The Geek Diary
What are Oracle Database Vault Schemas

By admin

Two other accounts are created in a Database Vault installation; they are locked and are not intended to be used to connect in a session. They hold the schemas for Database Vault-specific objects. The DVSYS schema contains:

  • The views that display information about all the Database Vault objects
  • The packages that provide the Database Vault API functionality
  • Realm definitions, command rule definitions, and other Database Vault definitions that have been configured
  • The Database Vault audit information. Note that in a database with unified auditing enabled, the Database Vault audit information is stored in SYS schema tables.

The DVF schema contains all the Database Vault functions used to retrieve factor identities.

What to Expect After You Enable Database Vault

One common audit problem that has affected several large organizations is the unauthorized creation of new database accounts by a database administrator within a production instance. Upon installation, Database Vault prevents anyone other than the Database Vault account manager or a user granted the Database Vault account manager role from creating users in the database.

To meet regulatory, privacy, and other compliance requirements, Database Vault implements the concept of separation of duty. Database Vault makes a clear separation between the account management responsibility, data security responsibility, and database resource management responsibility inside the database. This means that the concept of a super privileged user (for example, DBA) is divided among several new database roles to ensure that no one user has full control over both the data and configuration of the system. Database Vault prevents the SYS user and other accounts with the DBA role and other system privileges from accessing designated protected areas of the database called realms.

If you configure Database Vault and decide not to use unified auditing, Database Vault configures several AUDIT statements in the database.

Database Parameters Altered During Configuration

Parameter                  Default Value    New Value
-------------------------  ---------------  ---------
AUDIT_SYS_OPERATIONS       FALSE            TRUE
OS_ROLES                   Not Configured   FALSE
RECYCLEBIN                 ON               OFF
REMOTE_LOGIN_PASSWORDFILE  EXCLUSIVE        EXCLUSIVE
SQL92_SECURITY             FALSE            TRUE

The Database Vault configuration modifies several database initialization parameter settings to harden your database configuration. If these changes adversely affect your organizational processes or database maintenance procedures, you can revert to the original settings. The parameters are changed regardless of whether they held a default or a custom value before the Database Vault configuration:

  • AUDIT_SYS_OPERATIONS = TRUE: This enables auditing of operations issued by the SYS user and by users connecting with the SYSDBA or SYSOPER privilege.
  • OS_ROLES = FALSE: This prevents the operating system from managing the granting and revoking of roles to users.
  • RECYCLEBIN = OFF: This turns off the recycle bin so that dropped tables do not go into it. If the recycle bin is enabled, a realm-protected object that is dropped would go into the recycle bin, where it would no longer be protected by the realm.
  • REMOTE_LOGIN_PASSWORDFILE = EXCLUSIVE: This enforces the use of a password file to authenticate users.
  • SQL92_SECURITY = TRUE: This specifies that users must have been granted the SELECT object privilege on a table to execute UPDATE and DELETE statements that reference that table in a WHERE or SET clause.
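A quick way to detect drift from these settings is to compare V$PARAMETER against the values in the table above. The query below is an added example, not part of the original article; it assumes you run it in the Database Vault-enabled database (or PDB) as a user who can read V$PARAMETER, and it flags any parameter that no longer holds the value Database Vault set:

```sql
-- Added check (not from the article): compare current initialization
-- parameters with the values Database Vault sets during configuration.
-- Expected values are taken from the table above. V$PARAMETER stores
-- parameter names in lowercase; values are compared case-insensitively
-- because RECYCLEBIN reports 'on'/'off'.
WITH expected (param_name, dv_value) AS (
  SELECT 'audit_sys_operations',      'TRUE'      FROM dual UNION ALL
  SELECT 'os_roles',                  'FALSE'     FROM dual UNION ALL
  SELECT 'recyclebin',                'OFF'       FROM dual UNION ALL
  SELECT 'remote_login_passwordfile', 'EXCLUSIVE' FROM dual UNION ALL
  SELECT 'sql92_security',            'TRUE'      FROM dual
)
SELECT e.param_name,
       e.dv_value                                   AS expected_value,
       p.value                                      AS current_value,
       CASE
         WHEN UPPER(p.value) = e.dv_value THEN 'OK'
         ELSE 'DRIFT'                      -- value changed or parameter missing
       END                                          AS status
FROM   expected e
       LEFT JOIN v$parameter p ON p.name = e.param_name
ORDER  BY e.param_name;
```

Any row reporting DRIFT means someone reverted a setting after Database Vault was configured; the RECYCLEBIN row in particular is worth alerting on, because re-enabling it lets dropped realm-protected objects escape realm protection.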

Revoked Privileges

When you install Database Vault, it revokes a set of privileges from several Oracle Database-supplied users and roles, as part of the separation of duty and to help achieve a least-privilege model that makes the databases and applications more secure.

Privileges that are revoked from existing users and roles:

DBA role:

  • SELECT ANY TRANSACTION
  • CREATE ANY JOB
  • CREATE EXTERNAL JOB
  • EXECUTE ANY PROGRAM
  • EXECUTE ANY CLASS
  • MANAGE SCHEDULER
  • DEQUEUE ANY QUEUE
  • ENQUEUE ANY QUEUE
  • MANAGE ANY QUEUE

EXECUTE_CATALOG_ROLE role:

  • EXECUTE ON DBMS_LOGMNR
  • EXECUTE ON DBMS_LOGMNR_D
  • EXECUTE ON DBMS_LOGMNR_LOGREP_DICT
  • EXECUTE ON DBMS_LOGMNR_SESSION
  • EXECUTE ON DBMS_FILE_TRANSFER

IMP_FULL_DATABASE role:

  • BECOME USER
  • MANAGE ANY QUEUE

PUBLIC role:

  • EXECUTE ON UTL_FILE

SCHEDULER_ADMIN role:

  • CREATE ANY JOB
  • CREATE EXTERNAL JOB
  • EXECUTE ANY PROGRAM
  • EXECUTE ANY CLASS
  • MANAGE SCHEDULER
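Because these revocations are only as good as the day they were applied, a practitioner will want to confirm periodically that none of the privileges above have been re-granted. The query below is an added example, not from the original article; it assumes a DBA-level session with access to DBA_SYS_PRIVS and DBA_TAB_PRIVS, and returns one row for every listed privilege that is still (or again) held by the role or by PUBLIC, so an empty result is the expected state:

```sql
-- Added verification (not from the article): list any privilege from the
-- "Revoked Privileges" section that is still held by the named grantee.
-- DBA_SYS_PRIVS lists roles as grantees, so no role-specific view is needed.
SELECT grantee, privilege AS held_privilege
FROM   dba_sys_privs
WHERE  grantee = 'DBA'
AND    privilege IN ('SELECT ANY TRANSACTION', 'CREATE ANY JOB',
                     'CREATE EXTERNAL JOB', 'EXECUTE ANY PROGRAM',
                     'EXECUTE ANY CLASS', 'MANAGE SCHEDULER',
                     'DEQUEUE ANY QUEUE', 'ENQUEUE ANY QUEUE',
                     'MANAGE ANY QUEUE')
UNION ALL
SELECT grantee, privilege
FROM   dba_sys_privs
WHERE  grantee = 'SCHEDULER_ADMIN'
AND    privilege IN ('CREATE ANY JOB', 'CREATE EXTERNAL JOB',
                     'EXECUTE ANY PROGRAM', 'EXECUTE ANY CLASS',
                     'MANAGE SCHEDULER')
UNION ALL
SELECT grantee, privilege
FROM   dba_sys_privs
WHERE  grantee = 'IMP_FULL_DATABASE'
AND    privilege IN ('BECOME USER', 'MANAGE ANY QUEUE')
UNION ALL
-- Object privileges: EXECUTE on the LogMiner / file-transfer packages
SELECT grantee, privilege || ' ON ' || owner || '.' || table_name
FROM   dba_tab_privs
WHERE  grantee = 'EXECUTE_CATALOG_ROLE'
AND    privilege = 'EXECUTE'
AND    table_name IN ('DBMS_LOGMNR', 'DBMS_LOGMNR_D',
                      'DBMS_LOGMNR_LOGREP_DICT', 'DBMS_LOGMNR_SESSION',
                      'DBMS_FILE_TRANSFER')
UNION ALL
-- PUBLIC must not regain EXECUTE on UTL_FILE (file-system access)
SELECT grantee, privilege || ' ON ' || owner || '.' || table_name
FROM   dba_tab_privs
WHERE  grantee = 'PUBLIC'
AND    privilege = 'EXECUTE'
AND    table_name = 'UTL_FILE'
ORDER  BY 1, 2;
```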

Prevented Privileges

The privileges listed below are prevented for all users and roles that have been granted these privileges, including users SYS and SYSTEM. This reduces the attack surface that a potential intruder can misuse.

  • CREATE USER
  • ALTER USER
  • DROP USER
  • CREATE PROFILE
  • ALTER PROFILE
  • DROP PROFILE

Securing Data in Multitenant Environments

In a Container Database, the DVSYS and DVF schemas are common users stored in the root. Configure and enable Database Vault at the pluggable database (PDB) level. Database Vault policies are scoped to individual pluggable databases, including realms, rules, rule sets, command rules, and secure application roles. This means that each PDB has its own Database Vault metadata.

  1. Connect to the PDB as SYS to create the users representing the Database Vault owner and the optional Database Vault account manager as local users.
  2. Connect to the PDB as LEO_DVOWNER to configure and enable Database Vault.
  3. Connect to the PDB as SYS to restart the PDB.
  4. Check that Database Vault is enabled in the PDB:
    SQL> select parameter, value from v$option
      2  where parameter like '%Vault';
    PARAMETER                      VALUE
    ------------------------------ -------
    Oracle Database Vault          TRUE
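The four steps above, written out as a SQL*Plus script. This is an added example and not the article's own script; it assumes a PDB named PDB1, the user names LEO_DVOWNER and LEO_DVACCTMGR, placeholder passwords, and that Database Vault is registered through the DBMS_MACADM.CONFIGURE_DV and DBMS_MACADM.ENABLE_DV procedures (CONFIGURE_DV must be run by SYS, so the configure part of step 2 runs in the SYS session of step 1 and only ENABLE_DV runs as the owner):

```sql
-- Added example (not from the article): enable Database Vault in one PDB.
-- Placeholders: PDB1, <owner_password>, <acctmgr_password>.

-- Step 1: as SYS in the PDB, create the DV owner and account manager
--         as LOCAL users (CONTAINER = CURRENT keeps them out of the root).
CONNECT sys@pdb1 AS SYSDBA
CREATE USER leo_dvowner   IDENTIFIED BY "<owner_password>"   CONTAINER = CURRENT;
CREATE USER leo_dvacctmgr IDENTIFIED BY "<acctmgr_password>" CONTAINER = CURRENT;
GRANT CREATE SESSION TO leo_dvowner, leo_dvacctmgr;   -- needed to connect below

-- Step 2a: still as SYS, register the two accounts with Database Vault.
BEGIN
  DBMS_MACADM.CONFIGURE_DV(
    dvowner_uname   => 'leo_dvowner',
    dvacctmgr_uname => 'leo_dvacctmgr');
END;
/
@?/rdbms/admin/utlrp.sql                              -- recompile invalid objects

-- Step 2b: as the DV owner, enable Database Vault in this PDB.
CONNECT leo_dvowner@pdb1
EXEC DBMS_MACADM.ENABLE_DV;

-- Step 3: as SYS in the PDB, restart the PDB so enforcement starts.
CONNECT sys@pdb1 AS SYSDBA
ALTER PLUGGABLE DATABASE pdb1 CLOSE IMMEDIATE;
ALTER PLUGGABLE DATABASE pdb1 OPEN;

-- Step 4: confirm Database Vault reports TRUE for this PDB.
SELECT parameter, value
FROM   v$option
WHERE  parameter LIKE '%Vault';
```

Run the script once per PDB that needs protection; because the policy metadata is scoped per PDB, enabling Database Vault in PDB1 does nothing for its siblings.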

Filed Under: oracle

© 2021 · The Geek Diary