Oracle® Database Vault Administrator's Guide 10g Release 2 (10.2)
Part Number B25166-04
Contents
List of Examples
List of Figures
List of Tables
Title and Copyright Information
Preface
Audience
Documentation Accessibility
Related Documents
Conventions
1 Introducing Oracle Database Vault
1.1 What Is Oracle Database Vault?
1.2 Components of Oracle Database Vault
1.2.1 Oracle Database Vault Access Control Components
1.2.2 Oracle Database Vault Administrator (DVA)
1.2.3 Oracle Database Vault DVSYS and DVF Schemas
1.2.4 Oracle Database Vault Configuration Assistant (DVCA)
1.2.5 Oracle Database Vault PL/SQL Interfaces and Packages
1.2.6 Oracle Policy Manager and Oracle Label Security PL/SQL APIs
1.2.7 Oracle Database Vault Reporting and Monitoring Tools
1.3 How Oracle Database Vault Addresses Compliance Regulations
1.4 How Oracle Database Vault Addresses Insider Threats
1.5 How Oracle Database Vault Allows for Flexible Security Policies
1.6 How Oracle Database Vault Addresses Database Consolidation Concerns
1.7 What to Expect Before and After You Install Oracle Database Vault
1.7.1 How Oracle Database Vault Affects Other Oracle Products
1.7.2 Initialization and Password Parameter Settings That Change
1.7.2.1 Initialization Parameter Settings
1.7.3 How Oracle Database Vault Restricts User Authorizations
1.7.4 Using the Password File to Manage Database Authentication
1.7.5 Using New Database Roles to Enforce Separation of Duties
2 Getting Started with Oracle Database Vault
2.1 Setting the Time-out Value for Oracle Database Vault Administrator
2.2 Starting Oracle Database Vault Administrator
2.3 Quick Start Tutorial: Securing a Schema from DBA Access
2.3.1 Step 1: Adding the DV_ACCTMGR Role to the Data Dictionary Realm
2.3.2 Step 2: Log On as SYSTEM to Access the HR Schema
2.3.3 Step 3: Create a Realm
2.3.4 Step 4: Secure the EMPLOYEES Table in the HR Schema
2.3.5 Step 5: Create an Authorization for the Realm
2.3.6 Step 6: Test the Realm
2.3.7 Step 7: Run a Report
2.3.8 Step 8: Optionally, Drop User SEBASTIAN
3 Configuring Realms
3.1 What Are Realms?
3.2 Creating a Realm
3.3 Editing a Realm
3.4 Creating Realm-Secured Objects
3.5 Defining Realm Authorization
3.6 Disabling and Enabling a Realm
3.7 Deleting a Realm
3.8 How Realms Work
3.9 How Authorizations Work in a Realm
3.10 Example of How Realms Work
3.11 How Realms Affect Other Oracle Database Vault Components
3.12 Default Realms
3.13 Guidelines for Designing Realms
3.14 How Realms Affect Performance
3.15 Related Reports
4 Configuring Factors
4.1 What Are Factors?
4.2 Creating a Factor
4.3 Editing a Factor
4.4 Adding an Identity to a Factor
4.4.1 Creating and Configuring an Identity
4.4.2 Mapping Identities
4.5 Deleting a Factor
4.6 How Factors Work
4.6.1 How Factors Are Processed When a Session Is Established
4.6.2 How Factors Are Retrieved
4.6.3 How Factors Are Set
4.7 Example of How Factors Work
4.8 Default Factors
4.9 Guidelines for Designing Factors
4.10 How Factors Affect Performance
4.11 Related Reports
5 Configuring Command Rules
5.1 What Are Command Rules?
5.2 Creating and Editing Command Rules
5.3 Deleting a Command Rule
5.4 How Command Rules Work
5.5 Example of How Command Rules Work
5.6 Default Command Rules
5.7 Guidelines for Designing Command Rules
5.8 How Command Rules Affect Performance
5.9 Related Reports
6 Configuring Rule Sets
6.1 What Are Rule Sets?
6.2 Creating a Rule Set
6.3 Editing a Rule Set
6.4 Creating a Rule to Add to a Rule Set
6.4.1 Creating a New Rule
6.4.2 Adding Existing Rules to a Rule Set
6.5 Deleting a Rule Set
6.6 How Rule Sets Work
6.7 Example of How Rule Sets Work
6.8 Default Rule Sets
6.9 Guidelines for Designing Rule Sets
6.10 How Rule Sets Affect Performance
6.11 Related Reports
7 Configuring Secure Application Roles for Oracle Database Vault
7.1 What Are Oracle Database Vault Secure Application Roles?
7.2 Creating and Editing Secure Application Roles
7.3 Securing a Secure Application Role
7.4 Deleting a Secure Application Role
7.5 How Secure Application Roles Work
7.6 Example of How Secure Application Roles Work
7.6.1 Step 1: Create a Rule Set to Be Used with the Secure Application Role
7.6.2 Step 2: Create the Secure Application Role Using the Rule Set
7.6.3 Step 3: Grant Privileges to the Role
7.6.4 Step 4: Enable the Role in Your Applications
7.6.5 Step 5: Test the New Secure Application Role
7.7 How Secure Application Roles Affect Performance
7.8 Related Reports
8 Integrating Oracle Database Vault with Other Oracle Products
8.1 Integrating Oracle Database Vault with Enterprise User Security
8.2 Integrating Oracle Database Vault with Transparent Data Encryption
8.3 Integrating Oracle Database Vault with Oracle Label Security
8.3.1 How Oracle Database Vault Is Integrated with Oracle Label Security
8.3.2 Requirements for Using Oracle Database Vault with Oracle Label Security
8.3.3 Using an Oracle Database Vault Factor with an Oracle Label Security Policy
8.3.4 Example of Integrating Oracle Database Vault with Oracle Label Security
8.3.4.1 Step 1: Create the Network Factor
8.3.4.2 Step 2: Create Identity Maps for the Network Intranet and Remote Identities
8.3.4.3 Step 3: Associate the Network Factor with an Oracle Label Security Policy
8.3.4.4 Step 4: Test the Configuration
8.3.5 Related Reports
8.4 Using Oracle Database Vault with Oracle Recovery Manager (RMAN)
8.4.1 Step 1: Enable Logins for the SYSDBA Role
8.4.2 Step 2: Use Oracle Recovery Manager as Needed
8.4.2.1 Creating Custom RMAN Scripts to Back Up Oracle Database
8.4.2.2 Using Secure External Password to Prevent Exposing the SYSDBA Password
8.4.3 Step 3: Disable Logins for the SYSDBA Role
9 Generating Oracle Database Vault Reports
9.1 About Oracle Database Vault Reports
9.1.1 Categories of Oracle Database Vault Reports
9.1.2 Who Can Run the Oracle Database Vault Reports?
9.1.3 How to Run Oracle Database Vault Reports
9.2 Generating Oracle Database Vault Reports
9.2.1 Oracle Database Vault Configuration Issues Reports
9.2.1.1 Command Rule Configuration Issues Report
9.2.1.2 Factor Configuration Issues Report
9.2.1.3 Factor Without Identities Report
9.2.1.4 Identity Configuration Issues Report
9.2.1.5 Realm Authorization Configuration Issues Report
9.2.1.6 Rule Set Configuration Issues Report
9.2.1.7 Secure Application Configuration Issues Report
9.2.2 Oracle Database Vault Auditing Reports
9.2.2.1 Realm Audit Report
9.2.2.2 Command Rule Audit Report
9.2.2.3 Factor Audit Report
9.2.2.4 Label Security Integration Audit Report
9.2.2.5 Core Database Vault Audit Report
9.2.2.6 Secure Application Role Audit Report
9.3 Generating General Security Reports
9.3.1 Object Privilege Reports
9.3.1.1 Object Access By PUBLIC Report
9.3.1.2 Object Access Not By PUBLIC Report
9.3.1.3 Direct Object Privileges Report
9.3.1.4 Object Dependencies Report
9.3.2 Database Account System Privileges Reports
9.3.2.1 Direct System Privileges By Database Account Report
9.3.2.2 Direct and Indirect System Privileges By Database Account Report
9.3.2.3 Hierarchical System Privileges by Database Account Report
9.3.2.4 ANY System Privileges for Database Accounts Report
9.3.2.5 System Privileges By Privilege Report
9.3.3 Sensitive Objects Reports
9.3.3.1 Execute Privileges to Strong SYS Packages Report
9.3.3.2 Access to Sensitive Objects Report
9.3.3.3 Public Execute Privilege To SYS PL/SQL Procedures Report
9.3.3.4 Accounts with SYSDBA/SYSOPER Privilege Report
9.3.4 Privilege Management - Summary Reports
9.3.4.1 Privileges Distribution By Grantee Report
9.3.4.2 Privileges Distribution By Grantee, Owner Report
9.3.4.3 Privileges Distribution By Grantee, Owner, Privilege Report
9.3.5 Powerful Database Accounts and Roles Reports
9.3.5.1 WITH ADMIN Privilege Grants Report
9.3.5.2 Accounts With DBA Roles Report
9.3.5.3 Security Policy Exemption Report
9.3.5.4 BECOME USER Report
9.3.5.5 ALTER SYSTEM or ALTER SESSION Report
9.3.5.6 Password History Access Report
9.3.5.7 WITH GRANT Privileges Report
9.3.5.8 Roles/Accounts That Have a Given Role Report
9.3.5.9 Database Accounts With Catalog Roles Report
9.3.5.10 AUDIT Privileges Report
9.3.5.11 OS Security Vulnerability Privileges Report
9.3.6 Initialization Parameters and Profiles Reports
9.3.6.1 Security Related Database Parameters Report
9.3.6.2 Resource Profiles Report
9.3.6.3 System Resource Limits Report
9.3.7 Database Account Password Reports
9.3.7.1 Database Account Default Password Report
9.3.7.2 Database Account Status Report
9.3.8 Security Audit Report: Core Database Audit Report
9.3.9 Other Security Vulnerability Reports
9.3.9.1 Java Policy Grants Report
9.3.9.2 OS Directory Objects Report
9.3.9.3 Objects Dependent on Dynamic SQL Report
9.3.9.4 Unwrapped PL/SQL Package Bodies Report
9.3.9.5 Username/Password Tables Report
9.3.9.6 Tablespace Quotas Report
9.3.9.7 Non-Owner Object Trigger Report
10 Monitoring Oracle Database Vault
10.1 Security Policy Changes by Category
10.2 Security Policy Changes Detail
10.3 Security Violation Attempts
10.4 Database Configuration and Structural Changes
A Auditing Policies
A.1 Core RDBMS Auditing Policy
A.2 Custom Audit Events
B Enabling and Disabling Oracle Database Vault
B.1 When You Must Disable Oracle Database Vault
B.2 Step 1: Disable Oracle Database Vault
B.2.1 Disabling Oracle Database Vault on UNIX Systems
B.2.2 Disabling Oracle Database Vault on Windows Systems
B.3 Step 2: Perform the Required Tasks
B.4 Step 3: Enable Oracle Database Vault
B.4.1 Enabling Oracle Database Vault on UNIX Systems
B.4.2 Enabling Oracle Database Vault on Windows Systems
C Oracle Database Vault Database Objects
C.1 What Are the Oracle Database Vault Database Objects?
C.2 Oracle Database Vault Schemas
C.2.1 DVSYS Schema
C.2.2 DVF Schema
C.3 Oracle Database Vault Database Roles
C.3.1 Oracle Database Vault Owner Role, DV_OWNER
C.3.2 Oracle Database Vault Configuration Administrator Role, DV_ADMIN
C.3.3 Oracle Database Vault User Manager Role, DV_ACCTMGR
C.3.4 Oracle Database Vault PUBLIC Role, DV_PUBLIC
C.3.5 Oracle Database Vault Security Analyst Role, DV_SECANALYST
C.3.6 Oracle Database Vault Application/Realm DBA Role, DV_REALM_OWNER
C.3.7 Oracle Database Vault Application Resource Owner Role, DV_REALM_RESOURCE
C.4 Oracle Database Vault Database Accounts
C.4.1 Database Accounts Creation Scenarios
C.5 Oracle Database Vault Public Views
D PL/SQL Interfaces to Oracle Database Vault
D.1 Oracle Database Vault Run-Time PL/SQL Procedures and Functions
D.1.1 SET_FACTOR Function
D.1.2 GET_FACTOR Function
D.1.3 GET_TRUST_LEVEL Function
D.1.4 GET_TRUST_LEVEL_FOR_IDENTITY Function
D.1.5 ROLE_IS_ENABLED Function
D.1.6 GET_FACTOR_LABEL Function
D.2 Oracle Database Vault PL/SQL Factor Functions
D.3 Oracle Database Vault PL/SQL Rule Set Functions
D.4 Oracle Database Vault PL/SQL Packages
E Oracle Database Vault Packages
E.1 DVSYS.DBMS_MACADM Package
E.1.1 Realm Functions Within DVSYS.DBMS_MACADM
E.1.1.1 ADD_AUTH_TO_REALM Function
E.1.1.2 ADD_AUTH_TO_REALM Function
E.1.1.3 ADD_AUTH_TO_REALM Function
E.1.1.4 ADD_AUTH_TO_REALM Function
E.1.1.5 ADD_OBJECT_TO_REALM Function
E.1.1.6 CREATE_REALM Function
E.1.1.7 DELETE_AUTH_FROM_REALM Function
E.1.1.8 DELETE_OBJECT_FROM_REALM Function
E.1.1.9 DELETE_REALM Function
E.1.1.10 DELETE_REALM_CASCADE Function
E.1.1.11 RENAME_REALM Function
E.1.1.12 SET_PRESERVE_CASE Function
E.1.1.13 UPDATE_REALM Function
E.1.1.14 UPDATE_REALM_AUTH Function
E.1.2 Factor Functions Within DVSYS.DBMS_MACADM
E.1.2.1 ADD_FACTOR_LINK Function
E.1.2.2 ADD_POLICY_FACTOR Function
E.1.2.3 CHANGE_IDENTITY_FACTOR Function
E.1.2.4 CHANGE_IDENTITY_VALUE Function
E.1.2.5 CREATE_DOMAIN_IDENTITY Function
E.1.2.6 CREATE_FACTOR Function
E.1.2.7 CREATE_FACTOR_TYPE Function
E.1.2.8 CREATE_IDENTITY Function
E.1.2.9 CREATE_IDENTITY_MAP Function
E.1.2.10 DELETE_FACTOR Function
E.1.2.11 DELETE_FACTOR_LINK Function
E.1.2.12 DELETE_FACTOR_TYPE Function
E.1.2.13 DELETE_IDENTITY Function
E.1.2.14 DELETE_IDENTITY_MAP Function
E.1.2.15 DROP_DOMAIN_IDENTITY Function
E.1.2.16 GET_INSTANCE_INFO Function
E.1.2.17 GET_SESSION_INFO Function
E.1.2.18 RENAME_FACTOR Function
E.1.2.19 RENAME_FACTOR_TYPE Function
E.1.2.20 SET_PRESERVE_CASE Function
E.1.2.21 UPDATE_FACTOR Function
E.1.2.22 UPDATE_FACTOR_TYPE Function
E.1.2.23 UPDATE_IDENTITY Function
E.1.3 Rule Set Functions Within DVSYS.DBMS_MACADM
E.1.3.1 ADD_RULE_TO_RULE_SET Function
E.1.3.2 ADD_RULE_TO_RULE_SET Function
E.1.3.3 ADD_RULE_TO_RULE_SET Function
E.1.3.4 CREATE_RULE Function
E.1.3.5 CREATE_RULE_SET Function
E.1.3.6 DELETE_RULE Function
E.1.3.7 DELETE_RULE_FROM_RULE_SET Function
E.1.3.8 DELETE_RULE_SET Function
E.1.3.9 RENAME_RULE Function
E.1.3.10 RENAME_RULE_SET Function
E.1.3.11 SET_PRESERVE_CASE Function
E.1.3.12 SYNC_RULES Function
E.1.3.13 UPDATE_RULE Function
E.1.3.14 UPDATE_RULE_SET Function
E.1.4 Command Rule Functions Within DVSYS.DBMS_MACADM
E.1.4.1 CREATE_COMMAND_RULE Function
E.1.4.2 DELETE_COMMAND_RULE Function
E.1.4.3 SET_PRESERVE_CASE Function
E.1.4.4 UPDATE_COMMAND_RULE Function
E.1.5 Secure Application Role Functions Within DVSYS.DBMS_MACADM
E.1.5.1 CREATE_ROLE Function
E.1.5.2 DELETE_ROLE Function
E.1.5.3 RENAME_ROLE Function
E.1.5.4 SET_PRESERVE_CASE Function
E.1.5.5 UPDATE_ROLE Function
E.1.6 Oracle Label Security Policy Functions Within DVSYS.DBMS_MACADM
E.1.6.1 CREATE_MAC_POLICY Function
E.1.6.2 CREATE_POLICY_LABEL Function
E.1.6.3 DELETE_MAC_POLICY_CASCADE Function
E.1.6.4 DELETE_POLICY_FACTOR Function
E.1.6.5 DELETE_POLICY_LABEL Function
E.1.6.6 SET_PRESERVE_CASE Function
E.1.6.7 UPDATE_MAC_POLICY Function
E.2 DVSYS.DBMS_MACSEC_ROLES Package
E.2.1 CAN_SET_ROLE Function
E.2.2 SET_ROLE Function
E.3 DVSYS.DBMS_MACUTL Package
E.3.1 Field Summary
E.3.2 Functions Within the DVSYS.DBMS_MACUTL Package
E.3.2.1 CHECK_DVSYS_DML_ALLOWED Function
E.3.2.2 GET_CODE_ID Function
E.3.2.3 GET_CODE_VALUE Function
E.3.2.4 GET_FACTOR_CONTEXT Function
E.3.2.5 GET_SECOND Function
E.3.2.6 GET_MINUTE Function
E.3.2.7 GET_HOUR Function
E.3.2.8 GET_DAY Function
E.3.2.9 GET_MONTH Function
E.3.2.10 GET_YEAR Function
E.3.2.11 GET_SQL_TEXT Function
E.3.2.12 IN_CALL_STACK Function
E.3.2.13 IS_ALPHA Function
E.3.2.14 IS_DIGIT Function
E.3.2.15 IS_DVSYS_OWNER Function
E.3.2.16 IS_OLS_INSTALLED Function
E.3.2.17 IS_OLS_INSTALLED_VARCHAR Function
E.3.2.18 GET_MESSAGE_LABEL Function
E.3.2.19 GET_MESSAGE_LABEL Function
E.3.2.20 RAISE_UNAUTHORIZED_OPERATION Function
E.3.2.21 TO_ORACLE_IDENTIFIER Function
E.3.2.22 USER_HAS_OBJECT_PRIVILEGE Function
E.3.2.23 USER_HAS_ROLE Function
E.3.2.24 USER_HAS_ROLE_VARCHAR Function
E.3.2.25 USER_HAS_SYSTEM_PRIVILEGE Function
F Oracle Database Vault Security Guidelines
F.1 Accounts and Roles Trusted by Oracle Database Vault
F.2 Accounts and Roles That Should be Limited to Trusted Individuals
F.2.1 Managing Operating System Root Access
F.2.2 Managing the Oracle Software Owner
F.2.3 Managing SYSDBA Access
F.2.4 Managing SYSOPER Access
F.3 Secure Configuration Guidelines
F.3.1 Security Considerations for the UTL_FILE and DBMS_FILE_TRANSFER Packages
F.3.2 Security Considerations for the Recycle Bin
F.3.3 Security Considerations for the CREATE ANY JOB and CREATE JOB Privileges
F.3.4 Security Considerations for the CREATE EXTERNAL JOB Privilege
F.3.5 Security Considerations for the LogMiner Packages
F.3.6 Security Considerations for the ALTER SYSTEM and ALTER SESSION Privileges
F.3.7 Java Stored Procedures and Oracle Database Vault
F.3.7.1 Securing EXECUTE ANY PROCEDURE by Limiting Access to Java Stored Procedures
F.3.7.2 The Difference Between Invoker's and Definer's Rights in Java Stored Procedures
F.3.7.3 Securing Java Stored Procedures
F.3.7.4 Step 1: Identifying the Java Stored Procedures Created with Definer's Rights
F.3.7.5 Step 2: Finding Java Stored Procedures That Access Realm-Protected Objects
F.3.7.6 Step 3: Creating a Package to Wrap Procedures That Access Realm-Protected Objects
F.3.7.7 Step 4: Identifying the Java Stored Procedures Created with Invoker's Rights
F.3.7.8 Step 5: Blocking Execution of Java Stored Procedures
F.3.7.9 Step 6: Verifying Oracle Database Vault Protection for Java Stored Procedures
F.3.7.10 Step 7: Securing Invoker's Rights for New Java Stored Procedures
F.3.8 External C Callouts and Oracle Database Vault
F.3.8.1 Securing EXECUTE ANY PROCEDURE by Limiting Access to External C Callouts
F.3.8.2 The Difference Between Invoker's and Definer's Rights in External C Callouts
F.3.8.3 Securing External C Callouts
F.3.8.4 Step 1: Identifying the External C Callouts Created with Definer's Rights
F.3.8.5 Step 2: Finding the External C Callouts That Access Realm-Protected Objects
F.3.8.6 Step 3: Creating a Package to Wrap C Callouts That Access Realm-Protected Objects
F.3.8.7 Step 4: Identifying the External C Callouts Created with Invoker's Rights
F.3.8.8 Step 5: Blocking Execution of Java Stored Procedures
F.3.8.9 Step 6: Verifying Oracle Database Vault Protection for External C Callouts
F.3.8.10 Step 7: Securing Invoker's Rights for New External C Callouts
G Troubleshooting Oracle Database Vault
G.1 Using Trace Files to Diagnose Events in the Database
G.2 General Diagnostic Tips
G.3 Configuration Problems with Oracle Database Vault Components
Index