Changes in This Release for Oracle Database Vault Administrator's Guide
This preface contains:
Changes in Oracle Database Vault 23ai
The following are changes in Oracle Database Vault Administrator's Guide for Oracle Database 23ai.
- Ability to Control Authorizations for Unified Auditing and Traditional Auditing
Starting with Oracle Database 23ai, you can have tighter control on audit management with audit authorizations.
- Ability to Control Authorizations for Oracle SQL Firewall
Starting with Oracle Database 23ai, you can control the authorization of users to use Oracle SQL Firewall, new to this release, in an Oracle Database Vault environment.
- Desupport of Traditional Auditing in Oracle Database Vault
Starting with Oracle Database 23ai, traditional auditing is desupported.
Ability to Control Authorizations for Unified Auditing and Traditional Auditing
Starting with Oracle Database 23ai, you can have tighter control on audit management with audit authorizations.
Starting in this release, when Oracle Database Vault is configured and enabled on a new or upgraded database, an audit authorization is required for any user who wants to query audit-related tables and views, or manage traditional or unified audit policies; without first being authorized by Oracle Database Vault, these operations are blocked. This applies to SYS, SYSTEM, and any user with the SYSDBA administrative privilege, or with the DBA, AUDIT_ADMIN, or AUDIT_VIEWER roles.
This feature provides the following audit-related enhancements for an Oracle Database Vault environment:
- It protects both unified auditing and traditional auditing.
- It blocks direct modification of the SYS.AUD$ and SYS.FGA_LOG$ database tables except through the DBMS_AUDIT_MGMT PL/SQL package by authorized users.
- It provides a new mandatory default realm for audit-related objects, Oracle Audit Realm, to protect the AUDSYS schema and audit-related objects in the SYS schema.
The following new procedures are available for this feature:
DVSYS.DBMS_MACADM.AUTHORIZE_AUDIT_ADMIN
DVSYS.DBMS_MACADM.UNAUTHORIZE_AUDIT_ADMIN
DVSYS.DBMS_MACADM.AUTHORIZE_AUDIT_VIEWER
DVSYS.DBMS_MACADM.UNAUTHORIZE_AUDIT_VIEWER
The following new data dictionary views are available:
DVSYS.DBA_DV_AUDIT_ADMIN_AUTH
DVSYS.DBA_DV_AUDIT_VIEWER_AUTH
The ALTER SYSTEM command rule now requires AUDIT_ADMIN authorization for the AUDIT_FILE_DEST, AUDIT_TRAIL, AUDIT_SYS_OPERATIONS, and AUDIT_SYSLOG_LEVEL parameters. (Note that these parameters have been deprecated starting in this release.) Querying audit trails in the SYS and AUDSYS schemas now requires AUDIT_ADMIN or AUDIT_VIEWER authorization.
In previous releases, to control or restrict auditing, the Database Vault administrator had to create command rules for the audit-related SQL statements such as CREATE AUDIT POLICY. Traditional auditing requires the modification of system parameters such as AUDIT_FILE_DEST. This new authorization does not consolidate or replace the required database privileges. The audit authorization is an additional requirement for managing auditing in an Oracle Database Vault environment. That is, users must have both sufficient privileges and the audit authorization in order to manage auditing when Oracle Database Vault is enabled. In addition to facilitating the granting of audit-related privileges to the user, this enhancement provides greater separation of duties for managing auditing in an Oracle Database Vault environment.
Ability to Control Authorizations for Oracle SQL Firewall
Starting with Oracle Database 23ai, you can control the authorization of users to use Oracle SQL Firewall, new to this release, in an Oracle Database Vault environment.
In addition to granting a user the ability to perform SQL Firewall operations, you can prevent the user from using SQL Firewall to apply policies that could affect users who have been granted the DV_OWNER and DV_ACCTMGR roles.
The following new DBMS_MACADM package procedures are available for this feature:
DVSYS.DBMS_MACADM.AUTHORIZE_SQL_FIREWALL
DVSYS.DBMS_MACADM.UNAUTHORIZE_SQL_FIREWALL
This enhancement also includes the DBA_DV_SQL_FIREWALL_AUTH data dictionary view, which provides information about SQL Firewall authorizations.
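The following is an added example, not code from the Oracle documentation, covering both the audit authorizations above and the SQL Firewall authorization in this section. It delegates the three duties to three separate accounts, verifies the result through the new DBA_DV_*_AUTH views, and revokes the authorizations afterwards. Assumptions: it is run by a user who holds DV_OWNER (or DV_ADMIN); the account names AUDIT_MGR, AUDIT_RO and FW_ADMIN are hypothetical; each AUTHORIZE/UNAUTHORIZE procedure is assumed to take a single user-name argument, passed here positionally; and the views are assumed to expose the authorized account in a GRANTEE column.

```sql
-- Added example (not from the Oracle documentation). Run as a DV_OWNER/DV_ADMIN user.
-- AUDIT_MGR, AUDIT_RO and FW_ADMIN are hypothetical accounts.
--
-- The Database Vault authorization is layered on top of the ordinary database
-- privileges: AUDIT_MGR still needs AUDIT_ADMIN, AUDIT_RO still needs
-- AUDIT_VIEWER, and FW_ADMIN still needs the SQL Firewall privileges/role,
-- granted separately by an account permitted to grant them. Without the
-- Database Vault authorization below, those privileges alone are not enough
-- once Database Vault is enabled.
BEGIN
  DBMS_MACADM.AUTHORIZE_AUDIT_ADMIN('AUDIT_MGR');   -- may manage audit policies
  DBMS_MACADM.AUTHORIZE_AUDIT_VIEWER('AUDIT_RO');   -- may only read the audit trail
  DBMS_MACADM.AUTHORIZE_SQL_FIREWALL('FW_ADMIN');   -- may operate SQL Firewall
END;
/

-- Verify which accounts currently hold each authorization.
-- Assumption: the views expose the account in a GRANTEE column.
SELECT 'AUDIT_ADMIN'  AS auth_type, grantee FROM DVSYS.DBA_DV_AUDIT_ADMIN_AUTH
UNION ALL
SELECT 'AUDIT_VIEWER', grantee FROM DVSYS.DBA_DV_AUDIT_VIEWER_AUTH
UNION ALL
SELECT 'SQL_FIREWALL', grantee FROM DVSYS.DBA_DV_SQL_FIREWALL_AUTH
ORDER BY 1, 2;

-- Functional check (run it connected as AUDIT_RO): this query is rejected before
-- the authorization and succeeds after it, even though AUDIT_VIEWER is granted
-- in both cases.
--   SELECT COUNT(*) FROM AUDSYS.UNIFIED_AUDIT_TRAIL;

-- Revoke when the task is finished. Treat the authorization as a time-boxed
-- grant rather than a permanent one: the separation of duties the feature
-- provides is lost if every DBA account stays authorized indefinitely.
BEGIN
  DBMS_MACADM.UNAUTHORIZE_AUDIT_ADMIN('AUDIT_MGR');
  DBMS_MACADM.UNAUTHORIZE_AUDIT_VIEWER('AUDIT_RO');
  DBMS_MACADM.UNAUTHORIZE_SQL_FIREWALL('FW_ADMIN');
END;
/
```

Note that SYS and SYSTEM are subject to the same check, so an existing operational procedure that queries UNIFIED_AUDIT_TRAIL as SYS must now be preceded by an AUTHORIZE_AUDIT_VIEWER call for SYS, made by the Database Vault owner; keeping that grant in the hands of DV_OWNER rather than the DBA is the point of the control.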
Desupport of Traditional Auditing in Oracle Database Vault
Starting with Oracle Database 23ai, traditional auditing is desupported.
Unified auditing is the way forward to perform Oracle Database Vault auditing. Unified auditing offers more flexibility to perform selective and effective auditing, which helps you focus on activities that really matter to your enterprise. Unified auditing has one single and secure unified trail, conditional policy for audit selectivity, and default predefined policies for simplicity. To improve security and compliance, Oracle strongly recommends that you use unified auditing.
The main impact of the desupport of traditional auditing in Oracle Database Vault is with the audit_options parameter in the APIs for realms, rule sets, and factors.
Updates to Oracle Database Vault 23ai
Oracle Database Vault Administrator’s Guide for Oracle Database 23ai has new security features.
- Ability to Set Tracing Using Oracle Database Vault APIs
You now can use two new Oracle Database Vault APIs to control and view Database Vault tracing settings.
- New Utility Functions for Finding Client Host and IP Information
You now can use two new Oracle Database Vault utility functions to find information about client hosts and IPs.
- Fewer Parameters to Specify When Creating or Updating Controls
You now can greatly simplify creating or updating realms, rules, command rules, factors, and policies by using the new default behaviors of the administration procedures.
Ability to Set Tracing Using Oracle Database Vault APIs
You now can use two new Oracle Database Vault APIs to control and view Database Vault tracing settings.
These new APIs are as follows:
DBMS_MACADM.SET_DV_TRACE_LEVEL
DBMS_MACUTL.GET_DV_TRACE_LEVEL
This enhancement enables users who have been granted the DV_ADMIN role to enable or disable Database Vault system level tracing, which applies to all database sessions. In previous releases, this user needed the ALTER SYSTEM and the ALTER SESSION system privileges to perform this task, in addition to the DV_ADMIN role. (Setting tracing with ALTER SYSTEM is still supported.) The enhancement also provides the DBMS_MACUTL.GET_DV_TRACE_LEVEL function, which returns the trace level that has been set for the current database session. (This trace level may have been set by ALTER SYSTEM, ALTER SESSION, or DBMS_MACADM.SET_DV_TRACE_LEVEL.)
New Utility Functions for Finding Client Host and IP Information
You now can use two new Oracle Database Vault utility functions to find information about client hosts and IPs.
These new utility functions are as follows:
DBMS_MACUTL.CONTAINS_HOST
DBMS_MACUTL.IS_CLIENT_IP_CONTAINED
These utility functions enable you to conveniently check if an IP address (or a host) is contained in a domain (or subnet range). They are useful for configuring rules and rule sets.
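The following is an added example, not code from the Oracle documentation, showing the two utility functions used where the text says they belong: inside rule expressions. It builds a rule set that is satisfied when the client comes from a corporate subnet or a corporate domain, and attaches it to a CONNECT command rule for one account. Assumptions: it is run by a DV_OWNER/DV_ADMIN user; the subnet 192.0.2.0/24, the domain example.com, the rule and rule set names, and the account APP_SVC are hypothetical; both functions are assumed to take (value, container) as positional arguments and to return 1 when the value is contained (if they return BOOLEAN in your release, drop the `= 1`); the CIDR and domain notation they accept should be checked against the DBMS_MACUTL reference for your release.

```sql
-- Added example (not from the Oracle documentation). Run as a DV_OWNER/DV_ADMIN user.
-- Subnet, domain, names and the APP_SVC account are hypothetical.
-- Assumption: both utility functions return 1 when contained, 0 otherwise.

-- Rule 1: the client IP address falls inside the allowed subnet.
-- IP_ADDRESS comes from the network layer, so it is the stronger of the two checks.
BEGIN
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Client IP In Corp Subnet',
    rule_expr => q'[DBMS_MACUTL.IS_CLIENT_IP_CONTAINED(
                      SYS_CONTEXT('USERENV','IP_ADDRESS'), '192.0.2.0/24') = 1]');
END;
/

-- Rule 2: the client host name belongs to the corporate domain.
-- USERENV HOST is supplied by the client, so treat this as a convenience
-- check, not as proof of origin.
BEGIN
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Client Host In Corp Domain',
    rule_expr => q'[DBMS_MACUTL.CONTAINS_HOST(
                      SYS_CONTEXT('USERENV','HOST'), 'example.com') = 1]');
END;
/

-- Rule set: ANY rule true is enough. The remaining CREATE_RULE_SET parameters
-- (fail options, handler, is_static, ...) are left to their 23ai defaults.
BEGIN
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name => 'Corporate Network Only',
    description   => 'Client must connect from the corporate subnet or domain',
    enabled       => DBMS_MACUTL.G_YES,
    eval_options  => DBMS_MACUTL.G_RULESET_EVAL_ANY);

  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Corporate Network Only',
    rule_name     => 'Client IP In Corp Subnet');
  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Corporate Network Only',
    rule_name     => 'Client Host In Corp Domain');
END;
/

-- Apply it to CONNECT for one service account. Attach it to a non-critical
-- account first: a rule that never evaluates true locks that account out.
BEGIN
  DBMS_MACADM.CREATE_CONNECT_COMMAND_RULE(
    rule_set_name => 'Corporate Network Only',
    user_name     => 'APP_SVC',
    enabled       => DBMS_MACUTL.G_YES);
END;
/

-- Dry run of the rule expressions from the current session, before relying
-- on the command rule (expect 1 from a corporate client, 0 otherwise).
SELECT DBMS_MACUTL.IS_CLIENT_IP_CONTAINED(
         SYS_CONTEXT('USERENV','IP_ADDRESS'), '192.0.2.0/24') AS ip_ok,
       DBMS_MACUTL.CONTAINS_HOST(
         SYS_CONTEXT('USERENV','HOST'), 'example.com')        AS host_ok
FROM dual;
```

If the connection arrives through a connection manager or proxy, IP_ADDRESS reflects the intermediary rather than the end client; confirm what your deployment reports before using the subnet rule as an access control.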
Fewer Parameters to Specify When Creating or Updating Controls
You now can greatly simplify creating or updating realms, rules, command rules, factors, and policies by using the new default behaviors of the administration procedures.
This enhancement, which streamlines the Oracle Database Vault configuration, enables you to omit parameters in the following cases:
- If you are creating a new control, omitting the parameter specifies its default value.
- If you are updating an existing control, omitting the parameter retains the current setting.
The procedures that are affected are as follows:
DBMS_MACADM.CREATE_COMMAND_RULE
DBMS_MACADM.CREATE_CONNECT_COMMAND_RULE
DBMS_MACADM.CREATE_FACTOR
DBMS_MACADM.CREATE_POLICY
DBMS_MACADM.CREATE_REALM
DBMS_MACADM.CREATE_RULE
DBMS_MACADM.CREATE_RULE_SET
DBMS_MACADM.CREATE_SESSION_EVENT_CMD_RULE
DBMS_MACADM.CREATE_SYSTEM_EVENT_CMD_RULE
DBMS_MACADM.UPDATE_COMMAND_RULE
DBMS_MACADM.UPDATE_CONNECT_COMMAND_RULE
DBMS_MACADM.UPDATE_FACTOR
DBMS_MACADM.UPDATE_POLICY_STATE
DBMS_MACADM.UPDATE_REALM
DBMS_MACADM.UPDATE_RULE
DBMS_MACADM.UPDATE_RULE_SET
DBMS_MACADM.UPDATE_SESSION_EVENT_CMD_RULE
DBMS_MACADM.UPDATE_SYSTEM_EVENT_CMD_RULE
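The following is an added example, not code from the Oracle documentation, contrasting the two default behaviors listed above on one realm: a CREATE_REALM call that omits most parameters (they take their defaults) and an UPDATE_REALM call that changes a single attribute (the omitted parameters keep their current values, so the description and enabled state are not reset). Assumptions: it is run by a DV_OWNER/DV_ADMIN user; the realm name, the HR schema and the HR_ADMIN account are hypothetical; realm_type is assumed to take 0 for a regular realm and 1 for a mandatory realm, and DBA_DV_REALM is assumed to expose NAME, ENABLED and REALM_TYPE columns.

```sql
-- Added example (not from the Oracle documentation). Run as a DV_OWNER/DV_ADMIN user.
-- Realm name, HR schema and HR_ADMIN account are hypothetical.

-- Create: name and description only. audit_options, realm_type, realm_scope
-- and the enabled state are omitted and take their 23ai defaults. In earlier
-- releases every one of these had to be spelled out.
BEGIN
  DBMS_MACADM.CREATE_REALM(
    realm_name  => 'HR Realm',
    description => 'Protects the HR schema from privileged users');
END;
/

-- Put every object in the HR schema under the realm and make HR_ADMIN a
-- realm owner (the account that may grant on, and access, protected objects).
BEGIN
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR Realm',
    object_owner => 'HR',
    object_name  => '%',
    object_type  => '%');

  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name   => 'HR Realm',
    grantee      => 'HR_ADMIN',
    auth_options => DBMS_MACUTL.G_REALM_AUTH_OWNER);
END;
/

-- Update: change one attribute only. Because the other parameters are
-- omitted, the description and enabled state set above survive the call.
-- Assumption: realm_type 1 = mandatory (0 = regular). A mandatory realm
-- blocks even object owners and users with direct object grants unless they
-- are authorized in the realm, so confirm HR_ADMIN is authorized first.
BEGIN
  DBMS_MACADM.UPDATE_REALM(
    realm_name => 'HR Realm',
    realm_type => 1);
END;
/

-- Confirm that only realm_type changed.
SELECT name, enabled, realm_type, description
FROM   DVSYS.DBA_DV_REALM
WHERE  name = 'HR Realm';
```

The practical consequence of the update behavior is that a change script can touch exactly the attribute it means to change; previously an UPDATE_REALM that re-supplied the wrong enabled value could silently disable a protection while adjusting something unrelated.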