Symantec Enterprise Security Manager Modules for Oracle Databases (Windows) User Guide
Release 4.1 for Symantec ESM 6.5.x and 9.0
For Windows 2000, 2003, 2008


Symantec™ Enterprise Security Manager Modules for Oracle Databases (Windows) User Guide 4.1

The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Documentation version: 4.1

Legal Notice

Copyright © 2009 Symantec Corporation. All rights reserved.

Symantec, the Symantec Logo, LiveUpdate, and Symantec Security Response are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This Symantec product may contain third party software for which Symantec is required to provide attribution to the third party ("Third Party Programs"). Some of the Third Party Programs are available under open source or free software licenses. The License Agreement accompanying the Software does not alter any rights or obligations you may have under those open source or free software licenses. Please see the Third Party Legal Notice Appendix to this Documentation or TPIP ReadMe File accompanying this Symantec product for more information on the Third Party Programs.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.

Symantec Corporation
350 Ellis Street
Mountain View, CA 94043

http://www.symantec.com

Technical Support

Symantec Technical Support maintains support centers globally. Technical Support’s primary role is to respond to specific queries about product features and functionality. The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.

Symantec’s maintenance offerings include the following:

■ A range of support options that give you the flexibility to select the right amount of service for any size organization

■ Telephone and Web-based support that provides rapid response and up-to-the-minute information

■ Upgrade assurance that delivers automatic software upgrade protection

■ Global support that is available 24 hours a day, 7 days a week

■ Advanced features, including Account Management Services

For information about Symantec’s Maintenance Programs, you can visit our Web site at the following URL:

www.symantec.com/techsupp/

Contacting Technical Support

Customers with a current maintenance agreement may access Technical Support information at the following URL:

www.symantec.com/techsupp/

Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to replicate the problem.

When you contact Technical Support, please have the following information available:

■ Product release level

■ Hardware information

■ Available memory, disk space, and NIC information

■ Operating system


■ Version and patch level

■ Network topology

■ Router, gateway, and IP address information

■ Problem description:

■ Error messages and log files

■ Troubleshooting that was performed before contacting Symantec

■ Recent software configuration changes and network changes

Licensing and registration

If your Symantec product requires registration or a license key, access our technical support Web page at the following URL:

www.symantec.com/techsupp/

Customer service

Customer service information is available at the following URL:

www.symantec.com/techsupp/

Customer Service is available to assist with the following types of issues:

■ Questions regarding product licensing or serialization

■ Product registration updates, such as address or name changes

■ General product information (features, language availability, local dealers)

■ Latest information about product updates and upgrades

■ Information about upgrade assurance and maintenance contracts

■ Information about the Symantec Buying Programs

■ Advice about Symantec's technical support options

■ Nontechnical presales questions

■ Issues that are related to CD-ROMs or manuals

Maintenance agreement resources

If you want to contact Symantec regarding an existing maintenance agreement, please contact the maintenance agreement administration team for your region as follows:

Asia-Pacific and Japan: [email protected]

Europe, Middle-East, and Africa: [email protected]

North America and Latin America: [email protected]

Additional enterprise services

Symantec offers a comprehensive set of services that allow you to maximize your investment in Symantec products and to develop your knowledge, expertise, and global insight, which enable you to manage your business risks proactively.

Enterprise services that are available include the following:

Symantec Early Warning Solutions: These solutions provide early warning of cyber attacks, comprehensive threat analysis, and countermeasures to prevent attacks before they occur.

Managed Security Services: These services remove the burden of managing and monitoring security devices and events, ensuring rapid response to real threats.

Consulting Services: Symantec Consulting Services provide on-site technical expertise from Symantec and its trusted partners. Symantec Consulting Services offer a variety of prepackaged and customizable options that include assessment, design, implementation, monitoring, and management capabilities. Each is focused on establishing and maintaining the integrity and availability of your IT resources.

Educational Services: Educational Services provide a full array of technical training, security education, security certification, and awareness communication programs.

To access more information about Enterprise services, please visit our Web site at the following URL:

www.symantec.com

Select your country or language from the site index.

Contents

Technical Support  4

Chapter 1  Introducing Symantec ESM modules for Oracle Databases  11
    About the Symantec ESM modules for Oracle Databases  11
    What you can do with the Symantec ESM modules for Oracle databases  12
    Template  12
    Where you can get more information  12

Chapter 2  Installing Symantec ESM modules for Oracle Databases  15
    Installing ESM modules for Oracle Databases  15
        Before you install  15
        Minimum account privileges  16
        System requirements  18
        About using parameters in the oraenv.dat file  19
        About installing the ESM modules for Oracle databases  22
        How to run the installation program and register the files?  23
        How to add configuration records to enable the ESM security checking for the Oracle database?  25
        Silently installing the ESM modules for Oracle databases  30
    About registering agents  32
    About customizing checks  32
        Customizing the .m files  32

Chapter 3  About the Symantec ESM Modules for Oracle Databases  33
    About Oracle SID Discovery  33
        Configuring the Oracle database instances by using the Discovery module  34
        Editing default settings  35
        Reporting SID Discovery  36
    About Oracle accounts  38
        Establishing a baseline snapshot  38
        Editing default settings  38
        Reporting operating system access  39
        Reporting user roles  40
        Reporting user privileges  42
        Reporting user accounts  43
        Reporting account changes  45
        Reporting account defaults  46
    About Oracle auditing  48
        Establishing a baseline snapshot  48
        Editing default settings  48
        Reporting audit status and access  48
        Audit reporting methods  49
        Reporting statement audits  50
        Reporting object audits  52
        Reporting privilege audits  55
    About Oracle configuration  56
        Editing default settings  56
        Reporting Oracle version information  57
        Reporting link password encryption  59
        Reporting operating system account prefixes  59
        Reporting parameter values  60
    About Oracle networks  64
        Editing default settings  64
        Reporting SID configuration status  65
        Oracle net configuration watch  65
        Oracle EXTPROC listeners  66
    About Oracle objects  66
        Editing default settings  66
        Reporting table privileges  67
    About Oracle passwords  69
        Editing default settings  69
        Specifying check variations  70
        Comparing passwords to word lists  71
        Detecting well-known passwords  72
    About Oracle patches  73
        Edit default settings  73
        Oracle patches  74
    About Oracle profiles  75
        Establishing a baseline snapshot  75
        Editing default settings  75
        Reporting profiles and their limits  76
        Reporting CPU limit violations  78
        Reporting password violations  80
    About Oracle roles  83
        Establishing a baseline snapshot  84
        Editing default settings  84
        Reporting roles  84
        Reporting role privileges  85
        Reporting role access  88
    About Oracle tablespace  90
        Creating a baseline snapshot  90
        Editing default settings  91
        Reporting tablespaces  91
        Reporting tablespace datafiles  92
        Reporting SYSTEM tablespace information  93
        Reporting DBA tablespace quotas  94

Chapter 1  Introducing Symantec ESM modules for Oracle Databases

This chapter includes the following topics:

■ About the Symantec ESM modules for Oracle Databases

■ What you can do with the Symantec ESM modules for Oracle databases

■ Template

■ Where you can get more information

About the Symantec ESM modules for Oracle Databases

The Symantec Enterprise Security Manager (ESM) modules for Oracle databases extend Symantec ESM protection to your databases. These modules implement the checks and options that are specific to Oracle databases, to protect them from exposure to known security problems. The modules may be installed locally on the Symantec ESM agent that is installed on the same computer where the Oracle database resides. You use the Symantec ESM modules for Oracle databases in the same way that you use other Symantec ESM modules.

What you can do with the Symantec ESM modules for Oracle databases

You can use the ESM Application modules to scan Oracle databases and report vulnerabilities such as weak passwords, patch updates, and so on.

You can perform the following tasks using the ESM console:

■ Create a policy.

■ Configure the policy.

■ Create a rules template.

■ Run the policy.

■ Review the policy run.

■ Correct security problems from the console.

■ Create reports.

Template

Several of the documented modules use templates to store the Oracle database parameters and object settings. Differences between the current settings and template values are reported when the modules run.

Table 1-1 Template name

Module                 Check name               Template name           Predefined template
Oracle Objects module  Oracle Critical objects  Oracle Critical Object  oraclecriticalobjects.rco
Oracle Patches module  Oracle Template files    Oracle Patch            orawinpatch.orp

Where you can get more information

For more information about Symantec ESM modules and Security Updates, see the latest versions of the Symantec Enterprise Security Administrator’s Guide and the Symantec ESM Security Update User’s Guide.

For more information on Symantec Enterprise Security Manager (ESM), Symantec ESM Security Updates, and Symantec ESM support for database products, see the Symantec Security Response Web site at the following URL: Security Response Web site

Chapter 2  Installing Symantec ESM modules for Oracle Databases

This chapter includes the following topics:

■ Installing ESM modules for Oracle Databases

■ About registering agents

■ About customizing checks

Installing ESM modules for Oracle Databases

You can install the Symantec Enterprise Security Manager (ESM) modules for Oracle on Windows 2000, 2003, and 2008.

Before you install

Before you install Symantec ESM Modules for Oracle Databases, you need to verify the following:

CD-ROM access: At least one computer on your network must have a CD-ROM drive.

Account privileges: You must have administrator rights on each computer where you plan to install the modules.

Connection to the manager: The Symantec ESM enterprise console must be able to connect to the Symantec ESM manager.

Agent and Manager: A Symantec ESM agent must be installed on the same computer where the Oracle database resides.

Minimum account privileges

Table 2-1 lists the minimum privileges that are assigned to the ESMDBA account if the database instance is configured by using "/ as sysdba".

Table 2-1 Minimum account privileges assigned to the ESMDBA account

Oracle version             System privileges           Object privileges
9.0.x                      Alter User, Create session  Listed below
9.x, 10.x, and 11.1.0.6.0  Create session              Listed below

Object privileges (the same list applies to both Oracle version rows):

■ sys.dba_data_files

■ sys.dba_indexes

■ sys.dba_obj_audit_opts

■ sys.dba_priv_audit_opts

■ sys.product_component_version

■ sys.dba_profiles

■ sys.dba_role_privs

■ sys.dba_roles

■ sys.dba_stmt_audit_opts

■ sys.dba_sys_privs

■ sys.dba_tab_privs

■ sys.dba_tables

■ sys.dba_tablespaces

■ sys.dba_ts_quotas

■ sys.dba_users

■ sys.dba_temp_files

■ sys.registry$history

■ sys.user$

■ v$controlfile

■ v$instance

■ v$logfile

■ v$parameter

■ v$version

■ v$database

Table 2-2 lists the minimum privileges that are assigned to the ESMDBA account if the database instance is configured by using "SYSTEM":

Table 2-2 Minimum account privileges assigned to the ESMDBA account

Oracle version             System privileges                                  Object privileges
9.0.x                      Alter User, Create session, Select any Dictionary  N/A
9.x, 10.x, and 11.1.0.6.0  Create session, Select any Dictionary              N/A

Table 2-3 lists the roles that can be assigned to a pre-created account instead of assigning the privileges.

Note: A pre-created account is an existing account that you must create and assign the minimum required privileges or roles before the configuration.

Table 2-3 Roles that can be assigned to a pre-created account

Oracle version             System roles                  System privileges                                  Object privileges
9.0.x                      CONNECT, SELECT_CATALOG_ROLE  Alter User, Create session, Select any Dictionary  NA
9.x, 10.x, and 11.1.0.6.0  CONNECT, SELECT_CATALOG_ROLE  Create session, Select any Dictionary              NA
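As an added example, not from the guide or the product, the following SQL*Plus script provisions a pre-created account with the Table 2-3 role set for the 9.x, 10.x, and 11.1.0.6.0 row and then queries the data dictionary for anything the account holds beyond that minimum. The account name ESMDBA_SCAN, the tablespace names, and the password placeholder are assumptions.

```sql
-- Added example; not part of the Symantec guide. Creates a pre-created
-- assessment account with the Table 2-3 role set for Oracle 9.x/10.x/11.1.0.6.0
-- and then checks that it holds nothing beyond that minimum.
-- Assumptions: account name ESMDBA_SCAN, tablespaces USERS and TEMP, and the
-- password placeholder. Run the script as a DBA in SQL*Plus.

CREATE USER esmdba_scan IDENTIFIED BY "<replace-with-a-strong-password>"
  DEFAULT TABLESPACE users
  TEMPORARY TABLESPACE temp
  QUOTA 0 ON users;                   -- a read-only scanner needs no storage

-- System roles and privileges from Table 2-3 (9.x, 10.x, 11.1.0.6.0 row).
-- For a 9.0.x instance the same table also lists ALTER USER; grant it only there.
GRANT CONNECT               TO esmdba_scan;
GRANT SELECT_CATALOG_ROLE   TO esmdba_scan;
GRANT CREATE SESSION        TO esmdba_scan;
GRANT SELECT ANY DICTIONARY TO esmdba_scan;

-- Least-privilege check: list anything the account holds that is not in the
-- documented minimum. Direct grants come from DBA_SYS_PRIVS, DBA_ROLE_PRIVS and
-- DBA_TAB_PRIVS; system privileges inherited through granted roles come from
-- ROLE_SYS_PRIVS (on releases before 10.2 the CONNECT role carries extra
-- privileges such as CREATE TABLE, and this is where they show up).
-- An account that matches Table 2-3 returns no rows.
WITH allowed (name) AS (
  SELECT 'CONNECT'               FROM dual UNION ALL
  SELECT 'SELECT_CATALOG_ROLE'   FROM dual UNION ALL
  SELECT 'CREATE SESSION'        FROM dual UNION ALL
  SELECT 'SELECT ANY DICTIONARY' FROM dual
)
SELECT 'DIRECT SYSTEM PRIVILEGE' AS kind, privilege AS granted
  FROM dba_sys_privs
 WHERE grantee = 'ESMDBA_SCAN'
   AND privilege NOT IN (SELECT name FROM allowed)
UNION ALL
SELECT 'DIRECT ROLE', granted_role
  FROM dba_role_privs
 WHERE grantee = 'ESMDBA_SCAN'
   AND granted_role NOT IN (SELECT name FROM allowed)
UNION ALL
SELECT 'DIRECT OBJECT PRIVILEGE', owner || '.' || table_name || ' (' || privilege || ')'
  FROM dba_tab_privs
 WHERE grantee = 'ESMDBA_SCAN'      -- Table 2-3 lists no object privileges
UNION ALL
SELECT 'VIA ROLE ' || rsp.role, rsp.privilege
  FROM role_sys_privs rsp
  JOIN dba_role_privs drp ON drp.granted_role = rsp.role
 WHERE drp.grantee = 'ESMDBA_SCAN'
   AND rsp.privilege NOT IN (SELECT name FROM allowed);
```

Re-run the final query after each ESM upgrade or privilege change; any row it returns is a grant to review against Table 2-3.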

System requirements

Table 2-4 lists the operating systems that support the ESM Application modules for Oracle on Windows.

Note: As per Symantec's End of Life product support policy, the ESM Modules for Oracle Databases are not supported on ESM 6.0.

Table 2-4 Supported operating systems for ESM modules on Oracle

Supported operating systems  Architecture  Supported OS versions  Supported Oracle versions
Windows (32-bit)             x86           Windows 2000           9.0.1, 9.2.0.x, 10.1.0.x, 10.2.0.x, 11.1.0.6.0
Windows (32-bit)             x86           Windows 2003           9.0.1, 9.2.0.x, 10.1.0.x, 10.2.0.x, 11.1.0.6.0
Windows (64-bit)             x64           Windows 2003           10.1.0.x, 10.2.0.x, 11.1.0.6.0
Windows (32-bit)             x86           Windows 2008           10.1.0.x, 10.2.0.x, 11.1.0.6.0
Windows (64-bit)             x64           Windows 2008           10.1.0.x, 10.2.0.x, 11.1.0.6.0

Note: The ESM Oracle Application Module is a 32-bit module and uses a 32-bit Oracle client library to connect to 32-bit or 64-bit Oracle installations. If the 32-bit library is not present, then the module reports an error message.

Table 2-5 lists the Real Application Clustering (RAC) support on Windows.

Table 2-5 Real Application Clustering (RAC) support on Windows

Supported operating systems  Architecture  Supported OS versions  Supported Oracle versions
Windows (32-bit)             x86           Windows 2003           9.2.0.x, 10.2.0.x, 11.1.0.6.0

Table 2-6 lists the disk space requirements only for the Symantec ESM Modules for Oracle Databases and not for the ESM agents.

Table 2-6 Disk space requirements

Agent operating system  Disk space
Windows 2000 (32-bit)   35 MB
Windows 2003 (32-bit)   35 MB
Windows 2003 (64-bit)   50 MB
Windows 2008 (32-bit)   35 MB
Windows 2008 (64-bit)   50 MB

About using parameters in the oraenv.dat file

Table 2-7 lists the different parameters that you can use in the oraenv.dat file to work with the Symantec ESM modules for Oracle. The oraenv.dat file is a configuration file that stores the configuration parameters that control certain functions of the ESM modules. You can create the oraenv.dat file in the \esm\config directory to specify the parameters. If the oraenv.dat file does not exist, then the default values are used.

Note: The parameters only affect the Symantec ESM modules and do not affect the settings of the Oracle database.

Table 2-7 Parameters and their usage

Parameter name: ORA_LANG
Description: You can use this parameter to unset an environment variable during an ESM Oracle module policy run.
Parameter value: You can unset the ORA_LANG environment variable by adding an unset ORA_LANG entry in the oraenv.dat file.
Example: unset ORA_LANG

Parameter name: DebugFlag
Description: You can use this parameter to configure the debug level.
Parameter value: You can configure the debug level by adding a config DebugFlag 1 entry in the oraenv.dat file. The default debug level is 0.
Example: config DebugFlag 1

Parameter name: PassCreationLog
Description: You can use this parameter to configure the logging level for password creation.
Parameter value: You can configure the logging level for password creation by adding a config PassCreationLog 1 entry in the oraenv.dat file. The default logging level is 0.
Example: config PassCreationLog 1

Parameter name: PassSpecString
Description: You can use this parameter to specify the special characters that you can use while generating the password for the configured account.
Parameter value: You can add this parameter to the oraenv.dat file as config PassSpecString <special characters>. The default special characters are the underscore (_), plus (+), dash (-), equal to (=), brackets (<>, ()), question mark (?), asterisk (*), percent (%), hash (#), exclamation mark (!).
Example: config PassSpecString $#_

Parameter name: PassChangePeriod
Description: You can use this parameter to specify the period after which you want to change the password of the configured account.
Parameter value: You can add this parameter to the oraenv.dat file as config PassChangedPeriod <number of days>. If you do not specify any value then by default the value is 35 days. If you want to change the password of your configured account then you set the Password expiration interval setting parameter to 0.
Example: config PassChangePeriod 30

Parameter name: MinPrivilege
Description: You can assign minimum privileges to the ESMDBA user. You can use this parameter only if SID is configured by using the ‘/as sysdba’ method.
Parameter value: If MinPrivilege is set to Yes, then the privileges are assigned to the ESMDBA account if the database instance is configured by using “/ as sysdba”. See Table 2-1 on page 16. The default value is ‘Yes’. If MinPrivilege is set to No, then the privileges are assigned to the ESMDBA account if the database instance is configured by using “/ as sysdba”. See Table 2-2 on page 17.
Example: set MinPrivilege YES

See “About installing the ESM modules for Oracle databases” on page 22.

About installing the ESM modules for Oracle databases

The installation program does the following:

■ Extracts and installs module executables, configuration (.m) files, and the template files.

■ Registers the .m and the template files to the ESM manager by using the ESM agent’s registration program.

■ Launches the esmorasetup program to create the ESMDBA account for reporting. The esmorasetup is a configuration utility that is used during the installation setup. The password of the ESMDBA account is 12 characters long and is generated randomly. The password is encrypted by using the 256-bit AES encryption algorithm and is stored in the \esm\config\oracle.dat file.

■ Auto-generates the password for the ESMDBA account. The ESM modules for the Oracle databases consider the following parameters during auto-generation of the passwords:

■ PassChangedPeriod

The “PassChangedPeriod” parameter specifies the number of days after which the program automatically changes the password of the configured account. The default value of "PassChangedPeriod" is 35 days. The password must contain at least one uppercase, one lower-case, one numeric character (0-9), and one special character. The default special characters are the underscore (_), plus (+), dash (-), equal to (=), brackets (<>), question mark (?), brackets (()), asterisk (*), percent (%), hash (#), and exclamation mark (!).

■ PassSpecString

The "PassSpecString" parameter specifies the special characters that you can use while generating the password for the configured account. Use this parameter if the config PassSpecString entry is not defined in the \esm\config\oraenv.dat file. If you want to use other special characters, you can also add a parameter "config PassSpecString $#_" entry into the esm\config\oraenv.dat file before you run esmorasetup configuration.

■ Grants the system privileges based on predefined roles. See Table 2-3 on page 18.
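The oraenv.dat entries of Table 2-7 and the ESMDBA password rules described above, worked through in an added example that is not Symantec's code: a parser for the unset/config/set line syntax that the table's examples show, and a generator that produces a 12-character password meeting the stated rules from the PassSpecString characters. The file content is constructed, and the line syntax (one directive per line, '#' comments) is an assumption drawn from the table's examples.

```python
"""Parse an oraenv.dat-style file and build an ESMDBA-style password.

Added example, not Symantec's code. Assumed line syntax (from Table 2-7):
'unset NAME', 'config NAME VALUE' and 'set NAME VALUE'.
"""
import secrets
import string

# Defaults the guide states for the auto-generated ESMDBA password.
DEFAULT_SPECIALS = "_+-=<>()?*%#!"
DEFAULT_CHANGE_PERIOD_DAYS = 35
PASSWORD_LENGTH = 12

# Constructed sample oraenv.dat content (not taken from a real installation).
SAMPLE_ORAENV = """\
# constructed sample oraenv.dat
unset ORA_LANG
config DebugFlag 1
config PassSpecString $#_
config PassChangePeriod 30
set MinPrivilege YES
"""


def parse_oraenv(text):
    """Return (unset_vars, config, settings) parsed from oraenv.dat text.

    unset_vars: environment variable names to unset during a policy run
    config:     'config' parameters (DebugFlag, PassSpecString, ...)
    settings:   'set' parameters (MinPrivilege)
    A line that fits none of the three forms raises ValueError, so a typo is
    not silently treated as "use the default".
    """
    unset_vars, config, settings = [], {}, {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        verb = parts[0].lower()
        if verb == "unset" and len(parts) == 2:
            unset_vars.append(parts[1])
        elif verb in ("config", "set") and len(parts) == 3:
            (config if verb == "config" else settings)[parts[1]] = parts[2]
        else:
            raise ValueError(f"oraenv.dat line {lineno}: cannot parse {raw!r}")
    return unset_vars, config, settings


def password_policy(config):
    """Resolve the special-character set and change period, applying the guide's defaults."""
    specials = config.get("PassSpecString", DEFAULT_SPECIALS)
    # The guide spells this parameter both PassChangePeriod and PassChangedPeriod.
    period = config.get("PassChangePeriod", config.get("PassChangedPeriod"))
    days = int(period) if period is not None else DEFAULT_CHANGE_PERIOD_DAYS
    if days < 0:
        raise ValueError("password change period must not be negative")
    return specials, days


def meets_policy(password, specials):
    """True if password is 12 chars with an upper, a lower, a digit and an allowed special."""
    return (len(password) == PASSWORD_LENGTH
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in specials for c in password)
            and all(c.isalnum() or c in specials for c in password))


def generate_password(specials=DEFAULT_SPECIALS, length=PASSWORD_LENGTH):
    """Generate a random password satisfying the guide's rules, using a CSPRNG (secrets)."""
    classes = [string.ascii_uppercase, string.ascii_lowercase, string.digits, specials]
    if length < len(classes):
        raise ValueError("length too short to hold one character from each class")
    # One guaranteed character per class; the remainder drawn from the whole alphabet.
    chars = [secrets.choice(cls) for cls in classes]
    alphabet = "".join(classes)
    chars += [secrets.choice(alphabet) for _ in range(length - len(classes))]
    # Fisher-Yates shuffle so the guaranteed characters do not always lead.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


if __name__ == "__main__":
    _, cfg, st = parse_oraenv(SAMPLE_ORAENV)
    specials, days = password_policy(cfg)
    pw = generate_password(specials)
    print(f"specials={specials!r}, change every {days} days, MinPrivilege={st.get('MinPrivilege')}")
    print("generated:", pw, "(meets policy)" if meets_policy(pw, specials) else "(VIOLATES policy)")
```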

During the policy runs, the ESMDBA account does not create any object in the database.

Note: If you change the password for the pre-created account then you must modify the configuration records by using the \esm\bin\<platform>\esmorasetup.exe.

Note: The ESM Application module should be installed on all the Oracle databases, including failover. The module does not automatically detect the failover databases unless it is installed and configured on the same.

How to run the installation program and register the files?

You can install the modules on the ESM agent computer by using the esmoracletpi.exe.


To run the installation program and register the files

1 At the command prompt, type cd <path> to open the directory that corresponds to your vendor\operating system\architecture\esmoracletpi.exe.

You can also download and copy the esmoracletpi.exe from the Security Response Web site to the desired location.

2 Choose one of the following options:

Option 1   To display the contents of the package.

Option 2   To install the module.

3 The Do you want to register the template or .m files? message appears. Do one of the following:

■ Type a Y, if the files are not registered with the manager.

■ Type an N, if the files have already been registered.

Note: You must register the template or *.m files at least once with the agent that is installed on the same operating system and is registered to the same manager.

4 Enter the ESM manager that the agent is registered to.

Usually, it is the name of the computer that the manager is installed on.

5 Enter the ESM access name (logon name) for the manager.

6 Enter the name of the agent as it is currently registered to the ESM manager.

Usually, it is the name of the computer that the agent is installed on.

7 Enter the ESM password that is used to log on to the ESM manager.

8 Enter the network protocol that is used to contact the ESM manager.

9 Enter the port that is used to contact the ESM Manager.

The default port is 5600.

10 The Is this information correct? message appears. Do one of the following:

■ Type a Y, the agent continues with the registration to the ESM manager.

■ Type an N, the setup prompts to re-enter the details of the new manager.


How to add configuration records to enable the ESM security checking for the Oracle database?

When the extraction is complete, the installation program prompts you to add ESM database configuration records to enable the security checking for the Oracle database.

To add configuration records

1 The Do you want to continue and add configuration records to enable the ESM security checking for the Oracle database? [Yes] message appears. Do one of the following:

■ Type a Y, to continue the installation and connect to the current SID.

■ Type an N, to end the installation without adding the security checks.

2 The Do you want to configure the <SID_Name> for the ESM security checks? [Y/N] message appears. Do one of the following:

■ Type an A to connect using the "SYSTEM" account. You can press Enter to connect by using the SYSTEM account or enter a pre-created account name to configure with. A pre-created account is an existing account that you must create before the configuration. To connect by using the SYSTEM account, see “To add security checking using the default SYSTEM account” on page 25. To connect by entering the pre-created account, see “To add security checking using a pre-created account” on page 27.

■ Type a B to connect using the "/as sysdba" method. See “To configure Oracle SID by using the /as sysdba method” on page 26.

To add security checking using the default SYSTEM account

1 Type the Oracle Home path, or press Enter to accept the default path.

2 Type the SYSTEM account password.

3 Retype the password.

4 Type the name of the temporary tablespace for the ESMDBA user or press Enter to accept the default name.

5 Type the name of the default tablespace for the ESMDBA user, or press Enter to accept the default name.

6 Type the name of the profile for the ESMDBA user or press Enter to accept the default name.

7 Review the summary information that the installation program displays. Type a Y to begin the installation.


Symantec ESM does the following:

■ Verifies the password.

■ Connects you to the database as a SYSTEM user.

■ Creates an ESMDBA user account in your Oracle database with privileges to perform security checks. The SYSTEM account password is not stored. The ESMDBA user account is used to perform security checks. If an ESMDBA account already exists, Symantec ESM drops it, and then recreates it.

■ Finds the next SID in the oratab file and prompts you to continue.

8 Do one of the following:

■ Type a Y, to add security checking for the next SID.

■ Type an N, to continue without adding security checks to the next SID.

9 Repeat steps 1 through 8 until you have skipped the installation on every SID.

Note: Symantec recommends that you do not change the privileges or password of the ESMDBA account. If you change the privileges, then some checks may not report. If you change the password of the ESMDBA account, then you must configure the Oracle database again. Drop this account only if you uninstall the agent from the computer.

To configure Oracle SID by using the /as sysdba method

1 Type the Oracle Home path, or press Enter to accept the default path.

2 Type a Y, to add security checking for the designated SID.

3 Type the name of the temporary tablespace for the ESMDBA user or press Enter to accept the default name.

4 Type the name of the default tablespace for the ESMDBA user, or press Enter to accept the default name.

5 Type the name of the profile for the ESMDBA user or press Enter to accept the default name.

6 Do one of the following:

■ Type a Y, to configure the next SID.


■ Type an N, to continue without configuring the next SID.

7 Repeat steps 1 through 6 until you have skipped the installation on every SID.

Note: Symantec recommends that you do not change the privileges or password of the ESMDBA account. If you change the privileges, then some checks may not report. If you change the password of the ESMDBA account, then you must configure the Oracle database again. Drop this account only if you uninstall the agent from the computer.

If a database is moved to the restricted mode after you create an ESMDBA account, then you must grant the Restricted Session privilege to the ESMDBA account. If you have used a pre-created account to configure a database in the restricted mode, then grant the Restricted Session privilege to the pre-created account.

To add security checking using a pre-created account

1 Type the Oracle Home path, or press Enter to accept the default path. Do one of the following:

■ Type a Y, to continue the installation and connect to the current SID.

■ Type an N, to end the installation without adding the security checks.

2 Type a Y, to configure the designated SID for security checking.

3 Type an A, to configure the SID by using the Oracle database account.

4 Type the Oracle Home path, or press Enter to accept the default path.

5 Type the pre-created Oracle account name.

A pre-created Oracle account, used to perform the security checks, will be checked for CONNECT and SELECT privileges.

6 Type the pre-created Oracle account password.

7 Retype the password.

8 The installation program prompts you to add the security checking for SID. Type a Y or an N.

Repeat steps 4 through 7 until you have skipped the installation on every SID.

To add or update configuration record for a pre-created Oracle account

■ At the command prompt, type the following:

esmorasetup -a {SID} [-A {ACCOUNT}] [-P {PASSWORD}] [-H {ORAHOME}]


-A {Account}    Predefined Oracle database logon account
-P {Password}   Predefined Oracle database logon account password
-H {OraHome}    Oracle home directory

To add or update configuration record for a SID created in RAC environment

■ At the command prompt, type the following:

esmorasetup -a {SID} -A {Pre-created account} -P {PASSWORD} [-T {TEMP}] [-S {USERS}] [-W {DEFAULT}]

-A {Account}    Predefined Oracle database logon account
-P {Password}   Predefined Oracle database logon account password
-T {TblSpace}   Oracle TEMPORARY table space for ESMDBA user
-S {TblSpace}   Oracle DEFAULT table space for ESMDBA user
-W {Profile}    Oracle PROFILE for ESMDBA user

Note: You can configure the Oracle SIDs in the RAC environment only by using pre-created accounts.

About configuring SIDs

Change the Oracle instances that are included in security checks by using the esmorasetup program that is located in the \esm\bin\<OS_Arch> directory.

Table 2-8 lists the SID configuration options.

Table 2-8 SID configuration options

Type                                        To do this
esmorasetup.exe -h                          Display Help
esmorasetup.exe -a {SID} [-H {ORAHOME}]     Configure a new SID
esmorasetup.exe -a all                      Configure all SIDs
esmorasetup.exe -H {ORAHOME}                Register an Oracle Home into Symantec ESM modules for Oracle Databases
esmorasetup.exe -R {ORAHOME}                Remove a registered Oracle Home from Symantec ESM modules for Oracle Databases
esmorasetup.exe -d {SID} [-P {PASSWORD}]    Remove (delete) a SID
esmorasetup.exe -d all                      Remove (delete) all SIDs (both using the SYSTEM account and “/as sysdba” method)
esmorasetup.exe -U {SID} [-H {ORAHOME}]     Update an Oracle Home for one registered SID
esmorasetup.exe -U all                      Update an Oracle Home for all registered SIDs
esmorasetup.exe -l                          List all registered SIDs

For example, to specify a SID with a password by using the interactive mode, type the following at the command prompt:

esmorasetup <-a|-d> <sid_name|all> [-P <SYS_PASSWORD>]

You can silently change the Oracle instances that are included in security checks by using the esmorasetup program that is installed in the \esm directory.

Table 2-9 lists the silent SID configuration options.

Table 2-9 Silent SID configuration options

To do this: Configure a SID created in RAC environment into Symantec ESM modules for Oracle Databases silently using a pre-created account
Type: esmorasetup -a {SID} -A {Pre-created account} -P {PASSWORD} [-T {TEMP}] [-S {USERS}] [-W {DEFAULT}] -Q

To do this: Configure a SID silently by connecting to the database as SYSTEM account
Type: esmorasetup -a <SID_name> [-f <file_name>] -A <account_name> -P <password> [-H <OraHome>] [-T <Temp>] [-S <Users>] [-W <Default>] -Q

To do this: Configure a SID silently by connecting to the database by using the “/as sysdba” method
Type: esmorasetup -a <SID_name> [-f <file_name>] -A oracle_owner [-H <OraHome>] [-T <Temp>] [-S <Users>] [-W <Default>] -Q

To do this: Configure all SIDs silently by connecting to the database as SYSTEM account
Type: esmorasetup -a ALL -A SYSTEM -P <password> [-T <Temp>] [-S <Users>] [-W <Default>] -Q

To do this: Configure all SIDs silently by connecting to the database by using the “/as sysdba” method
Type: esmorasetup -a ALL -A oracle_owner [-T <Temp>] [-S <Users>] [-W <Default>] -Q

Note: You cannot use pre-created accounts when you perform a silent configuration of the module with the -a ALL option.

Silently installing the ESM modules for Oracle databases

You can silently install the ESM Modules for Oracle by using the esmoracletpi.exe.

Table 2-10 lists the command line options for silently installing the ESM modules for Oracle.

Table 2-10 Options to silently install the ESM modules for Oracle databases

Option   Description
-d       Display the description and contents of this Tune-up or third-party installation package.
-i       Install this Tune-up or third-party installation package.
-U       Specify ESM access record name.
-P       Specify ESM access record password.
-p       Specify the TCP Port to use.
-m       Specify the ESM manager name.
-t       Connect to the ESM manager using TCP.
-x       Connect to the ESM manager using IPX.
-g       Specify the ESM agent name to use for reregistration.
-N       Do not update the report content file on the ESM manager.
         Note: The Report Content File (.rdl) lets you correlate check message mapping between the latest content update and the Symantec ESM manager. The Report Content File is the name of the file that is sent from the agent to the manager. You can change the location of the .rdl or update the content manually from the command prompt at any time. See “How to run the installation program and register the files?” on page 23.
-Y       Update the report content file on the ESM manager.
-K       Do not prompt for and do the re-registration of agents.
-A       Specify the Oracle SYSTEM user.
-C       Specify the password for Oracle SYSTEM user.
-T       Specify the temporary tablespace. This option is used by the ESMDBA user. The default value is TEMP.
-S       Specify the default tablespace. This option is used by the ESMDBA user. The default value is USERS.
-W       Specify the user’s profile. This option is used by the ESMDBA user. The default value is DEFAULT.
-h       Display help on the usage of options that can be used for silent installation.
-e       Install the modules without configuring the SIDs.

To install the ESM modules for Oracle silently

■ Copy the .tpi to a folder on your computer and at the command prompt, type cd <path> to open the directory.


■ Type the following at the command prompt:

esmoracletpi.exe {-it} {-m} {-U} {-p} {-P} {-g} {Y} {-e}

This command only installs the ESM modules for Oracle. To configure the SIDs for security checking, run esmorasetup from the \esm\bin\<platform> directory.

To install the ESM modules for Oracle and configure all SIDs silently

■ Type the following at the command prompt:

esmoracletpi.exe {-it} {-m} {-U} {-p} {-P} {-g} {Y} {-A} {-C} [-T] [-S] [-W]

The configuration log file EsmOraConfig.log is created in the \esm\system\<system name> folder.

About registering agents

Each agent must re-register with a manager. The esmrd.tpi program prompts you for the required information when the agent is installed with new modules.

To manually reregister an agent to additional managers, use the esmsetup program. See your Symantec ESM Installation Guide for information about accessing and running the esmsetup program.

About customizing checks

After installation, you can customize the security checks in the .m files.

Customizing the .m files

Module configuration (.m) files contain the message information that ESM uses to report security check results.

For instructions for customizing the .m files, see the Symantec Enterprise Security Manager Security Update User’s Guide.


Chapter 3: About the Symantec ESM Modules for Oracle Databases

This chapter includes the following topics:

■ About Oracle SID Discovery

■ About Oracle accounts

■ About Oracle auditing

■ About Oracle configuration

■ About Oracle networks

■ About Oracle objects

■ About Oracle passwords

■ About Oracle patches

■ About Oracle profiles

■ About Oracle roles

■ About Oracle tablespace

About Oracle SID Discovery

Checks in this module report the following information:

■ Detects new Oracle database instances.


■ Reports unreachable or deleted Oracle database instances.

■ Provides an option to automatically configure the newly discovered Oracle database instances.

■ Provides an option to automatically remove the unreachable and the deleted Oracle database instances that are still configured.

Note: The Oracle SID Discovery is a host-based module.

Configuring the Oracle database instances by using the Discovery module

The ESM Oracle Discovery module is a host-based module that automates the process of detection and configuration of new database instances that are not yet configured on the local ESM agent computers. The ESM Oracle Discovery module also detects the unreachable and deleted database instances that are still configured on the ESM agent computers. The ESM Oracle Discovery module lets you delete the unreachable database instances from the ESM agent computers.

Configuring a new Oracle database instance

To report on the Oracle database instance, you should first configure the Oracle database instance on an ESM agent computer.

To configure a new Oracle database instance

1 Run the Discovery module on the ESM agent computers that have Oracle database installed.

The module lists all the new database instances that were not previously configured.

2 Select multiple database instances and do one of the following:

■ Right-click, select Correction option, and enter your system account or pre-created account credentials. The Correction option configures the database instances with SYSTEM account credentials or pre-created account credentials.

■ Right-click and select Snapshot Update option. The Snapshot Update option configures the database instance with / as SYSDBA method.


Note: The / as SYSDBA method does not work in case of Oracle Real Application Cluster (RAC). You must use the Correct option and specify pre-created account credentials.

Removing unreachable/deleted instances

Although you may have deleted an Oracle database instance, the configuration information still exists in the ESM module. As a result, when you execute the module, it reports the deleted Oracle database instances as deleted unreachable instances.

To remove unreachable/deleted instances

1 Run the Discovery module on the target ESM agent computers.

The module lists all the unreachable and deleted database instances that were configured earlier.

2 Select multiple database instances, right-click, and select the Snapshot Update option.

The Snapshot Update option deletes the configuration information of suchinstances.

Editing default settings

Use the checks in this group to edit the default settings for all the security checks in the module.

Temporary Tablespace

You can use this option to enter the temporary tablespace name in the Temporary Tablespace text box. If the tablespace that you specify does not exist in the database, then the module uses the default temporary tablespace to create the ESMDBA account.

Default Tablespace

You can use this option to enter the default tablespace name in the Default Tablespace text box. The check reports an error message if the tablespace that you specify does not exist in the database. However, the check continues with the configuration of the rest of the SIDs.


Profile

You can use the name list in this check to provide the profile name and the password parameters. If the profile that you specify exists in the database, then the module uses the existing profile. If the profile that you specify does not exist in the database, then the module creates a new profile with the parameters that you specify in the name list.

Following are the default values of the profile name and the password parameters:

■ PROFILE=DEFAULT

■ FAILED_LOGIN_ATTEMPTS=DEFAULT

■ PASSWORD_GRACE_TIME=DEFAULT

■ PASSWORD_LIFE_TIME=DEFAULT

■ PASSWORD_LOCK_TIME=DEFAULT

■ PASSWORD_REUSE_MAX=DEFAULT

■ PASSWORD_REUSE_TIME=DEFAULT

■ PASSWORD_VERIFY_FUNCTION=DEFAULT

Reporting SID Discovery

The Symantec ESM module for Oracle SID Discovery includes four checks that let you automate the detection and the configuration of the Oracle database instances on the host computer.

You can use the Symantec ESM module for Oracle SID Discovery to detect andconfigure newly detected database instances and the database instances that havebeen uninstalled.

Detect New Instance

This check reports the database instances that are newly discovered on the ESM agent computers and which were not configured earlier. Use the name list to include or exclude the Oracle SIDs from the configuration file.

This check lets you use the Correct and the Snapshot Update options from theconsole.

With the Correct option, you can configure the database instance by using theSYSTEM account or a pre-created account. With the Snapshot Update option,you can configure the database instance by using the /as sysdba method.

The Snapshot Update or Correct operation for an Oracle instance functions only if the corresponding entries for the Oracle instances are present in the oratab file.


You can check the EsmOraConfig.log file for details.

Table 3-1 lists the messages that this check reports.

Table 3-1 Detect New Instance messages

Message name                         Title                        Severity
ESM_ORACLE_NEW_INSTANCE_DETECTED     New Instance                 Yellow - 1
ESM_ORACLE_NEW_INSTANCE_ADDED        Added New Instance           Yellow - 1
ESM_ORACLE_ADD_INSTANCE_FAILED       Failed to Add New Instance   Yellow - 1

Detect Retired Instance

This check reports all the database instances that are deleted but are still configured on the ESM agent computers. Use name list to include or exclude the Oracle SIDs from configuration. This check lets you use the Snapshot Update option that removes the entry of database instance from the oracle.dat file.

Table 3-2 lists the messages that this check reports.

Table 3-2 Detect Retired Instance messages

Message name                         Title                      Severity
ESM_ORACLE_DEL_INSTANCE_DETECTED     Retired Instance           Yellow - 1
ESM_ORACLE_INSTANCE_DELETED          Deleted Retired Instance   Yellow - 1

Automatically Add New Instance

This check automatically configures all the newly detected instances. This check works with the Detect New Instance check. You can use this check to automate the module to connect to each newly detected database instance by using the / as sysdba method. In case of a successful connection, the module configures the instance by adding an entry in the oracle.dat file.

An error message displays if the module fails to connect to the newly detected database instance by using the / as sysdba method. You can right-click the message and click Correct to connect to the newly detected database instance. You have to use the SYSTEM or pre-created account credentials to connect to the newly detected database instance.

Note: This check does not work in case of Oracle Real Application Cluster (RAC). You must use the Correct option and specify pre-created account credentials.

Automatically Delete Retired Instance

This check automatically deletes the corresponding server records from the configuration file. This check works with the Detect Retired Instance check. You can use this check to automate the module to detect the uninstalled database instances and then to delete the corresponding entries from the oracle.dat file.

About Oracle accounts

This module checks for the user accounts based on the options that you have specified.

Establishing a baseline snapshot

To establish a baseline snapshot file, run the Symantec ESM module for Oracle accounts once. Periodically re-run the module to detect changes and update the snapshot when appropriate.

Automatically update snapshots

Enable this check to automatically update the snapshots with the current information.

Editing default settings

Use the check in this group to edit default settings for all security checks in the module.

Use the Oracle system identifiers (SIDs) check's name list to include or exclude the Oracle system identifiers (SIDs) that the security checks in the module should report on. By default, the security checks report all the SIDs that you specify when you configure the Symantec ESM modules for Oracle databases. The configuration file for the Symantec ESM modules for Oracle databases is stored in the \esm\config\oracle.dat file.

About the Symantec ESM Modules for Oracle DatabasesAbout Oracle accounts

38

Page 39: Symantec Enterprise Security Manager Modules for … Enterprise Security Manager Modules for Oracle Databases (Windows) User Guide Release4.1forSymantecESM6.5.xand 9.0 For Windows

Reporting operating system access
The OS administrators have exceptional privileges. Some users can access the database directly from the operating system without the protection of Oracle authentication. Both user groups should be monitored to ensure that your computers are protected. The checks in this group monitor these users.

Users to skip in OS DBA groups
Use the name list to exclude users from the Users in OS DBA groups check. By default, all users in each group are included.

Users in OS DBA groups
This check reports the users who can connect to a database as INTERNAL, SYSDBA, or SYSOPER. The check also reports users who connect as members of the ORA_DBA and ORA_OPER groups.

Use the name list to exclude the users (usually administrators) and include the OS database administrator groups for this check.

Symantec recommends that you remove the unauthorized users from the OS DBA groups.

Table 3-3 lists the messages that this check reports.

Table 3-3 User in OS DBA groups message

Message name            Title                  Severity
UNAUTHORIZED_INTERNAL   User in OS DBA group   Red - 4

OS authenticated users
This check reports the users who are authenticated only by the operating system, without Oracle authentication. Use the name list to exclude users from this check.

In a testing or development environment, you can log on to an Oracle database without providing a user name and password; however, Symantec recommends that you do not use this method of authentication in a production environment. We also recommend that you change the user's password authentication from external to local and enable Oracle authentication to add another level of security.

Table 3-4 lists the messages that this check reports.

Table 3-4 OS authenticated user message

Message name               Title                           Severity
USER_AUTHORIZED_EXTERNAL   User authenticated by OS only   Yellow - 1

Globally authenticated users
This check reports the users that are authenticated globally by SSL, whose database access is through global roles, authorized by an enterprise directory. Use the Users to Skip name list to exclude users from reporting.

A centralized directory service, which is outside of the database, manages these users without Oracle authentication. Oracle user authentication is required for additional identity verification.

Table 3-5 lists the messages that this check reports.

Table 3-5 Globally authenticated users message

Message name             Title                         Severity
USER_AUTHORIZED_GLOBAL   User authenticated globally   Yellow - 1

Reporting user roles
These checks report roles that have been directly granted to users or revoked from users, and the associated user names. Nested roles are not reported.

For the checks that report role definitions, see "About Oracle roles" on page 83.

Roles
Use the name list to include or exclude the roles for the Directly-granted roles and Grantable roles checks to report on.

Grantable roles
This check reports the user names with permissions to grant roles to other users. Use the name list to exclude users from this check.

Symantec recommends that you revoke the grantable roles from any user who is not authorized to grant them. Periodically, review all the users with grantable roles to ensure that they are currently authorized to grant their grantable roles.

Table 3-6 lists the messages that this check reports.

Table 3-6 Grantable role message

Message name     Title            Severity
GRANTABLE_ROLE   Grantable role   Yellow - 1

Directly-granted roles
This check reports the roles that have been directly granted to users. The roles that were nested in the directly-granted roles are deleted, but are not reported. Use the name list to exclude users from this check.

Symantec recommends that you periodically review this check to ensure that the users with directly-granted roles are authorized. Based on the results, you can revoke inappropriately directly-granted roles.

Table 3-7 lists the messages that this check reports.

Table 3-7 Role directly-granted to user message

Message name           Title                           Severity
PRIVILEGE_LIST_ROLES   Role directly-granted to user   Green - 0

New directly-granted roles
This check reports the user names with the roles that were directly granted to them after the last snapshot update. The check does not report the roles that are nested in directly-granted roles. Use the name list to exclude users from this check.

If the user is authorized, Symantec recommends that you either update the snapshot or revoke the role from the user.

Table 3-8 lists the messages that this check reports.

Table 3-8 New directly-granted role message

Message name      Title                      Severity
USER_ROLE_ADDED   New role granted to user   Yellow - 1

Deleted directly-granted roles
This check reports the user names with the directly-granted roles that were revoked or dropped after the last snapshot update. The check does not report the roles that are nested within the directly-granted role and are deleted or revoked. Use the name list to exclude users from this check.

If the deletion is authorized, Symantec recommends that you either update the snapshot or restore the role to the user.

Table 3-9 lists the messages that this check reports.

Table 3-9 Deleted directly-granted role message

Message name        Title                    Severity
USER_ROLE_DELETED   Role deleted from user   Yellow - 1

Reporting user privileges
The checks in this group report the users with grantable privileges and the privileges that have been directly granted to users or revoked from users.

Privileges
Use the name list to include or exclude the system privileges for the Grantable and Directly-granted privileges checks to report on.

Grantable privileges
This check reports the users with the privileges that they can directly grant. Use the name list to exclude users from this check.

Symantec recommends that you revoke the privilege from any user who is not authorized to grant it. Periodically, review the grantable privileges to ensure that users are currently authorized to grant their grantable privileges.

Table 3-10 lists the messages that this check reports.

Table 3-10 Grantable privilege message

Message name     Title                 Severity
GRANTABLE_PRIV   Grantable privilege   Green - 0

Directly-granted privileges
This check reports the users with the system privileges that have been directly granted to them. Use the name list to exclude users from this check. Generally, to reduce maintenance, privileges are granted through roles rather than directly.

Symantec recommends that you revoke the privilege from any user who is not authorized for it.

Table 3-11 lists the messages that this check reports.

Table 3-11 Directly-granted privilege message

Message name            Title                       Severity
PRIVILEGE_LIST_DIRECT   Privilege directly-granted  Green - 0

New directly-granted privileges
This check reports the users with the privileges that were directly granted to them after the last snapshot update. Use the name list to exclude users from this check. Generally, to reduce maintenance, privileges are granted through roles rather than directly.

If the user is authorized for this privilege, Symantec recommends that you either update the snapshot or revoke the privilege.

Table 3-12 lists the messages that this check reports.

Table 3-12 New granted privilege message

Message name      Title                           Severity
USER_PRIV_ADDED   New privilege granted to user   Yellow - 1

Deleted directly-granted privileges
This check reports the users with the directly-granted privileges that were revoked or dropped after the last snapshot update. Use the name list to exclude users from this check.

If the deletion is authorized, Symantec recommends that you either update the snapshot or restore the privilege.

Table 3-13 lists the messages that this check reports.

Table 3-13 Directly-granted privilege deleted message

Message name        Title                         Severity
USER_PRIV_DELETED   Privilege deleted from user   Yellow - 1

Reporting user accounts
The checks in this group report the database accounts that are current, new, active, inactive, and deleted.

Database accounts
This check reports the user accounts, their tablespaces, and account creation dates. Use the name list to exclude users from this check.

Symantec recommends that you delete any unauthorized or out-of-date accounts. Periodically, review the database accounts to ensure that the database accounts and their tablespaces are currently authorized.

Table 3-14 lists the messages that this check reports.

Table 3-14 Database account message

Message name   Title              Severity
USER_ACCT      Database account   Green - 0

New database accounts
This check reports the user accounts that were added to the database after the last snapshot update. Use the name list to exclude users from this check.

If the new account is authorized, Symantec recommends that you either update the snapshot or delete the account.

Table 3-15 lists the messages that this check reports.

Table 3-15 New database account message

Message name      Title                  Severity
USER_ACCT_ADDED   New database account   Yellow - 1

Active database accounts
This check reports active user accounts with their tablespaces, profile, and account creation date. Periodically, review the user accounts to ensure that they are current and authorized.

Table 3-16 lists the messages that this check reports.

Table 3-16 Active database accounts message

Message name       Title                     Severity
ACTIVE_USER_ACCT   Active database account   Green - 0

Inactive database accounts
This check reports the inactive user accounts with their inactive status, date, and account creation date. Periodically, review the user accounts to ensure that they are current and authorized.

Table 3-17 lists the messages that this check reports.

Table 3-17 Inactive database accounts message

Message name         Title                       Severity
INACTIVE_USER_ACCT   Inactive database account   Green - 0

Deleted database accounts
This check reports the user accounts that were deleted after the last snapshot update. Use the name list to exclude users from this check.

If the deletion is authorized, Symantec recommends that you either update the snapshot or restore the account.

Table 3-18 lists the messages that this check reports.

Table 3-18 Deleted database account message

Message name        Title                      Severity
USER_ACCT_DELETED   Deleted database account   Yellow - 1

Reporting account changes
The checks in this group report the changes to the tablespace assignments and creation dates.

Database account tablespace changed
This check reports the accounts whose default tablespaces were changed after the last snapshot update. Use the name list to exclude users from this check.

If the change is authorized, Symantec recommends that you either update the snapshot or restore the tablespace.

Table 3-19 lists the messages that this check reports.

Table 3-19 Changed tablespace message

Message name           Title                                 Severity
USER_ACCT_TABLESPACE   Database account tablespace changed   Yellow - 1

Database account creation date changed
This check reports the database accounts whose creation dates changed after the last snapshot update. A change in the creation date indicates that the user account has been deleted and recreated. When a user account is deleted, all data that is associated with it can also be deleted. Use the name list to exclude users from this check.

If the change is authorized, Symantec recommends that you either update the snapshot or drop the account.

Table 3-20 lists the messages that this check reports.

Table 3-20 Database account creation date changed message

Message name         Title                                    Severity
USER_ACCT_CREATION   Database account creation date changed   Green - 0

Reporting account defaults
The checks under this group report the password-protected roles that are used as default roles and the default accounts with default passwords.

Password-protected default role
This check reports the users who have been granted password-protected roles as default roles. Verify that the users are authorized to use the roles without entering passwords.

Symantec recommends that for an unauthorized user, you either assign a different default role to the user or remove the password protection from the role.

Table 3-21 lists the messages that this check reports.

Table 3-21 Password-protected role as default message

Message name                 Title                                   Severity
DEFAULT_ROLE_WITH_PASSWORD   Default role with password protection   Yellow - 1

Active default accounts
This check reports the default accounts that are present on your computer. By default, the name list includes all the Oracle default accounts.

Symantec recommends that you remove, lock, or disable the account to prevent intruders from using it to access your database.

Table 3-22 lists the messages that this check reports.

Table 3-22 Active default account message

Message name          Title                    Severity
ACTIVE_DEFAULT_ACCT   Active default account   Yellow - 1

Users to check
Use the name list to include or exclude the prohibited roles for the Granted prohibited roles check to report on.

Granted prohibited roles
This check reports the users who have been granted prohibited roles. Use the name list to exclude the prohibited roles for this check.

Symantec recommends that you remove any prohibited role.

Note: You must never directly grant a few default Oracle roles, the DBA (database administrator) role, and the CONNECT role to users.

Table 3-23 lists the messages that this check reports.

Table 3-23 Prohibited role granted message

Message name   Title                     Severity
ROLE_GRANTED   Prohibited role granted   Yellow - 1
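As an added example (not code from the Symantec ESM modules) of what the Reporting user roles checks and the Granted prohibited roles check above distinguish, the following Python separates roles granted directly to a user from roles reached only through nesting, lists roles held WITH ADMIN OPTION (the Grantable roles case), flags direct grants of prohibited roles, and diffs the direct grants against an earlier snapshot to produce the events behind USER_ROLE_ADDED and USER_ROLE_DELETED. The grant rows, user names, snapshot and prohibited-role list are constructed sample data in the shape of Oracle's DBA_ROLE_PRIVS view.

```python
from collections import defaultdict

# Constructed sample rows shaped like Oracle's DBA_ROLE_PRIVS view:
# (grantee, granted_role, admin_option). A grantee can be a user or a role and
# the view does not say which, so the caller supplies the set of user names.
SAMPLE_GRANTS = [
    ("APP_RW", "APP_RO", "NO"),   # role-to-role grant: APP_RO nests inside APP_RW
    ("ALICE", "APP_RW", "YES"),   # direct grant WITH ADMIN OPTION
    ("BOB", "APP_RO", "NO"),      # direct grant
    ("BOB", "DBA", "NO"),         # direct grant of a role the guide says never to grant directly
]
SAMPLE_USERS = {"ALICE", "BOB", "CAROL"}

# Constructed list of roles the Granted prohibited roles check would flag.
PROHIBITED_ROLES = {"DBA", "CONNECT"}


def direct_roles(grants, users):
    """User -> roles granted straight to that user (what Directly-granted roles reports)."""
    direct = defaultdict(set)
    for grantee, role, _admin in grants:
        if grantee in users:
            direct[grantee].add(role)
    return {u: direct[u] for u in users}  # users without grants map to an empty set


def nested_roles(grants, users):
    """User -> roles reached only through other roles (what the checks do NOT report)."""
    role_graph = defaultdict(set)  # role -> roles granted to it
    for grantee, role, _admin in grants:
        if grantee not in users:
            role_graph[grantee].add(role)
    result = {}
    for user, top in direct_roles(grants, users).items():
        seen, stack = set(), list(top)
        while stack:  # walk the role graph from the directly granted roles
            current = stack.pop()
            for child in role_graph.get(current, ()):
                if child not in seen:
                    seen.add(child)
                    stack.append(child)
        result[user] = seen - top  # nested but not also granted directly
    return result


def grantable_roles(grants, users):
    """User -> roles held WITH ADMIN OPTION (what Grantable roles reports)."""
    out = defaultdict(set)
    for grantee, role, admin in grants:
        if grantee in users and admin.upper() == "YES":
            out[grantee].add(role)
    return dict(out)


def prohibited_direct_grants(grants, users, prohibited=PROHIBITED_ROLES):
    """Sorted (user, role) pairs where a prohibited role was granted directly."""
    return sorted((u, r) for u, roles in direct_roles(grants, users).items()
                  for r in roles & prohibited)


def snapshot_diff(previous, current):
    """Compare two direct-role maps; returns (added, deleted) (user, role) pairs."""
    prev_pairs = {(u, r) for u, roles in previous.items() for r in roles}
    cur_pairs = {(u, r) for u, roles in current.items() for r in roles}
    return sorted(cur_pairs - prev_pairs), sorted(prev_pairs - cur_pairs)


if __name__ == "__main__":
    direct = direct_roles(SAMPLE_GRANTS, SAMPLE_USERS)
    print("direct:", direct)
    print("nested (not reported):", nested_roles(SAMPLE_GRANTS, SAMPLE_USERS))
    print("grantable:", grantable_roles(SAMPLE_GRANTS, SAMPLE_USERS))
    print("prohibited:", prohibited_direct_grants(SAMPLE_GRANTS, SAMPLE_USERS))
    # Constructed earlier snapshot: BOB had not yet received DBA, CAROL still held APP_RO.
    snapshot = {"ALICE": {"APP_RW"}, "BOB": {"APP_RO"}, "CAROL": {"APP_RO"}}
    print("added, deleted:", snapshot_diff(snapshot, direct))
```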


About Oracle auditing
This module checks the auditing setup based on the options that you have specified.

Establishing a baseline snapshot
To establish a baseline, run the Symantec ESM module for auditing Oracle databases. This creates a snapshot of the current audit information that you can update when you run the checks for new, deleted, or changed information.

Automatically update snapshots
Enable this check to automatically update the snapshots with the current information.

Editing default settings
Use this check to edit the default settings of all the security checks in the module.

Use the name list to include the Oracle system identifiers (SIDs) for the module checks. By default, the module examines all the SIDs that you specify when you configure the Symantec ESM modules for Oracle databases. The configuration file for the Symantec ESM modules for Oracle databases is stored in the \esm\config\oracle.dat file.

Reporting audit status and access
The checks in this group report whether auditing is enabled and who has access to the audit trail database.

Audit trail enabled
This check reports whether an audit trail is available for the SID.

Symantec recommends that, in a production environment, you set the AUDIT_TRAIL parameter to DB or OS to ensure that the audit trail is enabled.

Table 3-24 lists the messages that this check reports.

Table 3-24 Auditing not enabled message

Message name    Title                              Severity
AUDIT_DISABLE   Auditing not enabled for the SID   Red - 4

Audit trail protection
This check reports the users and the roles that have privileges that allow them to make changes or deletions to the audit trail database.

Symantec recommends that you grant access to the audit trail database only to administrators or users with administrator roles. If a user is not authorized to access the audit trail database, drop the role from the user; at the same time, drop the privilege from an inappropriately defined role. Ensure that the DEL, INS, and UPD auditing options for SYS.AUD$ are set to A/A in dba_obj_audit_opts.

Table 3-25 lists the messages that this check reports.

Table 3-25 Audit trail protection message

Message name       Title                    Severity
AUDIT_PROTECTION   Audit trail protection   Yellow - 2

Audit reporting methods
The success or failure of an audited operation is identified by the following Oracle codes, separated by the forward slash (/) character:

■ A indicates reporting is BY ACCESS.

■ S indicates reporting is BY SESSION.

Table 3-26 lists the reporting methods.

Table 3-26 Reporting methods

Method   Description of report
A/A      Every successful and failed operation
A/S      Every successful operation, but only sessions in which failed operations occur
S/S      Every session in which successful and failed operations occur
S/A      Every session in which an operation was successful and every failed operation

Reporting statement audits
The checks in this group report SQL statements that are audited. Security checks report statements that were set or removed for auditing and statements whose success or failure reporting methods changed after the last snapshot update.

Audits at the statement level can require considerable resources. BY ACCESS (A) reporting consumes more resources than BY SESSION (S) reporting.

Auditing options
Use the name list to include or exclude the audit options for the Statement auditing, New statement auditing, Deleted statement auditing, and Changed statement auditing checks.

Statement auditing
This check reports the user SQL statements that are audited and the Success/Failure reporting methods that are used. Use the name list to exclude users from this check.

Symantec recommends that you remove all unauthorized or out-of-date statements. Ensure that you use appropriate reporting methods for the available resources and perceived risks.

Table 3-27 lists the messages that this check reports.

Table 3-27 Statement auditing message

Message name    Title                Severity
STMT_AUDITING   Statement auditing   Green - 0

New statement auditing
This check reports the SQL statements that were set for auditing after the last snapshot update, and the Success/Failure reporting methods that are used. Use the name list to exclude users from this check.

Symantec recommends that you remove all unauthorized or out-of-date statements. Update the snapshot if the auditing of the statement is authorized and the reporting method is correct. Deactivate the audit if the auditing of the statement is not authorized. Change the reporting methods if they are inappropriate for the available resources and perceived risks.

Table 3-28 lists the messages that this check reports.

Table 3-28 New statement auditing message

Message name        Title                    Severity
NEW_STMT_AUDITING   New statement auditing   Yellow - 1

Deleted statement auditing
This check reports the user statements that were removed from auditing after the last snapshot update. Use the name list to exclude users from this check.

If the statement deletion is authorized, Symantec recommends that you either update the snapshot or restore the audit settings.

Table 3-29 lists the messages that this check reports.

Table 3-29 Deleted statement auditing message

Message name            Title                        Severity
DELETED_STMT_AUDITING   Deleted statement auditing   Yellow - 1

Changed statement auditing
This check reports the audited user statements whose Success/Failure reporting methods changed after the last snapshot update. Use the name list to exclude users from this check.

If the change is authorized, Symantec recommends that you either update the snapshot or restore the previous statement settings.

Table 3-30 lists the messages that this check reports.

Table 3-30 Changed statement auditing message

Message name            Title                        Severity
CHANGED_STMT_AUDITING   Statement auditing changed   Yellow - 1

Reporting object audits
The first check of this group reports the objects that are audited. The second and third checks report the objects that were set for auditing and removed from auditing after the last snapshot update. The fourth check reports the objects whose reporting methods were changed after the last snapshot update.

There are 16 options for audited objects.

Table 3-31 lists the audits that this check reports on.

Table 3-31 Audited object options

Audit number   Option   Description
1              ALT      ALTER
2              AUD      AUDIT
3              COM      COMMENT
4              DEL      DELETE
5              GRA      GRANT
6              IND      INDEX
7              INS      INSERT
8              LOC      LOCK
9              REN      RENAME
10             SEL      SELECT
11             UPD      UPDATE
12             REF      REFER
13             EXE      EXECUTE
14             CRE      CREATE
15             REA      READ
16             WRI      WRITE

Note: Unavailable and unaudited options appear as -/-. For example, with A/A in the fourth position, every auditable DEL operation is recorded as successful or failed. A/S reports every auditable DEL operation that is successful, but only the sessions that contain one or more failed operations.
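As an added example (not code from the Symantec ESM modules), the following Python parses the sixteen success/failure cells of one object row in the order of Table 3-31, reads each pair using the A and S codes from Table 3-26, reports which of the DEL, INS, and UPD options on SYS.AUD$ fall short of the A/A setting that the Audit trail protection check above expects, and lists the options whose method changed since an earlier snapshot (the Changed object auditing case). The rows are constructed sample data in the shape of the dba_obj_audit_opts view named above.

```python
# The 16 option codes in the order the guide lists them (audit numbers 1 to 16).
AUDIT_OPTIONS = ("ALT", "AUD", "COM", "DEL", "GRA", "IND", "INS", "LOC",
                 "REN", "SEL", "UPD", "REF", "EXE", "CRE", "REA", "WRI")

# Meaning of one code on either side of the slash.
CODE_MEANING = {"A": "BY ACCESS", "S": "BY SESSION", "-": "not audited"}

# Options that must be A/A on SYS.AUD$ for the audit trail to be protected.
AUD_TABLE_REQUIRED = {"DEL": "A/A", "INS": "A/A", "UPD": "A/A"}


def parse_cell(cell):
    """Split one 'success/failure' cell such as 'A/S' into its two codes."""
    parts = cell.strip().upper().split("/")
    if len(parts) != 2 or any(p not in CODE_MEANING for p in parts):
        raise ValueError(f"malformed audit option {cell!r}")
    return parts[0], parts[1]


def parse_row(owner, name, cells):
    """Map the sixteen cells of one object row to {option: (success, failure)}."""
    if len(cells) != len(AUDIT_OPTIONS):
        raise ValueError(f"{owner}.{name}: expected {len(AUDIT_OPTIONS)} cells, got {len(cells)}")
    return {opt: parse_cell(c) for opt, c in zip(AUDIT_OPTIONS, cells)}


def describe(success, failure):
    """Readable form of a pair, e.g. ('A', 'S') is the A/S row of Table 3-26."""
    if (success, failure) == ("-", "-"):
        return "not audited"
    return (f"successful operations {CODE_MEANING[success]}, "
            f"failed operations {CODE_MEANING[failure]}")


def audited_options(options):
    """Option names audited on at least one side (what Object auditing reports)."""
    return [opt for opt, pair in options.items() if pair != ("-", "-")]


def audit_trail_protection_findings(options):
    """{option: actual} for SYS.AUD$ options that are not the required A/A; empty when compliant."""
    findings = {}
    for opt, required in AUD_TABLE_REQUIRED.items():
        actual = "/".join(options[opt])
        if actual != required:
            findings[opt] = actual
    return findings


def changed_options(previous, current):
    """{option: (old, new)} for settings that differ between two snapshots of one object."""
    return {opt: ("/".join(previous[opt]), "/".join(current[opt]))
            for opt in AUDIT_OPTIONS if previous[opt] != current[opt]}


# Constructed sample rows: SYS.AUD$ with DEL correct, INS weakened to A/S and UPD
# unaudited; HR.EMPLOYEES with SELECT audited by session only.
SAMPLE_ROWS = {
    ("SYS", "AUD$"): ["-/-", "-/-", "-/-", "A/A", "-/-", "-/-", "A/S", "-/-",
                      "-/-", "-/-", "-/-", "-/-", "-/-", "-/-", "-/-", "-/-"],
    ("HR", "EMPLOYEES"): ["-/-", "-/-", "-/-", "-/-", "-/-", "-/-", "-/-", "-/-",
                          "-/-", "S/S", "-/-", "-/-", "-/-", "-/-", "-/-", "-/-"],
}
# Constructed earlier snapshot of SYS.AUD$ in which all three options were still A/A.
SAMPLE_PREVIOUS_AUD = ["-/-", "-/-", "-/-", "A/A", "-/-", "-/-", "A/A", "-/-",
                       "-/-", "-/-", "A/A", "-/-", "-/-", "-/-", "-/-", "-/-"]


if __name__ == "__main__":
    for (owner, name), cells in SAMPLE_ROWS.items():
        opts = parse_row(owner, name, cells)
        for opt in audited_options(opts):
            print(f"{owner}.{name} {opt}: {describe(*opts[opt])}")
    aud = parse_row("SYS", "AUD$", SAMPLE_ROWS[("SYS", "AUD$")])
    print("AUDIT_PROTECTION findings:", audit_trail_protection_findings(aud))
    previous = parse_row("SYS", "AUD$", SAMPLE_PREVIOUS_AUD)
    print("changed since snapshot:", changed_options(previous, aud))
```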

Auditing objects
Use the name list to include or exclude the objects, such as tables or views, that are to be included in object auditing.

Object auditing
This check reports the user objects that are audited and the Success/Failure reporting methods that are used. Use the name list to exclude users from this check.

Symantec recommends that you remove all unauthorized or out-of-date statements from auditing. Periodically, review audited objects to ensure that the audit is currently authorized and the reporting methods are appropriate for the available resources and perceived risks.

Table 3-32 lists the messages that this check reports.

Table 3-32 Object auditing message

Message name   Title             Severity
OBJ_AUDITING   Object auditing   Green - 0

New object auditing
This check reports the user objects that were set for auditing after the last snapshot update, and the Success/Failure reporting methods that are used. Use the name list to exclude users from this check.

For the options that can be reported for audit objects, see "Reporting object audits" on page 52.

If the auditing of the object is authorized, Symantec recommends that you either update the snapshot or remove the object from auditing. If the reporting methods are incorrect, correct them.

Table 3-33 lists the messages that this check reports.

Table 3-33 New object auditing message

Message name       Title                 Severity
NEW_OBJ_AUDITING   New object auditing   Yellow - 1

Deleted object auditing
This check reports the user objects and the object options that were removed from auditing after the last snapshot update. Use the name list to exclude users from this check.

For the options that can be reported for audit objects, see "Reporting object audits" on page 52.

If the deletion is authorized, Symantec recommends that you either update the snapshot or restore the audit of the object.

Table 3-34 lists the messages that this check reports.

Table 3-34 Deleted object auditing message

Message name           Title                     Severity
DELETED_OBJ_AUDITING   Deleted object auditing   Yellow - 1

Changed object auditing
This check reports the audited user objects whose Success/Failure reporting methods changed after the last snapshot update, and their current reporting methods.

For the options that can be reported for audit objects, see "Reporting object audits" on page 52.

If the change is authorized, Symantec recommends that you either update the snapshot or restore the previous settings.

Table 3-35 lists the messages that this check reports.

Table 3-35 Changed object auditing message

Message name           Title                     Severity
CHANGED_OBJ_AUDITING   Object auditing changed   Yellow - 1

Reporting privilege audits
The first of these checks reports the privileges that are audited. The second and third checks report the privileges that were set for auditing and removed from auditing after the last snapshot update. The fifth check reports the privileges whose reporting methods were changed after the last snapshot update.

Auditing privileges
Use the name list to include or exclude the privileges for the privilege auditing checks.

Privilege auditing
This check reports the user privileges that are audited, and the Success/Failure reporting methods that are used. Use the name list to exclude users from this check.

Symantec recommends that you periodically review the privilege auditing to ensure that the audits are currently authorized and that the reporting methods are appropriate for the available resources and perceived risks.

Table 3-36 lists the messages that this check reports.

Table 3-36 Privilege auditing message

Message name    Title                Severity
PRIV_AUDITING   Privilege auditing   Green - 0

New privilege auditing
This check reports the user privileges that were set for auditing after the last snapshot update and the Success/Failure reporting methods that are used. Use the name list to exclude users from this check.

If the new privilege and its reporting methods are authorized, Symantec recommends that you update the snapshot. If the new privilege is not authorized, change the privileges. If the user is unauthorized for the privilege, remove the privilege from the user.

Table 3-37 lists the messages that this check reports.

Table 3-37 New privilege auditing message

Message name        Title                    Severity
NEW_PRIV_AUDITING   New privilege auditing   Green - 0

Deleted privilege auditing
This check reports the user privileges that were removed from auditing after the last snapshot update. Use the name list to exclude users from this check.

If the deletion is authorized, Symantec recommends that you either update the snapshot or restore the user privilege to auditing.

Table 3-38 lists the messages that this check reports.

Table 3-38 Deleted privilege auditing message

Message name            Title                        Severity
DELETED_PRIV_AUDITING   Deleted privilege auditing   Yellow - 1

Changed privilege auditing
This check reports the audited user privileges whose Success/Failure reporting methods changed after the last snapshot update. Use the name list to exclude users from this check.

If the change is authorized, Symantec recommends that you either update the snapshot or restore the previous audit settings.

Table 3-39 lists the messages that this check reports.

Table 3-39 Changed privilege auditing message

Message name            Title                        Severity
CHANGED_PRIV_AUDITING   Privilege auditing changed   Yellow - 1

About Oracle configuration
This module checks the settings of the Oracle parameters and configuration that can affect the security of the database.

Editing default settings
Use the checks in this group to edit the settings of all the security checks.

Automatically update snapshots
Enable this check to automatically update the snapshots with the current information.

Oracle system identifiers (SIDs)Use the name list to include or exclude the Oracle system identifiers (SIDs) forthis check. By default, the check examines all the SIDs that you specify when youconfigure the Symantec ESM modules for the Oracle databases. The SymantecESM modules for Oracle databases configuration are stored in\esm\config\oracle.dat file.

Reporting Oracle version informationThe checks in this group report Oracle version, status, trace, and alert log fileinformation.

For the location of USER_DUMP_DEST files, use Trace file.

For the maximum size of trace files, specified by MAX_DUMP_FILE_SIZE, useTrace file size.

Oracle serverThis check reports the version number and the status of the installed Oraclecomponents on the agent.

Table 3-40 lists the message that this check reports.

Table 3-40 Oracle server version and status message

SeverityTitleMessage name

Green - 0Oracle server versionSERVER_VERSION

Oracle componentsThis check reports the version number and status of all Oracle components,including the version and status of the Oracle server.

Table 3-41 lists the message that this check reports.

Table 3-41 Oracle component version and status message

Severity    Title                              Message name
Green - 0   Oracle product component version   PRODUCT_COMPONENT_VERSION

Trace files

This check reports the location of the trace files that are specified by USER_DUMP_DEST.

Table 3-42 lists the message that this check reports.

Table 3-42 Trace file location message

Severity    Title                     Message name
Green - 0   Location of trace files   TRACE_FILE_DEST

Trace file size

This check reports the maximum sizes of trace files that are specified by MAX_DUMP_FILE_SIZE.

Table 3-43 lists the message that this check reports.

Table 3-43 Trace file size message

Severity    Title                          Message name
Green - 0   Maximum size for trace files   MAX_DUMP_FILE_SIZE

Alert file

This check reports the location of debugging trace files for background processes such as LGWR and DBWR. The Alert_[SID].log file at this location contains information for global and instance operations.

Table 3-44 lists the message that this check reports.

Table 3-44 Alert file path message

Severity    Title                            Message name
Green - 0   Directory path for alert files   ALERT_FILE_DEST

List SID:HOME (oracle.dat)

This check reports all the SIDs and their Oracle homes from the oracle.dat file. The configuration information of the Symantec ESM modules for Oracle is stored in oracle.dat, which is located in the \esm\config directory.

Table 3-45 lists the message that this check reports.

Table 3-45 List SID:HOME (oracle.dat) message

Severity    Title                         Message name
Green - 0   Oracle.dat file information   SID_HOME_DATFILE

Reporting link password encryption

The checks in this group report whether encryption is required for the database link passwords.

DB link encrypted password

This check examines the DBLINK_ENCRYPT_LOGIN setting to report whether encrypted passwords are required when connecting to other Oracle servers through database links. This parameter is no longer supported on Oracle 10g and later versions.

The first attempt to connect to another Oracle server always sends encrypted passwords. If the reported setting is TRUE, a failed connection will not be retried. If FALSE, Oracle reattempts the connection with an unencrypted version of the password. TRUE settings provide the best protection for your database.

Table 3-46 lists the message that this check reports.

Table 3-46 Password encrypting for links message

Severity    Title                                         Message name
Green - 0   Connect to database with encrypted password   DBLINK_ENCRYPT

Reporting operating system account prefixes

The checks in this group report prefixes for operating system accounts and whether SELECT and SYSTEM privileges are required to change table column values.

Prefix for OS account

This check reports the characters that are attached to the beginning of account names that operating systems authenticate. OS_AUTHENT_PREFIX specifies the characters. The default OPS$ prefix gives you access to a database from the operating system by typing a slash (/) instead of the username/password string.

Table 3-47 lists the message that this check reports.

Table 3-47 OS account prefix message

Severity    Title                   Message name
Green - 0   Prefix for OS account   OS_AUTHENT_PREFIX

Table-level SELECT privileges

This check reports whether the SELECT privileges are required to update or delete the table column values.

If TRUE is reported, then table-level SELECT privileges are required to update or delete table column values. If FALSE, SELECT privileges are not required. The SQL92_SECURITY parameter specifies the setting.

Table 3-48 lists the message that this check reports.

Table 3-48 SELECT privileges at the table level message

Severity    Title                           Message name
Green - 0   Table-level SELECT privileges   SQL92_SECURITY

Restrictions on system privileges

This check reports whether access to objects in the SYS schema is allowed while you migrate from Oracle 7 to Oracle 8.

You must set the parameter to FALSE. If you set the parameter to TRUE, then access to objects in the SYS schema is allowed. You can specify the setting by using the O7_DICTIONARY_ACCESSIBILITY parameter.

Table 3-49 lists the message that this check reports.

Table 3-49 Restrictions on system privileges message

Severity    Title                               Message name
Green - 0   Restrictions on system privileges   O7_DICTIONARY_ACCESSIBILITY

Reporting parameter values

The checks in this group report the Oracle configuration parameter values.

Remote login password file

This check reports whether the value of the REMOTE_LOGIN_PASSWORDFILE parameter matches the value that you specify in the Parameter Value text box. Use the name list to include or exclude the values for this check. The default value is None.

Symantec recommends that you change the value of the REMOTE_LOGIN_PASSWORDFILE parameter to match your security policy.

Table 3-50 lists the message that this check reports.

Table 3-50 Remote login password file message

Severity     Title                        Message name
Yellow - 3   Remote login password file   REMOTE_LOGIN_PASSWORDFILE

UTL_FILE accessible directories

This check reports whether the value of the UTL_FILE_DIR parameter matches the value that you specify in the Parameter Value text box. You can use the UTL_FILE_DIR parameter to specify one or more directories that Oracle can use for PL/SQL file I/O. The exclude tag of the parameter value specifies acceptable values and the include tag specifies unacceptable values.

If the location of the UTL_FILE_DIR is not authorized, Symantec recommends that you change the configuration of the SID's UTL_FILE_DIR parameter to specify an authorized location, and then update the snapshot.

Table 3-51 lists the message that this check reports.

Table 3-51 UTL_FILE accessible directories message

Severity     Title                             Message name
Yellow - 3   UTL_FILE accessible directories   UTL_FILE_DIR

Oracle configuration watch

This check reports the initialization and configuration parameters that do not match the conditions that are defined in the templates. Use the name list to include the template file for this check.

Table 3-52 lists the message that this check reports.

Table 3-52 Oracle configuration watch messages

Severity     Title                               Message name
Red - 4      Red level condition                 ORC_RUNTIME_RED
Yellow - 1   Yellow level condition              ORC_RUNTIME_YELLOW
Green - 0    Green level condition               ORC_RUNTIME_GREEN
Red - 4      Red level condition                 ORC_INITFILE_RED
Yellow - 1   Yellow level condition              ORC_INITFILE_YELLOW
Green - 0    Green level condition               ORC_INITFILE_GREEN
Green - 0    Required oracle parameter not found ORC_PARAMETER_NOT_FOUND
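The parameter checks described above (O7_DICTIONARY_ACCESSIBILITY, SQL92_SECURITY, OS_AUTHENT_PREFIX, DBLINK_ENCRYPT_LOGIN, REMOTE_LOGIN_PASSWORDFILE, UTL_FILE_DIR and the template-driven configuration watch) can be reproduced against an init.ora-style file. The following Python is an added example, not code from this guide or from the ESM product; the sample file, the template rules and their severities are assumptions, and the message names follow Tables 3-50 to 3-52.

```python
"""Added example (not Symantec's or Oracle's code): audit an init.ora-style
parameter file the way the "Reporting parameter values" checks above do.
The parameter names are real Oracle initialization parameters; the sample
file, the template rules and their severities are constructed."""

# Constructed text parameter file. DBLINK_ENCRYPT_LOGIN is deliberately
# absent so that the "parameter not found" path is exercised.
SAMPLE_INIT_ORA = """
db_name = ORCL
remote_login_passwordfile = EXCLUSIVE
o7_dictionary_accessibility = TRUE    # allows access to SYS objects
sql92_security = TRUE
os_authent_prefix = 'OPS$'
utl_file_dir = '/u01/app/oracle/export', '/tmp'
"""

# (parameter, acceptable values, severity when the value does not match)
TEMPLATE = [
    ("REMOTE_LOGIN_PASSWORDFILE", {"NONE"}, "YELLOW"),
    ("O7_DICTIONARY_ACCESSIBILITY", {"FALSE"}, "RED"),
    ("SQL92_SECURITY", {"TRUE"}, "YELLOW"),
    ("OS_AUTHENT_PREFIX", {""}, "YELLOW"),      # no OPS$-style OS logins
    ("DBLINK_ENCRYPT_LOGIN", {"TRUE"}, "YELLOW"),
]

SEVERITY_ORDER = {"GREEN": 0, "YELLOW": 1, "RED": 2}


def parse_init_ora(text):
    """Return {PARAMETER: value} with quotes stripped; comma-separated
    values become lists.  '#' starts a comment (init.ora convention)."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        name, _, value = line.partition("=")
        items = [v.strip().strip("'\"") for v in value.split(",")]
        params[name.strip().upper()] = items if len(items) > 1 else items[0]
    return params


def check_template(params, template=TEMPLATE):
    """Apply the template; one finding per rule, named like Table 3-52."""
    findings = []
    for name, acceptable, severity in template:
        if name not in params:
            findings.append(("ORC_PARAMETER_NOT_FOUND", "GREEN", name, None))
            continue
        value = params[name]
        text = ",".join(value) if isinstance(value, list) else value
        if text.upper() in {a.upper() for a in acceptable}:
            findings.append(("ORC_INITFILE_GREEN", "GREEN", name, text))
        else:
            findings.append((f"ORC_INITFILE_{severity}", severity, name, text))
    return findings


def check_utl_file_dir(params, unacceptable=(), acceptable=()):
    """Mirror the UTL_FILE accessible directories check: the include list
    names unacceptable directories, the exclude list acceptable ones.
    Flagging a directory in neither list when an acceptable list is given
    is an assumption of this example."""
    value = params.get("UTL_FILE_DIR")
    if value is None:
        return []
    dirs = value if isinstance(value, list) else [value]
    return [("UTL_FILE_DIR", "YELLOW", "UTL_FILE_DIR", d) for d in dirs
            if d in unacceptable or (acceptable and d not in acceptable)]


def worst_severity(findings):
    """Highest severity among the findings (GREEN when there are none)."""
    return max((f[1] for f in findings), key=SEVERITY_ORDER.get, default="GREEN")


if __name__ == "__main__":
    params = parse_init_ora(SAMPLE_INIT_ORA)
    results = check_template(params) + check_utl_file_dir(
        params, unacceptable=("/tmp",), acceptable=("/u01/app/oracle/export",))
    for message, severity, name, value in results:
        print(f"{severity:6} {message:26} {name} = {value}")
    print("overall:", worst_severity(results))
```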

Redo log files

This check reports the locations of the SID's redo log files and the permissions on the log files in the Information field. Use the name list to include or exclude the file statuses for this check. The file status values are INVALID, STALE, DELETED, and INUSED. In the Permission field, do one of the following:

■ Specify 0 for the check to report the location and the status of the SID redo log file.

■ Specify a permission value more restrictive than the SID's redo log file permission for the check to report an error.

Symantec recommends that you periodically review the redo log file location to ensure that it is in a secure, authorized location. If the file's permissions are excessive, reset the redo log file's permission to conform to your security policy. If the owner of the redo log file is not authorized for the file, immediately take ownership of the file and review it for possible tampering.

Table 3-53 lists the message that this check reports.

Table 3-53 Redo log files message

Severity     Title                      Message name
Yellow - 2   Redo log file permission   REDOLOGFILE_PERM
Green - 0    Redo log file              ASM_REDOLOGFILE

New redo log files

This check reports the redo log files that were added after the last snapshot update, their locations, and the status of the files. Use the name list to exclude the redo log file status reporting for this check.

If the addition is authorized, Symantec recommends that you either update the snapshot or delete the new redo log file.

Table 3-54 lists the message that this check reports.

Table 3-54 New redo log files message

Severity     Title               Message name
Yellow - 1   New redo log file   ADDED_REDOLOGFILE

Deleted redo log files

This check reports redo log files that were deleted after the last snapshot update.

If the deletion is authorized, Symantec recommends that you either update the snapshot or restore the file.

Table 3-55 lists the message that this check reports.

Table 3-55 Deleted redo log files message

Severity     Title                   Message name
Yellow - 1   Deleted redo log file   DELETED_REDOLOGFILE

Control files

This check reports the locations of the SID's control files, violations of control file permissions, discrepancies in control file ownership, and file status.

If you specify a permission value more restrictive than the SID's control file permission, the check reports a violation.

Symantec recommends that you periodically review the locations of the control files to ensure that they are in secure, authorized locations. If the file's permissions are excessive, reset the control file's permission to conform to your security policy.

Table 3-56 lists the message that this check reports.

Table 3-56 Control files message

Severity     Title                     Message name
Yellow - 2   Control file permission   CONTROLFILE_PERM
Green - 0    Control file              ASM_CONTROLFILE

New control files

This check reports the control files that were added after the last snapshot update.

If the addition is authorized, Symantec recommends that you either update the snapshot or delete the new control file.

Table 3-57 lists the message that this check reports.

Table 3-57 New control files message

Severity     Title              Message name
Yellow - 1   New control file   ADDED_CONTROLFILE

Deleted control files

This check reports the control files that were deleted after the last snapshot update.

If the deletion is authorized, Symantec recommends that you either update the snapshot or restore the control file.

Table 3-58 lists the message that this check reports.

Table 3-58 Deleted control files message

Severity     Title                  Message name
Yellow - 1   Deleted control file   DELETED_CONTROLFILE

About Oracle networks

This module checks the Oracle network configuration that you have specified.

Editing default settings

Use the name list to edit the default settings for all security checks in the module.

Oracle system identifiers (SIDs)

Use the name list to include or exclude the Oracle system identifiers (SIDs) for this check. By default, the check examines all the SIDs that you specify when you configure the Symantec ESM modules for the Oracle databases. The configuration for the Symantec ESM modules for Oracle Databases is stored in the \esm\config\oracle.dat file.

Reporting SID configuration status

The check in this group reports the SIDs that are not configured.

SID configuration

This check reports the SIDs that are not configured for the Symantec ESM modules for Oracle Databases. Use the name list to exclude the SIDs for this check.

Table 3-59 lists the messages that this check reports.

Table 3-59 SID configuration message

Severity     Title                            Message name
Yellow - 3   SID not configured for modules   UNCONFIG_SID

Oracle net configuration watch

This check reports Oracle Listener, Sqlnet, and Names configuration parameter values that violate conditions of the corresponding Oracle Net Watch template parameters. Use the name list to enable and disable the template files for this check.

Table 3-60 lists the messages that this check reports.

Table 3-60 Net configuration messages

Severity     Title                          Message name
Red - 4      Red level condition            ORC_NETCONFIG_RED
Yellow - 1   Yellow level condition         ORC_NETCONFIG_YELLOW
Green - 0    Green level condition          ORC_NETCONFIG_GREEN
Yellow - 3   Required parameter not found   ORC_NETCONFIG_PARA_MISSING

Oracle EXTPROC listeners

This check reports the Oracle listeners that have EXTPROC-specific entries. In the text box, specify 1 to allow the TCP protocol; if you do so, the database listener ports must differ from the EXTPROC ports. Separate listeners must be specified for the Oracle databases and for the EXTPROC process. You must use the IPC protocol for listeners that are configured for EXTPROC.

Table 3-61 lists the messages that this check reports.

Table 3-61 Oracle EXTPROC listeners messages

Severity     Title                                                                        Message name
Yellow - 3   Listener for EXTPROC found                                                   ORA_EXTPROC_LISTENER_FOUND
Red - 4      EXTPROC entries found in Listener for Databases                              ORA_EXTPROC_IN_DB_LISTENER
Red - 4      Listener for EXTPROC is not configured with IPC Protocol                     ORA_NON_IPC_EXTPROC
Red - 4      The ports configured for EXTPROC listeners conflict with database listeners  ORA_TCP_PORT_EXTPROC
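The four EXTPROC listener conditions above can be evaluated directly from a listener.ora file. The Python below is an added example, not code from this guide or from the ESM product: it parses the Oracle Net parameter syntax and reports the Table 3-61 message names; the sample listener.ora is constructed and the rule-to-message mapping is this example's reading of the check.

```python
"""Added example (not Symantec's or Oracle's code): parse a listener.ora file
and apply the EXTPROC listener rules described above.  The sample file is
constructed, and the mapping of each rule to a Table 3-61 message name is
this example's reading of the check, not the product's own logic."""


class NetParser:
    """Recursive-descent parser for Oracle Net parameter syntax:
    NAME = (KEY = VALUE)(KEY = (NESTED = ...)).  '#' starts a comment."""

    def __init__(self, text):
        self.s = "\n".join(l.split("#", 1)[0] for l in text.splitlines())
        self.i = 0

    def _skip_ws(self):
        while self.i < len(self.s) and self.s[self.i].isspace():
            self.i += 1

    def _read_until(self, stop):
        start = self.i
        while self.i < len(self.s) and self.s[self.i] not in stop:
            self.i += 1
        return self.s[start:self.i].strip()

    def _value(self, top=False):
        """A list of (KEY, value) groups, or a bare scalar string."""
        self._skip_ws()
        if self.i < len(self.s) and self.s[self.i] == "(":
            groups = []
            while self.i < len(self.s) and self.s[self.i] == "(":
                self.i += 1                          # '('
                key = self._read_until("=").upper()
                self.i += 1                          # '='
                val = self._value()
                self._skip_ws()
                self.i += 1                          # ')'
                groups.append((key, val))
                self._skip_ws()
            return groups
        return self._read_until(")\n" if top else ")")

    def parse(self):
        """Return {ENTRY_NAME: value} for every top-level entry."""
        entries = {}
        self._skip_ws()
        while self.i < len(self.s):
            name = self._read_until("=").upper()
            self.i += 1                              # '='
            entries[name] = self._value(top=True)
            self._skip_ws()
        return entries


def find(groups, key):
    """Depth-first: yield every value stored under `key`."""
    for k, v in groups:
        if k == key:
            yield v
        if isinstance(v, list):
            yield from find(v, key)


def is_extproc(sid_desc):
    prog = next(find(sid_desc, "PROGRAM"), "")
    sid = next(find(sid_desc, "SID_NAME"), "")
    return prog.upper() == "EXTPROC" or sid.upper().startswith("PLSEXTPROC")


def audit_extproc(entries, allow_tcp=False):
    """Return [(message_name, severity, listener)].  allow_tcp mirrors the
    check's text box: 1 permits TCP for EXTPROC listeners as long as their
    ports differ from those of the database listeners."""
    findings, tcp_ports, roles = [], {}, {}
    for name, val in entries.items():
        if name.startswith("SID_LIST_") or not isinstance(val, list):
            continue
        descs = list(find(entries.get("SID_LIST_" + name, []), "SID_DESC"))
        has_ext = any(is_extproc(d) for d in descs)
        has_db = any(not is_extproc(d) for d in descs)
        roles[name], tcp_ports[name] = (has_ext, has_db), set()
        for addr in find(val, "ADDRESS"):
            proto = next(find(addr, "PROTOCOL"), "").upper()
            if proto == "TCP":
                tcp_ports[name].add(next(find(addr, "PORT"), ""))
            if has_ext and proto != "IPC" and not (proto == "TCP" and allow_tcp):
                findings.append(("ORA_NON_IPC_EXTPROC", "RED", name))
        if has_ext and has_db:
            findings.append(("ORA_EXTPROC_IN_DB_LISTENER", "RED", name))
        elif has_ext:
            findings.append(("ORA_EXTPROC_LISTENER_FOUND", "YELLOW", name))
    # An EXTPROC listener must not share a TCP port with a database listener.
    for name, (has_ext, _) in roles.items():
        if has_ext and any(o != name and db and tcp_ports[name] & tcp_ports[o]
                           for o, (_, db) in roles.items()):
            findings.append(("ORA_TCP_PORT_EXTPROC", "RED", name))
    return findings


# Constructed listener.ora: LISTENER mixes a database SID with EXTPROC, and
# LISTENER_EXTPROC uses TCP on LISTENER's port; LISTENER_IPC is compliant.
SAMPLE_LISTENER_ORA = r"""
LISTENER = (DESCRIPTION_LIST = (DESCRIPTION =
  (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost)(PORT = 1521))))
SID_LIST_LISTENER = (SID_LIST =
  (SID_DESC = (SID_NAME = PLSExtProc)(ORACLE_HOME = C:\oracle\db_1)(PROGRAM = extproc))
  (SID_DESC = (SID_NAME = ORCL)(ORACLE_HOME = C:\oracle\db_1)))
LISTENER_EXTPROC = (DESCRIPTION =
  (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost)(PORT = 1521)))
SID_LIST_LISTENER_EXTPROC = (SID_LIST =
  (SID_DESC = (SID_NAME = PLSExtProc)(PROGRAM = extproc)))
LISTENER_IPC = (DESCRIPTION = (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1)))
SID_LIST_LISTENER_IPC = (SID_LIST =
  (SID_DESC = (SID_NAME = PLSExtProc)(PROGRAM = extproc)))
"""
```

Running `audit_extproc(NetParser(SAMPLE_LISTENER_ORA).parse())` flags LISTENER and LISTENER_EXTPROC as red and reports LISTENER_IPC only with the informational "Listener for EXTPROC found" message.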

About Oracle objects

This module checks for the access privileges to the Oracle objects that are based on the options that you have specified.

Editing default settings

The check in this group edits the default settings for all security checks in the module.

Oracle system identifiers (SIDs)

Use the name list to include or exclude the Oracle system identifiers (SIDs) for this check. By default, the check examines all the SIDs that you specify when you configure the Symantec ESM modules for the Oracle databases. The configuration for the Symantec ESM modules for Oracle Databases is stored in the \esm\config\oracle.dat file.

Reporting table privileges

The checks in this group report entities that can:

■ Access SYS.ALL_SOURCE

■ Grant privileges to Oracle objects such as tables, indexes, and views

■ Have directly granted table privileges to Oracle objects

Access to SYS.ALL_SOURCE

This check reports the roles, accounts, and synonyms that have access privileges to the SYS.ALL_SOURCE system table. The ALL_SOURCE table contains the source code for user-defined objects in all schemas of the SID. Verify that the entity's direct access to SYS.ALL_SOURCE is authorized. Use the Grantees to skip name list to exclude the grantees for this check.

Table 3-62 lists the messages that this check reports.

Table 3-62 Access to SYS.ALL_SOURCE message

Severity     Title                      Message name
Yellow - 3   Access to SYS.ALL_SOURCE   ACCESS_ALL_SOURCE

Table privileges

Use this name list to include or exclude the table privileges for the Grantable privilege and Directly granted privilege checks to report on.

Object name

Use this name list to include or exclude the object names for the Grantable privilege and Directly granted privilege checks to report on.

Grantors

Use this name list to include or exclude the grantors for the Grantable privilege and Directly granted privilege checks to report on.

Grantable privilege

This check reports the roles, the accounts, or the synonyms that have grantable table privileges to Oracle objects. Use the name list to include and exclude the grantees for this check.

Table 3-63 lists the messages that this check reports.

Table 3-63 Grantable privilege message

Severity     Title                       Message name
Yellow - 3   Grantable table privilege   GRANTABLE

Directly granted privilege

This check reports the roles, the accounts, or the synonyms that have directly granted table privileges to Oracle objects. Use the name list to include or exclude the grantees for this check.

Table 3-64 lists the messages that this check reports.

Table 3-64 Directly granted privilege message

Severity     Title                              Message name
Yellow - 3   Directly granted table privilege   DIRECT_GRANTED

Critical objects

This check works with the Grantable privilege check or the Directly granted privilege check. The Critical objects check reports on the objects that it finds on the ESM agent computer that match the objects that you specify in the template, for example, sys.kupw$wor, sys.dbms_ddl, and so on. Use the name list to enable or disable the template file.

Table 3-65 lists the messages that this check reports.

Table 3-65 Critical objects messages

Severity   Title                              Message name
Red - 4    Grantable table privilege          GRANTABLE_RED
Red - 4    Directly granted table privilege   DIRECT_GRANTED_RED

Object Privileges

This check uses the specified template to report on the object privileges. Use the name list to enable or disable the template file.

Table 3-66 lists the messages that this check reports.

Table 3-66 Object privileges messages

Severity     Title                           Message name
Green - 0    Unauthorised object privilege   OBJ_PRIV_G
Yellow - 1   Unauthorised object privilege   OBJ_PRIV_Y
Red - 4      Unauthorised object privilege   OBJ_PRIV_R
Red - 4      Object not found                OBJ_NOT_FOUND

About Oracle passwords

This module checks for the password integrity of the Oracle accounts based on the options that you specify.

Editing default settings

The check in this group edits the default settings for all the security checks in the module.

Oracle system identifiers (SIDs)

Use the name list to include or exclude the Oracle system identifiers (SIDs) for this check. By default, the check examines all the SIDs that you specify when you configure the Symantec ESM modules for the Oracle databases. The configuration for the Symantec ESM modules for Oracle Databases is stored in the \esm\config\oracle.dat file.

Users to check

Use the name list to include or exclude the users or the roles for all the password guessing checks.

Account status

Use the name list to include or exclude the statuses for all the password guessing checks.

Password display

This check works with the Password = wordlist word, Password = username, and Password = any username checks. Enable this check to display the guessed passwords in the <first character>*<last character> format.

Specifying check variations

You can use the checks under this group to set conditions for guessing the passwords of the Oracle accounts. You can display the results with or without the first and last characters of the password.

Reverse order

Enable this option to have Password = checks report passwords that match the backward spelling of user names or common words. For example, in Password = wordlist word, the password flog matches the word golf.

Double occurrences

Enable this option to have Password = checks report the passwords that match the user names or common words spelled twice. For example, in Password = wordlist word, the password golfgolf matches the word golf.

Plural

This option directs Password = checks to compare the plural forms of user names, role names, or common words with the password. For example, in "Password = user name," the password "golfs" matches the user name "golf."

Prefix

Enable this option so that Password = checks report the passwords that begin with a prefix in the user names, role names, or common words. For example, if "pro" is a prefix and "golf" is a user name, then the Password = user name check reports "progolf" as a weak password.

Suffix

Enable this option so that Password = checks report the passwords that end with a suffix in the user names, role names, or common words. For example, if "pro" is a suffix and "golf" is a user name, then the Password = user name check reports "golfpro" as a weak password.

Comparing passwords to word lists

The checks in this group compare the passwords to words that are found in the word lists or the user names. Any matched word is a weak password and should be changed immediately.

Password = wordlist word

This check compares the encrypted version of the user and role passwords with the encrypted version of the words that are included in the common words and names file. The check then reports the matches. You can specify the word and name files that you want to check. Do not use common words or names as passwords.

Symantec recommends that you do not use common words or names as passwords. You must assign a more secure password immediately to the user accounts that are reported by this check, then notify each user to log in using the more secure password. Have the users complete the process by changing their passwords again.

A secure password has six to eight characters with at least one numeric character and one special character. The password must not match an account name and must not be found in the word file.

Table 3-67 lists the messages that this check reports.

Table 3-67 Password = word list messages

Severity   Title                     Message name
Red - 4    Weak user password        PASS_GUESSED
Red - 4    No word files specified   NO_WORDS

Password = username

This check reports the users and the roles that use their own user names or role names as passwords. The check is not as comprehensive as the Password = any username check. However, if the Password = any username check takes too long or consumes too much CPU, run the Password = username check daily and the Password = any username check on weekends. The reported password matches the same user account name. Passwords that closely resemble account names are easily guessed.

Symantec recommends that you immediately assign more secure passwords to reported user accounts. Then notify the users and ask them to log in with the more secure passwords. Have the users complete the process by changing their passwords again.

A secure password has six to eight characters with at least one numeric character and one special character. The password must not match an account name and must not be found in the word file.

Table 3-68 lists the messages that this check reports.

Table 3-68 Password = user name message

Severity   Title                Message name
Red - 4    Weak user password   PASS_GUESSED

Password = any username

This check reports the users and the roles whose passwords already exist as user names in the database. The reported passwords are weak and must be changed. The reported password matches a user account name or a variation of that name. Passwords that closely resemble account names are easily guessed.

Symantec recommends that you immediately assign more secure passwords to reported user accounts. Then notify the users and ask them to log in with the more secure passwords. Have the users complete the process by changing their passwords again.

A secure password has six to eight characters with at least one numeric character and one special character. The password must not match an account name and must not be found in the word file.

Table 3-69 lists the messages that this check reports.

Table 3-69 Password = any user name message

Severity   Title                Message name
Red - 4    Weak user password   PASS_GUESSED
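The matching rules of the Specifying check variations group (Reverse order, Double occurrences, Plural, Prefix, Suffix) and the three Password = checks above can be written as one policy routine that a DBA could run before accepting a new password. The Python below is an added example, not code from this guide or from the ESM product; the user names, word list, prefixes and suffixes are constructed, and reading "plural" as a trailing "s" follows the guide's golf/golfs example.

```python
"""Added example (not Symantec's code): the variation rules of the
"Specifying check variations" group and the Password = checks above, as a
defensive policy routine.  User names, word list, prefixes and suffixes are
constructed; reading "plural" as a trailing 's' is an assumption."""


def variations(base, reverse=True, double=True, plural=True,
               prefixes=(), suffixes=()):
    """Every form of `base` that the Password = checks would treat as a
    match, each option mirroring one check in the variations group."""
    forms = {base}
    if reverse:
        forms.add(base[::-1])                 # golf -> flog
    if double:
        forms.add(base + base)                # golf -> golfgolf
    if plural:
        forms.add(base + "s")                 # golf -> golfs
    forms.update(p + base for p in prefixes)  # pro + golf -> progolf
    forms.update(base + s for s in suffixes)  # golf + pro -> golfpro
    return forms


def candidate_forms(username, all_usernames, words, **opts):
    """Yield (check_name, base, form) in the order the checks are listed:
    own user name first, then any user name, then the word list."""
    sources = (("Password = username", [username]),
               ("Password = any username", all_usernames),
               ("Password = wordlist word", words))
    for check, bases in sources:
        for base in bases:
            for form in variations(base, **opts):
                yield check, base, form


def weak_match(password, username, all_usernames, words, **opts):
    """Policy-time check on a plaintext candidate.  Returns (check, base)
    for the first rule violated, or None.  Comparison is case-insensitive,
    as Oracle passwords were before release 11g."""
    pw = password.lower()
    for check, base, form in candidate_forms(username, all_usernames,
                                             words, **opts):
        if form.lower() == pw:
            return check, base
    return None


def meets_complexity(password):
    """The guide's secure-password rule: six to eight characters with at
    least one numeric character and one special character."""
    return (6 <= len(password) <= 8
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password))


def password_display(password):
    """Masked form used by the Password display check: <first>*<last>."""
    return f"{password[0]}*{password[-1]}" if len(password) > 1 else "*"


# Constructed inputs for a demonstration run.
USERS = ["scott", "golf", "hr"]
WORDS = ["tiger", "oracle"]
OPTS = {"prefixes": ["pro"], "suffixes": ["pro", "123"]}

if __name__ == "__main__":
    for user, pw in [("golf", "flog"), ("scott", "progolf"),
                     ("hr", "Tiger123"), ("hr", "x7#Qz9b!")]:
        hit = weak_match(pw, user, USERS, WORDS, **OPTS)
        print(f"{user:6} {password_display(pw):4} "
              f"{'weak: ' + hit[0] if hit else 'no match':32} "
              f"complexity ok: {meets_complexity(pw)}")
```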

Detecting well-known passwords

Oracle products ship with default, or sample, accounts and passwords that are widely known. These passwords should be changed as soon as possible. Otherwise, unauthorized users can log in as SYS or SYSTEM with administrator privileges.

Well-known passwords

This check reports the well known account/password combinations that you specify in the name list and default Oracle account/password combinations such as scott/tiger. You should not allow well known account/password combinations. Use the name list to include the account and password combinations for this check.

Symantec recommends that you assign a more secure password immediately. You must instruct the user to log in with the more secure password and change the password again.

A secure password has six to eight characters with at least one numeric character and one special character. The password must not match an account name and must not be found in the word file.

Table 3-70 lists the messages that this check reports.

Table 3-70 Well known password message

Severity   Title                               Message name
Red - 4    Well known account/password found   DEFAULT_PASSWORD

About Oracle patches

This module identifies the Oracle security patches that are not installed on your computers.

Edit default settings

The check in this group edits the default settings for all the security checks in the module.

Oracle Home Paths

Use the name list to include or exclude the Oracle home paths for this check. By default, the check examines all the Home paths that you specify when you configure the Symantec ESM modules for the Oracle databases. The configuration for Symantec ESM Modules for Oracle Databases is stored in the oracle.dat file that is located in the \esm\config\ folder.

Template files

Use the name list to enable or disable the template files for this check. Oracle Patch template files are identified by .orp file extensions.

Oracle patches

The checks in this group report the patches that are released by Oracle and that are not applied on the database server.

Patch information

This check reports information about the patches that have been released within the number of days that you specify in the check. The information includes patch type and number, ID number, patch release date, and description. You should verify that all current patches are installed on your Oracle clients and servers. Use the name list to include the template files for this check.

You can download patch updates by using LiveUpdate.

Symantec recommends that you verify that your Oracle server and components have the current applicable patches.

Table 3-71 lists the messages that this check reports.

Table 3-71 Patch information messages

Severity     Title                Message name
Yellow - 1   Patch available      PATCH_AVAILABLE
Yellow - 1   Patchset available   PATCHSET_AVAILABLE

Opatch Tool

This check enables ESM to use the opatch tool and reports the opatch tool version information. Opatch is the Oracle patch tool, which is a set of Perl scripts that run with Perl 5.005_03 and later. You must have JRE and JDK installed in the Oracle Home to run the OPatch tool. Commands such as jar, java, ar, cp, and make (depending on the platform) must be present in the Opatch path. By default, the Opatch tool check searches for the OPatch directory that contains the opatch tool in the Oracle Home. If the check fails to find the tool in the Oracle Home, it uses the path of the opatch tool that is specified in the check. This application can be downloaded from the following URL: http://www.oracle.com.

Table 3-72 lists the messages that this check reports.

Table 3-72 Opatch Tool message

Severity    Title                Message name
Green - 0   Opatch Information   OPATCH_INFO
Green - 0   Opatch version       OPATCH_VERSION

Installed Patches

This check reports the patches that are currently installed on your computers.

Table 3-73 lists the messages that this check reports.

Table 3-73 Patch information message

Severity    Title               Message name
Green - 0   Installed patches   INSTALLED_PATCH

About Oracle profiles

This module checks the Oracle profiles table based on the options that you have specified. It reports SIDs, profile names, profile resource names, and resource limits as applicable.

Establishing a baseline snapshot

To establish a baseline, run the Profiles module. This creates a snapshot of current profile information that you can update when you run the checks that report new, deleted, or changed information.

Automatically update snapshots

Enable this check to automatically update the snapshots with the current information.

Editing default settings

Use the check in this group to edit the default settings for all the security checks in the module.

Oracle system identifiers (SIDs)

Use the name list to include or exclude the Oracle system identifiers (SIDs) for this check. By default, the check examines all the SIDs that you specify when you configure the Symantec ESM modules for the Oracle databases. The configuration for Symantec ESM Modules for Oracle Databases is stored in \esm\config\oracle.dat.

Reporting profiles and their limits

The checks in this group report the existing, new, and deleted profiles and their resource limits.

Profile enforcement

This check reports SIDs that do not enforce profiles.

Symantec recommends that you change the value of the RESOURCE_LIMIT parameter in the database's parameter file from FALSE to TRUE so that profiles are enforced.

Table 3-74 lists the messages that this check reports.

Table 3-74 Profiles not enabled message

Severity    Title                       Message name
Red-4       Profiles are not enabled    PROFILE_NOT_ENABLED

Profiles

This check reports all profiles that are defined in the database. Use the name list to exclude profiles for this check. You should periodically review the profiles to ensure that all profiles are authorized and that profile resources and resource limits are allocated efficiently.

Table 3-75 lists the messages that this check reports.

Table 3-75 Existing profiles message

Severity    Title                Message name
Green-0     Existing profiles    PROFILE_LIST

New profiles

This check reports all profiles that were defined in the database after the last snapshot update. Use the name list to exclude profiles for this check.

If the addition is authorized, Symantec recommends that you either update the snapshot or delete the profile.

Table 3-76 lists the messages that this check reports.

Table 3-76 New profile message

Severity    Title          Message name
Yellow-1    New profile    PROFILE_ADDED

Deleted profiles

This check reports all profiles that were deleted from the database after the last snapshot update. Use the name list to exclude profiles for this check.

If the deletion is authorized, Symantec recommends that you either update the snapshot or restore the profile.

Table 3-77 lists the messages that this check reports.

Table 3-77 Deleted profiles message

Severity    Title              Message name
Green-0     Deleted profile    PROFILE_DELETED

Profile resources

This check reports profile resource limits. Use the name list to exclude profiles for this check.

Symantec recommends that you ensure that the profile resource limits match your company's security policies.

Table 3-78 lists the messages that this check reports.

Table 3-78 Profile resources message

Severity    Title                      Message name
Green-0     Profile resource limits    PROFILE_LIMIT_LIST

Changed resource limits

This check reports the profile resource limits that changed after the last snapshot update. Use the name list to exclude profiles for this check.

If the change is authorized, Symantec recommends that you either update the snapshot or restore the previous limit.

Table 3-79 lists the messages that this check reports.

Table 3-79 Changed profile resource limit message

Severity    Title                              Message name
Yellow-1    Changed profile resource limits    PROFILE_LIMIT_CHANGED

Reporting CPU limit violations

The checks in this group report the CPU resource limits.

Oracle profiles

Use the name list to include or exclude the Oracle profiles for the resource limitation checks.

Sessions per user

This check reports the profiles that allow more concurrent sessions for each user than the number that you specify in the MaxSession/User text box. To prevent access by other users, multiple users should not be given concurrent session permission.

Table 3-80 lists the messages that this check reports.

Table 3-80 Sessions per user message

Severity    Title                         Message name
Yellow-1    Sessions per user too high    PROFILE_SESSIONS_PER_USER

CPU time per session

This check reports profiles that allow more CPU time per session than the amount that you specify in the check. Specify the maximum amount of time that is allowed per session in hundredths of a second.

Symantec recommends that you specify a maximum CPU time per session limit that allows users to perform their duties without frequent logging on and logging out. It prevents a small number of users from denying service to others by using excessive CPU resources.

Table 3-81 lists the messages that this check reports.

Table 3-81 CPU time per session message

Severity    Title                                 Message name
Yellow-1    CPU time per session exceeds limit    PROFILE_CPU_PER_SESSION

CPU time per call

This check reports the profiles that allow more CPU time for each call, such as fetch, execute, and parse, than the amount of time that you specify in the check. Specify the maximum amount of time that is allowed per call in hundredths of a second.

Symantec recommends that you specify a maximum CPU time per call limit that allows users to perform their duties and that prevents a small number of users from denying service to others by using excessive CPU resources.

Table 3-82 lists the messages that this check reports.

Table 3-82 CPU time per call message

Severity    Title                              Message name
Yellow-1    CPU time per call exceeds limit    PROFILE_CPU_PER_CALL

Connection time

This check reports profiles that allow more elapsed connection time for an account than the number of minutes that you specify in the check.

Symantec recommends that you specify a realistic limit that allows users to perform their duties and that prevents a few connections from denying service to others by using excessive CPU resources.

Table 3-83 lists the messages that this check reports.

Table 3-83 Connection time message

Severity    Title                         Message name
Yellow-1    Connect time exceeds limit    PROFILE_CONNECT_TIME

Idle time

This check reports profiles that allow more idle time before a process is disconnected than the number of minutes that you specify in the check.

Connections that are idle for a long period may indicate that the machine is unattended.

Symantec recommends that you specify a realistic amount of time before an inactive process is disconnected.

Table 3-84 lists the messages that this check reports.

Table 3-84 Idle time message

Severity    Title                      Message name
Yellow-1    Idle time exceeds limit    PROFILE_IDLE_TIME

Reporting password violations

The checks in this group report the profiles with settings for the number of failed logon attempts, password grace time, password duration, password lock time, and password reuse requirements that violate your security policy. For password strength checks, which compare passwords to common words and user names, see “About Oracle passwords” on page 69.

Failed logins

This check reports profiles that allow more failed login attempts than the number that you specify in the check.

Symantec recommends that you restrict the number of permitted failed login attempts to minimize the likelihood of break-in by intruders who attempt to guess user names and passwords.

Table 3-85 lists the messages that this check reports.

Table 3-85 Failed logins message

Severity    Title                                Message name
Red-4       Failed login attempts exceed limit   PROFILE_FAILED_LOGIN_ATTEMPTS

Password grace time

This check reports the profiles whose password grace days differ from the number that you specify in the Password Grace text box. You can also use a comparison operator before the value in the text box. The value that you specify in the text box is the number of days during which a warning is given before your password expires. The comparison operators are Equal (=), Not equal (!=), Less than (<), Greater than (>), Less than or equal to (<=), and Greater than or equal to (>=).

Symantec recommends that you specify a realistic number of days for a user to change a password after being warned that it is about to expire.

Table 3-86 lists the messages that this check reports.

Table 3-86 Password grace time message

Severity    Title                                   Message name
Yellow-1    Password grace time differs from limit  PROFILE_PASS_GRACE_TIME

Password duration

This check reports the profiles that permit a password to be used for more days than the number that you specify in the check.

Symantec recommends that you change your password often to minimize the possibility that an intruder will discover the passwords, but not so often that you have difficulty remembering your passwords.

Table 3-87 lists the messages that this check reports.

Table 3-87 Password duration message

Severity    Title                        Message name
Red-4       Password duration too high   PROFILE_PASS_LIFE_TIME

Password lock time

This check reports the profiles that lock accounts for fewer days than the number that you specify in the check. Accounts are locked after the number of failed login attempts that you specify in the FAILED_LOGIN_ATTEMPTS parameter of the profile. The PASSWORD_LOCK_TIME parameter specifies the number of days that an account is locked.

Symantec recommends that you change the resource parameter PASSWORD_LOCK_TIME setting to match your security policy.

Table 3-88 lists the messages that this check reports.

Table 3-88 Password lock time message

Severity    Title                        Message name
Yellow-1    Password lock time too low   PROFILE_PASS_LOCK_TIME

Password reuse max

This check reports profiles that require fewer password changes before a password can be reused than the number that you specify in the check.

Note: If you set a PASSWORD_REUSE_MAX value, PASSWORD_REUSE_TIME must be UNLIMITED.

Symantec recommends that you change the resource parameter PASSWORD_REUSE_MAX to require a realistic number of times that a password must be changed before it can be reused.

Table 3-89 lists the messages that this check reports.

Table 3-89 Password reuse max message

Severity    Title                             Message name
Yellow-1    Password reuse maximum too low    PROFILE_PASS_REUSE_MAX

Password reuse time

This check reports profiles that require fewer days before a password can be reused than the number that you specify in the check.

Note: If this setting has a value, PASSWORD_REUSE_TIME must be UNLIMITED. If you set a PASSWORD_REUSE_TIME value, PASSWORD_REUSE_MAX must be UNLIMITED.

Symantec recommends that you change the resource parameter PASSWORD_REUSE_TIME to require a realistic amount of time that must pass before a password can be reused.

Table 3-90 lists the messages that this check reports.

Table 3-90 Password reuse time message

Severity    Title                         Message name
Yellow-1    Password reuse time too low   PROFILE_PASS_REUSE_TIME

Password verify function

This check reports profiles that do not use one or more of the password complexity functions that you specify in the name list. Use the name list to include the functions for this check.

Note: Password complexity functions are specified in the resource parameter PASSWORD_VERIFY_FUNCTION.

Symantec recommends that you immediately assign a secure password and instruct the user to log on with the secure password and change the password again.

Table 3-91 lists the messages that this check reports.

Table 3-91 Password verification function message

Severity    Title                       Message name
Yellow-1    Password verify function    PROFILE_PASS_VERIFY_FUNCTION

Invalid profiles

This check reports users that are assigned to profiles that fail one or more of the enabled resource limitation checks. Use the name list to exclude the users for this check.

Table 3-92 lists the messages that this check reports.

Table 3-92 Invalid profile message

Severity    Title                       Message name
Yellow-3    Invalid profile assigned    INVALID_PROFILE_ASSIGNED

About Oracle roles

This module checks the Oracle roles based on the options that you have specified.

Establishing a baseline snapshot

To establish a baseline, run the Roles module. This creates a snapshot of current role information that you can update when you run checks for new, deleted, or changed information.

Automatically update snapshots

Enable this check to automatically update the snapshots with the current information.

Editing default settings

Use the check in this group to edit the default settings for all the security checks in the module.

Oracle system identifiers (SIDs)

Use the name list to include the Oracle system identifiers (SIDs) for this check. By default, the check examines all the SIDs that you specify when you configure the Symantec ESM modules for the Oracle databases. The configuration for Symantec ESM Modules for Oracle Databases is stored in the \esm\config\oracle.dat file.

Reporting roles

The checks in this group report the existing roles and the roles that have been added or deleted since the last snapshot update.

Roles

This check reports roles that are defined in the database. Use the name list to exclude the roles for this check.

Symantec recommends that you remove the roles that are not authorized or are out of date. You must periodically review the roles to ensure that they are currently authorized.

Table 3-93 lists the messages that this check reports.

Table 3-93 Roles message

Severity    Title           Message name
Green-0     Defined role    EXISTING_ROLES


New roles

This check reports roles that were added to the database after the last snapshot update. Use the name list to exclude the roles for this check.

If the new role is authorized, Symantec recommends that you either update the snapshot or drop the role.

Table 3-94 lists the messages that this check reports.

Table 3-94 New roles message

Severity    Title       Message name
Yellow-1    New role    ADDED_ROLES

Deleted roles

This check reports roles that have been deleted from the database since the last snapshot update. Use the name list to exclude the roles for this check.

If the deletion is authorized, Symantec recommends that you either update the snapshot or restore the role.

Table 3-95 lists the messages that this check reports.

Table 3-95 Deleted roles message

Severity    Title           Message name
Yellow-1    Deleted role    DELETED_ROLES

Reporting role privileges

The checks in this group report the role privileges, the privileges that were granted to or removed from the roles after the last snapshot update, and grantable role privileges.

Privileges

This check reports privileges that have been granted to roles. Use the name list to exclude the roles for this check.

Symantec recommends that you add or remove the privileges for the roles as appropriate. Periodically, you must review the roles to ensure that the privileges granted to them are consistent with the current user duties.

Table 3-96 lists the messages that this check reports.

Table 3-96 Role privilege message

Severity    Title             Message name
Green-0     Role privilege    ROLE_PRIVILEGE

New privileges

This check reports privileges that were directly granted to roles after the last snapshot update. Use the name list to exclude the roles for this check.

If the new privilege is authorized, Symantec recommends that you either update the snapshot or drop the privilege from the role.

Table 3-97 lists the messages that this check reports.

Table 3-97 New privilege message

Severity    Title                 Message name
Yellow-1    New role privilege    ADDED_ROLE_PRIVILEGE

Deleted privileges

This check reports privileges that were dropped from the roles after the last snapshot update. Use the name list to exclude the roles for this check.

If the deletion is authorized, Symantec recommends that you either update the snapshot or restore the privilege.

Table 3-98 lists the messages that this check reports.

Table 3-98 Deleted privilege message

Severity    Title                     Message name
Yellow-1    Deleted role privilege    DELETED_ROLE_PRIVILEGE

Grantable privileges

This check reports the grantable privileges that have been granted to the roles. Use the name list to exclude the roles for this check.

Symantec recommends that you periodically review all grantable role privileges to ensure that the grantable privilege is appropriate for the role. You must revoke grantable role privileges from the users who are not authorized to grant them.

Table 3-99 lists the messages that this check reports.

Table 3-99 Grantable privilege message

Severity    Title                       Message name
Green-0     Grantable role privilege    GRANTABLE_ROLE_PRIVILEGE

Reporting nested roles

The checks in this group report the existing nested roles and the nested roles that have been added to or removed from their parent roles since the last snapshot update.

Nested roles

This check reports roles and the nested roles that they contain. Use the name list to include or exclude the roles for this check.

Table 3-100 lists the messages that this check reports.

Table 3-100 Nested role message

Severity    Title          Message name
Green-0     Nested role    ROLE_ROLE

New nested roles

This check reports roles that were directly granted to other roles after the last snapshot update. Use the name list to include or exclude the roles for this check.

If the change is authorized, Symantec recommends that you either update the snapshot or drop the nested role.

Table 3-101 lists the messages that this check reports.

Table 3-101 New nested role message

Severity    Title              Message name
Yellow-1    New nested role    ADDED_ROLE_ROLE

Deleted nested role

This check reports the nested roles that were removed from parent roles since the last snapshot update. Use the name list to include or exclude the roles for this check.

If the deletion is authorized, Symantec recommends that you either update the snapshot or restore the nested role.

Table 3-102 lists the messages that this check reports.

Table 3-102 Deleted nested role message

Severity    Title                  Message name
Yellow-1    Nested role deleted    DELETED_ROLE_ROLE

Grantable nested role

This check reports the grantable roles that have been granted to other roles. Use the name list to exclude the grantee roles for this check.

Symantec recommends that you periodically review the grantable nested roles to ensure that they are currently authorized for the roles where they reside and that the roles are currently authorized to grant the nested roles.

Table 3-103 lists the messages that this check reports.

Table 3-103 Grantable nested role message

Severity    Title                    Message name
Green-0     Grantable nested role    GRANTABLE_ROLE_ROLE

Reporting role access

The checks in this group report password-protected roles that are used as default roles, directly granted DBA roles, roles without password protection, and tables accessed by the PUBLIC role.

Password-protected default role

This check reports the password-protected default roles of the roles.

For example:

■ Create a role ‘Role A’.

■ Create another role, ‘Role B’, that is identified by a password.

■ Assign ‘Role B’ to ‘Role A’. Now ‘Role B’ is the default password-protected role of ‘Role A’, and the check reports ‘Role B’ as the default password-protected role of ‘Role A’.

The default roles do not require any passwords. Usually, a password-protected role has the privileges or roles that require authorization. Users with password-protected default roles are not required to enter their passwords to use the roles. Use the name list to exclude the roles for this check.

Symantec recommends that for an unauthorized user, you either assign a different default role to the user or remove the password protection from the role.

Table 3-104 lists the messages that this check reports.

Table 3-104 Password-protected default role message

Severity    Title                            Message name
Yellow-1    Default role requires password   DEFAULT_ROLE_PASS_REQUIRED

DBA equivalent roles

Use the name list to include or exclude roles for the Granted Oracle DBA role check to report on.

Granted Oracle DBA role

This check reports users and roles that have been directly granted an Oracle database administrator (DBA) role or equivalent. Use the name list to exclude the users for this check.

Symantec recommends that you either revoke the DBA roles from unauthorized users or tightly control the database administrator rights.

Table 3-105 lists the messages that this check reports.

Table 3-105 Granted Oracle DBA role message

Severity    Title                           Message name
Yellow-1    User granted Oracle DBA role    DBA_ROLE_USERS

Roles without passwords

This check reports the roles that do not require passwords. The roles that are authenticated as External or Global are skipped. Use the name list to exclude the roles for this check.

If the role could be exploited to give the users access to security-related information, Symantec recommends that you password-protect the role. You can control the permissions that are granted to roles that do not require passwords.

Table 3-106 lists the messages that this check reports.

Table 3-106 Role without passwords message

Severity    Title                             Message name
Yellow-1    Password not required for role    ROLE_PASSWORD
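As an added example (not code from the Symantec ESM modules), the following Python script runs the nested-role and role-access checks described above over constructed rows shaped like Oracle's DBA_ROLES and DBA_ROLE_PRIVS views, and goes one step beyond the direct-grant check by walking nested roles to show which users reach a DBA-equivalent role indirectly. The role names, the grants, and the DBA-equivalent list are assumptions.

```python
from collections import deque

# Constructed rows shaped like DBA_ROLES (ROLE, PASSWORD_REQUIRED).
ROLES = [
    ("DBA", "NO"),
    ("APP_ADMIN", "NO"),
    ("APP_RO", "NO"),
    ("SEC_AUDIT", "YES"),      # password-protected role
    ("LDAP_ROLE", "GLOBAL"),   # globally authenticated; skipped by ROLE_PASSWORD
]
# Constructed rows shaped like DBA_ROLE_PRIVS
# (GRANTEE, GRANTED_ROLE, ADMIN_OPTION, DEFAULT_ROLE).
ROLE_PRIVS = [
    ("SYS", "DBA", "YES", "YES"),
    ("OPS_USER", "APP_ADMIN", "NO", "YES"),
    ("APP_ADMIN", "DBA", "NO", "YES"),          # DBA nested inside APP_ADMIN
    ("APP_ADMIN", "SEC_AUDIT", "YES", "YES"),   # protected role nested, grantable
    ("REPORT_USER", "APP_RO", "NO", "YES"),
    ("APP_RO", "LDAP_ROLE", "NO", "YES"),
    ("ANALYST", "SEC_AUDIT", "NO", "NO"),       # granted but not a default role
]
# Assumed content of the "DBA equivalent roles" name list.
DBA_EQUIVALENTS = {"DBA"}


def role_names(roles):
    return {role for role, _ in roles}


def nested_roles(role_privs, roles):
    """ROLE_ROLE: (parent role, nested role) for every role granted to a role."""
    names = role_names(roles)
    return sorted((g, r) for g, r, _, _ in role_privs if g in names)


def grantable_nested_roles(role_privs, roles):
    """GRANTABLE_ROLE_ROLE: nested roles that were granted WITH ADMIN OPTION."""
    names = role_names(roles)
    return sorted((g, r) for g, r, adm, _ in role_privs
                  if g in names and adm == "YES")


def dba_role_grantees(role_privs, dba_equivalents=DBA_EQUIVALENTS):
    """DBA_ROLE_USERS: users and roles directly granted a DBA-equivalent role."""
    return sorted((g, r) for g, r, _, _ in role_privs if r in dba_equivalents)


def roles_without_password(roles):
    """ROLE_PASSWORD: roles that need no password; EXTERNAL/GLOBAL are skipped."""
    return sorted(role for role, pw in roles if pw == "NO")


def password_protected_default_roles(role_privs, roles):
    """DEFAULT_ROLE_PASS_REQUIRED: a password-protected role nested in another
    role is enabled through the parent without the password being entered."""
    protected = {role for role, pw in roles if pw == "YES"}
    names = role_names(roles)
    return sorted((g, r) for g, r, _, _ in role_privs
                  if g in names and r in protected)


def users_reaching(role_privs, roles, targets=DBA_EQUIVALENTS):
    """Beyond the direct-grant check: {user: path} for users that reach a
    target role through nested roles. From a user only DEFAULT_ROLE='YES'
    grants are followed, since other roles are not enabled at logon; a role
    granted to a role is enabled whenever the parent role is."""
    names = role_names(roles)
    edges = {}
    for g, r, _, default in role_privs:
        if g in names or default == "YES":
            edges.setdefault(g, []).append(r)
    result = {}
    for user in sorted({g for g, *_ in role_privs} - names):
        queue, seen = deque([(user, [])]), set()
        while queue:
            node, path = queue.popleft()
            if node in targets:
                result[user] = path
                break
            for nxt in edges.get(node, []):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, path + [nxt]))
    return result
```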

PUBLIC role access

This check reports the tables that users can access through the PUBLIC role and the privileges that are used.

Symantec recommends that you control the permissions that are granted to the PUBLIC role. The preferred method of granting access is to grant EXECUTE on procedures.

Table 3-107 lists the messages that this check reports.

Table 3-107 Publicly accessible table message

Severity    Title                         Message name
Green-0     Table accessible to PUBLIC    PUBLIC_ACCESS

About Oracle tablespace

This module checks the tablespaces based on the options that you have specified.

Creating a baseline snapshot

To establish a baseline, run the Tablespace module. This creates a snapshot of current account information that you can update when you run the checks that report new, deleted, or changed information.

Automatically update snapshots

Enable this check to automatically update the snapshots with the current information.


Editing default settings

Use the check in this group to edit the default settings for all the security checks in the module.

Oracle system identifiers (SIDs)

Use the name list to include the Oracle system identifiers (SIDs) for this check. By default, the check examines all the SIDs that you specify when you configure the Symantec ESM modules for the Oracle databases. The Symantec ESM Modules for Oracle Databases configuration is stored in the \esm\config\oracle.dat file.

Reporting tablespaces

The checks in this group report the existing tablespaces and the tablespaces that have been added or deleted since the last snapshot update.

Tablespaces

This check reports all the tablespaces that are created in the Oracle database. On Oracle 11g and later versions, the check also reports the encryption status of the tablespaces. Use the name list to exclude the authorized tablespaces for this check.

Symantec recommends that you periodically review the tablespaces to ensure that they are all authorized.

Table 3-108 lists the messages that this check reports.

Table 3-108 Tablespaces message

Severity    Title                Message name
Green-0     Oracle tablespace    TABLESPACE

New tablespaces

This check reports the tablespaces that were created in the Oracle database after the last snapshot update. Use the name list to exclude the authorized tablespaces for this check.

If the addition is authorized, Symantec recommends that you either update the snapshot or delete the new tablespace.

Table 3-109 lists the messages that this check reports.

Table 3-109 New tablespace message

Severity    Title                    Message name
Yellow-1    New Oracle tablespace    ADDED_TABLESPACE

Deleted tablespaces

This check reports the tablespaces that were deleted from the Oracle database after the last snapshot update. Use the name list to exclude the authorized tablespaces for this check.

If the deletion is authorized, Symantec recommends that you either update the snapshot or restore the tablespace.

Table 3-110 lists the messages that this check reports.

Table 3-110 Deleted tablespace message

Severity    Title                        Message name
Yellow-1    Deleted Oracle tablespace    DELETED_TABLESPACE

Reporting tablespace datafiles

The checks in this group report the existing datafiles and the datafiles that were added to or dropped from the database after the last snapshot update.

Tablespace datafiles

This check reports the locations of all the tablespace datafiles and lists all the operating system accounts that have permissions on each file. Use the name list to exclude the tablespaces for this check.

If the file permissions are less restrictive than your security policy, you must specify a permission value for the datafile that matches your security policy. Periodically, you must review the tablespace datafiles to ensure that they are authorized and that the file permissions match your security policy.

Table 3-111 lists the messages that this check reports.

Table 3-111 Tablespace datafile messages

Severity    Title                         Message name
Yellow-2    Tablespace file permission    DATAFILE_PERM
Green-0     Tablespace file               ASM_DATAFILE


New tablespace datafiles

This check reports the datafiles that were added to tablespaces after the last snapshot update. Use the name list to exclude the tablespaces for this check.

If the change is authorized, Symantec recommends that you either update the snapshot or drop the datafile from the tablespace.

Table 3-112 lists the messages that this check reports.

Table 3-112 New tablespace datafile message

Severity    Title                      Message name
Yellow-1    New tablespace datafile    ADDED_DATAFILE

Deleted tablespace datafiles

This check works with the New tablespace datafiles check and reports the datafiles that were deleted after the last snapshot update. Use the name list to exclude the tablespaces for this check.

If the deletion is authorized, Symantec recommends that you either update the snapshot or restore the datafile.

Table 3-113 lists the messages that this check reports.

Table 3-113 Deleted tablespace datafile message

Severity    Title                          Message name
Yellow-1    Deleted tablespace datafile    DELETED_DATAFILE

Reporting SYSTEM tablespace information

The checks in this group report objects in the SYSTEM tablespace and users whose default or temporary tablespace is the SYSTEM tablespace.

Objects in SYSTEM tablespace

This check reports tables and indexes that are in the SYSTEM tablespace. Use the name list to exclude users (owners) for this check.

Symantec recommends that you ensure only authorized objects reside in the SYSTEM tablespace.

Table 3-114 lists the messages that this check reports.

Table 3-114 Objects in SYSTEM tablespace message

Severity    Title                                 Message name
Green-0     Object defined in SYSTEM tablespace   TAB_IN_SYS_TABLESPACE

SYSTEM tablespace assigned to user

This check reports the users whose default or temporary tablespace is the SYSTEM tablespace. Use the name list to exclude users for this check.

Symantec recommends that you ensure only authorized objects reside in the SYSTEM tablespace.

Table 3-115 lists the messages that this check reports.

Table 3-115 SYSTEM tablespace user message

Severity    Title                      Message name
Green-0     SYSTEM tablespace user     USER_USING_SYS_TABLESPACE

Reporting DBA tablespace quotas

The checks in this group report violations of MAX_BYTES and MAX_BLOCKS tablespace quotas.

Oracle tablespaces

Use the name list to include or exclude the tablespaces for the MAX_BYTES in DBA_TS_QUOTAS and MAX_BLOCKS in DBA_TS_QUOTAS checks.

MAX_BYTES in DBA_TS_QUOTAS

This check reports users with resource rights to tablespaces whose MAX_BYTES values exceed the value that you specify in the check. For an unlimited number of bytes, specify -1 in the MAX_BYTES field. Use the name list to exclude any authorized users for this check.

Symantec recommends that you drop the user or change the user's MAX_BYTES setting for the tablespace.

Table 3-116 lists the messages that this check reports.

Table 3-116 MAX_BYTES message

Severity    Title                              Message name
Yellow-1    MAX_BYTES per tablespace exceeded  MAX_BYTES_QUOTA

MAX_BLOCKS in DBA_TS_QUOTAS

This check reports users with resource rights to tablespaces whose MAX_BLOCKS values exceed the value that you specify in the check. For an unlimited number of blocks, specify -1 in the MAX_BLOCKS field. Use the name list to exclude any authorized users for this check.

Symantec recommends that you drop the user or change the user's MAX_BLOCKS setting for the tablespace.

Table 3-117 lists the messages that this check reports.

Table 3-117 MAX_BLOCKS message

Severity    Title                               Message name
Yellow-1    MAX_BLOCKS per tablespace exceeded  MAX_BLOCKS_QUOTA
