Restricting Command Execution Using Oracle Database Vault

Purpose

This tutorial shows you how Oracle Database Vault prevents a powerful user holding the DBA role from making basic database modifications (here, an ALTER SYSTEM statement) from a remote client.

Time to Complete

Approximately 15 minutes

Topics

This tutorial covers the following topics:

 Overview
 Prerequisites
 Creating a SYSTEM Database Connection
 Making Modifications to Basic Database Parameters as the SYSTEM User
 Creating a Command Rule to Disallow Remote Command Execution
 Testing the Command Rule
 Producing an Audit Report
 Summary


Overview

Oracle Database Vault helps customers address the most difficult security problems remaining today - protecting against the insider threat, meeting regulatory compliance requirements and enforcing separation of duty. Oracle Database Vault keeps the DBA from viewing application data, a top concern for customers who must protect sensitive business information or privacy data related to partners, employees and customers. Oracle Database Vault keeps the powerful application DBAs from accessing other applications and from performing tasks outside their authorized responsibilities. Oracle Database Vault can protect existing applications quickly and easily without interfering with the application functionality.


Prerequisites

Before you perform this tutorial, you should:

1.

Install Oracle Database 10g Release 10.2.0.2.

2.

Download and unzip Oracle SQL Developer.

3.

Install the Oracle Database Vault Option (coming soon)


Creating a SYSTEM Database Connection

You want to create a database connection as SYSTEM. Perform the following steps:

1.

Open Oracle SQL Developer. Right-click on Connections and select New Database Connection.


2.

Enter the following information and click Test.

Connection Name: system@database vault
Username: system
Password: <your_system_password>
Save Password: checked
Hostname: <your_hostname>
Port: <your_database_port>
SID: <your_database_sid>


3.

When the status is successful, click Connect.


4.

Your connection was made.


Making Modifications to Basic Database Parameters as the SYSTEM User

In this tutorial, you want to make sure that ad hoc changes to the (approved) database configuration cannot be made remotely. In this topic you switch the online redo log as the SYSTEM user, an ALTER SYSTEM operation that a DBA would normally be allowed to perform. Perform the following steps:

1.

Enter the following ALTER SYSTEM statement in the SQL Worksheet area and click the Execute Statement icon or press F9.

alter system switch logfile;


2.

The SYSTEM user was able to perform the action: nothing yet ties ALTER SYSTEM to where the session is connecting from.

 


Creating a Command Rule to Disallow Remote Command Execution

In this topic you create a command rule to disallow a privileged user from executing a command against the database remotely. Perform the following steps:

1.

Open your browser and enter the following URL:

                               
http://<your_hostname:port>/dva

                            
Enter dvowner for the User Name and <your_password> for the Password. Then click Login.


2.

Click the Rule Sets link.

 

3.

Rule sets are collections of rules that Database Vault evaluates to decide whether an operation is allowed; Command Rules, realms and factors all reference them. Before the Command Rule can be enforced, the Rule Set it uses needs to be defined. Since you don't want DBAs to perform basic modifications remotely, you edit the Enforce Local Access rule set. Select Enforce Local Access and click Edit.


4.

Scroll down to the bottom of the form

 

5.

Under Rules Associated to the Rule Set, click Create.

 

6.

A rule expression is a SQL condition that must evaluate to TRUE for the command to be allowed. Database Vault can use the attributes of the USERENV application context exposed through SYS_CONTEXT, such as ip_address, host, session_user and authentication_method, to decide access or execution rights. Specify a Name and enter the following in the Rule Expression field and click OK.

sys_context('userenv','ip_address')='<your_host_ip_address>'

where <your_host_ip_address> is the IP address of the database host. Before relying on this, check the value that SYS_CONTEXT('USERENV','IP_ADDRESS') actually returns for the session you intend to allow and use exactly that string: a client that connects to localhost reports 127.0.0.1 (or ::1 over IPv6) rather than the host's external address, and a local bequeath connection that does not go through the listener reports NULL, so the rule evaluates to FALSE for it as well.

 

7.

Review the rule you just added to the Rule Set. Then scroll up to the top of the form.

 

8.

Make sure Status is Enabled and click OK.

 

9.

The Enforce Local Access rule set now contains the rule and is enabled. Next you associate the rule set with the ALTER SYSTEM Command Rule. Click the Database breadcrumb.

 

10.

Click the Command Rules link.

 

11.

The command you want to associate with the Enforce Local Access rule set is ALTER SYSTEM. Select ALTER SYSTEM and click Edit.

 

12.

Select Enforce Local Access from the list of Rule Sets and click Enable. Then click OK.

 

13.

The Rule Set has been applied. Click the Database breadcrumb. In the next section you test the command.
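
The same configuration can be scripted instead of clicked through. The following is an added example, not part of the original tutorial: it performs steps 3 through 13 above with the DBMS_MACADM API from a SQL Developer or SQL*Plus session connected as the Database Vault owner (dvowner in this tutorial), then verifies the result from the DBA_DV_* views. It assumes, as the tutorial does, that the Enforce Local Access rule set already exists and that an ALTER SYSTEM command rule already exists and is only being re-pointed; the rule name "Local Host Only" and the address 192.0.2.10 are placeholders you replace with your own.

```sql
-- Added example (not from the tutorial). Run as the Database Vault owner.
-- Assumed names: rule "Local Host Only", address 192.0.2.10.

-- 0. See what the rule will actually compare against. A session that came in
--    through the listener reports the client address; a local bequeath
--    session (no listener) reports NULL, so the rule would be FALSE for it
--    even on the database host. Check this before locking yourself out.
SELECT SYS_CONTEXT('USERENV', 'IP_ADDRESS')   AS client_ip,
       SYS_CONTEXT('USERENV', 'HOST')         AS client_host,
       SYS_CONTEXT('USERENV', 'SESSION_USER') AS session_user
  FROM dual;

BEGIN
  -- 1. The rule: the boolean expression Database Vault evaluates (step 6).
  DVSYS.DBMS_MACADM.CREATE_RULE(
    rule_name => 'Local Host Only',
    rule_expr => q'[SYS_CONTEXT('USERENV','IP_ADDRESS') = '192.0.2.10']');

  -- 2. Attach the rule to the rule set, enabled (steps 5 to 8).
  --    rule_order only matters when the rule set holds several rules.
  DVSYS.DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Enforce Local Access',
    rule_name     => 'Local Host Only',
    rule_order    => 1,
    enabled       => 'Y');

  -- 3. Point the existing ALTER SYSTEM command rule at the rule set
  --    (steps 11 and 12). '%' for owner and object covers every
  --    ALTER SYSTEM statement, not just those touching one object.
  DVSYS.DBMS_MACADM.UPDATE_COMMAND_RULE(
    command       => 'ALTER SYSTEM',
    rule_set_name => 'Enforce Local Access',
    object_owner  => '%',
    object_name   => '%',
    enabled       => 'Y');
END;
/

-- 4. Verify: the rule set's rules, and which rule set ALTER SYSTEM now uses.
SELECT rule_set_name, rule_name, rule_expr, enabled
  FROM DBA_DV_RULE_SET_RULE
 WHERE rule_set_name = 'Enforce Local Access';

SELECT command, rule_set_name, object_owner, object_name, enabled
  FROM DBA_DV_COMMAND_RULE
 WHERE command = 'ALTER SYSTEM';
```

If the first SELECT returns NULL or 127.0.0.1 from the session you expect to be the "local" one, put that value in the rule expression (or add a second rule for it) rather than the host's external address; otherwise the only session that can run ALTER SYSTEM afterwards is one connecting through the listener from the host's external IP.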

 


Testing the Command Rule

Re-execute the SQL statement you previously ran. This time the SYSTEM user cannot execute the command: the only client address for which the rule set evaluates to TRUE is the one you entered in the rule expression (130.35.46.19 in the screenshots, which is the Database Vault server's own IP address), and the computer running SQL Developer is connecting from a different address. That is exactly the remote change you want to block. Perform the following steps:

1.

Switch back to Oracle SQL Developer. Click the Execute Statement icon  or press F9 to re-execute the SQL you ran previously.


2.

This time when SYSTEM tries to perform the ALTER SYSTEM command, Database Vault rejects it with a Command Rule violation (ORA-47400) and no log switch takes place.
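
Reading the error pane is fine for a one-off check; for a repeatable test, the following added example (not from the tutorial) issues the same ALTER SYSTEM SWITCH LOGFILE from PL/SQL and reports whether Database Vault allowed or blocked it for the current session, together with the address the rule saw. Run it as SYSTEM from the remote SQL Developer connection and, for comparison, from a session on the database host. It assumes the rule configured in the previous section is in place; ORA-47400 is the Database Vault Command Rule violation error.

```sql
-- Added example (not from the tutorial). Run as SYSTEM.
SET SERVEROUTPUT ON
DECLARE
  -- Map the Database Vault command rule violation to a named exception.
  e_dv_command_rule EXCEPTION;
  PRAGMA EXCEPTION_INIT(e_dv_command_rule, -47400);
  -- What the rule expression compares: NULL for a bequeath session.
  v_ip VARCHAR2(64) := NVL(SYS_CONTEXT('USERENV', 'IP_ADDRESS'), '<no IP: bequeath>');
BEGIN
  EXECUTE IMMEDIATE 'ALTER SYSTEM SWITCH LOGFILE';
  DBMS_OUTPUT.PUT_LINE('ALLOWED  from ' || v_ip ||
                       ' : rule set evaluated to TRUE for this session');
EXCEPTION
  WHEN e_dv_command_rule THEN
    -- Expected from the remote client once the command rule is enabled.
    DBMS_OUTPUT.PUT_LINE('BLOCKED  from ' || v_ip || ' : ' || SQLERRM);
  WHEN OTHERS THEN
    -- Anything else (privilege, syntax) is not a Database Vault decision.
    DBMS_OUTPUT.PUT_LINE('OTHER ERROR from ' || v_ip || ' : ' || SQLERRM);
END;
/
```

Because ORA-47400 is raised as an ordinary exception, application code that runs ALTER SYSTEM can distinguish a Database Vault refusal from a missing privilege (ORA-01031) and log it accordingly.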

 


Producing an Audit Report

When the Rule Set was created, the auditing option was set to Audit on Failure, so the blocked attempt is recorded while the earlier successful log switch is not. Perform the following steps to verify the audit:

1.

Switch back to the Oracle Database Vault Administrator page in your browser. Click the Data Vault Reports tab.


2.

Under the Data Vault Reporting category, select Command Rule Audit and click Run Report.

 

3.

The report is displayed. Notice that it shows the command that was attempted and the rule set that was invoked to block it.
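
The report reads the Database Vault audit trail, which you can also query directly, for example from a scheduled job or a SIEM collector. The following is an added example, not from the tutorial: it lists the Command Rule audit records for the Enforce Local Access rule set and then summarizes blocked attempts by user and client host. It assumes a user holding the DV_OWNER or DV_SECANALYST role, the column names of the DVSYS.AUDIT_TRAIL$ table, and a 24-hour window.

```sql
-- Added example (not from the tutorial). Run as a DV_OWNER or DV_SECANALYST user.

-- Detail: what was attempted, by whom, from where, and which rule set decided.
SELECT a.timestamp,
       a.username,
       a.userhost,
       a.rule_set_name,
       a.action_command,
       a.returncode
  FROM DVSYS.AUDIT_TRAIL$ a
 WHERE a.rule_set_name = 'Enforce Local Access'
   AND a.timestamp > SYSDATE - 1          -- assumed window: last 24 hours
 ORDER BY a.timestamp DESC;

-- Summary: repeated remote ALTER SYSTEM attempts from one host are the
-- pattern worth alerting on, not a single failure.
SELECT a.username,
       a.userhost,
       COUNT(*)         AS blocked_attempts,
       MIN(a.timestamp) AS first_seen,
       MAX(a.timestamp) AS last_seen
  FROM DVSYS.AUDIT_TRAIL$ a
 WHERE a.rule_set_name = 'Enforce Local Access'
   AND a.timestamp > SYSDATE - 1
 GROUP BY a.username, a.userhost
HAVING COUNT(*) > 1
 ORDER BY blocked_attempts DESC;
```

With the rule set auditing only on failure, these queries show refusals only; if you also want a record of the ALTER SYSTEM statements that were permitted from the local host, change the rule set's audit option to audit on success as well.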

 


Summary

In this tutorial, you learned how to prevent a DBA user from executing a database command remotely, and how to verify the refusal in the Database Vault audit trail.
