{"id":28364,"date":"2023-09-27T20:39:35","date_gmt":"2023-09-27T18:39:35","guid":{"rendered":"https:\/\/www.dbi-services.com\/blog\/?p=28364"},"modified":"2023-09-27T21:07:56","modified_gmt":"2023-09-27T19:07:56","slug":"sql-firewall","status":"publish","type":"post","link":"https:\/\/www.dbi-services.com\/blog\/sql-firewall\/","title":{"rendered":"SQL FIREWALL"},"content":{"rendered":"\n

This blog comes to complete the excellent blog written by my colleague Gregory Steulet on the same topic.<\/a><\/p>\n\n\n\n

SQL FIREWALL is a new security layer integrated into Oracle Database 23c.<\/p>\n\n\n\n

First, we create a admin user for which we grant it a new admin privilege “sql_firewall_admin”:<\/p>\n\n\n\n

SQL> drop user if exists lfeadmin cascade;\n\nUser dropped.\n\nSQL>\nSQL> create user lfeadmin identified by lfeadmin;\n\nUser created.\n\nSQL> grant create session to lfeadmin;\n\nGrant succeeded.\n\nSQL> grant sql_firewall_admin to lfeadmin;\n\nGrant succeeded.<\/code><\/pre>\n\n\n\n
We enable the SQL FIREWALL:<\/p>\n\n\n\n
SQL> prompt ENABLE SQL FIREWALL\nENABLE SQL FIREWALL\nSQL> pause\n\nSQL> conn lfeadmin\/lfeadmin@\/\/localhost:1521\/freepdb1\nConnected.\nSQL> exec dbms_sql_firewall.enable;\n\nPL\/SQL procedure successfully completed.\n\nSQL>\nSQL> prompt CHECK THE STATUS OF SQL FIREWALL\nCHECK THE STATUS OF SQL FIREWALL\nSQL> pause\n\nSQL> select status from dba_sql_firewall_status;\n\nSTATUS\n--------\nENABLED<\/code><\/pre>\n\n\n\n
We create a capture process on the user LFE:<\/p>\n\n\n\n
SQL> prompt CREATE CAPTURE FOR USER LFE\nCREATE CAPTURE FOR USER LFE\nSQL> pause\n\nSQL> begin\n  2    dbms_sql_firewall.create_capture (\n  3  \t username\t=> 'LFE',\n  4  \t top_level_only => false,\n  5  \t start_capture\t=> true);\n  6  end;\n  7  \/\n\nPL\/SQL procedure successfully completed.\n<\/code><\/pre>\n\n\n\n
We execute some sql from the user LFE:<\/p>\n\n\n\n
SQL> conn LFE\/LFE4DBIXCHANGE2023@\/\/localhost:1521\/freepdb1\nConnected.\nSQL> start demo_sql_firewall_load.sql\nSQL> set echo on\nSQL> set linesize 2000\nSQL> prompt SESSION 1 - GET SID\nSESSION 1 - GET SID\nSQL> pause\n\nSQL> SELECT SYS_CONTEXT ('USERENV', 'SID') FROM DUAL;\n\nSYS_CONTEXT('USERENV','SID')\n----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------\n44\n\nSQL> prompt SESSION 1 - UPDATE PRICE FOR PRODUCT A1 --> PRICE = PRICE+10\nSESSION 1 - UPDATE PRICE FOR PRODUCT A1 --> PRICE = PRICE+10\nSQL> pause\n\nSQL> select price from products where product='A1';\n\n     PRICE\n----------\n      1629\n\nSQL> update products set price = price+10 where product= 'A1';\n\n1 row updated.\n\nSQL> select price from products where product='A1';\n\n     PRICE\n----------\n      1629\n\nSQL><\/code><\/pre>\n\n\n\n
We stop the capture and we check the capture logs:<\/p>\n\n\n\n
SQL> prompt STOP THE CAPTURE\nSTOP THE CAPTURE\nSQL> pause\n\nSQL> exec dbms_sql_firewall.stop_capture('LFE');\n\nPL\/SQL procedure successfully completed.\n\nSQL>\nSQL> prompt CHECK CAPTURE LOGS\nCHECK CAPTURE LOGS\nSQL> pause\n\nSQL> set linesize 150 pagesize 40\nSQL> column command_type format a12\nSQL> column current_user format a15\nSQL> column client_program format a45\nSQL> column os_user format a10\nSQL> column ip_address format a10\nSQL> column sql_text format a30\nSQL>\nSQL> select command_type,\n  2  \t    current_user,\n  3  \t    client_program,\n  4  \t    os_user,\n  5  \t    ip_address,\n  6  \t    sql_text\n  7  from   dba_sql_firewall_capture_logs\n  8  where  username = 'LFE';\n\nCOMMAND_TYPE CURRENT_USER CLIENT_PROGRAM OS_USER    IP_ADDRESS SQL_TEXT\n------------ --------------- --------------------------------------------- --\nSELECT\t     LFE\t     sqlplus@db23c (TNS V1-V3) oracle     127.0.0.1  SELECT SYS_CONTEXT (:\"SYS_B_0\",:\"SYS_B_1\") FROM DUAL\n\nSELECT\t     LFE\t     sqlplus@db23c (TNS V1-V3) oracle     127.0.0.1  SELECT PRICE FROM PRODUCTS WHERE PRODUCT=:\"SYS_B_0\"\n\nUPDATE\t     LFE\t     sqlplus@db23c (TNS V1-V3) oracle     127.0.0.1  UPDATE PRODUCTS SET PRICE=PRICE +:\"SYS_B_0\" WHERE PRODUCT=:\"SYS_B_1\"\n<\/code><\/pre>\n\n\n\n
Now we generate an allow list based on the capture logs:<\/p>\n\n\n\n
SQL> exec dbms_sql_firewall.generate_allow_list ('LFE');\n\nPL\/SQL procedure successfully completed.\n\nSQL>\nSQL> prompt CHECK THE ALLOW LIST AND NEW DATA DICTIONARY VIEWS\nCHECK THE ALLOW LIST AND NEW DATA DICTIONARY VIEWS\nSQL> pause\n\nSQL> column username format a20\nSQL> select * from  dba_sql_firewall_allowed_ip_addr where username = 'LFE';\n\nUSERNAME\t     IP_ADDRESS\n-------------------- ----------\nLFE\t\t     127.0.0.1\n\nSQL>\nSQL> column os_program format a50\nSQL> select * from dba_sql_firewall_allowed_os_prog where username = 'LFE';\n\nUSERNAME\t     OS_PROGRAM\n-------------------- --------------------------------------------------\nLFE\t\t     sqlplus@db23c (TNS V1-V3)\n\nSQL>\nSQL> column os_user format a10\nSQL> select * from dba_sql_firewall_allowed_os_user where username = 'LFE';\n\nUSERNAME\t     OS_USER\n-------------------- ----------\nLFE\t\t     oracle\n\nSQL>\nSQL> column sql_text format A50\nSQL> select current_user,sql_text from dba_sql_firewall_allowed_sql where username = 'LFE';\n\nCURRENT_USER\tSQL_TEXT\n--------------- --------------------------------------------------\nLFE\t\tUPDATE PRODUCTS SET PRICE=PRICE +:\"SYS_B_0\" WHERE\n\t\tPRODUCT=:\"SYS_B_1\"\n\nLFE\t\tSELECT PRICE FROM PRODUCTS WHERE PRODUCT=:\"SYS_B_0\n\t\t\"\n\nLFE\t\tSELECT SYS_CONTEXT (:\"SYS_B_0\",:\"SYS_B_1\") FROM DU\n\t\tAL\n<\/code><\/pre>\n\n\n\n
The allow list stores the sql statement captures plus his context (IP ADDRESS, OS_PROGRAM, OS_USER).<\/p>\n\n\n\n
We check this allow list and decides which sql statement \/ context authorized or un-authorized to be executed and we enable the allow list, we use the option “dbms_sql_firewall.enforfe_all” to authorize all : the sql statement plus the context. There are different list of options<\/a>.<\/p>\n\n\n\n
SQL> begin\n  2    dbms_sql_firewall.enable_allow_list (\n  3  \t username => 'LFE',\n  4  \t enforce  => dbms_sql_firewall.enforce_all,\n  5  \t block\t  => true);\n  6  end;\n  7  \/\n\nPL\/SQL procedure successfully completed.\n\nSQL> select username,\n    \t    status,\n    \t    top_level_only,\n    \t    enforce,\n    \t    block\n    from   dba_sql_firewall_allow_lists\n    where username='LFE';\n\nUSERNAME\t     STATUS   TOP_LEVEL_ONLY ENFORCE\t     BLOCK\n-------------------- -------- -------------- --------------- --------------\nLFE\t\t     ENABLED  N \t     ENFORCE_ALL     Y<\/code><\/pre>\n\n\n\n
 Now, SQL which are in the allow list are authorized:<\/p>\n\n\n\n
SQL> select price from products where product='A1';\n\n     PRICE\n----------\n      1629\n<\/code><\/pre>\n\n\n\n
But SQL which are not in the allow list are un-authorized:<\/p>\n\n\n\n
SQL> select price,product from products where product='A1';\nselect price,product from products where product='A1'\n                          *\nERROR at line 1:\nORA-47605: SQL Firewall violation<\/code><\/pre>\n\n\n\n
We check the sql firewall violation log table:<\/p>\n\n\n\n
select sql_text,\n           firewall_action,\n           ip_address,\n           cause,\n           occurred_at\n    from   dba_sql_firewall_violations\n    where  username = 'LFE';\n\nSQL_TEXT\n--------------------------------------------------------------------------------\nFIREWAL IP_ADDRESS\t\t\t\t\t CAUSE\n------- ------------------------------------------------ --------------------\nOCCURRED_AT\n---------------------------------------------------------------------------\nSELECT PRICE,PRODUCT FROM PRODUCTS WHERE PRODUCT=:\"SYS_B_0\"\nBlocked 127.0.0.1\t\t\t\t\t SQL violation\n27-SEP-23 06.30.31.875532 PM +00:00\n\n\nSQL><\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"
This blog comes to complete the excellent blog written by my colleague Gregory Steulet on the same topic. SQL FIREWALL is a new security layer integrated into Oracle Database 23c. First, we create a admin user for which we grant it a new admin privilege “sql_firewall_admin”: We enable the SQL FIREWALL: We create a capture […]<\/p>\n","protected":false},"author":27,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[229,198,368,59],"tags":[2833,1672,96,2564],"type_dbi":[],"class_list":["post-28364","post","type-post","status-publish","format-standard","hentry","category-database-administration-monitoring","category-database-management","category-development-performance","category-oracle","tag-23c","tag-new-features","tag-oracle","tag-security-3"],"acf":[],"yoast_head":"\nSQL FIREWALL - dbi Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.dbi-services.com\/blog\/sql-firewall\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"SQL FIREWALL\" \/>\n<meta property=\"og:description\" content=\"This blog comes to complete the excellent blog written by my colleague Gregory Steulet on the same topic. SQL FIREWALL is a new security layer integrated into Oracle Database 23c. First, we create a admin user for which we grant it a new admin privilege “sql_firewall_admin”: We enable the SQL FIREWALL: We create a capture […]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.dbi-services.com\/blog\/sql-firewall\/\" \/>\n<meta property=\"og:site_name\" content=\"dbi Blog\" \/>\n<meta property=\"article:published_time\" content=\"2023-09-27T18:39:35+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-09-27T19:07:56+00:00\" \/>\n<meta name=\"author\" content=\"Oracle Team\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Oracle Team\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"1 minute\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.dbi-services.com\\\/blog\\\/sql-firewall\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.dbi-services.com\\\/blog\\\/sql-firewall\\\/\"},\"author\":{\"name\":\"Oracle Team\",\"@id\":\"https:\\\/\\\/www.dbi-services.com\\\/blog\\\/#\\\/schema\\\/person\\\/66ab87129f2d357f09971bc7936a77ee\"},\"headline\":\"SQL FIREWALL\",\"datePublished\":\"2023-09-27T18:39:35+00:00\",\"dateModified\":\"2023-09-27T19:07:56+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.dbi-services.com\\\/blog\\\/sql-firewall\\\/\"},\"wordCount\":186,\"commentCount\":0,\"keywords\":[\"23c\",\"New Features\",\"Oracle\",\"Security\"],\"articleSection\":[\"Database Administration & Monitoring\",\"Database management\",\"Development & Performance\",\"Oracle\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/www.dbi-services.com\\\/blog\\\/sql-firewall\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.dbi-services.com\\\/blog\\\/sql-firewall\\\/\",\"url\":\"https:\\\/\\\/www.dbi-services.com\\\/blog\\\/sql-firewall\\\/\",\"name\":\"SQL FIREWALL - dbi Blog\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.dbi-services.com\\\/blog\\\/#website\"},\"datePublished\":\"2023-09-27T18:39:35+00:00\",\"dateModified\":\"2023-09-27T19:07:56+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/www.dbi-services.com\\\/blog\\\/#\\\/schema\\\/person\\\/66ab87129f2d357f09971bc7936a77ee\"},\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.dbi-services.com\\\/blog\\\/sql-firewall\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.dbi-services.com\\\/blog\\\/sql-firewall\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.dbi-services.com\\\/blog\\\/sql-firewall\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Accueil\",\"item\":\"https:\\\/\\\/www.dbi-services.com\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"SQL FIREWALL\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.dbi-services.com\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.dbi-services.com\\\/blog\\\/\",\"name\":\"dbi Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.dbi-services.com\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.dbi-services.com\\\/blog\\\/#\\\/schema\\\/person\\\/66ab87129f2d357f09971bc7936a77ee\",\"name\":\"Oracle Team\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f711f7cd2c9b09bf2627133755b569fb5be0694810cfd33033bdd095fedba86d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f711f7cd2c9b09bf2627133755b569fb5be0694810cfd33033bdd095fedba86d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f711f7cd2c9b09bf2627133755b569fb5be0694810cfd33033bdd095fedba86d?s=96&d=mm&r=g\",\"caption\":\"Oracle Team\"},\"url\":\"https:\\\/\\\/www.dbi-services.com\\\/blog\\\/author\\\/oracle-team\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"SQL FIREWALL - dbi Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.dbi-services.com\/blog\/sql-firewall\/","og_locale":"en_US","og_type":"article","og_title":"SQL FIREWALL","og_description":"This blog comes to complete the excellent blog written by my colleague Gregory Steulet on the same topic. SQL FIREWALL is a new security layer integrated into Oracle Database 23c. First, we create a admin user for which we grant it a new admin privilege “sql_firewall_admin”: We enable the SQL FIREWALL: We create a capture […]","og_url":"https:\/\/www.dbi-services.com\/blog\/sql-firewall\/","og_site_name":"dbi Blog","article_published_time":"2023-09-27T18:39:35+00:00","article_modified_time":"2023-09-27T19:07:56+00:00","author":"Oracle Team","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Oracle Team","Est. reading time":"1 minute"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.dbi-services.com\/blog\/sql-firewall\/#article","isPartOf":{"@id":"https:\/\/www.dbi-services.com\/blog\/sql-firewall\/"},"author":{"name":"Oracle Team","@id":"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/66ab87129f2d357f09971bc7936a77ee"},"headline":"SQL FIREWALL","datePublished":"2023-09-27T18:39:35+00:00","dateModified":"2023-09-27T19:07:56+00:00","mainEntityOfPage":{"@id":"https:\/\/www.dbi-services.com\/blog\/sql-firewall\/"},"wordCount":186,"commentCount":0,"keywords":["23c","New Features","Oracle","Security"],"articleSection":["Database Administration & Monitoring","Database management","Development & Performance","Oracle"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.dbi-services.com\/blog\/sql-firewall\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.dbi-services.com\/blog\/sql-firewall\/","url":"https:\/\/www.dbi-services.com\/blog\/sql-firewall\/","name":"SQL FIREWALL - dbi Blog","isPartOf":{"@id":"https:\/\/www.dbi-services.com\/blog\/#website"},"datePublished":"2023-09-27T18:39:35+00:00","dateModified":"2023-09-27T19:07:56+00:00","author":{"@id":"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/66ab87129f2d357f09971bc7936a77ee"},"breadcrumb":{"@id":"https:\/\/www.dbi-services.com\/blog\/sql-firewall\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.dbi-services.com\/blog\/sql-firewall\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.dbi-services.com\/blog\/sql-firewall\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Accueil","item":"https:\/\/www.dbi-services.com\/blog\/"},{"@type":"ListItem","position":2,"name":"SQL FIREWALL"}]},{"@type":"WebSite","@id":"https:\/\/www.dbi-services.com\/blog\/#website","url":"https:\/\/www.dbi-services.com\/blog\/","name":"dbi Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.dbi-services.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/66ab87129f2d357f09971bc7936a77ee","name":"Oracle Team","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f711f7cd2c9b09bf2627133755b569fb5be0694810cfd33033bdd095fedba86d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f711f7cd2c9b09bf2627133755b569fb5be0694810cfd33033bdd095fedba86d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f711f7cd2c9b09bf2627133755b569fb5be0694810cfd33033bdd095fedba86d?s=96&d=mm&r=g","caption":"Oracle Team"},"url":"https:\/\/www.dbi-services.com\/blog\/author\/oracle-team\/"}]}},"_links":{"self":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts\/28364","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/users\/27"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/comments?post=28364"}],"version-history":[{"count":4,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts\/28364\/revisions"}],"predecessor-version":[{"id":28368,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts\/28364\/revisions\/28368"}],"wp:attachment":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/media?parent=28364"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/categories?post=28364"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/tags?post=28364"},{"taxonomy":"type","embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/type_dbi?post=28364"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}