Database Vault quick setup

Preamble

There are quite a lot of available options to secure your database and they are all about security and confidentiality. All solutions that covert those two distinct subjects are often club in security solution term.

First step is to secure your Operating System and database by applying latest security patches (OS and database) and applying best practices security rules (close unused OS ports, remove unused OS/database accounts, strong passwords, …). Then you can imagine to put your database server in a De Militarized Zone (DMZ), encrypt SQL*Net protocol with Advanced Security option and filter database accesses with Database Firewall.

You must then strictly control who has authorizations to access to your database (different authentications are available) and strictly control database system and objects privileges given to users.

Once done for confidentiality you have following options:

  • Virtual Private Database (VPD)
  • Oracle Label Security (OLS)
  • Oracle Database Vault
  • Transparent Data Encryption

Virtual Private Database and Oracle Label Security restrict data that different users can see (rows and columns). They provide fine-grained access control on objects to your sensitive data. If getting lost when to choose one of these products check in 2 Day + Security Guide Oracle at this page.

Oracle Database Vault restricts access to specific areas of your database to users, including users who have administrative access (i.e. DBA and SYSDBA roles), it also provides fine-grained access control. This product is mainly used to separate duties between normal DBAs (that can be from another company) and applicative people that handle secure data (salaries, credit card numbers, …).

Transparent Data Encryption encrypt figures of your database and backup files you generate. It avoids for example OS super users (root) to search at OS level in your datafiles to retrieve confidential information or a thief to use your stolen backup tapes.

To Completely describe Oracle offer it is worth to mention Oracle Database Masking to remove confidential data from copy of production databases and Oracle Audit Vault to manage a secure repository of audit data (forbid, for example, DBAs to remove their own trace of audit).

Please note that all those options are non-free and you must purchase them either as option of Oracle Enterprise Edition (Database Vault, Transparent Data Encryption, …) or as completely separate product (Database Firewall, ..).

Database Vault installation

Normally product should not be installed and you can confirm it with something like:

SQL> SET lines 200
SQL> SELECT * FROM V$OPTION WHERE PARAMETER = 'Oracle Database Vault';
 
PARAMETER                                                        VALUE
---------------------------------------------------------------- ----------------------------------------------------------------
Oracle DATABASE Vault                                            FALSE

To install it, stop database, listener and database console and enable Database Vault link product with:

[oracle@server1 ~]$ cd $ORACLE_HOME/rdbms/lib
[oracle@server1 lib]$ make -f ins_rdbms.mk dv_on lbac_on ioracle
/usr/bin/ar d /oracle/software/rdbms/lib/libknlopt.a kzvndv.o
/usr/bin/ar cr /oracle/software/rdbms/lib/libknlopt.a /oracle/software/rdbms/lib/kzvidv.o
/usr/bin/ar d /oracle/software/rdbms/lib/libknlopt.a kzlnlbac.o
/usr/bin/ar cr /oracle/software/rdbms/lib/libknlopt.a /oracle/software/rdbms/lib/kzlilbac.o
chmod 755 /oracle/software/bin
 
 - Linking Oracle
rm -f /oracle/software/rdbms/lib/oracle
gcc  -o /oracle/software/rdbms/lib/oracle -m64 -L/oracle/software/rdbms/lib/ -L/oracle/software/lib/ -L/oracle/software/lib/stubs/   -Wl,-E /oracle/software/rdbms/lib/opimai.o /oracle/software/rdbms/lib/ssoraed.o /oracle/software/rdbms/lib/ttcsoi.o  -Wl,--whole-archive -lperfsrv11 -Wl,--no-whole-archive /oracle/software/lib/nautab.o /oracle/software/lib/naeet.o /oracle/software/lib/naect.o /oracle/software/lib/naedhs.o /oracle/software/rdbms/lib/config.o  -lserver11 -lodm11 -lcell11 -lnnet11 -lskgxp11 -lsnls11 -lnls11  -lcore11 -lsnls11 -lnls11 -lcore11
-lsnls11 -lnls11 -lxml11 -lcore11 -lunls11 -lsnls11 -lnls11 -lcore11 -lnls11 -lclient11  -lvsn11 -lcommon11 -lgeneric11 -lknlopt `if /usr/bin/ar tv /oracle/software/rdbms/lib/libknlopt.a | grep xsyeolap.o > /dev/null 2>&1 ; then echo "-loraolap11" ; fi` -lslax11 -lpls11  -lrt -lplp11 -lserver11 -lclient11  -lvsn11 -lcommon11
-lgeneric11 `if [ -f /oracle/software/lib/libavserver11.a ] ; then echo "-lavserver11" ; else echo "-lavstub11"; fi` `if [ -f /oracle/software/lib/libavclient11.a ] ; then echo "-lavclient11" ; fi` -lknlopt -lslax11 -lpls11  -lrt -lplp11 -ljavavm11 -lserver11  -lwwg  `cat /oracle/software/lib/ldflags`    -lncrypt11 -lnsgr11 -lnzjs11 -ln11 -lnl11 -lnro11 `cat /oracle/software/lib/ldflags`    -lncrypt11 -lnsgr11 -lnzjs11 -ln11 -lnl11 -lnnz11 -lzt11 -lztkg11 -lmm -lsnls11 -lnls11  -lcore11 -lsnls11 -lnls11 -lcore11 -lsnls11 -lnls11 -lxml11 -lcore11 -lunls11 -lsnls11 -lnls11 -lcore11 -lnls11 -lztkg11 `cat /oracle/software/lib/ldflags`    -lncrypt11 -lnsgr11 -lnzjs11
-ln11 -lnl11 -lnro11 `cat /oracle/software/lib/ldflags`    -lncrypt11 -lnsgr11 -lnzjs11 -ln11 -lnl11 -lnnz11 -lzt11 -lztkg11   -lsnls11 -lnls11  -lcore11 -lsnls11 -lnls11 -lcore11 -lsnls11 -lnls11 -lxml11 -lcore11 -lunls11 -lsnls11 -lnls11 -lcore11 -lnls11 `if /usr/bin/ar tv /oracle/software/rdbms/lib/libknlopt.a | grep "kxmnsd.o" > /dev/null 2>&1 ; then echo " " ; else echo "-lordsdo11"; fi` -L/oracle/software/ctx/lib/ -lctxc11 -lctx11 -lzx11 -lgx11 -lctx11 -lzx11 -lgx11 -lordimt11 -lclsra11 -ldbcfg11 -lhasgen11 -lskgxn2 -lnnz11 -lzt11 -lxml11 -locr11 -locrb11 -locrutl11 -lhasgen11 -lskgxn2 -lnnz11 -lzt11 -lxml11  -loraz -llzopro -lorabz2 -lipp_z
-lipp_bz2 -lippdcemerged -lippsemerged -lippdcmerged  -lippsmerged -lippcore  -lippcpemerged -lippcpmerged  -lsnls11 -lnls11  -lcore11 -lsnls11 -lnls11 -lcore11 -lsnls11 -lnls11 -lxml11 -lcore11 -lunls11 -lsnls11 -lnls11 -lcore11 -lnls11 -lsnls11 -lunls11  -lsnls11 -lnls11  -lcore11 -lsnls11 -lnls11 -lcore11 -lsnls11 -lnls11 -lxml11 -lcore11 -lunls11 -lsnls11 -lnls11 -lcore11 -lnls11 -lasmclnt11 -lcommon11 -lcore11 -laio    `cat /oracle/software/lib/sysliblist` -Wl,-rpath,/oracle/software/lib -lm    `cat /oracle/software/lib/sysliblist` -ldl -lm   -L/oracle/software/lib
test ! -f /oracle/software/bin/oracle ||\
           mv -f /oracle/software/bin/oracle /oracle/software/bin/oracleO
mv /oracle/software/rdbms/lib/oracle /oracle/software/bin/oracle
chmod 6751 /oracle/software/bin/oracle

Then restart database, listener and database console.

Configure Database Vault paid option with Database Configuration Assistant (dbca), make sure you have an entry in /etc/oratab for your database unless option are not accessible. No screen shots here as it is really easy, choose configure database options. Activating Database Vault requires you also activate Label Security.

Then dbca prompts you to choose Database Vault Owner account (suggested account name is DBVOWNER) and Database Vault Account Manager (suggested account name is DBVACCTMGR). Database Vault Account Manager is not mandatory account but more segregate duties between different person. DBVOWNER account will be used to manage access rights (realms, ..) and DBVACCTMGR account will be used to create account. DBAs will not be able to create accounts anymore and will stick on pure database administration tasks.

You will also have to choose connection mode to your database (shared or dedicated). Then Database Configuration Assistant will work for you and configure Database Vault.

Once completed grant SELECT_CATALOG_ROLE and SELECT ANY DICTIONARY to DBVACCTMGR account.

When you login on database again you will see:

[oracle@server1 ~]$ sqlplus / AS sysdba
 
SQL*Plus: RELEASE 11.2.0.2.0 Production ON Tue Aug 30 16:17:14 2011
 
Copyright (c) 1982, 2010, Oracle.  ALL rights reserved.
 
 
Connected TO:
Oracle DATABASE 11g Enterprise Edition RELEASE 11.2.0.2.0 - 64bit Production
WITH the Partitioning, Oracle Label Security, OLAP, Data Mining,
Oracle DATABASE Vault AND REAL Application Testing options
 
SQL> SET lines 200
SQL> SELECT * FROM V$OPTION WHERE PARAMETER = 'Oracle Database Vault';
 
PARAMETER                                                        VALUE
---------------------------------------------------------------- ----------------------------------------------------------------
Oracle DATABASE Vault                                            TRUE

Database Vault testing

As suggested in documentation let’s try to restrict access to SOE.CUSTOMERS table, with my own account (DBA role) I obviously have access to all objects:

SQL> CONNECT yjaquier
Enter password:
Connected.
SQL> DESC soe.customers
 Name                                      NULL?    TYPE
 ----------------------------------------- -------- ----------------------------
 CUSTOMER_ID                                        NUMBER(12)
 CUST_FIRST_NAME                           NOT NULL VARCHAR2(30)
 CUST_LAST_NAME                            NOT NULL VARCHAR2(30)
 NLS_LANGUAGE                                       VARCHAR2(3)
 NLS_TERRITORY                                      VARCHAR2(30)
 CREDIT_LIMIT                                       NUMBER(9,2)
 CUST_EMAIL                                         VARCHAR2(100)
 ACCOUNT_MGR_ID                                     NUMBER(6)
 
SQL> SELECT COUNT(*) FROM soe.customers;
 
  COUNT(*)
----------
 101221463

To restrict access to this table (to all, including users with DBA roles and SYS account) we will create a realm called "SOE Customers".

Then either you follow support note 1212124.1 to configure Database Console for DBVOWNER account or you directly access (in any case Database Console is simply launching the below url so no added value in configuring it):

https://hostname:port/dva

In first panel, called administration, select realms hyper link. You see the four default realms that come with product installation:

  • Database Vault Account Management
  • Oracle Data Dictionary
  • Oracle Database Vault
  • Oracle Enterprise Manager

Click on create button and create a new one called "SOE Customers" with audit on failure default option (at that stage you cannot add objects on which you want to restrict access).

Once created edit it and add SOE.CUSTOMERS table in Realm Secured Objects section (please note that any wild cards are allowed in this part) and do not grant it to anyone.

Now if you select on SOE.CUSTOMERS table you get (even with SYS account):

SQL> SELECT COUNT(*) FROM soe.customers;
SELECT COUNT(*) FROM soe.customers
                         *
ERROR AT line 1:
ORA-01031: insufficient PRIVILEGES

Remark:
The access violations appear in monitor part of Database Vault graphical interface.

Now let’s grant access to YJAQUIER account on SOE.CUSTOMERS table, if you do it with graphical interface you get something like:

dbv1
dbv1

Then the SOE.CUSTOMERS table is accessible again with YJAQUIER account but still not with other account (including SYS).

PeopleSoft Case

Database Vault is certified with few products including PeopleSoft and SAP. Please refer to Oracle web site for latest Database Vault certifications.

What is really interesting is in Oracle Database Vault downloads page, Oracle corporation freely provide the Database Vault PeopleSoft policies. Please note that starting with 11g Database Vault binaries are included in database medias.

The zip you can download contains few SQL scripts that will create all what is needed to secure your PeopleSoft installation.

References

  • Delete or Configure Database Options Are Disabled In DBCA [ID 579171.1]
  • Accessing Database Vault Through Enterprise Manager Is Failing With “You Must Have Operator Target Privilege” [ID 1212124.1]
  • Master Note For Oracle Database Vault [ID 1195205.1]
  • Oracle Database Vault reference

One thought on “Database Vault quick setup

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes:

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>