Oracle XS_ADMIN_INT Built-In Package
Versions 12.1 - 19.3

Security Advisory
This package is part of Oracle Database Real Application Security (RAS) and is used to perform a number of internal administrative functions, including at least one connected to auditing.

Oracle has very responsibly granted no permissions to EXECUTE this package, though we would have preferred that they had added an ACCESSIBLE BY clause so that it could not be executed ad hoc, as we have done in a few demos on this page.
 
Recommended Security Rules

 NEVER
  • Grant access to this package to any user for any reason
 WITH GREAT CARE
  • Review audit logs for package use or attempts to use this package
 CAUTIONS
  • N/A
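
The review recommended above, as an added example that is not part of the original page and is not Oracle's code: it checks for grants and dependent code, then audits executions of the package. It assumes unified auditing is in use and a reviewer with AUDIT_ADMIN and access to the DBA_ views; the policy name xs_admin_int_exec_pol is made up.

```sql
-- Added example. Run as a user with AUDIT_ADMIN and SELECT on the DBA_ views.

-- 1. Nobody should hold EXECUTE on the package: expect no rows.
SELECT grantee, privilege, grantor
FROM   dba_tab_privs
WHERE  owner      = 'SYS'
AND    table_name = 'XS_ADMIN_INT';

-- 2. Stored code outside SYS that references the package: expect no rows.
SELECT owner, name, type
FROM   dba_dependencies
WHERE  referenced_owner = 'SYS'
AND    referenced_name  = 'XS_ADMIN_INT'
AND    owner           <> 'SYS';

-- 3. Audit every execution of the package (policy name is hypothetical).
CREATE AUDIT POLICY xs_admin_int_exec_pol
  ACTIONS EXECUTE ON sys.xs_admin_int;

AUDIT POLICY xs_admin_int_exec_pol;

-- 4. Review what has been recorded, newest first.
--    A non-zero return_code is the ORA- error the call ended with.
SELECT event_timestamp,
       dbusername,
       os_username,
       userhost,
       client_program_name,
       action_name,
       return_code,
       sql_text
FROM   unified_audit_trail
WHERE  object_schema = 'SYS'
AND    object_name   = 'XS_ADMIN_INT'
ORDER  BY event_timestamp DESC;
```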
 
How Oracle Works
Oracle has released an option named Real Application Security (RAS) that contains a lot of moving pieces, of which this package is one. We are currently working on a single comprehensive monograph to explain RAS from the standpoint of what it offers, the pieces required to make it work, and any risks associated either with its use or how Oracle has implemented it.

One of our biggest concerns is the lack of good documentation about the many pieces of the puzzle. While this package, other than its lack of an ACCESSIBLE BY clause, is not of specific concern, it is best to monitor any calls or requests pertaining to any of the pieces with care.
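
What an ACCESSIBLE BY clause would change, shown as an added example on made-up objects (not Oracle's code and not from the original page): DEMO_ADMIN_INT stands in for an internal package and DEMO_ADMIN for the public API that is allowed to call it.

```sql
-- Added example on constructed objects; requires 12.1 or later.

-- Internal package: callable only from the DEMO_ADMIN package.
CREATE OR REPLACE PACKAGE demo_admin_int
  AUTHID CURRENT_USER
  ACCESSIBLE BY (PACKAGE demo_admin)
IS
  PROCEDURE check_permission(obj_name IN VARCHAR2);
END demo_admin_int;
/

CREATE OR REPLACE PACKAGE BODY demo_admin_int IS
  PROCEDURE check_permission(obj_name IN VARCHAR2) IS
  BEGIN
    NULL;  -- placeholder for the internal work
  END check_permission;
END demo_admin_int;
/

-- Public API: the only unit on the internal package's white list.
CREATE OR REPLACE PACKAGE demo_admin AUTHID CURRENT_USER IS
  PROCEDURE check_permission(obj_name IN VARCHAR2);
END demo_admin;
/

CREATE OR REPLACE PACKAGE BODY demo_admin IS
  PROCEDURE check_permission(obj_name IN VARCHAR2) IS
  BEGIN
    demo_admin_int.check_permission(obj_name);
  END check_permission;
END demo_admin;
/

-- Allowed: the call reaches the internal package through the listed accessor.
exec demo_admin.check_permission('TESTPROC')

-- Rejected at compile time, even for the owner: an anonymous block
-- is not named in the ACCESSIBLE BY list.
exec demo_admin_int.check_permission('TESTPROC')
```

The second call fails with PLS-00904 (insufficient privilege to access object), which is the behaviour the ad hoc demos on this page would meet if XS_ADMIN_INT carried the clause.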
 
XS_ADMIN_INT Package Information
AUTHID CURRENT_USER
Constants
Name Data Type Value
 Dependency Types
ROLE_GRANT_PROXY_DEP PLS_INTEGER 1
SC_INHERIT_DEP PLS_INTEGER 2
SCOPE_ACL_DEP PLS_INTEGER 3
ACL_INHERIT_DEP PLS_INTEGER 4
PROTECT_INST_SET_DEP PLS_INTEGER 5
GRANT_DENY_PRNC_DEP PLS_INTEGER 6
ROLE_ROLESET_DEP PLS_INTEGER 7
 DELETE_ENTITY Returned Values
DELETE_SUCCESS PLS_INTEGER 0
WARN_DEP_EXISTS PLS_INTEGER 1
WARN_CONSTRIANTS_EXISTS PLS_INTEGER 2
 Object Creation Status Values
OBJ_WITH_STATUS_NOT_EXISTS PLS_INTEGER 0
OBJ_WITH_STATUS_EXISTS PLS_INTEGER 1
OBJ_WITH_STATUS_EXTERNAL PLS_INTEGER 2
 System Privileges for Operating Non-Schema Objects
SPRIV_DBA PLS_INTEGER 0
SPRIV_CREATE_USER PLS_INTEGER 1
SPRIV_CREATE_ROLE PLS_INTEGER 2
SPRIV_DROP_USER PLS_INTEGER 3
SPRIV_DROP_ROLE PLS_INTEGER 4
SPRIV_GRANT_ROLE PLS_INTEGER 5
SPRIV_ALTER_USER PLS_INTEGER 6
SPRIV_ALTER_ROLE PLS_INTEGER 7
 Triton Admin Audit Actions
AUDIT_CREATE_USER PLS_INTEGER 1
AUDIT_UPDATE_USER PLS_INTEGER 2
AUDIT_DELETE_USER PLS_INTEGER 3
AUDIT_CREATE_ROLE PLS_INTEGER 4
AUDIT_UPDATE_ROLE PLS_INTEGER 5
AUDIT_DELETE_ROLE PLS_INTEGER 6
AUDIT_GRANT_ROLE PLS_INTEGER 7
AUDIT_REVOKE_ROLE PLS_INTEGER 8
AUDIT_ADD_PROXY PLS_INTEGER 9
AUDIT_REMOVE_PROXY PLS_INTEGER 10
AUDIT_SET_PASSWORD PLS_INTEGER 11
AUDIT_SET_VERIFIER PLS_INTEGER 12
AUDIT_CREATE_ROLESET PLS_INTEGER 13
AUDIT_UPDATE_ROLESET PLS_INTEGER 14
AUDIT_DELETE_ROLESET PLS_INTEGER 15
AUDIT_CREATE_SECURITY_CLASS PLS_INTEGER 16
AUDIT_UPDATE_SECURITY_CLASS PLS_INTEGER 17
AUDIT_DELETE_SECURITY_CLASS PLS_INTEGER 18
AUDIT_CREATE_NAMESPACE PLS_INTEGER 19
AUDIT_UPDATE_NAMESPACE PLS_INTEGER 20
AUDIT_DELETE_NAMESPACE PLS_INTEGER 21
AUDIT_CREATE_ACL PLS_INTEGER 22
AUDIT_UPDATE_ACL PLS_INTEGER 23
AUDIT_DELETE_ACL PLS_INTEGER 24
AUDIT_CREATE_DATA_SECURITY PLS_INTEGER 25
AUDIT_UPDATE_DATA_SECURITY PLS_INTEGER 26
AUDIT_DELETE_DATA_SECURITY PLS_INTEGER 27
AUDIT_ENABLE_DATA_SECURITY PLS_INTEGER 28
AUDIT_DISABLE_DATA_SECURITY PLS_INTEGER 29
AUDIT_ENABLE_ROLE PLS_INTEGER 33
AUDIT_DISABLE_ROLE PLS_INTEGER 34
AUDIT_SET_PROFILE PLS_INTEGER 47
AUDIT_GRANT_PRIVILEGE PLS_INTEGER 48
AUDIT_REVOKE_PRIVILEGE PLS_INTEGER 49
 Indices in DBMS_XS_AUDLIST
AUD_TARGETPNAME PLS_INTEGER 1
AUD_PROXYUNAME PLS_INTEGER 2
AUD_POLICYNAME PLS_INTEGER 3
AUD_SCHEMANAME PLS_INTEGER 4
AUD_ENABLEDROLE PLS_INTEGER 5
AUD_OBJOWN PLS_INTEGER 6
AUD_OBJNAME PLS_INTEGER 7
 Auditing Entity Types
AUD_ENTITY_TYPE_USER PLS_INTEGER 1
AUD_ENTITY_TYPE_SECURITY_CLASS PLS_INTEGER 2
AUD_ENTITY_TYPE_ACL PLS_INTEGER 3
AUD_ENTITY_TYPE_ROLE PLS_INTEGER 4
AUD_ENTITY_TYPE_DATA_SECURITY PLS_INTEGER 5
AUD_ENTITY_TYPE_ROLESET PLS_INTEGER 6
AUD_ENTITY_TYPE_NSTEMPL PLS_INTEGER 7
Data Types
TYPE dbms_xs_audlist IS VARRAY(7) OF VARCHAR2(4000);
Dependencies
DBMS_RXS_LIB XS_DATA_SECURITY XS_PRINCIPAL_INT
PLITBLM XS_DATA_SECURITY_INT XS_ROLESET
XS_ACL XS_DIAG XS_ROLESET_INT
XS_ACL_INT XS_NAMESPACE XS_SECURITY_CLASS
XS_ADMIN_UTIL XS_NAMESPACE_INT XS_SECURITY_CLASS_INT
XS_ADMIN_UTIL_INT XS_PRINCIPAL  
Documented No
Exceptions
Error Code Reason
ORA-46050 Oracle Real Application Security internal error.
ORA-46215 XS entity by the name <object_name_string> did not exist.
First Available 12.1
Security Model Owned by SYS with no privileges granted
Source {ORACLE_HOME}/rdbms/admin/xsadmi.sql
Subprograms
 
ADMIN_AUDIT
Audit wrapper
xs_admin_int.admin_audit(
act           IN PLS_INTEGER,
auderr        IN PLS_INTEGER,
entitytype    IN PLS_INTEGER,
audrec_index1 IN PLS_INTEGER := 0,
audrec1       IN VARCHAR2    := NULL,
audrec_index2 IN PLS_INTEGER := 0,
audrec2       IN VARCHAR2    := NULL,
audrec_index3 IN PLS_INTEGER := 0,
audrec3       IN VARCHAR2    := NULL);
TBD
 
CHECK_PERMISSION
Check object permissions
xs_admin_int.check_permission(
obj_name        IN VARCHAR2,
obj_type        IN PLS_INTEGER,
sys_priv        IN PLS_INTEGER := NULL,
scope           IN PLS_INTEGER := 1,
aclid           IN NUMBER      := NULL,
access_type     IN PLS_INTEGER := NULL,
tab_schema      IN VARCHAR2    := NULL,
check_any_privs IN BOOLEAN     := FALSE);
CREATE OR REPLACE PROCEDURE testproc AUTHID DEFINER IS
BEGIN
  NULL;
END testproc;
/

exec xs_admin_int.check_permission('TESTPROC', 2);

PL/SQL procedure successfully completed.
 
CREATE_DEPENDENCY
Create a Triton dependency
xs_admin_int.create_dependency(
dep_type  IN     PLS_INTEGER,
obj_name1 IN     VARCHAR2,
obj_type1 IN     PLS_INTEGER,
obj_id1   IN OUT NUMBER,
obj_name2 IN     VARCHAR2,
obj_type2 IN     PLS_INTEGER,
obj_id2   IN OUT NUMBER);
TBD
 
CREATE_ENTITY
Create a Triton object
xs_admin_int.create_entity(
obj_name   IN  VARCHAR2,
obj_type   IN  PLS_INTEGER,
obj_status IN  PLS_INTEGER,
obj_id     OUT NUMBER);
TBD
 
DELETE_DEPENDENCY
Delete a Triton dependency
xs_admin_int.delete_dependency(
dep_type  IN     PLS_INTEGER,
obj_name1 IN     VARCHAR2,
obj_type1 IN     PLS_INTEGER,
obj_id1   IN OUT NUMBER,
obj_name2 IN     VARCHAR2,
obj_type2 IN     PLS_INTEGER,
obj_id2   IN OUT NUMBER);
TBD
 
DELETE_ENTITY
Delete a Triton entity
xs_admin_int.delete_entity(
obj_name   IN     VARCHAR2,
obj_type   IN     PLS_INTEGER,
opt        IN     PLS_INTEGER,
obj_id     IN OUT NUMBER,
ret_status    OUT PLS_INTEGER);
TBD
 
GET_ENTITY_ID
Returns the entity identifier
xs_admin_int.get_entity_id(
obj_name   IN     VARCHAR2,
obj_type   IN     PLS_INTEGER,
obj_status    OUT PLS_INTEGER,
obj_schema    OUT VARCHAR2,
obj_oname     OUT VARCHAR2,
obj_id        OUT NUMBER);
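SET SERVEROUTPUT ON

DECLARE
  ostat PLS_INTEGER;
  -- 128 bytes holds any identifier in 12.2 and above (30 is the 12.1 limit)
  oscma VARCHAR2(128);
  oname VARCHAR2(128);
  oid   NUMBER;
BEGIN
  xs_admin_int.get_entity_id('TESTPROC', 2, ostat, oscma, oname, oid);
  dbms_output.put_line(ostat);  -- object status
  dbms_output.put_line(oscma);  -- resolved schema
  dbms_output.put_line(oname);  -- resolved object name
  dbms_output.put_line(oid);    -- entity identifier
END;
/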
SYS
TESTPROC


PL/SQL procedure successfully completed.
 
INVALIDATE_ENTITY
Invalidate a Triton object
xs_admin_int.invalidate_entity(
obj_id       IN NUMBER,
obj_type     IN PLS_INTEGER,
cleanup_priv IN BOOLEAN := FALSE);
TBD
 
VALIDATE_ENTITY_NAME
Parse and validate a RAS qualified name in the form schema_name.entity_name
xs_admin_int.validate_entity_name(
obj_name   IN  VARCHAR2,
obj_type   IN  PLS_INTEGER,
obj_schema OUT VARCHAR2,
obj_ename  OUT VARCHAR2);
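SET SERVEROUTPUT ON

DECLARE
  -- 128 bytes holds any identifier in 12.2 and above (30 is the 12.1 limit)
  sname VARCHAR2(128);
  ename VARCHAR2(128);
BEGIN
  xs_admin_int.validate_entity_name('TESTPROC', 2, sname, ename);
  dbms_output.put_line(sname);  -- parsed schema name
  dbms_output.put_line(ename);  -- parsed entity name
END;
/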
SYS
TESTPROC


PL/SQL procedure successfully completed.

Related Topics
DBMS_NETWORK_ACL_ADMIN
DBMS_NETWORK_ACL_UTILITY
DBMS_SFW_ACL_ADMIN
XS_ACL
XS_ACL_INT
XS_ADMIN_UTIL
XS_ADMIN_UTIL_INT
XS_PRINCIPAL