CONFIGURING THE DATABASE VAULT OPTION INTO AN EXISTING ORACLE_HOME AND SETTING UP THE DATABASE VAULT OWNER IN THE DATABASE VAULTDB
dvca -action option -oh $ORACLE_HOME -s_path /tmp -logfile /tmp/log.out -owner_account dvo -owner_passwd Salom#2401 -jdbc_str jdbc:oracle:oci:@vaultdb -sys_passwd oracle -nodecrypt -silent
vaultdb:/u02/oracle/10.2/bin> ./dvca -action option -oh $ORACLE_HOME -s_path /tmp -logfile /tmp/log.out -owner_account dvo -owner_passwd Salom#2401 -jdbc_>
DVCA started
Executing task RESTART_SERVICES_PATCH
MANAGE_INSTANCE stop isqlplus
MANAGE_INSTANCE stop OC4J
MANAGE_LISTENER start listener
MANAGE_LISTENER start listener result=/u02/oracle/10.2/bin/dvca_start_listener.sh,1,
MANAGE_LISTENER start listener log=
LSNRCTL for IBM/AIX RISC System/6000: Version 10.2.0.3.0 - Production on 08-OCT-2008 04:10:00
Copyright (c) 1991, 2006, Oracle. All rights reserved.
TNS-01106: Listener using listener name LISTENER has already been started
MANAGE_INSTANCE start RDBMS
Executing task SQLPLUS_CATOLS
Executing task RESTART_SERVICES_OLS
MANAGE_INSTANCE stop isqlplus
MANAGE_INSTANCE stop OC4J
Launch the Oracle Database Vault web application from the URL:
http://tmpu008:1158/dva
CASE 1
User SYSTEM has the SELECT ANY TABLE privilege and can therefore select all the rows of the HR.REGIONS table.
Note that the banner indicates that the Database Vault option has been added to the Oracle software.
vaultdb:/u02/oracle/10.2/install> sqlplus system/oracle
SQL*Plus: Release 10.2.0.3.0 - Production on Wed Oct 8 13:03:43 2008
Copyright (c) 1982, 2006, Oracle. All Rights Reserved.
Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 - 64bit Production
With the Partitioning, Oracle Label Security, OLAP, Data Mining
Using Database Vault, we will set up security so that even a privileged user like SYSTEM is not able to access any tables owned by the schema HR.
Connect as the Database Vault owner, dvo.
TEST THE SAME BY CONNECTING AS SYSTEM AND TRYING TO ACCESS ANY TABLES OWNED BY HR
vaultdb:/u02/oracle/10.2/install> sqlplus system/oracle
SQL*Plus: Release 10.2.0.3.0 - Production on Wed Oct 8 13:28:18 2008
Copyright (c) 1982, 2006, Oracle. All Rights Reserved.
Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 - 64bit Production
With the Partitioning, Oracle Label Security, OLAP, Data Mining
and Oracle Database Vault options
SQL> select * from hr.regions;
select * from hr.regions
*
ERROR at line 1:
ORA-01031: insufficient privileges
HOWEVER, THE SYSTEM USER CAN STILL ACCESS TABLES IN SCHEMAS OTHER THAN HR
SQL> select count(*) from sh.sales;
  COUNT(*)
----------
    918843
DATABASE VAULT ALSO TRACKS AND REPORTS ANY SECURITY VIOLATIONS THAT HAVE OCCURRED
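The realm that produces the behaviour shown in Case 1 (SYSTEM blocked from HR objects, other schemas untouched, violations audited) can be created with the DBMS_MACADM package. The block below is an added example, not code from the original document: it is run as the Database Vault owner (dvo), and the realm name, description and authorization of HR as realm owner are assumptions chosen for illustration.

```sql
-- Added example (not from the original document). Run as the Database Vault
-- owner (dvo). Realm name and description are illustrative choices.
BEGIN
  -- Create the realm and audit every failed access attempt against it
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR Data Realm',
    description   => 'Protects every object owned by HR from privileged users',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);

  -- Place all objects of all types owned by HR inside the realm
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR Data Realm',
    object_owner => 'HR',
    object_name  => '%',
    object_type  => '%');

  -- Only realm participants/owners may use system privileges (such as
  -- SELECT ANY TABLE) against realm objects. HR is authorized as owner;
  -- SYSTEM is deliberately not authorized, which is what blocks it.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'HR Data Realm',
    grantee       => 'HR',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_OWNER);
END;
/

-- Verify the realm definition through the DVSYS data-dictionary views
SELECT name, enabled
  FROM DVSYS.DBA_DV_REALM
 WHERE name = 'HR Data Realm';

SELECT owner, object_name, object_type
  FROM DVSYS.DBA_DV_REALM_OBJECT
 WHERE realm_name = 'HR Data Realm';

-- Failed attempts (e.g. SYSTEM selecting from HR.REGIONS) land in the
-- Database Vault audit trail; column names as documented for 10gR2,
-- confirm with DESCRIBE DVSYS.AUDIT_TRAIL$ on your release.
SELECT username, userhost, action_name, realm_name
  FROM DVSYS.AUDIT_TRAIL$
 WHERE realm_name = 'HR Data Realm'
 ORDER BY timestamp DESC;
```

Objects outside the realm (SH.SALES in the document) are unaffected because realm checks apply only to objects registered in the realm; a grant made directly on an HR table still works, since the realm only blocks access that relies on system privileges. Review the audit trail after each test so that the ORA-01031 seen by SYSTEM can be matched to a recorded realm violation.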
CASE 2
In the second case study we will set up security using Database Vault so that any DELETE operation on a certain table can ONLY BE PERFORMED IF YOU CONNECT FROM A CLIENT MACHINE WITH A PARTICULAR IP ADDRESS. This prevents unauthorized access to data stored in sensitive tables.
While creating the RULE SET, we will provide the IP ADDRESS of the particular client machine to which we want to restrict connections.
NEXT WE ASSOCIATE THE RULE SET WE JUST CREATED WITH A PARTICULAR COMMAND; IN OUR CASE THE COMMAND IS DELETE
TEST THE SAME BY CONNECTING AS SYSTEM FROM A SQL*PLUS SESSION DIRECTLY FROM THE SERVER
vaultdb:/u02/oracle/10.2/install> sqlplus system/oracle
SQL*Plus: Release 10.2.0.3.0 - Production on Wed Oct 8 14:48:56 2008
Copyright (c) 1982, 2006, Oracle. All Rights Reserved.
Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 - 64bit Production
With the Partitioning, Oracle Label Security, OLAP, Data Mining
and Oracle Database Vault options
SQL> delete sh.sales where rownum < 10;
delete sh.sales where rownum < 10
*
ERROR at line 1:
ORA-01031: insufficient privileges
ON THE CLIENT MACHINE THAT HAS BEEN GRANTED ACCESS, CONFIGURE A LOCAL TNSNAMES.ORA ENTRY FOR THE VAULTDB DATABASE AND CONNECT AS THE USER SYSTEM
NOTE THAT SINCE WE ARE CONNECTING TO THE DATABASE FROM A CLIENT THAT THE DATABASE VAULT RULE SET ALLOWS, THE DELETE OPERATION ON THE SALES TABLE CAN BE PERFORMED
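The rule set and command rule behind Case 2 can be scripted instead of being built in the Database Vault web application. The following is an added example, not code from the original document: it runs as the Database Vault owner (dvo); the rule and rule-set names are illustrative, and 192.0.2.10 is a placeholder for the authorized client's address. The rule set is configured to fail silently so that a refused DELETE reports the generic ORA-01031 shown in the document rather than a custom message.

```sql
-- Added example (not from the original document). Run as the Database Vault
-- owner (dvo). 192.0.2.10 is a placeholder for the authorized client address.
BEGIN
  -- Rule: true only when the session's client IP matches the authorized host.
  -- DVF.F$CLIENT_IP is the built-in Client_IP factor, which Database Vault
  -- derives from SYS_CONTEXT('USERENV', 'IP_ADDRESS').
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Connected From Authorized Client',
    rule_expr => 'DVF.F$CLIENT_IP = ''192.0.2.10''');

  -- Rule set: all rules must be true; failures are audited and reported
  -- silently, so the caller sees ORA-01031 instead of a custom message.
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Authorized Client Only',
    description     => 'True only for sessions from the authorized client machine',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SILENT,
    fail_message    => NULL,
    fail_code       => NULL,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);

  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Authorized Client Only',
    rule_name     => 'Connected From Authorized Client');

  -- Command rule: DELETE against SH.SALES is permitted only when the rule
  -- set evaluates to true, whatever system privileges the user holds.
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'DELETE',
    rule_set_name => 'Authorized Client Only',
    object_owner  => 'SH',
    object_name   => 'SALES',
    enabled       => DBMS_MACUTL.G_YES);
END;
/

-- Check what the factor returns in the session you intend to authorize.
-- A local bequeath session (sqlplus on the server, no listener) returns NULL,
-- which is why the server-side DELETE in the document is refused.
SELECT DVF.F$CLIENT_IP AS client_ip FROM dual;

-- Review the command rule and any audited DELETE refusals
SELECT command, object_owner, object_name, rule_set_name, enabled
  FROM DVSYS.DBA_DV_COMMAND_RULE
 WHERE object_owner = 'SH' AND object_name = 'SALES';

SELECT username, userhost, action_name, rule_set_name
  FROM DVSYS.AUDIT_TRAIL$
 WHERE rule_set_name = 'Authorized Client Only'
 ORDER BY timestamp DESC;
```

Two operational points follow from the factor used here. First, the rule trusts the source address the listener sees, so it is only as strong as the network path (NAT, proxies and connection brokers all present their own address); for a sensitive table it is usual to combine the address with a second factor, for example DVF.F$SESSION_USER, in the same rule set. Second, because local connections yield a NULL client IP, a DBA logged on at the server is refused as well; if that is not intended, the rule expression must say so explicitly rather than relying on the address alone.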
-lncrypt10 -lnsgr10 -lnzjs10 -ln10 -lnnz10 -lnl10 -lnzjs10 -lnro10 `sed -e 's/-ljava//g' /u02/oracle/10.2/lib/ldflags`
-lncrypt10 -lnsgr10
-lnzjs10 -ln10 -lnnz10 -lnl10 -lnzjs10 -lclient10 -lvsn10 -lcommon10 -lgeneric10 -lpls10 -lsnls10 -lnls10 -lcore10 -lsnls10 -lnls10 -lcore10
-lsnls10 -lnls10 -lxml10 -lcore10 -lunls10 -lsnls10 -lnls10 -lcore10 -lnls10 -lclient10 -lvsn10 -lcommon10 -lgeneric10 -lsnls10 -lnls10
-lcore10 -lsnls10 -lnls10 -lcore10 -lsnls10 -lnls10 -lxml10 -lcore10 -lunls10 -lsnls10 -lnls10 -lcore10 -lnls10 -lserver10 `if /bin/ar -X64 tv
/u02/oracle/10.2/rdbms/lib/libknlopt.a | grep "kxmnsd.o" > /dev/null 2>&1 ; then echo " " ; else echo "-lordsdo10"; fi` -lctxc10 -lctx10 -lzx10
-lgx10 -lctx10 -lzx10 -lgx10 -lordimt10 -lsnls10 -lnls10 -lcore10 -lsnls10 -lnls10 -lcore10 -lsnls10 -lnls10 -lxml10 -lcore10 -lunls10 -lsnls10
-lnls10 -lcore10 -lnls10 -lsnls10 -lunls10 -bE:/u02/oracle/10.2/rdbms/lib//libcorejava.exp -lld -lm `cat /u02/oracle/10.2/lib/sysliblist` -lm `if
[ "\`/usr/bin/uname -v\`" = "4" ]; \
then echo "-bI:/u02/oracle/10.2/lib/pw-syscall.exp"; fi;` `if /bin/ar -X64 t /u02/oracle/10.2/rdbms/lib/libknlopt.a | grep '^'kcsm.o > /dev/null
2>&1 ; then echo "-lha_gs_r -lha_em_r -lpthreads"; fi` -locijdbcst10 -lwwg -bpT:0x100000000 -bpD:0x110000000 bforceimprw
ld: 0711-783 WARNING: TOC overflow. TOC size: 142864 Maximum size: 65536
Extra instructions are being generated for each reference to a TOC
symbol if the symbol is in the TOC overflow area.
mv -f /u02/oracle/10.2/bin/oracle /u02/oracle/10.2/bin/oracleO
mv /u02/oracle/10.2/rdbms/lib/oracle /u02/oracle/10.2/bin/oracle
chmod 6751 /u02/oracle/10.2/bin/oracle
vaultdb:/u02/oracle/10.2/bin> sqlplus system/oracle
SQL*Plus: Release 10.2.0.3.0 - Production on Wed Oct 8 15:20:04 2008
Copyright (c) 1982, 2006, Oracle. All Rights Reserved.
Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 - 64bit Production
With the Partitioning, OLAP and Data Mining options