Skip Headers
Oracle® Database Security Guide
10g Release 2 (10.2)

Part Number B14266-08
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Master Index
Master Index
Go to Feedback page
Contact Us

Go to previous page
Previous
PDF · Mobi · ePub

Index

A  B  C  D  E  F  G  H  I  K  L  M  N  O  P  Q  R  S  T  U  V  W  X 

Symbols

"all permissions", 2.3, 7.6
"change_on_install" default password, 2.3, 7.6
"manager" default password, 2.3, 7.6

Numerics

07_DICTIONARY_ACCESSIBILITY, 7.3.3.2

A

access control, 5.1
enforce, 7.6
fine-grained access control, 6.2
password encryption, 4.3.1, 7.3.1.1
privileges, 5.1
account locking
explicit, 7.4.1
password management, 7.4.1
example, 7.4.1
PASSWORD_LOCK_TIME, 7.4.1
ADD_CONTEXT procedure, 15.10
ADD_GROUPED_POLICY procedure, 15.10
ADD_POLICY procedure, 15.10
ADMIN OPTION
about, 11.6.1.1
revoking roles/privileges, 11.7.1
roles, 5.2.3.1
system privileges, 5.1.1.2
administration
difficulties in complex environments, 1.1
administrative
delays, 1.1
passwords, 2.3, 7.6
privileges, 7.3.3
roles, 7.3.3
administrator
application security, 7.3.5
administrator connections, 7.3.3.2
administrator privileges
statement execution audited, 8.1.2
write, on listener.ora, 7.6
administrator security, 7.3.3
adump directory, 12.2.4
AES, Preface
algorithms
encryption, Preface
hash, Preface, Preface
ALTER privilege statement, 13.7.2
ALTER PROFILE statement
password management, 7.4
ALTER RESOURCE COST statement, 11.3.1, 11.3.1
ALTER ROLE statement
changing authorization method, 11.5.1
ALTER SESSION SET SCHEMA statement, 14.3.1.2
ALTER SESSION statement
SET SCHEMA, 13.6.1
ALTER TABLE statement
auditing, 8.3
ALTER USER privilege, 11.1.2
ALTER USER statement, 7.3.3.1, 7.4, 7.4.2
default roles, 11.9.2
explicit account unlocking, 7.4.1
GRANT CONNECT THROUGH clause, 10.1.4
password
expire, 7.4.2
REVOKE CONNECT THROUGH clause, 10.1.4
altering users, 11.1.2
ANONYMOUS, 7.6
anonymous PL/SQL blocks, 13.5.2
ANY system privilege, 7.6
application administrator security, 7.3.5
application administrators, 7.3.5
application context, 7.2
as secure data cache, 14.3.2.1, 15, 15.1
bind variables, 14.3.2.3
creating, 15.2.2
examples, 15.3
fine-grained access control, 3.2.6, 14.3.2
how to use session-based, 15.2
parallel query, Preface, 15.2.1.4
performance, 15.3.1.4
returning predicate, 14.3.2.2
security features, 14.3.1
setting, 15.2.3
support for database links, 15.4
USERENV namespace, 14.3.1.2
using in policy, 15.2.4
application developer environment
test and production databases, 7.3.4.2
application developer security, 7.3.4
application developers
privileges, 7.3.4.1
privileges for, 7.3.4.1
roles for, 7.3.4.4
application development
CREATE privileges, 7.3.4.4
free versus controlled, 7.3.4.3
object privileges, 7.3.4.4
roles and privileges, 7.3.4.4
security domain, 7.3.4.5
security for, 7.3.4.3
application roles, 13.4
application security
considerations for use, 13.2
limitations, 14.1.1.3
specifying attributes, 14.3.1.1
applications
about security policies for, 13.1
context, 6.2.2
database users, 13.2.1
enhancing security with, 5.2.1
One Big Application User model, 13.2.1, 13.2.2
roles, 13.5
roles and, 5.2.2.1
security, 13.2.2, 14.5.2
application context, 6.2.2
applications development
space restrictions, 7.3.4.5
tablespaces
developer restrictions, 7.3.4.5
AQ_ADMINISTRATOR_ROLE role, 11.4.3
AQ_USER_ROLE role, 11.4.3
AS SYSDBA, 2.3, 2.3
create, drop, delete, etc., 7.3.3.2
for administrator access, 2.3, 7.3.3.2, 7.3.3.2, 7.3.3.2, 7.4.5.2, 7.6
AS SYSOPER, 2.3, 7.3.3.2
startup, shutdown, recovery, etc., 7.3.3.2
attacks
denial of service, 2.4.4, 7.6
attributes, USERENV, 14.3.1.2
audit directory, 12.2.4
audit filenames, 12.2.4
audit files, 12.1, 12.2.4, 12.2.4, 12.2.6, 12.3, 12.3.2, 12.4.1.1, 12.4.5.2
AUDIT statement
BY proxy clause, 12.4.2
schema objects, 12.4.3.3
statement auditing, 12.4.3.1.1
system privileges, 12.4.3.1.1
audit trail, 12.4.5
archiving, 12.4.5.2
controlling size of, 12.4.5
creating and deleting, 12.5
deleting views, 12.5.3
dropping, 12.5
interpreting, 12.5.2
maximum size of, 12.4.5
protecting integrity of, 12.4.6
purging records from, 12.4.5.1
reducing size of, 12.4.5.3
table that holds, 12.2.6
views on, 12.5.1
audit trail, uniform, Preface
AUDIT_FILE_DEST initialization parameter, 12.4.1, 12.4.1.2
setting for OS auditing, 12.4.1.2
AUDIT_SYS_OPERATIONS initialization parameter, 12.4.1
auditing SYS, 12.2.4
AUDIT_TRAIL initialization parameter, 12.4.1
auditing SYS, 12.2.4
DB, EXTENDED setting, 12.4.1.1
setting, 12.4.1.1
AUDIT_TRAIL=DB, 12.4.1.1
AUDITED_CURSORID attribute, 14.3.1.2
auditing, 12.2.6
audit option levels, 12.4.3
audit options, 8.1
audit records, 8.1.1
audit trail records, 12.3.1
audit trails, 8.1.1
database, 8.1.1.1, 12.3.1
operating system, 8.1.1.2, 8.1.1.5
syslog, 8.1.1.3
by access, 8.5.2.2
mandated for, 8.5.2
by session, 8.5.2.1
prohibited with, 8.5.2
compromised by One Big Application User, 13.2.1
database and operating-system usernames, 4.1
DDL statements, 8.2
default options, 12.4.3.3
described, 8
disabling default options, 12.4.4.2
disabling options, 12.4.1, 12.4.4, 12.4.4.1, 12.4.4.2, 12.4.4.3
disabling options versus auditing, 12.4.4
DML statements, 8.2
enabling options, 12.4.1
privileges for, 12.4.1
enabling options versus auditing, 12.4.3
fine-grained, 12.6
guidelines, 12.2
historical information, 12.2.2
information stored in OS file, 12.3.2
keeping information manageable, 12.2.1
managing the audit trail, 12.5
mandatory, 8.1.1.5
multi-tier environments, 12.4.2
network, 12.4.3.4
turning off, 12.4.4.3
turning on, 12.4.3.4
new features, Preface
n-tier systems, 16.2.1.4
object
turning off, 12.4.4.2
turning on, 12.4.3.3
operating-system audit trails, 12.2.6
policies for, 7.5
privilege
turning on, 12.4.3.2
privilege audit options, 12.4.3.2
privilege use, 8.1, 8.3
privileges required for object, 12.4.3.3
privileges required for system, 12.4.3.2
range of focus, 8.1, 8.5
schema object, 8.1, 8.1, 8.4
schema objects, 12.4.3.3
security and, 8.1.1.2
session level, 12.4.3.1.1
statement, 8.1, 8.2, 12.4.3.1.1
turning on, 12.4.3.1
statement and privilege
turning off, 12.4.4.1
statement level, 12.4.3.1
successful executions, 8.5.1
suspicious activity, 12.2.3
SYS, 12.2.4
system privileges, 12.4.3.1.1
to OS file, 12.4.1.2
transaction independence, 8.1.2
unsuccessful executions, 8.5.1
user, 8.5.3
using the database, 12.2.6
using the operating system, 12.2.6
viewing
active object options, 12.5.2.3
active privilege options, 12.5.2.2
active statement options, 12.5.2.1
default object options, 12.5.2.4
views, 12.5.1
when options take effect, 8.1.2
auditing policy, 7.5
AUTHENTICATED_IDENTITY attribute, 14.3.1.2
authentication
by database, 10.1.1
by SSL, 10.1, 10.1.3.1.1
certificate, 7.6
client, 7.6, 7.6
compromised by One Big Application User, 13.2.1
database administrators, 4.5
described, 4
directory service, 10.1.3.1
external, 10.1.2
global, 10.1.3
multitier, 4.4
network, 4.2.2
n-tier systems, 16.2.1.1
operating system, 4.1
Oracle, 4.3
password policy, 7.3.1.1
proxy, 10.1.4
public key infrastructure, 4.2.2.2
remote, 4.2.2.3, 7.6, 7.6
specifying when creating a user, 11.1.1.2
strong, 7.6
SYSDBA on Windows systems, 4.5
user, 7.6
users, 7.1.2
ways to authenticate users, 10.1
Windows native authentication, 4.5
AUTHENTICATION_DATA attribute, 14.3.1.2
AUTHENTICATION_METHOD attribute, 14.3.1.2
authorization
changing for roles, 11.5.1
global, 10.1.3
omitting for roles, 11.5.1
operating-system role management and, 11.5.2.3.1
roles, about, 11.5.2
Axent, 7.6

B

backups, 7
batch jobs, authenticating users in, 9
bfiles, 7.6
BG_JOB_ID attribute, 14.3.1.2
bind variables, 14.3.2.3
information captured in audit trail, 12.4.1.1
Block cipher, Preface

C

cascading revokes, 11.7.3
CATAUDIT.SQL script
running, 12.5.1
categories of security issues, 1
CATNOAUD.SQL, 12.5.3
CATNOAUD.SQL script
running, 12.5.3
central repository, 1.1
centralized management with distributable tools, 1.1.1
certificate authentication, 7.6
certificate key algorithm
Secure Sockets Layer
certificate key algorithm, 2.4.1
certificates for user and server authentication, 2.4.2
chaining mode, Preface
modifiers (CBC, CFB, ECB, OFB, Preface
character sets
multibyte characters in role names, 11.5.1
multibyte characters in role passwords, 11.5.2.1
checklists and recommendations, 2
custom installation, 2.3, 7.6, 7.6
disallow modifying default permissions for Oracle Database home (installation) directory or its contents, 2.3
disallow modifying Oracle home default permissions, 7.6
limit the number of operating system users, 2.3, 7.6
limit the privileges of the operating system accounts, 2.3, 7.6
networking security, 2.4, 7.6
personnel, 2.2
physical access control, 2.1
restrict symbolic links, 2.3, 7.6
secure installation and configuration, 2.3, 7.6
CheckPoint, 7.6
cipher suites
Secure Sockets Layer, 2.4.1
Cisco, 7.6
client checklist, 2.4.2
CLIENT_IDENTIFIER
setting and clearing with DBMS_SESSION package, 16.2.2.3
setting for applications that use JDBC, 16.2.2.3
setting with OCI user session handle attribute, 16.2.2.3
CLIENT_IDENTIFIER attribute, 14.3.1.2
CLIENT_INFO attribute, USERENV, 14.3.1.2
column masking behavior, 14.1.1.2, 15.10.3
column masking behavior restrictions, 15.10.3.2
column masking behavior, VPD, Preface, 15.10.3.2
column-level VPD, 14.1.1.1, 15.10.3
adding policies for, 15.10.3
column masking behavior, 15.10.3.2
column masking restrictions, 15.10.3.2
does not apply to synonyms, 15.10.3
new features, Preface
columns
granting privileges for selected, 11.6.2.3
granting privileges on, 11.6.2.3
INSERT privilege and, 11.6.2.3
listing users granted to, 11.11.3
privileges, 11.6.2.3
pseudocolumns
USER, 5.1.4.2
revoking privileges on, 11.7.2.2
common platform for examples, 7.6
complex environments
administration difficulties, 1.1, 1.1
concurrency
limits on
for each user, 5.3.1.5
configuration files, 2.4.1, 2.4.1, 2.4.1
listener, 7.6
sample listener.ora, 7.6
sqlnet.ora, 4.3
SSL, 2.4.1
typical directory, 2.4.1
CONNECT /, 7.3.3.2
CONNECT role, 5.2.7, 5.2.7, 11.4.3
CONNECT statement, 7.6, 7.6, 11.4.3
connection pooling, 4.4
connections
auditing, 12.4.3.1.1
SYS-privileged, 2.3, 7.6
connections as SYS and SYSTEM, 7.3.3.1
context-sensitive policy type, Preface, 15.10.1, 15.10.2.2
controlled development, 7.3.4.3
CPU time limit, 5.3.1.3
CREATE ANY TABLE statement, 2.3, 7.6
CREATE CONTEXT statement, 15.2.2
CREATE DBLINK statement, 7.6
CREATE PROCEDURE statement, 7.3.4.4
developers, 7.3.4.1
CREATE PROFILE statement, 7.4, 7.4.2
failed login attempts, 7.4.1
how long account is locked, 7.4.1
password aging and expiration, 7.4.2
password management, 7.4
CREATE ROLE statement
IDENTIFIED BY option, 11.5.2.1
IDENTIFIED EXTERNALLY option, 11.5.2.3
CREATE SCHEMA statement, 13.6.1
CREATE SESSION statement, 7.6, 11.4.3, 13.6.1
CREATE statement
AS SYSDBA, 7.3.3.2
CREATE TABLE statement, 7.3.4.4
auditing, 8.2, 8.3, 8.5.1
developers, 7.3.4.1
CREATE USER statement, 7.4
explicit account locking, 7.4.1
IDENTIFIED BY option, 11.1.1.2
IDENTIFIED EXTERNALLY option, 11.1.1.2
password
expire, 7.4.2
CREATE VIEW statement, 7.3.4.4
CREATE_POLICY_GROUP procedure, 15.10
creating an audit trail, 12.5
CTXSYS, 7.6
CURRENT_BIND attribute, 14.3.1.2
CURRENT_SCHEMA attribute, USERENV, 14.3.1.2
CURRENT_SCHEMAID attribute, 14.3.1.2
CURRENT_SQL attribute, 14.3.1.2
CURRENT_SQL_LENGTH attribute, 14.3.1.2
CURRENT_SQL1 to CURRENT_SQL7 attributes, 14.3.1.2
cursors
shared, 14.3.2.3
custom installation, 2.3, 7.6, 7.6

D

data
access to
fine-grained access control, 6.2
security level desired, 7.2
data definition language
auditing, 8.2
roles and privileges, 5.2.6
data dictionary protection, 2.3, 7.6
data dictionary tables, 7.3.3.1
data encryption, 3.1.2
data files, 7.6
data manipulation language
auditing, 8.2
privileges controlling, 5.1.3.1
data security level
based on data sensitivity, 7.2
data security policy, 7.2
database
granting privileges, 11.6
granting roles, 11.6
security and schemas, 13.6
user and application user, 13.2.1
database administrators
application administrator versus, 7.3.5
roles
for security, 7.3.3.3, 7.3.3.3, 7.3.3.3, 7.3.3.3, 7.3.3.3
security for, 7.3.3
security officer versus, 7.1
database administrators (DBAs)
authentication, 4.5
DBA role, 5.2.7
password files, 4.5
database authentication, 10.1.1
Database Configuration Assistant, 2.3, 2.3, 7.6, 7.6
database descriptors, 7.6
database link, 4.1, 4.2.2, 4.2.2.1, 5.1.2, 6.1, 8.4, 10.1.3.2
database links, 15.4
database links, and SYS_CONTEXT, 15.2.1.5
database security
elements and operations, 1
database user management, 7.1.1
databases
access control
password encryption, 4.3.1, 7.3.1.1
limitations on usage, 5.3
production, 7.3.4.2, 7.3.5
test, 7.3.4.2
DB_DOMAIN attribute, USERENV, 14.3.1.2
DB_NAME attribute, 14.3.1.2
DB_UNIQUE_NAME, 12.2.4
DBA role, 5.2.7, 11.4.3
DBA_COMMON_AUDIT_TRAIL view, Preface
DBA_ROLE_PRIVS view, 13.3
DBA_ROLES data dictionary view
PUBLIC role, 11.8
DBMS_CRYPTO, Preface, 17.3, 17.3.1
DBMS_FGA package, 12.7
DBMS_OBFUSCATION_TOOLKIT, Preface, 17.3
DBMS_RLS package, 15.10
security policies, 6.2
DBMS_RLS.ADD_POLICY
sec_relevant_cols parameter, 14.1.1.1, 15.10.3.1
sec_relevant_cols_opt parameter, 15.10.3.2
DBMS_SESSION package
SET_CONTEXT procedure, 15.2.2
SET_ROLE procedure, 13.5.2, 13.5.2
DBMS_SQL package
SET_ROLE procedure, 13.5.3
DBMS_SQLHASH Package, B.1
DBMS_SQLHASH.GETHASH Function, B.2
DBSNMP, 2.3, 2.3, 7.6, 7.6, 7.6, 7.6
default
audit options, 12.4.3.3
disabling, 12.4.4.2
default accounts
ANONYMOUS, 7.6
CTXSYS, 7.6
DBSNMP, 7.6
DIP, 7.6
DMSYS, 7.6
EXFSYS, 7.6
HR, 7.6
MDDATA, 7.6
MDSYS, 7.6
MGMT_VIEW, 7.6
ODM, 7.6
ODM_MTR, 7.6
OE, 7.6
OLAPSYS, 7.6
ORDPLUGINS, 7.6
ORDSYS, 7.6
OUTLN, 7.6
PM, 7.6
QS, 7.6
QS_ADM, 7.6
QS_CB, 7.6
QS_CBADM, 7.6
QS_CS, 7.6
QS_ES, 7.6
QS_OS, 7.6
QS_WS, 7.6
RMAN, 7.6
SCOTT, 7.6
SH, 7.6
SI_INFORMTN_SCHEMA, 7.6
SYS, 7.6
SYSMAN, 7.6
SYSTEM, 7.6
WK_TEST, 7.6
WKPROXY, 7.6
WKSYS, 7.6
WMSYS, 7.6
XDB, 7.6
default passwords, 2.3, 2.3, 2.3, 2.3, 2.3, 7.3.3.1, 7.3.3.1, 7.4.5.2, 7.6, 7.6, 7.6, 7.6, 7.6, 7.6, 17.2.2
default permissions, 2.3, 7.6
default roles, 11.9.2
default user
accounts, 2.3, 2.3, 7.6, 7.6
passwords, 2.3, 7.6, 7.6, 7.6
default users
enterprise manager accounts, 7.6
defaults
"change_on_install" or "manager" passwords, 2.3, 7.6
role, 11.1.2.2
tablespace quota, 11.1.1.4
user tablespaces, 11.1.1.3
definer's rights
procedure security, 5.1.5.1
delays
administrative, 1.1
DELETE privilege, 13.7.2
DELETE statement, 7.3.3.2
AS SYSDBA, 7.3.3.2
DELETE_CATALOG_ROLE role, 11.4.1.2, 11.4.3
DELETE_POLICY_GROUPS procedure, 15.10
denial of service attacks, 2.4.4, 7.6
DES, Preface
developers, application, 7.3.4.1
development environment
free versus controlled, 7.3.4.3
dictionary protection mechanism, 11.4.1.1
DIP, 7.6
directory service
See also enterprise directory service.
disable unnecessary services
FTP, TFTP, TELNET, 7.6
DISABLE_GROUPED_POLICY procedure, 15.10
disabling
roles, 3.2.1
disabling audit options, 12.4.4, 12.4.4.1, 12.4.4.2, 12.4.4.3
disabling auditing, 12.4.1
disabling resource limits, 11.3
disallow modifying default permissions for database home directory or its contents, 2.3
disallow modifying Oracle home default permissions, 7.6
disconnections
auditing, 12.4.3.1.1
dispatcher processes (Dnnn)
limiting SGA space for each session, 5.3.1.5
DMSYS, 7.6
DROP ANY TABLEstatement, 7.6
DROP PROFILE statement, 11.3.1
DROP ROLE statement, 11.5.3, 11.5.3
DROP statement, 7.3.3.2
AS SYSDBA, 7.3.3.2
DROP TABLE statement
auditing, 8.2, 8.3
DROP USER privilege, 11.1.3
DROP USER statement, 11.1.3
DROP_CONTEXT procedure, 15.10
DROP_GROUPED_POLICY procedure, 15.10
DROP_POLICY procedure, 15.10
dropping an audit trail, 12.5
dropping profiles, 11.3.1
dropping users, 11.1.3
dynamic predicates
in security policies, 6.2.1
dynamic SQL, 14.1.1, 15.8
dynamic VPD policy types, 15.10.1
testing, 15.10.1

E

eavesdropping, 2.4.2
ENABLE_GROUPED_POLICY procedure, 15.10
ENABLE_POLICY procedure, 15.10
enabling
roles, 3.2.1
enabling resource limits, 11.3
encryption, 2.4.4, 3.1.2, 17.3, 17.3.1
algorithms, Preface
database passwords, 10.1.1
fine-grained audit policies on encrypted columns, 12.7.1.3
network traffic, 7.6
stored data, 7.6
end-user security, 7.3.2
enforcement options
exemptions, 14.5.3
enterprise directory service, 7.3.2.2, 11.5.2.4
Enterprise Edition, 2.3, 7.6, 7.6
Enterprise Manager
granting roles, 5.2.3
statistics monitor, 5.4.1
enterprise roles, 7.3.2.2, 10.1.3, 11.5.2.4
enterprise user management, 13.2.1
Enterprise User Security, 15.5.2
enterprise users, 7.3.2.2, 10.1.3, 11.5.2.4, 13.6.2
ENTERPRISE_IDENTITY attribute, 14.3.1.2
ENTRYID attribute, 14.3.1.2
errors
ORA-28133, 12.7.1.3
event triggers, 15.3.3
EXECUTE privilege, 2.3, 7.6, 13.7.2
EXECUTE_CATALOG_ROLE role, 11.4.1.2, 11.4.3
EXEMPT ACCESS POLICY privilege, 14.5.3
EXFSYS, 7.6
EXP_FULL_DATABASE role, 5.2.7, 11.4.3
expired & locked, 7.6
expiring
passwords, 4.3.3
explicitly expiring a password, 7.4.2
Export utility
policy enforcement, 14.5.3
EXTENDED, 12.4.1.1, 12.4.1.2
external authentication
by network, 10.1.2.3
by operating system, 10.1.2.2
external tables, 7.6

F

failed login attempts
account locking, 7.4.1
password management, 7.4.1
resetting, 7.4.1
falsified IP addresses, 2.4.2
falsified or stolen client system identities, 2.4.2
features, new
See new features
Virtual Private Database, Preface
FG_JOB_ID attribute, 14.3.1.2
files
audit, 12.1, 12.2.4, 12.2.4, 12.2.6, 12.3, 12.3.2, 12.4.1.1, 12.4.5.2
bfiles, 2.3, 7.6
BLOB, 17.4.6
configuration, 2.4.1, 4.3.5, 7.6
data, 2.3, 7.6
external tables, 2.3, 7.6
init<sid>.ora, 7.6
keys, 17.4.4.2
listener.ora, 2.4.1
log, 2.3, 7.6, 12.2.4, 12.4.1.2
password, 4.5
restrict listener access, 2.4.3
restrict symbolic links, 2.3, 7.6
server.key, 2.4.1, 2.4.1
SSL, 2.4.1
trace, 2.3, 7.6
UTLPWDMG.SQL, 4.3.5
fine-grained access control, 6.2, 7.2
application context, 3.2.6, 14.3.2
features, 14.2.1
performance, 14.2.1.4
fine-grained auditing, 12.6
encrypted table columns, 12.7.1.3
introduction, 3.1.2
multiple objects, columns, statements, including INDEX, 7.5
policies, 7.5
Firewall-1, 7.6
firewalls, 2.4.4, 2.4.4, 2.4.4, 7.6, 7.6
breach
vulnerable data, 2.4.4, 7.6
ill-configured, 7.6
no holes, 7.6
ports, 2.4.1
supported
packet-filtered, 7.6
proxy-enabled, 7.6
flashback query, 12.3.1, 15.14
foreign keys
privilege to use parent key, 5.1.3.2
formatting of password complexity verification routine, 7.4.5.1
free development, 7.3.4.3
FTP, 7.6
functions
PL/SQL
privileges for, 5.1.5
roles, 5.2.5

G

Gauntlet, 7.6
general user security, 7.3.1
global authentication and authorization, 10.1.3
global roles, 10.1.3, 11.5.2.4
global users, 10.1.3
GLOBAL_CONTEXT_MEMORY attribute, 14.3.1.2
GLOBAL_UID attribute, 14.3.1.2
good security
what it requires, 2
grace period
example, 7.4.2
password expiration, 7.4.2, 7.4.2
GRANT ALL PRIVILEGES
SELECT ANY DICTIONARY, 7.6
GRANT ANY OBJECT PRIVILEGE system privilege, 11.6.2.2, 11.7.2.1
GRANT ANY PRIVILEGE system privilege, 5.1.1.2
GRANT CONNECT THROUGH clause
for proxy authorization, 10.1.4
GRANT statement, 11.6.1
ADMIN OPTION, 11.6.1.1
creating a new user, 11.6.1.2
object privileges, 11.6.2, 13.7.1
system privileges and roles, 11.6
when takes effect, 11.9
WITH GRANT OPTION, 11.6.2.1
granting
privileges and roles, 5.1.1.1
granting privileges and roles
listing grants, 11.11
specifying ALL, 11.4.2

H

hacked operating systems or applications, 2.4.2
harden
operating system, 7.6
hash
keyed, Preface
hash algorithms, Preface
HOST attribute, 14.3.1.2
HR, 7.6
HS_ADMIN_ROLE role, 11.4.3
HTTPS port, 2.4.1

I

identity management
centralized management with distributable tools, 1.1.1
components, 1.1.2
desired benefits, 1.1.1
infrastructure, 1.1.2
Oracle's infrastructure components, 1.1.2
seamless timely distribution, 1.1.1
security, 1.1
single sign-on, 1.1.1
sngle point of integration, 1.1.1
solution, 1.1
IMP_FULL_DATABASE role, 5.2.7, 11.4.3
INDEX privilege, 13.7.2
init<sid>.ora file, 7.6
INSERT privilege, 13.7.2
granting, 11.6.2.3
revoking, 11.7.2.2
INSTANCE attribute, 14.3.1.2
INSTANCE_NAME attribute, 14.3.1.2
invoker's rights
procedure security, 5.1.5.1
invoker's rights stored procedures, 13.5.2
IP address
fakeable, 2.4.4
IP addresses, 7.6, 7.6
IP_ADDRESS attribute, 14.3.1.2
ISDBA attribute, USERENV, 14.3.1.2
iTAR, 7.6

K

Kerberos, 2.3, 7.6
keyed hash, Preface

L

LANG attribute, 14.3.1.2
LANGUAGE attribute, 14.3.1.2
least privilege principle, 2.3, 7.6, 7.6, 7.6
lifetime for passwords, 4.3.3
Lightweight Directory Access Protocol (LDAP), 15.3.1.4
limit operating system account privileges, 2.3, 7.6
limit sensitive data dictionary access, 7.3.3.2
limit the number of operating system users, 2.3, 7.6
listener, 7.6
checklist, 2.4.3
establish password, 2.4.4, 2.4.4, 7.6, 7.6
not Oracle owner, 7.6
prevent on-line administration, 7.6
restrict privileges, 2.4.3, 7.6
sample configuration, 7.6
secure administration, 2.4.3, 2.4.4, 7.6
listener.ora, 2.4.1
add line, 7.6
sample, 7.6
typical directory, 2.4.1
lock and expire, 2.3, 2.3, 2.3, 7.6, 7.6, 7.6
unlock via ALTER USER statement, 7.3.3.1
log files, 7.6, 7.6, 12.2.4, 12.4.1.2
logical reads limit, 5.3.1.4
login triggers, 15.2.3
logon triggers, 15.2.1, 15.3.1

M

MAC, Preface
mail messages
arbitrary, 7.6
unauthorized, 7.6
managing roles, 11.5
mandatory auditing, 8.1.1.5
MAX_ENABLED_ROLES initialization parameter
enabling roles and, 11.9.3
MD4, Preface
MD5, Preface
MDDATA, 7.6
MDSYS, 7.6, 7.6
memory
viewing per user, 11.2.5
message authentication code, Preface
methods
privileges on, 5.1.6
MGMT_VIEW, 7.6
middle tier systems, 14.3.1.2
mode, SSL, 2.4.1
monitoring, 8
monitoring user actions, 8
multiple administrators
roles example, 7.3.3.3, 7.3.3.3, 7.3.3.3, 7.3.3.3, 7.3.3.3
multiplex multiple client network sessions, 2.4.4
multi-tier environments
auditing clients, 12.4.2

N

Net8, 7.6
network
auditing, 12.4.3.4
authentication, 10.1.2.3
Network Associates, 7.6
network auditing
turning off, 12.4.4.3
turning on, 12.4.3.4
network authentication, 10.1.2.3
network authentication services, 2.3, 7.6
smart cards, 7.6
token cards, 7.6
X.509 certificates, 7.6
network connections
arbitrary transmissions, 7.6
outgoing, 7.6
network IP addresses, 2.4.4, 7.6
NETWORK_PROTOCOL attribute, 14.3.1.2
networking security checklists, 2.4, 7.6
client checklist, 2.4.2
listener checklist, 2.4.3
network checklist, 2.4.4
SSL, 2.4.1
configuration files, 2.4.1
mode, 2.4.1
tcps, 2.4.1
networks
network authentication service, 4.2.2
new features, Preface
auditing, Preface
column-level VPD, Preface
policy types, Preface
Virtual Private Database, Preface
NLS_CALENDAR attribute, 14.3.1.2
NLS_CURRENCY attribute, 14.3.1.2
NLS_DATE_FORMAT attribute, 14.3.1.2
NLS_DATE_LANGUAGE attribute, 14.3.1.2
NLS_SORT attribute, 14.3.1.2
NLS_TERRITORY attribute, 14.3.1.2
NOAUDIT statement
disabling audit options, 12.4.4
disabling default object audit options, 12.4.4.2
disabling network auditing, 12.4.4.3, 12.4.4.3
disabling object auditing, 12.4.4.2
disabling statement and privilege auditing, 12.4.4.1, 12.4.4.1

O

O7_DICTIONARY_ACCESSIBILITY, 2.3, 7.6, 7.6, 11.4.1.1, 11.4.1.1, 11.4.1.1, 11.4.1.1, 11.4.1.1
initialization parameter, 11.4.1.1
object auditing
turning off, 12.4.4.2
turning on, 12.4.3.3
object privileges, 2.3, 5.1.2, 6.1, 7.6
developers, 7.3.4.4
granting on behalf of the owner, 11.6.2.2
revoking, 11.7.2
revoking on behalf of owner, 11.7.2.1
schema object privileges, 5.1.2, 6.1
See also schema object privileges
objects
granting privileges, 13.7.2
privileges, 13.7.1
privileges on, 5.1.6
OCI
enabling roles, 3.2.1
ODM, 7.6
ODM_MTR, 7.6
OE, 7.6
OLAPSYS, 7.6
operating system
harden, 7.6
operating system authentication, 7.3.3.2
operating system security, 7.1.3
operating system username, 2.3
operating systems
accounts, 11.10.1
authentication, 10.1.2.2, 11.10
authentication by, 4.1
default permissions, 2.3, 7.6
enabling and disabling roles, 11.10.4
role identification, 11.10.1
roles and, 5.2.8, 11.10
security in, 7.1.3
optimization
query rewrite
in security policies, 6.2.1
ORA-28002 error, 7.4.3
Oracle Advanced Security, 2.3, 7.6, 7.6, 13.6.2
Oracle Connection Manager, 2.4.4
Oracle Delegated Administration Service, 1.1.2
Oracle Directory Integration and Provisioning, 1.1.2
Oracle Enterprise Security Manager, 4.2.2.4
Oracle Internet Directory, 1.1.2, 4.2.2.4, 16.1.4.3
Oracle Java Virtual Machine (OJVM), 2.3, 7.6
Oracle Net, 7.6
Oracle Net Manager, 7.6
Oracle Technology Network, 7.6
Oracle Universal Installer, 2.3
Oracle Wallet Manager, 4.2.2.2
Oracle wallets, 4.2.2.2
Oracle Worldwide Support Services, 7.6
OracleAS Certificate Authority, 1.1.2, 4.2.2.2
OracleAS Single Sign-On, 1.1.2
ORDPLUGINS, 7.6
ORDSYS, 7.6
OS, 12.4.1.1, 12.4.1.2
OS username, 7.3.3.2
OS_ROLES parameter
operating-system authorization and, 11.5.2.3.1
REMOTE_OS_ROLES and, 11.10.5
using, 11.10.1
OS_USER attribute, USERENV, 14.3.1.2
OUTLN, 7.6

P

packages
auditing, 8.4
examples of, 5.1.5.3, 5.1.5.3
privileges
divided by construct, 5.1.5.3
executing, 5.1.5, 5.1.5.3
Padding forms, Preface
parallel execution servers, 15.2.1.4
parallel query
and SYS_CONTEXT, Preface
application context, Preface
parallel query, and SYS_CONTEXT, 15.2.1.4
pass-phrase
to read and parse server.key file, 2.4.1
password
establish for listener, 2.4.4, 2.4.4, 7.6, 7.6
password aging and expiration, 7.4.2
grace period, 7.4.2, 7.4.2
example, 7.4.2
password complexity verification, 4.3.5, 7.4.5
formatting of routine, 7.4.5.1
sample routine, 7.4.5.2
password files, 4.5, 7.3.3.2, 7.3.3.2
password management
account locking, 7.4.1
explicit, 7.4.1
ALTER PROFILE statement, 7.4
CREATE PROFILE statement, 7.4
expiration grace period, 7.4.2, 7.4.2
explicitly expire, 7.4.2
failed login attempts, 7.4.1
failed logins resetting, 7.4.1
grace period
example, 7.4.2
history, 7.4.4
lifetime for password, 7.4.2
password complexity verification, 7.4.5
PASSWORD_LOCK_TIME, 7.4.1
PASSWORD_REUSE_MAX, 7.4.4
PASSWORD_REUSE_TIME, 7.4.4
sample password complexity verification routine, 7.4.5.2
UTLPWDMG.SQL
password management, 7.4.5
password management policy, 7.4
password security, 7.3.1.1
PASSWORD_LIFE_TIME, 7.4.2
PASSWORD_LOCK_TIME, 7.4.1
PASSWORD_REUSE_MAX, 7.4.4
PASSWORD_REUSE_TIME, 7.4.4
passwords
account locking, 4.3.2
administrative, 2.3, 7.6
change via ALTER USER statement, 7.3.3.1
changing for roles, 11.5.1
complexity verification, 4.3.5
connecting without, 4.1
database user authentication, 4.3
default, 7.3.3.1
duration, 2.3, 7.6
encryption, 4.3.1, 7.3.1.1, 10.1.1
expiring, 4.3.3
history, 7.4.4
PASSWORD_REUSE_MAX, 7.4.4
PASSWORD_REUSE_TIME, 7.4.4
length, history, and complexity, 7.6
length, history, and complexity,, 2.3
life time set too low, 7.4.3
management, 7.4
management rules, 2.3, 7.6
password files, 4.5
password reuse, 4.3.4
privileges for changing for roles, 11.5.1
privileges to alter, 11.1.2
reuse, 2.3, 7.6
role, 3.2.3
roles, 11.5.2.1
security policy for users, 7.3.1.1
SYS and SYSTEM, 2.3, 7.6, 7.6
used in roles, 5.2.1
user authentication, 10.1.1
performance
resource limits and, 5.3
permissions
server.key file, 2.4.1
personnel checklist, 2.2
personnel security, 1
physical access control checklist, 2.1
physical security, 1
PIX Firewall, 7.6
PKCS #5, Preface
PKI, 4.2.2.2
PL/SQL
anonymous blocks, 13.5.2
auditing of statements within, 8.1.2
dynamically modifying SQL statements, 14.1.1
roles in procedures, 5.2.5
setting context, 15.2.1
PM, 7.6
policies
auditing, 7.5
password management, 7.4
policy function, 7.2
policy types
context-sensitive, Preface, 15.10.1, 15.10.2.2
new features, Preface
shared, Preface, 15.10.1
static, Preface, 15.10.1, 15.10.2.1
POLICY_INVOKER attribute, 14.3.1.2
practical security concerns, 2
predicates
dynamic
in security policies, 6.2.1
principle of least privilege, 2.3, 7.6, 7.6, 7.6
privacy, 2.3, 7.6
Private Schemas, 10.1.3.1.1
privilege auditing
turning off, 12.4.4.1
turning on, 12.4.3.2
privilege management, 7.3.1.2
privileges, 11.4
See also system privileges.
administrator
statement execution audited, 8.1.2
altering
passwords, 11.1.2.1
users, 11.1.2
altering role authentication method, 11.5.1
application developers, 7.3.4.1
application developers and, 7.3.4.1
audit object, 12.4.3.3
auditing system, 12.4.3.2
auditing use of, 8.3, 12.4.3.2
cascading revokes, 11.7.3
column, 11.6.2.3
CREATE DBLINK statement, 7.6
creating roles, 11.5.1
creating users, 11.1.1
dropping profiles, 11.3.1
dropping roles, 11.5.3
encapsulating in stored procedures, 3.2.2
granting, 5.1.1.1, 5.1.2.1, 11.6.1
examples of, 5.1.5.3, 5.1.5.3
granting object privileges, 11.6.2
granting system privileges, 11.6
granting, about, 11.6
grouping with roles, 11.5
individual privilege names, 11.4.1
listing grants, 11.11.1
managing, 13.3, 13.7
middle tier, 16.2.1.2
object, 7.3.4.4, 11.4.2, 13.7.2
on selected columns, 11.7.2.2
overview of, 5.1
policies for managing, 7.3.1.2
procedures, 5.1.5
creating and altering, 5.1.5.2
executing, 5.1.5
in packages, 5.1.5.3
revoking, 5.1.1.1, 5.1.2.1, 11.7.2
revoking object, 11.7.2
revoking object privileges, 11.7.2, 11.7.3.2
revoking system privileges, 11.7.1
roles, 5.2
restrictions on, 5.2.6
schema object, 5.1.2, 6.1
DML and DDL operations, 5.1.3
granting and revoking, 5.1.2.1
packages, 5.1.5.3
procedures, 5.1.5
SQL statements permitted, 13.7.2
system, 5.1.1, 11.4.1
ANY, 7.6
CREATE, 7.3.4.4
DROP ANY TABLE, 7.6
granting and revoking, 5.1.1.1
SELECT ANY DICTIONARY, 7.6
SYSTEM and OBJECT, 2.3, 7.6
trigger privileges, 5.1.5.1
views, 5.1.4
creating, 5.1.4.1
using, 5.1.4.2
procedural security, 1
procedures
auditing, 8.4, 8.4.1
definer's rights, 5.1.5.1
roles disabled, 5.2.5.1
examples of, 5.1.5.3, 5.1.5.3
invoker's rights, 5.1.5.1
roles used, 5.2.5.2
privileges
create or alter, 5.1.5.2
executing, 5.1.5
executing in packages, 5.1.5.3
security enhanced by, 5.1.5.1
process monitor process (PMON)
cleans up timed-out sessions, 5.3.1.5
PRODUCT_USER_PROFILE table, 3.2.1, 14.5.2.1, 14.5.2.1
production environment, 7.6
products and options
install only as necessary, 7.6
profile parameters
PASSWORD_LIFE_TIME, 7.4.3
profiles, 11.3
disabling resource limits, 11.3
dropping, 11.3.1
enabling resource limits, 11.3
listing, 11.2.1
managing, 11.3
password management, 4.3.2, 7.4
privileges for dropping, 11.3.1
viewing, 11.2.4
program global area (PGA)
effect of MAX_ENABLED_ROLES on, 11.9.3
proxies, 4.4.1
auditing clients of, 12.4.2
proxy authentication and authorization, 10.1.4
proxy authentication, 10.1.4
proxy authorization, 10.1.4
proxy servers
auditing clients, 12.4.2
PROXY_USER attribute, 14.3.1.2, 14.3.1.2
PROXY_USERID attribute, 14.3.1.2
PROXY_USERS view, 10.1.4
pseudocolumns
USER, 5.1.4.2
public key infrastructure, 4.2.2.2
PUBLIC role
about, 11.8
granting and revoking privileges to, 11.8
procedures and, 11.8
revoke all unnecessary privileges and roles, 7.6
security guidelines, 2.3
users, 5.2.4
UTL_SMTP PL/SQL package, 7.6
PUBLIC_DEFAULT profile
dropping profiles and, 11.3.1

Q

QS, 7.6
QS_ADM, 7.6
QS_CB, 7.6
QS_CBADM, 7.6
QS_CS, 7.6
QS_ES, 7.6
QS_OS, 7.6
QS_WS, 7.6
query rewrite
dynamic predicates in security policies, 6.2.1
quotas
listing, 11.2.1
revoking from users, 11.1.1.4.1
setting to zero, 11.1.1.4.1
tablespace, 11.1.1.4
temporary segments and, 11.1.1.4
unlimited, 11.1.1.4.2
viewing, 11.2.3

R

RADIUS, 4.2.2.3
Raptor, 7.6
RC4, Preface
reads
data block
limits on, 5.3.1.4
reauthenticating clients, 16.1.4.3, 16.1.4.3
RECOVERY_CATALOG_OWNER role, 11.4.3
REFERENCES privilege, 13.7.2
CASCADE CONSTRAINTS option, 11.7.2.3
revoking, 11.7.2.2, 11.7.2.3
when granted through a role, 5.2.6
REFRESH_GROUPED_POLICY procedure, 15.10, 15.11
REFRESH_POLICY procedure, 15.10, 15.11
remote authentication, 2.3, 7.6, 7.6
REMOTE_OS_AUTHENT, 7.6
REMOTE_OS_AUTHENT initialization parameter
setting, 10.1.2.2
remote_os_authentication, 2.3, 7.6, 7.6
REMOTE_OS_ROLES initialization parameter
setting, 11.5.2.3.2, 11.10.5
reparsing, 15.2.3
resetting failed login attempts, 7.4.1
resource limits
call level, 5.3.1.2
connect time for each session, 5.3.1.5
CPU time limit, 5.3.1.3
determining values for, 5.4.1
disabling, 11.3
enabling, 11.3
idle time in each session, 5.3.1.5
logical reads limit, 5.3.1.4
number of sessions for each user, 5.3.1.5
private SGA space for each session, 5.3.1.5
profiles, 11.3
RESOURCE privilege, 13.6.1
RESOURCE role, 5.1.6.1, 5.2.7, 11.4.3
resources
profiles, 11.3
restrict symbolic links, 2.3, 7.6
restrictions
space
developers, 7.3.4.5
tablespaces, 7.3.4.5
REVOKE CONNECT THROUGH clause
revoking proxy authorization, 10.1.4
REVOKE statement, 11.7.1
when takes effect, 11.9
revoking privileges and roles
on selected columns, 11.7.2.2
specifying ALL, 11.4.2
REVOKE statement, 11.7.1
when using operating-system roles, 11.10.3
rewrite
predicates in security policies, 6.2.1
RMAN, 7.6
role, 7.2
typical developer, 7.3.4.4
role identification
operating system accounts, 11.10.1
ROLE_SYS_PRIVS view, 13.3
ROLE_TAB_PRIVS view, 13.3
roles, 5.2, 7.3.1.2, 7.3.2, 7.6
ADMIN OPTION and, 11.6.1.1
administrative, 7.3.3
advantages, 13.3
application, 5.2.2.1, 13.5, 13.5, 13.7, 14.5.2
application developers and, 7.3.4.4
AQ_ADMINISTRATOR_ROLE, 11.4.3
AQ_USER_ROLE, 11.4.3
authorization, 11.5.2
authorized by enterprise directory service, 11.5.2.4
changing authorization for, 11.5.1
changing passwords, 11.5.1
CONNECT role, 5.2.7, 11.4.3
CONNECT statement, 7.6, 11.4.3
create your own, 7.6
database authorization, 11.5.2.1
DBA role, 5.2.7, 11.4.3
DDL statements and, 5.2.6
default, 11.1.2.2, 11.9.2
definer's rights procedures disable, 5.2.5.1
definition, 11.4.3
DELETE_CATALOG_ROLE, 11.4.3
dependency management in, 5.2.6
disabling, 11.9.1
dropping, 11.5.3
enabled or disabled, 5.2.3
enabling, 11.9.1, 13.5
enabling and disabling, 3.2.1
enterprise, 10.1.3, 11.5.2.4
example, 7.3.2.1, 7.3.2.1, 7.3.2.1
explanation, 7.3.2.1
EXECUTE_CATALOG_ROLE, 11.4.3
EXP_FULL_DATABASE, 11.4.3
EXP_FULL_DATABASE role, 5.2.7
for multiple administrators
example, 7.3.3.3, 7.3.3.3, 7.3.3.3, 7.3.3.3, 7.3.3.3
functionality, 5.1
global, 10.1.3, 11.5.2.4
global authorization, 11.5.2.4
GRANT statement, 11.10.4
granting, 5.1.1.1, 5.2.3, 11.6.1
granting, about, 11.6
HS_ADMIN_ROLE, 11.4.3
IMP_FULL_DATABASE, 11.4.3
IMP_FULL_DATABASE role, 5.2.7
in applications, 5.2.1
invoker's rights procedures use, 5.2.5.2
job responsibility privileges only, 7.6
listing, 11.11.5
listing grants, 11.11.2
listing privileges and roles in, 11.11.6
management using the operating system, 11.10
managing, 11.5, 13.7
managing through operating system, 5.2.8
maximum, 11.9.3
multibyte characters in names, 11.5.1
multibyte characters in passwords, 11.5.2.1
naming, 5.2
network authorization, 11.5.2.3.2
operating system, 11.10.1
operating system granting of, 11.10.1, 11.10.4
operating-system authorization, 11.5.2.3
OS management and the shared server, 11.10.5
passwords, 3.2.3
passwords for enabling, 11.5.2.1
predefined, 5.2.7, 11.4.3
privileges for creating, 11.5.1
privileges for dropping, 11.5.3
privileges, changing authorization method for, 11.5.1
privileges, changing passwords, 11.5.1
RECOVERY_CATALOG_OWNER, 11.4.3
RESOURCE role, 5.2.7, 11.4.3
restricting from tool users, 14.5.2
restrictions on privileges of, 5.2.6
REVOKE statement, 11.10.4
revoking, 5.2.3, 11.7.1
revoking ADMIN OPTION, 11.7.1
schemas do not contain, 5.2
secure application, 3.1.2
security and, 7.3.2.1
security domains of, 5.2.4
SELECT_CATALOG_ROLE, 11.4.3
SET ROLE statement, 11.10.4
setting in PL/SQL blocks, 5.2.5.2
unique names for, 11.5.1
use of passwords with, 5.2.1
usefulness compromised, 13.2.1
user, 5.2.2.2, 13.5, 13.7
users capable of granting, 5.2.3.1
uses of, 5.2.2
WITH GRANT OPTION and, 11.6.2.1
without authorization, 11.5.1
root file paths
for files and packages outside the database, 2.3, 7.6
row-level security
see fine-grained access control, virtual private database (VPD), and Oracle Label Security
rows
row-level security, 6.2
RSA private key, 2.4.1
run-time facilities, 2.3, 7.6

S

sample configuration
listener, 7.6
sample password complexity verification routine, 7.4.5.2
Sample Schemas, 7.6
remove or re-lock for production, 7.6
test database, 7.6
schema object privileges, 5.1.2, 6.1
DML and DDL operations, 5.1.3
granting and revoking, 5.1.2.1
views, 5.1.4
schema objects
auditing, 8.4
cascading effects on revoking, 11.7.3.2
default audit options, 12.4.3.3
default tablespace for, 11.1.1.3
disabling audit options, 12.4.4.1, 12.4.4.2, 12.4.4.3
enabling audit options on, 12.4.3.3
granting privileges, 11.6.2
in a revoked tablespace, 11.1.1.4.1
owned by dropped users, 11.1.3
privileges on, 5.1.2, 6.1
privileges to access, 11.4.2
privileges with, 11.4.2
revoking privileges, 11.7.2
schema-independent users, 13.6.2
schemas
default, 14.3.1.2
unique, 13.6
SCOTT, 2.3, 7.6, 7.6, 7.6, 7.6
script files, 12.5.3
CATNOAUD.SQL, 12.5.3
scripts, 4.3.5
scripts, authenticating users in, 9
seamless timely distribution, 1.1.1
sec_relevant_cols parameter, 14.1.1.1, 15.10.3.1
sec_relevant_cols_opt parameter, 14.1.1.2, 15.10.3.2
secure application, 13.4
secure application role
using to ensure database connection, 13.4.1
secure installation and configuration checklist, 2.3, 7.6
Secure Sockets Layer, 2.4.1, 2.4.1, 7.1.2, 7.6, 10.1, 10.1.3.1.1
certificate key algorithm, 2.4.1
checklist, 2.4.1
cipher suites, 2.4.1
configuration files, 2.4.1
mode, 2.4.1
pass-phrase, 2.4.1
RSA private key, 2.4.1
server.key file, 2.4.1
tcps, 2.4.1
Secure Sockets Layer (SSL) protocol, 16.1.4.3
security
accessing a database, 7.1
administrator of, 7.1
application administration, 7.3.5
application developers and, 7.3.4
application enforcement of, 5.2.1
auditing, 8, 8.1.1.2
auditing policies, 7.5
authentication of users, 7.1.2
breach effects, 1.1
checklists and recommendations, 2
data, 7.2, 7.2
database security, 7.1
database users and, 7.1.1
default user accounts, 2.3, 7.6, 7.6
dynamic predicates, 6.2.1
effectiveness, 1
elements and operations, 1
enforcement in application, 13.2.2
enforcement in database, 13.2.2
fine-grained access control, 6.2
general principles, 1
general users, 7.3.1
identity management, 1.1
impacts, 1
interaction complexity, 1.1
issues by category, 1
management costs
escalation, 1
multibyte characters in role names, 11.5.1
multibyte characters in role passwords, 11.5.2.1
operating-system security and the database, 7.1.3
passwords, 4.3
personnel dimension, 1
physical dimension, 1
policies
administering, 15.10
applied within database, 14.1.1.3
centrally managed, 14.5.2.3
example, 15.8
implementing, 6.2.2, 14.3.2
multiple policies per table, 14.2.1.2
on tables or views, 14.2.1.1
technical issues, 3.1.2
policies for database administrators, 7.3.3
policy for applications, 13.1, 14.5.2
practical concerns, 2
privilege management policies, 7.3.1.2
privileges, 7.1
procedural dimension, 1
procedures enhance, 5.1.5.1
protecting the audit trail, 12.4.6
REMOTE_OS_ROLES parameter, 11.10.5
requirements and principles, 1
roles to force security, 7.3.2.1
roles, advantages, 13.3
security policies, 6.2
technical dimension, 1
test databases, 7.3.4.2
threats and countermeasures, 3.1.1
total costs, 1
views enhance, 5.1.4.2
what good security requires, 2
security alerts, 7.6
security domain
application development, 7.3.4.5
security domains
enabled roles and, 5.2.3
security patches and workarounds, 2.3, 7.6
security policy function, 7.2
security requirements and principles, 1
security-relevant columns VPD, 14.1.1.1
SELECT ANY DICTIONARY, 7.6, 7.6
SELECT privilege, 13.7.2
SELECT_CATALOG_ROLE role, 11.4.1.2, 11.4.3
sequences
auditing, 8.4
SERVER_HOST attribute, 14.3.1.2
server.key file, 2.4.1, 2.4.1
pass-phrase to read and parse, 2.4.1
permissions on, 2.4.1
service names, 7.6
session primitives, 14.3.1.2
SESSION_ROLES data dictionary view
PUBLIC role, 11.8
SESSION_ROLES view
queried from PL/SQL block, 5.2.5.1
SESSION_USER attribute, USERENV, 14.3.1.2
SESSION_USERID attribute, 14.3.1.2
SESSIONID attribute, 14.3.1.2
sessions
auditing by, 8.5.2.1
auditing connections and disconnections, 12.4.3.1.1
defined, 8.5.2.1
limits for each user, 5.3.1.5
listing privilege domain of, 11.11.4
time limits on, 5.3.1.5
viewing memory use, 11.2.5
when auditing options take effect, 8.1.2
SET ROLE statement
associating privileges with role, 13.5
at startup, 3.2.1
disabling, 3.2.1
equivalent to SET_ROLE, 13.5.2
how password is set, 11.5.2.1
role passwords, 3.2.3
used to enable/disable roles, 11.9.1
when using operating-system roles, 11.10.4
SET_CONTEXT procedure, 15.2.2
SET_ROLE procedure, 13.5.2
SH, 7.6
SHA-1, Preface
shared policy type, Preface, 15.10.1
Shared Schemas, 10.1.3.1.2
shared server
limiting private SQL areas, 5.3.1.5
OS role management restrictions, 11.10.5
SI_INFORMTN_SCHEMA, 7.6
SID attribute, 14.3.1.2
single sign-on, 1.1.1
single source of truth, 1.1
smart cards, 7.6
sngle point of integration, 1.1.1
space restrictions
developers, 7.3.4.5
tablespaces, 7.3.4.5
SQL statements
auditing, 8.2, 8.5.1
when records generated, 8.1.2
disabling audit options, 12.4.4.1, 12.4.4.3
dynamic, 15.2.1.3
enabling audit options on, 12.4.3.1.1
privileges required for, 5.1.2, 6.1, 13.7.2
resource limits and, 5.3.1.2
restricting ad hoc use, 14.5.1, 14.5.1
SQL*Net, 7.6
SQL*Plus
connecting with, 4.1
restricting ad hoc use, 14.5.1, 14.5.1
statistics monitor, 5.4.1
SSL, 1.1.2, 2.4.1, 2.4.1, 7.1.2, 7.6, 7.6
SSL. See Secure Sockets Layer.
statement auditing
turning off, 12.4.4.1
turning on, 12.4.3.1
STATEMENTID attribute, 14.3.1.2
static, Preface, 15.10.1, 15.10.2.1
storage
quotas and, 11.1.1.4
revoking tablespaces and, 11.1.1.4.1
unlimited quotas, 11.1.1.4.2
stored procedures
encapsulating privileges, 3.2.2
invoker's rights, 13.5.2
using privileges granted to PUBLIC, 11.8
strong authentication, 7.6
symbolic links, 2.3, 7.6
synonyms
inherit privileges from object, 5.1.2.3
SYS, 7.6
SYS account
policies for protecting, 7.3.3.1
policy enforcement, 14.5.3
SYS and SYSTEM, 7.6
passwords, 2.3, 7.6, 7.6
SYS and SYSTEM connections, 7.3.3.1
SYS schema, 15.2.2
AS SYSDBA, 7.3.3.2
SYS username
statement execution audited, 8.1.2
SYS_CONTEXT
and parallel query, Preface
SYS_CONTEXT function
access control, 15.3.2.3
database links, 15.2.1.5
dynamic SQL statements, 15.2.1.3
parallel query, 15.2.1.4
syntax, 15.2.1.1
USERENV namespace, 14.3.1.2
SYS.AUD$, 12.4.1.1, 12.4.1.1
SYS.AUD$ table
audit trail, 12.2.6
creating and deleting, 12.5
SYSMAN, 2.3, 7.6, 7.6, 7.6
SYS-privileged connections, 2.3, 7.6
SYSTEM, 7.6
SYSTEM account
policies for protecting, 7.3.3.1
system global area (SGA)
limiting private SQL areas, 5.3.1.5
system privileges, 2.3, 5.1.1, 7.6, 11.4.1
ADMIN OPTION, 5.1.1.2
ANY, 7.6
CREATE, 7.3.4.4
described, 5.1.1, 11.4.1
DROP ANY TABLE statement, 7.6
GRANT ANY OBJECT PRIVILEGE, 11.6.2.2, 11.7.2.1
GRANT ANY PRIVILEGE, 5.1.1.2
granting, 11.6.1
granting and revoking, 5.1.1.1
SELECT ANY DICTIONARY, 7.6
system security policy, 7.1
database user management, 7.1.1
operating system security, 7.1.3
user authentication, 7.1.2

T

tables
auditing, 8.4
privileges on, 5.1.3
tablespaces
assigning defaults for users, 11.1.1.3
default quota, 11.1.1.4
quotas for users, 11.1.1.4
revoking from users, 11.1.1.4.1
temporary
assigning to users, 11.1.1.5
unlimited quotas, 11.1.1.4.2
viewing quotas, 11.2.3
tcps, 2.4.1, 7.6
technical security, 1
TELNET, 7.6
TERMINAL attribute, USERENV, 14.3.1.2
test and production databases
application developer environment, 7.3.4.2
testing VPD policies, 15.10.1
TFTP, 7.6
TIGER, 7.6
token cards, 7.6
trace files, 7.6, 7.6, 8.1.1.5
triggers
auditing, 8.4.1
CREATE TRIGGER ON, 13.7.2
event, 15.3.3
login, 15.2.3
logon, 15.2.1, 15.3.1
privileges for executing, 5.1.5.1
roles, 5.2.5
Triple DES, Preface
turning off
network auditing, 12.4.4.3
object auditing, 12.4.4.2
statement and privilege auditing, 12.4.4.1
turning on
network auditing, 12.4.3.4
object auditing, 12.4.3.3
privilege auditing, 12.4.3.2
statement auditing, 12.4.3.1
types
privileges on, 5.1.6
typical role, 7.3.4.4

U

UDP and TCP ports
close for ALL disabled services, 7.6
uniform audit trail, Preface
UNLIMITED, 7.4.4, 7.4.4
UNLIMITED TABLESPACE privilege, 11.1.1.4.2
unlock locked accounts, 7.3.3.1
UPDATE privilege
revoking, 11.7.2.2
user authentication
methods, 7.1.2
user groups, 7.3.2
USER pseudocolumn, 5.1.4.2
user security policy, 7.3
USERENV function, 14.3.1.2, 16.2.1.3.2, 17.3.1
USERENV namespace, 14.3.1.2, 14.3.1.2
usernames
OS, 7.3.3.2
schemas, 13.6
users
altering, 11.1.2
assigning unlimited quotas for, 11.1.1.4.2
auditing, 8.5.3
authentication
about, 7.1.2, 10.1
authentication of, 4
changing default roles, 11.1.2.2
database authentication, 10.1.1
default tablespaces, 11.1.1.3
dropping, 11.1.3
dropping profiles and, 11.3.1
dropping roles and, 11.5.3
enabling roles for, 13.5
end-user security policies, 7.3.2
enterprise, 10.1.3, 11.5.2.4, 13.6.2
external authentication, 10.1.2
global, 10.1.3
listing, 11.2.1
listing privileges granted to, 11.11.1
listing roles granted to, 11.11.2
managing, 11.1
network authentication, 10.1.2.3
objects after dropping, 11.1.3
operating system authentication, 10.1.2.2
password encryption, 4.3.1, 7.3.1.1
password security, 7.3.1.1
policies for managing privileges, 7.3.1.2
privileges for changing passwords, 11.1.2
privileges for creating, 11.1.1
privileges for dropping, 11.1.3
proxy authentication and authorization, 10.1.4
PUBLIC role, 5.2.4, 11.8
restricting application roles, 14.5.2
roles and, 5.2.1
for types of users, 5.2.2.2
schema-independent, 13.6.2
security and, 7.1.1
security domains of, 5.2.4
security for general users, 7.3.1
specifying user names, 11.1.1.1
tablespace quotas, 11.1.1.4
viewing information on, 11.2.2
viewing memory use, 11.2.5
viewing tablespace quotas, 11.2.3
UTL_HTTP, 7.6
UTL_SMTP, 7.6
UTL_TCP, 7.6
UTLPWDMG.SQL, 4.3.5, 7.4.5
formatting of password complexity verification routine, 7.4.5.1

V

valid node checking, 2.4.4, 7.6
view, 5.1.4
views, 7.2
auditing, 8.4, 8.4.1
privileges for, 5.1.4
security applications of, 5.1.4.2
Virtual Private Database
new features, Preface
virtual private database (VPD), 3.2.1, 13.2.2, 14.1.1, 14.1.1.3, 14.5.2.3
column-level VPD, 15.10.3
defined, 14.1
policies, 14.2
VPD
column masking behavior, 14.1.1.2
column masking restrictions, 15.10.3.2
objects it applies to, 14.1.1.1
sec_relevant_cols parameter, 14.1.1.1
see virtual private database
sel_relevant_cols_opt parameter, 14.1.1.2
with flashback query, 15.14
VPD policies
dynamic, 15.10.1
testing with dynamic policy type, 15.10.1
vulnerable data behind firewalls, 2.4.4, 7.6, 7.6
vulnerable run-time call, 7.6
made more secure, 7.6

W

Wallet Manager, 4.2.2.2
wallets, 4.2.2.2
WHERE, 7.2
WHERE clause, dynamic SQL, 14.1.1
Windows native authentication, 4.5
Windows operating system
OS audit trail, 12.2.6, 12.4.1.2
WK_TEST, 7.6
WKPROXY, 7.6
WKSYS, 7.6
WMSYS, 7.6

X

X.509 certificates, 7.6
X.509 Version 3 certificates, 4.2.2.2
XDB, 7.6
XML, 12.4.1.1, 12.4.1.2