CIS Oracle Database 12c Benchmark v2.1.0 – 09-18-2018
1 | Page
Terms of Use
Please see the below link for our current terms of use: https://www.cisecurity.org/cis-securesuite/cis-securesuite-membership-terms-of-use/
Table of Contents
Terms of Use ... 1
Overview ... 9
Intended Audience ... 9
Consensus Guidance ... 9
Typographical Conventions ... 10
Scoring Information ... 10
Profile Definitions ... 11
Acknowledgements ... 13
Recommendations ... 14
1 Oracle Database Installation and Patching Requirements ... 14
1.1 Ensure the Appropriate Version/Patches for Oracle Software Is Installed (Not Scored) ... 14
1.2 Ensure All Default Passwords Are Changed (Scored) ... 16
1.3 Ensure All Sample Data And Users Have Been Removed (Scored) ... 18
2 Oracle Parameter Settings ... 20
2.1 Listener Settings ... 21
2.1.1 Ensure 'SECURE_CONTROL_<listener_name>' Is Set In 'listener.ora' (Scored) ... 21
2.1.2 Ensure 'extproc' Is Not Present in 'listener.ora' (Scored) ... 23
2.1.3 Ensure 'ADMIN_RESTRICTIONS_<listener_name>' Is Set to 'ON' (Scored) ... 25
2.1.4 Ensure 'SECURE_REGISTER_<listener_name>' Is Set to 'TCPS' or 'IPC' (Scored) ... 27
2.2 Database Settings ... 29
2.2.1 Ensure 'AUDIT_SYS_OPERATIONS' Is Set to 'TRUE' (Scored) ... 29
2.2.2 Ensure 'AUDIT_TRAIL' Is Set to 'DB', 'XML', 'OS', 'DB,EXTENDED', or 'XML,EXTENDED' (Scored) ... 31
2.2.3 Ensure 'GLOBAL_NAMES' Is Set to 'TRUE' (Scored) ... 33
2.2.4 Ensure 'O7_DICTIONARY_ACCESSIBILITY' Is Set to 'FALSE' (Scored) ... 34
2.2.5 Ensure 'OS_ROLES' Is Set to 'FALSE' (Scored) ... 36
2.2.6 Ensure 'REMOTE_LISTENER' Is Empty (Scored) ... 37
2.2.7 Ensure 'REMOTE_LOGIN_PASSWORDFILE' Is Set to 'NONE' (Scored) ... 39
2.2.8 Ensure 'REMOTE_OS_AUTHENT' Is Set to 'FALSE' (Scored) ... 40
2.2.9 Ensure 'REMOTE_OS_ROLES' Is Set to 'FALSE' (Scored) ... 41
2.2.10 Ensure 'UTL_FILE_DIR' Is Empty (Scored) ... 42
2.2.11 Ensure 'SEC_CASE_SENSITIVE_LOGON' Is Set to 'TRUE' (Scored) ... 43
2.2.12 Ensure 'SEC_MAX_FAILED_LOGIN_ATTEMPTS' Is '3' or Less (Scored) ... 44
2.2.13 Ensure 'SEC_PROTOCOL_ERROR_FURTHER_ACTION' Is Set to 'DROP,3' (Scored) ... 46
2.2.14 Ensure 'SEC_PROTOCOL_ERROR_TRACE_ACTION' Is Set to 'LOG' (Scored) ... 48
2.2.15 Ensure 'SEC_RETURN_SERVER_RELEASE_BANNER' Is Set to 'FALSE' (Scored) ... 50
2.2.16 Ensure 'SQL92_SECURITY' Is Set to 'TRUE' (Scored) ... 52
2.2.17 Ensure '_trace_files_public' Is Set to 'FALSE' (Scored) ... 54
2.2.18 Ensure 'RESOURCE_LIMIT' Is Set to 'TRUE' (Scored) ... 56
3 Oracle Connection and Login Restrictions ... 58
3.1 Ensure 'FAILED_LOGIN_ATTEMPTS' Is Less than or Equal to '5' (Scored) ... 58
3.2 Ensure 'PASSWORD_LOCK_TIME' Is Greater than or Equal to '1' (Scored) ... 60
3.3 Ensure 'PASSWORD_LIFE_TIME' Is Less than or Equal to '90' (Scored) ... 62
3.4 Ensure 'PASSWORD_REUSE_MAX' Is Greater than or Equal to '20' (Scored) ... 63
3.5 Ensure 'PASSWORD_REUSE_TIME' Is Greater than or Equal to '365' (Scored) ... 65
3.6 Ensure 'PASSWORD_GRACE_TIME' Is Less than or Equal to '5' (Scored) ... 67
3.7 Ensure 'DBA_USERS.PASSWORD' Is Not Set to 'EXTERNAL' for Any User (Scored) ... 69
3.8 Ensure 'PASSWORD_VERIFY_FUNCTION' Is Set for All Profiles (Scored) ... 71
3.9 Ensure 'SESSIONS_PER_USER' Is Less than or Equal to '10' (Scored) ... 72
3.10 Ensure No Users Are Assigned the 'DEFAULT' Profile (Scored) ... 74
4 Oracle User Access and Authorization Restrictions ... 76
4.1 Default Public Privileges for Packages and Object Types ... 77
4.1.1 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_ADVISOR' (Scored) ... 77
4.1.2 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_CRYPTO' (Scored) ... 79
4.1.3 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_JAVA' (Scored) ... 81
4.1.4 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_JAVA_TEST' (Scored) ... 83
4.1.5 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_JOB' (Scored) ... 85
4.1.6 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_LDAP' (Scored) ... 87
4.1.7 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_LOB' (Scored) ... 89
4.1.8 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_OBFUSCATION_TOOLKIT' (Scored) ... 91
4.1.9 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_RANDOM' (Scored) ... 93
4.1.10 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_SCHEDULER' (Scored) ... 95
4.1.11 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_SQL' (Scored) ... 97
4.1.12 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_XMLGEN' (Scored) ... 98
4.1.13 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_XMLQUERY' (Scored) ... 100
4.1.14 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_FILE' (Scored) ... 102
4.1.15 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_INADDR' (Scored) ... 103
4.1.16 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_TCP' (Scored) ... 105
4.1.17 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_MAIL' (Scored) ... 106
4.1.18 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_SMTP' (Scored) ... 108
4.1.19 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_DBWS' (Scored) ... 110
4.1.20 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_ORAMTS' (Scored) ... 112
4.1.21 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_HTTP' (Scored) ... 114
4.1.22 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'HTTPURITYPE' (Scored) ... 116
4.1.23 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_XMLSTORE' (Scored) ... 117
4.1.24 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_XMLSAVE' (Scored) ... 119
4.1.25 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_REDACT' (Scored) ... 121
4.2 Revoke Non-Default Privileges for Packages and Object Types ... 122
4.2.1 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_SYS_SQL' (Scored) ... 122
4.2.2 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_BACKUP_RESTORE' (Scored) ... 124
4.2.3 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_AQADM_SYSCALLS' (Scored) ... 126
4.2.4 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_REPCAT_SQL_UTL' (Scored) ... 127
4.2.5 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'INITJVMAUX' (Scored) ... 129
4.2.6 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_STREAMS_ADM_UTL' (Scored) ... 130
4.2.7 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_AQADM_SYS' (Scored) ... 132
4.2.8 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_STREAMS_RPC' (Scored) ... 133
4.2.9 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_PRVTAQIM' (Scored) ... 135
4.2.10 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'LTADM' (Scored) ... 137
4.2.11 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'WWV_DBMS_SQL' (Scored) ... 138
4.2.12 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'WWV_EXECUTE_IMMEDIATE' (Scored) ... 139
4.2.13 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_IJOB' (Scored) ... 141
4.2.14 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_FILE_TRANSFER' (Scored) ... 142
4.3 Revoke Excessive System Privileges ... 144
4.3.1 Ensure 'SELECT ANY DICTIONARY' Is Revoked from Unauthorized 'GRANTEE' (Scored) ... 144
4.3.2 Ensure 'SELECT ANY TABLE' Is Revoked from Unauthorized 'GRANTEE' (Scored) ... 146
4.3.3 Ensure 'AUDIT SYSTEM' Is Revoked from Unauthorized 'GRANTEE' (Scored) ... 148
4.3.4 Ensure 'EXEMPT ACCESS POLICY' Is Revoked from Unauthorized 'GRANTEE' (Scored) ... 150
4.3.5 Ensure 'BECOME USER' Is Revoked from Unauthorized 'GRANTEE' (Scored) ... 152
4.3.6 Ensure 'CREATE_PROCEDURE' Is Revoked from Unauthorized 'GRANTEE' (Scored) ... 153
4.3.7 Ensure 'ALTER SYSTEM' Is Revoked from Unauthorized 'GRANTEE' (Scored) ... 155
4.3.8 Ensure 'CREATE ANY LIBRARY' Is Revoked from Unauthorized 'GRANTEE' (Scored) ... 157
4.3.9 Ensure 'CREATE LIBRARY' Is Revoked from Unauthorized 'GRANTEE' (Scored) ... 159
4.3.10 Ensure 'GRANT ANY OBJECT PRIVILEGE' Is Revoked from Unauthorized 'GRANTEE' (Scored) ... 161
4.3.11 Ensure 'GRANT ANY ROLE' Is Revoked from Unauthorized 'GRANTEE' (Scored) ... 163
4.3.12 Ensure 'GRANT ANY PRIVILEGE' Is Revoked from Unauthorized 'GRANTEE' (Scored) ... 165
4.4 Revoke Role Privileges ... 167
4.4.1 Ensure 'DELETE_CATALOG_ROLE' Is Revoked from Unauthorized 'GRANTEE' (Scored) ... 167
4.4.2 Ensure 'SELECT_CATALOG_ROLE' Is Revoked from Unauthorized 'GRANTEE' (Scored) ... 169
4.4.3 Ensure 'EXECUTE_CATALOG_ROLE' Is Revoked from Unauthorized 'GRANTEE' (Scored) ... 171
4.4.4 Ensure 'DBA' Is Revoked from Unauthorized 'GRANTEE' (Scored) ... 173
4.5 Revoke Excessive Table and View Privileges ... 175
4.5.1 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'AUD$' (Scored) ... 175
4.5.2 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'USER_HISTORY$' (Scored) ... 177
4.5.3 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'LINK$' (Scored) ... 179
4.5.4 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'SYS.USER$' (Scored) ... 181
4.5.5 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'DBA_%' (Scored) ... 183
4.5.6 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'SYS.SCHEDULER$_CREDENTIAL' (Scored) ... 185
4.5.7 Ensure 'SYS.USER$MIG' Has Been Dropped (Scored) ... 187
4.6 Ensure '%ANY%' Is Revoked from Unauthorized 'GRANTEE' (Scored) ... 188
4.7 Ensure 'DBA_SYS_PRIVS.%' Is Revoked from Unauthorized 'GRANTEE' with 'ADMIN_OPTION' Set to 'YES' (Scored) ... 190
4.8 Ensure Proxy Users Have Only 'CONNECT' Privilege (Scored) ... 191
4.9 Ensure 'EXECUTE ANY PROCEDURE' Is Revoked from 'OUTLN' (Scored) ... 192
4.10 Ensure 'EXECUTE ANY PROCEDURE' Is Revoked from 'DBSNMP' (Scored) ... 193
5 Audit/Logging Policies and Procedures ... 194
5.1 Traditional Auditing ... 195
5.1.1 Ensure the 'USER' Audit Option Is Enabled (Scored) ... 195
5.1.2 Ensure the 'ROLE' Audit Option Is Enabled (Scored) ... 197
5.1.3 Ensure the 'SYSTEM GRANT' Audit Option Is Enabled (Scored) ... 199
5.1.4 Ensure the 'PROFILE' Audit Option Is Enabled (Scored) ... 200
5.1.5 Ensure the 'DATABASE LINK' Audit Option Is Enabled (Scored) ... 202
5.1.6 Ensure the 'PUBLIC DATABASE LINK' Audit Option Is Enabled (Scored) ... 204
5.1.7 Ensure the 'PUBLIC SYNONYM' Audit Option Is Enabled (Scored) ... 206
5.1.8 Ensure the 'SYNONYM' Audit Option Is Enabled (Scored) ... 208
5.1.9 Ensure the 'DIRECTORY' Audit Option Is Enabled (Scored) ... 210
5.1.10 Ensure the 'SELECT ANY DICTIONARY' Audit Option Is Enabled (Scored) ... 212
5.1.11 Ensure the 'GRANT ANY OBJECT PRIVILEGE' Audit Option Is Enabled (Scored) ... 214
5.1.12 Ensure the 'GRANT ANY PRIVILEGE' Audit Option Is Enabled (Scored) ... 216
5.1.13 Ensure the 'DROP ANY PROCEDURE' Audit Option Is Enabled (Scored) ... 218
5.1.14 Ensure the 'ALL' Audit Option on 'SYS.AUD$' Is Enabled (Scored) ... 220
5.1.15 Ensure the 'PROCEDURE' Audit Option Is Enabled (Scored) ... 222
5.1.16 Ensure the 'ALTER SYSTEM' Audit Option Is Enabled (Scored) ... 224
5.1.17 Ensure the 'TRIGGER' Audit Option Is Enabled (Scored) ... 226
5.1.18 Ensure the 'CREATE SESSION' Audit Option Is Enabled (Scored) ... 228
5.2 Unified Auditing ... 230
5.2.1 Ensure the 'CREATE USER' Action Audit Is Enabled (Scored) ... 230
5.2.2 Ensure the 'ALTER USER' Action Audit Is Enabled (Scored) ... 232
5.2.3 Ensure the 'DROP USER' Audit Option Is Enabled (Scored) ... 234
5.2.4 Ensure the 'CREATE ROLE' Action Audit Is Enabled (Scored) ... 236
5.2.5 Ensure the 'ALTER ROLE' Action Audit Is Enabled (Scored) ... 238
5.2.6 Ensure the 'DROP ROLE' Action Audit Is Enabled (Scored) ... 240
5.2.7 Ensure the 'GRANT' Action Audit Is Enabled (Scored) ... 242
5.2.8 Ensure the 'REVOKE' Action Audit Is Enabled (Scored) ... 244
5.2.9 Ensure the 'CREATE PROFILE' Action Audit Is Enabled (Scored) ... 246
5.2.10 Ensure the 'ALTER PROFILE' Action Audit Is Enabled (Scored) ... 248
5.2.11 Ensure the 'DROP PROFILE' Action Audit Is Enabled (Scored) ... 250
5.2.12 Ensure the 'CREATE DATABASE LINK' Action Audit Is Enabled (Scored) ... 252
5.2.13 Ensure the 'ALTER DATABASE LINK' Action Audit Is Enabled (Scored) ... 254
5.2.14 Ensure the 'DROP DATABASE LINK' Action Audit Is Enabled (Scored) ... 256
5.2.15 Ensure the 'CREATE SYNONYM' Action Audit Is Enabled (Scored) ... 258
5.2.16 Ensure the 'ALTER SYNONYM' Action Audit Is Enabled (Scored) ... 260
5.2.17 Ensure the 'DROP SYNONYM' Action Audit Is Enabled (Scored) ... 262
5.2.18 Ensure the 'SELECT ANY DICTIONARY' Privilege Audit Is Enabled (Scored) ... 264
5.2.19 Ensure the 'UNIFIED_AUDIT_TRAIL' Access Audit Is Enabled (Scored) ... 266
5.2.20 Ensure the 'CREATE PROCEDURE/FUNCTION/PACKAGE/PACKAGE BODY' Action Audit Is Enabled (Scored) ... 268
5.2.21 Ensure the 'ALTER PROCEDURE/FUNCTION/PACKAGE/PACKAGE BODY' Action Audit Is Enabled (Scored) ... 270
5.2.22 Ensure the 'DROP PROCEDURE/FUNCTION/PACKAGE/PACKAGE BODY' Action Audit Is Enabled (Scored) ... 272
5.2.23 Ensure the 'ALTER SYSTEM' Privilege Audit Is Enabled (Scored) ... 274
5.2.24 Ensure the 'CREATE TRIGGER' Action Audit Is Enabled (Scored) ... 276
5.2.25 Ensure the 'ALTER TRIGGER' Action Audit Is Enabled (Scored) ... 278
5.2.26 Ensure the 'DROP TRIGGER' Action Audit Is Enabled (Scored) ... 280
5.2.27 Ensure the 'LOGON' and 'LOGOFF' Actions Audit Is Enabled (Scored) ... 282
6 Appendix: Establishing an Audit/Scan User ... 284
Appendix: Summary Table ... 286
Appendix: Change History ... 293
Overview
This document is intended to address the recommended security settings for Oracle Database 12c. This guide was tested against Oracle Database 12c (version 12.1.0.2) installed without pluggable database support running on a Windows Server 2012 R2 instance as a stand-alone system and running on an Oracle Linux 7 instance also as a stand-alone system. Future Oracle Database 12c critical patch updates (CPUs) may impact the recommendations included in this document.
To obtain the latest version of this guide, please visit http://benchmarks.cisecurity.org. If you have questions, comments, or have identified ways to improve this guide, please write us at [email protected].
Intended Audience
This benchmark is intended for system and application administrators, security specialists, auditors, help desk, and platform deployment personnel who plan to develop, deploy, assess, or secure solutions that incorporate Oracle Database 12c on Oracle Linux or Microsoft Windows Server.
Consensus Guidance
This benchmark was created using a consensus review process comprised of subject matter experts. Consensus participants provide perspective from a diverse set of backgrounds including consulting, software development, audit and compliance, security research, operations, government, and legal.
Each CIS benchmark undergoes two phases of consensus review. The first phase occurs during initial benchmark development. During this phase, subject matter experts convene to discuss, create, and test working drafts of the benchmark. This discussion occurs until consensus has been reached on benchmark recommendations. The second phase begins after the benchmark has been published. During this phase, all feedback provided by the Internet community is reviewed by the consensus team for incorporation in the benchmark. If you are interested in participating in the consensus process, please visit https://workbench.cisecurity.org/.
Typographical Conventions
The following typographical conventions are used throughout this guide:
Convention: Meaning
Stylized Monospace font: Used for blocks of code, command, and script examples. Text should be interpreted exactly as presented.
Monospace font: Used for inline code, commands, or examples. Text should be interpreted exactly as presented.
<italic font in brackets>: Italic texts set in angle brackets denote a variable requiring substitution for a real value.
Italic font: Used to denote the title of a book, article, or other publication.
Note: Additional information or caveats
Scoring Information
A scoring status indicates whether compliance with the given recommendation impacts the assessed target's benchmark score. The following scoring statuses are used in this benchmark:
Scored
Failure to comply with "Scored" recommendations will decrease the final benchmark score. Compliance with "Scored" recommendations will increase the final benchmark score.
Not Scored
Failure to comply with "Not Scored" recommendations will not decrease the final benchmark score. Compliance with "Not Scored" recommendations will not increase the final benchmark score.
Profile Definitions
The following configuration profiles are defined by this Benchmark:
• Level 1 - RDBMS using Traditional Auditing
Items in this profile apply to Oracle Database 12c configured to use Traditional Auditing and intend to:
o Be practical and prudent;
o Provide a clear security benefit; and
o Not inhibit the utility of the technology beyond acceptable means.
• Level 1 - Linux Host OS using Traditional Auditing
This profile extends the "RDBMS using Traditional Auditing" profile. Items in this profile apply to RDBMS running on a Linux Host operating system with Oracle Database 12c configured to use Traditional Auditing and intend to:
o Be practical and prudent;
o Provide a clear security benefit; and
o Not inhibit the utility of the technology beyond acceptable means.
• Level 1 - Windows Server Host OS using Traditional Auditing
This profile extends the "RDBMS using Traditional Auditing" profile. Items in this profile apply to RDBMS running on a Windows Server operating system with Oracle Database 12c configured to use Traditional Auditing and intend to:
o Be practical and prudent;
o Provide a clear security benefit; and
o Not inhibit the utility of the technology beyond acceptable means.
• Level 1 - RDBMS using Unified Auditing
Items in this profile apply to Oracle Database 12c configured to use Unified Auditing and intend to:
o Be practical and prudent;
o Provide a clear security benefit; and
o Not inhibit the utility of the technology beyond acceptable means.
• Level 1 - Linux Host OS using Unified Auditing
This profile extends the "RDBMS using Unified Auditing" profile. Items in this profile apply to RDBMS running on a Linux Host operating system with Oracle Database 12c configured to use Unified Auditing and intend to:
o Be practical and prudent;
o Provide a clear security benefit; and
o Not inhibit the utility of the technology beyond acceptable means.
• Level 1 - Windows Server Host OS using Unified Auditing
This profile extends the "RDBMS using Unified Auditing" profile. Items in this profile apply to RDBMS running on a Windows Server operating system with Oracle Database 12c configured to use Unified Auditing and intend to:
o Be practical and prudent;
o Provide a clear security benefit; and
o Not inhibit the utility of the technology beyond acceptable means.
Acknowledgements
This benchmark exemplifies the great things a community of users, vendors, and subject matter experts can accomplish through consensus collaboration. The CIS community thanks the entire consensus team with special recognition to the following individuals who contributed greatly to the creation of this guide:
Author
Jay Mehta
Contributor
Alexander Kornbrust, S. Brian Suddeth, Pieter Van Puymbroeck, Arman Rawls, Adam Montville, Tung Bui Viet, Jignesh Patel, Than Thi Cham, Dean Lackey, Kyle Thomason, Justin Brown, Gijs Hasselman, Stephen Dufour, Philippe Langlois
Editor
Angelo Marcotullio, Tim Harrison CISSP, ICP, Center for Internet Security, Karen Scarfone
Recommendations
1 Oracle Database Installation and Patching Requirements
One of the best ways to keep an Oracle installation secure is to apply Critical Patch Updates (CPUs) as they are released, along with any applicable OS patches that will not interfere with system operations. It is additionally prudent to remove Oracle sample data from production environments.
1.1 Ensure the Appropriate Version/Patches for Oracle Software Is Installed (Not Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle installation version and patches should be the most recent that are compatible with the organization's operational needs.
Rationale:
Using the most recent Oracle database software, along with all applicable patches, limits the window during which known vulnerabilities remain exploitable. The installation version and/or patches applied during setup should be established according to the needs of the organization. Ensure you are using a release that is covered by a level of support that includes the generation of Critical Patch Updates; a release that has left Premier or Extended Support no longer receives CPU fixes, however current the last patch applied to it was.
Audit:
To assess this recommendation, use the following example shell command as appropriate for your environment, substituting the patch number from the current Critical Patch Update advisory for <latest_patch_version_number>. The assessment fails if the command prints nothing, because the patch is then not recorded in the ORACLE_HOME inventory.
For example, on Linux systems:
opatch lsinventory | grep -e "^.*<latest_patch_version_number>\s*.*$"
For example, on Windows systems:
opatch lsinventory | find "<latest_patch_version_number>"
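The opatch check above covers the binaries in the ORACLE_HOME only. Since 12c, the SQL portion of a patch is applied separately by datapatch and recorded in the database, so a patch can be present in the inventory yet never applied to a given database. The following queries are an added example, not part of the CIS benchmark; they assume a DBA session, and <latest_patch_id> is a placeholder (the document's own angle-bracket convention) for the patch ID from the current CPU advisory.

```sql
-- Added example: database-side complement to "opatch lsinventory".
-- Assumes a DBA or SYSDBA session on the database being assessed.

-- Release actually running (compare to the release covered by the advisory).
SELECT banner
FROM   v$version;

-- Every SQL patch action datapatch has recorded in this database, newest first.
-- BUNDLE_SERIES is PSU or DBBP for quarterly bundles; ACTION is APPLY or
-- ROLLBACK; only STATUS = 'SUCCESS' counts as applied.
SELECT patch_id,
       bundle_series,
       action,
       status,
       action_time,
       description
FROM   dba_registry_sqlpatch
ORDER  BY action_time DESC;

-- Pass/fail for the specific patch the advisory calls for. A row in the
-- opatch inventory with no matching SUCCESS row here means the binaries
-- were patched but datapatch was never run (or failed) for this database.
SELECT CASE
         WHEN COUNT(*) = 0
         THEN 'FAIL: patch <latest_patch_id> not applied to this database'
         ELSE 'PASS'
       END AS result
FROM   dba_registry_sqlpatch
WHERE  patch_id = <latest_patch_id>
AND    action   = 'APPLY'
AND    status   = 'SUCCESS';
```

Run the inventory check and this query side by side; the recommendation is met only when both agree on the same patch ID.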
Remediation:
Perform the following step for remediation:
Download and apply the latest quarterly Critical Patch Update patches.
References:
1. http://www.oracle.com/us/support/assurance/fixing-policies/index.html
2. http://www.oracle.com/technetwork/topics/security/alerts-086861.html
3. http://www.oracle.com/us/support/library/lifetime-support-technology-069183.pdf
CIS Controls:
Version 6
2 Inventory of Authorized and Unauthorized Software
1.2 Ensure All Default Passwords Are Changed (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
Default passwords should not be used by Oracle database users.
Rationale:
Default passwords should be considered "well known" to attackers. Consequently, if default passwords remain in place, any attacker with access to the database can authenticate as the user with that default password.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT USERNAME FROM DBA_USERS_WITH_DEFPWD WHERE USERNAME NOT LIKE '%XS$NULL%';
The view called DBA_USERS_WITH_DEFPWD shows a list of all database users making use of default passwords. The assessment fails if results are returned.
Note: Per Oracle Support Document 2173962.1, "after creation of a new 12c database, the SYS and SYSTEM accounts are listed in DBA_USERS_WITH_DEFPWD even though the accounts were created with non-default passwords. Setting the same passwords again with ALTER USER correctly recognizes that the accounts do not have default passwords."
Remediation:
To remediate this recommendation, you may perform either of the following actions:
• Manually issue the following SQL*Plus command for each USERNAME returned in the Audit Procedure:
PASSWORD <username>
• Execute the following PL/SQL script to assign a randomly generated password to each account using a default password. The script also locks each such account and expires its password; review the audit output first, because per the Oracle Support note above SYS and SYSTEM may be listed spuriously on a newly created database.
begin
  for r_user in (select username
                 from dba_users_with_defpwd
                 where username not like '%XS$NULL%')
  loop
    DBMS_OUTPUT.PUT_LINE('Password for user '||r_user.username||' will be changed.');
    -- 16 random mixed-case letters; the account is locked and the password expired
    execute immediate 'alter user "'||r_user.username||'" identified by "'
                      ||DBMS_RANDOM.string('a',16)||'" account lock password expire';
  end loop;
end;
/
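The benchmark's script treats every flagged account the same way and would also lock SYSTEM if it appears in the view spuriously. The following is an added example, not part of the CIS benchmark, that first lists the flagged accounts with enough context to judge them, then rotates passwords with a policy of this example's own choosing: Oracle-maintained schemas are locked and expired as above, locally created accounts are rotated and expired but left open, and SYS and SYSTEM are skipped for manual handling per Oracle Support Document 2173962.1. It assumes a SYSDBA (or DBA-role) session; view and column names are Oracle's (ORACLE_MAINTAINED and LAST_LOGIN exist in DBA_USERS from 12.1).

```sql
-- Added example, not from the CIS benchmark. Assumes SYSDBA or DBA role.

-- 1. Audit with context: is the flagged account Oracle-supplied, is it open,
--    which profile governs it, and has anyone actually logged on as it?
SELECT d.username,
       u.account_status,
       u.profile,
       u.oracle_maintained,
       u.last_login
FROM   dba_users_with_defpwd d
       JOIN dba_users u ON u.username = d.username
WHERE  d.username NOT LIKE '%XS$NULL%'
ORDER  BY u.oracle_maintained DESC, d.username;

-- 2. Remediate. SYS and SYSTEM are excluded: the Support note says they can
--    be listed spuriously right after creation; re-set them by hand with
--    ALTER USER so the view stops reporting them.
SET SERVEROUTPUT ON
DECLARE
  l_pwd VARCHAR2(30);
  l_sql VARCHAR2(500);
BEGIN
  FOR r IN (SELECT d.username, u.account_status, u.oracle_maintained
            FROM   dba_users_with_defpwd d
                   JOIN dba_users u ON u.username = d.username
            WHERE  d.username NOT LIKE '%XS$NULL%'
            AND    d.username NOT IN ('SYS', 'SYSTEM'))
  LOOP
    -- 20 random mixed-case letters followed by four random digits: always
    -- has both letters and digits for a password verify function, stays
    -- under Oracle's 30-byte limit, and contains no quote characters, so the
    -- double-quoted literal below cannot be broken out of.
    l_pwd := DBMS_RANDOM.string('a', 20)
             || TO_CHAR(TRUNC(DBMS_RANDOM.value(1000, 10000)));

    -- ENQUOTE_NAME double-quotes the identifier and raises ORA-44003 if the
    -- name itself contains a double quote, which plain concatenation of the
    -- username (as in the benchmark's script) would not catch.
    l_sql := 'ALTER USER ' || DBMS_ASSERT.enquote_name(r.username, FALSE)
             || ' IDENTIFIED BY "' || l_pwd || '"';

    IF r.oracle_maintained = 'Y' THEN
      -- Oracle-supplied schema still on its default password: nobody should
      -- be logging in as it, so lock it as the benchmark's script does.
      l_sql := l_sql || ' ACCOUNT LOCK PASSWORD EXPIRE';
    ELSE
      -- Locally created account on a default password: rotate and force a
      -- change at next logon, but do not lock out a possibly live user.
      l_sql := l_sql || ' PASSWORD EXPIRE';
    END IF;

    EXECUTE IMMEDIATE l_sql;
    DBMS_OUTPUT.put_line('Rotated ' || r.username
                         || ' (was ' || r.account_status
                         || ', oracle_maintained=' || r.oracle_maintained || ')');
  END LOOP;
END;
/

-- 3. Verify: the benchmark's audit should now return nothing except, at
--    most, SYS and SYSTEM until their passwords have been re-set by hand.
SELECT username
FROM   dba_users_with_defpwd
WHERE  username NOT LIKE '%XS$NULL%';
```

If a password verify function is assigned to the affected profiles, the ALTER USER statements are subject to it; the generated value meets the length and character-class rules of Oracle's shipped functions, but a site-specific function could still reject it, in which case the block raises and stops at that account.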
References:
1. http://docs.oracle.com/database/121/TDPSG/GUID-3EC7A894-D620-4497-AFB1-64EB8C33D854.htm#TDPSG20021
2. https://support.oracle.com/epmos/faces/DocumentDisplay?id=2173962.1
CISControls:
Version6
5.3ChangeDefaultPasswordsOnAllNewDevicesBeforedeployinganynewdevicesinanetworkedenvironment,changealldefaultpasswordsforapplications,operatingsystems,routers,firewalls,wirelessaccesspoints,andothersystemstohavevaluesconsistentwithadministration-levelaccounts.
18|P a g e
1.3 Ensure All Sample Data And Users Have Been Removed (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
Oracle sample schemas can be used to create sample users (BI, HR, IX, OE, PM, SCOTT, SH), with well-known default passwords, particular views, and procedures/functions, in addition to tables and fictitious data. The sample schemas should be removed.
Rationale:
The sample schemas are typically not required for production operations of the database. The default users, views, and/or procedures/functions created by sample schemas could be used to launch exploits against production environments.
Audit:
To assess this recommendation, check for the presence of Oracle sample users by executing the following SQL statement.
SELECT USERNAME FROM ALL_USERS WHERE USERNAME IN ('BI','HR','IX','OE','PM','SCOTT','SH');
Remediation:
To remediate this setting, execute the following SQL script.
$ORACLE_HOME/demo/schema/drop_sch.sql
Then, execute the following SQL statement.
DROP USER SCOTT CASCADE;
Note: The recycle bin is not set to OFF within the default drop script, which means that the data will still be present in your environment until the recycle bin is emptied.
Impact:
The Oracle sample usernames may be in use on a production basis. It is important that you first verify that BI, HR, IX, OE, PM, SCOTT, and/or SH are not valid production usernames before executing the dropping SQL scripts. This may be particularly true with the HR and BI users. If any of these users are present, it is important to be cautious and confirm the schemas present are, in fact, Oracle sample schemas and not production schemas being relied upon by business operations.
References:
1. http://docs.oracle.com/database/121/COMSC/toc.htm
CIS Controls:
Version 6
18.9 Sanitize Deployed Software Of Development Artifacts
For in-house developed applications, ensure that development artifacts (sample data and scripts; unused libraries, components, debug code; or tools) are not included in the deployed software, or accessible in the production environment.
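The Impact note above asks the DBA to confirm that the accounts really are the Oracle demo schemas before dropping them. The following query is an added example (not part of the CIS benchmark) that profiles each sample-schema account name present in DBA_USERS and counts the objects in other schemas that depend on it; demo schemas typically show few objects, no external dependents or grants, and no recent logins.

```sql
-- Added example, not part of the CIS benchmark text: pre-drop check for
-- recommendation 1.3. Assumes the 12c data dictionary views DBA_USERS
-- (LAST_LOGIN is new in 12c), DBA_OBJECTS, DBA_DEPENDENCIES and DBA_TAB_PRIVS.
WITH sample_users AS (
  SELECT 'BI' AS username FROM dual UNION ALL
  SELECT 'HR'    FROM dual UNION ALL
  SELECT 'IX'    FROM dual UNION ALL
  SELECT 'OE'    FROM dual UNION ALL
  SELECT 'PM'    FROM dual UNION ALL
  SELECT 'SCOTT' FROM dual UNION ALL
  SELECT 'SH'    FROM dual
)
SELECT u.username,
       u.account_status,
       u.created,
       u.last_login,
       -- how much lives in the schema and when it last changed
       (SELECT COUNT(*) FROM dba_objects o
         WHERE o.owner = u.username)                        AS object_count,
       (SELECT MAX(o.last_ddl_time) FROM dba_objects o
         WHERE o.owner = u.username)                        AS last_ddl_time,
       -- objects outside the sample schemas that reference this schema;
       -- these become INVALID once the schema is dropped
       (SELECT COUNT(*) FROM dba_dependencies d
         WHERE d.referenced_owner = u.username
           AND d.owner NOT IN (SELECT username FROM sample_users)) AS external_dependents,
       -- object privileges handed out to accounts other than the sample users
       (SELECT COUNT(*) FROM dba_tab_privs tp
         WHERE tp.owner = u.username
           AND tp.grantee NOT IN (SELECT username FROM sample_users)) AS grants_to_others
  FROM dba_users u
  JOIN sample_users s ON s.username = u.username
 ORDER BY u.username;

-- Detail of the external dependents counted above, for review before drop_sch.sql is run.
SELECT d.owner, d.name, d.type, d.referenced_owner, d.referenced_name
  FROM dba_dependencies d
 WHERE d.referenced_owner IN ('BI','HR','IX','OE','PM','SCOTT','SH')
   AND d.owner NOT IN ('BI','HR','IX','OE','PM','SCOTT','SH')
 ORDER BY d.referenced_owner, d.owner, d.name;
```

A non-zero EXTERNAL_DEPENDENTS or GRANTS_TO_OTHERS count, or a recent LAST_LOGIN, is the signal the Impact note warns about and should be investigated before the schema is dropped.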
2 Oracle Parameter Settings
The operation of the Oracle database instance is governed by numerous parameters that are set in specific configuration files and are instance-specific in scope. As alterations of these parameters can cause problems ranging from denial-of-service to theft of proprietary information, these configurations should be carefully considered and maintained.
Note: For all files that have parameters that can be modified with the OS and/or SQL commands/scripts, these will both be listed where appropriate.
2.1 Listener Settings
This section defines recommendations for the settings for the TNS Listener listener.ora file.
2.1.1 Ensure 'SECURE_CONTROL_' Is Set In 'listener.ora' (Scored)
Profile Applicability:
• Level 1 - Linux Host OS using Traditional Auditing
• Level 1 - Windows Server Host OS using Traditional Auditing
• Level 1 - Linux Host OS using Unified Auditing
• Level 1 - Windows Server Host OS using Unified Auditing
Description:
The SECURE_CONTROL_<listener_name> setting determines the type of control connection the Oracle server requires for remote configuration of the listener.
Rationale:
Listener configuration changes via unencrypted remote connections can result in unauthorized users sniffing control configuration information from the network.
Audit:
To audit this recommendation, follow these steps:
1. Open the $ORACLE_HOME/network/admin/listener.ora file (or %ORACLE_HOME%\network\admin\listener.ora on Windows)
2. Ensure that each defined listener has an associated SECURE_CONTROL_<listener_name> directive.
For example:
LISTENER1 =
  (DESCRIPTION=
    (ADDRESS=(PROTOCOL=TCP)(HOST=sales-server)(PORT=1521))
    (ADDRESS=(PROTOCOL=IPC)(KEY=REGISTER))
    (ADDRESS=(PROTOCOL=TCPS)(HOST=sales-server)(PORT=1522)))
SECURE_CONTROL_LISTENER1=TCPS
Remediation:
To remediate this recommendation:
Set the SECURE_CONTROL_<listener_name> for each defined listener in the listener.ora file.
References:
1. http://docs.oracle.com/database/121/NETRF/listener.htm#NETRF327
CIS Controls:
Version 6
3.4 Use Only Secure Channels For Remote System Administration
Perform all remote administration of servers, workstation, network devices, and similar equipment over secure channels. Protocols such as telnet, VNC, RDP, or others that do not actively support strong encryption should only be used if they are performed over a secondary encryption channel, such as SSL, TLS or IPSEC.
2.1.2 Ensure 'extproc' Is Not Present in 'listener.ora' (Scored)
Profile Applicability:
• Level 1 - Linux Host OS using Traditional Auditing
• Level 1 - Windows Server Host OS using Traditional Auditing
• Level 1 - Linux Host OS using Unified Auditing
• Level 1 - Windows Server Host OS using Unified Auditing
Description:
extproc should be removed from the listener.ora to mitigate the risk that OS libraries can be invoked by the Oracle instance.
Rationale:
extproc allows the database to run procedures from OS libraries. These library calls can, in turn, run any OS command.
Audit:
To audit this recommendation, execute the following shell commands as appropriate for your Linux/Windows environment.
Linux environment:
grep -i extproc $ORACLE_HOME/network/admin/listener.ora
Windows environment:
find /I extproc %ORACLE_HOME%\network\admin\listener.ora
Ensure extproc does not exist.
Remediation:
To remediate this recommendation:
Remove extproc from the listener.ora file.
References:
1. http://docs.oracle.com/database/121/DBSEG/app_devs.htm#DBSEG656
CIS Controls:
Version 6
18.9 Sanitize Deployed Software Of Development Artifacts
For in-house developed applications, ensure that development artifacts (sample data and scripts; unused libraries, components, debug code; or tools) are not included in the deployed software, or accessible in the production environment.
2.1.3 Ensure 'ADMIN_RESTRICTIONS_' Is Set to 'ON' (Scored)
Profile Applicability:
• Level 1 - Linux Host OS using Traditional Auditing
• Level 1 - Windows Server Host OS using Traditional Auditing
• Level 1 - Linux Host OS using Unified Auditing
• Level 1 - Windows Server Host OS using Unified Auditing
Description:
The admin_restrictions_<listener_name> setting in the listener.ora file can require that any attempted real-time alteration of the parameters in the listener via the set command file be refused unless the listener.ora file is manually altered, then restarted by a privileged user.
Rationale:
Blocking unprivileged users from making alterations of the listener.ora file, where remote data/service settings are specified, will help protect data confidentiality.
Audit:
To audit this recommendation, execute the following shell commands as appropriate for your Linux/Windows environment.
Linux environment:
grep -i admin_restrictions $ORACLE_HOME/network/admin/listener.ora
Windows environment:
find /I admin_restrictions %ORACLE_HOME%\network\admin\listener.ora
Ensure admin_restrictions_<listener_name> is set to ON for all listeners.
Remediation:
To remediate this recommendation:
Use a text editor such as vi to set the admin_restrictions_<listener_name> to the value ON.
Default Value:
Not set.
References:
1. http://docs.oracle.com/database/121/NETRF/listener.htm#NETRF310
CIS Controls:
Version 6
5.1 Minimize And Sparingly Use Administrative Privileges
Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.
2.1.4 Ensure 'SECURE_REGISTER_' Is Set to 'TCPS' or 'IPC' (Scored)
Profile Applicability:
• Level 1 - Linux Host OS using Traditional Auditing
• Level 1 - Windows Server Host OS using Traditional Auditing
• Level 1 - Linux Host OS using Unified Auditing
• Level 1 - Windows Server Host OS using Unified Auditing
Description:
The SECURE_REGISTER_<listener_name> setting specifies the protocols used to connect to the TNS listener. Each setting should have a value of either TCPS or IPC based on the needs for its protocol.
Rationale:
Listener configuration changes via unencrypted remote connections can result in unauthorized users sniffing control configuration information from the network.
Audit:
To audit this recommendation, execute the following shell commands as appropriate for your Linux/Windows environment.
Linux environment:
grep -i SECURE_REGISTER $ORACLE_HOME/network/admin/listener.ora
Windows environment:
find /I SECURE_REGISTER %ORACLE_HOME%\network\admin\listener.ora
Ensure SECURE_REGISTER_<listener_name> is set to TCPS or IPC.
Remediation:
To remediate this recommendation:
Use a text editor such as vi to set the SECURE_REGISTER_<listener_name>=TCPS or SECURE_REGISTER_<listener_name>=IPC for each listener found in $ORACLE_HOME/network/admin/listener.ora.
References:
1. http://docs.oracle.com/database/121/NETRF/listener.htm#NETRF328
2. https://support.oracle.com/epmos/faces/ui/km/DocumentDisplay.jspx?id=1453883.1
3. https://support.oracle.com/epmos/faces/ui/km/DocumentDisplay.jspx?id=1340831.1
4. http://www.joxeankoret.com/download/tnspoison.pdf
Notes:
Oracle Real Application Cluster requires a different approach to fix the TNS Poisoning problem. See Oracle support note 1453883.1 for details.
CIS Controls:
Version 6
14.2 Encrypt All Sensitive Information Over Less-trusted Networks
All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted.
2.2 Database Settings
This section defines recommendations covering the general security configuration of the database instance. The recommendations ensure auditing is enabled, listeners are appropriately confined, and authentication is appropriately configured.
Note: The remediation procedures assume the use of a server parameter file, which is often a preferred method of storing server initialization parameters.
For your environment, leaving off the SCOPE = SPFILE directive or substituting it with SCOPE = BOTH might be preferred depending on the recommendation.
2.2.1 Ensure 'AUDIT_SYS_OPERATIONS' Is Set to 'TRUE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
Description:
The AUDIT_SYS_OPERATIONS setting provides for the auditing of all user activities conducted under the SYSOPER and SYSDBA accounts. The setting should be set to TRUE to enable this auditing.
Rationale:
If the parameter AUDIT_SYS_OPERATIONS is FALSE, all statements except for Startup/Shutdown and Logon by SYSDBA/SYSOPER users are not audited.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME) = 'AUDIT_SYS_OPERATIONS';
Ensure VALUE is set to TRUE.
Remediation:
To remediate this setting, execute the following SQL statement.
ALTER SYSTEM SET AUDIT_SYS_OPERATIONS = TRUE SCOPE=SPFILE;
References:
1. http://docs.oracle.com/database/121/REFRN/GUID-58176267-238C-40B5-B1F2-BB8BB9518950.htm#REFRN10005
CIS Controls:
Version 6
5.4 Log Administrative User Addition And Removal
Configure systems to issue a log entry and alert when an account is added to or removed from a domain administrators' group, or when a new local administrator account is added on a system.
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
2.2.2 Ensure 'AUDIT_TRAIL' Is Set to 'DB', 'XML', 'OS', 'DB,EXTENDED', or 'XML,EXTENDED' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
Description:
The audit_trail setting determines whether or not Oracle's basic audit features are enabled. It can be set to "Operating System" (OS); DB; DB,EXTENDED; XML; or XML,EXTENDED. The value should be set according to the needs of the organization.
Rationale:
Enabling the basic auditing features for the Oracle instance permits the collection of data to troubleshoot problems, as well as provides valuable forensic logs in the case of a system breach. This value should be set according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='AUDIT_TRAIL';
Ensure VALUE is set to DB or OS or XML or DB,EXTENDED or XML,EXTENDED.
Remediation:
To remediate this setting, execute one of the following SQL statements.
ALTER SYSTEM SET AUDIT_TRAIL = DB, EXTENDED SCOPE = SPFILE;
ALTER SYSTEM SET AUDIT_TRAIL = OS SCOPE = SPFILE;
ALTER SYSTEM SET AUDIT_TRAIL = XML, EXTENDED SCOPE = SPFILE;
ALTER SYSTEM SET AUDIT_TRAIL = DB SCOPE = SPFILE;
ALTER SYSTEM SET AUDIT_TRAIL = XML SCOPE = SPFILE;
References:
1. http://docs.oracle.com/database/121/REFRN/GUID-BD86F593-B606-4367-9FB6-8DAB2E47E7FA.htm#REFRN10006
2. http://www.oracle.com/technetwork/products/audit-vault/learnmore/twp-security-auditperformance-166655.pdf
CIS Controls:
Version 6
6 Maintenance, Monitoring, and Analysis of Audit Logs
2.2.3 Ensure 'GLOBAL_NAMES' Is Set to 'TRUE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The global_names setting requires that the name of a database link matches that of the remote database it will connect to. This setting should have a value of TRUE.
Rationale:
Not requiring database connections to match the domain that is being called remotely could allow unauthorized domain sources to potentially connect via brute-force tactics.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='GLOBAL_NAMES';
Ensure VALUE is set to TRUE.
Remediation:
To remediate this setting, execute the following SQL statement.
ALTER SYSTEM SET GLOBAL_NAMES = TRUE SCOPE = SPFILE;
References:
1. http://docs.oracle.com/database/121/REFRN/GUID-221D0483-D814-4963-84E1-7D39A25048ED.htm#REFRN10065
CIS Controls:
Version 6
9 Limitation and Control of Network Ports, Protocols, and Services
2.2.4 Ensure 'O7_DICTIONARY_ACCESSIBILITY' Is Set to 'FALSE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The O7_dictionary_accessibility setting is a database initialization parameter that allows/disallows access to objects with the * ANY * privileges (SELECT ANY TABLE, DELETE ANY TABLE, EXECUTE ANY PROCEDURE, etc.). This functionality was created for the ease of migration from Oracle 7 databases to later versions. The setting should have a value of FALSE.
Rationale:
Leaving the SYS schema so open to connection could permit unauthorized access to critical data structures.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='O7_DICTIONARY_ACCESSIBILITY';
Ensure VALUE is set to FALSE.
Remediation:
To remediate this setting, execute the following SQL statement.
ALTER SYSTEM SET O7_DICTIONARY_ACCESSIBILITY=FALSE SCOPE = SPFILE;
References:
1. http://docs.oracle.com/database/121/REFRN/GUID-1D1A88F1-B603-48FF-BD30-E6099DB1A1ED.htm#REFRN10133
Notes:
The value for this is "O (oh) 7" not "0 (Zero) 7" for O7. Also, for "Oracle Applications" up to version 11.5.9, this setting is reversed; the O7_dictionary_accessibility=TRUE value is required for correct operations.
CIS Controls:
Version 6
9.1 Limit Open Ports, Protocols, and Services
Ensure that only ports, protocols, and services with validated business needs are running on each system.
2.2.5 Ensure 'OS_ROLES' Is Set to 'FALSE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The os_roles setting permits externally created groups to be applied to database management.
Rationale:
Allowing the OS to use external groups for database management could cause privilege overlaps and generally weaken security.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='OS_ROLES';
Ensure VALUE is set to FALSE.
Remediation:
To remediate this setting, execute the following SQL statement.
ALTER SYSTEM SET OS_ROLES = FALSE SCOPE = SPFILE;
References:
1. http://docs.oracle.com/database/121/REFRN/GUID-51CCE2D6-F841-4E02-A89D-EA08FC110CF3.htm#REFRN10153
CIS Controls:
Version 6
16 Account Monitoring and Control
2.2.6 Ensure 'REMOTE_LISTENER' Is Empty (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The remote_listener setting determines whether or not a valid listener can be established on a system separate from the database instance. This setting should be empty unless the organization specifically needs a valid listener on a separate system.
Rationale:
Permitting a remote listener for connections to the database instance can allow for the potential spoofing of connections and that could compromise data confidentiality and integrity.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='REMOTE_LISTENER';
Ensure VALUE is empty.
Remediation:
To remediate this setting, execute the following SQL statement.
ALTER SYSTEM SET REMOTE_LISTENER = '' SCOPE = SPFILE;
References:
1. http://docs.oracle.com/database/121/REFRN/GUID-FEE2E8B5-CE02-4158-A6B4-030E59316756.htm#REFRN10183
Notes:
If set as remote_listener=true, the address/address list is taken from the TNSNAMES.ORA file.
CIS Controls:
Version 6
9 Limitation and Control of Network Ports, Protocols, and Services
2.2.7 Ensure 'REMOTE_LOGIN_PASSWORDFILE' Is Set to 'NONE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The remote_login_passwordfile setting specifies whether or not Oracle checks for a password file during login and how many databases can use the password file. The setting should have a value of NONE.
Rationale:
The use of this sort of password login file could permit unsecured, privileged connections to the database.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='REMOTE_LOGIN_PASSWORDFILE';
Ensure VALUE is set to NONE.
Remediation:
To remediate this setting, execute the following SQL statement.
ALTER SYSTEM SET REMOTE_LOGIN_PASSWORDFILE = 'NONE' SCOPE = SPFILE;
References:
1. http://docs.oracle.com/database/121/REFRN/GUID-6619299E-95E8-4821-B123-3B5899F046C7.htm#REFRN10184
CIS Controls:
Version 6
16 Account Monitoring and Control
2.2.8 Ensure 'REMOTE_OS_AUTHENT' Is Set to 'FALSE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The remote_os_authent setting determines whether or not OS 'roles' with the attendant privileges are allowed for remote client connections. This setting should have a value of FALSE.
Rationale:
Permitting OS roles for database connections can allow the spoofing of connections and permit granting the privileges of an OS role to unauthorized users to make connections. This value should be restricted according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='REMOTE_OS_AUTHENT';
Ensure VALUE is set to FALSE.
Remediation:
To remediate this setting, execute the following SQL statement.
ALTER SYSTEM SET REMOTE_OS_AUTHENT = FALSE SCOPE = SPFILE;
References:
1. http://docs.oracle.com/database/121/REFRN/GUID-AB66C849-FE5A-4E06-A6E1-AEE775D55703.htm#REFRN10185
CIS Controls:
Version 6
16 Account Monitoring and Control
2.2.9 Ensure 'REMOTE_OS_ROLES' Is Set to 'FALSE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The remote_os_roles setting permits remote users' OS roles to be applied to database management. This setting should have a value of FALSE.
Rationale:
Allowing remote clients' OS roles to have permissions for database management could cause privilege overlaps and generally weaken security.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='REMOTE_OS_ROLES';
Ensure VALUE is set to FALSE.
Remediation:
To remediate this setting, execute the following SQL statement.
ALTER SYSTEM SET REMOTE_OS_ROLES = FALSE SCOPE = SPFILE;
References:
1. http://docs.oracle.com/database/121/REFRN/GUID-BAA83447-14C1-4BE7-BB5D-806ED3E00AED.htm#REFRN10186
CIS Controls:
Version 6
16 Account Monitoring and Control
2.2.10 Ensure 'UTL_FILE_DIR' Is Empty (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The utl_file_dir setting allows packages like utl_file to access (read/write/modify/delete) files specified in utl_file_dir. This setting should have an empty value.
Rationale:
Using the utl_file_dir to create directories allows the manipulation of files in these directories.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT VALUE FROM V$PARAMETER WHERE UPPER(NAME)='UTL_FILE_DIR';
Ensure VALUE is empty.
Remediation:
To remediate this setting, execute the following SQL statement.
ALTER SYSTEM SET UTL_FILE_DIR = '' SCOPE = SPFILE;
References:
1. http://docs.oracle.com/database/121/REFRN/GUID-DCA8A942-ACE1-46D6-876E-3244F390BCAE.htm#REFRN10230
CIS Controls:
Version 6
18 Application Software Security
2.2.11 Ensure 'SEC_CASE_SENSITIVE_LOGON' Is Set to 'TRUE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The SEC_CASE_SENSITIVE_LOGON information determines whether or not case-sensitivity is required for passwords during login.
Rationale:
Oracle database password case-sensitivity increases the pool of characters that can be chosen for the passwords, making brute-force password attacks quite difficult.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='SEC_CASE_SENSITIVE_LOGON';
Ensure VALUE is set to TRUE.
Remediation:
To remediate this setting, execute the following SQL statement.
ALTER SYSTEM SET SEC_CASE_SENSITIVE_LOGON = TRUE SCOPE = SPFILE;
References:
1. http://docs.oracle.com/database/121/REFRN/GUID-F464653A-0D43-4A70-8F05-0274A12C8578.htm#REFRN10299
CIS Controls:
Version 6
16 Account Monitoring and Control
2.2.12 Ensure 'SEC_MAX_FAILED_LOGIN_ATTEMPTS' Is '3' or Less (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The SEC_MAX_FAILED_LOGIN_ATTEMPTS parameter determines how many failed login attempts are allowed before Oracle closes the login connection.
Rationale:
Allowing an unlimited number of login attempts for a user connection can facilitate both brute-force login attacks and the occurrence of denial-of-service.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='SEC_MAX_FAILED_LOGIN_ATTEMPTS';
Ensure VALUE is set to 3.
Remediation:
To remediate this setting, execute the following SQL statement.
ALTER SYSTEM SET SEC_MAX_FAILED_LOGIN_ATTEMPTS = 3 SCOPE = SPFILE;
References:
1. http://docs.oracle.com/database/121/REFRN/GUID-DEC2A3B2-F49B-499E-A3CF-D097F3A5BA83.htm#REFRN10274
CIS Controls:
Version 6
16.7 Configure Account Lockouts
Use and configure account lockouts such that after a set number of failed login attempts the account is locked for a standard period of time.
2.2.13 Ensure 'SEC_PROTOCOL_ERROR_FURTHER_ACTION' Is Set to 'DROP,3' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The SEC_PROTOCOL_ERROR_FURTHER_ACTION setting determines the Oracle server's response to bad/malformed packets received from the client. This setting should have a value of DROP,3, which will cause a connection to be dropped after three bad/malformed packets.
Rationale:
Bad packets received from the client can potentially indicate packet-based attacks on the system, such as "TCP SYN Flood" or "Smurf" attacks, which could result in a denial-of-service condition. This value should be set according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='SEC_PROTOCOL_ERROR_FURTHER_ACTION';
Ensure VALUE is set to DROP,3.
Remediation:
To remediate this setting, execute the following SQL statement.
ALTER SYSTEM SET SEC_PROTOCOL_ERROR_FURTHER_ACTION = 'DROP,3' SCOPE = SPFILE;
References:
1. http://docs.oracle.com/database/121/REFRN/GUID-1E8D3C6E-C919-4218-8117-760D31BD0F95.htm#REFRN10282
CIS Controls:
Version 6
18 Application Software Security
2.2.14 Ensure 'SEC_PROTOCOL_ERROR_TRACE_ACTION' Is Set to 'LOG' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The SEC_PROTOCOL_ERROR_TRACE_ACTION setting determines the Oracle server's logging response level to bad/malformed packets received from the client by generating ALERT, LOG, or TRACE levels of detail in the log files. This setting should have a value of LOG unless the organization has a compelling reason to use a different value, because LOG should cause the necessary information to be logged. Setting the value as TRACE can generate an enormous amount of log output and should be reserved for debugging only.
Rationale:
Bad packets received from the client can potentially indicate packet-based attacks on the system, which could result in a denial-of-service condition.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='SEC_PROTOCOL_ERROR_TRACE_ACTION';
Ensure VALUE is set to LOG.
Remediation:
To remediate this setting, execute the following SQL statement.
ALTER SYSTEM SET SEC_PROTOCOL_ERROR_TRACE_ACTION=LOG SCOPE = SPFILE;
References:
1. http://docs.oracle.com/database/121/REFRN/GUID-AE811BC1-8CED-4B21-B16C-4B712B127535.htm#REFRN10283
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
2.2.15 Ensure 'SEC_RETURN_SERVER_RELEASE_BANNER' Is Set to 'FALSE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The information about patch/update release number provides information about the exact patch/update release that is currently running on the database. This is sensitive information that should not be revealed to anyone who requests it.
Rationale:
Allowing the database to return information about the patch/update release number could facilitate unauthorized users' attempts to gain access based upon known patch weaknesses.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='SEC_RETURN_SERVER_RELEASE_BANNER';
Ensure VALUE is set to FALSE.
Remediation:
To remediate this setting, execute the following SQL statement.
ALTER SYSTEM SET SEC_RETURN_SERVER_RELEASE_BANNER = FALSE SCOPE = SPFILE;
References:
1. http://docs.oracle.com/database/121/REFRN/GUID-688102A0-11F5-4F06-8868-934D65C4E878.htm#REFRN10275
CIS Controls:
Version 6
9 Limitation and Control of Network Ports, Protocols, and Services
2.2.16 Ensure 'SQL92_SECURITY' Is Set to 'TRUE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The SQL92_SECURITY parameter setting TRUE requires that a user must also be granted the SELECT object privilege before being able to perform UPDATE or DELETE operations on tables that have WHERE or SET clauses. The setting should have a value of TRUE.
Rationale:
A user without SELECT privilege can still infer the value stored in a column by referring to that column in a DELETE or UPDATE statement. This setting prevents inadvertent information disclosure by ensuring that only users who already have SELECT privilege can execute the statements that would allow them to infer the stored values.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='SQL92_SECURITY';
Ensure VALUE is set to TRUE.
Remediation:
To remediate this setting, execute the following SQL statement.
ALTER SYSTEM SET SQL92_SECURITY = TRUE SCOPE = SPFILE;
Default Value:
FALSE
References:
1. http://docs.oracle.com/database/121/REFRN/GUID-E41087C2-250E-4201-908B-79E659B22A4B.htm#REFRN10210
CIS Controls:
Version 6
18 Application Software Security
2.2.17 Ensure '_trace_files_public' Is Set to 'FALSE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The _trace_files_public setting determines whether or not the system's trace file is world readable. This setting should have a value of FALSE to restrict trace file access.
Rationale:
Making the file world readable means anyone can read the instance's trace file, which could contain sensitive information about instance operations.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT VALUE FROM V$PARAMETER WHERE NAME='_trace_files_public';
A VALUE equal to FALSE or lack of results implies compliance.
Remediation:
To remediate this setting, execute the following SQL statement.
ALTER SYSTEM SET "_trace_files_public" = FALSE SCOPE = SPFILE;
References:
1. http://asktom.oracle.com/pls/asktom/f?p=100:11:0::::P11_QUESTION_ID:4295521746131
CIS Controls:
Version 6
14.4 Protect Information With Access Control Lists
All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
2.2.18 Ensure 'RESOURCE_LIMIT' Is Set to 'TRUE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
RESOURCE_LIMIT determines whether resource limits are enforced in database profiles. This setting should have a value of TRUE.
Rationale:
If RESOURCE_LIMIT is set to FALSE, none of the system resource limits that are set in any database profiles are enforced. If RESOURCE_LIMIT is set to TRUE, the limits set in database profiles are enforced.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='RESOURCE_LIMIT';
Ensure VALUE is set to TRUE.
Remediation:
To remediate this setting, execute the following SQL statement.
ALTER SYSTEM SET RESOURCE_LIMIT = TRUE SCOPE = SPFILE;
Default Value:
FALSE
References:
1. http://docs.oracle.com/database/121/REFRN/GUID-BB0AB177-3867-4D0D-8700-A1AC8BDFEFC3.htm#REFRN10188
CIS Controls:
Version 6
14.4 Protect Information With Access Control Lists
All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
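Recommendations 2.2.1 through 2.2.18 each audit one initialization parameter with a separate query. The following query is an added example (not part of the CIS benchmark) that scores all of them in one pass: the expected values are taken from the recommendations above and encoded as regular expressions, and NULL_OK marks the parameters the benchmark treats as compliant when unset (REMOTE_LISTENER, UTL_FILE_DIR, _trace_files_public).

```sql
-- Added example, not part of the CIS benchmark text. Assumes only V$PARAMETER;
-- a hidden parameter such as _trace_files_public has no row unless it has been
-- set explicitly, which the LEFT JOIN and NULL_OK = 'Y' treat as a pass.
WITH expected AS (
  SELECT 'AUDIT_SYS_OPERATIONS' AS param_name, '^TRUE$' AS expected_re, 'N' AS null_ok FROM dual UNION ALL
  SELECT 'AUDIT_TRAIL', '^(DB|OS|XML|DB, ?EXTENDED|XML, ?EXTENDED)$', 'N' FROM dual UNION ALL
  SELECT 'GLOBAL_NAMES', '^TRUE$', 'N' FROM dual UNION ALL
  SELECT 'O7_DICTIONARY_ACCESSIBILITY', '^FALSE$', 'N' FROM dual UNION ALL
  SELECT 'OS_ROLES', '^FALSE$', 'N' FROM dual UNION ALL
  SELECT 'REMOTE_LISTENER', '^$', 'Y' FROM dual UNION ALL          -- must be empty
  SELECT 'REMOTE_LOGIN_PASSWORDFILE', '^NONE$', 'N' FROM dual UNION ALL
  SELECT 'REMOTE_OS_AUTHENT', '^FALSE$', 'N' FROM dual UNION ALL
  SELECT 'REMOTE_OS_ROLES', '^FALSE$', 'N' FROM dual UNION ALL
  SELECT 'UTL_FILE_DIR', '^$', 'Y' FROM dual UNION ALL             -- must be empty
  SELECT 'SEC_CASE_SENSITIVE_LOGON', '^TRUE$', 'N' FROM dual UNION ALL
  SELECT 'SEC_MAX_FAILED_LOGIN_ATTEMPTS', '^[1-3]$', 'N' FROM dual UNION ALL   -- 3 or less
  SELECT 'SEC_PROTOCOL_ERROR_FURTHER_ACTION', '^\(?DROP, ?3\)?$', 'N' FROM dual UNION ALL
  SELECT 'SEC_PROTOCOL_ERROR_TRACE_ACTION', '^LOG$', 'N' FROM dual UNION ALL
  SELECT 'SEC_RETURN_SERVER_RELEASE_BANNER', '^FALSE$', 'N' FROM dual UNION ALL
  SELECT 'SQL92_SECURITY', '^TRUE$', 'N' FROM dual UNION ALL
  SELECT '_TRACE_FILES_PUBLIC', '^FALSE$', 'Y' FROM dual UNION ALL  -- absent row is compliant
  SELECT 'RESOURCE_LIMIT', '^TRUE$', 'N' FROM dual
)
SELECT e.param_name,
       NVL(p.value, '<not set>') AS current_value,
       CASE
         -- Oracle stores an empty string as NULL, so "empty" and "unset" both land here
         WHEN p.value IS NULL THEN CASE e.null_ok WHEN 'Y' THEN 'PASS' ELSE 'FAIL' END
         WHEN REGEXP_LIKE(UPPER(p.value), e.expected_re) THEN 'PASS'
         ELSE 'FAIL'
       END AS result
  FROM expected e
  LEFT JOIN v$parameter p
    ON UPPER(p.name) = e.param_name
 ORDER BY e.param_name;
```

Every row should read PASS; a FAIL row names the recommendation in this section whose remediation statement applies.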
3 Oracle Connection and Login Restrictions
The restrictions on Client/User connections to the Oracle database help block unauthorized access to data and services by setting access rules. These security measures help to ensure that successful logins cannot be easily made through brute-force password attacks or intuited by clever social engineering exploits. Settings are generally recommended to be applied to all defined profiles rather than by using only the DEFAULT profile. All values assigned below are the recommended minimums or maximums; higher, more restrictive values can be applied at the discretion of the organization by creating a separate profile to assign to a different user group.
3.1 Ensure 'FAILED_LOGIN_ATTEMPTS' Is Less than or Equal to '5' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The FAILED_LOGIN_ATTEMPTS setting determines how many failed login attempts are permitted before the system locks the user's account. While different profiles can have different and more restrictive settings, such as USERS and APPS, the minimum(s) recommended here should be set on the DEFAULT profile.
Rationale:
Repeated failed login attempts can indicate the initiation of a brute-force login attack. This value should be set according to the needs of the organization. (See the Notes for a warning on a known bug that can make this security measure backfire.)
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PROFILE, RESOURCE_NAME, LIMIT
  FROM DBA_PROFILES
 WHERE RESOURCE_NAME='FAILED_LOGIN_ATTEMPTS'
   AND ( LIMIT = 'DEFAULT' OR LIMIT = 'UNLIMITED' OR LIMIT > 5 );
Lack of results implies compliance.
Remediation:
Remediate this setting by executing the following SQL statement for each PROFILE returned by the audit procedure.
ALTER PROFILE <profile_name> LIMIT FAILED_LOGIN_ATTEMPTS 5;
Notes:
Warning: One great concern with the above is the possibility of this setting being exploited to craft a DDoS attack by using the row-locking delay between failed login attempts (see Oracle Bug 7715339 – Logon failures causes "row cache lock" waits – Allow disable of logon delay [ID 7715339.8]), so the configuration of this setting depends on using the bug workaround. Also, while the setting for the FAILED_LOGIN_ATTEMPTS value can also be set in sqlnet.ora, this only applies to listed users. The similar setting used to block a DDoS, the SEC_MAX_FAILED_LOGIN_ATTEMPTS initialization parameter, can be used to protect against unauthorized intruders attacking the server processes for applications, but this setting does not protect against unauthorized attempts via valid usernames.
CIS Controls:
Version 6
16.7 Configure Account Lockouts
Use and configure account lockouts such that after a set number of failed login attempts the account is locked for a standard period of time.
3.2 Ensure 'PASSWORD_LOCK_TIME' Is Greater than or Equal to '1' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The PASSWORD_LOCK_TIME setting determines how many days must pass for the user's account to be unlocked after the set number of failed login attempts has occurred. The suggested value for this is one day or greater.
Rationale:
Locking the user account after repeated failed login attempts can block further brute-force login attacks, but can create administrative headaches as this account unlocking process always requires DBA intervention.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE RESOURCE_NAME='PASSWORD_LOCK_TIME' AND ( LIMIT = 'DEFAULT' OR LIMIT = 'UNLIMITED' OR LIMIT < 1 );
Lack of results implies compliance.
Remediation:
Remediate this setting by executing the following SQL statement for each PROFILE returned by the audit procedure.
ALTER PROFILE <profile_name> LIMIT PASSWORD_LOCK_TIME 1;
CIS Controls:
Version 6
16.7 Configure Account Lockouts
Use and configure account lockouts such that after a set number of failed login attempts the account is locked for a standard period of time.
3.3 Ensure 'PASSWORD_LIFE_TIME' Is Less than or Equal to '90' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The PASSWORD_LIFE_TIME setting determines how long a password may be used before the user is required to change it. The suggested value for this is 90 days or less.
Rationale:
Allowing passwords to remain unchanged for long periods makes the success of brute-force login attacks more likely.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE RESOURCE_NAME='PASSWORD_LIFE_TIME' AND ( LIMIT = 'DEFAULT' OR LIMIT = 'UNLIMITED' OR LIMIT > 90 );
Lack of results implies compliance.
Remediation:
Remediate this setting by executing the following SQL statement for each PROFILE returned by the audit procedure.
ALTER PROFILE <profile_name> LIMIT PASSWORD_LIFE_TIME 90;
CIS Controls:
Version 6
16 Account Monitoring and Control
3.4 Ensure 'PASSWORD_REUSE_MAX' Is Greater than or Equal to '20' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The PASSWORD_REUSE_MAX setting determines how many different passwords must be used before the user is allowed to reuse a prior password. The suggested value for this is 20 passwords or greater.
Rationale:
Allowing reuse of a password within a short period of time after the password's initial use can make the success of both social-engineering and brute-force password-based attacks more likely.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE RESOURCE_NAME='PASSWORD_REUSE_MAX' AND ( LIMIT = 'DEFAULT' OR LIMIT = 'UNLIMITED' OR LIMIT < 20 );
Lack of results implies compliance.
Remediation:
Remediate this setting by executing the following SQL statement for each PROFILE returned by the audit procedure.
ALTER PROFILE <profile_name> LIMIT PASSWORD_REUSE_MAX 20;
Notes:
The above restriction should be applied along with the PASSWORD_REUSE_TIME setting.
CIS Controls:
Version 6
16 Account Monitoring and Control
3.5 Ensure 'PASSWORD_REUSE_TIME' Is Greater than or Equal to '365' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The PASSWORD_REUSE_TIME setting determines the amount of time in days that must pass before the same password may be reused. The suggested value for this is 365 days or greater.
Rationale:
Reusing the same password after only a short period of time has passed makes the success of brute-force login attacks more likely.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE RESOURCE_NAME='PASSWORD_REUSE_TIME' AND ( LIMIT = 'DEFAULT' OR LIMIT = 'UNLIMITED' OR LIMIT < 365 );
Lack of results implies compliance.
Remediation:
Remediate this setting by executing the following SQL statement for each PROFILE returned by the audit procedure.
ALTER PROFILE <profile_name> LIMIT PASSWORD_REUSE_TIME 365;
Notes:
The above restriction should be applied along with the PASSWORD_REUSE_MAX setting.
CIS Controls:
Version 6
16 Account Monitoring and Control
3.6 Ensure 'PASSWORD_GRACE_TIME' Is Less than or Equal to '5' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The PASSWORD_GRACE_TIME setting determines how many days can pass after the user's password expires before the user's login capability is automatically locked out. The suggested value for this is five days or less.
Rationale:
Locking the user account after the expiration of the password change requirement's grace period can help prevent password-based attacks against any forgotten or disused accounts, while still allowing the account and its information to be accessible by DBA intervention.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE RESOURCE_NAME='PASSWORD_GRACE_TIME' AND ( LIMIT = 'DEFAULT' OR LIMIT = 'UNLIMITED' OR LIMIT > 5 );
Lack of results implies compliance.
Remediation:
Remediate this setting by executing the following SQL statement for each PROFILE returned by the audit procedure.
ALTER PROFILE <profile_name> LIMIT PASSWORD_GRACE_TIME 5;
CIS Controls:
Version 6
16 Account Monitoring and Control
3.7 Ensure 'DBA_USERS.PASSWORD' Is Not Set to 'EXTERNAL' for Any User (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The password='EXTERNAL' setting determines whether or not a user can be authenticated by a remote OS to allow access to the database with full authorization. This setting should not be used.
Rationale:
Allowing remote OS authentication of a user to the database can potentially allow supposed "privileged users" to connect as "authenticated," even when the remote system is compromised.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT USERNAME FROM DBA_USERS WHERE PASSWORD='EXTERNAL';
Lack of results implies compliance.
Remediation:
To remediate this setting, execute the following SQL statement.
ALTER USER <username> IDENTIFIED BY <password>;
Notes:
The PASSWORD keyword (column) used in the SQL for prior Oracle versions has been deprecated from version 11.2 onward in favor of the new AUTHENTICATION_TYPE keyword (column) for the DBA_USERS table. However, the PASSWORD column has still been retained for backward compatibility.
CIS Controls:
Version 6
16 Account Monitoring and Control
3.8 Ensure 'PASSWORD_VERIFY_FUNCTION' Is Set for All Profiles (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The PASSWORD_VERIFY_FUNCTION determines the requirements a password must meet when a user password is changed at the SQL command prompt. It should be set for all profiles. Note that this setting does not apply for users managed by the Oracle password file.
Rationale:
Requiring users to apply the 12c security features in password creation, such as forcing mixed-case complexity, blocking of simple combinations, and enforcing change/history settings, can potentially thwart logins by an unauthorized user.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PROFILE, RESOURCE_NAME FROM DBA_PROFILES WHERE RESOURCE_NAME='PASSWORD_VERIFY_FUNCTION' AND (LIMIT = 'DEFAULT' OR LIMIT = 'NULL');
Lack of results implies compliance.
Remediation:
Create a custom password verification function which fulfills the password requirements of the organization.
CIS Controls:
Version 6
16 Account Monitoring and Control
3.9 Ensure 'SESSIONS_PER_USER' Is Less than or Equal to '10' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The SESSIONS_PER_USER setting determines the maximum number of user sessions that are allowed to be open concurrently. The suggested value for this is 10 or less.
Rationale:
Limiting the number of the SESSIONS_PER_USER can help prevent memory resource exhaustion by poorly formed requests or intentional denial-of-service attacks.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE RESOURCE_NAME='SESSIONS_PER_USER' AND ( LIMIT = 'DEFAULT' OR LIMIT = 'UNLIMITED' OR LIMIT > 10 );
Lack of results implies compliance.
Remediation:
To remediate this setting, execute the following SQL statement for each PROFILE returned by the audit procedure.
ALTER PROFILE <profile_name> LIMIT SESSIONS_PER_USER 10;
Notes:
The SESSIONS_PER_USER profile management capability was created to prevent resource(s) exhaustion at a time when resource usage was very expensive. As current database design may require much higher limits on this parameter if one "user" handles all processing for specific types of batch/customer connections, this must be handled via a new user profile.
CIS Controls:
Version 6
18 Application Software Security
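Added example (not part of the benchmark): a Python evaluator that applies the DBA_PROFILES checks of 3.1 through 3.6 and 3.9 above offline to rows exported from DBA_PROFILES. It resolves a profile's literal 'DEFAULT' to the value the DEFAULT profile carries before comparing numerically, because LIMIT is a character column and a custom profile only inherits what DEFAULT says at that moment. The thresholds are the ones stated in the recommendations; all sample rows are constructed.

```python
"""Offline evaluator for the DBA_PROFILES checks in recommendations 3.1-3.6 and 3.9.

Added example; it is not part of the CIS benchmark. Input rows have the shape of
  SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES
and the sample rows below are constructed, not taken from a real database.
"""

# Benchmark thresholds: resource -> (operator, value, recommendation number).
RULES = {
    "FAILED_LOGIN_ATTEMPTS": ("<=", 5, "3.1"),
    "PASSWORD_LOCK_TIME": (">=", 1, "3.2"),
    "PASSWORD_LIFE_TIME": ("<=", 90, "3.3"),
    "PASSWORD_REUSE_MAX": (">=", 20, "3.4"),
    "PASSWORD_REUSE_TIME": (">=", 365, "3.5"),
    "PASSWORD_GRACE_TIME": ("<=", 5, "3.6"),
    "SESSIONS_PER_USER": ("<=", 10, "3.9"),
}

# Constructed sample: DEFAULT carries typical out-of-the-box values, APP_PROFILE
# is a custom profile that inherits PASSWORD_LIFE_TIME and uses a 15-minute
# (0.0104 day) lock time, which Oracle stores as the string '.0104'.
SAMPLE_ROWS = [
    ("DEFAULT", "FAILED_LOGIN_ATTEMPTS", "10"),
    ("DEFAULT", "PASSWORD_LOCK_TIME", "1"),
    ("DEFAULT", "PASSWORD_LIFE_TIME", "180"),
    ("DEFAULT", "PASSWORD_REUSE_MAX", "UNLIMITED"),
    ("DEFAULT", "PASSWORD_REUSE_TIME", "UNLIMITED"),
    ("DEFAULT", "PASSWORD_GRACE_TIME", "7"),
    ("DEFAULT", "SESSIONS_PER_USER", "UNLIMITED"),
    ("APP_PROFILE", "FAILED_LOGIN_ATTEMPTS", "5"),
    ("APP_PROFILE", "PASSWORD_LOCK_TIME", ".0104"),
    ("APP_PROFILE", "PASSWORD_LIFE_TIME", "DEFAULT"),
    ("APP_PROFILE", "PASSWORD_REUSE_MAX", "24"),
    ("APP_PROFILE", "PASSWORD_REUSE_TIME", "365"),
    ("APP_PROFILE", "PASSWORD_GRACE_TIME", "3"),
    ("APP_PROFILE", "SESSIONS_PER_USER", "50"),
]


def effective_limit(by_key, profile, resource):
    """Return the limit a profile really enforces: a float or 'UNLIMITED'.

    LIMIT is a character column. The literal 'DEFAULT' in any other profile
    means "use whatever the DEFAULT profile says", so it is resolved there
    before any numeric comparison. 'UNLIMITED' is returned as-is.
    """
    limit = by_key[(profile, resource)]
    if limit == "DEFAULT":
        limit = by_key[("DEFAULT", resource)]
    return "UNLIMITED" if limit == "UNLIMITED" else float(limit)


def within_threshold(value, op, threshold):
    return value <= threshold if op == "<=" else value >= threshold


def assess(rows):
    """Apply the benchmark rules to every profile in rows.

    Mirrors the audit queries: a literal 'DEFAULT' or 'UNLIMITED' fails
    outright (the DEFAULT profile is Oracle-controlled and may change on
    patching), otherwise the numeric limit is compared to the threshold.
    Returns one finding per (profile, resource) with the effective value
    attached so a reviewer can see what is actually enforced.
    """
    by_key = {(p, r): l for p, r, l in rows}
    findings = []
    for (profile, resource), literal in sorted(by_key.items()):
        if resource not in RULES:
            continue
        op, threshold, rec = RULES[resource]
        effective = effective_limit(by_key, profile, resource)
        if literal in ("DEFAULT", "UNLIMITED"):
            compliant = False
        else:
            compliant = within_threshold(effective, op, threshold)
        findings.append({
            "recommendation": rec, "profile": profile, "resource": resource,
            "limit": literal, "effective": effective, "compliant": compliant,
        })
    return findings


def remediation(findings):
    """Build the ALTER PROFILE statements the benchmark prescribes for each failure."""
    return [
        f"ALTER PROFILE {f['profile']} LIMIT {f['resource']} {RULES[f['resource']][1]};"
        for f in findings if not f["compliant"]
    ]


if __name__ == "__main__":
    results = assess(SAMPLE_ROWS)
    for f in results:
        status = "PASS" if f["compliant"] else "FAIL"
        print(f"{f['recommendation']} {status} {f['profile']}.{f['resource']} "
              f"= {f['limit']} (effective {f['effective']})")
    print("\n".join(remediation(results)))
```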
3.10 Ensure No Users Are Assigned the 'DEFAULT' Profile (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
Upon creation, database users are assigned to the DEFAULT profile unless otherwise specified. No users should be assigned to that profile.
Rationale:
Users should be created with function-appropriate profiles. The DEFAULT profile, being defined by Oracle, is subject to change at any time (e.g. by patch or version update). The DEFAULT profile has unlimited settings that are often required by the SYS user when patching; such unlimited settings should be tightly reserved and not applied to unnecessary users.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT USERNAME FROM DBA_USERS WHERE PROFILE='DEFAULT' AND ACCOUNT_STATUS='OPEN' AND USERNAME NOT IN ('ANONYMOUS', 'CTXSYS', 'DBSNMP', 'EXFSYS', 'LBACSYS', 'MDSYS', 'MGMT_VIEW','OLAPSYS','OWBSYS', 'ORDPLUGINS', 'ORDSYS', 'OUTLN', 'SI_INFORMTN_SCHEMA','SYS', 'SYSMAN', 'SYSTEM', 'TSMSYS', 'WK_TEST', 'WKSYS', 'WKPROXY', 'WMSYS', 'XDB', 'CISSCAN');
Lack of results implies compliance.
Remediation:
To remediate this recommendation, execute the following SQL statement for each user returned by the audit query, using a function-appropriate profile.
ALTER USER <username> PROFILE <appropriate_profile>;
CIS Controls:
Version 6
16 Account Monitoring and Control
4 Oracle User Access and Authorization Restrictions
The capability to use database resources at a given level, or user authorization rules, allows for user manipulation of the various parts of the Oracle database. These authorizations must be structured to block unauthorized use and/or corruption of vital data and services by setting restrictions on user capabilities, particularly those of the user PUBLIC. Such security measures help to ensure successful logins cannot be easily redirected.
IMPORTANT: Use caution when revoking privileges from PUBLIC. Oracle and third-party products explicitly require default grants to PUBLIC for commonly used functions, objects, and in view definitions. After revoking any privilege from PUBLIC, verify that applications keep running properly and recompile invalid database objects. Specific grants to users and roles may be needed to make all objects valid. Please see the following Oracle support document which provides further information and SQL statements that can be used to determine dependencies that require explicit grants: Be Cautious When Revoking Privileges Granted to PUBLIC (Doc ID 247093.1). Always test database changes in development and test environments before making changes to production databases.
4.1 Default Public Privileges for Packages and Object Types
This section contains recommendations that revoke default public execute privileges from powerful packages and object types.
4.1.1 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_ADVISOR' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database DBMS_ADVISOR package can be used to write files located on the server where the Oracle instance is installed. The user PUBLIC should not be able to execute DBMS_ADVISOR.
Rationale:
Use of the DBMS_ADVISOR package could allow an unauthorized user to corrupt operating system files on the instance's host.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_ADVISOR';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_ADVISOR FROM PUBLIC;
References:
1. http://docs.oracle.com/database/121/ARPLS/d_advis.htm#ARPLS350
CIS Controls:
Version 6
5.1 Minimize And Sparingly Use Administrative Privileges
Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.
4.1.2 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_CRYPTO' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The DBMS_CRYPTO settings provide a toolset that determines the strength of the encryption algorithm used to encrypt application data and is part of the SYS schema. The DES (56-bit key), 3DES (168-bit key), 3DES-2KEY (112-bit key), AES (128/192/256-bit keys), and RC4 are available. The user PUBLIC should not be able to execute DBMS_CRYPTO.
Rationale:
Execution of these cryptography procedures by the user PUBLIC can potentially endanger portions of or all of the data storage.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND TABLE_NAME='DBMS_CRYPTO';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_CRYPTO FROM PUBLIC;
References:
1. http://docs.oracle.com/database/121/ARPLS/d_crypto.htm#ARPLS664
CIS Controls:
Version 6
5.1 Minimize And Sparingly Use Administrative Privileges
Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.
4.1.3 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_JAVA' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database DBMS_JAVA package can run Java classes (e.g. OS commands) or grant Java privileges. The user PUBLIC should not be able to execute DBMS_JAVA.
Rationale:
The DBMS_JAVA package could allow an attacker to run OS commands from the database.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_JAVA';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_JAVA FROM PUBLIC;
References:
1. http://docs.oracle.com/database/121/JJDEV/appendixa.htm#JJDEV13000
CIS Controls:
Version 6
18.9 Sanitize Deployed Software Of Development Artifacts
For in-house developed applications, ensure that development artifacts (sample data and scripts; unused libraries, components, debug code; or tools) are not included in the deployed software, or accessible in the production environment.
4.1.4 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_JAVA_TEST' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database DBMS_JAVA_TEST package can run Java classes (e.g. OS commands) or grant Java privileges. The user PUBLIC should not be able to execute DBMS_JAVA_TEST.
Rationale:
The DBMS_JAVA_TEST package could allow an attacker to run operating system commands from the database.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_JAVA_TEST';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_JAVA_TEST FROM PUBLIC;
Notes:
DBMS_JAVA_TEST is an undocumented PL/SQL package, but the public grant should be revoked.
CIS Controls:
Version 6
18.9 Sanitize Deployed Software Of Development Artifacts
For in-house developed applications, ensure that development artifacts (sample data and scripts; unused libraries, components, debug code; or tools) are not included in the deployed software, or accessible in the production environment.
4.1.5 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_JOB' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database DBMS_JOB package schedules and manages the jobs sent to the job queue and has been superseded by the DBMS_SCHEDULER package, even though DBMS_JOB has been retained for backwards compatibility. The user PUBLIC should not be able to execute DBMS_JOB.
Rationale:
Use of the DBMS_JOB package could allow an unauthorized user to disable or overload the job queue. It has been superseded by the DBMS_SCHEDULER package.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_JOB';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_JOB FROM PUBLIC;
References:
1. http://docs.oracle.com/database/121/ARPLS/d_job.htm#ARPLS019
CIS Controls:
Version 6
5.1 Minimize And Sparingly Use Administrative Privileges
Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.
4.1.6 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_LDAP' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database DBMS_LDAP package contains functions and procedures that enable programmers to access data from LDAP servers. The user PUBLIC should not be able to execute DBMS_LDAP.
Rationale:
The DBMS_LDAP package can be used to create specially crafted error messages or send information via DNS to the outside.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_LDAP';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_LDAP FROM PUBLIC;
References:
1. http://docs.oracle.com/database/121/ARPLS/d_ldap.htm#ARPLS360
CIS Controls:
Version 6
18 Application Software Security
4.1.7 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_LOB' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database DBMS_LOB package provides subprograms that can manipulate and read/write on BLOBs, CLOBs, NCLOBs, BFILEs, and temporary LOBs. The user PUBLIC should not be able to execute DBMS_LOB.
Rationale:
Use of the DBMS_LOB package could allow an unauthorized user to manipulate BLOBs, CLOBs, NCLOBs, BFILEs, and temporary LOBs on the instance, either destroying data or causing a denial-of-service condition due to corruption of disk space.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_LOB';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_LOB FROM PUBLIC;
References:
1. http://docs.oracle.com/database/121/ARPLS/d_lob.htm#ARPLS600
CIS Controls:
Version 6
18 Application Software Security
4.1.8 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_OBFUSCATION_TOOLKIT' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The DBMS_OBFUSCATION_TOOLKIT provides one of the tools that determine the strength of the encryption algorithm used to encrypt application data and is part of the SYS schema. The DES (56-bit key) and 3DES (168-bit key) are the only two types available. The user PUBLIC should not be able to execute DBMS_OBFUSCATION_TOOLKIT.
Rationale:
Allowing the PUBLIC user privileges to access this capability can potentially harm data storage.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_OBFUSCATION_TOOLKIT';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_OBFUSCATION_TOOLKIT FROM PUBLIC;
CIS Controls:
Version 6
5.1 Minimize And Sparingly Use Administrative Privileges
Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.
4.1.9 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_RANDOM' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database DBMS_RANDOM package is used for generating random numbers but should not be used for cryptographic purposes. The user PUBLIC should not be able to execute DBMS_RANDOM.
Rationale:
Use of the DBMS_RANDOM package can allow the unauthorized application of the random number-generating function.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_RANDOM';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_RANDOM FROM PUBLIC;
References:
1. http://docs.oracle.com/cd/E11882_01/appdev.112/e25788/d_random.htm
Notes:
The OEM cautions that removing this from PUBLIC may break certain applications.
CIS Controls:
Version 6
18 Application Software Security
4.1.10 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_SCHEDULER' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database DBMS_SCHEDULER package schedules and manages the database and operating system jobs. The user PUBLIC should not be able to execute DBMS_SCHEDULER.
Rationale:
Use of the DBMS_SCHEDULER package could allow an unauthorized user to run database or operating system jobs.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_SCHEDULER';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_SCHEDULER FROM PUBLIC;
References:
1. http://docs.oracle.com/database/121/ARPLS/d_sched.htm#ARPLS72235
CIS Controls:
Version 6
5.1 Minimize And Sparingly Use Administrative Privileges
Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.
4.1.11 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_SQL' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database DBMS_SQL package is used for running dynamic SQL statements. The user PUBLIC should not be able to execute DBMS_SQL.
Rationale:
The DBMS_SQL package could allow privilege escalation if input validation is not done properly.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_SQL';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_SQL FROM PUBLIC;
References:
1. http://docs.oracle.com/database/121/ARPLS/d_sql.htm#ARPLS058
CIS Controls:
Version 6
18 Application Software Security
4.1.12 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_XMLGEN' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The DBMS_XMLGEN package takes an arbitrary SQL query as input, converts it to XML format, and returns the result as a CLOB. The user PUBLIC should not be able to execute DBMS_XMLGEN.
Rationale:
The package DBMS_XMLGEN can be used to search the entire database for sensitive information like credit card numbers.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_XMLGEN';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_XMLGEN FROM PUBLIC;
References:
1. http://docs.oracle.com/database/121/ARPLS/d_xmlgen.htm#ARPLS374
2. http://www.red-database-security.com/wp/confidence2009.pdf
CIS Controls:
Version 6
13 Data Protection
4.1.13 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_XMLQUERY' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle package DBMS_XMLQUERY takes an arbitrary SQL query, converts it to XML format, and returns the result. This package is similar to DBMS_XMLGEN. The user PUBLIC should not be able to execute DBMS_XMLQUERY.
Rationale:
The package DBMS_XMLQUERY can be used to search the entire database for sensitive information like credit card numbers. Malicious users may be able to exploit this package as an auxiliary inject function in a SQL injection attack.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_XMLQUERY';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_XMLQUERY FROM PUBLIC;
References:
1. http://docs.oracle.com/database/121/ARPLS/d_xmlque.htm#ARPLS376
CIS Controls:
Version 6
13 Data Protection
4.1.14 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_FILE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database UTL_FILE package can be used to read/write files located on the server where the Oracle instance is installed. The user PUBLIC should not be able to execute UTL_FILE.
Rationale:
Use of the UTL_FILE package could allow a user to read OS files. These files could contain sensitive information (e.g. passwords in .bash_history).
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='UTL_FILE';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON UTL_FILE FROM PUBLIC;
References:
1. http://docs.oracle.com/database/121/ARPLS/u_file.htm#ARPLS069
CIS Controls:
Version 6
14 Controlled Access Based on the Need to Know
4.1.15 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_INADDR' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database UTL_INADDR package can be used to create specially crafted error messages or send information via DNS to the outside. The user PUBLIC should not be able to execute UTL_INADDR.
Rationale:
The UTL_INADDR package is often used in SQL injection attacks from the web; it should be revoked from public.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='UTL_INADDR';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON UTL_INADDR FROM PUBLIC;
References:
1. http://docs.oracle.com/database/121/ARPLS/u_inaddr.htm#ARPLS071
CIS Controls:
Version 6
18 Application Software Security
4.1.16 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_TCP' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database UTL_TCP package can be used to read from and write to TCP sockets on the server where the Oracle instance is installed. The user PUBLIC should not be able to execute UTL_TCP.
Rationale:
The UTL_TCP package could allow an unauthorized user to corrupt the TCP stream used to carry the protocols that communicate with the instance's external communications.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='UTL_TCP';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON UTL_TCP FROM PUBLIC;
References:
1. http://docs.oracle.com/database/121/ARPLS/u_tcp.htm#ARPLS075
CIS Controls:
Version 6
18 Application Software Security
4.1.17 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_MAIL' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database UTL_MAIL package can be used to send email from the server where the Oracle instance is installed. The user PUBLIC should not be able to execute UTL_MAIL.
Rationale:
The UTL_MAIL package could allow an unauthorized user to corrupt the SMTP function to accept or generate junk mail that can result in a denial-of-service condition due to network saturation.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='UTL_MAIL';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON UTL_MAIL FROM PUBLIC;
References:
1. http://docs.oracle.com/database/121/ARPLS/u_mail.htm#ARPLS384
CIS Controls:
Version 6
18 Application Software Security
4.1.18 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_SMTP' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database UTL_SMTP package can be used to send email from the server where the Oracle instance is installed. The user PUBLIC should not be able to execute UTL_SMTP.
Rationale:
The UTL_SMTP package could allow an unauthorized user to corrupt the SMTP function to accept or generate junk mail that can result in a denial-of-service condition due to network saturation.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='UTL_SMTP';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON UTL_SMTP FROM PUBLIC;
References:
1. http://docs.oracle.com/database/121/ARPLS/u_smtp.htm#ARPLS074
CIS Controls:
Version 6
18 Application Software Security
4.1.19 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_DBWS' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database UTL_DBWS package can be used to read from and write to web-based applications from the server where the Oracle instance is installed. This package is not automatically installed for security reasons. The user PUBLIC should not be able to execute UTL_DBWS.
Rationale:
The UTL_DBWS package could allow an unauthorized user to corrupt the HTTP stream used to carry the protocols that communicate for the instance's web-based external communications.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='UTL_DBWS';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON UTL_DBWS FROM PUBLIC;
References:
1. https://docs.oracle.com/database/121/JJPUB/intro.htm#BHCIBFGJ
CIS Controls:
Version 6
18 Application Software Security
4.1.20 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_ORAMTS' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database UTL_ORAMTS package (part of Oracle Services for Microsoft Transaction Server) can be used to perform HTTP requests from the database server, which could be used to send information to external hosts. The user PUBLIC should not be able to execute UTL_ORAMTS.
Rationale:
The UTL_ORAMTS package could be used to send sensitive information to external web sites. The use of this package should be restricted according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='UTL_ORAMTS';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON UTL_ORAMTS FROM PUBLIC;
References:
1. http://docs.oracle.com/database/121/NTMTS/recovery.htm#sthref73
CIS Controls:
Version 6
18 Application Software Security
4.1.21 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_HTTP' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database UTL_HTTP package can be used to perform HTTP requests from the database server, which could be used to send information to external hosts. The user PUBLIC should not be able to execute UTL_HTTP.
Rationale:
The UTL_HTTP package could be used to send sensitive information to external web sites, or to reach internal web services from the database server. Network access control lists (DBMS_NETWORK_ACL_ADMIN) limit which hosts PL/SQL may contact, but they are a second layer: EXECUTE on the package itself should not be available to every account. The use of this package should be restricted according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='UTL_HTTP';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON UTL_HTTP FROM PUBLIC;
References:
1. http://docs.oracle.com/database/121/ARPLS/u_http.htm#ARPLS070
CIS Controls:
Version 6
18 Application Software Security
4.1.22 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'HTTPURITYPE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database HTTPURITYPE object type can be used to perform HTTP requests from the database server. The user PUBLIC should not be able to execute HTTPURITYPE.
Rationale:
The ability to perform HTTP requests could be used to leak information from the database to an external destination.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='HTTPURITYPE';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON HTTPURITYPE FROM PUBLIC;
References:
1. http://docs.oracle.com/database/121/ARPLS/t_dburi.htm#ARPLS71705
CIS Controls:
Version 6
18 Application Software Security
4.1.23 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_XMLSTORE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The DBMS_XMLSTORE package provides XML functionality. It accepts a table name and an XML document as input and performs DML operations against that table. The user PUBLIC should not be able to execute DBMS_XMLSTORE.
Rationale:
Malicious users may be able to exploit this package as an auxiliary injection function in a SQL injection attack.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT GRANTEE FROM DBA_TAB_PRIVS WHERE TABLE_NAME = 'DBMS_XMLSTORE' AND GRANTEE = 'PUBLIC' AND PRIVILEGE = 'EXECUTE';
Lack of results implies compliance.
Remediation:
To remediate this setting, execute the following SQL statement:
REVOKE EXECUTE ON DBMS_XMLSTORE FROM PUBLIC;
References:
1. http://www.davidlitchfield.com/DBMS_XMLSTORE_PLSQL_Injection.pdf
CIS Controls:
Version 6
18.3 Sanitize Input For In-house Software
For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.
4.1.24 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_XMLSAVE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The DBMS_XMLSAVE package provides XML functionality. It accepts a table name and an XML document as input and then inserts into or updates that table. The user PUBLIC should not be able to execute DBMS_XMLSAVE.
Rationale:
Malicious users may be able to exploit this package as an auxiliary injection function in a SQL injection attack.
Audit:
To assess this recommendation, execute the following SQL statement:
SELECT GRANTEE FROM DBA_TAB_PRIVS WHERE TABLE_NAME = 'DBMS_XMLSAVE' AND GRANTEE = 'PUBLIC' AND PRIVILEGE = 'EXECUTE';
Lack of results implies compliance.
Remediation:
To remediate this setting, execute the following SQL statement:
REVOKE EXECUTE ON DBMS_XMLSAVE FROM PUBLIC;
References:
1. http://www.davidlitchfield.com/DBMS_XMLSTORE_PLSQL_Injection.pdf
CIS Controls:
Version 6
18.3 Sanitize Input For In-house Software
For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.
4.1.25 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_REDACT' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The DBMS_REDACT package provides an interface to Oracle Data Redaction, which enables you to mask (redact) data that is returned from queries issued by low-privileged users or an application. The user PUBLIC should not be able to execute DBMS_REDACT.
Rationale:
Malicious users may be able to exploit this package as an auxiliary injection function in a SQL injection attack. EXECUTE on DBMS_REDACT is also what authorizes the creation and alteration of redaction policies, so it should be held only by trusted security administrators rather than by every account.
Audit:
To assess this recommendation, execute the following SQL statement:
SELECT GRANTEE FROM DBA_TAB_PRIVS WHERE TABLE_NAME = 'DBMS_REDACT' AND GRANTEE = 'PUBLIC' AND PRIVILEGE = 'EXECUTE';
Lack of results implies compliance.
Remediation:
To remediate this setting, execute the following SQL statement:
REVOKE EXECUTE ON DBMS_REDACT FROM PUBLIC;
CIS Controls:
Version 6
18.3 Sanitize Input For In-house Software
For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.
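Recommendations 4.1.17 through 4.1.25 each audit and remediate one object with the same pattern. The following SQL script is added here as a worked example; it is not part of the CIS benchmark text. It runs the check once for the whole list, repeats it per container for a 12c multitenant database, and generates the REVOKE statements from the findings instead of issuing nine statements by hand. It assumes a SYS or DBA session holding GRANT ANY OBJECT PRIVILEGE (the objects are owned by SYS) and a SQL*Plus or SQLcl client; the object list is the one from this section.

```sql
-- Added example (not from the CIS benchmark): consolidated audit and
-- remediation for 4.1.17 - 4.1.25. Run as SYS or a DBA holding
-- GRANT ANY OBJECT PRIVILEGE, in SQL*Plus or SQLcl.
SET SERVEROUTPUT ON SIZE UNLIMITED

-- 1. Audit: one row per finding. No rows means all nine checks pass.
--    The owner is included because the REVOKE is issued against OWNER.NAME.
SELECT owner, table_name AS object_name, grantee, privilege
  FROM dba_tab_privs
 WHERE grantee   = 'PUBLIC'
   AND privilege = 'EXECUTE'
   AND table_name IN ('UTL_MAIL', 'UTL_SMTP', 'UTL_DBWS', 'UTL_ORAMTS',
                      'UTL_HTTP', 'HTTPURITYPE', 'DBMS_XMLSTORE',
                      'DBMS_XMLSAVE', 'DBMS_REDACT')
 ORDER BY table_name;

-- 2. Multitenant caveat: object privileges are container-local, so a clean
--    CDB$ROOT says nothing about the PDBs. From the root, CDB_TAB_PRIVS
--    covers every open container; CON_ID tells you where to connect and revoke.
SELECT con_id, owner, table_name AS object_name
  FROM cdb_tab_privs
 WHERE grantee   = 'PUBLIC'
   AND privilege = 'EXECUTE'
   AND table_name IN ('UTL_MAIL', 'UTL_SMTP', 'UTL_DBWS', 'UTL_ORAMTS',
                      'UTL_HTTP', 'HTTPURITYPE', 'DBMS_XMLSTORE',
                      'DBMS_XMLSAVE', 'DBMS_REDACT')
 ORDER BY con_id, table_name;

-- 3. Remediation driven by the audit result. Each statement is printed so
--    the change is recorded; EXECUTE IMMEDIATE applies it. Comment out the
--    EXECUTE IMMEDIATE line to produce a review-only script instead.
DECLARE
  v_sql VARCHAR2(400);
BEGIN
  FOR r IN (SELECT owner, table_name
              FROM dba_tab_privs
             WHERE grantee   = 'PUBLIC'
               AND privilege = 'EXECUTE'
               AND table_name IN ('UTL_MAIL', 'UTL_SMTP', 'UTL_DBWS',
                                  'UTL_ORAMTS', 'UTL_HTTP', 'HTTPURITYPE',
                                  'DBMS_XMLSTORE', 'DBMS_XMLSAVE',
                                  'DBMS_REDACT'))
  LOOP
    -- Owner-qualified and quoted: dictionary names are upper case already,
    -- and quoting keeps the statement correct for any name the view returns.
    v_sql := 'REVOKE EXECUTE ON "' || r.owner || '"."' || r.table_name
             || '" FROM PUBLIC';
    DBMS_OUTPUT.PUT_LINE(v_sql || ';');
    EXECUTE IMMEDIATE v_sql;
  END LOOP;
END;
/

-- 4. Re-run step 1; it must now return no rows.
```

The revoke does not by itself break anything that already holds a direct grant; application schemas that relied on the PUBLIC grant need their own GRANT EXECUTE before their code will recompile, which is why the printed statements should be kept with the change record.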
4.2 Revoke Non-Default Privileges for Packages and Object Types
The recommendations within this section revoke excessive privileges for packages and object types.
4.2.1 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_SYS_SQL' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database DBMS_SYS_SQL package is shipped undocumented. The user PUBLIC should not be able to execute DBMS_SYS_SQL.
Rationale:
The DBMS_SYS_SQL package could allow a user to run code as a different user without entering valid credentials (its PARSE_AS_USER procedure parses and executes a statement in the context of another user).
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_SYS_SQL';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_SYS_SQL FROM PUBLIC;
References:
1. http://asktom.oracle.com/pls/asktom/f?p=100:11:0::::P11_QUESTION_ID:1325202421535
CIS Controls:
Version 6
16 Account Monitoring and Control
4.2.2 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_BACKUP_RESTORE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database DBMS_BACKUP_RESTORE package is the internal PL/SQL interface that RMAN uses to drive its native backup and restore operations. The user PUBLIC should not be able to execute DBMS_BACKUP_RESTORE.
Rationale:
The DBMS_BACKUP_RESTORE package can allow access to operating-system files on the database host, such as listing or deleting files, outside the normal database access controls.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_BACKUP_RESTORE';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_BACKUP_RESTORE FROM PUBLIC;
References:
1. http://psoug.org/reference/dbms_backup_restore.html
2. http://davidalejomarcos.wordpress.com/2011/09/13/how-to-list-files-on-a-directory-from-oracle-database/
CIS Controls:
Version 6
18 Application Software Security
4.2.3 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_AQADM_SYSCALLS' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database DBMS_AQADM_SYSCALLS package is shipped undocumented. The user PUBLIC should not be able to execute DBMS_AQADM_SYSCALLS.
Rationale:
The DBMS_AQADM_SYSCALLS package could allow an unauthorized user to run SQL commands as user SYS.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_AQADM_SYSCALLS';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_AQADM_SYSCALLS FROM PUBLIC;
References:
1. http://securityvulns.ru/files/ohh-indirect-privilege-escalation.pdf
CIS Controls:
Version 6
18 Application Software Security
4.2.4 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_REPCAT_SQL_UTL' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database DBMS_REPCAT_SQL_UTL package is shipped undocumented and has been used to run SQL commands as user SYS. The user PUBLIC should not be able to execute DBMS_REPCAT_SQL_UTL.
Rationale:
The DBMS_REPCAT_SQL_UTL package could allow an unauthorized user to run SQL commands as user SYS.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_REPCAT_SQL_UTL';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_REPCAT_SQL_UTL FROM PUBLIC;
References:
1. http://securityvulns.ru/files/ohh-indirect-privilege-escalation.pdf
CIS Controls:
Version 6
18 Application Software Security
4.2.5 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'INITJVMAUX' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database INITJVMAUX package is shipped undocumented and has been used to run SQL commands as user SYS. The user PUBLIC should not be able to execute INITJVMAUX.
Rationale:
The INITJVMAUX package could allow an unauthorized user to run SQL commands as user SYS.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='INITJVMAUX';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON INITJVMAUX FROM PUBLIC;
References:
1. http://securityvulns.ru/files/ohh-indirect-privilege-escalation.pdf
CIS Controls:
Version 6
18 Application Software Security
4.2.6 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_STREAMS_ADM_UTL' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database DBMS_STREAMS_ADM_UTL package is shipped undocumented and has been used to run SQL commands as user SYS. The user PUBLIC should not be able to execute DBMS_STREAMS_ADM_UTL.
Rationale:
The DBMS_STREAMS_ADM_UTL package could allow an unauthorized user to run SQL commands as user SYS.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_STREAMS_ADM_UTL';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_STREAMS_ADM_UTL FROM PUBLIC;
References:
1. http://securityvulns.ru/files/ohh-indirect-privilege-escalation.pdf
CIS Controls:
Version 6
18 Application Software Security
4.2.7 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_AQADM_SYS' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database DBMS_AQADM_SYS package is shipped undocumented and has been used to run SQL commands as user SYS. The user PUBLIC should not be able to execute DBMS_AQADM_SYS.
Rationale:
The DBMS_AQADM_SYS package could allow an unauthorized user to run SQL commands as user SYS.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_AQADM_SYS';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_AQADM_SYS FROM PUBLIC;
CIS Controls:
Version 6
18 Application Software Security
4.2.8 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_STREAMS_RPC' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database DBMS_STREAMS_RPC package is shipped undocumented and has been used to run SQL commands as user SYS. The user PUBLIC should not be able to execute DBMS_STREAMS_RPC.
Rationale:
The DBMS_STREAMS_RPC package could allow an unauthorized user to run SQL commands as user SYS.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_STREAMS_RPC';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_STREAMS_RPC FROM PUBLIC;
References:
1. http://securityvulns.ru/files/ohh-indirect-privilege-escalation.pdf
CIS Controls:
Version 6
18 Application Software Security
4.2.9 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_PRVTAQIM' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database DBMS_PRVTAQIM package is shipped undocumented and has been used to run SQL commands as user SYS. The user PUBLIC should not be able to execute DBMS_PRVTAQIM.
Rationale:
The DBMS_PRVTAQIM package could allow an unauthorized user to escalate privileges, because arbitrary SQL statements could be executed as user SYS.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_PRVTAQIM';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_PRVTAQIM FROM PUBLIC;
References:
1. http://securityvulns.ru/files/ohh-indirect-privilege-escalation.pdf
CIS Controls:
Version 6
18 Application Software Security
4.2.10 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'LTADM' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database LTADM package is shipped undocumented. It allows privilege escalation if granted to unprivileged users. The user PUBLIC should not be able to execute LTADM.
Rationale:
The LTADM package could allow an unauthorized user to run any SQL command as user SYS.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='LTADM';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON LTADM FROM PUBLIC;
References:
1. http://securityvulns.ru/files/ohh-indirect-privilege-escalation.pdf
CIS Controls:
Version 6
18 Application Software Security
4.2.11 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'WWV_DBMS_SQL' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database WWV_DBMS_SQL package is shipped undocumented. It allows Oracle Application Express to run dynamic SQL statements. The user PUBLIC should not be able to execute WWV_DBMS_SQL.
Rationale:
The WWV_DBMS_SQL package could allow an unauthorized user to run SQL statements as the Application Express (APEX) user.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='WWV_DBMS_SQL';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON WWV_DBMS_SQL FROM PUBLIC;
CIS Controls:
Version 6
14 Controlled Access Based on the Need to Know
4.2.12 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'WWV_EXECUTE_IMMEDIATE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database WWV_EXECUTE_IMMEDIATE package is shipped undocumented. It allows Oracle Application Express to run dynamic SQL statements. The user PUBLIC should not be able to execute WWV_EXECUTE_IMMEDIATE.
Rationale:
The WWV_EXECUTE_IMMEDIATE package could allow an unauthorized user to run SQL statements as the Application Express (APEX) user.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='WWV_EXECUTE_IMMEDIATE';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON WWV_EXECUTE_IMMEDIATE FROM PUBLIC;
References:
1. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-1811
CIS Controls:
Version 6
18 Application Software Security
4.2.13 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_IJOB' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database DBMS_IJOB package is shipped undocumented. It allows a user to run database jobs in the context of another user. The user PUBLIC should not be able to execute DBMS_IJOB.
Rationale:
The DBMS_IJOB package could allow an attacker to submit a database job under a different user name, so that the job's code executes with that user's identity and privileges.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_IJOB';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_IJOB FROM PUBLIC;
CIS Controls:
Version 6
18 Application Software Security
4.2.14 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_FILE_TRANSFER' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database DBMS_FILE_TRANSFER package allows a user to copy binary files between directory objects on the same server or to transfer them from one database server to another over a database link. The user PUBLIC should not be able to execute DBMS_FILE_TRANSFER.
Rationale:
The DBMS_FILE_TRANSFER package could allow files to be transferred from one database server to another without authorization to do so.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_FILE_TRANSFER';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_FILE_TRANSFER FROM PUBLIC;
References:
1. http://docs.oracle.com/database/121/ARPLS/d_ftran.htm#ARPLS095
CIS Controls:
Version 6
18 Application Software Security
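Revoking EXECUTE from PUBLIC on a package that application code references leaves that code INVALID at its next recompilation, because PL/SQL resolves the dependency at compile time and no longer finds a grant. The script below is an added example, not part of the benchmark, showing the impact check a practitioner runs before applying any of the REVOKE statements in sections 4.1 and 4.2: it lists the non-Oracle schemas whose objects depend on the package, generates the least-privilege replacement grants for exactly those schemas, and confirms afterwards that nothing application-owned was left INVALID. The package name in the bind variable (UTL_HTTP here) is only an example value, and the DBA_USERS.ORACLE_MAINTAINED column is a 12c assumption; on older releases replace that filter with an explicit list of application schemas.

```sql
-- Added example (not from the CIS benchmark): impact analysis before
-- REVOKE EXECUTE ON <package> FROM PUBLIC, and verification afterwards.
-- :pkg is the package to be revoked; UTL_HTTP is only the example value.
VARIABLE pkg VARCHAR2(128)
EXEC :pkg := 'UTL_HTTP'

-- 1. Who relies on the PUBLIC grant? Objects outside Oracle-maintained
--    schemas that reference the package will be INVALID after the revoke
--    unless their owner receives a direct grant of its own.
SELECT d.owner, d.name, d.type
  FROM dba_dependencies d
  JOIN dba_users       u ON u.username = d.owner
 WHERE d.referenced_owner  = 'SYS'
   AND d.referenced_name   = :pkg
   AND u.oracle_maintained = 'N'      -- 12c column; older: list app schemas
 ORDER BY d.owner, d.name;

-- 2. Least-privilege replacement: grant directly to the schemas found in
--    step 1, then revoke from PUBLIC. Emitted as text so the change can be
--    reviewed and kept with the change record before it is executed.
SELECT DISTINCT 'GRANT EXECUTE ON SYS.' || d.referenced_name
                || ' TO ' || d.owner || ';' AS stmt
  FROM dba_dependencies d
  JOIN dba_users       u ON u.username = d.owner
 WHERE d.referenced_owner  = 'SYS'
   AND d.referenced_name   = :pkg
   AND u.oracle_maintained = 'N'
UNION ALL
SELECT 'REVOKE EXECUTE ON SYS.' || :pkg || ' FROM PUBLIC;' FROM dual;

-- 3. After applying the generated statements: nothing application-owned
--    should be INVALID because of the change. Recompile anything listed
--    (ALTER PACKAGE ... COMPILE etc.) and re-run; a compile error naming
--    the package means a grant from step 2 is still missing.
SELECT o.owner, o.object_name, o.object_type
  FROM dba_objects o
  JOIN dba_users  u ON u.username = o.owner
 WHERE o.status = 'INVALID'
   AND u.oracle_maintained = 'N'
 ORDER BY o.owner, o.object_name;
```

For the undocumented SYS-internal packages in section 4.2, step 1 should return no rows at all; any application schema that does depend on them deserves a review of its own rather than a replacement grant.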
4.3 Revoke Excessive System Privileges
The recommendations within this section revoke excessive system privileges.
4.3.1 Ensure 'SELECT ANY DICTIONARY' Is Revoked from Unauthorized 'GRANTEE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database SELECT ANY DICTIONARY privilege allows the designated user to query data dictionary objects in the SYS schema. Unauthorized grantees should not have that privilege.
Rationale:
The Oracle password hashes are stored in the SYS schema (SYS.USER$) and can be selected by anyone holding the SELECT ANY DICTIONARY privilege, which exposes them to offline cracking.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='SELECT ANY DICTIONARY' AND GRANTEE NOT IN ('DBA','DBSNMP','OEM_MONITOR', 'OLAPSYS','ORACLE_OCM','SYSMAN','WMSYS','SYSBACKUP','SYSDG');
Lack of results implies compliance.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE SELECT ANY DICTIONARY FROM <grantee>;
References:
1. http://docs.oracle.com/database/121/DBSEG/authorization.htm#DBSEG99870
2. http://docs.oracle.com/database/121/REFRN/GUID-10024282-6729-4C66-8679-FD653C9C7DE7.htm#REFRN-GUID-10024282-6729-4C66-8679-FD653C9C7DE7
3. http://arup.blogspot.de/2011/07/difference-between-select-any.html
CIS Controls:
Version 6
14.4 Protect Information With Access Control Lists
All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
4.3.2 Ensure 'SELECT ANY TABLE' Is Revoked from Unauthorized 'GRANTEE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database SELECT ANY TABLE privilege allows the designated user to query any table or view in any schema except SYS. Unauthorized grantees should not have that privilege.
Rationale:
Assignment of the SELECT ANY TABLE privilege can allow the unauthorized viewing of sensitive data.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='SELECT ANY TABLE' AND GRANTEE NOT IN ('DBA', 'MDSYS', 'SYS', 'IMP_FULL_DATABASE', 'EXP_FULL_DATABASE','DATAPUMP_IMP_FULL_DATABASE', 'WMSYS', 'SYSTEM','OLAP_DBA', 'DV_REALM_OWNER');
Lack of results implies compliance.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE SELECT ANY TABLE FROM <grantee>;
References:
1. http://docs.oracle.com/database/121/SQLRF/statements_10002.htm#SQLRF01702
Notes:
If O7_DICTIONARY_ACCESSIBILITY has been set to TRUE (a non-default setting), then the SELECT ANY TABLE privilege also provides access to SYS objects, including the password hashes in SYS.USER$.
CIS Controls:
Version 6
14.4 Protect Information With Access Control Lists
All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
4.3.3 Ensure 'AUDIT SYSTEM' Is Revoked from Unauthorized 'GRANTEE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database AUDIT SYSTEM privilege allows changes to auditing activities on the system. Unauthorized grantees should not have that privilege.
Rationale:
The AUDIT SYSTEM privilege can allow the unauthorized alteration of system audit activities, such as disabling the creation of audit trails, which lets an attacker hide subsequent actions.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='AUDIT SYSTEM' AND GRANTEE NOT IN ('DBA','DATAPUMP_IMP_FULL_DATABASE','IMP_FULL_DATABASE', 'SYS','AUDIT_ADMIN');
Lack of results implies compliance.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE AUDIT SYSTEM FROM <grantee>;
References:
1. http://docs.oracle.com/database/121/SQLRF/statements_4007.htm#SQLRF01107
2. http://docs.oracle.com/database/121/SQLRF/statements_4008.htm#SQLRF56110
CIS Controls:
Version 6
5.1 Minimize And Sparingly Use Administrative Privileges
Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.
4.3.4 Ensure 'EXEMPT ACCESS POLICY' Is Revoked from Unauthorized 'GRANTEE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database EXEMPT ACCESS POLICY system privilege gives the grantee access to all rows of a table regardless of the row-level security (Virtual Private Database) policies defined on it. Unauthorized grantees should not have that privilege assigned to them.
Rationale:
The EXEMPT ACCESS POLICY privilege can allow an unauthorized user to bypass VPD policies and access, and potentially change, data that those policies were meant to hide.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='EXEMPT ACCESS POLICY';
Lack of results implies compliance.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXEMPT ACCESS POLICY FROM <grantee>;
References:
1. http://docs.oracle.com/database/121/DBSEG/audit_config.htm#DBSEG703
2. http://docs.oracle.com/database/121/DBSEG/vpd.htm#CIHEEAFJ
CIS Controls:
Version 6
14.4 Protect Information With Access Control Lists
All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
4.3.5 Ensure 'BECOME USER' Is Revoked from Unauthorized 'GRANTEE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database BECOME USER privilege allows the designated user to inherit the rights of another user. Unauthorized grantees should not have that privilege.
Rationale:
The BECOME USER privilege can allow the unauthorized use of another user's privileges; this capability should be restricted according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='BECOME USER' AND GRANTEE NOT IN ('DBA','SYS','IMP_FULL_DATABASE');
Lack of results implies compliance.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE BECOME USER FROM <grantee>;
References:
1. http://docs.oracle.com/database/121/DBSEG/guidelines.htm#DBSEG499
CIS Controls:
Version 6
16 Account Monitoring and Control
4.3.6 Ensure 'CREATE PROCEDURE' Is Revoked from Unauthorized 'GRANTEE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database CREATE PROCEDURE privilege allows the designated user to create stored procedures, functions and packages in their own schema. Unauthorized grantees should not have that privilege.
Rationale:
The CREATE PROCEDURE privilege can lead to severe problems in unauthorized hands, such as rogue procedures facilitating data theft or denial of service by corrupting data tables.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='CREATE PROCEDURE' AND GRANTEE NOT IN ( 'DBA','DBSNMP','MDSYS','OLAPSYS','OWB$CLIENT', 'OWBSYS','RECOVERY_CATALOG_OWNER','SPATIAL_CSW_ADMIN_USR', 'SPATIAL_WFS_ADMIN_USR','SYS','APEX_030200','APEX_040000', 'APEX_040100','APEX_040200','DVF','RESOURCE','DV_REALM_RESOURCE', 'APEX_GRANTS_FOR_NEW_USERS_ROLE','APEX_050000','MGMT_VIEW', 'SYSMAN_MDS','SYSMAN_OPSS','SYSMAN_RO','SYSMAN_STB');
Lack of results implies compliance.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE CREATE PROCEDURE FROM <grantee>;
References:
1. http://docs.oracle.com/database/121/DBSEG/guidelines.htm#DBSEG499
CIS Controls:
Version 6
5.1 Minimize And Sparingly Use Administrative Privileges
Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.
4.3.7 Ensure 'ALTER SYSTEM' Is Revoked from Unauthorized 'GRANTEE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database ALTER SYSTEM privilege allows the designated user to dynamically alter the instance's running operation, including its initialization parameters. Unauthorized grantees should not have that privilege.
Rationale:
The ALTER SYSTEM privilege can lead to severe problems, such as sessions being killed, security-relevant parameters being changed, or the archiving of redo logs being stopped, which could make transactions unrecoverable.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='ALTER SYSTEM' AND GRANTEE NOT IN ('SYS','SYSTEM','APEX_030200','APEX_040000', 'APEX_040100','APEX_040200','DBA','EM_EXPRESS_ALL','SYSBACKUP', 'GSMADMIN_ROLE','GSM_INTERNAL','SYSDG','GSMADMIN_INTERNAL');
Lack of results implies compliance.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE ALTER SYSTEM FROM <grantee>;
References:
1. http://docs.oracle.com/database/121/DBSEG/guidelines.htm#DBSEG499
CIS Controls:
Version 6
5.1 Minimize And Sparingly Use Administrative Privileges
Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.
4.3.8 Ensure 'CREATE ANY LIBRARY' Is Revoked from Unauthorized 'GRANTEE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database CREATE ANY LIBRARY privilege allows the designated user to create library objects, which are PL/SQL references to operating-system shared libraries, in any schema. Unauthorized grantees should not have that privilege.
Rationale:
A library object maps PL/SQL call specifications to a shared library (DLL or .so) on the database host. Combined with the ability to create procedures, the grantee can define an external procedure that loads an arbitrary library through the extproc agent and so run native code on the database host, which is a route to operating-system command execution outside the database's access controls.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='CREATE ANY LIBRARY' AND GRANTEE NOT IN ('SYS','SYSTEM','DBA','IMP_FULL_DATABASE');
Lack of results implies compliance.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE CREATE ANY LIBRARY FROM <grantee>;
References:
1. http://docs.oracle.com/database/121/DBSEG/guidelines.htm#DBSEG499
2. http://docs.oracle.com/database/121/ADMIN/manproc.htm#ADMIN00501
Notes:
Oracle has two related privileges: CREATE LIBRARY, which allows libraries to be created in the grantee's own schema, and CREATE ANY LIBRARY, which allows them to be created in any schema. Both are covered by this benchmark (see 4.3.9).
CIS Controls:
Version 6
5.1 Minimize And Sparingly Use Administrative Privileges
Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.
4.3.9 Ensure 'CREATE LIBRARY' Is Revoked from Unauthorized 'GRANTEE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database CREATE LIBRARY system privilege allows the grantee to create library objects (references to external shared libraries used by external procedures) in its own schema. Unauthorized grantees should not have that privilege.
Rationale:
The CREATE LIBRARY privilege can allow the creation of library objects pointing at shared libraries of the grantee's choosing, and can potentially corrupt the integrity of the existing libraries.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='CREATE LIBRARY' AND GRANTEE NOT IN ('SYS','SYSTEM','DBA','MDSYS','SPATIAL_WFS_ADMIN_USR', 'SPATIAL_CSW_ADMIN_USR','DVSYS','GSMADMIN_INTERNAL','XDB');
Lack of results implies compliance.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE CREATE LIBRARY FROM <grantee>;
References:
1. http://docs.oracle.com/database/121/DBSEG/guidelines.htm#DBSEG499
2. http://docs.oracle.com/database/121/ADMIN/manproc.htm#ADMIN00501
Notes:
Oracle has two related privileges: CREATE LIBRARY, which is limited to the grantee's own schema, and CREATE ANY LIBRARY, which applies to any schema. CREATE ANY LIBRARY is covered by 4.3.8.
CIS Controls:
Version 6
5.1 Minimize And Sparingly Use Administrative Privileges: Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.
4.3.10 Ensure 'GRANT ANY OBJECT PRIVILEGE' Is Revoked from Unauthorized 'GRANTEE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database GRANT ANY OBJECT PRIVILEGE system privilege allows the grantee to grant any object privilege, on any object in the database, to any user or role. Unauthorized grantees should not have that privilege.
Rationale:
The GRANT ANY OBJECT PRIVILEGE capability can allow an unauthorized user to grant themselves or others access to any table, view or procedure, and so to read or change confidential data or damage the data dictionary, amounting to complete access to the instance.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='GRANT ANY OBJECT PRIVILEGE' AND GRANTEE NOT IN ('DBA','SYS','IMP_FULL_DATABASE', 'DATAPUMP_IMP_FULL_DATABASE', 'EM_EXPRESS_ALL', 'DV_REALM_OWNER');
Lack of results implies compliance.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE GRANT ANY OBJECT PRIVILEGE FROM <grantee>;
References:
1. http://docs.oracle.com/database/121/DBSEG/authorization.htm#DBSEG99914
CIS Controls:
Version 6
5.1 Minimize And Sparingly Use Administrative Privileges: Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.
4.3.11 Ensure 'GRANT ANY ROLE' Is Revoked from Unauthorized 'GRANTEE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database GRANT ANY ROLE system privilege allows the grantee to grant any role in the database, including DBA, to any user or role. Unauthorized grantees should not have that privilege.
Rationale:
The GRANT ANY ROLE capability can allow an unauthorized user to grant themselves or others an administrative role, and so to read or change confidential data or damage the data dictionary, amounting to complete access to the instance.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='GRANT ANY ROLE' AND GRANTEE NOT IN ('DBA','SYS','DATAPUMP_IMP_FULL_DATABASE', 'IMP_FULL_DATABASE','SPATIAL_WFS_ADMIN_USR', 'SPATIAL_CSW_ADMIN_USR','GSMADMIN_INTERNAL', 'DV_REALM_OWNER', 'EM_EXPRESS_ALL', 'DV_OWNER');
Lack of results implies compliance.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE GRANT ANY ROLE FROM <grantee>;
References:
1. http://docs.oracle.com/database/121/DBSEG/authorization.htm#DBSEG99945
CIS Controls:
Version 6
5.1 Minimize And Sparingly Use Administrative Privileges: Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.
4.3.12 Ensure 'GRANT ANY PRIVILEGE' Is Revoked from Unauthorized 'GRANTEE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database GRANT ANY PRIVILEGE system privilege allows the grantee to grant any system privilege to any user or role. Unauthorized grantees should not have that privilege.
Rationale:
The GRANT ANY PRIVILEGE capability can allow an unauthorized user to grant themselves or others any system privilege, and so to read or change confidential data or damage the data dictionary, amounting to complete access to the instance.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='GRANT ANY PRIVILEGE' AND GRANTEE NOT IN ('DBA','SYS','IMP_FULL_DATABASE', 'DATAPUMP_IMP_FULL_DATABASE', 'DV_REALM_OWNER','EM_EXPRESS_ALL');
Lack of results implies compliance.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE GRANT ANY PRIVILEGE FROM <grantee>;
References:
1. http://docs.oracle.com/database/121/DBSEG/authorization.htm#DBSEG99945
CIS Controls:
Version 6
5.1 Minimize And Sparingly Use Administrative Privileges: Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.
4.4 Revoke Role Privileges
The recommendations within this section intend to revoke powerful roles where they are likely not needed.
4.4.1 Ensure 'DELETE_CATALOG_ROLE' Is Revoked from Unauthorized 'GRANTEE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database DELETE_CATALOG_ROLE grants the DELETE object privilege on the records of the system audit trail table (SYS.AUD$). Unauthorized grantees should not have that role.
Rationale:
Permitting unauthorized access to the DELETE_CATALOG_ROLE can allow the destruction of audit records vital to the forensic investigation of unauthorized activities.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS WHERE granted_role='DELETE_CATALOG_ROLE' AND GRANTEE NOT IN ('DBA','SYS');
Lack of results implies compliance.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE DELETE_CATALOG_ROLE FROM <grantee>;
References:
1. http://docs.oracle.com/database/121/DBSEG/authorization.htm#BABFCAFH
CIS Controls:
Version 6
6 Maintenance, Monitoring, and Analysis of Audit Logs
4.4.2 Ensure 'SELECT_CATALOG_ROLE' Is Revoked from Unauthorized 'GRANTEE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database SELECT_CATALOG_ROLE provides SELECT privileges on the data dictionary and dynamic performance views held in the SYS schema. Unauthorized grantees should not have that role.
Rationale:
Permitting unauthorized access to the SELECT_CATALOG_ROLE can allow the disclosure of all dictionary data (users, privileges, object definitions, configuration and audit settings).
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS WHERE granted_role='SELECT_CATALOG_ROLE' AND grantee not in ('DBA','SYS','IMP_FULL_DATABASE','EXP_FULL_DATABASE', 'OEM_MONITOR', 'SYSBACKUP','EM_EXPRESS_BASIC','SYSMAN');
Lack of results implies compliance.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE SELECT_CATALOG_ROLE FROM <grantee>;
References:
1. http://docs.oracle.com/database/121/DBSEG/authorization.htm#BABFCAFH
CIS Controls:
Version 6
5.1 Minimize And Sparingly Use Administrative Privileges: Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.
4.4.3 Ensure 'EXECUTE_CATALOG_ROLE' Is Revoked from Unauthorized 'GRANTEE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database EXECUTE_CATALOG_ROLE provides EXECUTE privileges on a number of packages and procedures in the data dictionary in the SYS schema. Unauthorized grantees should not have that role.
Rationale:
Permitting unauthorized access to the EXECUTE_CATALOG_ROLE can allow the disruption of operations through the invocation of SYS-owned procedures; this capability should be restricted according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS WHERE granted_role='EXECUTE_CATALOG_ROLE' AND grantee not in ('DBA','SYS','IMP_FULL_DATABASE','EXP_FULL_DATABASE');
Lack of results implies compliance.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE_CATALOG_ROLE FROM <grantee>;
References:
1. http://docs.oracle.com/database/121/DBSEG/authorization.htm#BABFCAFH
CIS Controls:
Version 6
5.1 Minimize And Sparingly Use Administrative Privileges: Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.
4.4.4 Ensure 'DBA' Is Revoked from Unauthorized 'GRANTEE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database DBA role is the default database administrator role provided for the allocation of administrative privileges. Unauthorized grantees should not have that role.
Rationale:
Assignment of the DBA role to an ordinary user can provide a great number of unnecessary privileges to that user and open the door to data breaches, integrity violations, and denial-of-service conditions.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS WHERE GRANTED_ROLE='DBA' AND GRANTEE NOT IN ('SYS','SYSTEM');
Lack of results implies compliance.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE DBA FROM <grantee>;
References:
1. http://docs.oracle.com/database/121/DBSEG/authorization.htm#DBSEG4414
CIS Controls:
Version 6
5.1 Minimize And Sparingly Use Administrative Privileges: Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.
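The audit queries in 4.3.x read direct grants in DBA_SYS_PRIVS and those in 4.4.x read direct grants in DBA_ROLE_PRIVS; neither follows roles granted to roles, so a user who holds a custom role that itself holds DBA or GRANT ANY ROLE passes every one of them. The following query is an added example, not part of the CIS benchmark: it walks the role hierarchy with a recursive subquery and reports each database user (and PUBLIC) that reaches one of the watched privileges or roles, directly or through a chain of roles, showing the chain. The watched lists are an illustration drawn from 4.3.8 to 4.4.4; widen them to the checks you run.

```sql
-- Added example, not part of the CIS benchmark.  Resolves system privileges and
-- roles that reach a grantee indirectly through roles granted to roles.  Oracle
-- rejects circular role grants, so the recursion terminates without a CYCLE clause.
WITH role_tree (holder, role_name, lvl, path) AS (
  -- anchor: every direct role grant (to a user, to PUBLIC, or to another role)
  SELECT grantee,
         granted_role,
         1,
         CAST(grantee || ' -> ' || granted_role AS VARCHAR2(4000))
  FROM   dba_role_privs
  UNION ALL
  -- recursive step: roles granted to the role reached so far
  SELECT rt.holder,
         rp.granted_role,
         rt.lvl + 1,
         CAST(rt.path || ' -> ' || rp.granted_role AS VARCHAR2(4000))
  FROM   role_tree rt
  JOIN   dba_role_privs rp ON rp.grantee = rt.role_name
),
findings AS (
  -- system privileges held directly (what the 4.3.x audits already see)
  SELECT grantee AS holder, 'SYS PRIV' AS kind, privilege AS name, 'DIRECT' AS via
  FROM   dba_sys_privs
  UNION ALL
  -- system privileges held by any role in the holder's role closure
  SELECT rt.holder, 'SYS PRIV', sp.privilege, rt.path
  FROM   role_tree rt
  JOIN   dba_sys_privs sp ON sp.grantee = rt.role_name
  UNION ALL
  -- roles held only through another role (direct grants are what 4.4.x sees)
  SELECT holder, 'ROLE', role_name, path
  FROM   role_tree
  WHERE  lvl > 1
)
SELECT f.holder, f.kind, f.name, f.via
FROM   findings f
LEFT   JOIN dba_users u ON u.username = f.holder
WHERE  (u.username IS NOT NULL OR f.holder = 'PUBLIC')   -- users, not roles;
                                                         -- PUBLIC means everyone
AND    f.holder NOT IN ('SYS', 'SYSTEM')
AND    (   (f.kind = 'SYS PRIV' AND f.name IN ('CREATE ANY LIBRARY', 'CREATE LIBRARY',
                                               'GRANT ANY OBJECT PRIVILEGE',
                                               'GRANT ANY ROLE', 'GRANT ANY PRIVILEGE'))
        OR (f.kind = 'ROLE'     AND f.name IN ('DBA', 'DELETE_CATALOG_ROLE',
                                               'SELECT_CATALOG_ROLE',
                                               'EXECUTE_CATALOG_ROLE')) )
ORDER  BY f.holder, f.kind, f.name, f.via;
```

Rows whose via is DIRECT duplicate what the benchmark's own audit queries return; the remaining rows are the gaps, and the chain tells you which role grant to revoke. Revoking a system privilege or role does not cascade: if the holder had it WITH ADMIN OPTION and re-granted it, those grants survive the REVOKE and show up as their own rows on the next run.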
4.5 Revoke Excessive Table and View Privileges
The recommendations within this section intend to revoke excessive table and view privileges.
4.5.1 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'AUD$' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database SYS.AUD$ table holds the records of the standard (traditional) audit trail: statement, privilege and object audit events such as ALTER, DROP, CREATE and audited accesses to objects. (Standard auditing records that a statement was issued, not the data values it touched; capturing the before and after values of DML requires trigger-based or fine-grained auditing.) Unauthorized grantees should not have full access to that table.
Rationale:
Permitting non-privileged users the authorization to manipulate the SYS.AUD$ table can allow distortion of the audit records, hiding unauthorized activities.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_TAB_PRIVS WHERE TABLE_NAME='AUD$' AND OWNER='SYS' AND GRANTEE NOT IN ('DELETE_CATALOG_ROLE');
Lack of results implies compliance.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE ALL ON SYS.AUD$ FROM <grantee>;
References:
1. http://docs.oracle.com/database/121/DBSEG/audit_admin.htm#DBSEG629
CIS Controls:
Version 6
6 Maintenance, Monitoring, and Analysis of Audit Logs
4.5.2 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'USER_HISTORY$' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database SYS.USER_HISTORY$ table contains the password change history of users. (The table is populated on password changes only if the user has a profile with a password reuse limit set, i.e., PASSWORD_REUSE_TIME or PASSWORD_REUSE_MAX set to something other than UNLIMITED.) Unauthorized grantees should not have full access to that table.
Rationale:
Permitting non-privileged users the authorization to manipulate the records in the SYS.USER_HISTORY$ table can allow distortion of the password history, and reading it exposes old password hashes; either can hide or enable unauthorized attacks on data confidentiality or integrity.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_TAB_PRIVS WHERE TABLE_NAME='USER_HISTORY$' AND OWNER = 'SYS';
Lack of results implies compliance.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE ALL ON SYS.USER_HISTORY$ FROM <grantee>;
References:
1. http://marcel.vandewaters.nl/oracle/database-oracle/password-history-reusing-a-password
Notes:
USER_HISTORY$ contains only the old, case-insensitive password hashes.
CIS Controls:
Version 6
5.1 Minimize And Sparingly Use Administrative Privileges: Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.
16.14 Encrypt/Hash All Authentication Files And Monitor Their Access: Verify that all authentication files are encrypted or hashed and that these files cannot be accessed without root or administrator privileges. Audit all access to password files in the system.
4.5.3 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'LINK$' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database SYS.LINK$ table stores the definitions of database links, including the stored credentials used to connect to the remote databases. Unauthorized grantees should not have full access to that table.
Rationale:
Permitting non-privileged users to view or manipulate the SYS.LINK$ table can allow capture of the stored link credentials and/or corruption of the database links the instance depends on.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_TAB_PRIVS WHERE TABLE_NAME='LINK$' AND GRANTEE NOT IN ('DV_SECANALYST') AND OWNER='SYS';
Lack of results implies compliance.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE ALL ON SYS.LINK$ FROM <grantee>;
CIS Controls:
Version 6
5.1 Minimize And Sparingly Use Administrative Privileges: Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.
16.14 Encrypt/Hash All Authentication Files And Monitor Their Access: Verify that all authentication files are encrypted or hashed and that these files cannot be accessed without root or administrator privileges. Audit all access to password files in the system.
4.5.4 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'SYS.USER$' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database SYS.USER$ table contains the users' hashed password information. Unauthorized grantees should not have full access to that table.
Rationale:
Permitting non-privileged users the authorization to read the SYS.USER$ table can allow the capture of password hashes for the later application of offline password cracking, breaching confidentiality.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_TAB_PRIVS WHERE TABLE_NAME='USER$' AND OWNER='SYS' AND GRANTEE NOT IN ('CTXSYS','XDB','APEX_030200','SYSMAN','APEX_040000', 'APEX_040100','APEX_040200','DV_SECANALYST','DVSYS','ORACLE_OCM');
Lack of results implies compliance.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE ALL ON SYS.USER$ FROM <grantee>;
References:
1. http://dba.stackexchange.com/questions/17513/what-do-the-columns-in-sys-user-represent
CIS Controls:
Version 6
5.1 Minimize And Sparingly Use Administrative Privileges: Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.
16.14 Encrypt/Hash All Authentication Files And Monitor Their Access: Verify that all authentication files are encrypted or hashed and that these files cannot be accessed without root or administrator privileges. Audit all access to password files in the system.
4.5.5 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'DBA_%' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database DBA_ views expose the information relevant to administering the database (users, privileges, objects, audit settings and so on). Unauthorized grantees should not have full access to those views.
Rationale:
Permitting users object privileges on the DBA_ views can expose sensitive data about the database's users, privileges and configuration.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT grantee||'.'||table_name FROM DBA_TAB_PRIVS WHERE TABLE_NAME LIKE 'DBA_%' AND GRANTEE NOT IN ('DBA','AUDIT_ADMIN','AUDIT_VIEWER','CAPTURE_ADMIN', 'DVSYS','SYSDG','DV_SECANALYST','SYSKM','DV_MONITOR', 'ORACLE_OCM','DV_ACCTMGR','GSMADMIN_INTERNAL','XDB', 'SYS','APPQOSSYS','AQ_ADMINISTRATOR_ROLE','CTXSYS', 'EXFSYS','MDSYS','OLAP_XS_ADMIN','OLAPSYS','ORDSYS', 'OWB$CLIENT','OWBSYS','SELECT_CATALOG_ROLE', 'WM_ADMIN_ROLE','WMSYS','XDBADMIN','LBACSYS', 'ADM_PARALLEL_EXECUTE_TASK','CISSCANROLE') AND NOT REGEXP_LIKE(grantee,'^APEX_0[3-9][0-9][0-9][0-9][0-9]$');
Lack of results implies compliance.
Note: An organization should perform proper impact analysis before revoking grants on DBA_ objects.
Remediation:
Replace <DBA_ view> and <Non-DBA/SYS grantee> in the statement below with the view name(s) and the Oracle login(s) or role(s) returned by the associated audit procedure, and execute it once for each pair:
REVOKE ALL ON <DBA_ view> FROM <Non-DBA/SYS grantee>;
References:
1. http://docs.oracle.com/database/121/REFRN/GUID-10024282-6729-4C66-8679-FD653C9C7DE7.htm#REFRN-GUID-10024282-6729-4C66-8679-FD653C9C7DE7
CIS Controls:
Version 6
5.1 Minimize And Sparingly Use Administrative Privileges: Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.
4.5.6 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'SYS.SCHEDULER$_CREDENTIAL' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database SYS.SCHEDULER$_CREDENTIAL table contains the credentials stored for use by database scheduler jobs. Unauthorized grantees should not have full access to that table.
Rationale:
Permitting non-privileged users the authorization to read the SYS.SCHEDULER$_CREDENTIAL table could expose the stored credentials to compromise and reuse.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_TAB_PRIVS WHERE TABLE_NAME='SCHEDULER$_CREDENTIAL' AND OWNER='SYS';
Lack of results implies compliance.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE ALL ON SYS.SCHEDULER$_CREDENTIAL FROM <grantee>;
References:
1. http://docs.oracle.com/database/121/ADMIN/schedadmin.htm#ADMIN12073
2. http://berxblog.blogspot.de/2012/02/restore-dbmsschedulercreatecredential.html
Notes:
The *_SCHEDULER_CREDENTIALS views are deprecated in Oracle Database 12c, but remain available for reasons of backward compatibility.
CIS Controls:
Version 6
5.1 Minimize And Sparingly Use Administrative Privileges: Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.
16.14 Encrypt/Hash All Authentication Files And Monitor Their Access: Verify that all authentication files are encrypted or hashed and that these files cannot be accessed without root or administrator privileges. Audit all access to password files in the system.
4.5.7 Ensure 'SYS.USER$MIG' Has Been Dropped (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The table SYS.USER$MIG is created during a migration (upgrade) and holds a copy of the Oracle password hashes as they were before the migration started. This table should be dropped.
Rationale:
The table SYS.USER$MIG is not deleted automatically after the migration, so an attacker who can read it obtains the Oracle password hashes it contains.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT OWNER, TABLE_NAME FROM ALL_TABLES WHERE OWNER='SYS' AND TABLE_NAME='USER$MIG';
Lack of results implies compliance.
Remediation:
To remediate this setting, execute the following SQL statement.
DROP TABLE SYS.USER$MIG;
CIS Controls:
Version 6
16.14 Encrypt/Hash All Authentication Files And Monitor Their Access: Verify that all authentication files are encrypted or hashed and that these files cannot be accessed without root or administrator privileges. Audit all access to password files in the system.
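The checks in 4.5.1 to 4.5.6 each run one query per SYS table. The following query is an added example, not part of the CIS benchmark: it covers those tables in one pass, always qualified by OWNER = 'SYS' (an unqualified TABLE_NAME match would also hit a same-named table in another schema), expresses the benchmark's per-table exceptions as data, classifies each grantee (a REVOKE ... FROM a role and FROM a user look alike but reach different people), flags grants made WITH GRANT OPTION, and emits a REVOKE statement for review. The exception pairs mirror the 4.5.x lists; the APEX rule generalizes the four APEX_0xxxxx schemas listed under 4.5.4 with the same regular expression the benchmark uses in 4.5.5 and 4.7.

```sql
-- Added example, not part of the CIS benchmark.  One pass over DBA_TAB_PRIVS for
-- the SYS tables covered by 4.5.1 to 4.5.6.  Keep the watched/allowed lists in
-- step with the benchmark text for your release.
WITH watched (table_name) AS (
  SELECT 'AUD$'                  FROM dual UNION ALL
  SELECT 'USER_HISTORY$'         FROM dual UNION ALL
  SELECT 'LINK$'                 FROM dual UNION ALL
  SELECT 'USER$'                 FROM dual UNION ALL
  SELECT 'SCHEDULER$_CREDENTIAL' FROM dual
),
allowed (table_name, grantee) AS (
  -- grantees the benchmark accepts for a given table
  SELECT 'AUD$',  'DELETE_CATALOG_ROLE' FROM dual UNION ALL
  SELECT 'LINK$', 'DV_SECANALYST'       FROM dual UNION ALL
  SELECT 'USER$', 'CTXSYS'              FROM dual UNION ALL
  SELECT 'USER$', 'XDB'                 FROM dual UNION ALL
  SELECT 'USER$', 'SYSMAN'              FROM dual UNION ALL
  SELECT 'USER$', 'DV_SECANALYST'       FROM dual UNION ALL
  SELECT 'USER$', 'DVSYS'               FROM dual UNION ALL
  SELECT 'USER$', 'ORACLE_OCM'          FROM dual
)
SELECT tp.table_name,
       tp.grantee,
       CASE WHEN tp.grantee = 'PUBLIC'  THEN 'PUBLIC'    -- everyone has it
            WHEN u.username IS NOT NULL THEN 'USER'
            WHEN r.role     IS NOT NULL THEN 'ROLE'
            ELSE 'UNKNOWN' END                            AS grantee_type,
       tp.privilege,
       tp.grantable,                                      -- YES: may have re-granted it
       'REVOKE ' || tp.privilege || ' ON SYS.' || tp.table_name
                 || ' FROM ' || tp.grantee || ';'         AS revoke_stmt
FROM   dba_tab_privs tp
JOIN   watched w        ON w.table_name = tp.table_name
LEFT   JOIN dba_users u ON u.username   = tp.grantee
LEFT   JOIN dba_roles r ON r.role       = tp.grantee
WHERE  tp.owner = 'SYS'                                   -- never match on name alone
AND    NOT EXISTS (SELECT 1 FROM allowed a
                   WHERE  a.table_name = tp.table_name AND a.grantee = tp.grantee)
AND    NOT (tp.table_name = 'USER$' AND REGEXP_LIKE(tp.grantee, '^APEX_0[3-9][0-9]{4}$'))
ORDER  BY tp.table_name, tp.grantee, tp.privilege;
```

Revoking an object privilege cascades: if the grantee held it with GRANTABLE = YES and passed it on, the dependent grants are removed with it, so one REVOKE per reported row is enough. Revoking a system privilege or a role does not cascade, which is why the role and system-privilege findings in 4.3 and 4.4 have to be re-checked after remediation.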
4.6 Ensure '%ANY%' Is Revoked from Unauthorized 'GRANTEE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
System privileges whose name contains the keyword ANY (for example SELECT ANY TABLE or CREATE ANY PROCEDURE) apply to objects in every schema of the database rather than only to the grantee's own schema. Unauthorized grantees should not have such privileges.
Rationale:
Authorization to use the ANY form of a privilege can allow an unauthorized user to read or change confidential data in other schemas or to damage the data dictionary.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE LIKE '%ANY%' AND GRANTEE NOT IN ('AQ_ADMINISTRATOR_ROLE','DBA','DBSNMP','EXFSYS', 'EXP_FULL_DATABASE','IMP_FULL_DATABASE', 'DATAPUMP_IMP_FULL_DATABASE','JAVADEBUGPRIV','MDSYS', 'OEM_MONITOR','OLAPSYS','OLAP_DBA','ORACLE_OCM','OWB$CLIENT', 'OWBSYS','SCHEDULER_ADMIN','SPATIAL_CSW_ADMIN_USR', 'SPATIAL_WFS_ADMIN_USR','SYS','SYSMAN','SYSTEM','WMSYS', 'APEX_030200','APEX_040000','APEX_040100','APEX_040200','LBACSYS', 'SYSBACKUP','CTXSYS','OUTLN','DVSYS','ORDPLUGINS','ORDSYS', 'RECOVERY_CATALOG_OWNER_VPD','GSMADMIN_INTERNAL','XDB','SYSDG', 'AUDIT_ADMIN','DV_OWNER','DV_REALM_OWNER','EM_EXPRESS_ALL', 'RECOVERY_CATALOG_OWNER','APEX_050000','SYSMAN_STB', 'SYSMAN_TYPES');
Lack of results implies compliance.
Remediation:
To remediate this setting, execute the following SQL statement for each privilege and grantee returned by the audit procedure.
REVOKE <ANY privilege> FROM <grantee>;
References:
1. http://docs.oracle.com/database/121/DBSEG/authorization.htm#DBSEG99877
CIS Controls:
Version 6
14.4 Protect Information With Access Control Lists: All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
4.7 Ensure 'DBA_SYS_PRIVS.%' Is Revoked from Unauthorized 'GRANTEE' with 'ADMIN_OPTION' Set to 'YES' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
A system privilege granted WITH ADMIN OPTION allows the grantee to grant that same privilege to other users and roles (and to revoke it from them). Unauthorized grantees should not hold privileges with that option.
Rationale:
Assignment of a privilege WITH ADMIN OPTION can allow the grantee to pass a restricted privilege on to an unauthorized user.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE ADMIN_OPTION='YES' AND GRANTEE not in ('AQ_ADMINISTRATOR_ROLE','DBA','OWBSYS', 'SCHEDULER_ADMIN','SYS','SYSTEM','WMSYS', 'DVSYS','SYSKM','DV_ACCTMGR') AND NOT REGEXP_LIKE(grantee,'^APEX_0[3-9][0-9][0-9][0-9][0-9]$');
Lack of results implies compliance.
Remediation:
To remediate this setting, execute the following SQL statement; if the grantee still requires the privilege itself, grant it again afterwards without the ADMIN OPTION.
REVOKE <privilege> FROM <grantee>;
CIS Controls:
Version 6
5.1 Minimize And Sparingly Use Administrative Privileges: Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.
4.8 Ensure Proxy Users Have Only 'CONNECT' Privilege (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
Do not grant privileges other than CONNECT (that is, the ability to create a session) directly to proxy users.
Rationale:
A proxy user exists to open a session on behalf of a client account; it should only be able to connect to the database, unless the organization has a documented need for more. Any privilege granted to the proxy account itself applies whenever that account connects, not only when it is proxying.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT GRANTEE,GRANTED_ROLE FROM DBA_ROLE_PRIVS WHERE GRANTEE IN (SELECT PROXY FROM DBA_PROXIES) AND GRANTED_ROLE NOT IN ('CONNECT') UNION SELECT GRANTEE,PRIVILEGE FROM DBA_SYS_PRIVS WHERE GRANTEE IN (SELECT PROXY FROM DBA_PROXIES) AND PRIVILEGE NOT IN ('CREATE SESSION') UNION SELECT GRANTEE,PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE IN (SELECT PROXY FROM DBA_PROXIES);
Lack of results implies compliance.
Remediation:
To remediate this setting, execute the following SQL statement for each privilege or role returned by the audit procedure (other than CONNECT and CREATE SESSION).
REVOKE <privilege> FROM <proxy_user>;
CIS Controls:
Version 6
16 Account Monitoring and Control
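The following script is an added example, not part of the CIS benchmark: a proxy account set up the way 4.8 expects, with the weak variant shown commented out beside the corrected one. The proxy itself can only open a session; every privilege the application uses lives on the schema it proxies into and is narrowed to one role. The account, schema, role and table names (app_proxy, app_owner, app_role, app_owner.orders) are illustrative and the password is a placeholder.

```sql
-- Added example, not part of the CIS benchmark.  Names are illustrative.

-- The proxy account: CREATE SESSION and nothing else.
CREATE USER app_proxy IDENTIFIED BY "replace-me-Now1";
GRANT CREATE SESSION TO app_proxy;

-- What 4.8 flags, shown commented out: privileges on the proxy account itself.
-- They apply whenever app_proxy logs in directly, not only when proxying.
-- GRANT SELECT ANY TABLE TO app_proxy;
-- GRANT app_role TO app_proxy;

-- The role the application actually needs, held by the target schema ...
CREATE ROLE app_role;
GRANT SELECT, INSERT, UPDATE ON app_owner.orders TO app_role;
GRANT app_role TO app_owner;

-- ... and the proxy authorization, restricted to that one role.  Without
-- WITH ROLE the proxied session receives all of app_owner's default roles.
ALTER USER app_owner GRANT CONNECT THROUGH app_proxy WITH ROLE app_role;

-- The client connects as app_proxy[app_owner] with app_proxy's password;
-- inside the session both identities are visible:
SELECT SYS_CONTEXT('USERENV', 'PROXY_USER')   AS proxy_user,
       SYS_CONTEXT('USERENV', 'SESSION_USER') AS session_user
FROM   dual;

-- Review every proxy authorization on the database.
SELECT proxy, client, authentication, authorization_constraint, role
FROM   dba_proxies
ORDER  BY proxy, client;

-- The 4.8 audit, narrowed to one proxy account: anything beyond
-- CREATE SESSION / CONNECT is a finding.
SELECT 'ROLE' AS kind, granted_role AS name
FROM   dba_role_privs
WHERE  grantee = 'APP_PROXY' AND granted_role <> 'CONNECT'
UNION ALL
SELECT 'SYS PRIV', privilege
FROM   dba_sys_privs
WHERE  grantee = 'APP_PROXY' AND privilege <> 'CREATE SESSION'
UNION ALL
SELECT 'OBJ PRIV', privilege || ' ON ' || owner || '.' || table_name
FROM   dba_tab_privs
WHERE  grantee = 'APP_PROXY';

-- To withdraw the authorization later:
-- ALTER USER app_owner REVOKE CONNECT THROUGH app_proxy;
```

In 12c the CONNECT role itself carries only CREATE SESSION (plus SET CONTAINER), which is why the audit query treats CONNECT and CREATE SESSION as equivalent. Note that the proxy's own password is what the client presents, so the proxy account must be subject to the same profile and password controls as any other login.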
4.9 Ensure 'EXECUTE ANY PROCEDURE' Is Revoked from 'OUTLN' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
Remove the EXECUTE ANY PROCEDURE privilege from OUTLN; the account does not need it.
Rationale:
Databases migrated (upgraded) from earlier releases can leave OUTLN holding EXECUTE ANY PROCEDURE, which is more privilege than the account requires.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='EXECUTE ANY PROCEDURE' AND GRANTEE='OUTLN';
Lack of results implies compliance.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ANY PROCEDURE FROM OUTLN;
CIS Controls:
Version 6
5.1 Minimize And Sparingly Use Administrative Privileges: Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.
4.10 Ensure 'EXECUTE ANY PROCEDURE' Is Revoked from 'DBSNMP' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
Remove the EXECUTE ANY PROCEDURE privilege from DBSNMP; the account does not need it.
Rationale:
Databases migrated (upgraded) from earlier releases can leave DBSNMP holding EXECUTE ANY PROCEDURE, which is more privilege than the account requires.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='EXECUTE ANY PROCEDURE' AND GRANTEE='DBSNMP';
Lack of results implies compliance.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ANY PROCEDURE FROM DBSNMP;
CIS Controls:
Version 6
5.1 Minimize And Sparingly Use Administrative Privileges: Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.
5 Audit/Logging Policies and Procedures
The ability to audit database activities is among the most important of all database security features. Decisions must be made regarding the scope of auditing, since auditing has costs: in storage for the audit trail, in performance impact on audited operations, and perhaps on the database or system in general. There is also the additional cost to manage (store, back up, secure) and review the data in the audit trail.
Measures must be taken to protect the audit trail itself, for it may be targeted for alteration or destruction to hide unauthorized activity. For an audit destination outside the database, the recommendations are elsewhere in this document. Auditing recommendations for potential database audit destinations are below.
Auditing "by session" typically creates fewer (prior to 11g, when BY SESSION still consolidated records) and slightly smaller audit records, but is discouraged in most situations since there is some loss of fidelity (e.g. the object privilege GRANTEE). More detailed auditing creates larger audit records. The AUDIT_TRAIL initialization parameter (DB or XML, EXTENDED or not) is the main determining factor for the size of a given audit record, and a notable factor in the performance cost, although the largest performance difference is DB versus OS or XML.
This section deals with standard Oracle auditing, since auditing of privileged connections (AS SYSDBA or AS SYSOPER) is configured via the AUDIT_SYS_OPERATIONS initialization parameter and is otherwise not configurable. The basic types of standard auditing are object, statement and privilege auditing, and each behaves differently.
Object auditing applies to the specific objects for which it is invoked and always applies to all users. This type of auditing is usually employed to audit application-specific sensitive objects, but can also be used to protect the audit trail in the database.
Privilege auditing audits the use of specific system privileges, but typically only if the user actually possesses the audited privilege. Attempts that fail for lack of the audited privilege are typically not audited. This is the main weakness of privilege auditing and why statement auditing is usually preferred, if the option exists.
Statement auditing audits the issuance of certain types of statements, usually without regard to privilege or lack thereof. Both privilege and statement audits may be specified for specific users or all users (the default).
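The following script is an added example, not part of the CIS benchmark, that puts the three kinds of standard auditing described above side by side, narrows one of them the way the last paragraph allows, adds the object audit that protects the audit trail, and reads the records back. The schema and table (hr.employees) and the user app_batch are illustrative and must exist for the statements to run; reading SQL_TEXT from DBA_AUDIT_TRAIL assumes AUDIT_TRAIL is set to DB,EXTENDED.

```sql
-- Added example, not part of the CIS benchmark.  Names are illustrative.

-- 1. Object auditing: one object, every user (it cannot be limited by user).
--    Records each SELECT/UPDATE/DELETE against the table, success or failure.
AUDIT SELECT, UPDATE, DELETE ON hr.employees BY ACCESS;

-- 2. Privilege auditing: the use of a system privilege.  A user who lacks
--    CREATE ANY TABLE and tries to create a table in another schema fails with
--    ORA-01031 and is NOT recorded here, because the privilege was never used.
AUDIT CREATE ANY TABLE BY ACCESS;

-- 3. Statement auditing: the statement class, whoever issues it and whichever
--    privilege (if any) they hold.  The failed attempt above IS recorded here.
--    BY ACCESS keeps one record per statement, which the 5.1 checks require.
AUDIT TABLE BY ACCESS;

-- Privilege and statement audits can be narrowed to named users and to
-- failures only when the full volume is not wanted:
AUDIT TABLE BY app_batch BY ACCESS WHENEVER NOT SUCCESSFUL;

-- Protect the trail itself: a DELETE or UPDATE on SYS.AUD$ writes its own audit
-- record, complementing DELETE_CATALOG_ROLE (4.4.1), which limits who may
-- delete from it at all.
AUDIT DELETE, UPDATE ON sys.aud$ BY ACCESS;

-- Read back the last day.  RETURNCODE 0 is success; 1031 is the
-- "insufficient privileges" failure that only statement auditing captures.
-- PRIV_USED shows which system privilege, if any, authorized the action.
SELECT timestamp, username, userhost, action_name, owner, obj_name,
       priv_used, returncode, sql_text
FROM   dba_audit_trail
WHERE  timestamp > SYSDATE - 1
ORDER  BY timestamp;
```

To see the difference between the second and third statements, run CREATE TABLE other_schema.t (x NUMBER) as a user without CREATE ANY TABLE and then query the trail: the ORA-01031 attempt appears with ACTION_NAME = 'CREATE TABLE' and RETURNCODE = 1031 because of the statement audit, and would be absent if only the privilege audit were in place.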
5.1 Traditional Auditing
The recommendations in this section should be followed if traditional auditing is implemented.
5.1.1 Ensure the 'USER' Audit Option Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
Description:
The USER object allows for creating accounts that can interact with the database according to the roles and privileges allotted to the account. It may also own database objects. Enabling the audit option causes auditing of all activities and requests to create, drop or alter a user, including a user changing their own password. (The latter is not audited by AUDIT ALTER USER.)
Rationale:
Any unauthorized attempt to create, drop or alter a user should cause concern, whether successful or not. Auditing can also be useful in forensics if an account is compromised, and auditing is mandated by many common security initiatives. An abnormally high number of these activities in a given period might be worth investigation. Any failed attempt to drop a user or create a user may be worth further review.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='USER' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
AUDIT USER;
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting: Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
5.1.2 Ensure the 'ROLE' Audit Option Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
Description:
The ROLE object allows for the creation of a set of privileges that can be granted to users or other roles. Enabling the audit option causes auditing of all attempts, successful or not, to create, drop, alter or set roles.
Rationale:
Roles are a key database security infrastructure component. Any attempt to create, drop or alter a role should be audited. This statement auditing option also audits attempts, successful or not, to set a role in a session. Any unauthorized attempts to create, drop or alter a role may be worthy of investigation. Attempts to set a role by users who have not been granted the role may warrant investigation.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='ROLE' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting:
AUDIT ROLE;
Notes:
This option does not audit role grants and revokes; those are covered by the SYSTEM GRANT audit option (5.1.3).
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting: Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
5.1.3 Ensure the 'SYSTEM GRANT' Audit Option Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
Description:
Enabling the audit option for the SYSTEM GRANT object causes auditing of any attempt, successful or not, to grant or revoke any system privilege or role, regardless of the privilege held by the user attempting the operation.
Rationale:
Logging of all grants and revokes (roles and system privileges) can provide forensic evidence about a pattern of suspect or unauthorized activities. Any unauthorized attempt may be cause for further investigation.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='SYSTEM GRANT' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
AUDIT SYSTEM GRANT;
CIS Controls:
Version 6
5.4 Log Administrative User Addition And Removal: Configure systems to issue a log entry and alert when an account is added to or removed from a domain administrators' group, or when a new local administrator account is added on a system.
200|P a g e
5.1.4 Ensure the 'PROFILE' Audit Option Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
Description:
The PROFILE object allows for the creation of a set of database resource limits that can be assigned to a user, so that that user cannot exceed those resource limitations. Enabling the audit option causes auditing of all attempts, successful or not, to create, drop or alter any profile.
Rationale:
As profiles are part of the database security infrastructure, auditing the creation, modification, and deletion of profiles is recommended.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='PROFILE' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
AUDIT PROFILE;
Notes:
The statement auditing option audit PROFILE audits everything that the three privilege audits audit CREATE PROFILE, audit DROP PROFILE and audit ALTER PROFILE do, but also audits:
1. Attempts to create a profile by a user without the CREATE PROFILE system privilege.
2. Attempts to drop a profile by a user without the DROP PROFILE system privilege.
3. Attempts to alter a profile by a user without the ALTER PROFILE system privilege.
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
5.1.5 Ensure the 'DATABASE LINK' Audit Option Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
Description:
Enabling the audit option for the DATABASE LINK object causes all activities on database links to be audited.
Rationale:
As the logging of user activities involving the creation or dropping of a DATABASE LINK can provide forensic evidence about a pattern of unauthorized activities, the audit capability should be enabled.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='DATABASE LINK' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
AUDIT DATABASE LINK;
References:
1. http://docs.oracle.com/database/121/DBSEG/audit_config.htm#DBSEG1115
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
5.1.6 Ensure the 'PUBLIC DATABASE LINK' Audit Option Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
Description:
The PUBLIC DATABASE LINK object allows for the creation of a public link for an application-based "user" to access the database for connections/session creation. Enabling the audit option causes all user activities involving the creation, alteration, or dropping of public links to be audited.
Rationale:
As the logging of user activities involving the creation, alteration, or dropping of a PUBLIC DATABASE LINK can provide forensic evidence about a pattern of unauthorized activities, the audit capability should be enabled.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='PUBLIC DATABASE LINK' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
AUDIT PUBLIC DATABASE LINK;
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
5.1.7 Ensure the 'PUBLIC SYNONYM' Audit Option Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
Description:
The PUBLIC SYNONYM object allows for the creation of an alternate description of an object. Public synonyms are accessible by all users that have the appropriate privileges to the underlying object. Enabling the audit option causes all user activities involving the creation or dropping of public synonyms to be audited.
Rationale:
As the logging of user activities involving the creation or dropping of a PUBLIC SYNONYM can provide forensic evidence about a pattern of unauthorized activities, the audit capability should be enabled.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='PUBLIC SYNONYM' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
AUDIT PUBLIC SYNONYM;
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
5.1.8 Ensure the 'SYNONYM' Audit Option Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
Description:
The SYNONYM operation allows for the creation of an alternative name for a database object such as a Java class schema object, materialized view, operator, package, procedure, sequence, stored function, table, view, user-defined object type, or even another synonym. This synonym puts a dependency on its target and is rendered invalid if the target object is changed/dropped. Enabling the audit option causes all user activities involving the creation or dropping of synonyms to be audited.
Rationale:
As the logging of user activities involving the creation or dropping of a SYNONYM can provide forensic evidence about a pattern of suspect/unauthorized activities, the audit capability should be enabled.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='SYNONYM' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
AUDIT SYNONYM;
References:
1. http://docs.oracle.com/database/121/DBSEG/audit_config.htm#DBSEG1115
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
5.1.9 Ensure the 'DIRECTORY' Audit Option Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
Description:
The DIRECTORY object allows for the creation of a directory object that specifies an alias for a directory on the server file system, where the external binary file LOBs (BFILEs)/table data are located. Enabling this audit option causes all user activities involving the creation or dropping of a directory alias to be audited.
Rationale:
As the logging of user activities involving the creation or dropping of a DIRECTORY can provide forensic evidence about a pattern of unauthorized activities, the audit capability should be enabled.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='DIRECTORY' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
AUDIT DIRECTORY;
References:
1. http://docs.oracle.com/database/121/SQLRF/statements_4007.htm#SQLRF01107
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
5.1.10 Ensure the 'SELECT ANY DICTIONARY' Audit Option Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
Description:
The SELECT ANY DICTIONARY capability allows the user to view the definitions of all schema objects in the database. Enabling the audit option causes all user activities involving this capability to be audited.
Rationale:
As the logging of user activities involving the capability to access the description of all schema objects in the database can provide forensic evidence about a pattern of unauthorized activities, the audit capability should be enabled.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='SELECT ANY DICTIONARY' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
AUDIT SELECT ANY DICTIONARY;
References:
1. http://docs.oracle.com/database/121/DBSEG/guidelines.htm#DBSEG500
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
5.1.11 Ensure the 'GRANT ANY OBJECT PRIVILEGE' Audit Option Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
Description:
GRANT ANY OBJECT PRIVILEGE allows the user to grant or revoke any object privilege, which includes privileges on tables, directories, mining models, etc. Enabling this audit option causes auditing of all uses of that privilege.
Rationale:
Logging of privilege grants that can lead to the creation, alteration, or deletion of critical data, the modification of objects, object privilege propagation and other such activities can be critical to forensic investigations.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE, SUCCESS, FAILURE FROM DBA_PRIV_AUDIT_OPTS WHERE PRIVILEGE='GRANT ANY OBJECT PRIVILEGE' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
AUDIT GRANT ANY OBJECT PRIVILEGE;
Notes:
This does NOT audit all attempts to grant or revoke object privileges since this can also be done by anyone who was granted an object privilege with the grant option. Also, this never creates an audit record for anyone who does not hold the GRANT ANY OBJECT PRIVILEGE system privilege. Therefore, many attempts, successful or not, to grant and revoke object privileges are not audited by this.
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
5.1.12 Ensure the 'GRANT ANY PRIVILEGE' Audit Option Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
Description:
GRANT ANY PRIVILEGE allows a user to grant any system privilege, including the most powerful privileges typically available only to administrators - to change the security infrastructure, to drop/add/modify users and more.
Rationale:
Auditing the use of this privilege is part of a comprehensive auditing policy that can help in detecting issues and can be useful in forensics.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE, SUCCESS, FAILURE FROM DBA_PRIV_AUDIT_OPTS WHERE PRIVILEGE='GRANT ANY PRIVILEGE' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
AUDIT GRANT ANY PRIVILEGE;
Notes:
This does NOT audit all attempts to grant or revoke system privileges since this can also be done by anyone who was granted a system privilege with the admin option. Also, this never creates an audit record for anyone who does not hold the GRANT ANY PRIVILEGE system privilege. Thus, many attempts, successful or not, to grant and revoke system privileges are not audited by this.
CIS Controls:
Version 6
5.4 Log Administrative User Addition And Removal
Configure systems to issue a log entry and alert when an account is added to or removed from a domain administrators’ group, or when a new local administrator account is added on a system.
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
5.1.13 Ensure the 'DROP ANY PROCEDURE' Audit Option Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
Description:
The AUDIT DROP ANY PROCEDURE command audits the dropping of procedures. Enabling the option causes auditing of all such activities.
Rationale:
Dropping procedures of another user could be part of a privilege escalation exploit and should be audited.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='DROP ANY PROCEDURE' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
AUDIT DROP ANY PROCEDURE;
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
5.1.14 Ensure the 'ALL' Audit Option on 'SYS.AUD$' Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
Description:
The logging of attempts to alter the audit trail in the SYS.AUD$ table (open for read/update/delete/view) will provide a record of any activities that may indicate unauthorized attempts to access the audit trail. Enabling the audit option will cause these activities to be audited.
Rationale:
As the logging of attempts to alter the SYS.AUD$ table can provide forensic evidence of the initiation of a pattern of unauthorized activities, this logging capability should be enabled.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT * FROM DBA_OBJ_AUDIT_OPTS WHERE OBJECT_NAME='AUD$' AND ALT='A/A' AND AUD='A/A' AND COM='A/A' AND DEL='A/A' AND GRA='A/A' AND IND='A/A' AND INS='A/A' AND LOC='A/A' AND REN='A/A' AND SEL='A/A' AND UPD='A/A' AND FBK='A/A';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
AUDIT ALL ON SYS.AUD$ BY ACCESS;
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
5.1.15 Ensure the 'PROCEDURE' Audit Option Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
Description:
In this statement audit, PROCEDURE means any procedure, function, package or library. Enabling this audit option causes any attempt, successful or not, to create or drop any of these types of objects to be audited, regardless of privilege or lack thereof. Java schema objects (sources, classes, and resources) are considered the same as procedures for the purposes of auditing SQL statements.
Rationale:
Any unauthorized attempts to create or drop a procedure in another's schema should cause concern, whether successful or not. Changes to critical stored code can dramatically change the behavior of the application and produce serious security consequences, including enabling privilege escalation and introducing SQL injection vulnerabilities. Audit records of such changes can be helpful in forensics.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='PROCEDURE' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
AUDIT PROCEDURE;
Notes:
Not all auditing options work alike. In particular, the statement auditing option audit PROCEDURE does indeed audit create and drop library as well as all types of procedures and java schema objects. However, privilege audits do not work this way. So, for example, none of audit CREATE ANY PROCEDURE, audit DROP ANY PROCEDURE, or audit CREATE PROCEDURE will audit create or drop library activities. In statement auditing, PROCEDURE has a larger scope than in privilege auditing, where it is specific to functions, packages and procedures, but excludes libraries and perhaps other object types.
Audit PROCEDURE does not audit altering procedures, either in your own schema or in another via the ALTER ANY PROCEDURE system privilege. There seems to be no statement audit that is a better replacement for Audit ALTER ANY PROCEDURE, but beware that it will not create any audit records for users that do not have the privilege. Thus, attempts to alter procedures in one's own schema are never audited, and attempts to alter procedures in another's schema that fail for lack of the ALTER ANY PROCEDURE privilege are not audited. This is simply a weakness in the current state of Oracle auditing. Fortunately, though, all that the ALTER command can be used for regarding procedures, functions, packages and libraries is compile options, so the inability to comprehensively audit alter procedure activities and requests is not as bad as it would be for other object types (USER, PROFILE, etc.)
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
5.1.16 Ensure the 'ALTER SYSTEM' Audit Option Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
Description:
ALTER SYSTEM allows one to change instance settings, including security settings and auditing options. Additionally, ALTER SYSTEM can be used to run operating system commands using undocumented Oracle functionality. Enabling the audit option will audit all attempts to perform ALTER SYSTEM, whether successful or not and regardless of whether or not the ALTER SYSTEM privilege is held by the user attempting the action.
Rationale:
Any unauthorized attempt to alter the system should be cause for concern. Alterations outside of some specified maintenance window may be of concern. In forensics, these audit records could be quite useful.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='ALTER SYSTEM' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
AUDIT ALTER SYSTEM;
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
5.1.17 Ensure the 'TRIGGER' Audit Option Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
Description:
A TRIGGER may be used to modify DML actions or invoke other (recursive) actions when some types of user-initiated actions occur. Enabling this audit option will cause auditing of any attempt, successful or not, to create, drop, enable or disable any schema trigger in any schema regardless of privilege or lack thereof. For enabling and disabling a trigger, it covers both ALTER TRIGGER and ALTER TABLE.
Rationale:
Triggers are often part of schema security, data validation and other critical constraints upon actions and data. A trigger in another schema may be used to escalate privileges, redirect operations, transform data and perform other sorts of perhaps undesired actions. Any unauthorized attempt to create, drop or alter a trigger in another schema may be cause for investigation.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='TRIGGER' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
AUDIT TRIGGER;
Notes:
There is no current CIS recommendation to audit the use of the system privilege CREATE TRIGGER, as there is for CREATE SYNONYM, CREATE PROCEDURE and some other types of objects, so this is actually a scope escalation also - to audit such actions in one's own schema. However, this is the only way to comprehensively audit things like attempts to create, drop or alter triggers in another's schema if the user attempting the operation does not hold the required ANY privilege - and these are exactly the sorts of things that should raise a large red flag.
The statement auditing option audit TRIGGER audits almost everything that the three privilege audits audit CREATE ANY TRIGGER, audit ALTER ANY TRIGGER and audit DROP ANY TRIGGER do, but also audits:
1. Statements to create, drop, enable or disable a trigger in the user's own schema.
2. Attempts to create a trigger by a user without the CREATE TRIGGER system privilege.
3. Attempts to create a trigger in another schema by users without the CREATE ANY TRIGGER privilege.
4. Attempts to drop a trigger in another schema by users without the DROP ANY TRIGGER privilege.
5. Attempts to disable or enable a trigger in another schema by users without the ALTER ANY TRIGGER privilege.
The one thing that is audited by any of the three privilege audits that is not audited by this is ALTER TRIGGER ... COMPILE if the trigger is in another's schema, which is audited by audit ALTER ANY TRIGGER, but only if the user attempting the alteration actually holds the ALTER ANY TRIGGER system privilege. Audit TRIGGER only audits ALTER TABLE or ALTER TRIGGER statements used to enable or disable triggers. It does not audit ALTER TRIGGER or ALTER TABLE statements used only with compile options.
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
5.1.18 Ensure the 'CREATE SESSION' Audit Option Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
Description:
Enabling this audit option will cause auditing of all attempts to connect to the database, whether successful or not, as well as audit session disconnects/logoffs. The commands to audit SESSION, CONNECT or CREATE SESSION all accomplish the same thing - they initiate statement auditing of the connect statement used to create a database session.
Rationale:
Auditing attempts to connect to the database is basic and mandated by most security initiatives. Any attempt to logon to a locked account, failed attempts to logon to default accounts or an unusually high number of failed logon attempts of any sort, for any user, in a particular time period may indicate an intrusion attempt. In forensics, the logon record may be first in a chain of evidence and contain information found in no other type of audit record for the session. Logon and logoff in the audit trail define the period and duration of the session.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='CREATE SESSION' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
AUDIT SESSION;
Notes:
Although listed in the documentation as a privilege audit, audit CREATE SESSION actually audits the CONNECT statement. This is evidenced by the undocumented audit CONNECT which has the same result as audit SESSION or audit CREATE SESSION. There is no system privilege named either SESSION or CONNECT (CONNECT is a role, not a system privilege). Also, it behaves as statement auditing rather than privilege auditing in that it audits all attempts to create a session, even if the user does not hold the CREATE SESSION system privilege.
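The rationale above names the logon patterns worth watching: attempts against locked accounts and an unusually high number of failed logons in a period. The following queries, added here as an example and not part of the CIS benchmark, review the records that AUDIT SESSION produces through the DBA_AUDIT_SESSION view. They assume traditional auditing with AUDIT_TRAIL set to DB (or DB,EXTENDED) so that the records are in SYS.AUD$, and SELECT on the DBA_* views; the 24-hour window and the threshold of 5 failures are assumed values to tune, not benchmark figures.

```sql
-- Added example, not part of the CIS benchmark: review the logon records
-- written by AUDIT SESSION. Assumes AUDIT_TRAIL=DB or DB,EXTENDED and
-- SELECT on DBA_AUDIT_SESSION and DBA_USERS. The window (SYSDATE - 1) and
-- the HAVING threshold (5) are assumed values to tune per environment.

-- 1. Failed logons grouped by target account, source host, OS user and
--    error. RETURNCODE holds the ORA error number of the failure:
--    1017 = ORA-01017 invalid username/password,
--    28000 = ORA-28000 the account is locked.
SELECT username,
       userhost,
       os_username,
       returncode,
       COUNT(*)       AS failures,
       MIN(timestamp) AS first_seen,
       MAX(timestamp) AS last_seen
  FROM dba_audit_session
 WHERE action_name = 'LOGON'
   AND returncode <> 0
   AND timestamp >= SYSDATE - 1
 GROUP BY username, userhost, os_username, returncode
HAVING COUNT(*) >= 5
 ORDER BY failures DESC, last_seen DESC;

-- 2. Any logon attempt, successful or not, against an account that is
--    currently not OPEN (locked, expired, or both). These accounts should
--    normally see no logon traffic at all, so every row deserves a look.
SELECT s.timestamp,
       s.username,
       u.account_status,
       s.userhost,
       s.os_username,
       s.returncode
  FROM dba_audit_session s
  JOIN dba_users u
    ON u.username = s.username
 WHERE s.action_name = 'LOGON'
   AND u.account_status <> 'OPEN'
   AND s.timestamp >= SYSDATE - 1
 ORDER BY s.timestamp DESC;
```

The first query is the one to schedule or feed into a SIEM; the second is a quick check after a lock-out or when an account has just been expired, since the account status is evaluated at query time rather than at the time of the attempt.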
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
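Each of the traditional-auditing recommendations in 5.1 is assessed with its own one-line query. The following PL/SQL block, added here as an example and not part of the CIS benchmark, runs the checks of 5.1.2 through 5.1.18 in one pass and reports every option that is not enabled system-wide BY ACCESS for both success and failure. It assumes SQL*Plus (for SERVEROUTPUT) and a user with SELECT on the DBA_* views. Because the benchmark checks some options in DBA_STMT_AUDIT_OPTS and others in DBA_PRIV_AUDIT_OPTS, the block consults both views for every option in the list; the SYS.AUD$ object audit of 5.1.14 is checked separately against DBA_OBJ_AUDIT_OPTS.

```sql
-- Added example, not part of the CIS benchmark: one pass over the
-- traditional-auditing checks of recommendations 5.1.2 to 5.1.18.
-- Assumes SQL*Plus and SELECT on the DBA_* views.
SET SERVEROUTPUT ON SIZE UNLIMITED
DECLARE
  TYPE t_names IS TABLE OF VARCHAR2(40);
  -- Options this section expects system-wide, BY ACCESS on success and failure.
  v_names t_names := t_names(
    'ROLE', 'SYSTEM GRANT', 'PROFILE', 'DATABASE LINK',
    'PUBLIC DATABASE LINK', 'PUBLIC SYNONYM', 'SYNONYM', 'DIRECTORY',
    'SELECT ANY DICTIONARY', 'GRANT ANY OBJECT PRIVILEGE',
    'GRANT ANY PRIVILEGE', 'DROP ANY PROCEDURE', 'PROCEDURE',
    'ALTER SYSTEM', 'TRIGGER', 'CREATE SESSION');
  v_name     VARCHAR2(40);
  v_hits     PLS_INTEGER;
  v_findings PLS_INTEGER := 0;
BEGIN
  FOR i IN 1 .. v_names.COUNT LOOP
    v_name := v_names(i);
    -- A system-wide option has USER_NAME and PROXY_NAME both NULL.
    -- The benchmark queries DBA_STMT_AUDIT_OPTS for some options and
    -- DBA_PRIV_AUDIT_OPTS for others; a hit in either view counts here.
    SELECT COUNT(*)
      INTO v_hits
      FROM (SELECT audit_option AS opt, success, failure
              FROM dba_stmt_audit_opts
             WHERE user_name IS NULL AND proxy_name IS NULL
            UNION ALL
            SELECT privilege, success, failure
              FROM dba_priv_audit_opts
             WHERE user_name IS NULL AND proxy_name IS NULL)
     WHERE opt = v_name
       AND success = 'BY ACCESS'
       AND failure = 'BY ACCESS';
    IF v_hits = 0 THEN
      v_findings := v_findings + 1;
      DBMS_OUTPUT.PUT_LINE('FINDING: AUDIT ' || v_name ||
                           ' is not enabled BY ACCESS');
    END IF;
  END LOOP;

  -- 5.1.14: every object audit column on SYS.AUD$ must read 'A/A',
  -- that is BY ACCESS for success and BY ACCESS for failure.
  SELECT COUNT(*)
    INTO v_hits
    FROM dba_obj_audit_opts
   WHERE owner = 'SYS' AND object_name = 'AUD$'
     AND alt = 'A/A' AND aud = 'A/A' AND com = 'A/A' AND del = 'A/A'
     AND gra = 'A/A' AND ind = 'A/A' AND ins = 'A/A' AND loc = 'A/A'
     AND ren = 'A/A' AND sel = 'A/A' AND upd = 'A/A' AND fbk = 'A/A';
  IF v_hits = 0 THEN
    v_findings := v_findings + 1;
    DBMS_OUTPUT.PUT_LINE('FINDING: AUDIT ALL ON SYS.AUD$ BY ACCESS ' ||
                         'is not enabled');
  END IF;

  DBMS_OUTPUT.PUT_LINE('Traditional auditing findings: ' || v_findings);
END;
/
```

Each FINDING line maps to one recommendation above, and the remediation is the corresponding AUDIT statement from that recommendation. The block reports only; it deliberately does not issue the AUDIT statements itself, so it can be run by a read-only reviewer.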
5.2 Unified Auditing
The recommendations in this section should be followed if unified auditing is implemented.
5.2.1 Ensure the 'CREATE USER' Action Audit Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
The CREATE USER statement is used to create Oracle database accounts and assign database properties to them. Enabling this unified action audit causes logging of all CREATE USER statements, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Rationale:
Logging and monitoring of all attempts to create user accounts, whether successful or unsuccessful, may provide clues and forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all activities involving CREATE USER.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'CREATE USER' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS CREATE USER;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
16 Account Monitoring and Control
5.2.2 Ensure the 'ALTER USER' Action Audit Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
The ALTER USER statement is used to change database users' passwords, lock accounts, and expire passwords. In addition, this statement is used to change database properties of user accounts such as database profiles, default and temporary tablespaces, and tablespace quotas. This unified audit action enables logging of all ALTER USER statements, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Rationale:
Logging and monitoring of all attempts to alter user accounts, whether successful or unsuccessful, may provide clues and forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all activities involving ALTER USER.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'ALTER USER' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS ALTER USER;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
16 Account Monitoring and Control
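The Note above says to create CIS_UNIFIED_AUDIT_POLICY with CREATE AUDIT POLICY when it does not exist, but does not show the statement. The following is an added example, not part of the CIS benchmark: it creates the policy with the action audits that this part of the benchmark expects, enables it for all users on both success and failure (the state the Audit query tests for), and confirms the result. It assumes the session holds the AUDIT_ADMIN role and that no policy of that name exists yet; where one already exists, use the ALTER AUDIT POLICY ... ADD ACTIONS form shown under Remediation instead.

```sql
-- Added example (not from the CIS benchmark). Assumes: unified auditing is in
-- use, the session holds AUDIT_ADMIN, and CIS_UNIFIED_AUDIT_POLICY does not
-- exist yet (CREATE fails if it does; use ALTER AUDIT POLICY ... ADD ACTIONS then).
CREATE AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY
  ACTIONS ALTER USER, DROP USER,
          CREATE ROLE, ALTER ROLE, DROP ROLE,
          GRANT, REVOKE,
          CREATE PROFILE, ALTER PROFILE, DROP PROFILE,
          CREATE DATABASE LINK, ALTER DATABASE LINK, DROP DATABASE LINK,
          CREATE SYNONYM, ALTER SYNONYM, DROP SYNONYM;

-- Enabling the policy with no BY/EXCEPT clause and no WHENEVER clause records
-- both successful and failed statements for every user. That is the state the
-- benchmark's Audit query looks for: SUCCESS = 'YES', FAILURE = 'YES',
-- ENABLED_OPT = 'BY', USER_NAME = 'ALL USERS'.
AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY;

-- Verification: one row per action with the four flags in the expected state.
SELECT AUD.AUDIT_OPTION,
       ENABLED.SUCCESS,
       ENABLED.FAILURE,
       ENABLED.ENABLED_OPT,
       ENABLED.USER_NAME
  FROM AUDIT_UNIFIED_POLICIES AUD
  JOIN AUDIT_UNIFIED_ENABLED_POLICIES ENABLED
    ON AUD.POLICY_NAME = ENABLED.POLICY_NAME
 WHERE AUD.POLICY_NAME = 'CIS_UNIFIED_AUDIT_POLICY'
   AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION'
 ORDER BY AUD.AUDIT_OPTION;
```

A unified audit policy is enabled as a whole, so actions added later with ALTER AUDIT POLICY are covered for new sessions without disabling and re-enabling it. Because the benchmark query filters on ENABLED_OPT = 'BY' and USER_NAME = 'ALL USERS', a policy enabled with BY or EXCEPT for particular users, or with WHENEVER NOT SUCCESSFUL, still leaves the check failing even though some auditing is in place.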
5.2.3 Ensure the 'DROP USER' Audit Option Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
The DROP USER statement is used to drop Oracle database accounts and the schemas associated with them. Enabling this unified action audit enables logging of all DROP USER statements, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Rationale:
Logging and monitoring of all attempts to drop users, whether successful or unsuccessful, may provide clues and forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all activities involving DROP USER.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'DROP USER' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS DROP USER;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
16 Account Monitoring and Control
5.2.4 Ensure the 'CREATE ROLE' Action Audit Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
An Oracle database role is a collection or set of privileges that can be granted to users or other roles. Roles may include system privileges, object privileges or other roles. Enabling this unified audit action enables logging of all CREATE ROLE statements, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Rationale:
Logging and monitoring of all attempts to create roles, whether successful or unsuccessful, may provide clues and forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving CREATE ROLE.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'CREATE ROLE' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS CREATE ROLE;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
16 Account Monitoring and Control
5.2.5 Ensure the 'ALTER ROLE' Action Audit Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
An Oracle database role is a collection or set of privileges that can be granted to users or other roles. Roles may include system privileges, object privileges or other roles. The ALTER ROLE statement is used to change the authorization needed to enable a role. Enabling this unified action audit causes logging of all ALTER ROLE statements, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Rationale:
Logging and monitoring of all attempts to alter roles, whether successful or unsuccessful, may provide clues and forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving alteration of roles.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'ALTER ROLE' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS ALTER ROLE;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
16 Account Monitoring and Control
5.2.6 Ensure the 'DROP ROLE' Action Audit Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
An Oracle database role is a collection or set of privileges that can be granted to users or other roles. Roles may include system privileges, object privileges or other roles. Enabling this unified audit action enables logging of all DROP ROLE statements, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Rationale:
Logging and monitoring of all attempts to drop roles, whether successful or unsuccessful, may provide clues and forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving DROP ROLE.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'DROP ROLE' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS DROP ROLE;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
16 Account Monitoring and Control
5.2.7 Ensure the 'GRANT' Action Audit Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
GRANT statements are used to grant privileges to Oracle database users and roles, including the most powerful privileges and roles typically available to the database administrators. Enabling this unified action audit enables logging of all GRANT statements, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Rationale:
With unauthorized grants and permissions, a malicious user may be able to change the security of the database, access/update confidential data, or compromise the integrity of the database. Logging and monitoring of all attempts to grant system privileges, object privileges or roles, whether successful or unsuccessful, may provide forensic evidence about potential suspicious/unauthorized activities as well as privilege escalation activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving GRANT.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'GRANT' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS GRANT;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
16 Account Monitoring and Control
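The Rationale above motivates the GRANT audit with detection of unauthorized grants and privilege escalation, which means someone has to read the records the audit produces. The following is an added example, not part of the CIS benchmark: it reads UNIFIED_AUDIT_TRAIL for the GRANT and REVOKE events attributed to CIS_UNIFIED_AUDIT_POLICY in the last seven days, then narrows to grants of broad privileges. It assumes the policy name from the Remediation, the AUDIT_VIEWER (or AUDIT_ADMIN) role to read the trail, and a seven-day window and keyword list that are illustrative choices, not benchmark values.

```sql
-- Added example (not from the CIS benchmark). Assumes AUDIT_VIEWER or
-- AUDIT_ADMIN, the policy name CIS_UNIFIED_AUDIT_POLICY, and an
-- illustrative 7-day review window.

-- 1. Everything the GRANT and REVOKE action audits captured, newest first.
SELECT EVENT_TIMESTAMP,
       DBUSERNAME,           -- database account that issued the statement
       OS_USERNAME,          -- OS account on the client, as reported by the client
       USERHOST,             -- client host name
       CLIENT_PROGRAM_NAME,
       ACTION_NAME,          -- 'GRANT' or 'REVOKE'
       RETURN_CODE,          -- 0 = succeeded, otherwise the ORA- error number
       SQL_TEXT
  FROM UNIFIED_AUDIT_TRAIL
 WHERE ACTION_NAME IN ('GRANT', 'REVOKE')
   AND UNIFIED_AUDIT_POLICIES LIKE '%CIS_UNIFIED_AUDIT_POLICY%'
   AND EVENT_TIMESTAMP >= SYSTIMESTAMP - INTERVAL '7' DAY
 ORDER BY EVENT_TIMESTAMP DESC;

-- 2. Grants worth a closer look: DBA-level roles, ANY privileges, grants made
--    with ADMIN OPTION or GRANT OPTION, and grants to PUBLIC. The keyword list
--    is an illustrative starting point, not a complete catalogue.
SELECT EVENT_TIMESTAMP,
       DBUSERNAME,
       USERHOST,
       RETURN_CODE,
       SQL_TEXT
  FROM UNIFIED_AUDIT_TRAIL
 WHERE ACTION_NAME = 'GRANT'
   AND UNIFIED_AUDIT_POLICIES LIKE '%CIS_UNIFIED_AUDIT_POLICY%'
   AND EVENT_TIMESTAMP >= SYSTIMESTAMP - INTERVAL '7' DAY
   AND REGEXP_LIKE(SQL_TEXT,
         '(\bDBA\b|\bSYSDBA\b|\bANY\b|ADMIN OPTION|GRANT OPTION|\bPUBLIC\b)', 'i')
 ORDER BY EVENT_TIMESTAMP DESC;
```

Because the Description states that failed statements are logged as well, a RETURN_CODE other than 0 in either query is a GRANT that was attempted by an account lacking the privilege, which the Rationale treats as an investigation trigger in its own right. On 12.1 in the default queued-write mode, recent records may still be in memory; DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL writes them to the trail before a review.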
5.2.8 Ensure the 'REVOKE' Action Audit Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
REVOKE statements are used to revoke privileges from Oracle database users and roles. Enabling this unified action audit enables logging of all REVOKE statements, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Rationale:
Logging and monitoring of all attempts to revoke system privileges, object privileges or roles, whether successful or unsuccessful, may provide clues and forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving REVOKE.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'REVOKE' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS REVOKE;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
16 Account Monitoring and Control
5.2.9 Ensure the 'CREATE PROFILE' Action Audit Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
Oracle database profiles are used to enforce resource usage limits and implement password policies such as password complexity rules and reuse restrictions. Enabling this unified action audit enables logging of all CREATE PROFILE statements, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Rationale:
Logging and monitoring of all attempts to create profiles, whether successful or unsuccessful, may provide clues and forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving creation of database profiles.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'CREATE PROFILE' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS CREATE PROFILE;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
5.2.10 Ensure the 'ALTER PROFILE' Action Audit Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
Oracle database profiles are used to enforce resource usage limits and implement password policies such as password complexity rules and reuse restrictions. Enabling this unified action audit enables logging of all ALTER PROFILE statements, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Rationale:
Logging and monitoring of all attempts to alter profiles, whether successful or unsuccessful, may provide forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving alteration of database profiles.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'ALTER PROFILE' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS ALTER PROFILE;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
5.2.11 Ensure the 'DROP PROFILE' Action Audit Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
Oracle database profiles are used to enforce resource usage limits and implement password policies such as password complexity rules and reuse restrictions. Enabling this unified action audit enables logging of all DROP PROFILE statements, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Rationale:
Logging and monitoring of all attempts to drop profiles, whether successful or unsuccessful, may provide clues and forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving dropping of database profiles.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'DROP PROFILE' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS DROP PROFILE;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
5.2.12 Ensure the 'CREATE DATABASE LINK' Action Audit Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
Oracle database links are used to establish database-to-database connections to other databases. These connections are available without further authentication once the link is established. Enabling this unified action audit causes logging of all CREATE DATABASE LINK and CREATE PUBLIC DATABASE LINK statements, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Rationale:
Logging and monitoring of all attempts to create database links, whether successful or unsuccessful, may provide forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving creation of database links.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'CREATE DATABASE LINK' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS CREATE DATABASE LINK;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
5.2.13 Ensure the 'ALTER DATABASE LINK' Action Audit Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
Oracle database links are used to establish database-to-database connections to other databases. These connections are always available without further authentication once the link is established. Enabling this unified action audit causes logging of all ALTER DATABASE LINK and ALTER PUBLIC DATABASE LINK statements, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Rationale:
Logging and monitoring of all attempts to alter database links, whether successful or unsuccessful, may provide forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving alteration of database links.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'ALTER DATABASE LINK' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS ALTER DATABASE LINK;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
5.2.14 Ensure the 'DROP DATABASE LINK' Action Audit Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
Oracle database links are used to establish database-to-database connections to other databases. These connections are always available without further authentication once the link is established. Enabling this unified action audit causes logging of all DROP DATABASE LINK and DROP PUBLIC DATABASE LINK statements, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Rationale:
Logging and monitoring of all attempts to drop database links, whether successful or unsuccessful, may provide forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving dropping of database links.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'DROP DATABASE LINK' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS DROP DATABASE LINK;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
5.2.15 Ensure the 'CREATE SYNONYM' Action Audit Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
An Oracle database synonym is used to create an alternative name for a database object such as a table, view, procedure, or Java object, or even another synonym. Enabling this unified action audit causes logging of all CREATE SYNONYM and CREATE PUBLIC SYNONYM statements, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Rationale:
Logging and monitoring of all attempts to create synonyms, whether successful or unsuccessful, may provide clues and forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving creation of synonyms or public synonyms.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'CREATE SYNONYM' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS CREATE SYNONYM;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
5.2.16 Ensure the 'ALTER SYNONYM' Action Audit Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
An Oracle database synonym is used to create an alternative name for a database object such as a table, view, procedure, or Java object, or even another synonym. Enabling this unified action audit causes logging of all ALTER SYNONYM and ALTER PUBLIC SYNONYM statements, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Rationale:
Logging and monitoring of all attempts to alter synonyms, whether successful or unsuccessful, may provide clues and forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving alteration of synonyms or public synonyms.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'ALTER SYNONYM' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS ALTER SYNONYM;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
5.2.17 Ensure the 'DROP SYNONYM' Action Audit Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
An Oracle database synonym is used to create an alternative name for a database object such as a table, view, procedure, or Java object, or even another synonym. Enabling this unified action audit causes logging of all DROP SYNONYM and DROP PUBLIC SYNONYM statements, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Rationale:
Logging and monitoring of all attempts to drop synonyms, whether successful or unsuccessful, may provide forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving dropping of synonyms or public synonyms.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'DROP SYNONYM' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS DROP SYNONYM;
263|P a g e
Note:IfyoudonothaveCIS_UNIFIED_AUDIT_POLICY,pleasecreateoneusingtheCREATE AUDIT POLICYstatement.
CISControls:
Version6
6.2EnsureAuditLogSettingsSupportAppropriateLogEntryFormattingValidateauditlogsettingsforeachhardwaredeviceandthesoftwareinstalledonit,ensuringthatlogsincludeadate,timestamp,sourceaddresses,destinationaddresses,andvariousotherusefulelementsofeachpacketand/ortransaction.SystemsshouldrecordlogsinastandardizedformatsuchassyslogentriesorthoseoutlinedbytheCommonEventExpressioninitiative.Ifsystemscannotgeneratelogsinastandardizedformat,lognormalizationtoolscanbedeployedtoconvertlogsintosuchaformat.
264|P a g e
5.2.18 Ensure the 'SELECT ANY DICTIONARY' Privilege Audit Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
The SELECT ANY DICTIONARY system privilege allows the user to view the definition of all schema objects in the database. It grants SELECT privileges on the data dictionary objects to the grantees, including SELECT on DBA_ views, V$ views, X$ views and underlying SYS tables such as TAB$ and OBJ$. This privilege also allows grantees to create stored objects such as procedures, packages and views on the underlying data dictionary objects. Please note that this privilege does not grant SELECT on tables with password hashes such as USER$, DEFAULT_PWD$, LINK$, and USER_HISTORY$. Enabling this audit causes logging of activities that exercise this privilege.
Rationale:
Logging and monitoring of all attempts to access a data dictionary, whether successful or unsuccessful, may provide clues and forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving access to the database.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE
FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED
WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME
AND AUD.AUDIT_OPTION = 'SELECT ANY DICTIONARY'
AND AUD.AUDIT_OPTION_TYPE = 'SYSTEM PRIVILEGE'
AND ENABLED.SUCCESS = 'YES'
AND ENABLED.FAILURE = 'YES'
AND ENABLED.ENABLED_OPT = 'BY'
AND ENABLED.USER_NAME = 'ALL USERS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD PRIVILEGES SELECT ANY DICTIONARY;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
5.2.19 Ensure the 'UNIFIED_AUDIT_TRAIL' Access Audit Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
The UNIFIED_AUDIT_TRAIL view holds audit trail records generated by the database. Enabling this audit action causes logging of all access attempts to the UNIFIED_AUDIT_TRAIL view, whether successful or unsuccessful, regardless of the privileges held by the users to issue such statements.
Rationale:
Logging and monitoring of all attempts to access the UNIFIED_AUDIT_TRAIL view, whether successful or unsuccessful, may provide clues and forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving access to this view.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE
FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED
WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME
AND AUD.AUDIT_OPTION = 'ALL'
AND AUD.AUDIT_OPTION_TYPE = 'OBJECT ACTION'
AND AUD.OBJECT_SCHEMA = 'SYS'
AND AUD.OBJECT_NAME = 'UNIFIED_AUDIT_TRAIL'
AND ENABLED.SUCCESS = 'YES'
AND ENABLED.FAILURE = 'YES'
AND ENABLED.ENABLED_OPT = 'BY'
AND ENABLED.USER_NAME = 'ALL USERS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS ALL ON SYS.UNIFIED_AUDIT_TRAIL;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
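UNIFIED_AUDIT_TRAIL is also where the forensic evidence that the Rationale sections refer to is read back. The two queries below are an added example, not part of the benchmark: they report on the records produced by the CIS_UNIFIED_AUDIT_POLICY options in this section, first failed attempts grouped by account and host, then successful DDL against stored code, triggers and synonyms with the statement text. The 30-day window is our choice; the flush call matters on 12c Release 1, whose default queued write mode holds recent records in memory until they are written to the trail.

```sql
-- Added example, not from the benchmark: review what this section's unified
-- audit options have captured. Records carry the policy name in the
-- UNIFIED_AUDIT_POLICIES column; RETURN_CODE = 0 is a successful statement,
-- any other value is the ORA- error of a failed attempt.

-- Push queued records to the trail first (12c Release 1 queued write mode).
BEGIN
  DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL;
END;
/

-- 1. Failed attempts, grouped by who and from where. Repeated failed LOGON or
--    ALTER SYSTEM attempts from a single host are the rows to triage first.
SELECT dbusername,
       os_username,
       userhost,
       action_name,
       return_code,
       COUNT(*)             AS attempts,
       MIN(event_timestamp) AS first_seen,
       MAX(event_timestamp) AS last_seen
FROM   UNIFIED_AUDIT_TRAIL
WHERE  unified_audit_policies LIKE '%CIS_UNIFIED_AUDIT_POLICY%'
AND    return_code <> 0
AND    event_timestamp > SYSTIMESTAMP - INTERVAL '30' DAY
GROUP  BY dbusername, os_username, userhost, action_name, return_code
ORDER  BY attempts DESC, last_seen DESC;

-- 2. Successful DDL on stored code, triggers and synonyms, plus ALTER SYSTEM,
--    with the statement text so each change can be matched to the change
--    record that should have authorised it.
SELECT event_timestamp,
       dbusername,
       userhost,
       client_program_name,
       action_name,
       object_schema,
       object_name,
       sql_text
FROM   UNIFIED_AUDIT_TRAIL
WHERE  unified_audit_policies LIKE '%CIS_UNIFIED_AUDIT_POLICY%'
AND    return_code = 0
AND    action_name IN ('ALTER SYNONYM',        'DROP SYNONYM',
                       'CREATE PROCEDURE',     'ALTER PROCEDURE',     'DROP PROCEDURE',
                       'CREATE FUNCTION',      'ALTER FUNCTION',      'DROP FUNCTION',
                       'CREATE PACKAGE',       'ALTER PACKAGE',       'DROP PACKAGE',
                       'CREATE PACKAGE BODY',  'ALTER PACKAGE BODY',  'DROP PACKAGE BODY',
                       'CREATE TRIGGER',       'ALTER TRIGGER',       'DROP TRIGGER',
                       'ALTER SYSTEM')
AND    event_timestamp > SYSTIMESTAMP - INTERVAL '30' DAY
ORDER  BY event_timestamp DESC;
```

Reading UNIFIED_AUDIT_TRAIL is itself audited once 5.2.19 is in place, so these reviews appear in the trail under the reviewing account.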
5.2.20 Ensure the 'CREATE PROCEDURE/FUNCTION/PACKAGE/PACKAGE BODY' Action Audit Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
Oracle database procedures, functions, packages, and package bodies, which are stored within the database, are created to perform business functions and access the database as defined by the PL/SQL code and SQL statements contained within these objects. Enabling this unified action audit causes logging of all CREATE PROCEDURE, CREATE FUNCTION, CREATE PACKAGE and CREATE PACKAGE BODY statements, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Rationale:
Logging and monitoring of all attempts to create procedures, functions, packages or package bodies, whether successful or unsuccessful, may provide clues and forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving creation of procedures, functions, packages or package bodies.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT * FROM AUDIT_UNIFIED_ENABLED_POLICIES ENABLED
WHERE ENABLED.SUCCESS = 'YES'
AND ENABLED.FAILURE = 'YES'
AND ENABLED.ENABLED_OPT = 'BY'
AND ENABLED.USER_NAME = 'ALL USERS'
AND EXISTS (SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD
            WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME
            AND AUD.AUDIT_OPTION = 'CREATE PROCEDURE'
            AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION')
AND EXISTS (SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD
            WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME
            AND AUD.AUDIT_OPTION = 'CREATE FUNCTION'
            AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION')
AND EXISTS (SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD
            WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME
            AND AUD.AUDIT_OPTION = 'CREATE PACKAGE'
            AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION')
AND EXISTS (SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD
            WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME
            AND AUD.AUDIT_OPTION = 'CREATE PACKAGE BODY'
            AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION');
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS CREATE PROCEDURE, CREATE FUNCTION, CREATE PACKAGE, CREATE PACKAGE BODY;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
5.2.21 Ensure the 'ALTER PROCEDURE/FUNCTION/PACKAGE/PACKAGE BODY' Action Audit Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
Oracle database procedures, functions, packages, and package bodies, which are stored within the database, are created to carry out business functions and access the database as defined by the PL/SQL code and SQL statements contained within these objects. Enabling this unified action audit causes logging of all ALTER PROCEDURE, ALTER FUNCTION, ALTER PACKAGE and ALTER PACKAGE BODY statements, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Rationale:
Unauthorized alteration of procedures, functions, packages or package bodies may impact critical business functions or compromise the integrity of the database. Logging and monitoring of all attempts, whether successful or unsuccessful, to alter procedures, functions, packages or package bodies may provide clues and forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving alteration of procedures, functions, packages or package bodies.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT * FROM AUDIT_UNIFIED_ENABLED_POLICIES ENABLED
WHERE ENABLED.SUCCESS = 'YES'
AND ENABLED.FAILURE = 'YES'
AND ENABLED.ENABLED_OPT = 'BY'
AND ENABLED.USER_NAME = 'ALL USERS'
AND EXISTS (SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD
            WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME
            AND AUD.AUDIT_OPTION = 'ALTER PROCEDURE'
            AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION')
AND EXISTS (SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD
            WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME
            AND AUD.AUDIT_OPTION = 'ALTER FUNCTION'
            AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION')
AND EXISTS (SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD
            WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME
            AND AUD.AUDIT_OPTION = 'ALTER PACKAGE'
            AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION')
AND EXISTS (SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD
            WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME
            AND AUD.AUDIT_OPTION = 'ALTER PACKAGE BODY'
            AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION');
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS ALTER PROCEDURE, ALTER FUNCTION, ALTER PACKAGE, ALTER PACKAGE BODY;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
5.2.22 Ensure the 'DROP PROCEDURE/FUNCTION/PACKAGE/PACKAGE BODY' Action Audit Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
Oracle database procedures, functions, packages, and package bodies, which are stored within the database, are created to carry out business functions and access the database as defined by the PL/SQL code and SQL statements contained within these objects. Enabling this unified action audit causes logging of all DROP PROCEDURE, DROP FUNCTION, DROP PACKAGE or DROP PACKAGE BODY statements, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Rationale:
Logging and monitoring of all attempts, whether successful or unsuccessful, to drop procedures, functions, packages or package bodies may provide forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving dropping procedures, functions, packages or package bodies.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT * FROM AUDIT_UNIFIED_ENABLED_POLICIES ENABLED
WHERE ENABLED.SUCCESS = 'YES'
AND ENABLED.FAILURE = 'YES'
AND ENABLED.ENABLED_OPT = 'BY'
AND ENABLED.USER_NAME = 'ALL USERS'
AND EXISTS (SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD
            WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME
            AND AUD.AUDIT_OPTION = 'DROP PROCEDURE'
            AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION')
AND EXISTS (SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD
            WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME
            AND AUD.AUDIT_OPTION = 'DROP FUNCTION'
            AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION')
AND EXISTS (SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD
            WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME
            AND AUD.AUDIT_OPTION = 'DROP PACKAGE'
            AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION')
AND EXISTS (SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD
            WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME
            AND AUD.AUDIT_OPTION = 'DROP PACKAGE BODY'
            AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION');
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS DROP PROCEDURE, DROP FUNCTION, DROP PACKAGE, DROP PACKAGE BODY;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
5.2.23 Ensure the 'ALTER SYSTEM' Privilege Audit Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
The ALTER SYSTEM privilege allows the user to change instance settings which could impact security posture, performance or normal operation of the database. Additionally, the ALTER SYSTEM privilege may be used to run operating system commands using undocumented Oracle functionality. Enabling this unified audit causes logging of activities that involve exercise of this privilege, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Rationale:
Logging and monitoring of all attempts to execute ALTER SYSTEM statements, whether successful or unsuccessful, may provide forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities that involve ALTER SYSTEM statements.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE
FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED
WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME
AND AUD.AUDIT_OPTION = 'ALTER SYSTEM'
AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION'
AND ENABLED.SUCCESS = 'YES'
AND ENABLED.FAILURE = 'YES'
AND ENABLED.ENABLED_OPT = 'BY'
AND ENABLED.USER_NAME = 'ALL USERS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS ALTER SYSTEM;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
5.2.24 Ensure the 'CREATE TRIGGER' Action Audit Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
Oracle database triggers are executed automatically when specified conditions on the underlying objects occur. Trigger bodies contain the code, quite often to perform data validation, ensure data integrity/security or enforce critical constraints on allowable actions on data. Enabling this unified audit causes logging of all CREATE TRIGGER statements, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Rationale:
Logging and monitoring of all attempts to create triggers, whether successful or unsuccessful, may provide clues and forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving creation of triggers.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE
FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED
WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME
AND AUD.AUDIT_OPTION = 'CREATE TRIGGER'
AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION'
AND ENABLED.SUCCESS = 'YES'
AND ENABLED.FAILURE = 'YES'
AND ENABLED.ENABLED_OPT = 'BY'
AND ENABLED.USER_NAME = 'ALL USERS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS CREATE TRIGGER;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
5.2.25 Ensure the 'ALTER TRIGGER' Action Audit Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
Oracle database triggers are executed automatically when specified conditions on the underlying objects occur. Trigger bodies contain the code, quite often to perform data validation, ensure data integrity/security or enforce critical constraints on allowable actions on data. Enabling this unified audit causes logging of all ALTER TRIGGER statements, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Rationale:
Unauthorized alteration of triggers may impact critical business functions or compromise integrity/security of the database. Logging and monitoring of all attempts to alter triggers, whether successful or unsuccessful, may provide clues and forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving alteration of triggers.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE
FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED
WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME
AND AUD.AUDIT_OPTION = 'ALTER TRIGGER'
AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION'
AND ENABLED.SUCCESS = 'YES'
AND ENABLED.FAILURE = 'YES'
AND ENABLED.ENABLED_OPT = 'BY'
AND ENABLED.USER_NAME = 'ALL USERS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS ALTER TRIGGER;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
5.2.26 Ensure the 'DROP TRIGGER' Action Audit Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
Oracle database triggers are executed automatically when specified conditions on the underlying objects occur. Trigger bodies contain the code, quite often to perform data validation, ensure data integrity/security or enforce critical constraints on allowable actions on data. Enabling this unified audit causes logging of all DROP TRIGGER statements, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Rationale:
Logging and monitoring of all attempts to drop triggers, whether successful or unsuccessful, may provide forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving dropping triggers.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE
FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED
WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME
AND AUD.AUDIT_OPTION = 'DROP TRIGGER'
AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION'
AND ENABLED.SUCCESS = 'YES'
AND ENABLED.FAILURE = 'YES'
AND ENABLED.ENABLED_OPT = 'BY'
AND ENABLED.USER_NAME = 'ALL USERS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS DROP TRIGGER;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
5.2.27 Ensure the 'LOGON' and 'LOGOFF' Actions Audit Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
Oracle database users log on to the database to perform their work. Enabling this unified audit causes logging of all LOGON actions, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to log in to the database. In addition, the LOGOFF action audit captures logoff activities. This audit action also captures logon/logoff to the open database by SYSDBA and SYSOPER.
Rationale:
Logging and monitoring of all attempts to log on to the database, whether successful or unsuccessful, may provide forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving LOGON and LOGOFF.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT * FROM AUDIT_UNIFIED_ENABLED_POLICIES ENABLED
WHERE ENABLED.SUCCESS = 'YES'
AND ENABLED.FAILURE = 'YES'
AND ENABLED.ENABLED_OPT = 'BY'
AND ENABLED.USER_NAME = 'ALL USERS'
AND EXISTS (SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD
            WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME
            AND AUD.AUDIT_OPTION = 'LOGON'
            AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION')
AND EXISTS (SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD
            WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME
            AND AUD.AUDIT_OPTION = 'LOGOFF'
            AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION');
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS LOGON, LOGOFF;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
16 Account Monitoring and Control
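The recommendations from the ALTER SYNONYM audit above through 5.2.27 each check one option with the same join of AUDIT_UNIFIED_POLICIES to AUDIT_UNIFIED_ENABLED_POLICIES. The query below is an added example, not part of the benchmark, that folds all of them into one read-only gap check: each row returned is an option that is not enabled for all users on both success and failure, so an empty result means every audit in this section passes. The required set is the benchmark's own; the CTE layout and the NOT EXISTS form are ours.

```sql
-- Added example, not from the benchmark: one gap check for every unified-audit
-- option this section requires. Runs read-only, so it is suitable for the
-- CISSCAN assessment user (AUDIT_VIEWER grants access to both views).
WITH required (audit_option, audit_option_type, object_schema, object_name) AS (
  SELECT 'ALTER SYNONYM',         'STANDARD ACTION',  NULL,  NULL FROM DUAL UNION ALL
  SELECT 'DROP SYNONYM',          'STANDARD ACTION',  NULL,  NULL FROM DUAL UNION ALL
  SELECT 'SELECT ANY DICTIONARY', 'SYSTEM PRIVILEGE', NULL,  NULL FROM DUAL UNION ALL
  SELECT 'ALL',                   'OBJECT ACTION',    'SYS', 'UNIFIED_AUDIT_TRAIL' FROM DUAL UNION ALL
  SELECT 'CREATE PROCEDURE',      'STANDARD ACTION',  NULL,  NULL FROM DUAL UNION ALL
  SELECT 'CREATE FUNCTION',       'STANDARD ACTION',  NULL,  NULL FROM DUAL UNION ALL
  SELECT 'CREATE PACKAGE',        'STANDARD ACTION',  NULL,  NULL FROM DUAL UNION ALL
  SELECT 'CREATE PACKAGE BODY',   'STANDARD ACTION',  NULL,  NULL FROM DUAL UNION ALL
  SELECT 'ALTER PROCEDURE',       'STANDARD ACTION',  NULL,  NULL FROM DUAL UNION ALL
  SELECT 'ALTER FUNCTION',        'STANDARD ACTION',  NULL,  NULL FROM DUAL UNION ALL
  SELECT 'ALTER PACKAGE',         'STANDARD ACTION',  NULL,  NULL FROM DUAL UNION ALL
  SELECT 'ALTER PACKAGE BODY',    'STANDARD ACTION',  NULL,  NULL FROM DUAL UNION ALL
  SELECT 'DROP PROCEDURE',        'STANDARD ACTION',  NULL,  NULL FROM DUAL UNION ALL
  SELECT 'DROP FUNCTION',         'STANDARD ACTION',  NULL,  NULL FROM DUAL UNION ALL
  SELECT 'DROP PACKAGE',          'STANDARD ACTION',  NULL,  NULL FROM DUAL UNION ALL
  SELECT 'DROP PACKAGE BODY',     'STANDARD ACTION',  NULL,  NULL FROM DUAL UNION ALL
  SELECT 'ALTER SYSTEM',          'STANDARD ACTION',  NULL,  NULL FROM DUAL UNION ALL
  SELECT 'CREATE TRIGGER',        'STANDARD ACTION',  NULL,  NULL FROM DUAL UNION ALL
  SELECT 'ALTER TRIGGER',         'STANDARD ACTION',  NULL,  NULL FROM DUAL UNION ALL
  SELECT 'DROP TRIGGER',          'STANDARD ACTION',  NULL,  NULL FROM DUAL UNION ALL
  SELECT 'LOGON',                 'STANDARD ACTION',  NULL,  NULL FROM DUAL UNION ALL
  SELECT 'LOGOFF',                'STANDARD ACTION',  NULL,  NULL FROM DUAL
)
SELECT r.audit_option, r.audit_option_type, r.object_schema, r.object_name
FROM   required r
WHERE  NOT EXISTS (
         SELECT 1
         FROM   AUDIT_UNIFIED_POLICIES aud
                JOIN AUDIT_UNIFIED_ENABLED_POLICIES enabled
                  ON enabled.policy_name = aud.policy_name
         WHERE  aud.audit_option      = r.audit_option
         AND    aud.audit_option_type = r.audit_option_type
         -- Object-level rows must match schema and object; standard actions
         -- and privileges carry no object, so they are not constrained on it.
         AND    (r.object_name IS NULL
                 OR (aud.object_schema = r.object_schema
                     AND aud.object_name = r.object_name))
         -- Same enablement conditions as each recommendation's audit query.
         AND    enabled.success     = 'YES'
         AND    enabled.failure     = 'YES'
         AND    enabled.enabled_opt = 'BY'
         AND    enabled.user_name   = 'ALL USERS')
ORDER  BY r.audit_option_type, r.audit_option;
```

The option may live in any enabled policy, not only CIS_UNIFIED_AUDIT_POLICY, which matches the benchmark's queries; an option that is present but enabled only for some users or only on failure is reported as missing.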
6 Appendix: Establishing an Audit/Scan User
This document has been authored with the expectation that a user with appropriate permissions will be used to execute the queries and perform other assessment actions. While this could be accomplished by granting DBA privileges to a given user, the preferred approach is to create a dedicated user and grant only the specific permissions required to perform the assessments expressed herein. Doing this avoids the necessity for any user assessing the system to be granted DBA privileges.
The recommendations expressed in this document assume the presence of a role named CISSCANROLE and a user named CISSCAN. This role and user should be created by executing the following SQL statements, being careful to substitute an appropriate password for <password>.
-- Create the role
CREATE ROLE CISSCANROLE;
-- Grant necessary privileges to the role
GRANT CREATE SESSION TO CISSCANROLE;
GRANT SELECT ON V_$PARAMETER TO CISSCANROLE;
GRANT SELECT ON DBA_TAB_PRIVS TO CISSCANROLE;
GRANT SELECT ON DBA_PROFILES TO CISSCANROLE;
GRANT SELECT ON DBA_SYS_PRIVS TO CISSCANROLE;
GRANT SELECT ON DBA_STMT_AUDIT_OPTS TO CISSCANROLE;
GRANT SELECT ON DBA_ROLE_PRIVS TO CISSCANROLE;
GRANT SELECT ON DBA_OBJ_AUDIT_OPTS TO CISSCANROLE;
GRANT SELECT ON DBA_PRIV_AUDIT_OPTS TO CISSCANROLE;
GRANT SELECT ON DBA_PROXIES TO CISSCANROLE;
GRANT SELECT ON DBA_USERS TO CISSCANROLE;
GRANT SELECT ON DBA_USERS_WITH_DEFPWD TO CISSCANROLE;
GRANT AUDIT_VIEWER TO CISSCANROLE;
-- Create the user and assign the user to the role
CREATE USER CISSCAN IDENTIFIED BY <password>;
GRANT CISSCANROLE TO CISSCAN;
If you rely on similar roles and/or users, but they are not named CISSCANROLE or CISSCAN, or if you have roles or users named CISSCANROLE or CISSCAN intended to be used for different purposes, be aware that some recommendations herein explicitly name CISSCANROLE and CISSCAN.
These are:
• 3.10 Ensure No Users Are Assigned the DEFAULT Profile
• 4.5.5 Ensure 'ALL' Is Revoked from Unauthorized GRANTEE on DBA_%
Note: Different organizations may wish to follow the instructions in this appendix in different ways. For more permanent or regular assessment scans, it may be acceptable to retain the CISSCANROLE and CISSCAN user indefinitely. However, in a consultative context where an assessment is perhaps run at the outset of the consulting engagement and again closer to the end, after any remediation has been performed, the CISSCANROLE role and CISSCAN user may be dropped. Such a decision is ultimately left up to the implementing organization.
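The point of the dedicated role is that it holds exactly the grants listed above and nothing more, which is easy to lose when a scan fails and someone adds DBA "just to get it working". The query below is an added example, not part of the benchmark: it compares what CISSCANROLE and CISSCAN actually hold with the appendix's list and reports EXTRA grants (held but not listed) and MISSING grants (listed but absent). The expected set is taken from the appendix; owner SYS for the dictionary views is our assumption, matching a default installation.

```sql
-- Added example, not from the benchmark: least-privilege drift check for the
-- CISSCANROLE role and the CISSCAN user defined in this appendix.
WITH expected (grant_kind, grant_text) AS (
  SELECT 'SYSTEM', 'CREATE SESSION'                      FROM DUAL UNION ALL
  SELECT 'OBJECT', 'SELECT ON SYS.V_$PARAMETER'          FROM DUAL UNION ALL
  SELECT 'OBJECT', 'SELECT ON SYS.DBA_TAB_PRIVS'         FROM DUAL UNION ALL
  SELECT 'OBJECT', 'SELECT ON SYS.DBA_PROFILES'          FROM DUAL UNION ALL
  SELECT 'OBJECT', 'SELECT ON SYS.DBA_SYS_PRIVS'         FROM DUAL UNION ALL
  SELECT 'OBJECT', 'SELECT ON SYS.DBA_STMT_AUDIT_OPTS'   FROM DUAL UNION ALL
  SELECT 'OBJECT', 'SELECT ON SYS.DBA_ROLE_PRIVS'        FROM DUAL UNION ALL
  SELECT 'OBJECT', 'SELECT ON SYS.DBA_OBJ_AUDIT_OPTS'    FROM DUAL UNION ALL
  SELECT 'OBJECT', 'SELECT ON SYS.DBA_PRIV_AUDIT_OPTS'   FROM DUAL UNION ALL
  SELECT 'OBJECT', 'SELECT ON SYS.DBA_PROXIES'           FROM DUAL UNION ALL
  SELECT 'OBJECT', 'SELECT ON SYS.DBA_USERS'             FROM DUAL UNION ALL
  SELECT 'OBJECT', 'SELECT ON SYS.DBA_USERS_WITH_DEFPWD' FROM DUAL UNION ALL
  SELECT 'ROLE',   'AUDIT_VIEWER'                        FROM DUAL
),
held (grant_kind, grant_text) AS (
  -- What the role really holds, normalised to the same three shapes.
  SELECT 'SYSTEM', privilege
  FROM   DBA_SYS_PRIVS  WHERE grantee = 'CISSCANROLE'
  UNION ALL
  SELECT 'OBJECT', privilege || ' ON ' || owner || '.' || table_name
  FROM   DBA_TAB_PRIVS  WHERE grantee = 'CISSCANROLE'
  UNION ALL
  SELECT 'ROLE',   granted_role
  FROM   DBA_ROLE_PRIVS WHERE grantee = 'CISSCANROLE'
)
SELECT 'EXTRA'   AS status, grant_kind, grant_text
FROM   (SELECT grant_kind, grant_text FROM held
        MINUS
        SELECT grant_kind, grant_text FROM expected)
UNION ALL
SELECT 'MISSING' AS status, grant_kind, grant_text
FROM   (SELECT grant_kind, grant_text FROM expected
        MINUS
        SELECT grant_kind, grant_text FROM held)
ORDER  BY status, grant_kind, grant_text;

-- The user itself should hold nothing directly except CISSCANROLE; any row
-- here is a grant that bypasses the role and needs a reason.
SELECT 'SYSTEM' AS grant_kind, privilege AS grant_text
FROM   DBA_SYS_PRIVS  WHERE grantee = 'CISSCAN'
UNION ALL
SELECT 'OBJECT', privilege || ' ON ' || owner || '.' || table_name
FROM   DBA_TAB_PRIVS  WHERE grantee = 'CISSCAN'
UNION ALL
SELECT 'ROLE',   granted_role
FROM   DBA_ROLE_PRIVS WHERE grantee = 'CISSCAN' AND granted_role <> 'CISSCANROLE';
```

A MISSING row explains an assessment query that fails with insufficient privileges; an EXTRA row of DBA or SELECT ANY DICTIONARY on the scan role is a finding under the benchmark's own 4.3 recommendations.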
Appendix: Summary Table
Control  (Set Correctly: Yes / No)
1 Oracle Database Installation and Patching Requirements
1.1 Ensure the Appropriate Version/Patches for Oracle Software Is Installed (Not Scored)  o  o
1.2 Ensure All Default Passwords Are Changed (Scored)  o  o
1.3 Ensure All Sample Data And Users Have Been Removed (Scored)  o  o
2 Oracle Parameter Settings
2.1 Listener Settings
2.1.1 Ensure 'SECURE_CONTROL_<listener_name>' Is Set In 'listener.ora' (Scored)  o  o
2.1.2 Ensure 'extproc' Is Not Present in 'listener.ora' (Scored)  o  o
2.1.3 Ensure 'ADMIN_RESTRICTIONS_<listener_name>' Is Set to 'ON' (Scored)  o  o
2.1.4 Ensure 'SECURE_REGISTER_<listener_name>' Is Set to 'TCPS' or 'IPC' (Scored)  o  o
2.2 Database Settings
2.2.1 Ensure 'AUDIT_SYS_OPERATIONS' Is Set to 'TRUE' (Scored)  o  o
2.2.2 Ensure 'AUDIT_TRAIL' Is Set to 'DB', 'XML', 'OS', 'DB,EXTENDED', or 'XML,EXTENDED' (Scored)  o  o
2.2.3 Ensure 'GLOBAL_NAMES' Is Set to 'TRUE' (Scored)  o  o
2.2.4 Ensure 'O7_DICTIONARY_ACCESSIBILITY' Is Set to 'FALSE' (Scored)  o  o
2.2.5 Ensure 'OS_ROLES' Is Set to 'FALSE' (Scored)  o  o
2.2.6 Ensure 'REMOTE_LISTENER' Is Empty (Scored)  o  o
2.2.7 Ensure 'REMOTE_LOGIN_PASSWORDFILE' Is Set to 'NONE' (Scored)  o  o
2.2.8 Ensure 'REMOTE_OS_AUTHENT' Is Set to 'FALSE' (Scored)  o  o
2.2.9 Ensure 'REMOTE_OS_ROLES' Is Set to 'FALSE' (Scored)  o  o
2.2.10 Ensure 'UTL_FILE_DIR' Is Empty (Scored)  o  o
2.2.11 Ensure 'SEC_CASE_SENSITIVE_LOGON' Is Set to 'TRUE' (Scored)  o  o
2.2.12 Ensure 'SEC_MAX_FAILED_LOGIN_ATTEMPTS' Is '3' or Less (Scored)  o  o
2.2.13 Ensure 'SEC_PROTOCOL_ERROR_FURTHER_ACTION' Is Set to 'DROP,3' (Scored)  o  o
2.2.14 Ensure 'SEC_PROTOCOL_ERROR_TRACE_ACTION' Is Set to 'LOG' (Scored)  o  o
2.2.15 Ensure 'SEC_RETURN_SERVER_RELEASE_BANNER' Is Set to 'FALSE' (Scored)  o  o
2.2.16 Ensure 'SQL92_SECURITY' Is Set to 'TRUE' (Scored)  o  o
2.2.17 Ensure '_trace_files_public' Is Set to 'FALSE' (Scored)  o  o
2.2.18 Ensure 'RESOURCE_LIMIT' Is Set to 'TRUE' (Scored)  o  o
3 Oracle Connection and Login Restrictions
3.1 Ensure 'FAILED_LOGIN_ATTEMPTS' Is Less than or Equal to '5' (Scored)  o  o
3.2 Ensure 'PASSWORD_LOCK_TIME' Is Greater than or Equal to '1' (Scored)  o  o
3.3 Ensure 'PASSWORD_LIFE_TIME' Is Less than or Equal to '90' (Scored)  o  o
3.4 Ensure 'PASSWORD_REUSE_MAX' Is Greater than or Equal to '20' (Scored)  o  o
3.5 Ensure 'PASSWORD_REUSE_TIME' Is Greater than or Equal to '365' (Scored)  o  o
3.6 Ensure 'PASSWORD_GRACE_TIME' Is Less than or Equal to '5' (Scored)  o  o
3.7 Ensure 'DBA_USERS.PASSWORD' Is Not Set to 'EXTERNAL' for Any User (Scored)  o  o
3.8 Ensure 'PASSWORD_VERIFY_FUNCTION' Is Set for All Profiles (Scored)  o  o
3.9 Ensure 'SESSIONS_PER_USER' Is Less than or Equal to '10' (Scored)  o  o
3.10 Ensure No Users Are Assigned the 'DEFAULT' Profile (Scored)  o  o
4 Oracle User Access and Authorization Restrictions
4.1 Default Public Privileges for Packages and Object Types
4.1.1 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_ADVISOR' (Scored)  o  o
4.1.2 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_CRYPTO' (Scored)  o  o
4.1.3 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_JAVA' (Scored)  o  o
4.1.4 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_JAVA_TEST' (Scored)  o  o
4.1.5 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_JOB' (Scored)  o  o
4.1.6 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_LDAP' (Scored)  o  o
4.1.7 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_LOB' (Scored)  o  o
4.1.8 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_OBFUSCATION_TOOLKIT' (Scored)  o  o
4.1.9 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_RANDOM' (Scored)  o  o
4.1.10 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_SCHEDULER' (Scored)  o  o
4.1.11 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_SQL' (Scored)  o  o
4.1.12 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_XMLGEN' (Scored)  o  o
4.1.13 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_XMLQUERY' (Scored)  o  o
4.1.14 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_FILE' (Scored)  o  o
4.1.15 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_INADDR' (Scored)  o  o
4.1.16 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_TCP' (Scored)  o  o
4.1.17 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_MAIL' (Scored)  o  o
4.1.18 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_SMTP' (Scored)  o  o
4.1.19 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_DBWS' (Scored)  o  o
4.1.20 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_ORAMTS' (Scored)  o  o
4.1.21 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_HTTP' (Scored)  o  o
4.1.22 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'HTTPURITYPE' (Scored)  o  o
4.1.23 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_XMLSTORE' (Scored)  o  o
4.1.24 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_XMLSAVE' (Scored)  o  o
4.1.25 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_REDACT' (Scored)  o  o
4.2 Revoke Non-Default Privileges for Packages and Object Types
4.2.1 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_SYS_SQL' (Scored)  o  o
4.2.2 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_BACKUP_RESTORE' (Scored)  o  o
4.2.3 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_AQADM_SYSCALLS' (Scored)  o  o
4.2.4 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_REPCAT_SQL_UTL' (Scored)  o  o
4.2.5 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'INITJVMAUX' (Scored)  o  o
4.2.6 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_STREAMS_ADM_UTL' (Scored)  o  o
4.2.7 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_AQADM_SYS' (Scored)  o  o
4.2.8 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_STREAMS_RPC' (Scored)  o  o
4.2.9 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_PRVTAQIM' (Scored)  o  o
4.2.10 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'LTADM' (Scored)  o  o
4.2.11 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'WWV_DBMS_SQL' (Scored)  o  o
4.2.12 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'WWV_EXECUTE_IMMEDIATE' (Scored)  o  o
4.2.13 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_IJOB' (Scored)  o  o
4.2.14 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_FILE_TRANSFER' (Scored)  o  o
4.3 Revoke Excessive System Privileges
4.3.1 Ensure 'SELECT ANY DICTIONARY' Is Revoked from Unauthorized 'GRANTEE' (Scored)  o  o
4.3.2 Ensure 'SELECT ANY TABLE' Is Revoked from Unauthorized 'GRANTEE' (Scored)  o  o
4.3.3 Ensure 'AUDIT SYSTEM' Is Revoked from Unauthorized 'GRANTEE' (Scored)  o  o
4.3.4 Ensure 'EXEMPT ACCESS POLICY' Is Revoked from Unauthorized 'GRANTEE' (Scored)  o  o
4.3.5 Ensure 'BECOME USER' Is Revoked from Unauthorized 'GRANTEE' (Scored)  o  o
4.3.6 Ensure 'CREATE_PROCEDURE' Is Revoked from Unauthorized 'GRANTEE' (Scored)  o  o
4.3.7 Ensure 'ALTER SYSTEM' Is Revoked from Unauthorized 'GRANTEE' (Scored)  o  o
4.3.8 Ensure 'CREATE ANY LIBRARY' Is Revoked from Unauthorized 'GRANTEE' (Scored)  o  o
4.3.9 Ensure 'CREATE LIBRARY' Is Revoked from Unauthorized 'GRANTEE' (Scored)  o  o
4.3.10 Ensure 'GRANT ANY OBJECT PRIVILEGE' Is Revoked from Unauthorized 'GRANTEE' (Scored)  o  o
4.3.11 Ensure 'GRANT ANY ROLE' Is Revoked from Unauthorized 'GRANTEE' (Scored)  o  o
4.3.12 Ensure 'GRANT ANY PRIVILEGE' Is Revoked from Unauthorized 'GRANTEE' (Scored)  o  o
4.4 Revoke Role Privileges
4.4.1 Ensure 'DELETE_CATALOG_ROLE' Is Revoked from
Unauthorized'GRANTEE'(Scored) o o
4.4.2 Ensure'SELECT_CATALOG_ROLE'IsRevokedfromUnauthorized'GRANTEE'(Scored) o o
4.4.3 Ensure'EXECUTE_CATALOG_ROLE'IsRevokedfromUnauthorized'GRANTEE'(Scored) o o
4.4.4 Ensure'DBA'IsRevokedfromUnauthorized'GRANTEE'(Scored) o o
4.5 RevokeExcessiveTableandViewPrivileges4.5.1 Ensure'ALL'IsRevokedfromUnauthorized'GRANTEE'on
'AUD$'(Scored) o o
4.5.2 Ensure'ALL'IsRevokedfromUnauthorized'GRANTEE'on'USER_HISTORY$'(Scored) o o
4.5.3 Ensure'ALL'IsRevokedfromUnauthorized'GRANTEE'on'LINK$'(Scored) o o
4.5.4 Ensure'ALL'IsRevokedfromUnauthorized'GRANTEE'on'SYS.USER$'(Scored) o o
4.5.5 Ensure'ALL'IsRevokedfromUnauthorized'GRANTEE'on'DBA_%'(Scored) o o
4.5.6 Ensure'ALL'IsRevokedfromUnauthorized'GRANTEE'on'SYS.SCHEDULER$_CREDENTIAL'(Scored) o o
4.5.7 Ensure'SYS.USER$MIG'HasBeenDropped(Scored) o o4.6 Ensure'%ANY%'IsRevokedfromUnauthorized'GRANTEE'
(Scored) o o
4.7 Ensure'DBA_SYS_PRIVS.%'IsRevokedfromUnauthorized'GRANTEE'with'ADMIN_OPTION'Setto'YES'(Scored) o o
4.8 EnsureProxyUsersHaveOnly'CONNECT'Privilege(Scored) o o4.9 Ensure'EXECUTEANYPROCEDURE'IsRevokedfrom
'OUTLN'(Scored) o o
4.10 Ensure'EXECUTEANYPROCEDURE'IsRevokedfrom'DBSNMP'(Scored) o o
5 Audit/LoggingPoliciesandProcedures5.1 TraditionalAuditing5.1.1 Ensurethe'USER'AuditOptionIsEnabled(Scored) o o5.1.2 Ensurethe'ROLE'AuditOptionIsEnabled(Scored) o o
291|P a g e
5.1.3 Ensurethe'SYSTEMGRANT'AuditOptionIsEnabled(Scored) o o
5.1.4 Ensurethe'PROFILE'AuditOptionIsEnabled(Scored) o o5.1.5 Ensurethe'DATABASELINK'AuditOptionIsEnabled
(Scored) o o
5.1.6 Ensurethe'PUBLICDATABASELINK'AuditOptionIsEnabled(Scored) o o
5.1.7 Ensurethe'PUBLICSYNONYM'AuditOptionIsEnabled(Scored) o o
5.1.8 Ensurethe'SYNONYM'AuditOptionIsEnabled(Scored) o o5.1.9 Ensurethe'DIRECTORY'AuditOptionIsEnabled(Scored) o o5.1.10 Ensurethe'SELECTANYDICTIONARY'AuditOptionIs
Enabled(Scored) o o
5.1.11 Ensurethe'GRANTANYOBJECTPRIVILEGE'AuditOptionIsEnabled(Scored) o o
5.1.12 Ensurethe'GRANTANYPRIVILEGE'AuditOptionIsEnabled(Scored) o o
5.1.13 Ensurethe'DROPANYPROCEDURE'AuditOptionIsEnabled(Scored) o o
5.1.14 Ensurethe'ALL'AuditOptionon'SYS.AUD$'IsEnabled(Scored) o o
5.1.15 Ensurethe'PROCEDURE'AuditOptionIsEnabled(Scored) o o5.1.16 Ensurethe'ALTERSYSTEM'AuditOptionIsEnabled(Scored) o o5.1.17 Ensurethe'TRIGGER'AuditOptionIsEnabled(Scored) o o5.1.18 Ensurethe'CREATESESSION'AuditOptionIsEnabled
(Scored) o o
5.2 UnifiedAuditing5.2.1 Ensurethe'CREATEUSER'ActionAuditIsEnabled(Scored) o o5.2.2 Ensurethe'ALTERUSER'ActionAuditIsEnabled(Scored) o o5.2.3 Ensuethe'DROPUSER'AuditOptionIsEnabled(Scored) o o5.2.4 Ensurethe'CREATEROLE’ActionAuditIsEnabled(Scored) o o5.2.5 Ensurethe'ALTERROLE’ActionAuditIsEnabled(Scored) o o5.2.6 Ensurethe'DROPROLE’ActionAuditIsEnabled(Scored) o o5.2.7 Ensurethe'GRANT'ActionAuditIsEnabled(Scored) o o5.2.8 Ensurethe'REVOKE'ActionAuditIsEnabled(Scored) o o5.2.9 Ensurethe'CREATEPROFILE’ActionAuditIsEnabled
(Scored) o o
5.2.10 Ensurethe'ALTERPROFILE’ActionAuditIsEnabled(Scored) o o5.2.11 Ensurethe'DROPPROFILE’ActionAuditIsEnabled(Scored) o o5.2.12 Ensurethe'CREATEDATABASELINK’ActionAuditIs
Enabled(Scored) o o
5.2.13 Ensurethe'ALTERDATABASELINK’ActionAuditIsEnabled(Scored) o o
292|P a g e
5.2.14 Ensurethe'DROPDATABASELINK’ActionAuditIsEnabled(Scored) o o
5.2.15 Ensurethe'CREATESYNONYM’ActionAuditIsEnabled(Scored) o o
5.2.16 Ensurethe'ALTERSYNONYM’ActionAuditIsEnabled(Scored) o o
5.2.17 Ensurethe'DROPSYNONYM’ActionAuditIsEnabled(Scored) o o
5.2.18 Ensurethe'SELECTANYDICTIONARY’PrivilegeAuditIsEnabled(Scored) o o
5.2.19 Ensurethe'UNIFIED_AUDIT_TRAIL’AccessAuditIsEnabled(Scored) o o
5.2.20 Ensurethe'CREATEPROCEDURE/FUNCTION/PACKAGE/PACKAGEBODY’ActionAuditIsEnabled(Scored)
o o
5.2.21 Ensurethe'ALTERPROCEDURE/FUNCTION/PACKAGE/PACKAGEBODY’ActionAuditIsEnabled(Scored)
o o
5.2.22 Ensurethe'DROPPROCEDURE/FUNCTION/PACKAGE/PACKAGEBODY’ActionAuditIsEnabled(Scored)
o o
5.2.23 Ensurethe'ALTERSYSTEM’PrivilegeAuditIsEnabled(Scored) o o
5.2.24 Ensurethe'CREATETRIGGER’ActionAuditIsEnabled(Scored) o o
5.2.25 Ensurethe'ALTERTRIGGER’ActionAuditISEnabled(Scored) o o
5.2.26 Ensurethe'DROPTRIGGER’ActionAuditIsEnabled(Scored) o o5.2.27 Ensurethe'LOGON’AND‘LOGOFF’ActionsAuditIsEnabled
(Scored) o o
6 Appendix:EstablishinganAudit/ScanUser
293|P a g e
Appendix: Change History

| Date | Version | Changes for this version |
|---|---|---|
| Apr 29, 2015 | 1.0.0 | Initial Release |
| Apr 29, 2015 | 1.1.0 | Ticket #216: Updated remediation to reference [PRIVILEGE] list |
| Apr 30, 2015 | 1.1.0 | Ticket #204: Clarification in overview for benchmark non-pluggable applicability |
| Jun 29, 2015 | 1.1.0 | Ticket #209: Add workflow advice to appendix about scan user |
| Jun 29, 2015 | 1.1.0 | Ticket #217: Corrected typo of "repact" with "repcat" |
| Jun 29, 2015 | 1.1.0 | Ticket #213: Updated audit query for regex on APEX users |
| Jun 29, 2015 | 1.1.0 | Ticket #212: Corrected confusion between DBMS_RANDOM and DBMS_BACKUP_RESTORE |
| Jun 29, 2015 | 1.1.0 | Ticket #211: Corrected incorrect recommendation from 'FALSE' to 'TRUE' |
| Jun 29, 2015 | 1.1.0 | Ticket #203: Updated references from 11gR2 to 12c where possible |
| Mar 31, 2016 | 1.2.0 | Ticket #259: Added SYSMAN to list of authorized grantees for 4.4.2 |
| Mar 31, 2016 | 1.2.0 | Ticket #258: Added APEX_050000; MGMT_VIEW; SYSMAN_MDS; SYSMAN_OPSS; SYSMAN_RO; SYSMAN_STB to list of authorized grantees in 4.3.6 |
| Mar 31, 2016 | 1.2.0 | Ticket #256: Added SYSBACKUP and SYSDG to grantee list for 4.3.1 |
| Mar 31, 2016 | 1.2.0 | Ticket #254: Updated recommendation text to say 'Less than or Equal to 10' on 2.13 |
| Mar 31, 2016 | 1.2.0 | Ticket #241: Added missing semicolon in audit query on 5.1 |
| Mar 31, 2016 | 1.2.0 | Ticket #253: Removed quotes from remediation command on 2.2.2 |
| Mar 31, 2016 | 1.2.0 | Ticket #261: Added SYS to table owners and SYSMAN to list of authorized grantees for 4.5.4 |
| Mar 31, 2016 | 1.2.0 | Ticket #263: Added SYS to list of table owners |
| Mar 31, 2016 | 1.2.0 | Ticket #264: Added APEX_050000; SYSMAN_STB; SYSMAN_TYPES to list of authorized grantees |
| Mar 31, 2016 | 1.2.0 | Ticket #225: Updated description and rationale for 2.2.17 |
| Mar 31, 2016 | 1.2.0 | Ticket #251: Added AUDIT_ADMIN, AUDIT_VIEWER, CAPTURE_ADMIN, DBA, GSMADMIN_INTERNAL, ORACLE_OCM, SYSDG, SYSKM, XDB to list of authorized grantees |
| Mar 31, 2016 | 1.2.0 | Ticket #215: Revised LISTENER sections and included LISTENER_HOME references |
| Mar 31, 2016 | 1.2.0 | Ticket #242: Added missing semicolon to 4.1.4 |
| Mar 31, 2016 | 1.2.0 | Ticket #266: Updated audit query to check for all privileges, not only roles |
| Mar 31, 2016 | 1.2.0 | Ticket #265: Added APEX_050000 to list of authorized grantees on 4.7 |
| Mar 31, 2016 | 1.2.0 | Ticket #252: Update profile text (minor) |
| Apr 1, 2016 | 2.0.0 | Ticket #267: Added a caution statement about revoking privileges from PUBLIC. |
| Oct 18, 2016 | 2.0.0 | Ticket #207: Moved existing auditing recommendations to a subsection named Traditional Auditing (5.1) and added unified auditing recommendations under a sibling subsection called Unified Auditing (5.2). |
| Oct 18, 2016 | 2.0.0 | Ticket #275: Corrected reference included for 2.2.2 |
| Oct 18, 2016 | 2.0.0 | Ticket #276: Added 'DB' and 'XML' as valid parameter values for 2.2.2 |
| Dec 1, 2016 | 2.0.0 | Ticket #262: Updated grantee list and added a note regarding PUBLIC grants for 4.5.5 |
| Dec 1, 2016 | 2.0.0 | Ticket #282: Corrected typo in 2.2.11 where it specified UTIL_FILE_DIR instead of UTL_FILE_DIR |
| Dec 1, 2016 | 2.0.0 | Ticket #283: Updated title to read "Ensure 'SEC_MAX_FAILED_LOGIN_ATTEMPTS' is '10'" for 2.2.13 |
| Dec 1, 2016 | 2.0.0 | Ticket #284: Added "and OWNER='SYS'" to the query for 4.5.2 |
| Dec 1, 2016 | 2.0.0 | Ticket #285: Added "and OWNER='SYS'" to the query for 4.5.3 |
| Dec 1, 2016 | 2.0.0 | Ticket #286: Added "and OWNER='SYS'" to the query for 4.5.4 |
| Dec 1, 2016 | 2.0.0 | Ticket #287: Added "and OWNER='SYS'" to the query for 4.5.6 |
| Dec 28, 2016 | 2.0.0 | Planned Update |
| Jan 18, 2017 | 2.1.0 | Ticket #3934: #292 4.3.12 - Typo in audit procedure |
| Jun 22, 2017 | 2.1.0 | Ticket #3937: #295 Remove "Level 1 - RDBMS using Unified Auditing" from 2.2.1 |
| Sep 14, 2017 | 2.1.0 | Ticket #4759: #297: 2.2.13 Ensure 'SEC_MAX_FAILED_LOGIN_ATTEMPTS' Is '10' |
| Sep 14, 2017 | 2.1.0 | Ticket #3938: #296 1.2 Ensure All Default Passwords Are Changed (Scored) - Add comment |
| Sep 14, 2017 | 2.1.0 | Ticket #3936: #294 Title of 2.2.2 is inconsistent |
| Sep 14, 2017 | 2.1.0 | Ticket #3935: #293 Change upper(value) from audit SQL query to value |
| Sep 28, 2017 | 2.1.0 | Ticket #3932: #290 Revise profile descriptions to remove any ambiguity |
| Feb 1, 2018 | 2.1.0 | Ticket #3928: #247 Revoke dangerous public privileges |
| Feb 1, 2018 | 2.1.0 | Ticket #3930: #250 Check for latest Patch Update using new naming format |
| Mar 16, 2018 | 2.1.0 | Ticket #6095: Remove 'LOCAL_LISTENER' recommendation from 12c |
| Jul 10, 2018 | 2.1.0 | Edits to the entire benchmark to address errors and clarify recommendations |
| Sep 18, 2018 | 2.1.0 | Planned Update |