http://www.oracle.com/technology/oramag/oracle/06-nov/o66ocp.

html

Testing Database Security

Questions and answers on securing your Oracle database by using FGA and VPD

The Oracle Database 10g: New Features for Administrators exam enables Oracle Certified
Professionals (OCPs) certified on Oracle9i Database to upgrade their certifications to Oracle
Database 10g. This is the only exam OCPs certified on Oracle9i Database need to take to upgrade
their certification credentials to Oracle Database 10g.

This column focuses on the fine-grained auditing (FGA) and virtual private database (VPD) features
in Oracle Database 10g. FGA, introduced in Oracle9i Database, captures user activities at a very
detailed level and helps prevent the need for manual, trigger-based auditing. Introduced in Oracle8i
Database, VPD (also known as fine-grained access control) provides powerful row-level security
capabilities.

The column presents sample questions you may encounter when taking the Oracle Database 10g:
New Features for Administrators OCP exam. Note that the sample question format and the SQL
code have been adjusted for presentation in this article.

Fine-Grained Auditing

Auditing is the monitoring and recording of selected user database actions. In Oracle9i Database,
FGA enabled recording of row-level changes, along with SCN values, to reconstruct old data. FGA
worked for SELECT statements only and not for DML statements such as UPDATE, INSERT, and
DELETE. For instance, by using FGA in Oracle9i Database, you could determine that user Smith
had updated the SALES table that is owned by SH but you could not see if user Smith had updated
the AMOUNT_SOLD column or see the value of the AMOUNT_SOLD column before an update.
In Oracle Database 10g, FGA can audit DML statements.

The policies you establish with FGA can monitor data access on the basis of content. Using policies,
you can specify the columns and conditions for which you want audit records. Conditions can
include limiting the audit to specific types of DML statements used in connection with the columns
you specify. You can also provide the name of the routine (such as a PL/SQL procedure or package)
you want to be called when an audit event occurs.

Which two statements are correct about the features of FGA in Oracle Database 10g?

A. FGA records are stored in the SYS.FGA_LOG$ table and are accessible through the
DBA_FGA_AUDIT_TRAIL view.
B. The EXECUTE privilege on the DBMS_FGA package is needed for administering FGA audit
policies.
C. You must enable FGA at the database level by setting the AUDIT_TRAIL initialization
parameter.
D. FGA policies cannot be enabled and disabled without loss of the metadata information.

The correct answers are A and B. FGA records are stored in the SYS.FGA_LOG$ table and are
accessible through the DBA_FGA_AUDIT_TRAIL view. To administer FGA policies, you require
EXECUTE privileges on the DBMS_FGA package. You use the DBMS_FGA.ADD_POLICY
interface to define each FGA policy for a table or view, identifying any combination of SELECT,
UPDATE, DELETE, and INSERT statements.

Answer C is incorrect because you do not need to set AUDIT_TRAIL to enable fine-grained
auditing. Answer D is incorrect because you can temporarily enable or disable FGA policies without
losing any metadata information. You can use the DBMS_FGA.ENABLE_POLICY and
DBMS_FGA.DISABLE_POLICY procedures to enable and disable audit policies.

You define the following audit policy:

BEGIN
dbms_fga.add_policy(
object_schema => 'HR',
object_name => 'EMP',
policy_name => 'policy_emp_sal_comm',
audit_condition => NULL,
audit_column => 'SALARY,COMMISSION_PCT',
audit_column_opts=> DBMS_FGA.ALL_COLUMNS,
statement_types => 'SELECT, UPDATE');
END;

Which SQL statements would be audited as a result of this audit policy? (Choose all that
apply.)

A.

UPDATE hr.emp
SET SALARY = SALARY+ 4000
WHERE EMP_ID=197;

B.
UPDATE hr.emp
SET SALARY = SALARY+ 4000,
COMMISSION_PCT = COMMISSION_PCT+ 0.5
WHERE COMMISSION_PCT > 0;

C.
SELECT emp_id, salary FROM hr.emp;

D.
DELETE hr.emp WHERE emp_id = 100;

E.
SELECT * FROM hr.emp;

The correct answers are B and E. When you specify DBMS_FGA.ALL_COLUMNS for the
AUDIT_COLUMN_OPTS parameter, audit trail entries are created only when all the columns
specified by the AUDIT_COLUMN parameter are accessed by the operation(s) specified for the
STATEMENT_TYPES parameter. Hence, in the example here, an audit trail would be created when
either the SELECT or the UPDATE operation is performed on the SALARY column and the
COMMISSION_PCT column.
Answer A is incorrect because the UPDATE operation is performed on the SALARY column only.
Answer C is incorrect because the SALARY column and the COMMISSION_PCT column are not
being queried. Answer D is incorrect because the DELETE operation is not specified for the
STATEMENT_TYPES parameter.

You have implemented regular auditing by using the AUDIT command in Oracle Database
10g. Also, you have defined audit policies by using the DBMS_FGA.ADD_POLICY procedure.
You are interested in getting a combined view of regular audits as well as the FGA audit trail.
What would you do?

A. Execute appropriate procedures in the DBMS_CAPTURE_ADM package

B. Execute appropriate procedures in the DBMS_METADATA package
C. Query the DBA_COMMON_AUDIT_TRAIL data dictionary view
D. Query the UNION of DBA_AUDIT_STATEMENT and DBA_AUDIT_POLICIES

The correct answer is C. The DBA_COMMON_AUDIT_TRAIL data dictionary view is a union of

the DBA_AUDIT_TRAIL and DBA_FGA_AUDIT_TRAIL data dictionary views. Note that the
DBA_AUDIT_TRAIL view provides audit trail entries and the DBA_FGA_AUDIT_TRAIL
displays all audit records for fine-grained auditing.

Answers A and B are incorrect because procedures in the DBMS_CAPTURE_ADM and

DBMS_METADATA packages do not provide audit information. Answer D is incorrect because to
get combined audit information, you can either query the UNION of the DBA_AUDIT_TRAIL and
DBA_FGA_AUDIT_TRAIL data dictionary views or query the DBA_COMMON_AUDIT_TRAIL
data dictionary view.

Virtual Private Database

VPD works by transparently modifying requests for data to present a partial view of tables to users,
based on a set of defined criteria. When a user directly or indirectly accesses a table, view, or
synonym protected by a VPD policy, the server dynamically modifies the SQL statement of the user.
The modification creates a WHERE condition (a predicate) returned by a function implementing the
security policy. VPD policies can be applied to SELECT, INSERT, UPDATE, INDEX, and
DELETE statements. Consider a database user who is allowed to see employee records in the Sales
division only. This user issues the following query:

SELECT * FROM emp;

The function implementing the security policy returns this predicate: division = 'SALES', and the
database transparently rewrites the query. The query actually executed becomes

SELECT * FROM emp

WHERE division = 'SALES';

To implement VPD, you use the DBMS_RLS package. Alternatively, you can use the Oracle Policy
Manager graphical user interface, accessed from Oracle Enterprise Manager, to apply security
policies to schema objects.

You added the following VPD policy:

BEGIN
dbms_rls.add_policy
(object_schema=>'hr',
object_name => 'employees',
policy_name => 'hr_policy',
function_schema => 'hr',
policy_function => 'hr_pol',
policy_type => dbms_rls.static,
sec_relevant_cols => 'sal,comm');
END;

Which statements about this policy are correct? (Choose two.)

A. Oracle Database reevaluates the policy function at statement execution time if it detects context
changes since the last use of the cursor.
B. The policy function is not reevaluated for each query on the EMPLOYEES table.
C. The policy is applied to the SELECT statement type only.
D. The policy predicates are cached in the system global area (SGA).

The correct answers are B and D. Note that POLICY_TYPE is specified as static. For a static policy
type, the policy functions are executed once and then cached in the SGA. Note that in previous
releases, policies were dynamic, which means that the database would run the policy function for
each query or DML statement. In addition to dynamic policies, Oracle Database 10g provides static
and context-sensitive policies. These policy types provide a means of improving server performance,
because they do not always rerun policy functions for each DML statement and can be shared across
multiple database objects.

Answer A is incorrect because setting the POLICY_TYPE parameter to CONTEXT_SENSITIVE

causes the database to reevaluate the policy function at statement execution time if it detects context
changes since the last use of the cursor. Answer C is incorrect because the policy applies to
SELECT, INSERT, UPDATE, and DELETE statements when the STATEMENT_TYPES parameter
is not specified.

Smith defines a policy as shown here:

BEGIN
dbms_rls.add_policy(object_schema =>'scott',
object_name=>'emp',
policy_name => 'sp1',
function_schema =>'pol_chk',
policy_function => 'pf_sal_comm',
statement_types => 'SELECT',
sec_relevant_cols => 'sal,comm',
sec_relevant_cols_opt =>
DBMS.RLS.ALL_ROWS);
END;

Smith specified the SEC_RELEVANT_COLS_OPT parameter of the

DBMS_RLS.ADD_POLICY procedure to DBMS_RLS.ALL_ROWS. Smith set the
SEC_RELEVANT_COLS_OPT parameter to DBMS_RLS.ALL_ROWS in order to _ _ _ _ _ _
___
A. Enable the SYS user to see all rows, irrespective of the predicate returned by the policy function
B. Enable any user with the SELECT ANY TABLE privilege to see all rows, irrespective of the
predicate returned by the policy function
C. Ensure that the policy is enabled only if the SAL and COMM columns do not have any null
values in any rows

D. Implement column masking

Next Steps
The correct answer is D. Specifying the
SEC_RELEVANT_COLS_OPT parameter of the READ "Inside OCP" columns
DBMS_RLS.ADD_POLICY procedure to
DBMS_RLS.ALL_ROWS implements VPD column masking. LEARN more about the
Column masking is a new feature introduced in Oracle Database Oracle Certification Program,
10g. VPD column masking behavior is fundamentally different from and download a free exam
all other VPD policies, which return only a subset of rows. The guide
column masking behavior returns all rows specified by the user's
query, but the sensitive column values appear as NULL.

Answers A, B, and C are incorrect. The SYS user is free of any security policy. You need not set
SEC_RELEVANT_COLS_OPT => DBMS_RLS.ALL_ROWS to enable user SYS to see all rows.
Setting SEC_RELEVANT_COLS_OPT => DBMS_RLS.ALL_ROWS does not enable a user with
the SELECT ANY TABLE privilege to see all the rows irrespective of the predicate returned by the
policy function. Also, it does not put any constraint on the policy with respect to the null values in
the rows.

Conclusion

Oracle Database 10g provides several enhancements to FGA and VPD. FGA captures user activities
at a very detailed level, which helps you avoid manual trigger-based auditing, and combines the
trails of standard auditing and FGA. VPD is a very powerful feature with the ability to support a
variety of requirements, such as masking columns selectively, based on the policy and applying the
policy only when certain columns are accessed.