Pete Finnigan's Oracle Security Weblog

I have been involved with Oracle Database Vault recently with a deployment and I was asked how can someone view the database vault dictionary views when DV is installed.

So, if we start with no DV enabled in our database and we will focus on the view DBA_DV_FACTOR. With no Database Vault we can connect as SYSDBA and see the view:

SQL> select name from dba_dv_factor;

NAME
--------------------------------------------------------------------------------
Database_Hostname
Database_IP
Database_Instance
Client_IP
Authentication_Method
Identification_Type
Database_Domain
Database_Name
Lang
Language
Network_Protocol

NAME
--------------------------------------------------------------------------------
Proxy_User
Proxy_Enterprise_Identity
Session_User
Domain
Machine
Enterprise_Identity
DV$_Module
DV$_Client_Identifier
DV$_Dblink_Info

20 rows selected.

SQL>

SYSDBA can see the contents of this view. Who owns the view:

SQL> select owner from dba_views where view_name='DBA_DV_FACTOR';

OWNER
--------------------------------------------------------------------------------
DVSYS

SQL>

What permissions are granted on this view:

SQL> select grantee,privilege from dba_tab_privs where table_name='DBA_DV_FACTOR';

GRANTEE
--------------------------------------------------------------------------------------------------------------------------------
PRIVILEGE
----------------------------------------
DV_SECANALYST
SELECT


1 row selected.

SQL>

Check who has been granted DV_SECANALYST:

SQL> select grantee,admin_option from dba_role_privs where granted_role='DV_SECANALYST';

GRANTEE
--------------------------------------------------------------------------------------------------------------------------------
ADM
---
DV_ADMIN
NO

DV_OWNER
YES


2 rows selected.

SQL>

Only DV_OWNER and DV_ADMIN roles have been granted access to this DV_SECANALYST role and DV_OWNER can grant it on. How did SYS access the DBA_DV_FACTOR view:

SQL> create user test_dv identified by test_dv;

User created.

SQL> grant create session, select any table to test_dv;

Grant succeeded.

SQL> connect test_dv/test_dv@//192.168.56.33:1539/xepdb1
Connected.
SQL> select name from dba_dv_factor;

NAME
--------------------------------------------------------------------------------------------------------------------------------
Database_Hostname
Database_IP
Database_Instance
Client_IP
Authentication_Method
Identification_Type
Database_Domain
Database_Name
Lang
Language
Network_Protocol
Proxy_User
Proxy_Enterprise_Identity
Session_User
Domain
Machine
Enterprise_Identity
DV$_Module
DV$_Client_Identifier
DV$_Dblink_Info

20 rows selected.

SQL>

Clearly the access to this view is through SELECT ANY TABLE. I will now enable DV in the CDB and PDB as as there are a lot of steps I will resume after the enable completes:

...
SQL> select * from dba_dv_status;

NAME                STATUS
------------------- --------------
DV_CONFIGURE_STATUS TRUE
DV_ENABLE_STATUS    TRUE
DV_APP_PROTECTION   NOT CONFIGURED

SQL>
SQL> select * from dba_ols_status;

NAME                 STATU
-------------------- -----
DESCRIPTION
------------------------------------------------------------------------------------------------------------------------
OLS_CONFIGURE_STATUS TRUE
Determines if OLS is configured

OLS_DIRECTORY_STATUS FALSE
Determines if OID is enabled with OLS

OLS_ENABLE_STATUS    TRUE
Determines if OLS is enabled


SQL>
...

Database Vault is installed. Let us try and access the DBA_DV_FACTOR view as SYSDBA:

SQL> connect sys/oracle1@//192.168.56.33:1539/xepdb1 as sysdba
Connected.
SQL> select name from dba_dv_factor;
select name from dba_dv_factor
                 *
ERROR at line 1:
ORA-01031: insufficient privileges


SQL>

No luck, what if i grant DV_SECANALYST to SYSDBA:

SQL> grant dv_secanalyst to sys;
grant dv_secanalyst to sys
*
ERROR at line 1:
ORA-47410: Realm violation for GRANT on DV_SECANALYST


SQL> connect c##dvo/oracle1@//192.168.56.33:1539/xepdb1
Connected.
SQL> grant dv_secanalyst to sys;

Grant succeeded.

SQL> connect sys/oracle1@//192.168.56.33:1539/xepdb1 as sysdba
Connected.
SQL> select name from dba_dv_factor;
select name from dba_dv_factor
                 *
ERROR at line 1:
ORA-01031: insufficient privileges


SQL>

So, SYS cannot grant DV roles, so we must use DVO to do this BUT when we connect again as SYS it still cannot access the DBA_DV_FACTOR view as it is blocked by DV even when it has the correct role.

What if we grant DV_SECANALYST to our test user:

SQL> connect test_dv/test_dv@//192.168.56.33:1539/xepdb1
Connected.
SQL> select name from dba_dv_factor;
select name from dba_dv_factor
                 *
ERROR at line 1:
ORA-01031: insufficient privileges


SQL> connect c##dvo/oracle1@//192.168.56.33:1539/xepdb1
Connected.
SQL> grant dv_secanalyst to test_dv;

Grant succeeded.

SQL> connect test_dv/test_dv@//192.168.56.33:1539/xepdb1
Connected.
SQL> select name from dba_dv_factor;

NAME
------------------------------------------------------------------------------------------------------------------------
Database_Hostname
Database_IP
Database_Instance
Client_IP
Authentication_Method
Identification_Type
Database_Domain
Database_Name
Lang
Language
Network_Protocol
Proxy_User
Proxy_Enterprise_Identity
Session_User
Domain
Machine
Enterprise_Identity
DV$_Module
DV$_Client_Identifier
DV$_Dblink_Info

20 rows selected.

SQL>

It works. So, in a vanilla DV install a user with SELECT ANY TABLE cannot see DBA_DV_FACTOR but if granted the DV_SECANALYST role it can.

Maintenance is more complex with DV enabled as we need DV_SECANALYST to see the DV views and we cannot see them with SYSDBA even when it has this role. We also must use a DVO user to make the grants and a DV_ACCTMGR user to create and maintain users. This is separation of duties.

#oracleace #sym_42 #oracle #databasevault #vault #dv #dv_secanalyst