Security is a critical consideration for information systems. With the explosion of information in recent years, data leaks around the world have drawn wide attention: without data security there is no sustained trust from customers, and an enterprise has no room to survive.
Security threats cover a broad scope and are made up of many factors, such as the widespread internet attacks by external hackers. According to statistics, however, the vast majority of situations our company faces are internal threats to data. Much confidential and private data is not stolen by the "ubiquitous" hacker but leaked by "moles" in the O&M department, the development department, and the business departments.
Internal security is actually a contradictory, non-technical issue. If data is not released to internal personnel, a lot of work cannot be done. If data is opened to internal personnel, especially staff of third-party service providers, its security is not guaranteed.
Of course, many organizations have tried ways to deal with such problems. Legal confidentiality agreements and multi-layer approval mechanisms, for example, can only alleviate the problem to a certain extent. One of the most useful methods is separation of duties, with one person holding one role: each person assumes only a single role, and that role covers only one part of the whole process of data access. The risk of a leak by a single employee remains high, but the risk that every point in the entire workflow, or even the entire team, leaks together is greatly reduced.
As the most mature commercial database, Oracle Database offers many security O&M tools to its large user base while keeping its core functions stable. At the data layer, Oracle has three technologies: Virtual Private Database (VPD), Label Security, and Oracle Database Vault. VPD is mainly used to add data access restrictions that meet access requirements at the application layer. Label Security is, to some extent, an extended upgrade of VPD. Vault separates the security responsibilities of the Oracle database: it detaches data security responsibilities from ordinary users and even from sys, and distributes fine-grained security responsibilities.
1. Oracle Vault Overview
Oracle Database Vault is one of Oracle's officially recommended security policies and is mainly used for data protection in O&M organizations. In the traditional sense, Oracle security is a "sys God" master model. Although we have various system, role, and object privileges, and although various security manuals require us to use non-sys users for maintenance work, many database administrators still use sys for all work. Some data protection technologies, such as VPD, can implement data-level control, but they are ineffective against sys.
More importantly, once an ANY-class system privilege such as SELECT ANY TABLE is granted, the user effectively controls data access to all tables. This is a very arbitrary practice with huge potential risk.
Under the "sys God" model, such a situation cannot be controlled. Some O&M operations, such as data backup, import and export, cannot avoid advanced access privileges. "If you don't do it, you don't have to worry" is the current situation of many O&M institutions.
Oracle Database Vault provides an option to reduce the privileges of the sys user. As an optional component of Oracle Database, Vault requires additional file linking, registration, and installation. After Vault is installed, Oracle creates a brand new user, dbvowner, and the original sys user's control over some data operations and access permissions is reduced.
Vault has three core elements: Realm, Factor, and Rule. They restrict or protect specific objects from multiple aspects, such as data objects and operation commands.
This series describes how to install, configure, and use Oracle Database Vault. First, we introduce how to install Vault.
2. Oracle Vault prerequisites
By default, Vault is not installed in Enterprise Edition. We need to manually relink the Oracle binary with the option and install it before it can be used.
We use Oracle 11gR2 for testing; the version is 11.2.0.4.
SQL> select * from v$version;
BANNER
--------------------------------------------------------------------------------
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - Production
PL/SQL Release 11.2.0.4.0 - Production
CORE    11.2.0.4.0      Production
TNS for Linux: Version 11.2.0.4.0 - Production
NLSRTL Version 11.2.0.4.0 - Production
Check whether Vault is currently installed by querying the v$option view.
SQL> select * from v$option where parameter like '%Vault%';
PARAMETER                      VALUE
------------------------------ -----
Oracle Database Vault          FALSE
Shut down the database, the listener, and DB Console before the installation and configuration.
-- Listener
[oracle@SimpleLinux ~]$ lsnrctl stop
LSNRCTL for Linux: Version 11.2.0.4.0 - Production on 07-APR-2014 12:41:34
Copyright (c) 1991, 2013, Oracle.  All rights reserved.
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=SimpleLinux)(PORT=1521)))
The command completed successfully
-- Console
[oracle@SimpleLinux ~]$ emctl stop dbconsole
Oracle Enterprise Manager 11g Database Control Release 11.2.0.4.0
Copyright (c) 1996, 2013 Oracle Corporation.  All rights reserved.
https://SimpleLinux:1158/em/console/aboutApplication
Stopping Oracle Enterprise Manager 11g Database Control ...
 ...  Stopped.
-- Database Server
SQL> shutdown immediate;
Database closed.
Database dismounted.
ORACLE instance shut down.
3. Component Compilation
Oracle Database Vault depends on Label Security, and both options must be linked into the Oracle binary at the operating system level. On Linux/Unix, use make to relink the binary with both options turned on.
[oracle@SimpleLinux lib]$ cd $ORACLE_HOME/rdbms/lib
[oracle@SimpleLinux lib]$ make -f ins_rdbms.mk dv_on lbac_on ioracle
/usr/bin/ar d /u01/app/oracle/rdbms/lib/libknlopt.a kzvndv.o
/usr/bin/ar cr /u01/app/oracle/rdbms/lib/libknlopt.a /u01/app/oracle/rdbms/lib/kzvidv.o
/usr/bin/ar d /u01/app/oracle/rdbms/lib/libknlopt.a kzlnlbac.o
/usr/bin/ar cr /u01/app/oracle/rdbms/lib/libknlopt.a /u01/app/oracle/rdbms/lib/kzlilbac.o
chmod 755 /u01/app/oracle/bin
 - Linking Oracle
rm -f /u01/app/oracle/rdbms/lib/oracle
gcc -o /u01/app/oracle/rdbms/lib/oracle -m32 -z noexecstack -L/u01/app/oracle/rdbms/lib/ -L/u01/app/oracle/lib/ -L/u01/app/oracle/lib/stubs/ -L/u01/app/oracle/lib/ -lirc -lipgo -Wl,-E /u01/app/oracle/rdbms/lib/opimai.o
(omitted for space ...)
-L/u01/app/oracle/lib
test ! -f /u01/app/oracle/bin/oracle ||\
   mv -f /u01/app/oracle/bin/oracle /u01/app/oracle/bin/oracleO
mv /u01/app/oracle/rdbms/lib/oracle /u01/app/oracle/bin/oracle
chmod 6751 /u01/app/oracle/bin/oracle
Note: on Exadata, if the storage is accessed over the IPC protocol, the ipc_rds protocol module must also be added when relinking. On Windows, the file oradv11.dll.dbl in the $ORACLE_HOME/bin directory is renamed to oradv11.dll instead.
Then restart the listener and the database server.
[oracle@SimpleLinux lib]$ lsnrctl start
SQL> conn / as sysdba
Connected to an idle instance.
SQL> startup
ORACLE instance started.
Total System Global Area  372449280 bytes
Fixed Size                  1364732 bytes
Variable Size             281021700 bytes
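A pre-flight check for the relink procedure above, added here as an example and not part of the original article or of Oracle's tooling. It reads the member list of libknlopt.a (the archive the make target modifies) to report whether Vault and Label Security are currently linked in, and refuses to proceed while the instance or listener is still running. The function names, the default SID "orcl", and the use of pgrep are assumptions; the object file names are the ones shown in the make output.

```shell
#!/bin/sh
# Added example: check link state and shutdown state before running
# "make -f ins_rdbms.mk dv_on lbac_on ioracle". Not part of the original page.
set -u

# Classify the members of libknlopt.a read from stdin ("ar t" output).
# kzvidv.o / kzlilbac.o mean the option is linked in ("on");
# kzvndv.o / kzlnlbac.o mean it is linked out ("off").
# Prints "vault=<state> lbac=<state>".
classify_members() {
    vault=unknown; lbac=unknown
    while read -r member; do
        case "$member" in
            kzvidv.o)   vault=on ;;
            kzvndv.o)   vault=off ;;
            kzlilbac.o) lbac=on ;;
            kzlnlbac.o) lbac=off ;;
        esac
    done
    printf 'vault=%s lbac=%s\n' "$vault" "$lbac"
}

# Return 0 only when it is safe to relink: no pmon process for the given
# SID (instance shut down) and no tnslsnr process (listener stopped).
relink_safe() {
    sid=$1
    if pgrep -f "ora_pmon_$sid" >/dev/null 2>&1; then
        echo "instance $sid is still running: run 'shutdown immediate' first" >&2
        return 1
    fi
    if pgrep -x tnslsnr >/dev/null 2>&1; then
        echo "listener is still running: run 'lsnrctl stop' first" >&2
        return 1
    fi
    return 0
}

# Only act when an ORACLE_HOME with the option archive is present.
if [ "${ORACLE_HOME:-}" ] && [ -f "$ORACLE_HOME/rdbms/lib/libknlopt.a" ]; then
    echo "current link state: $(ar t "$ORACLE_HOME/rdbms/lib/libknlopt.a" | classify_members)"
    if relink_safe "${ORACLE_SID:-orcl}"; then
        echo "safe to run: cd \$ORACLE_HOME/rdbms/lib && make -f ins_rdbms.mk dv_on lbac_on ioracle"
    fi
fi
```

Run it again after the relink and startup: the archive should then report vault=on lbac=on, matching the v$option check at the start of the procedure.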