to trusted individuals.
Follow these configuration and security guidelines:
Security Considerations for the UTL_FILE and DBMS_FILE_TRANSFER Packages
Security Considerations for the CREATE ANY JOB and CREATE JOB Privileges
Security Considerations for the CREATE EXTERNAL JOB Privilege
Security Considerations for the ALTER SYSTEM and ALTER SESSION Privileges
Note:
Be aware of the following:Installing patches and new applications might regrant some of the privileges that Oracle recommends that you revoke here. Check these privileges after you install patches and new applications to verify that they are still revoked.
When you revoke EXECUTE
privileges on packages, ensure that you grant EXECUTE
on the packages to the owner, check the package dependencies, and recompile any invalid packages after the revoke.
To find users who have access to the package, log in as SYSTEM
and issue the following query.
SQL> SELECT * FROM dba_tab_privs
2 WHERE tab_name = package_name;
package_name
is the name of the package you are looking for.
To find the users, packages, procedures, and functions that are dependent on the package, issue this query:
SQL> SELECT owner, name, type
2 FROM all_dependencies
3 WHERE referenced_name = package_name;
Note that these two queries do not identify references to packages made through dynamic SQL.
The UTL_FILE
package is owned by SYS
and granted to PUBLIC
. However, a user must have access to the directory object in order to manipulate the files in that operating system directory. You can configure the UTL_FILE
package securely; see Oracle Database PL/SQL Packages and Types Reference for more information.
The DBMS_FILE_TRANSFER
package is owned by SYS
and granted to the EXECUTE_CATALOG_ROLE
. Users with EXECUTE
access on this package can move files from one location to another on the same file system. They also can move files between database instances, including databases on remote systems.
To secure the DBMS_FILE_TRANSFER
package, do the following:
Revoke the EXECUTE
privilege from it and grant it only to trusted users who need it.
Create command rules to control the CREATE DATABASE LINK
and CREATE DIRECTORY
SQL statements.
See "Creating and Editing Command Rules" for information on creating command rules by using Oracle Database Vault Administrator.
Alternatively, Example F-1 and Example F-2 show you can use the Oracle Database Vault MACADM
package to create command rules that limit and enable access to the CREATE DATABASE LINK
statement that is used to establish connections to remote databases. To use this method, log into SQL*Plus using the Oracle Database Vault Owner account.
Example F-1 Creating a Command Rule to Limit Access to CREATE DATABASE LINK
begin dbms_macadm.create_command_rule (command => 'CREATE DATABASE LINK', rule_set_name => 'Disabled', object_owner => '%', object_name => '%', enabled => dbms_macutl.g_yes); end; / commit;
When a user needs to use this command, the Oracle Database Vault owner can re-enable it from Oracle Database Vault Administrator or issue the following commands in SQL*Plus.
Example F-2 Creating a Command Rule to Enable Access to CREATE DATABASE LINK
begin dbms_macadm.update_command_rule (command => 'CREATE DATABASE LINK', rule_set_name => 'Enabled', object_owner => '%', object_name => '%', enabled => dbms_macutl.g_yes); end; / commit;
Similarly, Example F-3 shows command rules that disable and enable access to CREATE DIRECTORY
.
Example F-3 Command Rules to Disable and Enable Access to CREATE DIRECTORY
-- Disable access to CREATE DIRECTORY begin dbms_macadm.create_command_rule (command => 'CREATE DIRECTORY', rule_set_name => 'Disabled', object_owner => '%', object_name => '%', enabled => dbms_macutl.g_yes); end; / commit; -- Enable access to CREATE DIRECTORY begin dbms_macadm.update_command_rule (command => 'CREATE DIRECTORY', rule_set_name => 'Enabled', object_owner => '%', object_name => '%', enabled => dbms_macutl.g_yes); end; / commit;
In this release of Oracle Database Vault, the RECYCLE BIN
feature has been disabled, and a command rule has been created to prevent it from being turned on. If you need to use the RECYCLE BIN, disable the command rule ALTER SYSTEM and then enable the RECYCLE BIN as follows:
SQL> ALTER SYSTEM SET RECYCLEBIN=ON;
In this release of Oracle Database Vault, the CREATE ANY JOB
privilege has been revoked from the DBA
and the SCHEDULER_ADMIN
roles. Ensure that this change does not affect your applications.
The CREATE EXTERNAL JOB
privilege was introduced in Oracle Database 10g Release 2 (10.2). It is required for database users who want to execute jobs that run on the operating system outside the database. By default, this privilege is granted to all users who have been granted the CREATE JOB
privilege. For greater security, revoke this privilege from users who do not need it and then grant it only to those users who do need it.
In this release of Oracle Database Vault, the role EXECUTE_CATALOG_ROLE
no longer has EXECUTE
privileges granted by default on the following LogMiner packages:
DBMS_LOGMNR
DBMS_LOGMNR_D
DBMS_LOGMNR_LOGREP_DICT
DBMS_LOGMNR_SESSION
Ensure that this change does not affect your applications.
Be aware that trace and debug commands have the potential to show Oracle database memory information. Oracle Database Vault does not protect against these commands. To help secure the Oracle database memory information, Oracle recommends that you strictly control access to the ALTER SYSTEM
and ALTER SESSION
privileges. These privileges can be granted by the user SYS
when connected as SYSDBA
and by any user granted the DBA
role.
Oracle also recommends that you add rules to the existing command rule for ALTER SYSTEM
statement. Example F-4 shows how you can create such a rule. This rule prevent users with ALTER SYSTEM
privilege from issuing the command ALTER SYSTEM DUMP
. Log into SQL*Plus as the Oracle Database Vault Owner when you create this command rule.
Example F-4 Adding Rules to the Existing ALTER SYSTEM Command Rule
SQL> CONNECT dv_owner_acct
Enter password: password
SQL> begin
2 dbms_macadm.create_rule('NO_SYSTEM_DUMP',
3 '(INSTR(UPPER(DVSYS.DV_SQL_TEXT),''DUMP'') = 0)');
4 end;
/
SQL> exec dbms_macadm.add_rule_to_rule_set
2 ('Check trigger init parameter','NO_SYSTEM_DUMP');
SQL> commit;
Alternatively, you can use Oracle Database Vault Administrator to create a rule and add it to a rule set. See "Creating a Rule to Add to a Rule Set" for more information.
Oracle Database Vault security works by intercepting calls made within the Oracle Database.
For definer rights Java stored procedures, the execution of the stored procedure is not blocked and realm protection is not enforced. However, underlying objects accessed by the Java stored procedure are protected by Oracle Database Vault command rules.
For invoker rights Java stored procedures, the execution of the stored procedure is not blocked. However, underlying objects accessed by the Java stored procedure are protected by both Oracle Database Vault realms and command rules.
By default the EXECUTE ANY PROCEDURE
privilege is granted to the DBA
, EXPORT_FULL_DATABASE
, and IMPORT_FULL_DATABASE
roles. You can limit access to Java stored procedures by revoking the EXECUTE ANY PROCEDURE
from users and roles who do not require it. Note also that revoking the EXECUTE ANY PROCEDURE
from users further secures the database by limiting access to SYS
-owned packages.
A definer's rights stored procedure relies on the privileges of the owner of the stored procedure to access objects referenced within the stored procedure. Invoker's rights stored procedures rely on the privileges of the executor of the stored procedure to access objects referenced within the stored procedure. The default for Java stored procedures is invoker's rights.
Oracle recommends that you analyze your Java stored procedures when using Oracle Database Vault to maximize security. You can do so by following these steps:
Step 1: Identifying the Java Stored Procedures Created with Definer's Rights
Step 2: Finding Java Stored Procedures That Access Realm-Protected Objects
Step 3: Creating a Package to Wrap Procedures That Access Realm-Protected Objects
Step 4: Identifying the Java Stored Procedures Created with Invoker's Rights
Step 6: Verifying Oracle Database Vault Protection for Java Stored Procedures
Step 7: Securing Invoker's Rights for New Java Stored Procedures
Identify the Java stored procedures that were created with definers rights by running the query in Example F-5. This query returns only Java stored procedures that connect to the database, and then it spools the results to the file java_dr.lst
.
Example F-5 Query to Identify Definers Rights Java Stored Procedures
COLUMN plsql_owner FORMAT a8 COLUMN plsql FORMAT a30 COLUMN java_owner FORMAT a8 COLUMN java FORMAT a30 SPOOL java_dr select distinct plu.name plsql_owner, plo.name plsql, ju.name java_owner, jo.name java from obj$ plo, user$ plu, user$ ju, obj$ jo, procedurejava$ j where jo.name=j.classname and ju.user#=jo.owner# and ju.name=j.ownername and jo.type#=29 and bitand(jo.flags, 8)=0 and plo.owner#=plu.user# and j.obj#=plo.obj# and bitand(plo.flags, 8)=0 and ju.name not in ('SYS', 'ORDSYS') and jo.obj# in (select d_obj# from dependency$ connect by d_obj#=prior p_obj# start with p_obj#=(select obj# from obj$ where name='java/sql/Connection' and owner#=0)); SPOOL off
Analyze the Java stored procedures you queried in Step 1 and determine whether any of them access Realm protected objects. You can find a list of the realm-secured objects in the current database instance by using the DBA_DV_REALM_OBJECT
view, which is described in Table C-3, "Oracle Database Vault Database Views".
For Java stored procedures that do access realm-protected objects, create a PL/SQL package to wrap the Java stored procedure. Due to PL/SQL optimizations, the PL/SQL package wrapper must have a dummy variable defined in the package header. Adding the dummy variable enables Oracle Database Vault to intercept and block execution of Java stored procedures. Bear in mind that while this method does secure the execution of the Java stored procedure, it does not provide protection against calls to other Java stored procedures that may be embedded.
Example F-6 shows the PL/SQL package mypackage
being created to wrap the Java class emp_count
.
Example F-6 Creating a PL/SQL Wrapper
SQL> CREATE OR REPLACE PACKAGE SCOTT.MYPACKAGE AS tmp varchar2(200) := 'TEST'; -- dummy variable FUNCTION empcount RETURN VARCHAR2; end; / Package created. SQL> CREATE OR REPLACE PACKAGE BODY SCOTT.MYPACKAGE AS FUNCTION empcount RETURN VARCHAR2 AS LANGUAGE JAVA NAME 'emp_count.count() return java.lang.String'; END; / Package body created.
Next, you are ready to identify the Java stored procedures that were created with invoker's rights. Do so by running the query in Example F-7. This query only returns Java stored procedures that connect to the database, and then it spools the results to the file java_dr.lst
.
Example F-7 Identifying Java Stored Procedures with Invoker's Rights
COLUMN plsql_owner FORMAT a8 COLUMN plsql FORMAT a30 COLUMN java_owner FORMAT a8 COLUMN java FORMAT a30 spool java_ir select distinct plu.name plsql_owner, plo.name plsql, ju.name java_owner, jo.name java from obj$ plo, user$ plu, user$ ju, obj$ jo, procedurejava$ j where jo.name=j.classname and ju.user#=jo.owner# and ju.name=j.ownername and jo.type#=29 and bitand(jo.flags, 8)=8 and plo.owner#=plu.user# and j.obj#=plo.obj# and bitand(plo.flags, 8)=0 and ju.name not in ('SYS', 'ORDSYS') and jo.obj# in (select d_obj# from dependency$ connect by d_obj#=prior p_obj# start with p_obj#=(select obj# from obj$ where name='java/sql/Connection' and owner#=0)); spool off
Oracle Database Vault realm and command rules are enforced for invoker's rights stored procedures. However, it can be useful to even block execution on Java stored procedures. You can do this by following Step 3: Creating a Package to Wrap Procedures That Access Realm-Protected Objects.
Verify that Oracle Database Vault is protecting your Java stored procedures. Example F-8 show how you can test Oracle Database Vault security. Log in to a tool such as SQL*Plus. Then try to access a realm-protected object directly and execute a Java stored procedure to access a realm protected object.
Example F-8 Testing Oracle Database Vault Protection for Java Stored Procedures
SQL> connect u1
Enter password: password
Connected.
SQL> select * from session_privs;
PRIVILEGE
----------------------------------------
CREATE SESSION
SELECT ANY TABLE
CREATE PROCEDURE
EXECUTE ANY PROCEDURE
Protecting access on direct SQL access
SQL> select count(*) from scott.emp;
select count(*) from scott.emp
*
ERROR at line 1:
ORA-01031: insufficient privileges
Now show protecting access through Java
SQL> select scott.mypackage.empcount from dual;
select scott.mypackage.empcount from dual
*
ERROR at line 1:
ORA-01031: insufficient privileges
ORA-06512: at "SCOTT.MYPACKAGE", line 2
If you are writing new Java stored procedures, ensure that Java classes execute with invoker's rights and define them in a PL/SQL package specification. Remember, it is important to include a dummy PL/SQL variable in the package header. Adding the dummy variable enables Oracle Database Vault to intercept and block execution of Java stored procedures.
Oracle Database Vault security works by intercepting calls made within the Oracle Database.
By default the EXECUTE ANY PROCEDURE
privilege is granted to the DBA
, EXPORT_FULL_DATABASE
, and IMPORT_FULL_DATABASE
roles. You can limit access to external C callouts by revoking the EXECUTE ANY PROCEDURE
from users and roles who do not require it. Note also that revoking the EXECUTE ANY PROCEDURE
from users further secures the database by limiting access to SYS
-owned packages.
For definer rights external C callouts, the execution of the callout is not blocked and realm protection is not enforced. However, underlying objects accessed by the external C callout are protected by Oracle Database Vault command rules. The default for external C callouts is invoker's rights.
For invoker rights external C callouts, the execution of the external C callout is not blocked. However, underlying objects accessed by the external C callouts are protected by both Oracle Database Vault realms and command rules.
Oracle recommends that you analyze your external C callouts to maximize security when using Oracle Database Vault. You can do so by following these steps:
Step 1: Identifying the External C Callouts Created with Definer's Rights
Step 2: Finding the External C That Access Realm-Protected Objects
Step 3: Creating a Package to Wrap C Callouts That Access Realm-Protected Objects
Step 4: Identifying the External C Callouts Created with Invoker's Rights
Step 6: Verifying Oracle Database Vault Protection for External C Callouts
Step 7: Securing Invoker's Rights for New External C Callouts
Identify the external C callouts that were created with definer's rights by running the query in Example F-9. This query spools the results to the file external_wrap.lst
.
Example F-9 Identifying External C Callouts That Are Wrapped by PL/SQL Packages
spool external_wrap select u.name OWNER, o.name object, o.type#, o.flags from sys.obj$ o, sys.user$ u where o.owner# = u.user# and u.name not in ('MDSYS', 'ORDSYS', 'SYS') and o.obj# in ( select d_obj# from dependency$ connect by d_obj#=prior p_obj# start with p_obj# in (select obj# from library$ where property = 0)) order by owner, object; spool off
Analyze the external C callouts and determine whether any of them access realm-protected objects. You can find a list of the realm-secured objects in the current database instance by using the DBA_DV_REALM_OBJECT
view, which is described in Table C-3, "Oracle Database Vault Database Views".
For external C callouts that do access realm-protected objects, create a PL/SQL package to wrap the external C callout. Due to PL/SQL optimizations, the PL/SQL package wrapper must have a dummy variable defined in the package header. Adding the dummy variable enables Oracle Database Vault to intercept and block execution of external C callout stored procedures. Bear in mind that while this method does secure the execution of the external C callout, it does not provide protection against calls to other external C callouts that may be embedded.
Example F-10 Creating a PL/SQL Wrapper
create or replace package scott.mytestpkg1 as tmp integer; /* create a dummy plsql variable */ function test return binary_integer; end; / create or replace package body scott.mytestpkg1 as function test return binary_integer as language C library c_utils name "test" with context parameters(context, return indicator short, return int); end; /
Identify the external C callouts that were created with invoker's rights by running the query in Example F-11. This query spool the results to the file external_standalone.lst
.
Example F-11 Identifying External C Callouts That Are Wrapped by PL/SQL Packages
spool external_standalone select u.name OWNER, o.name object, o.type#, o.flags from sys.obj$ o, sys.user$ u where o.owner# = u.user# and u.name not in ('MDSYS', 'ORDSYS', 'SYS') and o.type# in (7,8) and o.obj# in ( select d_obj# from dependency$ connect by d_obj#=prior p_obj# start with p_obj# in (select obj# from library$ where property = 0)) order by owner, object; spool off
Oracle Database Vault realm and command rules are enforced for external C callouts. However, it can be useful to even block execution on external C callouts. You can accomplish this by following Step 3: Creating a Package to Wrap C Callouts That Access Realm-Protected Objects.
Verify Oracle Database Vault protection for external C callouts. Example F-12 shows how you can test Oracle Database Vault security by logging into a tool such as SQL*Plus and attempting to execute an external C callout.
Example F-12 Testing Oracle Database Security for an External C Callout
SQL> connect u1
Enter password: password
Connected.
SQL>
SQL> select * from session_privs;
PRIVILEGE
----------------------------------------
CREATE SESSION
SELECT ANY TABLE
CREATE PROCEDURE
EXECUTE ANY PROCEDURE
SQL>
SQL> select count(*) from scott.emp;
select count(*) from scott.emp
*
ERROR at line 1:
ORA-01031: insufficient privileges
SQL> select test from dual;
TEST
-------------------------------------------------------------------------------
14
SQL>
SQL> select scott.mypackage1.test from dual;
select scott.mypackage1.test from dual
*
ERROR at line 1:
ORA-01031: insufficient privileges
ORA-06512: at "SCOTT.MYPACKAGE1", line 2
If you are writing new external C callouts, ensure they are wrapped in an invoker's rights PL/SQL package specification. Remember, it is important to include a dummy PL/SQL variable in the package header. Adding the dummy variable enables Oracle Database Vault to intercept and block execution of external C callouts.