Upload
others
View
4
Download
0
Embed Size (px)
Citation preview
Symantec™ EnterpriseSecurity Manager OracleDatabase Modules UserGuide
Version 5.4
Symantec™ Enterprise Security Manager OracleDatabase Modules User Guide
Documentation version: 5.4
Legal NoticeCopyright © 2015 Symantec Corporation. All rights reserved.
Symantec, the Symantec Logo, ActiveAdmin, BindView, bv-Control, and LiveUpdate aretrademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. andother countries. Other names may be trademarks of their respective owners.
This Symantec product may contain third party software for which Symantec is required toprovide attribution to the third party (“Third Party Programs”). Some of the Third Party Programsare available under open source or free software licenses. The License Agreementaccompanying the Software does not alter any rights or obligations you may have under thoseopen source or free software licenses. Please see the Third Party Legal Notice Appendix tothis Documentation or TPIP ReadMe File accompanying this Symantec product for moreinformation on the Third Party Programs.
The product described in this document is distributed under licenses restricting its use, copying,distribution, and decompilation/reverse engineering. No part of this document may bereproduced in any form by any means without prior written authorization of SymantecCorporation and its licensors, if any.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIEDCONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIEDWARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE ORNON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCHDISCLAIMERSAREHELD TOBE LEGALLY INVALID. SYMANTECCORPORATIONSHALLNOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTIONWITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THEINFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGEWITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be commercial computer softwareas defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19"Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights inCommercial Computer Software or Commercial Computer Software Documentation", asapplicable, and any successor regulations. Any use, modification, reproduction release,performance, display or disclosure of the Licensed Software and Documentation by the U.S.Government shall be solely in accordance with the terms of this Agreement.
Symantec Corporation350 Ellis StreetMountain View, CA 94043
http://www.symantec.com
Technical SupportSymantec Technical Support maintains support centers globally. Technical Support’sprimary role is to respond to specific queries about product features and functionality.The Technical Support group also creates content for our online Knowledge Base.The Technical Support group works collaboratively with the other functional areaswithin Symantec to answer your questions in a timely fashion. For example, theTechnical Support group works with Product Engineering and Symantec SecurityResponse to provide alerting services and virus definition updates.
Symantec’s support offerings include the following:
■ A range of support options that give you the flexibility to select the right amountof service for any size organization
■ Telephone and/or Web-based support that provides rapid response andup-to-the-minute information
■ Upgrade assurance that delivers software upgrades
■ Global support purchased on a regional business hours or 24 hours a day, 7days a week basis
■ Premium service offerings that include Account Management Services
For information about Symantec’s support offerings, you can visit our website atthe following URL:
www.symantec.com/business/support/
All support services will be delivered in accordance with your support agreementand the then-current enterprise technical support policy.
Contacting Technical SupportCustomers with a current support agreement may access Technical Supportinformation at the following URL:
www.symantec.com/business/support/
Before contacting Technical Support, make sure you have satisfied the systemrequirements that are listed in your product documentation. Also, you should be atthe computer on which the problem occurred, in case it is necessary to replicatethe problem.
When you contact Technical Support, please have the following informationavailable:
■ Product release level
■ Hardware information
■ Available memory, disk space, and NIC information
■ Operating system
■ Version and patch level
■ Network topology
■ Router, gateway, and IP address information
■ Problem description:
■ Error messages and log files
■ Troubleshooting that was performed before contacting Symantec
■ Recent software configuration changes and network changes
Licensing and registrationIf your Symantec product requires registration or a license key, access our technicalsupport Web page at the following URL:
www.symantec.com/business/support/
Customer serviceCustomer service information is available at the following URL:
www.symantec.com/business/support/
Customer Service is available to assist with non-technical questions, such as thefollowing types of issues:
■ Questions regarding product licensing or serialization
■ Product registration updates, such as address or name changes
■ General product information (features, language availability, local dealers)
■ Latest information about product updates and upgrades
■ Information about upgrade assurance and support contracts
■ Information about the Symantec Buying Programs
■ Advice about Symantec's technical support options
■ Nontechnical presales questions
■ Issues that are related to CD-ROMs, DVDs, or manuals
Support agreement resourcesIf you want to contact Symantec regarding an existing support agreement, pleasecontact the support agreement administration team for your region as follows:
[email protected] and Japan
[email protected], Middle-East, and Africa
[email protected] America and Latin America
Technical Support ............................................................................................... 4
Chapter 1 Introducing Symantec ESM Modules for OracleDatabases ....................................................................... 14
About the Symantec ESM modules for Oracle Databases .................... 14What you can do with the Symantec ESM modules for Oracle
databases ............................................................................. 14Where you can get more information ................................................ 15
Chapter 2 Understanding the ESM Oracle DatabaseModules ........................................................................... 16
About the Oracle Accounts module .................................................. 16Establishing a baseline snapshot ............................................... 17Editing default settings ............................................................ 17Reporting operating system access ............................................ 17Reporting user roles ................................................................ 17Reporting user privileges ......................................................... 17Reporting user accounts .......................................................... 17Reporting account changes ...................................................... 17Reporting account defaults ....................................................... 18Active database accounts ........................................................ 18Active default accounts ........................................................... 18Automatically update snapshots ................................................ 19Database account creation date changed ................................... 19Database account tablespace changed ....................................... 21Database accounts ................................................................. 22Deleted database accounts ...................................................... 22Deleted directly-granted privileges ............................................ 23Deleted directly granted roles .................................................... 24Directly-granted privileges ....................................................... 26Directly-granted roles ............................................................. 27Grantable privileges ................................................................ 27Grantable roles ..................................................................... 28Granted prohibited roles .......................................................... 29Inactive database accounts ..................................................... 30
Contents
New database accounts .......................................................... 31New directly-granted privileges .................................................. 32New directly-granted roles ........................................................ 33OS authenticated users .......................................................... 34Oracle system identifiers (SIDs) ................................................ 35Password-protected default role ............................................... 36Privileges ............................................................................. 37Roles ................................................................................... 37Users in OS DBA groups ......................................................... 37Users to check ....................................................................... 38Users to skip in OS DBA groups ............................................... 38Globally authenticated users ..................................................... 39
About the Oracle Auditing module .................................................... 40Establishing a baseline snapshot ............................................... 40Editing default settings ............................................................ 40Reporting audit status and access ............................................. 40Audit reporting methods ........................................................... 40Reporting statement audits ....................................................... 41Reporting object audits ............................................................ 41Reporting privilege audits ......................................................... 42Audit settings ......................................................................... 42Audit trail enabled ................................................................... 44Audit trail protection ................................................................ 45Auditing objects ..................................................................... 46Auditing options .................................................................... 46Auditing privileges .................................................................. 47Automatically update snapshots ................................................ 47Changed object auditing .......................................................... 47Changed privilege auditing ...................................................... 50Changed statement auditing .................................................... 51Deleted object auditing ........................................................... 53Deleted privilege auditing ........................................................ 53Deleted statement auditing ....................................................... 54New object auditing ................................................................ 55New privilege auditing ............................................................ 58New statement auditing ........................................................... 59Object auditing ....................................................................... 61Oracle system identifiers (SIDs) ................................................ 64Privilege auditing ................................................................... 64Statement auditing ................................................................. 65
About the Oracle Configuration module ............................................. 66Editing default settings ............................................................ 66Reporting Oracle version information .......................................... 67
8Contents
Reporting link password encryption ............................................ 67Reporting operating system account prefixes ............................... 67Reporting parameter values ...................................................... 67Report all configured DB links ................................................... 67Report only fixed user configured DB links .................................. 68Alert file ............................................................................... 68Automatically update snapshots ............................................... 69Control files ........................................................................... 69Control files .......................................................................... 72DB link encrypted password ..................................................... 75Deleted control files ................................................................ 76Deleted redo log files .............................................................. 77List SID:HOME (oracle.dat) ..................................................... 78List SID:HOME (oratab) .......................................................... 79New control files ..................................................................... 80New redo log files .................................................................. 81Oracle components ................................................................ 82Oracle configuration watch ....................................................... 83Oracle system identifiers (SIDs) ................................................ 88Prefix for OS account .............................................................. 88Redo log files ........................................................................ 89Redo log file .......................................................................... 92Remote login password file ....................................................... 95Restrictions on system privileges .............................................. 96Table-level SELECT privileges .................................................. 98Trace file size ........................................................................ 98Trace files ............................................................................. 99UTL_FILE accessible directories ............................................. 100
About the Oracle Networks module ................................................ 101Editing default settings ........................................................... 101Reporting SID configuration status ........................................... 101Oracle net configuration watch ................................................ 101Oracle system identifiers (SIDS) ............................................. 104SID configuration .................................................................. 104SID configuration ................................................................. 105Oracle EXTPROC listeners .................................................... 105
About the Oracle Objects module ................................................... 108Editing default settings ........................................................... 108Reporting table privileges ....................................................... 108Access to SYS.ALL_SOURCE ................................................ 108Critical objects ..................................................................... 109Directly granted privilege ....................................................... 111Grantable privilege ................................................................ 112
9Contents
Grantors ............................................................................ 113Object Privileges .................................................................. 113Object name ........................................................................ 121Oracle system identifiers (SIDs) ............................................... 121Table privileges .................................................................... 122
About the Oracle Passwords module .............................................. 122Editing default settings ........................................................... 122Specifying check variations ..................................................... 122Comparing passwords to word lists .......................................... 122Detecting well-known passwords ............................................. 123Account status .................................................................... 123Double occurrences ............................................................. 123Oracle system identifiers (SIDs) ............................................... 123Password = any username .................................................... 123Password = username .......................................................... 124Password = wordlist word ....................................................... 126Password display .................................................................. 128Plural ................................................................................. 128Prefix ................................................................................ 128Reverse order ...................................................................... 128Suffix ................................................................................. 129Users to check .................................................................... 129Well known passwords .......................................................... 129Password = SID .................................................................. 130
About the Oracle Patches module .................................................. 130Edit default settings ............................................................... 130Oracle patches ..................................................................... 130SID info .............................................................................. 131Installed patches .................................................................. 131Opatch tool .......................................................................... 131Oracle Home Paths .............................................................. 133Patch information ................................................................. 133Template files ....................................................................... 134
About the Oracle Profiles module ................................................... 135Establishing a baseline snapshot ............................................. 135Editing default settings ........................................................... 136Reporting profiles and their limits ............................................. 136Reporting CPU limit violations ................................................. 136Reporting password violations ................................................. 136Profile settings ..................................................................... 136Automatically update snapshots ............................................... 138CPU time per call ................................................................. 138CPU time per session ............................................................ 139
10Contents
Changed resource limits ......................................................... 140Connection time ................................................................... 141Deleted profiles .................................................................... 142Failed logins ....................................................................... 143Idle time ............................................................................. 144Invalid profiles ...................................................................... 145New profiles ........................................................................ 146Oracle profiles ..................................................................... 147Oracle system identifiers (SIDs) ............................................... 147Password duration ............................................................... 148Password grace time ............................................................. 149Password lock time ............................................................... 150Password reuse max ............................................................ 151Password reuse time ............................................................. 152Password verify function ........................................................ 154Profile enforcement ............................................................... 155Profile resources .................................................................. 155Profiles ............................................................................... 156Sessions per user ................................................................ 157
About the Oracle Roles module ..................................................... 158Establishing a baseline snapshot ............................................. 158Editing default settings ........................................................... 158Reporting roles ..................................................................... 159Reporting role privileges ......................................................... 159Reporting role access ............................................................ 159Granted roles ....................................................................... 159Granted privileges ................................................................. 161Automatically update snapshots .............................................. 163DBA equivalent roles ............................................................. 163Deleted nested role ............................................................... 163Deleted privileges ................................................................ 164Deleted roles ....................................................................... 165Grantable nested role ............................................................ 166Grantable privileges .............................................................. 167Granted Oracle DBA role ........................................................ 168Nested roles ....................................................................... 169New nested roles .................................................................. 170New privileges ..................................................................... 171New roles ............................................................................ 172Oracle system identifiers (SIDs) .............................................. 173PUBLIC role access .............................................................. 173Password-protected default role .............................................. 174Privileges ............................................................................ 176
11Contents
Roles ................................................................................ 176Roles without passwords ....................................................... 177
About the Oracle SID Discovery module .......................................... 178Editing default settings ........................................................... 179Reporting SID Discovery ........................................................ 179Configuring the Oracle database instances by using the Discovery
module ......................................................................... 179Configuring a new Oracle database instance .............................. 179Removing deleted instances ................................................... 180Automatically Add New Instance .............................................. 180Oratab file locations .............................................................. 181Automatically Delete Retired Instance ....................................... 181Default Tablespace ............................................................... 181Detect New Instance ............................................................. 181Detect Retired Instance ......................................................... 183Profile ................................................................................ 184Temporary Tablespace .......................................................... 185Detect Instance:Listener ......................................................... 185Create user in RAC database .................................................. 185
About the Oracle Tablespace module .............................................. 185Creating a baseline snapshot .................................................. 186Editing default settings ........................................................... 186Reporting tablespaces ........................................................... 186Reporting tablespace datafiles ................................................ 186Reporting SYSTEM tablespace information ................................ 186Reporting DBA tablespace quotas ............................................ 186Automatically update snapshots ............................................... 186Deleted tablespace datafiles ................................................... 186Deleted tablespaces .............................................................. 187MAX_BLOCKS in DBA_TS_QUOTAS ...................................... 188MAX_BYTES in DBA_TS_QUOTAS ........................................ 189New tablespace datafiles ........................................................ 190New tablespaces .................................................................. 191Objects in SYSTEM tablespace ............................................... 192Oracle system identifiers (SIDs) .............................................. 193Oracle tablespaces ............................................................... 193SYSTEM tablespace assigned to user ...................................... 194Tablespace datafiles .............................................................. 194Tablespace datafiles ............................................................. 197Tablespaces ........................................................................ 200
12Contents
Chapter 3 Working with the Oracle templates ............................... 202
Templates ................................................................................. 202About the Oracle Profiles template ................................................. 204
Creating the Oracle Profiles template ........................................ 204About using the Oracle Profiles template .................................. 204
About the Oracle Roles template .................................................... 206Creating the Oracle Roles template .......................................... 206About using the Oracle Roles template ..................................... 206
About the Oracle System Privileges template ................................... 208Creating the Oracle System Privileges template .......................... 209About using the Oracle System Privileges template ..................... 209
About the Oracle Roles template .................................................... 211Creating the Oracle Roles template .......................................... 211About using the Oracle Roles template ..................................... 211
About the Oracle System Privileges template ................................... 213Creating the Oracle System Privileges template .......................... 214About using the Oracle System Privileges template ..................... 214
About the Oracle Configuration Watch template ................................ 216Creating the Oracle Configuration Watch template ....................... 216About using the Oracle Configuration Watch template ................. 216
About the Oracle Net Configuration Watch template ........................... 219Creating the Oracle Net Configuration Watch template ................. 219About using the Oracle Net Configuration Watch template ............. 220Examples of using the Oracle Net Configuration Watch
template ....................................................................... 224About the Oracle Object Privileges template ..................................... 226
Creating the Oracle Object Privileges template ........................... 226About using the Oracle Object Privileges template ...................... 227
About the Oracle Patch template .................................................... 231Creating the Oracle Patch template ......................................... 231About using the Oracle Patch template ..................................... 231
About the Oracle Critical Object template ......................................... 235Creating the Oracle Critical Object template .............................. 235About using the Oracle Critical Object template .......................... 235
About the Oracle Auditing template ................................................ 236Creating the Oracle Auditing template ...................................... 236About using the Oracle Auditing template .................................. 236
13Contents
Introducing Symantec ESMModules for OracleDatabases
This chapter includes the following topics:
■ About the Symantec ESM modules for Oracle Databases
■ What you can do with the Symantec ESM modules for Oracle databases
■ Where you can get more information
About the Symantec ESM modules for OracleDatabases
The Symantec Enterprise Security Manager (ESM) modules for Oracle databasesextend the Symantec ESM protection to your databases. These modules implementthe checks and options that are specific to Oracle databases, to protect them fromexposure to known security problems. The modules may be installed locally on theSymantec ESM agent that is installed on the same computer where the Oracledatabase resides. You can use the Symantec ESM modules for Oracle databasein the same way that you use for other Symantec ESM modules.
What you can dowith the Symantec ESMmodules forOracle databases
You can use the ESM Application modules to scan the Oracle databases forreporting vulnerabilities, such as weak passwords, patches update, and so on.
1Chapter
You can perform the following tasks using the ESM console:
■ Create a policy.
■ Configure the policy.
■ Create a rules template.
■ Run the policy.
■ Review the policy run.
■ Correct security problems from the console.
■ Create reports.
Where you can get more informationFor more information about Symantec ESM modules and Security Updates, seethe latest versions of the Symantec Enterprise Security Administrator’s Guide andthe Symantec ESM Security Update User’s Guide.
For more information on Symantec Enterprise Security Manager (ESM), SymantecESM Security Updates, and Symantec ESM support for database products, seethe Symantec Security ResponseWeb site at the following URL: Security ResponseWeb site.
15Introducing Symantec ESM Modules for Oracle DatabasesWhere you can get more information
Understanding the ESMOracle Database Modules
This chapter includes the following topics:
■ About the Oracle Accounts module
■ About the Oracle Auditing module
■ About the Oracle Configuration module
■ About the Oracle Networks module
■ About the Oracle Objects module
■ About the Oracle Passwords module
■ About the Oracle Patches module
■ About the Oracle Profiles module
■ About the Oracle Roles module
■ About the Oracle SID Discovery module
■ About the Oracle Tablespace module
About the Oracle Accounts moduleThis module checks for the user accounts based on the options that you havespecified.
2Chapter
Establishing a baseline snapshotTo establish a baseline snapshot file, run the Symantec ESM module for Oracleaccounts once. Periodically rerun the module to detect changes and update thesnapshot when appropriate.
Editing default settingsThemodule for Oracle accounts includes one option that you can use to edit defaultsettings for all security checks in the module.
Reporting operating system accessThe OS administrators have exceptional privileges. Some users can access thedatabase directly from the operating system without the protection of Oracleauthentication. Both the user groups should be monitored to ensure that yourcomputers are protected. The checks in this group monitor these users.
Reporting user rolesThe checks in this group report the roles that have been directly granted to theusers or revoked from the users and the associated user names. Nested roles arenot reported.
Reporting user privilegesThe checks in this group report the users with grantable privileges and the privilegesthat have been directly granted to users or revoked from the users.
Reporting user accountsThe checks in this group report the database accounts that are current, new, active,inactive, and deleted.
Reporting account changesThe checks in this group report the changes to the tablespace assignments andthe creation dates.
17Understanding the ESM Oracle Database ModulesAbout the Oracle Accounts module
Reporting account defaults
Active database accountsThis check reports active user accounts with their tablespaces, profile, and accountcreation date. Periodically, you must review the user accounts to ensure that theyare current and authorized.
The following table lists the message for the check.
Table 2-1 Message for Active database accounts
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
MessageString ID andCategory
Severity: green-0
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Activedatabase account
Description: Theactive user accountis reported with itstablespaces, profile,and date that theaccount was created.Verify that theaccount is currentlyauthorized. Dropunauthorized or outof date accounts.
■ UNIX (30151)■ Windows 2000
(239151)■ Windows 2003
(242151)■ Windows 2008
(255151)
String ID:ORA_ACTIVE_USER_ACCT
Category: PolicyCompliance
Severity: green-0
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrativeInformation
Active default accountsThis check reports the default accounts that are present on your computer. Bydefault, the name list includes all the Oracle default accounts.
18Understanding the ESM Oracle Database ModulesAbout the Oracle Accounts module
Symantec recommends that you remove, lock, or disable the account to preventintruders from using it to access your database.
The following table lists the message for the check.
Table 2-2 Message for Active default accounts
AdditionalInformation
Message Titleand Description
Platform andMessage Numeric ID
Message String IDand Category
Severity: yellow-1
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Active defaultaccount
Description: Theuser account is adefault accountthat ships with anOracle program. Itspassword is wellknown. Remove,lock, or disable theaccount to preventintruders fromusing it to accessyour database.
■ UNIX (30148)■ Windows 2000
(239148)■ Windows 2003
(242148)■ Windows 2008
(255148)
String ID:ORA_ACTIVE_DEFAULT_ACCT
Category: PolicyCompliance
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted onOracle SID
Description: Thechecks areexecuted on theOracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrativeInformation
Automatically update snapshotsEnable this check to automatically update the snapshots with the current information.
Database account creation date changedThis check reports the database accounts with the creation dates that changedafter the last snapshot update. The change in the creation date indicates that theuser account has been deleted and recreated. When a user account is deleted, all
19Understanding the ESM Oracle Database ModulesAbout the Oracle Accounts module
data that is associated with it can also be deleted. Use the name list to exclude theusers for this check.
If the change is authorized, Symantec recommends that you either update thesnapshot or drop the account.
The following table lists the message for the check.
Table 2-3 Message for Database account creation date changed
AdditionalInformation
Message Title andDescription
Platform andMessageNumeric ID
Message String ID andCategory
Severity: yellow-1
Correctable: false
Snapshot Updatable:true
Template Updatable:false
Information FieldFormat: [%s]
Title: Databaseaccount creation datechanged
Description: Theuser's creation datechanged after thelast snapshot update.Verify that the userhas been re-createdwith authorized roles,and restorenecessary data if itwas deleted. If thechange is authorized,update the snapshot.If the change is notauthorized, drop theaccount.
■ UNIX (30144)■ Windows
2000(239144)
■ Windows2003(242144)
■ Windows2008(255144)
String ID:ORA_USER_ACCT_CREATION
Category: ChangeNotification
Severity: green-0
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows
2003 (30014)■ Windows
2008 (30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
20Understanding the ESM Oracle Database ModulesAbout the Oracle Accounts module
Database account tablespace changedThis check reports the accounts with the default tablespaces that were changedafter the last snapshot update. Use the name list to exclude the users for this check.
If the change is authorized, Symantec recommends that you either update thesnapshot or restore the tablespace.
The following table lists the message for the check.
Table 2-4 Message for Database account tablespace changed
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: yellow-1
Correctable: false
SnapshotUpdatable: true
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Databaseaccount tablespacechanged
Description: Theuser's tablespacechanged after thelast snapshotupdate. Verify thattablespaceresources areadequately andefficiently allocated.If the change isauthorized, updatethe snapshot. If thechange is notauthorized, restorethe tablespace.
■ UNIX (30143)■ Windows 2000
(239143)■ Windows 2003
(242143)■ Windows 2008
(255143)
String ID:ORA_USER_ACCT_TABLESPACE
Category: ChangeNotification
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
21Understanding the ESM Oracle Database ModulesAbout the Oracle Accounts module
Database accountsThis check reports the user accounts, their tablespaces, and account creation dates.Use the name list to exclude the users for this check.
Symantec recommends that you delete any unauthorized or out-of-date accounts.Periodically, you must review the database accounts to ensure that the databaseaccounts and their tablespaces are currently authorized.
The following table lists the message for the check.
Table 2-5 Message for Database accounts
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Databaseaccount
Description: Theuser account isreported with itstablespace and datethat the account wascreated. Verify thatthe account iscurrently authorized.Drop unauthorizedor out of dateaccounts.
■ UNIX (30140)■ Windows 2000
(239140)■ Windows 2003
(242140)■ Windows 2008
(255140)
String ID:ORA_USER_ACCT
Category: SystemInformation
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
Deleted database accountsThis check reports the user accounts that were deleted after the last snapshotupdate. Use the name list to exclude the users for this check.
22Understanding the ESM Oracle Database ModulesAbout the Oracle Accounts module
If the deletion is authorized, Symantec recommends that you either update thesnapshot or restore the account.
The following table lists the message for the check.
Table 2-6 Message for Deleted database accounts
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: yellow-1
Correctable: false
SnapshotUpdatable: true
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Deleteddatabase account
Description: Theuser account wasdropped from thedatabase after thelast snapshotupdate. If thedeletion isauthorized, updatethe snapshot. If thedeletion is notauthorized, restorethe account.
■ UNIX (30142)■ Windows 2000
(239142)■ Windows 2003
(242142)■ Windows 2008
(255142)
String ID:ORA_USER_ACCT_DELETED
Category: ChangeNotification
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
Deleted directly-granted privilegesThis check reports the users with the directly-granted privileges that were revokedor dropped after the last snapshot update. Use the name list to exclude the usersfor this check.
If the deletion is authorized, Symantec recommends that you either update thesnapshot or restore the privilege.
The following table lists the message for the check.
23Understanding the ESM Oracle Database ModulesAbout the Oracle Accounts module
Table 2-7 Message for Deleted directly granted privileges
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: yellow-1
Correctable: false
SnapshotUpdatable: true
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Privilegedeleted from user
Description: Thedirectly grantedprivilege that isreported in the UserPrivilege field wasdropped from thedatabase or revokedfrom the user afterthe last snapshotupdate. Privilegeswithin the directlygranted privilegewere also deleted orrevoked. If thedeletion isauthorized, updatethe snapshot. If thedeletion is notauthorized, restorethe privilege to theuser
■ UNIX (30139)■ Windows 2000
(239139)■ Windows 2003
(242139)■ Windows 2008
(255139)
String ID:ORA_USER_PRIV_DELETED
Category: ChangeNotification
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
Deleted directly granted rolesThis check reports the user names with the directly-granted roles that were revokedor dropped after the last snapshot update. The check does not report the roles that
24Understanding the ESM Oracle Database ModulesAbout the Oracle Accounts module
are nested within the directly-granted role and are deleted or revoked. Use thename list to exclude the users for this check.
If the deletion is authorized, Symantec recommends that you either update thesnapshot or restore the role to the user.
The following table lists the message for the check.
Table 2-8 Message for Deleted directly granted roles
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: yellow-1
Correctable: false
SnapshotUpdatable: true
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Role deletedfrom user
Description: Thedirectly granted userrole that is reportedin the User Rolefield was droppedfrom the databaseor revoked from theuser after the lastsnapshot update.Roles within thedirectly granted rolewere also deleted orrevoked. If thedeletion orrevocation isauthorized, updatethe snapshot. If thedeletion orrevocation is notauthorized, restorethe role to the user.
■ UNIX (30138)■ Windows 2000
(239138)■ Windows 2003
(242138)■ Windows 2008
(255138)
String ID:ORA_USER_ROLE_DELETED
Category: ChangeNotification
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
25Understanding the ESM Oracle Database ModulesAbout the Oracle Accounts module
Directly-granted privilegesThis check reports the users with the system privileges that have been directlygranted to them. Use the name list to exclude users for this check. Generally, toreduce maintenance the privileges are often granted in roles.
Symantec recommends that you revoke the privilege from any user who is notauthorized for it.
The following table lists the message for the check.
Table 2-9 Message for Directly granted privileges
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Privilegedirectly granted
Description: Theuser has beendirectly granted theprivilege that isreported in the UserPrivilege field. Verifythat the user isauthorized for theprivilege andconsider whether arole should becreated or redefinedto include theprivilege.
■ UNIX (30134)■ Windows 2000
(239134)■ Windows 2003
(242134)■ Windows 2008
(255134)
String ID:ORA_PRIVILEGE_LIST_DIRECT
Category: SystemInformation
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
26Understanding the ESM Oracle Database ModulesAbout the Oracle Accounts module
Directly-granted rolesThis check reports the roles that have been directly granted to the users. The rolesthat were nested in the directly-granted roles are deleted, but are not reported. Usethe name list to exclude the users for this check.
Symantec recommends that periodically you review this check to ensure that theusers with the directly-granted roles are authorized. Based on the results, you canrevoke inappropriately directly-granted roles.
The following table lists the message for the check.
Table 2-10 Message for Directly granted roles
AdditionalInformation
Message Title andDescription
Platform andMessageNumeric ID
Message String IDand Category
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Role directlygranted to user
Description: The userhas been directlygranted the role that isreported in the UserRole field. Verify that therole is appropriate forthe user'sresponsibilities.
■ UNIX (30133)■ Windows 2000
(239133)■ Windows 2003
(242133)■ Windows 2008
(255133)
String ID:ORA_PRIVILEGE_LIST_ROLES
Category: SystemInformation
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on Oracle SID
Description: The checksare executed on theOracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrativeInformation
Grantable privilegesThis check reports the users with the privileges that they can directly grant. Usethe name list to exclude the users for this check.
Symantec recommends that you revoke the privilege from any user who is notauthorized to grant it. Periodically, you must review the grantable privileges toensure that users are currently authorized to grant their grantable privileges.
27Understanding the ESM Oracle Database ModulesAbout the Oracle Accounts module
The following table lists the message for the check.
Table 2-11 Message for Grantable privileges
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Grantableprivilege
Description: Theuser can grant theprivilege to others.Verify that the useris authorized togrant this privilege.
■ UNIX (30145)■ Windows 2000
(239145)■ Windows 2003
(242145)■ Windows 2008
(255145)
String ID:ORA_GRANTABLE_PRIV
Category: SystemInformation
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
Grantable rolesThis check reports the user names with permissions to grant roles to other users.Use the name list to exclude users for this check.
Symantec recommends that you revoke the grantable roles from any user who isnot authorized to grant it. Periodically, you can review all the users with grantableroles to ensure that they are currently authorized to grant their grantable roles.
The following table lists the message for the check.
28Understanding the ESM Oracle Database ModulesAbout the Oracle Accounts module
Table 2-12 Message for Grantable roles
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Grantable role
Description: Theuser can grant therole. Verify that theuser is authorized togrant the role.
■ UNIX (30146)■ Windows 2000
(239146)■ Windows 2003
(242146)■ Windows 2008
(255146)
String ID:ORA_GRANTABLE_ROLE
Category: SystemInformation
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
Granted prohibited rolesThis check reports the users who have been granted prohibited roles. Use the namelist to exclude the prohibited roles for this check.
Symantec recommends that you remove any prohibited role.
Note: You must never directly grant a few default Oracle roles, the DBA (databaseadministrator) role, and the connect role to the users.
The following table lists the message for the check.
29Understanding the ESM Oracle Database ModulesAbout the Oracle Accounts module
Table 2-13 Message for Granted prohibited roles
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: yellow-1
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Prohibited rolegranted
Description: Thereare a few defaultOracle roles thatshould never bedirectly granted tousers, such as dbaand connect.
■ UNIX (30149)■ Windows 2000
(239149)■ Windows 2003
(242149)■ Windows 2008
(255149)
String ID:ORA_ROLE_GRANTED
Category: PolicyCompliance
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
Inactive database accountsThis check reports the inactive user accounts with their inactive status, date, andaccount creation date. Periodically, you must review the user accounts to ensurethat they are current and authorized.
The following table lists the message for the check.
30Understanding the ESM Oracle Database ModulesAbout the Oracle Accounts module
Table 2-14 Message for Inactive database accounts
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Inactivedatabase account
Description: Theinactive useraccount is reportedwith its inactivestatus and date thatthe account wascreated. Verify thatthe account iscurrently authorized.Drop unauthorizedor out of dateaccounts.
■ UNIX (30150)■ Windows 2000
(239150)■ Windows 2003
(242150)■ Windows 2008
(255150)
String ID:ORA_INACTIVE_USER_ACCT
Category: PolicyCompliance
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
New database accountsThis check reports the user accounts that were added to the database after the lastsnapshot update. Use the name list to exclude the users for this check.
If the new account is authorized, Symantec recommends that you either updatethe snapshot or delete it.
The following table lists the message for the check.
31Understanding the ESM Oracle Database ModulesAbout the Oracle Accounts module
Table 2-15 Message for New database accounts
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: yellow-1
Correctable: false
SnapshotUpdatable: true
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: New databaseaccount
Description: Theuser account wasadded to thedatabase after thelast snapshotupdate. If the newaccount isauthorized, updatethe snapshot. If thenew account is notauthorized, drop theaccount.
■ UNIX (30141)■ Windows 2000
(239141)■ Windows 2003
(242141)■ Windows 2008
(255141)
String ID:ORA_USER_ACCT_ADDED
Category: ChangeNotification
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
New directly-granted privilegesThis check reports the users with the privileges that were directly granted to themafter the last snapshot update. Use the name list to exclude the users for this check.Generally, to reduce maintenance the privileges are often granted in roles.
If the user is authorized for this privilege, Symantec recommends that you eitherupdate the snapshot or revoke the privilege.
The following table lists the message for the check.
32Understanding the ESM Oracle Database ModulesAbout the Oracle Accounts module
Table 2-16 Message for New directly granted privileges
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: yellow-1
Correctable: false
SnapshotUpdatable: true
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: New privilegegranted to user
Description: Theuser was directlygranted the privilegethat is reported inthe User Privilegefield after the lastsnapshot update. Ifthe user isauthorized for thisprivilege, update thesnapshot. If the useris not authorized forthis privilege, revokethe privilege.
■ UNIX (30137)■ Windows 2000
(239137)■ Windows 2003
(242137)■ Windows 2008
(255137)
String ID:ORA_USER_PRIV_ADDED
Category: ChangeNotification
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
New directly-granted rolesThis check reports the user names with the roles that were directly granted to themafter the last snapshot update. The check does not report the roles that are nestedin directly-granted roles. Use the name list to exclude users for this check.
If the user is authorized, Symantec recommends that you either update the snapshotor revoke it from the users.
The following table lists the message for the check.
33Understanding the ESM Oracle Database ModulesAbout the Oracle Accounts module
Table 2-17 Message for New directly granted roles
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: yellow-1
Correctable: false
SnapshotUpdatable: true
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: New roledirectly granted touser
Description: Theuser role wasdirectly granted afterthe last snapshotupdate. If the user isauthorized for therole, update thesnapshot. If the useris not authorized forthe role, revoke therole.
■ UNIX (30136)■ Windows 2000
(239136)■ Windows 2003
(242136)■ Windows 2008
(255136)
String ID:ORA_USER_ROLE_ADDED
Category: ChangeNotification
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
OS authenticated usersThis check reports the users who are authenticated only by the operating system,without Oracle authentication. Use the name list to exclude the users for this check.
In a testing or a development environment, you can log on to Oracle databasewithout providing a user name and password; however, Symantec recommendsthat you must not follow this method of authentication on a production environment.We also recommend that you change the user’s password authentication fromexternal to local and enable the Oracle authentication to add another level of security.
The following table lists the message for the check.
34Understanding the ESM Oracle Database ModulesAbout the Oracle Accounts module
Table 2-18 Message for OS authenticated users
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: yellow-1
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Userauthenticated by OSonly
Description: Theuser isauthenticated onlyby the operatingsystem and can logon to Oracle withoutproviding a username andpassword. RequireOracleauthentication toadd another level ofsecurity.
■ UNIX (30132)■ Windows 2000
(239132)■ Windows 2003
(242132)■ Windows 2008
(255132)
String ID:ORA_USER_AUTHORIZED_EXTERNAL
Category: PolicyCompliance
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
Oracle system identifiers (SIDs)Use the name list to include or exclude the Oracle system identifiers (SIDs) for thischeck. By default, the check examines all the SIDs that you specify when youconfigure the Symantec ESM modules for the Oracle databases. On Windows, theSymantec ESM modules for Oracle databases configuration are stored in\esm\config\oracle.dat file. On UNIX, the Symantec ESM modules for Oracledatabases configuration are stored in /esm/config/oracle.dat file.
35Understanding the ESM Oracle Database ModulesAbout the Oracle Accounts module
Password-protected default roleThis check reports the users who have been granted the password-protected rolesas default roles. Verify that the users are authorized to use the roles without enteringpasswords.
Symantec recommends that for an unauthorized user, you either assign a differentdefault role to the user or remove the password protection from the role.
The following table lists the message for the check.
Table 2-19 Message for Password-protected default role
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: yellow-1
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Default rolewith passwordprotection
Description: Theuser's default role isdefined in thedatabase aspassword protected.Verify that the useris authorized to usethe role withoutentering apassword. Torequire the user toenter a password touse the role, set therole as a non-defaultrole.
■ UNIX (30147)■ Windows 2000
(239147)■ Windows 2003
(242147)■ Windows 2008
(255147)
String ID:ORA_DEFAULT_ROLE_WITH_PASSWORD
Category: SystemInformation
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
36Understanding the ESM Oracle Database ModulesAbout the Oracle Accounts module
PrivilegesUse the name list to include or exclude the system privileges for the GrantableandDirectly-granted privileges checks to report on.
RolesUse the name list to exclude or include the roles for the Directly-granted rolesandGrantable roles checks to report on.
Users in OS DBA groupsThis check reports the users who can connect to a database as INTERNAL,SYSDBA, or SYSOPER. The check also reports users who connect as membersof ORA_DBA and ORA_OPER groups.
Use the name list to exclude the users (usually administrators) and include the OSdatabase administrator groups for this check.
Symantec recommends that you remove the unauthorized users from the OSDBAgroups.
The following table lists the message for the check.
37Understanding the ESM Oracle Database ModulesAbout the Oracle Accounts module
Table 2-20 Message for Users in OS DBA groups
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: red-4
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: User in OSDBA group
Description: Theuser can connect tothe database asINTERNAL,SYSDBA, orSYSOPER, andstart your database,shut it down, andperform othersystem operations.If the user is not anauthorizedadministrator,remove the userfrom the OS DBAgroup.
■ UNIX (30130)■ Windows 2000
(239130)■ Windows 2003
(242130)■ Windows 2008
(255130)
String ID:ORA_UNAUTHORIZED_INTERNAL
Category: PolicyCompliance
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
Users to checkUse the name list to include or exclude the prohibited roles for the Grantedprohibited roles check to report on.
Users to skip in OS DBA groupsUse the name list to exclude the users for the Users in OSDBA groups check. Bydefault, all users in each group are included.
38Understanding the ESM Oracle Database ModulesAbout the Oracle Accounts module
Globally authenticated usersThis check reports the users that are authenticated globally by SSL, whose databaseaccess is through global roles, authorized by an enterprise directory. Use theUsersto Skip name list to exclude the users from reporting.
A centralized directory service, which is outside of the database, manage the userswithout Oracle authentication. You require Oracle user authentication for additionalidentity verification.
The following table lists the message for the check.
Table 2-21 Message for Globally authenticated users
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: yellow-1
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Userauthenticatedglobally
Description: Theuser isauthenticated bySSL and themanagement of thisuser is done outsideof the database bythe centralizeddirectory service.The user can log onto Oracle databasewithout providing auser name andpassword. Usersrequire Oracleauthentication toadd one more levelof security.
■ UNIX (30152)■ Windows 2000■ Windows 2003
(2421052)■ Windows 2008
(255152)
String ID:ORA_USER_AUTHORIZED_GLOBAL
Category: PolicyCompliance
39Understanding the ESM Oracle Database ModulesAbout the Oracle Accounts module
Table 2-21 Message for Globally authenticated users (continued)
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
About the Oracle Auditing moduleThis module checks for the auditing setup that is based on the options that youhave specified.
Establishing a baseline snapshotTo establish a baseline, run the Symantec ESM module for auditing Oracledatabases. This creates a snapshot of the current audit information that you canupdate when you run the checks for new, deleted, or changed information.
Editing default settingsUse this check to edit the default settings of all the security checks in the module.
Reporting audit status and accessThe checks in this group report whether auditing is enabled and who has accessto the audit trail database.
Audit reporting methodsThe success or failure of an audited operation is identified by the following Oraclecodes, separated by the forward slash (/) character:
■ A indicates reporting is BY ACCESS.
■ S indicates reporting is BY SESSION.
40Understanding the ESM Oracle Database ModulesAbout the Oracle Auditing module
Table 2-22 lists the reporting methods.
Table 2-22 Reporting methods
Description of reportMethod
Every successful and failed operationA/A
Every successful operation, but only sessions in which failedoperations occur
A/S
Every session in which successful and failed operations occurS/S
Every session in which an operation was successful and everyfailed operation
S/A
Reporting statement auditsThe checks in this group report SQL statements that are audited. Security checksreport statements that were set or removed for auditing and statements with thesuccess or the failure reporting methods that changed after the last snapshot update.
Audits at the statement level can require considerable resources. BY ACCESS (A)reporting consumes more resources than BY SESSION (S) reporting.
Reporting object auditsThe first check of this group reports the objects that are audited. The second andthird checks report the objects that were set for auditing and removed from auditingafter the last snapshot update. The fourth check reports the objects with the reportingmethods that were changed after the last snapshot update.
There are 16 options for audited objects.
Table 2-23 lists the audits that this check reports on.
Table 2-23 Audited object options
DescriptionOptionAudit number
ALTERALT1
AUDITAUD2
COMMENTCOM3
DELETEDEL4
GRANTGRA5
41Understanding the ESM Oracle Database ModulesAbout the Oracle Auditing module
Table 2-23 Audited object options (continued)
DescriptionOptionAudit number
INDEXIND6
INSERTINS7
LOCKLOC8
RENAMEREN9
SELECTSEL10
UPDATEUPD11
REFERREF12
EXECUTEEXE13
CRETECRE14
READREA15
WRITEWRI16
Note: Unavailable and unaudited options appear as -/-. For example, with A/A inthe fourth position, every auditable DEL operation is recorded as successful orfailed. A/S reports every auditable DEL operation that is successful, but only thesessions that contain one or more failed operations.
Reporting privilege auditsThe first of these checks report the privileges that are audited. The second andthird checks report the privileges that were set for auditing and removed fromauditing after the last snapshot update. The fifth check reports the privileges withthe reporting methods that were changed after the last snapshot update.
Audit settingsThis check reports the audit settings that do not match the settings that are specifiedin the template file. Use the name list to enable or disable the template files.
The following table lists the message for the check.
42Understanding the ESM Oracle Database ModulesAbout the Oracle Auditing module
Table 2-24 Message for Template - Oracle Auditing
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: red-4
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Audit settingsmismatch
Description: Theaudit settings thatare present in thedatabase do notmatch with thesettings that arespecified in thetemplate file. Formore information,refer thecorrespondingInformation column.
■ UNIX (31152)■ Windows 2000
(240152)■ Windows 2003
(243152)■ Windows 2008
(256152)
String ID: ORA_AUDIT_R
Category: PolicyCompliance
Severity: yellow-1
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Audit settingsmismatch
Description: Theaudit settings thatare present in thedatabase do notmatch with thesettings that arespecified in thetemplate file. Formore information,refer thecorrespondingInformation column.
■ UNIX (31153)■ Windows 2000
(240153)■ Windows 2003
(243153)■ Windows 2008
(256153)
String ID: ORA_AUDIT_Y
Category: PolicyCompliance
43Understanding the ESM Oracle Database ModulesAbout the Oracle Auditing module
Table 2-24 Message for Template - Oracle Auditing (continued)
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Audit settingsmismatch
Description: Theaudit settings thatare present in thedatabase do notmatch with thesettings that arespecified in thetemplate file. Formore information,refer thecorrespondingInformation column.
■ UNIX (31154)■ Windows 2000
(240154)■ Windows 2003
(243154)■ Windows 2008
(256154)
String ID: ORA_AUDIT_G
Category: PolicyCompliance
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
Audit trail enabledThis check reports whether an audit trail is available for the SID.
Symantec recommends that while you are in the production environment, to ensurethat the audit trail is enabled you must set the AUDIT_TRAIL parameter to DB orOS.
The following table lists the message for the check.
44Understanding the ESM Oracle Database ModulesAbout the Oracle Auditing module
Table 2-25 Message for Audit trail enabled
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: red-4
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Auditing notenabled for the SID
Description: AnAUDIT_TRAILsetting of NONEindicates auditing isnot enabled andaudit trails are notbeing generated.Enable auditing tomonitor databaseactivities and ensurethat corporatesecurity policies areimplemented.
■ UNIX (31138)■ Windows 2000
(240138)■ Windows 2003
(243138)■ Windows 2008
(256138)
String ID:ORA_AUDIT_DISABLE
Category: PolicyCompliance
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
Audit trail protectionThis check reports the users and the roles that have the privileges that allow themto make changes or deletions to the audit trail database.
Symantec recommends that you grant access to the audit trail database only toadministrators or users with administrator roles. You can drop the role from theuser if the user is not authorized to access the audit trail database and at the sametime you can drop the privilege of an inappropriately defined role. You must ensurethat the auditing options of DEL, INS, and UPD for SYS.AUD$ are set properly toA/A in the dba_obj_audit_opts.
The following table lists the message for the check.
45Understanding the ESM Oracle Database ModulesAbout the Oracle Auditing module
Table 2-26 Message for Audit trail protection
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: yellow-2
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Audit trailprotection
Description: Theuser has access tothe audit trail table.Verify that the useris authorized tochange or delete theaudit trail table.Verify that this rightis appropriate for theuser's role and thatauditing optionsDEL, INS, and UPDfor SYS.AUD$ areset properly to A/Aindba_obj_audit_opts.
■ UNIX (31139)■ Windows 2000
(240139)■ Windows 2003
(243139)■ Windows 2008
(256139)
String ID:ORA_AUDIT_PROTECTION
Category: SystemInformation
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
Auditing objectsUse the name list to include or exclude the object such as tables or views that areto be included for the object auditing.
Auditing optionsUse the name list to include or exclude the object such as tables or views that areto be included for the object auditing.
46Understanding the ESM Oracle Database ModulesAbout the Oracle Auditing module
Auditing privilegesUse the name list to include or exclude the privileges for the privilege auditingchecks.
Automatically update snapshotsEnable this check to automatically update the snapshots with the current information.
Changed object auditingThis check reports the audited user objects with the Success/Failure reportingmethods that changed after the last snapshot update and their current reportingmethods.
If the change is authorized, Symantec recommends that you either update thesnapshot or restore the previous settings.
The following table lists the message for the check.
47Understanding the ESM Oracle Database ModulesAbout the Oracle Auditing module
Table 2-27 Message for Changed object auditing
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: yellow-1
Correctable: false
SnapshotUpdatable: true
TemplateUpdatable: false
Information FieldFormat: [%s]
■ UNIX (31147)■ Windows 2000
(240147)■ Windows 2003
(243147)■ Windows 2008
(256147)
String ID:ORA_CHANGED_OBJ_AUDITING
Category: ChangeNotification
48Understanding the ESM Oracle Database ModulesAbout the Oracle Auditing module
Table 2-27 Message for Changed object auditing (continued)
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Title: Object auditingchanged
Description:Success/Failurereportingmethods ofthe named objectoption werechanged since thelast snapshotupdate. For Oracle8and later, sixteenobject options arerepresented in theorder ALT, AUD,COM, DEL, GRA,IND, INS, LOC,REN, SEL, UPD,REF, EXE, CRE,REA, WRI. Oracle7uses only the firstthirteen options.Unavailable andunaudited optionsappear as -/-.Success/Failurereporting methodsare an A (BYACCESS) or an S(BY SESSION) oneach side of theslash. For example,with A/A in thefourth position,every auditable DELoperation isrecorded assuccessful or failed.A/S reports everyauditable DELoperation that is
49Understanding the ESM Oracle Database ModulesAbout the Oracle Auditing module
Table 2-27 Message for Changed object auditing (continued)
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
successful, but onlysessions thatcontain one or morefailed operation. Ifthe change isauthorized, updatethe snapshot. If thechange is notauthorized, restorethe previousmethods.
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
Changed privilege auditingThis check reports the audited user privileges with Success/Failure reportingmethods that changed after the last snapshot update. Use the name list to excludethe users for this check.
If the change is authorized, Symantec recommends that you either update thesnapshot or restore the previous audit settings.
The following table lists the message for the check.
50Understanding the ESM Oracle Database ModulesAbout the Oracle Auditing module
Table 2-28 Message for Changed privilege auditing
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: yellow-1
Correctable: false
SnapshotUpdatable: true
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Privilegeauditing changed
Description: TheSuccess/FailureUpdate reportingmethods of theaudited privilegechanged after thelast snapshotupdate. The currentmethod is displayed.If the change isauthorized, updatethe snapshot. If thechange is notauthorized, restorethe the previousreporting methods.
■ UNIX (31143)■ Windows 2000
(240143)■ Windows 2003
(243143)■ Windows 2008
(256143)
String ID:ORA_CHANGED_PRIV_AUDITING
Category: ChangeNotification
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
Changed statement auditingThis check reports the audited user statements with the Success/Failure reportingmethods that changed after the last snapshot update. Use the name list to excludethe users for this check.
If the change is authorized, Symantec recommends that you either update thesnapshot or restore the previous statement settings.
The following table lists the message for the check.
51Understanding the ESM Oracle Database ModulesAbout the Oracle Auditing module
Table 2-29 Message for Changed statement auditing
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: yellow-1
Correctable: false
SnapshotUpdatable: true
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Statementauditing changed
Description: TheSuccess/Failurereportingmethods ofthe SID's userstatement changedafter the lastsnapshot update.BYACCESS reportsevery instance, andBY SESSIONreports everysession, in whichthe statement isexecuted. If auditingthe statement isauthorized and thereporting methodsare appropriate,update thesnapshot. If theauditing is notauthorized,deactivate the audit.If the reportingmethods are notappropriate, correctthem.
■ UNIX (31151)■ Windows 2000
(240151)■ Windows 2003
(243151)■ Windows 2008
(256151)
String ID:ORA_CHANGED_STMT_AUDITING
Category: ChangeNotification
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
52Understanding the ESM Oracle Database ModulesAbout the Oracle Auditing module
Deleted object auditingThis check reports the user objects and the object options that were removed fromauditing after the last snapshot update. Use the name list to exclude the users forthis check.
If the deletion is authorized, Symantec recommends that you either update thesnapshot or restore audit of the object.
The following table lists the message for the check.
Table 2-30 Message for Deleted object auditing
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: yellow-1
Correctable: false
SnapshotUpdatable: true
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Deleted objectauditing
Description: Auditingof the user objectwas dropped afterthe last snapshotupdate. If thechange isauthorized, updatethe snapshot. If thechange is notauthorized, restorethe auditing of theobject.
■ UNIX (31146)■ Windows 2000
(240146)■ Windows 2003
(243146)■ Windows 2008
(256146)
String ID:ORA_DELETED_OBJ_AUDITING
Category: ChangeNotification
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
Deleted privilege auditingThis check reports the user privileges that were removed from auditing after thelast snapshot update. Use the name list to exclude the users for this check.
53Understanding the ESM Oracle Database ModulesAbout the Oracle Auditing module
If the deletion is authorized, Symantec recommends that you either update thesnapshot or restore the user privilege to auditing.
Table 2-31 Message for Deleted privilege auditing
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: yellow-1
Correctable: false
SnapshotUpdatable: true
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Deletedprivilege auditing
Description: Theuser privilege wasremoved fromauditing after thelast snapshotupdate. If thedeletion isauthorized, updatethe snapshot. If thedeletion is notauthorized, restorethe user privilege toauditing.
■ UNIX (31142)■ Windows 2000
(240142)■ Windows 2003
(243142)■ Windows 2008
(256142)
String ID:ORA_DELETED_PRIV_AUDITING
Category: ChangeNotification
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
Deleted statement auditingThis check reports the user statements that were removed from auditing after thelast snapshot update. Use the name list to exclude the users for this check.
If the statement deletion is authorized, Symantec recommends that you eitherupdate the snapshot or restore the audit settings.
The following table lists the message for the check.
54Understanding the ESM Oracle Database ModulesAbout the Oracle Auditing module
Table 2-32 Message for Deleted statement auditing
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: yellow-1
Correctable: false
SnapshotUpdatable: true
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Deletedstatement auditing
Description: Theuser statement wasremoved fromauditing after thelast snapshotupdate. If thedeletion isauthorized, updatethe snapshot. If it isnot authorized,restore the auditsetting.
■ UNIX (31150)■ Windows 2000
(240150)■ Windows 2003
(243150)■ Windows 2008
(256150)
String ID:ORA_DELETED_STMT_AUDITING
Category: ChangeNotification
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
New object auditingThis check reports the user objects that were set for auditing after the last snapshotupdate, and the Success/Failure reporting methods that are used. Use the namelist to exclude the users for this check.
If the auditing of the object is authorized, Symantec recommends that you eitherupdate the snapshot or remove the object from auditing. If the reporting methodsare incorrect then you must correct them.
The following table lists the message for the check.
55Understanding the ESM Oracle Database ModulesAbout the Oracle Auditing module
Table 2-33 Message for New object auditing
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: yellow-1
Correctable: false
SnapshotUpdatable: true
TemplateUpdatable: false
Information FieldFormat: [%s]
■ UNIX (31145)■ Windows 2000
(240145)■ Windows 2003
(243145)■ Windows 2008
(256145)
String ID:ORA_NEW_OBJ_AUDITING
Category: ChangeNotification
56Understanding the ESM Oracle Database ModulesAbout the Oracle Auditing module
Table 2-33 Message for New object auditing (continued)
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Title: New objectauditing
Description: Theuser object was setfor auditing after thelast snapshotupdate. For Oracle8and later, sixteenobject options arerepresented in theorder ALT, AUD,COM, DEL, GRA,IND, INS, LOC,REN, SEL, UPD,REF, EXE, CRE,REA, WRI. Oracle7uses only the firstthirteen options.Unavailable andunaudited optionsappear as -/-.Success/Failurereporting methodsare an A (BYACCESS) or an S(BY SESSION) oneach side of theslash. For example,with A/A in thefourth position,every auditable DELoperation isrecorded assuccessful or failed.A/S reports everyauditable DELoperation that issuccessful, but onlysessions thatcontain one or more
57Understanding the ESM Oracle Database ModulesAbout the Oracle Auditing module
Table 2-33 Message for New object auditing (continued)
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
failed operation. Ifauditing of theobject is authorized,update thesnapshot. If it is notauthorized, rop theobject from auditing.
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
New privilege auditingThis check reports the user privileges that were set for auditing after the lastsnapshot update and the Success/Failure reporting methods that are used. Usethe name list to exclude the users for this check.
If the new privilege and its reportingmethods are authorized, Symantec recommendsthat you update the snapshot. If the new privilege is not authorized then you mustchange the privileges. If the user is unauthorized for the privilege then you mustremove the privilege from the user.
The following table lists the message for the check.
58Understanding the ESM Oracle Database ModulesAbout the Oracle Auditing module
Table 2-34 Message for New privilege auditing
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: yellow-1
Correctable: false
SnapshotUpdatable: true
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: New privilegeauditing
Description: Theuser privilege wasset for auditing withthe specifiedSuccess/Failurereporting methodssince the lastsnapshot update. Ifauditing the privilegeis authorized,update thesnapshot. Removethe privilege fromauditing if it is notauthorized.
■ UNIX (31141)■ Windows 2000
(240141)■ Windows 2003
(243141)■ Windows 2008
(256141)
String ID:ORA_NEW_PRIV_AUDITING
Category: ChangeNotification
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
New statement auditingThis check reports the SQL statements that were set for auditing after the lastsnapshot update, and the Success/Failure reporting methods that are used. Usethe name list to exclude the users for this check.
Symantec recommends that you remove all unauthorized or out-to-date statements.You must update the snapshot if the auditing of statement is authorized and thereporting method is correct. You must deactivate the audit if the auditing of thestatement is not authorized. You must change the reporting methods if the reportingmethods are inappropriate for the available resources and perceived risks.
59Understanding the ESM Oracle Database ModulesAbout the Oracle Auditing module
The following table lists the message for the check.
Table 2-35 Message for New statement auditing
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: yellow-1
Correctable: false
SnapshotUpdatable: true
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: New statementauditing
Description: TheSID's userstatement and itsauditingSuccess/Failurereporting methodsare reported in theInfo field. BYACCESS reportsevery time thestatement isexecuted, and BYSESSION reportsevery session inwhich the statementis executed. Ifauditing thestatement isauthorized and thereporting methodsare appropriate,update thesnapshot. If auditingthe statement is notauthorized,deactivate theauditing. If thereporting methodsare not appropriate,correct them.
■ UNIX (31149)■ Windows 2000
(240149)■ Windows 2003
(243149)■ Windows 2008
(256149)
String ID:ORA_NEW_STMT_AUDITING
Category: ChangeNotification
60Understanding the ESM Oracle Database ModulesAbout the Oracle Auditing module
Table 2-35 Message for New statement auditing (continued)
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
Object auditingThis check reports the user objects that are audited and the Success/Failurereporting methods that are used. Use the name list to exclude the users for thischeck.
Symantec recommends that you remove all unauthorized or out-of-date statementsfrom auditing. Periodically, you must review audited objects to ensure that the auditis currently authorized and the reporting methods are appropriate for the availableresources and perceived risks.
The following table lists the message for the check.
61Understanding the ESM Oracle Database ModulesAbout the Oracle Auditing module
Table 2-36 Message for Object auditing
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
■ UNIX (31144)■ Windows 2000
(240144)■ Windows 2003
(243144)■ Windows 2008
(256144)
String ID:ORA_OBJ_AUDITING
Category: SystemInformation
62Understanding the ESM Oracle Database ModulesAbout the Oracle Auditing module
Table 2-36 Message for Object auditing (continued)
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Title: Object auditing
Description: Theuser object isaudited. For Oracle8and later, sixteenobject options arerepresented in theorder ALT, AUD,COM, DEL, GRA,IND, INS, LOC,REN, SEL, UPD,REF, EXE, CRE,REA, WRI. Oracle7uses only the firstthirteen options.Unavailable andunaudited optionsappear as -/-.Success/Failurereporting methodsare an A (BYACCESS) or an S(BY SESSION) oneach side of theslash. For example,with A/A in thefourth position,every auditable DELoperation isrecorded assuccessful or failed.A/S reports everyauditable DELoperation that issuccessful, but onlysessions thatcontain one or morefailed operation.Verify that the userobject should be
63Understanding the ESM Oracle Database ModulesAbout the Oracle Auditing module
Table 2-36 Message for Object auditing (continued)
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
audited and that thereporting method isappropriate.
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
Oracle system identifiers (SIDs)Use the name list to include or exclude the Oracle system identifiers (SIDs) for thischeck. By default, the check examines all the SIDs that you specify when youconfigure the Symantec ESMmodules for the Oracle databases. OnWindows, TheSymantec ESM modules for Oracle databases configuration are stored in\esm\config\oracle.dat file. On UNIX, the Symantec ESM modules for Oracledatabases configuration are stored in /esm/config/oracle.dat file.
Privilege auditingThis check reports the user privileges that are audited, and the Success/Failurereporting methods that are used. Use the name list to exclude the users for thischeck.
Symantec recommends that you periodically review the privilege auditing to ensurethat the audits are currently authorized and that the reporting methods areappropriate for available resources and perceived risks.
The following table lists the message for the check.
64Understanding the ESM Oracle Database ModulesAbout the Oracle Auditing module
Table 2-37 Message for Privilege auditing
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Privilegeauditing
Description: Theuser privilege isaudited and thespecifiedSuccess/Failurereporting methodsare used. Verify thatthis user privilegeshould be auditedand that thereporting method isappropriate.
■ UNIX (31140)■ Windows 2000
(240140)■ Windows 2003
(243140)■ Windows 2008
(256140)
String ID:ORA_PRIV_AUDITING
Category: SystemInformation
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
Statement auditingThis check reports the user SQL statements that are audited and the Success/Failurereporting methods that are used. Use the name list to exclude the users for thischeck.
Symantec recommends that you remove all unauthorized or out-of-date statements.You must ensure that you use appropriate reporting methods for the availableresources and perceived risks.
The following table lists the message for the check.
65Understanding the ESM Oracle Database ModulesAbout the Oracle Auditing module
Table 2-38 Message for Statement auditing
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Statementauditing
Description: Theuser SQL statementis audited, using theSuccess/Failurereporting reportingmethods that arereported in the Infofield. BY ACCESSreports everyinstance, and BYSESSION reportsevery session, inwhich the statementis executed. Verifythat auditing thestatement isauthorized and thereporting method isappropriate.
■ UNIX (31148)■ Windows 2000
(240148)■ Windows 2003
(243148)■ Windows 2008
(256148)
String ID:ORA_STMT_AUDITING
Category: SystemInformation
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
About the Oracle Configuration moduleThis module checks for the Oracle settings that can affect the security of the system.
Editing default settingsUse the checks in this group to edit the settings of all the security checks.
66Understanding the ESM Oracle Database ModulesAbout the Oracle Configuration module
Reporting Oracle version informationThe checks in this group report Oracle version, status, trace, and alert log fileinformation.
For the location of USER_DUMP_DEST files, use Trace file.
For the maximum size of trace files, specified by MAX_DUMP_FILE_SIZE, useTrace file size.
Reporting link password encryptionThe checks in this group report whether encryption is required for the database linkpasswords.
Reporting operating system account prefixesThe checks in this group report prefixes for operating system accounts and whetherSELECT and SYSTEM privileges are required to change table column values.
Reporting parameter valuesThe checks in this group report the Oracle configuration parameter values.
Report all configured DB linksThis check retrieves information on all the database links that are configured.
The following table lists the messages for the check.
Table 2-39 Messages for Report all configured DB links
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Database linksconfigured
Description: Refer tothe Information fieldto view informationon the configureddatabase link.
■ UNIX (30661)■ Windows 2003
(242661)■ Windows 2008
(255661)
String ID: ORA_DB_LINK
Category: SystemInformation
67Understanding the ESM Oracle Database ModulesAbout the Oracle Configuration module
Report only fixed user configured DB linksWhen run along with theReport all configured DB links check, this check retrievesinformation only on the fixed user configured database links.
Table 2-40 Messages for Report all configured DB links
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Database linksconfigured
Description: Refer tothe Information fieldto view informationon the configureddatabase link.
■ UNIX (30661)■ Windows 2003
(242661)■ Windows 2008
(255661)
String ID: ORA_DB_LINK
Category: SystemInformation
Alert fileThis check reports the location of debugging trace files for background processessuch as LGWR and DBWR. The Alert_[SID].log file at this location containsinformation for global and instance operations.
The following table lists the message for the check.
68Understanding the ESM Oracle Database ModulesAbout the Oracle Configuration module
Table 2-41 Message for Alert file
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Directory pathfor alert files
Description: Thelocation of SID tracefiles that are usedfor Oraclebackgroundprocesses isreported in the Infofield.BACKGROUND_DUMP_DESTspecifies thelocation.
■ UNIX (30633)■ Windows 2000
(239633)■ Windows 2003
(242633)■ Windows 2008
(255633)
String ID:ORA_ALERT_FILE_DEST
Category: SystemInformation
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
Automatically update snapshotsEnable this check to automatically update the snapshots with the current information.
Control filesThis check reports the locations of the SID's control files, violations of control filepermissions, discrepancies in control file ownership, and file status. In the Permissiontext box, do one of the following:
■ Specify 0 for the check to report the location and status of the SID's control files.
■ Specify a permission value more restrictive than the SID's control file permissionfor the check to report a violation.You can specify the Permission values as three-digit octal numbers.
69Understanding the ESM Oracle Database ModulesAbout the Oracle Configuration module
Symantec recommends that you periodically review the locations of the control fileto ensure that they are in secure, authorized locations. If the file’s permissions areexcessive then reset the control file’s permission to match with your security policy.
The following table lists the messages for the check.
Table 2-42 Messages for Control files
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Control file
Description: TheSID's control filelocation is reportedin the Redo Log Filefield.
■ UNIX (30652)String ID:ORA_CONTROLFILE
Category: SystemInformation
Severity: yellow-2
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Control filepermission
Description:Permission ofcontrol files
■ UNIX (30655)String ID:ORA_CONTROLFILE_PERM
Category: PolicyCompliance
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [""]
Title:Locked Oraclefile
Description: Filepermissions cannotbe reported becausethe file is being usedby another process.
■ UNIX (30008)String ID:ORA_FILE_LOCKED
Category:System Error
70Understanding the ESM Oracle Database ModulesAbout the Oracle Configuration module
Table 2-42 Messages for Control files (continued)
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [""]
Title: Oracle File orfolder not found
Description: Filepermissions cannotbe reported becausethe file beingreferenced cannotbe found.
■ UNIX (30009)String ID:ORA_FILE_NOT_FOUND
Category:System Error
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Oracle Folderpermissions
Description: ReportsDirectorypermissions.
■ UNIX (300010)String ID:ORA_DIRECTORY_PERMS
Category:System Error
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Functionalitynot Supported
Description: Thisfunctionality is notsupported by ESMoracle app module.
■ UNIX (300011)String ID:ORA_NOT_SUPPORTED
Category: SystemInformation
71Understanding the ESM Oracle Database ModulesAbout the Oracle Configuration module
Table 2-42 Messages for Control files (continued)
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Control file
Description: TheSID's ASMmanaged control filelocation is reportedin the Redo Log Filefield.
■ UNIX (30059)String ID:ORA_ASM_CONTROLFILE
Category: SystemInformation
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
Control filesThis check reports the locations of the SID's control files, violations of control filepermissions, discrepancies in control file ownership, and file status.
If you specify a permission value more restrictive than the SID's control filepermission, the check reports a violation.
Symantec recommends that you periodically review the locations of the control fileto ensure that they are in secure, authorized locations. If the file’s permissions areexcessive then reset the control file’s permission to conform to your security policy.
The following table lists the messages for the check.
72Understanding the ESM Oracle Database ModulesAbout the Oracle Configuration module
Table 2-43 Messages for Control files
AdditionalInformation
MessageTitle andDescription
Platform andMessage NumericID
Message String ID andCategory
Severity: green-0
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Control file
Description: TheSID's control filelocation is reportedin the Redo Log Filefield.
■ Windows 2000(239652)
■ Windows 2003(242652)
■ Windows 2008(255652)
String ID:ORA_CONTROLFILE
Category: SystemInformation
Severity: yellow-2
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Control filepermission
Description:Permission ofcontrol files
■ Windows 2000(239655)
■ Windows 2003(242655)
■ Windows 2008(255655)
String ID:ORA_CONTROLFILE_PERM
Category: PolicyCompliance
Severity: green-0
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [""]
Title:Locked Oraclefile
Description: Filepermissions cannotbe reportedbecause the file isbeing used byanother process.
■ Windows (30008)String ID:ORA_FILE_LOCKED
Category:System Error
73Understanding the ESM Oracle Database ModulesAbout the Oracle Configuration module
Table 2-43 Messages for Control files (continued)
AdditionalInformation
MessageTitle andDescription
Platform andMessage NumericID
Message String ID andCategory
Severity: green-0
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [""]
Title: Oracle File orfolder not found
Description: Filepermissions cannotbe reportedbecause the filebeing referencedcannot be found.
■ Windows (30009)String ID:ORA_FILE_NOT_FOUND
Category:System Error
Severity: green-0
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Oracle Folderpermissions
Description:Reports Directorypermissions.
■ Windows(300010)
String ID:ORA_DIRECTORY_PERMS
Category:System Error
Severity: green-0
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Functionalitynot Supported
Description: Thisfunctionality is notsupported by ESMoracle app module.
■ Windows(300011)
String ID:ORA_NOT_SUPPORTED
Category: SystemInformation
74Understanding the ESM Oracle Database ModulesAbout the Oracle Configuration module
Table 2-43 Messages for Control files (continued)
AdditionalInformation
MessageTitle andDescription
Platform andMessage NumericID
Message String ID andCategory
Severity: green-0
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: Control file
Description: TheSID's ASMmanaged controlfile location isreported in theRedo Log File field.
■ Windows (59)String ID:ORA_ASM_CONTROLFILE
Category: SystemInformation
Severity: green-0
Correctable: false
Snapshot Updatable:false
Template Updatable:false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks areexecuted on theOracle SID.
■ Windows 2003(30014)
■ Windows 2008(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrativeInformation
DB link encrypted passwordThis check examines the DBLINK_ENCRYPT_LOGIN setting to report whether theencrypted passwords require connecting to other Oracle servers through thedatabase links. This parameter is no longer supported on Oracle 10g and laterversions.
The first attempt to connect to another Oracle server always sends encryptedpasswords. If the reported setting is TRUE, a failed connection will not be retried.If FALSE, Oracle reattempts the connection with an unencrypted version of thepassword. TRUE settings provide the best protection for your database.
The following table lists the message for the check.
75Understanding the ESM Oracle Database ModulesAbout the Oracle Configuration module
Table 2-44 Message for DB link encrypted password
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Connect todatabase withencrypted password
Description: TheSID's encryptedpassword setting isreported in the Infofield. The firstattempt to connectto another Oracleserver always sendsencryptedpasswords. If thereported setting isTRUE, a failedconnection is not beretried. If FALSE,Oracle re-tries theconnection with anunencrypted versionof the password.TRUE settingsprovide the bestprotection for yourdatabase.
■ UNIX (30635)■ Windows 2000
(239635)■ Windows 2003
(242635)■ Windows 2008
(255635)
String ID:ORA_DBLINK_ENCRYPT
Category: SystemInformation
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
Deleted control filesThis check reports the control files that were deleted after the last snapshot update.
76Understanding the ESM Oracle Database ModulesAbout the Oracle Configuration module
If the deletion is authorized, Symantec recommends you to either update thesnapshot or restore the control file.
The following table lists the message for the check.
Table 2-45 Message for Deleted control files
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: yellow-1
Correctable: false
SnapshotUpdatable: true
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Deleted controlfile
Description: Thecontrol file that isreported in the Infofield was deletedafter the lastsnapshot update. Ifthe deletion isauthorized, updatethe snapshot. If thedeletion is notauthorized, restorethe control file.
■ UNIX (30654)■ Windows 2000
(239654)■ Windows 2003
(242654)■ Windows 2008
(255654)
String ID:ORA_DELETED_CONTROLFILE
Category: ChangeNotification
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
Deleted redo log filesThis check reports redo log files that were deleted after the last snapshot update.
If the deletion is authorized, Symantec recommends that you either update thesnapshot or restore the file.
The following table lists the message for the check.
77Understanding the ESM Oracle Database ModulesAbout the Oracle Configuration module
Table 2-46 Message for Deleted redo log files
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: yellow-1
Correctable: false
SnapshotUpdatable: true
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Deleted redolog file
Description: TheSID's redo log filethat is reported inthe Redo Log Filefield was deletedafter the lastsnapshot update. Ifthe deletion isauthorized, updatethe snapshot. If thedeletion is notauthorized, restorethe file.
■ UNIX (30650)■ Windows 2000
(239650)■ Windows 2003
(242650)■ Windows 2008
(255650)
String ID:ORA_DELETED_REDOLOGFILE
Category: ChangeNotification
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
List SID:HOME (oracle.dat)This check reports all the SIDs and their Oracle homes from the oracle.dat file. Theconfiguration information of the Symantec ESM modules for Oracle is stored inoracle.dat, which is located in the \esm\config directory.
The following table lists the message for the check.
78Understanding the ESM Oracle Database ModulesAbout the Oracle Configuration module
Table 2-47 Message for List SID:HOME (oracle.dat)
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Oracle.dat fileinformation
Description: Theoracle.dat file iscreated whileconfiguring ESMmodules for oracle.
■ UNIX (30656)■ Windows 2000
(239656)■ Windows 2003
(242656)■ Windows 2008
(255656)
String ID:ORA_SID_HOME_DATFILE
Category: SystemInformation
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
List SID:HOME (oratab)This check reports all the SIDs and their Oracle homes from the oratab file. Theoratab file is created during the installation of Oracle server.
The following table lists the message for the check.
79Understanding the ESM Oracle Database ModulesAbout the Oracle Configuration module
Table 2-48 Message for List SID:HOME (oratab)
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: green-0
Correctable: false
SnapshotUpdatable: true
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Oratab fileinformation
Description: Theoratab file is createdwhile installingoracle databaseserver.
■ UNIX (30657)String ID:ORA_SID_HOME_TABFILE
Category: SystemInformation
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
New control filesThis check reports the control files that were added after the last snapshot update.
If the addition is authorized, Symantec recommends you to either update thesnapshot or delete the new control file.
The following table lists the message for the check.
80Understanding the ESM Oracle Database ModulesAbout the Oracle Configuration module
Table 2-49 Message for New control files
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: yellow-1
Correctable: false
SnapshotUpdatable: true
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: New controlfile
Description: Thecontrol file that isreported in the Infofield was added tothe SID after the lastsnapshot update. Ifthe addition isauthorized, updatethe snapshot. If theaddition is notauthorized, deletethe new control file.
■ UNIX (30653)■ Windows 2000
(239653)■ Windows 2003
(242653)■ Windows 2008
(255653)
String ID: ORA_ADDED_CONTROLFILE
Category: ChangeNotification
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ Windows 2003(30014)
■ Windows 2008(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
New redo log filesThis check reports redo log files that were added after the last snapshot update,their locations, and the status of the files. Use the name list to exclude the redo logfile status reporting for this check.
If the addition is authorized, Symantec recommends that you either update thesnapshot or delete the new redo log file.
The following table lists the message for the check.
81Understanding the ESM Oracle Database ModulesAbout the Oracle Configuration module
Table 2-50 Message for New redo log files
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: yellow-1
Correctable: false
SnapshotUpdatable: true
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: New redo logfile
Description: TheSID's new redo logfile was added to thelocation that isreported in the RedoLog File field afterthe last snapshotupdate. If theaddition isauthorized, updatethe snapshot. If theaddition is notauthorized, deletethe new redo logfile.
■ UNIX (30649)■ Windows 2000
(239649)■ Windows 2003
(242649)■ Windows 2008
(255649)
String ID: ORA_ADDED_REDOLOGFILE
Category: ChangeNotification
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
Oracle componentsThis check reports the version number and status of all Oracle components, includingthe version and status of the Oracle server.
The following table lists the message for the check.
82Understanding the ESM Oracle Database ModulesAbout the Oracle Configuration module
Table 2-51 Message for Oracle components
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Oracle productcomponent version
Description: Theversion and statusof the Oraclecomponent arereported in the Infofield.
■ UNIX (30631)■ Windows 2000
(239631)■ Windows 2003
(242631)■ Windows 2008
(255631)
String ID:ORA_PRODUCT_COMPONENT_VERSION
Category: SystemInformation
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
Oracle configuration watchThis check reports the unmatched initialization and configuration parameters thatare defined in the templates. Use the name list to include the template file for thischeck.
The following table lists the messages for the check.
83Understanding the ESM Oracle Database ModulesAbout the Oracle Configuration module
Table 2-52 Messages for Oracle configuration watch
AdditionalInformation
Message Titleand Description
Platform andMessageNumeric ID
Message String ID andCategory
Severity: red-4
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Red levelcondition
Description: Thevalue of the SID'sparameter atruntime, which isreported in the Infofield, violates theconditions of thecorrespondingparameter in theOracleConfigurationWatch template atthe Red severitylevel. See the Infofield for details.
■ UNIX (30641)■ Windows2000
(239641)■ Windows2003
(242641)■ Windows2008
(255641)
String ID:ORA_ORC_RUNTIME_RED
Category: Policy Compliance
Severity: yellow-1
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Yellow levelcondition
Description: Thevalue of the SID'sparameter atruntime, which isreported in the Infofield, violates theconditions of thecorrespondingparameter in theOracleConfigurationWatch template atthe Yellow severitylevel. See the Infofield for details.
■ UNIX (30642)■ Windows2000
(239642)■ Windows2003
(242642)■ Windows2008
(255642)
String ID:ORA_ORC_RUNTIME_YELLOW
Category: Policy Compliance
84Understanding the ESM Oracle Database ModulesAbout the Oracle Configuration module
Table 2-52 Messages for Oracle configuration watch (continued)
AdditionalInformation
Message Titleand Description
Platform andMessageNumeric ID
Message String ID andCategory
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Green levelcondition
Description: Thevalue of the SID'sparameter atruntime, which isreported in the Infofield, violates theconditions of thecorrespondingparameter in theOracleConfigurationWatch template atthe Green severitylevel. See the Infofield for details.
■ UNIX (30643)■ Windows2000
(239643)■ Windows2003
(242643)■ Windows2008
(255643)
String ID:ORA_ORC_RUNTIME_GREEN
Category: Policy Compliance
Severity: red-4
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Red levelcondition
Description: Thevalue of theparameter that isdefined for the SIDin the initializationfile violates theconditions of thecorrespondingparameter in theOracleConfigurationWatch template atthe red severitylevel. See the Infofield for details.
■ UNIX (30644)■ Windows2000
(239644)■ Windows2003
(242644)■ Windows2008
(255644)
String ID:ORA_ORC_INITFILE_RED
Category: Policy Compliance
85Understanding the ESM Oracle Database ModulesAbout the Oracle Configuration module
Table 2-52 Messages for Oracle configuration watch (continued)
AdditionalInformation
Message Titleand Description
Platform andMessageNumeric ID
Message String ID andCategory
Severity: yellow-1
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Yellow levelcondition
Description: Thevalue of theparameter that isdefined for the SIDin the initializationfile violates theconditions of thecorrespondingparameter in theOracleConfigurationWatch template atthe yellow severitylevel. See the Infofield for details.
■ UNIX (30645)■ Windows2000
(239645)■ Windows2003
(242645)■ Windows2008
(255645)
String ID:ORA_ORC_INITFILE_YELLOW
Category: Policy Compliance
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Green levelcondition
Description: Thevalue of theparameter that isdefined for the SIDin the initializationfile violates theconditions of thecorrespondingparameter in theOracleConfigurationWatch template atthe green severitylevel. See the Infofield for details.
■ UNIX (30646)■ Windows2000
(239646)■ Windows2003
(242646)■ Windows2008
(255646)
String ID:ORA_ORC_INITFILE_GREEN
Category: Policy Compliance
86Understanding the ESM Oracle Database ModulesAbout the Oracle Configuration module
Table 2-52 Messages for Oracle configuration watch (continued)
AdditionalInformation
Message Titleand Description
Platform andMessageNumeric ID
Message String ID andCategory
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: RequiredOracle parameternot found
Description: Eitherthe init script ismissing an Oracleparameter that thetemplate specifiesas required, or anOracle runtimeprarameter that isspecified in thetemplate was notset in the runninginstance of Oracle.
■ UNIX (30647)■ Windows2000
(239647)■ Windows2003
(242647)■ Windows2008
(255647)
String ID:ORA_ORC_PARAMETER_NOT_FOUND
Category: System Error
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Oracleconfigurationparameter
Description: TheOracleconfigurationparameter value.
■ UNIX (30658)■ Windows2000
(239658)■ Windows2003
(242658)■ Windows2008
(255658)
String ID:ORA_CONFIG_PARA_VALUE
Category: System Information
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted onOracleSID
Description: Thechecks areexecuted on theOracle SID.
■ UNIX (30014)■ Windows2003
(30014)■ Windows2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESM AdministrativeInformation
87Understanding the ESM Oracle Database ModulesAbout the Oracle Configuration module
Oracle system identifiers (SIDs)Use the name list to include or exclude the Oracle system identifiers (SIDs) for thischeck. By default, the check examines all the SIDs that you specify when youconfigure the Symantec ESM modules for the Oracle databases. On Windows, theSymantec ESM modules for Oracle databases configuration are stored in\esm\config\oracle.dat file. On UNIX, the Symantec ESM modules for Oracledatabases configuration are stored in /esm/config/oracle.dat file.
Prefix for OS accountThis check reports the characters that are attached to the beginning of accountnames that operating systems authenticate. OS_AUTHENT_PREFIX specifies thecharacters. The default OPS$ prefix gives you access to a database from theoperating system by typing a slash (/) instead of the username/password string.
The following table lists the message for the check.
Table 2-53 Message for Prefix for OS account
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Prefix for OSaccount
Description: Thedefault OPS$ prefixgives a user accessto a database fromthe operatingsystem by typing aslash (/) instead oftheusername/passwordstring.
■ UNIX (30636)■ Windows 2000
(239636)■ Windows 2003
(242636)■ Windows 2008
(255636)
String ID:ORA_OS_AUTHENT_PREFIX
Category: SystemInformation
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
88Understanding the ESM Oracle Database ModulesAbout the Oracle Configuration module
Redo log filesThis check reports the locations of the SID's redo log files, the violations of redolog file permissions, the discrepancies in the redo log file ownerships, and the filestatus. In the Permission field, do one of the following:
■ Specify 0 for the check to report the location and the status of the SID redo logfile.
■ Specify a permission valuemore restrictive than the SID's redo log file permissionfor the check to report an error.
The check reports an error message, if the SID redo log file ownership (UID/GID)does not match with the ownership that you specify in the Oracle database. Youcan specify the permission values as three-digit octal numbers.
Use the name list to include or exclude the status of the files for this check. Thepossible file status values are INVALID, STALE, DELETED, and INUSED.
Symantec recommends that you periodically review the redo log file location toensure that they are in a secure, authorized locations. If the file’s permissions areexcessive then reset the redo log files permission to match with your security policy.If the owner of the redo log file is not authorized for the file then you mustimmediately take ownership of the file and review it for possible tampering.
The following table lists the messages for the check.
Table 2-54 Messages for Redo log files
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Redo log file
Description: TheSID's redo log filesreside in the locationthat is reported inthe Redo Log Filefield.
■ UNIX (30648)String ID:ORA_REDOLOGFILE
Category: SystemInformation
89Understanding the ESM Oracle Database ModulesAbout the Oracle Configuration module
Table 2-54 Messages for Redo log files (continued)
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: yellow-2
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Redo log filepermission
Description:Permission of redolog files
■ UNIX (30651)String ID:ORA_REDOLOGFILE_PERM
Category: PolicyCompliance
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [""]
Title: Locked Oraclefile
Description: Filepermissions cannotbe reported becausethe file is being usedby another process.
■ UNIX (30008)String ID:ORA_FILE_LOCKED
Category: System Error
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [""]
Title: Oracle File orfolder not found
Description: Filepermissions cannotbe reported becausethe file beingreferenced cannotbe found.
■ UNIX (30009)String ID:ORA_FILE_NOT_FOUND
Category: System Error
90Understanding the ESM Oracle Database ModulesAbout the Oracle Configuration module
Table 2-54 Messages for Redo log files (continued)
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Oracle Folderpermissions
Description: ReportsDirectorypermissions.
■ UNIX (30010)ORA_DIRECTORY_PERMS
Category: System Error
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Functionalitynot Supported
Description: Thisfunctionality is notsupported by ESMoracle app module.
■ UNIX (30011)ORA_NOT_SUPPORTED
Category: SystemInformation
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Redo log file
Description: TheSID's ASMmanaged redo logfiles reside in thelocation that isreported in the RedoLog File field.
■ UNIX (60)String ID:ORA_ASM_REDOLOGFILE
Category: SystemInformation
91Understanding the ESM Oracle Database ModulesAbout the Oracle Configuration module
Table 2-54 Messages for Redo log files (continued)
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
Redo log fileThis check reports the locations of the SID's redo log files and permissions on thelog files in the Information field. Use the name list to include or exclude the filestatuses for this check. The file status values are INVALID, STALE, DELETED,INUSED. In the Permission field, do one of the following:
■ Specify 0 for the check to report the location and the status of the SID redo logfile.
■ Specify a permission valuemore restrictive than the SID's redo log file permissionfor the check to report an error.
Symantec recommends that you periodically review the redo log file location toensure that it is in a secure, authorized location. If the file’s permissions areexcessive, reset the redo log file’s permission to conform to your security policy. Ifthe owner of the redo log file is not authorized for the file, immediately take ownershipof the file and review it for possible tampering.
The following table lists the messages for the check.
92Understanding the ESM Oracle Database ModulesAbout the Oracle Configuration module
Table 2-55 Messages for Redo log files
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Redo log file
Description: TheSID's redo log filesreside in the locationthat is reported inthe Redo Log Filefield.
■ Windows 2000(239648)
■ Windows 2003(242648)
■ Windows 2008(255648)
String ID:ORA_REDOLOGFILE
Category: SystemInformation
Severity: yellow-2
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Redo log filepermission
Description:Permission of redolog files
■ Windows 2000(239651)
■ Windows 2003(242651)
■ Windows 2008(255651)
String ID:ORA_REDOLOGFILE_PERM
Category: PolicyCompliance
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [""]
Title:Locked Oraclefile
File permissionscannot be reportedbecause the file isbeing used byanother process.
■ Windows(30008)
String ID:ORA_FILE_LOCKED
Category: System Error
93Understanding the ESM Oracle Database ModulesAbout the Oracle Configuration module
Table 2-55 Messages for Redo log files (continued)
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [""]
Title: Oracle File orfolder not found
Description: Filepermissions cannotbe reported becausethe file beingreferenced cannotbe found.
■ Windows(30009)
String ID:ORA_FILE_NOT_FOUND
Category: System Error
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Oracle Folderpermissions
Description: ReportsDirectorypermissions.
■ Windows(30010)
String ID:ORA_DIRECTORY_PERMS
Category: System Error
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Functionalitynot Supported
Description: Thisfunctionality is notsupported by ESMoracle app module.
■ Windows(30011)
String ID:ORA_NOT_SUPPORTED
Category: SystemInformation
94Understanding the ESM Oracle Database ModulesAbout the Oracle Configuration module
Table 2-55 Messages for Redo log files (continued)
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Redo log file
Description: TheSID's ASMmanaged redo logfiles reside in thelocation that isreported in the RedoLog File field.
■ Windows (60)String ID:ORA_ASM_REDOLOGFILE
Category: SystemInformation
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ Windows 2003(30014)
■ Windows 2008(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
Remote login password fileThis check reports whether the value of the REMOTE_LOGIN_PASSWORDFILEparameter matches with the value that you specify in the Parameter Value text box.Use the name list to include or exclude the values for this check. The default valueis None.
Symantec recommends that you change the value of theREMOTE_LOGIN_PASSWORDFILE parameter to match with your security policy.
The following table lists the message for the check.
95Understanding the ESM Oracle Database ModulesAbout the Oracle Configuration module
Table 2-56 Message for Remote login password file
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: yellow-3
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Remote loginpassword file
Description: Thevalue of theREMOTE_LOGIN_PASSWORDFILEparameter is notacceptable.
■ UNIX (30639)■ Windows 2000
(239639)■ Windows 2003
(242639)■ Windows 2008
(255639)
String ID:ORA_REMOTE_LOGIN_PASSWORDFILE
Category: SystemInformation
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
Restrictions on system privilegesThis check reports whether access to objects in the SYS schema is allowed whileyou migrate from Oracle 7 to Oracle 8.
You must set the parameter to FALSE. If you set the parameter to TRUE, thenaccess to objects in the SYS schema is allowed. You can specify the settings byusing the 07_DICTIONARY_ACCESSIBILITY parameter.
The following table lists the messages for the check.
96Understanding the ESM Oracle Database ModulesAbout the Oracle Configuration module
Table 2-57 Messages for Restrictions on system privileges
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Restrictions onsystem privileges
Description: IfFALSE is reportedin the Info field,system privilegesthat allow access toobjects in anyschema do not allowaccess to objects inSYS schema. IfTRUE, access toobjects in the SYSschema is allowed(Oracle7 behavior).O7_DICTIONARY_ACCESSIBILITYspecifies the setting.
■ UNIX (30638)■ Windows 2000
(239638)■ Windows 2003
(242638)■ Windows 2008
(255638)
String ID:ORA_O7_DICTIONARY_ACCESSIBILITY
Category: SystemInformation
Severity: yellow-3
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Remote loginpassword file
Description: Thevalue of theREMOTE_LOGIN_PASSWORDFILEparameter is notacceptable.
■ UNIX (30639)■ Windows 2000
(239639)■ Windows 2003
(242639)■ Windows 2008
(255639)
String ID:ORA_REMOTE_LOGIN_PASSWORDFILE
Category: SystemInformation
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
97Understanding the ESM Oracle Database ModulesAbout the Oracle Configuration module
Table-level SELECT privilegesThis check reports whether the SELECT privileges are required to update or deletethe table column values.
If TRUE is reported, then table-level SELECT privileges are required to update ordelete table column values. If FALSE, SELECT privileges are not required.SQL92_SECURITY parameter specifies the setting.
The following table lists the message for the check.
Table 2-58 Message for Table-level SELECT privileges
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Table-levelSELECT privileges
Description: If TRUEis reported in theInfo field, table-levelSELECT privilegesare required toupdate or deletetable column values.If FALSE, SELECTprivileges are notrequired.SQL92_SECURITYspecifies the setting.
■ UNIX (30637)■ Windows 2000
(239637)■ Windows 2003
(242637)■ Windows 2008
(255637)
String ID:ORA_SQL92_SECURITY
Category: SystemInformation
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
Trace file sizeThis check reports the maximum sizes of trace files that are specified byMAX_DUMP_FILE_SIZE.
98Understanding the ESM Oracle Database ModulesAbout the Oracle Configuration module
The following table lists the message for the check.
Table 2-59 Message for Trace file size
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Maximum sizefor trace files
Description: Themaximum size ofSID trace files isreported in the Infofield.
■ UNIX (30634)■ Windows 2000
(239634)■ Windows 2003
(242634)■ Windows 2008
(255634)
String ID:ORA_MAX_DUMP_FILE_SIZE
Category: SystemInformation
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
Trace filesThis check reports the location of the trace files that are specified byUSER_DUMP_DEST.
The following table lists the message for the check.
99Understanding the ESM Oracle Database ModulesAbout the Oracle Configuration module
Table 2-60 Message for Trace files
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Location oftrace files
Description: Thelocation of SID tracefiles is reported inthe Info field.
■ UNIX (30632)■ Windows 2000
(239632)■ Windows 2003
(242632)■ Windows 2008
(255632)
String ID:ORA_TRACE_FILE_DEST
Category: SystemInformation
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
UTL_FILE accessible directoriesThis check reports whether the value of the UTL_FILE_DIR parameter matcheswith the value that you specify in the Parameter Value text box. You can use theUTL_FILE_DIR parameter to specify one or more directories that Oracle can usefor PL/SQL file I/O. The exclude tag of the parameter value specifies acceptablevalues and the include tag specifies unacceptable values.
If the location of the UTL_FILE_DIR is not authorized, Symantec recommends thatyou change the configuration of the SID’s UTL_FILE_DIR parameter to specify anauthorized location; also update the snapshot.
The following table lists the message for the check.
100Understanding the ESM Oracle Database ModulesAbout the Oracle Configuration module
Table 2-61 Message for UTL_FILE accessible directories
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: yellow-3
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: UTL_FILEaccessibledirectories
Description: Thevalue of theUTL_FILE_DIRparameter is notacceptable.
■ UNIX (30640)■ Windows 2000
(239640)■ Windows 2003
(242640)■ Windows 2008
(255640)
String ID:ORA_UTL_FILE_DIR
Category: SystemInformation
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
About the Oracle Networks moduleThis module checks for the oracle network configuration that you have specified.
Editing default settingsUse the name list to edit the default settings for all security checks in the module.
Reporting SID configuration statusThe check in this group report the SIDs that are not configured.
Oracle net configuration watchThis check reports Oracle Listener, Sqlnet, and Names configuration parametervalues that violate conditions of the corresponding Oracle Net Watch templateparameters. Use the name list to enable and disable the template files for this check.
101Understanding the ESM Oracle Database ModulesAbout the Oracle Networks module
The following table lists the messages for the check.
Table 2-62 Messages for Oracle net configuration watch
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: red-4
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Red levelcondition
Description: Theparameter valuefound in theconfiguration fileviolates theconditions of thecorrespondingparameter in theOracle Net Watchtemplate. See theInfo field for details.
■ UNIX (31731)■ Windows 2000
(240731)■ Windows 2003
(243731)■ Windows 2008
(256731)
String ID:ORA_ORC_NETCONFIG_RED
Category: PolicyCompliance
Severity: yellow-1
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Yellow levelcondition
Description: Theparameter valuefound in theconfiguration fileviolates theconditions of thecorrespondingparameter in theOracle Net Watchtemplate. See theInfo field for details.
■ UNIX (31732)■ Windows 2000
(240732)■ Windows 2003
(243732)■ Windows 2008
(256732)
String ID:ORA_ORC_NETCONFIG_YELLOW
Category: PolicyCompliance
102Understanding the ESM Oracle Database ModulesAbout the Oracle Networks module
Table 2-62 Messages for Oracle net configuration watch (continued)
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Green levelcondition
Description: Theparameter valuefound in theconfiguration fileviolates theconditions of thecorrespondingparameter in theOracle Net Watchtemplate. See theInfo field for details.
■ UNIX (31733)■ Windows 2000
(240733)■ Windows 2003
(243733)■ Windows 2008
(256733)
String ID:ORA_ORC_NETCONFIG_GREEN
Category: PolicyCompliance
Severity: yellow-3
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Requiredparameter not found
Description: Therequired netconfigurationparameter that isspecified in theOracle ConfigurationWatch template isnot found for theSID. See the Infofield for details.
■ UNIX (31734)■ Windows 2000
(240734)■ Windows 2003
(243734)■ Windows 2008
(256734)
String ID:ORA_ORC_NETCONFIG_PARA_MISSING
Category: PolicyCompliance
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
103Understanding the ESM Oracle Database ModulesAbout the Oracle Networks module
Oracle system identifiers (SIDS)Use the name list to include or exclude the Oracle system identifiers (SIDs) for thischeck. By default, the check examines all the SIDs that you specify when youconfigure the Symantec ESM modules for the Oracle databases. The SymantecESM modules for Oracle Databases configuration are stored in the\esm\config\oracle.dat file.
SID configurationThis check reports SIDs that are not configured for Symantec ESM modules forOracle Databases. If an oratab file resides in a different location than /etc/oratabor /var/opt/oracle/oratab, change the value in the oratab file field to specify the fullpath. Use name list to exclude the SID’s for this check.
The following table lists the message for the check.
Table 2-63 Message for SID configuration
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: yellow-3
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: SID notconfigured formodules
Description: TheSID is notconfigured forSymantec ESMModules for OracleDatabases.
■ UNIX (31730)String ID:ORA_UNCONFIG_SID
Category: System Error
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
104Understanding the ESM Oracle Database ModulesAbout the Oracle Networks module
SID configurationThis check reports the SIDs that are not configured for the SymantecESMmodulesfor Oracle Databases. Use name list to exclude the SID’s for this check.
The following table lists the message for the check.
Table 2-64 Message for SID configuration
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: yellow-3
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: SID notconfigured formodules
Description: TheSID is notconfigured forSymantec ESMModules for OracleDatabases.
■ Windows 2000(240730)
■ Windows 2003(243730)
■ Windows 2008(256730)
String ID:ORA_UNCONFIG_SID
Category: System Error
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ Windows 2003(30014)
■ Windows 2008(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
Oracle EXTPROC listenersThis check reports the Oracle listeners that have EXTPROC-specific entries. In thetext box, specify 1 to allow the TCP Protocol, on doing so the database listenerports should be different than the EXTPROC ports. Separate listeners must bespecified for the Oracle Databases and for the EXTPROC process. You must usethe IPC protocol for listeners configured for EXTPROC.
The following table lists the messages for the check.
105Understanding the ESM Oracle Database ModulesAbout the Oracle Networks module
Table 2-65 Messages for Oracle EXTPROC listeners
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: yellow-3
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Listener forEXTPROC found
Description: Thislistener has beenconfigured forPL/SQLEXTPROC.If the PL/SQLEXTPROCfunctionality is notrequired, werecommend that youremove thisfunctionality fromthe ESM agent thathosts the OracleDatabase server.
■ UNIX (31735)■ Windows 2000 ()■ Windows 2003
(243735)■ Windows 2008
(256735)
String ID:ORA_EXTPROC_LISTENER_FOUND
Category: PolicyCompliance
Severity: red-4
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: EXTPROCentries found inListener forDatabases
Description: TheEXTPROC-specificentries were foundin the Oracle listenerfor the Database.Different listenersshould be specifiedfor the OracleDatabases and forthe PL/SQLEXTPROC.
■ UNIX (31736)■ Windows 2000 ()■ Windows 2003
(243736)■ Windows 2008
(256736)
String ID:ORA_EXTPROC_IN_DB_LISTENER
Category: PolicyCompliance
106Understanding the ESM Oracle Database ModulesAbout the Oracle Networks module
Table 2-65 Messages for Oracle EXTPROC listeners (continued)
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: red-4
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Listener forEXTPROC is notconfigured with IPCProtocol
Description: TheOracle listener forPL/SQL EXTPROCshould only beconfigured with anIPC protocoladdress. If the userallows TCP, thenthe violation for theprotocols other thanthe TCP/TCPS/IPCis reported.
■ UNIX (31737)■ Windows 2000 ()■ Windows 2003
(243737)■ Windows 2008
(256737)
String ID:ORA_NON_IPC_EXTPROC
Category: PolicyCompliance
Severity: red-4
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: The portsconfigured forEXTPROC listenersconflict withdatabase listeners
Description: If theTCP protocol isused to configurelisteners withEXTPROC then usethe port that isdifferent than theports that the Oraclelistener for thedatabases uses.
■ UNIX (31738)■ Windows 2000 ()■ Windows 2003
(243738)■ Windows 2008
(256738)
String ID:ORA_TCP_PORT_EXTPROC
Category: PolicyCompliance
107Understanding the ESM Oracle Database ModulesAbout the Oracle Networks module
Table 2-65 Messages for Oracle EXTPROC listeners (continued)
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
About the Oracle Objects moduleThis module checks for the access privileges to the Oracle objects that are basedon the options that you have specified.
Editing default settingsThe check in this group edits the default settings for all security checks in the module.
Reporting table privilegesThe checks in this group report entities that can:
■ Access SYS.ALL_SOURCE
■ Grant privileges to Oracle objects such as tables, indexes, and views
■ Have directly granted table privileges to Oracle objects
Access to SYS.ALL_SOURCEThis check reports the roles, accounts, and synonyms that have access privilegesto the SYS.ALL_SOURCE system table. The ALL_SOURCE table contains thesource code for user-defined objects in all schemas of the SID. Verify that theentity's direct access to SYS.ALL_SOURCE is authorized. Use the Grantees toskip name list to exclude the grantees for this check.
The following table lists the message for the check.
108Understanding the ESM Oracle Database ModulesAbout the Oracle Objects module
Table 2-66 Message for Access to SYS.ALL_SOURCE
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: yellow-3
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Access toSYS.ALL_SOURCE
Description: Theuser or role that isreported in the Infofield has access tothe ALL_SOURCEtable. Verify that theaccess isauthorized.
■ UNIX (31630)■ Windows 2000
(240630)■ Windows 2003
(243630)■ Windows 2008
(256630)
String ID:ORA_ACCESS_ALL_SOURCE
Category: PolicyCompliance
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
Critical objectsThis check works with the Grantable privilege check or the Directly granted privilegecheck. The Critical objects check reports on the objects that it finds on the ESMagent computer with the objects that you specify in the template. For example,sys.kupw$wor, sys.dbms_ddl, and so on. Use the name list to enable or disablethe template file.
The following table lists the messages for the check.
109Understanding the ESM Oracle Database ModulesAbout the Oracle Objects module
Table 2-67 Messages for Critical objects
AdditionalInformation
Message Titleand Description
Platform and MessageNumeric ID
Message String IDand Category
Severity: red-4
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: No word filesspecified
Description:"Critical objects"was enabled butno word files werespecified. Changeyour policy so thatat least one wordfile is enabled.
■ UNIX (31633)■ Windows 2000
(240633)■ Windows 2003
(243633)■ Windows 2008
(256633)
String ID:ESM_NOWORDFILES
Category: ESM Error
Severity: red-4
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Grantabletable privilege
Description: Thegrantable tableprivilege of theOracle object isgranted to theuser or role. Verifythat the user orrole is authorizedto grant the tableprivilege.
■ UNIX (31634)■ Windows 2000
(240634)■ Windows 2003
(243634)■ Windows 2008
(256634)
String ID:ORA_GRANTABLE_RED
Category: PolicyCompliance
Severity: red-4
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Directlygranted tableprivilege
Description: Thedirectly grantedtable privilege ofthe Oracle objectis directly grantedto the user or role.Verify that theuser or role isauthorized for thetable privilege.
■ UNIX (31635)■ Windows 2000
(240635)■ Windows 2003
(243635)■ Windows 2008
(256635)
String ID:ORA_DIRECT_GRANTED_RED
Category: PolicyCompliance
110Understanding the ESM Oracle Database ModulesAbout the Oracle Objects module
Table 2-67 Messages for Critical objects (continued)
AdditionalInformation
Message Titleand Description
Platform and MessageNumeric ID
Message String IDand Category
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted onOracle SID
Description: Thechecks areexecuted on theOracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrativeInformation
Directly granted privilegeThis check reports the roles, the accounts, or the synonyms that have directlygranted table privileges to Oracle objects. Use the name list to include or excludethe grantees for this check.
The following table lists the message for the check.
Table 2-68 Message for Directly granted privilege
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: yellow-3
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Directlygranted tableprivilege
Description: Thedirectly grantedtable privilege of theOracle object isdirectly granted tothe user or role.Verify that the useror role is authorizedfor the tableprivilege.
■ UNIX (31632)■ Windows 2000
(240632)■ Windows 2003
(243632)■ Windows 2008
(256632)
String ID:ORA_DIRECT_GRANTED
Category: PolicyCompliance
111Understanding the ESM Oracle Database ModulesAbout the Oracle Objects module
Table 2-68 Message for Directly granted privilege (continued)
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
Grantable privilegeThis check reports the roles, the accounts, or the synonyms that have grantabletable privileges to Oracle objects. Use the name list to include and exclude thegrantees for this check.
The following table lists the message for the check.
Table 2-69 Message for Grantable privilege
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: yellow-3
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Grantabletable privilege
Description: Thegrantable tableprivilege of theOracle object isgranted to the useror role. Verify thatthe user or role isauthorized to grantthe table privilege.
■ UNIX (31631)■ Windows 2000
(240631)■ Windows 2003
(243631)■ Windows 2008
(256631)
String ID:ORA_GRANTABLE
Category: PolicyCompliance
112Understanding the ESM Oracle Database ModulesAbout the Oracle Objects module
Table 2-69 Message for Grantable privilege (continued)
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
GrantorsUse this name list to include or exclude the grantors for the Grantable privilegesand Directly granted privilege checks to report on.
Object PrivilegesThis check uses the specified template to report on the object privileges. Use thename list to enable or disable the template file.
The following table lists the messages for the check.
113Understanding the ESM Oracle Database ModulesAbout the Oracle Objects module
Table 2-70 Messages for Object Privileges
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: red-4
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Object notfound
Description: Objectnot found. Theselected object maynot be present in thedatabase, or theinformation for theselected object isincorrect in thetemplate. Verify thetemplate entries, orverify if the objectwith the given owneris present in thedatabase.
■ UNIX (31636)■ Windows 2000
(240636)■ Windows 2003
(243636)■ Windows 2008
(256636)
String ID:ORA_OBJ_NOT_FOUND
Category: PolicyCompliance
114Understanding the ESM Oracle Database ModulesAbout the Oracle Objects module
Table 2-70 Messages for Object Privileges (continued)
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: red-4
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Unauthorizedobject privilege
Description: Thereis a mismatch in theactual objectprivilege present inthe database andthe privilege that ismentioned in thetemplate. Check ifthe object that ismarked as"Prohibited" in thetemplate is presentin the database, orcheck if the objectthat is marked as"Mandatory" in thetemplate is notpresent in thedatabase. For moreinformation, see thecorrespondingInformation column.
■ UNIX (31637)■ Windows 2000
(240637)■ Windows 2003
(243637)■ Windows 2008
(256637)
String ID:ORA_OBJ_PRIV_R
Category: PolicyCompliance
115Understanding the ESM Oracle Database ModulesAbout the Oracle Objects module
Table 2-70 Messages for Object Privileges (continued)
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: yellow-1
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Unauthorizedobject privilege
Description: Thereis a mismatch in theactual objectprivilege present inthe database andthe privilege that ismentioned in thetemplate. Check ifthe object that ismarked as"Prohibited" in thetemplate is presentin the database, orcheck if the objectthat is marked as"Mandatory" in thetemplate is notpresent in thedatabase. For moreinformation, see thecorrespondingInformation column.
■ UNIX (31638)■ Windows 2000
(240638)■ Windows 2003
(243638)■ Windows 2008
(256638)
String ID:ORA_OBJ_PRIV_Y
Category: PolicyCompliance
116Understanding the ESM Oracle Database ModulesAbout the Oracle Objects module
Table 2-70 Messages for Object Privileges (continued)
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Unauthorizedobject privilege
Description: Thereis a mismatch in theactual objectprivilege present inthe database andthe privilege that ismentioned in thetemplate. Check ifthe object that ismarked as"Prohibited" in thetemplate is presentin the database, orcheck if the objectthat is marked as"Mandatory" in thetemplate is notpresent in thedatabase. For moreinformation, see thecorrespondingInformation column.
■ UNIX (31639)■ Windows 2000
(240639)■ Windows 2003
(243639)■ Windows 2008
(256639)
String ID:ORA_OBJ_PRIV_G
Category: PolicyCompliance
117Understanding the ESM Oracle Database ModulesAbout the Oracle Objects module
Table 2-70 Messages for Object Privileges (continued)
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: red-4
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Unauthorizedobject privilege
Description: Thereis a mismatch in theactual objectprivilege present inthe database andthe privilege that ismentioned in thetemplate. Check ifthe object that ismarked as"Prohibited" in thetemplate is presentin the database, orcheck if the objectthat is marked as"Mandatory" in thetemplate is notpresent in thedatabase. For moreinformation, see thecorrespondingInformation column.
■ UNIX ( 31737)■ Windows 2003
(243737)■ Windows 2008
(256737)
String ID:ORA_OBJ_PRIV_R
Category: PolicyCompliance
118Understanding the ESM Oracle Database ModulesAbout the Oracle Objects module
Table 2-70 Messages for Object Privileges (continued)
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Unauthorizedobject privilege
Description: Thereis a mismatch in theactual objectprivilege present inthe database andthe privilege that ismentioned in thetemplate. Check ifthe object that ismarked as"Prohibited" in thetemplate is presentin the database, orcheck if the objectthat is marked as"Mandatory" in thetemplate is notpresent in thedatabase. For moreinformation, see thecorrespondingInformation column.
■ UNIX (31739)■ Windows 2003
(243739)■ Windows 2008
(253739)
String ID:ORA_OBJ_PRIV_G
Category: PolicyCompliance
119Understanding the ESM Oracle Database ModulesAbout the Oracle Objects module
Table 2-70 Messages for Object Privileges (continued)
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: yellow-1
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Unauthorizedobject privilege
Description: Thereis a mismatch in theactual objectprivilege present inthe database andthe privilege that ismentioned in thetemplate. Check ifthe object that ismarked as"Prohibited" in thetemplate is presentin the database, orcheck if the objectthat is marked as"Mandatory" in thetemplate is notpresent in thedatabase. For moreinformation, see thecorrespondingInformation column.
■ UNIX ( 31738)■ Windows 2003
(243738)■ Windows 2008
(253738)
String ID:ORA_OBJ_PRIV_Y
Category: PolicyCompliance
120Understanding the ESM Oracle Database ModulesAbout the Oracle Objects module
Table 2-70 Messages for Object Privileges (continued)
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: red-4
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Object notfound
Description: Objectnot found. Theselected object maynot be present in thedatabase, or theinformation for theselected object isincorrect in thetemplate. Verify thetemplate entries, orverify if the objectwith the given owneris present in thedatabase.
■ UNIX (31736)■ Windows 2003
(243736)■ Windows 2008
(253736)
String ID:ORA_OBJ_NOT_FOUND
Category: PolicyCompliance
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
Object nameUse this name list to include or exclude the object names for theGrantable privilegeand Directly granted privilege checks to report on.
Oracle system identifiers (SIDs)Use the name list to include or exclude the Oracle system identifiers (SIDs) for thischeck. By default, the check examines all the SIDs that you specify when youconfigure the Symantec ESM modules for the Oracle databases. On Windows, theSymantec ESM modules for Oracle Databases configuration are stored in the
121Understanding the ESM Oracle Database ModulesAbout the Oracle Objects module
\esm\config\oracle.dat file. On UNIX, the Symantec ESM modules for OracleDatabases configuration are stored in the /esm/config/oracle.dat file.
Table privilegesUse this name list to include or exclude the table privileges for the Grantableprivilege and Directly granted privilege checks to report on.
About the Oracle Passwords moduleThis module checks for the password integrity of the Oracle user accounts. Thesechecks are based on the options that you have specified.
Note: Refer to the following:
■ Certain functionalities of the Oracle Passwords module are developed basedon the concept provided in the white paper An Assessment of the OraclePassword Hashing Algorithm courtesy of SANS Institute and/or its licensors.
■ The password hashing checks do not report on the passwords when exclusivemode is enabled in Oracle 11g or later to use SHA-1 / Salt Hashing Algorithm.
Editing default settingsThe checks in this group edits the default settings for all the security checks in themodule.
Specifying check variationsYou can use the checks under this group to set conditions for guessing thepasswords of the Oracle accounts. You can display the results with or without thefirst and last characters of the password.
Comparing passwords to word listsThe checks in this group compare the passwords to words that are found in theword lists or the user names. Any matched word is a weak password and shouldbe changed immediately.
122Understanding the ESM Oracle Database ModulesAbout the Oracle Passwords module
Detecting well-known passwordsOracle products ship with default, or sample, accounts and passwords that arewidely known. These passwords should be changed as soon as soon as possible.Otherwise, unauthorized users can log in as SYS or SYSTEM with administratorprivileges.
Account statusUse the name list to include or exclude the statuses for all the password guessingchecks.
Double occurrencesEnable this option to have Password = checks report the passwords that matchesthe user names or common words spelled twice. For example, in Password =wordlist word, password golfgolf matches the word golf.
Oracle system identifiers (SIDs)Use the name list to include or exclude the Oracle system identifiers (SIDs) for thischeck. By default, the check examines all the SIDs that you specify when youconfigure the SymantecESMmodules for the Oracle databases. On Windows, theconfiguration for Symantec ESM Modules for Oracle Databases is stored in\esm\config\oracle.dat. On UNIX, the configuration for Symantec ESMModules forOracle Databases is stored in /esm/config/oracle.dat.
Password = any usernameThis check compares the encrypted version of the user and the role password withthe encrypted version of the words that are included in the common words andnames file. The check then reports the matches. You can specify the word andname files that you want to check. Do not use common words or names aspasswords.
Symantec recommends that you do not use commonwords or names as passwords.You must assign a more secure password immediately to the user accounts thatare reported by this check, then notify each user to log in using the more securepassword. Have the users complete the process by changing their passwords again.
A secure password has six to eight characters with at least one numeric character,and one special character. The password must not match an account name or mustnot be found in the word file.
The following table lists the message for the check.
123Understanding the ESM Oracle Database ModulesAbout the Oracle Passwords module
Table 2-71 Message for Password = any username
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: red-4
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Weak userpassword
Description: Thepassword is a formof a user name orcommon word. It isa weak password.Assign a moresecure passwordimmediately. Theninstruct the user tolog in with the moresecure passwordand change thepassword again. Asecure passwordhas 6-8 characters,including at leastone non-alphabeticcharacter, shouldnot be found in anydictionary, andshould not match anaccount name.
■ UNIX (30334)■ Windows 2000
(239334)■ Windows 2003
(242334)■ Windows 2008
(255334)
String ID:ORA_PASS_GUESSED
Category: PolicyCompliance
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
Password = usernameThis check reports the users and the roles that use their own user names or rolenames as passwords. The check is not as comprehensive as the Password = any
124Understanding the ESM Oracle Database ModulesAbout the Oracle Passwords module
username check. However, if the Password = any user name check takes longeror consumes more CPU usage, then use the Password = user name check dailyand the Password = any user name check on weekends. The reported passwordmatches the same user account name. The passwords that closely resemble accountnames are easily guessed.
Symantec recommends that you must immediately assign more secure passwordsto reported user accounts. Then notify the users and ask them to log in with themore secure passwords. Have the users complete the process by changing theirpasswords again.
A secure password has six to eight characters with at least one numeric character,and one special character. The password must not match an account name or mustnot be found in the word file.
The following table lists the message for the check.
Table 2-72 Message for Password = username
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: red-4
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Weak userpassword
Description: Thepassword is a formof a user name orcommon word. It isa weak password.Assign a moresecure passwordimmediately. Theninstruct the user tolog in with the moresecure passwordand change thepassword again. Asecure passwordhas 6-8 characters,including at leastone non-alphabeticcharacter, shouldnot be found in anydictionary, andshould not match anaccount name.
■ UNIX (30334)■ Windows 2000
(239334)■ Windows 2003
(242334)■ Windows 2008
(255334)
String ID:ORA_PASS_GUESSED
Category: PolicyCompliance
125Understanding the ESM Oracle Database ModulesAbout the Oracle Passwords module
Table 2-72 Message for Password = username (continued)
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
Password = wordlist wordThis check compares the encrypted version of the user and the role password withthe encrypted version of the words that are included in the common words andnames file. The check then reports the matches. You can specify the word andname files that you want to check. Do not use common words or names aspasswords.
Symantec recommends that you do not use commonwords or names as passwords.You must assign a more secure password immediately to the user accounts thatare reported by this check, then notify each user to log in using the more securepassword. Have the users complete the process by changing their passwords again.
A secure password has six to eight characters with at least one numeric character,and one special character. The password must not match an account name or mustnot be found in the word file.
The following table lists the messages for the check.
126Understanding the ESM Oracle Database ModulesAbout the Oracle Passwords module
Table 2-73 Messages for Password = wordlist word
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: red-4
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Weak userpassword
Description: Thepassword is a formof a user name orcommon word. It isa weak password.Assign a moresecure passwordimmediately. Theninstruct the user tolog in with the moresecure passwordand change thepassword again. Asecure passwordhas 6-8 characters,including at leastone non-alphabeticcharacter, shouldnot be found in anydictionary, andshould not match anaccount name.
■ UNIX (30334)■ Windows 2000
(239334)■ Windows 2003
(242334)■ Windows 2008
(255334)
String ID:ORA_PASS_GUESSED
Category: PolicyCompliance
Severity: red-4
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: No word filesspecified
Description:Password = wordlistword was enabled,but no word fileswere specified.Enable at least oneword file.
■ UNIX (30336)■ Windows 2000
(239336)■ Windows 2003
(242336)■ Windows 2008
(255336)
String ID:ORA_NO_WORDS
Category: ESM Error
127Understanding the ESM Oracle Database ModulesAbout the Oracle Passwords module
Table 2-73 Messages for Password = wordlist word (continued)
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
Password displayThis check works with the Password=wordlistword, Password=username, andPassword = any username checks. Enable this check to display the guessedpasswords in the <first character>*<last character> format.
PluralThis option directs Password = checks to compare the plural forms of user names,role names, or common words with the password. For example, in “Password =user name,” the password “golfs” matches the user name “golf.”
PrefixEnable this option so that Password = checks reports the passwords that beginwith a prefix in the user names, role names, or common words. For example, if"pro" is a prefix and "golf" is a user name, then the Password = user name checkreports "progolf " as a weak password.
Reverse orderEnable this option to have Password = checks report passwords that match thebackward spelling of user names or common words. For example, in Password =wordlist word, password flog matches the word golf.
128Understanding the ESM Oracle Database ModulesAbout the Oracle Passwords module
SuffixEnable this option so that Password = checks reports the passwords that end witha suffix in the user names, role names, or common words. For example, if “pro” isa suffix and “golf” is a user name, then the Password = user name check reports“golfpro” as a weak password.
Users to checkUse the name list to include or exclude the users or the roles for all the passwordguessing checks.
Well known passwordsThis check reports the well known account/password combinations that you specifyin the name list and default Oracle account/password combinations such asscott/tiger. You should not allow well known account/password combinations. Usethe name list to include the account and password combinations for this check.
Symantec recommends that you must assign a more secure password immediately.You must instruct the user to log in with the more secure password and change thepassword again.
A secure password has six to eight characters with at least one numeric character,and one special character. The password must not match an account name or mustnot be found in the word file.
The following table lists the message for the check.
Table 2-74 Message for Well known passwords
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: red-4
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Well knownaccount/passwordfound
Description: Changeor delete all wellknownaccount/passwordcombinations.
■ UNIX (30337)■ Windows 2000
(239337)■ Windows 2003
(242337)■ Windows 2008
(255337)
String ID:ORA_DEFAULT_PASSWORD
Category: PolicyCompliance
129Understanding the ESM Oracle Database ModulesAbout the Oracle Passwords module
Table 2-74 Message for Well known passwords (continued)
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
Password = SIDThis check reports the users and roles who use their SID names as passwords.This is applicable only for the configured SIDs.
About the Oracle Patches moduleThis module identifies the Oracle security patches that are not installed on yourcomputers.
Note: The module may not report correct messages if the opatch utility and OraclePatches module is concurrently running on the same agent. Symantec recommendsnot to run the Oracle Patches module on the same agent while opatch utility isalready running.
Edit default settingsThe check in this group edits the default settings for all the security checks in themodule.
Oracle patchesThe checks in this group report the patches that are released by Oracle and thatare not applied on the database server.
130Understanding the ESM Oracle Database ModulesAbout the Oracle Patches module
SID infoThis check add on the relevant SIDs to the patch messages that are reported fromthe Patch information and Installed patches checks.
Installed patchesThis check works with the Opatch tool check and reports the patches, the opatchtool detects. When the Installed Patches check is run along with the SID Infocheck, the relevant SIDs are also reported.
The following table lists the message for the check.
Table 2-75 Message for Installed patches
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Installedpatches
Description: Theinstalled patch isdetected by theopatch tool.
■ UNIX (31034)■ Windows 2000
(240034)■ Windows 2003
(243034)■ Windows 2008 (
256034)
String ID:ORA_INSTALLED_PATCH
Category: PolicyCompliance
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleHome
Description: Thechecks are executedon the OracleHome.
■ UNIX (256037)■ Windows 2000
(240034)■ Windows 2003
(243037)■ Windows 2008 (
256037)
String ID:ORA_HOME_PROCESSED
Category: ESMAdministrative Information
Opatch toolThis check enables ESM to use the opatch tool and reports the opatch tool versioninformation. Opatch is the Oracle patch tool, which is a set of PERL scripts that runwith PERL 5.005_03 and later. You have JRE and JDK installed in the Oracle Hometo run the OPatch tool. The commands such as jar, java, ar, cp, and make
131Understanding the ESM Oracle Database ModulesAbout the Oracle Patches module
(depending on platforms) available should be present in the Opatch path. By default,the Opatch tools check searches for the OPatch directory that contains the opatchtool in ORACLE HOME. If the check fails to find the tool in ORACLE HOME, thenit takes the path of the opatch tool that mentioned in the check. This applicationcan be downloaded from the following URL: http://www.oracle.com.
The following table lists the messages for the check.
Table 2-76 Messages for Opatch tool
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Opatch version
Description: Theopatch tool is at theshown version.
■ UNIX (31032)■ Windows 2000
(240032)■ Windows 2003
(243032)■ Windows 2008
(256032)
String ID:ORA_OPATCH_VERSION
Category: SystemInformation
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: OpatchInformation
Description: Thespecified opatch toolreports in theinformation field.
■ UNIX (31033)■ Windows 2000
(240033)■ Windows 2003
(243033)■ Windows 2008
(256033)
String ID:ORA_OPATCH_INFO
Category: System Error
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleHome
Description: Thechecks are executedon the OracleHome.
■ UNIX (256037)■ Windows 2000
(240034)■ Windows 2003
(243037)■ Windows 2008 (
256037)
String ID:ORA_HOME_PROCESSED
Category: ESMAdministrative Information
132Understanding the ESM Oracle Database ModulesAbout the Oracle Patches module
Oracle Home PathsUse the name list to include or exclude the Oracle home paths for this check. Bydefault, the check examines all the Home paths that you specify when you configurethe SymantecESMmodules for the Oracle databases. OnWindows, the configurationfor Symantec ESM Modules for Oracle Databases are stored in the oracle.dat filethat is located in the \esm\config\ folder. On UNIX, the configuration for SymantecESM Modules for Oracle Databases are stored in the oracle.dat file that is locatedin the /esm/config/ folder.
Patch informationThis check reports information about the patches that have been released withinthe number of days that you specify in the check. The information includes patchtype and number, ID number, patch release date, and description. You should verifythat all current patches are installed on your Oracle clients and servers. Use thename list to include the template files for this check. When the Patch Informationcheck is run along with the SID Info check, the relevant SIDs are also reported.
You can download patch updates by using LiveUpdate.
Symantec recommends that you verify that your Oracle server and componentshave the current applicable patches.
The following table lists the messages for the check.
Table 2-77 Messages for Patch information
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: yellow-1
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Patchavailable
Description: Thepatch is available atOracle's patchesWeb site.
■ UNIX (31030)■ Windows 2000
(240030)■ Windows 2003
(243030)■ Windows 2008
(256030)
String ID:ORA_PATCH_AVAILABLE
Category: PolicyCompliance
133Understanding the ESM Oracle Database ModulesAbout the Oracle Patches module
Table 2-77 Messages for Patch information (continued)
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: yellow-1
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Patchsetavailable
Description: Thepatchset is availableat Oracle's patchesWeb site.
■ UNIX (31031)■ Windows 2000
(240031)■ Windows 2003
(243031)■ Windows 2008
(256031)
String ID:ORA_PATCHSET_AVAILABLE
Category: PolicyCompliance
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleHome
Description: Thechecks are executedon the OracleHome.
■ UNIX (256037)■ Windows 2000
(240034)■ Windows 2003
(243037)■ Windows 2008 (
256037)
String ID:ORA_HOME_PROCESSED
Category: ESMAdministrative Information
Template filesUse the name list to enable or disable the template files for this check. Oracle Patchtemplate files are identified by .orp file extensions.
The following table lists the message for the check.
134Understanding the ESM Oracle Database ModulesAbout the Oracle Patches module
Table 2-78 Message for Template files
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: red-4
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: No templatefiles specified
Description: TheOracle Patchesmodule was runwithout any templatefiles. No patchrelated checks wereperformed. Checkyour policy toensure that at leastone template file isenabled for theagent's operatingsystem.
■ UNIX (31035)■ Windows 2000
(240035)■ Windows 2003
(243035)■ Windows 2008
(256035)
String ID:ORA_TEMPLATEFILE_MISSING
Category: ESM Error
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleHome
Description: Thechecks are executedon the OracleHome.
■ UNIX (256037)■ Windows 2000
(240034)■ Windows 2003
(243037)■ Windows 2008 (
256037)
String ID:ORA_HOME_PROCESSED
Category: ESMAdministrative Information
About the Oracle Profiles moduleThis module checks for the Oracle profiles table that is based on the options thatyou have specified. It reports SIDs, profile names, profile resource names, andresource limits as applicable.
Establishing a baseline snapshotTo establish a baseline, run the Profiles module. This creates a snapshot of currentprofile information that you can update when you run the checks that report new,deleted, or changed information.
135Understanding the ESM Oracle Database ModulesAbout the Oracle Profiles module
Editing default settingsUse the check in this group to edit the default settings for all the security checks inthe module.
Reporting profiles and their limitsThe checks in this group report the existing, new, and deleted profiles and theirresource limits.
Reporting CPU limit violationsThe checks in this group report the CPU resource limits.
Reporting password violationsThe checks in this group report the profiles with settings for the number of failedlogon attempts, password grace time, password duration, password lock time, andpassword reuse requirements that violate your security policy. Password strengthchecks, which compare passwords to common words and user names,
Profile settingsThis check reports the profile settings that do not match the settings that arespecified in the template file. Use the name list to enable or disable the templatefiles.
The following table lists the message for the check.
Table 2-79 Message for Profile settings
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: red-4
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Object notfound
Description: Noprofile found thatmatches the nameas specified in thetemplate. For moreinformation, referthe Informationcolumn.
■ UNIX (30954)■ Windows 2000
(239954)■ Windows 2003
(242954)■ Windows 2008
(255954)
String ID:ORA_PROF_NOT_FOUND
Category: PolicyCompliance
136Understanding the ESM Oracle Database ModulesAbout the Oracle Profiles module
Table 2-79 Message for Profile settings (continued)
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: red-4
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Profile settingsmismatch
Description: Theprofile settings thatare present in thedatabase do notmatch with thesettings that arespecified in thetemplate. For moreinformation, referthe Informationcolumn.
■ UNIX (30251)■ Windows 2000
(239251)■ Windows 2003
(242251)■ Windows 2008
(255251)
String ID: ORA_PROF_R
Category: PolicyCompliance
Severity: yellow-1
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Profile settingsmismatch
Description: Theprofile settings thatare present in thedatabase do notmatch with thesettings that arespecified in thetemplate. For moreinformation, referthe Informationcolumn.
■ UNIX (30252)■ Windows 2000
(239252)■ Windows 2003
(242252)■ Windows 2008
(255252)
String ID: ORA_PROF_Y
Category: PolicyCompliance
137Understanding the ESM Oracle Database ModulesAbout the Oracle Profiles module
Table 2-79 Message for Profile settings (continued)
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Profile settingsmismatch
Description: Theprofile settings thatare present in thedatabase do notmatch with thesettings that arespecified in thetemplate. For moreinformation, referthe Informationcolumn.
■ UNIX (30253)■ Windows 2000
(239253)■ Windows 2003
(242253)■ Windows 2008
(255253)
String ID: ORA_PROF_G
Category: PolicyCompliance
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
Automatically update snapshotsEnable this check to automatically update the snapshots with the current information.
CPU time per callThis check reports the profiles that allow more CPU time for each call, such asfetch, execute, and parse, than the amount of time that you specify in the check.Specify the maximum amount of time that is allowed per call in hundredths of asecond.
Symantec recommends that you specify a maximum CPU time per call limit thatallow users perform their duties and that prevents a small number of users fromdenying service to others by using excessive CPU resources.
The following table lists the message for the check.
138Understanding the ESM Oracle Database ModulesAbout the Oracle Profiles module
Table 2-80 Message for CPU time per call
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: yellow-1
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: CPU time percall exceeds limit
Description: Theprofile's maximumCPU time per callexceeds the amountthat you specified inthe check. Time isexpressed inhundredths of asecond. Specify arealistic limit toprevent one or morecalls from lockingout other calls byusing all of the CPUcapacity.
■ UNIX (30938)■ Windows 2000
(239938)■ Windows 2003
(242938)■ Windows 2008
(255938)
String ID:ORA_PROFILE_CPU_PER_CALL
Category: PolicyCompliance
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
CPU time per sessionThis check reports profiles that allow more CPU time per session then the amountthat you specify in the check. Specify the maximum amount of time that is allowedper session in hundredths of a second.
Symantec recommends that you specify a maximum CPU time per session limitthat allow users to perform their duties without frequent logging on and logging out.It prevents a small number of users from denying service to others by usingexcessive CPU resources.
The following table lists the message for the check.
139Understanding the ESM Oracle Database ModulesAbout the Oracle Profiles module
Table 2-81 Message for CPU time per session
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: yellow-1
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: CPU time persession exceedslimit
Description: Theprofile's maximumCPU time persession exceeds theamount that youspecified in thecheck. Time isexpressed inhundredths of asecond. Specify arealistic limit toprevent one or moreusers from lockingout other users byusing all of the CPUcapacity.
■ UNIX (30937)■ Windows 2000
(239937)■ Windows 2003
(242937)■ Windows 2008
(255937)
String ID:ORA_PROFILE_CPU_PER_SESSION
Category: PolicyCompliance
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
Changed resource limitsThis check reports the profile resource limits that changed after the last snapshotupdate. Use the name list to exclude profiles for this check.
If the change is authorized, Symantec recommends that you either update thesnapshot or restore the previous limit.
The following table lists the message for the check.
140Understanding the ESM Oracle Database ModulesAbout the Oracle Profiles module
Table 2-82 Message for Changed resource limits
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: yellow-1
Correctable: false
SnapshotUpdatable: true
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Changedprofile resource limit
Description: Theprofile's resourcelimit changed afterthe last snapshotupdate. Update thesnapshot if theresource limit isappropriate; changethe limit if it is notappropriate. Limitsshould be highenough to permitnormal resourceusage but lowenough to preventabuse.
■ UNIX (30936)■ Windows 2000
(239936)■ Windows 2003
(242936)■ Windows 2008
(255936)
String ID:ORA_PROFILE_LIMIT_CHANGED
Category: ChangeNotification
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
Connection timeThis check reports the profiles that allow more elapsed connection time for anaccount than the number of minutes that you specify in the check.
Symantec recommends that you specify a realistic limit that allow users to performtheir duties and that prevents a few connections from denying service to others byusing excessive CPU resources.
The following table lists the message for the check.
141Understanding the ESM Oracle Database ModulesAbout the Oracle Profiles module
Table 2-83 Message for Connection time
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: yellow-1
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Connect timeexceeds limit
Description: Thenumber of minutesallowed for theprofile's connectionexceeds the numberof minutes that youspecified in thecheck. Specify arealistic limit toprevent one or moreconnections fromdenying service toother users bymonopolizing CPUcapacity.
■ UNIX (30939)■ Windows 2000
(239939)■ Windows 2003
(242939)■ Windows 2008
(255939)
String ID:ORA_PROFILE_CONNECT_TIME
Category: PolicyCompliance
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
Deleted profilesThis check reports all the profiles that were deleted from the database after the lastsnapshot update. Use the name list to exclude profiles for this check.
If the deletion is authorized, Symantec recommends that you either update thesnapshot or restore the profile.
The following table lists the message for the check.
142Understanding the ESM Oracle Database ModulesAbout the Oracle Profiles module
Table 2-84 Message for Deleted profiles
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: yellow-1
Correctable: false
SnapshotUpdatable: true
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Deleted profile
Description: Theprofile was droppedfrom the databaseafter the lastsnapshot update. Ifthe deletion isauthorized, updatethe snapshot. If thedeletion is notauthorized, restorethe profile.
■ UNIX (30932)■ Windows 2000
(239932)■ Windows 2003
(242932)■ Windows 2008
(255932)
String ID:ORA_PROFILE_DELETED
Category: ChangeNotification
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
Failed loginsThis check reports the profiles that allow more failed login attempts than the numberthat you specify in the check.
Symantec recommends that you restrict the number of permitted failed login attemptsto minimize the likelihood of break-in by intruders who attempt to guess user namesand passwords.
The following table lists the message for the check.
143Understanding the ESM Oracle Database ModulesAbout the Oracle Profiles module
Table 2-85 Message for Failed logins
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: red-4
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Failed loginattempts exceedlimit
Description: Thenumber of failedlogins permittedbefore an account islocked exceeds thenumber that youspecified in thecheck. Restrict thenumber of failedattempts permittedto minimize thelikelihood ofintruders guessinguser names andpasswords.
■ UNIX (30940)■ Windows 2000
(239940)■ Windows 2003
(242940)■ Windows 2008
(255940)
String ID:ORA_PROFILE_FAILED_LOGIN_ATTEMPTS
Category: PolicyCompliance
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
Idle timeThis check reports profiles that allowmore idle time before a process is disconnectedthan the number of minutes that you specify in the check.
The connections that are idle for a long period may indicate that the computer isunattended.
Symantec recommends that you specify a realistic amount of time before an inactiveprocess is disconnected.
The following table lists the message for the check.
144Understanding the ESM Oracle Database ModulesAbout the Oracle Profiles module
Table 2-86 Message for Idle time
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: yellow-1
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Idle timeexceeds limit
Description: Theprofile's maximumidle time exceedsthe limit that youspecified in thecheck. Specify arealistic amount oftime before aninactive process isdisconnected.Connections thatare idle for a longperiod may indicatethat the computer isunattended, whichwould pose asecurity threat.
■ UNIX (30941)■ Windows 2000
(239941)■ Windows 2003
(242941)■ Windows 2008
(255941)
String ID:ORA_PROFILE_IDLE_TIME
Category: PolicyCompliance
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
Invalid profilesThis check reports users that are assigned to profiles that fail one or more of theenabled resource limitation checks. Use the name list to exclude the users for thischeck.
The following table lists the message for the check.
145Understanding the ESM Oracle Database ModulesAbout the Oracle Profiles module
Table 2-87 Message for Invalid profiles
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: yellow-3
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Invalid profileassigned
Description: Theuser's profile isinvalid. It fails one ormore enabled profileresource limitationchecks. Verify thatthe profile iscorrectly defined inthe database.
■ UNIX (30950)■ Windows 2000
(239950)■ Windows 2003
(242950)■ Windows 2008
(255950)
String ID:ORA_INVALID_PROFILE_ASSIGNED
Category: PolicyCompliance
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
New profilesThis check reports all profiles that were defined in the database after the lastsnapshot update. Use the name list to exclude profiles for this check.
If the addition is authorized, Symantec recommends that you either update thesnapshot or delete the profile.
The following table lists the message for the check.
146Understanding the ESM Oracle Database ModulesAbout the Oracle Profiles module
Table 2-88 Message for New profiles
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: yellow-1
Correctable: false
SnapshotUpdatable: true
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: New profile
Description: Theprofile was added tothe database afterthe last snapshotupdate. If theaddition isauthorized, updatethe snapshot. If theaddition is notauthorized, deletethe profile.
■ UNIX (30931)■ Windows 2000
(239931)■ Windows 2003
(242931)■ Windows 2008
(255931)
String ID:ORA_PROFILE_ADDED
Category: ChangeNotification
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
Oracle profilesUse the name list to include or exclude the Oracle profiles for the resource limitationchecks.
Oracle system identifiers (SIDs)Use the name list to include or exclude the Oracle system identifiers (SIDs) for thischeck. By default, the check examines all the SIDs that you specify when youconfigure the SymantecESMmodules for the Oracle databases. On Windows, theconfiguration for Symantec ESM Modules for Oracle Databases is stored in\esm\config\oracle.dat. On UNIX, the configuration for Symantec ESMModules forOracle Databases is stored in /esm/config/oracle.dat.
147Understanding the ESM Oracle Database ModulesAbout the Oracle Profiles module
Password durationThis check reports the profiles that permit a password to be used for more daysthan the number that you specify in the check.
Symantec recommends that you change your password often to minimize thepossibility that an intruder will discover the passwords but not so often that youhave difficulty remembering your passwords.
The following table lists the message for the check.
Table 2-89 Message for Password duration
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: red-4
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Passwordduration too high
Description: Themaximumnumber ofdays permitted forthe profile'spassword exceedsthe number of daysthat you specified inthe check. Requirepassword changesoften to minimizethe likelihood thatthey will bediscovered by anintruder.
■ UNIX (30943)■ Windows 2000
(239943)■ Windows 2003
(242943)■ Windows 2008
(255943)
String ID:ORA_PROFILE_PASS_LIFE_TIME
Category: PolicyCompliance
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
148Understanding the ESM Oracle Database ModulesAbout the Oracle Profiles module
Password grace timeThis check reports the profiles that have their password grace days different thanthe number that you specify in the Password Grace text box. Now, you can alsouse the comparison operators before specifying the value in the text box. The valuethat you specify in the text box refers to the number of days wherein a warning isgiven before your password expires. The comparison operators are as follows:Equal (=), Not equal (!=), Less than (<), Greater than (>), Less than or equal to(<=), Greater than or equal to (>=).
Symantec recommends that you specify realistic number of days for a user tochange a password after being warned that it is about to expire.
The following table lists the message for the check.
Table 2-90 Message for Password grace time
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: yellow-1
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Passwordgrace time differsfrom limit
Description: Theprofile's passwordgrace time is not thesame as the limitthat you specified inthe check. Specify arealistic number ofdays for a user tochange a passwordafter being warnedthat it is about toexpire.
■ UNIX (30942)■ Windows 2000
(239942)■ Windows 2003
(242942)■ Windows 2008
(255942)
String ID:ORA_PROFILE_PASS_GRACE_TIME
Category: PolicyCompliance
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
149Understanding the ESM Oracle Database ModulesAbout the Oracle Profiles module
Password lock timeThis check reports the profiles that lock accounts for fewer days than the numberthat you specify in the check. Accounts are locked after the number of failed loginattempts that you specify in the FAILED_LOGIN_ATTEMPTS parameter of theprofile. PASSWORD_LOCK_TIME parameter specifies the number of days that anaccount is locked.
Symantec recommends that you change the resource parameterPASSWORD_LOCK_TIME setting to match with your security policy.
The following table lists the message for the check.
Table 2-91 Message for Password lock time
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: yellow-1
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Password locktime too low
Description: Theprofile's passwordlock time is lowerthan the number ofdays that youspecified in thecheck. Verify thatthePASSWORD_LOCK_TIMEparameter settingconforms tocompany securitypolicies.
■ UNIX (30944)■ Windows 2000
(239944)■ Windows 2003
(242944)■ Windows 2008
(255944)
String ID:ORA_PROFILE_PASS_LOCK_TIME
Category: PolicyCompliance
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
150Understanding the ESM Oracle Database ModulesAbout the Oracle Profiles module
Password reuse maxThis check reports profiles that require fewer password changes before a passwordcan be reused than the number that you specify in the check.
Note: If you set a PASSWORD_REUSE_MAX value, PASSWORD_REUSE_TIMEmust be UNLIMITED.
Symantec recommends that you change the resource parameterPASSWORD_REUSE_MAXto require a realistic number of times that a passwordmust be changed before it can be reused.
The following table lists the message for the check.
Table 2-92 Message for Password reuse max
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
MessageString ID andCategory
Severity: yellow-1
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Password reusemaximum too low
Description: Theprofile permits apassword to bereused after fewerchanges than thenumber of changesthat you specified inthe check. If you setaPASSWORD_REUSE_MAXvalue,PASSWORD_REUSE_TIMEmust beUNLIMITED.
■ UNIX (30945)■ Windows 2000
(239945)■ Windows 2003
(242945)■ Windows 2008
(255945)
String ID:ORA_PROFILE_PASS_REUSE_MAX
Category: PolicyCompliance
Severity: yellow-1
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Password reusesettings weaker thanexpected
Description: Thepassword reusesettings in the profileare weaker than thevalues that arespecified in thecheck.
■ UNIX (30955)■ Windows 2000
(239955)■ Windows 2003
(242955)■ Windows 2008
(255955)
String ID:ORA_PROFILE_PASS_REUSE_WEAK
Category: PolicyCompliance
151Understanding the ESM Oracle Database ModulesAbout the Oracle Profiles module
Table 2-92 Message for Password reuse max (continued)
AdditionalInformation
Message Title andDescription
Platform andMessage NumericID
MessageString ID andCategory
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrativeInformation
Password reuse timeThis check reports profiles that require fewer days before a password can be reusedthan the number that you specify in the check.
Note: If this setting has a value,PASSWORD_REUSE_TIMEmust be UNLIMITED.If you set a PASSWORD_REUSE_TIME value, PASSWORD_REUSE_MAX mustbe UNLIMITED.
Symantec recommends that you change the resource parameterPASSWORD_REUSE_TIME to require a realistic amount of time that must passbefore it can be reused.
The following table lists the message for the check.
152Understanding the ESM Oracle Database ModulesAbout the Oracle Profiles module
Table 2-93 Message for Password reuse time
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: yellow-1
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Passwordreuse time too low
Description: Theprofile permits apassword to bereused after fewerdays than youspecified in thecheck. If you specifyaPASSWORD_REUSE_TIMEvalue,PASSWORD_REUSE_MAXmust beUNLIMITED.
■ UNIX (30946)■ Windows 2000
(239946)■ Windows 2003
(242946)■ Windows 2008
(255946)
String ID:ORA_PROFILE_PASS_REUSE_TIME
Category: PolicyCompliance
Severity: yellow-1
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Passwordreuse settingsweaker thanexpected
Description: Thepassword reusesettings in the profileare weaker than thevalues that arespecified in thecheck.
■ UNIX (30955)■ Windows 2000
(239955)■ Windows 2003
(242955)■ Windows 2008
(255955)
String ID:ORA_PROFILE_PASS_REUSE_WEAK
Category: PolicyCompliance
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
153Understanding the ESM Oracle Database ModulesAbout the Oracle Profiles module
Password verify functionThis check reports profiles that do not use one or more of the password complexityfunctions that you specify in the name list. Use the name list to include the functionsfor this check.
Note: Password complexity functions are specified in the resource parameterPASSWORD_VERIFY_FUNCTION.
Symantec recommends that you immediately assign a secure password and instructthe user to log on with the secure password and change the password again.
The following table lists the message for the check.
Table 2-94 Message for Password verify function
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: yellow-1
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Passwordverify function
Description: Theprofile's passwordverification functiona name that doesnot exist in the listthat you specified inthe check. Specifythe name of a scriptto call forPROFILE_PASS_VERIFY_FUNCTION.
■ UNIX (30947)■ Windows 2000
(239947)■ Windows 2003
(242947)■ Windows 2008
(255947)
String ID:ORA_PROFILE_PASS_VERIFY_FUNCTION
Category: PolicyCompliance
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
154Understanding the ESM Oracle Database ModulesAbout the Oracle Profiles module
Profile enforcementThis check reports SIDs that do not enforce profiles.
Symantec recommends that in the database's parameter file, change the value ofthe RESOURCE_LIMIT parameter from FALSE to TRUE so that the profiles areenforced.
The following table lists the message for the check.
Table 2-95 Message for Profile enforcement
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: red-4
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Profiles are notenabled
Description: Theprofile is notenforced in thedatabase. By defaultno profiles areenforced until youchange the value oftheRESOURCE_LIMITparameter fromFALSE to TRUE forthe database'sinstance.
■ UNIX (30949)■ Windows 2000
(239949)■ Windows 2003
(242949)■ Windows 2008
(255949)
String ID:ORA_PROFILE_NOT_ENABLED
Category: SystemInformation
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
Profile resourcesThis check reports profile resource limits. Use the name list to exclude profiles forthis check.
155Understanding the ESM Oracle Database ModulesAbout the Oracle Profiles module
Symantec recommends that youmust ensure that the profile resource limits matcheswith the company's security policies.
The following table lists the message for the check.
Table 2-96 Message for Profile resources
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Profileresource limits
Description: Theprofile and itsresource limits aredefined in thedatabase. Verify thatthe profile resourcelimits conform tocompany securitypolicies.
■ UNIX (30933)■ Windows 2000
(239933)■ Windows 2003
(242933)■ Windows 2008
(255933)
String ID:ORA_PROFILE_LIMIT_LIST
Category: SystemInformation
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
ProfilesThis check reports all profiles that are defined in the database. Use the name listto exclude profiles for this check. You should periodically review the profiles toensure that all profiles are authorized and that profile resources and resource limitsare allocated efficiently.
The following table lists the message for the check.
156Understanding the ESM Oracle Database ModulesAbout the Oracle Profiles module
Table 2-97 Message for Profiles
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Existingprofiles
Description: Theprofile is defined inthe database.
■ UNIX (30930)■ Windows 2000
(239930)■ Windows 2003
(242930)■ Windows 2008
(255930)
String ID:ORA_PROFILE_LIST
Category: SystemInformation
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
Sessions per userThis check reports the profiles that allow more number of concurrent sessions foreach user than the number that you specify in the MaxSession/User text box. Asto prevent access by other users, multiple users should not be given concurrentsession permission.
The following table lists the message for the check.
157Understanding the ESM Oracle Database ModulesAbout the Oracle Profiles module
Table 2-98 Message for Sessions per user
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: yellow-1
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Sessions peruser too high
Description: Theprofile permits moresessions per userthan you specifiedfor the check.SESSIONS_PER_USERspecifies themaximumnumber ofconcurrent sessionsper user.
■ UNIX (30948)■ Windows 2000
(239948)■ Windows 2003
(242948)■ Windows 2008
(255948)
String ID:ORA_PROFILE_SESSIONS_PER_USER
Category: PolicyCompliance
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
About the Oracle Roles moduleThis module checks for the Oracle roles that are based on the options that youhave specified.
Establishing a baseline snapshotTo establish a baseline, run the Roles module. This creates a snapshot of currentrole information that you can update when you run checks for new, deleted, orchanged information.
Editing default settingsUse the check in this group to edit the default settings for all the security checks inthe module.
158Understanding the ESM Oracle Database ModulesAbout the Oracle Roles module
Reporting rolesThe checks in this group report the existing roles and the roles that have beenadded or deleted since the last snapshot update.
Reporting role privilegesThe checks in this group report the role privileges and the privileges that weregranted to or removed from the roles after the last snapshot update, and grantablerole privileges.
Reporting role accessThe checks in this group report password-protected roles that are used as defaultroles, directly granted DBA roles, roles without password protection, and tablesaccessed by the public role.
Granted rolesThis check reports the users and the roles that violate the conditions that you specifyin the template. Use the name list to enable or disable the template file.
The following table lists the message for the check.
Table 2-99 Message for Granted roles
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Granted roles
Description: Therole that is grantedto the account is notas per the conditionthORA_ROLE_TEMPLATEORA_ROLE_TEMPLATEatis specified in thetemplate.
■ UNIX (30248)■ Windows 2000
(239248)■ Windows 2003
(242248)■ Windows 2008
(255248)
String ID:ORA_ROLE_TEMPLATE_G
Category: PolicyCompliance
159Understanding the ESM Oracle Database ModulesAbout the Oracle Roles module
Table 2-99 Message for Granted roles (continued)
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: red-4
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Granted roles
Description: Therole that is grantedto the account is notas per the conditionthat is specified inthe template.
■ UNIX (30249)■ Windows 2000
(239249)■ Windows 2003
(242249)■ Windows 2008
(255249)
String ID:ORA_ROLE_TEMPLATE_R
Category: PolicyCompliance
Severity: yellow-1
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Granted roles
Description: Therole that is grantedto the account is notas per the conditionthat is specified inthe template.
■ UNIX (30250)■ Windows 2000
(239250)■ Windows 2003
(242250)■ Windows 2008
(255250)
String ID:ORA_ROLE_TEMPLATE_Y
Category: PolicyCompliance
Severity: red-4
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Incorrectwildcard templateentry
Description: TheMandatory optiondoes not supportwildcard characterstherefore you mustenter the exact textwhen you select theMandatory option.
■ UNIX (30254)■ Windows 2000
(239254)■ Windows 2003
(242254)■ Windows 2008
(255254)
String ID:WILDCARD_WITH_MANDATORY_R
Category: ESM Error
160Understanding the ESM Oracle Database ModulesAbout the Oracle Roles module
Table 2-99 Message for Granted roles (continued)
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
Granted privilegesThis check reports the privileges and the associated users and roles that violatethe conditions that you specify in the template. Use the name list to enable or disablethe template file.
The following table lists the message for the check.
Table 2-100 Message for Granted privileges
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Grantedprivileges
Description: Thesystem privilegesthat are granted arenot as per theconditions that arespecified in thetemplate.
■ UNIX (30251)■ Windows 2000
(239251)■ Windows 2003
(242251)■ Windows 2008
(255251)
String ID:SYSTEM_PRIVILEGES_TEMPLATE_G
Category: PolicyCompliance
161Understanding the ESM Oracle Database ModulesAbout the Oracle Roles module
Table 2-100 Message for Granted privileges (continued)
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: red-4
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Grantedprivileges
Description: Thesystem privilegesthat are granted arenot as per theconditions that arespecified in thetemplate.
■ UNIX (30252)■ Windows 2000
(239252)■ Windows 2003
(242252)■ Windows 2008
(255252)
String ID:SYSTEM_PRIVILEGES_TEMPLATE_R
Category: PolicyCompliance
Severity: yellow-1
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Grantedprivileges
Description: Thesystem privilegesthat are granted arenot as per theconditions that arespecified in thetemplate.
■ UNIX (30253)■ Windows 2000
(239253)■ Windows 2003
(242253)■ Windows 2008
(255253)
String ID:SYSTEM_PRIVILEGES_TEMPLATE_Y
Category: PolicyCompliance
Severity: red-4
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Incorrectwildcard templateentry
Description: TheMandatory optiondoes not supportwildcard characterstherefore you mustenter the exact textwhen you select theMandatory option.
■ UNIX (30254)■ Windows 2000
(239254)■ Windows 2003
(242254)■ Windows 2008
(255254)
String ID:WILDCARD_WITH_MANDATORY_R
Category: ESM Error
162Understanding the ESM Oracle Database ModulesAbout the Oracle Roles module
Table 2-100 Message for Granted privileges (continued)
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
Automatically update snapshotsEnable this check to automatically update the snapshots with the current information.
DBA equivalent rolesUse the name list to include or exclude roles for the Granted Oracle DBA role checkto report on.
Deleted nested roleThis check reports the nested roles that were removed from parent roles since thelast snapshot update. Use the name list to include or exclude the roles for thischeck.
The following table lists the message for the check.
163Understanding the ESM Oracle Database ModulesAbout the Oracle Roles module
Table 2-101 Message for Deleted nested role
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: yellow-1
Correctable: false
SnapshotUpdatable: true
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Nested roledeleted
Description: Thenested role wasdropped from roleafter the lastsnapshot update. Ifthe deletion isauthorized, updatethe snapshot. If thedeletion is notauthorized, restorethe nested role.
■ UNIX (30245)■ Windows 2000
(239245)■ Windows 2003
(242245)■ Windows 2008
(255245)
String ID:ORA_DELETED_ROLE_ROLE
Category: ChangeNotification
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
Deleted privilegesThis check reports privileges that were dropped from the roles after the last snapshotupdate. Use the name list to exclude the roles for this check.
If the deletion is authorized, Symantec recommends that you either update thesnapshot or restore the privilege.
The following table lists the message for the check.
164Understanding the ESM Oracle Database ModulesAbout the Oracle Roles module
Table 2-102 Message for Deleted privileges
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: yellow-1
Correctable: false
SnapshotUpdatable: true
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Deleted roleprivilege
Description: Thedirectly grantedprivilege wasdropped from therole after the lastsnapshot update. Ifthe deletion isauthorized, updatethe snapshot. If thedeletion is notauthorized, restorethe privilege to therole.
■ UNIX (30241)■ Windows 2000
(239241)■ Windows 2003
(242241)■ Windows 2008
(255241)
String ID:ORA_DELETED_ROLE_PRIVILEGE
Category: ChangeNotification
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
Deleted rolesThis check reports roles that have been deleted from the database since the lastsnapshot update. Use the name list to exclude the roles for this check.
If the deletion is authorized, Symantec recommends that you either update thesnapshot or restore the role.
The following table lists the message for the check.
165Understanding the ESM Oracle Database ModulesAbout the Oracle Roles module
Table 2-103 Message for Deleted roles
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: yellow-1
Correctable: false
SnapshotUpdatable: true
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Deleted role
Description: Therole was deletedfrom the databaseafter the lastsnapshot update.Update thesnapshot if thedeletion isauthorized; restorethe role if thedeletion is notauthorized.
■ UNIX (30238)■ Windows 2000
(239238)■ Windows 2003
(242238)■ Windows 2008
(255238)
String ID:ORA_DELETED_ROLES
Category: ChangeNotification
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
Grantable nested roleThis check reports the grantable roles that have been granted to other roles. Usethe name list to exclude the grantee roles for this check.
Symantec recommends that you periodically review the grantable nested roles toensure that they are currently authorized for the roles where they reside and thatthe roles are currently authorized to grant the nested roles.
The following table lists the message for the check.
166Understanding the ESM Oracle Database ModulesAbout the Oracle Roles module
Table 2-104 Message for Grantable nested roles
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Grantablenested role
Description: Therole includes thenested grantablerole. Verify that therole granted to thegrantee isauthorized, and thatthe grantee isauthorized to havethe grantable role.
■ UNIX (30246)■ Windows 2000
(239246)■ Windows 2003
(242246)■ Windows 2008
(255246)
String ID:ORA_GRANTABLE_ROLE_ROLE
Category: SystemInformation
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
Grantable privilegesThis check reports the grantable privileges that have been granted to the roles. Usethe name list to exclude the roles for this check.
Symantec recommends that you periodically review all grantable role privileges toensure that the grantable privilege is appropriate for the role. You must revokegrantable role privileges from the users who are not authorized to grant them.
The following table lists the message for the check.
167Understanding the ESM Oracle Database ModulesAbout the Oracle Roles module
Table 2-105 Message for Grantable privileges
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Grantable roleprivilege
Description: Theprivilege of the roleis grantable. Verifythat the privilege isappropriate for therole.
■ UNIX (30242)■ Windows 2000
(239242)■ Windows 2003
(242242)■ Windows 2008
(255242)
String ID:ORA_GRANTABLE_ROLE_PRIVILEGE
Category: SystemInformation
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
Granted Oracle DBA roleThis check reports users and roles that have been directly granted to an Oracledatabase administrator (DBA) role or equivalent. Use the name list to exclude theusers for this check.
Symantec recommends that you either revoke the DBA roles from unauthorizedusers or tightly control the database administrator rights.
The following table lists the message for the check.
168Understanding the ESM Oracle Database ModulesAbout the Oracle Roles module
Table 2-106 Message for Granted Oracle DBA role
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: yellow-1
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: User grantedOracle DBA role
Description: Theuser has beengranted thedatabaseadministrator (DBA)role or equivalent.DBAs have fullrights to system andapplication data,including creatingnew users androles, grantingaccess rights, anddeleting databases.Revoke DBAprivileges fromunauthorized usersimmediately, andtightly controladministrator rights.
■ UNIX (30230)■ Windows 2000
(239230)■ Windows 2003
(242230)■ Windows 2008
(255230)
String ID:ORA_DBA_ROLE_USERS
Category: PolicyCompliance
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
Nested rolesThis check reports roles and the nested roles that they contain. Use the name listto include or exclude the roles for this check.
169Understanding the ESM Oracle Database ModulesAbout the Oracle Roles module
Table 2-107 Message for Nested roles
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Nested role
Description: Therole has beendirectly granted tothe role.
■ UNIX (30243)■ Windows 2000
(239243)■ Windows 2003
(242243)■ Windows 2008
(255243)
String ID:ORA_ROLE_ROLE
Category: SystemInformation
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
New nested rolesThis check reports roles that were directly granted to other roles after the lastsnapshot update. Use the name list to include or exclude the roles for this check.
If the change is authorized, Symantec recommends that you either update thesnapshot or drop the nested role.
The following table lists the message for the check.
170Understanding the ESM Oracle Database ModulesAbout the Oracle Roles module
Table 2-108 Message for New nested roles
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: yellow-1
Correctable: false
SnapshotUpdatable: true
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: New nestedrole
Description: Therole was directlygranted to the roleafter the lastsnapshot update. Ifthe addition isauthorized, updatethe snapshot. If theaddition is notauthorized, drop thenested role from therole.
■ UNIX (30244)■ Windows 2000
(239244)■ Windows 2003
(242244)■ Windows 2008
(255244)
String ID:ORA_ADDED_ROLE_ROLE
Category: ChangeNotification
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
New privilegesThis check reports privileges that were directly granted to roles after the lastsnapshot update. Use the name list to exclude the roles for this check.
If the new privilege is authorized, Symantec recommends that you either updatethe snapshot or drop the privilege from the role.
The following table lists the message for the check.
171Understanding the ESM Oracle Database ModulesAbout the Oracle Roles module
Table 2-109 Message for New privileges
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: yellow-1
Correctable: false
SnapshotUpdatable: true
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: New roleprivilege
Description: Theprivilege wasdirectly granted tothe role after the lastsnapshot update. Ifthe addition isauthorized, updatethe snapshot. If theaddition is notauthorized, drop theprivilege from therole.
■ UNIX (30240)■ Windows 2000
(239240)■ Windows 2003
(242240)■ Windows 2008
(255240)
String ID:ORA_ADDED_ROLE_PRIVILEGE
Category: ChangeNotification
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
New rolesThis check reports roles that were added to the database after the last snapshotupdate. Use the name list to exclude the roles for this check.
If the new role is authorized, Symantec recommends that you either update thesnapshot or drop the role.
The following table lists the message for the check.
172Understanding the ESM Oracle Database ModulesAbout the Oracle Roles module
Table 2-110 Message for New roles
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: yellow-1
Correctable: false
SnapshotUpdatable: true
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: New role
Description: Therole was added tothe database afterthe last snapshotupdate. If theaddition isauthorized, updatethe snapshot. If theaddition is notauthorized, deletethe role.
■ UNIX (30237)■ Windows 2000
(239237)■ Windows 2003
(242237)■ Windows 2008
(255237)
String ID:ORA_ADDED_ROLES
Category: ChangeNotification
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
Oracle system identifiers (SIDs)Use the name list to include the Oracle system identifiers (SIDs) for this check. Bydefault, the check examines all the SIDs that you specify when you configure theSymantec ESM modules for the Oracle databases. On Windows, the configurationfor Symantec ESMModules for Oracle Databases is stored in \esm\config\oracle.datfile. On UNIX, the configuration for Symantec ESM Modules for Oracle Databasesis stored in /esm/config/oracle.dat file.
PUBLIC role accessThis check reports the tables that users can access with a PUBLIC role and theprivileges that are used.
173Understanding the ESM Oracle Database ModulesAbout the Oracle Roles module
Symantec recommends that you control the permissions that are granted to thePUBLIC role. The preferred method of granting access is to give EXECUTE to theprocedures.
The following table lists the message for the check.
Table 2-111 Message for PUBLIC role access
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Tableaccessible toPUBLIC
Description: Thetable is accessibleto all users throughthe PUBLIC roleprivilege.
■ UNIX (30234)■ Windows 2000
(239234)■ Windows 2003
(242234)■ Windows 2008
(255234)
String ID:ORA_PUBLIC_ACCESS
Category: PolicyCompliance
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
Password-protected default roleThis check reports the password-protected default roles of the roles.
For example:
■ Create a Role ‘Role A.’
■ Create another role that is identified by a password ‘Role B’.
■ Assign ‘Role B’ to ‘Role A.Now ‘Role B’ is the default password-protected role of Role A and the checkreports 'Role B', which is the default password-protected role of ‘Role A.’
174Understanding the ESM Oracle Database ModulesAbout the Oracle Roles module
The default roles do not require any passwords. Usually, a password-protected rolehas the privileges or roles that require authorization. Users with password-protecteddefault roles are not required to enter their passwords to use the roles. Use thename list to exclude the roles for this check.
Symantec recommends that for an unauthorized user, you either assign a differentdefault role to the user or remove the password protection from the role.
The following table lists the message for the check.
Table 2-112 Message for Password-protected default role
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: yellow-1
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Default rolerequires password
Description: Thedefault role ispassword protected.Password protectedroles usually includeprivileges that aresecurity sensitive. Ifthe role is a role'sdefault role, the roleis not required toenter a password.Verify that thepassword protectedrole is authorized tobe a default role.
■ UNIX (30247)■ Windows 2000
(239247)■ Windows 2003
(242247)■ Windows 2008
(255247)
String ID:ORA_DEFAULT_ROLE_PASS_REQUIRED
Category: SystemInformation
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
175Understanding the ESM Oracle Database ModulesAbout the Oracle Roles module
PrivilegesThis check reports privileges that have been granted to roles. Use the name list toexclude the roles for this check.
Symantec recommends that you add or remove the privileges for the roles asappropriate. Periodically, you must review the roles to ensure that the privilegesgranted to them are consistent with the current user duties.
The following table lists the message for the check.
Table 2-113 Message for Privileges
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Role privilege
Description: Therole includes theprivilege that isreported in the Infofield.
■ UNIX (30239)■ Windows 2000
(239239)■ Windows 2003
(242239)■ Windows 2008
(255239)
String ID:ORA_ROLE_PRIVILEGE
Category: SystemInformation
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
RolesThis check reports roles that are defined in the database. Use the name list toexclude the roles for this check.
Symantec recommends that you remove the roles that are not authorized or areout of date. Periodically, you must review the roles to ensure that they are currentlyauthorized.
The following table lists the message for the check.
176Understanding the ESM Oracle Database ModulesAbout the Oracle Roles module
Table 2-114 Message for Roles
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Defined role
Description: Therole is defined forthe SID.
■ UNIX (30236)■ Windows 2000
(239236)■ Windows 2003
(242236)■ Windows 2008
(255236)
String ID:ORA_EXISTING_ROLES
Category: SystemInformation
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
Roles without passwordsThis check reports the roles that do not require passwords. The roles that areauthenticated as External or Global are skipped. Use the name list to exclude theroles for this check.
If the role could be exploited to give the users access to security-related information,Symantec recommends that you password-protect the role. You can control thepermissions that are granted to roles that do not require passwords.
The following table lists the message for the check.
177Understanding the ESM Oracle Database ModulesAbout the Oracle Roles module
Table 2-115 Message for Roles without passwords
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: yellow-1
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Password notrequired for role
Description: Therole is not passwordprotected.
■ UNIX (30233)■ Windows 2000
(239233)■ Windows 2003
(242233)■ Windows 2008
(255233)
String ID:ORA_ROLE_PASSWORD
Category: PolicyCompliance
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
About the Oracle SID Discovery moduleChecks in this module report the following information:
■ Detects new Oracle database instances.
■ Reports deleted Oracle database instances.
■ Provides an option to automatically configure the newly discovered Oracledatabase instances.
■ Provides an option to automatically remove the deleted Oracle databaseinstances that are still configured.
Note: The Oracle SID Discovery is a host-based module.
178Understanding the ESM Oracle Database ModulesAbout the Oracle SID Discovery module
Editing default settingsUse the checks in this group to edit the default settings for all the security checksin the module.
Reporting SID DiscoveryThe Symantec ESM module for Oracle SID Discovery includes four checks that letyou automate the detection and the configuration of the oracle database instanceson the host computer.
You can use the Symantec ESM module for Oracle SID Discovery to detect andconfigure newly detected database instances and the database instances that havebeen uninstalled.
Configuring the Oracle database instances by using the Discoverymodule
The ESM Oracle Discovery module is a host-based module that automates theprocess of detection and configuration of new database instances that are not yetconfigured on the local ESM agent computers. The ESM Oracle Discovery modulealso detects the deleted database instances that are still configured on the ESMagent computers. The ESMOracle Discovery module lets you delete the uninstalleddatabase instances from the ESM agent computers.
Configuring a new Oracle database instanceTo report on the Oracle database instance, you should first configure the Oracledatabase instance on an ESM agent computer.
To configure a new Oracle database instance
1 Run the Discovery module on the ESM agent computers that have Oracledatabase installed.
The module lists all the new database instances that were not previouslyconfigured.
2 Select multiple database instances and do one of the following:
■ Right-click, select Correction option, and enter your system account orpre-created account credentials.The Correction option configures the database instances with SYSTEMaccount credentials or pre-created account credentials.
■ Right-click and select Snapshot Update option.
179Understanding the ESM Oracle Database ModulesAbout the Oracle SID Discovery module
The Snapshot Update option configures the database instance with / asSYSDBA method.
Note: The / as SYSDBA method does not work in case of Oracle Real ApplicationCluster (RAC). You must use the correct option and specify pre-created accountcredentials.
Removing deleted instancesAlthough you may have deleted an Oracle database instance, the configurationinformation still exists in the ESMmodule. As a result, when you execute the module,it reports the deleted Oracle database instances as deleted database instances.
To remove deleted instances
1 Run the Discovery module on the target ESM agent computers.
Themodule lists all the deleted database instances that were configured earlier.
2 Select multiple database instances, right-click and select the Snapshot Updateoption.
The Snapshot Update option deletes the configuration information of suchinstances
Automatically Add New InstanceThis check automatically configures all the newly detected instances. This checkworks with the Detect New Instance check. You can use this check to automatethe module to connect to each newly detected database instance by using the / assysdba method. In case of a successful connection, the module configures theinstance by adding entry in the oracle.dat file.
An error message displays if the module fails to connect to the newly detecteddatabase instance by using the / as sysdbamethod. You can right-click the messageand click Correct to connect to the newly detected database instance. You haveto use the SYSTEM or pre-created account credentials to connect to the newlydetected database instance.
Note: This check does not work in case of Oracle Real Application Cluster (RAC).You must use the correct option and specify pre-created account credentials.
180Understanding the ESM Oracle Database ModulesAbout the Oracle SID Discovery module
Oratab file locationsThis check works with the Detect New Instance and Detect Retired Instancechecks. Use the name list of theOratab file locations check to specify the directorypaths that contains the oratab file. Apart from the directory paths that are specifiedin the name list, the check also takes into consideration the following:
■ Checks for the default location of the oratab file.
■ Considers only the directory paths as valid entries in the name list.
■ Checks for the presence of the oratab file for every specified path.
■ Collects information from multiple oratab files.
This check is only supported on UNIX.
Automatically Delete Retired InstanceThis check works with theDetect Retired Instance check and automatically deletesthe corresponding retired server records from the configuration file. You can usethis check to automate the module, to detect the uninstalled database instances orto detect the instances that are unavailable, and then to delete the correspondingentries from the oracle.dat file.
Default TablespaceYou can use this option to enter the default tablespace name in the DefaultTablespace text box. The check reports an error message if the tablespace thatyou specify does not exist in the database. However, the check continues with theconfiguration of the rest of the SIDs.
Detect New InstanceOn UNIX, this check reports the instances that are newly discovered on the ESMagent computers and which are not configured in the ESMOracle configuration file.These instances should be present in the oratab file and the corresponding Oracleservice of the instances should also be available.
On Windows, this check reports the instances that are newly discovered on theESM agent computers and which are not configured in the ESMOracle configurationfile. The corresponding Oracle service of the instances should also be available inrunning state. Use the name list to include or exclude the Oracle SIDs from theconfiguration file.
On both UNIX andWindows, this check lets you use theCorrect and the SnapshotUpdate options from the console. With the Correct option, you can configure the
181Understanding the ESM Oracle Database ModulesAbout the Oracle SID Discovery module
database instance by using the SYSTEM account or a pre-created account. Withthe Snapshot Update option, you can configure the database instance by using the/as sysdba method. You can check the EsmOraConfig.log file for details.
The following table lists the messages for the check.
Table 2-116 Messages for Detect New Instance
AdditionalInformation
Message TitleandDescription
Platform andMessageNumeric ID
Message String ID andCategory
Severity: yellow-1
Correctable: true
SnapshotUpdatable: true
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: NewInstance
Description: Anew instance hasbeen detected onthe localcomputer. Toconfigure thenewly detectedinstance, eitheruse the Updateoption toconfigure usingSYSDBA methodor use the Correctoption to providethe appropriatelogon credentials.
■ UNIX (31831)■ Windows 2000
(240831)■ Windows 2003
(243831)■ Windows 2008
(256831)
String ID:ESM_ORACLE_NEW_INSTANCE_DETECTED
Category: ESM AdministrativeInformation
Severity: yellow-1
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Added NewInstance
Description: Anew serverinstance has beendetected. Theconfigurationrecord for thenewly detectedinstance has beensuccessfullyadded to theconfiguration file.
■ UNIX (31832)■ Windows 2000
(240832)■ Windows 2003
(243832)■ Windows 2008
(256832)
String ID:ESM_ORACLE_NEW_INSTANCE_ADDED
Category: ESM AdministrativeInformation
182Understanding the ESM Oracle Database ModulesAbout the Oracle SID Discovery module
Table 2-116 Messages for Detect New Instance (continued)
AdditionalInformation
Message TitleandDescription
Platform andMessageNumeric ID
Message String ID andCategory
Severity: yellow-1
Correctable: true
SnapshotUpdatable: true
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Failed toAddNew Instance
Description: Themodule failed toadd a record inthe configurationfile for the newinstance that wasdetected using theSYSDBAmethod.Use the Correctoption or Updateoption forconfiguring thenewly detectedinstance.
■ UNIX (31833)■ Windows 2000
(240833)■ Windows 2003
(243833)■ Windows 2008
(256833)
String ID:ESM_ORACLE_ADD_INSTANCE_FAILED
Category: ESM AdministrativeInformation
Detect Retired InstanceOnWindows, this check reports all the instances that are present in the ESMOracleconfiguration file, but the Oracle service is unavailable.
Note:The Check SID process only text box is only applicable for the UNIX platforms.
On UNIX, this check reports all the instances that are present in the ESM Oracleconfiguration file and are not there in the oratab file or the Oracle service isunavailable. If you specify zero in Check SID process only the text box, the checkverifies the state of Oracle instance if its entry is present in the oratab file. If youspecify one in the text box, the check reports the retired Oracle instance irrespectiveof its presence in the oratab file.
The following table lists the messages for the check.
183Understanding the ESM Oracle Database ModulesAbout the Oracle SID Discovery module
Table 2-117 Messages for Detect Retired Instance
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: yellow-1
Correctable: false
SnapshotUpdatable: true
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: RetiredInstance
Description: Aretired instance hasbeen detected onthe local computer.The configurationfile contains theconfigurationinformation for theRetired serverinstance. Use theUpdate option todelete theconfigurationinformation from theESM Oracleconfiguration file.
■ UNIX (31834)■ Windows 2000
(240834)■ Windows 2003
(243834)■ Windows 2008
(256834)
String ID:ESM_ORACLE_DEL_INSTANCE_DETECTED
Category: ESMAdministrative Information
Severity: yellow-1
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: DeletedRetired Instance
Description: Theconfiguration recordfor the retiredinstance has beendeleted from theESM Oracleconfiguration file.
■ UNIX (31835)■ Windows 2000
(240835)■ Windows 2003
(243835)■ Windows 2008
(256835)
String ID:ESM_ORACLE_INSTANCE_DELETED
Category: ESMAdministrative Information
ProfileYou can use the name list in this check to provide the profile name and the passwordparameters. If the profile that you specify exists in the database, then the moduleuses the existing profile. If the profile that you specify does not exist in the database,then the module creates a new profile with the parameters that you specify in thename list.
Following are the default values of the profile name and the password parameters:
■ PROFILE=DEFAULT
184Understanding the ESM Oracle Database ModulesAbout the Oracle SID Discovery module
■ FAILED_LOGIN_ATTEMPTS=DEFAULT
■ PASSWORD_GRACE_TIME=DEFAULT
■ PASSWORD_LIFE_TIME=DEFAULT
■ PASSWORD_LOCK_TIME=DEFAULT
■ PASSWORD_REUSE_MAX=DEFAULT
■ PASSWORD_REUSE_TIME=DEFAULT
■ PASSWORD_VERIFY_FUNCTION=DEFAULT
Temporary TablespaceYou can use this option to enter the temporary tablespace name in the TemporaryTablespace text box. If the tablespace that you specify does not exist in thedatabase, then the module uses the default temporary tablespace to create theESMDBA account.
Detect Instance:ListenerYou can use this option to detect oracle instances from the listener.ora file alongwith the oratab file. This check works with the Detect New Instance and DetectRetired Instance checks. This check takes into consideration only the defaultlocation of the listener.ora file.
This check discovers only those instances that have the SID_LIST_LISTENERparameter configured.
Create user in RAC databaseThis check works with the Automatically Add New Instance check and createsthe ESM login account ESMDBA_<hostname> in the RAC database. The hostname is of the RAC node on which the discovery module is executed.
About the Oracle Tablespace moduleThis module checks for the tablespaces that are based on the options that you havespecified.
185Understanding the ESM Oracle Database ModulesAbout the Oracle Tablespace module
Creating a baseline snapshotTo establish a baseline, run the Tablespace module. This creates a snapshot ofcurrent account information that you can update when you run the checks thatreport new, deleted, or changed information.
Editing default settingsUse the check in this group to edit the default settings for all the security checks inthe module.
Reporting tablespacesThe checks in this group report the existing tablespaces and the tablespaces thathave been added or deleted since the last snapshot update.
Reporting tablespace datafilesThe checks in this group report the existing datafiles and the datafiles that wereadded to or dropped from the database after the last snapshot update.
Reporting SYSTEM tablespace informationThe checks in this group report objects in the SYSTEM tablespace and users whosedefault or temporary tablespace is the SYSTEM tablespace.
Reporting DBA tablespace quotasThe checks in this group report violations of MAX_BYTES and MAX_BLOCKStablespace quotas.
Automatically update snapshotsEnable this check to automatically update the snapshots with the current information.
Deleted tablespace datafilesThis check works with the New tablespace datafiles check and reports the datafilesthat were deleted after the last snapshot update. Use the name list to exclude thetablespaces for this check.
If the deletion is authorized, Symantec recommends that you either update thesnapshot or restore the datafile.
The following table lists the message for the check.
186Understanding the ESM Oracle Database ModulesAbout the Oracle Tablespace module
Table 2-118 Message for Deleted tablespace datafiles
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: yellow-1
Correctable: false
SnapshotUpdatable: true
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Deletedtablespace datafile
Description: Thetablespace datafilethat is reported inthe TablespaceDatafile field wasdropped from thereported tablespaceafter the lastsnapshot update. Ifthe deletion isauthorized, updatethe snapshot. If thedeletion is notauthorized, restorethe datafile to thetablespace.
■ UNIX (30435)■ Windows 2000
(239435)■ Windows 2003
(242435)■ Windows 2008
(255435)
String ID:ORA_DELETED_DATAFILE
Category: ChangeNotification
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
Deleted tablespacesThis check reports the tablespaces that were deleted from the Oracle databaseafter the last snapshot update. Use the name list to exclude the authorizedtablespaces for this check.
If the deletion is authorized, Symantec recommends that you either update thesnapshot or restore the tablespace.
The following table lists the message for the check.
187Understanding the ESM Oracle Database ModulesAbout the Oracle Tablespace module
Table 2-119 Message for Deleted tablespaces
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: yellow-1
Correctable: false
SnapshotUpdatable: true
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Deleted Oracletablespace
Description: Thetablespace that isreported in theDatabaseTablespace fieldwas deleted afterthe last snapshotupdate. If thedeletion isauthorized, updatethe snapshot. If thedeletion is notauthorized, restorethe tablespace.
■ UNIX (30432)■ Windows 2000
(239432)■ Windows 2003
(242432)■ Windows 2008
(255432)
String ID:ORA_DELETED_TABLESPACE
Category: ChangeNotification
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
MAX_BLOCKS in DBA_TS_QUOTASThis check reports users with resource rights to tablespaces whoseMAX_BLOCKSvalues exceed the value that you specify in the check. For an unlimited number ofbytes, specify -1 in the MAX_BLOCKS field. Use the name list to exclude anyauthorized users for this check.
Symantec recommends that you drop the user or change the user's MAX_BLOCKSsetting for the tablespace.
The following table lists the message for the check.
188Understanding the ESM Oracle Database ModulesAbout the Oracle Tablespace module
Table 2-120 Message for MAX_BLOCKS in DBA_TS_QUOTAS
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: yellow-1
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title:MAX_BLOCKS pertablespaceexceeded
Description: Theuser exceeds themaximumnumber ofMAX_BLOCKS inDBA_TS_QUOTASfor the tablespacethat is reported inthe Info field. Dropthe user or changethe user'sMAX_BLOCKSsetting for thereported tablespace.
■ UNIX (30439)■ Windows 2000
(239439)■ Windows 2003
(242439)■ Windows 2008
(255439)
String ID:ORA_MAX_BLOCKS_QUOTA
Category: PolicyCompliance
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
MAX_BYTES in DBA_TS_QUOTASThis check reports users with resource rights to tablespaces whose MAX_BYTESvalues exceed the value that you specify in the check. For an unlimited number ofbytes, specify -1 in the MAX_BYTES field. Use the name list to exclude anyauthorized users for this check.
Symantec recommends that you drop the user or change the user's MAX_BYTESsetting for the tablespace.
The following table lists the message for the check.
189Understanding the ESM Oracle Database ModulesAbout the Oracle Tablespace module
Table 2-121 Message for MAX_BYTES in DBA_TS_QUOTAS
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: yellow-1
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: MAX_BYTESper tablespaceexceeded
Description: Theuser exceeds themaximumnumber ofMAX_BYTES inDBA_TS_QUOTASfor the tablespacethat is reported inthe Info field. Dropthe user or changethe user'sMAX_BYTESsetting for thereported tablespace.
■ UNIX (30438)■ Windows 2000
(239438)■ Windows 2003
(242438)■ Windows 2008
(255438)
String ID:ORA_MAX_BYTES_QUOTA
Category: PolicyCompliance
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
New tablespace datafilesThis check reports the datafiles that were added to tablespaces after the lastsnapshot update. Use the name list to exclude the tablespaces for this check.
If the change is authorized, Symantec recommends that you either update thesnapshot or drop the datafile from the tablespace.
The following table lists the message for the check.
190Understanding the ESM Oracle Database ModulesAbout the Oracle Tablespace module
Table 2-122 Message for New tablespace datafiles
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: yellow-1
Correctable: false
SnapshotUpdatable: true
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Newtablespace datafile
Description: Thetablespace datafilethat is reported inthe TablespaceDatafile field wasadded to thetablespace after thelast snapshotupdate. If theaddition isauthorized, updatethe snapshot. If theaddition is notauthorized, drop thedatafile from thetablespace.
■ UNIX (30434)■ Windows 2000
(239434)■ Windows 2003
(242434)■ Windows 2008
(255434)
String ID:ORA_ADDED_DATAFILE
Category: ChangeNotification
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
New tablespacesThis check reports the tablespaces that were created in the Oracle database afterthe last snapshot update. Use the name list to exclude the authorized tablespacesfor this check.
If the addition is authorized, Symantec recommends that you either update thesnapshot or delete the new tablespace.
The following table lists the message for the check.
191Understanding the ESM Oracle Database ModulesAbout the Oracle Tablespace module
Table 2-123 Message for New tablespaces
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: yellow-1
Correctable: false
SnapshotUpdatable: true
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: New Oracletablespace
Description: Thetablespace that isreported in theDatabaseTablespace fieldwas created afterthe last snapshotupdate. If thetablespace isauthorized, updatethe snapshot. If thetablespace is notauthorized, delete it.
■ UNIX (30431)■ Windows 2000
(239431)■ Windows 2003
(242431)■ Windows 2008
(255431)
String ID:ORA_ADDED_TABLESPACE
Category: ChangeNotification
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
Objects in SYSTEM tablespaceThis check reports tables and indexes that are in the SYSTEM tablespace. Use thename list to exclude users (owners) for this check.
Symantec recommends that you ensure only authorized objects reside in theSYSTEM tablespace.
The following table lists the message for the check.
192Understanding the ESM Oracle Database ModulesAbout the Oracle Tablespace module
Table 2-124 Message for Object in SYSTEM tablespace
AdditionalInformation
Message Title andDescription
Platform and MessageNumeric ID
MessageString IDand Category
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Object inSYSTEMtablespace
Description: Theobject that isreported in theTablespace Objectfield is in theSYSTEMtablespace. Dropthe object or move itto an authorizedtablespace.
■ UNIX (30436)■ Windows 2000
(239436)■ Windows 2003
(242436)■ Windows 2008
(255436)
String ID:ORA_TAB_IN_SYS_TABLESPACE
Category: PolicyCompliance
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrativeInformation
Oracle system identifiers (SIDs)Use the name list to include the Oracle system identifiers (SIDs) for this check. Bydefault, the check examines all the SIDs that you specify when you configure theSymantecESMmodules for the Oracle databases. OnWindows, the Symantec ESMmodules for Oracle Databases configuration are stored in \esm\config\oracle.datfile. On UNIX, the Symantec ESM modules for Oracle Databases configuration arestored in /esm/config/oracle.dat file.
Oracle tablespacesUse the name list to include or exclude the tables for the You can use this optionto specify tables for the MAX_BYTES in DBA_TS_QUOTAS and MAX_BLOCKSin DBA_TS_QUOTAS checks.
193Understanding the ESM Oracle Database ModulesAbout the Oracle Tablespace module
SYSTEM tablespace assigned to userThis check reports the users whose default or temporary tablespaces are theSYSTEM tablespace. Use the name list to exclude users for this check.
Symantec recommends that you ensure only authorized objects reside in theSYSTEM tablespace.
The following table lists the message for the check.
Table 2-125 Message for SYSTEM tablespace assigned to user
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: SYSTEMtablespace assignedto user
Description: Theuser that is reportedin the User fielduses the SYSTEMtablespace as adefault or temporarytablespace. Dropthe user or changethe user'stablespace.
■ UNIX (30437)■ Windows 2000
(239437)■ Windows 2003
(242437)■ Windows 2008
(255437)
String ID:ORA_USER_USING_SYS_TABLESPACE
Category: PolicyCompliance
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
Tablespace datafilesThis check reports the locations of all tablespace datafiles if the Permission settingis 0. Otherwise, the check reports either tablespace datafiles that have filepermissions which are less restrictive than you specify in the Permission field, ortablespace datafiles that have UID/GIDs which do not match the corresponding
194Understanding the ESM Oracle Database ModulesAbout the Oracle Tablespace module
UID/GIDs in the Oracle database. In the check’s TablespacestoSkip field, specifytablespaces that are to be excluded for the check. In the Permission field, specifya permission value as a three-digit octal number. Use the name list to exclude thetablespaces for this check.
If the file permissions are less restrictive than your security policy, you must specifya permission value for the datafile that matches with your security policy. Periodically,you must review the tablespace datafiles to ensure that they are authorized andthat the file permissions match with your security policy.
The following table lists the messages for the check.
Table 2-126 Messages for Tablespace datafiles
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Tablespace file
Description: Thetablespace datafileis reported in theTablespace Datafilefield.
■ UNIX (30433)String ID:ORA_DATAFILE
Category: SystemInformation
Severity: yellow-2
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Tablespace filepermission
Description: Thetablespace datafilepermission isexcessive, or itsownership does notmatch thecorrespondingOracle databasepermissions.
■ UNIX (30440)String ID:ORA_DATAFILE_PERM
Category: PolicyCompliance
195Understanding the ESM Oracle Database ModulesAbout the Oracle Tablespace module
Table 2-126 Messages for Tablespace datafiles (continued)
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [""]
Title: Locked Oraclefile
Description: Filepermissions cannotbe reported becausethe file is being usedby another process.
■ UNIX (30008)String ID:ORA_FILE_LOCKED
Category: System Error
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [""]
Title: Oracle File orfolder not found
Description: Filepermissions cannotbe reported becausethe file beingreferenced cannotbe found.
■ UNIX (30009)String ID:ORA_FILE_NOT_FOUND
Category: System Error
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Oracle Folderpermissions
Description: ReportsDirectorypermissions.
■ UNIX (30010)ORA_DIRECTORY_PERMS
Category: System Error
196Understanding the ESM Oracle Database ModulesAbout the Oracle Tablespace module
Table 2-126 Messages for Tablespace datafiles (continued)
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Functionalitynot Supported
Description: Thisfunctionality is notsupported by ESMoracle app module.
■ UNIX (30011)ORA_NOT_SUPPORTED
Category: SystemInformation
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Tablespace file
Description: TheASM managedtablespace datafileis reported in theTablespace Datafilefield.
■ UNIX (30041)ORA_ASM_DATAFILE
Category: SystemInformation
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
Tablespace datafilesThis check reports the locations of all the tablespace datafiles and lists all theOperating system accounts that have permissions on the file. Use the name list toexclude the tablespaces for this check.
If the file permissions are less restrictive than your security policy, you must specifya permission value for the datafile that matches with your security policy. Periodically,
197Understanding the ESM Oracle Database ModulesAbout the Oracle Tablespace module
you must review the tablespace datafiles to ensure that they are authorized andthat the file permissions match with your security policy.
The following table lists the messages for the check.
Table 2-127 Messages for Tablespace datafiles
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Tablespace file
Description: Thetablespace datafileis reported in theTablespace Datafilefield.
■ Windows 2000(239433)
■ Windows 2003(242433)
■ Windows 2008(255433)
String ID:ORA_DATAFILE
Category: SystemInformation
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [""]
Title:Locked Oraclefile
File permissionscannot be reportedbecause the file isbeing used byanother process.
■ Windows 2000(239434)
■ Windows 2003(242434)
■ Windows 2008(255434)
String ID:ORA_FILE_LOCKED
Category: System Error
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [""]
Title: Oracle File orfolder not found
Description: Filepermissions cannotbe reported becausethe file beingreferenced cannotbe found.
■ Windows 2000(239435)
■ Windows 2003(242435)
■ Windows 2008(255435)
String ID:ORA_FILE_NOT_FOUND
Category: System Error
198Understanding the ESM Oracle Database ModulesAbout the Oracle Tablespace module
Table 2-127 Messages for Tablespace datafiles (continued)
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Oracle Folderpermissions
Description: ReportsDirectorypermissions.
■ Windows 2000(239436)
■ Windows 2003(242436)
■ Windows 2008(255436)
String ID:ORA_DIRECTORY_PERMS
Category: System Error
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Functionalitynot Supported
Description: Thisfunctionality is notsupported by ESMoracle app module.
■ Windows 2000(239436)
■ Windows 2003(242436)
■ Windows 2008(255436)
String ID:ORA_NOT_SUPPORTED
Category: SystemInformation
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Tablespace file
Description: TheASM managedtablespace datafileis reported in theTablespace Datafilefield.
■ Windows 2000(239437)
■ Windows 2003(242437)
■ Windows 2008(255437)
ORA_ASM_DATAFILE
Category: SystemInformation
199Understanding the ESM Oracle Database ModulesAbout the Oracle Tablespace module
Table 2-127 Messages for Tablespace datafiles (continued)
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ Windows 2003(30014)
■ Windows 2008(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
TablespacesThis check reports all the tablespaces that are created in the Oracle database. Onthe Oracle 11g and later versions, the check also reports the encryption status ofthe tablespaces. Use the name list to exclude the authorized tablespaces for thischeck.
Symantec recommends that you periodically review the tablespaces to ensure thatthey are all authorized.
The following table lists the message for the check.
Table 2-128 Message for Tablespaces
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: Oracletablespace
Description: Thetablespace isdefined in thedatabase.
■ UNIX (30430)■ Windows 2000
(239430)■ Windows 2003
(242430)■ Windows 2008
(255430)
String ID:ORA_TABLESPACE
Category: SystemInformation
200Understanding the ESM Oracle Database ModulesAbout the Oracle Tablespace module
Table 2-128 Message for Tablespaces (continued)
AdditionalInformation
Message Title andDescription
Platform andMessageNumericID
Message String ID andCategory
Severity: green-0
Correctable: false
SnapshotUpdatable: false
TemplateUpdatable: false
Information FieldFormat: [%s]
Title: ESM checksexecuted on OracleSID
Description: Thechecks are executedon the Oracle SID.
■ UNIX (30014)■ Windows 2003
(30014)■ Windows 2008
(30014)
String ID:ORA_SID_PROCESSED
Category: ESMAdministrative Information
201Understanding the ESM Oracle Database ModulesAbout the Oracle Tablespace module
Working with the Oracletemplates
This chapter includes the following topics:
■ Templates
■ About the Oracle Profiles template
■ About the Oracle Roles template
■ About the Oracle System Privileges template
■ About the Oracle Roles template
■ About the Oracle System Privileges template
■ About the Oracle Configuration Watch template
■ About the Oracle Net Configuration Watch template
■ About the Oracle Object Privileges template
■ About the Oracle Patch template
■ About the Oracle Critical Object template
■ About the Oracle Auditing template
TemplatesSeveral of the documented modules use templates to store the Oracle databaseparameters and object settings. The differences between the current settings andtemplate values are reported when the modules run. Modules use templates tostore Oracle database parameters and object settings.
3Chapter
Table 3-1 UNIX Templates
Predefined templateTemplate nameCheck nameModule
oraaudit.oadOracle AuditingAudit settingsOracle Auditing
NAOracle ConfigurationWatch
Oracle configurationwatch
Oracle Configuration
NAOracle NetConfiguration Watch
Oracle netconfiguration watch
Oracle Networks
oraclecriticalobjects.rcoOracle CriticalObjects
Critical ObjectsOracle Objects
oracleobjectprivileges.oopOracle ObjectPrivileges
Object PrivilegesOracle Objects
oraclefw.fwNew File -allNew FileFile Watch
orabin.aixNew File - AIXNew FileFile Watch
orabin.hpxNew File - HP-UXNew FileFile Watch
orabin.liNew File - LinuxNew FileFile Watch
orabin.solNew File - SolarisNew FileFile Watch
orapatch.orpOracle PatchTemplate filesOracle Patches
ora_cpu_psu.orpOracle PatchOracle Templatefiles
Oracle Patches
NAOracle SystemPrivileges
Granted privilegesOracle Roles
NAOracle RolesGranted rolesOracle Roles
NAOracle ProfilesProfile settingsOracle Profiles
Table 3-2 Windows Templates
Predefined templateTemplate nameCheck nameModule
oraaudit.oadOracle AuditingAudit settingsOracle Auditing
NAOracle ConfigurationWatch
Oracle configurationwatch
Oracle Configuration
NAOracle NetConfiguration Watch
Oracle netconfiguration watch
Oracle Networks
203Working with the Oracle templatesTemplates
Table 3-2 Windows Templates (continued)
Predefined templateTemplate nameCheck nameModule
oraclecriticalobjects.rcoOracle Critical ObjectsCritical ObjectsOracle Objects
oracleobjectprivileges.oopOracle ObjectPrivileges
Object PrivilegesOracle Objects
orawinpatch.orpOracle PatchTemplate filesOracle Patches
ora_cpu_psu.orpOracle PatchOracle Templatefiles
Oracle Patches
NAOracle SystemPrivileges
Granted privilegesOracle Roles
NAOracle RolesGranted rolesOracle Roles
NAOracle ProfilesProfile settingsOracle Profiles
About the Oracle Profiles templateIn the Oracle Profiles module, the Profile settings check uses the Oracle Profilestemplate. The check reports the profile settings that do not match the settings thatare specified in the template.
Creating the Oracle Profiles templateYou must create and enable a new Oracle Profiles template before you run theProfile settings check.
To create an Oracle Profiles template
1 In the tree view, right-click Templates, and then click New.
2 In the Create New Template dialog box, select Oracle Profiles - all.
3 In the Template file name (no extension) text box, type new template filename.
4 After Symantec ESM adds the .opa extension to the template file name, clickOK.
About using the Oracle Profiles templateThe Oracle Profiles template contains the following fields:
204Working with the Oracle templatesAbout the Oracle Profiles template
Table 3-3 Field and Values/Options descriptions
Values/OptionsDescriptionField
Enter a name for the profile.Lets you specify the name ofthe profile.
Profile Name
Enter the number ofconcurrent sessions for auser.
Lets you specify number ofconcurrent sessions for auser.
Sessions per User
Enter the CPU time a call.Lets you specify the CPUtime for a call.
CPU time per call
Enter a connection time foran account.
Lets you specify theconnection time for anaccount.
Connection time
Enter the idle time that yourequire before the process isdisconnected.
Lets you specify the idle timethat is required before aprocess is disconnected.
Idle time
Enter a number to allow failedlogin attempts.
Lets you specify a period forthe failed login attempts.
Failed logins
Enter a number for thepassword grace period.
Lets you specify thepassword grace period.
Password grace time
Enter password duration forthe number of failed logonattempts, password gracetime, password duration,password lock time, andpassword reuserequirements.
Lets you specify the settingsfor the number of failed logonattempts, password gracetime, password duration,password lock time, andpassword reuse requirementsthat violate your securitypolicy.
Password duration
Enter a number for thepassword lock time period.
Lets you specify thepassword lock time period.
Password lock time
Enter a number to specify themaximum period for thepassword usage.
Lets you specify themaximum period for thepassword usage.
Password reuse max
Enter a number to specify themaximum period for thepassword reuse.
Lets you specify themaximum period before thepassword can be reused.
Password reuse time
205Working with the Oracle templatesAbout the Oracle Profiles template
Table 3-3 Field and Values/Options descriptions (continued)
Values/OptionsDescriptionField
Enter a password complexityfunction.
Lets you specify thepassword complexityfunctions.
Password verify function
■ GreenSelect Green for anInformation message.
■ YellowSelect Yellow for aWarning message.
■ RedSelect Red for an Errormessage.
Lets you specify the severityfor the messages that thecheck reports.
Severity
About the Oracle Roles templateIn the Oracle Rolesmodule, theGranted roles check uses the Oracle Role template.The check lets you report on the roles that you specify in the template.
Creating the Oracle Roles templateYou must create and enable a new Oracle Roles template before you run theGranted roles check.
To create an Oracle Roles template
1 In the tree view, right-click Templates, and then click New.
2 In the Create New Template dialog box, select Oracle Roles - all.
3 In the Template file name (no extension) text box, type new template filename.
4 After Symantec ESM adds the .ogr extension to the template file name, clickOK.
About using the Oracle Roles templateThe Oracle Roles template contains the following fields:
206Working with the Oracle templatesAbout the Oracle Roles template
Table 3-4 Field and Values/Options descriptions
Wildcard supportValues/OptionsDescriptionField
You can use thewildcard character '*'while specifying therole.
Enter the name of arole for the check toreport on.
Lets you specify therole that you want thecheck to report on.
Role
You can use thewildcard character '*'while specifying thegrantee.
Enter the name of thegrantee.
Lets you specify thename of the grantee.
Grantee
NASelect the Adminoption for the grantee.The options are asfollows:
■ Yes (With Adminoptions)
■ No (WithoutAdmin options)
■ Either(With/withoutAdmin options)
Lets you specify theAdmin option for thegrantee.
Admin option
NA■ ProhibitedESM reports amessage if theprivilege is foundon the Oracledatabase.
■ MandatoryESM reports amessage if theprivilege is notfound on theOracle database.
Lets you specifywhether you wantESM to report thespecified privileges asmandatory orprohibited.
Required
NANALets you specify anadditional comment.
Comment
207Working with the Oracle templatesAbout the Oracle Roles template
Table 3-4 Field and Values/Options descriptions (continued)
Wildcard supportValues/OptionsDescriptionField
NA■ GreenSelect Green foran Informationmessage.
■ YellowSelect Yellow fora Warningmessage.RedSelect Red for anError message.
Lets you specify theseverity for themessages that thecheck reports.
Severity
NAEnter an Oracleversion.
If you do not enter anOracle version, thecheck reports on allthe Oracle databaseversions.
Lets you specify theOracle version for thecheck to report on.
Version
NA■ ExcludeSelect theprivilege or thegrantee that youwant to excludefor the check toreport on.
■ NameEnter the namefor the privilege orthe grantee.
Lets you display theTemplate SublistEditor window whenyou click the ExcludeList field.
Exclude List
About the Oracle System Privileges templateIn the Oracle Roles module, theGranted privileges check uses the Oracle SystemPrivileges template. The check lets you report on the system privileges that youspecify in the template.
208Working with the Oracle templatesAbout the Oracle System Privileges template
Creating the Oracle System Privileges templateYou must create and enable a new Oracle System Privileges template before yourun the Granted privileges check.
To create an Oracle System Privileges template
1 In the tree view, right-click Templates, and then click New.
2 In the Create New Template dialog box, select Oracle System Privileges - all.
3 In the Template file name (no extension) text box, type new template file name.
4 After Symantec ESM adds the .osp extension to the template file name, clickOK.
About using the Oracle System Privileges templateThe Oracle System Privileges template contains the following fields:
Table 3-5 Field and Values/Options descriptions
Wildcard supportValues/OptionsDescriptionField
You can use thewildcard character '*'while specifying theprivilege.
Enter a privilegename for the check toreport on.
Lets you specify theprivilege that youwant the check toreport on.
Privilege
You can use thewildcard character '*'while specifying thegrantee.
Enter the name of thegrantee.
Lets you specify thename of the grantee.
Grantee
NASelect the Adminoption for the grantee.The options are asfollows:
■ Yes (With Adminoptions)
■ No (WithoutAdmin options)
■ Either(With/withoutAdmin options)
Lets you specify theAdmin option for thegrantee.
Admin option
209Working with the Oracle templatesAbout the Oracle System Privileges template
Table 3-5 Field and Values/Options descriptions (continued)
Wildcard supportValues/OptionsDescriptionField
NA■ ProhibitedESM reports amessage if theprivilege is foundon the Oracledatabase.
■ MandatoryESM reports amessage if theprivilege is notfound on theOracle database.
■ AllowedESM reports amessage if all theprivileges are notfound on theOracle database.
Lets you specifywhether you wantESM to report thespecified privileges asmandatory,prohibited, or allowed.
Required
NANALets you specify anadditional comment.
Comment
NA■ GreenSelect Green foran Informationmessage.
■ YellowSelect Yellow fora Warningmessage.RedSelect Red for anError message.
Lets you specify theseverity for themessages that thecheck reports.
Severity
NAEnter an Oracleversion.
If you do not enter anOracle version, thecheck reports on allthe Oracle databaseversions.
Lets you specify theOracle version for thecheck to report on.
Version
210Working with the Oracle templatesAbout the Oracle System Privileges template
Table 3-5 Field and Values/Options descriptions (continued)
Wildcard supportValues/OptionsDescriptionField
NA■ ExcludeSelect theprivilege or thegrantee that youwant to excludefor the check toreport on.
■ NameEnter the namefor the privilege orthe grantee.
Lets you display theTemplate SublistEditor window whenyou click the ExcludeList field.
Exclude List
About the Oracle Roles templateIn the Oracle Rolesmodule, theGranted roles check uses the Oracle Role template.The check lets you report on the roles that you specify in the template.
Creating the Oracle Roles templateYou must create and enable a new Oracle Roles template before you run theGranted roles check.
To create an Oracle Roles template
1 In the tree view, right-click Templates, and then click New.
2 In the Create New Template dialog box, select Oracle Roles - all.
3 In the Template file name (no extension) text box, type new template filename.
4 After Symantec ESM adds the .ogr extension to the template file name, clickOK.
About using the Oracle Roles templateThe Oracle Roles template contains the following fields:
211Working with the Oracle templatesAbout the Oracle Roles template
Table 3-6 Field and Values/Options descriptions
Wildcard supportValues/OptionsDescriptionField
You can use thewildcard character '*'while specifying therole.
Enter the name of arole for the check toreport on.
Lets you specify therole that you want thecheck to report on.
Role
You can use thewildcard character '*'while specifying thegrantee.
Enter the name of thegrantee.
Lets you specify thename of the grantee.
Grantee
NASelect the Adminoption for the grantee.The options are asfollows:
■ Yes (With Adminoptions)
■ No (WithoutAdmin options)
■ Either(With/withoutAdmin options)
Lets you specify theAdmin option for thegrantee.
Admin option
NA■ ProhibitedESM reports amessage if theprivilege is foundon the Oracledatabase.
■ MandatoryESM reports amessage if theprivilege is notfound on theOracle database.
■ AllowedESM reports amessage if all theprivileges are notfound on theOracle database.
Lets you specifywhether you wantESM to report thespecified privileges asmandatory,prohibited, or allowed.
Required
NANALets you specify anadditional comment.
Comment
212Working with the Oracle templatesAbout the Oracle Roles template
Table 3-6 Field and Values/Options descriptions (continued)
Wildcard supportValues/OptionsDescriptionField
NA■ GreenSelect Green foran Informationmessage.
■ YellowSelect Yellow fora Warningmessage.RedSelect Red for anError message.
Lets you specify theseverity for themessages that thecheck reports.
Severity
NAEnter an Oracleversion.
If you do not enter anOracle version, thecheck reports on allthe Oracle databaseversions.
Lets you specify theOracle version for thecheck to report on.
Version
NA■ ExcludeSelect theprivilege or thegrantee that youwant to excludefor the check toreport on.
■ NameEnter the namefor the privilege orthe grantee.
Lets you display theTemplate SublistEditor window whenyou click the ExcludeList field.
Exclude List
About the Oracle System Privileges templateIn the Oracle Roles module, theGranted privileges check uses the Oracle SystemPrivileges template. The check lets you report the privileges and the associatedusers and roles that violate the conditions that you specify in the template.
213Working with the Oracle templatesAbout the Oracle System Privileges template
Creating the Oracle System Privileges templateYou must create and enable a new Oracle System Privileges template before yourun the Granted privileges check.
To create an Oracle System Privileges template
1 In the tree view, right-click Templates, and then click New.
2 In the Create New Template dialog box, select Oracle System Privileges - all.
3 In the Template file name (no extension) text box, type new template file name.
4 After Symantec ESM adds the .osp extension to the template file name, clickOK.
About using the Oracle System Privileges templateThe Oracle System Privileges template contains the following fields:
Table 3-7 Field and Values/Options descriptions
Wildcard supportValues/OptionsDescriptionField
You can use thewildcard character '*'while specifying theprivilege.
Enter a privilegename for the check toreport on.
Lets you specify theprivilege that youwant the check toreport on.
Privilege
You can use thewildcard character '*'while specifying thegrantee.
Enter the name of thegrantee.
Lets you specify thename of the grantee.
Grantee
NASelect the Adminoption for the grantee.The options are asfollows:
■ Yes (With Adminoptions)
■ No (WithoutAdmin options)
■ Either(With/withoutAdmin options)
Lets you specify theAdmin option for thegrantee.
Admin option
214Working with the Oracle templatesAbout the Oracle System Privileges template
Table 3-7 Field and Values/Options descriptions (continued)
Wildcard supportValues/OptionsDescriptionField
NA■ ProhibitedESM reports amessage if theprivilege is foundon the Oracledatabase.
■ MandatoryESM reports amessage if theprivilege is notfound on theOracle database.
■ AllowedESM reports amessage if all theprivileges are notfound on theOracle database.
Lets you specifywhether you wantESM to report thespecified privileges asmandatory,prohibited, or allowed.
Required
NANALets you specify anadditional comment.
Comment
NA■ GreenSelect Green foran Informationmessage.
■ YellowSelect Yellow fora Warningmessage.RedSelect Red for anError message.
Lets you specify theseverity for themessages that thecheck reports.
Severity
NAEnter an Oracleversion.
If you do not enter anOracle version, thecheck reports on allthe Oracle databaseversions.
Lets you specify theOracle version for thecheck to report on.
Version
215Working with the Oracle templatesAbout the Oracle System Privileges template
Table 3-7 Field and Values/Options descriptions (continued)
Wildcard supportValues/OptionsDescriptionField
NA■ ExcludeSelect theprivilege or thegrantee that youwant to excludefor the check toreport on.
■ NameEnter the namefor the privilege orthe grantee.
Lets you display theTemplate SublistEditor window whenyou click the ExcludeList field.
Exclude List
About the Oracle Configuration Watch templateThe Oracle configuration watch check of the Oracle configuration module usesthe Oracle Configuration Watch template. By using this template, the check letsyou enable or disable the templates that specify initialization and the configurationparameters that should be watched.
Creating the Oracle Configuration Watch templateYou must create and enable a new Oracle Configuration Watch template beforeyou run the Oracle configuration watch check.
To create an Oracle Configuration Watch template
1 In the tree view, right-click Templates, and then click New.
2 In the Create New Template dialog box, select Oracle Configuration Watch- all.
3 In the Template file name (no extension) text box, type new template filename.
4 After Symantec ESM adds the .ocw extension to the template file name, clickOK.
About using the Oracle Configuration Watch templateThe Oracle Configuration Watch template contains the following fields:
216Working with the Oracle templatesAbout the Oracle Configuration Watch template
Table 3-8 Field and Values/Options descriptions
Values/OptionsDescriptionField
NALets you specify a descriptionfor the parameter that youenter in the Parameter field.
Description
Enter the configuration orinitialization parameter ofOracle that you want thecheck to report on.
Lets you specify theparameter.
Parameter
Select the check box toexamine the runtime values.
Lets you select this check boxif you want this check toexamine the runtime values.
Runtime Value
■ OptionalReports the parametervalues that violate thevalue that is defined ininit<SID>.ora.
■ RequiredReport a violation if theparameter is not definedin init<SID>.ora.
■ SkippedIgnore the parametervalue that is defined ininit<SID>.ora.
Lets you specify an optionalvalue.
Init File Value
217Working with the Oracle templatesAbout the Oracle Configuration Watch template
Table 3-8 Field and Values/Options descriptions (continued)
Values/OptionsDescriptionField
■ Prohibited ValueSelect the check box todesignate the value asprohibited.
■ ValueEnter a regular expressionor as a numericcomparison.■ You can use the
following specialcases:+
■ NULL or nullempty string
If the value begins withone of the followingnumeric comparisonoperators, a numericcomparison is performed:
■ =equal to
■ <less than
■ >greater than
■ !=not equal to
■ <=less than or equal to
■ >=greater than or equal to
Note: If you specify a pathname in the value, you needto escape the ‘\’ character byusing another ‘\’.
Note: For example, specifythe path namec:\test\test.txt asfollows:c:\\test\\test.txt.
Lets you specify a value forthe parameter by using theTemplate Sublist Editor.
Parameter Values
218Working with the Oracle templatesAbout the Oracle Configuration Watch template
Table 3-8 Field and Values/Options descriptions (continued)
Values/OptionsDescriptionField
■ GreenSelect Green for anInformation message.
■ YellowSelect Yellow for aWarning message.
■ RedSelect Red for an Errormessage.
Specify the severity for themessages that ESM reportswhen the parameter value isviolated.
Severity
■ emptyAll releases (default if norelease specified)
■ 9.0Release 9.0.x
■ +9Release 9.2.x and later
■ +10Release 10.2.x and later
■ +11Release 11.1.x and later
Lets you specify the Oracleversion of the target serverthat you want the check toreport on.
Oracle Version
Select the check box todisplay the configurationvalue.
Lets you select this check boxif you want this check todisplay the configurationvalue.
Display configuration value
About the Oracle Net Configuration Watch templateThe Oracle net configuration watch check of the Oracle networks module usesthe Oracle Net Configuration Watch template. By using this template, the checkreports on the Oracle Listener, Sqlnet, and Names configuration parameter valuesthat violate conditions of the corresponding template parameters.
Creating the Oracle Net Configuration Watch templateYoumust create and enable a newOracle Net ConfigurationWatch template beforeyou run the Oracle net configuration watch check.
219Working with the Oracle templatesAbout the Oracle Net Configuration Watch template
To create an Oracle Net Configuration Watch template
1 In the tree view, right-click Templates, and then click New.
2 In the Create New Template dialog box, select Oracle Net Watch - all.
3 In the Template file name (no extension) text box, type new template filename.
4 After Symantec ESM adds the .onw extension to the template file name, clickOK.
About using the Oracle Net Configuration Watch templateThe Oracle Net Configuration Watch template contains the following fields:
Table 3-9 Field and Values/Options descriptions
Values/OptionsDescriptionField
NALets you specify a descriptionfor the parameter that youenter in the Parameter field.
Description
Enter a name of theparameter that you want thecheck to report on.
Lets you specify a parametername.
Parameter
220Working with the Oracle templatesAbout the Oracle Net Configuration Watch template
Table 3-9 Field and Values/Options descriptions (continued)
Values/OptionsDescriptionField
■ Listener ControlParameterLets the Symantec ESMcompare the values in theOracle Net Watchtemplate with theparameter values in thelistener.ora file.
■ Sqlnet Profile ParameterLets the Symantec ESMcompare the values in theOracle Net Watchtemplate with theparameter values in thesqlnet.ora file.
■ Oracle Names ParameterLets the Symantec ESMcompare the values in theOracle Net Watchtemplate with theparameter values in thenames.ora file.
Lets you select a parametertype.
Parameter Type
Select the check box for thecheck to report on thisparameter.
Note:Symantec ESM reportsif this parameter is not foundand if the parameter is foundbut fails the comparison withtemplate values. If you do notselect this check box, thenSymantec ESM reports onlyif this parameter is found andfails the template comparison.
Lets you select this check boxif you want this parameter asrequired.
Required Parameter
221Working with the Oracle templatesAbout the Oracle Net Configuration Watch template
Table 3-9 Field and Values/Options descriptions (continued)
Values/OptionsDescriptionField
Lets you specify a value forthe parameter by using theTemplate Sublist Editor.
Parameter Values
222Working with the Oracle templatesAbout the Oracle Net Configuration Watch template
Table 3-9 Field and Values/Options descriptions (continued)
Values/OptionsDescriptionField
■ Prohibited ValueSelect the check box todesignate the value asprohibited.
■ ValueEnter a regular expressionor as a numericcomparison.■ You can use the
following specialcases:+‘+’ character
■ NULL or nullempty string
If the value begins withone of the followingnumeric comparisonoperators, a numericcomparison is performed:
■ =equal to
■ <less than
■ >greater than
■ !=not equal to
■ <=less than or equal to
■ >=greater than or equal to
Note: If you specify a pathname in the value, you needto escape the ‘\’ character byusing another ‘\’.
Note: For example, specifythe path namec:\test\test.txt asfollows:
223Working with the Oracle templatesAbout the Oracle Net Configuration Watch template
Table 3-9 Field and Values/Options descriptions (continued)
Values/OptionsDescriptionField
c:\\test\\test.txt.
■ GreenSelect Green for anInformation message.
■ YellowSelect Yellow for aWarning message.
■ RedSelect Red for an Errormessage.
Specify the severity for themessages that ESM reportswhen the parameter value isviolated.
Severity
■ 9.0Release 9.0.x
■ +9Release 9.2.x and later
■ +10Release 10.2.x and later
■ +11Release 11.1.x and later
Lets you specify the Oracleversion of the target serverthat you want the check toreport on.
Oracle Version
See “Examples of using the Oracle Net ConfigurationWatch template” on page 224.
Examples of using the Oracle Net Configuration Watch templateThis section contains examples on the values that you must enter in the templatefield for the check to report on.
Table 3-10 contains the template field and its respective values that you must enterif you want to check on the valid configuration parameters.
224Working with the Oracle templatesAbout the Oracle Net Configuration Watch template
Table 3-10 Examples of Listener Control Parameter
ValueOracle fileParameter type
■ ADMIN_RESTRICTIONS■ LOG_FILE■ PASSWORDS■ SAVE_CONFIG_ON_STOP■ STARTUP_WAIT_TIME■ TRACE_DIRECTORY,
TRACE_FILE■ ADMIN_RESTRICTIONS_LISTENER■ INBOUND_CONNECT_TIMEOUT_LIS
TENER■ LOGGING_LISTENER■ LOG_DIRECTORY■ LOG_FILE_LISTENER■ PASSWORDS_LISTENER■ SAVE_CONFIG_ON_STO_LISTENER
P■ SSL_CLIENT_AUTHENTICATION_LIS
TENER■ STARTUP_WAIT_TIME_LISTENER■ TRACE_DIRECTORY_LISTENER■ TRACE_FILE_LISTENER■ TRACE_FILELEN_LISTENER■ TRACE_FILENO_LISTENER■ TRACE_LEVEL_LISTENER■ TRACE_TIMESTAMP_LISTENER■ USE_CKPFILE■ LOCAL_OS_AUTHENTICATION■ SUBSCRIBE_FOR_NODE_DOWN_EVE
NT
listener.oraListener Control Parameter
Table 3-11 contains the template field and its respective values that you must enterif you want to check on the valid configuration parameters.
225Working with the Oracle templatesAbout the Oracle Net Configuration Watch template
Table 3-11 Examples of Sqlnet Profile Parameter
ValueOracle fileParameter type
■ BEQUEATH_DETACH■ DAEMON.TRACE_DIRECTORY■ DISABLE_OOB■ LOG_DIRECTORY_CLIENT■ LOG_DIRECTORY_SERVER■ NAMES.CONNECT_TIMEOUT
sqlnet.oraSqlnet Profile Parameter
Table 3-12 contains the template field and its respective values that you must enterif you want to check on the valid configuration parameters.
Table 3-12 Examples of Oracle Names Parameter
ValueOracle fileParameter type
■ NAMES.ADDRESSES■ NAMES.ADMIN_REGION■ NAMES.AUTHORITY_REQUIRED■ NAMES.CONFIG_CHECKPOINT_FILE■ NAMES.DOMAIN_HINTS■ NAMES.LOG_FILE
names.oraOracle Names Parameter
About the Oracle Object Privileges templateThe Object Privileges check of the Oracle objects module uses the Oracle ObjectPrivileges template. By using this template, the check lets you report on the objectprivileges that you specify in the template.
Creating the Oracle Object Privileges templateYou must create and enable a new Oracle Object Privileges template before yourun the Object Privileges check.
To create an Oracle Object Privileges template
1 In the tree view, right-click Templates, and then click New.
2 In the Create New Template dialog box, select Oracle Object PrivilegesWatch - all.
226Working with the Oracle templatesAbout the Oracle Object Privileges template
3 In the Template file name (no extension) text box, type new template filename.
4 After Symantec ESM adds the .oop extension to the template file name, clickOK.
About using the Oracle Object Privileges templateThe Oracle Object Privileges template contains the following fields:
Table 3-13 Field and Values/Options descriptions
Values/OptionsDescriptionField
Enter the name of the objectthat you want the check toreport on.
Lets you specify an objectname that you want the checkto report on.
Object Name
Enter the owner name of theobject that you want thecheck to report on.
Lets you specify an ownername of the object that youwant the check to report on.
Owner
NALets you enter additionalcomments on the object.
Comments
■ GreenSelect Green for anInformation message.
■ YellowSelect Yellow for aWarning message.
■ RedSelect Red for an Errormessage.
Lets you select the severityfor the messages that thecheck reports on the data.
Severity
■ 9.0Release 9.0.x
■ +9Release 9.2.x and later
■ +10Release 10.2.x and later
■ +11Release 11.1.x and later
Lets you specify the Oracleversion of the target serverthat you want the check toreport on.
Version
227Working with the Oracle templatesAbout the Oracle Object Privileges template
Table 3-13 Field and Values/Options descriptions (continued)
Values/OptionsDescriptionField
Lets you specify the privilegesby using the TemplateSublist Editor.
Privilege List
228Working with the Oracle templatesAbout the Oracle Object Privileges template
Table 3-13 Field and Values/Options descriptions (continued)
Values/OptionsDescriptionField
■ RequiredLets you specify if theexistence of the object onthe target server ismandatory, prohibited, orallowed.■ Prohibited
Object must not exist.■ Mandatory
Object must exist.■ Allowed
Object existence isallowed.
■ Object PrivilegeLets you enter the accessprivileges based on thedatabase objects that youspecify in the ObjectName field.
■ GrantorLets you enter the nameof the grantor based onthe object name andobject privileges that youspecify in the ObjectName and ObjectPrivilege fieldsrespectively.
■ GranteeLets you enter the nameof the grantee based onthe object name andobject privileges that youspecify in the ObjectName and ObjectPrivilege fieldsrespectively.
■ With Grant OptionSelect this check box ifyou want the privilegeswith grant options that youspecify in the Object
229Working with the Oracle templatesAbout the Oracle Object Privileges template
Table 3-13 Field and Values/Options descriptions (continued)
Values/OptionsDescriptionField
Privilege field to bereported.
■ ExcludeSpecify the privilege thatyou want to exclude.You can specify one of thefollowing:■ Object Name
Select this option ifyou want to excludethe name of the object.
■ OwnerSelect this option ifyou want to excludethe owner of theobject.
■ Object PrivilegeSelect this option ofyou want to excludethe privileges of theobject.
■ GrantorSelect this option ifyou want to excludethe grantor of theobject.
■ GranteeSelect this option ifyou want to excludethe grantee of theobject.
■ NameEnter the name of theobject that you want toexclude.
Lets you exclude the objectprivileges by using theTemplate Sublist Editor.
Exclude List
230Working with the Oracle templatesAbout the Oracle Object Privileges template
About the Oracle Patch templateThe Patch information check of the Oracle patches module uses the Oracle Patchtemplate. By using this template, the check reports information about the patchesthat have been released within the number of days that you specify in the check.
Creating the Oracle Patch templateYoumust create and enable a new Oracle Patch template before you run the Patchinformation check.
To create an Oracle Patch template
1 In the tree view, right-click Templates, and then click New.
2 In the Create New Template dialog box, select Oracle Patch - all.
3 In the Template file name (no extension) text box, type new template filename.
4 After Symantec ESM adds the .orp extension to the template file name, clickOK.
About using the Oracle Patch templateThe Oracle Patch template contains the following fields:
Table 3-14 Field and Values/Options descriptions
Values/OptionsDescriptionField
Enter the patch versionnumber that you want thecheck to report on.
Lets you specify the Oracledatabase version of the targetserver that you want thecheck to report on.
Version
231Working with the Oracle templatesAbout the Oracle Patch template
Table 3-14 Field and Values/Options descriptions (continued)
Values/OptionsDescriptionField
Lets you specify the platformof the target server that youwant the check to report on.
Platform
232Working with the Oracle templatesAbout the Oracle Patch template
Table 3-14 Field and Values/Options descriptions (continued)
Values/OptionsDescriptionField
■ AllSelect this value for thecheck to report on allplatforms.
■ aixSelect this value for thecheck to report on Aixplatforms.
■ hpux-hppaSelect this value for thecheck to report onHpux-hppa platforms.
■ linuxSelect this value for thecheck to report on Linuxplatforms.
■ solaris-sparcSelect this value for thecheck to report onSolaris-sparc platforms.
■ hpux-ia64Select this value for thecheck to report onHpux-ia64 platforms.
■ hpux-hppa/HP-UX 10.20Select this value for thecheck to report on HP-UX10.20 platforms.
■ redhat-x86Select this value for thecheck to report on RedHatplatforms.
■ WIN2KSelect this value for thecheck to report on allWindows 2000 platforms.
■ WIN3SSelect this value for thecheck to report on allWindows 2003 platforms.
■ WIN8S
233Working with the Oracle templatesAbout the Oracle Patch template
Table 3-14 Field and Values/Options descriptions (continued)
Values/OptionsDescriptionField
Select this value for thecheck to report on allWindows 2008 platforms.
Enter the name of the productthat is installed on the server.For example, OracleDatabase server.
Lets you specify the productname that is installed on theserver.
Note: The check does notconsider the product name forthe verification report.
Product
Enter the ID that you want thecheck to report on.
Lets you specify the ID thatyou want the check to reporton.
ID
Enter the Patch ID that youwant the check to report on.
Lets you specify the Patch IDthat you want the check toreport on.
The check reports a violationif the Patch ID that youspecify in the template isgreater than the Patch ID thatis applied on the targetserver.
Patch ID
Enter the date in the followingformat: YYYY/MM/DD.
Lets you specify the releasedate of the Patch.
Date
■ AllSelect this value for thecheck to report on allprocessors.
■ 32 bitsSelect this value for thecheck to report on 32-bitprocessor.
■ 64 bitsSelect this value for thecheck to report on 64-bitprocessor.
Lets you specify thearchitecture of the server thatyou want the check to reporton.
Architecture
NALets you enter a descriptionfor the patch.
Description
234Working with the Oracle templatesAbout the Oracle Patch template
Table 3-14 Field and Values/Options descriptions (continued)
Values/OptionsDescriptionField
Select the patch set.Lets you select the patch set.Patch Set
■ Patch IDEnter the name of thepatch ID that you want tomerge.
Lets you specify the patchesthat you want to merge byusing the Template SublistEditor.
Merged Patches
About the Oracle Critical Object templateThe Critical objects check of the Oracle Objects module uses the Oracle CriticalObject template. By using this template, the check iterates through all objects andreports critical objects that you specify in the template.
Creating the Oracle Critical Object templateYou must create and enable a new Oracle Critical Object template before you runthe Critical objects check.
To create an Oracle Critical Object template
1 In the tree view, right-click Templates, and then click New.
2 In the Create New Template dialog box, select Oracle Critical Object - all.
3 In the Template file name (no extension) text box, type new template filename.
4 After Symantec ESM adds the .rco extension to the template file name, clickOK.
About using the Oracle Critical Object templateThe Oracle Critical Object template contains the following field:
Table 3-15 Field and Values/Options descriptions
Values/OptionsDescriptionField
Enter the name of the objectthat you want the check toreport on.
Lets you enter the objectname that you want the checkto report on.
Object
235Working with the Oracle templatesAbout the Oracle Critical Object template
About the Oracle Auditing templateIn the Oracle Auditing module, the Audit Setting check uses the Oracle Auditingtemplate. The check reports the audit settings that do not match the settings thatare specified in the template file.
The default templates are available for each supported operating system.
Creating the Oracle Auditing templateYou must create and enable a new Oracle Audting template before you run theAudit setting check.
To create a Oracle Auditing template
1 In the tree view, right-click Templates, and then click New.
2 In the Create New Template dialog box, select Oracle Auditing- all.
3 In the Template file name (no extension) text box, type new template filename. Symantec ESM adds the .oad extension to the template file name.
4 Click OK.
About using the Oracle Auditing templateThe Oracle Audting template contains the following fields:
Table 3-16 Field and Values/Options descriptions
Values/OptionsDescriptionField
■ PRIV (Privilege Auditing)Select this option if youwant the check to reporton the privileges.
■ STMT (Statementauditing)Select this option if youwant the check to reporton the statements.
Lets you specify an audit thatis based on either astatement or a privilege.
Audit Type
Enter the name of the auditoption.
For example: CREATESESSION
Lets you specify the auditoption for the audit type thatyou specify.
For example: PRIV
Audit Option
236Working with the Oracle templatesAbout the Oracle Auditing template
Table 3-16 Field and Values/Options descriptions (continued)
Values/OptionsDescriptionField
Enter the name of the user.
You can use the keyword,‘ANY’ while specifying theuser name.
Lets you specify the user whoexecutes the statement or theprivilege.
User
■ BY ACCESSThis option is based onper access auditing.
■ BY SESSIONThis option is based onper session auditing.
■ NOT SETThis session is not set forauditing.
■ IS SETThis option is either set forsession or accessauditing.
Lets you specify a state forthe audit that you specify.
Success
■ BY ACCESSThis option is based onper access auditing.
■ BY SESSIONThis option is based onper session auditing.
■ NOT SETThis session is not set forauditing.
■ IS SETThis option is either set forsession or accessauditing.
Lets you specify a state forthe audit that you specify.
Failure
237Working with the Oracle templatesAbout the Oracle Auditing template
Table 3-16 Field and Values/Options descriptions (continued)
Values/OptionsDescriptionField
■ GreenSelect Green for anInformation message.
■ YellowSelect Yellow for aWarning message.
■ RedSelect Red for an Errormessage.
Lets you specify the severitylevel for the audit type thatyou select.
Severity
238Working with the Oracle templatesAbout the Oracle Auditing template