Oracle Feature Procedures
Versions 11.2 - 21c

Security Advisory
The Oracle Database by default installs a lot of security features available even if they are not configured by default. As a security-focused administrator it is your responsibility to know which are in use, and to cover their use with licensing if required. But, equally important, seeing that there is a feature that is not in use should alert you to the fact that you are not protecting your database to the fullest extent possible.

Most of the procedures are owned by SYS and named DBMS_FEATURE_... but at least one, the one for Label Security, is owned by LBACSYS and justed FEATURE_USAGE.

This page focuses on the subset of Feature Usage procedures specifically targeting use of security-focused features and options such as those that report on use of encryption/
 
Recommended Security Rules

 NEVER
  • Allow anyone access to any of the DBMS_FEATURE usage procedures whether listed here or not.
  • Allow anyone without a need to know produced a feature usage report as information on what is in use, and what is not in use, is valuable to an attacker.
 WITH GREAT CARE
  • N/A
 CAUTIONS
  • N/A
 
How Oracle Works
The Oracle Database, for many versions, has possessed the ability to report on what features are, and are not, in use.

The example at right shows how to produce a full Feature Usage Report. The report has two sections. The first shows when usage was most recently detected. The second show the usage high-water mark.
set pagesize 999
set linesize 181
set trimspool on
set trim on

spool /home/oracle/feature_usage_rpt.html

SELECT output FROM TABLE(dbms_feature_usage_report.display_html);

spool off

-- open the file resulting file vi and remove artifacts preceding the first HTML tag and following the final tag
 
General
These procedures support Oracle's Feature Usage Reporting: See link at page bottom.
AUTHID DEFINER
Dependencies The dependences for each procedure are listed with the procedure
Documented No
First Available 11.2
Security Model Owned by SYS with no privileges granted
Source Code {ORACLE_HOME}/rdbms/admin/
Procedures
 
DBMS_FEATURE_ACFS_ENCR
Data Dictionary Objects
SYS_STUB_FOR_PURITY_ANALYSIS V$ASM_ACFS_ENCRYPTION_INFO  
Detects ACFS Encryption usage dbms_feature_acfs_encr(
is_used      OUT NUMBER,
aux_count    OUT NUMBER,
feature_info OUT CLOB);
set serveroutput on

DECLARE
 i NUMBER;
 j NUMBER;
 k CLOB;
BEGIN
  sys.dbms_feature_acfs_encr(i, j, k);
  dbms_output.put_line('1: ' || i);
  dbms_output.put_line('2: ' || j);
  dbms_output.put_line('3: ' || k);
END;
/
1: 0
2:
3:
 
DBMS_FEATURE_AUDIT_OPTIONS
Dependencies
AUDIT$ SYS_STUB_FOR_PURITY_ANALYSIS V$PARAMETER
DBA_OBJ_AUDIT_OPTS V$OPTION  
Detects audit trail type and the number of system and object audit options available dbms_feature_audit_options(
feature_boolean OUT NUMBER,
aux_count       OUT NUMBER,
feature_info    OUT CLOB);
set serveroutput on

DECLARE
 i NUMBER;
 j NUMBER;
 k CLOB;
BEGIN
  dbms_feature_audit_options(i, j, k);
  dbms_output.put_line('1: ' || i);
  dbms_output.put_line('2: ' || j);
  dbms_output.put_line('3: ' || k);
END;
/
1: 1
2: 0
3: AUDIT_TRAIL=DB; Number of system audit options=234; Number of object audit options=254
 
DBMS_FEATURE_BACKUP_ENCRYPTION
Dependencies
DBMS_BACKUP_RESTORE SYS_STUB_FOR_PURITY_ANALYSIS  
Counts RMAN Backup Encryption usage dbms_feature_backup_encryption(
feature_boolean OUT NUMBER,
aux_count       OUT NUMBER,
feature_info    OUT CLOB);
set serveroutput on

DECLARE
 i NUMBER;
 j NUMBER;
 k CLOB;
BEGIN
  dbms_feature_backup_encryption(i, j, k);
  dbms_output.put_line('1: ' || i);
  dbms_output.put_line('2: ' || j);
  dbms_output.put_line('3: ' || k);
END;
/
1: 0
2: 0
3:
 
DBMS_FEATURE_DATABASE_VAULT
Dependencies
SYS_STUB_FOR_PURITY_ANALYSIS USER$ V$OPTION
Detects Database Vault usage dbms_feature_database_vault(
feature_boolean OUT NUMBER,
aux_count       OUT NUMBER,
feature_info    OUT CLOB);
set serveroutput on

DECLARE
 i NUMBER;
 j NUMBER;
 k CLOB;
BEGIN
  dbms_feature_database_vault(i, j, k);
  dbms_output.put_line('1: ' || i);
  dbms_output.put_line('2: ' || j);
  dbms_output.put_line('3: ' || k);
END;
/
1: 0
2: 0
3:
 
DBMS_FEATURE_DATA_REDACTION
Dependencies
SYS_STUB_FOR_PURITY_ANALYSIS    
Detects Data Redaction usage dbms_feature_data_redaction(
feature_boolean OUT NUMBER,
aux_count       OUT NUMBER,
feature_info    OUT CLOB);
set serveroutput on

DECLARE
 i NUMBER;
 j NUMBER;
 k CLOB;
BEGIN
  dbms_feature_data_redaction(i, j, k);
  dbms_output.put_line('1: ' || i);
  dbms_output.put_line('2: ' || j);
  dbms_output.put_line('3: ' || k);
END;
/
1: 0
2: 0
3: Data Redaction usage not detected
 
DBMS_FEATURE_FGA_AUDIT
Dependencies
DBA_AUDIT_POLICIES SYS_STUB_FOR_PURITY_ANALYSIS  
Detects usage of Fine Grained Auditing dbms_feature_fga_audit(
feature_boolean OUT NUMBER,
aux_count       OUT NUMBER,
feature_info    OUT CLOB);
set serveroutput on

DECLARE
 i NUMBER;
 j NUMBER;
 k CLOB;
BEGIN
  dbms_feature_fga_audit(i, j, k);
  dbms_output.put_line('1: ' || i);
  dbms_output.put_line('2: ' || j);
  dbms_output.put_line('3: ' || k);
END;
/
1: 0
2: 0
3: Number of FGA policies=0; Number of Enabled FGA policies=0; Number of FGA policies with audit_condition=0; Number of FGA policies with column-level audit=0; Number of FGA policies with handler=0; Number of FGA policies with DB audit_trail=0; Number of FGA policies with XML audit_trail=0
 
DBMS_FEATURE_LABEL_SECURITY
Dependencies
SYS_STUB_FOR_PURITY_ANALYSIS    
Detects Label Security usage dbms_feature_label_security(
feature_boolean OUT NUMBER,
aux_count       OUT NUMBER,
feature_info    OUT CLOB);
set serveroutput on

DECLARE
 i NUMBER;
 j NUMBER;
 k CLOB;
BEGIN
  dbms_feature_label_security(i, j, k);
  dbms_output.put_line('1: ' || i);
  dbms_output.put_line('2: ' || j);
  dbms_output.put_line('3: ' || k);
END;
/
1: 0
2: 0
3: No. of policies=0
 
DBMS_FEATURE_PRIV_CAPTURE
Dependencies
CAPTURE_RUN_LOG$ PRIV_CAPTURE$ SYS_STUB_FOR_PURITY_ANALYSIS
Detects Privilege Capture usage dbms_feature_priv_capture(
feature_boolean OUT NUMBER,
aux_count       OUT NUMBER,
feature_info    OUT CLOB);
set serveroutput on

DECLARE
 i NUMBER;
 j NUMBER;
 k CLOB;
BEGIN
  dbms_feature_priv_capture(i, j, k);
  dbms_output.put_line('1: ' || i);
  dbms_output.put_line('2: ' || j);
  dbms_output.put_line('3: ' || k);
END;
/
1: 1
2: 1
3:
 
DBMS_FEATURE_RAS
Dependencies
DBA_ROLE_PRIVS SYS_STUB_FOR_PURITY_ANALYSIS XS$OBJ
DBA_XS_APPLIED_POLICIES XS$ACE XS$PRIN
DBA_XS_ROLE_GRANTS XS$ACL XS$PRIV
RXS$SESSIONS XS$DSEC XS$SECCLS
Detects Real Application Security User dbms_feature_ras(
feature_boolean OUT NUMBER,
aux_count       OUT NUMBER,
feature_info    OUT CLOB);
set serveroutput on

DECLARE
 i NUMBER;
 j NUMBER;
 k CLOB;
BEGIN
  dbms_feature_ras(i, j, k);
  dbms_output.put_line('1: ' || i);
  dbms_output.put_line('2: ' || j);
  dbms_output.put_line('3: ' || k);
END;
/
1: 1
2: 0
3: Real Application Security usage not detected
 
DBMS_FEATURE_SFENCRYPT_SYS
Dependencies
LOB$ OBJ$ TAB$
LOBCOMPPART$ PARTLOB$ USER$
LOBFRAG$ SYS_STUB_FOR_PURITY_ANALYSIS  
Detects usage of SecureFile Encryption by SYS, SYSTEM, and XDB dbms_feature_sfencrypt_sys(
feature_boolean OUT NUMBER,
aux_count       OUT NUMBER,
feature_info    OUT CLOB);
set serveroutput on

DECLARE
 i NUMBER;
 j NUMBER;
 k CLOB;
BEGIN
  dbms_feature_sfencrypt_sys(i, j, k);
  dbms_output.put_line('1: ' || i);
  dbms_output.put_line('2: ' || j);
  dbms_output.put_line('3: ' || k);
END;
/
1: 0
2: 0
3:
 
DBMS_FEATURE_SFENCRYPT_USR
Dependencies
LOB$ OBJ$ TAB$
LOBCOMPPART$ PARTLOB$ USER$
LOBFRAG$ SYS_STUB_FOR_PURITY_ANALYSIS  
Detects use of SecureFile Encryption by other than SYS, SYSTEM, and XDB dbms_feature_sfencrypt_usr(
feature_boolean OUT NUMBER,
aux_count       OUT NUMBER,
feature_info    OUT CLOB);
set serveroutput on

DECLARE
 i NUMBER;
 j NUMBER;
 k CLOB;
BEGIN
  dbms_feature_sfencrypt_usr(i, j, k);
  dbms_output.put_line('1: ' || i);
  dbms_output.put_line('2: ' || j);
  dbms_output.put_line('3: ' || k);
END;
/
1: 0
2: 0
3:
 
DBMS_FEATURE_TSDP
Dependencies
SYS_STUB_FOR_PURITY_ANALYSIS    
Detects Transparent Sensitive Data Protection Policy usage dbms_feature_tsdp(
feature_boolean OUT NUMBER,
aux_count       OUT NUMBER,
feature_info    OUT CLOB);
set serveroutput on

DECLARE
 i NUMBER;
 j NUMBER;
 k CLOB;
BEGIN
  dbms_feature_tsdp(i, j, k);
  dbms_output.put_line('1: ' || i);
  dbms_output.put_line('2: ' || j);
  dbms_output.put_line('3: ' || k);
END;
/
1: 0
2: 0
3: Transparent Sensitive Data Protection feature not used
 
DBMS_FEATURE_UNIFIED_AUDIT
Dependencies
AUDIT_NG$ AUD_CONTEXT$ SYS_STUB_FOR_PURITY_ANALYSIS
AUDIT_UNIFIED_POLICIES AUD_POLICY$ V$OPTION
Detects usage of Unified Audit dbms_feature_unified_audit(
feature_boolean OUT NUMBER,
aux_count       OUT NUMBER,
feature_info    OUT CLOB);
set serveroutput on

DECLARE
 i NUMBER;
 j NUMBER;
 k CLOB;
BEGIN
  dbms_feature_unified_audit(i, j, k);
  dbms_output.put_line('1: ' || i);
  dbms_output.put_line('2: ' || j);
  dbms_output.put_line('3: ' || k);
END;
/
1: 1
2: 0
3: Number of Unified Audit policies=7; Number of Enabled Unified Audit
policies=1; Number of Unified Audit policies with condition=0; Number of Unified
Audit policies on DV=0; Number of Unified Audit policies on OLS=0; Number of
Unified Audit policies on XS=4; Number of Unified Audit policies on DATAPUMP=0;
Number of Enabled Unified Audit Contexts=0
 
DBMS_FEATURE_UTILITIES1
Dependencies
DBA_FEATURE_USAGE_STATISTICS KU_UTLUSE SYS_STUB_FOR_PURITY_ANALYSIS
Detects usage of DataPump Export and associated compression and encryption dbms_feature_utilities1(
feature_boolean OUT NUMBER,
aux_count       OUT NUMBER,
feature_info    OUT CLOB);
set serveroutput on

DECLARE
 i NUMBER;
 j NUMBER;
 k CLOB;
BEGIN
  dbms_feature_utilities1(i, j, k);
  dbms_output.put_line('1: ' || i);
  dbms_output.put_line('2: ' || j);
  dbms_output.put_line('3: ' || k);
END;
/
1: 0
2: 0
3: Oracle Utility Datapump (Export) invoked: 0 times, compression used: 0 times
(BASIC algorithm used: 0 times, LOW algorithm used: 0 times, MEDIUM algorithm
used: 0 times, HIGH algorithm used: 0 times), encryption used: 0 times (AES128
algorithm used: 0 times, AES192 algorithm used: 0 times, AES256 algorithm used:
0 times, PASSWORD mode used: 0 times, DUAL mode used: 0 times, TRANSPARENT mode
used: 0 times), parallel used: 0 times
 
DBMS_FEATURE_UTILITIES2
Dependencies
DBA_FEATURE_USAGE_STATISTICS KU_UTLUSE SYS_STUB_FOR_PURITY_ANALYSIS
Detects use of DataPump Import and associated compression and encryption dbms_feature_utilities2(
feature_boolean OUT NUMBER,
aux_count       OUT NUMBER,
feature_info    OUT CLOB);
set serveroutput on

DECLARE
 i NUMBER;
 j NUMBER;
 k CLOB;
BEGIN
  dbms_feature_utilities2(i, j, k);
  dbms_output.put_line('1: ' || i);
  dbms_output.put_line('2: ' || j);
  dbms_output.put_line('3: ' || k);
END;
/
1: 0
2: 0
3: Oracle Utility Datapump (Import) invoked: 0 times, parallel used: 0 times
 
DBMS_FEATURE_UTILITIES3
Dependencies
DBA_FEATURE_USAGE_STATISTICS KU_UTLUSE SYS_STUB_FOR_PURITY_ANALYSIS
Detects usage of Metadata API and associated compression and encryption dbms_feature_utilities3(
feature_boolean OUT NUMBER,
aux_count       OUT NUMBER,
feature_info    OUT CLOB);
set serveroutput on

DECLARE
 i NUMBER;
 j NUMBER;
 k CLOB;
BEGIN
  dbms_feature_utilities3(i, j, k);
  dbms_output.put_line('1: ' || i);
  dbms_output.put_line('2: ' || j);
  dbms_output.put_line('3: ' || k);
END;
/
1: 6
2: 6
3:
 
DBMS_FEATURE_UTILITIES4
Dependencies
DBA_FEATURE_USAGE_STATISTICS KU_UTLUSE SYS_STUB_FOR_PURITY_ANALYSIS
Detects usage of External Tables and associated compression and encryption dbms_feature_utilities4(
feature_boolean OUT NUMBER,
aux_count       OUT NUMBER,
feature_info    OUT CLOB);
set serveroutput on

DECLARE
 i NUMBER;
 j NUMBER;
 k CLOB;
BEGIN
  dbms_feature_utilities4(i, j, k);
  dbms_output.put_line('1: ' || i);
  dbms_output.put_line('2: ' || j);
  dbms_output.put_line('3: ' || k);
END;
/
1: 0
2: 0
3: Oracle Utility External Table invoked: 0 times, compression used: 0 times
(BASIC algorithm used: 0 times, LOW algorithm used: 0 times, MEDIUM algorithm
used: 0 times, HIGH algorithm used: 0 times), encryption used: 0 times
 
DBMS_FEATURE_VPD
Dependencies
DBA_POLICIES DBA_SEC_RELEVANT_COLS DBMS_UTILITY
DBA_POLICY_ATTRIBUTES DBA_USERS SYS_STUB_FOR_PURITY_ANALYSIS
Counts Virtual Private Database (Row Level Security) usage dbms_feature_vpd(
feature_boolean OUT NUMBER,
aux_count       OUT NUMBER,
feature_info    OUT CLOB);
set serveroutput on

DECLARE
 i NUMBER;
 j NUMBER;
 k CLOB;
BEGIN
  dbms_feature_vpd(i, j, k);
  dbms_output.put_line('1: ' || i);
  dbms_output.put_line('2: ' || j);
  dbms_output.put_line('3: ' || k);
END;
/
1: 0
2: 0
3: Number of policies=0, Number of enabled policies=0, Number of objects that have VPD policies=0, Number of policies on
SELECT statement=0, Number of policies on INSERT statement=0, Number of policies on UPDATE statement=0, Number of
policies on DELETE statement=0, Number of policies on INDEX statement=0, Number of DYNAMIC policies=0, Number of STATIC
policies=0, Number of SHARED_STATIC policies=0, Number of CONTEXT_SENSITIVE policies=0, Number of
SHARED_CONTEXT_SENSITIVE policies=0, Number of attribute associated CONTEXT_SENSITIVE policies=0, Number of policies with
long predicate=0, Number of COLUMN LEVEL policies=0, Number of COMMON policies=0, Number of INHERITED policies=0
 
FEATURE_USAGE
Dependencies
OLS$COMPARTMENTS OLS$LEVELS OLS$PROFILE
OLS$GROUPS OLS$POL SYS_STUB_FOR_PURITY_ANALYSIS
OLS$LAB OLS$POLT  
Label Security usage feature_usage(
feature_boolean OUT NUMBER,
aux_count       OUT NUMBER,
feature_info    OUT CLOB);
set serveroutput on

DECLARE
 fb NUMBER;
 ac NUMBER;
 fi CLOB;
BEGIN
  lbacsys.feature_usage(fb, ac, fi);
  dbms_output.put_line(fb);
  dbms_output.put_line(ac);
  dbms_output.put_line(fi);
END;
/
0
0
No. of policies=0

Related Topics
DBMS_FEATURE_USAGE
DBMS_FEATURE_USAGE_REPORT