Index


A

access control
data encryption, 6.2.2
enforcing, 5.2.1
Oracle Label Security, 6.5.1
administrative accounts
about, 3.2.1
access, 5.2.2
passwords, 3.6
predefined, listed, 3.2.1
administrators
privileges for listener.ora file, 5.2.2
restricting access of, 6.6
separation of duty, 6.6.1
ANONYMOUS user, 3.2.1
ANY system privilege, protecting data dictionary, 2.3.2
APEX_PUBLIC_USER user, 3.2.2
application contexts
Oracle Virtual Private Database, used with, 6.4.1
audit files
archiving and purging, 7.6.3
operating system file, writing to, 7.4.2
audit records
types, 7.3
viewing, 7.3
audit trail
DB setting, 7.4.2
XML file output, 7.4.2
auditing
about, 7.1
DDL statements, 7.4.4
default security setting, modified by, 7.4.3
DML statements, 7.4.4
fine-grained auditing, 7.1
guidelines, security, 7.6
historical information, 7.6.3
keeping information manageable, 7.6.2
monitoring user actions, 7.1
privilege audit options, 7.4.5
reasons to audit, 7.2
Sarbanes-Oxley Act
default auditing, 7.6.1
requirements, 7.4.3.1
suspicious activity, 7.6.4
viewing audit records, 7.3
where recorded, 7.3
authentication
certificate, 5.2.1
client, 5.2.1
remote, 5.2.1
strong, 3.7
user, 5.2.1
AUTHID CURRENT_USER invoker's rights clause, 4.5.2.5

B

BFILEs
restricting access, 2.4
BI user, 3.2.3

C

certificate authentication, 5.2.1
certificates for user and server authentication, 5.2.1
client connections
stolen, 5.2.1
client guidelines, 5.2.1
configuration files
listener.ora
administering listener remotely, 5.2.2
sample, 5.2.2
CONNECT role, privilege available to, 4.4
CONNECT statement
AS SYSDBA privilege, connecting with, 2.3.2
connections
AS SYSDBA privilege, 2.3.2
securing, 5.2
SYS user, 4.2
CREATE ANY TABLE statement, 4.2
CREATE DBLINK statement, 4.4
CREATE EXTERNAL JOB privilege
default security setting, modified by, 2.2
CREATE SESSION statement, 4.4
CREATE TABLE statement, auditing, 7.4.4
CTXSYS user, 3.2.1

D

data definition language
auditing, 7.4.4
data dictionary
about, 2.3.1
securing, 2.3.2
data dictionary views
DBA_USERS, 3.7
DBA_USERS_WITH_DEFPWD, 3.5
data files
restricting access, 2.4
data manipulation language, auditing, 7.4.4
database
restarting, 7.5.2
shutting down, 7.5.2
starting, 7.5.2
database accounts
See user accounts
Database Configuration Assistant
auditing by default, 7.4.3.1
default passwords, changing, 3.6
Oracle Database Vault, installing, 6.6.2.1
Oracle Label Security, installing, 6.5.3.1
Database Control
See Oracle Enterprise Manager Database Control
DBA_USERS data dictionary view, 3.7
DBA_USERS_WITH_DEFPWD data dictionary view, 3.5
DBCA
See Database Configuration Assistant
DBSNMP user
about, 3.2.1
passwords, default, 3.6
default passwords
administrative accounts, using with, 3.6
importance of changing, 3.5
default permissions, 2.4
default security settings
about, 2.2
enabling, 2.2
Denial of Service (DoS) attacks
audit trail, writing to operating system file, 7.4.2
networks, addressing, 5.2.2
See also security attacks
DIP user, 3.2.2
disabling unnecessary services, 5.2.2
DROP ANY TABLE statement, 2.3.2
DROP TABLE statement, auditing, 7.4.4

E

encryption
about, 6.2.1
algorithms, described, 5.3.2
components, 6.2.1
data transfer, 5.2.2
network, 5.3
network traffic, 5.2.2
reasons not to encrypt, 6.2.2
reasons to encrypt, 6.2.2
Enterprise Edition, 3.7
errors
WHEN NO_DATA_FOUND exception example, 4.5.2.5
examples
user session information, retrieving with SYS_CONTEXT, 6.4.2.4
See also tutorials
exceptions
WHEN NO_DATA_FOUND example, 4.5.2.5
EXFSYS user, 3.2.1
external tables, 2.4

F

files
audit
archiving, 7.6.3
DoS attacks, recommendations, 7.4.2
configuration, 5.2.2
listener.ora, 5.2.2
restrict listener access, 5.2.2
restricting access, 2.4
symbolic links, restricting, 2.4
fine-grained auditing, 7.1
firewalls
Axent, 5.2.2
CheckPoint, 5.2.2
Cisco, 5.2.2
database server, keeping behind, 5.2.2
Firewall-1, 5.2.2
Gauntlet, 5.2.2
guidelines, 5.2.2
Network Associates, 5.2.2
PIX Firewall, 5.2.2
Raptor, 5.2.2
supported
packet-filtered, 5.2.2
proxy-enabled, 5.2.2
FLOWS_30000 user, 3.2.2
FLOWS_FILES user, 3.2.2
FTP service
disabling, 5.2.2

G

GRANT ALL PRIVILEGES privilege, 2.3.2
guidelines for security
auditing
audited information, managing, 7.6.2
database activity, typical, 7.6.3
default auditing, 7.6.1
client connections, 5.2.1
database activity, suspicious, 7.6.4
network connections, 5.2.2
operating system access to database, 2.4
operating system accounts, limiting privileges, 2.4
operating system users, limiting number of, 2.4
Oracle home default permissions, disallowing modifying of, 2.4
Oracle Label Security policies, planning, 6.5.2
passwords
administrative, 3.6
creating, 3.4
management, enforcing, 3.7
privileges, granting, 4.2
PUBLIC role, privileges, 4.3
roles, granting to users, 4.4
run-time facilities, granting permissions to, 2.5
symbolic links, restricting, 2.4

H

HR user, 3.2.3

I

identity theft
See security attacks
initialization parameters
AUDIT_FILE_DESTINATION, 7.7
AUDIT_SYS_OPERATIONS, 7.7
AUDIT_SYSLOG_LEVEL, 7.7
AUDIT_TRAIL, 7.7
configuration related, 2.6
default security, modified by, 2.2
FAILED_LOGIN_ATTEMPTS, 3.8
installation related, 2.6
MAX_ENABLED_ROLES, 4.6
modifying, 2.6.1
O7_DICTIONARY_ACCESSIBILITY
about, 2.6
data dictionary, protecting, 2.3.2
default setting, 2.3.2
setting in Database Control, 2.3.2
OS_AUTHENT_PREFIX, 5.4
OS_ROLES, 4.6
PASSWORD_GRACE_TIME, 3.8
PASSWORD_LIFE_TIME, 3.8
PASSWORD_LOCK_TIME, 3.8
PASSWORD_REUSE_MAX, 3.8
PASSWORD_REUSE_TIME, 3.8
REMOTE_LISTENER, 5.4
REMOTE_OS_AUTHENT, 5.2.1, 5.4
REMOTE_OS_ROLES, 4.6, 5.4
SEC_CASE_SENSITIVE_LOGIN, 3.8
SEC_MAX_FAILED_LOGIN_ATTEMPTS, 3.8
SEC_RETURN_SERVER_RELEASE_BANNER, 2.6
SQL92_SECURITY, 4.6
invoker's rights, 4.5.2.5
IP addresses
falsifying, 5.2.2
guidelines, 5.2.1
IX user, 3.2.3

K

Kerberos authentication
password management, 3.7

L

LBACSYS user, 3.2.1
least privilege principle, 4.2
listener
not an Oracle owner, 5.2.2
preventing online administration, 5.2.2
restrict privileges, 5.2.2
secure administration, 5.2.2
listener.ora file
administering remotely, 5.2.2
online administration, preventing, 5.2.2
log files
restricting access, 2.4

M

MDDATA user, 3.2.2
MDSYS user, 3.2.1
MGMT_VIEW user, 3.2.1
monitoring
See auditing
multiplex multiple-client network sessions, 5.2.2
multitier environments, auditing, 7.4.6
My Oracle Support
about, Preface

N

Net8 network utility
See Oracle Net
network activity
auditing, 7.4.8
network authentication services, 3.7
smart cards, 3.7
token cards, 3.7
X.509 certificates, 3.7
network encryption
about, 5.3.1
components, 5.3.1
configuring, 5.3.2
network IP addresses, 5.2.2
network security
Denial of Service attacks, addressing, 5.2.2
guidelines for clients, 5.2.1

O

object privileges, 4.2
OE user, 3.2.3
OLAPSYS user, 3.2.1
operating system access, restricting, 2.4
operating system account privileges, limiting, 2.4
operating system users, limiting number of, 2.4
operating systems
compromised, 5.2.1
default permissions, 2.4
Oracle Advanced Security
authentication protection, 3.7
network traffic encryption, 5.2.2
Oracle Connection Manager
firewall configuration, 5.2.2
Oracle Database Vault
about, 6.6.1
components, 6.6.1
installing, 6.6.2.1
registering with database, 6.6.2.1
regulatory compliances, how meets, 6.6.1
tutorial, 6.6.2
Oracle Enterprise Manager Database Control
about, 1.3
starting, 2.3.2
Oracle home
default permissions, disallowing modifying of, 2.4
Oracle Java Virtual Machine (OJVM), 2.5
Oracle Label Security (OLS)
about, 6.5.1
compared with Oracle Virtual Private Database, 6.3
components, 6.5.1
guidelines in planning, 6.5.2
how it works, 6.5.1
installing, 6.5.3.1
tutorial, 6.5.3
used with Oracle Virtual Private Database, 6.3
Oracle MetaLink
See My Oracle Support
Oracle Net
encrypting network traffic, 5.3.2
firewall support, 5.2.2
Oracle Virtual Private Database (VPD)
about, 6.4.1
advantages, 6.4.1
application contexts, 6.4.1
compared with Oracle Label Security, 6.3
components, 6.4.1
tutorial, 6.4.2
used with Oracle Label Security, 6.3
Oracle Wallet Manager
wallet, creating, 6.2.4.1
with transparent data encryption, 6.2.4.2
ORACLE_OCM user, 3.2.2
ORDPLUGINS user, 3.2.1
ORDSYS user, 3.2.1
OUTLN user, 3.2.1
OWBSYS user, 3.2.1

P

passwords
administrative, 3.6
administrative user, 3.6
changing, 3.5
complexity, 3.7
default security setting, modified by, 2.2
default user account, 3.5
history, 3.7
length, 3.7
management, 3.7
management rules, 3.7
profiles
enabling default settings, 7.4.3.2
SYS user, 3.6
SYSTEM user, 3.6
passwords for security
requirements, 3.4
permissions
default, 2.4
run-time facilities, 2.5
PM user, 3.2.3
principle of least privilege, 4.2
privileges
about, 4.1
auditing, 7.4.5
CREATE DBLINK statement, 4.4
system
ANY, 2.3.2
DROP ANY TABLE, 2.3.2
SELECT ANY DICTIONARY, 2.3.2
SYSTEM and OBJECT, 4.2
using proxies to audit, 7.4.6
PUBLIC role, revoking unnecessary privileges and roles, 4.3

R

remote authentication, 5.2.1
REMOTE_OS_AUTHENT initialization parameter, 5.2.1
roles
CONNECT, 4.4
create your own, 4.4
job responsibility privileges only, 4.4
root file paths
for files and packages outside the database, 2.5
run-time facilities, restricting permissions, 2.5

S

Sarbanes-Oxley Act
auditing requirements, 7.4.3.1
default auditing, 7.6.1
schema objects, auditing, 7.4.7
SCOTT user
about, 3.2.3
restricting privileges of, 4.4
sec_admin example security administrator
creating, 4.5.2.1
removing, 7.5.5
secure application roles
about, 4.5.1
advantages, 4.5.1
components, 4.5.1
invoker's rights, 4.5.2.5
tutorial, 4.5.2
user environment information from SYS_CONTEXT SQL function, 4.5.2.5
Secure Sockets Layer (SSL)
administering listener remotely, 5.2.2
certificates, enabling for user and server, 5.2.1
security administrator
example of creating, 4.5.2.1
removing sec_admin, 7.5.5
security attacks
applications, 5.2.1
client connections, 5.2.1
Denial of Service, 5.2.2
eavesdropping, 5.2.1
falsified IP addresses, 5.2.1
falsified or stolen client system identities, 5.2.1
network connections, 5.2.2
security tasks, common, 1.2
SELECT ANY DICTIONARY privilege
data dictionary, accessing, 2.3.2
GRANT ALL PRIVILEGES privilege, not included in, 2.3.2
sensitive data
Oracle Label Security, 6.5.1
Oracle Virtual Private Database, 6.4.1
secure application roles, 4.5.1
separation of duty concepts, 4.5.2.1
separation-of-duty principles
about, 6.6.1
Oracle Database Vault, 6.6.2.2
session information, retrieving, 6.4.1
SH user, 3.2.3
SI_INFORMTN_SCHEMA user, 3.2.1
smart cards, 3.7
SPATIAL_CSW_ADMIN_USR user, 3.2.2
SPATIAL_WFS_ADMIN_USR user, 3.2.2
SQL statements
auditing, 7.4.4
using proxies to audit, 7.4.6
SQL*Net network utility, 5.2.2
standard auditing
about, 7.4.1
auditing by default, 7.4.3.1
enabling or disabling audit trail, 7.4.2
in multitier environment, 7.4.6
network activity, 7.4.8
privileges, 7.4.5
proxies, 7.4.6
schema objects, 7.4.7
SQL statements, 7.4.4
tutorial, 7.5
strong authentication, 3.7
symbolic links, restricting, 2.4
SYS user
about, 3.2.1
password use, 3.6
SYS_CONTEXT SQL function
example, 6.4.2.4
validating users, 4.5.2.5
SYS.AUD$ database audit trail table
about, 7.4.2
DB (database) option, 7.5.1
DB, EXTENDED option, 7.4.2
XML, EXTENDED option, 7.4.2
SYSDBA system privilege, 7.5.2
SYSMAN user
about, 3.2.1
password use, 3.6
passwords, default, 3.6
SYS-privileged connections, 4.2
system administrator
See administrative accounts, security administrator
system identities, stolen, 5.2.1
system privileges, 4.2
ANY, 2.3.2
DROP ANY TABLE statement, 2.3.2
SELECT ANY DICTIONARY, 2.3.2
SYSTEM user
about, 3.2.1
password use, 3.6

T

tablespaces
encrypting, 6.2.4.4.2
TCP ports
closing for ALL disabled services, 5.2.2
TCPS protocol
Secure Sockets Layer, used with, 5.2.2
TDE
See transparent data encryption
TELNET service, disabling, 5.2.2
TFTP service
disabling, 5.2.2
token cards, 3.7
trace files, restricting access, 2.4
transparent data encryption
about, 6.2.3
advantages, 6.2.3
components, 6.2.3
configuring, 6.2.4
how it works, 6.2.3
performance effects, 6.2.3
storage space, 6.2.3
table columns
checking in database instances, 6.2.5.3
checking individual tables, 6.2.5.2
encrypting, 6.2.4.4.1
tablespaces
checking, 6.2.5.4
tablespaces, encrypting, 6.2.4.4.2
wallets, 6.2.4.2
TSMSYS user, 3.2.1
tutorials
Oracle Database Vault, 6.6.2
Oracle Label Security, 6.5.3
Oracle Virtual Private Database, 6.4.2
secure application roles, 4.5.2
standard auditing, 7.5

U

UDP ports
closing for ALL disabled services, 5.2.2
user accounts
about, 3.1
administrative user passwords, 3.6
default, changing password, 3.5
expiring, 3.3
finding information about, 3.7
locking, 3.3
password requirements, 3.4
predefined
administrative, 3.2.1
non-administrative, 3.2.2
sample schema, 3.2.3
securing, 3
unlocking, 3.3
user accounts, predefined
ANONYMOUS, 3.2.1
APEX_PUBLIC_USER, 3.2.2
BI, 3.2.3
CTXSYS, 3.2.1
DBSNMP, 3.2.1
DIP, 3.2.2
EXFSYS, 3.2.1
FLOWS_30000, 3.2.2
FLOWS_FILES, 3.2.2
HR, 3.2.3
IX, 3.2.3
LBACSYS, 3.2.1
MDDATA, 3.2.2
MDSYS, 3.2.1
MGMT_VIEW, 3.2.1
OE, 3.2.3
OLAPSYS, 3.2.1
ORACLE_OCM, 3.2.2
ORDPLUGINS, 3.2.1
ORDSYS, 3.2.1
OUTLN, 3.2.1
OWBSYS, 3.2.1
PM, 3.2.3
SCOTT, 3.2.3, 4.4
SH, 3.2.3
SI_INFORMTN_SCHEMA, 3.2.1
SPATIAL_CSW_ADMIN_USR, 3.2.2
SPATIAL_WFS_ADMIN_USR, 3.2.2
SYS, 3.2.1
SYSMAN, 3.2.1
SYSTEM, 3.2.1
TSMSYS, 3.2.1
WK_TEST, 3.2.1
WKPROXY, 3.2.1
WKSYS, 3.2.1
WMSYS, 3.2.1
XDB, 3.2.1
XS$NULL, 3.2.2
user session information, retrieving, 6.4.1

V

valid node checking, 5.2.2
views
See data dictionary views
Virtual Private Database
See Oracle Virtual Private Database
VPD
See Oracle Virtual Private Database
vulnerable run-time call, 2.5
made more secure, 2.5

W

WK_TEST user, 3.2.1
WKPROXY user, 3.2.1
WKSYS user, 3.2.1
WMSYS user, 3.2.1

X

X.509 certificates, 3.7
XDB user, 3.2.1
XS$NULL user, 3.2.2