144 Part II: Oracle Database Vault

Data Definition Language  Database structure-related commands that typically have the form CREATE <object type>, ALTER <object type>, and DROP <object type>, such as CREATE TABLE, ALTER TABLE, and DROP TABLE. This category also includes privilege-related commands such as GRANT and REVOKE, auditing commands such as AUDIT and NOAUDIT, and data table administration commands such as ANALYZE, COMMENT, FLASHBACK, PURGE, RENAME, and TRUNCATE.

System control  Commands such as ALTER SYSTEM and ALTER DATABASE.

Session control  Commands such as ALTER SESSION and SET ROLE.

Transaction control  Commands such as COMMIT and ROLLBACK.

SELECT and DML commands cannot use '%' for both the object owner and the object name, and command rules for these commands cannot be applied to the SYS or DVSYS accounts. DBV does not offer command rules for transaction control commands, as these commands are not security relevant, nor do they operate on database objects. By security relevant, we mean that the commands do not change the session user, change the current user, or give the session user any additional system or object privileges for the session. Command rules cannot be defined on the ALTER DATABASE or ALTER SESSION commands. The SET ROLE command is not directly supported, but the DBV Secure Application Role feature offers a mechanism to control the activation of a database role, with a DBV rule set providing the decision point. With the remaining command categories, more than 100 distinct commands can be controlled by the security administrator with DBV command rules.

DBV CONNECT Command Rule

One of the most powerful command rules available controls when accounts that have been granted specific roles can establish connections to the database. This command rule uses a special DBV database operation named CONNECT, which simply implies a command rule that authorizes a database connection once the standard authentication processing within Oracle has completed.
Using this command rule, we can offer higher levels of assurance around when and how (under what conditions) an account is able to connect to the database. Let's consider MARY, our senior DBA for Sales History data, in an example. Suppose the IT department wants to tighten the controls around database administrators connecting to the database. The data and applications with which they are working are very sensitive. The first step is to decide under what conditions MARY and other database administrators are allowed to perform administration tasks. If the IT department allows MARY VPN access to the corporate network, doesn't that mean she can be sitting in a coffee shop with a laptop viewing sensitive financial data? VPN access is typically much less secure than access at the company's office building because the networks are more open to snooping and the environment is less secure from a physical perspective. Who else has access to her laptop if she walks away from her computer to take a break? Would the customers stored in the CUSTOMERS table approve of this access?

Chapter 5: Database Vault Fundamentals 145

With DBV command rules, we can simply define a rule set that resolves whether the database session is being established from a machine that is physically located within the company's building(s). The IT department could establish a policy that mandates the use of a secure authentication method for all sensitive databases. The Oracle Advanced Security option provides authentication methods based on Public Key Infrastructure (PKI)/Secure Sockets Layer (SSL) or Kerberos that could be leveraged. The policy could also dictate that the credential stores used for this authentication be limited (in deployment) to machines that are located in the company offices. Once the policy is established, a level of trust can be established for all connections to the database.

The rule used in the DBV rule set would leverage the Oracle built-in, read-only application context USERENV, which stores security-related attributes about the database session. The rule can read the application context values using the PL/SQL function SYS_CONTEXT as follows:

dbvowner@aos> BEGIN
  dbms_macadm.create_rule(
    rule_name => 'Is Secure Authentication Method',
    rule_expr => 'SYS_CONTEXT(''USERENV'', ''AUTHENTICATION_METHOD'') IN (''SSL'', ''KERBEROS'')'
  );
END;
/

PL/SQL procedure successfully completed.

Requiring PKI/SSL or Kerberos is a well-founded requirement because it relies on something the client has, such as a certificate, and reduces password-based hacking. This increases the assurance that the database access is from a machine physically located at the company. The IT department will also need to account for database administrators working on the console of a database server by inspecting the client IP address of the session. Console-based access to the database implies that the database session was not established through the Oracle database listener that enables remote connectivity to an Oracle database. With remote database clients, the USERENV application context maintains the IP address of the client. The second rule for the DBV rule set is then as follows:

dbvowner@aos> BEGIN
  dbms_macadm.create_rule(
    rule_name => 'Is Console Client',
    rule_expr => 'SYS_CONTEXT(''USERENV'', ''IP_ADDRESS'') IS NULL'
  );
END;
/

PL/SQL procedure successfully completed.

With the rules defined for both remote database clients and console clients, we can configure the DBV rule set required for the DBV CONNECT command rule. DBV includes a predefined DBV rule set named Allow Sessions that is intended for this usage.
For this example, we need to reconfigure the eval_options parameter of this DBV rule set to return TRUE if either rule is valid (a secure authentication method or a console-based client), and then associate the DBV rules with the DBV rule set. The default configuration of the Allow Sessions DBV rule set is to return TRUE only if all associated rules are valid.

dbvowner@aos> -- Reconfigure the "eval_options" parameter to use
dbvowner@aos> -- the "any rule true" algorithm
dbvowner@aos> BEGIN
  dbms_macadm.update_rule_set(
    rule_set_name   => 'Allow Sessions',
    description     => 'Rule set that controls the ability to create a session in the database.',
    enabled         => dbms_macutl.g_yes,
    eval_options    => dbms_macutl.g_ruleset_eval_any,
    audit_options   => dbms_macutl.g_ruleset_audit_fail,
    fail_options    => dbms_macutl.g_ruleset_fail_show,
    fail_message    => NULL,
    fail_code       => NULL,
    handler_options => dbms_macutl.g_ruleset_handler_off,
    handler         => NULL
  );
END;
/

PL/SQL procedure successfully completed.

dbvowner@aos> -- Associate the two rules with the rule set
dbvowner@aos> BEGIN
  dbms_macadm.add_rule_to_rule_set(
    rule_set_name => 'Allow Sessions',
    rule_name     => 'Is Secure Authentication Method'
  );
END;
/

PL/SQL procedure successfully completed.

dbvowner@aos> BEGIN
  dbms_macadm.add_rule_to_rule_set(
    rule_set_name => 'Allow Sessions',
    rule_name     => 'Is Console Client'
  );
END;
/

PL/SQL procedure successfully completed.

Finally, we need to create the DBV CONNECT command rule that uses this DBV rule set. One word of caution here regarding the DBV CONNECT command rule: make sure you keep a SQL*Plus session open as your DBV security administrator (DBVOWNER) in case you have developed PL/SQL rule expressions that are incomplete, inaccurate, or that produce errors at runtime. You could inadvertently lock out every account from the database, including the DBV security administrator, with these types of problems. Having this SQL*Plus session open allows you to disable or drop the DBV CONNECT command rule if problems arise in the development and testing of the authorization logic.

dbvowner@aos> BEGIN
  dbms_macadm.create_command_rule(
    command       => 'CONNECT',
    rule_set_name => 'Allow Sessions',
    object_owner  => '%',
    object_name   => '%',
    enabled       => 'Y'
  );
END;
/

PL/SQL procedure successfully completed.

At this point, if MARY were to attempt to log into the database from her VPN connection, sitting in the coffee shop, the connection would not be authorized and the session would be terminated immediately by DBV:

$ sqlplus mary@aos

SQL*Plus: Release 11.1.0.6.0 - Production on Tue Mar 10 17:04:12 2009

Copyright (c) 1982, 2007, Oracle.  All rights reserved.

Enter password:
ERROR:
ORA-47400: Command Rule violation for CONNECT on LOGON

These examples demonstrate the separation of duty for privileged administrators. Using DBV command rules, we can add a layer of control that accounts for business rules and IT policies an organization must support. The access controls provided by DBV realms and DBV command rules are configured in a protected account (DVSYS) with an enforcement mechanism integrated directly into the Oracle database kernel's SQL engine. Application logic that issues SQL to an Oracle database does not need to change to leverage these DBV access controls. The main benefit of this external enforcement point model is that DBV can help cover the gaps in your application's security model so that you can meet compliance regulations without the need to recode or redesign the application.

Rule Sets

A DBV rule is an elementary logic component that is evaluated by DBV. These logic components are written as Oracle PL/SQL expressions that return Boolean results. A simple rule would be USER != 'SYS'. This rule uses the standard Oracle PL/SQL function USER, which returns the database account that was logged into, and yields a Boolean result indicating whether or not the account logged into is SYS. Your own DBV rules can use PL/SQL code you have developed or will develop. A DBV rule can be associated with more than one DBV rule set, so that you can develop a library of DBV rules that can be used throughout your DBV security policy.

TIP  You can create DBV rules as reusable security policy controls applicable to more than one application.

We have demonstrated example usages of DBV rule sets with the two primary DBV access control components: DBV realms (authorizations) and DBV command rules. DBV rule sets can also control the assignment of DBV factors and the ability to enable DBV Secure Application Roles (SARs). The auditing of these components is controlled by the audit configuration of the DBV rule set. DBV rule sets can be configured to execute custom PL/SQL procedures so that if a DBV command rule is violated, for example, you could pass this information to another system or alert the security administrator in real time.

Rule Set Evaluation Mode

The configuration of DBV rule sets allows for the association of multiple DBV rules (PL/SQL expressions). DBV rule sets have an evaluation mode that can be configured to require either that all associated rules return TRUE or that at least one rule returns TRUE. To help clarify the runtime impact of the evaluation mode configuration, consider an example. Suppose we've defined a DBV rule set, Rule Set #1, depicted in the following table. This DBV rule set has an evaluation mode of ALL TRUE with two DBV rules associated with it. The DBV rule set evaluation result is depicted for the various results returned by the two associated DBV rules.

Rule Set     Evaluation Mode   Rule #1 Result   Rule #2 Result   Rule Set Result
Rule Set #1  ALL TRUE          FALSE            FALSE            FALSE
Rule Set #1  ALL TRUE          TRUE             FALSE            FALSE
Rule Set #1  ALL TRUE          FALSE            TRUE             FALSE
Rule Set #1  ALL TRUE          TRUE             TRUE             TRUE

Now suppose we have a second DBV rule set, Rule Set #2, with an evaluation mode of ANY TRUE. The same two DBV rules are associated with this second DBV rule set. The following table depicts the evaluation results for this configuration of the evaluation mode.

Rule Set     Evaluation Mode   Rule #1 Result   Rule #2 Result   Rule Set Result
Rule Set #2  ANY TRUE          FALSE            FALSE            FALSE
Rule Set #2  ANY TRUE          TRUE             FALSE            TRUE
Rule Set #2  ANY TRUE          FALSE            TRUE             TRUE
Rule Set #2  ANY TRUE          TRUE             TRUE             TRUE

The DBV rule set configuration also allows a DBV rule set to be disabled. The net effect of disabling a DBV rule set is that the DBV rules engine will return TRUE whenever the rule set is evaluated within the context of its usage, such as a DBV realm authorization or a DBV command rule. To clarify the effect of disabling a DBV rule set, consider the example rule set Using Financials Application from the Command Rules section earlier in the chapter. If we disable the rule set, then all UPDATE statements on the SH.SALES table will be allowed if the session has direct object privileges or the realm authorization is valid.

Rule Set Auditing

When we configured the rule set Using Financials Application in the DBV command rule example, we used the constant dbms_macutl.g_ruleset_audit_fail, which means audit on failure only, that is, audit when the DBV rule set evaluation is FALSE.
DBV rule set failure can be stated simply: the access control decision points (DBV rules) returned FALSE and the access attempt failed. Let's examine the DBV rule set configuration using the DBV Administrator page, as shown in Figure 5-8. Auditing on a failed access attempt would be considered a minimum requirement for all DBV rule sets, yet some regulatory requirements may mandate auditing on any data access (in other words, on every evaluation of the DBV rule set, whatever its result). You just need to consider the performance impact of this level of auditing, given the frequency of evaluation in your production system, as auditing in any software component has some associated overhead. When we examine the DBV audit trail for the DBV command rule example for an UPDATE on the SH.SALES table (Figure 5-9), we can see that the audit trail contains both the DBV rule set and the command that triggered the audit. This information can be very useful in developing a policy that can prove your stated security posture.

FIGURE 5-8  DBV rule set configuration

FIGURE 5-9  DBV command rule violation report

Custom Event Handlers

The DBV rule set auditing component can be extended using the custom event handlers feature of the rule set configuration. This feature allows you to integrate DBV with external alerting, systems management, and monitoring systems. Like DBV rule set auditing, this feature can be configured to trigger on failure only or on both success and failure. To enable this feature, you need to follow these steps:

1. Define a package procedure or stand-alone procedure that will be triggered when the DBV rule set is evaluated.
2. Grant EXECUTE on the procedure to DVSYS. The DVSYS account executes the DBV rules engine and calls the procedure.
3. Configure the DBV rule set to use the custom event handling procedure.

The details of integrating with an external alerting or monitoring system are a bit beyond the scope of this book, so let's just look at a trivial table-based logging example for now:

mary@aos> -- First create a table to hold the alerts
mary@aos> create table sh.alerts (
  msg     varchar2(4000),
  msgdate date default sysdate
);

Table created.

mary@aos> -- Next create a package to process the alerts
mary@aos> CREATE OR REPLACE PACKAGE sh.sales_alerts AS
  PROCEDURE sales_update_alert(
    ruleset_name   IN VARCHAR2,
    ruleset_result IN VARCHAR2
  );
END sales_alerts;
/

Package created.

mary@aos> CREATE OR REPLACE PACKAGE BODY sh.sales_alerts AS
  PROCEDURE sales_update_alert(
    ruleset_name   IN VARCHAR2,
    ruleset_result IN VARCHAR2
  ) IS
    -- Autonomous transaction: the alert row is committed independently of
    -- the statement whose rule set evaluation triggered the handler
    PRAGMA AUTONOMOUS_TRANSACTION;
  BEGIN
    INSERT INTO sh.alerts (msg)
    VALUES ('Alert for Rule Set:' || ruleset_name || ', result is ' || ruleset_result);
    COMMIT;
  END sales_update_alert;
END sales_alerts;
/

Package body created.

mary@aos> -- GRANT EXECUTE on the handler package to DVSYS
mary@aos> GRANT EXECUTE ON sh.sales_alerts TO dvsys;

Grant succeeded.

mary@aos> -- Update the rule set to use the handler package
mary@aos> -- on rule set failure (failed access attempt)
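The behaviour described in the Rule Set Evaluation Mode, Rule Set Auditing and Custom Event Handlers sections (ALL TRUE versus ANY TRUE evaluation, a disabled rule set always returning TRUE, audit on failure only, and a handler receiving the rule set name and result) can be checked with a small model of the rules engine. The Python below is an added example, not code from the book or from Oracle; the attribute names (any_true, audit_on_success, handler_on_success) and the three sample sessions are our own stand-ins for the dbms_macutl constants and USERENV values.

```python
# Added example (not code from the book or from Oracle): a small model of how a
# DBV rule set combines its rules, as the text describes it: ALL TRUE vs ANY TRUE
# evaluation, a disabled rule set always returning TRUE, auditing on failure only
# or on every evaluation, and a custom event handler called with the rule set
# name and result. The attribute names are our own stand-ins for the dbms_macutl
# constants passed to dbms_macadm.update_rule_set.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Session = Dict[str, Optional[str]]            # stands in for the USERENV context
Rule = Tuple[str, Callable[[Session], bool]]  # (rule name, PL/SQL expression stand-in)

@dataclass
class RuleSet:
    name: str
    rules: List[Rule]
    any_true: bool = False            # False: ALL TRUE (default); True: g_ruleset_eval_any
    enabled: bool = True
    audit_on_success: bool = False    # False: g_ruleset_audit_fail, i.e. failures only
    handler: Optional[Callable[[str, str], None]] = None
    handler_on_success: bool = False  # False: call the handler on failure only
    audit_trail: List[Dict[str, str]] = field(default_factory=list)

    def evaluate(self, session: Session, command: str) -> bool:
        if not self.enabled:          # a disabled rule set always evaluates TRUE
            return True
        results = [expr(session) for _, expr in self.rules]
        ok = any(results) if self.any_true else all(results)
        verdict = "TRUE" if ok else "FALSE"
        if not ok or self.audit_on_success:   # failures are always written to the trail
            self.audit_trail.append({"rule_set": self.name, "command": command, "result": verdict})
        if self.handler and (not ok or self.handler_on_success):
            self.handler(self.name, verdict)  # cf. sh.sales_alerts.sales_update_alert
        return ok

def truth_table(any_true: bool) -> Dict[Tuple[bool, bool], bool]:
    """Rule Set Result for each (Rule #1, Rule #2) combination, as in the chapter's tables."""
    table = {}
    for r1 in (False, True):
        for r2 in (False, True):
            rs = RuleSet("Rule Set", [("Rule #1", lambda s, v=r1: v),
                                      ("Rule #2", lambda s, v=r2: v)], any_true=any_true)
            table[(r1, r2)] = rs.evaluate({}, "UPDATE")
    return table

# Constructed sample sessions (not real data): VPN with a password, office desktop
# with Kerberos, and a console session on the database server itself.
VPN_SESSION = {"AUTHENTICATION_METHOD": "PASSWORD", "IP_ADDRESS": "10.8.0.23"}
OFFICE_SESSION = {"AUTHENTICATION_METHOD": "KERBEROS", "IP_ADDRESS": "192.0.2.15"}
CONSOLE_SESSION = {"AUTHENTICATION_METHOD": "PASSWORD", "IP_ADDRESS": None}

def connect(session: Session, enabled: bool = True):
    """Apply the CONNECT command rule with 'Allow Sessions'; returns (allowed, audit rows, alerts)."""
    alerts: List[str] = []
    rs = RuleSet("Allow Sessions", [
        # SYS_CONTEXT('USERENV', 'AUTHENTICATION_METHOD') IN ('SSL', 'KERBEROS')
        ("Is Secure Authentication Method",
         lambda s: s.get("AUTHENTICATION_METHOD") in ("SSL", "KERBEROS")),
        # SYS_CONTEXT('USERENV', 'IP_ADDRESS') IS NULL
        ("Is Console Client", lambda s: s.get("IP_ADDRESS") is None)],
        any_true=True, enabled=enabled,
        handler=lambda n, r: alerts.append(f"Alert for Rule Set:{n}, result is {r}"))
    allowed = rs.evaluate(session, "CONNECT")
    return allowed, rs.audit_trail, alerts
```

Running connect(VPN_SESSION) yields the denied case from the chapter (one audit row and one alert), while the Kerberos and console sessions pass with nothing audited, and connect(VPN_SESSION, enabled=False) shows why a disabled rule set is equivalent to no control at all.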