HOUG SZAKMAI NAP 2015
Oracle Database 12c Security New Features: Privilege Capture
Presenter: Tóth Balázs
Privilege Analysis
Oracle Database 12c offers a new package to analyze used privileges.
• You can use a privilege analysis policy to identify used and unused object and system privileges.
• You can generate reports of used and unused privileges during the analysis period.
• The report helps the security officer revoke unnecessary privileges by comparing the lists of used and unused granted privileges.
WEBváltó - 2015
Privilege Analysis
• Benefits and Use Cases
• Unnecessarily Granted Privileges of Applications
• Development of Secure Applications
• Multitenant Environment Supported: policies can be defined at PDB level
Privilege Analysis
• Increase database security: revoke unused privileges
  – Analyze used privileges to revoke unnecessary privileges.
  – Use the new package: DBMS_PRIVILEGE_CAPTURE
General Steps for Managing Privilege Analysis
1. Create analysis
2. Start analyzing used privileges
3. Stop analyzing
4. Generate reporting
5. Compare with unused privileges
6. Revoke unused privileges
• Requires CAPTURE_ADMIN role
Step 1: DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE defines the type and conditions of the analysis.
Steps 2 and 3: DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE / DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE start / stop analyzing used privileges.
Step 4: DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT reports used privileges.
Used-privilege views: DBA_USED_PUBPRIVS, DBA_USED_OBJPRIVS, DBA_USED_SYSPRIVS, DBA_USED_PRIVS, DBA_USED_OBJPRIVS_PATH, DBA_USED_SYSPRIVS_PATH
Unused-privilege views: DBA_UNUSED_OBJPRIVS, DBA_UNUSED_SYSPRIVS, DBA_UNUSED_PRIVS, DBA_UNUSED_OBJPRIVS_PATH, DBA_UNUSED_SYSPRIVS_PATH
1. Create analysis
• 1.1 Create a database analysis policy
• 1.2 Create a role analysis policy
SQL> exec SYS.DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE ( -
  2    name        => 'All_privs', -
  3    description => 'Captures all privilege use', -
  4    type        => dbms_privilege_capture.g_database);

SQL> exec SYS.DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE ( -
  2    name        => 'Audit_privs_capture', -
  3    description => 'Privileges used by audit roles', -
  4    type        => dbms_privilege_capture.g_role, -
  5    roles       => role_name_list('AUDIT_ADMIN','AUDIT_VIEWER'))
1. Create analysis
• 1.3 Create a context analysis policy
SQL> exec SYS.DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE ( -
  2    name        => 'Privs_HR_OE_logged_users', -
  3    description => 'All privileges used by HR,OE', -
  4    type        => dbms_privilege_capture.g_context, -
  5    condition   => -
  6    'SYS_CONTEXT(''USERENV'',''SESSION_USER'')=''HR'' -
  7     OR -
  8     SYS_CONTEXT(''USERENV'',''SESSION_USER'')=''OE''')

SQL> exec SYS.DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE ( -
  2    name        => 'Privs_AcctPayable_capture', -
  3    description => 'All privileges used by module', -
  4    type        => dbms_privilege_capture.g_context, -
  5    condition   => 'SYS_CONTEXT -
  6    (''USERENV'', ''MODULE'')=''Account Payable''')
1. Create analysis
• 1.4 Create a policy combining two analysis types (role and context)
SQL> exec SYS.DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE ( -
  2    name        => 'Privs_context_role', -
  3    description => 'Captures Context and role', -
  4    type        => dbms_privilege_capture.g_role_and_context, -
  5    roles       => role_name_list('PUBLIC'), -
  6    condition   => 'SYS_CONTEXT -
  7    (''USERENV'', ''MODULE'')=''Account Payable''')
2. Start and Stop Analyzing
• 2.1 Enable the policy to start analyzing
• 2.2 After a certain time, disable the policy to stop analyzing
SQL> exec SYS.DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE ( -
  2    name => 'All_privs')

SQL> exec SYS.DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE ( -
  2    name => 'All_privs')
4. Reporting
• 4.1 Generate the report
• 4.2 View the results
SQL> exec SYS.DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT ( -
  2    name => 'All_privs')

Used-privilege views: DBA_USED_PUBPRIVS, DBA_USED_OBJPRIVS, DBA_USED_SYSPRIVS, DBA_USED_PRIVS, DBA_USED_OBJPRIVS_PATH, DBA_USED_SYSPRIVS_PATH
Unused-privilege views: DBA_UNUSED_OBJPRIVS, DBA_UNUSED_SYSPRIVS, DBA_UNUSED_PRIVS, DBA_UNUSED_OBJPRIVS_PATH, DBA_UNUSED_SYSPRIVS_PATH
4. Reporting
• 4.2.1 View SYSTEM privileges used during the entire analysis
• 4.2.2 View OBJECT privileges used during the entire analysis
SQL> select USERNAME, SYS_PRIV from DBA_USED_SYSPRIVS;

USERNAME     SYS_PRIV
------------ --------------------
TOM          CREATE SESSION
OE           UPDATE ANY TABLE
OE           CREATE SESSION
JIM          CREATE SESSION

SQL> select USERNAME, OBJECT_OWNER, OBJECT_NAME, OBJ_PRIV
  2  from DBA_USED_OBJPRIVS where username in ('JIM','TOM');

USERNAME     OBJECT_OWNER OBJECT_NAME              OBJ_PRIV
------------ ------------ ------------------------ ----------
JIM          SYS          DBMS_APPLICATION_INFO    EXECUTE
JIM          HR           EMPLOYEES                DELETE
TOM          SH           SALES                    SELECT
4. Reporting
• 4.2.3 Compare Used and Unused Privileges
SQL> select USERNAME, OBJ_PRIV, OBJECT_NAME, PATH
  2  from DBA_UNUSED_PRIVS where username='JIM';

USERNAME OBJ_PRIV OBJECT_NAME   PATH
-------- -------- ------------- --------------------------
JIM      INSERT   EMPLOYEES     GRANT_PATH('JIM','HR_MGR')
JIM      UPDATE   EMPLOYEES     GRANT_PATH('JIM','HR_MGR')
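As an added example for step 4.2.3 (not part of the presentation), the PL/SQL block below turns the DBA_UNUSED_PRIVS rows of one capture into REVOKE candidates for the security officer to review, keeping directly granted privileges apart from those reached through a role. It assumes the 12.1 column names CAPTURE, USERNAME, SYS_PRIV, OBJ_PRIV, OBJECT_OWNER and OBJECT_NAME, and that PATH is a collection whose single-element form means a direct grant; both are assumptions, not something the slides state.

```sql
-- Added example, not from the presentation. Assumes DBA_UNUSED_PRIVS has the
-- columns CAPTURE, USERNAME, SYS_PRIV, OBJ_PRIV, OBJECT_OWNER, OBJECT_NAME and
-- that PATH is a collection (CARDINALITY = 1 means granted directly to the user).
SET SERVEROUTPUT ON
DECLARE
  v_capture CONSTANT VARCHAR2(128) := 'All_privs';   -- policy name from the slides
BEGIN
  -- Directly granted and never used during the capture window: print them as
  -- REVOKE statements for review. Nothing is executed here.
  FOR r IN (SELECT username, sys_priv, obj_priv, object_owner, object_name
              FROM dba_unused_privs
             WHERE capture = v_capture
               AND username <> 'SYS'          -- SYS cannot be analyzed anyway
               AND CARDINALITY(path) = 1
             ORDER BY username, sys_priv, object_owner, object_name, obj_priv)
  LOOP
    IF r.sys_priv IS NOT NULL THEN
      DBMS_OUTPUT.PUT_LINE('REVOKE ' || r.sys_priv || ' FROM "' || r.username || '";');
    ELSIF r.obj_priv IS NOT NULL THEN
      DBMS_OUTPUT.PUT_LINE('REVOKE ' || r.obj_priv || ' ON "' || r.object_owner ||
                           '"."' || r.object_name || '" FROM "' || r.username || '";');
    END IF;
  END LOOP;

  -- Privileges that reach the user through a role (JIM via HR_MGR in the slide)
  -- cannot be revoked per user: the change belongs on the role and affects every
  -- grantee of that role, so they are only counted here for a separate review.
  FOR r IN (SELECT username, COUNT(*) AS cnt
              FROM dba_unused_privs
             WHERE capture = v_capture
               AND CARDINALITY(path) > 1
             GROUP BY username
             ORDER BY username)
  LOOP
    DBMS_OUTPUT.PUT_LINE('-- ' || r.username || ': ' || r.cnt ||
                         ' unused privilege(s) granted through a role; review the role grant');
  END LOOP;
END;
/
```

The result reflects only the period the policy was enabled: a privilege that a monthly job needs shows up as unused if the job did not run inside that window, so compare the window against batch schedules before acting on the list.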
5. Dropping an Analysis
• 5.1 DBA_PRIV_CAPTURES lists the privilege analysis policies in the database
• 5.2 Disable the analysis
SQL> exec dbms_privilege_capture.DROP_CAPTURE('Capture1')
BEGIN dbms_privilege_capture.DROP_CAPTURE('Capture1'); END;

*
ERROR at line 1:
ORA-47932: Privilege capture Capture1 is still enabled.
ORA-06512: at "SYS.DBMS_PRIVILEGE_CAPTURE", line 82
ORA-06512: at line 1

SQL> exec dbms_privilege_capture.DISABLE_CAPTURE('Capture1')

PL/SQL procedure successfully completed.
5. Dropping an Analysis
• 5.3 Drop the analysis

SQL> exec dbms_privilege_capture.DROP_CAPTURE('Capture1')

PL/SQL procedure successfully completed.
Cloud Control / Privilege Analysis
• In the Security menu, select Privilege Analysis
Restrictions
• You can enable only one privilege analysis policy at a time. (Exception: you can enable a database-wide privilege analysis policy at the same time as a non-database-wide privilege analysis policy.)
• You cannot analyze the privileges of the SYS user.
• Privilege analysis shows the grant paths to the privilege, but it does not suggest which grant path to keep.
• If the role, user, or object has been dropped, then the values that reflect the privilege captures for these in the privilege analysis data dictionary views are dropped as well.
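To illustrate the first restriction, an added check (not from the presentation) that consults DBA_PRIV_CAPTURES before enabling a policy and refuses when another policy of the same kind is already enabled. It assumes the view exposes NAME, TYPE and ENABLED ('Y'/'N') and uses the TYPE value 'DATABASE' for database-wide policies; these column and value names are assumptions.

```sql
-- Added example, not from the presentation. Assumes DBA_PRIV_CAPTURES exposes
-- NAME, TYPE and ENABLED ('Y'/'N'), with TYPE = 'DATABASE' for database-wide policies.
-- AUTHID CURRENT_USER: the DBA_ views are usually reachable through a role
-- (CAPTURE_ADMIN), and roles are not active inside definer's-rights code.
CREATE OR REPLACE PROCEDURE enable_capture_checked(p_name IN VARCHAR2)
  AUTHID CURRENT_USER
IS
  v_type     VARCHAR2(128);
  v_blocking VARCHAR2(128);
BEGIN
  SELECT type INTO v_type FROM dba_priv_captures WHERE name = p_name;

  -- Rule from the slide: only one policy at a time, except that one
  -- database-wide policy may run alongside one non-database-wide policy.
  -- So the new policy is blocked only by an enabled policy of the same kind.
  BEGIN
    SELECT name INTO v_blocking
      FROM dba_priv_captures
     WHERE enabled = 'Y'
       AND name <> p_name
       AND ((v_type = 'DATABASE' AND type = 'DATABASE')
            OR (v_type <> 'DATABASE' AND type <> 'DATABASE'))
       AND ROWNUM = 1;
  EXCEPTION
    WHEN NO_DATA_FOUND THEN v_blocking := NULL;
  END;

  IF v_blocking IS NOT NULL THEN
    RAISE_APPLICATION_ERROR(-20001, 'Cannot enable ' || p_name ||
      ': policy ' || v_blocking || ' of the same kind is still enabled');
  END IF;

  SYS.DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE(name => p_name);
END;
/
```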
Licensing / Documentation
• Licensing
• Documentation
  – Database Vault Administrator's Guide: https://docs.oracle.com/database/121/DVADM/priv_analysis.htm#DVADM591
Demo session
WEBváltó Kft.
1095 Budapest, Soroksári út 32-34.
Building E, 6th floor
Haller Gardens
Tel./Fax: +36 1 201 9947
E-mail: [email protected]
www.webvalto.hu
Thank you for your attention!