11.07.2015 Views

Oracle Database 11 g - Online Public Access Catalog


262 CHAPTER 5 ■ DATABASE SECURITY

secure databases for all applications that leverage OCI. The OCI security enhancements are enabled for databases starting in Oracle Release 1 (11.1) and for any version of the client. Oracle Database 11g OCI security allows you to harden the database further by enabling you to do the following:

• Set the level of information captured for perceived bad packets on the server.
• Drop or delay database connections because of bad packet overflow.
• Configure the maximum number of connection attempts.
• Control the display of database release information.
• Set up the banner for unauthorized access.

Set the Level of Information Captured for Bad Packets

First we'll show what you can do in Oracle Database 11g about bad packets received on the database tier. Bad packets can arrive because of network protocol errors or because of malicious attacks in which a large number of bad packets are sent to the server. Either way, bad packets can wreak havoc on the database environment by causing disk space outages or denial of service.

You can now use the SEC_PROTOCOL_ERROR_TRACE_ACTION database initialization parameter to determine the level of information you want to capture for bad packets. This parameter accepts the values NONE, TRACE, LOG, and ALERT. The default setting is TRACE. When SEC_PROTOCOL_ERROR_TRACE_ACTION is set to TRACE, trace files are generated on the database server. You can leave this setting in place for debugging purposes. The LOG value produces an entry in the alert log file but does not generate a trace file. This is the preferred option for many DBAs. You can set this parameter to LOG, and if problems persist, you can change it to ALERT. When the parameter is set to ALERT, Oracle produces an entry in the alert log file and still generates a trace file. Lastly, SEC_PROTOCOL_ERROR_TRACE_ACTION can be set to NONE to specify that you do not want to generate a trace file or produce alert log entries for bad packets. You can set this parameter to LOG using the alter system command, as shown here:

    SQL> alter system set sec_protocol_error_trace_action = LOG;
    System altered.

Delay or Drop Database Connections

Not only can Oracle Database 11g protect you from a flood of bad packets to the database server, but it can also protect you by disconnecting or deferring the connections made to the server. The initialization parameter SEC_PROTOCOL_ERROR_FURTHER_ACTION controls this behavior. By default, this parameter is set to CONTINUE, which means the server does not drop or defer connections. You can change this behavior by using the following syntax:

    1* alter system set sec_protocol_error_further_action = "(DROP,30)"
    SQL> /
    System altered.
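A configuration review can check both parameters before a database goes live. The following is an added example, not code from the book: it reads a text parameter file (pfile) and reports where the two settings discussed above differ from an assumed baseline (LOG plus a DROP or DELAY action). The function names, the baseline, and the sample pfile lines are constructed for illustration.

```python
import re

# Defaults as stated in the text above.
DEFAULTS = {"sec_protocol_error_trace_action": "TRACE",
            "sec_protocol_error_further_action": "CONTINUE"}
TRACE_VALUES = {"NONE", "TRACE", "LOG", "ALERT"}
FURTHER_RE = re.compile(r"^\(\s*(DROP|DELAY)\s*,\s*(\d+)\s*\)$")

def read_params(pfile_text):
    """Return the effective values of the two parameters from pfile text."""
    params = dict(DEFAULTS)
    for line in pfile_text.splitlines():
        line = line.split("#", 1)[0].strip()            # drop comments
        name, sep, value = line.partition("=")
        name = name.strip().lower().rsplit(".", 1)[-1]  # strip "*." or "sid."
        if sep and name in params:
            params[name] = value.strip().strip("'\"").upper()
    return params

def parse_further_action(value):
    """Return ("CONTINUE", None) or (action, n); raise ValueError if malformed."""
    if value == "CONTINUE":
        return ("CONTINUE", None)
    m = FURTHER_RE.match(value)
    if not m:
        raise ValueError(f"invalid further_action value: {value!r}")
    return (m.group(1), int(m.group(2)))

def audit(pfile_text):
    """Return a list of findings; an empty list matches the assumed baseline."""
    p = read_params(pfile_text)
    findings = []
    trace = p["sec_protocol_error_trace_action"]
    if trace not in TRACE_VALUES:
        findings.append(f"trace_action: invalid value {trace!r}")
    elif trace == "NONE":
        findings.append("trace_action: NONE records nothing about bad packets")
    elif trace in ("TRACE", "ALERT"):
        findings.append(f"trace_action: {trace} writes trace files; watch disk space")
    try:
        action, _ = parse_further_action(p["sec_protocol_error_further_action"])
        if action == "CONTINUE":
            findings.append("further_action: CONTINUE never drops or delays a connection")
    except ValueError as exc:
        findings.append(f"further_action: {exc}")
    return findings

# Constructed sample pfile fragment (not from the book).
SAMPLE = ("*.db_name='orcl'\n*.sec_protocol_error_trace_action=LOG\n"
          "*.sec_protocol_error_further_action='(DROP,30)'\n")
```

Calling `audit(SAMPLE)` returns an empty list, while a pfile that sets neither parameter yields two findings because the defaults TRACE and CONTINUE apply.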
