Oracle® Database Vault Administrator's Guide
Oracle9i Release 2 (9.2.0.8)

Part Number B32509-01

2 What to Expect After You Install Oracle Database Vault

This chapter describes how your Oracle Database installation will change after you have installed Oracle Database Vault.

This chapter includes the following topics:

    2.1 How Oracle Database Vault Affects Other Oracle Products
    2.2 Initialization and Password Parameter Settings That Change
    2.3 How Oracle Database Vault Restricts User Authorizations
    2.4 Using the Password File to Manage Database Authentication
    2.5 Using New Database Roles to Enforce Separation of Duties

See also Appendix H, "Oracle Database Vault Security Guidelines" for guidelines on managing security in the Oracle Database configuration.

2.1 How Oracle Database Vault Affects Other Oracle Products

When you install Oracle Database Vault, by default it disables operating system authentication for accounts that use the SYSDBA privilege. In addition, it disables connections that use the SYSDBA privilege (for example, logging in to the database with the AS SYSDBA clause), including connections made with the SYS account. You can reenable the ability to connect to the Oracle Database Vault database with the SYSDBA privilege. See "Enable or Disable SYSDBA Logins" in Oracle Database Vault Installation Guide for instructions on enabling connections with the SYSDBA privilege.

Because of this security feature, the Oracle Database Vault instance may affect the Oracle Real Application Clusters srvctl utility. To resolve this problem, reenable connections that use the SYSDBA privilege, and then use the srvctl utility to manage the environment by specifying the connection with the -c parameter.

If you use these utilities in scripts and want to avoid specifying account names and passwords in your scripts, use a Secure External Password Store configuration using Oracle Wallet Manager, or the SSL authentication of the Enterprise User Security features of Oracle Database. For more information about these configurations, see Oracle Database Security Guide, Oracle Database Advanced Security Administrator's Guide, and Oracle Database Enterprise User Security Administrator's Guide.

You should perform a careful analysis of the other processes and programs that normally access your Oracle database instance. Scheduled jobs, batch programs, and other tasks that normally access your database instance may require that the database accounts they log in with be added as authorized accounts for the protected Oracle Database Vault realms, or that object privileges on the protected objects be explicitly granted to these accounts.

2.2 Initialization and Password Parameter Settings That Change

When you install Oracle Database Vault, the installation process modifies several database initialization parameter settings to better secure your database configuration. If these changes adversely affect your organizational processes or database maintenance procedures, you can revert to the original settings.

2.2.1 Initialization Parameter Settings

Table 2-1 describes the initialization parameter settings that Oracle Database Vault modifies. Initialization parameters are stored in the init.ora initialization parameter file, located in $ORACLE_HOME/srvm/admin. For more information about this file, see Oracle Database Administrator's Guide.

Table 2-1 Modified Database Initialization Parameter Settings

For each parameter, the entry gives the default value in the database, the new value set by Database Vault, and a description.

AUDIT_SYS_OPERATIONS
    Default value in database: FALSE
    New value set by Database Vault: TRUE
    Enables or disables the auditing of operations issued by user SYS and by users connecting with the SYSDBA or SYSOPER privilege. For more information about AUDIT_SYS_OPERATIONS, see Oracle Database SQL Reference.

OS_AUTHENT_PREFIX
    Default value in database: ops$
    New value set by Database Vault: Null string
    Specifies a prefix that Oracle uses to authenticate users attempting to connect to the server. The null string value disables SYSDBA operating system authentication only; SYSOPER is still available for use. For more information about OS_AUTHENT_PREFIX, see Oracle Database SQL Reference.

OS_ROLES
    Default value in database: Not configured
    New value set by Database Vault: FALSE
    Enables or disables having the operating system completely manage the granting and revoking of roles to users. When enabled, any previous grants of roles to users made with GRANT statements do not apply; however, they are still listed in the data dictionary. Only the role grants made to users at the operating system level apply. Users can still grant privileges to roles and users. For more information about OS_ROLES, see Oracle Database SQL Reference.

REMOTE_LOGIN_PASSWORDFILE
    Default value in database: EXCLUSIVE
    New value set by Database Vault: EXCLUSIVE
    Specifies whether Oracle checks for a password file. Oracle Database Vault uses password files to authenticate users. If you installed Oracle Database Vault into a database where REMOTE_LOGIN_PASSWORDFILE was not set to EXCLUSIVE, the installation sets it to EXCLUSIVE to enforce the use of the password file. For more information about REMOTE_LOGIN_PASSWORDFILE, see Oracle Database SQL Reference.

REMOTE_OS_AUTHENT
    Default value in database: FALSE
    New value set by Database Vault: FALSE
    Enables or disables operating system-authenticated logins only over secure connections, which precludes using Oracle Net and a shared server configuration. When set to FALSE, this prevents a remote user from impersonating another operating system user over a network connection. For more information about REMOTE_OS_AUTHENT, see Oracle Database Security Guide.

REMOTE_OS_ROLES
    Default value in database: FALSE
    New value set by Database Vault: FALSE
    Enables or disables having the roles of users who connect to the database through Oracle Net authenticated by the operating system. This includes connections through a shared server configuration, because such a connection requires Oracle Net. FALSE is the default because a remote user could impersonate another operating system user over a network connection. For more information about REMOTE_OS_ROLES, see Oracle Database Security Guide.
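The following query is an added example and is not part of the Oracle documentation or the Database Vault product. It compares the live value of each parameter listed in Table 2-1 with the value Database Vault sets, so that a later edit of the parameter file that weakens the configuration is visible at a glance. It assumes a session that can read V$PARAMETER (for example, a DBA account); the expected values are taken from the table above, and a null OS_AUTHENT_PREFIX is displayed as <null>.

```sql
-- Added example (not from the Oracle documentation): report each parameter
-- from Table 2-1 next to the value Database Vault expects, flagging drift.
-- Assumes SELECT access to V$PARAMETER. Parameter names in V$PARAMETER are
-- stored in lowercase; boolean values display as the strings TRUE / FALSE.
SELECT p.name                                        AS parameter_name,
       NVL(p.value, '<null>')                        AS current_value,
       e.expected_value,
       CASE
         WHEN NVL(UPPER(p.value), '<null>') = e.expected_value THEN 'OK'
         ELSE 'DIFFERS'
       END                                           AS status
FROM   v$parameter p,
       -- Expected values as set by Database Vault (Table 2-1); the null
       -- OS_AUTHENT_PREFIX is represented by the constructed marker '<null>'.
       ( SELECT 'audit_sys_operations'      AS param_name, 'TRUE'      AS expected_value FROM dual
         UNION ALL
         SELECT 'os_authent_prefix',                       '<null>'                      FROM dual
         UNION ALL
         SELECT 'os_roles',                                'FALSE'                       FROM dual
         UNION ALL
         SELECT 'remote_login_passwordfile',               'EXCLUSIVE'                   FROM dual
         UNION ALL
         SELECT 'remote_os_authent',                       'FALSE'                       FROM dual
         UNION ALL
         SELECT 'remote_os_roles',                         'FALSE'                       FROM dual ) e
WHERE  p.name = e.param_name
ORDER  BY p.name;
```

A row whose status column reads DIFFERS means the instance no longer runs with the value Database Vault installed; that may be deliberate (the chapter notes you can revert the settings), but it should be a documented decision rather than a surprise found during an audit.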


2.3 How Oracle Database Vault Restricts User Authorizations

During installation of Oracle Database Vault, the installer prompts for several additional database account names. In addition, several database roles are created. These accounts are part of the separation of duties provided by Oracle Database Vault. One common audit problem that has affected several large organizations is the unauthorized creation of new database accounts by a database administrator within a production instance. Upon installation, Oracle Database Vault prevents anyone other than the Oracle Database Vault account manager or a user granted the Oracle Database Vault account manager role from creating users in the database.

2.4 Using the Password File to Manage Database Authentication

Oracle Database Vault uses password file authentication to protect database passwords. This means that the Oracle Database Vault instance uses password files to manage accounts that use the SYSDBA and SYSOPER privileges, such as SYS. You can use the orapwd utility and the REMOTE_LOGIN_PASSWORDFILE initialization parameter setting to update the password files of each instance if the security procedures of your organization mandate periodic password changes.
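The script below is an added example, not Oracle's own procedure. It shows the two checks a periodic password rotation of a password-file account should include: which accounts the password file currently authenticates (V$PWFILE_USERS), and that REMOTE_LOGIN_PASSWORDFILE is EXCLUSIVE, since the password-file entry for SYS is only kept in step by ALTER USER when the file is exclusive to the instance. It assumes a SQL*Plus session holding the SYSDBA privilege (reenabled as described in Section 2.1); <new_sys_password> is a placeholder to be supplied at run time.

```sql
-- Added example (not from the Oracle documentation): audit the accounts in
-- the password file and rotate the SYS password safely.
-- Assumes a SQL*Plus session with SYSDBA; <new_sys_password> is a placeholder.

-- 1. Which accounts does the password file authenticate, and with which
--    privilege? Anything unexpected here deserves investigation before
--    the rotation, not after.
SELECT username, sysdba, sysoper
FROM   v$pwfile_users
ORDER  BY username;

-- 2. Refuse to continue unless the password file is EXCLUSIVE. In SHARED or
--    NONE mode, ALTER USER SYS would change only the data-dictionary password
--    and the password file would keep the old one.
WHENEVER SQLERROR EXIT FAILURE
DECLARE
  v_mode VARCHAR2(4000);
BEGIN
  SELECT value
  INTO   v_mode
  FROM   v$parameter
  WHERE  name = 'remote_login_passwordfile';

  IF UPPER(v_mode) <> 'EXCLUSIVE' THEN
    RAISE_APPLICATION_ERROR(-20001,
      'REMOTE_LOGIN_PASSWORDFILE is ' || NVL(v_mode, '<null>') ||
      ', expected EXCLUSIVE; rotate with orapwd instead');
  END IF;
END;
/

-- 3. Rotate the SYS password; with an EXCLUSIVE password file the entry in
--    the file is updated as part of this statement.
ALTER USER SYS IDENTIFIED BY <new_sys_password>;
```

If the second step fails, or if the password file itself must be recreated (for example, after changing the number of entries), fall back to the orapwd utility named in the text above and bounce each instance of the database so that it picks up the new file.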

See also the following sections or documents:

2.5 Using New Database Roles to Enforce Separation of Duties

To meet regulatory, privacy, and other compliance requirements, Oracle Database Vault implements the concept of separation of duties. Oracle Database Vault makes a clear separation between the account management responsibility, the data security responsibility, and the database resource management responsibility inside the database. This means that the concept of a superprivileged user (for example, DBA) is divided among several new database roles to ensure that no one user has full control over both the data and the configuration of the system. Oracle Database Vault prevents the SYS user and other accounts with the DBA role and other system privileges from accessing designated protected areas of the database called realms. It also introduces new database roles called the Oracle Database Vault Owner (DV_OWNER) and the Oracle Database Vault Account Manager (DV_ACCTMGR). These new database roles separate the data security and the account management from the traditional DBA role. You should map these roles to distinct security professionals within your organization.

See "Oracle Database Vault Roles" for detailed information about the roles created during the Oracle Database Vault installation. See also "Oracle Database Vault Accounts" for default accounts that are created and for suggestions of additional accounts that you may want to create.
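As an added check (example code, not from the Oracle documentation), the query below reports any account that has been granted more than one of the DV_OWNER, DV_ACCTMGR, and DBA roles, which is exactly the situation the separation of duties described above is meant to rule out: one person holding both the data-security role and account management, or either of them together with the traditional DBA role. It assumes a session that can read DBA_ROLE_PRIVS and that the roles carry the names given in this section.

```sql
-- Added example (not from the Oracle documentation): list accounts in which
-- Database Vault's separation of duties has collapsed back into one user.
-- Assumes SELECT access to DBA_ROLE_PRIVS. Only direct role grants are
-- examined; grants that reach an account through an intermediate role
-- would need ROLE_ROLE_PRIVS to be followed as well.
SELECT grantee,
       MAX(CASE WHEN granted_role = 'DV_OWNER'   THEN 'Y' ELSE 'N' END) AS dv_owner,
       MAX(CASE WHEN granted_role = 'DV_ACCTMGR' THEN 'Y' ELSE 'N' END) AS dv_acctmgr,
       MAX(CASE WHEN granted_role = 'DBA'        THEN 'Y' ELSE 'N' END) AS dba
FROM   dba_role_privs
WHERE  granted_role IN ('DV_OWNER', 'DV_ACCTMGR', 'DBA')
GROUP  BY grantee
HAVING COUNT(DISTINCT granted_role) > 1
ORDER  BY grantee;
```

An empty result is the expected outcome on a correctly configured instance. Each row that does appear names an account whose role grants should be reviewed against the mapping of roles to distinct people that this section recommends, and the extra role revoked where the overlap is not justified.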