
oracle audit vault server: a first look (1)

Date: 2010-10-16  Source: fuguizhong

Reposted from a senior colleague's article at http://space.itpub.net/785478/viewspace-571125

The detailed installation steps will follow later.

Today I installed Oracle Database Vault 10.2.0.4 on Windows. I learned about Database Vault's features long ago and have even explained similar things to others, but I had never studied it hands-on myself. Today I found some time to install it, and the very first close encounter gave me a jolt.

During installation it prompted me for the DV owner's username and password, and also recommended creating an account manager. After installation everything was OK:

SQL> select * from v$version;

BANNER
----------------------------------------------------------------
Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - Prod
PL/SQL Release 10.2.0.4.0 - Production
CORE    10.2.0.4.0      Production

TNS for 32-bit Windows: Version 10.2.0.4.0 - Production
NLSRTL Version 10.2.0.4.0 - Production

SQL> select * from v$option where parameter='Oracle Database Vault';

PARAMETER                       VALUE
------------------------------- -------
Oracle Database Vault           TRUE

SQL> 

Then I wanted to look at the properties of some objects under dvsys and some of the predefined rules, but found that the dvsys account is locked.
SQL> select username,account_status from dba_users where username='DVSYS';

USERNAME        ACCOUNT_STATUS
--------------- -----------------
DVSYS           LOCKED

SQL> 

SQL> conn /as sysdba
已连接。
SQL> alter user dvsys account unlock;
alter user dvsys account unlock
*
第 1 行出现错误:
ORA-01031: 权限不足


SQL>
SQL> conn dv_acct/Dv_sys123
已连接。
SQL> alter user dvsys account unlock;
alter user dvsys account unlock
*
第 1 行出现错误:
ORA-01031: 权限不足

SQL>

Oh no, defeated. Oracle Database Vault has tightened the control over the database's SYSDBA privileges, but good things are always double-edged swords, and the inconvenient side shows up at the same time.

SQL> select owner,object_name,object_type from dba_objects where object_name='DBA_DV_REALM';

OWNER      OBJECT_NAME      OBJECT_TYPE
---------- ---------------- ---------------
DVSYS      DBA_DV_REALM     VIEW

SQL> show user
User is "SYS"

SQL> select * from dvsys.dba_dv_realm;

select * from dvsys.dba_dv_realm

ORA-01031: 权限不足


What to do? Is there a way to disable Oracle Database Vault first? After looking through some material I finally found a solution.

Disabling Oracle Database Vault

1. Stop the database service 'OracleServiceSID' and the Listener service 'OracleHOMETNSListener'
2. Under ORACLE_HOME\bin, rename oradv10.dll to oradv10.dll.bak
3. Restart the database service 'OracleServiceSID' and the Listener service 'OracleHOMETNSListener'
   (For RAC systems, repeat these steps for each node on which the database is installed)
4. Run Oracle Database Vault Configuration Assistant (DVCA) by using the dvca -action disable option.
   dvca -action disable -service service_name -instance Oracle_instance_name
                        -dbname database_name -sys_passwd SYS_password
                        -owner_account DV_owner_account_name
                        -owner_passwd DV_owner_account_password
                        [-logfile ./dvca.log] [-nodecrypt] [-racnode node]

Enabling Oracle Database Vault
1. Use DVCA to re-enable Oracle Database Vault.
   dvca -action enable -oh c:\oracle\product\11.1.0\db_1 -service myservicename -instance myinstance
                       -dbname mydbname -owner_account myownername
                       -logfile dvcalog.txt
2. Stop the database service 'OracleServiceSID' and the Listener service 'OracleHOMETNSListener'
3. Under ORACLE_HOME\bin, rename oradv10.dll.bak back to oradv10.dll
4. Restart the database service 'OracleServiceSID' and the Listener service 'OracleHOMETNSListener'

Following the steps above, the problem was finally solved.

Now I can access what I want as dvsys:

SQL> conn dvsys/dvsys@ora10g
Connected to Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 
Connected as dvsys

SQL> select * from dvsys.dba_dv_realm;

NAME                       DESCRIPTION                                                                      AUDIT_OPTIONS ENABLED
-------------------------- -------------------------------------------------------------------------------- ------------- -------
Oracle 数据字典            定义 Oracle 目录方案, SYS, SYSTEM, SYSMAN, MDSYS 等等的领域。另外控制授予系统权?             1 Y
Oracle Database Vault      定义以下 Oracle Database Vault 方案的领域 - DVSYS, DVF 和 LBACSYS, 其中包含 Data             1 Y
Database Vault 帐户管理    定义创建和管理数据库帐户及概要文件的管理员的领域。                                           1 Y
Oracle Enterprise Manager  定义 Enterprise Manager 监视和管理领域。                                                     1 Y

But mine is on Linux, and the version is already two releases apart. I searched for ages without finding anything, and in the end had to go look on OTN. Unexpectedly, it really paid off:
 
http://download.oracle.com/docs/cd/B28359_01/server.111/b28300/upgrade.htm#UPGRD12401
 

This appendix contains:
  • When You Must Disable Oracle Database Vault

  • Checking if Oracle Database Vault Is Enabled or Disabled

  • Step 1: Disable Oracle Database Vault

  • Step 2: Perform the Required Tasks

  • Step 3: Enable Oracle Database Vault

When You Must Disable Oracle Database Vault
You may need to disable Oracle Database Vault to perform upgrade tasks or correct erroneous configurations. You can reenable Oracle Database Vault after you complete the corrective tasks.
Note: Be aware that if you disable Oracle Database Vault, the privileges that were revoked from existing users and roles during installation remain in effect. See "Privileges That Are Revoked or Prevented from Existing Users and Roles" for a listing of the revoked privileges.
The following situations require you to disable Oracle Database Vault:
  • The Oracle Database Vault user accounts have been inadvertently locked or their passwords forgotten. (See the tip under "Oracle Database Vault Accounts" for a guideline for avoiding this problem in the future.)

  • A rule set associated with the CONNECT role has been configured incorrectly. This is resulting in failed database logins for all accounts, including those with the DV_OWNER or DV_ADMIN role, who could correct this problem.

  • You must perform maintenance tasks on Oracle Database Vault.

  • You must install any of the Oracle Database optional products or features, such as Oracle Spatial Data Option, or Oracle interMedia, by using Database Configuration Assistant (DBCA).

  • You are about to install a third-party product, install an Oracle product, or perform an Oracle patch update whose installation may be prevented if Oracle Database Vault is running.

  • You must archive the Oracle Database Vault audit trail.

Checking if Oracle Database Vault Is Enabled or Disabled
You can check if Oracle Database Vault has already been enabled or disabled by querying the V$OPTION table. Any user can query this table. If Oracle Database Vault is enabled, the query returns TRUE. Otherwise, it returns FALSE.
Remember that the PARAMETER column value is case sensitive. For example:

SELECT * FROM V$OPTION WHERE PARAMETER = 'Oracle Database Vault';

If Oracle Database Vault is enabled, the following output appears:

PARAMETER                     VALUE
----------------------------- -----------------------
Oracle Database Vault         TRUE
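The V$OPTION query above only tells you whether the option is linked in. Before and after the disable/enable procedure it is worth recording the whole Database Vault state in one place: the option flags, the DV and OLS schema accounts (DVSYS is expected to be LOCKED on a healthy install, which is exactly what the post above ran into), who holds the DV roles, and the LBACSYS.LBAC$LOGON trigger that Step 1 re-enables. The following SQL*Plus script is an added example, not code from the original post or from Oracle's documentation; it assumes the 10gR2/11gR1 data dictionary and DVSYS views, and is run as SYS.

```sql
-- Added example (not from the original post or Oracle's documentation):
-- a SQL*Plus status check, run as SYS, to record the Database Vault state
-- before and after the disable/enable procedure. Assumes 10gR2/11gR1 views.
SET LINESIZE 120 PAGESIZE 50
COLUMN parameter      FORMAT A30
COLUMN value          FORMAT A10
COLUMN username       FORMAT A15
COLUMN account_status FORMAT A20
COLUMN grantee        FORMAT A20
COLUMN granted_role   FORMAT A15
COLUMN trigger_name   FORMAT A15
COLUMN status         FORMAT A10
COLUMN name           FORMAT A30
COLUMN enabled        FORMAT A7

-- 1. Are Database Vault and Label Security linked into the server?
--    (PARAMETER is case sensitive; OLS must be on before DV can be used.)
SELECT parameter, value
  FROM v$option
 WHERE parameter IN ('Oracle Database Vault', 'Oracle Label Security');

-- 2. State of the DV and OLS schema accounts. DVSYS is LOCKED on a healthy
--    install; unlocking it while DV is enabled fails with ORA-01031, as shown above.
SELECT username, account_status
  FROM dba_users
 WHERE username IN ('DVSYS', 'DVF', 'LBACSYS')
 ORDER BY username;

-- 3. Which accounts hold the Database Vault roles. A lockout of these accounts
--    is one of the listed reasons for having to disable Database Vault.
SELECT grantee, granted_role
  FROM dba_role_privs
 WHERE granted_role IN ('DV_OWNER', 'DV_ADMIN', 'DV_ACCTMGR', 'DV_SECANALYST')
 ORDER BY granted_role, grantee;

-- 4. The OLS logon trigger that step 6 of the disable procedure re-enables.
SELECT owner, trigger_name, status
  FROM dba_triggers
 WHERE owner = 'LBACSYS' AND trigger_name = 'LBAC$LOGON';

-- 5. The realms. While DV is enabled, SYS gets ORA-01031 here (see the post
--    above); run this part as the DV owner, or after DV has been disabled.
SELECT name, enabled
  FROM dvsys.dba_dv_realm
 ORDER BY name;
```

Keep the two spool files (before disabling, after re-enabling) together with the DVCA log: the pair shows that the option came back as TRUE, that DVSYS returned to LOCKED, that the logon trigger is ENABLED, and that no realm was left disabled by the maintenance window.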

Step 1: Disable Oracle Database Vault

To disable Oracle Database Vault:

  1. Stop the database, Database Control console process, and listener.

    • UNIX: Ensure that the environment variables, ORACLE_HOME, ORACLE_SID, and PATH are correctly set. Log in to SQL*Plus as user SYS with the SYSOPER privilege and shut down the database. Then from the command line, stop the Database Control console process and listener.

      For example:

      sqlplus sys as sysoper
      Enter password: password
      
      SQL> SHUTDOWN IMMEDIATE
      SQL> EXIT
      
      $ emctl stop dbconsole
      $ lsnrctl stop [listener_name]
      

      For Oracle RAC installations, shut down each database instance as follows:

      $ srvctl stop database -d db_name
      
    • Windows: Stop the database, Database Control console process, and listener from the Services tool in the Control Panel. The names of Oracle Database services begin with Oracle.

  2. Disable the Oracle Database Vault option.

    • UNIX: Run the following commands:

      cd $ORACLE_HOME/rdbms/lib
      make -f ins_rdbms.mk dv_off
      cd $ORACLE_HOME/bin
      relink all
      

      For Oracle RAC installations, run these commands on all nodes.

    • Windows: In the ORACLE_HOME\bin directory, rename the oradv11.dll file to another name, such as oradv11.dll.dbl.

  3. Restart the database, Database Control console process, and listener.

    • UNIX: Log in to SQL*Plus as user SYS with the SYSOPER privilege and restart the database. Then from the command line, restart the Database Control console process and listener.

      For example:

      sqlplus sys as sysoper
      Enter password: password
      
      SQL> STARTUP
      SQL> EXIT
      
      $ emctl start dbconsole
      $ lsnrctl start [listener_name]
      

      For Oracle RAC installations, restart each database instance as follows:

      $ srvctl start database -d db_name
      
    • Windows: Restart the database, Database Control console process, and listener from the Services tool in the Control Panel. The names of Oracle Database services begin with Oracle.

  4. If the reason you needed to disable Oracle Database Vault was because of forgotten passwords, then connect as SYS or SYSTEM and reset the password.

    For example:

    CONNECT SYSTEM
    Enter password: password
    
    ALTER USER lbrown_dvowner IDENTIFIED BY password;
    
  5. At a command prompt, run Oracle Database Vault Configuration Assistant (DVCA) by using the dvca -action disable option.

    The syntax for dvca -action disable is as follows:

    dvca -action disable 
      -oh Oracle_home_directory
      -service service_name 
      -instance Oracle_instance_name 
      -dbname database_name 
      -sys_passwd SYS_password 
      -owner_account DV_owner_account_name 
      -owner_passwd DV_owner_account_password 
      [-logfile ./dvca.log] 
      [-nodecrypt] 
      [-racnode node]
    

    In this specification:

    • -action is the action to perform. In this case the action is disable.

    • -oh is the path to the Oracle home directory. Enter the absolute path.

      For example:

      • UNIX: -oh /u01/app/oracle/product/10.2.0/db_1

      • Windows: -oh c:\oracle\product\db_1

    • -service is the name of the database specifier. The specifier can be a connect descriptor or net service name. For more information about database specifiers, see Oracle Database JDBC Developer's Guide and Reference.

    • -instance is the name of the database instance.

    • -dbname is the database name.

    • -sys_passwd is the SYS password. If you use a cleartext password on the command line, you must include the nodecrypt option. If you omit the password, DVCA prompts you for it. Preferably, omit the password and then enter it interactively when prompted.

    • -owner_account is the Oracle Database Vault Owner account name.

    • -owner_passwd is the Oracle Database Vault Owner account password. If you use a cleartext password on the command line, you must include the nodecrypt option. If you omit the password, DVCA prompts you for it. Preferably, omit the password and then enter it interactively when prompted.

    • -logfile is an optional flag to specify a log file name and location. You can enter an absolute path, or enter a path that is relative to the location of the $ORACLE_HOME/bin directory.

    • -silent is the option to run in command line mode. This option is required if you are not running DVCA in an xterm window.

    • -nodecrypt is the option to read plaintext passwords.

    • -lockout is the flag to use to disable SYSDBA operating system authentication.

    For example:

    dvca -action disable 
      -oh /u01/app/oracle/product/10.2.0/db_1
      -service conn_alias 
      -instance orcl 
      -dbname orcl 
      -owner_account lbrown_dvowner 
      -logfile dvcalog.txt 
      
    Enter SYS password: sys_password
    Enter owner password: owner_password
    
  6. Connect to SQL*Plus as SYS using the SYSDBA privilege, and then run the following ALTER TRIGGER statement:

    CONNECT SYS / AS SYSDBA
    Enter password: password
    
    ALTER TRIGGER LBACSYS.LBAC$LOGON ENABLE;
    

Step 2: Perform the Required Tasks

At this stage Oracle Database Vault is disabled. You can perform the following types of activities:

  • Use the Oracle Database Vault PL/SQL packages and functions. For example, to correct a login or CONNECT rule set error, use the DBMS_MACADM PL/SQL package or the Oracle Database Vault Administrator interface.

  • Use the SYSTEM or SYS accounts to perform tasks such as creating or changing passwords, or locking and unlocking accounts. In addition to modifying regular database and administrative user accounts, you can modify passwords and the lock status of any of the Oracle Database Vault-specific accounts, such as users who have been granted the DV_ADMIN or DV_ACCTMGR roles. (See the tip under "Oracle Database Vault Accounts" for a guideline for avoiding this problem in the future.)

  • Perform the installation, upgrade, or other tasks that require security protections to be disabled. If you must run Oracle Database Vault Configuration Assistant (DVCA), ensure that the Oracle Database listener is running. To start the listener, run the following command from the $ORACLE_HOME/bin directory:

    $ ./lsnrctl start [listener_name]
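The two corrective tasks named above (unlocking or resetting the Database Vault accounts, and repairing a CONNECT rule set that locks everyone out) can be done from SQL*Plus in the window between Step 1 and Step 3. The following script is an added example, not code from the original post or from Oracle's documentation. It is run as SYS while Database Vault is disabled; the account names (lbrown_dvowner from the documentation's own example, and a constructed lbrown_dvacctmgr), the passwords and the rule set name are placeholders to be replaced with the values from your installation, and the DBMS_MACADM.UPDATE_COMMAND_RULE parameter order (command, rule set, object owner, object name, enabled flag) is taken from the Database Vault Administrator's Guide.

```sql
-- Added example (not from the original post or Oracle's documentation).
-- Corrective work for the two lockout scenarios, run as SYS while
-- Database Vault is disabled. Names and passwords are placeholders.

-- (a) Locked or forgotten Database Vault accounts: reset and unlock the DV
--     owner and the account manager. This is what ORA-01031 prevented while
--     DV was enabled. Unlocking DVSYS itself is not needed for normal operation.
ALTER USER lbrown_dvowner   IDENTIFIED BY "new_dv_owner_password"   ACCOUNT UNLOCK;
ALTER USER lbrown_dvacctmgr IDENTIFIED BY "new_dv_acctmgr_password" ACCOUNT UNLOCK;

SELECT username, account_status
  FROM dba_users
 WHERE username IN ('LBROWN_DVOWNER', 'LBROWN_DVACCTMGR');

-- (b) A mis-configured CONNECT command rule that fails every login.
--     First see which rule set is attached to CONNECT and whether it is enabled.
SELECT command, rule_set_name, object_owner, object_name, enabled
  FROM dvsys.dba_dv_command_rule
 WHERE command = 'CONNECT';

-- Disable the command rule rather than delete it: the rule set definition is
-- kept, can be repaired with DBMS_MACADM afterwards, and re-enabled with the
-- same call and enabled => 'Y' once logins are verified to work.
-- Parameters: command, rule_set_name, object_owner, object_name, enabled.
BEGIN
  DBMS_MACADM.UPDATE_COMMAND_RULE(
    'CONNECT',
    'Allow Trusted Connections',   -- placeholder: use the rule set name from the query above
    '%',
    '%',
    'N');
  COMMIT;
END;
/

-- Confirm the change before running dvca -action enable in Step 3.
SELECT command, rule_set_name, enabled
  FROM dvsys.dba_dv_command_rule
 WHERE command = 'CONNECT';
```

Test a login with an ordinary account after this and before re-enabling Database Vault, so that a remaining rule set error is found while SYS can still correct it rather than after Step 3 has restored the realm protection.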
    

Step 3: Enable Oracle Database Vault

To enable Oracle Database Vault:

  1. At a command prompt, use DVCA to reenable Oracle Database Vault.

    For example:

    dvca -action enable 
      -oh /u01/app/oracle/product/10.2.0/db_1
      -service conn_alias 
      -instance orcl 
      -dbname orcl 
      -owner_account lbrown_dvowner 
      -logfile dvcalog.txt 
    
    Enter SYS password: sys_password
    Enter owner password: owner_password
    

    See Step 5 under "Disabling and Enabling Oracle Database Vault" for detailed information about the DVCA syntax.

  2. Stop the database, Database Control console process, and listener.

    • UNIX: Ensure that the environment variables, ORACLE_HOME, ORACLE_SID, and PATH are correctly set. Log in to SQL*Plus as user SYS with the SYSOPER privilege and shut down the database. Then from the command line, stop the Database Control console process and listener.

      For example:

      sqlplus sys as sysoper
      Enter password: password
      
      SQL> SHUTDOWN IMMEDIATE
      SQL> EXIT
      
      $ emctl stop dbconsole
      $ lsnrctl stop [listener_name]
      

      For Oracle RAC installations, shut down each database instance as follows:

      $ srvctl stop database -d db_name
      
    • Windows: Stop the database, Database Control console process, and listener from the Services tool in the Control Panel. The names of Oracle Database services begin with Oracle.

  3. Enable the Oracle Database Vault option as follows:

    • UNIX: Run the following commands. The make command enables both Oracle Database Vault (dv_on) and Oracle Label Security (lbac_on). You must enable Oracle Label Security before you can use Database Vault.

      cd $ORACLE_HOME/rdbms/lib
      make -f ins_rdbms.mk dv_on lbac_on
      cd $ORACLE_HOME/bin
      relink all
      
    • Windows: In the ORACLE_HOME\bin directory, rename the backed up copy of the oradv11.dll file (for example, oradv11.dll.dbl) to oradv11.dll. Ensure that the name of the Oracle Label Security executable is oralbac11.dll (and not oralbac11.dll.dbl or some other backup name). You must enable Oracle Label Security before you can use Database Vault.

  4. Restart the database, Database Control console process, and listener.

    • UNIX: Ensure that the environment variables, ORACLE_HOME, ORACLE_SID, and PATH are correctly set. Log in to SQL*Plus as user SYS with the SYSOPER privilege and restart the database. Then from the command line, restart the Database Control console process and listener.

      For example:

      sqlplus sys as sysoper
      Enter password: password
      
      SQL> STARTUP
      SQL> EXIT
      
      $ emctl start dbconsole
      $ lsnrctl start [listener_name]
      

      For Oracle RAC installations, restart each database instance as follows:

      $ srvctl start database -d db_name
      
    • Windows: Restart the database, Database Control Console process, and listener from the Services tool in the Control Panel. The names of Oracle Database services begin with Oracle.

  5. For Oracle RAC installations, repeat these steps for each node on which the database is installed.

