
Lesson 1: Security Requirements 1-1 Objectives 1-2 Industry-Security Requirements 1-3 Hidden 1-4 Security Standards 1-5 Fundamental Data-Security Requirements 1-6 (hidden) 1-7 Components for Enforcing Security 1-8 Security Risks 1-9 hidden 1-10 Risk Analysis 1-11 Principle of Least Privilege 1-12 Defining a Security Policy 1-13 hidden 1-14 Developing Your Security Policy 1-15 Examining All Aspects of Security 1-16 Implementing a Security Policy 1-17 Defense in Depth 1-18 Hardening the Operating System 1-19 hidden 1-20 Easing Administration 1-21 hidden 1-22 Using a Firewall to Restrict Network Access 1-23 Hardening Oracle Services 1-24 Summary 1-25

Lesson 2: Security Solutions 2-1 Objectives 2-2 Preventing Exploits 2-3 Maintaining Data Integrity 2-4 Data Protection 2-5 Access Control 2-6 Middle-Tier Authentication and Authorization 2-7 Network-wide Authentication 2-8 Summary 2-9

Lesson 3: Internal Database Security 3-1 Objectives 3-2 Database Security: Checklist 3-3 Reducing Administration Effort 3-4 Installing Only What Is Required 3-5 Applying Security Patches 3-6 SYS and SYSTEM Accounts 3-7 SYSOPER and SYSDBA 3-8 Locking and Expiring Default User Accounts 3-9 3-10 Changing Default Account Passwords 3-11 3-12 Enforcing Password Management 3-13 3-14 Protecting the Data Dictionary 3-15 System and Object Privileges 3-16 Restricting the Directories Accessible by the User 3-17 Limiting Users with Administrative Privileges 3-18 Separation of Responsibilities 3-19 3-20 Using Other Database Security Features 3-21 Summary 3-22

Lesson 4: Database Auditing 4-1 Objectives 4-2 Monitoring for Suspicious Activity 4-3 4-4 Audit Tool Comparisons 4-5 Standard Database Auditing 4-6 Specifying Audit Options 4-7 Specifying Audit Options Full Notes Page 4-8 Auditing Sessions 4-9 4-10 Viewing Auditing Options 4-11 Standard Database Auditing 4-12 Viewing Auditing Results 4-13 Auditing the SYSDBA and SYSOPER Users 4-14 Viewing the SYSDBA Audit Trails 4-15 4-16 Value-Based Auditing 4-17 Value-Based Auditing Full Notes Page 4-18 Triggers and Autonomous Transactions 4-19 4-20 Summary 4-21

Lesson 5: Fine-Grained Auditing 5-1 Objectives 5-2 Fine-Grained Auditing (FGA) 5-3 FGA Policy 5-4 (Hidden) 5-5 Triggering Audit Events 5-6 Data Dictionary Views 5-7 DBA_FGA_AUDIT_TRAIL 5-8 5-9 DBMS_FGA Package 5-10 Enabling and Disabling an FGA Policy 5-11 Dropping an FGA Policy 5-12 FGA Usage 5-13 FGA Guidelines Full Notes Page 5-14 Maintaining the Audit Trail 5-15 Selective Audit 5-16 Summary 5-17

Lesson 6: Basic User Authentication 6-1 Objectives 6-2 User Authentication 6-3 User Identified by a Password 6-4 User Identified Externally 6-5 Protecting Passwords 6-6 Restricting Remote Database Authentication 6-7 Fixed Database Links 6-8 Viewing Database Link Passwords 6-9 Database Links Without Credentials 6-10 (hidden) 6-11 Audit Database Links 6-12 Summary 6-13

Lesson 7: Strong Authentication 7-1 Objectives 7-2 Strong User Authentication 7-3 hidden 7-4 Single Sign-On 7-5 Public Key Infrastructure (PKI) Tools 7-6 Certificates 7-7 How to Use Certificates for Authentication 7-8 Configuring SSL on the Server 7-9 Configuring Oracle Net Files on the Server 7-10 Configuring SSL on the Client 7-11 Configuring Oracle Net Files on the Client 7-12 hidden 7-13 Creating a User Identified by Certificate 7-14 Connecting to the Database 7-15 orapki Utility 7-16 How to Use Kerberos for Authentication 7-17 hidden 7-18 How to Use KDC with Windows 2000 for Authentication 7-19 (hidden) 7-20 RADIUS Authentication: Overview 7-21 Summary 7-22

Lesson 8: Enterprise User Security 8-1 Objectives 8-2 Enterprise User Security 8-3 Oracle Identity Management Infrastructure: Default Deployment 8-4 Oracle Database: Enterprise User Security Architecture 8-5 Enterprise User Security (EUS) by Database Version 8-6 Authenticating Enterprise Users 8-7 Setting Up Enterprise User Security 8-9 Installing OracleAS Infrastructure 8-10 Registering the Database 8-11 Creating an Enterprise User 8-12 Creating an Enterprise User in the Directory 8-13 Creating a Schema Mapping Object in the Directory 8-14 Identifying the Enterprise User 8-15 Enabling Current User Database Links 8-16 Creating an Enterprise Role 8-17 Assigning a Global Role to an Enterprise Role 8-18 Assigning an Enterprise User to an Enterprise Role 8-19 User Migration Utility 8-20 Enterprise-User Auditing 8-22 Demonstration 8-23 Summary 8-24

Lesson 9: Proxy Authentication 9-1 Objectives 9-2 Security Challenges of Three-Tier Computing 9-3 Who Is the Real User? 9-4 User Reauthentication 9-5 Common Implementations of Authentication 9-7 Does the Middle Tier Have More Privileges Than Required? 9-9 Implementing Proxy Authentication Solutions 9-10 9-11 Authenticating Database and Enterprise Users 9-12 9-13 Using Proxy Authentication for Database Users 9-14 9-15 Using Proxy Authentication for Enterprise Users 9-16 9-17 Revoking Proxy Authentication 9-18 Application-User Model 9-19 9-20 Data Dictionary Views for Proxy Authentication 9-21 Data Dictionary Views: DBA_PROXIES and USER_PROXIES 9-22 Data Dictionary Views: V$SESSION_CONNECT_INFO 9-23 Auditing Actions Taken on Behalf of the Real User 9-24 9-25 Data Dictionary Views: DBA_STMT_AUDIT_OPTS 9-26 Data Dictionary Views: DBA_AUDIT_TRAIL 9-27 Summary 9-28

Lesson 10: Authorization Methods 10-1 Objectives 10-2 Authorization 10-3 Privileges 10-4 Roles 10-5 Benefits of Roles 10-6 Predefined Roles 10-7 Using Proxy Authentication with Roles 10-8 Securing Objects with Procedures 10-9 Secure Application Role 10-10 Implementing a Secure Application Role 10-11 Step 1: Create the Role 10-12 Step 2.1: Create the Package Specification 10-13 Step 2.2: Create the Package Body 10-14 10-15 Step 3: Grant the EXECUTE Privilege on the Package 10-16 Step 4: Write the Application Server Code That Sets the Role 10-17 Data Dictionary Views 10-18 Summary 10-19 10-20

Lesson 11: Using Application Contexts 11-1 Objectives 11-2 Application Context: Description 11-3 Namespace 11-4 Using the Application Context 11-5 Setting the Application Context 11-6 Application Context Data Sources 11-7 11-8 Implementing a Local Context 11-9 Step 1: Create an Application Context 11-10 11-11 Step 2: Create a PL/SQL Package That Sets the Context 11-12 Step 3: Call the Package 11-13 Step 4: Read the Context Attribute in the Application 11-14 SYS_CONTEXT PL/SQL Function 11-15 Application Context Accessed Globally 11-16 11-17 How the Application Context Accessed Globally Works 11-18 11-19 PL/SQL Packages and Procedures 11-20 11-21 11-22 Implementing the Application Context Accessed Globally 11-23 Step 1: Create the Application Context Accessed Globally 11-24 Step 2: Establish a Session 11-25 Step 3: Handle Subsequent Requests 11-26 Step 4: End a Session 11-27 Data Dictionary Views 11-28 11-29 Guidelines 11-30 11-31 Summary 11-32

Lesson 12: Using Fine-Grained Access Control 12-1 Objectives 12-2 Fine-Grained Access Control: Overview 12-3 12-4 Benefits 12-5 Virtual Private Database 12-6 Examples of the Virtual Private Database 12-7 12-8 How Fine-Grained Access Control Works 12-9 12-10 Tools 12-11 12-12 Oracle Policy Manager 12-13 DBMS_RLS 12-14 12-15 Column-Level VPD 12-16 Column-Level VPD: Example 12-17 Policy Types: Overview 12-18 Static Policies 12-19 Context-Sensitive Policies 12-20 Sharing Policy Functions 12-21 Exceptions to FGAC Policies 12-22 Implementing a VPD 12-23 12-24 Step 3: Write the Function That Creates a Predicate 12-25 12-26 Testing the Security Function 12-27 Writing a Function That Returns Different Predicates 12-28 12-29 Step 4: Create a Policy 12-30 12-31 Partitioned Fine-Grained Access Control 12-32 12-33 Grouping Policies 12-34 Default Policy Group 12-35 12-36 Creating a Driving Context 12-37 12-38 Making the Context a Driving Context 12-39 12-40 Creating a Policy Group 12-41 Adding a Policy to a Group 12-42 12-43 Guidelines 12-44 12-45 Performance: 12-46 12-47 Export and Import 12-48 Policy Views 12-49 12-50 12-51 Checking for Policies Applied to SQL Statements 12-52 Summary 12-53

Lesson 13: Installing Oracle Label Security 13-1 Objectives 13-2 Access Control: Overview 13-3 Discretionary Access Control 13-4 Oracle Label Security 13-5 How Sensitivity Labels Are Used 13-6 Installing Oracle Label Security 13-7 Oracle Label Security: Features 13-8 (hidden) 13-9 Comparing Oracle Label Security and the VPD 13-10 When to Use Oracle Label Security 13-11 Summary 13-12

Lesson 14: Implementing Oracle Label Security 14-1 Objectives 14-2 Implementing the Oracle Label Security Policy 14-3 (hidden) 14-4 Analyzing the Needs 14-5 Creating Policies 14-6 Defining Labels: Overview 14-7 Defining Levels 14-8 Creating Levels 14-9 Defining Groups 14-10 Creating Groups 14-11 Defining Compartments 14-12 Creating Compartments 14-13 Identifying Data Labels 14-14 Creating Data Labels 14-15 Assigning User Authorization Labels 14-16 (hidden) 14-17 Access Mediation 14-18 Administering Labels 14-19 Adding Labels to Data 14-20 Policy-Enforcement Options 14-21 14-22 Applying the Policy to a Table 14-23 Oracle Label Security Privileges 14-24 Example: READ Privilege 14-25 Example: FULL Privilege 14-26 Example: COMPACCESS Privilege 14-27 Using SET_ACCESS_PROFILE 14-28 14-29 Trusted Stored Package Units 14-30 Exporting with Oracle Label Security 14-31 Importing with Oracle Label Security 14-32 Performance Tips 14-33 14-34 Summary 14-35

Lesson 15: Encrypting Table Data 15-1 Objectives 15-2 Overview 15-3 Encryption Issues: Cost 15-4 Encryption Issues: Access Control 15-5 Encryption Issues: Access by Privileged Users 15-6 15-7 Encryption Issues: Do Not Encrypt Everything 15-8 Data Encryption: Challenges 15-9 Encryption Key Management: Key Generation 15-10 Encryption Key Management: Key Modification and Transmission 15-11 Encryption Key Management: Storage 15-12 Storing the Key in the Database 15-13 (hidden) 15-14 Storing the Key in the Operating System 15-15 Letting the User Manage the Key 15-16 Encrypting Special Types of Data 15-17 15-18 Comparing DBMS_CRYPTO with DBMS_OBFUSCATION_TOOLKIT 15-19 DBMS_CRYPTO Package 15-20 15-21 Using ENCRYPT and DECRYPT 15-22 15-23 15-24 Using RANDOMBYTES 15-25 15-26 (hidden) 15-27 Enhanced Security Using the Cipher Block Modes 15-28 Hash and Message Authentication Code 15-29 15-30 15-31 Summary 15-32

Lesson 16: Oracle Net Services: Security Checklists 16-1 Objectives 16-2 Overview: Security Checklists 16-3 Client Checklist 16-4 Securing the Client Computer 16-5 Configuring the Browser 16-6 Configuring the Client 16-7 Using Certificates 16-8 16-9 Network Security: Checklist 16-10 Using a Firewall to Restrict Network Access 16-11 Restricting Network IP Addresses: Valid Node Checking 16-12 16-13 Restricting Network IP Addresses: Guidelines 16-14 Configuring IP Restrictions with Net Manager 16-15 Restricting Open Ports 16-16 Encrypting Network Traffic 16-17 16-18 End-to-End Encryption 16-19 Checksumming 16-20 Oracle Net Services Log Files 16-21 16-22 Summary 16-23

Lesson 17: Securing the Listener 17-1 Objectives 17-2 Listener Security: Checklist 17-3 Restricting the Privileges of the Listener 17-4 (hidden) 17-5 Use the CREATE LIBRARY Privilege Sparingly 17-6 Password Protect the Listener 17-7 17-8 Preventing Online Administration of the Listener 17-9 Administering the Listener Using TCP/IP with SSL 17-10 INBOUND_CONNECT_TIMEOUT 17-11 (hidden) 17-12 Setting Listener Logging Parameters 17-13 (hidden) 17-14 Analyzing Listener Log Files 17-15 (hidden) 17-16 Listener Log Connect: Examples 17-17 17-18 Listener Log Command: Examples 17-19 17-20 Summary 17-21 17-22
