Oracle® Enterprise Manager Policy Reference Manual 10g Release 2 (10.2) Part Number B16231-01 |
|
|
View PDF |
This chapter provides the following information for each of the Database Instance policies:
Brief description of the policy
Summary of the policy's main properties
Default values for the policy: parameters with their default values and objects excluded by default
Impact of the policy violation
Action to perform when the violation occurs
The Database Instance policies are categorized as follows:
The configuration policies for the Database Instance target are:
This policy checks if the STATISTICS_LEVEL initialization parameter is set to BASIC.
The STATISTICS_LEVEL initialization parameter has three valid settings, TYPICAL, ALL, and BASIC.
The default setting of TYPICAL ensures collection of all major statistics required for database self-management and functionality and provides best overall performance. The default value should be adequate for most environments.
Setting the parameter to ALL collects all the same statistics that are collected with the TYPICAL setting, plus timed OS and plan execution statistics.
Setting the parameter to BASIC disables the collection of many important statistics that are required by Oracle Database features and functionality.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Configuration | Database Instance | Oracle Server 10g Release | The underlying metric has a collection frequency of once every 24 hours. | Yes | Your database is set to BASIC. Many important statistics required by Oracle database features and functionality are disabled. |
Defaults
Parameters and Their Default Values
STATISTICS_LEVEL: TYPICAL
Objects Excluded by Default
Not Applicable
Impact of Violation
Automatic statistics collection allows the optimizer to generate accurate execution plans and is essential for identifying and correcting performance problems. By default, STATISTICS_LEVEL is set to TYPICAL. If the STATISTICS_LEVEL initialization parameter is set to BASIC, the collection of many important statistics, required by Oracle database features and functionality, are disabled.
Action
Set the STATISTICS_LEVEL initialization parameter to TYPICAL.
When Data Guard Broker is being used, this policy checks the primary database for disabled force logging.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Informational | Configuration | Database Instance; Cluster Database | Oracle Server 9i Release 2 or later | The underlying metrics have a collection frequency of once every 24 hours. | Yes | The primary database is not in force logging mode. As a result, unlogged direct writes in the primary database cannot be propagated to the standby database. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
The primary database is not in force logging mode. As a result, unlogged direct writes in the primary database cannot be propagated to the standby database.
Action
The primary database should be put in force logging mode using the ALTER DATABASE FORCE LOGGING parameter.
This policy checks for installation of JAccelerator (NCOMP) that improves Java Virtual Machine performance by running natively compiled (NCOMP) classes.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Informational | Configuration | Database Instance; Cluster Database | All | The underlying metric has a collection frequency of once every 24 hours. | Yes | JAccelerator (NCOMP) is not installed. Without JAccelerator Java VM performance will be suboptimal. |
Defaults
Parameters and Their Default Values
Parameter default values are dependent on the version of the Oracle Database target. Refer to the Oracle Database documentation for that version of the database target to learn about the parameters and their default values.
Objects Excluded by Default
Not Applicable
Impact of Violation
Java VM performance will be sub-optimal.
Action
For improved Java Virtual Machine performance, install JAccelerator (NCOMP) which typically contains Natively compiled (NCOMP) classes.
This policy checks for use of a single control file.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Configuration | Database Instance; Cluster Database | All | The underlying metric has a collection frequency of once every 24 hours. | Yes | Your database has insufficient control files. If you lose the only copy of the control file due to a media error, there will be unnecessary down time and other risks. |
Defaults
Parameters and Their Default Values
Parameter default values are dependent on the version of the Oracle Database target. Refer to the Oracle Database documentation for that version of the database target to learn about the parameters and their default values.
Objects Excluded by Default
Not Applicable
Impact of Violation
The control file is one of the most important files in an Oracle database. It maintains many physical characteristics and important recovery information about the database. If you lose the only copy of the control file due to a media error, there will be unnecessary down time and other risks.
Action
Use at least two control files that are multiplexed on different disks.
This policy checks for use of less than three redo logs.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Warning | Configuration | Database Instance; Cluster Database | All | The underlying metric has a collection frequency of once every 24 hours. | Yes | Your database has insufficient number of redo log files. When the size and number of online redo logs are inadequate, LGWR will wait for ARCH to complete its writing to the archived log destination, before it overwrites that log. This can cause severe performance slowdowns during peak activity periods. |
Defaults
Parameters and Their Default Values
Parameter default values are dependent on the version of the Oracle Database target. Refer to the Oracle Database documentation for that version of the database target to learn about the parameters and their default values.
Objects Excluded by Default
Not Applicable
Impact of Violation
The online redo log files are used to record changes in the database for the purposes of recoverability. When archiving is enabled, these online redo logs need to be archived before they can be reused. Every database requires at least two online redo log groups to be up and running. When the size and number of online redo logs are inadequate, LGWR will wait for ARCH to complete its writing to the archived log destination, before it overwrites that log. This can cause severe performance slowdowns during peak activity periods.
Action
Oracle recommends having at least three online redo log groups with at least two members in each group. For obvious reasons, members of the same group must be on different disk drives.
This policy checks if the PGA_AGGREGATE_TARGET initialization parameter has a value of 0 or if WORKAREA_SIZE_POLICY has value of MANUAL.
This parameter automatically controls the amount of memory allocated for sorts and hash joins. Larger amounts of memory allocated for sorts or hash joins reduce the optimizer cost of these operations.
For OLTP systems, the PGA memory typically accounts for a small fraction of the total memory available (for example, 20%), leaving 80% for the SGA.
For DSS systems running large, memory-intensive queries, PGA memory can typically use up to 70% of that total (up to 2.2 GB in this example).
Good initial values for the parameter PGA_AGGREGATE_TARGET might be:
For OLTP: PGA_AGGREGATE_TARGET = (total_mem * 80%) * 20%
For DSS: PGA_AGGREGATE_TARGET = (total_mem * 80%) * 50% where total_mem is the total amount of physical memory available on the system.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Warning | Configuration | Database Instance | Oracle Server 9i or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Your database is not using Automatic PGA memory management. It simplifies and improves the way PGA memory is allocated. |
Defaults
Parameters and Their Default Values
PGA_AGGREGATE_TARGET: 0
WORKAREA_SIZE_POLICY: MANUAL
Objects Excluded by Default
Not Applicable
Impact of Violation
Automatic PGA memory management simplifies and improves the way PGA memory is allocated. When enabled, Oracle can dynamically adjust the portion of the PGA memory dedicated to work areas while honoring the PGA_AGGREGATE_TARGET limit set by the DBA.
Action
Enable Automatic PGA Memory Management and set the PGA_AGGREGATE_TARGET initialization parameter to a non-zero number. Use Oracle PGA advice to help set PGA_AGGREGATE_TARGET to the best size.
This policy checks if the SGA_TARGET initialization parameter has a value of zero.
By setting the SGA_TARGET to the desired size of the SGA, Oracle automatically manages the size of the shared pool (SHARED_POOL_SIZE), large pool (LARGE_POOL_SIZE), java pool (JAVA_POOL_SIZE), and buffer cache (DB_CACHE_SIZE). Therefore, instead of setting four initialization parameters, you only need to set one. The only exception to this is if some application has a minimum requirement on these pool sizes. In this case, the initialization parameter can be set, but it will be treated as a minimum.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Informational | Configuration | Database Instance | Oracle Server 10g Release 1 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Your database is not using automatic shared memory management that simplifies the configuration of the SGA. |
Defaults
Parameters and Their Default Values
Parameter default values are dependent on the version of the Oracle Database target. Refer to the Oracle Database documentation for that version of the database target to learn about the parameters and their default values.
Objects Excluded by Default
Not Applicable
Impact of Violation
The SGA_TARGET initialization parameter is set to zero. This means that all SGA memory management must be done manually. Specify a non-zero SGA_TARGET so that SHARED_POOL_SIZE, LARGE_POOL_SIZE, JAVA_POOL_SIZE, and DB_CACHE_SIZE can be managed automatically.
By setting SGA_TARGET, these parameters will be set to zero, allowing Oracle to use the entire SGA_TARGET size for dynamic adjustment. Before setting SGA_TARGET, determine if any pool sizes should be set to support application level minimum pool size requirements.
Action
Automatic Shared Memory Management simplifies the configuration of the SGA and is the recommended memory configuration. To use Automatic Shared Memory Management, set the SGA_TARGET initialization parameter to the amount of memory you want to dedicate to the SGA. The amount can be less than or equal to the value of the SGA_MAX_SIZE initialization parameter. Once you set the SGA_TARGET initialization parameter, verify that the STATISTICS_LEVEL initialization parameter is set to TYPICAL.
Clicking the statistics level link displays the Initialization Parameters page, statistics_level is automatically filled in to the search criteria. Clicking on the sga_target link displays the Memory Parameters SGA page from the Administration tab where you can enable automatic shared memory management.
This policy checks for automatic undo space management not being used.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Configuration | Database Instance | Oracle Server 9.2 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Your database is not using automatic undo management. This can cause unnecessary contention and performance issues. |
Defaults
Parameters and Their Default Values
Parameter default values are dependent on the version of the Oracle Database target. Refer to the Oracle Database documentation for that version of the database target to learn about the parameters and their default values.
Objects Excluded by Default
None
Impact of Violation
Not using automatic undo management can cause unnecessary contention and performance issues in your database. This may include among other issues, contention for the rollback segment header blocks, in the form of buffer busy waits and increased probability of ORA-1555s (Snapshot Too Old).
Action
Use automatic undo space management instead of manual undo or rollback segments.
This policy checks if OPTIMIZER_FEATURES_ENABLE has a value that is lower than the latest optimizer version.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Warning | Configuration | Database Instance | All | The underlying metric has a collection frequency of once every 24 hours. | Yes | Your database is not using the latest optimizer version. The new version of the optimizer has better information to help it determine the most efficient way to run a SQL Statement. |
Defaults
Parameters and Their Default Values
Parameter default values are dependent on the version of the Oracle Database target. Refer to the Oracle Database documentation for that version of the database target to learn about the parameters and their default values.
Objects Excluded by Default
Not Applicable
Impact of Violation
Using older versions of the optimizer can lead to execution plan or query performance issues. The Oracle optimizer does not make the same decisions from one version to the next. The new version of the optimizer has better information to help it determine the most efficient way to run a SQL Statement.
Action
Set the OPTIMIZER_FEATURES_ENABLE parameter to the latest version. This allows the optimizer to use the latest functionality. Any queries that were tuned for an older version of the optimizer, and are experiencing execution plan or query performance issues, should be fixed on a case-by-case basis.
Clicking the OPTIMIZER_FEATURES_ENABLE link displays the Initialization Parameters page with OPTIMIZER_FEATURES_ENABLE automatically filled in to the search criteria. From this page, you can change the setting of the OPTIMIZER_FEATURES_ENABLE to the latest version.
This policy checks for SPFILE (server parameter file) not being used.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Configuration | Database Instance | Oracle Server 9i or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Your database is not using spfile. The changes made using ALTER SYSTEM commands will not persist. |
Defaults
Parameters and Their Default Values
Parameter default values are dependent on the version of the Oracle Database target. Refer to the Oracle Database documentation for that version of the database target to learn about the parameters and their default values.
Objects Excluded by Default
Not Applicable
Impact of Violation
The SPFILE (server parameter file) enables you to persist any dynamic changes to the Oracle initialization parameters using ALTER SYSTEM commands. This persistence is provided across database shutdowns. When a database has an SPFILE configured, you do not have to remember to make the corresponding changes to the Oracle initialization file. In addition, any changes that are made using the ALTER SYSTEM commands are not lost after a shutdown and restart.
Action
Use the server side parameter file to update changes dynamically.
This policy checks if the DB_RECOVERY_FILE_DEST initialization parameter is set.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Informational | Configuration | Database Instance; Cluster Database | Oracle Server 10g Release1 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | The recovery area location is not set. Setting the recovery area location provides a unified storage location for all recovery components. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
Not setting the recovery area location results in a divided storage location for all recovery components.
Action
Set the recovery area location to provide a unified storage location for all recovery components.
This policy checks if the STATISTICS_LEVEL initialization parameter is set to ALL.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Informational | Configuration | Database Instance | Oracle Server 10g Release 1 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Unnecessary timed OS and plan execution statistics are being collected. This creates additional overhead on the system. |
Defaults
Parameters and Their Default Values
Parameter default values are dependent on the version of the Oracle Database target. Refer to the Oracle Database documentation for that version of the database target to learn about the parameters and their default values.
Objects Excluded by Default
Not Applicable
Impact of Violation
When the database collects more statistics than are actually needed, this creates additional overhead on the system.
Action
Collect only those statistics that are needed.
This policy checks for use of non-standard initialization parameters.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Informational | Configuration | Database Instance | All | The underlying metric has a collection frequency of once every 24 hours. | Yes | Your database is using non-standard initialization parameter %INIT_PARAM_NAME%. Using these parameters may cause problems that can require considerable investigation. |
Defaults
Parameters and Their Default Values
Parameter default values are dependent on the version of the Oracle Database target. Refer to the Oracle Database documentation for that version of the database target to learn about the parameters and their default values.
Objects Excluded by Default
Parameters starting with two underscore characters (__). These parameters are special and are reserved for the Oracle Database.
Impact of Violation
Non-standard initialization parameters are being used. These may have been implemented based on poor advice or incorrect assumptions. In particular, parameters associated with SPIN_COUNT on latches and undocumented optimizer features can cause a great deal of problems that can require considerable investigation.
Action
Avoid use of non-standard initialization parameters.
The security policies for the Database Instance target on UNIX are:
This policy ensures restricted access to ALL_SOURCE view.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Informational | Security | Database Instance; Cluster Database | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | No | Database is in an insecure state. User %grantee% has %privilege% privilege to the ALL_SOURCE view. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
ALL_SOURCE view contains the source of all the stored packages in the database.
Action
Revoke access to the ALL_SOURCE view from the non-SYS database users.
This policy ensures restricted access to DBA_ROLE_PRIVS view.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Informational | Security | Database Instance; Cluster Database | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | No | Database is in an insecure state. User %grantee% has %privilege% privilege on the DBA_ROLE_PRIVS view. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
The DBA_ROLE_PRIVS view lists the roles granted to users and other roles. Knowledge of the structure of roles in the database can be exploited by a malicious user.
Action
Restrict access to DBA_ROLE_PRIVS view.
This policy ensures restricted access to DBA_ROLES view.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Informational | Security | Database Instance; Cluster Database | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | No | Database is in an insecure state. User %grantee% has %privilege% privilege on the DBA_ROLES view. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
DBA_ROLES view contains details of all roles in the database. Knowledge of the structure of roles in the database can be exploited by a malicious user. For example, a public select privilege might increase the likelihood of Denial of Service attacks.
Action
Restrict access to DBA_ROLES view.
This policy ensures restricted access to DBA_SYS_PRIVS view.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Informational | Security | Database Instance; Cluster Database | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | No | Database is in an insecure state. User %grantee% has %privilege% privilege on the DBA_SYS_PRIVS view. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
DBA_SYS_PRIVS view can be queried to find system privileges granted to roles and users. Knowledge of the structure of roles in the database can be exploited by a malicious user.
Action
Restrict access to DBA_SYS_PRIVS view.
This policy ensures restricted access to DBA_TAB_PRIVS view.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Informational | Security | Database Instance; Cluster Database | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | No | Database may be insecure as user %grantee% has %privilege% privilege to the DBA_TAB_PRIVS view. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
Lists privileges granted to users or roles on objects in the database. Knowledge of the structure of roles in the database can be exploited by a malicious user.
Action
Restrict access to DBA_TAB_PRIVS view.
This policy ensures restricted access to DBA_USERS view.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Informational | Security | Database Instance; Cluster Database | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | No | Database is in an insecure state. User %grantee% has %privilege% privilege on the DBA_USERS view. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
Contains user name and password hashes and other account information. Access to this information can be used to mount brute-force attacks against the database.
Action
Restrict access to DBA_USERS view.
This policy ensures restricted access to ROLE_ROLE_PRIVS view.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Informational | Security | Database Instance; Cluster Database | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | No | Database is in an insecure state. User %grantee% has %privilege% privilege on the ROLE_ROLE_PRIVS view. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
Lists roles granted to other roles. Knowledge of the structure of roles in the database can be exploited by a malicious user.
Action
Restrict access to ROLE_ROLE_PRIVS view.
This policy ensures restricted access to the STATS$SQL_SUMMARY table.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Informational | Security | Database Instance; Cluster Database | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | No | Database is in an insecure. User %grantee% has %privilege% privilege on the STATS$SQL_SUMMARY table. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
Contains first few lines of SQL text of the most resource intensive commands given to the server. SQL statements executed without bind variables can appear and expose privileged information.
Action
Restrict access to the STATS$SQL_SUMMARY table.
This policy ensures restricted access to the STATS$SQLTEXT table.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Informational | Security | Database Instance; Cluster Database | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | No | Database is in an insecure state. User %grantee% has %privilege% privilege on STATS$SQLTEXT table. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
The STATS$SQLTEXT table provides the full text of the recently-executed SQL statements. The SQL statements can reveal sensitive information.
Action
Restrict access to the STATS$SQLTEXT table.
This policy ensures restricted access to the SYS.AUD$ table.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Informational | Security | Database Instance; Cluster Database | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | No | Database is in an insecure state. User %grantee% has %privilege% privilege on the SYS.AUD$ table. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
The SYS.AUD$ table is the system audit table. If you set the parameter AUDIT_TRAIL to DB, all audited activity will be written to the SYS.AUD$ table. Thus a malicious user can gain access to the sensitive audit information.
Action
Revoke access to the SYS.AUD$ table from the non-DBA/SYS database users.
This policy ensures restricted access to the SYS.LINK$ table.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Informational | Security | Database Instance; Cluster Database | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | No | Database is in an insecure state. User %grantee% has %privilege% privilege on the USER$ table. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
A malicious user can gain access to user names and passwords from the SYS.LINK$ table.
Action
Revoke access to SYS.LINK$ table.
This policy ensures restricted access to the SYS.SOURCE$ table.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Informational | Security | Database Instance; Cluster Database | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | No | Database is in an insecure state. User %grantee% has %privilege% privilege on the SOURCE$ table. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
A malicious user can gain access to the source of all stored packages in the database.
Action
Revoke access to the SYS.SOURCE$ table from the non-SYS/DBA database users.
This policy ensures restricted access to the SYS.USER$ table.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Informational | Security | Database Instance; Cluster Database | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | No | Database is in an insecure state. User %grantee% has %privilege% privilege on the USER$ table. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
User name and password hash may be read from the SYS.USER$ table, enabling a malicious user to launch a brute-force attack against the database.
Action
Restrict access to SYS.USER$ table.
This policy ensures restricted access to the SYS.USER_HISTORY$ table.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Informational | Security | Database Instance; Cluster Database | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | No | Database is in an insecure state. User %grantee% has %privilege% privilege on the SYS.USER_HISTORY$ table. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
User name and password hash may be read from the SYS.USER_HISTORY$ table, enabling a malicious user to launch a brute-force attack.
Action
Revoke access to SYS.USER_HISTORY$ table from the non-DBA/SYS database users.
This policy ensures restricted to the USER_ROLE_PRIVS view.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Informational | Security | Database Instance; Cluster Database | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | No | Database is in an insecure state. User %grantee% has %privilege% privilege on the USER_ROLE_PRIVS view. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
Lists the roles granted to the current user. Knowledge of the structure of roles in the database can be exploited by a malicious user.
Action
Restrict access to the USER_ROLE_PRIVS view.
This policy ensures restricted access to the USER_TAB_PRIVS table.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Informational | Security | Database Instance; Cluster Database | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | No | Database is in an insecure state. User %grantee% has %privilege% privilege on the USER_TAB_PRIVS view. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
Lists the grants on objects for which the user is the owner, grantor, or grantee. Knowledge of the grants in the database can be exploited by a malicious user.
Action
Restrict access to the USER_TAB_PRIVS view.
This policy ensures that access to the audit files directory is restricted to the owner of the Oracle software set and the DBA group.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Security | Database Instance | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | The audit file directory has insecure permissions. The audit file directory (%dir_name%) permission is %permission%. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
The AUDIT_FILE_DEST initialization parameter specifies the directory where the Oracle auditing facility creates the audit files. Giving public read permission to this directory may reveal important information such as logging information of startup, shutdown, and privileged connections.
Action
Restrict permissions to the Audit File directory to:
Owner of the Oracle software set
DBA group
Do not give read, write, and execute permissions to public.
This policy ensures that access to the trace files directory is restricted to the owner of the Oracle software set and the DBA group.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Security | Database Instance | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | The background dump directory has insecure permissions. The background dump directory (%dir_name%) permission is %permission%. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
Background processes such as the log writer process and the database writer process use trace files to record occurrences and exceptions of database operations, as well as errors. The trace files are stored in the directory specified by the BACKGROUND_DUMP_DEST initialization parameter. Giving public read permission to this directory may reveal important and sensitive internal details of the database and applications.
Action
Restrict permissions to the Background Dump directory to:
Owner of the Oracle software set
DBA group
Do not give read, write, and execute permissions to public.
This policy ensures that access to the control files directory is restricted to the owner of the Oracle software set and the DBA group.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Security | Database Instance; Cluster Database | Oracle Server 8 | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in an insecure state. The control file (%file_name%) permission is %permission%. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
Control files are binary configuration files that control access to data files. Control files are stored in the directory specified by the CONTROL_FILES initialization parameter. A public write privilege on this directory could pose a serious security risk.
Action
Restrict permission to the control files to:
Owner of the Oracle software installation
DBA group
Do not give read and write permissions to public.
This policy ensures that access to the core dump files directory is restricted to the owner of the Oracle software set and the DBA group.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Security | Database Instance | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | The core dump directory has insecure permissions. The core dump directory (%dir_name%) permission is %permission%. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
Core dump files are stored in the directory specified by the CORE_DUMP_DEST initialization parameter. A public read privilege on this directory could expose sensitive information from the core dump files.
Action
Restrict permissions to the Core Dump directory to:
Owner of the Oracle software set
DBA group
Do not give read, write, and execute permissions to public.
This policy ensures there are no default passwords for known accounts.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Warning | Security | Database Instance; Cluster Database | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in an insecure state. Default password for the account %dbaccount% has not been changed. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
A malicious user can gain access to the database using default passwords.
Action
Change all default passwords.
This policy ensures that users are not assigned SYSTEM or SYSAUX as their default tablespace.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Warning | Security | Database Instance | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in an insecure state. The tablespace %tablespace% is the default tablespace for user %dbuser%. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
Users objects are created in the default tablespaces. An incorrectly set default tablespace (SYSTEM or SYSAUX) for a user can consume all available space thus causing the database to stop working.
A user assigned the default tablespace as SYSTEM can potentially fill up the space and cause the database to stop responding. This can also cause denial of service exploits. The SYSTEM tablespace always contains the data dictionary tables for the entire database.
All data stored on behalf of stored PL/SQL program units (procedures, functions, packages, and triggers) resides in the SYSTEM tablespace.
Action
Reassign the tablespace of users having SYSTEM or SYSAUX defined as their default tablespace.
This policy ensures that the number of allowed failed login attempts is no more than 10.
The FAILED_LOGIN_ATTEMPTS parameter defines the number of successive failed login attempts that can be performed before an account's status is changed to locked. This protects against malicious users attempting to guess a password for an account.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Security | Database Instance; Cluster Database | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in an insecure state. FAILED_LOGIN_ATTEMPTS is set to %limit% for the profile %profile%. |
Defaults
Parameters and Their Default Values
Maximum FAILED_LOGIN_ATTEMPTS: 10 failed attempts
Objects Excluded by Default
None
Impact of Violation
Permits manual and automated password guessing by a malicious user.
By setting the parameter to UNLIMITED, a malicious user can attempt an unlimited amount of guesses of the password for all accounts granted the specified profile. However, setting the value too low may result in valid users locking their accounts when mistyping a password.
Action
In user profiles, set the value for the FAILED_LOGIN_ATTEMPTS setting to no more than 10.
Checks for PUBLIC having execute privileges on powerful packages (UTL_HTTP, UTL_TCP and UTL_SMTP).
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Security | Database Instance; Cluster Database | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in insecure state. EXECUTE privilege on the package %package% is granted to the PUBLIC role. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
Privileges granted to the PUBLIC role automatically apply to all users. A malicious user can gain access to e-mail, network, and http modules using the EXECUTE privilege.
Action
Revoke EXECUTE privileges on powerful packages.
This policy ensures the PUBLIC role does not have EXECUTE privilege on the UTL_FILE package.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Security | Database Instance; Cluster Database | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in an insecure state. EXECUTE privilege on UTL_FILE package is granted to PUBLIC. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
Privileges granted to the PUBLIC role automatically apply to all users. A malicious user can read and write arbitrary files in the system when granted the UTL_FILE privilege.
Action
Revoke EXECUTE privileges granted to UTL_FILE package from PUBLIC.
This policy ensures that access to the files referenced by the IFILE parameter is restricted to the owner of the Oracle software set and the DBA group.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Security | Database Instance | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in an insecure state. The IFILE parameter referenced file (%file_name%) permission is %permission%. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
The IFILE initialization parameter can be used to embed the contents of another initialization parameter file into the current initialization parameter file. A publicly accessible initialization parameter file can be scanned for sensitive initialization parameters exposing the security policies of the database. The initialization parameter file can also be searched for the weaknesses of the Oracle database configuration setting.
Action
Restrict access to the files referenced by the IFILE initialization parameter to:
Owner of Oracle software installation
DBA group
Do not give read, write, and execute permissions to public.
This policy ensures that access to the initialization parameter file is restricted to the owner of the Oracle software set and the DBA group.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Warning | Security | Database Instance | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in an insecure state. The text initialization parameter file (%file_name%) permission is %permission%. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
Oracle traditionally stored initialization parameters in a text initialization parameter file. A publicly accessible initialization parameter file can be scanned for sensitive initialization parameters exposing the security policies of the database. The IFILE can also be searched for the weaknesses of the Oracle database configuration setting.
Action
Restrict access to the initialization parameter file to:
Owner of Oracle software installation
DBA group
Do not give read and write permissions to public.
This policy ensures that the server's archive logs directory is a valid directory owned by the Oracle software owner and that there are no permissions to public.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Security | Database Instance | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in an insecure state as the directory (%dir_name%) specified by the LOG_ARCHIVE_DEST parameter is owned by %owner%. |
Defaults
Parameters and Their Default Values
None
Objects Excluded by Default
None
Impact of Violation
LogMiner can be used to extract database information from the archive logs if the directory specified by LOG_ARCHIVE_DEST parameter (in the init.ora file) is not owned by the owner of the Oracle software installation or has permissions for others.
In other words, if the path or device name specified by the LOG_ARCHIVE_DEST initialization parameter is not owned by the owner of the Oracle software installation, anyone can use LogMiner to extract database information from the archive logs.
Action
Directory specified by LOG_ARCHIVE_DEST parameter should be owned by the Oracle software set.
Do not grant public read permission to the LOG_ARCHIVE_DEST initialization parameter. Restrict access to the path or device name referenced by the LOG_ARCHIVE_DEST initialization parameter to the owner of the Oracle software installation.
This policy ensures that the server's archive logs are not accessible to public.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Security | Database Instance | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in an insecure state. The directory (%dir_name%) specified by the LOG_ARCHIVE_DEST parameter has an inappropriate permission: %permission%. |
Defaults
Parameters and Their Default Values
None
Objects Excluded by Default
None
Impact of Violation
LogMiner can be used to extract database information from the archive logs if the directory specified by LOG_ARCHIVE_DEST parameter (in the init.ora file) is not owned by the owner of the Oracle software installation or has permissions for others.
Action
Permissions of the directory specified by LOG_ARCHIVE_DEST parameter should be restricted to the owner of the Oracle software set and DBA group with no permissions to public.
This policy ensures that the server's archive logs directory is a valid directory owned by the Oracle software owner and that there are no permissions to public.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Security | Database Instance | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in an insecure state as the directory (%dir_name%) specified by the LOG_ARCHIVE_DUPLEX_DEST parameter is owned by %owner%. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
LogMiner can be used to extract database information from the archive logs if the directory specified by LOG_ARCHIVE_DUPLEX_DEST parameter (in init.ora file) is not owned by the owner of the Oracle software installation or has permissions for others.
In other words, if the path or device name specified by the LOG_ARCHIVE_DUPLIEX_DEST initialization parameter is not owned by the owner of the Oracle software installation, anyone can use LogMiner to extract database information from the archive logs.
Action
Directory specified by LOG_ARCHIVE_DUPLEX_DEST parameter should be owned by the Oracle software set.
This policy ensures that the server's archive logs are not accessible to public.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Security | Database Instance | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in an insecure state. The directory(%dir_name%) specified by the LOG_ARCHIVE_DUPLEX_DEST parameter has an inappropriate permission: %permission%. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
LogMiner can be used to extract database information from the archive logs if the directory specified by LOG_ARCHIVE_DUPLEX_DEST parameter (in init.ora file) is not owned by the owner of the Oracle software installation or has permissions for others.
Action
Permissions of the directory specified by LOG_ARCHIVE_DUPLEX_DEST parameter should be restricted to the owner of the Oracle software set and DBA group with no permissions to public.
This policy ensures that the name of a database link is the same as that of the remote database.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Warning | Security | Database Instance | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in an insecure state. The GLOBAL_NAMES parameter is set to %:value%. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
Database link names that do not match the global names of the databases to which they are connecting can cause an administrator to inadvertently give access to a production server from a test or development server. Knowledge of this can be used by a malicious user to gain access to the target database.
Action
If you use or plan to use distributed processing, Oracle recommends that you set the GLOBAL_NAMES initialization parameter to TRUE to ensure the use of consistent naming conventions for databases and links in a networked environment.
This policy ensures that access to the datafiles is restricted to the owner of the Oracle software set and the DBA group.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Security | Database Instance; Cluster Database | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in an insecure state. The datafile (%file_name%) permission is %permission%. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
The datafiles contain all the database data. If datafiles are made readable to public, they can be read by a user who has no database privileges on the data.
Action
Restrict permissions to the datafiles to:
Owner of the Oracle software set
DBA group
Do not give read and write permissions to public.
This policy ensures that the ownership of all files and directories in the ORACLE_HOME/bin folder is the same as the Oracle software installation owner.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Security | Database Instance | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in an insecure state. Owner of (%file_name%) is %owner% who is not the owner of the Oracle software installation. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
Incorrect file permissions on some of the Oracle files can cause major security issues. For example, SQL*Plus could be replaced with a malicious script which the user might run inadvertently.
Action
For files and directories in the ORACLE_HOME/bin folder that do not have the same owner as the Oracle software installation, change their owner to the installation owner.
This policy ensures that all files in the ORACLE_HOME/bin folder have permissions set to 0751 or less.
For Oracle9i Release 2, permissions should be set to 0755. This means that Group and Others have only read and execute permissions; no write permission.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Warning | Security | Database Instance | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in an insecure state. File (%file_name%) permission is %permission%. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
Incorrect file permissions on some of the Oracle files can cause major security issues.
Action
For files in the ORACLE_HOME/bin folder that do not have permissions set to 0751 or less, change their file permissions to 0751 or less.
For Oracle9i Release 2, set permissions to 0755.
This policy ensures that all files in the ORACLE_HOME directories (except for ORACLE_HOME/bin) have permission set to 0750 or less.
Normally, only the owner and DBA group members must be allowed to work with non-executable files in the Oracle Home.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Warning | Security | Database Instance | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in an insecure state. File (%file_name%) permission is %permission%. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
Incorrect file permissions on some of the Oracle files can cause major security issues.
Action
All files in $ORACLE_HOME directories (except for $ORACLE_HOME/bin) must have permission set to 0750 or less.
This policy ensures that all profiles have PASSWORD_GRACE_TIME set to a reasonable number of days.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Security | Database Instance; Cluster Database | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in an insecure state. PASSWORD_GRACE_TIME is set to %limit% days for the profile %profile%. |
Defaults
Parameters and Their Default Values
MAX_PASSWORD_GRACE_TIME = 3
Objects Excluded by Default
Not Applicable
Impact of Violation
A high value for the PASSWORD_GRACE_TIME parameter may cause serious database security issues by allowing the user to keep the same password for a long time.
Action
Set the PASSWORD_GRACE_TIME parameter to no more than 3 days for all profiles.
This policy ensures that all profiles have PASSWORD_LIFE_TIME set to a reasonable number of days.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Warning | Security | Database Instance; Cluster Database | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in an insecure state. PASSWORD_LIFE_TIME is set to %limit% days for the profile %profile%. |
Defaults
Parameters and Their Default Values
MAX_PASSWORD_LIFE_TIME = 90
Objects Excluded by Default
Not Applicable
Impact of Violation
A long password life time gives malicious users a long time to decipher the password. May cause serious database security issues.
Action
Set the PASSWORD_LIFE_TIME parameter to no more than 90 days for all profiles.
This policy ensures that PASSWORD_LOCK_TIME is set to a reasonable number of days for all profiles.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Security | Database Instance; Cluster Database | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in an insecure state. PASSWORD_LOCK_TIME is set to %limit% days for the profile %profile%. |
Defaults
Parameters and Their Default Values
MIN_PASSWORD_LOCK_TIME = 1
Objects Excluded by Default
Not Applicable
Impact of Violation
The PASSWORD_LOCK_TIME resource relates to the number of days an account is locked after a user tries unsuccessfully to login for more than FAILED_LOGIN_ATTEMPTS (another related resource) times. Having a low value for this resource increases the likelihood of Denial of Service attacks.
Action
Set the PASSWORD_LOCK_TIME parameter to no less than 1 for all the profiles.
This policy ensures that all profiles have PASSWORD_REUSE_MAX set to a reasonable number of times.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Security | Database Instance; Cluster Database | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in an insecure state. PASSWORD_REUSE_MAX is set to %limit% times for the profile %profile%. |
Defaults
Parameters and Their Default Values
MAX_PASSWORD_REUSE_MAX = 20
Objects Excluded by Default
Not Applicable
Impact of Violation
The PASSWORD_REUSE_MAX parameter specifies the number of password changes required before the current password can be reused. Old passwords are usually the best guesses for the current password. A low value for the PASSWORD_REUSE_MAX parameter may cause serious database security issues by allowing users to reuse their old passwords more often. Ensuring a reasonable value for this resource will discourage users from reusing their passwords resulting in more secure password usage.
Action
Set the PASSWORD_REUSE_MAX parameter to no less than 20 times for all profiles.
This policy ensures that all profiles have PASSWORD_REUSE_TIME set to a reasonable number of days.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Security | Database Instance; Cluster Database | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in an insecure state. PASSWORD_REUSE_TIME is set to %limit% for the profile %profile%. |
Defaults
Parameters and Their Default Values
MAX_PASSWORD_REUSE_TIME = 2147483647
Objects Excluded by Default
Not Applicable
Impact of Violation
The PASSWORD_REUSE_TIME parameter defines the number of days before a password can be reused. A low value for the password reuse time can increase the danger of an already leaked password to cause serious database security issues.
Ensuring a reasonable value for this resource will discourage users from reusing their passwords resulting in more secure password usage.
Action
Set the PASSWORD_REUSE_TIME parameter to UNLIMITED for all profiles.
This policy ensures that the number of allowed failed login attempts is no more than 10.
The FAILED_LOGIN_ATTEMPTS parameter defines the number of successive failed login attempts that can be performed before an account's status is changed to locked. This protects against malicious users attempting to guess a password for an account.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Security | Database Instance; Cluster Database | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in an insecure state. FAILED_LOGIN_ATTEMPTS is set to %limit% for the profile %profile%. |
Defaults
Parameters and Their Default Values
Maximum FAILED_LOGIN_ATTEMPTS: 10 failed attempts
Objects Excluded by Default
Not Applicable
Impact of Violation
Permits manual and automated password guessing by a malicious user.
By setting the parameter to UNLIMITED, a malicious user can attempt an unlimited amount of guesses of the password for all accounts granted the specified profile. However, setting the value too low may result in valid users locking their accounts when mistyping a password.
Action
In user profiles, set the value for the FAILED_LOGIN_ATTEMPTS setting to no more than 10.
This policy ensures PUBLIC is not granted EXECUTE privileges on DBMS_JOB package.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Warning | Security | Database Instance; Cluster Database | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in an insecure state. DBMS_JOB package has PUBLIC EXECUTE privileges. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
Granting EXECUTE privilege to PUBLIC on DBMS_JOB package allows all users to schedule jobs on the database.
Action
PUBLIC must not be granted EXECUTE privileges on DBMS_JOB package.
This policy ensures PUBLIC group is not granted EXECUTE privileges to the DBMS_LOB package.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Security | Database Instance; Cluster Database | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in an insecure state. DBMS_LOB package has PUBLIC EXECUTE privileges. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
The DBMS_LOB package can be used to access any file on the system as the owner of the Oracle software installation.
Action
Revoke the EXECUTE privileges on DBMS_LOB package from the PUBLIC group.
This policy ensures PUBLIC is not granted EXECUTE privileges on DBMS_SYS_SQL package.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Security | Database Instance; Cluster Database | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in an insecure state. DBMS_SYS_SQL package has PUBLIC EXECUTE privileges. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
The DBMS_SYS_SQL package can be used to run PL/SQL and SQL as the owner of the procedure rather than the caller.
Action
Revoke the EXECUTE privileges on DBMS_SYS_SQL package from the PUBLIC group.
This policy ensures database trace files are not public readable.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Security | Database Instance; Cluster Database | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in an insecure state. _TRACE_FILES_PUBLIC initialization parameter is set to :%value%. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
If trace files are readable by the PUBLIC group, a malicious user may attempt to read the trace files. This could lead to sensitive information being exposed, for example, creation or deletion of tablespace information.
Action
Set the initialization parameter _TRACE_FILES_PUBLIC to FALSE.
This policy ensures REMOTE_OS_AUTHENT initialization parameter is set to FALSE.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Security | Database Instance | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in an insecure state. REMOTE_OS_AUTHENT initialization parameter is set to %remote_os_auth%. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
A malicious user can gain access to the database if remote OS authentication is allowed. This feature allows external users (authenticated by the remote OS) to connect to the database without having password authentication done by the database.
Action
Disable this feature by setting the REMOTE_OS_AUTHENT initialization parameter to FALSE.
This policy ensures REMOTE_OS_ROLES initialization parameter is set to FALSE.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Security | Database Instance | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in an insecure state. REMOTE_OS_ROLES initialization parameter is set to %value%. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
A malicious user can gain access to the database if remote users can be granted privileged roles.
Action
Disable this feature by setting the REMOTE_OS_ROLES initialization parameter to FALSE.
This policy ensures that the REMOTE_LOGIN_PASSWORDFILE initialization parameter is set to EXCLUSIVE.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Warning | Security | Database Instance | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in an insecure state. REMOTE_LOGIN_PASSWORDFILE initialization parameter is set to %value%. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
A malicious user can gain access to the database if remote password files are allowed.
Action
For non-RAC configurations, set the REMOTE_LOGIN_PASSWORDFILE setting to EXCLUSIVE mode, thereby assigning specific users the SYSDBA/SYSOPER privilege to manage the database.
This policy ensures that AUDIT_SYSLOG_LEVEL is set to a non-default value when OS-level auditing is enabled, on UNIX systems.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Warning | Security | Database Instance | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in an insecure state. The AUDIT_SYSLOG_LEVEL initialization parameter is set to %logLevel%. |
Defaults
Parameters and Their Default Values
None
Objects Excluded by Default
None
Impact of Violation
Setting the AUDIT_SYSLOG_LEVEL initialization parameter to the default value (NONE) will result in DBAs gaining access to the OS audit records.
Action
When operating system auditing is enabled, set the AUDIT_SYSLOG_LEVEL initialization parameter to a valid value and configure /etc/syslog.conf so that Oracle OS audit records are written to a separate file.
This policy ensures that access to the server parameter file (SPFILE) is restricted to the owner of the Oracle software set and the DBA group.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Security | Database Instance | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in an insecure state. The server parameter file (%file_name%) permission is %permission%. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
A server parameter file (SPFILE) lets you store and manage your initialization parameters persistently in a server-side disk file. A publicly accessible SPFILE can be scanned for sensitive initialization parameters exposing the security policies of the database. The SPFILE can also be searched for the weaknesses of the Oracle database configuration setting.
Action
Restrict permission to the server parameter file (SPFILE) to:
Oracle software owner
Oracle group
Do not give read and write permissions to public.
This policy ensures system privileges are not granted to PUBLIC.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Security | Database Instance; Cluster Database | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in an insecure state. System privilege %privilege% is assigned to the PUBLIC role. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
Privileges granted to the PUBLIC role automatically apply to all users. There are security risks when granting SYSTEM privileges to all users.
Action
Revoke SYSTEM privileges from the PUBLIC role.
This policy ensures that database users are allocated a limited tablespace quota.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Warning | Security | Database Instance; Cluster Database | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in an insecure state. User %dbuser% has an unlimited tablespace quota. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
Granting unlimited tablespace quotas can cause the filling up of the allocated disk space. This can lead to an unresponsive database.
Action
For users with an unlimited tablespace quota, reallocate their tablespace quotas to a specific limit.
On UNIX systems, this policy ensures that log and trace files do not become accessible to the public.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Warning | Security | Database Instance | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in an insecure state. The umask value for the Oracle software owner is set to %umask%. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
If umask is not set to an appropriate value (such as 022), log or trace files might become accessible to the public, thus exposing sensitive information.
Action
Set umask to 022 for the owner of Oracle software.
This policy ensures that archiving of redo logs is done automatically and prevents suspension of instance operations when redo logs fill. Only applicable if database is in archivelog mode.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Security | Database Instance | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in an insecure state. LOG_ARCHIVE_START initialization parameter is set to %value%. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
Setting the LOG_ARCHIEVE_START initialization parameter to TRUE ensures that the archiving of redo logs is done automatically and prevents suspension of instance operations when redo logs fill. This feature is only applicable if the database is in archivelog mode.
If the LOG_ARCHIVE_START initialization parameter is set to FALSE, redo log files are not automatically archived and instance operations are suspended when the redo logs are full.
Action
Set the value of the LOG_ARCHIVE_START initialization parameter to TRUE.
This policy ensures that basic auditing features are enabled.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Informational | Security | Database Instance | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in an insecure state. AUDIT_TRAIL initialization parameter is set to %value%. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
Not enabling basic audit features might increase the likelihood of a denial of service attack going unnoticed.
Action
Enable auditing by setting the AUDIT_TRAIL initialization parameter to a value other than NONE or FALSE. A value of OS is the most secure setting.
Ensures database links with clear text passwords are not used, that is, the password is hashed or encrypted.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Warning | Security | Database Instance; Cluster Database | Oracle Server 9i and pre-9i | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in an insecure state. Database link %link% has clear text password. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
The table SYS.LINK$ contains the clear text password used by the database link. A malicious user can read clear text password from SYS.LINK$ table that can lead to undesirable consequences.
Action
Avoid creating fixed user database links.
This policy ensures listener instances on a remote machine separate from the database instance are not used.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Warning | Security | Database Instance; Cluster Database | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database may be in an insecure state as REMOTE_LISTENER initialization parameter is set to %value%. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
The REMOTE_LISTENER initialization parameter can be used to allow a listener on a remote machine to access the database. This parameter is not applicable in a multi-master replication or RAC environment where this setting provides a load balancing mechanism for the listener.
Action
REMOTE_LISTENER should be set to the null string (""). This parameter is not applicable in a multi-master replication or RAC environment where this setting provides a load balancing mechanism for the listener.
This policy ensures the use of the SQL92 security features.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Warning | Security | Database Instance; Cluster Database | Oracle Server 9i and pre-9i | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in an insecure state. SQL92 security features are not enabled. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
If SQL92 security features are not enabled, a user might be able to execute an UPDATE or DELETE statement using a WHERE clause without having select privilege on a table.
Action
Enable SQL92 security features by setting the initialization parameter SQL92_SECURITY to TRUE.
This policy ensures that access to the trace files directory is restricted to the owner of the Oracle software set and the DBA group.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Security | Database Instance | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | The user dump directory has insecure permissions. The user dump directory (%dir_name%) permission is %permission%. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
The trace files for server processes are stored in the directory specified by the USER_DUMP_DEST initialization parameter. Giving public read permission to this directory may reveal important and sensitive internal details of the database and applications.
Action
Restrict permissions to the User Dump directory to:
Owner of the Oracle software set
DBA group
Do not give read, write, and execute permissions to public.
This policy ensures that users are not assigned SYSTEM or SYSAUX as their temporary tablespace.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Warning | Security | Database Instance | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in an insecure state. The tablespace %tablespace% is the default temporary tablespace for user %dbuser%. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
The user's temporary objects are created in the temporary tablespace. An incorrectly set temporary tablespace (SYSTEM or SYSAUX) for a user can consume all available space thus causing the database to stop working.
A user assigned the default tablespace as SYSTEM can potentially fill up the space and cause the database to stop responding. This can also cause denial of service exploits. The SYSTEM tablespace always contains the data dictionary tables for the entire database.
All data stored on behalf of stored PL/SQL program units (procedures, functions, packages, and triggers) resides in the SYSTEM tablespace.
Action
Reassign the tablespace of users having SYSTEM or SYSAUX defined as their default temporary tablespace.
This policy ensures that the OS_AUTHENT_PREFIX is set to a value other than OPS$ or null string ("").
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Warning | Security | Database Instance | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in an insecure state. Operating System authentication prefix is set to %value%. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
Setting this parameter ensures that the only way an account can be used externally is by specifying IDENTIFIED EXTERNALLY when creating a user.
Action
The identified externally approach should only be used on development and test databases. On a production system, ensure that the user cannot access the operating system level.
This policy ensures that the Utility File Directory (UTL_FILE_DIR) initialization parameter is not set to one of the following: asterisk (*), period (.), or core dump trace file locations.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Security | Database Instance | Oracle Server 8 | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in an insecure state. UTL_FILE_DIR parameter is set to %dir_name%. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
Specifies the directories which the UTL_FILE package can access. Having the parameter set to asterisk (*), period (.), or to sensitive directories, could expose them to all users having execute privilege on the UTL_FILE package.
Action
Change the UTL_FILE_DIR initialization parameter to a value other than asterisk (*), period (.), or to core dump trace locations.
This policy ensures that the UTL_FILE_DIR initialization parameter is not used in Oracle9i Release 1 and later.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Security | Database Instance | Oracle Server 9i or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in an insecure state. UTL_FILE_DIR parameter (set to %dir_name%) is used in a 9i+ server. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
Specifies the directories which UTL_FILE package can access. Having the parameter set to asterisk (*), period (.), or to sensitive directories could expose them to all users having execute privilege on UTL_FILE package.
Using the UTL_FILE package it is possible to write programs to access the directories set by utl_file_dir (assuming the user has execute privilege on this package). There is a possibility that the program is used to read files and data that should not be otherwise possible.
Action
For Oracle 9i Release 1 and later, remove the UTL_FILE_DIR initialization parameter. Instead, use the CREATE DIRECTORY feature.
This policy ensures well-known accounts are expired and locked.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Warning | Security | Database Instance; Cluster Database | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in an insecure state. Account %dbaccount% is not locked and terminated. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
A malicious user can gain access to the database using a well-known account.
Action
Expire and lock well-known accounts.
This policy ensures well-known accounts are expired and locked.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Warning | Security | Database Instance; Cluster Database | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in an insecure state. Account %dbaccount% is not locked and terminated. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
A malicious user can gain access to the database using a well-known account.
Action
Expire and lock well-known accounts.
The security policies for the Database Instance on Windows target are:
This policy ensures that access to the audit files directory is restricted to the owner of the Oracle software set and the DBA group. The following permissions on Windows NT based platforms are considered critical: DELETE, WRITE_DAC, WRITE_OWNER, CHANGE, ADD, and FULL. The policy gives the number of users or user groups which have been granted such permissions, and lists the users and user groups in parentheses.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Security | Database Instance | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | The audit file directory has insecure permissions. The users %users% have critical permissions on audit file directory %dir_name% |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
The AUDIT_FILE_DEST initialization parameter specifies the directory where the Oracle auditing facility creates the audit files. Giving public read permission to this directory may reveal important information such as logging information of startup, shutdown, and privileged connections.
Action
Restrict permissions to the Audit File directory to:
Owner of the Oracle software set
DBA group
Do not give read, write, and execute permissions to public.
This policy ensures that access to the trace files directory is restricted to the owner of the Oracle software set and the DBA group.The following permissions on Windows NT based platforms are considered critical: DELETE, WRITE_DAC, WRITE_OWNER, CHANGE, ADD, and FULL. The policy gives the number of users or user groups which have been granted such permissions, and lists the users and user groups in parentheses.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Security | Database Instance | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | The background dump directory has insecure permissions. The users %users% have critical permissions on background dump directory (%dir_name%). |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
Background processes such as the log writer process and the database writer process use trace files to record occurrences and exceptions of database operations, as well as errors. The trace files are stored in the directory specified by the BACKGROUND_DUMP_DEST initialization parameter. Giving public read permission to this directory may reveal important and sensitive internal details of the database and applications.
Action
Restrict permissions to the Background Dump directory to:
Owner of the Oracle software set
DBA group
Do not give read, write, and execute permissions to public.
This policy ensures that access to the control files directory is restricted to the owner of the Oracle software set and the DBA group. The following permissions on Windows NT based platforms are considered critical: DELETE, WRITE_DAC, WRITE_OWNER, CHANGE, ADD, and FULL. The policy gives the number of users or user groups which have been granted such permissions, and lists the users and user groups in parentheses.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Security | Database Instance; Cluster Database | Oracle Server 8 | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in an insecure state. The users %users% have critical permissions on the control file (%file_name%). |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
Control files are binary configuration files that control access to data files. Control files are stored in the directory specified by the CONTROL_FILES initialization parameter. A public write privilege on this directory could pose a serious security risk.
Action
Restrict permission to the control files to:
Owner of the Oracle software installation
DBA group
Do not give read and write permissions to public.
This policy ensures that access to the core dump files directory is restricted to the owner of the Oracle software set and the DBA group. The following permissions on Windows NT based platforms are considered critical: DELETE, WRITE_DAC, WRITE_OWNER, CHANGE, ADD, and FULL. The policy gives the number of users or user groups which have been granted such permissions, and lists the users and user groups in parentheses.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Security | Database Instance | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | The core dump directory has insecure permissions. The users %users% have critical permissions on core dump directory (%dir_name%). |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
Core dump files are stored in the directory specified by the CORE_DUMP_DEST initialization parameter. A public read privilege on this directory could expose sensitive information from the core dump files.
Action
Restrict permissions to the Core Dump directory to:
Owner of the Oracle software set
DBA group
Do not give read, write, and execute permissions to public.
This policy ensures that access to the files referenced by the IFILE parameter is restricted to the owner of the Oracle software set and the DBA group. The following permissions on Windows NT based platforms are considered critical: DELETE, WRITE_DAC, WRITE_OWNER, CHANGE, ADD, and FULL. The policy gives the number of users or user groups which have been granted such permissions, and lists the users and user groups in parentheses.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Security | Database Instance | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in an insecure state. The users %users% have critical permissions on the IFILE parameter referenced file (%file_name%). |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
The IFILE initialization parameter can be used to embed the contents of another initialization parameter file into the current initialization parameter file. A publicly accessible initialization parameter file can be scanned for sensitive initialization parameters exposing the security policies of the database. The initialization parameter file can also be searched for the weaknesses of the Oracle database configuration setting.
Action
Restrict access to the files referenced by the IFILE initialization parameter to:
Owner of Oracle software installation
DBA group
Do not give read, write, and execute permissions to public.
This policy ensures that access to the initialization parameter file is restricted to the owner of the Oracle software set and the DBA group. The following permissions on Windows NT based platforms are considered critical: DELETE, WRITE_DAC, WRITE_OWNER, CHANGE, ADD, and FULL. The policy gives the number of users or user groups which have been granted such permissions, and lists the users and user groups in parentheses.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Warning | Security | Database Instance | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in an insecure state. The users %users% have critical permissions on the text initialization parameter file (%file_name%). |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
Oracle traditionally stored initialization parameters in a text initialization parameter file. A publicly accessible initialization parameter file can be scanned for sensitive initialization parameters exposing the security policies of the database. The IFILE can also be searched for the weaknesses of the Oracle database configuration setting.
Action
Restrict access to the initialization parameter file to:
Owner of Oracle software installation
DBA group
Do not give read and write permissions to public.
This policy ensures that the server's archive logs are not accessible to public.The following permissions on Windows NT based platforms are considered critical: DELETE, WRITE_DAC, WRITE_OWNER, CHANGE, ADD, and FULL. The policy gives the number of users or user groups which have been granted such permissions, and lists the users and user groups in parentheses.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Security | Database Instance | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in an insecure state. The users %users% have critical permissions on the directory (%dir_name%) specified by the LOG_ARCHIVE_DEST parameter. |
Defaults
Parameters and Their Default Values
Database may be in insecure state as the directory (%file_name%) specified by the LOG_ARCHIVE_DEST parameter has an inappropriate permission or owner: %permission%.
Objects Excluded by Default
Database may be in insecure state as the directory (%file_name%) specified by the LOG_ARCHIVE_DEST parameter has an inappropriate permission or owner: %permission%.
Impact of Violation
LogMiner can be used to extract database information from the archive logs if the directory specified by LOG_ARCHIVE_DEST parameter (in the init.ora file) is not owned by the owner of the Oracle software installation or has permissions for others.
Action
Permissions of the directory specified by LOG_ARCHIVE_DEST parameter should be restricted to the owner of the Oracle software set and DBA group with no permissions to public.
This policy ensures that the server's archive logs are not accessible to public. The following permissions on Windows NT based platforms are considered critical: DELETE, WRITE_DAC, WRITE_OWNER, CHANGE, ADD, and FULL. The policy gives the number of users or user groups which have been granted such permissions, and lists the users and user groups in parentheses.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Security | Database Instance | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in an insecure state. The users %users% have critical permissions on the directory (%dir_name%) specified by the LOG_ARCHIVE_DUPLEX_DEST parameter. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
LogMiner can be used to extract database information from the archive logs if the directory specified by LOG_ARCHIVE_DUPLEX_DEST parameter (in init.ora file) is not owned by the owner of the Oracle software installation or has permissions for others.
Action
Permissions of the directory specified by LOG_ARCHIVE_DUPLEX_DEST parameter should be restricted to the owner of the Oracle software set and DBA group with no permissions to public.
This policy ensures that access to the datafiles is restricted to the owner of the Oracle software set and the DBA group. The following permissions on Windows NT based platforms are considered critical: DELETE, WRITE_DAC, WRITE_OWNER, CHANGE, ADD, and FULL. The policy gives the number of users or user groups which have been granted such permissions, and lists the users and user groups in parentheses.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Security | Database Instance; Cluster Database | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in an insecure state. The users %users% have critical permissions on the datafile (%file_name%). |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
The datafiles contain all the database data. If datafiles are made readable to public, they can be read by a user who has no database privileges on the data.
Action
Restrict permissions to the datafiles to:
Owner of the Oracle software set
DBA group
Do not give read and write permissions to public.
This policy ensures that all files in the ORACLE_HOME/bin folder have appropriate permissions. The following permissions on Windows NT based platforms are considered critical: DELETE, WRITE_DAC, WRITE_OWNER, CHANGE, ADD, and FULL. The policy gives the number of users or user groups which have been granted such permissions, and lists the users and user groups in parentheses.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Warning | Security | Database Instance | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in an insecure state. The users %users% have critical permissions on file (%file_name%). |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
Incorrect file permissions on some of the Oracle files can cause major security issues.
Action
For files in the ORACLE_HOME/bin folder, revoke unnecessary right given to users or user groups.
This policy ensures that all files in the ORACLE_HOME directories (except for ORACLE_HOME/bin) have permission set appropriately. The following permissions on Windows NT based platforms are considered critical: DELETE, WRITE_DAC, WRITE_OWNER, CHANGE, ADD, and FULL. The policy gives the number of users or user groups which have been granted such permissions, and lists the users and user groups in parentheses.
Normally, only the owner and DBA group members must be allowed to work with non-executable files in the Oracle Home.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Warning | Security | Database Instance | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in an insecure state. The users %users% have critical permissions on file (%file_name%). |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
Incorrect file permissions on some of the Oracle files can cause major security issues.
Action
All files in $ORACLE_HOME directories must have permission set appropriately.
This policy ensures that access to the server parameter file (SPFILE) is restricted to the owner of the Oracle software set and the DBA group. The following permissions on Windows NT based platforms are considered critical: DELETE, WRITE_DAC, WRITE_OWNER, CHANGE, ADD, and FULL. The policy gives the number of users or user groups which have been granted such permissions, and lists the users and user groups in parentheses.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Security | Database Instance | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in an insecure state. The users %users% have critical permissions on the server parameter file (%file_name%). |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
A server parameter file (SPFILE) lets you store and manage your initialization parameters persistently in a server-side disk file. A publicly accessible SPFILE can be scanned for sensitive initialization parameters exposing the security policies of the database. The SPFILE can also be searched for the weaknesses of the Oracle database configuration setting.
Action
Restrict permission to the server parameter file (SPFILE) to:
Oracle software owner
Oracle group
Do not give read and write permissions to public.
This policy ensures externally identified users specify the domain while connecting.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Security | Database Instance | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in an insecure state. OSAUTH_PREFIX_DOMAIN is not set to TRUE. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
If externally identified accounts are required, setting OSAUTH_PREFIX_DOMAIN to TRUE in the registry forces the account to specify the domain. This prevents spoofing of user access from an alternate domain or local system.
Action
For externally identified users from Windows systems, set the OSAUTH_PREFIX_DOMAIN initialization parameter to TRUE.
This policy ensures that access to the trace files directory is restricted to the owner of the Oracle software set and the DBA group. The following permissions on Windows NT based platforms are considered critical: DELETE, WRITE_DAC, WRITE_OWNER, CHANGE, ADD, and FULL. The policy gives the number of users or user groups which have been granted such permissions, and lists the users and user groups in parentheses.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Security | Database Instance | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | The user dump directory has insecure permissions. The users %users% have critical permissions on user dump directory (%dir_name%). |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
The trace files for server processes are stored in the directory specified by the USER_DUMP_DEST initialization parameter. Giving public read permission to this directory may reveal important and sensitive internal details of the database and applications.
Action
Restrict permissions to the User Dump directory to:
Owner of the Oracle software set
DBA group
Do not give read, write, and execute permissions to public.
The storage policies for the Database Instance target are:
This policy verifies that the DEFAULT_PERMANENT_TABLESPACE database property is set to a non-system tablespace. The default permanent tablespace for the database is used as the default permanent tablespace for any users who are not explicitly assigned a permanent tablespace. The default permanent tablespace is defaulted to the SYSTEM tablespace until it is changed by a DBA.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Warning | Storage | Database Instance; Cluster Database | Oracle Server 10g Release 1 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | The default permanent tablespace is not set explicitly and defaults to SYSTEM tablespace. |
Defaults
Parameters and Their Default Values
SYSTEM
Objects Excluded by Default
Not Applicable
Impact of Violation
If not specified explicitly, the DEFAULT_PERMANENT_TABLESPACE is defaulted to the SYSTEM tablespace. This is not the recommended setting. The default permanent tablespace for the database is used as the permanent tablespace for any non-SYSTEM users who are not explicitly assigned a permanent tablespace. If the database default permanent tablespace is set to a system tablespace, then any user who is not explicitly assigned a tablespace uses the system tablespace. Non-SYSTEM users should not be using a system tablespaces to store data. Doing so may result in performance degradation for the database.
Action
Set the DEFAULT_PERMANENT_TABLESPACE to a non-system tablespace. Create or edit a tablespace and set it to be the default permanent tablespace.
Clicking the DEFAULT_PERMANENT_TABLESPACE link will bring up the Tablespace Search page. From this page you can create or edit a tablespace and set it to be the default permanent tablespace.
On the Administration property page for the database instance, click Tablespaces under the Storage options. After providing your credentials, create or edit a permanent tablespace and set it to be the default permanent tablespace.
This policy verifies that the DEFAULT_TEMP_TABLESPACE database property is set to a non-system tablespace. The default temporary tablespace for the database is used as the temporary tablespace for any users that are not explicitly assigned a temporary tablespace. The temporary tablespace is defaulted to the SYSTEM tablespace until it is changed by a DBA.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Warning | Storage | Database Instance; Cluster Database | Oracle Server 9i or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | The default temporary tablespace is not set explicitly and defaults to SYSTEM tablespace. |
Defaults
Parameters and Their Default Values
Parameter default values are dependent on the version of the Oracle Database target. Refer to the Oracle Database documentation for that version of the database target to learn about the parameters and their default values.
Objects Excluded by Default
Not Applicable
Impact of Violation
If not specified explicitly, the DEFAULT_TEMP_TABLESPACE defaults to the SYSTEM tablespace. This is not the recommended setting. The default temporary tablespace is used as the temporary tablespace for any users who are not explicitly assigned a temporary tablespace. If the database default temporary tablespace is set to a system tablespace, then any user who is not explicitly assigned a temporary tablespace uses the system tablespace as their temporary tablespace. System tablespaces should not be used to store temporary data. Doing so can result in performance degradation for the database.
Action
Set the DEFAULT_TEMP_TABLESPACE to a non-system temporary tablespace. In Oracle Database 10g Release 1 or later, you can also set the DEFAULT_TEMP_TABLESPACE to a temporary tablespace group. Create or edit a temporary tablespace, or temporary tablespace group, and set it to be the default temporary tablespace.
Clicking the DEFAULT_TEMP_TABLESPACE link will bring up the Tablespace Search page. From this page the user can create or edit a temporary tablespace and set it to be the default temporary tablespace.
On the Administration property page for the database instance, click Tablespaces under the Storage options. After providing your credentials, create or edit a temporary tablespace and set it to be the default temporary tablespace.
This policy determines whether dictionary managed tablespaces are being used. Use locally managed tablespaces.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Informational | Storage | Database Instance; Cluster Database | All | The underlying metric has a collection frequency of once every 24 hours. | Yes | Tablespace %TABLESPACE_NAME% is dictionary managed. Oracle recommends using locally managed tablespaces, with AUTO segment-space management, to enhance performance and ease of space management. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
These tablespaces are dictionary managed. Oracle recommends using locally managed tablespaces, with AUTO segment-space management, to enhance performance and ease of space management.
Action
Redefine these tablespaces to be locally managed.
This policy, using the SMALL_REDO_LOGS parameter, checks for redo log files that are less than 1 MB.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Storage | Database Instance; Cluster Database | All | The underlying metric has a collection frequency of once every 24 hours. | Yes | Your database has redo log that has insufficient size. |
Defaults
Parameters and Their Default Values
Parameter default values are dependent on the version of the Oracle Database target. Refer to the Oracle Database documentation for that version of the database target to learn about the parameters and their default values.
Objects Excluded by Default
Not Applicable
Impact of Violation
Small redo logs cause system checkpoints to continuously put a high load on the buffer cache and I/O system.
Action
Increase size of the redo logs to at least 1 MB.
Redefine the tablespaces containing the segments to be locally managed; or, reorganize these segments, specifying a Next Extent value that is a multiple of Initial Extent, and a Percent Increase value of 0.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Informational | Storage | Database Instance; Cluster Database | All | The underlying metric has a collection frequency of once every 24 hours. | Yes | Segment %OBJECT% belonging to non-system users are stored in system tablespace %TABLESPACE_NAME%. This makes it more difficult to manage these data segments and may result in performance degradation in the system tablespace. |
Defaults
Parameters and Their Default Values
Parameter default values are dependent on the version of the Oracle Database target. Refer to the Oracle Database documentation for that version of the database target to learn about the parameters and their default values.
Objects Excluded by Default
Cluster object types because the Reorganize Objects wizard does not support them.
All user accounts that are, by default, part of the Oracle Database or Enterprise Manager. For example: SYS, SYSTEM, SYSMAN, CTXSYS, SCOTT, ADAMS, and so on.
Impact of Violation
These segments belonging to non-system users are stored in system tablespaces SYSTEM or SYSAUX. This violation makes it more difficult to manage these data segments and may result in performance degradation in the system tablespace. System users include users that are part of the DBMS such as SYS and SYSTEM, or that are part of Oracle-supplied facilities: for example, CTXSYS, SYSMAN, and OLAPSYS.
Action
Relocate the non-system segments to a non-system tablespace.
This policy checks for tablespaces with non-uniform default extent size.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Informational | Storage | Database Instance; Cluster Database | All | The underlying metric has a collection frequency of once every 24 hours. | Yes | Tablespace %TABLESPACE_NAME% uses non-uniform extents. Using uniform extents ensures that any free extent in the tablespace can always be used for any segment in the tablespace. |
Defaults
Parameters and Their Default Values
Parameter default values are dependent on the version of the Oracle Database target. Refer to the Oracle Database documentation for that version of the database target to learn about the parameters and their default values.
Objects Excluded by Default
SYSTEM tablespace. This policy is only applicable to PERMANENT DICTIONARY tablespaces.
Impact of Violation
Tablespaces using a non-uniform default extent size exist. Extents in a tablespace should be the same size. This ensures that any free extent in the tablespace can always be used for any segment in the tablespace.
Action
To ensure uniform extent sizes, set each tablespace's default storage clause so that the NEXT value should be equal to or a multiple of the INITIAL value, and the PCTINCREASE value is set to zero. Then never explicitly specify a storage clause at the segment level. Instead, let the storage values for the segments be inherited from the default storage clause of the tablespace.
Rollback in SYSTEM Tablespace.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Informational | Storage | Database Instance; Cluster Database | All | See following table | Yes | Your SYSTEM tablespace contains rollback segment %RBS_NAME%. The SYSTEM tablespace should be reserved only for the Oracle data dictionary and its associated objects. |
The following table lists the policy's underlying metrics.
Underlying Metric | Collection Frequency |
---|---|
db_init_params | Every 24 hours |
db_rollback_segs | Every 24 hours |
Defaults
Parameters and Their Default Values
Parameter default values are dependent on the version of the Oracle Database target. Refer to the Oracle Database documentation for that version of the database target to learn about the parameters and their default values.
Objects Excluded by Default
Not Applicable
Impact of Violation
The SYSTEM tablespace should be reserved only for the Oracle data dictionary and its associated objects. It should NOT be used to store any other types of objects such as user tables, user indexes, user views, rollback segments, undo segments, or temporary segments.
Action
Use a tablespace dedicated to undo instead of the SYSTEM tablespace.
This policy, using the SEG_EXT_GROWTH_VIO parameter, checks for segments in dictionary managed tablespaces having irregular extent sizes and/or non-zero Percent Increase settings.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Informational | Storage | Database Instance; Cluster Database | All | The underlying metric has a collection frequency of once every 24 hours. | Yes | Segment %OBJECT% in dictionary managed tablespace %TABLESPACE_NAME% has irregular extent sizes and/or non-zero Percent Increase settings. This can result in inefficient reuse of space and fragmentation problems. |
Defaults
Parameters and Their Default Values
Parameter default values are dependent on the version of the Oracle Database target. Refer to the Oracle Database documentation for that version of the database target to learn about the parameters and their default values.
Objects Excluded by Default
Not Applicable
Impact of Violation
These segments have extents with sizes that are not multiples of the initial extent, and/or a non-zero Percent Increase setting. This can result in inefficient reuse of space and fragmentation problems.
Action
Redefine the tablespaces containing the segments to be locally managed; or, reorganize these segments, specifying a Next Extent value that is a multiple of Initial Extent, and a Percent Increase value of 0.
This policy checks for locally managed tablespaces that are using MANUAL segment space management.
There are two segment-space management settings, MANUAL and AUTO.
MANUAL segment-space management uses free lists to manage free space within segments. Free lists are lists of data blocks that have space available for inserting rows. With this form of segment-space management, you must specify and tune the PCTUSED, FREELISTS and FREELIST GROUPS storage parameters for schema objects created in the tablespace.
AUTO segment-space management uses bitmaps to manage the free space in segments. The bitmap describes the status of each data block within a segment with respect to the amount of space in the block available for inserting rows. These bitmaps allow the database to manage free space automatically.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Informational | Storage | Database Instance; Cluster Database | Oracle Server 9.2 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Tablespace %TABLESPACE_NAME% is not using automatic segment-space management. |
Defaults
Parameters and Their Default Values
Parameter default values are dependent on the version of the Oracle Database target. Refer to the Oracle Database documentation for that version of the database target to learn about the parameters and their default values.
Objects Excluded by Default
Not Applicable
Impact of Violation
Automatic segment-space management is a simpler and more efficient way of managing space within a segment. It completely eliminates any need to specify and tune the PCTUSED, FREELISTS and FREELIST GROUPS storage parameters for schema objects created in the tablespace.
In a RAC environment, there is the additional benefit of avoiding the hard partitioning of space inherent with using free list groups.
Action
Change the segment-space management of all permanent locally managed tablespaces to AUTO.
Clicking the name of each tablespace listed will bring up the Reorganize Objects wizard with the tablespace automatically selected. This wizard allows you to change the segment-space management of the tablespace from MANUAL to AUTO.
This policy, using the TBSP_MIXED_SEGS parameter, checks for tablespaces containing both rollback and data segments.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Informational | Storage | Database Instance; Cluster Database | All | The underlying metric has a collection frequency of once every 24 hours. | Yes | Tablespace %TABLESPACE_NAME% contains both rollback and data segments. Mixing segment types in this way makes it more difficult to manage space and may degrade performance in the tablespace. |
Defaults
Parameters and Their Default Values
Parameter default values are dependent on the version of the Oracle Database target. Refer to the Oracle Database documentation for that version of the database target to learn about the parameters and their default values.
Objects Excluded by Default
SYSTEM tablespace
Impact of Violation
These tablespaces contain both rollback and data segments. Mixing segment types in this way makes it more difficult to manage space and may degrade performance in the tablespace. Use of a dedicated tablespace for rollback segments enhances availability and performance.
Action
Use Automatic Undo Management (in Oracle Server Release 9.0.1 or later) and perform one of the following:
Drop the rollback segments from this tablespace.
Create one or more tablespaces dedicated to rollback segments and drop the rollback segments from this tablespace.
Dedicate this tablespace to rollback segments and move the data segments to another tablespace.
This policy, using the SYSTEM_AS_DEFAULT_TBSP parameter, checks for any user having a System tablespace listed as their default tablespace.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Informational | Storage | Database Instance; Cluster Database | All | The underlying metric has a collection frequency of once every 24 hours. | Yes | User %USER_NAME% uses SYSTEM tablespace as the default tablespace. This will result in non-system data segments being added to the SYSTEM tablespace and possible performance degradation in the SYSTEM tablespace. |
Defaults
Parameters and Their Default Values
Parameter default values are dependent on the version of the Oracle Database target. Refer to the Oracle Database documentation for that version of the database target to learn about the parameters and their default values.
Objects Excluded by Default
Cluster object types because the Reorganize Objects wizard does not support them.
All user accounts that are, by default, part of the Oracle Database or Enterprise Manager. For example: SYS, SYSTEM, SYSMAN, CTXSYS, SCOTT, ADAMS, and so on.
Impact of Violation
These users use a system tablespace as the default tablespace. This violation will result in non-system data segments being added to the system tablespace, making it more difficult to manage these data segments and possibly resulting in performance degradation in the system tablespace.
Action
Change the default tablespace for these users to specify a non-system tablespace.
This policy checks the PERM_AS_TEMP_TBSP parameter to detect whether a permanent tablespace is being used as a temporary tablespace.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Informational | Storage | Database Instance; Cluster Database | Oracle Server 9.2 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | User %USER_NAME% uses permanent tablespace %TABLESPACE_NAME% as the temporary tablespace. Using a permanent tablespace as the temporary tablespace may result in performance degradation, especially for Real Application Clusters. |
Defaults
Parameters and Their Default Values
Parameter default values are dependent on the version of the Oracle Database target. Refer to the Oracle Database documentation for that version of the database target to learn about the parameters and their default values.
Objects Excluded by Default
Not Applicable
Impact of Violation
These users use a permanent tablespace as the temporary tablespace. Using temporary tablespaces allows space management for sort operations to be more efficient. Using a permanent tablespace for these operations may result in performance degradation, especially for Real Application Clusters.
Action
Change the temporary tablespace for these users to specify a tablespace of type TEMPORARY.