Oracle Database Vault Author 유광복 Creation Date 2010-02-25 Last Updated Version Copyright(C) 2004 Goodus Inc. All Rights Reserved Version 변경일자변경자 ( 작성자 ) 주요내용
Contents 1. Database Vault 란?... 4 1.1. 오라클보안제품구성도... 5 2. Installing Database Vault (10g)... 6 2.1. S/W download... 6 2.2. Installation Requirement... 6 3. Starting Database Vault Admin(DVA)... 9 3.1. Em(DB Console) 을통한접속... 9 3.2. Database Vault Role... 10 3.2.1. DV_SECANALYST... 11 3.2.2. DV_Admin... 11 3.2.3. DV_OWNER (Database Vault Owner : Mandatory)... 11 3.2.4. DV_ACCTMGR (Database Vault Account Manager : Optional)... 11 3.2.5. DV_REALM_OWNER... 11 3.2.6. DV_REALM_RESOURCE... 11 3.2.7. DV_PUBLIC... 11 3.3. Database Vault Schema... 11 3.3.1. DVSYS... 11 3.3.2. DVF... 11 4. Access Control Components... 12 4.1. Realm ( 보안영역 )... 12 4.2. Command Rule ( 명령어규칙 )... 12 4.3. Factor ( 계수 )... 12 4.4. Rule ( 규칙 )... 12 4.5. Rule Set ( 규칙집합 )... 13 4.6. 구동방식... 13 4.7. Database Vault 설치후 Revoke 된 privilege... 14 5. Example... 15 5.1. Realm ( 보안영역 )... 15 5.1.1. Realm ( 보안영역 ) 조회... 15 5.1.2. Realm ( 보안영역 ) 생성... 16 5.1.3. Realm ( 보안영역 ) Object 지정... 17 5.1.4. Realm ( 보안영역 ) Object 조회... 20 5.1.5. Audit log 조회 어떤위반사항이발생하였는지확인가능... 20 5.2. Command rule ( 명령어규칙 )... 22 5.3. Factor ( 계수 )... 30 6. 끝맺음... 42 7. Append... 43 7.1. How to enable database vault using dvca for newly created database [ID 473610.1]... 43 7.2. How to Disable / Enable Database Vault (Unix)... 44 2
3
1. Database Vault 란? Database Vault 오라클 Database vault 란오라클에서제공되는접근제어솔루션입니다. 은행의안전금고와유사한개념의혁신적접근법을통해자동화, 투명성, 사전침입방지및탐지등의핵심적인보안요구사항을만족합니다 과도한권한이있는사용자의애플리케이션데이터접근을차단하고임의적인데이터베이스변경을제한하며애플리케이션데이터의접근방법, 시기및장소에대한통제정책을적용합니다 예를들어 SYS 권한을가진 DBA 의권한남용으로일반데이터를억세스하는권한제어, 서비스중시간대의 DDL 금지, 특정 IP Address 가진시스템의접근제어등폭넓고다양하게접근제어를구축할수있는솔루션입니다. 이 Vault 는데이터베이스커널에위치하며커널의최상위에서동작하게되므로우회접근을통한보안위협의문제도해결할수있습니다.. Oracle Database Vault는애플리케이션및민감한데이터를보호할수있도록강력한보안통제를제공합니다. 4
1.1. 오라클보안제품구성도 Database Vault 아래표는오라클제품으로구현가능한데이터암호화, 비인가된사용자접근제어, 감사및모니터링기능에대한설명입니다. 분류 Enterprise 계정관리및인증 Edition 권한및 role Auditing Virtual Private Database Encryption API Enterprise User Security Advanced Strong Authentication Security Encryption Network Option Encryption Transparent Data Encryption Oracle Label Security Database Vault Audit Vault 설명 DB 계정관리및암호기반인증전통적인 DAC & RBAC 감사기능. 효율적인감사를위한 Fine Grained Auditing 기능포함행단위의접근제어데이터암호화 API DB 계정이아닌실사용자관리기능 3rd Party 표준인증서비스와의연동 클라이언트와데이터베이스서버간의모든네트워크통신패킷을암호화사용자 SQL 에투명한데이터자동암호화 / 복호화행단위접근제어및보안등급관리단일 DB 안에서업무별로독립적인보호영역을구축. 또한, DB 의어떤명령에대해서도조건에따라실행권한을제어할수있게해주는내부통제기능여러 DB 또는 Auditing Tool 에분산되어있는 Audit 정보통합관리 참고로최근에개인정보중요성에대한인식이높아짐과동시에사회적관심이높아짐에따라아래와같이간략한정보통신망법을언급하였습니다. 정보통신망법시행 (2010년 1월 29일 ) 정보통신망을이용한서비스사업자들은앞으로고객의주요정보 ( 주민등록번호, 카드번호, 계좌번호 ) 등을의무적으로암호화하여저장하여야한다. 1월 28일자로유예기간이종료됨으로해당사업자들은개인정보를안전하게저장, 전송하는암호화기술을이용한보안조치를반드시취해야한다. 이에해당하는오라클제품은 Oracle Advanced Security Option( 암호화 ) 의 TDE, 접근제어의 Database Vault 로구현이가능합니다. 5
2. Installing Database Vault (10g) 2.1. S/W download - 10g : otn 싸이트에서별도옵션으로 download 받아설치해야함 - 11g : Database S/W 포함되어추가설치없이옵션체크로만설치가능함 2.2. Installation Requirement - 10.2.0.2 이상 - Oracle Label Security (OLS) 설치되어야함 SQL> select comp_id,status,version from dba_registry where comp_id='ols'; COMP_ID STATUS VERSION ------------------------------ OLS VALID 10.2.0.4.0 - DB Console(EM) 은 optional(web base 작업이많으므로설치하면편리함 ) - /etc/oratab, /var/opt/oracle/oratab SID 등록되어있는지확인 $ pwd /data/source/vault/datavault lkb1 $./runinstaller ** DB 를수동으로생성한경우 /var/opt/oracle/oratab 파일에 sid 를등록해야함 6
** 존재하는 Database 를선택함 sys / passwd 입력 ** Database Vault Owner 입력 (mandatory) Database Vault account manager (Optional) ** Vault Schema, DB Console 등을구성함 7
** Database Vault Summary ** GUI 로설치도중에러가발생하면수동으로 DVCA 를실행해준다. Lkb1 $ dvca -action option -oh /ora10/product/10.2 -owner_account dvo -owner_passwd????? -jdbc_str jdbc:oracle:oci:@ora -sys_passwd manager -logfile./dvca.log nodecrypt DVCA started Executing task RESTART_SERVICES_PATCH MANAGE_INSTANCE stop isqlplus MANAGE_INSTANCE stop OC4J MANAGE_LISTENER start listener MANAGE_INSTANCE start RDBMS Executing task SQLPLUS_CATOLS Executing task RESTART_SERVICES_OLS MANAGE_INSTANCE stop isqlplus MANAGE_INSTANCE stop OC4J.. Executing task INIT_OS_ROLES Executing task INIT_SQL92_SECURITY Executing task INIT_OS_AUTHENT_PREFIX Executing task INIT_REMOTE_LOGIN_PASSWORDFILE Executing task INIT_RECYCLEBIN Executing task RESTART_SERVICES MANAGE_INSTANCE stop isqlplus MANAGE_INSTANCE stop OC4J MANAGE_INSTANCE stop RDBMS MANAGE_LISTENER stop listener MANAGE_LISTENER start listener MANAGE_INSTANCE start RDBMS MANAGE_INSTANCE start OC4J RAC 인경우 action optionrac 로입력함. 8
3. Starting Database Vault Admin(DVA) 3.1. Em(DB Console) 을통한접속 lkb1 $ emctl start dbconsole Oracle Enterprise Manager 10g Database Control Release 10.2.0.4.0 Copyright (c) 1996, 2007 Oracle Corporation. All rights reserved. https://lkb1:1150/em/console/aboutapplication Starting Oracle Enterprise Manager 10g Database Control... started. ------------------------------------------------------------------ Logs are generated in directory /ora10/product/10.2/lkb1_ora/sysman/log lkb1 $ Database Vault 환경을조회및변경작업을하고자할경우 Command line 에서도가능하지만해당 API(pkg) 사용시긴문장사용의불편함과결과를보기위한컬럼조정이불가피함으로인해 Web Base GUI 를권고합니다. DB Console 를통하여구성이가능하며 Secure mode 로설정하여야합니다. URL : https://lkb1:1150/dva (10g 화면 ) URL : https://lkb1:1150/dva 11g 화면 9
<< 로그인후화면모습 >> Database Vault 3.2. Database Vault Role Database Vault 설치시아래 7개의 role 이생성되며각각부여된 role 따라실행할수있는 Layer 가달라진다. 10
3.2.1. DV_SECANALYST DVA (Database Vault Administrator) 내의모니터링의감사레포트기능부여 3.2.2. DV_Admin DV_SECANALYST + DVA 모든기능제어가능 3.2.3. DV_OWNER (Database Vault Owner : Mandatory) DV_ADMIN + 해당권한을 other 에게부여가능하며 DV_ACCTMGR role 부여된스키마를지정하지않을경우해당권한까지부여받는다. Database vault 설치시반드시필요함 - DVA 접근 - Database Vault Security 수정가능 - Security Component 변경및 audit 수정가능 3.2.4. DV_ACCTMGR (Database Vault Account Manager : Optional) user 나 profile 생성, 변경은이 role 을가진사용자만가능함. 더이상 sys 계정에서사용자생성및변경은불가함 - User 생성 - User 패스워드변경 3.2.5. DV_REALM_OWNER REALM( 보안영역 ) 의 owner 이며해당보안영역에포함된객체애대하여 create any, alter any, drop any 권한을갖는다. dv_owner, dv_admin 권한은없음 3.2.6. DV_REALM_RESOURCE Oracle RESOURCE ROLE 와비슷하며 (create object) 보안영역내에서수행가능함 3.2.7. DV_PUBLIC database vault procedures 의다수수행권한이있음 3.3. Database Vault Schema Database Vault 를운영하기위한 2 개의 Schema 가생성된다. 3.3.1. DVSYS 아래의권한소유자이다 - Database Vault View - Database Vault API 3.3.2. DVF Factor definition 의소유자이다 11
4. Access Control Components 4.1. Realm ( 보안영역 ) - SYSDBA 도접근이불가능한보안영역 (Realm) 제공 - Select Any Table 권한을부여받은사용자도접근불가 4.2. Command Rule ( 명령어규칙 ) - 의심스러운 IP 를통한 CONNECT 불가예 ) 업무시간대에 DDL 문장수행금지설정가능 - 모든데이터베이스관리명령어에대해, 룰을적용함으로써, 불필요한명령어및권한남용을미연에방지 4.3. Factor ( 계수 ) - 미리정의된다양한 Factor 를이용하여접근제어규칙을생성 - 사용자정의 Factor를이용하여다양한접근제어규칙을추가할수있음 - User Factors (Name, Ahthentication type, session user, Proxy Enterprise Idnetity) - Network Factors (Machine name, Client IP, Network Protocols) - Databse Factors (Database IP, Database Instance, Database Hostname, Database Sid) - Runtime Factors (Language, Date, Time) 4.4. Rule ( 규칙 ) Rule 을실제표현하는기술문입니다. Ex) rule name : Local Access 표현식 : sys_context('userenv','ip_address')='61.250.123.81' 12
4.5. Rule Set ( 규칙집합 ) Database Vault 4.4 에나열된 Rule 들의집합을의미하며 1개이상의 Rule 을포함할수있습니다. 각각의 Rule 들이모두참, 거짓일때해당조건을허용합니다. Ex) Rule Set name : Internal DBA working hours - Rule name: Working Hours 표현식 : TO_CHAR(SYSDATE,'HH24') BETWEEN '09' AND '18' - Rule name : Week Day 표현식 : TO_CHAR(SYSDATE,'D') BETWEEN '2' AND '6' - Rule name : Internal DBA 표현식 : DVF.F$SESSION_USER='SCOTT' 4.6. 구동방식 보안적용을위한정책은 Realm, 과 Command Rule 를통해서최종적으로허락여부를판단합니다. Realm 과 Command Rule 는소그룹으로 Rule Set, Factor 등을포함하여좀더세부적인조건을추가하여접근제어를설정할수있습니다. 13
4.7. Database Vault 설치후 Revoke 된 privilege ROLE DBA IMP_FULL_DATABASE EXECUTE_CATALOG_ROLE PUBLIC SCHEDULAR_ADMIN Revoke 된 privilege BECOME USER SELECT ANY TRANSACTION CREATE ANY JOB CREATE EXTERNAL JOB EXECUTE ANY PROGRAM EXECUTE ANY CLASS MANAGE SCHEDULER DEQUEUE ANY QUEUE ENQUEUE ANY QUEUE MANAGE ANY QUEUE BECOME USER MANAGE ANY QUEUE EXECUTE ON DBMS_LOGMNR EXECUTE ON DBMS_LOGMNR_D EXECUTE ON DBMS_LOGMNR_LOGREP_DICT EXECUTE ON DBMS_LOGMNR_SESSION EXECUTE ON DBMS_FILE_TRANSFER EXECUTE ON UTL_FILE CREATE ANY JOB USER SYS SYSTEM Revoke 된 privilege ALTER USER CREATE USER DROP USER ALTER PROFILE CREATE PROFILE DROP PROFILE ALTER USER CREATE USER DROP USER ALTER PROFILE CREATE PROFILE DROP PROFILE 14
5. Example 5.1. Realm ( 보안영역 ) : SYS, SYSTEM 계정으로부터의 application user 의데이터보호일반적으로 SYS 계정에서 scott.emp 테이블조회가가능함. SYS@ORA> select * from scott.emp; EMPNO ENAME JOB MGR HIREDATE SAL COMM DEPTNO -------------------------------------------------------------------------------------- 7369 SMITH CLERK 7902 17-DEC-80 800 20 7499 ALLEN SALESMAN 7698 20-FEB-81 1600 300 30 7521 WARD SALESMAN 7698 22-FEB-81 1250 500 30 7566 JONES MANAGER 7839 02-APR-81 2975 20 7654 MARTIN SALESMAN 7698 28-SEP-81 1250 1400 30 7698 BLAKE MANAGER 7839 01-MAY-81 2850 30 7782 CLARK MANAGER 7839 09-JUN-81 2450 10 7788 SCOTT ANALYST 7566 19-APR-87 3000 20 7839 KING PRESIDENT 17-NOV-81 5000 10 7844 TURNER SALESMAN 7698 08-SEP-81 1500 0 30 7876 ADAMS CLERK 7788 23-MAY-87 1100 20 7900 JAMES CLERK 7698 03-DEC-81 950 30 7902 FORD ANALYST 7566 03-DEC-81 3000 20 7934 MILLER CLERK 7782 23-JAN-82 1300 10 14 rows selected. SYS@ORA> 5.1.1. Realm ( 보안영역 ) 조회 15
DVO@ORA> select name, AUDIT_OPTIONS, ENABLED from dvsys.dba_dv_realm; NAME ---------------------------------------------------------------- Oracle Data Dictionary Oracle Database Vault Database Vault Account Management Oracle Enterprise Manager AUDIT_OPTIONS ENABL 1 Y 1 Y 1 Y 1 Y DVO@ORA> 5.1.2. Realm ( 보안영역 ) 생성 Scott 계정특정테이블을보안영역으로등록하고자한다. Realm 을생성한다. 이름입력 Protect Scott 16
Protect Scott 편집 DVO@ORA> BEGIN 2 DVSYS.DBMS_MACADM.CREATE_REALM( 3 realm_name => 'Protect Scott', 4 description => 'Protect Scott', 5 enabled => 'DBMS_MACUTL.G_YES', 6 audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL); 7 END; 8 / PL/SQL procedure successfully completed. DVO@ORA> select name, AUDIT_OPTIONS, ENABLED from dvsys.dba_dv_realm; NAME --------------------------------------------------------------------- Oracle Data Dictionary Oracle Database Vault Database Vault Account Management Oracle Enterprise Manager Protect Scott AUDIT_OPTIONS ENABLED 1 Y 1 Y 1 Y 1 Y 1 N DVO@ORA> 5.1.3. Realm ( 보안영역 ) Object 지정 Protect Scott 의보안영역에 Scott.emp 테이블을지정함 17
Object 선택하기위함 18
API 방식으로 Realm 설정 DVO@ORA> Begin DVSYS.DBMS_MACADM.ADD_OBJECT_TO_REALM (realm_name => 'Protect Scott', object_owner => 'SCOTT', object_name => 'EMP', object_type => 'TABLE'); end; / PL/SQL procedure successfully completed. DVO@ORA> select * from dvsys.dba_dv_realm_object where realm_name='protect Scott'; REALM_NAME OWNER OBJECT_NAME OBJECT_TYPE ------------------------------------------------------------------------------- Protect Scott SCOTT EMP TABLE DVO@ORA> 19
5.1.4. Realm ( 보안영역 ) Object 조회 Database Vault SYS 계정으로 scott.emp 테이블 access 불가하고 drop, truncate 로불가함 DVO@ORA> conn /as sysdba Connected. SYS@ORA> select * from scott.emp; select * from scott.emp * ERROR at line 1: ORA-01031: insufficient privileges SYS@ORA> SCOTT@ORA> drop table emp; drop table emp * ERROR at line 1: ORA-00604: error occurred at recursive SQL level 1 ORA-47401: Realm violation for drop table on SCOTT.EMP ORA-06512: at "DVSYS.AUTHORIZE_EVENT", line 55 ORA-06512: at line 31 SCOTT@ORA> truncate table emp; truncate table emp * ERROR at line 1: ORA-00604: error occurred at recursive SQL level 1 ORA-47401: Realm violation for truncate table on SCOTT.EMP ORA-06512: at "DVSYS.AUTHORIZE_EVENT", line 55 ORA-06512: at line 31 SCOTT@ORA> 5.1.5. Audit log 조회 어떤위반사항이발생하였는지확인가능 20
21
5.2. Command rule ( 명령어규칙 ) Database Vault : Alter System ***** 명령어를 Local IP ( 즉 DB 서버에서만수행이가능하도록설정한다.) System 계정이라할지라도 remote 에서접속한사용자는수행이불가하도록설정한다. lkb1 $ sqlplus system/manager@ora SQL*Plus: Release 10.2.0.4.0 - Production on Wed Feb 24 16:18:58 2010 Copyright (c) 1982, 2007, Oracle. All Rights Reserved. Connected to: Oracle Database 10g Enterprise Edition Release 10.2.0.4.0-64bit Production With the Partitioning, Oracle Label Security, Data Mining, Oracle Database Vault and Real Application Testing options SYSTEM@ora> select sys_context('userenv','ip_address') from dual; 접속한사용자의 IP Address 확인 SYS_CONTEXT('USERENV','IP_ADDRESS') ----------------------------------------------------------------------------------------------------------------------------------- 61.250.123.81 SYSTEM@ora> alter system switch logfile; System altered. SYSTEM@ora> 규칙집합 선택 22
생성 선택 Enforce Local Address Rule Set 에 Rule 을추가하기 위하여편집선택 23
Rule 을생성함 Rule 표현식지정 61.250.99.81 만접속허용 24
25
명령규칙 선택 Alter system 명령을정의 26 규칙집합선택함
API 로작업가능 1. Rule set 조회 DVO@ORA> select rule_set_name, enabled from dvsys.dba_dv_rule_set; RULE_SET_NAME ------------------------------ Enabled Y Disabled Y Can Maintain Accounts/Profiles Y Can Maintain Own Account Y Allow Sessions Y Can Grant VPD Administration Y Allow System Parameters Y Drop table Y EN 8 rows selected. DVO@ORA> 2. Rule set 생성 BEGIN DVSYS.DBMS_MACADM.CREATE_RULE_SET( rule_set_name => 'Enforce Local Address', description => 'Enforce Local Address', enabled => 'Y', eval_options => 2, audit_options => DBMS_MACUTL.G_RULESET_AUDIT_FAIL, fail_options => 2, fail_message => ' ', fail_code => 20461, handler_options => DBMS_MACUTL.G_RULESET_HANDLER_FAIL, handler => ' '); END; / 3. Rule Set 에추가할 Rule 생성 BEGIN 27
DVSYS.DBMS_MACADM.CREATE_RULE( rule_name => 'Local Access', rule_expr =>'SYS_CONTEXT(''USERENV'',''SESSION_USER'') = ''61.250.123.81'''); END; / 4. 생성된 Rule set 과 Rule 조회 select rs.rule_set_name, rs.enabled, rsr.rule_name, rsr.rule_expr from dvsys.dba_dv_rule_set rs, dvsys.dba_dv_rule_set_rule rsr where rs.rule_set_name=rsr.rule_set_name and rs.rule_set_name='enforce Local Address'; RULE_SET_NAME EN RULE_NAME RULE_EXPR -------------------------------------------------------------------------------------------------------------------- Enforce Local Address Y Local Access sys_context('userenv','ip_address')='61.250.123.81' 61.250.123.81 로접속하는 IP 만허용하고그외의 IP Address 불허함. 5. 명령규칙 (Command Rule) 생성 BEGIN DVSYS.DBMS_MACADM.CREATE_COMMAND_RULE( command => 'ALTER SYSTEM', rule_set_name => 'Enforce Local Address', object_owner => '%', object_name => '%', enabled => 'DBMS_MACUTL.G_YES'); END; / 6. Command Rule 에적용된 Rule set 조회 DVO@ORA> select * from dvsys.dba_dv_command_rule where command='alter SYSTEM'; COMMAND RULE_SET_NAME OBJECT_OWN OBJECT_NAM ENA PRIVILEGE_SCOPE ---------------------------------------------------------------------------------------- ALTER SYSTEM Enforce Local Address % % Y 7. Test DVO@ORA> lkb1 $ sqlplus system/manager@ora SQL*Plus: Release 10.2.0.4.0 - Production on Wed Feb 24 17:19:05 2010 Copyright (c) 1982, 2007, Oracle. All Rights Reserved. Connected to: Oracle Database 10g Enterprise Edition Release 10.2.0.4.0-64bit Production With the Partitioning, Oracle Label Security, Data Mining, Oracle Database Vault and Real Application Testing options SYSTEM@ora> select sys_context('userenv','ip_address') from dual; SYS_CONTEXT('USERENV','IP_ADDRESS') ----------------------------------------------------------------------------------------------------------------------------------- 61.250.123.81 SYSTEM@ora> alter system switch logfile; System altered. SYSTEM@ora> Local IP Address 로접속히정상적으로 switch logfile 이수행됨. 28
lkb2 $ sqlplus system/manager@ora1 SQL*Plus: Release 11.1.0.7.0 - Production on Tue Feb 23 10:08:28 2010 Copyright (c) 1982, 2008, Oracle. All rights reserved. Connected to: Oracle Database 10g Enterprise Edition Release 10.2.0.4.0-64bit Production With the Partitioning, Oracle Label Security, Data Mining, Oracle Database Vault and Real Application Testing options 10:08:28 SYSTEM@ora1> select sys_context('userenv','ip_address') from dual; SYS_CONTEXT('USERENV','IP_ADDRESS') ------------------------------------------------------------------------------------------------------------------------ 61.250.123.82 Elapsed: 00:00:00.03 10:08:30 SYSTEM@ora1> alter system switch logfile; alter system switch logfile * ERROR at line 1: ORA-01031: insufficient privileges Elapsed: 00:00:04.78 10:08:39 SYSTEM@ora1> Remote IP Address 로접속시권한부족으로 switch logfile 이수행안됨. 29
5.3. Factor ( 계수 ) Database Vault : Truncate table 명령어를휴일, 업무시간외, Local 서버에서접속한 session 에서만가능하도록설정한다. 미리정의된 Domain, Client IP 등을이용하여접속정보를 Check 하여허용여부를판단함 계수선택 Domain 선택 Network 대역을선택하여제한하고자함 30
계수의 Identifier 생성함 허용하고자하는 IP ID 31
편집 선택 Client IP 대역선택 생성 선택 32
접속불가 id 생성 편집 선택 신뢰하지않음 33
61.250.123.82 이상불가 61.250.123.81 이하불가 Rule Set 정의 34
생성 DBA 작업시간설정 35 Ruleset 에 Rule 추가
4 개의 Rule 생성 Scott 계정만허용 36
61.250.99.81, 82 IP 만허용 주말제외 37
업무시간에만 4 개 Rule 생성 완료 38
TEST 1) 2. 21 ( 일 ) 오후 07 시 00 에 local 에서 Scott 계정으로접속하여작업수행 => Command Rule 위반으로작업수행불가 lkb1 $ date 2010 년 2 월 21 일일요일오후 07 시 00 분 03 초 lkb1 $ sqlplus scott/tiger@ora SQL*Plus: Release 10.2.0.4.0 - Production on Sun Feb 21 19:00:06 2010 Copyright (c) 1982, 2007, Oracle. All Rights Reserved. Connected to: Oracle Database 10g Enterprise Edition Release 10.2.0.4.0-64bit Production With the Partitioning, Oracle Label Security, Data Mining, Oracle Database Vault and Real Application Testing options SCOTT@ora> select dvf.f$domain from dual; F$DOMAIN ------------------------------------------------------------------------------------------------------------------------------------ Highly Secured Internal Network SCOTT@ora> truncate table tb1; truncate table tb1 * ERROR at line 1: ORA-00604: error occurred at recursive SQL level 1 ORA-47400: Command Rule violation for truncate table on SCOTT.TB1 ORA-06512: at "DVSYS.AUTHORIZE_EVENT", line 55 ORA-06512: at line 31 SCOTT@ora> show user USER is "SCOTT" SCOTT@ora> quit date Disconnected from Oracle Database 10g Enterprise Edition Release 10.2.0.4.0-64bit Production With the Partitioning, Oracle Label Security, Data Mining, Oracle Database Vault 39
and Real Application Testing options Database Vault 2) 2. 25 ( 목 ) 오후 05 시 50 에 local 에서 scott 계정으로접속하여작업수행 => Command Rule 정상수행. lkb1 $ date 2010 년 2 월 25 일목요일오후 05 시 50 분 05 초 lkb1 $ sqlplus scott/tiger@ora SQL*Plus: Release 10.2.0.4.0 - Production on Thu Feb 25 17:50:09 2010 Copyright (c) 1982, 2007, Oracle. All Rights Reserved. Connected to: Oracle Database 10g Enterprise Edition Release 10.2.0.4.0-64bit Production With the Partitioning, Oracle Label Security, Data Mining, Oracle Database Vault and Real Application Testing options SCOTT@ora> select dvf.f$domain from dual; F$DOMAIN ------------------------------------------------------------------------------------------------------------------------------------ Highly Secured Internal Network SCOTT@ora>!date 2010 년 2 월 25 일목요일오후 05 시 50 분 35 초 SCOTT@ora> truncate table tb1; Table truncated. SCOTT@ora> 3) 2. 25 ( 목 ) 오후 05 시 50 에 local 에서 System 계정으로접속하여작업수행 => Command Rule 위반으로작업수행불가. SCOTT@ora> conn system/manager Connected. SYSTEM@ORA> create table t1 (a varchar2(10)); Table created. SYSTEM@ORA> truncate table t1; truncate table t1 * ERROR at line 1: ORA-00604: error occurred at recursive SQL level 1 ORA-47400: Command Rule violation for truncate table on SYSTEM.T1 ORA-06512: at "DVSYS.AUTHORIZE_EVENT", line 55 ORA-06512: at line 31 SYSTEM@ORA> 4) 2. 23 ( 화 ) 오후 03 시 50 에 remote 에서 scott 계정으로접속하여작업수행 => Command Rule 정상수행. 40
** 2 번노드에서수행 lkb2 $ ifconfig -a lo0: flags=2001000849<up,loopback,running,multicast,ipv4,virtual> mtu 8232 index 1 inet 127.0.0.1 netmask ff000000 hme0: flags=1000843<up,broadcast,running,multicast,ipv4> mtu 1500 index 2 inet 61.250.123.82 netmask ffffff80 broadcast 61.250.123.127 groupname sc_ipmp0 qfe1: flags=1008843<up,broadcast,running,multicast,private,ipv4> mtu 1500 index 4 inet 172.16.0.129 netmask ffffff80 broadcast 172.16.0.255 qfe2: flags=1008843<up,broadcast,running,multicast,private,ipv4> mtu 1500 index 3 inet 172.16.1.1 netmask ffffff80 broadcast 172.16.1.127 clprivnet0: flags=1009843<up,broadcast,running,multicast,multi_bcast,private,ipv4> mtu 1500 index 5 inet 172.16.193.1 netmask ffffff00 broadcast 172.16.193.255 lo0: flags=2002000849<up,loopback,running,multicast,ipv6,virtual> mtu 8252 index 1 inet6 ::1/128 qfe1: flags=2008841<up,running,multicast,private,ipv6> mtu 1500 index 4 inet6 fe80::a00:20ff:fef2:aeb1/10 qfe2: flags=2008841<up,running,multicast,private,ipv6> mtu 1500 index 3 inet6 fe80::a00:20ff:fef2:aeb2/10 lkb2 $ lkb2 $ sqlplus scott/tiger@ora1 SQL*Plus: Release 11.1.0.7.0 - Production on Tue Feb 23 15:50:44 2010 Copyright (c) 1982, 2008, Oracle. All rights reserved. Connected to: Oracle Database 10g Enterprise Edition Release 10.2.0.4.0-64bit Production With the Partitioning, Oracle Label Security, Data Mining, Oracle Database Vault and Real Application Testing options 15:50:45 SCOTT@ora1> select dvf.f$domain from dual; F$DOMAIN ------------------------------------------------------------------------------------------------------------------------ Highly Secured Internal Network => 접속허용함 Elapsed: 00:00:00.10 15:50:50 SCOTT@ora1> 15:50:51 SCOTT@ora1>!date 2010 년 2 월 23 일화요일오후 03 시 50 분 56 초 => 작업허용시간 15:50:56 SCOTT@ora1> truncate table tb1; Table truncated. Elapsed: 00:00:00.09 15:51:00 SCOTT@ora1> 41
6. 끝맺음 오라클 Database Vault 는오라클 DBMS 내의또다른방화벽기능으로서 DB 관라지의막강한권한을제한하고 (SYS, SYSTEM) 의외부침입자, 내부관리자등의접근을제한할수있는솔루션이다. 또한중요서비스시간대에서명령어실행제한, 의심스러운사용자데이터접근을사전에차단함으로써고객사데이터를안전하고투명하게보호할수있다. 42
7. Append 7.1. How to enable database vault using dvca for newly created database [ID 473610.1] DVCA loads the Database Vault schema objects into the new database, creates the DV_OWNER and optional DV_ACCTMGR accounts, and deploys the Database Vault Administrator application for the database For 11g $ dbca -silent -configuredatabase -SourceDB score -sysdbausername sys -sysdbapassword oracle - adddboption DV -dvusername dvo -dvuserpassword Oracle1234# Preparing to Configure Database 2% complete 5% complete 28% complete Adding Oracle Database Vault 45% complete 62% complete 85% complete Completing Database Configuration Oracle Enterprise Manager 11g Database Control Release 11.1.0.6.0 Copyright (c) 1996, 2007 Oracle Corporation. All rights reserved. EMHOME=/opt/11g/dv11g.idc.oracle.com_score 100% complete Look at the log file "/opt/cfgtoollogs/dbca/score/score.log" for further details. For 10g $ export ORACLE_SID=dvdb $ dvca -action option -oh $ORACLE_HOME -s_path /tmp -logfile /tmp/log.out -owner_account dvo - owner_passwd Oracle1234# -jdbc_str jdbc:oracle:oci:@dvdb -sys_passwd sys -nodecrypt -silent DVCA started Executing task RESTART_SERVICES_PATCH MANAGE_INSTANCE stop isqlplus MANAGE_INSTANCE stop OC4J MANAGE_LISTENER start listener MANAGE_LISTENER start listener result=/opt/10g/bin/dvca_start_listener.sh,1, MANAGE_LISTENER start listener log= LSNRCTL for Linux: Version 10.2.0.3.0 - Production on 10-JAN-2008 23:23:07 Copyright (c) 1991, 2006, Oracle. All rights reserved.... Executing task INIT_RECYCLEBIN Executing task RESTART_SERVICES MANAGE_INSTANCE stop isqlplus MANAGE_INSTANCE stop OC4J MANAGE_INSTANCE stop RDBMS MANAGE_LISTENER stop listener MANAGE_LISTENER start listener MANAGE_INSTANCE start RDBMS MANAGE_INSTANCE start OC4J 43
SQL>select * from v$option where parameter like '%Vault%'; PARAMETER VALUE ---------------------------------- Oracle Database Vault TRUE 7.2. How to Disable / Enable Database Vault (Unix) For Disable DBMS shutdown $ cd $ORACLE_HOME/rdbms/lib $ make -f ins_rdbms.mk dv_off $ cd $ORACLE_HOME/bin $ relink oracle $ SQLPLUS / as sysdba SQL>startup $ dvca -action disable -service TARDA1 -sys_passwd test -owner_account -owner_passwd test123#_ - logfile./dvca.log -nodecrypt silent SQL> drop user DVF cascade; SQL> drop user DVSYS cascade; SQL> drop user <dv_owner_username> cascade; SQL> drop user <dv_account manager> cascade; For Enable $ cd ORACLE_HOME/rdbms/lib $ make -f ins_rdbms.mk dv_on $ cd $ORACLE_HOME/bin $ relink oracle $ SQLPLUS / as sysdba SQL>startup $ dvca -action option -oh D:\oracle\dbs102\product\10.2.0\db_1 -jdbc_str dbc:oracle:oci:@dbs102 - sys_passwd oracle -owner_account dvowner -owner_passwd oracle123# -logfile./dvca.log -nodecrypt silent 44