CIS Oracle Database 12c Benchmark
v2.0.0 - 12-28-2016

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International Public License. The link to the license terms can be found at https://creativecommons.org/licenses/by-nc-sa/4.0/legalcode

To further clarify the Creative Commons license related to CIS Benchmark content, you are authorized to copy and redistribute the content for use by you, within your organization and outside your organization for non-commercial purposes only, provided that (i) appropriate credit is given to CIS, (ii) a link to the license is provided. Additionally, if you remix, transform or build upon the CIS Benchmark(s), you may only distribute the modified materials if they are subject to the same license terms as the original Benchmark license and your derivative will no longer be a CIS Benchmark. Commercial use of CIS Benchmarks is subject to the prior approval of the Center for Internet Security.
Table of Contents
Overview
Intended Audience
Consensus Guidance
Typographical Conventions
Scoring Information
Profile Definitions
Acknowledgements
Recommendations
1 Oracle Database Installation and Patching Requirements
1.1 Ensure the Appropriate Version/Patches for Oracle Software Is Installed (Not Scored)
1.2 Ensure All Default Passwords Are Changed (Scored)
1.3 Ensure All Sample Data And Users Have Been Removed (Scored)
2 Oracle Parameter Settings
2.1 Listener Settings
2.1.1 Ensure 'SECURE_CONTROL_<listener_name>' Is Set In 'listener.ora' (Scored)
2.1.2 Ensure 'extproc' Is Not Present in 'listener.ora' (Scored)
2.1.3 Ensure 'ADMIN_RESTRICTIONS_<listener_name>' Is Set to 'ON' (Scored)
2.1.4 Ensure 'SECURE_REGISTER_<listener_name>' Is Set to 'TCPS' or 'IPC' (Scored)
2.2 Database settings
2.2.1 Ensure 'AUDIT_SYS_OPERATIONS' Is Set to 'TRUE' (Scored)
2.2.2 Ensure 'AUDIT_TRAIL' Is Set to 'OS', 'DB,EXTENDED', or 'XML,EXTENDED' (Scored)
2.2.3 Ensure 'GLOBAL_NAMES' Is Set to 'TRUE' (Scored)
2.2.4 Ensure 'LOCAL_LISTENER' Is Set Appropriately (Scored)
2.2.5 Ensure 'O7_DICTIONARY_ACCESSIBILITY' Is Set to 'FALSE' (Scored)
2.2.6 Ensure 'OS_ROLES' Is Set to 'FALSE' (Scored)
2.2.7 Ensure 'REMOTE_LISTENER' Is Empty (Scored)
2.2.8 Ensure 'REMOTE_LOGIN_PASSWORDFILE' Is Set to 'NONE' (Scored)
2.2.9 Ensure 'REMOTE_OS_AUTHENT' Is Set to 'FALSE' (Scored)
2.2.10 Ensure 'REMOTE_OS_ROLES' Is Set to 'FALSE' (Scored)
2.2.11 Ensure 'UTL_FILE_DIR' Is Empty (Scored)
2.2.12 Ensure 'SEC_CASE_SENSITIVE_LOGON' Is Set to 'TRUE' (Scored)
2.2.13 Ensure 'SEC_MAX_FAILED_LOGIN_ATTEMPTS' Is '10' (Scored)
2.2.14 Ensure 'SEC_PROTOCOL_ERROR_FURTHER_ACTION' Is Set to 'DELAY,3' or 'DROP,3' (Scored)
2.2.15 Ensure 'SEC_PROTOCOL_ERROR_TRACE_ACTION' Is Set to 'LOG' (Scored)
2.2.16 Ensure 'SEC_RETURN_SERVER_RELEASE_BANNER' Is Set to 'FALSE' (Scored)
2.2.17 Ensure 'SQL92_SECURITY' Is Set to 'TRUE' (Scored)
2.2.18 Ensure '_TRACE_FILES_PUBLIC' Is Set to 'FALSE' (Scored)
2.2.19 Ensure 'RESOURCE_LIMIT' Is Set to 'TRUE' (Scored)
3 Oracle Connection and Login Restrictions
3.1 Ensure 'FAILED_LOGIN_ATTEMPTS' Is Less than or Equal to '5' (Scored)
3.2 Ensure 'PASSWORD_LOCK_TIME' Is Greater than or Equal to '1' (Scored)
3.3 Ensure 'PASSWORD_LIFE_TIME' Is Less than or Equal to '90' (Scored)
3.4 Ensure 'PASSWORD_REUSE_MAX' Is Greater than or Equal to '20' (Scored)
3.5 Ensure 'PASSWORD_REUSE_TIME' Is Greater than or Equal to '365' (Scored)
3.6 Ensure 'PASSWORD_GRACE_TIME' Is Less than or Equal to '5' (Scored)
3.7 Ensure 'DBA_USERS.PASSWORD' Is Not Set to 'EXTERNAL' for Any User (Scored)
3.8 Ensure 'PASSWORD_VERIFY_FUNCTION' Is Set for All Profiles (Scored)
3.9 Ensure 'SESSIONS_PER_USER' Is Less than or Equal to '10' (Scored)
3.10 Ensure No Users Are Assigned the 'DEFAULT' Profile (Scored)
4 Oracle User Access and Authorization Restrictions
4.1 Default Public Privileges for Packages and Object Types
4.1.1 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_ADVISOR' (Scored)
4.1.2 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_CRYPTO' (Scored)
4.1.3 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_JAVA' (Scored)
4.1.4 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_JAVA_TEST' (Scored)
4.1.5 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_JOB' (Scored)
4.1.6 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_LDAP' (Scored)
4.1.7 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_LOB' (Scored)
4.1.8 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_OBFUSCATION_TOOLKIT' (Scored)
4.1.9 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_RANDOM' (Scored)
4.1.10 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_SCHEDULER' (Scored)
4.1.11 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_SQL' (Scored)
4.1.12 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_XMLGEN' (Scored)
4.1.13 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_XMLQUERY' (Scored)
4.1.14 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_FILE' (Scored)
4.1.15 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_INADDR' (Scored)
4.1.16 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_TCP' (Scored)
4.1.17 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_MAIL' (Scored)
4.1.18 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_SMTP' (Scored)
4.1.19 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_DBWS' (Scored)
4.1.20 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_ORAMTS' (Scored)
4.1.21 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_HTTP' (Scored)
4.1.22 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'HTTPURITYPE' (Scored)
4.2 Revoke Non-Default Privileges for Packages and Object Types
4.2.1 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_SYS_SQL' (Scored)
4.2.2 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_BACKUP_RESTORE' (Scored)
4.2.3 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_AQADM_SYSCALLS' (Scored)
4.2.4 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_REPCAT_SQL_UTL' (Scored)
4.2.5 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'INITJVMAUX' (Scored)
4.2.6 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_STREAMS_ADM_UTL' (Scored)
4.2.7 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_AQADM_SYS' (Scored)
4.2.8 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_STREAMS_RPC' (Scored)
4.2.9 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_PRVTAQIM' (Scored)
4.2.10 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'LTADM' (Scored)
4.2.11 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'WWV_DBMS_SQL' (Scored)
4.2.12 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'WWV_EXECUTE_IMMEDIATE' (Scored)
4.2.13 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_IJOB' (Scored)
4.2.14 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_FILE_TRANSFER' (Scored)
4.3 Revoke Excessive System Privileges
4.3.1 Ensure 'SELECT_ANY_DICTIONARY' Is Revoked from Unauthorized 'GRANTEE' (Scored)
4.3.2 Ensure 'SELECT ANY TABLE' Is Revoked from Unauthorized 'GRANTEE' (Scored)
4.3.3 Ensure 'AUDIT SYSTEM' Is Revoked from Unauthorized 'GRANTEE' (Scored)
4.3.4 Ensure 'EXEMPT ACCESS POLICY' Is Revoked from Unauthorized 'GRANTEE' (Scored)
4.3.5 Ensure 'BECOME USER' Is Revoked from Unauthorized 'GRANTEE' (Scored)
4.3.6 Ensure 'CREATE_PROCEDURE' Is Revoked from Unauthorized 'GRANTEE' (Scored)
4.3.7 Ensure 'ALTER SYSTEM' Is Revoked from Unauthorized 'GRANTEE' (Scored)
4.3.8 Ensure 'CREATE ANY LIBRARY' Is Revoked from Unauthorized 'GRANTEE' (Scored)
4.3.9 Ensure 'CREATE LIBRARY' Is Revoked from Unauthorized 'GRANTEE' (Scored)
4.3.10 Ensure 'GRANT ANY OBJECT PRIVILEGE' Is Revoked from Unauthorized 'GRANTEE' (Scored)
4.3.11 Ensure 'GRANT ANY ROLE' Is Revoked from Unauthorized 'GRANTEE' (Scored)
4.3.12 Ensure 'GRANT ANY PRIVILEGE' Is Revoked from Unauthorized 'GRANTEE' (Scored)
4.4 Revoke Role Privileges
4.4.1 Ensure 'DELETE_CATALOG_ROLE' Is Revoked from Unauthorized 'GRANTEE' (Scored)
4.4.2 Ensure 'SELECT_CATALOG_ROLE' Is Revoked from Unauthorized 'GRANTEE' (Scored)
4.4.3 Ensure 'EXECUTE_CATALOG_ROLE' Is Revoked from Unauthorized 'GRANTEE' (Scored)
4.4.4 Ensure 'DBA' Is Revoked from Unauthorized 'GRANTEE' (Scored)
4.5 Revoke Excessive Table and View Privileges
4.5.1 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'AUD$' (Scored)
4.5.2 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'USER_HISTORY$' (Scored)
4.5.3 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'LINK$' (Scored)
4.5.4 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'SYS.USER$' (Scored)
4.5.5 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'DBA_%' (Scored)
4.5.6 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'SYS.SCHEDULER$_CREDENTIAL' (Scored)
4.5.7 Ensure 'SYS.USER$MIG' Has Been Dropped (Scored)
4.6 Ensure '%ANY%' Is Revoked from Unauthorized 'GRANTEE' (Scored)
4.7 Ensure 'DBA_SYS_PRIVS.%' Is Revoked from Unauthorized 'GRANTEE' with 'ADMIN_OPTION' Set to 'YES' (Scored)
4.8 Ensure Proxy Users Have Only 'CONNECT' Privilege (Scored)
4.9 Ensure 'EXECUTE ANY PROCEDURE' Is Revoked from 'OUTLN' (Scored)
4.10 Ensure 'EXECUTE ANY PROCEDURE' Is Revoked from 'DBSNMP' (Scored)
5 Audit/Logging Policies and Procedures
5.1 Traditional Auditing
5.1.1 Enable 'USER' Audit Option (Scored)
5.1.2 Enable 'ALTER USER' Audit Option (Scored)
5.1.3 Enable 'DROP USER' Audit Option (Scored)
5.1.4 Enable 'ROLE' Audit Option (Scored)
5.1.5 Enable 'SYSTEM GRANT' Audit Option (Scored)
5.1.6 Enable 'PROFILE' Audit Option (Scored)
5.1.7 Enable 'ALTER PROFILE' Audit Option (Scored)
5.1.8 Enable 'DROP PROFILE' Audit Option (Scored)
5.1.9 Enable 'DATABASE LINK' Audit Option (Scored)
5.1.10 Enable 'PUBLIC DATABASE LINK' Audit Option (Scored)
5.1.11 Enable 'PUBLIC SYNONYM' Audit Option (Scored)
5.1.12 Enable 'SYNONYM' Audit Option (Scored)
5.1.13 Enable 'GRANT DIRECTORY' Audit Option (Scored)
5.1.14 Enable 'SELECT ANY DICTIONARY' Audit Option (Scored)
5.1.15 Enable 'GRANT ANY OBJECT PRIVILEGE' Audit Option (Scored)
5.1.16 Enable 'GRANT ANY PRIVILEGE' Audit Option (Scored)
5.1.17 Enable 'DROP ANY PROCEDURE' Audit Option (Scored)
5.1.18 Enable 'ALL' Audit Option on 'SYS.AUD$' (Scored)
5.1.19 Enable 'PROCEDURE' Audit Option (Scored)
5.1.20 Enable 'ALTER SYSTEM' Audit Option (Scored)
5.1.21 Enable 'TRIGGER' Audit Option (Scored)
5.1.22 Enable 'CREATE SESSION' Audit Option (Scored)
5.2 Unified Auditing
5.2.1 Enable 'CREATE USER' Action Audit (Scored)
5.2.2 Enable 'ALTER USER' Action Audit (Scored)
5.2.3 Enable 'DROP USER' Audit Option (Scored)
5.2.4 Enable 'CREATE ROLE' Action Audit (Scored)
5.2.5 Enable 'ALTER ROLE' Action Audit (Scored)
5.2.6 Enable 'DROP ROLE' Action Audit (Scored)
5.2.7 Enable 'GRANT' Action Audit (Scored)
5.2.8 Enable 'REVOKE' Action Audit (Scored)
5.2.9 Enable 'CREATE PROFILE' Action Audit (Scored)
5.2.10 Enable 'ALTER PROFILE' Action Audit (Scored)
5.2.11 Enable 'DROP PROFILE' Action Audit (Scored)
5.2.12 Enable 'CREATE DATABASE LINK' Action Audit (Scored)
5.2.13 Enable 'ALTER DATABASE LINK' Action Audit (Scored)
5.2.14 Enable 'DROP DATABASE LINK' Action Audit (Scored)
5.2.15 Enable 'CREATE SYNONYM' Action Audit (Scored)
5.2.16 Enable 'ALTER SYNONYM' Action Audit (Scored)
5.2.17 Enable 'DROP SYNONYM' Action Audit (Scored)
5.2.18 Enable 'SELECT ANY DICTIONARY' Privilege Audit (Scored)
5.2.19 Enable 'UNIFIED_AUDIT_TRAIL' Access Audit (Scored)
5.2.20 Enable 'CREATE PROCEDURE/FUNCTION/PACKAGE/PACKAGE BODY' Action Audit (Scored)
5.2.21 Enable 'ALTER PROCEDURE/FUNCTION/PACKAGE/PACKAGE BODY' Action Audit (Scored)
5.2.22 Enable 'DROP PROCEDURE/FUNCTION/PACKAGE/PACKAGE BODY' Action Audit (Scored)
5.2.23 Enable 'ALTER SYSTEM' Privilege Audit (Scored)
5.2.24 Enable 'CREATE TRIGGER' Action Audit (Scored)
5.2.25 Enable 'ALTER TRIGGER' Action Audit (Scored)
5.2.26 Enable 'DROP TRIGGER' Action Audit (Scored)
5.2.27 Enable 'LOGON' AND 'LOGOFF' Actions Audit (Scored)
6 Appendix: Establishing an Audit/Scan User
Appendix: Change History
Overview

This document is intended to address the recommended security settings for Oracle Database 12c. This guide was tested against Oracle Database 12c (version 12.1.0.2) installed without pluggable database support running on a Windows Server 2012 R2 instance as a stand-alone system, and running on an Oracle Linux 7 instance also as a stand-alone system. Future Oracle Database 12c critical patch updates (CPUs) may impact the recommendations included in this document.

To obtain the latest version of this guide, please visit http://benchmarks.cisecurity.org. If you have questions, comments, or have identified ways to improve this guide, [email protected].

Intended Audience

This benchmark is intended for system and application administrators, security specialists, auditors, help desk, and platform deployment personnel who plan to develop, deploy, assess, or secure solutions that incorporate Oracle Database 12c on Oracle Linux or Microsoft Windows Server.

Consensus Guidance

This benchmark was created using a consensus review process comprised of subject matter experts. Consensus participants provide perspective from a diverse set of backgrounds including consulting, software development, audit and compliance, security research, operations, government, and legal.

Each CIS benchmark undergoes two phases of consensus review. The first phase occurs during initial benchmark development. During this phase, subject matter experts convene to discuss, create, and test working drafts of the benchmark. This discussion occurs until consensus has been reached on benchmark recommendations. The second phase begins after the benchmark has been published. During this phase, all feedback provided by the Internet community is reviewed by the consensus team for incorporation in the benchmark. If you are interested in participating in the consensus process, please visit https://community.cisecurity.org.
Typographical Conventions

The following typographical conventions are used throughout this guide:

Convention | Meaning
Stylized Monospace font | Used for blocks of code, command, and script examples. Text should be interpreted exactly as presented.
Monospace font | Used for inline code, commands, or examples. Text should be interpreted exactly as presented.
<italic font in brackets> | Italic texts set in angle brackets denote a variable requiring substitution for a real value.
Italic font | Used to denote the title of a book, article, or other publication.
Note | Additional information or caveats
Scoring Information

A scoring status indicates whether compliance with the given recommendation impacts the assessed target's benchmark score. The following scoring statuses are used in this benchmark:

Scored
Failure to comply with "Scored" recommendations will decrease the final benchmark score. Compliance with "Scored" recommendations will increase the final benchmark score.

Not Scored
Failure to comply with "Not Scored" recommendations will not decrease the final benchmark score. Compliance with "Not Scored" recommendations will not increase the final benchmark score.
Profile Definitions

The following configuration profiles are defined by this Benchmark:

• Level 1 - RDBMS using Traditional Auditing
Items in this profile apply to Oracle Database 12c configured to use Traditional Auditing and intend to:
o Be practical and prudent;
o Provide a clear security benefit; and
o Not inhibit the utility of the technology beyond acceptable means.

• Level 1 - Linux Host OS using Traditional Auditing
Items in this profile apply to Linux Host operating systems with Oracle Database 12c configured to use Traditional Auditing and intend to:
o Be practical and prudent;
o Provide a clear security benefit; and
o Not inhibit the utility of the technology beyond acceptable means.

• Level 1 - Windows Server Host OS using Traditional Auditing
Items in this profile apply to Windows Server operating systems with Oracle Database 12c configured to use Traditional Auditing and intend to:
o Be practical and prudent;
o Provide a clear security benefit; and
o Not inhibit the utility of the technology beyond acceptable means.

• Level 1 - RDBMS using Unified Auditing
Items in this profile apply to Oracle Database 12c configured to use Unified Auditing and intend to:
o Be practical and prudent;
o Provide a clear security benefit; and
o Not inhibit the utility of the technology beyond acceptable means.

• Level 1 - Linux Host OS using Unified Auditing
Items in this profile apply to Linux Host operating systems with Oracle Database 12c configured to use Unified Auditing and intend to:
o Be practical and prudent;
o Provide a clear security benefit; and
o Not inhibit the utility of the technology beyond acceptable means.

• Level 1 - Windows Server Host OS using Unified Auditing
Items in this profile apply to Windows Server operating systems with Oracle Database 12c configured to use Unified Auditing and intend to:
o Be practical and prudent;
o Provide a clear security benefit; and
o Not inhibit the utility of the technology beyond acceptable means.
Acknowledgements

This benchmark exemplifies the great things a community of users, vendors, and subject matter experts can accomplish through consensus collaboration. The CIS community thanks the entire consensus team with special recognition to the following individuals who contributed greatly to the creation of this guide:

Contributor
Kyle Thomason, Justin Brown, Gijs Hasselman, Stephen Dufour, Alexander Kornbrust, S. Brian Suddeth, Pieter Van Puymbroeck, Arman Rawls, Adam Montville, Timothy Harrison, Tung Bui Viet, Jignesh Patel, Than Thi Cham Vu, Dao Quang Quan Bui, Youfeng Shen, Ole-Andre Jørgensen, Dean Lackey

Editor
Angelo Marcotullio, Jay Mehta
Recommendations

1 Oracle Database Installation and Patching Requirements

One of the best ways to ensure Oracle security is to implement Critical Patch Updates (CPUs) as they come out, along with any applicable OS patches that will not interfere with system operations. It is additionally prudent to remove Oracle sample data from production environments.

1.1 Ensure the Appropriate Version/Patches for Oracle Software Is Installed (Not Scored)

Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing

Description:
The Oracle installation version, along with the patch level, should be the most recent that is compatible with the organization's operational needs.

Rationale:
As using the most recent Oracle database software, along with all applicable patches, can help limit the possibilities for vulnerabilities in the software, the installation version and/or patches applied during setup should be established according to the needs of the organization. Ensure you are using a release that is covered by a level of support that includes the generation of Critical Patch Updates.

Audit:
To assess this recommendation, use the following example shell command as appropriate for your environment.

For example, on Unix/Linux systems:
opatch lsinventory | grep -e "^.*<latest_patch_version_number>\s*.*$"

For example, on Windows systems:
opatch lsinventory | find "<latest_patch_version_number>"

Remediation:
Download and apply the latest quarterly Critical Patch Update patches.

References:
1. http://www.oracle.com/us/support/assurance/fixing-policies/index.html
2. http://www.oracle.com/technetwork/topics/security/alerts-086861.html
3. http://www.oracle.com/us/support/library/lifetime-support-technology-069183.pdf
1.2 Ensure All Default Passwords Are Changed (Scored)

Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing

Description:
The Oracle installation has a view called DBA_USERS_WITH_DEFPWD, which keeps a list of all database users making use of default passwords.

Rationale:
Default passwords should be considered "well known" to attackers. Consequently, if default passwords remain in place any attacker with access to the database then has the ability to authenticate as the user with that default password. When default passwords are altered, this circumstance is mitigated.

Audit:
To assess this recommendation, execute the following SQL statement.

SELECT USERNAME FROM DBA_USERS_WITH_DEFPWD WHERE USERNAME NOT LIKE '%XS$NULL%';

The assessment fails if results are returned.

Remediation:
To remediate this recommendation, you may perform either of the following actions.

• Manually issue the following SQL statement for each USERNAME returned in the Audit Procedure:

PASSWORD <username>

• Execute the following SQL script to randomly assign passwords:

-- Run in SQL*Plus with SET SERVEROUTPUT ON to see the DBMS_OUTPUT lines.
begin
  for r_user in (select username from dba_users_with_defpwd
                 where username not like '%XS$NULL%') loop
    DBMS_OUTPUT.PUT_LINE('Password for user '||r_user.username||' will be changed.');
    -- Assign a random 16-character password, then lock the account and expire the password.
    execute immediate 'alter user "'||r_user.username||'" identified by "'
                      ||DBMS_RANDOM.string('a',16)||'" account lock password expire';
  end loop;
end;
/

References:
1. http://docs.oracle.com/database/121/TDPSG/GUID-3EC7A894-D620-4497-AFB1-64EB8C33D854.htm#TDPSG20021
1.3 Ensure All Sample Data And Users Have Been Removed (Scored)

Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing

Description:
Oracle sample schemas are not needed for the operation of the database. These include, among others, information pertaining to sample schemas pertaining to Human Resources, Business Intelligence, Order Entry, and the like. These samples create sample users (BI, HR, OE, PM, IX, SH, SCOTT), in addition to tables and fictitious data.

Rationale:
The sample data is typically not required for production operations of the database and provides users with well-known default passwords, particular views, and procedures/functions. Such users, views, and/or procedures/functions could be used to launch exploits against production environments.

Audit:
To assess this recommendation, check for the presence of Oracle sample users by executing the following SQL statement.

SELECT USERNAME FROM ALL_USERS WHERE USERNAME IN ('BI','HR','IX','OE','PM','SCOTT','SH');

Remediation:
To remediate this setting, it is recommended that you execute the following SQL script.

$ORACLE_HOME/demo/schema/drop_sch.sql

Then, execute the following SQL statement.

DROP USER SCOTT CASCADE;

NOTE: The recycle bin is not set to OFF within the default drop script, which means that the data will still be present in your environment until the recycle bin is emptied.

Impact:
The Oracle sample usernames may be in use on a production basis. It is important that you first verify that BI, HR, IX, OE, PM, SCOTT, and/or SH are not valid production usernames before executing the dropping SQL scripts. This may be particularly true with the HR and BI users. If any of these users are present, it is important to be cautious and confirm the schemas present are, in fact, Oracle sample schemas and not production schemas being relied upon by business operations.

References:
1. http://docs.oracle.com/database/121/COMSC/toc.htm
20|P a g e
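The Impact note asks for confirmation that the accounts really are the sample schemas before they are dropped. The two queries below are an added example (not from the benchmark) that gather the facts supporting that decision: when each account was created and last used, how many objects it owns, how many objects in other schemas depend on it, which roles it holds, and exactly which outside objects would break when drop_sch.sql runs.

```sql
-- Added example, not from the CIS benchmark. Pre-drop check for the sample
-- schema accounts named in the recommendation: a genuine sample schema has no
-- dependants outside the sample schemas and no recent logins; a production
-- account that happens to share one of these names usually has both.
SELECT u.username,
       u.account_status,
       u.created,
       u.last_login,                                          -- 12c and later
       (SELECT COUNT(*) FROM dba_objects o
         WHERE o.owner = u.username)                          AS owned_objects,
       (SELECT COUNT(*) FROM dba_dependencies dp
         WHERE dp.referenced_owner = u.username
           AND dp.owner <> u.username)                        AS external_dependants,
       (SELECT COUNT(*) FROM dba_role_privs rp
         WHERE rp.grantee = u.username)                       AS roles_held
FROM   dba_users u
WHERE  u.username IN ('BI', 'HR', 'IX', 'OE', 'PM', 'SCOTT', 'SH')
ORDER  BY u.username;

-- What would break: every object outside the sample accounts (views, PL/SQL,
-- synonyms) that references one of them. The sample schemas reference each
-- other (OE builds on HR, for instance), hence the NOT IN on the owner.
SELECT dp.owner, dp.name, dp.type, dp.referenced_owner, dp.referenced_name
FROM   dba_dependencies dp
WHERE  dp.referenced_owner IN ('BI', 'HR', 'IX', 'OE', 'PM', 'SCOTT', 'SH')
AND    dp.owner NOT IN ('BI', 'HR', 'IX', 'OE', 'PM', 'SCOTT', 'SH')
ORDER  BY dp.owner, dp.name;
```

An empty second result and a first result showing no logins and only the objects the demo scripts create is the picture to expect from a real sample installation; anything else is a reason to pause, as the Impact note advises, before running drop_sch.sql.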
2 Oracle Parameter Settings
The operation of the Oracle database instance is governed by numerous parameters that are set in specific configuration files and are instance-specific in scope. As alterations of these parameters can cause problems ranging from denial-of-service to theft of proprietary information, these configurations should be carefully considered and maintained.
Note:
For all files that have parameters that can be modified with the OS and/or SQL commands/scripts, these will both be listed where appropriate.
2.1 Listener Settings
Settings for the TNS Listener listener.ora file.
2.1.1 Ensure 'SECURE_CONTROL_<listener_name>' Is Set In 'listener.ora' (Scored)
Profile Applicability:
• Level 1 - Linux Host OS using Traditional Auditing
• Level 1 - Windows Server Host OS using Traditional Auditing
Description:
The SECURE_CONTROL_<listener_name> setting determines the type of control connection the Oracle server requires for remote configuration of the listener.
Rationale:
As listener configuration changes via unencrypted remote connections can result in unauthorized users sniffing the control configuration information from the network, these control values should be set according to the needs of the organization.
Audit:
To audit this recommendation, follow these steps:
• Open the $ORACLE_HOME/network/admin/listener.ora file (or %ORACLE_HOME%\network\admin\listener.ora on Windows)
• Ensure that each defined listener has an associated SECURE_CONTROL_<listener_name> directive.
For example:
LISTENER1 =
  (DESCRIPTION=
    (ADDRESS=(PROTOCOL=TCP)(HOST=sales-server)(PORT=1521))
    (ADDRESS=(PROTOCOL=IPC)(KEY=REGISTER))
    (ADDRESS=(PROTOCOL=TCPS)(HOST=sales-server)(PORT=1522)))
SECURE_CONTROL_LISTENER1=TCPS
Remediation:
Set the SECURE_CONTROL_<listener_name> for each defined listener in the listener.ora file, according to the needs of the organization.
References:
1. http://docs.oracle.com/database/121/NETRF/listener.htm#NETRF327
2.1.2 Ensure 'extproc' Is Not Present in 'listener.ora' (Scored)
Profile Applicability:
• Level 1 - Linux Host OS using Traditional Auditing
• Level 1 - Windows Server Host OS using Traditional Auditing
Description:
Oracle extproc allows the database to run procedures from operating system libraries. These library calls can, in turn, run any operating system command.
Rationale:
extproc should be removed from the listener.ora to mitigate the risk that OS libraries can be invoked by the Oracle instance.
Audit:
To audit this recommendation, execute the following shell commands as appropriate for your Unix/Windows environment.
Unix environment:
grep -i extproc $ORACLE_HOME/network/admin/listener.ora
Windows environment:
find /I "extproc" %ORACLE_HOME%\network\admin\listener.ora
Ensure extproc does not exist.
Remediation:
Remove extproc from the listener.ora file.
References:
1. http://docs.oracle.com/database/121/DBSEG/app_devs.htm#DBSEG656
2.1.3 Ensure 'ADMIN_RESTRICTIONS_<listener_name>' Is Set to 'ON' (Scored)
Profile Applicability:
• Level 1 - Linux Host OS using Traditional Auditing
• Level 1 - Windows Server Host OS using Traditional Auditing
Description:
The admin_restrictions_<listener_name> setting in the listener.ora file can require that any attempted real-time alteration of the parameters in the listener via the set command be refused, so that changes can only be made by a privileged user manually altering the listener.ora file and then restarting the listener.
Rationale:
As blocking unprivileged users from making alterations of the listener.ora file, where remote data/services are specified, will help protect data confidentiality, this value should be set to the needs of the organization.
Audit:
To audit this recommendation, execute the following shell commands as appropriate for your Unix/Windows environment.
Unix environment:
grep -i admin_restrictions $ORACLE_HOME/network/admin/listener.ora
Windows environment:
find /I "admin_restrictions" %ORACLE_HOME%\network\admin\listener.ora
Ensure ADMIN_RESTRICTIONS_<listener_name> is set to ON for all listeners.
Remediation:
Use a text editor such as vi to set the ADMIN_RESTRICTIONS_<listener_name> to the value ON.
Default Value:
Not set.
References:
1. http://docs.oracle.com/database/121/NETRF/listener.htm#NETRF310
2.1.4 Ensure 'SECURE_REGISTER_<listener_name>' Is Set to 'TCPS' or 'IPC' (Scored)
Profile Applicability:
• Level 1 - Linux Host OS using Traditional Auditing
• Level 1 - Windows Server Host OS using Traditional Auditing
Description:
The SECURE_REGISTER_<listener_name> setting specifies the protocols which are used to connect to the TNS listener.
Rationale:
As listener configuration changes via unencrypted remote connections can result in unauthorized users sniffing the control configuration information from the network, these control values should be set according to the needs of the organization.
Audit:
To audit this recommendation, execute the following shell commands as appropriate for your Unix/Windows environment.
Unix environment:
grep -i SECURE_REGISTER $ORACLE_HOME/network/admin/listener.ora
Windows environment:
find /I "SECURE_REGISTER" %ORACLE_HOME%\network\admin\listener.ora
Ensure SECURE_REGISTER_<listener_name> is set to TCPS or IPC.
Remediation:
Use a text editor such as vi to set SECURE_REGISTER_<listener_name>=TCPS or SECURE_REGISTER_<listener_name>=IPC for each listener found in $ORACLE_HOME/network/admin/listener.ora.
References:
1. http://docs.oracle.com/database/121/NETRF/listener.htm#NETRF328
2. https://support.oracle.com/epmos/faces/ui/km/DocumentDisplay.jspx?id=1453883.1
3. https://support.oracle.com/epmos/faces/ui/km/DocumentDisplay.jspx?id=1340831.1
4. http://www.joxeankoret.com/download/tnspoison.pdf
Notes:
Oracle Real Application Clusters requires a different approach to fix the TNS Poisoning problem. See Oracle support note 1453883.1 for details.
2.2 Database settings
This section defines recommendations covering the general security configuration of the database instance. The listed recommendations ensure auditing is enabled, listeners are appropriately confined, and authentication is appropriately configured.
NOTE: The remediation procedures assume the use of a server parameter file, which is often a preferred method of storing server initialization parameters.
ALTER SYSTEM SET <configuration_item> = <value> SCOPE = SPFILE;
For your environment, leaving off the SCOPE = SPFILE directive or substituting that with SCOPE = BOTH might be preferred depending on the recommendation.
2.2.1 Ensure 'AUDIT_SYS_OPERATIONS' Is Set to 'TRUE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The AUDIT_SYS_OPERATIONS setting provides for the auditing of all user activities conducted under the SYSOPER and SYSDBA accounts.
Rationale:
If the parameter AUDIT_SYS_OPERATIONS is FALSE, no statements issued by SYSDBA/SYSOPER users are audited except Startup/Shutdown and Logon.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME) = 'AUDIT_SYS_OPERATIONS';
Ensure VALUE is set to TRUE.
Remediation:
To remediate this setting execute the following SQL statement.
ALTER SYSTEM SET AUDIT_SYS_OPERATIONS = TRUE SCOPE=SPFILE;
References:
1. http://docs.oracle.com/database/121/REFRN/GUID-58176267-238C-40B5-B1F2-BB8BB9518950.htm#REFRN10005
2.2.2 Ensure 'AUDIT_TRAIL' Is Set to 'OS', 'DB,EXTENDED', or 'XML,EXTENDED' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
Description:
The audit_trail setting determines whether or not Oracle's basic audit features are enabled. These can be set to "Operating System" (OS), "DB", "DB,EXTENDED", "XML" or "XML,EXTENDED".
Rationale:
As enabling the basic auditing features for the Oracle instance permits the collection of data to troubleshoot problems, as well as providing valuable forensic logs in the case of a system breach, this value should be set according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='AUDIT_TRAIL';
Ensure VALUE is set to DB, OS, XML, DB,EXTENDED or XML,EXTENDED.
Remediation:
To remediate this setting execute one of the following SQL statements.
ALTER SYSTEM SET AUDIT_TRAIL = DB, EXTENDED SCOPE = SPFILE;
ALTER SYSTEM SET AUDIT_TRAIL = OS SCOPE = SPFILE;
ALTER SYSTEM SET AUDIT_TRAIL = XML, EXTENDED SCOPE = SPFILE;
ALTER SYSTEM SET AUDIT_TRAIL = DB SCOPE = SPFILE;
ALTER SYSTEM SET AUDIT_TRAIL = XML SCOPE = SPFILE;
References:
1. http://docs.oracle.com/database/121/REFRN/GUID-BD86F593-B606-4367-9FB6-8DAB2E47E7FA.htm#REFRN10006
2. http://www.oracle.com/technetwork/products/audit-vault/learnmore/twp-security-auditperformance-166655.pdf
2.2.3 Ensure 'GLOBAL_NAMES' Is Set to 'TRUE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The global_names setting requires that the name of a database link matches that of the remote database it will connect to.
Rationale:
As not requiring database connections to match the domain that is being called remotely could allow unauthorized domain sources to potentially connect via brute-force tactics, this value should be set according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='GLOBAL_NAMES';
Ensure VALUE is set to TRUE.
Remediation:
To remediate this setting execute the following SQL statement.
ALTER SYSTEM SET GLOBAL_NAMES = TRUE SCOPE = SPFILE;
References:
1. http://docs.oracle.com/database/121/REFRN/GUID-221D0483-D814-4963-84E1-7D39A25048ED.htm#REFRN10065
2.2.4 Ensure 'LOCAL_LISTENER' Is Set Appropriately (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The local_listener setting specifies a network name that resolves to an address of the Oracle TNS listener.
Rationale:
The TNS poisoning attack allows an attacker to redirect TNS network traffic to another system by registering a listener with the TNS listener. This attack can be performed by unauthorized users with network access. By specifying the IPC protocol, it is no longer possible to register listeners via TCP/IP.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='LOCAL_LISTENER';
Ensure VALUE is set to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=REGISTER))).
Remediation:
To remediate this setting execute the following SQL statement.
ALTER SYSTEM SET LOCAL_LISTENER='[description]' SCOPE = BOTH;
Replace [description] with the appropriate description from your listener.ora file, where that description sets the PROTOCOL parameter to IPC. For example:
ALTER SYSTEM SET LOCAL_LISTENER='(DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=REGISTER)))' SCOPE=BOTH;
References:
1. http://docs.oracle.com/database/121/REFRN/GUID-70F5D04D-02A3-4E89-8A3F-9410B6861BC4.htm#REFRN10082
2. https://support.oracle.com/epmos/faces/ui/km/DocumentDisplay.jspx?id=1453883.1
3. https://support.oracle.com/epmos/faces/ui/km/DocumentDisplay.jspx?id=1340831.1
4. http://www.joxeankoret.com/download/tnspoison.pdf
Notes:
Oracle Real Application Clusters requires a different approach to fix the TNS Poisoning problem. See Oracle support note 1453883.1 for details.
2.2.5 Ensure 'O7_DICTIONARY_ACCESSIBILITY' Is Set to 'FALSE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The O7_dictionary_accessibility setting is a database initialization parameter that controls whether the EXECUTE ANY PROCEDURE and SELECT ANY DICTIONARY privileges give access to objects in the SYS schema; this functionality was created for the ease of migration from Oracle 7 databases to later versions.
Rationale:
As leaving the SYS schema so open to connection could permit unauthorized access to critical data structures, this value should be set according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='O7_DICTIONARY_ACCESSIBILITY';
Ensure VALUE is set to FALSE.
Remediation:
To remediate this setting execute the following SQL statement.
ALTER SYSTEM SET O7_DICTIONARY_ACCESSIBILITY=FALSE SCOPE = SPFILE;
References:
1. http://docs.oracle.com/database/121/REFRN/GUID-1D1A88F1-B603-48FF-BD30-E6099DB1A1ED.htm#REFRN10133
Notes:
The value for this is "O (oh) 7", not "0 (zero) 7", for "O7." Also, for "Oracle Applications" up to version 11.5.9, this setting is reversed: the "O7_dictionary_accessibility=TRUE" value is required for correct operations.
2.2.6 Ensure 'OS_ROLES' Is Set to 'FALSE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The os_roles setting permits externally created groups to be applied to database management.
Rationale:
As allowing the OS to use external groups for database management could cause privilege overlaps and generally weaken security, this value should be set according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='OS_ROLES';
Ensure VALUE is set to FALSE.
Remediation:
To remediate this setting execute the following SQL statement.
ALTER SYSTEM SET OS_ROLES = FALSE SCOPE = SPFILE;
References:
1. http://docs.oracle.com/database/121/REFRN/GUID-51CCE2D6-F841-4E02-A89D-EA08FC110CF3.htm#REFRN10153
2.2.7 Ensure 'REMOTE_LISTENER' Is Empty (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The remote_listener setting determines whether or not a valid listener can be established on a system separate from the database instance.
Rationale:
As permitting a remote listener for connections to the database instance can allow for the potential spoofing of connections, which could compromise data confidentiality and integrity, this value should be disabled/restricted according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='REMOTE_LISTENER';
Ensure VALUE is empty.
Remediation:
To remediate this setting execute the following SQL statement.
ALTER SYSTEM SET REMOTE_LISTENER = '' SCOPE = SPFILE;
References:
1. http://docs.oracle.com/database/121/REFRN/GUID-FEE2E8B5-CE02-4158-A6B4-030E59316756.htm#REFRN10183
Notes:
If set at remote_listener=true, the address/address list is taken from the TNSNAMES.ORA file.
2.2.8 Ensure 'REMOTE_LOGIN_PASSWORDFILE' Is Set to 'NONE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The remote_login_passwordfile setting specifies whether or not Oracle checks for a password file during login and how many databases can use the password file.
Rationale:
As the use of this sort of password login file could permit unsecured, privileged connections to the database, this value should be set according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='REMOTE_LOGIN_PASSWORDFILE';
Ensure VALUE is set to NONE.
Remediation:
To remediate this setting execute the following SQL statement.
ALTER SYSTEM SET REMOTE_LOGIN_PASSWORDFILE = 'NONE' SCOPE = SPFILE;
References:
1. http://docs.oracle.com/database/121/REFRN/GUID-6619299E-95E8-4821-B123-3B5899F046C7.htm#REFRN10184
2.2.9 Ensure 'REMOTE_OS_AUTHENT' Is Set to 'FALSE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The remote_os_authent setting determines whether or not OS 'roles' with the attendant privileges are allowed for remote client connections.
Rationale:
As permitting OS roles for database connections can allow the spoofing of connections and permit granting the privileges of an OS role to unauthorized users to make connections, this value should be restricted according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='REMOTE_OS_AUTHENT';
Ensure VALUE is set to FALSE.
Remediation:
To remediate this setting execute the following SQL statement.
ALTER SYSTEM SET REMOTE_OS_AUTHENT = FALSE SCOPE = SPFILE;
References:
1. http://docs.oracle.com/database/121/REFRN/GUID-AB66C849-FE5A-4E06-A6E1-AEE775D55703.htm#REFRN10185
2.2.10 Ensure 'REMOTE_OS_ROLES' Is Set to 'FALSE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The remote_os_roles setting permits remote users' OS roles to be applied to database management.
Rationale:
As allowing remote clients' OS roles to have permissions for database management could cause privilege overlaps and generally weaken security, this value should be set according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='REMOTE_OS_ROLES';
Ensure VALUE is set to FALSE.
Remediation:
To remediate this setting execute the following SQL statement.
ALTER SYSTEM SET REMOTE_OS_ROLES = FALSE SCOPE = SPFILE;
References:
1. http://docs.oracle.com/database/121/REFRN/GUID-BAA83447-14C1-4BE7-BB5D-806ED3E00AED.htm#REFRN10186
2.2.11 Ensure 'UTL_FILE_DIR' Is Empty (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The utl_file_dir setting allows packages like utl_file to access (read/write/modify/delete) files specified in utl_file_dir. (This is deprecated but usable in 11g.)
Rationale:
Using utl_file_dir to expose directories allows the manipulation of files in those directories, so the value should be left empty.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='UTL_FILE_DIR';
Ensure VALUE is empty.
Remediation:
To remediate this setting execute the following SQL statement.
ALTER SYSTEM SET UTL_FILE_DIR = '' SCOPE = SPFILE;
References:
1. http://docs.oracle.com/database/121/REFRN/GUID-DCA8A942-ACE1-46D6-876E-3244F390BCAE.htm#REFRN10230
2.2.12 Ensure 'SEC_CASE_SENSITIVE_LOGON' Is Set to 'TRUE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The SEC_CASE_SENSITIVE_LOGON setting determines whether or not case-sensitivity is required for passwords during login.
Due to the security bug CVE-2012-3137 it is recommended to set this parameter to TRUE if the October 2012 CPU/PSU or later was applied.
If the patch was not applied it is recommended to set this parameter to FALSE so that the vulnerability cannot be abused.
Rationale:
Oracle 11g databases without the CPU October 2012 patch or later are vulnerable to CVE-2012-3137 if case-sensitive SHA-1 password hashes are used. To avoid this kind of attack the old DES hashes have to be used.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='SEC_CASE_SENSITIVE_LOGON';
Ensure VALUE is set to TRUE.
Remediation:
To remediate this setting execute the following SQL statement.
ALTER SYSTEM SET SEC_CASE_SENSITIVE_LOGON = TRUE SCOPE = SPFILE;
Impact:
If SEC_CASE_SENSITIVE_LOGON is FALSE, all users with SHA-1 hashes only (select name, password, spare4 from sys.user$ where password is null and spare4 is not null) are no longer able to connect to the database. In this case the password for all users without a DES hash has to be set again.
References:
1. http://docs.oracle.com/database/121/REFRN/GUID-F464653A-0D43-4A70-8F05-0274A12C8578.htm#REFRN10299
2.2.13 Ensure 'SEC_MAX_FAILED_LOGIN_ATTEMPTS' Is '10' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The SEC_MAX_FAILED_LOGIN_ATTEMPTS parameter determines how many failed login attempts are allowed before Oracle closes the login connection.
Rationale:
As allowing an unlimited number of login attempts for a user connection can facilitate both brute-force login attacks and the occurrence of Denial-of-Service, this value (10) should be set according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='SEC_MAX_FAILED_LOGIN_ATTEMPTS';
Ensure VALUE is set to 10.
Remediation:
To remediate this setting execute the following SQL statement.
ALTER SYSTEM SET SEC_MAX_FAILED_LOGIN_ATTEMPTS = 10 SCOPE = SPFILE;
References:
1. http://docs.oracle.com/database/121/REFRN/GUID-DEC2A3B2-F49B-499E-A3CF-D097F3A5BA83.htm#REFRN10274
2.2.14 Ensure 'SEC_PROTOCOL_ERROR_FURTHER_ACTION' Is Set to 'DELAY,3' or 'DROP,3' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The SEC_PROTOCOL_ERROR_FURTHER_ACTION setting determines the Oracle server's response to bad/malformed packets received from the client.
Rationale:
As bad packets received from the client can potentially indicate packet-based attacks on the system, such as "TCP SYN Flood" or "Smurf" attacks, which could result in a Denial-of-Service condition, this value should be set according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='SEC_PROTOCOL_ERROR_FURTHER_ACTION';
Ensure VALUE is set to DELAY,3 or DROP,3.
Remediation:
To remediate this setting execute one of the following SQL statements.
ALTER SYSTEM SET SEC_PROTOCOL_ERROR_FURTHER_ACTION = 'DELAY,3' SCOPE = SPFILE;
ALTER SYSTEM SET SEC_PROTOCOL_ERROR_FURTHER_ACTION = 'DROP,3' SCOPE = SPFILE;
References:
1. http://docs.oracle.com/database/121/REFRN/GUID-1E8D3C6E-C919-4218-8117-760D31BD0F95.htm#REFRN10282
2.2.15 Ensure 'SEC_PROTOCOL_ERROR_TRACE_ACTION' Is Set to 'LOG' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The SEC_PROTOCOL_ERROR_TRACE_ACTION setting determines the Oracle server's logging response level to bad/malformed packets received from the client, by generating ALERT, LOG, or TRACE levels of detail in the log files.
Rationale:
As bad packets received from the client can potentially indicate packet-based attacks on the system, such as "TCP SYN Flood" or "Smurf" attacks, which could result in a Denial-of-Service condition, this diagnostic/logging value for ALERT, LOG, or TRACE conditions should be set according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='SEC_PROTOCOL_ERROR_TRACE_ACTION';
Ensure VALUE is set to LOG.
Remediation:
To remediate this setting execute the following SQL statement.
ALTER SYSTEM SET SEC_PROTOCOL_ERROR_TRACE_ACTION=LOG SCOPE = SPFILE;
References:
1. http://docs.oracle.com/database/121/REFRN/GUID-AE811BC1-8CED-4B21-B16C-4B712B127535.htm#REFRN10283
Notes:
Setting the value as SEC_PROTOCOL_ERROR_TRACE_ACTION=TRACE can generate an enormous amount of log output and should be reserved for debugging only.
2.2.16 Ensure 'SEC_RETURN_SERVER_RELEASE_BANNER' Is Set to 'FALSE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The information about the patch/update release number provides information about the exact patch/update release that is currently running on the database.
Rationale:
As allowing the database to return information about the patch/update release number could facilitate unauthorized users' attempts to gain access based upon known patch weaknesses, this value should be set according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='SEC_RETURN_SERVER_RELEASE_BANNER';
Ensure VALUE is set to FALSE.
Remediation:
To remediate this setting execute the following SQL statement.
ALTER SYSTEM SET SEC_RETURN_SERVER_RELEASE_BANNER = FALSE SCOPE = SPFILE;
References:
1. http://docs.oracle.com/database/121/REFRN/GUID-688102A0-11F5-4F06-8868-934D65C4E878.htm#REFRN10275
2.2.17 Ensure 'SQL92_SECURITY' Is Set to 'TRUE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The SQL92_SECURITY parameter setting TRUE requires that a user must also be granted the SELECT object privilege before being able to perform UPDATE or DELETE operations on tables that have WHERE or SET clauses.
Rationale:
A user without SELECT privilege can still infer the value stored in a column by referring to that column in a DELETE or UPDATE statement. This setting prevents inadvertent information disclosure by ensuring that only users who already have SELECT privilege can execute the statements that would allow them to infer the stored values.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='SQL92_SECURITY';
Ensure VALUE is set to TRUE.
Remediation:
To remediate this setting execute the following SQL statement.
ALTER SYSTEM SET SQL92_SECURITY = TRUE SCOPE = SPFILE;
Default Value:
FALSE
References:
1. http://docs.oracle.com/database/121/REFRN/GUID-E41087C2-250E-4201-908B-79E659B22A4B.htm#REFRN10210
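To make the inference described in the Rationale concrete, the following SQL*Plus script is an added example and not part of the benchmark. The schema app_owner, the account app_reader, the table salaries and both passwords are constructed for it. Run it in a non-CDB or inside a pluggable database (in CDB$ROOT the user names would need the C## prefix), once with SQL92_SECURITY left at its default of FALSE and once after the remediation above has taken effect.

```sql
-- Added example, not from the CIS benchmark. app_owner, app_reader, salaries
-- and the passwords are constructed for this demonstration.

-- Setup (run as a DBA): a table with a sensitive column, and an account that
-- holds UPDATE on it but deliberately not SELECT.
CREATE USER app_owner  IDENTIFIED BY "Demo-Owner-Pw-2016";
CREATE USER app_reader IDENTIFIED BY "Demo-Reader-Pw-2016";
GRANT CREATE SESSION TO app_owner, app_reader;
GRANT CREATE TABLE, UNLIMITED TABLESPACE TO app_owner;

CREATE TABLE app_owner.salaries (emp_id NUMBER PRIMARY KEY, amount NUMBER NOT NULL);
INSERT INTO app_owner.salaries VALUES (1,  52000);
INSERT INTO app_owner.salaries VALUES (2, 187000);
INSERT INTO app_owner.salaries VALUES (3,  61000);
COMMIT;
GRANT UPDATE ON app_owner.salaries TO app_reader;       -- no SELECT granted

-- Probe (run as app_reader). The SELECT is refused in both configurations.
-- The UPDATE assigns each row its own value, so it changes no data; what it
-- leaks is the row count that SQL*Plus reports for the WHERE condition.
CONNECT app_reader/"Demo-Reader-Pw-2016"
SELECT amount FROM app_owner.salaries;
UPDATE app_owner.salaries SET amount = amount WHERE amount > 150000;
ROLLBACK;

-- Clean-up (run as a DBA).
CONNECT / AS SYSDBA
DROP USER app_reader;
DROP USER app_owner CASCADE;
```

With SQL92_SECURITY at FALSE the UPDATE is accepted and its "rows updated" count tells app_reader how many salaries exceed the threshold, which repeated probing narrows to exact values; with the parameter at TRUE the same statement is rejected with ORA-01031 because app_reader lacks SELECT on the table, which is the protection the recommendation buys.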
2.2.18 Ensure '_TRACE_FILES_PUBLIC' Is Set to 'FALSE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The _trace_files_public setting determines whether or not the system's trace files are world readable.
Rationale:
As granting read permission to others means anyone can read the instance's trace files, which could contain sensitive information about instance operations, this value should be restricted according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT VALUE FROM V$PARAMETER WHERE NAME='_trace_files_public';
A VALUE equal to FALSE or lack of results implies compliance.
Remediation:
To remediate this setting execute the following SQL statement.
ALTER SYSTEM SET "_trace_files_public" = FALSE SCOPE = SPFILE;
References:
1. http://asktom.oracle.com/pls/asktom/f?p=100:11:0::::P11_QUESTION_ID:4295521746131
2.2.19 Ensure 'RESOURCE_LIMIT' Is Set to 'TRUE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
RESOURCE_LIMIT determines whether resource limits are enforced in database profiles.
Rationale:
If resource_limit is set to FALSE, none of the system resource limits that are set in any database profiles are enforced. If resource_limit is set to TRUE, then the limits set in database profiles are enforced.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='RESOURCE_LIMIT';
Ensure VALUE is set to TRUE.
Remediation:
To remediate this setting execute the following SQL statement.
ALTER SYSTEM SET RESOURCE_LIMIT = TRUE SCOPE = SPFILE;
Default Value:
FALSE
References:
1. http://docs.oracle.com/database/121/REFRN/GUID-BB0AB177-3867-4D0D-8700-A1AC8BDFEFC3.htm#REFRN10188
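Each recommendation in section 2.2 audits one parameter with its own query, and the note at the start of the section points out that a remediation done with SCOPE = SPFILE only takes effect after a restart. The query below is an added example, not part of the CIS benchmark, that applies all nineteen checks (2.2.1 to 2.2.19) in one pass and shows the spfile value next to the running value, so a pending restart is reported as such instead of as an unexplained failure. The expected values are the ones the recommendations state; the regular expressions and the PASS/FAIL wording are this example's own encoding of them.

```sql
-- Added example, not from the CIS benchmark: one pass over the section 2.2
-- parameters against V$PARAMETER (running values) and V$SPPARAMETER (spfile).
-- Run as a DBA. In a 12c container database V$PARAMETER reports the values of
-- the container you are connected to, so run it in each PDB as well.
WITH expected AS (
  SELECT 'audit_sys_operations' AS name, '^TRUE$' AS allowed, 'N' AS null_ok FROM DUAL UNION ALL
  -- 2.2.2 Audit step accepts DB and XML as well as the EXTENDED forms and OS
  SELECT 'audit_trail', '^(OS|DB|XML|DB, ?EXTENDED|XML, ?EXTENDED)$', 'N' FROM DUAL UNION ALL
  SELECT 'global_names', '^TRUE$', 'N' FROM DUAL UNION ALL
  -- 2.2.4: exact IPC descriptor; whitespace between the elements is tolerated
  SELECT 'local_listener',
         '^\(DESCRIPTION=\s*\(ADDRESS=\s*\(PROTOCOL=IPC\)\s*\(KEY=REGISTER\)\s*\)\s*\)$', 'N' FROM DUAL UNION ALL
  SELECT 'o7_dictionary_accessibility', '^FALSE$', 'N' FROM DUAL UNION ALL
  SELECT 'os_roles', '^FALSE$', 'N' FROM DUAL UNION ALL
  SELECT 'remote_listener', '^$', 'Y' FROM DUAL UNION ALL            -- 2.2.7: must be empty
  SELECT 'remote_login_passwordfile', '^NONE$', 'N' FROM DUAL UNION ALL
  SELECT 'remote_os_authent', '^FALSE$', 'N' FROM DUAL UNION ALL
  SELECT 'remote_os_roles', '^FALSE$', 'N' FROM DUAL UNION ALL
  SELECT 'utl_file_dir', '^$', 'Y' FROM DUAL UNION ALL                -- 2.2.11: must be empty
  SELECT 'sec_case_sensitive_logon', '^TRUE$', 'N' FROM DUAL UNION ALL
  SELECT 'sec_max_failed_login_attempts', '^10$', 'N' FROM DUAL UNION ALL
  -- 2.2.14: either action; surrounding parentheses, if displayed, are tolerated
  SELECT 'sec_protocol_error_further_action', '^\(?(DELAY|DROP), ?3\)?$', 'N' FROM DUAL UNION ALL
  SELECT 'sec_protocol_error_trace_action', '^LOG$', 'N' FROM DUAL UNION ALL
  SELECT 'sec_return_server_release_banner', '^FALSE$', 'N' FROM DUAL UNION ALL
  SELECT 'sql92_security', '^TRUE$', 'N' FROM DUAL UNION ALL
  SELECT '_trace_files_public', '^FALSE$', 'Y' FROM DUAL UNION ALL    -- 2.2.18: absent is compliant
  SELECT 'resource_limit', '^TRUE$', 'N' FROM DUAL
),
spfile AS (
  -- one row per parameter; MAX() collapses the per-instance rows a RAC spfile can hold
  SELECT name, MAX(value) AS value
  FROM   v$spparameter
  WHERE  isspecified = 'TRUE'
  GROUP  BY name
)
SELECT e.name,
       NVL(p.value, '<not set>') AS running_value,
       NVL(s.value, '<not set>') AS spfile_value,
       CASE
         WHEN p.value IS NULL AND e.null_ok = 'Y'  THEN 'PASS'
         WHEN p.value IS NULL                      THEN 'FAIL'
         WHEN REGEXP_LIKE(p.value, e.allowed, 'i') THEN 'PASS'
         ELSE                                           'FAIL'
       END AS status,
       CASE
         WHEN NVL(p.value, '~') <> NVL(s.value, '~')
           THEN 'spfile differs from memory: restart pending, or change made with SCOPE=MEMORY'
       END AS note
FROM   expected e
LEFT JOIN v$parameter p ON p.name = e.name
LEFT JOIN spfile      s ON s.name = e.name
ORDER  BY status, e.name;
```

Read the two value columns together: a FAIL whose spfile_value already matches the expected value just needs the restart the section note mentions, while a PASS whose spfile_value differs would be lost at the next restart because the change was made in memory only rather than with SCOPE = SPFILE or BOTH.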
3 Oracle Connection and Login Restrictions
The restrictions on Client/User connections to the Oracle database help block unauthorized access to data and services by setting access rules. These security measures help to ensure that successful logins cannot be easily made through brute-force password attacks or intuited by clever social engineering exploits. Settings are generally recommended to be applied to all defined profiles rather than by using only the DEFAULT profile. All values assigned below are the recommended minimums or maximums; higher, more restrictive values can be applied at the discretion of the organization by creating a separate profile to assign to a different user group.
3.1 Ensure 'FAILED_LOGIN_ATTEMPTS' Is Less than or Equal to '5' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The failed_login_attempts setting determines how many failed login attempts are permitted before the system locks the user's account. While different profiles can have different and more restrictive settings, such as USERS and APPS, the minimum(s) recommended here should be set on the DEFAULT profile.
Rationale:
As repeated failed login attempts can indicate the initiation of a brute-force login attack, this value should be set according to the needs of the organization (see the warning below on a known bug that can make this security measure backfire).
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE RESOURCE_NAME='FAILED_LOGIN_ATTEMPTS' AND ( LIMIT = 'DEFAULT' OR LIMIT = 'UNLIMITED' OR LIMIT > 5 );
Lack of results implies compliance.
Remediation:
Remediate this setting by executing the following SQL statement for each PROFILE returned by the audit procedure.
ALTER PROFILE <profile_name> LIMIT FAILED_LOGIN_ATTEMPTS 5;
Warning:
One very great concern with the above is the possibility of this setting being exploited to craft a DDoS attack by using the row-locking delay between failed login attempts (see Oracle Bug 7715339 – Logon failures causes "row cache lock" waits – Allow disable of logon delay [ID 7715339.8], so the configuration of this setting depends on using the bug workaround). Also, while the failed_login_attempts value can also be set in sqlnet.ora, this only applies to listed users. The similar setting used to block a DDoS, the SEC_MAX_FAILED_LOGIN_ATTEMPTS initialization parameter, can be used to protect the server processes for applications against unauthorized intruders, but this setting does not protect against unauthorized attempts via valid usernames.
3.2 Ensure 'PASSWORD_LOCK_TIME' Is Greater than or Equal to '1' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The PASSWORD_LOCK_TIME setting determines how many days must pass for the user's account to be unlocked after the set number of failed login attempts has occurred.
Rationale:
As locking the user account after repeated failed login attempts can block further brute-force login attacks, but can create administrative headaches as this account unlocking process always requires DBA intervention, this value should be set according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE RESOURCE_NAME='PASSWORD_LOCK_TIME' AND ( LIMIT = 'DEFAULT' OR LIMIT = 'UNLIMITED' OR LIMIT < 1 );
Lack of results implies compliance.
Remediation:
Remediate this setting by executing the following SQL statement for each PROFILE returned by the audit procedure.
ALTER PROFILE <profile_name> LIMIT PASSWORD_LOCK_TIME 1;
3.3 Ensure 'PASSWORD_LIFE_TIME' Is Less than or Equal to '90' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The password_life_time setting determines how long a password may be used before the user is required to change it.
Rationale:
As allowing passwords to remain unchanged for long periods makes the success of brute-force login attacks more likely, this value should be set according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE RESOURCE_NAME='PASSWORD_LIFE_TIME' AND ( LIMIT = 'DEFAULT' OR LIMIT = 'UNLIMITED' OR LIMIT > 90 );
Lack of results implies compliance.
Remediation:
Remediate this setting by executing the following SQL statement for each PROFILE returned by the audit procedure.
ALTER PROFILE <profile_name> LIMIT PASSWORD_LIFE_TIME 90;
3.4 Ensure 'PASSWORD_REUSE_MAX' Is Greater than or Equal to '20' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The password_reuse_max setting determines how many different passwords must be used before the user is allowed to reuse a prior password.
Rationale:
As allowing reuse of a password within a short period of time after the password's initial use can make the success of both social-engineering and brute-force password-based attacks more likely, this value should be set according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE RESOURCE_NAME='PASSWORD_REUSE_MAX' AND ( LIMIT = 'DEFAULT' OR LIMIT = 'UNLIMITED' OR LIMIT < 20 );
Lack of results implies compliance.
Remediation:
Remediate this setting by executing the following SQL statement for each PROFILE returned by the audit procedure.
ALTER PROFILE <profile_name> LIMIT PASSWORD_REUSE_MAX 20;
Notes:
The above restriction should be applied along with the password_reuse_time setting.
3.5 Ensure 'PASSWORD_REUSE_TIME' Is Greater than or Equal to '365' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The password_reuse_time setting determines the amount of time in days that must pass before the same password may be reused.
Rationale:
As reusing the same password after only a short period of time has passed makes the success of brute-force login attacks more likely, this value should be set according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE RESOURCE_NAME='PASSWORD_REUSE_TIME' AND ( LIMIT = 'DEFAULT' OR LIMIT = 'UNLIMITED' OR LIMIT < 365 );
Lack of results implies compliance.
Remediation:
Remediate this setting by executing the following SQL statement for each PROFILE returned by the audit procedure.
ALTER PROFILE <profile_name> LIMIT PASSWORD_REUSE_TIME 365;
Notes:
The above restriction should be applied along with the password_reuse_max setting.
3.6 Ensure 'PASSWORD_GRACE_TIME' Is Less than or Equal to '5' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The password_grace_time setting determines how many days can pass after the user's password expires before the user's login capability is automatically locked out.
Rationale:
As locking the user account after the expiration of the password change requirement's grace period can help prevent password-based attacks against forgotten or disused accounts, while still allowing the account and its information to be accessible by DBA intervention, this value should be set according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE RESOURCE_NAME='PASSWORD_GRACE_TIME' AND ( LIMIT = 'DEFAULT' OR LIMIT = 'UNLIMITED' OR LIMIT > 5 );
Lack of results implies compliance.
Remediation:
Remediate this setting by executing the following SQL statement for each PROFILE returned by the audit procedure.
ALTER PROFILE <profile_name> LIMIT PASSWORD_GRACE_TIME 5;
3.7 Ensure 'DBA_USERS.PASSWORD' Is Not Set to 'EXTERNAL' for Any User (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The password='EXTERNAL' setting determines whether or not a user can be authenticated by a remote OS to allow access to the database with full authorization.
Rationale:
As allowing remote OS authentication of a user to the database can potentially allow supposed "privileged users" to connect as "authenticated," even when the remote system is compromised, these logins should be disabled/restricted according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT USERNAME FROM DBA_USERS WHERE PASSWORD='EXTERNAL';
Lack of results implies compliance.
Remediation:
To remediate this setting, execute the following SQL statement.
ALTER USER <username> IDENTIFIED BY <password>;
Notes:
The PASSWORD keyword (column) used in the SQL for prior Oracle versions has been deprecated from version 11.2 onward in favor of the new AUTHENTICATION_TYPE keyword (column) for the DBA_USERS table. However, the PASSWORD column has still been retained for backward compatibility.
3.8 Ensure 'PASSWORD_VERIFY_FUNCTION' Is Set for All Profiles (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The password_verify_function determines password settings requirements when a user password is changed at the SQL command prompt. This setting does not apply for users managed by the Oracle password file.
Rationale:
As requiring users to apply the 11gr2 security features in password creation, such as forcing mixed-case complexity, the blocking of simple combinations, and change/history settings can potentially thwart logins by unauthorized users, this function should be applied/enabled according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PROFILE, RESOURCE_NAME FROM DBA_PROFILES WHERE RESOURCE_NAME='PASSWORD_VERIFY_FUNCTION' AND (LIMIT = 'DEFAULT' OR LIMIT = 'NULL');
Lack of results implies compliance.
Remediation:
Create a custom password verification function which fulfills the password requirements of the organization.
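The following is an added worked example, not part of the CIS benchmark text, of a custom password verification function of the kind this remediation calls for. It implements the checks named in the rationale (a minimum length, mixed case with a digit, no username inside the password, and a minimum difference from the previous password). The function name cis_verify_function, the minimum length of 12 and the difference count of 3 are assumptions chosen for the example; the (username, password, old_password) RETURN BOOLEAN signature and SYS ownership are what Oracle requires of a PASSWORD_VERIFY_FUNCTION.

```sql
-- Added example (not benchmark code). Create as SYS; thresholds are assumptions.
CREATE OR REPLACE FUNCTION cis_verify_function (
  username     VARCHAR2,
  password     VARCHAR2,
  old_password VARCHAR2)
RETURN BOOLEAN IS
  l_min_length CONSTANT PLS_INTEGER := 12;  -- assumed organizational minimum
  l_min_differ CONSTANT PLS_INTEGER := 3;   -- assumed: positions that must change
  l_diff       PLS_INTEGER := 0;
BEGIN
  -- Minimum length.
  IF LENGTH(password) < l_min_length THEN
    raise_application_error(-20001,
      'Password must be at least ' || l_min_length || ' characters');
  END IF;

  -- Mixed-case complexity plus at least one digit.
  IF NOT REGEXP_LIKE(password, '[[:lower:]]')
     OR NOT REGEXP_LIKE(password, '[[:upper:]]')
     OR NOT REGEXP_LIKE(password, '[[:digit:]]') THEN
    raise_application_error(-20002,
      'Password must contain upper-case, lower-case and numeric characters');
  END IF;

  -- Block the simplest combination: the username embedded in the password.
  -- INSTR is used rather than a regular expression so that metacharacters in
  -- the username cannot change the meaning of the check.
  IF INSTR(UPPER(password), UPPER(username)) > 0 THEN
    raise_application_error(-20003, 'Password must not contain the username');
  END IF;

  -- History/change check. old_password is NULL when the caller did not supply
  -- REPLACE <old> (for example a DBA reset), so the check only runs when present.
  IF old_password IS NOT NULL THEN
    IF UPPER(password) = UPPER(old_password) THEN
      raise_application_error(-20004,
        'Password must differ from the previous password');
    END IF;
    -- Count positions that differ, plus any change in length.
    FOR i IN 1 .. LEAST(LENGTH(password), LENGTH(old_password)) LOOP
      IF SUBSTR(password, i, 1) <> SUBSTR(old_password, i, 1) THEN
        l_diff := l_diff + 1;
      END IF;
    END LOOP;
    l_diff := l_diff + ABS(LENGTH(password) - LENGTH(old_password));
    IF l_diff < l_min_differ THEN
      raise_application_error(-20005,
        'Password must differ from the previous password in at least '
        || l_min_differ || ' characters');
    END IF;
  END IF;

  RETURN TRUE;
END cis_verify_function;
/

-- Attach the function to each profile returned by the audit query above
-- (shown here for the DEFAULT profile).
ALTER PROFILE DEFAULT LIMIT PASSWORD_VERIFY_FUNCTION cis_verify_function;
```

Raising an error with a specific message, as Oracle's own utlpwdmg.sql template does, tells the user why the password was rejected instead of leaving them with the generic ORA-28003; the closing ALTER PROFILE is repeated for every profile the audit query lists.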
3.9 Ensure 'SESSIONS_PER_USER' Is Less than or Equal to '10' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The SESSIONS_PER_USER (Number of sessions allowed) setting determines the maximum number of user sessions that are allowed to be open concurrently.
Rationale:
As limiting SESSIONS_PER_USER can help prevent memory resource exhaustion by poorly formed requests or intentional Denial-of-Service attacks, this value should be set according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE RESOURCE_NAME='SESSIONS_PER_USER' AND ( LIMIT = 'DEFAULT' OR LIMIT = 'UNLIMITED' OR LIMIT > 10 );
Lack of results implies compliance.
Remediation:
To remediate this setting, execute the following SQL statement for each PROFILE returned by the audit procedure.
ALTER PROFILE <profile_name> LIMIT SESSIONS_PER_USER 10;
Notes:
The SESSIONS_PER_USER profile management capability was created to prevent resource exhaustion at a time when resources were very expensive. As current database design may require much higher limits on this parameter if one "user" handles all processing for specific types of batch/customer connections, this must be handled via a new user profile.
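As an added example that is not part of the benchmark, the following PL/SQL block evaluates recommendations 3.3 to 3.6 and 3.9 in one pass over DBA_PROFILES and prints, rather than executes, the ALTER PROFILE statement for every non-compliant profile and resource. The rule list (resource name, benchmark value, and whether that value is an upper or a lower bound) is constructed from those recommendations; everything else is ordinary data dictionary and DBMS_OUTPUT usage.

```sql
-- Added example (not benchmark code): consolidated profile audit for 3.3-3.6
-- and 3.9 that generates, but does not run, the remediation statements.
SET SERVEROUTPUT ON
DECLARE
  CURSOR c_noncompliant IS
    WITH rules AS (
      -- Constructed from the benchmark thresholds.
      -- direction MAX: the limit must be <= bench; MIN: the limit must be >= bench.
      SELECT 'PASSWORD_LIFE_TIME'  AS resource_name,  90 AS bench, 'MAX' AS direction FROM DUAL UNION ALL
      SELECT 'PASSWORD_REUSE_MAX',                     20,          'MIN'              FROM DUAL UNION ALL
      SELECT 'PASSWORD_REUSE_TIME',                   365,          'MIN'              FROM DUAL UNION ALL
      SELECT 'PASSWORD_GRACE_TIME',                     5,          'MAX'              FROM DUAL UNION ALL
      SELECT 'SESSIONS_PER_USER',                      10,          'MAX'              FROM DUAL
    )
    SELECT p.profile, p.resource_name, p.limit, r.bench
    FROM   dba_profiles p
    JOIN   rules r ON r.resource_name = p.resource_name
    WHERE  CASE
             -- CASE evaluates its branches in order, so the keyword values are
             -- handled before TO_NUMBER is ever applied to the LIMIT string.
             WHEN p.limit IN ('DEFAULT', 'UNLIMITED')                    THEN 1
             WHEN r.direction = 'MAX' AND TO_NUMBER(p.limit) > r.bench  THEN 1
             WHEN r.direction = 'MIN' AND TO_NUMBER(p.limit) < r.bench  THEN 1
             ELSE 0
           END = 1
    ORDER BY p.profile, p.resource_name;
BEGIN
  FOR rec IN c_noncompliant LOOP
    -- One comment line describing the finding, then the statement to review.
    DBMS_OUTPUT.PUT_LINE('-- ' || rec.profile || ': ' || rec.resource_name
                         || ' is currently ' || rec.limit);
    DBMS_OUTPUT.PUT_LINE('ALTER PROFILE "' || rec.profile || '" LIMIT '
                         || rec.resource_name || ' ' || rec.bench || ';');
  END LOOP;
END;
/
```

A limit of DEFAULT means the profile inherits the DEFAULT profile's value at run time; the benchmark still treats it as non-compliant, so the generated statement sets an explicit value. Review the output before running it, since the note under 3.9 explains that some application accounts legitimately need a higher SESSIONS_PER_USER in a profile of their own.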
3.10 Ensure No Users Are Assigned the 'DEFAULT' Profile (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
Upon creation, database users are assigned to the DEFAULT profile unless otherwise specified.
Rationale:
It is recommended that users be created with function-appropriate profiles. The DEFAULT profile, being defined by Oracle, is subject to change at any time (e.g. by patch or version update). The DEFAULT profile has unlimited settings that are often required by the SYS user when patching; such unlimited settings should be tightly reserved and not applied to unnecessary users.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT USERNAME FROM DBA_USERS WHERE PROFILE='DEFAULT' AND ACCOUNT_STATUS='OPEN' AND USERNAME NOT IN ('ANONYMOUS', 'CTXSYS', 'DBSNMP', 'EXFSYS', 'LBACSYS', 'MDSYS', 'MGMT_VIEW','OLAPSYS','OWBSYS', 'ORDPLUGINS', 'ORDSYS', 'OUTLN', 'SI_INFORMTN_SCHEMA','SYS', 'SYSMAN', 'SYSTEM', 'TSMSYS', 'WK_TEST', 'WKSYS', 'WKPROXY', 'WMSYS', 'XDB', 'CISSCAN');
Lack of results implies compliance.
Remediation:
To remediate this recommendation, execute the following SQL statement for each user returned by the audit query, using a function-appropriate profile.
ALTER USER <username> PROFILE <appropriate_profile>;
4 Oracle User Access and Authorization Restrictions
The capability to use database resources at a given level, or user authorization rules, allows for user manipulation of the various parts of the Oracle database. These authorizations must be structured to block unauthorized use and/or corruption of vital data and services by setting restrictions on user capabilities, particularly those of the user PUBLIC. Such security measures help to ensure that successful logins cannot be easily redirected.
IMPORTANT: Use caution when revoking privileges from PUBLIC. Oracle and third-party products explicitly require default grants to PUBLIC for commonly used functions, objects, and in view definitions. After revoking any privilege from PUBLIC, verify that applications keep running properly. After revoking privileges from PUBLIC, recompile invalid database objects. Specific grants to users and roles may be needed to make all objects valid. Please see the following Oracle support document, which provides further information and SQL statements that can be used to determine dependencies that require explicit grants.
Be Cautious When Revoking Privileges Granted to PUBLIC (Doc ID 247093.1)
Always test database changes in Development and Test environments before making changes to Production databases.
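As an added example, not taken from the benchmark or from the Oracle support document it cites, the following script shows the check, revoke, re-grant and recompile sequence described above against the data dictionary, using DBMS_LOB (recommendation 4.1.7) as the sample package. The scratch table name cis_valid_before and the schema app_owner are placeholders; the ORACLE_MAINTAINED column of DBA_USERS, used to exclude Oracle-supplied schemas, exists from 12c onward.

```sql
-- Added example (not benchmark or Oracle-support text): the check / revoke /
-- recompile sequence from the IMPORTANT note, applied to DBMS_LOB (4.1.7).
-- Placeholders: cis_valid_before (scratch table), app_owner (a schema from step 1).

-- 1. Before revoking: which non-Oracle schemas own objects that reference the
--    package, directly or through its PUBLIC synonym? Each owner listed here
--    needs an explicit GRANT EXECUTE once the PUBLIC grant is gone.
SELECT DISTINCT d.owner, d.name, d.type
FROM   dba_dependencies d
WHERE  d.referenced_name  = 'DBMS_LOB'
AND    d.referenced_owner IN ('SYS', 'PUBLIC')
AND    d.owner NOT IN (SELECT username FROM dba_users WHERE oracle_maintained = 'Y')
ORDER  BY d.owner, d.name;

-- 2. Record what is valid now, so that anything invalid afterwards can be
--    attributed to the revoke rather than to pre-existing breakage.
CREATE TABLE cis_valid_before AS
SELECT owner, object_name, object_type
FROM   dba_objects
WHERE  status = 'VALID';

-- 3. The revoke itself (recommendation 4.1.7).
REVOKE EXECUTE ON DBMS_LOB FROM PUBLIC;

-- 4. Re-grant explicitly, one schema at a time, only to owners found in step 1.
GRANT EXECUTE ON DBMS_LOB TO app_owner;

-- 5. Recompile whatever the revoke invalidated, then list every object that was
--    valid in step 2 and is still invalid now: each row points at a missing grant.
EXEC UTL_RECOMP.RECOMP_SERIAL();

SELECT o.owner, o.object_name, o.object_type
FROM   dba_objects o
JOIN   cis_valid_before b
  ON   b.owner       = o.owner
 AND   b.object_name = o.object_name
 AND   b.object_type = o.object_type
WHERE  o.status = 'INVALID'
ORDER  BY o.owner, o.object_name;

DROP TABLE cis_valid_before PURGE;
```

Step 1 also serves as the pre-change impact list for the Development and Test run the section asks for; step 4 is repeated once per schema that step 1 returned, and a non-empty result from step 5 means a grant is still missing.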
4.1 Default Public Privileges for Packages and Object Types
Revoke default public execute privileges from powerful packages and object types.
4.1.1 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_ADVISOR' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database DBMS_ADVISOR package can be used to write files located on the server where the Oracle instance is installed.
Rationale:
As use of the DBMS_ADVISOR package could allow an unauthorized user to corrupt operating system files on the instance's host, use of this package should be restricted according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_ADVISOR';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_ADVISOR FROM PUBLIC;
References:
1. http://docs.oracle.com/database/121/ARPLS/d_advis.htm#ARPLS350
4.1.2 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_CRYPTO' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The DBMS_CRYPTO settings provide a toolset that determines the strength of the encryption algorithm used to encrypt application data and is part of the SYS schema. The DES (56-bit key), 3DES (168-bit key), 3DES-2KEY (112-bit key), AES (128/192/256-bit keys), and RC4 algorithms are available.
Rationale:
As execution of these cryptography procedures by the user PUBLIC can potentially endanger portions of or all of the data storage, this value should be set according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND TABLE_NAME='DBMS_CRYPTO';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_CRYPTO FROM PUBLIC;
References:
1. http://docs.oracle.com/database/121/ARPLS/d_crypto.htm#ARPLS664
4.1.3 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_JAVA' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database DBMS_JAVA package can run Java classes (e.g. OS commands) or grant Java privileges.
Rationale:
The DBMS_JAVA package could allow an attacker to run operating system commands from the database.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_JAVA';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_JAVA FROM PUBLIC;
References:
1. http://docs.oracle.com/database/121/JJDEV/appendixa.htm#JJDEV13000
4.1.4 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_JAVA_TEST' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database DBMS_JAVA_TEST package can run Java classes (e.g. OS commands) or grant Java privileges.
Rationale:
The DBMS_JAVA_TEST package could allow an attacker to run operating system commands from the database.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_JAVA_TEST';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_JAVA_TEST FROM PUBLIC;
Notes:
Undocumented
4.1.5 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_JOB' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database DBMS_JOB package schedules and manages the jobs sent to the job queue and has been superseded by the DBMS_SCHEDULER package, even though DBMS_JOB has been retained for backwards compatibility.
Rationale:
As use of the DBMS_JOB package could allow an unauthorized user to disable or overload the job queue, and the package has been superseded by DBMS_SCHEDULER, this package should be disabled or restricted according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_JOB';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_JOB FROM PUBLIC;
References:
1. http://docs.oracle.com/database/121/ARPLS/d_job.htm#ARPLS019
4.1.6 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_LDAP' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database DBMS_LDAP package contains functions and procedures that enable programmers to access data from LDAP servers.
Rationale:
As the DBMS_LDAP package can be used to create specially crafted error messages or to send information via DNS to the outside, use of this package should be restricted according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_LDAP';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_LDAP FROM PUBLIC;
References:
1. http://docs.oracle.com/database/121/ARPLS/d_ldap.htm#ARPLS360
4.1.7 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_LOB' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database DBMS_LOB package provides subprograms that can manipulate and read/write BLOBs, CLOBs, NCLOBs, BFILEs, and temporary LOBs.
Rationale:
As use of the DBMS_LOB package could allow an unauthorized user to manipulate BLOBs, CLOBs, NCLOBs, BFILEs, and temporary LOBs on the instance, either destroying data or causing a Denial-of-Service condition due to corruption of disk space, use of this package should be restricted according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_LOB';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_LOB FROM PUBLIC;
References:
1. http://docs.oracle.com/database/121/ARPLS/d_lob.htm#ARPLS600
4.1.8 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_OBFUSCATION_TOOLKIT' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The DBMS_OBFUSCATION_TOOLKIT settings provide one of the tools that determine the strength of the encryption algorithm used to encrypt application data and is part of the SYS schema. DES (56-bit key) and 3DES (168-bit key) are the only two types available.
Rationale:
As allowing the PUBLIC user privileges to access this capability can potentially harm the data storage, this access should be set according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_OBFUSCATION_TOOLKIT';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_OBFUSCATION_TOOLKIT FROM PUBLIC;
4.1.9 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_RANDOM' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database DBMS_RANDOM package is used for generating random numbers but should not be used for cryptographic purposes.
Rationale:
As assignment of use of the DBMS_RANDOM package can allow the unauthorized application of the random number-generating function, this capability should be restricted according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_RANDOM';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_RANDOM FROM PUBLIC;
References:
1. http://docs.oracle.com/cd/E11882_01/appdev.112/e25788/d_random.htm
Notes:
The OEM cautions that removing this from PUBLIC may break certain applications.
4.1.10 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_SCHEDULER' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database DBMS_SCHEDULER package schedules and manages the database and operating system jobs.
Rationale:
As use of the DBMS_SCHEDULER package could allow an unauthorized user to run database or operating system jobs, use of this package should be restricted according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_SCHEDULER';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_SCHEDULER FROM PUBLIC;
References:
1. http://docs.oracle.com/database/121/ARPLS/d_sched.htm#ARPLS72235
4.1.11 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_SQL' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database DBMS_SQL package is used for running dynamic SQL statements.
Rationale:
The DBMS_SQL package could allow privilege escalation if the input validation is not done properly.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_SQL';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_SQL FROM PUBLIC;
References:
1. http://docs.oracle.com/database/121/ARPLS/d_sql.htm#ARPLS058
4.1.12 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_XMLGEN' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The DBMS_XMLGEN package takes an arbitrary SQL query as input, converts it to XML format, and returns the result as a CLOB.
Rationale:
The package DBMS_XMLGEN can be used to search the entire database for critical information like credit card numbers and other sensitive information.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_XMLGEN';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_XMLGEN FROM PUBLIC;
References:
1. http://docs.oracle.com/database/121/ARPLS/d_xmlgen.htm#ARPLS374
2. http://www.red-database-security.com/wp/confidence2009.pdf
4.1.13 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_XMLQUERY' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle package DBMS_XMLQUERY takes an arbitrary SQL query, converts it to XML format, and returns the result. This package is similar to DBMS_XMLGEN.
Rationale:
The package DBMS_XMLQUERY can be used to search the entire database for critical information like credit card numbers and other sensitive information.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_XMLQUERY';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_XMLQUERY FROM PUBLIC;
References:
1. http://docs.oracle.com/database/121/ARPLS/d_xmlque.htm#ARPLS376
4.1.14 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_FILE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database UTL_FILE package can be used to read/write files located on the server where the Oracle instance is installed.
Rationale:
Use of the UTL_FILE package could allow a user to read files at the operating system level. These files could contain sensitive information (e.g. passwords in .bash_history).
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='UTL_FILE';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON UTL_FILE FROM PUBLIC;
References:
1. http://docs.oracle.com/database/121/ARPLS/u_file.htm#ARPLS069
4.1.15 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_INADDR' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database UTL_INADDR package can be used to create specially crafted error messages or send information via DNS to the outside.
Rationale:
As the UTL_INADDR package is often used in SQL injection attacks from the web, it should be revoked from PUBLIC.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='UTL_INADDR';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON UTL_INADDR FROM PUBLIC;
References:
1. http://docs.oracle.com/database/121/ARPLS/u_inaddr.htm#ARPLS071
4.1.16 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_TCP' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database UTL_TCP package can be used to read from and write to TCP sockets on the server where the Oracle instance is installed.
Rationale:
As use of the UTL_TCP package could allow an unauthorized user to corrupt the TCP stream used to carry the protocols that make up the instance's external communications, use of this package should be restricted according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='UTL_TCP';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON UTL_TCP FROM PUBLIC;
References:
1. http://docs.oracle.com/database/121/ARPLS/u_tcp.htm#ARPLS075
4.1.17 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_MAIL' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database UTL_MAIL package can be used to send email from the server where the Oracle instance is installed.
Rationale:
As use of the UTL_MAIL package could allow an unauthorized user to corrupt the SMTP function to accept or generate junk mail that can result in a Denial-of-Service condition due to network saturation, use of this package should be restricted according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='UTL_MAIL';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON UTL_MAIL FROM PUBLIC;
References:
1. http://docs.oracle.com/database/121/ARPLS/u_mail.htm#ARPLS384
4.1.18 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_SMTP' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database UTL_SMTP package can be used to send email from the server where the Oracle instance is installed.
Rationale:
As use of the UTL_SMTP package could allow an unauthorized user to corrupt the SMTP function to accept or generate junk mail that can result in a Denial-of-Service condition due to network saturation, use of this package should be restricted according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='UTL_SMTP';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON UTL_SMTP FROM PUBLIC;
References:
1. http://docs.oracle.com/database/121/ARPLS/u_smtp.htm#ARPLS074
4.1.19 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_DBWS' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database UTL_DBWS package can be used to read from and write to web-based applications from the server where the Oracle instance is installed. This package is not automatically installed for security reasons.
Rationale:
As use of the UTL_DBWS package could allow an unauthorized user to corrupt the HTTP stream used to carry the protocols that make up the instance's web-based external communications, use of this package should be restricted according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='UTL_DBWS';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON UTL_DBWS FROM PUBLIC;
References:
1. https://docs.oracle.com/database/121/JJPUB/intro.htm#BHCIBFGJ
4.1.20 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_ORAMTS' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database UTL_ORAMTS package can be used to perform HTTP requests. This could be used to send information to the outside.
Rationale:
As the UTL_ORAMTS package could be used to send (sensitive) information to external websites, the use of this package should be restricted according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='UTL_ORAMTS';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON UTL_ORAMTS FROM PUBLIC;
References:
1. http://docs.oracle.com/database/121/NTMTS/recovery.htm#sthref73
4.1.21 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_HTTP' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database UTL_HTTP package can be used to perform HTTP requests. This could be used to send information to the outside.
Rationale:
As the UTL_HTTP package could be used to send (sensitive) information to external websites, the use of this package should be restricted according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='UTL_HTTP';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON UTL_HTTP FROM PUBLIC;
References:
1. http://docs.oracle.com/database/121/ARPLS/u_http.htm#ARPLS070
4.1.22 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'HTTPURITYPE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database HTTPURITYPE object type can be used to perform HTTP requests.
Rationale:
The ability to perform HTTP requests could be used to leak information from the database to an external destination.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='HTTPURITYPE';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON HTTPURITYPE FROM PUBLIC;
References:
1. http://docs.oracle.com/database/121/ARPLS/t_dburi.htm#ARPLS71705
4.2 Revoke Non-Default Privileges for Packages and Object Types
The recommendations within this section revoke excessive privileges for packages and object types.
4.2.1 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_SYS_SQL' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database DBMS_SYS_SQL package is shipped as undocumented.
Rationale:
Use of the DBMS_SYS_SQL package could allow a user to run code as a different user without entering user credentials.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_SYS_SQL';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_SYS_SQL FROM PUBLIC;
References:
1. http://asktom.oracle.com/pls/asktom/f?p=100:11:0::::P11_QUESTION_ID:1325202421535
4.2.2 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_BACKUP_RESTORE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database DBMS_BACKUP_RESTORE package is used for applying PL/SQL commands to the native RMAN sequences.
Rationale:
Use of the DBMS_BACKUP_RESTORE package can allow access to file permissions at the operating system level.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_BACKUP_RESTORE';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_BACKUP_RESTORE FROM PUBLIC;
References:
1. http://psoug.org/reference/dbms_backup_restore.html
2. http://davidalejomarcos.wordpress.com/2011/09/13/how-to-list-files-on-a-directory-from-oracle-database/
4.2.3 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_AQADM_SYSCALLS' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database DBMS_AQADM_SYSCALLS package is shipped as undocumented and allows running SQL commands as user SYS.
Rationale:
Use of the DBMS_AQADM_SYSCALLS package could allow an unauthorized user to run SQL commands as user SYS.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_AQADM_SYSCALLS';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_AQADM_SYSCALLS FROM PUBLIC;
References:
1. http://securityvulns.ru/files/ohh-indirect-privilege-escalation.pdf
4.2.4 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_REPCAT_SQL_UTL' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database DBMS_REPCAT_SQL_UTL package is shipped as undocumented and allows running SQL commands as user SYS.
Rationale:
Use of the DBMS_REPCAT_SQL_UTL package could allow an unauthorized user to run SQL commands as user SYS.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_REPCAT_SQL_UTL';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_REPCAT_SQL_UTL FROM PUBLIC;
References:
1. http://securityvulns.ru/files/ohh-indirect-privilege-escalation.pdf
4.2.5 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'INITJVMAUX' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database INITJVMAUX package is shipped as undocumented and allows running SQL commands as user SYS.
Rationale:
Use of the INITJVMAUX package could allow an unauthorized user to run SQL commands as user SYS.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='INITJVMAUX';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON INITJVMAUX FROM PUBLIC;
References:
1. http://securityvulns.ru/files/ohh-indirect-privilege-escalation.pdf
4.2.6 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_STREAMS_ADM_UTL' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database DBMS_STREAMS_ADM_UTL package is shipped as undocumented and allows running SQL commands as user SYS.
Rationale:
Use of the DBMS_STREAMS_ADM_UTL package could allow an unauthorized user to run SQL commands as user SYS.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_STREAMS_ADM_UTL';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_STREAMS_ADM_UTL FROM PUBLIC;
References:
1. http://securityvulns.ru/files/ohh-indirect-privilege-escalation.pdf
4.2.7 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_AQADM_SYS' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database DBMS_AQADM_SYS package is shipped as undocumented and allows SQL commands to be run as user SYS.
Rationale:
Use of the DBMS_AQADM_SYS package could allow an unauthorized user to run SQL commands as user SYS.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_AQADM_SYS';
The assessment fails if results are returned.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE EXECUTE ON DBMS_AQADM_SYS FROM PUBLIC;
4.2.8 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_STREAMS_RPC' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database DBMS_STREAMS_RPC package is shipped as undocumented and allows SQL commands to be run as user SYS.
Rationale:
Use of the DBMS_STREAMS_RPC package could allow an unauthorized user to run SQL commands as user SYS.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_STREAMS_RPC';
The assessment fails if results are returned.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE EXECUTE ON DBMS_STREAMS_RPC FROM PUBLIC;
References:
1. http://securityvulns.ru/files/ohh-indirect-privilege-escalation.pdf
4.2.9 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_PRVTAQIM' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database DBMS_PRVTAQIM package is shipped as undocumented and allows SQL commands to be run as user SYS.
Rationale:
Use of the DBMS_PRVTAQIM package could allow an unauthorized user to escalate privileges because any SQL statements could be executed as user SYS.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_PRVTAQIM';
The assessment fails if results are returned.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE EXECUTE ON DBMS_PRVTAQIM FROM PUBLIC;
References:
1. http://securityvulns.ru/files/ohh-indirect-privilege-escalation.pdf
4.2.10 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'LTADM' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database LTADM package is shipped as undocumented and allows privilege escalation if granted to unprivileged users.
Rationale:
Use of the LTADM package could allow an unauthorized user to run any SQL command as user SYS.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='LTADM';
The assessment fails if results are returned.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE EXECUTE ON LTADM FROM PUBLIC;
References:
1. http://securityvulns.ru/files/ohh-indirect-privilege-escalation.pdf
4.2.11 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'WWV_DBMS_SQL' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database WWV_DBMS_SQL package is shipped as undocumented and allows Oracle Application Express to run dynamic SQL statements.
Rationale:
Use of the WWV_DBMS_SQL package could allow an unauthorized user to run SQL statements as the Application Express (APEX) user.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='WWV_DBMS_SQL';
The assessment fails if results are returned.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE EXECUTE ON WWV_DBMS_SQL FROM PUBLIC;
4.2.12 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'WWV_EXECUTE_IMMEDIATE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database WWV_EXECUTE_IMMEDIATE package is shipped as undocumented and allows Oracle Application Express to run dynamic SQL statements.
Rationale:
Use of the WWV_EXECUTE_IMMEDIATE package could allow an unauthorized user to run SQL statements as the Application Express (APEX) user.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='WWV_EXECUTE_IMMEDIATE';
The assessment fails if results are returned.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE EXECUTE ON WWV_EXECUTE_IMMEDIATE FROM PUBLIC;
References:
1. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-1811
4.2.13 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_IJOB' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database DBMS_IJOB package is shipped as undocumented and allows database jobs to be run in the context of another user.
Rationale:
Use of the DBMS_IJOB package could allow an attacker to change identities by using a different username to execute a database job.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_IJOB';
The assessment fails if results are returned.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE EXECUTE ON DBMS_IJOB FROM PUBLIC;
4.2.14 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_FILE_TRANSFER' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database DBMS_FILE_TRANSFER package allows files to be transferred from one database server to another.
Rationale:
Use of the DBMS_FILE_TRANSFER package could allow files to be transferred from one database server to another.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_FILE_TRANSFER';
The assessment fails if results are returned.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE EXECUTE ON DBMS_FILE_TRANSFER FROM PUBLIC;
References:
1. http://docs.oracle.com/database/121/ARPLS/d_ftran.htm#ARPLS095
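Recommendations 4.2.4 through 4.2.14 each audit one package with the same query shape. The following is an added example, not part of the CIS Benchmark, that performs the audit for all of them in a single pass and then builds the matching REVOKE statements from the actual DBA_TAB_PRIVS rows, so that each statement names the object owner explicitly instead of relying on a public synonym. The package list is taken from the recommendations above; the dry-run switch l_apply and the SQL*Plus session settings are this example's own.

```sql
-- Added example, not from the CIS Benchmark: one audit pass over the packages
-- covered by recommendations 4.2.4 through 4.2.14. Package names are those
-- listed in the recommendations above; nothing else is assumed.
SELECT owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee   = 'PUBLIC'
   AND privilege = 'EXECUTE'
   AND table_name IN ('DBMS_REPCAT_SQL_UTL', 'INITJVMAUX',
                      'DBMS_STREAMS_ADM_UTL', 'DBMS_AQADM_SYS',
                      'DBMS_STREAMS_RPC', 'DBMS_PRVTAQIM', 'LTADM',
                      'WWV_DBMS_SQL', 'WWV_EXECUTE_IMMEDIATE',
                      'DBMS_IJOB', 'DBMS_FILE_TRANSFER')
 ORDER BY owner, table_name;

-- Remediation helper (SQL*Plus, run as a DBA): build the REVOKE statements from
-- the same rows. The OWNER column is used so each statement names the real
-- object rather than a synonym. l_apply is this example's own dry-run switch:
-- FALSE only prints the statements, TRUE executes them as well.
SET SERVEROUTPUT ON
DECLARE
  l_apply CONSTANT BOOLEAN := FALSE;
  l_sql   VARCHAR2(4000);
  l_count PLS_INTEGER := 0;
BEGIN
  FOR r IN (SELECT owner, table_name
              FROM dba_tab_privs
             WHERE grantee   = 'PUBLIC'
               AND privilege = 'EXECUTE'
               AND table_name IN ('DBMS_REPCAT_SQL_UTL', 'INITJVMAUX',
                                  'DBMS_STREAMS_ADM_UTL', 'DBMS_AQADM_SYS',
                                  'DBMS_STREAMS_RPC', 'DBMS_PRVTAQIM', 'LTADM',
                                  'WWV_DBMS_SQL', 'WWV_EXECUTE_IMMEDIATE',
                                  'DBMS_IJOB', 'DBMS_FILE_TRANSFER'))
  LOOP
    l_sql := 'REVOKE EXECUTE ON "' || r.owner || '"."' || r.table_name
             || '" FROM PUBLIC';
    IF l_apply THEN
      EXECUTE IMMEDIATE l_sql;
    END IF;
    DBMS_OUTPUT.PUT_LINE(l_sql || ';');
    l_count := l_count + 1;
  END LOOP;
  DBMS_OUTPUT.PUT_LINE(l_count || ' PUBLIC EXECUTE grant(s) found');
END;
/
```

Revoking EXECUTE from PUBLIC invalidates any object that compiled against that grant, so run the block with l_apply left at FALSE first, check DBA_DEPENDENCIES for the packages that were reported, and apply the change on a non-production instance before production.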
4.3 Revoke Excessive System Privileges
The recommendations within this section revoke excessive system privileges.
4.3.1 Ensure 'SELECT_ANY_DICTIONARY' Is Revoked from Unauthorized 'GRANTEE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database SELECT ANY DICTIONARY privilege allows the designated user to access SYS schema objects.
Rationale:
The Oracle database SELECT ANY DICTIONARY privilege allows the designated user to access SYS schema objects. The Oracle password hashes are part of the SYS schema and can be selected using the SELECT ANY DICTIONARY privilege.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='SELECT ANY DICTIONARY' AND GRANTEE NOT IN ('DBA','DBSNMP','OEM_MONITOR', 'OLAPSYS','ORACLE_OCM','SYSMAN','WMSYS','SYSBACKUP','SYSDG');
Lack of results implies compliance.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE SELECT ANY DICTIONARY FROM <grantee>;
References:
1. http://docs.oracle.com/database/121/DBSEG/authorization.htm#DBSEG99870
2. http://docs.oracle.com/database/121/REFRN/GUID-10024282-6729-4C66-8679-FD653C9C7DE7.htm#REFRN-GUID-10024282-6729-4C66-8679-FD653C9C7DE7
3. http://arup.blogspot.de/2011/07/difference-between-select-any.html
4.3.2 Ensure 'SELECT ANY TABLE' Is Revoked from Unauthorized 'GRANTEE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database SELECT ANY TABLE privilege allows the designated user to open any table, except those of SYS, to view it.
Rationale:
As assignment of the SELECT ANY TABLE privilege can allow the unauthorized viewing of sensitive data, this capability should be restricted according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='SELECT ANY TABLE' AND GRANTEE NOT IN ('DBA', 'MDSYS', 'SYS', 'IMP_FULL_DATABASE', 'EXP_FULL_DATABASE', 'DATAPUMP_IMP_FULL_DATABASE', 'WMSYS', 'SYSTEM','OLAP_DBA', 'DV_REALM_OWNER');
Lack of results implies compliance.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE SELECT ANY TABLE FROM <grantee>;
References:
1. http://docs.oracle.com/database/121/SQLRF/statements_10002.htm#SQLRF01702
Notes:
If 'O7_DICTIONARY_ACCESSIBILITY' has been set to TRUE (a non-default setting), then the SELECT ANY TABLE privilege also provides access to SYS objects.
4.3.3 Ensure 'AUDIT SYSTEM' Is Revoked from Unauthorized 'GRANTEE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database AUDIT SYSTEM privilege allows changes to the auditing activities on the system.
Rationale:
As assignment of the AUDIT SYSTEM privilege can allow the unauthorized alteration of system audit activities, disabling the creation of audit trails, this capability should be restricted according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='AUDIT SYSTEM' AND GRANTEE NOT IN ('DBA','DATAPUMP_IMP_FULL_DATABASE','IMP_FULL_DATABASE', 'SYS','AUDIT_ADMIN');
Lack of results implies compliance.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE AUDIT SYSTEM FROM <grantee>;
References:
1. http://docs.oracle.com/database/121/SQLRF/statements_4007.htm#SQLRF01107
2. http://docs.oracle.com/database/121/SQLRF/statements_4008.htm#SQLRF56110
4.3.4 Ensure 'EXEMPT ACCESS POLICY' Is Revoked from Unauthorized 'GRANTEE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database EXEMPT ACCESS POLICY keyword provides the user the capability to access all the table rows regardless of row-level security lockouts.
Rationale:
As assignment of the EXEMPT ACCESS POLICY privilege can allow an unauthorized user to potentially access/change confidential data, this capability should be restricted according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='EXEMPT ACCESS POLICY';
Lack of results implies compliance.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE EXEMPT ACCESS POLICY FROM <grantee>;
References:
1. http://docs.oracle.com/database/121/DBSEG/audit_config.htm#DBSEG703
2. http://docs.oracle.com/database/121/DBSEG/vpd.htm#CIHEEAFJ
4.3.5 Ensure 'BECOME USER' Is Revoked from Unauthorized 'GRANTEE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database BECOME USER privilege allows the designated user to inherit the rights of another user.
Rationale:
As assignment of the BECOME USER privilege can allow the unauthorized use of another user's privileges, this capability should be restricted according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='BECOME USER' AND GRANTEE NOT IN ('DBA','SYS','IMP_FULL_DATABASE');
Lack of results implies compliance.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE BECOME USER FROM <grantee>;
References:
1. http://docs.oracle.com/database/121/DBSEG/guidelines.htm#DBSEG499
4.3.6 Ensure 'CREATE_PROCEDURE' Is Revoked from Unauthorized 'GRANTEE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database CREATE PROCEDURE privilege allows the designated user to create a stored procedure that will fire when given the correct command sequence.
Rationale:
As assignment of the CREATE PROCEDURE privilege can lead to severe problems in unauthorized hands, such as rogue procedures facilitating data theft or Denial-of-Service by corrupting data tables, this capability should be restricted according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='CREATE PROCEDURE' AND GRANTEE NOT IN ( 'DBA','DBSNMP','MDSYS','OLAPSYS','OWB$CLIENT', 'OWBSYS','RECOVERY_CATALOG_OWNER','SPATIAL_CSW_ADMIN_USR', 'SPATIAL_WFS_ADMIN_USR','SYS','APEX_030200','APEX_040000', 'APEX_040100','APEX_040200','DVF','RESOURCE','DV_REALM_RESOURCE', 'APEX_GRANTS_FOR_NEW_USERS_ROLE','APEX_050000','MGMT_VIEW', 'SYSMAN_MDS','SYSMAN_OPSS','SYSMAN_RO','SYSMAN_STB');
Lack of results implies compliance.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE CREATE PROCEDURE FROM <grantee>;
References:
1. http://docs.oracle.com/database/121/DBSEG/guidelines.htm#DBSEG499
4.3.7 Ensure 'ALTER SYSTEM' Is Revoked from Unauthorized 'GRANTEE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database ALTER SYSTEM privilege allows the designated user to dynamically alter the instance's running operations.
Rationale:
As assignment of the ALTER SYSTEM privilege can lead to severe problems, such as the instance's session being killed or the stopping of redo log recording, which would make transactions unrecoverable, this capability should be severely restricted according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='ALTER SYSTEM' AND GRANTEE NOT IN ('SYS','SYSTEM','APEX_030200','APEX_040000', 'APEX_040100','APEX_040200','DBA','EM_EXPRESS_ALL','SYSBACKUP','GSMADMIN_ROLE', 'GSM_INTERNAL','SYSDG','GSMADMIN_INTERNAL');
Lack of results implies compliance.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE ALTER SYSTEM FROM <grantee>;
References:
1. http://docs.oracle.com/database/121/DBSEG/guidelines.htm#DBSEG499
4.3.8 Ensure 'CREATE ANY LIBRARY' Is Revoked from Unauthorized 'GRANTEE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database CREATE ANY LIBRARY privilege allows the designated user to create objects that are associated to the shared libraries.
Rationale:
As assignment of the CREATE ANY LIBRARY privilege can allow the creation of numerous library-associated objects and potentially corrupt the libraries' integrity, this capability should be restricted according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='CREATE ANY LIBRARY' AND GRANTEE NOT IN ('SYS','SYSTEM','DBA','IMP_FULL_DATABASE');
Lack of results implies compliance.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE CREATE ANY LIBRARY FROM <grantee>;
References:
1. http://docs.oracle.com/database/121/DBSEG/guidelines.htm#DBSEG499
2. http://docs.oracle.com/database/121/ADMIN/manproc.htm#ADMIN00501
Notes:
Oracle has 2 identical privileges: CREATE LIBRARY and CREATE ANY LIBRARY.
4.3.9 Ensure 'CREATE LIBRARY' Is Revoked from Unauthorized 'GRANTEE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database CREATE LIBRARY privilege allows the designated user to create objects that are associated to the shared libraries.
Rationale:
As assignment of the CREATE LIBRARY privilege can allow the creation of numerous library-associated objects and potentially corrupt the libraries' integrity, this capability should be restricted according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='CREATE LIBRARY' AND GRANTEE NOT IN ('SYS','SYSTEM','DBA','MDSYS','SPATIAL_WFS_ADMIN_USR', 'SPATIAL_CSW_ADMIN_USR','DVSYS','GSMADMIN_INTERNAL','XDB');
Lack of results implies compliance.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE CREATE LIBRARY FROM <grantee>;
References:
1. http://docs.oracle.com/database/121/DBSEG/guidelines.htm#DBSEG499
2. http://docs.oracle.com/database/121/ADMIN/manproc.htm#ADMIN00501
Notes:
Oracle has 2 identical privileges: CREATE LIBRARY and CREATE ANY LIBRARY.
4.3.10 Ensure 'GRANT ANY OBJECT PRIVILEGE' Is Revoked from Unauthorized 'GRANTEE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database GRANT ANY OBJECT PRIVILEGE keyword provides the grantee the capability to grant access to any single or multiple combinations of objects to any grantee in the catalog of the database.
Rationale:
As authorization to use the GRANT ANY OBJECT PRIVILEGE capability can allow an unauthorized user to potentially access/change confidential data or damage the data catalog due to potential complete instance access, this capability should be restricted according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='GRANT ANY OBJECT PRIVILEGE' AND GRANTEE NOT IN ('DBA','SYS','IMP_FULL_DATABASE','DATAPUMP_IMP_FULL_DATABASE', 'EM_EXPRESS_ALL', 'DV_REALM_OWNER');
Lack of results implies compliance.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE GRANT ANY OBJECT PRIVILEGE FROM <grantee>;
References:
1. http://docs.oracle.com/database/121/DBSEG/authorization.htm#DBSEG99914
4.3.11 Ensure 'GRANT ANY ROLE' Is Revoked from Unauthorized 'GRANTEE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database GRANT ANY ROLE keyword provides the grantee the capability to grant any single role to any grantee in the catalog of the database.
Rationale:
As authorization to use the GRANT ANY ROLE capability can allow an unauthorized user to potentially access/change confidential data or damage the data catalog due to potential complete instance access, this capability should be restricted according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='GRANT ANY ROLE' AND GRANTEE NOT IN ('DBA','SYS','DATAPUMP_IMP_FULL_DATABASE','IMP_FULL_DATABASE', 'SPATIAL_WFS_ADMIN_USR','SPATIAL_CSW_ADMIN_USR', 'GSMADMIN_INTERNAL','DV_REALM_OWNER', 'EM_EXPRESS_ALL', 'DV_OWNER');
Lack of results implies compliance.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE GRANT ANY ROLE FROM <grantee>;
References:
1. http://docs.oracle.com/database/121/DBSEG/authorization.htm#DBSEG99945
4.3.12 Ensure 'GRANT ANY PRIVILEGE' Is Revoked from Unauthorized 'GRANTEE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database GRANT ANY PRIVILEGE keyword provides the grantee the capability to grant any single privilege to any item in the catalog of the database.
Rationale:
As authorization to use the GRANT ANY PRIVILEGE capability can allow an unauthorized user to potentially access/change confidential data or damage the data catalog due to potential complete instance access, this capability should be restricted according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='GRANT ANY PRIVILEGE' AND GRANTEE NOT IN ('DBA','SYS','IMP_FULL_DATABASE','DATAPUMP_IMP_FULL_DATABASE', 'DV_REALM_OWNER', 'EM_EXPRESS_ALL');
Lack of results implies compliance.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE GRANT ANY PRIVILEGE FROM <grantee>;
References:
1. http://docs.oracle.com/database/121/DBSEG/authorization.htm#DBSEG99945
4.4 Revoke Role Privileges
The recommendations within this section intend to revoke powerful roles where they are likely not needed.
4.4.1 Ensure 'DELETE_CATALOG_ROLE' Is Revoked from Unauthorized 'GRANTEE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database DELETE_CATALOG_ROLE provides DELETE privileges for the records in the system's audit table (AUD$).
Rationale:
As permitting unauthorized access to the DELETE_CATALOG_ROLE can allow the destruction of audit records vital to the forensic investigation of unauthorized activities, this capability should be restricted according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS WHERE granted_role='DELETE_CATALOG_ROLE' AND GRANTEE NOT IN ('DBA','SYS');
Lack of results implies compliance.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE DELETE_CATALOG_ROLE FROM <grantee>;
References:
1. http://docs.oracle.com/database/121/DBSEG/authorization.htm#BABFCAFH
4.4.2 Ensure 'SELECT_CATALOG_ROLE' Is Revoked from Unauthorized 'GRANTEE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database SELECT_CATALOG_ROLE provides SELECT privileges on all data dictionary views held in the SYS schema.
Rationale:
As permitting unauthorized access to the SELECT_CATALOG_ROLE can allow the disclosure of all dictionary data, this capability should be restricted according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS WHERE granted_role='SELECT_CATALOG_ROLE' AND grantee not in ('DBA','SYS','IMP_FULL_DATABASE','EXP_FULL_DATABASE', 'OEM_MONITOR', 'SYSBACKUP','EM_EXPRESS_BASIC','SYSMAN');
Lack of results implies compliance.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE SELECT_CATALOG_ROLE FROM <grantee>;
References:
1. http://docs.oracle.com/database/121/DBSEG/authorization.htm#BABFCAFH
4.4.3 Ensure 'EXECUTE_CATALOG_ROLE' Is Revoked from Unauthorized 'GRANTEE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database EXECUTE_CATALOG_ROLE provides EXECUTE privileges for a number of packages and procedures in the data dictionary in the SYS schema.
Rationale:
As permitting unauthorized access to the EXECUTE_CATALOG_ROLE can allow the disruption of operations by initialization of rogue procedures, this capability should be restricted according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS WHERE granted_role='EXECUTE_CATALOG_ROLE' AND grantee not in ('DBA','SYS','IMP_FULL_DATABASE','EXP_FULL_DATABASE');
Lack of results implies compliance.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE EXECUTE_CATALOG_ROLE FROM <grantee>;
References:
1. http://docs.oracle.com/database/121/DBSEG/authorization.htm#BABFCAFH
4.4.4 Ensure 'DBA' Is Revoked from Unauthorized 'GRANTEE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database DBA role is the default database administrator role provided for the allocation of administrative privileges.
Rationale:
As assignment of the DBA role to an ordinary user can provide a great number of unnecessary privileges to that user and opens the door to data breaches, integrity violations, and Denial-of-Service conditions, application of this role should be restricted according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS WHERE GRANTED_ROLE='DBA' AND GRANTEE NOT IN ('SYS','SYSTEM');
Lack of results implies compliance.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE DBA FROM <grantee>;
References:
1. http://docs.oracle.com/database/121/DBSEG/authorization.htm#DBSEG4414
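The audit queries in 4.3.1 through 4.3.12 and 4.4.1 through 4.4.4 list direct grants in DBA_SYS_PRIVS and DBA_ROLE_PRIVS. A user who receives SELECT ANY DICTIONARY or the DBA role through a locally created role does not appear under their own name in those results. The query below is an added example, not part of the CIS Benchmark, that follows role nesting to any depth and reports every user who effectively holds a given system privilege (section 4.3) or role (section 4.4), together with the grant path. The SQL*Plus substitution variables sys_priv and role_chk and the output column names are this example's own; the views and columns used (DBA_ROLE_PRIVS, DBA_SYS_PRIVS, DBA_USERS) are Oracle's.

```sql
-- Added example, not from the CIS Benchmark: effective holders of a system
-- privilege or a role once role nesting is followed. sys_priv and role_chk
-- are this example's own SQL*Plus substitution variables; set them to the
-- privilege and role under review.
DEFINE sys_priv = 'SELECT ANY DICTIONARY'
DEFINE role_chk = 'DBA'

WITH role_tree (username, role_name, grant_path) AS (
  -- anchor: roles granted directly to database users
  SELECT rp.grantee, rp.granted_role,
         CAST(rp.grantee || ' -> ' || rp.granted_role AS VARCHAR2(4000))
    FROM dba_role_privs rp
    JOIN dba_users u ON u.username = rp.grantee
  UNION ALL
  -- recursion: roles granted to those roles, to any depth. Oracle rejects
  -- circular role grants, so the recursion terminates without a CYCLE clause.
  SELECT rt.username, rp.granted_role,
         CAST(rt.grant_path || ' -> ' || rp.granted_role AS VARCHAR2(4000))
    FROM role_tree rt
    JOIN dba_role_privs rp ON rp.grantee = rt.role_name
)
-- system privilege granted directly to a user
SELECT CAST('SYS PRIV' AS VARCHAR2(8)) AS kind, sp.privilege AS item,
       sp.grantee AS effective_user, 'direct grant' AS via
  FROM dba_sys_privs sp
  JOIN dba_users u ON u.username = sp.grantee
 WHERE sp.privilege = '&sys_priv'
UNION ALL
-- system privilege reached through one or more roles
SELECT 'SYS PRIV', sp.privilege, rt.username, rt.grant_path
  FROM dba_sys_privs sp
  JOIN role_tree rt ON rt.role_name = sp.grantee
 WHERE sp.privilege = '&sys_priv'
UNION ALL
-- system privilege granted to PUBLIC applies to every user
SELECT 'SYS PRIV', sp.privilege, 'ALL USERS', 'granted to PUBLIC'
  FROM dba_sys_privs sp
 WHERE sp.privilege = '&sys_priv'
   AND sp.grantee   = 'PUBLIC'
UNION ALL
-- role held directly or through nested roles (section 4.4)
SELECT 'ROLE', rt.role_name, rt.username, rt.grant_path
  FROM role_tree rt
 WHERE rt.role_name = '&role_chk'
ORDER BY 1, 3, 4;
```

The grant path determines the remediation. A user listed with "direct grant" is handled by the REVOKE statements given in the recommendations above. A user listed with a path such as APP_USER -> APP_ADMIN -> DBA holds the privilege only through the role chain, so the fix is to revoke the role from the user or the privilege from the role; a REVOKE of the privilege from the user would fail because no direct grant exists. Re-run the query after the change to confirm the path is gone.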
4.5 Revoke Excessive Table and View Privileges
The recommendations within this section intend to revoke excessive table and view privileges.
4.5.1 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'AUD$' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database SYS.AUD$ table contains all the audit records for the database of the non-Data Manipulation Language (DML) events, such as ALTER, DROP, CREATE, and so forth. (DML changes need trigger-based audit events to record data alterations.)
Rationale:
As permitting non-privileged users the authorization to manipulate the SYS.AUD$ table can allow distortion of the audit records, hiding unauthorized activities, this capability should be restricted according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_TAB_PRIVS WHERE TABLE_NAME='AUD$' AND GRANTEE NOT IN ('DELETE_CATALOG_ROLE');
Lack of results implies compliance.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE ALL ON AUD$ FROM <grantee>;
References:
1. http://docs.oracle.com/database/121/DBSEG/audit_admin.htm#DBSEG629
4.5.2 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'USER_HISTORY$' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database SYS.USER_HISTORY$ table contains all the audit records for the user's password change history. (This table gets updated by password changes if the user has an assigned profile that has a password reuse limit set, e.g., PASSWORD_REUSE_TIME set to other than UNLIMITED.)
Rationale:
As permitting non-privileged users the authorization to manipulate the records in the SYS.USER_HISTORY$ table can allow distortion of the audit trail, potentially hiding unauthorized data confidentiality attacks or integrity changes, this capability should be restricted according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_TAB_PRIVS WHERE TABLE_NAME='USER_HISTORY$' AND OWNER = 'SYS';
Lack of results implies compliance.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE ALL ON USER_HISTORY$ FROM <grantee>;
References:
1. http://marcel.vandewaters.nl/oracle/database-oracle/password-history-reusing-a-password
Notes:
USER_HISTORY$ contains only the old, case-insensitive passwords.
4.5.3 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'LINK$' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database SYS.LINK$ table contains all the user's password information and data table link information.
Rationale:
As permitting non-privileged users to manipulate or view the SYS.LINK$ table can allow capture of password information and/or corrupt the primary database linkages, this capability should be restricted according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_TAB_PRIVS WHERE TABLE_NAME='LINK$' AND GRANTEE NOT IN ('DV_SECANALYST') AND OWNER='SYS';
Lack of results implies compliance.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE ALL ON LINK$ FROM <grantee>;
4.5.4 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'SYS.USER$' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database SYS.USER$ table contains the users' hashed password information.
Rationale:
As permitting non-privileged users the authorization to open the SYS.USER$ table can allow the capture of password hashes for the later application of password cracking algorithms to breach confidentiality, this capability should be restricted according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_TAB_PRIVS WHERE TABLE_NAME='USER$' AND OWNER='SYS' AND GRANTEE NOT IN ('CTXSYS','XDB','APEX_030200','SYSMAN', 'APEX_040000','APEX_040100','APEX_040200','DV_SECANALYST','DVSYS','ORACLE_OCM');
Lack of results implies compliance.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE ALL ON SYS.USER$ FROM <username>;
References:
1. http://dba.stackexchange.com/questions/17513/what-do-the-columns-in-sys-user-represent
4.5.5 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'DBA_%' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database DBA_ views show all information which is relevant to administrative accounts.
Rationale:
Permitting users the authorization to manipulate the DBA_ views can expose sensitive data.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT grantee||'.'||table_name FROM DBA_TAB_PRIVS WHERE TABLE_NAME LIKE 'DBA_%' AND GRANTEE NOT IN ('DBA','AUDIT_ADMIN','AUDIT_VIEWER','CAPTURE_ADMIN','DVSYS', 'SYSDG','DV_SECANALYST','SYSKM','DV_MONITOR','ORACLE_OCM','DV_ACCTMGR', 'GSMADMIN_INTERNAL','XDB','SYS','APPQOSSYS','AQ_ADMINISTRATOR_ROLE','CTXSYS', 'EXFSYS','MDSYS','OLAP_XS_ADMIN','OLAPSYS','ORDSYS','OWB$CLIENT','OWBSYS', 'SELECT_CATALOG_ROLE','WM_ADMIN_ROLE','WMSYS','XDBADMIN', 'LBACSYS', 'ADM_PARALLEL_EXECUTE_TASK','CISSCANROLE') AND NOT REGEXP_LIKE(grantee,'^APEX_0[3-9][0-9][0-9][0-9][0-9]$');
Lack of results implies compliance.
Note: An organization should perform proper impact analysis before revoking grants on DBA_ objects.
Remediation:
Replace <Non-DBA/SYS grantee>, in the query below, with the Oracle login(s) or role(s) returned from the associated audit procedure, and <DBA_ view> with the DBA_ view name returned alongside it, then execute:
REVOKE ALL ON <DBA_ view> FROM <Non-DBA/SYS grantee>;
References:
1. http://docs.oracle.com/database/121/REFRN/GUID-10024282-6729-4C66-8679-FD653C9C7DE7.htm#REFRN-GUID-10024282-6729-4C66-8679-FD653C9C7DE7
4.5.6 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'SYS.SCHEDULER$_CREDENTIAL' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database SCHEDULER$_CREDENTIAL table contains the database scheduler credential information.
Rationale:
As permitting non-privileged users the authorization to open the SYS.SCHEDULER$_CREDENTIAL table.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_TAB_PRIVS WHERE TABLE_NAME='SCHEDULER$_CREDENTIAL' AND OWNER='SYS';
Lack of results implies compliance.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE ALL ON SYS.SCHEDULER$_CREDENTIAL FROM <username>;
References:
1. http://docs.oracle.com/database/121/ADMIN/schedadmin.htm#ADMIN12073
2. http://berxblog.blogspot.de/2012/02/restore-dbmsschedulercreatecredential.html
Notes:
*_SCHEDULER_CREDENTIALS is deprecated in Oracle Database 12c, but remains available for reasons of backward compatibility.
4.5.7 Ensure 'SYS.USER$MIG' Has Been Dropped (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The table sys.user$mig is created during migration and contains the Oracle password hashes before the migration starts.
Rationale:
The table sys.user$mig is not deleted after the migration. An attacker could access the table containing the Oracle password hashes.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT OWNER, TABLE_NAME FROM ALL_TABLES WHERE OWNER='SYS' AND TABLE_NAME='USER$MIG';
Lack of results implies compliance.
Remediation:
To remediate this setting execute the following SQL statement.
DROP TABLE SYS.USER$MIG;
4.6 Ensure '%ANY%' Is Revoked from Unauthorized 'GRANTEE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database ANY keyword provides the user the capability to alter any item in the catalog of the database.
Rationale:
As authorization to use the ANY expansion of a privilege can allow an unauthorized user to potentially change confidential data or damage the data catalog, this capability should be restricted according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE LIKE '%ANY%' AND GRANTEE NOT IN ('AQ_ADMINISTRATOR_ROLE','DBA','DBSNMP','EXFSYS', 'EXP_FULL_DATABASE','IMP_FULL_DATABASE','DATAPUMP_IMP_FULL_DATABASE', 'JAVADEBUGPRIV','MDSYS','OEM_MONITOR','OLAPSYS','OLAP_DBA','ORACLE_OCM', 'OWB$CLIENT','OWBSYS','SCHEDULER_ADMIN','SPATIAL_CSW_ADMIN_USR', 'SPATIAL_WFS_ADMIN_USR','SYS','SYSMAN','SYSTEM','WMSYS','APEX_030200', 'APEX_040000','APEX_040100','APEX_040200','LBACSYS','SYSBACKUP', 'CTXSYS','OUTLN','DVSYS','ORDPLUGINS','ORDSYS','RECOVERY_CATALOG_OWNER_VPD', 'GSMADMIN_INTERNAL','XDB','SYSDG','AUDIT_ADMIN','DV_OWNER','DV_REALM_OWNER', 'EM_EXPRESS_ALL','RECOVERY_CATALOG_OWNER','APEX_050000','SYSMAN_STB', 'SYSMAN_TYPES');
Lack of results implies compliance.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE <ANY privilege> FROM <grantee>;
References:
1. http://docs.oracle.com/database/121/DBSEG/authorization.htm#DBSEG99877
4.7 Ensure 'DBA_SYS_PRIVS.%' Is Revoked from Unauthorized 'GRANTEE' with 'ADMIN_OPTION' Set to 'YES' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database WITH_ADMIN privilege allows the designated user to grant another user the same privileges.
Rationale:
As assignment of the WITH_ADMIN privilege can allow the granting of a restricted privilege to an unauthorized user, this capability should be restricted according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE ADMIN_OPTION='YES'
 AND GRANTEE NOT IN ('AQ_ADMINISTRATOR_ROLE','DBA','OWBSYS','SCHEDULER_ADMIN','SYS','SYSTEM','WMSYS','DVSYS','SYSKM','DV_ACCTMGR')
 AND NOT REGEXP_LIKE(GRANTEE,'^APEX_0[3-9][0-9][0-9][0-9][0-9]$');
Lack of results implies compliance.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE <privilege> FROM <grantee>;
4.8 Ensure Proxy Users Have Only 'CONNECT' Privilege (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
Do not grant privileges directly to proxy users.
Rationale:
A proxy user should only have the ability to connect to the database.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS
 WHERE GRANTEE IN (SELECT PROXY FROM DBA_PROXIES) AND GRANTED_ROLE NOT IN ('CONNECT')
UNION
SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS
 WHERE GRANTEE IN (SELECT PROXY FROM DBA_PROXIES) AND PRIVILEGE NOT IN ('CREATE SESSION')
UNION
SELECT GRANTEE, PRIVILEGE FROM DBA_TAB_PRIVS
 WHERE GRANTEE IN (SELECT PROXY FROM DBA_PROXIES);
Lack of results implies compliance.
Remediation:
To remediate this setting, execute the following SQL statement for each [PRIVILEGE] returned by running the audit procedure.
REVOKE [PRIVILEGE] FROM <proxy_user>;
4.9 Ensure 'EXECUTE ANY PROCEDURE' Is Revoked from 'OUTLN' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
Remove unneeded privileges from OUTLN.
Rationale:
Migrated OUTLN users have more privileges than required.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='EXECUTE ANY PROCEDURE' AND GRANTEE='OUTLN';
Lack of results implies compliance.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ANY PROCEDURE FROM OUTLN;
4.10 Ensure 'EXECUTE ANY PROCEDURE' Is Revoked from 'DBSNMP' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
Remove unneeded privileges from DBSNMP.
Rationale:
Migrated DBSNMP users have more privileges than required.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='EXECUTE ANY PROCEDURE' AND GRANTEE='DBSNMP';
Lack of results implies compliance.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ANY PROCEDURE FROM DBSNMP;
5 Audit/Logging Policies and Procedures
The ability to audit database activities is among the most important of all database security features. Decisions must be made regarding the scope of auditing since auditing has costs - in storage for the audit trail and in performance impact on audited operations - and perhaps even on the database or system in general. There is also the additional cost to manage (store, back up, secure) and review the data in the audit trail.
Measures must be taken to protect the audit trail itself, for it may be targeted for alteration or destruction to hide unauthorized activity. For an audit destination outside the database, the recommendations are elsewhere in this document. Auditing recommendations for potential database audit destinations are below.
Auditing "by session" typically creates fewer (until 11g) and slightly smaller audit records, but is discouraged in most situations since there is some loss of fidelity (e.g. object privilege GRANTEE). More detailed auditing creates larger audit records. The AUDIT_TRAIL initialization parameter (for DB|XML, extended or not) is the main determining factor for the size of a given audit record - and a notable factor in the performance cost, although the largest of the latter is DB versus OS or XML.
This section deals with standard Oracle auditing since auditing of privileged connections (as sysdba or sysoper) is configured via the AUDIT_SYS_OPERATIONS initialization parameter and is otherwise not configurable. The basic types of standard auditing are object auditing, statement auditing and privilege auditing, and each behaves differently.
Object auditing applies to specific objects for which it is invoked and always applies to all users. This type of auditing is usually employed to audit application-specific sensitive objects, but can be used to protect the audit trail in the database.
Privilege auditing audits the use of specific system privileges, but typically only if the user actually possesses the audited privilege. Attempts that fail for lack of the audited privilege are typically not audited. This is the main weakness of privilege auditing and why statement auditing is usually preferred, if the option exists.
Statement auditing audits the issuance of certain types of statements, usually without regard to privilege or lack thereof. Both privilege and statement audits may be specified for specific users or all users (the default).
5.1 Traditional Auditing
This section is to be followed if traditional auditing is implemented.
5.1.1 Enable 'USER' Audit Option (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
Description:
The USER object in the Oracle database is an account through which a connection may be made to interact with the database according to the roles and privileges allotted to the account. It is also a schema which may own database objects. This audits all activities and requests to create, drop or alter a user, including a user changing their own password. (The latter is not audited by 'audit ALTER USER'.)
Rationale:
Any unauthorized attempts to create, drop or alter a user should cause concern, whether successful or not. It can also be useful in forensics if an account is compromised and is mandated by many common security initiatives. An abnormally high number of these activities in a given period might be worth investigation. Any failed attempt to drop a user or create a user may be worth further review.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='USER' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
AUDIT USER;
Impact:
This would replace the current 5.2 (audit CREATE USER), 5.3 (audit ALTER USER), and 5.4 (audit DROP USER) privilege audits with the single statement auditing option "audit USER". Any action audited by those three privilege audits would also be audited by this. In addition, this would audit:
1. Attempts to create a user by anyone without the CREATE USER system privilege.
2. Attempts to drop a user by anyone without the DROP USER system privilege.
3. Attempts to alter a user by anyone without the ALTER USER system privilege.
4. Users changing or attempting to change their own passwords (which is not done by auditing ALTER USER).
5.1.2 Enable 'ALTER USER' Audit Option (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
Description:
The USER object for the Oracle database is a specification of an object which is an account through which either a human or an application can connect (via JDBC) or log in (via a CLI) and interact with the database instance according to the roles and privileges allotted to the account.
Rationale:
As the logging of user activities involving the creation, alteration, or dropping of a USER can provide forensic evidence about a pattern of suspect/unauthorized activities, the audit capability should be set according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='ALTER USER' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
AUDIT ALTER USER;
5.1.3 Enable 'DROP USER' Audit Option (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
Description:
The USER object for the Oracle database is a specification of an object which is an account through which either a human or an application can connect (via JDBC) or log in (via a CLI) and interact with the database instance according to the roles and privileges allotted to the account.
Rationale:
As the logging of user activities involving the creation, alteration, or dropping of a USER can provide forensic evidence about a pattern of suspect/unauthorized activities, the audit capability should be set according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='DROP USER' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
AUDIT DROP USER;
5.1.4 Enable 'ROLE' Audit Option (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
Description:
The ROLE object allows for the creation of a set of privileges that can be granted to users or other roles. This audits all attempts, successful or not, to create, drop, alter or set roles.
Rationale:
Roles are a key database security infrastructure component. Any attempt to create, drop or alter a role should be audited. This statement auditing option also audits attempts, successful or not, to set a role in a session. Any unauthorized attempts to create, drop or alter a role may be worthy of investigation. Attempts to set a role by users without the role privilege may warrant investigation.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='ROLE' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting:
AUDIT ROLE;
Impact:
The change to the audit/check is to ensure that the audit is in effect for all users, regardless of proxy or success.
The change to the title, description and rationale is to better clarify what it actually does. (e.g. It does NOT audit "all ROLE activities/requests". For example, it does not audit role grants and revokes.)
5.1.5 Enable 'SYSTEM GRANT' Audit Option (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
Description:
This will audit any attempt, successful or not, to grant or revoke any system privilege or role - regardless of privilege held by the user attempting the operation.
Rationale:
Logging of all grants and revokes (roles and system privileges) can provide forensic evidence about a pattern of suspect/unauthorized activities. Any unauthorized attempt may be cause for further investigation.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='SYSTEM GRANT' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
AUDIT SYSTEM GRANT;
5.1.6 Enable 'PROFILE' Audit Option (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
Description:
The PROFILE object allows for the creation of a set of database resource limits that can be assigned to a user, so that that user cannot exceed those resource limitations. This will audit all attempts, successful or not, to create, drop or alter any profile.
Rationale:
As profiles are part of the database security infrastructure, auditing the modification of profiles is recommended.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='PROFILE' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
AUDIT PROFILE;
Impact:
The statement auditing option 'audit PROFILE' audits everything that the three privilege audits 'audit CREATE PROFILE', 'audit DROP PROFILE' and 'audit ALTER PROFILE' do, but also audits:
1. Attempts to create a profile by a user without the CREATE PROFILE system privilege.
2. Attempts to drop a profile by a user without the DROP PROFILE system privilege.
3. Attempts to alter a profile by a user without the ALTER PROFILE system privilege.
5.1.7 Enable 'ALTER PROFILE' Audit Option (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
Description:
The PROFILE object allows for the creation of a set of database resource limits that can be assigned to a user, so that that user cannot exceed those resource limitations.
Rationale:
As the logging of user activities involving the creation, alteration, or dropping of a PROFILE can provide forensic evidence about a pattern of unauthorized activities, the audit capability should be set according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='ALTER PROFILE' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
AUDIT ALTER PROFILE;
5.1.8 Enable 'DROP PROFILE' Audit Option (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
Description:
The PROFILE object allows for the creation of a set of database resource limits that can be assigned to a user, so that that user cannot exceed those resource limitations.
Rationale:
As the logging of user activities involving the creation, alteration, or dropping of a PROFILE can provide forensic evidence about a pattern of unauthorized activities, the audit capability should be set according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='DROP PROFILE' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
AUDIT DROP PROFILE;
5.1.9 Enable 'DATABASE LINK' Audit Option (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
Description:
All activities on database links should be audited.
Rationale:
As the logging of user activities involving the creation or dropping of a DATABASE LINK can provide forensic evidence about a pattern of unauthorized activities, the audit capability should be set according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='DATABASE LINK' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
AUDIT DATABASE LINK;
References:
1. http://docs.oracle.com/database/121/DBSEG/audit_config.htm#DBSEG1115
5.1.10 Enable 'PUBLIC DATABASE LINK' Audit Option (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
Description:
The PUBLIC DATABASE LINK object allows for the creation of a public link for an application-based "user" to access the database for connections/session creation.
Rationale:
As the logging of user activities involving the creation, alteration, or dropping of a PUBLIC DATABASE LINK can provide forensic evidence about a pattern of unauthorized activities, the audit capability should be set according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='PUBLIC DATABASE LINK' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
AUDIT PUBLIC DATABASE LINK;
5.1.11 Enable 'PUBLIC SYNONYM' Audit Option (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
Description:
The PUBLIC SYNONYM object allows for the creation of an alternate description of an object, and public synonyms are accessible by all users that have the appropriate privileges to the underlying object.
Rationale:
As the logging of user activities involving the creation or dropping of a PUBLIC SYNONYM can provide forensic evidence about a pattern of unauthorized activities, the audit capability should be set according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='PUBLIC SYNONYM' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
AUDIT PUBLIC SYNONYM;
5.1.12 Enable 'SYNONYM' Audit Option (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
Description:
The SYNONYM operation allows for the creation of an alternative name for a database object such as a Java class schema object, materialized view, operator, package, procedure, sequence, stored function, table, view, user-defined object type, or even another synonym; this synonym puts a dependency on its target and is rendered invalid if the target object is changed/dropped.
Rationale:
As the logging of user activities involving the creation or dropping of a SYNONYM can provide forensic evidence about a pattern of suspect/unauthorized activities, the audit capability should be set according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='SYNONYM' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
AUDIT SYNONYM;
References:
1. http://docs.oracle.com/database/121/DBSEG/audit_config.htm#DBSEG1115
5.1.13 Enable 'GRANT DIRECTORY' Audit Option (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
Description:
The DIRECTORY object allows for the creation of a directory object that specifies an alias for a directory on the server file system, where the external binary file LOBs (BFILEs)/table data are located.
Rationale:
As the logging of user activities involving the creation or dropping of a DIRECTORY can provide forensic evidence about a pattern of unauthorized activities, the audit capability should be set according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='GRANT DIRECTORY' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
AUDIT GRANT DIRECTORY;
References:
1. http://docs.oracle.com/database/121/SQLRF/statements_4007.htm#SQLRF01107
Notes:
Grant directory is a shortcut for GRANT privilege ON directory, REVOKE privilege ON directory.
5.1.14 Enable 'SELECT ANY DICTIONARY' Audit Option (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
Description:
The SELECT ANY DICTIONARY capability allows the user to view the definitions of all schema objects in the database.
Rationale:
As the logging of user activities involving the capability to access the description of all schema objects in the database can provide forensic evidence about a pattern of unauthorized activities, the audit capability should be set according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='SELECT ANY DICTIONARY' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
AUDIT SELECT ANY DICTIONARY;
References:
1. http://docs.oracle.com/database/121/DBSEG/guidelines.htm#DBSEG500
5.1.15 Enable 'GRANT ANY OBJECT PRIVILEGE' Audit Option (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
Description:
GRANT ANY OBJECT PRIVILEGE allows the user to grant or revoke any object privilege, which includes privileges on tables, directories, mining models, etc. This audits all uses of that privilege.
Rationale:
Logging of privilege grants that can lead to the creation, alteration, or deletion of critical data, the modification of objects, object privilege propagation and other such activities can be critical to forensic investigations.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE, SUCCESS, FAILURE FROM DBA_PRIV_AUDIT_OPTS WHERE PRIVILEGE='GRANT ANY OBJECT PRIVILEGE' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
AUDIT GRANT ANY OBJECT PRIVILEGE;
5.1.16 Enable 'GRANT ANY PRIVILEGE' Audit Option (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
Description:
This audits all uses of the system privilege named GRANT ANY PRIVILEGE. Actions by users not holding this privilege are not audited.
Rationale:
GRANT ANY PRIVILEGE allows a user to grant any system privilege, including the most powerful privileges typically available only to administrators - to change the security infrastructure, to drop/add/modify users and more. Auditing the use of this privilege is part of a comprehensive auditing policy that can help in detecting issues and can be useful in forensics.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE, SUCCESS, FAILURE FROM DBA_PRIV_AUDIT_OPTS WHERE PRIVILEGE='GRANT ANY PRIVILEGE' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
AUDIT GRANT ANY PRIVILEGE;
5.1.17 Enable 'DROP ANY PROCEDURE' Audit Option (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
Description:
The AUDIT DROP ANY PROCEDURE command audits the dropping of procedures in other schemas.
Rationale:
Dropping procedures of another user could be part of a privilege escalation exploit and should be audited.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='DROP ANY PROCEDURE' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
AUDIT DROP ANY PROCEDURE;
5.1.18 Enable 'ALL' Audit Option on 'SYS.AUD$' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
Description:
The logging of attempts to alter the audit trail in the SYS.AUD$ table (open for read/update/delete/view) will provide a record of any activities that may indicate unauthorized attempts to access the audit trail.
Rationale:
As the logging of attempts to alter the SYS.AUD$ table can provide forensic evidence of the initiation of a pattern of unauthorized activities, this logging capability should be set according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT * FROM DBA_OBJ_AUDIT_OPTS WHERE OBJECT_NAME='AUD$'
 AND ALT='A/A' AND AUD='A/A' AND COM='A/A' AND DEL='A/A' AND GRA='A/A' AND IND='A/A'
 AND INS='A/A' AND LOC='A/A' AND REN='A/A' AND SEL='A/A' AND UPD='A/A' AND FBK='A/A';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
AUDIT ALL ON SYS.AUD$ BY ACCESS;
5.1.19 Enable 'PROCEDURE' Audit Option (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
Description:
In this statement audit, "PROCEDURE" means any procedure, function, package or library. Any attempt, successful or not, to create or drop any of these types of objects is audited, regardless of privilege or lack thereof. Java schema objects (sources, classes, and resources) are considered the same as procedures for purposes of auditing SQL statements.
Rationale:
Any unauthorized attempts to create or drop a procedure in another's schema should cause concern, whether successful or not. Changes to critical stored code can dramatically change the behavior of the application and produce serious security consequences, including privilege escalation and introducing SQL injection vulnerabilities. Audit records of such changes can be helpful in forensics.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='PROCEDURE' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
AUDIT PROCEDURE;
Notes:
Be aware that not all auditing options work alike. In particular, the statement auditing option "audit PROCEDURE" does indeed audit create and drop library as well as all types of procedures and Java schema objects. However, privilege audits do not work this way. So, for example, none of "audit CREATE ANY PROCEDURE", "audit DROP ANY PROCEDURE" or "audit CREATE PROCEDURE" will audit create or drop library activities. In statement auditing, "PROCEDURE" has a larger scope than in privilege auditing, where it is specific to functions, packages and procedures, but excludes libraries and perhaps other object types.
"Audit PROCEDURE" does not audit altering procedures, either in your own schema or in another via the ALTER ANY PROCEDURE system privilege. There seems to be no statement audit that is a better replacement for "Audit ALTER ANY PROCEDURE", but beware that it will not create any audit records for users that do not have the privilege. Thus, attempts to alter procedures in one's own schema are never audited and attempts to alter procedures in another's schema that fail for lack of the ALTER ANY PROCEDURE privilege are not audited. This is simply a weakness in the current state of Oracle auditing. Fortunately, though, all that the ALTER command can be used for regarding procedures, functions, packages and libraries is compile options, so the inability to comprehensively audit alter procedure activities and requests is not as bad as it would be for other object types (USER, PROFILE, etc.).
5.1.20 Enable 'ALTER SYSTEM' Audit Option (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
Description:
This will audit all attempts to ALTER SYSTEM, whether successful or not and regardless of whether or not the ALTER SYSTEM privilege is held by the user attempting the action.
Rationale:
Alter system allows one to change instance settings, including security settings and auditing options. Additionally, alter system can be used to run operating system commands using undocumented Oracle functionality. Any unauthorized attempt to alter the system should be cause for concern. Alterations outside of some specified maintenance window may be of concern. In forensics, these audit records could be quite useful.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='ALTER SYSTEM' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
AUDIT ALTER SYSTEM;
5.1.21 Enable 'TRIGGER' Audit Option (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
Description:
A TRIGGER may be used to modify DML actions or invoke other (recursive) actions when some types of user-initiated actions occur. This will audit any attempt, successful or not, to create, drop, enable or disable any schema trigger in any schema regardless of privilege or lack thereof. For enabling and disabling a trigger, it covers both alter trigger and alter table.
Rationale:
Triggers are often part of schema security, data validation and other critical constraints upon actions and data. A trigger in another schema may be used to escalate privileges, redirect operations, transform data and perform other sorts of perhaps undesired actions. Any unauthorized attempt to create, drop or alter a trigger in another schema may be cause for investigation.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='TRIGGER' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
AUDIT TRIGGER;
Impact:
The statement auditing option 'audit TRIGGER' audits almost everything that the three privilege audits "audit CREATE ANY TRIGGER", "audit ALTER ANY TRIGGER" and "audit DROP ANY TRIGGER" audit, but also audits:
1. Statements to create, drop, enable or disable a trigger in the user's own schema.
2. Attempts to create a trigger by a user without the CREATE TRIGGER system privilege.
3. Attempts to create a trigger in another schema by users without the CREATE ANY TRIGGER privilege.
4. Attempts to drop a trigger in another schema by users without the DROP ANY TRIGGER privilege.
5. Attempts to disable or enable a trigger in another schema by users without the ALTER ANY TRIGGER privilege.
The one thing that is audited by any of the three privilege audits but is not audited by this is "alter trigger ... compile" when the trigger is in another's schema, which is audited by "audit ALTER ANY TRIGGER", but only if the user attempting the alteration actually holds the ALTER ANY TRIGGER system privilege. "Audit TRIGGER" only audits "alter table" or "alter trigger" statements used to enable or disable triggers. It does not audit alter trigger or alter table statements used only with compile options.
5.1.22 Enable 'CREATE SESSION' Audit Option (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
Description:
Audit all attempts to connect to the database, whether successful or not. Also, audits session disconnects/logoffs. The commands to audit SESSION, CONNECT or CREATE SESSION all accomplish exactly the same thing - they initiate statement auditing of the connect statement used to create a database session.
Rationale:
Auditing attempts to connect to the database is basic and mandated by most security initiatives. Any attempt to log on to a locked account, failed attempts to log on to default accounts or an unusually high number of failed logon attempts of any sort, for any user, in a particular time period may indicate an intrusion attempt. In forensics, the logon record may be first in a chain of evidence and contains information found in no other type of audit record for the session. Logon and logoff in the audit trail define the period and duration of the session.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='CREATE SESSION' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
AUDIT SESSION;
Notes:
Although listed in the documentation as a privilege audit, 'audit CREATE SESSION' actually audits the CONNECT statement - as evidenced by the undocumented 'audit CONNECT' - which does exactly the same thing as 'audit SESSION' or 'audit CREATE SESSION'. There is no system privilege named either 'SESSION' or 'CONNECT' (CONNECT is a role, not a system privilege). Also, it behaves as statement auditing rather than privilege auditing in that it audits all attempts to create a session, even if the user does not hold the 'CREATE SESSION' system privilege.
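The following query is an added worked example and not part of the CIS Benchmark text: it folds the individual checks of section 5.1 into one report, using exactly the views and filter conditions of the per-recommendation audit queries. The recommendation numbers in the REC column are labels constructed here to map each row back to the text.

```sql
-- Added example, not from the CIS Benchmark: one query reporting every traditional
-- audit option from section 5.1 that is NOT enabled for all users, BY ACCESS, on both
-- success and failure. Each returned row is a finding; no rows means 5.1 is compliant.
-- Views and filters are those of the per-recommendation audit queries; the REC column
-- values are labels constructed here to map rows back to the recommendations.
WITH required AS (
  SELECT CAST('USER' AS VARCHAR2(40)) AS audit_option,
         CAST('STMT' AS VARCHAR2(4))  AS src,
         CAST('5.1.1' AS VARCHAR2(8)) AS rec FROM DUAL UNION ALL
  SELECT 'ALTER USER',                'STMT', '5.1.2'  FROM DUAL UNION ALL
  SELECT 'DROP USER',                 'STMT', '5.1.3'  FROM DUAL UNION ALL
  SELECT 'ROLE',                      'STMT', '5.1.4'  FROM DUAL UNION ALL
  SELECT 'SYSTEM GRANT',              'STMT', '5.1.5'  FROM DUAL UNION ALL
  SELECT 'PROFILE',                   'STMT', '5.1.6'  FROM DUAL UNION ALL
  SELECT 'ALTER PROFILE',             'STMT', '5.1.7'  FROM DUAL UNION ALL
  SELECT 'DROP PROFILE',              'STMT', '5.1.8'  FROM DUAL UNION ALL
  SELECT 'DATABASE LINK',             'STMT', '5.1.9'  FROM DUAL UNION ALL
  SELECT 'PUBLIC DATABASE LINK',      'STMT', '5.1.10' FROM DUAL UNION ALL
  SELECT 'PUBLIC SYNONYM',            'STMT', '5.1.11' FROM DUAL UNION ALL
  SELECT 'SYNONYM',                   'STMT', '5.1.12' FROM DUAL UNION ALL
  SELECT 'GRANT DIRECTORY',           'STMT', '5.1.13' FROM DUAL UNION ALL
  SELECT 'SELECT ANY DICTIONARY',     'STMT', '5.1.14' FROM DUAL UNION ALL
  SELECT 'GRANT ANY OBJECT PRIVILEGE','PRIV', '5.1.15' FROM DUAL UNION ALL
  SELECT 'GRANT ANY PRIVILEGE',       'PRIV', '5.1.16' FROM DUAL UNION ALL
  SELECT 'DROP ANY PROCEDURE',        'STMT', '5.1.17' FROM DUAL UNION ALL
  SELECT 'PROCEDURE',                 'STMT', '5.1.19' FROM DUAL UNION ALL
  SELECT 'ALTER SYSTEM',              'STMT', '5.1.20' FROM DUAL UNION ALL
  SELECT 'TRIGGER',                   'STMT', '5.1.21' FROM DUAL UNION ALL
  SELECT 'CREATE SESSION',            'STMT', '5.1.22' FROM DUAL
),
enabled AS (
  -- Statement audit options in force for all users (no user or proxy restriction)
  SELECT AUDIT_OPTION AS audit_option, 'STMT' AS src
    FROM DBA_STMT_AUDIT_OPTS
   WHERE USER_NAME IS NULL AND PROXY_NAME IS NULL
     AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS'
  UNION ALL
  -- Privilege audit options, same scope
  SELECT PRIVILEGE, 'PRIV'
    FROM DBA_PRIV_AUDIT_OPTS
   WHERE USER_NAME IS NULL AND PROXY_NAME IS NULL
     AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS'
)
SELECT r.rec, r.src, r.audit_option AS missing_audit
  FROM required r
 WHERE NOT EXISTS (SELECT 1 FROM enabled e
                    WHERE e.audit_option = r.audit_option AND e.src = r.src)
UNION ALL
-- 5.1.18 is object auditing on the audit trail itself and lives in DBA_OBJ_AUDIT_OPTS,
-- where 'A/A' means "by access when successful / by access when not successful".
SELECT '5.1.18', 'OBJ', 'ALL ON SYS.AUD$ BY ACCESS' FROM DUAL
 WHERE NOT EXISTS (SELECT 1 FROM DBA_OBJ_AUDIT_OPTS
                    WHERE OWNER = 'SYS' AND OBJECT_NAME = 'AUD$'
                      AND ALT='A/A' AND AUD='A/A' AND COM='A/A' AND DEL='A/A'
                      AND GRA='A/A' AND IND='A/A' AND INS='A/A' AND LOC='A/A'
                      AND REN='A/A' AND SEL='A/A' AND UPD='A/A' AND FBK='A/A')
ORDER BY 1, 2;
```

Each row names the AUDIT statement still to be issued from the corresponding remediation; options enabled only for specific users, only BY SESSION, or only on success or failure are reported as missing, which is what the individual checks also require.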
5.2 Unified Auditing
This section is to be followed if unified auditing is implemented.
5.2.1 Enable 'CREATE USER' Action Audit (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
An Oracle database user is an account through which a connection to the database is established. A schema is associated with the user account which stores data. A user account may belong to an individual person or can be used by a device, process, job or connection pool. The CREATE USER statement is used to create Oracle database accounts and assign database properties to them. This unified audit action enables logging of all CREATE USER statements, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Rationale:
Logging and monitoring of all attempts to create a user, whether successful or unsuccessful, may provide clues and forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all activities involving CREATE USER.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE
  FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED
 WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME
   AND AUD.AUDIT_OPTION = 'CREATE USER' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION'
   AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES'
   AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';
Lack of results implies a finding.
158|P a g e
Remediation:
ExecutethefollowingSQLstatementtoremediatethissetting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS CREATE USER;
IfyoudonothaveCIS_UNIFIED_AUDIT_POLICY,pleasecreateoneusingCREATE AUDIT POLICYstatement.
159|P a g e
5.2.2 Enable 'ALTER USER' Action Audit (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
An Oracle database user is an account through which a connection to the database is established. A schema, which stores data, is associated with the user account. A user account may belong to an individual person or can be used by a device, process, job or connection pool. The ALTER USER statement is used to change database users' passwords, to lock an account or to expire passwords. In addition, this statement is used to change database properties of user accounts such as database profiles, default and temporary tablespaces, or to assign tablespace quotas. This unified audit action enables logging of all ALTER USER statements, whether successful or unsuccessful, issued by users regardless of the privileges held by those users to issue such statements.
Rationale:
Logging and monitoring of all attempts to alter users, whether successful or unsuccessful, may provide clues and forensic evidence about potentially suspicious or unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all activities involving ALTER USER.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'ALTER USER' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';
Lack of results implies compliance.
Remediation:
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS ALTER USER;
If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.
5.2.3 Enable 'DROP USER' Audit Option (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
An Oracle database user is an account through which a connection to the database is established. A schema, which stores data, is associated with the user account. A user account may belong to an individual person or can be used by a device, process, job or connection pool. The DROP USER statement is used to drop Oracle database accounts and the schemas associated with them. This unified audit action enables logging of all DROP USER statements, whether successful or unsuccessful, issued by users regardless of the privileges held by those users to issue such statements.
Rationale:
Logging and monitoring of all attempts to drop users, whether successful or unsuccessful, may provide clues and forensic evidence about potentially suspicious or unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all activities involving DROP USER.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'DROP USER' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';
Lack of results implies compliance.
Remediation:
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS DROP USER;
If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.
5.2.4 Enable 'CREATE ROLE' Action Audit (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
An Oracle database role is a collection or set of privileges that can be granted to users or other roles. Roles may include system privileges, object privileges or other roles. This unified audit action enables logging of all CREATE ROLE statements, whether successful or unsuccessful, issued by users regardless of the privileges held by those users to issue such statements.
Rationale:
Logging and monitoring of all attempts to create roles, whether successful or unsuccessful, may provide clues and forensic evidence about potentially suspicious or unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving CREATE ROLE.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'CREATE ROLE' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';
Lack of results implies compliance.
Remediation:
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS CREATE ROLE;
If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.
5.2.5 Enable 'ALTER ROLE' Action Audit (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
An Oracle database role is a collection or set of privileges that can be granted to users or other roles. Roles may include system privileges, object privileges or other roles. The ALTER ROLE statement is used to change the authorization needed to enable a role. This unified audit action enables logging of all ALTER ROLE statements, whether successful or unsuccessful, issued by users regardless of the privileges held by those users to issue such statements.
Rationale:
Logging and monitoring of all attempts to alter roles, whether successful or unsuccessful, may provide clues and forensic evidence about potentially suspicious or unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving alteration of roles.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'ALTER ROLE' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';
Lack of results implies compliance.
Remediation:
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS ALTER ROLE;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.
5.2.6 Enable 'DROP ROLE' Action Audit (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
An Oracle database role is a collection or set of privileges that can be granted to users or other roles. Roles may include system privileges, object privileges or other roles. This unified audit action enables logging of all DROP ROLE statements, whether successful or unsuccessful, issued by users regardless of the privileges held by those users to issue such statements.
Rationale:
Logging and monitoring of all attempts to drop roles, whether successful or unsuccessful, may provide clues and forensic evidence about potentially suspicious or unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving DROP ROLE.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'DROP ROLE' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';
Lack of results implies compliance.
Remediation:
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS DROP ROLE;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.
5.2.7 Enable 'GRANT' Action Audit (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
GRANT SQL statements are used to grant privileges to Oracle database users and roles, including the most powerful privileges and roles typically available to the database administrators. This unified audit action enables logging of all GRANT statements, whether successful or unsuccessful, issued by users regardless of the privileges held by those users to issue such statements.
Rationale:
With unauthorized grants and permissions, a malicious user may be able to change the security of the database, access or update confidential data, or compromise the integrity of the database. Logging and monitoring of all attempts to grant system privileges, object privileges or roles, whether successful or unsuccessful, may provide forensic evidence about potentially suspicious or unauthorized activities as well as privilege escalation activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving GRANT.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'GRANT' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';
Lack of results implies compliance.
Remediation:
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS GRANT;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.
5.2.8 Enable 'REVOKE' Action Audit (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
REVOKE SQL statements are used to revoke privileges from Oracle database users and roles. This unified audit action enables logging of all REVOKE statements, whether successful or unsuccessful, issued by users regardless of the privileges held by those users to issue such statements.
Rationale:
Logging and monitoring of all attempts to revoke system privileges, object privileges or roles, whether successful or unsuccessful, may provide clues and forensic evidence about potentially suspicious or unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving REVOKE.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'REVOKE' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';
Lack of results implies compliance.
Remediation:
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS REVOKE;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.
5.2.9 Enable 'CREATE PROFILE' Action Audit (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
Oracle Database Profiles are used to enforce resource usage limits and implement password policies such as password complexity rules and reuse restrictions. This unified audit action enables logging of all CREATE PROFILE statements, whether successful or unsuccessful, issued by users regardless of the privileges held by those users to issue such statements.
Rationale:
Logging and monitoring of all attempts to create profiles, whether successful or unsuccessful, may provide clues and forensic evidence about potentially suspicious or unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving creation of database profiles.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'CREATE PROFILE' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';
Lack of results implies compliance.
Remediation:
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS CREATE PROFILE;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.
5.2.10 Enable 'ALTER PROFILE' Action Audit (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
Oracle Database Profiles are used to enforce resource usage limits and implement password policies such as password complexity rules and reuse restrictions. This unified audit action enables logging of all ALTER PROFILE statements, whether successful or unsuccessful, issued by users regardless of the privileges held by those users to issue such statements.
Rationale:
Logging and monitoring of all attempts to alter profiles, whether successful or unsuccessful, may provide forensic evidence about potentially suspicious or unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving alteration of database profiles.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'ALTER PROFILE' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';
Lack of results implies compliance.
Remediation:
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS ALTER PROFILE;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.
5.2.11 Enable 'DROP PROFILE' Action Audit (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
Oracle Database Profiles are used to enforce resource usage limits and implement password policies such as password complexity rules and reuse restrictions. This unified audit action enables logging of all DROP PROFILE statements, whether successful or unsuccessful, issued by users regardless of the privileges held by those users to issue such statements.
Rationale:
Logging and monitoring of all attempts to drop profiles, whether successful or unsuccessful, may provide clues and forensic evidence about potentially suspicious or unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving dropping of database profiles.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'DROP PROFILE' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';
Lack of results implies compliance.
Remediation:
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS DROP PROFILE;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.
5.2.12 Enable 'CREATE DATABASE LINK' Action Audit (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
Oracle Database Links are used to establish database-to-database connections to other databases. These connections are available without further authentication once the link is established. This unified audit action enables logging of all CREATE DATABASE LINK or CREATE PUBLIC DATABASE LINK statements, whether successful or unsuccessful, issued by users regardless of the privileges held by those users to issue such statements.
Rationale:
Logging and monitoring of all attempts to create database links, whether successful or unsuccessful, may provide forensic evidence about potentially suspicious or unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving creation of database links.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'CREATE DATABASE LINK' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';
Lack of results implies compliance.
Remediation:
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS CREATE DATABASE LINK;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.
5.2.13 Enable 'ALTER DATABASE LINK' Action Audit (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
Oracle Database Links are used to establish database-to-database connections to other databases. These connections are always available without further authentication once the link is established. This unified audit action enables logging of all ALTER DATABASE LINK or ALTER PUBLIC DATABASE LINK statements, whether successful or unsuccessful, issued by users regardless of the privileges held by those users to issue such statements.
Rationale:
Logging and monitoring of all attempts to alter database links, whether successful or unsuccessful, may provide forensic evidence about potentially suspicious or unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving alteration of database links.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'ALTER DATABASE LINK' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';
Lack of results implies compliance.
Remediation:
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS ALTER DATABASE LINK;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.
5.2.14 Enable 'DROP DATABASE LINK' Action Audit (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
Oracle Database Links are used to establish database-to-database connections to other databases. These connections are always available without further authentication once the link is established. This unified audit action enables logging of all DROP DATABASE LINK or DROP PUBLIC DATABASE LINK statements, whether successful or unsuccessful, issued by users regardless of the privileges held by those users to issue such statements.
Rationale:
Logging and monitoring of all attempts to drop database links, whether successful or unsuccessful, may provide forensic evidence about potentially suspicious or unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving dropping of database links.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'DROP DATABASE LINK' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';
Lack of results implies compliance.
Remediation:
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS DROP DATABASE LINK;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.
5.2.15 Enable 'CREATE SYNONYM' Action Audit (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
An Oracle database synonym is used to create an alternative name for a database object such as a table, view, procedure, Java object or even another synonym. This unified audit action enables logging of all CREATE SYNONYM or CREATE PUBLIC SYNONYM statements, whether successful or unsuccessful, issued by users regardless of the privileges held by those users to issue such statements.
Rationale:
Logging and monitoring of all attempts to create synonyms, whether successful or unsuccessful, may provide clues and forensic evidence about potentially suspicious or unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving creation of synonyms or public synonyms.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'CREATE SYNONYM' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';
Lack of results implies compliance.
Remediation:
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS CREATE SYNONYM;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.
5.2.16 Enable 'ALTER SYNONYM' Action Audit (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
An Oracle database synonym is used to create an alternative name for a database object such as a table, view, procedure, Java object or even another synonym. This unified audit action enables logging of all ALTER SYNONYM or ALTER PUBLIC SYNONYM statements, whether successful or unsuccessful, issued by users regardless of the privileges held by those users to issue such statements.
Rationale:
Logging and monitoring of all attempts to alter synonyms, whether successful or unsuccessful, may provide clues and forensic evidence about potentially suspicious or unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving alteration of synonyms or public synonyms.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'ALTER SYNONYM' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';
Lack of results implies compliance.
Remediation:
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS ALTER SYNONYM;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.
5.2.17 Enable 'DROP SYNONYM' Action Audit (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
An Oracle database synonym is used to create an alternative name for a database object such as a table, view, procedure, Java object or even another synonym. This unified audit action enables logging of all DROP SYNONYM or DROP PUBLIC SYNONYM statements, whether successful or unsuccessful, issued by users regardless of the privileges held by those users to issue such statements.
Rationale:
Logging and monitoring of all attempts to drop synonyms, whether successful or unsuccessful, may provide forensic evidence about potentially suspicious or unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving dropping of synonyms or public synonyms.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'DROP SYNONYM' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';
Lack of results implies compliance.
Remediation:
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS DROP SYNONYM;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.
5.2.18 Enable 'SELECT ANY DICTIONARY' Privilege Audit (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
The SELECT ANY DICTIONARY system privilege allows the user to view the definition of all schema objects in the database. It grants SELECT privileges on the data dictionary objects to the grantees, including SELECT on DBA_ views, V$ views, X$ views and underlying SYS tables such as TAB$, OBJ$, etc. This privilege also allows grantees to create stored objects such as procedures, packages or views on the underlying data dictionary objects. Please note that this privilege does not grant SELECT on tables with password hashes such as USER$, DEFAULT_PWD$, LINK$ and USER_HISTORY$. This audit enables logging of activities that exercise this privilege.
Rationale:
Logging and monitoring of all attempts to access the data dictionary, whether successful or unsuccessful, may provide clues and forensic evidence about potentially suspicious or unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving access to the database.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'SELECT ANY DICTIONARY' AND AUD.AUDIT_OPTION_TYPE = 'SYSTEM PRIVILEGE' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';
Lack of results implies compliance.
Remediation:
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD PRIVILEGES SELECT ANY DICTIONARY;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.
5.2.19 Enable 'UNIFIED_AUDIT_TRAIL' Access Audit (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
The UNIFIED_AUDIT_TRAIL view holds the audit trail records generated by the database. This audit action enables logging of all access attempts to the UNIFIED_AUDIT_TRAIL view, whether successful or unsuccessful, regardless of the privileges held by the users to issue such statements.
Rationale:
Logging and monitoring of all attempts to access the UNIFIED_AUDIT_TRAIL view, whether successful or unsuccessful, may provide clues and forensic evidence about potentially suspicious or unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving access to this view.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'ALL' AND AUD.AUDIT_OPTION_TYPE = 'OBJECT ACTION' AND AUD.OBJECT_SCHEMA = 'SYS' AND AUD.OBJECT_NAME = 'UNIFIED_AUDIT_TRAIL' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';
Lack of results implies compliance.
Remediation:
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS ALL ON SYS.UNIFIED_AUDIT_TRAIL;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.
5.2.20 Enable 'CREATE PROCEDURE/FUNCTION/PACKAGE/PACKAGE BODY' Action Audit (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
Oracle database procedures, functions and packages, which are stored within the database, are created to perform business functions and access the database as defined by the PL/SQL code and SQL statements contained within these objects. This unified audit action enables logging of all CREATE PROCEDURE, CREATE FUNCTION, CREATE PACKAGE or CREATE PACKAGE BODY statements, whether successful or unsuccessful, issued by users regardless of the privileges held by those users to issue such statements.
Rationale:
Logging and monitoring of all attempts to create procedures, functions, packages or package bodies, whether successful or unsuccessful, may provide clues and forensic evidence about potentially suspicious or unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving creation of procedures, functions, packages or package bodies.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT * FROM AUDIT_UNIFIED_ENABLED_POLICIES ENABLED
WHERE ENABLED.SUCCESS = 'YES'
  AND ENABLED.FAILURE = 'YES'
  AND ENABLED.ENABLED_OPT = 'BY'
  AND ENABLED.USER_NAME = 'ALL USERS'
  AND EXISTS (SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD
              WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME
                AND AUD.AUDIT_OPTION = 'CREATE PROCEDURE'
                AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION')
  AND EXISTS (SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD
              WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME
                AND AUD.AUDIT_OPTION = 'CREATE FUNCTION'
                AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION')
  AND EXISTS (SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD
              WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME
                AND AUD.AUDIT_OPTION = 'CREATE PACKAGE'
                AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION')
  AND EXISTS (SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD
              WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME
                AND AUD.AUDIT_OPTION = 'CREATE PACKAGE BODY'
                AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION');
Lack of results implies compliance.
Remediation:
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS CREATE PROCEDURE, CREATE FUNCTION, CREATE PACKAGE, CREATE PACKAGE BODY;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.
5.2.21 Enable 'ALTER PROCEDURE/FUNCTION/PACKAGE/PACKAGE BODY' Action Audit (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
Oracle database procedures, functions and packages, which are stored within the database, are created to carry out business functions and access the database as defined by the PL/SQL code and SQL statements contained within these objects. This unified audit action enables logging of all ALTER PROCEDURE, ALTER FUNCTION, ALTER PACKAGE or ALTER PACKAGE BODY statements, successful or unsuccessful, issued by users regardless of the privileges held by the users to issue such statements.
Rationale:
Unauthorized alteration of procedures, functions, packages or package bodies may impact critical business functions or compromise the integrity of the database. Logging and monitoring of all attempts, whether successful or unsuccessful, to alter procedures, functions, packages or package bodies may provide clues and forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving alteration of procedures, functions, packages or package bodies.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT *
  FROM AUDIT_UNIFIED_ENABLED_POLICIES ENABLED
 WHERE ENABLED.SUCCESS = 'YES'
   AND ENABLED.FAILURE = 'YES'
   AND ENABLED.ENABLED_OPT = 'BY'
   AND ENABLED.USER_NAME = 'ALL USERS'
   AND EXISTS (SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD
                WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME
                  AND AUD.AUDIT_OPTION = 'ALTER PROCEDURE'
                  AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION')
   AND EXISTS (SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD
                WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME
                  AND AUD.AUDIT_OPTION = 'ALTER FUNCTION'
                  AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION')
   AND EXISTS (SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD
                WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME
                  AND AUD.AUDIT_OPTION = 'ALTER PACKAGE'
                  AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION')
   AND EXISTS (SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD
                WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME
                  AND AUD.AUDIT_OPTION = 'ALTER PACKAGE BODY'
                  AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION');
Each returned row is an enabled policy that audits all four ALTER actions for all users, on both successful and unsuccessful statements. Lack of results implies non-compliance: no enabled policy audits all of these actions for all users on both success and failure.
Remediation:
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS ALTER PROCEDURE, ALTER FUNCTION, ALTER PACKAGE, ALTER PACKAGE BODY;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using a CREATE AUDIT POLICY statement and enable it with AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY; the audit query above only recognizes policies that are enabled for all users.
5.2.22 Enable 'DROP PROCEDURE/FUNCTION/PACKAGE/PACKAGE BODY' Action Audit (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
Oracle database procedures, functions and packages, which are stored within the database, are created to carry out business functions and access the database as defined by the PL/SQL code and SQL statements contained within these objects. This unified audit action enables logging of all DROP PROCEDURE, DROP FUNCTION, DROP PACKAGE or DROP PACKAGE BODY statements, successful or unsuccessful, issued by users regardless of the privileges held by the users to issue such statements.
Rationale:
Logging and monitoring of all attempts, whether successful or unsuccessful, to drop procedures, functions, packages or package bodies may provide forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving dropping of procedures, functions, packages or package bodies.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT *
  FROM AUDIT_UNIFIED_ENABLED_POLICIES ENABLED
 WHERE ENABLED.SUCCESS = 'YES'
   AND ENABLED.FAILURE = 'YES'
   AND ENABLED.ENABLED_OPT = 'BY'
   AND ENABLED.USER_NAME = 'ALL USERS'
   AND EXISTS (SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD
                WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME
                  AND AUD.AUDIT_OPTION = 'DROP PROCEDURE'
                  AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION')
   AND EXISTS (SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD
                WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME
                  AND AUD.AUDIT_OPTION = 'DROP FUNCTION'
                  AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION')
   AND EXISTS (SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD
                WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME
                  AND AUD.AUDIT_OPTION = 'DROP PACKAGE'
                  AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION')
   AND EXISTS (SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD
                WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME
                  AND AUD.AUDIT_OPTION = 'DROP PACKAGE BODY'
                  AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION');
Each returned row is an enabled policy that audits all four DROP actions for all users, on both successful and unsuccessful statements. Lack of results implies non-compliance: no enabled policy audits all of these actions for all users on both success and failure.
Remediation:
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS DROP PROCEDURE, DROP FUNCTION, DROP PACKAGE, DROP PACKAGE BODY;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using a CREATE AUDIT POLICY statement and enable it with AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY; the audit query above only recognizes policies that are enabled for all users.
5.2.23 Enable 'ALTER SYSTEM' Privilege Audit (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
The ALTER SYSTEM privilege allows a user to change instance settings, which could impact the security posture, performance or normal operation of the database. Additionally, the ALTER SYSTEM privilege may be used to run operating system commands using undocumented Oracle functionality. This unified audit enables logging of all ALTER SYSTEM statements, whether successful or unsuccessful, issued by users regardless of the privileges held by the users to issue such statements. (The remediation below audits ALTER SYSTEM as a standard action, so every ALTER SYSTEM statement is recorded, not only those that pass the privilege check.)
Rationale:
Logging and monitoring of all attempts to execute ALTER SYSTEM statements, whether successful or unsuccessful, may provide forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities that involve ALTER SYSTEM statements.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE
  FROM AUDIT_UNIFIED_POLICIES AUD,
       AUDIT_UNIFIED_ENABLED_POLICIES ENABLED
 WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME
   AND AUD.AUDIT_OPTION = 'ALTER SYSTEM'
   AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION'
   AND ENABLED.SUCCESS = 'YES'
   AND ENABLED.FAILURE = 'YES'
   AND ENABLED.ENABLED_OPT = 'BY'
   AND ENABLED.USER_NAME = 'ALL USERS';
Each returned row is an enabled policy that audits ALTER SYSTEM for all users, on both successful and unsuccessful statements. Lack of results implies non-compliance.
Remediation:
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS ALTER SYSTEM;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using a CREATE AUDIT POLICY statement and enable it with AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY; the audit query above only recognizes policies that are enabled for all users.
5.2.24 Enable 'CREATE TRIGGER' Action Audit (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
Oracle database triggers are executed automatically when specified conditions on the underlying objects occur. Trigger bodies contain code, quite often to perform data validation, ensure data integrity/security or enforce critical constraints on allowable actions on data. This unified audit action enables logging of all CREATE TRIGGER statements, whether successful or unsuccessful, issued by users regardless of the privileges held by the users to issue such statements.
Rationale:
Logging and monitoring of all attempts to create triggers, whether successful or unsuccessful, may provide clues and forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving creation of triggers.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE
  FROM AUDIT_UNIFIED_POLICIES AUD,
       AUDIT_UNIFIED_ENABLED_POLICIES ENABLED
 WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME
   AND AUD.AUDIT_OPTION = 'CREATE TRIGGER'
   AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION'
   AND ENABLED.SUCCESS = 'YES'
   AND ENABLED.FAILURE = 'YES'
   AND ENABLED.ENABLED_OPT = 'BY'
   AND ENABLED.USER_NAME = 'ALL USERS';
Each returned row is an enabled policy that audits CREATE TRIGGER for all users, on both successful and unsuccessful statements. Lack of results implies non-compliance.
Remediation:
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS CREATE TRIGGER;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using a CREATE AUDIT POLICY statement and enable it with AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY; the audit query above only recognizes policies that are enabled for all users.
5.2.25 Enable 'ALTER TRIGGER' Action Audit (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
Oracle database triggers are executed automatically when specified conditions on the underlying objects occur. Trigger bodies contain code, quite often to perform data validation, ensure data integrity/security or enforce critical constraints on allowable actions on data. This unified audit action enables logging of all ALTER TRIGGER statements, whether successful or unsuccessful, issued by users regardless of the privileges held by the users to issue such statements.
Rationale:
Unauthorized alteration of triggers may impact critical business functions or compromise the integrity/security of the database. Logging and monitoring of all attempts to alter triggers, whether successful or unsuccessful, may provide clues and forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving alteration of triggers.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE
  FROM AUDIT_UNIFIED_POLICIES AUD,
       AUDIT_UNIFIED_ENABLED_POLICIES ENABLED
 WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME
   AND AUD.AUDIT_OPTION = 'ALTER TRIGGER'
   AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION'
   AND ENABLED.SUCCESS = 'YES'
   AND ENABLED.FAILURE = 'YES'
   AND ENABLED.ENABLED_OPT = 'BY'
   AND ENABLED.USER_NAME = 'ALL USERS';
Each returned row is an enabled policy that audits ALTER TRIGGER for all users, on both successful and unsuccessful statements. Lack of results implies non-compliance.
Remediation:
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS ALTER TRIGGER;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using a CREATE AUDIT POLICY statement and enable it with AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY; the audit query above only recognizes policies that are enabled for all users.
5.2.26 Enable 'DROP TRIGGER' Action Audit (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
Oracle database triggers are executed automatically when specified conditions on the underlying objects occur. Trigger bodies contain code, quite often to perform data validation, ensure data integrity/security or enforce critical constraints on allowable actions on data. This unified audit action enables logging of all DROP TRIGGER statements, whether successful or unsuccessful, issued by users regardless of the privileges held by the users to issue such statements.
Rationale:
Logging and monitoring of all attempts to drop triggers, whether successful or unsuccessful, may provide forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving dropping of triggers.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE
  FROM AUDIT_UNIFIED_POLICIES AUD,
       AUDIT_UNIFIED_ENABLED_POLICIES ENABLED
 WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME
   AND AUD.AUDIT_OPTION = 'DROP TRIGGER'
   AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION'
   AND ENABLED.SUCCESS = 'YES'
   AND ENABLED.FAILURE = 'YES'
   AND ENABLED.ENABLED_OPT = 'BY'
   AND ENABLED.USER_NAME = 'ALL USERS';
Each returned row is an enabled policy that audits DROP TRIGGER for all users, on both successful and unsuccessful statements. Lack of results implies non-compliance.
Remediation:
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS DROP TRIGGER;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using a CREATE AUDIT POLICY statement and enable it with AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY; the audit query above only recognizes policies that are enabled for all users.
5.2.27 Enable 'LOGON' AND 'LOGOFF' Actions Audit (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
Oracle database users log on to the database to perform their work. This unified audit action enables logging of all LOGON actions, whether successful or unsuccessful, issued by users regardless of the privileges held by the users to log in to the database. In addition, the LOGOFF action audit captures logoff activities. This audit action also captures logon/logoff to the open database by SYSDBA and SYSOPER.
Rationale:
Logging and monitoring of all attempts to log on to the database, whether successful or unsuccessful, may provide forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving LOGON and LOGOFF.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT *
  FROM AUDIT_UNIFIED_ENABLED_POLICIES ENABLED
 WHERE ENABLED.SUCCESS = 'YES'
   AND ENABLED.FAILURE = 'YES'
   AND ENABLED.ENABLED_OPT = 'BY'
   AND ENABLED.USER_NAME = 'ALL USERS'
   AND EXISTS (SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD
                WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME
                  AND AUD.AUDIT_OPTION = 'LOGON'
                  AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION')
   AND EXISTS (SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD
                WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME
                  AND AUD.AUDIT_OPTION = 'LOGOFF'
                  AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION');
Each returned row is an enabled policy that audits both LOGON and LOGOFF for all users, on both successful and unsuccessful attempts. Lack of results implies non-compliance: no enabled policy audits both actions for all users on both success and failure.
Remediation:
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS LOGON, LOGOFF;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using a CREATE AUDIT POLICY statement and enable it with AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY; the audit query above only recognizes policies that are enabled for all users.
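The notes in 5.2.20 through 5.2.27 refer to a CREATE AUDIT POLICY statement without showing one, and each audit query only recognizes a policy that is enabled for all users on both success and failure. The following is an added example, not text from the CIS Benchmark: it creates CIS_UNIFIED_AUDIT_POLICY (the policy name the recommendations assume) with the actions from 5.2.20 through 5.2.27, enables it, and then reports each required action as COVERED or MISSING using the same conditions the individual audit queries use. The recommendation labels and the COVERED/MISSING wording are this example's own. Creating, altering and enabling a unified audit policy requires the AUDIT_ADMIN role.

```sql
-- Added example, not part of the CIS Benchmark text. Run as a user holding AUDIT_ADMIN.

-- 1. Create the policy the 5.2.x recommendations assume, covering 5.2.20 - 5.2.27
--    in one statement. This fails if the policy already exists; in that case use the
--    ALTER AUDIT POLICY ... ADD ACTIONS statements from the individual recommendations.
CREATE AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY
  ACTIONS CREATE PROCEDURE, CREATE FUNCTION, CREATE PACKAGE, CREATE PACKAGE BODY,
          ALTER PROCEDURE,  ALTER FUNCTION,  ALTER PACKAGE,  ALTER PACKAGE BODY,
          DROP PROCEDURE,   DROP FUNCTION,   DROP PACKAGE,   DROP PACKAGE BODY,
          ALTER SYSTEM,
          CREATE TRIGGER, ALTER TRIGGER, DROP TRIGGER,
          LOGON, LOGOFF;

-- 2. Enable it. With no BY/EXCEPT and no WHENEVER clause the policy applies to all
--    users and to both successful and failed statements, which is what the audit
--    queries test for (USER_NAME = 'ALL USERS', ENABLED_OPT = 'BY',
--    SUCCESS = 'YES', FAILURE = 'YES'). A policy that is only created, not enabled,
--    never appears in AUDIT_UNIFIED_ENABLED_POLICIES and so never passes the checks.
AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY;

-- 3. Gap report: one row per required action, MISSING when no enabled all-users
--    policy audits it on both success and failure. Replaces the eight separate queries.
SELECT r.recommendation,
       r.audit_option,
       CASE WHEN EXISTS (
              SELECT 1
                FROM AUDIT_UNIFIED_ENABLED_POLICIES e
                JOIN AUDIT_UNIFIED_POLICIES p
                  ON p.POLICY_NAME = e.POLICY_NAME
               WHERE p.AUDIT_OPTION      = r.audit_option
                 AND p.AUDIT_OPTION_TYPE = 'STANDARD ACTION'
                 AND e.SUCCESS     = 'YES'
                 AND e.FAILURE     = 'YES'
                 AND e.ENABLED_OPT = 'BY'
                 AND e.USER_NAME   = 'ALL USERS')
            THEN 'COVERED' ELSE 'MISSING' END AS status
  FROM (SELECT '5.2.20' AS recommendation, 'CREATE PROCEDURE'    AS audit_option FROM DUAL UNION ALL
        SELECT '5.2.20', 'CREATE FUNCTION'     FROM DUAL UNION ALL
        SELECT '5.2.20', 'CREATE PACKAGE'      FROM DUAL UNION ALL
        SELECT '5.2.20', 'CREATE PACKAGE BODY' FROM DUAL UNION ALL
        SELECT '5.2.21', 'ALTER PROCEDURE'     FROM DUAL UNION ALL
        SELECT '5.2.21', 'ALTER FUNCTION'      FROM DUAL UNION ALL
        SELECT '5.2.21', 'ALTER PACKAGE'       FROM DUAL UNION ALL
        SELECT '5.2.21', 'ALTER PACKAGE BODY'  FROM DUAL UNION ALL
        SELECT '5.2.22', 'DROP PROCEDURE'      FROM DUAL UNION ALL
        SELECT '5.2.22', 'DROP FUNCTION'       FROM DUAL UNION ALL
        SELECT '5.2.22', 'DROP PACKAGE'        FROM DUAL UNION ALL
        SELECT '5.2.22', 'DROP PACKAGE BODY'   FROM DUAL UNION ALL
        SELECT '5.2.23', 'ALTER SYSTEM'        FROM DUAL UNION ALL
        SELECT '5.2.24', 'CREATE TRIGGER'      FROM DUAL UNION ALL
        SELECT '5.2.25', 'ALTER TRIGGER'       FROM DUAL UNION ALL
        SELECT '5.2.26', 'DROP TRIGGER'        FROM DUAL UNION ALL
        SELECT '5.2.27', 'LOGON'               FROM DUAL UNION ALL
        SELECT '5.2.27', 'LOGOFF'              FROM DUAL) r
 ORDER BY r.recommendation, r.audit_option;
```

The gap report differs from the queries in 5.2.20, 5.2.21, 5.2.22 and 5.2.27 in one respect: those require all of a recommendation's actions to sit in the same enabled policy, whereas the report accepts any enabled all-users policy per action, so a site that splits the actions across several policies is reported as covered rather than missing. Any MISSING row maps directly to the ALTER AUDIT POLICY ... ADD ACTIONS statement of the recommendation it is labelled with.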
6 Appendix: Establishing an Audit/Scan User
This document has been authored with the expectation that a user with appropriate permissions will be used to execute the queries and perform other assessment actions. While this could be accomplished by granting DBA privileges to a given user, the preferred approach is to create a dedicated user and grant it only the specific permissions required to perform the assessments expressed herein. Doing this avoids any user assessing the system needing to be granted DBA privileges.
The recommendations expressed in this document assume the presence of a role named CISSCANROLE and a user named CISSCAN. This role and user should be created by executing the following SQL statements, being careful to substitute an appropriate password for <password>.
-- Create the role
CREATE ROLE CISSCANROLE;
-- Grant necessary privileges to the role
GRANT CREATE SESSION TO CISSCANROLE;
GRANT SELECT ON V_$PARAMETER TO CISSCANROLE;
GRANT SELECT ON DBA_TAB_PRIVS TO CISSCANROLE;
GRANT SELECT ON DBA_PROFILES TO CISSCANROLE;
GRANT SELECT ON DBA_SYS_PRIVS TO CISSCANROLE;
GRANT SELECT ON DBA_STMT_AUDIT_OPTS TO CISSCANROLE;
GRANT SELECT ON DBA_ROLE_PRIVS TO CISSCANROLE;
GRANT SELECT ON DBA_OBJ_AUDIT_OPTS TO CISSCANROLE;
GRANT SELECT ON DBA_PRIV_AUDIT_OPTS TO CISSCANROLE;
GRANT SELECT ON DBA_PROXIES TO CISSCANROLE;
GRANT SELECT ON DBA_USERS TO CISSCANROLE;
GRANT SELECT ON DBA_USERS_WITH_DEFPWD TO CISSCANROLE;
GRANT AUDIT_VIEWER TO CISSCANROLE;
-- Create the user and assign the user to the role
CREATE USER CISSCAN IDENTIFIED BY <password>;
GRANT CISSCANROLE TO CISSCAN;
The unified auditing queries in section 5.2 read AUDIT_UNIFIED_POLICIES and AUDIT_UNIFIED_ENABLED_POLICIES; if those queries fail for CISSCAN with a table-or-view-does-not-exist error, grant SELECT on those two views to CISSCANROLE as well.
If you rely on similar roles and/or users which are not named CISSCANROLE or CISSCAN, or if you have roles or users named CISSCANROLE or CISSCAN intended to be used for different purposes, be aware that some recommendations herein explicitly name CISSCANROLE and CISSCAN.
These are:
• 3.10 Ensure No Users Are Assigned the 'DEFAULT' Profile
• 4.5.5 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'DBA_%'
Note that different organizations may wish to follow the instructions in this appendix in different ways. For more permanent or regular assessment scans, it may be acceptable to retain the CISSCANROLE role and CISSCAN user indefinitely. However, in a consultative context where an assessment is perhaps run at the outset of the consulting engagement and again closer to the end, after any remediation has been performed, the CISSCANROLE role and CISSCAN user may be dropped. Such a decision is ultimately left up to the implementing organization.
Appendix: Summary Table
Each scored control is followed by two check boxes for the "Set Correctly" column: Yes o / No o.

1 Oracle Database Installation and Patching Requirements
1.1 Ensure the Appropriate Version/Patches for Oracle Software Is Installed (Not Scored)  o  o
1.2 Ensure All Default Passwords Are Changed (Scored)  o  o
1.3 Ensure All Sample Data And Users Have Been Removed (Scored)  o  o
2 Oracle Parameter Settings
2.1 Listener Settings
2.1.1 Ensure 'SECURE_CONTROL_<listener_name>' Is Set In 'listener.ora' (Scored)  o  o
2.1.2 Ensure 'extproc' Is Not Present in 'listener.ora' (Scored)  o  o
2.1.3 Ensure 'ADMIN_RESTRICTIONS_<listener_name>' Is Set to 'ON' (Scored)  o  o
2.1.4 Ensure 'SECURE_REGISTER_<listener_name>' Is Set to 'TCPS' or 'IPC' (Scored)  o  o
2.2 Database Settings
2.2.1 Ensure 'AUDIT_SYS_OPERATIONS' Is Set to 'TRUE' (Scored)  o  o
2.2.2 Ensure 'AUDIT_TRAIL' Is Set to 'OS', 'DB,EXTENDED', or 'XML,EXTENDED' (Scored)  o  o
2.2.3 Ensure 'GLOBAL_NAMES' Is Set to 'TRUE' (Scored)  o  o
2.2.4 Ensure 'LOCAL_LISTENER' Is Set Appropriately (Scored)  o  o
2.2.5 Ensure 'O7_DICTIONARY_ACCESSIBILITY' Is Set to 'FALSE' (Scored)  o  o
2.2.6 Ensure 'OS_ROLES' Is Set to 'FALSE' (Scored)  o  o
2.2.7 Ensure 'REMOTE_LISTENER' Is Empty (Scored)  o  o
2.2.8 Ensure 'REMOTE_LOGIN_PASSWORDFILE' Is Set to 'NONE' (Scored)  o  o
2.2.9 Ensure 'REMOTE_OS_AUTHENT' Is Set to 'FALSE' (Scored)  o  o
2.2.10 Ensure 'REMOTE_OS_ROLES' Is Set to 'FALSE' (Scored)  o  o
2.2.11 Ensure 'UTL_FILE_DIR' Is Empty (Scored)  o  o
2.2.12 Ensure 'SEC_CASE_SENSITIVE_LOGON' Is Set to 'TRUE' (Scored)  o  o
2.2.13 Ensure 'SEC_MAX_FAILED_LOGIN_ATTEMPTS' Is '10' (Scored)  o  o
2.2.14 Ensure 'SEC_PROTOCOL_ERROR_FURTHER_ACTION' Is Set to 'DELAY,3' or 'DROP,3' (Scored)  o  o
2.2.15 Ensure 'SEC_PROTOCOL_ERROR_TRACE_ACTION' Is Set to 'LOG' (Scored)  o  o
2.2.16 Ensure 'SEC_RETURN_SERVER_RELEASE_BANNER' Is Set to 'FALSE' (Scored)  o  o
2.2.17 Ensure 'SQL92_SECURITY' Is Set to 'TRUE' (Scored)  o  o
2.2.18 Ensure '_TRACE_FILES_PUBLIC' Is Set to 'FALSE' (Scored)  o  o
2.2.19 Ensure 'RESOURCE_LIMIT' Is Set to 'TRUE' (Scored)  o  o
3 Oracle Connection and Login Restrictions
3.1 Ensure 'FAILED_LOGIN_ATTEMPTS' Is Less than or Equal to '5' (Scored)  o  o
3.2 Ensure 'PASSWORD_LOCK_TIME' Is Greater than or Equal to '1' (Scored)  o  o
3.3 Ensure 'PASSWORD_LIFE_TIME' Is Less than or Equal to '90' (Scored)  o  o
3.4 Ensure 'PASSWORD_REUSE_MAX' Is Greater than or Equal to '20' (Scored)  o  o
3.5 Ensure 'PASSWORD_REUSE_TIME' Is Greater than or Equal to '365' (Scored)  o  o
3.6 Ensure 'PASSWORD_GRACE_TIME' Is Less than or Equal to '5' (Scored)  o  o
3.7 Ensure 'DBA_USERS.PASSWORD' Is Not Set to 'EXTERNAL' for Any User (Scored)  o  o
3.8 Ensure 'PASSWORD_VERIFY_FUNCTION' Is Set for All Profiles (Scored)  o  o
3.9 Ensure 'SESSIONS_PER_USER' Is Less than or Equal to '10' (Scored)  o  o
3.10 Ensure No Users Are Assigned the 'DEFAULT' Profile (Scored)  o  o
4 Oracle User Access and Authorization Restrictions
4.1 Default Public Privileges for Packages and Object Types
4.1.1 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_ADVISOR' (Scored)  o  o
4.1.2 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_CRYPTO' (Scored)  o  o
4.1.3 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_JAVA' (Scored)  o  o
4.1.4 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_JAVA_TEST' (Scored)  o  o
4.1.5 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_JOB' (Scored)  o  o
4.1.6 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_LDAP' (Scored)  o  o
4.1.7 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_LOB' (Scored)  o  o
4.1.8 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_OBFUSCATION_TOOLKIT' (Scored)  o  o
4.1.9 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_RANDOM' (Scored)  o  o
4.1.10 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_SCHEDULER' (Scored)  o  o
4.1.11 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_SQL' (Scored)  o  o
4.1.12 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_XMLGEN' (Scored)  o  o
4.1.13 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_XMLQUERY' (Scored)  o  o
4.1.14 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_FILE' (Scored)  o  o
4.1.15 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_INADDR' (Scored)  o  o
4.1.16 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_TCP' (Scored)  o  o
4.1.17 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_MAIL' (Scored)  o  o
4.1.18 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_SMTP' (Scored)  o  o
4.1.19 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_DBWS' (Scored)  o  o
4.1.20 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_ORAMTS' (Scored)  o  o
4.1.21 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_HTTP' (Scored)  o  o
4.1.22 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'HTTPURITYPE' (Scored)  o  o
4.2 Revoke Non-Default Privileges for Packages and Object Types
4.2.1 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_SYS_SQL' (Scored)  o  o
4.2.2 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_BACKUP_RESTORE' (Scored)  o  o
4.2.3 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_AQADM_SYSCALLS' (Scored)  o  o
4.2.4 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_REPCAT_SQL_UTL' (Scored)  o  o
4.2.5 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'INITJVMAUX' (Scored)  o  o
4.2.6 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_STREAMS_ADM_UTL' (Scored)  o  o
4.2.7 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_AQADM_SYS' (Scored)  o  o
4.2.8 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_STREAMS_RPC' (Scored)  o  o
4.2.9 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_PRVTAQIM' (Scored)  o  o
4.2.10 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'LTADM' (Scored)  o  o
4.2.11 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'WWV_DBMS_SQL' (Scored)  o  o
4.2.12 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'WWV_EXECUTE_IMMEDIATE' (Scored)  o  o
4.2.13 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_IJOB' (Scored)  o  o
4.2.14 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_FILE_TRANSFER' (Scored)  o  o
4.3 Revoke Excessive System Privileges
4.3.1 Ensure 'SELECT_ANY_DICTIONARY' Is Revoked from Unauthorized 'GRANTEE' (Scored)  o  o
4.3.2 Ensure 'SELECT ANY TABLE' Is Revoked from Unauthorized 'GRANTEE' (Scored)  o  o
4.3.3 Ensure 'AUDIT SYSTEM' Is Revoked from Unauthorized 'GRANTEE' (Scored)  o  o
4.3.4 Ensure 'EXEMPT ACCESS POLICY' Is Revoked from Unauthorized 'GRANTEE' (Scored)  o  o
4.3.5 Ensure 'BECOME USER' Is Revoked from Unauthorized 'GRANTEE' (Scored)  o  o
4.3.6 Ensure 'CREATE_PROCEDURE' Is Revoked from Unauthorized 'GRANTEE' (Scored)  o  o
4.3.7 Ensure 'ALTER SYSTEM' Is Revoked from Unauthorized 'GRANTEE' (Scored)  o  o
4.3.8 Ensure 'CREATE ANY LIBRARY' Is Revoked from Unauthorized 'GRANTEE' (Scored)  o  o
4.3.9 Ensure 'CREATE LIBRARY' Is Revoked from Unauthorized 'GRANTEE' (Scored)  o  o
4.3.10 Ensure 'GRANT ANY OBJECT PRIVILEGE' Is Revoked from Unauthorized 'GRANTEE' (Scored)  o  o
4.3.11 Ensure 'GRANT ANY ROLE' Is Revoked from Unauthorized 'GRANTEE' (Scored)  o  o
4.3.12 Ensure 'GRANT ANY PRIVILEGE' Is Revoked from Unauthorized 'GRANTEE' (Scored)  o  o
4.4 Revoke Role Privileges
4.4.1 Ensure 'DELETE_CATALOG_ROLE' Is Revoked from Unauthorized 'GRANTEE' (Scored)  o  o
4.4.2 Ensure 'SELECT_CATALOG_ROLE' Is Revoked from Unauthorized 'GRANTEE' (Scored)  o  o
4.4.3 Ensure 'EXECUTE_CATALOG_ROLE' Is Revoked from Unauthorized 'GRANTEE' (Scored)  o  o
4.4.4 Ensure 'DBA' Is Revoked from Unauthorized 'GRANTEE' (Scored)  o  o
4.5 Revoke Excessive Table and View Privileges
4.5.1 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'AUD$' (Scored)  o  o
4.5.2 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'USER_HISTORY$' (Scored)  o  o
4.5.3 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'LINK$' (Scored)  o  o
4.5.4 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'SYS.USER$' (Scored)  o  o
4.5.5 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'DBA_%' (Scored)  o  o
4.5.6 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'SYS.SCHEDULER$_CREDENTIAL' (Scored)  o  o
4.5.7 Ensure 'SYS.USER$MIG' Has Been Dropped (Scored)  o  o
4.6 Ensure '%ANY%' Is Revoked from Unauthorized 'GRANTEE' (Scored)  o  o
4.7 Ensure 'DBA_SYS_PRIVS.%' Is Revoked from Unauthorized 'GRANTEE' with 'ADMIN_OPTION' Set to 'YES' (Scored)  o  o
4.8 Ensure Proxy Users Have Only 'CONNECT' Privilege (Scored)  o  o
4.9 Ensure 'EXECUTE ANY PROCEDURE' Is Revoked from 'OUTLN' (Scored)  o  o
4.10 Ensure 'EXECUTE ANY PROCEDURE' Is Revoked from 'DBSNMP' (Scored)  o  o
5 Audit/Logging Policies and Procedures
5.1 Traditional Auditing
5.1.1 Enable 'USER' Audit Option (Scored)  o  o
5.1.2 Enable 'ALTER USER' Audit Option (Scored)  o  o
5.1.3 Enable 'DROP USER' Audit Option (Scored)  o  o
5.1.4 Enable 'ROLE' Audit Option (Scored)  o  o
5.1.5 Enable 'SYSTEM GRANT' Audit Option (Scored)  o  o
5.1.6 Enable 'PROFILE' Audit Option (Scored)  o  o
5.1.7 Enable 'ALTER PROFILE' Audit Option (Scored)  o  o
5.1.8 Enable 'DROP PROFILE' Audit Option (Scored)  o  o
5.1.9 Enable 'DATABASE LINK' Audit Option (Scored)  o  o
5.1.10 Enable 'PUBLIC DATABASE LINK' Audit Option (Scored)  o  o
5.1.11 Enable 'PUBLIC SYNONYM' Audit Option (Scored)  o  o
5.1.12 Enable 'SYNONYM' Audit Option (Scored)  o  o
5.1.13 Enable 'GRANT DIRECTORY' Audit Option (Scored)  o  o
5.1.14 Enable 'SELECT ANY DICTIONARY' Audit Option (Scored)  o  o
5.1.15 Enable 'GRANT ANY OBJECT PRIVILEGE' Audit Option (Scored)  o  o
5.1.16 Enable 'GRANT ANY PRIVILEGE' Audit Option (Scored)  o  o
5.1.17 Enable 'DROP ANY PROCEDURE' Audit Option (Scored)  o  o
5.1.18 Enable 'ALL' Audit Option on 'SYS.AUD$' (Scored)  o  o
5.1.19 Enable 'PROCEDURE' Audit Option (Scored)  o  o
5.1.20 Enable 'ALTER SYSTEM' Audit Option (Scored)  o  o
5.1.21 Enable 'TRIGGER' Audit Option (Scored)  o  o
5.1.22 Enable 'CREATE SESSION' Audit Option (Scored)  o  o
5.2 Unified Auditing
5.2.1 Enable 'CREATE USER' Action Audit (Scored)  o  o
5.2.2 Enable 'ALTER USER' Action Audit (Scored)  o  o
5.2.3 Enable 'DROP USER' Audit Option (Scored)  o  o
5.2.4 Enable 'CREATE ROLE' Action Audit (Scored)  o  o
5.2.5 Enable 'ALTER ROLE' Action Audit (Scored)  o  o
5.2.6 Enable 'DROP ROLE' Action Audit (Scored)  o  o
5.2.7 Enable 'GRANT' Action Audit (Scored)  o  o
5.2.8 Enable 'REVOKE' Action Audit (Scored)  o  o
5.2.9 Enable 'CREATE PROFILE' Action Audit (Scored)  o  o
5.2.10 Enable 'ALTER PROFILE' Action Audit (Scored)  o  o
5.2.11 Enable 'DROP PROFILE' Action Audit (Scored)  o  o
5.2.12 Enable 'CREATE DATABASE LINK' Action Audit (Scored)  o  o
5.2.13 Enable 'ALTER DATABASE LINK' Action Audit (Scored)  o  o
5.2.14 Enable 'DROP DATABASE LINK' Action Audit (Scored)  o  o
5.2.15 Enable 'CREATE SYNONYM' Action Audit (Scored)  o  o
5.2.16 Enable 'ALTER SYNONYM' Action Audit (Scored)  o  o
5.2.17 Enable 'DROP SYNONYM' Action Audit (Scored)  o  o
5.2.18 Enable 'SELECT ANY DICTIONARY' Privilege Audit (Scored)  o  o
5.2.19 Enable 'UNIFIED_AUDIT_TRAIL' Access Audit (Scored)  o  o
5.2.20 Enable 'CREATE PROCEDURE/FUNCTION/PACKAGE/PACKAGE BODY' Action Audit (Scored)  o  o
5.2.21 Enable 'ALTER PROCEDURE/FUNCTION/PACKAGE/PACKAGE BODY' Action Audit (Scored)  o  o
5.2.22 Enable 'DROP PROCEDURE/FUNCTION/PACKAGE/PACKAGE BODY' Action Audit (Scored)  o  o
5.2.23 Enable 'ALTER SYSTEM' Privilege Audit (Scored)  o  o
5.2.24 Enable 'CREATE TRIGGER' Action Audit (Scored)  o  o
5.2.25 Enable 'ALTER TRIGGER' Action Audit (Scored)  o  o
5.2.26 Enable 'DROP TRIGGER' Action Audit (Scored)  o  o
5.2.27 Enable 'LOGON' AND 'LOGOFF' Actions Audit (Scored)  o  o
6 Appendix: Establishing an Audit/Scan User
Appendix: Change History
Date        Version  Changes for this version
04-29-2015  1.0.0    Initial Release
04-30-2015  1.1.0    Ticket #204: Clarification in overview for benchmark non-pluggable applicability
06-29-2015  1.1.0    Ticket #209: Add workflow advice to appendix about scan user
06-29-2015  1.1.0    Ticket #217: Corrected typo of "repact" with "repcat"
06-29-2015  1.1.0    Ticket #216: Updated remediation to reference [PRIVILEGE] list
06-29-2015  1.1.0    Ticket #213: Updated audit query for regex on APEX users
06-29-2015  1.1.0    Ticket #212: Corrected confusion between DBMS_RANDOM and DBMS_BACKUP_RESTORE
06-29-2015  1.1.0    Ticket #211: Corrected incorrect recommendation from 'FALSE' to 'TRUE'
06-29-2015  1.1.0    Ticket #203: Updated references from 11gR2 to 12c where possible
03-31-2016  1.2.0    Ticket #259: Added SYSMAN to list of authorized grantees for 4.4.2
03-31-2016  1.2.0    Ticket #258: Added APEX_050000; MGMT_VIEW; SYSMAN_MDS; SYSMAN_OPSS; SYSMAN_RO; SYSMAN_STB to list of authorized grantees in 4.3.6
03-31-2016  1.2.0    Ticket #256: Added SYSBACKUP and SYSDG to grantee list for 4.3.1
03-31-2016  1.2.0    Ticket #254: Updated recommendation text to say 'Less than or Equal to 10' on 2.13
03-31-2016  1.2.0    Ticket #241: Added missing semicolon in audit query on 5.1
03-31-2016  1.2.0    Ticket #253: Removed quotes from remediation command on 2.2.2
03-31-2016  1.2.0    Ticket #261: Added SYS to table owners and SYSMAN to list of authorized grantees for 4.5.4
03-31-2016  1.2.0    Ticket #263: Added SYS to list of table owners
03-31-2016  1.2.0    Ticket #264: Added APEX_050000; SYSMAN_STB; SYSMAN_TYPES to list of authorized grantees
03-31-2016  1.2.0    Ticket #225: Updated description and rationale for 2.2.17
03-31-2016  1.2.0    Ticket #251: Added AUDIT_ADMIN, AUDIT_VIEWER, CAPTURE_ADMIN, DBA, GSMADMIN_INTERNAL, ORACLE_OCM, SYSDG, SYSKM, XDB to list of authorized grantees
03-31-2016  1.2.0    Ticket #215: Revised LISTENER sections and included LISTENER_HOME references
03-31-2016  1.2.0    Ticket #242: Added missing semicolon to 4.1.4
03-31-2016  1.2.0    Ticket #266: Updated audit query to check for all privileges, not only roles
03-31-2016  1.2.0    Ticket #265: Added APEX_050000 to list of authorized grantees on 4.7
03-31-2016  1.2.0    Ticket #252: Update profile text (minor)
02-29-2016  2.0.0    Ticket #267: Added a caution statement about revoking privileges from PUBLIC.
10-18-2016  2.0.0    Ticket #207: Moved existing auditing recommendations to a subsection named Traditional Auditing (5.1) and added unified auditing recommendations under a sibling subsection called Unified Auditing (5.2).
10-18-2016  2.0.0    Ticket #275: Corrected reference included for 2.2.2
10-18-2016  2.0.0    Ticket #276: Added 'DB' and 'XML' as valid parameter values for 2.2.2
12-01-2016  2.0.0    Ticket #262: Updated grantee list and added a note regarding PUBLIC grants for 4.5.5
12-01-2016  2.0.0    Ticket #282: Corrected typo in 2.2.11 where it specified UTIL_FILE_DIR instead of UTL_FILE_DIR
12-01-2016  2.0.0    Ticket #283: Updated title to read "Ensure 'SEC_MAX_FAILED_LOGIN_ATTEMPTS' is '10'" for 2.2.13
12-01-2016  2.0.0    Ticket #284: Added "and OWNER='SYS'" to the query for 4.5.2
12-01-2016  2.0.0    Ticket #285: Added "and OWNER='SYS'" to the query for 4.5.3
12-01-2016  2.0.0    Ticket #286: Added "and OWNER='SYS'" to the query for 4.5.4
12-01-2016  2.0.0    Ticket #287: Added "and OWNER='SYS'" to the query for 4.5.6
12-28-2016  2.0.0    Planned Update