Vault note: Factors





1 What Are Factors?

1.1 A factor is a named variable or attribute, such as a user location, database IP address, or session user, that Oracle Database Vault can recognize.

1.2 You can use factors for activities such as authorizing database accounts to connect to the database or creating filtering logic to restrict the visibility and manageability of data.

2 Default Factors

2.1 Oracle Database Vault provides a set of default factors.

2.2 For each of these factors, there is an associated function that retrieves the value of the factor.

2.3 You can create custom factors by using your own PL/SQL retrieval methods.

2.4 After you create the custom factor, you can query its value in the same way as the functions used to query the default factors.

3 Creating a Factor

3.1 Retrieval Method

3.1.1 Under Retrieval Method, enter a PL/SQL expression that retrieves the identity of a factor or a constant.

3.1.2 You can create your own PL/SQL retrieval methods, or use the functions supplied with Oracle Database Vault.

3.1.3 You can include any package function or standalone function in the expression.
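As an added example (not code from the note, and not Oracle's own documentation sample), the script below creates a custom factor whose retrieval method is a user-written PL/SQL function, then queries it through the same DVF.F$ interface as the default factors. The APPSEC schema, the function name and the factor name Connection_Path are assumptions; run it as a user holding the DV_OWNER or DV_ADMIN role, with the function created in APPSEC.

```sql
-- 1. The retrieval method. Any standalone or package function that returns a
--    scalar can be used. This one (an assumed helper, not part of Database
--    Vault) classifies how the session was opened: proxy or direct.
CREATE OR REPLACE FUNCTION appsec.get_connection_path RETURN VARCHAR2 IS
BEGIN
  IF SYS_CONTEXT('USERENV', 'PROXY_USER') IS NOT NULL THEN
    RETURN 'PROXY:' || SYS_CONTEXT('USERENV', 'PROXY_USER');
  END IF;
  RETURN 'DIRECT';
END;
/
-- The retrieval expression is evaluated by DVSYS, so DVSYS must be able to
-- execute the function.
GRANT EXECUTE ON appsec.get_connection_path TO DVSYS;

-- 2. The factor. identify_by = method means the identity is whatever the
--    retrieval method returns; eval_options = on session caches it at login,
--    which suits an attribute that cannot change during the session. Auditing
--    on a NULL or erroring retrieval catches a broken or revoked function.
BEGIN
  DBMS_MACADM.CREATE_FACTOR(
    factor_name      => 'Connection_Path',
    factor_type_name => 'Authentication Method',
    description      => 'Direct login or proxy authentication',
    rule_set_name    => NULL,                  -- no assignment rule set
    get_expr         => 'APPSEC.GET_CONNECTION_PATH',
    validate_expr    => NULL,
    identify_by      => DBMS_MACUTL.G_IDENTIFY_BY_METHOD,
    labeled_by       => DBMS_MACUTL.G_LABELED_BY_SELF,
    eval_options     => DBMS_MACUTL.G_EVAL_ON_SESSION,
    audit_options    => DBMS_MACUTL.G_AUDIT_ON_GET_ERROR
                        + DBMS_MACUTL.G_AUDIT_ON_GET_NULL,
    fail_options     => DBMS_MACUTL.G_FAIL_WITH_MESSAGE);
END;
/

-- 3. Confirm the definition was recorded, then query the factor exactly like
--    a default one. The DVF.F$ function exists only after the factor is
--    created, and an on-session factor is evaluated for sessions opened from
--    now on, so open a new session before checking the value.
SELECT name, factor_type_name, get_expr
  FROM DBA_DV_FACTOR
 WHERE name = 'Connection_Path';

SELECT DVF.F$CONNECTION_PATH FROM DUAL;

-- 4. The factor can now be referenced from a rule expression, for example
--    DVF.F$CONNECTION_PATH = 'DIRECT' to keep an operation off proxy sessions.
```

The factor function name is the upper-cased factor name prefixed with F$, which is why Connection_Path is queried as DVF.F$CONNECTION_PATH, mirroring the note's DVF.F$CLIENT_IP and DVF.F$SESSION_USER.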

4 Editing a Factor

5 Adding an Identity to a Factor

5.1 After you create a new factor, you optionally can add an identity to it. An identity is the actual value of the factor. For example, the identity of an IP_Address factor could be the IP address of 192.0.2.4.

5.2 A factor identity for a given database session is assigned at run time using the Factor Identification and Retrieval Method fields. You can further configure the identity for the following reasons:

5.2.1 To define the known identities for a factor

5.2.2 To add a trust level to a factor identity

5.2.3 To add an Oracle Label Security label to a factor identity

5.2.4 To resolve a factor identity through its child factors, by using Identity Mapping

6 Deleting a Factor

7 How Factors Work

7.1 Evaluation order

7.1.1 factor -> command rule -> rule set -> audit

8 Tutorial: Preventing Ad Hoc Tool Access to the Database

8.1 About This Tutorial

8.1.1 In some applications, non-administrative users are subject to access control implemented at the application level, but when the same users reach the database through a database tool such as SQL*Plus there is no restriction at all. This demonstration makes it impossible for such users to access the database through a tool.

8.1.2 Many database applications contain features to explicitly control the actions of a user.

8.1.3 However, an ad hoc query tool, such as SQL*Plus, may not have these controls. As a result, a user could use an ad hoc tool to perform actions in the database that he or she would normally be prevented from performing in a regular database application.

8.1.4 You can use a combination of Oracle Database Vault factors, rule sets, and command rules to prevent unauthorized access to the database by ad hoc query tools.

8.1.5 In the following tutorial, you limit the use of SQL*Plus to only four users: the Database Vault Owner, the Database Vault Account Manager, SYSTEM, and SYS.

8.1.6 To accomplish this, you must create a factor to find the applications on your system and a rule and rule set to limit SQL*Plus to these four users.

8.1.7 Then you create a command rule for the CONNECT SQL statement, which is associated with the rule set.

8.1.8 When you successfully complete this tutorial, then only the administrative users you specify should be able to connect to the database using SQL*Plus.

8.2 Step 1: Enable the SCOTT User Account

8.3 Step 2: Create the Module Factor


8.4 Step 3: Create the Limit SQL*Plus Access Rule and Rule Set


8.5 Step 4: Create the CONNECT Command Rule


8.6 Step 5: Test the Ad Hoc Tool Access Restriction

SQL> CONNECT system/oracle_4U

Connected.

SQL> connect scott/tigger

ERROR:

ORA-47400: Command Rule violation for CONNECT on LOGON

Warning: You are no longer connected to ORACLE.
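The note shows Steps 2 to 4 only as screenshots of the Database Vault Administrator pages. As an added example (not the note's code and not an Oracle sample), here is the equivalent done with the DBMS_MACADM API, followed by the checks for Step 5. The rule expression, the account names DBVOWNER and DBVACCTMGR for the Database Vault Owner and Account Manager, and the rule set's audit settings are assumptions; Module, Limit SQL*Plus Access and the CONNECT command rule are the objects the tutorial names. Run it as the Database Vault Owner.

```sql
-- Step 2: the Module factor, identified by its retrieval method. MODULE in
-- USERENV is the program name the client reports; SQL*Plus reports "SQL*Plus".
BEGIN
  DBMS_MACADM.CREATE_FACTOR(
    factor_name      => 'Module',
    factor_type_name => 'Application',
    description      => 'Program name reported by the connecting client',
    rule_set_name    => NULL,
    get_expr         => 'UPPER(SYS_CONTEXT(''USERENV'',''MODULE''))',
    validate_expr    => NULL,
    identify_by      => DBMS_MACUTL.G_IDENTIFY_BY_METHOD,
    labeled_by       => DBMS_MACUTL.G_LABELED_BY_SELF,
    eval_options     => DBMS_MACUTL.G_EVAL_ON_SESSION,
    audit_options    => DBMS_MACUTL.G_AUDIT_OFF,
    fail_options     => DBMS_MACUTL.G_FAIL_WITH_MESSAGE);
END;
/

-- Step 3: the rule and its rule set. The rule is true for any client that is
-- not SQL*Plus, or for one of the four permitted administrative users
-- (assumed names for the DV owner and account manager).
BEGIN
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Limit SQL*Plus Access',
    rule_expr => 'DVF.F$MODULE NOT LIKE ''SQL*PLUS%'' OR ' ||
                 'DVF.F$SESSION_USER IN (''DBVOWNER'',''DBVACCTMGR'',''SYSTEM'',''SYS'')');

  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Limit SQL*Plus Access',
    description     => 'Only named administrators may connect with SQL*Plus',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,  -- record every denial
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => NULL,
    fail_code       => NULL,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);

  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Limit SQL*Plus Access',
    rule_name     => 'Limit SQL*Plus Access');
END;
/

-- Step 4: attach the rule set to CONNECT for every user and object.
BEGIN
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'CONNECT',
    rule_set_name => 'Limit SQL*Plus Access',
    object_owner  => '%',
    object_name   => '%',
    enabled       => DBMS_MACUTL.G_YES);
END;
/

-- Step 5 checks: the command rule is in place, and (after the SCOTT attempt
-- in the note) the denial was audited. Run these from a permitted account.
SELECT command, rule_set_name, enabled
  FROM DBA_DV_COMMAND_RULE
 WHERE command = 'CONNECT';

SELECT username, action_command, rule_set_name, returncode, timestamp
  FROM DVSYS.AUDIT_TRAIL$
 WHERE rule_set_name = 'Limit SQL*Plus Access'
 ORDER BY timestamp DESC;
```

Two caveats for anyone deploying this rather than just following the tutorial. First, the audit query reads DVSYS.AUDIT_TRAIL$, which is where Database Vault 11g writes rule set audit records; on a 12c database with unified auditing enabled the records appear in UNIFIED_AUDIT_TRAIL instead. Second, the MODULE value is reported by the client, so a Module factor identifies the tool a session claims to be, not a verified property of the connection; treat the CONNECT rule as defense in depth alongside account and network controls, and keep the audit on failure enabled so that denied attempts are visible.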

9 Tutorial: Restricting User Activities Based on Session Data

9.1 About This Tutorial

9.1.1 Add factors for a specified IP address and a specified time window, evaluated at login, to restrict both login and specific operations on the database.

9.1.1.1 CREATE TABLE may only be executed during the specified time window and from the specified IP address.

9.1.2 You can use factor identity mapping to set session-based user restrictions for database activities.

9.1.3 For example, suppose you wanted to restrict administrative access to a database using the following criteria:

9.1.3.1 Ensure that the administrator is accessing the database from the correct IP address.

9.1.3.2 Limit the database access to the standard business hours of the administrator.

9.1.4 This type of configuration is useful for restricting different types of administrators: not only local, internal administrators, but offshore and contract administrators as well.

9.1.5 In this tutorial, you modify the Domain factor to include identities for a secure and non-secure network access, which are based on the IP address of the computer the administrator is using.

9.1.6 If the administrator tries to perform an action outside the standard working hours or from a different IP address, then Oracle Database Vault prevents him from doing so.

9.2 Step 2: Add Identities to the Domain Factor

9.3 Step 3: Map the Domain Factor Identities to the Client_IP Factor


SQL> connect dvam/oracle_4U

Connected.

SQL> create user mwaldron identified by oracle_4U;

User created.

SQL> connect / as sysdba

Connected.

SQL> grant create session, dba to mwaldron;

Grant succeeded.

SQL> connect mwaldron/oracle_4U

Connected.

SQL> SELECT DVF.F$CLIENT_IP FROM DUAL;

F$CLIENT_IP

--------------------------------------------------------------------------------

SQL> SELECT DVF.F$DOMAIN FROM DUAL;

F$DOMAIN

--------------------------------------------------------------------------------

NOT SECURE

SQL> connect mwaldron/oracle_4U@vault

Connected.

SQL> SELECT DVF.F$CLIENT_IP FROM DUAL;

F$CLIENT_IP

--------------------------------------------------------------------------------

192.168.40.203

SQL> SELECT DVF.F$DOMAIN FROM DUAL;

F$DOMAIN

--------------------------------------------------------------------------------

HIGHLY SECURE INTERNAL NETWORK

9.4 Step 4: Create a Rule Set to Set the Hours and Select the Factor Identity


9.5 Step 5: Create a Command Rule That Uses the Rule Set


9.6 Step 6: Test the Factor Identity Settings

[oracle@vault ~]$ date

Sat Apr 7 15:47:58 CST 2012

[oracle@vault ~]$ sqlplus /nolog

SQL*Plus: Release 11.2.0.3.0 Production on Sat Apr 7 15:48:09 2012

Copyright (c) 1982, 2011, Oracle. All rights reserved.

SQL> connect mwaldron/oracle_4U@vault

Connected.

SQL> create table test (num number);

create table test (num number)

*

ERROR at line 1:

ORA-47400: Command Rule violation for CREATE TABLE on MWALDRON.TEST

Change the system time so that it falls within the working hours defined in the rule set.

SQL> connect MWALDRON/oracle_4U@vault

Connected.

SQL> !date

Wed Apr 4 14:14:14 CST 2012

SQL> select TO_CHAR(SYSDATE, 'D') from dual;

T

-

4

SQL> select TO_CHAR(SYSDATE, 'HH24') from dual;

TO

14

SQL> select DVF.F$SESSION_USER from dual;

F$SESSION_USER

--------------------------------------------------------------------------------

MWALDRON

SQL> select DVF.F$DOMAIN from dual;

F$DOMAIN

--------------------------------------------------------------------------------

HIGHLY SECURE INTERNAL NETWORK

SQL> create table t (name varchar2(10));

Table created.

SQL> drop table t purge;

Table dropped.
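Section 5 describes identities, trust levels and identity mapping in the abstract, and Steps 2 to 5 of this tutorial apply them, again shown only as screenshots. As an added example (not the note's code and not an Oracle sample), the script below performs those steps with DBMS_MACADM and ends with the checks worth running before Step 6. The identity values HIGHLY SECURE INTERNAL NETWORK and NOT SECURE, the Domain and Client_IP factors, the MWALDRON schema and the weekday/hour tests come from the note; the IP ranges, the trust levels, the exact weekday and hour boundaries, and the rule and rule set names are assumptions. Run it as the Database Vault Owner.

```sql
-- Step 2: identities for the Domain factor. A positive trust level marks a
-- trusted identity, a negative one a distrusted identity.
BEGIN
  DBMS_MACADM.CREATE_IDENTITY(factor_name => 'Domain',
      value => 'HIGHLY SECURE INTERNAL NETWORK', trust_level => 10);
  DBMS_MACADM.CREATE_IDENTITY(factor_name => 'Domain',
      value => 'NOT SECURE', trust_level => -1);
END;
/

-- Step 3: resolve Domain through its child factor Client_IP. Domain must be
-- identified "by factors" (change it with DBMS_MACADM.UPDATE_FACTOR, which
-- takes the same arguments as CREATE_FACTOR, if yours is not), and Client_IP
-- must be linked as its child; skip ADD_FACTOR_LINK if the link exists.
BEGIN
  DBMS_MACADM.ADD_FACTOR_LINK(parent_factor_name => 'Domain',
      child_factor_name => 'Client_IP', label_indicator => 'N');
  DBMS_MACADM.CREATE_IDENTITY_MAP(
    identity_factor_name  => 'Domain',
    identity_factor_value => 'HIGHLY SECURE INTERNAL NETWORK',
    parent_factor_name    => 'Domain',
    child_factor_name     => 'Client_IP',
    operation             => 'BETWEEN',
    operand1              => '192.168.40.1',    -- assumed range
    operand2              => '192.168.40.250');
  DBMS_MACADM.CREATE_IDENTITY_MAP(
    identity_factor_name  => 'Domain',
    identity_factor_value => 'NOT SECURE',
    parent_factor_name    => 'Domain',
    child_factor_name     => 'Client_IP',
    operation             => 'BETWEEN',
    operand1              => '192.168.40.251',  -- assumed range
    operand2              => '192.168.40.255');
END;
/

-- Step 4: three rules that must all be true (EVAL_ALL). Day-of-week numbering
-- follows NLS_TERRITORY; with Sunday = 1, as in the note's output
-- (Wednesday = 4), the weekdays are 2..6.
BEGIN
  DBMS_MACADM.CREATE_RULE(rule_name => 'Internal DBA Weekday',
      rule_expr => 'TO_CHAR(SYSDATE, ''D'') BETWEEN ''2'' AND ''6''');
  DBMS_MACADM.CREATE_RULE(rule_name => 'Internal DBA Business Hours',
      rule_expr => 'TO_CHAR(SYSDATE, ''HH24'') BETWEEN ''08'' AND ''19''');
  DBMS_MACADM.CREATE_RULE(rule_name => 'Internal DBA Secure Network',
      rule_expr => 'DVF.F$DOMAIN = ''HIGHLY SECURE INTERNAL NETWORK''');

  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Internal DBA Standard Working Hours',
    description     => 'Weekday business hours from the secure network',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => NULL,
    fail_code       => NULL,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);

  DBMS_MACADM.ADD_RULE_TO_RULE_SET(rule_set_name => 'Internal DBA Standard Working Hours',
      rule_name => 'Internal DBA Weekday', rule_order => 1);
  DBMS_MACADM.ADD_RULE_TO_RULE_SET(rule_set_name => 'Internal DBA Standard Working Hours',
      rule_name => 'Internal DBA Business Hours', rule_order => 2);
  DBMS_MACADM.ADD_RULE_TO_RULE_SET(rule_set_name => 'Internal DBA Standard Working Hours',
      rule_name => 'Internal DBA Secure Network', rule_order => 3);
END;
/

-- Step 5: apply the rule set to CREATE TABLE in the MWALDRON schema.
BEGIN
  DBMS_MACADM.CREATE_COMMAND_RULE(command => 'CREATE TABLE',
      rule_set_name => 'Internal DBA Standard Working Hours',
      object_owner => 'MWALDRON', object_name => '%',
      enabled => DBMS_MACUTL.G_YES);
END;
/

-- Before Step 6: identity values are compared with the rule expression byte
-- for byte, so show them bracketed with their length to expose stray spaces.
SELECT '[' || value || ']' AS bracketed, LENGTH(value) AS len, trust_level
  FROM DBA_DV_IDENTITY
 WHERE factor_name = 'Domain';

-- From a fresh session of the user under test: exactly what the rules see.
SELECT DVF.F$CLIENT_IP, DVF.F$DOMAIN,
       TO_CHAR(SYSDATE, 'D') AS dow, TO_CHAR(SYSDATE, 'HH24') AS hh24
  FROM DUAL;
```

One caveat on the identity map: Client_IP is a string, so BETWEEN compares the addresses lexically, not numerically. The note's 192.168.40.203 sorts between '192.168.40.1' and '192.168.40.250', but an address such as 192.168.40.3 would not, so check every address your administrators actually connect from with the last query above rather than trusting the range on paper.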

10 Summary:

10.1 Adding factors makes Database Vault's control over the Oracle database more flexible and more fine-grained;

10.2 But because several functions have to be evaluated and matched (depending on the security logic), performance suffers once the logic becomes too complex;

10.3 While testing "Tutorial: Restricting User Activities Based on Session Data", the test failed because of an extra leading space in HIGHLY SECURE INTERNAL NETWORK, which cost a lot of troubleshooting time. Vault's rules are quite rigid: one space more or less produces the opposite result.




coded by nessus