11 Using Simulation Mode for Logging Realm and Command Rule Activities
Simulation mode writes the activities performed on realms and command rules to a log file, which is accessible through a data dictionary view.
- About Simulation Mode
  Simulation mode enables you to capture a record of errors during the development phase of a realm or command rule.
- Simulation Mode Use Cases
  Simulation mode is useful for testing a development configuration of new realms and command rules.
- Tutorial: Tracking Violations to a Realm Using Simulation Mode
  This tutorial shows how to create a realm that uses simulation mode and then test violations to the realm.
11.1 About Simulation Mode
Simulation mode enables you to capture a record of errors during the development phase of a realm or command rule.
Simulation mode stores the errors that are captured in one location for easy analysis. To use simulation mode, when you create or update a realm or command rule, instead of enabling or disabling the realm or command rule, you can set it to simulation mode. The realm or command rule is still enabled, but because violations are not blocked and are instead recorded to the simulation log file, you can test it for any potential errors before you enable it for a production environment.
For example, the following creation statement for a realm enables simulation mode:
BEGIN
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR Apps',
    description   => 'Realm to protect the HR realm',
    enabled       => DBMS_MACUTL.G_SIMULATION,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL,
    realm_type    => 1,
    realm_scope   => DBMS_MACUTL.G_SCOPE_LOCAL);
END;
/
At this stage, SQL statements that violate realms or command rules are still able to execute, but these activities are recorded to the DBA_DV_SIMULATION_LOG data dictionary view. For example, the following query finds violations against the HR Apps realm:
SELECT USERNAME, COMMAND, SQLTEXT, VIOLATION_TYPE
  FROM DBA_DV_SIMULATION_LOG
 WHERE REALM_NAME = 'HR Apps';

USERNAME COMMAND    SQLTEXT                          VIOLATION_TYPE
-------- ---------- -------------------------------- ---------------
DGRANT   SELECT     SELECT SALARY FROM HR.EMPLOYEES; Realm Violation
After you have completed testing the realm or command rule, a user who has been granted the DV_ADMIN or DV_OWNER role can clear the DBA_DV_SIMULATION_LOG data dictionary view by deleting the contents of the underlying table of this view, DVSYS.SIMULATION_LOG$.
For example:
DELETE FROM DVSYS.SIMULATION_LOG$;
Or:
DELETE FROM DVSYS.SIMULATION_LOG$ WHERE COMMAND = 'SELECT';
11.2 Simulation Mode Use Cases
Simulation mode is useful for testing a development configuration of new realms and command rules.
Use cases are as follows:
- Application certification
  When you are certifying applications, you can use simulation mode as follows in an application test environment:
  - Put all schemas for the application into mandatory realms with simulation mode enabled.
  - Run a full regression test.
  - Analyze the simulation mode log by querying the DBA_DV_SIMULATION_LOG data dictionary view to find who can access these schemas.
  - Update the realms with new authorizations, and then enable the realms (that is, no longer using simulation mode).
  - Re-run the regression test.
- Introduction of a new command rule
  You can use simulation mode on a production database that has Oracle Database Vault enabled.
  - Put the new command rule into production in simulation mode for however many weeks are necessary.
  - Analyze the simulation mode log by querying DBA_DV_SIMULATION_LOG to determine if the command rule is working correctly.
  - Make changes to the command rule as necessary.
  - Enable the command rule.
- Putting a new realm into a production database in simulation mode
  This method can help to find the system context information needed to set the trusted path rules in rule sets and to find authorized users for realms.
  - Create the new realm in mandatory mode and add the protected objects.
  - Do not add any authorized users.
  - Run applications and development operations from the normal IP addresses that will be used.
  - Check the simulation log for both authorized users and system context information that you can use to create trusted paths.
  - Create the trusted paths, and then add the authorized users.
  - Clear the simulation log and run the application and development operation tasks again.
  - After a period of time, review the simulation log. If all the controls were updated correctly, then the simulation log is empty. Log entries in the simulation log indicate either additional changes that you need to make to the realm and rule sets, or possible malicious use.
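The following script walks a mandatory realm through the lifecycle described in About Simulation Mode and in the use cases above: create it in simulation mode, let the workload run, analyze the log, authorize the legitimate accounts, clear the log, and finally switch the realm to enforcement. It is an added example, not code from the Oracle documentation. The CREATE_REALM call and the DBA_DV_SIMULATION_LOG columns USERNAME, COMMAND, SQLTEXT, VIOLATION_TYPE and REALM_NAME come from this page; DBMS_MACADM.ADD_OBJECT_TO_REALM, DBMS_MACADM.ADD_AUTH_TO_REALM, DBMS_MACADM.UPDATE_REALM, DBMS_MACUTL.G_YES and DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT are the standard DBMS_MACADM/DBMS_MACUTL names and are assumed here, as are the CLIENT_IP and MACHINE columns of the log view. The account HR_APP is a constructed application user.

```sql
-- Run as a user holding DV_OWNER or DV_ADMIN (assumption: standard Database Vault setup).

-- 1. Create a mandatory realm (realm_type => 1) in simulation mode and protect the
--    whole HR schema. '%' wildcards match every object name and type
--    (ADD_OBJECT_TO_REALM is the standard DBMS_MACADM call, not shown on this page).
BEGIN
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR Apps',
    description   => 'Realm to protect the HR schema (simulation phase)',
    enabled       => DBMS_MACUTL.G_SIMULATION,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL,
    realm_type    => 1,
    realm_scope   => DBMS_MACUTL.G_SCOPE_LOCAL);

  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR Apps',
    object_owner => 'HR',
    object_name  => '%',
    object_type  => '%');
END;
/
-- No authorizations are added yet, so every access to HR objects is logged.

-- 2. Run the regression test or normal workload from the usual clients, then analyze:
--    who touched the schema, from which host and IP, and with what commands.
--    CLIENT_IP and MACHINE are assumed columns of DBA_DV_SIMULATION_LOG.
SELECT USERNAME, CLIENT_IP, MACHINE, COMMAND, COUNT(*) AS HITS
  FROM DBA_DV_SIMULATION_LOG
 WHERE REALM_NAME = 'HR Apps'
 GROUP BY USERNAME, CLIENT_IP, MACHINE, COMMAND
 ORDER BY HITS DESC;

-- Statements that change protected data are the ones to review first.
SELECT USERNAME, COMMAND, SQLTEXT, VIOLATION_TYPE
  FROM DBA_DV_SIMULATION_LOG
 WHERE REALM_NAME = 'HR Apps'
   AND COMMAND IN ('INSERT', 'UPDATE', 'DELETE', 'MERGE')
 ORDER BY USERNAME, COMMAND;

-- 3. Authorize the accounts the analysis showed to be legitimate (HR_APP is a
--    constructed application account), then clear the log and re-run the workload.
BEGIN
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'HR Apps',
    grantee       => 'HR_APP',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/
DELETE FROM DVSYS.SIMULATION_LOG$;
COMMIT;

-- 4. After the re-run the realm's log should be empty. Any remaining row is either
--    an authorization still missing or an access that should not be happening.
SELECT USERNAME, COMMAND, SQLTEXT
  FROM DBA_DV_SIMULATION_LOG
 WHERE REALM_NAME = 'HR Apps';

-- 5. Only when the log stays empty, switch the realm from simulation to enforcement.
BEGIN
  DBMS_MACADM.UPDATE_REALM(
    realm_name    => 'HR Apps',
    description   => 'Realm to protect the HR schema',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL,
    realm_type    => 1,
    realm_scope   => DBMS_MACUTL.G_SCOPE_LOCAL);
END;
/
```

The order matters: the log is cleared only after the authorizations have been added, so that a second workload run produces a clean signal, and the realm is enabled only after that run leaves the log empty. Rows that survive the second run are the decision point between adding another authorization or trusted path and treating the access as unwanted.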
11.3 Tutorial: Tracking Violations to a Realm Using Simulation Mode
This tutorial shows how to create a realm that uses simulation mode and then test violations to the realm.
- About This Tutorial
  In this tutorial, you will create a realm around the HR.EMPLOYEES schema and test violations against it.
- Step 1: Create Users for This Tutorial
  You must create three users for this tutorial.
- Step 2: Create a Realm and an Oracle Database Vault Policy
  Next, you create a realm around the HR.EMPLOYEES table, and then add this realm to an Oracle Database Vault policy.
- Step 3: Test the Realm and Policy
  User tjones_dba will commit a violation on the realm to test the realm and policy.
- Step 4: Query the DBA_DV_SIMULATION_LOG View for Violations
  Now you can check the simulation mode log for the violations that user tjones_dba committed.
- Step 5: Enable and Re-test the Realm
  Now that you have captured the violations, user psmith can update the HR.EMPLOYEES_pol policy.
- Step 6: Remove the Components for This Tutorial
  You can remove the components that you created for this tutorial if you no longer need them.
11.3.1 About This Tutorial
In this tutorial, you will create a realm around the HR.EMPLOYEES schema and test violations against it.
The HR.EMPLOYEES schema contains confidential data such as employee salaries. To test the realm, an administrator, tjones_dba, will look up and modify the salary of another employee, smavris. The Database Vault administrator, leo_dvowner, will use simulation mode to track the violations to the HR.EMPLOYEES schema. To accomplish this, user leo_dvowner will create a Database Vault policy, which a delegated administrator, user psmith, will own. User psmith will then be able to make limited changes to the policy without needing the DV_OWNER or DV_ADMIN role.
11.3.2 Step 1: Create Users for This Tutorial
You must create three users for this tutorial: psmith, who is the Database Vault policy owner; tjones_dba, who commits violations on the HR.EMPLOYEES table; and smavris, whose salary is the target of tjones_dba's violations.
11.3.3 Step 2: Create a Realm and an Oracle Database Vault Policy
Next, you create a realm around the HR.EMPLOYEES table, and then add this realm to an Oracle Database Vault policy.
11.3.4 Step 3: Test the Realm and Policy
User tjones_dba will commit a violation on the realm to test the realm and policy.
tjones_dba's violations have been recorded in the DBA_DV_SIMULATION_LOG data dictionary view.
11.3.5 Step 4: Query the DBA_DV_SIMULATION_LOG View for Violations
Now you can check the simulation mode log for the violations that user tjones_dba committed.
tjones_dba has committed two offences: first, he looked at another employee's salary, and not only that, he cut it in half. The violation type is a realm violation. The query by smavris was not captured because she legitimately can look at her own salary.
11.3.6 Step 5: Enable and Re-test the Realm
Now that you have captured the violations, user psmith can update the HR.EMPLOYEES_pol policy so that the HR.EMPLOYEES_realm realm can be enabled. Then you can test the violations again.