1) To check whether the Database Vault / Advanced Security options are enabled or disabled (the default is disabled).
Start the Database Configuration Assistant (DBCA) from the command prompt to configure the Advanced Security options:
Select the Dedicated Server Mode option and click Finish to complete the configuration.
At this stage the Vault installation is complete. A Vault owner schema named “DBVOWNER” is created in the database; it is used for Vault configuration and the other administrative options.
Note: grant SELECT_CATALOG_ROLE and the SELECT ANY DICTIONARY privilege to DBVOWNER.
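The status checks and the grants from the steps above, written as SQL. This is an added illustration and not part of the original document: the DBVOWNER account name follows the page, and the DBA_DV_STATUS view is assumed to be available in the release in use (it is documented from Oracle Database 11g Release 2 onward).

```sql
-- Added example: option status checks and the grants from the note above.
-- Run as SYS; DBVOWNER is the Vault owner account named on the page.

-- 1. Are the options linked into this instance at all?
SELECT parameter, value
  FROM v$option
 WHERE parameter LIKE '%Vault%' OR parameter LIKE '%Security%';

-- 2. Is Database Vault configured and enabled? (DBA_DV_STATUS is assumed
--    present; it reports DV_CONFIGURE_STATUS and DV_ENABLE_STATUS.)
SELECT name, status
  FROM dba_dv_status;

-- 3. The grants from the note, followed by a check that they landed.
GRANT SELECT_CATALOG_ROLE TO dbvowner;
GRANT SELECT ANY DICTIONARY TO dbvowner;

SELECT 'ROLE' AS kind, granted_role AS name
  FROM dba_role_privs
 WHERE grantee = 'DBVOWNER'
UNION ALL
SELECT 'PRIV', privilege
  FROM dba_sys_privs
 WHERE grantee = 'DBVOWNER'
 ORDER BY 1, 2;
```

Both queries in step 3 should list exactly the role and privilege from the note; anything extra on the Vault owner is worth questioning, because that account decides what the administrators can reach.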
1) Creating a realm (rule) that prohibits SYS or any superuser from accessing sensitive data in the database schemas:
SYS and other superusers have full access to schema objects; after creating a realm in Database Vault we can block this unauthorized access.
Realm created to protect access to the test50 schema.
By creating this realm, the SYS user and users with ADMIN options can no longer access objects in the test50 schema. This puts application data out of reach of the administrators. Note that a regular realm blocks access obtained through system privileges such as SELECT ANY TABLE; direct object grants made by the schema owner are still honoured.
Similar rules can be defined for INSERT, UPDATE and DELETE from local or remote machines.
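The realm described above as a DBMS_MACADM script, added here as an illustration and not taken from the original document. The realm name is chosen for the example; the schema (TEST50) and the Vault owner (DBVOWNER, which runs this block) follow the page.

```sql
-- Added example: a realm that places every object of the TEST50 schema out
-- of reach of SYS and of any user relying on ANY privileges or the DBA role.
-- Run as the Database Vault owner (DBVOWNER on this page).
BEGIN
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'TEST50 Application Data',
    description   => 'Blocks SYS/DBA access to TEST50 via system privileges',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);   -- audit every violation

  -- '%' for name and type covers every object in the schema, including
  -- tables created after the realm is defined.
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'TEST50 Application Data',
    object_owner => 'TEST50',
    object_name  => '%',
    object_type  => '%');

  -- Only the schema owner is authorised. Nobody else is listed, so DBA,
  -- SELECT ANY TABLE and similar privileges no longer reach these objects.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'TEST50 Application Data',
    grantee       => 'TEST50',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_OWNER);
END;
/

-- Verify the definition from the Vault dictionary views.
SELECT name, enabled, audit_options
  FROM dba_dv_realm
 WHERE name = 'TEST50 Application Data';

SELECT owner, object_name, object_type
  FROM dba_dv_realm_object
 WHERE realm_name = 'TEST50 Application Data';

-- Functional check, run as SYS: a query on any TEST50 table now fails with
-- ORA-01031: insufficient privileges, and the attempt is audited.
-- SELECT COUNT(*) FROM test50.some_table;
```

If an application account reads TEST50 through object grants rather than system privileges it keeps working, which is usually what is wanted; to make that account a realm participant instead, call ADD_AUTH_TO_REALM for it with G_REALM_AUTH_PARTICIPANT.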
3) Not allowing users to connect from SQL*Plus or any other tool, except superadmins connecting from the server itself, even if they hold the privileges. This prevents unnecessary direct access to the database.
If the same user tries to access the data remotely or from any other machine, the connection fails with the error shown below:
5) Allowing connections to the database only from authenticated hosts:
This rule disallows any connection to the database other than from the hosts we specify, so only authorized hosts can establish a connection.
Create the rule set first, then the command rule.
Rule set condition:
Matching on host name: SYS_CONTEXT('USERENV','HOST') = 'standby.dba.com'
To match on an IP address instead, compare SYS_CONTEXT('USERENV','IP_ADDRESS') against the client's address; HOST holds the host name, not the IP.
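The two CONNECT restrictions above (items 3 and 5) implemented as one rule set and command rule, added here as an illustration rather than copied from the document. The host name follows the page; the rule, rule set and administrator account names are chosen for the example, and the two administrators exempted from the tool check (SYS and DBVOWNER) are an assumption.

```sql
-- Added example: CONNECT command rule admitting sessions only from the
-- trusted host, and refusing SQL*Plus unless the session is a superadmin.
-- Run as the Database Vault owner.
BEGIN
  -- Rule 1: the client must come from the authorised host. HOST is reported
  -- by the client; IP_ADDRESS is the address the listener saw and is the
  -- better attribute when the network is trusted more than the client.
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'From trusted host',
    rule_expr => q'[SYS_CONTEXT('USERENV','HOST') = 'standby.dba.com']');

  -- Rule 2: no SQL*Plus unless the user is a named superadmin. MODULE can be
  -- set by the client (DBMS_APPLICATION_INFO), so this is hygiene, not a
  -- hard security boundary.
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'No ad-hoc tools except superadmins',
    rule_expr => q'[UPPER(SYS_CONTEXT('USERENV','MODULE')) NOT LIKE '%SQLPLUS%'
                    OR SYS_CONTEXT('USERENV','SESSION_USER') IN ('SYS','DBVOWNER')]');

  -- Both rules must pass (EVAL_ALL); failures are audited and the user is
  -- shown the message below instead of a generic error.
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Trusted connections only',
    description     => 'Authorised host and tool checks for CONNECT',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'Connections are permitted only from authorised hosts and tools',
    fail_code       => -20001,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);

  DBMS_MACADM.ADD_RULE_TO_RULE_SET(rule_set_name => 'Trusted connections only',
                                   rule_name     => 'From trusted host');
  DBMS_MACADM.ADD_RULE_TO_RULE_SET(rule_set_name => 'Trusted connections only',
                                   rule_name     => 'No ad-hoc tools except superadmins');

  -- Attach the rule set to CONNECT for every user. Created disabled so the
  -- rule expressions can be checked first: a wrong expression here locks
  -- everyone out, the Vault owner included.
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'CONNECT',
    rule_set_name => 'Trusted connections only',
    object_owner  => '%',
    object_name   => '%',
    enabled       => DBMS_MACUTL.G_NO);
END;
/

-- From a session on the authorised host, confirm what the rules will see.
SELECT SYS_CONTEXT('USERENV','HOST')       AS host,
       SYS_CONTEXT('USERENV','IP_ADDRESS') AS ip,
       SYS_CONTEXT('USERENV','MODULE')     AS module
  FROM dual;

-- Only then switch the command rule on.
BEGIN
  DBMS_MACADM.UPDATE_COMMAND_RULE(
    command       => 'CONNECT',
    rule_set_name => 'Trusted connections only',
    object_owner  => '%',
    object_name   => '%',
    enabled       => DBMS_MACUTL.G_YES);
END;
/

SELECT command, rule_set_name, enabled
  FROM dba_dv_command_rule
 WHERE command = 'CONNECT';

SELECT rule_name, rule_expr
  FROM dba_dv_rule_set_rule
 WHERE rule_set_name = 'Trusted connections only';
```

Keep a second session open while enabling the rule, and add the database server's own host name to the first rule if administrators connect locally; otherwise the first failed login is your own.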
All Vault violations are listed under the Database Vault Reports tab.
General database security reports are available under General Security Reports,
e.g. the report of users holding the DBA role:
Data Masking
Data Masking is an option of Advanced Security that becomes available once the Advanced Security option is enabled. Earlier releases offered only DBMS_CRYPTO, which is an encryption API (the data is hidden but recoverable with the key); from 11g onward the Data Masking pack is the recommended approach.
Important columns are masked to keep sensitive data out of reach of some of the people who work with the data.
Data Masking is also important when someone offshore needs to work with live data, where the sensitive data has to be masked.
1) Masking important data in the PRIV1 schema table INFO_ACCESS, which contains credit card numbers and passwords, and providing a copy of this data to an offshore/remote location.
Data Masking is done by specifying definitions as seen below; the masked columns are Name, Card_Number and Password.
The message “Script Not Generated” appears because the data is cloned directly on the remote host and masked on the local host.
Once the definition is created with the appropriate format options, the data can be transferred to the remote location with the standard Oracle tools.
The data is dumped into another database named “testdb” with the column values masked.
Sensitive columns in other tables can be masked in the same way.
Note: columns that reference a primary key (foreign keys) are masked automatically, even though we do not define a definition for them.
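What the masking job does to the three columns, written out as plain SQL so the transformation is visible. This is an added illustration, not the Enterprise Manager job or the script it generates. The scratch table, its two rows and the function names are constructed for the example; run it only in the cloned database (testdb on this page), never against the production schema.

```sql
-- Added example: hand-written equivalent of the masking definition above.
-- Constructed scratch table; run in the clone, never in production.
CREATE TABLE info_access_mask (
  id          NUMBER        PRIMARY KEY,
  name        VARCHAR2(40),
  card_number VARCHAR2(19),
  password    VARCHAR2(60));

INSERT INTO info_access_mask VALUES (1, 'wayne rooney', '4111111111111111', 'Secret123');
INSERT INTO info_access_mask VALUES (2, 'cloud sales',  '5500000000000004', 'hunter2');
COMMIT;

-- Luhn check digit for a card body (every digit except the last), so a masked
-- number still passes the checksum validation that real numbers pass.
CREATE OR REPLACE FUNCTION luhn_digit(p_body IN VARCHAR2) RETURN VARCHAR2 IS
  l_sum NUMBER := 0;
  l_d   NUMBER;
BEGIN
  FOR i IN 1 .. LENGTH(p_body) LOOP
    l_d := TO_NUMBER(SUBSTR(p_body, i, 1));
    -- the rightmost body digit and every second digit left of it are doubled
    IF MOD(LENGTH(p_body) - i, 2) = 0 THEN
      l_d := l_d * 2;
      IF l_d > 9 THEN l_d := l_d - 9; END IF;
    END IF;
    l_sum := l_sum + l_d;
  END LOOP;
  RETURN TO_CHAR(MOD(10 - MOD(l_sum, 10), 10));
END;
/

-- Keep the length and the leading (network) digit, randomise everything
-- else, then append a valid check digit. Nothing else of the original survives.
CREATE OR REPLACE FUNCTION mask_card(p_card IN VARCHAR2) RETURN VARCHAR2 IS
  l_len  PLS_INTEGER := LENGTH(p_card);
  l_body VARCHAR2(19);
BEGIN
  l_body := SUBSTR(p_card, 1, 1)
         || LPAD(TRUNC(DBMS_RANDOM.VALUE(0, POWER(10, l_len - 2))), l_len - 2, '0');
  RETURN l_body || luhn_digit(l_body);
END;
/

-- The masking pass: random names, Luhn-valid random card numbers and a fresh
-- random password, so the clone holds no real credential.
UPDATE info_access_mask
   SET name        = DBMS_RANDOM.STRING('l', 6) || ' ' || DBMS_RANDOM.STRING('l', 7),
       card_number = mask_card(card_number),
       password    = DBMS_RANDOM.STRING('p', 12);
COMMIT;

-- Verification: every masked card number must still be Luhn-valid.
SELECT id, name, card_number,
       CASE WHEN luhn_digit(SUBSTR(card_number, 1, LENGTH(card_number) - 1))
                 = SUBSTR(card_number, -1)
            THEN 'valid' ELSE 'INVALID' END AS luhn
  FROM info_access_mask;
```

The Enterprise Manager job also remaps a key column in every table that references it through a foreign key (the Supplier example that follows). Masking by hand gives you no such help: either mask only non-key columns, as here, or remap the keys through a mapping table with the constraints deferred.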
Supplier Table:
SUPPLIER_ID SUPPLIER_NAME CONTACT_NAME EMAIL_ID
----------- ------------- ------------ --------------------
        121 athens        greece       athen.gre@gmail.com
As seen above, the foreign key column is added to the configuration automatically. The Format option is used to specify the type of data to be generated.
The status of the job can be seen with the View Details option; the data is masked once every execution step reports the status “succeeded”.
Verifying Data:
Masked Values from Supplier Table:
CREDIT_NO PIN
---------------- ----------
459865212547893 4587
458963154785249 6584
456398754312598 8954
458596357845215 4575
453545781524569 2547
FIRST_NAME LAST_NAME
---------- ----------
wayne rooney
google chrome
firefox mozilla
microsoft azure
cloud sales
The columns CREDIT_NO, PIN and NAME are masked as shown below:
To create a new format, click the Import Format option, from where the default formats can be added or created.
Similar formats can be defined for the remaining columns. Run this masking job using the same method described above.
With this encryption algorithm the data cannot be read with any OS tool.