Sharath Thoniyot
I have implemented DB Vault on a 12.2.0.1.0 Oracle database. I created a Vault policy to block ad-hoc access to the application schema using DB tools like Toad etc. The policy should allow only the application connection to the DB from the application server with IP 192.168.1.10 and restrict connections to the APPS schema from anywhere else. But here the MODULE factor does not seem to work, as it is allowing connections from ad-hoc tools on the 192.168.1.10 server. Is there any alternative I can use to achieve this apart from logon triggers? The piece of code provided below is what has been used to implement the vault policy.

-- Rule set that the CONNECT command rule will evaluate
BEGIN
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Limit_SQL_Plus_Access',
    description     => 'Limits access to SQL*Plus for Apps Schemas',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_OFF,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'ad-hoc access denied for Apps Schemas',
    fail_code       => 20461,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);
END;
/

-- Factor MODULE: client module name, evaluated once at session start
BEGIN
  DBMS_MACADM.CREATE_FACTOR(
    factor_name      => 'MODULE',
    factor_type_name => 'Application',
    description      => 'Stores client program name that connects to database',
    rule_set_name    => 'Limit_SQL_Plus_Access',
    validate_expr    => NULL,
    get_expr         => 'UPPER(SYS_CONTEXT(''USERENV'',''MODULE''))',
    identify_by      => DBMS_MACUTL.G_IDENTIFY_BY_METHOD,
    labeled_by       => 0,
    eval_options     => DBMS_MACUTL.G_EVAL_ON_SESSION,
    audit_options    => DBMS_MACUTL.G_AUDIT_OFF,
    fail_options     => DBMS_MACUTL.G_FAIL_WITH_MESSAGE);
END;
/

-- Factor PROGRAM: client program name, re-evaluated on each access
BEGIN
  DBMS_MACADM.CREATE_FACTOR(
    factor_name      => 'PROGRAM',
    factor_type_name => 'Application',
    description      => 'Stores client program name that connects to database',
    rule_set_name    => 'Limit_SQL_Plus_Access',
    validate_expr    => NULL,
    get_expr         => 'UPPER(SYS_CONTEXT(''USERENV'',''CLIENT_PROGRAM_NAME''))',
    identify_by      => DBMS_MACUTL.G_IDENTIFY_BY_METHOD,
    labeled_by       => 0,
    eval_options     => DBMS_MACUTL.G_EVAL_ON_ACCESS,
    audit_options    => DBMS_MACUTL.G_AUDIT_OFF,
    fail_options     => DBMS_MACUTL.G_FAIL_WITH_MESSAGE);
END;
/

-- Rule: all four factors must match (note the doubled quotes inside the expression string)
BEGIN
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Rule_Connect',
    rule_expr => 'UPPER(DVF.F$MODULE) IN (''APPS.WINSERVICE.EXE'')'
              || ' AND DVF.F$SESSION_USER IN (''APPS'')'
              || ' AND DVF.F$CLIENT_IP IN (''192.168.1.10'')'
              || ' AND UPPER(DVF.F$PROGRAM) IN (''APPS.WINSERVICE.EXE'')');
END;
/

BEGIN
  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Limit_SQL_Plus_Access',
    rule_name     => 'Rule_Connect');
END;
/

-- Bind the rule set to CONNECT for the APPS user
BEGIN
  DBMS_MACADM.CREATE_CONNECT_COMMAND_RULE(
    rule_set_name => 'Limit_SQL_Plus_Access',
    user_name     => 'APPS',
    enabled       => DBMS_MACUTL.G_YES,
    scope         => DBMS_MACUTL.G_SCOPE_LOCAL);
END;
/
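An added diagnostic, not part of the original post, for checking why Rule_Connect passes for a session it should reject: it shows what each factor in the rule resolves to, the rule text as stored, and whether the CONNECT command rule is bound and enabled. The DBA_DV_* column names are assumed from the 12c Database Vault data dictionary; run it as APPS once from the application server and once from an ad-hoc tool and compare the rows.

```sql
-- Added example (not from the original post). Assumes the factor and rule
-- names created above and the 12c DBA_DV_* dictionary column names.

-- 1. Factor values for the current session, side by side with the live
--    USERENV context. MODULE is evaluated once per session
--    (G_EVAL_ON_SESSION), so module_factor can differ from module_now if
--    the client set its module name only after logon. Both MODULE and
--    CLIENT_PROGRAM_NAME are reported by the client software, so they are
--    weaker evidence than CLIENT_IP.
SELECT DVF.F$SESSION_USER                            AS session_user,
       DVF.F$CLIENT_IP                               AS client_ip,
       DVF.F$MODULE                                  AS module_factor,
       DVF.F$PROGRAM                                 AS program_factor,
       SYS_CONTEXT('USERENV', 'MODULE')              AS module_now,
       SYS_CONTEXT('USERENV', 'CLIENT_PROGRAM_NAME') AS program_now
  FROM dual;

-- 2. The rule text exactly as Database Vault stored it, to catch quoting
--    mistakes such as an unbalanced '' around the IP address literal.
SELECT name, rule_expr
  FROM dba_dv_rule
 WHERE name = 'Rule_Connect';

-- 3. Confirm the CONNECT command rule for APPS exists, points at the
--    intended rule set and is enabled (object_owner holds the user name
--    for CONNECT rules).
SELECT command, object_owner, rule_set_name, enabled
  FROM dba_dv_command_rule
 WHERE command = 'CONNECT'
   AND object_owner = 'APPS';
```

If query 1 from an ad-hoc tool returns a module_factor equal to the allowed value while module_now does not, the factor is matching on what the client reported at logon rather than on the tool actually in use.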