Two other accounts are created by a Database Vault installation. Both are locked and are not meant to be used for logging in; they hold the schemas for Database Vault-specific objects. The DVSYS schema contains:
- The views that display information about all the Database Vault objects
- The packages that provide the Database Vault API functionality
- Realm definitions, command rule definitions, and other Database Vault definitions that have been configured
- The Database Vault audit information. Note that in a database with unified auditing enabled, the Database Vault audit information is stored in SYS schema tables rather than in DVSYS.
The DVF schema contains all the Database Vault functions used to retrieve factor identities.
What to Expect After You Enable Database Vault
One common audit problem that has affected several large organizations is the unauthorized creation of new database accounts by a database administrator within a production instance. Upon installation, Database Vault prevents anyone other than the Database Vault account manager or a user granted the Database Vault account manager role from creating users in the database.
To meet regulatory, privacy, and other compliance requirements, Database Vault implements the concept of separation of duty. Database Vault makes a clear separation between the account management responsibility, data security responsibility, and database resource management responsibility inside the database. This means that the concept of a super privileged user (for example, DBA) is divided among several new database roles to ensure that no one user has full control over both the data and configuration of the system. Database Vault prevents the SYS user and other accounts with the DBA role and other system privileges from accessing designated protected areas of the database called realms.
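The realm behaviour described above, as an added example that is not part of the original page: a realm placed around a hypothetical HR schema so that SYS and DBA-role users can no longer reach it through their system privileges. The schema name HR, the application account HR_APP, the table EMPLOYEES and the realm name are assumptions; the DBMS_MACADM and DBMS_MACUTL calls are the standard Database Vault API. Run as the Database Vault owner.

```sql
-- Added example (not from the original page). HR, HR_APP, HR.EMPLOYEES and
-- the realm name are assumptions. Run as the Database Vault owner (DV_OWNER).

-- 1. Create the realm. realm_type 0 = regular realm: it blocks access that
--    relies on system privileges such as SELECT ANY TABLE, which is how SYS
--    and DBA-role users normally reach other schemas. realm_type 1 (mandatory)
--    would additionally block the object owner and direct object grants.
BEGIN
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR Data Realm',
    description   => 'Keeps HR data away from privileged database accounts',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL,   -- audit failed attempts
    realm_type    => 0);
END;
/

-- 2. Put every object in the HR schema under the realm ('%' wildcards).
BEGIN
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR Data Realm',
    object_owner => 'HR',
    object_name  => '%',
    object_type  => '%');
END;
/

-- 3. Authorize only the application account. A participant can use its own
--    privileges inside the realm; a realm owner (G_REALM_AUTH_OWNER) could
--    also grant and revoke privileges on the realm's objects.
BEGIN
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'HR Data Realm',
    grantee       => 'HR_APP',
    rule_set_name => NULL,   -- no rule set: the authorization always applies
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/

-- 4. Check the definition through the DVSYS-owned views.
SELECT name, enabled, realm_type
FROM   dba_dv_realm
WHERE  name = 'HR Data Realm';

SELECT grantee, auth_options
FROM   dba_dv_realm_auth
WHERE  realm_name = 'HR Data Realm';

-- 5. Effect. Connected as SYS (AS SYSDBA) or as any DBA-role user, the query
--    below now fails with ORA-01031: insufficient privileges, and the failed
--    attempt is recorded in the Database Vault audit trail. HR_APP and HR
--    itself still succeed, because a regular realm only neutralizes system
--    privileges.
SELECT COUNT(*) FROM hr.employees;
```

Two caveats a practitioner should keep in mind: a regular realm does nothing against an account that holds a direct object grant on HR tables or against the HR schema owner; if those must be controlled as well, use realm_type 1. And the realm protects the objects, not the dropped copies of them, which is why the configuration turns RECYCLEBIN off.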
When you configure Database Vault without unified auditing, Database Vault also issues several AUDIT statements to set up traditional auditing in the database.
Database Parameters Altered During Configuration
Parameter | Default Value | New Value |
---|---|---|
AUDIT_SYS_OPERATIONS | FALSE | TRUE |
OS_ROLES | Not Configured | FALSE |
RECYCLEBIN | ON | OFF |
REMOTE_LOGIN_PASSWORDFILE | EXCLUSIVE | EXCLUSIVE |
SQL92_SECURITY | FALSE | TRUE |
The Database Vault configuration modifies several database initialization parameter settings to better secure your database configuration. If these changes adversely affect your organizational processes or database maintenance procedures, you can revert to the original settings. The parameters are changed regardless of whether the parameter was a default or custom value before the Database Vault configuration:
- AUDIT_SYS_OPERATIONS = TRUE: This enables the auditing of operations that are issued by the SYS user and users connecting with the SYSDBA or SYSOPER privileges.
- OS_ROLES = FALSE: This stops the operating system from managing the granting and revoking of roles to users; role grants are managed inside the database only.
- RECYCLEBIN = OFF: This turns off the recycle bin so that dropped tables do not go into it. If the recycle bin were enabled, a realm-protected object that is dropped would go into the recycle bin, where it would no longer be protected by the realm.
- REMOTE_LOGIN_PASSWORDFILE = EXCLUSIVE: This enforces the use of a password file to authenticate users.
- SQL92_SECURITY = TRUE: This specifies that users must have been granted the SELECT object privilege on a table to execute UPDATE and DELETE statements in which that table is referenced in a WHERE or SET clause.
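A drift check for the five parameters listed above, as an added example that is not part of the original page. It compares the current V$PARAMETER values against the values the Database Vault configuration sets and flags any that have been reverted; the expected values are the page's table, the query itself is ours.

```sql
-- Added example (not from the original page): compare the running values of
-- the parameters Database Vault changes against the values it set.
-- Expected values are taken from the table above; the query is ours.
-- Run as a user with SELECT on V$PARAMETER (e.g. SYS or a DBA-role user).
WITH expected (name, expected_value) AS (
  SELECT 'audit_sys_operations',      'TRUE'      FROM dual UNION ALL
  SELECT 'os_roles',                  'FALSE'     FROM dual UNION ALL
  SELECT 'recyclebin',                'OFF'       FROM dual UNION ALL
  SELECT 'remote_login_passwordfile', 'EXCLUSIVE' FROM dual UNION ALL
  SELECT 'sql92_security',            'TRUE'      FROM dual
)
SELECT e.name,
       e.expected_value,
       p.value                                      AS current_value,
       p.isdefault,                                 -- TRUE if never set explicitly
       CASE
         WHEN p.value IS NULL                       THEN 'NOT FOUND'
         WHEN UPPER(p.value) = e.expected_value     THEN 'OK'
         ELSE                                            'DRIFT'
       END                                          AS status
FROM   expected e
       LEFT JOIN v$parameter p ON p.name = e.name   -- V$PARAMETER names are lowercase
ORDER  BY e.name;
```

Any row marked DRIFT means someone has reverted a setting after configuration, which the page explicitly allows; the check is what turns that allowance into something you can review, for instance by scheduling it and alerting when RECYCLEBIN comes back on, since that is the change that silently strips realm protection from dropped objects.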
Revoked Privileges
When you install Database Vault, it revokes a set of privileges from several Oracle Database-supplied users and roles, as part of the separation of duty and to help achieve a least-privilege model that makes the databases and applications more secure.
Privileges that are revoked from existing users and roles:
DBA role:
- SELECT ANY TRANSACTION
- CREATE ANY JOB
- CREATE EXTERNAL JOB
- EXECUTE ANY PROGRAM
- EXECUTE ANY CLASS
- MANAGE SCHEDULER
- DEQUEUE ANY QUEUE
- ENQUEUE ANY QUEUE
- MANAGE ANY QUEUE
EXECUTE_CATALOG_ROLE role:
- EXECUTE ON DBMS_LOGMNR
- EXECUTE ON DBMS_LOGMNR_D
- EXECUTE ON DBMS_LOGMNR_LOGREP_DICT
- EXECUTE ON DBMS_LOGMNR_SESSION
- EXECUTE ON DBMS_FILE_TRANSFER
IMP_FULL_DATABASE role:
- BECOME USER
- MANAGE ANY QUEUE
PUBLIC role:
- EXECUTE ON UTL_FILE
SCHEDULER_ADMIN role:
- CREATE ANY JOB
- CREATE EXTERNAL JOB
- EXECUTE ANY PROGRAM
- EXECUTE ANY CLASS
- MANAGE SCHEDULER
Prevented Privileges
The statements listed below are blocked for all users and roles that hold the corresponding privileges, including the users SYS and SYSTEM; only the Database Vault account manager can run them. This reduces the attack surface that a potential intruder can misuse.
- CREATE USER
- ALTER USER
- DROP USER
- CREATE PROFILE
- ALTER PROFILE
- DROP PROFILE
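A verification script for the two preceding sections (the revoked privileges and the prevented statements), as an added example that is not part of the original page. The privilege and package names are the page's lists; the queries are ours and assume a user who can read the DBA_* dictionary views and the DBA_DV_COMMAND_RULE view.

```sql
-- Added example (not from the original page). Privilege names come from the
-- lists above; the queries are ours. Run as SYS or a DBA-role user that can
-- read DBA_SYS_PRIVS, DBA_TAB_PRIVS and DBA_DV_COMMAND_RULE.

-- Part 1: grants that Database Vault is supposed to have revoked.
-- Expected result after configuration: no rows. Any row is a re-grant.
SELECT grantee, privilege
FROM   dba_sys_privs
WHERE  (grantee, privilege) IN (
         ('DBA', 'SELECT ANY TRANSACTION'), ('DBA', 'CREATE ANY JOB'),
         ('DBA', 'CREATE EXTERNAL JOB'),    ('DBA', 'EXECUTE ANY PROGRAM'),
         ('DBA', 'EXECUTE ANY CLASS'),      ('DBA', 'MANAGE SCHEDULER'),
         ('DBA', 'DEQUEUE ANY QUEUE'),      ('DBA', 'ENQUEUE ANY QUEUE'),
         ('DBA', 'MANAGE ANY QUEUE'),
         ('IMP_FULL_DATABASE', 'BECOME USER'),
         ('IMP_FULL_DATABASE', 'MANAGE ANY QUEUE'),
         ('SCHEDULER_ADMIN', 'CREATE ANY JOB'),
         ('SCHEDULER_ADMIN', 'CREATE EXTERNAL JOB'),
         ('SCHEDULER_ADMIN', 'EXECUTE ANY PROGRAM'),
         ('SCHEDULER_ADMIN', 'EXECUTE ANY CLASS'),
         ('SCHEDULER_ADMIN', 'MANAGE SCHEDULER'))
UNION ALL
-- EXECUTE grants on SYS packages revoked from EXECUTE_CATALOG_ROLE and PUBLIC.
SELECT grantee, privilege || ' ON ' || table_name
FROM   dba_tab_privs
WHERE  owner = 'SYS'
AND    privilege = 'EXECUTE'
AND    (grantee, table_name) IN (
         ('EXECUTE_CATALOG_ROLE', 'DBMS_LOGMNR'),
         ('EXECUTE_CATALOG_ROLE', 'DBMS_LOGMNR_D'),
         ('EXECUTE_CATALOG_ROLE', 'DBMS_LOGMNR_LOGREP_DICT'),
         ('EXECUTE_CATALOG_ROLE', 'DBMS_LOGMNR_SESSION'),
         ('EXECUTE_CATALOG_ROLE', 'DBMS_FILE_TRANSFER'),
         ('PUBLIC', 'UTL_FILE'))
ORDER  BY 1, 2;

-- Part 2: the command rules that enforce the "prevented" statements.
-- Each of the six commands should appear with ENABLED = 'Y'; a missing or
-- disabled row means SYS/SYSTEM can create or alter users and profiles again.
SELECT command, rule_set_name, enabled
FROM   dba_dv_command_rule
WHERE  command IN ('CREATE USER', 'ALTER USER',    'DROP USER',
                   'CREATE PROFILE', 'ALTER PROFILE', 'DROP PROFILE')
ORDER  BY command;
```

An empty Part 1 result only proves the listed roles no longer carry those grants. A user can still hold, say, CREATE ANY JOB or EXECUTE ON UTL_FILE directly or through another role, so extend the grantee list to the accounts you care about before treating the output as a least-privilege attestation.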
Securing Data in Multitenant Environments
In a Container Database, the DVSYS and DVF schemas are common users stored in the root. Configure and enable Database Vault at the pluggable database (PDB) level. Database Vault policies are scoped to individual pluggable databases, including realms, rules, rule sets, command rules, and secure application roles. This means that each PDB has its own database vault metadata.
- Connect to the PDB as SYS and create the users that will become the Database Vault owner and the optional Database Vault account manager, as local users.
- Connect to the PDB as LEO_DVOWNER to configure and enable Database Vault.
- Connect to the PDB as SYS and restart the PDB.
- Check that Database Vault is enabled in the PDB:

```sql
SQL> select parameter, value from v$option
  2  where parameter like '%Vault';

PARAMETER                      VALUE
------------------------------ -------
Oracle Database Vault          TRUE
```
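The PDB procedure above carried through end to end, as an added example that is not part of the original page. LEO_DVOWNER and LEO_DVACCTMGR are the page's account names; the PDB name pdb1 and the passwords are placeholders, and the CONNECT lines in comments assume SQL*Plus. The closing checks also cover the two locked DVSYS and DVF accounts described at the start of the section.

```sql
-- Added example (not from the original page). pdb1 and the passwords are
-- placeholders; LEO_DVOWNER / LEO_DVACCTMGR are the account names used above.

-- Step 1: as SYS in the PDB, create the local Database Vault accounts.
--   SQL> CONNECT sys@pdb1 AS SYSDBA
CREATE USER leo_dvowner   IDENTIFIED BY "ChangeMe_1";   -- placeholder password
CREATE USER leo_dvacctmgr IDENTIFIED BY "ChangeMe_2";   -- placeholder password
GRANT CREATE SESSION TO leo_dvowner, leo_dvacctmgr;

-- Step 2: as LEO_DVOWNER in the PDB, configure and then enable Database Vault.
--   SQL> CONNECT leo_dvowner@pdb1
BEGIN
  DBMS_MACADM.CONFIGURE_DV(
    dvowner_uname   => 'LEO_DVOWNER',
    dvacctmgr_uname => 'LEO_DVACCTMGR');
END;
/
-- Recompile objects invalidated by the configuration before enabling.
@?/rdbms/admin/utlrp.sql
EXEC DBMS_MACADM.ENABLE_DV;

-- Step 3: as SYS in the PDB, restart the PDB so the change takes effect.
--   SQL> CONNECT sys@pdb1 AS SYSDBA
ALTER PLUGGABLE DATABASE pdb1 CLOSE IMMEDIATE;
ALTER PLUGGABLE DATABASE pdb1 OPEN;

-- Step 4: verify.
-- 4a. The option flag shown on the page.
SELECT parameter, value FROM v$option WHERE parameter LIKE '%Vault';

-- 4b. Database Vault's own status view: both rows should read TRUE.
SELECT name, status
FROM   dba_dv_status
WHERE  name IN ('DV_CONFIGURE_STATUS', 'DV_ENABLE_STATUS');

-- 4c. The two schema-holding accounts must be locked, and in a CDB they are
--     common users stored in the root (COMMON = 'YES').
SELECT username, account_status, common
FROM   dba_users
WHERE  username IN ('DVSYS', 'DVF');

-- 4d. The new owner and account manager are local to this PDB (COMMON = 'NO').
SELECT username, account_status, common
FROM   dba_users
WHERE  username IN ('LEO_DVOWNER', 'LEO_DVACCTMGR');
```

Two practical notes: Oracle's documentation for some releases has CONFIGURE_DV run by SYS rather than by the future owner, so check the installation guide for your release before scripting step 2; and because Database Vault metadata is per PDB, every one of these steps, including the verification, has to be repeated in each PDB you want protected. Enabling it in one PDB says nothing about the others.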