Installing DB Vault to an Oracle 12c non-Container Database

Database Vault is a product with which you can restrict access even for SYS, DBA users and so on; it is a tool for security administrators to control even the DBAs.

We are configuring Oracle Audit Vault and Database Firewall (AVDF), which is a single product used to detect SQL injection and block harmful SQL statements. This product works well when the connection does not come from the database host itself. But if you connect to the server via ssh and from there connect to the database locally with sqlplus, the traffic never crosses the Database Firewall, so Oracle AVDF will not help. For that case there is Database Vault.

Don't be confused: Database Vault and Audit Vault are two different products. DB Vault has to be enabled inside the database, so let's see how we do it:

-- To check Oracle Label Security and DB Vault, use the SQL below

SQL> select comp_id,status from dba_registry where comp_id in ('OLS','DV');
COMP_ID STATUS
—————————— ——————————————–
OLS VALID

Note: As you can see, in my database Label Security is already installed but Database Vault is not.

-- Check whether DB Vault is already registered as an option

SQL> SELECT parameter,value FROM gv$OPTION WHERE PARAMETER in
2 ( 'Oracle Database Vault','Oracle Label Security');
PARAMETER VALUE
—————————————————————- —————————————————————-
Oracle Label Security TRUE
Oracle Database Vault FALSE

-- Take a backup of some tables and views.

SQL> create table a_dba_network_acls as
select * FROM  cdb_network_acls;

SQL> create table a_dba_network_acl_privileges as
select * from cdb_network_acl_privileges;

SQL> create table a_gv$parameter as
select * from gv$parameter ;

SQL> create table a_dba_tab_privs as
Select * from dba_tab_privs;

SQL> create table a_dba_sys_privs as
Select * from dba_sys_privs;

SQL> create table a_dba_role_privs as
Select * from dba_role_privs;

SQL> create table a_dba_objects as
select owner,object_name,object_type
from dba_objects
where status='INVALID' and object_type <> 'SYNONYM' ;

SQL> create table a_dba_registry as
select * from dba_registry;

Note: You must consider that enabling Database Vault causes the following:

1. Enables parameter sql92_security (needs database restart) .

"The SQL92 standards specify that security administrators should be able to require that users have SELECT privilege on a table when executing an UPDATE or DELETE statement that references table column values in a WHERE or SET clause. SQL92_SECURITY specifies whether users must have been granted the SELECT object privilege in order to execute such UPDATE or DELETE statements."

So it is better to generate a script that grants the necessary SELECT privileges:

select 'grant select on '||owner||'."'||table_name||'" to '||grantee||';'
from (
select grantee, owner, table_name
from dba_tab_privs
where privilege in ('UPDATE','DELETE','INSERT')
minus
select grantee, owner, table_name
from dba_tab_privs
where privilege='SELECT'
);

Run the grants generated above so that nothing breaks after the restart.

2. Revokes some privileges from roles and users (even from SYS). So use the following queries, which compare the backup tables taken above with the live dictionary, to generate grant scripts and regrant the privileges where it is really necessary.

select 'grant '||privilege||' on '||owner||'.'||table_name||' to '|| grantee||';'
from (
select * from a_dba_tab_privs
minus
select * from dba_tab_privs
);

select 'grant '||privilege||' to '|| grantee||';'
from (
select * from a_dba_sys_privs
minus
select * from dba_sys_privs
);

select 'grant '||granted_role||' to '|| grantee||';'
from (
select * from a_dba_role_privs
minus
select * from dba_role_privs
);
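The SQL92_SECURITY generator and the three regrant generators above can be driven from one PL/SQL block. The following is an added example (not from the original post): it collects the missing SELECT grants required by SQL92_SECURITY plus the object, system and role privileges that exist in the a_* backup tables but no longer in the live dictionary, prints them for review, and applies them only when the apply flag is set to TRUE. It assumes the backup tables created earlier exist and that the session running it is permitted to issue these grants.

```sql
-- Added example, not from the original post. Assumes the a_dba_* backup tables
-- created above exist. Leave apply := FALSE to only list the statements first.
SET SERVEROUTPUT ON SIZE UNLIMITED
DECLARE
  apply   BOOLEAN := FALSE;           -- review the output, then flip to TRUE
  n_ok    PLS_INTEGER := 0;
  n_fail  PLS_INTEGER := 0;
  CURSOR c IS
    -- 1) SELECT required by SQL92_SECURITY for UPDATE/DELETE grantees
    SELECT 'grant select on "'||owner||'"."'||table_name||'" to '||grantee AS stmt
    FROM (SELECT grantee, owner, table_name FROM dba_tab_privs
          WHERE privilege IN ('UPDATE','DELETE')
          MINUS
          SELECT grantee, owner, table_name FROM dba_tab_privs
          WHERE privilege = 'SELECT')
    UNION ALL
    -- 2) object privileges present before DV but missing now
    SELECT 'grant '||privilege||' on "'||owner||'"."'||table_name||'" to '||grantee
    FROM (SELECT grantee, owner, table_name, privilege FROM a_dba_tab_privs
          MINUS
          SELECT grantee, owner, table_name, privilege FROM dba_tab_privs)
    UNION ALL
    -- 3) system privileges revoked when DV was enabled
    SELECT 'grant '||privilege||' to '||grantee
    FROM (SELECT grantee, privilege FROM a_dba_sys_privs
          MINUS
          SELECT grantee, privilege FROM dba_sys_privs)
    UNION ALL
    -- 4) roles revoked when DV was enabled
    SELECT 'grant '||granted_role||' to '||grantee
    FROM (SELECT grantee, granted_role FROM a_dba_role_privs
          MINUS
          SELECT grantee, granted_role FROM dba_role_privs);
BEGIN
  FOR r IN c LOOP
    IF NOT apply THEN
      DBMS_OUTPUT.PUT_LINE(r.stmt||';');   -- review list
    ELSE
      BEGIN
        EXECUTE IMMEDIATE r.stmt;
        n_ok := n_ok + 1;
      EXCEPTION WHEN OTHERS THEN          -- e.g. a grant DV now forbids
        n_fail := n_fail + 1;
        DBMS_OUTPUT.PUT_LINE('FAILED: '||r.stmt||' -- '||SQLERRM);
      END;
    END IF;
  END LOOP;
  DBMS_OUTPUT.PUT_LINE('applied='||n_ok||' failed='||n_fail);
END;
/
```

Part 1 should be run before the restart that activates SQL92_SECURITY; parts 2 to 4 only make sense after Database Vault has been enabled, and each failed statement is reported rather than aborting the whole run.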

-- Create the DB Vault owner and account manager users

SQL> CREATE USER dvowner IDENTIFIED BY oracle
DEFAULT TABLESPACE USERS
QUOTA UNLIMITED ON USERS;

SQL> GRANT CREATE SESSION TO dvowner;

SQL> CREATE USER dvacctmngr IDENTIFIED BY oracle
DEFAULT TABLESPACE USERS
QUOTA UNLIMITED ON USERS;

SQL> GRANT CREATE SESSION TO dvacctmngr;


-- Configure DB Vault

SQL> BEGIN
DVSYS.CONFIGURE_DV (
dvowner_uname => 'dvowner',
dvacctmgr_uname => 'dvacctmngr');
END;
/

If your environment is like mine, you will see the following error; in that case go directly to the section "Scenario 2".

ORA-06550: line 2, column 1:
PLS-00201: identifier 'DVSYS.CONFIGURE_DV' must be declared
ORA-06550: line 2, column 1:
PL/SQL: Statement ignored

Let's continue with Scenario 1, where DVSYS.CONFIGURE_DV runs without errors, and then I will write how to get around this error.

-- Recompile objects

SQL> @?/rdbms/admin/utlrp.sql

-- Enable Database Vault

SQL> EXEC DBMS_MACADM.ENABLE_DV;
SQL> commit;

-- Restart the database; after this the installation is finished

SQL> shutdown immediate;
SQL> startup;

That’s it.

Scenario 2: Having errors:

We should use DBCA to add the DV option. I don't use GUIs, so here is the script in silent mode:

-- Check what options we have in DBCA

[oracle@TCIPreRel bin]$ dbca -CONFIGUREDATABASE -silent -h

-configureDatabase
-sourceDB <Database unique name for RAC Database and SID for Single Instance Database>
[-sysDBAUserName <user name with SYSDBA privileges>
-sysDBAPassword <password for sysDBAUserName user name>]
[-registerWithDirService|-unregisterWithDirService|-regenerateDBPassword <true | false>
-dirServiceUserName <user name for directory service>
-dirServicePassword <password for directory service >
-walletPassword <password for database wallet >]
[-addDBOption <Specify any of the following DB Options as a comma separated list: JSERVER | ORACLE_TEXT | IMEDIA | CWMLITE | SPATIAL | OMS | APEX | DV>]

[-dvConfiguration <true | false Specify "true" to configure and enable Database Vault
-dvUserName <Specify Database Vault Owner user name>
-dvUserPassword <Specify Database Vault Owner password>
-dvAccountManagerName <Specify separate Database Vault Account Manager >
-dvAccountManagerPassword <Specify Database Vault Account Manager password>]

-- Run the configuration

[oracle@TCIPreRel bin]$ dbca -CONFIGUREDATABASE -silent -sourceDB LBTCI -sysDBAUserName sys -sysDBAPassword oracle -addDBOption DV -dvConfiguration true -dvUserName dvowne -dvUserPassword oracle -dvAccountManagerName dvacctmngr -dvAccountManagerPassword oracle

Preparing to Configure Database
2% complete
5% complete
28% complete
Adding Oracle Database Vault
85% complete
Completing Database Configuration
100% complete
Look at the log file "/u01/app/oracle/cfgtoollogs/dbca/LBTCI/LBTCI0.log" for further details.

-- Restart database

srvctl stop database -db LBTCI
srvctl start database -db LBTCI

-- Let's check

SQL> SELECT parameter,value
FROM gv$OPTION
WHERE PARAMETER in ( 'Oracle Database Vault','Oracle Label Security');
PARAMETER VALUE
—————————————————————- —————————————————————-
Oracle Label Security TRUE
Oracle Database Vault TRUE
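Beyond gv$option, a few more checks after the restart tell you whether the install actually took effect. The following is an added example (not from the original post); it assumes 12c's DBA_DV_STATUS view and the a_dba_objects backup table created earlier.

```sql
-- Added example, not from the original post. Run after the restart as SYS
-- or the DV owner; assumes the a_dba_objects backup table exists.
SET LINESIZE 120 PAGESIZE 100

-- 1) Is DV both configured and enabled? Both rows should show TRUE.
SELECT name, status FROM dba_dv_status;

-- 2) Enabling DV is what turns on SQL92_SECURITY; confirm it is set.
SELECT name, value FROM v$parameter WHERE name = 'sql92_security';

-- 3) Did the DV owner and account manager receive their roles?
SELECT grantee, granted_role
FROM dba_role_privs
WHERE granted_role IN ('DV_OWNER','DV_ACCTMGR')
ORDER BY granted_role, grantee;

-- 4) Which objects became INVALID during the install (not invalid before)?
SELECT owner, object_name, object_type
FROM dba_objects
WHERE status = 'INVALID' AND object_type <> 'SYNONYM'
MINUS
SELECT owner, object_name, object_type FROM a_dba_objects;
```

An empty result from check 4 means utlrp.sql left nothing broken; anything listed there should be recompiled or investigated before handing the database back to applications.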


Install Backup Exec Client(Remote Agent) on Linux

RALUS is the Remote Agent for Linux and Unix Servers, that is, the Linux client of Backup Exec. It can be found on the Backup Exec installation DVD in the LinuxUnixMac folder.

Some details:

Client Server IP: 10.0.1.100
Client Hostname: orcl_node
Domain: sa.ge
Media Server IP: 192.168.1.100

Create an installation directory and place the RALUS installation file in it.

1. Installation

# mkdir /0
# cd /0
# tar -xvf RALUS_RMALS_RAMS-4164.5.tar
# ./installralus

Step 1:

Enter the system names separated by spaces on which to install RALUS: (oracle-node1.tbilisi.gov.ge)10.0.1.100

Checking system communication:

Checking OS version on 10.0.1.100 ………….. Linux 2.6.18-194.el5
Checking system support for 10.0.1.100 … Linux 2.6.18-194.el5 supported by RALUS

Initial system check completed successfully.

Press Enter.

Step 2:

Press Enter.

Step 3:

If the output is:

Checking file system space ……………. required space is available

Then press Enter

Step 4:

To display the Remote Agent as a selection in a media server’s backup selection tree, and to be able to specify a local network for use between the Remote Agent and a media server, enter the names or IP addresses of the media servers that you want the Remote Agent on ‘10.0.1.100’ to communicate with.

An IP Address: XXX.XXX.XXX.XXX
A Host Name: COMPUTERNAME

Enter a directory host:192.168.1.100

Do you want to add another name or address for this agent? [y, n] (n)

Step 5:

If the information is correct, press Enter

Step 6:

In this step the beoper group will be created if it doesn't exist and the root user will be added to it.

Press Enter

Press Enter

Press Enter (choosing y option by default)

Press Enter(choosing n option by default)

Press Enter (choosing y option by default)

Press Enter

Step 7 :

Checking VRTSralus package ………………………… not installed

Press Enter

Step 8:

Installing VRTSralus 13.0.4164 on 10.0.1.100 …… done 1 of 1 steps

Press Enter

Step 9 :

Creating configuration files on 10.0.1.100  ………………… Done

Press Enter

RALUS installation is complete, now it’s time to configure it.

2. Configuration on Client

Step 1:

Run AgentConfig:

# /opt/VRTSralus/bin/AgentConfig

Symantec Backup Exec Remote Agent Utility
Choose one of the following options:
1. Configure database access
2. Configure Oracle instance information
3. Quit
Please enter your selection: 1

Configuring machine information
Choose one of the following options:
1. Add system credentials for Oracle operations
2. Edit system credentials used for Oracle operations
3. Remove system credentials used for Oracle operations
4. View system credentials used for Oracle operations
5. Quit
Please enter your selection: 1
     Enter a user name that has local system credentials: oracle
Enter the password:
Re-enter password:
Validating credentials…….
Do you want to use a custom port to connect to the media server during Oracle operations? (Y/N): N
     Commit Oracle operation settings to the configuration file? (Y/N): Y
     SUCCESS: Successfully added the entry to the configuration file.

Configuring machine information
Choose one of the following options:
1. Add system credentials for Oracle operations
2. Edit system credentials used for Oracle operations
3. Remove system credentials used for Oracle operations
4. View system credentials used for Oracle operations
5. Quit
Please enter your selection: 5

Symantec Backup Exec Remote Agent Utility
Choose one of the following options:
1. Configure database access
2. Configure Oracle instance information
3. Quit
Please enter your selection: 2

If this computer is a RAC node, you must perform additional steps for configuration before you continue. Refer to the readme for these additional steps.

Configuring the Oracle Agent
Choose one of the following options:
1. Add a new Oracle instance to protect
2. Edit an existing Oracle instance
3. Delete an existing Oracle instance
4. View Oracle instance entries that have been added in the Remote Agent Utility
5. Quit
Please enter your selection: 1
     Select an Oracle instance to configure
Entry 1. orcl
Enter the number 0 to go back
Enter your selection: 1
     Enter the Oracle database SYSDBA user name: SYS
Enter the Oracle database SYSDBA password:
Re-enter password:
Validating credentials…….
Enter the media server name or IP address:      The length of the entered data is greater than the maximum permitted length.
Enter the media server name or IP address: 192.168.1.100
     Do you use a recovery catalog? (Y/N):N
     Do you want to use a customized job template? (Y/N): N
     Commit Oracle operation settings to the configuration file? (Y/N): Y
     Created symbolic link for /opt/VRTSralus/bin/libobk.so at /u01/app/oracle/product/11.2.0/db_1/lib/libobk.so
SUCCESS: Successfully added the entry to the configuration file.

Configuring the Oracle Agent
Choose one of the following options:
1. Add a new Oracle instance to protect
2. Edit an existing Oracle instance
3. Delete an existing Oracle instance
4. View Oracle instance entries that have been added in the Remote Agent Utility
5. Quit
Please enter your selection: 5

Symantec Backup Exec Remote Agent Utility
Choose one of the following options:
1. Configure database access
2. Configure Oracle instance information
3. Quit
Please enter your selection: 3

Start agent:

# /etc/init.d/VRTSralus.init start
Starting Symantec Backup Exec Remote Agent ……
Starting Symantec Backup Exec Remote Agent:                              [  OK  ]

3. Configuration on Media Server

To make the media server see your client, do the following steps:

Step 1:

Run Start -> All Programs -> Symantec Backup Exec -> Backup Exec 2010

Step 2:

Tools -> Options -> Oracle -> click the Modify List button -> click the New button and fill in the following fields:

Oracle or DB2 Server: 10.0.1.100
Logon Account -> click the New button and fill in the following fields:

User name: oracle
Password: enter oracle password for client server
Confirm Password: enter the password again
Account Name: oracle

click OK.

You will also need to configure the SYS user account in the same way.

Then choose oracle in the Logon Account field.

click OK.

Repeat the same steps two more times, changing only the Oracle or DB2 Server field: orcl_node (instead of 10.0.1.100) the first time and orcl_node.sa.ge the second time.

Step 3:

On the media server, add the client entry to the hosts file.

That is all.