1. Oracle SQL Firewall User's Guide
  2. Configuring Oracle SQL Firewall
  3. Configuring and Managing Oracle SQL Firewall with the DBMS_SQL_FIREWALL Package
  4. Modifications to Oracle SQL Firewall Configurations

2.1.2 Modifications to Oracle SQL Firewall Configurations

After you create an Oracle SQL Firewall configuration for a user, you can modify the configuration as necessary.

To find information about Oracle SQL Firewall configurations, you can query the DBA_SQL_FIREWALL_* data dictionary views.

Table 2-1 lists operations that you can perform after you have configured SQL Firewall.

Table 2-1 Oracle SQL Firewall Modification Procedures

Operation Procedure

Enable SQL Firewall

  • To enable SQL Firewall in the database, use DBMS_SQL_FIREWALL.ENABLE.
Manage captures
  • To create a capture, use DBMS_SQL_FIREWALL.CREATE_CAPTURE.
  • To start a capture, use DBMS_SQL_FIREWALL.START_CAPTURE.
  • To modify a capture, delete the current one by using DBMS_SQL_FIREWALL.DROP_CAPTURE, and then create a new one by using DBMS_SQL_FIREWALL.CREATE_CAPTURE.
  • To stop the SQL Firewall capture for the specified user, use DBMS_SQL_FIREWALL.STOP_CAPTURE.
  • To delete the SQL Firewall capture for a specified user and delete all the existing capture logs for this user:
    1. Use DBMS_SQL_FIREWALL.STOP_CAPTURE to stop the capture process.
    2. Use DBMS_SQL_FIREWALL.DROP_CAPTURE to remove the capture.
Manage allow-lists
  • To generate an allow-list for a given user, use DBMS_SQL_FIREWALL.GENERATE_ALLOW_LIST.
  • To enable an allow-list for a given user, use DBMS_SQL_FIREWALL.ENABLE_ALLOW_LIST.
  • To update an allow-list enforcement, use DBMS_SQL_FIREWALL.UPDATE_ALLOW_LIST_ENFORCEMENT.
  • To prevent SQL Firewall from capturing and enforcing allow-lists for database connections and SQL executions in Oracle Scheduler jobs, use DBMS_SQL_FIREWALL.EXCLUDE.
  • To append all the SQL from a capture log or violation log (or from both) to the allow-list, use the DBMS_SQL_FIREWALL.APPEND_ALLOW_LIST procedure. You can run this procedure when the allow-list is either enabled or disabled. The change takes place immediately.
  • To append a single SQL record from a capture log or violation log to the allow-list, use the DBMS_SQL_FIREWALL.APPEND_ALLOW_LIST_SINGLE_SQL procedure as follows:
    1. Query the DBA_SQL_FIREWALL_VIOLATIONS or the DBA_SQL_FIREWALL_CAPTURE_LOGS data dictionary view to find the target SQL record that you want to add to the allow-list.
    2. Enter the obtained USERNAME, SQL_SIGNATURE, CURRENT_USER, and TOP_LEVEL values of that record in the DBMS_SQL_FIREWALL.APPEND_ALLOW_LIST_SINGLE_SQL procedure to add the target SQL record to the allow-list.

    You can run DBMS_SQL_FIREWALL.APPEND_ALLOW_LIST_SINGLE_SQL when the allow-list is either enabled or disabled. The change takes place immediately.

  • To export the allow-list of a given user to JSON format into the specified CLOB, use DBMS_SQL_FIREWALL.EXPORT_ALLOW_LIST.
  • To import the allow-list for a given user into a target database, use DBMS_SQL_FIREWALL.IMPORT_ALLOW_LIST.
  • To disable an allow-list for a given user, use DBMS_SQL_FIREWALL.DISABLE_ALLOW_LIST.
  • To add or delete any context values from allowed context lists, use DBMS_SQL_FIREWALL.ADD_ALLOWED_CONTEXT or DBMS_SQL_FIREWALL.DELETE_ALLOWED_CONTEXT, respectively.
  • To delete any SQL statement from allowed SQL lists, use DBMS_SQL_FIREWALL.DELETE_ALLOWED_SQL.
  • To delete the allow-list for a specified user:
    1. Disable the allow-list by using DBMS_SQL_FIREWALL.DISABLE_ALLOW_LIST.
    2. Use DBMS_SQL_FIREWALL.DROP_ALLOW_LIST.
Manage allowed contexts
  • To add a specified value to the allowed contexts of a specified user for the given context type, use DBMS_SQL_FIREWALL.ADD_ALLOWED_CONTEXT.
  • To modify an allowed context, delete the current one by using DBMS_SQL_FIREWALL.DELETE_ALLOWED_CONTEXT, and then create a new one by using DBMS_SQL_FIREWALL.ADD_ALLOWED_CONTEXT.
  • To delete the specified value from the allowed contexts of a specified user for the given context type, use DBMS_SQL_FIREWALL.DELETE_ALLOWED_CONTEXT.
Manage allowed SQL
  • To delete the specified entry from the allowed SQL of a specified user, use DBMS_SQL_FIREWALL.DELETE_ALLOWED_SQL. You can run this procedure when the allow-list is either enabled or disabled, and the change takes place immediately.

Manage SQL Firewall log tables
  • To move the SQL Firewall log tables to a different user-defined tablespace other than the default tablespace, SYSAUX:
    1. Disable SQL Firewall by using DBMS_SQL_FIREWALL.DISABLE.
    2. Use the MOVE clause of the ALTER TABLE statement to perform the move operation.

    You can also use the DBMS_SQL_FIREWALL.MOVE_LOG_TABLE procedure to move the SQL Firewall log tables to another tablespace.

  • To purge capture logs or violation logs for a user or all users, use DBMS_SQL_FIREWALL.PURGE_LOG.
  • To flush all the SQL Firewall logs that reside in the memory into the log tables, use DBMS_SQL_FIREWALL.FLUSH_LOGS.

Disable SQL Firewall

  • To disable SQL Firewall in the database and stop all the existing captures and allow-lists that are enabled, use DBMS_SQL_FIREWALL.DISABLE.

Related Topics