Oracle Database Vault

Oracle Database Vault
What about the OS Accounts?
Stefan Oehrli
Discipline Manager
Oracle Security
stefan.oehrli@trivadis.com
Geneva, 18.11.2009
Basel
Baden
Brugg
Bern
Lausanne
Zrich
Dsseldorf
Frankfurt/M.
Freiburg i. Br.
Hamburg
Mnchen
Stuttgart
Wien
Agenda
Introduction
Database Vault in a Nutshell
Situation with Anonymous Accounts
Approach and Challenges
DBA- and Operation Tasks
Daten sind
immer im Spiel.
Administrative Privileges
(SYSDBA and SYSOPER)
SUDO
Miscellaneous
Conclusion
Data Security Geneva 2009 - Oracle Database Vault What about the OS Accounts?
2009
Introduction
Oracle Database Vault addresses common regulatory compliance
requirements and reduces the risk of insider threats by:
Preventing highly privileged users (DBA) from accessing application
data
Enforcing separation of duty
Providing controls over who, when, where and how applications, data
and databases can be accessed.
Source: Oracle Database Vault Home Page
But is this enough to protect the whole Oracle environment?
2009
Introduction
Excerpt from Oracle Database Vault Administrator's Guide:
Managing Root and Operating System Access
Oracle Database Vault does not prevent highly privileged operating
system users from directly accessing database files. For this kind of
protection, use transparent data encryption ..... Carefully review and
restrict direct access to the operating systems.
You should have personalized accounts access the operating system.
These personalized accounts should, in the Linux or UNIX
environments, login using sudo to the oracle software owner when
needed. With sudo, you can control which specific command each
personalized user can execute. Be sure to prevent the use of the make,
relink, gdb, or other commands that could potentially harm the DB
Appendix D Oracle Database Vault Administrator's Guide

2009
Introduction
This section at the end of the documentation can cause some
confusion
To some extent Database Vault is sold as a complete Security
Solution but need some additional considerations.
This information could apparently be placed a bit more central.
This Presentation will cover the following questions:
What's covered by Database Vault?

Motivation for personalized Accounts?
Possible solution and concepts?
Challenges for the conception and the Implementation?
Configuration of SYSOPER / SYSDBA?
Configuration and application of SUDO?
2009
Agenda
Introduction
Daten sind
immer im Spiel.
SUDO
Miscellaneous
Conclusion
2009

Another Oracle Security Innovation to protect from
DBA respectively SYSDBA
High system privileges like SELECT ANY TABLE, EXEMPT
ACCESS POLICY
Available as an Enterprise Edition Option

Separate download for 10g and 9i
Integrated component within Oracle 11g R1 and R2
2009

Additional Layer within Oracle Kernel
New Components added by Database Vault
Realms
Command Rules
Factors
Rule Sets
Extended functionality for
Secure Application Roles
Label Security Integration
No impact for object grants

(except for command Rules)
Restrict any select statement
Source: Oracle Database Vault - An Oracle White Paper June

2007
2009
Database Vault Data Privacy and Data Theft (1)

Access to data through an
instance is protected by
database authentication,
authorizing and auditing (AAA)
End User,
Developer,
DBA
Authorizations for data can be

defined at row level
Instance
Virtual
Private
Database
Label
Security
Database Files
2009

How to authorize users based on criteria like time, network
protocol or IP of the client?
Virtual
Private
Database
Database
Vault
Secure
Application
Roles
But what about the System privileges like SELECT ANY TABLE,
EXEMPT ACCESS POLICY a s o. which are granted to DBAs
and enabled for Connection through SYSDBA?
Database
Vault
2009

End User,
Developer, DBA
Transparent
Data
Encryption
Hacker
Instance
Database Files
Database AAA does not

protect access to shared
memory and data files!
And what
about
backups?
RMAN
Backup
Encryption
2009
Database Vault Eavesdropping and Hijacking

End User,
Developer, DBA
(Alice)
Database
Server (Bob)
Oracle Net
Advanced
Security
Hacker
2009
Agenda
Introduction
Daten sind
immer im Spiel.
SUDO
Miscellaneous
Conclusion
2009

Administration Tasks are not traceable
When and who did a listener or database restart.
Who changed the environment (e.g Shell settings)
Auditing on the OS is only partially reasonable

Its possible to see that user oracle did something but who logged in
as oracle?
Installation of Software / Patch Set / CPUs is not traceable
Compliance according SOX, Basel II, etc not possible
Security protection mechanism can be bypassed anytime

Relink Oracle binaries to switch off Database Vault
Direct access of Datafiles and/or Memory
OSDBA, OSOPER and OSASM is usually not defined or default

2009
Dynamically Relink
On some OS and database version it is possible to relink the
oracle binaries even when the database is running. After relink
and switch off DBV the data can be access without any
restriction.
cd $ORACLE_HOME/rdbms/lib
make -f ins_rdbms.mk dv_off
cd $ORACLE_HOME/bin
relink oracle
A warning is will be shown in the ALERT.LOG but there is

also a hint displayed how this warning can be suppressed
WARNING: Oracle executable binary mismatch detected.
Binary of new process does not match binary which started
instance
issue alter system set "_disable_image_check" = true to
disable these messages
2009
Additional Possibilities
Change passwords within the Datenfile of SYSTEM Tablespace
(see Trivadis Training O-AI-DSI)
Modify or access data directly within a data file
2009
Agenda
Introduction
Daten sind
immer im Spiel.
SUDO
Miscellaneous
Conclusion
2009

Acceptance
Intermediate
Acceptance
Commissioning
Operation
No Protection,
functional
Accounts
Personalized Accounts,
sudo, scripts etc
Decommissioning
No Protection,
functional
Accounts
2009

There is no protection in the commissioning and
decommissioning phase
After the acceptance the functional account oracle is locked
DBA and Operation tasks will be done via sudo, group privileges
and scripts
Usage of SYSOPER, SYSDBA and DBA has to be adjusted
If the functional account or the environment will be opened an
intermediate acceptance has to be initiated
E.g. bigger changes, hardware replacement etc
2009

DBA and operation tasks has to be defined
Who has to do what and when? How my access what?
Create a catalog of tasks
DBA and operation tasks to be standardized on a high level e.g

scripts for certain tasks are available
A role concept within the DB is must be available
Adjustment with OSDBA and OSOPER reasonable
If not implemented properly there is a risk that loopholes will

remain
It is not possible to lock out the root account. Only monitoring and
auditing is possible
2009
Agenda
Introduction
Daten sind
immer im Spiel.
SUDO
Miscellaneous
Conclusion
2009

Deployment of Software, Patch sets, CPUs and so on
Stop / start database, agent and listener
Accessing log and trace files (DBA)
Accessing data files
Maintain scripts
Tuning, Monitoring etc
Backup / Restore
Change initialization parameter
2009

Tasks
Typ
Engineering
Operation
Application
Operation
Initial Installation
OS
As user oracle
n/a
n/a
Initial Create Database
DB
As user oracle
n/a
n/a
Patch set Installation (Software)
OS
sudo script
(Silent Install)
n/a
n/a
Patch set Installation (Upgrade)
DB
sysdba oder
sudo script
n/a
n/a
CPU / OPatch Installation
OS
sudo
n/a
n/a
DB Start / Stopp
OS
sudo script
or SYSOPER
sudo script
or SYSOPER
n/a
Listener Start / Stopp
OS
sudo script
sudo script
n/a
Agent / Konsole Start / Stopp
OS
sudo script
sudo script
n/a
2009
Tasks
Typ
Engineering
Operation
Application
Operation
Additional DB Tools (runInstaller,

dbca, dvca, netca, etc)
OS
sudo
sudo
n/a
Houskeeping of trace and log

files
OS
script/ cronjob
script/ cronjob
Read trace
files
Maintain Scripts(Entwicklung auf

DBA Server mit Version Control)
OS
Deploment
script
n/a
n/a
Monitoring
DB
Within DB / role
Within DB / role
n/a
Accounting
DB
n/a
Within DB / role
n/a
Space Management (e.g. TS)
DB
Within DB / role
Within DB / role
n/a
Backup & Recovery
DB
As SYSDBA or
SYSOPER
n/a
2009
Database Admin / Engineering

Personalized UX Accounts with OSDBA or OSOPER group
Stop / start database with sqlplus as sysoper
sqlplus userxy/tiger@TMAC01 as sysoper
Use scripts and sudo to stop / start listener, agents etc.

Deployment of patchs and software will be done with scripts as a silent
installation
Housekeeping (Permissions, Truncate etc) of log and trace files will be
done with scripts started by cron
DBA tasks (alter system, alter tablespace etc) are done via Grid Control
and / or with personalized DBA accounts.
Prsentationskennung
Data
Security Geneva 2009
- Eintrag
- Oracle
ber Database
Kopf-/Fusszeile
Vault What about the OS Accounts?
25
2009
DB Operation
Personalized UX Accounts without OSDBA or OSOPER group
Stop / start database with sqlplus as sysoper
.
sqlplus userxy/tiger@oraemst as sysoper
Use scripts and sudo to stop / start listener, agents etc.

Limited access within the database. Required system privileges are
granted by an operation role. Operators are working with personalized
accounts
Prsentationskennung
Data
- Eintrag
- Oracle
ber Database
Kopf-/Fusszeile
26
2009
Additional Users
Additional Users like Developer, Account Manager etc only get access
on the database level.
Access to log and trace files on special request
Limited access within the database. Required system privileges (alter

user, etc) are granted by a dedicated role.
All user are working with personalized accounts
Prsentationskennung
Data
- Eintrag
- Oracle
ber Database
Kopf-/Fusszeile
27
2009
Agenda
Introduction
Daten sind
immer im Spiel.
SUDO
Miscellaneous
Conclusion
2009
Administrative Privilegien
There are two main administrative privileges in Oracle
SYSOPER
SYSDBA
And SYSASM since Oracle 11g
SYSDBA and SYSOPER are special privileges as they allow access to

a database instance even when it is not running
The control of these privileges is totally outside of the database itself
By certain OS groups which are linked into the binaries (OSDBA, OSOPER
as well as OSASM since Oracle 11g)
By an oracle password
2009
OSDBA / OSOPER groups on Unix (1)

The 'OSDBA' and 'OSOPER' groups are chosen at installation time and
usually both default to the group 'dba
These groups are compiled into the 'oracle' executable and so are the
same for all databases running from a given ORACLE_HOME
Verify the groups
cat $ORACLE_HOME/rdbms/lib/config.c
Later change of the groups (relink of oracle binaries is required!)

vi config.c
# Adjust the goups
=> #define SS_DBA_GRP osdba
=> #define SS_OPER_GRP osoper
mv config.o config.o.orig
# Backup of config.o
make -f ins_rdbms.mk ioracle # DBs must be stopped!
2009
OSDBA / OSOPER group on Unix (2)

Usage of SYSDBA (SYSOPER is used similar)
eng001 : id
uid=101(muster) gid=20(users) groups=30(dba),101(osoper)
eng001 : sqlplus / as sysdba
SQL*Plus: Release 10.2.0.4.0 - Production on Thu Feb 19 08:49:34
2009
Copyright (c) 1982, 2007, Oracle.
All Rights Reserved.
Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 64bit Production
With the Partitioning, Data Mining and Real Application Testing
options
SQL>
2009
SYSDBA / SYSOPER (1)

To access a database as SYSDBA or SYSOPER over SQLNET a
password file is required
Create a new password files
oracle : orapwd file=${ORACLE_HOME}/dbs/orapw${ORACLE_SID}
password=manager entries=5
Define the according INIT.ORA parameters

SQL> alter system set remote_login_passwordfile='EXCLUSIVE'
scope=spfile;
2009
SYSDBA / SYSOPER (2)

Add additional user with a grant
SQL> grant SYSOPER to muster;
List all users with SYSOPER or SYSDBA privileges

SQL> select * from V$PWFILE_USERS;
USERNAME
-----------------------------SYS
SYSTEM
MUSTER
SYSDB
----TRUE
FALSE
FALSE
SYSOP
----TRUE
TRUE
TRUE
2009
Difference SYSOPER / SYSDBA

SYSOPER privilege allows operations such as:
Instance startup, mount & database open
Instance shutdown, dismount & database close
Alter database BACKUP, ARCHIVE LOG, and RECOVER
This privilege allows the user to perform basic operational tasks

without the ability to look at user data.
SYSDBA privilege includes all SYSOPER privileges plus full

system privileges
(with the ADMIN option), plus 'CREATE DATABASE' etc...
This is effectively the same set of privileges available when previously
connected INTERNAL.
=> Regards Oracle Database Vault it does make sense to use
SYSOPER/SYSDBA respectively OSDBA/OSOPER. At which it is
recommended to use SYSOPER in this context
2009
SYSDBA vs. SYSOPER (1)

Privilege
SYSDBA
SYSOPER
STARTUP and SHUTDOWN
CREATE/DROP DATABASE
CREATE SPFILE
ALTER DATABASE OPEN/MOUNT
ALTER DATABASE ARCHIVELOG
ALTER DATABASE BACKUP/RECOVER
1 only a complete recovery

2009
Agenda
Introduction
Daten sind
immer im Spiel.
SUDO
Miscellaneous
Conclusion
2009
SUDO
SUDO allows to configure which user or user group can execute
which commands or scripts as certain user e.g root or oracle
Its possible to define a set of command for different user groups
e.g. DBAs, Operators, Developers etc.
Exectution of any sudo is written to syslog
root : grep sudo /var/adm/syslog/syslog.log
Feb 19 10:44:52 urania sudo: meier : TTY=pts/2 ; PWD=/home/meier ;
USER=oracle ; COMMAND=/u00/app/oracle/product/10.2_1/bin/lsnrctl status
Feb 19 10:44:56 urania sudo: meier : TTY=pts/2 ; PWD=/home/meier;
USER=root ; COMMAND=list
2009
SUDO Configuration
/usr/local/sbin/visudo
## User alias specification
User_Alias
DBADMIN = dummy
User_Alias
DBOPER = meier
User_Alias
DBUSER = muster, russo, smith
## Runas alias specification
Runas_Alias
DB = oracle
## Cmnd alias specification
Cmnd_Alias
DBOPER = /u00/app/oracle/local/custom/bin/dbtool
Cmnd_Alias
DBADMIN= /u00/app/oracle/product/10.2_?/OPatch/opatch,
/u00/app/oracle/product/10.2_?/oui/bin/run
Installer, /u00/app/oracle/product/10.2_?/bin/dvca,
/u00/app/oracle/product/10.2_?/bin/dbca, /u00/app/oracle/product/10.2_?/bin/netca
# User specification
# root and users in group wheel can run anything on any machine as any user
root
ALL = (ALL) ALL
DBADMIN
ALL = (DB) NOPASSWD: DBADMIN, DBOPER, /usr/local/bin/truss
DBOPER
ALL = (DB) NOPASSWD: DBOPER,
/u00/app/oracle/product/10.2_?/bin/lsnrctl
2009
SUDO Usage
meier
: id
uid=108(meier) gid=20(users) groups=101(osoper)
meier
: sudo -l
User oper001 may run the following commands on this host:
(oracle) NOPASSWD: /u00/app/oracle/local/custom/bin/dbca
(oracle) NOPASSWD: /u00/app/oracle/product/10.2_?/bin/lsnrctl
meier
: sudo -u oracle dbca
Or even a bit more simpler when using aliases

Alias dbtool='sudo -u oracle dbtool'
2009
SUDO constraints
SUDO is executing commands and scripts as the user specified
for execution e.g oracle. The environment settings will be the one
for the user specified at the sudo command.
If possible define only simple commands to be used with sudo eg.
/usr/local/bin/truss
More complex commands should be executed within a shell which
cares about parameters, errors etc.
sudo -u oracle lsnrctl.ksh t oraemst start
SUDO hast to be manually installed on HP-UX and Solaris

A SUDO Configuration file can be distributed over network
2009
Agenda
Introduction
Daten sind
immer im Spiel.
SUDO
Miscellaneous
Conclusion
2009
Miscellaneous
OP an interesting alternative for SUDO
Open Source alternative http://swapoff.org/wiki/op
Major difference is the possibilities to use mnemonics rather than
commands
Mit SUDO:
sudo /bin/mount -t iso9660 /dev/cdrom /mnt/cdrom
Mit OP:
op mount cd
Set the S-Bit for individual commands

oracle@urania:/u00/app/oracle/product/11.1.0/bin/ [rdbms1110]
ls -al oracle*
-rwsr-s--x 1 oracle osdba 158489970 Mar 8 14:15 oracle
2009
Script maintenance
Scripts should be maintained in a central repository eg.
Subversion, CVS or something similar.
DB Adminss may create new revision of the scripts on there
development system.
New revision have to be commited to the repository
Subversion commandline fr Windows
Tortoise SVN Client
Oracle SQL Developer
Deployment of scripts and configuration should be done with a

deployment process (e.g Jumpstart server, Grid Control,..)
Only a defined and accepted version of the scripts will be used on

the systems
2009
Agenda
Introduction
Daten sind
immer im Spiel.
SUDO
Miscellaneous
Conclusion
2009
Conclusion
A reliable protection with Database Vault is possible but
additional considerations have to be taken
Auditing anonymous user does only provide limited information
Personalized Accounts are recommended for Database Vault

System / DBA task can clearly assigned (Engineering, Operation,...)
Traceability can be guaranteed
To have personalized accounts a standardized environment is

recommended and will allow a simpler implementation of SUDO
Stable Environment
Documented tasks and responsibilities
2009
Conclusion
The application of personalized accounts can be implemented
step by step
A combination of SUDO and OSDBA / OSOPER can reasonable
Initial engineering work has to be done but none Database Vault

environment can also benefit
2009
Thank you!
?
www.trivadis.com
Basel
Baden
Brugg
Bern
Lausanne
Zrich
Dsseldorf
Frankfurt/M.
Freiburg i. Br.
Hamburg
Mnchen
Stuttgart
Wien
Backup Slide Not covered by DBV (1)

Risk
Action
Data within data files is stored in clear text

(OS- and SAN-Admin as well the OracleUnix-Account can read the data)
Encryption of data files with TDE

(10g on row level, 11g on tablespace level)
Data in backups as clear text
Encrypt data with RMAN
SYS-Account has to be open for RAC and

RMAN. This account is not fully prodeced by
database vault
Personalized Accounts on Unix und

Database + SUDO concept
Use of SYSOPER
Accept SYSDBA-Connections only at the
time when RMAN has to run
2009
Backup Slide Not covered by DBV (1)

Risk
Action
While the database is patched Database

Vault has to be switched off (e.g. CPUs) this
is also true for database migrationens
Personalized Accounts on Unix und

Database + SUDO concept
Monitoring on the OS (inode+ctime Checks,
e.g. manual, Nimbus,iwatch (Linux, based
on inotify))
Data on the network is send as clear text (as

well interconnect on RAC Environments)
Use of Advanced Security Option to encrypt

network traffic.
Direct grants on object
Existing grants must be known and has to

be verified. Database Vault Admin Console
provides reports for this
Export possibilities on application level
This can only be checked on application

level. Possible restriction based on rules
(e.g. from a certain IP,)
2009
Backup Slide Separation of Duties

Task
Responsible
Operation of Database and Instance

(Create, Parameterize, Instance tuning,
Patching, Updates, TablespaceManagement, )
Security Management
Create Realms, Define Objects which have
to be protected
Assign User to Realms
Create application roles
Assign object privilege to roles/users
Account Management + assign roles
Create technical roles, initial assignment of
system privileges to roles (not application
roles!)
2009

Oracle Database Vault - What About The OS Accounts

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Oracle Database Vault - What About The OS Accounts

Uploaded by

Copyright:

Available Formats

What about the OS Accounts?

But is this enough to protect the whole Oracle environment?

Appendix D Oracle Database Vault Administrator's Guide

This Presentation will cover the following questions:

What's covered by Database Vault?

Database Vault in a Nutshell

Available as an Enterprise Edition Option

Integrated component within Oracle 11g R1 and R2

Database Vault in a Nutshell

No impact for object grants

Source: Oracle Database Vault - An Oracle White Paper June

Database Vault Data Privacy and Data Theft (1)

Authorizations for data can be

Database Vault Data Privacy and Data Theft (2)

Database Vault Data Privacy and Data Theft (3)

Database AAA does not

Database Vault Eavesdropping and Hijacking

Situation with Anonymous Accounts

Auditing on the OS is only partially reasonable

Security protection mechanism can be bypassed anytime

OSDBA, OSOPER and OSASM is usually not defined or default

A warning is will be shown in the ALERT.LOG but there is

Approach and Challenges

Approach and Challenges

Approach and Challenges

DBA and operation tasks to be standardized on a high level e.g

If not implemented properly there is a risk that loopholes will

DBA- and Operation Tasks

DBA- and Operation Tasks

Initial Create Database

Patch set Installation (Software)

Patch set Installation (Upgrade)

CPU / OPatch Installation

Listener Start / Stopp

Agent / Konsole Start / Stopp

DBA- and Operation Tasks

Additional DB Tools (runInstaller,

Houskeeping of trace and log

Maintain Scripts(Entwicklung auf

Space Management (e.g. TS)

Backup & Recovery

Database Admin / Engineering

Use scripts and sudo to stop / start listener, agents etc.

sqlplus userxy/tiger@oraemst as sysoper

Use scripts and sudo to stop / start listener, agents etc.

Limited access within the database. Required system privileges (alter

SYSDBA and SYSOPER are special privileges as they allow access to

OSDBA / OSOPER groups on Unix (1)

Later change of the groups (relink of oracle binaries is required!)

OSDBA / OSOPER group on Unix (2)

All Rights Reserved.

SYSDBA / SYSOPER (1)

Define the according INIT.ORA parameters

SYSDBA / SYSOPER (2)

List all users with SYSOPER or SYSDBA privileges

Difference SYSOPER / SYSDBA

This privilege allows the user to perform basic operational tasks

SYSDBA privilege includes all SYSOPER privileges plus full

SYSDBA vs. SYSOPER (1)

STARTUP and SHUTDOWN

ALTER DATABASE OPEN/MOUNT

ALTER DATABASE ARCHIVELOG