
SYS_CONTEXT('userenv','module') behaviour in Oracle Database Vault

askTom 2018-07-10

Question

Hi Tom,

I have implemented DB Vault on a 12.2.0.1.0 Oracle database. I created a Vault policy to block ad-hoc access to the application schema through database tools (Toad, etc.). The policy should allow only the application's connections to the DB from the application server with IP 192.168.1.10 and block connections to the application schema from anywhere else. However, the module factor here does not seem to work, because it allows connections from ad-hoc tools on the 192.168.1.10 server. Other than a logon trigger, what alternative can be used to achieve this?

The code below is what I used to implement the vault policy.

BEGIN
  -- Rule set: with EVAL_ALL every rule in the set must be true, otherwise the
  -- CONNECT fails with the custom message and error code below.
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Limit_SQL_Plus_Access',
    description     => 'Limits access to SQL*Plus for Apps Schemas',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_OFF,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'ad-hoc access denied for Apps Schemas',
    fail_code       => 20461,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);
END;
/

BEGIN
  -- Factor MODULE: the client-reported module name, evaluated once per session.
  DBMS_MACADM.CREATE_FACTOR(
    factor_name      => 'MODULE',
    factor_type_name => 'Application',
    description      => 'Stores the module name reported by the client session',
    rule_set_name    => 'Limit_SQL_Plus_Access',
    validate_expr    => NULL,
    get_expr         => 'UPPER(SYS_CONTEXT(''USERENV'',''MODULE''))',
    identify_by      => DBMS_MACUTL.G_IDENTIFY_BY_METHOD,
    labeled_by       => 0,
    eval_options     => DBMS_MACUTL.G_EVAL_ON_SESSION,
    audit_options    => DBMS_MACUTL.G_AUDIT_OFF,
    fail_options     => DBMS_MACUTL.G_FAIL_WITH_MESSAGE);
END;
/

BEGIN
  -- Factor PROGRAM: the client program name, re-evaluated on every access.
  DBMS_MACADM.CREATE_FACTOR(
    factor_name      => 'PROGRAM',
    factor_type_name => 'Application',
    description      => 'Stores client program name that connects to database',
    rule_set_name    => 'Limit_SQL_Plus_Access',
    validate_expr    => NULL,
    get_expr         => 'UPPER(SYS_CONTEXT(''USERENV'',''CLIENT_PROGRAM_NAME''))',
    identify_by      => DBMS_MACUTL.G_IDENTIFY_BY_METHOD,
    labeled_by       => 0,
    eval_options     => DBMS_MACUTL.G_EVAL_ON_ACCESS,
    audit_options    => DBMS_MACUTL.G_AUDIT_OFF,
    fail_options     => DBMS_MACUTL.G_FAIL_WITH_MESSAGE);
END;
/

BEGIN
  -- Rule: module, session user, client IP and program must all match.
  -- (Inside the PL/SQL string literal each quote is doubled; the IP literal
  -- was missing its closing quote in the original.)
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Rule_Connect',
    rule_expr => 'UPPER(DVF.F$MODULE) IN (''APPS.WINSERVICE.EXE'') AND DVF.F$SESSION_USER IN (''APPS'') AND DVF.F$CLIENT_IP IN (''192.168.1.10'') AND UPPER(DVF.F$PROGRAM) IN (''APPS.WINSERVICE.EXE'')');
END;
/

BEGIN
  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Limit_SQL_Plus_Access',
    rule_name     => 'Rule_Connect');
END;
/

BEGIN
  -- CONNECT command rule for APPS, evaluated through the rule set above.
  -- (The package is DBMS_MACUTL, and user_name needs a trailing comma.)
  DBMS_MACADM.CREATE_CONNECT_COMMAND_RULE(
    rule_set_name => 'Limit_SQL_Plus_Access',
    user_name     => 'APPS',
    enabled       => DBMS_MACUTL.G_YES,
    scope         => DBMS_MACUTL.G_SCOPE_LOCAL);
END;
/

Expert answer

I'm not familiar with Database Vault, so I contacted the Database Vault PM, Alan Williams. He said:

I notice they are using factors – that’s not necessary and I recommend just using rules to access context directly. Factors add another layer of complication and since they are rarely (if at all) used, may not be as well understood.

I recommend creating the connection command rule/rule set and then taking it step by step

- Create rule set (as below)
- Create command rule (as below)
- Use the out of the box ‘enabled’ and ‘disabled’ rules to make sure the command rule is working as anticipated
- Then replace the OOTB rule with the IP rule and test
- Then test with another rule (setting aside the IP rule) and test the new rule independently
- In fact, test with each rule independently to make sure each rule is working as anticipated
- Then start concatenating rules together

If they aren’t sure if the parameter values are correct, they can use the new 12.2 simulation mode to capture the factors first

- Create rule set/command rule/enabled command rule – set to simulation mode
- Connect as the user from the application
- Review the simulation log and look into the factor column to review the factors that were used
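The step-by-step approach Alan describes, written out as an added example (this is not code from the AskTom thread or from Oracle): a CONNECT command rule for APPS that is first bound to the shipped 'Enabled' and 'Disabled' rule sets to prove the command rule fires, then to a custom rule set whose rules read SYS_CONTEXT directly instead of going through custom factors, run in 12.2 simulation mode before being enforced. The rule set and rule names, the module name and the IP 192.168.1.10 are assumptions taken from the question.

```sql
-- Added example, not from the original thread. Names and the IP are assumptions.
-- Run as a user with the DV_OWNER or DV_ADMIN role.

-- Step 1: the command rule alone, bound to the shipped 'Enabled' rule set.
--         APPS must still be able to connect from anywhere.
BEGIN
  DBMS_MACADM.CREATE_CONNECT_COMMAND_RULE(
    rule_set_name => 'Enabled',
    user_name     => 'APPS',
    enabled       => DBMS_MACUTL.G_YES,
    scope         => DBMS_MACUTL.G_SCOPE_LOCAL);
END;
/

-- Step 2: swap in the shipped 'Disabled' rule set. Every APPS logon must now be
--         rejected; if it is not, the command rule is not being evaluated and
--         nothing below will work either.
BEGIN
  DBMS_MACADM.UPDATE_CONNECT_COMMAND_RULE(
    rule_set_name => 'Disabled',
    user_name     => 'APPS',
    enabled       => DBMS_MACUTL.G_YES,
    scope         => DBMS_MACUTL.G_SCOPE_LOCAL);
END;
/

-- Step 3: a custom rule set holding one rule only (the IP check), so the rule
--         can be proven on its own. Rules read SYS_CONTEXT directly; no factors.
BEGIN
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Limit_Apps_Connect',
    description     => 'APPS may connect only from the application server',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,   -- every rule must pass
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL, -- record rejected logons
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'ad-hoc access denied for APPS',
    fail_code       => 20461,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);

  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Apps_From_App_Server',
    rule_expr => 'SYS_CONTEXT(''USERENV'',''IP_ADDRESS'') = ''192.168.1.10''');

  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Limit_Apps_Connect',
    rule_name     => 'Apps_From_App_Server');
END;
/

-- Step 4: point the command rule at the custom rule set in simulation mode:
--         violations are logged, not blocked, so the real application can be
--         connected and the context values DV actually saw can be read back.
BEGIN
  DBMS_MACADM.UPDATE_CONNECT_COMMAND_RULE(
    rule_set_name => 'Limit_Apps_Connect',
    user_name     => 'APPS',
    enabled       => DBMS_MACUTL.G_SIMULATION,  -- 12.2 simulation mode
    scope         => DBMS_MACUTL.G_SCOPE_LOCAL);
END;
/

-- Connect as APPS from the application server and from an ad-hoc tool, then:
SELECT * FROM DBA_DV_SIMULATION_LOG ORDER BY 1;

-- Step 5: once the IP rule behaves, add the module rule, test it on its own the
--         same way (temporarily removing the IP rule if needed), then enforce
--         the combined set.
BEGIN
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Apps_Module_Is_Winservice',
    rule_expr => 'UPPER(SYS_CONTEXT(''USERENV'',''MODULE'')) = ''APPS.WINSERVICE.EXE''');

  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Limit_Apps_Connect',
    rule_name     => 'Apps_Module_Is_Winservice');

  DBMS_MACADM.UPDATE_CONNECT_COMMAND_RULE(
    rule_set_name => 'Limit_Apps_Connect',
    user_name     => 'APPS',
    enabled       => DBMS_MACUTL.G_YES,          -- enforce
    scope         => DBMS_MACUTL.G_SCOPE_LOCAL);
END;
/
```

Two caveats worth keeping in mind when reading the simulation log. MODULE and CLIENT_PROGRAM_NAME are supplied by the client (any OCI or JDBC client can set them, and DBMS_APPLICATION_INFO changes MODULE mid-session), so a rule on them stops casual use of Toad or SQL*Plus, not someone who deliberately presents the expected name; the IP check is the part an attacker on another host cannot fake without being on 192.168.1.10. Also, SYS_CONTEXT('USERENV','IP_ADDRESS') is NULL for local bequeath connections, so a rule that requires a specific IP also rejects local logons on the database server itself.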
