Oracle Vault has an integrated reporting system that can be used for generating reports for specific Oracle Database Vault components, and for general database security. In the next series of recipes, we will generate some specific Oracle Database Vault reports as well as some reports related to general database security.
In the previous recipes, we have created all the Oracle Vault objects with the audit options disabled. During this series of recipes, we will enable the Audit Options to Audit On Success or Failure on the realms and command rules created earlier, and we will generate several related audit reports. We will also generate some general database security reports related to privileges, audit, passwords, and so on.
The reporting system provided by Oracle Database Vault is a built-in component of the Oracle Database Vault Administrator console.
and click on Edit. In the Audit Options panel, check Audit on Success or Failure and click OK:
Create views for end of the month reporting ruleset.
SELECT against the employees table, with the user system:
    SQL> conn system
    Enter password:
    Connected.
    SQL> select first_name from hr.employees where employee_id=100;
    select first_name from hr.employees where employee_id=100
    *
    ERROR at line 1:
    ORA-01031: insufficient privileges
    SQL>
HR:
    SQL> conn HR
    Enter password:
    Connected.
    SQL> select first_name from hr.employees where employee_id=100;
    FIRST_NAME
    --------------------
    Steven
    SQL>
system try to issue a SELECT against emp_details_view:
    SQL> conn system
    Enter password:
    Connected.
    SQL> select first_name from hr.emp_details_view where employee_id=100;
    select first_name from hr.emp_details_view where employee_id=100
    *
    ERROR at line 1:
    ORA-01031: insufficient privileges
    SQL>
vw_europe issue the same SELECT:
    SQL> conn vw_europe/
    Enter password:
    Connected.
    SQL> select first_name from hr.emp_details_view where employee_id=100;
    FIRST_NAME
    --------------------
    Steven
    SQL>
SELECT as the user HR:
    SQL> conn HR
    Enter password:
    Connected.
    SQL> select first_name from hr.emp_details_view where employee_id=100;
    select first_name from hr.emp_details_view where employee_id=100
    *
    ERROR at line 1:
    ORA-47306: 20998: You are not allowed to report from this view
    SQL>
Here we violated the Report from HR views ruleset.
HR, to violate the Create views for end of the month reporting ruleset:
    SQL> create or replace view names_view as select first_name,last_name from employees;
    create or replace view names_view as select first_name,last_name from employees
    *
    ERROR at line 1:
    ORA-47306: 20999: You are not allowed to create reports until the end of the month
    SQL>
The return code 1031 is identical to ORA-01031: insufficient privileges.
SYS will look like the following screenshot:
Reports can be created and generated by the users with the DV_OWNER, DV_SECANALYST, and DV_ADMIN roles.
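The failed attempts generated by the tests above can also be reviewed directly in SQL. The following queries are an added example, not part of the original recipe; they assume an 11g-style installation where Database Vault audit records are stored in DVSYS.AUDIT_TRAIL$, a session connected as a user holding one of the roles named above, and a 7-day review window chosen only for illustration.

```sql
-- Added example (not from the original recipe).
-- Assumption: Database Vault audit records are in DVSYS.AUDIT_TRAIL$ (11g-style).
-- Assumption: the 7-day window is an illustrative value; adjust to your review cycle.

-- 1. Every failed attempt in the window, newest first.
--    RETURNCODE 0 means success; a value such as 1031 maps to ORA-01031.
SELECT username,
       TO_CHAR(timestamp, 'YYYY-MM-DD HH24:MI:SS') AS occurred_at,
       action_name,
       action_object_name,
       rule_set_name,
       returncode,
       action_command
FROM   dvsys.audit_trail$
WHERE  returncode <> 0
AND    timestamp >= SYSDATE - 7
ORDER  BY timestamp DESC;

-- 2. The same records summarized per user, audit type and rule set,
--    so repeated probing by one account stands out.
SELECT username,
       action_name,
       rule_set_name,
       returncode,
       COUNT(*)       AS attempts,
       MIN(timestamp) AS first_seen,
       MAX(timestamp) AS last_seen
FROM   dvsys.audit_trail$
WHERE  returncode <> 0
AND    timestamp >= SYSDATE - 7
GROUP  BY username, action_name, rule_set_name, returncode
ORDER  BY attempts DESC, last_seen DESC;
```

Records appear here only for realms, command rules and rule sets whose audit options have been enabled, as done earlier in this series of recipes.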
As we have seen, there are plenty of security reports that may be generated. It is recommended that you run and review the security reports at regular intervals. This is especially important if you have reason to suspect that there may have been attempts to access sensitive data that is protected by the Oracle Database Vault features described in this chapter.