symantec enterprise security manager modules for oracle
TRANSCRIPT
Symantec™ EnterpriseSecurity Manager Modulesfor Oracle Databases UserGuide for UNIX
Release 5.0 for Symantec ESM 9.0 and10.0 For Solaris, AIX, HP-UX, and RedHat Linux
Symantec™ Enterprise Security Manager Modules forOracle Databases User Guide for UNIX
The software described in this book is furnished under a license agreement andmay be usedonly in accordance with the terms of the agreement.
Documentation version: 5.0
Legal NoticeCopyright © 2011 Symantec Corporation. All rights reserved.
Symantec, the Symantec Logo, ActiveAdmin, BindView, bv-Control, Enterprise SecurityManager, andLiveUpdate are trademarks or registered trademarks of SymantecCorporationor its affiliates in the U.S. and other countries. Other names may be trademarks of theirrespective owners.
The product described in this document is distributed under licenses restricting its use,copying, distribution, and decompilation/reverse engineering. No part of this documentmay be reproduced in any form by any means without prior written authorization ofSymantec Corporation and its licensors, if any.
THEDOCUMENTATIONISPROVIDED"ASIS"ANDALLEXPRESSORIMPLIEDCONDITIONS,REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OFMERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT,ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TOBELEGALLYINVALID.SYMANTECCORPORATIONSHALLNOTBELIABLEFORINCIDENTALOR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING,PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINEDIN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
The Licensed Software andDocumentation are deemed to be commercial computer softwareas defined in FAR12.212 and subject to restricted rights as defined in FARSection 52.227-19"Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights inCommercial Computer Software or Commercial Computer Software Documentation", asapplicable, and any successor regulations. Any use, modification, reproduction release,performance, display or disclosure of the Licensed Software andDocumentation by theU.S.Government shall be solely in accordance with the terms of this Agreement.
Symantec Corporation350 Ellis StreetMountain View, CA 94043
http://www.symantec.com
Printed in the United States of America.
10 9 8 7 6 5 4 3 2 1
Technical SupportSymantec Technical Support maintains support centers globally. TechnicalSupport’s primary role is to respond to specific queries about product featuresand functionality. TheTechnical Support group also creates content for our onlineKnowledge Base. The Technical Support group works collaboratively with theother functional areas within Symantec to answer your questions in a timelyfashion. For example, theTechnical Support groupworkswithProductEngineeringand Symantec Security Response to provide alerting services and virus definitionupdates.
Symantec’s support offerings include the following:
■ A range of support options that give you the flexibility to select the rightamount of service for any size organization
■ Telephone and/or Web-based support that provides rapid response andup-to-the-minute information
■ Upgrade assurance that delivers software upgrades
■ Global support purchased on a regional business hours or 24 hours a day, 7days a week basis
■ Premium service offerings that include Account Management Services
For information about Symantec’s support offerings, you can visit our Web siteat the following URL:
www.symantec.com/business/support/
All support services will be delivered in accordance with your support agreementand the then-current enterprise technical support policy.
Contacting Technical SupportCustomers with a current support agreement may access Technical Supportinformation at the following URL:
www.symantec.com/business/support/
Before contacting Technical Support, make sure you have satisfied the systemrequirements that are listed in your product documentation. Also, you should beat the computer onwhich theproblemoccurred, in case it is necessary to replicatethe problem.
When you contact Technical Support, please have the following informationavailable:
■ Product release level
■ Hardware information
■ Available memory, disk space, and NIC information
■ Operating system
■ Version and patch level
■ Network topology
■ Router, gateway, and IP address information
■ Problem description:
■ Error messages and log files
■ Troubleshooting that was performed before contacting Symantec
■ Recent software configuration changes and network changes
Licensing and registrationIf yourSymantecproduct requires registrationor a licensekey, access our technicalsupport Web page at the following URL:
www.symantec.com/business/support/
Customer serviceCustomer service information is available at the following URL:
www.symantec.com/business/support/
Customer Service is available to assist with non-technical questions, such as thefollowing types of issues:
■ Questions regarding product licensing or serialization
■ Product registration updates, such as address or name changes
■ General product information (features, language availability, local dealers)
■ Latest information about product updates and upgrades
■ Information about upgrade assurance and support contracts
■ Information about the Symantec Buying Programs
■ Advice about Symantec's technical support options
■ Nontechnical presales questions
■ Issues that are related to CD-ROMs or manuals
Support agreement resourcesIf youwant to contact Symantec regarding an existing support agreement, pleasecontact the support agreement administration team for your region as follows:
[email protected] and Japan
[email protected], Middle-East, and Africa
[email protected] America and Latin America
Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Chapter 1 Introducing Symantec ESM modules for OracleDatabases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
About the Symantec ESM modules for Oracle Databases ... . . . . . . . . . . . . . . . . . . 11What you can do with the Symantec ESM modules for Oracle
databases ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12Templates ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12Where you can get more information .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13About the Logging functionality on the Oracle database
modules ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13About the log levels of the messages ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14Creating the configuration file ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15Parameters of the configuration file ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15About the log file ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16Format of the log file ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17About the backup of logs ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Chapter 2 Installing Symantec ESM modules for OracleDatabases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
About installing ESM modules for Oracle Databases ... . . . . . . . . . . . . . . . . . . . . . . . . 19Before you install .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19Minimum account privileges ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20About Oracle account creation scripts ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21System requirements ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23About using parameters in the oraenv.dat file ... . . . . . . . . . . . . . . . . . . . . . . . . . . 26About using an alternate account ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Installing the ESM modules for Oracle databases ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30Running the installation program and registering the files ... . . . . . . . . . 31Silently installing the ESM modules for Oracle databases ... . . . . . . . . . . . 32
Adding configuration records to enable the ESM security checkingfor the Oracle database ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34About configuring SIDs .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Silently uninstalling the ESM modules for Oracle Databases ... . . . . . . . . . . . . . 42Uninstalling the Oracle Application module ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Contents
How to run the uninstallation program .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43About the uninstallation logs ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Chapter 3 About the Symantec ESM Modules for OracleDatabases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
About the Oracle SID Discovery module ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47Configuring theOracle database instances byusing theDiscovery
module ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48Editing default settings ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49Reporting SID Discovery .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
About the Oracle Accounts module ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53Establishing a baseline snapshot ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53Editing default settings ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53Reporting operating system access ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53Reporting user roles ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56Reporting user privileges ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60Reporting user accounts ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64Reporting account changes ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68Reporting account defaults ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
About the Oracle Auditing module ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73Establishing a baseline snapshot ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73Editing default settings ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73Reporting audit status and access ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74Audit reporting methods .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75Reporting statement audits ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76Reporting object audits ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80Reporting privilege audits ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91Audit settings ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95About the Oracle Auditing template ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
About the Oracle Configuration module ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99Editing default settings ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99Reporting Oracle version information .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100Reporting link password encryption .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103Reporting operating system account prefixes ... . . . . . . . . . . . . . . . . . . . . . . . . . 105Reporting parameter values ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
About the Oracle Networks module ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126Editing default settings ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126Reporting SID configuration status ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126Oracle net configuration watch .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127About the Oracle Net Configuration Watch template ... . . . . . . . . . . . . . . . . 129Oracle EXTPROC listeners ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
About the Oracle Objects module ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Contents8
Editing default settings ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139Reporting table privileges ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
About the Oracle Passwords module ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156Editing default settings ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156Specifying check variations .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156Comparing passwords to word lists ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157Detecting well-known passwords .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
About the Oracle Patches module ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162Edit default settings ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163Oracle patches ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163SID info .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
About the Oracle Profiles module ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171Establishing a baseline snapshot ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171Editing default settings ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171Reporting profiles and their limits ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171Reporting CPU limit violations .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175Reporting password violations .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180Profile settings ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188About the Oracle Profiles template ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
About the Oracle Roles module ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191Establishing a baseline snapshot ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192Editing default settings ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192Reporting roles ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192Reporting role privileges ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194Reporting role access ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199Granted roles ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203About the Oracle Roles template ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204Granted privileges ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206About the Oracle System Privileges template ... . . . . . . . . . . . . . . . . . . . . . . . . . . 208
About the Oracle Tablespace module ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210Creating a baseline snapshot ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211Editing default settings ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211Reporting tablespaces ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211Reporting tablespace datafiles ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214Reporting SYSTEM tablespace information .... . . . . . . . . . . . . . . . . . . . . . . . . . . . 219Reporting DBA tablespace quotas ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
9Contents
Introducing Symantec ESMmodules for OracleDatabases
This chapter includes the following topics:
■ About the Symantec ESM modules for Oracle Databases
■ What you can do with the Symantec ESM modules for Oracle databases
■ Templates
■ Where you can get more information
■ About the Logging functionality on the Oracle database modules
About the Symantec ESM modules for OracleDatabases
The Symantec Enterprise Security Manager (ESM) modules for Oracle databasesextend theSymantecESMprotection to your databases. Thesemodules implementthe checks and options that are specific to Oracle databases, to protect them fromexposure to known security problems. The modules may be installed locally onthe Symantec ESM agent that is installed on the same computer where the Oracledatabase resides. You can use the Symantec ESM modules for Oracle database inthe same way that you use for other Symantec ESM modules.
1Chapter
What you can dowith the Symantec ESMmodules forOracle databases
You can use the ESM Application modules to scan the Oracle databases forreporting vulnerabilities, such as weak passwords, patches update, and so on.
You can perform the following tasks using the ESM console:
■ Create a policy.
■ Configure the policy.
■ Create a rules template.
■ Run the policy.
■ Review the policy run.
■ Correct security problems from the console.
■ Create reports.
TemplatesSeveral of the documented modules use templates to store the Oracle databaseparameters and object settings. Differences between the current settings andtemplate values are reported when the modules run. Modules use templates tostore Oracle database parameters and object settings.
Table 1-1 Template name
Predefinedtemplate
Template nameCheck nameModule
oraaudit.oadOracle AuditingAudit settingsOracle Auditing
NAOracle ConfigurationWatch
Oracle configurationwatch
Oracle Configuration
NAOracle NetConfigurationWatch
Oracle netconfiguration watch
Oracle Networks
oraclecriticalobjects.rcoOracle CriticalObjects
Critical ObjectsOracle Objects
oracleobjectprivileges.oopOracle ObjectPrivileges
Object PrivilegesOracle Objects
oraclefw.fwNew File -allNew FileFile Watch
Introducing Symantec ESM modules for Oracle DatabasesWhat you can do with the Symantec ESM modules for Oracle databases
12
Table 1-1 Template name (continued)
Predefinedtemplate
Template nameCheck nameModule
orabin.aixNew File - AIXNew FileFile Watch
orabin.hpxNew File - HP-UXNew FileFile Watch
orabin.liNew File - LinuxNew FileFile Watch
orabin.solNew File - SolarisNew FileFile Watch
orapatch.orpOracle PatchTemplate filesOracle Patches
ora_cpu_psu.orpOracle PatchOracleTemplate filesOracle Patches
NAOracle SystemPrivileges
Granted privilegesOracle Roles
NAOracle RolesGranted rolesOracle Roles
NAOracle ProfilesProfile settingsOracle Profiles
Where you can get more informationFor more information about Symantec ESM modules and Security Updates, seethe latest versions of the SymantecEnterprise SecurityAdministrator’sGuide andthe Symantec ESM Security Update User’s Guide.
Formore information onSymantec Enterprise SecurityManager (ESM), SymantecESMSecurityUpdates, and Symantec ESM support for database products, see theSymantec Security Response Web site at the following URL: Security ResponseWeb site
About the Logging functionality on the Oracledatabase modules
ALogging featurehasbeen introducedon theOracle databasemodules that enablesESMto log the information, such as errors and exceptions, that amodule generatesat the runtime.
13Introducing Symantec ESM modules for Oracle DatabasesWhere you can get more information
About the log levels of the messagesThe log level specifies the type and criticality of a message. You can manuallycreate a configuration file and specify the log level of themessages that youwantto be logged.
ESM checks the log level that you set in the configuration file and stores only thequalifying messages in the log file.
You can specify the following log levels:
Disable logging for the moduleESMNOLOG
All critical failures are logged.
ESM always logs all critical failures irrespective of the loglevel that you specify in the configuration file. However, ifESMNOLOG is specified in the configuration file, ESM doesnot log the critical failures.
ESMCRITICALFAILURES is the default log level and youneednot explicitly specify it in the configuration file.
ESMCRITICALFAILURES
All errors are logged.
The following are some examples of the errors:
■ Template file not found
■ Configuration file not found
ESMERRORS
All exceptions are logged.ESMEXCEPTIONS
All warnings are logged.ESMWARNINGS
All information messages are logged.
The information that is gathered during a policy run is alsologged at this level.
Note: Enabling this level may affect the performance of themodule since all the information messages get logged.
ESMINFORMATION
All debug information is logged.ESMTRACE
All time-consuming operations are logged.ESMPERFMANCETIMING
All audit information is logged.
This level covers the data modification operations such asCorrection and Update.
ESMAUDIT
Includes all log levels except ESMNOLOG.ESMMAXIMUM
Introducing Symantec ESM modules for Oracle DatabasesAbout the Logging functionality on the Oracle database modules
14
You specify the log level using the LogLevel parameter of the configuration file.For example, to log the messages that are related to critical failures, specify thelog level as follows:
[<module>_LogLevel]= ESMCRITICALFAILURES
You can also specifymultiple log levels by separating themwith a pipe (|) characteras follows:
[<module>_LogLevel]= ESMCRITICALFAILURES|ESMPERFMANCETIMING
You can use log levels for specific operations as follows:
ESMCRITICALFAILURES and ESMERRORSFor regular policy runs
ESMCRITICALFAILURES, ESMERRORS,ESMTRACE, and ESMINFORMATION
To generate detailed logs for policyfailure
Creating the configuration fileYou must create a configuration file named esmlog.conf in the<esm_install_dir>/config folder and specify the values that ESMuses to store thelogs of a module.
To create the configuration file
1 Change to the <esm_install_dir>/config folder.
2 Create a new text file and specify the parameters and their values.
3 Save the text file as esmlog.conf.
The following is an example of the entries in the configuration file:
[MaxFileSize] = 1024
[NoOfBackupFile] = 20
[LogFileDirectory] = <esm_install_dir>\system\agentname\logs
[password_LogLevel] = ESMINFORMATION|ESMTRACE
[pwdll_LogLevel] = ESMMAXIMUM
Note: No default configuration file is shipped with the current release. You needto manually create the file and specify the parameters in it.
Parameters of the configuration fileTable 1-2 lists the parameters that you need to specify in the configuration file.
15Introducing Symantec ESM modules for Oracle DatabasesAbout the Logging functionality on the Oracle database modules
Table 1-2 Configuration file parameters
Default valueRange of valuesDescriptionParameter name
1 MB1 MB to 1024 MB (1GB)
Specify themaximum file sizefor the log file in MB
[MaxFileSize]
10 to 20Specify the numberof backup files of logsthat canbe storedpermodule.
For example, if thevalue ofNOOFBACKUPFILEis3, then ESM stores amaximum of 3backup files for themodule.
[NoOfBackupFile]
Theesm/system/tmpdirectory is used onthe Windowsoperating systems.
N/ASpecify the absolutepath to store the logfile and backup logfiles.
[LogFileDirectory]
ESMCRITICALFAILURES(unlessESMNOLOGSis specified)
N/ASpecify the log levelalong with the shortname of the module.
For example, to logall errormessages forthe PasswordStrength module,specify the following:
[password_LogLevel]=ESMERRORS
[<module>_LogLevel]
If the configuration file is not present, ESM considers the default values of all theparameters to store the logs.
About the log fileBy default, ESM stores the log file for a module in the temporary directory of theoperating system. Separate log files are stored for each module.
The log file has the following format:
<module_name>.log
Introducing Symantec ESM modules for Oracle DatabasesAbout the Logging functionality on the Oracle database modules
16
The <module_name> is the short name of the module. For example, the log fileof the Password Strength module is named password.log. The backup file namefor password strength module is named password.log_1.bak and so on.
Note: During the process of logging, ESM locks the log file to store the logginginformation. If the log file is open at that time, the information about the logsmight get lost.
Format of the log fileA log file contains the following fields:
Serial number of the log file entry
The serial number is displayed in hexadecimal format.
The serial number gets reset in the next policy run on themodule.
Serial Number
Thread identifier of the process that generated the messageThread ID
Name of the source file that caused the message to begenerated
Source File Name
Line number in the source file from where the message wasgenerated
Line Number
Date on which the log was createdDate
Time at which the log was createdTime
The actual message that was generated along with the loglevel of that message
Message
About the backup of logsWhen the log file reaches a specified size limit, ESM backs up the log file. Thissize limit is configurable and you can specify it in the MaxFileSize parameter ofthe configuration file.
If the log file reaches the MaxFileSize value, ESM creates a backup of the log filedepending on theNoOfBackupFile value that is specified in configuration file. Forexample, if the NoOfBackupFile value is 0, ESM overwrites the existing log file, ifany, for the module.
17Introducing Symantec ESM modules for Oracle DatabasesAbout the Logging functionality on the Oracle database modules
Introducing Symantec ESM modules for Oracle DatabasesAbout the Logging functionality on the Oracle database modules
18
Installing Symantec ESMmodules for OracleDatabases
This chapter includes the following topics:
■ About installing ESM modules for Oracle Databases
■ Installing the ESM modules for Oracle databases
■ Adding configuration records to enable the ESM security checking for theOracle database
■ Silently uninstalling the ESM modules for Oracle Databases
■ Uninstalling the Oracle Application module
About installing ESM modules for Oracle DatabasesYoucan install the followingSymantecEnterpriseSecurityManager (ESM)modulesfor Oracle on Solaris, HP-UX, RedHat Enterprise Linux, and AIX platforms.
Before you installBefore you install Symantec ESM Modules for Oracle Databases, you must verifythe following:
At least one computer in your networkmust have aCD-ROMdrive.
CD-ROM access
2Chapter
Youmust have access with the root privileges to an accounton each computer where you plan to install the modules.
Account privileges
The Symantec ESM enterprise console must be able toconnect to the Symantec ESM manager.
Connection to the manager
The Symantec ESM agent must be running and registeredwith at least one Symantec ESM manager.
Agent and manager
Minimum account privilegesTable 2-1 lists the minimum privileges that are assigned to the ESMDBA accountif the database instance is configured by using “/ as sysdba”.
Table 2-1 Minimum account privileges assigned to the ESMDBA account
Object privilegesSystem privilegesOracle version
■ sys.dba_data_files
■ sys.dba_indexes
■ sys.dba_obj_audit_opts
■ sys.dba_priv_audit_opts
■ sys.product_component_version
■ sys.dba_profiles
■ sys.dba_role_privs
■ sys.dba_roles
■ sys.dba_stmt_audit_opts
■ sys.dba_sys_privs
■ sys.dba_tab_privs
■ sys.dba_tables
■ sys.dba_tablespaces
■ sys.dba_ts_quotas
■ sys.dba_users
■ sys.dba_temp_files
■ sys.registry$history
■ sys.user$
■ v$controlfile
■ v$instance
■ v$logfile
■ v$parameter
■ v$version
■ v$database
Create session10.x and 11.x
Installing Symantec ESM modules for Oracle DatabasesAbout installing ESM modules for Oracle Databases
20
Table 2-2 lists the minimum privileges that are assigned to the ESMDBA accountif the database instance is configured by using “SYSTEM”:
Table 2-2 Minimum account privileges assigned to the ESMDBA
Object privilegesSystem privilegesOracle version
N/A■ Create session
■ Select any Dictionary
10.x and 11.x
Table 2-3 lists the roles that can be assigned to a pre-created account instead ofassigning the privileges.
Note:Apre-created account is an existing account that youmust create and assignminimum required privileges or roles before the configuration.
To assign object privileges, refer to Table 2-1 . To assign system privileges, referto Table 2-2. To assign minimum privileges, refer to Table 2-3.
Table 2-3 Roles that can be assigned to a pre-created account
System rolesOracle version
■ CONNECT
■ SELECT_ CATALOG_ROLE
10.x and 11.x
Warning: If you use less than the recommended privileges for the accounts thatthe Oracle Application module uses for reporting, then a few checks may notfunction correctly. This could also result in any intentional or unintentionalblocking of themodule's ability to report on the conditions youmay need to knowexists.
About Oracle account creation scriptsThis section contains the scripts that you can use for creating an Oracle user andassigning the required privileges to it. You must create a .sql file, copy the script,and paste in the .sql file. You can then run the file to create a user and use thisuser while configuring the Oracle module.
Note: You can use either of the script to create a user account.
21Installing Symantec ESM modules for Oracle DatabasesAbout installing ESM modules for Oracle Databases
Script for creating a user on Oracle 10.0 or later versionsThis section contains the script that you can use for creating a user with systemand object privileges on Oracle10.0 or later versions.
CREATE USER ESMDBA IDENTIFIED by Rnm2np4 DEFAULT TABLESPACE USERS
TEMPORARY TABLESPACE TEMP PROFILE DEFAULT;
GRANT CREATE SESSION to ESMDBA;
GRANT SELECT on sys.dba_data_files to ESMDBA;
GRANT SELECT on sys.dba_indexes to ESMDBA;
GRANT SELECT on sys.dba_obj_audit_opts to ESMDBA;
GRANT SELECT on sys.dba_priv_audit_opts to ESMDBA;
GRANT SELECT on sys.product_component_version to ESMDBA;
GRANT SELECT on sys.dba_profiles to ESMDBA;
GRANT SELECT on sys.dba_role_privs to ESMDBA;
GRANT SELECT on sys.dba_roles to ESMDBA;
GRANT SELECT on sys.dba_stmt_audit_opts to ESMDBA;
GRANT SELECT on sys.dba_sys_privs to ESMDBA;
GRANT SELECT on sys.dba_tab_privs to ESMDBA;
GRANT SELECT on sys.dba_tables to ESMDBA;
GRANT SELECT on sys.dba_tablespaces to ESMDBA;
GRANT SELECT on sys.dba_ts_quotas to ESMDBA;
GRANT SELECT on sys.dba_users to ESMDBA;
GRANT SELECT on sys.dba_temp_files to ESMDBA;
GRANT SELECT on sys.registry$history to ESMDBA;
GRANT SELECT on sys.user$ to ESMDBA;
GRANT SELECT on v_$controlfile to ESMDBA;
GRANT SELECT on v_$instance to ESMDBA;
GRANT SELECT on v_$logfile to ESMDBA;
GRANT SELECT on v_$parameter to ESMDBA;
GRANT SELECT on v_$version to ESMDBA;
GRANT SELECT on v_$database to ESMDBA;
Installing Symantec ESM modules for Oracle DatabasesAbout installing ESM modules for Oracle Databases
22
Script for assigning system privileges to the user on Oracle10.0 or later versionsThis section contains the script that you can use for system privileges to the userthat you create on Oracle 10.0 or later versions.
CREATE USER ESMDBA IDENTIFIED by Rnm2np4 DEFAULT TABLESPACE USERS
TEMPORARY TABLESPACE TEMP PROFILE DEFAULT;
GRANT CREATE SESSION, SELECT ANY DICTIONARY to ESMDBA;
GRANT SELECT on sys.registry$history to ESMDBA;
GRANT SELECT on v_$version to ESMDBA;
See Table 2-3 on page 21.
System requirementsTable 2-4 lists the operating systems that support the ESM Application modulesfor Oracle on UNIX.
Note:As per Symantec's End of Life product support policy, the ESM Modules forOracle Databases are not supported on ESM 6.0. The support for Oracle version9.0.x has been removed per the End of Support policy of Oracle.
Table 2-4 Supported operating systems for ESM modules on Oracle
OracleESMModule
Operating System
ClientLibraries
TypeVersionTypeVersionTypeArchitectureOS
23Installing Symantec ESM modules for Oracle DatabasesAbout installing ESM modules for Oracle Databases
Table 2-4 Supported operating systems for ESM modules on Oracle (continued)
OracleESMModule
Operating System
32-bit32-bit10.1.0.x,10.2.0.x
32-bit5.232-bitRS6KAIX
64-bit64-bit10.1.0.x,10.2.0.x
64-bit5.264-bitPPC64
64-bit64-bit10.1.0.x,10.2.0.x,11.1.0.6.0,11.2.0.1.0
64-bit5.364-bitPPC64
64-bit64-bit10.1.0.0,10.2.0.0,11.1.0.6.0,11.2.0.1.0
64-bit6.164-bitPPC64
64-bit64-bit10.1.0.0,10.2.0.0,11.1.0.6.0,11.2.0.1.0
64-bit7.164-bitPPC64
64-bit10.1.0.x,10.2.0.x,11.2.0.1.0
32-bit11.1164-bitPARISCHP-UX
64-bit10.1.0.x,10.2.0.x,11.2.0.1.0
32-bit11.2364-bitPARISC
64-bit64-bit10.1.0.x,10.2.0.x,11.1.0.6.0,11.2.0.1.0
64-bit11.2364-bitIA64
64-bit10.1.0.x,10.2.0.x,11.1.0.6.0,11.2.0.1.0
32-bit11.3164-bitPARISC
64-bit64-bit10.1.0.x,10.2.0.x,11.1.0.6.0,11.2.0.1.0
64-bit11.3164-bitIA64
Installing Symantec ESM modules for Oracle DatabasesAbout installing ESM modules for Oracle Databases
24
Table 2-4 Supported operating systems for ESM modules on Oracle (continued)
OracleESMModule
Operating System
64-bit10.1.0.x,10.2.0.x,11.1.0.6.0,11.2.0.1.0
32-bit2.964-bitSPARCSolaris
64-bit10.1.0.x,10.2.0.x,11.1.0.6.0,11.2.0.1.0
32-bit2.1064-bitSPARC
32-bit10.1.0.x,10.2.0.x,11.1.0.6.0,11.2.0.1.0
32-bitES 432-bitx86RHEL
x86_6410.1.0.x,10.2.0.x,11.1.0.6.0,11.2.0.1.0
32-bit5.xx86_64x86_64
Table 2-5 lists the Real Application Clustering (RAC) support on UNIX.
Table 2-5 Real Application Clustering (RAC) support on UNIX
Supported Oracleversions
Supported OSversions
ArchitectureSupportedoperating systems
10.2.0.x, 11.2.0.16.1, 7.1PPC64AIX
11.1.0.6.011.23, 11.31PARISCHP-UX
10.2.0.x, 11.1.0.6.011.31IA64HP-UX
10.2.0.x, 11.1.0.6.02.10SPARCSolaris
10.2.0.3, 11.2.0.14, 5x86Red Hat EnterpriseLinux
Note: For AIX 5.2 (32-bit and 64-bit), install the RS6K agent, and then use theRS6K tpi.
Table 2-6 lists the disk space requirements only for the Symantec ESM Modulesfor Oracle Databases and not for the ESM agents.
25Installing Symantec ESM modules for Oracle DatabasesAbout installing ESM modules for Oracle Databases
Table 2-6 Disk space requirements
Disk spaceAgent operating system
75 MBAIX (RS6K)
95 MBAIX (PPC64)
120 MBHP-UX (PARISC)
75 MBHP-UX (IA64)
96 MBSolaris (SPARC)
82 MBRed Hat Enterprise Linux (x86)
82 MBRed Hat Enterprise Linux (x86_64)
About using parameters in the oraenv.dat fileThis table lists the different parameters that you can use in the oraenv.datfile towork with the Symantec ESM modules for Oracle. The oraenv.dat file is aconfiguration file that stores the configuration parameters that control certainfunctions of theESMmodules. You can create the oraenv.dat file in the /esm/configdirectory, to specify the parameters. If the oraenv.dat file does not exist then thedefault values are used
Note: The parameters only affect the Symantec ESM modules and do not affectthe settings of the Oracle database.
Installing Symantec ESM modules for Oracle DatabasesAbout installing ESM modules for Oracle Databases
26
Table 2-7 Parameters and their usage
ExampleParameter valueDescriptionParametername
configMANAGEORAUSERPASSWORD 1
By default, this parameteris set to 0. To enable, setthe parameter to 1.
When enabled, the ESMOracle modules for Oracledatabase manage thepasswords for thepre-created accounts thatare explicitly configuredwith the respective Oracledatabases.
If you set the parameter to1, then thepassword of thepre-created configuredaccount changesdepending on the valuethat you set for thePassChangedPeriodparameter.
You can use thisparameter to enable thepassword managementfor the pre-createdaccounts.
MANAGEORAUSERPASSWORD
set SHELL /bin/bashYou can set the SHELLenvironment variable byadding the set SHELL/bin/bash entry in theoraenv.dat file.
You can set anenvironment variableduring an ESM Oraclemodule policy run.
SHELL
unset ORA_LANGYou can unset theORA_LANG environmentvariable by adding unsetORA_LANG entry in theoraenv.dat file.
You can use thisparameter to unset anenvironment variableduring an ESM Oraclemodule policy run.
ORA_LANG
configPassCreationLog 1
You can configure thelogging level for passwordcreationbyaddingconfigPassCreationLog 1
entry in the oraenv.datfile.
You can use thisparameter to configurethe logging level forpassword creation.
The default logging levelis 0.
PassCreationLog
27Installing Symantec ESM modules for Oracle DatabasesAbout installing ESM modules for Oracle Databases
Table 2-7 Parameters and their usage (continued)
ExampleParameter valueDescriptionParametername
configPassSpecString $#_
The default specialcharacters are theunderscore (_), plus (+),dash (-), equal to (=),brackets (<>, ()), questionmark (?), asterisk (*),percent (%), hash (#),exclamation mark (!).
You can add thisparameter to theoraenv.dat file as configPassSpecString <specialcharacters>.
You can use thisparameter to specify thespecial characters thatyou can use whilegenerating thepasswordfor the configuredaccount.
PassSpecString
configPassChangedPeriod30
If you do not specify anyvalue then ESM Oracledatabase modulesconsiders 35 days as thedefault value. On policyrun, the password changes35 days before thepassword expiration date.
You can add thisparameter to theoraenv.dat file as configpassChangedPeriod<number of days>.
You can use thisparameter to specify theperiod that you want tochange the password ofthe configured accountbefore the expirationperiod.
PassChangedPeriod
Installing Symantec ESM modules for Oracle DatabasesAbout installing ESM modules for Oracle Databases
28
Table 2-7 Parameters and their usage (continued)
ExampleParameter valueDescriptionParametername
setMinPrivilegeYESIf MinPrivilege is set toYes, then theprivileges areassigned to the ESMDBAaccount if the databaseinstance is configured byusing “/ as sysdba”.
See Table 2-1 on page 20.
The default value is ‘Yes’.
IfMinPrivilege is set toNo,then the privileges areassigned to the ESMDBAaccount if the databaseinstance is configured byusing “/ as sysdba”.
See Table 2-2 on page 21.
Youcanassignminimumprivileges to theESMDBA user. You canuse this parameter onlyif SID is configured byusing the ‘/ as sysdba’method.
MinPrivilege
See “Installing the ESM modules for Oracle databases” on page 30.
About using an alternate accountInitially, to install the ESM modules for Oracle and configure the SIDs on thedatabases, a user was required to log on to the computer as SYSTEM.
An alternate method "/as sysdba" has been introduced in the ESM modules forOracle version 2.7 onwards. Using the "/as sysdba" method, a user can log on tothe Oracle server without providing a user name and password, and configure allSIDs.
The superuser needs to change the ownership of the tpi to enable the other usersto do the installation.
To use the alternate account
1 Log on to the computer as the superuser.
2 Copy esmora.tpi.
3 Change the ownership of esmora.tpi by typing the following command:
chown root: oinstall esmora.tpi
The users of the install group get the superuser privileges to use esmora.tpi.
29Installing Symantec ESM modules for Oracle DatabasesAbout installing ESM modules for Oracle Databases
4 Apply sticky bit to esmora.tpi by typing the following command:
chmod 4750 esmora.tpi
5 Log on to the Oracle server as an Oracle account.
6 Run the tpi and configure the SIDs.
Installing the ESM modules for Oracle databasesThe installation program does the following:
■ Extracts and installs module executables, configuration (.m) files, and thetemplate files.
■ Registers the .m and the template files to the ESM manager by using the ESMagent’s registration program.
■ Launches the esmora.tpi executable to create the ESMDBA account forreporting. The esmorasetup is a configuration utility that is used during theinstallation setup. The password of ESMDBA account is 12 characters longand is generated randomly. The password is encrypted by using the 256-bitAES encryption algorithm and is stored in the /esm/config/oracle.dat file.
■ Auto-generates the password for the ESMDBA account. The ESM modules fortheOracle databases consider the followingparameters during auto-generationof the passwords :
■ PassChangedPeriodThe “PassChangedPeriod” parameter specifies the number of days afterwhich the program automatically changes the password of the configuredaccount. The default days of "PassChangedPeriod" is 35 days. The passwordmust contain at least one uppercase, one lower-case, onenumeric character(0-9), and one special character. The default special characters are theunderscore (_), plus (+), dash (-), equal to (=), brackets (<>), question mark(?), brackets (()), asterisk (*), percent (%), hash (#), and exclamation mark(!).
■ PassSpecStringThe "PassSpecString" parameter specifies the special characters that youcanusewhile generating thepassword for the configured account.Use thisparameter if the config PassSpecString entry is not defined in the/esm/config/oraenv.datfile. If you want to use other special characters,you can also add a parameter "config PassSpecString $#_" entry into the/esm/config/oraenv.dat file before you run esmorasetup configuration.
■ Grants the system privileges based on predefined roles.See Table 2-3 on page 21.
Installing Symantec ESM modules for Oracle DatabasesInstalling the ESM modules for Oracle databases
30
During the policy runs, the ESMDBA account does not create any object in thedatabase.
Note: If you change the password for the pre-created account then you mustmodify the configuration records by using the/esm/bin/<platform>/esmorasetup.exe.
Note:TheESMApplicationmodule should be installed on all theOracle databases,including failover. Themodule doesnot automatically detect the failover databasesunless it is installed and configured on the same.
Running the installation program and registering the filesYou can install the modules on the ESM agent computer by using the esmora.tpiexecutable.
To run the installation program and register the files
1 At the command prompt, type cd <path> to change to the directory thatcorresponds to your vendor/ operating system/architecture/esmora.tpi.
You can also download and copy the esmora.tpi from the Security ResponseWeb site to the desired location.
2 Choose one of the following options:
To display the contents of the package.Option 1
To install the module.Option 2
3 The Do you want to register the template or .m files? message appears. Doone of the following:
■ Type a Y, if the files are not registered with the manager.
■ Type an N, if the files have already been registered.
Note: You must register the template or *.m files at least once with theagent that is installed on the same operating system and is registered tothe same manager.
4 Enter the ESM manager that the agent is registered to.
Usually, it is the name of the computer that the manager is installed on.
31Installing Symantec ESM modules for Oracle DatabasesInstalling the ESM modules for Oracle databases
5 Enter the ESM access name (logon name) for the manager.
6 Enter the name of the agent as it is currently registered to the ESMmanager.
Usually, it is the name of the computer that the agent is installed on.
7 Enter the ESM password that is used to log on to the ESM manager.
8 Enter the network protocol that is used to contact the ESM manager.
9 Enter the port that is used to contact the ESM Manager.
The default port is 5600.
10 The Is this information correct? message appears. Do one of the following:
■ Type a Y, the agent continues with the registration to the ESM manager.
■ Type an N, the setup prompts to re-enter the details of the new manager.
Silently installing the ESM modules for Oracle databasesYou can silently install the ESM Modules for Oracle by using the esmora.tpi.
Table 2-8 lists the command line options for silently installing the ESM modulesfor Oracle.
Table 2-8 Options to silently install the ESM modules for Oracle databases
DescriptionOption
Display thedescription and contents of thisTune-upor third-partyinstallation package.
-d
Install this Tune-up or third-party installation package.-i
Specify ESM access record name.-U
Specify ESM access record password.-P
Specify the TCP Port to use.-p
Specify the ESM manager name.-m
Connect to the ESM manager using TCP.-t
Connect to the ESM manager using IPX.-x
Specify the ESM agent name to use for Re-registration.-g
Installing Symantec ESM modules for Oracle DatabasesInstalling the ESM modules for Oracle databases
32
Table 2-8 Options to silently install the ESM modules for Oracle databases(continued)
DescriptionOption
Do not update the report content file on the ESM manager.
Note: The Report Content File (.rdl) lets you correlate checkmessage mapping between the latest content update and theSymantec ESM manager. The Report Content File is the name ofthe file that is sent from the agent to the manager. You can changethe location of the .rdl or update the content manually from thecommand prompt at anytime. See “Running the installationprogram and registering the files” on page 31.
-N
Update the report content file on the ESM manager.-Y
Do not prompt for and do the re-registration of agents.-K
Specify the Oracle SYSTEM user.-A
Specify the password for Oracle SYSTEM user.-C
Specify the temporary tablespace.
This option is used by the ESMDBAuser. The default value is TEMP.
-T
Specify the default tablespace.
This option is usedby theESMDBAuser. Thedefault value isUSERS.
-S
Specify the user’s profile.
This option is used by the ESMDBA user. The default value isDEFAULT.
-W
Display help on the usage of options that can be used for silentinstallation.
-h
Install the modules without configuring the SIDs.-e
To install the ESM modules for Oracle silently
■ Copy the .tpi to a folder on your computer and at the command prompt, typecd <path> to open the directory.
■ Type the following at the command prompt:./esmora.tpi {-it} {-m} {-U} {-p} {-P} {-g} {Y} {-e}
This command only installs the ESM modules for Oracle. To configure theSIDs for security checking, run esmorasetup from the\esm\bin\<platform>directory.
33Installing Symantec ESM modules for Oracle DatabasesInstalling the ESM modules for Oracle databases
To install the ESM modules for Oracle and configure all SIDs silently
■ Type the following at the command prompt:./esmora.tpi {-it} {-m} {-U} {-p} {-P} {-g} {Y} {-A} {-C} [-T]
[-S] [-W]
To install the ESM modules for Oracle and silently configure without providingthe password string at the command prompt:
■ You can use the shell parameters instead of the actual password strings. Typethe following at the command prompt:
■ export ESMPASS = <esm-password>
■ export ESMORAPASS = <oracle-account-password>
■ If you use the shell parameters during installation and configuration, you donot have to provide the password options. Type the following at the commandprompt:
■ ./esmorasetup -a {SID} –A Pre-created account
■ ./esmora.tpi –it –{-m} {-U} {-p} {-g} {-Y} {-A}
Note: The configuration log file, EsmOraConfig.log is created in the<esm_install_dir>/ system/<system name> folder.
Adding configuration records to enable the ESMsecurity checking for the Oracle database
When the extraction is complete, the installation program prompts you to addESMdatabase configuration records to enable the security checking for the oracledatabase.
To add configuration records
1 The Do you want to continue and add configuration records to enable theESM security checking for the Oracle database? [Yes] message appears. Doone of the following:
■ Type a Y, to continue the installation and connect to the current SID.
■ Type an N, to end the installation without adding the security checks.
2 The Do you want to configure the SID NEWINST for the ESM securitychecks? [Y/N] message appears. Do one of the following:
■ Type an A to connect using the "SYSTEM" account.
Installing Symantec ESM modules for Oracle DatabasesAdding configuration records to enable the ESM security checking for the Oracle database
34
Theprogramprompts you to either connect by using the SYSTEMaccountor by using a pre-created account. A pre-created account is an existingaccount that you must create before the configuration.To connect by using the SYSTEM account, See “To add security checkingusing the default SYSTEM account” on page 35.To connect byusing thepre-created account, See “Toadd security checkingusing a pre-created account” on page 27.
■ Type a B to connect using the "/as sysdba" method.See “To configure Oracle SID by using the /as sysdbamethod” on page 36.
To add security checking using the default SYSTEM account
1 Type the Oracle Home path, or press Enter to accept the default path.
2 Type the SYSTEM account password.
3 Retype the password.
4 Type the name of the temporary tablespace for the ESMDBA user or pressEnter to accept the default name.
5 Type the name of the default tablespace for the ESMDBAuser, or press Enterto accept the default name.
6 Type the name of the profile for the ESMDBA user or press Enter to acceptthe default name.
7 Review the summary information that the installation program displays.Type a Y to begin the installation.
Symantec ESM does the following:
■ Verifies the password.
■ Connects you to the database as a SYSTEM user.
■ Creates an ESMDBA user account in your Oracle database with privilegesto perform security checks.The SYSTEM account password is not stored. The ESMDBA user accountis used to perform security checks.If an ESMDBA account already exists, Symantec ESM drops it, and thenrecreates it.
8 Do one of the following:
■ Type a Y, to add security checking for the next SID.
35Installing Symantec ESM modules for Oracle DatabasesAdding configuration records to enable the ESM security checking for the Oracle database
■ Type an N, to continue without adding security checks to the next SID.
9 Repeat steps 1 through 8 until you have skipped the installation on everySID.
Note: Symantec recommends that you do not change the privileges orpassword of the ESMDBA account. If you change the privileges, then somechecks may not report. If you change the password of the ESMDBA account,then you must configure the Oracle database again. Drop this account onlyif you uninstall the agent from the computer.
To configure Oracle SID by using the /as sysdba method
1 Type the Oracle Home path, or press Enter to accept the default path.
2 Type a Y, to add security checking for the designated SID.
3 Type the name of the temporary tablespace for the ESMDBA user or pressEnter to accept the default name.
4 Type the name of the default tablespace for the ESMDBAuser, or press Enterto accept the default name.
5 Type the name of the profile for the ESMDBA user or press Enter to acceptthe default name.
6 Do one of the following:
■ Type a Y, to configure the next SID.
■ Type an N, to continue without configuring the next SID.
7 Repeat steps 1 through 6 until you have skipped the installation on everySID.
Note: Symantec recommends that you do not change the privileges orpassword of the ESMDBA account. If you change the privileges, then somechecks may not report. If you change the password of the ESMDBA account,then you must configure the Oracle database again. Drop this account onlyif you uninstall the agent from the computer.
If a database ismoved to the restrictedmode after you create anESMDBAaccount,then you must grant the Restricted Session privilege to the ESMDBA account. Ifyou have used a pre-created account to configure a database in the restrictedmode, then grant the Restricted Session privilege to the pre-created account.
Installing Symantec ESM modules for Oracle DatabasesAdding configuration records to enable the ESM security checking for the Oracle database
36
The configuration of the Oracle SIDs that uses the "/as sysdba" method to addsecurity checkingsuses the srvctl utility fromthe<ORACLE_HOME>/bindirectory.For successful configuration of the Oracle SIDs, the srvctl utility should producecorrect output.
You must have a pre-created oracle account to run the ESM security checks inRAC mode. ESMDBA user accounts are not created for RAC. The RAC mode doesnot support the /as sysdba method of configuring the SIDs.
To add security checking using a pre-created account
1 Type the Oracle Home path, or press Enter to accept the default path. Do oneof the following:
■ Type a Y, to continue the installation and connect to the current SID.
■ Type an N, to end the installation without adding the security checks.
2 Type a Y, to configure the designated SID for security checking.
3 Type an A, to configure the SID by using the Oracle database account.
4 Type the Oracle Home path, or press Enter to accept the default path.
5 Type the pre-created Oracle account name.
A pre-created Oracle account, used to perform the security checks, will bechecked for CONNECT and SELECT privileges.
6 Type the pre-created Oracle account password.
7 Retype the password.
8 The installation program prompts you to add the security checking for SID.Type a Y or an N.
Repeat steps 4 through 7 until you have skipped the installation on everySID.
If you configure an instance that is mounted in RAC cluster database mode, youmust use a pre-created account. Otherwise, the esmorasetup program displaysthe following message:
The<SID>instanceismountedinclusterdatabasemode.Topreventconflictingpassword for the ESMDBA account, you need to provide a pre-created logonaccount to be used by the ESM Modules for Oracle Database security checks.Failed to configure Oracle SID <SID>.
To add or update configuration record for a pre-created Oracle account
■ At the command prompt, type the following:esmorasetup -a {SID} [-A{ACCOUNT}] [-P{PASSWORD}] [-H{ORAHOME}]
37Installing Symantec ESM modules for Oracle DatabasesAdding configuration records to enable the ESM security checking for the Oracle database
Predefined Oracle database logon account-A {Account}
Predefined Oracle database logon account password-P {Password}
Oracle home directory-H {OraHome}
To add or update configuration record for a SID created in RAC environment
■ At the command prompt, type the following:esmorasetup -a {SID} -A (Pre-create account) -P {PASSWORD} [-T
{TEMP}] [-S {USERS}] [-W {DEFAULT}
Predefined Oracle database logon account-A {Account}
Predefined Oracle database logon account password-P {Password}
Oracle TEMPORARY table space for ESMDBA user-T {TblSpace}
Oracle DEFAULT table space for ESMDBA user-S {TblSpace}
Oracle PROFILE for ESMDBA user-W {Profile}
Note: You can configure the Oracle SIDs in the RAC environment only by usingpre-created accounts.
About configuring SIDsYou can use the esmorasetup program that is located in the /esm/bin/<platform>directory to add, modify, or remove the Oracle instances on which the securitycheck reports.
Table 2-9 lists the SID configuration options.
Table 2-9 SID configuration options
TypeTo do this
esmorasetupDisplay Help
esmorasetup -a <sid_name>Configure a new SID
esmorasetup - a all [-f <file_name>]Configure all SIDs
esmorasetup -a <sid_name> -f <file name>Configure a new SID using aspecified oratab file
Installing Symantec ESM modules for Oracle DatabasesAdding configuration records to enable the ESM security checking for the Oracle database
38
Table 2-9 SID configuration options (continued)
TypeTo do this
esmorasetup -H <OraHome>Register anOracleHome intoSymantec ESM modules forOracle Databases
esmorasetup -d <SID_name>Remove (delete) a SID
esmorasetup -d allRemove (delete) all SIDs(both using the SYSTEMaccount and “/as sysdba”method)
esmorasetup -R <OraHome>Remove a registered OracleHome from Symantec ESMmodules forOracleDatabases
esmorasetup -a <SID_name> [-f file name>] -A
SYSTEM -P <password> [- H <OraHome>]
Specify an Oracle databaseSYSTEM password
esmorasetup -U all [-f <file name>]Update Oracle home for allregistered SIDs
esmorasetup -U <SID_name> [-f <file name>]
[-H <OraHome>]
Update Oracle home for oneregistered SID
esmorasetup -lList all registered SIDs
esmorasetup -eof <output_file>Specify the file name thatgets created with theencrypted credentials. Youare prompted to provide thecredentials that are stored inthis file in the encryptedformat.
This file can be used toconfigure the Oracle SIDs onany ESM agent computerprovided the encryptedcredentials of the Oracleaccount are the same.
39Installing Symantec ESM modules for Oracle DatabasesAdding configuration records to enable the ESM security checking for the Oracle database
Table 2-9 SID configuration options (continued)
TypeTo do this
esmorasetup -eif <input_file>Specify the file name thatcontains the encryptedcredentials.
While configuring a SIDwith-a option or deleting aconfiguration record with -doption, you can provide thecredentails stored in theencrypted format in a file.
esmorasetup -NSpecify this optionduring theSID configuration, if you donot want to verify the SIDname in the oratab file.
Note: You must specify onein theCheckSIDprocess onlytext box if you want to runthe Oracle SID Discoverymodule after you haveupdated the configurationfile using the –N option. Thedefault value of the text boxis zero. If the text box is setto zero, then the modulereports the instance asretired instance.
For example, to specify an oratab on a SID, with a password, and using theinteractive mode, type the following:
./esmorasetup <-a|-d> <sid_name|all> [-P <SYS_PASSWORD>] [-f
<file_name>]
You can silently change the Oracle instances that are included in security checksby using the esmorasetup program that is installed in the /esm directory.
Table 2-10 lists the Silent SID configuration options.
Installing Symantec ESM modules for Oracle DatabasesAdding configuration records to enable the ESM security checking for the Oracle database
40
Table 2-10 Silent SID configuration options
TypeTo do this
esmorasetup -a {SID} -A
Pre-created account -P {PASSWORD}
[-T {TEMP}] [- S {USERS}][-W
{DEFAULT}] -Q
Configure aSID created inRACenvironmentinto the Symantec ESM modules for OracleDatabases silently using a pre-createdaccount
esmorasetup -a {SID} -eif
<filename> [-T {TEMP}] [- S
{USERS}][-W {DEFAULT}] -Q
Configure a SID into the Symantec ESMmodules for Oracle Databases silently usingthe file name that contains the encryptedcredentials.
esmorasetup -a <SID_name> [-f
<file_name>] -A <account_name> -P
<password> [-H <OraHome>] [-T
<Temp>] [-S <Users>] [-W
<Default>] - Q
Configure a SID silently by connecting to thedatabase as SYSTEM account
esmorasetup -a <SID_name> [-f
<file_name>] -eif <filename> [-H
<OraHome>] [-T <Temp>] [-S
<Users>] [-W <Default>] - Q
Configure a SID silently by connecting to thedatabase as SYSTEM account using the filename that contains the encryptedcredentials.
esmorasetup -a <SID_name> [-f
<file_name>] -A oracle_owner [-H
<OraHome>] [-T <Temp>] [-S
<Users>] [-W <Default>] -Q
Configure a SID silently by connecting to thedatabase by using the “/as sysdba” method
esmorasetup -a ALL -A SYSTEM -P
<password> [-T <Temp>] [-S
<Users>] [- W <Default>] -Q
Configure all SIDs silently by connecting tothe database as SYSTEM account
esmorasetup -a ALL -eif
<filename>[-T <Temp>] [-S <Users>]
[- W <Default>] -Q
Configure all SIDs silently by connecting tothe database using the file name thatcontains the encrypted credentials.
esmorasetup -a ALL -A oracle_owner
[-T <Temp>] [-S <Users>] [-W
<Default>] - Q
Configure all SIDs silently by connecting tothe database by using the “/as sysdba”method
41Installing Symantec ESM modules for Oracle DatabasesAdding configuration records to enable the ESM security checking for the Oracle database
Table 2-10 Silent SID configuration options (continued)
TypeTo do this
esmorasetup -a {SID} -H {ORAHOME}
–N
During the SID configuration, if you do notwant to verify the SID name in the oratabfile, then use –N option.
You can combine –N option with only –a{SID} and –H {ORAHOME} options. You canuse the option during interactive and silentconfiguration.
Note:Youcannotusepre-createdaccountswhenyouperformasilent configurationof the module with the -a ALL option.
Silently uninstalling the ESM modules for OracleDatabases
You can silently uninstall the ESM Modules for Oracle by using theesmorauninstall.
Table 2-11 lists the command line options for silently uninstalling the ESMmodules for Oracle.
Table 2-11 Options to silently uninstall the ESM modules for Oracle Databases
DescriptionOption
Display Help.-h
Specify the file that contains name and credentials of one ormultiple managers that the agent is registered to. Use the -mfileoption to create the file.
-F
Specify to create a file that contains name and credentials of oneor multiple managers that the agent is registered to.
-mfile
Silent mode uninstall. If only -S is specified, then theuninstallation program does not perform re-registration.
-S
Specify the ESM manager name.-m
Specify the agent name as registered to manager.-N
Specify the TCP port to use.-p
Installing Symantec ESM modules for Oracle DatabasesSilently uninstalling the ESM modules for Oracle Databases
42
Table 2-11 Options to silently uninstall the ESM modules for Oracle Databases(continued)
DescriptionOption
Specify the ESM access record name.-U
Specify the ESM access record password.-P
For example: ./esmorauninstall [-h ] [-F {mgrfile}] [-mfile {mgrfile}]
Uninstalling the Oracle Application moduleYou can uninstall all the components of the Oracle Application module that areinstalled on theESMagent computer andunregister themodule fromthemanager.You can uninstall the Oracle Application module using the uninstaller program.
The esmorauninstall executable uninstalls the following components:
■ Application executables
■ .m files of the modules
■ Templates
■ Configuration files
■ Environment configuration files
■ Configuration file with server records
■ Snapshot files
■ Property file
■ Oracle Application module version file
■ Application-specific log file
■ Manifest entries of the Oracle Application module
■ ESM Oracle Application module entry in the agentapp.dat file
How to run the uninstallation programYou can uninstall the Oracle Application modules on the ESM agent computer byusing the esmorauninstall executable.
43Installing Symantec ESM modules for Oracle DatabasesUninstalling the Oracle Application module
To uninstall the Oracle Application module
1 At the command prompt, type cd <path> to open the directory thatcorresponds to vendor/bin/operating system/esmorauninstall.
The program first checks for the version of the installed register binary. Theregister binary that is required touninstall theESMOracleApplicationModulemust be of version 10.0.285.10003 or later. If the program does not find therequired version, it reports an error and aborts the uninstallation process.You canuse the ./register -Q command to check the version of the registerbinary.
2 The This will uninstall the application module permanently. Do you wantto continue? [yes] message appears. Do one of the following:
■ Type a Y, if you want to continue with the uninstallation.
■ Type an N, if you want to exit.
3 The Do you want to register the agent to the manager after uninstallation?[yes] message appears. Do one of the following:
■ Type a Y, if you want to register the agent to the manager.The program informs the manager about the uninstallation of the OracleApplication module from the agent computer that is registered to it.
■ Type an N, if you do not want to register the agent to the manager.
4 Enter the ESM manager that the agent is registered to.
Usually, it is the name of the computer that the manager is installed on.
5 Enter the name of the agent as it is currently registered to the ESMmanager.
Usually, it is the name of the computer that the agent is installed on.
6 Enter the ESM access name (logon name) for the manager.
7 Enter the ESM password that is used to log on to the ESM manager.
8 Re-enter the password.
9 Enter the port that is used to contact the ESM Manager.
The default port is 5600.
10 The Is this information correct? message appears. Do one of the following:
■ Type a Y, the agent continues with the registration to the ESM manager.
■ Type an N, the setup prompts to re-enter the details of the new manager.
Installing Symantec ESM modules for Oracle DatabasesUninstalling the Oracle Application module
44
Note:Theuninstaller programvalidates themanager namewith themanagername that is present in the manager.dat file. If the manager name does notmatch, the program reports a message, Specified manager is not found inmanager.dat file. Skipping re-registration for <manager name>.
11 The Would you like to add registration information of another manager?[no] message appears. Do one of the following:
■ Type a Y, the agent continues with the registration of another manager.
■ Type an N, the agent is successfully registered to the manager.
Note: If the uninstallation fails, thenESMrolls-back the uninstallation action andbrings back the agent to its original state.
About the uninstallation logsThe uninstaller creates a log file for you to know about the changes that theuninstaller program performed. The log file, ESM_Oracle_Uninstall.log is storedin the system folder. The specified folder is located at:<esm_install_dir>/ESM/system/<Host_Name>. The uninstaller programautomatically creates the log file and captures the uninstallation events and errorsin it.
45Installing Symantec ESM modules for Oracle DatabasesUninstalling the Oracle Application module
About the Symantec ESMModules for OracleDatabases
This chapter includes the following topics:
■ About the Oracle SID Discovery module
■ About the Oracle Accounts module
■ About the Oracle Auditing module
■ About the Oracle Configuration module
■ About the Oracle Networks module
■ About the Oracle Objects module
■ About the Oracle Passwords module
■ About the Oracle Patches module
■ About the Oracle Profiles module
■ About the Oracle Roles module
■ About the Oracle Tablespace module
About the Oracle SID Discovery moduleChecks in this module report the following information:
■ Detects new Oracle database instances.
3Chapter
■ Reports deleted Oracle database instances.
■ Provides an option to automatically configure the newly discovered Oracledatabase instances.
■ Provides an option to automatically remove the deleted Oracle databaseinstances that are still configured.
Note: The Oracle SID Discovery is a host-based module.
Configuring the Oracle database instances by using the Discoverymodule
The ESM Oracle Discovery module is a host-based module that automates theprocess of detection and configuration of new database instances that are not yetconfigured on the local ESM agent computers. The ESMOracle Discoverymodulealso detects the deleted database instances that are still configured on the ESMagent computers. TheESMOracleDiscoverymodule lets youdelete theuninstalleddatabase instances from the ESM agent computers.
Configuring a new Oracle database instanceTo report on the Oracle database instance, you should first configure the Oracledatabase instance on an ESM agent computer.
To configure a new Oracle database instance
1 Run the Discovery module on the ESM agent computers that have Oracledatabase installed.
The module lists all the new database instances that were not previouslyconfigured.
2 Select multiple database instances and do one of the following:
■ Right-click, select Correction option, and enter your system account orpre-created account credentials.The Correction option configures the database instances with SYSTEMaccount credentials or pre-created account credentials.
■ Right-click and select Snapshot Update option.The Snapshot Update option configures the database instance with / asSYSDBA method.
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle SID Discovery module
48
Note: The / as SYSDBA method does not work in case of Oracle Real ApplicationCluster (RAC). You must use the correct option and specify pre-created accountcredentials.
Editing default settingsUse the checks in this group to edit the default settings for all the security checksin the module.
Temporary TablespaceYou canuse this option to enter the temporary tablespace name in theTemporaryTablespace text box. If the tablespace that you specify does not exist in thedatabase, then the module uses the default temporary tablespace to create theESMDBA account.
Default TablespaceYou can use this option to enter the default tablespace name in the DefaultTablespace text box. The check reports an error message if the tablespace thatyou specify does not exist in the database. However, the check continues with theconfiguration of the rest of the SIDs.
ProfileYou can use the name list in this check to provide the profile name and thepassword parameters. If the profile that you specify exists in the database, thenthe module uses the existing profile. If the profile that you specify does not existin the database, then the module creates a new profile with the parameters thatyou specify in the name list.
Following are the default values of the profile name and the password parameters:
■ PROFILE=DEFAULT
■ FAILED_LOGIN_ATTEMPTS=DEFAULT
■ PASSWORD_GRACE_TIME=DEFAULT
■ PASSWORD_LIFE_TIME=DEFAULT
■ PASSWORD_LOCK_TIME=DEFAULT
■ PASSWORD_REUSE_MAX=DEFAULT
■ PASSWORD_REUSE_TIME=DEFAULT
■ PASSWORD_VERIFY_FUNCTION=DEFAULT
49About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle SID Discovery module
Reporting SID DiscoveryThe Symantec ESM module for Oracle SID Discovery includes four checks thatlet you automate the detection and the configuration of the oracle databaseinstances on the host computer.
You can use the Symantec ESM module for Oracle SID Discovery to detect andconfigure newly detected database instances and the database instances that havebeen uninstalled.
Detect New InstanceThis check reports the instances that are newly discovered on the ESM agentcomputers and which are not configured in the ESM Oracle configuration file.These instances should be present in the oratab file and the correspondingOracleservice of the instances should also be available.
This check lets you use the Correct and the Snapshot Update options from theconsole.
With the Correct option, you can configure the database instance by using theSYSTEMaccount or a pre-created account.With the SnapshotUpdate option, youcan configure the database instance by using the /as sysdba method. You cancheck the EsmOraConfig.log file for details.
The following table lists the messages for the check.
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle SID Discovery module
50
Table 3-1 Messages for Detect New Instance
AdditionalInformation
Message TitleandDescription
Platform andMessageNumeric ID
Message String ID andCategory
Severity:yellow-1
Correctable: true
SnapshotUpdatable: true
TemplateUpdatable: false
InformationField Format:[%s]
Title: NewInstance
Description: Anew instancehas beendetected on thelocal computer.To configure thenewly detectedinstance, eitheruse the Updateoption toconfigure usingSYSDBAmethodor use theCorrect option toprovide theappropriatelogoncredentials.
■ UNIX(31831)String ID:ESM_ORACLE_NEW_INSTANCE_DETECTED
Category: ESM AdministrativeInformation
Severity:yellow-1
Correctable:false
SnapshotUpdatable: false
TemplateUpdatable: false
InformationField Format:[%s]
Title: AddedNew Instance
Description: Anew serverinstance hasbeen detected.Theconfigurationrecord for thenewly detectedinstance hasbeensuccessfullyadded to theconfigurationfile.
■ UNIX(31832)String ID:ESM_ORACLE_NEW_INSTANCE_ADDED
Category: ESM AdministrativeInformation
51About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle SID Discovery module
Table 3-1 Messages for Detect New Instance (continued)
AdditionalInformation
Message TitleandDescription
Platform andMessageNumeric ID
Message String ID andCategory
Severity:yellow-1
Correctable: true
SnapshotUpdatable: true
TemplateUpdatable: false
InformationField Format:[%s]
Title: Failed toAdd NewInstance
Description: Themodule failed toadd a record intheconfigurationfile for the newinstance thatwas detectedusing theSYSDBAmethod. Use theCorrect optionorUpdateoptionfor configuringthe newlydetectedinstance.
■ UNIX(31833)String ID:ESM_ORACLE_ADD_INSTANCE_FAILED
Category: ESM AdministrativeInformation
Automatically Add New InstanceThis check automatically configures all the newly detected instances. This checkworks with the Detect New Instance check. You can use this check to automatethe module to connect to each newly detected database instance by using the / assysdba method. In case of a successful connection, the module configures theinstance by adding entry in the oracle.dat file.
An error message displays if the module fails to connect to the newly detecteddatabase instance byusing the / as sysdbamethod. You can right-click themessageand click Correct to connect to the newly detected database instance. You haveto use the SYSTEM or pre-created account credentials to connect to the newlydetected database instance.
Note: This check does not work in case of Oracle Real Application Cluster (RAC).You must use the correct option and specify pre-created account credentials.
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle SID Discovery module
52
Automatically Delete Retired InstanceThis check works with the Detect Retired Instance check and automaticallydeletes the corresponding retired server records from the configuration file. Youcan use this check to automate the module, to detect the uninstalled databaseinstances or to detect the instances that are unavailable, and then to delete thecorresponding entries from the oracle.dat file.
About the Oracle Accounts moduleThis module checks for the user accounts based on the options that you havespecified.
Establishing a baseline snapshotTo establish a baseline snapshot file, run the Symantec ESM module for Oracleaccounts once. Periodically rerun the module to detect changes and update thesnapshot when appropriate.
Automatically update snapshotsEnable this check to automatically update the snapshots with the currentinformation.
Editing default settingsThemodule forOracle accounts includes one option that you canuse to edit defaultsettings for all security checks in the module.
Oracle system identifiers (SIDs)Use the name list to include or exclude the Oracle system identifiers (SIDs) forthis check. By default, the check examines all the SIDs that you specify when youconfigure the Symantec ESM modules for the Oracle databases. The SymantecESM modules for Oracle databases configuration are stored in/esm/config/oracle.dat file.
Reporting operating system accessThe OS administrators have exceptional privileges. Some users can access thedatabase directly from the operating system without the protection of Oracleauthentication. Both the user groups should be monitored to ensure that yourcomputers are protected. The checks in this group monitor these users.
53About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Accounts module
Users to skip in OS DBA groupsUse the name list to exclude the users for the Users in OSDBA groups check. Bydefault, all users in each group are included.
Users in OS DBA groupsThis check reports theuserswhocanconnect to adatabase as INTERNAL, SYSDBA,or SYSOPER. The check also reports users who connect as members of ORA_DBAand ORA_OPER groups.
Use the name list to exclude the users (usually administrators) and include theOS database administrator groups for this check.
Symantec recommends that you remove the unauthorized users from theOSDBAgroups.
The following table lists the message for the check.
Table 3-2 Message for Users in OS DBA groups
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: red-4
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title:User inOSDBAgroup
Description:Theusercan connect to thedatabase asINTERNAL,SYSDBA,or SYSOPER, andstart your database,shut it down, andperform othersystemoperations. Ifthe user is not anauthorizedadministrator,remove theuser fromthe OS DBA group.
■ UNIX (30130)String ID: ORA_UNAUTHORIZED_INTERNAL
Category: PolicyCompliance
OS authenticated usersThis check reports the users who are authenticated only by the operating system,without Oracle authentication. Use the name list to exclude the users for thischeck.
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Accounts module
54
In a testing or a development environment, you can log on to Oracle databasewithout providing a user name and password; however, Symantec recommendsthat you must not follow this method of authentication on a productionenvironment. We also recommend that you change the user’s passwordauthentication from external to local and enable the Oracle authentication to addanother level of security.
The following table lists the message for the check.
Table 3-3 Message for OS authenticated users
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: yellow-1
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Userauthenticated by OSonly
Description:Theuseris authenticated onlyby the operatingsystem and can logon to Oracle withoutproviding a username and password.Require Oracleauthentication to addanother level ofsecurity.
■ UNIX (30132)String ID:ORA_USER_AUTHORIZED_EXTERNAL
Category: PolicyCompliance
Globally authenticated usersThis check reports theusers that are authenticatedglobally bySSL,whosedatabaseaccess is through global roles, authorized by an enterprise directory. Use theUsers to Skip name list to exclude the users from reporting.
A centralized directory service, which is outside of the database, manages theusers without Oracle authentication. You require Oracle user authentication foradditional identity verification.
The following table lists the message for the check.
55About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Accounts module
Table 3-4 Message for Globally authenticated users
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: yellow-1
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Userauthenticatedglobally
Description:Theuseris authenticated bySSL and themanagement of thisuser is done outsideof the database bythe centralizeddirectory service.Theuser can log on toOracle databasewithout providing auser name andpassword. Usersrequire Oracleauthentication to addone more level ofsecurity.
■ UNIXString ID:ORA_USER_AUTHORIZED_GLOBAL
Category: PolicyCompliance
Reporting user rolesThe checks in this group report the roles that have been directly granted to theusers or revoked from the users and the associated user names. Nested roles arenot reported.
RolesUse thename list to exclude or include the roles for theDirectly-grantedrolesandGrantable roles checks to report on.
Grantable rolesThis check reports the user names with permissions to grant roles to other users.Use the name list to exclude users for this check.
Symantec recommends that you revoke the grantable roles from any user who isnot authorized to grant it. Periodically, you can review all the userswith grantableroles to ensure that they are currently authorized to grant their grantable roles.
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Accounts module
56
The following table lists the message for the check.
Table 3-5 Message for Grantable roles
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: green-0
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Grantable role
Description:Theusercan grant the role.Verify that the useris authorized to grantthe role.
■ UNIX (30146)String ID:ORA_GRANTABLE_ROLE
Category: SystemInformation
Deleted directly granted rolesThis check reports the user names with the directly-granted roles that wererevoked or dropped after the last snapshot update. The check does not report theroles that are nested within the directly-granted role and are deleted or revoked.Use the name list to exclude the users for this check.
If the deletion is authorized, Symantec recommends that you either update thesnapshot or restore the role to the user.
The following table lists the message for the check.
57About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Accounts module
Table 3-6 Message for Deleted directly granted roles
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: yellow-1
Correctable: false
Snapshot Updatable:true
Template Updatable:false
Information FieldFormat: [%s]
Title: Role deletedfrom user
Description: Thedirectly granted userrole that is reportedin the User Role fieldwas dropped fromthe database orrevoked from theuser after the lastsnapshot update.Roles within thedirectly granted rolewere also deleted orrevoked. If thedeletion orrevocation isauthorized, updatethe snapshot. If thedeletion orrevocation is notauthorized, restorethe role to the user.
■ UNIX (30138)String ID:ORA_USER_ROLE_DELETED
Category: ChangeNotification
New directly-granted rolesThis check reports the user names with the roles that were directly granted tothem after the last snapshot update. The check does not report the roles that arenested in directly-granted roles. Use the name list to exclude users for this check.
If the user is authorized, Symantec recommends that you either update thesnapshot or revoke it from the users.
The following table lists the message for the check.
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Accounts module
58
Table 3-7 Message for New directly granted roles
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: yellow-1
Correctable: false
Snapshot Updatable:true
Template Updatable:false
Information FieldFormat: [%s]
Title: New roledirectly granted touser
Description:Theuserrole was directlygranted after the lastsnapshot update. Iftheuser is authorizedfor the role, updatethe snapshot. If theuser is notauthorized for therole, revoke the role.
■ UNIX (30136)String ID:ORA_USER_ROLE_ADDED
Category: ChangeNotification
Directly-granted rolesThis check reports the roles that have been directly granted to the users. The rolesthat were nested in the directly-granted roles are deleted, but are not reported.Use the name list to exclude the users for this check.
Symantec recommends that periodically you review this check to ensure that theusers with the directly-granted roles are authorized. Based on the results, youcan revoke inappropriately directly-granted roles.
The following table lists the message for the check.
59About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Accounts module
Table 3-8 Message for Directly granted roles
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: green-0
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Role directlygranted to user
Description:Theuserhas been directlygranted the role thatis reported in theUser Role field.Verify that the role isappropriate for theuser'sresponsibilities.
■ UNIX (30133)String ID:ORA_PRIVILEGE_LIST_ROLES
Category: SystemInformation
Reporting user privilegesThe checks in this group report the users with grantable privileges and theprivileges that have been directly granted to users or revoked from the users.
PrivilegesUse the name list to include or exclude the systemprivileges for theGrantableandDirectly-granted privileges checks to report on.
Grantable privilegesThis check reports the users with the privileges that they can directly grant. Usethe name list to exclude the users for this check.
Symantec recommends that you revoke the privilege from any user who is notauthorized to grant it. Periodically, you must review the grantable privileges toensure that users are currently authorized to grant their grantable privileges.
The following table lists the message for the check.
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Accounts module
60
Table 3-9 Message for Grantable privileges
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: green-0
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Grantableprivilege
Description:Theusercan grant theprivilege to others.Verify that the useris authorized to grantthis privilege.
■ UNIX (30145)String ID:ORA_GRANTABLE_PRIV
Category: SystemInformation
Directly-granted privilegesThis check reports the users with the system privileges that have been directlygranted to them. Use the name list to exclude users for this check. Generally, toreduce maintenance the privileges are often granted in roles.
Symantec recommends that you revoke the privilege from any user who is notauthorized for it.
The following table lists the message for the check.
61About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Accounts module
Table 3-10 Message for Directly granted privileges
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: green-0
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Privilegedirectly granted
Description:Theuserhas been directlygranted the privilegethat is reported inthe User Privilegefield. Verify that theuser is authorized forthe privilege andconsider whether arole should becreated or redefinedto include theprivilege.
■ UNIX (30134)String ID:ORA_PRIVILEGE_LIST_DIRECT
Category: SystemInformation
New directly-granted privilegesThis check reports the userswith the privileges thatwere directly granted to themafter the last snapshot update. Use the name list to exclude the users for thischeck. Generally, to reducemaintenance the privileges are often granted in roles.
If the user is authorized for this privilege, Symantec recommends that you eitherupdate the snapshot or revoke the privilege.
The following table lists the message for the check.
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Accounts module
62
Table 3-11 Message for New directly granted privileges
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: yellow-1
Correctable: false
Snapshot Updatable:true
Template Updatable:false
Information FieldFormat: [%s]
Title: New privilegegranted to user
Description:Theuserwas directly grantedthe privilege that isreported in the UserPrivilege field afterthe last snapshotupdate. If the user isauthorized for thisprivilege, update thesnapshot. If the useris not authorized forthis privilege, revokethe privilege.
■ UNIX (30137)String ID:ORA_USER_PRIV_ADDED
Category: ChangeNotification
Deleted directly-granted privilegesThis check reports theuserswith the directly-grantedprivileges thatwere revokedor dropped after the last snapshot update. Use the name list to exclude the usersfor this check.
If the deletion is authorized, Symantec recommends that you either update thesnapshot or restore the privilege.
The following table lists the message for the check.
63About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Accounts module
Table 3-12 Message for Deleted directly granted privileges
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: yellow-1
Correctable: false
Snapshot Updatable:true
Template Updatable:false
Information FieldFormat: [%s]
Title: Privilegedeleted from user
Description: Thedirectly grantedprivilege that isreported in the UserPrivilege field wasdropped from thedatabase or revokedfrom the user afterthe last snapshotupdate. Privilegeswithin the directlygranted privilegewere also deleted orrevoked. If thedeletion isauthorized, updatethe snapshot. If thedeletion is notauthorized, restorethe privilege to theuser
■ UNIX (30139)String ID:ORA_USER_PRIV_DELETED
Category: ChangeNotification
Reporting user accountsThe checks in this group report the database accounts that are current, new,active, inactive, and deleted.
Database accountsThis check reports the user accounts, their tablespaces, and account creationdates. Use the name list to exclude the users for this check.
Symantec recommends that you delete any unauthorized or out-of-date accounts.Periodically, you must review the database accounts to ensure that the databaseaccounts and their tablespaces are currently authorized.
The following table lists the message for the check.
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Accounts module
64
Table 3-13 Message for Database accounts
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: green-0
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Databaseaccount
Description:Theuseraccount is reportedwith its tablespaceand date that theaccount was created.Verify that theaccount is currentlyauthorized. Dropunauthorized or outof date accounts.
■ UNIX (30140)String ID:ORA_USER_ACCT
Category: SystemInformation
New database accountsThis check reports the user accounts that were added to the database after thelast snapshot update. Use the name list to exclude the users for this check.
If the new account is authorized, Symantec recommends that you either updatethe snapshot or delete it.
The following table lists the message for the check.
65About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Accounts module
Table 3-14 Message for New database accounts
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: yellow-1
Correctable: false
Snapshot Updatable:true
Template Updatable:false
Information FieldFormat: [%s]
Title: New databaseaccount
Description:Theuseraccountwas added tothe database afterthe last snapshotupdate. If the newaccount isauthorized, updatethe snapshot. If thenew account is notauthorized, drop theaccount.
■ UNIX (30141)String ID:ORA_USER_ACCT_ADDED
Category: ChangeNotification
Active database accountsThis check reports active user accountswith their tablespaces, profile, and accountcreation date. Periodically, youmust review the user accounts to ensure that theyare current and authorized.
The following table lists the message for the check.
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Accounts module
66
Table 3-15 Message for Active database accounts
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: green-0
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Active databaseaccount
Description: Theactive user account isreported with itstablespaces, profile,and date that theaccount was created.Verify that theaccount is currentlyauthorized. Dropunauthorized or outof date accounts.
■ UNIX (30151)String ID:ORA_ACTIVE_USER_ACCT
Category: PolicyCompliance
Inactive database accountsThis check reports the inactive user accounts with their inactive status, date, andaccount creation date. Periodically, you must review the user accounts to ensurethat they are current and authorized.
The following table lists the message for the check.
Table 3-16 Message for Inactive database accounts
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: green-0
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Inactivedatabase account
Description: Theinactive user accountis reported with itsinactive status anddate that the accountwas created. Verifythat the account iscurrently authorized.Dropunauthorizedorout of date accounts.
■ UNIX (30150)String ID:ORA_INACTIVE_USER_ACCT
Category: PolicyCompliance
67About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Accounts module
Deleted database accountsThis check reports the user accounts that were deleted after the last snapshotupdate. Use the name list to exclude the users for this check.
If the deletion is authorized, Symantec recommends that you either update thesnapshot or restore the account.
The following table lists the message for the check.
Table 3-17 Message for Deleted database accounts
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: yellow-1
Correctable: false
Snapshot Updatable:true
Template Updatable:false
Information FieldFormat: [%s]
Title: Deleteddatabase account
Description:Theuseraccountwas droppedfrom the databaseafter the lastsnapshot update. Ifthe deletion isauthorized, updatethe snapshot. If thedeletion is notauthorized, restorethe account.
■ UNIX (30142)String ID:ORA_USER_ACCT_DELETED
Category: ChangeNotification
Reporting account changesThe checks in this group report the changes to the tablespace assignments andthe creation dates.
Database account tablespace changedThis check reports the accounts with the default tablespaces that were changedafter the last snapshot update. Use the name list to exclude the users for thischeck.
If the change is authorized, Symantec recommends that you either update thesnapshot or restore the tablespace.
The following table lists the message for the check.
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Accounts module
68
Table 3-18 Message for Database account tablespace changed
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: yellow-1
Correctable: false
Snapshot Updatable:true
Template Updatable:false
Information FieldFormat: [%s]
Title: Databaseaccount tablespacechanged
Description: Theuser's tablespacechangedafter the lastsnapshot update.Verify thattablespace resourcesare adequately andefficiently allocated.If the change isauthorized, updatethe snapshot. If thechange is notauthorized, restorethe tablespace.
■ UNIX (30143)String ID:ORA_USER_ACCT_TABLESPACE
Category: ChangeNotification
Database account creation date changedThis check reports the database accounts with the creation dates that changedafter the last snapshot update. The change in the creation date indicates that theuser account has been deleted and recreated. When a user account is deleted, alldata that is associated with it can also be deleted. Use the name list to exclude theusers for this check.
If the change is authorized, Symantec recommends that you either update thesnapshot or drop the account.
The following table lists the message for the check.
69About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Accounts module
Table 3-19 Message for Database account creation date changed
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: yellow-1
Correctable: false
Snapshot Updatable:true
Template Updatable:false
Information FieldFormat: [%s]
Title: Databaseaccount creationdatechanged
Description: Theuser's creation datechangedafter the lastsnapshot update.Verify that the userhas been re-createdwith authorizedroles, and restorenecessary data if itwas deleted. If thechange is authorized,update the snapshot.If the change is notauthorized, drop theaccount.
■ UNIX (30144)String ID:ORA_USER_ACCT_CREATION
Category: ChangeNotification
Reporting account defaults
Password-protected default roleThis check reports the users who have been granted the password protected rolesas default roles. Verify that the users are authorized to use the roles withoutentering passwords.
Symantec recommends that for anunauthorizeduser, you either assign adifferentdefault role to the user or remove the password protection from the role.
The following table lists the message for the check.
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Accounts module
70
Table 3-20 Message for Password protected default role
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: yellow-1
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Default rolewith passwordprotection
Description: Theuser's default role isdefined in thedatabaseaspasswordprotected.Verify thattheuser is authorizedto use the rolewithout entering apassword. To requirethe user to enter apassword to use therole, set the role as anon-default role.
■ UNIX (30147)String ID:ORA_DEFAULT_ROLE_WITH_PASSWORD
Category: SystemInformation
Active default accountsThis check reports the default accounts that are present on your computer. Bydefault, the name list includes all the Oracle default accounts.
Symantec recommends that you remove, lock, or disable the account to preventintruders from using it to access your database.
The following table lists the message for the check.
71About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Accounts module
Table 3-21 Message for Active default accounts
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: yellow-1
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Active defaultaccount
Description:Theuseraccount is a defaultaccount that shipswith an Oracleprogram. Itspassword is wellknown.Remove, lock,or disable theaccount to preventintruders from usingit to access yourdatabase.
■ UNIX (30148)String ID:ORA_ACTIVE_DEFAULT_ACCT
Category: PolicyCompliance
Users to checkUse the name list to include or exclude the prohibited roles for the Grantedprohibited roles check to report on.
Granted prohibited rolesThis check reports the users who have been granted prohibited roles. Use thename list to exclude the prohibited roles for this check.
Symantec recommends that you remove any prohibited role.
Note:Youmust never directly grant a few default Oracle roles, the DBA (databaseadministrator) role, and the connect role to the users.
The following table lists the message for the check.
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Accounts module
72
Table 3-22 Message for Granted prohibited roles
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: yellow-1
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Prohibited rolegranted
Description: Thereare a few defaultOracle roles thatshould never bedirectly granted tousers, such as dbaand connect.
■ UNIX (30149)String ID:ORA_ROLE_GRANTED
Category: PolicyCompliance
About the Oracle Auditing moduleThis module checks for the auditing setup that is based on the options that youhave specified.
Establishing a baseline snapshotTo establish a baseline, run the Symantec ESM module for auditing Oracledatabases. This creates a snapshot of the current audit information that you canupdate when you run the checks for new, deleted, or changed information.
Automatically update snapshotsEnable this check to automatically update the snapshots with the currentinformation.
Editing default settingsUse this check to edit the default settings of all the security checks in themodule.
Oracle system identifiers (SIDs)Use the name list to include or exclude the Oracle system identifiers (SIDs) forthis check. By default, the check examines all the SIDs that you specify when youconfigure the Symantec ESM modules for the Oracle databases. The SymantecESM modules for Oracle databases configuration are stored in/esm/config/oracle.dat file.
73About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Auditing module
Reporting audit status and accessThe checks in this group report whether auditing is enabled and who has accessto the audit trail database.
Audit trail enabledThis check reports whether an audit trail is available for the SID.
Symantec recommends that while you are in the production environment, toensure that the audit trail is enabled you must set the AUDIT_TRAIL parameterto DB or OS.
The following table lists the message for the check.
Table 3-23 Message for Audit trail enabled
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: red-4
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Auditing notenabled for the SID
Description: AnAUDIT_TRAILsetting of NONEindicates auditing isnot enabledandaudittrails are not beinggenerated. Enableauditing to monitordatabase activitiesand ensure corporatesecurity policies areimplemented.
■ UNIX (31138)String ID:ORA_AUDIT_DISABLE
Category: PolicyCompliance
Audit trail protectionThis check reports the users and the roles that have privileges that allow themto make changes or deletions to the audit trail database.
Symantec recommends that you grant access to the audit trail database only toadministrators or users with administrator roles. You can drop the role from theuser if the user is not authorized to access the audit trail database and at the sametime you can drop the privilege of an inappropriately defined role. You mustensure that the auditing options of DEL, INS, and UPD for SYS.AUD$ are setproperly to A/A in the dba_obj_audit_opts.
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Auditing module
74
The following table lists the message for the check.
Table 3-24 Message for Audit trail protection
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: yellow-2
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Audit trailprotection
Description:Theuserhas access to theaudit trail table.Verify that the useris authorized tochange or delete theaudit trail table.Verify that this rightis appropriate for theuser's role and thatauditingoptionsDEL,INS, and UPD forSYS.AUD$ are setproperly to A/A indba_obj_audit_opts.
■ UNIX (31139)String ID:ORA_AUDIT_PROTECTION
Category: SystemInformation
Audit reporting methodsThe success or failure of an audited operation is identified by the followingOraclecodes, separated by the forward slash (/) character:
■ A indicates reporting is BY ACCESS.
■ S indicates reporting is BY SESSION.
Table 3-25 lists the reporting methods.
Table 3-25 Reporting methods
Description of reportMethod
Every successful and failed operationA/A
Every successful operation, but only sessions in which failedoperations occur
A/S
Every session in which successful and failed operations occurS/S
75About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Auditing module
Table 3-25 Reporting methods (continued)
Description of reportMethod
Every session in which an operation was successful and everyfailed operation
S/A
Reporting statement auditsThe checks in this group report SQL statements that are audited. Security checksreport statements that were set or removed for auditing and statements with thesuccess or the failure reporting methods that changed after the last snapshotupdate.
Audits at the statement level can require considerable resources. BY ACCESS (A)reporting consumes more resources than BY SESSION (S) reporting.
Auditing optionsUse the name list to include or exclude the object such as tables or views that areto be included for the object auditing.
Statement auditingThis check reports the user SQL statements that are audited and theSuccess/Failure reporting methods that are used. Use the name list to excludethe users for this check.
Symantec recommends that you remove all unauthorized or out-of-datestatements. Youmust ensure that you use appropriate reportingmethods for theavailable resources and perceived risks.
The following table lists the message for the check.
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Auditing module
76
Table 3-26 Message for Statement auditing
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: green-0
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Statementauditing
Description:TheuserSQL statement isaudited, using theSuccess/Failurereporting reportingmethods that arereported in the Inforfield. BY ACCESSreports everyinstance, and BYSESSION reportsevery session, inwhich the statementis executed. Verifythat auditing thestatement isauthorized and thereporting method isappropriate.
■ UNIX (31148)String ID:ORA_STMT_AUDITING
Category: SystemInformation
New statement auditingThis check reports the SQL statements that were set for auditing after the lastsnapshot update, and the Success/Failure reporting methods that are used. Usethe name list to exclude the users for this check.
Symantec recommends that you remove all unauthorized or out-to-datestatements. You must update the snapshot if the auditing of statement isauthorized and the reporting method is correct. You must deactivate the audit ifthe auditing of the statement is not authorized. You must change the reportingmethods if the reporting methods are inappropriate for the available resourcesand perceived risks.
The following table lists the message for the check.
77About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Auditing module
Table 3-27 Message for New statement auditing
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: yellow-1
Correctable: false
Snapshot Updatable:true
Template Updatable:false
Information FieldFormat: [%s]
Title: New statementauditing
Description: TheSID's user statementand its auditingSuccess/Failurereporting methodsare reported in theInfo field. BYACCESSreports every timethe statement isexecuted, and BYSESSION reportsevery session inwhich the statementis executed. Ifauditing thestatement isauthorized and thereporting methodsare appropriate,update the snapshot.If auditing thestatement is notauthorized,deactivate theauditing. If thereporting methodsare not appropriate,correct them.
■ UNIX (31149)String ID:ORA_NEW_STMT_AUDITING
Category: ChangeNotification
Deleted statement auditingThis check reports the user statements that were removed from auditing afterthe last snapshot update. Use the name list to exclude the users for this check.
If the statement deletion is authorized, Symantec recommends that you eitherupdate the snapshot or restore the audit settings.
The following table lists the message for the check.
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Auditing module
78
Table 3-28 Message for Deleted statement auditing
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: yellow-1
Correctable: false
Snapshot Updatable:true
Template Updatable:false
Information FieldFormat: [%s]
Title: Deletedstatement auditing
Description:Theuserstatement wasremoved fromauditing after the lastsnapshot update. Ifthe deletion isauthorized, updatethe snapshot. If it isnot authorized,restore the auditsetting.
■ UNIX (31150)String ID:ORA_DELETED_STMT_AUDITING
Category: ChangeNotification
Changed statement auditingThis check reports the audited user statementswith the Success/Failure reportingmethods that changed after the last snapshot update.Use thename list to excludethe users for this check.
If the change is authorized, Symantec recommends that you either update thesnapshot or restore the previous statement settings.
The following table lists the message for the check.
79About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Auditing module
Table 3-29 Message for Changed statement auditing
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: yellow-1
Correctable: false
Snapshot Updatable:true
Template Updatable:false
Information FieldFormat: [%s]
Title: Statementauditing changed
Description: TheSuccess/Failurereportingmethods ofthe SID's userstatement changedafter the lastsnapshot update. BYACCESS reportsevery instance, andBY SESSION reportsevery session, inwhich the statementis executed. Ifauditing thestatement isauthorized and thereporting methodsare appropriate,update the snapshot.If the auditing is notauthorized,deactivate the audit.If the reportingmethods are notappropriate, correctthem.
■ UNIX (31151)String ID:ORA_CHANGED_STMT_AUDITING
Category: ChangeNotification
Reporting object auditsThe first check of this group reports the objects that are audited. The second andthird checks report the objects that were set for auditing and removed fromauditing after the last snapshot update. The fourth check reports the objects withthe reporting methods that were changed after the last snapshot update.
There are 16 options for audited objects.
Table 3-30 lists the audits that this check reports on.
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Auditing module
80
Table 3-30 Audited object options
DescriptionOptionAudit number
ALTERALT1
AUDITAUD2
COMMENTCOM3
DELETEDEL4
GRANTGRA5
INDEXIND6
INSERTINS7
LOCKLOC8
RENAMEREN9
SELECTSEL10
UPDATEUPD11
REFERREF12
EXECUTEEXE13
CRETECRE14
READREA15
WRITEWRI16
Note: Unavailable and unaudited options appear as -/-. For example, with A/A inthe fourth position, every auditable DEL operation is recorded as successful orfailed. A/S reports every auditable DEL operation that is successful, but only thesessions that contain one or more failed operations.
Auditing objectsUse the name list to include or exclude the object such as tables or views that areto be included for the object auditing.
81About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Auditing module
Object auditingThis check reports the user objects that are audited and the Success/Failurereporting methods that are used. Use the name list to exclude the users for thischeck.
Symantec recommends that you removeall unauthorizedorout-of-date statementsfrom auditing. Periodically, you must review audited objects to ensure that theaudit is currently authorized and the reporting methods are appropriate for theavailable resources and perceived risks.
The following table lists the message for the check.
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Auditing module
82
Table 3-31 Message for Object auditing
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: green-0
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Object auditing
Description:Theuserobject is audited. ForOracle8 and later,sixteen objectoptions arerepresented in theorder ALT, AUD,COM,DEL,GRA, IND,INS, LOC, REN, SEL,UPD, REF, EXE, CRE,REA, WRI. Oracle7uses only the firstthirteen options.Unavailable andunaudited optionsappear as -/-.Success/Failurereporting methodsare anA (BYACCESS)or an S (BY SESSION)on each side of theslash. For example,with A/A in thefourthposition, everyauditable DELoperation is recordedas successful orfailed. A/S reportsevery auditable DELoperation that issuccessful, but onlysessions that containone or more failedoperation.Verify thatthe user objectshould be auditedand that thereporting method isappropriate.
■ UNIX (31144)String ID:ORA_OBJ_AUDITING
Category: SystemInformation
83About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Auditing module
New object auditingThis check reports theuser objects thatwere set for auditing after the last snapshotupdate, and the Success/Failure reporting methods that are used. Use the namelist to exclude the users for this check.
If the auditing of the object is authorized, Symantec recommends that you eitherupdate the snapshot or remove the object fromauditing. If the reportingmethodsare incorrect then you must correct them.
The following table lists the message for the check.
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Auditing module
84
Table 3-32 Message for New object auditing
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: yellow-1
Correctable: false
Snapshot Updatable:true
Template Updatable:false
Information FieldFormat: [%s]
■ UNIX (31145)String ID:ORA_NEW_OBJ_AUDITING
Category: ChangeNotification
85About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Auditing module
Table 3-32 Message for New object auditing (continued)
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Title: New objectauditing
Description:Theuserobject was set forauditing after the lastsnapshot update. ForOracle8 and later,sixteen objectoptions arerepresented in theorder ALT, AUD,COM,DEL,GRA, IND,INS, LOC, REN, SEL,UPD, REF, EXE, CRE,REA, WRI. Oracle7uses only the firstthirteen options.Unavailable andunaudited optionsappear as -/-.Success/Failurereporting methodsare anA (BYACCESS)or an S (BY SESSION)on each side of theslash. For example,with A/A in thefourthposition, everyauditable DELoperation is recordedas successful orfailed. A/S reportsevery auditable DELoperation that issuccessful, but onlysessions that containone or more failedoperation. If auditingof the object isauthorized, update
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Auditing module
86
Table 3-32 Message for New object auditing (continued)
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
the snapshot. If it isnot authorized, ropthe object fromauditing.
Deleted object auditingThis check reports the user objects and the object options thatwere removed fromauditing after the last snapshot update. Use the name list to exclude the users forthis check.
If the deletion is authorized, Symantec recommends that you either update thesnapshot or restore audit of the object.
The following table lists the message for the check.
Table 3-33 Message for Deleted object auditing
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: yellow-1
Correctable: false
Snapshot Updatable:true
Template Updatable:false
Information FieldFormat: [%s]
Title: Deleted objectauditing
Description:Auditingof the user objectwasdroppedafter the lastsnapshot update. Ifthe change isauthorized, updatethe snapshot. If thechange is notauthorized, restorethe auditing of theobject.
■ UNIX (31146)String ID:ORA_DELETED_OBJ_AUDITING
Category: ChangeNotification
Changed object auditingThis check reports the audited user objects with the Success/Failure reportingmethods that changed after the last snapshot update and their current reportingmethods.
87About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Auditing module
If the change is authorized, Symantec recommends that you either update thesnapshot or restore the previous settings.
The following table lists the message for the check.
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Auditing module
88
Table 3-34 Message for Changed object auditing
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: yellow-1
Correctable: false
Snapshot Updatable:true
Template Updatable:false
Information FieldFormat: [%s]
■ UNIX (31147)String ID:ORA_CHANGED_OBJ_AUDITING
Category: ChangeNotification
89About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Auditing module
Table 3-34 Message for Changed object auditing (continued)
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Title: Object auditingchanged
Description:Success/Failurereportingmethods ofthe named objectoption were changedsince the lastsnapshot update. ForOracle8 and later,sixteen objectoptions arerepresented in theorder ALT, AUD,COM,DEL,GRA, IND,INS, LOC, REN, SEL,UPD, REF, EXE, CRE,REA, WRI. Oracle7uses only the firstthirteen options.Unavailable andunaudited optionsappear as -/-.Success/Failurereporting methodsare anA (BYACCESS)or an S (BY SESSION)on each side of theslash. For example,with A/A in thefourthposition, everyauditable DELoperation is recordedas successful orfailed. A/S reportsevery auditable DELoperation that issuccessful, but onlysessions that containone or more failed
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Auditing module
90
Table 3-34 Message for Changed object auditing (continued)
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
operation. If thechange is authorized,update the snapshot.If the change is notauthorized, restorethe previousmethods.
Reporting privilege auditsThe first of these checks report the privileges that are audited. The second andthird checks report the privileges that were set for auditing and removed fromauditing after the last snapshot update. The fifth check reports the privilegeswiththe reporting methods that were changed after the last snapshot update.
Auditing privilegesUse the name list to include or exclude the privileges for the privilege auditingchecks.
Privilege auditingThis check reports the user privileges that are audited, and the Success/Failurereporting methods that are used. Use the name list to exclude the users for thischeck.
Symantec recommends that you periodically review the privilege auditing toensure that the audits are currently authorized and that the reporting methodsare appropriate for available resources and perceived risks.
The following table lists the message for the check.
91About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Auditing module
Table 3-35 Message for Privilege auditing
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: green-0
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Privilegeauditing
Description:Theuserprivilege is auditedand the specifiedSuccess/Failurereporting methodsare used. Verify thatthis user privilegeshould be auditedand that thereporting method isappropriate.
■ UNIX (31140)String ID:ORA_PRIV_AUDITING
Category: SystemInformation
New privilege auditingThis check reports the user privileges that were set for auditing after the lastsnapshot update and the Success/Failure reporting methods that are used. Usethe name list to exclude the users for this check.
If the new privilege and its reporting methods are authorized, Symantecrecommends that you update the snapshot. If the new privilege is not authorizedthen you must change the privileges. If the user is unauthorized for the privilegethen you must remove the privilege from the user.
The following table lists the message for the check.
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Auditing module
92
Table 3-36 Message for New privilege auditing
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: yellow-1
Correctable: false
Snapshot Updatable:true
Template Updatable:false
Information FieldFormat: [%s]
Title: New privilegeauditing
Description:Theuserprivilege was set forauditing with thespecifiedSuccess/Failurereporting methodssince the lastsnapshot update. Ifauditing theprivilegeis authorized, updatethe snapshot.Remove the privilegefrom auditing if it isnot authorized.
■ UNIX (31141)String ID:ORA_NEW_PRIV_AUDITING
Category: ChangeNotification
Deleted privilege auditingThis check reports the user privileges that were removed from auditing after thelast snapshot update. Use the name list to exclude the users for this check.
If the deletion is authorized, Symantec recommends that you either update thesnapshot or restore the user privilege to auditing.
93About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Auditing module
Table 3-37 Message for Deleted privilege auditing
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: yellow-1
Correctable: false
Snapshot Updatable:true
Template Updatable:false
Information FieldFormat: [%s]
Title: Deletedprivilege auditing
Description:Theuserprivilege wasremoved fromauditing after the lastsnapshot update. Ifthe deletion isauthorized, updatethe snapshot. If thedeletion is notauthorized, restorethe user privilege toauditing.
■ UNIX (31142)String ID:ORA_DELETED_PRIV_AUDITING
Category: ChangeNotification
Changed privilege auditingThis check reports the audited user privileges with Success/Failure reportingmethods that changed after the last snapshot update.Use thename list to excludethe users for this check.
If the change is authorized, Symantec recommends that you either update thesnapshot or restore the previous audit settings.
The following table lists the message for the check.
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Auditing module
94
Table 3-38 Message for Changed privilege auditing
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: yellow-1
Correctable: false
Snapshot Updatable:true
Template Updatable:false
Information FieldFormat: [%s]
Title: Privilegeauditing changed
Description: TheSuccess/FailureUpdate reportingmethods of theaudited privilegechangedafter the lastsnapshotupdate.Thecurrent method isdisplayed. If thechange is authorized,update the snapshot.If the change is notauthorized, restorethe the previousreporting methods.
■ UNIX (31143)String ID:ORA_CHANGED_PRIV_AUDITING
Category: ChangeNotification
Audit settingsThis check reports the audit settings that do not match the settings that arespecified in the template file. Use the name list to enable or disable the templatefiles.
The following table lists the message for the check.
95About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Auditing module
Table 3-39 Message for Template - Oracle Auditing
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: red-4
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Audit settingsmismatch
Description: Theaudit settings thatare present in thedatabase do notmatch with thesettings that arespecified in thetemplate file. Formore information,refer thecorrespondingInformation column.
■ UNIX (31152)String ID:ORA_AUDIT_R
Category: PolicyCompliance
Severity: yellow-1
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Audit settingsmismatch
Description: Theaudit settings thatare present in thedatabase do notmatch with thesettings that arespecified in thetemplate file. Formore information,refer thecorrespondingInformation column.
■ UNIX (31153)String ID:ORA_AUDIT_Y
Category: PolicyCompliance
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Auditing module
96
Table 3-39 Message for Template - Oracle Auditing (continued)
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: green-0
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Audit settingsmismatch
Description: Theaudit settings thatare present in thedatabase do notmatch with thesettings that arespecified in thetemplate file. Formore information,refer thecorrespondingInformation column.
■ UNIX (31154)String ID:ORA_AUDIT_G
Category: PolicyCompliance
About the Oracle Auditing templateIn the Oracle Auditing module, the Audit Setting check uses the Oracle Auditingtemplate. The check reports the audit settings that do notmatch the settings thatare specified in the template file.
The default templates are available for each supported operating system.
Creating the Oracle Auditing templateYou must create and enable a new Oracle Audting template before you run theAudit setting check.
To create a Oracle Auditing template
1 In the tree view, right-click Templates, and then click New.
2 In the Create New Template dialog box, select Oracle Auditing- all.
3 In the Template file name (no extension) text box, type new template filename. Symantec ESM adds the .oad extension to the template file name.
4 Click OK.
About using the Oracle Auditing templateThe Oracle Audting template contains the following fields:
97About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Auditing module
Table 3-40 Field and Values/Options descriptions
Values/OptionsDescriptionField
■ PRIV (PrivilegeAuditing)
Select this option if youwant the check to reporton the privileges.
■ STMT (Statementauditing)
Select this option if youwant the check to reporton the statements.
Lets you specify an audit thatis based on either astatement or a privilege.
Audit Type
Enter the name of the auditoption.
For example: CREATESESSION
Lets you specify the auditoption for the audit type thatyou specify.
For example: PRIV
Audit Option
Enter the name of the user.
You can use the keyword,‘ANY’ while specifying theuser name.
Lets you specify theuserwhoexecutes the statementor theprivilege.
User
■ BY ACCESS
This option is based onper access auditing.
■ BY SESSION
This option is based onper session auditing.
■ NOT SET
This session is not set forauditing.
■ IS SET
This option is either setfor session or accessauditing.
Lets you specify a state forthe audit that you specify.
Success
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Auditing module
98
Table 3-40 Field and Values/Options descriptions (continued)
Values/OptionsDescriptionField
■ BY ACCESS
This option is based onper access auditing.
■ BY SESSION
This option is based onper session auditing.
■ NOT SET
This session is not set forauditing.
■ IS SET
This option is either setfor session or accessauditing.
Lets you specify a state forthe audit that you specify.
Failure
■ Green
Select Green for anInformation message.
■ Yellow
Select Yellow for aWarning message.
■ Red
Select Red for an Errormessage.
Lets you specify the severitylevel for the audit type thatyou select.
Severity
About the Oracle Configuration moduleThis module checks for the Oracle settings that can affect the security of thesystem.
Editing default settingsUse the checks in this group to edit the settings of all the security checks.
Automatically update snapshotsEnable this check to automatically update the snapshots with the currentinformation.
99About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Configuration module
Oracle system identifiers (SIDs)Use the name list to include or exclude the Oracle system identifiers (SIDs) forthis check. By default, the check examines all the SIDs that you specify when youconfigure the Symantec ESM modules for the Oracle databases. The SymantecESM modules for Oracle databases configuration are stored in/esm/config/oracle.dat file.
Reporting Oracle version informationThe checks in this group report Oracle version, status, trace, and alert log fileinformation.
For the location of USER_DUMP_DEST files, use Trace file.
For the maximum size of trace files, specified by MAX_DUMP_FILE_SIZE, useTrace file size.
Oracle serverThis check reports the version number and the status of the installed Oraclecomponents on the agent.
The following table lists the message for the check.
Table 3-41 Message for Oracle server
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: green-0
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Oracle serverversion
Description: Theversion and status ofthe Oracle server arereported.
■ UNIX (30630)String ID:ORA_SERVER_VERSION
Category: SystemInformation
Oracle componentsThis check reports the version number and status of all Oracle components,including the version and status of the Oracle server.
The following table lists the message for the check.
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Configuration module
100
Table 3-42 Message for Oracle components
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: green-0
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Oracle productcomponent version
Description: Theversion and status ofthe Oraclecomponent arereported in the Infofield.
■ UNIX (30631)String ID:ORA_PRODUCT_COMPONENT_VERSION
Category: SystemInformation
Trace filesThis check reports the location of the trace files that are specified byUSER_DUMP_DEST.
The following table lists the message for the check.
Table 3-43 Message for Trace files
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: green-0
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Location oftrace files
Description: Thelocation of SID tracefiles is reported inthe Info field.
■ UNIX (30632)String ID:ORA_TRACE_FILE_DEST
Category: SystemInformation
Trace file sizeThis check reports the maximum sizes of trace files that are specified byMAX_DUMP_FILE_SIZE.
The following table lists the message for the check.
101About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Configuration module
Table 3-44 Message for Trace file size
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: green-0
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Maximum sizefor trace files
Description: Themaximumsize of SIDtrace files is reportedin the Info field.
■ UNIX (30634)String ID:ORA_MAX_DUMP_FILE_SIZE
Category: SystemInformation
Alert fileThis check reports the location of debugging trace files for background processessuch as LGWR and DBWR. The Alert_[SID].log file at this location containsinformation for global and instance operations.
The following table lists the message for the check.
Table 3-45 Message for Alert file
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: green-0
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Directory pathfor alert files
Description: Thelocation of SID tracefiles that are used forOracle backgroundprocesses is reportedin the Info field.BACKGROUND_DUMP_DESTspecifies the location.
■ UNIX (30633)String ID:ORA_ALERT_FILE_DEST
Category: SystemInformation
List SID:HOME (oracle.dat)This check reports all the SIDs and their Oracle homes from the oracle.dat file.The configuration information of the Symantec ESMmodules for Oracle is storedin oracle.dat, which is located in the \esm\config directory.
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Configuration module
102
The following table lists the message for the check.
Table 3-46 Message for List SID:HOME (oracle.dat)
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: green-0
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Oracle.dat fileinformation
Description: Theoracle.dat file iscreated whileconfiguring ESMmodules for oracle.
■ UNIX (30656)String ID:ORA_SID_HOME_DATFILE
Category: SystemInformation
List SID:HOME (oratab)This check reports all the SIDs and their Oracle homes from the oratab file. Theoratab file is created during the installation of Oracle server.
The following table lists the message for the check.
Table 3-47 Message for List SID:HOME (oratab)
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: green-0
Correctable: false
Snapshot Updatable:true
Template Updatable:false
Information FieldFormat: [%s]
Title: Oratab fileinformation
Description: Theoratab file is createdwhile installingoracle databaseserver.
■ UNIX (30657)String ID:ORA_SID_HOME_TABFILE
Category: SystemInformation
Reporting link password encryptionThe checks in this group report whether encryption is required for the databaselink passwords.
103About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Configuration module
DB link encrypted passwordThis check examines the DBLINK_ENCRYPT_LOGIN setting to report whetherthe encrypted passwords require connecting to other Oracle servers through thedatabase links. This parameter is no longer supported on Oracle 10g and laterversions.
The first attempt to connect to another Oracle server always sends encryptedpasswords. If the reported setting is TRUE, a failed connectionwill not be retried.If FALSE, Oracle reattempts the connection with an unencrypted version of thepassword. TRUE settings provide the best protection for your database.
The following table lists the message for the check.
Table 3-48 Message for DB link encrypted password
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: green-0
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Connect todatabase withencrypted password
Description: TheSID's encryptedpassword setting isreported in the Infofield. The firstattempt to connect toanotherOracle serveralways sendsencryptedpasswords.If the reportedsetting is TRUE, afailed connection isnot be retried. IfFALSE, Oraclere-tries theconnection with anunencrypted versionof the password.TRUE settingsprovide the bestprotection for yourdatabase.
■ UNIX (30635)String ID:ORA_DBLINK_ENCRYPT
Category: SystemInformation
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Configuration module
104
Reporting operating system account prefixesThe checks in this group report prefixes for operating system accounts andwhether SELECT and SYSTEM privileges are required to change table columnvalues.
Prefix for OS accountThis check reports the characters that are attached to the beginning of accountnames that operating systems authenticate. OS_AUTHENT_PREFIX specifies thecharacters. The default OPS$ prefix gives you access to a database from theoperating system by typing a slash (/) instead of the username/password string.
The following table lists the message for the check.
Table 3-49 Message for Prefix for OS account
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: green-0
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Prefix for OSaccount
Description: Thedefault OPS$ prefixgives a user access toa database from theoperating system bytyping a slash (/)instead of theusername/passwordstring.
■ UNIX (30636)String ID:ORA_OS_AUTHENT_PREFIX
Category: SystemInformation
Table-level SELECT privilegesThis check reportswhether the SELECTprivileges are required to update or deletethe table column values.
If TRUE is reported, then table-level SELECT privileges are required to update ordelete table column values. If FALSE, SELECT privileges are not required.SQL92_SECURITY parameter specifies the setting.
The following table lists the message for the check.
105About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Configuration module
Table 3-50 Message for Table-level SELECT privileges
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: green-0
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Table-levelSELECT privileges
Description: If TRUEis reported in theInfo field, table-levelSELECT privilegesare required toupdate or delete tablecolumn values. IfFALSE, SELECTprivileges are notrequired.SQL92_SECURITYspecifies the setting.
■ UNIX (30637)String ID:ORA_SQL92_SECURITY
Category: SystemInformation
Restrictions on system privilegesThis check reports whether access to objects in the SYS schema is allowed whileyou migrate from Oracle 7 to Oracle 8.
You must set the parameter to FALSE. If you set the parameter to TRUE, thenaccess to objects in the SYS schema is allowed. You can specify the settings byusing the 07_DICTIONARY_ACCESSIBILITY parameter.
The following table lists the messages for the check.
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Configuration module
106
Table 3-51 Messages for Restrictions on system privileges
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: green-0
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Restrictions onsystem privileges
Description: If FALSEis reported in theInfo field, systemprivileges that allowaccess to objects inany schema do notallow access toobjects in SYSschema. If TRUE,access to objects inthe SYS schema isallowed (Oracle7behavior).O7_DICTIONARY_ACCESSIBILITYspecifies the setting.
■ UNIX (30638)String ID:ORA_O7_DICTIONARY_ACCESSIBILITY
Category: SystemInformation
Severity: yellow-3
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Remote loginpassword file
Description: Thevalue of theREMOTE_LOGIN_PASSWORDFILEparameter is notacceptable.
■ UNIX (30639)String ID:ORA_REMOTE_LOGIN_PASSWORDFILE
Category: SystemInformation
Reporting parameter valuesThe checks in this group report the Oracle configuration parameter values.
Remote login password fileThis check reports whether the value of the REMOTE_LOGIN_PASSWORDFILEparameter matches with the value that you specify in the Parameter Value textbox. Use the name list to include or exclude the values for this check. The defaultvalue is None.
107About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Configuration module
Symantec recommends that you change the value of theREMOTE_LOGIN_PASSWORDFILEparameter tomatchwith your security policy.
The following table lists the message for the check.
Table 3-52 Message for Remote login password file
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: yellow-3
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Remote loginpassword file
Description: Thevalue of theREMOTE_LOGIN_PASSWORDFILEparameter is notacceptable.
■ UNIX (30639)String ID:ORA_REMOTE_LOGIN_PASSWORDFILE
Category: SystemInformation
UTL_FILE accessible directoriesThis check reports whether the value of the UTL_FILE_DIR parameter matcheswith the value that you specify in the Parameter Value text box. You can use theUTL_FILE_DIR parameter to specify one or more directories that Oracle can usefor PL/SQL file I/O. The exclude tag of the parameter value specifies acceptablevalues and the include tag specifies unacceptable values.
If the location of the UTL_FILE_DIR is not authorized, Symantec recommendsthat you change the configurationof theSID’sUTL_FILE_DIRparameter to specifyan authorized location; also update the snapshot.
The following table lists the message for the check.
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Configuration module
108
Table 3-53 Message for UTL_FILE accessible directories
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: yellow-3
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: UTL_FILEaccessible directories
Description: Thevalue of theUTL_FILE_DIRparameter is notacceptable.
■ UNIX (30640)String ID:ORA_UTL_FILE_DIR
Category: SystemInformation
Oracle configuration watchThis check reports the unmatched initialization and configuration parametersthat are defined in the templates. Use the name list to include the template filefor this check.
The following table lists the messages for the check.
Table 3-54 Messages for Oracle configuration watch
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: red-4
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Red levelcondition
Description: Thevalue of the SID'sparameter atruntime, which isreported in the Infofield, violates theconditions of thecorrespondingparameter in theOracle ConfigurationWatch template atthe Red severitylevel. See the Infofield for details.
■ UNIX (30641)String ID:ORA_ORC_RUNTIME_RED
Category: PolicyCompliance
109About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Configuration module
Table 3-54 Messages for Oracle configuration watch (continued)
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: yellow-1
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Yellow levelcondition
Description: Thevalue of the SID'sparameter atruntime, which isreported in the Infofield, violates theconditions of thecorrespondingparameter in theOracle ConfigurationWatch template atthe Yellow severitylevel. See the Infofield for details.
■ UNIX (30642)String ID:ORA_ORC_RUNTIME_YELLOW
Category: PolicyCompliance
Severity: green-0
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Green levelcondition
Description: Thevalue of the SID'sparameter atruntime, which isreported in the Infofield, violates theconditions of thecorrespondingparameter in theOracle ConfigurationWatch template atthe Green severitylevel. See the Infofield for details.
■ UNIX (30643)String ID:ORA_ORC_RUNTIME_GREEN
Category: PolicyCompliance
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Configuration module
110
Table 3-54 Messages for Oracle configuration watch (continued)
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: red-4
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Red levelcondition
Description: Thevalue of theparameter that isdefined for the SID inthe initialization fileviolates theconditions of thecorrespondingparameter in theOracle ConfigurationWatch template atthe red severity level.See the Info field fordetails.
■ UNIX (30644)String ID:ORA_ORC_INITFILE_RED
Category: PolicyCompliance
Severity: yellow-1
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Yellow levelcondition
Description: Thevalue of theparameter that isdefined for the SID inthe initialization fileviolates theconditions of thecorrespondingparameter in theOracle ConfigurationWatch template atthe yellow severitylevel. See the Infofield for details.
■ UNIX (30645)String ID:ORA_ORC_INITFILE_YELLOW
Category: PolicyCompliance
111About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Configuration module
Table 3-54 Messages for Oracle configuration watch (continued)
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: green-0
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Green levelcondition
Description: Thevalue of theparameter that isdefined for the SID inthe initialization fileviolates theconditions of thecorrespondingparameter in theOracle ConfigurationWatch template atthe green severitylevel. See the Infofield for details.
■ UNIX (30646)String ID:ORA_ORC_INITFILE_GREEN
Category: PolicyCompliance
Severity: green-0
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: RequiredOracle parameternotfound
Description: Eitherthe init script ismissing an Oracleparameter that thetemplate specifies asrequired, or anOracle runtimeprarameter that isspecified in thetemplate was not setin the runninginstance of Oracle.
■ UNIX (30647)String ID:ORA_ORC_PARAMETER_NOT_FOUND
Category: SystemError
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Configuration module
112
Table 3-54 Messages for Oracle configuration watch (continued)
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: green-0
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Oracleconfigurationparameter
Description: TheOracle configurationparameter value.
■ UNIX (30658)String ID:ORA_CONFIG_PARA_VALUE
Category: SystemInformation
About the Oracle Configuration Watch templateThe Oracle configuration watch check of the Oracle configuration module usesthe Oracle Configuration Watch template. By using this template, the check letsyou enable or disable the templates that specify initialization and the configurationparameters that should be watched.
Creating the Oracle Configuration Watch template
You must create and enable a new Oracle Configuration Watch template beforeyou run the Oracle configuration watch check.
To create an Oracle Configuration Watch template
1 In the tree view, right-click Templates, and then click New.
2 In the Create New Template dialog box, select Oracle Configuration Watch- all.
3 In the Template file name (no extension) text box, type new template filename.
4 After Symantec ESM adds the .ocw extension to the template file name, clickOK.
About using the Oracle Configuration Watch template
The Oracle Configuration Watch template contains the following fields:
113About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Configuration module
Table 3-55 Field and Values/Options descriptions
Values/OptionsDescriptionField
NALets you specify adescriptionfor the parameter that youenter in theParameter field.
Description
Enter the configuration orinitialization parameter ofOracle that you want thecheck to report on.
Lets you specify theparameter.
Parameter
Select the check box toexamine the runtime values.
Lets you select this check boxif you want this check toexamine the runtime values.
Runtime Value
■ Optional
Reports the parametervalues that violate thevalue that is defined ininit<SID>.ora.
■ Required
Report a violation if theparameter is not definedin init<SID>.ora.
■ Skipped
Ignore the parametervalue that is defined ininit<SID>.ora.
Lets you specify an optionalvalue.
Init File Value
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Configuration module
114
Table 3-55 Field and Values/Options descriptions (continued)
Values/OptionsDescriptionField
■ Prohibited Value
Select the check box todesignate the value asprohibited.
■ Value
Enter a regularexpression or as anumeric comparison.
■ You can use thefollowing specialcases:
+
■ NULL or null
empty string
If the value begins withone of the followingnumeric comparisonoperators, a numericcomparison is performed:
■ =
equal to
■ <
less than
■ >
greater than
■ !=
not equal to
■ <=
less than or equal to
■ >=
greater than or equal to
Note: If you specify a pathname in the value, you needto escape the ‘\’ character byusing another ‘\’.
Note: For example, specifythe path namec:\test\test.txt asfollows:c:\\test\\test.txt.
Lets you specify a value forthe parameter by using theTemplate Sublist Editor.
Parameter Values
115About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Configuration module
Table 3-55 Field and Values/Options descriptions (continued)
Values/OptionsDescriptionField
■ Green
Select Green for anInformation message.
■ Yellow
Select Yellow for aWarning message.
■ Red
Select Red for an Errormessage.
Specify the severity for themessages that ESM reportswhen the parameter value isviolated.
Severity
■ empty
All releases (default if norelease specified)
■ 9.0
Release 9.0.x
■ +9
Release 9.2.x and later
■ +10
Release 10.2.x and later
■ +11
Release 11.1.x and later
Lets you specify the Oracleversion of the target serverthat you want the check toreport on.
Oracle Version
Select the check box todisplay the configurationvalue.
Lets you select this check boxif you want this check todisplay the configurationvalue.
Display configuration value
Redo log filesThis check reports the locations of the SID's redo log files, the violations of redolog file permissions, the discrepancies in the redo log file ownerships, and the filestatus. In the Permission field, do one of the following:
■ Specify 0 for the check to report the location and the status of the SID redolog file.
■ Specify a permission value more restrictive than the SID's redo log filepermission for the check to report an error.
The check reports an error message, if the SID redo log file ownership (UID/GID)does not match with the ownership that you specify in the Oracle database. Youcan specify the permission values as three-digit octal numbers.
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Configuration module
116
Use the name list to include or exclude the status of the files for this check. Thepossible file status values are INVALID, STALE, DELETED, and INUSED.
Symantec recommends that you periodically review the redo log file location toensure that they are in a secure, authorized locations. If the file’s permissions areexcessive then reset the redo log files permission to match with your securitypolicy. If the owner of the redo log file is not authorized for the file then youmustimmediately take ownership of the file and review it for possible tampering.
The following table lists the messages for the check.
Table 3-56 Messages for Redo log files
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: green-0
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Redo log file
Description: TheSID's redo log filesreside in the locationthat is reported inthe Redo Log Filefield.
■ UNIX (30648)String ID:ORA_REDOLOGFILE
Category: SystemInformation
Severity: yellow-2
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Redo log filepermission
Description:Permission of redolog files
■ UNIX (30651)String ID:ORA_REDOLOGFILE_PERM
Category: PolicyCompliance
Severity: green-0
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [""]
Title: Locked Oraclefile
Description: Filepermissions cannotbe reported becausethe file is being usedby another process.
■ UNIX (30008)String ID:ORA_FILE_LOCKED
Category: SystemError
117About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Configuration module
Table 3-56 Messages for Redo log files (continued)
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: green-0
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [""]
Title: Oracle File orfolder not found
Description: Filepermissions cannotbe reported becausethe file beingreferenced cannot befound.
■ UNIX (30009)String ID:ORA_FILE_NOT_FOUND
Category: SystemError
Severity: green-0
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Oracle Folderpermissions
Description: ReportsDirectorypermissions.
■ UNIX (30010)ORA_DIRECTORY_PERMS
Category: SystemError
Severity: green-0
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Functionalitynot Supported
Description: Thisfunctionality is notsupported by ESMoracle app module.
■ UNIX (30011)ORA_NOT_SUPPORTED
Category: SystemInformation
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Configuration module
118
Table 3-56 Messages for Redo log files (continued)
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: green-0
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Redo log file
Description: TheSID's ASM managedredo log files residein the location that isreported in the RedoLog File field.
■ UNIX (60)String ID:ORA_ASM_REDOLOGFILE
Category: SystemInformation
Redo log fileThis check reports the locations of the SID's redo log files and permissions on thelog files in the Information field. Use the name list to include or exclude the filestatuses for this check. The file status values are INVALID, STALE, DELETED,INUSED. In the Permission field, do one of the following:
■ Specify 0 for the check to report the location and the status of the SID redolog file.
■ Specify a permission value more restrictive than the SID's redo log filepermission for the check to report an error.
Symantec recommends that you periodically review the redo log file location toensure that it is in a secure, authorized location. If the file’s permissions areexcessive, reset the redo log file’s permission to conform to your security policy.If the owner of the redo log file is not authorized for the file, immediately takeownership of the file and review it for possible tampering.
The following table lists the messages for the check.
New redo log filesThis check reports redo log files that were added after the last snapshot update,their locations, and the status of the files. Use the name list to exclude the redolog file status reporting for this check.
If the addition is authorized, Symantec recommends that you either update thesnapshot or delete the new redo log file.
The following table lists the message for the check.
119About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Configuration module
Table 3-57 Message for New redo log files
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: yellow-1
Correctable: false
Snapshot Updatable:true
Template Updatable:false
Information FieldFormat: [%s]
Title: New redo logfile
Description: TheSID's new redo logfile was added to thelocation that isreported in the RedoLog File field afterthe last snapshotupdate. If theaddition isauthorized, updatethe snapshot. If theaddition is notauthorized, deletethe new redo log file.
■ UNIX (30649)String ID:ORA_ADDED_REDOLOGFILE
Category: ChangeNotification
Deleted redo log filesThis check reports redo log files that were deleted after the last snapshot update.
If the deletion is authorized, Symantec recommends that you either update thesnapshot or restore the file.
The following table lists the message for the check.
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Configuration module
120
Table 3-58 Message for Deleted redo log files
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: yellow-1
Correctable: false
Snapshot Updatable:true
Template Updatable:false
Information FieldFormat: [%s]
Title: Deleted redolog file
Description: TheSID's redo log filethat is reported inthe Redo Log Filefield was deletedafter the lastsnapshot update. Ifthe deletion isauthorized, updatethe snapshot. If thedeletion is notauthorized, restorethe file.
■ UNIX (30650)String ID:ORA_DELETED_REDOLOGFILE
Category: ChangeNotification
Control filesThis check reports the locations of the SID's control files, violations of controlfile permissions, discrepancies in control file ownership, and file status. In thePermission text box, do one of the following:
■ Specify 0 for the check to report the location and status of the SID's controlfiles.
■ Specify a permission value more restrictive than the SID's control filepermission for the check to report a violation.You can specify the Permission values as three-digit octal numbers.
Symantec recommends that you periodically review the locations of the controlfile to ensure that they are in secure, authorized locations. If the file’s permissionsare excessive then reset the control file’s permission to match with your securitypolicy.
The following table lists the messages for the check.
121About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Configuration module
Table 3-59 Messages for Control files
AdditionalInformation
Message Title andDescription
Platform andMessageNumeric ID
Message String ID andCategory
Severity: green-0
Correctable: false
SnapshotUpdatable:false
TemplateUpdatable:false
Information FieldFormat: [%s]
Title: Control file
Description: TheSID's control filelocation is reportedin the Redo Log Filefield.
■ UNIX (30652)String ID:ORA_CONTROLFILE
Category: SystemInformation
Severity: yellow-2
Correctable: false
SnapshotUpdatable:false
TemplateUpdatable:false
Information FieldFormat: [%s]
Title: Control filepermission
Description:Permission ofcontrol files
■ UNIX (30655)String ID:ORA_CONTROLFILE_PERM
Category: PolicyCompliance
Severity: green-0
Correctable: false
SnapshotUpdatable:false
TemplateUpdatable:false
Information FieldFormat: [""]
Title:Locked Oraclefile
Description: Filepermissions cannotbe reported becausethe file is being usedby another process.
■ UNIX (30008)String ID:ORA_FILE_LOCKED
Category:System Error
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Configuration module
122
Table 3-59 Messages for Control files (continued)
AdditionalInformation
Message Title andDescription
Platform andMessageNumeric ID
Message String ID andCategory
Severity: green-0
Correctable: false
SnapshotUpdatable:false
TemplateUpdatable:false
Information FieldFormat: [""]
Title: Oracle File orfolder not found
Description: Filepermissions cannotbe reported becausethe file beingreferenced cannotbe found.
■ UNIX (30009)String ID:ORA_FILE_NOT_FOUND
Category:System Error
Severity: green-0
Correctable: false
SnapshotUpdatable:false
TemplateUpdatable:false
Information FieldFormat: [%s]
Title: Oracle Folderpermissions
Description:ReportsDirectorypermissions.
■ UNIX(300010)
String ID:ORA_DIRECTORY_PERMS
Category:System Error
Severity: green-0
Correctable: false
SnapshotUpdatable:false
TemplateUpdatable:false
Information FieldFormat: [%s]
Title: Functionalitynot Supported
Description: Thisfunctionality is notsupported by ESMoracle app module.
■ UNIX(300011)
String ID:ORA_NOT_SUPPORTED
Category: SystemInformation
123About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Configuration module
Table 3-59 Messages for Control files (continued)
AdditionalInformation
Message Title andDescription
Platform andMessageNumeric ID
Message String ID andCategory
Severity: green-0
Correctable: false
SnapshotUpdatable:false
TemplateUpdatable:false
Information FieldFormat: [%s]
Title: Control file
Description: TheSID's ASM managedcontrol file locationis reported in theRedo Log File field.
■ UNIX (59)String ID:ORA_ASM_CONTROLFILE
Category: SystemInformation
New control filesThis check reports the control files thatwere added after the last snapshot update.
If the addition is authorized, Symantec recommends you to either update thesnapshot or delete the new control file.
The following table lists the message for the check.
Table 3-60 Message for New control files
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: yellow-1
Correctable: false
Snapshot Updatable:true
Template Updatable:false
Information FieldFormat: [%s]
Title:Newcontrol file
Description: Thecontrol file that isreported in the Infofieldwas added to theSID after the lastsnapshot update. Ifthe addition isauthorized, updatethe snapshot. If theaddition is notauthorized, deletethe new control file.
■ UNIX (30653)String ID:ORA_ADDED_CONTROLFILE
Category: ChangeNotification
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Configuration module
124
Deleted control filesThis check reports the control files that were deleted after the last snapshotupdate.
If the deletion is authorized, Symantec recommends you to either update thesnapshot or restore the control file.
The following table lists the message for the check.
Table 3-61 Message for Deleted control files
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: yellow-1
Correctable: false
Snapshot Updatable:true
Template Updatable:false
Information FieldFormat: [%s]
Title: Deleted controlfile
Description: Thecontrol file that isreported in the Infofield was deletedafter the lastsnapshot update. Ifthe deletion isauthorized, updatethe snapshot. If thedeletion is notauthorized, restorethe control file.
■ UNIX (30654)String ID:ORA_DELETED_CONTROLFILE
Category: ChangeNotification
List SID:HOME (oracle.dat)This check reports all the SIDs and their Oracle homes from the oracle.dat file.The configuration information of the Symantec ESMmodules for Oracle is storedin oracle.dat, which is located in the \esm\config directory.
The following table lists the message for the check.
125About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Configuration module
Table 3-62 Message for List SID:HOME (oracle.dat)
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: green-0
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Oracle.dat fileinformation
Description: Theoracle.dat file iscreated whileconfiguring ESMmodules for oracle.
■ UNIX (30656)String ID:ORA_SID_HOME_DATFILE
Category: SystemInformation
About the Oracle Networks moduleThismodule checks for the oracle network configuration that you have specified.
Editing default settingsUse the name list to edit the default settings for all security checks in themodule.
Oracle system identifiers (SIDS)Use the name list to include or exclude the Oracle system identifiers (SIDs) forthis check. By default, the check examines all the SIDs that you specify when youconfigure the Symantec ESM modules for the Oracle databases. The SymantecESM modules for Oracle Databases configuration are stored in the\esm\config\oracle.dat file.
Reporting SID configuration statusThe check in this group report the SIDs that are not configured.
SID configurationThis check reports SIDs that are not configured for Symantec ESM modules forOracle Databases. If an oratab file resides in a different location than /etc/oratabor /var/opt/oracle/oratab, change the value in the oratab file field to specify thefull path. Use name list to exclude the SID’s for this check.
The following table lists the message for the check.
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Networks module
126
Table 3-63 Message for SID configuration
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: yellow-3
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: SID notconfigured formodules
Description: The SIDis not configured forSymantec ESMModules for OracleDatabases.
■ UNIX (31730)String ID:ORA_UNCONFIG_SID
Category: SystemError
Oracle net configuration watchThis check reports Oracle Listener, Sqlnet, and Names configuration parametervalues that violate conditions of the corresponding Oracle Net Watch templateparameters. Use the name list to enable and disable the template files for thischeck.
The following table lists the messages for the check.
127About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Networks module
Table 3-64 Messages for Oracle net configuration watch
AdditionalInformation
Message Titleand Description
PlatformandMessageNumericID
Message String ID and Category
Severity: red-4
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Red levelcondition
Description: Theparameter valuefound in theconfiguration fileviolates theconditions of thecorrespondingparameter in theOracle Net Watchtemplate. See theInfo field fordetails.
■ UNIX(31731)
String ID:ORA_ORC_NETCONFIG_RED
Category: Policy Compliance
Severity: yellow-1
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Yellow levelcondition
Description: Theparameter valuefound in theconfiguration fileviolates theconditions of thecorrespondingparameter in theOracle Net Watchtemplate. See theInfo field fordetails.
■ UNIX(31732)
String ID:ORA_ORC_NETCONFIG_YELLOW
Category: Policy Compliance
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Networks module
128
Table 3-64 Messages for Oracle net configuration watch (continued)
AdditionalInformation
Message Titleand Description
PlatformandMessageNumericID
Message String ID and Category
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Green levelcondition
Description: Theparameter valuefound in theconfiguration fileviolates theconditions of thecorrespondingparameter in theOracle Net Watchtemplate. See theInfo field fordetails.
■ UNIX(31733)
String ID:ORA_ORC_NETCONFIG_GREEN
Category: Policy Compliance
Severity: yellow-3
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Requiredparameter notfound
Description: Therequired netconfigurationparameter that isspecified in theOracleConfigurationWatch template isnot found for theSID. See the Infofield for details.
■ UNIX(31734)
String ID:ORA_ORC_NETCONFIG_PARA_MISSING
Category: Policy Compliance
About the Oracle Net Configuration Watch templateThe Oracle net configuration watch check of the Oracle networks module usesthe Oracle Net Configuration Watch template. By using this template, the checkreports on theOracle Listener, Sqlnet, andNames configuration parameter valuesthat violate conditions of the corresponding template parameters.
129About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Networks module
Creating the Oracle Net Configuration Watch templateYoumust create and enable anewOracleNetConfigurationWatch template beforeyou run the Oracle net configuration watch check.
To create an Oracle Net Configuration Watch template
1 In the tree view, right-click Templates, and then click New.
2 In the Create New Template dialog box, select Oracle Net Watch - all.
3 In the Template file name (no extension) text box, type new template filename.
4 After Symantec ESM adds the .onw extension to the template file name, clickOK.
About using the Oracle Net Configuration Watch templateThe Oracle Net Configuration Watch template contains the following fields:
Table 3-65 Field and Values/Options descriptions
Values/OptionsDescriptionField
NALets you specify adescriptionfor the parameter that youenter in theParameter field.
Description
Enter a name of theparameter that youwant thecheck to report on.
Lets you specify a parametername.
Parameter
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Networks module
130
Table 3-65 Field and Values/Options descriptions (continued)
Values/OptionsDescriptionField
■ Listener ControlParameter
Lets the Symantec ESMcompare the values in theOracle Net Watchtemplate with theparameter values in thelistener.ora file.
■ Sqlnet Profile Parameter
Lets the Symantec ESMcompare the values in theOracle Net Watchtemplate with theparameter values in thesqlnet.ora file.
■ Oracle Names Parameter
Lets the Symantec ESMcompare the values in theOracle Net Watchtemplate with theparameter values in thenames.ora file.
Lets you select a parametertype.
Parameter Type
Select the check box for thecheck to report on thisparameter.
Note: SymantecESMreportsif this parameter is not foundand if the parameter is foundbut fails the comparisonwithtemplate values. If youdonotselect this check box, thenSymantec ESM reports onlyif this parameter is foundand fails the templatecomparison.
Lets you select this check boxif youwant this parameter asrequired.
Required Parameter
131About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Networks module
Table 3-65 Field and Values/Options descriptions (continued)
Values/OptionsDescriptionField
Lets you specify a value forthe parameter by using theTemplate Sublist Editor.
Parameter Values
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Networks module
132
Table 3-65 Field and Values/Options descriptions (continued)
Values/OptionsDescriptionField
■ Prohibited Value
Select the check box todesignate the value asprohibited.
■ Value
Enter a regularexpression or as anumeric comparison.
■ You can use thefollowing specialcases:
+
‘+’ character
■ NULL or null
empty string
If the value begins withone of the followingnumeric comparisonoperators, a numericcomparison is performed:
■ =
equal to
■ <
less than
■ >
greater than
■ !=
not equal to
■ <=
less than or equal to
■ >=
greater than or equal to
Note: If you specify a pathname in the value, you needto escape the ‘\’ character byusing another ‘\’.
Note: For example, specifythe path namec:\test\test.txt asfollows:
133About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Networks module
Table 3-65 Field and Values/Options descriptions (continued)
Values/OptionsDescriptionField
c:\\test\\test.txt.
■ Green
Select Green for anInformation message.
■ Yellow
Select Yellow for aWarning message.
■ Red
Select Red for an Errormessage.
Specify the severity for themessages that ESM reportswhen the parameter value isviolated.
Severity
■ 9.0
Release 9.0.x
■ +9
Release 9.2.x and later
■ +10
Release 10.2.x and later
■ +11
Release 11.1.x and later
Lets you specify the Oracleversion of the target serverthat you want the check toreport on.
Oracle Version
See “Examples of using theOracleNetConfigurationWatch template”onpage134.
Examplesof using theOracleNetConfigurationWatch templateThis section contains examples on the values that youmust enter in the templatefield for the check to report on.
Table 3-66 contains the template field and its respective values that you mustenter if you want to check on the valid configuration parameters.
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Networks module
134
Table 3-66 Examples of Listener Control Parameter
ValueOracle fileParameter type
■ ADMIN_RESTRICTIONS
■ LOG_FILE
■ PASSWORDS
■ SAVE_CONFIG_ON_STOP
■ STARTUP_WAIT_TIME
■ TRACE_DIRECTORY,TRACE_FILE
■ ADMIN_RESTRICTIONS_LISTENER
■ INBOUND_CONNECT_TIMEOUT_LISTENER
■ LOGGING_LISTENER
■ LOG_DIRECTORY
■ LOG_FILE_LISTENER
■ PASSWORDS_LISTENER
■ SAVE_CONFIG_ON_STO_LISTENERP
■ SSL_CLIENT_AUTHENTICATION_LISTENER
■ STARTUP_WAIT_TIME_LISTENER
■ TRACE_DIRECTORY_LISTENER
■ TRACE_FILE_LISTENER
■ TRACE_FILELEN_LISTENER
■ TRACE_FILENO_LISTENER
■ TRACE_LEVEL_LISTENER
■ TRACE_TIMESTAMP_LISTENER
■ USE_CKPFILE
■ LOCAL_OS_AUTHENTICATION
■ SUBSCRIBE_FOR_NODE_DOWN_EVENT
listener.oraListener Control Parameter
Table 3-67 contains the template field and its respective values that you mustenter if you want to check on the valid configuration parameters.
135About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Networks module
Table 3-67 Examples of Sqlnet Profile Parameter
ValueOracle fileParameter type
■ BEQUEATH_DETACH
■ DAEMON.TRACE_DIRECTORY
■ DISABLE_OOB
■ LOG_DIRECTORY_CLIENT
■ LOG_DIRECTORY_SERVER
■ NAMES.CONNECT_TIMEOUT
sqlnet.oraSqlnet Profile Parameter
Table 3-68 contains the template field and its respective values that you mustenter if you want to check on the valid configuration parameters.
Table 3-68 Examples of Oracle Names Parameter
ValueOracle fileParameter type
■ NAMES.ADDRESSES
■ NAMES.ADMIN_REGION
■ NAMES.AUTHORITY_REQUIRED
■ NAMES.CONFIG_CHECKPOINT_FILE
■ NAMES.DOMAIN_HINTS
■ NAMES.LOG_FILE
names.oraOracle Names Parameter
Oracle EXTPROC listenersThis check reports the Oracle listeners that have EXTPROC-specific entries. Inthe text box, specify 1 to allow the TCP Protocol, on doing so the database listenerports should be different than the EXTPROC ports. Separate listeners must bespecified for the Oracle Databases and for the EXTPROC process. You must usethe IPC protocol for listeners configured for EXTPROC.
The following table lists the messages for the check.
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Networks module
136
Table 3-69 Messages for Oracle EXTPROC listeners
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: yellow-3
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Listener forEXTPROC found
Description: Thislistener has beenconfigured forPL/SQL EXTPROC. Ifthe PL/SQLEXTPROCfunctionality is notrequired, werecommend that youremove thisfunctionality fromthe ESM agent thathosts the OracleDatabase server.
■ UNIX ()String ID:ORA_EXTPROC_LISTENER_FOUND
Category: PolicyCompliance
Severity: red-4
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: EXTPROCentries found inListener forDatabases
Description: TheEXTPROC-specificentrieswere found inthe Oracle listenerfor the Database.Different listenersshould be specifiedfor the OracleDatabases and for thePL/SQL EXTPROC.
■ UNIX ()String ID:ORA_EXTPROC_IN_DB_LISTENER
Category: PolicyCompliance
137About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Networks module
Table 3-69 Messages for Oracle EXTPROC listeners (continued)
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: red-4
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Listener forEXTPROC is notconfigured with IPCProtocol
Description: TheOracle listener forPL/SQL EXTPROCshould only beconfigured with anIPCprotocol address.If the user allowsTCP, then theviolation for theprotocols other thanthe TCP/TCPS/IPC isreported.
■ UNIX ()String ID:ORA_NON_IPC_EXTPROC
Category: PolicyCompliance
Severity: red-4
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: The portsconfigured forEXTPROC listenersconflict withdatabase listeners
Description: If theTCP protocol is usedto configure listenerswith EXTPROC thenuse the port that isdifferent than theports that the Oraclelistener for thedatabases uses.
■ UNIX ()String ID:ORA_TCP_PORT_EXTPROC
Category: PolicyCompliance
About the Oracle Objects moduleThis module checks for the access privileges to the Oracle objects that are basedon the options that you have specified.
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Objects module
138
Editing default settingsThe check in this group edits the default settings for all security checks in themodule.
Oracle system identifiers (SIDs)Use the name list to include or exclude the Oracle system identifiers (SIDs) forthis check. By default, the check examines all the SIDs that you specify when youconfigure the Symantec ESM modules for the Oracle databases. The SymantecESM modules for Oracle Databases configuration are stored in the/esm/config/oracle.dat file.
Reporting table privilegesThe checks in this group report entities that can:
■ Access SYS.ALL_SOURCE
■ Grant privileges to Oracle objects such as tables, indexes, and views
■ Have directly granted table privileges to Oracle objects
Access to SYS.ALL_SOURCEThis check reports the roles, accounts, and synonyms that have access privilegesto theSYS.ALL_SOURCEsystem table. TheALL_SOURCE table contains the sourcecode for user-defined objects in all schemas of the SID. Verify that the entity'sdirect access to SYS.ALL_SOURCE is authorized. Use the Grantees to skip namelist to exclude the grantees for this check.
The following table lists the message for the check.
139About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Objects module
Table 3-70 Message for Access to SYS.ALL_SOURCE
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: yellow-3
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Access toSYS.ALL_SOURCE
Description:Theuseror role that isreported in the Infofield has access to theALL_SOURCE table.Verify that the accessis authorized.
■ UNIX (31630)String ID:ORA_ACCESS_ALL_SOURCE
Category: PolicyCompliance
Table privilegesUse this name list to include or exclude the table privileges for the Grantableprivilege and Directly granted privilege checks to report on.
Object nameUse this name list to include or exclude the object names for the Grantableprivilege and Directly granted privilege checks to report on.
GrantorsUse this name list to include or exclude the grantors for the Grantableprivilegesand Directly granted privilege checks to report on.
Grantable privilegeThis check reports the roles, the accounts, or the synonyms that have grantabletable privileges to Oracle objects. Use the name list to include and exclude thegrantees for this check.
The following table lists the message for the check.
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Objects module
140
Table 3-71 Message for Grantable privilege
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: yellow-3
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Grantable tableprivilege
Description: Thegrantable tableprivilege of theOracle object isgranted to theuser orrole. Verify that theuser or role isauthorized to grantthe table privilege.
■ UNIX (31631)String ID:ORA_GRANTABLE
Category: PolicyCompliance
Directly granted privilegeThis check reports the roles, the accounts, or the synonyms that have directlygranted table privileges to Oracle objects. Use the name list to include or excludethe grantees for this check.
The following table lists the message for the check.
Table 3-72 Message for Directly granted privilege
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: yellow-3
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Directlygranted tableprivilege
Description: Thedirectly granted tableprivilege of theOracle object isdirectly granted tothe user or role.Verify that the useror role is authorizedfor the tableprivilege.
■ UNIX (31632)String ID:ORA_DIRECT_GRANTED
Category: PolicyCompliance
141About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Objects module
Critical objectsThis check works with the Grantable privilege check or the Directly grantedprivilege check. The Critical objects check reports on the objects that it finds onthe ESM agent computer with the objects that you specify in the template. Forexample, sys.kupw$wor, sys.dbms_ddl, and so on. Use the name list to enable ordisable the template file.
The following table lists the messages for the check.
Table 3-73 Messages for Critical objects
AdditionalInformation
Message Titleand Description
Platform andMessageNumeric ID
Message String ID andCategory
Severity: red-4
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Noword filesspecified
Description:"Critical objects"was enabledbutnoword files werespecified. Changeyour policy so thatat least one wordfile is enabled.
■ UNIX (31633)String ID:ESM_NOWORDFILES
Category: ESM Error
Severity: red-4
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Grantabletable privilege
Description: Thegrantable tableprivilege of theOracle object isgranted to theuseror role. Verify thatthe user or role isauthorized togrant the tableprivilege.
■ UNIX (31634)String ID:ORA_GRANTABLE_RED
Category: Policy Compliance
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Objects module
142
Table 3-73 Messages for Critical objects (continued)
AdditionalInformation
Message Titleand Description
Platform andMessageNumeric ID
Message String ID andCategory
Severity: red-4
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Directlygranted tableprivilege
Description: Thedirectly grantedtable privilege oftheOracle object isdirectly granted tothe user or role.Verify that theuser or role isauthorized for thetable privilege.
■ UNIX (31635)String ID:ORA_DIRECT_GRANTED_RED
Category: Policy Compliance
About the Oracle Critical Object templateThe Critical objects check of the Oracle Objects module uses the Oracle CriticalObject template. By using this template, the check iterates through all objects andreports critical objects that you specify in the template.
Creating the Oracle Critical Object template
You must create and enable a new Oracle Critical Object template before you runthe Critical objects check.
To create an Oracle Critical Object template
1 In the tree view, right-click Templates, and then click New.
2 In the Create New Template dialog box, select Oracle Critical Object - all.
3 In the Template file name (no extension) text box, type new template filename.
4 After Symantec ESM adds the .rco extension to the template file name, clickOK.
About using the Oracle Critical Object template
The Oracle Critical Object template contains the following field:
143About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Objects module
Table 3-74 Field and Values/Options descriptions
Values/OptionsDescriptionField
Enter the name of the objectthat you want the check toreport on.
Lets you enter the objectname that you want thecheck to report on.
Object
Object PrivilegesThis check uses the specified template to report on the object privileges. Use thename list to enable or disable the template file.
The following table lists the messages for the check.
Table 3-75 Messages for Object Privileges
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: red-4
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Object notfound
Description: Objectnot found. Theselected object maynot be present in thedatabase, or theinformation for theselected object isincorrect in thetemplate. Verify thetemplate entries, orverify if the objectwith the given owneris present in thedatabase.
■ UNIX (31636)String ID:ORA_OBJ_NOT_FOUND
Category: PolicyCompliance
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Objects module
144
Table 3-75 Messages for Object Privileges (continued)
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: red-4
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Unauthorisedobject privilege
Description: There isa mismatch in theactual objectprivilege present inthe database and theprivilege that ismentioned in thetemplate. Check ifthe object that ismarked as"Prohibited" in thetemplate is present inthe database, orcheck if the objectthat is marked as"Mandatory" in thetemplate is notpresent in thedatabase. For moreinformation, see thecorrespondingInformation column.
■ UNIX (31637)String ID:ORA_OBJ_PRIV_R
Category: PolicyCompliance
145About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Objects module
Table 3-75 Messages for Object Privileges (continued)
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: yellow-1
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Unauthorisedobject privilege
Description: There isa mismatch in theactual objectprivilege present inthe database and theprivilege that ismentioned in thetemplate. Check ifthe object that ismarked as"Prohibited" in thetemplate is present inthe database, orcheck if the objectthat is marked as"Mandatory" in thetemplate is notpresent in thedatabase. For moreinformation, see thecorrespondingInformation column.
■ UNIX (31638)String ID:ORA_OBJ_PRIV_Y
Category: PolicyCompliance
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Objects module
146
Table 3-75 Messages for Object Privileges (continued)
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: green-0
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Unauthorisedobject privilege
Description: There isa mismatch in theactual objectprivilege present inthe database and theprivilege that ismentioned in thetemplate. Check ifthe object that ismarked as"Prohibited" in thetemplate is present inthe database, orcheck if the objectthat is marked as"Mandatory" in thetemplate is notpresent in thedatabase. For moreinformation, see thecorrespondingInformation column.
■ UNIX (31639)String ID:ORA_OBJ_PRIV_G
Category: PolicyCompliance
147About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Objects module
Table 3-75 Messages for Object Privileges (continued)
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: red-4
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Unauthorisedobject privilege
Description: There isa mismatch in theactual objectprivilege present inthe database and theprivilege that ismentioned in thetemplate. Check ifthe object that ismarked as"Prohibited" in thetemplate is present inthe database, orcheck if the objectthat is marked as"Mandatory" in thetemplate is notpresent in thedatabase. For moreinformation, see thecorrespondingInformation column.
■ UNIX ( 37)String ID:ORA_OBJ_PRIV_R
Category: PolicyCompliance
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Objects module
148
Table 3-75 Messages for Object Privileges (continued)
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: green-0
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Unauthorisedobject privilege
Description: There isa mismatch in theactual objectprivilege present inthe database and theprivilege that ismentioned in thetemplate. Check ifthe object that ismarked as"Prohibited" in thetemplate is present inthe database, orcheck if the objectthat is marked as"Mandatory" in thetemplate is notpresent in thedatabase. For moreinformation, see thecorrespondingInformation column.
■ UNIX ( 39)String ID:ORA_OBJ_PRIV_G
Category: PolicyCompliance
149About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Objects module
Table 3-75 Messages for Object Privileges (continued)
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: yellow-1
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Unauthorisedobject privilege
Description: There isa mismatch in theactual objectprivilege present inthe database and theprivilege that ismentioned in thetemplate. Check ifthe object that ismarked as"Prohibited" in thetemplate is present inthe database, orcheck if the objectthat is marked as"Mandatory" in thetemplate is notpresent in thedatabase. For moreinformation, see thecorrespondingInformation column.
■ UNIX ( 38)String ID:ORA_OBJ_PRIV_Y
Category: PolicyCompliance
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Objects module
150
Table 3-75 Messages for Object Privileges (continued)
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: red-4
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Object notfound
Description: Objectnot found. Theselected object maynot be present in thedatabase, or theinformation for theselected object isincorrect in thetemplate. Verify thetemplate entries, orverify if the objectwith the given owneris presnt in thedatabase.
■ UNIX ( 36)String ID:ORA_OBJ_NOT_FOUND
Category: PolicyCompliance
About the Oracle Object Privileges templateThe Object Privileges check of the Oracle objects module uses the Oracle ObjectPrivileges template. By using this template, the check lets you report on the objectprivileges that you specify in the template.
Creating the Oracle Object Privileges template
You must create and enable a new Oracle Object Privileges template before yourun the Object Privileges check.
To create an Oracle Object Privileges template
1 In the tree view, right-click Templates, and then click New.
2 In theCreateNewTemplatedialog box, selectOracleObjectPrivilegesWatch- all.
3 In the Template file name (no extension) text box, type new template filename.
4 After Symantec ESM adds the .oop extension to the template file name, clickOK.
151About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Objects module
About using the Oracle Object Privileges template
The Oracle Object Privileges template contains the following fields:
Table 3-76 Field and Values/Options descriptions
Values/OptionsDescriptionField
Enter the name of the objectthat you want the check toreport on.
Lets you specify an objectname that you want thecheck to report on.
Object Name
Enter the owner name of theobject that you want thecheck to report on.
Lets you specify an ownername of the object that youwant the check to report on.
Owner
NALets you enter additionalcomments on the object.
Comments
■ Green
Select Green for anInformation message.
■ Yellow
Select Yellow for aWarning message.
■ Red
Select Red for an Errormessage.
Lets you select the severityfor the messages that thecheck reports on the data.
Severity
■ 9.0
Release 9.0.x
■ +9
Release 9.2.x and later
■ +10
Release 10.2.x and later
■ +11
Release 11.1.x and later
Lets you specify the Oracleversion of the target serverthat you want the check toreport on.
Version
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Objects module
152
Table 3-76 Field and Values/Options descriptions (continued)
Values/OptionsDescriptionField
Lets you specify theprivileges by using theTemplate Sublist Editor.
Privilege List
153About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Objects module
Table 3-76 Field and Values/Options descriptions (continued)
Values/OptionsDescriptionField
■ Required
Lets you specify if theexistence of the object onthe target server ismandatory, prohibited, orallowed.
■ Prohibited
Object must not exist.
■ Mandatory
Object must exist.
■ Allowed
Object existence isallowed.
■ Object Privilege
Lets you enter the accessprivileges based on thedatabase objects that youspecify in the ObjectName field.
■ Grantor
Lets you enter the nameof the grantor based onthe object name andobject privileges that youspecify in the ObjectName and ObjectPrivilege fieldsrespectively.
■ Grantee
Lets you enter the nameof the grantee based onthe object name andobject privileges that youspecify in the ObjectName and ObjectPrivilege fieldsrespectively.
■ With Grant Option
Select this check box ifyou want the privilegeswith grant options thatyou specify in the Object
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Objects module
154
Table 3-76 Field and Values/Options descriptions (continued)
Values/OptionsDescriptionField
Privilege field to bereported.
■ Exclude
Specify the privilege thatyou want to exclude.
You can specify one of thefollowing:
■ Object Name
Select this option ifyou want to excludethe name of theobject.
■ Owner
Select this option ifyou want to excludethe owner of theobject.
■ Object Privilege
Select this option ofyou want to excludethe privileges of theobject.
■ Grantor
Select this option ifyou want to excludethe grantor of theobject.
■ Grantee
Select this option ifyou want to excludethe grantee of theobject.
■ Name
Enter the name of theobject that you want toexclude.
Lets you exclude the objectprivileges by using theTemplate Sublist Editor.
Exclude List
155About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Objects module
About the Oracle Passwords moduleThis module checks for the password integrity that Oracle user accounts usesthat is based on the options that you have specified.
Editing default settingsThe checks in this group edits the default settings for all the security checks inthe module.
Oracle system identifiers (SIDs)Use the name list to include or exclude the Oracle system identifiers (SIDs) forthis check. By default, the check examines all the SIDs that you specify when youconfigure the SymantecESMmodules for the Oracle databases. The configurationfor Symantec ESM Modules for Oracle Databases is stored in/esm/config/oracle.dat.
Users to checkUse the name list to include or exclude the users or the roles for all the passwordguessing checks.
Account statusUse the name list to include or exclude the statuses for all the password guessingchecks.
Password displayThis check works with the Password=wordlistword, Password=username, andPassword = any username checks. Enable this check to display the guessedpasswords in the <first character>*<last character> format.
Specifying check variationsYou can use the checks under this group to set conditions for guessing thepasswords of the Oracle accounts. You can display the results with or without thefirst and last characters of the password.
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Passwords module
156
Reverse orderEnable this option to have Password = checks report passwords that match thebackward spelling of user names or common words. For example, in Password =wordlist word, password flog matches the word golf.
Double occurrencesEnable this option to have Password = checks report the passwords that matchesthe user names or common words spelled twice. For example, in Password =wordlist word, password golfgolf matches the word golf.
PluralThis option directs Password = checks to compare the plural forms of user names,role names, or common words with the password. For example, in “Password =user name,” the password “golfs” matches the user name “golf.”
PrefixEnable this option so that Password = checks reports the passwords that beginwith a prefix in the user names, role names, or common words. For example, if"pro" is a prefix and "golf" is a user name, then the Password = user name checkreports "progolf " as a weak password.
SuffixEnable this option so that Password = checks reports the passwords that endwitha suffix in the user names, role names, or common words. For example, if “pro”is a suffix and “golf” is a user name, then the Password = user name check reports“golfpro” as a weak password.
Comparing passwords to word listsThe checks in this group compare the passwords to words that are found in theword lists or the user names. Any matched word is a weak password and shouldbe changed immediately.
Password = wordlist wordThis check compares the encrypted version of the user and the role passwordwiththe encrypted version of the words that are included in the common words andnames file. The check then reports the matches. You can specify the word andname files that you want to check. Do not use common words or names aspasswords.
157About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Passwords module
Symantec recommends that youdonot usecommonwords or names as passwords.You must assign a more secure password immediately to the user accounts thatare reported by this check, then notify each user to log in using the more securepassword.Have theusers complete theprocess by changing their passwords again.
A secure passwordhas six to eight characterswith at least onenumeric character,and one special character. The password must not match an account name ormust not be found in the word file.
The following table lists the messages for the check.
Table 3-77 Messages for Password = wordlist word
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: red-4
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Weak userpassword
Description: Thepassword is a formofa user name orcommon word. It is aweak password.Assign amore securepasswordimmediately. Theninstruct the user tolog in with the moresecure password andchange the passwordagain. A securepassword has 6-8characters, includingat least onenon-alphabeticcharacter, shouldnotbe found in anydictionary, andshould not match anaccount name.
■ UNIX (30334)String ID:ORA_PASS_GUESSED
Category: PolicyCompliance
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Passwords module
158
Table 3-77 Messages for Password = wordlist word (continued)
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: red-4
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: No word filesspecified
Description:Password = wordlistword was enabled,but no word fileswere specified.Enable at least oneword file.
■ UNIX (30336)String ID:ORA_NO_WORDS
Category: ESM Error
Password = usernameThis check reports the users and the roles that use their own user names or rolenames as passwords. The check is not as comprehensive as the Password = anyusername check. However, if the Password = any user name check takes longeror consumesmore CPUusage, then use the Password = user name check daily andthePassword=anyusernamecheckonweekends. The reportedpasswordmatchesthe sameuser account name. Thepasswords that closely resemble account namesare easily guessed.
Symantec recommends that youmust immediately assignmore securepasswordsto reported user accounts. Then notify the users and ask them to log in with themore secure passwords. Have the users complete the process by changing theirpasswords again.
A secure passwordhas six to eight characterswith at least onenumeric character,and one special character. The password must not match an account name ormust not be found in the word file.
The following table lists the message for the check.
159About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Passwords module
Table 3-78 Message for Password = username
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: red-4
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Weak userpassword
Description: Thepassword is a formofa user name orcommon word. It is aweak password.Assign amore securepasswordimmediately. Theninstruct the user tolog in with the moresecure password andchange the passwordagain. A securepassword has 6-8characters, includingat least onenon-alphabeticcharacter, shouldnotbe found in anydictionary, andshould not match anaccount name.
■ UNIX (30334)String ID:ORA_PASS_GUESSED
Category: PolicyCompliance
Password = any usernameThis check compares the encrypted version of the user and the role passwordwiththe encrypted version of the words that are included in the common words andnames file. The check then reports the matches. You can specify the word andname files that you want to check. Do not use common words or names aspasswords.
Symantec recommends that youdonot usecommonwords or names as passwords.You must assign a more secure password immediately to the user accounts thatare reported by this check, then notify each user to log in using the more securepassword.Have theusers complete theprocess by changing their passwords again.
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Passwords module
160
Asecure passwordhas six to eight characterswith at least onenumeric character,and one special character. The password must not match an account name ormust not be found in the word file.
The following table lists the message for the check.
Table 3-79 Message for Password = any username
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: red-4
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Weak userpassword
Description: Thepassword is a formofa user name orcommon word. It is aweak password.Assign amore securepasswordimmediately. Theninstruct the user tolog in with the moresecure password andchange the passwordagain. A securepassword has 6-8characters, includingat least onenon-alphabeticcharacter, shouldnotbe found in anydictionary, andshould not match anaccount name.
■ UNIX (30334)String ID:ORA_PASS_GUESSED
Category: PolicyCompliance
Detecting well-known passwordsOracle products ship with default, or sample, accounts and passwords that arewidely known. These passwords should be changed as soon as soon as possible.Otherwise, unauthorized users can log in as SYS or SYSTEM with administratorprivileges.
161About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Passwords module
Well known passwordsThis check reports the well known account/password combinations that youspecify in the name list and default Oracle account/password combinations suchas scott/tiger. You should not allowwell known account/password combinations.Use the name list to include the account and password combinations for thischeck.
Symantec recommends that youmust assignamore securepassword immediately.You must instruct the user to log in with the more secure password and changethe password again.
Asecure password has six to eight characterswith at least one numeric character,and one special character. The password must not match an account name ormust not be found in the word file.
The following table lists the message for the check.
Table 3-80 Message for Well known passwords
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: red-4
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Well knownaccount/passwordfound
Description: Changeor delete all wellknownaccount/passwordcombinations.
■ UNIX (30337)String ID:ORA_DEFAULT_PASSWORD
Category: PolicyCompliance
About the Oracle Patches moduleThis module identifies the Oracle security patches that are not installed on yourcomputers.
Note:Themodulemaynot report correctmessages if the opatch utility andOraclePatchesmodule is concurrently runningon the sameagent. Symantec recommendsnot to run the Oracle Patches module on the same agent while opatch utility isalready running.
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Patches module
162
Edit default settingsThe check in this group edits the default settings for all the security checks in themodule.
Template filesUse the name list to enable or disable the template files for this check. OraclePatch template files are identified by .orp file extensions.
The following table lists the message for the check.
Table 3-81 Message for Template files
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: red-4
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: No templatefiles specified
Description: TheOracle Patchesmodule was runwithout any templatefiles. No patchrelated checks wereperformed. Checkyour policy to ensurethat at least onetemplate file isenabled for theagent's operatingsystem.
■ UNIX (31035)String ID:ORA_TEMPLATEFILE_MISSING
Category: ESM Error
Oracle patchesThe checks in this group report the patches that are released by Oracle and thatare not applied on the database server.
Patch informationThis check reports information about the patches that have been released withinthe number of days that you specify in the check. The information includes patchtype and number, ID number, patch release date, and description. You shouldverify that all current patches are installed on your Oracle clients and servers.Use the name list to include the template files for this check. When the Patch
163About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Patches module
Information check is run along with the SID Info check, the relevant SIDs arealso reported.
You can download patch updates by using LiveUpdate.
Symantec recommends that you verify that your Oracle server and componentshave the current applicable patches.
The following table lists the messages for the check.
Table 3-82 Messages for Patch information
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: yellow-1
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Patch available
Description: Thepatch is available atOracle's patchesWebsite.
■ UNIX (31030)String ID:ORA_PATCH_AVAILABLE
Category: PolicyCompliance
Severity: yellow-1
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Patchsetavailable
Description: Thepatchset is availableat Oracle's patchesWeb site.
■ UNIX (31031)String ID:ORA_PATCHSET_AVAILABLE
Category: PolicyCompliance
About the Oracle Patch templateThe Patch information check of the Oracle patchesmodule uses the Oracle Patchtemplate. By using this template, the check reports information about the patchesthat have been released within the number of days that you specify in the check.
Updates on the Oracle Patch template
From this release onwards, following changes are made to the existing OraclePatch template:
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Patches module
164
■ The template only includes the patches that are critical, legislative,recommended, and are related to security.
■ The template only includes the patch entries that are present on the Oraclesite.
■ The template that is being shipped with Oracle 5.0 release overwrites theearlier template.
Note: The changes are made to keep alignment with the changes that are madeon the Oracle site.
Creating the Oracle Patch template
Youmust create and enable anewOracle Patch template before you run thePatchinformation check.
To create an Oracle Patch template
1 In the tree view, right-click Templates, and then click New.
2 In the Create New Template dialog box, select Oracle Patch - all.
3 In the Template file name (no extension) text box, type new template filename.
4 After Symantec ESM adds the .orp extension to the template file name, clickOK.
About using the Oracle Patch template
The Oracle Patch template contains the following fields:
Table 3-83 Field and Values/Options descriptions
Values/OptionsDescriptionField
Enter the patch versionnumber that you want thecheck to report on.
Lets you specify the Oracledatabase version of thetarget server that you wantthe check to report on.
Version
165About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Patches module
Table 3-83 Field and Values/Options descriptions (continued)
Values/OptionsDescriptionField
Lets you specify the platformof the target server that youwant the check to report on.
Platform
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Patches module
166
Table 3-83 Field and Values/Options descriptions (continued)
Values/OptionsDescriptionField
■ All
Select this value for thecheck to report on allplatforms.
■ aix
Select this value for thecheck to report on Aixplatforms.
■ hpux-hppa
Select this value for thecheck to report onHpux-hppa platforms.
■ linux
Select this value for thecheck to report on Linuxplatforms.
■ solaris-sparc
Select this value for thecheck to report onSolaris-sparc platforms.
■ hpux-ia64
Select this value for thecheck to report onHpux-ia64 platforms.
■ hpux-hppa/HP-UX 10.20
Select this value for thecheck to report onHP-UX10.20 platforms.
■ redhat-x86
Select this value for thecheck to report onRedHat platforms.
■ WIN2K
Select this value for thecheck to report on allWindows2000platforms.
■ WIN3S
Select this value for thecheck to report on allWindows2003platforms.
■ WIN8S
167About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Patches module
Table 3-83 Field and Values/Options descriptions (continued)
Values/OptionsDescriptionField
Select this value for thecheck to report on allWindows2008platforms.
Enter the name of theproduct that is installed onthe server. For example,Oracle Database server.
Lets you specify the productname that is installed on theserver.
Note: The check does notconsider the product namefor the verification report.
Product
Enter the ID that you wantthe check to report on.
Lets you specify the ID thatyou want the check to reporton.
ID
Enter the Patch ID that youwant the check to report on.
Lets you specify the Patch IDthat you want the check toreport on.
The check reports a violationif the Patch ID that youspecify in the template isgreater than the Patch IDthat is applied on the targetserver.
Patch ID
Enter the date in thefollowing format:YYYY/MM/DD.
Lets you specify the releasedate of the Patch.
Date
■ All
Select this value for thecheck to report on allprocessors.
■ 32 bits
Select this value for thecheck to report on 32-bitprocessor.
■ 64 bits
Select this value for thecheck to report on 64-bitprocessor.
Lets you specify thearchitecture of the serverthat you want the check toreport on.
Architecture
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Patches module
168
Table 3-83 Field and Values/Options descriptions (continued)
Values/OptionsDescriptionField
NALets you enter a descriptionfor the patch.
Description
Select the patch set.Lets you select the patch set.Patch Set
■ Patch ID
Enter the name of thepatch ID that youwant tomerge.
Lets you specify the patchesthat you want to merge byusing the Template SublistEditor.
Merged Patches
Opatch toolThis check enables ESM to use the opatch tool and reports the opatch tool versioninformation. Opatch is the Oracle patch tool, which is a set of PERL scripts thatrun with PERL 5.005_03 and later. You have JRE and JDK installed in the OracleHome to run the OPatch tool. The commands such as jar, java, ar, cp, and make(depending on platforms) available should be present in the Opatch path. Bydefault, the Opatch tools check searches for the OPatch directory that containsthe opatch tool in ORACLE HOME. If the check fails to find the tool in ORACLEHOME, then it takes the path of the opatch tool thatmentioned in the check. Thisapplication can be downloaded from the following URL: http://www.oracle.com.
The following table lists the messages for the check.
Table 3-84 Messages for Opatch tool
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: green-0
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Opatch version
Description: Theopatch tool is at theshown version.
■ UNIX (31032)String ID:ORA_OPATCH_VERSION
Category: SystemInformation
169About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Patches module
Table 3-84 Messages for Opatch tool (continued)
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: green-0
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: OpatchInformation
Description: Thespecified opatch toolreports in theinformation field.
■ UNIX (31033)String ID:ORA_OPATCH_INFO
Category: SystemError
Installed patchesThis checkworks with the Opatchtool check and reports the patches, the opatchtool detects. When the Installed Patches check is run along with the SID Infocheck, the relevant SIDs are also reported.
The following table lists the message for the check.
Table 3-85 Message for Installed patches
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: green-0
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Installedpatches
Description: Theinstalled patch isdetected by theopatch tool.
■ UNIX (31034)String ID:ORA_INSTALLED_PATCH
Category: PolicyCompliance
SID infoThis check add on the relevant SIDs to the patchmessages that are reported fromthe Patch information and Installed patches checks.
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Patches module
170
About the Oracle Profiles moduleThis module checks for the Oracle profiles table that is based on the options thatyou have specified. It reports SIDs, profile names, profile resource names, andresource limits as applicable.
Establishing a baseline snapshotTo establish a baseline, run the Profilesmodule. This creates a snapshot of currentprofile information that you canupdatewhen you run the checks that report new,deleted, or changed information.
Automatically update snapshotsEnable this check to automatically update the snapshots with the currentinformation.
Editing default settingsUse the check in this group to edit the default settings for all the security checksin the module.
Oracle system identifiers (SIDs)Use the name list to include or exclude the Oracle system identifiers (SIDs) forthis check. By default, the check examines all the SIDs that you specify when youconfigure the SymantecESMmodules for the Oracle databases. The configurationfor Symantec ESM Modules for Oracle Databases is stored in/esm/config/oracle.dat.
Reporting profiles and their limitsThe checks in this group report the existing, new, and deleted profiles and theirresource limits.
Profile enforcementThis check reports SIDs that do not enforce profiles.
Symantec recommends that in the database's parameter file, change the value ofthe RESOURCE_LIMIT parameter from FALSE to TRUE so that the profiles areenforced.
The following table lists the message for the check.
171About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Profiles module
Table 3-86 Message for Profile enforcement
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: red-4
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Profiles are notenabled
Description: Theprofile is notenforced in thedatabase. By defaultno profiles areenforced until youchange the value oftheRESOURCE_LIMITparameter fromFALSE to TRUE forthe database'sinstance.
■ UNIX (30949)String ID:ORA_PROFILE_NOT_ENABLED
Category: SystemInformation
ProfilesThis check reports all profiles that are defined in the database. Use the name listto exclude profiles for this check. You should periodically review the profiles toensure that all profiles are authorized and that profile resources and resourcelimits are allocated efficiently.
The following table lists the message for the check.
Table 3-87 Message for Profiles
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: green-0
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Existingprofiles
Description: Theprofile is defined inthe database.
■ UNIX (30930)String ID:ORA_PROFILE_LIST
Category: SystemInformation
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Profiles module
172
New profilesThis check reports all profiles that were defined in the database after the lastsnapshot update. Use the name list to exclude profiles for this check.
If the addition is authorized, Symantec recommends that you either update thesnapshot or delete the profile.
The following table lists the message for the check.
Table 3-88 Message for New profiles
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: yellow-1
Correctable: false
Snapshot Updatable:true
Template Updatable:false
Information FieldFormat: [%s]
Title: New profile
Description: Theprofile was added tothe database afterthe last snapshotupdate. If theaddition isauthorized, updatethe snapshot. If theaddition is notauthorized, deletethe profile.
■ UNIX (30931)String ID:ORA_PROFILE_ADDED
Category: ChangeNotification
Deleted profilesThis check reports all the profiles that were deleted from the database after thelast snapshot update. Use the name list to exclude profiles for this check.
If the deletion is authorized, Symantec recommends that you either update thesnapshot or restore the profile.
The following table lists the message for the check.
173About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Profiles module
Table 3-89 Message for Deleted profiles
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: yellow-1
Correctable: false
Snapshot Updatable:true
Template Updatable:false
Information FieldFormat: [%s]
Title: Deleted profile
Description: Theprofile was droppedfrom the databaseafter the lastsnapshot update. Ifthe deletion isauthorized, updatethe snapshot. If thedeletion is notauthorized, restorethe profile.
■ UNIX (30932)String ID:ORA_PROFILE_DELETED
Category: ChangeNotification
Profile resourcesThis check reports profile resource limits. Use the name list to exclude profilesfor this check.
Symantec recommends that you must ensure that the profile resource limitsmatches with the company's security policies.
The following table lists the message for the check.
Table 3-90 Message for Profile resources
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: green-0
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Profile resourcelimits
Description: Theprofile and itsresource limits aredefined in thedatabase. Verify thatthe profile resourcelimits conform tocompany securitypolicies.
■ UNIX (30933)String ID:ORA_PROFILE_LIMIT_LIST
Category: SystemInformation
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Profiles module
174
Changed resource limitsThis check reports the profile resource limits that changed after the last snapshotupdate. Use the name list to exclude profiles for this check.
If the change is authorized, Symantec recommends that you either update thesnapshot or restore the previous limit.
The following table lists the message for the check.
Table 3-91 Message for Changed resource limits
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: yellow-1
Correctable: false
Snapshot Updatable:true
Template Updatable:false
Information FieldFormat: [%s]
Title: Changedprofileresource limit
Description: Theprofile's resourcelimit changed afterthe last snapshotupdate. Update thesnapshot if theresource limit isappropriate; changethe limit if it is notappropriate. Limitsshould be highenough to permitnormal resourceusagebut lowenoughto prevent abuse.
■ UNIX (30936)String ID:ORA_PROFILE_LIMIT_CHANGED
Category: ChangeNotification
Reporting CPU limit violationsThe checks in this group report the CPU resource limits.
Oracle profilesUse the name list to include or exclude the Oracle profiles for the resourcelimitation checks.
Sessions per userThis check reports the profiles that allow more number of concurrent sessionsfor each user than the number that you specify in the MaxSession/User text box.
175About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Profiles module
As to prevent access by other users,multiple users should not be given concurrentsession permission.
The following table lists the message for the check.
Table 3-92 Message for Sessions per user
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: yellow-1
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Sessions peruser too high
Description: Theprofile permits moresessions per userthan you specifiedfor the check.SESSIONS_PER_USERspecifies themaximumnumber ofconcurrent sessionsper user.
■ UNIX (30948)String ID:ORA_PROFILE_SESSIONS_PER_USER
Category: PolicyCompliance
CPU time per sessionThis check reports profiles that allowmoreCPUtime per session than the amountthat you specify in the check. Specify themaximumamount of time that is allowedper session in hundredths of a second.
Symantec recommends that you specify a maximum CPU time per session limitthat allow users to perform their duties without frequent logging on and loggingout. It prevents a small number of users from denying service to others by usingexcessive CPU resources.
The following table lists the message for the check.
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Profiles module
176
Table 3-93 Message for CPU time per session
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: yellow-1
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: CPU time persession exceeds limit
Description: Theprofile's maximumCPU time per sessionexceeds the amountthat you specified inthe check. Time isexpressed inhundredths of asecond. Specify arealistic limit toprevent one or moreusers from lockingout other users byusing all of the CPUcapacity.
■ UNIX (30937)String ID:ORA_PROFILE_CPU_PER_SESSION
Category: PolicyCompliance
CPU time per callThis check reports the profiles that allow more CPU time for each call, such asfetch, execute, and parse, than the amount of time that you specify in the check.Specify the maximum amount of time that is allowed per call in hundredths of asecond.
Symantec recommends that you specify a maximum CPU time per call limit thatallow users perform their duties and that prevents a small number of users fromdenying service to others by using excessive CPU resources.
The following table lists the message for the check.
177About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Profiles module
Table 3-94 Message for CPU time per call
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: yellow-1
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: CPU time percall exceeds limit
Description: Theprofile's maximumCPU time per callexceeds the amountthat you specified inthe check. Time isexpressed inhundredths of asecond. Specify arealistic limit toprevent one or morecalls from lockingoutother calls by usingall of the CPUcapacity.
■ UNIX (30938)String ID:ORA_PROFILE_CPU_PER_CALL
Category: PolicyCompliance
Connection timeThis check reports the profiles that allow more elapsed connection time for anaccount than the number of minutes that you specify in the check.
Symantec recommends that you specify a realistic limit that allowusers to performtheir duties and that prevents a few connections from denying service to othersby using excessive CPU resources.
The following table lists the message for the check.
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Profiles module
178
Table 3-95 Message for Connection time
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: yellow-1
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Connect timeexceeds limit
Description: Thenumber of minutesallowed for theprofile's connectionexceeds the numberof minutes that youspecified in thecheck. Specify arealistic limit toprevent one or moreconnections fromdenying service toother users bymonopolizing CPUcapacity.
■ UNIX (30939)String ID:ORA_PROFILE_CONNECT_TIME
Category: PolicyCompliance
Idle timeThis check reports profiles that allow more idle time before a process isdisconnected than the number of minutes that you specify in the check.
The connections that are idle for a long period may indicate that the machine isunattended.
Symantec recommends that you specify a realistic amount of time before aninactive process is disconnected.
The following table lists the message for the check.
179About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Profiles module
Table 3-96 Message for Idle time
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: yellow-1
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Idle timeexceeds limit
Description: Theprofile's maximumidle time exceeds thelimit that youspecified in thecheck. Specify arealistic amount oftime before aninactive process isdisconnected.Connections that areidle for a long periodmay indicate that themachine isunattended, whichwould pose a securitythreat.
■ UNIX (30941)String ID:ORA_PROFILE_IDLE_TIME
Category: PolicyCompliance
Reporting password violationsThe checks in this group report the profiles with settings for the number of failedlogon attempts, password grace time, password duration, password lock time, andpassword reuse requirements that violate your security policy. Password strengthchecks, which compare passwords to common words and user names,
Failed loginsThis check reports the profiles that allow more failed login attempts than thenumber that you specify in the check.
Symantec recommends that you restrict the number of permitted failed loginattempts tominimize the likelihood of break-in by intruderswho attempt to guessuser names and passwords.
The following table lists the message for the check.
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Profiles module
180
Table 3-97 Message for Failed logins
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: red-4
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Failed loginattempts exceed limit
Description: Thenumber of failedlogins permittedbefore an account islocked exceeds thenumber that youspecified in thecheck. Restrict thenumber of failedattempts permittedto minimize thelikelihood ofintruders guessinguser names andpasswords.
■ UNIX (30940)String ID:ORA_PROFILE_FAILED_LOGIN_ATTEMPTS
Category: PolicyCompliance
Password grace timeThis check reports the profiles that have their password grace days different thanthe number that you specify in the Password Grace text box. Now, you can alsouse the comparison operators before specifying the value in the text box. Thevalue that you specify in the text box refers to the number of days wherein awarning is given before your password expires. The comparison operators are asfollows: Equal (=), Not equal (!=), Less than (<), Greater than (>), Less than or equalto (<=), Greater than or equal to (>=).
Symantec recommends that you specify realistic number of days for a user tochange a password after being warned that it is about to expire.
The following table lists the message for the check.
181About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Profiles module
Table 3-98 Message for Password grace time
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: yellow-1
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Password gracetime differs fromlimit
Description: Theprofile's passwordgrace time is not thesameas the limit thatyou specified in thecheck. Specify arealistic number ofdays for a user tochange a passwordafter being warnedthat it is about toexpire.
■ UNIX (30942)String ID:ORA_PROFILE_PASS_GRACE_TIME
Category: PolicyCompliance
Password durationThis check reports the profiles that permit a password to be used for more daysthan the number that you specify in the check.
Symantec recommends that you change your password often to minimize thepossibility that an intruder will discover the passwords but not so often that youhave difficulty remembering your passwords.
The following table lists the message for the check.
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Profiles module
182
Table 3-99 Message for Password duration
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: red-4
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Passwordduration too high
Description: Themaximumnumber ofdays permitted forthe profile'spasswordexceeds thenumber of days thatyou specified in thecheck. Requirepassword changesoften tominimize thelikelihood that theywill be discovered byan intruder.
■ UNIX (30943)String ID:ORA_PROFILE_PASS_LIFE_TIME
Category: PolicyCompliance
Password lock timeThis check reports the profiles that lock accounts for fewer days than the numberthat you specify in the check. Accounts are locked after the number of failed loginattempts that you specify in the FAILED_LOGIN_ATTEMPTS parameter of theprofile. PASSWORD_LOCK_TIMEparameter specifies the number of days that anaccount is locked.
Symantec recommends that you change the resource parameterPASSWORD_LOCK_TIME setting to match with your security policy.
The following table lists the message for the check.
183About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Profiles module
Table 3-100 Message for Password lock time
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: yellow-1
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Password locktime too low
Description: Theprofile's passwordlock time is lowerthan the number ofdays that youspecified in thecheck.Verify that thePASSWORD_LOCK_TIMEparameter settingconformstocompanysecurity policies.
■ UNIX (30944)String ID:ORA_PROFILE_PASS_LOCK_TIME
Category: PolicyCompliance
Password reuse maxThis check reports profiles that require fewer password changes before a passwordcan be reused than the number that you specify in the check.
Note: If you set a PASSWORD_REUSE_MAX value, PASSWORD_REUSE_TIMEmust be UNLIMITED.
Symantec recommends that you change the resource parameterPASSWORD_REUSE_MAXto require a realistic number of times that a passwordmust be changed before it can be reused.
The following table lists the message for the check.
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Profiles module
184
Table 3-101 Message for Password reuse max
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: yellow-1
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Password reusemaximum too low
Description: Theprofile permits apassword to be reusedafter fewer changesthan the number ofchanges that youspecified in the check.If you set aPASSWORD_REUSE_MAXvalue,PASSWORD_REUSE_TIMEmust be UNLIMITED.
■ UNIX (30945)String ID:ORA_PROFILE_PASS_REUSE_MAX
Category: PolicyCompliance
Severity: yellow-1
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Password reusesettings weaker thanexpected
Description: Thepassword reusesettings in the profileare weaker than thevalues that arespecified in the check.
■ UNIX (30955)String ID:ORA_PROFILE_PASS_REUSE_WEAK
Category: PolicyCompliance
Password reuse timeThis check reports profiles that require fewer days before a password can bereused than the number that you specify in the check.
Note: If this setting has a value,PASSWORD_REUSE_TIMEmust be UNLIMITED.If you set a PASSWORD_REUSE_TIME value, PASSWORD_REUSE_MAX must beUNLIMITED.
Symantec recommends that you change the resource parameterPASSWORD_REUSE_TIME to require a realistic amount of time that must passbefore it can be reused.
The following table lists the message for the check.
185About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Profiles module
Table 3-102 Message for Password reuse time
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: yellow-1
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Password reusetime too low
Description: Theprofile permits apassword to bereused after fewerdays than youspecified in thecheck. If you specifyaPASSWORD_REUSE_TIMEvalue,PASSWORD_REUSE_MAXmustbeUNLIMITED.
■ UNIX (30946)String ID:ORA_PROFILE_PASS_REUSE_TIME
Category: PolicyCompliance
Severity: yellow-1
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Password reusesettings weaker thanexpected
Description: Thepassword reusesettings in the profileare weaker than thevalues that arespecified in thecheck.
■ UNIX (30955)String ID:ORA_PROFILE_PASS_REUSE_WEAK
Category: PolicyCompliance
Password verify functionThis check reports profiles that donot use one ormore of the password complexityfunctions that you specify in the name list. Use the name list to include thefunctions for this check.
Note: Password complexity functions are specified in the resource parameterPASSWORD_VERIFY_FUNCTION.
Symantec recommends thatyou immediately assigna securepasswordand instructthe user to log on with the secure password and change the password again.
The following table lists the message for the check.
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Profiles module
186
Table 3-103 Message for Password verify function
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: yellow-1
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Passwordverifyfunction
Description: Theprofile's passwordverification functiona name that does notexist in the list thatyou specified in thecheck. Specify thename of a script tocall forPROFILE_PASS_VERIFY_FUNCTION.
■ UNIX (30947)String ID:ORA_PROFILE_PASS_VERIFY_FUNCTION
Category: PolicyCompliance
Invalid profilesThis check reports users that are assigned to profiles that fail one or more of theenabled resource limitation checks. Use the name list to exclude the users for thischeck.
The following table lists the message for the check.
Table 3-104 Message for Invalid profiles
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: yellow-3
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Invalid profileassigned
Description: Theuser's profile isinvalid. It fails one ormore enabled profileresource limitationchecks. Verify thatthe profile iscorrectly defined inthe database.
■ UNIX (30950)String ID:ORA_INVALID_PROFILE_ASSIGNED
Category: PolicyCompliance
187About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Profiles module
Profile settingsThis check reports the profile settings that do not match the settings that arespecified in the template file. Use the name list to enable or disable the templatefiles.
The following table lists the message for the check.
Table 3-105 Message for Profile settings
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: red-4
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Object notfound
Description: Noprofile found thatmatches the name asspecified in thetemplate. For moreinformation, referthe Informationcolumn.
■ UNIX (30954)String ID:ORA_PROF_NOT_FOUND
Category: PolicyCompliance
Severity: red-4
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Profile settingsmismatch
Description: Theprofile settings thatare present in thedatabase do notmatch with thesettings that arespecified in thetemplate. For moreinformation, referthe Informationcolumn.
■ UNIX (30251)String ID:ORA_PROF_R
Category: PolicyCompliance
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Profiles module
188
Table 3-105 Message for Profile settings (continued)
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: yellow-1
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Profile settingsmismatch
Description: Theprofile settings thatare present in thedatabase do notmatch with thesettings that arespecified in thetemplate. For moreinformation, referthe Informationcolumn.
■ UNIX (30252)String ID:ORA_PROF_Y
Category: PolicyCompliance
Severity: green-0
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Profile settingsmismatch
Description: Theprofile settings thatare present in thedatabase do notmatch with thesettings that arespecified in thetemplate. For moreinformation, referthe Informationcolumn.
■ UNIX (30253)String ID:ORA_PROF_G
Category: PolicyCompliance
About the Oracle Profiles templateIn the Oracle Profiles module, the Profile settings check uses the Oracle Profilestemplate. The check reports the profile settings that do not match the settingsthat are specified in the template.
Creating the Oracle Profiles templateYou must create and enable a new Oracle Profiles template before you run theProfile settings check.
189About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Profiles module
To create an Oracle Profiles template
1 In the tree view, right-click Templates, and then click New.
2 In the Create New Template dialog box, select Oracle Profiles - all.
3 In the Template file name (no extension) text box, type new template filename.
4 After Symantec ESM adds the .opa extension to the template file name, clickOK.
About using the Oracle Profiles templateThe Oracle Profiles template contains the following fields:
Table 3-106 Field and Values/Options descriptions
Values/OptionsDescriptionField
Enter a name for the profile.Lets you specify the name ofthe profile.
Profile Name
Enter the number ofconcurrent sessions for auser.
Lets you specify number ofconcurrent sessions for auser.
Sessions per User
Enter the CPU time a call.Lets you specify the CPUtime for a call.
CPU time per call
Enter a connection time foran account.
Lets you specify theconnection time for anaccount.
Connection time
Enter the idle time that yourequire before the process isdisconnected.
Lets you specify the idle timethat is required before aprocess is disconnected.
Idle time
Enter a number to allowfailed login attempts.
Lets you specify a period forthe failed login attempts.
Failed logins
Enter a number for thepassword grace period.
Lets you specify thepassword grace period.
Password grace time
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Profiles module
190
Table 3-106 Field and Values/Options descriptions (continued)
Values/OptionsDescriptionField
Enter password duration forthe number of failed logonattempts, password gracetime, password duration,password lock time, andpassword reuserequirements.
Lets you specify the settingsfor the number of failedlogon attempts, passwordgrace time, passwordduration, password lock time,and password reuserequirements that violateyour security policy.
Password duration
Enter a number for thepassword lock time period.
Lets you specify thepassword lock time period.
Password lock time
Enter anumber to specify themaximum period for thepassword usage.
Lets you specify themaximum period for thepassword usage.
Password reuse max
Enter anumber to specify themaximum period for thepassword reuse.
Lets you specify themaximum period before thepassword can be reused.
Password reuse time
Enter a password complexityfunction.
Lets you specify thepassword complexityfunctions.
Password verify function
■ Green
Select Green for anInformation message.
■ Yellow
Select Yellow for aWarning message.
■ Red
Select Red for an Errormessage.
Lets you specify the severityfor the messages that thecheck reports.
Severity
About the Oracle Roles moduleThis module checks for the Oracle roles that are based on the options that youhave specified.
191About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Roles module
Establishing a baseline snapshotTo establish a baseline, run the Roles module. This creates a snapshot of currentrole information that you can update when you run checks for new, deleted, orchanged information.
Automatically update snapshotsEnable this check to automatically update the snapshots with the currentinformation.
Editing default settingsUse the check in this group to edit the default settings for all the security checksin the module.
Oracle system identifiers (SIDs)Use the name list to include the Oracle system identifiers (SIDs) for this check.By default, the check examines all the SIDs that you specify when you configurethe Symantec ESM modules for the Oracle databases. The configuration forSymantec ESM Modules for Oracle Databases is stored in /esm/config/oracle.datfile.
Reporting rolesThe checks in this group report the existing roles and the roles that have beenadded or deleted since the last snapshot update.
RolesThis check reports roles that are defined in the database. Use the name list toexclude the roles for this check.
Symantec recommends that you remove the roles that are not authorized or areout of date. Periodically, youmust review the roles to ensure that they are currentlyauthorized.
The following table lists the message for the check.
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Roles module
192
Table 3-107 Message for Roles
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: green-0
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Defined role
Description: The roleis defined for the SID.
■ UNIX (30236)String ID:ORA_EXISTING_ROLES
Category: SystemInformation
New rolesThis check reports roles that were added to the database after the last snapshotupdate. Use the name list to exclude the roles for this check.
If the new role is authorized, Symantec recommends that you either update thesnapshot or drop the role.
The following table lists the message for the check.
Table 3-108 Message for New roles
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: yellow-1
Correctable: false
Snapshot Updatable:true
Template Updatable:false
Information FieldFormat: [%s]
Title: New role
Description: The rolewas added to thedatabase after thelast snapshot update.If the addition isauthorized, updatethe snapshot. If theaddition is notauthorized, deletethe role.
■ UNIX (30237)String ID:ORA_ADDED_ROLES
Category: ChangeNotification
193About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Roles module
Deleted rolesThis check reports roles that have been deleted from the database since the lastsnapshot update. Use the name list to exclude the roles for this check.
If the deletion is authorized, Symantec recommends that you either update thesnapshot or restore the role.
The following table lists the message for the check.
Table 3-109 Message for Deleted roles
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: yellow-1
Correctable: false
Snapshot Updatable:true
Template Updatable:false
Information FieldFormat: [%s]
Title: Deleted role
Description: The rolewas deleted from thedatabase after thelast snapshot update.Update the snapshotif the deletion isauthorized; restorethe role if thedeletion is notauthorized.
■ UNIX (30238)String ID:ORA_DELETED_ROLES
Category: ChangeNotification
Reporting role privilegesThe checks in this group report the role privileges and the privileges that weregranted to or removed from the roles after the last snapshot update, and grantablerole privileges.
PrivilegesThis check reports privileges that have been granted to roles. Use the name listto exclude the roles for this check.
Symantec recommends that you add or remove the privileges for the roles asappropriate. Periodically, you must review the roles to ensure that the privilegesgranted to them are consistent with the current user duties.
The following table lists the message for the check.
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Roles module
194
Table 3-110 Message for Privileges
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: green-0
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Role privilege
Description: The roleincludes theprivilegethat is reported inthe Info field.
■ UNIX (30239)String ID:ORA_ROLE_PRIVILEGE
Category: SystemInformation
New privilegesThis check reports privileges that were directly granted to roles after the lastsnapshot update. Use the name list to exclude the roles for this check.
If the new privilege is authorized, Symantec recommends that you either updatethe snapshot or drop the privilege from the role.
The following table lists the message for the check.
Table 3-111 Message for New privileges
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: yellow-1
Correctable: false
Snapshot Updatable:true
Template Updatable:false
Information FieldFormat: [%s]
Title: New roleprivilege
Description: Theprivilegewas directlygranted to the roleafter the lastsnapshot update. Ifthe addition isauthorized, updatethe snapshot. If theaddition is notauthorized, drop theprivilege from therole.
■ UNIX (30240)String ID:ORA_ADDED_ROLE_PRIVILEGE
Category: ChangeNotification
195About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Roles module
Deleted privilegesThis check reports privileges that were dropped from the roles after the lastsnapshot update. Use the name list to exclude the roles for this check.
If the deletion is authorized, Symantec recommends that you either update thesnapshot or restore the privilege.
The following table lists the message for the check.
Table 3-112 Message for Deleted privileges
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: yellow-1
Correctable: false
Snapshot Updatable:true
Template Updatable:false
Information FieldFormat: [%s]
Title: Deleted roleprivilege
Description: Thedirectly grantedprivilege wasdropped from therole after the lastsnapshot update. Ifthe deletion isauthorized, updatethe snapshot. If thedeletion is notauthorized, restorethe privilege to therole.
■ UNIX (30241)String ID:ORA_DELETED_ROLE_PRIVILEGE
Category: ChangeNotification
Grantable privilegesThis check reports the grantable privileges that have been granted to the roles.Use the name list to exclude the roles for this check.
Symantec recommends that you periodically review all grantable role privilegesto ensure that the grantable privilege is appropriate for the role. Youmust revokegrantable role privileges from the users who are not authorized to grant them.
The following table lists the message for the check.
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Roles module
196
Table 3-113 Message for Grantable privileges
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: green-0
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Grantable roleprivilege
Description: Theprivilege of the roleis grantable. Verifythat the privilege isappropriate for therole.
■ UNIX (30242)String ID:ORA_GRANTABLE_ROLE_PRIVILEGE
Category: SystemInformation
Nested rolesThis check reports roles and the nested roles that they contain. Use the name listto include or exclude the roles for this check.
Table 3-114 Message for Nested roles
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: green-0
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Nested role
Description: The rolehas been directlygranted to the role.
■ UNIX (30243)String ID:ORA_ROLE_ROLE
Category: SystemInformation
New nested rolesThis check reports roles that were directly granted to other roles after the lastsnapshot update. Use the name list to include or exclude the roles for this check.
If the change is authorized, Symantec recommends that you either update thesnapshot or drop the nested role.
The following table lists the message for the check.
197About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Roles module
Table 3-115 Message for New nested roles
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: yellow-1
Correctable: false
Snapshot Updatable:true
Template Updatable:false
Information FieldFormat: [%s]
Title:Newnested role
Description: The rolewas directly grantedto the role after thelast snapshot update.If the addition isauthorized, updatethe snapshot. If theaddition is notauthorized, drop thenested role from therole.
■ UNIX (30244)String ID:ORA_ADDED_ROLE_ROLE
Category: ChangeNotification
Deleted nested roleThis check reports the nested roles that were removed from parent roles sincethe last snapshot update. Use the name list to include or exclude the roles for thischeck.
The following table lists the message for the check.
Table 3-116 Message for Deleted nested role
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: yellow-1
Correctable: false
Snapshot Updatable:true
Template Updatable:false
Information FieldFormat: [%s]
Title: Nested roledeleted
Description: Thenested role wasdropped from roleafter the lastsnapshot update. Ifthe deletion isauthorized, updatethe snapshot. If thedeletion is notauthorized, restorethe nested role.
■ UNIX (30245)String ID:ORA_DELETED_ROLE_ROLE
Category: ChangeNotification
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Roles module
198
Grantable nested roleThis check reports the grantable roles that have been granted to other roles. Usethe name list to exclude the grantee roles for this check.
Symantec recommends that you periodically review the grantable nested roles toensure that they are currently authorized for the roleswhere they reside and thatthe roles are currently authorized to grant the nested roles.
The following table lists the message for the check.
Table 3-117 Message for Grantable nested role
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: green-0
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Grantablenested role
Description: The roleincludes the nestedgrantable role. Verifythat the role grantedto the grantee isauthorized, and thatthe grantee isauthorized to havethe grantable role.
■ UNIX (30246)String ID:ORA_GRANTABLE_ROLE_ROLE
Category: SystemInformation
Reporting role accessThe checks in this group report password-protected roles that are used as defaultroles, directly granted DBA roles, roles without password protection, and tablesaccessed by the public role.
Password-protected default roleThis check reports the password-protected default roles of the roles.
For example:
■ Create a Role ‘Role A.’
■ Create another role that is identified by a password ‘Role B’.
■ Assign ‘Role B’ to ‘Role A.Now ‘Role B’ is the default password-protected role of Role A and the checkreports 'Role B', which is the default password-protected role of ‘Role A.’
199About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Roles module
The default roles do not require any passwords. Usually, a password-protectedrole has the privileges or roles that require authorization. Users withpassword-protected default roles are not required to enter their passwords to usethe roles. Use the name list to exclude the roles for this check.
Symantec recommends that for anunauthorizeduser, you either assign adifferentdefault role to the user or remove the password protection from the role.
The following table lists the message for the check.
Table 3-118 Message for Password-protected default role
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: yellow-1
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Default rolerequires password
Description: Thedefault role ispassword protected.Password protectedroles usually includeprivileges that aresecurity sensitive. Ifthe role is a role'sdefault role, the roleis not required toenter a password.Verify that thepassword protectedrole is authorized tobe a default role.
■ UNIX (30247)String ID:ORA_DEFAULT_ROLE_PASS_REQUIRED
Category: SystemInformation
DBA equivalent rolesUse the name list to include or exclude roles for the Granted Oracle DBA rolecheck to report on.
Granted Oracle DBA roleThis check reports users and roles that have been directly granted to an Oracledatabase administrator (DBA) role or equivalent. Use the name list to exclude theusers for this check.
Symantec recommends that you either revoke the DBA roles from unauthorizedusers or tightly control the database administrator rights.
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Roles module
200
The following table lists the message for the check.
Table 3-119 Message for Granted Oracle DBA role
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: yellow-1
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: User grantedOracle DBA role
Description:Theuserhas been granted thedatabaseadministrator (DBA)role or equivalent.DBAshave full rightsto system andapplication data,including creatingnew users and roles,granting accessrights, and deletingdatabases. RevokeDBA privileges fromunauthorized usersimmediately, andtightly controladministrator rights.
■ UNIX (30230)String ID:ORA_DBA_ROLE_USERS
Category: PolicyCompliance
Roles without passwordsThis check reports the roles that do not require passwords. The roles that areauthenticated as External or Global are skipped. Use the name list to exclude theroles for this check.
If the role could be exploited to give the users access to security-relatedinformation, Symantec recommends that you password-protect the role. You cancontrol the permissions that are granted to roles that do not require passwords.
The following table lists the message for the check.
201About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Roles module
Table 3-120 Message for Roles without passwords
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: yellow-1
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Password notrequired for role
Description: The roleis not passwordprotected.
■ UNIX (30233)String ID:ORA_ROLE_PASSWORD
Category: PolicyCompliance
PUBLIC role accessThis check reports the tables that users can access with a PUBLIC role and theprivileges that are used.
Symantec recommends that you control the permissions that are granted to thePUBLIC role. The preferred method of granting access is to give EXECUTE to theprocedures.
The following table lists the message for the check.
Table 3-121 Message for PUBLIC role access
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: green-0
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Tableaccessible to PUBLIC
Description: Thetable is accessible toall users through thePUBLIC roleprivilege.
■ UNIX (30234)String ID:ORA_PUBLIC_ACCESS
Category: PolicyCompliance
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Roles module
202
Granted rolesThis check reports the users and the roles that violate the conditions that youspecify in the template. Use the name list to enable or disable the template file.
The following table lists the message for the check.
Table 3-122 Message for Granted roles
AdditionalInformation
Message Titleand Description
Platform andMessageNumeric ID
Message String ID andCategory
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Grantedroles
Description: Therole that isgranted to theaccount is not asper the conditionthat is specifiedin the template.
■ UNIX (30248)String ID:ORA_ROLE_TEMPLATE_G
Category: Policy Compliance
Severity: red-4
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Grantedroles
Description: Therole that isgranted to theaccount is not asper the conditionthat is specifiedin the template.
■ UNIX (30249)String ID:ORA_ROLE_TEMPLATE_R
Category: Policy Compliance
Severity: yellow-1
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Grantedroles
Description: Therole that isgranted to theaccount is not asper the conditionthat is specifiedin the template.
■ UNIX (30250)String ID:ORA_ROLE_TEMPLATE_Y
Category: Policy Compliance
203About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Roles module
Table 3-122 Message for Granted roles (continued)
AdditionalInformation
Message Titleand Description
Platform andMessageNumeric ID
Message String ID andCategory
Severity: red-4
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Incorrectwildcard templateentry
Description: TheMandatoryoptiondoes not supportwildcardcharacterstherefore youmust enter theexact text whenyou select theMandatoryoption.
■ UNIX (30254)String ID:WILDCARD_WITH_MANDATORY_R
Category: ESM Error
About the Oracle Roles templateIn theOracleRolesmodule, theGrantedroles checkuses theOracleRole template.The check lets you report on the roles that you specify in the template.
Creating the Oracle Roles templateYou must create and enable a new Oracle Roles template before you run theGranted roles check.
To create an Oracle Roles template
1 In the tree view, right-click Templates, and then click New.
2 In the Create New Template dialog box, select Oracle Roles - all.
3 In the Template file name (no extension) text box, type new template filename.
4 After Symantec ESM adds the .ogr extension to the template file name, clickOK.
About using the Oracle Roles templateThe Oracle Roles template contains the following fields:
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Roles module
204
Table 3-123 Field and Values/Options descriptions
Wildcard supportValues/OptionsDescriptionField
You can use thewildcard character '*'while specifying therole.
Enter the name of arole for the check toreport on.
Lets you specify therole that you wantthe check to reporton.
Role
You can use thewildcard character '*'while specifying thegrantee.
Enter thenameof thegrantee.
Lets you specify thename of the grantee.
Grantee
NASelect the Adminoption for thegrantee. The optionsare as follows:
■ Yes (With Adminoptions)
■ No (WithoutAdmin options)
■ Either(With/withoutAdmin options)
Lets you specify theAdmin option for thegrantee.
Admin option
NA■ Prohibited
ESM reports amessage if theprivilege is foundon the Oracledatabase.
■ Mandatory
ESM reports amessage if theprivilege is notfound on theOracle database.
Lets you specifywhether you wantESM to report thespecified privilegesas mandatory orprohibited.
Required
NANALets you specify anadditional comment.
Comment
205About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Roles module
Table 3-123 Field and Values/Options descriptions (continued)
Wildcard supportValues/OptionsDescriptionField
NA■ Green
Select Green foran Informationmessage.
■ Yellow
Select Yellow fora Warningmessage.
Red
Select Red for anError message.
Lets you specify theseverity for themessages that thecheck reports.
Severity
NAEnter an Oracleversion.
If youdonot enter anOracle version, thecheck reports on allthe Oracle databaseversions.
Lets you specify theOracle version for thecheck to report on.
Version
NA■ Exclude
Select theprivilege or thegrantee that youwant to excludefor the check toreport on.
■ Name
Enter the namefor the privilegeor the grantee.
Lets you display theTemplate SublistEditor window whenyou click the ExcludeList field.
Exclude List
Granted privilegesThis check reports the privileges and the associated users and roles that violatethe conditions that you specify in the template. Use the name list to enable ordisable the template file.
The following table lists the message for the check.
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Roles module
206
Table 3-124 Message for Granted privileges
AdditionalInformation
Message Titleand Description
Platform andMessageNumeric ID
Message String ID andCategory
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Grantedprivileges
Description: Thesystem privilegesthat are grantedare not as per theconditions thatare specified inthe template.
■ UNIX (30251)String ID:SYSTEM_PRIVILEGES_TEMPLATE_G
Category: Policy Compliance
Severity: red-4
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Grantedprivileges
Description: Thesystem privilegesthat are grantedare not as per theconditions thatare specified inthe template.
■ UNIX (30252)String ID:SYSTEM_PRIVILEGES_TEMPLATE_R
Category: Policy Compliance
Severity: yellow-1
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Grantedprivileges
Description: Thesystem privilegesthat are grantedare not as per theconditions thatare specified inthe template.
■ UNIX (30253)String ID:SYSTEM_PRIVILEGES_TEMPLATE_Y
Category: Policy Compliance
207About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Roles module
Table 3-124 Message for Granted privileges (continued)
AdditionalInformation
Message Titleand Description
Platform andMessageNumeric ID
Message String ID andCategory
Severity: red-4
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Incorrectwildcard templateentry
Description: TheMandatoryoptiondoes not supportwildcardcharacterstherefore youmust enter theexact text whenyou select theMandatoryoption.
■ UNIX (30254)String ID:WILDCARD_WITH_MANDATORY_R
Category: ESM Error
About the Oracle System Privileges templateIn the Oracle Rolesmodule, the Grantedprivileges check uses the Oracle SystemPrivileges template. The check lets you report on the system privileges that youspecify in the template.
Creating the Oracle System Privileges templateYou must create and enable a new Oracle System Privileges template before yourun the Granted privileges check.
To create an Oracle System Privileges template
1 In the tree view, right-click Templates, and then click New.
2 In the Create New Template dialog box, select Oracle System Privileges - all.
3 In the Template file name (no extension) text box, type new template filename.
4 After Symantec ESM adds the .osp extension to the template file name, clickOK.
About using the Oracle System Privileges templateThe Oracle System Privileges template contains the following fields:
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Roles module
208
Table 3-125 Field and Values/Options descriptions
Wildcard supportValues/OptionsDescriptionField
You can use thewildcard character '*'while specifying theprivilege.
Enter a privilegename for the check toreport on.
Lets you specify theprivilege that youwant the check toreport on.
Privilege
You can use thewildcard character '*'while specifying thegrantee.
Enter thenameof thegrantee.
Lets you specify thename of the grantee.
Grantee
NASelect the Adminoption for thegrantee. The optionsare as follows:
■ Yes (With Adminoptions)
■ No (WithoutAdmin options)
■ Either(With/withoutAdmin options)
Lets you specify theAdmin option for thegrantee.
Admin option
NA■ Prohibited
ESM reports amessage if theprivilege is foundon the Oracledatabase.
■ Mandatory
ESM reports amessage if theprivilege is notfound on theOracle database.
■ Allowed
ESM reports amessage if all theprivileges are notfound on theOracle database.
Lets you specifywhether you wantESM to report thespecified privilegesas mandatory,prohibited, orallowed.
Required
NANALets you specify anadditional comment.
Comment
209About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Roles module
Table 3-125 Field and Values/Options descriptions (continued)
Wildcard supportValues/OptionsDescriptionField
NA■ Green
Select Green foran Informationmessage.
■ Yellow
Select Yellow fora Warningmessage.
Red
Select Red for anError message.
Lets you specify theseverity for themessages that thecheck reports.
Severity
NAEnter an Oracleversion.
If youdonot enter anOracle version, thecheck reports on allthe Oracle databaseversions.
Lets you specify theOracle version for thecheck to report on.
Version
NA■ Exclude
Select theprivilege or thegrantee that youwant to excludefor the check toreport on.
■ Name
Enter the namefor the privilegeor the grantee.
Lets you display theTemplate SublistEditor window whenyou click the ExcludeList field.
Exclude List
About the Oracle Tablespace moduleThis module checks for the tablespaces that are based on the options that youhave specified.
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Tablespace module
210
Creating a baseline snapshotTo establish a baseline, run the Tablespace module. This creates a snapshot ofcurrent account information that you can update when you run the checks thatreport new, deleted, or changed information.
Automatically update snapshotsEnable this check to automatically update the snapshots with the currentinformation.
Editing default settingsUse the check in this group to edit the default settings for all the security checksin the module.
Oracle system identifiers (SIDs)Use the name list to include the Oracle system identifiers (SIDs) for this check.By default, the check examines all the SIDs that you specify when you configurethe SymantecESMmodules for the Oracle databases. The SymantecESMmodulesfor Oracle Databases configuration are stored in /esm/config/oracle.dat file.
Reporting tablespacesThe checks in this group report the existing tablespaces and the tablespaces thathave been added or deleted since the last snapshot update.
TablespacesThis check reports all the tablespaces that are created in the Oracle database. Onthe Oracle 11g and later versions, the check also reports the encryption status ofthe tablespaces. Use the name list to exclude the authorized tablespaces for thischeck.
Symantec recommends that you periodically review the tablespaces to ensurethat they are all authorized.
The following table lists the message for the check.
211About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Tablespace module
Table 3-126 Message for Tablespaces
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: green-0
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Oracletablespace
Description: Thetablespace is definedin the database.
■ UNIX (30430)String ID:ORA_TABLESPACE
Category: SystemInformation
New tablespacesThis check reports the tablespaces that were created in the Oracle database afterthe last snapshot update. Use the name list to exclude the authorized tablespacesfor this check.
If the addition is authorized, Symantec recommends that you either update thesnapshot or delete the new tablespace.
The following table lists the message for the check.
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Tablespace module
212
Table 3-127 Message for New tablespaces
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: yellow-1
Correctable: false
Snapshot Updatable:true
Template Updatable:false
Information FieldFormat: [%s]
Title: New Oracletablespace
Description: Thetablespace that isreported in theDatabase Tablespacefield was createdafter the lastsnapshot update. Ifthe tablespace isauthorized, updatethe snapshot. If thetablespace is notauthorized, delete it.
■ UNIX (30431)String ID:ORA_ADDED_TABLESPACE
Category: ChangeNotification
Deleted tablespacesThis check reports the tablespaces that were deleted from the Oracle databaseafter the last snapshot update. Use the name list to exclude the authorizedtablespaces for this check.
If the deletion is authorized, Symantec recommends that you either update thesnapshot or restore the tablespace.
The following table lists the message for the check.
213About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Tablespace module
Table 3-128 Message for Deleted tablespaces
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: yellow-1
Correctable: false
Snapshot Updatable:true
Template Updatable:false
Information FieldFormat: [%s]
Title: Deleted Oracletablespace
Description: Thetablespace that isreported in theDatabase Tablespacefield was deletedafter the lastsnapshot update. Ifthe deletion isauthorized, updatethe snapshot. If thedeletion is notauthorized, restorethe tablespace.
■ UNIX (30432)String ID:ORA_DELETED_TABLESPACE
Category: ChangeNotification
Reporting tablespace datafilesThe checks in this group report the existing datafiles and the datafiles that wereadded to or dropped from the database after the last snapshot update.
Tablespace datafilesThis check reports the locations of all tablespace datafiles if the Permission settingis 0. Otherwise, the check reports either tablespace datafiles that have filepermissions which are less restrictive than you specify in the Permission field,or tablespace datafiles that haveUID/GIDswhich donotmatch the correspondingUID/GIDs in the Oracle database. In the check’s TablespacestoSkip field, specifytablespaces that are to be excluded for the check. In the Permission field, specifya permission value as a three-digit octal number. Use the name list to exclude thetablespaces for this check.
If the file permissions are less restrictive than your security policy, you mustspecify a permission value for the datafile thatmatcheswith your security policy.Periodically, you must review the tablespace datafiles to ensure that they areauthorized and that the file permissions match with your security policy.
The following table lists the messages for the check.
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Tablespace module
214
Table 3-129 Messages for Tablespace datafiles
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: green-0
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Tablespace file
Description: Thetablespace datafile isreported in theTablespace Datafilefield.
■ UNIX (30433)String ID:ORA_DATAFILE
Category: SystemInformation
Severity: yellow-2
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Tablespace filepermission
Description: Thetablespace datafilepermission isexcessive, or itsownership does notmatch thecorrespondingOracledatabasepermissions.
■ UNIX (30440)String ID:ORA_DATAFILE_PERM
Category: PolicyCompliance
Severity: green-0
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [""]
Title: Locked Oraclefile
Description: Filepermissions cannotbe reported becausethe file is being usedby another process.
■ UNIX (30008)String ID:ORA_FILE_LOCKED
Category: SystemError
215About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Tablespace module
Table 3-129 Messages for Tablespace datafiles (continued)
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: green-0
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [""]
Title: Oracle File orfolder not found
Description: Filepermissions cannotbe reported becausethe file beingreferenced cannot befound.
■ UNIX (30009)String ID:ORA_FILE_NOT_FOUND
Category: SystemError
Severity: green-0
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Oracle Folderpermissions
Description: ReportsDirectorypermissions.
■ UNIX (30010)ORA_DIRECTORY_PERMS
Category: SystemError
Severity: green-0
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Functionalitynot Supported
Description: Thisfunctionality is notsupported by ESMoracle app module.
■ UNIX (30011)ORA_NOT_SUPPORTED
Category: SystemInformation
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Tablespace module
216
Table 3-129 Messages for Tablespace datafiles (continued)
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: green-0
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Tablespace file
Description: TheASM managedtablespace datafile isreported in theTablespace Datafilefield.
■ UNIX (41)ORA_ASM_DATAFILE
Category: SystemInformation
Tablespace datafilesThis check reports the locations of all the tablespace datafiles and lists all theOperating system accounts that have permissions on the file. Use the name listto exclude the tablespaces for this check.
If the file permissions are less restrictive than your security policy, you mustspecify a permission value for the datafile thatmatcheswith your security policy.Periodically, you must review the tablespace datafiles to ensure that they areauthorized and that the file permissions match with your security policy.
The following table lists the messages for the check.
New tablespace datafilesThis check reports the datafiles that were added to tablespaces after the lastsnapshot update. Use the name list to exclude the tablespaces for this check.
If the change is authorized, Symantec recommends that you either update thesnapshot or drop the datafile from the tablespace.
The following table lists the message for the check.
217About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Tablespace module
Table 3-130 Message for New tablespace datafiles
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: yellow-1
Correctable: false
Snapshot Updatable:true
Template Updatable:false
Information FieldFormat: [%s]
Title: New tablespacedatafile
Description: Thetablespace datafilethat is reported inthe TablespaceDatafile field wasadded to thetablespace after thelast snapshot update.If the addition isauthorized, updatethe snapshot. If theaddition is notauthorized, drop thedatafile from thetablespace.
■ UNIX (30434)String ID:ORA_ADDED_DATAFILE
Category: ChangeNotification
Deleted tablespace datafilesThis checkworkswith theNew tablespace datafiles check and reports the datafilesthat were deleted after the last snapshot update. Use the name list to exclude thetablespaces for this check.
If the deletion is authorized, Symantec recommends that you either update thesnapshot or restore the datafile.
The following table lists the message for the check.
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Tablespace module
218
Table 3-131 Message for Deleted tablespace datafiles
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: yellow-1
Correctable: false
Snapshot Updatable:true
Template Updatable:false
Information FieldFormat: [%s]
Title: Deletedtablespace datafile
Description: Thetablespace datafilethat is reported inthe TablespaceDatafile field wasdropped from thereported tablespaceafter the lastsnapshot update. Ifthe deletion isauthorized, updatethe snapshot. If thedeletion is notauthorized, restorethe datafile to thetablespace.
■ UNIX (30435)String ID:ORA_DELETED_DATAFILE
Category: ChangeNotification
Reporting SYSTEM tablespace informationThe checks in this group report objects in the SYSTEMtablespace anduserswhosedefault or temporary tablespace is the SYSTEM tablespace.
Objects in SYSTEM tablespaceThis check reports tables and indexes that are in the SYSTEM tablespace. Use thename list to exclude users (owners) for this check.
Symantec recommends that you ensure only authorized objects reside in theSYSTEM tablespace.
The following table lists the message for the check.
219About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Tablespace module
Table 3-132 Message for Object in SYSTEM tablespace
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: green-0
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Object inSYSTEM tablespace
Description: Theobject that isreported in theTablespace Objectfield is in theSYSTEM tablespace.Drop the object ormove it to anauthorizedtablespace.
■ UNIX (30436)String ID:ORA_TAB_IN_SYS_TABLESPACE
Category: PolicyCompliance
SYSTEM tablespace assigned to userThis check reports the users whose default or temporary tablespaces are theSYSTEM tablespace. Use the name list to exclude users for this check.
Symantec recommends that you ensure only authorized objects reside in theSYSTEM tablespace.
The following table lists the message for the check.
Table 3-133 Message for SYSTEM tablespace assigned to user
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: green-0
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: SYSTEMtablespace assignedto user
Description:Theuserthat is reported inthe User field usesthe SYSTEMtablespace as adefault or temporarytablespace. Drop theuser or change theuser's tablespace.
■ UNIX (30437)String ID:ORA_USER_USING_SYS_TABLESPACE
Category: PolicyCompliance
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Tablespace module
220
Reporting DBA tablespace quotasThe checks in this group report violations of MAX_BYTES and MAX_BLOCKStablespace quotas.
Oracle tablespacesUse the name list to include or exclude the tables for the You can use this optionto specify tables for the MAX_BYTES in DBA_TS_QUOTAS and MAX_BLOCKS inDBA_TS_QUOTAS checks.
MAX_BYTES in DBA_TS_QUOTASThis check reports users with resource rights to tablespaces whose MAX_BYTESvalues exceed the value that you specify in the check. For an unlimited numberof bytes, specify -1 in the MAX_BYTES field. Use the name list to exclude anyauthorized users for this check.
Symantec recommends that you drop the user or change the user's MAX_BYTESsetting for the tablespace.
The following table lists the message for the check.
Table 3-134 Message for MAX_BYTES in DBA_TS_QUOTAS
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: yellow-1
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: MAX_BYTESper tablespaceexceeded
Description:Theuserexceeds themaximumnumber ofMAX_BYTES inDBA_TS_QUOTASfor the tablespacethat is reported inthe Info field. Dropthe user or changethe user'sMAX_BYTES settingfor the reportedtablespace.
■ UNIX (30438)String ID:ORA_MAX_BYTES_QUOTA
Category: PolicyCompliance
221About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Tablespace module
MAX_BLOCKS in DBA_TS_QUOTASThis check reports userswith resource rights to tablespaceswhoseMAX_BLOCKSvalues exceed the value that you specify in the check. For an unlimited numberof bytes, specify -1 in the MAX_BLOCKS field. Use the name list to exclude anyauthorized users for this check.
Symantec recommends that you drop the user or change the user'sMAX_BLOCKSsetting for the tablespace.
The following table lists the message for the check.
Table 3-135 Message for MAX_BLOCKS in DBA_TS_QUOTAS
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
Message String IDand Category
Severity: yellow-1
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: MAX_BLOCKSper tablespaceexceeded
Description:Theuserexceeds themaximumnumber ofMAX_BLOCKS inDBA_TS_QUOTASfor the tablespacethat is reported inthe Info field. Dropthe user or changethe user'sMAX_BLOCKSsetting for thereported tablespace.
■ UNIX (30439)String ID:ORA_MAX_BLOCKS_QUOTA
Category: PolicyCompliance
About the Symantec ESM Modules for Oracle DatabasesAbout the Oracle Tablespace module
222