| Oracle® Database Vault Administrator's Guide 11g Release 1 (11.1) Part Number B31222-01 |
|
|
View PDF |
| Oracle® Database Vault Administrator's Guide 11g Release 1 (11.1) Part Number B31222-01 |
|
|
View PDF |
This chapter describes how your Oracle Database installation will change after you have installed Oracle Database Vault.
This chapter includes the following topics:
See also Appendix I, "Oracle Database Vault Security Guidelines" for guidelines on managing security in the Oracle Database configuration.
When you install Oracle Database Vault, the installation process modifies several database initialization parameter settings to increase the security of your database configuration. If these changes adversely affect your organizational processes or database maintenance procedures, you can revert to the original settings.
Table 2-1 describes the initialization parameter settings that Oracle Database Vault modifies. Initialization parameters are stored in the init.ora initialization parameter file, located in $ORACLE_HOME/srvm/admin. For more information about this file, see Oracle Database Administrator's Guide.
Table 2-1 Modified Database Initialization Parameter Settings
| Parameter | Default Value in Database | New Value Set by Database Vault | Impact of the Change |
|---|---|---|---|
|
|
|
Enables the auditing of operations issued by user For more information about |
|
|
|
Null string |
The null string value disables For more information about |
|
|
Not configured. |
|
Disables the operating system to completely manage the granting and revoking of roles to users. Any previous grants of roles to users using For more information about |
|
|
|
|
Oracle Database Vault uses password files to authenticate users. The For more information about |
|
|
|
|
Prevents remote clients from being authenticated with the value of the This prevents a remote user from impersonating another operating system user over a network connection. For more information about |
|
|
|
|
Disables users who are connecting to the database through Oracle Net to have their roles authenticated by the operating system. This includes connections through a shared server configuration, as this connection requires Oracle Net. This restriction is the default because a remote user could impersonate another operating system user over a network connection. For more information about |
|
|
|
|
Ensures that users have been granted the For more information about |
During installation of Oracle Database Vault, the installer prompts for several additional database account names. In addition, several database roles are created. These accounts are part of the separation of duties provided by Oracle Database Vault. One common audit problem that has affected several large organizations is the unauthorized creation of new database accounts by a database administrator within a production instance. Upon installation, Oracle Database Vault prevents anyone other than the Oracle Database Vault account manager or a user granted the Oracle Database Vault account manager role from creating users in the database.
To meet regulatory, privacy and other compliance requirements, Oracle Database Vault implements the concept of separation of duties. Oracle Database Vault makes clear separation between the account management responsibility, data security responsibility, and database resource management responsibility inside the database. This means that the concept of a superprivileged user (for example, DBA) is divided among several new database roles to ensure no one user has full control over both the data and configuration of the system. Oracle Database Vault prevents the SYS user and other accounts with the DBA role and other system privileges from designated protected areas of the database called realms. It also introduces new database roles called the Oracle Database Vault Owner (DV_OWNER) and the Oracle Database Vault Account Manager (DV_ACCTMGR). These new database roles separate the data security and the account management from the traditional DBA role. You should map these roles to distinct security professionals within your organization.
See "Oracle Database Vault Roles" for detailed information about the roles created during the Oracle Database Vault installation. See also "Oracle Database Vault Accounts" for default accounts that are created and for suggestions of additional accounts that you may want to create.
