Index

A B C D E F G H I K L M N O P Q R S T U V W X

Symbols

"all permissions", 2.3, 7.6

"change_on_install" default password, 2.3, 7.6

"manager" default password, 2.3, 7.6

Numerics

07_DICTIONARY_ACCESSIBILITY, 7.3.3.2

A

access control, 5.1

enforce, 7.6

fine-grained access control, 6.2

password encryption, 4.3.1, 7.3.1.1

privileges, 5.1

account locking

explicit, 7.4.1

password management, 7.4.1

example, 7.4.1

PASSWORD_LOCK_TIME, 7.4.1

ADD_CONTEXT procedure, 15.10

ADD_GROUPED_POLICY procedure, 15.10

ADD_POLICY procedure, 15.10

ADMIN OPTION

about, 11.6.1.1

revoking roles/privileges, 11.7.1

roles, 5.2.3.1

system privileges, 5.1.1.2

administration

difficulties in complex environments, 1.1

administrative

delays, 1.1

passwords, 2.3, 7.6

privileges, 7.3.3

roles, 7.3.3

administrator

application security, 7.3.5

administrator connections, 7.3.3.2

administrator privileges

statement execution audited, 8.1.2

write, on listener.ora, 7.6

administrator security, 7.3.3

adump directory, 12.2.4

AES, Preface

algorithms

encryption, Preface

hash, Preface, Preface

ALTER privilege statement, 13.7.2

ALTER PROFILE statement

password management, 7.4

ALTER RESOURCE COST statement, 11.3.1, 11.3.1

ALTER ROLE statement

changing authorization method, 11.5.1

ALTER SESSION SET SCHEMA statement, 14.3.1.2

ALTER SESSION statement

SET SCHEMA, 13.6.1

ALTER TABLE statement

auditing, 8.3

ALTER USER privilege, 11.1.2

ALTER USER statement, 7.3.3.1, 7.4, 7.4.2

default roles, 11.9.2

explicit account unlocking, 7.4.1

GRANT CONNECT THROUGH clause, 10.1.4

password

expire, 7.4.2

REVOKE CONNECT THROUGH clause, 10.1.4

altering users, 11.1.2

ANONYMOUS, 7.6

anonymous PL/SQL blocks, 13.5.2

ANY system privilege, 7.6

application administrator security, 7.3.5

application administrators, 7.3.5

application context, 7.2

as secure data cache, 14.3.2.1, 15, 15.1

bind variables, 14.3.2.3

creating, 15.2.2

examples, 15.3

fine-grained access control, 3.2.6, 14.3.2

how to use session-based, 15.2

parallel query, Preface, 15.2.1.4

performance, 15.3.1.4

returning predicate, 14.3.2.2

security features, 14.3.1

setting, 15.2.3

support for database links, 15.4

USERENV namespace, 14.3.1.2

using in policy, 15.2.4

application developer environment

test and production databases, 7.3.4.2

application developer security, 7.3.4

application developers

privileges, 7.3.4.1

privileges for, 7.3.4.1

roles for, 7.3.4.4

application development

CREATE privileges, 7.3.4.4

free versus controlled, 7.3.4.3

object privileges, 7.3.4.4

roles and privileges, 7.3.4.4

security domain, 7.3.4.5

security for, 7.3.4.3

application roles, 13.4

application security

considerations for use, 13.2

limitations, 14.1.1.3

specifying attributes, 14.3.1.1

applications

about security policies for, 13.1

context, 6.2.2

database users, 13.2.1

enhancing security with, 5.2.1

One Big Application User model, 13.2.1, 13.2.2

roles, 13.5

roles and, 5.2.2.1

security, 13.2.2, 14.5.2

application context, 6.2.2

applications development

space restrictions, 7.3.4.5

tablespaces

developer restrictions, 7.3.4.5

AQ_ADMINISTRATOR_ROLE role, 11.4.3

AQ_USER_ROLE role, 11.4.3

AS SYSDBA, 2.3, 2.3

create, drop, delete, etc., 7.3.3.2

for administrator access, 2.3, 7.3.3.2, 7.3.3.2, 7.3.3.2, 7.4.5.2, 7.6

AS SYSOPER, 2.3, 7.3.3.2

startup, shutdown, recovery, etc., 7.3.3.2

attacks

denial of service, 2.4.4, 7.6

attributes, USERENV, 14.3.1.2

audit directory, 12.2.4

audit filenames, 12.2.4

audit files, 12.1, 12.2.4, 12.2.4, 12.2.6, 12.3, 12.3.2, 12.4.1.1, 12.4.5.2

AUDIT statement

BY proxy clause, 12.4.2

schema objects, 12.4.3.3

statement auditing, 12.4.3.1.1

system privileges, 12.4.3.1.1

audit trail, 12.4.5

archiving, 12.4.5.2

controlling size of, 12.4.5

creating and deleting, 12.5

deleting views, 12.5.3

dropping, 12.5

interpreting, 12.5.2

maximum size of, 12.4.5

protecting integrity of, 12.4.6

purging records from, 12.4.5.1

reducing size of, 12.4.5.3

table that holds, 12.2.6

views on, 12.5.1

audit trail, uniform, Preface

AUDIT_FILE_DEST initialization parameter, 12.4.1, 12.4.1.2

setting for OS auditing, 12.4.1.2

AUDIT_SYS_OPERATIONS initialization parameter, 12.4.1

auditing SYS, 12.2.4

AUDIT_TRAIL initialization parameter, 12.4.1

auditing SYS, 12.2.4

DB, EXTENDED setting, 12.4.1.1

setting, 12.4.1.1

AUDIT_TRAIL=DB, 12.4.1.1

AUDITED_CURSORID attribute, 14.3.1.2

auditing, 12.2.6

audit option levels, 12.4.3

audit options, 8.1

audit records, 8.1.1

audit trail records, 12.3.1

audit trails, 8.1.1

database, 8.1.1.1, 12.3.1

operating system, 8.1.1.2, 8.1.1.5

syslog, 8.1.1.3

by access, 8.5.2.2

mandated for, 8.5.2

by session, 8.5.2.1

prohibited with, 8.5.2

compromised by One Big Application User, 13.2.1

database and operating-system usernames, 4.1

DDL statements, 8.2

default options, 12.4.3.3

described, 8

disabling default options, 12.4.4.2

disabling options, 12.4.1, 12.4.4, 12.4.4.1, 12.4.4.2, 12.4.4.3

disabling options versus auditing, 12.4.4

DML statements, 8.2

enabling options, 12.4.1

privileges for, 12.4.1

enabling options versus auditing, 12.4.3

fine-grained, 12.6

guidelines, 12.2

historical information, 12.2.2

information stored in OS file, 12.3.2

keeping information manageable, 12.2.1

managing the audit trail, 12.5

mandatory, 8.1.1.5

multi-tier environments, 12.4.2

network, 12.4.3.4

turning off, 12.4.4.3

turning on, 12.4.3.4

new features, Preface

n-tier systems, 16.2.1.4

object

turning off, 12.4.4.2

turning on, 12.4.3.3

operating-system audit trails, 12.2.6

policies for, 7.5

privilege

turning on, 12.4.3.2

privilege audit options, 12.4.3.2

privilege use, 8.1, 8.3

privileges required for object, 12.4.3.3

privileges required for system, 12.4.3.2

range of focus, 8.1, 8.5

schema object, 8.1, 8.1, 8.4

schema objects, 12.4.3.3

security and, 8.1.1.2

session level, 12.4.3.1.1

statement, 8.1, 8.2, 12.4.3.1.1

turning on, 12.4.3.1

statement and privilege

turning off, 12.4.4.1

statement level, 12.4.3.1

successful executions, 8.5.1

suspicious activity, 12.2.3

SYS, 12.2.4

system privileges, 12.4.3.1.1

to OS file, 12.4.1.2

transaction independence, 8.1.2

unsuccessful executions, 8.5.1

user, 8.5.3

using the database, 12.2.6

using the operating system, 12.2.6

viewing

active object options, 12.5.2.3

active privilege options, 12.5.2.2

active statement options, 12.5.2.1

default object options, 12.5.2.4

views, 12.5.1

when options take effect, 8.1.2

auditing policy, 7.5

AUTHENTICATED_IDENTITY attribute, 14.3.1.2

authentication

by database, 10.1.1

by SSL, 10.1, 10.1.3.1.1

certificate, 7.6

client, 7.6, 7.6

compromised by One Big Application User, 13.2.1

database administrators, 4.5

described, 4

directory service, 10.1.3.1

external, 10.1.2

global, 10.1.3

multitier, 4.4

network, 4.2.2

n-tier systems, 16.2.1.1

operating system, 4.1

Oracle, 4.3

password policy, 7.3.1.1

proxy, 10.1.4

public key infrastructure, 4.2.2.2

remote, 4.2.2.3, 7.6, 7.6

specifying when creating a user, 11.1.1.2

strong, 7.6

SYSDBA on Windows systems, 4.5

user, 7.6

users, 7.1.2

ways to authenticate users, 10.1

Windows native authentication, 4.5

AUTHENTICATION_DATA attribute, 14.3.1.2

AUTHENTICATION_METHOD attribute, 14.3.1.2

authorization

changing for roles, 11.5.1

global, 10.1.3

omitting for roles, 11.5.1

operating-system role management and, 11.5.2.3.1

roles, about, 11.5.2

Axent, 7.6

B

backups, 7

batch jobs, authenticating users in, 9

bfiles, 7.6

BG_JOB_ID attribute, 14.3.1.2

bind variables, 14.3.2.3

information captured in audit trail, 12.4.1.1

Block cipher, Preface

C

cascading revokes, 11.7.3

CATAUDIT.SQL script

running, 12.5.1

categories of security issues, 1

CATNOAUD.SQL, 12.5.3

CATNOAUD.SQL script

running, 12.5.3

central repository, 1.1

centralized management with distributable tools, 1.1.1

certificate authentication, 7.6

certificate key algorithm

Secure Sockets Layer

certificate key algorithm, 2.4.1

certificates for user and server authentication, 2.4.2

chaining mode, Preface

modifiers (CBC, CFB, ECB, OFB, Preface

character sets

multibyte characters in role names, 11.5.1

multibyte characters in role passwords, 11.5.2.1

checklists and recommendations, 2

custom installation, 2.3, 7.6, 7.6

disallow modifying default permissions for Oracle Database home (installation) directory or its contents, 2.3

disallow modifying Oracle home default permissions, 7.6

limit the number of operating system users, 2.3, 7.6

limit the privileges of the operating system accounts, 2.3, 7.6

networking security, 2.4, 7.6

personnel, 2.2

physical access control, 2.1

restrict symbolic links, 2.3, 7.6

secure installation and configuration, 2.3, 7.6

CheckPoint, 7.6

cipher suites

Secure Sockets Layer, 2.4.1

Cisco, 7.6

client checklist, 2.4.2

CLIENT_IDENTIFIER

setting and clearing with DBMS_SESSION package, 16.2.2.3

setting for applications that use JDBC, 16.2.2.3

setting with OCI user session handle attribute, 16.2.2.3

CLIENT_IDENTIFIER attribute, 14.3.1.2

CLIENT_INFO attribute, USERENV, 14.3.1.2

column masking behavior, 14.1.1.2, 15.10.3

column masking behavior restrictions, 15.10.3.2

column masking behavior, VPD, Preface, 15.10.3.2

column-level VPD, 14.1.1.1, 15.10.3

adding policies for, 15.10.3

column masking behavior, 15.10.3.2

column masking restrictions, 15.10.3.2

does not apply to synonyms, 15.10.3

new features, Preface

columns

granting privileges for selected, 11.6.2.3

granting privileges on, 11.6.2.3

INSERT privilege and, 11.6.2.3

listing users granted to, 11.11.3

privileges, 11.6.2.3

pseudocolumns

USER, 5.1.4.2

revoking privileges on, 11.7.2.2

common platform for examples, 7.6

complex environments

administration difficulties, 1.1, 1.1

concurrency

limits on

for each user, 5.3.1.5

configuration files, 2.4.1, 2.4.1, 2.4.1

listener, 7.6

sample listener.ora, 7.6

sqlnet.ora, 4.3

SSL, 2.4.1

typical directory, 2.4.1

CONNECT /, 7.3.3.2

CONNECT role, 5.2.7, 5.2.7, 11.4.3

CONNECT statement, 7.6, 7.6, 11.4.3

connection pooling, 4.4

connections

auditing, 12.4.3.1.1

SYS-privileged, 2.3, 7.6

connections as SYS and SYSTEM, 7.3.3.1

context-sensitive policy type, Preface, 15.10.1, 15.10.2.2

controlled development, 7.3.4.3

CPU time limit, 5.3.1.3

CREATE ANY TABLE statement, 2.3, 7.6

CREATE CONTEXT statement, 15.2.2

CREATE DBLINK statement, 7.6

CREATE PROCEDURE statement, 7.3.4.4

developers, 7.3.4.1

CREATE PROFILE statement, 7.4, 7.4.2

failed login attempts, 7.4.1

how long account is locked, 7.4.1

password aging and expiration, 7.4.2

password management, 7.4

CREATE ROLE statement

IDENTIFIED BY option, 11.5.2.1

IDENTIFIED EXTERNALLY option, 11.5.2.3

CREATE SCHEMA statement, 13.6.1

CREATE SESSION statement, 7.6, 11.4.3, 13.6.1

CREATE statement

AS SYSDBA, 7.3.3.2

CREATE TABLE statement, 7.3.4.4

auditing, 8.2, 8.3, 8.5.1

developers, 7.3.4.1

CREATE USER statement, 7.4

explicit account locking, 7.4.1

IDENTIFIED BY option, 11.1.1.2

IDENTIFIED EXTERNALLY option, 11.1.1.2

password

expire, 7.4.2

CREATE VIEW statement, 7.3.4.4

CREATE_POLICY_GROUP procedure, 15.10

creating an audit trail, 12.5

CTXSYS, 7.6

CURRENT_BIND attribute, 14.3.1.2

CURRENT_SCHEMA attribute, USERENV, 14.3.1.2

CURRENT_SCHEMAID attribute, 14.3.1.2

CURRENT_SQL attribute, 14.3.1.2

CURRENT_SQL_LENGTH attribute, 14.3.1.2

CURRENT_SQL1 to CURRENT_SQL7 attributes, 14.3.1.2

cursors

shared, 14.3.2.3

custom installation, 2.3, 7.6, 7.6

D

data

access to

fine-grained access control, 6.2

security level desired, 7.2

data definition language

auditing, 8.2

roles and privileges, 5.2.6

data dictionary protection, 2.3, 7.6

data dictionary tables, 7.3.3.1

data encryption, 3.1.2

data files, 7.6

data manipulation language

auditing, 8.2

privileges controlling, 5.1.3.1

data security level

based on data sensitivity, 7.2

data security policy, 7.2

database

granting privileges, 11.6

granting roles, 11.6

security and schemas, 13.6

user and application user, 13.2.1

database administrators

application administrator versus, 7.3.5

roles

for security, 7.3.3.3, 7.3.3.3, 7.3.3.3, 7.3.3.3, 7.3.3.3

security for, 7.3.3

security officer versus, 7.1

database administrators (DBAs)

authentication, 4.5

DBA role, 5.2.7

password files, 4.5

database authentication, 10.1.1

Database Configuration Assistant, 2.3, 2.3, 7.6, 7.6

database descriptors, 7.6

database link, 4.1, 4.2.2, 4.2.2.1, 5.1.2, 6.1, 8.4, 10.1.3.2

database links, 15.4

database links, and SYS_CONTEXT, 15.2.1.5

database security

elements and operations, 1

database user management, 7.1.1

databases

access control

password encryption, 4.3.1, 7.3.1.1

limitations on usage, 5.3

production, 7.3.4.2, 7.3.5

test, 7.3.4.2

DB_DOMAIN attribute, USERENV, 14.3.1.2

DB_NAME attribute, 14.3.1.2

DB_UNIQUE_NAME, 12.2.4

DBA role, 5.2.7, 11.4.3

DBA_COMMON_AUDIT_TRAIL view, Preface

DBA_ROLE_PRIVS view, 13.3

DBA_ROLES data dictionary view

PUBLIC role, 11.8

DBMS_CRYPTO, Preface, 17.3, 17.3.1

DBMS_FGA package, 12.7

DBMS_OBFUSCATION_TOOLKIT, Preface, 17.3

DBMS_RLS package, 15.10

security policies, 6.2

DBMS_RLS.ADD_POLICY

sec_relevant_cols parameter, 14.1.1.1, 15.10.3.1

sec_relevant_cols_opt parameter, 15.10.3.2

DBMS_SESSION package

SET_CONTEXT procedure, 15.2.2

SET_ROLE procedure, 13.5.2, 13.5.2

DBMS_SQL package

SET_ROLE procedure, 13.5.3

DBMS_SQLHASH Package, B.1

DBMS_SQLHASH.GETHASH Function, B.2

DBSNMP, 2.3, 2.3, 7.6, 7.6, 7.6, 7.6

default

audit options, 12.4.3.3

disabling, 12.4.4.2

default accounts

ANONYMOUS, 7.6

CTXSYS, 7.6

DBSNMP, 7.6

DIP, 7.6

DMSYS, 7.6

EXFSYS, 7.6

HR, 7.6

MDDATA, 7.6

MDSYS, 7.6

MGMT_VIEW, 7.6

ODM, 7.6

ODM_MTR, 7.6

OE, 7.6

OLAPSYS, 7.6

ORDPLUGINS, 7.6

ORDSYS, 7.6

OUTLN, 7.6

PM, 7.6

QS, 7.6

QS_ADM, 7.6

QS_CB, 7.6

QS_CBADM, 7.6

QS_CS, 7.6

QS_ES, 7.6

QS_OS, 7.6

QS_WS, 7.6

RMAN, 7.6

SCOTT, 7.6

SH, 7.6

SI_INFORMTN_SCHEMA, 7.6

SYS, 7.6

SYSMAN, 7.6

SYSTEM, 7.6

WK_TEST, 7.6

WKPROXY, 7.6

WKSYS, 7.6

WMSYS, 7.6

XDB, 7.6

default passwords, 2.3, 2.3, 2.3, 2.3, 2.3, 7.3.3.1, 7.3.3.1, 7.4.5.2, 7.6, 7.6, 7.6, 7.6, 7.6, 7.6, 17.2.2

default permissions, 2.3, 7.6

default roles, 11.9.2

default user

accounts, 2.3, 2.3, 7.6, 7.6

passwords, 2.3, 7.6, 7.6, 7.6

default users

enterprise manager accounts, 7.6

defaults

"change_on_install" or "manager" passwords, 2.3, 7.6

role, 11.1.2.2

tablespace quota, 11.1.1.4

user tablespaces, 11.1.1.3

definer's rights

procedure security, 5.1.5.1

delays

administrative, 1.1

DELETE privilege, 13.7.2

DELETE statement, 7.3.3.2

AS SYSDBA, 7.3.3.2

DELETE_CATALOG_ROLE role, 11.4.1.2, 11.4.3

DELETE_POLICY_GROUPS procedure, 15.10

denial of service attacks, 2.4.4, 7.6

DES, Preface

developers, application, 7.3.4.1

development environment

free versus controlled, 7.3.4.3

dictionary protection mechanism, 11.4.1.1

DIP, 7.6

directory service

E

eavesdropping, 2.4.2

ENABLE_GROUPED_POLICY procedure, 15.10

ENABLE_POLICY procedure, 15.10

enabling

roles, 3.2.1

enabling resource limits, 11.3

encryption, 2.4.4, 3.1.2, 17.3, 17.3.1

algorithms, Preface

database passwords, 10.1.1

fine-grained audit policies on encrypted columns, 12.7.1.3

network traffic, 7.6

stored data, 7.6

end-user security, 7.3.2

enforcement options

exemptions, 14.5.3

enterprise directory service, 7.3.2.2, 11.5.2.4

Enterprise Edition, 2.3, 7.6, 7.6

Enterprise Manager

granting roles, 5.2.3

statistics monitor, 5.4.1

enterprise roles, 7.3.2.2, 10.1.3, 11.5.2.4

enterprise user management, 13.2.1

Enterprise User Security, 15.5.2

enterprise users, 7.3.2.2, 10.1.3, 11.5.2.4, 13.6.2

ENTERPRISE_IDENTITY attribute, 14.3.1.2

ENTRYID attribute, 14.3.1.2

errors

ORA-28133, 12.7.1.3

event triggers, 15.3.3

EXECUTE privilege, 2.3, 7.6, 13.7.2

EXECUTE_CATALOG_ROLE role, 11.4.1.2, 11.4.3

EXEMPT ACCESS POLICY privilege, 14.5.3

EXFSYS, 7.6

EXP_FULL_DATABASE role, 5.2.7, 11.4.3

expired & locked, 7.6

expiring

passwords, 4.3.3

explicitly expiring a password, 7.4.2

Export utility

policy enforcement, 14.5.3

EXTENDED, 12.4.1.1, 12.4.1.2

external authentication

by network, 10.1.2.3

by operating system, 10.1.2.2

external tables, 7.6

F

failed login attempts

account locking, 7.4.1

password management, 7.4.1

resetting, 7.4.1

falsified IP addresses, 2.4.2

falsified or stolen client system identities, 2.4.2

features, new

See new features

Virtual Private Database, Preface

FG_JOB_ID attribute, 14.3.1.2

files

audit, 12.1, 12.2.4, 12.2.4, 12.2.6, 12.3, 12.3.2, 12.4.1.1, 12.4.5.2

bfiles, 2.3, 7.6

BLOB, 17.4.6

configuration, 2.4.1, 4.3.5, 7.6

data, 2.3, 7.6

external tables, 2.3, 7.6

init<sid>.ora, 7.6

keys, 17.4.4.2

listener.ora, 2.4.1

log, 2.3, 7.6, 12.2.4, 12.4.1.2

password, 4.5

restrict listener access, 2.4.3

restrict symbolic links, 2.3, 7.6

server.key, 2.4.1, 2.4.1

SSL, 2.4.1

trace, 2.3, 7.6

UTLPWDMG.SQL, 4.3.5

fine-grained access control, 6.2, 7.2

application context, 3.2.6, 14.3.2

features, 14.2.1

performance, 14.2.1.4

fine-grained auditing, 12.6

encrypted table columns, 12.7.1.3

introduction, 3.1.2

multiple objects, columns, statements, including INDEX, 7.5

policies, 7.5

Firewall-1, 7.6

firewalls, 2.4.4, 2.4.4, 2.4.4, 7.6, 7.6

breach

vulnerable data, 2.4.4, 7.6

ill-configured, 7.6

no holes, 7.6

ports, 2.4.1

supported

packet-filtered, 7.6

proxy-enabled, 7.6

flashback query, 12.3.1, 15.14

foreign keys

privilege to use parent key, 5.1.3.2

formatting of password complexity verification routine, 7.4.5.1

free development, 7.3.4.3

FTP, 7.6

functions

PL/SQL

privileges for, 5.1.5

roles, 5.2.5

G

Gauntlet, 7.6

general user security, 7.3.1

global authentication and authorization, 10.1.3

global roles, 10.1.3, 11.5.2.4

global users, 10.1.3

GLOBAL_CONTEXT_MEMORY attribute, 14.3.1.2

GLOBAL_UID attribute, 14.3.1.2

good security

what it requires, 2

grace period

example, 7.4.2

password expiration, 7.4.2, 7.4.2

GRANT ALL PRIVILEGES

SELECT ANY DICTIONARY, 7.6

GRANT ANY OBJECT PRIVILEGE system privilege, 11.6.2.2, 11.7.2.1

GRANT ANY PRIVILEGE system privilege, 5.1.1.2

GRANT CONNECT THROUGH clause

for proxy authorization, 10.1.4

GRANT statement, 11.6.1

ADMIN OPTION, 11.6.1.1

creating a new user, 11.6.1.2

object privileges, 11.6.2, 13.7.1

system privileges and roles, 11.6

when takes effect, 11.9

WITH GRANT OPTION, 11.6.2.1

granting

privileges and roles, 5.1.1.1

granting privileges and roles

listing grants, 11.11

specifying ALL, 11.4.2

H

hacked operating systems or applications, 2.4.2

harden

operating system, 7.6

hash

keyed, Preface

hash algorithms, Preface

HOST attribute, 14.3.1.2

HR, 7.6

HS_ADMIN_ROLE role, 11.4.3

HTTPS port, 2.4.1

I

identity management

centralized management with distributable tools, 1.1.1

components, 1.1.2

desired benefits, 1.1.1

infrastructure, 1.1.2

Oracle's infrastructure components, 1.1.2

seamless timely distribution, 1.1.1

security, 1.1

single sign-on, 1.1.1

sngle point of integration, 1.1.1

solution, 1.1

IMP_FULL_DATABASE role, 5.2.7, 11.4.3

INDEX privilege, 13.7.2

init<sid>.ora file, 7.6

INSERT privilege, 13.7.2

granting, 11.6.2.3

revoking, 11.7.2.2

INSTANCE attribute, 14.3.1.2

INSTANCE_NAME attribute, 14.3.1.2

invoker's rights

procedure security, 5.1.5.1

invoker's rights stored procedures, 13.5.2

IP address

fakeable, 2.4.4

IP addresses, 7.6, 7.6

IP_ADDRESS attribute, 14.3.1.2

ISDBA attribute, USERENV, 14.3.1.2

iTAR, 7.6

K

Kerberos, 2.3, 7.6

keyed hash, Preface

L

LANG attribute, 14.3.1.2

LANGUAGE attribute, 14.3.1.2

least privilege principle, 2.3, 7.6, 7.6, 7.6

lifetime for passwords, 4.3.3

Lightweight Directory Access Protocol (LDAP), 15.3.1.4

limit operating system account privileges, 2.3, 7.6

limit sensitive data dictionary access, 7.3.3.2

limit the number of operating system users, 2.3, 7.6

listener, 7.6

checklist, 2.4.3

establish password, 2.4.4, 2.4.4, 7.6, 7.6

not Oracle owner, 7.6

prevent on-line administration, 7.6

restrict privileges, 2.4.3, 7.6

sample configuration, 7.6

secure administration, 2.4.3, 2.4.4, 7.6

listener.ora, 2.4.1

add line, 7.6

sample, 7.6

typical directory, 2.4.1

lock and expire, 2.3, 2.3, 2.3, 7.6, 7.6, 7.6

unlock via ALTER USER statement, 7.3.3.1

log files, 7.6, 7.6, 12.2.4, 12.4.1.2

logical reads limit, 5.3.1.4

logon triggers, 15.2.1, 15.3.1

M

MAC, Preface

mail messages

arbitrary, 7.6

unauthorized, 7.6

managing roles, 11.5

mandatory auditing, 8.1.1.5

MAX_ENABLED_ROLES initialization parameter

enabling roles and, 11.9.3

MD4, Preface

MD5, Preface

MDDATA, 7.6

MDSYS, 7.6, 7.6

memory

viewing per user, 11.2.5

message authentication code, Preface

methods

privileges on, 5.1.6

MGMT_VIEW, 7.6

middle tier systems, 14.3.1.2

mode, SSL, 2.4.1

monitoring, 8

monitoring user actions, 8

multiple administrators

roles example, 7.3.3.3, 7.3.3.3, 7.3.3.3, 7.3.3.3, 7.3.3.3

multiplex multiple client network sessions, 2.4.4

multi-tier environments

auditing clients, 12.4.2

N

Net8, 7.6

network

auditing, 12.4.3.4

authentication, 10.1.2.3

Network Associates, 7.6

network auditing

turning off, 12.4.4.3

turning on, 12.4.3.4

network authentication, 10.1.2.3

network authentication services, 2.3, 7.6

smart cards, 7.6

token cards, 7.6

X.509 certificates, 7.6

network connections

arbitrary transmissions, 7.6

outgoing, 7.6

network IP addresses, 2.4.4, 7.6

NETWORK_PROTOCOL attribute, 14.3.1.2

networking security checklists, 2.4, 7.6

client checklist, 2.4.2

listener checklist, 2.4.3

network checklist, 2.4.4

SSL, 2.4.1

configuration files, 2.4.1

mode, 2.4.1

tcps, 2.4.1

networks

network authentication service, 4.2.2

new features, Preface

auditing, Preface

column-level VPD, Preface

policy types, Preface

Virtual Private Database, Preface

NLS_CALENDAR attribute, 14.3.1.2

NLS_CURRENCY attribute, 14.3.1.2

NLS_DATE_FORMAT attribute, 14.3.1.2

NLS_DATE_LANGUAGE attribute, 14.3.1.2

NLS_SORT attribute, 14.3.1.2

NLS_TERRITORY attribute, 14.3.1.2

NOAUDIT statement

disabling audit options, 12.4.4

disabling default object audit options, 12.4.4.2

disabling network auditing, 12.4.4.3, 12.4.4.3

disabling object auditing, 12.4.4.2

disabling statement and privilege auditing, 12.4.4.1, 12.4.4.1

O

O7_DICTIONARY_ACCESSIBILITY, 2.3, 7.6, 7.6, 11.4.1.1, 11.4.1.1, 11.4.1.1, 11.4.1.1, 11.4.1.1

initialization parameter, 11.4.1.1

object auditing

turning off, 12.4.4.2

turning on, 12.4.3.3

object privileges, 2.3, 5.1.2, 6.1, 7.6

developers, 7.3.4.4

granting on behalf of the owner, 11.6.2.2

revoking, 11.7.2

revoking on behalf of owner, 11.7.2.1

schema object privileges, 5.1.2, 6.1

P

packages

auditing, 8.4

examples of, 5.1.5.3, 5.1.5.3

privileges

divided by construct, 5.1.5.3

executing, 5.1.5, 5.1.5.3

Padding forms, Preface

parallel execution servers, 15.2.1.4

parallel query

and SYS_CONTEXT, Preface

application context, Preface

parallel query, and SYS_CONTEXT, 15.2.1.4

pass-phrase

to read and parse server.key file, 2.4.1

password

establish for listener, 2.4.4, 2.4.4, 7.6, 7.6

password aging and expiration, 7.4.2

grace period, 7.4.2, 7.4.2

example, 7.4.2

password complexity verification, 4.3.5, 7.4.5

formatting of routine, 7.4.5.1

sample routine, 7.4.5.2

password files, 4.5, 7.3.3.2, 7.3.3.2

password management

account locking, 7.4.1

explicit, 7.4.1

ALTER PROFILE statement, 7.4

CREATE PROFILE statement, 7.4

expiration grace period, 7.4.2, 7.4.2

explicitly expire, 7.4.2

failed login attempts, 7.4.1

failed logins resetting, 7.4.1

grace period

example, 7.4.2

history, 7.4.4

lifetime for password, 7.4.2

password complexity verification, 7.4.5

PASSWORD_LOCK_TIME, 7.4.1

PASSWORD_REUSE_MAX, 7.4.4

PASSWORD_REUSE_TIME, 7.4.4

sample password complexity verification routine, 7.4.5.2

UTLPWDMG.SQL

password management, 7.4.5

password management policy, 7.4

password security, 7.3.1.1

PASSWORD_LIFE_TIME, 7.4.2

PASSWORD_LOCK_TIME, 7.4.1

PASSWORD_REUSE_MAX, 7.4.4

PASSWORD_REUSE_TIME, 7.4.4

passwords

account locking, 4.3.2

administrative, 2.3, 7.6

change via ALTER USER statement, 7.3.3.1

changing for roles, 11.5.1

complexity verification, 4.3.5

connecting without, 4.1

database user authentication, 4.3

default, 7.3.3.1

duration, 2.3, 7.6

encryption, 4.3.1, 7.3.1.1, 10.1.1

expiring, 4.3.3

history, 7.4.4

PASSWORD_REUSE_MAX, 7.4.4

PASSWORD_REUSE_TIME, 7.4.4

length, history, and complexity, 7.6

length, history, and complexity,, 2.3

life time set too low, 7.4.3

management, 7.4

management rules, 2.3, 7.6

password files, 4.5

password reuse, 4.3.4

privileges for changing for roles, 11.5.1

privileges to alter, 11.1.2

reuse, 2.3, 7.6

role, 3.2.3

roles, 11.5.2.1

security policy for users, 7.3.1.1

SYS and SYSTEM, 2.3, 7.6, 7.6

used in roles, 5.2.1

user authentication, 10.1.1

performance

resource limits and, 5.3

permissions

server.key file, 2.4.1

personnel checklist, 2.2

personnel security, 1

physical access control checklist, 2.1

physical security, 1

PIX Firewall, 7.6

PKCS #5, Preface

PKI, 4.2.2.2

PL/SQL

anonymous blocks, 13.5.2

auditing of statements within, 8.1.2

dynamically modifying SQL statements, 14.1.1

roles in procedures, 5.2.5

setting context, 15.2.1

PM, 7.6

policies

auditing, 7.5

password management, 7.4

policy function, 7.2

policy types

context-sensitive, Preface, 15.10.1, 15.10.2.2

new features, Preface

shared, Preface, 15.10.1

static, Preface, 15.10.1, 15.10.2.1

POLICY_INVOKER attribute, 14.3.1.2

practical security concerns, 2

predicates

dynamic

in security policies, 6.2.1

principle of least privilege, 2.3, 7.6, 7.6, 7.6

privacy, 2.3, 7.6

Private Schemas, 10.1.3.1.1

privilege auditing

turning off, 12.4.4.1

turning on, 12.4.3.2

privilege management, 7.3.1.2

privileges, 11.4

Q

QS, 7.6

QS_ADM, 7.6

QS_CB, 7.6

QS_CBADM, 7.6

QS_CS, 7.6

QS_ES, 7.6

QS_OS, 7.6

QS_WS, 7.6

query rewrite

dynamic predicates in security policies, 6.2.1

quotas

listing, 11.2.1

revoking from users, 11.1.1.4.1

setting to zero, 11.1.1.4.1

tablespace, 11.1.1.4

temporary segments and, 11.1.1.4

unlimited, 11.1.1.4.2

viewing, 11.2.3

R

RADIUS, 4.2.2.3

Raptor, 7.6

RC4, Preface

reads

data block

limits on, 5.3.1.4

reauthenticating clients, 16.1.4.3, 16.1.4.3

RECOVERY_CATALOG_OWNER role, 11.4.3

REFERENCES privilege, 13.7.2

CASCADE CONSTRAINTS option, 11.7.2.3

revoking, 11.7.2.2, 11.7.2.3

when granted through a role, 5.2.6

REFRESH_GROUPED_POLICY procedure, 15.10, 15.11

REFRESH_POLICY procedure, 15.10, 15.11

remote authentication, 2.3, 7.6, 7.6

REMOTE_OS_AUTHENT, 7.6

REMOTE_OS_AUTHENT initialization parameter

setting, 10.1.2.2

remote_os_authentication, 2.3, 7.6, 7.6

REMOTE_OS_ROLES initialization parameter

setting, 11.5.2.3.2, 11.10.5

reparsing, 15.2.3

resetting failed login attempts, 7.4.1

resource limits

call level, 5.3.1.2

connect time for each session, 5.3.1.5

CPU time limit, 5.3.1.3

determining values for, 5.4.1

disabling, 11.3

enabling, 11.3

idle time in each session, 5.3.1.5

logical reads limit, 5.3.1.4

number of sessions for each user, 5.3.1.5

private SGA space for each session, 5.3.1.5

profiles, 11.3

RESOURCE privilege, 13.6.1

RESOURCE role, 5.1.6.1, 5.2.7, 11.4.3

resources

profiles, 11.3

restrict symbolic links, 2.3, 7.6

restrictions

space

developers, 7.3.4.5

tablespaces, 7.3.4.5

REVOKE CONNECT THROUGH clause

revoking proxy authorization, 10.1.4

REVOKE statement, 11.7.1

when takes effect, 11.9

revoking privileges and roles

on selected columns, 11.7.2.2

specifying ALL, 11.4.2

REVOKE statement, 11.7.1

when using operating-system roles, 11.10.3

rewrite

predicates in security policies, 6.2.1

RMAN, 7.6

role, 7.2

typical developer, 7.3.4.4

role identification

operating system accounts, 11.10.1

ROLE_SYS_PRIVS view, 13.3

ROLE_TAB_PRIVS view, 13.3

roles, 5.2, 7.3.1.2, 7.3.2, 7.6

ADMIN OPTION and, 11.6.1.1

administrative, 7.3.3

advantages, 13.3

application, 5.2.2.1, 13.5, 13.5, 13.7, 14.5.2

application developers and, 7.3.4.4

AQ_ADMINISTRATOR_ROLE, 11.4.3

AQ_USER_ROLE, 11.4.3

authorization, 11.5.2

authorized by enterprise directory service, 11.5.2.4

changing authorization for, 11.5.1

changing passwords, 11.5.1

CONNECT role, 5.2.7, 11.4.3

CONNECT statement, 7.6, 11.4.3

create your own, 7.6

database authorization, 11.5.2.1

DBA role, 5.2.7, 11.4.3

DDL statements and, 5.2.6

default, 11.1.2.2, 11.9.2

definer's rights procedures disable, 5.2.5.1

definition, 11.4.3

DELETE_CATALOG_ROLE, 11.4.3

dependency management in, 5.2.6

disabling, 11.9.1

dropping, 11.5.3

enabled or disabled, 5.2.3

enabling, 11.9.1, 13.5

enabling and disabling, 3.2.1

enterprise, 10.1.3, 11.5.2.4

example, 7.3.2.1, 7.3.2.1, 7.3.2.1

explanation, 7.3.2.1

EXECUTE_CATALOG_ROLE, 11.4.3

EXP_FULL_DATABASE, 11.4.3

EXP_FULL_DATABASE role, 5.2.7

for multiple administrators

example, 7.3.3.3, 7.3.3.3, 7.3.3.3, 7.3.3.3, 7.3.3.3

functionality, 5.1

global, 10.1.3, 11.5.2.4

global authorization, 11.5.2.4

GRANT statement, 11.10.4

granting, 5.1.1.1, 5.2.3, 11.6.1

granting, about, 11.6

HS_ADMIN_ROLE, 11.4.3

IMP_FULL_DATABASE, 11.4.3

IMP_FULL_DATABASE role, 5.2.7

in applications, 5.2.1

invoker's rights procedures use, 5.2.5.2

job responsibility privileges only, 7.6

listing, 11.11.5

listing grants, 11.11.2

listing privileges and roles in, 11.11.6

management using the operating system, 11.10

managing, 11.5, 13.7

managing through operating system, 5.2.8

maximum, 11.9.3

multibyte characters in names, 11.5.1

multibyte characters in passwords, 11.5.2.1

naming, 5.2

network authorization, 11.5.2.3.2

operating system, 11.10.1

operating system granting of, 11.10.1, 11.10.4

operating-system authorization, 11.5.2.3

OS management and the shared server, 11.10.5

passwords, 3.2.3

passwords for enabling, 11.5.2.1

predefined, 5.2.7, 11.4.3

privileges for creating, 11.5.1

privileges for dropping, 11.5.3

privileges, changing authorization method for, 11.5.1

privileges, changing passwords, 11.5.1

RECOVERY_CATALOG_OWNER, 11.4.3

RESOURCE role, 5.2.7, 11.4.3

restricting from tool users, 14.5.2

restrictions on privileges of, 5.2.6

REVOKE statement, 11.10.4

revoking, 5.2.3, 11.7.1

revoking ADMIN OPTION, 11.7.1

schemas do not contain, 5.2

secure application, 3.1.2

security and, 7.3.2.1

security domains of, 5.2.4

SELECT_CATALOG_ROLE, 11.4.3

SET ROLE statement, 11.10.4

setting in PL/SQL blocks, 5.2.5.2

unique names for, 11.5.1

use of passwords with, 5.2.1

usefulness compromised, 13.2.1

user, 5.2.2.2, 13.5, 13.7

users capable of granting, 5.2.3.1

uses of, 5.2.2

WITH GRANT OPTION and, 11.6.2.1

without authorization, 11.5.1

root file paths

for files and packages outside the database, 2.3, 7.6

row-level security

see fine-grained access control, virtual private database (VPD), and Oracle Label Security

rows

row-level security, 6.2

RSA private key, 2.4.1

run-time facilities, 2.3, 7.6

S

sample configuration

listener, 7.6

sample password complexity verification routine, 7.4.5.2

Sample Schemas, 7.6

remove or re-lock for production, 7.6

test database, 7.6

schema object privileges, 5.1.2, 6.1

DML and DDL operations, 5.1.3

granting and revoking, 5.1.2.1

views, 5.1.4

schema objects

auditing, 8.4

cascading effects on revoking, 11.7.3.2

default audit options, 12.4.3.3

default tablespace for, 11.1.1.3

disabling audit options, 12.4.4.1, 12.4.4.2, 12.4.4.3

enabling audit options on, 12.4.3.3

granting privileges, 11.6.2

in a revoked tablespace, 11.1.1.4.1

owned by dropped users, 11.1.3

privileges on, 5.1.2, 6.1

privileges to access, 11.4.2

privileges with, 11.4.2

revoking privileges, 11.7.2

schema-independent users, 13.6.2

schemas

default, 14.3.1.2

unique, 13.6

SCOTT, 2.3, 7.6, 7.6, 7.6, 7.6

script files, 12.5.3

CATNOAUD.SQL, 12.5.3

scripts, 4.3.5

scripts, authenticating users in, 9

seamless timely distribution, 1.1.1

sec_relevant_cols parameter, 14.1.1.1, 15.10.3.1

sec_relevant_cols_opt parameter, 14.1.1.2, 15.10.3.2

secure application, 13.4

secure application role

using to ensure database connection, 13.4.1

secure installation and configuration checklist, 2.3, 7.6

Secure Sockets Layer, 2.4.1, 2.4.1, 7.1.2, 7.6, 10.1, 10.1.3.1.1

certificate key algorithm, 2.4.1

checklist, 2.4.1

cipher suites, 2.4.1

configuration files, 2.4.1

mode, 2.4.1

pass-phrase, 2.4.1

RSA private key, 2.4.1

server.key file, 2.4.1

tcps, 2.4.1

Secure Sockets Layer (SSL) protocol, 16.1.4.3

security

accessing a database, 7.1

administrator of, 7.1

application administration, 7.3.5

application developers and, 7.3.4

application enforcement of, 5.2.1

auditing, 8, 8.1.1.2

auditing policies, 7.5

authentication of users, 7.1.2

breach effects, 1.1

checklists and recommendations, 2

data, 7.2, 7.2

database security, 7.1

database users and, 7.1.1

default user accounts, 2.3, 7.6, 7.6

dynamic predicates, 6.2.1

effectiveness, 1

elements and operations, 1

enforcement in application, 13.2.2

enforcement in database, 13.2.2

fine-grained access control, 6.2

general principles, 1

general users, 7.3.1

identity management, 1.1

impacts, 1

interaction complexity, 1.1

issues by category, 1

management costs

escalation, 1

multibyte characters in role names, 11.5.1

multibyte characters in role passwords, 11.5.2.1

operating-system security and the database, 7.1.3

passwords, 4.3

personnel dimension, 1

physical dimension, 1

policies

administering, 15.10

applied within database, 14.1.1.3

centrally managed, 14.5.2.3

example, 15.8

implementing, 6.2.2, 14.3.2

multiple policies per table, 14.2.1.2

on tables or views, 14.2.1.1

technical issues, 3.1.2

policies for database administrators, 7.3.3

policy for applications, 13.1, 14.5.2

practical concerns, 2

privilege management policies, 7.3.1.2

privileges, 7.1

procedural dimension, 1

procedures enhance, 5.1.5.1

protecting the audit trail, 12.4.6

REMOTE_OS_ROLES parameter, 11.10.5

requirements and principles, 1

roles to force security, 7.3.2.1

roles, advantages, 13.3

security policies, 6.2

technical dimension, 1

test databases, 7.3.4.2

threats and countermeasures, 3.1.1

total costs, 1

views enhance, 5.1.4.2

what good security requires, 2

security alerts, 7.6

security domain

application development, 7.3.4.5

security domains

enabled roles and, 5.2.3

security patches and workarounds, 2.3, 7.6

security policy function, 7.2

security requirements and principles, 1

security-relevant columns VPD, 14.1.1.1

SELECT ANY DICTIONARY, 7.6, 7.6

SELECT privilege, 13.7.2

SELECT_CATALOG_ROLE role, 11.4.1.2, 11.4.3

sequences

auditing, 8.4

SERVER_HOST attribute, 14.3.1.2

server.key file, 2.4.1, 2.4.1

pass-phrase to read and parse, 2.4.1

permissions on, 2.4.1

service names, 7.6

session primitives, 14.3.1.2

SESSION_ROLES data dictionary view

PUBLIC role, 11.8

SESSION_ROLES view

queried from PL/SQL block, 5.2.5.1

SESSION_USER attribute, USERENV, 14.3.1.2

SESSION_USERID attribute, 14.3.1.2

SESSIONID attribute, 14.3.1.2

sessions

auditing by, 8.5.2.1

auditing connections and disconnections, 12.4.3.1.1

defined, 8.5.2.1

limits for each user, 5.3.1.5

listing privilege domain of, 11.11.4

time limits on, 5.3.1.5

viewing memory use, 11.2.5

when auditing options take effect, 8.1.2

SET ROLE statement

associating privileges with role, 13.5

at startup, 3.2.1

disabling, 3.2.1

equivalent to SET_ROLE, 13.5.2

how password is set, 11.5.2.1

role passwords, 3.2.3

used to enable/disable roles, 11.9.1

when using operating-system roles, 11.10.4

SET_CONTEXT procedure, 15.2.2

SET_ROLE procedure, 13.5.2

SH, 7.6

SHA-1, Preface

shared policy type, Preface, 15.10.1

Shared Schemas, 10.1.3.1.2

shared server

limiting private SQL areas, 5.3.1.5

OS role management restrictions, 11.10.5

SI_INFORMTN_SCHEMA, 7.6

SID attribute, 14.3.1.2

single sign-on, 1.1.1

single source of truth, 1.1

smart cards, 7.6

sngle point of integration, 1.1.1

space restrictions

developers, 7.3.4.5

tablespaces, 7.3.4.5

SQL statements

auditing, 8.2, 8.5.1

when records generated, 8.1.2

disabling audit options, 12.4.4.1, 12.4.4.3

dynamic, 15.2.1.3

enabling audit options on, 12.4.3.1.1

privileges required for, 5.1.2, 6.1, 13.7.2

resource limits and, 5.3.1.2

restricting ad hoc use, 14.5.1, 14.5.1

SQL*Net, 7.6

SQL*Plus

connecting with, 4.1

restricting ad hoc use, 14.5.1, 14.5.1

statistics monitor, 5.4.1

SSL, 1.1.2, 2.4.1, 2.4.1, 7.1.2, 7.6, 7.6

SSL. See Secure Sockets Layer.

statement auditing

turning off, 12.4.4.1

turning on, 12.4.3.1

STATEMENTID attribute, 14.3.1.2

static, Preface, 15.10.1, 15.10.2.1

storage

quotas and, 11.1.1.4

revoking tablespaces and, 11.1.1.4.1

unlimited quotas, 11.1.1.4.2

stored procedures

encapsulating privileges, 3.2.2

invoker's rights, 13.5.2

using privileges granted to PUBLIC, 11.8

strong authentication, 7.6

symbolic links, 2.3, 7.6

synonyms

inherit privileges from object, 5.1.2.3

SYS, 7.6

SYS account

policies for protecting, 7.3.3.1

policy enforcement, 14.5.3

SYS and SYSTEM, 7.6

passwords, 2.3, 7.6, 7.6

SYS and SYSTEM connections, 7.3.3.1

SYS schema, 15.2.2

AS SYSDBA, 7.3.3.2

SYS username

statement execution audited, 8.1.2

SYS_CONTEXT

and parallel query, Preface

SYS_CONTEXT function

access control, 15.3.2.3

database links, 15.2.1.5

dynamic SQL statements, 15.2.1.3

parallel query, 15.2.1.4

syntax, 15.2.1.1

USERENV namespace, 14.3.1.2

SYS.AUD$, 12.4.1.1, 12.4.1.1

SYS.AUD$ table

audit trail, 12.2.6

creating and deleting, 12.5

SYSMAN, 2.3, 7.6, 7.6, 7.6

SYS-privileged connections, 2.3, 7.6

SYSTEM, 7.6

SYSTEM account

policies for protecting, 7.3.3.1

system global area (SGA)

limiting private SQL areas, 5.3.1.5

system privileges, 2.3, 5.1.1, 7.6, 11.4.1

ADMIN OPTION, 5.1.1.2

ANY, 7.6

CREATE, 7.3.4.4

described, 5.1.1, 11.4.1

DROP ANY TABLE statement, 7.6

GRANT ANY OBJECT PRIVILEGE, 11.6.2.2, 11.7.2.1

GRANT ANY PRIVILEGE, 5.1.1.2

granting, 11.6.1

granting and revoking, 5.1.1.1

SELECT ANY DICTIONARY, 7.6

system security policy, 7.1

database user management, 7.1.1

operating system security, 7.1.3

user authentication, 7.1.2

T

tables

auditing, 8.4

privileges on, 5.1.3

tablespaces

assigning defaults for users, 11.1.1.3

default quota, 11.1.1.4

quotas for users, 11.1.1.4

revoking from users, 11.1.1.4.1

temporary

assigning to users, 11.1.1.5

unlimited quotas, 11.1.1.4.2

viewing quotas, 11.2.3

tcps, 2.4.1, 7.6

technical security, 1

TELNET, 7.6

TERMINAL attribute, USERENV, 14.3.1.2

test and production databases

application developer environment, 7.3.4.2

testing VPD policies, 15.10.1

TFTP, 7.6

TIGER, 7.6

token cards, 7.6

trace files, 7.6, 7.6, 8.1.1.5

triggers

auditing, 8.4.1

CREATE TRIGGER ON, 13.7.2

event, 15.3.3

logon, 15.2.1, 15.3.1

privileges for executing, 5.1.5.1

roles, 5.2.5

Triple DES, Preface

turning off

network auditing, 12.4.4.3

object auditing, 12.4.4.2

statement and privilege auditing, 12.4.4.1

turning on

network auditing, 12.4.3.4

object auditing, 12.4.3.3

privilege auditing, 12.4.3.2

statement auditing, 12.4.3.1

types

privileges on, 5.1.6

typical role, 7.3.4.4

U

UDP and TCP ports

close for ALL disabled services, 7.6

uniform audit trail, Preface

UNLIMITED, 7.4.4, 7.4.4

UNLIMITED TABLESPACE privilege, 11.1.1.4.2

unlock locked accounts, 7.3.3.1

UPDATE privilege

revoking, 11.7.2.2

user authentication

methods, 7.1.2

user groups, 7.3.2

USER pseudocolumn, 5.1.4.2

user security policy, 7.3

USERENV function, 14.3.1.2, 16.2.1.3.2, 17.3.1

USERENV namespace, 14.3.1.2, 14.3.1.2

usernames

OS, 7.3.3.2

schemas, 13.6

users

altering, 11.1.2

assigning unlimited quotas for, 11.1.1.4.2

auditing, 8.5.3

authentication

about, 7.1.2, 10.1

authentication of, 4

changing default roles, 11.1.2.2

database authentication, 10.1.1

default tablespaces, 11.1.1.3

dropping, 11.1.3

dropping profiles and, 11.3.1

dropping roles and, 11.5.3

enabling roles for, 13.5

end-user security policies, 7.3.2

enterprise, 10.1.3, 11.5.2.4, 13.6.2

external authentication, 10.1.2

global, 10.1.3

listing, 11.2.1

listing privileges granted to, 11.11.1

listing roles granted to, 11.11.2

managing, 11.1

network authentication, 10.1.2.3

objects after dropping, 11.1.3

operating system authentication, 10.1.2.2

password encryption, 4.3.1, 7.3.1.1

password security, 7.3.1.1

policies for managing privileges, 7.3.1.2

privileges for changing passwords, 11.1.2

privileges for creating, 11.1.1

privileges for dropping, 11.1.3

proxy authentication and authorization, 10.1.4

PUBLIC role, 5.2.4, 11.8

restricting application roles, 14.5.2

roles and, 5.2.1

for types of users, 5.2.2.2

schema-independent, 13.6.2

security and, 7.1.1

security domains of, 5.2.4

security for general users, 7.3.1

specifying user names, 11.1.1.1

tablespace quotas, 11.1.1.4

viewing information on, 11.2.2

viewing memory use, 11.2.5

viewing tablespace quotas, 11.2.3

UTL_HTTP, 7.6

UTL_SMTP, 7.6

UTL_TCP, 7.6

UTLPWDMG.SQL, 4.3.5, 7.4.5

formatting of password complexity verification routine, 7.4.5.1

V

valid node checking, 2.4.4, 7.6

view, 5.1.4

views, 7.2

auditing, 8.4, 8.4.1

privileges for, 5.1.4

security applications of, 5.1.4.2

Virtual Private Database

new features, Preface

virtual private database (VPD), 3.2.1, 13.2.2, 14.1.1, 14.1.1.3, 14.5.2.3

column-level VPD, 15.10.3

defined, 14.1

policies, 14.2

VPD

column masking behavior, 14.1.1.2

column masking restrictions, 15.10.3.2

objects it applies to, 14.1.1.1

sec_relevant_cols parameter, 14.1.1.1

see virtual private database

sel_relevant_cols_opt parameter, 14.1.1.2

with flashback query, 15.14

VPD policies

dynamic, 15.10.1

testing with dynamic policy type, 15.10.1

vulnerable data behind firewalls, 2.4.4, 7.6, 7.6

vulnerable run-time call, 7.6

made more secure, 7.6

W

Wallet Manager, 4.2.2.2

wallets, 4.2.2.2

WHERE, 7.2

WHERE clause, dynamic SQL, 14.1.1

Windows native authentication, 4.5

Windows operating system

OS audit trail, 12.2.6, 12.4.1.2

WK_TEST, 7.6

WKPROXY, 7.6

WKSYS, 7.6

WMSYS, 7.6

X

X.509 certificates, 7.6

X.509 Version 3 certificates, 4.2.2.2

XDB, 7.6

XML, 12.4.1.1, 12.4.1.2