CIS Oracle Database 12c Benchmark v2.1.0 › Security › CIS › CIS_Oracle_Database_12c... · 4 |...

CISOracleDatabase12cBenchmarkv2.1.0–09-18-2018

1|P a g e

TermsofUsePlease see the below link for our current terms of use: https://www.cisecurity.org/cis-securesuite/cis-securesuite-membership-terms-of-use/

2|P a g e

TableofContentsTermsofUse...................................................................................................................................................................1

Overview...........................................................................................................................................................................9

IntendedAudience..................................................................................................................................................9

ConsensusGuidance...............................................................................................................................................9

TypographicalConventions.............................................................................................................................10

ScoringInformation............................................................................................................................................10

ProfileDefinitions................................................................................................................................................11

Acknowledgements.............................................................................................................................................13

Recommendations.....................................................................................................................................................14

1OracleDatabaseInstallationandPatchingRequirements...........................................................14

1.1EnsuretheAppropriateVersion/PatchesforOracleSoftwareIsInstalled(NotScored).............................................................................................................................................................14

1.2EnsureAllDefaultPasswordsAreChanged(Scored).......................................................16

1.3EnsureAllSampleDataAndUsersHaveBeenRemoved(Scored).............................18

2OracleParameterSettings............................................................................................................................20

2.1ListenerSettings.......................................................................................................................................21

2.1.1Ensure'SECURE_CONTROL_'IsSetIn'listener.ora'(Scored)...................................21

2.1.2Ensure'extproc'IsNotPresentin'listener.ora'(Scored)...........................................23

2.1.3Ensure'ADMIN_RESTRICTIONS_'IsSetto'ON'(Scored)............................................25

2.1.4Ensure'SECURE_REGISTER_'IsSetto'TCPS'or'IPC'(Scored)...............................27

2.2DatabaseSettings.....................................................................................................................................29

2.2.1Ensure'AUDIT_SYS_OPERATIONS'IsSetto'TRUE'(Scored)...................................29

2.2.2Ensure'AUDIT_TRAIL'IsSetto'DB','XML','OS','DB,EXTENDED',or'XML,EXTENDED'(Scored)....................................................................................................................31

2.2.3Ensure'GLOBAL_NAMES'IsSetto'TRUE'(Scored).......................................................33

2.2.4Ensure'O7_DICTIONARY_ACCESSIBILITY'IsSetto'FALSE'(Scored)..................34

2.2.5Ensure'OS_ROLES'IsSetto'FALSE'(Scored)..................................................................36

2.2.6Ensure'REMOTE_LISTENER'IsEmpty(Scored).............................................................37

2.2.7Ensure'REMOTE_LOGIN_PASSWORDFILE'IsSetto'NONE'(Scored).................39

3|P a g e

2.2.8Ensure'REMOTE_OS_AUTHENT'IsSetto'FALSE'(Scored)......................................40

2.2.9Ensure'REMOTE_OS_ROLES'IsSetto'FALSE'(Scored).............................................41

2.2.10Ensure'UTL_FILE_DIR'IsEmpty(Scored).......................................................................42

2.2.11Ensure'SEC_CASE_SENSITIVE_LOGON'IsSetto'TRUE'(Scored).......................43

2.2.12Ensure'SEC_MAX_FAILED_LOGIN_ATTEMPTS'Is'3'orLess(Scored).............44

2.2.13Ensure'SEC_PROTOCOL_ERROR_FURTHER_ACTION'IsSetto'DROP,3'(Scored)...........................................................................................................................................................46

2.2.14Ensure'SEC_PROTOCOL_ERROR_TRACE_ACTION'IsSetto'LOG'(Scored)...48

2.2.15Ensure'SEC_RETURN_SERVER_RELEASE_BANNER'IsSetto'FALSE'(Scored).............................................................................................................................................................................50

2.2.16Ensure'SQL92_SECURITY'IsSetto'TRUE'(Scored)..................................................52

2.2.17Ensure'_trace_files_public'IsSetto'FALSE'(Scored)...............................................54

2.2.18Ensure'RESOURCE_LIMIT'IsSetto'TRUE'(Scored).................................................56

3OracleConnectionandLoginRestrictions...........................................................................................58

3.1Ensure'FAILED_LOGIN_ATTEMPTS'IsLessthanorEqualto'5'(Scored)............58

3.2Ensure'PASSWORD_LOCK_TIME'IsGreaterthanorEqualto'1'(Scored)............60

3.3Ensure'PASSWORD_LIFE_TIME'IsLessthanorEqualto'90'(Scored)..................62

3.4Ensure'PASSWORD_REUSE_MAX'IsGreaterthanorEqualto'20'(Scored)........63

3.5Ensure'PASSWORD_REUSE_TIME'IsGreaterthanorEqualto'365'(Scored)...65

3.6Ensure'PASSWORD_GRACE_TIME'IsLessthanorEqualto'5'(Scored)...............67

3.7Ensure'DBA_USERS.PASSWORD'IsNotSetto'EXTERNAL'forAnyUser(Scored).............................................................................................................................................................................69

3.8Ensure'PASSWORD_VERIFY_FUNCTION'IsSetforAllProfiles(Scored)...............71

3.9Ensure'SESSIONS_PER_USER'IsLessthanorEqualto'10'(Scored).......................72

3.10EnsureNoUsersAreAssignedthe'DEFAULT'Profile(Scored)...............................74

4OracleUserAccessandAuthorizationRestrictions.........................................................................76

4.1DefaultPublicPrivilegesforPackagesandObjectTypes.....................................................77

4.1.1Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_ADVISOR'(Scored)...77

4.1.2Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_CRYPTO'(Scored).....79

4.1.3Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_JAVA'(Scored)............81

4|P a g e

4.1.4Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_JAVA_TEST'(Scored).............................................................................................................................................................................83

4.1.5Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_JOB'(Scored)...............85

4.1.6Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_LDAP'(Scored)...........87

4.1.7Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_LOB'(Scored)..............89

4.1.8Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_OBFUSCATION_TOOLKIT'(Scored)...................................................................................91

4.1.9Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_RANDOM'(Scored)...93

4.1.10Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_SCHEDULER'(Scored)...........................................................................................................................................................95

4.1.11Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_SQL'(Scored)............97

4.1.12Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_XMLGEN'(Scored).98

4.1.13Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_XMLQUERY'(Scored)..........................................................................................................................................................................100

4.1.14Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'UTL_FILE'(Scored)...........102

4.1.15Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'UTL_INADDR'(Scored)...103

4.1.16Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'UTL_TCP'(Scored)............105

4.1.17Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'UTL_MAIL'(Scored)..........106

4.1.18Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'UTL_SMTP'(Scored).........108

4.1.19Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'UTL_DBWS'(Scored)........110

4.1.20Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'UTL_ORAMTS'(Scored)..112

4.1.21Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'UTL_HTTP'(Scored).........114

4.1.22Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'HTTPURITYPE'(Scored)116

4.1.23Ensure'EXECUTE'isrevokedfrom'PUBLIC'on'DBMS_XMLSTORE'(Scored)..........................................................................................................................................................................117

4.1.24Ensure'EXECUTE'isrevokedfrom'PUBLIC'on'DBMS_XMLSAVE'(Scored)..........................................................................................................................................................................119

4.1.25Ensure'EXECUTE'isrevokedfrom'PUBLIC'on'DBMS_REDACT'(Scored)121

4.2RevokeNon-DefaultPrivilegesforPackagesandObjectTypes.....................................122

4.2.1Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_SYS_SQL'(Scored)..122

4.2.2Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_BACKUP_RESTORE'(Scored)........................................................................................................................................................124

5|P a g e

4.2.3Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_AQADM_SYSCALLS'(Scored)........................................................................................................................................................126

4.2.4Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_REPCAT_SQL_UTL'(Scored)........................................................................................................................................................127

4.2.5Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'INITJVMAUX'(Scored).......129

4.2.6Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_STREAMS_ADM_UTL'(Scored)........................................................................................................................................................130

4.2.7Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_AQADM_SYS'(Scored)..........................................................................................................................................................................132

4.2.8Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_STREAMS_RPC'(Scored)........................................................................................................................................................133

4.2.9Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_PRVTAQIM'(Scored)..........................................................................................................................................................................135

4.2.10Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'LTADM'(Scored)................137

4.2.11Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'WWV_DBMS_SQL'(Scored)..........................................................................................................................................................................138

4.2.12Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'WWV_EXECUTE_IMMEDIATE'(Scored).....................................................................................139

4.2.13Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_IJOB'(Scored)........141

4.2.14Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_FILE_TRANSFER'(Scored)........................................................................................................................................................142

4.3RevokeExcessiveSystemPrivileges............................................................................................144

4.3.1Ensure'SELECTANYDICTIONARY'IsRevokedfromUnauthorized'GRANTEE'(Scored)........................................................................................................................................................144

4.3.2Ensure'SELECTANYTABLE'IsRevokedfromUnauthorized'GRANTEE'(Scored)........................................................................................................................................................146

4.3.3Ensure'AUDITSYSTEM'IsRevokedfromUnauthorized'GRANTEE'(Scored)..........................................................................................................................................................................148

4.3.4Ensure'EXEMPTACCESSPOLICY'IsRevokedfromUnauthorized'GRANTEE'(Scored)........................................................................................................................................................150

4.3.5Ensure'BECOMEUSER'IsRevokedfromUnauthorized'GRANTEE'(Scored)..........................................................................................................................................................................152

4.3.6Ensure'CREATE_PROCEDURE'IsRevokedfromUnauthorized'GRANTEE'(Scored)........................................................................................................................................................153

6|P a g e

4.3.7Ensure'ALTERSYSTEM'IsRevokedfromUnauthorized'GRANTEE'(Scored)..........................................................................................................................................................................155

4.3.8Ensure'CREATEANYLIBRARY'IsRevokedfromUnauthorized'GRANTEE'(Scored)........................................................................................................................................................157

4.3.9Ensure'CREATELIBRARY'IsRevokedfromUnauthorized'GRANTEE'(Scored)..........................................................................................................................................................................159

4.3.10Ensure'GRANTANYOBJECTPRIVILEGE'IsRevokedfromUnauthorized'GRANTEE'(Scored)...............................................................................................................................161

4.3.11Ensure'GRANTANYROLE'IsRevokedfromUnauthorized'GRANTEE'(Scored)........................................................................................................................................................163

4.3.12Ensure'GRANTANYPRIVILEGE'IsRevokedfromUnauthorized'GRANTEE'(Scored)........................................................................................................................................................165

4.4RevokeRolePrivileges.......................................................................................................................167

4.4.1Ensure'DELETE_CATALOG_ROLE'IsRevokedfromUnauthorized'GRANTEE'(Scored)........................................................................................................................................................167

4.4.2Ensure'SELECT_CATALOG_ROLE'IsRevokedfromUnauthorized'GRANTEE'(Scored)........................................................................................................................................................169

4.4.3Ensure'EXECUTE_CATALOG_ROLE'IsRevokedfromUnauthorized'GRANTEE'(Scored)........................................................................................................................................................171

4.4.4Ensure'DBA'IsRevokedfromUnauthorized'GRANTEE'(Scored)....................173

4.5RevokeExcessiveTableandViewPrivileges..........................................................................175

4.5.1Ensure'ALL'IsRevokedfromUnauthorized'GRANTEE'on'AUD$'(Scored)175

4.5.2Ensure'ALL'IsRevokedfromUnauthorized'GRANTEE'on'USER_HISTORY$'(Scored)........................................................................................................................................................177

4.5.3Ensure'ALL'IsRevokedfromUnauthorized'GRANTEE'on'LINK$'(Scored)..........................................................................................................................................................................179

4.5.4Ensure'ALL'IsRevokedfromUnauthorized'GRANTEE'on'SYS.USER$'(Scored)........................................................................................................................................................181

4.5.5Ensure'ALL'IsRevokedfromUnauthorized'GRANTEE'on'DBA_%'(Scored)..........................................................................................................................................................................183

4.5.6Ensure'ALL'IsRevokedfromUnauthorized'GRANTEE'on'SYS.SCHEDULER$_CREDENTIAL'(Scored)................................................................................185

4.5.7Ensure'SYS.USER$MIG'HasBeenDropped(Scored)................................................187

4.6Ensure'%ANY%'IsRevokedfromUnauthorized'GRANTEE'(Scored)...............188

7|P a g e

4.7Ensure'DBA_SYS_PRIVS.%'IsRevokedfromUnauthorized'GRANTEE'with'ADMIN_OPTION'Setto'YES'(Scored).........................................................................................190

4.8EnsureProxyUsersHaveOnly'CONNECT'Privilege(Scored).................................191

4.9Ensure'EXECUTEANYPROCEDURE'IsRevokedfrom'OUTLN'(Scored)..........192

4.10Ensure'EXECUTEANYPROCEDURE'IsRevokedfrom'DBSNMP'(Scored)....193

5Audit/LoggingPoliciesandProcedures.............................................................................................194

5.1TraditionalAuditing............................................................................................................................195

5.1.1Ensurethe'USER'AuditOptionIsEnabled(Scored).................................................195

5.1.2Ensurethe'ROLE'AuditOptionIsEnabled(Scored).................................................197

5.1.3Ensurethe'SYSTEMGRANT'AuditOptionIsEnabled(Scored)..........................199

5.1.4Ensurethe'PROFILE'AuditOptionIsEnabled(Scored)..........................................200

5.1.5Ensurethe'DATABASELINK'AuditOptionIsEnabled(Scored).........................202

5.1.6Ensurethe'PUBLICDATABASELINK'AuditOptionIsEnabled(Scored)........204

5.1.7Ensurethe'PUBLICSYNONYM'AuditOptionIsEnabled(Scored).....................206

5.1.8Ensurethe'SYNONYM'AuditOptionIsEnabled(Scored).......................................208

5.1.9Ensurethe'DIRECTORY'AuditOptionIsEnabled(Scored)...................................210

5.1.10Ensurethe'SELECTANYDICTIONARY'AuditOptionIsEnabled(Scored)..212

5.1.11Ensurethe'GRANTANYOBJECTPRIVILEGE'AuditOptionIsEnabled(Scored)........................................................................................................................................................214

5.1.12Ensurethe'GRANTANYPRIVILEGE'AuditOptionIsEnabled(Scored).......216

5.1.13Ensurethe'DROPANYPROCEDURE'AuditOptionIsEnabled(Scored).......218

5.1.14Ensurethe'ALL'AuditOptionon'SYS.AUD$'IsEnabled(Scored)...................220

5.1.15Ensurethe'PROCEDURE'AuditOptionIsEnabled(Scored)...............................222

5.1.16Ensurethe'ALTERSYSTEM'AuditOptionIsEnabled(Scored).........................224

5.1.17Ensurethe'TRIGGER'AuditOptionIsEnabled(Scored)......................................226

5.1.18Ensurethe'CREATESESSION'AuditOptionIsEnabled(Scored).....................228

5.2UnifiedAuditing.....................................................................................................................................230

5.2.1Ensurethe'CREATEUSER'ActionAuditIsEnabled(Scored)...............................230

5.2.2Ensurethe'ALTERUSER'ActionAuditIsEnabled(Scored)..................................232

5.2.3Ensuethe'DROPUSER'AuditOptionIsEnabled(Scored)......................................234

5.2.4Ensurethe'CREATEROLE’ActionAuditIsEnabled(Scored)...............................236

8|P a g e

5.2.5Ensurethe'ALTERROLE’ActionAuditIsEnabled(Scored)..................................238

5.2.6Ensurethe'DROPROLE’ActionAuditIsEnabled(Scored)....................................240

5.2.7Ensurethe'GRANT'ActionAuditIsEnabled(Scored)..............................................242

5.2.8Ensurethe'REVOKE'ActionAuditIsEnabled(Scored)...........................................244

5.2.9Ensurethe'CREATEPROFILE’ActionAuditIsEnabled(Scored)........................246

5.2.10Ensurethe'ALTERPROFILE’ActionAuditIsEnabled(Scored)........................248

5.2.11Ensurethe'DROPPROFILE’ActionAuditIsEnabled(Scored)..........................250

5.2.12Ensurethe'CREATEDATABASELINK’ActionAuditIsEnabled(Scored)....252

5.2.13Ensurethe'ALTERDATABASELINK’ActionAuditIsEnabled(Scored).......254

5.2.14Ensurethe'DROPDATABASELINK’ActionAuditIsEnabled(Scored).........256

5.2.15Ensurethe'CREATESYNONYM’ActionAuditIsEnabled(Scored)..................258

5.2.16Ensurethe'ALTERSYNONYM’ActionAuditIsEnabled(Scored).....................260

5.2.17Ensurethe'DROPSYNONYM’ActionAuditIsEnabled(Scored).......................262

5.2.18Ensurethe'SELECTANYDICTIONARY’PrivilegeAuditIsEnabled(Scored)..........................................................................................................................................................................264

5.2.19Ensurethe'UNIFIED_AUDIT_TRAIL’AccessAuditIsEnabled(Scored)........266

5.2.20Ensurethe'CREATEPROCEDURE/FUNCTION/PACKAGE/PACKAGEBODY’ActionAuditIsEnabled(Scored).....................................................................................................268

5.2.21Ensurethe'ALTERPROCEDURE/FUNCTION/PACKAGE/PACKAGEBODY’ActionAuditIsEnabled(Scored).....................................................................................................270

5.2.22Ensurethe'DROPPROCEDURE/FUNCTION/PACKAGE/PACKAGEBODY’ActionAuditIsEnabled(Scored).....................................................................................................272

5.2.23Ensurethe'ALTERSYSTEM’PrivilegeAuditIsEnabled(Scored)....................274

5.2.24Ensurethe'CREATETRIGGER’ActionAuditIsEnabled(Scored)....................276

5.2.25Ensurethe'ALTERTRIGGER’ActionAuditISEnabled(Scored).......................278

5.2.26Ensurethe'DROPTRIGGER’ActionAuditIsEnabled(Scored)..........................280

5.2.27Ensurethe'LOGON’AND‘LOGOFF’ActionsAuditIsEnabled(Scored).........282

6Appendix:EstablishinganAudit/ScanUser.....................................................................................284

Appendix:SummaryTable.................................................................................................................................286

Appendix:ChangeHistory..................................................................................................................................293

9|P a g e

OverviewThisdocumentisintendedtoaddresstherecommendedsecuritysettingsforOracleDatabase12c.ThisguidewastestedagainstOracleDatabase12c(version12.1.0.2)installedwithoutpluggabledatabasesupportrunningonaWindowsServer2012R2instanceasastand-alonesystemandrunningonanOracleLinux7instancealsoasastand-alonesystem.FutureOracleDatabase12ccriticalpatchupdates(CPUs)mayimpacttherecommendationsincludedinthisdocument.

Toobtainthelatestversionofthisguide,pleasevisithttp://benchmarks.cisecurity.org.Ifyouhavequestions,comments,orhaveidentifiedwaystoimprovethisguide,pleasewriteusatfeedback@cisecurity.org.

Intended Audience

Thisbenchmarkisintendedforsystemandapplicationadministrators,securityspecialists,auditors,helpdesk,andplatformdeploymentpersonnelwhoplantodevelop,deploy,assess,orsecuresolutionsthatincorporateOracleDatabase12conOracleLinuxorMicrosoftWindowsServer.

Consensus Guidance

Thisbenchmarkwascreatedusingaconsensusreviewprocesscomprisedofsubjectmatterexperts.Consensusparticipantsprovideperspectivefromadiversesetofbackgroundsincludingconsulting,softwaredevelopment,auditandcompliance,securityresearch,operations,government,andlegal.

EachCISbenchmarkundergoestwophasesofconsensusreview.Thefirstphaseoccursduringinitialbenchmarkdevelopment.Duringthisphase,subjectmatterexpertsconvenetodiscuss,create,andtestworkingdraftsofthebenchmark.Thisdiscussionoccursuntilconsensushasbeenreachedonbenchmarkrecommendations.Thesecondphasebeginsafterthebenchmarkhasbeenpublished.Duringthisphase,allfeedbackprovidedbytheInternetcommunityisreviewedbytheconsensusteamforincorporationinthebenchmark.Ifyouareinterestedinparticipatingintheconsensusprocess,pleasevisithttps://workbench.cisecurity.org/.

10|P a g e

Typographical Conventions

Thefollowingtypographicalconventionsareusedthroughoutthisguide:

Convention Meaning

Stylized Monospace font Usedforblocksofcode,command,andscriptexamples.Textshouldbeinterpretedexactlyaspresented.

Monospace font Usedforinlinecode,commands,orexamples.Textshouldbeinterpretedexactlyaspresented.

<italicfontinbrackets> Italictextssetinanglebracketsdenoteavariablerequiringsubstitutionforarealvalue.

Italicfont Usedtodenotethetitleofabook,article,orotherpublication.

Note Additionalinformationorcaveats

Scoring Information

Ascoringstatusindicateswhethercompliancewiththegivenrecommendationimpactstheassessedtarget'sbenchmarkscore.Thefollowingscoringstatusesareusedinthisbenchmark:

Scored

Failuretocomplywith"Scored"recommendationswilldecreasethefinalbenchmarkscore.Compliancewith"Scored"recommendationswillincreasethefinalbenchmarkscore.

NotScored

Failuretocomplywith"NotScored"recommendationswillnotdecreasethefinalbenchmarkscore.Compliancewith"NotScored"recommendationswillnotincreasethefinalbenchmarkscore.

11|P a g e

Profile Definitions

ThefollowingconfigurationprofilesaredefinedbythisBenchmark:

• Level1-RDBMSusingTraditionalAuditing

ItemsinthisprofileapplytoOracleDatabase12cconfiguredtouseTraditionalAuditingandintendto:

o Bepracticalandprudent;o Provideaclearsecuritybenefit;ando Notinhibittheutilityofthetechnologybeyondacceptablemeans.

• Level1-LinuxHostOSusingTraditionalAuditing

Thisprofileextendsthe“RDBMSusingTraditionalAuditing”profile.ItemsinthisprofileapplytoRDBMSrunningonaLinuxHostoperatingsystemwithOracleDatabase12cconfiguredtouseTraditionalAuditingandintendto:

• Level1-WindowsServerHostOSusingTraditionalAuditing

Thisprofileextendsthe“RDBMSusingTraditionalAuditing”profile.ItemsinthisprofileapplytoRDBMSrunningonaWindowsServeroperatingsystemwithOracleDatabase12cconfiguredtouseTraditionalAuditingandintendto:

• Level1-RDBMSusingUnifiedAuditing

ItemsinthisprofileapplytoOracleDatabase12cconfiguredtouseUnifiedAuditingandintendto:

12|P a g e

• Level1-LinuxHostOSusingUnifiedAuditing

Thisprofileextendsthe“RDBMSusingUnifiedAuditing”profile.ItemsinthisprofileapplytoRDBMSrunningonaLinuxHostoperatingsystemwithOracleDatabase12cconfiguredtouseUnifiedandintendto:

• Level1-WindowsServerHostOSusingUnifiedAuditing

Thisprofileextendsthe“RDBMSusingUnifiedAuditing”profile.ItemsinthisprofileapplytoRDBMSrunningonaWindowsServeroperatingsystemwithOracleDatabase12cconfiguredtouseUnifiedandintendto:

13|P a g e

Acknowledgements

This benchmark exemplifies the great things a community of users, vendors, and subject matter experts can accomplish through consensus collaboration. The CIS community thanks the entire consensus team with special recognition to the following individuals who contributed greatly to the creation of this guide:

AuthorJayMehta

ContributorAlexanderKornbrustS.BrianSuddethPieterVanPuymbroeckArmanRawlsAdamMontvilleTungBuiVietJigneshPatelThanThiChamDeanLackeyKyleThomasonJustinBrownGijsHasselmanStephenDufourPhilippeLanglois

EditorAngeloMarcotullioTimHarrisonCISSP,ICP,CenterforInternetSecurityKarenScarfone

14|P a g e

Recommendations1 Oracle Database Installation and Patching Requirements

OneofthebestwaystoensuresecureOraclesecurityistoimplementCriticalPatchUpdates(CPUs)astheycomeout,alongwithanyapplicableOSpatchesthatwillnotinterferewithsystemoperations.ItisadditionallyprudenttoremoveOraclesampledatafromproductionenvironments.

1.1 Ensure the Appropriate Version/Patches for Oracle Software Is Installed (Not Scored)

ProfileApplicability:

• Level1-RDBMSusingTraditionalAuditing• Level1-RDBMSusingUnifiedAuditing

Description:

TheOracleinstallationversionandpatchesshouldbethemostrecentthatarecompatiblewiththeorganization'soperationalneeds.

Rationale:

UsingthemostrecentOracledatabasesoftware,alongwithallapplicablepatchescanhelplimitthepossibilitiesforvulnerabilitiesinthesoftware,theinstallationversionand/orpatchesappliedduringsetupshouldbeestablishedaccordingtotheneedsoftheorganization.EnsureyouareusingareleasethatiscoveredbyalevelofsupportthatincludesthegenerationofCriticalPatchUpdates.

Audit:

Toassessthisrecommendation,usethefollowingexampleshellcommandasappropriateforyourenvironment.

Forexample,onLinuxsystems:

opatch lsinventory | grep -e "^.*<latest_patch_version_numer>\s*.*$"

Forexample,onWindowssystems:

opatch lsinventory | find "<latest_patch_version_number>"

15|P a g e

Remediation:

Performthefollowingstepforremediation:

DownloadandapplythelatestquarterlyCriticalPatchUpdatepatches.

References:

1. http://www.oracle.com/us/support/assurance/fixing-policies/index.html2. http://www.oracle.com/technetwork/topics/security/alerts-086861.html3. http://www.oracle.com/us/support/library/lifetime-support-technology-

069183.pdf

CISControls:

Version6

2InventoryofAuthorizedandUnauthorizedSoftwareInventoryofAuthorizedandUnauthorizedSoftware

16|P a g e

1.2 Ensure All Default Passwords Are Changed (Scored)

Description:

DefaultpasswordsshouldnotbeusedbyOracledatabaseusers.

Rationale:

Defaultpasswordsshouldbeconsidered"wellknown"toattackers.Consequently,ifdefaultpasswordsremaininplace,anyattackerwithaccesstothedatabasecanauthenticateastheuserwiththatdefaultpassword.

Audit:

Toassessthisrecommendation,executethefollowingSQLstatement.

SELECT USERNAME FROM DBA_USERS_WITH_DEFPWD WHERE USERNAME NOT LIKE '%XS$NULL%';

TheviewcalledDBA_USERS_WITH_DEFPWDshowsalistofalldatabaseusersmakinguseofdefaultpasswords.Theassessmentfailsifresultsarereturned.

Note:PerOracleSupportDocument2173962.1,"aftercreationofanew12cdatabase,theSYSandSYSTEMaccountsarelistedinDBA_USERS_WITH_DEFPWDeventhoughtheaccountswerecreatedwithnon-defaultpasswords.SettingthesamepasswordsagainwithALTER USERcorrectlyrecognizesthattheaccountsdonothavedefaultpasswords."

Remediation:

Toremediatethisrecommendation,youmayperformeitherofthefollowingactions:

• ManuallyissuethefollowingSQLstatementforeachUSERNAMEreturnedintheAuditProcedure:

PASSWORD <username>

17|P a g e

• ExecutethefollowingSQLscripttoassignarandomlygeneratedpasswordtoeachaccountusingadefaultpassword:

begin for r_user in (select username from dba_users_with_defpwd where username not like '%XS$NULL%') loop DBMS_OUTPUT.PUT_LINE('Password for user '||r_user.username||' will be changed.'); execute immediate 'alter user "'||r_user.username||'" identified by "'||DBMS_RANDOM.string('a',16)||'"account lock password expire'; end loop; end;

References:

1. http://docs.oracle.com/database/121/TDPSG/GUID-3EC7A894-D620-4497-AFB1-64EB8C33D854.htm#TDPSG20021

2. https://support.oracle.com/epmos/faces/DocumentDisplay?id=2173962.1

CISControls:

Version6

5.3ChangeDefaultPasswordsOnAllNewDevicesBeforedeployinganynewdevicesinanetworkedenvironment,changealldefaultpasswordsforapplications,operatingsystems,routers,firewalls,wirelessaccesspoints,andothersystemstohavevaluesconsistentwithadministration-levelaccounts.

18|P a g e

1.3 Ensure All Sample Data And Users Have Been Removed (Scored)

Description:

Oraclesampleschemascanbeusedtocreatesampleusers(BI,HR,IX,OE,PM,SCOTT,SH),withwell-knowndefaultpasswords,particularviews,andprocedures/functions,inadditiontotablesandfictitiousdata.Thesampleschemasshouldberemoved.

Rationale:

Thesampleschemasaretypicallynotrequiredforproductionoperationsofthedatabase.Thedefaultusers,views,and/orprocedures/functionscreatedbysampleschemascouldbeusedtolaunchexploitsagainstproductionenvironments.

Audit:

Toassessthisrecommendation,checkforthepresenceofOraclesampleusersbyexecutingthefollowingSQLstatement.

SELECT USERNAME FROM ALL_USERS WHERE USERNAME IN ('BI','HR','IX','OE','PM','SCOTT','SH');"

Remediation:

Toremediatethissetting,executethefollowingSQLscript.

$ORACLE_HOME/demo/schema/drop_sch.sql

Then,executethefollowingSQLstatement.

DROP USER SCOTT CASCADE;

Note:TherecyclebinisnotsettoOFFwithinthedefaultdropscript,whichmeansthatthedatawillstillbepresentinyourenvironmentuntiltherecyclebinisemptied.

Impact:

TheOraclesampleusernamesmaybeinuseonaproductionbasis.ItisimportantthatyoufirstverifythatBI,HR,IX,OE,PM,SCOTT,and/orSHarenotvalidproductionusernames

19|P a g e

beforeexecutingthedroppingSQLscripts.ThismaybeparticularlytruewiththeHRandBIusers.Ifanyoftheseusersarepresent,itisimportanttobecautiousandconfirmtheschemaspresentare,infact,Oraclesampleschemasandnotproductionschemasbeingrelieduponbybusinessoperations.

References:

1. http://docs.oracle.com/database/121/COMSC/toc.htm

CISControls:

Version6

18.9SanitizeDeployedSoftwareOfDevelopmentArtifactsForin-housedevelopedapplications,ensurethatdevelopmentartifacts(sampledataandscripts;unusedlibraries,components,debugcode;ortools)arenotincludedinthedeployedsoftware,oraccessibleintheproductionenvironment.

20|P a g e

2 Oracle Parameter Settings

TheoperationoftheOracledatabaseinstanceisgovernedbynumerousparametersthataresetinspecificconfigurationfilesandareinstance-specificinscope.Asalterationsoftheseparameterscancauseproblemsrangingfromdenial-of-servicetotheftofproprietaryinformation,theseconfigurationsshouldbecarefullyconsideredandmaintained.

Note:ForallfilesthathaveparametersthatcanbemodifiedwiththeOSand/orSQLcommands/scripts,thesewillbothbelistedwhereappropriate.

21|P a g e

2.1 Listener Settings

ThissectiondefinesrecommendationsforthesettingsfortheTNSListenerlistener.orafile.

2.1.1 Ensure 'SECURE_CONTROL_' Is Set In 'listener.ora' (Scored)

• Level1-LinuxHostOSusingTraditionalAuditing• Level1-WindowsServerHostOSusingTraditionalAuditing• Level1-LinuxHostOSusingUnifiedAuditing• Level1-WindowsServerHostOSusingUnifiedAuditing

Description:

TheSECURE_CONTROL_<listener_name>settingdeterminesthetypeofcontrolconnectiontheOracleserverrequiresforremoteconfigurationofthelistener.

Rationale:

Listenerconfigurationchangesviaunencryptedremoteconnectionscanresultinunauthorizeduserssniffingcontrolconfigurationinformationfromthenetwork.

Audit:

Toauditthisrecommendation,followthesesteps:

1. Openthe$ORACLE_HOME/network/admin/listener.orafile(or%ORACLE_HOME%\network\admin\listener.oraonWindows)

2. EnsurethateachdefinedlistenerasanassociatedSECURE_CONTROL_<listener_name>directive.

Forexample:LISTENER1 = (DESCRIPTION= (ADDRESS=(PROTOCOL=TCP) (HOST=sales-server)(PORT=1521)) (ADDRESS=(PROTOCOL=IPC) (KEY=REGISTER)) (ADDRESS=(PROTOCOL=TCPS) (HOST=sales-server)(PORT=1522))) SECURE_CONTROL_LISTENER1=TCPS"

22|P a g e

Remediation:

Toremediatethisrecommendation:

SettheSECURE_CONTROL_<listener_name>foreachdefinedlistenerinthelistener.orafile.

References:

1. http://docs.oracle.com/database/121/NETRF/listener.htm#NETRF327

CISControls:

Version6

3.4UseOnlySecureChannelsForRemoteSystemAdministrationPerformallremoteadministrationofservers,workstation,networkdevices,andsimilarequipmentoversecurechannels.Protocolssuchastelnet,VNC,RDP,orothersthatdonotactivelysupportstrongencryptionshouldonlybeusediftheyareperformedoverasecondaryencryptionchannel,suchasSSL,TLSorIPSEC.

23|P a g e

2.1.2 Ensure 'extproc' Is Not Present in 'listener.ora' (Scored)

Description:

extprocshouldberemovedfromthelistener.oratomitigatetheriskthatOSlibrariescanbeinvokedbytheOracleinstance.

Rationale:

extprocallowsthedatabasetorunproceduresfromOSlibraries.Theselibrarycallscan,inturn,runanyOScommand.

Audit:

Toauditthisrecommendation,executethefollowingshellcommandsasappropriateforyourLinux/Windowsenvironment.

Linuxenvironment:

grep -i extproc $ORACLE_HOME/network/admin/listener.ora

Windowsenvironment:

find /I extproc %ORACLE_HOME%\network\admin\listener.ora

Ensureextprocdoesnotexist.

Remediation:

Removeextprocfromthelistener.orafile.

References:

1. http://docs.oracle.com/database/121/DBSEG/app_devs.htm#DBSEG656

24|P a g e

CISControls:

Version6

25|P a g e

2.1.3 Ensure 'ADMIN_RESTRICTIONS_' Is Set to 'ON' (Scored)

Description:

Theadmin_restrictions_<listener_name>settinginthelistener.orafilecanrequirethatanyattemptedreal-timealterationoftheparametersinthelistenerviathesetcommandfileberefusedunlessthelistener.orafileismanuallyaltered,thenrestartedbyaprivilegeduser.

Rationale:

Blockingunprivilegedusersfrommakingalterationsofthelistener.orafile,whereremotedata/servicesettingsarespecified,willhelpprotectdataconfidentiality.

Audit:

Linuxenvironment:

grep -i admin_restrictions $ORACLE_HOME/network/admin/listener.ora

Windowsenvironment:

find /I admin_restrictions %ORACLE_HOME%|\network\admin\listener.ora

Ensureadmin_restrictions_<listener_name>issettoONforalllisteners.

Remediation:

Useatexteditorsuchasvitosettheadmin_restrictions_<listener_name>tothevalueON.

DefaultValue:

26|P a g e

Notset.

References:

1. http://docs.oracle.com/database/121/NETRF/listener.htm#NETRF310

CISControls:

Version6

5.1MinimizeAndSparinglyUseAdministrativePrivilegesMinimizeadministrativeprivilegesandonlyuseadministrativeaccountswhentheyarerequired.Implementfocusedauditingontheuseofadministrativeprivilegedfunctionsandmonitorforanomalousbehavior.

27|P a g e

2.1.4 Ensure 'SECURE_REGISTER_' Is Set to 'TCPS' or 'IPC' (Scored)

Description:

TheSECURE_REGISTER_<listener_name>settingspecifiestheprotocolsusedtoconnecttotheTNSlistener.EachsettingshouldhaveavalueofeitherTCPSorIPCbasedontheneedsforitsprotocol.

Rationale:

Listenerconfigurationchangesviaunencryptedremoteconnectionscanresultinunauthorizeduserssniffingcontrolconfigurationinformationfromthenetwork.

Audit:

Linuxenvironment:

grep -i SECURE_REGISTER $ORACLE_HOME/network/admin/listener.ora

Windowsenvironment:

find /I SECURE_REGISTER %ORACLE_HOME%\network\admin\listener.ora

EnsureSECURE_REGISTER_<listener_name>issettoTCPSorIPC.

Remediation:

UseatexteditorsuchasvitosettheSECURE_REGISTER_<listener_name>=TCPSorSECURE_REGISTER_<listener_name>=IPCforeachlistenerfoundin$ORACLE_HOME/network/admin/listener.ora.

28|P a g e

References:

1. http://docs.oracle.com/database/121/NETRF/listener.htm#NETRF3282. https://support.oracle.com/epmos/faces/ui/km/DocumentDisplay.jspx?id=145388

3.13. https://support.oracle.com/epmos/faces/ui/km/DocumentDisplay.jspx?id=134083

1.14. http://www.joxeankoret.com/download/tnspoison.pdf

Notes:

OracleRealApplicationClusterrequiresadifferentapproachtofixtheTNSPoisoningproblem.SeeOraclesupportnote1453883.1fordetails.

CISControls:

Version6

14.2EncryptAllSensitiveInformationOverLess-trustedNetworksAllcommunicationofsensitiveinformationoverless-trustednetworksshouldbeencrypted.Wheneverinformationflowsoveranetworkwithalowertrustlevel,theinformationshouldbeencrypted.

29|P a g e

2.2 Database Settings

Thissectiondefinesrecommendationscoveringthegeneralsecurityconfigurationofthedatabaseinstance.Therecommendationsensureauditingisenabled,listenersareappropriatelyconfined,andauthenticationisappropriatelyconfigured.

Note:Theremediationproceduresassumetheuseofaserverparameterfile,whichisoftenapreferredmethodofstoringserverinitializationparameters.

Foryourenvironment,leavingofftheSCOPE = SPFILEdirectiveorsubstitutingitwithSCOPE = BOTHmightbepreferreddependingontherecommendation.

2.2.1 Ensure 'AUDIT_SYS_OPERATIONS' Is Set to 'TRUE' (Scored)

Description:

TheAUDIT_SYS_OPERATIONSsettingprovidesfortheauditingofalluseractivitiesconductedundertheSYSOPERandSYSDBAaccounts.ThesettingshouldbesettoTRUEtoenablethisauditing.

Rationale:

IftheparameterAUDIT_SYS_OPERATIONSisFALSE,allstatementsexceptforStartup/ShutdownandLogonbySYSDBA/SYSOPERusersarenotaudited.

Audit:

SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME) = 'AUDIT_SYS_OPERATIONS';

EnsureVALUEissettoTRUE.

Remediation:

Toremediatethissetting,executethefollowingSQLstatement.

ALTER SYSTEM SET AUDIT_SYS_OPERATIONS = TRUE SCOPE=SPFILE;

30|P a g e

References:

1. http://docs.oracle.com/database/121/REFRN/GUID-58176267-238C-40B5-B1F2-BB8BB9518950.htm#REFRN10005

CISControls:

Version6

5.4LogAdministrativeUserAdditionAndRemovalConfiguresystemstoissuealogentryandalertwhenanaccountisaddedtoorremovedfromadomainadministrators’group,orwhenanewlocaladministratoraccountisaddedonasystem.

6.2EnsureAuditLogSettingsSupportAppropriateLogEntryFormattingValidateauditlogsettingsforeachhardwaredeviceandthesoftwareinstalledonit,ensuringthatlogsincludeadate,timestamp,sourceaddresses,destinationaddresses,andvariousotherusefulelementsofeachpacketand/ortransaction.SystemsshouldrecordlogsinastandardizedformatsuchassyslogentriesorthoseoutlinedbytheCommonEventExpressioninitiative.Ifsystemscannotgeneratelogsinastandardizedformat,lognormalizationtoolscanbedeployedtoconvertlogsintosuchaformat.

31|P a g e

2.2.2 Ensure 'AUDIT_TRAIL' Is Set to 'DB', 'XML', 'OS', 'DB,EXTENDED', or 'XML,EXTENDED' (Scored)

Description:

Theaudit_trailsettingdetermineswhetherornotOracle'sbasicauditfeaturesareenabled.Itcanbesetto"OperatingSystem"(OS);DB;DB,EXTENDED;XML;orXML,EXTENDED.Thevalueshouldbesetaccordingtotheneedsoftheorganization.

Rationale:

EnablingthebasicauditingfeaturesfortheOracleinstancepermitsthecollectionofdatatotroubleshootproblems,aswellasprovidesvaluableforensiclogsinthecaseofasystembreachthisvalueshouldbesetaccordingtotheneedsoftheorganization.

Audit:

SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='AUDIT_TRAIL';

EnsureVALUEissettoDBorOSorXMLorDB,EXTENDEDorXML,EXTENDED.

Remediation:

Toremediatethissetting,executeoneofthefollowingSQLstatements.

ALTER SYSTEM SET AUDIT_TRAIL = DB, EXTENDED SCOPE = SPFILE;

ALTER SYSTEM SET AUDIT_TRAIL = OS SCOPE = SPFILE;

ALTER SYSTEM SET AUDIT_TRAIL = XML, EXTENDED SCOPE = SPFILE;

ALTER SYSTEM SET AUDIT_TRAIL = DB SCOPE = SPFILE;

ALTER SYSTEM SET AUDIT_TRAIL = XML SCOPE = SPFILE;

32|P a g e

References:

1. http://docs.oracle.com/database/121/REFRN/GUID-BD86F593-B606-4367-9FB6-8DAB2E47E7FA.htm#REFRN10006

2. http://www.oracle.com/technetwork/products/audit-vault/learnmore/twp-security-auditperformance-166655.pdf

CISControls:

Version6

6Maintenance,Monitoring,andAnalysisofAuditLogsMaintenance,Monitoring,andAnalysisofAuditLogs

33|P a g e

2.2.3 Ensure 'GLOBAL_NAMES' Is Set to 'TRUE' (Scored)

Description:

Theglobal_namessettingrequiresthatthenameofadatabaselinkmatchesthatoftheremotedatabaseitwillconnectto.ThissettingshouldhaveavalueofTRUE.

Rationale:

Notrequiringdatabaseconnectionstomatchthedomainthatisbeingcalledremotelycouldallowunauthorizeddomainsourcestopotentiallyconnectviabrute-forcetactics.

Audit:

SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='GLOBAL_NAMES';

Remediation:

ALTER SYSTEM SET GLOBAL_NAMES = TRUE SCOPE = SPFILE;

References:

1. http://docs.oracle.com/database/121/REFRN/GUID-221D0483-D814-4963-84E1-7D39A25048ED.htm#REFRN10065

CISControls:

Version6

9LimitationandControlofNetworkPorts,Protocols,andServicesLimitationandControlofNetworkPorts,Protocols,andServices

34|P a g e

2.2.4 Ensure 'O7_DICTIONARY_ACCESSIBILITY' Is Set to 'FALSE' (Scored)

Description:

TheO7_dictionary_accessibilitysettingisadatabaseinitializationparameterthatallows/disallowsaccesstoobjectswiththe* ANY *privileges(SELECT ANY TABLE,DELETE ANY TABLE,EXECUTE ANY PROCEDURE,etc.).ThisfunctionalitywascreatedfortheeaseofmigrationfromOracle7databasestolaterversions.ThesettingshouldhaveavalueofFALSE.

Rationale:

LeavingtheSYSschemasoopentoconnectioncouldpermitunauthorizedaccesstocriticaldatastructures.

Audit:

SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='O7_DICTIONARY_ACCESSIBILITY';

EnsureVALUEissettoFALSE.

Remediation:

ALTER SYSTEM SET O7_DICTIONARY_ACCESSIBILITY=FALSE SCOPE = SPFILE;

References:

1. http://docs.oracle.com/database/121/REFRN/GUID-1D1A88F1-B603-48FF-BD30-E6099DB1A1ED.htm#REFRN10133

35|P a g e

Notes:

Thevalueforthisis"O(oh)7"not"0(Zero)7"forO7.Also,for"OracleApplications"uptoversion11.5.9,thissettingisreversed;theO7_dictionary_accessibility=TRUEvalueisrequiredforcorrectoperations.

CISControls:

Version6

9.1LimitOpenPorts,Protocols,andServicesEnsurethatonlyports,protocols,andserviceswithvalidatedbusinessneedsarerunningoneachsystem.

36|P a g e

2.2.5 Ensure 'OS_ROLES' Is Set to 'FALSE' (Scored)

Description:

Theos_rolessettingpermitsexternallycreatedgroupstobeappliedtodatabasemanagement.

Rationale:

AllowingtheOStouseexternalgroupsfordatabasemanagementcouldcauseprivilegeoverlapsandgenerallyweakensecurity.

Audit:

SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='OS_ROLES';

Remediation:

ALTER SYSTEM SET OS_ROLES = FALSE SCOPE = SPFILE;

References:

1. http://docs.oracle.com/database/121/REFRN/GUID-51CCE2D6-F841-4E02-A89D-EA08FC110CF3.htm#REFRN10153

CISControls:

Version6

16AccountMonitoringandControlAccountMonitoringandControl

37|P a g e

2.2.6 Ensure 'REMOTE_LISTENER' Is Empty (Scored)

Description:

Theremote_listenersettingdetermineswhetherornotavalidlistenercanbeestablishedonasystemseparatefromthedatabaseinstance.Thissettingshouldbeemptyunlesstheorganizationspecificallyneedsavalidlisteneronaseparatesystem.

Rationale:

Permittingaremotelistenerforconnectionstothedatabaseinstancecanallowforthepotentialspoofingofconnectionsandthatcouldcompromisedataconfidentialityandintegrity.

Audit:

SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='REMOTE_LISTENER';

EnsureVALUEisempty.

Remediation:

ALTER SYSTEM SET REMOTE_LISTENER = '' SCOPE = SPFILE;

References:

1. http://docs.oracle.com/database/121/REFRN/GUID-FEE2E8B5-CE02-4158-A6B4-030E59316756.htm#REFRN10183

Notes:

Ifsetasremote_listener=true,theaddress/addresslististakenfromtheTNSNAMES.ORAfile.

38|P a g e

CISControls:

Version6

39|P a g e

2.2.7 Ensure 'REMOTE_LOGIN_PASSWORDFILE' Is Set to 'NONE' (Scored)

Description:

Theremote_login_passwordfilesettingspecifieswhetherornotOraclechecksforapasswordfileduringloginandhowmanydatabasescanusethepasswordfile.ThesettingshouldhaveavalueofNONE.

Rationale:

Theuseofthissortofpasswordloginfilecouldpermitunsecured,privilegedconnectionstothedatabase.

Audit:

SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='REMOTE_LOGIN_PASSWORDFILE';

EnsureVALUEissettoNONE.

Remediation:

ALTER SYSTEM SET REMOTE_LOGIN_PASSWORDFILE = 'NONE' SCOPE = SPFILE;

References:

1. http://docs.oracle.com/database/121/REFRN/GUID-6619299E-95E8-4821-B123-3B5899F046C7.htm#REFRN10184

CISControls:

Version6

40|P a g e

2.2.8 Ensure 'REMOTE_OS_AUTHENT' Is Set to 'FALSE' (Scored)

Description:

Theremote_os_authentsettingdetermineswhetherornotOS'roles'withtheattendantprivilegesareallowedforremoteclientconnections.ThissettingshouldhaveavalueofFALSE.

Rationale:

PermittingOSrolesfordatabaseconnectionstocanallowthespoofingofconnectionsandpermitgrantingtheprivilegesofanOSroletounauthorizeduserstomakeconnections,thisvalueshouldberestrictedaccordingtotheneedsoftheorganization.

Audit:

SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='REMOTE_OS_AUTHENT';

Remediation:

ALTER SYSTEM SET REMOTE_OS_AUTHENT = FALSE SCOPE = SPFILE;

References:

1. http://docs.oracle.com/database/121/REFRN/GUID-AB66C849-FE5A-4E06-A6E1-AEE775D55703.htm#REFRN10185

CISControls:

Version6

41|P a g e

2.2.9 Ensure 'REMOTE_OS_ROLES' Is Set to 'FALSE' (Scored)

Description:

Theremote_os_rolessettingpermitsremoteusers'OSrolestobeappliedtodatabasemanagement.ThissettingshouldhaveavalueofFALSE.

Rationale:

AllowingremoteclientsOSrolestohavepermissionsfordatabasemanagementcouldcauseprivilegeoverlapsandgenerallyweakensecurity.

Audit:

SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='REMOTE_OS_ROLES';

Remediation:

ALTER SYSTEM SET REMOTE_OS_ROLES = FALSE SCOPE = SPFILE;

References:

1. http://docs.oracle.com/database/121/REFRN/GUID-BAA83447-14C1-4BE7-BB5D-806ED3E00AED.htm#REFRN10186

CISControls:

Version6

42|P a g e

2.2.10 Ensure 'UTL_FILE_DIR' Is Empty (Scored)

Description:

Theutl_file_dirsettingallowspackageslikeutl_filetoaccess(read/write/modify/delete)filesspecifiedinutl_file_dir.Thissettingshouldhaveanemptyvalue.

Rationale:

Usingtheutl_file_dirtocreatedirectoriesallowsthemanipulationoffilesinthesedirectories.

Audit:

SELECT VALUE FROM V$PARAMETER WHERE UPPER(NAME)='UTL_FILE_DIR';

EnsureVALUEisempty.

Remediation:

ALTER SYSTEM SET UTL_FILE_DIR = '' SCOPE = SPFILE;

References:

1. http://docs.oracle.com/database/121/REFRN/GUID-DCA8A942-ACE1-46D6-876E-3244F390BCAE.htm#REFRN10230

CISControls:

Version6

18ApplicationSoftwareSecurityApplicationSoftwareSecurity

43|P a g e

2.2.11 Ensure 'SEC_CASE_SENSITIVE_LOGON' Is Set to 'TRUE' (Scored)

Description:

TheSEC_CASE_SENSITIVE_LOGONinformationdetermineswhetherornotcase-sensitivityisrequiredforpasswordsduringlogin.

Rationale:

Oracledatabasepasswordcase-sensitivityincreasesthepoolofcharactersthatcanbechosenforthepasswords,makingbrute-forcepasswordattacksquitedifficult.

Audit:

SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='SEC_CASE_SENSITIVE_LOGON';

Remediation:

ALTER SYSTEM SET SEC_CASE_SENSITIVE_LOGON = TRUE SCOPE = SPFILE;

References:

1. http://docs.oracle.com/database/121/REFRN/GUID-F464653A-0D43-4A70-8F05-0274A12C8578.htm#REFRN10299

CISControls:

Version6

44|P a g e

2.2.12 Ensure 'SEC_MAX_FAILED_LOGIN_ATTEMPTS' Is '3' or Less (Scored)

Description:

TheSEC_MAX_FAILED_LOGIN_ATTEMPTSparameterdetermineshowmanyfailedloginattemptsareallowedbeforeOracleclosestheloginconnection.

Rationale:

Allowinganunlimitednumberofloginattemptsforauserconnectioncanfacilitatebothbrute-forceloginattacksandtheoccurrenceofdenial-of-service.

Audit:

SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='SEC_MAX_FAILED_LOGIN_ATTEMPTS';

EnsureVALUEissetto3.

Remediation:

ALTER SYSTEM SET SEC_MAX_FAILED_LOGIN_ATTEMPTS = 3 SCOPE = SPFILE;

References:

1. http://docs.oracle.com/database/121/REFRN/GUID-DEC2A3B2-F49B-499E-A3CF-D097F3A5BA83.htm#REFRN10274

45|P a g e

CISControls:

Version6

16.7ConfigureAccountLockoutsUseandconfigureaccountlockoutssuchthatafterasetnumberoffailedloginattemptstheaccountislockedforastandardperiodoftime.

46|P a g e

2.2.13 Ensure 'SEC_PROTOCOL_ERROR_FURTHER_ACTION' Is Set to 'DROP,3' (Scored)

Description:

TheSEC_PROTOCOL_ERROR_FURTHER_ACTIONsettingdeterminestheOracle'sserver'sresponsetobad/malformedpacketsreceivedfromtheclient.ThissettingshouldhaveavalueofDROP,3,whichwillcauseaconnectiontobedroppedafterthreebad/malformedpackets.

Rationale:

Badpacketsreceivedfromtheclientcanpotentiallyindicatepacket-basedattacksonthesystem,suchas"TCPSYNFlood"or"Smurf"attacks,whichcouldresultinadenial-of-servicecondition,thisvalueshouldbesetaccordingtotheneedsoftheorganization.

Audit:

SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='SEC_PROTOCOL_ERROR_FURTHER_ACTION';

EnsureVALUEissettoDROP,3.

Remediation:

Toremediatethissetting,executeoneofthefollowingSQLstatement.

ALTER SYSTEM SET SEC_PROTOCOL_ERROR_FURTHER_ACTION = 'DROP,3' SCOPE = SPFILE;

References:

1. http://docs.oracle.com/database/121/REFRN/GUID-1E8D3C6E-C919-4218-8117-760D31BD0F95.htm#REFRN10282

47|P a g e

CISControls:

Version6

48|P a g e

2.2.14 Ensure 'SEC_PROTOCOL_ERROR_TRACE_ACTION' Is Set to 'LOG' (Scored)

Description:

TheSEC_PROTOCOL_ERROR_TRACE_ACTIONsettingdeterminestheOracle'sserver'sloggingresponseleveltobad/malformedpacketsreceivedfromtheclientbygeneratingALERT,LOG,orTRACElevelsofdetailinthelogfiles.ThissettingshouldhaveavalueofLOGunlesstheorganizationhasacompellingreasontouseadifferentvaluebecauseLOGshouldcausethenecessaryinformationtobelogged.SettingthevalueasTRACEcangenerateanenormousamountoflogoutputandshouldbereservedfordebuggingonly.

Rationale:

Badpacketsreceivedfromtheclientcanpotentiallyindicatepacket-basedattacksonthesystem,whichcouldresultinadenial-of-servicecondition.

Audit:

SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='SEC_PROTOCOL_ERROR_TRACE_ACTION';

EnsureVALUEissettoLOG.

Remediation:

ALTER SYSTEM SET SEC_PROTOCOL_ERROR_TRACE_ACTION=LOG SCOPE = SPFILE;

References:

1. http://docs.oracle.com/database/121/REFRN/GUID-AE811BC1-8CED-4B21-B16C-4B712B127535.htm#REFRN10283

49|P a g e

CISControls:

Version6

50|P a g e

2.2.15 Ensure 'SEC_RETURN_SERVER_RELEASE_BANNER' Is Set to 'FALSE' (Scored)

Description:

Theinformationaboutpatch/updatereleasenumberprovidesinformationabouttheexactpatch/updatereleasethatiscurrentlyrunningonthedatabase.Thisissensitiveinformationthatshouldnotberevealedtoanyonewhorequestsit.

Rationale:

Allowingthedatabasetoreturninformationaboutthepatch/updatereleasenumbercouldfacilitateunauthorizedusers'attemptstogainaccessbaseduponknownpatchweaknesses.

Audit:

SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='SEC_RETURN_SERVER_RELEASE_BANNER';

Remediation:

ALTER SYSTEM SET SEC_RETURN_SERVER_RELEASE_BANNER = FALSE SCOPE = SPFILE;

References:

1. http://docs.oracle.com/database/121/REFRN/GUID-688102A0-11F5-4F06-8868-934D65C4E878.htm#REFRN10275

51|P a g e

CISControls:

Version6

52|P a g e

2.2.16 Ensure 'SQL92_SECURITY' Is Set to 'TRUE' (Scored)

Description:

TheSQL92_SECURITYparametersettingTRUErequiresthatausermustalsobegrantedtheSELECTobjectprivilegebeforebeingabletoperformUPDATEorDELETEoperationsontablesthathaveWHEREorSETclauses.ThesettingshouldhaveavalueofTRUE.

Rationale:

AuserwithoutSELECTprivilegecanstillinferthevaluestoredinacolumnbyreferringtothatcolumninaDELETEorUPDATEstatement.ThissettingpreventsinadvertentinformationdisclosurebyensuringthatonlyuserswhoalreadyhaveSELECTprivilegecanexecutethestatementsthatwouldallowthemtoinferthestoredvalues.

Audit:

SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='SQL92_SECURITY';

Remediation:

ALTER SYSTEM SET SQL92_SECURITY = TRUE SCOPE = SPFILE;

DefaultValue:

References:

1. http://docs.oracle.com/database/121/REFRN/GUID-E41087C2-250E-4201-908B-79E659B22A4B.htm#REFRN10210

53|P a g e

CISControls:

Version6

54|P a g e

2.2.17 Ensure '_trace_files_public' Is Set to 'FALSE' (Scored)

Description:

The_trace_files_publicsettingdetermineswhetherornotthesystem'stracefileisworldreadable.ThissettingshouldhaveavalueofFALSEtorestricttracefileaccess.

Rationale:

Makingthefileworldreadablemeansanyonecanreadtheinstance'stracefile,whichcouldcontainsensitiveinformationaboutinstanceoperations.

Audit:

SELECT VALUE FROM V$PARAMETER WHERE NAME='_trace_files_public';

AVALUEequaltoFALSEorlackofresultsimpliescompliance.

Remediation:

ALTER SYSTEM SET "_trace_files_public" = FALSE SCOPE = SPFILE;

References:

1. http://asktom.oracle.com/pls/asktom/f?p=100:11:0::::P11_QUESTION_ID:4295521746131

CISControls:

Version6

14.4ProtectInformationWithAccessControlListsAllinformationstoredonsystemsshallbeprotectedwithfilesystem,networkshare,claims,application,ordatabasespecificaccesscontrollists.Thesecontrolswillenforcetheprinciplethatonlyauthorizedindividualsshouldhaveaccessto

55|P a g e

theinformationbasedontheirneedtoaccesstheinformationasapartoftheirresponsibilities.

56|P a g e

2.2.18 Ensure 'RESOURCE_LIMIT' Is Set to 'TRUE' (Scored)

Description:

RESOURCE_LIMITdetermineswhetherresourcelimitsareenforcedindatabaseprofiles.ThissettingshouldhaveavalueofTRUE.

Rationale:

IfRESOURCE_LIMITissettoFALSE,noneofthesystemresourcelimitsthataresetinanydatabaseprofilesareenforced.IfRESOURCE_LIMITissettoTRUE,thelimitssetindatabaseprofilesareenforced.

Audit:

SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='RESOURCE_LIMIT';

Remediation:

ALTER SYSTEM SET RESOURCE_LIMIT = TRUE SCOPE = SPFILE;

DefaultValue:

References:

1. http://docs.oracle.com/database/121/REFRN/GUID-BB0AB177-3867-4D0D-8700-A1AC8BDFEFC3.htm#REFRN10188

57|P a g e

CISControls:

Version6

14.4ProtectInformationWithAccessControlListsAllinformationstoredonsystemsshallbeprotectedwithfilesystem,networkshare,claims,application,ordatabasespecificaccesscontrollists.Thesecontrolswillenforcetheprinciplethatonlyauthorizedindividualsshouldhaveaccesstotheinformationbasedontheirneedtoaccesstheinformationasapartoftheirresponsibilities.

58|P a g e

3 Oracle Connection and Login Restrictions

TherestrictionsonClient/UserconnectionstotheOracledatabasehelpblockunauthorizedaccesstodataandservicesbysettingaccessrules.Thesesecuritymeasureshelptoensurethatsuccessfulloginscannotbeeasilymadethroughbrute-forcepasswordattacksorintuitedbycleversocialengineeringexploits.SettingsaregenerallyrecommendedtobeappliedtoalldefinedprofilesratherthanbyusingonlytheDEFAULTprofile.Allvaluesassignedbelowaretherecommendedminimumsormaximums;higher,morerestrictivevaluescanbeappliedatthediscretionoftheorganizationbycreatingaseparateprofiletoassigntoadifferentusergroup.

3.1 Ensure 'FAILED_LOGIN_ATTEMPTS' Is Less than or Equal to '5' (Scored)

Description:

TheFAILED_LOGIN_ATTEMPTSsettingdetermineshowmanyfailedloginattemptsarepermittedbeforethesystemlockstheuser'saccount.Whiledifferentprofilescanhavedifferentandmorerestrictivesettings,suchasUSERSandAPPS,theminimum(s)recommendedhereshouldbesetontheDEFAULTprofile.

Rationale:

Repeatedfailedloginattemptscanindicatetheinitiationofabrute-forceloginattack,thisvalueshouldbesetaccordingtotheneedsoftheorganization.(SeetheNotesforawarningonaknownbugthatcanmakethissecuritymeasurebackfire.)

Audit:

SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE RESOURCE_NAME='FAILED_LOGIN_ATTEMPTS' AND ( LIMIT = 'DEFAULT' OR LIMIT = 'UNLIMITED'

59|P a g e

OR LIMIT > 5 );

Lackofresultsimpliescompliance.

Remediation:

RemediatethissettingbyexecutingthefollowingSQLstatementforeachPROFILEreturnedbytheauditprocedure.

ALTER PROFILE <profile_name> LIMIT FAILED_LOGIN_ATTEMPTS 5;

Notes:

Warning:OnegreatconcernwiththeaboveisthepossibilityofthissettingbeingexploitedtocraftaDDoSattackbyusingtherow-lockingdelaybetweenfailedloginattempts(see_OracleBug7715339–Logonfailurescauses“rowcachelock”waits–Allowdisableoflogondelay[ID7715339.8],sotheconfigurationofthissettingdependsonusingthebugworkaround).Also,whilethesettingfortheFAILED_LOGIN_ATTEMPTSvaluecanalsobesetinsqlnet.ora,thisonlyappliestolistedusers.ThesimilarsettingusedtoblockaDDoS,theSEC_MAX_FAILED_LOGIN_ATTEMPTSinitializationparameter,canbeusedtoprotectunauthorizedintrudersfromattackingtheserverprocessesforapplications,butthissettingdoesnotprotectagainstunauthorizedattemptsviavalidusernames.

CISControls:

Version6

60|P a g e

3.2 Ensure 'PASSWORD_LOCK_TIME' Is Greater than or Equal to '1' (Scored)

Description:

ThePASSWORD_LOCK_TIMEsettingdetermineshowmanydaysmustpassfortheuser'saccounttobeunlockedafterthesetnumberoffailedloginattemptshasoccurred.Thesuggestedvalueforthisisonedayorgreater.

Rationale:

Lockingtheuseraccountafterrepeatedfailedloginattemptscanblockfurtherbrute-forceloginattacks,butcancreateadministrativeheadachesasthisaccountunlockingprocessalwaysrequiresDBAintervention.

Audit:

SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE RESOURCE_NAME='PASSWORD_LOCK_TIME' AND ( LIMIT = 'DEFAULT' OR LIMIT = 'UNLIMITED' OR LIMIT < 1 );

Remediation:

ALTER PROFILE <profile_name> LIMIT PASSWORD_LOCK_TIME 1;

61|P a g e

CISControls:

Version6

62|P a g e

3.3 Ensure 'PASSWORD_LIFE_TIME' Is Less than or Equal to '90' (Scored)

Description:

ThePASSWORD_LIFE_TIMEsettingdetermineshowlongapasswordmaybeusedbeforetheuserisrequiredtobechangeit.Thesuggestedvalueforthisis90daysorless.

Rationale:

Allowingpasswordstoremainunchangedforlongperiodsmakesthesuccessofbrute-forceloginattacksmorelikely.

Audit:

SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE RESOURCE_NAME='PASSWORD_LIFE_TIME' AND ( LIMIT = 'DEFAULT' OR LIMIT = 'UNLIMITED' OR LIMIT > 90 );

Remediation:

ALTER PROFILE <profile_name> LIMIT PASSWORD_LIFE_TIME 90;

CISControls:

Version6

63|P a g e

3.4 Ensure 'PASSWORD_REUSE_MAX' Is Greater than or Equal to '20' (Scored)

Description:

ThePASSWORD_REUSE_MAXsettingdetermineshowmanydifferentpasswordsmustbeusedbeforetheuserisallowedtoreuseapriorpassword.Thesuggestedvalueforthisis20passwordsorgreater.

Rationale:

Allowingreuseofapasswordwithinashortperiodoftimeafterthepassword'sinitialusecanmakethesuccessofbothsocial-engineeringandbrute-forcepassword-basedattacksmorelikely.

Audit:

SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE RESOURCE_NAME='PASSWORD_REUSE_MAX' AND ( LIMIT = 'DEFAULT' OR LIMIT = 'UNLIMITED' OR LIMIT < 20 );

Remediation:

ALTER PROFILE <profile_name> LIMIT PASSWORD_REUSE_MAX 20;

Notes:

TheaboverestrictionshouldbeappliedalongwiththePASSWORD_REUSE_TIMEsetting.

64|P a g e

CISControls:

Version6

65|P a g e

3.5 Ensure 'PASSWORD_REUSE_TIME' Is Greater than or Equal to '365' (Scored)

Description:

ThePASSWORD_REUSE_TIMEsettingdeterminestheamountoftimeindaysthatmustpassbeforethesamepasswordmaybereused.Thesuggestedvalueforthisis365daysorgreater.

Rationale:

Reusingthesamepasswordafteronlyashortperiodoftimehaspassedmakesthesuccessofbrute-forceloginattacksmorelikely.

Audit:

SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE RESOURCE_NAME='PASSWORD_REUSE_TIME' AND ( LIMIT = 'DEFAULT' OR LIMIT = 'UNLIMITED' OR LIMIT < 365 );

Remediation:

ALTER PROFILE <profile_name> LIMIT PASSWORD_REUSE_TIME 365;

Notes:

TheaboverestrictionshouldbeappliedalongwiththePASSWORD_REUSE_MAXsetting.

66|P a g e

CISControls:

Version6

67|P a g e

3.6 Ensure 'PASSWORD_GRACE_TIME' Is Less than or Equal to '5' (Scored)

Description:

ThePASSWORD_GRACE_TIMEsettingdetermineshowmanydayscanpassaftertheuser'spasswordexpiresbeforetheuser'slogincapabilityisautomaticallylockedout.Thesuggestedvalueforthisisfivedaysorless.

Rationale:

Lockingtheuseraccountaftertheexpirationofthepasswordchangerequirement'sgraceperiodcanhelppreventpassword-basedattacksagainstanyforgottenordisusedaccounts,whilestillallowingtheaccountanditsinformationtobeaccessiblebyDBAintervention.

Audit:

SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE RESOURCE_NAME='PASSWORD_GRACE_TIME' AND ( LIMIT = 'DEFAULT' OR LIMIT = 'UNLIMITED' OR LIMIT > 5 );

Remediation:

ALTER PROFILE <profile_name> LIMIT PASSWORD_GRACE_TIME 5;

68|P a g e

CISControls:

Version6

69|P a g e

3.7 Ensure 'DBA_USERS.PASSWORD' Is Not Set to 'EXTERNAL' for Any User (Scored)

Description:

Thepassword='EXTERNAL'settingdetermineswhetherornotausercanbeauthenticatedbyaremoteOStoallowaccesstothedatabasewithfullauthorization.Thissettingshouldnotbeused.

Rationale:

AllowingremoteOSauthenticationofausertothedatabasecanpotentiallyallowsupposed"privilegedusers"toconnectas"authenticated,"evenwhentheremotesystemiscompromised.

Audit:

SELECT USERNAME FROM DBA_USERS WHERE PASSWORD='EXTERNAL';

Remediation:

ToremediatethissettingexecutethefollowingSQLstatement.

ALTER USER <username> INDENTIFIED BY <password>;

Notes:

ThePASSWORDkeyword(column)usedintheSQLforpriorOracleversionshasbeendeprecatedfromversion11.2onwardinfavorofthenewAUTHENTICATION_TYPEkeyword(column)fortheDBA_USERStable.However,thePASSWORDcolumnhasstillbeenretainedforbackwardcompatibility.

70|P a g e

CISControls:

Version6

71|P a g e

3.8 Ensure 'PASSWORD_VERIFY_FUNCTION' Is Set for All Profiles (Scored)

Description:

ThePASSWORD_VERIFY_FUNCTIONdeterminespasswordsettingsrequirementswhenauserpasswordischangedattheSQLcommandprompt.Itshouldbesetforallprofiles.NotethatthissettingdoesnotapplyforusersmanagedbytheOraclepasswordfile.

Rationale:

Requiringuserstoapplythe12csecurityfeaturesinpasswordcreation,suchasforcingmixed-casecomplexity,blockingofsimplecombinations,andenforcingchange/historysettingscanpotentiallythwartloginsbyanunauthorizeduser.

Audit:

SELECT PROFILE, RESOURCE_NAME FROM DBA_PROFILES WHERE RESOURCE_NAME='PASSWORD_VERIFY_FUNCTION' AND (LIMIT = 'DEFAULT' OR LIMIT = 'NULL');

Remediation:

Createacustompasswordverificationfunctionwhichfulfillsthepasswordrequirementsoftheorganization.

CISControls:

Version6

72|P a g e

3.9 Ensure 'SESSIONS_PER_USER' Is Less than or Equal to '10' (Scored)

Description:

TheSESSIONS_PER_USERsettingdeterminesthemaximumnumberofusersessionsthatareallowedtobeopenconcurrently.Thesuggestedvalueforthisis10orless.

Rationale:

LimitingthenumberoftheSESSIONS_PER_USERcanhelppreventmemoryresourceexhaustionbypoorlyformedrequestsorintentionaldenial-of-serviceattacks.

Audit:

SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE RESOURCE_NAME='SESSIONS_PER_USER' AND ( LIMIT = 'DEFAULT' OR LIMIT = 'UNLIMITED' OR LIMIT > 10 );

Remediation:

Toremediatethissetting,executethefollowingSQLstatementforeachPROFILEreturnedbytheauditprocedure.

ALTER PROFILE <profile_name> LIMIT SESSIONS_PER_USER 10;

Notes:

TheSESSIONS_PER_USERprofilemanagementcapabilitywascreatedtopreventresource(s)exhaustionatatimewhenresourceusagewasveryexpensive.Ascurrentdatabasedesignmayrequiremuchhigherlimitsonthisparameterifone"user"handlesallprocessingforspecifictypesofbatch/customerconnections,thismustbehandledviaanewuserprofile.

73|P a g e

CISControls:

Version6

74|P a g e

3.10 Ensure No Users Are Assigned the 'DEFAULT' Profile (Scored)

Description:

UponcreationdatabaseusersareassignedtotheDEFAULTprofileunlessotherwisespecified.Nousersshouldbeassignedtothatprofile.

Rationale:

Usersshouldbecreatedwithfunction-appropriateprofiles.TheDEFAULTprofile,beingdefinedbyOracle,issubjecttochangeatanytime(e.g.bypatchorversionupdate).TheDEFAULTprofilehasunlimitedsettingsthatareoftenrequiredbytheSYSuserwhenpatching;suchunlimitedsettingsshouldbetightlyreservedandnotappliedtounnecessaryusers.

Audit:

SELECT USERNAME FROM DBA_USERS WHERE PROFILE='DEFAULT' AND ACCOUNT_STATUS='OPEN' AND USERNAME NOT IN ('ANONYMOUS', 'CTXSYS', 'DBSNMP', 'EXFSYS', 'LBACSYS', 'MDSYS', 'MGMT_VIEW','OLAPSYS','OWBSYS', 'ORDPLUGINS', 'ORDSYS', 'OUTLN', 'SI_INFORMTN_SCHEMA','SYS', 'SYSMAN', 'SYSTEM', 'TSMSYS', 'WK_TEST', 'WKSYS', 'WKPROXY', 'WMSYS', 'XDB', 'CISSCAN');

Remediation:

Toremediatethisrecommendation,executethefollowingSQLstatementforeachuserreturnedbytheauditqueryusingafunctional-appropriateprofile.

ALTER USER <username> PROFILE <appropriate_profile>;

75|P a g e

CISControls:

Version6

76|P a g e

4 Oracle User Access and Authorization Restrictions

Thecapabilitytousedatabaseresourcesatagivenlevel,oruserauthorizationrules,allowsforusermanipulationofthevariouspartsoftheOracledatabase.Theseauthorizationsmustbestructuredtoblockunauthorizeduseand/orcorruptionofvitaldataandservicesbysettingrestrictionsonusercapabilities,particularlythoseoftheuserPUBLIC.Suchsecuritymeasureshelptoensuresuccessfulloginscannotbeeasilyredirected.

IMPORTANT:UsecautionwhenrevokingprivilegesfromPUBLIC.Oracleandthird-partyproductsexplicitlyrequiredefaultgrantstoPUBLICforcommonlyusedfunctions,objects,andinviewdefinitions.AfterrevokinganyprivilegefromPUBLIC,verifythatapplicationskeeprunningproperlyandrecompileinvaliddatabaseobjects.Specificgrantstousersandrolesmaybeneededtomakeallobjectsvalid.PleaseseethefollowingOraclesupportdocumentwhichprovidesfurtherinformationandSQLstatementsthatcanbeusedtodeterminedependenciesthatrequireexplicitgrants:BeCautiousWhenRevokingPrivilegesGrantedtoPUBLIC(DocID247093.1)Alwaystestdatabasechangesindevelopmentandtestenvironmentsbeforemakingchangestoproductiondatabases.

77|P a g e

4.1 Default Public Privileges for Packages and Object Types

Thissectioncontainsrecommendationsthatrevokedefaultpublicexecuteprivilegesfrompowerfulpackagesandobjecttypes.

4.1.1 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_ADVISOR' (Scored)

Description:

TheOracledatabaseDBMS_ADVISORpackagecanbeusedtowritefileslocatedontheserverwheretheOracleinstanceisinstalled.TheuserPUBLICshouldnotbeabletoexecuteDBMS_ADVISOR.

Rationale:

UseoftheDBMS_ADVISORpackagecouldallowanunauthorizedusertocorruptoperatingsystemfilesontheinstance'shost.

Audit:

SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_ADVISOR';

Theassessmentfailsifresultsarereturned.

Remediation:

REVOKE EXECUTE ON DBMS_ADVISOR FROM PUBLIC;

References:

1. http://docs.oracle.com/database/121/ARPLS/d_advis.htm#ARPLS350

78|P a g e

CISControls:

Version6

79|P a g e

4.1.2 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_CRYPTO' (Scored)

Description:

TheDBMS_CRYPTOsettingsprovideatoolsetthatdeterminesthestrengthoftheencryptionalgorithmusedtoencryptapplicationdataandispartoftheSYSschema.TheDES(56-bitkey),3DES(168-bitkey),3DES-2KEY(112-bitkey),AES(128/192/256-bitkeys),andRC4areavailable.TheuserPUBLICshouldnotbeabletoexecuteDBMS_CRYPTO.

Rationale:

ExecutionofthesecryptographyproceduresbytheuserPUBLICcanpotentiallyendangerportionsoforallofthedatastorage.

Audit:

SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND TABLE_NAME='DBMS_CRYPTO';

Remediation:

REVOKE EXECUTE ON DBMS_CRYPTO FROM PUBLIC;

References:

1. http://docs.oracle.com/database/121/ARPLS/d_crypto.htm#ARPLS664

80|P a g e

CISControls:

Version6

81|P a g e

4.1.3 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_JAVA' (Scored)

Description:

TheOracledatabaseDBMS_JAVApackagecanrunJavaclasses(e.g.OScommands)orgrantJavaprivileges.TheuserPUBLICshouldnotbeabletoexecuteDBMS_JAVA.

Rationale:

TheDBMS_JAVApackagecouldallowanattackertorunOScommandsfromthedatabase.

Audit:

SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_JAVA';

Remediation:

REVOKE EXECUTE ON DBMS_JAVA FROM PUBLIC;

References:

1. http://docs.oracle.com/database/121/JJDEV/appendixa.htm#JJDEV13000

CISControls:

Version6

18.9SanitizeDeployedSoftwareOfDevelopmentArtifactsForin-housedevelopedapplications,ensurethatdevelopmentartifacts(sample

82|P a g e

dataandscripts;unusedlibraries,components,debugcode;ortools)arenotincludedinthedeployedsoftware,oraccessibleintheproductionenvironment.

83|P a g e

4.1.4 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_JAVA_TEST' (Scored)

Description:

TheOracledatabaseDBMS_JAVA_TESTpackagecanrunJavaclasses(e.g.OScommands)orgrantJavaprivileges.TheuserPUBLICshouldnotbeabletoexecuteDBMS_JAVA_TEST.

Rationale:

TheDBMS_JAVA_TESTpackagecouldallowanattackertorunoperatingsystemcommandsfromthedatabase.

Audit:

SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_JAVA_TEST';

Remediation:

REVOKE EXECUTE ON DBMS_JAVA_TEST FROM PUBLIC;

Notes:

DBMS_JAVA_TESTisanundocumentedPL/SQLpackage,butthepublicgrantshouldberevoked.

84|P a g e

CISControls:

Version6

85|P a g e

4.1.5 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_JOB' (Scored)

Description:

TheOracledatabaseDBMS_JOBpackageschedulesandmanagesthejobssenttothejobqueueandhasbeensupersededbytheDBMS_SCHEDULERpackage,eventhoughDBMS_JOBhasbeenretainedforbackwardscompatibility.TheuserPUBLICshouldnotbeabletoexecuteDBMS_JOB.

Rationale:

UseoftheDBMS_JOBpackagecouldallowanunauthorizedusertodisableoroverloadthejobqueue.IthasbeensupersededbytheDBMS_SCHEDULERpackage.

Audit:

SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_JOB';

Remediation:

REVOKE EXECUTE ON DBMS_JOB FROM PUBLIC;

References:

1. http://docs.oracle.com/database/121/ARPLS/d_job.htm#ARPLS019

86|P a g e

CISControls:

Version6

87|P a g e

4.1.6 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_LDAP' (Scored)

Description:

TheOracledatabaseDBMS_LDAPpackagecontainsfunctionsandproceduresthatenableprogrammerstoaccessdatafromLDAPservers.TheuserPUBLICshouldnotbeabletoexecuteDBMS_LDAP.

Rationale:

UseoftheDBMS_LDAPpackagecanbeusedtocreatespeciallycraftederrormessagesorsendinformationviaDNStotheoutside.

Audit:

SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_LDAP';

Remediation:

REVOKE EXECUTE ON DBMS_LDAP FROM PUBLIC;

References:

1. http://docs.oracle.com/database/121/ARPLS/d_ldap.htm#ARPLS360

88|P a g e

CISControls:

Version6

89|P a g e

4.1.7 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_LOB' (Scored)

Description:

TheOracledatabaseDBMS_LOBpackageprovidessubprogramsthatcanmanipulateandread/writeonBLOBs,CLOBs,NCLOBs,BFILEs,andtemporaryLOBs.TheuserPUBLICshouldnotbeabletoexecuteDBMS_LOB.

Rationale:

UseoftheDBMS_LOBpackagecouldallowanunauthorizedusertomanipulateBLOBs,CLOBs,NCLOBs,BFILEs,andtemporaryLOBsontheinstance,eitherdestroyingdataorcausingadenial-of-serviceconditionduetocorruptionofdiskspace.

Audit:

SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_LOB';

Remediation:

REVOKE EXECUTE ON DBMS_LOB FROM PUBLIC;

References:

1. http://docs.oracle.com/database/121/ARPLS/d_lob.htm#ARPLS600

90|P a g e

CISControls:

Version6

91|P a g e

4.1.8 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_OBFUSCATION_TOOLKIT' (Scored)

Description:

TheDBMS_OBFUSCATION_TOOLKITprovidesoneofthetoolsthatdeterminethestrengthoftheencryptionalgorithmusedtoencryptapplicationdataandispartoftheSYSschema.TheDES(56-bitkey)and3DES(168-bitkey)aretheonlytwotypesavailable.TheuserPUBLICshouldnotbeabletoexecuteDBMS_OBFUSCATION_TOOLKIT.

Rationale:

AllowingthePUBLICuserprivilegestoaccessthiscapabilitycanbepotentiallyharmdatastorage.

Audit:

SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_OBFUSCATION_TOOLKIT';

Remediation:

REVOKE EXECUTE ON DBMS_OBFUSCATION_TOOLKIT FROM PUBLIC;

CISControls:

Version6

5.1MinimizeAndSparinglyUseAdministrativePrivilegesMinimizeadministrativeprivilegesandonlyuseadministrativeaccountswhenthey

92|P a g e

arerequired.Implementfocusedauditingontheuseofadministrativeprivilegedfunctionsandmonitorforanomalousbehavior.

93|P a g e

4.1.9 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_RANDOM' (Scored)

Description:

TheOracledatabaseDBMS_RANDOMpackageisusedforgeneratingrandomnumbersbutshouldnotbeusedforcryptographicpurposes.TheuserPUBLICshouldnotbeabletoexecuteDBMS_RANDOM.

Rationale:

UseoftheDBMS_RANDOMpackagecanallowtheunauthorizedapplicationoftherandomnumber-generatingfunction.

Audit:

SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_RANDOM';

Remediation:

REVOKE EXECUTE ON DBMS_RANDOM FROM PUBLIC;

References:

1. http://docs.oracle.com/cd/E11882_01/appdev.112/e25788/d_random.htm

Notes:

TheOEMcautionsthatremovingthisfromPUBLICmaybreakcertainapplications.

94|P a g e

CISControls:

Version6

95|P a g e

4.1.10 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_SCHEDULER' (Scored)

Description:

TheOracledatabaseDBMS_SCHEDULERpackageschedulesandmanagesthedatabaseandoperatingsystemjobs.TheuserPUBLICshouldnotbeabletoexecuteDBMS_SCHEDULER.

Rationale:

UseoftheDBMS_SCHEDULERpackagecouldallowanunauthorizedusertorundatabaseoroperatingsystemjobs.

Audit:

SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_SCHEDULER';

Remediation:

REVOKE EXECUTE ON DBMS_SCHEDULER FROM PUBLIC;

References:

1. http://docs.oracle.com/database/121/ARPLS/d_sched.htm#ARPLS72235

CISControls:

Version6

96|P a g e

97|P a g e

4.1.11 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_SQL' (Scored)

Description:

TheOracledatabaseDBMS_SQLpackageisusedforrunningdynamicSQLstatements.TheuserPUBLICshouldnotbeabletoexecuteDBMS_SQL.

Rationale:

TheDBMS_SQLpackagecouldallowprivilegeescalationifinputvalidationisnotdoneproperly.

Audit:

SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_SQL';

Remediation:

REVOKE EXECUTE ON DBMS_SQL FROM PUBLIC;

References:

1. http://docs.oracle.com/database/121/ARPLS/d_sql.htm#ARPLS058

CISControls:

Version6

98|P a g e

4.1.12 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_XMLGEN' (Scored)

Description:

TheDBMS_XMLGENpackagetakesanarbitrarySQLqueryasinput,convertsittoXMLformat,andreturnstheresultasaCLOB.TheuserPUBLICshouldnotbeabletoexecuteDBMS_XMLGEN.

Rationale:

ThepackageDBMS_XMLGENcanbeusedtosearchtheentiredatabaseforsensitiveinformationlikecreditcardnumbers.

Audit:

SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_XMLGEN';

Remediation:

REVOKE EXECUTE ON DBMS_XMLGEN FROM PUBLIC;

References:

1. http://docs.oracle.com/database/121/ARPLS/d_xmlgen.htm#ARPLS3742. http://www.red-database-security.com/wp/confidence2009.pdf

99|P a g e

CISControls:

Version6

13DataProtectionDataProtection

100|P a g e

4.1.13 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_XMLQUERY' (Scored)

Description:

TheOraclepackageDBMS_XMLQUERYtakesanarbitrarySQLquery,convertsittoXMLformat,andreturnstheresult.ThispackageissimilartoDBMS_XMLGEN.TheuserPUBLICshouldnotbeabletoexecuteDBMS_XMLQUERY.

Rationale:

ThepackageDBMS_XMLQUERYcanbeusedtosearchtheentiredatabaseforsensitiveinformationlikecreditcardnumbers.MalicioususersmaybeabletoexploitthispackageasanauxiliaryinjectfunctioninaSQLinjectionattack.

Audit:

SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_XMLQUERY';

Remediation:

REVOKE EXECUTE ON DBMS_XMLQUERY FROM PUBLIC;

References:

1. http://docs.oracle.com/database/121/ARPLS/d_xmlque.htm#ARPLS376

101|P a g e

CISControls:

Version6

13DataProtectionDataProtection

102|P a g e

4.1.14 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_FILE' (Scored)

Description:

TheOracledatabaseUTL_FILEpackagecanbeusedtoread/writefileslocatedontheserverwheretheOracleinstanceisinstalled.TheuserPUBLICshouldnotbeabletoexecuteUTL_FILE.

Rationale:

UseoftheUTL_FILEpackagecouldallowanusertoreadOSfiles.Thesefilescouldcontainsensitiveinformation(e.g.passwordsin.bash_history).

Audit:

SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='UTL_FILE';

Remediation:

REVOKE EXECUTE ON UTL_FILE FROM PUBLIC;

References:

1. http://docs.oracle.com/database/121/ARPLS/u_file.htm#ARPLS069

CISControls:

Version6

14ControlledAccessBasedontheNeedtoKnowControlledAccessBasedontheNeedtoKnow

103|P a g e

4.1.15 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_INADDR' (Scored)

Description:

TheOracledatabaseUTL_INADDRpackagecanbeusedtocreatespeciallycraftederrormessagesorsendinformationviaDNStotheoutside.TheuserPUBLICshouldnotbeabletoexecuteUTL_INADDR.

Rationale:

TheUTL_INADDRpackageisoftenusedinSQLinjectionattacksfromthewebitshouldberevokedfrompublic.

Audit:

SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='UTL_INADDR';

Remediation:

REVOKE EXECUTE ON UTL_INADDR FROM PUBLIC;

References:

1. http://docs.oracle.com/database/121/ARPLS/u_inaddr.htm#ARPLS071

104|P a g e

CISControls:

Version6

105|P a g e

4.1.16 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_TCP' (Scored)

Description:

TheOracledatabaseUTL_TCPpackagecanbeusedtoread/writefiletoTCPsocketsontheserverwheretheOracleinstanceisinstalled.TheuserPUBLICshouldnotbeabletoexecuteUTL_TCP.

Rationale:

TheUTL_TCPpackagecouldallowanunauthorizedusertocorrupttheTCPstreamusedtocarrytheprotocolsthatcommunicatewiththeinstance'sexternalcommunications.

Audit:

SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='UTL_TCP';

Remediation:

REVOKE EXECUTE ON UTL_TCP FROM PUBLIC;

References:

1. http://docs.oracle.com/database/121/ARPLS/u_tcp.htm#ARPLS075

CISControls:

Version6

106|P a g e

4.1.17 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_MAIL' (Scored)

Description:

TheOracledatabaseUTL_MAILpackagecanbeusedtosendemailfromtheserverwheretheOracleinstanceisinstalled.TheuserPUBLICshouldnotbeabletoexecuteUTL_MAIL.

Rationale:

TheUTL_MAILpackagecouldallowanunauthorizedusertocorrupttheSMTPfunctiontoacceptorgeneratejunkmailthatcanresultinadenial-of-serviceconditionduetonetworksaturation.

Audit:

SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='UTL_MAIL';

Remediation:

REVOKE EXECUTE ON UTL_MAIL FROM PUBLIC;

References:

1. http://docs.oracle.com/database/121/ARPLS/u_mail.htm#ARPLS384

107|P a g e

CISControls:

Version6

108|P a g e

4.1.18 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_SMTP' (Scored)

Description:

TheOracledatabaseUTL_SMTPpackagecanbeusedtosendemailfromtheserverwheretheOracleinstanceisinstalled.TheuserPUBLICshouldnotbeabletoexecuteUTL_SMTP.

Rationale:

TheUTL_SMTPpackagecouldallowanunauthorizedusertocorrupttheSMTPfunctiontoacceptorgeneratejunkmailthatcanresultinadenial-of-serviceconditionduetonetworksaturation.

Audit:

SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='UTL_SMTP';

Remediation:

REVOKE EXECUTE ON UTL_SMTP FROM PUBLIC;

References:

1. http://docs.oracle.com/database/121/ARPLS/u_smtp.htm#ARPLS074

109|P a g e

CISControls:

Version6

110|P a g e

4.1.19 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_DBWS' (Scored)

Description:

TheOracledatabaseUTL_DBWSpackagecanbeusedtoread/writefiletoweb-basedapplicationsontheserverwheretheOracleinstanceisinstalled.Thispackageisnotautomaticallyinstalledforsecurityreasons.TheuserPUBLICshouldnotbeabletoexecuteUTL_DBWS.

Rationale:

TheUTL_DBWSpackagecouldallowanunauthorizedusertocorrupttheHTTPstreamusedtocarrytheprotocolsthatcommunicatefortheinstance'sweb-basedexternalcommunications.

Audit:

SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='UTL_DBWS';

Remediation:

REVOKE EXECUTE ON UTL_DBWS FROM 'PUBLIC';

References:

1. https://docs.oracle.com/database/121/JJPUB/intro.htm#BHCIBFGJ

CISControls:

111|P a g e

Version6

112|P a g e

4.1.20 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_ORAMTS' (Scored)

Description:

TheOracledatabaseUTL_ORAMTSpackagecanbeusedtoperformHTTPrequests.Thiscouldbeusedtosendinformationtotheoutside.TheuserPUBLICshouldnotbeabletoexecuteUTL_ORAMTS.

Rationale:

TheUTL_ORAMTSpackagecouldbeusedtosend(sensitive)informationtoexternalwebsites.Theuseofthispackageshouldberestrictedaccordingtotheneedsoftheorganization.

Audit:

SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='UTL_ORAMTS';

Remediation:

REVOKE EXECUTE ON UTL_ORAMTS FROM PUBLIC;

References:

1. http://docs.oracle.com/database/121/NTMTS/recovery.htm#sthref73

113|P a g e

CISControls:

Version6

114|P a g e

4.1.21 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_HTTP' (Scored)

Description:

TheOracledatabaseUTL_HTTPpackagecanbeusedtoperformHTTPrequests.Thiscouldbeusedtosendinformationtotheoutside.TheuserPUBLICshouldnotbeabletoexecuteUTL_HTTP.

Rationale:

TheUTL_HTTPpackagecouldbeusedtosend(sensitive)informationtoexternalwebsites.Theuseofthispackageshouldberestrictedaccordingtotheneedsoftheorganization.

Audit:

SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='UTL_HTTP';

Remediation:

REVOKE EXECUTE ON UTL_HTTP FROM PUBLIC;

References:

1. http://docs.oracle.com/database/121/ARPLS/u_http.htm#ARPLS070

115|P a g e

CISControls:

Version6

116|P a g e

4.1.22 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'HTTPURITYPE' (Scored)

Description:

TheOracledatabaseHTTPURITYPEobjecttypecanbeusedtoperformHTTPrequests.TheuserPUBLICshouldnotbeabletoexecuteHTTPURITYPE.

Rationale:

TheabilitytoperformHTTPrequestscouldbeusedtoleakinformationfromthedatabasetoanexternaldestination.

Audit:

SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='HTTPURITYPE';

Remediation:

REVOKE EXECUTE ON HTTPURITYPE FROM PUBLIC;

References:

1. http://docs.oracle.com/database/121/ARPLS/t_dburi.htm#ARPLS71705

CISControls:

Version6

117|P a g e

4.1.23 Ensure 'EXECUTE' is revoked from 'PUBLIC' on 'DBMS_XMLSTORE' (Scored)

Description:

TheDBMS_XLMSTOREpackageprovidesXMLfunctionality.ItacceptsatablenameandXMLasinputtoperformDMLoperationsagainstthetable.TheuserPUBLICshouldnotbeabletoexecuteDBMS_XLMSTORE.

Rationale:

MalicioususersmaybeabletoexploitthispackageasanauxiliaryinjectfunctioninaSQLinjectionattack.

Audit:

SELECT GRANTEE FROM DBA_TAB_PRIVS WHERE TABLE_NAME = 'DBMS_XMLSTORE' AND GRANTEE = 'PUBLIC' AND PRIVILEGE = 'EXECUTE';

Remediation:

Toremediatethissetting,executethefollowingSQLstatement:

REVOKE EXECUTE ON DBMS_XMLSTORE FROM PUBLIC;

References:

1. http://www.davidlitchfield.com/DBMS_XMLSTORE_PLSQL_Injection.pdf

118|P a g e

CISControls:

Version6

18.3SanitizeInputForIn-houseSoftwareForin-housedevelopedsoftware,ensurethatexpliciterrorcheckingisperformedanddocumentedforallinput,includingforsize,datatype,andacceptablerangesorformats.

119|P a g e

4.1.24 Ensure 'EXECUTE' is revoked from 'PUBLIC' on 'DBMS_XMLSAVE' (Scored)

Description:

TheDBMS_XLMSTOREpackageprovidesXMLfunctionality.ItacceptsatablenameandXMLasinputandtheninsertsintoorupdatesthattable.TheuserPUBLICshouldnotbeabletoexecuteDBMS_XLMSAVE.

Rationale:

Audit:

Toassessthisrecommendation,executethefollowingSQLstatement:

SELECT GRANTEE FROM DBA_TAB_PRIVS WHERE TABLE_NAME = 'DBMS_XMLSAVE' AND GRANTEE = 'PUBLIC' AND PRIVILEGE = 'EXECUTE';

Remediation:

Toremediatethissetting,executethefollowingSQLstatement

REVOKE EXECUTE ON DBMS_XMLSAVE FROM PUBLIC;

References:

1. http://www.davidlitchfield.com/DBMS_XMLSTORE_PLSQL_Injection.pdf

CISControls:

Version6

18.3SanitizeInputForIn-houseSoftwareForin-housedevelopedsoftware,ensurethatexpliciterrorcheckingisperformed

120|P a g e

anddocumentedforallinput,includingforsize,datatype,andacceptablerangesorformats.

121|P a g e

4.1.25 Ensure 'EXECUTE' is revoked from 'PUBLIC' on 'DBMS_REDACT' (Scored)

Description:

TheDBMS_REDACTpackageprovidesaninterfacetoOracleDataRedaction,whichenablesyoutomask(redact)datathatisreturnedfromqueriesissuedbylow-privilegedusersoranapplication.TheuserPUBLICshouldnotbeabletoexecuteDBMS_REDACT.

Rationale:

Audit:

Toassessthisrecommendation,executethefollowingSQLstatement

SELECT GRANTEE FROM DBA_TAB_PRIVS WHERE TABLE_NAME = 'DBMS_REDACT' AND GRANTEE = 'PUBLIC' AND PRIVILEGE = 'EXECUTE';

Remediation:

Toremediatethissetting,executethefollowingSQLstatement

REVOKE EXECUTE ON DBMS_REDACT FROM PUBLIC;

CISControls:

Version6

18.3SanitizeInputForIn-houseSoftwareForin-housedevelopedsoftware,ensurethatexpliciterrorcheckingisperformedanddocumentedforallinput,includingforsize,datatype,andacceptablerangesorformats.

122|P a g e

4.2 Revoke Non-Default Privileges for Packages and Object Types

Therecommendationswithinthissectionrevokeexcessiveprivilegesforpackagesandobjecttypes.

4.2.1 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_SYS_SQL' (Scored)

Description:

TheOracledatabaseDBMS_SYS_SQLpackageisshippedasundocumented.TheuserPUBLICshouldnotbeabletoexecuteDBMS_SYS_SQL.

Rationale:

TheDBMS_SYS_SQLpackagecouldallowanusertoruncodeasadifferentuserwithoutenteringvalidcredentials.

Audit:

SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_SYS_SQL';

Remediation:

REVOKE EXECUTE ON DBMS_SYS_SQL FROM PUBLIC;

123|P a g e

References:

1. http://asktom.oracle.com/pls/asktom/f?p=100:11:0::::P11_QUESTION_ID:1325202421535

CISControls:

Version6

124|P a g e

4.2.2 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_BACKUP_RESTORE' (Scored)

Description:

TheOracledatabaseDBMS_BACKUP_RESTOREpackageisusedforapplyingPL/SQLcommandstothenativeRMANsequences.TheuserPUBLICshouldnotbeabletoexecuteDBMS_BACKUP_RESTORE.

Rationale:

TheDBMS_BACKUP_RESTOREpackagecanallowaccesstoOSfiles.

Audit:

SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_BACKUP_RESTORE';

Remediation:

REVOKE EXECUTE ON DBMS_BACKUP_RESTORE FROM PUBLIC;

References:

1. http://psoug.org/reference/dbms_backup_restore.html2. http://davidalejomarcos.wordpress.com/2011/09/13/how-to-list-files-on-a-

directory-from-oracle-database/

125|P a g e

CISControls:

Version6

126|P a g e

4.2.3 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_AQADM_SYSCALLS' (Scored)

Description:

TheOracledatabaseDBMS_AQADM_SYSCALLSpackageisshippedasundocumented.TheuserPUBLICshouldnotbeabletoexecuteDBMS_AQADM_SYSCALLS.

Rationale:

TheDBMS_AQADM_SYSCALLSpackagecouldallowanunauthorizedusertorunSQLcommandsasuserSYS.

Audit:

SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_AQADM_SYSCALLS';

Remediation:

REVOKE EXECUTE ON DBMS_AQADM_SYSCALLS FROM PUBLIC;

References:

1. http://securityvulns.ru/files/ohh-indirect-privilege-escalation.pdf

CISControls:

Version6

127|P a g e

4.2.4 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_REPCAT_SQL_UTL' (Scored)

Description:

TheOracledatabaseDBMS_REPCAT_SQL_UTLpackageisshippedasundocumentedandallowstorunSQLcommandsasuserSYS.TheuserPUBLICshouldnotbeabletoexecuteDBMS_REPCAT_SQL_UTL.

Rationale:

TheDBMS_REPCAT_SQL_UTLpackagecouldallowanunauthorizedusertorunSQLcommandsasuserSYS.

Audit:

SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_REPCAT_SQL_UTL';

Remediation:

revoke execute on DBMS_REPCAT_SQL_UTL FROM PUBLIC;

References:

128|P a g e

CISControls:

Version6

129|P a g e

4.2.5 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'INITJVMAUX' (Scored)

Description:

TheOracledatabaseINITJVMAUXpackageisshippedasundocumentedandallowstorunSQLcommandsasuserSYS.TheuserPUBLICshouldnotbeabletoexecuteINITJVMAUX.

Rationale:

TheINITJVMAUXpackagecouldallowanunauthorizedusertorunSQLcommandsasuserSYS.

Audit:

SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='INITJVMAUX';

Remediation:

REVOKE EXECUTE ON INITJVMAUX FROM PUBLIC;

References:

CISControls:

Version6

130|P a g e

4.2.6 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_STREAMS_ADM_UTL' (Scored)

Description:

TheOracledatabaseDBMS_STREAMS_ADM_UTLpackageisshippedasundocumentedandallowstorunSQLcommandsasuserSYS.TheuserPUBLICshouldnotbeabletoexecuteDBMS_STREAMS_ADM_UTL.

Rationale:

TheDBMS_STREAMS_ADM_UTLpackagecouldallowanunauthorizedusertorunSQLcommandsasuserSYS.

Audit:

SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_STREAMS_ADM_UTL';

Remediation:

REVOKE EXECUTE ON DBMS_STREAMS_ADM_UTL FROM PUBLIC;

References:

131|P a g e

CISControls:

Version6

132|P a g e

4.2.7 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_AQADM_SYS' (Scored)

Description:

TheOracledatabaseDBMS_AQADM_SYSpackageisshippedasundocumentedandallowstorunSQLcommandsasuserSYS.TheuserPUBLICshouldnotbeabletoexecuteDBMS_AQADM_SYS.

Rationale:

TheDBMS_AQADM_SYSpackagecouldallowanunauthorizedusertorunSQLcommandsasuserSYS.

Audit:

SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_AQADM_SYS';

Remediation:

REVOKE EXECUTE ON DBMS_AQADM_SYS FROM PUBLIC;

CISControls:

Version6

133|P a g e

4.2.8 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_STREAMS_RPC' (Scored)

Description:

TheOracledatabaseDBMS_STREAMS_RPCpackageisshippedasundocumentedandallowstorunSQLcommandsasuserSYS.TheuserPUBLICshouldnotbeabletoexecuteDBMS_STREAMS_RPC.

Rationale:

TheDBMS_STREAMS_RPCpackagecouldallowanunauthorizedusertorunSQLcommandsasuserSYS.

Audit:

SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_STREAMS_RPC';

Remediation:

REVOKE EXECUTE ON DBMS_STREAMS_RPC FROM PUBLIC;

References:

134|P a g e

CISControls:

Version6

135|P a g e

4.2.9 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_PRVTAQIM' (Scored)

Description:

TheOracledatabaseDBMS_PRVTAQIMpackageisshippedasundocumentedandallowstorunSQLcommandsasuserSYS.TheuserPUBLICshouldnotbeabletoexecuteDBMS_PRVTAQIM.

Rationale:

TheDBMS_PRVTAQIMpackagecouldallowanunauthorizedusertoescalateprivilegesbecauseanySQLstatementscouldbeexecutedasuserSYS.

Audit:

SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_PRVTAQIM';

Remediation:

REVOKE EXECUTE ON DBMS_PRVTAQIM FROM PUBLIC;

References:

136|P a g e

CISControls:

Version6

137|P a g e

4.2.10 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'LTADM' (Scored)

Description:

TheOracledatabaseLTADMpackageisshippedasundocumented.Itallowsprivilegeescalationifgrantedtounprivilegedusers.TheuserPUBLICshouldnotbeabletoexecuteLTADM.

Rationale:

TheLTADMpackagecouldallowanunauthorizedusertorunanySQLcommandasuserSYS.

Audit:

SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='LTADM';

Remediation:

REVOKE EXECUTE ON LTADM FROM PUBLIC;

References:

CISControls:

Version6

138|P a g e

4.2.11 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'WWV_DBMS_SQL' (Scored)

Description:

TheOracledatabaseWWV_DBMS_SQLpackageisshippedasundocumented.ItallowsOracleApplicationExpresstorundynamicSQLstatements.

Rationale:

TheWWV_DBMS_SQLpackagecouldallowanunauthorizedusertorunSQLstatementsastheApplicationExpress(APEX)user.TheuserPUBLICshouldnotbeabletoexecuteWWV_DBMS_SQL.

Audit:

SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='WWV_DBMS_SQL';

Remediation:

REVOKE EXECUTE ON WWV_DBMS_SQL FROM PUBLIC;

CISControls:

Version6

14ControlledAccessBasedontheNeedtoKnowControlledAccessBasedontheNeedtoKnow

139|P a g e

4.2.12 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'WWV_EXECUTE_IMMEDIATE' (Scored)

Description:

TheOracledatabaseWWV_EXECUTE_IMMEDIATEpackageisshippedasundocumented.ItallowsOracleApplicationExpresstorundynamicSQLstatements.TheuserPUBLICshouldnotbeabletoexecuteWWV_EXECUTE_IMMEDIATE.

Rationale:

TheWWV_EXECUTE_IMMEDIATEpackagecouldallowanunauthorizedusertorunSQLstatementsastheApplicationExpress(APEX)user.

Audit:

SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='WWV_EXECUTE_IMMEDIATE';

Remediation:

REVOKE EXECUTE ON WWV_EXECUTE_IMMEDIATE FROM PUBLIC;

References:

1. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-1811

140|P a g e

CISControls:

Version6

141|P a g e

4.2.13 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_IJOB' (Scored)

Description:

TheOracledatabaseDBMS_IJOBpackageisshippedasundocumented.Itallowsausertorundatabasejobsinthecontextofanotheruser.TheuserPUBLICshouldnotbeabletoexecuteDBMS_IJOB.

Rationale:

TheDBMS_IJOBpackagecouldallowanattackertochangeidentitiesbyusingadifferentusernametoexecuteadatabasejob.

Audit:

SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_IJOB';

Remediation:

REVOKE EXECUTE ON DBMS_IJOB FROM PUBLIC;

CISControls:

Version6

142|P a g e

4.2.14 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_FILE_TRANSFER' (Scored)

Description:

TheOracledatabaseDBMS_FILE_TRANSFERpackageallowsausertotransferfilesfromonedatabaseservertoanother.TheuserPUBLICshouldnotbeabletoexecuteDBMS_FILE_TRANSFER.

Rationale:

TheDBMS_FILE_TRANSFERpackagecouldallowtotransferfilesfromonedatabaseservertoanotherwithoutauthorizationtodoso.

Audit:

SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_FILE_TRANSFER';

Remediation:

REVOKE EXECUTE ON DBMS_FILE_TRANSFER FROM PUBLIC;

References:

1. http://docs.oracle.com/database/121/ARPLS/d_ftran.htm#ARPLS095

143|P a g e

CISControls:

Version6

144|P a g e

4.3 Revoke Excessive System Privileges

Therecommendationswithinthissectionrevokeexcessivesystemprivileges.

4.3.1 Ensure 'SELECT ANY DICTIONARY' Is Revoked from Unauthorized 'GRANTEE' (Scored)

Description:

TheOracledatabaseSELECT ANY DICTIONARYprivilegeallowsthedesignatedusertoaccessSYSschemaobjects.Unauthorizedgranteesshouldnothavethatprivilege.

Rationale:

TheOraclepasswordhashesarepartoftheSYSschemaandcanbeselectedusingSELECT ANY DICTIONARYprivileges.

Audit:

SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='SELECT ANY DICTIONARY' AND GRANTEE NOT IN ('DBA','DBSNMP','OEM_MONITOR', 'OLAPSYS','ORACLE_OCM','SYSMAN','WMSYS','SYSBACKUP','SYSDG');

Remediation:

REVOKE SELECT_ANY_DICTIONARY FROM <grantee>;

References:

1. http://docs.oracle.com/database/121/DBSEG/authorization.htm#DBSEG998702. http://docs.oracle.com/database/121/REFRN/GUID-10024282-6729-4C66-8679-

FD653C9C7DE7.htm#REFRN-GUID-10024282-6729-4C66-8679-FD653C9C7DE7

145|P a g e

3. http://arup.blogspot.de/2011/07/difference-between-select-any.html

CISControls:

Version6

146|P a g e

4.3.2 Ensure 'SELECT ANY TABLE' Is Revoked from Unauthorized 'GRANTEE' (Scored)

Description:

TheOracledatabaseSELECT ANY TABLEprivilegeallowsthedesignatedusertoopenanytable,exceptSYS,toviewit.Unauthorizedgranteesshouldnothavethatprivilege.

Rationale:

AssignmentoftheSELECT ANY TABLEprivilegecanallowtheunauthorizedviewingofsensitivedata.

Audit:

SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='SELECT ANY TABLE' AND GRANTEE NOT IN ('DBA', 'MDSYS', 'SYS', 'IMP_FULL_DATABASE', 'EXP_FULL_DATABASE','DATAPUMP_IMP_FULL_DATABASE', 'WMSYS', 'SYSTEM','OLAP_DBA', 'DV_REALM_OWNER');

Remediation:

REVOKE SELECT ANY TABLE FROM <grantee>;

References:

1. http://docs.oracle.com/database/121/SQLRF/statements_10002.htm#SQLRF01702

Notes:

IfO7_DICTIONARY_ACCESSIBILITYhasbeensettoTRUE(non-defaultsetting)thentheSELECT ANY TABLEprivilegeprovidesaccesstoSYSobjects.

147|P a g e

CISControls:

Version6

148|P a g e

4.3.3 Ensure 'AUDIT SYSTEM' Is Revoked from Unauthorized 'GRANTEE' (Scored)

Description:

TheOracledatabaseAUDIT SYSTEMprivilegeallowschangestoauditingactivitiesonthesystem.Unauthorizedgranteesshouldnothavethatprivilege.

Rationale:

TheAUDIT SYSTEMprivilegecanallowtheunauthorizedalterationofsystemauditactivities,suchasdisablingthecreationofaudittrails.

Audit:

Toassesthisrecommendation,executethefollowingSQLstatement.

SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='AUDIT SYSTEM' AND GRANTEE NOT IN ('DBA','DATAPUMP_IMP_FULL_DATABASE','IMP_FULL_DATABASE', 'SYS','AUDIT_ADMIN');

Remediation:

REVOKE AUDIT SYSTEM FROM <grantee>;

References:

1. http://docs.oracle.com/database/121/SQLRF/statements_4007.htm#SQLRF011072. http://docs.oracle.com/database/121/SQLRF/statements_4008.htm#SQLRF56110

149|P a g e

CISControls:

Version6

150|P a g e

4.3.4 Ensure 'EXEMPT ACCESS POLICY' Is Revoked from Unauthorized 'GRANTEE' (Scored)

Description:

TheOracledatabaseEXEMPT ACCESS POLICYkeywordprovidestheuserthecapabilitytoaccessallthetablerowsregardlessofrow-levelsecuritylockouts.Unauthorizedgranteesshouldnothavethatkeywordassignedtothem.

Rationale:

TheEXEMPT ACCESS POLICYprivilegecanallowanunauthorizedusertopotentiallyaccessandchangedata.

Audit:

SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='EXEMPT ACCESS POLICY';

Remediation:

REVOKE EXEMPT ACCESS POLICY FROM <grantee>;

References:

1. http://docs.oracle.com/database/121/DBSEG/audit_config.htm#DBSEG7032. http://docs.oracle.com/database/121/DBSEG/vpd.htm#CIHEEAFJ

151|P a g e

CISControls:

Version6

152|P a g e

4.3.5 Ensure 'BECOME USER' Is Revoked from Unauthorized 'GRANTEE' (Scored)

Description:

TheOracledatabaseBECOME USERprivilegeallowsthedesignatedusertoinherittherightsofanotheruser.Unauthorizedgranteesshouldnothavethatprivilege.

Rationale:

TheBECOME USERprivilegecanallowtheunauthorizeduseofanotheruser'sprivileges,thiscapabilityshouldberestrictedaccordingtotheneedsoftheorganization.

Audit:

SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='BECOME USER' AND GRANTEE NOT IN ('DBA','SYS','IMP_FULL_DATABASE');

Remediation:

REVOKE BECOME USER FROM <grantee>;

References:

1. http://docs.oracle.com/database/121/DBSEG/guidelines.htm#DBSEG499

CISControls:

Version6

153|P a g e

4.3.6 Ensure 'CREATE_PROCEDURE' Is Revoked from Unauthorized 'GRANTEE' (Scored)

Description:

TheOracledatabaseCREATE PROCEDUREprivilegeallowsthedesignatedusertocreateastoredprocedurethatwillfirewhengiventhecorrectcommandsequence.Unauthorizedgranteesshouldnothavethatprivilege.

Rationale:

TheCREATE PROCEDUREprivilegecanleadtosevereproblemsinunauthorizedhands,suchasrogueproceduresfacilitatingdatatheftordenial-of-servicebycorruptingdatatables.

Audit:

SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='CREATE PROCEDURE' AND GRANTEE NOT IN ( 'DBA','DBSNMP','MDSYS','OLAPSYS','OWB$CLIENT', 'OWBSYS','RECOVERY_CATALOG_OWNER','SPATIAL_CSW_ADMIN_USR', 'SPATIAL_WFS_ADMIN_USR','SYS','APEX_030200','APEX_040000', 'APEX_040100','APEX_040200','DVF','RESOURCE','DV_REALM_RESOURCE', 'APEX_GRANTS_FOR_NEW_USERS_ROLE','APEX_050000','MGMT_VIEW', 'SYSMAN_MDS','SYSMAN_OPSS','SYSMAN_RO','SYSMAN_STB');

Remediation:

REVOKE CREATE PROCEDURE FROM <grantee>;

References:

154|P a g e

CISControls:

Version6

155|P a g e

4.3.7 Ensure 'ALTER SYSTEM' Is Revoked from Unauthorized 'GRANTEE' (Scored)

Description:

TheOracledatabaseALTER SYSTEMprivilegeallowsthedesignatedusertodynamicallyaltertheinstance'srunningoperations.Unauthorizedgranteesshouldnothavethatprivilege.

Rationale:

TheALTER SYSTEMprivilegecanleadtosevereproblems,suchastheinstance'ssessionbeingkilledorthestoppingofredologrecording,whichwouldmaketransactionsunrecoverable.

Audit:

SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='ALTER SYSTEM' AND GRANTEE NOT IN ('SYS','SYSTEM','APEX_030200','APEX_040000', 'APEX_040100','APEX_040200','DBA','EM_EXPRESS_ALL','SYSBACKUP', 'GSMADMIN_ROLE','GSM_INTERNAL','SYSDG','GSMADMIN_INTERNAL');

Remediation:

REVOKE ALTER SYSTEM FROM <grantee>;

References:

156|P a g e

CISControls:

Version6

157|P a g e

4.3.8 Ensure 'CREATE ANY LIBRARY' Is Revoked from Unauthorized 'GRANTEE' (Scored)

Description:

TheOracledatabaseCREATE ANY LIBRARYprivilegeallowsthedesignatedusertocreateobjectsthatareassociatedtothesharedlibraries.Unauthorizedgranteesshouldnothavethatprivilege.

Rationale:

TheCREATE ANY LIBRARYprivilegecanallowthecreationofnumerouslibrary-associatedobjectsandpotentiallycorruptthelibraries'integrity.

Audit:

SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='CREATE ANY LIBRARY' AND GRANTEE NOT IN ('SYS','SYSTEM','DBA','IMP_FULL_DATABASE');

Remediation:

REVOKE CREATE ANY LIBRARY FROM <grantee>;

References:

1. http://docs.oracle.com/database/121/DBSEG/guidelines.htm#DBSEG4992. http://docs.oracle.com/database/121/ADMIN/manproc.htm#ADMIN00501

Notes:

Oraclehastwoidenticalprivileges:CREATE LIBRARYandCREATE ANY LIBRARY.

158|P a g e

CISControls:

Version6

159|P a g e

4.3.9 Ensure 'CREATE LIBRARY' Is Revoked from Unauthorized 'GRANTEE' (Scored)

Description:

TheOracledatabaseCREATE LIBRARYprivilegeallowsthedesignatedusertocreateobjectsthatareassociatedtothesharedlibraries.Unauthorizedgranteesshouldnothavethatprivilege.

Rationale:

TheCREATE LIBRARYprivilegecanallowthecreationofnumerouslibrary-associatedobjectsandpotentiallycorruptthelibraries'integrity.

Audit:

SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='CREATE LIBRARY' AND GRANTEE NOT IN ('SYS','SYSTEM','DBA','MDSYS','SPATIAL_WFS_ADMIN_USR', 'SPATIAL_CSW_ADMIN_USR','DVSYS','GSMADMIN_INTERNAL','XDB');

Remediation:

REVOKE CREATE LIBRARY FROM <grantee>;

References:

1. http://docs.oracle.com/database/121/DBSEG/guidelines.htm#DBSEG4992. http://docs.oracle.com/database/121/ADMIN/manproc.htm#ADMIN00501

Notes:

Oraclehastwoidenticalprivileges:CREATE LIBRARYandCREATE ANY LIBRARY.

160|P a g e

CISControls:

Version6

161|P a g e

4.3.10 Ensure 'GRANT ANY OBJECT PRIVILEGE' Is Revoked from Unauthorized 'GRANTEE' (Scored)

Description:

TheOracledatabaseGRANT ANY OBJECT PRIVILEGEkeywordprovidesthegranteethecapabilitytograntaccesstoanysingleormultiplecombinationsofobjectstoanygranteeinthecatalogofthedatabase.Unauthorizedgranteesshouldnothavethatkeywordassignedtothem.

Rationale:

TheGRANT ANY OBJECT PRIVILEGEcapabilitycanallowanunauthorizedusertopotentiallyaccessorchangeconfidentialdata,ordamagethedatacatalogduetopotentialcompleteinstanceaccess.

Audit:

SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='GRANT ANY OBJECT PRIVILEGE' AND GRANTEE NOT IN ('DBA','SYS','IMP_FULL_DATABASE', 'DATAPUMP_IMP_FULL_DATABASE', 'EM_EXPRESS_ALL', 'DV_REALM_OWNER');

Remediation:

REVOKE GRANT ANY OBJECT PRIVILEGE FROM <grantee>;

References:

1. http://docs.oracle.com/database/121/DBSEG/authorization.htm#DBSEG99914

162|P a g e

CISControls:

Version6

163|P a g e

4.3.11 Ensure 'GRANT ANY ROLE' Is Revoked from Unauthorized 'GRANTEE' (Scored)

Description:

TheOracledatabaseGRANT ANY ROLEkeywordprovidesthegranteethecapabilitytograntanysingleroletoanygranteeinthecatalogofthedatabase.Unauthorizedgranteesshouldnothavethatkeywordassignedtothem.

Rationale:

TheGRANT ANY ROLEcapabilitycanallowanunauthorizedusertopotentiallyaccessorchangeconfidentialdataordamagethedatacatalogduetopotentialcompleteinstanceaccess.

Audit:

SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='GRANT ANY ROLE' AND GRANTEE NOT IN ('DBA','SYS','DATAPUMP_IMP_FULL_DATABASE', 'IMP_FULL_DATABASE','SPATIAL_WFS_ADMIN_USR', 'SPATIAL_CSW_ADMIN_USR','GSMADMIN_INTERNAL', 'DV_REALM_OWNER', 'EM_EXPRESS_ALL', 'DV_OWNER');

Remediation:

REVOKE GRANT ANY ROLE FROM <grantee>;

References:

164|P a g e

CISControls:

Version6

165|P a g e

4.3.12 Ensure 'GRANT ANY PRIVILEGE' Is Revoked from Unauthorized 'GRANTEE' (Scored)

Description:

TheOracledatabaseGRANT ANY PRIVILEGEkeywordprovidesthegranteethecapabilitytograntanysingleprivilegetoanyiteminthecatalogofthedatabase.Unauthorizedgranteesshouldnothavethatprivilege.

Rationale:

TheGRANT ANY PRIVILEGEcapabilitycanallowanunauthorizedusertopotentiallyaccessorchangeconfidentialdataordamagethedatacatalogduetopotentialcompleteinstanceaccess.

Audit:

SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='GRANT ANY PRIVILEGE' AND GRANTEE NOT IN ('DBA','SYS','IMP_FULL_DATABASE', 'DATAPUMP_IMP_FULL_DATABASE', 'DV_REALM_OWNER','EM_EXPRESS_ALL');

Remediation:

REVOKE GRANT ANY PRIVILEGE FROM <grantee>;

References:

166|P a g e

CISControls:

Version6

167|P a g e

4.4 Revoke Role Privileges

Therecommendationswithinthissectionintendtorevokepowerfulroleswheretheyarelikelynotneeded.

4.4.1 Ensure 'DELETE_CATALOG_ROLE' Is Revoked from Unauthorized 'GRANTEE' (Scored)

Description:

TheOracledatabaseDELETE_CATALOG_ROLEprovidesDELETEprivilegesfortherecordsinthesystem'saudittable(AUD$).Unauthorizedgranteesshouldnothavethatrole.

Rationale:

PermittingunauthorizedaccesstotheDELETE_CATALOG_ROLEcanallowthedestructionofauditrecordsvitaltotheforensicinvestigationofunauthorizedactivities.

Audit:

SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS WHERE granted_role='DELETE_CATALOG_ROLE' AND GRANTEE NOT IN ('DBA','SYS');

Remediation:

REVOKE DELETE_CATALOG_ROLE FROM <grantee>;

References:

1. http://docs.oracle.com/database/121/DBSEG/authorization.htm#BABFCAFH

168|P a g e

CISControls:

Version6

169|P a g e

4.4.2 Ensure 'SELECT_CATALOG_ROLE' Is Revoked from Unauthorized 'GRANTEE' (Scored)

Description:

TheOracledatabaseSELECT_CATALOG_ROLEprovidesSELECTprivilegesonalldatadictionaryviewsheldintheSYSschema.Unauthorizedgranteesshouldnothavethatrole.

Rationale:

PermittingunauthorizedaccesstotheSELECT_CATALOG_ROLEcanallowthedisclosureofalldictionarydata.

Audit:

SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS WHERE granted_role='SELECT_CATALOG_ROLE' AND grantee not in ('DBA','SYS','IMP_FULL_DATABASE','EXP_FULL_DATABASE', 'OEM_MONITOR', 'SYSBACKUP','EM_EXPRESS_BASIC','SYSMAN');

Remediation:

REVOKE SELECT_CATALOG_ROLE FROM <grantee>;

References:

CISControls:

Version6

170|P a g e

171|P a g e

4.4.3 Ensure 'EXECUTE_CATALOG_ROLE' Is Revoked from Unauthorized 'GRANTEE' (Scored)

Description:

TheOracledatabaseEXECUTE_CATALOG_ROLEprovidesEXECUTEprivilegesforanumberofpackagesandproceduresinthedatadictionaryintheSYSschema.Unauthorizedgranteesshouldnothavethatrole.

Rationale:

PermittingunauthorizedaccesstotheEXECUTE_CATALOG_ROLEcanallowthedisruptionofoperationsbyinitializationofrogueprocedures,thiscapabilityshouldberestrictedaccordingtotheneedsoftheorganization.

Audit:

SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS WHERE granted_role='EXECUTE_CATALOG_ROLE' AND grantee not in ('DBA','SYS','IMP_FULL_DATABASE','EXP_FULL_DATABASE');

Remediation:

REVOKE EXECUTE_CATALOG_ROLE FROM <grantee>;

References:

172|P a g e

CISControls:

Version6

173|P a g e

4.4.4 Ensure 'DBA' Is Revoked from Unauthorized 'GRANTEE' (Scored)

Description:

TheOracledatabaseDBAroleisthedefaultdatabaseadministratorroleprovidedfortheallocationofadministrativeprivileges.Unauthorizedgranteesshouldnothavethatrole.

Rationale:

AssignmentoftheDBAroletoanordinaryusercanprovideagreatnumberofunnecessaryprivilegestothatuserandopenthedoortodatabreaches,integrityviolations,anddenial-of-serviceconditions.

Audit:

SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS WHERE GRANTED_ROLE='DBA' AND GRANTEE NOT IN ('SYS','SYSTEM');

Remediation:

REVOKE DBA FROM <grantee>;

References:

CISControls:

Version6

174|P a g e

175|P a g e

4.5 Revoke Excessive Table and View Privileges

Therecommendationswithinthissectionintendtorevokeexcessivetableandviewprivileges.

4.5.1 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'AUD$' (Scored)

Description:

TheOracledatabaseSYS.AUD$tablecontainsalltheauditrecordsforthedatabaseofthenon-DataManipulationLanguage(DML)events,suchasALTER,DROP,andCREATE,andsoforth.(DMLchangesneedtrigger-basedauditeventstorecorddataalterations.)Unauthorizedgranteesshouldnothavefullaccesstothattable.

Rationale:

Permittingnon-privilegeduserstheauthorizationtomanipulatetheSYS.AUD$tablecanallowdistortionoftheauditrecords,hidingunauthorizedactivities.

Audit:

SELECT GRANTEE, PRIVILEGE FROM DBA_TAB_PRIVS WHERE TABLE_NAME='AUD$' AND GRANTEE NOT IN ('DELETE_CATALOG_ROLE');

Remediation:

REVOKE ALL ON AUD$ FROM <grantee>;

References:

1. http://docs.oracle.com/database/121/DBSEG/audit_admin.htm#DBSEG629

176|P a g e

CISControls:

Version6

177|P a g e

4.5.2 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'USER_HISTORY$' (Scored)

Description:

TheOracledatabaseSYS.USER_HISTORY$tablecontainsalltheauditrecordsfortheuser'spasswordchangehistory.(Thistablegetsupdatedbypasswordchangesiftheuserhasanassignedprofilethathasapasswordreuselimitset,e.g.,PASSWORD_REUSE_TIMEsettootherthanUNLIMITED.)Unauthorizedgranteesshouldnothavefullaccesstothattable.

Rationale:

Permittingnon-privilegeduserstheauthorizationtomanipulatetherecordsintheSYS.USER_HISTORY$tablecanallowdistortionoftheaudittrail,potentiallyhidingunauthorizeddataconfidentialityattacksorintegritychanges.

Audit:

SELECT GRANTEE, PRIVILEGE FROM DBA_TAB_PRIVS WHERE TABLE_NAME='USER_HISTORY$' AND OWNER = 'SYS';

Remediation:

REVOKE ALL ON USER_HISTORY$ FROM <grantee>;

References:

1. http://marcel.vandewaters.nl/oracle/database-oracle/password-history-reusing-a-password

Notes:

USER_HISTORY$containsonlytheold,case-insensitivepasswords.

178|P a g e

CISControls:

Version6

16.14Encrypt/HashAllAuthenticationFilesAndMonitorTheirAccessVerifythatallauthenticationfilesareencryptedorhashedandthatthesefilescannotbeaccessedwithoutrootoradministratorprivileges.Auditallaccesstopasswordfilesinthesystem.

179|P a g e

4.5.3 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'LINK$' (Scored)

Description:

TheOracledatabaseSYS.LINK$tablecontainsalltheuser'spasswordinformationanddatatablelinkinformation.Unauthorizedgranteesshouldnothavefullaccesstothattable.

Rationale:

Permittingnon-privilegeduserstomanipulateorviewtheSYS.LINK$tablecanallowcaptureofpasswordinformationand/orcorrupttheprimarydatabaselinkages.

Audit:

SELECT GRANTEE, PRIVILEGE FROM DBA_TAB_PRIVS WHERE TABLE_NAME='LINK$' AND GRANTEE NOT IN ('DV_SECANALYST') AND OWNER='SYS';

Remediation:

REVOKE ALL ON LINK$ FROM <grantee>;

CISControls:

Version6

180|P a g e

181|P a g e

4.5.4 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'SYS.USER$' (Scored)

Description:

TheOracledatabaseSYS.USER$tablecontainstheusers'hashedpasswordinformation.Unauthorizedgranteesshouldnothavefullaccesstothattable.

Rationale:

Permittingnon-privilegeduserstheauthorizationtoopentheSYS.USER$tablecanallowthecaptureofpasswordhashesforthelaterapplicationofpasswordcrackingalgorithmstobreachconfidentiality.

Audit:

SELECT GRANTEE, PRIVILEGE FROM DBA_TAB_PRIVS WHERE TABLE_NAME='USER$' AND OWNER='SYS' AND GRANTEE NOT IN ('CTXSYS','XDB','APEX_030200','SYSMAN','APEX_040000', 'APEX_040100','APEX_040200','DV_SECANALYST','DVSYS','ORACLE_OCM');

Remediation:

REVOKE ALL ON SYS.USER$ FROM <grantee>;

References:

1. http://dba.stackexchange.com/questions/17513/what-do-the-columns-in-sys-user-represent

182|P a g e

CISControls:

Version6

183|P a g e

4.5.5 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'DBA_%' (Scored)

Description:

TheOracledatabaseDBA_viewsshowallinformationwhichisrelevanttoadministrativeaccounts.Unauthorizedgranteesshouldnothavefullaccesstothoseviews.

Rationale:

PermittinguserstheauthorizationtomanipulatetheDBA_viewscanexposesensitivedata.

Audit:

SELECT grantee||'.'||table_name FROM DBA_TAB_PRIVS WHERE TABLE_NAME LIKE 'DBA_%' AND GRANTEE NOT IN ('DBA','AUDIT_ADMIN','AUDIT_VIEWER','CAPTURE_ADMIN', 'DVSYS','SYSDG','DV_SECANALYST','SYSKM','DV_MONITOR', 'ORACLE_OCM','DV_ACCTMGR','GSMADMIN_INTERNAL','XDB', 'SYS','APPQOSSYS','AQ_ADMINISTRATOR_ROLE','CTXSYS', 'EXFSYS','MDSYS','OLAP_XS_ADMIN','OLAPSYS','ORDSYS', 'OWB$CLIENT','OWBSYS','SELECT_CATALOG_ROLE', 'WM_ADMIN_ROLE','WMSYS','XDBADMIN','LBACSYS', 'ADM_PARALLEL_EXECUTE_TASK','CISSCANROLE') AND NOT REGEXP_LIKE(grantee,'^APEX_0[3-9][0-9][0-9][0-9][0-9]$');

Note:AnorganizationshouldperformproperimpactanalysisbeforerevokinggrantsonDBA_objects.

Remediation:

Replace<Non-DBA/SYS grantee>inthequerybelow,withtheOraclelogin(s)orrole(s)returnedfromtheassociatedauditprocedureandexecute:

REVOKE ALL ON DBA_ FROM <NON-DBA/SYS grantee>;

184|P a g e

References:

1. http://docs.oracle.com/database/121/REFRN/GUID-10024282-6729-4C66-8679-FD653C9C7DE7.htm#REFRN-GUID-10024282-6729-4C66-8679-FD653C9C7DE7

CISControls:

Version6

185|P a g e

4.5.6 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'SYS.SCHEDULER$_CREDENTIAL' (Scored)

Description:

TheOracledatabaseSCHEDULER$_CREDENTIALtablecontainsthedatabaseschedulercredentialinformation.Unauthorizedgranteesshouldnothavefullaccesstothattable.

Rationale:

Permittingnon-privilegeduserstheauthorizationtoopentheSYS.SCHEDULER$_CREDENTIALtablecouldexposethecredentialstocompromiseandreuse.

Audit:

SELECT GRANTEE, PRIVILEGE FROM DBA_TAB_PRIVS WHERE TABLE_NAME='SCHEDULER$_CREDENTIAL' AND OWNER='SYS';

Remediation:

REVOKE ALL ON SYS.SCHEDULER4_CREDENTIAL FROM <username>;

References:

1. http://docs.oracle.com/database/121/ADMIN/schedadmin.htm#ADMIN120732. http://berxblog.blogspot.de/2012/02/restore-dbmsschedulercreatecredential.html

Notes:

** *_SCHEDULER_CREDENTIALSisdeprecatedinOracleDatabase12c,butremainsavailableforreasonsofbackwardcompatibility.

186|P a g e

CISControls:

Version6

187|P a g e

4.5.7 Ensure 'SYS.USER$MIG' Has Been Dropped (Scored)

Description:

Thetablesys.user$migiscreatedduringmigrationandcontainstheOraclepasswordhashesbeforethemigrationstarts.Thistableshouldbedropped.

Rationale:

Thetablesys.user$migisnotdeletedafterthemigration.AnattackercouldaccessthetablecontainingtheOraclepasswordhashes.

Audit:

SELECT OWNER, TABLE_NAME FROM ALL_TABLES WHERE OWNER='SYS' AND TABLE_NAME='USER$MIG';

Remediation:

DROP TABLE SYS.USER$MIG;

CISControls:

Version6

188|P a g e

4.6 Ensure '%ANY%' Is Revoked from Unauthorized 'GRANTEE' (Scored)

Description:

TheOracledatabaseANYkeywordprovidestheuserthecapabilitytoalteranyiteminthecatalogofthedatabase.Unauthorizedgranteesshouldnothavethatkeywordassignedtothem.

Rationale:

AuthorizationtousetheANYexpansionofaprivilegecanallowanunauthorizedusertopotentiallychangeconfidentialdataordamagethedatacatalog.

Audit:

SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE LIKE '%ANY%' AND GRANTEE NOT IN ('AQ_ADMINISTRATOR_ROLE','DBA','DBSNMP','EXFSYS', 'EXP_FULL_DATABASE','IMP_FULL_DATABASE', 'DATAPUMP_IMP_FULL_DATABASE','JAVADEBUGPRIV','MDSYS', 'OEM_MONITOR','OLAPSYS','OLAP_DBA','ORACLE_OCM','OWB$CLIENT', 'OWBSYS','SCHEDULER_ADMIN','SPATIAL_CSW_ADMIN_USR', 'SPATIAL_WFS_ADMIN_USR','SYS','SYSMAN','SYSTEM','WMSYS', 'APEX_030200','APEX_040000','APEX_040100','APEX_040200','LBACSYS', 'SYSBACKUP','CTXSYS','OUTLN','DVSYS','ORDPLUGINS','ORDSYS', 'RECOVERY_CATALOG_OWNER_VPD','GSMADMIN_INTERNAL','XDB','SYSDG', 'AUDIT_ADMIN','DV_OWNER','DV_REALM_OWNER','EM_EXPRESS_ALL', 'RECOVERY_CATALOG_OWNER','APEX_050000','SYSMAN_STB', 'SYSMAN_TYPES');

Remediation:

REVOKE ‘<ANY Privilege>’ FROM <grantee>;

189|P a g e

References:

CISControls:

Version6

190|P a g e

4.7 Ensure 'DBA_SYS_PRIVS.%' Is Revoked from Unauthorized 'GRANTEE' with 'ADMIN_OPTION' Set to 'YES' (Scored)

Description:

TheOracledatabaseWITH_ADMINprivilegeallowsthedesignatedusertograntanotheruserthesameprivileges.Unauthorizedgranteesshouldnothavethatprivilege.

Rationale:

AssignmentoftheWITH_ADMINprivilegecanallowthegrantingofarestrictedprivilegetoanunauthorizeduser.

Audit:

SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE ADMIN_OPTION='YES' AND GRANTEE not in ('AQ_ADMINISTRATOR_ROLE','DBA','OWBSYS', 'SCHEDULER_ADMIN','SYS','SYSTEM','WMSYS', 'DVSYS','SYSKM','DV_ACCTMGR') AND NOT REGEXP_LIKE(grantee,'^APEX_0[3-9][0-9][0-9][0-9][0-9]$');

Remediation:

REVOKE <privilege> FROM <grantee>;

CISControls:

Version6

191|P a g e

4.8 Ensure Proxy Users Have Only 'CONNECT' Privilege (Scored)

Description:

DonotgrantprivilegesotherthanCONNECTdirectlytoproxyusers.

Rationale:

Aproxyusershouldonlyhavetheabilitytoconnecttothedatabaseorbasedontheneedsoftheorganization.

Audit:

SELECT GRANTEE,GRANTED_ROLE FROM DBA_ROLE_PRIVS WHERE GRANTEE IN (SELECT PROXY FROM DBA_PROXIES) AND GRANTED_ROLE NOT IN ('CONNECT') UNION SELECT GRANTEE,PRIVILEGE FROM DBA_SYS_PRIVS WHERE GRANTEE IN (SELECT PROXY FROM DBA_PROXIES) AND PRIVILEGE NOT IN ('CREATE SESSION') UNION SELECT GRANTEE,PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE IN (SELECT PROXY FROM DBA_PROXIES);

Remediation:

ToremediatethissettingexecutethefollowingSQLstatementforeach[PRIVILEGE]returned(otherthanCONNECT)byrunningtheauditprocedure.

REVOKE <privilege> FROM <proxy_user>;

CISControls:

Version6

192|P a g e

4.9 Ensure 'EXECUTE ANY PROCEDURE' Is Revoked from 'OUTLN' (Scored)

Description:

RemoveunneededEXECUTE ANY PROCEDUREprivilegesfromOUTLN.

Rationale:

MigratedOUTLNusershavemoreprivilegesthanrequired.

Audit:

SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='EXECUTE ANY PROCEDURE' AND GRANTEE='OUTLN';

Remediation:

REVOKE EXECUTE ANY PROCEDURE FROM OUTLN;

CISControls:

Version6

193|P a g e

4.10 Ensure 'EXECUTE ANY PROCEDURE' Is Revoked from 'DBSNMP' (Scored)

Description:

RemoveunneededEXECUTE ANY PROCEDUREprivilegesfromDBSNMP.

Rationale:

MigratedDBSNMPusershavemoreprivilegesthanrequired.

Audit:

SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='EXECUTE ANY PROCEDURE' AND GRANTEE='DBSNMP';

Remediation:

REVOKE EXECUTE ANY PROCEDURE FROM DBSNMP;

CISControls:

Version6

194|P a g e

5 Audit/Logging Policies and Procedures

Theabilitytoauditdatabaseactivitiesisamongthemostimportantofalldatabasesecurityfeatures.Decisionsmustbemaderegardingthescopeofauditingsinceauditinghascosts-instoragefortheaudittrailandinperformanceimpactonauditedoperations-andperhapseventhedatabaseorsystemingeneral.Thereisalsotheadditionalcosttomanage(store,backup,secure)andreviewthedataintheaudittrail.

Measuresmustbetakentoprotecttheaudittrailitself,foritmaybetargetedforalterationordestructiontohideunauthorizedactivity.Foranauditdestinationoutsidethedatabase,therecommendationsareelsewhereinthisdocument.Auditingrecommendationsforpotentialdatabaseauditdestinationsarebelow.

Auditing"bysession"typicallycreatesfewer(until11g)andslightlysmallerauditrecords,butisdiscouragedinmostsituationssincethereissomelossoffidelity(e.g.objectprivilegeGRANTEE).Moredetailedauditingcreateslargerauditrecords.TheAUDIT_TRAILinitializationparameter(forDB|XML,extended-ornot)isthemaindeterminingfactorforthesizeofagivenauditrecord-andanotablefactorintheperformancecost,althoughthelargestofthelatterisDBversusOSorXML.

ThissectiondealswithstandardOracleauditingsinceauditingofprivilegedconnections(assysdbaorsysoper)isconfiguredviatheAUDIT_SYS_OPERATIONSinitializationparameterandisotherwisenotconfigurable.Thebasictypesofstandardauditingareobject,statementandprivilegeauditing,andeachbehavesdifferently.

Objectauditingappliestospecificobjectsforwhichitisinvokedandalwaysappliestoallusers.Thistypeofauditingisusuallyemployedtoauditapplication-specificsensitiveobjects,butcanalsobeusedtoprotecttheaudittrailinthedatabase.

Privilegeauditingauditstheuseofspecificsystemprivileges,buttypicallyonlyiftheuseractuallypossessestheauditedprivilege.Attemptsthatfailforlackoftheauditedprivilegearetypicallynotaudited.Thisisthemainweaknessofprivilegeauditingandwhystatementauditingisusuallypreferred,iftheoptionexists.

Statementauditingauditstheissuanceofcertaintypesofstatements,usuallywithoutregardtoprivilegeorlackthereof.Bothprivilegeandstatementauditsmaybespecifiedforspecificusersorallusers(thedefault).

195|P a g e

5.1 Traditional Auditing

Therecommendationsinthissectionshouldbefollowediftraditionalauditingisimplemented.

5.1.1 Ensure the 'USER' Audit Option Is Enabled (Scored)

Description:

TheUSERobjectallowsforcreatingaccountsthatcaninteractwiththedatabaseaccordingtotherolesandprivilegesallottedtotheaccount.Itmayalsoowndatabaseobjects.Enablingtheauditoptioncausesauditingofallactivitiesandrequeststocreate,droporalterauser,includingauserchangingtheirownpassword.(Thelatterisnotauditedbyaudit ALTER USER.)

Rationale:

Anyunauthorizedattemptstocreate,droporalterausershouldcauseconcern,whethersuccessfulornot.Auditingcanalsobeusefulinforensicsifanaccountiscompromised,andauditingismandatedbymanycommonsecurityinitiatives.Anabnormallyhighnumberoftheseactivitiesinagivenperiodmightbeworthinvestigation.Anyfailedattempttodropauserorcreateausermaybeworthfurtherreview.

Audit:

SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='USER' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';

Lackofresultsimpliesafinding.

Remediation:

ExecutethefollowingSQLstatementtoremediatethissetting.

AUDIT USER;

196|P a g e

CISControls:

Version6

197|P a g e

5.1.2 Ensure the 'ROLE' Audit Option Is Enabled (Scored)

Description:

TheROLEobjectallowsforthecreationofasetofprivilegesthatcanbegrantedtousersorotherroles.Enablingtheauditoptioncausesauditingofallattempts,successfulornot,tocreate,drop,alterorsetroles.

Rationale:

Rolesareakeydatabasesecurityinfrastructurecomponent.Anyattempttocreate,droporalteraroleshouldbeaudited.Thisstatementauditingoptionalsoauditsattempts,successfulornot,tosetaroleinasession.Anyunauthorizedattemptstocreate,droporalterarolemaybeworthyofinvestigation.Attemptstosetarolebyuserswithouttheroleprivilegemaywarrantinvestigation.

Audit:

SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='ROLE' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';

Remediation:

ExecutethefollowingSQLstatementtoremediatethissetting:

AUDIT ROLE;

Notes:

Thisoptiondoesnotauditrolegrantsandrevokes.

198|P a g e

CISControls:

Version6

199|P a g e

5.1.3 Ensure the 'SYSTEM GRANT' Audit Option Is Enabled (Scored)

Description:

EnablingtheauditoptionfortheSYSTEM GRANTobjectcausesauditingofanyattempt,successfulornot,tograntorrevokeanysystemprivilegeorrole,regardlessofprivilegeheldbytheuserattemptingtheoperation.

Rationale:

Loggingofallgrantandrevokes(rolesandsystemprivileges)canprovideforensicevidenceaboutapatternofsuspect/unauthorizedactivities.Anyunauthorizedattemptmaybecauseforfurtherinvestigation.

Audit:

SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='SYSTEM GRANT' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';

Remediation:

AUDIT SYSTEM GRANT;

CISControls:

Version6

200|P a g e

5.1.4 Ensure the 'PROFILE' Audit Option Is Enabled (Scored)

Description:

ThePROFILEobjectallowsforthecreationofasetofdatabaseresourcelimitsthatcanbeassignedtoauser,sothatthatusercannotexceedthoseresourcelimitations.Enablingtheauditoptioncausesauditingofallattempts,successfulornot,tocreate,droporalteranyprofile.

Rationale:

Asprofilesarepartofthedatabasesecurityinfrastructure,auditingthecreation,modification,anddeletionofprofilesisrecommended.

Audit:

SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='PROFILE' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';

Remediation:

AUDIT PROFILE;

Notes:

Thestatementauditingoptionaudit PROFILEauditseverythingthatthethreeprivilegeauditsaudit CREATE PROFILE,audit DROP PROFILEandaudit ALTER PROFILEdo,butalsoaudits:

1. AttemptstocreateaprofilebyauserwithouttheCREATE PROFILEsystemprivilege.2. AttemptstodropaprofilebyauserwithouttheDROP PROFILEsystemprivilege

201|P a g e

3. AttemptstoalteraprofilebyauserwithouttheALTER PROFILEsystemprivilege.

CISControls:

Version6

202|P a g e

5.1.5 Ensure the 'DATABASE LINK' Audit Option Is Enabled (Scored)

Description:

EnablingtheauditoptionfortheDATABASELINKobjectcausesallactivitiesondatabaselinkstobeaudited.

Rationale:

AstheloggingofuseractivitiesinvolvingthecreationordroppingofaDATABASE LINKcanprovideforensicevidenceaboutapatternofunauthorizedactivities,theauditcapabilityshouldbeenabled.

Audit:

SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='DATABASE LINK' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';

Remediation:

AUDIT DATABASE LINK;

References:

1. http://docs.oracle.com/database/121/DBSEG/audit_config.htm#DBSEG1115

CISControls:

Version6

6.2EnsureAuditLogSettingsSupportAppropriateLogEntryFormattingValidateauditlogsettingsforeachhardwaredeviceandthesoftwareinstalledonit,

203|P a g e

ensuringthatlogsincludeadate,timestamp,sourceaddresses,destinationaddresses,andvariousotherusefulelementsofeachpacketand/ortransaction.SystemsshouldrecordlogsinastandardizedformatsuchassyslogentriesorthoseoutlinedbytheCommonEventExpressioninitiative.Ifsystemscannotgeneratelogsinastandardizedformat,lognormalizationtoolscanbedeployedtoconvertlogsintosuchaformat.

204|P a g e

5.1.6 Ensure the 'PUBLIC DATABASE LINK' Audit Option Is Enabled (Scored)

Description:

ThePUBLIC DATABASE LINKobjectallowsforthecreationofapubliclinkforanapplication-based"user"toaccessthedatabaseforconnections/sessioncreation.Enablingtheauditoptioncausesalluseractivitiesinvolvingthecreation,alteration,ordroppingofpubliclinkstobeaudited.

Rationale:

Astheloggingofuseractivitiesinvolvingthecreation,alteration,ordroppingofaPUBLIC DATABASE LINKcanprovideforensicevidenceaboutapatternofunauthorizedactivities,theauditcapabilityshouldbeenabled.

Audit:

SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='PUBLIC DATABASE LINK' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';

Remediation:

AUDIT PUBLIC DATABASE LINK;

CISControls:

Version6

205|P a g e

206|P a g e

5.1.7 Ensure the 'PUBLIC SYNONYM' Audit Option Is Enabled (Scored)

Description:

ThePUBLIC SYNONYMobjectallowsforthecreationofanalternatedescriptionofanobject.Publicsynonymsareaccessiblebyallusersthathavetheappropriateprivilegestotheunderlyingobject.Enablingtheauditoptioncausesalluseractivitiesinvolvingthecreationordroppingofpublicsynonymstobeaudited.

Rationale:

AstheloggingofuseractivitiesinvolvingthecreationordroppingofaPUBLIC SYNONYMcanprovideforensicevidenceaboutapatternofunauthorizedactivities,theauditcapabilityshouldbeenabled.

Audit:

SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='PUBLIC SYNONYM' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';

Remediation:

AUDIT PUBLIC SYNONYM;

CISControls:

Version6

6.2EnsureAuditLogSettingsSupportAppropriateLogEntryFormattingValidateauditlogsettingsforeachhardwaredeviceandthesoftwareinstalledonit,ensuringthatlogsincludeadate,timestamp,sourceaddresses,destination

207|P a g e

addresses,andvariousotherusefulelementsofeachpacketand/ortransaction.SystemsshouldrecordlogsinastandardizedformatsuchassyslogentriesorthoseoutlinedbytheCommonEventExpressioninitiative.Ifsystemscannotgeneratelogsinastandardizedformat,lognormalizationtoolscanbedeployedtoconvertlogsintosuchaformat.

208|P a g e

5.1.8 Ensure the 'SYNONYM' Audit Option Is Enabled (Scored)

Description:

TheSYNONYMoperationallowsforthecreationofanalternativenameforadatabaseobjectsuchasaJavaclassschemaobject,materializedview,operator,package,procedure,sequence,storedfunction,table,view,user-definedobjecttype,orevenanothersynonym.Thissynonymputsadependencyonitstargetandisrenderedinvalidifthetargetobjectischanged/dropped.Enablingtheauditoptioncausesalluseractivitiesinvolvingthecreationordroppingofsynonymstobeaudited.

Rationale:

AstheloggingofuseractivitiesinvolvingthecreationordroppingofaSYNONYMcanprovideforensicevidenceaboutapatternofsuspect/unauthorizedactivities,theauditcapabilityshouldbeenabled.

Audit:

SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='SYNONYM' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';

Remediation:

AUDIT SYNONYM;

References:

1. http://docs.oracle.com/database/121/DBSEG/audit_config.htm#DBSEG1115

209|P a g e

CISControls:

Version6

210|P a g e

5.1.9 Ensure the 'DIRECTORY' Audit Option Is Enabled (Scored)

Description:

TheDIRECTORYobjectallowsforthecreationofadirectoryobjectthatspecifiesanaliasforadirectoryontheserverfilesystem,wheretheexternalbinaryfileLOBs(BFILEs)/tabledataarelocated.Enablingthisauditoptioncausesalluseractivitiesinvolvingthecreationordroppingofadirectoryaliastobeaudited.

Rationale:

AstheloggingofuseractivitiesinvolvingthecreationordroppingofaDIRECTORYcanprovideforensicevidenceaboutapatternofunauthorizedactivities,theauditcapabilityshouldbeenabled.

Audit:

SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='DIRECTORY' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';

Remediation:

AUDIT DIRECTORY;

References:

1. http://docs.oracle.com/database/121/SQLRF/statements_4007.htm#SQLRF01107

211|P a g e

CISControls:

Version6

212|P a g e

5.1.10 Ensure the 'SELECT ANY DICTIONARY' Audit Option Is Enabled (Scored)

Description:

TheSELECT ANY DICTIONARYcapabilityallowstheusertoviewthedefinitionsofallschemaobjectsinthedatabase.Enablingtheauditoptioncausesalluseractivitiesinvolvingthiscapabilitytobeaudited.

Rationale:

Astheloggingofuseractivitiesinvolvingthecapabilitytoaccessthedescriptionofallschemaobjectsinthedatabasecanprovideforensicevidenceaboutapatternofunauthorizedactivities,theauditcapabilityshouldbeenabled.

Audit:

SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='SELECT ANY DICTIONARY' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';

Remediation:

AUDIT SELECT ANY DICTIONARY;

References:

213|P a g e

CISControls:

Version6

214|P a g e

5.1.11 Ensure the 'GRANT ANY OBJECT PRIVILEGE' Audit Option Is Enabled (Scored)

Description:

GRANT ANY OBJECT PRIVILEGEallowstheusertograntorrevokeanyobjectprivilege,whichincludesprivilegesontables,directories,miningmodels,etc.Enablingthisauditoptioncausesauditingofallusesofthatprivilege.

Rationale:

Loggingofprivilegegrantsthatcanleadtothecreation,alteration,ordeletionofcriticaldata,themodificationofobjects,objectprivilegepropagationandothersuchactivitiescanbecriticaltoforensicinvestigations.

Audit:

SELECT PRIVILEGE, SUCCESS, FAILURE FROM DBA_PRIV_AUDIT_OPTS WHERE PRIVILEGE='GRANT ANY OBJECT PRIVILEGE' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';

Remediation:

AUDIT GRANT ANY OBJECT PRIVILEGE;

Notes:

ThisdoesNOTauditallattemptstograntorrevokeobjectprivilegessincethiscanalsobedonebyanyonewhowasgrantedanobjectprivilegewiththegrantoption.Also,thisnevercreatesanauditrecordforanyonewhodoesnotholdtheGRANT ANY OBJECT PRIVILEGEsystemprivilege.Therefore,manyattempts,successfulornot,tograntandrevokeobjectprivilegesarenotauditedbythis.

215|P a g e

CISControls:

Version6

216|P a g e

5.1.12 Ensure the 'GRANT ANY PRIVILEGE' Audit Option Is Enabled (Scored)

Description:

GRANT ANY PRIVILEGEallowsausertograntanysystemprivilege,includingthemostpowerfulprivilegestypicallyavailableonlytoadministrators-tochangethesecurityinfrastructure,todrop/add/modifyusersandmore.

Rationale:

Auditingtheuseofthisprivilegeispartofacomprehensiveauditingpolicythatcanhelpindetectingissuesandcanbeusefulinforensics.

Audit:

SELECT PRIVILEGE, SUCCESS, FAILURE FROM DBA_PRIV_AUDIT_OPTS WHERE PRIVILEGE='GRANT ANY PRIVILEGE' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';

Remediation:

AUDIT GRANT ANY PRIVILEGE;

Notes:

ThisdoesNOTauditallattemptstograntorrevokesystemprivilegessincethiscanalsobedonebyanyonewhowasgrantedasystemprivilegewiththeadminoption.Also,thisnevercreatesanauditrecordforanyonewhodoesnotholdtheGRANT ANY PRIVILEGEsystemprivilege.Thus,manyattempts,successfulornot,tograntandrevokesystemprivilegesarenotauditedbythis.

217|P a g e

CISControls:

Version6

218|P a g e

5.1.13 Ensure the 'DROP ANY PROCEDURE' Audit Option Is Enabled (Scored)

Description:

TheAUDIT DROP ANY PROCEDUREcommandisauditingthedroppingofprocedures.Enablingtheoptioncausesauditingofallsuchactivities.

Rationale:

Droppingproceduresofanotherusercouldbepartofaprivilegeescalationexploitandshouldbeaudited.

Audit:

SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='DROP ANY PROCEDURE' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';

Remediation:

AUDIT DROP ANY PROCEDURE;

CISControls:

Version6

6.2EnsureAuditLogSettingsSupportAppropriateLogEntryFormattingValidateauditlogsettingsforeachhardwaredeviceandthesoftwareinstalledonit,ensuringthatlogsincludeadate,timestamp,sourceaddresses,destinationaddresses,andvariousotherusefulelementsofeachpacketand/ortransaction.Systemsshouldrecordlogsinastandardizedformatsuchassyslogentriesorthose

219|P a g e

outlinedbytheCommonEventExpressioninitiative.Ifsystemscannotgeneratelogsinastandardizedformat,lognormalizationtoolscanbedeployedtoconvertlogsintosuchaformat.

220|P a g e

5.1.14 Ensure the 'ALL' Audit Option on 'SYS.AUD$' Is Enabled (Scored)

Description:

TheloggingofattemptstoaltertheaudittrailintheSYS.AUD$table(openforread/update/delete/view)willprovidearecordofanyactivitiesthatmayindicateunauthorizedattemptstoaccesstheaudittrail.Enablingtheauditoptionwillcausetheseactivitiestobeaudited.

Rationale:

AstheloggingofattemptstoaltertheSYS.AUD$tablecanprovideforensicevidenceoftheinitiationofapatternofunauthorizedactivities,thisloggingcapabilityshouldbeenabled.

Audit:

SELECT * FROM DBA_OBJ_AUDIT_OPTS WHERE OBJECT_NAME='AUD$' AND ALT='A/A' AND AUD='A/A' AND COM='A/A' AND DEL='A/A' AND GRA='A/A' AND IND='A/A' AND INS='A/A' AND LOC='A/A' AND REN='A/A' AND SEL='A/A' AND UPD='A/A' AND FBK='A/A';

Remediation:

AUDIT ALL ON SYS.AUD$ BY ACCESS;

221|P a g e

CISControls:

Version6

222|P a g e

5.1.15 Ensure the 'PROCEDURE' Audit Option Is Enabled (Scored)

Description:

Inthisstatementaudit,PROCEDUREmeansanyprocedure,function,packageorlibrary.Enablingthisauditoptioncausesanyattempt,successfulornot,tocreateordropanyofthesetypesofobjectstobeaudited,regardlessofprivilegeorlackthereof.Javaschemaobjects(sources,classes,andresources)areconsideredthesameasproceduresforthepurposesofauditingSQLstatements.

Rationale:

Anyunauthorizedattemptstocreateordropaprocedureinanother'sschemashouldcauseconcern,whethersuccessfulornot.Changestocriticalstoredcodecandramaticallychangethebehavioroftheapplicationandproduceserioussecurityconsequences,includingenablingprivilegeescalationandintroducingSQLinjectionvulnerabilities.Auditrecordsofsuchchangescanbehelpfulinforensics.

Audit:

SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='PROCEDURE' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';

Remediation:

AUDIT PROCEDURE;"

Notes:

Notallauditingoptionsworkalike.Inparticular,thestatementauditingoptionaudit PROCEDUREdoesindeedauditcreateanddroplibraryaswellasalltypesofproceduresand

223|P a g e

javaschemaobjects.However,privilegeauditsdonotworkthisway.So,forexample,noneofaudit CREATE ANY PROCEDURE,audit DROP ANY PROCEDURE,oraudit CREATE PROCEDUREwillauditcreateordroplibraryactivities.Instatementauditing,PROCEDUREhasalargerscopethaninprivilegeauditing,whereitisspecifictofunctions,packagesandprocedures,butexcludeslibrariesandperhapsotherobjecttypes.

Audit PROCEDUREdoesnotauditalteringprocedures,eitherinyourownschemaorinanotherviatheALTER ANY PROCEDUREsystemprivilege.ThereseemstobenostatementauditthatisabetterreplacementforAudit ALTER ANY PROCEDURE,butbewarethatwillnotcreateanyauditrecordsforusersthatdonothavetheprivilege.Thus,attemptstoalterproceduresinone'sownschemaareneveraudited,andattemptstoalterproceduresinanother'sschemathatfailforlackoftheALTER ANY PROCEDUREprivilegearenotaudited.ThisissimplyaweaknessinthecurrentstateofOracleauditing.Fortunately,though,allthattheALTERcommandcanbeusedforregardingprocedures,functions,packagesandlibrariesiscompileoptions,sotheinabilitytocomprehensivelyauditalterprocedureactivitiesandrequestsisnotasbadasitwouldbeforotherobjecttypes(USER,PROFILE,etc.)

CISControls:

Version6

224|P a g e

5.1.16 Ensure the 'ALTER SYSTEM' Audit Option Is Enabled (Scored)

Description:

ALTER SYSTEMallowsonetochangeinstancesettings,includingsecuritysettingsandauditingoptions.Additionally,ALTER SYSTEMcanbeusedtorunoperatingsystemcommandsusingundocumentedOraclefunctionality.EnablingtheauditoptionwillauditallattemptstoperformALTER SYSTEM,whethersuccessfulornotandregardlessofwhetherornottheALTER SYSTEMprivilegeisheldbytheuserattemptingtheaction.

Rationale:

Anyunauthorizedattempttoalterthesystemshouldbecauseforconcern.Alterationsoutsideofsomespecifiedmaintenancewindowmaybeofconcern.Inforensics,theseauditrecordscouldbequiteuseful.

Audit:

SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='ALTER SYSTEM' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';

Remediation:

AUDIT ALTER SYSTEM;

CISControls:

Version6

225|P a g e

226|P a g e

5.1.17 Ensure the 'TRIGGER' Audit Option Is Enabled (Scored)

Description:

ATRIGGERmaybeusedtomodifyDMLactionsorinvokeother(recursive)actionswhensometypesofuser-initiatedactionsoccur.Enablingthisauditoptionwillcauseauditingofanyattempt,successfulornot,tocreate,drop,enableordisableanyschematriggerinanyschemaregardlessofprivilegeorlackthereof.Forenablinganddisablingatrigger,itcoversbothALTER TRIGGERandALTER TABLE.

Rationale:

Triggersareoftenpartofschemasecurity,datavalidationandothercriticalconstraintsuponactionsanddata.Atriggerinanotherschemamaybeusedtoescalateprivileges,redirectoperations,transformdataandperformothersortsofperhapsundesiredactions.Anyunauthorizedattempttocreate,droporalteratriggerinanotherschemamaybecauseforinvestigation.

Audit:

SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='TRIGGER' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';

Remediation:

AUDIT TRIGGER;

Notes:

ThereisnocurrentCISrecommendationtoaudittheuseofthesystemprivilegeCREATE TRIGGER,asthereisforCREATE SYNONYM,CREATE PROCEDUREandsomeothertypesof

227|P a g e

objects,sothisisactuallyascopeescalationalso-toauditsuchactionsinone'sownschema.However,thisistheonlywaytocomprehensivelyauditthingslikeattemptstocreate,droporaltertriggersinanother'sschemaiftheuserattemptingtooperationdoesnotholdtherequiredANYprivilege-andtheseareexactlythesortsofthingsthatshouldraisealargeredflag.

Thestatementauditingoptionaudit TRIGGERauditsalmosteverythingthatthethreeprivilegeauditsaudit CREATE ANY TRIGGER,audit ALTER ANY TRIGGERandaudit DROP ANY TRIGGERdo,butalsoaudits:

1. Statementstocreate,drop,enableordisableatriggerintheuser'sownschema.2. AttemptstocreateatriggerbyauserwithouttheCREATE TRIGGERsystemprivilege.3. AttemptstocreateatriggerinanotherschemabyuserswithouttheCREATE ANY

TRIGGERprivilege.4. AttemptstodropatriggerinanotherschemabyuserswithouttheDROP ANY

TRIGGERprivilege.5. Attemptstodisableorenableatriggerinanotherschemabyuserswithoutthe

ALTER ANY TRIGGERprivilege.

TheonethingisauditedbyanyofthethreeprivilegeauditsthatisnotauditedbythisisALTER TRIGGER ...COMPILEifthetriggerisinanother'sschema,whichisauditedbyaudit ALTER ANY TRIGGER,butonlyiftheuserattemptingthealterationactuallyholdstheALTER ANY TRIGGERsystemprivilege.Audit TRIGGERonlyauditsALTER TABLEorALTER TRIGGERstatementsusedtoenableordisabletriggers.ItdoesnotauditALTER TRIGGERorALTER TABLEstatementsusedonlywithcompileoptions.

CISControls:

Version6

228|P a g e

5.1.18 Ensure the 'CREATE SESSION' Audit Option Is Enabled (Scored)

Description:

Enablingthisauditoptionwillcauseauditingofallattemptstoconnecttothedatabase,whethersuccessfulornot,aswellasauditsessiondisconnects/logoffs.ThecommandstoauditSESSION,CONNECTorCREATE SESSIONallaccomplishthesamething-theyinitiatestatementauditingoftheconnectstatementusedtocreateadatabasesession.

Rationale:

Auditingattemptstoconnecttothedatabaseisbasicandmandatedbymostsecurityinitiatives.Anyattempttologontoalockedaccount,failedattemptstologontodefaultaccountsoranunusuallyhighnumberoffailedlogonattemptsofanysort,foranyuser,inaparticulartimeperiodmayindicateanintrusionattempt.Inforensics,thelogonrecordmaybefirstinachainofevidenceandcontaininformationfoundinnoothertypeofauditrecordforthesession.Logonandlogoffintheaudittraildefinetheperiodanddurationofthesession.

Audit:

SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='CREATE SESSION' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';

Remediation:

AUDIT SESSION;

229|P a g e

Notes:

Althoughlistedinthedocumentationasaprivilegeaudit,audit CREATE SESSIONactuallyauditstheCONNECTstatement.Thisisevidencedbytheundocumentedaudit CONNECTwhichhasthesameresultasaudit SESSIONoraudit CREATE SESSION.ThereisnosystemprivilegenamedeitherSESSIONorCONNECT(CONNECTisarole,notasystemprivilege).Also,itbehavesasstatementauditingratherthanprivilegeauditinginthatitauditsallattemptstocreateasession,eveniftheuserdoesnotholdtheCREATE SESSIONsystemprivilege.

CISControls:

Version6

230|P a g e

5.2 Unified Auditing

Therecommendationsinthissectionshouldbefollowedifunifiedauditingisimplemented.

5.2.1 Ensure the 'CREATE USER' Action Audit Is Enabled (Scored)

Description:

TheCREATE USERstatementisusedtocreateOracledatabaseaccountsandassigndatabasepropertiestothem.EnablingthisunifiedactionauditcausesloggingofallCREATE USERstatements,whethersuccessfulorunsuccessful,issuedbytheusersregardlessoftheprivilegesheldbytheuserstoissuesuchstatements.

Rationale:

Loggingandmonitoringofallattemptstocreateuseraccounts,whethersuccessfulorunsuccessful,mayprovidecluesandforensicevidencesaboutpotentialsuspicious/unauthorizedactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofallactivitiesinvolvingCREATE USER.

Audit:

SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'CREATE USER' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';

231|P a g e

Remediation:

ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS CREATE USER;

Note:IfyoudonothaveCIS_UNIFIED_AUDIT_POLICY,pleasecreateoneusingtheCREATE AUDIT POLICYstatement.

CISControls:

Version6

232|P a g e

5.2.2 Ensure the 'ALTER USER' Action Audit Is Enabled (Scored)

Description:

TheALTER USERstatementisusedtochangedatabaseusers’password,lockaccounts,andexpirepasswords.Inaddition,thisstatementisusedtochangedatabasepropertiesofuseraccountssuchasdatabaseprofiles,defaultandtemporarytablespaces,andtablespacequotas.ThisunifiedauditactionenablesloggingofallALTER USERstatements,whethersuccessfulorunsuccessful,issuedbytheusersregardlessoftheprivilegesheldbytheuserstoissuesuchstatements.

Rationale:

Loggingandmonitoringofallattemptstoalteruseraccounts,whethersuccessfulorunsuccessful,mayprovidecluesandforensicevidencesaboutpotentialsuspicious/unauthorizedactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofallactivitiesinvolvingALTER USER.

Audit:

SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'ALTER USER' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';

Remediation:

ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS ALTER USER;

233|P a g e

CISControls:

Version6

234|P a g e

5.2.3 Ensue the 'DROP USER' Audit Option Is Enabled (Scored)

Description:

TheDROP USERstatementisusedtodropOracledatabaseaccountsandschemasassociatedwiththem.EnablingthisunifiedactionauditenablesloggingofallDROP USERstatements,whethersuccessfulorunsuccessful,issuedbytheusersregardlessoftheprivilegesheldbytheuserstoissuesuchstatements.

Rationale:

Loggingandmonitoringofallattemptstodropuser,whethersuccessfulorunsuccessful,mayprovidecluesandforensicevidenceaboutpotentialsuspicious/unauthorizedactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofallactivitiesinvolvingDROP USER.

Audit:

SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'DROP USER' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';

Remediation:

ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS DROP USER;

235|P a g e

CISControls:

Version6

236|P a g e

5.2.4 Ensure the 'CREATE ROLE’ Action Audit Is Enabled (Scored)

Description:

AnOracledatabaseroleisacollectionorsetofprivilegesthatcanbegrantedtousersorotherroles.Rolesmayincludesystemprivileges,objectprivilegesorotherroles.EnablingthisunifiedauditactionenablesloggingofallCREATE ROLEstatements,whethersuccessfulorunsuccessful,issuedbytheusersregardlessoftheprivilegesheldbytheuserstoissuesuchstatements.

Rationale:

Loggingandmonitoringofallattemptstocreateroles,whethersuccessfulorunsuccessful,mayprovidecluesandforensicevidenceaboutpotentialsuspicious/unauthorizedactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofalluseractivitiesinvolvingCREATE ROLE.

Audit:

SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'CREATE ROLE' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';

Remediation:

ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS CREATE ROLE;

237|P a g e

CISControls:

Version6

238|P a g e

5.2.5 Ensure the 'ALTER ROLE’ Action Audit Is Enabled (Scored)

Description:

AnOracledatabaseroleisacollectionorsetofprivilegesthatcanbegrantedtousersorotherroles.Rolesmayincludesystemprivileges,objectprivilegesorotherroles.TheALTER ROLEstatementisusedtochangetheauthorizationneededtoenablearole.EnablingthisunifiedactionauditcausesloggingofallALTER ROLEstatements,whethersuccessfulorunsuccessful,issuedbytheusersregardlessoftheprivilegesheldbytheuserstoissuesuchstatements.

Rationale:

Loggingandmonitoringofallattemptstoalterroles,whethersuccessfulorunsuccessful,mayprovidecluesandforensicevidenceaboutpotentialsuspicious/unauthorizedactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofalluseractivitiesinvolvingalterationofroles.

Audit:

SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'ALTER ROLE' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';

Remediation:

ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS ALTER ROLE;

239|P a g e

CISControls:

Version6

240|P a g e

5.2.6 Ensure the 'DROP ROLE’ Action Audit Is Enabled (Scored)

Description:

AnOracledatabaseroleisacollectionorsetofprivilegesthatcanbegrantedtousersorotherroles.Rolesmayincludesystemprivileges,objectprivilegesorotherroles.EnablingthisunifiedauditactionenablesloggingofallDROP ROLEstatements,successfulorunsuccessful,issuedbytheusersregardlessoftheprivilegesheldbytheuserstoissuesuchstatements.

Rationale:

Loggingandmonitoringofallattemptstodroproles,whethersuccessfulorunsuccessful,mayprovidecluesandforensicevidenceaboutpotentialsuspicious/unauthorizedactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofalluseractivitiesinvolvingDROP ROLE.

Audit:

SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'DROP ROLE' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';

Remediation:

ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS DROP ROLE;

241|P a g e

CISControls:

Version6

242|P a g e

5.2.7 Ensure the 'GRANT' Action Audit Is Enabled (Scored)

Description:

GRANTstatementsareusedtograntprivilegestoOracledatabaseusersandroles,includingthemostpowerfulprivilegesandrolestypicallyavailabletothedatabaseadministrators.EnablingthisunifiedactionauditenablesloggingofallGRANTstatements,whethersuccessfulorunsuccessful,issuedbytheusersregardlessoftheprivilegesheldbytheuserstoissuesuchstatements.

Rationale:

Withunauthorizedgrantsandpermissions,amalicioususermaybeabletochangethesecurityofthedatabase,access/updateconfidentialdata,orcompromisetheintegrityofthedatabase.Loggingandmonitoringofallattemptstograntsystemprivileges,objectprivilegesorroles,whethersuccessfulorunsuccessful,mayprovideforensicevidenceaboutpotentialsuspicious/unauthorizedactivitiesaswellasprivilegeescalationactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofalluseractivitiesinvolvingGRANT.

Audit:

SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'GRANT' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';

Remediation:

243|P a g e

ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS GRANT;

CISControls:

Version6

244|P a g e

5.2.8 Ensure the 'REVOKE' Action Audit Is Enabled (Scored)

Description:

REVOKEstatementsareusedtorevokeprivilegesfromOracledatabaseusersandroles.EnablingthisunifiedactionauditenablesloggingofallREVOKEstatements,successfulorunsuccessful,issuedbytheusersregardlessoftheprivilegesheldbytheuserstoissuesuchstatements.

Rationale:

Loggingandmonitoringofallattemptstorevokesystemprivileges,objectprivilegesorroles,whethersuccessfulorunsuccessful,mayprovidecluesandforensicevidenceaboutpotentialsuspicious/unauthorizedactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofalluseractivitiesinvolvingREVOKE.

Audit:

SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'REVOKE' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';

Remediation:

ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS REVOKE;

245|P a g e

CISControls:

Version6

246|P a g e

5.2.9 Ensure the 'CREATE PROFILE’ Action Audit Is Enabled (Scored)

Description:

Oracledatabaseprofilesareusedtoenforceresourceusagelimitsandimplementpasswordpoliciessuchaspasswordcomplexityrulesandreuserestrictions.EnablingthisunifiedactionauditenablesloggingofallCREATE PROFILEstatements,whethersuccessfulorunsuccessful,issuedbytheusersregardlessoftheprivilegesheldbytheuserstoissuesuchstatements.

Rationale:

Loggingandmonitoringofallattemptstocreateprofiles,whethersuccessfulorunsuccessful,mayprovidecluesandforensicevidenceaboutpotentialsuspicious/unauthorizedactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofalluseractivitiesinvolvingcreationofdatabaseprofiles.

Audit:

SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'CREATE PROFILE' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';

Remediation:

ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS CREATE PROFILE;

247|P a g e

CISControls:

Version6

248|P a g e

5.2.10 Ensure the 'ALTER PROFILE’ Action Audit Is Enabled (Scored)

Description:

Oracledatabaseprofilesareusedtoenforceresourceusagelimitsandimplementpasswordpoliciessuchaspasswordcomplexityrulesandreuserestrictions.EnablingthisunifiedactionauditenablesloggingofallALTER PROFILEstatements,whethersuccessfulorunsuccessful,issuedbytheusersregardlessoftheprivilegesheldbytheuserstoissuesuchstatements.

Rationale:

Loggingandmonitoringofallattemptstoalterprofiles,whethersuccessfulorunsuccessful,mayprovideforensicevidenceaboutpotentialsuspicious/unauthorizedactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofalluseractivitiesinvolvingalterationofdatabaseprofiles.

Audit:

SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'ALTER PROFILE' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';

Remediation:

ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS ALTER PROFILE;

249|P a g e

CISControls:

Version6

250|P a g e

5.2.11 Ensure the 'DROP PROFILE’ Action Audit Is Enabled (Scored)

Description:

Oracledatabaseprofilesareusedtoenforceresourceusagelimitsandimplementpasswordpoliciessuchaspasswordcomplexityrulesandreuserestrictions.EnablingthisunifiedactionauditenablesloggingofallDROP PROFILEstatements,whethersuccessfulorunsuccessful,issuedbytheusersregardlessoftheprivilegesheldbytheuserstoissuesuchstatements.

Rationale:

Loggingandmonitoringofallattemptstodropprofiles,whethersuccessfulorunsuccessful,mayprovidecluesandforensicevidenceaboutpotentialsuspicious/unauthorizedactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofalluseractivitiesinvolvingdroppingdatabaseprofiles.

Audit:

SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'DROP PROFILE' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';

Remediation:

ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS DROP PROFILE;

251|P a g e

CISControls:

Version6

252|P a g e

5.2.12 Ensure the 'CREATE DATABASE LINK’ Action Audit Is Enabled (Scored)

Description:

Oracledatabaselinksareusedtoestablishdatabase-to-databaseconnectionstootherdatabases.Theseconnectionsareavailablewithoutfurtherauthenticationoncethelinkisestablished.EnablingthisunifiedactionauditcausesloggingofallCREATE DATABASEandCREATE PUBLIC DATABASEstatements,whethersuccessfulorunsuccessful,issuedbytheusersregardlessoftheprivilegesheldbytheuserstoissuesuchstatements.

Rationale:

Loggingandmonitoringofallattemptstocreatedatabaselinks,whethersuccessfulorunsuccessful,mayprovideforensicevidenceaboutpotentialsuspicious/unauthorizedactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofalluseractivitiesinvolvingcreationofdatabaselinks.

Audit:

SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'CREATE DATABASE LINK' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';

253|P a g e

Remediation:

ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS CREATE DATABASE LINK;

CISControls:

Version6

254|P a g e

5.2.13 Ensure the 'ALTER DATABASE LINK’ Action Audit Is Enabled (Scored)

Description:

Oracledatabaselinksareusedtoestablishdatabase-to-databaseconnectionstootherdatabases.Theseconnectionsarealwaysavailablewithoutfurtherauthenticationoncethelinkisestablished.EnablingthisunifiedactionauditcausesloggingofallALTER DATABASEandALTER PUBLIC DATABASEstatements,whethersuccessfulorunsuccessful,issuedbytheusersregardlessoftheprivilegesheldbytheuserstoissuesuchstatements.

Rationale:

Loggingandmonitoringofallattemptstoalterdatabaselinks,whethersuccessfulorunsuccessful,mayprovideforensicevidenceaboutpotentialsuspicious/unauthorizedactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofalluseractivitiesinvolvingalterationofdatabaselinks.

Audit:

SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'ALTER DATABASE LINK' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';

255|P a g e

Remediation:

ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS ALTER DATABASE LINK;

CISControls:

Version6

256|P a g e

5.2.14 Ensure the 'DROP DATABASE LINK’ Action Audit Is Enabled (Scored)

Description:

Oracledatabaselinksareusedtoestablishdatabase-to-databaseconnectionstootherdatabases.Theseconnectionsarealwaysavailablewithoutfurtherauthenticationoncethelinkisestablished.EnablingthisunifiedactionauditcausesloggingofallDROP DATABASEandDROP PUBLIC DATABASE,whethersuccessfulorunsuccessful,statementsissuedbytheusersregardlessoftheprivilegesheldbytheuserstoissuesuchstatements.

Rationale:

Loggingandmonitoringofallattemptstodropdatabaselinks,whethersuccessfulorunsuccessful,mayprovideforensicevidenceaboutpotentialsuspicious/unauthorizedactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofalluseractivitiesinvolvingdroppingdatabaselinks.

Audit:

SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'DROP DATABASE LINK' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';

257|P a g e

Remediation:

ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS DROP DATABASE LINK;

CISControls:

Version6

258|P a g e

5.2.15 Ensure the 'CREATE SYNONYM’ Action Audit Is Enabled (Scored)

Description:

AnOracledatabasesynonymisusedtocreateanalternativenameforadatabaseobjectsuchastable,view,procedure,javaobjectorevenanothersynonym,etc.EnablingthisunifiedactionauditcausesloggingofallCREATE SYNONYMandCREATE PUBLIC SYNONYMstatements,whethersuccessfulorunsuccessful,issuedbytheusersregardlessoftheprivilegesheldbytheuserstoissuesuchstatements.

Rationale:

Loggingandmonitoringofallattemptstocreatesynonyms,whethersuccessfulorunsuccessful,mayprovidecluesandforensicevidenceaboutpotentialsuspicious/unauthorizedactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofalluseractivitiesinvolvingcreationofsynonymsorpublicsynonyms.

Audit:

SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'CREATE SYNONYM' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';

Remediation:

ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS CREATE SYNONYM;

259|P a g e

CISControls:

Version6

260|P a g e

5.2.16 Ensure the 'ALTER SYNONYM’ Action Audit Is Enabled (Scored)

Description:

AnOracledatabasesynonymisusedtocreateanalternativenameforadatabaseobjectsuchastable,view,procedure,orjavaobject,orevenanothersynonym.EnablingthisunifiedactionauditcausesloggingofallALTER SYNONYMandALTER PUBLIC SYNONYMstatements,whethersuccessfulorunsuccessful,issuedbytheusersregardlessoftheprivilegesheldbytheuserstoissuesuchstatements.

Rationale:

Loggingandmonitoringofallattemptstoaltersynonyms,whethersuccessfulorunsuccessful,mayprovidecluesandforensicevidenceaboutpotentialsuspicious/unauthorizedactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofalluseractivitiesinvolvingalterationofsynonymsorpublicsynonyms.

Audit:

SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'ALTER SYNONYM' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';

Remediation:

ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS ALTER SYNONYM;

261|P a g e

CISControls:

Version6

262|P a g e

5.2.17 Ensure the 'DROP SYNONYM’ Action Audit Is Enabled (Scored)

Description:

AnOracledatabasesynonymisusedtocreateanalternativenameforadatabaseobjectsuchastable,view,procedure,orjavaobject,orevenanothersynonym.EnablinghisunifiedactionauditcausesloggingofallDROP SYNONYMandDROP PUBLIC SYNONYMstatements,whethersuccessfulorunsuccessful,issuedbytheusersregardlessoftheprivilegesheldbytheuserstoissuesuchstatements.

Rationale:

Loggingandmonitoringofallattemptstodropsynonyms,whethersuccessfulorunsuccessful,mayprovideforensicevidenceaboutpotentialsuspicious/unauthorizedactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofalluseractivitiesinvolvingdroppingofsynonymsorpublicsynonyms.

Audit:

SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'DROP SYNONYM' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';

Remediation:

ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS DROP SYNONYM;

263|P a g e

CISControls:

Version6

264|P a g e

5.2.18 Ensure the 'SELECT ANY DICTIONARY’ Privilege Audit Is Enabled (Scored)

Description:

TheSELECT ANY DICTIONARYsystemprivilegeallowstheusertoviewthedefinitionofallschemaobjectsinthedatabase.ItgrantsSELECTprivilegesonthedatadictionaryobjectstothegrantees,includingSELECTonDBA_views,V$views,X$viewsandunderlyingSYStablessuchasTAB$andOBJ$.Thisprivilegealsoallowsgranteestocreatestoredobjectssuchasprocedures,packagesandviewsontheunderlyingdatadictionaryobjects.PleasenotethatthisprivilegedoesnotgrantSELECTontableswithpasswordhashessuchasUSER$,DEFAULT_PWD$,LINK$,andUSER_HISTORY$.Enablingthisauditcausesloggingofactivitiesthatexercisethisprivilege.

Rationale:

Loggingandmonitoringofallattemptstoaccessadatadictionary,whethersuccessfulorunsuccessful,mayprovidecluesandforensicevidenceaboutpotentialsuspicious/unauthorizedactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofalluseractivitiesinvolvingaccesstothedatabase.

Audit:

SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'SELECT ANY DICTIONARY' AND AUD.AUDIT_OPTION_TYPE = 'SYSTEM PRIVILEGE' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';

265|P a g e

Remediation:

ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD PRIVILEGES SELECT ANY DICTIONARY;

CISControls:

Version6

266|P a g e

5.2.19 Ensure the 'UNIFIED_AUDIT_TRAIL’ Access Audit Is Enabled (Scored)

Description:

TheUNIFIED_AUDIT_TRAILviewholdsaudittrailrecordsgeneratedbythedatabase.EnablingthisauditactioncausesloggingofallaccessattemptstotheUNIFIED_AUDIT_TRAILview,whethersuccessfulorunsuccessful,regardlessoftheprivilegesheldbytheuserstoissuesuchstatements.

Rationale:

LoggingandmonitoringofallattemptstoaccesstheUNIFIED_AUDIT_TRAILview,whethersuccessfulorunsuccessful,mayprovidecluesandforensicevidenceaboutpotentialsuspicious/unauthorizedactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofalluseractivitiesinvolvingaccesstothisview.

Audit:

SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'ALL' AND AUD.AUDIT_OPTION_TYPE = 'OBJECT ACTION' AND AUD.OBJECT_SCHEMA = 'SYS' AND AUD.OBJECT_NAME = 'UNIFIED_AUDIT_TRAIL' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';

267|P a g e

Remediation:

ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS ALL on SYS.UNIFIED_AUDIT_TRAIL;

CISControls:

Version6

268|P a g e

5.2.20 Ensure the 'CREATE PROCEDURE/FUNCTION/PACKAGE/PACKAGE BODY’ Action Audit Is Enabled (Scored)

Description:

Oracledatabaseprocedures,function,packages,andpackagebodies,whicharestoredwithinthedatabase,arecreatedtoperformbusinessfunctionsandaccessdatabaseasdefinedbyPL/SQLcodeandSQLstatementscontainedwithintheseobjects.EnablingthisunifiedactionauditcausesloggingofallCREATE PROCEDURE,CREATE FUNCTION,CREATE PACKAGEandCREATE PACKAGE BODYstatements,successfulorunsuccessful,statementsissuedbytheusersregardlessoftheprivilegesheldbytheuserstoissuesuchstatements.

Rationale:

Loggingandmonitoringofallattemptstocreateprocedures,functions,packagesorpackagebodies,whethersuccessfulorunsuccessful,mayprovidecluesandforensicevidenceaboutpotentialsuspicious/unauthorizedactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofalluseractivitiesinvolvingcreationofprocedures,functions,packagesorpackagebodies.

Audit:

SELECT * FROM AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS' AND EXISTS ( SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'CREATE PROCEDURE' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION') AND EXISTS ( SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'CREATE FUNCTION' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION') AND EXISTS ( SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD

269|P a g e

WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'CREATE PACKAGE' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION') AND EXISTS ( SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'CREATE PACKAGE BODY' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION');

Remediation:

ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS CREATE PROCEDURE, CREATE FUNCTION, CREATE PACKAGE, CREATE PACKAGE BODY;

CISControls:

Version6

270|P a g e

5.2.21 Ensure the 'ALTER PROCEDURE/FUNCTION/PACKAGE/PACKAGE BODY’ Action Audit Is Enabled (Scored)

Description:

Oracledatabaseprocedures,functions,packages,andpackagebodies,whicharestoredwithinthedatabase,arecreatedtocarryoutbusinessfunctionsandaccessdatabaseasdefinedbyPL/SQLcodeandSQLstatementscontainedwithintheseobjects.EnablingthisunifiedactionauditcausesloggingofallALTER PROCEDURE,ALTER FUNCTION,ALTER PACKAGEandALTER PACKAGE BODYstatements,successfulorunsuccessful,issuedbytheusersregardlessoftheprivilegesheldbytheuserstoissuesuchstatements.

Rationale:

Unauthorizedalterationofprocedures,functions,packagesorpackagebodiesmayimpactcriticalbusinessfunctionsorcompromiseintegrityofthedatabase.Loggingandmonitoringofallattempts,whethersuccessfulorunsuccessful,toalterprocedures,functions,packagesorpackagebodiesmayprovidecluesandforensicevidenceaboutpotentialsuspicious/unauthorizedactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofalluseractivitiesinvolvingalterationofprocedures,functions,packagesorpackagebodies.

Audit:

SELECT * FROM AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS' AND EXISTS ( SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'ALTER PROCEDURE' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION') AND EXISTS ( SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'ALTER FUNCTION'

271|P a g e

AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION') AND EXISTS ( SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'ALTER PACKAGE' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION') AND EXISTS ( SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'ALTER PACKAGE BODY' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION');

Remediation:

ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS ALTER PROCEDURE, ALTER FUNCTION, ALTER PACKAGE, ALTER PACKAGE BODY;

CISControls:

Version6

272|P a g e

5.2.22 Ensure the 'DROP PROCEDURE/FUNCTION/PACKAGE/PACKAGE BODY’ Action Audit Is Enabled (Scored)

Description:

Oracledatabaseprocedures,functions,packages,andpackagebodies,whicharestoredwithinthedatabase,arecreatedtocarryoutbusinessfunctionsandaccessdatabaseasdefinedbyPL/SQLcodeandSQLstatementscontainedwithintheseobjects.EnablingthisunifiedactionauditcausesloggingofallDROP PROCEDURE,DROP FUNCTION,DROP PACKAGEorDROP PACKAGE BODYstatements,successfulorunsuccessful,issuedbytheusersregardlessoftheprivilegesheldbytheuserstoissuesuchstatements.

Rationale:

Loggingandmonitoringofallattempts,whethersuccessfulorunsuccessful,todropprocedures,functions,packagesorpackagebodiesmayprovideforensicevidenceaboutpotentialsuspicious/unauthorizedactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofalluseractivitiesinvolvingdroppingprocedures,functions,packagesorpackagebodies.

Audit:

SELECT * FROM AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS' AND EXISTS ( SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'DROP PROCEDURE' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION') AND EXISTS ( SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'DROP FUNCTION' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION') AND EXISTS ( SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD

273|P a g e

WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'DROP PACKAGE' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION') AND EXISTS ( SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'DROP PACKAGE BODY' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION');

Remediation:

ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS DROP PROCEDURE, DROP FUNCTION, DROP PACKAGE, DROP PACKAGE BODY;

CISControls:

Version6

274|P a g e

5.2.23 Ensure the 'ALTER SYSTEM’ Privilege Audit Is Enabled (Scored)

Description:

TheALTER SYSTEMprivilegeallowstheusertochangeinstancesettingswhichcouldimpactsecurityposture,performanceornormaloperationofthedatabase.Additionally,theALTER SYSTEMprivilegemaybeusedtorunoperatingsystemcommandsusingundocumentedOraclefunctionality.Enablingthisunifiedauditcausesloggingofactivitiesthatinvolveexerciseofthisprivilege,whethersuccessfulorunsuccessful,issuedbytheusersregardlessoftheprivilegesheldbytheuserstoissuesuchstatements.

Rationale:

LoggingandmonitoringofallattemptstoexecuteALTER SYSTEMstatements,whethersuccessfulorunsuccessful,mayprovideforensicevidenceaboutpotentialsuspicious/unauthorizedactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofalluseractivitiesthatinvolveALTER SYSTEMstatements.

Audit:

SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'ALTER SYSTEM' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';

Remediation:

ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS ALTER SYSTEM;

275|P a g e

CISControls:

Version6

276|P a g e

5.2.24 Ensure the 'CREATE TRIGGER’ Action Audit Is Enabled (Scored)

Description:

Oracledatabasetriggersareexecutedautomaticallywhenspecifiedconditionsontheunderlyingobjectsoccur.Triggerbodiescontainthecode,quiteoftentoperformdatavalidation,ensuredataintegrity/securityorenforcecriticalconstraintsonallowableactionsondata.EnablingthisunifiedauditcausesloggingofallCREATE TRIGGERstatements,whethersuccessfulorunsuccessful,issuedbytheusersregardlessoftheprivilegesheldbytheuserstoissuesuchstatements.

Rationale:

Loggingandmonitoringofallattemptstocreatetriggers,whethersuccessfulorunsuccessful,mayprovidecluesandforensicevidenceaboutpotentialsuspicious/unauthorizedactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofalluseractivitiesinvolvingcreationoftriggers.

Audit:

SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'CREATE TRIGGER' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';

Remediation:

ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS CREATE TRIGGER;

277|P a g e

CISControls:

Version6

278|P a g e

5.2.25 Ensure the 'ALTER TRIGGER’ Action Audit IS Enabled (Scored)

Description:

Oracledatabasetriggersareexecutedautomaticallywhenspecifiedconditionsontheunderlyingobjectsoccur.Triggerbodiescontainthecode,quiteoftentoperformdatavalidation,ensuredataintegrity/securityorenforcecriticalconstraintsonallowableactionsondata.EnablingthisunifiedauditcausesloggingofallALTER TRIGGERstatements,whethersuccessfulorunsuccessful,issuedbytheusersregardlessoftheprivilegesheldbytheuserstoissuesuchstatements.

Rationale:

Unauthorizedalterationoftriggersmayimpactcriticalbusinessfunctionsorcompromiseintegrity/securityofthedatabase.Loggingandmonitoringofallattemptstoaltertriggers,whethersuccessfulorunsuccessful,mayprovidecluesandforensicevidenceaboutpotentialsuspicious/unauthorizedactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofalluseractivitiesinvolvingalterationoftriggers.

Audit:

SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'ALTER TRIGGER' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';

279|P a g e

Remediation:

ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS ALTER TRIGGER;

CISControls:

Version6

280|P a g e

5.2.26 Ensure the 'DROP TRIGGER’ Action Audit Is Enabled (Scored)

Description:

Oracledatabasetriggersareexecutedautomaticallywhenspecifiedconditionsontheunderlyingobjectsoccur.Triggerbodiescontainthecode,quiteoftentoperformdatavalidation,ensuredataintegrity/securityorenforcecriticalconstraintsonallowableactionsondata.EnablingthisunifiedauditcausesloggingofallDROP TRIGGERstatements,whethersuccessfulorunsuccessful,issuedbytheusersregardlessoftheprivilegesheldbytheuserstoissuesuchstatements.

Rationale:

Loggingandmonitoringofallattemptstodroptriggers,whethersuccessfulorunsuccessful,mayprovideforensicevidenceaboutpotentialsuspicious/unauthorizedactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofalluseractivitiesinvolvingdroppingtriggers.

Audit:

SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'DROP TRIGGER' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';

Remediation:

ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS DROP TRIGGER;

281|P a g e

CISControls:

Version6

282|P a g e

5.2.27 Ensure the 'LOGON’ AND ‘LOGOFF’ Actions Audit Is Enabled (Scored)

Description:

Oracledatabaseuserslogontothedatabasetoperformtheirwork.EnablingthisunifiedauditcausesloggingofallLOGONactions,whethersuccessfulorunsuccessful,issuedbytheusersregardlessoftheprivilegesheldbytheuserstologintothedatabase.Inaddition,LOGOFFactionauditcaptureslogoffactivities.Thisauditactionalsocaptureslogon/logofftotheopendatabasebySYSDBAandSYSOPER.

Rationale:

Loggingandmonitoringofallattemptstologontothedatabase,whethersuccessfulorunsuccessful,mayprovideforensicevidenceaboutpotentialsuspicious/unauthorizedactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofalluseractivitiesinvolvingLOGONandLOGOFF.

Audit:

SELECT * FROM AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS' AND EXISTS ( SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'LOGON' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION') AND EXISTS ( SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'LOGOFF' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION');

283|P a g e

Remediation:

ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS LOGON, LOGOFF;

CISControls:

Version6

284|P a g e

6 Appendix: Establishing an Audit/Scan User

Thisdocumenthasbeenauthoredwiththeexpectationthatauserwithappropriatepermissionswillbeusedtoexecutethequeriesandperformotherassessmentactions.WhilethiscouldbeaccomplishedbygrantingDBAprivilegestoagivenuser,thepreferredapproachistocreateadedicateduserandgrantonlythespecificpermissionsrequiredtoperformtheassessmentsexpressedherein.DoingthisavoidsthenecessityforanyuserassessingthesystemtobegrantedDBAprivileges.

TherecommendationsexpressedinthisdocumentassumethepresenceofarolenamedCISSCANROLEandausernamedCISSCAN.ThisroleandusershouldbecreatedbyexecutingthefollowingSQLstatements,beingcarefultosubstituteanappropriatepasswordfor<password>.

-- Create the role CREATE ROLE CISSCANROLE; -- Grant necessary privileges to the role GRANT CREATE SESSION TO CISSCANROLE; GRANT SELECT ON V_$PARAMETER TO CISSCANROLE; GRANT SELECT ON DBA_TAB_PRIVS TO CISSCANROLE; GRANT SELECT ON DBA_PROFILES TO CISSCANROLE; GRANT SELECT ON DBA_SYS_PRIVS TO CISSCANROLE; GRANT SELECT ON DBA_STMT_AUDIT_OPTS TO CISSCANROLE; GRANT SELECT ON DBA_ROLE_PRIVS TO CISSCANROLE; GRANT SELECT ON DBA_OBJ_AUDIT_OPTS TO CISSCANROLE; GRANT SELECT ON DBA_PRIV_AUDIT_OPTS TO CISSCANROLE; GRANT SELECT ON DBA_PROXIES TO CISSCANROLE; GRANT SELECT ON DBA_USERS TO CISSCANROLE; GRANT SELECT ON DBA_USERS_WITH_DEFPWD TO CISSCANROLE; GRANT AUDIT_VIEWER TO CISSCANROLE; -- Create the user and assign the user to the role CREATE USER CISSCAN IDENTIFIED BY <password>; GRANT CISSCANROLE TO CISSCAN;

Ifyourelyonsimilarrolesand/orusers,buttheyarenotnamedCISSCANROLEorCISSCAN,orifyouhaverolesorusersnamedCISSCANROLEorCISSCANintendedtobeusedfordifferentpurposes,beawarethatsomerecommendationshereinexplicitlynameCISSCANROLEandCISSCAN.

Theseare:

• 3.10EnsureNoUsersAreAssignedtheDEFAULTProfile• 4.5.5Ensure'ALL'IsRevokedfromUnauthorizedGRANTEEonDBA_%

Note:Differentorganizationsmaywishtofollowtheinstructionsinthisappendixindifferentways.Formorepermanentorregularassessmentscans,itmaybeacceptabletoretaintheCISSCANROLEandCISSCANuserindefinitely.However,inaconsultativecontextwhereanassessmentisperhapsrunattheoutsetoftheconsultingengagementandagain

285|P a g e

closertotheend,afteranyremediationhasbeenperformed,theCISSCANROLEroleandCISSCANusermaybedropped.Suchadecisionisultimatelyleftuptotheimplementingorganization.

286|P a g e

Appendix:SummaryTableControl Set

CorrectlyYes No

1 OracleDatabaseInstallationandPatchingRequirements1.1 EnsuretheAppropriateVersion/PatchesforOracleSoftware

IsInstalled(NotScored) o o

1.2 EnsureAllDefaultPasswordsAreChanged(Scored) o o1.3 EnsureAllSampleDataAndUsersHaveBeenRemoved

(Scored) o o

2 OracleParameterSettings2.1 ListenerSettings2.1.1 Ensure'SECURE_CONTROL_<listener_name>'IsSetIn

'listener.ora'(Scored) o o

2.1.2 Ensure'extproc'IsNotPresentin'listener.ora'(Scored) o o2.1.3 Ensure'ADMIN_RESTRICTIONS_<listener_name>'IsSetto

'ON'(Scored) o o

2.1.4 Ensure'SECURE_REGISTER_<listener_name>'IsSetto'TCPS'or'IPC'(Scored) o o

2.2 DatabaseSettings2.2.1 Ensure'AUDIT_SYS_OPERATIONS'IsSetto'TRUE'(Scored) o o2.2.2 Ensure'AUDIT_TRAIL'IsSetto'DB','XML','OS',

'DB,EXTENDED',or'XML,EXTENDED'(Scored) o o

2.2.3 Ensure'GLOBAL_NAMES'IsSetto'TRUE'(Scored) o o2.2.4 Ensure'O7_DICTIONARY_ACCESSIBILITY'IsSetto'FALSE'

(Scored) o o

2.2.5 Ensure'OS_ROLES'IsSetto'FALSE'(Scored) o o2.2.6 Ensure'REMOTE_LISTENER'IsEmpty(Scored) o o2.2.7 Ensure'REMOTE_LOGIN_PASSWORDFILE'IsSetto'NONE'

(Scored) o o

2.2.8 Ensure'REMOTE_OS_AUTHENT'IsSetto'FALSE'(Scored) o o2.2.9 Ensure'REMOTE_OS_ROLES'IsSetto'FALSE'(Scored) o o2.2.10 Ensure'UTL_FILE_DIR'IsEmpty(Scored) o o2.2.11 Ensure'SEC_CASE_SENSITIVE_LOGON'IsSetto'TRUE'

(Scored) o o

2.2.12 Ensure'SEC_MAX_FAILED_LOGIN_ATTEMPTS'Is'3'orLess(Scored) o o

2.2.13 Ensure'SEC_PROTOCOL_ERROR_FURTHER_ACTION'IsSetto'DROP,3'(Scored) o o

2.2.14 Ensure'SEC_PROTOCOL_ERROR_TRACE_ACTION'IsSetto'LOG'(Scored) o o

287|P a g e

2.2.15 Ensure'SEC_RETURN_SERVER_RELEASE_BANNER'IsSetto'FALSE'(Scored) o o

2.2.16 Ensure'SQL92_SECURITY'IsSetto'TRUE'(Scored) o o2.2.17 Ensure'_trace_files_public'IsSetto'FALSE'(Scored) o o2.2.18 Ensure'RESOURCE_LIMIT'IsSetto'TRUE'(Scored) o o3 OracleConnectionandLoginRestrictions3.1 Ensure'FAILED_LOGIN_ATTEMPTS'IsLessthanorEqualto

'5'(Scored) o o

3.2 Ensure'PASSWORD_LOCK_TIME'IsGreaterthanorEqualto'1'(Scored) o o

3.3 Ensure'PASSWORD_LIFE_TIME'IsLessthanorEqualto'90'(Scored) o o

3.4 Ensure'PASSWORD_REUSE_MAX'IsGreaterthanorEqualto'20'(Scored) o o

3.5 Ensure'PASSWORD_REUSE_TIME'IsGreaterthanorEqualto'365'(Scored) o o

3.6 Ensure'PASSWORD_GRACE_TIME'IsLessthanorEqualto'5'(Scored) o o

3.7 Ensure'DBA_USERS.PASSWORD'IsNotSetto'EXTERNAL'forAnyUser(Scored) o o

3.8 Ensure'PASSWORD_VERIFY_FUNCTION'IsSetforAllProfiles(Scored) o o

3.9 Ensure'SESSIONS_PER_USER'IsLessthanorEqualto'10'(Scored) o o

3.10 EnsureNoUsersAreAssignedthe'DEFAULT'Profile(Scored) o o4 OracleUserAccessandAuthorizationRestrictions4.1 DefaultPublicPrivilegesforPackagesandObjectTypes4.1.1 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on

'DBMS_ADVISOR'(Scored) o o

4.1.2 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_CRYPTO'(Scored) o o

4.1.3 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_JAVA'(Scored) o o

4.1.4 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_JAVA_TEST'(Scored) o o

4.1.5 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_JOB'(Scored) o o

4.1.6 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_LDAP'(Scored) o o

4.1.7 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_LOB'(Scored) o o

288|P a g e

4.1.8 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_OBFUSCATION_TOOLKIT'(Scored) o o

4.1.9 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_RANDOM'(Scored) o o

4.1.10 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_SCHEDULER'(Scored) o o

4.1.11 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_SQL'(Scored) o o

4.1.12 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_XMLGEN'(Scored) o o

4.1.13 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_XMLQUERY'(Scored) o o

4.1.14 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'UTL_FILE'(Scored) o o

4.1.15 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'UTL_INADDR'(Scored) o o

4.1.16 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'UTL_TCP'(Scored) o o

4.1.17 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'UTL_MAIL'(Scored) o o

4.1.18 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'UTL_SMTP'(Scored) o o

4.1.19 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'UTL_DBWS'(Scored) o o

4.1.20 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'UTL_ORAMTS'(Scored) o o

4.1.21 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'UTL_HTTP'(Scored) o o

4.1.22 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'HTTPURITYPE'(Scored) o o

4.1.23 Ensure'EXECUTE'isrevokedfrom'PUBLIC'on'DBMS_XMLSTORE'(Scored) o o

4.1.24 Ensure'EXECUTE'isrevokedfrom'PUBLIC'on'DBMS_XMLSAVE'(Scored) o o

4.1.25 Ensure'EXECUTE'isrevokedfrom'PUBLIC'on'DBMS_REDACT'(Scored) o o

4.2 RevokeNon-DefaultPrivilegesforPackagesandObjectTypes4.2.1 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on

'DBMS_SYS_SQL'(Scored) o o

4.2.2 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_BACKUP_RESTORE'(Scored) o o

289|P a g e

4.2.3 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_AQADM_SYSCALLS'(Scored) o o

4.2.4 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_REPCAT_SQL_UTL'(Scored) o o

4.2.5 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'INITJVMAUX'(Scored) o o

4.2.6 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_STREAMS_ADM_UTL'(Scored) o o

4.2.7 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_AQADM_SYS'(Scored) o o

4.2.8 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_STREAMS_RPC'(Scored) o o

4.2.9 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_PRVTAQIM'(Scored) o o

4.2.10 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'LTADM'(Scored) o o

4.2.11 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'WWV_DBMS_SQL'(Scored) o o

4.2.12 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'WWV_EXECUTE_IMMEDIATE'(Scored) o o

4.2.13 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_IJOB'(Scored) o o

4.2.14 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_FILE_TRANSFER'(Scored) o o

4.3 RevokeExcessiveSystemPrivileges4.3.1 Ensure'SELECTANYDICTIONARY'IsRevokedfrom

Unauthorized'GRANTEE'(Scored) o o

4.3.2 Ensure'SELECTANYTABLE'IsRevokedfromUnauthorized'GRANTEE'(Scored) o o

4.3.3 Ensure'AUDITSYSTEM'IsRevokedfromUnauthorized'GRANTEE'(Scored) o o

4.3.4 Ensure'EXEMPTACCESSPOLICY'IsRevokedfromUnauthorized'GRANTEE'(Scored) o o

4.3.5 Ensure'BECOMEUSER'IsRevokedfromUnauthorized'GRANTEE'(Scored) o o

4.3.6 Ensure'CREATE_PROCEDURE'IsRevokedfromUnauthorized'GRANTEE'(Scored) o o

4.3.7 Ensure'ALTERSYSTEM'IsRevokedfromUnauthorized'GRANTEE'(Scored) o o

4.3.8 Ensure'CREATEANYLIBRARY'IsRevokedfromUnauthorized'GRANTEE'(Scored) o o

290|P a g e

4.3.9 Ensure'CREATELIBRARY'IsRevokedfromUnauthorized'GRANTEE'(Scored) o o

4.3.10 Ensure'GRANTANYOBJECTPRIVILEGE'IsRevokedfromUnauthorized'GRANTEE'(Scored) o o

4.3.11 Ensure'GRANTANYROLE'IsRevokedfromUnauthorized'GRANTEE'(Scored) o o

4.3.12 Ensure'GRANTANYPRIVILEGE'IsRevokedfromUnauthorized'GRANTEE'(Scored) o o

4.4 RevokeRolePrivileges4.4.1 Ensure'DELETE_CATALOG_ROLE'IsRevokedfrom

Unauthorized'GRANTEE'(Scored) o o

4.4.2 Ensure'SELECT_CATALOG_ROLE'IsRevokedfromUnauthorized'GRANTEE'(Scored) o o

4.4.3 Ensure'EXECUTE_CATALOG_ROLE'IsRevokedfromUnauthorized'GRANTEE'(Scored) o o

4.4.4 Ensure'DBA'IsRevokedfromUnauthorized'GRANTEE'(Scored) o o

4.5 RevokeExcessiveTableandViewPrivileges4.5.1 Ensure'ALL'IsRevokedfromUnauthorized'GRANTEE'on

'AUD$'(Scored) o o

4.5.2 Ensure'ALL'IsRevokedfromUnauthorized'GRANTEE'on'USER_HISTORY$'(Scored) o o

4.5.3 Ensure'ALL'IsRevokedfromUnauthorized'GRANTEE'on'LINK$'(Scored) o o

4.5.4 Ensure'ALL'IsRevokedfromUnauthorized'GRANTEE'on'SYS.USER$'(Scored) o o

4.5.5 Ensure'ALL'IsRevokedfromUnauthorized'GRANTEE'on'DBA_%'(Scored) o o

4.5.6 Ensure'ALL'IsRevokedfromUnauthorized'GRANTEE'on'SYS.SCHEDULER$_CREDENTIAL'(Scored) o o

4.5.7 Ensure'SYS.USER$MIG'HasBeenDropped(Scored) o o4.6 Ensure'%ANY%'IsRevokedfromUnauthorized'GRANTEE'

(Scored) o o

4.7 Ensure'DBA_SYS_PRIVS.%'IsRevokedfromUnauthorized'GRANTEE'with'ADMIN_OPTION'Setto'YES'(Scored) o o

4.8 EnsureProxyUsersHaveOnly'CONNECT'Privilege(Scored) o o4.9 Ensure'EXECUTEANYPROCEDURE'IsRevokedfrom

'OUTLN'(Scored) o o

4.10 Ensure'EXECUTEANYPROCEDURE'IsRevokedfrom'DBSNMP'(Scored) o o

5 Audit/LoggingPoliciesandProcedures5.1 TraditionalAuditing5.1.1 Ensurethe'USER'AuditOptionIsEnabled(Scored) o o5.1.2 Ensurethe'ROLE'AuditOptionIsEnabled(Scored) o o

291|P a g e

5.1.3 Ensurethe'SYSTEMGRANT'AuditOptionIsEnabled(Scored) o o

5.1.4 Ensurethe'PROFILE'AuditOptionIsEnabled(Scored) o o5.1.5 Ensurethe'DATABASELINK'AuditOptionIsEnabled

(Scored) o o

5.1.6 Ensurethe'PUBLICDATABASELINK'AuditOptionIsEnabled(Scored) o o

5.1.7 Ensurethe'PUBLICSYNONYM'AuditOptionIsEnabled(Scored) o o

5.1.8 Ensurethe'SYNONYM'AuditOptionIsEnabled(Scored) o o5.1.9 Ensurethe'DIRECTORY'AuditOptionIsEnabled(Scored) o o5.1.10 Ensurethe'SELECTANYDICTIONARY'AuditOptionIs

Enabled(Scored) o o

5.1.11 Ensurethe'GRANTANYOBJECTPRIVILEGE'AuditOptionIsEnabled(Scored) o o

5.1.12 Ensurethe'GRANTANYPRIVILEGE'AuditOptionIsEnabled(Scored) o o

5.1.13 Ensurethe'DROPANYPROCEDURE'AuditOptionIsEnabled(Scored) o o

5.1.14 Ensurethe'ALL'AuditOptionon'SYS.AUD$'IsEnabled(Scored) o o

5.1.15 Ensurethe'PROCEDURE'AuditOptionIsEnabled(Scored) o o5.1.16 Ensurethe'ALTERSYSTEM'AuditOptionIsEnabled(Scored) o o5.1.17 Ensurethe'TRIGGER'AuditOptionIsEnabled(Scored) o o5.1.18 Ensurethe'CREATESESSION'AuditOptionIsEnabled

(Scored) o o

5.2 UnifiedAuditing5.2.1 Ensurethe'CREATEUSER'ActionAuditIsEnabled(Scored) o o5.2.2 Ensurethe'ALTERUSER'ActionAuditIsEnabled(Scored) o o5.2.3 Ensuethe'DROPUSER'AuditOptionIsEnabled(Scored) o o5.2.4 Ensurethe'CREATEROLE’ActionAuditIsEnabled(Scored) o o5.2.5 Ensurethe'ALTERROLE’ActionAuditIsEnabled(Scored) o o5.2.6 Ensurethe'DROPROLE’ActionAuditIsEnabled(Scored) o o5.2.7 Ensurethe'GRANT'ActionAuditIsEnabled(Scored) o o5.2.8 Ensurethe'REVOKE'ActionAuditIsEnabled(Scored) o o5.2.9 Ensurethe'CREATEPROFILE’ActionAuditIsEnabled

(Scored) o o

5.2.10 Ensurethe'ALTERPROFILE’ActionAuditIsEnabled(Scored) o o5.2.11 Ensurethe'DROPPROFILE’ActionAuditIsEnabled(Scored) o o5.2.12 Ensurethe'CREATEDATABASELINK’ActionAuditIs

Enabled(Scored) o o

5.2.13 Ensurethe'ALTERDATABASELINK’ActionAuditIsEnabled(Scored) o o

292|P a g e

5.2.14 Ensurethe'DROPDATABASELINK’ActionAuditIsEnabled(Scored) o o

5.2.15 Ensurethe'CREATESYNONYM’ActionAuditIsEnabled(Scored) o o

5.2.16 Ensurethe'ALTERSYNONYM’ActionAuditIsEnabled(Scored) o o

5.2.17 Ensurethe'DROPSYNONYM’ActionAuditIsEnabled(Scored) o o

5.2.18 Ensurethe'SELECTANYDICTIONARY’PrivilegeAuditIsEnabled(Scored) o o

5.2.19 Ensurethe'UNIFIED_AUDIT_TRAIL’AccessAuditIsEnabled(Scored) o o

5.2.20 Ensurethe'CREATEPROCEDURE/FUNCTION/PACKAGE/PACKAGEBODY’ActionAuditIsEnabled(Scored)

5.2.21 Ensurethe'ALTERPROCEDURE/FUNCTION/PACKAGE/PACKAGEBODY’ActionAuditIsEnabled(Scored)

5.2.22 Ensurethe'DROPPROCEDURE/FUNCTION/PACKAGE/PACKAGEBODY’ActionAuditIsEnabled(Scored)

5.2.23 Ensurethe'ALTERSYSTEM’PrivilegeAuditIsEnabled(Scored) o o

5.2.24 Ensurethe'CREATETRIGGER’ActionAuditIsEnabled(Scored) o o

5.2.25 Ensurethe'ALTERTRIGGER’ActionAuditISEnabled(Scored) o o

5.2.26 Ensurethe'DROPTRIGGER’ActionAuditIsEnabled(Scored) o o5.2.27 Ensurethe'LOGON’AND‘LOGOFF’ActionsAuditIsEnabled

(Scored) o o

6 Appendix:EstablishinganAudit/ScanUser

293|P a g e

Appendix:ChangeHistoryDate Version Changesforthisversion

Apr29,2015 1.0.0 InitialRelease

Apr29,2015 1.1.0 Ticket#216:Updatedremediationtoreference[PRIVILEGE]list

Apr30,2015 1.1.0 Ticket#204:Clarificationinoverviewforbenchmarknon-pluggableapplicability

Jun29,2015 1.1.0 Ticket#209:Addworkflowadvicetoappendixaboutscanuser

Jun29,2015 1.1.0 Ticket#217:Correctedtypeof"repact"with"repcat"

Jun29,2015 1.1.0 Ticket#213:UpdatedauditqueryforregexonAPEXusers

Jun29,2015 1.1.0 Ticket#212:CorrectedconfusionbetweenDBMS_RANDOMandDBMS_BACKUP_RESTORE

Jun29,2015 1.1.0 Ticket#211:Correctedincorrectrecommendationfrom'FALSE'to'TRUE'

Jun29,2015 1.1.0 Ticket#203:Updatedreferencesfrom11gR2to12cwherepossible

Mar31,2016 1.2.0 Ticket#259:AddedSYSMANtolistofauthorizedgranteesfor4.4.2

Mar31,2016 1.2.0 Ticket#258:AddedAPEX_050000;MGMT_VIEW;SYSMAN_MDS;SYSMAN_OPSS;SYSMAN_RO;SYSMAN_STBtolistofauthorizedgranteesin4.3.6

Mar31,2016 1.2.0 Ticket#256:AddedSYSBACKUPandSYSDGtogranteelistfor4.3.1

Mar31,2016 1.2.0 Ticket#254:Updatedrecommendationtexttosay'LessthanorEqualto10'on2.13

294|P a g e

Mar31,2016 1.2.0 Ticket#241:Addedmissingsemicoloninauditqueryon5.1

Mar31,2016 1.2.0 Ticket#253:Removedquotesfromremediationcommandon2.2.2

Mar31,2016 1.2.0 Ticket#261:AddedSYStotableownersandSYSMANtolistofauthorizedgranteesfor4.5.4

Mar31,2016 1.2.0 Ticket#263:AddedSYStolistoftableowners

Mar31,2016 1.2.0 Ticket#264:AddedAPEX_050000;SYSMAN_STB;SYSMAN_TYPEStolistofauthorizedgrantees

Mar31,2016 1.2.0 Ticket#225:Updateddescriptionandrationalefor2.2.17

Mar31,2016 1.2.0 Ticket#251:AddedAUDIT_ADMIN,AUDIT_VIEWER,CAPTURE_ADMIN,DBA,GSMADMIN_INTERNAL,ORACLE_OCM,SYSDG,SYSKM,XDBtolistofauthorizedgrantees

Mar31,2016 1.2.0 Ticket#215:RevisedLISTENERsectionsandincludedLISTENER_HOMEreferences

Mar31,2016 1.2.0 Ticket#242:Addedmissingsemicolonto4.1.4

Mar31,2016 1.2.0 Ticket#266:Updatedauditquerytocheckforallprivileges,notonlyroles

Mar31,2016 1.2.0 Ticket#265:AddedAPEX_050000tolistofauthorizedgranteeson4.7

Mar31,2016 1.2.0 Ticket#252:Updateprofiletext(minor)

Apr1,2016 2.0.0 Ticket#267:AddedacautionstatementaboutrevokingprivilegesfromPUBLIC.

Oct18,2016 2.0.0 Ticket#207:MovedexistingauditingrecommendationstoasubsectionnamedTraditionalAuditing(5.1)andaddedunifiedauditingrecommendationsunderasiblingsubsectioncalledUnifiedAuditing(5.2).

Oct18,2016 2.0.0 Ticket#275:Correctedreferenceincludedfor2.2.2

295|P a g e

Oct18,2016 2.0.0 Ticket#276:Added‘DB’and‘XML’asvalidparametervaluesfor2.2.2

Dec1,2016 2.0.0 Ticket#262:UpdatedGranteelistandaddedanotregardingPUBLICgrantsfor4.5.5

Dec1,2016 2.0.0 Ticket#282:Correctedtypoin2.2.11whereitspecifiedUTIL_FILE_DIRinsteadofUTL_FILE_DIR

Dec1,2016 2.0.0 Ticket#283:Updatedtitletoread“Ensure‘SEC_MAX_FAILED_LOGIN_ATTEMPTS’is‘10’”for2.2.13

Dec1,2016 2.0.0 Ticket#284:Added“andOWNER=’SYS’”tothequeryfor4.5.2

Dec28,2016 2.0.0 PlannedUpdate

Jan18,2017 2.1.0 Ticket#3934:#2924.3.12-Typoinauditprocedure

Jun22,2017 2.1.0 Ticket#3937:#295Remove"Level1-RDBMSusingUnifiedAuditing"from2.2.1

Sep14,2017 2.1.0 Ticket#4759:#297:2.2.13Ensure'SEC_MAX_FAILED_LOGIN_ATTEMPTS'Is'10'

Sep14,2017 2.1.0 Ticket#3938:#2961.2EnsureAllDefaultPasswordsAreChanged(Scored)-Addcomment

Sep14,2017 2.1.0 Ticket#3936:#294Titleof2.2.2isinconsistent

Sep14,2017 2.1.0 Ticket#3935:#293Changeupper(value)fromauditSQLquerytovalue

Sep28,2017 2.1.0 Ticket#3932:#290Reviseprofiledescriptionstoremoveanyambiguity

296|P a g e

Feb1,2018 2.1.0 Ticket#3928:#247Revokedangerouspublicprivileges

Feb1,2018 2.1.0 Ticket#3930:#250CheckforlatestPatchUpdateusingnewnamingformat

Mar16,2018 2.1.0 Ticket#6095:Remove'LOCAL_LISTENER'recommendationfrom12c

Jul10,2018 2.1.0 Editedtotheentirebenchmarktoaddresserrorsandclarifyrecommendations

Sep18,2018 2.1.0 PlannedUpdate

CIS Oracle Database 12c Benchmark v2.1.0 › Security › CIS › CIS_Oracle_Database_12c... · 4 |...

Documents

Transcript of CIS Oracle Database 12c Benchmark v2.1.0 › Security › CIS › CIS_Oracle_Database_12c... · 4 |...

IP Packet Switching Reading: Sect 4.1.1 – 4.1.4, 4.3.5

4.1.4 Dea Delaney

User guide of plan module v2.1.0

User guide of profile module v2.1.0

4.1.1- 4.1.4 | Chromosomes, genes, alleles and mutations

UNIVERSITY OF CYPRUS - ucy.ac.cy · PDF filecen cen cis cis cis cis cis cis cis cis cis cis cis cis cis cis cis cis 101 102 600 600 600 600 600 600 600 600 600 600 600 600 600 600

GLAST LAT ProjectMarch 24, 2003 6B Tracker Peer Review, WBS 4.1.4 1 GLAST Large Area Telescope: Tracker Subsystem WBS 4.1.4 6B: Silicon Strip Detector.

POS-PHY Level 4 MegaCore Function v2.1.0 Wrapper Features · 2021. 1. 6. · 4 Altera Corporation Preliminary POS-PHY Level 4 MegaCore Function v2.1.0 Wrapper Features 1 Keep in mind

4.1.4: How Do I Shift Trig Functions?

Draft ETSI EN 302 208-1 V2.1.0 (2014-06) Electromagnetic ...Draft ETSI EN 302 208-1 V2.1.0 (2014-06) Electromagnetic compatibility and Radio spectrum Matters (ERM); Radio Frequency

Çankırı Karatekin University...Ders Kodu TDi-101 ATA-101 YDÍ-IOI CIS 109 CIS 103 CIS 101 CIS 107 CIS 105 Ders Kodu CIS 205 CIS 207 CIS CIS 203 CIS 225 CIS 221 CIS 201 CIS 215 CIS

CIS MS Windows Server 2008 R2 MS V2.1.0

4.1.4 - Factorisation II - Quadratics · 4.1 - Algebra - Expressions 4.1.4 - Factorisation II - Quadratics Higher Level & Ordinary Level 3 / 5. General method to factorise ax2 + bx

Interactionanalysisofcolumn-andplate-like ......Contents 4.1.4 Interpolationbetweenplateandcolumnbehaviour. . . . . . . . 39 4.2 Eurocode’sapproachbasedonreducedstressmethod. . .

GLAST LAT ProjectMarch 24, 2003 6D Tracker Peer Review, WBS 4.1.4 1 GLAST Large Area Telescope: Tracker Subsystem WBS 4.1.4 6D: Composite Panel Fabrication.

BK5823datasheet en V2.1.0 - belon.cn · BK5823 Datasheet ETC OBU SOC ...

US-Hikvision Day Night Color Camera v2.1.0

Manual vBulletin Version 4.1.4

4.1.4 Los Manglares.pdf

CIS Microsoft Windows Server 2008 R2 Benchmark v2.1.0 - 12 ...urbanteach.org/.../3/34238252/windows_server_2008_r2_benchmark_… · CIS Microsoft Windows Server 2008 R2 Benchmark