
    http://www.oracle.com/technology/oramag/oracle/06-nov/o66ocp.html

Testing Database Security

Questions and answers on securing your Oracle database by using FGA and VPD

The Oracle Database 10g: New Features for Administrators exam enables Oracle Certified Professionals (OCPs) certified on Oracle9i Database to upgrade their certifications to Oracle Database 10g. This is the only exam OCPs certified on Oracle9i Database need to take to upgrade their certification credentials to Oracle Database 10g.

This column focuses on the fine-grained auditing (FGA) and virtual private database (VPD) features in Oracle Database 10g. FGA, introduced in Oracle9i Database, captures user activities at a very detailed level and removes the need for manual, trigger-based auditing. Introduced in Oracle8i Database, VPD (also known as fine-grained access control) provides powerful row-level security capabilities.

The column presents sample questions you may encounter when taking the Oracle Database 10g: New Features for Administrators OCP exam. Note that the sample question format and the SQL code have been adjusted for presentation in this article.

Fine-Grained Auditing

Auditing is the monitoring and recording of selected user database actions. In Oracle9i Database, FGA recorded row-level access along with the SCN of each audited statement, which let you reconstruct the data as it stood at that moment. FGA worked for SELECT statements only and not for DML statements such as UPDATE, INSERT, and DELETE. For instance, with the auditing available in Oracle9i Database you could determine that user Smith had updated the SALES table owned by SH, but you could not see whether Smith had updated the AMOUNT_SOLD column, or see the value of AMOUNT_SOLD before the update. In Oracle Database 10g, FGA can audit DML statements as well.

The policies you establish with FGA can monitor data access on the basis of content. In a policy you specify the columns and the condition for which you want audit records, and you can limit the audit to specific statement types (SELECT, INSERT, UPDATE, DELETE) used in connection with the columns you specify. You can also name a routine (such as a PL/SQL procedure or a packaged procedure) to be called when an audit event occurs.

Which two statements are correct about the features of FGA in Oracle Database 10g?

A. FGA records are stored in the SYS.FGA_LOG$ table and are accessible through the DBA_FGA_AUDIT_TRAIL view.
B. The EXECUTE privilege on the DBMS_FGA package is needed for administering FGA audit policies.
C. You must enable FGA at the database level by setting the AUDIT_TRAIL initialization parameter.
D. FGA policies cannot be enabled and disabled without loss of the metadata information.

The correct answers are A and B. FGA records are stored in the SYS.FGA_LOG$ table and are accessible through the DBA_FGA_AUDIT_TRAIL view. To administer FGA policies, you require the EXECUTE privilege on the DBMS_FGA package. You use the DBMS_FGA.ADD_POLICY procedure to define each FGA policy for a table or view, identifying any combination of SELECT, UPDATE, DELETE, and INSERT statements.

Answer C is incorrect because you do not need to set AUDIT_TRAIL to enable fine-grained auditing. Answer D is incorrect because you can temporarily enable or disable FGA policies without losing any metadata information: the DBMS_FGA.ENABLE_POLICY and DBMS_FGA.DISABLE_POLICY procedures enable and disable audit policies while the definition remains in place.

You define the following audit policy:

    BEGIN
      dbms_fga.add_policy(
        object_schema     => 'HR',
        object_name       => 'EMP',
        policy_name       => 'policy_emp_sal_comm',
        audit_condition   => NULL,
        audit_column      => 'SALARY,COMMISSION_PCT',
        audit_column_opts => DBMS_FGA.ALL_COLUMNS,
        statement_types   => 'SELECT, UPDATE');
    END;

Which SQL statements would be audited as a result of this audit policy? (Choose all that apply.)

A. UPDATE hr.emp SET SALARY = SALARY + 4000 WHERE EMP_ID = 197;
B. UPDATE hr.emp SET SALARY = SALARY + 4000, COMMISSION_PCT = COMMISSION_PCT + 0.5 WHERE COMMISSION_PCT > 0;
C. SELECT emp_id, salary FROM hr.emp;
D. DELETE hr.emp WHERE emp_id = 100;
E. SELECT * FROM hr.emp;

The correct answers are B and E. When you specify DBMS_FGA.ALL_COLUMNS for the AUDIT_COLUMN_OPTS parameter, audit trail entries are created only when all the columns specified by the AUDIT_COLUMN parameter are accessed by the operation(s) specified for the STATEMENT_TYPES parameter. Hence, in this example, an audit record is written only when a SELECT or an UPDATE references both the SALARY column and the COMMISSION_PCT column. (The default, DBMS_FGA.ANY_COLUMNS, writes a record when any one of the listed columns is referenced.)

Answer A is incorrect because the UPDATE touches the SALARY column only. Answer C is incorrect because the query reads SALARY but not COMMISSION_PCT. Answer D is incorrect because DELETE is not among the STATEMENT_TYPES. Answer E qualifies because SELECT * expands to every column of the table, including SALARY and COMMISSION_PCT.
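The mechanics behind these two questions, as an added example that is not part of the original column: it creates an audit event handler, defines two policies that differ only in AUDIT_COLUMN_OPTS, runs the question's statements, suspends and resumes a policy, and reads the trail back. It assumes the HR sample schema's EMPLOYEES table (the question's HR.EMP with EMP_ID is a simplification of it); SEC_ADMIN, AUDIT_EVENT_LOG, FGA_HANDLER and the two policy names are hypothetical.

```sql
-- Added example; not code from the Oracle Magazine column. Assumes the HR
-- sample schema's EMPLOYEES table. SEC_ADMIN, AUDIT_EVENT_LOG, FGA_HANDLER and
-- the policy names are hypothetical. Run as a user with EXECUTE on DBMS_FGA.

-- 1. Event handler. The signature is fixed by DBMS_FGA: three VARCHAR2
--    inputs (schema, object, policy), no return value.
CREATE TABLE sec_admin.audit_event_log (
  fired_at      TIMESTAMP DEFAULT SYSTIMESTAMP,
  db_user       VARCHAR2(30),
  object_schema VARCHAR2(30),
  object_name   VARCHAR2(30),
  policy_name   VARCHAR2(30)
);

CREATE OR REPLACE PROCEDURE sec_admin.fga_handler (
  p_object_schema VARCHAR2,
  p_object_name   VARCHAR2,
  p_policy_name   VARCHAR2
) AS
  PRAGMA AUTONOMOUS_TRANSACTION;  -- the alert row survives a rollback of the audited statement
BEGIN
  INSERT INTO sec_admin.audit_event_log (db_user, object_schema, object_name, policy_name)
  VALUES (SYS_CONTEXT('USERENV', 'SESSION_USER'), p_object_schema, p_object_name, p_policy_name);
  COMMIT;
END;
/

-- 2. Two policies on the same table that differ in how the column list is
--    read. ALL_COLUMNS: a record only when one statement touches every listed
--    column. ANY_COLUMNS (the default): a record when it touches at least one.
--    AUDIT_CONDITION is a row-level filter; NULL means no filter.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema     => 'HR',
    object_name       => 'EMPLOYEES',
    policy_name       => 'EMP_SAL_COMM_ALL',
    audit_condition   => NULL,
    audit_column      => 'SALARY,COMMISSION_PCT',
    audit_column_opts => DBMS_FGA.ALL_COLUMNS,
    handler_schema    => 'SEC_ADMIN',
    handler_module    => 'FGA_HANDLER',
    statement_types   => 'SELECT,UPDATE',
    audit_trail       => DBMS_FGA.DB + DBMS_FGA.EXTENDED);  -- keep SQL text and binds

  DBMS_FGA.ADD_POLICY(
    object_schema     => 'HR',
    object_name       => 'EMPLOYEES',
    policy_name       => 'EMP_HIGH_SAL_ANY',
    audit_condition   => 'SALARY > 10000',
    audit_column      => 'SALARY,COMMISSION_PCT',
    audit_column_opts => DBMS_FGA.ANY_COLUMNS,
    statement_types   => 'SELECT,UPDATE,DELETE',
    audit_trail       => DBMS_FGA.DB + DBMS_FGA.EXTENDED);
END;
/

-- 3. The question's statements against the sample schema. By the rules above,
--    EMP_SAL_COMM_ALL records only the second UPDATE and the SELECT * (both
--    columns referenced); EMP_HIGH_SAL_ANY records any of them that reaches a
--    row with SALARY > 10000, since each references SALARY.
UPDATE hr.employees SET salary = salary + 4000 WHERE employee_id = 197;
UPDATE hr.employees SET salary = salary + 4000, commission_pct = commission_pct + 0.5
 WHERE commission_pct > 0;
SELECT employee_id, salary FROM hr.employees;
SELECT * FROM hr.employees;
ROLLBACK;  -- FGA records and the handler's autonomous insert are committed independently

-- 4. Suspend and resume a policy; its definition stays in DBA_AUDIT_POLICIES.
BEGIN
  DBMS_FGA.DISABLE_POLICY('HR', 'EMPLOYEES', 'EMP_HIGH_SAL_ANY');
  DBMS_FGA.ENABLE_POLICY ('HR', 'EMPLOYEES', 'EMP_HIGH_SAL_ANY');
END;
/
SELECT policy_name, enabled, policy_column, policy_column_options, policy_text
  FROM dba_audit_policies
 WHERE object_schema = 'HR' AND object_name = 'EMPLOYEES';

-- 5. Read the trail. SCN is what lets you see the value before an audited
--    UPDATE: pass it to a flashback query on the same table.
SELECT db_user, timestamp, policy_name, statement_type, scn, sql_text, sql_bind
  FROM dba_fga_audit_trail
 WHERE object_schema = 'HR' AND object_name = 'EMPLOYEES'
 ORDER BY timestamp;

SELECT salary FROM hr.employees AS OF SCN :audited_scn WHERE employee_id = 197;
```

The handler fires once per audited statement, so AUDIT_EVENT_LOG is where to hook alerting; the detail, including bind values and the SCN for the flashback query, is in DBA_FGA_AUDIT_TRAIL. Because the trail is written outside the audited transaction, a ROLLBACK by the user does not remove the evidence.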


You have implemented regular auditing by using the AUDIT command in Oracle Database 10g. Also, you have defined audit policies by using the DBMS_FGA.ADD_POLICY procedure. You are interested in getting a combined view of regular audits as well as the FGA audit trail. What would you do?

A. Execute appropriate procedures in the DBMS_CAPTURE_ADM package
B. Execute appropriate procedures in the DBMS_METADATA package
C. Query the DBA_COMMON_AUDIT_TRAIL data dictionary view
D. Query the UNION of DBA_AUDIT_STATEMENT and DBA_AUDIT_POLICIES

The correct answer is C. The DBA_COMMON_AUDIT_TRAIL data dictionary view is a union of the DBA_AUDIT_TRAIL and DBA_FGA_AUDIT_TRAIL views: DBA_AUDIT_TRAIL holds the standard audit trail entries, and DBA_FGA_AUDIT_TRAIL holds all audit records for fine-grained auditing.

Answers A and B are incorrect because the procedures in the DBMS_CAPTURE_ADM and DBMS_METADATA packages do not provide audit information. Answer D is incorrect because DBA_AUDIT_POLICIES describes the FGA policy definitions, not the audit records; to get combined audit information, you query either the UNION of the DBA_AUDIT_TRAIL and DBA_FGA_AUDIT_TRAIL views or the DBA_COMMON_AUDIT_TRAIL view.
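Both routes to a combined trail written out, as an added example that is not part of the column. The column names are those of the Oracle Database 10g DBA_AUDIT_TRAIL, DBA_FGA_AUDIT_TRAIL and DBA_COMMON_AUDIT_TRAIL views; the schema name and time window in the WHERE clause are illustrative.

```sql
-- Added example; not code from the column. Run as a user with SELECT on the
-- DBA_* audit views (typically a DBA).

-- The two trails share almost no column names, so a hand-written union has to
-- map each onto a common shape. CAST keeps the NULL placeholder typed.
SELECT 'Standard Audit'            AS audit_type,
       username                    AS db_user,
       owner                       AS object_schema,
       obj_name                    AS object_name,
       CAST(NULL AS VARCHAR2(30))  AS policy_name,
       action_name                 AS statement_type,
       extended_timestamp,
       sql_text                    -- populated only when AUDIT_TRAIL=DB_EXTENDED
  FROM dba_audit_trail
UNION ALL
SELECT 'Fine Grained Audit',
       db_user,
       object_schema,
       object_name,
       policy_name,
       statement_type,
       extended_timestamp,
       sql_text
  FROM dba_fga_audit_trail
 ORDER BY extended_timestamp;

-- The same from the combined view. AUDIT_TYPE tells the two sources apart;
-- the WHERE clause narrows to one schema and the last 24 hours.
SELECT audit_type, db_user, object_schema, object_name, policy_name,
       statement_type, extended_timestamp, sql_text
  FROM dba_common_audit_trail
 WHERE object_schema = 'HR'
   AND extended_timestamp > SYSTIMESTAMP - INTERVAL '1' DAY
 ORDER BY extended_timestamp;
```

UNION ALL rather than UNION is deliberate: the two trails cannot contain the same record, and UNION would force a sort and fail on the large text columns in later releases where SQL_TEXT is a CLOB.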

Virtual Private Database

VPD works by transparently modifying requests for data to present a partial view of tables to users, based on a set of defined criteria. When a user directly or indirectly accesses a table, view, or synonym protected by a VPD policy, the server dynamically modifies the user's SQL statement by appending a WHERE condition (a predicate) returned by the function that implements the security policy. VPD policies can be applied to SELECT, INSERT, UPDATE, INDEX, and DELETE statements. Consider a database user who is allowed to see employee records in the Sales division only. This user issues the following query:

    SELECT * FROM emp;

The function implementing the security policy returns the predicate division = 'SALES', and the database transparently rewrites the query. The query actually executed becomes

    SELECT * FROM emp
    WHERE division = 'SALES';

To implement VPD, you use the DBMS_RLS package. Alternatively, you can use the Oracle Policy Manager graphical user interface, accessed from Oracle Enterprise Manager, to apply security policies to schema objects.
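A complete policy function and ADD_POLICY call for the Sales-division case above, as an added example that is not part of the column. It assumes HR.EMP has a DIVISION column; SEC_ADMIN, USER_DIVISION, SALES_USER, EMP_DIVISION_PREDICATE and SALES_DIVISION_POLICY are hypothetical names.

```sql
-- Added example; not code from the column. Assumes the column's HR.EMP table
-- has a DIVISION column. SEC_ADMIN, USER_DIVISION, SALES_USER,
-- EMP_DIVISION_PREDICATE and SALES_DIVISION_POLICY are hypothetical.

-- Mapping from database user to the one division that user may see. Owned by
-- the policy administrator, not by HR or by application users.
CREATE TABLE sec_admin.user_division (
  username VARCHAR2(30) PRIMARY KEY,
  division VARCHAR2(30) NOT NULL
);
INSERT INTO sec_admin.user_division VALUES ('SALES_USER', 'SALES');
COMMIT;

-- Policy function. DBMS_RLS fixes the signature: (schema, object) in, the
-- predicate text out. It runs with the definer's (SEC_ADMIN's) rights, so end
-- users need no grant on the lookup table.
CREATE OR REPLACE FUNCTION sec_admin.emp_division_predicate (
  p_schema VARCHAR2,
  p_object VARCHAR2
) RETURN VARCHAR2 AS
  v_user     VARCHAR2(30) := SYS_CONTEXT('USERENV', 'SESSION_USER');
  v_division VARCHAR2(30);
BEGIN
  -- Object owner and policy administrator are unrestricted: an empty
  -- predicate means the statement runs unchanged.
  IF v_user IN ('HR', 'SEC_ADMIN') THEN
    RETURN NULL;
  END IF;

  SELECT division INTO v_division
    FROM sec_admin.user_division
   WHERE username = v_user;

  -- Whatever is returned here is spliced into the user's SQL and executed, so
  -- the value is quoted with DBMS_ASSERT (10.2 and later) rather than
  -- concatenated raw; ENQUOTE_LITERAL raises on an unbalanced quote.
  RETURN 'division = ' || DBMS_ASSERT.ENQUOTE_LITERAL(v_division);
EXCEPTION
  WHEN NO_DATA_FOUND THEN
    RETURN '1 = 2';   -- unknown user: fail closed, no rows at all
END;
/

-- Attach the function for every DML type. UPDATE_CHECK applies the predicate
-- to the rows written by INSERT and UPDATE as well as to the rows they read,
-- so a Sales user cannot move a row into another division.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'EMP',
    policy_name     => 'SALES_DIVISION_POLICY',
    function_schema => 'SEC_ADMIN',
    policy_function => 'EMP_DIVISION_PREDICATE',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    update_check    => TRUE,
    policy_type     => DBMS_RLS.DYNAMIC);
END;
/

-- Check: run "SELECT * FROM hr.emp" as SALES_USER, then look at the predicate
-- the server attached to that cursor.
SELECT object_owner, object_name, policy, predicate
  FROM v$vpd_policy
 WHERE object_owner = 'HR' AND object_name = 'EMP';
```

V$VPD_POLICY shows the predicate actually in force on a parsed cursor, which is the quickest way to confirm that a policy is being applied to the statements you expect, and to catch a function that returned NULL for a user it should have restricted.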

You added the following VPD policy:

    BEGIN
      dbms_rls.add_policy(
        object_schema     => 'hr',
        object_name       => 'employees',
        policy_name       => 'hr_policy',
        function_schema   => 'hr',
        policy_function   => 'hr_pol',
        policy_type       => dbms_rls.static,
        sec_relevant_cols => 'sal,comm');
    END;

Which statements about this policy are correct? (Choose two.)

A. Oracle Database reevaluates the policy function at statement execution time if it detects context changes since the last use of the cursor.
B. The policy function is not reevaluated for each query on the EMPLOYEES table.
C. The policy is applied to the SELECT statement type only.
D. The policy predicates are cached in the system global area (SGA).

The correct answers are B and D. Note that POLICY_TYPE is specified as static. For a static policy type, the policy function is executed once and the predicate it returns is then cached in the SGA. In previous releases all policies were dynamic, which means that the database ran the policy function for each query or DML statement. In addition to dynamic policies, Oracle Database 10g provides static and context-sensitive policies, each also in a SHARED_ variant. These policy types improve server performance because they do not always rerun the policy function for each statement, and the shared variants let one policy be applied to multiple database objects.

Answer A is incorrect because it describes the CONTEXT_SENSITIVE policy type: setting POLICY_TYPE to DBMS_RLS.CONTEXT_SENSITIVE causes the database to reevaluate the policy function at statement execution time if it detects context changes since the last use of the cursor. With a static policy the cached predicate is reused even after session or application context has changed, so a static policy function must not return different predicate text for different callers. Answer C is incorrect because the policy applies to SELECT, INSERT, UPDATE, and DELETE statements when the STATEMENT_TYPES parameter is not specified.
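Why the static/context-sensitive distinction is a security question and not only a performance one, as an added example that is not part of the column. APP_CTX, SEC_ADMIN.APP_CTX_PKG, EMP_ROLE_PREDICATE and the policy names are hypothetical; HR.EMPLOYEES is the sample schema table, and the ROLE attribute is assumed to be set by the application after it has authenticated the end user.

```sql
-- Added example; not code from the column. APP_CTX, SEC_ADMIN.APP_CTX_PKG,
-- EMP_ROLE_PREDICATE and the policy names are hypothetical; HR.EMPLOYEES is
-- the sample schema table.

-- Application context: only APP_CTX_PKG may write attributes into APP_CTX,
-- which is what makes the value safe to base a predicate on.
CREATE CONTEXT app_ctx USING sec_admin.app_ctx_pkg;

CREATE OR REPLACE PACKAGE sec_admin.app_ctx_pkg AS
  PROCEDURE set_role (p_role VARCHAR2);
END;
/
CREATE OR REPLACE PACKAGE BODY sec_admin.app_ctx_pkg AS
  PROCEDURE set_role (p_role VARCHAR2) AS
  BEGIN
    DBMS_SESSION.SET_CONTEXT('APP_CTX', 'ROLE', p_role);
  END;
END;
/

-- A policy function whose predicate TEXT depends on the context: managers get
-- no predicate at all, everyone else is limited to their own row.
CREATE OR REPLACE FUNCTION sec_admin.emp_role_predicate (
  p_schema VARCHAR2,
  p_object VARCHAR2
) RETURN VARCHAR2 AS
BEGIN
  IF SYS_CONTEXT('APP_CTX', 'ROLE') = 'MANAGER' THEN
    RETURN NULL;
  END IF;
  RETURN 'email = SYS_CONTEXT(''USERENV'', ''SESSION_USER'')';
END;
/

-- Wrong: STATIC runs the function once and caches the returned text in the
-- SGA for every later session. If a manager's session is the first to touch
-- the table, the cached predicate is NULL and nobody is filtered afterwards.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'EMPLOYEES',
    policy_name     => 'EMP_ROLE_STATIC',
    function_schema => 'SEC_ADMIN',
    policy_function => 'EMP_ROLE_PREDICATE',
    policy_type     => DBMS_RLS.STATIC);
END;
/

-- Right: CONTEXT_SENSITIVE re-runs the function at execution time whenever the
-- session's application context changed since the cursor was last used, so a
-- call to SET_ROLE is reflected on the next execution of the statement.
BEGIN
  DBMS_RLS.DROP_POLICY('HR', 'EMPLOYEES', 'EMP_ROLE_STATIC');
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'EMPLOYEES',
    policy_name     => 'EMP_ROLE_CTX',
    function_schema => 'SEC_ADMIN',
    policy_function => 'EMP_ROLE_PREDICATE',
    policy_type     => DBMS_RLS.CONTEXT_SENSITIVE);
END;
/

-- STATIC remains the right choice when the predicate text never changes, for
-- example 'region = SYS_CONTEXT(''APP_CTX'', ''REGION'')': the text is
-- constant and SYS_CONTEXT is evaluated at execution time anyway.
```

The rule of thumb: a static policy may reference context inside the predicate string, but must never branch on context when deciding what string to return. If the function has an IF on session state, the policy has to be context-sensitive or dynamic.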

Smith defines a policy as shown here:

    BEGIN
      dbms_rls.add_policy(
        object_schema         => 'scott',
        object_name           => 'emp',
        policy_name           => 'sp1',
        function_schema       => 'pol_chk',
        policy_function       => 'pf_sal_comm',
        statement_types       => 'SELECT',
        sec_relevant_cols     => 'sal,comm',
        sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS);
    END;

Smith set the SEC_RELEVANT_COLS_OPT parameter of the DBMS_RLS.ADD_POLICY procedure to DBMS_RLS.ALL_ROWS in order to _________.

A. Enable the SYS user to see all rows, irrespective of the predicate returned by the policy function
B. Enable any user with the SELECT ANY TABLE privilege to see all rows, irrespective of the predicate returned by the policy function
C. Ensure that the policy is enabled only if the SAL and COMM columns do not have any null values in any rows
D. Implement column masking

The correct answer is D. Setting the SEC_RELEVANT_COLS_OPT parameter of the DBMS_RLS.ADD_POLICY procedure to DBMS_RLS.ALL_ROWS implements VPD column masking, a feature introduced in Oracle Database 10g. Column-masking behavior is fundamentally different from that of all other VPD policies, which return only a subset of rows. A column-masking policy returns all rows selected by the user's query, but in rows for which the policy predicate is false the sensitive columns (here SAL and COMM) appear as NULL. Column masking applies to SELECT statements only, and because every row is still returned it hides only the values in the listed columns, not the existence or number of rows.

Answers A, B, and C are incorrect. The SYS user is exempt from every security policy, so you need not set SEC_RELEVANT_COLS_OPT => DBMS_RLS.ALL_ROWS to let SYS see all rows. Setting SEC_RELEVANT_COLS_OPT => DBMS_RLS.ALL_ROWS does not enable a user with the SELECT ANY TABLE privilege to see all rows irrespective of the predicate returned by the policy function; bypassing VPD requires the separate EXEMPT ACCESS POLICY system privilege. Nor does it put any constraint on the policy with respect to null values in the rows.
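The two forms of SEC_RELEVANT_COLS side by side, as an added example that is not part of the column. HR.EMPLOYEES is the sample schema table; SEC_ADMIN, OWN_ROW_PREDICATE and the policy names are hypothetical, as is the assumption that the EMAIL column holds each user's database account name.

```sql
-- Added example; not code from the column. HR.EMPLOYEES is the sample schema
-- table; SEC_ADMIN, OWN_ROW_PREDICATE and the policy names are hypothetical.
-- Assumes EMAIL holds the caller's account name.

-- Predicate: true for the caller's own row only; HR itself is unrestricted.
CREATE OR REPLACE FUNCTION sec_admin.own_row_predicate (
  p_schema VARCHAR2,
  p_object VARCHAR2
) RETURN VARCHAR2 AS
BEGIN
  IF SYS_CONTEXT('USERENV', 'SESSION_USER') = 'HR' THEN
    RETURN NULL;
  END IF;
  RETURN 'email = SYS_CONTEXT(''USERENV'', ''SESSION_USER'')';
END;
/

-- Variant 1: SEC_RELEVANT_COLS alone. The predicate is applied, and rows are
-- filtered out, only when the statement references SALARY or COMMISSION_PCT;
-- a query that reads only names returns every row unfiltered.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema     => 'HR',
    object_name       => 'EMPLOYEES',
    policy_name       => 'EMP_PAY_ROW_FILTER',
    function_schema   => 'SEC_ADMIN',
    policy_function   => 'OWN_ROW_PREDICATE',
    statement_types   => 'SELECT',
    sec_relevant_cols => 'SALARY,COMMISSION_PCT');
END;
/

-- Variant 2: add ALL_ROWS and the same function becomes a masking policy:
-- every row comes back, but SALARY and COMMISSION_PCT read as NULL in the
-- rows the predicate does not accept. Masking is supported for SELECT only.
BEGIN
  DBMS_RLS.DROP_POLICY('HR', 'EMPLOYEES', 'EMP_PAY_ROW_FILTER');
  DBMS_RLS.ADD_POLICY(
    object_schema         => 'HR',
    object_name           => 'EMPLOYEES',
    policy_name           => 'EMP_PAY_MASK',
    function_schema       => 'SEC_ADMIN',
    policy_function       => 'OWN_ROW_PREDICATE',
    statement_types       => 'SELECT',
    sec_relevant_cols     => 'SALARY,COMMISSION_PCT',
    sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS);
END;
/

-- Checks, run as an ordinary user whose account matches one EMAIL value.
-- Under variant 1 this returns that user's single row; under variant 2 it
-- returns every row, with SALARY filled in for that one row only.
SELECT employee_id, email, salary FROM hr.employees ORDER BY employee_id;

-- What masking does not hide: row existence. COUNT(*) reports the true count
-- (no relevant column is referenced under variant 1; all rows are returned
-- under variant 2), while COUNT(salary) counts only the unmasked rows.
SELECT COUNT(*), COUNT(salary) FROM hr.employees;
```

Pick the variant by what must be protected: if a user may not learn that a row exists, use row filtering; if the row is public but a few columns are not, use masking. Masking cannot be applied to INSERT, UPDATE or DELETE, so writes to the masked columns need a separate, non-masking policy.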

Conclusion

Oracle Database 10g provides several enhancements to FGA and VPD. FGA captures user activities at a very detailed level, which lets you avoid manual trigger-based auditing, and the DBA_COMMON_AUDIT_TRAIL view combines the trails of standard auditing and FGA. VPD is a very powerful feature that supports a variety of requirements, such as masking columns selectively based on the policy and applying the policy only when certain columns are accessed.

Next Steps

READ "Inside OCP" columns
http://www.oracle.com/technology/oramag/oracle/ocp

LEARN more about the Oracle Certification Program, and download a free exam guide
http://www.oracle.com/education/certification