As Published In
Oracle Magazine
November/December 2006

TECHNOLOGY: Inside OCP


Testing Database Security

By Aradhana Puri

Questions and answers on securing your Oracle database by using FGA and VPD

The Oracle Database 10g: New Features for Administrators exam enables Oracle Certified Professionals (OCPs) certified on Oracle9i Database to upgrade their certifications to Oracle Database 10g. This is the only exam OCPs certified on Oracle9i Database need to take to upgrade their certification credentials to Oracle Database 10g.

This column focuses on the fine-grained auditing (FGA) and virtual private database (VPD) features in Oracle Database 10g. FGA, introduced in Oracle9i Database, captures user activities at a very detailed level and helps prevent the need for manual, trigger-based auditing. Introduced in Oracle8i Database, VPD (also known as fine-grained access control) provides powerful row-level security capabilities.

The column presents sample questions you may encounter when taking the Oracle Database 10g: New Features for Administrators OCP exam. Note that the sample question format and the SQL code have been adjusted for presentation in this article.

Fine-Grained Auditing

Auditing is the monitoring and recording of selected user database actions. In Oracle9i Database, FGA enabled recording of row-level changes, along with SCN values, to reconstruct old data. FGA worked for SELECT statements only and not for DML statements such as UPDATE, INSERT, and DELETE. For instance, by using FGA in Oracle9i Database, you could determine that user Smith had updated the SALES table that is owned by SH but you could not see if user Smith had updated the AMOUNT_SOLD column or see the value of the AMOUNT_SOLD column before an update. In Oracle Database 10g, FGA can audit DML statements.

The policies you establish with FGA can monitor data access on the basis of content. Using policies, you can specify the columns and conditions for which you want audit records. Conditions can include limiting the audit to specific types of DML statements used in connection with the columns you specify. You can also provide the name of the routine (such as a PL/SQL procedure or package) you want to be called when an audit event occurs.

Which two statements are correct about the features of FGA in Oracle Database 10g?

A. FGA records are stored in the SYS.FGA_LOG$ table and are accessible through the DBA_FGA_AUDIT_TRAIL view.
B. The EXECUTE privilege on the DBMS_FGA package is needed for administering FGA audit policies.
C. You must enable FGA at the database level by setting the AUDIT_TRAIL initialization parameter.
D. FGA policies cannot be enabled and disabled without loss of the metadata information.

The correct answers are A and B. FGA records are stored in the SYS.FGA_LOG$ table and are accessible through the DBA_FGA_AUDIT_TRAIL view. To administer FGA policies, you require EXECUTE privileges on the DBMS_FGA package. You use the DBMS_FGA.ADD_POLICY interface to define each FGA policy for a table or view, identifying any combination of SELECT, UPDATE, DELETE, and INSERT statements.

Answer C is incorrect because you do not need to set AUDIT_TRAIL to enable fine-grained auditing. Answer D is incorrect because you can temporarily enable or disable FGA policies without losing any metadata information. You can use the DBMS_FGA.ENABLE_POLICY and DBMS_FGA.DISABLE_POLICY procedures to enable and disable audit policies.

You define the following audit policy: 

BEGIN
        dbms_fga.add_policy(
        object_schema => 'HR',
        object_name  => 'EMP',
        policy_name  => 'policy_emp_sal_comm',
        audit_condition  => NULL,
        audit_column  => 'SALARY,COMMISSION_PCT',
        audit_column_opts=> DBMS_FGA.ALL_COLUMNS,
        statement_types => 'SELECT,  UPDATE');
END;

Which SQL statements would be audited as a result of this audit policy? (Choose all that apply.)

A.

 UPDATE hr.emp 
SET SALARY = SALARY+ 4000
WHERE EMP_ID=197;

B.
 UPDATE hr.emp
SET SALARY = SALARY+ 4000,
COMMISSION_PCT = COMMISSION_PCT+ 0.5
WHERE COMMISSION_PCT > 0; 

C.
 SELECT emp_id, salary FROM hr.emp;

D.
 DELETE hr.emp WHERE emp_id = 100;

E.
 SELECT * FROM hr.emp;

The correct answers are B and E. When you specify DBMS_FGA.ALL_COLUMNS for the AUDIT_COLUMN_OPTS parameter, audit trail entries are created only when all the columns specified by the AUDIT_COLUMN parameter are accessed by the operation(s) specified for the STATEMENT_TYPES parameter. Hence, in the example here, an audit trail would be created when either the SELECT or the UPDATE operation is performed on the SALARY column and the COMMISSION_PCT column.

Answer A is incorrect because the UPDATE operation is performed on the SALARY column only. Answer C is incorrect because the SALARY column and the COMMISSION_PCT column are not being queried. Answer D is incorrect because the DELETE operation is not specified for the STATEMENT_TYPES parameter.

You have implemented regular auditing by using the AUDIT command in Oracle Database 10g. Also, you have defined audit policies by using the DBMS_FGA.ADD_POLICY procedure. You are interested in getting a combined view of regular audits as well as the FGA audit trail. What would you do?

A. Execute appropriate procedures in the DBMS_CAPTURE_ADM package
B. Execute appropriate procedures in the DBMS_METADATA package
C. Query the DBA_COMMON_AUDIT_TRAIL data dictionary view
D. Query the UNION of DBA_AUDIT_STATEMENT and DBA_AUDIT_POLICIES

The correct answer is C. The DBA_COMMON_AUDIT_TRAIL data dictionary view is a union of the DBA_AUDIT_TRAIL and DBA_FGA_AUDIT_TRAIL data dictionary views. Note that the DBA_AUDIT_TRAIL view provides audit trail entries and the DBA_FGA_AUDIT_TRAIL displays all audit records for fine-grained auditing.

Answers A and B are incorrect because procedures in the DBMS_CAPTURE_ADM and DBMS_METADATA packages do not provide audit information. Answer D is incorrect because to get combined audit information, you can either query the UNION of the DBA_AUDIT_TRAIL and DBA_FGA_AUDIT_TRAIL data dictionary views or query the DBA_COMMON_AUDIT_TRAIL data dictionary view.

Virtual Private Database

VPD works by transparently modifying requests for data to present a partial view of tables to users, based on a set of defined criteria. When a user directly or indirectly accesses a table, view, or synonym protected by a VPD policy, the server dynamically modifies the SQL statement of the user. The modification creates a WHERE condition (a predicate) returned by a function implementing the security policy. VPD policies can be applied to SELECT, INSERT, UPDATE, INDEX, and DELETE statements. Consider a database user who is allowed to see employee records in the Sales division only. This user issues the following query: 

SELECT * FROM emp;

The function implementing the security policy returns this predicate: division = 'SALES ', and the database transparently rewrites the query. The query actually executed becomes 

SELECT * FROM emp 
WHERE division = 'SALES'; 

To implement VPD, you use the DBMS_RLS package. Alternatively, you can use the Oracle Policy Manager graphical user interface, accessed from Oracle Enterprise Manager, to apply security policies to schema objects.

You added the following VPD policy: 

BEGIN
     dbms_rls.add_policy 
    (object_schema=>'hr',
   object_name => 'employees',
   policy_name => 'hr_policy',
   function_schema => 'hr',
   policy_function => 'hr_pol',
   policy_type => dbms_rls.static,
   sec_relevant_cols => 'sal,comm');
END;

Which statements about this policy are correct? (Choose two.)

A. Oracle Database reevaluates the policy function at statement execution time if it detects context changes since the last use of the cursor.
B. The policy function is not reevaluated for each query on the EMPLOYEES table.
C. The policy is applied to the SELECT statement type only.
D. The policy predicates are cached in the system global area (SGA).

The correct answers are B and D. Note that POLICY_TYPE is specified as static. For a static policy type, the policy functions are executed once and then cached in the SGA. Note that in previous releases, policies were dynamic, which means that the database would run the policy function for each query or DML statement. In addition to dynamic policies, Oracle Database 10g provides static and context-sensitive policies. These policy types provide a means of improving server performance, because they do not always rerun policy functions for each DML statement and can be shared across multiple database objects.

Answer A is incorrect because setting the POLICY_TYPE parameter to CONTEXT_SENSITIVE causes the database to reevaluate the policy function at statement execution time if it detects context changes since the last use of the cursor. Answer C is incorrect because the policy applies to SELECT, INSERT, UPDATE, and DELETE statements when the STATEMENT_TYPES parameter is not specified.

Smith defines a policy as shown here: 

BEGIN
     dbms_rls.add_policy(object_schema =>'scott', 
      object_name=>'emp',
      policy_name => 'sp1', 
      function_schema =>'pol_chk',
      policy_function => 'pf_sal_comm',
      statement_types => 'SELECT',
      sec_relevant_cols => 'sal,comm',
      sec_relevant_cols_opt => 
DBMS.RLS.ALL_ROWS);
END;

Smith specified the SEC_RELEVANT_COLS_OPT parameter of the DBMS_RLS.ADD_POLICY procedure to DBMS_RLS.ALL_ROWS. Smith set the SEC_RELEVANT_COLS_OPT parameter to DBMS_RLS.ALL_ROWS in order to _ _ _ _ _ _ _ _ _

A. Enable the SYS user to see all rows, irrespective of the predicate returned by the policy function
B. Enable any user with the SELECT ANY TABLE privilege to see all rows, irrespective of the predicate returned by the policy function
C. Ensure that the policy is enabled only if the SAL and COMM columns do not have any null values in any rows
D. Implement column masking

Next Steps


 READ "Inside OCP" columns

 LEARN more about the Oracle Certification Program, and download a free exam guide

The correct answer is D. Specifying the SEC_RELEVANT_COLS_OPT parameter of the DBMS_RLS.ADD_POLICY procedure to DBMS_RLS.ALL_ROWS implements VPD column masking. Column masking is a new feature introduced in Oracle Database 10g. VPD column masking behavior is fundamentally different from all other VPD policies, which return only a subset of rows. The column masking behavior returns all rows specified by the user's query, but the sensitive column values appear as NULL.

Answers A, B, and C are incorrect. The SYS user is free of any security policy. You need not set SEC_RELEVANT_COLS_OPT => DBMS_RLS.ALL_ROWS to enable user SYS to see all rows. Setting SEC_RELEVANT_COLS_OPT => DBMS_RLS.ALL_ROWS does not enable a user with the SELECT ANY TABLE privilege to see all the rows irrespective of the predicate returned by the policy function. Also, it does not put any constraint on the policy with respect to the null values in the rows.

Conclusion

Oracle Database 10g provides several enhancements to FGA and VPD. FGA captures user activities at a very detailed level, which helps you avoid manual trigger-based auditing, and combines the trails of standard auditing and FGA. VPD is a very powerful feature with the ability to support a variety of requirements, such as masking columns selectively, based on the policy and applying the policy only when certain columns are accessed.

 


Aradhana Puri (ocpexam_ww@oracle.com) is a manager, Certification Exam Development, at Oracle. She has been with the company since 2000.


Send us your comments