Create Custom Security Policies

Create Custom Security Policies

1. Under Security center, click Security policies.
2. Click Create security policy.
3. Enter a name and description for the security policy.
4. Select which compartment the security policy will be available and stored in.
5. Click Create.

An empty security policy will be created. You must then add unified audit policies to this security policy and set the configuration .

Add Unified Audit Policies to Custom Security Policies

Add unified audit policies to security policies to collect audit data on target databases.

1. Under Security center, click Security policies.
2. Click the Custom security policies tab.
3. Click the security policy you want to add unified audit policies to.
4. Under Resources, click Unified audit policies.
5. Click Add unified audit policies.
6. Enter the audit policy name, description, and select the compartment the unified audit policy will be stored in.
7. Select a unified audit policy definition.
8. Configure the audit conditions for All users, Only a specific set of users and/or roles, or All users except a specific set of users.
9. If applicable based on the previous step, select the users/roles to be included or excluded and the conditions for their auditing.

   Tip:

   Ensure that any attribute sets are populated in order for the audit policy to work as expected.

   You may select multiple users or roles at once. However, they must come from the same database to be selected at the same time. You may also add additional users or roles by selecting from the lists and clicking Add for each entry. You must select the type, target database (if applicable), and operation status for each.

   When adding users you use the target database drop-down to filter the list of available users. However any selected user names are independent of the database. For example, if user JOE appears in database1 and database2, assuming the policy is deployed to both these databases, JOE's activity will be audited in both databases regardless of which database was selected when adding JOE to the list of users to include.

   Note:

   Only one attribute set may be used in a unified audit policy and attributes sets can only be used to define included users/roles.
10. If applicable, determine when to audit based on operation success or failure.
11. Click Add.

Import Audit Policies Into a Security Policy

You can import existing audit policies on a target database to a security policy which can then be deployed to several target databases.

1. Under Security center, click Security policies.
2. Under Related resources, click Unified audit policies.
3. Click the Target Summary tab.
4. Click on the target you want to use the audit policies from.
5. Select the unified audit policy(ies) that you want to import into a security policy.
6. Click Import audit policies into Data Safe.
7. Select which existing security policy you want to add the audit policy(ies) to or create a new security policy for the selected audit policy(ies).
8. Click Import.

   Do not click out of import panel until the action is complete.

The security policy can then be deployed to any number of target databases and will retain the same audit policy configuration.

Edit the Configuration of a Custom Security Policy

Edit if the activity of the Data Safe user is excluded or included in unified audit policies. Additionally, you can edit the SQL Firewall configuration.

1. Under Security center, click Security policies.
2. Click on a custom security policy from the Custom security policies tab.
3. Click Edit config.
4. Set the unified audit policy and SQL Firewall configurations as desired.

   Note:

   Excluded the Data Safe user for audit policies will fail for the following instances:

   • RDBMS mandatory auditing
   • Compliance policies, such as STIG and CIS
   • Any custom audit policies that are provisioned exclusively on the Data Safe user
   • Any audit policies that audit a role that is already assigned to the Data Safe user
   • Audit records generated by a traditional audit trail

   For the SQL Firewall configuration to affect a target database, you must edit the configuration of the security policy that is automatically created when an Oracle Database 23ai target is registered.

5. Click Save.