| Security Advisory |
The Oracle Database by default installs a lot of security features available even if they are not configured by default.
As a security-focused administrator it is your responsibility to know which are in use, and to cover their use with licensing if required.
But, equally important, seeing that there is a feature that is not in use should alert you to the fact that you are not protecting your database to the fullest extent possible.
Most of the procedures are owned by SYS and named DBMS_FEATURE_... but at
least one, the one for Label Security, is owned by LBACSYS and justed
FEATURE_USAGE.
This page focuses on the subset of Feature Usage procedures specifically targeting use of security-focused features and options such as those that report on use of encryption/ |
| |
| Recommended Security Rules |
NEVER
- Allow anyone access to any of the DBMS_FEATURE usage procedures whether listed here or not.
- Allow anyone without a need to know produced a feature usage report as information on what is in use, and what is not in use, is valuable to an attacker.
WITH GREAT CARE
CAUTIONS
|
| |
| How Oracle Works |
The Oracle Database, for many versions, has possessed the ability to report on what features are, and are not, in use.
The example at right shows how to produce a full Feature Usage Report. The report has two sections. The first shows when usage was most recently detected. The second show the usage high-water mark. |
set pagesize 999
set linesize 181
set trimspool on
set trim on
spool /home/oracle/feature_usage_rpt.html
SELECT output FROM TABLE(dbms_feature_usage_report.display_html);
spool off
-- open the file resulting file vi and remove artifacts preceding the first HTML tag and following the final tag |
| |
| General |
| These procedures support Oracle's Feature Usage Reporting: See link at page bottom. |
| AUTHID |
DEFINER |
| Dependencies |
The dependences for each procedure are listed with the procedure |
| Documented |
No |
| First Available |
11.2 |
| Security Model |
Owned by SYS with no privileges granted |
| Source Code |
{ORACLE_HOME}/rdbms/admin/ |
| Procedures |
|
| |
| DBMS_FEATURE_ACFS_ENCR |
| Data Dictionary Objects |
| SYS_STUB_FOR_PURITY_ANALYSIS |
V$ASM_ACFS_ENCRYPTION_INFO |
|
|
| Detects ACFS Encryption usage |
dbms_feature_acfs_encr(
is_used OUT NUMBER,
aux_count OUT NUMBER,
feature_info OUT CLOB); |
set serveroutput on
DECLARE
i NUMBER;
j NUMBER;
k CLOB;
BEGIN
sys.dbms_feature_acfs_encr(i, j, k);
dbms_output.put_line('1: ' || i);
dbms_output.put_line('2: ' || j);
dbms_output.put_line('3: ' || k);
END;
/
1: 0
2:
3: |
| |
| DBMS_FEATURE_AUDIT_OPTIONS |
| Dependencies |
| AUDIT$ |
SYS_STUB_FOR_PURITY_ANALYSIS |
V$PARAMETER |
| DBA_OBJ_AUDIT_OPTS |
V$OPTION |
|
|
| Detects audit trail type and the number of system and object audit options available |
dbms_feature_audit_options(
feature_boolean OUT NUMBER,
aux_count OUT NUMBER,
feature_info OUT CLOB); |
set serveroutput on
DECLARE
i NUMBER;
j NUMBER;
k CLOB;
BEGIN
dbms_feature_audit_options(i, j, k);
dbms_output.put_line('1: ' || i);
dbms_output.put_line('2: ' || j);
dbms_output.put_line('3: ' || k);
END;
/
1: 1
2: 0
3: AUDIT_TRAIL=DB; Number of system audit options=234; Number of object audit options=254 |
| |
| DBMS_FEATURE_BACKUP_ENCRYPTION |
| Dependencies |
| DBMS_BACKUP_RESTORE |
SYS_STUB_FOR_PURITY_ANALYSIS |
|
|
| Counts RMAN Backup Encryption usage |
dbms_feature_backup_encryption(
feature_boolean OUT NUMBER,
aux_count OUT NUMBER,
feature_info OUT CLOB); |
set serveroutput on
DECLARE
i NUMBER;
j NUMBER;
k CLOB;
BEGIN
dbms_feature_backup_encryption(i, j, k);
dbms_output.put_line('1: ' || i);
dbms_output.put_line('2: ' || j);
dbms_output.put_line('3: ' || k);
END;
/
1: 0
2: 0
3: |
| |
| DBMS_FEATURE_DATABASE_VAULT |
| Dependencies |
| SYS_STUB_FOR_PURITY_ANALYSIS |
USER$ |
V$OPTION |
|
| Detects Database Vault usage |
dbms_feature_database_vault(
feature_boolean OUT NUMBER,
aux_count OUT NUMBER,
feature_info OUT CLOB); |
set serveroutput on
DECLARE
i NUMBER;
j NUMBER;
k CLOB;
BEGIN
dbms_feature_database_vault(i, j, k);
dbms_output.put_line('1: ' || i);
dbms_output.put_line('2: ' || j);
dbms_output.put_line('3: ' || k);
END;
/
1: 0
2: 0
3: |
| |
| DBMS_FEATURE_DATA_REDACTION |
| Dependencies |
| SYS_STUB_FOR_PURITY_ANALYSIS |
|
|
|
| Detects Data Redaction usage |
dbms_feature_data_redaction(
feature_boolean OUT NUMBER,
aux_count OUT NUMBER,
feature_info OUT CLOB); |
set serveroutput on
DECLARE
i NUMBER;
j NUMBER;
k CLOB;
BEGIN
dbms_feature_data_redaction(i, j, k);
dbms_output.put_line('1: ' || i);
dbms_output.put_line('2: ' || j);
dbms_output.put_line('3: ' || k);
END;
/
1: 0
2: 0
3: Data Redaction usage not detected |
| |
| DBMS_FEATURE_FGA_AUDIT |
| Dependencies |
| DBA_AUDIT_POLICIES |
SYS_STUB_FOR_PURITY_ANALYSIS |
|
|
| Detects usage of Fine Grained Auditing |
dbms_feature_fga_audit(
feature_boolean OUT NUMBER,
aux_count OUT NUMBER,
feature_info OUT CLOB); |
set serveroutput on
DECLARE
i NUMBER;
j NUMBER;
k CLOB;
BEGIN
dbms_feature_fga_audit(i, j, k);
dbms_output.put_line('1: ' || i);
dbms_output.put_line('2: ' || j);
dbms_output.put_line('3: ' || k);
END;
/
1: 0
2: 0
3: Number of FGA policies=0; Number of Enabled FGA policies=0; Number of FGA policies with audit_condition=0; Number of FGA policies
with column-level audit=0; Number of FGA policies with handler=0; Number of FGA policies with DB audit_trail=0; Number of FGA policies with XML audit_trail=0 |
| |
| DBMS_FEATURE_LABEL_SECURITY |
| Dependencies |
| SYS_STUB_FOR_PURITY_ANALYSIS |
|
|
|
| Detects Label Security usage |
dbms_feature_label_security(
feature_boolean OUT NUMBER,
aux_count OUT NUMBER,
feature_info OUT CLOB); |
set serveroutput on
DECLARE
i NUMBER;
j NUMBER;
k CLOB;
BEGIN
dbms_feature_label_security(i, j, k);
dbms_output.put_line('1: ' || i);
dbms_output.put_line('2: ' || j);
dbms_output.put_line('3: ' || k);
END;
/
1: 0
2: 0
3: No. of policies=0 |
| |
| DBMS_FEATURE_PRIV_CAPTURE |
| Dependencies |
| CAPTURE_RUN_LOG$ |
PRIV_CAPTURE$ |
SYS_STUB_FOR_PURITY_ANALYSIS |
|
| Detects Privilege Capture usage |
dbms_feature_priv_capture(
feature_boolean OUT NUMBER,
aux_count OUT NUMBER,
feature_info OUT CLOB); |
set serveroutput on
DECLARE
i NUMBER;
j NUMBER;
k CLOB;
BEGIN
dbms_feature_priv_capture(i, j, k);
dbms_output.put_line('1: ' || i);
dbms_output.put_line('2: ' || j);
dbms_output.put_line('3: ' || k);
END;
/
1: 1
2: 1
3: |
| |
| DBMS_FEATURE_RAS |
| Dependencies |
| DBA_ROLE_PRIVS |
SYS_STUB_FOR_PURITY_ANALYSIS |
XS$OBJ |
| DBA_XS_APPLIED_POLICIES |
XS$ACE |
XS$PRIN |
| DBA_XS_ROLE_GRANTS |
XS$ACL |
XS$PRIV |
| RXS$SESSIONS |
XS$DSEC |
XS$SECCLS |
|
| Detects Real Application Security User |
dbms_feature_ras(
feature_boolean OUT NUMBER,
aux_count OUT NUMBER,
feature_info OUT CLOB); |
set serveroutput on
DECLARE
i NUMBER;
j NUMBER;
k CLOB;
BEGIN
dbms_feature_ras(i, j, k);
dbms_output.put_line('1: ' || i);
dbms_output.put_line('2: ' || j);
dbms_output.put_line('3: ' || k);
END;
/
1: 1
2: 0
3: Real Application Security usage not detected |
| |
| DBMS_FEATURE_SFENCRYPT_SYS |
| Dependencies |
| LOB$ |
OBJ$ |
TAB$ |
| LOBCOMPPART$ |
PARTLOB$ |
USER$ |
| LOBFRAG$ |
SYS_STUB_FOR_PURITY_ANALYSIS |
|
|
| Detects usage of SecureFile Encryption by SYS, SYSTEM, and XDB |
dbms_feature_sfencrypt_sys(
feature_boolean OUT NUMBER,
aux_count OUT NUMBER,
feature_info OUT CLOB); |
set serveroutput on
DECLARE
i NUMBER;
j NUMBER;
k CLOB;
BEGIN
dbms_feature_sfencrypt_sys(i, j, k);
dbms_output.put_line('1: ' || i);
dbms_output.put_line('2: ' || j);
dbms_output.put_line('3: ' || k);
END;
/
1: 0
2: 0
3: |
| |
| DBMS_FEATURE_SFENCRYPT_USR |
| Dependencies |
| LOB$ |
OBJ$ |
TAB$ |
| LOBCOMPPART$ |
PARTLOB$ |
USER$ |
| LOBFRAG$ |
SYS_STUB_FOR_PURITY_ANALYSIS |
|
|
| Detects use of SecureFile Encryption by other than SYS, SYSTEM, and XDB |
dbms_feature_sfencrypt_usr(
feature_boolean OUT NUMBER,
aux_count OUT NUMBER,
feature_info OUT CLOB); |
set serveroutput on
DECLARE
i NUMBER;
j NUMBER;
k CLOB;
BEGIN
dbms_feature_sfencrypt_usr(i, j, k);
dbms_output.put_line('1: ' || i);
dbms_output.put_line('2: ' || j);
dbms_output.put_line('3: ' || k);
END;
/
1: 0
2: 0
3: |
| |
| DBMS_FEATURE_TSDP |
| Dependencies |
| SYS_STUB_FOR_PURITY_ANALYSIS |
|
|
|
| Detects Transparent Sensitive Data Protection Policy usage |
dbms_feature_tsdp(
feature_boolean OUT NUMBER,
aux_count OUT NUMBER,
feature_info OUT CLOB); |
set serveroutput on
DECLARE
i NUMBER;
j NUMBER;
k CLOB;
BEGIN
dbms_feature_tsdp(i, j, k);
dbms_output.put_line('1: ' || i);
dbms_output.put_line('2: ' || j);
dbms_output.put_line('3: ' || k);
END;
/
1: 0
2: 0
3: Transparent Sensitive Data Protection feature not used |
| |
| DBMS_FEATURE_UNIFIED_AUDIT |
| Dependencies |
| AUDIT_NG$ |
AUD_CONTEXT$ |
SYS_STUB_FOR_PURITY_ANALYSIS |
| AUDIT_UNIFIED_POLICIES |
AUD_POLICY$ |
V$OPTION |
|
| Detects usage of Unified Audit |
dbms_feature_unified_audit(
feature_boolean OUT NUMBER,
aux_count OUT NUMBER,
feature_info OUT CLOB); |
set serveroutput on
DECLARE
i NUMBER;
j NUMBER;
k CLOB;
BEGIN
dbms_feature_unified_audit(i, j, k);
dbms_output.put_line('1: ' || i);
dbms_output.put_line('2: ' || j);
dbms_output.put_line('3: ' || k);
END;
/
1: 1
2: 0
3: Number of Unified Audit policies=7; Number of Enabled Unified Audit
policies=1; Number of Unified Audit policies with condition=0; Number of Unified
Audit policies on DV=0; Number of Unified Audit policies on OLS=0; Number of
Unified Audit policies on XS=4; Number of Unified Audit policies on DATAPUMP=0;
Number of Enabled Unified Audit Contexts=0 |
| |
| DBMS_FEATURE_UTILITIES1 |
| Dependencies |
| DBA_FEATURE_USAGE_STATISTICS |
KU_UTLUSE |
SYS_STUB_FOR_PURITY_ANALYSIS |
|
| Detects usage of DataPump Export and associated compression and encryption |
dbms_feature_utilities1(
feature_boolean OUT NUMBER,
aux_count OUT NUMBER,
feature_info OUT CLOB); |
set serveroutput on
DECLARE
i NUMBER;
j NUMBER;
k CLOB;
BEGIN
dbms_feature_utilities1(i, j, k);
dbms_output.put_line('1: ' || i);
dbms_output.put_line('2: ' || j);
dbms_output.put_line('3: ' || k);
END;
/
1: 0
2: 0
3: Oracle Utility Datapump (Export) invoked: 0 times, compression used: 0 times
(BASIC algorithm used: 0 times, LOW algorithm used: 0 times, MEDIUM algorithm
used: 0 times, HIGH algorithm used: 0 times), encryption used: 0 times (AES128
algorithm used: 0 times, AES192 algorithm used: 0 times, AES256 algorithm used:
0 times, PASSWORD mode used: 0 times, DUAL mode used: 0 times, TRANSPARENT mode
used: 0 times), parallel used: 0 times |
| |
| DBMS_FEATURE_UTILITIES2 |
| Dependencies |
| DBA_FEATURE_USAGE_STATISTICS |
KU_UTLUSE |
SYS_STUB_FOR_PURITY_ANALYSIS |
|
| Detects use of DataPump Import and associated compression and encryption |
dbms_feature_utilities2(
feature_boolean OUT NUMBER,
aux_count OUT NUMBER,
feature_info OUT CLOB); |
set serveroutput on
DECLARE
i NUMBER;
j NUMBER;
k CLOB;
BEGIN
dbms_feature_utilities2(i, j, k);
dbms_output.put_line('1: ' || i);
dbms_output.put_line('2: ' || j);
dbms_output.put_line('3: ' || k);
END;
/
1: 0
2: 0
3: Oracle Utility Datapump (Import) invoked: 0 times, parallel used: 0 times |
| |
| DBMS_FEATURE_UTILITIES3 |
| Dependencies |
| DBA_FEATURE_USAGE_STATISTICS |
KU_UTLUSE |
SYS_STUB_FOR_PURITY_ANALYSIS |
|
| Detects usage of Metadata API and associated compression and encryption |
dbms_feature_utilities3(
feature_boolean OUT NUMBER,
aux_count OUT NUMBER,
feature_info OUT CLOB); |
set serveroutput on
DECLARE
i NUMBER;
j NUMBER;
k CLOB;
BEGIN
dbms_feature_utilities3(i, j, k);
dbms_output.put_line('1: ' || i);
dbms_output.put_line('2: ' || j);
dbms_output.put_line('3: ' || k);
END;
/
1: 6
2: 6
3: |
| |
| DBMS_FEATURE_UTILITIES4 |
| Dependencies |
| DBA_FEATURE_USAGE_STATISTICS |
KU_UTLUSE |
SYS_STUB_FOR_PURITY_ANALYSIS |
|
| Detects usage of External Tables and associated compression and encryption |
dbms_feature_utilities4(
feature_boolean OUT NUMBER,
aux_count OUT NUMBER,
feature_info OUT CLOB); |
set serveroutput on
DECLARE
i NUMBER;
j NUMBER;
k CLOB;
BEGIN
dbms_feature_utilities4(i, j, k);
dbms_output.put_line('1: ' || i);
dbms_output.put_line('2: ' || j);
dbms_output.put_line('3: ' || k);
END;
/
1: 0
2: 0
3: Oracle Utility External Table invoked: 0 times, compression used: 0 times
(BASIC algorithm used: 0 times, LOW algorithm used: 0 times, MEDIUM algorithm
used: 0 times, HIGH algorithm used: 0 times), encryption used: 0 times |
| |
| DBMS_FEATURE_VPD |
| Dependencies |
| DBA_POLICIES |
DBA_SEC_RELEVANT_COLS |
DBMS_UTILITY |
| DBA_POLICY_ATTRIBUTES |
DBA_USERS |
SYS_STUB_FOR_PURITY_ANALYSIS |
|
| Counts Virtual Private Database (Row Level Security) usage |
dbms_feature_vpd(
feature_boolean OUT NUMBER,
aux_count OUT NUMBER,
feature_info OUT CLOB); |
set serveroutput on
DECLARE
i NUMBER;
j NUMBER;
k CLOB;
BEGIN
dbms_feature_vpd(i, j, k);
dbms_output.put_line('1: ' || i);
dbms_output.put_line('2: ' || j);
dbms_output.put_line('3: ' || k);
END;
/
1: 0
2: 0
3: Number of policies=0, Number of enabled policies=0, Number of objects that have VPD policies=0, Number of policies on
SELECT statement=0, Number of policies on INSERT statement=0, Number of policies on UPDATE statement=0, Number of
policies on DELETE statement=0, Number of policies on INDEX statement=0, Number of DYNAMIC policies=0, Number of STATIC
policies=0, Number of SHARED_STATIC policies=0, Number of CONTEXT_SENSITIVE policies=0, Number of
SHARED_CONTEXT_SENSITIVE policies=0, Number of attribute associated CONTEXT_SENSITIVE policies=0, Number of policies with
long predicate=0, Number of COLUMN LEVEL policies=0, Number of COMMON policies=0, Number of INHERITED policies=0 |
| |
| FEATURE_USAGE |
| Dependencies |
| OLS$COMPARTMENTS |
OLS$LEVELS |
OLS$PROFILE |
| OLS$GROUPS |
OLS$POL |
SYS_STUB_FOR_PURITY_ANALYSIS |
| OLS$LAB |
OLS$POLT |
|
|
| Label Security usage |
feature_usage(
feature_boolean OUT NUMBER,
aux_count OUT NUMBER,
feature_info OUT CLOB); |
set serveroutput on
DECLARE
fb NUMBER;
ac NUMBER;
fi CLOB;
BEGIN
lbacsys.feature_usage(fb, ac, fi);
dbms_output.put_line(fb);
dbms_output.put_line(ac);
dbms_output.put_line(fi);
END;
/
0
0
No. of policies=0 |