We use the database vault for integrity protection – the data in a certain schema must not be tampered with, not even by dba or by SYSDBA.
Now this article is specifically about the protection from SYSDBA. Of course Oracle writes that even with the Database Vault SYSDBA are still powerful privileges, so you should limit the access to it as much as possible. Still – there is nowhere a statement like you shouldn’t even try to protect from SYSDBA.
And in principle it works. You define a realm – sysdba does not have access anymore. However we came across the different ways in which oracle allows to influence query results – this could be used by SYSDBA to influence the query results of realm users and thereby affect the integrity of the protected information.
For example – on a statement like “insert into a select c from b where …” – if you could influence the result of the subselect then you can tamper with table a.
Now Oracle has (fortunately or unfortunately) several ways of doing such things:
- Advanced Query Rewrites (dbms_advanced_rewrite)
- SQL translation framework (dbms_sql_translator)
- Redaction (dbms_redact)
- possibly others ….
It is easy to see that anyone having access to this functionality could compromise the integrity. So does the database vault protect here ? First thing we saw – by default, no. SYSDBA can freely and happily use all this functionality.
Now – can we protect from this ? First idea- command rules. But unfortunately, no :
BEGIN
object_owner => 'SYS',
DBMS_MACADM.CREATE_COMMAND_RULE(
command => 'EXECUTE',
rule_set_name => 'Disabled',
object_owner => 'SYS',
object_name => 'DBMS_ADVANCED_REWRITE',
enabled => DBMS_MACUTL.G_YES,
scope => DBMS_MACUTL.G_SCOPE_LOCAL);
END;
10 /
BEGIN
*
ERROR at line 1:
ORA-47105: invalid object owner SYS for command EXECUTE
ORA-06512: at "DVSYS.DBMS_MACADM", line 1735
ORA-06512: at line 2
This is even documented, here :
"Note that the SELECT
, INSERT
, UPDATE
, DELETE
, and EXECUTE
statements are not allowed for a selection of all (%) or the SYS
and DVSYS
schemas.".
Next idea – define a mandatory realm protecting access to these packages ? This should block access from SYS:
BEGIN
DBMS_MACADM.CREATE_REALM(
realm_name => 'Test Realm Rewrite',
description => 'Test Realm Rewrite',
enabled => DBMS_MACUTL.G_YES,
audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL,
realm_type => 1);
END;
/
BEGIN
DBMS_MACADM.ADD_OBJECT_TO_REALM(
realm_name => 'Test Realm Rewrite',
object_owner => 'SYS',
object_name => 'DBMS_ADVANCED_REWRITE',
object_type => 'PACKAGE');
END;
/
but … unfortunately ….
BEGIN
DBMS_ADVANCED_REWRITE.declare_rewrite_equivalence (
name => 'test_rewrite',
source_stmt => 'select 1 from testuser.test',
destination_stmt => 'select 2 from testuser.test',
validate => FALSE,
rewrite_mode => 'TEXT_MATCH');
END;
/
succeeds. And this does not appear to be documented anywhere. We found then bug 26825142 – which describes exactly this behaviour and which has been classified as “expected behaviour” and “documentation bug”.
This is of course very unfortunate. So access to these packages by SYSDBA cannot be prevented. What are the possibilities ? Luckily, for the query rewrite and the translation framework parameters or events need to be set – and this can be prevented via command rules ! For example
BEGIN
DBMS_MACADM.CREATE_COMMAND_RULE(
command => 'ALTER SYSTEM',
rule_set_name => 'Disabled',
object_owner => '%',
object_name => '%',
enabled => DBMS_MACUTL.G_YES,
clause_name => 'SET',
parameter_name => 'QUERY_REWRITE_INTEGRITY',
scope => DBMS_MACUTL.G_SCOPE_LOCAL);
END;
/
Now not even SYS can set this event – and not use the advanced query rewrite for tampering anymore.
So there are ways – but it would be much better if Oracle would include such protection by default. I have a case open with them – I will update if I have news.