Skip navigation.

Stephen Kost's E-Business Suite Security Blog

Syndicate content
Integrigy's Oracle Security Blog with information on security for the Oracle Database, Oracle E-Business Suite and other Oracle products.
Updated: 3 hours 58 min ago

What Is Oracle 12 Unified Auditing? The View UNIFIED_AUDIT_TRAIL with 94 Columns

Mon, 2014-11-24 06:00

What is Oracle 12c Unified Auditing? The short answer is the view UNIFED_AUDIT_TRAIL. This view consolidates all logging and auditing information into a single source. Regardless of using either Mixed Mode or Pure Unified Auditing, the SYS.UNIFIED_AUDIT_TRAIL can be used. 

The key column in SYS.UNIFIED_AUDIT_TRAIL is AUDIT_TYPE.  This column shows from which Oracle component the log data originated -

SYS.UNIFIED_AUDIT_TRAIL Component Sources

Column AUDIT_TYPE Value

Description

Number of Columns in Table

Standard

Standard auditing including SYS audit records

44

XS

Real Application Security (RAS)and RAS auditing

17

Label Security

Oracle Label Security

14

Datapump

Oracle Data Pump

2

FineGrainedAudit

Fine grained audit(FGA)

1

Database Vault

Data Vault(DV)

10

RMAN_AUDIT

Oracle RMAN

5

Direct path API

SQL*Loader Direct Load

1

 

Total

94

If you have questions, please contact us at mailto:info@integrigy.com

Reference Tags: AuditingOracle Database
Categories: APPS Blogs, Security Blogs

Oracle 12c Unified Auditing - Mixed Mode

Fri, 2014-11-21 06:00

Next in our blog series on Oracle 12 Unified Auditing is a discussion of Mixed Mode. Mixed Mode is the default auditing mode for Oracle 12c.  Oracle describes Mixed Mode auditing as a means of becoming familiar with Unified Auditing prior to migrating to Pure Unified Auditing.  Mixed Mode allows for all traditional, pre-12c log and audit functionality to co-exist with Unified Auditing.  More importantly, Mixed Mode will support any current Syslog-based logging solution.

Mixed mode auditing provides the following key capabilities –

  • All existing (pre-12c) auditing initialization configurations and parameters are used such as AUDIT_TRAILAUDIT_FILE_DESTAUDIT_SYS_OPERATIONS, and AUDIT_SYSLOG_LEVEL
  • The format of the audit records remains the same as in Oracle Database 11g Release 2
  • Writes mandatory audit records to the traditional audit trails
  • If the AUDIT_SYS_OPERATIONS initialization parameter is set to TRUE, writes audit records only to the traditional audit trails

With Mixed Mode, audit data can be found both in the traditional locations as well as in SYS.UNIFIED_AUDIT_TRAIL.  This is because the Unified Auditing Policy ORA_SECURECONFIG is enabled by default.  ORA_SECURECONFIG audits the same default audit settings from Oracle Database Release 11g.  Integrigy recommends to either periodically purge Unified Auditing data or disable the policy.  To disable ORA_SECURECONFIG policy follow the instructions in Oracle Support Note Doc ID 1624051.1.

The following table shows the definition of the default policy ORA_SECURECONFIG.  Note the column ‘Common’ that shows that the policy is defined for all PDBs (tenant) databases.

Mixed Mode Default Unified Policy ORA_SECURECONFIG

Audit Option

Option Type

Common

Integrigy Framework

ADMINISTER KEY MANAGEMENT

SYSTEM PRIVILEGE

YES

E11 - Privileged commands

ALTER ANY PROCEDURE

SYSTEM PRIVILEGE

YES

E13 – Objects

ALTER ANY SQL TRANSLATION PROFILE

SYSTEM PRIVILEGE

YES

E11 - Privileged commands

ALTER ANY TABLE

SYSTEM PRIVILEGE

YES

E13 – Objects

ALTER DATABASE

SYSTEM PRIVILEGE

YES

E11 - Privileged commands

ALTER DATABASE LINK

STANDARD ACTION

YES

E13 – Objects

ALTER PLUGGABLE DATABASE

STANDARD ACTION

YES

E11 - Privileged commands

ALTER PROFILE

STANDARD ACTION

YES

E14 - Modify configuration settings

ALTER ROLE

STANDARD ACTION

YES

E8 - Modify role

ALTER SYSTEM

SYSTEM PRIVILEGE

YES

E14 - Modify configuration settings

ALTER USER

STANDARD ACTION

YES

E6 - Modify user account

AUDIT SYSTEM

SYSTEM PRIVILEGE

YES

E11 - Privileged commands

CREATE ANY JOB

SYSTEM PRIVILEGE

YES

E13 – Objects

CREATE ANY LIBRARY

SYSTEM PRIVILEGE

YES

E13 – Objects

CREATE ANY PROCEDURE

SYSTEM PRIVILEGE

YES

E13 – Objects

CREATE ANY SQL TRANSLATION PROFILE

SYSTEM PRIVILEGE

YES

E11 - Privileged commands

CREATE ANY TABLE

SYSTEM PRIVILEGE

YES

E13 – Objects

CREATE DATABASE LINK

STANDARD ACTION

YES

E13 – Objects

CREATE DIRECTORY

STANDARD ACTION

YES

E13 – Objects

CREATE EXTERNAL JOB

SYSTEM PRIVILEGE

YES

E13 – Objects

CREATE PLUGGABLE DATABASE

STANDARD ACTION

YES

E11 - Privileged commands

CREATE PROFILE

STANDARD ACTION

YES

E11 - Privileged commands

CREATE PUBLIC SYNONYM

SYSTEM PRIVILEGE

YES

E13 – Objects

CREATE ROLE

STANDARD ACTION

YES

E7 - Create role

CREATE SQL TRANSLATION PROFILE

SYSTEM PRIVILEGE

YES

E13 – Objects

CREATE USER

SYSTEM PRIVILEGE

YES

E5 – Create user account

DROP ANY PROCEDURE

SYSTEM PRIVILEGE

YES

E13 – Objects

DROP ANY SQL TRANSLATION PROFILE

SYSTEM PRIVILEGE

YES

E13 - Objects

DROP ANY TABLE

SYSTEM PRIVILEGE

YES

E13 – Objects

DROP DATABASE LINK

STANDARD ACTION

YES

E13 – Objects

DROP DIRECTORY

STANDARD ACTION

YES

E13 – Objects

DROP PLUGGABLE DATABASE

STANDARD ACTION

YES

E11 - Privileged commands

DROP PROFILE

STANDARD ACTION

YES

E14 - Modify configuration settings

DROP PUBLIC SYNONYM

SYSTEM PRIVILEGE

YES

E13 – Objects

DROP ROLE

STANDARD ACTION

YES

E8 - Modify role

DROP USER

SYSTEM PRIVILEGE

YES

E6 - Modify user account

EXEMPT ACCESS POLICY

SYSTEM PRIVILEGE

YES

E14 - Modify configuration settings

EXEMPT REDACTION POLICY

SYSTEM PRIVILEGE

YES

E14 - Modify configuration settings

GRANT ANY OBJECT PRIVILEGE

SYSTEM PRIVILEGE

YES

E9 - Grant/revoke user privileges

GRANT ANY PRIVILEGE

SYSTEM PRIVILEGE

YES

E9 - Grant/revoke user privileges

GRANT ANY ROLE

SYSTEM PRIVILEGE

YES

E9 - Grant/revoke user privileges

LOGMINING

SYSTEM PRIVILEGE

YES

E12 - Modify audit and logging

LOGOFF

STANDARD ACTION

YES

E2 - Logoff

LOGON

STANDARD ACTION

YES

E1 - Login

PURGE DBA_RECYCLEBIN

SYSTEM PRIVILEGE

YES

E11 - Privileged commands

SET ROLE

STANDARD ACTION

YES

E11 - Privileged commands

TRANSLATE ANY SQL

SYSTEM PRIVILEGE

YES

E11 - Privileged commands

If you have questions, please contact us at mailto:info@integrigy.com

Reference Tags: AuditingOracle Database
Categories: APPS Blogs, Security Blogs

Oracle 12c Unified Auditing - Pure Mode

Wed, 2014-11-19 06:00

Continuing our blog series on Oracle 12 Unified Auditing is a discussion of Pure  Mode. Mixed mode is intended by Oracle to introduce Unified Auditing and provide a transition from the traditional Oracle database auditing.  Migrating to PURE Unified Auditing requires the database be stopped, the Oracle binary linked to uniaud_on, and then restarted.  This operation can be reversed if auditing needs to be changed back to Mixed Mode. 

When changing from Mixed to pure Unified Audit, two key changes occur.  The first is the audit trails are no longer written to their traditional pre-12c audit locations.  Auditing is consolidated into the Unified Audit views and stored using Oracle SecureFiles.  Oracle Secured Files use a proprietary format which means that Unified Audit logs cannot be viewed using editors such vi and may preclude or affect the use of third party logging solutions such as Splunk or HP ArcSight.  As such, Syslog auditing is not possible with Pure Unified Audit.

Unified Audit Mixed vs. Pure Mode Audit Locations

System Tables

Mixed Mode

Pure Unified Audit Impact

SYS.AUD$

Same as 11g

Exists, but will only have pre-unified audit records

SYS.FGA_LOG$

Same as 11g

Exists, but will only have pre-unified audit records

The second change is that the traditional audit configurations are no longer used.  For example, traditional auditing is largely driven by the AUDIT_TRAIL initialization parameter.  With pure Unified Audit, the initialization parameter AUDIT_TRAIL is ignored.

Unified Audit Mixed vs. Pure Mode Audit Configurations

System Parameters

Mixed Mode

Pure Unified Audit Impact

AUDIT_TRAIL

Same as 11g

Exists, but will not have any effect

AUDIT_FILE_DEST

Same as 11g

Exists, but will not have any effect

AUDIT_SYS_OPERATIONS

Same as 11g

Exists, but will not have any effect

AUDIT_SYSLOG_LEVEL

Same as 11g

Exists, but will not have any effect

UNIFIED_AUDIT_SGA_QUEUE_SIZE

Same as 11g

Yes

If you have questions, please contact us at mailto:info@integrigy.com

Reference Tags: AuditingOracle Database
Categories: APPS Blogs, Security Blogs

What Mode of Oracle 12c Unified Auditing Are You Using and Default Auditing Policies?

Mon, 2014-11-17 06:00

Continuing our blog series on Oracle 12 Unified Auditing, how do you know what mode of Unified Auditing that you are using? Use the following SQL –

SELECT VALUE FROM V$OPTION WHERE PARAMETER = 'Unified Auditing';

The result will be TRUE or FALSE.  If TRUE, the database is using PURE Unified Auditing.  If FALSE, the database is using Mixed Mode, which is the Oracle 12c default.  Remember that V$OPTION shows what database options are installed, and V$PARAMETER shows the startup parameters for the options which have been installed.  Unified Auditing is enabled by being installed and not by being configured in V$PARAMETER.

Unified Auditing is configured through policies.  If Oracle 12c tenant databases (PDBs) are being used, these polices can be applied to common objects in all PDBs or to individual PDBs.  The table below show the policies installed and/or enabled by default –

Unified Audit Polices Installed With Oracle 12c

Policy Name

Default Enabled

Description

ORA_SECURECONFIG

Yes

Secure configuration audit options

ORA_RAS_POLICY_MGMT

No

Oracle Real Application Security administrative actions on application users, roles, and policies.

ORA_RAS_SESSION_MGMT

No

Run-time Oracle Real Application Security session actions and namespace actions

ORA_ACCOUNT_MGMT

No

Commonly used user account and privilege settings for create user, role, and privilege grants

ORA_DATABASE_PARAMETER

No

Audits commonly used Oracle Database parameter settings, e.g., the initialization file (spfile) changes

To query what policies have been defined you may use –

SELECT * FROM SYS.AUDIT_UNIFIED_POLICIES

To query what polices have been enabled you may use –

SELECT * FROM SYS.AUDIT_UNIFIED_ENABLED_POLICIES

If you have questions, please contact us at mailto:info@integrigy.com

Reference

For more information on Unified Auditing can be found here:

Tags: AuditingOracle Database
Categories: APPS Blogs, Security Blogs

What Is Oracle Release 12c Unified Auditing?

Fri, 2014-11-14 06:00

In Oracle 12c, a new database auditing foundation has been introduced.  Oracle Unified Auditing changes the fundamental auditing functionality of the database.  In previous releases of Oracle, there were separate audit trails for each individual component.  Unified Auditing consolidates all auditing into a single repository and view.  This provides a two-fold simplification: audit data can now be found in a single location, and all audit data is in a single format.  Oracle 12c Unified Auditing supports –

  • Standard database auditing
  • SYS operations auditing (AUDIT_SYS_OPERATIONS)
  • Fine Grained Audit (FGA)
  • Data Pump
  • Oracle RMAN
  • Oracle Label Security (OLS)
  • Database Vault (DV)
  • Real Application Security (RAS)
  • SQL*Loader Direct Load

Unified Auditing comes standard with Oracle Enterprise Edition; no additional license is required.  It is installed by default, but not fully enabled by default.  There are two modes of operation to allow for a transition from pre-12c auditing –

  • Mixed Mode – default 12c option.  All pre-12c log and audit functionality and configurations work as before.  New Unified Auditing functionality is also available.  Log data is available in both the traditional locations as well as a new view SYS.UNIFIED_AUDIT_TRAIL.  Also, log data continues to be written in clear text when Syslog is used. 
  • Full Mode or PURE mode – enabled only by stopping the database and relinking the Oracle kernel.  Once enabled, pre-12c log and audit configurations are ignored, and audit data is saved using the Oracle SecureFiles, which is a proprietary file format.  Because of this, Syslog is not supported.  All audit data can be found in the view SYS.UNIFIED_AUDIT_TRAIL.

Figure 1 – Auditing Pre-Oracle 12c

 

Figure 2 – Oracle 12c Unified Auditing – Mixed Mode

 

Figure 3 – Oracle 12c Unified Auditing – Pure Mode

 

Figure 4 – Oracle 12c Unified Audit

 

If you have questions, please contact us at mailto:info@integrigy.com

Reference

For more information on Unified Auditing can be found here:

Tags: AuditingOracle Database
Categories: APPS Blogs, Security Blogs

Oracle Database Last Logins with Oracle 12c

Mon, 2014-11-10 06:00

Tracking when database users last logged in is a common security and compliance requirement – for example to reconcile users and identify stale users. With Oracle 12c this analysis can now be done through standard functionality. New with Oracle12c, the SYS.DBA_USERS has a new column: last_login. 

select username, account_status, common, last_login

from sys.dba_users

order by last_login asc;

 

Username

Account_Status

Common

Last_Login

C##INTEGRIGY

OPEN

YES

05-AUG-14 12.46.52.000000000 PM AMERICA/NEW_YORK

C##INTEGRIGY_TEST_2

OPEN

YES

02-SEP-14 12.29.04.000000000 PM AMERICA/NEW_YORK

XS$NULL

EXPIRED & LOCKED

YES

02-SEP-14 12.35.56.000000000 PM AMERICA/NEW_YORK

SYSTEM

OPEN

YES

04-SEP-14 05.03.53.000000000 PM AMERICA/NEW_YORK

If you have questions, please contact us at mailto:info@integrigy.com

Reference Tags: AuditingOracle Database
Categories: APPS Blogs, Security Blogs

Logging Oracle Database Link Activity

Fri, 2014-11-07 06:00

A database link is a one-way connection between two databases.  Starting with Oracle version 11.2.0.3, database session information now reports additional information for those sessions involving database links.  As often database links are created between databases of different security profiles; it is important to log session activity that includes the details of the database link.

DBLINK_INFO returns the source of a database link.  Specifically, it returns a string of the form –

SOURCE_GLOBAL_NAME=dblink_src_global_name

DBLINK_NAME=dblink_name

SOURCE_AUDIT_SESSIONID=dblink_src_audit_sessionid

where:

  • dblink_src_global_name is the unique global name of the source database
  • dblink_name is the name of the database link on the source database
  • dblink_src_audit_sessionid is the audit session ID of the session on the source database that initiated the connection to the remote database using dblink_name

You can verify DBLINK_INFO –

  • Oracle 12c provides a DBLINK_INFO column in SYS.UNIFIED_AUDIT_TRAIL.
  • SELECT SYS_CONTEXT('USERENV','DBLINK_INFO') FROM DUAL

If you have questions, please contact us at mailto:info@integrigy.com

Reference Tags: AuditingOracle Database
Categories: APPS Blogs, Security Blogs

Logging Actual Application User Names for Oracle E-Business Suite, SAP, PeopleSoft, and OBIEE

Mon, 2014-11-03 06:00

Knowing which person, not just which database account, has been a challenge for database logging and auditing when working with enterprise software applications such as the Oracle E-Business Suite, SAP, PeopleSoft, and OBIEE.  Knowing which application user did what and when is now much easier because of adoption of standard Oracle functionality.

Standard functionality of Oracle database is the CLIENT_IDENTIFER attribute.  The CLIENT_IDENTIFIER is a predefined attribute of the built-in application context namespace, USERENV, and can be used to capture the application user name.

CLIENT IDENTIFIER is set using the DBMS_SESSION.SET_IDENTIFIER procedure to store the application username.  The CLIENT IDENTIFIER attribute is one the same as V$SESSION.CLIENT_IDENTIFIER.  Once set, you can query V$SESSION or select sys_context('userenv','client_identifier') from dual.

The table below offers examples of how CLIENT_IDENTIFIER is now being used by the Oracle E-Business Suite, SAP, and PeopleSoft. If you are running one of these software packages, Integrigy highly recommends that you incorporate the information that the CLIENT_IDENTIFIER provides into your logging and auditing solution.

Oracle CLIENT_IDENTIFIER

Application

Application Usage

Oracle

E-Business Suite

As of Release 12, the Oracle E-Business Suite automatically sets and updates client_identifier to the FND_USER.USERNAME of the user logged on.  Prior to Release 12, follow Support Note How to add DBMS_SESSION.SET_IDENTIFIER(FND_GLOBAL.USER_NAME) to FND_GLOBAL.APPS_INITIALIZE procedure (Doc ID 1130254.1)

Oracle

PeopleSoft

Starting with PeopleTools 8.50, the PSOPRID is now additionally set in the Oracle database CLIENT_IDENTIFIER attribute. 

SAP

With SAP version 7.10 above, the SAP user name is stored in the CLIENT_IDENTIFIER.

Oracle Business Intelligence Enterprise Edition(OBIEE)

When querying an Oracle database using OBIEE the connection pool username is passed to the database.  To also pass the middle-tier username, set the user identifier on the session.  To do this in OBIEE, open the RPD, edit the connection pool settings and create a new connection script to run at connect time.  Add the following line to the connect script:

CALL DBMS_SESSION.SET_IDENTIFIER('VALUEOF(NQ_SESSION.USER)')

If you have questions, please contact us at mailto:info@integrigy.com

Reference Tags: AuditingOracle DatabaseOracle E-Business SuiteOracle PeopleSoftSAPOracle Business Intelligence (OBIEE)
Categories: APPS Blogs, Security Blogs

Oracle Critical Patch Update October 2014 - Massive Patch

Mon, 2014-10-13 13:49

Just when you thought the Oracle Database world was getting safer, Oracle will be releasing fixes for 32 database security bugs on Tuesday, October 14th.  This is in stark contrast to the previous twenty-five quarters where the high was 16 database bugs and average per quarter was 8.2 database bugs.  For the previous two years, the most database bugs fixed in a single quarter was six.

In addition to the 32 database security bugs, there are a total of 155 security bugs fixed in 44 different products.

Here is a brief analysis of the pre-release announcement for the upcoming October 2014 Oracle Critical Patch Update (CPU).

Oracle Database

  • There are 32 database vulnerabilities; only one is remotely exploitable without authentication and 4 are applicable to client-side only installations.
  • Since at least one database vulnerability has a CVSS 2.0 metric of 9.0 (critical for a database vulnerability), this is a fairly important CPU due to severity and volume of fixes.
  • The remotely exploitable without authentication bug is likely in Application Express (APEX).  Any organizations running APEX externally on the Internet should look to apply the relevant patches immediately.  To patch APEX, the newest version must be installed, which requires appropriate testing and upgrading of applications.
  • There are four cilent-side only installations and likely most are in JDBC.
  • Core RDBMS and PL/SQL are listed as patched components, so most likely there are critical security vulnerabilities in all database implementations.

Oracle Fusion Middleware

  • There are 17 new Oracle Fusion Middleware vulnerabilities, 13 of which are remotely exploitable without authentication and the highest CVSS score being 7.5.
  • Various Fusion Middleware products are listed as vulnerable, so you should carefully review this CPU to determine the exact impact to your environment.
  • The core WebLogic Server is listed as a patched component, therefore, most likely all Fusion Middleware customers will have to apply the patch.

Oracle E-Business Suite 11i and R12

  • There are nine new Oracle E-Business Suite 11i and R12 vulnerabilities, seven of which are remotely exploitable without authentication.  Many of these are in core Oracle EBS components such as Oracle Applications Framework (OAF) and Application Object Library (AOL/FND).  Even though the maximum CVSS score is 5.0, most of these vulnerabilities should be considered high risk.
  • All DMZ implementations of Oracle EBS should carefully review the CPU to determine if there environment is vulnerable.  As all Oracle EBS CPU patches are now cumulative, the CPU patch should be prioritized or mitigating controls, such as AppDefend, be implemented.

Planning Impact

  • We anticipate this quarter's CPU to be higher risk than most and should be prioritized.  Based on the patched components, this may be a higher than average risk CPU for all Oracle database environments.
  • As with all previous CPUs, this quarter's security patches should be deemed critical and you should adhere to the established procedures and timing used for previous CPUs.
  • For Oracle E-Business Suite customers, DMZ implementations may have to apply this quarter's patch faster than previous quarters due to the number and severity of bugs.
Tags: Oracle Critical Patch Updates
Categories: APPS Blogs, Security Blogs

Oracle 12c Real Application Security and Standard Database Auditing - Warning Database Logins Not Logged

Fri, 2014-09-05 05:00

Oracle 12c introduces several major new security features. Data redaction is one new feature and Real Application Security (RAS) is another.  Per Oracle, RAS is the next generation Virtual Private Database (VPD) and is installed with Oracle Enterprise Edition – no additional license required. RAS is a new declarative and granular authorization model and is designed to be an application security platform for end-to-end application security. For those developing APEX applications (also installed with Enterprise Edition), RAS will certainly become an integral tool.

With RAS, developers define security policies instead of having to create and maintain PL/SQL code. Most notably, RAS however extends the security solution to define both application users and roles separate from database users and roles.

RAS allows for the creation of users, complete with user names and passwords, and stores them in the database. RAS users are not stored in DBA_USERS. RAS users are defined in DBA_XS_USERS, and their passwords are stored in SYS. XS$VERIFIERS.

With 12.1.0.1, RAS users can also directly connect to the database. It appears that with 12.1.0.2, RAS users can be defined with a flag to allow or disallow direct database logons. As any database security monitoring and logging solution should be monitoring database logon activity, it should be known that RAS users will NOT show up in standard Oracle database auditing. Standard database auditing instead picks up login activity by the generic user XS$NULL. Because it is designed to be part of an application, RAS has its own logging and auditing solution.

Basic logon activity for RAS users, however is logged in SYS.UNIFIED_AUDIT_TRAIL.  Even if you have NOT enabled Unified Auditing in 12c, SYS.UNIFIED_AUDIT_TRAIL is being populated. Why this is the case will be the topic of another blog post.  If you have compliance requirements to log and audit database logons, you will need to monitor SYS.UNIFIED_AUDIT_TRAIL for RAS user activity as well as for the creation of RAS users if not also potentially configuring RAS auditing. The example below should get you started.

With the below you can test for yourself how standard database auditing logs RAS user logons:

  1. Ensure auditing for create session is enabled, if not: audit create session by access;
  2. Create Real application security user

BEGIN

XS_PRINCIPAL.CREATE_USER(NAME=>'INTEGRIGY_RAS_USER');

END;

  1. Set password for Real Application Security user

BEGIN

XS_PRINCIPAL.SET_PASSWORD('INTEGRIGY_RAS_USER','oracle');

END;

  1. Review both dba_users and dba_xs_users to see for yourself where RAS users are defined.
  2. Log into the database with: INTEGRIGY_RAS_USER/oracle
  3. Look at your auditing and see a logon from XS$NULL instead of INTEGRIGY_RAS_USER

select * from sys.aud$ order by 1 desc

  1. Now look at SYS.UNIFIED_AUDIT_TRAIL. You will see XS$NULL for the DBUSERNAME but you will see  'INTEGRIGY_RAS_USER' in XS_USER_NAME.

select dbusername,xs_user_name ,event_timestamp

from SYS.UNIFIED_AUDIT_TRAIL

where xs_user_name = 'INTEGRIGY_RAS_USER'

order by event_timestamp

If you are not familiar with XS$NULL, XS$NULL is created when the database component Oracle XML Database (XDB) is installed. XDB is now a mandatory component of 12c and as such, XS$NULL must exist in the database.  Per Oracle, XS$NULL is an internal account that represents the absence of a user in a session.  It is used by the lightweight session infrastructure for APEX, RAS and XDB and the name of this user is hard coded in those modules.  Because XS$NULL is not really a user, this account can only be accessed by the Oracle Database instance.  XS$NULL has no privileges, and no one can authenticate as XS$NULL, nor can authentication credentials ever be assigned to XS$NULL. 

If you have questions, please contact us at info@integrigy.com

References Tags: AuditingSecurity Strategy and StandardsOracle Database
Categories: APPS Blogs, Security Blogs