Index

A

access control
  data encryption, 6.2.2
  enforcing, 5.2.1
  Oracle Label Security, 6.5.1
administrative accounts
  about, 3.2.1
  access, 5.2.2
  passwords, 3.6
  predefined, listed, 3.2.1
administrators
  privileges for listener.ora file, 5.2.2
  restricting access of, 6.6
  separation of duty, 6.6.1
ANONYMOUS user account, 3.2.1
ANY system privilege, protecting data dictionary, 2.3.2
APEX_PUBLIC_USER user account, 3.2.2
application contexts
  Oracle Virtual Private Database, used with, 6.4.1
ASMSNMP user account, 3.2.1
audit files
  archiving and purging, 7.6.3
  operating system file, writing to, 7.4.2
audit records
  types, 7.3
  viewing, 7.3
audit trail
  DB setting, 7.4.2
  XML file output, 7.4.2
auditing
  about, 7.1
  DDL statements, 7.4.4
  default security setting, modified by, 7.4.3
  DML statements, 7.4.4
  fine-grained auditing, 7.1
  guidelines, security, 7.6
  historical information, 7.6.3
  keeping information manageable, 7.6.2
  monitoring user actions, 7.1
  privilege audit options, 7.4.5
  reasons to audit, 7.2
  Sarbanes-Oxley Act
    requirements, 7.4.3
  suspicious activity, 7.6.4
  viewing audit records, 7.3
  where recorded, 7.3
authentication
  client, 5.2.1
  remote, 5.2.1
  strong, 3.7
AUTHID CURRENT_USER invoker’s rights clause, 4.5.2.5

B

BFILE files
  restricting access, 2.4
BI user account, 3.2.3

C

client connections
  stolen, 5.2.1
client guidelines, 5.2.1
configuration files
  listener.ora
    administering listener remotely, 5.2.2
    sample, 5.2.2
CONNECT role, privilege available to, 4.3
connections
  securing, 5.2
  SYS user, 4.2
CREATE ANY TABLE statement, 4.2
CREATE DATABASE LINK statement, 4.3
CREATE EXTERNAL JOB privilege
  default security setting, modified by, 2.2
CREATE SESSION statement, 4.3
CREATE TABLE statement, auditing, 7.4.4
CTXSYS user account, 3.2.1

D

data definition language
  auditing, 7.4.4
data dictionary
  about, 2.3.1
  securing, 2.3.2
data dictionary views
  DBA_USERS, 3.7
  DBA_USERS_WITH_DEFPWD, 3.5
data files
  restricting access, 2.4
data manipulation language, auditing, 7.4.4
database
  checking compatibility, 6.2.4.1
database accounts
  See user accounts
Database Configuration Assistant
  auditing by default, 7.4.3
  default passwords, changing, 3.6
Database Control
  See Oracle Enterprise Manager Database Control
DBA_USERS data dictionary view, 3.7
DBA_USERS_WITH_DEFPWD data dictionary view, 3.5
DBCA
  See Database Configuration Assistant
DBSNMP user account
  about, 3.2.1
  passwords, default, 3.6
default passwords
  administrative accounts, using with, 3.6
  importance of changing, 3.5
default permissions, 2.4
default security settings
  about, 2.2
Denial of Service (DoS) attacks
  networks, addressing, 5.2.2
  See also security attacks
DIP user account, 3.2.2
disabling unnecessary services, 5.2.2
DROP TABLE statement, auditing, 7.4.4

E

encryption
  about, 6.2.1
  algorithms, described, 5.3.2
  components, 6.2.1
  data transfer, 5.2.2
  network, 5.3
  network traffic, 5.2.2
  reasons not to encrypt, 6.2.2
  reasons to encrypt, 6.2.2
Enterprise Edition, 3.7
errors
  checking trace files, 4.5.2.5
  WHEN NO_DATA_FOUND exception example, 4.5.2.5
examples
  user session information, retrieving with SYS_CONTEXT, 6.4.2.4
  See also tutorials
exceptions
  WHEN NO_DATA_FOUND example, 4.5.2.5
EXFSYS user account, 3.2.1
external tables, 2.4

F

files
  audit
    archiving, 7.6.3
    DoS attacks, recommendations, 7.4.2
  configuration, 5.2.2
  listener.ora, 5.2.2
    restrict listener access, 5.2.2
  restricting access, 2.4
  symbolic links, restricting, 2.4
fine-grained auditing, 7.1
firewalls
  Axent, 5.2.2
  CheckPoint, 5.2.2
  Cisco, 5.2.2
  database server, keeping behind, 5.2.2
  Firewall-1, 5.2.2
  Gauntlet, 5.2.2
  guidelines, 5.2.2
  Network Associates, 5.2.2
  PIX Firewall, 5.2.2
  Raptor, 5.2.2
  supported
    packet-filtered, 5.2.2
    proxy-enabled, 5.2.2
FLOWS_040100 user account, 3.2.2
FLOWS_FILES user account, 3.2.2
FTP service
  disabling, 5.2.2

G

GRANT ALL PRIVILEGES privilege, 2.3.2
guidelines for security
  auditing
    audited information, managing, 7.6.2
    database activity, typical, 7.6.3
    default auditing, 7.6.1
  client connections, 5.2.1
  database activity, suspicious, 7.6.4
  network connections, 5.2.2
  operating system access to database, 2.4
  operating system accounts, limiting privileges, 2.4
  operating system users, limiting number of, 2.4
  Oracle home default permissions, disallowing modifying of, 2.4
  Oracle Label Security policies, planning, 6.5.2
  passwords
    administrative, 3.6
    creating, 3.4
    management, enforcing, 3.7
  privileges, granting, 4.2
  PUBLIC role, privileges, 4.4
  roles, granting to users, 4.3
  run-time facilities, granting permissions to, 2.5
  symbolic links, restricting, 2.4

H

HR user account, 3.2.3

I

identity theft
  See security attacks
initialization parameters
  AUDIT_FILE_DESTINATION, 7.7
  AUDIT_SYS_OPERATIONS, 7.7
  AUDIT_SYSLOG_LEVEL, 7.7
  AUDIT_TRAIL, 7.7
  configuration related, 2.6
  default security, modified by, 2.2
  FAILED_LOGIN_ATTEMPTS, 3.8
  installation related, 2.6
  MAX_ENABLED_ROLES, 4.6
  modifying, 2.6.1
  O7_DICTIONARY_ACCESSIBILITY
    about, 2.6
    data dictionary, protecting, 2.3.2
    default setting, 2.3.2
    setting in Database Control, 2.3.2
  OS_AUTHENT_PREFIX, 5.4
  OS_ROLES, 4.6
  PASSWORD_GRACE_TIME, 3.8
  PASSWORD_LIFE_TIME, 3.8
  PASSWORD_LOCK_TIME, 3.8
  PASSWORD_REUSE_MAX, 3.8
  PASSWORD_REUSE_TIME, 3.8
  REMOTE_LISTENER, 5.4
  REMOTE_OS_AUTHENT, 5.2.1, 5.4
  REMOTE_OS_ROLES, 4.6, 5.4
  SEC_CASE_SENSITIVE_LOGIN, 3.8
  SEC_MAX_FAILED_LOGIN_ATTEMPTS, 3.8
  SEC_RETURN_SERVER_RELEASE_BANNER, 2.6
  SQL92_SECURITY, 4.6
invoker’s rights, 4.5.2.5
IP addresses
  falsifying, 5.2.2
IX user account, 3.2.3

K

Kerberos authentication
  password management, 3.7

L

LBACSYS user account, 3.2.1
least privilege principle, 4.2
listener
  not an Oracle owner, 5.2.2
  preventing online administration, 5.2.2
  restrict privileges, 5.2.2
  secure administration, 5.2.2
listener.ora file
  administering remotely, 5.2.2
  online administration, preventing, 5.2.2
log files
  restricting access, 2.4

M

MDDATA user account, 3.2.2
MDSYS user account, 3.2.1
MGMT_VIEW user account, 3.2.1
monitoring
  See auditing
multiplex multiple-client network sessions, 5.2.2
multitier environments, auditing, 7.4.6
My Oracle Support
  about, Preface
  user account for logging service requests, 3.2.2

N

Net8 network utility
  See Oracle Net
network activity
  auditing, 7.4.8
network authentication services, 3.7
  smart cards, 3.7
  token cards, 3.7
  X.509 certificates, 3.7
network encryption
  about, 5.3.1
  components, 5.3.1
  configuring, 5.3.2
network IP addresses, 5.2.2
network security
  Denial of Service attacks, addressing, 5.2.2
  guidelines for clients, 5.2.1
nondatabase users, 6.4.1

O

object privileges, 4.2
OE user account, 3.2.3
OLAPSYS user account, 3.2.1
operating system access, restricting, 2.4
operating system account privileges, limiting, 2.4
operating system users, limiting number of, 2.4
operating systems
  compromised, 5.2.1
  default permissions, 2.4
Oracle Advanced Security
  authentication protection, 3.7
  network traffic encryption, 5.2.2
Oracle Connection Manager
  firewall configuration, 5.2.2
Oracle Database Vault
  about, 6.6.1
  components, 6.6.1
  registering with database, 6.6.2.1.1
  regulatory compliance, how it is met, 6.6.1
  tutorial, 6.6.2
Oracle Enterprise Manager Database Control
  about, 1.3
  starting, 2.3.2
Oracle home
  default permissions, disallowing modifying of, 2.4
Oracle Java Virtual Machine (OJVM), 2.5
Oracle Label Security (OLS)
  about, 6.5.1
  compared with Oracle Virtual Private Database, 6.3
  components, 6.5.1
  guidelines in planning, 6.5.2
  how it works, 6.5.1
  registering with Oracle Database, 6.5.3.1
  tutorial, 6.5.3
  used with Oracle Virtual Private Database, 6.3
Oracle MetaLink
  See My Oracle Support
Oracle Net
  encrypting network traffic, 5.3.2
  firewall support, 5.2.2
Oracle Virtual Private Database (VPD)
  about, 6.4.1
  advantages, 6.4.1
  application contexts, 6.4.1
  compared with Oracle Label Security, 6.3
  components, 6.4.1
  tutorial, 6.4.2
  used with Oracle Label Security, 6.3
ORACLE_OCM user account, 3.2.2
ORDDATA user account, 3.2.1
ORDPLUGINS user account, 3.2.1
ORDSYS user account, 3.2.1
OUTLN user account, 3.2.1
OWBSYS user account, 3.2.1

P

passwords
  administrative, 3.6
  administrative user, 3.6
  changing, 3.5
  complexity, 3.7
  default security setting, modified by, 2.2
  default user account, 3.5
  history, 3.7
  length, 3.7
  management, 3.7
  management rules, 3.7
  SYS user, 3.6
  SYSTEM user, 3.6
passwords for security
  requirements, 3.4
permissions
  default, 2.4
  run-time facilities, 2.5
PM user account, 3.2.3
principle of least privilege, 4.2
privileges
  about, 4.1
  audited when default auditing is enabled, 7.4.3
  auditing, 7.4.5
  CREATE DATABASE LINK statement, 4.3
  system
    ANY, 2.3.2
  SYSTEM and OBJECT, 4.2
  using proxies to audit, 7.4.6
PUBLIC role, revoking unnecessary privileges and roles, 4.4

R

remote authentication, 5.2.1
REMOTE_OS_AUTHENT initialization parameter, 5.2.1
roles
  CONNECT, 4.3
  create your own, 4.3
  job responsibility privileges only, 4.3
root file paths
  for files and packages outside the database, 2.5
run-time facilities, restricting permissions, 2.5

S

Sarbanes-Oxley Act
  auditing requirements, 7.4.3
schema objects, auditing, 7.4.7
SCOTT user
  about, 3.2.3
  restricting privileges of, 4.3
sec_admin example security administrator
  creating, 4.5.2.1
  removing, 7.5.5
secure application roles
  about, 4.5.1
  advantages, 4.5.1
  components, 4.5.1
  invoker’s rights, 4.5.2.5
  tutorial, 4.5.2
  user environment information from SYS_CONTEXT SQL function, 4.5.2.5
Secure Sockets Layer (SSL)
  administering listener remotely, 5.2.2
security administrator
  example of creating, 4.5.2.1
  removing sec_admin, 7.5.5
security attacks
  applications, 5.2.1
  client connections, 5.2.1
  Denial of Service, 5.2.2
  eavesdropping, 5.2.1
  falsified IP addresses, 5.2.1
  falsified or stolen client system identities, 5.2.1
  network connections, 5.2.2
security tasks, common, 1.2
SELECT ANY DICTIONARY privilege
  GRANT ALL PRIVILEGES privilege, not included in, 2.3.2
sensitive data
  Oracle Label Security, 6.5.1
  Oracle Virtual Private Database, 6.4.1
  secure application roles, 4.5.1
separation of duty concepts, 4.5.2.1
separation-of-duty principles
  about, 6.6.1
  Oracle Database Vault, 6.6.2.2
session information, retrieving, 6.4.1
SH user account, 3.2.3
SI_INFORMTN_SCHEMA user account, 3.2.1
smart cards, 3.7
SPATIAL_CSW_ADMIN_USR user account, 3.2.2
SPATIAL_WFS_ADMIN_USR user account, 3.2.2
SQL statements
  audited when default auditing is enabled, 7.4.3
  auditing, 7.4.4
  using proxies to audit, 7.4.6
SQL*Net network utility, 5.2.2
standard auditing
  about, 7.4.1
  auditing by default, 7.4.3
  enabling or disabling audit trail, 7.4.2
  in multitier environment, 7.4.6
  network activity, 7.4.8
  privileges, 7.4.5
  proxies, 7.4.6
  schema objects, 7.4.7
  SQL statements, 7.4.4
  tutorial, 7.5
strong authentication, 3.7
symbolic links, restricting, 2.4
SYS user account
  about, 3.2.1
  password use, 3.6
SYS_CONTEXT SQL function
  example, 6.4.2.4
  validating users, 4.5.2.5
SYS.AUD$ database audit trail table
  about, 7.4.2
  DB (database) option, 7.5.1
  DB, EXTENDED option, 7.4.2
  XML, EXTENDED option, 7.4.2
SYSMAN user account
  about, 3.2.1
  password use, 3.6
  passwords, default, 3.6
SYS-privileged connections, 4.2
system administrator
  See administrative accounts, security administrator
system identities, stolen, 5.2.1
system privileges, 4.2
  ANY, 2.3.2
SYSTEM user account
  about, 3.2.1
  password use, 3.6

T

tablespaces
  encrypting, 6.2.4.4.2
TCP ports
  closing for ALL disabled services, 5.2.2
TCPS protocol
  Secure Sockets Layer, used with, 5.2.2
TDE
  See transparent data encryption
TELNET service, disabling, 5.2.2
TFTP service
  disabling, 5.2.2
token cards, 3.7
trace files
  checking for errors, 4.5.2.5
  restricting access, 2.4
transparent data encryption
  about, 6.2.3
  advantages, 6.2.3
  components, 6.2.3
  configuring, 6.2.4
  how it works, 6.2.3
  performance effects, 6.2.3
  storage space, 6.2.3
  table columns
    checking in database instances, 6.2.5.3
    checking individual tables, 6.2.5.2
    encrypting, 6.2.4.4.1
  tablespaces
    checking, 6.2.5.4
    encrypting, 6.2.4.4.2
  wallets, 6.2.4.2
troubleshooting
  checking trace files, 4.5.2.5
tutorials
  Oracle Database Vault, 6.6.2
  Oracle Label Security, 6.5.3
  Oracle Virtual Private Database, 6.4.2
  secure application roles, 4.5.2
  standard auditing, 7.5

U

UDP ports
  closing for ALL disabled services, 5.2.2
user accounts
  about, 3.1
  administrative user passwords, 3.6
  default, changing password, 3.5
  expiring, 3.3
  finding information about, 3.7
  locking, 3.3
  password requirements, 3.4
  predefined
    administrative, 3.2.1
    non-administrative, 3.2.2
    sample schema, 3.2.3
  securing, 3
  unlocking, 3.3
user accounts, predefined
  ANONYMOUS, 3.2.1
  APEX_PUBLIC_USER, 3.2.2
  ASMSNMP, 3.2.1
  BI, 3.2.3
  CTXSYS, 3.2.1
  DBSNMP, 3.2.1
  DIP, 3.2.2
  EXFSYS, 3.2.1
  FLOWS_040100, 3.2.2
  FLOWS_FILES, 3.2.2
  HR, 3.2.3
  IX, 3.2.3
  LBACSYS, 3.2.1
  MDDATA, 3.2.2
  MDSYS, 3.2.1
  MGMT_VIEW, 3.2.1
  OE, 3.2.3
  OLAPSYS, 3.2.1
  ORACLE_OCM, 3.2.2
  ORDDATA, 3.2.1
  ORDPLUGINS, 3.2.1
  ORDSYS, 3.2.1
  OUTLN, 3.2.1
  OWBSYS, 3.2.1
  PM, 3.2.3
  SCOTT, 3.2.3, 4.3
  SH, 3.2.3
  SI_INFORMTN_SCHEMA, 3.2.1
  SPATIAL_CSW_ADMIN_USR, 3.2.2
  SPATIAL_WFS_ADMIN_USR, 3.2.2
  SYS, 3.2.1
  SYSMAN, 3.2.1
  SYSTEM, 3.2.1
  WK_TEST, 3.2.1
  WKPROXY, 3.2.1
  WKSYS, 3.2.1
  WMSYS, 3.2.1
  XDB, 3.2.1
  XS$NULL, 3.2.2
user session information, retrieving, 6.4.1

V

valid node checking, 5.2.2
views
  See data dictionary views
Virtual Private Database
  See Oracle Virtual Private Database
VPD
  See Oracle Virtual Private Database
vulnerable run-time call, 2.5
  made more secure, 2.5

W

wallets
  closing, 6.2.4.3
  creating, 6.2.4.1
  with transparent data encryption, 6.2.4.2
WK_TEST user account, 3.2.1
WKPROXY user account, 3.2.1
WKSYS user account, 3.2.1
WMSYS user account, 3.2.1

X

X.509 certificates, 3.7
XDB user account, 3.2.1
XS$NULL user account, 3.2.2