See Also:
Appendix D, "Oracle Database Vault Security Guidelines," for guidelines on managing security in the Oracle Database configuration
When you install Oracle Database Vault, the installation process modifies several database initialization parameter settings to better secure your database configuration. If these changes adversely affect your organizational processes or database maintenance procedures, then contact Oracle Support for help in resolving the issue.
Table 2-1 describes the initialization parameter settings that Oracle Database Vault modifies. Initialization parameters are stored in the init.ora initialization parameter file, located in $ORACLE_HOME/srvm/admin. If your database starts from a server parameter file (SPFILE) instead, the settings are held there; in either case the value currently in effect is visible in the V$PARAMETER view. For more information about this file, see Oracle Database Administrator's Guide.
Table 2-1 Modified Database Initialization Parameter Settings
Parameter | Default Value in Database | New Value Set by Database Vault | Impact of the Change |
---|---|---|---|
AUDIT_SYS_OPERATIONS | FALSE | TRUE | Enables the auditing of top-level operations directly issued by user SYS, and by users connecting with the SYSDBA or SYSOPER privilege. For more information about AUDIT_SYS_OPERATIONS, see Oracle Database Reference. |
OS_ROLES | Not configured. | FALSE | Prevents the operating system from completely managing the granting and revoking of roles to users. Any previous grants of roles to users using GRANT statements do not change. For more information about OS_ROLES, see Oracle Database Reference. |
RECYCLEBIN | ON | OFF | Controls whether the Flashback Drop feature is turned on or off. If RECYCLEBIN is set to OFF, then dropped tables do not go into the recycle bin. See also Oracle Database Administrator's Guide for more information about RECYCLEBIN. |
REMOTE_LOGIN_PASSWORDFILE | EXCLUSIVE | EXCLUSIVE | Specifies whether Oracle Database checks for a password file. The EXCLUSIVE setting enforces the use of the password file, if you installed Oracle Database Vault into a database where REMOTE_LOGIN_PASSWORDFILE was not set to EXCLUSIVE. For more information about REMOTE_LOGIN_PASSWORDFILE, see Oracle Database Reference. |
SQL92_SECURITY | FALSE | TRUE | Ensures that if a user has been granted the UPDATE or DELETE object privilege, then the user must also have the SELECT privilege before the user can perform UPDATE or DELETE operations on the table. For more information about SQL92_SECURITY, see Oracle Database Reference. |
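A post-install check a DBA would run against Table 2-1, added here as an example (it is not part of the Oracle documentation): the first query compares the five parameters with the values Database Vault sets and flags any that have drifted; the second part shows what the SQL92_SECURITY change means for an application account. The schema HR, its table EMPLOYEES and the account APP_RO are hypothetical names assumed to exist.

```sql
-- Added example, not from the Oracle documentation.
-- Part 1: compare the parameters in Table 2-1 with what Database Vault sets.
-- Run as an account allowed to read V$PARAMETER (for example SYSTEM).
SELECT e.name,
       p.value          AS current_value,
       e.expected_value,
       CASE WHEN UPPER(p.value) = e.expected_value THEN 'OK'
            ELSE 'CHECK'          -- changed back after the install, or unset
       END              AS status
FROM   (SELECT 'audit_sys_operations'      AS name, 'TRUE'      AS expected_value FROM dual UNION ALL
        SELECT 'os_roles',                          'FALSE'                        FROM dual UNION ALL
        SELECT 'recyclebin',                        'OFF'                          FROM dual UNION ALL
        SELECT 'remote_login_passwordfile',         'EXCLUSIVE'                    FROM dual UNION ALL
        SELECT 'sql92_security',                    'TRUE'                         FROM dual) e
       LEFT JOIN v$parameter p ON p.name = e.name
ORDER  BY e.name;

-- Part 2: what SQL92_SECURITY = TRUE enforces.
-- HR.EMPLOYEES and the account APP_RO are hypothetical and assumed to exist.

-- Connected as HR: grant UPDATE but not SELECT.
GRANT UPDATE ON hr.employees TO app_ro;

-- Connected as APP_RO: this statement reads column values (in SET and WHERE),
-- so SELECT is now required and the update fails with insufficient privileges
-- (ORA-01031). Without SQL92_SECURITY, APP_RO could infer the values of
-- columns it cannot SELECT by watching which rows each UPDATE touches.
UPDATE hr.employees
SET    salary = salary * 1.1
WHERE  employee_id = 100;

-- Connected as HR: the fix is to grant SELECT as well, not to turn the
-- parameter back off.
GRANT SELECT ON hr.employees TO app_ro;
```

SQL92_SECURITY is a static parameter; if anyone has set it back to FALSE, the change takes effect only after a restart, which is another reason to check V$PARAMETER rather than the parameter file alone.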
During installation of Oracle Database Vault, the installer prompts for two additional database account names. In addition, several database roles are created. These accounts are part of the separation of duties provided by Oracle Database Vault. One common audit problem that has affected several large organizations is the unauthorized creation of new database accounts by a database administrator within a production instance. Upon installation, Oracle Database Vault prevents anyone other than the Oracle Database Vault account manager or a user granted the Oracle Database Vault account manager role from creating users in the database.
For guidelines on managing separation of duty, see "Separation of Duty Guidelines".
To meet regulatory, privacy and other compliance requirements, Oracle Database Vault implements the concept of separation of duty. Oracle Database Vault makes a clear separation between the account management responsibility, the data security responsibility, and the database resource management responsibility inside the database. This means that the concept of a super-privileged user (for example, DBA) is divided among several new database roles to ensure that no one user has full control over both the data and the configuration of the system. Oracle Database Vault prevents the SYS user and other accounts with the DBA role and other system privileges from accessing designated protected areas of the database called realms. It also introduces new database roles called the Oracle Database Vault Owner (DV_OWNER) and the Oracle Database Vault Account Manager (DV_ACCTMGR). These new database roles separate the data security and the account management from the traditional DBA role. You should map these roles to distinct security professionals within your organization.
See Also:
"Separation of Duty Guidelines" for advice on managing separation of duty for your site
"Oracle Database Vault Roles" for detailed information about the roles created during the Oracle Database Vault installation
"Oracle Database Vault Accounts" for default accounts that are created and for suggestions of additional accounts that you may want to create
When you install Oracle Database Vault, it revokes a set of privileges from several Oracle Database-supplied roles, as part of the separation of duty enhancement.
Table 2-2 lists the privileges that Oracle Database Vault revokes from existing users and roles. Be aware that if you disable Oracle Database Vault, these privileges remain revoked. If your applications depend on these privileges, then grant them to the application owner directly.
Table 2-2 Privileges Oracle Database Vault Revokes
User or Role | Privilege That Is Revoked |
---|---|
(table rows not recoverable from this copy; see the two footnotes) | |
Footnote 1 To authorize users to export and import data using Oracle Data Pump, see "Using Oracle Data Pump in an Oracle Database Vault Environment".
Footnote 2 To authorize users to schedule database jobs, see "Scheduling Database Jobs in an Oracle Database Vault Environment".
Oracle Database Vault blocks the following privileges for all users and roles that hold them, including the users SYS and SYSTEM:
ALTER PROFILE
ALTER USER (users can still use the ALTER USER statement to change their own passwords)
CREATE PROFILE
CREATE USER
DROP PROFILE
DROP USER
For better security and to maintain separation-of-duty standards, do not give SYS or SYSTEM the ability to create or manage user accounts.
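How account management works once these privileges are blocked, and how the DV_OWNER and DV_ACCTMGR roles described earlier get mapped to separate people, as an added example that is not part of the Oracle documentation. The names are hypothetical: DBVACCTMGR is the account given DV_ACCTMGR at install time, DBVOWNER holds DV_OWNER, and APP_OWNER, APP_READER, ALICE_ACCTMGR and BOB_SECADMIN are new accounts. Passwords are placeholders.

```sql
-- Added example, not from the Oracle documentation. Account names and
-- passwords are hypothetical placeholders.

-- 1. Connected as SYS (AS SYSDBA): user and profile management is blocked,
--    even for SYS. Both statements fail with insufficient privileges.
CREATE USER app_owner IDENTIFIED BY "Change_Me_1";
ALTER USER hr ACCOUNT LOCK;

-- 2. Connected as DBVACCTMGR (holds DV_ACCTMGR): account management succeeds.
CREATE PROFILE app_profile LIMIT
  FAILED_LOGIN_ATTEMPTS 5
  PASSWORD_LIFE_TIME    90
  PASSWORD_LOCK_TIME    1;

CREATE USER app_owner  IDENTIFIED BY "Change_Me_1" PROFILE app_profile;
CREATE USER app_reader IDENTIFIED BY "Change_Me_2" PROFILE app_profile;

-- 3. Connected as a DBA (for example SYSTEM): granting system and object
--    privileges remains the DBA's job. DV_ACCTMGR creates accounts but does
--    not decide what they may do, which is the point of the separation.
GRANT CREATE SESSION, CREATE TABLE TO app_owner;
GRANT CREATE SESSION TO app_reader;

-- 4. Any user may still change their own password.
--    Connected as APP_READER:
ALTER USER app_reader IDENTIFIED BY "New_Pass_3" REPLACE "Change_Me_2";

-- 5. Map the two Database Vault roles to distinct named people instead of
--    leaving them only on the install-time accounts. Connected as DBVACCTMGR
--    (DV_ACCTMGR is granted to it WITH ADMIN OPTION):
CREATE USER alice_acctmgr IDENTIFIED BY "Change_Me_4";
CREATE USER bob_secadmin  IDENTIFIED BY "Change_Me_5";
GRANT DV_ACCTMGR TO alice_acctmgr;

--    Connected as DBVOWNER (DV_OWNER is granted to it WITH ADMIN OPTION):
GRANT DV_OWNER TO bob_secadmin;

-- 6. Review who holds the two roles; this list should match the people your
--    separation-of-duty policy names, and nobody should appear in both.
SELECT grantee, granted_role
FROM   dba_role_privs
WHERE  granted_role IN ('DV_OWNER', 'DV_ACCTMGR')
ORDER  BY granted_role, grantee;
```

Step 3 is the part teams most often get wrong: DV_ACCTMGR is not a DBA role, so a request to "create an account with access to X" needs both the account manager and a DBA, and that two-person path is the control the installer put in place.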
In an Oracle Database Vault environment, when Oracle Label Security is enabled, the AUD$ table is moved from the SYS schema to the SYSTEM schema. The synonym SYS.AUD$ is created to refer to the SYSTEM.AUD$ table.
Tip:
For greater security, create a realm around the SYSTEM.AUD$ and SYS.FGA_LOG$ tables. See Chapter 4, "Configuring Realms," for more information about realms.
When you install Oracle Database Vault, it configures several AUDIT statement settings in the database. See "Oracle Database Audit Settings Created for Oracle Database Vault" for more information.
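The realm the tip above recommends, as an added example that is not part of the Oracle documentation. It confirms where AUD$ now lives, builds a realm over SYSTEM.AUD$ and SYS.FGA_LOG$ with the DBMS_MACADM API, authorizes one auditor, and verifies the result. The realm name "Audit Trail" and the account SEC_AUDITOR are assumptions; run it as the DV_OWNER account.

```sql
-- Added example, not from the Oracle documentation. Run as the DV_OWNER account.
-- Realm name and the SEC_AUDITOR account are hypothetical.

-- Confirm the relocation described above: the table is owned by SYSTEM and
-- SYS.AUD$ is only a synonym pointing at it.
SELECT owner, object_name, object_type
FROM   dba_objects
WHERE  object_name = 'AUD$' AND owner IN ('SYS', 'SYSTEM')
ORDER  BY owner;

BEGIN
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'Audit Trail',
    description   => 'Protects the standard and fine-grained audit trails',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);   -- audit blocked attempts

  -- The relocated standard audit trail and the fine-grained audit log.
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'Audit Trail',
    object_owner => 'SYSTEM',
    object_name  => 'AUD$',
    object_type  => 'TABLE');
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'Audit Trail',
    object_owner => 'SYS',
    object_name  => 'FGA_LOG$',
    object_type  => 'TABLE');

  -- Let the auditor reach the tables through system privileges such as
  -- SELECT ANY TABLE. A participant cannot GRANT on realm objects; that
  -- would need realm owner authorization, which nobody is given here.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'Audit Trail',
    grantee       => 'SEC_AUDITOR',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/

-- Verify the realm's objects and authorizations.
SELECT r.name, r.enabled, o.owner, o.object_name
FROM   dvsys.dba_dv_realm r
       JOIN dvsys.dba_dv_realm_object o ON o.realm_name = r.name
WHERE  r.name = 'Audit Trail';

SELECT realm_name, grantee, auth_options
FROM   dvsys.dba_dv_realm_auth
WHERE  realm_name = 'Audit Trail';

-- A regular realm stops system privileges (SELECT ANY TABLE, DELETE ANY TABLE)
-- from reaching these tables, but not direct object grants, so check that no
-- one holds those either.
SELECT grantee, owner, table_name, privilege
FROM   dba_tab_privs
WHERE  (owner, table_name) IN (('SYSTEM', 'AUD$'), ('SYS', 'FGA_LOG$'));
```

After this, a DBA who used to purge or browse the audit trail with system privileges gets a realm violation instead, and the attempt is itself audited. Test any scheduled audit-trail purge (for example a DBMS_AUDIT_MGMT job) after enabling the realm; an account whose purge is now blocked needs to be authorized in the realm rather than given a wider privilege.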