Contents

List of Tables

Title and Copyright Information

Preface

• Audience
• Documentation Accessibility
• Related Documents
• Conventions

1 Introduction to Oracle Database Security

• About This Guide
  • Before Using This Guide
  • What This Guide Is and Is Not
• Common Database Security Tasks
• Tools for Securing Your Database
• Securing Your Database: A Roadmap

2 Securing the Database Installation and Configuration

• About Securing the Database Installation and Configuration
• Using the Default Security Settings
• Securing the Oracle Data Dictionary
  • About the Oracle Data Dictionary
  • Enabling Data Dictionary Protection
• Guidelines for Securing Operating System Access to Oracle Database
• Guideline for Granting Permissions to Run-Time Facilities
• Initialization Parameters Used for Installation and Configuration Security
  • Modifying the Value of an Initialization Parameter

3 Securing Oracle Database User Accounts

• About Securing Oracle Database User Accounts
• Predefined User Accounts Provided by Oracle Database
  • Predefined Administrative Accounts
  • Predefined Non-Administrative User Accounts
  • Predefined Sample Schema User Accounts
• Expiring and Locking Database Accounts
• Requirements for Creating Passwords
• Finding and Changing Default Passwords
• Guideline for Handling the Default Administrative User Passwords
• Guideline for Enforcing Password Management
• Parameters Used to Secure User Accounts

4 Managing User Privileges

• About Privilege Management
• Guideline for Granting Privileges
• Guideline for Granting Roles to Users
• Guideline for Handling Privileges for the PUBLIC Role
• Controlling Access to Applications with Secure Application Roles
  • About Secure Application Roles
  • Tutorial: Creating a Secure Application Role
    • Step 1: Create a Security Administrator Account
    • Step 2: Create User Accounts for This Tutorial
    • Step 3: Create the Secure Application Role
    • Step 4: Create a Lookup View
    • Step 5: Create the PL/SQL Procedure to Set the Secure Application Role
    • Step 6: Grant the EXECUTE Privilege for the Procedure to Matthew and Winston
    • Step 7: Test the EMPLOYEE_ROLE Secure Application Role
    • Step 8: Optionally, Remove the Components for This Tutorial
• Initialization Parameters Used for Privilege Security

5 Securing the Network

• About Securing the Network
• Securing the Client Connection on the Network
  • Guidelines for Securing Client Connections
  • Guidelines for Securing the Network Connection
• Protecting Data on the Network by Using Network Encryption
  • About Network Encryption
  • Configuring Network Encryption
• Initialization Parameters Used for Network Security

6 Securing Data

• About Securing Data
• Encrypting Data Transparently with Transparent Data Encryption
  • About Encrypting Sensitive Data
  • When Should You Encrypt Data?
  • How Transparent Data Encryption Works
  • Configuring Data to Use Transparent Data Encryption
    • Step 1: Configure the Wallet Location
    • Step 2: Create the Wallet
    • Step 3: Open (or Close) the Wallet
    • Step 4: Encrypt (or Decrypt) Data
  • Checking Existing Encrypted Data
    • Checking Whether a Wallet Is Open or Closed
    • Checking Encrypted Columns of an Individual Table
    • Checking All Encrypted Table Columns in the Current Database Instance
    • Checking Encrypted Tablespaces in the Current Database Instance
• Choosing Between Oracle Virtual Private Database and Oracle Label Security
• Controlling Data Access with Oracle Virtual Private Database
  • About Oracle Virtual Private Database
  • Tutorial: Creating an Oracle Virtual Private Database Policy
    • Step 1: If Necessary, Create the Security Administrator Account
    • Step 2: Update the Security Administrator Account
    • Step 3: Create User Accounts for This Tutorial
    • Step 4: Create the F_POLICY_ORDERS Policy Function
    • Step 5: Create the ACCESSCONTROL_ORDERS Virtual Private Database Policy
    • Step 6: Test the ACCESSCONTROL_ORDERS Virtual Private Database Policy
    • Step 7: Optionally, Remove the Components for This Tutorial
• Enforcing Row-Level Security with Oracle Label Security
  • About Oracle Label Security
  • Guidelines for Planning an Oracle Label Security Policy
  • Tutorial: Applying Security Labels to the HR.LOCATIONS Table
    • Step 1: Register Oracle Label Security and Enable the LBACSYS Account
    • Step 2: Create a Role and Three Users for the Oracle Label Security Tutorial
    • Step 3: Create the ACCESS_LOCATIONS Oracle Label Security Policy
    • Step 4: Define the ACCESS_LOCATIONS Policy-Level Components
    • Step 5: Create the ACCESS_LOCATIONS Policy Data Labels
    • Step 6: Create the ACCESS_LOCATIONS Policy User Authorizations
    • Step 7: Apply the ACCESS_LOCATIONS Policy to the HR.LOCATIONS Table
    • Step 8: Add the ACCESS_LOCATIONS Labels to the HR.LOCATIONS Data
    • Step 9: Test the ACCESS_LOCATIONS Policy
    • Step 10: Optionally, Remove the Components for This Tutorial
• Controlling Administrator Access with Oracle Database Vault
  • About Oracle Database Vault
  • Tutorial: Controlling Administrator Access to the OE Schema
    • Step 1: Enable Oracle Database Vault
    • Step 2: Grant the SELECT Privilege on the OE.CUSTOMERS Table to User SCOTT
    • Step 3: Select from the OE.CUSTOMERS Table as Users SYS and SCOTT
    • Step 4: Create a Realm to Protect the OE.CUSTOMERS Table
    • Step 5: Test the OE Protections Realm
    • Step 6: Optionally, Remove the Components for This Tutorial

7 Auditing Database Activity

• About Auditing
• Why Is Auditing Used?
• Where Are Standard Audit Activities Recorded?
• Auditing General Activities Using Standard Auditing
  • About Standard Auditing
  • Enabling or Disabling the Standard Audit Trail
  • Using Default Auditing for Security-Relevant SQL Statements and Privileges
  • Individually Auditing SQL Statements
  • Individually Auditing Privileges
  • Using Proxies to Audit SQL Statements and Privileges in a Multitier Environment
  • Individually Auditing Schema Objects
  • Auditing Network Activity
• Tutorial: Creating a Standard Audit Trail
  • Step 1: Log In and Enable Standard Auditing
  • Step 2: Enable Auditing for SELECT Statements on the OE.CUSTOMERS Table
  • Step 3: Test the Audit Settings
  • Step 4: Optionally, Remove the Components for This Tutorial
  • Step 5: Remove the SEC_ADMIN Security Administrator Account
• Guidelines for Auditing
  • Guideline for Using Default Auditing of SQL Statements and Privileges
  • Guidelines for Managing Audited Information
  • Guidelines for Auditing Typical Database Activity
  • Guidelines for Auditing Suspicious Database Activity
• Initialization Parameters Used for Auditing

Index