Security Policies Overview

Learn why you should use security policies and what permissions you need to use them.

About Security Policies

Security Policies lets you create, deploy, and manage audit policies across target database groups and individual target databases from one place.

Each security policy should have at least one unified audit policy assigned to it. A security policy can then be deployed to target database groups and individual target databases. After deploying a security policy to a target database group or target database, the associated unified audit policies will be applied to the database(s). After a security policy has been deployed to a target database group, whenever a target is added to or removed from the group, the unified audit policies associated with the security policy will automatically be added to or removed from the target. After an audit trail collection is started, the audit data can be viewed in Activity Auditing.

A number of Oracle predefined security policies are available for immediate use, or you can create custom security policies. A custom security policy can be built from the Oracle predefined audit policies, from audit policies that you import from an existing target database, or from custom audit policies that you create from the available unified audit policy definitions.

Terms in Security Policies

Learn the terms used in Security Policies.

  • Security policy: A Data Safe resource that stores unified audit policy configurations. Security policies allow you to easily apply unified audit policies to multiple target database groups and/or target databases at once.

  • Unified audit policy: Consists of a unified audit policy definition and the audit conditions associated with that definition. Audit conditions determine which users the audit policy applies to and which of their operations are audited.

  • Unified audit policy definition: Defines what actions in the database will be audited.

    For example, the COMMON_USER_LOGON audit policy definition applies the following statement to your targets. The audit conditions you specify in the unified audit policy then determine which users and operations it applies to.

    CREATE AUDIT POLICY common_user_logons ACTIONS LOGON CONTAINER=ALL

  • Security policy deployment: Defines which target database groups and/or target databases a security policy is deployed to. When a security policy is deployed to a database, the audit policies defined by the security policy become applicable to that database.
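The split between "definition" and "audit conditions" above is exactly the split the database itself makes between CREATE AUDIT POLICY and AUDIT POLICY. The following SQL is an added example, not code from the Data Safe documentation or from Data Safe itself, showing that split directly on a target database, plus the queries you can run on the target to confirm which unified audit policies are defined and enabled after a deployment. The policy name remote_logons, the user names C##SEC_ADMIN and C##APP_ADMIN, and the 10.0.5.% address range are assumptions for illustration. It assumes you are connected to CDB$ROOT as a common user holding the AUDIT_ADMIN role, which CONTAINER = ALL requires.

```sql
-- Added example; not from the Data Safe documentation.
-- Assumes: connected to CDB$ROOT as a common user with AUDIT_ADMIN.
-- C##SEC_ADMIN, C##APP_ADMIN, remote_logons and 10.0.5.% are placeholders.

-- 1. Unified audit policy DEFINITION: what is audited.
--    This is the statement behind the COMMON_USER_LOGON definition shown above.
CREATE AUDIT POLICY common_user_logons
  ACTIONS LOGON
  CONTAINER = ALL;

-- A definition may carry a condition of its own, evaluated once per session
-- here: only logons that did NOT come from the application tier's subnet.
CREATE AUDIT POLICY remote_logons
  ACTIONS LOGON
  WHEN 'SYS_CONTEXT(''USERENV'', ''IP_ADDRESS'') NOT LIKE ''10.0.5.%'''
  EVALUATE PER SESSION
  CONTAINER = ALL;

-- 2. Audit CONDITIONS: who the policy applies to and when it records.
--    A definition records nothing until it is enabled with AUDIT POLICY.
AUDIT POLICY common_user_logons BY C##SEC_ADMIN, C##APP_ADMIN;   -- named admins only
AUDIT POLICY remote_logons WHENEVER NOT SUCCESSFUL;              -- every user, failures only

-- 3. Verify: what is defined, and for whom it is enabled.
--    A policy deployed by Data Safe shows up in these same two views.
SELECT policy_name, audit_option, audit_option_type, audit_condition, common
  FROM audit_unified_policies
 WHERE policy_name IN ('COMMON_USER_LOGONS', 'REMOTE_LOGONS');

SELECT policy_name, enabled_option, entity_name, success, failure
  FROM audit_unified_enabled_policies
 WHERE policy_name IN ('COMMON_USER_LOGONS', 'REMOTE_LOGONS');

-- 4. Read the records. UNIFIED_AUDIT_TRAIL is where the audit trail
--    collection picks them up before they appear in Activity Auditing.
SELECT event_timestamp, dbusername, action_name, return_code, unified_audit_policies
  FROM unified_audit_trail
 WHERE unified_audit_policies LIKE '%LOGONS%'
 ORDER BY event_timestamp DESC
 FETCH FIRST 20 ROWS ONLY;

-- 5. Tear down: disable first (NOAUDIT mirrors the AUDIT clause), then drop.
NOAUDIT POLICY common_user_logons BY C##SEC_ADMIN, C##APP_ADMIN;
NOAUDIT POLICY remote_logons;
DROP AUDIT POLICY common_user_logons;
DROP AUDIT POLICY remote_logons;
```

The useful check for a practitioner is the second query: AUDIT_UNIFIED_POLICIES tells you a definition exists, but only AUDIT_UNIFIED_ENABLED_POLICIES tells you whether it is actually switched on, for which users, and for successful or failed operations. A policy that appears in the first view and not the second generates no audit records, which is the most common reason a freshly deployed policy shows nothing in Activity Auditing.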

Oracle Predefined Security Policies

The following list describes the Oracle predefined security policies.

  • Admin activity auditing: Audits all activities for users who have admin privileges or roles.

  • Basic auditing: Audits critical activities, for example when a user, role, or profile is created, modified, or dropped; user logon and logoff; and schema changes in the database.

  • Center for Internet Security (CIS) audit recommendations: Audits the activities that the Center for Internet Security (CIS) recommends.

  • Center for Internet Security (CIS) audit recommendations (26ai and above): Audits the activities that the Center for Internet Security (CIS) recommends and that apply to Oracle AI Database 26ai and above.

  • Oracle predefined audit policies: A set of predefined best practice audit policies provided by the Oracle Database. They cover audit settings that are commonly relevant to security.

  • Oracle predefined audit policies (Autonomous Database): A set of predefined audit policies provided by the Oracle Autonomous Database. They cover audit settings that are commonly relevant to security.

  • Oracle predefined audit policies (introduced in 21c): A set of predefined audit policies for the Oracle Database 21c. They cover audit settings that are commonly relevant to security.

  • Oracle predefined audit policies (introduced in 26ai): A set of predefined audit policies for the Oracle AI Database 26ai. They cover audit settings that are commonly relevant to security.

  • Oracle predefined audit policies (mandatory): A set of predefined audit policies provided by the Oracle Database that cannot be disabled. They cover audit settings that are commonly relevant to security.

  • Security Technical Implementation Guide (STIG) audit configuration: Audits the activities that the Security Technical Implementation Guide (STIG) recommends.

  • Security Technical Implementation Guide (STIG) audit configuration (26ai and above): Audits the activities that the Security Technical Implementation Guide (STIG) recommends and that apply to Oracle AI Database 26ai and above.

  • User activity auditing: Audits all user-initiated activities by users who may have access to sensitive data or broader access to the database.

Prerequisites for Security Policies

These are the prerequisites for using Security Policies:

  • Register the target databases that you want to use with Security Policies.

  • Grant the Audit Collection and Audit Setting roles on the target database. A Database Administrator can grant these roles to the Oracle Data Safe Service Account on the target database.

    Tip: Non-Autonomous Databases will need to re-run the privilege script even if the Data Safe service account already has the AUDIT_COLLECTION and AUDIT_SETTING roles.

  • Obtain permission in Oracle Cloud Infrastructure Identity and Access Management (IAM) to use the Security Policies feature in Oracle Data Safe. An OCI administrator can grant use or manage permission as needed on the following resources:

    • data-safe-unified-audit-policies

    • data-safe-unified-audit-policy-definition

    • data-safe-security-policies

    • data-safe-security-policy-config

    • data-safe-security-policy-deployments

    • data-safe-attribute-sets

As an alternative to granting permissions resource by resource, you can grant permissions on data-safe-audit-family or data-safe-unified-audit-policy-family in the relevant compartments; either family includes permissions on all of the resources above. See data-safe-audit-family Resource or data-safe-unified-audit-policy-family.
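The following policy statements are an added example, written in the OCI IAM policy language, of how the resource-level grants above can be split by duty rather than handed out as one family grant. They are not taken from the Data Safe documentation. The group names SecurityAuditors and DataSafeAdmins and the compartment name DataSafeProd are assumptions; substitute your own. In OCI, use allows reading and updating an existing resource but not creating or deleting it, while manage allows the full lifecycle, so the first group can review and apply policies that already exist without being able to change what they audit.

```text
Allow group SecurityAuditors to use data-safe-security-policies in compartment DataSafeProd
Allow group SecurityAuditors to read data-safe-security-policy-deployments in compartment DataSafeProd
Allow group SecurityAuditors to read data-safe-unified-audit-policies in compartment DataSafeProd
Allow group SecurityAuditors to read data-safe-unified-audit-policy-definition in compartment DataSafeProd

Allow group DataSafeAdmins to manage data-safe-unified-audit-policies in compartment DataSafeProd
Allow group DataSafeAdmins to manage data-safe-unified-audit-policy-definition in compartment DataSafeProd
Allow group DataSafeAdmins to manage data-safe-security-policies in compartment DataSafeProd
Allow group DataSafeAdmins to manage data-safe-security-policy-config in compartment DataSafeProd
Allow group DataSafeAdmins to manage data-safe-security-policy-deployments in compartment DataSafeProd
Allow group DataSafeAdmins to manage data-safe-attribute-sets in compartment DataSafeProd
```

The six DataSafeAdmins statements can be collapsed into a single "Allow group DataSafeAdmins to manage data-safe-unified-audit-policy-family in compartment DataSafeProd", which is what the paragraph above describes. The trade-off is that the family grant cannot be narrowed per resource type, so keep the per-resource form wherever a group should be able to deploy policies but not author them, and scope each statement to a compartment rather than the tenancy.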

Security Policy Workflow

The general steps for creating and deploying security policies for target databases depend on whether you are using predefined or custom security policies.

  1. Register target databases and create target database groups as needed. See the following:

  2. If you are using a predefined security policy, deploy the security policy to the desired target database group(s) and target database(s). See Deploy Security Policies.

  3. If you are using a custom security policy, follow these steps:

    a) Create a custom security policy. See Create Custom Security Policies.

    b) Set the security policy's configuration. See Edit the Configuration of a Custom Security Policy.

    c) Add or import unified audit policies to the security policy. See the following:

    d) Deploy the security policy to the desired target database group(s) and target database(s). See Deploy Security Policies.