Contents

List of Tables

Title and Copyright Information

Preface

• Audience
• Documentation Accessibility
• Related Documents
• Conventions

1 Introduction to Oracle Database Security

• 1.1 About This Guide
  • 1.1.1 Before Using This Guide
  • 1.1.2 What This Guide Is and Is Not
• 1.2 Common Database Security Tasks
• 1.3 Tools for Securing Your Database
• 1.4 Securing Your Database: A Roadmap

2 Securing the Database Installation and Configuration

• 2.1 About Securing the Database Installation and Configuration
• 2.2 Enabling the Default Security Settings
• 2.3 Securing the Oracle Data Dictionary
  • 2.3.1 About the Oracle Data Dictionary
  • 2.3.2 Enabling Data Dictionary Protection
• 2.4 Restricting Operating System Access
• 2.5 Restricting Permissions on Run-Time Facilities
• 2.6 Initialization Parameters Used for Installation and Configuration Security
  • 2.6.1 Modifying the Value of an Initialization Parameter

3 Securing Oracle Database User Accounts

• 3.1 About Securing Oracle Database User Accounts
• 3.2 Predefined User Accounts Provided by Oracle Database
  • 3.2.1 Predefined Administrative Accounts
  • 3.2.2 Predefined Non-Administrative User Accounts
  • 3.2.3 Predefined Sample Schema User Accounts
• 3.3 Expiring and Locking Database Accounts
• 3.4 Requirements for Creating Passwords
• 3.5 Finding and Changing Default Passwords
• 3.6 Changing the Default Administrative User Passwords
• 3.7 Enforcing Password Management
• 3.8 Initialization Parameters Used to Secure User Accounts

4 Managing User Privileges

• 4.1 About Privilege Management
• 4.2 Granting Necessary Privileges Only
• 4.3 Revoking Privileges from the PUBLIC User Group
• 4.4 Granting Roles to Users
• 4.5 Controlling Access to Applications with Secure Application Roles
  • 4.5.1 About Secure Application Roles
  • 4.5.2 Example: Creating a Secure Application Role
    • 4.5.2.1 Step 1: Create a Security Administrator Account
    • 4.5.2.2 Step 2: Create User Accounts for This Example
    • 4.5.2.3 Step 3: Create the Secure Application Role
    • 4.5.2.4 Step 4: Create a Lookup Table
    • 4.5.2.5 Step 5: Create the PL/SQL Package to Set the Secure Application Role
    • 4.5.2.6 Step 6: Grant EXECUTE Privileges for the Procedure to Matthew and Winston
    • 4.5.2.7 Step 7: Test the EMPLOYEE_ROLE Secure Application Role
    • 4.5.2.8 Step 8: Optionally, Remove the Components for This Example
• 4.6 Initialization Parameters Used for Privilege Security

5 Securing the Network

• 5.1 About Securing the Network
• 5.2 Securing the Client Connection on the Network
  • 5.2.1 Guidelines for Securing Client Connections
  • 5.2.2 Securing the Network Connection
  • 5.2.3 Securing a Secure Sockets Layer Connection
• 5.3 Protecting Data on the Network by Using Network Encryption
  • 5.3.1 About Network Encryption
  • 5.3.2 Configuring Network Encryption
• 5.4 Initialization Parameters Used for Network Security

6 Securing Data

• 6.1 About Securing Data
• 6.2 Encrypting Data Transparently with Transparent Data Encryption
  • 6.2.1 About Encrypting Sensitive Data
  • 6.2.2 When Should You Encrypt Data?
  • 6.2.3 How Transparent Data Encryption Works
  • 6.2.4 Configuring Data to Use Transparent Data Encryption
    • 6.2.4.1 Step 1: Configure the Wallet Location
    • 6.2.4.2 Step 2: Create the Wallet
    • 6.2.4.3 Step 3: Open (or Close) the Wallet
    • 6.2.4.4 Step 4: Encrypt (or Decrypt) Data
  • 6.2.5 Checking Existing Encrypted Data
    • 6.2.5.1 Checking Whether a Wallet Is Open or Closed
    • 6.2.5.2 Checking Encrypted Columns of an Individual Table
    • 6.2.5.3 Checking All Encrypted Table Columns in the Current Database Instance
    • 6.2.5.4 Checking Encrypted Tablespaces in the Current Database Instance
• 6.3 Controlling Data Access with Oracle Virtual Private Database
  • 6.3.1 About Oracle Virtual Private Database
  • 6.3.2 Example: Creating an Oracle Virtual Private Database Policy
    • 6.3.2.1 Step 1: If Necessary, Create the Security Administrator Account
    • 6.3.2.2 Step 2: Update the Security Administrator Account
    • 6.3.2.3 Step 3: Create User Accounts for This Example
    • 6.3.2.4 Step 4: Create the F_POLICY_ORDERS Policy Function
    • 6.3.2.5 Step 5: Create the ACCESSCONTROL_ORDERS Virtual Private Database Policy
    • 6.3.2.6 Step 6: Test the ACCESSCONTROL_ORDERS Virtual Private Database Policy
    • 6.3.2.7 Step 7: Optionally, Remove the Components for This Example
• 6.4 Enforcing Row-Level Security with Oracle Label Security
  • 6.4.1 About Oracle Label Security
  • 6.4.2 Guidelines for Planning an Oracle Label Security Policy
  • 6.4.3 Example: Applying Security Labels to the HR.LOCATIONS Table
    • 6.4.3.1 Step 1: Install Oracle Label Security and Enable User LBACSYS
    • 6.4.3.2 Step 2: Create a Role and Three Users for the Oracle Label Security Example
    • 6.4.3.3 Step 3: Create the ACCESS_LOCATIONS Oracle Label Security Policy
    • 6.4.3.4 Step 4: Define the ACCESS_LOCATIONS Policy-Level Components
    • 6.4.3.5 Step 5: Create the ACCESS_LOCATIONS Policy Data Labels
    • 6.4.3.6 Step 6: Create the ACCESS_LOCATIONS Policy User Authorizations
    • 6.4.3.7 Step 7: Apply the ACCESS_LOCATIONS Policy to the HR.LOCATIONS Table
    • 6.4.3.8 Step 8: Add the ACCESS_LOCATIONS Labels to the HR.LOCATIONS Data
    • 6.4.3.9 Step 9: Test the ACCESS_LOCATIONS Policy
    • 6.4.3.10 Step 10: Optionally, Remove the Components for This Example

7 Auditing Database Activity

• 7.1 About Auditing
• 7.2 Why Is Auditing Used?
• 7.3 Where Are Standard Audited Activities Recorded?
• 7.4 Auditing General Activities Using Standard Auditing
  • 7.4.1 About Standard Auditing
  • 7.4.2 Enabling or Disabling the Standard Audit Trail
  • 7.4.3 Using Default Auditing for Security-Relevant SQL Statements and Privileges
    • 7.4.3.1 About Default Auditing
    • 7.4.3.2 Enabling Default Auditing
  • 7.4.4 Individually Auditing SQL Statements
  • 7.4.5 Individually Auditing Privileges
  • 7.4.6 Using Proxies to Audit SQL Statements and Privileges in a Multitier Environment
  • 7.4.7 Individually Auditing Schema Objects
  • 7.4.8 Auditing Network Activity
• 7.5 Example: Creating a Standard Audit Trail
  • 7.5.1 Step 1: Log In and Enable Standard Auditing
  • 7.5.2 Step 2: Enable Auditing for SELECT Statements on the OE.CUSTOMERS Table
  • 7.5.3 Step 3: Test the Audit Settings
  • 7.5.4 Step 4: Optionally, Remove the Components for This Example
  • 7.5.5 Step 5: Remove the SEC_ADMIN Security Administrator Account
• 7.6 Guidelines for Auditing
  • 7.6.1 Enabling Default Auditing of SQL Statements and Privileges
  • 7.6.2 Keeping Audited Information Manageable
  • 7.6.3 Auditing Typical Database Activity
  • 7.6.4 Auditing Suspicious Database Activity
• 7.7 Initialization Parameters Used for Auditing

Index