CIS Oracle Database 12c Benchmark v2.0.0-cc - itsecure.hu€¦ · 1 | Page This work is licensed...

CISOracleDatabase12cBenchmark

v2.0.0-12-28-2016

1|P a g e

ThisworkislicensedunderaCreativeCommonsAttribution-NonCommercial-ShareAlike4.0InternationalPublicLicense.Thelinktothelicensetermscanbefoundathttps://creativecommons.org/licenses/by-nc-sa/4.0/legalcodeTofurtherclarifytheCreativeCommonslicenserelatedtoCISBenchmarkcontent,youareauthorizedtocopyandredistributethecontentforusebyyou,withinyourorganizationandoutsideyourorganizationfornon-commercialpurposesonly,providedthat(i)appropriatecreditisgiventoCIS,(ii)alinktothelicenseisprovided.Additionally,ifyouremix,transformorbuildupontheCISBenchmark(s),youmayonlydistributethemodifiedmaterialsiftheyaresubjecttothesamelicensetermsastheoriginalBenchmarklicenseandyourderivativewillnolongerbeaCISBenchmark.CommercialuseofCISBenchmarksissubjecttothepriorapprovaloftheCenterforInternetSecurity.

2|P a g e

TableofContents

Overview......................................................................................................................................................................9

IntendedAudience..............................................................................................................................................9

ConsensusGuidance...........................................................................................................................................9

TypographicalConventions.........................................................................................................................10

ScoringInformation.........................................................................................................................................10

ProfileDefinitions.............................................................................................................................................11

Acknowledgements..........................................................................................................................................13

Recommendations.................................................................................................................................................14

1OracleDatabaseInstallationandPatchingRequirements..........................................................14

1.1EnsuretheAppropriateVersion/PatchesforOracleSoftwareIsInstalled(NotScored).........................................................................................................................................................14

1.2EnsureAllDefaultPasswordsAreChanged(Scored).....................................................16

1.3EnsureAllSampleDataAndUsersHaveBeenRemoved(Scored)............................18

2OracleParameterSettings.........................................................................................................................20

2.1ListenerSettings...................................................................................................................................21

2.1.1Ensure'SECURE_CONTROL_<listener_name>'IsSetIn'listener.ora'(Scored)21

2.1.2Ensure'extproc'IsNotPresentin'listener.ora'(Scored)..........................................23

2.1.3Ensure'ADMIN_RESTRICTIONS_<listener_name>'IsSetto'ON'(Scored)........24

2.1.4Ensure'SECURE_REGISTER_<listener_name>'IsSetto'TCPS'or'IPC'(Scored).........................................................................................................................................................................26

2.2Databasesettings..................................................................................................................................28

2.2.1Ensure'AUDIT_SYS_OPERATIONS'IsSetto'TRUE'(Scored)..................................28

2.2.2Ensure'AUDIT_TRAIL'IsSetto'OS','DB,EXTENDED',or'XML,EXTENDED'(Scored).......................................................................................................................................................30

2.2.3Ensure'GLOBAL_NAMES'IsSetto'TRUE'(Scored).....................................................31

2.2.4Ensure'LOCAL_LISTENER'IsSetAppropriately(Scored)........................................32

2.2.5Ensure'O7_DICTIONARY_ACCESSIBILITY'IsSetto'FALSE'(Scored).................34

2.2.6Ensure'OS_ROLES'IsSetto'FALSE'(Scored).................................................................35

2.2.7Ensure'REMOTE_LISTENER'IsEmpty(Scored)...........................................................36

2.2.8Ensure'REMOTE_LOGIN_PASSWORDFILE'IsSetto'NONE'(Scored).................37

3|P a g e

2.2.9Ensure'REMOTE_OS_AUTHENT'IsSetto'FALSE'(Scored).....................................38

2.2.10Ensure'REMOTE_OS_ROLES'IsSetto'FALSE'(Scored).........................................39

2.2.11Ensure'UTL_FILE_DIR'IsEmpty(Scored).....................................................................40

2.2.12Ensure'SEC_CASE_SENSITIVE_LOGON'IsSetto'TRUE'(Scored).......................41

2.2.13Ensure'SEC_MAX_FAILED_LOGIN_ATTEMPTS'Is'10'(Scored)..........................43

2.2.14Ensure'SEC_PROTOCOL_ERROR_FURTHER_ACTION'IsSetto'DELAY,3'or'DROP,3'(Scored)....................................................................................................................................44

2.2.15Ensure'SEC_PROTOCOL_ERROR_TRACE_ACTION'IsSetto'LOG'(Scored)...45

2.2.16Ensure'SEC_RETURN_SERVER_RELEASE_BANNER'IsSetto'FALSE'(Scored).........................................................................................................................................................................47

2.2.17Ensure'SQL92_SECURITY'IsSetto'TRUE'(Scored)................................................48

2.2.18Ensure'_TRACE_FILES_PUBLIC'IsSetto'FALSE'(Scored)....................................49

2.2.19Ensure'RESOURCE_LIMIT'IsSetto'TRUE'(Scored)...............................................50

3OracleConnectionandLoginRestrictions.........................................................................................51

3.1Ensure'FAILED_LOGIN_ATTEMPTS'IsLessthanorEqualto'5'(Scored)............51

3.2Ensure'PASSWORD_LOCK_TIME'IsGreaterthanorEqualto'1'(Scored)...........53

3.3Ensure'PASSWORD_LIFE_TIME'IsLessthanorEqualto'90'(Scored).................54

3.4Ensure'PASSWORD_REUSE_MAX'IsGreaterthanorEqualto'20'(Scored).......55

3.5Ensure'PASSWORD_REUSE_TIME'IsGreaterthanorEqualto'365'(Scored)...56

3.6Ensure'PASSWORD_GRACE_TIME'IsLessthanorEqualto'5'(Scored)...............57

3.7Ensure'DBA_USERS.PASSWORD'IsNotSetto'EXTERNAL'forAnyUser(Scored).........................................................................................................................................................................58

3.8Ensure'PASSWORD_VERIFY_FUNCTION'IsSetforAllProfiles(Scored)..............59

3.9Ensure'SESSIONS_PER_USER'IsLessthanorEqualto'10'(Scored)......................60

3.10EnsureNoUsersAreAssignedthe'DEFAULT'Profile(Scored)..............................61

4OracleUserAccessandAuthorizationRestrictions.......................................................................62

4.1DefaultPublicPrivilegesforPackagesandObjectTypes...................................................63

4.1.1Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_ADVISOR'(Scored)...63

4.1.2Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_CRYPTO'(Scored).....64

4.1.3Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_JAVA'(Scored)............65

4|P a g e

4.1.4Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_JAVA_TEST'(Scored).........................................................................................................................................................................66

4.1.5Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_JOB'(Scored)..............67

4.1.6Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_LDAP'(Scored)..........68

4.1.7Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_LOB'(Scored).............69

4.1.8Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_OBFUSCATION_TOOLKIT'(Scored).................................................................................70

4.1.9Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_RANDOM'(Scored)..71

4.1.10Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_SCHEDULER'(Scored).......................................................................................................................................................72

4.1.11Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_SQL'(Scored)...........73

4.1.12Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_XMLGEN'(Scored).74

4.1.13Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_XMLQUERY'(Scored).........................................................................................................................................................................75

4.1.14Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'UTL_FILE'(Scored)..............76

4.1.15Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'UTL_INADDR'(Scored)......77

4.1.16Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'UTL_TCP'(Scored)...............78

4.1.17Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'UTL_MAIL'(Scored)............79

4.1.18Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'UTL_SMTP'(Scored)...........80

4.1.19Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'UTL_DBWS'(Scored)..........81

4.1.20Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'UTL_ORAMTS'(Scored).....82

4.1.21Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'UTL_HTTP'(Scored)...........83

4.1.22Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'HTTPURITYPE'(Scored)...84

4.2RevokeNon-DefaultPrivilegesforPackagesandObjectTypes.......................................85

4.2.1Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_SYS_SQL'(Scored)....85

4.2.2Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_BACKUP_RESTORE'(Scored).......................................................................................................................................................86

4.2.3Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_AQADM_SYSCALLS'(Scored).......................................................................................................................................................87

4.2.4Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_REPCAT_SQL_UTL'(Scored).......................................................................................................................................................88

4.2.5Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'INITJVMAUX'(Scored)..........89

5|P a g e

4.2.6Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_STREAMS_ADM_UTL'(Scored).......................................................................................................................................................90

4.2.7Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_AQADM_SYS'(Scored).........................................................................................................................................................................91

4.2.8Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_STREAMS_RPC'(Scored).......................................................................................................................................................92

4.2.9Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_PRVTAQIM'(Scored).........................................................................................................................................................................93

4.2.10Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'LTADM'(Scored)..................94

4.2.11Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'WWV_DBMS_SQL'(Scored).........................................................................................................................................................................95

4.2.12Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'WWV_EXECUTE_IMMEDIATE'(Scored)......................................................................................96

4.2.13Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_IJOB'(Scored)..........97

4.2.14Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_FILE_TRANSFER'(Scored).......................................................................................................................................................98

4.3RevokeExcessiveSystemPrivileges............................................................................................99

4.3.1Ensure'SELECT_ANY_DICTIONARY'IsRevokedfromUnauthorized'GRANTEE'(Scored).......................................................................................................................................................99

4.3.2Ensure'SELECTANYTABLE'IsRevokedfromUnauthorized'GRANTEE'(Scored)....................................................................................................................................................101

4.3.3Ensure'AUDITSYSTEM'IsRevokedfromUnauthorized'GRANTEE'(Scored)......................................................................................................................................................................102

4.3.4Ensure'EXEMPTACCESSPOLICY'IsRevokedfromUnauthorized'GRANTEE'(Scored)....................................................................................................................................................103

4.3.5Ensure'BECOMEUSER'IsRevokedfromUnauthorized'GRANTEE'(Scored)......................................................................................................................................................................104

4.3.6Ensure'CREATE_PROCEDURE'IsRevokedfromUnauthorized'GRANTEE'(Scored)....................................................................................................................................................105

4.3.7Ensure'ALTERSYSTEM'IsRevokedfromUnauthorized'GRANTEE'(Scored)......................................................................................................................................................................106

4.3.8Ensure'CREATEANYLIBRARY'IsRevokedfromUnauthorized'GRANTEE'(Scored)....................................................................................................................................................107

6|P a g e

4.3.9Ensure'CREATELIBRARY'IsRevokedfromUnauthorized'GRANTEE'(Scored)......................................................................................................................................................................108

4.3.10Ensure'GRANTANYOBJECTPRIVILEGE'IsRevokedfromUnauthorized'GRANTEE'(Scored)............................................................................................................................109

4.3.11Ensure'GRANTANYROLE'IsRevokedfromUnauthorized'GRANTEE'(Scored)....................................................................................................................................................110

4.3.12Ensure'GRANTANYPRIVILEGE'IsRevokedfromUnauthorized'GRANTEE'(Scored)....................................................................................................................................................111

4.4RevokeRolePrivileges....................................................................................................................112

4.4.1Ensure'DELETE_CATALOG_ROLE'IsRevokedfromUnauthorized'GRANTEE'(Scored)....................................................................................................................................................112

4.4.2Ensure'SELECT_CATALOG_ROLE'IsRevokedfromUnauthorized'GRANTEE'(Scored)....................................................................................................................................................113

4.4.3Ensure'EXECUTE_CATALOG_ROLE'IsRevokedfromUnauthorized'GRANTEE'(Scored)....................................................................................................................................................114

4.4.4Ensure'DBA'IsRevokedfromUnauthorized'GRANTEE'(Scored)...................115

4.5RevokeExcessiveTableandViewPrivileges........................................................................116

4.5.1Ensure'ALL'IsRevokedfromUnauthorized'GRANTEE'on'AUD$'(Scored)116

4.5.2Ensure'ALL'IsRevokedfromUnauthorized'GRANTEE'on'USER_HISTORY$'(Scored)....................................................................................................................................................117

4.5.3Ensure'ALL'IsRevokedfromUnauthorized'GRANTEE'on'LINK$'(Scored)......................................................................................................................................................................118

4.5.4Ensure'ALL'IsRevokedfromUnauthorized'GRANTEE'on'SYS.USER$'(Scored)....................................................................................................................................................119

4.5.5Ensure'ALL'IsRevokedfromUnauthorized'GRANTEE'on'DBA_%'(Scored)......................................................................................................................................................................120

4.5.6Ensure'ALL'IsRevokedfromUnauthorized'GRANTEE'on'SYS.SCHEDULER$_CREDENTIAL'(Scored).............................................................................122

4.5.7Ensure'SYS.USER$MIG'HasBeenDropped(Scored)...............................................123

4.6Ensure'%ANY%'IsRevokedfromUnauthorized'GRANTEE'(Scored)..............124

4.7Ensure'DBA_SYS_PRIVS.%'IsRevokedfromUnauthorized'GRANTEE'with'ADMIN_OPTION'Setto'YES'(Scored)......................................................................................125

4.8EnsureProxyUsersHaveOnly'CONNECT'Privilege(Scored)................................126

4.9Ensure'EXECUTEANYPROCEDURE'IsRevokedfrom'OUTLN'(Scored)..........127

7|P a g e

4.10Ensure'EXECUTEANYPROCEDURE'IsRevokedfrom'DBSNMP'(Scored)...128

5Audit/LoggingPoliciesandProcedures...........................................................................................129

5.1TraditionalAuditing.........................................................................................................................130

5.1.1Enable'USER'AuditOption(Scored)...............................................................................130

5.1.2Enable'ALTERUSER'AuditOption(Scored)...............................................................132

5.1.3Enable'DROPUSER'AuditOption(Scored).................................................................133

5.1.4Enable'ROLE'AuditOption(Scored)...............................................................................134

5.1.5Enable'SYSTEMGRANT'AuditOption(Scored).........................................................135

5.1.6Enable'PROFILE'AuditOption(Scored)........................................................................136

5.1.7Enable'ALTERPROFILE'AuditOption(Scored)........................................................138

5.1.8Enable'DROPPROFILE'AuditOption(Scored)..........................................................139

5.1.9Enable'DATABASELINK'AuditOption(Scored).......................................................140

5.1.10Enable'PUBLICDATABASELINK'AuditOption(Scored)...................................141

5.1.11Enable'PUBLICSYNONYM'AuditOption(Scored).................................................142

5.1.12Enable'SYNONYM'AuditOption(Scored)..................................................................143

5.1.13Enable'GRANTDIRECTORY'AuditOption(Scored)..............................................144

5.1.14Enable'SELECTANYDICTIONARY'AuditOption(Scored).................................145

5.1.15Enable'GRANTANYOBJECTPRIVILEGE'AuditOption(Scored).....................146

5.1.16Enable'GRANTANYPRIVILEGE'AuditOption(Scored)......................................147

5.1.17Enable'DROPANYPROCEDURE'AuditOption(Scored).....................................148

5.1.18Enable'ALL'AuditOptionon'SYS.AUD$'(Scored).................................................149

5.1.19Enable'PROCEDURE'AuditOption(Scored).............................................................150

5.1.20Enable'ALTERSYSTEM'AuditOption(Scored).......................................................152

5.1.21Enable'TRIGGER'AuditOption(Scored)....................................................................153

5.1.22Enable'CREATESESSION'AuditOption(Scored)...................................................155

5.2UnifiedAuditing.................................................................................................................................157

5.2.1Enable'CREATEUSER'ActionAudit(Scored).............................................................157

5.2.2Enable'ALTERUSER'ActionAudit(Scored)................................................................159

5.2.3Enable'DROPUSER'AuditOption(Scored).................................................................161

5.2.4Enable'CREATEROLE’ActionAudit(Scored).............................................................163

8|P a g e

5.2.5Enable'ALTERROLE’ActionAudit(Scored)................................................................164

5.2.6Enable'DROPROLE’ActionAudit(Scored)..................................................................166

5.2.7Enable'GRANT'ActionAudit(Scored)............................................................................167

5.2.8Enable'REVOKE'ActionAudit(Scored).........................................................................169

5.2.9Enable'CREATEPROFILE’ActionAudit(Scored)......................................................170

5.2.10Enable'ALTERPROFILE’ActionAudit(Scored)......................................................171

5.2.11Enable'DROPPROFILE’ActionAudit(Scored)........................................................172

5.2.12Enable'CREATEDATABASELINK’ActionAudit(Scored)...................................174

5.2.13Enable'ALTERDATABASELINK’ActionAudit(Scored)......................................175

5.2.14Enable'DROPDATABASELINK’ActionAudit(Scored)........................................176

5.2.15Enable'CREATESYNONYM’ActionAudit(Scored)................................................177

5.2.16Enable'ALTERSYNONYM’ActionAudit(Scored)...................................................179

5.2.17Enable'DROPSYNONYM’ActionAudit(Scored).....................................................181

5.2.18Enable'SELECTANYDICTIONARY’PrivilegeAudit(Scored)............................182

5.2.19Enable'UNIFIED_AUDIT_TRAIL’AccessAudit(Scored).......................................184

5.2.20Enable'CREATEPROCEDURE/FUNCTION/PACKAGE/PACKAGEBODY’ActionAudit(Scored).......................................................................................................................................185

5.2.21Enable'ALTERPROCEDURE/FUNCTION/PACKAGE/PACKAGEBODY’ActionAudit(Scored).......................................................................................................................................187

5.2.22Enable'DROPPROCEDURE/FUNCTION/PACKAGE/PACKAGEBODY’ActionAudit(Scored).......................................................................................................................................189

5.2.23Enable'ALTERSYSTEM’PrivilegeAudit(Scored)...................................................191

5.2.24Enable'CREATETRIGGER’ActionAudit(Scored)...................................................193

5.2.25Enable'ALTERTRIGGER’ActionAudit(Scored)......................................................195

5.2.26Enable'DROPTRIGGER’ActionAudit(Scored)........................................................197

5.2.27Enable'LOGON’AND‘LOGOFF’ActionsAudit(Scored)........................................199

6Appendix:EstablishinganAudit/ScanUser..................................................................................201

Appendix:ChangeHistory..............................................................................................................................210

9|P a g e

OverviewThisdocumentisintendedtoaddresstherecommendedsecuritysettingsforOracleDatabase12c.ThisguidewastestedagainstOracleDatabase12c(version12.1.0.2)installedwithoutpluggabledatabasesupportrunningonaWindowsServer2012R2instanceasastand-alonesystem,andrunningonanOracleLinux7instancealsoasastand-alonesystem.FutureOracleDatabase12ccriticalpatchupdates(CPUs)mayimpacttherecommendationsincludedinthisdocument.

Toobtainthelatestversionofthisguide,pleasevisithttp://benchmarks.cisecurity.org.Ifyouhavequestions,comments,orhaveidentifiedwaystoimprovethisguide,[email protected].

IntendedAudience

Thisbenchmarkisintendedforsystemandapplicationadministrators,securityspecialists,auditors,helpdesk,andplatformdeploymentpersonnelwhoplantodevelop,deploy,assess,orsecuresolutionsthatincorporateOracleDatabase12conOracleLinuxorMicrosoftWindowsServer.

ConsensusGuidance

Thisbenchmarkwascreatedusingaconsensusreviewprocesscomprisedofsubjectmatterexperts.Consensusparticipantsprovideperspectivefromadiversesetofbackgroundsincludingconsulting,softwaredevelopment,auditandcompliance,securityresearch,operations,government,andlegal.

EachCISbenchmarkundergoestwophasesofconsensusreview.Thefirstphaseoccursduringinitialbenchmarkdevelopment.Duringthisphase,subjectmatterexpertsconvenetodiscuss,create,andtestworkingdraftsofthebenchmark.Thisdiscussionoccursuntilconsensushasbeenreachedonbenchmarkrecommendations.Thesecondphasebeginsafterthebenchmarkhasbeenpublished.Duringthisphase,allfeedbackprovidedbytheInternetcommunityisreviewedbytheconsensusteamforincorporationinthebenchmark.Ifyouareinterestedinparticipatingintheconsensusprocess,pleasevisithttps://community.cisecurity.org.

10|P a g e

TypographicalConventions

Thefollowingtypographicalconventionsareusedthroughoutthisguide:

Convention Meaning

Stylized Monospace font Usedforblocksofcode,command,andscriptexamples.Textshouldbeinterpretedexactlyaspresented.

Monospacefont Usedforinlinecode,commands,orexamples.Textshouldbeinterpretedexactlyaspresented.

<italicfontinbrackets> Italictextssetinanglebracketsdenoteavariablerequiringsubstitutionforarealvalue.

Italicfont Usedtodenotethetitleofabook,article,orotherpublication.

Note Additionalinformationorcaveats

ScoringInformation

Ascoringstatusindicateswhethercompliancewiththegivenrecommendationimpactstheassessedtarget'sbenchmarkscore.Thefollowingscoringstatusesareusedinthisbenchmark:

Scored

Failuretocomplywith"Scored"recommendationswilldecreasethefinalbenchmarkscore.Compliancewith"Scored"recommendationswillincreasethefinalbenchmarkscore.

NotScored

Failuretocomplywith"NotScored"recommendationswillnotdecreasethefinalbenchmarkscore.Compliancewith"NotScored"recommendationswillnotincreasethefinalbenchmarkscore.

11|P a g e

ProfileDefinitions

ThefollowingconfigurationprofilesaredefinedbythisBenchmark:

• Level1-RDBMSusingTraditionalAuditing

ItemsinthisprofileapplytoOracleDatabase12cconfiguredtouseTraditionalAuditingandintendto:

o Bepracticalandprudent;o Provideaclearsecuritybenefit;ando Notinhibittheutilityofthetechnologybeyondacceptablemeans.

• Level1-LinuxHostOSusingTraditionalAuditing

ItemsinthisprofileapplytoLinuxHostoperatingsystemswithOracleDatabase12cconfiguredtouseTraditionalAuditingandintendto:


• Level1-WindowsServerHostOSusingTraditionalAuditing

ItemsinthisprofileapplytoWindowsServeroperatingsystemswithOracleDatabase12cconfiguredtouseTraditionalAuditingandintendto:


• Level1-RDBMSusingUnifiedAuditing

ItemsinthisprofileapplytoOracleDatabase12cconfiguredtouseUnifiedAuditingandintendto:


12|P a g e

• Level1-LinuxHostOSusingUnifiedAuditing

ItemsinthisprofileapplytoLinuxHostoperatingsystemswithOracleDatabase12cconfiguredtouseUnifiedAuditingandintendto:


• Level1-WindowsServerHostOSusingUnifiedAuditing

ItemsinthisprofileapplytoWindowsServeroperatingsystemswithOracleDatabase12cconfiguredtouseUnifiedAuditingandintendto:


13|P a g e

Acknowledgements

Thisbenchmarkexemplifiesthegreatthingsacommunityofusers,vendors,andsubjectmatterexpertscanaccomplishthroughconsensuscollaboration.TheCIScommunitythankstheentireconsensusteamwithspecialrecognitiontothefollowingindividualswhocontributedgreatlytothecreationofthisguide:

ContributorKyleThomasonJustinBrownGijsHasselmanStephenDufourAlexanderKornbrustS.BrianSuddethPieterVanPuymbroeckArmanRawlsAdamMontvilleTimothyHarrisonTungBuiVietJigneshPatelThanThiChamVuDaoQuangQuanBuiYoufengShenOle-AndreJørgensenDeanLackeyEditorAngeloMarcotullioJayMehta

14|P a g e

Recommendations1OracleDatabaseInstallationandPatchingRequirements

OneofthebestwaystoensuresecureOraclesecurityistoimplementCriticalPatchUpdates(CPUs)astheycomeout,alongwithanyapplicableOSpatchesthatwillnotinterferewithsystemoperations.ItisadditionallyprudenttoremoveOraclesampledatafromproductionenvironments.

1.1EnsuretheAppropriateVersion/PatchesforOracleSoftwareIsInstalled(NotScored)

ProfileApplicability:

•Level1-RDBMSusingTraditionalAuditing

•Level1-RDBMSusingUnifiedAuditing

Description:

TheOracleinstallationversion,alongwiththepatchlevel,shouldbethemostrecentthatiscompatiblewiththeorganizations'operationalneeds.

Rationale:

AsusingthemostrecentOracledatabasesoftware,alongwithallapplicablepatchescanhelplimitthepossibilitiesforvulnerabilitiesinthesoftware,theinstallationversionand/orpatchesappliedduringsetupshouldbeestablishedaccordingtotheneedsoftheorganization.EnsureyouareusingareleasethatiscoveredbyalevelofsupportthatincludesthegenerationofCriticalPatchUpdates.

Audit:

Toassessthisrecommendation,usethefollowingexampleshellcommandasappropriateforyourenvironment.

Forexample,onUnix/Linuxsystems:

opatch lsinventory | grep -e "^.*<latest_patch_version_numer>\s*.*$"

ForexampleonWindowssystems:

opatch lsinventory | find "<latest_patch_version_number>"

15|P a g e

Remediation:

DownloadandapplythelatestquarterlyCriticalPatchUpdatepatches.

References:

1. http://www.oracle.com/us/support/assurance/fixing-policies/index.html2. http://www.oracle.com/technetwork/topics/security/alerts-086861.html3. http://www.oracle.com/us/support/library/lifetime-support-technology-

069183.pdf

16|P a g e

1.2EnsureAllDefaultPasswordsAreChanged(Scored)




Description:

TheOracleinstallationhasaviewcalledDBA_USERS_WITH_DEFPWD,whichkeepsalistofalldatabaseusersmakinguseofdefaultpasswords.

Rationale:

Defaultpasswordsshouldbeconsidered"wellknown"toattackers.Consequently,ifdefaultpasswordsremaininplaceanyattackerwithaccesstothedatabasethenhastheabilitytoauthenticateastheuserwiththatdefaultpassword.Whendefaultpasswordsarealtered,thiscircumstanceismitigated.

Audit:

Toassessthisrecommendation,executethefollowingSQLstatement.

SELECT USERNAME FROM DBA_USERS_WITH_DEFPWD WHERE USERNAME NOT LIKE '%XS$NULL%';

Theassessmentfailsifresultsarereturned.

Remediation:

Toremediatethisrecommendation,youmayperformeitherofthefollowingactions.

• ManuallyissuethefollowingSQLstatementforeachUSERNAMEreturnedintheAuditProcedure:

PASSWORD <username>

17|P a g e

• ExecutethefollowingSQLscripttorandomlyassignpasswords:

begin for r_user in (select username from dba_users_with_defpwd where username not like '%XS$NULL%') loop DBMS_OUTPUT.PUT_LINE('Password for user '||r_user.username||' will be changed.'); execute immediate 'alter user "'||r_user.username||'" identified by "'||DBMS_RANDOM.string('a',16)||'"account lock password expire'; end loop; end; /

References:

1. http://docs.oracle.com/database/121/TDPSG/GUID-3EC7A894-D620-4497-AFB1-64EB8C33D854.htm#TDPSG20021

18|P a g e

1.3EnsureAllSampleDataAndUsersHaveBeenRemoved(Scored)




Description:

Oraclesampleschemasarenotneededfortheoperationofthedatabase.Theseinclude,amongothers,informationpertainingtoasampleschemaspertainingtoHumanResources,BusinessIntelligence,OrderEntry,andthelike.Thesesamplescreatesampleusers(BI,HR,OE,PM,IX,SH,SCOTT),inadditiontotablesandfictitiousdata.

Rationale:

Thesampledataistypicallynotrequiredforproductionoperationsofthedatabaseandprovidesuserswithwell-knowndefaultpasswords,particularviews,andprocedures/functions.Suchusers,views,and/orprocedures/functionscouldbeusedtolaunchexploitsagainstproductionenvironments.

Audit:

Toassessthisrecommendation,checkforthepresenceofOraclesampleusersbyexecutingthefollowingSQLstatement.

SELECTUSERNAMEFROMALL_USERSWHEREUSERNAMEIN('BI','HR','IX','OE','PM','SCOTT','SH');

Remediation:

Toremediatethissetting,itisrecommendedthatyouexecutethefollowingSQLscript.

$ORACLE_HOME/demo/schema/drop_sch.sql

Then,executethefollowingSQLstatement.

DROP USER SCOTT CASCADE;

NOTE:Therecyclebin isnotsettoOFF withinthedefaultdropscript,whichmeansthatthedatawillstillbepresentinyourenvironmentuntiltherecyclebin isemptied.

19|P a g e

Impact:

TheOraclesampleusernamesmaybeinuseonaproductionbasis.ItisimportantthatyoufirstverifythatBI,HR,IX,OE,PM,SCOTT,and/orSH arenotvalidproductionusernamesbeforeexecutingthedroppingSQLscripts.ThismaybeparticularlytruewiththeHR andBI users.Ifanyoftheseusersarepresent,itisimportanttobecautiousandconfirmtheschemaspresentare,infact,Oraclesampleschemasandnotproductionschemasbeingrelieduponbybusinessoperations.

References:

1. http://docs.oracle.com/database/121/COMSC/toc.htm

20|P a g e

2OracleParameterSettings

TheoperationoftheOracledatabaseinstanceisgovernedbynumerousparametersthataresetinspecificconfigurationfilesandareinstance-specificinscope.Asalterationsoftheseparameterscancauseproblemsrangingfromdenial-of-servicetotheftofproprietaryinformation,theseconfigurationsshouldbecarefullyconsideredandmaintained.

Note:

ForallfilesthathaveparametersthatcanbemodifiedwiththeOSand/orSQLcommands/scripts,thesewillbothbelistedwhereappropriate.

21|P a g e

2.1ListenerSettings

SettingsfortheTNSListenerlistener.orafile.

2.1.1Ensure'SECURE_CONTROL_<listener_name>'IsSetIn'listener.ora'(Scored)


•Level1-LinuxHostOSusingTraditionalAuditing

•Level1-WindowsServerHostOSusingTraditionalAuditing

Description:

TheSECURE_CONTROL_<listener_name>settingdeterminesthetypeofcontrolconnectiontheOracleserverrequiresforremoteconfigurationofthelistener.

Rationale:

Aslistenerconfigurationchangesviaunencryptedremoteconnectionscanresultinunauthorizeduserssniffingthecontrolconfigurationinformationfromthenetwork,thesecontrolvaluesshouldbesetaccordingtotheneedsoftheorganization.

Audit:

Toauditthisrecommendation,followthesesteps:

• Openthe $ORACLE_HOME/network/admin/listener.orafile(or%ORACLE_HOME%\network\admin\listener.oraonWindows)

• EnsurethateachdefinedlistenerasanassociatedSECURE_CONTROL_<listener_name>directive.

Forexample:

LISTENER1 = (DESCRIPTION= (ADDRESS=(PROTOCOL=TCP) (HOST=sales-server)(PORT=1521)) (ADDRESS=(PROTOCOL=IPC) (KEY=REGISTER)) (ADDRESS=(PROTOCOL=TCPS) (HOST=sales-server)(PORT=1522))) SECURE_CONTROL_LISTENER1=TCPS

22|P a g e

Remediation:

SettheSECURE_CONTROL_<listener_name>foreachdefinedlistenerinthelistener.orafile,accordingtotheneedsoftheorganization.

References:

1. http://docs.oracle.com/database/121/NETRF/listener.htm#NETRF327

23|P a g e

2.1.2Ensure'extproc'IsNotPresentin'listener.ora'(Scored)




Description:

Oracleextprocallowsthedatabasetorunproceduresfromoperatingsystemlibraries.Theselibrarycallscan,inturn,runanyoperatingsystemcommand.

Rationale:

extprocshouldberemovedfromthelistener.oratomitigatetheriskthatOSlibrariescanbeinvokedbytheOracleinstance.

Audit:

Toauditthisrecommendation,executethefollowingshellcommandsasappropriateforyourUnix/Windowsenvironment.

Unixenvironment:

grep -i extproc $ORACLE_HOME/network/admin/listener.ora

Windowsenvironment:

find /I extproc %ORACLE_HOME%\network\admin\listener.ora

Ensureextprocdoesnotexist.

Remediation:

Removeextprocfromthelistener.orafile.

References:

1. http://docs.oracle.com/database/121/DBSEG/app_devs.htm#DBSEG656

24|P a g e

2.1.3Ensure'ADMIN_RESTRICTIONS_<listener_name>'IsSetto'ON'(Scored)




Description:

Theadmin_restrictions_<listener_name>settinginthelistener.orafilecanrequirethatanyattemptedreal-timealterationoftheparametersinthelistenerviathesetcommandfileberefusedunlessthelistener.orafileismanuallyalteredthenrestartedbyaprivilegeduser.

Rationale:

Asblockingunprivilegedusersfrommakingalterationsofthelistener.orafile,whereremotedata/servicesarespecified,willhelpprotectdataconfidentiality,thisvalueshouldbesettotheneedsoftheorganization.

Audit:


Unixenvironment:

grep -i admin_restrictions $ORACLE_HOME/network/admin/listener.ora

Windowsenvironment:

find /I admin_restrictions %ORACLE_HOME%|\network\admin\listener.ora

EnsureADMIN_RESTRICTIONS_<listener_name>issettoONforalllisteners.

Remediation:

UseatexteditorsuchasvitosettheADMIN_RESTRICTIONS_<listener_name>tothevalueON.

25|P a g e

DefaultValue:

Notset.

References:

1. http://docs.oracle.com/database/121/NETRF/listener.htm#NETRF310

26|P a g e

2.1.4Ensure'SECURE_REGISTER_<listener_name>'IsSetto'TCPS'or'IPC'(Scored)




Description:

TheSECURE_REGISTER_<listener_name>settingspecifiestheprotocolswhichareusedtoconnecttotheTNSlistener.

Rationale:

Aslistenerconfigurationchangesviaunencryptedremoteconnectionscanresultinunauthorizeduserssniffingthecontrolconfigurationinformationfromthenetwork,thesecontrolvaluesshouldbesetaccordingtotheneedsoftheorganization.

Audit:


Unixenvironment:

grep -i SECURE_REGISTER $ORACLE_HOME/network/admin/listener.ora

Windowsenvironment:

find /I SECURE_REGISTER %ORACLE_HOME%\network\admin\listener.ora

EnsureSECURE_REGISTER_<listener_name>issettoTCPS orIPC.

Remediation:

UseatexteditorsuchasvitosettheSECURE_REGISTER_<listener_name>=TCPSorSECURE_REGISTER_<listener_name>=IPCforeachlistenerfoundin$ORACLE_HOME/network/admin/listener.ora.

27|P a g e

References:

1. http://docs.oracle.com/database/121/NETRF/listener.htm#NETRF3282. https://support.oracle.com/epmos/faces/ui/km/DocumentDisplay.jspx?id=145388

3.13. https://support.oracle.com/epmos/faces/ui/km/DocumentDisplay.jspx?id=134083

1.14. http://www.joxeankoret.com/download/tnspoison.pdf

Notes:

OracleRealApplicationClusterrequireadifferentapproachtofixtheTNSPoisoningproblem.SeeOraclesupportnote1453883.1fordetails.

28|P a g e

2.2Databasesettings

Thissectiondefinesrecommendationscoveringthegeneralsecurityconfigurationofthedatabaseinstance.Thelistedrecommendationsensureauditingisenabled,listenersareappropriatelyconfined,andauthenticationisappropriatelyconfigured.

NOTE:Theremediationproceduresassumetheuseofaserverparameterfile,whichisoftenapreferredmethodofstoringserverinitializationparameters.

ALTER SYSTEM SET <configuration_item> = <value> SCOPE = SPFILE;

Foryourenvironment,leavingofftheSCOPE = SPFILEdirectiveorsubstitutingthatwithSCOPE = BOTHmightbepreferreddependingontherecommendation.

2.2.1Ensure'AUDIT_SYS_OPERATIONS'IsSetto'TRUE'(Scored)




Description:

TheAUDIT_SYS_OPERATIONSsettingprovidesfortheauditingofalluseractivitiesconductedundertheSYSOPERandSYSDBAaccounts.

Rationale:

IftheparameterAUDIT_SYS_OPERATIONSisFALSE,allstatementsexceptofStartup/ShutdownandLogonbySYSDBA/SYSOPERusersarenotaudited.

Audit:


SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME) = 'AUDIT_SYS_OPERATIONS';

EnsureVALUE issettoTRUE.

29|P a g e

Remediation:

ToremediatethissettingexecutethefollowingSQLstatement.

ALTER SYSTEM SET AUDIT_SYS_OPERATIONS = TRUE SCOPE=SPFILE;

References:

1. http://docs.oracle.com/database/121/REFRN/GUID-58176267-238C-40B5-B1F2-BB8BB9518950.htm#REFRN10005

30|P a g e

2.2.2Ensure'AUDIT_TRAIL'IsSetto'OS','DB,EXTENDED',or'XML,EXTENDED'(Scored)



Description:

Theaudit_trail settingdetermineswhetherornotOracle'sbasicauditfeaturesareenabled.Thesecanbesetto"Operating System"(OS),"DB","DB,EXTENDED","XML"or"XML,EXTENDED".

Rationale:

AsenablingthebasicauditingfeaturesfortheOracleinstancepermitsthecollectionofdatatotroubleshootproblems,aswellasprovidingvalueforensiclogsinthecaseofasystembreach,thisvalueshouldbesetaccordingtotheneedsoftheorganization.

Audit:


SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='AUDIT_TRAIL';

EnsureVALUE issettoDB,OS,XMLorDB,EXTENDEDorXML,EXTENDED.

Remediation:

ToremediatethissettingexecuteoneofthefollowingSQLstatements.

ALTER SYSTEM SET AUDIT_TRAIL = DB, EXTENDED SCOPE = SPFILE; ALTER SYSTEM SET AUDIT_TRAIL = OS SCOPE = SPFILE; ALTER SYSTEM SET AUDIT_TRAIL = XML, EXTENDED SCOPE = SPFILE; ALTER SYSTEM SET AUDIT_TRAIL = DB SCOPE = SPFILE; ALTER SYSTEM SET AUDIT_TRAIL = XML SCOPE = SPFILE;

References:

1. http://docs.oracle.com/database/121/REFRN/GUID-BD86F593-B606-4367-9FB6-8DAB2E47E7FA.htm#REFRN10006

2. http://www.oracle.com/technetwork/products/audit-vault/learnmore/twp-security-auditperformance-166655.pdf

31|P a g e

2.2.3Ensure'GLOBAL_NAMES'IsSetto'TRUE'(Scored)




Description:

Theglobal_names settingrequiresthatthenameofadatabaselinkmatchesthatoftheremotedatabaseitwillconnectto.

Rationale:

Asnotrequiringdatabaseconnectionstomatchthedomainthatisbeingcalledremotelycouldallowunauthorizeddomainsourcestopotentiallyconnectviabrute-forcetactics,thisvalueshouldbesetaccordingtotheneedsoftheorganization.

Audit:


SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='GLOBAL_NAMES';


Remediation:


ALTER SYSTEM SET GLOBAL_NAMES = TRUE SCOPE = SPFILE;

References:

1. http://docs.oracle.com/database/121/REFRN/GUID-221D0483-D814-4963-84E1-7D39A25048ED.htm#REFRN10065

32|P a g e

2.2.4Ensure'LOCAL_LISTENER'IsSetAppropriately(Scored)




Description:

Thelocal_listenersettingspecifiesanetworknamethatresolvestoanaddressoftheOracleTNSlistener.

Rationale:

TheTNSpoisoningattackallowstoredirectTNSnetworktraffictoanothersystembyregisteringalistenertotheTNSlistener.Thisattackcanbeperformedbyunauthorizeduserswithnetworkaccess.ByspecifyingtheIPCprotocol,itisnolongerpossibletoregisterlistenersviaTCP/IP.

Audit:


SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='LOCAL_LISTENER';

EnsureVALUEissetto(DESCRIPTION=(ADDRESS= (PROTOCOL=IPC)(KEY=REGISTER))).

Remediation:


ALTER SYSTEM SET LOCAL_LISTENER='[description]' SCOPE = BOTH;

Replace[description]withtheappropriatedescriptionfromyourlistener.orafile,wherethatdescriptionsetsthePROTOCOLparametertoIPC.Forexample:

ALTER SYSTEM SET LOCAL_LISTENER='(DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=REGISTER)))' SCOPE=BOTH;

33|P a g e

References:

1. http://docs.oracle.com/database/121/REFRN/GUID-70F5D04D-02A3-4E89-8A3F-9410B6861BC4.htm#REFRN10082

2. https://support.oracle.com/epmos/faces/ui/km/DocumentDisplay.jspx?id=1453883.1

3. https://support.oracle.com/epmos/faces/ui/km/DocumentDisplay.jspx?id=1340831.1

4. http://www.joxeankoret.com/download/tnspoison.pdf

Notes:

OracleRealApplicationClusterrequiresadifferentapproachtofixtheTNSPoisoningproblem.SeeOraclesupportnote1453883.1fordetails.

34|P a g e

2.2.5Ensure'O7_DICTIONARY_ACCESSIBILITY'IsSetto'FALSE'(Scored)




Description:

TheO7_dictionary_accessibility settingisadatabaseinitializationsparameterthatallows/disallowswiththeEXECUTE ANY PROCEDUREandSELECT ANY DICTIONARYaccesstoobjectsintheSYSschema;thisfunctionalitywascreatedfortheeaseofmigrationfromOracle7databasestolaterversions.

Rationale:

AsleavingtheSYSschemasoopentoconnectioncouldpermitunauthorizedaccesstocriticaldatastructures,thisvalueshouldbesetaccordingtotheneedsoftheorganization.

Audit:


SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='O7_DICTIONARY_ACCESSIBILITY';

EnsureVALUE issettoFALSE.

Remediation:


ALTER SYSTEM SET O7_DICTIONARY_ACCESSIBILITY=FALSE SCOPE = SPFILE;

References:

1. http://docs.oracle.com/database/121/REFRN/GUID-1D1A88F1-B603-48FF-BD30-E6099DB1A1ED.htm#REFRN10133

Notes:

Thevalueforthisis"O(oh)7"not"0(Zero)7"for"O7."Also,for"OracleApplications"uptoversion11.5.9,thissettingisreversed,the"O7_dictionary_accessibility=TRUE"valueisrequiredforcorrectoperations.

35|P a g e

2.2.6Ensure'OS_ROLES'IsSetto'FALSE'(Scored)




Description:

Theos_roles settingpermitsexternallycreatedgroupstobeappliedtodatabasemanagement.

Rationale:

AsallowingtheOSuseexternalgroupsfordatabasemanagementcouldcauseprivilegeoverlapsandgenerallyweakensecurity,thisvalueshouldbesetaccordingtotheneedsoftheorganization.

Audit:


SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='OS_ROLES';


Remediation:


ALTER SYSTEM SET OS_ROLES = FALSE SCOPE = SPFILE;

References:

1. http://docs.oracle.com/database/121/REFRN/GUID-51CCE2D6-F841-4E02-A89D-EA08FC110CF3.htm#REFRN10153

36|P a g e

2.2.7Ensure'REMOTE_LISTENER'IsEmpty(Scored)




Description:

Theremote_listenersettingdetermineswhetherornotavalidlistenercanbeestablishedonasystemseparatefromthedatabaseinstance.

Rationale:

Aspermittingaremotelistenerforconnectionstothedatabaseinstancecanallowforthepotentialspoofingofconnectionsandthatcouldcompromisedataconfidentialityandintegrity,thisvalueshouldbedisabled/restrictedaccordingtotheneedsoftheorganization.

Audit:


SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='REMOTE_LISTENER';

EnsureVALUE isempty.

Remediation:


ALTER SYSTEM SET REMOTE_LISTENER = '' SCOPE = SPFILE;

References:

1. http://docs.oracle.com/database/121/REFRN/GUID-FEE2E8B5-CE02-4158-A6B4-030E59316756.htm#REFRN10183

Notes:

Ifsetatremote_listener=true,theaddress/addresslististakenfromtheTNSNAMES.ORAfile

37|P a g e

2.2.8Ensure'REMOTE_LOGIN_PASSWORDFILE'IsSetto'NONE'(Scored)




Description:

Theremote_login_passwordfile settingspecifieswhetherornotOraclechecksforapasswordfileduringloginandhowmanydatabasescanusethepasswordfile.

Rationale:

Astheuseofthissortofpasswordloginfilecouldpermitunsecured,privilegedconnectionstothedatabase,thisvalueshouldbesetaccordingtotheneedsoftheorganization.

Audit:


SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='REMOTE_LOGIN_PASSWORDFILE';

EnsureVALUE issettoNONE.

Remediation:


ALTER SYSTEM SET REMOTE_LOGIN_PASSWORDFILE = 'NONE' SCOPE = SPFILE;

References:

1. http://docs.oracle.com/database/121/REFRN/GUID-6619299E-95E8-4821-B123-3B5899F046C7.htm#REFRN10184

38|P a g e

2.2.9Ensure'REMOTE_OS_AUTHENT'IsSetto'FALSE'(Scored)




Description:

Theremote_os_authentsettingdetermineswhetherornotOS'roles'withtheattendantprivilegesareallowedforremoteclientconnections.

Rationale:

AspermittingOSrolesfordatabaseconnectionstocanallowthespoofingofconnectionsandpermitgrantingtheprivilegesofanOSroletounauthorizeduserstomakeconnections,thisvalueshouldberestrictedaccordingtotheneedsoftheorganization.

Audit:


SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='REMOTE_OS_AUTHENT';


Remediation:


ALTER SYSTEM SET REMOTE_OS_AUTHENT = FALSE SCOPE = SPFILE;

References:

1. http://docs.oracle.com/database/121/REFRN/GUID-AB66C849-FE5A-4E06-A6E1-AEE775D55703.htm#REFRN10185

39|P a g e

2.2.10Ensure'REMOTE_OS_ROLES'IsSetto'FALSE'(Scored)




Description:

Theremote_os_rolessettingpermitsremoteusers'OSrolestobeappliedtodatabasemanagement.

Rationale:

AsallowingremoteclientsOSrolestohavepermissionsfordatabasemanagementcouldcauseprivilegeoverlapsandgenerallyweakensecurity,thisvalueshouldbesetaccordingtotheneedsoftheorganization.

Audit:


SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='REMOTE_OS_ROLES';


Remediation:


ALTER SYSTEM SET REMOTE_OS_ROLES = FALSE SCOPE = SPFILE;

References:

1. http://docs.oracle.com/database/121/REFRN/GUID-BAA83447-14C1-4BE7-BB5D-806ED3E00AED.htm#REFRN10186

40|P a g e

2.2.11Ensure'UTL_FILE_DIR'IsEmpty(Scored)




Description:

Theutl_file_dirsettingallowspackageslikeutl_filetoaccess(read/write/modify/delete)filesspecifiedinutl_file_dir.(Thisisdeprecatedbutusablein11g.)

Rationale:

Asusingtheutl_file_dirtocreatedirectoriesallowsthemanipulationoffilesinthesedirectories.

Audit:


SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='UTL_FILE_DIR';

EnsureVALUE isempty.

Remediation:


ALTER SYSTEM SET UTL_FILE_DIR = '' SCOPE = SPFILE;

References:

1. http://docs.oracle.com/database/121/REFRN/GUID-DCA8A942-ACE1-46D6-876E-3244F390BCAE.htm#REFRN10230

41|P a g e

2.2.12Ensure'SEC_CASE_SENSITIVE_LOGON'IsSetto'TRUE'(Scored)




Description:

TheSEC_CASE_SENSITIVE_LOGON informationdetermineswhetherornotcase-sensitivityisrequiredforpasswordsduringlogin.

DuetothesecuritybugCVE-2012-3137itisrecommendedtosetthisparametertoTRUEiftheOctober2012CPU/PSUorlaterwasapplied.

IfthepatchwasnotapplieditisrecommendedtosetthisparametertoFALSEtoavoidthatthevulnerabilitycouldbeabused.

Rationale:

Oracle11gdatabaseswithoutCPUOctober2012patchorlaterarevulnerabletoCVE-2012-3137ifcase-sensitiveSHA-1passwordhashesareused.ToavoidthiskindofattacktheoldDES-hasheshavetobeused.

Audit:


SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='SEC_CASE_SENSITIVE_LOGON';


Remediation:


ALTER SYSTEM SET SEC_CASE_SENSITIVE_LOGON = TRUE SCOPE = SPFILE;

42|P a g e

Impact:

IfSEC_CASE_SENSITIVE_LOGONisFALSE,alluserwithSHA-1hashesonly("select name,password,spare4 from sys.user$ where password is null and spare4 is not

null")arenolongerabletoconnecttothedatabase.InthiscasethepasswordforalluserswithoutDEShashhavetosetagain.

References:

1. http://docs.oracle.com/database/121/REFRN/GUID-F464653A-0D43-4A70-8F05-0274A12C8578.htm#REFRN10299

43|P a g e

2.2.13Ensure'SEC_MAX_FAILED_LOGIN_ATTEMPTS'Is'10'(Scored)




Description:

TheSEC_MAX_FAILED_LOGIN_ATTEMPTS parameterdetermineshowmanyfailedloginattemptsareallowedbeforeOracleclosestheloginconnection.

Rationale:

Asallowinganunlimitednumberofloginattemptsforauserconnectioncanfacilitatebothbrute-forceloginattacksandtheoccurrenceofDenial-of-Service,thisvalue(10)shouldbesetaccordingtotheneedsoftheorganization.

Audit:


SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='SEC_MAX_FAILED_LOGIN_ATTEMPTS';

EnsureVALUE issetto10.

Remediation:


ALTER SYSTEM SET SEC_MAX_FAILED_LOGIN_ATTEMPTS = 10 SCOPE = SPFILE;

References:

1. http://docs.oracle.com/database/121/REFRN/GUID-DEC2A3B2-F49B-499E-A3CF-D097F3A5BA83.htm#REFRN10274

44|P a g e

2.2.14Ensure'SEC_PROTOCOL_ERROR_FURTHER_ACTION'IsSetto'DELAY,3'or'DROP,3'(Scored)




Description:

TheSEC_PROTOCOL_ERROR_FURTHER_ACTION settingdeterminestheOracle'sserver'sresponsetobad/malformedpacketsreceivedfromtheclient.

Rationale:

Asbadpacketsreceivedfromtheclientcanpotentiallyindicatepacket-basedattacksonthesystem,suchas"TCPSYNFlood"or"Smurf"attacks,whichcouldresultinaDenial-of-Servicecondition,thisvalueshouldbesetaccordingtotheneedsoftheorganization.

Audit:


SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='SEC_PROTOCOL_ERROR_FURTHER_ACTION';

EnsureVALUE issettoDELAY,3orDROP,3.

Remediation:

ToremediatethissettingexecuteoneofthefollowingSQLstatements.

ALTER SYSTEM SET SEC_PROTOCOL_ERROR_FURTHER_ACTION = 'DELAY,3' SCOPE = SPFILE; ALTER SYSTEM SET SEC_PROTOCOL_ERROR_FURTHER_ACTION = 'DROP,3' SCOPE = SPFILE;

References:

1. http://docs.oracle.com/database/121/REFRN/GUID-1E8D3C6E-C919-4218-8117-760D31BD0F95.htm#REFRN10282

45|P a g e

2.2.15Ensure'SEC_PROTOCOL_ERROR_TRACE_ACTION'IsSetto'LOG'(Scored)




Description:

TheSEC_PROTOCOL_ERROR_TRACE_ACTION settingdeterminestheOracle'sserver'sloggingresponseleveltobad/malformedpacketsreceivedfromtheclient,bygeneratingALERT,LOG,orTRACE levelsofdetailinthelogfiles.

Rationale:

Asbadpacketsreceivedfromtheclientcanpotentiallyindicatepacket-basedattacksonthesystem,suchas"TCPSYNFlood"or"Smurf"attacks,whichcouldresultinaDenial-of-Servicecondition,thisdiagnostic/loggingvalueforALERT,LOG,orTRACE conditionsshouldbesetaccordingtotheneedsoftheorganization.

Audit:


SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='SEC_PROTOCOL_ERROR_TRACE_ACTION';

EnsureVALUE issettoLOG.

Remediation:


ALTER SYSTEM SET SEC_PROTOCOL_ERROR_TRACE_ACTION=LOG SCOPE = SPFILE;

46|P a g e

References:

1. http://docs.oracle.com/database/121/REFRN/GUID-AE811BC1-8CED-4B21-B16C-4B712B127535.htm#REFRN10283

Notes:

SettingthevalueasSEC_PROTOCOL_ERROR_TRACE_ACTION=TRACE cangenerateanenormousamountoflogoutputandshouldbereservedfordebuggingonly.

47|P a g e

2.2.16Ensure'SEC_RETURN_SERVER_RELEASE_BANNER'IsSetto'FALSE'(Scored)




Description:

Theinformationaboutpatch/updatereleasenumberprovidesinformationabouttheexactpatch/updatereleasethatiscurrentlyrunningonthedatabase.

Rationale:

Asallowingthedatabasetoreturninformationaboutthepatch/updatereleasenumbercouldfacilitateunauthorizedusers'attemptstogainaccessbaseduponknownpatchweaknesses,thisvalueshouldbesetaccordingtotheneedsoftheorganization.

Audit:


SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='SEC_RETURN_SERVER_RELEASE_BANNER';

EnsureVALUEissettoFALSE.

Remediation:


ALTER SYSTEM SET SEC_RETURN_SERVER_RELEASE_BANNER = FALSE SCOPE = SPFILE;

References:

1. http://docs.oracle.com/database/121/REFRN/GUID-688102A0-11F5-4F06-8868-934D65C4E878.htm#REFRN10275

48|P a g e

2.2.17Ensure'SQL92_SECURITY'IsSetto'TRUE'(Scored)




Description:

TheSQL92_SECURITYparametersettingTRUErequiresthatausermustalsobegrantedtheSELECTobjectprivilegebeforebeingabletoperformUPDATEorDELETEoperationsontablesthathaveWHEREorSETclauses.

Rationale:

AuserwithoutSELECTprivilegecanstillinferthevaluestoredinacolumnbyreferringtothatcolumninaDELETEorUPDATEstatement.ThissettingpreventsinadvertentinformationdisclosurebyensuringthatonlyuserswhoalreadyhaveSELECTprivilegecanexecutethestatementsthatwouldallowthemtoinferthestoredvalues.

Audit:


SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='SQL92_SECURITY';


Remediation:


ALTER SYSTEM SET SQL92_SECURITY = TRUE SCOPE = SPFILE;

DefaultValue:

FALSE

References:

1. http://docs.oracle.com/database/121/REFRN/GUID-E41087C2-250E-4201-908B-79E659B22A4B.htm#REFRN10210

49|P a g e

2.2.18Ensure'_TRACE_FILES_PUBLIC'IsSetto'FALSE'(Scored)




Description:

The_trace_files_publicsettingdetermineswhetherornotthesystem'stracefileisworldreadable.

Rationale:

Aspermittingthereadpermissiontootheranyonecanreadtheinstance'stracefilesfilewhichcouldcontainsensitiveinformationaboutinstanceoperations,thisvalueshouldberestrictedaccordingtotheneedsoftheorganization.

Audit:


SELECT VALUE FROM V$PARAMETER WHERE NAME='_trace_files_public';

AVALUE equaltoFALSE orlackofresultsimpliescompliance.

Remediation:


ALTER SYSTEM SET "_trace_files_public" = FALSE SCOPE = SPFILE;

References:

1. http://asktom.oracle.com/pls/asktom/f?p=100:11:0::::P11_QUESTION_ID:4295521746131

50|P a g e

2.2.19Ensure'RESOURCE_LIMIT'IsSetto'TRUE'(Scored)




Description:

RESOURCE_LIMITdetermineswhetherresourcelimitsareenforcedindatabaseprofiles

Rationale:

Ifresource_limitissettoFALSE,noneofthesystemresourcelimitsthataresetinanydatabaseprofilesareenforced.Ifresource_limitissettoTRUE,thenthelimitssetindatabaseprofilesareenforced.

Audit:


SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='RESOURCE_LIMIT';


Remediation:


ALTER SYSTEM SET RESOURCE_LIMIT = TRUE SCOPE = SPFILE;

DefaultValue:

FALSE

References:

1. http://docs.oracle.com/database/121/REFRN/GUID-BB0AB177-3867-4D0D-8700-A1AC8BDFEFC3.htm#REFRN10188

51|P a g e

3OracleConnectionandLoginRestrictions

TherestrictionsonClient/UserconnectionstotheOracledatabasehelpblockunauthorizedaccesstodataandservicesbysettingaccessrules.Thesesecuritymeasureshelptoensurethatsuccessfulloginscannotbeeasilymadethroughbrute-forcepasswordattacksorintuitedbycleversocialengineeringexploits.SettingsaregenerallyrecommendedtobeappliedtoalldefinedprofilesratherthanbyusingonlytheDEFAULTprofile.Allvaluesassignedbelowaretherecommendedminimumsormaximums;higher,morerestrictivevaluescanbeappliedatthediscretionoftheorganizationbycreatingaseparateprofiletoassigntoadifferentusergroup.

3.1Ensure'FAILED_LOGIN_ATTEMPTS'IsLessthanorEqualto'5'(Scored)




Description:

Thefailed_login_attemptssettingdetermineshowmanyfailedloginattemptsarepermittedbeforethesystemlockstheuser'saccount.Whiledifferentprofilescanhavedifferentandmorerestrictivesettings,suchasUSERSandAPPS,theminimum(s)recommendedhereshouldbesetontheDEFAULTprofile.

Rationale:

Asrepeatedfailedloginattemptscanindicatetheinitiationofabrute-forceloginattack,thisvalueshouldbesetaccordingtotheneedsoftheorganization(seewarningbelowonaknownbugthatcanmakethissecuritymeasurebackfire).

52|P a g e

Audit:


SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE RESOURCE_NAME='FAILED_LOGIN_ATTEMPTS' AND ( LIMIT = 'DEFAULT' OR LIMIT = 'UNLIMITED' OR LIMIT > 5 );

Lackofresultsimpliescompliance.

Remediation:

RemediatethissettingbyexecutingthefollowingSQLstatementforeachPROFILEreturnedbytheauditprocedure.

ALTER PROFILE <profile_name> LIMIT FAILED_LOGIN_ATTEMPTS 5;

Warning:

OneverygreatconcernwiththeaboveisthepossibilityofthissettingbeingexploitedtocraftaDDoSattackbyusingtherow-lockingdelaybetweenfailedloginattempts(seeOracleBug7715339–Logonfailurescauses“rowcachelock”waits–Allowdisableoflogondelay[ID7715339.8],sotheconfigurationofthissettingdependsonusingthebugworkaround).Also,whilethesettingforthefailed_login_attemptsvaluecanalsobesetinsqlnet.ora,thisonlyappliestolistedusers.ThesimilarsettingusedtoblockaDDoS,theSEC_MAX_FAILED_LOGIN_ATTEMPTSinitializationparameter,canbeusedtoprotectunauthorizedintrudersfromattackingtheserverprocessesforapplications,butthissettingdoesnotprotectagainstunauthorizedattemptsviavalidusernames.

53|P a g e

3.2Ensure'PASSWORD_LOCK_TIME'IsGreaterthanorEqualto'1'(Scored)




Description:

ThePASSWORD_LOCK_TIME settingdetermineshowmanydaysmustpassfortheuser'saccounttobeunlockedafterthesetnumberoffailedloginattemptshasoccurred.

Rationale:

Aslockingtheuseraccountafterrepeatedfailedloginattemptscanblockfurtherbrute-forceloginattacks,butcancreateadministrativeheadachesasthisaccountunlockingprocessalwaysrequiresDBAintervention,thisvalueshouldbesetaccordingtotheneedsoftheorganization.

Audit:


SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE RESOURCE_NAME='PASSWORD_LOCK_TIME' AND ( LIMIT = 'DEFAULT' OR LIMIT = 'UNLIMITED' OR LIMIT < 1 );


Remediation:


ALTER PROFILE <profile_name> LIMIT PASSWORD_LOCK_TIME 1;

54|P a g e

3.3Ensure'PASSWORD_LIFE_TIME'IsLessthanorEqualto'90'(Scored)




Description:

Thepassword_life_timesettingdetermineshowlongapasswordmaybeusedbeforetheuserisrequiredtobechangeit.

Rationale:

Asallowingpasswordstoremainunchangedforlongperiodsmakesthesuccessofbrute-forceloginattacksmorelikely,thisvalueshouldbesetaccordingtotheneedsoftheorganization.

Audit:


SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE RESOURCE_NAME='PASSWORD_LIFE_TIME' AND ( LIMIT = 'DEFAULT' OR LIMIT = 'UNLIMITED' OR LIMIT > 90 );


Remediation:


ALTER PROFILE <profile_name> LIMIT PASSWORD_LIFE_TIME 90;

55|P a g e

3.4Ensure'PASSWORD_REUSE_MAX'IsGreaterthanorEqualto'20'(Scored)




Description:

Thepassword_reuse_max settingdetermineshowmanydifferentpasswordsmustbeusedbeforetheuserisallowedtoreuseapriorpassword.

Rationale:

Asallowingreuseofapasswordwithinashortperiodoftimeafterthepassword'sinitialusecanmakethesuccessofbothsocial-engineeringandbrute-forcepassword-basedattacksmorelikely,thisvalueshouldbesetaccordingtotheneedsoftheorganization.

Audit:


SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE RESOURCE_NAME='PASSWORD_REUSE_MAX' AND ( LIMIT = 'DEFAULT' OR LIMIT = 'UNLIMITED' OR LIMIT < 20 );


Remediation:


ALTER PROFILE <profile_name> LIMIT PASSWORD_REUSE_MAX 20;

Notes:

Theaboverestrictionshouldbeappliedalongwiththepassword_reuse_timesetting.

56|P a g e

3.5Ensure'PASSWORD_REUSE_TIME'IsGreaterthanorEqualto'365'(Scored)




Description:

Thepassword_reuse_time settingdeterminestheamountoftimeindaysthatmustpassbeforethesamepasswordmaybereused.

Rationale:

Asreusingthesamepasswordafteronlyashortperiodoftimehaspassedmakesthesuccessofbrute-forceloginattacksmorelikely,thisvalueshouldbesetaccordingtotheneedsoftheorganization.

Audit:


SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE RESOURCE_NAME='PASSWORD_REUSE_TIME' AND ( LIMIT = 'DEFAULT' OR LIMIT = 'UNLIMITED' OR LIMIT < 365 );


Remediation:


ALTER PROFILE <profile_name> LIMIT PASSWORD_REUSE_TIME 365;

Notes:

Theaboverestrictionshouldbeappliedalongwiththepassword_reuse_maxsetting.

57|P a g e

3.6Ensure'PASSWORD_GRACE_TIME'IsLessthanorEqualto'5'(Scored)




Description:

Thepassword_grace_time settingdetermineshowmanydayscanpassaftertheuser'spasswordexpiresbeforetheuser'slogincapabilityisautomaticallylockedout.

Rationale:

Aslockingtheuseraccountaftertheexpirationofthepasswordchangerequirement'sgraceperiodcanhelppreventpassword-basedattackagainstaforgottenordisusedaccounts,whilestillallowingtheaccountanditsinformationtobeaccessiblebyDBAintervention,thisvalueshouldbesetaccordingtotheneedsoftheorganization.

Audit:


SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE RESOURCE_NAME='PASSWORD_GRACE_TIME' AND ( LIMIT = 'DEFAULT' OR LIMIT = 'UNLIMITED' OR LIMIT > 5 );


Remediation:


ALTER PROFILE <profile_name> LIMIT PASSWORD_GRACE_TIME 5;

58|P a g e

3.7Ensure'DBA_USERS.PASSWORD'IsNotSetto'EXTERNAL'forAnyUser(Scored)




Description:

Thepassword='EXTERNAL' settingdetermineswhetherornotausercanbeauthenticatedbyaremoteOStoallowaccesstothedatabasewithfullauthorization.

Rationale:

AsallowingremoteOSauthenticationofausertothedatabasecanpotentiallyallowsupposed"privilegedusers"toconnectas"authenticated,"evenwhentheremotesystemiscompromised,theseloginsshouldbedisabled/restrictedaccordingtotheneedsoftheorganization.

Audit:


SELECT USERNAME FROM DBA_USERS WHERE PASSWORD='EXTERNAL';


Remediation:


ALTER USER <username> IDENTIFIED BY <password>;

Notes:

ThePASSWORD keyword(column)usedintheSQLforpriorOracleversionshasbeendeprecatedfromversion11.2onwardinfavorofthenewAUTHENTICATION_TYPE keyword(column)fortheDBA_USERS table.However,thePASSWORDcolumnhasstillbeenretainedforbackward-compatability.

59|P a g e

3.8Ensure'PASSWORD_VERIFY_FUNCTION'IsSetforAllProfiles(Scored)




Description:

Thepassword_verify_function determinespasswordsettingsrequirementswhenauserpasswordischangedattheSQLcommandprompt.ThissettingdoesnotapplyforusersmanagedbytheOraclepasswordfile.

Rationale:

Asrequiringuserstoapplythe11gr2securityfeaturesinpasswordcreation,suchasforcingmixed-casecomplexity,theblockingofsimplecombinations,andchange/historysettingscanpotentiallythwartloginsbyunauthorizedusers,thisfunctionshouldbeapplied/enabledaccordingtotheneedsoftheorganization.

Audit:

ToassessthisrecommendationexecutethefollowingSQLstatement.

SELECT PROFILE, RESOURCE_NAME FROM DBA_PROFILES WHERE RESOURCE_NAME='PASSWORD_VERIFY_FUNCTION' AND (LIMIT = 'DEFAULT' OR LIMIT = 'NULL');


Remediation:

Createacustompasswordverificationfunctionwhichfulfillsthepasswordrequirementsoftheorganization.

60|P a g e

3.9Ensure'SESSIONS_PER_USER'IsLessthanorEqualto'10'(Scored)




Description:

TheSESSIONS_PER_USER (Numberofsessionsallowed)determinesthemaximumnumberofusersessionsthatareallowedtobeopenconcurrently.

Rationale:

AslimitingthenumberoftheSESSIONS_PER_USER canhelppreventmemoryresourceexhaustionbypoorlyformedrequestsorintentionalDenial-of-Serviceattacks,thisvalueshouldbesetaccordingtotheneedsoftheorganization.

Audit:


SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE RESOURCE_NAME='SESSIONS_PER_USER' AND ( LIMIT = 'DEFAULT' OR LIMIT = 'UNLIMITED' OR LIMIT > 10 );


Remediation:

ToremediatethissettingexecutethefollowingSQLstatementforeachPROFILEreturnedbytheauditprocedure.

ALTER PROFILE <profile_name> LIMIT SESSIONS_PER_USER 10;

Notes:

TheSESSIONS_PER_USERprofilemanagementcapabilitywascreatedtopreventresource(s)exhaustionatatimewhenthesewereveryexpensive.Ascurrentdatabasedesignmayrequiremuchhigherlimitsonthisparameterifone"user"handlesallprocessingforspecifictypesofbatch/customerconnections,thismustbehandledviaanewuserprofile.

61|P a g e

3.10EnsureNoUsersAreAssignedthe'DEFAULT'Profile(Scored)




Description:

UponcreationdatabaseusersareassignedtotheDEFAULTprofileunlessotherwisespecified.

Rationale:

Itisrecommendedthatusersbecreatedwithfunction-appropriateprofiles.TheDEFAULTprofile,beingdefinedbyOracle,issubjecttochangeatanytime(e.g.bypatchorversionupdate).TheDEFAULTprofilehasunlimitedsettingsthatareoftenrequiredbytheSYSuserwhenpatching;suchunlimitedsettingsshouldbetightlyreservedandnotappliedtounnecessaryusers.

Audit:


SELECT USERNAME FROM DBA_USERS WHERE PROFILE='DEFAULT' AND ACCOUNT_STATUS='OPEN' AND USERNAME NOT IN ('ANONYMOUS', 'CTXSYS', 'DBSNMP', 'EXFSYS', 'LBACSYS', 'MDSYS', 'MGMT_VIEW','OLAPSYS','OWBSYS', 'ORDPLUGINS', 'ORDSYS', 'OUTLN', 'SI_INFORMTN_SCHEMA','SYS', 'SYSMAN', 'SYSTEM', 'TSMSYS', 'WK_TEST', 'WKSYS', 'WKPROXY', 'WMSYS', 'XDB', 'CISSCAN');


Remediation:

Toremediatethisrecommendation,executethefollowingSQLstatementforeachuserreturnedbytheauditqueryusingafunctional-appropriateprofile.

ALTER USER <username> PROFILE <appropriate_profile>

62|P a g e

4OracleUserAccessandAuthorizationRestrictions

Thecapabilitytousedatabaseresourcesatagivenlevel,oruserauthorizationrules,allowsforusermanipulationofthevariouspartsoftheOracledatabase.Theseauthorizationsmustbestructuredtoblockunauthorizeduseand/orcorruptionofvitaldataandservicesbysettingrestrictionsonusercapabilities,particularlythoseoftheuserPUBLIC.Suchsecuritymeasureshelptoensurethatsuccessfulloginscannotbeeasilyredirected.IMPORTANT:UsecautionwhenrevokingprivilegesfromPUBLIC.Oracleandthird-partyproductsexplicitlyrequiredefaultgrantstoPUBLICforcommonlyusedfunctions,objects,andinviewdefinitions.AfterrevokinganyprivilegefromPUBLIC,verifythatapplicationskeeprunningproperly.AfterrevokingprivilegesfromPUBLIC,recompileinvaliddatabaseobjects.Specificgrantstousersandrolesmaybeneededtomakeallobjectsvalid.PleaseseethefollowingOraclesupportdocumentwhichprovidesfurtherinformationandSQLstatementsthatcanbeusedtodeterminedependenciesthatrequireexplicitgrants.BeCautiousWhenRevokingPrivilegesGrantedtoPUBLIC(DocID247093.1)AlwaystestdatabasechangesinDevelopmentandTestenvironmentsbeforemakingchangestoProductiondatabases.

63|P a g e

4.1DefaultPublicPrivilegesforPackagesandObjectTypes

Revokedefaultpublicexecuteprivilegesfrompowerfulpackagesandobjecttypes.

4.1.1Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_ADVISOR'(Scored)




Description:

TheOracledatabaseDBMS_ADVISORpackagecanbeusedtowritefileslocatedontheserverwheretheOracleinstanceisinstalled.

Rationale:

AsuseoftheDBMS_ADVISORpackagecouldallowanunauthorizedusertocorruptoperatingsystemfilesontheinstance'shost,useofthispackageshouldberestrictedaccordingtotheneedsoftheorganization.

Audit:


SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_ADVISOR';


Remediation:


REVOKE EXECUTE ON DBMS_ADVISOR FROM PUBLIC;

References:

1. http://docs.oracle.com/database/121/ARPLS/d_advis.htm#ARPLS350

64|P a g e

4.1.2Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_CRYPTO'(Scored)




Description:

TheDBMS_CRYPTOsettingsprovideatoolsetthatdeterminesthestrengthoftheencryptionalgorithmusedtoencryptapplicationdataandispartoftheSYSschema.TheDES(56-bitkey),3DES(168-bitkey),3DES-2KEY(112-bitkey),AES(128/192/256-bitkeys),andRC4areavailable.

Rationale:

AsexecutionofthesecryptographyproceduresbytheuserPUBLICcanpotentiallyendangerportionsoforallofthedatastorage,thisvalueshouldbesetaccordingtotheneedsoftheorganization.

Audit:


SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND TABLE_NAME='DBMS_CRYPTO';


Remediation:


REVOKE EXECUTE ON DBMS_CRYPTO FROM PUBLIC;

References:

1. http://docs.oracle.com/database/121/ARPLS/d_crypto.htm#ARPLS664

65|P a g e

4.1.3Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_JAVA'(Scored)




Description:

TheOracledatabaseDBMS_JAVApackagecanrunJavaclasses(e.g.OScommands)orgrantJavaprivileges.

Rationale:

The DBMS_JAVApackagecouldallowanattackertorunoperatingsystemcommandsfromthedatabase.

Audit:


SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_JAVA';


Remediation:


REVOKE EXECUTE ON DBMS_JAVA FROM PUBLIC;

References:

1. http://docs.oracle.com/database/121/JJDEV/appendixa.htm#JJDEV13000

66|P a g e

4.1.4Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_JAVA_TEST'(Scored)




Description:

TheOracledatabaseDBMS_JAVA_TESTpackagecanrunJavaclasses(e.g.OScommands)orgrantJavaprivileges.

Rationale:

TheDBMS_JAVA_TESTpackagecouldallowanattackertorunoperatingsystemcommandsfromthedatabase.

Audit:


SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_JAVA_TEST';


Remediation:


REVOKE EXECUTE ON DBMS_JAVA_TEST FROM PUBLIC;

Notes:

Undocumented

67|P a g e

4.1.5Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_JOB'(Scored)




Description:

TheOracledatabaseDBMS_JOBpackageschedulesandmanagesthejobssenttothejobqueueandhasbeensupersededbytheDBMS_SCHEDULERpackage,eventhoughDBMS_JOBhasbeenretainedforbackwardscompatibility.

Rationale:

AsuseoftheDBMS_JOBpackagecouldallowanunauthorizedusertodisableoroverloadthejobqueueandhasbeensupersededbytheDBMS_SCHEDULERpackage,thispackageshouldbedisabledorrestrictedaccordingtotheneedsoftheorganization.

Audit:


SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_JOB';


Remediation:


REVOKE EXECUTE ON DBMS_JOB FROM PUBLIC;

References:

1. http://docs.oracle.com/database/121/ARPLS/d_job.htm#ARPLS019

68|P a g e

4.1.6Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_LDAP'(Scored)




Description:

TheOracledatabaseDBMS_LDAPpackagecontainsfunctionsandproceduresthatenableprogrammerstoaccessdatafromLDAPservers.

Rationale:

AsuseoftheDBMS_LDAPpackagecanbeusedtocreatespeciallycraftederrormessagesorsendinformationviaDNStotheoutside.

Audit:


SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_LDAP';


Remediation:


REVOKE EXECUTE ON DBMS_LDAP FROM PUBLIC;

References:

1. http://docs.oracle.com/database/121/ARPLS/d_ldap.htm#ARPLS360

69|P a g e

4.1.7Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_LOB'(Scored)




Description:

TheOracledatabaseDBMS_LOBpackageprovidessubprogramsthatcanmanipulateandread/writeonBLOBs,CLOBs,NCLOBs,BFILEs,andtemporaryLOBs.

Rationale:

AsuseoftheDBMS_LOBpackagecouldallowanunauthorizedusertomanipulateBLOBs,CLOBs,NCLOBs,BFILEs,andtemporaryLOBsontheinstance,eitherdestroyingdataorcausingaDenial-of-Serviceconditionduetocorruptionofdiskspace,useofthispackageshouldberestrictedaccordingtotheneedsoftheorganization.

Audit:


SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_LOB';


Remediation:


REVOKE EXECUTE ON DBMS_LOB FROM PUBLIC;

References:

1. http://docs.oracle.com/database/121/ARPLS/d_lob.htm#ARPLS600

70|P a g e

4.1.8Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_OBFUSCATION_TOOLKIT'(Scored)




Description:

TheDBMS_OBFUSCATION_TOOLKITsettingsprovideoneofthetoolsthatdeterminethestrengthoftheencryptionalgorithmusedtoencryptapplicationdataandispartoftheSYSschema.TheDES(56-bitkey)and3DES(168-bitkey)aretheonlytwotypesavailable.

Rationale:

AsallowingthePUBLICuserprivilegestoaccessthiscapabilitycanbepotentiallyharmthedatastorage,thisaccessshouldbesetaccordingtotheneedsoftheorganization.

Audit:


SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_OBFUSCATION_TOOLKIT';


Remediation:


REVOKE EXECUTE ON DBMS_OBFUSCATION_TOOLKIT FROM PUBLIC;

71|P a g e

4.1.9Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_RANDOM'(Scored)




Description:

TheOracledatabaseDBMS_RANDOMpackageisusedforgeneratingrandomnumbersbutshouldnotbeusedforcryptographicpurposes.

Rationale:

AsassignmentofuseoftheDBMS_RANDOMpackagecanallowtheunauthorizedapplicationoftherandomnumber-generatingfunction,thiscapabilityshouldberestrictedaccordingtotheneedsoftheorganization.

Audit:


SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_RANDOM';


Remediation:


REVOKE EXECUTE ON DBMS_RANDOM FROM PUBLIC;

References:

1. http://docs.oracle.com/cd/E11882_01/appdev.112/e25788/d_random.htm

Notes:

TheOEMcautionsthatremovingthisfromPUBLICmaybreakcertainapplications.

72|P a g e

4.1.10Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_SCHEDULER'(Scored)




Description:

TheOracledatabaseDBMS_SCHEDULERpackageschedulesandmanagesthedatabaseandoperatingsystemjobs.

Rationale:

AsuseoftheDBMS_SCHEDULERpackagecouldallowanunauthorizedusertorundatabaseoroperatingsystemjobs.

Audit:


SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_SCHEDULER';


Remediation:


REVOKE EXECUTE ON DBMS_SCHEDULER FROM PUBLIC;

References:

1. http://docs.oracle.com/database/121/ARPLS/d_sched.htm#ARPLS72235

73|P a g e

4.1.11Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_SQL'(Scored)




Description:

TheOracledatabaseDBMS_SQLpackageisusedforrunningdynamicSQLstatements.

Rationale:

TheDBMS_SQLpackagecouldallowprivilegeescalationiftheinputvalidationisnotdoneproperly.

Audit:


SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_SQL';


Remediation:


REVOKE EXECUTE ON DBMS_SQL FROM PUBLIC;

References:

1. http://docs.oracle.com/database/121/ARPLS/d_sql.htm#ARPLS058

74|P a g e

4.1.12Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_XMLGEN'(Scored)




Description:

TheDBMS_XMLGEN packagetakesanarbitrarySQLqueryasinput,convertsittoXMLformat,andreturnstheresultasaCLOB.

Rationale:

ThepackageDBMS_XMLGEN canbeusedtosearchtheentiredatabaseforcriticalinformationlikecreditcardnumbers,andothersensitiveinformation.

Audit:


SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_XMLGEN';


Remediation:


REVOKE EXECUTE ON DBMS_XMLGEN FROM PUBLIC;

References:

1. http://docs.oracle.com/database/121/ARPLS/d_xmlgen.htm#ARPLS3742. http://www.red-database-security.com/wp/confidence2009.pdf

75|P a g e

4.1.13Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_XMLQUERY'(Scored)




Description:

TheOraclepackageDBMS_XMLQUERYtakesanarbitrarySQLquery,convertsittoXMLformat,andreturnstheresult.ThispackageissimilartoDBMS_XMLGEN.

Rationale:

ThepackageDBMS_XMLQUERYcanbeusedtosearchtheentiredatabaseforcriticalinformationlikecreditcardnumbersandothersensitiveinformation.

Audit:


SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_XMLQUERY';


Remediation:


REVOKE EXECUTE ON DBMS_XMLQUERY FROM PUBLIC;

References:

1. http://docs.oracle.com/database/121/ARPLS/d_xmlque.htm#ARPLS376

76|P a g e

4.1.14Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'UTL_FILE'(Scored)




Description:

TheOracledatabaseUTL_FILEpackagecanbeusedtoread/writefileslocatedontheserverwheretheOracleinstanceisinstalled.

Rationale:

AsuseoftheUTL_FILEpackagecouldallowanusertoreadfilesattheoperatingsystem.Thesefilescouldcontainsensitiveinformation(e.g.passwordsin.bash_history).

Audit:


SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='UTL_FILE';


Remediation:


REVOKE EXECUTE ON UTL_FILE FROM PUBLIC;

References:

1. http://docs.oracle.com/database/121/ARPLS/u_file.htm#ARPLS069

77|P a g e

4.1.15Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'UTL_INADDR'(Scored)




Description:

TheOracledatabaseUTL_INADDRpackagecanbeusedtocreatespeciallycraftederrormessagesorsendinformationviaDNStotheoutside.

Rationale:

AsuseoftheUTL_INADDRpackageisoftenusedinSQLInjectionattacksfromthewebitshouldberevokedfrompublic.

Audit:


SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='UTL_INADDR';


Remediation:


REVOKE EXECUTE ON UTL_INADDR FROM PUBLIC;

References:

1. http://docs.oracle.com/database/121/ARPLS/u_inaddr.htm#ARPLS071

78|P a g e

4.1.16Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'UTL_TCP'(Scored)




Description:

TheOracledatabaseUTL_TCPpackagecanbeusedtoread/writefiletoTCPsocketsontheserverwheretheOracleinstanceisinstalled.

Rationale:

AsuseoftheUTL_TCPpackagecouldallowanunauthorizedusertocorrupttheTCPstreamusedforcarrytheprotocolsthatcommunicatewiththeinstance'sexternalcommunications,useofthispackageshouldberestrictedaccordingtotheneedsoftheorganization.

Audit:


SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='UTL_TCP';


Remediation:


REVOKE EXECUTE ON UTL_TCP FROM PUBLIC;

References:

1. http://docs.oracle.com/database/121/ARPLS/u_tcp.htm#ARPLS075

79|P a g e

4.1.17Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'UTL_MAIL'(Scored)




Description:

TheOracledatabaseUTL_MAILpackagecanbeusedtosendemailfromtheserverwheretheOracleinstanceisinstalled.

Rationale:

AsuseoftheUTL_MAILpackagecouldallowanunauthorizedusertocorrupttheSMTPfunctiontoacceptorgeneratejunkmailthatcanresultinaDenial-of-Serviceconditionduetonetworksaturation,useofthispackageshouldberestrictedaccordingtotheneedsoftheorganization.

Audit:


SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='UTL_MAIL';


Remediation:


REVOKE EXECUTE ON UTL_MAIL FROM PUBLIC;

References:

1. http://docs.oracle.com/database/121/ARPLS/u_mail.htm#ARPLS384

80|P a g e

4.1.18Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'UTL_SMTP'(Scored)




Description:

TheOracledatabaseUTL_SMTPpackagecanbeusedtosendemailfromtheserverwheretheOracleinstanceisinstalled.

Rationale:

AsuseoftheUTL_SMTPpackagecouldallowanunauthorizedusertocorrupttheSMTPfunctiontoacceptorgeneratejunkmailthatcanresultinaDenial-of-Serviceconditionduetonetworksaturation,useofthispackageshouldberestrictedaccordingtotheneedsoftheorganization.

Audit:


SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='UTL_SMTP';


Remediation:


REVOKE EXECUTE ON UTL_SMTP FROM PUBLIC;

References:

1. http://docs.oracle.com/database/121/ARPLS/u_smtp.htm#ARPLS074

81|P a g e

4.1.19Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'UTL_DBWS'(Scored)




Description:

TheOracledatabaseUTL_DBWSpackagecanbeusedtoread/writefiletoweb-basedapplicationsontheserverwheretheOracleinstanceisinstalled.Thispackageisnotautomaticallyinstalledforsecurityreasons.

Rationale:

AsuseoftheUTL_DBWSpackagecouldallowanunauthorizedusertocorrupttheHTTPstreamusedforcarrytheprotocolsthatcommunicatewiththeinstance'sweb-basedexternalcommunications,useofthispackageshouldberestrictedaccordingtotheneedsoftheorganization.

Audit:


SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='UTL_DBWS';


Remediation:


REVOKE EXECUTE ON UTL_DBWS FROM 'PUBLIC';

References:

1. https://docs.oracle.com/database/121/JJPUB/intro.htm#BHCIBFGJ

82|P a g e

4.1.20Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'UTL_ORAMTS'(Scored)




Description:

TheOracledatabaseUTL_ORAMTSpackagecanbeusedtoperformHTTP-requests.Thiscouldbeusedtosendinformationtotheoutside.

Rationale:

AsuseoftheUTL_ORAMTSpackagecouldbeusedtosend(sensitive)informationtoexternalwebsites.Theuseofthispackageshouldberestrictedaccordingtotheneedsoftheorganization.

Audit:


SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='UTL_ORAMTS';


Remediation:


REVOKE EXECUTE ON UTL_ORAMTS FROM PUBLIC;

References:

1. http://docs.oracle.com/database/121/NTMTS/recovery.htm#sthref73

83|P a g e

4.1.21Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'UTL_HTTP'(Scored)




Description:

TheOracledatabaseUTL_HTTPpackagecanbeusedtoperformHTTP-requests.Thiscouldbeusedtosendinformationtotheoutside.

Rationale:

AsuseoftheUTL_HTTPpackagecouldbeusedtosend(sensitive)informationtoexternalwebsites.Theuseofthispackageshouldberestrictedaccordingtotheneedsoftheorganization.

Audit:


SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='UTL_HTTP'; The assessment fails if results are returned.

Remediation:


REVOKE EXECUTE ON UTL_HTTP FROM PUBLIC;

References:

1. http://docs.oracle.com/database/121/ARPLS/u_http.htm#ARPLS070

84|P a g e

4.1.22Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'HTTPURITYPE'(Scored)




Description:

TheOracledatabaseHTTPURITYPEobjecttypecanbeusedtoperformHTTP-requests.

Rationale:

TheabilitytoperformHTTPrequestscouldbeusedtoleakinformationfromthedatabasetoanexternaldestination.

Audit:


SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='HTTPURITYPE';


Remediation:


REVOKE EXECUTE ON HTTPURITYPE FROM PUBLIC;

References:

1. http://docs.oracle.com/database/121/ARPLS/t_dburi.htm#ARPLS71705

85|P a g e

4.2RevokeNon-DefaultPrivilegesforPackagesandObjectTypes

Therecommendationswithinthissectionrevokeexcessiveprivilegesforpackagesandobjecttypes.

4.2.1Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_SYS_SQL'(Scored)




Description:

TheOracledatabaseDBMS_SYS_SQLpackageisshippedasundocumented.

Rationale:

AsuseoftheDBMS_SYS_SQLpackagecouldallowanusertoruncodeasadifferentuserwithoutenteringusercredentials.

Audit:


SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_SYS_SQL';


Remediation:


REVOKE EXECUTE ON DBMS_SYS_SQL FROM PUBLIC;

References:

1. http://asktom.oracle.com/pls/asktom/f?p=100:11:0::::P11_QUESTION_ID:1325202421535

86|P a g e

4.2.2Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_BACKUP_RESTORE'(Scored)




Description:

TheOracledatabaseDBMS_BACKUP_RESTOREpackageisusedforapplyingPL/SQLcommandstothenativeRMANsequences.

Rationale:

AsassignmentofuseoftheDBMS_BACKUP_RESTOREpackagecanallowtoaccessfilepermissionsonoperatingsystemlevel.

Audit:


SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_BACKUP_RESTORE';


Remediation:


REVOKE EXECUTE ON DBMS_BACKUP_RESTORE FROM PUBLIC;

References:

1. http://psoug.org/reference/dbms_backup_restore.html2. http://davidalejomarcos.wordpress.com/2011/09/13/how-to-list-files-on-a-

directory-from-oracle-database/

87|P a g e

4.2.3Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_AQADM_SYSCALLS'(Scored)




Description:

TheOracledatabaseDBMS_AQADM_SYSCALLSpackageisshippedasundocumentedandallowstorunSQLcommandsasuserSYS.

Rationale:

AsuseoftheDBMS_AQADM_SYSCALLSpackagecouldallowanunauthorizedusertorunSQLcommandsasuserSYS.

Audit:


SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_AQADM_SYSCALLS';


Remediation:


REVOKE EXECUTE ON DBMS_AQADM_SYSCALLS FROM PUBLIC;

References:

1. http://securityvulns.ru/files/ohh-indirect-privilege-escalation.pdf

88|P a g e

4.2.4Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_REPCAT_SQL_UTL'(Scored)




Description:

TheOracledatabaseDBMS_REPCAT_SQL_UTLpackageisshippedasundocumentedandallowstorunSQLcommandsasuserSYS.

Rationale:

As use of the DBMS_REPCAT_SQL_UTL package could allow an unauthorized user to run SQL commands as user SYS.

Audit:


SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_REPCAT_SQL_UTL';


Remediation:


revoke execute on DBMS_REPCAT_SQL_UTL FROM PUBLIC;

References:


89|P a g e

4.2.5Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'INITJVMAUX'(Scored)




Description:

TheOracledatabaseINITJVMAUXpackageisshippedasundocumentedandallowstorunSQLcommandsasuserSYS.

Rationale:

As use of the INITJVMAUX package could allow an unauthorized user to run SQL commands as user SYS.

Audit:


SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='INITJVMAUX';


Remediation:


REVOKE EXECUTE ON INITJVMAUX FROM PUBLIC;

References:


90|P a g e

4.2.6Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_STREAMS_ADM_UTL'(Scored)




Description:

TheOracledatabaseDBMS_STREAMS_ADM_UTLpackageisshippedasundocumentedandallowstorunSQLcommandsasuserSYS.

Rationale:

As use of the DBMS_STREAMS_ADM_UTL package could allow an unauthorized user to run SQL commands as user SYS.

Audit:


SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_STREAMS_ADM_UTL';


Remediation:


REVOKE EXECUTE ON DBMS_STREAMS_ADM_UTL FROM PUBLIC;

References:


91|P a g e

4.2.7Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_AQADM_SYS'(Scored)




Description:

TheOracledatabaseDBMS_AQADM_SYSpackageisshippedasundocumentedandallowstorunSQLcommandsasuserSYS.

Rationale:

As use of the DBMS_AQADM_SYS package could allow an unauthorized user to run SQL commands as user SYS.

Audit:


SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_AQADM_SYS';


Remediation:


REVOKE EXECUTE ON DBMS_AQADM_SYS FROM PUBLIC;

92|P a g e

4.2.8Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_STREAMS_RPC'(Scored)




Description:

TheOracledatabaseDBMS_STREAMS_RPCpackageisshippedasundocumentedandallowstorunSQLcommandsasuserSYS.

Rationale:

As use of the DBMS_STREAMS_RPC package could allow an unauthorized user to run SQL commands as user SYS.

Audit:


SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_STREAMS_RPC';


Remediation:


REVOKE EXECUTE ON DBMS_STREAMS_RPC FROM PUBLIC;

References:


93|P a g e

4.2.9Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_PRVTAQIM'(Scored)




Description:

TheOracledatabaseDBMS_PRVTAQIMpackageisshippedasundocumentedandallowstorunSQLcommandsasuserSYS.

Rationale:

As use of the DBMS_PRVTAQIM package could allow an unauthorized user to escalate privileges because any SQL statements could be executed as user SYS.

Audit:


SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_PRVTAQIM';


Remediation:


REVOKE EXECUTE ON DBMS_PRVTAQIM FROM PUBLIC;

References:


94|P a g e

4.2.10Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'LTADM'(Scored)




Description:

TheOracledatabaseLTADMpackageisshippedasundocumentedandallowsprivilegeescalationifgrantedtounprivilegedusers.

Rationale:

As use of the LTADM package could allow an unauthorized user to run any SQL command as user SYS.

Audit:


SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='LTADM';


Remediation:


REVOKE EXECUTE ON LTADM FROM PUBLIC;

References:


95|P a g e

4.2.11Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'WWV_DBMS_SQL'(Scored)




Description:

TheOracledatabaseWWV_DBMS_SQLpackageisshippedasundocumentedandallowsOracleApplicationExpresstorundynamicSQLstatements.

Rationale:

As use of the WWV_DBMS_SQL package could allow an unauthorized user to run SQL statements as Application Express (APEX) user.

Audit:


SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='WWV_DBMS_SQL';


Remediation:


REVOKE EXECUTE ON WWV_DBMS_SQL FROM PUBLIC;

96|P a g e

4.2.12Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'WWV_EXECUTE_IMMEDIATE'(Scored)




Description:

TheOracledatabaseWWV_EXECUTE_IMMEDIATEpackageisshippedasundocumentedandallowsOracleApplicationExpresstorundynamicSQLstatements.

Rationale:

As use of the WWV_EXECUTE_IMMEDIATE package could allow an unauthorized user to run SQL statements as Application Express (APEX) user.

Audit:


SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='WWV_EXECUTE_IMMEDIATE';


Remediation:


REVOKE EXECUTE ON WWV_EXECUTE_IMMEDIATE FROM PUBLIC;

References:

1. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-1811

97|P a g e

4.2.13Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_IJOB'(Scored)




Description:

TheOracledatabaseDBMS_IJOBpackageisshippedasundocumentedandallowstorundatabasejobsinthecontextofanotheruser.

Rationale:

As use of the DBMS_IJOB package could allow an attacker to change identities by using a different username to execute a database job.

Audit:


SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_IJOB';


Remediation:


REVOKE EXECUTE ON DBMS_IJOB FROM PUBLIC;

98|P a g e

4.2.14Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_FILE_TRANSFER'(Scored)




Description:

TheOracledatabaseDBMS_FILE_TRANSFERpackageallowstotransferfilesfromonedatabaseservertoanother.

Rationale:

As use of the DBMS_FILE_TRANSFER package could allow to transfer files from one database server to another.

Audit:


SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_FILE_TRANSFER';


Remediation:


REVOKE EXECUTE ON DBMS_FILE_TRANSFER FROM PUBLIC;

References:

1. http://docs.oracle.com/database/121/ARPLS/d_ftran.htm#ARPLS095

99|P a g e

4.3RevokeExcessiveSystemPrivileges

Therecommendationswithinthissectionrevokeexcessivesystemprivileges.

4.3.1Ensure'SELECT_ANY_DICTIONARY'IsRevokedfromUnauthorized'GRANTEE'(Scored)




Description:

TheOracledatabaseSELECT ANY DICTIONARYprivilegeallowsthedesignatedusertoaccessSYSschemaobjects.

Rationale:

TheOracledatabaseSELECT ANY DICTIONARYprivilegeallowsthedesignatedusertoaccessSYSschemaobjects.TheOraclepasswordhashesarepartoftheSYSschemaandcanbeselectedusingSELECTANYDICTIONARYprivileges.

Audit:


SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='SELECT ANY DICTIONARY' AND GRANTEE NOT IN ('DBA','DBSNMP','OEM_MONITOR', 'OLAPSYS','ORACLE_OCM','SYSMAN','WMSYS','SYSBACKUP','SYSDG');


Remediation:


REVOKE SELECT_ANY_DICTIONARY FROM <grantee>;

100|P a g e

References:

1. http://docs.oracle.com/database/121/DBSEG/authorization.htm#DBSEG998702. http://docs.oracle.com/database/121/REFRN/GUID-10024282-6729-4C66-8679-

FD653C9C7DE7.htm#REFRN-GUID-10024282-6729-4C66-8679-FD653C9C7DE73. http://arup.blogspot.de/2011/07/difference-between-select-any.html

101|P a g e

4.3.2Ensure'SELECTANYTABLE'IsRevokedfromUnauthorized'GRANTEE'(Scored)




Description:

TheOracledatabaseSELECT ANY TABLEprivilegeallowsthedesignatedusertoopenanytable,exceptofSYS,toviewit.

Rationale:

AsassignmentoftheSELECT ANY TABLEprivilegecanallowtheunauthorizedviewingofsensitivedata,thiscapabilityshouldberestrictedaccordingtotheneedsoftheorganization.

Audit:


SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='SELECT ANY TABLE' AND GRANTEE NOT IN ('DBA', 'MDSYS', 'SYS', 'IMP_FULL_DATABASE', 'EXP_FULL_DATABASE', 'DATAPUMP_IMP_FULL_DATABASE', 'WMSYS', 'SYSTEM','OLAP_DBA', 'DV_REALM_OWNER');


Remediation:


REVOKE SELECT ANY TABLE FROM <grantee>;

References:

1. http://docs.oracle.com/database/121/SQLRF/statements_10002.htm#SQLRF01702

Notes:

Ifthe'O7_DICTIONARY_ACCESSIBILITY'hasbeensettoTRUE(non-defaultsetting)thentheSELECT ANY TABLEprivilegeprovidesaccesstoSYSobjects.

102|P a g e

4.3.3Ensure'AUDITSYSTEM'IsRevokedfromUnauthorized'GRANTEE'(Scored)




Description:

TheOracledatabaseAUDIT SYSTEMprivilegeallowsthechangeauditingactivitiesonthesystem.

Rationale:

AsassignmentoftheAUDIT SYSTEMprivilegecanallowtheunauthorizedalterationofsystemauditactivities,disablingthecreationofaudittrails,thiscapabilityshouldberestrictedaccordingtotheneedsoftheorganization.

Audit:

Toassesthisrecommendation,executethefollowingSQLstatement.

SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='AUDIT SYSTEM' AND GRANTEE NOT IN ('DBA','DATAPUMP_IMP_FULL_DATABASE','IMP_FULL_DATABASE', 'SYS','AUDIT_ADMIN');


Remediation:


REVOKE AUDIT SYSTEM FROM <grantee>;

References:

1. http://docs.oracle.com/database/121/SQLRF/statements_4007.htm#SQLRF011072. http://docs.oracle.com/database/121/SQLRF/statements_4008.htm#SQLRF56110

103|P a g e

4.3.4Ensure'EXEMPTACCESSPOLICY'IsRevokedfromUnauthorized'GRANTEE'(Scored)




Description:

TheOracledatabaseEXEMPT ACCESS POLICYkeywordprovidestheuserthecapabilitytoaccessallthetablerowsregardlessofrow-levelsecuritylockouts.

Rationale:

AsassignmentoftheEXEMPT ACCESS POLICYprivilegecanallowanunauthorizedusertopotentiallyaccess/changeconfidentialdata,thiscapabilityshouldberestrictedaccordingtotheneedsoftheorganization.

Audit:


SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='EXEMPT ACCESS POLICY';


Remediation:


REVOKE EXEMPT ACCESS POLICY FROM <grantee>;

References:

1. http://docs.oracle.com/database/121/DBSEG/audit_config.htm#DBSEG7032. http://docs.oracle.com/database/121/DBSEG/vpd.htm#CIHEEAFJ

104|P a g e

4.3.5Ensure'BECOMEUSER'IsRevokedfromUnauthorized'GRANTEE'(Scored)




Description:

TheOracledatabaseBECOME USERprivilegeallowsthedesignatedusertoinherittherightsofanotheruser.

Rationale:

AsassignmentoftheBECOME USERprivilegecanallowtheunauthorizeduseofanotheruser'sprivileges,thiscapabilityshouldberestrictedaccordingtotheneedsoftheorganization.

Audit:


SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='BECOME USER' AND GRANTEE NOT IN ('DBA','SYS','IMP_FULL_DATABASE');


Remediation:


REVOKE BECOME USER FROM <grantee>;

References:

1. http://docs.oracle.com/database/121/DBSEG/guidelines.htm#DBSEG499

105|P a g e

4.3.6Ensure'CREATE_PROCEDURE'IsRevokedfromUnauthorized'GRANTEE'(Scored)




Description:

TheOracledatabaseCREATE PROCEDUREprivilegeallowsthedesignatedusertocreateastoredprocedurethatwillfirewhengiventhecorrectcommandsequence.

Rationale:

AsassignmentoftheCREATE PROCEDUREprivilegecanleadtosevereproblemsinunauthorizedhands,suchasrogueproceduresfacilitatingdatatheftorDenial-of-Servicebycorruptingdatatables,thiscapabilityshouldberestrictedaccordingtotheneedsoftheorganization.

Audit:


SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='CREATE PROCEDURE' AND GRANTEE NOT IN ( 'DBA','DBSNMP','MDSYS','OLAPSYS','OWB$CLIENT', 'OWBSYS','RECOVERY_CATALOG_OWNER','SPATIAL_CSW_ADMIN_USR', 'SPATIAL_WFS_ADMIN_USR','SYS','APEX_030200','APEX_040000', 'APEX_040100','APEX_040200','DVF','RESOURCE','DV_REALM_RESOURCE', 'APEX_GRANTS_FOR_NEW_USERS_ROLE','APEX_050000','MGMT_VIEW', 'SYSMAN_MDS','SYSMAN_OPSS','SYSMAN_RO','SYSMAN_STB');


Remediation:


REVOKE CREATE_PROCEDURE FROM <grantee>;

References:


106|P a g e

4.3.7Ensure'ALTERSYSTEM'IsRevokedfromUnauthorized'GRANTEE'(Scored)




Description:

TheOracledatabaseALTER SYSTEMprivilegeallowsthedesignatedusertodynamicallyaltertheinstance'srunningoperations.

Rationale:

AsassignmentoftheALTER SYSTEMprivilegecanleadtosevereproblems,suchastheinstance'ssessionbeingkilledorthestoppingofredologrecording,whichwouldmaketransactionsunrecoverable,thiscapabilityshouldbeseverelyrestrictedaccordingtotheneedsoftheorganization.

Audit:


SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='ALTER SYSTEM' AND GRANTEE NOT IN ('SYS','SYSTEM','APEX_030200','APEX_040000', 'APEX_040100','APEX_040200','DBA','EM_EXPRESS_ALL','SYSBACKUP','GSMADMIN_ROLE', 'GSM_INTERNAL','SYSDG','GSMADMIN_INTERNAL');


Remediation:


REVOKE ALTER SYSTEM FROM <grantee>;

References:


107|P a g e

4.3.8Ensure'CREATEANYLIBRARY'IsRevokedfromUnauthorized'GRANTEE'(Scored)




Description:

TheOracledatabaseCREATE ANY LIBRARYprivilegeallowsthedesignatedusertocreateobjectsthatareassociatedtothesharedlibraries.

Rationale:

AsassignmentoftheCREATE ANY LIBRARYprivilegecanallowthecreationofnumerouslibrary-associatedobjectsandpotentiallycorruptthelibraries'integrity,thiscapabilityshouldberestrictedaccordingtotheneedsoftheorganization.

Audit:


SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='CREATE ANY LIBRARY' AND GRANTEE NOT IN ('SYS','SYSTEM','DBA','IMP_FULL_DATABASE');


Remediation:


REVOKE CREATE ANY LIBRARY FROM <grantee>;

References:

1. http://docs.oracle.com/database/121/DBSEG/guidelines.htm#DBSEG4992. http://docs.oracle.com/database/121/ADMIN/manproc.htm#ADMIN00501

Notes:

Oraclehas2identicalprivileges:CREATELIBRARYandCREATEANYLIBRARY.

108|P a g e

4.3.9Ensure'CREATELIBRARY'IsRevokedfromUnauthorized'GRANTEE'(Scored)




Description:

TheOracledatabaseCREATE LIBRARYprivilegeallowsthedesignatedusertocreateobjectsthatareassociatedtothesharedlibraries.

Rationale:

AsassignmentoftheCREATE LIBRARYprivilegecanallowthecreationofnumerouslibrary-associatedobjectsandpotentiallycorruptthelibraries'integrity,thiscapabilityshouldberestrictedaccordingtotheneedsoftheorganization.

Audit:


SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='CREATE LIBRARY' AND GRANTEE NOT IN ('SYS','SYSTEM','DBA','MDSYS','SPATIAL_WFS_ADMIN_USR', 'SPATIAL_CSW_ADMIN_USR','DVSYS','GSMADMIN_INTERNAL','XDB');


Remediation:


REVOKE CREATE LIBRARY FROM <grantee>;

References:

1. http://docs.oracle.com/database/121/DBSEG/guidelines.htm#DBSEG4992. http://docs.oracle.com/database/121/ADMIN/manproc.htm#ADMIN00501

Notes:

Oraclehas2identicalprivileges:CREATELIBRARYandCREATEANYLIBRARY.

109|P a g e

4.3.10Ensure'GRANTANYOBJECTPRIVILEGE'IsRevokedfromUnauthorized'GRANTEE'(Scored)




Description:

TheOracledatabaseGRANT ANY OBJECT PRIVILEGEkeywordprovidesthegranteethecapabilitytograntaccesstoanysingleormultiplecombinationsofobjectstoanygranteeinthecatalogofthedatabase.

Rationale:

AsauthorizationtousetheGRANT ANY OBJECT PRIVILEGEcapabilitycanallowanunauthorizedusertopotentiallyaccess/changeconfidentialdataordamagethedatacatalogduetopotentialcompleteinstanceaccess,thiscapabilityshouldberestrictedaccordingtotheneedsoftheorganization.

Audit:


SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='GRANT ANY OBJECT PRIVILEGE' AND GRANTEE NOT IN ('DBA','SYS','IMP_FULL_DATABASE','DATAPUMP_IMP_FULL_DATABASE', 'EM_EXPRESS_ALL', 'DV_REALM_OWNER');


Remediation:


REVOKE GRANT ANY OBJECT PRIVILEGE FROM <grantee>;

References:

1. http://docs.oracle.com/database/121/DBSEG/authorization.htm#DBSEG99914

110|P a g e

4.3.11Ensure'GRANTANYROLE'IsRevokedfromUnauthorized'GRANTEE'(Scored)




Description:

TheOracledatabaseGRANT ANY ROLEkeywordprovidesthegranteethecapabilitytograntanysingleroletoanygranteeinthecatalogofthedatabase.

Rationale:

AsauthorizationtousetheGRANT ANY ROLEcapabilitycanallowanunauthorizedusertopotentiallyaccess/changeconfidentialdataordamagethedatacatalogduetopotentialcompleteinstanceaccess,thiscapabilityshouldberestrictedaccordingtotheneedsoftheorganization.

Audit:


SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='GRANT ANY ROLE' AND GRANTEE NOT IN ('DBA','SYS','DATAPUMP_IMP_FULL_DATABASE','IMP_FULL_DATABASE', 'SPATIAL_WFS_ADMIN_USR','SPATIAL_CSW_ADMIN_USR', 'GSMADMIN_INTERNAL','DV_REALM_OWNER', 'EM_EXPRESS_ALL', 'DV_OWNER');


Remediation:


REVOKE GRANT ANY ROLE FROM <grantee>;

References:


111|P a g e

4.3.12Ensure'GRANTANYPRIVILEGE'IsRevokedfromUnauthorized'GRANTEE'(Scored)




Description:

TheOracledatabaseGRANT ANY PRIVILEGEkeywordprovidesthegranteethecapabilitytograntanysingleprivilegetoanyiteminthecatalogofthedatabase.

Rationale:

AsauthorizationtousetheGRANT ANY PRIVILEGEcapabilitycanallowanunauthorizedusertopotentiallyaccess/changeconfidentialdataordamagethedatacatalogduetopotentialcompleteinstanceaccess,thiscapabilityshouldberestrictedaccordingtotheneedsoftheorganization.

Audit:


SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='GRANT ANY PRIVILEGE' AND GRANTEE NOT IN ('DBA','SYS','IMP_FULL_DATABASE','DATAPUMP_IMP_FULL_DATABASE' 'DV_REALM_OWNER', 'EM_EXPRESS_ALL');


Remediation:


REVOKE GRANT ANY PRIVILEGE FROM <grantee>;

References:


112|P a g e

4.4RevokeRolePrivileges

Therecommendationswithinthissectionintendtorevokepowerfulroleswheretheyarelikelynotneeded.

4.4.1Ensure'DELETE_CATALOG_ROLE'IsRevokedfromUnauthorized'GRANTEE'(Scored)




Description:

TheOracledatabaseDELETE_CATALOG_ROLEprovidesDELETEprivilegesfortherecordsinthesystem'saudittable(AUD$).

Rationale:

AspermittingunauthorizedaccesstotheDELETE_CATALOG_ROLEcanallowthedestructionofauditrecordsvitaltotheforensicinvestigationofunauthorizedactivities,thiscapabilityshouldberestrictedaccordingtotheneedsoftheorganization.

Audit:


SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS WHERE granted_role='DELETE_CATALOG_ROLE' AND GRANTEE NOT IN ('DBA','SYS');


Remediation:


REVOKE DELETE_CATALOG_ROLE FROM <grantee>;

References:

1. http://docs.oracle.com/database/121/DBSEG/authorization.htm#BABFCAFH

113|P a g e

4.4.2Ensure'SELECT_CATALOG_ROLE'IsRevokedfromUnauthorized'GRANTEE'(Scored)




Description:

TheOracledatabaseSELECT_CATALOG_ROLEprovidesSELECTprivilegesonalldatadictionaryviewsheldintheSYSschema.

Rationale:

AspermittingunauthorizedaccesstotheSELECT_CATALOG_ROLEcanallowthedisclosureofalldictionarydata,thiscapabilityshouldberestrictedaccordingtotheneedsoftheorganization.

Audit:


SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS WHERE granted_role='SELECT_CATALOG_ROLE' AND grantee not in ('DBA','SYS','IMP_FULL_DATABASE','EXP_FULL_DATABASE', 'OEM_MONITOR', 'SYSBACKUP','EM_EXPRESS_BASIC','SYSMAN');


Remediation:


REVOKE SELECT_CATALOG_ROLE FROM <grantee>;

References:


114|P a g e

4.4.3Ensure'EXECUTE_CATALOG_ROLE'IsRevokedfromUnauthorized'GRANTEE'(Scored)




Description:

TheOracledatabaseEXECUTE_CATALOG_ROLEprovidesEXECUTEprivilegesforanumberofpackagesandproceduresinthedatadictionaryintheSYSschema.

Rationale:

AspermittingunauthorizedaccesstotheEXECUTE_CATALOG_ROLEcanallowthedisruptionofoperationsbyinitializationofrogueprocedures,thiscapabilityshouldberestrictedaccordingtotheneedsoftheorganization.

Audit:


SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS WHERE granted_role='EXECUTE_CATALOG_ROLE' AND grantee not in ('DBA','SYS','IMP_FULL_DATABASE','EXP_FULL_DATABASE');


Remediation:


REVOKE EXECUTE_CATALOG_ROLE FROM <grantee>;

References:


115|P a g e

4.4.4Ensure'DBA'IsRevokedfromUnauthorized'GRANTEE'(Scored)




Description:

TheOracledatabaseDBAroleisthedefaultdatabaseadministratorroleprovidedfortheallocationofadministrativeprivileges.

Rationale:

AsassignmentoftheDBAroletoanordinaryusercanprovideagreatnumberofunnecessaryprivilegestothatuserandopensthedoortodatabreaches,integrityviolations,andDenial-of-Serviceconditions,applicationofthisroleshouldberestrictedaccordingtotheneedsoftheorganization.

Audit:


SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS WHERE GRANTED_ROLE='DBA' AND GRANTEE NOT IN ('SYS','SYSTEM');


Remediation:


REVOKE DBA FROM <grantee>;

References:


116|P a g e

4.5RevokeExcessiveTableandViewPrivileges

Therecommendationswithinthissectionintendtorevokeexcessivetableandviewprivileges.

4.5.1Ensure'ALL'IsRevokedfromUnauthorized'GRANTEE'on'AUD$'(Scored)




Description:

TheOracledatabaseSYS.AUD$tablecontainsalltheauditrecordsforthedatabaseofthenon-DataManipulationLanguage(DML)events,suchasALTER,DROP,CREATE,andsoforth.(DMLchangesneedtrigger-basedauditeventstorecorddataalterations.)

Rationale:

Aspermittingnon-privilegeduserstheauthorizationtomanipulatetheSYS_AUD$tablecanallowdistortionoftheauditrecords,hidingunauthorizedactivities,thiscapabilityshouldberestrictedaccordingtotheneedsoftheorganization.

Audit:


SELECT GRANTEE, PRIVILEGE FROM DBA_TAB_PRIVS WHERE TABLE_NAME='AUD$' AND GRANTEE NOT IN ('DELETE_CATALOG_ROLE');


Remediation:


REVOKE ALL ON AUD$ FROM <grantee>;

References:

1. http://docs.oracle.com/database/121/DBSEG/audit_admin.htm#DBSEG629

117|P a g e

4.5.2Ensure'ALL'IsRevokedfromUnauthorized'GRANTEE'on'USER_HISTORY$'(Scored)




Description:

TheOracledatabaseSYS.USER_HISTORY$tablecontainsalltheauditrecordsfortheuser'spasswordchangehistory.(Thistablegetsupdatedbypasswordchangesiftheuserhasanassignedprofilethathaspasswordreuselimitset,e.g.,PASSWORD_REUSE_TIMEsettootherthanUNLIMITED.)

Rationale:

Aspermittingnon-privilegeduserstheauthorizationtomanipulatetherecordsintheSYS.USER_HISTORY$tablecanallowdistortionoftheaudittrail,potentiallyhidingunauthorizeddataconfidentialityattacksorintegritychanges,thiscapabilityshouldberestrictedaccordingtotheneedsoftheorganization.

Audit:


SELECT GRANTEE, PRIVILEGE FROM DBA_TAB_PRIVS WHERE TABLE_NAME='USER_HISTORY$' AND OWNER = 'SYS';


Remediation:


REVOKE ALL ON USER_HISTORY$ FROM <grantee>;

References:

1. http://marcel.vandewaters.nl/oracle/database-oracle/password-history-reusing-a-password

Notes:

USER_HISTORY$containsonlytheold,case-insensitivepasswords.

118|P a g e

4.5.3Ensure'ALL'IsRevokedfromUnauthorized'GRANTEE'on'LINK$'(Scored)




Description:

TheOracledatabaseSYS.LINK$tablecontainsalltheuser'spasswordinformationanddatatablelinkinformation.

Rationale:

Aspermittingnon-privilegeduserstomanipulateorviewtheSYS.LINK$tablecanallowcaptureofpasswordinformationand/orcorrupttheprimarydatabaselinkages,thiscapabilityshouldberestrictedaccordingtotheneedsoftheorganization.

Audit:


SELECT GRANTEE, PRIVILEGE FROM DBA_TAB_PRIVS WHERE TABLE_NAME='LINK$' AND GRANTEE NOT IN ('DV_SECANALYST') AND OWNER='SYS';


Remediation:


REVOKE ALL ON LINK$ FROM <grantee>;

119|P a g e

4.5.4Ensure'ALL'IsRevokedfromUnauthorized'GRANTEE'on'SYS.USER$'(Scored)




Description:

TheOracledatabaseSYS.USER$tablecontainstheusers'hashedpasswordinformation.

Rationale:

Aspermittingnon-privilegeduserstheauthorizationtoopentheSYS.USER$tablecanallowthecaptureofpasswordhashesforthelaterapplicationofpasswordcrackingalgorithmstobreachconfidentiality,thiscapabilityshouldberestrictedaccordingtotheneedsoftheorganization.

Audit:


SELECT GRANTEE, PRIVILEGE FROM DBA_TAB_PRIVS WHERE TABLE_NAME='USER$' AND OWNER='SYS' AND GRANTEE NOT IN ('CTXSYS','XDB','APEX_030200','SYSMAN', 'APEX_040000','APEX_040100','APEX_040200','DV_SECANALYST','DVSYS','ORACLE_OCM');


Remediation:


REVOKE ALL ON SYS.USER$ FROM <username>;

References:

1. http://dba.stackexchange.com/questions/17513/what-do-the-columns-in-sys-user-represent

120|P a g e

4.5.5Ensure'ALL'IsRevokedfromUnauthorized'GRANTEE'on'DBA_%'(Scored)




Description:

TheOracledatabaseDBA_viewsshowallinformationwhichisrelevanttoadministrativeaccounts.

Rationale:

AspermittinguserstheauthorizationtomanipulatetheDBA_viewscanexposesensitivedata.

Audit:


SELECT grantee||'.'||table_name FROM DBA_TAB_PRIVS WHERE TABLE_NAME LIKE 'DBA_%' AND GRANTEE NOT IN ('DBA','AUDIT_ADMIN','AUDIT_VIEWER','CAPTURE_ADMIN','DVSYS', 'SYSDG','DV_SECANALYST','SYSKM','DV_MONITOR','ORACLE_OCM','DV_ACCTMGR', 'GSMADMIN_INTERNAL','XDB','SYS','APPQOSSYS','AQ_ADMINISTRATOR_ROLE','CTXSYS', 'EXFSYS','MDSYS','OLAP_XS_ADMIN','OLAPSYS','ORDSYS','OWB$CLIENT','OWBSYS', 'SELECT_CATALOG_ROLE','WM_ADMIN_ROLE','WMSYS','XDBADMIN', 'LBACSYS', 'ADM_PARALLEL_EXECUTE_TASK','CISSCANROLE') AND NOT REGEXP_LIKE(grantee,'^APEX_0[3-9][0-9][0-9][0-9][0-9]$');


Note:AnorganizationshouldperformproperimpactanalysisbeforerevokinggrantsonDBA_objects.

Remediation:

Replace <Non-DBA/SYS grantee>, in the query below, with the Oracle login(s) or role(s) returned from the associated audit procedure and execute:

REVOKE ALL ON DBA_ FROM <Non-DBA/SYS grantee>;

121|P a g e

References:

1. http://docs.oracle.com/database/121/REFRN/GUID-10024282-6729-4C66-8679-FD653C9C7DE7.htm#REFRN-GUID-10024282-6729-4C66-8679-FD653C9C7DE7

122|P a g e

4.5.6Ensure'ALL'IsRevokedfromUnauthorized'GRANTEE'on'SYS.SCHEDULER$_CREDENTIAL'(Scored)




Description:

TheOracledatabaseSCHEDULER$_CREDENTIALtablecontainsthedatabaseschedulercredentialinformation.

Rationale:

Aspermittingnon-privilegeduserstheauthorizationtoopentheSYS.SCHEDULER$_CREDENTIALtable.

Audit:


SELECT GRANTEE, PRIVILEGE FROM DBA_TAB_PRIVS WHERE TABLE_NAME='SCHEDULER$_CREDENTIAL' AND OWNER='SYS';


Remediation:


REVOKE ALL ON SYS.SCHEDULER$_CREDENTIAL FROM <username>;

References:

1. http://docs.oracle.com/database/121/ADMIN/schedadmin.htm#ADMIN120732. http://berxblog.blogspot.de/2012/02/restore-dbmsschedulercreatecredential.html

Notes:

***_SCHEDULER_CREDENTIALSisdeprecatedinOracleDatabase12c,butremainsavailable,forreasonsofbackwardcompatibility.

123|P a g e

4.5.7Ensure'SYS.USER$MIG'HasBeenDropped(Scored)




Description:

Thetablesys.user$migiscreatedduringmigrationandcontainstheOraclepasswordhashesbeforethemigrationstarts.

Rationale:

Thetablesys.user$migisnotdeletedafterthemigration.AnattackercouldaccessthetablecontainingtheOraclepasswordhashes.

Audit:


SELECT OWNER, TABLE_NAME FROM ALL_TABLES WHERE OWNER='SYS' AND TABLE_NAME='USER$MIG';


Remediation:


DROP TABLE SYS.USER$MIG;

124|P a g e

4.6Ensure'%ANY%'IsRevokedfromUnauthorized'GRANTEE'(Scored)




Description:

TheOracledatabaseANYkeywordprovidestheuserthecapabilitytoalteranyiteminthecatalogofthedatabase.

Rationale:

AsauthorizationtousetheANYexpansionofaprivilegecanallowanunauthorizedusertopotentiallychangeconfidentialdataordamagethedatacatalog,thiscapabilityshouldberestrictedaccordingtotheneedsoftheorganization.

Audit:


SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE LIKE '%ANY%' AND GRANTEE NOT IN ('AQ_ADMINISTRATOR_ROLE','DBA','DBSNMP','EXFSYS', 'EXP_FULL_DATABASE','IMP_FULL_DATABASE','DATAPUMP_IMP_FULL_DATABASE', 'JAVADEBUGPRIV','MDSYS','OEM_MONITOR','OLAPSYS','OLAP_DBA','ORACLE_OCM', 'OWB$CLIENT','OWBSYS','SCHEDULER_ADMIN','SPATIAL_CSW_ADMIN_USR', 'SPATIAL_WFS_ADMIN_USR','SYS','SYSMAN','SYSTEM','WMSYS','APEX_030200', 'APEX_040000','APEX_040100','APEX_040200','LBACSYS','SYSBACKUP', 'CTXSYS','OUTLN','DVSYS','ORDPLUGINS','ORDSYS',’RECOVERY_CATALOG_OWNER_VPD’, 'GSMADMIN_INTERNAL','XDB','SYSDG','AUDIT_ADMIN','DV_OWNER','DV_REALM_OWNER', 'EM_EXPRESS_ALL','RECOVERY_CATALOG_OWNER','APEX_050000','SYSMAN_STB', 'SYSMAN_TYPES');


Remediation:


REVOKE '<ANY Privilege>' FROM <grantee>;

References:


125|P a g e

4.7Ensure'DBA_SYS_PRIVS.%'IsRevokedfromUnauthorized'GRANTEE'with'ADMIN_OPTION'Setto'YES'(Scored)




Description:

TheOracledatabaseWITH_ADMINprivilegeallowsthedesignatedusertograntanotheruserthesameprivileges.

Rationale:

AsassignmentoftheWITH_ADMINprivilegecanallowthegrantingofarestrictedprivilegetoanunauthorizeduser,thiscapabilityshouldberestrictedaccordingtotheneedsoftheorganization.

Audit:


SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE ADMIN_OPTION='YES' AND GRANTEE not in ('AQ_ADMINISTRATOR_ROLE','DBA','OWBSYS', 'SCHEDULER_ADMIN','SYS','SYSTEM','WMSYS', 'DVSYS','SYSKM','DV_ACCTMGR') AND NOT REGEXP_LIKE(grantee,'^APEX_0[3-9][0-9][0-9][0-9][0-9]$');


Remediation:


REVOKE <privilege> FROM <grantee>;

126|P a g e

4.8EnsureProxyUsersHaveOnly'CONNECT'Privilege(Scored)




Description:

Donotgrantprivilegesdirectlytoproxyusers.

Rationale:

Aproxyusershouldonlyhavetheabilitytoconnecttothedatabase.

Audit:


SELECT GRANTEE,GRANTED_ROLE FROM DBA_ROLE_PRIVS WHERE GRANTEE IN (SELECT PROXY FROM DBA_PROXIES) AND GRANTED_ROLE NOT IN ('CONNECT') UNION SELECT GRANTEE,PRIVILEGE FROM DBA_SYS_PRIVS WHERE GRANTEE IN (SELECT PROXY FROM DBA_PROXIES) AND PRIVILEGE NOT IN ('CREATE SESSION') UNION SELECT GRANTEE,PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE IN (SELECT PROXY FROM DBA_PROXIES);


Remediation:

ToremediatethissettingexecutethefollowingSQLstatementforeach[PRIVILEGE]returnedbyrunningtheauditprocedure.

REVOKE [PRIVILEGE] FROM <proxy_user>;

127|P a g e

4.9Ensure'EXECUTEANYPROCEDURE'IsRevokedfrom'OUTLN'(Scored)




Description:

RemoveunneededprivilegesfromOUTLN.

Rationale:

MigratedOUTLNusershavemoreprivilegesthanrequired.

Audit:


SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='EXECUTE ANY PROCEDURE' AND GRANTEE='OUTLN';


Remediation:


REVOKE EXECUTE ANY PROCEDURE FROM OUTLN;

128|P a g e

4.10Ensure'EXECUTEANYPROCEDURE'IsRevokedfrom'DBSNMP'(Scored)




Description:

RemoveunneededprivilegesfromDBSNMP.

Rationale:

MigratedDBSNMPusershavemoreprivilegesthanrequired.

Audit:


SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='EXECUTE ANY PROCEDURE' AND GRANTEE='DBSNMP';


Remediation:


REVOKE EXECUTE ANY PROCEDURE FROM DBSNMP;

129|P a g e

5Audit/LoggingPoliciesandProcedures

Theabilitytoauditdatabaseactivitiesisamongthemostimportantofalldatabasesecurityfeatures.Decisionsmustbemaderegardingthescopeofauditingsinceauditinghascosts-instoragefortheaudittrailandinperformanceimpactonauditedoperations-andperhapseventhedatabaseorsystemingeneral.Thereisalsotheadditionalcosttomanage(store,backup,secure)andreviewthedatainaudittrail.

Measuresmustbetakentoprotecttheaudittrailitself,foritmaybetargetedforalterationordestructiontohideunauthorizedactivity.Foranauditdestinationoutsidethedatabase,therecommendationsareelsewhereinthisdocument.Auditingrecommendationsforpotentialdatabaseauditdestinationsisbelow.

Auditing"bysession"typicallycreatesfewer(until11g)andslightlysmallerauditrecords,butisdiscouragedinmostsituationssincethereissomelossoffidelity(e.g.objectprivilegeGRANTEE).Moredetailedauditingcreateslargerauditrecords.TheAUDIT_TRAILinitializationparameter(forDB|XML,extended-ornot)isthemaindeterminingfactorforthesizeofagivenauditrecord-andanotablefactorintheperformancecost,althoughthelargestofthelatterisDBversusOSorXML.

ThissectiondealswithstandardOracleauditingsinceauditingofprivilegedconnections(assysdbaorsysoper)isconfiguredviatheAUDIT_SYS_OPERATIONSinitializationparameterandisotherwisenotconfigurable.Thebasictypesofstandardauditingareobjectauditing,statementauditingandprivilegeauditingandeachbehavesdifferently.

Objectauditingappliestospecificobjectsforwhichitisinvokedandalwaysappliestoallusers.Thistypeofauditingisusuallyemployedtoauditapplication-specificsensitiveobjects,butcanbeusedtoprotecttheaudittrailinthedatabase.

Privilegeauditingauditstheuseofspecificsystemprivileges,buttypicallyonlyiftheuseractuallypossessestheauditedprivilege.Attemptsthatfailforlackoftheauditedprivilegearetypicallynotaudited.Thisisthemainweaknessofprivilegeauditingandwhystatementauditingisusuallypreferred,iftheoptionexists.

Statementauditingauditstheissuanceofcertaintypesofstatements,usuallywithoutregardtoprivilegeorlackthereof.Bothprivilegeandstatementauditsmaybespecifiedforspecificusersorallusers(thedefault).

130|P a g e

5.1TraditionalAuditing

Thissectionistobefollowediftraditionalauditingisimplemented.

5.1.1Enable'USER'AuditOption(Scored)



Description:

TheUSERobjectintheOracledatabaseanaccountthroughwhichaconnectionmaybemadetointeractwiththedatabaseaccordingtotherolesandprivilegesallottedtoaccount.Itisalsoaschemawhichmayowndatabaseobjects.Thisauditsallactivitiesandrequeststocreate,droporalterauser,includingauserchangingtheirownpassword.(Thelatterisnotauditedby'auditALTERUSER'.)

Rationale:

Anyunauthorizedattemptstocreate,droporalterausershouldcauseconcern,whethersuccessfulornot.Itcanalsobeusefulinforensicsifanaccountiscompromisedandismandatedbymanycommonsecurityinitiatives.Anabnormallyhighnumberoftheseactivitiesinagivenperiodmightbeworthinvestigation.Anyfailedattempttodropauserorcreateausermaybeworthfurtherreview.

Audit:

Toassessthisrecommendation,executethefollowingSQLStatement.

SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='USER' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';

Lackofresultsimpliesafinding.

Remediation:

ExecutethefollowingSQLstatementtoremediatethissetting.

AUDIT USER;

131|P a g e

Impact:

Thiswouldthecurrent5.2(auditCREATEUSER),5.3(auditALTERUSER),and5.4(auditDROPUSER)privilegeauditswiththesinglestatementauditingoption"auditUSER".Anyactionauditedbythosethreeprivilegeauditswouldalsobeauditedbythis.Inaddition,thiswouldaudit:

1. AttemptstocreateuserbyanyonewithouttheCREATEUSERsystemprivilege.

2. AttemptstodropuserbyanyonewithouttheDROPUSERsystemprivilege

3. AttemptstoalteruserbyanyonewithouttheALTERUSERsystemprivilege

4. Userschangingorattemptingtochangetheirownpasswords(whichisnotdonebyauditingALTERUSER).

132|P a g e

5.1.2Enable'ALTERUSER'AuditOption(Scored)



Description:

TheUSER objectfortheOracledatabaseisaspecificationofanobjectwhichisanaccountthroughwhicheitherahumanoranapplicationcanconnectto,viaaJDBCorloginto,viaaCLI,andinteractwiththedatabaseinstanceaccordingtotherolesandprivilegesallottedtoaccount.

Rationale:

Astheloggingofuseractivitiesinvolvingthecreation,alteration,ordroppingofaUSERcanprovideforensicevidenceaboutapatternofsuspect/unauthorizedactivities,theauditcapabilityshouldbesetaccordingtotheneedsoftheorganization.

Audit:


SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='ALTER USER' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';


Remediation:


AUDIT ALTER USER;

133|P a g e

5.1.3Enable'DROPUSER'AuditOption(Scored)



Description:

TheUSER objectfortheOracledatabaseisaspecificationofanobjectwhichisanaccountthroughwhicheitherahumanoranapplicationcanconnectto,viaaJDBCorloginto,viaaCLI,andinteractwiththedatabaseinstanceaccordingtotherolesandprivilegesallottedtoaccount.

Rationale:

Astheloggingofuseractivitiesinvolvingthecreation,alteration,ordroppingofaUSERcanprovideforensicevidenceaboutapatternofsuspect/unauthorizedactivities,theauditcapabilityshouldbesetaccordingtotheneedsoftheorganization.

Audit:


SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='DROP USER' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';


Remediation:


AUDIT DROP USER;

134|P a g e

5.1.4Enable'ROLE'AuditOption(Scored)



Description:

TheROLEobjectallowsforthecreationofasetofprivilegesthatcanbegrantedtousersorotherroles.Thisauditsallattempts,successfulornot,tocreate,drop,alterorsetroles.

Rationale:

Roles are a key database security infrastructure component. Any attempt to create, drop or alter a role should be audited. This statement auditing option also audits attempts, successful or not, to set a role in a session. Any unauthorized attempts to create, drop or alter a role may be worthy of investigation. Attempts to set a role by users without the role privilege may warrant investigation.

Audit:


SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='ROLE' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';


Remediation:

ExecutethefollowingSQLstatementtoremediatethissetting:

AUDIT ROLE;

Impact:

Thechangetotheaudit/checkistoensurethattheauditisineffectforallusers,regardlessofproxyorsuccess.

Thechangetothetitle,descriptionandrationalearetobetterclarifywhatitactuallydoes.(e.g.ItdoesNOTaudit"allROLEactivities/requests".Forexample,itdoesnotauditrolegrantsandrevokes.)

135|P a g e

5.1.5Enable'SYSTEMGRANT'AuditOption(Scored)



Description:

Thiswillauditanyattempt,successfulornot,tograntorrevokeanysystemprivilegeorrole-regardlessofprivilegeheldbytheuserattemptingtheoperation.

Rationale:

Loggingofallgrantandrevokes(rolesandsystemprivileges)canprovideforensicevidenceaboutapatternofsuspect/unauthorizedactivities.Anyunauthorizedattemptmaybecauseforfurtherinvestigation.

Audit:


SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='SYSTEM GRANT' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';


Remediation:


AUDIT SYSTEM GRANT;

136|P a g e

5.1.6Enable'PROFILE'AuditOption(Scored)



Description:

ThePROFILEobjectallowsforthecreationofasetofdatabaseresourcelimitsthatcanbeassignedtoauser,sothatthatusercannotexceedthoseresourcelimitations.Thiswillauditallattempts,successfulornot,tocreate,droporalteranyprofile.

Rationale:

Asprofilesarepartofthedatabasesecurityinfrastructure,auditingthemodificationofprofilesisrecommended.

Audit:


SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='PROFILE' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';


Remediation:


AUDIT PROFILE;

137|P a g e

Impact:

Thestatementauditingoption'auditPROFILE'auditseverythingthatthethreeprivilegeaudits'auditCREATEPROFILE','auditDROPPROFILE'and'auditALTERPROFILE'do,butalsoaudits:

1. AttemptstocreateaprofilebyauserwithouttheCREATEPROFILEsystemprivilege.

2. AttemptstodropaprofilebyauserwithouttheDROPPROFILEsystemprivilege

3. AttemptstoalteraprofilebyauserwithouttheALTERPROFILEsystemprivilege.

138|P a g e

5.1.7Enable'ALTERPROFILE'AuditOption(Scored)



Description:

ThePROFILE objectallowsforthecreationofasetofdatabaseresourcelimitsthatcanbeassignedtoauser,sothatthatusercannotexceedthoseresourcelimitations.

Rationale:

Astheloggingofuseractivitiesinvolvingthecreation,alteration,ordroppingofaPROFILE canprovideforensicevidenceaboutapatternofunauthorizedactivities,theauditcapabilityshouldbesetaccordingtotheneedsoftheorganization.

Audit:


SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='ALTER PROFILE' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';


Remediation:


AUDIT ALTER PROFILE;

139|P a g e

5.1.8Enable'DROPPROFILE'AuditOption(Scored)



Description:

ThePROFILE objectallowsforthecreationofasetofdatabaseresourcelimitsthatcanbeassignedtoauser,sothatthatusercannotexceedthoseresourcelimitations.

Rationale:

Astheloggingofuseractivitiesinvolvingthecreation,alteration,ordroppingofaPROFILE canprovideforensicevidenceaboutapatternofunauthorizedactivities,theauditcapabilityshouldbesetaccordingtotheneedsoftheorganization.

Audit:


SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='DROP PROFILE' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';


Remediation:


AUDIT DROP PROFILE;

140|P a g e

5.1.9Enable'DATABASELINK'AuditOption(Scored)



Description:

Allactivitiesondatabaselinksshouldbeaudited.

Rationale:

AstheloggingofuseractivitiesinvolvingthecreationordroppingofaDATABASE LINKcanprovideforensicevidenceaboutapatternofunauthorizedactivities,theauditcapabilityshouldbesetaccordingtotheneedsoftheorganization.

Audit:


SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='DATABASE LINK' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';


Remediation:


AUDIT DATABASE LINK;

References:

1. http://docs.oracle.com/database/121/DBSEG/audit_config.htm#DBSEG1115

141|P a g e

5.1.10Enable'PUBLICDATABASELINK'AuditOption(Scored)



Description:

ThePUBLIC DATABASE LINKobjectallowsforthecreationofapubliclinkforanapplication-based"user"toaccessthedatabaseforconnections/sessioncreation.

Rationale:

Astheloggingofuseractivitiesinvolvingthecreation,alteration,ordroppingofaPUBLIC DATABASE LINKcanprovideforensicevidenceaboutapatternofunauthorizedactivities,theauditcapabilityshouldbesetaccordingtotheneedsoftheorganization.

Audit:


SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='PUBLIC DATABASE LINK' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';


Remediation:


AUDIT PUBLIC DATABASE LINK;

142|P a g e

5.1.11Enable'PUBLICSYNONYM'AuditOption(Scored)



Description:

ThePUBLIC SYNONYMobjectallowsforthecreationofanalternatedescriptionofanobjectandpublicsynonymsareaccessiblebyallusersthathavetheappropriateprivilegestotheunderlyingobject.

Rationale:

AstheloggingofuseractivitiesinvolvingthecreationordroppingofaPUBLIC SYNONYMcanprovideforensicevidenceaboutapatternofunauthorizedactivities,theauditcapabilityshouldbesetaccordingtotheneedsoftheorganization.

Audit:


SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='PUBLIC SYNONYM' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';


Remediation:


AUDIT PUBLIC SYNONYM;

143|P a g e

5.1.12Enable'SYNONYM'AuditOption(Scored)



Description:

TheSYNONYM operationallowsforthecreationofanalternativenameforadatabaseobjectsuchasaJavaclassschemaobject,materializedview,operator,package,procedure,sequence,storedfunction,table,view,user-definedobjecttype,evenanothersynonym;thissynonymputsadependencyonitstargetandisrenderedinvalidifthetargetobjectischanged/dropped.

Rationale:

AstheloggingofuseractivitiesinvolvingthecreationordroppingofaSYNONYM canprovideforensicevidenceaboutapatternofsuspect/unauthorizedactivities,theauditcapabilityshouldbesetaccordingtotheneedsoftheorganization.

Audit:


SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='SYNONYM' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';


Remediation:


AUDIT SYNONYM;

References:

1. http://docs.oracle.com/database/121/DBSEG/audit_config.htm#DBSEG1115

144|P a g e

5.1.13Enable'GRANTDIRECTORY'AuditOption(Scored)



Description:

TheDIRECTORY objectallowsforthecreationofadirectoryobjectthatspecifiesanaliasforadirectoryontheserverfilesystem,wheretheexternalbinaryfileLOBs(BFILEs)/tabledataarelocated.

Rationale:

AstheloggingofuseractivitiesinvolvingthecreationordroppingofaDIRECTORYcanprovideforensicevidenceaboutapatternofunauthorizedactivities,theauditcapabilityshouldbesetaccordingtotheneedsoftheorganization.

Audit:


SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='GRANT DIRECTORY' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';


Remediation:


AUDIT GRANT DIRECTORY;

References:

1. http://docs.oracle.com/database/121/SQLRF/statements_4007.htm#SQLRF01107

Notes:

GrantdirectoryisashortcutforGRANTprivilegeONdirectory,REVOKEprivilegeONdirectory.

145|P a g e

5.1.14Enable'SELECTANYDICTIONARY'AuditOption(Scored)



Description:

TheSELECT ANY DICTIONARYcapabilityallowstheusertoviewthedefinitionsofallschemaobjectsinthedatabase.

Rationale:

Astheloggingofuseractivitiesinvolvingthecapabilitytoaccessthedescriptionofallschemaobjectsinthedatabasecanprovideforensicevidenceaboutapatternofunauthorizedactivities,theauditcapabilityshouldbesetaccordingtotheneedsoftheorganization.

Audit:


SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='SELECT ANY DICTIONARY' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';


Remediation:


AUDIT SELECT ANY DICTIONARY;

References:


146|P a g e

5.1.15Enable'GRANTANYOBJECTPRIVILEGE'AuditOption(Scored)



Description:

GRANT ANY OBJECT PRIVILEGEallowstheusertograntorrevokeanyobjectprivilege,whichincludesprivilegesontables,directories,miningmodels,etc.Thisauditsallusesofthatprivilege.

Rationale:

Loggingofprivilegegrantsthatcanleadtothecreation,alteration,ordeletionofcriticaldata,themodificationofobjects,objectprivilegepropagationandothersuchactivitiescanbecriticaltoforensicinvestigations.

Audit:


SELECT PRIVILEGE, SUCCESS, FAILURE FROM DBA_PRIV_AUDIT_OPTS WHERE PRIVILEGE='GRANT ANY OBJECT PRIVILEGE' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';


Remediation:


AUDIT GRANT ANY OBJECT PRIVILEGE;

147|P a g e

5.1.16Enable'GRANTANYPRIVILEGE'AuditOption(Scored)



Description:

ThisauditsallusesofthesystemprivilegenamedGRANT ANY PRIVILEGE.Actionsbyusersnotholdingthisprivilegearenotaudited.

Rationale:

GRANT ANY PRIVILEGEallowsausertograntanysystemprivilege,includingthemostpowerfulprivilegestypicallyavailableonlytoadministrators-tochangethesecurityinfrastructure,todrop/add/modifyusersandmore.Auditingtheuseofthisprivilegeispartofacomprehensiveauditingpolicythatcanhelpindetectingissuesandcanbeusefulinforensics.

Audit:


SELECT PRIVILEGE, SUCCESS, FAILURE FROM DBA_PRIV_AUDIT_OPTS WHERE PRIVILEGE='GRANT ANY PRIVILEGE' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';


Remediation:


AUDIT GRANT ANY PRIVILEGE;

148|P a g e

5.1.17Enable'DROPANYPROCEDURE'AuditOption(Scored)



Description:

TheAUDIT DROP ANY PROCEDUREcommandisauditingthecreationofproceduresinotherschema.

Rationale:

Droppingproceduresofanotherusercouldbepartofanprivilegeescalationexploitandshouldbeaudited.

Audit:


SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='DROP ANY PROCEDURE' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';


Remediation:


AUDIT DROP ANY PROCEDURE;

149|P a g e

5.1.18Enable'ALL'AuditOptionon'SYS.AUD$'(Scored)



Description:

TheloggingofattemptstoaltertheaudittrailintheSYS.AUD$table(openforread/update/delete/view)willprovidearecordofanyactivitiesthatmayindicateunauthorizedattemptstoaccesstheaudittrail.

Rationale:

AstheloggingofattemptstoaltertheSYS.AUD$tablecanprovideforensicevidenceoftheinitiationofapatternofunauthorizedactivities,thisloggingcapabilityshouldbesetaccordingtotheneedsoftheorganization.

Audit:


SELECT * FROM DBA_OBJ_AUDIT_OPTS WHERE OBJECT_NAME='AUD$' AND ALT='A/A' AND AUD='A/A' AND COM='A/A' AND DEL='A/A' AND GRA='A/A' AND IND='A/A' AND INS='A/A' AND LOC='A/A' AND REN='A/A' AND SEL='A/A' AND UPD='A/A' AND FBK='A/A';


Remediation:


AUDIT ALL ON SYS.AUD$ BY ACCESS;

150|P a g e

5.1.19Enable'PROCEDURE'AuditOption(Scored)



Description:

Inthisstatementaudit,"PROCEDURE"meansanyprocedure,function,packageorlibrary.Anyattempt,successfulornot,tocreateordropanyofthesetypesofobjectsisaudited,regardlessofprivilegeorlackthereof.Javaschemaobjects(sources,classes,andresources)areconsideredthesameasproceduresforpurposesofauditingSQLstatements.

Rationale:

Anyunauthorizedattemptstocreateordropaprocedureinanother'sschemashouldcauseconcern,whethersuccessfulornot.Changestocriticalstorecodecandramaticallychangethebehavioroftheapplicationandproduceserioussecurityconsequences,includingprivilegeescalationandintroducingSQLinjectionvulnerabilities.Auditrecordsofsuchchangescanbehelpfulinforensics.

Audit:


SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='PROCEDURE' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';


Remediation:


AUDIT PROCEDURE;

151|P a g e

Notes:

Beawarethatnotallauditingoptionsworkalike.Inparticular,thestatementauditingoption"auditPROCEDURE"doesindeedauditcreateanddroplibraryaswellasalltypesofproceduresandjavaschemaobjects.However,privilegeauditsdonotworkthisway.So,forexample,noneof"auditCREATEANYPROCEDURE","auditDROPANYPROCEDURE".'"auditCREATEPROCEDURE"willauditcreateordroplibraryactivities.Instatementauditing,"PROCEDURE"hasalargerscopethaninprivilegeauditing,whereitisspecifictofunctions,packagesandprocedures,butexcludeslibrariesandperhapsotherobjecttypes.

"AuditPROCEDURE"doesnotauditalteringprocedures,eitherinyourownschemaorinanotherviatheALTERANYPROCEDUREsystemprivilege.Thereseemstobenostatementauditthatisabetterreplacementfor"AuditALTERANYPROCEDURE",butbewarethatwillnotcreateanyauditrecordsforusersthatdonothavetheprivilege.Thus,attemptstoalterproceduresinone'sownschemaareneverauditedandattemptstoalterproceduresinanother'sschemathatfailforlackoftheALTERANYPROCEDUREprivilegearenotaudited.ThisissimplyaweaknessinthecurrentstateofOracleauditing.Fortunately,though,allthattheALTERcommandcanbeusedforregardingprocedures,functions,packagesandlibrariesiscompileoptions,sotheinabilitytocomprehensivelyauditalterprocedureactivitiesandrequestsisnotasbadasitwouldbeforotherobjecttypes(USER,PROFIULE,etc.).

152|P a g e

5.1.20Enable'ALTERSYSTEM'AuditOption(Scored)



Description:

ThiswillauditallattemptstoALTERSYSTEM,whethersuccessfulornotandregardlessofwhetherornottheALTERSYSTEMprivilegeisheldbytheuserattemptingtheaction.

Rationale:

Altersystemallowsonetochangeinstancesettings,includingsecuritysettingsandauditingoptions.Additionally,altersystemcanbeusedtorunoperatingsystemcommandsusingundocumentedOraclefunctionality.Anyunauthorizedattempttoalterthesystemshouldbecauseforconcern.Alterationsoutsideofsomespecifiedmaintenancewindowmaybeofconcern.Inforensics,theseauditrecordscouldbequiteuseful.

Audit:


SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='ALTER SYSTEM' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';


Remediation:


AUDIT ALTER SYSTEM;

153|P a g e

5.1.21Enable'TRIGGER'AuditOption(Scored)



Description:

ATRIGGERmaybeusedtomodifyDMLactionsorinvokeother(recursive)actionswhensometypesofuser-initiatedactionsoccur.Thiswillauditanyattempt,successfulornot,tocreate,drop,enableordisableanyschematriggerinanyschemaregardlessofprivilegeorlackthereof.Forenablinganddisablingatrigger,itcoversbothaltertriggerandaltertable.

Rationale:

Triggersareoftenpartofschemasecurity,datavalidationandothercriticalconstraintsuponactionsanddata.Atriggerinanotherschemamaybeusedtoescalateprivileges,redirectoperations,transformdataandperformothersortsofperhapsundesiredactions.Anyunauthorizedattempttocreate,droporalteratriggerinanotherschemamaybecauseforinvestigation.

Audit:


SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='TRIGGER' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';


Remediation:


AUDIT TRIGGER;

154|P a g e

Impact:

Thestatementauditingoption'auditTRIGGER'auditsalmosteverythingthatthethreeprivilegeaudits"auditCREATEANYTRIGGER","auditALTERANYTRIGGER"and"auditDROPANYTRIGGER"audit,butalsoaudits:

1. Statementstocreate,drop,enableordisableatriggerintheuser'sownschema.2. AttemptstocreateatriggerbyauserwithouttheCREATETRIGGERsystem

privilege.3. AttemptstocreateatriggerinanotherschemabyuserswithouttheCREATEANY

TRIGGERprivilege.4. AttemptstodropatriggerinanotherschemabyuserswithouttheDROPANY

TRIGGERprivilege.5. Attemptstodisableorenableatriggerinanotherschemabyuserswithoutthe

ALTERANYTRIGGERprivilege.

Theonethingisauditedbyanyofthethreeprivilegeauditsthatisnotauditedbythisis"altertrigger...compile"ifthetriggerisinanother'sschema,whichisauditedby"auditALTERANYTRIGGER"',butonlyiftheuserattemptingthealterationactuallyholdstheALTERANYTRIGGERsystemprivilege."AuditTRIGGER"onlyaudits"altertable"or"altertrigger"statementsusedtoenableordisabletriggers.Itdoesnotauditaltertriggeroraltertablestatementsusedonlywithcompileoptions.

155|P a g e

5.1.22Enable'CREATESESSION'AuditOption(Scored)



Description:

Auditallattemptstoconnecttothedatabase,whethersuccessfulornot.Also,auditssessiondisconnects/logoffs.ThecommandstoauditSESSION,CONNECTorCREATESESSIONallaccomplishexactlythesamething-theyinitiatestatementauditingoftheconnectstatementusedtocreateadatabasesession.

Rationale:

Auditingattemptstoconnecttothedatabaseisbasicandmandatedbymostsecurityinitiatives.Anyattempttologontoalockedaccount,failedattemptstologontodefaultaccountsoranunusuallyhighnumberoffailedlogonattemptsofanysort,foranyuser,inaparticulartimeperiodmayindicateanintrusionattempt.Inforensics,thelogonrecordmaybefirstinachainofevidenceandcontainsinformationfoundinnoothertypeofauditrecordforthesession.Logonandlogoffintheaudittraildefinetheperiodanddurationofthesession.

Audit:

To assess this recommendation, execute the following SQL statement.

SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='CREATE SESSION' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';

Lack of results implies a finding.

Remediation:


AUDIT SESSION;

156|P a g e

Notes:

Althoughlistinginthedocumentationasaprivilegeaudit,'auditCREATESESSION'actuallyauditstheCONNECTstatement-asevidencedbytheundocumented'auditCONNECT'-whichdoesexactlythesamethingas'auditSESSION'or'auditCREATESESSION'.Thereisnosystemprivilegenamedeither'SESSION'or'CONNECT'(CONNECTisarole,notasystemprivilege).Also,itbehavesasstatementauditingratherthanprivilegeauditinginthatitauditsallattemptstocreateasession,eveniftheuserdoesnotholdthe'CREATESESSION'systemprivilege.

157|P a g e

5.2UnifiedAuditing

Thissectionistobefollowedifunifiedauditingisimplemented.

5.2.1Enable'CREATEUSER'ActionAudit(Scored)



Description:

AnOracledatabaseuserisanaccountthroughwhichaconnectiontothedatabaseisestablished.Aschemaisassociatedwiththeuseraccountwhichstoresdata.Auseraccountmaybelongtoanindividualpersonorcanbeusedbyadevice,process,andjoborconnectionpool.CREATE USERstatementisusedtocreateOracledatabaseaccountsandassigndatabasepropertiestoit.ThisunifiedauditactionenablesloggingofallCREATE USERstatements,whethersuccessfulorunsuccessful,issuedbytheusersregardlessoftheprivilegesheldbytheuserstoissuesuchstatements.

Rationale:

Loggingandmonitoringofallattemptstocreateuser,whethersuccessfulorunsuccessful,mayprovidecluesandforensicevidencesaboutpotentialsuspicious/unauthorizedactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofallactivitiesinvolvingCREATE USER.

Audit:

Toassessthisrecommendation,executethefollowingSQLStatement.

SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'CREATE USER' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';


158|P a g e

Remediation:


ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS CREATE USER;

IfyoudonothaveCIS_UNIFIED_AUDIT_POLICY,pleasecreateoneusingCREATE AUDIT POLICYstatement.

159|P a g e

5.2.2Enable'ALTERUSER'ActionAudit(Scored)



Description:

AnOracledatabaseuserisanaccountthroughwhichaconnectiontothedatabaseisestablished.Aschemaisassociatedwiththeuseraccountwhichstoresdata.Auseraccountmaybelongtoanindividualpersonorcanbeusedbyadevice,process,andjoborconnectionpool.ALTER USERstatementisusedtochangedatabaseusers’passwordsortolockanaccountorexpirepasswords.Inaddition,thisstatementisusedtochangedatabasepropertiesofuseraccountssuchasdatabaseprofiles,defaultandtemporarytablespacesorassigntablespacequotas.ThisunifiedauditactionenablesloggingofallALTER USERstatements,whethersuccessfulorunsuccessful,issuedbytheusersregardlessoftheprivilegesheldbytheuserstoissuesuchstatements.

Rationale:

Loggingandmonitoringofallattemptstoalteruser,whethersuccessfulorunsuccessful,mayprovidecluesandforensicevidencesaboutpotentialsuspicious/unauthorizedactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofallactivitiesinvolvingALTER USER.

Audit:


SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'ALTER USER' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';


160|P a g e

Remediation:


ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS ALTER USER;

IfyoudonothaveCIS_UNIFIED_AUDIT_POLICY,pleasecreateoneusingCREATEAUDITPOLICYstatement.

161|P a g e

5.2.3Enable'DROPUSER'AuditOption(Scored)



Description:

AnOracledatabaseuserisanaccountthroughwhichaconnectiontothedatabaseisestablished.Aschemaisassociatedwiththeuseraccountwhichstoresdata.Auseraccountmaybelongtoanindividualpersonorcanbeusedbyadevice,process,andjoborconnectionpool.DROP USERstatementisusedtodropOracledatabaseaccountsandschemasassociatedwiththem.ThisunifiedauditactionenablesloggingofallDROP USERstatements,whethersuccessfulorunsuccessful,issuedbytheusersregardlessoftheprivilegesheldbytheuserstoissuesuchstatements.

Rationale:

Loggingandmonitoringofallattemptstodropuser,whethersuccessfulorunsuccessful,mayprovidecluesandforensicevidencesaboutpotentialsuspicious/unauthorizedactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofallactivitiesinvolvingDROP USER.

Audit:


SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'DROP USER' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';


162|P a g e

Remediation:


ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS DROP USER;

IfyoudonothaveCIS_UNIFIED_AUDIT_POLICY,pleasecreateoneusingCREATE AUDIT POLICY statement.

163|P a g e

5.2.4Enable'CREATEROLE’ActionAudit(Scored)



Description:

AnOracledatabaseroleisacollectionorsetofprivilegesthatcanbegrantedtousersorotherroles.Rolesmayincludesystemprivileges,objectprivilegesorotherroles.ThisunifiedauditactionenablesloggingofallCREATE ROLEstatements,whethersuccessfulorunsuccessful,issuedbytheusersregardlessoftheprivilegesheldbytheuserstoissuesuchstatements.

Rationale:

Loggingandmonitoringofallattemptstocreateroles,whethersuccessfulorunsuccessful,mayprovidecluesandforensicevidencesaboutpotentialsuspicious/unauthorizedactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofalluseractivitiesinvolvingCREATE ROLE.

Audit:


SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'CREATE ROLE' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';


Remediation:


ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS CREATE ROLE;

IfyoudonothaveCIS_UNIFIED_AUDIT_POLICY,pleasecreateoneusingCREATE AUDIT POLICYstatement.

164|P a g e

5.2.5Enable'ALTERROLE’ActionAudit(Scored)



Description:

AnOracledatabaseroleisacollectionorsetofprivilegesthatcanbegrantedtousersorotherroles.Rolesmayincludesystemprivileges,objectprivilegesorotherroles.ALTER ROLEstatementisusedtochangetheauthorizationneededtoenablearole.ThisunifiedauditactionenablesloggingofallALTER ROLEstatements,whethersuccessfulorunsuccessful,issuedbytheusersregardlessoftheprivilegesheldbytheuserstoissuesuchstatements.

Rationale:

Loggingandmonitoringofallattemptstoalterroles,whethersuccessfulorunsuccessful,mayprovidecluesandforensicevidencesaboutpotentialsuspicious/unauthorizedactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofalluseractivitiesinvolvingalterationofroles.

Audit:


SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'ALTER ROLE' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';


165|P a g e

Remediation:


ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS ALTER ROLE;

Note:IfyoudonothaveCIS_UNIFIED_AUDIT_POLICY,pleasecreateoneusingCREATE AUDIT POLICYstatement.

166|P a g e

5.2.6Enable'DROPROLE’ActionAudit(Scored)



Description:

AnOracledatabaseroleisacollectionorsetofprivilegesthatcanbegrantedtousersorotherroles.Rolesmayincludesystemprivileges,objectprivilegesorotherroles.ThisunifiedauditactionenablesloggingofallDROP ROLEstatements,successfulorunsuccessful,issuedbytheusersregardlessoftheprivilegesheldbytheuserstoissuesuchstatements.

Rationale:

Loggingandmonitoringofallattemptstodroproles,whethersuccessfulorunsuccessful,mayprovidecluesandforensicevidencesaboutpotentialsuspicious/unauthorizedactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofalluseractivitiesinvolvingDROP ROLE.

Audit:


SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'DROP ROLE' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';


Remediation:


ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS DROP ROLE;


167|P a g e

5.2.7Enable'GRANT'ActionAudit(Scored)



Description:

GRANTSQLstatementsareusedtograntprivilegestoOracledatabaseusersandroles,includingthemostpowerfulprivilegesandrolestypicallyavailabletothedatabaseadministrators.ThisunifiedauditactionenablesloggingofallGRANTstatements,whethersuccessfulorunsuccessful,issuedbytheusersregardlessoftheprivilegesheldbytheuserstoissuesuchstatements.

Rationale:

Withunauthorizedgrantsandpermissions,amalicioususermaybeabletochangethesecurityofthedatabase,access/updateconfidentialdataorcompromiseintegrityofthedatabase.Loggingandmonitoringofallattemptstograntsystemprivileges,objectprivilegesorroles,whethersuccessfulorunsuccessful,mayprovideforensicevidenceaboutpotentialsuspicious/unauthorizedactivitiesaswellasprivilegeescalationactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofalluseractivitiesinvolvingGRANT.

Audit:


SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'GRANT' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';


168|P a g e

Remediation:


ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS GRANT;

Note:IfyoudonothaveCIS_UNIFIED_AUDIT_POLICY,pleasecreateoneusingCREATEAUDITPOLICYstatement.

169|P a g e

5.2.8Enable'REVOKE'ActionAudit(Scored)



Description:

REVOKESQLstatementsareusedtorevokeprivilegesfromOracledatabaseusersandroles.ThisunifiedauditactionenablesloggingofallREVOKEstatements,successfulorunsuccessful,issuedbytheusersregardlessoftheprivilegesheldbytheuserstoissuesuchstatements.

Rationale:

Loggingandmonitoringofallattemptstorevokesystemprivileges,objectprivilegesorroles,whethersuccessfulorunsuccessful,mayprovidecluesandforensicevidenceaboutpotentialsuspicious/unauthorizedactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofalluseractivitiesinvolvingREVOKE.

Audit:


SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'REVOKE' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';


Remediation:


ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS REVOKE;


170|P a g e

5.2.9Enable'CREATEPROFILE’ActionAudit(Scored)



Description:

OracleDatabaseProfilesareusedtoenforceresourceusagelimitsandimplementpasswordpoliciessuchaspasswordcomplexityrulesandreuserestrictions.ThisunifiedauditactionenablesloggingofallCREATE PROFILEstatements,whethersuccessfulorunsuccessful,issuedbytheusersregardlessoftheprivilegesheldbytheuserstoissuesuchstatements.

Rationale:

Loggingandmonitoringofallattemptstocreateprofiles,whethersuccessfulorunsuccessful,mayprovidecluesandforensicevidenceaboutpotentialsuspicious/unauthorizedactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofalluseractivitiesinvolvingcreationofdatabaseprofiles.

Audit:


SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'CREATE PROFILE' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';


Remediation:


ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS CREATE PROFILE;


171|P a g e

5.2.10Enable'ALTERPROFILE’ActionAudit(Scored)



Description:

OracleDatabaseProfilesareusedtoenforceresourceusagelimitsandimplementpasswordpoliciessuchaspasswordcomplexityrulesandreuserestrictions.ThisunifiedauditactionenablesloggingofallALTER PROFILEstatements,whethersuccessfulorunsuccessful,issuedbytheusersregardlessoftheprivilegesheldbytheuserstoissuesuchstatements.

Rationale:

Loggingandmonitoringofallattemptstoalterprofiles,whethersuccessfulorunsuccessful,mayprovideforensicevidenceaboutpotentialsuspicious/unauthorizedactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofalluseractivitiesinvolvingalterationofdatabaseprofiles.

Audit:


SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'ALTER PROFILE' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';


Remediation:


ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS ALTER PROFILE;


172|P a g e

5.2.11Enable'DROPPROFILE’ActionAudit(Scored)



Description:

OracleDatabaseProfilesareusedtoenforceresourceusagelimitsandimplementpasswordpoliciessuchaspasswordcomplexityrulesandreuserestrictions.ThisunifiedauditactionenablesloggingofallDROP PROFILEstatements,whethersuccessfulorunsuccessful,issuedbytheusersregardlessoftheprivilegesheldbytheuserstoissuesuchstatements.

Rationale:

Loggingandmonitoringofallattemptstodropprofiles,whethersuccessfulorunsuccessful,mayprovidecluesandforensicevidenceaboutpotentialsuspicious/unauthorizedactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofalluseractivitiesinvolvingdroppingofdatabaseprofiles.

Audit:


SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'DROP PROFILE' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';


173|P a g e

Remediation:


ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS DROP PROFILE;


174|P a g e

5.2.12Enable'CREATEDATABASELINK’ActionAudit(Scored)



Description:

OracleDatabaseLinksareusedtoestablishdatabase-to-databaseconnectionstootherdatabases.Theseconnectionsareavailablewithoutfurtherauthenticationoncethelinkisestablished.ThisunifiedauditactionenablesloggingofallCREATE DATABASEorCREATE PUBLIC DATABASEstatements,whethersuccessfulorunsuccessful,issuedbytheusersregardlessoftheprivilegesheldbytheuserstoissuesuchstatements.

Rationale:

Loggingandmonitoringofallattemptstocreatedatabaselinks,whethersuccessfulorunsuccessful,mayprovideforensicevidenceaboutpotentialsuspicious/unauthorizedactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofalluseractivitiesinvolvingcreationofdatabaselinks.

Audit:


SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'CREATE DATABASE LINK' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';


Remediation:


ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS CREATE DATABASE LINK;


175|P a g e

5.2.13Enable'ALTERDATABASELINK’ActionAudit(Scored)



Description:

OracleDatabaseLinksareusedtoestablishdatabase-to-databaseconnectionstootherdatabases.Theseconnectionsarealwaysavailablewithoutfurtherauthenticationoncethelinkisestablished.ThisunifiedauditactionenablesloggingofallALTER DATABASEorALTER PUBLIC DATABASEstatements,whethersuccessfulorunsuccessful,issuedbytheusersregardlessoftheprivilegesheldbytheuserstoissuesuchstatements.

Rationale:

Loggingandmonitoringofallattemptstoalterdatabaselinks,whethersuccessfulorunsuccessful,mayprovideforensicevidenceaboutpotentialsuspicious/unauthorizedactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofalluseractivitiesinvolvingalterationofdatabaselinks.

Audit:


SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'ALTER DATABASE LINK' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';


Remediation:


ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS ALTER DATABASE LINK;


176|P a g e

5.2.14Enable'DROPDATABASELINK’ActionAudit(Scored)



Description:

OracleDatabaseLinksareusedtoestablishdatabase-to-databaseconnectionstootherdatabases.Theseconnectionsarealwaysavailablewithoutfurtherauthenticationoncethelinkisestablished.ThisunifiedauditactionenablesloggingofallDROP DATABASEorDROP PUBLIC DATABASE,whethersuccessfulorunsuccessful,statementsissuedbytheusersregardlessoftheprivilegesheldbytheuserstoissuesuchstatements.

Rationale:

Loggingandmonitoringofallattemptstodropdatabaselinks,whethersuccessfulorunsuccessful,mayprovideforensicevidenceaboutpotentialsuspicious/unauthorizedactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofalluseractivitiesinvolvingdroppingofdatabaselinks.

Audit:


SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'DROP DATABASE LINK' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';


Remediation:


ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS DROP DATABASE LINK;


177|P a g e

5.2.15Enable'CREATESYNONYM’ActionAudit(Scored)



Description:

AnOracledatabasesynonymisusedtocreateanalternativenameforadatabaseobjectsuchastable,view,procedure,javaobjectorevenanothersynonym,etc.ThisunifiedauditactionenablesloggingofallCREATE SYNONYMorCREATE PUBLIC SYNONYMstatements,whethersuccessfulorunsuccessful,issuedbytheusersregardlessoftheprivilegesheldbytheuserstoissuesuchstatements.

Rationale:

Loggingandmonitoringofallattemptstocreatesynonyms,whethersuccessfulorunsuccessful,mayprovidecluesandforensicevidenceaboutpotentialsuspicious/unauthorizedactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofalluseractivitiesinvolvingcreationofsynonymsorpublicsynonyms.

Audit:


SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'CREATE SYNONYM' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';


178|P a g e

Remediation:


ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS CREATE SYNONYM;


179|P a g e

5.2.16Enable'ALTERSYNONYM’ActionAudit(Scored)



Description:

AnOracledatabasesynonymisusedtocreateanalternativenameforadatabaseobjectsuchastable,view,procedure,javaobjectorevenanothersynonym,etc.ThisunifiedauditactionenablesloggingofallALTER SYNONYMorALTER PUBLIC SYNONYMstatements,whethersuccessfulorunsuccessful,issuedbytheusersregardlessoftheprivilegesheldbytheuserstoissuesuchstatements.

Rationale:

Loggingandmonitoringofallattemptstoaltersynonyms,whethersuccessfulorunsuccessful,mayprovidecluesandforensicevidenceaboutpotentialsuspicious/unauthorizedactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofalluseractivitiesinvolvingalterationofsynonymsorpublicsynonyms.

Audit:


SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'ALTER SYNONYM' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';


180|P a g e

Remediation:


ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS ALTER SYNONYM;


181|P a g e

5.2.17Enable'DROPSYNONYM’ActionAudit(Scored)



Description:

AnOracledatabasesynonymisusedtocreateanalternativenameforadatabaseobjectsuchastable,view,procedure,javaobjectorevenanothersynonym,etc.ThisunifiedauditactionenablesloggingofallDROP SYNONYMorDROP PUBLIC SYNONYMstatements,whethersuccessfulorunsuccessful,issuedbytheusersregardlessoftheprivilegesheldbytheuserstoissuesuchstatements.

Rationale:

Loggingandmonitoringofallattemptstodropsynonyms,whethersuccessfulorunsuccessful,mayprovideforensicevidenceaboutpotentialsuspicious/unauthorizedactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofalluseractivitiesinvolvingdroppingofsynonymsorpublicsynonyms.

Audit:


SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'DROP SYNONYM' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';


Remediation:


ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS DROP SYNONYM;


182|P a g e

5.2.18Enable'SELECTANYDICTIONARY’PrivilegeAudit(Scored)



Description:

SELECT ANY DICTIONARYsystemprivilegeallowstheusertoviewthedefinitionofallschemaobjectsinthedatabase.ItgrantsSELECTprivilegesonthedatadictionaryobjectstothegrantees,includingSELECTonDBA_views,V$views,X$viewsandunderlyingSYStablessuchasTAB$,OBJ$,etc.Thisprivilegealsoallowsgranteestocreatestoredobjectssuchasprocedures,packagesorviewsontheunderlyingdatadictionaryobjects.Pleasenotethatthisprivilegedoesn’tgrantSELECTontableswithpasswordhashessuchasUSER$,DEFAULT_PWD$,LINK$,andUSER_HISTORY$.Thisauditenablesloggingofactivitiesthatexercisethisprivilege.

Rationale:

Loggingandmonitoringofallattemptstoaccessdatadictionary,whethersuccessfulorunsuccessful,mayprovidecluesandforensicevidenceaboutpotentialsuspicious/unauthorizedactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofalluseractivitiesinvolvingaccesstothedatabase.

Audit:


SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'SELECT ANY DICTIONARY' AND AUD.AUDIT_OPTION_TYPE = 'SYSTEM PRIVILEGE' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';


183|P a g e

Remediation:


ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD PRIVILEGES SELECT ANY DICTIONARY;


184|P a g e

5.2.19Enable'UNIFIED_AUDIT_TRAIL’AccessAudit(Scored)



Description:

UNIFIED_AUDIT_TRAILviewholdsaudittrailrecordsgeneratedbythedatabase.ThisauditactionenablesloggingofallaccessattemptstotheUNIFIED_AUDIT_TRAILview,whethersuccessfulorunsuccessful,regardlessoftheprivilegesheldbytheuserstoissuesuchstatements.

Rationale:

LoggingandmonitoringofallattemptstoaccesstheUNIFIED_AUDIT_TRAILview,whethersuccessfulorunsuccessful,mayprovidecluesandforensicevidenceaboutpotentialsuspicious/unauthorizedactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofalluseractivitiesinvolvingaccesstothisview.

Audit:


SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'ALL' AND AUD.AUDIT_OPTION_TYPE = 'OBJECT ACTION' AND AUD.OBJECT_SCHEMA = 'SYS' AND AUD.OBJECT_NAME = 'UNIFIED_AUDIT_TRAIL' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';


Remediation:


ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS ALL on SYS.UNIFIED_AUDIT_TRAIL;


185|P a g e

5.2.20Enable'CREATEPROCEDURE/FUNCTION/PACKAGE/PACKAGEBODY’ActionAudit(Scored)



Description:

Oracledatabaseprocedures,functionsandpackages,whicharestoredwithinthedatabase,arecreatedtoperformbusinessfunctionsandaccessdatabaseasdefinedbyPL/SQLcodeandSQLstatementscontainedwithintheseobjects.ThisunifiedauditactionenablesloggingofallCREATE PROCEDURE,CREATE FUNCTION,CREATE PACKAGEorCREATE PACKAGE BODY,successfulorunsuccessful,statementsissuedbytheusersregardlessoftheprivilegesheldbytheuserstoissuesuchstatements.

Rationale:

Loggingandmonitoringofallattemptstocreateprocedures,functions,packagesorpackagebodies,whethersuccessfulorunsuccessful,mayprovidecluesandforensicevidenceaboutpotentialsuspicious/unauthorizedactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofalluseractivitiesinvolvingcreationofprocedures,functions,packagesorpackagebodies.

186|P a g e

Audit:


SELECT * FROM AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS' AND EXISTS ( SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'CREATE PROCEDURE' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION') AND EXISTS ( SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'CREATE FUNCTION' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION') AND EXISTS ( SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'CREATE PACKAGE' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION') AND EXISTS ( SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'CREATE PACKAGE BODY' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION');


Remediation:


ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS CREATE PROCEDURE, CREATE FUNCTION, CREATE PACKAGE, CREATE PACKAGE BODY;


187|P a g e

5.2.21Enable'ALTERPROCEDURE/FUNCTION/PACKAGE/PACKAGEBODY’ActionAudit(Scored)



Description:

Oracledatabaseprocedures,functionsandpackages,whicharestoredwithinthedatabase,arecreatedtocarryoutbusinessfunctionsandaccessdatabaseasdefinedbyPL/SQLcodeandSQLstatementscontainedwithintheseobjects.Thisunifiedauditactionenablesloggingofall,successfulorunsuccessful,ALTER PROCEDURE,ALTER FUNCTION,ALTER PACKAGEorALTER PACKAGE BODYstatementsissuedbytheusersregardlessoftheprivilegesheldbytheuserstoissuesuchstatements.

Rationale:

Unauthorizedalterationofprocedures,functions,packagesorpackagebodiesmayimpactcriticalbusinessfunctionsorcompromiseintegrityofthedatabase.Loggingandmonitoringofallattempts,whethersuccessfulorunsuccessful,toalterprocedures,functions,packagesorpackagebodiesmayprovidecluesandforensicevidenceaboutpotentialsuspicious/unauthorizedactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofalluseractivitiesinvolvingalterationofprocedures,functions,packagesorpackagebodies.

188|P a g e

Audit:


SELECT * FROM AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS' AND EXISTS ( SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'ALTER PROCEDURE' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION') AND EXISTS ( SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'ALTER FUNCTION' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION') AND EXISTS ( SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'ALTER PACKAGE' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION') AND EXISTS ( SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'ALTER PACKAGE BODY' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION') ;


Remediation:


ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS ALTER PROCEDURE, ALTER FUNCTION, ALTER PACKAGE, ALTER PACKAGE BODY;


189|P a g e

5.2.22Enable'DROPPROCEDURE/FUNCTION/PACKAGE/PACKAGEBODY’ActionAudit(Scored)



Description:

Oracledatabaseprocedures,functionsandpackages,whicharestoredwithinthedatabase,arecreatedtocarryoutbusinessfunctionsandaccessdatabaseasdefinedbyPL/SQLcodeandSQLstatementscontainedwithintheseobjects.Thisunifiedauditactionenablesloggingofall,successfulorunsuccessful,DROP PROCEDURE,DROP FUNCTION,DROPPACKAGEorDROP PACKAGE BODYstatementsissuedbytheusersregardlessoftheprivilegesheldbytheuserstoissuesuchstatements.

Rationale:

Loggingandmonitoringofallattempts,whethersuccessfulorunsuccessful,todropprocedures,functions,packagesorpackagebodiesmayprovideforensicevidenceaboutpotentialsuspicious/unauthorizedactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofalluseractivitiesinvolvingdroppingofprocedures,functions,packagesorpackagebodies.

190|P a g e

Audit:


SELECT * FROM AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS' AND EXISTS ( SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'DROP PROCEDURE' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION') AND EXISTS ( SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'DROP FUNCTION' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION') AND EXISTS ( SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'DROP PACKAGE' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION') AND EXISTS ( SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'DROP PACKAGE BODY' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION');


Remediation:


ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS DROP PROCEDURE, DROP FUNCTION, DROP PACKAGE, DROP PACKAGE BODY;


191|P a g e

5.2.23Enable'ALTERSYSTEM’PrivilegeAudit(Scored)



Description:

ALTER SYSTEMprivilegeallowstheusertochangeinstancesettingswhichcouldimpactsecurityposture,performanceornormaloperationofthedatabase.Additionally,ALTER SYSTEMprivilegemaybeusedtorunoperatingsystemcommandsusingundocumentedOraclefunctionality.Thisunifiedauditenablesloggingofactivitiesthatinvolveexerciseofthisprivilege,whethersuccessfulorunsuccessful,issuedbytheusersregardlessoftheprivilegesheldbytheuserstoissuesuchstatements.

Rationale:

LoggingandmonitoringofallattemptstoexecuteALTER SYSTEMstatements,whethersuccessfulorunsuccessful,mayprovideforensicevidenceaboutpotentialsuspicious/unauthorizedactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofalluseractivitiesthatinvolveALTER SYSTEMstatements.

Audit:


SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'ALTER SYSTEM' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';


192|P a g e

Remediation:


ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS ALTER SYSTEM;


193|P a g e

5.2.24Enable'CREATETRIGGER’ActionAudit(Scored)



Description:

Oracledatabasetriggersareexecutedautomaticallywhenspecifiedconditionsontheunderlyingobjectsoccur.Triggerbodiescontainthecode,quiteoftentoperformdatavalidation,ensuredataintegrity/securityorenforcecriticalconstraintsonallowableactionsondata.ThisunifiedauditactionenablesloggingofallCREATE TRIGGERstatements,whethersuccessfulorunsuccessful,issuedbytheusersregardlessoftheprivilegesheldbytheuserstoissuesuchstatements.

Rationale:

Loggingandmonitoringofallattemptstocreatetriggers,whethersuccessfulorunsuccessful,mayprovidecluesandforensicevidenceaboutpotentialsuspicious/unauthorizedactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofalluseractivitiesinvolvingcreationoftriggers.

Audit:


SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'CREATE TRIGGER' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';


194|P a g e

Remediation:


ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS CREATE TRIGGER;


195|P a g e

5.2.25Enable'ALTERTRIGGER’ActionAudit(Scored)



Description:

Oracledatabasetriggersareexecutedautomaticallywhenspecifiedconditionsontheunderlyingobjectsoccur.Triggerbodiescontainthecode,quiteoftentoperformdatavalidation,ensuredataintegrity/securityorenforcecriticalconstraintsonallowableactionsondata.ThisunifiedauditactionenablesloggingofallALTER TRIGGERstatements,whethersuccessfulorunsuccessful,issuedbytheusersregardlessoftheprivilegesheldbytheuserstoissuesuchstatements.

Rationale:

Unauthorizedalterationoftriggersmayimpactcriticalbusinessfunctionsorcompromiseintegrity/securityofthedatabase.Loggingandmonitoringofallattemptstoaltertriggers,whethersuccessfulorunsuccessful,mayprovidecluesandforensicevidenceaboutpotentialsuspicious/unauthorizedactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofalluseractivitiesinvolvingalterationoftriggers.

Audit:


SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'ALTER TRIGGER' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';


196|P a g e

Remediation:


ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS ALTER TRIGGER;


197|P a g e

5.2.26Enable'DROPTRIGGER’ActionAudit(Scored)



Description:

Oracledatabasetriggersareexecutedautomaticallywhenspecifiedconditionsontheunderlyingobjectsoccur.Triggerbodiescontainthecode,quiteoftentoperformdatavalidation,ensuredataintegrity/securityorenforcecriticalconstraintsonallowableactionsondata.ThisunifiedauditactionenablesloggingofallDROP TRIGGERstatements,whethersuccessfulorunsuccessful,issuedbytheusersregardlessoftheprivilegesheldbytheuserstoissuesuchstatements.

Rationale:

Loggingandmonitoringofallattemptstodroptriggers,whethersuccessfulorunsuccessful,mayprovideforensicevidenceaboutpotentialsuspicious/unauthorizedactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofalluseractivitiesinvolvingdroppingoftriggers.

Audit:


SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'DROP TRIGGER' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';


198|P a g e

Remediation:


ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS DROP TRIGGER;


199|P a g e

5.2.27Enable'LOGON’AND‘LOGOFF’ActionsAudit(Scored)



Description:

Oracledatabaseuserslogontothedatabasetoperformtheirwork.ThisunifiedauditactionenablesloggingofallLOGONactions,whethersuccessfulorunsuccessful,issuedbytheusersregardlessoftheprivilegesheldbytheuserstologintothedatabase.Inaddition,LOGOFFactionauditcaptureslogoffactivities.Thisauditactionalsocaptureslogon/logofftotheopendatabasebySYSDBAandSYSOPER.

Rationale:

Loggingandmonitoringofallattemptstologontothedatabase,whethersuccessfulorunsuccessful,mayprovideforensicevidenceaboutpotentialsuspicious/unauthorizedactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofalluseractivitiesinvolvingLOGONandLOGOFF.

Audit:


SELECT * FROM AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS' AND EXISTS ( SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'LOGON' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION') AND EXISTS ( SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'LOGOFF' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION');


200|P a g e

Remediation:


ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS LOGON, LOGOFF;


201|P a g e

6Appendix:EstablishinganAudit/ScanUser

Thisdocumenthasbeenauthoredwiththeexpectationthatauserwithappropriatepermissionswillbeusedtoexecutethequeriesandperformotherassessmentactions.WhilethiscouldbeaccomplishedbygrantingDBAprivilegestoagivenuser,thepreferredapproachistocreateadedicateduserandgrantingonlythespecificpermissionsrequiredtoperformtheassessmentsexpressedherein.DoingthisavoidsthenecessityforanyuserassessingthesystemneedstobegrantedDBAprivileges.

TherecommendationsexpressedinthisdocumentassumethepresenceofarolenamedCISSCANROLEandausernamedCISSCAN.ThisroleandusershouldbecreatedbyexecutingthefollowingSQLstatements,beingcarefultosubstituteanappropriatepasswordfor<password>.

-- Create the role CREATE ROLE CISSCANROLE; -- Grant necessary privileges to the role GRANT CREATE SESSION TO CISSCANROLE; GRANT SELECT ON V_$PARAMETER TO CISSCANROLE; GRANT SELECT ON DBA_TAB_PRIVS TO CISSCANROLE; GRANT SELECT ON DBA_PROFILES TO CISSCANROLE; GRANT SELECT ON DBA_SYS_PRIVS TO CISSCANROLE; GRANT SELECT ON DBA_STMT_AUDIT_OPTS TO CISSCANROLE; GRANT SELECT ON DBA_ROLE_PRIVS TO CISSCANROLE; GRANT SELECT ON DBA_OBJ_AUDIT_OPTS TO CISSCANROLE; GRANT SELECT ON DBA_PRIV_AUDIT_OPTS TO CISSCANROLE; GRANT SELECT ON DBA_PROXIES TO CISSCANROLE; GRANT SELECT ON DBA_USERS TO CISSCANROLE; GRANT SELECT ON DBA_USERS_WITH_DEFPWD TO CISSCANROLE; GRANT AUDIT_VIEWER TO CISSCANROLE; -- Create the user and assign the user to the role CREATE USER CISSCAN IDENTIFIED BY <password>; GRANT CISSCANROLE TO CISSCAN;

Ifyourelyonsimilarrolesand/orusers,butwhicharenotnamedasCISSCANROLEorCISSCAN,orifyouhaverolesorusersnamedCISSCANROLEorCISSCANintendedtobeusedfordifferentpurposes,beawarethatsomerecommendationshereinexplicitlynameCISSCANROLEandCISSCAN.

Theseare:

• 3.10EnsureNoUsersAreAssignedthe'DEFAULT'Profile• 4.5.5Ensure'ALL'IsRevokedfromUnauthorized'GRANTEE'on'DBA_%'

202|P a g e

Notethatdifferentorganizationsmaywishtofollowtheinstructionsinthisappendixindifferentways.Formorepermanentorregularassessmentscans,itmaybeacceptabletoretaintheCISSCANROLEandCISSCANuserindefinitely.However,inaconsultativecontextwhereanassessmentisperhapsrunattheoutsetoftheconsultingengagementandagainclosertotheend,afteranyremediationhasbeenperformed,theCISSCANROLEroleandCISSCANusermaybedropped.Suchadecisionisultimatelyleftuptotheimplementingorganization.

203|P a g e

Appendix:SummaryTable

Control SetCorrectlyYes No

1 OracleDatabaseInstallationandPatchingRequirements1.1 EnsuretheAppropriateVersion/PatchesforOracleSoftware

IsInstalled(NotScored) o o

1.2 EnsureAllDefaultPasswordsAreChanged(Scored) o o1.3 EnsureAllSampleDataAndUsersHaveBeenRemoved

(Scored) o o

2 OracleParameterSettings2.1 ListenerSettings2.1.1 Ensure'SECURE_CONTROL_<listener_name>'IsSetIn

'listener.ora'(Scored) o o

2.1.2 Ensure'extproc'IsNotPresentin'listener.ora'(Scored) o o2.1.3 Ensure'ADMIN_RESTRICTIONS_<listener_name>'IsSet

to'ON'(Scored) o o

2.1.4 Ensure'SECURE_REGISTER_<listener_name>'IsSetto'TCPS'or'IPC'(Scored) o o

2.2 Databasesettings2.2.1 Ensure'AUDIT_SYS_OPERATIONS'IsSetto'TRUE'(Scored) o o2.2.2 Ensure'AUDIT_TRAIL'IsSetto'OS','DB,EXTENDED',or

'XML,EXTENDED'(Scored) o o

2.2.3 Ensure'GLOBAL_NAMES'IsSetto'TRUE'(Scored) o o2.2.4 Ensure'LOCAL_LISTENER'IsSetAppropriately(Scored) o o2.2.5 Ensure'O7_DICTIONARY_ACCESSIBILITY'IsSetto'FALSE'

(Scored) o o

2.2.6 Ensure'OS_ROLES'IsSetto'FALSE'(Scored) o o2.2.7 Ensure'REMOTE_LISTENER'IsEmpty(Scored) o o2.2.8 Ensure'REMOTE_LOGIN_PASSWORDFILE'IsSetto'NONE'

(Scored) o o

2.2.9 Ensure'REMOTE_OS_AUTHENT'IsSetto'FALSE'(Scored) o o2.2.10 Ensure'REMOTE_OS_ROLES'IsSetto'FALSE'(Scored) o o2.2.11 Ensure'UTL_FILE_DIR'IsEmpty(Scored) o o2.2.12 Ensure'SEC_CASE_SENSITIVE_LOGON'IsSetto'TRUE'

(Scored) o o

2.2.13 Ensure'SEC_MAX_FAILED_LOGIN_ATTEMPTS'Is'10'(Scored) o o2.2.14 Ensure'SEC_PROTOCOL_ERROR_FURTHER_ACTION'IsSetto

'DELAY,3'or'DROP,3'(Scored) o o

2.2.15 Ensure'SEC_PROTOCOL_ERROR_TRACE_ACTION'IsSetto'LOG'(Scored) o o

2.2.16 Ensure'SEC_RETURN_SERVER_RELEASE_BANNER'IsSetto'FALSE'(Scored) o o

204|P a g e

2.2.17 Ensure'SQL92_SECURITY'IsSetto'TRUE'(Scored) o o2.2.18 Ensure'_TRACE_FILES_PUBLIC'IsSetto'FALSE'(Scored) o o2.2.19 Ensure'RESOURCE_LIMIT'IsSetto'TRUE'(Scored) o o3 OracleConnectionandLoginRestrictions3.1 Ensure'FAILED_LOGIN_ATTEMPTS'IsLessthanorEqualto

'5'(Scored) o o

3.2 Ensure'PASSWORD_LOCK_TIME'IsGreaterthanorEqualto'1'(Scored) o o

3.3 Ensure'PASSWORD_LIFE_TIME'IsLessthanorEqualto'90'(Scored) o o

3.4 Ensure'PASSWORD_REUSE_MAX'IsGreaterthanorEqualto'20'(Scored) o o

3.5 Ensure'PASSWORD_REUSE_TIME'IsGreaterthanorEqualto'365'(Scored) o o

3.6 Ensure'PASSWORD_GRACE_TIME'IsLessthanorEqualto'5'(Scored) o o

3.7 Ensure'DBA_USERS.PASSWORD'IsNotSetto'EXTERNAL'forAnyUser(Scored) o o

3.8 Ensure'PASSWORD_VERIFY_FUNCTION'IsSetforAllProfiles(Scored) o o

3.9 Ensure'SESSIONS_PER_USER'IsLessthanorEqualto'10'(Scored) o o

3.10 EnsureNoUsersAreAssignedthe'DEFAULT'Profile(Scored) o o4 OracleUserAccessandAuthorizationRestrictions4.1 DefaultPublicPrivilegesforPackagesandObjectTypes4.1.1 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on

'DBMS_ADVISOR'(Scored) o o

4.1.2 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_CRYPTO'(Scored) o o

4.1.3 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_JAVA'(Scored) o o

4.1.4 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_JAVA_TEST'(Scored) o o

4.1.5 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_JOB'(Scored) o o

4.1.6 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_LDAP'(Scored) o o

4.1.7 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_LOB'(Scored) o o

4.1.8 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_OBFUSCATION_TOOLKIT'(Scored) o o

4.1.9 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_RANDOM'(Scored) o o

4.1.10 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on o o

205|P a g e

'DBMS_SCHEDULER'(Scored)4.1.11 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_SQL'

(Scored) o o

4.1.12 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_XMLGEN'(Scored) o o

4.1.13 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_XMLQUERY'(Scored) o o

4.1.14 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'UTL_FILE'(Scored) o o

4.1.15 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'UTL_INADDR'(Scored) o o

4.1.16 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'UTL_TCP'(Scored) o o

4.1.17 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'UTL_MAIL'(Scored) o o

4.1.18 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'UTL_SMTP'(Scored) o o

4.1.19 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'UTL_DBWS'(Scored) o o

4.1.20 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'UTL_ORAMTS'(Scored) o o

4.1.21 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'UTL_HTTP'(Scored) o o

4.1.22 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'HTTPURITYPE'(Scored) o o

4.2 RevokeNon-DefaultPrivilegesforPackagesandObjectTypes4.2.1 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on

'DBMS_SYS_SQL'(Scored) o o

4.2.2 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_BACKUP_RESTORE'(Scored) o o

4.2.3 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_AQADM_SYSCALLS'(Scored) o o

4.2.4 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_REPCAT_SQL_UTL'(Scored) o o

4.2.5 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'INITJVMAUX'(Scored) o o

4.2.6 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_STREAMS_ADM_UTL'(Scored) o o

4.2.7 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_AQADM_SYS'(Scored) o o

4.2.8 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_STREAMS_RPC'(Scored) o o

4.2.9 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_PRVTAQIM'(Scored) o o

206|P a g e

4.2.10 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'LTADM'(Scored) o o

4.2.11 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'WWV_DBMS_SQL'(Scored) o o

4.2.12 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'WWV_EXECUTE_IMMEDIATE'(Scored) o o

4.2.13 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_IJOB'(Scored) o o

4.2.14 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_FILE_TRANSFER'(Scored) o o

4.3 RevokeExcessiveSystemPrivileges4.3.1 Ensure'SELECT_ANY_DICTIONARY'IsRevokedfrom

Unauthorized'GRANTEE'(Scored) o o

4.3.2 Ensure'SELECTANYTABLE'IsRevokedfromUnauthorized'GRANTEE'(Scored) o o

4.3.3 Ensure'AUDITSYSTEM'IsRevokedfromUnauthorized'GRANTEE'(Scored) o o

4.3.4 Ensure'EXEMPTACCESSPOLICY'IsRevokedfromUnauthorized'GRANTEE'(Scored) o o

4.3.5 Ensure'BECOMEUSER'IsRevokedfromUnauthorized'GRANTEE'(Scored) o o

4.3.6 Ensure'CREATE_PROCEDURE'IsRevokedfromUnauthorized'GRANTEE'(Scored) o o

4.3.7 Ensure'ALTERSYSTEM'IsRevokedfromUnauthorized'GRANTEE'(Scored) o o

4.3.8 Ensure'CREATEANYLIBRARY'IsRevokedfromUnauthorized'GRANTEE'(Scored) o o

4.3.9 Ensure'CREATELIBRARY'IsRevokedfromUnauthorized'GRANTEE'(Scored) o o

4.3.10 Ensure'GRANTANYOBJECTPRIVILEGE'IsRevokedfromUnauthorized'GRANTEE'(Scored) o o

4.3.11 Ensure'GRANTANYROLE'IsRevokedfromUnauthorized'GRANTEE'(Scored) o o

4.3.12 Ensure'GRANTANYPRIVILEGE'IsRevokedfromUnauthorized'GRANTEE'(Scored) o o

4.4 RevokeRolePrivileges4.4.1 Ensure'DELETE_CATALOG_ROLE'IsRevokedfrom

Unauthorized'GRANTEE'(Scored) o o

4.4.2 Ensure'SELECT_CATALOG_ROLE'IsRevokedfromUnauthorized'GRANTEE'(Scored) o o

4.4.3 Ensure'EXECUTE_CATALOG_ROLE'IsRevokedfromUnauthorized'GRANTEE'(Scored) o o

4.4.4 Ensure'DBA'IsRevokedfromUnauthorized'GRANTEE'(Scored) o o

207|P a g e

4.5 RevokeExcessiveTableandViewPrivileges4.5.1 Ensure'ALL'IsRevokedfromUnauthorized'GRANTEE'on

'AUD$'(Scored) o o

4.5.2 Ensure'ALL'IsRevokedfromUnauthorized'GRANTEE'on'USER_HISTORY$'(Scored) o o

4.5.3 Ensure'ALL'IsRevokedfromUnauthorized'GRANTEE'on'LINK$'(Scored) o o

4.5.4 Ensure'ALL'IsRevokedfromUnauthorized'GRANTEE'on'SYS.USER$'(Scored) o o

4.5.5 Ensure'ALL'IsRevokedfromUnauthorized'GRANTEE'on'DBA_%'(Scored) o o

4.5.6 Ensure'ALL'IsRevokedfromUnauthorized'GRANTEE'on'SYS.SCHEDULER$_CREDENTIAL'(Scored) o o

4.5.7 Ensure'SYS.USER$MIG'HasBeenDropped(Scored) o o4.6 Ensure'%ANY%'IsRevokedfromUnauthorized'GRANTEE'

(Scored) o o

4.7 Ensure'DBA_SYS_PRIVS.%'IsRevokedfromUnauthorized'GRANTEE'with'ADMIN_OPTION'Setto'YES'(Scored) o o

4.8 EnsureProxyUsersHaveOnly'CONNECT'Privilege(Scored) o o4.9 Ensure'EXECUTEANYPROCEDURE'IsRevokedfrom

'OUTLN'(Scored) o o

4.10 Ensure'EXECUTEANYPROCEDURE'IsRevokedfrom'DBSNMP'(Scored) o o

5 Audit/LoggingPoliciesandProcedures5.1 TraditionalAuditing5.1.1 Enable'USER'AuditOption(Scored) o o5.1.2 Enable'ALTERUSER'AuditOption(Scored) o o5.1.3 Enable'DROPUSER'AuditOption(Scored) o o5.1.4 Enable'ROLE'AuditOption(Scored) o o5.1.5 Enable'SYSTEMGRANT'AuditOption(Scored) o o5.1.6 Enable'PROFILE'AuditOption(Scored) o o5.1.7 Enable'ALTERPROFILE'AuditOption(Scored) o o5.1.8 Enable'DROPPROFILE'AuditOption(Scored) o o5.1.9 Enable'DATABASELINK'AuditOption(Scored) o o5.1.10 Enable'PUBLICDATABASELINK'AuditOption(Scored) o o5.1.11 Enable'PUBLICSYNONYM'AuditOption(Scored) o o5.1.12 Enable'SYNONYM'AuditOption(Scored) o o5.1.13 Enable'GRANTDIRECTORY'AuditOption(Scored) o o5.1.14 Enable'SELECTANYDICTIONARY'AuditOption(Scored) o o5.1.15 Enable'GRANTANYOBJECTPRIVILEGE'AuditOption

(Scored) o o

5.1.16 Enable'GRANTANYPRIVILEGE'AuditOption(Scored) o o5.1.17 Enable'DROPANYPROCEDURE'AuditOption(Scored) o o

208|P a g e

5.1.18 Enable'ALL'AuditOptionon'SYS.AUD$'(Scored) o o5.1.19 Enable'PROCEDURE'AuditOption(Scored) o o5.1.20 Enable'ALTERSYSTEM'AuditOption(Scored) o o5.1.21 Enable'TRIGGER'AuditOption(Scored) o o5.1.22 Enable'CREATESESSION'AuditOption(Scored) o o5.2 UnifiedAuditing5.2.1 Enable'CREATEUSER'ActionAudit(Scored) o o5.2.2 Enable'ALTERUSER'ActionAudit(Scored) o o5.2.3 Enable'DROPUSER'AuditOption(Scored)(Scored) o o5.2.4 Enable'CREATEROLE’ActionAudit(Scored)(Scored) o o5.2.5 Enable'ALTERROLE’ActionAudit(Scored)(Scored) o o5.2.6 Enable'DROPROLE’ActionAudit(Scored)(Scored) o o5.2.7 Enable'GRANT'ActionAudit(Scored)(Scored) o o5.2.8 Enable'REVOKE'ActionAudit(Scored)(Scored) o o5.2.9 Enable'CREATEPROFILE’ActionAudit(Scored)(Scored) o o5.2.10 Enable'ALTERPROFILE’ActionAudit(Scored)(Scored) o o5.2.11 Enable'DROPPROFILE’ActionAudit(Scored)(Scored) o o5.2.12 Enable'CREATEDATABASELINK’ActionAudit(Scored)

(Scored) o o

5.2.13 Enable'ALTERDATABASELINK’ActionAudit(Scored)(Scored) o o

5.2.14 Enable'DROPDATABASELINK’ActionAudit(Scored)(Scored) o o

5.2.15 Enable'CREATESYNONYM’ActionAudit(Scored)(Scored) o o5.2.16 Enable'ALTERSYNONYM’ActionAudit(Scored)(Scored) o o5.2.17 Enable'DROPSYNONYM’ActionAudit(Scored)(Scored) o o5.2.18 Enable'SELECTANYDICTIONARY’PrivilegeAudit(Scored)

(Scored) o o

5.2.19 Enable'UNIFIED_AUDIT_TRAIL’AccessAudit(Scored)(Scored) o o

5.2.20 Enable'CREATEPROCEDURE/FUNCTION/PACKAGE/PACKAGEBODY’ActionAudit(Scored)(Scored)

o o

5.2.21 Enable'ALTERPROCEDURE/FUNCTION/PACKAGE/PACKAGEBODY’ActionAudit(Scored)(Scored)

o o

5.2.22 Enable'DROPPROCEDURE/FUNCTION/PACKAGE/PACKAGEBODY’ActionAudit(Scored)(Scored) o o

5.2.23 Enable'ALTERSYSTEM’PrivilegeAudit(Scored)(Scored) o o5.2.24 Enable'CREATETRIGGER’ActionAudit(Scored)(NotScored) o o5.2.25 Enable'ALTERTRIGGER’ActionAudit(Scored)(Scored) o o5.2.26 Enable'DROPTRIGGER’ActionAudit(Scored)(Scored) o o5.2.27 Enable'LOGON’AND‘LOGOFF’ActionsAudit(Scored) o o

209|P a g e

(Scored)6 Appendix:EstablishinganAudit/ScanUser

210|P a g e

Appendix:ChangeHistoryDate Version Changesforthisversion

04-29-2015

1.0.0 InitialRelease

04-30-2015

1.1.0 Ticket#204:Clarificationinoverviewforbenchmarknon-pluggableapplicability

06-29-2015

1.1.0 Ticket#209:Addworkflowadvicetoappendixaboutscanuser

06-29-2015

1.1.0 Ticket#217:Correctedtypeof"repact"with"repcat"

06-29-2015

1.1.0 Ticket#216:Updatedremediationtoreference[PRIVILEGE]list

06-29-2015

1.1.0 Ticket#213:UpdatedauditqueryforregexonAPEXusers

06-29-2015

1.1.0 Ticket#212:CorrectedconfusionbetweenDBMS_RANDOMandDBMS_BACKUP_RESTORE

06-29-2015

1.1.0 Ticket#211:Correctedincorrectrecommendationfrom'FALSE'to'TRUE'

06-29-2015

1.1.0 Ticket#203:Updatedreferencesfrom11gR2to12cwherepossible

03-31-2016

1.2.0 Ticket#259:AddedSYSMANtolistofauthorizedgranteesfor4.4.2

03-31-2016

1.2.0 Ticket#258:AddedAPEX_050000;MGMT_VIEW;SYSMAN_MDS;SYSMAN_OPSS;SYSMAN_RO;SYSMAN_STBtolistofauthorizedgranteesin4.3.6

03-31-2016

1.2.0 Ticket#256:AddedSYSBACKUPandSYSDGtogranteelistfor4.3.1

211|P a g e

03-31-2016

1.2.0 Ticket#254:Updatedrecommendationtexttosay'LessthanorEqualto10'on2.13

03-31-2016

1.2.0 Ticket#241:Addedmissingsemicoloninauditqueryon5.1

03-31-2016

1.2.0 Ticket#253:Removedquotesfromremediationcommandon2.2.2

03-31-2016

1.2.0 Ticket#261:AddedSYStotableownersandSYSMANtolistofauthorizedgranteesfor4.5.4

03-31-2016

1.2.0 Ticket#263:AddedSYStolistoftableowners

03-31-2016

1.2.0 Ticket#264:AddedAPEX_050000;SYSMAN_STB;SYSMAN_TYPEStolistofauthorizedgrantees

03-31-2016

1.2.0 Ticket#225:Updateddescriptionandrationalefor2.2.17

03-31-2016

1.2.0 Ticket#251:AddedAUDIT_ADMIN,AUDIT_VIEWER,CAPTURE_ADMIN,DBA,GSMADMIN_INTERNAL,ORACLE_OCM,SYSDG,SYSKM,XDBtolistofauthorizedgrantees

03-31-2016

1.2.0 Ticket#215:RevisedLISTENERsectionsandincludedLISTENER_HOMEreferences

03-31-2016

1.2.0 Ticket#242:Addedmissingsemicolonto4.1.4

03-31-2016

1.2.0 Ticket#266:Updatedauditquerytocheckforallprivileges,notonlyroles

03-31-2016

1.2.0 Ticket#265:AddedAPEX_050000tolistofauthorizedgranteeson4.7

03-31-2016

1.2.0 Ticket#252:Updateprofiletext(minor)

02-29-2016

2.0.0 Ticket#267:AddedacautionstatementaboutrevokingprivilegesfromPUBLIC.

212|P a g e

10-18-2016

2.0.0 Ticket#207:MovedexistingauditingrecommendationstoasubsectionnamedTraditionalAuditing(5.1)andaddedunifiedauditingrecommendationsunderasiblingsubsectioncalledUnifiedAuditing(5.2).

10-18-2016

2.0.0 Ticket#275:Correctedreferenceincludedfor2.2.2

10-18-2016

2.0.0 Ticket#276:Added‘DB’and‘XML’asvalidparametervaluesfor2.2.2

12-01-2016

2.0.0 Ticket#262:UpdatedGranteelistandaddedanotregardingPUBLICgrantsfor4.5.5

12-01-2016

2.0.0 Ticket#282:Correctedtypoin2.2.11whereitspecifiedUTIL_FILE_DIRinsteadofUTL_FILE_DIR

12-01-2016

2.0.0 Ticket#283:Updatedtitletoread“Ensure‘SEC_MAX_FAILED_LOGIN_ATTEMPTS’is‘10’”for2.2.13

12-01-2016

2.0.0 Ticket#284:Added“andOWNER=’SYS’”tothequeryfor4.5.2

12-01-2016


12-01-2016


12-01-2016


12-28-2016

2.0.0 PlannedUpdate

Date post:	08-Apr-2018
Category:	Documents
Upload:	dangtruc
View:	263 times
Download:	5 times

CIS Oracle Database 12c Benchmark v2.0.0-cc - itsecure.hu€¦ · 1 | Page This work is licensed...

Documents