Index

A B C D E F G H&n bsp; I K L M N O P Q R S T U V W X < /a>

Symbols

"all permissions", 2-5, 7-27

"change_on_install" default password, 2-3, 7-24

"manager" default password, 2-3, 7-24

< /dl>

Numerics

07_DICTIONARY_ACCESSIBILITY, 7-8

A

access control, 5-2

enforce, 7-27

fine-grained access control, 6-3

password encryption, 4-8, 7-5

pri vileges, 5-2

account locking

e xplicit, 7-13

password management, 7-12

example, 7-13

PASSWORD_LOCK_TIM E, 7-13

ADD_CONTEXT procedure, 14-3 6

ADD_GROUPED_POLICY procedure, 14-36

ADD_POLICY p rocedure, 14-35

ADMIN OPTION

about, 10-25

revoking roles/privileges, 10-30

< dd class="L2IX">roles, 5-23

system privileges, 5-4

administration

difficulties in complex environments, 1-4

administrative

delays, 1-4

passwords, 2-4, 7-24

privileges, 7-7

roles, 7-7

administrator

application security, 7-11

administrator connections, 7-7

administrator privileges

statement execution audited, 8-8

write, on listener.ora, 7-30

administrator security, 7-7

AES, i-xxxviii

algorithms

encryption, i-xxxviii

< dd class="L2IX">hash, i-xxxviii

ALTER privilege, 12-15

ALTER PROFILE

password management, 7-12

ALTER RESOURCE COST statement, 10-14

< dd class="L1IX">ALTER ROLE statement

changing authorization method, 10-21

ALTER SESSION SET SCHEMA statement, 13-12

ALTER SESSION statement

SET SCHEMA, 12-13

< /dd>

ALTER TABLE statement

auditing, 8-10

ALTER USER, 7-7, 7-12, 7-14

explicit account unlocking, 7-13< /dd>

password

expire, 7-14

ALTER USER privilege, 10-7

ALTER USER statement

default roles, 10-36

GRANT CONNECT THROUGH c lause, 9-8

REVOKE CONNECT THROUGH clause, 9-8

altering users, 10-7

ANONYMOUS, 7-22

anonymous PL/SQL blocks, 12-9

ANY system privilege, 7-24

application administrator security, 7-11

application administrators, 7-11

application context, 7-3

as secure data cache, 13-16, 14-1, 14-2

bind variables, 13-17

creating, 1 4-6

examples, 14-7

fine-grained access control, 3-9, 13-16

how to use session-based, 14-3

local versus global, 14-2

non-session-based (global), 14-2

parallel query, i-xxxvii, 14-5

performance, 14-1 1

returning predicate, 13-16

security features, 13-10

session-based, 14-2

setting, 14-7

support for database links, 14-18

USERENV namespace, 13-11

using in policy, 14-7

application developer environment

test and production databases, 7-10

application developer security, 7-9

application developers

pr ivileges, 7-9

privileges for, 7-9

roles for, 7-10

application development

CREATE privileges, 7-11

free versus controlled, 7-10

object privileges, 7-11

roles and privileges, 7-10

security domain, 7-11

security for, 7-10

applicatio n roles, 12-5

application security

consi derations for use, 12-2

limitations, 13-5

specifying attributes, 13-10

applications

about security policies for, 12-2

context , 6-6

database users, 12-2

enhancing security with, 5-21

One Big Application User model, 12-3, 12-4

roles, 12-8

roles and, 5-22

security, 12-4, 13-19

application context, 6-6

applications development

sp ace restrictions, 7-11

tablespaces

devel oper restrictions, 7-11

AQ_ADMINISTRATOR_ROLE role, 10-20

AQ_USER_ROLE role, 10-19

AS SYSDBA, 2-4, 2-5

create, drop, delete, etc., 7-8

for administrator access, 2-4, 7-7, 7-8, 7-17, 7-25

AS SYSOPER, 2-4 , 7-8

startup, shutdown, recovery, etc., 7-7

attacks

denial of service, 2-11, 7-32

attributes, USERENV, 13-12

audit files, 11-1, 11-5 , 11-7, 11-9, 11-11, 11-14, 11-20

AUDIT statement

BY proxy clause, 11-13

schema objects, 11-16

statement auditing, 11-15

sys tem privileges, 11-15

audit trail, 11-18

archiving, 11-20

controlling s ize of, 11-18

creating and deleting, 11-22

deleting views, 11-26

dropping, 11-22

interpreting, 11-23

maximum size of, 11-19

protecting integrity of, 11-21< /dd>

purging records from, 11-19

reducing size of, 11-20

table that holds, 11-7

views on, 11-22

audit trail, uniform, i-xxxvii

AUDIT_FILE_DEST initialization parameter, 11-11, 11-12

setting for OS auditing, 11-12< /dd>

AUDIT_SYS_OPERATIONS initialization parameter, 11-11

auditing SYS, 11-4

AUDIT_TRAIL initializati on parameter, 11-11

auditing SYS, 11-5

setting, 11-11

AUDIT_TRAIL=DB, < a href="cfgaudit.htm#1007374">11-11

AUDITED_CURSORID attribute, 13-12

auditing, 11-7

audit option levels, 11-13

audit options, 8-2

audit records, 8-3

audit trail records, 11-8< /a>

audit trails, 8-3

database, 8-4, 11-8

operating system, 8-5, 8-7

by access, 8 -14

mandated for, 8-13

by session, 8-13

prohibited with, 8-13

compromised by One Big Application User, 12-3

database and operating-system usernames, 4-2

DDL statements, 8-9

default options, 11-16

described, 8-1

disabling default options, 11-18

disabling options, 11-10, 11-17, 11-18

disabling options versus auditing, 1 1-17

DML statements, 8-9

enabling options, 11-10

privileges for, 11-10

enabling options versus auditing, 11-14

fine-grain ed, 11-29

guidelines, 11-2

historical information, 11-3

information stored in OS file, 11-9

keeping information manageable, 11-3

managing the audit trail, 11-22

mandatory, 8-7

multi-tier environments, 11-13

ne w features, i-xxxvii

n-tier systems, 15-10

operating-system audit trails, 11-7

policies for, 7-20

privilege audit options, 11-15

privilege use, 8-3, 8-9

pri vileges required for object, 11-16

privileges required for system, 11-16

range of focus, 8-2, 8-12

schema object, 8-3, 8-10

schema objects, 11-16

security and, 8-6

session level, 11-15

statement, 8-3, 8-9, 11-15

statement level, 11-15

successful executions, 8-12

suspicious activity, 11-4

SYS, 11-4

system privileges, 11-15

to OS file, 11-12

transaction independence, 8-8

unsuccessful executions, 8-12

user, 8-15

using the database, 11-7

viewing

active object options, 11-25

active privilege options, 11-25

active statement options, 11-25

default object options, 11-26

views, 11-22

when options take effect, 8-8

auditing extensions, i-xxxviii

auditing policy, 7-20

authentication

b y database, 9-1

by SSL, 9-1, 9-6

certificate, 7-31

client, < a href="policies.htm#1007203">7-27, 7-31

compromised by One Big Applicat ion User, 12-3

database administrators, 4-14< /a>

described, 4-1

directory service, 9-6

external, 9-3

global, 9-5

multitier, 4-10

network, 4-3

n-tier systems, 15-5

operating system, 4-2

Oracle, 4-8< /dd>

password policy, 7-4

proxy, 9-8

public key infrastructure, 4-4

remote, 4-6, 7-27, 7-28

specifying when creating a user, 10-3

strong, 7-24

user, 7-31

users, 7-2

ways to authenticate users, 9-1

AUTHENTICATION_DATA attribute, 13-12

AUTHENTICATION_TYPE attribute, 13-12

authorization

changing for roles, 10-21

global, 9-5

omitting for roles, 10-21

operating-system role management and, 10-23

roles, about, 10-21

Axent, 7-29

B

backups, 7- 1

bfiles, 7-28

BG_JOB_ID attribute, 13-12

bind variables, 13-17

Block cipher, i-xxxviii

C

cascading revokes, 10-32

CATAUDIT.SQL script

running, 11-22

categories of security issues, 1-3

CATNOAUD.SQL, 11-26

CATNOAUD.SQL script

running, 11-26

central repository, 1-5

centralized management with distributable tools, 1-6

certificate authentication, 7-31

certificate key algorithm

Secure Sockets Layer

certificate key algorithm, 2-8

certificates for user and server authentication, 2-9

chaining mode, i-xxxviii

modifiers (CBC, CFB, ECB, OFB, i-xxxviii

character sets

multibyte characters in role names, 10-20

multiby te characters in role passwords, 10-22

checklists and recommendati ons

custom installation, 2-3, 7 -20, 7-21

disallow modifying default permissions for Oracle Database hom e (installation) directory or its contents, 2-6

disallow modifying Oracle ho me default permissions, 7-28

limit the number of operating system users, 2-6, 7-28

limit the privileges of the operat ing system accounts, 2-6, 7-28

networking security, 2-7, 7-28

personnel, 2-2

physical access control, 2-2

restrict symbolic links, 2-6, 7-28

s ecure installation and configuration, 2-3, 7-20

CheckPoint, 7-29

cipher suites

Secure Sockets Layer, 2-8

Cisco, 7-29

client checklist, 2-8

CLIENT_IDENTIFIER

setting and clearing with DBMS_SESSION package, 15-13

setting for applications that use JDBC, 15-14

setting with OC I user session handle attribute, 15-13

CLIENT_IDENTIFIER attribute , 13-12

CLIENT_INFO attribute, USERENV, 13-12

column masking behavior, 13-4, 14-41

column masking behavior restrictions, 14-43

column ma sking behavior, VPD, i-xxxvi, 14-41

column -level VPD, 13-4, 14-40

add ing policies for, 14-40

column masking behavior, 14-41

default behavior, 14-41

does not apply t o synonyms, 14-40

new features, i-xxxvi

column-level VPD column masking restrictions, 14-43

columns

granting privileges for selected, 10-29

granting privileges on, 10-29

INSERT privilege and, 10-29

listing users granted to, 10-43

privileges, 10-29

pseudocolumns

USER, 5-9

revoking privileges on, 10-32

common platform for examples, 7-21

complex environments

administration difficulties, 1-4

concurrency

limits on

for each user, 5-30

configuration files, 2-8, 2-9, 2-11, 4-8, < a href="authmeth.htm#1006419">4-10, 7-25, 7-30, 7-31, 7-32, 8-5, 9-4, 10-23, 10-40, 11-8, 11-11, 11-17, 14-46, 14-47

listener, 7-29

sample listener.ora, 7-30

SSL, 2-7

typical directory, 2-8

CONNECT, 7-25, 7-27

CONNECT /, 7-8

CONNECT role, 5-26, 10-1 8

connection pooling, 4-10

connections

auditing, 11-15

SYS-privileged, 2-5, 7-25

connections as SYS and SYSTEM, 7-7

context-sensitive policy type, i-xxxvi, 14-37, 14-39

controlled development, 7-10

CPU time limit, 5-30

CREA TE

AS SYSDBA, 7-8

CREATE ANY T ABLE, 2-5, 7-25

CREATE CONTEXT statement, 14-6

CREATE DBLINK, 7-27

CREATE PROCEDURE, 7-10

developers, 7-9

CREATE PROFILE, 7-12, 7-14

failed login attempts, 7-12

how long account is locked, 7-12

password aging and expiration, 7-13

password management, 7-12

CREATE ROLE statement

IDENTIFIED BY option, 10-21

IDENTIFIED EXTERNALLY option, 10-22

CREATE SCHEMA statement, 12-12

CREATE SESSION, 7-27< /a>

CREATE SESSION statement, 12-12

CREATE TABLE, 7-10

developers, 7-9

< /dd>

CREATE TABLE statement

auditing, 8-9, 8-12

CREATE USER, 7-12

explicit account locking, 7-13

password

expire, 7-14

CREATE USER state ment

IDENTIFIED BY option, 10-3

IDENTIFI ED EXTERNALLY option, 10-3

CREATE VIEW, 7-10

CREATE_POLICY_GROUP procedure, 14-36

cre ating an audit trail, 11-22

CTXSYS, 7-22< /dd>

CURRENT_BIND attribute, 13-12

CURRENT_SCHEMA attribute , USERENV, 13-12

CURRENT_SCHEMAID attribute, 13-12

CURRENT_SQL attribute, 13-12

CURRENT_SQL_LEN GTH attribute, 13-13

CURRENT_SQL1 to CURRENT_SQL7 attributes, 13-13

CURRENT_USER attribute, USERENV, 13-13

CURRENT_USERID attribute, 13-13

cursors

shared, 13-17

custom installation, 2-3, 7-20, 7-21

D

data

access to

fine-grained access control, 6-3

security level desired, 7-3

data definition language

auditing, 8-9

roles and privileges, 5-24

data dictionary protection, 2-5, 7-24

data dictionary tab les, 7-7

data encryption, 3-3

data files, 7-28

data manipulation language

auditing, 8-9

privileges controlling, 5-6

data security level

based on data sensitivity, 7-3

data security policy, 7-3

database

granting privileges, 10-24

granting roles, 10-24

security and schemas, 12-12

user and application user, 12-2

database administrators

application administrator versus, 7-11

roles

for security, 7-8, 7-9

security for, 7-7

security officer versus, 7-1

database administrators (D BAs)

authentication, 4-14

DBA role, 5-26

password files, 4-15

database authentication, 9-1

Database Configuration Assistant, 2-3, 2-4, 7-21, 7-24

database descriptors, 7-29

database links, 14-18

database links, and SYS_CONTEXT, 14-6

database user management, 7-2

data bases

access control

password encryption, 4-8, 7-5

limitations on usage, 5-28

production, 7-10, 7-11

test, 7-10

DB_DOMAIN attribute, USERENV, 13-13

DB_NAME attribute, 13-13

DBA role, 5-26, 10-18

DBA_COM MON_AUDIT_TRAIL view, i-xxxvii

DBA_ROLE_PRIVS view, 12-5

DBMS_CRYPTO, i-xxxviii, 16-6

DBMS_FGA package, 11-35

DBMS_OBFUSCATION_TOOLKIT, i-xxxviii, 16-6

DBMS_RLS package, 14-35

security policies, 6-5

uses definer's rights, 5-11

DBMS_RLS.ADD_POLICY

sec_relevant_cols parameter, 13-4, 14-41, 14-42

sec_relevant_cols_opt parameter, 14-41

DBMS_SESSION package

SET_CONTEXT procedure, 14-6

SET_ROLE procedure, 12-9, 12-10

DBMS_SQL package

SET_ROLE procedure, 12-12

DBSNMP, 2-4, 7-22, 7-23, 7-24

defa ult

audit options, 11-16

d isabling, 11-18

default accounts

ANONYMOUS, 7-22

CTXSYS, 7-22

DBSNMP, 7-22

DIP, 7-22

DMSYS, 7-22

EXFSYS, 7-22

HR, 7-22

MDDATA, 7-22

MDSYS, 7-22

MGMT_VIEW, 7-22

ODM, 7-22

ODM_MTR, 7-22

OE, 7-22

OLAPSYS, 7-22

ORDPLUGINS, 7-22

ORDSY S, 7-22

OUTLN, 7-22

PM, 7-22

QS, 7-22

QS_ADM, 7-22

QS_CB, 7-22

QS_CBADM, 7-22

QS_CS, 7-22

QS_ES, 7-22

QS_OS, 7-22

QS_WS, 7-22

RMAN, 7-22

SCOTT, 7-22

SH, 7-22

SI_INFORMTN_SCHEMA, 7-22

SYS, 7-22

SYSMAN, 7-22

SYSTEM, 7-22

WK_TEST, 7-22

WKPROXY, 7-22

WKSYS, 7-22

WMSYS, 7-22

XDB, 7-22

default passwords, 2-3, 2-4, 7-7, 7-17, 7-23, 7-24 , 16-4

default permissions, 2-6, 7-28

default roles, 10-35

d efault user

accounts, 2-3, 2-4< /a>, 7-21

passwords, 2-4, 7-23, 7-24

default users

enterprise manager accounts, 7-23

defaults

"change_on_install" or "manager" passwords, 2-3, 7-24

role, 10-8

tablespace quota, 10-4

user tablespaces, 10-3

definer's rights

procedure security, 5-10

delays

administrative, 1-4

< /dd>

DELETE

AS SYSDBA, 7-8

DELETE privilege, 12-15

DELETE_CATALOG_ROLE role, 10-17, 10-19

DELETE_POLICY_GROUPS procedure, 14-36

denial of service attacks, 2-11, 7-32

DES, i-xxxviii, 7-5

developers, application, 7-9

development envir onment

free versus controlled, 7-10

dictionary protection mechanism, 10-15

DIP, 7-22

directory service

See also enterprise directory service.

disable unnecessary services

FTP, TFTP, TELNET, 7-32

DISABLE_GROUPED_POLICY procedure, 14-36

disabling

roles, 3-5

disabling audit options, 11-17, < a href="cfgaudit.htm#1006787">11-18

disabling auditing, 11-10

disabling resource limits, 10-14

disallow modifying default perm issions for database home directory or its contents, 2-6

disallow modifying Oracle home default permissions, 7-28

disconnections

auditing, 11-15

dispatcher processes (Dnnn)

limiting SGA space for each session, 5-31

< /dl>

distinguished names, i-xxxviii

DML support in fine -grained auditing, i-xxxvii

DMSYS, 7-22

DNs, i-xxxviii

DROP

A S SYSDBA, 7-8

DROP ANY TABLE, 7-25< /a>

DROP PROFILE statement, 10-14

DROP ROLE statement, 10-24

DROP TABLE statement

auditing, 8-9, 8-10

DROP USER privilege, 10-8

DROP USER statement, 10-9

DROP_CONTEXT procedure, 14-36

DROP_GROUPED_POLICY procedure, 14-36

DROP_POLICY procedure, 14-36

dropping an audit trail, 11-22

dropping profiles, 10-14

dropping users, 10-8

dynamic predicates

in security policies, 6-5

dynamic SQL, 13-3, 14-29

dynamic VPD policy types, 14-37

testing, 14-37

E

eavesdropping, 2-9

ENABLE_GROUPED_POLICY procedure, 14-36

ENABLE_POLICY procedure, 14-36

enabling

roles, 3-5

enabling resource limits, 10-14

encryption, 2-10, 3-3, 16-6

algorithms, i-xxxviii

database passwords , 9-2

network traffic, 7-32

stored data, 7-26

end-user security, 7-5

enforcement options

exemptions, 13-21

enterprise directory service, 7-7, 10-23

Enterprise Edition, 2-5, 7-24, 7-32

Enterprise Manager

granting roles, 5-23

statistics monitor, 5-3 2

enterprise roles, 7-7, 9-6, 10-23

enterprise user management, 12- 3

Enterprise User Security, 14-22

enterprise users , 7-7, 9-6, 10-23, 12-13

Enterprise users are global users, i-xxxviii< /dd>

ENTRYID attribute, 13-13

event triggers, 14-13

EXECUTE privilege, 2-5, 7-26, 12-15

EXECUTE_CATALOG_ROLE role, 10-16, 10-19

EXEMPT ACCESS POLICY privilege, 13-21

EXFSYS, 7-22

EXP_FULL_DATABASE role , 5-26, 10-19

expired & locked, 7-22

explicitly expiring a password, 7-14

Export utility

policy enforcement, 13-21

extensions to auditing, i-xxxviii

external authe ntication

by network, 9-5

by operating s ystem, 9-4

external tables, 7-28

EXTERNAL_NAME attribute, USERENV, 13-13

F

failed login attempts

account locking, 7-12

password management, 7-12

resetting, 7-13

falsified IP addresses, 2-8

falsif ied or stolen client system identities, 2-8

features, new

See new features

Virtual Private Da tabase, i-xxxvi

FG_JOB_ID attribute, 13-12, 13-13

files

audit, 11-1, 11-5, 11-7, 11-9, 11-11, 11-14, 11-20

bfiles, 2-6, 7-28

BLOB, 16-13

configuration, 2-8, 2-9, 2-11, 4-8, 4-10, 7-25, 7-30, 7-31, 8-5, 9-4, 10-23, 10-40, 11-8, 11-11, 11-17, 14-46, 14-47

data, 2-6, 7-28

externa l tables, 2-6, 7-28

init<sid>.ora, 7-25

init.ora, 8-5, 9-4, 10-23, 10-40, 11-8, 11-11, 11-17, 14-46, 14-47

keys, 16-12

listener.ora, 2-8, 2-9, 7-30< /a>, 7-31

log, 2-6, 7-28, 11-5, 11-12

password, 4-15

protocol.ora, 2-11, 7-31

restrict listener access, 2-9

restrict symbolic links, 2-6, 7-28

serve r.key, 2-8

sqlnet.ora, 4-8, 7-32

SSL, 2-7

trace, 2-6, 7-28

tsnames.ora, 2-8

UTLPWDMG.SQL, 4-10

fine-grained ac cess control, 6-3, 7-3

appl ication context, 3-9, 13-16

features, 13-6

performance, 13-8

fine-grained auditing, 11-29

DML support, i-xxxvii

extensions, i-xxxviii

introduction, 3-4

multiple objects, columns, statements, including INDEX, < a href="policies.htm#1006928">7-20

policies, 7-20

Firewall-1, 7-29

firewalls, 2-10, 7-28

breach

vulnerable data, 2-10, 7-29

ill-configured , 7-29

no holes, 7-29

ports, 2-8

supported

packet-filtered, 7-28

proxy-enabled, 7-28

< /dl>

flashback query, 11-9, 14-47

foreign keys

privilege to use parent key, 5-7

formatting of password complexity verification routine, 7-16

< dd class="L1IX">free development, 7-10

FTP, 7 -32

functions

PL/SQL

privileges for , 5-9

roles, 5-24

G

Gauntlet, 7-29

general user security, 7-4

global authentication and authorization, 9- 5

global roles, 9-5, 10-23

global users, 9-5

identifiers, i-xxxviii

GLOBAL_CONTEXT_MEMORY attribute, 13-13

GLOBAL_UID attribute, 13-13

grace period

example, 7-14

password expiration, 7-13, 7-14

GRANT ALL PRIVILEGES

SELECT ANY DICTIONARY, 7-25

GRANT ANY OBJECT PRIV ILEGE system privilege, 10-27, 10-31

GRAN T ANY PRIVILEGE system privilege, 5-4

GRANT CONNECT THROUGH clause

for proxy authorization, 9-8

GRANT stat ement, 10-24

ADMIN OPTION, 10-2 5

creating a new user, 10-26

object privileges, 10-26, 12-13

system privileges and roles, < a href="admusers.htm#1007714">10-24

when takes effect, 10-35

WITH GRANT OPTION, 10-27

granting

privileges and roles, 5-3

granting privileges and r oles

listing grants, 10-40

GT GlossaryTitle, Glossary-1

GUIDs, i-xxxviii< /dd>

H

hacked operating systems or applications, 2-8

harden

operating system, 7-32

hash

keyed, i-xxxviii

hash algorithms, i-xxxviii

HOST attribute, 13- 13

HR, 7-22

HS_ADMIN_ROLE role, 10-19

HTTP

potentially malicious data transmissions, 7-26

request and retrieve arbitrary data, 7-26

HTTPS port, 2-7

I

identity m anagement

centralized management with distributable tools, 1-6

components, 1-6

desired benefits, 1-5

infrastructure, 1-6

Oracle's infra structure components, 1-6

seamless timely distribution, 1-6

security, 1-4

single sign-on, 1-6

sngle point of integration, 1-6

solution, 1-5

IMP_FULL_DATABASE role, 5-26, 10-19

INDEX privilege, 12-15

init<sid>.ora file, 7-25

init.ora, 11-8, 11-11, 11-17, 14-46, 14-47

init.ora file, 8-5, 9-4, 10-23, 1 0-40

INSERT privilege, 12-15

grantin g, 10-29

revoking, 10-32

< dd class="L1IX">INSTANCE attribute, 13-13

INSTANCE_NAME attribute, 13-13

invoker's rights

procedure security, 5-11

supplied packages, 5-11

invoker's rights stored procedures, 12-9

IP address

fakeable, 2-10

IP addresses, 7-31

IP_ADDRESS attribute, 13-14

ISDBA attribute, USERENV, 13-14

iTAR, 7-33

K

Kerberos, 2-5, 7-24

keyed hash, i-xxxviii

L

LANG attribute, 13-14

LANGUAGE attribute, 13-14

least privilege principle, 2-5, 7-25

Lightweight Directory Access Protocol (LDAP), 14-11

limit operatin g system account privileges, 2-6, 7-28

li mit sensitive data dictionary access, 7-8

limit the number of operating syst em users, 2-6, 7-28

listener, 7-29

checklist, 2-9

establish password, 2-10, 7-29, 7-30

not Oracle owner, 7-29

prevent on-line ad ministration, 7-30

restrict privileges, 2-9, 7-29

sample configuration, 7-29

secure administration, 2-9, 2-10, 7-30

listener.ora, 2-8

< dd class="L2IX">add line, 7-30

control external procedures, 7-31

sample, 7-30

typical directory , 2-8

listener.ora file, 2-9, < a href="policies.htm#1007784">7-30

lock and expire, 2-3, 2-4, 7-21, 7-24

unlock via ALTER USER, 7-7

log files, 7-28, 7-29, 11-5, 11-12

logical reads limit, 5-30

logon triggers, 14-3, 14-8

M

MAC, i-xxxviii

mail messages

arbitrary, 7-26

unautho rized, 7-26

managing roles, 10-20

mandatory auditing, 8-7

MAX_ENABLED_ROLES initializ ation parameter

enabling roles and, 10-36

MD4, i-xxxviii

MD5, i-xxxviii

MDDATA, 7-22

MDSYS, 7-22 , 7-24

memory

viewing per user, 10-12

message authentication code, i-xxx viii

Metalink, 7-32

methods

privileges on, 5-14

MGMT_VIEW, 7-22

middle tier systems, 13-11

mode, SS L, 2-8

monitoring, 8-1

monitoring user actions, 8-1

multiple administrators

roles example, 7-8, 7-9

multiplex multiple client network sessions, 2-10

multi-tier enviro nments

auditing clients, 11-13

N

Net8, 7-28

network

aut hentication, 9-5

Network Associates, 7-29

network authentication, 9-5

network authent ication services, 2-5, 7-24

smart cards, 7-24

token cards, 7-24

X.509 certificates, 7-24

network connections

arbitrary transmissions, 7-26

outgoing, 7-26

network IP addresses, 2-11, < a href="policies.htm#1007807">7-31

NETWORK_PROTOCOL attribute, 13-14

networking security checklists, 2-7, 7-28 < dl class="L2IX">

client checklist, 2-8

listener checklist, 2-9

network checklist, 2-9

SSL, 2-7

configuration files, 2-7

mode, 2-8

tcps, 2-8

networks

network authentication service , 4-3

new features, i-xxxv

auditing, i-xxxvii

column-level VPD, i-xxxvi

policy types, i-xxxvi

Virtual Private Database, i-xxxvi

NLS_CALENDAR attribute, 13-14

NLS_CURRENCY attribute, 13-14

NLS_DATE_FORMAT attribute, 13-14

NLS_DATE_LANGUAGE attribute, 13-14

NLS_SORT attribute, 13-14

NLS_TERRITORY attribute, 13-14

NOAUDIT statement

< dd class="L2IX">disabling audit options, 11-17

disabling default object audi t options, 11-18

disabling object auditing, 1 1-18

disabling statement and privilege auditing, 11-17

O

O7_DICTIONARY_ACCESSIBILITY, 2-5, 7 -25, 10-15, 10-16

initi alization parameter, 10-16

object privileges, 2-5, 5-4, 6-3, 7- 25

developers, 7-11

granting on beha lf of the owner, 10-27

revoking, 10-30

revoking on behalf of owner, 10-31

See also schema object privileges

objects

granting privileges, 12-15

privileges, 12-13

privileges on, 5-14

OCI

enabling roles, 3-6

ODM, 7-22

ODM_MTR, 7- 22

OE, 7-22

OLAPSYS, 7-22

operating system

harden, 7-32

operating system authentication, 7-8

operat ing system security, 7-2

operating system username, 2-4

operating systems

accounts, 1 0-38

authentication, 9-4, 10-36

authentication by, 4-2

default permissions, 2-6, 7-28

enabling and disabling roles, 10-39

role identification, 10-37

ro les and, 5-26, 10-36

security in, 7-2

optimization

query rewrite

in security policies, 6-5

Oracle Advanced Security, 2-5, 7-24, 7-32, 12-13

Oracle Connection Manager, 2-10

Oracle Delegated Administration Service, 1-7

Oracle Directory Integration and Provisioning, 1-6

Oracle Enterprise Secu rity Manager, 4-7

Oracle Internet Directory, 1-6, 4-7, 15-4

Oracle Java Virtual Ma chine (OJVM), 2-5, 7-27

Oracle Net, 7-28

Oracle Net Manager, 7-32

Oracle Technology Network, 7-32

Oracle Universal Installer, 2-3

Oracle Wallet Manager, 4-5

Oracle wallets, 4-5

Oracle Worldwide Support Services, 7-33

OracleAS Certificate Authority, 1-7, 4-5

OracleAS Single Sign-On, 1-7

ORDP LUGINS, 7-22

ORDSYS, 7-22

OS username, 7-8

OS_ROLES parameter

operating-system authorization and, 10-23

REMOTE_OS_ROLES and, 10-40

using, 10-37

OS_USER attribute, USERENV, 13-14

OUTLN, 7-22

P

packages

auditing, 8-1 0

examples of, 5-12, 5-13

privileges

divided by construct, 5-12

executing, 5-9, 5-12

s upplied packages

invoker's or definer's rights, 5-11

Padding forms, i-xxxviii

paragraph tags

GT GlossaryTitle, Glossary-1

parall el execution servers, 14-6

parallel query

and SYS_CONTEXT, i-xxxvii

application context, i-xxxvii

parallel query, and SYS_CONTEXT, 14-5

parameters

protocol.ora, 7-31

pass-phrase

to read and parse server.key file, 2-8

password

establish for listener, 2-1 0, 7-29, 7-30

password agin g and expiration, 7-13

grace period, 7-13, 7-14

example, 7 -14

password complexity verification, 4-10, 7-16

formatting of routine, 7-16

sample routine, 7-17

password files, 4-15, 7-8

password management

< dd class="L2IX">account locking, 7-12

explicit, 7-13

ALTER PROFILE, 7-12

CREATE PROFILE, 7-12

expiration grace period, 7-13, 7-14

explicitly expire, 7-14

failed login attempts, 7-12

failed logins resetting, 7-13

grace period

example, 7-14

history, 7-15

lif etime for password, 7-13

password complexity verification, 7-16

PASSWORD_LOCK_TIME, 7-13

PASSWO RD_REUSE_MAX, 7-15

PASSWORD_REUSE_TIME, 7-15< /a>

sample password complexity verification routine, 7-17

UTLPWDMG.SQL

password management, 7-16

password management policy, 7-12

password security, < a href="policies.htm#1006314">7-4

PASSWORD_LIFE_TIME, 7-13

PASSWORD_LOCK_TIME, 7-13

PASSWORD_REUSE_MAX, 7-15

PASSWORD_REUSE_TIME, 7-15

passwords

account locking, 4-9

administrative, 2-4, 7-24

change via ALTER USER, 7-7

changing for roles, 10-21

complexity verification, 4-10

connecting without, 4-2

database user authentication, 4-8

default , 7-7

duration, 2-4, 7-24

encryption, 4-8, 7-5, 9-2

history, 7-15

PASSWORD_REUSE_MAX, 7-15

PASSWORD_REUSE_TIME, 7-15

length, history, and complexity, 7-24

length, history, and complexity,, 2-4

management, 7-12

management rules, 2-4, 7-24

password files, 4-15

password reuse , 4-9

privileges for changing for roles, 10-2 1

privileges to alter, 10-7

reuse, 2-4, 7-24

role, 3-7

roles, 10-21

security policy for users, 7-4

SYS and SYSTEM, 2-3, 7-23, 7-24

used in roles, 5-21

< dd class="L2IX">user authentication, 9-1

performance

resource limits and, 5-28

permissions

server.key file, 2-8

personnel chec klist, 2-2

personnel security, 1-3

< dd class="L1IX">physical access control checklist, 2-2

physical security, 1-3

PIX Firewall, 7-29

PKCS #5, i-xxxviii

PKI, 4-4

PL/SQL

anonymous blocks, 12-9

auditing of statements within, 8-8

dynamically modifying SQL statements, 13-3

roles in procedures, 5-24

setting context, 14-3

PM, 7-22

policies

auditing, 7-20

password management, 7-12

policy function, 7-4

policy types

context-sensitive, i-xxxvi, 14-37, 14-39

new features, i-xxxvi

shared, i-xxxvi, < a href="apdvcntx.htm#1012791">14-37

static, i-xxxvi, 14-37, 14-39

POLICY_INVOKER attribute, 13-14

practical security concerns, 2-1

predicates

dynamic

in security policies, 6-5

principle of least privilege, 2-5 , 7-25

privacy, 2-3, 7-20

privilege management, 7-5

gran ting privileges and roles

specifying ALL, 10-17

revoking privileges and roles

specifying ALL, 10 -17

privileges, 10-15

See also system privileges.

administrator

statement execution audited, 8-8

altering < dl class="L3IX">

passwords, 10-8

users, 10-7

altering role authentication method, 10-21

application developers, 7-9

application developers and, 7-9

audit object, 11-16

auditing system, 11-16

auditing use of, 8-9, 11-15

cascading revokes, 10-32

column, 10-29

CREATE DBLINK, 7-27

creating roles, 10-20

creating users, 10-2

dropping profiles, 10-14

dropping roles, 10-24

encapsulating in stored procedures, 3-6

granting, 5-3, 5-5, 10-24

examples of, 5-1 2, 5-13

granting object privileges, 10-26

granting system privileges, 10-24

grant ing, about, 10-24

grouping with roles, 10-20< /a>

individual privilege names, 10-15

listing grants, 10-42

managing, 12-4, 12-13

middle tier, 15-7

object, 7-11, 10-17, 12-15

on selected columns, 10-32

overview of, 5-2

policies for managing, 7-5

procedures, 5-9

creating and altering, 5-12< /dd>

executing, 5-9

in packages, 5-12

revoking, 5-3, 5-5, 10-30

revoking object, 10-30

revoking object privileges, 10-30, 10-33

revoking system privileges, 10-30

roles, 5-19

restrictions on, 5-25

schema object, 5-4, 6-3

DML and DDL operations, 5-6

granting and revoking, 5-5

packages, 5-12

procedures, 5-9

SQL statements permitted, 12-15

system, 5-3, 10-15

ANY, 7-24

CREATE, 7-11

DROP ANY TABLE, 7-25

granting and revoking, 5-3

SELECT ANY DICTIONARY, 7-25

SYSTEM and OBJECT, 2-5, 7-25

trig ger privileges, 5-11

views, 5-8

creating, 5-8

using, 5-8

procedural security, 1-3

procedures

auditing, 8-10

definer's ri ghts, 5-10

roles disabled, 5-24

examples of, 5-12, 5-13

invoker's rights, 5-11

roles used, 5-24

supplied packages, 5-11

privileges

create or alter, 5-12

executing, 5-9

executing in packages, 5 -12

security enhanced by, 5-10

supplied packages

invoker's or definer's rights, 5-11

process monitor process (PMON)

cleans up timed-out sessions, 5-31

PRODUCT_USER_PROFILE table, 3-6, 13-19, 13-20

production environment, 7-24

products and options

install only as necess ary, 7-21

profiles, 10-13

disabling resource limits, 10-14

dropping, 10-14

enabling resource limits, 10-14

listing, 10-9

managing, 10-1 3

password management, 4-9, 7-12

privileges for dropping, 10-14

viewing, 10-11

program global area (PGA)

effect of MAX_EN ABLED_ROLES on, 10-36

protocol.ora file, 2-11, 7-31

parameters, 7-31

proxies, 4-11

audit ing clients of, 11-13

proxy authentication and authorization, 9-8

proxy authentication, 9-8

proxy authorization, 9-8

proxy servers

auditing clients, 11-13

PROXY_USER attribute, 13-11, 13-14

PROXY_USERID attribute, 13-14

PROXY_USERS view, 9-8

pseudocol umns

USER, 5-9

PUBLIC, 2-5, 7-26

granting and revoking pr ivileges to, 10-34

procedures and, 10-34< /dd>

revoke all unnecessary privileges and roles, 7-26

user group, 5-24, 10-34

public key infrastructure, 4-4

PUBLIC_DEFAULT profile

dropping profiles and, 10-14

< h2 class="GroupTitlesIX">Q

QS, 7-22

QS_ADM, 7-22

QS_CB, 7-22

QS_CBADM, 7-22

QS_CS, 7-22

QS_ES, 7-22

Q S_OS, 7-22

QS_WS, 7-22

query rewrite

dynamic predicates in security policies, 6-5

quotas

listing, 10-9

revoking from users, 10-5

setting to zero, 10-5

tablespace, 10-4

temporary segmen ts and, 10-4

unlimited, 10-5

viewing, 10-11

R

RADIUS, 4-6

Raptor, 7-29

RC4, i-xxxviii

reads

data block

limits on, 5-30

reauthenticating clients, 15-4

RECOVERY_CATALOG_OWNER role, 10-19

< dd class="L1IX">REFERENCES privilege, 12-15

CASCADE CONSTRAINT S option, 10-32

revoking, 10-32

when granted through a role, 5-25

REFRESH_GROUPED_POL ICY procedure, 14-36, 14-45

REFRESH_POLIC Y procedure, 14-36, 14-45

remote authenti cation, 2-6, 7-27, 7-28

REMOTE_OS_AUTHENT, 7-28

REMOTE_OS_AUTHENT initialization p arameter

setting, 9-4

remote_o s_authentication, 2-6, 7-28

REMOTE_OS_ROL ES initialization parameter

setting, 10-23, 10-40

reparsing, 14-7

reset ting failed login attempts, 7-13

resource limits

call level, 5-30

connect time for each session, 5-31

CPU time limit, 5-30

determining values for, 5-32

disabling, 10-14

enabling, 10-14

idle time in each session, 5-31

logical reads limit, 5-30

number of sessions for each user, 5-30

private SGA space for each session, 5-31

profiles, 10-13

RESOURCE privilege, 12-12

RESOURCE role, 5-26, 10-18

resources

profiles, 10-13

restrict symbolic links, 2-6 , 7-28

restrictions

space

developers, 7-11

tablespaces, 7-11

REVOKE CONNECT THROUGH clause

revoking proxy authorization, 9-8

REVOKE statement, 10-30

when takes effect, 10-35

revoking privileges and roles

on selected columns, 10 -32

REVOKE statement, 10-30

when using operating-s ystem roles, 10-39

rewrite

pre dicates in security policies, 6-5

RMAN, 7-22

role, 7-3

typical develope r, 7-10

role identification

op erating system accounts, 10-38

ROLE_SYS_PRIVS view, 12-5

ROLE_TAB_PRIVS view, 12-5

ro les, 5-19, 7-5, 7-26

ADMIN OPTION and, 10-25

administrative, 7-7

advantages, 12-5

appli cation, 5-22, 12-8, 12-13, < a href="apdvpoli.htm#1006909">13-19

application developers and, 7-10

AQ_ADMINISTRATOR_ROLE, 10-20

AQ_USER_ROLE, 10-19

authorization, 10-21

author ized by enterprise directory service, 10-23

changing authorization for, 10-21

changing passwords, 10-21

CONNECT, 7-27

CONNECT role, 5-26 , 10-18

create your own, 7-27

database authorization, 10-21

DBA role, 5-26, 10-18

DDL statements and, 5-2 4

default, 10-8, 10-35

definer's rights procedures disable, 5-24

definition, 10-18

DELETE_CATALOG_ROLE, 10-19

dependency management in, 5-25

disabling, 10- 35

dropping, 10-24

enabled or disabled, 5-22

enabling, 10-35, 12-8

enabling and disabling, 3-5

enterprise, 9-6, 10-23

example, 7-5, 7-6

explanation, 7-6

EXECUTE_CATALOG_ROLE, 10-19

EXP_FU LL_DATABASE, 10-19

EXP_FULL_DATABASE role, 5- 26

for multiple administrators

example, 7-8, 7-9

functionality, 5-2

global, 9-5, 10-23

global authorization, 10-23

GRANT statement, 10-39

granting, 5-3, 5-23, 10-24

granting, about, 10-24

HS_ADMIN_ROLE, 10-19

IMP_FULL_DATABASE, 10-1 9

IMP_FULL_DATABASE role, 5-26

in applications, 5-21

invoker's rights procedures use, 5-24< /dd>

job responsibility privileges only, 7-27

listing, 10-44

listing grants, 10-42

listing privileges and roles in, 10-44

management using the operating s ystem, 10-36

managing, 10-20, 12-13

managing through operating system, 5-26

< dd class="L2IX">maximum, 10-36

multibyte characters in names, 10-20

multibyte characters in passwords, 10-22

naming, 5-19

network authorization, 10-23

operating system, 10-38

operating syste m granting of, 10-37, 10-39

operating-sys tem authorization, 10-22

OS management and the shared server, 10-40

passwords, 3-7

passwords fo r enabling, 10-21

predefined, 5-26, 10-18

privileges for creating, 10-20

privileges for dropping, 10-24

privileges, changing authorizati on method for, 10-21

privileges, changing passwords, 10-21

RECOVERY_CATALOG_OWNER, 10-19

RESOUR CE role, 5-26, 10-18

restricting from too l users, 13-19

restrictions on privileges of, 5-25

REVOKE statement, 10-39

revoking, 5-23, 10-30

revoking ADMIN OPTION, 10-30

schemas do not contain, 5-19

secure application, 3-4

security and, 7-5

security domains of, 5-23

SELECT_CATALOG_ROLE, 10-19

SET ROLE statement, 10-39

setting in PL/SQL blocks, 5-24

unique names for, 10-20

use of passwords with, 5-21

usefu lness compromised, 12-3

user, 5-22, 12-8, 12-13

users capable of granting, 5-23

uses of, 5-21

WITH GR ANT OPTION and, 10-27

without authorization, 10-21

root file paths

for files and packages outside the data base, 2-5, 7-27

row-level secur ity

see fine-grained access control, v irtual private database (VPD), and Oracle Label Security

rows

row -level security, 6-3

RSA private key, 2-8

run-time facilities, 2-5, 7-27

S< /h2>

sample configuration

listener, 7-29

sample password complexity verification routine, 7-17

Sample Schemas, 7-21

remove or re-lock for production, 7-21

test database, 7-21

schema object privileges, 5-4, 6-3

DML and DDL operations, 5-6

grantin g and revoking, 5-5

views, 5-8
< /dd>
schema objects

auditing, 8-10

cascading effects on revoking, 10-33

default audit options, 11-16

default tablespace for, 10-3

disabling audit options, 11-18

enabling audit options on, 11-16

granting privileges, 10-26

in a revoked tablespace, 10-5

owned by dropped users, 10-8

privileges on, 5-4, 6-3

privileges to access, 10-17

privileges with, 10-17

revoking privileges, 10-30

schema-independent users, 9-6, 12-13
schemas

default, 13-12

unique, 12-12

SCOTT, 2-4, 7-23, 7-24, 7-27

script files, 11-26

CATNOAUD.SQL, 11-26

scripts, 4-10

seamless timely distribution, 1-6

sec_relevant_cols parameter, 13-4, 14-41, 14-42

sec_rele vant_cols_opt parameter, 13-4, 14-41

secu re application, 12-5

secure application role

using to ensure database connection, 12-8

secure installation and configuration checklist, 2-3, 7-20

S ecure Sockets Layer, 2-7, 7-2, 7 -31, 9-1, 9-6

certifica te key algorithm, 2-8

checklist, 2-7

cipher suites, 2-8

configuration files, 2-7

mode, 2-8

pass-phrase, 2-8

RSA private key, 2-8

serv er.key file, 2-8

tcps, 2-8

Secure Sockets Layer (SSL) protocol, 15-4

security

accessing a database, 7-2

administrator of, 7-2

application administration, 7-11
application developers and, 7-9

application enforcement of, < a href="authoriz.htm#1007131">5-21

auditing, 8-1, 8-6

auditing policies, 7-20

authenticatio n of users, 7-2

breach effects, 1-4

data, 7-3

database security, 7-2

database users and, 7-2

default user accounts , 2-3, 7-21

dynamic predicates, 6-5

enforcement in application, 12-4

enforcement in database, 12-4

fine-grained access control, 6-3

general users, 7-4

iden tity management, 1-4

interaction complexity, 1-4

issues by category, 1-3

multibyte characters i n role names, 10-20

multibyte characters in role passwords, 10-22

operating-system security and the database, 7-2

passwords, 4-8

personnel dimension, 1-3

physical dimension, 1-3

policies
administering, 14-35

applied within databas e, 13-4

centrally managed, 13-20

example, 14-29

implementing, 6- 6, 13-16

multiple policies per table, 13- 7

on tables or views, 13-6

technical issues, 3-2

policies for database administrators, 7-7

policy for applications, 12-2, 13-1 9

practical concerns, 2-1

privilege management pol icies, 7-5

privileges, 7-2

procedural dimension, 1-3

procedures enhance, 5-10

protecting the audit trail, 11-21

RE MOTE_OS_ROLES parameter, 10-40

roles to force security, 7-5

roles, advantages, 12-5

security po licies, 6-3

technical dimension, 1-3

test databases, 7-10

threats and countermeasures, 3-1

views enhance, 5-8

security alerts, 7-32

security domain

application development, 7-11

security domains

enabled roles and, 5-22

security patches and workarounds, 2-6, 7-32

security policy fu nction, 7-4

security-relevant columns VPD, 13 -4

SELECT ANY DICTIONARY, 7-25

SELECT privilege, < a href="apdvntro.htm#1006699">12-15

SELECT_CATALOG_ROLE role, 10-16, 10-19

sequences

auditing, 8-10

SERVER_HOST attribute, 13-14

server.key file, 2-8

pass-phrase to read and parse, 2-8

permissions on, 2-8

service names, 7-29

session primitives, 13-11

SESSION_ROLES view

queried from PL/SQL block, 5-24

SESSION_USER attribute, USERENV, 13-14

SESSION_USERID attribute, 13-14

SESSIONID attribute, 13-14

sessions

auditing by, 8-13

auditing connections and disconnections, 11-15< /dd>
defined, 8-13

limits for each user, 5-30

listing privilege domain of, 10-43

time limits on, 5-31

viewing memory use, 1 0-12

when auditing options take effect, 8-8

SET ROLE statement

associating privileges with role, 12-9< /dd>
at startup, 3-5

disabling, 3-6

equivalent to SET_ROLE, 12-9

how password is set, 10-21

role passwords, 3-7
used to enable/disable roles, 10-35

when using operating-syst em roles, 10-39

SET_CONTEXT procedure, 14-6

SET_ROLE procedure, 12-9

SH, 7-23

SHA-1, i-xxxviii

shared pol icy type, i-xxxvi, 14-37

shared server
limiting private SQL areas, 5-31

OS role ma nagement restrictions, 10-40

SI_INFORMTN_SCHEMA, 7-23

SID attribute, 13-14

single sig n-on, 1-6

single source of truth, 1-5

smart cards, 7-24

sngle point of integration, 1-6

space restrictions

developers, 7-11

tablespaces, 7-11
< /dd>
SQL statements, i-xxxviii

auditing, 8-9, 8-12

when records generated , 8-7

disabling audit options, 11-1 7

dynamic, 14-5

enabling audit options on, 11-15

privileges required for, 5-4, 6-3, 12-15

resource limits and, 5-30

restricting ad hoc use, 13-18

SQL text, i-xxxviii

SQLNet, 7-28

SQLPlus

connecting with, 4-2

restricting ad hoc use, 13-18

statistics monitor, 5-32

sqlnet.ora, 7-32

sqln et.ora file, 4-8

SSL, 1-7, 2-7, 7-2, 7-30, 7-31

SSL. See Secure Sockets Layer.
STATEMENTID attribute, 13-15
static, i-xxxvi, 14-37, 14-39

storage

quotas and, 10-4

revoking tablespaces and , 10-5

unlimited quotas, 10-5

stored procedures

encapsulating privileges, 3 -6

invoker's rights, 12-9

using privileges granted to PUBLIC, 10-34

strong authentication, 7-24

supplied packages

invoker's or definer's rights, 5-11

symbolic links, 2-6, 7-28

synonyms

inherit privileges from object, 5-6

SYS, 7-23

SYS a ccount

policies for protecting, 7-7

poli cy enforcement, 13-21

SYS and SYSTEM, 7-23

passwords, 2-3, 7-2 3, 7-24

SYS and SYSTEM connections, 7-7

SYS schema, 14-6

AS SYSDBA, 7-8

SYS username

statement ex ecution audited, 8-8

SYS_CONTEXT

and parallel query, i-xxxvii

SYS_CONTEXT function

access control, 14-13

database links, 14-6

dynamic SQL statements, 14-5

p arallel query, 14-5

syntax, 14-4

USERENV namespace, 13-12

SYS.AUD$, 11-11

SYS.AUD$ table

audit trail, 11-7

creating and deleting, 11-22

SYSMAN, 2-4, 7-23, 7-24
SYS-privileged connections, 2-5, 7-25

SYSTEM, 7-23

SYSTEM account

policies for protecting, 7-7

system global area (SGA)

limiting private SQL areas, 5-31

syst em privileges, 2-5, 5-3, 7-25, 10-15

ADMIN OPTION, 5-4< /dd>
ANY, 7-24

CREATE, 7-11< /a>

described, 5-3, 10-15

DROP ANY TABLE, 7-25

GRANT ANY OBJECT PRIVILEGE, 10-27, 10-31

GRANT ANY PRIVILEGE, 5-4

granting, 10-24

granting and revoking, 5-3

SELECT ANY DICTIONARY, 7-25

system security policy, 7-1

database user management, 7-2

operating system security, 7- 2

user authentication, 7-2

T

tables

auditing, 8-10

privileges on, 5-6

tablespaces

assigning def aults for users, 10-3

default quota, 10-4

quotas for users, 10-4

revoking from users, 10-5

temporary

assigning to users, 10-5

unlimited quotas, 10-5

viewing quotas, 10-11

tcps, 2- 8, 7-30

technical security, 1-3

TELNET, 7-32

TERMINAL attribute, USERENV, 13-15

test and production databases

application developer environment, 7-10

testing VPD policies, 14-37

text level access

host operating system, 7-26

unauthorized, 7-26

TFT P, 7-32

TIGER, 7-24

time stamp, i-xxxviii

token cards, 7-24
trace files, 7-26, 7-28, 7-29, 8-7

triggers

aud iting, 8-10

CREATE TRIGGER ON, 12-15

event, 14-13

login, 14-7

logon, 14-3, 14-8

privileges for executing, 5-11

roles, 5-24

Triple DES, i-xxxviii

tsnames.ora, 2-8

typical directory, 2-8

types

privileges on, 5-14

typical role, 7-10

U

UDP and TCP ports

close for ALL disabled services, 7-32

uniform audit trail, i-xxxvii

UNLIMITED, 7-15

UNLIMITED TABLESPACE privilege, 10-5

unlock locked accounts, 7-7

UPDATE privilege

revoking, 10-32

user authentication

methods, 7-2

user groups, 7-5

USER pseudocolumn, 5-9

use r security policy, 7-4

USERENV function, 13-1 1, 15-9, 16-8

USERENV namespace, 13-11, 13-12

usernames

OS, 7-8

schemas, 12-12

users

altering, 10-7

assigning unlimited quotas for, 10-5

auditing, 8-15

authentication

about, 7- 2, 9-1

authentication of, 4-1

changing default roles, 10-8

database authenticatio n, 9-1

default tablespaces, 10-3

dropping, 10-8

dropping profiles and, 10-14

dropping roles and, 10-24

enabling ro les for, 12-8

end-user security policies, 7-5

enterprise, 9-6, 10-23, 12-13

external authentication, 9-3

global, 9-5

listing, 10-9

listing privileges granted to, 10-42

listing roles granted to, 10-42

managing, 10-1

network authentication, 9-5

objects after dropping, 10-8

operating system authentication, 9-4

p assword encryption, 4-8, 7-5

password sec urity, 7-4

policies for managing privileges, 7-5

privileges for changing passwords, 10-7

privil eges for creating, 10-2

privileges for dropping, 10-8

proxy authentication and authorization, 9-8

PUBLIC group, 10-34

PUBLIC user group, 5-2 4

restricting application roles, 13-19

roles and, 5-20

for types of users, 5-22

schema-independent, 9-6, 12-13

security and, 7-2

security domains of, 5-23

security for general users, 7-4

specifying user names, 10-3

tablespace quotas, 10-4

viewing information on, 10-11

viewing memory use, 10-12

viewing tablespace quotas, 10-11

UTC, i-xxxviii

UTL_FILE, 7-26

UTL_HTTP, 7-26

UTL_SMTP , 7-26

UTL_TCP, 7-26

UTLPWDMG.SQL, 4-10, 7-16

formatting of password complexity verification routine, 7-16

V

valid node checking, 2-11, 7-31

view, 5-7

views, 7-3

auditing, 8-10

privileges for, 5-8

security applications of, 5-8

V irtual Private Database

new features, i-xxxvi
virtual private database (VPD), 3-6, 12-4, 13-2, 13-5, 13-20

column-level VPD, 14-40

defined, 13-2

policies, 13-6

VPD

column masking behavior, 13-4

column masking re strictions, 14-43

objects it applies to, 13-4

sec_relevant_cols parameter, 13-4

see virtual private database

sel_relevant_cols_opt parameter, 13-4

with flashback query, 14-47

VPD default behavior, 14-41

VPD policies

dynamic, 14-37

testing with dynamic policy type, 14-37

vulnerable data behind firewalls, 2- 10, 7-29

vulnerable run-time call, 7-27

made more secure, 7-27

W

Wallet Manager, 4-5

wallets, 4-5

WHERE, 7-4

WHERE clause, dynamic SQL, 13-3

Windows operating system

OS audit trail, 11-7, 11-12

WK_TEST, 7-23

WKPROXY, 7-23

WKSYS, 7-23

WMSYS, 7-23

X

X.509 certificates, 7-24

X.509 Version 3 certificates, 4-5

XDB, 7-23

Index

Symbols

Numerics

A

B

C

D

E

F

G

H hacked operating systems or applications, 2-8 harden operating system, 7-32 hash keyed, i-xxxviii hash algorithms, i-xxxviii HOST attribute, 13- 13 HR, 7-22 HS_ADMIN_ROLE role, 10-19 HTTP potentially malicious data transmissions, 7-26 request and retrieve arbitrary data, 7-26 HTTPS port, 2-7

I

K

L

M

N

O

P

R

T

U

V

W

X