Oracle® Enterprise Manager Policy Reference Manual 10g Release 5 (10.2.0.5) Part Number B16231-02
This chapter provides the following information for each of the Cluster Database policies:
Brief description of the policy
Summary of the policy's main properties
Default values for the policy: parameters with their default values and objects excluded by default
Impact of the policy violation
Action to perform when the violation occurs
The Cluster Database policies are categorized as follows:
The configuration policies for the Cluster Database target are:
When Data Guard Broker is being used, this policy checks the primary database for disabled force logging.
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule Evaluation (Footnote 1) | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Informational | Configuration | Database Instance; Cluster Database | Oracle Server 9i Release 2 or later | The underlying metrics have a collection frequency of once every 24 hours. | Yes | The primary database is not in force logging mode. As a result, unlogged direct writes in the primary database cannot be propagated to the standby database. |
Footnote 1 The policy rule is evaluated each time its underlying db_init_params and ha_info metrics are collected.
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
The primary database is not in force logging mode. As a result, unlogged direct writes in the primary database cannot be propagated to the standby database.
The primary database should be put in force logging mode using the ALTER DATABASE FORCE LOGGING statement.
This policy checks for use of a single control file.
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule Evaluation (Footnote 1) | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Configuration | Database Instance; Cluster Database | All | The underlying metric has a collection frequency of once every 24 hours. | Yes | Your database has insufficient control files. If you lose the only copy of the control file due to a media error, there will be unnecessary down time and other risks. |
Footnote 1 The policy rule is evaluated each time its underlying db_controlfiles metric is collected.
Parameters and Their Default Values
Parameter default values are dependent on the version of the Oracle Database target. Refer to the Oracle Database documentation for that version of the database target to learn about the parameters and their default values.
Objects Excluded by Default
Not Applicable
The control file is one of the most important files in an Oracle database. It maintains many physical characteristics and important recovery information about the database. If you lose the only copy of the control file due to a media error, there will be unnecessary down time and other risks.
Use at least two control files that are multiplexed on different disks.
This policy checks for use of less than three redo logs.
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule Evaluation (Footnote 1) | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Warning | Configuration | Database Instance; Cluster Database | All | The underlying metric has a collection frequency of once every 24 hours. | Yes | Your database has insufficient number of redo log files. When the size and number of online redo logs are inadequate, LGWR will wait for ARCH to complete its writing to the archived log destination, before it overwrites that log. This can cause severe performance slowdowns during peak activity periods. |
Footnote 1 The policy rule is evaluated each time its underlying db_redoLogs metric is collected.
Parameters and Their Default Values
Parameter default values are dependent on the version of the Oracle Database target. Refer to the Oracle Database documentation for that version of the database target to learn about the parameters and their default values.
Objects Excluded by Default
Not Applicable
The online redo log files are used to record changes in the database for the purposes of recoverability. When archiving is enabled, these online redo logs need to be archived before they can be reused. Every database requires at least two online redo log groups to be up and running. When the size and number of online redo logs are inadequate, LGWR will wait for ARCH to complete its writing to the archived log destination, before it overwrites that log. This can cause severe performance slowdowns during peak activity periods.
Oracle recommends having at least three online redo log groups with at least two members in each group. Members of the same group must be on different disk drives, so that the loss of one disk does not lose every copy of that group.
This policy checks if the DB_RECOVERY_FILE_DEST initialization parameter is set.
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule Evaluation (Footnote 1) | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Informational | Configuration | Database Instance; Cluster Database | Oracle Server 10g Release1 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | The recovery area location is not set. Setting the recovery area location provides a unified storage location for all recovery components. |
Footnote 1 The policy rule is evaluated each time its underlying db_init_params metric is collected.
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
When the recovery area location is not set, the recovery components are spread across separate storage locations instead of one unified location.
Set the recovery area location to provide a unified storage location for all recovery components.
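The four configuration checks above can be reproduced directly from SQL*Plus. The following is an added example, not part of the Oracle manual or of the Enterprise Manager metrics it describes; it reads the standard V$ views as a DBA account, and the file system paths in the commented remediation statements are placeholders.

```sql
-- Added example (not from the Oracle manual or Enterprise Manager):
-- the four Cluster Database configuration checks above, run directly
-- against a 10g database from SQL*Plus as a DBA account.

-- 1. Force logging on a Data Guard primary. FORCE_LOGGING is YES or NO.
SELECT name, force_logging,
       CASE WHEN force_logging = 'NO' THEN 'VIOLATION' ELSE 'OK' END AS status
  FROM v$database;

-- Remediation: ALTER DATABASE FORCE LOGGING;

-- 2. Control file multiplexing: fewer than two control files violates
--    the policy. Listing the names shows whether the copies sit on
--    different disks, which the count alone cannot tell you.
SELECT name FROM v$controlfile;

SELECT COUNT(*) AS control_files,
       CASE WHEN COUNT(*) < 2 THEN 'VIOLATION' ELSE 'OK' END AS status
  FROM v$controlfile;

-- 3. Redo log groups: fewer than three groups violates the policy, and
--    Oracle recommends at least two members per group.
SELECT group#, members, bytes / 1024 / 1024 AS size_mb, status
  FROM v$log
 ORDER BY group#;

SELECT COUNT(*) AS redo_groups,
       CASE WHEN COUNT(*) < 3 THEN 'VIOLATION' ELSE 'OK' END AS status
  FROM v$log;

-- Remediation (paths are placeholders): add a third group with two
-- members on separate disks.
-- ALTER DATABASE ADD LOGFILE GROUP 3
--   ('/u01/oradata/ORCL/redo03a.log', '/u02/oradata/ORCL/redo03b.log')
--   SIZE 50M;

-- 4. Recovery area location (10g Release 1 or later): an empty
--    DB_RECOVERY_FILE_DEST violates the policy.
SELECT name, value,
       CASE WHEN name = 'db_recovery_file_dest' AND value IS NULL
            THEN 'VIOLATION' ELSE 'OK' END AS status
  FROM v$parameter
 WHERE name IN ('db_recovery_file_dest', 'db_recovery_file_dest_size');

-- Remediation (path is a placeholder): the size must be set before
-- the location is accepted.
-- ALTER SYSTEM SET db_recovery_file_dest_size = 20G SCOPE = BOTH;
-- ALTER SYSTEM SET db_recovery_file_dest = '/u03/flash_recovery_area' SCOPE = BOTH;
```

On a RAC (Cluster Database) target, the ALTER SYSTEM statements apply to every instance when they include SID='*'; the V$ queries return the view of the instance you are connected to, which is sufficient here because control files, redo log groups and the recovery area are database-wide.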
The security policies for the Cluster Database target for UNIX are:
This policy ensures that the grant of %_CATALOG_% roles is restricted.
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule Evaluation (Footnote 1) | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Warning | Security | Database Instance; Cluster Database | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | No | Database is in an insecure state. %path% is assign to %user%. |
Footnote 1 The policy rule is evaluated each time its underlying catalogRolesRep metric is collected.
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
%_CATALOG_% Roles have critical access to database objects that can lead to exposure of vital information in a database system.
Do not assign any _CATALOG_ Role to any user.
This policy ensures restricted access to ALL_SOURCE view.
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule Evaluation (Footnote 1) | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Informational | Security | Database Instance; Cluster Database | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | No | Database is in an insecure state. User %grantee% has %privilege% privilege to the ALL_SOURCE view. |
Footnote 1 The policy rule is evaluated each time its underlying allSourceRep metric is collected.
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
The ALL_SOURCE view contains the source of all the stored packages in the database.
Revoke access to the ALL_SOURCE view from the non-SYS database users.
This policy ensures SELECT privilege is never granted to any DBA_ view.
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule Evaluation (Footnote 1) | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Warning | Security | Database Instance; Cluster Database | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | No | Database is in an insecure state. Granted Select Privilege to DBA_ views can be misused. |
Footnote 1 The policy rule is evaluated each time its underlying select_privilegeRep metric is collected.
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
The DBA_* views provide access to privileges and policy settings of the database. Some of these views also allow viewing of sensitive PL/SQL code that can be used to understand the security policies.
None of the DBA_ views should be granted SELECT privileges. If there are users with the SELECT privilege, ensure all access to the DBA_ view is audited.
This policy ensures restricted access to DBA_ROLE_PRIVS view.
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule Evaluation (Footnote 1) | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Informational | Security | Database Instance; Cluster Database | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | No | Database is in an insecure state. User %grantee% has %privilege% privilege on the DBA_ROLE_PRIVS view. |
Footnote 1 The policy rule is evaluated each time its underlying dbaRolePrivsRec metric is collected.
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
The DBA_ROLE_PRIVS view lists the roles granted to users and other roles. Knowledge of the structure of roles in the database can be exploited by a malicious user.
Restrict access to DBA_ROLE_PRIVS view.
This policy ensures restricted access to DBA_ROLES view.
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule Evaluation (Footnote 1) | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Informational | Security | Database Instance; Cluster Database | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | No | Database is in an insecure state. User %grantee% has %privilege% privilege on the DBA_ROLES view. |
Footnote 1 The policy rule is evaluated each time its underlying dbaRoleRep metric is collected.
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
The DBA_ROLES view contains details of all roles in the database. Knowledge of the structure of roles in the database can be exploited by a malicious user. For example, a public SELECT privilege might increase the likelihood of Denial of Service attacks.
Restrict access to DBA_ROLES view.
This policy ensures restricted access to DBA_SYS_PRIVS view.
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule Evaluation (Footnote 1) | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Informational | Security | Database Instance; Cluster Database | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | No | Database is in an insecure state. User %grantee% has %privilege% privilege on the DBA_SYS_PRIVS view. |
Footnote 1 The policy rule is evaluated each time its underlying dbaSysPrivsRec metric is collected.
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
The DBA_SYS_PRIVS view can be queried to find system privileges granted to roles and users. Knowledge of the structure of roles in the database can be exploited by a malicious user.
Restrict access to DBA_SYS_PRIVS view.
This policy ensures restricted access to DBA_TAB_PRIVS view.
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule Evaluation (Footnote 1) | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Informational | Security | Database Instance; Cluster Database | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | No | Database may be insecure as user %grantee% has %privilege% privilege to the DBA_TAB_PRIVS view. |
Footnote 1 The policy rule is evaluated each time its underlying dbaTabPrivsRep metric is collected.
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
The DBA_TAB_PRIVS view lists privileges granted to users or roles on objects in the database. Knowledge of the structure of roles in the database can be exploited by a malicious user.
Restrict access to DBA_TAB_PRIVS view.
This policy ensures restricted access to DBA_USERS view.
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule Evaluation (Footnote 1) | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Informational | Security | Database Instance; Cluster Database | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | No | Database is in an insecure state. User %grantee% has %privilege% privilege on the DBA_USERS view. |
Footnote 1 The policy rule is evaluated each time its underlying dbaUsersRep metric is collected.
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
The DBA_USERS view contains user names, password hashes and other account information. Access to this information can be used to mount brute-force attacks against the database.
Restrict access to DBA_USERS view.
This policy ensures restricted access to ROLE_ROLE_PRIVS view.
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule Evaluation (Footnote 1) | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Informational | Security | Database Instance; Cluster Database | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | No | Database is in an insecure state. User %grantee% has %privilege% privilege on the ROLE_ROLE_PRIVS view. |
Footnote 1 The policy rule is evaluated each time its underlying rolerolePrivsRep metric is collected.
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
The ROLE_ROLE_PRIVS view lists roles granted to other roles. Knowledge of the structure of roles in the database can be exploited by a malicious user.
Restrict access to ROLE_ROLE_PRIVS view.
This policy ensures restricted access to the STATS$SQLTEXT table.
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule Evaluation (Footnote 1) | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Informational | Security | Database Instance; Cluster Database | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | No | Database is in an insecure state. User %grantee% has %privilege% privilege on STATS$SQLTEXT table. |
Footnote 1 The policy rule is evaluated each time its underlying sqlTextRep metric is collected.
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
The STATS$SQLTEXT table provides the full text of the recently-executed SQL statements. The SQL statements can reveal sensitive information.
Restrict access to the STATS$SQLTEXT table.
This policy ensures restricted access to the STATS$SQL_SUMMARY table.
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule Evaluation (Footnote 1) | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Informational | Security | Database Instance; Cluster Database | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | No | Database is in an insecure. User %grantee% has %privilege% privilege on the STATS$SQL_SUMMARY table. |
Footnote 1 The policy rule is evaluated each time its underlying sqlSummaryRep metric is collected.
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
The STATS$SQL_SUMMARY table contains the first few lines of SQL text of the most resource-intensive commands given to the server. SQL statements executed without bind variables can appear there and expose privileged information.
Restrict access to the STATS$SQL_SUMMARY table.
This policy ensures restricted access to the SYS.AUD$ table.
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule Evaluation (Footnote 1) | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Informational | Security | Database Instance; Cluster Database | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | No | Database is in an insecure state. User %grantee% has %privilege% privilege on the SYS.AUD$ table. |
Footnote 1 The policy rule is evaluated each time its underlying audTabRep metric is collected.
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
The SYS.AUD$ table is the system audit table. If you set the parameter AUDIT_TRAIL to DB, all audited activity will be written to the SYS.AUD$ table. Thus a malicious user can gain access to the sensitive audit information.
Revoke access to the SYS.AUD$ table from the non-DBA/SYS database users.
This policy ensures restricted access to the SYS.LINK$ table.
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule Evaluation (Footnote 1) | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Informational | Security | Database Instance; Cluster Database | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | No | Database is in an insecure state. User %grantee% has %privilege% privilege on the USER$ table. |
Footnote 1 The policy rule is evaluated each time its underlying linkTabRep metric is collected.
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
A malicious user can gain access to user names and passwords from the SYS.LINK$ table.
Revoke access to SYS.LINK$ table.
This policy ensures restricted access to the SYS.SOURCE$ table.
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule Evaluation (Footnote 1) | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Informational | Security | Database Instance; Cluster Database | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | No | Database is in an insecure state. User %grantee% has %privilege% privilege on the SOURCE$ table. |
Footnote 1 The policy rule is evaluated each time its underlying sourceTabRep metric is collected.
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
A malicious user can gain access to the source of all stored packages in the database.
Revoke access to the SYS.SOURCE$ table from the non-SYS/DBA database users.
This policy ensures restricted access to the SYS.USER$ table.
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule Evaluation (Footnote 1) | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Informational | Security | Database Instance; Cluster Database | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | No | Database is in an insecure state. User %grantee% has %privilege% privilege on the USER$ table. |
Footnote 1 The policy rule is evaluated each time its underlying userTabRep metric is collected.
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
User name and password hash may be read from the SYS.USER$ table, enabling a malicious user to launch a brute-force attack against the database.
Restrict access to SYS.USER$ table.
This policy ensures restricted access to the SYS.USER_HISTORY$ table.
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule Evaluation (Footnote 1) | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Informational | Security | Database Instance; Cluster Database | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | No | Database is in an insecure state. User %grantee% has %privilege% privilege on the SYS.USER_HISTORY$ table. |
Footnote 1 The policy rule is evaluated each time its underlying userHistRep metric is collected.
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
User name and password hash may be read from the SYS.USER_HISTORY$ table, enabling a malicious user to launch a brute-force attack.
Revoke access to SYS.USER_HISTORY$ table from the non-DBA/SYS database users.
This policy ensures restricted access to the USER_ROLE_PRIVS view.
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule Evaluation (Footnote 1) | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Informational | Security | Database Instance; Cluster Database | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | No | Database is in an insecure state. User %grantee% has %privilege% privilege on the USER_ROLE_PRIVS view. |
Footnote 1 The policy rule is evaluated each time its underlying userRolePrivsRep metric is collected.
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
The USER_ROLE_PRIVS view lists the roles granted to the current user. Knowledge of the structure of roles in the database can be exploited by a malicious user.
Restrict access to the USER_ROLE_PRIVS view.
This policy ensures restricted access to the USER_TAB_PRIVS view.
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule Evaluation (Footnote 1) | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Informational | Security | Database Instance; Cluster Database | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | No | Database is in an insecure state. User %grantee% has %privilege% privilege on the USER_TAB_PRIVS view. |
Footnote 1 The policy rule is evaluated each time its underlying userTabPrivsRep metric is collected.
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
The USER_TAB_PRIVS view lists the grants on objects for which the user is the owner, grantor, or grantee. Knowledge of the grants in the database can be exploited by a malicious user.
Restrict access to the USER_TAB_PRIVS view.
This policy ensures that access to X$ views is restricted.
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule Evaluation (Footnote 1) | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Warning | Security | Database Instance; Cluster Database | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in an insecure state. %grantee% has access to %path%. |
Footnote 1 The policy rule is evaluated each time its underlying xviewRep metric is collected.
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Access to the X$ views can reveal internal database structure information.
Revoke access to X_$ views.
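The access-restriction policies above, from the _CATALOG_ roles through the X$ views, all reduce to the same review: which non-SYS, non-DBA grantees hold privileges on a short list of dictionary objects. The following is an added example, not the Oracle manual's own text nor the Enterprise Manager metric implementations; it assumes Statspack is installed in its default PERFSTAT schema, takes the X_$ naming from the policy's own action text (views created over X$ tables), and produces one REVOKE statement per finding for a DBA to review rather than run blindly, since Oracle-supplied roles such as SELECT_CATALOG_ROLE will appear in the output.

```sql
-- Added example (not from the Oracle manual or Enterprise Manager):
-- reviews the dictionary-object grants the policies above look for,
-- with a REVOKE statement per finding. Assumes Statspack lives in its
-- default PERFSTAT schema (assumption). Run as a DBA on 9i or later
-- (the second query uses subquery factoring).

-- 1. _CATALOG_ roles granted to any user or role.
SELECT grantee, granted_role, admin_option,
       'REVOKE ' || granted_role || ' FROM ' || grantee || ';' AS revoke_stmt
  FROM dba_role_privs
 WHERE granted_role LIKE '%\_CATALOG\_%' ESCAPE '\'
 ORDER BY grantee, granted_role;

-- 2. Object privileges on the views and tables named in the policies.
--    Grants to SYS, SYSTEM and the DBA role are excluded because the
--    policies target non-SYS/non-DBA users. Oracle-supplied roles such
--    as SELECT_CATALOG_ROLE will be listed; review those before revoking.
WITH sensitive AS (
  SELECT grantee, owner, table_name, privilege, grantable
    FROM dba_tab_privs
   WHERE (
           (owner = 'SYS'
            AND (   table_name IN ('ALL_SOURCE', 'ROLE_ROLE_PRIVS',
                                   'USER_ROLE_PRIVS', 'USER_TAB_PRIVS',
                                   'AUD$', 'LINK$', 'SOURCE$', 'USER$',
                                   'USER_HISTORY$')
                 OR table_name LIKE 'DBA\_%' ESCAPE '\'   -- any DBA_ view
                 OR table_name LIKE 'X\_$%'  ESCAPE '\')) -- X_$ views
        OR (owner = 'PERFSTAT'
            AND table_name IN ('STATS$SQLTEXT', 'STATS$SQL_SUMMARY'))
         )
     AND grantee NOT IN ('SYS', 'SYSTEM', 'DBA')
)
SELECT grantee, owner, table_name, privilege, grantable,
       'REVOKE ' || privilege || ' ON ' || owner || '.' || table_name
       || ' FROM ' || grantee || ';' AS revoke_stmt
  FROM sensitive
 ORDER BY grantee, owner, table_name, privilege;
```

The ESCAPE clause matters: in Oracle LIKE patterns an unescaped underscore matches any single character, so `'DBA_%'` would also match names such as DBAXYZ. The GRANTABLE column is included because a grant made WITH GRANT OPTION lets the grantee pass the access on, which widens the exposure the policies describe.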
This policy ensures that insert failures are audited for critical data objects.
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule Evaluation (Footnote 1) | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Warning | Security | Database Instance; Cluster Database | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | No | System is in an insecure state. Insert failures for critical data objects are not audited. |
Footnote 1 The policy rule is evaluated each time its underlying backgrdDumpDestRep metric is collected.
Parameters and Their Default Values
Parameter name: CRITICAL_OBJECT_LIST
Default value: None
Objects Excluded by Default
Not Applicable
Not auditing insert failures for critical data objects may allow a malicious user to infiltrate system security.
Audit insert failures for critical data objects.
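Enabling and verifying the audit option that this policy expects for each object in CRITICAL_OBJECT_LIST, as an added example that is not from the Oracle manual or the Enterprise Manager metric. HR.EMPLOYEES and HR.DEPARTMENTS stand in for the critical tables (constructed sample objects); the statements require AUDIT_TRAIL set to DB and the AUDIT SYSTEM privilege or ownership of the table.

```sql
-- Added example (not from the Oracle manual or Enterprise Manager):
-- auditing failed INSERTs on critical tables and checking the result.
-- HR.EMPLOYEES / HR.DEPARTMENTS are constructed sample objects.

-- 1. Confirm the audit trail is written to the database (DB or DB,EXTENDED).
SELECT name, value FROM v$parameter WHERE name = 'audit_trail';

-- 2. Audit unsuccessful INSERT attempts, one audit record per attempt.
AUDIT INSERT ON hr.employees BY ACCESS WHENEVER NOT SUCCESSFUL;

-- 3. Verify the option took effect. The INS column is 'success/failure';
--    '-/A' means not audited on success, audited by access on failure.
SELECT owner, object_name, ins
  FROM dba_obj_audit_opts
 WHERE owner = 'HR' AND object_name = 'EMPLOYEES';

-- 4. Review failed inserts captured so far. RETURNCODE 0 is success,
--    so anything else is a failure (an ORA error such as ORA-01031).
SELECT username, os_username, userhost, timestamp, action_name, returncode
  FROM dba_audit_object
 WHERE owner = 'HR' AND obj_name = 'EMPLOYEES'
   AND action_name = 'INSERT' AND returncode <> 0
 ORDER BY timestamp DESC;

-- 5. Reproduce the policy check over a constructed critical-object list:
--    report tables where the failure half of the INS option is still '-'.
SELECT o.owner, o.object_name,
       NVL(a.ins, '-/-') AS ins_audit_option,
       CASE WHEN SUBSTR(NVL(a.ins, '-/-'), 3, 1) = '-'
            THEN 'VIOLATION' ELSE 'OK' END AS status
  FROM dba_objects o
  LEFT JOIN dba_obj_audit_opts a
         ON a.owner = o.owner AND a.object_name = o.object_name
 WHERE o.object_type = 'TABLE'
   AND (o.owner, o.object_name) IN (('HR', 'EMPLOYEES'), ('HR', 'DEPARTMENTS'))
 ORDER BY o.owner, o.object_name;
```

Auditing BY ACCESS rather than BY SESSION keeps one record per failed attempt, which is what an investigator needs to see repeated failures from one account; the cost is acceptable because only unsuccessful statements are recorded. Query 4 only returns rows once the audit option is in place, so run it after confirming the '-/A' setting in query 3.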
This policy ensures that access to the control files directory is restricted to the owner of the Oracle software set and the DBA group.
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule Evaluation (Footnote 1) | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Security | Database Instance; Cluster Database | Oracle Server 8 | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in an insecure state. The control file (%file_name%) permission is %permission%. |
Footnote 1 The policy rule is evaluated each time its underlying dbControlFilesPermRep metric is collected.
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Control files are binary configuration files that control access to data files. Control files are stored in the directory specified by the CONTROL_FILES initialization parameter. A public write privilege on this directory could pose a serious security risk.
Restrict permission to the control files to:
Owner of the Oracle software installation
DBA group
Do not give read and write permissions to public
This policy ensures there are no default passwords for known accounts.
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule Evaluation (Footnote 1) | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Warning | Security | Database Instance; Cluster Database | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in an insecure state. Default password for the account %dbaccount% has not been changed. |
Footnote 1 The policy rule is evaluated each time its underlying defaultAccountPasswordsRep metric is collected.
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
A malicious user can gain access to the database using default passwords.
Change all default passwords.
This policy ensures PUBLIC does not have execute privileges on the SYS.DBMS_EXPORT_EXTENSION package.
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule Evaluation (Footnote 1) | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Warning | Security | Database Instance; Cluster Database | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in an insecure state. EXECUTE privilege on the package %package% is granted to PUBLIC. |
Footnote 1 The policy rule is evaluated each time its underlying dbmsPkgsRep metric is collected.
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Privileges granted to the PUBLIC role automatically apply to all users. DBMS_EXPORT_EXTENSION can allow SQL injection, which a malicious user could take advantage of.
Revoke the EXECUTE privilege on SYS.DBMS_EXPORT_EXTENSION from PUBLIC.
This policy ensures that PUBLIC does not have execute privileges on the SYS.DBMS_RANDOM package.
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule Evaluation (Footnote 1) | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Warning | Security | Database Instance; Cluster Database | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in an insecure state. EXECUTE privilege on the package %package% is granted to PUBLIC. |
Footnote 1 The policy rule is evaluated each time its underlying dbmsPkgsRep metric is collected.
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Privileges granted to the PUBLIC role automatically apply to all users. DBMS_RANDOM can allow SQL injection, which a malicious user could take advantage of.
Revoke the EXECUTE privilege on SYS.DBMS_RANDOM from PUBLIC.
This policy ensures PUBLIC is not granted EXECUTE privileges on DBMS_JOB package.
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule Evaluation (Footnote 1) | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Warning | Security | Database Instance; Cluster Database | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in an insecure state. DBMS_JOB package has PUBLIC EXECUTE privileges. |
Footnote 1 The policy rule is evaluated each time its underlying dbmsJobPrivsRep metric is collected.
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Granting EXECUTE privilege to PUBLIC on DBMS_JOB package allows all users to schedule jobs on the database.
PUBLIC must not be granted EXECUTE privileges on DBMS_JOB package.
This policy ensures PUBLIC is not granted EXECUTE privileges on DBMS_LOB package.
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule Evaluation (Footnote 1) | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Security | Database Instance; Cluster Database | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in an insecure state. DBMS_LOB package has PUBLIC EXECUTE privileges. |
Footnote 1 The policy rule is evaluated each time its underlying dbmsJobPrivsRep metric is collected.
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
The DBMS_LOB package can be used to access any file on the system as the owner of the Oracle software installation.
Revoke the EXECUTE privilege on the DBMS_LOB package from PUBLIC.
This policy ensures PUBLIC is not granted EXECUTE privileges on DBMS_SYS_SQL package.
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule Evaluation (Footnote 1) | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Security | Database Instance; Cluster Database | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in an insecure state. DBMS_SYS_SQL package has PUBLIC EXECUTE privileges. |
Footnote 1 The policy rule is evaluated each time its underlying dbmsSysSqlRep metric is collected.
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
The DBMS_SYS_SQL package can be used to run PL/SQL and SQL as the owner of the procedure rather than the caller.
Revoke the EXECUTE privilege on the DBMS_SYS_SQL package from PUBLIC.
This policy ensures SELECT ANY TABLE privilege is never granted to any user or role.
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule Evaluation (Footnote 1) | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Warning | Security | Database Instance; Cluster Database | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | No | Database is in an insecure state. SELECT ANY TABLE privilege granted. |
Footnote 1 The policy rule is evaluated each time its underlying select_any_tableRep metric is collected.
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
The SELECT ANY TABLE privilege gives a user or role the ability to view data in tables that it does not own. A malicious user with access to any account that holds this privilege can use it to reach sensitive data.
Revoke SELECT ANY TABLE privilege.
This policy ensures that database accounts do not rely on OS authentication.
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Warning | Security | Database Instance; Cluster Database | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in an insecure state. The %user% uses OS authentication. |
Footnote 1 The policy rule is evaluated each time its underlying userExtPassRep metric is collected.
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
If a database account's password is set to EXTERNAL and the host operating system has a matching user ID, Oracle no longer checks that account's credentials. It assumes the host has already authenticated the user and admits the user to the database without any further checking.
Do not use OS authentication. Never create accounts identified externally.
This policy ensures that access to the datafiles is restricted to the owner of the Oracle software set and the DBA group.
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Security | Database Instance; Cluster Database | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in an insecure state. The datafile (%file_name%) permission is %permission%. |
Footnote 1 The policy rule is evaluated each time its underlying dbDataFilesPermRep metric is collected.
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
The datafiles contain all the database data. If datafiles are made readable to public, they can be read by a user who has no database privileges on the data.
Restrict permissions to the datafiles to:
Owner of the Oracle software set
DBA group
Do not give read and write permissions to public.
This policy ensures that the PASSWORD_VERIFY_FUNCTION resource for the profile is set.
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Security | Database Instance; Cluster Database | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in an insecure state. PASSWORD_VERIFY_FUNCTION resource is not set for the profile %profile%. |
Footnote 1 The policy rule is evaluated each time its underlying pwdComplixityFnRep metric is collected.
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Passwords that do not meet minimum complexity requirements offer substantially less protection than complex passwords.
Set the PASSWORD_VERIFY_FUNCTION resource of the profile.
This policy ensures that all profiles have PASSWORD_GRACE_TIME set to a reasonable number of days.
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Security | Database Instance; Cluster Database | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in an insecure state. PASSWORD_GRACE_TIME is set to %limit% days for the profile %profile%. |
Footnote 1 The policy rule is evaluated each time its underlying pwdGraceRep metric is collected.
Parameters and Their Default Values
MAX_PASSWORD_GRACE_TIME = 3
Objects Excluded by Default
Not Applicable
A high value for the PASSWORD_GRACE_TIME parameter may cause serious database security issues by allowing the user to keep the same password for a long time.
Set the PASSWORD_GRACE_TIME parameter to no more than 3 days for all profiles.
This policy ensures that all profiles have PASSWORD_LIFE_TIME set to a reasonable number of days.
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Warning | Security | Database Instance; Cluster Database | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in an insecure state. PASSWORD_LIFE_TIME is set to %limit% days for the profile %profile%. |
Footnote 1 The policy rule is evaluated each time its underlying pwdLifeRep metric is collected.
Parameters and Their Default Values
MAX_PASSWORD_LIFE_TIME = 90
Objects Excluded by Default
Not Applicable
A long password lifetime gives malicious users more time to decipher the password, which may cause serious database security issues.
Set the PASSWORD_LIFE_TIME parameter to no more than 90 days for all profiles.
This policy ensures that PASSWORD_LOCK_TIME is set to a reasonable number of days for all profiles.
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Security | Database Instance; Cluster Database | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in an insecure state. PASSWORD_LOCK_TIME is set to %limit% days for the profile %profile%. |
Footnote 1 The policy rule is evaluated each time its underlying pwdLockRep metric is collected.
Parameters and Their Default Values
MIN_PASSWORD_LOCK_TIME = 1
Objects Excluded by Default
Not Applicable
The PASSWORD_LOCK_TIME resource is the number of days an account stays locked after a user fails to log in more than FAILED_LOGIN_ATTEMPTS (a related resource) times. Having a low value for this resource increases the likelihood of Denial of Service attacks.
Set the PASSWORD_LOCK_TIME parameter to no less than 1 for all the profiles.
This policy ensures that all profiles have PASSWORD_REUSE_MAX set to a reasonable number of times.
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Security | Database Instance; Cluster Database | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in an insecure state. PASSWORD_REUSE_MAX is set to %limit% times for the profile %profile%. |
Footnote 1 The policy rule is evaluated each time its underlying reuseMaxRep metric is collected.
Parameters and Their Default Values
MAX_PASSWORD_REUSE_MAX = 20
Objects Excluded by Default
Not Applicable
The PASSWORD_REUSE_MAX parameter specifies the number of password changes required before the current password can be reused. Old passwords are usually the best guesses for the current password. A low value for the PASSWORD_REUSE_MAX parameter may cause serious database security issues by allowing users to reuse their old passwords more often. Ensuring a reasonable value for this resource discourages users from reusing their passwords, which results in more secure password usage.
Set the PASSWORD_REUSE_MAX parameter to no less than 20 times for all profiles.
This policy ensures that all profiles have PASSWORD_REUSE_TIME set to a reasonable number of days.
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Security | Database Instance; Cluster Database | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in an insecure state. PASSWORD_REUSE_TIME is set to %limit% for the profile %profile%. |
Footnote 1 The policy rule is evaluated each time its underlying passwdReuseTimeRep metric is collected.
Parameters and Their Default Values
MAX_PASSWORD_REUSE_TIME = 2147483647
Objects Excluded by Default
Not Applicable
The PASSWORD_REUSE_TIME parameter defines the number of days before a password can be reused. A low value for the password reuse time increases the danger that an already leaked password will cause serious database security issues.
Ensuring a reasonable value for this resource discourages users from reusing their passwords, which results in more secure password usage.
Set the PASSWORD_REUSE_TIME parameter to UNLIMITED for all profiles.
This policy ensures that the number of allowed failed login attempts is no more than 10.
The FAILED_LOGIN_ATTEMPTS parameter defines the number of successive failed login attempts that can be performed before an account's status is changed to locked. This protects against malicious users attempting to guess a password for an account.
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Security | Database Instance; Cluster Database | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in an insecure state. FAILED_LOGIN_ATTEMPTS is set to %limit% for the profile %profile%. |
Footnote 1 The policy rule is evaluated each time its underlying loginserver_failed_logins metric is collected.
Parameters and Their Default Values
Maximum FAILED_LOGIN_ATTEMPTS: 10 failed attempts
Objects Excluded by Default
Not Applicable
Permits manual and automated password guessing by a malicious user.
By setting the parameter to UNLIMITED, a malicious user can attempt an unlimited number of guesses of the password for all accounts granted the specified profile. However, setting the value too low may result in valid users locking their accounts when mistyping a password.
In user profiles, set the value for the FAILED_LOGIN_ATTEMPTS setting to no more than 10.
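The PASSWORD_VERIFY_FUNCTION, PASSWORD_GRACE_TIME, PASSWORD_LIFE_TIME, PASSWORD_LOCK_TIME, PASSWORD_REUSE_MAX, PASSWORD_REUSE_TIME and FAILED_LOGIN_ATTEMPTS policies above all evaluate the same dictionary view. The following added example (not from the manual or from Enterprise Manager) evaluates every profile against those policy thresholds in one query and shows the ALTER PROFILE remediation; it assumes a DBA-privileged session and that the profile name APP_USERS and the verify function name are placeholders.

```sql
-- Added example, not part of the Oracle manual. Run as a DBA-privileged user.
-- Thresholds mirror the policy defaults above: MAX_PASSWORD_GRACE_TIME = 3,
-- MAX_PASSWORD_LIFE_TIME = 90, MIN_PASSWORD_LOCK_TIME = 1,
-- MAX_PASSWORD_REUSE_MAX = 20, PASSWORD_REUSE_TIME = UNLIMITED,
-- FAILED_LOGIN_ATTEMPTS <= 10, PASSWORD_VERIFY_FUNCTION set.
WITH eff AS (
  -- A limit of DEFAULT inherits from the DEFAULT profile; resolve it so every
  -- profile is judged on the value that is actually enforced.
  SELECT p.profile,
         p.resource_name,
         CASE WHEN p.limit = 'DEFAULT' THEN d.limit ELSE p.limit END AS lim
  FROM   dba_profiles p
  JOIN   dba_profiles d
         ON  d.profile = 'DEFAULT'
         AND d.resource_name = p.resource_name
  WHERE  p.resource_type = 'PASSWORD'
),
typed AS (
  -- LIMIT is a string: UNLIMITED, the literal NULL (verify function not set),
  -- or a number of days/attempts (fractions of a day are possible).
  SELECT profile, resource_name, lim,
         CASE WHEN REGEXP_LIKE(lim, '^[0-9]*\.?[0-9]+$')
              THEN TO_NUMBER(lim) END AS num
  FROM   eff
),
pvt AS (
  SELECT profile,
         MAX(CASE WHEN resource_name = 'PASSWORD_VERIFY_FUNCTION' THEN lim END) AS verify_fn,
         MAX(CASE WHEN resource_name = 'PASSWORD_GRACE_TIME'      THEN lim END) AS grace_lim,
         MAX(CASE WHEN resource_name = 'PASSWORD_GRACE_TIME'      THEN num END) AS grace_num,
         MAX(CASE WHEN resource_name = 'PASSWORD_LIFE_TIME'       THEN lim END) AS life_lim,
         MAX(CASE WHEN resource_name = 'PASSWORD_LIFE_TIME'       THEN num END) AS life_num,
         MAX(CASE WHEN resource_name = 'PASSWORD_LOCK_TIME'       THEN lim END) AS lock_lim,
         MAX(CASE WHEN resource_name = 'PASSWORD_LOCK_TIME'       THEN num END) AS lock_num,
         MAX(CASE WHEN resource_name = 'PASSWORD_REUSE_MAX'       THEN lim END) AS reuse_max_lim,
         MAX(CASE WHEN resource_name = 'PASSWORD_REUSE_MAX'       THEN num END) AS reuse_max_num,
         MAX(CASE WHEN resource_name = 'PASSWORD_REUSE_TIME'      THEN lim END) AS reuse_time_lim,
         MAX(CASE WHEN resource_name = 'FAILED_LOGIN_ATTEMPTS'    THEN lim END) AS failed_lim,
         MAX(CASE WHEN resource_name = 'FAILED_LOGIN_ATTEMPTS'    THEN num END) AS failed_num
  FROM   typed
  GROUP  BY profile
)
SELECT profile, 'PASSWORD_VERIFY_FUNCTION is not set' AS violation, verify_fn AS current_limit
FROM   pvt WHERE verify_fn IS NULL OR verify_fn = 'NULL'
UNION ALL
SELECT profile, 'PASSWORD_GRACE_TIME exceeds 3 days', grace_lim
FROM   pvt WHERE grace_lim = 'UNLIMITED' OR grace_num > 3
UNION ALL
SELECT profile, 'PASSWORD_LIFE_TIME exceeds 90 days', life_lim
FROM   pvt WHERE life_lim = 'UNLIMITED' OR life_num > 90
UNION ALL
SELECT profile, 'PASSWORD_LOCK_TIME is below 1 day', lock_lim
FROM   pvt WHERE lock_num < 1
UNION ALL
-- Caveat: when PASSWORD_REUSE_MAX and PASSWORD_REUSE_TIME are both UNLIMITED,
-- Oracle ignores both and a password may be reused immediately.
SELECT profile, 'PASSWORD_REUSE_MAX below 20 or history disabled', reuse_max_lim
FROM   pvt WHERE reuse_max_num < 20
         OR (reuse_max_lim = 'UNLIMITED' AND reuse_time_lim = 'UNLIMITED')
UNION ALL
SELECT profile, 'PASSWORD_REUSE_TIME is not UNLIMITED', reuse_time_lim
FROM   pvt WHERE reuse_time_lim <> 'UNLIMITED'
UNION ALL
SELECT profile, 'FAILED_LOGIN_ATTEMPTS exceeds 10', failed_lim
FROM   pvt WHERE failed_lim = 'UNLIMITED' OR failed_num > 10
ORDER  BY profile, violation;

-- Remediation for one profile (hypothetical profile and function names). A
-- profile that only inherits DEFAULT values is fixed by altering DEFAULT.
ALTER PROFILE app_users LIMIT
  PASSWORD_VERIFY_FUNCTION verify_function
  PASSWORD_GRACE_TIME      3
  PASSWORD_LIFE_TIME       90
  PASSWORD_LOCK_TIME       1
  PASSWORD_REUSE_MAX       20
  PASSWORD_REUSE_TIME      UNLIMITED
  FAILED_LOGIN_ATTEMPTS    10;
```

Profile changes take effect at the next password change or login, so existing sessions are not affected until then.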
This policy ensures that the proxy accounts have limited privileges.
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Warning | Security | Database Instance; Cluster Database | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | No | Database is in an insecure state. |
Footnote 1 The policy rule is evaluated each time its underlying metric is collected.
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Not Available
Not Available
This policy ensures that PUBLIC does not have execute privileges on the UTL_HTTP package.
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Security | Database Instance; Cluster Database | Oracle Server 9i or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in insecure state. EXECUTE privilege on the package %package% is granted to PUBLIC. |
Footnote 1 The policy rule is evaluated each time its underlying executePrivilegesRep metric is collected.
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Privileges granted to the PUBLIC role automatically apply to all users. A malicious user can gain access to e-mail, network and http modules using the EXECUTE privilege.
Revoke EXECUTE privileges on the UTL_HTTP package.
This policy ensures that PUBLIC does not have execute privileges on the UTL_SMTP package.
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Security | Database Instance; Cluster Database | Oracle Server 9i or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in insecure state. EXECUTE privilege on the package %package% is granted to PUBLIC. |
Footnote 1 The policy rule is evaluated each time its underlying executePrivilegesRep metric is collected.
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Privileges granted to the PUBLIC role automatically apply to all users. A malicious user can gain access to e-mail, network and http modules using the EXECUTE privilege.
Revoke EXECUTE privileges on the UTL_SMTP package.
This policy ensures that PUBLIC does not have execute privileges on the UTL_TCP package.
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Security | Database Instance; Cluster Database | Oracle Server 9i or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in insecure state. EXECUTE privilege on the package %package% is granted to PUBLIC. |
Footnote 1 The policy rule is evaluated each time its underlying executePrivilegesRep metric is collected.
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Privileges granted to the PUBLIC role automatically apply to all users. A malicious user can gain access to e-mail, network and http modules using the EXECUTE privilege.
Revoke EXECUTE privileges on the UTL_TCP package.
This policy ensures system privileges are not granted to PUBLIC.
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Security | Database Instance; Cluster Database | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in an insecure state. System privilege %privilege% is assigned to the PUBLIC role. |
Footnote 1 The policy rule is evaluated each time its underlying systemPrivilegesRep metric is collected.
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Privileges granted to the PUBLIC role automatically apply to all users. There are security risks when granting SYSTEM privileges to all users.
Revoke SYSTEM privileges from the PUBLIC role.
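The DBMS_LOB, DBMS_SYS_SQL, UTL_HTTP, UTL_SMTP, UTL_TCP, SELECT ANY TABLE and System Privileges To Public policies above all reduce to data dictionary queries. The following added example (not from the manual or from Enterprise Manager) runs those checks and shows the matching REVOKE statements; it assumes a DBA-privileged session, and the schema, role and privilege names in the remediation section are placeholders.

```sql
-- Added example, not part of the Oracle manual. Run as a DBA-privileged user.

-- 1. Oracle-supplied packages whose EXECUTE privilege must not be held by
--    PUBLIC (DBMS_LOB, DBMS_SYS_SQL, UTL_HTTP, UTL_SMTP, UTL_TCP policies).
SELECT owner, table_name AS package_name, grantee, privilege
FROM   dba_tab_privs
WHERE  grantee    = 'PUBLIC'
AND    privilege  = 'EXECUTE'
AND    owner      = 'SYS'
AND    table_name IN ('DBMS_LOB', 'DBMS_SYS_SQL', 'UTL_HTTP', 'UTL_SMTP', 'UTL_TCP')
ORDER  BY table_name;

-- 2. Any system privilege held by PUBLIC (System Privileges To Public policy).
--    PUBLIC is implicitly granted to every user, so each row is in effect a
--    grant to every account in the database.
SELECT privilege, admin_option
FROM   dba_sys_privs
WHERE  grantee = 'PUBLIC'
ORDER  BY privilege;

-- 3. Everyone who holds SELECT ANY TABLE, directly or through a chain of
--    roles. DBA_SYS_PRIVS shows only the immediate grantee, which may itself
--    be a role (DBA, for instance), so walk DBA_ROLE_PRIVS to find the users
--    behind it. NOCYCLE guards against circular role grants.
SELECT holder, how
FROM (
  SELECT grantee AS holder, 'direct grant' AS how
  FROM   dba_sys_privs
  WHERE  privilege = 'SELECT ANY TABLE'
  UNION
  SELECT grantee, 'via role ' || granted_role
  FROM   dba_role_privs
  START WITH granted_role IN (SELECT grantee
                              FROM   dba_sys_privs
                              WHERE  privilege = 'SELECT ANY TABLE')
  CONNECT BY NOCYCLE PRIOR grantee = granted_role
)
WHERE holder NOT IN ('SYS', 'SYSTEM')   -- assumption: administrative accounts reviewed separately
ORDER BY holder, how;

-- 4. Remediation. Revoke from PUBLIC and grant back only to the specific
--    schemas that need a package. Many Oracle-supplied objects depend on
--    PUBLIC execute on DBMS_LOB, so check DBA_OBJECTS for objects that become
--    INVALID after the revoke and recompile them.
REVOKE EXECUTE ON sys.dbms_lob     FROM PUBLIC;
REVOKE EXECUTE ON sys.dbms_sys_sql FROM PUBLIC;
REVOKE EXECUTE ON sys.utl_http     FROM PUBLIC;
REVOKE EXECUTE ON sys.utl_smtp     FROM PUBLIC;
REVOKE EXECUTE ON sys.utl_tcp      FROM PUBLIC;
GRANT  EXECUTE ON sys.utl_http TO app_owner;     -- hypothetical schema that needs it

-- One statement per row returned by queries 2 and 3 (hypothetical names).
REVOKE SELECT ANY TABLE FROM report_role;
REVOKE CREATE ANY TABLE FROM PUBLIC;
```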
This policy ensures that database users are allocated a limited tablespace quota.
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Warning | Security | Database Instance; Cluster Database | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in an insecure state. User %dbuser% has an unlimited tablespace quota. |
Footnote 1 The policy rule is evaluated each time its underlying tableSpaceQuotaRep metric is collected.
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Granting unlimited tablespace quotas allows a user to fill up the allocated disk space. This can lead to an unresponsive database.
For users with an unlimited tablespace quota, reallocate their tablespace quotas to a specific limit.
Ensures database links with clear text passwords are not used, that is, the password is hashed or encrypted.
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Warning | Security | Database Instance; Cluster Database | Oracle Server 9i and pre-9i | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in an insecure state. Database link %link% has clear text password. |
Footnote 1 The policy rule is evaluated each time its underlying dbLinkPwdRep metric is collected.
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
The table SYS.LINK$ contains the clear text password used by the database link. A malicious user can read the clear text password from the SYS.LINK$ table, which can lead to undesirable consequences.
Avoid creating fixed user database links.
This policy ensures that the number of allowed failed login attempts is no more than 10.
The FAILED_LOGIN_ATTEMPTS parameter defines the number of successive failed login attempts that can be performed before an account's status is changed to locked. This protects against malicious users attempting to guess a password for an account.
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Security | Database Instance; Cluster Database | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database may be in an insecure state as the UNLIMITED FAILED_LOGIN_ATTEMPTS is assigned to user %dbuser%. |
Footnote 1 The policy rule is evaluated each time its underlying unlimited FailedLoginAttempts10gR1RepsAuthRep metric is collected.
Parameters and Their Default Values
None
Objects Excluded by Default
None
Permits manual and automated password guessing by a malicious user.
By setting the parameter to UNLIMITED, a malicious user can attempt an unlimited number of guesses of the password for all accounts granted the specified profile. However, setting the value too low may result in valid users locking their accounts when mistyping a password.
In user profiles, set the value for the FAILED_LOGIN_ATTEMPTS setting to no more than 10.
This policy ensures well-known accounts are expired and locked.
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Warning | Security | Database Instance; Cluster Database | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in an insecure state. Account %dbaccount% is not locked and terminated. |
Footnote 1 The policy rule is evaluated each time its underlying installAndDemoAcccountsRep metric is collected.
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
A malicious user can gain access to the database using a well-known account.
Expire and lock well-known accounts.
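The OS Authentication, Tablespace Quota and Well Known Accounts policies above are all checks on DBA_USERS and related views. The following added example (not from the manual or from Enterprise Manager) runs those checks and shows the ALTER USER remediation; it assumes a DBA-privileged session on an Oracle Database 10g target, and the list of well-known accounts and every account, tablespace and password in the remediation section are assumptions or placeholders.

```sql
-- Added example, not part of the Oracle manual. Run as a DBA-privileged user.

-- 1. Accounts that rely on OS authentication (OS Authentication policy).
--    In Oracle Database 10g the PASSWORD column of DBA_USERS reads EXTERNAL
--    for such accounts; later releases also expose AUTHENTICATION_TYPE.
SELECT username, account_status, profile
FROM   dba_users
WHERE  password = 'EXTERNAL'
ORDER  BY username;

-- 2. Users with an unlimited tablespace quota (Tablespace Quota policy).
--    A quota is unlimited either per tablespace (MAX_BYTES = -1 in
--    DBA_TS_QUOTAS) or globally through the UNLIMITED TABLESPACE system
--    privilege, which bypasses quotas on every tablespace.
SELECT username, tablespace_name, 'MAX_BYTES = -1' AS reason
FROM   dba_ts_quotas
WHERE  max_bytes = -1
UNION ALL
SELECT grantee, '*ALL*', 'UNLIMITED TABLESPACE privilege'
FROM   dba_sys_privs
WHERE  privilege = 'UNLIMITED TABLESPACE'
AND    grantee NOT IN ('SYS', 'SYSTEM')     -- assumption: administrative accounts excluded
ORDER  BY 1, 2;

-- 3. Well-known accounts that are not both expired and locked (Well Known
--    Accounts policy). The manual does not list the accounts it checks; the
--    list below is an assumption built from default schemas named elsewhere
--    in this chapter plus the classic demo accounts. Extend it as needed.
SELECT username, account_status, lock_date, expiry_date
FROM   dba_users
WHERE  username IN ('SCOTT', 'ADAMS', 'JONES', 'CLARK', 'BLAKE',
                    'OUTLN', 'CTXSYS', 'MDSYS', 'OLAPSYS',
                    'WMSYS', 'XDB', 'ORDSYS', 'ORDPLUGINS', 'DIP')
AND    NOT (account_status LIKE '%EXPIRED%' AND account_status LIKE '%LOCKED%')
ORDER  BY username;

-- 4. Remediation (hypothetical account, tablespace and password values).
-- Give the externally identified account a database password instead; the
-- policy's guidance is never to create IDENTIFIED EXTERNALLY accounts.
ALTER USER ops_batch IDENTIFIED BY "<new-strong-password>";

-- Cap the quota and remove the quota-bypassing privilege.
ALTER USER app_owner QUOTA 500M ON users;
REVOKE UNLIMITED TABLESPACE FROM app_owner;

-- Expire and lock a well-known account.
ALTER USER scott PASSWORD EXPIRE ACCOUNT LOCK;
```

Check which Oracle components depend on an account before locking it; the demo schemas are safe to lock, but component owners such as CTXSYS break their feature when locked.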
This policy ensures well-known accounts are expired and locked.
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Warning | Security | Database Instance; Cluster Database | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in an insecure state. Account %dbaccount% is not locked and terminated. |
Footnote 1 The policy rule is evaluated each time its underlying installAndDemoAccountsRep metric is collected.
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
A malicious user can gain access to the database using a well-known account.
Expire and lock well-known accounts.
The security policies for the Cluster Database target for Windows are:
This policy ensures that access to the control files directory is restricted to the owner of the Oracle software set and the DBA group. The following permissions on Windows NT-based platforms are considered critical: DELETE, WRITE_DAC, WRITE_OWNER, CHANGE, ADD, and FULL. The policy gives the number of users or user groups that have been granted such permissions, and lists the users and user groups in parentheses.
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Security | Database Instance; Cluster Database | Oracle Server 8 | The underlying metric has a collection frequency of once every 24 hours. | No | Database is in an insecure state. The users %users% have critical permissions on the control file (%file_name%). |
Footnote 1 The policy rule is evaluated each time its underlying dbControlFilesPermNTRep metric is collected.
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Control files are binary configuration files that control access to data files. Control files are stored in the directory specified by the CONTROL_FILES initialization parameter. A public write privilege on this directory could pose a serious security risk.
Restrict permission to the control files to:
Owner of the Oracle software installation
DBA group
Do not give read and write permissions to public.
This policy ensures that access to the datafiles is restricted to the owner of the Oracle software set and the DBA group. The following permissions on Windows NT-based platforms are considered critical: DELETE, WRITE_DAC, WRITE_OWNER, CHANGE, ADD, and FULL. The policy gives the number of users or user groups that have been granted such permissions, and lists the users and user groups in parentheses.
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Security | Database Instance; Cluster Database | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in an insecure state. The users %users% have critical permissions on the datafile (%file_name%). |
Footnote 1 The policy rule is evaluated each time its underlying dbDataFilesPermNTRep metric is collected.
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
The datafiles contain all the database data. If datafiles are made readable to public, they can be read by a user who has no database privileges on the data.
Restrict permissions to the datafiles to:
Owner of the Oracle software set
DBA group
Do not give read and write permissions to public.
The storage policies for the Cluster Database target are:
This policy verifies that the DEFAULT_PERMANENT_TABLESPACE database property is set to a non-system tablespace. The default permanent tablespace for the database is used as the default permanent tablespace for any users who are not explicitly assigned a permanent tablespace. The default permanent tablespace defaults to the SYSTEM tablespace until a DBA changes it.
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Warning | Storage | Database Instance; Cluster Database | Oracle Server 10g Release 1 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | The default permanent tablespace is not set explicitly and defaults to SYSTEM tablespace. |
Footnote 1 The policy rule is evaluated each time its underlying db_recTablespaceSettings metric is collected.
Parameters and Their Default Values
SYSTEM
Objects Excluded by Default
Not Applicable
If not specified explicitly, the DEFAULT_PERMANENT_TABLESPACE defaults to the SYSTEM tablespace. This is not the recommended setting. The default permanent tablespace for the database is used as the permanent tablespace for any non-SYSTEM users who are not explicitly assigned a permanent tablespace. If the database default permanent tablespace is set to a system tablespace, then any user who is not explicitly assigned a tablespace uses the system tablespace. Non-SYSTEM users should not be using a system tablespace to store data. Doing so may result in performance degradation for the database.
Set the DEFAULT_PERMANENT_TABLESPACE to a non-system tablespace. Create or edit a tablespace and set it to be the default permanent tablespace.
Clicking the DEFAULT_PERMANENT_TABLESPACE link will bring up the Tablespace Search page. From this page you can create or edit a tablespace and set it to be the default permanent tablespace.
On the Administration property page for the database instance, click Tablespaces under the Storage options. After providing your credentials, create or edit a permanent tablespace and set it to be the default permanent tablespace.
This policy verifies that the DEFAULT_TEMP_TABLESPACE database property is set to a non-system tablespace. The default temporary tablespace for the database is used as the temporary tablespace for any users who are not explicitly assigned a temporary tablespace. The default temporary tablespace defaults to the SYSTEM tablespace until a DBA changes it.
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Warning | Storage | Database Instance; Cluster Database | Oracle Server 9i or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | The default temporary tablespace is not set explicitly and defaults to SYSTEM tablespace. |
Footnote 1 The policy rule is evaluated each time its underlying db_recTablespaceSettings metric is collected.
Parameters and Their Default Values
Parameter default values are dependent on the version of the Oracle Database target. Refer to the Oracle Database documentation for that version of the database target to learn about the parameters and their default values.
Objects Excluded by Default
Not Applicable
If not specified explicitly, the DEFAULT_TEMP_TABLESPACE defaults to the SYSTEM tablespace. This is not the recommended setting. The default temporary tablespace is used as the temporary tablespace for any users who are not explicitly assigned a temporary tablespace. If the database default temporary tablespace is set to a system tablespace, then any user who is not explicitly assigned a temporary tablespace uses the system tablespace as their temporary tablespace. System tablespaces should not be used to store temporary data. Doing so can result in performance degradation for the database.
Set the DEFAULT_TEMP_TABLESPACE to a non-system temporary tablespace. In Oracle Database 10g Release 1 or later, you can also set the DEFAULT_TEMP_TABLESPACE to a temporary tablespace group. Create or edit a temporary tablespace, or temporary tablespace group, and set it to be the default temporary tablespace.
Clicking the DEFAULT_TEMP_TABLESPACE link will bring up the Tablespace Search page. From this page the user can create or edit a temporary tablespace and set it to be the default temporary tablespace.
On the Administration property page for the database instance, click Tablespaces under the Storage options. After providing your credentials, create or edit a temporary tablespace and set it to be the default temporary tablespace.
This policy determines whether dictionary managed tablespaces are being used. Use locally managed tablespaces.
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Informational | Storage | Database Instance; Cluster Database | All | The underlying metric has a collection frequency of once every 24 hours. | Yes | Tablespace %TABLESPACE_NAME% is dictionary managed. Oracle recommends using locally managed tablespaces, with AUTO segment-space management, to enhance performance and ease of space management. |
Footnote 1 The policy rule is evaluated each time its underlying db_recTablespaceSettings metric is collected.
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
These tablespaces are dictionary managed. Oracle recommends using locally managed tablespaces, with AUTO segment-space management, to enhance performance and ease of space management.
Redefine these tablespaces to be locally managed.
This policy, using the SMALL_REDO_LOGS parameter, checks for redo log files that are less than 1 MB.
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Storage | Database Instance; Cluster Database | All | The underlying metric has a collection frequency of once every 24 hours. | Yes | Your database has redo log that has insufficient size. |
Footnote 1 The policy rule is evaluated each time its underlying db_redo_logs metric is collected.
Parameters and Their Default Values
Parameter default values are dependent on the version of the Oracle Database target. Refer to the Oracle Database documentation for that version of the database target to learn about the parameters and their default values.
Objects Excluded by Default
Not Applicable
Small redo logs cause system checkpoints to continuously put a high load on the buffer cache and I/O system.
Increase size of the redo logs to at least 1 MB.
Redefine the tablespaces containing the segments to be locally managed; or, reorganize these segments, specifying a Next Extent value that is a multiple of Initial Extent, and a Percent Increase value of 0.
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Informational | Storage | Database Instance; Cluster Database | All | The underlying metric has a collection frequency of once every 24 hours. | Yes | Segment %OBJECT% belonging to non-system users are stored in system tablespace %TABLESPACE_NAME%. This makes it more difficult to manage these data segments and may result in performance degradation in the system tablespace. |
Footnote 1 The policy rule is evaluated each time its underlying db_recSegmentSettings metric is collected.
Parameters and Their Default Values
Parameter default values are dependent on the version of the Oracle Database target. Refer to the Oracle Database documentation for that version of the database target to learn about the parameters and their default values.
Objects Excluded by Default
Cluster object types because the Reorganize Objects wizard does not support them.
All user accounts that are, by default, part of the Oracle Database or Enterprise Manager. For example: SYS, SYSTEM, SYSMAN, CTXSYS, SCOTT, ADAMS, and so on.
These segments belonging to non-system users are stored in system tablespaces SYSTEM or SYSAUX. This violation makes it more difficult to manage these data segments and may result in performance degradation in the system tablespace. System users include users that are part of the DBMS such as SYS and SYSTEM, or that are part of facilities supplied by Oracle: for example, CTXSYS, SYSMAN, and OLAPSYS.
Relocate the non-system segments to a non-system tablespace.
This policy, using the SYSTEM_AS_DEFAULT_TBSP parameter, checks for any user having a System tablespace listed as their default tablespace.
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Informational | Storage | Database Instance; Cluster Database | All | The underlying metric has a collection frequency of once every 24 hours. | Yes | User %USER_NAME% uses SYSTEM tablespace as the default tablespace. This will result in non-system data segments being added to the SYSTEM tablespace and possible performance degradation in the SYSTEM tablespace. |
Footnote 1 The policy rule is evaluated each time its underlying db_recUserSettings metric is collected.
Parameters and Their Default Values
Parameter default values are dependent on the version of the Oracle Database target. Refer to the Oracle Database documentation for that version of the database target to learn about the parameters and their default values.
Objects Excluded by Default
Cluster object types because the Reorganize Objects wizard does not support them.
All user accounts that are, by default, part of the Oracle Database or Enterprise Manager. For example: SYS, SYSTEM, SYSMAN, CTXSYS, SCOTT, ADAMS, and so on.
These users use a system tablespace as the default tablespace. This violation will result in non-system data segments being added to the system tablespace, making it more difficult to manage these data segments and possibly resulting in performance degradation in the system tablespace.
Change the default tablespace for these users to specify a non-system tablespace.
This policy checks for tablespaces with non-uniform default extent size.
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Informational | Storage | Database Instance; Cluster Database | All | The underlying metric has a collection frequency of once every 24 hours. | Yes | Tablespace %TABLESPACE_NAME% uses non-uniform extents. Using uniform extents ensures that any free extent in the tablespace can always be used for any segment in the tablespace. |
Footnote 1 The policy rule is evaluated each time its underlying db_tablespaces metric is collected.
Parameters and Their Default Values
Parameter default values are dependent on the version of the Oracle Database target. Refer to the Oracle Database documentation for that version of the database target to learn about the parameters and their default values.
Objects Excluded by Default
SYSTEM tablespace. This policy is only applicable to PERMANENT DICTIONARY tablespaces.
Tablespaces using a non-uniform default extent size exist. Extents in a tablespace should be the same size. This ensures that any free extent in the tablespace can always be used for any segment in the tablespace.
To ensure uniform extent sizes, set each tablespace's default storage clause so that the NEXT value is equal to, or a multiple of, the INITIAL value and the PCTINCREASE value is zero. Then never explicitly specify a storage clause at the segment level. Instead, let the segments inherit their storage values from the default storage clause of the tablespace.
This policy checks for rollback segments stored in the SYSTEM tablespace.
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Informational | Storage | Database Instance; Cluster Database | All | See following table | Yes | Your SYSTEM tablespace contains rollback segment %RBS_NAME%. The SYSTEM tablespace should be reserved only for the Oracle data dictionary and its associated objects. |
Footnote 1 The policy rule is evaluated each time its underlying metric is collected.
The following table lists the policy's underlying metrics.
Underlying Metric | Collection Frequency |
---|---|
db_init_params | Every 24 hours |
db_rollback_segs | Every 24 hours |
Parameters and Their Default Values
Parameter default values are dependent on the version of the Oracle Database target. Refer to the Oracle Database documentation for that version of the database target to learn about the parameters and their default values.
Objects Excluded by Default
Not Applicable
The SYSTEM tablespace should be reserved only for the Oracle data dictionary and its associated objects. It should NOT be used to store any other types of objects such as user tables, user indexes, user views, rollback segments, undo segments, or temporary segments.
Use a tablespace dedicated to undo instead of the SYSTEM tablespace.
This policy, using the SEG_EXT_GROWTH_VIO parameter, checks for segments in dictionary managed tablespaces having irregular extent sizes and/or non-zero Percent Increase settings.
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Informational | Storage | Database Instance; Cluster Database | All | The underlying metric has a collection frequency of once every 24 hours. | Yes | Segment %OBJECT% in dictionary managed tablespace %TABLESPACE_NAME% has irregular extent sizes and/or non-zero Percent Increase settings. This can result in inefficient reuse of space and fragmentation problems. |
Footnote 1 The policy rule is evaluated each time its underlying db_recSegmentSettings metric is collected.
Parameters and Their Default Values
Parameter default values are dependent on the version of the Oracle Database target. Refer to the Oracle Database documentation for that version of the database target to learn about the parameters and their default values.
Objects Excluded by Default
Not Applicable
These segments have extents with sizes that are not multiples of the initial extent, and/or a non-zero Percent Increase setting. This can result in inefficient reuse of space and fragmentation problems.
Redefine the tablespaces containing the segments to be locally managed; or, reorganize these segments, specifying a Next Extent value that is a multiple of Initial Extent, and a Percent Increase value of 0.
This policy checks for locally managed tablespaces that are using MANUAL segment space management.
There are two segment-space management settings: MANUAL and AUTO.
MANUAL segment-space management uses free lists to manage free space within segments. Free lists are lists of data blocks that have space available for inserting rows. With this form of segment-space management, you must specify and tune the PCTUSED, FREELISTS and FREELIST GROUPS storage parameters for schema objects created in the tablespace.
AUTO segment-space management uses bitmaps to manage the free space in segments. The bitmap describes the status of each data block within a segment with respect to the amount of space in the block available for inserting rows. These bitmaps allow the database to manage free space automatically.
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Informational | Storage | Database Instance; Cluster Database | Oracle Server 9.2 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Tablespace %TABLESPACE_NAME% is not using automatic segment-space management. |
Footnote 1 The policy rule is evaluated each time its underlying db_recTablespaceSettings metric is collected.
Parameters and Their Default Values
Parameter default values are dependent on the version of the Oracle Database target. Refer to the Oracle Database documentation for that version of the database target to learn about the parameters and their default values.
Objects Excluded by Default
Not Applicable
Automatic segment-space management is a simpler and more efficient way of managing space within a segment. It completely eliminates any need to specify and tune the PCTUSED, FREELISTS and FREELIST GROUPS storage parameters for schema objects created in the tablespace.
In a RAC environment, there is the additional benefit of avoiding the hard partitioning of space inherent with using free list groups.
Change the segment-space management of all permanent locally managed tablespaces to AUTO.
Clicking the name of each tablespace listed will bring up the Reorganize Objects wizard with the tablespace automatically selected. This wizard allows you to change the segment-space management of the tablespace from MANUAL to AUTO.
This policy, using the TBSP_MIXED_SEGS parameter, checks for tablespaces containing both rollback and data segments.
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Informational | Storage | Database Instance; Cluster Database | All | The underlying metric has a collection frequency of once every 24 hours. | Yes | Tablespace %TABLESPACE_NAME% contains both rollback and data segments. Mixing segment types in this way makes it more difficult to manage space and may degrade performance in the tablespace. |
Footnote 1 The policy rule is evaluated each time its underlying db_recTablespaceSettings metric is collected.
Parameters and Their Default Values
Parameter default values are dependent on the version of the Oracle Database target. Refer to the Oracle Database documentation for that version of the database target to learn about the parameters and their default values.
Objects Excluded by Default
SYSTEM tablespace
These tablespaces contain both rollback and data segments. Mixing segment types in this way makes it more difficult to manage space and may degrade performance in the tablespace. Use of a dedicated tablespace for rollback segments enhances availability and performance.
Use Automatic Undo Management (in Oracle Server Release 9.0.1 or later) and perform one of the following:
Drop the rollback segments from this tablespace
Create one or more tablespaces dedicated to rollback segments and drop the rollback segments from this tablespace
Dedicate this tablespace to rollback segments and move the data segments to another tablespace
This policy checks the PERM_AS_TEMP_TBSP parameter to detect whether a permanent tablespace is being used as a temporary tablespace.
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Informational | Storage | Database Instance; Cluster Database | Oracle Server 9.2 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | User %USER_NAME% uses permanent tablespace %TABLESPACE_NAME% as the temporary tablespace. Using a permanent tablespace as the temporary tablespace may result in performance degradation, especially for Real Application Clusters. |
Footnote 1 The policy rule is evaluated each time its underlying db_recUserSettings metric is collected.
Parameters and Their Default Values
Parameter default values are dependent on the version of the Oracle Database target. Refer to the Oracle Database documentation for that version of the database target to learn about the parameters and their default values.
Objects Excluded by Default
Not Applicable
These users use a permanent tablespace as the temporary tablespace. Using temporary tablespaces allows space management for sort operations to be more efficient. Using a permanent tablespace for these operations may result in performance degradation, especially for Real Application Clusters.
Change the temporary tablespace for these users to specify a tablespace of type TEMPORARY.
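As an added example that is not part of the Oracle manual, the following single query reproduces the user-level and tablespace-level checks described in the preceding policies (default and temporary tablespace, default extent sizing, segment-space management, rollback segment placement) directly against the DBA_* dictionary views, so a DBA can confirm a policy finding before acting on it. The finding labels, the list of system accounts, and the exclusion of the mandatory SYSTEM rollback segment are assumptions made for this example.

```sql
-- Added example, not from the Oracle manual: one query that reproduces several
-- of the storage checks described above directly against the data dictionary.
-- Assumes SELECT privilege on the DBA_* views. Labels in the first column are
-- descriptive, not the policies' official names.
SELECT 'system tablespace as default tablespace' AS finding,
       username                                  AS object_name,
       default_tablespace                        AS tablespace_name
  FROM dba_users
 WHERE default_tablespace IN ('SYSTEM', 'SYSAUX')
   -- system accounts the manual names as excluded; extend for your site
   AND username NOT IN ('SYS', 'SYSTEM', 'SYSMAN', 'CTXSYS', 'OLAPSYS')
UNION ALL
SELECT 'permanent tablespace as temporary tablespace',
       u.username, u.temporary_tablespace
  FROM dba_users u
  JOIN dba_tablespaces t ON t.tablespace_name = u.temporary_tablespace
 WHERE t.contents = 'PERMANENT'
UNION ALL
SELECT 'non-uniform default extent size', NULL, tablespace_name
  FROM dba_tablespaces
 WHERE contents = 'PERMANENT'
   AND extent_management = 'DICTIONARY'      -- policy scope per the manual
   AND tablespace_name <> 'SYSTEM'           -- excluded by default
   AND (pct_increase <> 0 OR MOD(next_extent, initial_extent) <> 0)
UNION ALL
SELECT 'manual segment-space management', NULL, tablespace_name
  FROM dba_tablespaces
 WHERE contents = 'PERMANENT'
   AND extent_management = 'LOCAL'
   AND segment_space_management = 'MANUAL'
UNION ALL
SELECT 'rollback segment in SYSTEM tablespace', segment_name, tablespace_name
  FROM dba_rollback_segs
 WHERE tablespace_name = 'SYSTEM'
   AND segment_name <> 'SYSTEM'   -- assumption: skip the mandatory SYSTEM segment
UNION ALL
SELECT 'rollback and data segments mixed', NULL, r.tablespace_name
  FROM (SELECT DISTINCT tablespace_name FROM dba_rollback_segs) r
  JOIN (SELECT DISTINCT tablespace_name FROM dba_segments
         WHERE segment_type NOT IN ('ROLLBACK', 'TYPE2 UNDO')) d
    ON d.tablespace_name = r.tablespace_name
 WHERE r.tablespace_name <> 'SYSTEM'         -- excluded by default
ORDER BY 1, 3, 2;
```

Each row is one violation; an empty result means none of these six checks found anything under the stated exclusions.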