HOUG SZAKMAI NAP 2015 Oracle Database 12c Security New Features: Privilege Capture Előadó: Tóth Balázs


Page 1: Title slide

HOUG SZAKMAI NAP 2015

Oracle Database 12c Security New Features: Privilege Capture

Presenter: Tóth Balázs

Page 2: Privilege Analysis

Oracle Database 12c offers a new package to analyze used privileges.

• You can use a privilege analysis policy to identify used and unused object and system privileges.

• You can generate reports of used and unused privileges during the analysis period.

• The report helps the security officer revoke unnecessary privileges by comparing the used and unused granted privileges lists.

WEBváltó - 2015

Page 3: Privilege Analysis

• Benefits and use cases
– Unnecessarily granted privileges of applications
– Development of secure applications

• Multitenant environment supported
– You can define a policy at PDB level

Page 4: Privilege Analysis

• Increase database security: revoke unused privileges
– Analyze used privileges to revoke unnecessary privileges.
– Use the new package: DBMS_PRIVILEGE_CAPTURE

Privilege analysis cycle (diagram on the slide):

1. Create analysis
2. Start analyzing used privileges
3. Stop analyzing
4. Generate reporting
5. Compare with unused privileges
6. Revoke unused privileges

Page 5: General Steps for Managing Privilege Analysis

• Requires CAPTURE_ADMIN role

1. Define types and conditions of analysis: DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE
2. Start analyzing used privileges: DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE
3. Stop analyzing used privileges: DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE
4. Report used privileges: DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT, then query the result views:
– Used privileges: DBA_USED_PUBPRIVS, DBA_USED_OBJPRIVS, DBA_USED_SYSPRIVS, DBA_USED_PRIVS, DBA_USED_OBJPRIVS_PATH, DBA_USED_SYSPRIVS_PATH
– Unused privileges: DBA_UNUSED_OBJPRIVS, DBA_UNUSED_SYSPRIVS, DBA_UNUSED_PRIVS, DBA_UNUSED_OBJPRIVS_PATH, DBA_UNUSED_SYSPRIVS_PATH

Page 6: 1. Create analysis

• 1.1 Create a database analysis policy

SQL> exec SYS.DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE ( -
       name => 'All_privs', -
       description => 'Captures all privilege use', -
       type => dbms_privilege_capture.g_database);

• 1.2 Create a role analysis policy

SQL> exec SYS.DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE ( -
       name => 'Audit_privs_capture', -
       description => 'Privileges used by audit roles', -
       type => dbms_privilege_capture.g_role, -
       roles => role_name_list('AUDIT_ADMIN','AUDIT_VIEWER'))

Page 7: 1. Create analysis

• 1.3 Create a context analysis policy

SQL> exec SYS.DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE ( -
       name => 'Privs_HR_OE_logged_users', -
       description => 'All privileges used by HR,OE', -
       type => dbms_privilege_capture.g_context, -
       condition => -
       'SYS_CONTEXT(''USERENV'',''SESSION_USER'')=''HR'' -
        OR -
        SYS_CONTEXT(''USERENV'',''SESSION_USER'')=''OE''')

SQL> exec SYS.DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE ( -
       name => 'Privs_AcctPayable_capture', -
       description => 'All privileges used by module', -
       type => dbms_privilege_capture.g_context, -
       condition => 'SYS_CONTEXT -
       (''USERENV'', ''MODULE'')=''Account Payable''')

Page 8: 1. Create analysis

• 1.4 Create a policy combining two analysis types (role and context)

SQL> exec SYS.DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE ( -
       name => 'Privs_context_role', -
       description => 'Captures Context and role', -
       type => dbms_privilege_capture.g_role_and_context, -
       roles => role_name_list('PUBLIC'), -
       condition => 'SYS_CONTEXT -
       (''USERENV'', ''MODULE'')=''Account Payable''')

Page 9: 2. Start and Stop Analyzing

• 2.1 Enable the policy to start analyzing

SQL> exec SYS.DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE ( -
       name => 'All_privs')

• 2.2 After a certain time, disable the policy to stop analyzing

SQL> exec SYS.DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE ( -
       name => 'All_privs')

Page 10: 4. Reporting

• 4.1 Generate the report

SQL> exec SYS.DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT ( -
       name => 'All_privs')

• 4.2 View the results in the data dictionary views
– Used privileges: DBA_USED_PUBPRIVS, DBA_USED_OBJPRIVS, DBA_USED_SYSPRIVS, DBA_USED_PRIVS, DBA_USED_OBJPRIVS_PATH, DBA_USED_SYSPRIVS_PATH
– Unused privileges: DBA_UNUSED_OBJPRIVS, DBA_UNUSED_SYSPRIVS, DBA_UNUSED_PRIVS, DBA_UNUSED_OBJPRIVS_PATH, DBA_UNUSED_SYSPRIVS_PATH

Page 11: 4. Reporting

• 4.2.1 View SYSTEM privileges used during the entire analysis

SQL> select USERNAME, SYS_PRIV from DBA_USED_SYSPRIVS;

USERNAME     SYS_PRIV
------------ --------------------
TOM          CREATE SESSION
OE           UPDATE ANY TABLE
OE           CREATE SESSION
JIM          CREATE SESSION

• 4.2.2 View OBJECT privileges used during the entire analysis

SQL> select USERNAME, OBJECT_OWNER, OBJECT_NAME, OBJ_PRIV
       from DBA_USED_OBJPRIVS where username in ('JIM','TOM');

USERNAME     OBJECT_OWNER OBJECT_NAME              OBJ_PRIV
------------ ------------ ------------------------ ----------
JIM          SYS          DBMS_APPLICATION_INFO    EXECUTE
JIM          HR           EMPLOYEES                DELETE
TOM          SH           SALES                    SELECT

Page 12: 4. Reporting

• 4.2.3 Compare used and unused privileges

SQL> select USERNAME, OBJ_PRIV, OBJECT_NAME, PATH
       from DBA_UNUSED_PRIVS where username='JIM';

USERNAME OBJ_PRIV OBJECT_NAME   PATH
-------- -------- ------------- --------------------------
JIM      INSERT   EMPLOYEES     GRANT_PATH('JIM','HR_MGR')
JIM      UPDATE   EMPLOYEES     GRANT_PATH('JIM','HR_MGR')
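The whole cycle from the slides (create, enable, disable, generate, compare) carried through for one application user, ending with the revoke review list of step 6. This is an added example, not code from the presentation; the policy name HRAPP_CAPTURE and the user HRAPP are assumed, and it assumes the PATH column is the SYS.GRANT_PATH collection that the slide output displays.

```sql
-- Added example (not from the slides). Assumed names: policy HRAPP_CAPTURE,
-- application user HRAPP. Run as a user holding CAPTURE_ADMIN, with
-- SET SERVEROUTPUT ON in SQL*Plus.
BEGIN
  SYS.DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
    name        => 'HRAPP_CAPTURE',
    description => 'Privileges exercised by HRAPP sessions',
    type        => DBMS_PRIVILEGE_CAPTURE.G_CONTEXT,
    condition   => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'')=''HRAPP''');
  SYS.DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE(name => 'HRAPP_CAPTURE');
END;
/
-- Leave the policy enabled for a full business cycle (month end, batch jobs):
-- a short window reports rarely used but legitimate privileges as unused.
BEGIN
  SYS.DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE(name => 'HRAPP_CAPTURE');
  SYS.DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT(name => 'HRAPP_CAPTURE');
END;
/
-- Review list: a REVOKE for privileges granted directly to the user (grant
-- path of length 1); privileges reached through a role are only flagged,
-- because the analysis shows the grant path but not which path to keep.
-- Assumes PATH is the SYS.GRANT_PATH collection, as the slide output shows.
DECLARE
  l_stmt VARCHAR2(4000);
BEGIN
  FOR r IN (SELECT username, sys_priv, obj_priv, object_owner, object_name, path
              FROM dba_unused_privs
             WHERE capture = 'HRAPP_CAPTURE'
               AND (sys_priv IS NOT NULL OR obj_priv IS NOT NULL)
             ORDER BY username, sys_priv, object_owner, object_name) LOOP
    -- DBMS_ASSERT.ENQUOTE_NAME keeps odd identifiers from breaking the DDL
    IF r.sys_priv IS NOT NULL THEN
      l_stmt := 'REVOKE ' || r.sys_priv || ' FROM '
                || DBMS_ASSERT.ENQUOTE_NAME(r.username, FALSE);
    ELSE
      l_stmt := 'REVOKE ' || r.obj_priv || ' ON '
                || DBMS_ASSERT.ENQUOTE_NAME(r.object_owner, FALSE) || '.'
                || DBMS_ASSERT.ENQUOTE_NAME(r.object_name, FALSE)
                || ' FROM ' || DBMS_ASSERT.ENQUOTE_NAME(r.username, FALSE);
    END IF;
    IF r.path.COUNT = 1 THEN
      DBMS_OUTPUT.PUT_LINE(l_stmt || ';');           -- direct grant: safe to revoke
    ELSE
      DBMS_OUTPUT.PUT_LINE('-- via role, review first: ' || l_stmt);
    END IF;
  END LOOP;
END;
/
```

The printed statements are a review list for the security officer, not executed automatically; USER_PRIV rows (privileges on users) are left out of the list on purpose.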

Page 13: 5. Dropping an Analysis

• 5.1 DBA_PRIV_CAPTURES lists the privilege analysis policies in the database

• 5.2 Disable the analysis (a policy that is still enabled cannot be dropped)

SQL> exec dbms_privilege_capture.DROP_CAPTURE('Capture1')
BEGIN dbms_privilege_capture.DROP_CAPTURE('Capture1'); END;

*
ERROR at line 1:
ORA-47932: Privilege capture Capture1 is still enabled.
ORA-06512: at "SYS.DBMS_PRIVILEGE_CAPTURE", line 82
ORA-06512: at line 1

SQL> exec dbms_privilege_capture.DISABLE_CAPTURE('Capture1')
PL/SQL procedure successfully completed.

Page 14: 5. Dropping an Analysis

• 5.3 Drop the analysis

SQL> exec dbms_privilege_capture.DROP_CAPTURE('Capture1')
PL/SQL procedure successfully completed.
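A teardown that checks DBA_PRIV_CAPTURES (step 5.1) before dropping, so the ORA-47932 from the previous page is avoided rather than hit. Added example, not from the presentation; the policy name HRAPP_CAPTURE is assumed.

```sql
-- Added example (not from the slides). Assumed policy name: HRAPP_CAPTURE.
-- Looks up the ENABLED flag in DBA_PRIV_CAPTURES and stops the capture
-- first, so DROP_CAPTURE does not fail with ORA-47932; a missing policy is
-- reported instead of raising NO_DATA_FOUND. Needs SET SERVEROUTPUT ON.
DECLARE
  l_enabled dba_priv_captures.enabled%TYPE;
BEGIN
  SELECT enabled INTO l_enabled
    FROM dba_priv_captures
   WHERE name = 'HRAPP_CAPTURE';
  IF l_enabled = 'Y' THEN
    -- a capture that is still running cannot be dropped
    SYS.DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE(name => 'HRAPP_CAPTURE');
  END IF;
  SYS.DBMS_PRIVILEGE_CAPTURE.DROP_CAPTURE(name => 'HRAPP_CAPTURE');
  DBMS_OUTPUT.PUT_LINE('HRAPP_CAPTURE dropped.');
EXCEPTION
  WHEN NO_DATA_FOUND THEN
    DBMS_OUTPUT.PUT_LINE('HRAPP_CAPTURE does not exist; nothing to drop.');
END;
/
```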

Page 15: Cloud Control / Privilege Analysis

• In Enterprise Manager Cloud Control, open the Security menu and select Privilege Analysis

Page 16: Restrictions

• You can enable only one privilege analysis policy at a time. (Exception: you can enable a database-wide privilege analysis policy at the same time as a non-database-wide privilege analysis policy.)

• You cannot analyze the privileges of the SYS user.

• Privilege analysis shows the grant paths to the privilege but it does not suggest which grant path to keep.

• If the role, user, or object has been dropped, then the values that reflect the privilege captures for these in the privilege analysis data dictionary views are dropped as well.

Page 17: Licensing / Documentation

• Licensing

• Documentation
– Database Vault Administrator's Guide: https://docs.oracle.com/database/121/DVADM/priv_analysis.htm#DVADM591

Page 18: Demo session

Page 19: Contact

WEBváltó Kft.
1095 Budapest, Soroksári út 32-34., Building E, 6th floor
Haller Gardens
Tel./Fax: +36 1 201 9947
E-mail: [email protected]
www.webvalto.hu

Thank you for your attention!