Table of Contents

• List of Tables
• Title and Copyright Information
• Preface
  • Audience
  • Documentation Accessibility
  • Related Documents
  • Conventions
• Changes in This Release for Oracle Database 2 Day + Security Guide
  • Changes in Oracle Database 12c Release 2 (12.2)
    • New Features
    • Desupported Features
• 1 Introduction to Oracle Database Security
  • 1.1 About This Guide
    • 1.1.1 Before Using This Guide
    • 1.1.2 What This Guide Is and Is Not
  • 1.2 Common Database Security Tasks
  • 1.3 Tools for Securing Your Database
  • 1.4 Securing Your Database: A Roadmap
• 2 Securing the Database Installation and Configuration
  • 2.1 About Securing the Database Installation and Configuration
  • 2.2 Securing Access to the Oracle Database Installation
    • 2.2.1 Default Security Settings
    • 2.2.2 Security for the Oracle Data Dictionary
      • 2.2.2.1 About the Oracle Data Dictionary
      • 2.2.2.2 Enabling Data Dictionary Protection
    • 2.2.3 Initialization Parameters Used for Installation and Configuration Security
    • 2.2.4 Modifying the Value of an Initialization Parameter
  • 2.3 Security for the Network
    • 2.3.1 About Securing the Network
    • 2.3.2 Protecting Data on the Network by Using Network Encryption
      • 2.3.2.1 About Network Encryption
      • 2.3.2.2 Configuring Network Encryption
    • 2.3.3 Initialization Parameters Used for Network Security
  • 2.4 Securing User Accounts
    • 2.4.1 About Securing Oracle Database User Accounts
    • 2.4.2 Predefined User Accounts Provided by Oracle Database
      • 2.4.2.1 Predefined Administrative Accounts
      • 2.4.2.2 Predefined Non-Administrative User Accounts
      • 2.4.2.3 Predefined Sample Schema User Accounts
    • 2.4.3 Expiring and Locking Database Accounts
    • 2.4.4 Requirements for Creating Passwords
    • 2.4.5 Finding and Changing Default Passwords
      • 2.4.5.1 About Finding and Changing Default Passwords
      • 2.4.5.2 Finding and Changing Default Passwords from SQL*Plus
      • 2.4.5.3 Finding and Changing Default Passwords from Enterprise Manager
    • 2.4.6 Parameters Used to Secure User Accounts
• 3 Managing User Privileges
  • 3.1 About Privilege Management
  • 3.2 When to Grant Privileges to Users
  • 3.3 When to Grant Roles to Users
  • 3.4 Controlling Access to Applications with Secure Application Roles
    • 3.4.1 About Secure Application Roles
    • 3.4.2 Tutorial: Creating a Secure Application Role
      • 3.4.2.1 Step 1: Create User Accounts for This Tutorial
      • 3.4.2.2 Step 2: Create a Security Administrator Account
      • 3.4.2.3 Step 3: Create a Lookup View
      • 3.4.2.4 Step 4: Create the PL/SQL Procedure to Set the Secure Application Role
      • 3.4.2.5 Step 5: Create the Secure Application Role
      • 3.4.2.6 Step 6: Grant SELECT for the EMP_ROLE Role to the OE.ORDERS Table
      • 3.4.2.7 Step 7: Grant the EXECUTE Privilege for the Procedure to Matthew and Winston
      • 3.4.2.8 Step 8: Test the EMP_ROLE Secure Application Role
        • 3.4.2.8.1 Testing the emp_role Secure Application Role as User MWEISS
        • 3.4.2.8.2 Testing the emp_role Secure Application Role as User WTAYLOR
      • 3.4.2.9 Step 9: Optionally, Remove the Components for This Tutorial
  • 3.5 Initialization Parameters Used for Privilege Security
• 4 Encrypting Data with Oracle Transparent Data Encryption
  • 4.1 About Encrypting Sensitive Data
  • 4.2 When Should You Encrypt Data?
  • 4.3 How Transparent Data Encryption Works
  • 4.4 Configuring Data to Use Transparent Data Encryption
    • 4.4.1 Step 1: Configure the Keystore Location
    • 4.4.2 Step 2: Check the COMPATIBLE Initialization Parameter Setting
    • 4.4.3 Step 3: Create the Software Password-Based Keystore
    • 4.4.4 Step 4: Open (or Close) the Keystore
      • 4.4.4.1 Opening a Keystore
      • 4.4.4.2 Closing a Keystore
    • 4.4.5 Step 5: Create the Master Encryption Key
    • 4.4.6 Step 6: Encrypt Data
      • 4.4.6.1 Encrypting Individual Table Columns
      • 4.4.6.2 Encrypting a Tablespace
  • 4.5 Checking Existing Encrypted Data
    • 4.5.1 Finding the Type of Keystore That Was Created
    • 4.5.2 Finding the Keystore Location
    • 4.5.3 Checking Whether a Keystore Is Open or Closed
    • 4.5.4 Checking Encrypted Columns of an Individual Table
    • 4.5.5 Checking All Encrypted Table Columns in the Current Database Instance
    • 4.5.6 Data Dictionary Views for Checking Encrypted Tablespaces
• 5 Controlling Access with Oracle Database Vault
  • 5.1 About Oracle Database Vault
  • 5.2 Tutorial: Controlling Administrator Access to a User Schema
    • 5.2.1 Step 1: Enable Oracle Database Vault
    • 5.2.2 Step 2: Grant SELECT on the OE.CUSTOMERS Table to User SCOTT
      • 5.2.2.1 Enabling User SCOTT for Oracle Database Vault
      • 5.2.2.2 Granting User SCOTT the SELECT Privilege on the OE.CUSTOMERS Table
    • 5.2.3 Step 3: Select from the OE.CUSTOMERS Table as Users SYS and SCOTT
    • 5.2.4 Step 4: Create a Realm to Protect the OE.CUSTOMERS Table
    • 5.2.5 Step 5: Test the OE Protections Realm
    • 5.2.6 Step 6: Optionally, Remove the Components for This Tutorial
      • 5.2.6.1 Dropping the OE Protections Realm
      • 5.2.6.2 Revoking the SELECT Privilege on OE.CUSTOMERS from User SCOTT
      • 5.2.6.3 Disabling Oracle Database Vault and Oracle Label Security
• 6 Restricting Access with Oracle Virtual Private Database
  • 6.1 About Oracle Virtual Private Database
  • 6.2 Tutorial: Limiting Access to Data Based on the Querying User
    • 6.2.1 About Limiting Access to Data Based on the Querying User
    • 6.2.2 Step 1: Create User Accounts for This Tutorial
    • 6.2.3 Step 2: If Necessary, Create the Security Administrator Account
    • 6.2.4 Step 3: Update the Security Administrator Account
    • 6.2.5 Step 4: Create the F_POLICY_ORDERS Policy Function
    • 6.2.6 Step 5: Create the ACCESSCONTROL_ORDERS Virtual Private Database Policy
    • 6.2.7 Step 6: Test the ACCESSCONTROL_ORDERS Virtual Private Database Policy
    • 6.2.8 Step 7: Optionally, Remove the Components for This Tutorial
      • 6.2.8.1 Removing the Data Structures Created by sec_admin
      • 6.2.8.2 Removing the User Accounts
      • 6.2.8.3 Revoking Privileges on DBMS_RLS from User sec_admin
• 7 Limiting Access to Sensitive Data Using Oracle Data Redaction
  • 7.1 About Oracle Data Redaction
  • 7.2 Tutorial: Redacting Data for a Select Group of Users
    • 7.2.1 About Redacting Data for a Select Group of Users
    • 7.2.2 Step 1: Create User Accounts and Grant Them the Necessary Privileges
    • 7.2.3 Step 2: Create and Populate the SALES_OPPS Sales Opportunities Table
    • 7.2.4 Step 3: Create the SALES_OPPS_POL Oracle Data Redaction Policy
    • 7.2.5 Step 4: Test the SALES_OPPS_POL Oracle Data Redaction Policy
    • 7.2.6 Step 5: Optionally, Remove the Components for This Tutorial
• 8 Enforcing Row-Level Security with Oracle Label Security
  • 8.1 About Oracle Label Security
  • 8.2 Virtual Private Database, Oracle Label Security, and Data Redaction Differences
  • 8.3 Guidelines for Planning an Oracle Label Security Policy
  • 8.4 Tutorial: Creating Levels of Access to Table Data Based on the User
    • 8.4.1 About Creating Levels of Access to Table Data Based on the User
    • 8.4.2 Step 1: Enable Oracle Label Security
    • 8.4.3 Step 2: Enable the LBACSYS Account
    • 8.4.4 Step 3: Create a Role and Three Users for the Oracle Label Security Tutorial
      • 8.4.4.1 Creating a Role
      • 8.4.4.2 Creating the Oracle Label Security Users
    • 8.4.5 Step 4: Create the ACCESS_LOCATIONS Oracle Label Security Policy
    • 8.4.6 Step 5: Define the ACCESS_LOCATIONS Policy-Level Components
    • 8.4.7 Step 6: Create the ACCESS_LOCATIONS Policy Data Labels
    • 8.4.8 Step 7: Create the ACCESS_LOCATIONS Policy User Authorizations
    • 8.4.9 Step 8: Apply the ACCESS_LOCATIONS Policy to the HR.LOCATIONS Table
    • 8.4.10 Step 9: Add the ACCESS_LOCATIONS Labels to the HR.LOCATIONS Data
      • 8.4.10.1 Granting HR FULL Policy Privilege for the HR.LOCATIONS Table
      • 8.4.10.2 Updating the OLS_COLUMN Table in HR.LOCATIONS
    • 8.4.11 Step 10: Test the ACCESS_LOCATIONS Policy
    • 8.4.12 Step 11: Optionally, Remove the Components for This Tutorial
• 9 Auditing Database Activity
  • 9.1 About Auditing
  • 9.2 Why Is Auditing Used?
  • 9.3 Tutorial: Creating a Unified Audit Policy
    • 9.3.1 Step 1: If Necessary, Enable Unified Auditing
    • 9.3.2 Step 2: Grant the SEC_ADMIN User the AUDIT_ADMIN Role
    • 9.3.3 Step 3: Create and Enable a Unified Audit Policy
    • 9.3.4 Step 4: Test the Unified Audit Policy
    • 9.3.5 Step 5: Optionally, Remove the Components for This Tutorial
    • 9.3.6 Step 6: Optionally, Remove the SEC_ADMIN Security Administrator Account
• Index