Logon triggers

I've wanted to do this for a long time, but now a migration project to both a new data centre, and a new version of Oracle means I have opportunity to do it and hopefully, do it right.

The current database design is not perfect.  There is one application user which is used by apps, users, support and development teams.  At the moment, there is no way to separate traffic, prevent connections from people to the wrong place or from unexpected places, or to do resource limiting.  I can't do any sensible auditing.

This changes as of the migration to 12c.  I have defined 7 different services, which will all have different sets of expected users.  After logon triggers will be set up so that all connections to the controlled services have the connection source IP and database username checked.  If either isn't appropriate for the service, the connection attempt is logged and the connection terminated.

CREATE OR REPLACE TRIGGER SYSTEM.check_service_appropriate AFTER LOGON ON DATABASE
  DECLARE
    v_servname  VARCHAR (100);
    v_ipaddress VARCHAR(15);
    v_hostname  VARCHAR(4000);
    v_osuser    VARCHAR(25);
    v_sessionid NUMBER;
    v_errortext VARCHAR(4000);
    NOACCESS    EXCEPTION;
  BEGIN
    SELECT SYS_CONTEXT('USERENV', 'SERVICE_NAME') INTO v_servname FROM dual;
    SELECT SYS_CONTEXT('USERENV', 'IP_ADDRESS') INTO v_ipaddress FROM dual;
    SELECT SYS_CONTEXT('USERENV', 'HOST') INTO v_hostname FROM dual;
    SELECT SYS_CONTEXT('USERENV', 'OS_USER') INTO v_osuser FROM dual;
    SELECT SYS_CONTEXT('USERENV', 'UNIFIED_AUDIT_SESSIONID') INTO v_sessionid FROM dual;
    
    CASE v_servname
    WHEN 'reporting.xxxx.national' THEN
      IF ((USER NOT IN ('READONLY','XXX_REP','YYY_RO')) OR (v_hostname NOT LIKE 'ip-10-%')) THEN
        RAISE NOACCESS;
      END IF;
    WHEN 'datamanagement.xxxx.national' THEN
      IF ((USER NOT IN ('XXX_REP')) OR (v_hostname NOT LIKE 'ip-10%')) THEN
        RAISE NOACCESS;
      END IF;
    WHEN 'admin.xxxx.national' THEN
      IF ((USER IN ('READONLY','XXX_REP','YYY_RO','C##F5MONITOR')) OR (v_ipaddress NOT LIKE '10.%')) THEN
        RAISE NOACCESS;
      END IF;
    END CASE;

   EXCEPTION
    WHEN NOACCESS THEN
      INSERT
      INTO SYSTEM.audit_rejected_logins
        (
          time#
        , service
        , ipaddr
        , hostname
        , osuser
        , sessionid
        )
        VALUES
        (
          sysdate
        , v_servname
        , v_ipaddress
        , v_hostname
        , v_osuser
        , to_char(v_sessionid)
        );
    COMMIT;
    v_errortext := 'Attempt to log in using inappropriate DB service, from unexpected IP address or using wrong username (' || USER || ')';
    v_errortext := v_errortext || ' to service (' || v_servname || ')';
    v_errortext := v_errortext || ' from host (' || v_hostname || '). ';
    v_errortext := v_errortext || ' OS user (' || v_osuser || ')';
    RAISE_APPLICATION_ERROR(-20000, v_errortext);
  END;

Using these services, I will also be able to do sensible auditing, using unified auditing putting a condition on so that all DML when using the "admin" service is audited, whereas only specific DML using the application services is recorded.

Services are simple to set up, but their potential is surprisingly flexible.

Comments

Post a Comment

Popular posts from this blog

Data Guard with Transparent Application Failover (TAF)

One of the problems with Data Guard is that even after switching/failing over to the standby database, all clients need to be reconfigured to communicate with the new primary. The simplest way to achieve this (if using a centralised tnsnames.ora ), is to modify the file and  add the line " (FAILOVER=YES) ",  and either multiple ( DESCRIPTION=...) or (ADDRESS=...)  lines, one for each of the standby systems, in the order that the client should attempt connections . This tells the client to try each address in turn until one succeeds. Doing so provides basic failover functionality within Oracle Net, and will probably function correctly most of the time.  Though be aware - because both primary and standby can share the same instance name (e.g. the same SID, therefore the same connection string), there is potential for this simple scheme to go wrong. An example in an active data guard environment (where the standby is open read only): a temporary network issue causes all c
Read more

RMAN-05531 During RMAN Duplicate from Active Data Guard Standby

[oracle@target dbs]$ rman auxiliary sys@dup target sys@source [...] RMAN> duplicate target database to DUP from active database db_file_name_convert '/u2/data/PROD','/u2/data/DUP' LOG_FILE_NAME_CONVERT '/u2/data/PROD/onlinelog','/u2/data/DUP' nofilenamecheck; Starting Duplicate Db at 25-FEB-15 using target database control file instead of recovery catalog allocated channel: ORA_AUX_DISK_1 channel ORA_AUX_DISK_1: SID=171 device type=DISK RMAN-00571: =================================================== RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ======= RMAN-00571: =================================================== RMAN-03002: failure of Duplicate Db command at 02/25/2015 16:04:44 RMAN-05501: aborting duplication of target database RMAN-05531: a mounted database cannot be duplicated while datafiles are fuzzy Using Oracle 11.2.0.3 (anything below 11.2.0.3.6), this is the error if an attempt is made to duplicate from an activ
Read more

Data pump - "ORA-39786: Number of columns does not match between export and import databases"

Today I was asked if it was possible to import data for a specific table from a data pump export file, which was taken from when a table had a different structure to what it has now. e.g. when the export was taken, there were 10 columns.  Now there are 11. I thought that was simple, and I was sure I'd heard of this being done before.  Simply import using the "CONTENT=DATA_ONLY" parameter.  Right? Apparently not: Centos-/home/oracle/demo> impdp DEMO_USER/yyyyyyy directory=INBOUND dumpfile=demo_data.dmp logfile=impdpdemo.log content=data_only tables=xxxxxxxx Import: Release 10.2.0.4.0 - 64bit Production on Tuesday, 08 July, 2014 14:32:20 Copyright (c) 2003, 2007, Oracle.  All rights reserved. Connected to: Oracle Database 10g Release 10.2.0.4.0 - 64bit Production Master table "DEMO_USER"."SYS_IMPORT_TABLE_01" successfully loaded/unloaded Starting "DEMO_USER"."SYS_IMPORT_TABLE_01":  xxxxxxxx/******** directory=INBOUND dumpfile
Read more