Oracle® Database Security Guide 11g Release 2 (11.2)
Part Number E16543-14
Contents
List of Examples
List of Figures
List of Tables
Title and Copyright Information
Preface
Audience
Documentation Accessibility
Related Documents
Conventions
What's New in Oracle Database Security?
Oracle Database 11g Release 2 (11.2.0.2) New Security Features
Oracle Database 11g Release 2 (11.2.0.1) New Security Features
Oracle Database 11g Release 1 (11.1) New Security Features
1 Introducing Oracle Database Security
About Oracle Database Security
Additional Database Security Resources
2 Managing Security for Oracle Database Users
About User Security
Creating User Accounts
Creating a New User Account
Specifying a User Name
Assigning the User a Password
Assigning a Default Tablespace for the User
Assigning a Tablespace Quota for the User
Restricting the Quota Limits for User Objects in a Tablespace
Granting Users the UNLIMITED TABLESPACE System Privilege
Assigning a Temporary Tablespace for the User
Specifying a Profile for the User
Setting a Default Role for the User
Altering User Accounts
About Altering User Accounts
Using the ALTER USER Statement to Alter a User Account
Changing Non-SYS User Passwords
Changing the SYS User Password
Configuring User Resource Limits
About User Resource Limits
Types of System Resources and Limits
Limiting the User Session Level
Limiting Database Call Levels
Limiting CPU Time
Limiting Logical Reads
Limiting Other Resources
Determining Values for Resource Limits of Profiles
Managing Resources with Profiles
Creating Profiles
Dropping Profiles
Deleting User Accounts
Finding Information About Database Users and Profiles
Using Data Dictionary Views to Find Information About Users and Profiles
Listing All Users and Associated Information
Listing All Tablespace Quotas
Listing All Profiles and Assigned Limits
Viewing Memory Use for Each User Session
3 Configuring Authentication
About Authentication
Configuring Password Protection
What Are the Oracle Database Built-in Password Protections?
Minimum Requirements for Passwords
Using a Password Management Policy
About Managing Passwords
Finding User Accounts That Have Default Passwords
Configuring Password Settings in the Default Profile
Disabling and Enabling the Default Password Security Settings
Automatically Locking a User Account After a Failed Login
Controlling User Ability to Reuse Previous Passwords
Controlling Password Aging and Expiration
Setting the PASSWORD_LIFE_TIME Profile Parameter to a Low Value
Enforcing Password Complexity Verification
Enabling or Disabling Password Case Sensitivity
Ensuring Against Password Security Threats by Using the SHA-1 Hashing Algorithm
Managing the Secure External Password Store for Password Credentials
About the Secure External Password Store
How Does the External Password Store Work?
Configuring Clients to Use the External Password Store
Managing External Password Store Credentials
Authenticating Database Administrators
Strong Authentication and Centralized Management for Database Administrators
Configuring Directory Authentication for Administrative Users
Configuring Kerberos Authentication for Administrative Users
Configuring Secure Sockets Layer Authentication for Administrative Users
Authenticating Database Administrators by Using the Operating System
Authenticating Database Administrators by Using Their Passwords
Using the Database to Authenticate Users
About Database Authentication
Advantages of Database Authentication
Creating a User Who Is Authenticated by the Database
Using the Operating System to Authenticate Users
Using the Network to Authenticate Users
Authentication Using Secure Sockets Layer
Authentication Using Third-Party Services
Configuring Global User Authentication and Authorization
Creating a User Who Is Authorized by a Directory Service
Creating a Global User Who Has a Private Schema
Creating Multiple Enterprise Users Who Share Schemas
Advantages of Global Authentication and Global Authorization
Configuring an External Service to Authenticate Users and Passwords
About External Authentication
Advantages of External Authentication
Creating a User Who Is Authenticated Externally
Authenticating User Logins Using the Operating System
Authenticating User Logins Using Network Authentication
Using Multitier Authentication and Authorization
Administration and Security in Clients, Application Servers, and Database Servers
Preserving User Identity in Multitiered Environments
Using a Middle Tier Server for Proxy Authentication
About Proxy Authentication
Advantages of Proxy Authentication
Who Can Create Proxy User Accounts?
Creating Proxy User Accounts and Authorizing Users to Connect Through Them
Using Proxy Authentication with the Secure External Password Store
Passing Through the Identity of the Real User by Using Proxy Authentication
Limiting the Privilege of the Middle Tier
Authorizing a Middle Tier to Proxy and Authenticate a User
Authorizing a Middle Tier to Proxy a User Authenticated by Other Means
Reauthenticating the User Through the Middle Tier to the Database
Using Client Identifiers to Identify Application Users Not Known to the Database
About Client Identifiers
How Client Identifiers Work in Middle Tier Systems
Using the CLIENT_IDENTIFIER Attribute to Preserve User Identity
Using CLIENT_IDENTIFIER Independent of Global Application Context
Using the DBMS_SESSION PL/SQL Package to Set and Clear the Client Identifier
Finding Information About User Authentication
4 Configuring Privilege and Role Authorization
About Privileges and Roles
Who Should Be Granted Privileges?
Managing System Privileges
About System Privileges
Why Is It Important to Restrict System Privileges?
Restricting System Privileges by Securing the Data Dictionary
Allowing Access to Objects in the SYS Schema
Granting and Revoking System Privileges
Who Can Grant or Revoke System Privileges?
About ANY Privileges and the PUBLIC Role
Managing User Roles
About User Roles
The Functionality of Roles
Properties of Roles and Why They Are Advantageous
Common Uses of Roles
How Roles Affect the Scope of a User's Privileges
How Roles Work in PL/SQL Blocks
How Roles Aid or Restrict DDL Usage
How Operating Systems Can Aid Roles
How Roles Work in a Distributed Environment
Predefined Roles in an Oracle Database Installation
Creating a Role
Specifying the Type of Role Authorization
Authorizing a Role by Using the Database
Authorizing a Role by Using an Application
Authorizing a Role by Using an External Source
Global Role Authorization by an Enterprise Directory Service
Granting and Revoking Roles
Who Can Grant or Revoke Roles?
Dropping Roles
Restricting SQL*Plus Users from Using Database Roles
Potential Security Problems of Using Ad Hoc Tools
Limiting Roles Through the PRODUCT_USER_PROFILE Table
Using Stored Procedures to Encapsulate Business Logic
Securing Role Privileges by Using Secure Application Roles
Managing Object Privileges
About Object Privileges
Granting or Revoking Object Privileges
Managing Object Privileges
Granting and Revoking Object Privileges
Who Can Grant Object Privileges?
Using Object Privileges with Synonyms
Managing Table Privileges
How Table Privileges Affect Data Manipulation Language Operations
How Table Privileges Affect Data Definition Language Operations
Managing View Privileges
About View Privileges
Privileges Required to Create Views
Increasing Table Security with Views
Managing Procedure Privileges
Using the EXECUTE Privilege for Procedure Privileges
Procedure Execution and Security Domains
How Procedure Privileges Affect Definer's Rights
How Procedure Privileges Affect Invoker's Rights
System Privileges Required to Create or Replace a Procedure
System Privileges Required to Compile a Procedure
How Procedure Privileges Affect Packages and Package Objects
Managing Type Privileges
System Privileges for Named Types
Object Privileges
Method Execution Model
Privileges Required to Create Types and Tables Using Types
Example of Privileges for Creating Types and Tables Using Types
Privileges on Type Access and Object Access
Type Dependencies
Granting a User Privileges and Roles
Granting System Privileges and Roles
Granting the ADMIN Option
Creating a New User with the GRANT Statement
Granting Object Privileges
Specifying the GRANT OPTION Clause
Granting Object Privileges on Behalf of the Object Owner
Granting Privileges on Columns
Row-Level Access Control
Revoking Privileges and Roles from a User
Revoking System Privileges and Roles
Revoking Object Privileges
Revoking Object Privileges on Behalf of the Object Owner
Revoking Column-Selective Object Privileges
Revoking the REFERENCES Object Privilege
Cascading Effects of Revoking Privileges
Cascading Effects When Revoking System Privileges
Cascading Effects When Revoking Object Privileges
Granting to and Revoking from the PUBLIC Role
Granting Roles Using the Operating System or Network
About Granting Roles Using the Operating System or Network
Using Operating System Role Identification
Using Operating System Role Management
Granting and Revoking Roles When OS_ROLES Is Set to TRUE
Enabling and Disabling Roles When OS_ROLES Is Set to TRUE
Using Network Connections with Operating System Role Management
When Do Grants and Revokes Take Effect?
How the SET ROLE Statement Affects Grants and Revokes
Specifying Default Roles
The Maximum Number of Roles That a User Can Enable
Managing Fine-Grained Access in PL/SQL Packages and Types
About Fine-Grained Access Control to External Network Services
About Access Control to Wallets
Upgrading Applications That Depend on Packages That Use External Network Services
Creating an Access Control List for External Network Services
Step 1: Create the Access Control List and Its Privilege Definitions
Step 2: Assign the Access Control List to One or More Network Hosts
Configuring Access Control to a Wallet
Step 1: Create an Oracle Wallet
Step 2: Create an Access Control List that Grants the Wallet Privileges
Step 3: Assign the Access Control List to the Wallet
Step 4: Make the HTTP Request with the Passwords and Client Certificates
Examples of Creating Access Control Lists
Example of an Access Control List for a Single Role and Network Connection
Example of an Access Control List with Multiple Roles Assigned to Multiple Hosts
Example of an Access Control List for Using Passwords in a Non-Shared Wallet
Example of an Access Control List for Wallets in a Shared Database Session
Specifying a Group of Network Host Computers
Precedence Order for a Host Computer in Multiple Access Control List Assignments
Precedence Order for a Host in Access Control List Assignments with Port Ranges
Checking Privilege Assignments That Affect User Access to a Network Host
How a DBA Can Check User Network Connection and Domain Privileges
How Users Can Check Their Network Connection and Domain Privileges
Setting the Precedence of Multiple Users and Roles in One Access Control List
Finding Information About Access Control Lists Configured for User Access
Finding Information About User Privileges and Roles
Listing All System Privilege Grants
Listing All Role Grants
Listing Object Privileges Granted to a User
Listing the Current Privilege Domain of Your Session
Listing Roles of the Database
Listing Information About the Privilege Domains of Roles
5 Managing Security for Application Developers
About Application Security Policies
Considerations for Using Application-Based Security
Are Application Users Also Database Users?
Is Security Better Enforced in the Application or in the Database?
Securing Passwords in Application Design
General Guidelines for Securing Passwords in Applications
Platform-Specific Security Threats
Designing Applications to Handle Password Input
Configuring Password Formats and Behavior
Handling Passwords in SQL*Plus and SQL Scripts
Securing Passwords Using an External Password Store
Securing Passwords Using the orapwd Utility
Example of Reading Passwords in Java
Managing Application Privileges
Creating Secure Application Roles to Control Access to Applications
Step 1: Create the Secure Application Role
Step 2: Create a PL/SQL Package to Define the Access Policy for the Application
Associating Privileges with User Database Roles
Why Users Should Only Have the Privileges of the Current Database Role
Using the SET ROLE Statement to Automatically Enable or Disable Roles
Protecting Database Objects by Using Schemas
Protecting Database Objects in a Unique Schema
Protecting Database Objects in a Shared Schema
Managing Object Privileges in an Application
What Application Developers Need to Know About Object Privileges
SQL Statements Permitted by Object Privileges
Parameters for Enhanced Security of Database Communication
Reporting Bad Packets Received on the Database from Protocol Errors
Terminating or Resuming Server Execution After Receiving a Bad Packet
Configuring the Maximum Number of Authentication Attempts
Controlling the Display of the Database Version Banner
Configuring Banners for Unauthorized Access and Auditing User Actions
6 Using Application Contexts to Retrieve User Information
About Application Contexts
What Is an Application Context?
Components of the Application Context
Where Are the Application Context Values Stored?
Benefits of Using Application Contexts
How Editions Affect Application Context Values
Types of Application Contexts
Using Database Session-Based Application Contexts
About Database Session-Based Application Contexts
Creating a Database Session-Based Application Context
Creating a PL/SQL Package to Set the Database Session-Based Application Context
About the Package That Manages the Database Session-Based Application Context
Using SYS_CONTEXT to Retrieve Session Information
Using Dynamic SQL with SYS_CONTEXT
Using SYS_CONTEXT in a Parallel Query
Using SYS_CONTEXT with Database Links
Using DBMS_SESSION.SET_CONTEXT to Set Session Information
Creating a Logon Trigger to Run a Database Session Application Context Package
Tutorial: Creating and Using a Database Session-Based Application Context
About This Tutorial
Step 1: Create User Accounts and Ensure the User SCOTT Is Active
Step 2: Create the Database Session-Based Application Context
Step 3: Create a Package to Retrieve Session Data and Set the Application Context
Step 4: Create a Logon Trigger for the Package
Step 5: Test the Application Context
Step 6: Remove the Components for This Tutorial
Initializing Database Session-Based Application Contexts Externally
Obtaining Default Values from Users
Obtaining Values from Other External Resources
Initializing Application Context Values from a Middle-Tier Server
Initializing Database Session-Based Application Contexts Globally
About Initializing Database Session-Based Application Contexts Globally
Using Database Session-Based Application Contexts with LDAP
How Globally Initialized Database Session-Based Application Contexts Work
Example of Initializing a Database Session-Based Application Context Globally
Using Externalized Database Session-Based Application Contexts
Using Global Application Contexts
About Global Application Contexts
Creating a Global Application Context
Creating a PL/SQL Package to Manage a Global Application Context
About the Package That Manages the Global Application Context
How Editions Affect the Results of a Global Application Context PL/SQL Package
Setting the DBMS_SESSION.SET_CONTEXT username and client_id Parameters
Sharing Global Application Context Values for All Database Users
Setting a Global Context for Database Users Who Move Between Applications
Setting a Global Application Context for Nondatabase Users
Clearing Session Data When the Session Closes
Embedding Calls in Middle-Tier Applications to Manage the Client Session ID
About Managing Client Session IDs Using a Middle-Tier Application
Retrieving the Client Session ID Using a Middle-Tier Application
Setting the Client Session ID Using a Middle-Tier Application
Clearing Session Data Using a Middle-Tier Application
Tutorial: Creating a Global Application Context That Uses a Client Session ID
About This Tutorial
Step 1: Create User Accounts
Step 2: Create the Global Application Context
Step 3: Create a Package for the Global Application Context
Step 4: Test the Global Application Context
Step 5: Remove the Components for This Tutorial
Global Application Context Processes
Simple Global Application Context Process
Global Application Context Process for Lightweight Users
Using Client Session-Based Application Contexts
About Client Session-Based Application Contexts
Setting a Value in the CLIENTCONTEXT Namespace
Retrieving the CLIENTCONTEXT Namespace
Clearing a Setting in the CLIENTCONTEXT Namespace
Clearing All Settings in the CLIENTCONTEXT Namespace
Finding Information About Application Contexts
7 Using Oracle Virtual Private Database to Control Data Access
About Oracle Virtual Private Database
What Is Oracle Virtual Private Database?
Benefits of Using Oracle Virtual Private Database Policies
Basing Security Policies on Database Objects Rather Than Applications
Controlling How Oracle Database Evaluates Policy Functions
Which Privileges Are Used to Run Oracle Virtual Private Database Policy Functions?
Using Oracle Virtual Private Database with an Application Context
Components of an Oracle Virtual Private Database Policy
Creating a Function to Generate the Dynamic WHERE Clause
Creating a Policy to Attach the Function to the Objects You Want to Protect
Configuring an Oracle Virtual Private Database Policy
About Oracle Virtual Private Database Policies
Attaching a Policy to a Database Table, View, or Synonym
Enforcing Policies on Specific SQL Statement Types
Controlling the Display of Column Data with Policies
Adding Policies for Column-Level Oracle Virtual Private Database
Displaying Only the Column Rows Relevant to the Query
Using Column Masking to Display Sensitive Columns as NULL Values
Working with Oracle Virtual Private Database Policy Groups
About Oracle Virtual Private Database Policy Groups
Creating a New Oracle Virtual Private Database Policy Group
Designating a Default Policy Group with the SYS_DEFAULT Policy Group
Establishing Multiple Policies for Each Table, View, or Synonym
Validating the Application Used to Connect to the Database
Optimizing Performance by Using Oracle Virtual Private Database Policy Types
About Oracle Virtual Private Database Policy Types
Using the Dynamic Policy Type to Automatically Rerun Policy Functions
Using a Static Policy to Prevent Policy Functions from Rerunning for Each Query
Using a Shared Static Policy to Share a Policy with Multiple Objects
When to Use Static and Shared Static Policies
Using a Context-Sensitive Policy for Predicates That Do Not Change After Parsing
Using a Shared Context Sensitive Policy to Share a Policy with Multiple Objects
When to Use Context-Sensitive and Shared Context-Sensitive Policies
Summary of the Five Oracle Virtual Private Database Policy Types
Tutorials: Creating Oracle Virtual Private Database Policies
Tutorial: Creating a Simple Oracle Virtual Private Database Policy
About This Tutorial
Step 1: Ensure That the OE User Account Is Active
Step 2: Create a Policy Function
Step 3: Create the Oracle Virtual Private Database Policy
Step 4: Test the Policy
Step 5: Remove the Components for This Tutorial
Tutorial: Implementing a Policy with a Database Session-Based Application Context
About This Tutorial
Step 1: Create User Accounts and Sample Tables
Step 2: Create a Database Session-Based Application Context
Step 3: Create a PL/SQL Package to Set the Application Context
Step 4: Create a Logon Trigger to Run the Application Context PL/SQL Package
Step 5: Create a PL/SQL Policy Function to Limit User Access to Their Orders
Step 6: Create the New Security Policy
Step 7: Test the New Policy
Step 8: Remove the Components for This Tutorial
Tutorial: Implementing an Oracle Virtual Private Database Policy Group
About This Tutorial
Step 1: Create User Accounts and Other Components for This Tutorial
Step 2: Create the Two Policy Groups
Step 3: Create PL/SQL Functions to Control the Policy Groups
Step 4: Add the PL/SQL Functions to the Policy Groups
Step 5: Create the Driving Application Context
Step 6: Test the Policy Groups
Step 7: Remove the Components for This Tutorial
How Oracle Virtual Private Database Works with Other Oracle Features
Using Oracle Virtual Private Database Policies with Editions
Using SELECT FOR UPDATE in User Queries on VPD-Protected Tables
How Oracle Virtual Private Database Policies Affect Outer or ANSI Join Operations
How Oracle Virtual Private Database Security Policies Work with Applications
Using Automatic Reparsing for Fine-Grained Access Control Policy Functions
Using Oracle Virtual Private Database Policies and Flashback Query
Using Oracle Virtual Private Database and Oracle Label Security
Using Oracle Virtual Private Database to Enforce Oracle Label Security Policies
Oracle Virtual Private Database and Oracle Label Security Exceptions
Exporting Data Using the EXPDP Utility access_method Parameter
User Models and Oracle Virtual Private Database
Finding Information About Oracle Virtual Private Database Policies
8 Developing Applications Using the Data Encryption API
Security Problems That Encryption Does Not Solve
Principle 1: Encryption Does Not Solve Access Control Problems
Principle 2: Encryption Does Not Protect Against a Malicious Database Administrator
Principle 3: Encrypting Everything Does Not Make Data Secure
Data Encryption Challenges
Encrypting Indexed Data
Generating Encryption Keys
Transmitting Encryption Keys
Storing Encryption Keys
Storing the Encryption Keys in the Database
Storing the Encryption Keys in the Operating System
Users Managing Their Own Encryption Keys
Using Transparent Database Encryption and Tablespace Encryption
Changing Encryption Keys
Encrypting Binary Large Objects
Storing Data Encryption by Using the DBMS_CRYPTO Package
Verifying Data Integrity with the DBMS_SQLHASH Package
About the DBMS_SQLHASH Package
Using the DBMS_SQLHASH.GETHASH Function
Syntax
Parameters
Examples of Using the Data Encryption API
Example of a Data Encryption Procedure
Example of AES 256-Bit Data Encryption and Decryption Procedures
Example of Encryption and Decryption Procedures for BLOB Data
Finding Information About Encrypted Data
9 Verifying Security Access with Auditing
About Auditing
What Is Auditing?
Why Is Auditing Used?
Protecting the Database Audit Trail
Activities That Are Always Written to the Standard and Fine-Grained Audit Records
Activities That Are Always Audited for All Platforms
Auditing in a Distributed Database
Best Practices for Auditing
Selecting an Auditing Type
Auditing General Activities with Standard Auditing
About Standard Auditing
What Is Standard Auditing?
Who Can Perform Standard Auditing?
When Are Standard Audit Records Created?
Configuring Standard Auditing with the AUDIT_TRAIL Initialization Parameter
Enabling or Disabling the Standard Audit Trail
Settings for the AUDIT_TRAIL Initialization Parameter
What Do the Operating System and Database Audit Trails Have in Common?
Using the Operating System Audit Trail
About the Operating System Trail
What Do Operating System Audit Trail Records Look Like?
Advantages of the Operating System Audit Trail
How the Operating System Audit Trail Works
Specifying a Directory for the Operating System Audit Trail
Using the Syslog Audit Trail on UNIX Systems
About the Syslog Audit Trail
Format of the Information Stored in the Syslog Audit Trail
What Does the Syslog Audit Trail Look Like?
Configuring Syslog Auditing
How the AUDIT and NOAUDIT SQL Statements Work
Enabling Standard Auditing with the AUDIT SQL Statement
Auditing Statement Executions: Successful, Unsuccessful, or Both
How Standard Audit Records Are Generated
How Do Cursors Affect Standard Auditing?
Benefits of Using the BY ACCESS Clause in the AUDIT Statement
Auditing Actions Performed by Specific Users
Removing the Audit Option with the NOAUDIT SQL Statement
Auditing SQL Statements
About SQL Statement Auditing
Types of SQL Statements That Are Audited
Configuring SQL Statement Auditing
Removing SQL Statement Auditing
Auditing Privileges
About Privilege Auditing
Types of Privileges That Can Be Audited
Configuring Privilege Auditing
Removing Privilege Auditing
Auditing SQL Statements and Privileges in a Multitier Environment
Auditing Schema Objects
About Schema Object Auditing
Types of Schema Objects That Can Be Audited
Using Standard Auditing with Editioned Objects
Schema Object Audit Options for Views, Procedures, and Other Elements
Configuring Schema Object Auditing
Removing Object Auditing
Setting Audit Options for Objects That May Be Created in the Future
Auditing Directory Objects
About Directory Object Auditing
Configuring Directory Object Auditing
Removing Directory Object Auditing
Auditing Functions, Procedures, Packages, and Triggers
About Auditing Functions, Procedures, Packages, and Triggers
Configuring the Auditing of Functions, Procedures, Packages, and Triggers
Removing the Auditing of Functions, Procedures, Packages, and Triggers
Auditing Network Activity
About Network Auditing
Configuring Network Auditing
Removing Network Auditing
Using Default Auditing for Security-Relevant SQL Statements and Privileges
About the Default Auditing Settings
Privileges That Oracle Database Audits by Default
Disabling and Enabling Default Audit Settings
Auditing Specific Activities with Fine-Grained Auditing
About Fine-Grained Auditing
Where Are Fine-Grained Audit Records Stored?
Advantages of Fine-Grained Auditing
What Permissions Are Needed to Create a Fine-Grained Audit Policy?
Activities That Are Always Audited in Fine-Grained Auditing
Using Fine-Grained Audit Policies with Editions
Creating an Audit Trail for Fine-Grained Audit Records
How the Fine-Grained Audit Trail Generates Records
Using the DBMS_FGA Package to Manage Fine-Grained Audit Policies
About the DBMS_FGA PL/SQL Package
Creating a Fine-Grained Audit Policy
Disabling and Enabling a Fine-Grained Audit Policy
Dropping a Fine-Grained Audit Policy
Tutorial: Adding an Email Alert to a Fine-Grained Audit Policy
About This Tutorial
Step 1: Install and Configure the UTL_MAIL PL/SQL Package
Step 2: Create User Accounts
Step 3: Configure an Access Control List File for Network Services
Step 4: Create the Email Security Alert PL/SQL Procedure
Step 5: Create and Test the Fine-Grained Audit Policy Settings
Step 6: Test the Alert
Step 7: Remove the Components for This Tutorial
Tutorial: Auditing Nondatabase Users
About This Tutorial
Step 1: Create the User Account and Ensure the User HR Is Active
Step 2: Create the Fine-Grained Audit Policy
Step 3: Test the Policy
Step 4: Remove the Components for This Tutorial
Auditing SYS Administrative Users
Auditing User SYSTEM
Auditing User SYS and Users Who Connect as SYSDBA and SYSOPER
Using Triggers to Write Audit Data to a Separate Table
Managing Audit Trail Records
About Audit Records
Managing the Database Audit Trail
Database Audit Trail Contents
Controlling the Size of the Database Audit Trail
Moving the Database Audit Trail to a Different Tablespace
Auditing the Database Audit Trail
Archiving the Database Audit Trail
Managing the Operating System Audit Trail
If the Operating System Audit Trail Becomes Full
Setting the Size of the Operating System Audit Trail
Setting the Age of the Operating System Audit Trail
Archiving the Operating System Audit Trail
Purging Audit Trail Records
About Purging Audit Trail Records
Selecting an Audit Trail Purge Method
Scheduling an Automatic Purge Job for the Audit Trail
Step 1: If Necessary, Tune Online and Archive Redo Log Sizes
Step 2: Plan a Timestamp and Archive Strategy
Step 3: Initialize the Audit Trail Cleanup Operation
Step 4: Optionally, Set an Archive Timestamp for Audit Records
Step 5: Create and Schedule the Purge Job
Step 6: Optionally, Configure the Audit Trail Records to be Deleted in Batches
Manually Purging the Audit Trail
Purging a Subset of Records from the Database Audit Trail
Other Audit Trail Purge Operations
Verifying That the Audit Trail Is Initialized for Cleanup
Setting the Default Audit Trail Purge Interval for Any Audit Trail Type
Cancelling the Initialization Cleanup Settings
Enabling or Disabling an Audit Trail Purge Job
Setting the Default Audit Trail Purge Job Interval for a Specified Purge Job
Deleting an Audit Trail Purge Job
Clearing the Archive Timestamp Setting
Clearing the Database Audit Trail Batch Size
Example: Directly Calling a Database Audit Trail Purge Operation
Finding Information About Audited Activities
Using Data Dictionary Views to Find Information About the Audit Trail
Using Audit Trail Views to Investigate Suspicious Activities
Listing Active Statement Audit Options
Listing Active Privilege Audit Options
Listing Active Object Audit Options for Specific Objects
Listing Default Object Audit Options
Listing Audit Records
Listing Audit Records for the AUDIT SESSION Option
Deleting the Audit Trail Views
10 Keeping Your Oracle Database Secure
About the Security Guidelines in This Chapter
Downloading Security Patches and Contacting Oracle Regarding Vulnerabilities
Applying Security Patches and Workaround Solutions
Contacting Oracle Security Regarding Vulnerabilities in Oracle Database
Guidelines for Securing User Accounts and Privileges
Guidelines for Securing Roles
Guidelines for Securing Passwords
Guidelines for Securing Data
Guidelines for Securing the ORACLE_LOADER Access Driver
Guidelines for Securing a Database Installation and Configuration
Guidelines for Securing the Network
Securing the Client Connection
Securing the Network Connection
Securing a Secure Sockets Layer Connection
Guidelines for Auditing
Auditing Sensitive Information
Keeping Audited Information Manageable
Auditing Typical Database Activity
Auditing Suspicious Database Activity
Recommended Audit Settings
Addressing the CONNECT Role Change
Why Was the CONNECT Role Changed?
How the CONNECT Role Change Affects Applications
How the CONNECT Role Change Affects Database Upgrades
How the CONNECT Role Change Affects Account Provisioning
How the CONNECT Role Change Affects Applications Using New Databases
How the CONNECT Role Change Affects Users
How the CONNECT Role Change Affects General Users
How the CONNECT Role Change Affects Application Developers
How the CONNECT Role Change Affects Client Server Applications
Approaches to Addressing the CONNECT Role Change
Approach 1: Create a New Database Role
Approach 2: Restore CONNECT Privileges
Approach 3: Conduct Least Privilege Analysis
Glossary
Index