Restricting Command Execution Using Oracle Database Vault

Purpose

This tutorial shows you how Oracle Database Vault prevents a powerful user with the DBA role from executing basic database modifications remotely.

Time to Complete

Approximately 15 minutes

Topics

This tutorial covers the following topics:

 Overview
 Prerequisites

Creating a SYSTEM Database Connection

Making Modifications to Basic Database Parameters as the SYSTEM User

 Modifying a Rule Set to Disallow Remote Alter System Command Execution
 Testing the Alter System Command Rule

Creating a Database Link as the SYSTEM User

 Creating a Command Rule to Disallow Remote Create Database Link Command Execution
 Testing the Create Database Link Command Rule
 Producing an Audit Report
 Summary

Viewing Screenshots

 Place the cursor over this icon to load and view all the screenshots for this tutorial. (Caution: This action loads all screenshots simultaneously, so response time may be slow depending on your Internet connection.)

Note: Alternatively, you can place the cursor over each individual icon in the following steps to load and view only the screenshot associated with that step.

Overview

Oracle Database Vault helps customers address the most difficult security problems remaining today - protecting against the insider threat, meeting regulatory compliance requirements and enforcing separation of duty. Oracle Database Vault keeps the DBA from viewing application data, a top concern for customers who must protect sensitive business information or privacy data related to partners, employees and customers. Oracle Database Vault keeps the powerful application DBAs from accessing other applications and from performing tasks outside their authorized responsibilities. Oracle Database Vault can protect existing applications quickly and easily without interfering with the application functionality.

Back to Topic List

Prerequisites

Before you perform this tutorial, you should:

1.

Install Oracle Database 11g Release 11.1.0.6. Create a database with the sample schemas (either during install process or after).

2.

Download and unzip Oracle SQL Developer.

3.

Configure the Oracle Database Vault Option for your database. Oracle Database Vault is not installed in a default Oracle Database installation, but it is part of the products available in the Oracle Database installation media. You can install it into an existing database by using Oracle Universal Installer. After you install Oracle Database Vault use the Database Configuration Assistant ( dbca ) to to register database vault with your database and then create the required database vault accounts.(see the Oracle Database 2Day + Security Guide 11g Release 1(11.1) online documentation for more information).

Note: For this OBE to be successful you should be performing the steps from a different (remote) machine than the one you have installed the database with Oracle Database Vault option configured.

Back to Topic List

Creating a SYSTEM Database Connection

You want to create a database connection as SYSTEM. Perform the following steps:

1.

Open Oracle SQL Developer. Right-click on Connections and select New Connection.


2.

Enter the following information and click Test.

Connection Name: system@database vault
Username: system
Password: <your_system_password>
Save Password: checked
Hostname: <your_hostname or ip >
Port: <your_database_port>
SID: <your_database_sid>


3.

When the status is successful, click Connect.


4.

Your connection was made.


Back to Topic List

Making Modifications to Basic Database Parameters as the SYSTEM User

In this tutorial, you want to make sure adhoc changes to (approved) database configurations are not possible from a remote computer. In this topic you try to create a new redo log file as the SYSTEM user. Perform the following steps:

1.

Enter the following SELECT statement in the SQL Worksheet area and select the Execute Statement icon  or press F9.

                               
alter system switch logfile
                            


2.

The SYSTEM user was able to perform the action.

 

Back to Topic List

Modifying a Rule Set to Disallow Remote Alter System Command Execution

In this topic you add a rule to an existing rule set to disallow a privileged user from executing a command against the database based remotely (based on their ip address). Perform the following steps:

1.

Open your browser and enter the following URL:

                               
https://<your_hostname>:1158/dva
                            

Enter the following information and click Login.

User Name: <your_database_vault_owner>
Password: <your_database_vault_owner_password>
Host: <your_hostname>
Port: <your_database_port>
SID / Service: <select SID and enter your_database_sid>


2.

Click the Command Rules link.

 

3.

Notice that the ALTER SYSTEM command has the Allow System Parameters rule set associated with it. Click the Database Instance breadcrumb to go back to the main page.

 

4.

Click the Rule Sets link.

 

5.

Rules Sets are highly customizable parameters used by Command Rules. Since you don't want DBAs to perform the ALTER SYSTEM command remotely, you can add a rule to the Allow System Parameters rule set ( Note: you saw previously that the ALTER SYSTEM command is associated with the Allow System Parameters rule set already). Select Allow System Parameters rule set and click Edit.


6.

Scroll down to the bottom of the page.

 

7.

Under Rules Associated to the Rule Set, click Create.

 

8.

The Application Context feature leveraged by Oracle Database Vault provides a large number of pre-defined 'primitives' like 'ip_address' which can be used to determine access or execution rights. Specify a Name and enter the following in the Rule Expression field and click OK.

                               
sys_context('userenv','ip_address')='<your_host_ip_address>'
                            

where <your_host_ip_address> is the ip_address for your host machine

 

9.

Review the Rule Set you just added. Then scroll up to the top of the form.

 

10.

Make sure Status is Enabled and click OK.

 

11.

The Rule Set has been applied. Click the Database Instance breadcrumb to take you back to the main page. In the next section you test the command.

 

Back to Topic List

Testing the Alter System Command Rule

Re-execute the SQL statement you previously ran. This time you see that the SYSTEM user can not execute the command because the only IP address that results in a 'TRUE' value in our rule set is the Database Vault server's IP address. The IP address from the computer accessing the server is different and in this tutorial you want to disable remote changes to a database. Perform the following steps:

1.

Switch back to Oracle SQL Developer. Click the Execute Statement icon  or press F9 to re-execute the SQL you ran previously.


2 .

This time when SYSTEM tries to perform the ALTER SYSTEM command, a violation occurs.

 

Back to Topic List

Creating a Database Link as the SYSTEM User

Lets take a look at another scenario where you also want to ensure adhoc changes to (approved) database configurations are not possible from a remote computer. In this topic you try to create a database link as the SYSTEM user. Perform the following steps:

1.

Enter the following statement in the SQL Worksheet area and select the Execute Statement icon  or press F9.

                               
create database link mylink
                            


2.

The SYSTEM user was able to perform the action.

 

Back to Topic List

Creating a Command Rule to Disallow Remote Create Database Link Command Execution

In this topic you add a rule to an existing rule set disallow a privileged user from executing the CREATE DATABASE LINK command against the database remotely (based on their ip address). Perform the following steps:

1.

Switch back to Oracle Database Vault and from the main page click the Command Rules link.

                                
                            


2.

Click Create.

 

3.

From the list of Commands, select CREATE DATABASE LINK. From the list of Rule Sets, select Allow System Parameters (this is the rule set you modified earlier by adding a rule to check the ip address of the machine issuing the command). Click OK.

 

4.

Notice that the CREATE DATABASE LINK command rule now appears in the list and is associated with the Allow Systems Parameters rule set. Click the Database Instance breadcrumb to return to the main page. In the next section you test the command.

 

Back to Topic List

Testing the Create Database Link Command Rule

Re-execute the SQL statement you previously ran. This time you see that the SYSTEM user can not execute the command because the only IP address that results in a 'TRUE' value in our rule set is the Database Vault server's IP address. The IP address from the computer accessing the server is different and in this tutorial you want to disable remote changes to a database. Perform the following steps:

1.

Switch back to Oracle SQL Developer and attempt to create a second database link. Enter the following statement in the SQL Worksheet area and select the Execute Statement icon  or press F9.

create database link mylink2


2 .

This time when SYSTEM tries to perform the CREATE DATABASE LINK command, a violation occurs.

 

 

Producing an Audit Report

When the Rule Set was created, the auditing option was set to Audit on Failure. Perform the following steps to verify the audit:

1.

Switch back to Oracle Database Vault. Click the Data Vault Reports tab.


2 .

Under the Data Vault Reporting category, select Command Rule Audit and click Run Report.

 

3.

The report is displayed. Notice that in this case, the commands run are displayed and the rule set you altered was invoked.

 

Back to Topic List

Summary

In this tutorial, you learned how to prevent a DBA user from executing a database command remotely .

Back to Topic List

 Place the cursor over this icon to hide all screenshots.

 

 

Left Curve
Popular Downloads
Right Curve
Untitled Document