Oracle® Database Vault Administrator's Guide
10g Release 2 (10.2)
Part Number B25166-01
Contents
List of Examples
List of Figures
List of Tables
Title and Copyright Information
Preface
Audience
Documentation Accessibility
Related Documents
Conventions
1 Introducing Oracle Database Vault
1.1 What Is Oracle Database Vault?
1.2 Components of Oracle Database Vault
1.2.1 Oracle Database Vault Access Control Components
1.2.2 Oracle Database Vault Administrator (DVA)
1.2.3 Oracle Database Vault DVSYS and DVF Schemas
1.2.4 Oracle Database Vault Configuration Assistant (DVCA)
1.2.5 Oracle Database Vault PL/SQL Interfaces and Packages
1.2.6 Oracle Policy Manager and Oracle Label Security PL/SQL APIs
1.2.7 Oracle Database Vault Reporting and Monitoring Tools
1.3 How Oracle Database Vault Addresses Compliance Regulations
1.4 How Oracle Database Vault Addresses Insider Threats
1.5 How Oracle Database Vault Allows for Flexible Security Policies
1.6 How Oracle Database Vault Addresses Database Consolidation Concerns
1.7 What to Expect Before and After You Install Oracle Database Vault
1.7.1 How Oracle Database Vault Affects Other Oracle Products
1.7.2 Initialization and Password Parameter Settings That Change
1.7.2.1 Initialization Parameter Settings
1.7.2.2 Password Profile Parameter Settings
1.7.3 How Oracle Database Vault Restricts User Authorizations
1.7.4 Using the Password File to Manage Database Authentication
1.7.5 Using New Database Roles to Enforce Separation of Duties
2 Getting Started with Oracle Database Vault
2.1 Starting Oracle Database Vault Administrator
2.2 Quick Start Tutorial: Securing a Schema from DBA Access
2.2.1 Step 1: Log On as SYS to Access the HR Schema
2.2.2 Step 2: Create a Realm
2.2.3 Step 3: Secure the EMPLOYEES Table in the HR Schema
2.2.4 Step 4: Create an Authorization for the Realm
2.2.5 Step 5: Test the Realm
2.2.6 Step 6: Run a Report
2.2.7 Step 7: Optionally, Drop User SEBASTIAN
3 Configuring Realms
3.1 What Are Realms?
3.2 Creating a Realm
3.3 Editing a Realm
3.4 Creating Realm-Secured Objects
3.5 Defining Realm Authorization
3.6 Disabling and Enabling a Realm
3.7 Deleting a Realm
3.8 How Realms Work
3.9 How Authorizations Work in a Realm
3.10 Example of How Realms Work
3.11 How Realms Affect Other Oracle Database Vault Components
3.12 Default Realms
3.13 Guidelines for Designing Realms
3.14 How Realms Affect Performance
3.15 Related Reports
4 Configuring Factors
4.1 What Are Factors?
4.2 Creating a Factor
4.3 Editing a Factor
4.4 Adding an Identity to a Factor
4.4.1 Creating and Configuring an Identity
4.4.2 Mapping Identities
4.5 Deleting a Factor
4.6 How Factors Work
4.6.1 How Factors Are Processed When a Session Is Established
4.6.2 How Factors Are Retrieved
4.6.3 How Factors Are Set
4.7 Example of How Factors Work
4.8 Default Factors
4.9 Guidelines for Designing Factors
4.10 How Factors Affect Performance
4.11 Related Reports
5 Configuring Command Rules
5.1 What Are Command Rules?
5.2 Creating and Editing Command Rules
5.3 Deleting a Command Rule
5.4 How Command Rules Work
5.5 Example of How Command Rules Work
5.6 Default Command Rules
5.7 Guidelines for Designing Command Rules
5.8 How Command Rules Affect Performance
5.9 Related Reports
6 Configuring Rule Sets
6.1 What Are Rule Sets?
6.2 Creating a Rule Set
6.3 Editing a Rule Set
6.4 Creating a Rule to Add to a Rule Set
6.4.1 Creating a New Rule
6.4.2 Adding Existing Rules to a Rule Set
6.5 Deleting a Rule Set
6.6 How Rule Sets Work
6.7 Example of How Rule Sets Work
6.8 Default Rule Sets
6.9 Guidelines for Designing Rule Sets
6.10 How Rule Sets Affect Performance
6.11 Related Reports
7 Configuring Secure Application Roles
7.1 What Are Secure Application Roles?
7.2 Creating and Editing Secure Application Roles
7.3 Deleting a Secure Application Role
7.4 How Secure Application Roles Work
7.5 Example of How Secure Application Roles Work
7.5.1 Step 1: Create a Rule Set to Be Used with the Secure Application Role
7.5.2 Step 2: Create the Secure Application Role Using the Rule Set
7.5.3 Step 3: Grant Privileges to the Role
7.5.4 Step 4: Enable the Role in Your Applications
7.5.5 Step 5: Test the New Secure Application Role
7.6 How Secure Application Roles Affect Performance
7.7 Related Reports
8 Integrating Oracle Database Vault with Oracle Label Security
8.1 How Oracle Database Vault Is Integrated with Oracle Label Security
8.2 Requirements for Using Oracle Database Vault with Oracle Label Security
8.3 Using an Oracle Database Vault Factor with an Oracle Label Security Policy
8.4 Example of Integrating Oracle Database Vault with Oracle Label Security
8.4.1 Step 1: Create the Network Factor
8.4.2 Step 2: Create Identity Maps for the Network Intranet and Remote Identities
8.4.3 Step 3: Associate the Network Factor with an Oracle Label Security Policy
8.4.4 Step 4: Test the Configuration
8.5 Related Reports
9 Generating Oracle Database Vault Reports
9.1 About Oracle Database Vault Reports
9.1.1 Categories of Oracle Database Vault Reports
9.1.2 Who Can Run the Oracle Database Vault Reports?
9.1.3 How to Run Oracle Database Vault Reports
9.2 Generating Oracle Database Vault Reports
9.2.1 Oracle Database Vault Configuration Issues Reports
9.2.1.1 Command Rule Configuration Issues Report
9.2.1.2 Factor Configuration Issues Report
9.2.1.3 Factor Without Identities Report
9.2.1.4 Identity Configuration Issues Report
9.2.1.5 Realm Authorization Configuration Issues Report
9.2.1.6 Rule Set Configuration Issues Report
9.2.1.7 Secure Application Configuration Issues Report
9.2.2 Oracle Database Vault Auditing Reports
9.2.2.1 Realm Audit Report
9.2.2.2 Command Rule Audit Report
9.2.2.3 Factor Audit Report
9.2.2.4 Label Security Integration Audit Report
9.2.2.5 Core Database Vault Audit Report
9.2.2.6 Secure Application Role Audit Report
9.3 Generating General Security Reports
9.3.1 Object Privilege Reports
9.3.1.1 Object Access By PUBLIC Report
9.3.1.2 Object Access Not By PUBLIC Report
9.3.1.3 Direct Object Privileges Report
9.3.1.4 Object Dependencies Report
9.3.2 Database Account System Privileges Reports
9.3.2.1 Direct System Privileges By Database Account Report
9.3.2.2 Direct and Indirect System Privileges By Database Account Report
9.3.2.3 Hierarchical System Privileges by Database Account Report
9.3.2.4 ANY System Privileges for Database Accounts Report
9.3.2.5 System Privileges By Privilege Report
9.3.3 Sensitive Objects Reports
9.3.3.1 Execute Privileges to Strong SYS Packages Report
9.3.3.2 Access to Sensitive Objects Report
9.3.3.3 Public Execute Privilege To SYS PL/SQL Procedures Report
9.3.3.4 Accounts with SYSDBA/SYSOPER Privilege Report
9.3.4 Privilege Management - Summary Reports
9.3.4.1 Privileges Distribution By Grantee Report
9.3.4.2 Privileges Distribution By Grantee, Owner Report
9.3.4.3 Privileges Distribution By Grantee, Owner, Privilege Report
9.3.5 Powerful Database Accounts and Roles Reports
9.3.5.1 WITH ADMIN Privilege Grants Report
9.3.5.2 Accounts With DBA Roles Report
9.3.5.3 Security Policy Exemption Report
9.3.5.4 BECOME USER Report
9.3.5.5 ALTER SYSTEM or ALTER SESSION Report
9.3.5.6 Password History Access Report
9.3.5.7 WITH GRANT Privileges Report
9.3.5.8 Roles/Accounts That Have a Given Role Report
9.3.5.9 Database Accounts With Catalog Roles Report
9.3.5.10 AUDIT Privileges Report
9.3.5.11 OS Security Vulnerability Privileges Report
9.3.6 Initialization Parameters and Profiles Reports
9.3.6.1 Security Related Database Parameters Report
9.3.6.2 Resource Profiles Report
9.3.6.3 System Resource Limits Report
9.3.7 Database Account Password Reports
9.3.7.1 Database Account Default Password Report
9.3.7.2 Database Account Status Report
9.3.8 Security Audit Report: Core Database Audit Report
9.3.9 Other Security Vulnerability Reports
9.3.9.1 Java Policy Grants Report
9.3.9.2 OS Directory Objects Report
9.3.9.3 Objects Dependent on Dynamic SQL Report
9.3.9.4 Unwrapped PL/SQL Package Bodies Report
9.3.9.5 Username/Password Tables Report
9.3.9.6 Tablespace Quotas Report
9.3.9.7 Non-Owner Object Trigger Report
10 Monitoring Oracle Database Vault
10.1 Security Policy Changes by Category
10.2 Security Policy Changes Detail
10.3 Security Violation Attempts
10.4 Database Configuration and Structural Changes
A Auditing Policies
A.1 Core RDBMS Auditing Policy
A.2 Custom Audit Events
B Enabling and Disabling Oracle Database Vault
B.1 When You Must Disable Oracle Database Vault
B.2 Step 1: Disable Oracle Database Vault
B.3 Step 2: Perform the Required Tasks
B.4 Step 3: Enable Oracle Database Vault
C Oracle Database Vault Database Objects
C.1 What Are the Oracle Database Vault Database Objects?
C.2 Oracle Database Vault Schemas
C.2.1 DVSYS Schema
C.2.2 DVF Schema
C.3 Oracle Database Vault Database Roles
C.3.1 Oracle Database Vault Owner Role, DV_OWNER
C.3.2 Oracle Database Vault Configuration Administrator Role, DV_ADMIN
C.3.3 Oracle Database Vault User Manager Role, DV_ACCTMGR
C.3.4 Oracle Database Vault PUBLIC Role, DV_PUBLIC
C.3.5 Oracle Database Vault Security Analyst Role, DV_SECANALYST
C.3.6 Oracle Database Vault Application/Realm DBA Role, DV_REALM_OWNER
C.3.7 Oracle Database Vault Application Resource Owner Role, DV_REALM_RESOURCE
C.4 Oracle Database Vault Database Accounts
C.4.1 Database Accounts Creation Scenarios
C.5 Oracle Database Vault Public Views
D PL/SQL Interfaces to Oracle Database Vault
D.1 Current Status of the PL/SQL Interfaces in This Release of Oracle Database Vault
D.2 Oracle Database Vault Run-Time PL/SQL Procedures and Functions
D.3 Oracle Database Vault PL/SQL Factor Functions
D.4 Oracle Database Vault PL/SQL Rule Set Functions
D.5 Oracle Database Vault PL/SQL Packages
E Oracle Database Vault Packages
E.1 Current Status of the Packages in This Release of Oracle Database Vault
E.2 DVSYS.DBMS_MACADM Package
E.2.1 Realm Functions Within DVSYS.DBMS_MACADM
E.2.2 Factor Functions Within DVSYS.DBMS_MACADM
E.2.3 Rule Set Functions Within DVSYS.DBMS_MACADM
E.2.4 Command Rule Functions Within DVSYS.DBMS_MACADM
E.2.5 Secure Application Role Functions Within DVSYS.DBMS_MACADM
E.2.6 Oracle Label Security Policy Functions Within DVSYS.DBMS_MACADM
E.3 DVSYS.DBMS_MACSEC_ROLES Package
E.4 DVSYS.DBMS_MACUTL Package
E.4.1 Field Summary
E.4.2 Functions within the DVSYS.DBMS_MACUTL Package
F Troubleshooting Oracle Database Vault
F.1 Using Trace Files to Diagnose Events in the Database
F.2 General Diagnostic Tips
F.3 Configuration Problems with Oracle Database Vault Components
Index