OCA/OCP Oracle Database 11g All-in-One Exam Guide - P30
OCA/OCP Oracle Database 11g All-in-One Exam Guide 246

Argument            Description
STATEMENT_TYPES     One or more of SELECT, INSERT, UPDATE, or DELETE to define which statement types should be audited. Default is SELECT only.
AUDIT_TRAIL         Controls whether to write out the actual SQL statement and its bind variables to the FGA audit trail. The default is to do so.
AUDIT_COLUMN_OPTS   Determines whether to audit if a statement addresses any or all of the columns listed in the AUDIT_COLUMN argument. Options are DBMS_FGA.ANY_COLUMNS, the default, or DBMS_FGA.ALL_COLUMNS.

The other DBMS_FGA procedures are to enable, disable, or drop FGA policies. To see the results of fine-grained auditing, query the DBA_FGA_AUDIT_TRAIL view:

SQL> describe dba_fga_audit_trail;
 Name                 Null?    Type
 SESSION_ID           NOT NULL NUMBER
 TIMESTAMP                     DATE
 DB_USER                       VARCHAR2(30)
 OS_USER                       VARCHAR2(255)
 USERHOST                      VARCHAR2(128)
 CLIENT_ID                     VARCHAR2(64)
 EXT_NAME                      VARCHAR2(4000)
 OBJECT_SCHEMA                 VARCHAR2(30)
 OBJECT_NAME                   VARCHAR2(128)
 POLICY_NAME                   VARCHAR2(30)
 SCN                           NUMBER
 SQL_TEXT                      NVARCHAR2(2000)
 SQL_BIND                      NVARCHAR2(2000)
 COMMENT$TEXT                  VARCHAR2(4000)
 STATEMENT_TYPE                VARCHAR2(7)
 EXTENDED_TIMESTAMP            TIMESTAMP(6) WITH TIME ZONE
 PROXY_SESSIONID               NUMBER
 GLOBAL_UID                    VARCHAR2(32)
 INSTANCE_NUMBER               NUMBER
 OS_PROCESS                    VARCHAR2(16)
 TRANSACTIONID                 RAW(8)
 STATEMENTID                   NUMBER
 ENTRYID                       NUMBER

This procedure call will create a policy POL1 that will record all SELECT statements that read the SALARY column of the HR.EMPLOYEES table, if at least one of the rows retrieved is in department 80:

SQL> execute dbms_fga.add_policy(-
  >   object_schema=>'HR',-
  >   object_name=>'EMPLOYEES',-
  >   policy_name=>'POL1',-
  >   audit_condition=>'department_id=80',-
  >   audit_column=>'SALARY');

Chapter 6: Oracle Security 247

In addition to the DBA_AUDIT_TRAIL view, which shows the results of standard database auditing, and the DBA_FGA_AUDIT_TRAIL view, which shows the results of fine-grained auditing, the DBA_COMMON_AUDIT_TRAIL view shows audit events from both types of auditing.
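An added example, not from the book, that takes the POL1 call above a step further: a policy that captures statement text and binds (DB_EXTENDED), fires only when both listed columns are touched (ALL_COLUMNS), names a handler procedure, and is then reviewed through the views described above. The schema SEC_ADMIN, table FGA_ALERTS, procedure LOG_SALARY_ACCESS and policy name FGA_SALARY_POL are assumptions made for this example; HR.EMPLOYEES with its SALARY, COMMISSION_PCT and DEPARTMENT_ID columns is the standard HR sample schema.

```sql
-- Table the handler logs into (constructed for this example; SEC_ADMIN is
-- an assumed schema owned by the security team, not by HR).
create table sec_admin.fga_alerts (
    alert_time timestamp,
    db_user    varchar2(30),
    obj        varchar2(200),
    pol        varchar2(30));

-- Handler procedure: FGA calls it with exactly these three parameters.
-- It runs inside the audited user's own statement, so the autonomous
-- transaction keeps the alert row even if that statement is rolled back.
create or replace procedure sec_admin.log_salary_access (
    object_schema varchar2,
    object_name   varchar2,
    policy_name   varchar2)
as
    pragma autonomous_transaction;
begin
    insert into sec_admin.fga_alerts (alert_time, db_user, obj, pol)
    values (systimestamp, sys_context('userenv', 'session_user'),
            object_schema || '.' || object_name, policy_name);
    commit;
end;
/

-- The policy: SELECT or UPDATE statements that reference BOTH SALARY and
-- COMMISSION_PCT (ALL_COLUMNS) on at least one department-80 row.
begin
    dbms_fga.add_policy(
        object_schema     => 'HR',
        object_name       => 'EMPLOYEES',
        policy_name       => 'FGA_SALARY_POL',
        audit_condition   => 'department_id = 80',
        audit_column      => 'SALARY,COMMISSION_PCT',
        handler_schema    => 'SEC_ADMIN',
        handler_module    => 'LOG_SALARY_ACCESS',
        enable            => true,
        statement_types   => 'SELECT,UPDATE',
        audit_trail       => dbms_fga.db_extended,   -- keep SQL text + binds
        audit_column_opts => dbms_fga.all_columns);
end;
/

-- Review the FGA trail: who ran what, with the real bind values.
select extended_timestamp, db_user, os_user, userhost,
       statement_type, sql_text, sql_bind
  from dba_fga_audit_trail
 where policy_name = 'FGA_SALARY_POL'
 order by extended_timestamp;

-- Standard and fine-grained records for the same table side by side;
-- AUDIT_TYPE ('Standard Audit' / 'Fine Grained Audit') tells them apart.
select audit_type, extended_timestamp, db_user, object_schema,
       object_name, policy_name, priv_used, returncode
  from dba_common_audit_trail
 where object_schema = 'HR' and object_name = 'EMPLOYEES'
 order by extended_timestamp;

-- Lifecycle of the policy (SQL*Plus EXECUTE, as the book uses it).
execute dbms_fga.disable_policy('HR', 'EMPLOYEES', 'FGA_SALARY_POL')
execute dbms_fga.enable_policy('HR', 'EMPLOYEES', 'FGA_SALARY_POL')
execute dbms_fga.drop_policy('HR', 'EMPLOYEES', 'FGA_SALARY_POL')
```

A SELECT that reads SALARY but not COMMISSION_PCT is not recorded under ALL_COLUMNS; switch to DBMS_FGA.ANY_COLUMNS (the default) if either column alone should trigger the policy.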
EXAM TIP Which views show the audit trail? DBA_AUDIT_TRAIL is used for standard database auditing; DBA_FGA_AUDIT_TRAIL is used for fine-grained auditing; while DBA_COMMON_AUDIT_TRAIL is used for both.

To see the results of auditing with triggers, you must create your own views that address your own tables.

Exercise 6-6: Use Standard Database Auditing

In this exercise you will enable standard database auditing and see the results, using either Database Control or SQL*Plus. If you use Database Control, be sure to click the SHOW SQL button whenever possible to see the SQL statements being generated.

1. Connect to your database as user SYSTEM and create a user and a table to be used for the exercise:

   create user auditor identified by oracle;
   create table system.audi as select * from all_users;
   grant create session, select any table to auditor;
   grant select on audi to auditor;

2. Enable auditing of AUDITOR's use of SELECT ANY TABLE, and of all accesses to the table AUDI. With SQL*Plus:

   audit select any table by access;
   audit all on system.audi by access;

   With Database Control, this can be done from the Audit Settings window.

3. Connect to the database as user SYS. This is necessary, as this step involves restarting the instance. Set the audit trail destination to DB and enable auditing of privileged users, and bounce the instance. Using SQL*Plus:

   alter system set audit_trail='DB_EXTENDED' scope=spfile;
   alter system set audit_sys_operations=true scope=spfile;
   startup force;

   Using Database Control, a possible navigation path from the database home page is to take the Server tab, and then the Audit Settings link in the Security section. Clicking the link labeled Audit Trail in the Configuration section will take you to a window where you can modify the parameter settings in the spfile. Alternatively, go directly to the Initialization Parameters window from the Server tab by taking the Initialization Parameters link in the Database Configuration section. Set the two parameters in the spfile, and then from the database home page shut down and restart the database.

4. While connected as SYS, all statements will be audited. Run this statement:

   select count(*) from system.audi;

5. If using Linux or Unix, identify the location of the system audit trail by querying the parameter AUDIT_FILE_DEST. This will be used for the auditing of SYS operations, irrespective of the setting for AUDIT_TRAIL. With SQL*Plus:

   select value from v$parameter where name='audit_file_dest';

   Using an operating system utility, navigate to this directory and open the most recently created file. If using Microsoft Windows, open the Application Log in the Event Viewer. Either way, you will see the SELECT statement that you executed as SYS, with details of the operating system user and hostname.

6. Connect to the database as AUDITOR, and run these queries:

   select count(*) from system.audi;
   select count(*) from system.product_user_profile;

7. As user SYSTEM, run this query to see the audit events:

   select sql_text,priv_used,action_name from dba_audit_trail where username='AUDITOR';

   Note that the lowest possible privilege is used: access to the AUDI table was through the SELECT object privilege, not through the much more powerful (SELECT ANY TABLE) system privilege that was needed to get to PRODUCT_USER_PROFILE.

8. Tidy up:

   drop user auditor;
   drop table system.audi;

Two-Minute Drill

Create and Manage Database User Accounts
• Users connect to a user account, which is coupled with a schema.
• All users must be authenticated before they can connect.
• A user must have a quota on a tablespace before they create any objects.
• A user who owns objects cannot be dropped, unless the CASCADE keyword is used.

Grant and Revoke Privileges
• By default, a user can do nothing. You can't even log on.
• Direct privileges are always enabled.
• A revocation of a system privilege does not cascade; a revocation of an object privilege does.

Create and Manage Roles
• Roles are not schema objects.
• Roles can contain both system and object privileges, and other roles.
• A role can be enabled or disabled for a session.

Create and Manage Profiles
• Profiles can manage passwords and resource limits.
• Password limits are always enforced; resource limits are dependent on an instance parameter.
• Every user is associated with a profile, which by default is the DEFAULT profile.

Database Security and Principle of Least Privilege
• Everything not specifically permitted should be forbidden.
• The database administrator and the system administrator should not be the same person.
• Privileges granted to the PUBLIC role must be monitored.
• Security-critical instance parameters must be monitored and cannot be changed without restarting the instance.

Work with Standard Database Auditing
• Database auditing can be oriented toward privileges, commands, or objects.
• Audit records can be directed toward a database table or an operating system file.
• Database audit records are stored in the SYS.AUD$ data dictionary table.
• Fine-grained auditing can be directed toward particular rows and columns.
• Auditing can also be implemented with database triggers.

Self Test

1. How can you permit users to connect without requiring them to authenticate themselves? (Choose the best answer.)
   A. Grant CREATE SESSION to PUBLIC.
   B. Create a user such as this, without a password:
      CREATE USER ANON IDENTIFIED BY '';
   C. Create a profile that disables password authentication and assign it to the users.
   D. You cannot do this because all users must be authenticated.

2. You create a user with this statement:
      create user jon identified by oracle default tablespace example;
   What more must be done before he can create a table in the EXAMPLE tablespace? (Choose all correct answers.)
   A. Nothing more is necessary.
   B. Give him a quota on EXAMPLE.
   C. Grant him the CREATE TABLE privilege.
   D. Grant him the CREATE SESSION privilege.
   E. Grant him the MANAGE TABLESPACE privilege.

3. If a user owns tables in a tablespace, what will be the effect of attempting to reduce their quota on the tablespace to zero? (Choose the best answer.)
   A. The tables will survive, but INSERTs will fail.
   B. The tables will survive but cannot get bigger.
   C. The attempt will fail unless the tables are dropped first.
   D. The tables will be dropped automatically if the CASCADE keyword is used.

4. If you create a user without specifying a temporary tablespace, what temporary tablespace will be assigned? (Choose the best answer.)
   A. You must specify a temporary tablespace
   B. SYSTEM
   C. TEMP
   D. The database default temporary tablespace
   E. The user will not have a temporary tablespace

5. You issue these commands:
   a. grant select on hr.regions to jon;
   b. grant all on hr.regions to jon;
   c. grant dba to jon;
   d. grant select on hr.regions to public;
   Which grants could be revoked to prevent JON from seeing the contents of HR.REGIONS? (Choose all correct answers.)
   A. a, b, c, and d
   B. a, c, and d
   C. b, c, and d
   D. c and d
   E. a, b, and c

6. Which of these statements about system privileges are correct? (Choose all correct answers.)
   A. Only the SYS and SYSTEM users can grant system privileges.
   B. If a system privilege is revoked from you, it will also be revoked from all users to whom you granted it.
   C. If a system privilege is revoked from you, it will not be revoked from all users to whom you granted it.
   D. CREATE TABLE is a system privilege.
   E. CREATE ANY TABLE is a system privilege.

7. Study this script (line numbers have been added):
      1 create role hr_role identified by pass;
      2 grant create table to hr_role;
      3 grant select table to hr_role;
      4 grant connect to hr_role;
   Which line will cause an error? (Choose the best answer.)
   A. Line 1, because only users, not roles, have passwords.
   B. Line 2, because only users, not roles, can create and own tables.
   C. Line 3, because SELECT TABLE is not a privilege.
   D. Line 4, because a role cannot have a system privilege in addition to table privileges.

8. Which of these statements is incorrect regarding roles? (Choose the best answer.)
   A. You can grant object privileges and system privileges and roles to a role.
   B. A role cannot have the same name as a table.
   C. A role cannot have the same name as a user.
   D. Roles can be enabled or disabled within a session.

9. You have created a profile with LIMIT SESSIONS_PER_USER 1 and granted it to a user, but you find that they are still able to log on several times concurrently. Why could this be? (Choose the best answer.)
   A. The user has been granted CREATE SESSION more than once.
   B. The user has been granted the DBA role.
   C. The RESOURCE_LIMIT parameter has not been set.
   D. The RESOURCE_MANAGER_PLAN parameter has not been set.

10. Which of these can be controlled by a password profile? (Choose all correct answers.)
   A. Two or more users choosing the same password
   B. Preventing the reuse of a password by the same user
   C. Forcing a user to change password
   D. Enabling or disabling password file authentication

11. Under what circumstances should you set the REMOTE_LOGIN_PASSWORDFILE instance parameter to EXCLUSIVE? (Choose two correct answers.)
   A. You need a SYSDBA connection when you are logged on to a machine other than the server.
   B. You want to disable operating system authentication.
   C. You want to add users to the password file.
   D. You want to prevent other users from being added to the password file.

12. If you execute this command as user SYSTEM, it will fail. Why? (Choose the best answer.)
      alter system set audit_sys_operations=false;
   A. The parameter can only be changed by the SYS user.
   B. The parameter can only be adjusted in NOMOUNT or MOUNT mode, and SYSTEM can only connect when the database is OPEN.
   C. The principle of "separation of duties" means that only the system administrator, not the database administrator, can change this parameter.
   D. The parameter is a static parameter.

13. What conditions must hold before a database session can create a file stored by the operating system of the server? (Choose three correct answers.)
   A. The session must be connected to a database account with execute permission on the package UTL_FILE.
   B. The session must be connected to a database account with execute permission on the package DBMS_OUTPUT.
   C. The parameter UTL_FILE_DIR must have been set.
   D. The parameter DB_WRITER_PROCESSES must be set to greater than zero.
   E. The parameter DB_CREATE_FILE_DEST must be set.
   F. The operating system account under which the Oracle instance is running must have write permission on the directory that will store the file.

14. If you want a block of PL/SQL code to run whenever certain data is accessed with a SELECT statement, what auditing technique could you use? (Choose the best answer.)
   A. Database auditing
   B. Fine-grained auditing
   C. Database triggers
   D. You cannot do this

15. What is necessary to audit actions done by a user connected with the SYSDBA privilege? (Choose the best answer.)
   A. Set the AUDIT_SYS_OPERATIONS instance parameter to TRUE.
   B. Use database auditing to audit use of the SYSDBA privilege.
   C. Set the REMOTE_LOGIN_PASSWORDFILE instance parameter to NONE, so that SYSDBA connections can only be made with operating system authentication. Then set the AUDIT_TRAIL parameter to OS, and make sure that the DBA does not have access to it.
   D. This is not possible: any user with SYSDBA privilege can always bypass the auditing mechanisms.

16. Where can you see the results of standard database auditing? (Choose all correct answers.)
   A. In the DBA_AUDIT_TRAIL view, if the AUDIT_TRAIL parameter is set to DB
   B. In the DBA_COMMON_AUDIT_TRAIL view, if the AUDIT_TRAIL parameter is set to DB
   C. In the operating system audit trail, if the AUDIT_TRAIL parameter is set to OS
   D. In the operating system audit trail, if the AUDIT_TRAIL parameter is set to XML

17. You issue this statement:
      audit select on hr.emp by access;
   but when you issue the command:
      select * from hr.emp where employee_id=0;
   no audit record is generated. Why might this be? (Choose the best answer.)
   A. You are connected as SYS, and the parameter AUDIT_SYS_OPERATIONS is set to FALSE.
   B. The AUDIT_TRAIL parameter is set to NONE.
   C. The statement did not access any rows; there is no row with EMPLOYEE_ID equal to zero.
   D. The instance must be restarted before any change to auditing comes into effect.

Self Test Answers

1. ✓ D. All users must be authenticated.
   ✗ A, B, C. A is wrong because while this will give all users permission to connect, they will still have to authenticate. B is wrong because a NULL is not acceptable as a password. C is wrong because a profile can only manage passwords, not disable them.

2. ✓ B, C, and D. All these actions are necessary.
   ✗ A and E. A is wrong because without privileges and quota, JON cannot connect and create a table. E is wrong because this privilege lets you manage a tablespace, not create objects in it.

3. ✓ B. It will not be possible to allocate further extents to the tables.
   ✗ A, C, and D. A is wrong because inserts will succeed as long as there is space in the extents already allocated. C is wrong because there is no need to drop the tables. D is wrong because CASCADE cannot be applied to a quota command.

4. ✓ D. There is always a database-wide default, which (by default) is SYSTEM. In many cases, it will have been set to TEMP.
   ✗ A, B, C, and E. A is wrong because there is a default. B is wrong because the default may not be SYSTEM (though it is by default). C is wrong because while TEMP is a frequently used default, it may not be. E is wrong because all user accounts must have a temporary tablespace.

5. ✓ A, B, and C. Any of these will prevent the access.
   ✗ D and E. D is wrong because the grants in (a) and (b) will remain in effect. Note that ALL is implemented as a set of grants (or revokes) of each privilege, so it is not necessary to grant or revoke SELECT as well as ALL. E is wrong because the grant to PUBLIC in (d) will remain in effect.

6. ✓ C, D, and E. C is correct because the revocation of a system privilege does not cascade. D and E are correct because any action that updates the data dictionary is a system privilege.
   ✗ A and B. A is wrong because system privileges can be granted by any user who has been granted the privilege WITH ADMIN OPTION. B is wrong because the revocation of a system privilege does not cascade.

7. ✓ C. There is no such privilege as SELECT TABLE; it is granted implicitly with CREATE TABLE.
   ✗ A, B, and D. A is wrong because roles can be password protected. B is wrong because even though tables must be owned by users, permission to create them can be granted to a role. D is wrong because a role can have any combination of object and system privileges.

8. ✓ B. Roles are not schema objects, and so can have the same names as tables.
   ✗ A, C, and D. A is wrong because roles can have any combination of system, object, and role privileges. C is wrong because roles cannot have the same names as users. D is wrong because roles can be enabled and disabled at any time.

9. ✓ C. The RESOURCE_LIMIT parameter will default to FALSE, and without this resource limits are not enforced.
   ✗ A, B, and D. A is wrong because this privilege controls whether users can connect to the account at all, not how many times. B is wrong because no role can exempt a user from profile limits. D is wrong because this parameter controls which Resource Manager plan is active, which is not relevant to whether resource limits are enforced.

10. ✓ B and C. These are both password limits.
   ✗ A and D. A is wrong because this cannot be prevented by any means. D is wrong because profiles only apply to password authentication; password file authentication is managed separately.

11. ✓ A and C. Password file authentication is necessary if SYSDBA connections need to be made across a network, and if you want to grant SYSDBA or SYSOPER to any other database users.
   ✗ B and D. B is wrong because operating system authentication can never be disabled. D is wrong because EXCLUSIVE doesn't exclude users; it means one password file per instance.

12. ✓ D. No matter who you are connected as, the parameter is static and will therefore require a SCOPE=SPFILE clause when changing it.
   ✗ A, B, and C. A is wrong because SYSTEM can adjust the parameter (as can anyone to whom the ALTER SYSTEM privilege has been granted). B is wrong because the parameter can be changed in any mode, if the SCOPE is SPFILE. C is wrong because the system administrator cannot change parameters: only a database administrator can do this.

13. ✓ A, C, and F. The necessary conditions are that the session must be able to execute the UTL_FILE procedures, and that the UTL_FILE_DIR parameter must point to a directory on which the Oracle user has the necessary permissions.
   ✗ B, D, and E. B is wrong because DBMS_OUTPUT is used to write to the user process, not to the operating system. D is wrong because DB_WRITER_PROCESSES controls the number of database writers. E is wrong because DB_CREATE_FILE_DEST sets a default location for datafiles.

14. ✓ B. A fine-grained auditing policy can nominate a PL/SQL function to run whenever the audit condition is violated.
   ✗ A, C, and D. A is wrong because database auditing can do no more than record events. C is wrong because database triggers can only be defined for DML and not for SELECT statements. D is wrong because FGA can indeed do this.

15. ✓ A. Setting this parameter is all that is necessary, though on Unix and Linux you may want to adjust AUDIT_FILE_DEST as well.
   ✗ B, C, and D. B is wrong because this is a privilege whose use cannot be audited, because it can apply before the database is open. C is wrong because the method of gaining SYSDBA access is not relevant to whether it is audited. D is wrong because SYS cannot bypass this audit technique.

16. ✓ A, B, C, and D. These are all correct.
   ✗ None.
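An added example, not from the book, for reviewing the standard audit trail after working through Exercise 6-6 (AUDIT_TRAIL=DB_EXTENDED, SELECT ANY TABLE audited by access, all access to SYSTEM.AUDI audited by access): it extends the step-7 query with the columns a reviewer needs, separates failed from successful attempts, and adds the NOAUDIT cleanup the exercise leaves out. The user AUDITOR and table SYSTEM.AUDI come from the exercise; the one-day lookback window is an assumption.

```sql
-- 1. Which privilege actually satisfied each statement? PRIV_USED shows
--    the least-powerful privilege Oracle chose: NULL (the object grant)
--    for AUDI, SELECT ANY TABLE for the dictionary table; RETURNCODE is
--    the ORA error number, 0 on success.
select extended_timestamp, username, os_username, userhost,
       action_name, owner, obj_name, priv_used, returncode, sql_text
  from dba_audit_trail
 where username = 'AUDITOR'
 order by extended_timestamp;

-- 2. Failed audited statements in the last day (assumed window). A row
--    only exists if the statement was audited at all: with AUDIT_TRAIL
--    set to NONE nothing is written, whatever AUDIT options are in force.
select extended_timestamp, username, action_name, owner, obj_name,
       returncode, sql_text
  from dba_audit_trail
 where returncode <> 0
   and timestamp > sysdate - 1
 order by extended_timestamp;

-- 3. Every use of SELECT ANY TABLE by anyone: a privilege audit records
--    the privilege regardless of which object it was used against.
select extended_timestamp, username, owner, obj_name, sql_text
  from dba_audit_trail
 where priv_used = 'SELECT ANY TABLE'
 order by extended_timestamp;

-- 4. Confirm the settings that decide where records go. SYS activity is
--    written to AUDIT_FILE_DEST (or the Windows Application Log) whenever
--    AUDIT_SYS_OPERATIONS is TRUE, regardless of AUDIT_TRAIL.
select name, value
  from v$parameter
 where name in ('audit_trail', 'audit_sys_operations', 'audit_file_dest');

-- 5. Switch the audit options off again (the exercise drops the user and
--    table but leaves the SELECT ANY TABLE audit option in place).
noaudit select any table;
noaudit all on system.audi;
```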

Posted: 06/07/2014, 13:20
