Oracle® Database Vault Administrator's Guide
11g Release 1 (11.1)
Part Number B31222-01
Contents
List of Examples
List of Figures
List of Tables
Title and Copyright Information
Preface
Audience
Documentation Accessibility
Related Documents
Conventions
1 Introducing Oracle Database Vault
1.1 What Is Oracle Database Vault?
1.2 Components of Oracle Database Vault
1.2.1 Oracle Database Vault Access Control Components
1.2.2 Oracle Database Vault Administrator (DVA)
1.2.3 Oracle Database Vault Configuration Assistant (DVCA)
1.2.4 Oracle Database Vault DVSYS and DVF Schemas
1.2.5 Oracle Database Vault PL/SQL Interfaces and Packages
1.2.6 Oracle Database Vault and Oracle Label Security PL/SQL APIs
1.2.7 Oracle Database Vault Reporting and Monitoring Tools
1.3 How Oracle Database Vault Addresses Compliance Regulations
1.4 How Oracle Database Vault Addresses Insider Threats
1.5 How Oracle Database Vault Allows for Flexible Security Policies
1.6 How Oracle Database Vault Addresses Database Consolidation Concerns
2 What to Expect After You Install Oracle Database Vault
2.1 Initialization and Password Parameter Settings That Change
2.1.1 Initialization Parameter Settings
2.2 How Oracle Database Vault Restricts User Authorizations
2.3 Using New Database Roles to Enforce Separation of Duties
3 Getting Started with Oracle Database Vault
3.1 Starting Oracle Database Vault Administrator
3.2 Quick Start Tutorial: Securing a Schema from DBA Access
3.2.1 Step 1: Adding the SYSTEM User to the Data Dictionary Realm
3.2.2 Step 2: Log On as SYSTEM to Access the HR Schema
3.2.3 Step 3: Create a Realm
3.2.4 Step 4: Secure the EMPLOYEES Table in the HR Schema
3.2.5 Step 5: Create an Authorization for the Realm
3.2.6 Step 6: Test the Realm
3.2.7 Step 7: Run a Report
3.2.8 Step 8: Remove the Components for This Example
4 Configuring Realms
4.1 What Are Realms?
4.2 Default Realms
4.3 Creating a Realm
4.4 Editing a Realm
4.5 Creating Realm-Secured Objects
4.6 Defining Realm Authorization
4.7 Disabling and Enabling a Realm
4.8 Deleting a Realm
4.9 How Realms Work
4.10 How Authorizations Work in a Realm
4.11 Example of How Realms Work
4.12 How Realms Affect Other Oracle Database Vault Components
4.13 Guidelines for Designing Realms
4.14 How Realms Affect Performance
4.15 Related Reports
5 Configuring Rule Sets
5.1 What Are Rule Sets?
5.2 Default Rule Sets
5.3 Creating a Rule Set
5.4 Configuring or Editing a Rule Set
5.5 Creating a Rule to Add to a Rule Set
5.5.1 Creating a New Rule
5.5.2 Adding Existing Rules to a Rule Set
5.6 Deleting a Rule Set
5.7 How Rule Sets Work
5.7.1 How Oracle Database Vault Evaluates Rules
5.7.2 Improving Performance by Setting the Order in Which Rules Appear in a Rule Set
5.7.3 Nesting Rules Within a Rule Set
5.7.4 Creating Rules to Apply to Everyone Except One User
5.8 Example of How Rule Sets Work
5.8.1 Step 1: Install and Configure the UTL_MAIL PL/SQL Package
5.8.2 Step 2: Create an E-mail Security Alert PL/SQL Procedure
5.8.3 Step 3: Create an Oracle Database Vault Rule Set That Uses the E-mail Security Alert
5.8.4 Step 4: Test the E-mail Security Alert
5.9 Guidelines for Designing Rule Sets
5.10 How Rule Sets Affect Performance
5.11 Related Reports
6 Configuring Command Rules
6.1 What Are Command Rules?
6.2 Commands with Default Rules
6.3 SQL Statements That Can Be Protected by Command Rules
6.4 Creating and Editing a Command Rule
6.5 Deleting a Command Rule
6.6 How Command Rules Work
6.7 Example of How Command Rules Work
6.8 Guidelines for Configuring Command Rules for SQL Statements
6.9 How Command Rules Affect Performance
6.10 Related Reports
7 Configuring Factors
7.1 What Are Factors?
7.2 Default Factors
7.3 Creating a Factor
7.4 Editing a Factor
7.5 Adding an Identity to a Factor
7.5.1 Creating and Configuring an Identity
7.5.2 Mapping an Identity
7.6 Deleting a Factor
7.7 How Factors Work
7.7.1 How Factors Are Processed When a Session Is Established
7.7.2 How Factors Are Retrieved
7.7.3 How Factors Are Set
7.8 Example of How Factors Work
7.9 Guidelines for Designing Factors
7.10 How Factors Affect Performance
7.11 Related Reports
8 Configuring Secure Application Roles for Oracle Database Vault
8.1 What Are Secure Application Roles for Oracle Database Vault?
8.2 Creating and Editing Secure Application Roles
8.3 Securing a Secure Application Role
8.4 Deleting a Secure Application Role
8.5 How Secure Application Roles Work
8.6 Example of How Secure Application Roles Work
8.6.1 Step 1: Create a Rule Set to Be Used with the Secure Application Role
8.6.2 Step 2: Create the Secure Application Role Using the Rule Set
8.6.3 Step 3: Grant Privileges to the Role
8.6.4 Step 4: Enable the Role in Your Applications
8.6.5 Step 5: Test the New Secure Application Role
8.7 How Secure Application Roles Affect Performance
8.8 Related Reports
9 Integrating Oracle Database Vault with Other Oracle Products
9.1 Integrating Oracle Database Vault with Enterprise User Security
9.2 Integrating Oracle Database Vault with Transparent Data Encryption
9.3 Attaching Factors to an Oracle Virtual Private Database
9.4 Integrating Oracle Database Vault with Oracle Label Security
9.4.1 How Oracle Database Vault Is Integrated with Oracle Label Security
9.4.2 Requirements for Using Oracle Database Vault with Oracle Label Security
9.4.3 Using an Oracle Database Vault Factor with an Oracle Label Security Policy
9.4.4 Example of Integrating Oracle Database Vault with Oracle Label Security
9.4.4.1 Step 1: Create the Network Factor
9.4.4.2 Step 2: Create Identity Maps for the Network Intranet and Remote Identities
9.4.4.3 Step 3: Associate the Network Factor with an Oracle Label Security Policy
9.4.4.4 Step 4: Test the Configuration
9.4.5 Related Reports
10 Monitoring Oracle Database Vault
10.1 Security Violation Attempts
10.2 Database Configuration and Structural Changes
10.3 Security Policy Changes by Category
10.4 Security Policy Changes Detail
11 Oracle Database Vault Reports
11.1 Categories of Oracle Database Vault Reports
11.2 Who Can Run the Oracle Database Vault Reports?
11.3 How to Run Oracle Database Vault Reports
11.4 Generating Oracle Database Vault Reports
11.4.1 Oracle Database Vault Configuration Issues Reports
11.4.1.1 Command Rule Configuration Issues Report
11.4.1.2 Factor Configuration Issues Report
11.4.1.3 Factor Without Identities Report
11.4.1.4 Identity Configuration Issues Report
11.4.1.5 Realm Authorization Configuration Issues Report
11.4.1.6 Rule Set Configuration Issues Report
11.4.1.7 Secure Application Configuration Issues Report
11.4.2 Oracle Database Vault Auditing Reports
11.4.2.1 Realm Audit Report
11.4.2.2 Command Rule Audit Report
11.4.2.3 Factor Audit Report
11.4.2.4 Label Security Integration Audit Report
11.4.2.5 Core Database Vault Audit Trail Report
11.4.2.6 Secure Application Role Audit Report
11.5 Generating General Security Reports
11.5.1 Object Privilege Reports
11.5.1.1 Object Access By PUBLIC Report
11.5.1.2 Object Access Not By PUBLIC Report
11.5.1.3 Direct Object Privileges Report
11.5.1.4 Object Dependencies Report
11.5.2 Database Account System Privileges Reports
11.5.2.1 Direct System Privileges By Database Account Report
11.5.2.2 Direct and Indirect System Privileges By Database Account Report
11.5.2.3 Hierarchical System Privileges by Database Account Report
11.5.2.4 ANY System Privileges for Database Accounts Report
11.5.2.5 System Privileges By Privilege Report
11.5.3 Sensitive Objects Reports
11.5.3.1 Execute Privileges to Strong SYS Packages Report
11.5.3.2 Access to Sensitive Objects Report
11.5.3.3 Public Execute Privilege To SYS PL/SQL Procedures Report
11.5.3.4 Accounts with SYSDBA/SYSOPER Privilege Report
11.5.4 Privilege Management - Summary Reports
11.5.4.1 Privileges Distribution By Grantee Report
11.5.4.2 Privileges Distribution By Grantee, Owner Report
11.5.4.3 Privileges Distribution By Grantee, Owner, Privilege Report
11.5.5 Powerful Database Accounts and Roles Reports
11.5.5.1 WITH ADMIN Privilege Grants Report
11.5.5.2 Accounts With DBA Roles Report
11.5.5.3 Security Policy Exemption Report
11.5.5.4 BECOME USER Report
11.5.5.5 ALTER SYSTEM or ALTER SESSION Report
11.5.5.6 Password History Access Report
11.5.5.7 WITH GRANT Privileges Report
11.5.5.8 Roles/Accounts That Have a Given Role Report
11.5.5.9 Database Accounts With Catalog Roles Report
11.5.5.10 AUDIT Privileges Report
11.5.5.11 OS Security Vulnerability Privileges Report
11.5.6 Initialization Parameters and Profiles Reports
11.5.6.1 Security Related Database Parameters Report
11.5.6.2 Resource Profiles Report
11.5.6.3 System Resource Limits Report
11.5.7 Database Account Password Reports
11.5.7.1 Database Account Default Password Report
11.5.7.2 Database Account Status Report
11.5.8 Security Audit Report: Core Database Audit Report
11.5.9 Other Security Vulnerability Reports
11.5.9.1 Java Policy Grants Report
11.5.9.2 OS Directory Objects Report
11.5.9.3 Objects Dependent on Dynamic SQL Report
11.5.9.4 Unwrapped PL/SQL Package Bodies Report
11.5.9.5 Username/Password Tables Report
11.5.9.6 Tablespace Quotas Report
11.5.9.7 Non-Owner Object Trigger Report
A Oracle Database Vault Auditing Policies
A.1 About the Baseline Oracle Database Vault Auditing Policy
A.2 Enabling Oracle Database Vault Auditing
A.3 Oracle Database Vault Audit Policy Settings
A.4 Oracle Database Vault Specific Audit Events
A.4.1 Custom Audit Events
A.4.2 Format of the Oracle Database Vault Audit Trail
A.5 Archiving the Oracle Database Vault Audit Trail
B Enabling and Disabling Oracle Database Vault
B.1 When You Must Disable Oracle Database Vault
B.2 Step 1: Disable Oracle Database Vault
B.2.1 Disabling Oracle Database Vault on UNIX Systems
B.2.2 Disabling Oracle Database Vault on Windows Systems
B.3 Step 2: Perform the Required Tasks
B.4 Step 3: Enable Oracle Database Vault
B.4.1 Enabling Oracle Database Vault on UNIX Systems
B.4.2 Enabling Oracle Database Vault on Windows Systems
C Post-Installation Oracle Database Vault Procedures
C.1 Configuring Oracle Database Vault on RAC Nodes
C.1.1 Syntax for Using DVCA -action optionrac
C.1.2 Procedure for Configuring Oracle Database Vault on RAC Nodes
C.2 Adding Languages to Oracle Database Vault
C.2.1 Syntax for Using DVCA -action addlanguages
C.2.2 Procedure for Adding Languages to Oracle Database Vault
D Oracle Database Vault Objects
D.1 Oracle Database Vault Schemas
D.1.1 DVSYS Schema
D.1.2 DVF Schema
D.2 Oracle Database Vault Roles
D.2.1 About Oracle Database Vault Roles
D.2.2 Oracle Database Vault Owner Role, DV_OWNER
D.2.3 Oracle Database Vault Realm DBA Role, DV_REALM_OWNER
D.2.4 Oracle Database Vault Application Resource Owner Role, DV_REALM_RESOURCE
D.2.5 Oracle Database Vault Configuration Administrator Role, DV_ADMIN
D.2.6 Oracle Database Vault User Manager Role, DV_ACCTMGR
D.2.7 Oracle Database Vault PUBLIC Role, DV_PUBLIC
D.2.8 Oracle Database Vault Security Analyst Role, DV_SECANALYST
D.3 Oracle Database Vault Accounts
D.3.1 Database Accounts Creation Scenarios
D.4 Oracle Database Vault Public Views
E Oracle Database Vault DVSYS.DBMS_MACADM Package
E.1 Realm Functions Within DVSYS.DBMS_MACADM
E.1.1 ADD_AUTH_TO_REALM Function
E.1.2 ADD_AUTH_TO_REALM Function
E.1.3 ADD_AUTH_TO_REALM Function
E.1.4 ADD_AUTH_TO_REALM Function
E.1.5 ADD_OBJECT_TO_REALM Function
E.1.6 CREATE_REALM Function
E.1.7 DELETE_AUTH_FROM_REALM Function
E.1.8 DELETE_OBJECT_FROM_REALM Function
E.1.9 DELETE_REALM Function
E.1.10 DELETE_REALM_CASCADE Function
E.1.11 RENAME_REALM Function
E.1.12 UPDATE_REALM Function
E.1.13 UPDATE_REALM_AUTH Function
E.2 Rule Set Functions Within DVSYS.DBMS_MACADM
E.2.1 ADD_RULE_TO_RULE_SET Function
E.2.2 ADD_RULE_TO_RULE_SET Function
E.2.3 ADD_RULE_TO_RULE_SET Function
E.2.4 CREATE_RULE Function
E.2.5 CREATE_RULE_SET Function
E.2.6 DELETE_RULE Function
E.2.7 DELETE_RULE_FROM_RULE_SET Function
E.2.8 DELETE_RULE_SET Function
E.2.9 RENAME_RULE Function
E.2.10 RENAME_RULE_SET Function
E.2.11 SYNC_RULES Function
E.2.12 UPDATE_RULE Function
E.2.13 UPDATE_RULE_SET Function
E.3 Command Rule Functions Within DVSYS.DBMS_MACADM
E.3.1 CREATE_COMMAND_RULE Function
E.3.2 DELETE_COMMAND_RULE Function
E.3.3 UPDATE_COMMAND_RULE Function
E.4 Factor Functions Within DVSYS.DBMS_MACADM
E.4.1 ADD_FACTOR_LINK Function
E.4.2 ADD_POLICY_FACTOR Function
E.4.3 CHANGE_IDENTITY_FACTOR Function
E.4.4 CHANGE_IDENTITY_VALUE Function
E.4.5 CREATE_DOMAIN_IDENTITY Function
E.4.6 CREATE_FACTOR Function
E.4.7 CREATE_FACTOR_TYPE Function
E.4.8 CREATE_IDENTITY Function
E.4.9 CREATE_IDENTITY_MAP Function
E.4.10 DELETE_FACTOR Function
E.4.11 DELETE_FACTOR_LINK Function
E.4.12 DELETE_FACTOR_TYPE Function
E.4.13 DELETE_IDENTITY Function
E.4.14 DELETE_IDENTITY_MAP Function
E.4.15 DROP_DOMAIN_IDENTITY Function
E.4.16 GET_INSTANCE_INFO Function
E.4.17 GET_SESSION_INFO Function
E.4.18 RENAME_FACTOR Function
E.4.19 RENAME_FACTOR_TYPE Function
E.4.20 UPDATE_FACTOR Function
E.4.21 UPDATE_FACTOR_TYPE Function
E.4.22 UPDATE_IDENTITY Function
E.5 Secure Application Role Functions Within DVSYS.DBMS_MACADM
E.5.1 CREATE_ROLE Function
E.5.2 DELETE_ROLE Function
E.5.3 RENAME_ROLE Function
E.5.4 UPDATE_ROLE Function
E.6 Oracle Label Security Policy Functions Within DVSYS.DBMS_MACADM
E.6.1 CREATE_MAC_POLICY Function
E.6.2 CREATE_POLICY_LABEL Function
E.6.3 DELETE_MAC_POLICY_CASCADE Function
E.6.4 DELETE_POLICY_FACTOR Function
E.6.5 DELETE_POLICY_LABEL Function
E.6.6 UPDATE_MAC_POLICY Function
F Oracle Database Vault DVSYS.DBMS_MACSEC_ROLES Package
F.1 CAN_SET_ROLE Function
F.2 SET_ROLE Function
G Oracle Database Vault DVSYS.DBMS_MACUTL Package
G.1 Field Summary
G.2 Functions Within the DVSYS.DBMS_MACUTL Package
G.2.1 CHECK_DVSYS_DML_ALLOWED Function
G.2.2 GET_CODE_ID Function
G.2.3 GET_CODE_VALUE Function
G.2.4 GET_FACTOR_CONTEXT Function
G.2.5 GET_SECOND Function
G.2.6 GET_MINUTE Function
G.2.7 GET_HOUR Function
G.2.8 GET_DAY Function
G.2.9 GET_MONTH Function
G.2.10 GET_YEAR Function
G.2.11 GET_SQL_TEXT Function
G.2.12 IN_CALL_STACK Function
G.2.13 IS_ALPHA Function
G.2.14 IS_DIGIT Function
G.2.15 IS_DVSYS_OWNER Function
G.2.16 IS_OLS_INSTALLED Function
G.2.17 IS_OLS_INSTALLED_VARCHAR Function
G.2.18 GET_MESSAGE_LABEL Function
G.2.19 GET_MESSAGE_LABEL Function
G.2.20 RAISE_UNAUTHORIZED_OPERATION Function
G.2.21 TO_ORACLE_IDENTIFIER Function
G.2.22 USER_HAS_OBJECT_PRIVILEGE Function
G.2.23 USER_HAS_ROLE Function
G.2.24 USER_HAS_ROLE_VARCHAR Function
G.2.25 USER_HAS_SYSTEM_PRIVILEGE Function
H PL/SQL Interfaces to Oracle Database Vault
H.1 Oracle Database Vault Run-Time PL/SQL Procedures and Functions
H.1.1 SET_FACTOR Function
H.1.2 GET_FACTOR Function
H.1.3 GET_TRUST_LEVEL Function
H.1.4 GET_TRUST_LEVEL_FOR_IDENTITY Function
H.1.5 ROLE_IS_ENABLED Function
H.1.6 GET_FACTOR_LABEL Function
H.2 Oracle Database Vault PL/SQL Factor Functions
H.3 Oracle Database Vault PL/SQL Rule Functions
H.4 Oracle Database Vault PL/SQL Packages
I Oracle Database Vault Security Guidelines
I.1 Accounts and Roles Trusted by Oracle Database Vault
I.2 Accounts and Roles That Should be Limited to Trusted Individuals
I.2.1 Managing Users with Root Access to the Operating System
I.2.2 Managing the Oracle Software Owner
I.2.3 Managing SYSDBA Access
I.2.4 Managing SYSOPER Access
I.3 Secure Configuration Guidelines
I.3.1 Security Considerations for the UTL_FILE and DBMS_FILE_TRANSFER Packages
I.3.2 Security Considerations for the Recycle Bin
I.3.3 Security Considerations for the CREATE ANY JOB and CREATE JOB Privileges
I.3.4 Security Considerations for the CREATE EXTERNAL JOB Privilege
I.3.5 Security Considerations for the LogMiner Packages
I.3.6 Security Considerations for the ALTER SYSTEM and ALTER SESSION Privileges
I.3.7 Security Considerations for Java Stored Procedures and Oracle Database Vault
I.3.7.1 Limiting Access to Java Stored Procedures
I.3.7.2 Securing Java Stored Procedures
I.3.7.3 Step 1: Identifying the Java Stored Procedures Created with Definer's Rights
I.3.7.4 Step 2: Finding Java Stored Procedures That Access Realm-Protected Objects
I.3.7.5 Step 3: Creating a Package to Wrap Procedures Accessing Realm-Protected Objects
I.3.7.6 Step 4: Identifying the Java Stored Procedures Created with Invoker's Rights
I.3.7.7 Step 5: Blocking Execution of Java Stored Procedures
I.3.7.8 Step 6: Verifying Oracle Database Vault Protection for Java Stored Procedures
I.3.7.9 Step 7: Securing Invoker's Rights for New Java Stored Procedures
I.3.8 Security Considerations for External C Callouts and Oracle Database Vault
I.3.8.1 Securing EXECUTE ANY PROCEDURE by Limiting Access to External C Callouts
I.3.8.2 Securing External C Callouts
I.3.8.3 Step 1: Identifying the External C Callouts Created with Definer's Rights
I.3.8.4 Step 2: Finding the External C Callouts That Access Realm-Protected Objects
I.3.8.5 Step 3: Creating a Package to Wrap C Callouts That Access Realm-Protected Objects
I.3.8.6 Step 4: Identifying the External C Callouts Created with Invoker's Rights
I.3.8.7 Step 5: Blocking Execution of Java Stored Procedures
I.3.8.8 Step 6: Verifying Oracle Database Vault Protection for External C Callouts
I.3.8.9 Step 7: Securing Invoker's Rights for New External C Callouts
J Troubleshooting Oracle Database Vault
J.1 Using Trace Files to Diagnose Events in the Database
J.2 General Diagnostic Tips
J.3 Configuration Problems with Oracle Database Vault Components
Index