Database Vault (DBV) and Realm Administration

DB: 11.2.0.4

At installation time, select the Database Vault component (on the screen where you choose Enterprise Edition or Standard Edition).
After the database has been created, use DBCA -> Database configuration to add Database Vault; you will be asked to create the DBV-related accounts.

Note: before DBCA actually starts adding DBV (before the progress-bar screen appears), restart the database (a pop-up window prompts you to do so). It must be started to the OPEN state.

When that completes, you can log in at https://hostname:port/dva to reach the web administration page (remember that the login there asks for the database host address and the listener port number).

DBV creates three accounts to implement separation of duties:
Security administrator: owner of the DBV objects, DV_OWNER, DV_ADMIN
Account administrator: responsible for account management commands, DV_ACCTMGR. SYS can no longer create users.
Operations administrator: responsible for grants and for protecting changes to security-related parameters. SYS will be the only user in that realm.


Realm administration

Creating a realm

Using an account that holds the DV_OWNER role:

    BEGIN
            dbms_macadm.create_realm(
               realm_name => 'Cust_Card_realm'
             , description => 'Protect customer and card details information'
             , enabled => dbms_macutl.g_yes
             , audit_options => dbms_macutl.g_realm_audit_fail
            );
    END;
    /

Adding the objects the realm protects

    BEGIN
         dbms_macadm.add_object_to_realm (
           realm_name => 'Cust_Card_realm'
          ,object_owner => 'HK'
          ,object_name => '%'
          ,object_type => '%'
          );
    END;
    /

    BEGIN
         dbms_macadm.add_object_to_realm (
           realm_name => 'Cust_Card_realm'
          ,object_owner => 'SOE'
          ,object_name => 'ORDERS'
          ,object_type => 'TABLE'
          );
    END;
    /





Privilege changes a realm brings about

1. If a role holds privileges on objects protected by the realm, then because a DBA has the GRANT privilege, the DBA can grant that role to himself and switch to it with SET ROLE, bypassing the realm's protection.
The remedy is to place the role under the realm's protection as well:

    BEGIN
         dbms_macadm.add_object_to_realm (
           realm_name => 'Cust_Card_realm'
          ,object_owner => 'SOE'
          ,object_name => 'SELECT_SOE_ROLE'
          ,object_type => 'ROLE'
          );
    END;
    /

2. A realm governs system ANY privileges. That means a realm authorization alone is useless without the ANY privilege; likewise, direct object privileges are unaffected by the realm.
3. The realm administrator itself cannot be granted realm authorizations, nor can it access database objects directly.
4. Once an object is protected by a realm, the object owner can still run SELECT, DML and EXECUTE against it, but DDL and GRANT operations are blocked.
5. Granting user accounts the authority to manage realm objects:
There are two kinds of realm authorization: realm owner and realm participant. The former can:
    1) grant and revoke privileges on realm-protected objects
    2) grant and revoke realm-protected roles

a. Create the user accounts with an account that holds the DV_ACCTMGR role

    SQL> show user
    USER is "DBVACCMGR"
    SQL>
    SQL> create user batman identified by batman;

    User created.

    SQL> create user robin identified by robin;

    User created.

b. Grant the application administrators ANY privileges using the SYS account

    SQL> connect / as sysdba
    Connected.
    SQL> grant dba to batman;

    Grant succeeded.

    SQL> grant dba to robin;

    Grant succeeded.

c. Grant the realm authorizations

    -- realm owner (must name the realm created above)
    BEGIN
      dbms_macadm.add_auth_to_realm (
          realm_name => 'Cust_Card_realm'
        , grantee => 'BATMAN'
        , rule_set_name => NULL
        , auth_options => dbms_macutl.g_realm_auth_owner );
    END;
    /
    -- realm participant
    BEGIN
      dbms_macadm.add_auth_to_realm (
          realm_name => 'Cust_Card_realm'
        , grantee => 'ROBIN'
        , rule_set_name => NULL
        , auth_options => dbms_macutl.g_realm_auth_participant );
    END;
    /

d. Then log in as BATMAN and ROBIN to perform administration tasks on the objects inside the realm,
such as DDL statements, GRANT/REVOKE statements and role management.
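As an added check for the gap described in point 1 (not part of the original post): the query below, run from a DV_OWNER or DV_SECANALYST account, lists roles that hold object privileges on objects protected by Cust_Card_realm but have not themselves been added to the realm as ROLE objects. The realm name and the HK/SOE schemas come from the steps above; DVSYS.DBA_DV_REALM_OBJECT is the Database Vault 11g dictionary view of realm-protected objects.

```sql
-- Roles that carry object privileges on Cust_Card_realm objects but are not
-- realm-protected themselves. Each row is a role a DBA could still grant to
-- himself and enable with SET ROLE (point 1 above).
SELECT DISTINCT p.grantee      AS unprotected_role,
       p.owner, p.table_name, o.object_type, p.privilege
FROM   dba_tab_privs p
JOIN   dba_roles   r ON r.role = p.grantee           -- grantee is a role, not a user
JOIN   dba_objects o ON o.owner = p.owner
                    AND o.object_name = p.table_name
JOIN   dvsys.dba_dv_realm_object ro
       ON  ro.realm_name  = 'Cust_Card_realm'
       AND ro.object_type <> 'ROLE'                  -- only the data objects here
       AND ro.owner = o.owner
       AND o.object_name LIKE ro.object_name         -- '%' in the realm = every object
       AND o.object_type LIKE ro.object_type         -- '%' in the realm = every type
WHERE  NOT EXISTS (
         SELECT 1
         FROM   dvsys.dba_dv_realm_object x
         WHERE  x.realm_name  = ro.realm_name
         AND    x.object_type = 'ROLE'
         AND    x.object_name = p.grantee)           -- role already protected
ORDER  BY 1, 2, 3;
```

With the steps above applied, SELECT_SOE_ROLE no longer appears in the result; any role that does appear should be added to the realm with add_object_to_realm as shown for SELECT_SOE_ROLE.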

Using a Secure Application Role (SAR) to manage objects inside a realm

Unlike the realm owner/participant authorizations in the example above, which deal with system privileges, a SAR mainly deals with object privileges.

Excerpted from the original book:

    dbvowner@aos> -- create the DBV Secure Application Role
    dbvowner@aos> BEGIN
        dbms_macadm.create_role(
           role_name     => 'SALES_ARCHIVE_ROLE'
         , enabled       => 'Y'
         , rule_set_name => 'Is System Maintenance Allowed'
         );
    END;
    /
    PL/SQL procedure successfully completed.
    dbvowner@aos> -- protect the role in the Sales History realm
    dbvowner@aos> BEGIN
        dbms_macadm.add_object_to_realm (
          realm_name    => 'Sales History'
         ,object_owner  => 'SH'
         ,object_name   => 'SALES_ARCHIVE_ROLE'
         ,object_type   => 'ROLE'
         );
    END;
    /
    PL/SQL procedure successfully completed.

    -- view the current SAR role
    sys@aos>SELECT *
    FROM dba_application_roles
    WHERE role = 'SALES_ARCHIVE_ROLE';
    ROLE                SCHEMA    PACKAGE
    ------------------- --------- ------------------
    SALES_ARCHIVE_ROLE  DVSYS     DBMS_MACSEC_ROLES
    1 row selected.

    -- use the realm owner account to grant object privileges to the SAR
    mary@aos> -- grant the require object privileges
    mary@aos> -- to the DBV Secure Application Role
    mary@aos> GRANT DELETE ON sh.channels TO sales_archive_role;
    Grant succeeded.
    mary@aos> GRANT DELETE ON sh.costs TO sales_archive_role;
    Grant succeeded.
    mary@aos> GRANT DELETE ON sh.countries TO sales_archive_role;
    Grant succeeded.
    mary@aos> GRANT DELETE ON sh.customers TO sales_archive_role;
    Grant succeeded.
    mary@aos> GRANT DELETE ON sh.products TO sales_archive_role;
    Grant succeeded.
    mary@aos> GRANT DELETE ON sh.promotions TO sales_archive_role;
    Grant succeeded.
    mary@aos> GRANT DELETE ON sh.sales TO sales_archive_role;
    Grant succeeded.
    mary@aos> -- grant the DBV Secure Application Role
    mary@aos> -- to the account SCOTT
    mary@aos> GRANT sales_archive_role TO scott;
    Grant succeeded.

    -- verify
    scott@aos> -- show the date and time of day factors that affect
    scott@aos> -- the DBV Rule Set that controls the role enablement
    scott@aos>SELECT TO_CHAR(SYSDATE,'DAY') "DAY_OF_WEEK",
            TO_CHAR(SYSDATE,'HH24') "HOUR_OF_DAY"
    FROM DUAL;
    DAY_OF_WEEK                          HO
    ------------------------------------ --
    MONDAY                               10
    1 row selected.
    scott@aos> -- attempt to use the privileges granted to the
    scott@aos> -- role to demonstrate the privileges are not enabled
    scott@aos> -- by default as with a normal Oracle role.
    scott@aos> -- We will test deleting records greater than 10 years old
    scott@aos>DELETE sh.sales WHERE time_id < (SYSDATE-(365*10));
    DELETE sh.sales WHERE time_id < (SYSDATE-(365*10))
              *
    ERROR at line 1:
    ORA-01031: insufficient privileges
    scott@aos> -- attempt to enable the role outside of the
    scott@aos> -- authorized system maintenance timeframe
    scott@aos>EXEC dvsys.dbms_macsec_roles.set_role('SALES_ARCHIVE_ROLE');
    BEGIN dvsys.dbms_macsec_roles.set_role('SALES_ARCHIVE_ROLE'); END;
    *
    ERROR at line 1:
    ORA-47305: Rule Set violation on SET ROLE (Is System Maintenance Allowed)
    ORA-06512: at "DVSYS.DBMS_MACUTL", line 38
    ORA-06512: at "DVSYS.DBMS_MACUTL", line 381
    ORA-06512: at "DVSYS.DBMS_MACSEC", line 242
    ORA-06512: at "DVSYS.ROLE_IS_ENABLED", line 4
    ORA-06512: at "DVSYS.DBMS_MACSEC_ROLES", line 24
    ORA-06512: at line 1

    scott@aos> -- show the date and time of day factors that affect
    scott@aos> -- the DBV Rule Set that controls the role enablement
    scott@aos>SELECT TO_CHAR(SYSDATE,'DAY') "DAY_OF_WEEK",
            TO_CHAR(SYSDATE,'HH24') "HOUR_OF_DAY"
    FROM DUAL;
    DAY_OF_WEEK                          HO
    ------------------------------------ --
    FRIDAY                               17
    1 row selected.
    scott@aos> -- attempt to enable the role, which will succeed
    scott@aos>EXEC dvsys.dbms_macsec_roles.set_Role('SALES_ARCHIVE_ROLE');
    PL/SQL procedure successfully completed.
    scott@aos> -- attempt to use the privileges granted to the
    scott@aos> -- role by deleting records greater than 10 years old
    scott@aos>DELETE sh.sales WHERE time_id < (SYSDATE-(365*10));
    221651 rows deleted.
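The transcript above depends on a rule set named 'Is System Maintenance Allowed' that the excerpt never defines. The following is an added example, not from the post or the book, of how such a rule set can be built with DBMS_MACADM from a DV_OWNER account. The maintenance window (Friday, 17:00 to 19:59) is an assumption chosen to agree with the output shown, and the day-name check assumes NLS_DATE_LANGUAGE is English.

```sql
-- Rule set that gates SET ROLE on SALES_ARCHIVE_ROLE to a maintenance window.
-- Each rule is a SQL boolean expression; DBV evaluates the set whenever the
-- SAR is enabled via DBMS_MACSEC_ROLES.SET_ROLE.
BEGIN
  -- TO_CHAR(...,'DAY') is blank-padded, so trim before comparing (assumes English NLS)
  dbms_macadm.create_rule(
      rule_name => 'Is Friday'
    , rule_expr => q'[TRIM(TO_CHAR(SYSDATE,'DAY')) = 'FRIDAY']');
  -- assumed window: 17:00 to 19:59 (matches the FRIDAY / 17 row in the transcript)
  dbms_macadm.create_rule(
      rule_name => 'Is Evening Maintenance Hour'
    , rule_expr => q'[TO_NUMBER(TO_CHAR(SYSDATE,'HH24')) BETWEEN 17 AND 19]');

  dbms_macadm.create_rule_set(
      rule_set_name   => 'Is System Maintenance Allowed'
    , description     => 'Allow SALES_ARCHIVE_ROLE only in the Friday evening window'
    , enabled         => dbms_macutl.g_yes
    , eval_options    => dbms_macutl.g_ruleset_eval_all    -- every rule must be true
    , audit_options   => dbms_macutl.g_ruleset_audit_fail  -- record failed attempts
    , fail_options    => dbms_macutl.g_ruleset_fail_show   -- report the failure to the caller
    , fail_message    => 'Role may only be enabled during the maintenance window'
    , fail_code       => -20101
    , handler_options => dbms_macutl.g_ruleset_handler_off -- no custom handler
    , handler         => NULL);

  dbms_macadm.add_rule_to_rule_set(
      rule_set_name => 'Is System Maintenance Allowed'
    , rule_name     => 'Is Friday'
    , rule_order    => 1);
  dbms_macadm.add_rule_to_rule_set(
      rule_set_name => 'Is System Maintenance Allowed'
    , rule_name     => 'Is Evening Maintenance Hour'
    , rule_order    => 2);
END;
/
```

Because the set audits failures, the ORA-47305 attempt on Monday at 10:00 in the transcript leaves an entry in the DBV audit trail, while the Friday 17:00 SET ROLE passes both rules and succeeds.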





From the ITPUB blog, link: http://blog.itpub.net/22621861/viewspace-1393649/. If reposting, please credit the source; otherwise legal liability will be pursued.
