Symantec Enterprise Security Manager Oracle …...2011/12/06 · Security Manager Oracle Database Modules User Guide Version 5.1 Symantec Enterprise Security Manager Oracle Database

Symantec™ EnterpriseSecurity Manager OracleDatabase Modules UserGuide

Version 5.1

Symantec™ Enterprise Security Manager OracleDatabase Modules User Guide

The software described in this book is furnished under a license agreement andmay be usedonly in accordance with the terms of the agreement.

Documentation version: 5.1

Legal NoticeCopyright © 2011 Symantec Corporation. All rights reserved.

Symantec, the Symantec Logo, ActiveAdmin, BindView, bv-Control, and LiveUpdate aretrademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S.and other countries. Other names may be trademarks of their respective owners.

This Symantec product may contain third party software for which Symantec is requiredto provide attribution to the third party (“Third Party Programs”). Some of the Third PartyPrograms are available under open source or free software licenses. The LicenseAgreementaccompanying the Software does not alter any rights or obligations you may have underthose open source or free software licenses. Please see theThird Party LegalNoticeAppendixto this Documentation or TPIP ReadMe File accompanying this Symantec product for moreinformation on the Third Party Programs.

The product described in this document is distributed under licenses restricting its use,copying, distribution, and decompilation/reverse engineering. No part of this documentmay be reproduced in any form by any means without prior written authorization ofSymantec Corporation and its licensors, if any.

THEDOCUMENTATIONISPROVIDED"ASIS"ANDALLEXPRESSORIMPLIEDCONDITIONS,REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OFMERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT,ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TOBELEGALLYINVALID.SYMANTECCORPORATIONSHALLNOTBELIABLEFORINCIDENTALOR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING,PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINEDIN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software andDocumentation are deemed to be commercial computer softwareas defined in FAR12.212 and subject to restricted rights as defined in FARSection 52.227-19"Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights inCommercial Computer Software or Commercial Computer Software Documentation", asapplicable, and any successor regulations. Any use, modification, reproduction release,performance, display or disclosure of the Licensed Software andDocumentation by theU.S.Government shall be solely in accordance with the terms of this Agreement.

Symantec Corporation350 Ellis StreetMountain View, CA 94043

http://www.symantec.com

Printed in the United States of America.

10 9 8 7 6 5 4 3 2 1

http://www.symantec.com

Technical SupportSymantec Technical Support maintains support centers globally. TechnicalSupport’s primary role is to respond to specific queries about product featuresand functionality. TheTechnical Support group also creates content for our onlineKnowledge Base. The Technical Support group works collaboratively with theother functional areas within Symantec to answer your questions in a timelyfashion. For example, theTechnical Support groupworkswithProductEngineeringand Symantec Security Response to provide alerting services and virus definitionupdates.

Symantec’s support offerings include the following:

■ A range of support options that give you the flexibility to select the rightamount of service for any size organization

■ Telephone and/or Web-based support that provides rapid response andup-to-the-minute information

■ Upgrade assurance that delivers software upgrades

■ Global support purchased on a regional business hours or 24 hours a day, 7days a week basis

■ Premium service offerings that include Account Management Services

For information about Symantec’s support offerings, you can visit our Web siteat the following URL:

www.symantec.com/business/support/

All support services will be delivered in accordance with your support agreementand the then-current enterprise technical support policy.

Contacting Technical SupportCustomers with a current support agreement may access Technical Supportinformation at the following URL:


Before contacting Technical Support, make sure you have satisfied the systemrequirements that are listed in your product documentation. Also, you should beat the computer onwhich theproblemoccurred, in case it is necessary to replicatethe problem.

When you contact Technical Support, please have the following informationavailable:

■ Product release level



■ Hardware information

■ Available memory, disk space, and NIC information

■ Operating system

■ Version and patch level

■ Network topology

■ Router, gateway, and IP address information

■ Problem description:

■ Error messages and log files

■ Troubleshooting that was performed before contacting Symantec

■ Recent software configuration changes and network changes

Licensing and registrationIf yourSymantecproduct requires registrationor a licensekey, access our technicalsupport Web page at the following URL:


Customer serviceCustomer service information is available at the following URL:


Customer Service is available to assist with non-technical questions, such as thefollowing types of issues:

■ Questions regarding product licensing or serialization

■ Product registration updates, such as address or name changes

■ General product information (features, language availability, local dealers)

■ Latest information about product updates and upgrades

■ Information about upgrade assurance and support contracts

■ Information about the Symantec Buying Programs

■ Advice about Symantec's technical support options

■ Nontechnical presales questions

■ Issues that are related to CD-ROMs, DVDs, or manuals



Support agreement resourcesIf youwant to contact Symantec regarding an existing support agreement, pleasecontact the support agreement administration team for your region as follows:

[email protected] and Japan

[email protected], Middle-East, and Africa

[email protected] America and Latin America

mailto:[email protected]



Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Chapter 1 Introducing Symantec ESM Modules for OracleDatabases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

About the Symantec ESM modules for Oracle Databases ... . . . . . . . . . . . . . . . . . . 15What you can do with the Symantec ESM modules for Oracle

databases ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15Where you can get more information .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Chapter 2 Understanding the ESM Oracle DatabaseModules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

About the Oracle Accounts module ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17Establishing a baseline snapshot ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18Editing default settings ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18Reporting operating system access ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18Reporting user roles ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18Reporting user privileges ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18Reporting user accounts ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18Reporting account changes ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18Reporting account defaults ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19Active database accounts ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19Active default accounts ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19Automatically update snapshots ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20Database account creation date changed .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20Database account tablespace changed .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22Database accounts ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23Deleted database accounts ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23Deleted directly-granted privileges ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24Deleted directly granted roles ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25Directly-granted privileges ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27Directly-granted roles ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28Grantable privileges ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29Grantable roles ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30Granted prohibited roles ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31Inactive database accounts ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

Contents

New database accounts ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33New directly-granted privileges ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34New directly-granted roles ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35OS authenticated users ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36Oracle system identifiers (SIDs) ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37Password-protected default role ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38Privileges ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39Roles ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39Users in OS DBA groups .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39Users to check .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40Users to skip in OS DBA groups .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40Globally authenticated users ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

About the Oracle Auditing module ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42Establishing a baseline snapshot ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42Editing default settings ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42Reporting audit status and access ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42Audit reporting methods .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42Reporting statement audits ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43Reporting object audits ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43Reporting privilege audits ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44Audit settings ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44Audit trail enabled .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46Audit trail protection .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47Auditing objects ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48Auditing options .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48Auditing privileges ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49Automatically update snapshots ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49Changed object auditing .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49Changed privilege auditing .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52Changed statement auditing .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53Deleted object auditing .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55Deleted privilege auditing .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55Deleted statement auditing .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56New object auditing .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57New privilege auditing .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60New statement auditing .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61Object auditing .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63Oracle system identifiers (SIDs) ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66Privilege auditing .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66Statement auditing .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

About the Oracle Configuration module ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68Editing default settings ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69Reporting Oracle version information .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

Contents8

Reporting link password encryption .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69Reporting operating system account prefixes ... . . . . . . . . . . . . . . . . . . . . . . . . . . . 69Reporting parameter values ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69Report all configured DB links ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69Report only fixed user configured DB links ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70Alert file ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70Automatically update snapshots ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71Control files ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71Control files ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74DB link encrypted password .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77Deleted control files ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79Deleted redo log files ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79List SID:HOME (oracle.dat) .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80List SID:HOME (oratab) ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81New control files ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82New redo log files ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83Oracle components ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84Oracle configuration watch .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85Oracle system identifiers (SIDs) ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90Prefix for OS account ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90Redo log files ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91Redo log file ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94Remote login password file ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97Restrictions on system privileges ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98Table-level SELECT privileges ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100Trace file size ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101Trace files ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101UTL_FILE accessible directories ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102

About the Oracle Networks module ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103Editing default settings ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103Reporting SID configuration status ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103Oracle net configuration watch .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103Oracle system identifiers (SIDS) ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106SID configuration .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106SID configuration .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107Oracle EXTPROC listeners ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107

About the Oracle Objects module ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110Editing default settings ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110Reporting table privileges ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110Access to SYS.ALL_SOURCE .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110Critical objects ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111Directly granted privilege ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113Grantable privilege ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114

9Contents

Grantors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115Object Privileges ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115Object name .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123Oracle system identifiers (SIDs) ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123Table privileges ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124

About the Oracle Passwords module ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124Editing default settings ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124Specifying check variations .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124Comparing passwords to word lists ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124Detecting well-known passwords .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125Account status ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125Double occurrences ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125Oracle system identifiers (SIDs) ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125Password = any username .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125Password = username .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126Password = wordlist word .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128Password display .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130Plural ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130Prefix ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130Reverse order ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130Suffix ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131Users to check .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131Well known passwords .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131Password = SID .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132

About the Oracle Patches module ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132Edit default settings ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132Oracle patches ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132SID info .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133Installed patches ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133Opatch tool ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133Oracle Home Paths .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135Patch information .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135Template files ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136

About the Oracle Profiles module ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137Establishing a baseline snapshot ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137Editing default settings ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138Reporting profiles and their limits ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138Reporting CPU limit violations .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138Reporting password violations .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138Profile settings ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138Automatically update snapshots ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140CPU time per call .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140CPU time per session .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141

Contents10

Changed resource limits ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142Connection time .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143Deleted profiles ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144Failed logins ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145Idle time .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146Invalid profiles ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147New profiles ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148Oracle profiles ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149Oracle system identifiers (SIDs) ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149Password duration .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150Password grace time .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151Password lock time .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152Password reuse max .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153Password reuse time .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154Password verify function .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156Profile enforcement ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157Profile resources ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157Profiles ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158Sessions per user ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159

About the Oracle Roles module ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160Establishing a baseline snapshot ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160Editing default settings ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161Reporting roles ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161Reporting role privileges ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161Reporting role access ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161Granted roles ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161Granted privileges ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163Automatically update snapshots ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165DBA equivalent roles ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165Deleted nested role ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165Deleted privileges ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166Deleted roles ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167Grantable nested role ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168Grantable privileges ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169Granted Oracle DBA role ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170Nested roles ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171New nested roles ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172New privileges ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173New roles ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174Oracle system identifiers (SIDs) ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175PUBLIC role access ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175Password-protected default role ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176Privileges ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178

11Contents

Roles ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178Roles without passwords .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179

About the Oracle SID Discovery module ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180Editing default settings ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181Reporting SID Discovery .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181Configuring theOracle database instances byusing theDiscovery

module ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181Configuring a new Oracle database instance .... . . . . . . . . . . . . . . . . . . . . . . . . . . 181Removing deleted instances ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182Automatically Add New Instance .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182Oratab file locations .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183Automatically Delete Retired Instance .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183Default Tablespace .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183Detect New Instance .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183Detect Retired Instance .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185Profile ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186Temporary Tablespace .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187

About the Oracle Tablespace module ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187Creating a baseline snapshot ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187Editing default settings ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187Reporting tablespaces ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187Reporting tablespace datafiles ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187Reporting SYSTEM tablespace information .... . . . . . . . . . . . . . . . . . . . . . . . . . . . 188Reporting DBA tablespace quotas ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188Automatically update snapshots ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188Deleted tablespace datafiles ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188Deleted tablespaces ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189MAX_BLOCKS in DBA_TS_QUOTAS .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190MAX_BYTES in DBA_TS_QUOTAS .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191New tablespace datafiles ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192New tablespaces ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193Objects in SYSTEM tablespace .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194Oracle system identifiers (SIDs) ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195Oracle tablespaces ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195SYSTEM tablespace assigned to user ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196Tablespace datafiles ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196Tablespace datafiles ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199Tablespaces ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202

Chapter 3 Working with the Oracle templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205

Templates ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205About the Oracle Profiles template ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207

Contents12

Creating the Oracle Profiles template ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207About using the Oracle Profiles template ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208

About the Oracle Roles template ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209Creating the Oracle Roles template ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209About using the Oracle Roles template ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209

About the Oracle System Privileges template ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211Creating the Oracle System Privileges template ... . . . . . . . . . . . . . . . . . . . . . . 212About using the Oracle System Privileges template ... . . . . . . . . . . . . . . . . . 212

About the Oracle Roles template ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214Creating the Oracle Roles template ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214About using the Oracle Roles template ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214

About the Oracle System Privileges template ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216Creating the Oracle System Privileges template ... . . . . . . . . . . . . . . . . . . . . . . 217About using the Oracle System Privileges template ... . . . . . . . . . . . . . . . . . 217

About the Oracle Configuration Watch template ... . . . . . . . . . . . . . . . . . . . . . . . . . . . 219Creating the Oracle Configuration Watch template ... . . . . . . . . . . . . . . . . . . 219About using the Oracle Configuration Watch template ... . . . . . . . . . . . . 219

About the Oracle Net Configuration Watch template ... . . . . . . . . . . . . . . . . . . . . . . 222Creating the Oracle Net Configuration Watch template ... . . . . . . . . . . . . 222About using the Oracle Net Configuration Watch template ... . . . . . . . . 223Examples of using the Oracle Net Configuration Watch

template ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227About the Oracle Object Privileges template ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229

Creating the Oracle Object Privileges template ... . . . . . . . . . . . . . . . . . . . . . . . . 229About using the Oracle Object Privileges template ... . . . . . . . . . . . . . . . . . . 230

About the Oracle Patch template ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234Creating the Oracle Patch template ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234About using the Oracle Patch template ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234

About the Oracle Critical Object template ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238Creating the Oracle Critical Object template ... . . . . . . . . . . . . . . . . . . . . . . . . . . 238About using the Oracle Critical Object template ... . . . . . . . . . . . . . . . . . . . . . . 238

About the Oracle Auditing template ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239Creating the Oracle Auditing template ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239About using the Oracle Auditing template ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239

13Contents

Contents14

Introducing Symantec ESMModules for OracleDatabases

This chapter includes the following topics:

■ About the Symantec ESM modules for Oracle Databases

■ What you can do with the Symantec ESM modules for Oracle databases

■ Where you can get more information

About the Symantec ESM modules for OracleDatabases

The Symantec Enterprise Security Manager (ESM) modules for Oracle databasesextend theSymantecESMprotection to your databases. Thesemodules implementthe checks and options that are specific to Oracle databases, to protect them fromexposure to known security problems. The modules may be installed locally onthe Symantec ESM agent that is installed on the same computer where the Oracledatabase resides. You can use the Symantec ESM modules for Oracle database inthe same way that you use for other Symantec ESM modules.

What you can dowith the Symantec ESMmodules forOracle databases

You can use the ESM Application modules to scan the Oracle databases forreporting vulnerabilities, such as weak passwords, patches update, and so on.

1Chapter

You can perform the following tasks using the ESM console:

■ Create a policy.

■ Configure the policy.

■ Create a rules template.

■ Run the policy.

■ Review the policy run.

■ Correct security problems from the console.

■ Create reports.

Where you can get more informationFor more information about Symantec ESM modules and Security Updates, seethe latest versions of the SymantecEnterprise SecurityAdministrator’sGuide andthe Symantec ESM Security Update User’s Guide.

Formore information onSymantec Enterprise SecurityManager (ESM), SymantecESMSecurityUpdates, and Symantec ESM support for database products, see theSymantec Security Response Web site at the following URL: Security ResponseWeb site.

Introducing Symantec ESM Modules for Oracle DatabasesWhere you can get more information

16

http://www.symantec.com/business/security_response/securityupdates/list.jsp?fid=esm

http://www.symantec.com/business/security_response/securityupdates/list.jsp?fid=esm

Understanding the ESMOracle Database Modules


■ About the Oracle Accounts module

■ About the Oracle Auditing module

■ About the Oracle Configuration module

■ About the Oracle Networks module

■ About the Oracle Objects module

■ About the Oracle Passwords module

■ About the Oracle Patches module

■ About the Oracle Profiles module

■ About the Oracle Roles module

■ About the Oracle SID Discovery module

■ About the Oracle Tablespace module

About the Oracle Accounts moduleThis module checks for the user accounts based on the options that you havespecified.

2Chapter

Establishing a baseline snapshotTo establish a baseline snapshot file, run the Symantec ESM module for Oracleaccounts once. Periodically rerun the module to detect changes and update thesnapshot when appropriate.

Editing default settingsThemodule forOracle accounts includes one option that you canuse to edit defaultsettings for all security checks in the module.

Reporting operating system accessThe OS administrators have exceptional privileges. Some users can access thedatabase directly from the operating system without the protection of Oracleauthentication. Both the user groups should be monitored to ensure that yourcomputers are protected. The checks in this group monitor these users.

Reporting user rolesThe checks in this group report the roles that have been directly granted to theusers or revoked from the users and the associated user names. Nested roles arenot reported.

Reporting user privilegesThe checks in this group report the users with grantable privileges and theprivileges that have been directly granted to users or revoked from the users.

Reporting user accountsThe checks in this group report the database accounts that are current, new,active, inactive, and deleted.

Reporting account changesThe checks in this group report the changes to the tablespace assignments andthe creation dates.

Understanding the ESM Oracle Database ModulesAbout the Oracle Accounts module

18

Reporting account defaults

Active database accountsThis check reports active user accountswith their tablespaces, profile, and accountcreation date. Periodically, youmust review the user accounts to ensure that theyare current and authorized.

The following table lists the message for the check.

Table 2-1 Message for Active database accounts

AdditionalInformation

Message Title andDescription

Platform andMessageNumericID

MessageString ID andCategory

Severity: green-0

Correctable: false

SnapshotUpdatable:false

TemplateUpdatable:false

Information FieldFormat: [%s]

Title: Activedatabase account

Description: Theactive user accountis reported with itstablespaces, profile,and date that theaccountwas created.Verify that theaccount is currentlyauthorized. Dropunauthorized or outof date accounts.

■ UNIX (30151)

■ Windows 2003(242151)

■ Windows 2008(255151)

String ID:ORA_ACTIVE_USER_ACCT

Category: PolicyCompliance

Severity: green-0

Correctable: false




Title: ESM checksexecuted on OracleSID

Description: Thechecks are executedon the Oracle SID.

■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)

String ID:ORA_SID_PROCESSED

Category: ESMAdministrativeInformation

Active default accountsThis check reports the default accounts that are present on your computer. Bydefault, the name list includes all the Oracle default accounts.

19Understanding the ESM Oracle Database ModulesAbout the Oracle Accounts module

Symantec recommends that you remove, lock, or disable the account to preventintruders from using it to access your database.


Table 2-2 Message for Active default accounts


Message Titleand Description

Platform andMessage Numeric ID

Message String IDand Category

Severity: yellow-1

Correctable: false

SnapshotUpdatable: false

TemplateUpdatable: false


Title: Activedefault account

Description: Theuser account is adefault accountthat ships with anOracle program.Its password iswell known.Remove, lock, ordisable theaccount to preventintruders fromusing it to accessyour database.

■ UNIX (30148)

■ Windows 2003(242148)

■ Windows 2008(255148)

String ID:ORA_ACTIVE_DEFAULT_ACCT


Severity: green-0

Correctable: false




Title: ESM checksexecutedonOracleSID

Description: Thechecks areexecuted on theOracle SID.

■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



Automatically update snapshotsEnable this check to automatically update the snapshots with the currentinformation.

Database account creation date changedThis check reports the database accounts with the creation dates that changedafter the last snapshot update. The change in the creation date indicates that the


20

user account has been deleted and recreated. When a user account is deleted, alldata that is associated with it can also be deleted. Use the name list to exclude theusers for this check.

If the change is authorized, Symantec recommends that you either update thesnapshot or drop the account.


Table 2-3 Message for Database account creation date changed



Platform andMessageNumeric ID

Message String ID andCategory

Severity: yellow-1

Correctable: false

SnapshotUpdatable:true



Title: Databaseaccount creationdate changed

Description: Theuser's creation datechanged after thelast snapshotupdate.Verify that the userhas been re-createdwith authorizedroles, and restorenecessary data if itwas deleted. If thechange is authorized,update the snapshot.If the change is notauthorized, drop theaccount.

■ UNIX(30144)

■ Windows2003(242144)

■ Windows2008(255144)

String ID:ORA_USER_ACCT_CREATION

Category: ChangeNotification

Severity: green-0

Correctable: false






■ UNIX(30014)

■ Windows2003 (30014)

■ Windows2008 (30014)




Database account tablespace changedThis check reports the accounts with the default tablespaces that were changedafter the last snapshot update. Use the name list to exclude the users for thischeck.

If the change is authorized, Symantec recommends that you either update thesnapshot or restore the tablespace.


Table 2-4 Message for Database account tablespace changed





Severity: yellow-1

Correctable: false

SnapshotUpdatable: true



Title: Databaseaccount tablespacechanged

Description: Theuser's tablespacechanged after thelast snapshotupdate. Verify thattablespaceresources areadequately andefficientlyallocated. If thechange isauthorized, updatethe snapshot. If thechange is notauthorized, restorethe tablespace.

■ UNIX (30143)

■ Windows 2003(242143)

■ Windows 2008(255143)

String ID:ORA_USER_ACCT_TABLESPACE


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)




22

Database accountsThis check reports the user accounts, their tablespaces, and account creationdates. Use the name list to exclude the users for this check.

Symantec recommends that you delete any unauthorized or out-of-date accounts.Periodically, you must review the database accounts to ensure that the databaseaccounts and their tablespaces are currently authorized.


Table 2-5 Message for Database accounts





Severity: green-0

Correctable: false




Title: Databaseaccount

Description: Theuser account isreported with itstablespace and datethat the accountwas created. Verifythat the account iscurrentlyauthorized. Dropunauthorizedor outof date accounts.

■ UNIX (30140)

■ Windows 2003(242140)

■ Windows 2008(255140)

String ID:ORA_USER_ACCT

Category: SystemInformation

Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



Deleted database accountsThis check reports the user accounts that were deleted after the last snapshotupdate. Use the name list to exclude the users for this check.


If the deletion is authorized, Symantec recommends that you either update thesnapshot or restore the account.


Table 2-6 Message for Deleted database accounts





Severity: yellow-1

Correctable: false




Title: Deleteddatabase account

Description: Theuser account wasdropped from thedatabase after thelast snapshotupdate. If thedeletion isauthorized, updatethe snapshot. If thedeletion is notauthorized, restorethe account.

■ UNIX (30142)

■ Windows 2003(242142)

■ Windows 2008(255142)

String ID:ORA_USER_ACCT_DELETED


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



Deleted directly-granted privilegesThis check reports theuserswith the directly-grantedprivileges thatwere revokedor dropped after the last snapshot update. Use the name list to exclude the usersfor this check.

If the deletion is authorized, Symantec recommends that you either update thesnapshot or restore the privilege.



24

Table 2-7 Message for Deleted directly granted privileges





Severity: yellow-1

Correctable: false




Title: Privilegedeleted from user

Description: Thedirectly grantedprivilege that isreported in theUserPrivilege field wasdropped from thedatabase or revokedfrom the user afterthe last snapshotupdate. Privilegeswithin the directlygranted privilegewere also deleted orrevoked. If thedeletion isauthorized, updatethe snapshot. If thedeletion is notauthorized, restorethe privilege to theuser

■ UNIX (30139)

■ Windows 2003(242139)

■ Windows 2008(255139)

String ID:ORA_USER_PRIV_DELETED


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



Deleted directly granted rolesThis check reports the user names with the directly-granted roles that wererevoked or dropped after the last snapshot update. The check does not report the


roles that are nested within the directly-granted role and are deleted or revoked.Use the name list to exclude the users for this check.

If the deletion is authorized, Symantec recommends that you either update thesnapshot or restore the role to the user.


Table 2-8 Message for Deleted directly granted roles





Severity: yellow-1

Correctable: false




Title: Role deletedfrom user

Description: Thedirectly granteduser role that isreported in theUserRole field wasdropped from thedatabase or revokedfrom the user afterthe last snapshotupdate. Roleswithin the directlygranted role werealso deleted orrevoked. If thedeletion orrevocation isauthorized, updatethe snapshot. If thedeletion orrevocation is notauthorized, restorethe role to the user.

■ UNIX (30138)

■ Windows 2003(242138)

■ Windows 2008(255138)

String ID:ORA_USER_ROLE_DELETED



26

Table 2-8 Message for Deleted directly granted roles (continued)





Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



Directly-granted privilegesThis check reports the users with the system privileges that have been directlygranted to them. Use the name list to exclude users for this check. Generally, toreduce maintenance the privileges are often granted in roles.

Symantec recommends that you revoke the privilege from any user who is notauthorized for it.



Table 2-9 Message for Directly granted privileges





Severity: green-0

Correctable: false




Title: Privilegedirectly granted

Description: Theuser has beendirectly granted theprivilege that isreported in theUserPrivilege field.Verify that the useris authorized for theprivilege andconsider whether arole should becreatedor redefinedto include theprivilege.

■ UNIX (30134)

■ Windows 2003(242134)

■ Windows 2008(255134)

String ID:ORA_PRIVILEGE_LIST_DIRECT


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



Directly-granted rolesThis check reports the roles that have been directly granted to the users. The rolesthat were nested in the directly-granted roles are deleted, but are not reported.Use the name list to exclude the users for this check.

Symantec recommends that periodically you review this check to ensure that theusers with the directly-granted roles are authorized. Based on the results, youcan revoke inappropriately directly-granted roles.



28

Table 2-10 Message for Directly granted roles





Severity: green-0

Correctable: false




Title: Role directlygranted to user

Description: The userhas been directlygranted the role that isreported in the UserRole field. Verify thatthe role is appropriatefor the user'sresponsibilities.

■ UNIX (30133)

■ Windows 2003(242133)

■ Windows 2008(255133)

String ID:ORA_PRIVILEGE_LIST_ROLES


Severity: green-0

Correctable: false




Title: ESM checksexecuted on Oracle SID

Description: The checksare executed on theOracle SID.

■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



Grantable privilegesThis check reports the users with the privileges that they can directly grant. Usethe name list to exclude the users for this check.

Symantec recommends that you revoke the privilege from any user who is notauthorized to grant it. Periodically, you must review the grantable privileges toensure that users are currently authorized to grant their grantable privileges.



Table 2-11 Message for Grantable privileges





Severity: green-0

Correctable: false




Title: Grantableprivilege

Description: Theuser can grant theprivilege to others.Verify that the useris authorized togrant this privilege.

■ UNIX (30145)

■ Windows 2003(242145)

■ Windows 2008(255145)

String ID:ORA_GRANTABLE_PRIV


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



Grantable rolesThis check reports the user names with permissions to grant roles to other users.Use the name list to exclude users for this check.

Symantec recommends that you revoke the grantable roles from any user who isnot authorized to grant it. Periodically, you can review all the userswith grantableroles to ensure that they are currently authorized to grant their grantable roles.



30

Table 2-12 Message for Grantable roles





Severity: green-0

Correctable: false




Title:Grantable role

Description: Theuser can grant therole. Verify that theuser is authorizedto grant the role.

■ UNIX (30146)

■ Windows 2003(242146)

■ Windows 2008(255146)

String ID:ORA_GRANTABLE_ROLE


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



Granted prohibited rolesThis check reports the users who have been granted prohibited roles. Use thename list to exclude the prohibited roles for this check.

Symantec recommends that you remove any prohibited role.

Note:Youmust never directly grant a few default Oracle roles, the DBA (databaseadministrator) role, and the connect role to the users.



Table 2-13 Message for Granted prohibited roles





Severity: yellow-1

Correctable: false




Title: Prohibitedrole granted

Description: Thereare a few defaultOracle roles thatshould never bedirectly granted tousers, such as dbaand connect.

■ UNIX (30149)

■ Windows 2003(242149)

■ Windows 2008(255149)

String ID:ORA_ROLE_GRANTED


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



Inactive database accountsThis check reports the inactive user accounts with their inactive status, date, andaccount creation date. Periodically, you must review the user accounts to ensurethat they are current and authorized.



32

Table 2-14 Message for Inactive database accounts





Severity: green-0

Correctable: false




Title: Inactivedatabase account

Description: Theinactive useraccount is reportedwith its inactivestatus anddate thatthe account wascreated. Verify thatthe account iscurrentlyauthorized. Dropunauthorizedor outof date accounts.

■ UNIX (30150)

■ Windows 2003(242150)

■ Windows 2008(255150)

String ID:ORA_INACTIVE_USER_ACCT


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



New database accountsThis check reports the user accounts that were added to the database after thelast snapshot update. Use the name list to exclude the users for this check.

If the new account is authorized, Symantec recommends that you either updatethe snapshot or delete it.



Table 2-15 Message for New database accounts





Severity: yellow-1

Correctable: false




Title: New databaseaccount

Description: Theuser account wasadded to thedatabase after thelast snapshotupdate. If the newaccount isauthorized, updatethe snapshot. If thenew account is notauthorized, dropthe account.

■ UNIX (30141)

■ Windows 2003(242141)

■ Windows 2008(255141)

String ID:ORA_USER_ACCT_ADDED


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



New directly-granted privilegesThis check reports the userswith the privileges thatwere directly granted to themafter the last snapshot update. Use the name list to exclude the users for thischeck. Generally, to reducemaintenance the privileges are often granted in roles.

If the user is authorized for this privilege, Symantec recommends that you eitherupdate the snapshot or revoke the privilege.



34

Table 2-16 Message for New directly granted privileges





Severity: yellow-1

Correctable: false




Title: New privilegegranted to user

Description: Theuser was directlygranted theprivilege that isreported in theUserPrivilege field afterthe last snapshotupdate. If the useris authorized forthis privilege,update thesnapshot. If theuser is notauthorized for thisprivilege, revokethe privilege.

■ UNIX (30137)

■ Windows 2003(242137)

■ Windows 2008(255137)

String ID:ORA_USER_PRIV_ADDED


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



New directly-granted rolesThis check reports the user names with the roles that were directly granted tothem after the last snapshot update. The check does not report the roles that arenested in directly-granted roles. Use the name list to exclude users for this check.

If the user is authorized, Symantec recommends that you either update thesnapshot or revoke it from the users.



Table 2-17 Message for New directly granted roles





Severity: yellow-1

Correctable: false




Title: New roledirectly granted touser

Description: Theuser role wasdirectly grantedafter the lastsnapshot update. Ifthe user isauthorized for therole, update thesnapshot. If theuser is notauthorized for therole, revoke therole.

■ UNIX (30136)

■ Windows 2003(242136)

■ Windows 2008(255136)

String ID:ORA_USER_ROLE_ADDED


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



OS authenticated usersThis check reports the users who are authenticated only by the operating system,without Oracle authentication. Use the name list to exclude the users for thischeck.

In a testing or a development environment, you can log on to Oracle databasewithout providing a user name and password; however, Symantec recommendsthat you must not follow this method of authentication on a productionenvironment. We also recommend that you change the user’s passwordauthentication from external to local and enable the Oracle authentication to addanother level of security.


36


Table 2-18 Message for OS authenticated users





Severity: yellow-1

Correctable: false




Title: UserauthenticatedbyOSonly

Description: Theuser isauthenticated onlyby the operatingsystem and can logon to Oraclewithout providing auser name andpassword. RequireOracleauthentication toadd another level ofsecurity.

■ UNIX (30132)

■ Windows 2003(242132)

■ Windows 2008(255132)

String ID:ORA_USER_AUTHORIZED_EXTERNAL


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



Oracle system identifiers (SIDs)Use the name list to include or exclude the Oracle system identifiers (SIDs) forthis check. By default, the check examines all the SIDs that you specify when youconfigure the Symantec ESMmodules for the Oracle databases. OnWindows, theSymantec ESM modules for Oracle databases configuration are stored in\esm\config\oracle.dat file. On UNIX, the Symantec ESM modules for Oracledatabases configuration are stored in /esm/config/oracle.dat file.


Password-protected default roleThis check reports the userswhohave been granted the password-protected rolesas default roles. Verify that the users are authorized to use the roles withoutentering passwords.

Symantec recommends that for anunauthorizeduser, you either assign adifferentdefault role to the user or remove the password protection from the role.


Table 2-19 Message for Password-protected default role





Severity: yellow-1

Correctable: false




Title: Default rolewith passwordprotection

Description: Theuser's default role isdefined in thedatabase aspasswordprotected.Verify that the useris authorized to usethe role withoutentering apassword. Torequire the user toenter a password touse the role, set therole as anon-default role.

■ UNIX (30147)

■ Windows 2003(242147)

■ Windows 2008(255147)

String ID:ORA_DEFAULT_ROLE_WITH_PASSWORD


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)




38

PrivilegesUse the name list to include or exclude the systemprivileges for theGrantableandDirectly-granted privileges checks to report on.

RolesUse thename list to exclude or include the roles for theDirectly-grantedrolesandGrantable roles checks to report on.

Users in OS DBA groupsThis check reports theuserswhocanconnect to adatabase as INTERNAL, SYSDBA,or SYSOPER. The check also reports users who connect as members of ORA_DBAand ORA_OPER groups.

Use the name list to exclude the users (usually administrators) and include theOS database administrator groups for this check.

Symantec recommends that you remove the unauthorized users from theOSDBAgroups.



Table 2-20 Message for Users in OS DBA groups





Severity: red-4

Correctable: false




Title: User in OSDBA group

Description: Theuser can connect tothe database asINTERNAL,SYSDBA, orSYSOPER, andstartyour database, shutit down, andperform othersystem operations.If the user is not anauthorizedadministrator,remove the userfrom the OS DBAgroup.

■ UNIX (30130)

■ Windows 2003(242130)

■ Windows 2008(255130)

String ID:ORA_UNAUTHORIZED_INTERNAL


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



Users to checkUse the name list to include or exclude the prohibited roles for the Grantedprohibited roles check to report on.

Users to skip in OS DBA groupsUse the name list to exclude the users for the Users in OSDBA groups check. Bydefault, all users in each group are included.


40

Globally authenticated usersThis check reports theusers that are authenticatedglobally bySSL,whosedatabaseaccess is through global roles, authorized by an enterprise directory. Use theUsers to Skip name list to exclude the users from reporting.

A centralized directory service, which is outside of the database,manage the userswithout Oracle authentication. You require Oracle user authentication foradditional identity verification.


Table 2-21 Message for Globally authenticated users





Severity: yellow-1

Correctable: false




Title: Userauthenticatedglobally

Description: Theuser isauthenticated bySSL and themanagement of thisuser is done outsideof the database bythe centralizeddirectory service.The user can log onto Oracle databasewithout providing auser name andpassword. Usersrequire Oracleauthentication toadd one more levelof security.

■ UNIX (30152)

■ Windows 2003(2421052)

■ Windows 2008(255152)

String ID:ORA_USER_AUTHORIZED_GLOBAL



Table 2-21 Message for Globally authenticated users (continued)





Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



About the Oracle Auditing moduleThis module checks for the auditing setup that is based on the options that youhave specified.

Establishing a baseline snapshotTo establish a baseline, run the Symantec ESM module for auditing Oracledatabases. This creates a snapshot of the current audit information that you canupdate when you run the checks for new, deleted, or changed information.

Editing default settingsUse this check to edit the default settings of all the security checks in themodule.

Reporting audit status and accessThe checks in this group report whether auditing is enabled and who has accessto the audit trail database.

Audit reporting methodsThe success or failure of an audited operation is identified by the followingOraclecodes, separated by the forward slash (/) character:

■ A indicates reporting is BY ACCESS.

■ S indicates reporting is BY SESSION.

Understanding the ESM Oracle Database ModulesAbout the Oracle Auditing module

42

Table 2-22 lists the reporting methods.

Table 2-22 Reporting methods

Description of reportMethod

Every successful and failed operationA/A

Every successful operation, but only sessions in which failedoperations occur

A/S

Every session in which successful and failed operations occurS/S

Every session in which an operation was successful and everyfailed operation

S/A

Reporting statement auditsThe checks in this group report SQL statements that are audited. Security checksreport statements that were set or removed for auditing and statements with thesuccess or the failure reporting methods that changed after the last snapshotupdate.

Audits at the statement level can require considerable resources. BY ACCESS (A)reporting consumes more resources than BY SESSION (S) reporting.

Reporting object auditsThe first check of this group reports the objects that are audited. The second andthird checks report the objects that were set for auditing and removed fromauditing after the last snapshot update. The fourth check reports the objects withthe reporting methods that were changed after the last snapshot update.

There are 16 options for audited objects.

Table 2-23 lists the audits that this check reports on.

Table 2-23 Audited object options

DescriptionOptionAudit number

ALTERALT1

AUDITAUD2

COMMENTCOM3

DELETEDEL4

43Understanding the ESM Oracle Database ModulesAbout the Oracle Auditing module

Table 2-23 Audited object options (continued)

DescriptionOptionAudit number

GRANTGRA5

INDEXIND6

INSERTINS7

LOCKLOC8

RENAMEREN9

SELECTSEL10

UPDATEUPD11

REFERREF12

EXECUTEEXE13

CRETECRE14

READREA15

WRITEWRI16

Note: Unavailable and unaudited options appear as -/-. For example, with A/A inthe fourth position, every auditable DEL operation is recorded as successful orfailed. A/S reports every auditable DEL operation that is successful, but only thesessions that contain one or more failed operations.

Reporting privilege auditsThe first of these checks report the privileges that are audited. The second andthird checks report the privileges that were set for auditing and removed fromauditing after the last snapshot update. The fifth check reports the privilegeswiththe reporting methods that were changed after the last snapshot update.

Audit settingsThis check reports the audit settings that do not match the settings that arespecified in the template file. Use the name list to enable or disable the templatefiles.



44

Table 2-24 Message for Template - Oracle Auditing





Severity: red-4

Correctable: false




Title: Audit settingsmismatch

Description: Theaudit settings thatare present in thedatabase do notmatch with thesettings that arespecified in thetemplate file. Formore information,refer thecorrespondingInformationcolumn.

■ UNIX (31152)

■ Windows 2003(243152)

■ Windows 2008(256152)

String ID:ORA_AUDIT_R


Severity: yellow-1

Correctable: false






■ UNIX (31153)

■ Windows 2003(243153)

■ Windows 2008(256153)

String ID:ORA_AUDIT_Y



Table 2-24 Message for Template - Oracle Auditing (continued)





Severity: green-0

Correctable: false






■ UNIX (31154)

■ Windows 2003(243154)

■ Windows 2008(256154)

String ID:ORA_AUDIT_G


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



Audit trail enabledThis check reports whether an audit trail is available for the SID.

Symantec recommends that while you are in the production environment, toensure that the audit trail is enabled you must set the AUDIT_TRAIL parameterto DB or OS.



46

Table 2-25 Message for Audit trail enabled





Severity: red-4

Correctable: false




Title: Auditing notenabled for the SID

Description: AnAUDIT_TRAILsetting of NONEindicates auditing isnot enabled andaudit trails are notbeing generated.Enable auditing tomonitor databaseactivities andensure thatcorporate securitypolicies areimplemented.

■ UNIX (31138)

■ Windows 2003(243138)

■ Windows 2008(256138)

String ID:ORA_AUDIT_DISABLE


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



Audit trail protectionThis check reports the users and the roles that have the privileges that allow themto make changes or deletions to the audit trail database.

Symantec recommends that you grant access to the audit trail database only toadministrators or users with administrator roles. You can drop the role from theuser if the user is not authorized to access the audit trail database and at the sametime you can drop the privilege of an inappropriately defined role. You mustensure that the auditing options of DEL, INS, and UPD for SYS.AUD$ are setproperly to A/A in the dba_obj_audit_opts.



Table 2-26 Message for Audit trail protection





Severity: yellow-2

Correctable: false




Title: Audit trailprotection

Description: Theuser has access tothe audit trail table.Verify that the useris authorized tochangeor delete theaudit trail table.Verify that thisright is appropriatefor the user's roleand that auditingoptions DEL, INS,and UPD forSYS.AUD$ are setproperly to A/A indba_obj_audit_opts.

■ UNIX (31139)

■ Windows 2003(243139)

■ Windows 2008(256139)

String ID:ORA_AUDIT_PROTECTION


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



Auditing objectsUse the name list to include or exclude the object such as tables or views that areto be included for the object auditing.

Auditing optionsUse the name list to include or exclude the object such as tables or views that areto be included for the object auditing.


48

Auditing privilegesUse the name list to include or exclude the privileges for the privilege auditingchecks.


Changed object auditingThis check reports the audited user objects with the Success/Failure reportingmethods that changed after the last snapshot update and their current reportingmethods.

If the change is authorized, Symantec recommends that you either update thesnapshot or restore the previous settings.



Table 2-27 Message for Changed object auditing





Severity: yellow-1

Correctable: false




■ UNIX (31147)

■ Windows 2003(243147)

■ Windows 2008(256147)

String ID:ORA_CHANGED_OBJ_AUDITING



50

Table 2-27 Message for Changed object auditing (continued)





Title: Objectauditing changed

Description:Success/Failurereporting methodsof the named objectoption werechanged since thelast snapshotupdate. For Oracle8and later, sixteenobject options arerepresented in theorder ALT, AUD,COM, DEL, GRA,IND, INS, LOC,REN,SEL,UPD,REF,EXE,CRE, REA, WRI.Oracle7 uses onlythe first thirteenoptions.Unavailable andunaudited optionsappear as -/-.Success/Failurereporting methodsare an A (BYACCESS) or anS (BYSESSION) on eachside of the slash.For example, withA/A in the fourthposition, everyauditable DELoperation isrecorded assuccessful or failed.A/S reports everyauditable DELoperation that is


Table 2-27 Message for Changed object auditing (continued)





successful, but onlysessions thatcontain oneormorefailed operation. Ifthe change isauthorized, updatethe snapshot. If thechange is notauthorized, restorethe previousmethods.

Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



Changed privilege auditingThis check reports the audited user privileges with Success/Failure reportingmethods that changed after the last snapshot update.Use thename list to excludethe users for this check.

If the change is authorized, Symantec recommends that you either update thesnapshot or restore the previous audit settings.



52

Table 2-28 Message for Changed privilege auditing





Severity: yellow-1

Correctable: false




Title: Privilegeauditing changed

Description: TheSuccess/FailureUpdate reportingmethods of theaudited privilegechanged after thelast snapshotupdate. The currentmethod isdisplayed. If thechange isauthorized, updatethe snapshot. If thechange is notauthorized, restorethe the previousreporting methods.

■ UNIX (31143)

■ Windows 2003(243143)

■ Windows 2008(256143)

String ID:ORA_CHANGED_PRIV_AUDITING


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



Changed statement auditingThis check reports the audited user statementswith the Success/Failure reportingmethods that changed after the last snapshot update.Use thename list to excludethe users for this check.

If the change is authorized, Symantec recommends that you either update thesnapshot or restore the previous statement settings.



Table 2-29 Message for Changed statement auditing





Severity: yellow-1

Correctable: false




Title: Statementauditing changed

Description: TheSuccess/Failurereporting methodsof the SID's userstatement changedafter the lastsnapshot update.BY ACCESS reportsevery instance, andBYSESSIONreportsevery session, inwhich thestatement isexecuted. Ifauditing thestatement isauthorized and thereporting methodsare appropriate,update thesnapshot. If theauditing is notauthorized,deactivate theaudit.If the reportingmethods are notappropriate, correctthem.

■ UNIX (31151)

■ Windows 2003(243151)

■ Windows 2008(256151)

String ID:ORA_CHANGED_STMT_AUDITING


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)




54

Deleted object auditingThis check reports the user objects and the object options thatwere removed fromauditing after the last snapshot update. Use the name list to exclude the users forthis check.

If the deletion is authorized, Symantec recommends that you either update thesnapshot or restore audit of the object.


Table 2-30 Message for Deleted object auditing





Severity: yellow-1

Correctable: false




Title: Deleted objectauditing

Description:Auditing of the userobject was droppedafter the lastsnapshot update. Ifthe change isauthorized, updatethe snapshot. If thechange is notauthorized, restorethe auditing of theobject.

■ UNIX (31146)

■ Windows 2003(243146)

■ Windows 2008(256146)

String ID:ORA_DELETED_OBJ_AUDITING


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



Deleted privilege auditingThis check reports the user privileges that were removed from auditing after thelast snapshot update. Use the name list to exclude the users for this check.


If the deletion is authorized, Symantec recommends that you either update thesnapshot or restore the user privilege to auditing.

Table 2-31 Message for Deleted privilege auditing





Severity: yellow-1

Correctable: false




Title: Deletedprivilege auditing

Description: Theuser privilege wasremoved fromauditing after thelast snapshotupdate. If thedeletion isauthorized, updatethe snapshot. If thedeletion is notauthorized, restorethe user privilege toauditing.

■ UNIX (31142)

■ Windows 2003(243142)

■ Windows 2008(256142)

String ID:ORA_DELETED_PRIV_AUDITING


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



Deleted statement auditingThis check reports the user statements that were removed from auditing afterthe last snapshot update. Use the name list to exclude the users for this check.

If the statement deletion is authorized, Symantec recommends that you eitherupdate the snapshot or restore the audit settings.



56

Table 2-32 Message for Deleted statement auditing





Severity: yellow-1

Correctable: false




Title: Deletedstatement auditing

Description: Theuser statement wasremoved fromauditing after thelast snapshotupdate. If thedeletion isauthorized, updatethe snapshot. If it isnot authorized,restore the auditsetting.

■ UNIX (31150)

■ Windows 2003(243150)

■ Windows 2008(256150)

String ID:ORA_DELETED_STMT_AUDITING


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



New object auditingThis check reports theuser objects thatwere set for auditing after the last snapshotupdate, and the Success/Failure reporting methods that are used. Use the namelist to exclude the users for this check.

If the auditing of the object is authorized, Symantec recommends that you eitherupdate the snapshot or remove the object fromauditing. If the reportingmethodsare incorrect then you must correct them.



Table 2-33 Message for New object auditing





Severity: yellow-1

Correctable: false




■ UNIX (31145)

■ Windows 2003(243145)

■ Windows 2008(256145)

String ID:ORA_NEW_OBJ_AUDITING



58

Table 2-33 Message for New object auditing (continued)





Title: New objectauditing

Description: Theuser object was setfor auditing afterthe last snapshotupdate. For Oracle8and later, sixteenobject options arerepresented in theorder ALT, AUD,COM, DEL, GRA,IND, INS, LOC,REN,SEL,UPD,REF,EXE,CRE, REA, WRI.Oracle7 uses onlythe first thirteenoptions.Unavailable andunaudited optionsappear as -/-.Success/Failurereporting methodsare an A (BYACCESS) or anS (BYSESSION) on eachside of the slash.For example, withA/A in the fourthposition, everyauditable DELoperation isrecorded assuccessful or failed.A/S reports everyauditable DELoperation that issuccessful, but onlysessions thatcontain oneormore


Table 2-33 Message for New object auditing (continued)





failed operation. Ifauditing of theobject is authorized,update thesnapshot. If it is notauthorized, rop theobject fromauditing.

Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



New privilege auditingThis check reports the user privileges that were set for auditing after the lastsnapshot update and the Success/Failure reporting methods that are used. Usethe name list to exclude the users for this check.

If the new privilege and its reporting methods are authorized, Symantecrecommends that you update the snapshot. If the new privilege is not authorizedthen you must change the privileges. If the user is unauthorized for the privilegethen you must remove the privilege from the user.



60

Table 2-34 Message for New privilege auditing





Severity: yellow-1

Correctable: false




Title: New privilegeauditing

Description: Theuser privilege wasset for auditingwiththe specifiedSuccess/Failurereporting methodssince the lastsnapshot update. Ifauditing theprivilege isauthorized, updatethe snapshot.Remove theprivilege fromauditing if it is notauthorized.

■ UNIX (31141)

■ Windows 2003(243141)

■ Windows 2008(256141)

String ID:ORA_NEW_PRIV_AUDITING


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



New statement auditingThis check reports the SQL statements that were set for auditing after the lastsnapshot update, and the Success/Failure reporting methods that are used. Usethe name list to exclude the users for this check.

Symantec recommends that you remove all unauthorized or out-to-datestatements. You must update the snapshot if the auditing of statement isauthorized and the reporting method is correct. You must deactivate the audit ifthe auditing of the statement is not authorized. You must change the reporting


methods if the reporting methods are inappropriate for the available resourcesand perceived risks.


Table 2-35 Message for New statement auditing





Severity: yellow-1

Correctable: false




Title: Newstatement auditing

Description: TheSID's userstatement and itsauditingSuccess/Failurereporting methodsare reported in theInfo field. BYACCESS reportsevery time thestatement isexecuted, and BYSESSION reportsevery session inwhich thestatement isexecuted. Ifauditing thestatement isauthorized and thereporting methodsare appropriate,update thesnapshot. Ifauditing thestatement is notauthorized,deactivate theauditing. If thereporting methodsarenot appropriate,correct them.

■ UNIX (31149)

■ Windows 2003(243149)

■ Windows 2008(256149)

String ID:ORA_NEW_STMT_AUDITING



62

Table 2-35 Message for New statement auditing (continued)





Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



Object auditingThis check reports the user objects that are audited and the Success/Failurereporting methods that are used. Use the name list to exclude the users for thischeck.

Symantec recommends that you removeall unauthorizedorout-of-date statementsfrom auditing. Periodically, you must review audited objects to ensure that theaudit is currently authorized and the reporting methods are appropriate for theavailable resources and perceived risks.



Table 2-36 Message for Object auditing





Severity: green-0

Correctable: false




■ UNIX (31144)

■ Windows 2003(243144)

■ Windows 2008(256144)

String ID:ORA_OBJ_AUDITING



64

Table 2-36 Message for Object auditing (continued)





Title: Objectauditing

Description: Theuser object isaudited. ForOracle8and later, sixteenobject options arerepresented in theorder ALT, AUD,COM, DEL, GRA,IND, INS, LOC,REN,SEL,UPD,REF,EXE,CRE, REA, WRI.Oracle7 uses onlythe first thirteenoptions.Unavailable andunaudited optionsappear as -/-.Success/Failurereporting methodsare an A (BYACCESS) or anS (BYSESSION) on eachside of the slash.For example, withA/A in the fourthposition, everyauditable DELoperation isrecorded assuccessful or failed.A/S reports everyauditable DELoperation that issuccessful, but onlysessions thatcontain oneormorefailed operation.Verify that the user


Table 2-36 Message for Object auditing (continued)





object should beaudited and that thereportingmethod isappropriate.

Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



Oracle system identifiers (SIDs)Use the name list to include or exclude the Oracle system identifiers (SIDs) forthis check. By default, the check examines all the SIDs that you specify when youconfigure the Symantec ESMmodules for theOracle databases. OnWindows, TheSymantec ESM modules for Oracle databases configuration are stored in\esm\config\oracle.dat file. On UNIX, the Symantec ESM modules for Oracledatabases configuration are stored in /esm/config/oracle.dat file.

Privilege auditingThis check reports the user privileges that are audited, and the Success/Failurereporting methods that are used. Use the name list to exclude the users for thischeck.

Symantec recommends that you periodically review the privilege auditing toensure that the audits are currently authorized and that the reporting methodsare appropriate for available resources and perceived risks.



66

Table 2-37 Message for Privilege auditing





Severity: green-0

Correctable: false




Title: Privilegeauditing

Description: Theuser privilege isaudited and thespecifiedSuccess/Failurereporting methodsareused.Verify thatthis user privilegeshould be auditedand that thereportingmethod isappropriate.

■ UNIX (31140)

■ Windows 2003(243140)

■ Windows 2008(256140)

String ID:ORA_PRIV_AUDITING


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



Statement auditingThis check reports the user SQL statements that are audited and theSuccess/Failure reporting methods that are used. Use the name list to excludethe users for this check.

Symantec recommends that you remove all unauthorized or out-of-datestatements. Youmust ensure that you use appropriate reportingmethods for theavailable resources and perceived risks.



Table 2-38 Message for Statement auditing





Severity: green-0

Correctable: false




Title: Statementauditing

Description: Theuser SQL statementis audited, using theSuccess/Failurereporting reportingmethods that arereported in the Infofield. BY ACCESSreports everyinstance, and BYSESSION reportsevery session, inwhich thestatement isexecuted. Verifythat auditing thestatement isauthorized and thereportingmethod isappropriate.

■ UNIX (31148)

■ Windows 2003(243148)

■ Windows 2008(256148)

String ID:ORA_STMT_AUDITING


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



About the Oracle Configuration moduleThis module checks for the Oracle settings that can affect the security of thesystem.

Understanding the ESM Oracle Database ModulesAbout the Oracle Configuration module

68

Editing default settingsUse the checks in this group to edit the settings of all the security checks.

Reporting Oracle version informationThe checks in this group report Oracle version, status, trace, and alert log fileinformation.

For the location of USER_DUMP_DEST files, use Trace file.

For the maximum size of trace files, specified by MAX_DUMP_FILE_SIZE, useTrace file size.

Reporting link password encryptionThe checks in this group report whether encryption is required for the databaselink passwords.

Reporting operating system account prefixesThe checks in this group report prefixes for operating system accounts andwhether SELECT and SYSTEM privileges are required to change table columnvalues.

Reporting parameter valuesThe checks in this group report the Oracle configuration parameter values.

Report all configured DB linksThis check retrieves information on all the database links that are configured.

The following table lists the messages for the check.

69Understanding the ESM Oracle Database ModulesAbout the Oracle Configuration module

Table 2-39 Messages for Report all configured DB links





Severity: green-0

Correctable: false




Title:Database linksconfigured

Description: Referto the Informationfield to viewinformation on theconfigureddatabaselink.

■ UNIX (30661)

■ Windows 2003(242661)

■ Windows 2008(255661)

String ID:ORA_DB_LINK


Report only fixed user configured DB linksWhenrunalongwith theReportallconfiguredDBlinks check, this check retrievesinformation only on the fixed user configured database links.

Table 2-40 Messages for Report all configured DB links





Severity: green-0

Correctable: false




Title:Database linksconfigured

Description: Referto the Informationfield to viewinformation on theconfigureddatabaselink.

■ UNIX (30661)

■ Windows 2003(242661)

■ Windows 2008(255661)

String ID:ORA_DB_LINK


Alert fileThis check reports the location of debugging trace files for background processessuch as LGWR and DBWR. The Alert_[SID].log file at this location containsinformation for global and instance operations.



70

Table 2-41 Message for Alert file





Severity: green-0

Correctable: false




Title: Directorypath for alert files

Description: Thelocation of SIDtrace files that areused for Oraclebackgroundprocesses isreported in the Infofield.BACKGROUND_DUMP_DESTspecifies thelocation.

■ UNIX (30633)

■ Windows 2003(242633)

■ Windows 2008(255633)

String ID:ORA_ALERT_FILE_DEST


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)




Control filesThis check reports the locations of the SID's control files, violations of controlfile permissions, discrepancies in control file ownership, and file status. In thePermission text box, do one of the following:

■ Specify 0 for the check to report the location and status of the SID's controlfiles.

■ Specify a permission value more restrictive than the SID's control filepermission for the check to report a violation.


You can specify the Permission values as three-digit octal numbers.

Symantec recommends that you periodically review the locations of the controlfile to ensure that they are in secure, authorized locations. If the file’s permissionsare excessive then reset the control file’s permission to match with your securitypolicy.


Table 2-42 Messages for Control files





Severity: green-0

Correctable: false




Title: Control file

Description: TheSID's control filelocation is reportedin the Redo Log Filefield.

■ UNIX (30652)String ID:ORA_CONTROLFILE


Severity: yellow-2

Correctable: false




Title: Control filepermission

Description:Permission ofcontrol files

■ UNIX (30655)String ID:ORA_CONTROLFILE_PERM


Severity: green-0

Correctable: false



Information FieldFormat: [""]

Title:Locked Oraclefile

Description: Filepermissions cannotbe reported becausethe file is beingused by anotherprocess.

■ UNIX (30008)String ID:ORA_FILE_LOCKED

Category:System Error


72

Table 2-42 Messages for Control files (continued)





Severity: green-0

Correctable: false




Title: Oracle File orfolder not found

Description: Filepermissions cannotbe reported becausethe file beingreferenced cannotbe found.

■ UNIX (30009)String ID:ORA_FILE_NOT_FOUND


Severity: green-0

Correctable: false




Title: Oracle Folderpermissions

Description:Reports Directorypermissions.

■ UNIX (300010)String ID:ORA_DIRECTORY_PERMS


Severity: green-0

Correctable: false




Title: Functionalitynot Supported

Description: Thisfunctionality is notsupported by ESMoracle app module.

■ UNIX (300011)String ID:ORA_NOT_SUPPORTED








Severity: green-0

Correctable: false




Title: Control file

Description: TheSID'sASMmanagedcontrol file locationis reported in theRedo Log File field.

■ UNIX (30059)String ID:ORA_ASM_CONTROLFILE


Severity: green-0

Correctable: false






■ UNIX (30014)String ID:ORA_SID_PROCESSED


Control filesThis check reports the locations of the SID's control files, violations of controlfile permissions, discrepancies in control file ownership, and file status.

If you specify a permission value more restrictive than the SID's control filepermission, the check reports a violation.

Symantec recommends that you periodically review the locations of the controlfile to ensure that they are in secure, authorized locations. If the file’s permissionsare excessive then reset the control file’s permission to conform to your securitypolicy.



74

Table 2-43 Messages for Control files


MessageTitle andDescription

Platform andMessage NumericID


Severity: green-0

Correctable: false




Title: Control file

Description: TheSID's control filelocation is reportedin theRedo Log Filefield.

■ Windows 2003(242652)

■ Windows 2008(255652)

String ID:ORA_CONTROLFILE


Severity: yellow-2

Correctable: false




Title: Control filepermission

Description:Permission ofcontrol files

■ Windows 2003(242655)

■ Windows 2008(255655)

String ID:ORA_CONTROLFILE_PERM


Severity: green-0

Correctable: false




Title:LockedOraclefile

Description: Filepermissions cannotbe reportedbecausethe file is beingused by anotherprocess.

■ Windows(30008)String ID:ORA_FILE_LOCKED








Severity: green-0

Correctable: false





Description: Filepermissions cannotbe reportedbecausethe file beingreferenced cannotbe found.

■ Windows(30009)String ID:ORA_FILE_NOT_FOUND


Severity: green-0

Correctable: false






■ Windows(300010)

String ID:ORA_DIRECTORY_PERMS


Severity: green-0

Correctable: false






■ Windows(300011)

String ID:ORA_NOT_SUPPORTED



76






Severity: green-0

Correctable: false




Title: Control file

Description: TheSID's ASMmanaged controlfile location isreported in theRedo Log File field.

■ Windows (59)String ID:ORA_ASM_CONTROLFILE


Severity: green-0

Correctable: false





Description: Thechecksareexecutedon the Oracle SID.

■ Windows 2003(30014)

■ Windows 2008(30014)



DB link encrypted passwordThis check examines the DBLINK_ENCRYPT_LOGIN setting to report whetherthe encrypted passwords require connecting to other Oracle servers through thedatabase links. This parameter is no longer supported on Oracle 10g and laterversions.

The first attempt to connect to another Oracle server always sends encryptedpasswords. If the reported setting is TRUE, a failed connectionwill not be retried.If FALSE, Oracle reattempts the connection with an unencrypted version of thepassword. TRUE settings provide the best protection for your database.



Table 2-44 Message for DB link encrypted password





Severity: green-0

Correctable: false




Title: Connect todatabase withencryptedpassword

Description: TheSID's encryptedpassword setting isreported in the Infofield. The firstattempt to connectto another Oracleserver always sendsencryptedpasswords. If thereported setting isTRUE, a failedconnection is not beretried. If FALSE,Oracle re-tries theconnection with anunencryptedversion of thepassword. TRUEsettings provide thebest protection foryour database.

■ UNIX (30635)

■ Windows 2003(242635)

■ Windows 2008(255635)

String ID:ORA_DBLINK_ENCRYPT


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)




78

Deleted control filesThis check reports the control files that were deleted after the last snapshotupdate.

If the deletion is authorized, Symantec recommends you to either update thesnapshot or restore the control file.


Table 2-45 Message for Deleted control files





Severity: yellow-1

Correctable: false




Title: Deletedcontrol file

Description: Thecontrol file that isreported in the Infofield was deletedafter the lastsnapshot update. Ifthe deletion isauthorized, updatethe snapshot. If thedeletion is notauthorized, restorethe control file.

■ UNIX (30654)

■ Windows 2003(242654)

■ Windows 2008(255654)

String ID:ORA_DELETED_CONTROLFILE


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



Deleted redo log filesThis check reports redo log files that were deleted after the last snapshot update.

If the deletion is authorized, Symantec recommends that you either update thesnapshot or restore the file.



Table 2-46 Message for Deleted redo log files





Severity: yellow-1

Correctable: false




Title: Deleted redolog file

Description: TheSID's redo log filethat is reported inthe Redo Log Filefield was deletedafter the lastsnapshot update. Ifthe deletion isauthorized, updatethe snapshot. If thedeletion is notauthorized, restorethe file.

■ UNIX (30650)

■ Windows 2003(242650)

■ Windows 2008(255650)

String ID:ORA_DELETED_REDOLOGFILE


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



List SID:HOME (oracle.dat)This check reports all the SIDs and their Oracle homes from the oracle.dat file.The configuration information of the Symantec ESMmodules for Oracle is storedin oracle.dat, which is located in the \esm\config directory.



80

Table 2-47 Message for List SID:HOME (oracle.dat)





Severity: green-0

Correctable: false




Title: Oracle.dat fileinformation

Description: Theoracle.dat file iscreated whileconfiguring ESMmodules for oracle.

■ UNIX (30656)

■ Windows 2003(242656)

■ Windows 2008(255656)

String ID:ORA_SID_HOME_DATFILE


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



List SID:HOME (oratab)This check reports all the SIDs and their Oracle homes from the oratab file. Theoratab file is created during the installation of Oracle server.



Table 2-48 Message for List SID:HOME (oratab)





Severity: green-0

Correctable: false




Title: Oratab fileinformation

Description: Theoratab file iscreated whileinstalling oracledatabase server.

■ UNIX (30657)String ID:ORA_SID_HOME_TABFILE


Severity: green-0

Correctable: false








New control filesThis check reports the control files thatwere added after the last snapshot update.

If the addition is authorized, Symantec recommends you to either update thesnapshot or delete the new control file.



82

Table 2-49 Message for New control files





Severity: yellow-1

Correctable: false




Title: New controlfile

Description: Thecontrol file that isreported in the Infofield was added tothe SID after thelast snapshotupdate. If theaddition isauthorized, updatethe snapshot. If theaddition is notauthorized, deletethe new control file.

■ UNIX (30653)

■ Windows 2003(242653)

■ Windows 2008(255653)

String ID: ORA_ADDED_CONTROLFILE


Severity: green-0

Correctable: false






■ Windows 2003(30014)

■ Windows 2008(30014)



New redo log filesThis check reports redo log files that were added after the last snapshot update,their locations, and the status of the files. Use the name list to exclude the redolog file status reporting for this check.

If the addition is authorized, Symantec recommends that you either update thesnapshot or delete the new redo log file.



Table 2-50 Message for New redo log files





Severity: yellow-1

Correctable: false




Title: New redo logfile

Description: TheSID's new redo logfile was added tothe location that isreported in theRedo Log File fieldafter the lastsnapshot update. Ifthe addition isauthorized, updatethe snapshot. If theaddition is notauthorized, deletethe new redo logfile.

■ UNIX (30649)

■ Windows 2003(242649)

■ Windows 2008(255649)

String ID: ORA_ADDED_REDOLOGFILE


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



Oracle componentsThis check reports the version number and status of all Oracle components,including the version and status of the Oracle server.



84

Table 2-51 Message for Oracle components





Severity: green-0

Correctable: false




Title: Oracleproduct componentversion

Description: Theversion and statusof the Oraclecomponent arereported in the Infofield.

■ UNIX (30631)

■ Windows 2003(242631)

■ Windows 2008(255631)

String ID:ORA_PRODUCT_COMPONENT_VERSION


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



Oracle configuration watchThis check reports the unmatched initialization and configuration parametersthat are defined in the templates. Use the name list to include the template filefor this check.



Table 2-52 Messages for Oracle configuration watch





Severity: red-4

Correctable: false



InformationFieldFormat: [%s]

Title: Red levelcondition

Description: Thevalue of the SID'sparameter atruntime, which isreported in theInfo field, violatesthe conditions ofthe correspondingparameter in theOracleConfigurationWatch template atthe Red severitylevel. See the Infofield for details.

■ UNIX (30641)

■ Windows2003 (242641)

■ Windows2008 (255641)

String ID:ORA_ORC_RUNTIME_RED

Category: Policy Compliance

Severity:yellow-1

Correctable: false




Title: Yellow levelcondition

Description: Thevalue of the SID'sparameter atruntime, which isreported in theInfo field, violatesthe conditions ofthe correspondingparameter in theOracleConfigurationWatch template attheYellow severitylevel. See the Infofield for details.

■ UNIX (30642)

■ Windows2003 (242642)

■ Windows2008 (255642)

String ID:ORA_ORC_RUNTIME_YELLOW



86

Table 2-52 Messages for Oracle configuration watch (continued)





Severity: green-0

Correctable: false




Title: Green levelcondition

Description: Thevalue of the SID'sparameter atruntime, which isreported in theInfo field, violatesthe conditions ofthe correspondingparameter in theOracleConfigurationWatch template atthe Green severitylevel. See the Infofield for details.

■ UNIX (30643)

■ Windows2003 (242643)

■ Windows2008 (255643)

String ID:ORA_ORC_RUNTIME_GREEN


Severity: red-4

Correctable: false





Description: Thevalue of theparameter that isdefined for the SIDin the initializationfile violates theconditions of thecorrespondingparameter in theOracleConfigurationWatch template atthe red severitylevel. See the Infofield for details.

■ UNIX (30644)

■ Windows2003 (242644)

■ Windows2008 (255644)

String ID:ORA_ORC_INITFILE_RED








Severity:yellow-1

Correctable: false





Description: Thevalue of theparameter that isdefined for the SIDin the initializationfile violates theconditions of thecorrespondingparameter in theOracleConfigurationWatch template atthe yellow severitylevel. See the Infofield for details.

■ UNIX (30645)

■ Windows2003 (242645)

■ Windows2008 (255645)

String ID:ORA_ORC_INITFILE_YELLOW


Severity: green-0

Correctable: false





Description: Thevalue of theparameter that isdefined for the SIDin the initializationfile violates theconditions of thecorrespondingparameter in theOracleConfigurationWatch template atthe green severitylevel. See the Infofield for details.

■ UNIX (30646)

■ Windows2003 (242646)

■ Windows2008 (255646)

String ID:ORA_ORC_INITFILE_GREEN



88






Severity: green-0

Correctable: false




Title: RequiredOracle parameternot found

Description: Eitherthe init script ismissing an Oracleparameter that thetemplate specifiesas required, or anOracle runtimeprarameter that isspecified in thetemplate was notset in the runninginstance of Oracle.

■ UNIX (30647)

■ Windows2003 (242647)

■ Windows2008 (255647)

String ID:ORA_ORC_PARAMETER_NOT_FOUND

Category: System Error

Severity: green-0

Correctable: false




Title: Oracleconfigurationparameter

Description: TheOracleconfigurationparameter value.

■ UNIX (30658)

■ Windows2003 (242658)

■ Windows2008 (255658)

String ID:ORA_CONFIG_PARA_VALUE

Category: System Information

Severity: green-0

Correctable: false




Title: ESM checksexecuted onOracleSID


■ UNIX (30014)

■ Windows2003 (30014)

■ Windows2008 (30014)


Category: ESM AdministrativeInformation


Oracle system identifiers (SIDs)Use the name list to include or exclude the Oracle system identifiers (SIDs) forthis check. By default, the check examines all the SIDs that you specify when youconfigure the Symantec ESMmodules for the Oracle databases. OnWindows, theSymantec ESM modules for Oracle databases configuration are stored in\esm\config\oracle.dat file. On UNIX, the Symantec ESM modules for Oracledatabases configuration are stored in /esm/config/oracle.dat file.

Prefix for OS accountThis check reports the characters that are attached to the beginning of accountnames that operating systems authenticate. OS_AUTHENT_PREFIX specifies thecharacters. The default OPS$ prefix gives you access to a database from theoperating system by typing a slash (/) instead of the username/password string.


Table 2-53 Message for Prefix for OS account





Severity: green-0

Correctable: false




Title: Prefix for OSaccount

Description: Thedefault OPS$ prefixgives a user accessto a database fromthe operatingsystem by typing aslash (/) instead oftheusername/passwordstring.

■ UNIX (30636)

■ Windows 2003(242636)

■ Windows 2008(255636)

String ID:ORA_OS_AUTHENT_PREFIX


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)




90

Redo log filesThis check reports the locations of the SID's redo log files, the violations of redolog file permissions, the discrepancies in the redo log file ownerships, and the filestatus. In the Permission field, do one of the following:

■ Specify 0 for the check to report the location and the status of the SID redolog file.

■ Specify a permission value more restrictive than the SID's redo log filepermission for the check to report an error.

The check reports an error message, if the SID redo log file ownership (UID/GID)does not match with the ownership that you specify in the Oracle database. Youcan specify the permission values as three-digit octal numbers.

Use the name list to include or exclude the status of the files for this check. Thepossible file status values are INVALID, STALE, DELETED, and INUSED.

Symantec recommends that you periodically review the redo log file location toensure that they are in a secure, authorized locations. If the file’s permissions areexcessive then reset the redo log files permission to match with your securitypolicy. If the owner of the redo log file is not authorized for the file then youmustimmediately take ownership of the file and review it for possible tampering.


Table 2-54 Messages for Redo log files





Severity: green-0

Correctable: false




Title: Redo log file

Description: TheSID's redo log filesreside in thelocation that isreported in theRedo Log File field.

■ UNIX (30648)String ID:ORA_REDOLOGFILE



Table 2-54 Messages for Redo log files (continued)





Severity: yellow-2

Correctable: false




Title: Redo log filepermission

Description:Permission of redolog files

■ UNIX (30651)String ID:ORA_REDOLOGFILE_PERM


Severity: green-0

Correctable: false




Title: LockedOraclefile




Severity: green-0

Correctable: false









92






Severity: green-0

Correctable: false






■ UNIX (30010)ORA_DIRECTORY_PERMS


Severity: green-0

Correctable: false






■ UNIX (30011)ORA_NOT_SUPPORTED


Severity: green-0

Correctable: false





Description: TheSID'sASMmanagedredo log files residein the location thatis reported in theRedo Log File field.

■ UNIX (60)String ID:ORA_ASM_REDOLOGFILE








Severity: green-0

Correctable: false








Redo log fileThis check reports the locations of the SID's redo log files and permissions on thelog files in the Information field. Use the name list to include or exclude the filestatuses for this check. The file status values are INVALID, STALE, DELETED,INUSED. In the Permission field, do one of the following:

■ Specify 0 for the check to report the location and the status of the SID redolog file.

■ Specify a permission value more restrictive than the SID's redo log filepermission for the check to report an error.

Symantec recommends that you periodically review the redo log file location toensure that it is in a secure, authorized location. If the file’s permissions areexcessive, reset the redo log file’s permission to conform to your security policy.If the owner of the redo log file is not authorized for the file, immediately takeownership of the file and review it for possible tampering.



94

Table 2-55 Messages for Redo log files





Severity: green-0

Correctable: false





Description: TheSID's redo log filesreside in thelocation that isreported in theRedo Log File field.

■ Windows 2003(242648)

■ Windows 2008(255648)

String ID:ORA_REDOLOGFILE


Severity: yellow-2

Correctable: false




Title: Redo log filepermission

Description:Permission of redolog files

■ Windows 2003(242651)

■ Windows 2008(255651)

String ID:ORA_REDOLOGFILE_PERM


Severity: green-0

Correctable: false





File permissionscannot be reportedbecause the file isbeing used byanother process.

■ Windows(30008)

String ID:ORA_FILE_LOCKED








Severity: green-0

Correctable: false






■ Windows(30009)

String ID:ORA_FILE_NOT_FOUND


Severity: green-0

Correctable: false






■ Windows(30010)



Severity: green-0

Correctable: false






■ Windows(30011)




96






Severity: green-0

Correctable: false





Description: TheSID'sASMmanagedredo log files residein the location thatis reported in theRedo Log File field.

■ Windows (60)String ID:ORA_ASM_REDOLOGFILE


Severity: green-0

Correctable: false






■ Windows 2003(30014)

■ Windows 2008(30014)



Remote login password fileThis check reports whether the value of the REMOTE_LOGIN_PASSWORDFILEparameter matches with the value that you specify in the Parameter Value textbox. Use the name list to include or exclude the values for this check. The defaultvalue is None.

Symantec recommends that you change the value of theREMOTE_LOGIN_PASSWORDFILEparameter tomatchwith your security policy.



Table 2-56 Message for Remote login password file





Severity: yellow-3

Correctable: false




Title: Remote loginpassword file

Description: Thevalue of theREMOTE_LOGIN_PASSWORDFILEparameter is notacceptable.

■ UNIX (30639)

■ Windows 2003(242639)

■ Windows 2008(255639)

String ID:ORA_REMOTE_LOGIN_PASSWORDFILE


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



Restrictions on system privilegesThis check reports whether access to objects in the SYS schema is allowed whileyou migrate from Oracle 7 to Oracle 8.

You must set the parameter to FALSE. If you set the parameter to TRUE, thenaccess to objects in the SYS schema is allowed. You can specify the settings byusing the 07_DICTIONARY_ACCESSIBILITY parameter.



98

Table 2-57 Messages for Restrictions on system privileges





Severity: green-0

Correctable: false




Title: Restrictionson systemprivileges

Description: IfFALSE is reportedin the Info field,system privilegesthat allow access toobjects in anyschemadonot allowaccess to objects inSYS schema. IfTRUE, access toobjects in the SYSschema is allowed(Oracle7 behavior).O7_DICTIONARY_ACCESSIBILITYspecifies thesetting.

■ UNIX (30638)

■ Windows 2003(242638)

■ Windows 2008(255638)

String ID:ORA_O7_DICTIONARY_ACCESSIBILITY


Severity: yellow-3

Correctable: false




Title: Remote loginpassword file

Description: Thevalue of theREMOTE_LOGIN_PASSWORDFILEparameter is notacceptable.

■ UNIX (30639)

■ Windows 2003(242639)

■ Windows 2008(255639)

String ID:ORA_REMOTE_LOGIN_PASSWORDFILE


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)




Table-level SELECT privilegesThis check reportswhether the SELECTprivileges are required to update or deletethe table column values.

If TRUE is reported, then table-level SELECT privileges are required to update ordelete table column values. If FALSE, SELECT privileges are not required.SQL92_SECURITY parameter specifies the setting.


Table 2-58 Message for Table-level SELECT privileges





Severity: green-0

Correctable: false




Title: Table-levelSELECT privileges

Description: IfTRUE is reported inthe Info field,table-level SELECTprivileges arerequired to updateor delete tablecolumn values. IfFALSE, SELECTprivileges are notrequired.SQL92_SECURITYspecifies thesetting.

■ UNIX (30637)

■ Windows 2003(242637)

■ Windows 2008(255637)

String ID:ORA_SQL92_SECURITY


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)




100

Trace file sizeThis check reports the maximum sizes of trace files that are specified byMAX_DUMP_FILE_SIZE.


Table 2-59 Message for Trace file size





Severity: green-0

Correctable: false




Title:Maximumsizefor trace files

Description: Themaximum size ofSID trace files isreported in the Infofield.

■ UNIX (30634)

■ Windows 2003(242634)

■ Windows 2008(255634)

String ID:ORA_MAX_DUMP_FILE_SIZE


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



Trace filesThis check reports the location of the trace files that are specified byUSER_DUMP_DEST.



Table 2-60 Message for Trace files





Severity: green-0

Correctable: false




Title: Location oftrace files

Description: Thelocation of SIDtrace files isreported in the Infofield.

■ UNIX (30632)

■ Windows 2003(242632)

■ Windows 2008(255632)

String ID:ORA_TRACE_FILE_DEST


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



UTL_FILE accessible directoriesThis check reports whether the value of the UTL_FILE_DIR parameter matcheswith the value that you specify in the Parameter Value text box. You can use theUTL_FILE_DIR parameter to specify one or more directories that Oracle can usefor PL/SQL file I/O. The exclude tag of the parameter value specifies acceptablevalues and the include tag specifies unacceptable values.

If the location of the UTL_FILE_DIR is not authorized, Symantec recommendsthat you change the configurationof theSID’sUTL_FILE_DIRparameter to specifyan authorized location; also update the snapshot.



102

Table 2-61 Message for UTL_FILE accessible directories





Severity: yellow-3

Correctable: false




Title: UTL_FILEaccessibledirectories

Description: Thevalue of theUTL_FILE_DIRparameter is notacceptable.

■ UNIX (30640)

■ Windows 2003(242640)

■ Windows 2008(255640)

String ID:ORA_UTL_FILE_DIR


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



About the Oracle Networks moduleThismodule checks for the oracle network configuration that you have specified.

Editing default settingsUse the name list to edit the default settings for all security checks in themodule.

Reporting SID configuration statusThe check in this group report the SIDs that are not configured.

Oracle net configuration watchThis check reports Oracle Listener, Sqlnet, and Names configuration parametervalues that violate conditions of the corresponding Oracle Net Watch template

103Understanding the ESM Oracle Database ModulesAbout the Oracle Networks module

parameters. Use the name list to enable and disable the template files for thischeck.


Table 2-62 Messages for Oracle net configuration watch





Severity: red-4

Correctable: false





Description: Theparameter valuefound in theconfiguration fileviolates theconditions of thecorrespondingparameter in theOracle Net Watchtemplate. See theInfo field fordetails.

■ UNIX (31731)

■ Windows 2003(243731)

■ Windows 2008(256731)

String ID:ORA_ORC_NETCONFIG_RED


Severity: yellow-1

Correctable: false






■ UNIX (31732)

■ Windows 2003(243732)

■ Windows 2008(256732)

String ID:ORA_ORC_NETCONFIG_YELLOW


Understanding the ESM Oracle Database ModulesAbout the Oracle Networks module

104

Table 2-62 Messages for Oracle net configuration watch (continued)





Severity: green-0

Correctable: false






■ UNIX (31733)

■ Windows 2003(243733)

■ Windows 2008(256733)

String ID:ORA_ORC_NETCONFIG_GREEN


Severity: yellow-3

Correctable: false




Title: Requiredparameter notfound

Description: Therequired netconfigurationparameter that isspecified in theOracleConfigurationWatch template isnot found for theSID. See the Infofield for details.

■ UNIX (31734)

■ Windows 2003(243734)

■ Windows 2008(256734)

String ID:ORA_ORC_NETCONFIG_PARA_MISSING


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)




Oracle system identifiers (SIDS)Use the name list to include or exclude the Oracle system identifiers (SIDs) forthis check. By default, the check examines all the SIDs that you specify when youconfigure the Symantec ESM modules for the Oracle databases. The SymantecESM modules for Oracle Databases configuration are stored in the\esm\config\oracle.dat file.

SID configurationThis check reports SIDs that are not configured for Symantec ESM modules forOracle Databases. If an oratab file resides in a different location than /etc/oratabor /var/opt/oracle/oratab, change the value in the oratab file field to specify thefull path. Use name list to exclude the SID’s for this check.


Table 2-63 Message for SID configuration





Severity: yellow-3

Correctable: false




Title: SID notconfigured formodules

Description: TheSID is notconfigured forSymantec ESMModules for OracleDatabases.

■ UNIX (31730)String ID:ORA_UNCONFIG_SID


Severity: green-0

Correctable: false









106

SID configurationThis check reports the SIDs that are not configured for the SymantecESMmodulesfor Oracle Databases. Use name list to exclude the SID’s for this check.


Table 2-64 Message for SID configuration





Severity: yellow-3

Correctable: false




Title: SID notconfigured formodules

Description: TheSID is notconfigured forSymantec ESMModules for OracleDatabases.

■ Windows 2003(243730)

■ Windows 2008(256730)

String ID:ORA_UNCONFIG_SID


Severity: green-0

Correctable: false






■ Windows 2003(30014)

■ Windows 2008(30014)



Oracle EXTPROC listenersThis check reports the Oracle listeners that have EXTPROC-specific entries. Inthe text box, specify 1 to allow the TCP Protocol, on doing so the database listenerports should be different than the EXTPROC ports. Separate listeners must bespecified for the Oracle Databases and for the EXTPROC process. You must usethe IPC protocol for listeners configured for EXTPROC.



Table 2-65 Messages for Oracle EXTPROC listeners





Severity: yellow-3

Correctable: false




Title: Listener forEXTPROC found

Description: Thislistener has beenconfigured forPL/SQL EXTPROC.If the PL/SQLEXTPROCfunctionality is notrequired, werecommend thatyou remove thisfunctionality fromthe ESM agent thathosts the OracleDatabase server.

■ UNIX (31735)

■ Windows 2003(243735)

■ Windows 2008(256735)

String ID:ORA_EXTPROC_LISTENER_FOUND


Severity: red-4

Correctable: false




Title: EXTPROCentries found inListener forDatabases

Description: TheEXTPROC-specificentries were foundin the Oraclelistener for theDatabase. Differentlisteners should bespecified for theOracle Databasesand for the PL/SQLEXTPROC.

■ UNIX (31736)

■ Windows 2003(243736)

■ Windows 2008(256736)

String ID:ORA_EXTPROC_IN_DB_LISTENER



108

Table 2-65 Messages for Oracle EXTPROC listeners (continued)





Severity: red-4

Correctable: false




Title: Listener forEXTPROC is notconfiguredwith IPCProtocol

Description: TheOracle listener forPL/SQL EXTPROCshould only beconfigured with anIPC protocoladdress. If the userallows TCP, thenthe violation for theprotocols otherthan theTCP/TCPS/IPC isreported.

■ UNIX (31737)

■ Windows 2003(243737)

■ Windows 2008(256737)

String ID:ORA_NON_IPC_EXTPROC


Severity: red-4

Correctable: false




Title: The portsconfigured forEXTPROC listenersconflict withdatabase listeners

Description: If theTCPprotocol is usedto configurelisteners withEXTPROC then usethe port that isdifferent than theports that theOracle listener forthe databases uses.

■ UNIX (31738)

■ Windows 2003(243738)

■ Windows 2008(256738)

String ID:ORA_TCP_PORT_EXTPROC



Table 2-65 Messages for Oracle EXTPROC listeners (continued)





Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



About the Oracle Objects moduleThis module checks for the access privileges to the Oracle objects that are basedon the options that you have specified.

Editing default settingsThe check in this group edits the default settings for all security checks in themodule.

Reporting table privilegesThe checks in this group report entities that can:

■ Access SYS.ALL_SOURCE

■ Grant privileges to Oracle objects such as tables, indexes, and views

■ Have directly granted table privileges to Oracle objects

Access to SYS.ALL_SOURCEThis check reports the roles, accounts, and synonyms that have access privilegesto theSYS.ALL_SOURCEsystem table. TheALL_SOURCE table contains the sourcecode for user-defined objects in all schemas of the SID. Verify that the entity'sdirect access to SYS.ALL_SOURCE is authorized. Use the Grantees to skip namelist to exclude the grantees for this check.


Understanding the ESM Oracle Database ModulesAbout the Oracle Objects module

110

Table 2-66 Message for Access to SYS.ALL_SOURCE





Severity: yellow-3

Correctable: false




Title: Access toSYS.ALL_SOURCE

Description: Theuser or role that isreported in the Infofield has access tothe ALL_SOURCEtable. Verify thatthe access isauthorized.

■ UNIX (31630)

■ Windows 2003(243630)

■ Windows 2008(256630)

String ID:ORA_ACCESS_ALL_SOURCE


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



Critical objectsThis check works with the Grantable privilege check or the Directly grantedprivilege check. The Critical objects check reports on the objects that it finds onthe ESM agent computer with the objects that you specify in the template. Forexample, sys.kupw$wor, sys.dbms_ddl, and so on. Use the name list to enable ordisable the template file.


111Understanding the ESM Oracle Database ModulesAbout the Oracle Objects module

Table 2-67 Messages for Critical objects



Platform and MessageNumeric ID


Severity: red-4

Correctable: false




Title: No wordfiles specified

Description:"Critical objects"was enabled butnoword fileswerespecified. Changeyour policy sothat at least oneword file isenabled.

■ UNIX (31633)

■ Windows 2003(243633)

■ Windows 2008(256633)

String ID:ESM_NOWORDFILES

Category: ESM Error

Severity: red-4

Correctable: false




Title: Grantabletable privilege

Description: Thegrantable tableprivilege of theOracle object isgranted to theuser or role.Verify that theuser or role isauthorized togrant the tableprivilege.

■ UNIX (31634)

■ Windows 2003(243634)

■ Windows 2008(256634)

String ID:ORA_GRANTABLE_RED


Severity: red-4

Correctable: false




Title: Directlygranted tableprivilege

Description: Thedirectly grantedtable privilege ofthe Oracle objectis directly grantedto the user or role.Verify that theuser or role isauthorized for thetable privilege.

■ UNIX (31635)

■ Windows 2003(243635)

■ Windows 2008(256635)

String ID:ORA_DIRECT_GRANTED_RED



112

Table 2-67 Messages for Critical objects (continued)





Severity: green-0

Correctable: false




Title: ESM checksexecuted onOracle SID


■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



Directly granted privilegeThis check reports the roles, the accounts, or the synonyms that have directlygranted table privileges to Oracle objects. Use the name list to include or excludethe grantees for this check.


Table 2-68 Message for Directly granted privilege





Severity: yellow-3

Correctable: false




Title: Directlygranted tableprivilege

Description: Thedirectly grantedtable privilegeofORA_DIRECT_GRANTEthe Oracle object isdirectly granted tothe user or role.Verify that the useror role is authorizedfor the tableprivilege.

■ UNIX (31632)

■ Windows 2003(243632)

■ Windows 2008(256632)

String ID:ORA_DIRECT_GRANTED



Table 2-68 Message for Directly granted privilege (continued)





Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



Grantable privilegeThis check reports the roles, the accounts, or the synonyms that have grantabletable privileges to Oracle objects. Use the name list to include and exclude thegrantees for this check.


Table 2-69 Message for Grantable privilege





Severity: yellow-3

Correctable: false




Title: Grantabletable privilege

Description: Thegrantable tableprivilege of theOracle object isgranted to the useror role. Verify thatthe user or role isauthorized to grantthe table privilege.

■ UNIX (31631)

■ Windows 2003(243631)

■ Windows 2008(256631)

String ID:ORA_GRANTABLE



114

Table 2-69 Message for Grantable privilege (continued)





Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



GrantorsUse this name list to include or exclude the grantors for the Grantableprivilegesand Directly granted privilege checks to report on.

Object PrivilegesThis check uses the specified template to report on the object privileges. Use thename list to enable or disable the template file.



Table 2-70 Messages for Object Privileges





Severity: red-4

Correctable: false




Title: Object notfound

Description: Objectnot found. Theselected object maynot be present inthe database, or theinformation for theselected object isincorrect in thetemplate. Verify thetemplate entries, orverify if the objectwith the givenowner is present inthe database.

■ UNIX (31636)

■ Windows 2003(243636)

■ Windows 2008(256636)

String ID:ORA_OBJ_NOT_FOUND



116

Table 2-70 Messages for Object Privileges (continued)





Severity: red-4

Correctable: false




Title: Unauthorizedobject privilege

Description: Thereis amismatch in theactual objectprivilege present inthe database andthe privilege that ismentioned in thetemplate. Check ifthe object that ismarked as"Prohibited" in thetemplate is presentin the database, orcheck if the objectthat is marked as"Mandatory" in thetemplate is notpresent in thedatabase. For moreinformation, see thecorrespondingInformationcolumn.

■ UNIX (31637)

■ Windows 2003(243637)

■ Windows 2008(256637)

String ID:ORA_OBJ_PRIV_R








Severity: yellow-1

Correctable: false






■ UNIX (31638)

■ Windows 2003(243638)

■ Windows 2008(256638)

String ID:ORA_OBJ_PRIV_Y



118






Severity: green-0

Correctable: false






■ UNIX (31639)

■ Windows 2003(243639)

■ Windows 2008(256639)

String ID:ORA_OBJ_PRIV_G








Severity: red-4

Correctable: false






■ UNIX ( 31737)

■ Windows 2003(243737)

■ Windows 2008(256737)

String ID:ORA_OBJ_PRIV_R



120






Severity: green-0

Correctable: false






■ UNIX (31739)

■ Windows 2003(243739)

■ Windows 2008(253739)

String ID:ORA_OBJ_PRIV_G








Severity: yellow-1

Correctable: false






■ UNIX ( 31738)

■ Windows 2003(243738)

■ Windows 2008(253738)

String ID:ORA_OBJ_PRIV_Y



122






Severity: red-4

Correctable: false





Description: Objectnot found. Theselected object maynot be present inthe database, or theinformation for theselected object isincorrect in thetemplate. Verify thetemplate entries, orverify if the objectwith the givenowner is present inthe database.

■ UNIX (31736)

■ Windows 2003(243736)

■ Windows 2008(253736)

String ID:ORA_OBJ_NOT_FOUND


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



Object nameUse this name list to include or exclude the object names for the Grantableprivilege and Directly granted privilege checks to report on.

Oracle system identifiers (SIDs)Use the name list to include or exclude the Oracle system identifiers (SIDs) forthis check. By default, the check examines all the SIDs that you specify when youconfigure the Symantec ESMmodules for the Oracle databases. OnWindows, theSymantec ESM modules for Oracle Databases configuration are stored in the


\esm\config\oracle.dat file. On UNIX, the Symantec ESM modules for OracleDatabases configuration are stored in the /esm/config/oracle.dat file.

Table privilegesUse this name list to include or exclude the table privileges for the Grantableprivilege and Directly granted privilege checks to report on.

About the Oracle Passwords moduleThis module checks for the password integrity that Oracle user accounts usesthat is based on the options that you have specified.

Note: Refer to the following:

■ Certain functionalities of the Oracle Passwords module are developed basedon the concept provided in the white paper An Assessment of the OraclePassword Hashing Algorithm courtesy of SANS Institute and/or its licensors.

■ The password hashing checks do not report on the passwords when exclusivemode is enabled in Oracle 11g or later to use SHA-1 / Salt Hashing Algorithm.

Editing default settingsThe checks in this group edits the default settings for all the security checks inthe module.

Specifying check variationsYou can use the checks under this group to set conditions for guessing thepasswords of the Oracle accounts. You can display the results with or without thefirst and last characters of the password.

Comparing passwords to word listsThe checks in this group compare the passwords to words that are found in theword lists or the user names. Any matched word is a weak password and shouldbe changed immediately.

Understanding the ESM Oracle Database ModulesAbout the Oracle Passwords module

124

Detecting well-known passwordsOracle products ship with default, or sample, accounts and passwords that arewidely known. These passwords should be changed as soon as soon as possible.Otherwise, unauthorized users can log in as SYS or SYSTEM with administratorprivileges.

Account statusUse the name list to include or exclude the statuses for all the password guessingchecks.

Double occurrencesEnable this option to have Password = checks report the passwords that matchesthe user names or common words spelled twice. For example, in Password =wordlist word, password golfgolf matches the word golf.

Oracle system identifiers (SIDs)Use the name list to include or exclude the Oracle system identifiers (SIDs) forthis check. By default, the check examines all the SIDs that you specify when youconfigure the SymantecESMmodules for the Oracle databases. On Windows, theconfiguration for Symantec ESM Modules for Oracle Databases is stored in\esm\config\oracle.dat. On UNIX, the configuration for Symantec ESM Modulesfor Oracle Databases is stored in /esm/config/oracle.dat.

Password = any usernameThis check compares the encrypted version of the user and the role passwordwiththe encrypted version of the words that are included in the common words andnames file. The check then reports the matches. You can specify the word andname files that you want to check. Do not use common words or names aspasswords.

Symantec recommends that youdonot use commonwords ornames aspasswords.You must assign a more secure password immediately to the user accounts thatare reported by this check, then notify each user to log in using the more securepassword.Have theusers complete theprocess by changing their passwords again.

A secure passwordhas six to eight characterswith at least onenumeric character,and one special character. The password must not match an account name ormust not be found in the word file.


125Understanding the ESM Oracle Database ModulesAbout the Oracle Passwords module

Table 2-71 Message for Password = any username





Severity: red-4

Correctable: false




Title: Weak userpassword

Description: Thepassword is a formof a user name orcommon word. It isa weak password.Assign a moresecure passwordimmediately. Theninstruct the user tolog inwith themoresecure passwordand change thepassword again. Asecure passwordhas 6-8 characters,including at leastone non-alphabeticcharacter, shouldnot be found in anydictionary, andshould not matchan account name.

■ UNIX (30334)

■ Windows 2003(242334)

■ Windows 2008(255334)

String ID:ORA_PASS_GUESSED


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



Password = usernameThis check reports the users and the roles that use their own user names or rolenames as passwords. The check is not as comprehensive as the Password = any


126

username check. However, if the Password = any user name check takes longeror consumesmore CPUusage, then use the Password = user name check daily andthePassword=anyusernamecheckonweekends. The reportedpasswordmatchesthe sameuser account name. Thepasswords that closely resemble account namesare easily guessed.

Symantec recommends that youmust immediately assignmore securepasswordsto reported user accounts. Then notify the users and ask them to log in with themore secure passwords. Have the users complete the process by changing theirpasswords again.



Table 2-72 Message for Password = username





Severity: red-4

Correctable: false






■ UNIX (30334)

■ Windows 2003(242334)

■ Windows 2008(255334)




Table 2-72 Message for Password = username (continued)





Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



Password = wordlist wordThis check compares the encrypted version of the user and the role passwordwiththe encrypted version of the words that are included in the common words andnames file. The check then reports the matches. You can specify the word andname files that you want to check. Do not use common words or names aspasswords.

Symantec recommends that youdonot use commonwords ornames aspasswords.You must assign a more secure password immediately to the user accounts thatare reported by this check, then notify each user to log in using the more securepassword.Have theusers complete theprocess by changing their passwords again.




128

Table 2-73 Messages for Password = wordlist word





Severity: red-4

Correctable: false






■ UNIX (30334)

■ Windows 2003(242334)

■ Windows 2008(255334)



Severity: red-4

Correctable: false




Title: No word filesspecified

Description:Password=wordlistword was enabled,but no word fileswere specified.Enable at least oneword file.

■ UNIX (30336)

■ Windows 2003(242336)

■ Windows 2008(255336)

String ID:ORA_NO_WORDS

Category: ESM Error


Table 2-73 Messages for Password = wordlist word (continued)





Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



Password displayThis check works with the Password=wordlistword, Password=username, andPassword = any username checks. Enable this check to display the guessedpasswords in the <first character>*<last character> format.

PluralThis option directs Password = checks to compare the plural forms of user names,role names, or common words with the password. For example, in “Password =user name,” the password “golfs” matches the user name “golf.”

PrefixEnable this option so that Password = checks reports the passwords that beginwith a prefix in the user names, role names, or common words. For example, if"pro" is a prefix and "golf" is a user name, then the Password = user name checkreports "progolf " as a weak password.

Reverse orderEnable this option to have Password = checks report passwords that match thebackward spelling of user names or common words. For example, in Password =wordlist word, password flog matches the word golf.


130

SuffixEnable this option so that Password = checks reports the passwords that endwitha suffix in the user names, role names, or common words. For example, if “pro”is a suffix and “golf” is a user name, then the Password = user name check reports“golfpro” as a weak password.

Users to checkUse the name list to include or exclude the users or the roles for all the passwordguessing checks.

Well known passwordsThis check reports the well known account/password combinations that youspecify in the name list and default Oracle account/password combinations suchas scott/tiger. You should not allowwell known account/password combinations.Use the name list to include the account and password combinations for thischeck.

Symantec recommends that youmust assignamore securepassword immediately.You must instruct the user to log in with the more secure password and changethe password again.



Table 2-74 Message for Well known passwords





Severity: red-4

Correctable: false




Title: Well knownaccount/passwordfound

Description:Changeor delete all wellknownaccount/passwordcombinations.

■ UNIX (30337)

■ Windows 2003(242337)

■ Windows 2008(255337)

String ID:ORA_DEFAULT_PASSWORD



Table 2-74 Message for Well known passwords (continued)





Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



Password = SIDThis check reports the users and roles who use their SID names as passwords.This is applicable only for the configured SIDs.

About the Oracle Patches moduleThis module identifies the Oracle security patches that are not installed on yourcomputers.

Note:Themodulemaynot report correctmessages if the opatch utility andOraclePatchesmodule is concurrently runningon the sameagent. Symantec recommendsnot to run the Oracle Patches module on the same agent while opatch utility isalready running.

Edit default settingsThe check in this group edits the default settings for all the security checks in themodule.

Oracle patchesThe checks in this group report the patches that are released by Oracle and thatare not applied on the database server.

Understanding the ESM Oracle Database ModulesAbout the Oracle Patches module

132

SID infoThis check add on the relevant SIDs to the patchmessages that are reported fromthe Patch information and Installed patches checks.

Installed patchesThis checkworks with the Opatchtool check and reports the patches, the opatchtool detects. When the Installed Patches check is run along with the SID Infocheck, the relevant SIDs are also reported.


Table 2-75 Message for Installed patches





Severity: green-0

Correctable: false




Title: Installedpatches

Description: Theinstalled patch isdetected by theopatch tool.

■ UNIX (31034)

■ Windows 2003(243034)

■ Windows 2008 (256034)

String ID:ORA_INSTALLED_PATCH


Severity: green-0

Correctable: false




Title: ESM checksexecuted on OracleHome

Description: Thechecks are executedon theOracleHome.

■ UNIX (256037)

■ Windows 2003(243037)

■ Windows 2008 (256037)

String ID:ORA_HOME_PROCESSED


Opatch toolThis check enables ESM to use the opatch tool and reports the opatch tool versioninformation. Opatch is the Oracle patch tool, which is a set of PERL scripts thatrun with PERL 5.005_03 and later. You have JRE and JDK installed in the OracleHome to run the OPatch tool. The commands such as jar, java, ar, cp, and make

133Understanding the ESM Oracle Database ModulesAbout the Oracle Patches module

(depending on platforms) available should be present in the Opatch path. Bydefault, the Opatch tools check searches for the OPatch directory that containsthe opatch tool in ORACLE HOME. If the check fails to find the tool in ORACLEHOME, then it takes the path of the opatch tool thatmentioned in the check. Thisapplication can be downloaded from the following URL: http://www.oracle.com.


Table 2-76 Messages for Opatch tool





Severity: green-0

Correctable: false




Title: Opatchversion

Description: Theopatch tool is at theshown version.

■ UNIX (31032)

■ Windows 2003(243032)

■ Windows 2008(256032)

String ID:ORA_OPATCH_VERSION


Severity: green-0

Correctable: false




Title: OpatchInformation

Description: Thespecified opatchtool reports in theinformation field.

■ UNIX (31033)

■ Windows 2003(243033)

■ Windows 2008(256033)

String ID:ORA_OPATCH_INFO


Severity: green-0

Correctable: false






■ UNIX (256037)

■ Windows 2003(243037)

■ Windows 2008 (256037)




134

Oracle Home PathsUse the name list to include or exclude the Oracle home paths for this check. Bydefault, the check examines all the Home paths that you specify when youconfigure the SymantecESMmodules for the Oracle databases. On Windows, theconfiguration for Symantec ESM Modules for Oracle Databases are stored in theoracle.dat file that is located in the \esm\config\ folder. OnUNIX, the configurationfor Symantec ESM Modules for Oracle Databases are stored in the oracle.dat filethat is located in the /esm/config/ folder.

Patch informationThis check reports information about the patches that have been released withinthe number of days that you specify in the check. The information includes patchtype and number, ID number, patch release date, and description. You shouldverify that all current patches are installed on your Oracle clients and servers.Use the name list to include the template files for this check. When the PatchInformation check is run along with the SID Info check, the relevant SIDs arealso reported.

You can download patch updates by using LiveUpdate.

Symantec recommends that you verify that your Oracle server and componentshave the current applicable patches.


Table 2-77 Messages for Patch information





Severity: yellow-1

Correctable: false




Title: Patchavailable

Description: Thepatch is available atOracle's patchesWeb site.

■ UNIX (31030)

■ Windows 2003(243030)

■ Windows 2008(256030)

String ID:ORA_PATCH_AVAILABLE


135Understanding the ESM Oracle Database ModulesAbout the Oracle Patches module

Table 2-77 Messages for Patch information (continued)





Severity: yellow-1

Correctable: false




Title: Patchsetavailable

Description: Thepatchset is availableat Oracle's patchesWeb site.

■ UNIX (31031)

■ Windows 2003(243031)

■ Windows 2008(256031)

String ID:ORA_PATCHSET_AVAILABLE


Severity: green-0

Correctable: false






■ UNIX (256037)

■ Windows 2003(243037)

■ Windows 2008 (256037)



Template filesUse the name list to enable or disable the template files for this check. OraclePatch template files are identified by .orp file extensions.



136

Table 2-78 Message for Template files





Severity: red-4

Correctable: false




Title: No templatefiles specified

Description: TheOracle Patchesmodule was runwithout anytemplate files. Nopatch relatedchecks wereperformed. Checkyour policy toensure that at leastone template file isenabled for theagent's operatingsystem.

■ UNIX (31035)

■ Windows 2003(243035)

■ Windows 2008(256035)

String ID:ORA_TEMPLATEFILE_MISSING

Category: ESM Error

Severity: green-0

Correctable: false






■ UNIX (256037)

■ Windows 2003(243037)

■ Windows 2008 (256037)



About the Oracle Profiles moduleThis module checks for the Oracle profiles table that is based on the options thatyou have specified. It reports SIDs, profile names, profile resource names, andresource limits as applicable.

Establishing a baseline snapshotTo establish a baseline, run the Profilesmodule. This creates a snapshot of currentprofile information that you canupdatewhen you run the checks that report new,deleted, or changed information.

137Understanding the ESM Oracle Database ModulesAbout the Oracle Profiles module

Editing default settingsUse the check in this group to edit the default settings for all the security checksin the module.

Reporting profiles and their limitsThe checks in this group report the existing, new, and deleted profiles and theirresource limits.

Reporting CPU limit violationsThe checks in this group report the CPU resource limits.

Reporting password violationsThe checks in this group report the profiles with settings for the number of failedlogon attempts, password grace time, password duration, password lock time, andpassword reuse requirements that violate your security policy. Password strengthchecks, which compare passwords to common words and user names,

Profile settingsThis check reports the profile settings that do not match the settings that arespecified in the template file. Use the name list to enable or disable the templatefiles.


Table 2-79 Message for Profile settings





Severity: red-4

Correctable: false





Description: Noprofile found thatmatches the nameas specified in thetemplate. For moreinformation, referthe Informationcolumn.

■ UNIX (30954)

■ Windows 2003(242954)

■ Windows 2008(255954)

String ID:ORA_PROF_NOT_FOUND


Understanding the ESM Oracle Database ModulesAbout the Oracle Profiles module

138

Table 2-79 Message for Profile settings (continued)





Severity: red-4

Correctable: false




Title: Profilesettings mismatch

Description: Theprofile settings thatare present in thedatabase do notmatch with thesettings that arespecified in thetemplate. For moreinformation, referthe Informationcolumn.

■ UNIX (30251)

■ Windows 2003(242251)

■ Windows 2008(255251)

String ID: ORA_PROF_R


Severity: yellow-1

Correctable: false






■ UNIX (30252)

■ Windows 2003(242252)

■ Windows 2008(255252)

String ID: ORA_PROF_Y



Table 2-79 Message for Profile settings (continued)





Severity: green-0

Correctable: false






■ UNIX (30253)

■ Windows 2003(242253)

■ Windows 2008(255253)

String ID: ORA_PROF_G


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)




CPU time per callThis check reports the profiles that allow more CPU time for each call, such asfetch, execute, and parse, than the amount of time that you specify in the check.Specify the maximum amount of time that is allowed per call in hundredths of asecond.

Symantec recommends that you specify a maximum CPU time per call limit thatallow users perform their duties and that prevents a small number of users fromdenying service to others by using excessive CPU resources.


140


Table 2-80 Message for CPU time per call





Severity: yellow-1

Correctable: false




Title: CPU time percall exceeds limit

Description: Theprofile's maximumCPU time per callexceeds the amountthat you specified inthe check. Time isexpressed inhundredths of asecond. Specify arealistic limit topreventoneormorecalls from lockingout other calls byusing all of the CPUcapacity.

■ UNIX (30938)

■ Windows 2003(242938)

■ Windows 2008(255938)

String ID:ORA_PROFILE_CPU_PER_CALL


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



CPU time per sessionThis check reports profiles that allowmoreCPU timeper session then the amountthat you specify in the check. Specify themaximumamount of time that is allowedper session in hundredths of a second.

Symantec recommends that you specify a maximum CPU time per session limitthat allow users to perform their duties without frequent logging on and loggingout. It prevents a small number of users from denying service to others by usingexcessive CPU resources.



Table 2-81 Message for CPU time per session





Severity: yellow-1

Correctable: false




Title: CPU time persession exceedslimit

Description: Theprofile's maximumCPU time persession exceeds theamount that youspecified in thecheck. Time isexpressed inhundredths of asecond. Specify arealistic limit topreventoneormoreusers from lockingout other users byusing all of the CPUcapacity.

■ UNIX (30937)

■ Windows 2003(242937)

■ Windows 2008(255937)

String ID:ORA_PROFILE_CPU_PER_SESSION


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



Changed resource limitsThis check reports the profile resource limits that changed after the last snapshotupdate. Use the name list to exclude profiles for this check.

If the change is authorized, Symantec recommends that you either update thesnapshot or restore the previous limit.


142


Table 2-82 Message for Changed resource limits





Severity: yellow-1

Correctable: false




Title: Changedprofile resourcelimit

Description: Theprofile's resourcelimit changed afterthe last snapshotupdate. Update thesnapshot if theresource limit isappropriate; changethe limit if it is notappropriate. Limitsshould be highenough to permitnormal resourceusage but lowenough to preventabuse.

■ UNIX (30936)

■ Windows 2003(242936)

■ Windows 2008(255936)

String ID:ORA_PROFILE_LIMIT_CHANGED


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



Connection timeThis check reports the profiles that allow more elapsed connection time for anaccount than the number of minutes that you specify in the check.

Symantec recommends that you specify a realistic limit that allowusers to performtheir duties and that prevents a few connections from denying service to othersby using excessive CPU resources.



Table 2-83 Message for Connection time





Severity: yellow-1

Correctable: false




Title: Connect timeexceeds limit

Description: Thenumber of minutesallowed for theprofile's connectionexceeds thenumberof minutes that youspecified in thecheck. Specify arealistic limit topreventoneormoreconnections fromdenying service toother users bymonopolizing CPUcapacity.

■ UNIX (30939)

■ Windows 2003(242939)

■ Windows 2008(255939)

String ID:ORA_PROFILE_CONNECT_TIME


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



Deleted profilesThis check reports all the profiles that were deleted from the database after thelast snapshot update. Use the name list to exclude profiles for this check.

If the deletion is authorized, Symantec recommends that you either update thesnapshot or restore the profile.



144

Table 2-84 Message for Deleted profiles





Severity: yellow-1

Correctable: false




Title: Deletedprofile

Description: Theprofilewas droppedfrom the databaseafter the lastsnapshot update. Ifthe deletion isauthorized, updatethe snapshot. If thedeletion is notauthorized, restorethe profile.

■ UNIX (30932)

■ Windows 2003(242932)

■ Windows 2008(255932)

String ID:ORA_PROFILE_DELETED


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



Failed loginsThis check reports the profiles that allow more failed login attempts than thenumber that you specify in the check.

Symantec recommends that you restrict the number of permitted failed loginattempts tominimize the likelihood of break-in by intruderswho attempt to guessuser names and passwords.



Table 2-85 Message for Failed logins





Severity: red-4

Correctable: false




Title: Failed loginattempts exceedlimit

Description: Thenumber of failedlogins permittedbefore an account islocked exceeds thenumber that youspecified in thecheck. Restrict thenumber of failedattempts permittedto minimize thelikelihood ofintruders guessinguser names andpasswords.

■ UNIX (30940)

■ Windows 2003(242940)

■ Windows 2008(255940)

String ID:ORA_PROFILE_FAILED_LOGIN_ATTEMPTS


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



Idle timeThis check reports profiles that allow more idle time before a process isdisconnected than the number of minutes that you specify in the check.

The connections that are idle for a long period may indicate that the computer isunattended.

Symantec recommends that you specify a realistic amount of time before aninactive process is disconnected.



146

Table 2-86 Message for Idle time





Severity: yellow-1

Correctable: false




Title: Idle timeexceeds limit

Description: Theprofile's maximumidle time exceedsthe limit that youspecified in thecheck. Specify arealistic amount oftime before aninactive process isdisconnected.Connections thatare idle for a longperiodmay indicatethat the computeris unattended,which would pose asecurity threat.

■ UNIX (30941)

■ Windows 2003(242941)

■ Windows 2008(255941)

String ID:ORA_PROFILE_IDLE_TIME


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



Invalid profilesThis check reports users that are assigned to profiles that fail one or more of theenabled resource limitation checks. Use the name list to exclude the users for thischeck.



Table 2-87 Message for Invalid profiles





Severity: yellow-3

Correctable: false




Title: Invalid profileassigned

Description: Theuser's profile isinvalid. It fails oneor more enabledprofile resourcelimitation checks.Verify that theprofile is correctlydefined in thedatabase.

■ UNIX (30950)

■ Windows 2003(242950)

■ Windows 2008(255950)

String ID:ORA_INVALID_PROFILE_ASSIGNED


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



New profilesThis check reports all profiles that were defined in the database after the lastsnapshot update. Use the name list to exclude profiles for this check.

If the addition is authorized, Symantec recommends that you either update thesnapshot or delete the profile.



148

Table 2-88 Message for New profiles





Severity: yellow-1

Correctable: false




Title: New profile

Description: Theprofilewas added tothe database afterthe last snapshotupdate. If theaddition isauthorized, updatethe snapshot. If theaddition is notauthorized, deletethe profile.

■ UNIX (30931)

■ Windows 2003(242931)

■ Windows 2008(255931)

String ID:ORA_PROFILE_ADDED


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



Oracle profilesUse the name list to include or exclude the Oracle profiles for the resourcelimitation checks.

Oracle system identifiers (SIDs)Use the name list to include or exclude the Oracle system identifiers (SIDs) forthis check. By default, the check examines all the SIDs that you specify when youconfigure the SymantecESMmodules for the Oracle databases. On Windows, theconfiguration for Symantec ESM Modules for Oracle Databases is stored in\esm\config\oracle.dat. On UNIX, the configuration for Symantec ESM Modulesfor Oracle Databases is stored in /esm/config/oracle.dat.


Password durationThis check reports the profiles that permit a password to be used for more daysthan the number that you specify in the check.

Symantec recommends that you change your password often to minimize thepossibility that an intruder will discover the passwords but not so often that youhave difficulty remembering your passwords.


Table 2-89 Message for Password duration





Severity: red-4

Correctable: false




Title: Passwordduration too high

Description: Themaximum numberof days permittedfor the profile'spassword exceedsthe number of daysthat you specified inthe check. Requirepassword changesoften to minimizethe likelihood thatthey will bediscovered by anintruder.

■ UNIX (30943)

■ Windows 2003(242943)

■ Windows 2008(255943)

String ID:ORA_PROFILE_PASS_LIFE_TIME


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)




150

Password grace timeThis check reports the profiles that have their password grace days different thanthe number that you specify in the Password Grace text box. Now, you can alsouse the comparison operators before specifying the value in the text box. Thevalue that you specify in the text box refers to the number of days wherein awarning is given before your password expires. The comparison operators are asfollows: Equal (=), Not equal (!=), Less than (<), Greater than (>), Less than or equalto (<=), Greater than or equal to (>=).

Symantec recommends that you specify realistic number of days for a user tochange a password after being warned that it is about to expire.


Table 2-90 Message for Password grace time





Severity: yellow-1

Correctable: false




Title: Passwordgrace time differsfrom limit

Description: Theprofile's passwordgrace time is not thesame as the limitthat you specified inthe check. Specify arealistic number ofdays for a user tochange a passwordafter being warnedthat it is about toexpire.

■ UNIX (30942)

■ Windows 2003(242942)

■ Windows 2008(255942)

String ID:ORA_PROFILE_PASS_GRACE_TIME


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)




Password lock timeThis check reports the profiles that lock accounts for fewer days than the numberthat you specify in the check. Accounts are locked after the number of failed loginattempts that you specify in the FAILED_LOGIN_ATTEMPTS parameter of theprofile. PASSWORD_LOCK_TIMEparameter specifies the number of days that anaccount is locked.

Symantec recommends that you change the resource parameterPASSWORD_LOCK_TIME setting to match with your security policy.


Table 2-91 Message for Password lock time





Severity: yellow-1

Correctable: false




Title: Password locktime too low

Description: Theprofile's passwordlock time is lowerthan the number ofdays that youspecified in thecheck. Verify thatthePASSWORD_LOCK_TIMEparameter settingconforms tocompany securitypolicies.

■ UNIX (30944)

■ Windows 2003(242944)

■ Windows 2008(255944)

String ID:ORA_PROFILE_PASS_LOCK_TIME


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)




152

Password reuse maxThis check reports profiles that require fewer password changes before a passwordcan be reused than the number that you specify in the check.

Note: If you set a PASSWORD_REUSE_MAX value, PASSWORD_REUSE_TIMEmust be UNLIMITED.

Symantec recommends that you change the resource parameterPASSWORD_REUSE_MAXto require a realistic number of times that a passwordmust be changed before it can be reused.


Table 2-92 Message for Password reuse max





Severity: yellow-1

Correctable: false




Title: Password reusemaximum too low

Description: Theprofile permits apassword to bereused after fewerchanges than thenumber of changesthat you specified inthe check. If you setaPASSWORD_REUSE_MAXvalue,PASSWORD_REUSE_TIMEmustbeUNLIMITED.

■ UNIX (30945)

■ Windows 2003(242945)

■ Windows 2008(255945)

String ID:ORA_PROFILE_PASS_REUSE_MAX


Severity: yellow-1

Correctable: false




Title: Password reusesettings weaker thanexpected

Description: Thepassword reusesettings in theprofileare weaker than thevalues that arespecified in thecheck.

■ UNIX (30955)

■ Windows 2003(242955)

■ Windows 2008(255955)

String ID:ORA_PROFILE_PASS_REUSE_WEAK



Table 2-92 Message for Password reuse max (continued)





Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



Password reuse timeThis check reports profiles that require fewer days before a password can bereused than the number that you specify in the check.

Note: If this setting has a value,PASSWORD_REUSE_TIMEmust be UNLIMITED.If you set a PASSWORD_REUSE_TIME value, PASSWORD_REUSE_MAX must beUNLIMITED.

Symantec recommends that you change the resource parameterPASSWORD_REUSE_TIME to require a realistic amount of time that must passbefore it can be reused.



154

Table 2-93 Message for Password reuse time





Severity: yellow-1

Correctable: false




Title: Passwordreuse time too low

Description: Theprofile permits apassword to bereused after fewerdays than youspecified in thecheck. If you specifyaPASSWORD_REUSE_TIMEvalue,PASSWORD_REUSE_MAXmust beUNLIMITED.

■ UNIX (30946)

■ Windows 2003(242946)

■ Windows 2008(255946)

String ID:ORA_PROFILE_PASS_REUSE_TIME


Severity: yellow-1

Correctable: false




Title: Passwordreuse settingsweaker thanexpected

Description: Thepassword reusesettings in theprofile are weakerthan the values thatare specified in thecheck.

■ UNIX (30955)

■ Windows 2003(242955)

■ Windows 2008(255955)

String ID:ORA_PROFILE_PASS_REUSE_WEAK


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)




Password verify functionThis check reports profiles that donot use one ormore of the password complexityfunctions that you specify in the name list. Use the name list to include thefunctions for this check.

Note: Password complexity functions are specified in the resource parameterPASSWORD_VERIFY_FUNCTION.

Symantec recommends thatyou immediately assigna securepasswordand instructthe user to log on with the secure password and change the password again.


Table 2-94 Message for Password verify function





Severity: yellow-1

Correctable: false




Title: Passwordverify function

Description: Theprofile's passwordverificationfunction a namethat does not existin the list that youspecified in thecheck. Specify thename of a script tocall forPROFILE_PASS_VERIFY_FUNCTION.

■ UNIX (30947)

■ Windows 2003(242947)

■ Windows 2008(255947)

String ID:ORA_PROFILE_PASS_VERIFY_FUNCTION


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)




156

Profile enforcementThis check reports SIDs that do not enforce profiles.

Symantec recommends that in the database's parameter file, change the value ofthe RESOURCE_LIMIT parameter from FALSE to TRUE so that the profiles areenforced.


Table 2-95 Message for Profile enforcement





Severity: red-4

Correctable: false




Title: Profiles arenot enabled

Description: Theprofile is notenforced in thedatabase. Bydefaultno profiles areenforced until youchange the value oftheRESOURCE_LIMITparameter fromFALSE to TRUE forthe database'sinstance.

■ UNIX (30949)

■ Windows 2003(242949)

■ Windows 2008(255949)

String ID:ORA_PROFILE_NOT_ENABLED


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



Profile resourcesThis check reports profile resource limits. Use the name list to exclude profilesfor this check.


Symantec recommends that you must ensure that the profile resource limitsmatches with the company's security policies.


Table 2-96 Message for Profile resources





Severity: green-0

Correctable: false




Title: Profileresource limits

Description: Theprofile and itsresource limits aredefined in thedatabase. Verifythat the profileresource limitsconform tocompany securitypolicies.

■ UNIX (30933)

■ Windows 2003(242933)

■ Windows 2008(255933)

String ID:ORA_PROFILE_LIMIT_LIST


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



ProfilesThis check reports all profiles that are defined in the database. Use the name listto exclude profiles for this check. You should periodically review the profiles toensure that all profiles are authorized and that profile resources and resourcelimits are allocated efficiently.



158

Table 2-97 Message for Profiles





Severity: green-0

Correctable: false




Title: Existingprofiles

Description: Theprofile is defined inthe database.

■ UNIX (30930)

■ Windows 2003(242930)

■ Windows 2008(255930)

String ID:ORA_PROFILE_LIST


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



Sessions per userThis check reports the profiles that allow more number of concurrent sessionsfor each user than the number that you specify in the MaxSession/User text box.As to prevent access by other users,multiple users should not be given concurrentsession permission.



Table 2-98 Message for Sessions per user





Severity: yellow-1

Correctable: false




Title: Sessions peruser too high

Description: Theprofile permitsmore sessions peruser than youspecified for thecheck.SESSIONS_PER_USERspecifies themaximum numberof concurrentsessions per user.

■ UNIX (30948)

■ Windows 2003(242948)

■ Windows 2008(255948)

String ID:ORA_PROFILE_SESSIONS_PER_USER


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



About the Oracle Roles moduleThis module checks for the Oracle roles that are based on the options that youhave specified.

Establishing a baseline snapshotTo establish a baseline, run the Roles module. This creates a snapshot of currentrole information that you can update when you run checks for new, deleted, orchanged information.

Understanding the ESM Oracle Database ModulesAbout the Oracle Roles module

160


Reporting rolesThe checks in this group report the existing roles and the roles that have beenadded or deleted since the last snapshot update.

Reporting role privilegesThe checks in this group report the role privileges and the privileges that weregranted to or removed from the roles after the last snapshot update, and grantablerole privileges.

Reporting role accessThe checks in this group report password-protected roles that are used as defaultroles, directly granted DBA roles, roles without password protection, and tablesaccessed by the public role.

Granted rolesThis check reports the users and the roles that violate the conditions that youspecify in the template. Use the name list to enable or disable the template file.


Table 2-99 Message for Granted roles





Severity: green-0

Correctable: false




Title: Granted roles

Description: Therole that is grantedto the account is notas per the conditionthORA_ROLE_TEMPLATEORA_ROLE_TEMPLATEatis specified in thetemplate.

■ UNIX (30248)

■ Windows 2003(242248)

■ Windows 2008(255248)

String ID:ORA_ROLE_TEMPLATE_G


161Understanding the ESM Oracle Database ModulesAbout the Oracle Roles module

Table 2-99 Message for Granted roles (continued)





Severity: red-4

Correctable: false





Description: Therole that is grantedto the account is notas per the conditionthat is specified inthe template.

■ UNIX (30249)

■ Windows 2003(242249)

■ Windows 2008(255249)

String ID:ORA_ROLE_TEMPLATE_R


Severity: yellow-1

Correctable: false





Description: Therole that is grantedto the account is notas per the conditionthat is specified inthe template.

■ UNIX (30250)

■ Windows 2003(242250)

■ Windows 2008(255250)

String ID:ORA_ROLE_TEMPLATE_Y


Severity: red-4

Correctable: false




Title: Incorrectwildcard templateentry

Description: TheMandatory optiondoes not supportwildcard characterstherefore you mustenter the exact textwhen you select theMandatory option.

■ UNIX (30254)

■ Windows 2003(242254)

■ Windows 2008(255254)

String ID:WILDCARD_WITH_MANDATORY_R

Category: ESM Error


162

Table 2-99 Message for Granted roles (continued)





Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



Granted privilegesThis check reports the privileges and the associated users and roles that violatethe conditions that you specify in the template. Use the name list to enable ordisable the template file.


Table 2-100 Message for Granted privileges





Severity: green-0

Correctable: false




Title: Grantedprivileges

Description: Thesystem privilegesthat are granted arenot as per theconditions that arespecified in thetemplate.

■ UNIX (30251)

■ Windows 2003(242251)

■ Windows 2008(255251)

String ID:SYSTEM_PRIVILEGES_TEMPLATE_G



Table 2-100 Message for Granted privileges (continued)





Severity: red-4

Correctable: false






■ UNIX (30252)

■ Windows 2003(242252)

■ Windows 2008(255252)

String ID:SYSTEM_PRIVILEGES_TEMPLATE_R


Severity: yellow-1

Correctable: false






■ UNIX (30253)

■ Windows 2003(242253)

■ Windows 2008(255253)

String ID:SYSTEM_PRIVILEGES_TEMPLATE_Y


Severity: red-4

Correctable: false




Title: Incorrectwildcard templateentry

Description: TheMandatory optiondoes not supportwildcard characterstherefore you mustenter the exact textwhen you select theMandatory option.

■ UNIX (30254)

■ Windows 2003(242254)

■ Windows 2008(255254)

String ID:WILDCARD_WITH_MANDATORY_R

Category: ESM Error


164

Table 2-100 Message for Granted privileges (continued)





Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)




DBA equivalent rolesUse the name list to include or exclude roles for the Granted Oracle DBA rolecheck to report on.

Deleted nested roleThis check reports the nested roles that were removed from parent roles sincethe last snapshot update. Use the name list to include or exclude the roles for thischeck.



Table 2-101 Message for Deleted nested role





Severity: yellow-1

Correctable: false




Title: Nested roledeleted

Description: Thenested role wasdropped from roleafter the lastsnapshot update. Ifthe deletion isauthorized, updatethe snapshot. If thedeletion is notauthorized, restorethe nested role.

■ UNIX (30245)

■ Windows 2003(242245)

■ Windows 2008(255245)

String ID:ORA_DELETED_ROLE_ROLE


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



Deleted privilegesThis check reports privileges that were dropped from the roles after the lastsnapshot update. Use the name list to exclude the roles for this check.

If the deletion is authorized, Symantec recommends that you either update thesnapshot or restore the privilege.



166

Table 2-102 Message for Deleted privileges





Severity: yellow-1

Correctable: false




Title: Deleted roleprivilege

Description: Thedirectly grantedprivilege wasdropped from therole after the lastsnapshot update. Ifthe deletion isauthorized, updatethe snapshot. If thedeletion is notauthorized, restorethe privilege to therole.

■ UNIX (30241)

■ Windows 2003(242241)

■ Windows 2008(255241)

String ID:ORA_DELETED_ROLE_PRIVILEGE


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



Deleted rolesThis check reports roles that have been deleted from the database since the lastsnapshot update. Use the name list to exclude the roles for this check.

If the deletion is authorized, Symantec recommends that you either update thesnapshot or restore the role.



Table 2-103 Message for Deleted roles





Severity: yellow-1

Correctable: false




Title: Deleted role

Description: Therole was deletedfrom the databaseafter the lastsnapshot update.Update thesnapshot if thedeletion isauthorized; restorethe role if thedeletion is notauthorized.

■ UNIX (30238)

■ Windows 2003(242238)

■ Windows 2008(255238)

String ID:ORA_DELETED_ROLES


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



Grantable nested roleThis check reports the grantable roles that have been granted to other roles. Usethe name list to exclude the grantee roles for this check.

Symantec recommends that you periodically review the grantable nested roles toensure that they are currently authorized for the roleswhere they reside and thatthe roles are currently authorized to grant the nested roles.



168

Table 2-104 Message for Grantable nested roles





Severity: green-0

Correctable: false




Title: Grantablenested role

Description: Therole includes thenested grantablerole. Verify that therole granted to thegrantee isauthorized, andthat the grantee isauthorized to havethe grantable role.

■ UNIX (30246)

■ Windows 2003(242246)

■ Windows 2008(255246)

String ID:ORA_GRANTABLE_ROLE_ROLE


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



Grantable privilegesThis check reports the grantable privileges that have been granted to the roles.Use the name list to exclude the roles for this check.

Symantec recommends that you periodically review all grantable role privilegesto ensure that the grantable privilege is appropriate for the role. Youmust revokegrantable role privileges from the users who are not authorized to grant them.



Table 2-105 Message for Grantable privileges





Severity: green-0

Correctable: false




Title:Grantable roleprivilege

Description: Theprivilege of the roleis grantable. Verifythat the privilege isappropriate for therole.

■ UNIX (30242)

■ Windows 2003(242242)

■ Windows 2008(255242)

String ID:ORA_GRANTABLE_ROLE_PRIVILEGE


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



Granted Oracle DBA roleThis check reports users and roles that have been directly granted to an Oracledatabase administrator (DBA) role or equivalent. Use the name list to exclude theusers for this check.

Symantec recommends that you either revoke the DBA roles from unauthorizedusers or tightly control the database administrator rights.



170

Table 2-106 Message for Granted Oracle DBA role





Severity: yellow-1

Correctable: false




Title: User grantedOracle DBA role

Description: Theuser has beengranted thedatabaseadministrator (DBA)role or equivalent.DBAs have fullrights to systemand applicationdata, includingcreating new usersand roles, grantingaccess rights, anddeleting databases.Revoke DBAprivileges fromunauthorized usersimmediately, andtightly controladministratorrights.

■ UNIX (30230)

■ Windows 2003(242230)

■ Windows 2008(255230)

String ID:ORA_DBA_ROLE_USERS


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



Nested rolesThis check reports roles and the nested roles that they contain. Use the name listto include or exclude the roles for this check.


Table 2-107 Message for Nested roles





Severity: green-0

Correctable: false




Title: Nested role

Description: Therole has beendirectly granted tothe role.

■ UNIX (30243)

■ Windows 2003(242243)

■ Windows 2008(255243)

String ID:ORA_ROLE_ROLE


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



New nested rolesThis check reports roles that were directly granted to other roles after the lastsnapshot update. Use the name list to include or exclude the roles for this check.

If the change is authorized, Symantec recommends that you either update thesnapshot or drop the nested role.



172

Table 2-108 Message for New nested roles





Severity: yellow-1

Correctable: false




Title: New nestedrole

Description: Therole was directlygranted to the roleafter the lastsnapshot update. Ifthe addition isauthorized, updatethe snapshot. If theaddition is notauthorized, dropthenested role fromthe role.

■ UNIX (30244)

■ Windows 2003(242244)

■ Windows 2008(255244)

String ID:ORA_ADDED_ROLE_ROLE


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



New privilegesThis check reports privileges that were directly granted to roles after the lastsnapshot update. Use the name list to exclude the roles for this check.

If the new privilege is authorized, Symantec recommends that you either updatethe snapshot or drop the privilege from the role.



Table 2-109 Message for New privileges





Severity: yellow-1

Correctable: false




Title: New roleprivilege

Description: Theprivilege wasdirectly granted tothe role after thelast snapshotupdate. If theaddition isauthorized, updatethe snapshot. If theaddition is notauthorized, dropthe privilege fromthe role.

■ UNIX (30240)

■ Windows 2003(242240)

■ Windows 2008(255240)

String ID:ORA_ADDED_ROLE_PRIVILEGE


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



New rolesThis check reports roles that were added to the database after the last snapshotupdate. Use the name list to exclude the roles for this check.

If the new role is authorized, Symantec recommends that you either update thesnapshot or drop the role.



174

Table 2-110 Message for New roles





Severity: yellow-1

Correctable: false




Title: New role

Description: Therole was added tothe database afterthe last snapshotupdate. If theaddition isauthorized, updatethe snapshot. If theaddition is notauthorized, deletethe role.

■ UNIX (30237)

■ Windows 2003(242237)

■ Windows 2008(255237)

String ID:ORA_ADDED_ROLES


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



Oracle system identifiers (SIDs)Use the name list to include the Oracle system identifiers (SIDs) for this check.By default, the check examines all the SIDs that you specify when you configurethe Symantec ESM modules for the Oracle databases. On Windows, theconfiguration for Symantec ESM Modules for Oracle Databases is stored in\esm\config\oracle.dat file.OnUNIX, the configuration forSymantecESMModulesfor Oracle Databases is stored in /esm/config/oracle.dat file.

PUBLIC role accessThis check reports the tables that users can access with a PUBLIC role and theprivileges that are used.


Symantec recommends that you control the permissions that are granted to thePUBLIC role. The preferred method of granting access is to give EXECUTE to theprocedures.


Table 2-111 Message for PUBLIC role access





Severity: green-0

Correctable: false




Title: Tableaccessible toPUBLIC

Description: Thetable is accessible toall users throughthe PUBLIC roleprivilege.

■ UNIX (30234)

■ Windows 2003(242234)

■ Windows 2008(255234)

String ID:ORA_PUBLIC_ACCESS


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



Password-protected default roleThis check reports the password-protected default roles of the roles.

For example:

■ Create a Role ‘Role A.’

■ Create another role that is identified by a password ‘Role B’.

■ Assign ‘Role B’ to ‘Role A.Now ‘Role B’ is the default password-protected role of Role A and the checkreports 'Role B', which is the default password-protected role of ‘Role A.’


176

The default roles do not require any passwords. Usually, a password-protectedrole has the privileges or roles that require authorization. Users withpassword-protected default roles are not required to enter their passwords to usethe roles. Use the name list to exclude the roles for this check.

Symantec recommends that for anunauthorizeduser, you either assign adifferentdefault role to the user or remove the password protection from the role.


Table 2-112 Message for Password-protected default role





Severity: yellow-1

Correctable: false




Title: Default rolerequires password

Description: Thedefault role ispasswordprotected.Password protectedroles usuallyinclude privilegesthat are securitysensitive. If the roleis a role's defaultrole, the role is notrequired to enter apassword. Verifythat the passwordprotected role isauthorized to be adefault role.

■ UNIX (30247)

■ Windows 2003(242247)

■ Windows 2008(255247)

String ID:ORA_DEFAULT_ROLE_PASS_REQUIRED


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)




PrivilegesThis check reports privileges that have been granted to roles. Use the name listto exclude the roles for this check.

Symantec recommends that you add or remove the privileges for the roles asappropriate. Periodically, you must review the roles to ensure that the privilegesgranted to them are consistent with the current user duties.


Table 2-113 Message for Privileges





Severity: green-0

Correctable: false




Title: Role privilege

Description: Therole includes theprivilege that isreported in the Infofield.

■ UNIX (30239)

■ Windows 2003(242239)

■ Windows 2008(255239)

String ID:ORA_ROLE_PRIVILEGE


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



RolesThis check reports roles that are defined in the database. Use the name list toexclude the roles for this check.

Symantec recommends that you remove the roles that are not authorized or areout of date. Periodically, youmust review the roles to ensure that they are currentlyauthorized.



178

Table 2-114 Message for Roles





Severity: green-0

Correctable: false




Title: Defined role

Description: Therole is defined forthe SID.

■ UNIX (30236)

■ Windows 2003(242236)

■ Windows 2008(255236)

String ID:ORA_EXISTING_ROLES


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



Roles without passwordsThis check reports the roles that do not require passwords. The roles that areauthenticated as External or Global are skipped. Use the name list to exclude theroles for this check.

If the role could be exploited to give the users access to security-relatedinformation, Symantec recommends that you password-protect the role. You cancontrol the permissions that are granted to roles that do not require passwords.



Table 2-115 Message for Roles without passwords





Severity: yellow-1

Correctable: false




Title: Password notrequired for role

Description: Therole is not passwordprotected.

■ UNIX (30233)

■ Windows 2003(242233)

■ Windows 2008(255233)

String ID:ORA_ROLE_PASSWORD


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



About the Oracle SID Discovery moduleChecks in this module report the following information:

■ Detects new Oracle database instances.

■ Reports deleted Oracle database instances.

■ Provides an option to automatically configure the newly discovered Oracledatabase instances.

■ Provides an option to automatically remove the deleted Oracle databaseinstances that are still configured.

Note: The Oracle SID Discovery is a host-based module.

Understanding the ESM Oracle Database ModulesAbout the Oracle SID Discovery module

180

Editing default settingsUse the checks in this group to edit the default settings for all the security checksin the module.

Reporting SID DiscoveryThe Symantec ESM module for Oracle SID Discovery includes four checks thatlet you automate the detection and the configuration of the oracle databaseinstances on the host computer.

You can use the Symantec ESM module for Oracle SID Discovery to detect andconfigure newly detected database instances and the database instances that havebeen uninstalled.

Configuring the Oracle database instances by using the Discoverymodule

The ESM Oracle Discovery module is a host-based module that automates theprocess of detection and configuration of new database instances that are not yetconfigured on the local ESM agent computers. The ESMOracle Discoverymodulealso detects the deleted database instances that are still configured on the ESMagent computers. TheESMOracleDiscoverymodule lets youdelete theuninstalleddatabase instances from the ESM agent computers.

Configuring a new Oracle database instanceTo report on the Oracle database instance, you should first configure the Oracledatabase instance on an ESM agent computer.

To configure a new Oracle database instance

1 Run the Discovery module on the ESM agent computers that have Oracledatabase installed.

The module lists all the new database instances that were not previouslyconfigured.

2 Select multiple database instances and do one of the following:

■ Right-click, select Correction option, and enter your system account orpre-created account credentials.The Correction option configures the database instances with SYSTEMaccount credentials or pre-created account credentials.

■ Right-click and select Snapshot Update option.

181Understanding the ESM Oracle Database ModulesAbout the Oracle SID Discovery module

The Snapshot Update option configures the database instance with / asSYSDBA method.

Note: The / as SYSDBA method does not work in case of Oracle Real ApplicationCluster (RAC). You must use the correct option and specify pre-created accountcredentials.

Removing deleted instancesAlthough you may have deleted an Oracle database instance, the configurationinformation still exists in the ESM module. As a result, when you execute themodule, it reports the deleted Oracle database instances as deleted databaseinstances.

To remove deleted instances

1 Run the Discovery module on the target ESM agent computers.

The module lists all the deleted database instances that were configuredearlier.

2 Selectmultiple database instances, right-click and select theSnapshotUpdateoption.

The Snapshot Update option deletes the configuration information of suchinstances

Automatically Add New InstanceThis check automatically configures all the newly detected instances. This checkworks with the Detect New Instance check. You can use this check to automatethe module to connect to each newly detected database instance by using the / assysdba method. In case of a successful connection, the module configures theinstance by adding entry in the oracle.dat file.

An error message displays if the module fails to connect to the newly detecteddatabase instance byusing the / as sysdbamethod. You can right-click themessageand click Correct to connect to the newly detected database instance. You haveto use the SYSTEM or pre-created account credentials to connect to the newlydetected database instance.

Note: This check does not work in case of Oracle Real Application Cluster (RAC).You must use the correct option and specify pre-created account credentials.


182

Oratab file locationsThis check works with the Detect New Instance and Detect Retired Instancechecks.Use thename list of theOratabfile locations check to specify the directorypaths that contains theoratab file. Apart fromthedirectorypaths that are specifiedin the name list, the check also takes into consideration the following:

■ Checks for the default location of the oratab file.

■ Considers only the directory paths as valid entries in the name list.

■ Checks for the presence of the oratab file for every specified path.

■ Collects information from multiple oratab files.

This check is only supported on UNIX.

Automatically Delete Retired InstanceThis check works with the Detect Retired Instance check and automaticallydeletes the corresponding retired server records from the configuration file. Youcan use this check to automate the module, to detect the uninstalled databaseinstances or to detect the instances that are unavailable, and then to delete thecorresponding entries from the oracle.dat file.

Default TablespaceYou can use this option to enter the default tablespace name in the DefaultTablespace text box. The check reports an error message if the tablespace thatyou specify does not exist in the database. However, the check continues with theconfiguration of the rest of the SIDs.

Detect New InstanceOn UNIX, this check reports the instances that are newly discovered on the ESMagent computers and which are not configured in the ESM Oracle configurationfile. These instances should be present in the oratab file and the correspondingOracle service of the instances should also be available.

On Windows, this check reports the instances that are newly discovered on theESM agent computers and which are not configured in the ESM Oracleconfiguration file. The corresponding Oracle service of the instances should alsobe available in running state. Use the name list to include or exclude the OracleSIDs from the configuration file.

OnbothUNIXandWindows, this check lets youuse theCorrect and theSnapshotUpdate options from the console.With the Correct option, you can configure the


database instance by using the SYSTEM account or a pre-created account. Withthe Snapshot Update option, you can configure the database instance by usingthe /as sysdba method. You can check the EsmOraConfig.log file for details.


Table 2-116 Messages for Detect New Instance


Message TitleandDescription



Severity: yellow-1

Correctable: true




Title: NewInstance

Description: Anew instance hasbeen detected onthe localcomputer. Toconfigure thenewly detectedinstance, eitheruse the Updateoption toconfigure usingSYSDBA methodor use the Correctoption to providethe appropriatelogon credentials.

■ UNIX (31831)

■ Windows2003 (243831)

■ Windows2008 (256831)

String ID:ESM_ORACLE_NEW_INSTANCE_DETECTED


Severity: yellow-1

Correctable: false




Title: Added NewInstance

Description: Anew serverinstancehas beendetected. Theconfigurationrecord for thenewly detectedinstancehas beensuccessfullyadded to theconfiguration file.

■ UNIX (31832)

■ Windows2003 (243832)

■ Windows2008 (256832)

String ID:ESM_ORACLE_NEW_INSTANCE_ADDED



184

Table 2-116 Messages for Detect New Instance (continued)


Message TitleandDescription



Severity: yellow-1

Correctable: true




Title: Failed toAddNewInstance

Description: Themodule failed toadd a record inthe configurationfile for the newinstance that wasdetected usingthe SYSDBAmethod. Use theCorrect option orUpdate option forconfiguring thenewly detectedinstance.

■ UNIX (31833)

■ Windows2003 (243833)

■ Windows2008 (256833)

String ID:ESM_ORACLE_ADD_INSTANCE_FAILED


Detect Retired InstanceOn Windows, this check reports all the instances that are present in the ESMOracle configuration file, but the Oracle service is unavailable.

Note: The Check SID process only text box is only applicable for the UNIXplatforms.

On UNIX, this check reports all the instances that are present in the ESM Oracleconfiguration file and are not there in the oratab file or the Oracle service isunavailable. If you specify zero in CheckSIDprocessonly the text box, the checkverifies the state of Oracle instance if its entry is present in the oratab file. If youspecify one in the text box, the check reports the retired Oracle instanceirrespective of its presence in the oratab file.



Table 2-117 Messages for Detect Retired Instance





Severity: yellow-1

Correctable: false




Title: RetiredInstance

Description: Aretired instance hasbeen detected onthe local computer.The configurationfile contains theconfigurationinformation for theRetired serverinstance. Use theUpdate option todelete theconfigurationinformation fromthe ESM Oracleconfiguration file.

■ UNIX (31834)

■ Windows 2003(243834)

■ Windows 2008(256834)

String ID:ESM_ORACLE_DEL_INSTANCE_DETECTED


Severity: yellow-1

Correctable: false




Title: DeletedRetired Instance

Description: Theconfigurationrecord for theretired instance hasbeen deleted fromthe ESM Oracleconfiguration file.

■ UNIX (31835)

■ Windows 2003(243835)

■ Windows 2008(256835)

String ID:ESM_ORACLE_INSTANCE_DELETED


ProfileYou can use the name list in this check to provide the profile name and thepassword parameters. If the profile that you specify exists in the database, thenthe module uses the existing profile. If the profile that you specify does not existin the database, then the module creates a new profile with the parameters thatyou specify in the name list.

Following are the default values of the profile name and the password parameters:

■ PROFILE=DEFAULT


186

■ FAILED_LOGIN_ATTEMPTS=DEFAULT

■ PASSWORD_GRACE_TIME=DEFAULT

■ PASSWORD_LIFE_TIME=DEFAULT

■ PASSWORD_LOCK_TIME=DEFAULT

■ PASSWORD_REUSE_MAX=DEFAULT

■ PASSWORD_REUSE_TIME=DEFAULT

■ PASSWORD_VERIFY_FUNCTION=DEFAULT

Temporary TablespaceYou canuse this option to enter the temporary tablespace name in theTemporaryTablespace text box. If the tablespace that you specify does not exist in thedatabase, then the module uses the default temporary tablespace to create theESMDBA account.

About the Oracle Tablespace moduleThis module checks for the tablespaces that are based on the options that youhave specified.

Creating a baseline snapshotTo establish a baseline, run the Tablespace module. This creates a snapshot ofcurrent account information that you can update when you run the checks thatreport new, deleted, or changed information.


Reporting tablespacesThe checks in this group report the existing tablespaces and the tablespaces thathave been added or deleted since the last snapshot update.

Reporting tablespace datafilesThe checks in this group report the existing datafiles and the datafiles that wereadded to or dropped from the database after the last snapshot update.

187Understanding the ESM Oracle Database ModulesAbout the Oracle Tablespace module

Reporting SYSTEM tablespace informationThe checks in this group report objects in the SYSTEMtablespace anduserswhosedefault or temporary tablespace is the SYSTEM tablespace.

Reporting DBA tablespace quotasThe checks in this group report violations of MAX_BYTES and MAX_BLOCKStablespace quotas.


Deleted tablespace datafilesThis checkworkswith theNew tablespace datafiles check and reports the datafilesthat were deleted after the last snapshot update. Use the name list to exclude thetablespaces for this check.

If the deletion is authorized, Symantec recommends that you either update thesnapshot or restore the datafile.


Understanding the ESM Oracle Database ModulesAbout the Oracle Tablespace module

188

Table 2-118 Message for Deleted tablespace datafiles





Severity: yellow-1

Correctable: false




Title: Deletedtablespace datafile

Description: Thetablespace datafilethat is reported inthe TablespaceDatafile field wasdropped from thereported tablespaceafter the lastsnapshot update. Ifthe deletion isauthorized, updatethe snapshot. If thedeletion is notauthorized, restorethe datafile to thetablespace.

■ UNIX (30435)

■ Windows 2003(242435)

■ Windows 2008(255435)

String ID:ORA_DELETED_DATAFILE


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



Deleted tablespacesThis check reports the tablespaces that were deleted from the Oracle databaseafter the last snapshot update. Use the name list to exclude the authorizedtablespaces for this check.

If the deletion is authorized, Symantec recommends that you either update thesnapshot or restore the tablespace.



Table 2-119 Message for Deleted tablespaces





Severity: yellow-1

Correctable: false




Title: DeletedOracle tablespace

Description: Thetablespace that isreported in theDatabaseTablespace fieldwas deleted afterthe last snapshotupdate. If thedeletion isauthorized, updatethe snapshot. If thedeletion is notauthorized, restorethe tablespace.

■ UNIX (30432)

■ Windows 2003(242432)

■ Windows 2008(255432)

String ID:ORA_DELETED_TABLESPACE


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



MAX_BLOCKS in DBA_TS_QUOTASThis check reports userswith resource rights to tablespaceswhoseMAX_BLOCKSvalues exceed the value that you specify in the check. For an unlimited numberof bytes, specify -1 in the MAX_BLOCKS field. Use the name list to exclude anyauthorized users for this check.

Symantec recommends that you drop the user or change the user'sMAX_BLOCKSsetting for the tablespace.



190

Table 2-120 Message for MAX_BLOCKS in DBA_TS_QUOTAS





Severity: yellow-1

Correctable: false




Title:MAX_BLOCKSper tablespaceexceeded

Description: Theuser exceeds themaximum numberof MAX_BLOCKS inDBA_TS_QUOTASfor the tablespacethat is reported inthe Info field. Dropthe user or changethe user'sMAX_BLOCKSsetting for thereported tablespace.

■ UNIX (30439)

■ Windows 2003(242439)

■ Windows 2008(255439)

String ID:ORA_MAX_BLOCKS_QUOTA


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



MAX_BYTES in DBA_TS_QUOTASThis check reports users with resource rights to tablespaces whose MAX_BYTESvalues exceed the value that you specify in the check. For an unlimited numberof bytes, specify -1 in the MAX_BYTES field. Use the name list to exclude anyauthorized users for this check.

Symantec recommends that you drop the user or change the user's MAX_BYTESsetting for the tablespace.



Table 2-121 Message for MAX_BYTES in DBA_TS_QUOTAS





Severity: yellow-1

Correctable: false




Title: MAX_BYTESper tablespaceexceeded

Description: Theuser exceeds themaximum numberof MAX_BYTES inDBA_TS_QUOTASfor the tablespacethat is reported inthe Info field. Dropthe user or changethe user'sMAX_BYTESsettingfor the reportedtablespace.

■ UNIX (30438)

■ Windows 2003(242438)

■ Windows 2008(255438)

String ID:ORA_MAX_BYTES_QUOTA


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



New tablespace datafilesThis check reports the datafiles that were added to tablespaces after the lastsnapshot update. Use the name list to exclude the tablespaces for this check.

If the change is authorized, Symantec recommends that you either update thesnapshot or drop the datafile from the tablespace.



192

Table 2-122 Message for New tablespace datafiles





Severity: yellow-1

Correctable: false




Title: Newtablespace datafile

Description: Thetablespace datafilethat is reported inthe TablespaceDatafile field wasadded to thetablespace after thelast snapshotupdate. If theaddition isauthorized, updatethe snapshot. If theaddition is notauthorized, dropthe datafile fromthe tablespace.

■ UNIX (30434)

■ Windows 2003(242434)

■ Windows 2008(255434)

String ID:ORA_ADDED_DATAFILE


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



New tablespacesThis check reports the tablespaces that were created in the Oracle database afterthe last snapshot update. Use the name list to exclude the authorized tablespacesfor this check.

If the addition is authorized, Symantec recommends that you either update thesnapshot or delete the new tablespace.



Table 2-123 Message for New tablespaces





Severity: yellow-1

Correctable: false




Title: New Oracletablespace

Description: Thetablespace that isreported in theDatabaseTablespace fieldwas created afterthe last snapshotupdate. If thetablespace isauthorized, updatethe snapshot. If thetablespace is notauthorized, deleteit.

■ UNIX (30431)

■ Windows 2003(242431)

■ Windows 2008(255431)

String ID:ORA_ADDED_TABLESPACE


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



Objects in SYSTEM tablespaceThis check reports tables and indexes that are in the SYSTEM tablespace. Use thename list to exclude users (owners) for this check.

Symantec recommends that you ensure only authorized objects reside in theSYSTEM tablespace.



194

Table 2-124 Message for Object in SYSTEM tablespace




MessageString IDand Category

Severity: green-0

Correctable: false




Title: Object inSYSTEMtablespace

Description: Theobject that isreported in theTablespace Objectfield is in theSYSTEMtablespace.Drop the object ormove it to anauthorizedtablespace.

■ UNIX (30436)

■ Windows 2003(242436)

■ Windows 2008(255436)

String ID:ORA_TAB_IN_SYS_TABLESPACE


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



Oracle system identifiers (SIDs)Use the name list to include the Oracle system identifiers (SIDs) for this check.By default, the check examines all the SIDs that you specify when you configurethe SymantecESMmodules for the Oracle databases. On Windows, the SymantecESM modules for Oracle Databases configuration are stored in\esm\config\oracle.dat file. On UNIX, the Symantec ESM modules for OracleDatabases configuration are stored in /esm/config/oracle.dat file.

Oracle tablespacesUse the name list to include or exclude the tables for the You can use this optionto specify tables for the MAX_BYTES in DBA_TS_QUOTAS and MAX_BLOCKS inDBA_TS_QUOTAS checks.


SYSTEM tablespace assigned to userThis check reports the users whose default or temporary tablespaces are theSYSTEM tablespace. Use the name list to exclude users for this check.

Symantec recommends that you ensure only authorized objects reside in theSYSTEM tablespace.


Table 2-125 Message for SYSTEM tablespace assigned to user





Severity: green-0

Correctable: false




Title: SYSTEMtablespace assignedto user

Description: Theuser that isreported in theUserfield uses theSYSTEMtablespaceas a default ortemporarytablespace. Dropthe user or changethe user'stablespace.

■ UNIX (30437)

■ Windows 2003(242437)

■ Windows 2008(255437)

String ID:ORA_USER_USING_SYS_TABLESPACE


Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)



Tablespace datafilesThis check reports the locations of all tablespace datafiles if the Permission settingis 0. Otherwise, the check reports either tablespace datafiles that have filepermissions which are less restrictive than you specify in the Permission field,


196

or tablespace datafiles that haveUID/GIDswhich donotmatch the correspondingUID/GIDs in the Oracle database. In the check’s TablespacestoSkip field, specifytablespaces that are to be excluded for the check. In the Permission field, specifya permission value as a three-digit octal number. Use the name list to exclude thetablespaces for this check.

If the file permissions are less restrictive than your security policy, you mustspecify a permission value for the datafile thatmatcheswith your security policy.Periodically, you must review the tablespace datafiles to ensure that they areauthorized and that the file permissions match with your security policy.


Table 2-126 Messages for Tablespace datafiles





Severity: green-0

Correctable: false




Title: Tablespacefile

Description: Thetablespace datafileis reported in theTablespaceDatafilefield.

■ UNIX (30433)String ID:ORA_DATAFILE


Severity: yellow-2

Correctable: false




Title: Tablespacefile permission

Description: Thetablespace datafilepermission isexcessive, or itsownership does notmatch thecorrespondingOracle databasepermissions.

■ UNIX (30440)String ID:ORA_DATAFILE_PERM



Table 2-126 Messages for Tablespace datafiles (continued)





Severity: green-0

Correctable: false




Title: LockedOraclefile




Severity: green-0

Correctable: false








Severity: green-0

Correctable: false






■ UNIX (30010)ORA_DIRECTORY_PERMS



198






Severity: green-0

Correctable: false






■ UNIX (30011)ORA_NOT_SUPPORTED


Severity: green-0

Correctable: false





Description: TheASM managedtablespace datafileis reported in theTablespaceDatafilefield.

■ UNIX (30041)ORA_ASM_DATAFILE


Severity: green-0

Correctable: false








Tablespace datafilesThis check reports the locations of all the tablespace datafiles and lists all theOperating system accounts that have permissions on the file. Use the name listto exclude the tablespaces for this check.

If the file permissions are less restrictive than your security policy, you mustspecify a permission value for the datafile thatmatcheswith your security policy.


Periodically, you must review the tablespace datafiles to ensure that they areauthorized and that the file permissions match with your security policy.


Table 2-127 Messages for Tablespace datafiles





Severity: green-0

Correctable: false





Description: Thetablespace datafileis reported in theTablespaceDatafilefield.

■ Windows 2003(242433)

■ Windows 2008(255433)

String ID:ORA_DATAFILE


Severity: green-0

Correctable: false





File permissionscannot be reportedbecause the file isbeing used byanother process.

■ Windows 2003(242434)

■ Windows 2008(255434)

String ID:ORA_FILE_LOCKED


Severity: green-0

Correctable: false






■ Windows 2003(242435)

■ Windows 2008(255435)

String ID:ORA_FILE_NOT_FOUND



200






Severity: green-0

Correctable: false






■ Windows 2003(242436)

■ Windows 2008(255436)



Severity: green-0

Correctable: false






■ Windows 2003(242436)

■ Windows 2008(255436)



Severity: green-0

Correctable: false





Description: TheASM managedtablespace datafileis reported in theTablespaceDatafilefield.

■ Windows 2003(242437)

■ Windows 2008(255437)

ORA_ASM_DATAFILE








Severity: green-0

Correctable: false






■ Windows 2003(30014)

■ Windows 2008(30014)



TablespacesThis check reports all the tablespaces that are created in the Oracle database. Onthe Oracle 11g and later versions, the check also reports the encryption status ofthe tablespaces. Use the name list to exclude the authorized tablespaces for thischeck.

Symantec recommends that you periodically review the tablespaces to ensurethat they are all authorized.


Table 2-128 Message for Tablespaces





Severity: green-0

Correctable: false




Title: Oracletablespace

Description: Thetablespace isdefined in thedatabase.

■ UNIX (30430)

■ Windows 2003(242430)

■ Windows 2008(255430)

String ID:ORA_TABLESPACE



202

Table 2-128 Message for Tablespaces (continued)





Severity: green-0

Correctable: false






■ UNIX (30014)

■ Windows 2003(30014)

■ Windows 2008(30014)





204

Working with the Oracletemplates


■ Templates

■ About the Oracle Profiles template

■ About the Oracle Roles template

■ About the Oracle System Privileges template

■ About the Oracle Roles template

■ About the Oracle System Privileges template

■ About the Oracle Configuration Watch template

■ About the Oracle Net Configuration Watch template

■ About the Oracle Object Privileges template

■ About the Oracle Patch template

■ About the Oracle Critical Object template

■ About the Oracle Auditing template

TemplatesSeveral of the documented modules use templates to store the Oracle databaseparameters and object settings. The differences between the current settings andtemplate values are reported when the modules run. Modules use templates tostore Oracle database parameters and object settings.

3Chapter

Table 3-1 UNIX Templates

Predefined templateTemplate nameCheck nameModule

oraaudit.oadOracle AuditingAudit settingsOracle Auditing

NAOracle ConfigurationWatch

Oracleconfigurationwatch

Oracle Configuration

NAOracle NetConfigurationWatch

Oracle netconfigurationwatch

Oracle Networks

oraclecriticalobjects.rcoOracle CriticalObjects

Critical ObjectsOracle Objects

oracleobjectprivileges.oopOracle ObjectPrivileges

Object PrivilegesOracle Objects

oraclefw.fwNew File -allNew FileFile Watch

orabin.aixNew File - AIXNew FileFile Watch

orabin.hpxNew File - HP-UXNew FileFile Watch

orabin.liNew File - LinuxNew FileFile Watch

orabin.solNew File - SolarisNew FileFile Watch

orapatch.orpOracle PatchTemplate filesOracle Patches

ora_cpu_psu.orpOracle PatchOracle Templatefiles

Oracle Patches

NAOracle SystemPrivileges

Granted privilegesOracle Roles

NAOracle RolesGranted rolesOracle Roles

NAOracle ProfilesProfile settingsOracle Profiles

Table 3-2 Windows Templates


oraaudit.oadOracle AuditingAudit settingsOracle Auditing

NAOracle ConfigurationWatch

Oracleconfigurationwatch

OracleConfiguration

Working with the Oracle templatesTemplates

206

Table 3-2 Windows Templates (continued)


NAOracle NetConfiguration Watch

Oracle netconfigurationwatch

Oracle Networks

oraclecriticalobjects.rcoOracle CriticalObjects

Critical ObjectsOracle Objects

oracleobjectprivileges.oopOracle ObjectPrivileges

Object PrivilegesOracle Objects

orawinpatch.orpOracle PatchTemplate filesOracle Patches

ora_cpu_psu.orpOracle PatchOracle Templatefiles

Oracle Patches

NAOracle SystemPrivileges

Granted privilegesOracle Roles

NAOracle RolesGranted rolesOracle Roles

NAOracle ProfilesProfile settingsOracle Profiles

About the Oracle Profiles templateIn the Oracle Profiles module, the Profile settings check uses the Oracle Profilestemplate. The check reports the profile settings that do not match the settingsthat are specified in the template.

Creating the Oracle Profiles templateYou must create and enable a new Oracle Profiles template before you run theProfile settings check.

To create an Oracle Profiles template

1 In the tree view, right-click Templates, and then click New.

2 In the Create New Template dialog box, select Oracle Profiles - all.

3 In the Template file name (no extension) text box, type new template filename.

4 After Symantec ESM adds the .opa extension to the template file name, clickOK.

207Working with the Oracle templatesAbout the Oracle Profiles template

About using the Oracle Profiles templateThe Oracle Profiles template contains the following fields:

Table 3-3 Field and Values/Options descriptions

Values/OptionsDescriptionField

Enter a name for the profile.Lets you specify the name ofthe profile.

Profile Name

Enter the number ofconcurrent sessions for auser.

Lets you specify number ofconcurrent sessions for auser.

Sessions per User

Enter the CPU time a call.Lets you specify the CPUtime for a call.

CPU time per call

Enter a connection time foran account.

Lets you specify theconnection time for anaccount.

Connection time

Enter the idle time that yourequire before the process isdisconnected.

Lets you specify the idle timethat is required before aprocess is disconnected.

Idle time

Enter a number to allowfailed login attempts.

Lets you specify a period forthe failed login attempts.

Failed logins

Enter a number for thepassword grace period.

Lets you specify thepassword grace period.

Password grace time

Enter password duration forthe number of failed logonattempts, password gracetime, password duration,password lock time, andpassword reuserequirements.

Lets you specify the settingsfor the number of failedlogon attempts, passwordgrace time, passwordduration, password lock time,and password reuserequirements that violateyour security policy.

Password duration

Enter a number for thepassword lock time period.

Lets you specify thepassword lock time period.

Password lock time

Enter anumber to specify themaximum period for thepassword usage.

Lets you specify themaximum period for thepassword usage.

Password reuse max

Working with the Oracle templatesAbout the Oracle Profiles template

208

Table 3-3 Field and Values/Options descriptions (continued)


Enter anumber to specify themaximum period for thepassword reuse.

Lets you specify themaximum period before thepassword can be reused.

Password reuse time

Enter a password complexityfunction.

Lets you specify thepassword complexityfunctions.

Password verify function

■ Green

Select Green for anInformation message.

■ Yellow

Select Yellow for aWarning message.

■ Red

Select Red for an Errormessage.

Lets you specify the severityfor the messages that thecheck reports.

Severity

About the Oracle Roles templateIn theOracleRolesmodule, theGrantedroles checkuses theOracleRole template.The check lets you report on the roles that you specify in the template.

Creating the Oracle Roles templateYou must create and enable a new Oracle Roles template before you run theGranted roles check.

To create an Oracle Roles template


2 In the Create New Template dialog box, select Oracle Roles - all.


4 After Symantec ESM adds the .ogr extension to the template file name, clickOK.

About using the Oracle Roles templateThe Oracle Roles template contains the following fields:

209Working with the Oracle templatesAbout the Oracle Roles template


Wildcard supportValues/OptionsDescriptionField

You can use thewildcard character '*'while specifying therole.

Enter the name of arole for the check toreport on.

Lets you specify therole that you wantthe check to reporton.

Role

You can use thewildcard character '*'while specifying thegrantee.

Enter thenameof thegrantee.

Lets you specify thename of the grantee.

Grantee

NASelect the Adminoption for thegrantee. The optionsare as follows:

■ Yes (With Adminoptions)

■ No (WithoutAdmin options)

■ Either(With/withoutAdmin options)

Lets you specify theAdmin option for thegrantee.

Admin option

NA■ Prohibited

ESM reports amessage if theprivilege is foundon the Oracledatabase.

■ Mandatory

ESM reports amessage if theprivilege is notfound on theOracle database.

Lets you specifywhether you wantESM to report thespecified privilegesas mandatory orprohibited.

Required

NANALets you specify anadditional comment.

Comment

Working with the Oracle templatesAbout the Oracle Roles template

210



NA■ Green

Select Green foran Informationmessage.

■ Yellow

Select Yellow fora Warningmessage.

Red

Select Red for anError message.

Lets you specify theseverity for themessages that thecheck reports.

Severity

NAEnter an Oracleversion.

If youdonot enter anOracle version, thecheck reports on allthe Oracle databaseversions.

Lets you specify theOracle version for thecheck to report on.

Version

NA■ Exclude

Select theprivilege or thegrantee that youwant to excludefor the check toreport on.

■ Name

Enter the namefor the privilegeor the grantee.

Lets you display theTemplate SublistEditor window whenyou click the ExcludeList field.

Exclude List

About the Oracle System Privileges templateIn the Oracle Rolesmodule, the Grantedprivileges check uses the Oracle SystemPrivileges template. The check lets you report on the system privileges that youspecify in the template.

211Working with the Oracle templatesAbout the Oracle System Privileges template

Creating the Oracle System Privileges templateYou must create and enable a new Oracle System Privileges template before yourun the Granted privileges check.

To create an Oracle System Privileges template


2 In the Create New Template dialog box, select Oracle System Privileges - all.


4 After Symantec ESM adds the .osp extension to the template file name, clickOK.

About using the Oracle System Privileges templateThe Oracle System Privileges template contains the following fields:



You can use thewildcard character '*'while specifying theprivilege.

Enter a privilegename for the check toreport on.

Lets you specify theprivilege that youwant the check toreport on.

Privilege




Grantee






Admin option

Working with the Oracle templatesAbout the Oracle System Privileges template

212



NA■ Prohibited


■ Mandatory


■ Allowed

ESM reports amessage if all theprivileges are notfound on theOracle database.

Lets you specifywhether you wantESM to report thespecified privilegesas mandatory,prohibited, orallowed.

Required


Comment

NA■ Green


■ Yellow


Red



Severity




Version




NA■ Exclude


■ Name



Exclude List

About the Oracle Roles templateIn theOracleRolesmodule, theGrantedroles checkuses theOracleRole template.The check lets you report on the roles that you specify in the template.

Creating the Oracle Roles templateYou must create and enable a new Oracle Roles template before you run theGranted roles check.

To create an Oracle Roles template


2 In the Create New Template dialog box, select Oracle Roles - all.


4 After Symantec ESM adds the .ogr extension to the template file name, clickOK.

About using the Oracle Roles templateThe Oracle Roles template contains the following fields:

Working with the Oracle templatesAbout the Oracle Roles template

214



You can use thewildcard character '*'while specifying therole.

Enter the name of arole for the check toreport on.

Lets you specify therole that you wantthe check to reporton.

Role




Grantee






Admin option

NA■ Prohibited


■ Mandatory


■ Allowed



Required


Comment

215Working with the Oracle templatesAbout the Oracle Roles template



NA■ Green


■ Yellow


Red



Severity




Version

NA■ Exclude


■ Name



Exclude List

About the Oracle System Privileges templateIn the Oracle Rolesmodule, the Grantedprivileges check uses the Oracle SystemPrivileges template. The check lets you report the privileges and the associatedusers and roles that violate the conditions that you specify in the template.


216

Creating the Oracle System Privileges templateYou must create and enable a new Oracle System Privileges template before yourun the Granted privileges check.

To create an Oracle System Privileges template


2 In the Create New Template dialog box, select Oracle System Privileges - all.


4 After Symantec ESM adds the .osp extension to the template file name, clickOK.

About using the Oracle System Privileges templateThe Oracle System Privileges template contains the following fields:



You can use thewildcard character '*'while specifying theprivilege.

Enter a privilegename for the check toreport on.

Lets you specify theprivilege that youwant the check toreport on.

Privilege




Grantee






Admin option




NA■ Prohibited


■ Mandatory


■ Allowed



Required


Comment

NA■ Green


■ Yellow


Red



Severity




Version


218



NA■ Exclude


■ Name



Exclude List

About the Oracle Configuration Watch templateThe Oracle configuration watch check of the Oracle configuration module usesthe Oracle Configuration Watch template. By using this template, the check letsyou enable or disable the templates that specify initialization and the configurationparameters that should be watched.

Creating the Oracle Configuration Watch templateYou must create and enable a new Oracle Configuration Watch template beforeyou run the Oracle configuration watch check.

To create an Oracle Configuration Watch template


2 In the Create New Template dialog box, select Oracle Configuration Watch- all.


4 After Symantec ESM adds the .ocw extension to the template file name, clickOK.

About using the Oracle Configuration Watch templateThe Oracle Configuration Watch template contains the following fields:

219Working with the Oracle templatesAbout the Oracle Configuration Watch template



NALets you specify adescriptionfor the parameter that youenter in theParameter field.

Description

Enter the configuration orinitialization parameter ofOracle that you want thecheck to report on.

Lets you specify theparameter.

Parameter

Select the check box toexamine the runtime values.

Lets you select this check boxif you want this check toexamine the runtime values.

Runtime Value

■ Optional

Reports the parametervalues that violate thevalue that is defined ininit<SID>.ora.

■ Required

Report a violation if theparameter is not definedin init<SID>.ora.

■ Skipped

Ignore the parametervalue that is defined ininit<SID>.ora.

Lets you specify an optionalvalue.

Init File Value

Working with the Oracle templatesAbout the Oracle Configuration Watch template

220



■ Prohibited Value

Select the check box todesignate the value asprohibited.

■ Value

Enter a regularexpression or as anumeric comparison.

■ You can use thefollowing specialcases:

+

■ NULL or null

empty string

If the value begins withone of the followingnumeric comparisonoperators, a numericcomparison is performed:

■ =

equal to

■ <

less than

■ >

greater than

■ !=

not equal to

■ <=

less than or equal to

■ >=

greater than or equal to

Note: If you specify a pathname in the value, you needto escape the ‘\’ character byusing another ‘\’.

Note: For example, specifythe path namec:\test\test.txt asfollows:c:\\test\\test.txt.

Lets you specify a value forthe parameter by using theTemplate Sublist Editor.

Parameter Values

221Working with the Oracle templatesAbout the Oracle Configuration Watch template



■ Green


■ Yellow


■ Red


Specify the severity for themessages that ESM reportswhen the parameter value isviolated.

Severity

■ empty

All releases (default if norelease specified)

■ 9.0

Release 9.0.x

■ +9

Release 9.2.x and later

■ +10


■ +11


Lets you specify the Oracleversion of the target serverthat you want the check toreport on.

Oracle Version

Select the check box todisplay the configurationvalue.

Lets you select this check boxif you want this check todisplay the configurationvalue.

Display configuration value

About the Oracle Net Configuration Watch templateThe Oracle net configuration watch check of the Oracle networks module usesthe Oracle Net Configuration Watch template. By using this template, the checkreports on theOracle Listener, Sqlnet, andNames configuration parameter valuesthat violate conditions of the corresponding template parameters.

Creating the Oracle Net Configuration Watch templateYoumust create and enable anewOracleNetConfigurationWatch template beforeyou run the Oracle net configuration watch check.

Working with the Oracle templatesAbout the Oracle Net Configuration Watch template

222

To create an Oracle Net Configuration Watch template


2 In the Create New Template dialog box, select Oracle Net Watch - all.


4 After Symantec ESM adds the .onw extension to the template file name, clickOK.

About using the Oracle Net Configuration Watch templateThe Oracle Net Configuration Watch template contains the following fields:



NALets you specify adescriptionfor the parameter that youenter in theParameter field.

Description

Enter a name of theparameter that youwant thecheck to report on.

Lets you specify a parametername.

Parameter

223Working with the Oracle templatesAbout the Oracle Net Configuration Watch template



■ Listener ControlParameter

Lets the Symantec ESMcompare the values in theOracle Net Watchtemplate with theparameter values in thelistener.ora file.

■ Sqlnet Profile Parameter

Lets the Symantec ESMcompare the values in theOracle Net Watchtemplate with theparameter values in thesqlnet.ora file.

■ Oracle Names Parameter

Lets the Symantec ESMcompare the values in theOracle Net Watchtemplate with theparameter values in thenames.ora file.

Lets you select a parametertype.

Parameter Type

Select the check box for thecheck to report on thisparameter.

Note: SymantecESMreportsif this parameter is not foundand if the parameter is foundbut fails the comparisonwithtemplate values. If youdonotselect this check box, thenSymantec ESM reports onlyif this parameter is foundand fails the templatecomparison.

Lets you select this check boxif youwant this parameter asrequired.

Required Parameter


224



Lets you specify a value forthe parameter by using theTemplate Sublist Editor.

Parameter Values




■ Prohibited Value

Select the check box todesignate the value asprohibited.

■ Value

Enter a regularexpression or as anumeric comparison.

■ You can use thefollowing specialcases:

+

‘+’ character

■ NULL or null

empty string

If the value begins withone of the followingnumeric comparisonoperators, a numericcomparison is performed:

■ =

equal to

■ <

less than

■ >

greater than

■ !=

not equal to

■ <=

less than or equal to

■ >=

greater than or equal to

Note: If you specify a pathname in the value, you needto escape the ‘\’ character byusing another ‘\’.

Note: For example, specifythe path namec:\test\test.txt asfollows:


226



c:\\test\\test.txt.

■ Green


■ Yellow


■ Red


Specify the severity for themessages that ESM reportswhen the parameter value isviolated.

Severity

■ 9.0

Release 9.0.x

■ +9


■ +10


■ +11



Oracle Version

See “Examples of using theOracleNetConfigurationWatch template”onpage227.

Examples of using the Oracle Net Configuration Watch templateThis section contains examples on the values that youmust enter in the templatefield for the check to report on.

Table 3-10 contains the template field and its respective values that you mustenter if you want to check on the valid configuration parameters.


Table 3-10 Examples of Listener Control Parameter

ValueOracle fileParameter type

■ ADMIN_RESTRICTIONS

■ LOG_FILE

■ PASSWORDS

■ SAVE_CONFIG_ON_STOP

■ STARTUP_WAIT_TIME

■ TRACE_DIRECTORY,TRACE_FILE

■ ADMIN_RESTRICTIONS_LISTENER

■ INBOUND_CONNECT_TIMEOUT_LISTENER

■ LOGGING_LISTENER

■ LOG_DIRECTORY

■ LOG_FILE_LISTENER

■ PASSWORDS_LISTENER

■ SAVE_CONFIG_ON_STO_LISTENERP

■ SSL_CLIENT_AUTHENTICATION_LISTENER

■ STARTUP_WAIT_TIME_LISTENER

■ TRACE_DIRECTORY_LISTENER

■ TRACE_FILE_LISTENER

■ TRACE_FILELEN_LISTENER

■ TRACE_FILENO_LISTENER

■ TRACE_LEVEL_LISTENER

■ TRACE_TIMESTAMP_LISTENER

■ USE_CKPFILE

■ LOCAL_OS_AUTHENTICATION

■ SUBSCRIBE_FOR_NODE_DOWN_EVENT

listener.oraListener Control Parameter



228

Table 3-11 Examples of Sqlnet Profile Parameter


■ BEQUEATH_DETACH

■ DAEMON.TRACE_DIRECTORY

■ DISABLE_OOB

■ LOG_DIRECTORY_CLIENT

■ LOG_DIRECTORY_SERVER

■ NAMES.CONNECT_TIMEOUT

sqlnet.oraSqlnet Profile Parameter


Table 3-12 Examples of Oracle Names Parameter


■ NAMES.ADDRESSES

■ NAMES.ADMIN_REGION

■ NAMES.AUTHORITY_REQUIRED

■ NAMES.CONFIG_CHECKPOINT_FILE

■ NAMES.DOMAIN_HINTS

■ NAMES.LOG_FILE

names.oraOracle Names Parameter

About the Oracle Object Privileges templateThe Object Privileges check of the Oracle objects module uses the Oracle ObjectPrivileges template. By using this template, the check lets you report on the objectprivileges that you specify in the template.

Creating the Oracle Object Privileges templateYou must create and enable a new Oracle Object Privileges template before yourun the Object Privileges check.

To create an Oracle Object Privileges template


2 In theCreateNewTemplatedialog box, selectOracleObjectPrivilegesWatch- all.

229Working with the Oracle templatesAbout the Oracle Object Privileges template


4 After Symantec ESM adds the .oop extension to the template file name, clickOK.

About using the Oracle Object Privileges templateThe Oracle Object Privileges template contains the following fields:



Enter the name of the objectthat you want the check toreport on.

Lets you specify an objectname that you want thecheck to report on.

Object Name

Enter the owner name of theobject that you want thecheck to report on.

Lets you specify an ownername of the object that youwant the check to report on.

Owner

NALets you enter additionalcomments on the object.

Comments

■ Green


■ Yellow


■ Red


Lets you select the severityfor the messages that thecheck reports on the data.

Severity

■ 9.0

Release 9.0.x

■ +9


■ +10


■ +11



Version

Working with the Oracle templatesAbout the Oracle Object Privileges template

230



Lets you specify theprivileges by using theTemplate Sublist Editor.

Privilege List




■ Required

Lets you specify if theexistence of the object onthe target server ismandatory, prohibited, orallowed.

■ Prohibited

Object must not exist.

■ Mandatory

Object must exist.

■ Allowed

Object existence isallowed.

■ Object Privilege

Lets you enter the accessprivileges based on thedatabase objects that youspecify in the ObjectName field.

■ Grantor

Lets you enter the nameof the grantor based onthe object name andobject privileges that youspecify in the ObjectName and ObjectPrivilege fieldsrespectively.

■ Grantee

Lets you enter the nameof the grantee based onthe object name andobject privileges that youspecify in the ObjectName and ObjectPrivilege fieldsrespectively.

■ With Grant Option

Select this check box ifyou want the privilegeswith grant options thatyou specify in the Object

Working with the Oracle templatesAbout the Oracle Object Privileges template

232



Privilege field to bereported.

■ Exclude

Specify the privilege thatyou want to exclude.

You can specify one of thefollowing:

■ Object Name

Select this option ifyou want to excludethe name of theobject.

■ Owner

Select this option ifyou want to excludethe owner of theobject.

■ Object Privilege

Select this option ofyou want to excludethe privileges of theobject.

■ Grantor

Select this option ifyou want to excludethe grantor of theobject.

■ Grantee

Select this option ifyou want to excludethe grantee of theobject.

■ Name

Enter the name of theobject that you want toexclude.

Lets you exclude the objectprivileges by using theTemplate Sublist Editor.

Exclude List


About the Oracle Patch templateThe Patch information check of the Oracle patchesmodule uses the Oracle Patchtemplate. By using this template, the check reports information about the patchesthat have been released within the number of days that you specify in the check.

Creating the Oracle Patch templateYoumust create and enable anewOracle Patch template before you run thePatchinformation check.

To create an Oracle Patch template


2 In the Create New Template dialog box, select Oracle Patch - all.


4 After Symantec ESM adds the .orp extension to the template file name, clickOK.

About using the Oracle Patch templateThe Oracle Patch template contains the following fields:



Enter the patch versionnumber that you want thecheck to report on.

Lets you specify the Oracledatabase version of thetarget server that you wantthe check to report on.

Version

Working with the Oracle templatesAbout the Oracle Patch template

234



Lets you specify the platformof the target server that youwant the check to report on.

Platform

235Working with the Oracle templatesAbout the Oracle Patch template



■ All

Select this value for thecheck to report on allplatforms.

■ aix

Select this value for thecheck to report on Aixplatforms.

■ hpux-hppa

Select this value for thecheck to report onHpux-hppa platforms.

■ linux

Select this value for thecheck to report on Linuxplatforms.

■ solaris-sparc

Select this value for thecheck to report onSolaris-sparc platforms.

■ hpux-ia64

Select this value for thecheck to report onHpux-ia64 platforms.

■ hpux-hppa/HP-UX 10.20

Select this value for thecheck to report onHP-UX10.20 platforms.

■ redhat-x86

Select this value for thecheck to report onRedHat platforms.

■ WIN2K

Select this value for thecheck to report on allWindows2000platforms.

■ WIN3S


■ WIN8S

Working with the Oracle templatesAbout the Oracle Patch template

236




Enter the name of theproduct that is installed onthe server. For example,Oracle Database server.

Lets you specify the productname that is installed on theserver.

Note: The check does notconsider the product namefor the verification report.

Product

Enter the ID that you wantthe check to report on.

Lets you specify the ID thatyou want the check to reporton.

ID

Enter the Patch ID that youwant the check to report on.

Lets you specify the Patch IDthat you want the check toreport on.

The check reports a violationif the Patch ID that youspecify in the template isgreater than the Patch IDthat is applied on the targetserver.

Patch ID

Enter the date in thefollowing format:YYYY/MM/DD.

Lets you specify the releasedate of the Patch.

Date

■ All

Select this value for thecheck to report on allprocessors.

■ 32 bits

Select this value for thecheck to report on 32-bitprocessor.

■ 64 bits

Select this value for thecheck to report on 64-bitprocessor.

Lets you specify thearchitecture of the serverthat you want the check toreport on.

Architecture

237Working with the Oracle templatesAbout the Oracle Patch template



NALets you enter a descriptionfor the patch.

Description

Select the patch set.Lets you select the patch set.Patch Set

■ Patch ID

Enter the name of thepatch ID that youwant tomerge.

Lets you specify the patchesthat you want to merge byusing the Template SublistEditor.

Merged Patches

About the Oracle Critical Object templateThe Critical objects check of the Oracle Objects module uses the Oracle CriticalObject template. By using this template, the check iterates through all objects andreports critical objects that you specify in the template.

Creating the Oracle Critical Object templateYou must create and enable a new Oracle Critical Object template before you runthe Critical objects check.

To create an Oracle Critical Object template


2 In the Create New Template dialog box, select Oracle Critical Object - all.


4 After Symantec ESM adds the .rco extension to the template file name, clickOK.

About using the Oracle Critical Object templateThe Oracle Critical Object template contains the following field:



Enter the name of the objectthat you want the check toreport on.

Lets you enter the objectname that you want thecheck to report on.

Object

Working with the Oracle templatesAbout the Oracle Critical Object template

238

About the Oracle Auditing templateIn the Oracle Auditing module, the Audit Setting check uses the Oracle Auditingtemplate. The check reports the audit settings that do notmatch the settings thatare specified in the template file.

The default templates are available for each supported operating system.

Creating the Oracle Auditing templateYou must create and enable a new Oracle Audting template before you run theAudit setting check.

To create a Oracle Auditing template


2 In the Create New Template dialog box, select Oracle Auditing- all.

3 In the Template file name (no extension) text box, type new template filename. Symantec ESM adds the .oad extension to the template file name.

4 Click OK.

About using the Oracle Auditing templateThe Oracle Audting template contains the following fields:



■ PRIV (PrivilegeAuditing)

Select this option if youwant the check to reporton the privileges.

■ STMT (Statementauditing)

Select this option if youwant the check to reporton the statements.

Lets you specify an audit thatis based on either astatement or a privilege.

Audit Type

Enter the name of the auditoption.

For example: CREATESESSION

Lets you specify the auditoption for the audit type thatyou specify.

For example: PRIV

Audit Option

239Working with the Oracle templatesAbout the Oracle Auditing template



Enter the name of the user.

You can use the keyword,‘ANY’ while specifying theuser name.

Lets you specify theuserwhoexecutes the statementor theprivilege.

User

■ BY ACCESS

This option is based onper access auditing.

■ BY SESSION

This option is based onper session auditing.

■ NOT SET

This session is not set forauditing.

■ IS SET

This option is either setfor session or accessauditing.

Lets you specify a state forthe audit that you specify.

Success

■ BY ACCESS

This option is based onper access auditing.

■ BY SESSION

This option is based onper session auditing.

■ NOT SET

This session is not set forauditing.

■ IS SET

This option is either setfor session or accessauditing.

Lets you specify a state forthe audit that you specify.

Failure

Working with the Oracle templatesAbout the Oracle Auditing template

240



■ Green


■ Yellow


■ Red


Lets you specify the severitylevel for the audit type thatyou select.

Severity

241Working with the Oracle templatesAbout the Oracle Auditing template

Working with the Oracle templatesAbout the Oracle Auditing template

242

Documents

Symantec Enterprise Security Manager Oracle …...2011/12/06 · Security Manager Oracle Database Modules User Guide Version 5.1 Symantec Enterprise Security Manager Oracle Database