Index

A B C D E F G H I K L M N O P R S T U V W X

A

access control

data encryption, 6.2.2

enforcing, 5.2.1

Oracle Label Security, 6.4.1

administrative accounts

about, 3.2.1

access, 5.2.2

passwords, 3.6

predefined, listed, 3.2.1

administrators

privileges for listener.ora file, 5.2.2

restricting access of, 6.5

separation of duty, 6.5.1

ANONYMOUS user, 3.2.1

ANY system privilege, protecting data dictionary, 2.3.2

APEX_PUBLIC_USER user, 3.2.2

application contexts

Oracle Virtual Private Database, used with, 6.3.1

audit files

archiving and purging, 7.6.3

operating system file, writing to, 7.4.2

audit records

types, 7.3

viewing, 7.3

audit trail

DB setting, 7.4.2

XML file output, 7.4.2

auditing

about, 7.1

DDL statements, 7.4.4

default security setting, modified by, 7.4.3

DML statements, 7.4.4

fine-grained auditing, 7.1

guidelines, security, 7.6

historical information, 7.6.3

keeping information manageable, 7.6.2

monitoring user actions, 7.1

privilege audit options, 7.4.5

reasons to audit, 7.2

Sarbanes-Oxley Act

default auditing, 7.6.1

requirements, 7.4.3.1

suspicious activity, 7.6.4

viewing audit records, 7.3

where recorded, 7.3

authentication

certificate, 5.2.1

client, 5.2.1, 5.2.1

remote, 5.2.1, 5.2.1

strong, 3.7

user, 5.2.1

AUTHID CURRENT USER invoker's rights clause, 4.5.2.5

B

BFILEs

restricting access, 2.4

BI user, 3.2.3

C

certificate authentication, 5.2.1

certificate key algorithm, Secure Sockets Layer, 5.2.3

certificates for user and server authentication, 5.2.1

cipher suites, Secure Sockets Layer, 5.2.3

client connections

stolen, 5.2.1

client guidelines, 5.2.1

configuration files, 5.2.3, 5.2.3

listener.ora

administering listener remotely, 5.2.2

sample, 5.2.2

tnsnames.ora, 5.2.3

typical directory, 5.2.3, 5.2.3

CONNECT role, privilege available to, 4.4

CONNECT statement

AS SYSDBA privilege, connecting with, 2.3.2

connections

AS SYSDBA privilege, 2.3.2

securing, 5.2

SYS user, 4.2

CREATE ANY TABLE statement, 4.2

CREATE DBLINK statement, 4.4

CREATE EXTERNAL JOB privilege

default security setting, modified by, 2.2

CREATE SESSION statement, 4.4

CREATE TABLE statement, auditing, 7.4.4

CTXSYS user, 3.2.1

D

data definition language

auditing, 7.4.4

data dictionary

about, 2.3.1

securing, 2.3.2

data dictionary views

DBA_USERS, 3.7

DBA_USERS_WITH_DEFPWD, 3.5

data files

restricting access, 2.4

data manipulation language, auditing, 7.4.4

database

restarting, 7.5.2

shutting down, 7.5.2

starting, 7.5.2

database accounts

See user accounts

Database Configuration Assistant

auditing by default, 7.4.3.1

default passwords, changing, 3.6

Oracle Database Vault, installing, 6.5.2.1

Oracle Label Security, installing, 6.4.3.1

Database Control

See Oracle Enterprise Manager Database Control

DBA_USERS data dictionary view, 3.7

DBA_USERS_WITH_DEFPWD data dictionary view, 3.5

DBCA

See Database Configuration Assistant

DBSNMP user

about, 3.2.1

passwords, default, 3.6

default passwords

administrative accounts, using with, 3.6

importance of changing, 3.5

default permissions, 2.4

default security settings

about, 2.2

enabling, 2.2

Denial of Service (DoS) attacks

audit trail, writing to operating system file, 7.4.2

networks, addressing, 5.2.2

E

encryption

about, 6.2.1

algorithms, described, 5.3.2

components, 6.2.1

data transfer, 5.2.2

network, 5.3

network traffic, 5.2.2

reasons not to encrypt, 6.2.2

reasons to encrypt, 6.2.2

Enterprise Edition, 3.7

examples

Oracle Label Security, 6.4.3

Oracle Virtual Private Database, 6.3.2

secure application roles, 4.5.2

standard auditing, 7.5

user session information, retrieving with SYS_CONTEXT, 6.3.2.4

EXECUTE privilege, 4.3

EXFSYS user, 3.2.1

external tables, 2.4

F

files

audit

archiving, 7.6.3

DoS attacks, recommendations, 7.4.2

configuration, 5.2.2

listener.ora, 5.2.2, 5.2.3

restrict listener access, 5.2.2

restricting access, 2.4

server.key, 5.2.3

symbolic links, restricting, 2.4

tsnames.ora, 5.2.3

fine-grained auditing, 7.1

firewalls

Axent, 5.2.2

CheckPoint, 5.2.2

Cisco, 5.2.2

database server, keeping behind, 5.2.2

Firewall-1, 5.2.2

Gauntlet, 5.2.2

guidelines, 5.2.2

Network Associates, 5.2.2

PIX Firewall, 5.2.2

ports, 5.2.3

Raptor, 5.2.2

supported

packet-filtered, 5.2.2

proxy-enabled, 5.2.2

FLOWS_30000 user, 3.2.2

FLOWS_FILES user, 3.2.2

FTP service

disabling, 5.2.2

G

GRANT ALL PRIVILEGES privilege, 2.3.2

guidelines for security

auditing, security, 7.6

operating system accounts, limiting privileges, 2.4

operating system users, limiting number of, 2.4

Oracle home default permissions, disallowing modifying of, 2.4

passwords, 3.4

Secure Sockets Layer

mode, 5.2.3

TCPS protocol, 5.2.3

symbolic links, restricting, 2.4

H

HR user, 3.2.3

HTTPS port, 5.2.3

I

identity theft

See security attacks

initialization parameters

AUDIT_FILE_DESTINATION, 7.7

AUDIT_SYS_OPERATIONS, 7.7

AUDIT_SYSLOG_LEVEL, 7.7

AUDIT_TRAIL, 7.7

configuration related, 2.6

default security, modified by, 2.2

FAILED_LOGIN_ATTEMPTS, 3.8

installation related, 2.6

MAX_ENABLED_ROLES, 4.6

modifying, 2.6.1

O7_DICTIONARY_ACCESSIBILITY

about, 2.6

data dictionary, protecting, 2.3.2

default setting, 2.3.2

setting in Database Control, 2.3.2

OS_AUTHENT_PREFIX, 5.4

OS_ROLES, 4.6

PASSWORD_GRACE_TIME, 3.8

PASSWORD_LIFE_TIME, 3.8

PASSWORD_LOCK_TIME, 3.8

PASSWORD_REUSE_MAX, 3.8

PASSWORD_REUSE_TIME, 3.8

REMOTE_LISTENER, 5.4

REMOTE_OS_AUTHENT, 5.2.1, 5.4

REMOTE_OS_ROLES, 4.6, 5.4

SEC_CASE_SENSITIVE_LOGIN, 3.8

SEC_MAX_FAILED_LOGIN_ATTEMPTS, 3.8

SEC_RETURN_SERVER_RELEASE_BANNER, 2.6

SQL92_SECURITY, 4.6

invoker's rights, 4.5.2.5

IP addresses

falsifying, 5.2.2

guidelines, 5.2.1

IX user, 3.2.3

K

Kerberos authentication

password management, 3.7

L

LBACSYS user, 3.2.1

least privilege principle, 4.2, 4.2

listener

establishing a password, 5.2.2

not an Oracle owner, 5.2.2

preventing online administration, 5.2.2

restrict privileges, 5.2.2, 5.2.2

secure administration, 5.2.2

listener.ora file

administering remotely, 5.2.2

default location, 5.2.3

online administration, preventing, 5.2.2

TCPS, securing, 5.2.3

log files

restricting access, 2.4

M

MDDATA user, 3.2.2

MDSYS user, 3.2.1

MGMT_VIEW user, 3.2.1

monitoring

See auditing

multiplex multiple-client network sessions, 5.2.2

multitier environments, auditing, 7.4.6

N

Net8 network utility

See Oracle Net

network activity

auditing, 7.4.8

network authentication services, 3.7

smart cards, 3.7

token cards, 3.7

X.509 certificates, 3.7

network encryption

about, 5.3.1

components, 5.3.1

configuring, 5.3.2

network IP addresses, 5.2.2

network security

Denial of Service attacks, addressing, 5.2.2

guidelines for clients, 5.2.1

Secure Sockets Layer guidelines, 5.2.3

O

object privileges, 4.2

OE user, 3.2.3

OLAPSYS user, 3.2.1

operating system access, restricting, 2.4

operating system account privileges, limiting, 2.4

operating system users, limiting number of, 2.4

operating systems

compromised, 5.2.1

default permissions, 2.4

Oracle Advanced Security

authentication protection, 3.7

network traffic encryption, 5.2.2

Oracle Connection Manager

firewall configuration, 5.2.2

Oracle Database Vault

about, 6.5.1

components, 6.5.1

example, 6.5.2

installing, 6.5.2.1, 6.5.2.1

registering with database, 6.5.2.1

regulatory compliances, how meets, 6.5.1

Oracle Enterprise Manager Database Control

about, 1.3

starting, 2.3.2

Oracle home

default permissions, disallowing modifying of, 2.4

Oracle Java Virtual Machine (OJVM), 2.5

Oracle Label Security (OLS)

about, 6.4.1

components, 6.4.1

example, 6.4.3

guidelines in planning, 6.4.2

how it works, 6.4.1

installing, 6.4.3.1

Oracle Net

encrypting network traffic, 5.3.2

firewall support, 5.2.2

Oracle Virtual Private Database (VPD)

about, 6.3.1

advantages, 6.3.1

application contexts, 6.3.1

components, 6.3.1

example, 6.3.2

Oracle Wallet Manager

wallet, creating, 6.2.4.1

with transparent data encryption, 6.2.4.2

ORACLE_OCM user, 3.2.2

ORDPLUGINS user, 3.2.1

ORDSYS user, 3.2.1

OUTLN user, 3.2.1

OWBSYS user, 3.2.1

P

pass phrase

read and parse server.key file, 5.2.3

passwords

administrative, 3.6

administrative user, 3.6

changing, 3.5

complexity, 3.7

default security setting, modified by, 2.2

default user account, 3.5

history, 3.7

length, 3.7

listener, establishing for, 5.2.2

management, 3.7

management rules, 3.7

profiles

enabling default settings, 7.4.3.2

SYS user, 3.6

SYSTEM user, 3.6

passwords for security

requirements, 3.4

permissions

default, 2.4

run-time facilities, 2.5

PM user, 3.2.3

principle of least privilege, 4.2, 4.2

privileges

about, 4.1

auditing, 7.4.5, 7.4.5

CREATE DBLINK statement, 4.4

system

ANY, 2.3.2

DROP ANY TABLE, 2.3.2

SELECT ANY DICTIONARY, 2.3.2

SYSTEM and OBJECT, 4.2

using proxies to audit, 7.4.6

PUBLIC user, 3.2.2

PUBLIC user group, revoking unnecessary privileges and roles, 4.3

R

remote authentication, 5.2.1, 5.2.1

REMOTE_OS_AUTHENT initialization parameter, 5.2.1

roles

CONNECT, 4.4

create your own, 4.4

job responsibility privileges only, 4.4

root file paths

for files and packages outside the database, 2.5

RSA private key, 5.2.3

run-time facilities, restricting permissions, 2.5

S

Sarbanes-Oxley Act

auditing requirements, 7.4.3.1

default auditing, 7.6.1

schema objects, auditing, 7.4.7

SCOTT user

about, 3.2.3

restricting privileges of, 4.4

sec_admin example security administrator

creating, 4.5.2.1

removing, 7.5.5

secure application roles

about, 4.5.1

advantages, 4.5.1

components, 4.5.1

example, 4.5.2

invoker's rights, 4.5.2.5

user environment information from SYS_CONTEXT SQL function, 4.5.2.5

Secure Sockets Layer (SSL)

administering listener remotely, 5.2.2

certificate key algorithm, 5.2.3

certificates, enabling for user and server, 5.2.1

cipher suites, 5.2.3

configuration files, securing, 5.2.3

guidelines for security, 5.2.3

mode, 5.2.3

pass phrase, 5.2.3

RSA private key, 5.2.3

server.key file, 5.2.3

TCPS, 5.2.3

security administrator

example of creating, 4.5.2.1

removing sec_admin, 7.5.5

security attacks

applications, 5.2.1

client connections, 5.2.1

Denial of Service, 5.2.2

eavesdropping, 5.2.1

falsified IP addresses, 5.2.1

falsified or stolen client system identities, 5.2.1

network connections, 5.2.2

Secure Sockets Layer connections, 5.2.3

security tasks, common, 1.2

SELECT ANY DICTIONARY privilege

data dictionary, accessing, 2.3.2

GRANT ALL PRIVILEGES privilege, not included in, 2.3.2

sensitive data

Oracle Label Security, 6.4.1

Oracle Virtual Private Database, 6.3.1

secure application roles, 4.5.1

separation of duty concepts, 4.5.2.1

separation-of-duty principles

about, 6.5.1

Oracle Database Vault, 6.5.2.2

server.key file

pass phrase to read and parse, 5.2.3

session information, retrieving, 6.3.1

SH user, 3.2.3

SI_INFORMTN_SCHEMA user, 3.2.1

smart cards, 3.7

SPATIAL_CSW_ADMIN_USR user, 3.2.2

SPATIAL_WFS_ADMIN_USR user, 3.2.2

SQL statements

auditing, 7.4.4

using proxies to audit, 7.4.6

SQL*Net network utility, 5.2.2

SSL

See Secure Sockets Layer

standard auditing

about, 7.4.1

auditing by default, 7.4.3.1

enabling or disabling audit trail, 7.4.2

example, 7.5

in multitier environment, 7.4.6

network activity, 7.4.8

privileges, 7.4.5

proxies, 7.4.6, 7.4.6

schema objects, 7.4.7

SQL statements, 7.4.4

strong authentication, 3.7

symbolic links, restricting, 2.4

SYS user

about, 3.2.1

password use, 3.6

SYS_CONTEXT SQL function

example, 6.3.2.4

validating users, 4.5.2.5

SYS.AUD$ database audit trail table

about, 7.4.2

DB (database) option, 7.5.1

DB, EXTENDED option, 7.4.2

XML, EXTENDED option, 7.4.2

SYSDBA system privilege, 7.5.2

SYSMAN user

about, 3.2.1

password use, 3.6

passwords, default, 3.6

SYS-privileged connections, 4.2

system administrator

See administrative accounts, security administrator

system identities, stolen, 5.2.1

system privileges, 4.2

ANY, 2.3.2

DROP ANY TABLE statement, 2.3.2

SELECT ANY DICTIONARY, 2.3.2

SYSTEM user

about, 3.2.1

password use, 3.6

T

tablespaces

encrypting, 6.2.4.4.2

TCP ports

closing for ALL disabled services, 5.2.2

TCPS protocol

Secure Sockets Layer, used with, 5.2.2

tnsnames.ora file, used in, 5.2.3

TDE

See transparent data encryption

TELNET service, disabling, 5.2.2

TFTP service

disabling, 5.2.2

token cards, 3.7

trace files restricting access, 2.4

transparent data encryption

about, 6.2.3

advantages, 6.2.3

components, 6.2.3

configuring, 6.2.4

how it works, 6.2.3

performance effects, 6.2.3

storage space, 6.2.3

table columns

checking in database instances, 6.2.5.3

checking individual tables, 6.2.5.2

encrypting, 6.2.4.4.1

tablespaces

checking, 6.2.5.4

tablespaces, encrypting, 6.2.4.4.2

wallets, 6.2.4.2

TSMSYS user, 3.2.1

tsnames.ora

guidelines, 5.2.3

typical directory, 5.2.3

U

UDP ports

closing for ALL disabled services, 5.2.2

user accounts

about, 3.1

administrative user passwords, 3.6

default, changing password, 3.5

expiring, 3.3

finding information about, 3.7

locking, 3.3

password requirements, 3.4

predefined

administrative, 3.2.1

non-administrative, 3.2.2

sample schema, 3.2.3

securing, 3

unlocking, 3.3

user accounts, predefined

ANONYMOUS, 3.2.1

APEX_PUBLIC_USER, 3.2.2

BI, 3.2.3

CTXSYS, 3.2.1

DBSNMP, 3.2.1

DIP, 3.2.2

EXFSYS, 3.2.1

FLOWS_30000, 3.2.2

FLOWS_FILES, 3.2.2

HR, 3.2.3

IX, 3.2.3

LBACSYS, 3.2.1

MDDATA, 3.2.2

MDSYS, 3.2.1

MGMT_VIEW, 3.2.1

OE, 3.2.3

OLAPSYS, 3.2.1

ORACLE_OCM, 3.2.2

ORDPLUGINS, 3.2.1

ORDSYS, 3.2.1

OUTLN, 3.2.1

OWBSYS, 3.2.1

PM, 3.2.3

PUBLIC, 3.2.2

SCOTT, 3.2.3, 4.4

SH, 3.2.3

SI_INFORMTN_SCHEMA, 3.2.1

SPATIAL_CSW_ADMIN_USR, 3.2.2

SPATIAL_WFS_ADMIN_USR, 3.2.2

SYS, 3.2.1

SYSMAN, 3.2.1

SYSTEM, 3.2.1

TSMSYS, 3.2.1

WK_TEST, 3.2.1

WKPROXY, 3.2.1

WKSYS, 3.2.1

WMSYS, 3.2.1

XDB, 3.2.1

XS$NULL, 3.2.2

user session information, retrieving, 6.3.1

V

valid node checking, 5.2.2

views

See data dictionary views

Virtual Private Database

See Oracle Virtual Private Database

VPD

See Oracle Virtual Private Database

vulnerable run-time call, 2.5

made more secure, 2.5

W

WK_TEST user, 3.2.1

WKPROXY user, 3.2.1

WKSYS user, 3.2.1

WMSYS user, 3.2.1

X

X.509 certificates, 3.7

XDB user, 3.2.1

XS$NULL user, 3.2.2