
USING ORACLE 10g DATABASE VAULT

CONFIGURING DATABASE VAULT OPTIONS TO AN EXISTING ORACLE_HOME AND SETTING UP THE DATA VAULT
OWNER IN THE DATABASE VAULTDB
dvca -action option -oh $ORACLE_HOME -s_path /tmp -logfile /tmp/log.out -owner_account dvo -owner_passwd Salom#2401 -jdbc_str
jdbc:oracle:oci:@vaultdb -sys_passwd oracle -nodecrypt -silent
vaultdb:/u02/oracle/10.2/bin> ./dvca -action option -oh $ORACLE_HOME -s_path /tmp -logfile /tmp/log.out -owner_account dvo
-owner_passwd Salom#2401 -jdbc_>
DVCA started
Executing task RESTART_SERVICES_PATCH
MANAGE_INSTANCE stop isqlplus
MANAGE_INSTANCE stop OC4J
MANAGE_LISTENER start listener
MANAGE_LISTENER start listener result=/u02/oracle/10.2/bin/dvca_start_listener.sh,1,
MANAGE_LISTENER start listener log=
LSNRCTL for IBM/AIX RISC System/6000: Version 10.2.0.3.0 - Production on 08-OCT-2008 04:10:00
Copyright (c) 1991, 2006, Oracle. All rights reserved.
TNS-01106: Listener using listener name LISTENER has already been started
MANAGE_INSTANCE start RDBMS
Executing task SQLPLUS_CATOLS
Executing task RESTART_SERVICES_OLS
MANAGE_INSTANCE stop isqlplus
MANAGE_INSTANCE stop OC4J
MANAGE_LISTENER start listener
MANAGE_LISTENER start listener result=/u02/oracle/10.2/bin/dvca_start_listener.sh,1,
MANAGE_LISTENER start listener log=
LSNRCTL for IBM/AIX RISC System/6000: Version 10.2.0.3.0 - Production on 08-OCT-2008 04:15:52
Copyright (c) 1991, 2006, Oracle. All rights reserved.
TNS-01106: Listener using listener name LISTENER has already been started
MANAGE_INSTANCE start RDBMS
Executing task SQLPLUS_CATMAC
Executing task UNLOCK_DVSYS
Executing task LOAD_NLS_FILES
Executing task ACCOUNT_CREATE_OWNER
Executing task GRANT_CONNECT_OWNER
Executing task GRANT_ADMIN_DB_TRIG
Executing task GRANT_ALTER_ANY_TRIG
Executing task PASSWORD_CHANGE_DVSYS
Executing task PASSWORD_CHANGE_DVF
RULE_SYNC:TRUE
Executing task GRANT_DV_OWNER_OWNER
Executing task GRANT_DBMS_RLS_OWNER
Executing task GRANT_AUDIT_TRAIL
Executing task GRANT_DV_ACCTMGR_OWNER
COMMAND_RULES:9
Executing task ALTER_TRIGGER_BEFORE_DDL
Executing task ALTER_TRIGGER_AFTER_DDL
Executing task REVOKE_CONNECT_DVSYS
Executing task REVOKE_CONNECT_DVF
Executing task LOCK_DVSYS
Executing task LOCK_DVF
Executing task ALTER_TRIGGER_LBACSYS1
Executing task ALTER_TRIGGER_LBACSYS2
Executing task ALTER_TRIGGER_LBACSYS3
Executing task DEPLOY_DVA
DEPLOY_DVA,validate
DEPLOY_DVA get EM home
DEPLOY_DVA get EM home instance=tmpu008.bankwest.com_vaultdb
DEPLOY_DVA stop isqlplus
DEPLOY_DVA stop OC4J
DEPLOY_DVA,modify /u02/oracle/10.2/oc4j/j2ee/OC4J_DBConsole_tmpu008.bankwest.com_vaultdb/config/server.xml
DEPLOY_DVA,modify /u02/oracle/10.2/oc4j/j2ee/OC4J_DBConsole_tmpu008.bankwest.com_vaultdb/config/http-web-site.xml
Executing task SQLPLUS_UTLRP
Executing task INIT_AUDIT_SYS_OPERATIONS
Executing task INIT_REMOTE_OS_AUTHENT
Executing task INIT_REMOTE_OS_ROLES
Executing task INIT_OS_ROLES
Executing task INIT_SQL92_SECURITY
Executing task INIT_OS_AUTHENT_PREFIX
Executing task INIT_REMOTE_LOGIN_PASSWORDFILE
Executing task INIT_RECYCLEBIN
Executing task RESTART_SERVICES
MANAGE_INSTANCE stop isqlplus
MANAGE_INSTANCE stop OC4J
MANAGE_INSTANCE stop RDBMS
MANAGE_LISTENER stop listener
MANAGE_LISTENER start listener
MANAGE_INSTANCE start RDBMS
MANAGE_INSTANCE start OC4J
vaultdb:/u02/oracle/10.2/bin>

Launch the Oracle Database Vault web application from the URL:
http://tmpu008:1158/dva

CASE 1
User SYSTEM has the SELECT ANY TABLE privilege and can select all the rows of the HR.REGIONS table.
Note that the banner indicates that the Database Vault option has been added to the Oracle software.
vaultdb:/u02/oracle/10.2/install> sqlplus system/oracle
SQL*Plus: Release 10.2.0.3.0 - Production on Wed Oct 8 13:03:43 2008
Copyright (c) 1982, 2006, Oracle. All Rights Reserved.
Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 - 64bit Production
With the Partitioning, Oracle Label Security, OLAP, Data Mining
and Oracle Database Vault options
SQL> select * from hr.regions;
REGION_ID REGION_NAME
---------- ------------------------
1 Europe
2 Americas
3 Asia
4 Middle East and Africa

Using Database Vault, we will set up security so that even a privileged user like SYSTEM is not able to access any tables owned by the
schema HR.
Connect as the Database Vault owner - dvo

Create a new security realm PROTECT_HR

ADD ALL TABLES OWNED BY HR TO THE SECURED REALM PROTECT_HR

TEST THE SAME BY CONNECTING AS SYSTEM AND TRYING TO ACCESS ANY TABLES OWNED BY HR
vaultdb:/u02/oracle/10.2/install> sqlplus system/oracle
SQL*Plus: Release 10.2.0.3.0 - Production on Wed Oct 8 13:28:18 2008
Copyright (c) 1982, 2006, Oracle. All Rights Reserved.
Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 - 64bit Production
With the Partitioning, Oracle Label Security, OLAP, Data Mining
and Oracle Database Vault options
SQL> select * from hr.regions;
select * from hr.regions
*
ERROR at line 1:
ORA-01031: insufficient privileges
HOWEVER, SYSTEM USER CAN ACCESS OTHER TABLES IN THE DATABASE IN SCHEMAS OTHER THAN HR
SQL> select count(*) from sh.sales;
COUNT(*)
----------
918843

DATABASE VAULT ALSO TRACKS AND REPORTS ANY SECURITY VIOLATIONS THAT HAVE OCCURRED
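The realm described in Case 1 (create PROTECT_HR, add all HR tables, then check that SYSTEM is refused and that the violation is recorded) can also be set up without the web application, through the DBMS_MACADM API. The block below is an added example, not part of the original walkthrough, and is run as the Database Vault owner (dvo on this page). Realm, schema and object names are the page's own; the DBMS_MACUTL constants and the DBA_DV_* and DVSYS.AUDIT_TRAIL$ column names are the 10gR2 names as I know them and are an assumption. Two points the page does not spell out: a realm blocks access obtained through system privileges such as SELECT ANY TABLE, not access through direct object grants, so HR itself and anyone with a direct grant on HR tables keeps working; and the realm owner authorisation in step 3 is optional and not in the page's steps, it is included so the application schema can still manage its own objects.

```sql
-- Added example (not from the original document): the Case 1 realm built with
-- the DBMS_MACADM API. Run as the Database Vault owner (dvo).
-- ASSUMPTION: DBMS_MACUTL constant names and DVSYS view/column names are the
-- 10gR2 ones.
BEGIN
  -- 1. Create the realm; audit failed attempts so violations are recorded.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'PROTECT_HR',
    description   => 'Protects all objects owned by HR from system-privilege access',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);

  -- 2. Secure every table owned by HR ('%' is the Database Vault wildcard).
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'PROTECT_HR',
    object_owner => 'HR',
    object_name  => '%',
    object_type  => 'TABLE');

  -- 3. Optional (not in the page's steps): let HR manage its own objects.
  --    Without this, even HR's DDL on its tables is subject to the realm.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'PROTECT_HR',
    grantee       => 'HR',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_OWNER);
END;
/

-- Check: the realm definition as Database Vault stores it.
SELECT r.name, r.enabled, o.owner, o.object_name, o.object_type
  FROM dba_dv_realm r
  JOIN dba_dv_realm_object o ON o.realm_name = r.name
 WHERE r.name = 'PROTECT_HR';

-- Check: realm violations (SYSTEM's ORA-01031 in the session above) in the
-- Database Vault audit trail. Column names assumed from 10gR2 AUDIT_TRAIL$.
SELECT username, userhost, action_name, action_object_name, returncode,
       extended_timestamp
  FROM dvsys.audit_trail$
 WHERE username = 'SYSTEM'
 ORDER BY extended_timestamp DESC;
```

After the PL/SQL block, repeating the SELECT on hr.regions as SYSTEM should give the same ORA-01031 as in the session above, and the last query should then show one new row for that attempt; the count on sh.sales is unaffected because SH is not in the realm.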

CASE TWO
In the second case study we will set up security using Database Vault so that any DELETE operation on a certain table can ONLY BE
PERFORMED IF YOU CONNECT FROM A CLIENT MACHINE WITH A PARTICULAR IP ADDRESS. This will prevent any
unauthorized access to data stored in sensitive tables.

CREATE A NEW RULE SET CALLED PRIVILEGED_CLIENT_MACHINE

While creating the RULE SET, we will provide the IP ADDRESS of the particular client machine that we want to restrict connections to.

NEXT WE ASSOCIATE THE RULE SET WE JUST CREATED WITH A PARTICULAR COMMAND. IN OUR CASE THE
COMMAND IS DELETE.

TEST THE SAME BY CONNECTING AS SYSTEM FROM A SQL*PLUS SESSION DIRECTLY FROM THE SERVER
vaultdb:/u02/oracle/10.2/install> sqlplus system/oracle
SQL*Plus: Release 10.2.0.3.0 - Production on Wed Oct 8 14:48:56 2008
Copyright (c) 1982, 2006, Oracle. All Rights Reserved.
Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 - 64bit Production
With the Partitioning, Oracle Label Security, OLAP, Data Mining
and Oracle Database Vault options
SQL> delete sh.sales where rownum < 10;
delete sh.sales where rownum < 10
*
ERROR at line 1:
ORA-01031: insufficient privileges

ON THE CLIENT MACHINE WHICH HAS BEEN GRANTED ACCESS, CONFIGURE A LOCAL TNSNAMES.ORA CLIENT
CONNECTION TO THE VAULTDB DATABASE AND CONNECT AS THE USER SYSTEM

NOTE THAT SINCE WE ARE CONNECTING TO THE DATABASE FROM THE CLIENT MACHINE PERMITTED BY THE
DATABASE VAULT RULE SET, THE DELETE OPERATION ON THE TABLE SALES CAN BE PERFORMED
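The rule set, rule and command rule of Case 2 expressed through the DBMS_MACADM API, as an added example that is not part of the original walkthrough. It is run as the Database Vault owner (dvo). The rule set name is the page's; SH.SALES is the table the page's test uses; the IP address is a constructed placeholder because the page does not state the real one; the DBMS_MACUTL constant names, the rule name and the fail message are assumptions. The check at the end also explains the first test result above: a SQL*Plus session started on the server itself is a bequeath connection with no client IP, so the Client_IP factor is null and the rule set fails, which is why the server-side DELETE got ORA-01031.

```sql
-- Added example (not from the original document): Case 2 built with the
-- DBMS_MACADM API. Run as the Database Vault owner (dvo).
-- ASSUMPTION: the IP address is a placeholder; DBMS_MACUTL constant names are
-- the 10gR2 ones.
BEGIN
  -- 1. A rule is a boolean SQL expression. DVF.F$CLIENT_IP is the default
  --    Client_IP factor; it is NULL for bequeath (local, no-listener) sessions,
  --    so the expression is false for SQL*Plus run on the server itself.
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Connected from privileged client',
    rule_expr => 'DVF.F$CLIENT_IP = ''192.0.2.10''');  -- placeholder address

  -- 2. Rule set: every rule must pass, failures are audited and the error is
  --    shown to the user rather than failing silently.
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'PRIVILEGED_CLIENT_MACHINE',
    description     => 'True only when connected from the approved client machine',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'DELETE on SH.SALES is only allowed from the approved client',
    fail_code       => -20001,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);

  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'PRIVILEGED_CLIENT_MACHINE',
    rule_name     => 'Connected from privileged client');

  -- 3. Command rule: DELETE on SH.SALES runs only when the rule set is true.
  --    Command rules apply to every user, SYSTEM included.
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'DELETE',
    rule_set_name => 'PRIVILEGED_CLIENT_MACHINE',
    object_owner  => 'SH',
    object_name   => 'SALES',
    enabled       => DBMS_MACUTL.G_YES);
END;
/

-- Check from any session: what the factor resolves to for this connection.
-- NULL means a local/bequeath session, and the DELETE will be refused.
SELECT DVF.F$CLIENT_IP                      AS client_ip,
       SYS_CONTEXT('USERENV', 'IP_ADDRESS') AS userenv_ip
  FROM dual;

-- Check: the command rule and the rules behind it, as stored.
SELECT c.command, c.object_owner, c.object_name, c.enabled,
       rr.rule_name, rr.rule_expr
  FROM dba_dv_command_rule  c
  JOIN dba_dv_rule_set_rule rr ON rr.rule_set_name = c.rule_set_name
 WHERE c.command = 'DELETE';
```

Running the first check from the server-side SQL*Plus session and again from the client machine's tnsnames.ora connection shows the two results side by side: NULL on the server, the client's address over the network, which matches the refused and the permitted DELETE above.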

DISABLE DATABASE VAULT

vaultdb:/u02/oracle/10.2/install> cd $ORACLE_HOME/rdbms/lib
vaultdb:/u02/oracle/10.2/rdbms/lib> make -f ins_rdbms.mk dv_off lbac_off
/bin/ar -X64 d /u02/oracle/10.2/rdbms/lib/libknlopt.a kzvidv.o
/bin/ar -X64 cr /u02/oracle/10.2/rdbms/lib/libknlopt.a /u02/oracle/10.2/rdbms/lib/kzvndv.o
/bin/ar -X64 d /u02/oracle/10.2/rdbms/lib/libknlopt.a kzlilbac.o
/bin/ar -X64 cr /u02/oracle/10.2/rdbms/lib/libknlopt.a /u02/oracle/10.2/rdbms/lib/kzlnlbac.o
vaultdb:/u02/oracle/10.2/bin> relink oracle
chmod 755 /u02/oracle/10.2/bin
- Linking Oracle
rm -f /u02/oracle/10.2/rdbms/lib/oracle
ld -b64 -o /u02/oracle/10.2/rdbms/lib/oracle -L/u02/oracle/10.2/rdbms/lib/ -L/u02/oracle/10.2/lib/ -bbigtoc -bnoipath
-bI:/u02/oracle/10.2/lib/ksms.imp /u02/oracle/10.2/rdbms/lib/opimai.o /u02/oracle/10.2/rdbms/lib/ssoraed.o /u02/oracle/10.2/rdbms/lib/ttcsoi.o
-lperfsrv10 /u02/oracle/10.2/lib/nautab.o /u02/oracle/10.2/lib/naeet.o /u02/oracle/10.2/lib/naect.o /u02/oracle/10.2/lib/naedhs.o
/u02/oracle/10.2/rdbms/lib/config.o -bI:/usr/lib/aio.exp -lserver10 /u02/oracle/10.2/lib/libodm10.so -lnnet10 -lskgxp10 -lsthasgen10
/u02/oracle/10.2/has/lib/clssgc.o /u02/oracle/10.2/lib/libstskgxn2.a -lstocr10 -lstocrb10 -lstocrutl10 -lsthasgen10
/u02/oracle/10.2/has/lib/clssgc.o /u02/oracle/10.2/lib/libstskgxn2.a -lclient10 -lvsn10 -lcommon10 -lgeneric10 `if [ -f
/u02/oracle/10.2/lib/libavserver10.a ] ; then echo "-lavserver10" ; else echo "-lavstub10"; fi` `if [ -f /u02/oracle/10.2/lib/libavclient10.a ] ; then
echo "-lavclient10" ; fi` /u02/oracle/10.2/rdbms/lib/defopt.o -lknlopt `if /bin/ar -X64 tv /u02/oracle/10.2/rdbms/lib/libknlopt.a | grep xsyeolap.o
> /dev/null 2>&1 ; then echo "-loraolap10 -bE:/u02/oracle/10.2/rdbms/lib/olap.exp" ; fi` -lslax10 -lpls10 -lplp10
-bE:/u02/oracle/10.2/rdbms/lib/plsqlncomp.exp /u02/oracle/10.2/lib/libstclsra10.a -lstdbcfg10 -lserver10 -lclient10 -lvsn10 -lcommon10
-lgeneric10 -lknlopt -lslax10 -lpls10 -lplp10 -ljox10 -bE:/u02/oracle/10.2/rdbms/lib//oracle.exp `sed -e 's/-ljava//g'
/u02/oracle/10.2/lib/ldflags`
-lncrypt10 -lnsgr10 -lnzjs10 -ln10 -lnnz10 -lnl10 -lnzjs10 -lnro10 `sed -e 's/-ljava//g' /u02/oracle/10.2/lib/ldflags`
-lncrypt10 -lnsgr10 -lnzjs10 -ln10 -lnnz10 -lnl10 -lnzjs10 -lclient10 -lvsn10 -lcommon10 -lgeneric10 -lmm -lsnls10 -lnls10 -lcore10 -lsnls10
-lnls10 -lcore10 -lsnls10 -lnls10 -lxml10 -lcore10 -lunls10 -lsnls10 -lnls10 -lcore10 -lnls10 `sed -e 's/-ljava//g' /u02/oracle/10.2/lib/ldflags`

-lncrypt10 -lnsgr10 -lnzjs10 -ln10 -lnnz10 -lnl10 -lnzjs10 -lnro10 `sed -e 's/-ljava//g' /u02/oracle/10.2/lib/ldflags`
-lncrypt10 -lnsgr10
-lnzjs10 -ln10 -lnnz10 -lnl10 -lnzjs10 -lclient10 -lvsn10 -lcommon10 -lgeneric10 -lpls10 -lsnls10 -lnls10 -lcore10 -lsnls10 -lnls10 -lcore10
-lsnls10 -lnls10 -lxml10 -lcore10 -lunls10 -lsnls10 -lnls10 -lcore10 -lnls10 -lclient10 -lvsn10 -lcommon10 -lgeneric10 -lsnls10 -lnls10
-lcore10 -lsnls10 -lnls10 -lcore10 -lsnls10 -lnls10 -lxml10 -lcore10 -lunls10 -lsnls10 -lnls10 -lcore10 -lnls10 -lserver10 `if /bin/ar -X64 tv
/u02/oracle/10.2/rdbms/lib/libknlopt.a | grep "kxmnsd.o" > /dev/null 2>&1 ; then echo " " ; else echo "-lordsdo10"; fi` -lctxc10 -lctx10 -lzx10
-lgx10 -lctx10 -lzx10 -lgx10 -lordimt10 -lsnls10 -lnls10 -lcore10 -lsnls10 -lnls10 -lcore10 -lsnls10 -lnls10 -lxml10 -lcore10 -lunls10 -lsnls10
-lnls10 -lcore10 -lnls10 -lsnls10 -lunls10 -bE:/u02/oracle/10.2/rdbms/lib//libcorejava.exp -lld -lm `cat /u02/oracle/10.2/lib/sysliblist` -lm `if
[ "\`/usr/bin/uname -v\`" = "4" ]; \
then echo "-bI:/u02/oracle/10.2/lib/pw-syscall.exp"; fi;` `if /bin/ar -X64 t /u02/oracle/10.2/rdbms/lib/libknlopt.a | grep '^'kcsm.o > /dev/null
2>&1 ; then echo "-lha_gs_r -lha_em_r -lpthreads"; fi` -locijdbcst10 -lwwg -bpT:0x100000000 -bpD:0x110000000 bforceimprw
ld: 0711-783 WARNING: TOC overflow. TOC size: 142864 Maximum size: 65536
Extra instructions are being generated for each reference to a TOC
symbol if the symbol is in the TOC overflow area.
mv -f /u02/oracle/10.2/bin/oracle /u02/oracle/10.2/bin/oracleO
mv /u02/oracle/10.2/rdbms/lib/oracle /u02/oracle/10.2/bin/oracle
chmod 6751 /u02/oracle/10.2/bin/oracle
vaultdb:/u02/oracle/10.2/bin> sqlplus system/oracle
SQL*Plus: Release 10.2.0.3.0 - Production on Wed Oct 8 15:20:04 2008
Copyright (c) 1982, 2006, Oracle. All Rights Reserved.
Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 - 64bit Production
With the Partitioning, OLAP and Data Mining options
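The banner above is the only evidence the page gives that the relink took effect. An added check, not from the original document, that reports the same thing from inside the database and also shows what the relink does not undo: the realms and command rules defined in Cases 1 and 2 are still stored in DVSYS, they are simply no longer enforced once the option is unlinked. It can be run by any user who can read V$OPTION and DBA_DV_REALM (dvo or SYSTEM here). The V$OPTION parameter name is the one Oracle uses; the warning text is mine.

```sql
-- Added example (not from the original document): confirm whether Database
-- Vault is linked into the kernel and whether unenforced policy remains.
SET SERVEROUTPUT ON
DECLARE
  v_dv_linked  v$option.value%TYPE;
  v_realms     NUMBER;
  v_cmd_rules  NUMBER;
BEGIN
  -- V$OPTION reflects what was linked into the oracle binary (dv_on / dv_off).
  SELECT value INTO v_dv_linked
    FROM v$option
   WHERE parameter = 'Oracle Database Vault';

  -- Policy metadata survives the relink; it is stored in the DVSYS schema.
  SELECT COUNT(*) INTO v_realms    FROM dba_dv_realm;
  SELECT COUNT(*) INTO v_cmd_rules FROM dba_dv_command_rule;

  DBMS_OUTPUT.PUT_LINE('Database Vault linked into the kernel : ' || v_dv_linked);
  DBMS_OUTPUT.PUT_LINE('Realms defined in DVSYS              : ' || v_realms);
  DBMS_OUTPUT.PUT_LINE('Command rules defined in DVSYS       : ' || v_cmd_rules);

  IF v_dv_linked = 'FALSE' AND (v_realms > 0 OR v_cmd_rules > 0) THEN
    DBMS_OUTPUT.PUT_LINE('WARNING: Database Vault policy exists but is NOT enforced; '
      || 'SYSTEM can read HR tables and delete from SH.SALES again.');
  END IF;
END;
/
```

Because the switch between enforced and unenforced happens with make and relink in $ORACLE_HOME, with no database credential involved, this is a check worth scheduling rather than running once: it is the database-side signal that someone with OS access to the Oracle home has turned the option off.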
