Index

Symbols  Numerics  A  B  C  D  E  F  G  H  I  J  K  L  M  N  O  P  Q  R  S  T  U  V  W  X  

Symbols

  • "all permissions" A.3

Numerics

  • 12C password hash version
  • 12C password version

A

  • about 6.1.1, 7.8.1
  • about connection 6.2.1
  • ACCEPT_MD5_CERTS sqlnet.ora parameter F.5
  • ACCEPT_SHA1_CERTS sqlnet.ora parameter F.5
  • access configuration, DBCA 6.2.2.7.3
  • access configuration, silent mode 6.2.2.7.4
  • access configuration, system parameters 6.2.2.7.2
  • access control
    • encryption, problems not solved by 15.1.1
    • enforcing A.9.1
    • object privileges 4.10.1
    • password encryption 3.2.1
  • access control list (ACL) 8.5.1
    • examples
      • external network connection for email alert 25.4.8.1
      • external network connections 8.7
      • wallet access 8.7
    • external network services
      • about 8.2
      • advantages 8.1
      • affect of upgrade from earlier release 8.4
      • email alert for audit violation tutorial 25.4.8.1
      • finding information about 8.13
      • network hosts, using wildcards to specify 8.8
      • ORA-06512 error 8.12
      • ORA-24247 error 8.12
      • ORA-24247 errors 8.4
      • order of precedence, hosts 8.9
      • port ranges 8.10
      • privilege assignments, about 8.11.1
      • privilege assignments, database administrators checking 8.11.2
      • privilege assignments, users checking 8.11.4
      • revoking privileges 8.5.3
    • wallet access
      • about 8.3
      • advantages 8.3
      • client certificate credentials, using 8.6.1
      • finding information about 8.13
      • non-shared wallets 8.6.1
      • password credentials 8.6.1
      • password credentials, using 8.6.1
      • revoking 8.6.5
      • revoking access 8.6.5
      • shared database session 8.6.1
      • wallets without sensitive information 8.6.1
      • wallets with sensitive information 8.6.1
  • ACCHK_READ role 4.8.2
  • accounting, RADIUS 22.4.4
  • account locking
  • activating checksumming and encryption 16.6.1
  • adapters 18.5
  • ADD_SSLV3_TO_DEFAULT sqlnet.ora parameter 21.8.1.7
  • ADG_ACCOUNT_INFO_TRACKING initialization parameter
    • guideline for securing A.9.1
  • ad hoc tools
    • database access, security problems of 4.8.7.1
  • ADM_PARALLEL_EXECUTE_TASK role
  • administrative accounts
  • administrative privileges
  • administrative user passwords
    • default, importance of changing A.5
  • administrative users
  • administrator privileges
    • access A.9.2
    • operating system authentication 3.3.3
    • passwords 3.3.4, A.5
    • SYSDBA and SYSOPER access, centrally controlling 3.3.2.1
    • write, on listener.ora file A.9.2
  • ADMIN OPTION
  • Advanced Encryption Standard (AES)
  • Advanced Networking Option (ANO) (Oracle native encryption) 16.6.3.3.1
  • AES256 algorithm
    • converting to in Oracle wallets F.6.2.7
  • alerts, used in fine-grained audit policy 25.4.8.1
  • ALTER ANY LIBRARY statement
    • security guidelines A.3
  • ALTER DATABASE DICTIONARY DELETE CREDENTIALS statement 10.5.2
  • ALTER DATABASE DICTIONARY ENCRYPT CREDENTIALS statement 10.5.2
  • ALTER DATABASE DICTIONARY REKEY CREDENTIALS statement 10.5.2
  • altering users 2.3.1
  • ALTER PROCEDURE statement
    • used for compiling procedures 4.13.4
  • ALTER PROFILE statement
  • ALTER RESOURCE COST statement 2.4.4.5, 2.4.4.6
  • ALTER ROLE statement
    • changing authorization method 4.8.3.5
  • ALTER SESSION statement
  • ALTER USER privilege 2.3.1
  • ALTER USER statement
  • ANO encryption
  • anonymous 21.8.1.3.1
  • ANONYMOUS user account 2.6.2
  • ANSI operations
    • Oracle Virtual Private Database affect on 12.5.3
  • ANY system privilege
    • guidelines for security A.6
  • application common users
  • application containers
    • application contexts 11.1.6
    • Transport Layer Security 21.1.2
    • Virtual Private Database policies 12.1.6
  • application contexts 11.4.1
    • See also: client session-based application contexts, database session-based application contexts, global application contexts
  • application developers
  • applications
    • about security policies for 10.1
    • database users 10.2.1
    • enhancing security with 4.8.1.3
    • object privileges 10.11.1
    • object privileges permitting SQL statements 10.11.2
    • One Big Application User authentication
    • Oracle Virtual Private Database, how it works with 12.5.4
    • password handling, guidelines 10.3.1.2
    • password protection strategies 10.3
    • privileges, managing 10.6
    • roles
      • multiple 4.8.1.5
      • privileges, associating with database roles 10.9
    • security 4.8.7, 10.2.2
    • security considerations for use 10.2
    • security limitations 12.5.4
    • security policies 12.3.7.3
    • validating with security policies 12.3.7.5
  • application security
    • finding privilege use by users 5.1.2.1
    • restricting wallet access to current application 8.6.1
    • revoking access control privileges from Oracle wallets 8.6.5
    • sharing wallet with other applications 8.6.1
    • specifying attributes 11.3.3.3
  • application users who are database users
    • Oracle Virtual Private Database, how it works with 12.5.9
  • architecture 6.1.3
  • archiving
  • ASMSNMP user account 2.6.2
  • asymmetric key operations 15.4
  • asynchronous authentication mode in RADIUS 22.3.2
  • attacks
    • See: security attacks
  • AUDIT_ADMIN role 4.8.2
  • AUDIT_VIEWER role 4.8.2
  • audit files
    • operating system audit trail
    • operating system file
    • standard audit trail
  • auditing 25.1
    • See also: unified audit policies
    • administrators, Database Vault 25.2.14.2
    • audit options 25.1
    • audit trail, sensitive data in A.11
    • CDBs 24.9
    • committed data A.11.2
    • cursors, affect on auditing 26.1.3
    • databases, when unavailable 26.1.7
    • database user names 3.6
    • Database Vault administrators 25.2.14.2
    • distributed databases and 24.10
    • DV_ADMIN role user 25.2.14.2
    • DV_OWNER role user 25.2.14.2
    • finding information about audit management 26.4
    • finding information about usage 25.5
    • fine-grained
      • See fine-grained auditing 25.4.1
    • functions 25.2.7.10
    • functions, Oracle Virtual Private Database 25.2.7.12
    • general steps
      • commonly used security-relevant activities 25.1.2
      • specific fine-grained activities 25.1.3
      • SQL statements and other general activities 25.1.1
    • general steps for 25.1
    • guidelines for security A.11
    • historical information A.11.2
    • INHERIT PRIVILEGE privilege 7.5.8
    • keeping information manageable A.11.1
    • loading audit records to unified audit trail 26.1.7
    • mandatory auditing 26.1.2
    • multitier environments
      • See standard auditing 25.2.9
    • One Big Application User authentication, compromised by 10.2.1
    • operating-system user names 3.6
    • Oracle Virtual Private Database policy functions 25.2.7.12
    • packages 25.2.7.10
    • performance 24.3
    • PL/SQL packages 25.2.7.10
    • predefined policies
      • general steps for using 25.1.2
    • privileges required 24.8
    • procedures 25.2.7.10
    • purging records
    • range of focus 25.1
    • READ object privileges in policies 25.2.8.2
    • READ privileges
    • recommended settings A.11.5
    • Sarbanes-Oxley Act
      • auditing, meeting compliance through 24.1
    • SELECT privileges
    • sensitive data A.11.4
    • suspicious activity A.11.3
    • traditional 25.2.20.2
    • triggers 25.2.7.10
    • unified audit trail
    • VPD predicates
    • when audit options take effect 26.1.1
    • when records are created 26.1.1
  • auditing, purging records
  • audit policies 24.1
    • See also: unified audit policies
  • audit policies, application contexts
  • audit records
    • when written to OS files 26.1.6
  • audit trail
    • archiving 26.2.2
    • capturing syslog records 26.1.5.2
    • capturing Windows Event Viewer records 26.1.5.2
    • finding information about audit management 26.4
    • finding information about usage 25.5
    • SYSLOG records 26.1.5.1
    • unified
  • AUDSYS user account 2.6.2
  • AUTHENTICATEDUSER role 4.8.2
  • authentication 3.2.1, 18.5
    • See also: passwords, proxy authentication
    • about 3.1
    • administrators
      • operating system 3.3.3
      • passwords 3.3.4
      • SYSDBA and SYSOPER access, centrally controlling 3.3.2.1
    • by database 3.4
    • by SSL 3.9.2.1
    • client A.9.1
    • client-to-middle tier process 3.13.1.8
    • configuring multiple methods 23.3
    • database administrators 3.3.1
    • databases, using
    • directory-based services 3.7.2.4
    • directory service 3.9.2
    • external authentication
    • global authentication
    • methods 18.4
    • middle-tier authentication
    • modes in RADIUS 22.3
    • multitier 3.11
    • network authentication
    • One Big Application User, compromised by 10.2.1
    • operating system authentication 3.8.1
    • operating system user in PDBs 3.8.1
    • ORA-28040 errors 3.2.8.3
    • PDBs 3.8.1
    • proxy user authentication
    • public key infrastructure 3.7.2.5
    • RADIUS 3.7.2.3
    • remote A.9.1
    • schema-only accounts 3.5
    • schema-only accounts, users created with 3.5.1
    • specifying when creating a user 2.2.5
    • strong A.5
    • SYSDBA on Windows systems 3.3.3
    • Windows native authentication 3.3.3
  • AUTHENTICATION parameter C.2.2
  • authentication types 6.1.4
  • AUTHID DEFINER clause
    • used with Oracle Virtual Private Database functions 12.1.4
  • authorization
  • automatic reparse
    • Oracle Virtual Private Database, how it works with 12.5.5

B

  • banners
    • auditing user actions, configuring 10.12.5
    • unauthorized access, configuring 10.12.5
  • BFILEs
    • guidelines for security A.6
  • bind variables
  • BLOBS

C

  • CAPTURE_ADMIN role 4.8.2
  • cascading revokes 4.16.3
  • catpvf.sql script (password complexity functions) 3.2.6.2
  • CDB_DBA role 4.8.2
  • CDB common users
  • CDBs
    • auditing
    • CBAC role grants with DELEGATE option 7.7.5
    • common privilege grants 4.6.1
    • granting privileges and roles 4.6.4
    • local privilege grants 4.6.1
    • object privileges 4.6.3
    • PDB lockdown profiles 4.9.1, 4.9.2
    • privilege management 4.6
    • privilege profiles 5.1.5
    • revoking privileges 4.6.4
    • roles
    • SYSLOG capture of unified audit records 26.1.5.2
    • system privileges 4.6.2
    • transparent sensitive data protection 13.5
    • user accounts
    • user privileges, how affects 4.3
    • users
    • viewing information about 4.6.6.1
    • Virtual Private Database
  • Center for Internet Security (CIS) 25.3.5
  • centrally managed users
    • Oracle Autonomous Database 6.6
    • troubleshooting 6.7
  • certificate 21.4.2.2
  • certificate authority 21.4.2.1
  • certificate key algorithm
    • Secure Sockets Layer A.9.3
  • certificate revocation list (CRL)
  • certificate revocation lists 21.4.2.3
  • certificate revocation status checking
  • certificates 6.2.2.5
    • creating signed with orapki F.3
  • certificate validation error message
    • CRL could not be found 21.10.7
    • CRL date verification failed with RSA status 21.10.7
    • CRL signature verification failed with RSA status 21.10.7
    • Fetch CRL from CRL DP
    • OID hostname or port number not set 21.10.7
  • challenge-response authentication in RADIUS 22.3.2
  • change_on_install default password A.5
  • character sets
    • role names, multibyte characters in 4.8.3.1
    • role passwords, multibyte characters in 4.8.4.1
  • Cipher Block Chaining (CBC) mode, defined 16.1.2
  • cipher suites
  • Cipher Suites
    • FIPS 140-2 settings E.3.2
  • CLIENT_IDENTIFIER USERENV attribute 3.13.2.4
    • See also: USERENV namespace
    • setting and clearing with DBMS_SESSION package 3.13.2.6
    • setting with OCI user session handle attribute 3.13.2.5
  • client authentication in SSL 21.8.1.5
  • client connections
    • guidelines for security A.9.1
    • secure external password store 3.2.9.3
    • securing A.9.1
  • CLIENTID_OVERWRITE event 3.13.2.6
  • client identifier
    • setting for applications that use JDBC 3.13.2.5
  • client identifiers 11.4.2
    • See also: nondatabase users
    • about 3.13.2.1
    • auditing users 25.2.9
    • consistency between DBMS_SESSION.SET_IDENTIFIER and DBMS_APPLICATION_INFO.SET_CLIENT_INFO 3.13.2.6
    • global application context, independent of 3.13.2.4
    • setting with DBMS_SESSION.SET_IDENTIFIER procedure 11.4.3
  • client session-based application contexts 11.5.1
    • See also: application contexts
    • about 11.5.1
    • CLIENTCONTEXT namespace, clearing value from 11.5.5
    • CLIENTCONTEXT namespace, setting value in 11.5.2
    • retrieving CLIENTCONTEXT namespace 11.5.3
  • code based access control (CBAC)
    • about 7.7.1
    • granting and revoking roles to program unit 7.7.6
    • how works with definers rights 7.7.4
    • how works with invoker’s rights 7.7.3
    • privileges 7.7.2
    • tutorial 7.7.7
  • column masking behavior 12.3.6.4
  • columns
  • command line recall attacks 10.3.1.1, 10.3.1.4
  • committed data
  • common privilege grants
  • common roles
  • common user accounts
    • creating 2.2.10.1
    • enabling access to other PDBs 4.6.6
    • granting privileges to 4.6
  • common users
  • configuration
    • guidelines for security A.8
  • configuration files
  • configuring
  • connecting
    • with username and password 23.1
  • connection pooling
  • CONNECT role
  • CONTAINER_DATA objects
    • viewing information about 4.6.6
  • container database (CDB)
    • See: CDBs
  • container data objects
  • context profiles
    • privilege analysis 5.1.4
  • controlled step-in procedures 7.3
  • CPU time limit 2.4.2.3
  • CREATE ANY LIBRARY statement
    • security guidelines A.3
  • CREATE ANY PROCEDURE system privilege 4.13.3
  • CREATE CONTEXT statement
  • CREATE LOCKDOWN PROFILE statement 4.9.4
  • CREATE PROCEDURE system privilege 4.13.3
  • CREATE PROFILE statement
  • CREATE ROLE statement
    • IDENTIFIED EXTERNALLY option 4.8.4.3
  • CREATE SCHEMA statement
  • CREATE SESSION statement
  • CREATE USER statement
    • explicit account locking 3.2.4.9
    • IDENTIFIED BY option 2.2.5
    • IDENTIFIED EXTERNALLY option 2.2.5
  • creating Oracle service directory user account 6.2.2.1
  • CRL 21.4.2.3
  • CRLAdmins directory administrative group F.9.7
  • CRLs
  • cryptographic hardware devices 21.4.2.5
  • cryptographic libraries
    • FIPS 140-2 E.1
  • CTXAPP role 4.8.2
  • CTXSYS user account 2.6.2
  • cursors
    • affect on auditing 26.1.3
    • reparsing, for application contexts 11.3.5
    • shared, used with Virtual Private Database 12.1.5
  • CWM_USER role 4.8.2

D

  • database administrators (DBAs)
    • access, controlling 15.1.2
    • authentication 3.3.1
    • malicious, encryption not solved by 15.1.2
  • Database Configuration Assistant (DBCA)
    • default passwords, changing A.5
    • user accounts, automatically locking and expiring A.3
  • database links
    • application contexts 11.3.4.6
    • application context support 11.3.10.1
    • authenticating with Kerberos 3.7.2.2
    • authenticating with third-party services 3.7.2.1
    • definer’s rights procedures 7.8.1
    • global user authentication 3.9.3
    • object privileges 4.10.1
    • operating system accounts, care needed 3.6
    • RADIUS not supported 22.1
    • sensitive credential data
      • about 14.1
      • data dictionary views 14.7
      • deleting 14.5
      • encrypting 14.3
      • multitenant environment 14.2
      • rekeying 14.4
      • restoring functioning of after lost keystore 14.6
    • session-based application contexts, accessing 11.3.4.6
  • databases
    • access control
      • password encryption 3.2.1
    • additional security resources 1.2
    • authentication 3.4
    • database user and application user 10.2.1
    • default password security settings 3.2.4.5
    • default security features, summary 1.1
    • granting privileges 4.15
    • granting roles 4.15
    • limitations on usage 2.4.1
    • schema-only accounts 3.5
    • security and schemas 10.10
    • security embedded, advantages of 10.2.2
    • security policies based on 12.1.2.1
  • database session-based application contexts 11.3.1
    • See also: application contexts
  • database upgrades and CONNECT role A.12.2.1
  • data definition language (DDL)
  • data dictionary
  • data encryption and integrity parameters
    • about B.3.1
    • SQLNET.CRYPTO_CHECKSUM_CLIENT B.3.5
    • SQLNET.CRYPTO_CHECKSUM_SERVER B.3.4
    • SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT B.3.9
    • SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER B.3.8
    • SQLNET.ENCRYPTION_CLIENT B.3.3
    • SQLNET.ENCRYPTION_SERVER B.3.2
    • SQLNET.ENCRYPTION_TYPES_CLIENT B.3.7
    • SQLNET.ENCRYPTION_TYPES_SERVER B.3.6
  • Data Encryption Standard (DES)
    • DES40 encryption algorithm 16.1.3
    • Triple-DES encryption algorithm 16.1.3
  • data files A.6
    • guidelines for security A.6
  • data manipulation language (DML)
    • privileges controlling 4.11.1
  • DATAPUMP_EXP_FULL_DATABASE role 4.8.2
  • DATAPUMP_IMP_FULL_DATABASE role 4.8.2
  • data security
    • encryption, problems not solved by 15.1.3
  • DBA_CONTAINER_DATA data dictionary view 4.6.6.1
  • DBA_ROLE_PRIVS view
    • application privileges, finding 10.7
  • DBA_ROLES data dictionary view
  • DBA role
  • DBFS_ROLE role 4.8.2
  • DBMS_CREDENTIAL.CREATE_CREDENTIAL procedure 10.4.4
  • DBMS_CRYPTO package
    • asymmetric key operations 15.4
    • data encryption storage 15.3
    • examples 15.6.1
    • supported cryptographic algorithms 15.3
  • DBMS_CRYPTO PL/SQL package
    • enabling for FIPS 140-2 E.2
  • DBMS_FGA package
  • DBMS_NETWORK_ACL_ADMIN.REMOVE_HOST_ACE procedure 8.5.3
  • DBMS_PRIVILEGE_CAPTURE PL/SQL package 5.2.1
  • DBMS_RLS.ADD_POLICY
  • DBMS_RLS.ADD_POLICY procedure
    • transparent sensitive data protection polices 13.12.2
  • DBMS_SESSION.SET_CONTEXT procedure
  • DBMS_SESSION.SET_IDENTIFIER procedure
    • client session ID, setting 11.4.3
    • DBMS_APPLICATION.SET_CLIENT_INFO value, overwritten by 3.13.2.6
  • DBMS_SESSION package
  • DBSNMP user account
  • DDL
    • See: data definition language
  • debugging
    • Java stored procedures 8.12
    • PL/SQL stored procedures 8.12
  • default command rules
    • ORA_DV_AUDPOL2 predefined audit policy for 25.3.8
  • default passwords A.5
    • change_on_install or manager passwords A.5
    • changing, importance of 3.2.4.2
    • finding 3.2.4.2
  • default permissions A.6
  • default profiles
  • default realms
    • ORA_DV_AUDPOL2 predefined audit policy for 25.3.8
  • default roles
  • defaults
  • default users
    • accounts A.3
    • Enterprise Manager accounts A.3
    • passwords A.5
  • definers’s rights, database links
  • definer’s rights
    • about 7.2
    • code based access control
      • about 7.7.1
      • granting and revoking roles to program unit 7.7.6
      • how code based access control works 7.7.4
    • compared with invoker’s rights 7.1
    • example of when to use 7.2
    • procedure privileges, used with 7.2
    • procedure security 7.2
    • schema privileges for 7.2
    • secure application roles 10.8.2.1
    • used with Oracle Virtual Private Database functions 12.1.4
    • views 7.6.1
  • definer’s rights, database links
    • grants of INHERIT ANY REMOTE PRIVILEGES 7.8.4
    • grants of INHERIT ANY REMOTE PRIVILEGES on connected user to current user, example 7.8.3
    • grants of INHERIT REMOTE PRIVILEGES to other users 7.8.2
    • revokes of INHERIT [ANY] REMOTE PRIVILEGES 7.8.5
    • revoking INHERIT REMOTE PRIVILEGES from PUBLIC, example 7.8.7
    • revoking INHERIT REMOTE PRIVILEGES on connecting user from procedure owner, example 7.8.6
    • tutorial 7.8.8.1
  • DELETE_CATALOG_ROLE role
    • SYS schema objects, enabling access to 4.5.2.2
  • denial of service (DoS) attacks
    • about
  • denial-of-service (DoS) attacks
    • bad packets, preventing 10.12.1
    • networks, securing A.9.2
    • password concurrent guesses 3.2.1
  • Department of Defense Database Security Technical Implementation Guide 3.2.6.5, 3.2.6.6
  • dictionary tables
  • Diffie-Hellman 21.8.1.3.1
  • Diffie-Hellman key negotiation algorithm 16.5
  • DIP user account 2.6.3
  • directories
  • directory authentication, configuring for SYSDBA or SYSOPER access 3.3.2.2
  • directory-based services authentication 3.7.2.4
  • directory objects
    • granting EXECUTE privilege on 4.15.1.3
  • direct path load
    • fine-grained auditing effects on 25.4.1
  • disabling unnecessary services
    • FTP, TFTP, TELNET A.9.2
  • dispatcher processes (Dnnn)
    • limiting SGA space for each session 2.4.2.5
  • distributed databases
  • DML
    • See: data manipulation language
  • driving context 11.6
  • DROP PROFILE statement
  • DROP ROLE statement
  • DROP USER statement
    • about 2.5.3
    • schema objects of dropped user 2.5.4
  • dsi.ora file
  • DVF schema
    • ORA_DV_AUDPOL predefined audit policy for 25.3.7
  • DVSYS schema
    • ORA_DV_AUDPOL predefined audit policy for 25.3.7
  • dynamic Oracle Virtual Private Database policy types 12.3.8.2
  • DYNAMIC policy type 12.3.8.2

E

  • ECB ciphertext encryption mode 15.5
  • editions
    • application contexts, how affects 11.1.5
    • fine-grained auditing packages, results in 11.4.6.2
    • global application contexts, how affects 11.4.6.2
    • Oracle Virtual Private Database packages, results in 11.4.6.2
  • EJBCLIENT role 4.8.2
  • EM_EXPRESS_ALL role 4.8.2
  • EM_EXPRESS_BASIC role 4.8.2
  • email alert example 25.4.8.1
  • encrypting information in 14.1
  • encryption
  • encryption and checksumming
  • encryption of data dictionary sensitive data 14.1
  • ENFORCE_CREDENTIAL configuration parameter
    • security guideline A.10
  • enterprise directory service 4.8.4.6
  • enterprise roles 3.9.1, 4.8.4.6
  • enterprise user management 10.2.1
  • enterprise users
    • centralized management 3.9.1
    • global role, creating 4.8.4.6
    • One Big Application User authentication, compromised by 10.2.1
    • proxy authentication 3.13.1.1
    • shared schemas, protecting users 10.10.2
  • Enterprise User Security
    • application context, globally initialized 11.3.11.3
    • proxy authentication
      • Oracle Virtual Private Database, how it works with 12.5.9
  • error messages
  • errors
  • example 25.2.19.3
  • examples 12.4
    • See also: tutorials
    • access control lists
      • external network connections 8.7
      • wallet access 8.7
    • account locking 3.2.4.8
    • auditing user SYS 25.2.5.5
    • audit trail, purging unified trail 26.3.6
    • data encryption
      • encrypting and decrypting BLOB data 15.6.3
      • encrypting and decrypting procedure with AES 256-Bit 15.6.2
    • directory objects, granting EXECUTE privilege on 4.15.1.3
    • encrypting procedure 15.6.1
    • Java code to read passwords 10.3.4
    • locking an account with CREATE PROFILE 3.2.4.8
    • login attempt grace period 3.2.4.14
    • nondatabase user authentication 11.4.6.7
    • passwords
    • privileges
    • procedure privileges affecting packages 4.13.5.2, 4.13.5.3
    • profiles, assigning to user 2.2.9
    • roles
    • secure external password store 3.2.9.2
    • session ID of user
    • system privilege and role, granting 4.15.1.2
    • tablespaces
    • type creation 4.14.5
    • users
  • exceptions
    • WHEN NO DATA FOUND, used in application context package 11.3.9.3
    • WHEN OTHERS, used in triggers
      • development environment (debugging) example 11.3.8
      • production environment example 11.3.7
  • Exclusive Mode
    • SHA-2 password hashing algorithm, enabling 3.2.8.2
  • EXECUTE_CATALOG_ROLE role
    • SYS schema objects, enabling access to 4.5.2.2
  • EXECUTE ANY LIBRARY statement
    • security guidelines A.3
  • EXEMPT ACCESS POLICY privilege
    • Oracle Virtual Private Database enforcements, exemption 12.5.7.2
  • EXP_FULL_DATABASE role
  • expiring a password
  • exporting data
    • direct path export impact on Oracle Virtual Private Database 12.5.7.2
    • policy enforcement 12.5.7.2
  • extended data objects
    • views and Virtual Private Database 12.3.2
  • external authentication
  • external network services, fine-grained access to
    • See: access control list (ACL)
  • external network services, syntax for 8.5.1
  • external procedures
    • configuring extproc process for 10.4.4
    • credentials 10.4.1
    • DBMS_CREDENTIAL.CREATE_CREDENTIAL procedure 10.4.4
    • legacy applications 10.4.5
    • security guideline A.10
  • external roles 4.8.3.4
  • external tables A.6
  • extproc process

F

  • failed login attempts
  • fallback authentication, Kerberos 20.5
  • Federal Information Processing Standard (FIPS)
    • DBMS_CRYPTO package E.2
    • FIPS 140-2
      • Cipher Suites E.3.2
      • postinstallation checks E.4
      • SSLFIPS_140 E.3.1
      • SSLFIPS_LIB E.3.1
      • verifying connections E.5
    • Transparent Data Encryption E.2
  • files
    • BFILEs
      • operating system access, restricting A.6
    • BLOB 15.2.6
    • keys 15.2.4.3
    • listener.ora file
    • restrict listener access A.9.2
    • server.key encryption file A.9.3
    • symbolic links, restricting A.6
    • tnsnames.ora A.9.3
  • fine-grained access control
    • See: Oracle Virtual Private Database (VPD)
  • fine-grained auditing
  • fips.ora file E.3.1
  • FIPS 140-2 cryptographic libraries
  • FIPS Parameter
    • Configuring E.3
  • firewalls
  • flashback query
    • Oracle Virtual Private Database, how it works with 12.5.6
  • foreign keys
    • privilege to use parent key 4.11.2
  • FTP service A.9.2
  • functions

G

  • GATHER_SYSTEM_STATISTICS role 4.8.2
  • GLOBAL_AQ_USER_ROLE role 4.8.2
  • GLOBAL_EXTPROC_CREDENTIAL configuration parameter
  • global application contexts 11.4.1
    • See also: application contexts
    • about 11.4.1
    • authenticating nondatabase users 11.4.6.7
    • checking values set globally for all users 11.4.6.5
    • clearing values set globally for all users 11.4.6.5
    • components 11.4.3
    • editions, affect on 11.4.6.2
    • example of authenticating nondatabase users 11.4.6.8
    • example of authenticating user moving to different application 11.4.6.6
    • example of setting values for all users 11.4.6.5
    • Oracle RAC environment 11.4.4
    • Oracle RAC instances 11.4.1
    • ownership 11.4.5.1
    • PL/SQL package creation 11.4.6.1
    • process, lightweight users 11.4.9.2
    • process, standard 11.4.9.1
    • sharing values globally for all users 11.4.6.4
    • system global area 11.4.1
    • tutorial for client session IDs 11.4.8.1
    • used for One Big Application User scenarios 12.5.9
    • uses for 12.5.9
  • global authentication
  • global authorization
  • global roles 4.8.3.4
  • global users 3.9.1
  • grace period for login attempts
  • grace period for password expiration 3.2.4.14
  • gradual database password rollover
    • about 3.2.5.1
    • actions permitted during 3.2.5.7
    • changing password during rollover period 3.2.5.5
    • changing password to begin rollover period 3.2.5.4
    • enabling 3.2.5.3
    • finding users who use old passwords 3.2.5.9
    • manually ending the password before rollover period 3.2.5.6
    • password change life cycle 3.2.5.2
    • server behavior after rollover ends 3.2.5.8
  • GRANT ALL PRIVILEGES statement
    • SELECT ANY DICTIONARY privilege, exclusion of A.6
  • GRANT ANY PRIVILEGE system privilege 4.5.4
  • GRANT CONNECT THROUGH clause
    • consideration when setting FAILED_LOGIN_ATTEMPTS parameter 3.2.4.3
    • for proxy authorization 3.13.1.5
  • granting privileges and roles
  • GRANT statement 4.15.1.1
  • guidelines for security
    • auditing A.11
    • custom installation A.8
    • data files and directories A.6
    • encrypting sensitive data A.6
    • guidelines for security
      • custom installation A.8
    • installation and configuration A.8
    • networking security A.9
    • operating system accounts, limiting privileges A.6
    • operating system users, limiting number of A.6
    • ORACLE_DATAPUMP access driver A.7
    • Oracle home default permissions, disallowing modification A.6
    • passwords A.5
    • products and options
      • install only as necessary A.8
    • sample schemas A.8
    • Sample Schemas
      • remove or relock for production A.8
      • test database A.8
    • Secure Sockets Layer
    • symbolic links, restricting A.6
    • user accounts and privileges A.3

H

  • hackers
    • See: security attacks
  • handshake
  • how it works 6.1.2
  • HR user account 2.6.4
  • HS_ADMIN_EXECUTE_ROLE role
  • HS_ADMIN_ROLE role
  • HS_ADMIN_SELECT_ROLE role
  • HTTP authentication
    • See: access control lists (ACL), wallet access
  • HTTPS
    • port, correct running on A.9.3
  • HTTP verifier removal A.5

I

  • IMP_FULL_DATABASE role
  • INACTIVE_ACCOUNT_TIME profile parameter 3.2.4.6
  • inactive user accounts, locking automatically 3.2.4.6
  • indexed data
  • indirectly granted roles 4.8.1.2
  • INHERIT ANY PRIVILEGES privilege
  • INHERIT ANY REMOTE PRIVILEGES 7.8.1
  • INHERIT PRIVILEGES privilege
  • INHERIT REMOTE PRIVILEGES
  • initialization parameter file
    • parameters for clients and servers using Kerberos C.1
    • parameters for clients and servers using RADIUS C.3
    • parameters for clients and servers using SSL C.2
  • initialization parameters
  • INSERT privilege
  • installation
    • guidelines for security A.8
  • intruders
    • See: security attacks
  • invoker’s rights
    • about 7.3
    • code based access control
      • about 7.7.1
      • granting and revoking roles to program unit 7.7.6
      • how code based access control works 7.7.3
      • tutorial 7.7.7
    • compared with definer’s rights 7.1
    • controlled step-in 7.3
    • procedure privileges, used with 7.2
    • procedure security 7.3
    • secure application roles 10.8.2.1
    • secure application roles, requirement for enabling 10.8.2.1
    • security risk 7.5.1
    • views
      • about 7.6.1
      • finding user who invoked invoker’s right view 7.6.3
  • IP addresses
  • IX user account 2.6.4

J

  • JAVA_ADMIN role 4.8.2
  • JAVA_RESTRICT initialization parameter
    • security guideline A.6
  • Java Byte Code Obfuscation 17.5
  • Java Database Connectivity (JDBC)
    • configuration parameters 17.6.1
    • Oracle extensions 17.2
    • thin driver features 17.3
  • JAVADEBUGPRIV role 4.8.2
  • Java Debug Wire Protocol (JDWP)
    • network access for debugging operations 8.12
  • JAVAIDPRIV role 4.8.2
  • Java schema objects
  • Java stored procedures
    • network access for debugging operations 8.12
  • JAVASYSPRIV role 4.8.2
  • JAVAUSERPRIV role 4.8.2
  • JDBC
    • See: Java Database Connectivity
  • JDBC connections
    • JDBC/OCI proxy authentication 3.13.1.1
      • multiple user sessions 3.13.1.8
      • Oracle Virtual Private Database 12.5.9
    • JDBC Thin Driver proxy authentication
  • JDeveloper
    • debugging using Java Debug Wire Protocol 8.12
  • JMXSERVER role 4.8.2

K

  • Kerberos 18.4.1
    • authentication adapter utilities 20.2
    • authentication fallback behavior 20.5
    • configuring authentication 20.1, 20.1.6.1
    • configuring for database server 20.1.2
    • configuring for Windows 2008 Domain Controller KDC 20.4
    • connecting to database 20.3
    • interoperability with Windows Server Domain Controller KDC 20.4.1
    • kinstance 20.1.2
    • kservice 20.1.2
    • realm 20.1.2
    • sqlnet.ora file sample B.2
    • system requirements 18.6
  • Kerberos authentication 3.7.2.2
    • configuring for SYSDBA or SYSOPER access 3.3.2.3
    • password management A.5
  • Kerberos Key Distribution Center (KDC) 20.4
  • key generation
  • key storage
  • key transmission
  • kinstance (Kerberos) 20.1.2
  • kservice (Kerberos) 20.1.2

L

  • large objects (LOBs)
  • LBAC_DBA role 4.8.2
  • LBACSYS.ORA_GET_AUDITED_LABEL function
  • LBACSYS schema
    • ORA_DV_AUDPOL predefined audit policy for 25.3.7
  • LBACSYS user account 2.6.2
  • ldap.ora
    • which directory SSL port to use for no authentication 21.10.5.4
  • ldap.ora file
  • least privilege principle A.3
    • about A.3
    • granting user privileges A.3
    • middle-tier privileges 3.13.1.9
  • libraries
  • lightweight users
    • example using a global application context 11.4.8.1
    • Lightweight Directory Access Protocol (LDAP) 12.4.2.9
  • listener
    • endpoint
    • not an Oracle owner A.9.2
    • preventing online administration A.9.2
    • restrict privileges A.9.2
    • secure administration A.9.2
  • listener.ora file
    • administering remotely A.9.2
    • default location A.9.3
    • FIPS 140-2 Cipher Suite settings E.3.2
    • online administration, preventing A.9.2
    • Oracle wallet setting C.2.8
    • TCPS, securing A.9.3
  • lists data dictionary
    • See: views
    • data dictionary views
      • See: views
    • granting privileges and roles
      • finding information about 4.20.1
    • privileges
      • finding information about 4.20.1
    • roles
      • finding information about 4.20.1
    • views
  • LOB_SIGNATURE_ENABLE initialization parameter 10.5.1
  • LOBs
  • local privilege grants
  • local roles
  • local user accounts
  • local users
  • lock and expire
    • default accounts A.3
    • predefined user accounts A.3
  • lockdown profiles, PDB 4.9.1
  • locking inactive user accounts automatically 3.2.4.6
  • log files
    • owned by trusted user A.6
  • logical reads limit 2.4.2.4
  • logon triggers
    • externally initialized application contexts 11.3.5
    • for application context packages 11.3.5
    • running database session application context package 11.3.5
    • secure application roles 4.8.8
  • LOGSTDBY_ADMINISTRATOR role 4.8.2

M

  • malicious database administrators 15.1.2
    • See also: security attacks
  • manager default password A.5
  • managing roles with RADIUS server 22.4.8
  • materialized views
  • MD5 message digest algorithm 16.4
  • MDDATA user account 2.6.3
  • MDSYS user account 2.6.2
  • memory
  • MERGE INTO statement, affected by DBMS_RLS.ADD_POLICY statement_types parameter 12.3.4
  • metadata links
  • methods
    • privileges on 4.14
  • Microsoft Active Directory services 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.2.1, 6.2.2.1, 6.2.2.5, 6.2.2.7.2, 6.2.2.7.3
    • about configuring connection 6.2.2.7.1
    • about password authentication 6.3.1.1
    • access, Kerberos authentication 6.3.2
    • access, PKI authentication 6.3.3
    • access configuration, Oracle wallet verification 6.2.2.8
    • access configuration, testing integration 6.2.2.9
    • account policies 6.5
    • administrative user configuration, exclusive mapping 6.4.6.2
    • administrative user configuration, shared access accounts 6.4.6.1
    • dsi.ora file, about 6.2.2.4.2
    • dsi.ora file, compared with ldap.ora 6.2.2.4.1
    • extending Active Directory schema 6.2.2.2
    • ldap.ora file, about 6.2.2.4.4
    • ldap.ora file, compared with dsi.ora 6.2.2.4.1
    • ldap.ora file, creating 6.2.2.4.3, 6.2.2.4.5
    • logon user name with password authentication 6.3.1.3
    • user authorization, about 6.4.1
    • user authorization, mapping Directory user group to global role 6.4.3
    • user authorization, verifying 6.4.7
    • user management, altering mapping definition 6.4.5
    • user management, exclusively mapping Directory user to database global user 6.4.4
    • user management, mapping group to shared global user 6.4.2
    • user management, migrating mapping definition 6.4.5
  • Microsoft Active Directory services integration 6.1.1, 6.1.2
  • Microsoft Directory Access services 6.2.2.7.4
  • Microsoft Windows
    • Kerberos
      • configuring for Windows 2008 Domain Controller KDC 20.4
  • middle-tier systems
  • mining models
  • mixed mode auditing capabilities 24.7.4
  • monitoring user actions 24.1
    • See also: auditing, standard auditing, fine-grained auditing
  • multiplex multiple-client network sessions A.9.2
  • multitenant container database (CDB)
    • See: CDBs
  • multitenant option 6.1.6
  • My Oracle Support
    • security patches, downloading A.2.1
    • user account for logging service requests 2.6.3

N

  • native network encryption
    • compared with Transport Layer Security 16.1.4
  • native network enryption
  • nCipher hardware security module
    • using Oracle Net tracing to troubleshoot 21.11.4.1
  • Net8
    • See: Oracle Net
  • Netscape Communications Corporation 21.1
  • network authentication
    • external authentication 3.10.6
    • guidelines for securing A.5
    • roles, granting using 4.18.1
    • Secure Sockets Layer 3.7.1
    • smart cards A.5
    • third-party services 3.7.2.1
    • token cards A.5
    • X.509 certificates A.5
  • network connections
  • network encryption
  • network IP addresses
    • guidelines for security A.9.2
  • network traffic encryption A.9.2
  • nondatabase users 11.4.2
    • See also: application contexts, client identifiers

O

  • obfuscation 17.5
  • object privileges 4.10.1, A.3
    • See also: schema object privileges
  • objects
    • applications, managing privileges in 10.11
    • granting privileges 10.11.2
    • privileges
    • protecting in shared schemas 10.10.2
    • protecting in unique schemas 10.10.1
    • SYS schema, access to 4.5.2.2
  • object types
  • OEM_ADVISOR role 4.8.2
  • OEM_MONITOR role 4.8.2
  • OE user account 2.6.4
  • OFB ciphertext encryption mode 15.5
  • okcreate
    • Kerberos adapter utility 20.2
  • okcreate options 20.2.4
  • okdstry
    • Kerberos adapter utility 20.2
  • okdstry options 20.2.3
  • okinit
    • Kerberos adapter utility 20.2
  • okinit utility options 20.2.1
  • oklist
    • Kerberos adapter utility 20.2
  • OLAP_DBA role 4.8.2
  • OLAP_USER role 4.8.2
  • OLAP_XS_ADMIN role 4.8.2
  • OLAPSYS user account 2.6.2
  • One Big Application User authentication
    • See: nondatabase users
  • operating system
    • audit files written to 26.1.6
  • operating systems 3.8.1
    • accounts 4.18.2
    • authentication
    • default permissions A.6
    • enabling and disabling roles 4.18.5
    • operating system account privileges, limiting A.6
    • role identification 4.18.2
    • roles, granting using 4.18.1
    • roles and 4.8.1.10
    • users, limiting number of A.6
  • operating system users
    • configuring for PDBs 3.8.2
  • OPTIMIZER_PROCESSING_RATE role 4.8.2
  • ORA_ACCOUNT_MGMT predefined unified audit policy 25.3.4
  • ORA_CIS_RECOMMENDATIONS predefined unified audit policy 25.3.5
  • ORA_DATABASE_PARAMETER predefined unified audit policy 25.3.3
  • ORA_DV_AUDPOL2 predefined unified audit policy 25.3.8
  • ORA_DV_AUDPOL predefined unified audit policy 25.3.7
  • ORA_LOGON_FAILURES predefined unified audit policy 25.3.1
  • ORA_SECURECONFIG predefined unified audit policy 25.3.2
  • ORA_STIG_PROFILE profile 3.2.6.5
  • ORA$DEPENDENCY profile 5.1.6
  • ORA-01720 error 4.12.1
  • ORA-01994 2.3.4.1
  • ORA-06512 error 8.12, 25.4.8.6
  • ORA-06598 error 7.5.2
  • ORA-12650 error B.3.7
  • ORA-1536 error 2.2.7.3
  • ORA-24247 error 8.4, 8.12, 25.4.8.6
  • ORA-28017 error 2.3.4.1
  • ORA-28040 error 3.2.8.3, 3.4.1
  • ORA-28046 error 2.3.4.1
  • ORA-28575 error 10.4.3
  • ORA-40300 error 21.11.4.2
  • ORA-40301 error 21.11.4.2
  • ORA-40302 error 21.11.4.2
  • ORA-45622 errors 13.6.6.2
  • ORA-64219: invalid LOB locator encountered 10.5.1
  • ORACLE_DATAPUMP access driver
    • guidelines for security A.7
  • ORACLE_OCM user account 2.6.3
  • Oracle Advanced Security
    • checksum sample for sqlnet.ora file B.2
    • configuration parameters 17.6.1
    • encryption sample for sqlnet.ora file B.2
    • Java implementation 17.4
    • network authentication services A.5
    • SSL features 21.2
    • user access to application schemas 10.10.2
  • Oracle Audit Vault and Database Firewall
    • schema-only accounts 3.5.1
  • Oracle Autonomous Database
    • centrally managed users 6.6
  • Oracle Call Interface (OCI)
    • application contexts, client session-based 11.5.1
    • proxy authentication 3.13.1.1
      • Oracle Virtual Private Database, how it works with 12.5.9
    • proxy authentication with real user 3.13.1.8
    • security-related initialization parameters 10.12
  • Oracle Connection Manager
    • securing client networks with A.9.2
  • Oracle Database Enterprise User Security
    • password security threats 3.2.8.1
  • Oracle Database Real Application Clusters
  • Oracle Database Real Application Security
  • Oracle Database Vault
  • Oracle Data Guard
    • SYSDG administrative privilege 4.4.5
  • Oracle Data Mining
  • Oracle Data Pump
  • Oracle Developer Tools For Visual Studio (ODT)
    • debugging using Java Debug Wire Protocol 8.12
  • Oracle E-Business Suite
    • schema-only accounts 3.5.1
  • Oracle Enterprise Manager
    • PDBs 9
    • statistics monitor 2.4.3
  • Oracle Enterprise Security Manager
  • Oracle home
    • default permissions, disallowing modification A.6
  • Oracle Internet Directory
  • Oracle Internet Directory (OID)
    • authenticating with directory-based service 3.7.2.4
    • SYSDBA and SYSOPER access, controlling 3.3.2.1
  • Oracle Java Virtual Machine
    • JAVA_RESTRICT initialization parameter security guideline A.6
  • Oracle Java Virtual Machine (OJVM)
    • permissions, restricting A.3
  • Oracle Label Security
  • Oracle Label Security (OLS)
    • Oracle Virtual Private Database, using with 12.5.7.1
  • OracleMetaLink
    • See: My Oracle Support
  • Oracle native encryption
  • Oracle Net
  • Oracle parameters
    • authentication 23.4
  • Oracle Password Protocol 17.4
  • Oracle Real Application Clusters
    • global application contexts 11.4.4
    • SYSRAC administrative privilege 4.4.7
  • Oracle Real Application Security
    • auditing internal predicates in policies 25.2.7.11
  • Oracle Recovery Manager
  • Oracle Scheduler
    • sensitive credential data
      • about 14.1
      • data dictionary views 14.7
      • deleting 14.5
      • encrypting 14.3
      • multitenant environment 14.2
      • rekeying 14.4
      • restoring functioning of lost keystore 14.6
  • Oracle SQL*Loader
  • Oracle Technology Network
  • Oracle Virtual Private Database
    • exporting data using Data Pump Export 12.5.8
  • Oracle Virtual Private Database (VPD)
  • Oracle Virtual Private Datebase (VPD)
    • predicates
      • audited in fine-grained audit policies 25.4.4
      • audited in unified audit policies 25.2.7.11
  • Oracle Wallet Manager
    • X.509 Version 3 certificates 3.7.2.5
  • Oracle wallets
    • authentication method 3.7.2.5
    • setting location 21.8.1.2
    • sqlnet.listener.ora setting C.2.8
    • sqlnet.ora location setting C.2.8
  • orapki utility
    • about F.1
    • adding a certificate request to a wallet with F.6.3.1
    • adding a root certificate to a wallet with F.6.3.2
    • adding a trusted certificate to a wallet with F.6.3.2
    • adding user certificates to a wallet with F.6.3.4
    • cert create command F.9.1
    • cert display command F.9.2
    • certificate revocation lists 21.10.5.1
    • changing the wallet password with F.6.2.6
    • converting wallet to use AES256 algorithm F.6.2.7
    • creating a local auto-login wallet with F.6.2.4
    • creating an auto-login wallet with F.6.2.2, F.6.2.3
    • creating a wallet with F.6.2.1
    • creating signed certificates for testing F.3
    • crl delete command F.9.3
    • crl display command F.9.4
    • crl hash command F.9.5
    • crl list command F.9.6
    • crl upload command F.9.7
    • examples F.8
    • exporting a certificate from a wallet with F.6.4
    • exporting a certificate request from a wallet with F.6.4
    • managing certificate revocation lists F.7
    • syntax F.2
    • viewing a test certificate with F.4
    • viewing a wallet with F.6.2.5
    • wallet add command F.9.8
    • wallet convert command F.9.9
    • wallet create command F.9.10
    • wallet display command F.9.11
    • wallet export command F.9.12
  • ORAPWD utility
  • ORDDATA user account 2.6.2
  • ORDPLUGINS user account 2.6.2
  • ORDSYS user account 2.6.2
  • OS_AUTHENT_PREFIX parameter 23.4.2
  • OS_ROLES initialization parameter
  • OSS.SOURCE.MY_WALLET parameter 21.8.1.2, 21.8.2.3
  • outer join operations
    • Oracle Virtual Private Database affect on 12.5.3

P


Q


R

  • RADIUS 18.4.2
    • accounting 22.4.4
    • asynchronous authentication mode 22.3.2
    • authentication modes 22.3
    • authentication parameters C.3
    • challenge-response
    • configuring 22.4.1
    • database links not supported 22.1
    • initialization parameter file setting C.3.3
    • location of secret key 22.4.1.3.1
    • minimum parameters to set C.3.2
    • smartcards and 18.4.2, 22.3.2.2, 22.4.1.3.2, D.1
    • SQLNET.AUTHENTICATION_SERVICES parameter C.3.1.1
    • sqlnet.ora file sample B.2
    • SQLNET.RADIUS_ALTERNATE_PORT parameter C.3.1.3
    • SQLNET.RADIUS_ALTERNATE_RETRIES parameter C.3.1.5
    • SQLNET.RADIUS_ALTERNATE_TIMEOUT parameter C.3.1.4
    • SQLNET.RADIUS_ALTERNATE parameter C.3.1.2
    • SQLNET.RADIUS_AUTHENTICATION_INTERFACE parameter C.3.1.7
    • SQLNET.RADIUS_AUTHENTICATION_PORT parameter C.3.1.8
    • SQLNET.RADIUS_AUTHENTICATION_RETRIES parameter C.3.1.10
    • SQLNET.RADIUS_AUTHENTICATION parameter C.3.1.6
    • SQLNET.RADIUS_CHALLENGE_KEYWORD parameter C.3.1.12
    • SQLNET.RADIUS_CHALLENGE_RESPONSE parameter C.3.1.11
    • SQLNET.RADIUS_CLASSPATH parameter C.3.1.13
    • SQLNET.RADIUS_SECRET parameter C.3.1.14
    • SQLNET.RADIUS_SEND_ACCOUNTING parameter C.3.1.15
    • synchronous authentication mode 22.3.1
    • system requirements 18.6
  • RADIUS authentication 3.7.2.3
  • READ ANY TABLE system privilege
  • READ object privilege
  • reads
  • realm (Kerberos) 20.1.2
  • REDACT_AUDIT transparent sensitive data protection default policy 13.10.1
  • redo log files
    • auditing committed and rolled back transactions A.11.2
  • REFERENCES privilege
  • REMOTE_OS_AUTHENT initialization parameter
  • REMOTE_OS_ROLES initialization parameter
  • remote authentication A.9.1
  • remote debugging
    • configuring network access 8.12
  • resource limits
  • RESOURCE privilege
    • CREATE SCHEMA statement, needed for 10.10.1
  • RESOURCE role 4.14.1
  • restrictions 18.7
  • REVOKE CONNECT THROUGH clause
  • REVOKE statement
    • system privileges and roles 4.16.1
    • when takes effect 4.19.1
  • revoking privileges and roles
  • ROLE_SYS_PRIVS view
    • application privileges 10.7
  • ROLE_TAB_PRIVS view
    • application privileges, finding 10.7
  • role identification
    • operating system accounts 4.18.2
  • roles 10.8.2.1
    • See also: secure application roles
  • root container
    • viewing information about 4.6.6.1
  • root file paths
    • for files and packages outside the database A.3
  • row-level security
    • See: fine-grained access control, Oracle Virtual Private Database (VPD)
  • RSA private key A.9.3
  • run-time facilities A.3
    • restriction permissions A.3

S

  • Sarbanes-Oxley Act
    • auditing to meet compliance 24.1
  • SCHEDULER_ADMIN role
  • schema-independent users 10.10.2
  • schema object privileges 4.10.1
  • schema objects
  • schema-only accounts 3.5
  • schemas
  • schema user accounts, predefined 2.6.1
  • SCOTT user
  • SCOTT user account
    • restricting privileges of A.4
  • SEC_CASE_SENSITIVE_LOGON initialization parameter
  • SEC_CASE_SENSITIVE_LOGON parameter
    • conflict with SQLNET.ALLOWED_LOGON_VERSION_SERVER setting 3.2.7.1
    • secure role passwords 3.2.7.3
  • SEC_MAX_FAILED_LOGIN_ATTEMPTS initialization parameter 10.12.3
  • SEC_PROTOCOL_ERROR_FURTHER_ACTION initialization parameter 10.12.2
  • sec_relevant_cols_opt parameter 12.3.6.5
  • SEC_RETURN_SERVER_RELEASE_BANNER initialization parameter 10.12.4
  • SEC_USER_AUDIT_ACTION_BANNER initialization parameter 10.12.5
  • SEC_USER_UNAUTHORIZED_ACCESS_BANNER initialization parameter 10.12.5
  • secconf.sql script
  • secret key
  • secure application roles
  • secure external password store
  • Secure Sockets Layer (SSL) 18.4.3
    • about 3.7.1
    • ANO encryption and 16.6.3.3.1
    • architecture 21.5.1
    • AUTHENTICATION parameter C.2.2
    • authentication parameters C.2
    • authentication process in an Oracle environment 21.3
    • certificate key algorithm A.9.3
    • cipher suites A.9.3, C.2.4
    • client and server parameters C.2.2
    • client authentication parameter C.2.6
    • client configuration 21.8.2
    • combining with other authentication methods 21.5
    • configuration files, securing A.9.3
    • configuration troubleshooeting 21.9
    • configuring 21.8
    • configuring ANO encryption with 16.6.3.3.2
    • configuring for SYSDBA or SYSOPER access 3.3.2.4
    • enabling 21.8
    • filtering certificates 21.8.2.7
    • FIPS library location setting (SSLFIPS_LIB) E.3.1
    • FIPS mode setting (SSLFIPS_140) E.3.1
    • global users with private schemas 3.9.2.1
    • guidelines for security A.9.3
    • handshake 21.3
    • industry standard protocol 21.1
    • listener, administering A.9.2
    • MD5 certification F.5
    • mode A.9.3
    • multiple certificates, filtering 21.8.2.7
    • parameters, ways of configuring C.2.1
    • pass phrase A.9.3
    • requiring client authentication 21.8.1.5
    • RSA private key A.9.3
    • Secure Sockets Layer (SSL)
      • SSL_CLIENT_AUTHENTICATION C.2.6
    • securing SSL connection A.9.3
    • server.key file A.9.3
    • server configuration 21.8.1
    • SHA–1 certification F.5
    • SQLNET.AUTHENTICATION_SERVICES parameter C.2.2
    • sqlnet.ora file sample B.2
    • SSL_CIPHER_SUITES parameter C.2.3
    • SSL_CLIENT_AUTHENTICATION parameter C.2.6
    • SSL_SERVER_CERT_DN C.2.7.2
    • SSL_SERVER_DN_MATCH C.2.7.1
    • SSL_VERSION parameter C.2.5
    • system requirements 18.6
    • TCPS A.9.3
    • version parameter C.2.5
    • wallet location, parameter C.2.8
    • ways to configure parameters for C.2
  • SecurID 22.3.1.2
  • security A.3
    • See also: security risks
    • application enforcement of 4.8.1.3
    • default user accounts
      • locked and expired automatically A.3
      • locking and expiring A.3
    • domains, enabled roles and 4.8.5.1
    • enforcement in application 10.2.2
    • enforcement in database 10.2.2
    • multibyte characters in role names 4.8.3.1
    • multibyte characters in role passwords 4.8.4.1
    • passwords 3.4.1
    • policies
    • procedures enhance 7.2
    • resources, additional 1.2
    • roles, advantages in application use 10.7
  • security alerts A.2.1
  • security attacks 3.13.1.7
    • See also: security risks
    • access to server after protocol errors, preventing 10.12.2
    • application context values, attempts to change 11.3.3.2
    • application design to prevent attacks 10.3
    • command line recall attacks 10.3.1.1, 10.3.1.4
    • denial of service A.9.2
    • denial-of-service
    • denial-of-service attacks through listener A.9.2
    • disk flooding, preventing 10.12.1
    • eavesdropping A.9.1
    • encryption, problems not solved by 15.1.2
    • falsified IP addresses A.9.1
    • falsified or stolen client system identities A.9.1
    • hacked operating systems or applications A.9.1
    • intruders 15.1.2
    • password cracking 3.2.1
    • password protections against 3.2.1
    • preventing malicious attacks from clients 10.12
    • preventing password theft with proxy authentication and secure external password store 3.13.1.7
    • session ID, need for encryption 11.4.7.3.2
    • shoulder surfing 10.3.1.4
    • SQL injection attacks 10.3.1.2
    • unlimited authenticated requests, preventing 10.12.3
    • user session output, hiding from intruders 11.3.7
  • security domains
  • security patches
  • security policies
    • See: Oracle Virtual Private Database, policies
  • security risks 3.13.1.7
    • See also: security attacks
    • ad hoc tools 4.8.7.1
    • applications enforcing rather than database 10.2.2
    • application users not being database users 10.2.1
    • bad packets to server 10.12.1
    • database version displaying 10.12.4
    • encryption keys, users managing 15.2.4.4
    • invoker’s rights procedures 7.5.1
    • password files 3.3.5
    • passwords, exposing in programs or scripts 10.3.1.4
    • passwords exposed in large deployments 3.2.9.1
    • positional parameters in SQL scripts 10.3.1.4
    • privileges carelessly granted 4.5.5
    • remote user impersonating another user 4.8.4.5
    • sensitive data in audit trail A.11
    • server falsifying identities A.9.3
    • users with multiple roles 10.9.1
  • security settings scripts
    • password settings
  • Security Sockets Layer (SSL)
    • use of term includes TLS 21.1.1
  • Security Technical Implementation Guide (STIG)
    • ora_stig_profile user profile 2.4.4.2
    • ora12c_stig_verify_function password complexity function 3.2.6.7
  • SELECT_CATALOG_ROLE role
    • SYS schema objects, enabling access to 4.5.2.2
  • SELECT ANY DICTIONARY privilege
    • data dictionary, accessing A.6
    • exclusion from GRANT ALL PRIVILEGES privilege A.6
  • SELECT FOR UPDATE statement in Virtual Private Database policies 12.5.2
  • SELECT object privilege
  • sensitive data, auditing of A.11.4
  • separation of duty concepts
  • sequences
  • server.key file
    • pass phrase to read and parse A.9.3
  • SESSION_ROLES data dictionary view
  • SESSION_ROLES view
  • sessions
    • listing privilege domain of 4.20.5
    • memory use, viewing 2.7.5
    • time limits on 2.4.2.5
    • when auditing options take effect 26.1.1
  • SET ROLE statement
    • application code, including in 10.9.2
    • associating privileges with role 10.9.1
    • disabling roles with 4.19.2
    • enabling roles with 4.19.2
    • when using operating-system roles 4.18.5
  • SGA
    • See: System Global Area (SGA)
  • SHA-512 cryptographic hash function
  • Shared Global Area (SGA)
    • See: System Global Area (SGA)
  • shared server
    • limiting private SQL areas 2.4.2.5
    • operating system role management restrictions 4.18.6
  • shoulder surfing 10.3.1.4
  • SH user account 2.6.4
  • SI_INFORMTN_SCHEMA user account 2.6.2
  • smartcards 18.4.2
  • smart cards
    • guidelines for security A.5
  • SODA_APP role 4.8.2
  • SQL*Net
    • See: Oracle Net Services
  • SQL*Plus
    • connecting with 3.6
    • restricting ad hoc use 4.8.7.1
    • statistics monitor 2.4.3
  • SQL92_SECURITY initialization parameter
  • SQL Developer
    • debugging using Java Debug Wire Protocol 8.12
  • SQL injection attacks 10.3.1.2
  • SQLNET.ALLOWED_LOGON_VERSION
    • See: SQLNET.ALLOWED_LOGON_VERSION_CLIENT, SQLNET.ALLOWED_LOGON_VERSION_SERVER,
  • SQLNET.ALLOWED_LOGON_VERSION_CLIENT
    • target databases from earlier releases 3.2.8.4
  • SQLNET.ALLOWED_LOGON_VERSION_SERVER
    • target databases from earlier releases 3.2.8.4
    • using only 12C password version 3.2.8.3
  • SQLNET.ALLOWED_LOGON_VERSION_SERVER parameter
    • conflict with SEC_CASE_SENSITIVE_LOGON FALSE setting 3.2.7.1
    • effect on role passwords 3.2.7.3
  • SQLNET.AUTHENTICATION_KERBEROS5_SERVICE parameter 20.1.6.1
  • SQLNET.AUTHENTICATION_SERVICES parameter 20.1.6.1, 21.8.1.6, 21.8.2.6, 21.8.2.6.2, 22.4.1.1, 23.2, 23.3, A.9.3, C.2.2, C.3.1.1
  • SQLNET.CRYPTO_CHECKSUM_CLIENT parameter 16.6.3.2, B.3.5
  • SQLNET.CRYPTO_CHECKSUM_SERVER parameter 16.6.3.2, B.3.4
  • SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT parameter 16.6.3.2, B.3.9
  • SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER parameter 16.6.3.2, B.3.8
  • SQLNET.ENCRYPTION_CLIENT
    • with ANO encryption and SSL authentication 16.6.3.3.1
  • SQLNET.ENCRYPTION_CLIENT parameter 16.6.3.1, 23.2, B.3.3
  • SQLNET.ENCRYPTION_SERVER
    • with ANO encryption and SSL authentication 16.6.3.3.1
  • SQLNET.ENCRYPTION_SERVER parameter 16.6.3.1, 23.2, B.3.2
  • SQLNET.ENCRYPTION_TYPES_CLIENT parameter 16.6.3.1, B.3.7
  • SQLNET.ENCRYPTION_TYPES_SERVER parameter 16.6.3.1, B.3.6
  • SQLNET.IGNORE_ANO_ENCRYPTION_FOR_TCPS
  • SQLNET.KERBEROS5_CC_NAME parameter 20.1.6.3
  • SQLNET.KERBEROS5_CLOCKSKEW parameter 20.1.6.3
  • SQLNET.KERBEROS5_CONF parameter 20.1.6.3
  • SQLNET.KERBEROS5_REALMS parameter 20.1.6.3
  • sqlnet.ora file
    • Common sample B.2
    • FIPS 140-2
      • Cipher Suite settings E.3.2
      • enabling tracing E.5
    • Kerberos sample B.2
    • Oracle Advanced Security checksum sample B.2
    • Oracle Advanced Security encryption sample B.2
    • Oracle wallet setting C.2.8
    • OSS.SOURCE.MY_WALLET parameter 21.8.1.2, 21.8.2.3
    • parameters for clients and servers using Kerberos C.1
    • parameters for clients and servers using RADIUS C.3
    • parameters for clients and servers using SSL C.2
    • PDBs 3.2.8.3
    • RADIUS sample B.2
    • sample B.2
    • SQLNET.AUTHENTICATION_KERBEROS5_SERVICE parameter 20.1.6.1
    • SQLNET.AUTHENTICATION_SERVICES parameter 20.1.6.1, 21.8.1.6, 21.8.2.6, 21.8.2.6.2, 23.2, 23.3, A.9.3
    • SQLNET.CRYPTO_CHECKSUM_CLIENT parameter 16.6.3.2
    • SQLNET.CRYPTO_CHECKSUM_SERVER parameter 16.6.3.2
    • SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT parameter 16.6.3.2, B.3.9
    • SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER parameter 16.6.3.2, B.3.8
    • SQLNET.ENCRYPTION_CLIEN parameter 23.2
    • SQLNET.ENCRYPTION_CLIENT parameter B.3.3
    • SQLNET.ENCRYPTION_SERVER parameter 16.6.3.1, 23.2, B.3.2
    • SQLNET.ENCRYPTION_TYPES_CLIENT parameter 16.6.3.1
    • SQLNET.ENCRYPTION_TYPES_SERVER parameter 16.6.3.1
    • SQLNET.KERBEROS5_CC_NAME parameter 20.1.6.3
    • SQLNET.KERBEROS5_CLOCKSKEW parameter 20.1.6.3
    • SQLNET.KERBEROS5_CONF parameter 20.1.6.3
    • SQLNET.KERBEROS5_REALMS parameter 20.1.6.3
    • SQLNET.SSL_EXTENDED_KEY_USAGE 21.8.2.7
    • SSL_CLIENT_AUTHENTICATION parameter 21.8.1.5
    • SSL_CLIENT_AUTHETNICATION parameter 21.8.2.3
    • SSL_VERSION parameter 21.8.1.4, 21.8.2.5
    • SSL sample B.2
    • Trace File Set Up sample B.2
  • sqlnet.ora parameters
  • SQLNET.RADIUS_ALTERNATE_PORT parameter 22.4.1.3.3, C.3.1.3
  • SQLNET.RADIUS_ALTERNATE_RETRIES parameter 22.4.1.3.3, C.3.1.5
  • SQLNET.RADIUS_ALTERNATE_TIMEOUT parameter 22.4.1.3.3, C.3.1.4
  • SQLNET.RADIUS_ALTERNATE parameter 22.4.1.3.3, C.3.1.2
  • SQLNET.RADIUS_AUTHENTICATION_INTERFACE parameter C.3.1.7
  • SQLNET.RADIUS_AUTHENTICATION_PORT parameter C.3.1.8
  • SQLNET.RADIUS_AUTHENTICATION_RETRIES parameter C.3.1.10
  • SQLNET.RADIUS_AUTHENTICATION_TIMEOUT parameter C.3.1.9
  • SQLNET.RADIUS_AUTHENTICATION parameter C.3.1.6
  • SQLNET.RADIUS_CHALLENGE_KEYWORDparameter C.3.1.12
  • SQLNET.RADIUS_CHALLENGE_RESPONSE parameter C.3.1.11
  • SQLNET.RADIUS_CLASSPATH parameter C.3.1.13
  • SQLNET.RADIUS_SECRET parameter C.3.1.14
  • SQLNET.RADIUS_SEND_ACCOUNTING parameter 22.4.4.1, C.3.1.15
  • SQLNET.SSL_EXTENDED_KEY_USAGE parameter 21.8.2.7
  • SQL statements
  • SQL statements, top-level in unified audit policies 25.2.19.1
  • SSL
    • See: Secure Sockets Layer (SSL)
  • SSL_CIPHER_SUITES parameter C.2.3
  • SSL_CLIENT_AUTHENTICATION parameter 21.8.1.5, 21.8.2.3
  • SSL_SERVER_CERT_DN parameter C.2.7.2
  • SSL_SERVER_DN_MATCH parameter C.2.7.1
  • SSL_VERSION parameter 21.8.1.4, 21.8.2.5, C.2.5
  • standard auditing
  • standard audit trail
  • statement_types parameter of DBMS_RLS.ADD_POLICY procedure 12.3.4
  • storage
  • stored procedures
    • using privileges granted to PUBLIC role 4.17
  • strong authentication
    • centrally controlling SYSDBA and SYSOPER access to multiple databases 3.3.2.1
    • disabling 23.2
    • guideline A.5
  • symbolic links
    • restricting A.6
  • synchronous authentication mode, RADIUS 22.3.1
  • synonyms
    • object privileges 4.10.5
    • privileges, guidelines on A.3
  • SYS_CONTEXT function
  • SYS_DEFAULT Oracle Virtual Private Database policy group 12.3.7.3
  • SYS_SESSION_ROLES namespace 11.3.4.1
  • SYS.AUD$ table
  • SYS.FGA_LOG$ table
  • SYS.LINK$ system table 14.1
  • SYS.SCHEDULER$_CREDENTIAL system table 14.1
  • SYS account
  • SYS and SYSTEM
    • passwords A.5
  • SYS and SYSTEM accounts
  • SYSASM privilege
  • SYSBACKUP privilege
  • SYSBACKUP user account
  • SYSDBA privilege 4.4.3
  • SYSDG privilege
  • SYSDG user account
  • SYSKM privilege
  • SYSKM user account
  • SYSLOG
  • SYSMAN user account A.5
  • SYS objects
  • SYSOPER privilege 4.4.3
  • SYSRAC privilege
    • operations supported 4.4.7
  • SYS schema
  • System Global Area (SGA)
    • application contexts, storing in 11.1.3
    • global application context information location 11.4.1
    • limiting private SQL areas 2.4.2.5
  • system privileges A.3
  • system requirements
  • SYSTEM user account
  • SYS user
  • SYS user account

T

  • table encryption
    • transparent sensitive data protection policy settings 13.15.2
  • tables
  • tablespaces
  • TCPS protocol
    • Secure Sockets Layer, used with A.9.2
    • tnsnames.ora file, used in A.9.3
  • TELNET service A.9.2
  • TFTP service A.9.2
  • thin JDBC support 17.1
  • TLS See Secure Sockets Layer (SSL) 21.1.1
  • token cards 18.4.2, A.5
  • trace file
    • set up sample for sqlnet.ora file B.2
  • trace files
    • access to, importance of restricting A.6
    • bad packets 10.12.1
    • FIPS 140-2 E.5
    • location of, finding 11.6
  • Transparent Data Encryption
    • about 15.2.4.5
    • enabling for FIPS 140-2 E.2
    • SYSKM administrative privilege 4.4.6
  • Transparent Data Encryption (TDE) 14.1
    • TSDP with TDE column encryption 13.15.1
  • transparent sensitive data protection (TSDP
    • unified auditing
  • transparent sensitive data protection (TSDP)
    • about 13.1
    • altering policies 13.7
    • benefits 13.1
    • bind variables
    • creating policies 13.6
    • disabling policies 13.8
    • disabling REDACT_AUDIT policy 13.10.4
    • dropping policies 13.9
    • enabling REDACT_AUDIT policy 13.10.5
    • finding information about 13.16
    • fine-grained auditing
    • general steps 13.2
    • PDBs 13.5
    • privileges required 13.4
    • REDACT_AUDIT policy 13.10.1
    • sensitive columns in INSERT or UPDATE operations 13.10.2.4
    • sensitive columns in same SELECT query 13.10.2.3
    • sensitive columns in views 13.10.3
    • TDE column encryption
    • unified auditing:settings used 13.13.2
    • use cases 13.3
    • Virtual Private Database
  • transparent sensitive data protection (TSDP);
    • fine-grained auditing
  • transparent tablespace encryption
  • Transport Layer Security
    • compared with native network encryption 16.1.4
  • Transport Layer Security (SSL)
  • Transport Layer Security (TLS)
    • application containers 21.1.2
  • triggers
  • troubleshooting 20.6
    • centrally managed users 6.7
    • finding errors by checking trace files 11.6
  • trusted procedure
    • database session-based application contexts 11.1.2
  • tsnames.ora configuration file A.9.3
  • tutorials 11.3.9
    • See also: examples
    • application context, database session-based 11.3.9
    • auditing
      • creating policy to audit nondatabase users 25.2.25
      • creating policy using email alert 25.4.8.1
    • definer’s rights, database links 7.8.8.1
    • external network services, using email alert 25.4.8.1
    • global application context with client session ID 11.4.8.1
    • invoker’s rights procedure using CBAC 7.7.7
    • nondatabase users
      • creating Oracle Virtual Private Database policy group 12.4.3.1
      • global application context 11.4.8.1
    • Oracle Virtual Private Database
    • privilege analysis 5.5
    • privilege analysis for ANY privileges 5.4
    • TSDP with VPD 13.12.3
  • types

U


V

  • valid node checking A.9.2
  • views
    • about 4.12
    • access control list data
      • external network services 8.13
      • wallet access 8.13
    • application contexts 11.6
    • audited activities 25.5
    • auditing 25.2.7.2
    • audit management settings 26.4
    • audit trail usage 25.5
    • authentication 3.14
    • bind variables in TSDP sensitive columns 13.10.3
    • DBA_COL_PRIVS 4.20.4
    • DBA_HOST_ACES 8.13
    • DBA_HOST_ACLS 8.13
    • DBA_ROLE_PRIVS 4.20.3
    • DBA_ROLES 4.20.6
    • DBA_SYS_PRIVS 4.20.2
    • DBA_TAB_PRIVS 4.20.4
    • DBA_USERS_WITH_DEFPWD 3.2.4.2
    • DBA_WALLET_ACES 8.13
    • DBA_WALLET_ACLS 8.13
    • definer’s rights 7.6.1
    • encrypted data 15.7
    • invoker’s rights 7.6.1
    • Oracle Virtual Private Database policies 12.6
    • privileges 4.12
    • privileges to query views in other schemas 4.12.2
    • profiles 2.7.1
    • ROLE_SYS_PRIVS 4.20.7
    • ROLE_TAB_PRIVS 4.20.7
    • security applications of 4.12.3
    • SESSION_PRIVS 4.20.5
    • SESSION_ROLES 4.20.5
    • transparent sensitive data protection 13.16
    • USER_HOST_ACES 8.13
    • USER_WALLET_ACES 8.13
    • users 2.7.1
  • Virtual Private Database
    • See: Oracle Virtual Private Database
  • VPD
    • See: Oracle Virtual Private Database
  • vulnerable run-time call A.3
    • made more secure A.3

W

  • Wallet Manager
    • See: Oracle Wallet Manager
  • wallets 8.2, 21.4.2.4
    • See also: access control lists (ACL), wallet access
  • Web applications
  • Web-based applications
    • Oracle Virtual Private Database, how it works with 12.5.9
  • WHEN OTHERS exceptions
    • logon triggers, used in 11.3.7
  • Windows Event Viewer
    • capturing audit trail records 26.1.5.2
  • Windows native authentication 3.3.3
  • WITH GRANT OPTION clause
  • WM_ADMIN_ROLE role 4.8.2
  • WMSYS user account 2.6.2

X

  • X.509 certificates
    • guidelines for security A.5
  • XDB_SET_INVOKER role 4.8.2
  • XDB_WEBSERVICES_OVER_HTTP role
  • XDB_WEBSERVICES_WITH_PUBLIC role 4.8.2
  • XDB_WEBSERVICES role 4.8.2
  • XDBADMIN role 4.8.2
  • XDB user account 2.6.2
  • XS_CACHE_ADMIN role 4.8.2
  • XS_NSATTR_ADMIN role 4.8.2
  • XS_RESOURCE role 4.8.2
  • XS$NULL user account 2.6.3