1. Index

Index

Symbols  Numerics  A  B  C  D  E  F  G  H  I  J  K  L  M  N  O  P  Q  R  S  T  U  V  W  X  

Symbols

  • "all permissions" A.3

Numerics

  • 12C password hash version
  • 12C password version

A

  • about 6.1.1, 7.8.1
  • about connection 6.2.1
  • ACCEPT_MD5_CERTS sqlnet.ora parameter F.5
  • ACCEPT_SHA1_CERTS sqlnet.ora parameter F.5
  • access configuration, DBCA 6.2.2.7.3
  • access configuration, silent mode 6.2.2.7.4
  • access configuration, system parameters 6.2.2.7.2
  • access control
  • access control list (ACL) 8.5.1
    • examples
      • external network connection for email alert 26.5.8.1
      • external network connections 8.7
      • wallet access 8.7
    • external network services
      • about 8.2
      • advantages 8.1
      • affect of upgrade from earlier release 8.4
      • email alert for audit violation tutorial 26.5.8.1
      • finding information about 8.13
      • network hosts, using wildcards to specify 8.8
      • ORA-06512 error 8.12
      • ORA-24247 error 8.12
      • ORA-24247 errors 8.4
      • order of precedence, hosts 8.9
      • port ranges 8.10
      • privilege assignments, about 8.11.1
      • privilege assignments, database administrators checking 8.11.2
      • privilege assignments, users checking 8.11.4
      • revoking privileges 8.5.4
    • wallet access
      • about 8.3
      • advantages 8.3
      • client certificate credentials, using 8.6.1
      • finding information about 8.13
      • non-shared wallets 8.6.1
      • password credentials 8.6.1
      • password credentials, using 8.6.1
      • revoking 8.6.5
      • revoking access 8.6.5
      • shared database session 8.6.1
      • wallets without sensitive information 8.6.1
      • wallets with sensitive information 8.6.1
  • ACCHK_READ role 4.10.2
  • accounting, RADIUS 23.4.4
  • account locking
  • activating checksumming and encryption 17.6.1
  • adapters 19.5
  • ADD_SSLV3_TO_DEFAULT sqlnet.ora parameter 22.9.1.7
  • ADG_ACCOUNT_INFO_TRACKING initialization parameter
    • guideline for securing A.11.1
  • ad hoc tools
    • database access, security problems of 4.10.7.1
  • ADM_PARALLEL_EXECUTE_TASK role
  • administrative accounts
  • administrative privileges
  • administrative user passwords
    • default, importance of changing A.4
  • administrative users
  • administrator privileges
    • access A.11.2
    • operating system authentication 3.3.3
    • passwords 3.3.4, A.4
    • SYSDBA and SYSOPER access, centrally controlling 3.3.2.1
    • write, on listener.ora file A.11.2
  • ADMIN OPTION
  • Advanced Encryption Standard (AES)
  • Advanced Networking Option (ANO) (Oracle native encryption) 17.6.3.3.1
  • AES256 algorithm
    • converting to in Oracle wallets F.6.2.7
  • alerts, used in fine-grained audit policy 26.5.8.1
  • algorithms
    • weaker keys E.8
  • ALTER ANY LIBRARY statement
    • security guidelines A.3
  • ALTER DATABASE DICTIONARY DELETE CREDENTIALS statement 10.5.2
  • ALTER DATABASE DICTIONARY ENCRYPT CREDENTIALS statement 10.5.2
  • ALTER DATABASE DICTIONARY REKEY CREDENTIALS statement 10.5.2
  • altering users 2.3.1
  • ALTER PROCEDURE statement
    • used for compiling procedures 4.15.4
  • ALTER PROFILE statement
  • ALTER RESOURCE COST statement 2.4.4.6, 2.4.4.7
  • ALTER ROLE statement
    • changing authorization method 4.10.3.5
  • ALTER SESSION statement
  • ALTER USER privilege 2.3.1
  • ALTER USER statement
  • ANO encryption
  • anonymous 22.9.1.3.1
  • ANONYMOUS user account 2.6.2
  • ANSI operations
    • Oracle Virtual Private Database affect on 12.5.3
  • ANY system privilege
    • guidelines for security A.7
  • application common users
  • application containers
    • application contexts 11.1.6
    • Transport Layer Security 22.1.2
    • Virtual Private Database policies 12.1.6
  • application contexts 11.4.1
    • See also: client session-based application contexts, database session-based application contexts, global application contexts
  • application developers
  • applications
    • about security policies for 10.1
    • database users 10.2.1
    • enhancing security with 4.10.1.3
    • object privileges 10.11.1
    • object privileges permitting SQL statements 10.11.2
    • One Big Application User authentication
    • Oracle Virtual Private Database, how it works with 12.5.4
    • password handling, guidelines 10.3.1.2
    • password protection strategies 10.3
    • privileges, managing 10.6
    • roles
      • multiple 4.10.1.5
      • privileges, associating with database roles 10.9
    • security 4.10.7, 10.2.2
    • security considerations for use 10.2
    • security limitations 12.5.4
    • security policies 12.3.7.3
    • validating with security policies 12.3.7.5
  • application security
    • finding privilege use by users 5.1.2.1
    • restricting wallet access to current application 8.6.1
    • revoking access control privileges from Oracle wallets 8.6.5
    • sharing wallet with other applications 8.6.1
    • specifying attributes 11.3.3.3
  • application users who are database users
    • Oracle Virtual Private Database, how it works with 12.5.10
  • APPQOSSYS user account 2.6.2
  • architecture 6.1.3
  • archiving
  • ASMSNMP user account 2.6.2
  • asymmetric key operations 16.4
  • asynchronous authentication mode in RADIUS 23.3.2
  • attacks
    • See: security attacks
  • AUDIT_ADMIN role 4.10.2
  • AUDIT_VIEWER role 4.10.2
  • audit files
    • operating system audit trail
    • operating system file
    • standard audit trail
  • auditing 26.2
    • See also: unified audit policies
    • administrators, Database Vault 26.3.14.2
    • audit configurations 26.1, 26.3.21.2
    • audit options 26.2
    • audit policies 26.1, 26.3.21.2
    • audit trail, sensitive data in A.13
    • CDBs 25.9
    • committed data A.13.2
    • common objects 26.1, 26.3.21.2
    • cursors, affect on auditing 27.1.3
    • databases, when unavailable 27.1.8
    • database user names 3.6
    • Database Vault administrators 26.3.14.2
    • disk space size for unified audit records 27.1.4
    • distributed databases and 25.10
    • DV_ADMIN role user 26.3.14.2
    • DV_OWNER role user 26.3.14.2
    • finding information about audit management 27.4
    • finding information about usage 26.6
    • fine-grained
      • See fine-grained auditing 26.5.1
    • functions 26.3.7.11
    • functions, Oracle Virtual Private Database 26.3.7.13
    • general steps
      • commonly used security-relevant activities 26.2.2
      • specific fine-grained activities 26.2.3
      • SQL statements and other general activities 26.2.1
    • general steps for 26.2
    • guidelines for security A.13
    • historical information A.13.2
    • INHERIT PRIVILEGE privilege 7.5.8
    • keeping information manageable A.13.1
    • loading audit records to unified audit trail 27.1.8
    • mandatory auditing 27.1.2
    • multitier environments
      • See standard auditing 26.3.9
    • One Big Application User authentication, compromised by 10.2.1
    • operating-system user names 3.6
    • Oracle Virtual Private Database policy functions 26.3.7.13
    • packages 26.3.7.11
    • performance 25.3
    • PL/SQL packages 26.3.7.11
    • predefined policies
      • general steps for using 26.2.2
    • privileges required 25.8
    • procedures 26.3.7.11
    • purging records
    • range of focus 26.2
    • READ object privileges in policies 26.3.8.2
    • READ privileges
    • recommended settings A.13.5
    • Sarbanes-Oxley Act
      • auditing, meeting compliance through 25.1
    • SELECT privileges
    • sensitive data A.13.4
    • suspicious activity A.13.3
    • traditional 26.3.21.3
    • triggers 26.3.7.11
    • unified audit trail
    • VPD predicates
    • when audit options take effect 27.1.1
    • when records are created 27.1.1
  • auditing, purging records
  • audit policies 25.1
    • See also: unified audit policies
  • audit policies, application contexts
  • audit records
    • when written to OS files 27.1.7
  • audit trail
    • archiving 27.2.2
    • capturing syslog records 27.1.6.2
    • capturing Windows Event Viewer records 27.1.6.2
    • finding information about audit management 27.4
    • finding information about usage 26.6
    • SYSLOG records 27.1.6.1
    • unified
  • AUDSYS user account 2.6.2
  • AUTHENTICATEDUSER role 4.10.2
  • authentication 3.2.1, 19.5
    • See also: passwords, proxy authentication
    • about 3.1
    • administrators
      • operating system 3.3.3
      • passwords 3.3.4
      • SYSDBA and SYSOPER access, centrally controlling 3.3.2.1
    • by database 3.4
    • by SSL 3.9.2.1
    • client A.11.1
    • client-to-middle tier process 3.13.1.8
    • configuring multiple methods 24.3
    • database administrators 3.3.1
    • databases, using
    • directory-based services 3.7.2.4
    • directory service 3.9.2
    • external authentication
    • global authentication
    • methods 19.4
    • middle-tier authentication
    • modes in RADIUS 23.3
    • multitier 3.11
    • network authentication
      • third-party services 3.7.2.1
      • Transport Layer Security 3.7.1
    • One Big Application User, compromised by 10.2.1
    • operating system authentication 3.8.1
    • operating system user in PDBs 3.8.1
    • ORA-28040 errors 3.2.8.3
    • PDBs 3.8.1
    • proxy user authentication
    • public key infrastructure 3.7.2.5
    • RADIUS 3.7.2.3
    • remote A.11.1
    • schema-only accounts 3.5
    • schema-only accounts, users created with 3.5.1
    • security guideline A.5
    • specifying when creating a user 2.2.5
    • strong A.4
    • SYSDBA on Windows systems 3.3.3
    • Windows native authentication 3.3.3
  • AUTHENTICATION parameter C.2.2
  • authentication types 6.1.4
  • AUTHID DEFINER clause
    • used with Oracle Virtual Private Database functions 12.1.4
  • authorization
  • automatic reparse
    • Oracle Virtual Private Database, how it works with 12.5.5

B

  • banners
    • auditing user actions, configuring 10.12.5
    • unauthorized access, configuring 10.12.5
  • BFILEs
    • guidelines for security A.7
  • bind variables
  • BLOBS

C

  • CAPTURE_ADMIN role 4.10.2
  • cascading revokes 4.18.3
  • catpvf.sql script (password complexity functions) 3.2.6.2
  • CDB_DBA role 4.10.2
  • CDB common users
  • CDBs
  • Center for Internet Security (CIS) 26.4.5
    • ORA_CIS_PROFILE user profile 2.4.4.2
    • ORA_LOGON_LOGOFF predefined unified audit policy 26.4.6.3
  • centrally managed users
    • Oracle Autonomous Database 6.6
    • troubleshooting 6.7
  • certificate 22.4.2.2
  • certificate authority 22.4.2.1
  • certificate key algorithm
    • Transport Layer Security A.11.3
  • certificate revocation list (CRL)
  • certificate revocation lists 22.4.2.3
  • certificate revocation status checking
  • certificates 6.2.2.5
    • adding to wallet using orapki F.6.4
    • creating signed with orapki F.3
    • Oracle Real Application Clusters components that need certificates 22.10.3.1
  • certificate validation error message
    • CRL could not be found 22.13.7
    • CRL date verification failed with RSA status 22.13.7
    • CRL signature verification failed with RSA status 22.13.7
    • Fetch CRL from CRL DP
    • OID hostname or port number not set 22.13.7
  • challenge-response authentication in RADIUS 23.3.2
  • change_on_install default password A.4
  • character sets
    • role names, multibyte characters in 4.10.3.1
    • role passwords, multibyte characters in 4.10.4.1
  • Cipher Block Chaining (CBC) mode, defined 17.1.2
  • cipher suites
  • Cipher Suites
    • FIPS 140-2 settings E.3.2
  • ciphertext data
  • CLIENT_IDENTIFIER USERENV attribute 3.13.2.4
    • See also: USERENV namespace
    • setting and clearing with DBMS_SESSION package 3.13.2.6
    • setting with OCI user session handle attribute 3.13.2.5
  • client authentication in TLS 22.9.1.5
  • client connections
  • CLIENTID_OVERWRITE event 3.13.2.6
  • client identifier
    • setting for applications that use JDBC 3.13.2.5
  • client identifiers 11.4.2
    • See also: nondatabase users
    • about 3.13.2.1
    • auditing users 26.3.9
    • consistency between DBMS_SESSION.SET_IDENTIFIER and DBMS_APPLICATION_INFO.SET_CLIENT_INFO 3.13.2.6
    • global application context, independent of 3.13.2.4
    • setting with DBMS_SESSION.SET_IDENTIFIER procedure 11.4.3
  • client session-based application contexts 11.5.1
    • See also: application contexts
    • about 11.5.1
    • CLIENTCONTEXT namespace, clearing value from 11.5.5
    • CLIENTCONTEXT namespace, setting value in 11.5.2
    • retrieving CLIENTCONTEXT namespace 11.5.3
  • CMU_WALLET database property
  • code based access control (CBAC)
    • about 7.7.1
    • granting and revoking roles to program unit 7.7.6
    • how works with definers rights 7.7.4
    • how works with invoker’s rights 7.7.3
    • privileges 7.7.2
    • tutorial 7.7.7
  • column masking behavior 12.3.6.4
  • columns
  • command line recall attacks 10.3.1.1, 10.3.1.4
  • committed data
  • common privilege grants 4.2.6, 4.2.10
  • common roles 4.9.2
  • common user accounts
  • common users
  • configuration
    • guidelines for security A.9
  • configuration files
  • configuring
  • connecting
    • with username and password 24.1
  • connection pooling
  • CONNECT role
  • CONTAINER_DATA objects
    • viewing information about 4.8.6
  • container database (CDB)
    • See: CDBs
  • container data objects
  • context profiles
    • privilege analysis 5.1.4
  • controlled step-in procedures 7.3
  • CPU time limit 2.4.2.3
  • CREATE ANY LIBRARY statement
    • security guidelines A.3
  • CREATE ANY PROCEDURE system privilege 4.15.3
  • CREATE CONTEXT statement
  • CREATE LOCKDOWN PROFILE statement 4.11.2, 4.11.7
  • CREATE PROCEDURE system privilege 4.15.3
  • CREATE PROFILE statement
  • CREATE ROLE statement 4.9.2
  • CREATE SCHEMA statement
  • CREATE SESSION statement
  • CREATE USER statement
    • explicit account locking 3.2.4.9
    • IDENTIFIED BY option 2.2.5
    • IDENTIFIED EXTERNALLY option 2.2.5
  • creating Oracle service directory user account 6.2.2.1
  • credentials
  • CRL 22.4.2.3
  • CRLAdmins directory administrative group F.9.7
  • CRLs
  • cryptographic hardware devices 22.4.2.5
  • cryptographic libraries
    • FIPS 140-2 E.1
  • CTXAPP role 4.10.2
  • CTXSYS user account 2.6.2
  • cursors
    • affect on auditing 27.1.3
    • reparsing, for application contexts 11.3.5
    • shared, used with Virtual Private Database 12.1.5
  • CWM_USER role 4.10.2

D

  • database administrators (DBAs)
    • access, controlling 16.1.2
    • authentication 3.3.1
    • malicious, encryption not solved by 16.1.2
  • Database Configuration Assistant (DBCA)
    • default passwords, changing A.4
    • user accounts, automatically locking and expiring A.3
  • database links 6.1.7
    • application contexts 11.3.4.6
    • application context support 11.3.10.1
    • authenticating with Kerberos 3.7.2.2
    • authenticating with third-party services 3.7.2.1
    • definer’s rights procedures 7.8.1
    • global user authentication 3.9.3
    • object privileges 4.12.1
    • operating system accounts, care needed 3.6
    • RADIUS not supported 23.1
    • sensitive credential data
      • about 14.1
      • data dictionary views 14.7
      • deleting 14.5
      • encrypting 14.3
      • multitenant environment 14.2
      • rekeying 14.4
      • restoring functioning of after lost keystore 14.6
    • session-based application contexts, accessing 11.3.4.6
  • databases
    • access control
      • password encryption 3.2.1
    • additional security products 1.2
    • authentication 3.4
    • database user and application user 10.2.1
    • default password security settings 3.2.4.5
    • default security features, summary 1.1
    • granting privileges 4.17
    • granting roles 4.17
    • limitations on usage 2.4.1
    • schema-only accounts 3.5
    • security and schemas 10.10
    • security embedded, advantages of 10.2.2
    • security policies based on 12.1.2.1
  • database session-based application contexts 11.3.1
    • See also: application contexts
  • database upgrades and CONNECT role A.14.2.1
  • data definition language (DDL)
  • data dictionary
  • data encryption and integrity parameters
    • about B.3.1
    • SQLNET.CRYPTO_CHECKSUM_CLIENT B.3.5
    • SQLNET.CRYPTO_CHECKSUM_SERVER B.3.4
    • SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT B.3.9
    • SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER B.3.8
    • SQLNET.ENCRYPTION_CLIENT B.3.3
    • SQLNET.ENCRYPTION_SERVER B.3.2
    • SQLNET.ENCRYPTION_TYPES_CLIENT B.3.7
    • SQLNET.ENCRYPTION_TYPES_SERVER B.3.6
  • Data Encryption Standard (DES)
    • DES40 encryption algorithm 17.1.3
    • Triple-DES encryption algorithm 17.1.3
  • data files A.7
    • guidelines for security A.7
  • data manipulation language (DML)
    • privileges controlling 4.13.1
  • DATAPUMP_EXP_FULL_DATABASE role 4.10.2
  • DATAPUMP_IMP_FULL_DATABASE role 4.10.2
  • data security
    • encryption, problems not solved by 16.1.3
  • DBA_CONTAINER_DATA data dictionary view 4.8.6.1
  • DBA_ROLE_PRIVS view
    • application privileges, finding 10.7
  • DBA_ROLES data dictionary view
  • DBA role
  • DBFS_ROLE role 4.10.2
  • DBMS_CREDENTIAL.CREATE_CREDENTIAL procedure 10.4.4
  • DBMS_CREDENTIAL package 3.8.2, 4.11.3
  • DBMS_CRYPTO package
    • asymmetric key operations 16.4
    • data encryption storage 16.3
    • examples 16.6.1
    • supported cryptographic algorithms 16.3
  • DBMS_CRYPTO PL/SQL package
    • enabling for FIPS 140-2 E.2
  • DBMS_FGA package
  • DBMS_NETWORK_ACL_ADMIN.REMOVE_HOST_ACE procedure 8.5.4
  • DBMS_PRIVILEGE_CAPTURE PL/SQL package 5.2.1
  • DBMS_RLS.ADD_POLICY
  • DBMS_RLS.ADD_POLICY procedure
    • transparent sensitive data protection polices 13.12.2
  • DBMS_SESSION.SET_CONTEXT procedure
  • DBMS_SESSION.SET_IDENTIFIER procedure
    • client session ID, setting 11.4.3
    • DBMS_APPLICATION.SET_CLIENT_INFO value, overwritten by 3.13.2.6
  • DBMS_SESSION package
  • DbNest
  • DBNEST_ENABLE initialization parameter 15.2.5.1
  • DBNEST_PDB_FS_CONF initialization parameter 15.2.5.1
  • DBSFWUSER user account 2.6.2
  • DBSNMP user account
  • DDL
    • See: data definition language
  • debugging
    • Java stored procedures 8.12
    • PL/SQL stored procedures 8.12
  • default command rules
    • ORA_DV_AUDPOL2 predefined audit policy for 26.4.9
  • default passwords A.4
    • change_on_install or manager passwords A.4
    • changing, importance of 3.2.4.2
    • finding 3.2.4.2
  • default permissions A.7
  • default profiles
  • default realms
    • ORA_DV_AUDPOL2 predefined audit policy for 26.4.9
  • default roles
  • defaults
  • default users
    • accounts A.3
    • Enterprise Manager accounts A.3
    • passwords A.4
  • definers’s rights, database links
  • definer’s rights
    • about 7.2
    • code based access control
      • about 7.7.1
      • granting and revoking roles to program unit 7.7.6
      • how code based access control works 7.7.4
    • compared with invoker’s rights 7.1
    • example of when to use 7.2
    • procedure privileges, used with 7.2
    • procedure security 7.2
    • schema privileges for 7.2
    • secure application roles 10.8.2.1
    • used with Oracle Virtual Private Database functions 12.1.4
    • views 7.6.1
  • definer’s rights, database links
    • grants of INHERIT ANY REMOTE PRIVILEGES 7.8.4
    • grants of INHERIT ANY REMOTE PRIVILEGES on connected user to current user, example 7.8.3
    • grants of INHERIT REMOTE PRIVILEGES to other users 7.8.2
    • revokes of INHERIT [ANY] REMOTE PRIVILEGES 7.8.5
    • revoking INHERIT REMOTE PRIVILEGES from PUBLIC, example 7.8.7
    • revoking INHERIT REMOTE PRIVILEGES on connecting user from procedure owner, example 7.8.6
    • tutorial 7.8.8.1
  • denial of service (DoS) attacks
    • about
  • denial-of-service (DoS) attacks
    • bad packets, preventing 10.12.1
    • networks, securing A.11.2
    • password concurrent guesses 3.2.1
  • Department of Defense Database Security Technical Implementation Guide 3.2.6.4, 3.2.6.5
  • DGPDB_INT user account 2.6.2
  • diagnostics
    • DIAGNOSTICS_CONTROL initialization parameter 4.7
    • restricting use to SYSDBA and ENABLE DIAGNOSTICS 4.7
  • dictionary tables
  • Diffie-Hellman 22.9.1.3.1
  • Diffie-Hellman key negotiation algorithm 17.5
  • DIP user account 2.6.3
  • directories
  • directory authentication, configuring for SYSDBA or SYSOPER access 3.3.2.2
  • directory-based services authentication 3.7.2.4
  • directory objects
    • granting EXECUTE privilege on 4.17.1.3
  • direct path load
    • fine-grained auditing effects on 26.5.1
  • disabling unnecessary services
  • dispatcher processes (Dnnn)
    • limiting SGA space for each session 2.4.2.5
  • distributed databases
  • DML
    • See: data manipulation language
  • driving context 11.6
  • DROP PROFILE statement
  • DROP ROLE statement
  • DROP USER statement
    • about 2.5.3
    • schema objects of dropped user 2.5.4
  • dsi.ora file
  • DVF schema
    • ORA_DV_AUDPOL predefined audit policy for 26.4.8
  • DVSYS schema
    • ORA_DV_AUDPOL predefined audit policy for 26.4.8
  • dynamic Oracle Virtual Private Database policy types 12.3.8.2
  • DYNAMIC policy type 12.3.8.2

E

  • ECB ciphertext encryption mode 16.5
  • editions
    • application contexts, how affects 11.1.5
    • fine-grained auditing packages, results in 11.4.6.2
    • global application contexts, how affects 11.4.6.2
    • Oracle Virtual Private Database packages, results in 11.4.6.2
  • EJBCLIENT role 4.10.2
  • EM_EXPRESS_ALL role 4.10.2
  • EM_EXPRESS_BASIC role 4.10.2
  • email alert example 26.5.8.1
  • encrypting information in 14.1
  • encryption
  • encryption and checksumming
  • encryption of data dictionary sensitive data 14.1
  • ENFORCE_CREDENTIAL configuration parameter
    • security guideline A.12
  • enterprise directory service 4.10.4.6
  • enterprise roles 3.9.1, 4.10.4.6
  • enterprise user management 10.2.1
  • enterprise users
    • centralized management 3.9.1
    • global role, creating 4.10.4.6
    • One Big Application User authentication, compromised by 10.2.1
    • proxy authentication 3.13.1.1
    • shared schemas, protecting users 10.10.2
  • Enterprise User Security
    • application context, globally initialized 11.3.11.3
    • proxy authentication
      • Oracle Virtual Private Database, how it works with 12.5.10
  • error messages
  • errors
  • example, basic 26.3.20.3
  • example, comparison 26.3.20.4
  • examples 12.4
    • See also: tutorials
    • access control lists
      • external network connections 8.7
      • wallet access 8.7
    • account locking 3.2.4.8
    • auditing GRANT operations 26.3.7.6
    • auditing REVOKE operations 26.3.7.6
    • auditing user SYS 26.3.5.5
    • audit trail, purging unified trail 27.3.6
    • data encryption
      • encrypting and decrypting BLOB data 16.6.3
      • encrypting and decrypting procedure with AES 256-Bit 16.6.2
    • directory objects, granting EXECUTE privilege on 4.17.1.3
    • encrypting procedure 16.6.1
    • Java code to read passwords 10.3.4
    • locking an account with CREATE PROFILE 3.2.4.8
    • login attempt grace period 3.2.4.14
    • nondatabase user authentication 11.4.6.7
    • passwords
    • privileges
    • procedure privileges affecting packages 4.15.5.2, 4.15.5.3
    • profiles, assigning to user 2.2.9
    • roles
    • secure external password store 3.2.9.2
    • session ID of user
    • system privilege and role, granting 4.17.1.2
    • tablespaces
    • type creation 4.16.5
    • users
  • exceptions
    • WHEN NO DATA FOUND, used in application context package 11.3.9.3
    • WHEN OTHERS, used in triggers
      • development environment (debugging) example 11.3.8
      • production environment example 11.3.7
  • Exclusive Mode
    • SHA-2 password hashing algorithm, enabling 3.2.8.2
  • EXECUTE_CATALOG_ROLE role
    • SYS schema objects, enabling access to 4.6.3.2
  • EXECUTE ANY LIBRARY statement
    • security guidelines A.3
  • EXEMPT ACCESS POLICY privilege
    • Oracle Virtual Private Database enforcements, exemption 12.5.7.2
  • EXP_FULL_DATABASE role
  • expiring a password
  • exporting data
    • direct path export impact on Oracle Virtual Private Database 12.5.7.2
    • policy enforcement 12.5.7.2
  • extended data objects
    • views and Virtual Private Database 12.3.2
  • external authentication
  • external network services
    • enabling listener for 8.5.2
  • external network services, fine-grained access to
    • See: access control list (ACL)
  • external network services, syntax for 8.5.1
  • external procedures
    • configuring extproc process for 10.4.4
    • credentials 10.4.1
    • DBMS_CREDENTIAL.CREATE_CREDENTIAL procedure 10.4.4
    • legacy applications 10.4.5
    • security guideline A.12
  • external roles 4.10.3.4
  • external tables A.7
  • extproc process

F

  • failed login attempts
  • fallback authentication, Kerberos 21.5
  • Federal Information Processing Standard (FIPS)
    • cryptography scenarios in database E.5
    • DBMS_CRYPTO package E.2
    • FIPS 140-2
      • Cipher Suites E.3.2
      • postinstallation checks E.6
      • SQLNET.FIPS_140 E.4.2
      • SSLFIPS_140 E.3.1
      • SSLFIPS_LIB E.3.1, E.4.2
      • verifying connections for DBMS_CRYPTO E.7.3
      • verifying connections for network native encryption E.7.2
      • verifying connections for TLS E.7.1
    • Transparent Data Encryption E.2
  • files
    • BFILEs
      • operating system access, restricting A.7
    • BLOB 16.2.6
    • keys 16.2.4.3
    • listener.ora file
    • restrict listener access A.11.2
    • server.key encryption file A.11.3
    • symbolic links, restricting A.7
    • tnsnames.ora A.11.3
  • fine-grained access control
    • See: Oracle Virtual Private Database (VPD)
  • fine-grained auditing
  • FIPS
    • weaker deprecated algorithm keys E.8
  • fips.ora file E.3.1, E.4.2
  • FIPS 140-2 cryptographic libraries
    • about E.1
    • native network encryption E.4.1
  • FIPS parameter
    • configuring E.3
  • firewalls
  • flashback query
    • Oracle Virtual Private Database, how it works with 12.5.6
  • forcetcp parameter in krb5.conf 21.1.6.4
  • foreign keys
    • privilege to use parent key 4.13.2
  • FTP protocol messages, auditing 26.3.19.1
  • FTP service A.11.2
  • functions

G

  • GATHER_SYSTEM_STATISTICS role 4.10.2
  • GLOBAL_AQ_USER_ROLE role 4.10.2
  • GLOBAL_EXTPROC_CREDENTIAL configuration parameter
  • global application contexts 11.4.1
    • See also: application contexts
  • global authentication
  • global authorization
  • global roles 4.10.3.4
  • global users 3.9.1
  • grace period for login attempts
  • grace period for password expiration 3.2.4.14
  • gradual database password rollover
    • about 3.2.5.1
    • actions permitted during 3.2.5.7
    • changing password during rollover period 3.2.5.5
    • changing password to begin rollover period 3.2.5.4
    • enabling 3.2.5.3
    • finding users who use old passwords 3.2.5.12
    • manually ending the password before rollover period 3.2.5.6
    • Oracle Data Guard 3.2.5.11
    • Oracle Data Pump exports 3.2.5.10
    • password change life cycle 3.2.5.2
    • passwords, compromised 3.2.5.9
    • server behavior after rollover ends 3.2.5.8
  • GRANT ALL PRIVILEGES statement
    • SELECT ANY DICTIONARY privilege, exclusion of A.7
  • GRANT ANY PRIVILEGE system privilege 4.6.2
  • GRANT CONNECT THROUGH clause
    • consideration when setting FAILED_LOGIN_ATTEMPTS parameter 3.2.4.3
    • for proxy authorization 3.13.1.5
  • granting privileges and roles
  • GRANT statement 4.17.1.1
  • GSMROOTUSER user account 2.6.2
  • guidelines
    • handling compromised passwords 3.2.5.9
  • guidelines for security
    • auditing A.13
    • custom installation A.9
    • data files and directories A.7
    • encrypting sensitive data A.7
    • guidelines for security
      • custom installation A.9
    • installation and configuration A.9
    • networking security A.11
    • operating system accounts, limiting privileges A.7
    • operating system users, limiting number of A.7
    • ORACLE_DATAPUMP access driver A.8
    • Oracle home default permissions, disallowing modification A.7
    • passwords A.4
    • PDBs A.10
    • products and options
      • install only as necessary A.9
    • sample schemas A.9
    • Sample Schemas
      • remove or relock for production A.9
      • test database A.9
    • symbolic links, restricting A.7
    • Transport Layer Security
    • user accounts and privileges A.3
    • Windows installations A.5

H

  • hackers
    • See: security attacks
  • handshake
  • how it works 6.1.2
  • HS_ADMIN_EXECUTE_ROLE role
  • HS_ADMIN_ROLE role
  • HS_ADMIN_SELECT_ROLE role
  • HTTP authentication
    • See: access control lists (ACL), wallet access
  • HTTP protocol messages, auditing 26.3.19.1
  • HTTPS
    • port, correct running on A.11.3
  • HTTP verifier removal A.4

I

  • IMP_FULL_DATABASE role
  • INACTIVE_ACCOUNT_TIME profile parameter 3.2.4.6
  • inactive user accounts, locking automatically 3.2.4.6
  • indexed data
  • indirectly granted roles 4.10.1.2
  • INHERIT ANY PRIVILEGES privilege
  • INHERIT ANY REMOTE PRIVILEGES 7.8.1
  • INHERIT PRIVILEGES privilege
  • INHERIT REMOTE PRIVILEGES
  • initialization parameter file
    • parameters for clients and servers using Kerberos C.1
    • parameters for clients and servers using RADIUS C.3
    • parameters for clients and servers using TLS C.2
  • initialization parameters
  • initial ticket, defined 21.1.9
  • INSERT privilege
  • installation
    • guidelines for security A.9
  • intruders
    • See: security attacks
  • invoker’s rights
    • about 7.3
    • code based access control
      • about 7.7.1
      • granting and revoking roles to program unit 7.7.6
      • how code based access control works 7.7.3
      • tutorial 7.7.7
    • compared with definer’s rights 7.1
    • controlled step-in 7.3
    • procedure privileges, used with 7.2
    • procedure security 7.3
    • secure application roles 10.8.2.1
    • secure application roles, requirement for enabling 10.8.2.1
    • security risk 7.5.1
    • views
      • about 7.6.1
      • finding user who invoked invoker’s right view 7.6.3
  • IP addresses

J

  • JAVA_ADMIN role 4.10.2
  • JAVA_RESTRICT initialization parameter
    • security guideline A.7
  • Java Byte Code Obfuscation 18.5
  • Java Database Connectivity (JDBC)
    • configuration parameters 18.6.1
    • Oracle extensions 18.2
    • thin driver features 18.3
  • JAVADEBUGPRIV role 4.10.2
  • Java Debug Wire Protocol (JDWP)
    • network access for debugging operations 8.12
  • JAVAIDPRIV role 4.10.2
  • Java schema objects
  • Java stored procedures
    • network access for debugging operations 8.12
  • JAVASYSPRIV role 4.10.2
  • JAVAUSERPRIV role 4.10.2
  • JDBC
    • See: Java Database Connectivity
  • JDBC connections
    • JDBC/OCI proxy authentication 3.13.1.1
    • JDBC Thin Driver proxy authentication
  • JDeveloper
    • debugging using Java Debug Wire Protocol 8.12
  • JMXSERVER role 4.10.2

K

  • Kerberos 19.4.1
    • authentication adapter utilities 21.2
    • authentication fallback behavior 21.5
    • configuring authentication 21.1, 21.1.6.1
    • configuring for database server 21.1.2
    • configuring for Windows Server Domain Controller KDC 21.4
    • connecting to database 21.3
    • interoperability with Windows Server Domain Controller KDC 21.4.1
    • kinstance 21.1.2
    • kservice 21.1.2
    • realm 21.1.2
    • sqlnet.ora file sample B.2
    • system requirements 19.6
  • Kerberos authentication 3.7.2.2
    • configuring for SYSDBA or SYSOPER access 3.3.2.3
    • password management A.4
  • Kerberos Key Distribution Center (KDC) 21.4
  • key generation
  • key storage
  • key transmission
  • kinstance (Kerberos) 21.1.2
  • krb5.conf
    • configuring TCP or UDP connection 21.1.6.4
  • kservice (Kerberos) 21.1.2

L

  • large objects (LOBs)
  • LBAC_DBA role 4.10.2
  • LBACSYS.ORA_GET_AUDITED_LABEL function
  • LBACSYS schema
    • ORA_DV_AUDPOL predefined audit policy for 26.4.8
  • LBACSYS user account 2.6.2
  • ldap.ora
    • which directory SSL port to use for no authentication 22.13.5.4
  • ldap.ora file
  • least privilege principle A.3
    • about A.3
    • granting user privileges A.3
    • middle-tier privileges 3.13.1.9
  • libraries
  • lightweight users
    • example using a global application context 11.4.8.1
    • Lightweight Directory Access Protocol (LDAP) 12.4.2.9
  • listener
    • endpoint
    • not an Oracle owner A.11.2
    • preventing online administration A.11.2
    • restrict privileges A.11.2
    • secure administration A.11.2
  • listener.ora file
    • administering remotely A.11.2
    • default location A.11.3
    • FIPS 140-2 Cipher Suite settings E.3.2
    • online administration, preventing A.11.2
    • Oracle wallet setting C.2.8
    • TCPS, securing A.11.3
  • lists data dictionary
    • See: views
    • data dictionary views
      • See: views
    • granting privileges and roles
      • finding information about 4.22.1
    • privileges
      • finding information about 4.22.1
    • roles
      • finding information about 4.22.1
    • views
  • LOB_SIGNATURE_ENABLE initialization parameter 10.5.1
  • LOBs
  • local privilege grants
  • local privileges
  • local roles 4.2.3, 4.9.9
  • local user accounts
  • local users
  • lock and expire
    • default accounts A.3
    • predefined user accounts A.3
  • lockdown profiles
  • lockdown profiles, PDB 4.11.1
  • locking inactive user accounts automatically 3.2.4.6
  • log files
    • owned by trusted user A.7
  • logical reads limit 2.4.2.4
  • logon triggers
    • externally initialized application contexts 11.3.5
    • for application context packages 11.3.5
    • running database session application context package 11.3.5
    • secure application roles 4.10.8
  • LOGSTDBY_ADMINISTRATOR role 4.10.2

M

  • malicious database administrators 16.1.2
    • See also: security attacks
  • manager default password A.4
  • managing roles with RADIUS server 23.4.8
  • materialized views
  • MD5 message digest algorithm 17.4
  • MDDATA user account 2.6.3
  • MDSYS user account 2.6.2
  • memory
  • MERGE INTO statement, affected by DBMS_RLS.ADD_POLICY statement_types parameter 12.3.4
  • metadata links
  • methods
    • privileges on 4.16
  • Microsoft Active Directory services 6.1.3, 6.1.4, 6.1.5, 6.2.1, 6.2.2.1, 6.2.2.5, 6.2.2.7.2, 6.2.2.7.3
    • about configuring connection 6.2.2.7.1
    • about password authentication 6.3.1.1
    • access, Kerberos authentication 6.3.2
    • access, PKI authentication 6.3.3
    • access configuration, Oracle wallet verification 6.2.2.8
    • access configuration, testing integration 6.2.2.9
    • account policies 6.5
    • administrative user configuration, exclusive mapping 6.4.6.2
    • administrative user configuration, shared access accounts 6.4.6.1
    • dsi.ora file, about 6.2.2.4.2
    • dsi.ora file, compared with ldap.ora 6.2.2.4.1
    • extending Active Directory schema 6.2.2.2
    • ldap.ora file, about 6.2.2.4.4
    • ldap.ora file, compared with dsi.ora 6.2.2.4.1
    • ldap.ora file, creating 6.2.2.4.3, 6.2.2.4.5
    • logon user name with password authentication 6.3.1.3
    • multitenant users, how affected 6.1.6
    • user authorization, about 6.4.1
    • user authorization, mapping Directory user group to global role 6.4.3
    • user authorization, verifying 6.4.7
    • user management, altering mapping definition 6.4.5
    • user management, exclusively mapping Directory user to database global user 6.4.4
    • user management, mapping group to shared global user 6.4.2
    • user management, migrating mapping definition 6.4.5
  • Microsoft Active Directory services integration 6.1.1, 6.1.2, 6.1.7
  • Microsoft Directory Access services 6.2.2.7.4
  • Microsoft Windows
    • Kerberos
      • configuring for Windows Server Domain Controller KDC 21.4
  • middle-tier systems
  • mining models
  • mixed mode auditing capabilities 25.7.4
  • mkstore utility
    • SQL*Loader object store credentials 3.2.9.7
  • monitoring user actions 25.1
    • See also: auditing, standard auditing, fine-grained auditing
  • multiplex multiple-client network sessions A.11.2
  • multitenant container database (CDB)
    • See: CDBs
  • multitenant option
    • centrally managed users, how affected 6.1.6
  • My Oracle Support
    • security patches, downloading A.2.1
    • user account for logging service requests 2.6.3

N

  • native network encryption
    • compared with Transport Layer Security 17.1.4
    • FIPS 140-2 E.4.1
    • FIPS library location setting (SSLFIPS_LIB) E.4.2
    • FIPS mode setting (FIPS_140) E.4.2
  • native network encryption and integrity
  • native network enryption
  • nCipher hardware security module
    • using Oracle Net tracing to troubleshoot 22.14.4.1
  • Net8
    • See: Oracle Net
  • Netscape Communications Corporation 22.1
  • network authentication
    • guidelines for securing A.4
    • roles, granting using 4.20.1
    • smart cards A.4
    • third-party services 3.7.2.1
    • token cards A.4
    • Transport Layer Security 3.7.1
    • X.509 certificates A.4
  • network connections
  • network encryption
  • network IP addresses
    • guidelines for security A.11.2
  • network traffic encryption A.11.2
  • nondatabase users 11.4.2
    • See also: application contexts, client identifiers

O

  • obfuscation 18.5
  • object privileges 4.12.1, A.3
    • See also: schema object privileges
  • objects
    • applications, managing privileges in 10.11
    • granting privileges 10.11.2
    • privileges
    • protecting in shared schemas 10.10.2
    • protecting in unique schemas 10.10.1
    • SYS schema, access to 4.6.3.2
  • object types
  • OEM_ADVISOR role 4.10.2
  • OEM_MONITOR role 4.10.2
  • OFB ciphertext encryption mode 16.5
  • OJVMSYS user account 2.6.2
  • okcreate
    • Kerberos adapter utility 21.2
  • okcreate options 21.2.4
  • okdstry
    • Kerberos adapter utility 21.2
  • okdstry options 21.2.3
  • okinit
    • Kerberos adapter utility 21.2
  • okinit utility options 21.2.1
  • oklist
    • Kerberos adapter utility 21.2
  • OLAP_DBA role 4.10.2
  • OLAP_USER role 4.10.2
  • OLAP_XS_ADMIN role 4.10.2
  • OLAPSYS user account 2.6.2
  • One Big Application User authentication
    • See: nondatabase users
  • operating system
    • audit files written to 27.1.7
  • operating systems 3.8.1
    • accounts 4.20.2
    • authentication
    • default permissions A.7
    • enabling and disabling roles 4.20.5
    • operating system account privileges, limiting A.7
    • role identification 4.20.2
    • roles, granting using 4.20.1
    • roles and 4.10.1.10
    • users, limiting number of A.7
  • operating system users
    • configuring for PDBs 3.8.3
    • setting default credential 3.8.4
  • OPTIMIZER_PROCESSING_RATE role 4.10.2
  • ORA_ACCOUNT_MGMT predefined unified audit policy 26.4.4
  • ORA_ALL_TOPLEVEL_ACTIONS predefined unified audit policy 26.4.6.2
  • ORA_CIS_RECOMMENDATIONS predefined unified audit policy 26.4.5
  • ORA_DATABASE_PARAMETER predefined unified audit policy 26.4.3
  • ORA_DV_AUDPOL2 predefined unified audit policy 26.4.9
  • ORA_DV_AUDPOL predefined unified audit policy 26.4.8
  • ORA_LOGON_FAILURES predefined unified audit policy 26.4.1
  • ORA_LOGON_LOGOFF predefined unified audit policy 26.4.6.3
  • ORA_SECURECONFIG predefined unified audit policy 26.4.2
  • ORA_STIG_PROFILE profile 3.2.6.4
  • ORA_STIG_RECOMMENDATIONS predefined unified audit policy 26.4.6.1
  • ORA$DEPENDENCY profile 5.1.6
  • ORA-01720 error 4.14.1
  • ORA-01994 2.3.4.1
  • ORA-06512 error 8.12, 26.5.8.6
  • ORA-06598 error 7.5.2
  • ORA-12650 error B.3.7
  • ORA-1536 error 2.2.7.3
  • ORA-24247 error 8.4, 8.12, 26.5.8.6
  • ORA-28017 error 2.3.4.1
  • ORA-28040 error 3.2.8.3, 3.4.1
  • ORA-28046 error 2.3.4.1
  • ORA-28575 error 10.4.3
  • ORA-29024 error 8.6.6
  • ORA-40300 error 22.14.4.2
  • ORA-40301 error 22.14.4.2
  • ORA-40302 error 22.14.4.2
  • ORA-45622 errors 13.6.6.2
  • ORA-64219: invalid LOB locator encountered 10.5.1
  • ORACLE_DATAPUMP access driver
    • guidelines for security A.8
  • ORACLE_OCM user account 2.6.3
  • Oracle Advanced Security
    • checksum sample for sqlnet.ora file B.2
    • configuration parameters 18.6.1
    • encryption sample for sqlnet.ora file B.2
    • Java implementation 18.4
    • network authentication services A.4
    • TLS features 22.2
    • user access to application schemas 10.10.2
  • Oracle Audit Vault and Database Firewall
    • schema-only accounts 3.5.1
  • Oracle Autonomous Database
    • centrally managed users 6.6
  • Oracle Call Interface (OCI)
    • application contexts, client session-based 11.5.1
    • proxy authentication 3.13.1.1
      • Oracle Virtual Private Database, how it works with 12.5.10
    • proxy authentication with real user 3.13.1.8
    • security-related initialization parameters 10.12
  • Oracle Connection Manager
    • securing client networks with A.11.2
  • Oracle Database Enterprise User Security
    • password security threats 3.2.8.1
  • Oracle Database Real Application Clusters
  • Oracle Database Real Application Security
  • Oracle Database Vault
  • Oracle Data Guard
    • gradual database password rollover 3.2.5.11
    • SYSDG administrative privilege 4.5.6
  • Oracle Data Pump
    • audit events 26.3.17.2
    • exported data from VPD policies 12.5.8
    • exports during gradual database password rollover 3.2.5.10
    • unified audit trail 27.1.10
  • Oracle Developer Tools For Visual Studio (ODT)
    • debugging using Java Debug Wire Protocol 8.12
  • Oracle E-Business Suite
    • schema-only accounts 3.5.1
  • Oracle Enterprise Manager
    • PDBs 9
    • statistics monitor 2.4.3
  • Oracle Enterprise Security Manager
  • Oracle Flashback Data Archive
    • Oracle Virtual Private Database 12.5.9
  • Oracle home
    • default permissions, disallowing modification A.7
  • Oracle Internet Directory
  • Oracle Internet Directory (OID)
    • authenticating with directory-based service 3.7.2.4
    • SYSDBA and SYSOPER access, controlling 3.3.2.1
    • Transport Layer Security authentication 22.1.3
  • Oracle Java Virtual Machine
    • JAVA_RESTRICT initialization parameter security guideline A.7
  • Oracle Java Virtual Machine (OJVM)
    • permissions, restricting A.3
  • Oracle Label Security
  • Oracle Label Security (OLS)
    • Oracle Virtual Private Database, using with 12.5.7.1
  • Oracle Machine Learning for SQL
  • OracleMetaLink
    • See: My Oracle Support
  • Oracle native encryption
  • Oracle Net
  • Oracle parameters
    • authentication 24.4
  • Oracle Password Protocol 18.4
  • Oracle RAC
  • Oracle Real Application Clusters
    • components that need certificates 22.10.3.1
    • global application contexts 11.4.4
    • SYSRAC administrative privilege 4.5.8
  • Oracle Real Application Security
    • auditing internal predicates in policies 26.3.7.12
  • Oracle Recovery Manager
  • Oracle Scheduler
    • sensitive credential data
      • about 14.1
      • data dictionary views 14.7
      • deleting 14.5
      • encrypting 14.3
      • multitenant environment 14.2
      • rekeying 14.4
      • restoring functioning of lost keystore 14.6
  • Oracle SQL*Loader
  • Oracle Technology Network
  • Oracle Virtual Private Database
    • exporting data using Data Pump Export 12.5.8
    • Oracle Flashback Data Archive 12.5.9
  • Oracle Virtual Private Database (VPD)
  • Oracle Virtual Private Datebase (VPD)
    • predicates
      • audited in fine-grained audit policies 26.5.4
      • audited in unified audit policies 26.3.7.12
  • Oracle Wallet Manager
    • X.509 Version 3 certificates 3.7.2.5
  • Oracle wallets
    • authentication method 3.7.2.5
    • setting location 22.9.1.2
    • sqlnet.listener.ora setting C.2.8
    • sqlnet.ora location setting C.2.8
  • orapki utility
    • about F.1
    • adding a certificate request to a wallet with F.6.3.1
    • adding a root certificate to a wallet with F.6.3.2
    • adding a trusted certificate to a wallet with F.6.3.2
    • adding certificate to wallet F.6.4
    • adding user certificates to a wallet with F.6.3.4
    • adding user-supplied certificate to wallet F.6.4
    • cert create command F.9.1
    • cert display command F.9.2
    • certificate revocation lists 22.13.5.1
    • changing the wallet password with F.6.2.6
    • converting wallet to use AES256 algorithm F.6.2.7
    • creating a local auto-login wallet with F.6.2.4
    • creating an auto-login wallet with F.6.2.2, F.6.2.3
    • creating a wallet with F.6.2.1
    • creating signed certificates for testing F.3
    • crl delete command F.9.3
    • crl display command F.9.4
    • crl hash command F.9.5
    • crl list command F.9.6
    • crl upload command F.9.7
    • examples F.8
    • exporting a certificate from a wallet with F.6.5
    • exporting a certificate request from a wallet with F.6.5
    • managing certificate revocation lists F.7
    • syntax F.2
    • viewing a test certificate with F.4
    • viewing a wallet with F.6.2.5
    • wallet add command F.9.8
    • wallet convert command F.9.9
    • wallet create command F.9.10
    • wallet display command F.9.11
    • wallet export command F.9.12
  • ORAPWD utility
  • ORDDATA user account 2.6.2
  • ORDPLUGINS user account 2.6.2
  • ORDSYS user account 2.6.2
  • OS_AUTHENT_PREFIX parameter 24.4.2
  • OS_ROLES initialization parameter
  • OSS.SOURCE.MY_WALLET parameter 22.9.1.2, 22.9.2.3
  • outer join operations
    • Oracle Virtual Private Database affect on 12.5.3
  • OUTLN user account 2.6.2

P

Q

R

S

  • salt 3.2.8.1
  • Sarbanes-Oxley Act
    • auditing to meet compliance 25.1
  • SCHEDULER_ADMIN role
  • schema-independent users 10.10.2
  • schema object privileges 4.12.1
  • schema objects
  • schema-only accounts 3.5
  • schemas
  • schema user accounts, predefined 2.6.1
  • SCOTT user account
    • restricting privileges of A.6
  • SEC_MAX_FAILED_LOGIN_ATTEMPTS initialization parameter 10.12.3
  • SEC_PROTOCOL_ERROR_FURTHER_ACTION initialization parameter 10.12.2
  • sec_relevant_cols_opt parameter 12.3.6.5
  • SEC_RETURN_SERVER_RELEASE_BANNER initialization parameter 10.12.4
  • SEC_USER_AUDIT_ACTION_BANNER initialization parameter 10.12.5
  • SEC_USER_UNAUTHORIZED_ACCESS_BANNER initialization parameter 10.12.5
  • secconf.sql script
  • secret key
  • secure application roles
  • secure external password store
  • Secure Sockets Layer on Oracle RAC
    • remote client, testing configuration 22.10.8
  • SecurID 23.3.1.2
  • security A.3
    • See also: security risks
    • application enforcement of 4.10.1.3
    • default user accounts
      • locked and expired automatically A.3
      • locking and expiring A.3
    • domains, enabled roles and 4.10.5.1
    • enforcement in application 10.2.2
    • enforcement in database 10.2.2
    • multibyte characters in role names 4.10.3.1
    • multibyte characters in role passwords 4.10.4.1
    • passwords 3.4.1
    • policies
    • procedures enhance 7.2
    • products, additional 1.2
    • roles, advantages in application use 10.7
  • security alerts A.2.1
  • security attacks 3.13.1.7
    • See also: security risks
    • access to server after protocol errors, preventing 10.12.2
    • application context values, attempts to change 11.3.3.2
    • application design to prevent attacks 10.3
    • command line recall attacks 10.3.1.1, 10.3.1.4
    • denial of service A.11.2
    • denial-of-service
    • denial-of-service attacks through listener A.11.2
    • disk flooding, preventing 10.12.1
    • eavesdropping A.11.1
    • encryption, problems not solved by 16.1.2
    • falsified IP addresses A.11.1
    • falsified or stolen client system identities A.11.1
    • hacked operating systems or applications A.11.1
    • intruders 16.1.2
    • password cracking 3.2.1
    • password protections against 3.2.1
    • preventing malicious attacks from clients 10.12
    • preventing password theft with proxy authentication and secure external password store 3.13.1.7
    • session ID, need for encryption 11.4.7.3.2
    • shoulder surfing 10.3.1.4
    • SQL injection attacks 10.3.1.2
    • unlimited authenticated requests, preventing 10.12.3
    • user session output, hiding from intruders 11.3.7
  • security domains
  • security isolation
    • guidelines for A.10
  • security patches
  • security policies
    • See: Oracle Virtual Private Database, policies
  • security risks 3.13.1.7
    • See also: security attacks
    • ad hoc tools 4.10.7.1
    • applications enforcing rather than database 10.2.2
    • application users not being database users 10.2.1
    • bad packets to server 10.12.1
    • database version displaying 10.12.4
    • encryption keys, users managing 16.2.4.4
    • invoker’s rights procedures 7.5.1
    • password files 3.3.5
    • passwords, exposing in programs or scripts 10.3.1.4
    • passwords exposed in large deployments 3.2.9.1
    • positional parameters in SQL scripts 10.3.1.4
    • privileges carelessly granted 4.6.5
    • remote user impersonating another user 4.10.4.5
    • sensitive data in audit trail A.13
    • server falsifying identities A.11.3
    • users with multiple roles 10.9.1
  • security settings scripts
    • password settings
  • Security Sockets Layer (SSL)
    • See: Transport Layer Security (TLS)
  • Security Technical Implementation Guide (STIG)
    • ORA_ALL_TOPLEVEL_ACTIONS predefined unified audit policy 26.4.6.2
    • ORA_LOGON_LOGOFF predefined unified audit policy 26.4.6.3
    • ORA_STIG_PROFILE user profile 2.4.4.3
    • ORA_STIG_RECOMMENDATIONS predefined unified audit policy 26.4.6.1
    • ora12c_stig_verify_function password complexity function 3.2.6.6
  • SELECT_CATALOG_ROLE role
    • SYS schema objects, enabling access to 4.6.3.2
  • SELECT ANY DICTIONARY privilege
    • data dictionary, accessing A.7
    • exclusion from GRANT ALL PRIVILEGES privilege A.7
  • SELECT FOR UPDATE statement in Virtual Private Database policies 12.5.2
  • SELECT object privilege
  • sensitive data, auditing of A.13.4
  • separation of duty concepts
  • sequences
  • server.key file
    • pass phrase to read and parse A.11.3
  • SESSION_ROLES data dictionary view
  • SESSION_ROLES view
  • session key
  • session layer
  • sessions
    • listing privilege domain of 4.22.5
    • memory use, viewing 2.7.5
    • time limits on 2.4.2.5
    • when auditing options take effect 27.1.1
  • SET ROLE statement
    • application code, including in 10.9.2
    • associating privileges with role 10.9.1
    • disabling roles with 4.21.2
    • enabling roles with 4.21.2
    • when using operating-system roles 4.20.5
  • SGA
    • See: System Global Area (SGA)
  • SHA-512 cryptographic hash function
  • Shared Global Area (SGA)
    • See: System Global Area (SGA)
  • shared server
    • limiting private SQL areas 2.4.2.5
    • operating system role management restrictions 4.20.6
  • shoulder surfing 10.3.1.4
  • SI_INFORMTN_SCHEMA user account 2.6.2
  • single sign-on (SSO)
  • smartcards 19.4.2
  • smart cards
    • guidelines for security A.4
  • SODA_APP role 4.10.2
  • SQL*Loader
    • object store credential creation 3.2.9.7
  • SQL*Net
    • See: Oracle Net Services
  • SQL*Plus
  • SQL92_SECURITY initialization parameter
  • SQL Developer
    • debugging using Java Debug Wire Protocol 8.12
  • SQL injection attacks 10.3.1.2
  • SQLNET.ALLOWED_LOGON_VERSION_CLIENT
    • target databases from earlier releases 3.2.8.4
  • SQLNET.ALLOWED_LOGON_VERSION_SERVER
    • target databases from earlier releases 3.2.8.4
    • using only 12C password version 3.2.8.3
  • SQLNET.ALLOWED_LOGON_VERSION_SERVER parameter
  • SQLNET.AUTHENTICATION_KERBEROS5_SERVICE parameter 21.1.6.1
  • SQLNET.AUTHENTICATION_SERVICES parameter 21.1.6.1, 22.9.1.6, 22.9.2.7, 22.9.2.7.2, 23.4.1.1, 24.2, 24.3, A.11.3, C.2.2, C.3.1.1
  • SQLNET.CRYPTO_CHECKSUM_CLIENT parameter 17.6.3.2, B.3.5
  • SQLNET.CRYPTO_CHECKSUM_SERVER parameter 17.6.3.2, B.3.4
  • SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT parameter 17.6.3.2, B.3.9
  • SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER parameter 17.6.3.2, B.3.8
  • SQLNET.ENCRYPTION_CLIENT
    • with ANO encryption and TLS authentication 17.6.3.3.1
  • SQLNET.ENCRYPTION_CLIENT parameter 17.6.3.1, 24.2, B.3.3
  • SQLNET.ENCRYPTION_SERVER
    • with ANO encryption and TLS authentication 17.6.3.3.1
  • SQLNET.ENCRYPTION_SERVER parameter 17.6.3.1, 24.2, B.3.2
  • SQLNET.ENCRYPTION_TYPES_CLIENT parameter 17.6.3.1, B.3.7
  • SQLNET.ENCRYPTION_TYPES_SERVER parameter 17.6.3.1, B.3.6
  • SQLNET.IGNORE_ANO_ENCRYPTION_FOR_TCPS
  • SQLNET.KERBEROS5_CC_NAME parameter 21.1.6.3
  • SQLNET.KERBEROS5_CLOCKSKEW parameter 21.1.6.3
  • SQLNET.KERBEROS5_CONF parameter 21.1.6.3
  • SQLNET.KERBEROS5_REALMS parameter 21.1.6.3
  • sqlnet.ora file
    • Common sample B.2
    • FIPS 140-2
      • Cipher Suite settings E.3.2
    • Kerberos sample B.2
    • Oracle Advanced Security checksum sample B.2
    • Oracle Advanced Security encryption sample B.2
    • Oracle wallet setting C.2.8
    • OSS.SOURCE.MY_WALLET parameter 22.9.1.2, 22.9.2.3
    • parameters for clients and servers using Kerberos C.1
    • parameters for clients and servers using RADIUS C.3
    • parameters for clients and servers using TLS C.2
    • PDBs 3.2.8.3
    • RADIUS sample B.2
    • sample B.2
    • SQLNET.AUTHENTICATION_KERBEROS5_SERVICE parameter 21.1.6.1
    • SQLNET.AUTHENTICATION_SERVICES parameter 21.1.6.1, 22.9.1.6, 22.9.2.7, 22.9.2.7.2, 24.2, 24.3, A.11.3
    • SQLNET.CRYPTO_CHECKSUM_CLIENT parameter 17.6.3.2
    • SQLNET.CRYPTO_CHECKSUM_SERVER parameter 17.6.3.2
    • SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT parameter 17.6.3.2, B.3.9
    • SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER parameter 17.6.3.2, B.3.8
    • SQLNET.ENCRYPTION_CLIEN parameter 24.2
    • SQLNET.ENCRYPTION_CLIENT parameter B.3.3
    • SQLNET.ENCRYPTION_SERVER parameter 17.6.3.1, 24.2, B.3.2
    • SQLNET.ENCRYPTION_TYPES_CLIENT parameter 17.6.3.1
    • SQLNET.ENCRYPTION_TYPES_SERVER parameter 17.6.3.1
    • SQLNET.KERBEROS5_CC_NAME parameter 21.1.6.3
    • SQLNET.KERBEROS5_CLOCKSKEW parameter 21.1.6.3
    • SQLNET.KERBEROS5_CONF parameter 21.1.6.3
    • SQLNET.KERBEROS5_REALMS parameter 21.1.6.3
    • SQLNET.SSL_EXTENDED_KEY_USAGE 22.9.2.8
    • SSL_CLIENT_AUTHENTICATION parameter 22.9.1.5
    • SSL_CLIENT_AUTHETNICATION parameter 22.9.2.3
    • SSL_VERSION parameter 22.9.1.4, 22.9.2.6
    • SSL sample B.2
    • Trace File Set Up sample B.2
  • sqlnet.ora parameters
  • SQLNET.RADIUS_ALTERNATE_PORT parameter 23.4.1.3.3, C.3.1.3
  • SQLNET.RADIUS_ALTERNATE_RETRIES parameter 23.4.1.3.3, C.3.1.5
  • SQLNET.RADIUS_ALTERNATE_TIMEOUT parameter 23.4.1.3.3, C.3.1.4
  • SQLNET.RADIUS_ALTERNATE parameter 23.4.1.3.3, C.3.1.2
  • SQLNET.RADIUS_AUTHENTICATION_INTERFACE parameter C.3.1.7
  • SQLNET.RADIUS_AUTHENTICATION_PORT parameter C.3.1.8
  • SQLNET.RADIUS_AUTHENTICATION_RETRIES parameter C.3.1.10
  • SQLNET.RADIUS_AUTHENTICATION_TIMEOUT parameter C.3.1.9
  • SQLNET.RADIUS_AUTHENTICATION parameter C.3.1.6
  • SQLNET.RADIUS_CHALLENGE_KEYWORDparameter C.3.1.12
  • SQLNET.RADIUS_CHALLENGE_RESPONSE parameter C.3.1.11
  • SQLNET.RADIUS_CLASSPATH parameter C.3.1.13
  • SQLNET.RADIUS_SECRET parameter C.3.1.14
  • SQLNET.RADIUS_SEND_ACCOUNTING parameter 23.4.4.1, C.3.1.15
  • SQLNET.SSL_EXTENDED_KEY_USAGE parameter 22.9.2.8
  • SQL statements
  • SQL statements, top-level in unified audit policies 26.3.20.1
  • SSL_CIPHER_SUITES parameter C.2.3
  • SSL_CLIENT_AUTHENTICATION parameter 22.9.1.5, 22.9.2.3
  • SSL_SERVER_CERT_DN parameter C.2.7.2
  • SSL_SERVER_DN_MATCH parameter C.2.7.1
  • SSL_VERSION parameter 22.9.1.4, 22.9.2.6, C.2.5
  • standard auditing
  • standard audit trail
  • statement_types parameter of DBMS_RLS.ADD_POLICY procedure 12.3.4
  • storage
  • stored procedures
    • using privileges granted to PUBLIC role 4.19
  • strong authentication
    • centrally controlling SYSDBA and SYSOPER access to multiple databases 3.3.2.1
    • disabling 24.2
    • guideline A.4
  • symbolic links
    • restricting A.7
  • synchronous authentication mode, RADIUS 23.3.1
  • synonyms
    • object privileges 4.12.5
    • privileges, guidelines on A.3
  • SYS_CONTEXT function
  • SYS_DEFAULT Oracle Virtual Private Database policy group 12.3.7.3
  • SYS_SESSION_ROLES namespace 11.3.4.1
  • SYS.AUD$ table
  • SYS.FGA_LOG$ table
  • SYS.LINK$ system table 14.1
  • SYS.SCHEDULER$_CREDENTIAL system table 14.1
  • SYS$UMF user account 2.6.2
  • SYS account
  • SYS and SYSTEM
    • passwords A.4
  • SYS and SYSTEM accounts
  • SYSASM privilege
  • SYSBACKUP privilege
  • SYSBACKUP user account
  • SYSDBA administrative privilege
    • forcing oracle user to enter password 4.5.4
  • SYSDBA privilege 4.5.3
  • SYSDG privilege
  • SYSDG user account
  • SYSKM privilege
  • SYSKM user account
  • SYSLOG
  • SYSMAN user account A.4
  • SYS objects
  • SYSOPER privilege 4.5.3
  • SYSRAC privilege
    • operations supported 4.5.8
  • SYS schema
  • System Global Area (SGA)
    • application contexts, storing in 11.1.3
    • global application context information location 11.4.1
    • limiting private SQL areas 2.4.2.5
  • system privileges A.3
  • system requirements
  • SYSTEM user account
  • SYS user
  • SYS user account

T

  • table encryption
    • transparent sensitive data protection policy settings 13.15.2
  • tables
  • tablespaces
  • TCP connection
    • Kerberos krb5.conf configuration 21.1.6.4
  • TCPS protocol
    • tnsnames.ora file, used in A.11.3
    • Transport Layer Security, used with A.11.2
  • TELNET service A.11.2
  • TFTP service A.11.2
  • thin JDBC support 18.1
  • TLS
    • See: Transport Layer Security (TLS)
  • token cards 19.4.2, A.4
  • trace file
    • set up sample for sqlnet.ora file B.2
  • trace files
    • access to, importance of restricting A.7
    • bad packets 10.12.1
    • location of, finding 11.6
  • Transparent Data Encryption
    • about 16.2.4.5
    • enabling for FIPS 140-2 E.2
    • SYSKM administrative privilege 4.5.7
  • Transparent Data Encryption (TDE) 14.1
    • TSDP with TDE column encryption 13.15.1
  • transparent sensitive data protection (TSDP
    • unified auditing
  • transparent sensitive data protection (TSDP)
    • about 13.1
    • altering policies 13.7
    • benefits 13.1
    • bind variables
    • creating policies 13.6
    • disabling policies 13.8
    • disabling REDACT_AUDIT policy 13.10.4
    • dropping policies 13.9
    • enabling REDACT_AUDIT policy 13.10.5
    • finding information about 13.16
    • fine-grained auditing
    • general steps 13.2
    • PDBs 13.5
    • privileges required 13.4
    • REDACT_AUDIT policy 13.10.1
    • sensitive columns in INSERT or UPDATE operations 13.10.2.4
    • sensitive columns in same SELECT query 13.10.2.3
    • sensitive columns in views 13.10.3
    • TDE column encryption
    • unified auditing:settings used 13.13.2
    • use cases 13.3
    • Virtual Private Database
  • transparent sensitive data protection (TSDP);
    • fine-grained auditing
  • transparent tablespace encryption
  • transport layer
  • Transport Layer Security
    • compared with native network encryption 17.1.4
  • Transport Layer Security, MCS
    • about 22.11.1
    • configuing database parameters 22.11.9
    • configuring client sqlnet.ora file 22.11.8
    • configuring server listener.ora file 22.11.5
    • configuring server sqlnet.ora file 22.11.6
    • creating and configuring client wallet 22.11.3
    • creating and configuring server wallet 22.11.2
    • creating user account for 22.11.4
    • importing client wallet into Microsoft Certificate Store 22.11.7
    • testing configuration 22.11.10
  • Transport Layer Security (SSL)
    • sqlnet.ora file sample B.2
  • Transport Layer Security (TLS) 19.4.3
    • about 3.7.1
    • ANO encryption and 17.6.3.3.1
    • application containers 22.1.2
    • architecture 22.5.1
    • AUTHENTICATION parameter C.2.2
    • authentication parameters C.2
    • authentication process in an Oracle environment 22.3
    • certificate key algorithm A.11.3
    • cipher suites A.11.3, C.2.4
    • client and server parameters C.2.2
    • client authentication parameter C.2.6
    • client configuration 22.9.2
    • client connections with distinct TLS sessions, about 22.9.2.4.1
    • client connections with distinct TLS sessions, configuring 22.9.2.4.2
    • combining with other authentication methods 22.5
    • compared to SSL 22.1.1
    • configuration files, securing A.11.3
    • configuration troubleshooeting 22.12
    • configuring 22.9
    • configuring ANO encryption with 17.6.3.3.2
    • connection without client wallet, about 22.8.1
    • connection without client wallet, configuring 22.8.2
    • enabling 22.9
    • filtering certificates 22.9.2.8
    • FIPS library location setting (SSLFIPS_LIB) E.3.1
    • FIPS mode setting (SSLFIPS_140) E.3.1
    • global users with private schemas 3.9.2.1
    • guidelines for security A.11.3
    • handshake 22.3
    • industry standard protocol 22.1
    • listener, administering A.11.2
    • MD5 certification F.5
    • mode A.11.3
    • multiple certificates, filtering 22.9.2.8
    • Oracle Internet Directory 22.1.3
    • parameters, ways of configuring C.2.1
    • pass phrase A.11.3
    • requiring client authentication 22.9.1.5
    • RSA private key A.11.3
    • securing TLS connection A.11.3
    • server.key file A.11.3
    • server configuration 22.9.1
    • SHA–1 certification F.5
    • SQLNET.AUTHENTICATION_SERVICES parameter C.2.2
    • SSL_CIPHER_SUITES parameter C.2.3
    • SSL_CLIENT_AUTHENTICATION parameter C.2.6
    • SSL_SERVER_CERT_DN C.2.7.2
    • SSL_SERVER_DN_MATCH C.2.7.1
    • SSL_VERSION parameter C.2.5
    • system requirements 19.6
    • TCPS A.11.3
    • Transport Layer Security (TLS)
      • SSL_CLIENT_AUTHENTICATION C.2.6
    • version parameter C.2.5
    • wallet location, parameter C.2.8
    • ways to configure parameters for C.2
  • Transport Layer Security on Oracle RAC
  • triggers
  • troubleshooting 21.6.3
    • centrally managed users 6.7
    • finding errors by checking trace files 11.6
    • Kerberos common configuration problems 21.6.1
    • ORA-01017 connection errors in CMU configuration 6.7.1
    • ORA-01017 errors in Kerberos configuration 21.6.4
    • ORA-12631 errors in Kerberos configuration 21.6.2
    • ORA-28030 connection errors in CMU configuration 6.7.4
    • ORA-28274 connection errors in CMU configuration 6.7.2
    • ORA-28276 connection errors in CMU configuration 6.7.3
    • trace files for in CMU connection errors 6.7.5
  • trusted procedure
    • database session-based application contexts 11.1.2
  • tsnames.ora configuration file A.11.3
  • tutorials 11.3.9
    • See also: examples
    • application context, database session-based 11.3.9
    • auditing
      • creating policy to audit nondatabase users 26.3.26
      • creating policy using email alert 26.5.8.1
    • definer’s rights, database links 7.8.8.1
    • external network services, using email alert 26.5.8.1
    • global application context with client session ID 11.4.8.1
    • invoker’s rights procedure using CBAC 7.7.7
    • nondatabase users
      • creating Oracle Virtual Private Database policy group 12.4.3.1
      • global application context 11.4.8.1
    • Oracle Virtual Private Database
    • privilege analysis 5.5
    • privilege analysis for ANY privileges 5.4
    • TSDP with VPD 13.12.3
  • types

U

V

  • valid node checking A.11.2
  • views
    • about 4.14
    • access control list data
      • external network services 8.13
      • wallet access 8.13
    • application contexts 11.6
    • audited activities 26.6
    • auditing 26.3.7.2
    • audit management settings 27.4
    • audit trail usage 26.6
    • authentication 3.14
    • bind variables in TSDP sensitive columns 13.10.3
    • DBA_COL_PRIVS 4.22.4
    • DBA_HOST_ACES 8.13
    • DBA_HOST_ACLS 8.13
    • DBA_ROLE_PRIVS 4.22.3
    • DBA_ROLES 4.22.6
    • DBA_SYS_PRIVS 4.22.2
    • DBA_TAB_PRIVS 4.22.4
    • DBA_USERS_WITH_DEFPWD 3.2.4.2
    • DBA_WALLET_ACES 8.13
    • DBA_WALLET_ACLS 8.13
    • definer’s rights 7.6.1
    • encrypted data 16.7
    • invoker’s rights 7.6.1
    • Oracle Virtual Private Database policies 12.6
    • privileges 4.14
    • privileges to query views in other schemas 4.14.2
    • profiles 2.7.1
    • ROLE_SYS_PRIVS 4.22.7
    • ROLE_TAB_PRIVS 4.22.7
    • security applications of 4.14.3
    • SESSION_PRIVS 4.22.5
    • SESSION_ROLES 4.22.5
    • transparent sensitive data protection 13.16
    • USER_HOST_ACES 8.13
    • USER_WALLET_ACES 8.13
    • users 2.7.1
  • Virtual Private Database
    • See: Oracle Virtual Private Database
  • VPD
    • See: Oracle Virtual Private Database
  • vulnerable run-time call A.3
    • made more secure A.3

W

  • Wallet Manager
    • See: Oracle Wallet Manager
  • wallets 8.2, 22.4.2.4
    • See also: access control lists (ACL), wallet access
  • Web applications
  • Web-based applications
    • Oracle Virtual Private Database, how it works with 12.5.10
  • WHEN OTHERS exceptions
    • logon triggers, used in 11.3.7
  • Windows Event Viewer
    • capturing audit trail records 27.1.6.2
  • Windows installations
    • security guideline A.5
  • Windows native authentication 3.3.3
  • WITH GRANT OPTION clause
  • WM_ADMIN_ROLE role 4.10.2
  • WMSYS user account 2.6.2

X

  • X.509 certificates
    • guidelines for security A.4
  • XDB_SET_INVOKER role 4.10.2
  • XDB_WEBSERVICES_OVER_HTTP role
  • XDB_WEBSERVICES_WITH_PUBLIC role 4.10.2
  • XDB_WEBSERVICES role 4.10.2
  • XDBADMIN role 4.10.2
  • XDB user account 2.6.2
  • XS_CACHE_ADMIN role 4.10.2
  • XS_NSATTR_ADMIN role 4.10.2
  • XS_RESOURCE role 4.10.2
  • XS$NULL user account 2.6.3