
ORACLE DATABASE VAULT

ORACLE DATABASE VAULT. Đỗ Phước Hậu 50800617 Trương Quốc Khánh 51001496. Contents. Introducing Oracle Database Vault. What is Oracle Database Vault? Components of Oracle Database Vault. Install ODV 11g Release 2. HOWTO use a Realm to secure Data Access from DBA access.

nell-cantu

Presentation Transcript


  1. ORACLE DATABASE VAULT
     Đỗ Phước Hậu 50800617
     Trương Quốc Khánh 51001496
     Oracle Database Vault

  2. Contents
     • Introducing Oracle Database Vault
     • What is Oracle Database Vault?
     • Components of Oracle Database Vault
     • Install ODV 11g Release 2
     • HOWTO use a Realm to secure Data Access from DBA access
     • HOWTO use Command Rules to secure User Activity
     • HOWTO use Rule Sets, Factors, and Secure Application Roles

  3. Contents
     • HOWTO Use Reports in DV
     • HOWTO Disable and Enable DV
     • HOWTO Better Understand DV's Impact on Performance

  4. Introducing Oracle Database Vault
     • What is Oracle Database Vault?
     • Components of Oracle Database Vault

  5. What is Oracle Database Vault?
     • Oracle Database Vault (DV) was introduced in Oracle 10gR2, 11g and 9iR2.
     • DV restricts access to specific areas in an Oracle database from any user.
     • Enables you to apply access control to your sensitive data.
     • Protects your data from super-privileged users but still lets them maintain your Oracle databases.

  6. What is Oracle Database Vault?
     • Helps to address the most difficult security problems: protecting against insider threats, meeting regulatory compliance requirements, and enforcing separation of duty.
     • Manages the security of an individual Oracle Database instance.

  7. Components of Oracle Database Vault
     Oracle Database Vault has the following components:
     ■ Oracle Database Vault Access Control Components
     ■ Oracle Database Vault Administrator (DVA)
     ■ Oracle Database Vault Configuration Assistant (DVCA)
     ■ Oracle Database Vault DVSYS and DVF Schemas
     ■ Oracle Database Vault PL/SQL Interfaces and Packages
     ■ Oracle Database Vault and Oracle Label Security PL/SQL APIs
     ■ Oracle Database Vault Reporting and Monitoring Tools

  8. Oracle Database Vault Access Control Components
     • Realms: a functional grouping of database schemas, objects, and roles that must be secured.
     • Command rules: a special rule that you can create to control how users can execute almost any SQL statement, including SELECT, ALTER SYSTEM, data definition language (DDL), and data manipulation language (DML) statements.

  9. Oracle Database Vault Access Control Components
     • Factors: a named variable or attribute, such as a user location, database IP address, or session user, which Oracle Database Vault can recognize and secure.
     • Rule sets: a collection of one or more rules that you can associate with a realm authorization, command rule, factor assignment, or secure application role.
     • Secure application roles: a special Oracle Database role that can be enabled based on the evaluation of an Oracle Database Vault rule set.

  10. Oracle Database Vault Administrator (DVA)
     • A Java application that is built on top of the Oracle Database Vault PL/SQL application programming interfaces (API).
     • Allows security managers who may not be proficient in PL/SQL to configure the access control policy through a user-friendly interface.
     • Provides an extensive collection of security-related reports that assist in understanding the baseline security configuration.

  11. Oracle Database Vault Access Control Components
     • Oracle Database Vault Configuration Assistant (DVCA): used to perform maintenance tasks on your Oracle Database Vault installation.
     • Oracle Database Vault DVSYS and DVF Schemas: the DVSYS schema stores the database objects needed to process Oracle data for Oracle Database Vault; it contains the roles, views, accounts, functions, and other database objects that Oracle Database Vault uses. The DVF schema contains public functions to retrieve (at run time) the factor values set in the Oracle Database Vault access control configuration.

  12. Oracle Database Vault Access Control Components
     • Oracle Database Vault PL/SQL Interfaces and Packages: allow security managers or application developers to configure the access control policy as required.
     • Oracle Database Vault and Oracle Label Security PL/SQL APIs: enable the security manager to define a label security policy and apply it to database objects.
     • Oracle Database Vault Reporting and Monitoring Tools: generate reports on the various activities that Oracle Database Vault monitors.

  13. HOWTO install Oracle Database Vault
     • In Oracle 11gR2, all options are already installed; you only need to enable them as follows:
     • Open a Command Prompt, then go to [Oracle Database Homes]/bin
     • Type:
     • chopt enable lbac
     • chopt enable dv

  14. HOWTO install Oracle Database Vault

  15. HOWTO install Oracle Database Vault
     • Then configure the options using dbca:

  16. HOWTO install Oracle Database Vault
     • After completion of this, the "Database Vault" option will be available:

  17. HOWTO install Oracle Database Vault
     • Log in to Oracle Database Vault

  18. HOWTO use a Realm to secure Data Access from DBA access.
     • Let's use SCOTT.EMP, which has salary information in it. Before we define a realm, DBAs have access to this table, for example:

  19. HOWTO use a Realm to secure Data Access from DBA access.

  20. HOWTO use a Realm to secure Data Access from DBA access.

  21. HOWTO use a Realm to secure Data Access from DBA access.

  22. HOWTO use a Realm to secure Data Access from DBA access.

  23. HOWTO use a Realm to secure Data Access from DBA access.

  24. HOWTO use a Realm to secure Data Access from DBA access.

  25. HOWTO use a Realm to secure Data Access from DBA access.

  26. HOWTO use a Realm to secure Data Access from DBA access.
     • Logged on as SYSTEM, you will no longer be able to access the data:

  27. HOWTO use a Realm to secure Data Access from DBA access.
     • Connect as SCOTT and issue this query, and you will have access:

  28. More on Realms
     • Realms can contain a larger set of objects: a schema, a group of roles, or a group of objects with which you want to associate a security policy. Example: by associating a role with a realm, you can ensure that only you can assign this role and that a DBA can't grant it.

  29. More on Realms
     • Allows you to define who the realm owners are.
     • Realm participants can use their system privileges to access a realm-protected object.

  30. More on Realms
     • DV includes a number of prebuilt realms:
     • DV Account Management Realm: the most important realm; it limits who can manage and create database accounts.
     • DV Realm: protects the DV schemas (DVSYS, DVF, and LBACSYS).
     • Oracle Data Dictionary Realm: protects the catalog, the SYS schema, and the SYSTEM schema.
     • Oracle Enterprise Manager Realm: protects SYSMAN and DBSNMP.

  31. HOWTO use Command Rules to secure User Activity.
     • A command rule is a definition that can be used to protect any activity on any object in the database.
     • It is based on a security policy phrased within a rule.
     • A command rule is evaluated after the realm is checked and only if the realm check succeeds.
     • DV checks all relevant command rules, and the action is allowed only if they all evaluate to true.
     • Command rules override regular object privileges.

  32. HOWTO use Command Rules to secure User Activity.
     • Example 1:
     • Build a command rule that disables the ability to update the SCOTT.EMP table.

  33. HOWTO use Command Rules to secure User Activity.

  34. HOWTO use Command Rules to secure User Activity.

  35. HOWTO use Command Rules to secure User Activity.

  36. HOWTO use Command Rules to secure User Activity.
     • Now, SCOTT can insert into this table but can't update:

  37. HOWTO use Command Rules to secure User Activity.
     • Example 2:
     • Allow UPDATEs only if the connection is made locally over a bequeath session (BEQ).

  38. HOWTO use Command Rules to secure User Activity.

  39. HOWTO use Command Rules to secure User Activity.

  40. HOWTO use Command Rules to secure User Activity.

  41. HOWTO use Command Rules to secure User Activity.

  42. HOWTO use Command Rules to secure User Activity.

  43. HOWTO use Command Rules to secure User Activity.

  44. HOWTO use Command Rules to secure User Activity.

  45. HOWTO use Command Rules to secure User Activity.

  46. HOWTO use Command Rules to secure User Activity.

  47. HOWTO use Command Rules to secure User Activity.

  48. HOWTO use Command Rules to secure User Activity.
     • Log in to the database as SCOTT using a BEQ connection

  49. HOWTO use Command Rules to secure User Activity.
     • Log in to the database as SCOTT using a listener connection (TCP connection)

  50. HOWTO use Command Rules to secure User Activity.
     • DV provides a set of PL/SQL procedures that can be used to create these constructs.
     • These are part of the DBMS_MACADM package within the DVSYS schema.
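
The realm around SCOTT.EMP and the two command rule examples above, written as DBMS_MACADM calls. This is an added example, not code from the presentation: the realm, rule and rule set names are assumptions, and it assumes an account holding DV_OWNER or DV_ADMIN.

```sql
-- Added example; run as an account holding DV_OWNER or DV_ADMIN.
-- 'EMP Salary Realm', 'Is BEQ Session', 'Local Updates Only' are assumed names.
BEGIN
  -- Realm around SCOTT.EMP: SYSTEM's ANY-table privileges no longer reach it.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'EMP Salary Realm',
    description   => 'Protects SCOTT.EMP from privileged accounts',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);
  DBMS_MACADM.ADD_OBJECT_TO_REALM('EMP Salary Realm', 'SCOTT', 'EMP', 'TABLE');

  -- Example 1: the built-in 'Disabled' rule set always evaluates to false,
  -- so UPDATE on SCOTT.EMP is refused while INSERT still works.
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'UPDATE',
    rule_set_name => 'Disabled',
    object_owner  => 'SCOTT',
    object_name   => 'EMP',
    enabled       => DBMS_MACUTL.G_YES);

  -- Example 2: a rule that is true only for a bequeath (BEQ) session.
  -- Assumes NETWORK_PROTOCOL reports 'beq' for such sessions.
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Is BEQ Session',
    rule_expr => 'UPPER(SYS_CONTEXT(''USERENV'',''NETWORK_PROTOCOL'')) = ''BEQ''');
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Local Updates Only',
    description     => 'UPDATE allowed only over a BEQ connection',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'UPDATE on SCOTT.EMP requires a local session',
    fail_code       => 20001,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);
  DBMS_MACADM.ADD_RULE_TO_RULE_SET('Local Updates Only', 'Is BEQ Session');

  -- Repoint the UPDATE command rule from Example 1 at the new rule set.
  DBMS_MACADM.UPDATE_COMMAND_RULE(
    command       => 'UPDATE',
    rule_set_name => 'Local Updates Only',
    object_owner  => 'SCOTT',
    object_name   => 'EMP',
    enabled       => DBMS_MACUTL.G_YES);
END;
/
-- Review what is now enforced on SCOTT.EMP.
SELECT command, rule_set_name, enabled FROM dvsys.dba_dv_command_rule
 WHERE object_owner = 'SCOTT' AND object_name = 'EMP';
```

With G_RULESET_AUDIT_FAIL and G_REALM_AUDIT_FAIL set, refused UPDATEs and realm violations are written to the Database Vault audit trail, which gives reviewers a record of blocked privileged access.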
