Changes in This Release for Oracle Database Vault Administrator's Guide

This preface contains:

  • Changes in Oracle Database Vault 23ai
  • Updates to Oracle Database Vault 23ai

Changes in Oracle Database Vault 23ai

The following are changes in Oracle Database Vault Administrator's Guide for Oracle Database 23ai.

Ability to Control Authorizations for Unified Auditing and Traditional Auditing

Starting with Oracle Database 23ai, you can have tighter control on audit management with audit authorizations.

Starting in this release, when Oracle Database Vault is configured and enabled on a new or upgraded database, any user who wants to query audit-related tables and views, or manage traditional or unified audit policies, must first be authorized by Oracle Database Vault. This applies to SYS, SYSTEM, and any user with the SYSDBA administrative privilege, or with the DBA, AUDIT_ADMIN, or AUDIT_VIEWER roles.

This feature provides the following audit-related enhancements for an Oracle Database Vault environment:

  • It protects both unified auditing and traditional auditing.
  • It blocks direct modification of the SYS.AUD$ and SYS.FGA_LOG$ database tables except through the DBMS_AUDIT_MGMT PL/SQL package by authorized users.
  • It provides a new mandatory default realm for audit-related objects, Oracle Audit Realm, to protect the AUDSYS schema and audit-related objects in the SYS schema.

The following new procedures are available for this feature:

  • DVSYS.DBMS_MACADM.AUTHORIZE_AUDIT_ADMIN
  • DVSYS.DBMS_MACADM.UNAUTHORIZE_AUDIT_ADMIN
  • DVSYS.DBMS_MACADM.AUTHORIZE_AUDIT_VIEWER
  • DVSYS.DBMS_MACADM.UNAUTHORIZE_AUDIT_VIEWER

The following new data dictionary views are available:

  • DVSYS.DBA_DV_AUDIT_ADMIN_AUTH
  • DVSYS.DBA_DV_AUDIT_VIEWER_AUTH

The ALTER SYSTEM command rule now requires AUDIT_ADMIN authorization for the AUDIT_FILE_DEST, AUDIT_TRAIL, AUDIT_SYS_OPERATIONS, and AUDIT_SYSLOG_LEVEL parameters. (Note that these parameters have been deprecated starting in this release.) Querying audit trails in the SYS and AUDSYS schemas now requires AUDIT_ADMIN or AUDIT_VIEWER authorization.

In previous releases, to control or restrict auditing, the Database Vault administrator had to create command rules for the audit-related statements such as CREATE AUDIT POLICY. Traditional auditing requires the modification of system parameters such as AUDIT_FILE_DEST. This new authorization does not consolidate or replace the required database privileges. The audit authorization is an additional requirement for managing auditing in an Oracle Database Vault environment. That is, users must have both sufficient privileges and audit authorization in order to manage auditing when Oracle Database Vault is enabled. In addition to facilitating the granting of audit-related privileges to the user, this enhancement provides greater separation of duties for managing auditing in an Oracle Database Vault environment.

Ability to Control Authorizations for Oracle SQL Firewall

Starting with Oracle Database 23ai, you can control which users are authorized to use Oracle SQL Firewall, which is new to this release, in an Oracle Database Vault environment.

In addition to granting a user the ability to perform SQL Firewall operations, you can prevent the user from using SQL Firewall to apply policies that could affect users who have been granted the DV_OWNER and DV_ACCTMGR roles.

The following new DBMS_MACADM package procedures are available for this feature:

  • DVSYS.DBMS_MACADM.AUTHORIZE_SQL_FIREWALL
  • DVSYS.DBMS_MACADM.UNAUTHORIZE_SQL_FIREWALL

This enhancement also includes the DBA_DV_SQL_FIREWALL_AUTH data dictionary view, which provides information about SQL Firewall authorizations.
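The following is an added example, not taken from the Oracle documentation, that applies both the audit authorizations described in the previous section and the SQL Firewall authorization described here. It assumes the script runs as a user with the DV_OWNER or DV_ADMIN role, that each AUTHORIZE/UNAUTHORIZE procedure takes the authorized user name as its single argument, and that AUD_ADMIN_USER, AUD_REPORT_USER and FW_ADMIN_USER are placeholder account names. The accounts still need the underlying database privileges (for example the AUDIT_ADMIN or AUDIT_VIEWER role); the Database Vault authorization is an additional gate, not a replacement for them.

```sql
-- Added example (not Oracle's own code). Run as a DV_OWNER or DV_ADMIN user.
-- Placeholders: AUD_ADMIN_USER, AUD_REPORT_USER, FW_ADMIN_USER.
-- Assumption: each procedure takes the user name as its only argument.

-- One account may manage audit policies and the audit trail ...
BEGIN
  DBMS_MACADM.AUTHORIZE_AUDIT_ADMIN('AUD_ADMIN_USER');
END;
/

-- ... while a separate reporting account may only read the audit trail.
-- Keeping the two apart preserves separation of duties.
BEGIN
  DBMS_MACADM.AUTHORIZE_AUDIT_VIEWER('AUD_REPORT_USER');
END;
/

-- A third account is allowed to administer SQL Firewall in the Vault-protected database.
BEGIN
  DBMS_MACADM.AUTHORIZE_SQL_FIREWALL('FW_ADMIN_USER');
END;
/

-- Verification: the new data dictionary views show who currently holds each authorization.
SELECT * FROM DBA_DV_AUDIT_ADMIN_AUTH;
SELECT * FROM DBA_DV_AUDIT_VIEWER_AUTH;
SELECT * FROM DBA_DV_SQL_FIREWALL_AUTH;

-- Revoke an authorization when the task that needed it is finished.
BEGIN
  DBMS_MACADM.UNAUTHORIZE_AUDIT_VIEWER('AUD_REPORT_USER');
END;
/
```

Reviewing the three DBA_DV_*_AUTH views periodically is a simple way to check that only the intended accounts can touch the audit trail, audit policies, or SQL Firewall policies.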

Desupport of Traditional Auditing in Oracle Database Vault

Starting with Oracle Database 23ai, traditional auditing is desupported.

Unified auditing is the way forward to perform Oracle Database Vault auditing. Unified auditing offers more flexibility to perform selective and effective auditing, which helps you focus on activities that really matter to your enterprise. Unified auditing has one single and secure unified trail, conditional policy for audit selectivity, and default predefined policies for simplicity. To improve security and compliance, Oracle strongly recommends that you use unified auditing.

The main impact of the desupport of traditional auditing in Oracle Database Vault is with the audit_options parameter in the APIs for realms, rule sets, and factors.

Updates to Oracle Database Vault 23ai

Oracle Database Vault Administrator’s Guide for Oracle Database 23ai has new security features.

Ability to Set Tracing Using Oracle Database Vault APIs

You now can use two new Oracle Database Vault APIs to control and view Database Vault tracing settings.

These new APIs are as follows:

  • DBMS_MACADM.SET_DV_TRACE_LEVEL
  • DBMS_MACUTL.GET_DV_TRACE_LEVEL

This enhancement enables users who have been granted the DV_ADMIN role to enable or disable Database Vault system-level tracing, which applies to all database sessions. In previous releases, this user needed the ALTER SYSTEM and ALTER SESSION system privileges to perform this task, in addition to the DV_ADMIN role. (The ALTER SYSTEM statement for tracing is still supported.) The enhancement also provides the DBMS_MACUTL.GET_DV_TRACE_LEVEL function, which returns the trace level that has been set for the current database session. (This trace level can have been set by ALTER SYSTEM, ALTER SESSION, or DBMS_MACADM.SET_DV_TRACE_LEVEL.)
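The following is an added example, not taken from the Oracle documentation, showing how a DV_ADMIN user might read the current trace level, raise it for a troubleshooting window, and reset it afterwards. It assumes DBMS_MACADM.SET_DV_TRACE_LEVEL takes a single numeric trace level and that 0 means tracing off; the specific non-zero value used below is a placeholder to be replaced with the level documented for your release.

```sql
-- Added example (not Oracle's own code). Run as a user with the DV_ADMIN role.
-- Assumptions: SET_DV_TRACE_LEVEL takes one numeric argument; 0 turns tracing off.
-- The value 1 below is a placeholder for the desired non-zero trace level.

-- Record the level in effect before changing anything, so it can be restored later.
SELECT DBMS_MACUTL.GET_DV_TRACE_LEVEL AS trace_level_before FROM DUAL;

-- Turn on system-level Database Vault tracing for the troubleshooting window.
-- No ALTER SYSTEM or ALTER SESSION privilege is needed in this release.
BEGIN
  DBMS_MACADM.SET_DV_TRACE_LEVEL(1);
END;
/

-- Confirm the new setting is visible to the current session.
SELECT DBMS_MACUTL.GET_DV_TRACE_LEVEL AS trace_level_during FROM DUAL;

-- Switch tracing back off once the diagnosis is complete; leaving it on
-- affects every session and fills trace files with detail that is rarely needed.
BEGIN
  DBMS_MACADM.SET_DV_TRACE_LEVEL(0);
END;
/

SELECT DBMS_MACUTL.GET_DV_TRACE_LEVEL AS trace_level_after FROM DUAL;
```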

New Utility Functions for Finding Client Host and IP Information

You now can use two new Oracle Database Vault utility functions to find information about client hosts and IPs.

These new utility functions are as follows:

  • DBMS_MACUTL.CONTAINS_HOST
  • DBMS_MACUTL.IS_CLIENT_IP_CONTAINED

These utility functions enable you to conveniently check if an IP address (or a host) is contained in a domain (or subnet range). They are useful for configuring rules and rule sets.

Fewer Parameters to Specify When Creating or Updating Controls

You now can greatly simplify creating or updating realms, rules, command rules, factors, and policies by using the new default behaviors of the administration procedures.

This enhancement, which streamlines the Oracle Database Vault configuration, enables you to omit parameters in the following cases:

  • If you are creating a new control, omitting the parameter specifies its default value.
  • If you are updating an existing control, omitting the parameter retains the current setting.

The procedures that are affected are as follows:

  • DBMS_MACADM.CREATE_COMMAND_RULE
  • DBMS_MACADM.CREATE_CONNECT_COMMAND_RULE
  • DBMS_MACADM.CREATE_FACTOR
  • DBMS_MACADM.CREATE_POLICY
  • DBMS_MACADM.CREATE_REALM
  • DBMS_MACADM.CREATE_RULE
  • DBMS_MACADM.CREATE_RULE_SET
  • DBMS_MACADM.CREATE_SESSION_EVENT_CMD_RULE
  • DBMS_MACADM.CREATE_SYSTEM_EVENT_CMD_RULE
  • DBMS_MACADM.UPDATE_COMMAND_RULE
  • DBMS_MACADM.UPDATE_CONNECT_COMMAND_RULE
  • DBMS_MACADM.UPDATE_FACTOR
  • DBMS_MACADM.UPDATE_POLICY_STATE
  • DBMS_MACADM.UPDATE_REALM
  • DBMS_MACADM.UPDATE_RULE
  • DBMS_MACADM.UPDATE_RULE_SET
  • DBMS_MACADM.UPDATE_SESSION_EVENT_CMD_RULE
  • DBMS_MACADM.UPDATE_SYSTEM_EVENT_CMD_RULE
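The following is an added example, not taken from the Oracle documentation, that illustrates the default behaviors just described with a realm. A realm is created with only a name and description (all other settings take their defaults), protected objects and an authorized account are added, and a later update supplies only the description, so the enabled state and realm type are retained rather than reset. The realm name, schema and account name are constructed placeholders.

```sql
-- Added example (not Oracle's own code). Run as a user with the DV_OWNER role.
-- Placeholders: "HR Realm" (realm), HR (schema), HR_APP_ADMIN (grantee).

-- Create: only realm_name and description are given. Under the 23ai defaults the
-- omitted enabled, realm_type, realm_scope and pl_sql_stack parameters take their
-- default values, so there is no need to spell each one out.
BEGIN
  DBMS_MACADM.CREATE_REALM(
    realm_name  => 'HR Realm',
    description => 'Protects HR application schema objects');
END;
/

-- Place the whole HR schema under the realm (wildcards select every object and type).
BEGIN
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR Realm',
    object_owner => 'HR',
    object_name  => '%',
    object_type  => '%');
END;
/

-- Authorize one application administrator as a realm owner, unconditionally
-- (no rule set), so DBA-style accounts outside the realm are blocked.
BEGIN
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'HR Realm',
    grantee       => 'HR_APP_ADMIN',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_OWNER);
END;
/

-- Update: only the description is supplied. In this release every omitted parameter
-- keeps its current value, so the realm stays enabled with the same realm type.
BEGIN
  DBMS_MACADM.UPDATE_REALM(
    realm_name  => 'HR Realm',
    description => 'Protects HR application schema objects (reviewed Q3)');
END;
/

-- Verify that only the description changed.
SELECT name, description, enabled, realm_type
FROM   DBA_DV_REALM
WHERE  name = 'HR Realm';
```

The same pattern applies to the rule, rule set, command rule, factor and policy procedures in the list above: pass only the parameters you intend to set, and read the corresponding DBA_DV_* view afterwards to confirm the untouched settings are unchanged.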