Oracle Component: Vault

Source: Internet
Author: User
Tags: administrator password

http://www.linuxidc.com/Linux/2014-05/101108p2.htm

Oracle Database Vault

Overview
For information systems, security is a critical consideration. In recent years a series of worldwide data-leakage incidents has drawn widespread concern: without data security there is no lasting customer trust, and without that trust a business has no room to survive.

Security threats are broad in scope and arise from many factors, the most widely discussed being external network attacks by hackers. Statistics show, however, that most of the situations our enterprises actually face are threats to data from the inside. Much confidential and private data is not stolen by the "ubiquitous" hacker but is leaked by "demons" inside operations, development, and business units.

The internal security problem is really a very contradictory "non-technical" problem. A great deal of work cannot be done unless insiders are given access to the data; but once data is opened to internal personnel, and especially to third-party service providers, its safety is no longer guaranteed.

Of course, many organizations have tried methods to deal with such problems, such as legal confidentiality agreements and multi-level approval mechanisms, but these only alleviate the problem to some extent. A method commonly considered useful is separation of duties with single-valued roles: a person in a post assumes only a single responsibility and touches the data at only one link in the whole process. The risk that a single worker leaks data remains high, but the risk that every point on the workflow, or even the entire team, is compromised is greatly reduced.

Oracle Database, as the most mature commercial database, has stabilized its core functions while putting forward many security operation tools and solutions for its large user base. At the data level, Oracle has three technologies representing its latest work: Virtual Private Database (VPD), Label Security, and Oracle Vault. VPD mainly adds data-access rights to meet application-level data access needs; Label Security is to some degree an expansion and upgrade of VPD. Vault is primarily about separating security responsibilities within the Oracle database, taking the responsibility for data security away from the ordinary user and even from SYS, for a fine-grained assignment of security responsibility.


Oracle Vault is one of the officially recommended security policies, and is mainly used for data protection in operations and maintenance organizations. Oracle security in the traditional sense is a "SYS God" master model. Although we have various system, role, and object privileges, and although the security manuals all want us to use non-SYS users for maintenance, many database administrators still do all their work as SYS. Some data protection technologies, such as VPD, achieve data-level control but are not effective against SYS.

More importantly, once a system privilege of the "any" class, such as SELECT ANY TABLE, is granted, the user effectively controls access to every data table. This is a very arbitrary approach that hides a big problem.

Under the "SYS God" premise, such a situation is uncontrollable, because some operations, such as data backup and import/export, cannot avoid high-level access rights. "Either do it all, or leave it alone" is the status quo of many of our current operations organizations.

Oracle Vault provides a way to trim the SYS user. As an optional component of the Oracle database, Vault requires additional file linking, registration, and installation. After Vault is installed, Oracle creates a new user, DBVOWNER, and some of the data operations and access rights that originally belonged to SYS can now be controlled.

Vault has three core elements: realm, factor, and rule. They restrict or protect specific objects from a variety of angles, such as data objects and operational commands.


Oracle Vault is currently Oracle's officially recommended operational security policy. In practical application it makes it easy to restrict the authority of administrator accounts such as SYS and to protect core business data.
Like many Oracle components, Oracle Vault can be configured through a series of API calls. Because of the complexity, however, Oracle does not recommend managing it directly through the API commands; instead it is configured through the supplied DVA application. Using DVA is much like using EM, and avoids many chances of error.
To call DVA, first start emctl, then open https://ip:1158/dva. The port number is the same as EM's.
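The three elements described above (realm, rule, and factor), and the API that DVA drives under the covers, as an added example that is not code from the original article. It is run as the Vault owner; the realm name, the HR schema, the BACKUP_OP user and the rule-set names are assumptions made up for the illustration.

```sql
-- Added example, not from the original article. Run as the Vault owner (DBVOWNER).
-- 'HR Data Realm', schema HR, user BACKUP_OP and the rule-set names are made up.

-- 1. Realm: fence off HR's tables. Objects inside a realm are no longer reachable
--    through system privileges such as SELECT ANY TABLE, not even for SYS.
BEGIN
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR Data Realm',
    description   => 'Protects HR tables from privileged users',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);   -- audit blocked attempts
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR Data Realm',
    object_owner => 'HR',
    object_name  => '%',                                -- every table in the schema
    object_type  => 'TABLE');
END;
/

-- 2. Rule and rule set: a rule is a boolean expression over factors;
--    DVF.F$SESSION_USER is one of the factors Vault installs by default.
BEGIN
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Is Backup Operator',
    rule_expr => 'DVF.F$SESSION_USER = ''BACKUP_OP''');
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Backup Operator Only',
    description     => 'True only for the BACKUP_OP session',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,  -- all rules must pass
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW, -- show the error to the caller
    fail_message    => 'Blocked by Database Vault command rule',
    fail_code       => 20461,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);
  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Backup Operator Only',
    rule_name     => 'Is Backup Operator');
END;
/

-- 3. Command rule: bind the rule set to a SQL command on the realm's objects, so
--    TRUNCATE TABLE on HR.* succeeds only when the rule set evaluates to TRUE.
BEGIN
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'TRUNCATE TABLE',
    rule_set_name => 'Backup Operator Only',
    object_owner  => 'HR',
    object_name   => '%',
    enabled       => DBMS_MACUTL.G_YES);
END;
/
```

Attempts that the realm or the command rule blocks are written to the Vault audit trail (the G_*_AUDIT_FAIL options above), which is where the security officer sees an administrator probing a protected schema.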


I. Pre-installation (this component is checked when installing the database)
Use the address below and log in with the user name you set during installation:
https://192.168.3.183:1158/dva/mac/login
Login: Vault1:vg_fgyoracle1
Host: localhost
Port: 1521



II. Post-installation
Run DBCA to configure.
Select the Configure Database Options project and, from the components, select the Label Security and Vault options.
The configuration items include the name of the Oracle Vault owner user and the administrator password. Note: the password check at this step is very strict, requiring a length of 8-30 characters, no repeated characters, and at least one punctuation mark.
Finally the installation succeeds and the GUI interface exits.


This series describes the installation, configuration, and use of Oracle Vault. First, we show how to install Vault.
In the default Enterprise Edition, Vault is not installed; we need to relink and install it manually before we can use it.

=================================
SELECT * FROM v$version;
SELECT * FROM v$option;
SELECT * FROM v$option WHERE upper(parameter) LIKE '%VAULT%';
SELECT * FROM product_component_version;

Before installing and configuring, shut down the listener, the database, and DB Console.
lsnrctl stop
shutdown immediate;
emctl stop dbconsole
================================
Then relink.
Oracle Vault depends on Label Security, and the configuration must start at the operating-system level. In a Linux/Unix environment, use make to configure the link.
[oracle@<host> lib]$ cd $ORACLE_HOME/rdbms/lib
[oracle@<host> lib]$ make -f ins_rdbms.mk dv_on lbac_on ioracle
/usr/bin/ar d /u01/app/oracle/rdbms/lib/libknlopt.a kzvndv.o
/usr/bin/ar cr /u01/app/oracle/rdbms/lib/libknlopt.a /u01/app/oracle/rdbms/lib/kzvidv.o
/usr/bin/ar d /u01/app/oracle/rdbms/lib/libknlopt.a kzlnlbac.o
/usr/bin/ar cr /u01/app/oracle/rdbms/lib/libknlopt.a /u01/app/oracle/rdbms/lib/kzlilbac.o
chmod 755 /u01/app/oracle/bin

 - Linking Oracle
rm -f /u01/app/oracle/rdbms/lib/oracle
gcc -o /u01/app/oracle/rdbms/lib/oracle -m32 -z noexecstack -L/u01/app/oracle/rdbms/lib/ -L/u01/app/oracle/lib/ -L/u01/app/oracle/lib/stubs/ -L/u01/app/oracle/lib/ -lirc -lipgo -Wl,-E /u01/app/oracle/rdbms/lib/opimai.o
(... output omitted for space ...)
-L/u01/app/oracle/lib
test ! -f /u01/app/oracle/bin/oracle ||\
   mv -f /u01/app/oracle/bin/oracle /u01/app/oracle/bin/oracleO
mv /u01/app/oracle/rdbms/lib/oracle /u01/app/oracle/bin/oracle
chmod 6751 /u01/app/oracle/bin/oracle
==================================
lsnrctl start
startup
DBCA: configure and set the account and password
emctl start dbconsole
https://ip:1158/dva
===================================



III. The phenomenon: the SYS user's rights have been cut. I began to wonder why, and finally found that it was the effect of the Vault component.
[oracle@<host> dbs]$ sqlplus / as sysdba

SQL*Plus: Release 11.2.0.4.0 Production on Tue 22 10:53:17 2017

Copyright (c) 1982, Oracle.  All rights reserved.


Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, Oracle Label Security, OLAP, Data Mining,
Oracle Database Vault and Real Application Testing options

SQL> create user test identified by 123456;
create user test identified by 123456
*
ERROR at line 1:
ORA-01031: insufficient privileges


SQL> alter system set utl_file_dir='/u01/app/oracle/admin/fgy1/dpdump/' scope=spfile;
alter system set utl_file_dir='/u01/app/oracle/admin/fgy1/dpdump/' scope=spfile
*
ERROR at line 1:
ORA-01031: insufficient privileges

IV. Uninstalling (more troublesome)

Oracle Vault is an important part of a three-technology security strategy. Compared with the other two, Label Security and VPD (Virtual Private Database), Oracle Vault embodies more of the construction of operations and maintenance system management and the configuration of security rules. After Vault is installed and configured, the SYS superuser's original security role is stripped away, and data, operations, and resources are restricted in a rule-based manner. It can be said that only when you use Vault can you truly control the behavior of data administrators.

This article mainly describes how to uninstall Vault; the version it is based on is 11gR2. Note: the uninstall methods differ somewhat between versions of Oracle Vault, especially in the relink step.
1. Preparation before uninstalling
Oracle Vault involves several parts of the database: the DVA component bundled as a web application in OEM, the internal DBVOWNER and account manager management objects, and the adjustments to roles and permissions. Before the formal uninstall operation, we need to shut down the database and the various components.

V. Using Data Pump

Oracle Vault is a relatively complete operational security architecture framework launched by Oracle. For many operations organizations, Vault is a very good option.

The principle of Oracle Vault is to split and protect security responsibilities. From the assumption that the database administrator SYS carries the security responsibility, it moves to separate security personnel, DBVOWNER and the DBV account manager, as the center of security configuration. After that, many security zones are set up in terms of behavior, domain, and so on, and each zone is protected by an additional protection policy.

Note: Vault's starting point is an important consideration in our selection. Security threats are of many classes and levels. Oracle Vault is a constraint set aimed at the operations organization where one account does everything, and it forms a structure in which administrators and security officers are separated.

Although the database administrator can manage the system, he does not have access to specific sensitive areas. The security officer has the ability to grant security authorizations but not administrator authorizations (system privileges and data privileges), so the security officer cannot access sensitive data either.

There are loopholes in this process, such as the possibility of the administrator changing the security configuration and seizing the security officer's privileges, so after installation Oracle Vault applies some default realms and command rules to bind the administrator tightly.

In addition, administrators have daily operations, such as the use of DB Control, Data Pump, and Recovery Manager, all of which risk triggering realm rules. How does Oracle handle such a situation? This article starts from Data Pump operation and discusses it briefly.

1. Data Pump and Vault

Oracle Data Pump is a backup management tool available since Oracle 10g. As an evolution of exp/imp, Data Pump supports a wide variety of Oracle features and capabilities, and it has a unique advantage in large-scale operations.
If we study the Data Pump operation process carefully, we see that a pump job is not a single whole but a collection of a series of actions. For example, when importing in schema mode, if the target database does not have the user, Data Pump creates it, and this is really just an ordinary CREATE USER xxx statement being executed.
Therefore, exporting and importing data is a process that combines many system privileges. This is why the privileges for importing and exporting databases in Oracle are two roles (IMP_FULL_DATABASE and EXP_FULL_DATABASE).
So, if the administrator (backup operator) needs to import or export sensitive data, he necessarily touches the sensitive information. How should we configure the Oracle Vault environment?
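The configuration the question above asks for, as an added example that is not part of the original article: the Oracle-documented DBMS_MACADM Data Pump authorization, which grants a backup operator a reviewable, revocable path through the realm instead of standing SYS-level access. The user BACKUP_OP and the schema HR are made-up names; the statements are run as a user holding the DV_OWNER role.

```sql
-- Added example, not from the original article. Run as the Vault owner (DV_OWNER
-- role). BACKUP_OP and HR are made-up names for the backup operator and schema.

-- The two roles the article refers to are still required, but on their own they
-- stop at the realm boundary: a realm ignores system privileges, and system
-- privileges are exactly what EXP_FULL_DATABASE / IMP_FULL_DATABASE consist of.
GRANT EXP_FULL_DATABASE, IMP_FULL_DATABASE TO backup_op;

-- Vault-specific authorization, scoped to one schema (a table_name parameter can
-- narrow it further; omitting schema_name would authorize the whole database).
BEGIN
  DBMS_MACADM.AUTHORIZE_DATAPUMP_USER(
    user_name   => 'BACKUP_OP',
    schema_name => 'HR');
END;
/

-- Separation of duties in practice: the authorization is recorded in a view the
-- security officer can review before and after the backup window.
SELECT * FROM dvsys.dba_dv_datapump_auth;

-- The operator then runs the export from the OS shell, not from SQL*Plus:
--   expdp backup_op/<password> schemas=HR directory=DATA_PUMP_DIR dumpfile=hr.dmp

-- Revoke when the backup window closes, so the operator keeps no standing path
-- into the sensitive schema.
BEGIN
  DBMS_MACADM.UNAUTHORIZE_DATAPUMP_USER(
    user_name   => 'BACKUP_OP',
    schema_name => 'HR');
END;
/
```

The same pair of calls, scoped to a single table or to the whole database, covers the other Data Pump cases the article raises; the operator never receives SELECT ANY TABLE or a realm authorization of his own.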
