2 Getting Started with Oracle Database Vault

This chapter provides a quick introduction to using Oracle Database Vault. You will learn how to start Oracle Database Vault Administrator, and then explore the basics of using Oracle Database Vault by creating a simple security configuration.

This chapter includes the following sections:

Setting the Time-out Value for Oracle Database Vault Administrator
Starting Oracle Database Vault Administrator
Quick Start Tutorial: Securing a Schema from DBA Access

2.1 Setting the Time-out Value for Oracle Database Vault Administrator

Oracle Database Vault Administrator is a browser-based graphical user interface console that you use to manage Oracle Database Vault. You can modify the length of time Database Vault Administrator stays connected while inactive. By default, the session time is 35 minutes.

To set the session time for Oracle Database Vault Administrator:

Back up the web.xml file, which by default is in the $ORACLE_HOME/dv/jlib/dva_webapp/dva_webapp/WEB-INF directory.
In a text editor, open the web.xml file .

Search for the following setting:

<session-config>
 <session-timeout>35</session-timeout>
</session-config>

Change the <session-timeout> setting to the amount of time in minutes that you prefer.
Save and close the web.xml file.
If the Oracle Database Console is running, restart it.

To check the Oracle Database Console, navigate to the $ORACLE_HOME/bin directory and then enter the following command:
```
./emctl status dbconsole
```
To stop and restart the Database Console, enter the following commands:
```
./emctl stop dbconsole
./emctl start dbconsole
```

2.2 Starting Oracle Database Vault Administrator

This section describes how to start Oracle Database Vault Administrator.

Tip:

If you are using Oracle Enterprise Manager Database Control, you can configure it for an SSL (HTTPS) secure connection. For more information, see Oracle Enterprise Manager Advanced Configuration in Oracle Enterprise Manager 10g Release 10.1. To access this manual, visit Oracle Technology Network (OTN) at

http://www.oracle.com/technology/index.html

Follow these steps:

From the Documentation menu, select Enterprise Manager.
On the Oracle Enterprise Manager 10g Release 2 (10.2) Documentation page, under Other Releases, select the Oracle Enterprise Manager Release 1 (10.1) Documentation link.
On the Oracle Enterprise Manager 10g Release 1 (10.1) Documentation page, select either PDF or HTML for Oracle Enterprise Manager Advanced Configuration, whose part number is B12013-03.
In Chapter 4, "Enterprise Manager Security," go to "Configuring Security for the Database Control."

To start Oracle Database Vault Administrator:

From a browser, enter the following URL:
```
http://host_name:port/dva
```
In this specification:
- host_name is the server where you installed Oracle Database Vault
- port is the Oracle Enterprise Manager Console HTTP port number
For example:
```
http://myserver:1158/dva
```
If you are unsure of the port number, open the ORACLE_HOME/host_sid/sysman/config/emd.properties file and search for REPOSITORY_URL.

If you cannot start Oracle Database Vault Administrator, check that the Oracle database console process is running.
- On UNIX systems: Navigate to the $ORACLE_HOME/bin directory and run the following command:
```
./emctl status dbconsole
```
  If you must start the dbconsole process, run the following command:
```
./emctl start dbconsole
```
- On Microsoft Windows systems: In the Administrative Services, select the Services utility, and then right-click the OracleDBConsolesid service. If necessary, select Start from the menu to start the database console.
Log files are in the following directory:
```
$ORACLE_HOME/sysman/log
```
Log in by using the Oracle Database Vault Owner account that you created during installation.

By default, you cannot log in to Oracle Database Vault Administrator by using the SYS, SYSTEM, or other administrative accounts. You can log in if you have the DV_ADMIN or DV_OWNER roles.

After you log in, the Oracle Database Vault Administrator home page appears, similar to Figure 2-1.

Figure 2-1 Oracle Database Vault Administrator Home Page

Description of "Figure 2-1 Oracle Database Vault Administrator Home Page"

2.3 Quick Start Tutorial: Securing a Schema from DBA Access

In this tutorial, you will create a simple security configuration for the HR sample database schema. In the HR schema, the EMPLOYEES table has information such as salaries that should be hidden from most employees in the company, including those with administrative access. To accomplish this, you will add the HR schema to a named group of schemas called a realm, and then grant limited authorizations to this realm. Afterward, you will test the realm to make sure it has been properly secured. And finally, to see how Oracle Database Vault provides an audit trail on suspicious activities like the one you will try when you test the realm, you will run a report.

You will follow these steps:

Step 1: Adding the DV_ACCTMGR Role to the Data Dictionary Realm
Step 2: Log On as SYSTEM to Access the HR Schema
Step 3: Create a Realm
Step 4: Secure the EMPLOYEES Table in the HR Schema
Step 5: Create an Authorization for the Realm
Step 6: Test the Realm
Step 7: Run a Report
Step 8: Optionally, Drop User SEBASTIAN

2.3.1 Step 1: Adding the DV_ACCTMGR Role to the Data Dictionary Realm

In this tutorial, the DV_ACCTMGR user will grant ANY privileges to a new user account, SEBASTIAN. In order to do this, DV_ACCTMGR will need to be included in the Oracle Data Dictionary realm.

To include DV_ACCTMGR in the Oracle Data Dictionary realm:

In the Administration page of Oracle Database Vault Administrator, under Database Vault Feature Administration, click Realms.
In the Realms page, select Oracle Data Dictionary from the list and then click Edit.
In the Edit Realm: Oracle Data Dictionary page, under Realm Authorizations, click Create.
In the Realm Authorization Page, from the Grantee list, select DV_ACCTMGR [ROLE].
For Authorization Type, select Participant.
Leave Authorization Rule Set at <Non Selected>.
Click OK.

In the Edit Realm: Oracle Data Dictionary page, DV_ACCTMGR should be listed as a participant under the Realm Authorizations.
In the Edit Realm: Oracle Data Dictionary page, click OK to return to the Realms page.
To return to the Administration page, click the Database Instance instance_name breadcrumb over Realms.

2.3.2 Step 2: Log On as SYSTEM to Access the HR Schema

To start, log in to SQL*Plus with administrative privileges and access the HR schema. You will log on using the SYSTEM account.

$ sqlplus system
Enter password: password
SQL> SELECT FIRST_NAME, LAST_NAME, SALARY FROM HR.EMPLOYEES WHERE ROWNUM <10;

FIRST_NAME          LAST_NAME           SALARY
------------------- ---------------- ---------
Steven              King                 24000
Neena               Kochhar              17000
Lex                 De Haan              17000
Alexander           Hunold                9000
David               Austin                4800
Valli               Pataballa             4800
Diana               Lorentz               4200
Nancy               Greenberg            12000

8 rows selected.

As you can see, SYSTEM has access to the salary information in the EMPLOYEES table of the HR schema. This is because SYSTEM is automatically granted the DBA role, which includes the SELECT ANY TABLE system privilege.

2.3.3 Step 3: Create a Realm

Realms can protect one or more schemas, individual schema objects, and database roles. Once you create a realm, you can create security restrictions that apply to the schemas and their schema objects within the realm. Your first step is to create a realm for the HR schema.

Follow these steps:

Log in to Oracle Database Vault Administrator using the instructions under "Starting Oracle Database Vault Administrator".
In the Administration page, under Database Vault Feature Administration, click Realms.
In the Realms page, click Create.
In the Create Realm page, under General, enter HR Realm after Name.
After Status, ensure that Enabled is selected so that the realm can be used.
Under Audit Options, ensure that Audit On Failure is selected so that you can create an audit trial later on.
Click OK.

The Realms page appears, with HR Realm in the list of realms.

2.3.4 Step 4: Secure the EMPLOYEES Table in the HR Schema

At this stage, you are ready to add the EMPLOYEES table in the HR schema to the HR realm.

Follow these steps:

In the Realms page, select HR Realm from the list and then click Edit.
In the Edit Realm: HR Realm page, scroll to Realm Secured Objects and then click Create.
In the Create Realm Secured Object page, enter the following settings:
- Object Owner: Select HR from the list.
- Object Type: Use the default value, % so that you can protect all the schemas in the realm.
- Object Name: Use the default value, %.
Click OK.
In the Edit Realm: HR Realm page, click OK.

2.3.5 Step 5: Create an Authorization for the Realm

At this stage, there are no database accounts or roles authorized to access or otherwise manipulate the database objects the realm will protect. So, the next step is to authorize database accounts or database roles so that they can have access to the schemas within the realm. You will create the SEBASTIAN user account. After you authorize him for the realm, SEBASTIAN will be able to view and modify the EMPLOYEES table.

First, in SQL*Plus, create a regular user account that has SELECT privileges to the EMPLOYEES table in the HR schema. Log on using an account with the DV_ACCTMGR role. (See "Oracle Database Vault User Manager Role, DV_ACCTMGR" for more information about this role.) For example:

SQL> connect macacct
Enter password: password
SQL> CREATE USER SEBASTIAN IDENTIFIED BY seb_456987;
User created.
SQL> GRANT CONNECT TO SEBASTIAN;
Grant succeeded. 
SQL> CONNECT SYSTEM
Enter password: password
Connected. 
SQL> GRANT SELECT ANY TABLE TO SEBASTIAN;
Grant succeeded.

(Do not exit SQL*Plus; you will need it for Step 5, when you test the realm.)

Note that at this point SEBASTIAN can only query the EMPLOYEES table. He cannot perform other operations such as DDL and DML statements on the EMPLOYEES table because he is granted only with the SELECT object privilege to the EMPLOYEES table

Next, authorize user SEBASTIAN to have access to the HR Realm as follows:

In the Realms page, select the HR Realm in the list of realms, and then click Edit.
In the Edit Realm: HR Realm page, scroll down to Realm Authorizations and then click Create.
In the Create Realm Authorization page, under Grantee, select SEBASTIAN from the list.

If SEBASTIAN does not appear in the list, select the Refresh button in your browser.

SEBASTIAN will be the only user who will have access to the EMPLOYEES table in the HR schema.
Under Authorization Type, select Owner.

The Owner authorization allows the user SEBASTIAN in the HR realm to manage the database roles protected by HR, as well as create, access, and manipulate objects within a realm. In this case, the HR user and SEBASTIAN will be the only persons allowed to view and/or modify the EMPLOYEES table.
Under Authorization Rule Set, select <Not Assigned>, because rule sets are not needed to govern this realm.
Click OK.

2.3.6 Step 6: Test the Realm

To test the realm, try accessing the EMPLOYEES table as a user other than HR. The SYS account normally has access to all objects in the HR schema, but now that you have safeguarded the EMPLOYEES table with Oracle Database Vault, this is no longer the case.

$ sqlplus system
Enter password: password
SQL> SELECT FIRST_NAME, LAST_NAME, SALARY FROM HR.EMPLOYEES WHERE ROWNUM <10;

Error at line 1:
ORA-01031: insufficient privileges

As you can see, SYS no longer has access to the salary information in the EMPLOYEES table.

However, user SEBASTIAN does have access to the salary information in the EMPLOYEES table:

SQL> CONNECT SEBASTIAN
Enter password: password
Connected.
SQL> SELECT FIRST_NAME, LAST_NAME, SALARY FROM HR.EMPLOYEES WHERE ROWNUM <10;

FIRST_NAME          LAST_NAME           SALARY
------------------- ---------------- ---------
Steven              King                 24000
Neena               Kochhar              17000
Lex                 De Haan              17000
Alexander           Hunold                9000
David               Austin                4800
Valli               Pataballa             4800
Diana               Lorentz               4200
Nancy               Greenberg            12000

9 rows selected.

2.3.7 Step 7: Run a Report

Because you enabled auditing for the HR Realm, you can generate a report to find any security violations such as the one you attempted in Step 6: Test the Realm.

Follow these steps:

In the Oracle Database Vault Administrator home page, click Database Vault Reports.

To run the report, log in using an account that has the DV_OWNER, DV_ADMIN, or DV_SECANALYST role. Note that user SEBASTIAN cannot run the report, even if it affects his own realm. "Oracle Database Vault Database Roles" describes these roles in detail.
In the Database Vault Reports page, scroll down to Database Vault Auditing Reports and select Realm Audit.
Click Run Report.

Oracle Database Vault generates a report listing the type of violation (in this case, the SELECT statement entered in the previous section), when and where it occurred, the login account who tried the violation, and what the violation was.

2.3.8 Step 8: Optionally, Drop User SEBASTIAN

You can drop user SEBASTIAN, if you want. Log in to SQL*Plus using the Database Vault Owner account you created when you installed Oracle Database Vault and then drop user SEBASTIAN.

$ sqlplus macacct
Enter password: password
SQL> DROP USER SEBASTIAN CASCADE;
User dropped.

Doing so also drops him from the HR Realm.