2 What to Expect After You Enable Oracle Database Vault

When you enable Oracle Database Vault, several Oracle Database security features, such as default user authorizations, are modified to provide stronger security restrictions.

2.1 Initialization and Password Parameter Settings That Change

The Oracle Database Vault configuration modifies several database initialization parameter settings to better secure your database configuration.

If these changes adversely affect your organizational processes or database maintenance procedures, then contact Oracle Support for help in resolving the issue.

Table 2-1 describes the initialization parameter settings that Oracle Database Vault modifies. Initialization parameters are stored in the init.ora initialization parameter file. On UNIX and Linux, this file is located in $ORACLE_HOME/dbs. On Windows, this file is located in $ORACLE_HOME/database. For more information about this file, see Oracle Database Reference.

Table 2-1 Modified Database Initialization Parameter Settings

Parameter Default Value in Database New Value Set by Database Vault Impact of the Change

AUDIT_SYS_OPERATIONS

FALSE

TRUE

Enables the auditing of top-level operations directly issued by user SYS, and users connecting with SYSDBA or SYSOPER privilege.

For more information about AUDIT_SYS_OPERATIONS, see Oracle Database Reference.

OS_ROLES

Not configured

FALSE

Disables the operating system to completely manage the granting and revoking of roles to users. Any previous grants of roles to users using GRANT statements do not change, because they are still listed in the data dictionary. Only the role grants made at the operating system-level to users apply. Users can still grant privileges to roles and users.

For more information about OS_ROLES, see Oracle Database Reference.

REMOTE_LOGIN_PASSWORDFILE

EXCLUSIVE

EXCLUSIVE

Specifies whether Oracle Database checks for a password file. The EXCLUSIVE setting enforces the use of the password file, if you installed Oracle Database Vault into a database where REMOTE_LOGIN_PASSWORDFILE is not set to EXCLUSIVE.

For more information about REMOTE_LOGIN_PASSWORDFILE, see Oracle Database Reference.

SQL92_SECURITY

TRUE

TRUE

Ensures that if a user has been granted the UPDATE or DELETE object privilege, then the user must also be granted the SELECT object privilege before being able to perform UPDATE or DELETE operations on tables that have WHERE or SET clauses.

Be aware that if the user is only granted the READ object privilege (instead of SELECT), then the user is not able to perform UPDATE or DELETE operations.

For more information about SQL92_SECURITY, see Oracle Database Reference.

2.2 How Oracle Database Vault Restricts User Authorizations

The Oracle Database configuration requires two additional administrative database account names.

In addition, several database roles are created. These accounts are part of the separation of duties provided by Oracle Database Vault. One common audit problem that has affected several large organizations is the unauthorized creation of new database accounts by a database administrator within a production instance. Upon installation, Oracle Database Vault prevents anyone other than the Oracle Database Vault account manager or a user granted the Oracle Database Vault account manager role from creating users in the database.

2.3 New Database Roles to Enforce Separation of Duties

The Oracle Database Vault configuration implements the concept of separation of duty so that you can meet regulatory, privacy and other compliance requirements.

Oracle Database Vault makes clear separation between the account management responsibility, data security responsibility, and database management responsibility inside the database. This means that the concept of a super-privileged user (for example, DBA) is divided among several new database roles to ensure no one user has full control over both the data and configuration of the system. Oracle Database Vault prevents privileged users (those with the DBA and other privileged roles and system privileges) from accessing designated protected areas of the database called realms. It also introduces new database roles called the Oracle Database Vault Owner (DV_OWNER) and the Oracle Database Vault Account Manager (DV_ACCTMGR). These new database roles separate the data security and the account management from the traditional DBA role. You should map these roles to distinct security professionals within your organization.

2.4 Privileges That Are Revoked from Existing Users and Roles

The Oracle Database Vault configuration revokes privileges from several Oracle Database-supplied users and roles, for better separation of duty.

Table 2-2 lists privileges that Oracle Database Vault revokes from the Oracle Database-supplied users and roles. Be aware that if you disable Oracle Database Vault, these privileges remain revoked. If your applications depend on these privileges, then grant them to application owner directly. In a multitenant environment, these privileges are revoked from the users and roles in the CDB root and its PDBs and from the application root and its PDBs.

Table 2-2 Privileges Oracle Database Vault Revokes

User or Role Privilege That Is Revoked

DBA role

  • BECOME USER

  • SELECT ANY TRANSACTION

  • CREATE ANY JOB

  • CREATE EXTERNAL JOB

  • EXECUTE ANY PROGRAM

  • EXECUTE ANY CLASS

  • MANAGE SCHEDULER

  • DEQUEUE ANY QUEUE

  • ENQUEUE ANY QUEUE

  • MANAGE ANY QUEUE

IMP_FULL_DATABASE roleFoot 1

  • BECOME USER

  • MANAGE ANY QUEUE

EXECUTE_CATALOG_ROLE role

  • EXECUTE ON SYS.DBMS_LOGMNR_D

  • EXECUTE ON SYS.DBMS_LOGMNR_LOGREP_DICT

  • EXECUTE ON SYS.DBMS_FILE_TRANSFER

  • EXECUTE ON SYS.DBMS_LOGMNR

PUBLIC user

  • EXECUTE ON UTL_FILE during the execution of the CONFIGURE_DV procedure, but before this revocation takes place, CONFIGURE_DV grants the object privilege directly to any schema that is dependent on this procedure

SCHEDULER_ADMIN roleFoot 2

  • CREATE ANY JOB

  • CREATE EXTERNAL JOB

  • EXECUTE ANY PROGRAM

  • EXECUTE ANY CLASS

  • MANAGE SCHEDULER

Footnote 1

To authorize users to export and import data using Oracle Data Pump, see Using Oracle Data Pump with Oracle Database Vault.

Footnote 2

To authorize users to schedule database jobs, see Using Oracle Scheduler with Oracle Database Vault.

Note:

Both the SYS and SYSTEM users retain the SELECT privilege for the DBA_USERS_WITH_DEFPWD data dictionary view, which lists user accounts that use default passwords. If you want other users to have access to this view, grant them the SELECT privilege on it.

2.5 Privileges That Are Prevented for Existing Users and Roles

The Oracle Database Vault configuration prevents several privileges for all users and roles who have been granted these privileges, including users SYS and SYSTEM.

The DV_ACCTMGR role has these privileges for separation of duty:

  • ALTER PROFILE

  • ALTER USER

  • CREATE PROFILE

  • CREATE USER

  • DROP PROFILE

  • DROP USER

For better security and to maintain separation-of-duty standards, do not enable SYS or SYSTEM users the ability to create or manage user accounts.

Any role can be granted to user SYS, but SYS cannot use the role because no roles are enabled in the SYS session.

2.6 Modified AUDIT Statement Settings for a Non-Unified Audit Environment

When you configure Oracle Database Vault and if you decide not to use unified auditing, then Database Vault configures several AUDIT statements.