Logon triggers

I've wanted to do this for a long time, but now a migration project to both a new data centre, and a new version of Oracle means I have opportunity to do it and hopefully, do it right.

The current database design is not perfect.  There is one application user which is used by apps, users, support and development teams.  At the moment, there is no way to separate traffic, prevent connections from people to the wrong place or from unexpected places, or to do resource limiting.  I can't do any sensible auditing.

This changes as of the migration to 12c.  I have defined 7 different services, which will all have different sets of expected users.  After logon triggers will be set up so that all connections to the controlled services have the connection source IP and database username checked.  If either isn't appropriate for the service, the connection attempt is logged and the connection terminated.

CREATE OR REPLACE TRIGGER SYSTEM.check_service_appropriate AFTER LOGON ON DATABASE
  DECLARE
    v_servname  VARCHAR (100);
    v_ipaddress VARCHAR(15);
    v_hostname  VARCHAR(4000);
    v_osuser    VARCHAR(25);
    v_sessionid NUMBER;
    v_errortext VARCHAR(4000);
    NOACCESS    EXCEPTION;
  BEGIN
    SELECT SYS_CONTEXT('USERENV', 'SERVICE_NAME') INTO v_servname FROM dual;
    SELECT SYS_CONTEXT('USERENV', 'IP_ADDRESS') INTO v_ipaddress FROM dual;
    SELECT SYS_CONTEXT('USERENV', 'HOST') INTO v_hostname FROM dual;
    SELECT SYS_CONTEXT('USERENV', 'OS_USER') INTO v_osuser FROM dual;
    SELECT SYS_CONTEXT('USERENV', 'UNIFIED_AUDIT_SESSIONID') INTO v_sessionid FROM dual;
    
    CASE v_servname
    WHEN 'reporting.xxxx.national' THEN
      IF ((USER NOT IN ('READONLY','XXX_REP','YYY_RO')) OR (v_hostname NOT LIKE 'ip-10-%')) THEN
        RAISE NOACCESS;
      END IF;
    WHEN 'datamanagement.xxxx.national' THEN
      IF ((USER NOT IN ('XXX_REP')) OR (v_hostname NOT LIKE 'ip-10%')) THEN
        RAISE NOACCESS;
      END IF;
    WHEN 'admin.xxxx.national' THEN
      IF ((USER IN ('READONLY','XXX_REP','YYY_RO','C##F5MONITOR')) OR (v_ipaddress NOT LIKE '10.%')) THEN
        RAISE NOACCESS;
      END IF;
    END CASE;

   EXCEPTION
    WHEN NOACCESS THEN
      INSERT
      INTO SYSTEM.audit_rejected_logins
        (
          time#
        , service
        , ipaddr
        , hostname
        , osuser
        , sessionid
        )
        VALUES
        (
          sysdate
        , v_servname
        , v_ipaddress
        , v_hostname
        , v_osuser
        , to_char(v_sessionid)
        );
    COMMIT;
    v_errortext := 'Attempt to log in using inappropriate DB service, from unexpected IP address or using wrong username (' || USER || ')';
    v_errortext := v_errortext || ' to service (' || v_servname || ')';
    v_errortext := v_errortext || ' from host (' || v_hostname || '). ';
    v_errortext := v_errortext || ' OS user (' || v_osuser || ')';
    RAISE_APPLICATION_ERROR(-20000, v_errortext);
  END;

Using these services, I will also be able to do sensible auditing, using unified auditing putting a condition on so that all DML when using the "admin" service is audited, whereas only specific DML using the application services is recorded.

Services are simple to set up, but their potential is surprisingly flexible.

Comments

Post a Comment

Popular posts from this blog

Data pump - "ORA-39786: Number of columns does not match between export and import databases"

Today I was asked if it was possible to import data for a specific table from a data pump export file, which was taken from when a table had a different structure to what it has now. e.g. when the export was taken, there were 10 columns.  Now there are 11. I thought that was simple, and I was sure I'd heard of this being done before.  Simply import using the "CONTENT=DATA_ONLY" parameter.  Right? Apparently not: Centos-/home/oracle/demo> impdp DEMO_USER/yyyyyyy directory=INBOUND dumpfile=demo_data.dmp logfile=impdpdemo.log content=data_only tables=xxxxxxxx Import: Release 10.2.0.4.0 - 64bit Production on Tuesday, 08 July, 2014 14:32:20 Copyright (c) 2003, 2007, Oracle.  All rights reserved. Connected to: Oracle Database 10g Release 10.2.0.4.0 - 64bit Production Master table "DEMO_USER"."SYS_IMPORT_TABLE_01" successfully loaded/unloaded Starting "DEMO_USER"."SYS_IMPORT_TABLE_01":  xxxxxxxx/******** directory=INBOUND dumpfile...
Read more

APEX, SERT, and EPG

APEX, SERT, and EPG Application Express, Security Evaluation and Recommendation Tool, and the Embedded PL/SQL Gateway My organisation has only just started seriously working with APEX and have recently launched our first internal production app (that was a challenge... I was told that this app needed to be in production in 2 days and nobody had bothered to check with me what was needed to make this happen).  I've learned a lot about APEX in the past few weeks and I've got a lot more to go. I recently came across SERT ( https://github.com/OraOpenSource/apex-sert ) and it sounds like a really nifty tool.  Today I found some time to try it out and see if our dev team might find it useful.  I decided to install it in our dev database.  This uses the EPG rather than ORDS. The install didn't go so well.  The first install failed near the end because I think I used a lowercase 'y' for a response somewhere and it got confused, bombing out with an ORA-06502...
Read more

RMAN-05531 During RMAN Duplicate from Active Data Guard Standby

[oracle@target dbs]$ rman auxiliary sys@dup target sys@source [...] RMAN> duplicate target database to DUP from active database db_file_name_convert '/u2/data/PROD','/u2/data/DUP' LOG_FILE_NAME_CONVERT '/u2/data/PROD/onlinelog','/u2/data/DUP' nofilenamecheck; Starting Duplicate Db at 25-FEB-15 using target database control file instead of recovery catalog allocated channel: ORA_AUX_DISK_1 channel ORA_AUX_DISK_1: SID=171 device type=DISK RMAN-00571: =================================================== RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ======= RMAN-00571: =================================================== RMAN-03002: failure of Duplicate Db command at 02/25/2015 16:04:44 RMAN-05501: aborting duplication of target database RMAN-05531: a mounted database cannot be duplicated while datafiles are fuzzy Using Oracle 11.2.0.3 (anything below 11.2.0.3.6), this is the error if an attempt is made to duplicate from an activ...
Read more