Oracle DB Vault New Features in Oracle 12c Release 1 – Part 3 :  Oracle Enterprise Manager Cloud Control to Manage DB Vault.

After Oracle 12c Release 1 version you can use all DB Vault functionality with Oracle Enterprise Manager Cloud Control . DBMS_MACADM PL/SQL package procedures and functions have included in Oracle Enterprise Manager. For each operation you can see the running script by pressing Show SQL button.

You should connect to Enterprise Manager to run  Database Vault  Administrator with  a user who has DV_OWNER role. After logon  Database Vault home page appears like this;

db-vault01

At this page ;  you can see

  • Violations that were made against to DB Vault rules
  • Database Vault Alerts
  • Audit Reports

In order to make operations on DB Vault objects; you have to go Administration section . In the below picture ; you can see Command Rules page in Administration  section.

db-vault02

If you want to see all default rules ; you should check Show Oracle defined Command Rules box.If you want to create a new command rule;  just click Create button

db-vault03

You can enter all necessary parameter to create a new Command Rule at this page. After clicking Show SQL button you can see the necessary script to create a new command rule

db-vault04

 

For example ; If you want to see all details about a Command Rule; Choose the Command rule 

db-vault05

 

And then just double click on it.

db-vault06

Another functionality of DB Vault is you can control the authorization on some database operations . For example ; you can identify which user can make data pump operations , Goldengate operations or database patching. You can define all these users  from Oracle Enterprise Manager by choosing ; Database Operation Authorization section

db-vault08

 

After choosing Database Operation Authorization section ; you can see all database operations which are controlled by DB Vault

db-vault09

 

You can add , edit or delete usernames from this page for each database operations.

As you see ; In Oracle 12c Release 1 version you can use all functionality of Oracle DB Vault and the most important thing is Oracle does not support old Oracle DB Vault Console after Oracle 12c version.  Therefore if you are a Database Vault administrator you should learn Oracle Enterprise Manager DB Vault functionality. 

Oracle DB Vault New Features in Oracle 12c R1 – Part 2 : Enabling DB Vault

In this article I will continue to describe the changes in Oracle DB Vault in  Oracle 12c version.

At the below note I explained the changes at DB Vault installation . At this note I will show you what has been changed to enable and disable DB Vault in Oracle 12c version.

https://yusufanilakduygu.wordpress.com/2017/04/16/oracle-db-vault-new-features-in-oracle-12c-changes-at-db-vault-installation/

The major changes is you have to connect to database as DB vault owner to disable and enable DB Vault in Oracle 12c. But in Oracle 11g version ,  oracle operating system user can enable and disable Oracle DB Vault. It means that ;  Oracle DBA can change DB vault status in Oracle 11g . But in version Oracle 12c only DB Vault owner can do this.

This is a big change and It makes DB Vault much more secure in Oracle 12c.

In Oracle 11g version

In Oracle 11g , you can disable and enable DB Vault bu only chopt command. Only oracle user ( operation system user ) can run this command from operating system. DBAs can disable Oracle DB Vault in Oracle 11g version and then after making changes at the Database DBAs can enable Oracle DB Vault without asking the Database Security officer. This is an insecure situation and Oracle changed it in Oracle 12c version.

Enable DB Vault in Oracle 11g

Shutdown the database
CONNECT SYS AS SYSOPER
Enter password: password

SHUTDOWN IMMEDIATE

Enable Oracle DB Vault

$ chopt enable lbac

$ chopt enable dv

And then startup the database

CONNECT SYS AS SYSOPER
Enter password: password

STARTUP

DISABLE DB Vault in Oracle 11g

Shutdown the database
CONNECT SYS AS SYSOPER
Enter password: password

SHUTDOWN IMMEDIATE

Disable  Oracle DB Vault

$ chopt disable dv

$ chopt disable lbac

And then startup the database

CONNECT SYS AS SYSOPER
Enter password: password

STARTUP

In Oracle 12c version

In Oracle 12c version you have to connect the database with an account which is a database owner. Simple; database owner can enable and disable Oracle DB vault in Oracle 12c version. And this is much more secure if you compare it with Oracle 11g version.

Enable DB Vault in Oracle 12c

connect as the Oracle Database Owner (DV_OWNER) account, and then enable Oracle Database Vault.

SQL> CONNECT dvowner
Enter password:
Connected.
SQL> EXEC DBMS_MACADM.ENABLE_DV;
PL/SQL procedure successfully completed.
SQL> commit;
Commit complete.

Note ; If Oracle Label security is not enabled before , You should enable it

CONNECT SYS AS SYSDBA
Enter password: password

EXEC LBACSYS.CONFIGURE_OLS;
EXEC LBACSYS.OLS_ENFORCEMENT.ENABLE_OLS;

and then restart the database;

CONNECT SYS AS SYSOPER
Enter password: password

SHUTDOWN IMMEDIATE

STARTUP 

Disable  DB Vault in Oracle 12c

connect as the Oracle Database Owner (DV_OWNER) account, and then disable Oracle Database Vault.

SQL> CONNECT dvowner
Enter password:
Connected.
SQL> EXEC DBMS_MACADM.DISABLE_DV;
PL/SQL procedure successfully completed.
SQL> commit;
Commit complete.

and then restart the database;

CONNECT SYS AS SYSOPER
Enter password: password

SHUTDOWN IMMEDIATE

STARTUP 

 

Finding Oracle Users with Import – Export Privileges – 2

Oracle Users with  IMPORT/EXPORT  role -2  DATAPUMP_IMP_FULL_DATABASE

Export utilities are used for extracting database objects and data from database to a file, and Import utilities are used for importing these extracted files into databases. In order to run IMPORT/EXPORT utilities you would have to have system roles which are given below.

  • IMP_FULL_DATABASE
  • DATAPUMP_IMP_FULL_DATABASE
  • EXP_FULL_DATABASE
  • DATAPUMP_EXP_FULL_DATABASE

These privileges should only be granted to authorized users. Normally database administrators should perform export and import operations. Therefore during our database assessment; we should find that these grants would only be given to DBA users.

If you want to list Oracle users  ( or roles ) which have DATAPUMP_IMP_FULL_DATABASE system role,  we could use the below query.  This query is developed by hierarchical query technique. Same query can be used on Oracle 11g and Oracle 12c versions.

Capture

The text version of the SQL are given below
SELECT
DISTINCT A.GRANTEE,
A.GRANTED_ROLE,
‘DATAPUMP_IMP_FULL_DATABASE’ GRANTED_CRITIC_ROLE
FROM
(
SELECT
DISTINCT LEVEL LEVEL_DEEP,
GRANTEE,
GRANTED_ROLE
FROM
DBA_ROLE_PRIVS
START WITH GRANTED_ROLE = ‘DATAPUMP_IMP_FULL_DATABASE’
CONNECT BY PRIOR GRANTEE = GRANTED_ROLE
) A,
DBA_USERS B
WHERE
A.GRANTEE = B.USERNAME
AND B.USERNAME NOT IN(
‘SYSTEM’,
‘SYS’
)
AND B.ACCOUNT_STATUS = ‘OPEN’;

 

In order to list users with DATAPUMP_IMP_FULL_DATABASE   in the multitenant architecture, we use the below query.

 

Capture

The text version of this query is given below.

SELECT
DISTINCT A.GRANTEE,
A.GRANTED_ROLE,
B.COMMON,
C.NAME,
‘DATAPUMP_IMP_FULL_DATABASE’ GRANTED_CRITIC_ROLE
FROM
(
SELECT
DISTINCT LEVEL LEVEL_DEEP,
GRANTEE,
GRANTED_ROLE,
CON_ID
FROM
CDB_ROLE_PRIVS
START WITH GRANTED_ROLE = ‘DATAPUMP_IMP_FULL_DATABASE’
CONNECT BY PRIOR GRANTEE = GRANTED_ROLE
AND PRIOR CON_ID = CON_ID
) A,
CDB_USERS B,
V$CONTAINERS C
WHERE
A.GRANTEE = B.USERNAME
AND B.USERNAME NOT IN(
‘SYSTEM’,
‘SYS’
)
AND B.ACCOUNT_STATUS = ‘OPEN’
AND A.CON_ID = C.CON_ID
AND B.CON_ID = C.CON_ID ;

 

Finding  users with  EXP_FULL_DATABASE Role;

Capture

And the last one DATAPUMP_EXP_FULL_DATABASE ;

Capture.JPG

 

Now look the the same SQLs in Multitenant Architecture ;

EXP_FULL_DATABASE Role for Multitenant Architecture

Capture

 

And the last one DATAPUMP_EXP_FULL_DATABASE for Multitenant Architecture

Capture

 

If we want to revoke IMPORT/EXPORT privileges from a user;  we could use below commands

 

REVOKE IMP_FULL_DATABASE FROM UserName;

REVOKE DATAPUMP_ FULL_DATABASE FROM UserName;

REVOKE EXP_FULL_DATABASE FROM UserName;

REVOKE DATAPUMP_EXP_FULL_DATABASE FROM UserName;

Oracle DB Vault New Features in Oracle 12c R1 – Part1 : Changes at DB Vault Installation

There are many changes at Oracle DB Vault in Oracle 12c version. At this note I will give you information about  the change at DB  Vault Installation .

  1. DB Vault Installation

At Oracle 11g version you need to  relink Oracle binary before installing Oracle DB Vault. You do not need this operation in Oracle 12c.

At Oracle 11g version you need to relink binary with chopt command like below

$ chopt enable lbac

$ chopt enable dv

And You do not need in Oracl 12c vesion

In order to install and configure DB Vault In Oracle 11g version, you have to use dbca. At Oracle 12c you only need dbca to install Oracle Label Security and Oracle DB vault component . You can use DVSYS.CONFIGURE_DV packet to configure DB vault. Actually still you can do this configuration with dbca but it is optional.

DB Vault component installation is made with this page in  dbca in Oracle 12c version.

Capture

And DB Vault configuration can be made by dbca but It is optional

Capture

This gives us flexibility ; During database installation DBAs can install Oracle DB Vault without making any configuration on it. After the DB Vault installation is completed, you can make DB Vault configuration as a security officer without DBA intervention.

The below  query shows that DB Vault component is installed. But It does not mean that It is enabled.

SQL> select comp_id,status from dba_registry where comp_id in (‘OLS’,’DV’);

COMP_ID STATUS
—————————— ———–
DV VALID
OLS VALID

With DVSYS.CONFIGURE_DV; you can mention which user is DB Vault admin and which user database account manager.

SQL> BEGIN
2 DVSYS.CONFIGURE_DV (
3 dvowner_uname => ‘dvowner’,
4 dvacctmgr_uname => ‘dvacctmngr’);
5 END;
6 /

PL/SQL procedure successfully completed.

This packet is new in Oracle 12c and It gives us flexibility to security officer to configure DB vault alone. After DB Vault component installation tou do not need to rebound the database bu you need to run utlrp.sql to compile all invalid objects.

 

 

 

 

 

Installing Oracle DB Vault to Oracle 11g Database

Installing Oracle DB Vault to Oracle 11g Database

At this document; I will show you how you can install Oracle DB vault to Oracle 11g Database.

Step 1: Check If DB Vault installed before

We use GV$OPTION view to check this. I checked DB vault in two nodes RAC database.

SQL> column parameter format a25

SQL> column value format a25

SQL> SELECT * FROM gV$OPTION WHERE PARAMETER in ( ‘Oracle Database Vault’,’Oracle Label Security’);

INST_ID|PARAMETER |VALUE

———-|————————-|————————-

1|Oracle Label Security |FALSE

1|Oracle Database Vault |FALSE

2|Oracle Label Security |FALSE

2|Oracle Database Vault |FALSE

If Oracle database Vault and Oracle Label Security are already installed ( It means all TRUE returned from this query ) goto step 3;

Step 2: Enable Oracle Label Security and Oracle DB Vault

2.1 Close the Database

Shutdown Oracle database , stop listener ( If you opened a listener with this binary ) and stop enterprise manager ( If Enterprise manager uses this binary )

SQL> SHUTDOWN IMMEDIATE

$ lsnrctl stop listener

$ emctl stop dbconsole

2.2 Enable DB Vault Binaries

Now enable Oracle Label Security and Oracle database vault consequently with the following commands

$ chopt enable lbac

$ chopt enable dv

2.3 Open the Database

After enabling Oracle Label security and DB vault you have to open database and other closed applications.

SQL> startup

$ lsnrctl start listener

$ emctl start dbconsole

2.4 Check if Binaries linked properly

Now Check DB vault and Oracle Label Security.

SQL> column parameter format a25

SQL> column value format a25

SQL> SELECT * FROM gV$OPTION WHERE PARAMETER in ( ‘Oracle Database Vault’,’Oracle Label Security’);

INST_ID|PARAMETER |VALUE

———-|————————-|————————-

1|Oracle Label Security |TRUE

1|Oracle Database Vault |TRUE

2|Oracle Label Security |TRUE

2|Oracle Database Vault |TRUE

All returned values have to be TRUE

Step 3 : Install DB Vault

Now It is time  to install DB vault. Start installation with dbca

$ dbca

Choose Configure database option.

null

Chose the correct DB name to install DB vault.( If there are multiple instances at the same ORACLE_HOME)

null

Skip Enterprise Manager Configuration

null

Now Chose Oracle LAbel Security and Oracle Database Vault to install them

null

Now enter the usernames and passwords for Database Vault Owner and Account Manager separately.

null

Chose Finish to start the Installation

null

Now the installation will start

null

After this windows and the installation window will appear and shows the status of installation. After the installation finishes you can close dbca.

Now you installed Oracle DB Vault to your database. Just connect with  DB Owner and Account Manager usernames to the database to check the installation

At the following notes I will show you how you can manage Oracle DB Vault.

Creating Oracle Users

At this note; I will teach you how you can create a simple Oracle user. In fact there are many types of Oracle users , but at this note we only discuss about simple Oracle users.

To create an Oracle user first you need CREATE USER privilege. When you create a new database ; SYS user has DBA role and consequently has CREATE USER privilege.

Now check which users have  CREATE USER privilege with the below  query;

select grantee from dba_sys_privs where privilege=’CREATE USER’;
GRANTEE
——————————
DBA
SYS
APEX_040000
IMP_FULL_DATABASE

At the simplest way you can create an Oracle user with the below command. This command work on Oracle 11g and Oracle 12c databases.

CREATE USER test01
IDENTIFIED BY oracle
DEFAULT TABLESPACE users
QUOTA 500K ON users
TEMPORARY TABLESPACE temp
PROFILE DEFAULT;
User created.

This command was run by SYS user. You can find all details about CREATE USER command at Oracle documents.

https://docs.oracle.com/cd/B28359_01/server.111/b28286/statements_8003.htm#SQLRF01503

https://docs.oracle.com/database/121/SQLRF/statements_8003.htm#SQLRF01503

 

After creating an Oracle user ;  you should give CREATE SESSION privilege  to the user. By this way your created user can connect to Oracle database. Otherwise It can not connect to the database.

SQL> Grant CREATE SESSION to test01;
Grant succeeded.

As you see; this user has very simple password.  Simple passwords are  not a good way to protect our users. The complex passwords is the first defense line to protect our databases. User password should be complex to predict by others. This is the first very important rule to protect our databases. At the same time you should not share the passwords with other persons. The passwords should only be known with the person to know.  And you should change the passwords periodically.

Put in a nut shell.

The simple rules to protect Database users is to manage user passwords correctly with below methods.

  • Use complex passwords
  • Do not share your passwords
  • The passwords should only be known with the person to know
  • Change your passwords periodically.

 

At the next notes I will write about how we can achive these goals.

 

 

 

 

How to find hidden granted roles at Oracle Database

This is very critical issue to find hidden granted roles to any user. For example If you want to find users whose have granted DBA roles.Normally , you can use below query at your database

SELECT GRANTEE, GRANTED_ROLE   FROM DBA_ROLE_PRIVS

WHERE GRANTED_ROLE=’DBA’

AND GRANTEE NOT IN (‘SYS’,’SYSTEM’);

But this kind of search does not show DBA users all time.

Lets give an example ;

We have an user named  appuser03 and we have two roles;  admin_role and admin_role01

Now ; give DBA grant to admin_role01 and assign   admin_role01 to admin_role and at the end assign admin_role to appuser03;

Let’s show it;

SQL> create role admin_role01;

Role created.

SQL> create role admin_role;

Role created.

SQL> grant dba to admin_role01;

Grant succeeded.

SQL> grant admin_role01 to admin_role;

Grant succeeded.

SQL> grant admin_role to appuser03;

Grant succeeded.

Now check the DBA users at your database;

SQL>

SELECT GRANTEE, GRANTED_ROLE
FROM DBA_ROLE_PRIVS
WHERE GRANTED_ROLE=’DBA’
AND GRANTEE NOT IN (‘SYS’,’SYSTEM’);

GRANTEE                GRANTED_ROLE
————       —————–
ADMIN_ROLE01     DBA

As you see;  you can not see that APPUSER03 have DBA grant you still you have to make investigation about Admin_role01 to find APPUSER03 have DBA grant.

Instead use hierarchical  queries ; like this

SELECT DISTINCT a.grantee , granted_role
FROM
(
SELECT DISTINCT LEVEL level_deep, grantee, granted_role
FROM dba_role_privs
START WITH granted_role = ‘DBA’
CONNECT BY PRIOR grantee = granted_role ) a, dba_users b
WHERE a.GRANTEE = b.USERNAME AND
b.USERNAME NOT IN (‘SYSTEM’,’SYS’) AND
b.ACCOUNT_STATUS = ‘OPEN’

GRANTEE            GRANTED_ROLE
——————– ——————–
APPUSER03          ADMIN_ROLE

Bingo, at this query you can find that APPUSER03 have DBA role via ADMIN_ROLE role. Simply  you should revoke ADMIN_ROLE from APPUSER03 .

By hierarchical queries ; you can see which roles are granted to other roles.

The hierarchy of granted roles are shown below.

SQL>

SELECT DISTINCT LEVEL level_deep, grantee,granted_role
FROM  dba_role_privs WHERE grantee NOT in (‘SYS’,’SYSTEM’)
START WITH granted_role = ‘DBA’
CONNECT BY PRIOR grantee = granted_role
ORDER BY level_deep desc

LEVEL_DEEP   GRANTEE        GRANTED_ROLE
----------  -----------     --------------------
 3          APPUSER03        ADMIN_ROLE
 2          ADMIN_ROLE       ADMIN_ROLE01
 1          ADMIN_ROLE01     DBA

 

You can use this query to find other granted system roles like EXP_FULL_DATABASE or IMP_FULL_DATABASE ..

See you on the next note.

Anil Akduygu.