Using the Data Pump tool with Oracle Vault

Source: Internet
Author: User
Oracle Vault is a complete O&M (operations and maintenance) security framework from Oracle, and a good option for many O&M organizations.

The principle of Oracle Vault is the separation of security responsibilities. Where the database administrator sys originally held the security responsibilities, the dbvowner and dbvaccount manager accounts now become the security configuration center. On top of that, security zones (realms) are set up around behaviors and data areas, and additional security policies are adopted to shield data from administrators.

Note: The starting point of Vault is an important consideration when selecting it. Security threats are categorized and multilevel. Oracle Vault is a set of constraints with which an O&M organization restricts its administrators and security personnel.

Although the database administrator can perform management tasks, the database administrator cannot access specific sensitive areas. Although security personnel have security authorization capabilities, they do not have the administrator's data authorization (system permissions and data permissions) and cannot access sensitive data.

There are some loopholes in this separation. For example, the administrator could change the security officer's password to obtain the security officer's permissions. For this reason, installing Oracle Vault also creates some default realms and command rules that strictly restrict administrators.

In addition, the administrator carries out daily operations with tools such as DB Control, Data Pump, and Recovery Manager, all of which risk touching the security rules. What does Oracle do in this case? This article starts with the Data Pump operation and discusses it briefly.

1. Data Pump and Vault

Oracle Data Pump (Data Pump) is a data backup management tool introduced with Oracle 10g. As the evolution of Exp/Imp, Data Pump provides better support for Oracle's newer features and functions. It also has a unique advantage in operations on massive data volumes.

If we study the Data Pump operation process carefully, we find that a Data Pump import is not a single operation but a collection of actions. For example, when importing data in schema mode, if the target database does not have the user, the user is created during the Data Pump run. This step is simply the execution of an ordinary create user xxx statement.

Therefore, exporting and importing data is a process that combines multiple permissions (system permissions). This is why the permissions for importing and exporting databases in Oracle are two role permissions (Import/Export Full Database).

Therefore, if the administrator (backup operator) needs to import and export sensitive data, the operation will touch sensitive information. How do we configure this in an Oracle Vault environment?

2. Default behavior configuration

This experiment uses Oracle 11gR2, and the Vault component has already been configured for the database. The scott data is protected so that even the sys administrator cannot access it.

SQL> show user;

User is "SYS"

SQL> select count(*) from scott.emp;

select count(*) from scott.emp

ORA-01031: insufficient privileges

Create a directory object and export data.

[oracle@SimpleLinux ~]$ cd /dumps/

[oracle@SimpleLinux dumps]$ ls -l

total 0

Create the directory object dumps in Oracle, then try to export.

[oracle@SimpleLinux dumps]$ expdp \"/ as sysdba\" directory=dumps schemas=scott dumpfile=scottvault.dmp

Export: Release 11.2.0.4.0 - Production on Fri Apr 4 15:21:30 2014

Copyright (c) 1982, 2011, Oracle and/or its affiliates. All rights reserved.

Connected to: Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - Production

(Omitted for space reasons ......)

Processing object type SCHEMA_EXPORT/TABLE/CONSTRAINT/REF_CONSTRAINT

ORA-39127: unexpected error from call to export_string: = SYS. Loads ('aq $ _ mgmt_policy_qtable_s ', 'sysmanc', 1, 1, '11. 02.0000004.00', newblock)

ORA-01031: insufficient privileges

ORA-06512: at "SYS.DBMS_TRANSFORM_EXIMP", line 197

ORA-06512: at line 1

ORA-06512: at "SYS.DBMS_METADATA", line 9876

ORA-39127: unexpected error from call to export_string: = SYS. Loads ('aq $ _ MGMT_LOADER_QTABLE_S ', 'sysmanc', '11. 02.0000004.00', newblock)

ORA-01031: insufficient privileges

ORA-06512: at "SYS.DBMS_TRANSFORM_EXIMP", line 197

ORA-06512: at line 1

ORA-06512: at "SYS.DBMS_METADATA", line 9876

Processing object type SCHEMA_EXPORT/POST_SCHEMA/PROCACT_SCHEMA

ORA-31693: Table data object "SCOTT"."DEPT" failed to load/unload and is being skipped due to error:

ORA-02354: error in exporting/importing data

ORA-28116: insufficient privileges to do direct path access

ORA-31693: Table data object "SCOTT"."EMP" failed to load/unload and is being skipped due to error:

ORA-02354: error in exporting/importing data

ORA-28116: insufficient privileges to do direct path access

ORA-31693: Table data object "SCOTT"."SALGRADE" failed to load/unload and is being skipped due to error:

ORA-02354: error in exporting/importing data

ORA-28116: insufficient privileges to do direct path access

. . exported "SCOTT"."BONUS" 0 KB 0 rows

Master table "SYS"."SYS_EXPORT_SCHEMA_01" successfully loaded/unloaded

******************************************************************************

Dump file set for SYS.SYS_EXPORT_SCHEMA_01 is:

/dumps/scottvault.dmp

Job "SYS"."SYS_EXPORT_SCHEMA_01" completed with 5 error(s) at Fri Apr 4 15:22:22 2014 elapsed 0 00:00:41

From the error messages, we can see that Data Pump essentially works by calling a series of package methods to export the data. The sys user has the permission to export data, but by default an error is returned whenever the export touches sensitive information.
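The log above can also be checked mechanically after each export. The following is an added example, not part of the original article: a small parser for expdp logs in the format shown above that lists which tables were skipped, with which ORA error chain, and which protected tables still appear as exported. The sample log is constructed from the output above, and the function names and the `protected` set are assumptions made for illustration.

```python
import re

# Constructed sample: excerpt of an expdp log in the format shown in this article.
SAMPLE_LOG = '''\
Processing object type SCHEMA_EXPORT/TABLE/CONSTRAINT/REF_CONSTRAINT
ORA-31693: Table data object "SCOTT"."DEPT" failed to load/unload and is being skipped due to error:
ORA-02354: error in exporting/importing data
ORA-28116: insufficient privileges to do direct path access

ORA-31693: Table data object "SCOTT"."EMP" failed to load/unload and is being skipped due to error:
ORA-02354: error in exporting/importing data
ORA-28116: insufficient privileges to do direct path access
. . exported "SCOTT"."BONUS"                                 0 KB       0 rows
Job "SYS"."SYS_EXPORT_SCHEMA_01" completed with 5 error(s) at Fri Apr 4 15:22:22 2014 elapsed 0 00:00:41
'''

SKIPPED = re.compile(r'^ORA-31693: Table data object "([^"]+)"\."([^"]+)" failed')
EXPORTED = re.compile(r'^\. \. exported\s+"([^"]+)"\."([^"]+)"\s+[\d.]+ \w+\s+(\d+) rows')
ORA = re.compile(r'^(ORA-\d{5}):')
JOB = re.compile(r'^Job .* completed with (\d+) error\(s\)')

def parse_expdp_log(text):
    """Collect skipped tables (with their ORA error chain), exported tables and job status."""
    result = {"skipped": {}, "exported": {}, "job_errors": None}
    current = None  # table whose error chain is being collected
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue  # blank lines do not end an error chain
        if m := SKIPPED.match(line):
            current = f"{m.group(1)}.{m.group(2)}"
            result["skipped"][current] = []
        elif (m := ORA.match(line)) and current:
            result["skipped"][current].append(m.group(1))
        else:
            current = None  # ORA lines outside a skipped-table chain are ignored
            if m := EXPORTED.match(line):
                result["exported"][f"{m.group(1)}.{m.group(2)}"] = int(m.group(3))
            elif m := JOB.match(line):
                result["job_errors"] = int(m.group(1))
    return result

def vault_blocked(parsed):
    """Tables skipped with ORA-28116, the error shown above for the protected scott tables."""
    return sorted(t for t, errs in parsed["skipped"].items() if "ORA-28116" in errs)

def exported_protected(parsed, protected):
    """Protected tables that still appear as exported, with their row counts, for review."""
    return {t: n for t, n in parsed["exported"].items() if t in protected}
```

Any entry returned by `exported_protected` with a non-zero row count means rows of a protected table reached the dump file and the protection should be reviewed.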
