Oracle® Database Vault Administrator's Guide 10g Release 2 (10.2) Part Number B25166-09
A command rule is a rule that you create to protect SELECT, ALTER SYSTEM, database definition language (DDL), and data manipulation language (DML) statements that affect one or more database objects. To customize and enforce the command rule, you associate it with a rule set, which is a collection of one or more rules. The command rule executes at run time. Command rules affect anyone who tries to use the SQL statements it protects, regardless of the realm in which the object exists. If you want to protect realm-specific objects, see "Defining Realm Authorization".
A command rule has the following attributes, in addition to its bonding operations and authorization functionality:
SQL statement the command rule will protect
Owner of the object the command rule will affect
Database object the command rule will affect
Whether the command rule is enabled or not
An associated rule set
For more information about SQL statements and operations, refer to Oracle Database SQL Reference. See also "SQL Statements That Can Be Protected by Command Rules".
Command rules can be categorized as follows:
Command rules that have a system-wide scope. With this type, you can only create one command rule for each database instance. Examples are command rules for the ALTER SYSTEM and CONNECT statements.
Command rules that are schema specific. An example is creating a command rule for the DROP TABLE statement.
Command rules that are object specific. An example is creating a command rule for the DROP TABLE statement with a specific table included in the command rule definition.
When a user executes a statement affected by a command rule, Oracle Database Vault checks the realm authorization first. If it finds no realm violation and if the associated command rules are enabled, then Database Vault evaluates the associated rule sets. If all the rule sets evaluate to TRUE, then the statement is authorized for further processing. If any of the rule sets evaluate to FALSE, then the statement is not authorized and a command rule violation is created. Chapter 5, "Configuring Rule Sets" describes rule sets in detail.
You can define a command rule for a CONNECT event that can determine whether a session is allowed after the normal authentication process, Oracle Label Security initialization, factor initialization, and the Oracle Label Security integration complete. In addition, you can disable or enable a command rule when necessary, and apply the same rule to realms and command rules.
For example, you can configure a command rule that allows DDL statements such as CREATE TABLE, DROP TABLE, and ALTER TABLE in the BIZAPP schema to be authorized after business hours, but not during business hours.
You can run reports on the command rules that you create in Oracle Database Vault. See "Related Reports and Data Dictionary View" for more information.
This chapter explains how to configure command rules by using Oracle Database Vault Administrator. To configure command rules by using the PL/SQL interfaces and packages provided by Oracle Database Vault, refer to the following chapters:
Table 6-1 lists default command rules that Oracle Database Vault provides.
Table 6-1 Default Command Rules
SQL Statement | Object Name | Rule Set Name |
---|---|---|
ALTER PROFILE | - | Can Maintain Accounts/Profiles |
ALTER SYSTEM | - | Allow System Parameters |
ALTER USER | - | Can Maintain Own Account |
CREATE PROFILE | - | Can Maintain Accounts/Profiles |
CREATE USER | - | Can Maintain Accounts/Profiles |
DROP PROFILE | - | Can Maintain Accounts/Profiles |
DROP USER | - | Can Maintain Accounts/Profiles |
GRANT | SYS.DBMS_RLS | Can Grant VPD Administration |
REVOKE | SYS.DBMS_RLS | Can Grant VPD Administration |
The following set of command rules helps you to achieve separation of duty for user management:
ALTER PROFILE
ALTER USER
CREATE PROFILE
CREATE USER
DROP PROFILE
DROP USER
To grant a user the ability to use these commands, you can grant the user the role that the rule set checks. For example, the CREATE USER command rule ensures that a user who tries to run a CREATE USER statement has the DV_ACCTMGR role.
The following default command rules on an Oracle Virtual Private Database (VPD) prevent the database administrator from giving VPD capabilities to an account.
GRANT
REVOKE
Only the accounts with the DV_OWNER role can use the GRANT and REVOKE statements pertaining to the SYS.DBMS_RLS object and the EXECUTE privilege.
You can protect the following SQL statements by using command rules:
SQL Statement | SQL Statement | SQL Statement |
---|---|---|
ALTER CLUSTER | CREATE CONTEXT | DROP FUNCTION |
ALTER DIMENSION | CREATE DATABASE LINK | DROP INDEX |
ALTER FUNCTION | CREATE DIMENSION | DROP INDEXTYPE |
ALTER INDEX | CREATE DIRECTORY | DROP JAVA |
ALTER INDEXTYPE | CREATE FUNCTION | DROP LIBRARY |
ALTER JAVA | CREATE INDEX | DROP OPERATOR |
ALTER OPERATOR | CREATE INDEXTYPE | DROP OUTLINE |
ALTER OUTLINE | CREATE JAVA | DROP PACKAGE |
ALTER PACKAGE | CREATE LIBRARY | DROP PACKAGE BODY |
ALTER PACKAGE BODY | CREATE OPERATOR | DROP PROCEDURE |
ALTER PROCEDURE | CREATE OUTLINE | DROP PROFILE |
ALTER PROFILE | CREATE PACKAGE | DROP ROLE |
ALTER RESOURCE COST | CREATE PACKAGE BODY | DROP ROLLBACK SEGMENT |
ALTER ROLE | CREATE PROCEDURE | DROP SEQUENCE |
ALTER ROLLBACK SEGMENT | CREATE PROFILE | DROP SNAPSHOT |
ALTER SEQUENCE | CREATE ROLE | DROP SNAPSHOT LOG |
ALTER SNAPSHOT | CREATE ROLLBACK SEGMENT | DROP SYNONYM |
ALTER SNAPSHOT LOG | CREATE SCHEMA | DROP TABLE |
ALTER SYNONYM | CREATE SEQUENCE | DROP TABLESPACE |
ALTER SYSTEM | CREATE SNAPSHOT | DROP TRIGGER |
ALTER TABLE | CREATE SNAPSHOT LOG | DROP TYPE |
ALTER TABLESPACE | CREATE SYNONYM | DROP TYPE BODY |
ALTER TRIGGER | CREATE TABLE | DROP USER |
ALTER TYPE | CREATE TABLESPACE | DROP VIEW |
ALTER TYPE BODY | CREATE TRIGGER | EXECUTE |
ALTER USER | CREATE TYPE | GRANT |
ALTER VIEW | CREATE TYPE BODY | INSERT |
ANALYZE CLUSTER | CREATE USER | NOAUDIT |
ANALYZE INDEX | CREATE VIEW | RENAME |
ANALYZE TABLE | DELETE | REVOKE |
ASSOCIATE STATISTICS | DISASSOCIATE STATISTICS | SELECT |
AUDIT | DROP CLUSTER | TRUNCATE CLUSTER |
COMMENT | DROP CONTEXT | TRUNCATE TABLE |
COMMIT | DROP DATABASE LINK | UPDATE |
CONNECT | DROP DIMENSION | |
CREATE CLUSTER | DROP DIRECTORY | |
Log in to Oracle Database Vault Administrator using a database account that has been granted the Database Vault Owner (DV_OWNER) role.
At a minimum, you must have the DV_ADMIN role. "Starting Oracle Database Vault Administrator" explains how to log in.
In the Administration page, under Database Vault Feature Administration, click Command Rules.
In the Command Rules page:
To create a new command rule, click Create.
To edit an existing command rule, select it from the list and then click Edit.
In the Create (or Edit) Command Rule page, enter the following settings, and then click OK.
General
Enter the following settings:
Command: Select the SQL statement or operation for which you want to create a command rule. This attribute is mandatory.
Status: Select either Enabled or Disabled to enable or disable the command rule during run time. The default is Enabled. This attribute is mandatory.
Applicability
Enter the following settings:
Object Owner: From the list, select the owner of the object the command rule will affect. You can use wildcard characters such as %. (However, you cannot use wildcard characters with text, such as EM% to select all owners whose names begin in EM.) This attribute is mandatory for all SQL statements that operate on objects within a specific schema. See "SQL Statements That Can Be Protected by Command Rules" for a list of supported SQL statements.
Note that the SELECT, INSERT, UPDATE, DELETE, and EXECUTE statements are not allowed for a selection of all (%) or the SYS and DVSYS schemas.
Object Name: Enter the name of the database object that the command rule will affect, or specify % to select all database objects. However, you cannot use wildcard characters with text, for example, EMP_% to specify all tables beginning with the characters EMP_. This attribute is mandatory if you selected an object owner from the Object Owner list.
You can run Oracle Database Vault reports on objects that the command rule affects. See the "Related Reports and Data Dictionary View" for more information.
Rule Set
From the list, select the rule set that you want to associate with the command rule. This attribute is mandatory.
If the rule set evaluates to true, then the SQL statement succeeds. If it evaluates to false, the statement fails, and then Oracle Database Vault creates a command rule violation. (You can track such rule violations by using the Command Rule Configuration Issues Report, discussed in Chapter 16.) Any auditing and custom event handling associated with the rule set occurs as a part of the command rule processing.
See Chapter 5, "Configuring Rule Sets" for more information about rule sets.
Before you delete a command rule, you can locate the various references to it by querying the command rule-related Oracle Database Vault views. See "Oracle Database Vault Data Dictionary Views" for more information.
In the Oracle Database Vault Administration page, select Command Rules.
In the Command Rules page, select the command rule that you want to remove.
Click Remove.
In the Confirmation page, click Yes.
"How Realms Work" describes what happens when a database account issues a SELECT, DDL, or DML statement that affects objects within a realm.
The following actions take place when a command rule is executed:
Oracle Database Vault queries for all rules that the account is attempting to use.
For SELECT, DDL, and DML statements, more than one command rule may apply because the object owner and object name support wildcard notation.
You can associate rule sets with both command rules and realm authorizations. Oracle Database Vault evaluates the realm authorization rule set first, and then it evaluates the rule sets that apply to the command type being evaluated.
For each command rule that applies, Oracle Database Vault evaluates its associated rule set.
If the associated rule set of any of the applicable command rules returns false or errors, Oracle Database Vault prevents the command from executing. Otherwise, the command is authorized for further processing. The configuration of the rule set with respect to auditing and event handlers dictates the auditing or custom processing that occurs.
Command rules override object privileges. You can disable (or set the Disabled setting for) either a command or a rule set of a command. If a command is disabled, then the command is not allowed to run regardless of its associated rule set. That is, the command itself is disabled. However, if you disable a rule set of a command, then the rule set is not checked. In that case, the command is allowed to run without any condition. If a command rule on SELECT has been associated with the Disabled rule set, then you are prevented from querying the table even though you have the SELECT privilege on the table. (In that case only the rule set has been set to Disabled, not the command itself.)
In this tutorial, you will create a simple command rule that disables and then enables the ability of user SCOTT to create tables.
See Also:
"Tutorial: Creating an E-mail Alert for Security Violations" for another example of how a command rule can work with a rule set to send an e-mail alert when a violation occurs.
Log in to SQL*Plus as user SCOTT.
sqlplus SCOTT
Enter password: password
If the SCOTT account is locked and expired, then log in as the Database Vault Account Manager and unlock SCOTT and create a new password. For example:
sqlplus dbvacctmgr
Enter password: password
SQL> ALTER USER SCOTT ACCOUNT UNLOCK IDENTIFIED BY password;
Replace password with a password that is secure. See Oracle Database Security Guide for the minimum requirements for creating passwords.
SQL> CONNECT SCOTT
Enter password: password
As user SCOTT, create a table.
SQL> CREATE TABLE t1 (num NUMBER);
Now drop the table.
SQL> DROP TABLE t1;
At this stage, user SCOTT can create and drop tables. Do not exit SQL*Plus yet, and remain connected as SCOTT. You will use it later on when SCOTT tries to create another table.
Log in to Oracle Database Vault Administrator using a database account that has been granted the Database Vault Owner (DV_OWNER) role.
"Starting Oracle Database Vault Administrator" explains how to log in.
In the Oracle Database Vault Administrator Administration page, click Command Rules.
The Command Rules page appears.
Click Create.
The Create Command Rule page appears.
Enter the following settings:
Command list: Select CREATE TABLE.
Status: Set to Enabled so that the command rule will be active.
Object Owner: Select SCOTT.
Object Name: Set to % so that it applies to all objects in the SCOTT schema.
Rule Set: Select Disabled so that user SCOTT will be prevented from creating tables.
Click OK.
Do not exit Database Vault Administrator.
Command rules take effect immediately. Right away, user SCOTT will be prevented from creating tables, even though he is still in the same user session he was in a moment ago, before you created the CREATE TABLE command rule.
In SQL*Plus, ensure that you are logged on as user SCOTT.
SQL> CONNECT SCOTT
Enter password: password
Try to create a table.
SQL> CREATE TABLE t1 (num NUMBER);
ERROR at line 1:
ORA-00604: error occurred at recursive SQL level 1
ORA-47400: Command Rule violation for create table on SCOTT.T1
ORA-06512: at "DVSYS.AUTHORIZE_EVENT", line 55
ORA-06512: at line 31
As you can see, SCOTT is no longer allowed to create tables, even in his own schema.
In Oracle Database Vault Administrator, do the following:
In the Command Rules page, select the CREATE TABLE command rule and then click Edit.
In the Edit Command Rule page, select Enabled from the Rule Set list.
Click OK.
In SQL*Plus, as user SCOTT, try creating the table again.
SQL> CREATE TABLE t1 (num NUMBER);
Table created.
Now that the CREATE TABLE command rule is set to Enabled, user SCOTT is once again permitted to create tables. (Do not exit SQL*Plus.)
In Oracle Database Vault Administrator, remove the CREATE TABLE command rule as follows:
Return to the Command Rules page.
Select the CREATE TABLE command rule and then click Remove.
In the Confirmation page, click Yes.
Log in to SQL*Plus as user SCOTT and remove the t1 table.
SQL> DROP TABLE t1;
If you no longer need the SCOTT account to be available, then connect as the Database Vault Account Manager and enter the following ALTER USER statement:
SQL> CONNECT dbvacctmgr
Enter password: password
SQL> ALTER USER SCOTT ACCOUNT LOCK PASSWORD EXPIRE;
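The same tutorial, carried out through the Database Vault PL/SQL interface instead of the Administrator pages. This is an added example, not code from the guide; it assumes the DBMS_MACADM package (CREATE_COMMAND_RULE, UPDATE_COMMAND_RULE, DELETE_COMMAND_RULE) and the DBMS_MACUTL.G_YES constant, run from a SQL*Plus session holding the DV_OWNER role, while SCOTT's own session stays open to observe the effect.

```sql
-- Added example (not part of the guide): the SCOTT / CREATE TABLE tutorial
-- driven through DBMS_MACADM. Run as an account with the DV_OWNER role.
-- DBMS_MACUTL.G_YES is the 'Y' constant Database Vault uses for "enabled".

-- 1. Block CREATE TABLE in the SCOTT schema by associating the command rule
--    with the default rule set "Disabled", which always evaluates to false.
BEGIN
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'CREATE TABLE',
    rule_set_name => 'Disabled',
    object_owner  => 'SCOTT',
    object_name   => '%',               -- every object in the schema
    enabled       => DBMS_MACUTL.G_YES);
END;
/
-- SCOTT's open session now gets ORA-47400 on CREATE TABLE: the rule takes
-- effect immediately, no reconnect needed.

-- 2. Lift the restriction without removing the rule: switch it to the default
--    rule set "Enabled", which always evaluates to true.
BEGIN
  DBMS_MACADM.UPDATE_COMMAND_RULE(
    command       => 'CREATE TABLE',
    rule_set_name => 'Enabled',
    object_owner  => 'SCOTT',
    object_name   => '%',
    enabled       => DBMS_MACUTL.G_YES);
END;
/

-- 3. Confirm what is in force before changing anything else.
SELECT command, object_owner, object_name, rule_set_name, enabled
  FROM dba_dv_command_rule
 WHERE command = 'CREATE TABLE'
   AND object_owner = 'SCOTT';

-- 4. Clean up: remove the command rule entirely, as the tutorial does.
BEGIN
  DBMS_MACADM.DELETE_COMMAND_RULE(
    command      => 'CREATE TABLE',
    object_owner => 'SCOTT',
    object_name  => '%');
END;
/
```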
Follow these guidelines to configure command rules:
Create finer-grained command rules, because they are far easier to maintain.
For example, if you want to prevent SELECT statements from occurring on specific schemas, design the command rule to stop the SELECT statement on those specific schemas, rather than creating a general command rule to prevent SELECT statements in all cases.
When designing rules for the CONNECT event, be careful to include logic that does not inadvertently lock out the Oracle Database Vault Owner or Administrator.
If the account has been locked out, you can disable Oracle Database Vault, correct the rule that is causing the lock-out problem, and then reenable Oracle Database Vault. Even when Oracle Database Vault is disabled, you still can use Database Vault Administrator and the Database Vault PL/SQL packages. See Appendix B, "Enabling and Disabling Oracle Database Vault" for instructions on disabling and re-enabling Database Vault.
Sometimes you need to temporarily relax an enabled command rule for an administrative task. Rather than disabling the command rule, have the Security Manager (the account with the DV_ADMIN or DV_OWNER role) log in, set the rule set to Enabled, turn on Auditing on Success or Failure for the default rule set named Enabled, and then set the command rule back to its original rule set when the task is complete.
When designing command rules, be careful to consider automated processes such as backup where these procedures may be inadvertently disabled. You can account for these tasks by creating rules that allow the command when a series of Oracle Database Vault factors is known to be true, for example, the program being used, and the account being used or the computer or network on which the client program is running.
The performance of a command rule depends on the complexity of the rules in the rule set associated with the command rule. For example, suppose a rule set invokes a PL/SQL function that takes 5 seconds to run. In this case, a command rule that uses that rule set would take 5 seconds to grant access for the command statement to run.
You can check the system performance by running tools such as Oracle Enterprise Manager (including Oracle Enterprise Manager Database Control, which is installed by default with Oracle Database), Statspack, and TKPROF. For more information about Oracle Enterprise Manager, see the Oracle Enterprise Manager documentation set. For information about Database Control, refer to its online Help. Oracle Database Performance Tuning Guide describes the Statspack and TKPROF utilities.
Table 6-2 lists Oracle Database Vault reports that are useful for analyzing command rules. See Chapter 16, "Oracle Database Vault Reports" for information about how to run these reports.
Table 6-2 Reports Related to Command Rules
Report | Description |
---|---|
Command Rule Audit Report | Lists audit records generated by command rule processing operations |
Command Rule Configuration Issues Report | Tracks rule violations, in addition to other configuration issues the command rule may have |
Object Privilege Reports | Lists object privileges that the command rule affects |
Sensitive Objects Reports | Lists objects that the command rule affects |
Rule Set Configuration Issues Report | Lists rule sets that have no rules defined or enabled, which may affect the command rules that use them |
You can use the DBA_DV_COMMAND_RULE data dictionary view to find the SQL statements that are protected by command rules. See "DBA_DV_COMMAND_RULE View" for more information.
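A query that reproduces the look-up described in "How Command Rules Work": for one statement, list every command rule whose owner and object name match either exactly or through the all-objects wildcard %, and show whether its rule set will actually be evaluated. This is an added example, not from the guide; it assumes the DBA_DV_COMMAND_RULE and DBA_DV_RULE_SET views with Y/N ENABLED columns, SQL*Plus substitution variables, and a constructed sample statement (SCOTT issuing CREATE TABLE on SCOTT.T1).

```sql
-- Added example (not part of the guide): which command rules does Database
-- Vault consider for a given statement, and will their rule sets be checked?
-- Run in SQL*Plus as an account holding the DV_OWNER or DV_ADMIN role.
-- Sample statement (constructed values): SCOTT runs CREATE TABLE on SCOTT.T1.
DEFINE cmd   = 'CREATE TABLE'
DEFINE owner = 'SCOTT'
DEFINE obj   = 'T1'

SELECT cr.command,
       cr.object_owner,
       cr.object_name,
       cr.enabled         AS rule_enabled,
       cr.rule_set_name,
       rs.enabled         AS rule_set_enabled,
       -- A disabled command rule is skipped; a command rule whose rule set is
       -- disabled imposes no condition; otherwise any FALSE or error blocks
       -- the statement (see "How Command Rules Work").
       CASE
         WHEN cr.enabled = 'N' THEN 'command rule disabled: not evaluated'
         WHEN rs.enabled = 'N' THEN 'rule set disabled: no condition applied'
         ELSE 'rule set evaluated: FALSE or error blocks the statement'
       END                AS effect
  FROM dba_dv_command_rule cr
  JOIN dba_dv_rule_set rs
    ON rs.rule_set_name = cr.rule_set_name
 WHERE cr.command = '&cmd'
   -- Owner and name support only the all-objects wildcard, not partial
   -- patterns such as EM%, so an equality test on '%' is the whole match.
   AND (cr.object_owner = '%' OR cr.object_owner = '&owner')
   AND (cr.object_name  = '%' OR cr.object_name  = '&obj')
 ORDER BY cr.object_owner, cr.object_name;

UNDEFINE cmd owner obj
```

Run it against each command rule you plan to delete (see "Deleting a Command Rule") to see which statements would lose protection.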