CIS Oracle Database 12c Benchmark v2.1.0 – 09-18-2018
1 | Page
Terms of Use
Please see the below link for our current terms of use: https://www.cisecurity.org/cis-securesuite/cis-securesuite-membership-terms-of-use/
Table of Contents
Terms of Use ..... 1
Overview ..... 9
Intended Audience ..... 9
Consensus Guidance ..... 9
Typographical Conventions ..... 10
Scoring Information ..... 10
Profile Definitions ..... 11
Acknowledgements ..... 13
Recommendations ..... 14
1 Oracle Database Installation and Patching Requirements ..... 14
1.1 Ensure the Appropriate Version/Patches for Oracle Software Is Installed (Not Scored) ..... 14
1.2 Ensure All Default Passwords Are Changed (Scored) ..... 16
1.3 Ensure All Sample Data And Users Have Been Removed (Scored) ..... 18
2 Oracle Parameter Settings ..... 20
2.1 Listener Settings ..... 21
2.1.1 Ensure 'SECURE_CONTROL_' Is Set In 'listener.ora' (Scored) ..... 21
2.1.2 Ensure 'extproc' Is Not Present in 'listener.ora' (Scored) ..... 23
2.1.3 Ensure 'ADMIN_RESTRICTIONS_' Is Set to 'ON' (Scored) ..... 25
2.1.4 Ensure 'SECURE_REGISTER_' Is Set to 'TCPS' or 'IPC' (Scored) ..... 27
2.2 Database Settings ..... 29
2.2.1 Ensure 'AUDIT_SYS_OPERATIONS' Is Set to 'TRUE' (Scored) ..... 29
2.2.2 Ensure 'AUDIT_TRAIL' Is Set to 'DB', 'XML', 'OS', 'DB,EXTENDED', or 'XML,EXTENDED' (Scored) ..... 31
2.2.3 Ensure 'GLOBAL_NAMES' Is Set to 'TRUE' (Scored) ..... 33
2.2.4 Ensure 'O7_DICTIONARY_ACCESSIBILITY' Is Set to 'FALSE' (Scored) ..... 34
2.2.5 Ensure 'OS_ROLES' Is Set to 'FALSE' (Scored) ..... 36
2.2.6 Ensure 'REMOTE_LISTENER' Is Empty (Scored) ..... 37
2.2.7 Ensure 'REMOTE_LOGIN_PASSWORDFILE' Is Set to 'NONE' (Scored) ..... 39
2.2.8 Ensure 'REMOTE_OS_AUTHENT' Is Set to 'FALSE' (Scored) ..... 40
2.2.9 Ensure 'REMOTE_OS_ROLES' Is Set to 'FALSE' (Scored) ..... 41
2.2.10 Ensure 'UTL_FILE_DIR' Is Empty (Scored) ..... 42
2.2.11 Ensure 'SEC_CASE_SENSITIVE_LOGON' Is Set to 'TRUE' (Scored) ..... 43
2.2.12 Ensure 'SEC_MAX_FAILED_LOGIN_ATTEMPTS' Is '3' or Less (Scored) ..... 44
2.2.13 Ensure 'SEC_PROTOCOL_ERROR_FURTHER_ACTION' Is Set to 'DROP,3' (Scored) ..... 46
2.2.14 Ensure 'SEC_PROTOCOL_ERROR_TRACE_ACTION' Is Set to 'LOG' (Scored) ..... 48
2.2.15 Ensure 'SEC_RETURN_SERVER_RELEASE_BANNER' Is Set to 'FALSE' (Scored) ..... 50
2.2.16 Ensure 'SQL92_SECURITY' Is Set to 'TRUE' (Scored) ..... 52
2.2.17 Ensure '_trace_files_public' Is Set to 'FALSE' (Scored) ..... 54
2.2.18 Ensure 'RESOURCE_LIMIT' Is Set to 'TRUE' (Scored) ..... 56
3 Oracle Connection and Login Restrictions ..... 58
3.1 Ensure 'FAILED_LOGIN_ATTEMPTS' Is Less than or Equal to '5' (Scored) ..... 58
3.2 Ensure 'PASSWORD_LOCK_TIME' Is Greater than or Equal to '1' (Scored) ..... 60
3.3 Ensure 'PASSWORD_LIFE_TIME' Is Less than or Equal to '90' (Scored) ..... 62
3.4 Ensure 'PASSWORD_REUSE_MAX' Is Greater than or Equal to '20' (Scored) ..... 63
3.5 Ensure 'PASSWORD_REUSE_TIME' Is Greater than or Equal to '365' (Scored) ..... 65
3.6 Ensure 'PASSWORD_GRACE_TIME' Is Less than or Equal to '5' (Scored) ..... 67
3.7 Ensure 'DBA_USERS.PASSWORD' Is Not Set to 'EXTERNAL' for Any User (Scored) ..... 69
3.8 Ensure 'PASSWORD_VERIFY_FUNCTION' Is Set for All Profiles (Scored) ..... 71
3.9 Ensure 'SESSIONS_PER_USER' Is Less than or Equal to '10' (Scored) ..... 72
3.10 Ensure No Users Are Assigned the 'DEFAULT' Profile (Scored) ..... 74
4 Oracle User Access and Authorization Restrictions ..... 76
4.1 Default Public Privileges for Packages and Object Types ..... 77
4.1.1 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_ADVISOR' (Scored) ..... 77
4.1.2 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_CRYPTO' (Scored) ..... 79
4.1.3 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_JAVA' (Scored) ..... 81
4.1.4 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_JAVA_TEST' (Scored) ..... 83
4.1.5 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_JOB' (Scored) ..... 85
4.1.6 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_LDAP' (Scored) ..... 87
4.1.7 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_LOB' (Scored) ..... 89
4.1.8 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_OBFUSCATION_TOOLKIT' (Scored) ..... 91
4.1.9 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_RANDOM' (Scored) ..... 93
4.1.10 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_SCHEDULER' (Scored) ..... 95
4.1.11 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_SQL' (Scored) ..... 97
4.1.12 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_XMLGEN' (Scored) ..... 98
4.1.13 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_XMLQUERY' (Scored) ..... 100
4.1.14 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_FILE' (Scored) ..... 102
4.1.15 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_INADDR' (Scored) ..... 103
4.1.16 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_TCP' (Scored) ..... 105
4.1.17 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_MAIL' (Scored) ..... 106
4.1.18 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_SMTP' (Scored) ..... 108
4.1.19 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_DBWS' (Scored) ..... 110
4.1.20 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_ORAMTS' (Scored) ..... 112
4.1.21 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_HTTP' (Scored) ..... 114
4.1.22 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'HTTPURITYPE' (Scored) ..... 116
4.1.23 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_XMLSTORE' (Scored) ..... 117
4.1.24 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_XMLSAVE' (Scored) ..... 119
4.1.25 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_REDACT' (Scored) ..... 121
4.2 Revoke Non-Default Privileges for Packages and Object Types ..... 122
4.2.1 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_SYS_SQL' (Scored) ..... 122
4.2.2 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_BACKUP_RESTORE' (Scored) ..... 124
4.2.3 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_AQADM_SYSCALLS' (Scored) ..... 126
4.2.4 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_REPCAT_SQL_UTL' (Scored) ..... 127
4.2.5 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'INITJVMAUX' (Scored) ..... 129
4.2.6 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_STREAMS_ADM_UTL' (Scored) ..... 130
4.2.7 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_AQADM_SYS' (Scored) ..... 132
4.2.8 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_STREAMS_RPC' (Scored) ..... 133
4.2.9 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_PRVTAQIM' (Scored) ..... 135
4.2.10 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'LTADM' (Scored) ..... 137
4.2.11 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'WWV_DBMS_SQL' (Scored) ..... 138
4.2.12 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'WWV_EXECUTE_IMMEDIATE' (Scored) ..... 139
4.2.13 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_IJOB' (Scored) ..... 141
4.2.14 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_FILE_TRANSFER' (Scored) ..... 142
4.3 Revoke Excessive System Privileges ..... 144
4.3.1 Ensure 'SELECT ANY DICTIONARY' Is Revoked from Unauthorized 'GRANTEE' (Scored) ..... 144
4.3.2 Ensure 'SELECT ANY TABLE' Is Revoked from Unauthorized 'GRANTEE' (Scored) ..... 146
4.3.3 Ensure 'AUDIT SYSTEM' Is Revoked from Unauthorized 'GRANTEE' (Scored) ..... 148
4.3.4 Ensure 'EXEMPT ACCESS POLICY' Is Revoked from Unauthorized 'GRANTEE' (Scored) ..... 150
4.3.5 Ensure 'BECOME USER' Is Revoked from Unauthorized 'GRANTEE' (Scored) ..... 152
4.3.6 Ensure 'CREATE_PROCEDURE' Is Revoked from Unauthorized 'GRANTEE' (Scored) ..... 153
4.3.7 Ensure 'ALTER SYSTEM' Is Revoked from Unauthorized 'GRANTEE' (Scored) ..... 155
4.3.8 Ensure 'CREATE ANY LIBRARY' Is Revoked from Unauthorized 'GRANTEE' (Scored) ..... 157
4.3.9 Ensure 'CREATE LIBRARY' Is Revoked from Unauthorized 'GRANTEE' (Scored) ..... 159
4.3.10 Ensure 'GRANT ANY OBJECT PRIVILEGE' Is Revoked from Unauthorized 'GRANTEE' (Scored) ..... 161
4.3.11 Ensure 'GRANT ANY ROLE' Is Revoked from Unauthorized 'GRANTEE' (Scored) ..... 163
4.3.12 Ensure 'GRANT ANY PRIVILEGE' Is Revoked from Unauthorized 'GRANTEE' (Scored) ..... 165
4.4 Revoke Role Privileges ..... 167
4.4.1 Ensure 'DELETE_CATALOG_ROLE' Is Revoked from Unauthorized 'GRANTEE' (Scored) ..... 167
4.4.2 Ensure 'SELECT_CATALOG_ROLE' Is Revoked from Unauthorized 'GRANTEE' (Scored) ..... 169
4.4.3 Ensure 'EXECUTE_CATALOG_ROLE' Is Revoked from Unauthorized 'GRANTEE' (Scored) ..... 171
4.4.4 Ensure 'DBA' Is Revoked from Unauthorized 'GRANTEE' (Scored) ..... 173
4.5 Revoke Excessive Table and View Privileges ..... 175
4.5.1 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'AUD$' (Scored) ..... 175
4.5.2 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'USER_HISTORY$' (Scored) ..... 177
4.5.3 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'LINK$' (Scored) ..... 179
4.5.4 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'SYS.USER$' (Scored) ..... 181
4.5.5 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'DBA_%' (Scored) ..... 183
4.5.6 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'SYS.SCHEDULER$_CREDENTIAL' (Scored) ..... 185
4.5.7 Ensure 'SYS.USER$MIG' Has Been Dropped (Scored) ..... 187
4.6 Ensure '%ANY%' Is Revoked from Unauthorized 'GRANTEE' (Scored) ..... 188
4.7 Ensure 'DBA_SYS_PRIVS.%' Is Revoked from Unauthorized 'GRANTEE' with 'ADMIN_OPTION' Set to 'YES' (Scored) ..... 190
4.8 Ensure Proxy Users Have Only 'CONNECT' Privilege (Scored) ..... 191
4.9 Ensure 'EXECUTE ANY PROCEDURE' Is Revoked from 'OUTLN' (Scored) ..... 192
4.10 Ensure 'EXECUTE ANY PROCEDURE' Is Revoked from 'DBSNMP' (Scored) ..... 193
5 Audit/Logging Policies and Procedures ..... 194
5.1 Traditional Auditing ..... 195
5.1.1 Ensure the 'USER' Audit Option Is Enabled (Scored) ..... 195
5.1.2 Ensure the 'ROLE' Audit Option Is Enabled (Scored) ..... 197
5.1.3 Ensure the 'SYSTEM GRANT' Audit Option Is Enabled (Scored) ..... 199
5.1.4 Ensure the 'PROFILE' Audit Option Is Enabled (Scored) ..... 200
5.1.5 Ensure the 'DATABASE LINK' Audit Option Is Enabled (Scored) ..... 202
5.1.6 Ensure the 'PUBLIC DATABASE LINK' Audit Option Is Enabled (Scored) ..... 204
5.1.7 Ensure the 'PUBLIC SYNONYM' Audit Option Is Enabled (Scored) ..... 206
5.1.8 Ensure the 'SYNONYM' Audit Option Is Enabled (Scored) ..... 208
5.1.9 Ensure the 'DIRECTORY' Audit Option Is Enabled (Scored) ..... 210
5.1.10 Ensure the 'SELECT ANY DICTIONARY' Audit Option Is Enabled (Scored) ..... 212
5.1.11 Ensure the 'GRANT ANY OBJECT PRIVILEGE' Audit Option Is Enabled (Scored) ..... 214
5.1.12 Ensure the 'GRANT ANY PRIVILEGE' Audit Option Is Enabled (Scored) ..... 216
5.1.13 Ensure the 'DROP ANY PROCEDURE' Audit Option Is Enabled (Scored) ..... 218
5.1.14 Ensure the 'ALL' Audit Option on 'SYS.AUD$' Is Enabled (Scored) ..... 220
5.1.15 Ensure the 'PROCEDURE' Audit Option Is Enabled (Scored) ..... 222
5.1.16 Ensure the 'ALTER SYSTEM' Audit Option Is Enabled (Scored) ..... 224
5.1.17 Ensure the 'TRIGGER' Audit Option Is Enabled (Scored) ..... 226
5.1.18 Ensure the 'CREATE SESSION' Audit Option Is Enabled (Scored) ..... 228
5.2 Unified Auditing ..... 230
5.2.1 Ensure the 'CREATE USER' Action Audit Is Enabled (Scored) ..... 230
5.2.2 Ensure the 'ALTER USER' Action Audit Is Enabled (Scored) ..... 232
5.2.3 Ensure the 'DROP USER' Audit Option Is Enabled (Scored) ..... 234
5.2.4 Ensure the 'CREATE ROLE' Action Audit Is Enabled (Scored) ..... 236
5.2.5 Ensure the 'ALTER ROLE' Action Audit Is Enabled (Scored) ..... 238
5.2.6 Ensure the 'DROP ROLE' Action Audit Is Enabled (Scored) ..... 240
5.2.7 Ensure the 'GRANT' Action Audit Is Enabled (Scored) ..... 242
5.2.8 Ensure the 'REVOKE' Action Audit Is Enabled (Scored) ..... 244
5.2.9 Ensure the 'CREATE PROFILE' Action Audit Is Enabled (Scored) ..... 246
5.2.10 Ensure the 'ALTER PROFILE' Action Audit Is Enabled (Scored) ..... 248
5.2.11 Ensure the 'DROP PROFILE' Action Audit Is Enabled (Scored) ..... 250
5.2.12 Ensure the 'CREATE DATABASE LINK' Action Audit Is Enabled (Scored) ..... 252
5.2.13 Ensure the 'ALTER DATABASE LINK' Action Audit Is Enabled (Scored) ..... 254
5.2.14 Ensure the 'DROP DATABASE LINK' Action Audit Is Enabled (Scored) ..... 256
5.2.15 Ensure the 'CREATE SYNONYM' Action Audit Is Enabled (Scored) ..... 258
5.2.16 Ensure the 'ALTER SYNONYM' Action Audit Is Enabled (Scored) ..... 260
5.2.17 Ensure the 'DROP SYNONYM' Action Audit Is Enabled (Scored) ..... 262
5.2.18 Ensure the 'SELECT ANY DICTIONARY' Privilege Audit Is Enabled (Scored) ..... 264
5.2.19 Ensure the 'UNIFIED_AUDIT_TRAIL' Access Audit Is Enabled (Scored) ..... 266
5.2.20 Ensure the 'CREATE PROCEDURE/FUNCTION/PACKAGE/PACKAGE BODY' Action Audit Is Enabled (Scored) ..... 268
5.2.21 Ensure the 'ALTER PROCEDURE/FUNCTION/PACKAGE/PACKAGE BODY' Action Audit Is Enabled (Scored) ..... 270
5.2.22 Ensure the 'DROP PROCEDURE/FUNCTION/PACKAGE/PACKAGE BODY' Action Audit Is Enabled (Scored) ..... 272
5.2.23 Ensure the 'ALTER SYSTEM' Privilege Audit Is Enabled (Scored) ..... 274
5.2.24 Ensure the 'CREATE TRIGGER' Action Audit Is Enabled (Scored) ..... 276
5.2.25 Ensure the 'ALTER TRIGGER' Action Audit Is Enabled (Scored) ..... 278
5.2.26 Ensure the 'DROP TRIGGER' Action Audit Is Enabled (Scored) ..... 280
5.2.27 Ensure the 'LOGON' and 'LOGOFF' Actions Audit Is Enabled (Scored) ..... 282
6 Appendix: Establishing an Audit/Scan User ..... 284
Appendix: Summary Table ..... 286
Appendix: Change History ..... 293
Overview
This document is intended to address the recommended security settings for Oracle Database 12c. This guide was tested against Oracle Database 12c (version 12.1.0.2) installed without pluggable database support, running on a Windows Server 2012 R2 instance as a stand-alone system and running on an Oracle Linux 7 instance also as a stand-alone system. Future Oracle Database 12c critical patch updates (CPUs) may impact the recommendations included in this document.
To obtain the latest version of this guide, please visit http://benchmarks.cisecurity.org. If you have questions, comments, or have identified ways to improve this guide, please contact [email protected].
Intended Audience
This benchmark is intended for system and application administrators, security specialists, auditors, help desk, and platform deployment personnel who plan to develop, deploy, assess, or secure solutions that incorporate Oracle Database 12c on Oracle Linux or Microsoft Windows Server.
Consensus Guidance
This benchmark was created using a consensus review process comprised of subject matter experts. Consensus participants provide perspective from a diverse set of backgrounds including consulting, software development, audit and compliance, security research, operations, government, and legal.
Each CIS benchmark undergoes two phases of consensus review. The first phase occurs during initial benchmark development. During this phase, subject matter experts convene to discuss, create, and test working drafts of the benchmark. This discussion occurs until consensus has been reached on benchmark recommendations. The second phase begins after the benchmark has been published. During this phase, all feedback provided by the Internet community is reviewed by the consensus team for incorporation in the benchmark. If you are interested in participating in the consensus process, please visit https://workbench.cisecurity.org/.
Typographical Conventions
The following typographical conventions are used throughout this guide:
Convention: Meaning
Stylized Monospace font: Used for blocks of code, command, and script examples. Text should be interpreted exactly as presented.
Monospace font: Used for inline code, commands, or examples. Text should be interpreted exactly as presented.
<italic font in brackets>: Italic text set in angle brackets denotes a variable requiring substitution for a real value.
Italic font: Used to denote the title of a book, article, or other publication.
Note: Additional information or caveats
Scoring Information
A scoring status indicates whether compliance with the given recommendation impacts the assessed target's benchmark score. The following scoring statuses are used in this benchmark:
Scored
Failure to comply with "Scored" recommendations will decrease the final benchmark score. Compliance with "Scored" recommendations will increase the final benchmark score.
Not Scored
Failure to comply with "Not Scored" recommendations will not decrease the final benchmark score. Compliance with "Not Scored" recommendations will not increase the final benchmark score.
Profile Definitions
The following configuration profiles are defined by this Benchmark:
• Level 1 - RDBMS using Traditional Auditing
Items in this profile apply to Oracle Database 12c configured to use Traditional Auditing and intend to:
o Be practical and prudent;
o Provide a clear security benefit; and
o Not inhibit the utility of the technology beyond acceptable means.
• Level 1 - Linux Host OS using Traditional Auditing
This profile extends the "RDBMS using Traditional Auditing" profile. Items in this profile apply to RDBMS running on a Linux Host operating system with Oracle Database 12c configured to use Traditional Auditing and intend to:
o Be practical and prudent;
o Provide a clear security benefit; and
o Not inhibit the utility of the technology beyond acceptable means.
• Level 1 - Windows Server Host OS using Traditional Auditing
This profile extends the "RDBMS using Traditional Auditing" profile. Items in this profile apply to RDBMS running on a Windows Server operating system with Oracle Database 12c configured to use Traditional Auditing and intend to:
o Be practical and prudent;
o Provide a clear security benefit; and
o Not inhibit the utility of the technology beyond acceptable means.
• Level 1 - RDBMS using Unified Auditing
Items in this profile apply to Oracle Database 12c configured to use Unified Auditing and intend to:
o Be practical and prudent;
o Provide a clear security benefit; and
o Not inhibit the utility of the technology beyond acceptable means.
• Level 1 - Linux Host OS using Unified Auditing
This profile extends the "RDBMS using Unified Auditing" profile. Items in this profile apply to RDBMS running on a Linux Host operating system with Oracle Database 12c configured to use Unified Auditing and intend to:
o Be practical and prudent;
o Provide a clear security benefit; and
o Not inhibit the utility of the technology beyond acceptable means.
• Level 1 - Windows Server Host OS using Unified Auditing
This profile extends the "RDBMS using Unified Auditing" profile. Items in this profile apply to RDBMS running on a Windows Server operating system with Oracle Database 12c configured to use Unified Auditing and intend to:
o Be practical and prudent;
o Provide a clear security benefit; and
o Not inhibit the utility of the technology beyond acceptable means.
Acknowledgements
This benchmark exemplifies the great things a community of users, vendors, and subject matter experts can accomplish through consensus collaboration. The CIS community thanks the entire consensus team with special recognition to the following individuals who contributed greatly to the creation of this guide:
Author
Jay Mehta
Contributor
Alexander Kornbrust, S. Brian Suddeth, Pieter Van Puymbroeck, Arman Rawls, Adam Montville, Tung Bui Viet, Jignesh Patel, Than Thi Cham, Dean Lackey, Kyle Thomason, Justin Brown, Gijs Hasselman, Stephen Dufour, Philippe Langlois
Editor
Angelo Marcotullio, Tim Harrison CISSP, ICP, Center for Internet Security, Karen Scarfone
Recommendations

1 Oracle Database Installation and Patching Requirements
One of the best ways to ensure Oracle security is to implement Critical Patch Updates (CPUs) as they come out, along with any applicable OS patches that will not interfere with system operations. It is additionally prudent to remove Oracle sample data from production environments.
1.1 Ensure the Appropriate Version/Patches for Oracle Software Is Installed (Not Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle installation version and patches should be the most recent that are compatible with the organization's operational needs.
Rationale:
Using the most recent Oracle database software, along with all applicable patches, can help limit the possibilities for vulnerabilities in the software; the installation version and/or patches applied during setup should be established according to the needs of the organization. Ensure you are using a release that is covered by a level of support that includes the generation of Critical Patch Updates.
Audit:
To assess this recommendation, use the following example shell command as appropriate for your environment.
For example, on Linux systems:
opatch lsinventory | grep -e "^.*<latest_patch_version_number>\s*.*$"
For example, on Windows systems:
opatch lsinventory | find "<latest_patch_version_number>"
Remediation:
Perform the following step for remediation:
Download and apply the latest quarterly Critical Patch Update patches.
References:
1. http://www.oracle.com/us/support/assurance/fixing-policies/index.html
2. http://www.oracle.com/technetwork/topics/security/alerts-086861.html
3. http://www.oracle.com/us/support/library/lifetime-support-technology-069183.pdf
CIS Controls:
Version 6
2 Inventory of Authorized and Unauthorized Software
1.2 Ensure All Default Passwords Are Changed (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
Default passwords should not be used by Oracle database users.
Rationale:
Default passwords should be considered "well known" to attackers. Consequently, if default passwords remain in place, any attacker with access to the database can authenticate as the user with that default password.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT USERNAME FROM DBA_USERS_WITH_DEFPWD WHERE USERNAME NOT LIKE '%XS$NULL%';
The view called DBA_USERS_WITH_DEFPWD shows a list of all database users making use of default passwords. The assessment fails if results are returned.
Note: Per Oracle Support Document 2173962.1, "after creation of a new 12c database, the SYS and SYSTEM accounts are listed in DBA_USERS_WITH_DEFPWD even though the accounts were created with non-default passwords. Setting the same passwords again with ALTER USER correctly recognizes that the accounts do not have default passwords."
Remediation:
To remediate this recommendation, you may perform either of the following actions:
• Manually issue the following SQL statement for each USERNAME returned in the Audit Procedure:
PASSWORD <username>
• Execute the following SQL script to assign a randomly generated password to each account using a default password:
set serveroutput on
begin
  -- every account still listed with a default password gets a random
  -- 16-character password and is locked and expired so it cannot be used as-is
  for r_user in (select username from dba_users_with_defpwd
                 where username not like '%XS$NULL%')
  loop
    DBMS_OUTPUT.PUT_LINE('Password for user '||r_user.username||' will be changed.');
    execute immediate 'alter user "'||r_user.username||'" identified by "'
                      ||DBMS_RANDOM.string('a',16)||'" account lock password expire';
  end loop;
end;
/
References:
1. http://docs.oracle.com/database/121/TDPSG/GUID-3EC7A894-D620-4497-AFB1-64EB8C33D854.htm#TDPSG20021
2. https://support.oracle.com/epmos/faces/DocumentDisplay?id=2173962.1
CIS Controls:
Version 6
5.3 Change Default Passwords On All New Devices
Before deploying any new devices in a networked environment, change all default passwords for applications, operating systems, routers, firewalls, wireless access points, and other systems to have values consistent with administration-level accounts.
1.3 Ensure All Sample Data And Users Have Been Removed (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
Oracle sample schemas can be used to create sample users (BI, HR, IX, OE, PM, SCOTT, SH), with well-known default passwords, particular views, and procedures/functions, in addition to tables and fictitious data. The sample schemas should be removed.
Rationale:
The sample schemas are typically not required for production operations of the database. The default users, views, and/or procedures/functions created by sample schemas could be used to launch exploits against production environments.
Audit:
To assess this recommendation, check for the presence of Oracle sample users by executing the following SQL statement.
SELECT USERNAME FROM ALL_USERS WHERE USERNAME IN ('BI','HR','IX','OE','PM','SCOTT','SH');
Remediation:
To remediate this setting, execute the following SQL script.
$ORACLE_HOME/demo/schema/drop_sch.sql
Then, execute the following SQL statement.
DROP USER SCOTT CASCADE;
Note: The recycle bin is not set to OFF within the default drop script, which means that the data will still be present in your environment until the recycle bin is emptied.
Impact:
The Oracle sample usernames may be in use on a production basis. It is important that you first verify that BI, HR, IX, OE, PM, SCOTT, and/or SH are not valid production usernames before executing the dropping SQL scripts. This may be particularly true with the HR and BI users. If any of these users are present, it is important to be cautious and confirm the schemas present are, in fact, Oracle sample schemas and not production schemas being relied upon by business operations.
References:
1. http://docs.oracle.com/database/121/COMSC/toc.htm
CIS Controls:
Version 6
18.9 Sanitize Deployed Software Of Development Artifacts
For in-house developed applications, ensure that development artifacts (sample data and scripts; unused libraries, components, debug code; or tools) are not included in the deployed software, or accessible in the production environment.
2 Oracle Parameter Settings
The operation of the Oracle database instance is governed by numerous parameters that are set in specific configuration files and are instance-specific in scope. As alterations of these parameters can cause problems ranging from denial-of-service to theft of proprietary information, these configurations should be carefully considered and maintained.
Note: For all files that have parameters that can be modified with the OS and/or SQL commands/scripts, these will both be listed where appropriate.
2.1 Listener Settings
This section defines recommendations for the settings for the TNS Listener listener.ora file.
2.1.1 Ensure 'SECURE_CONTROL_' Is Set In 'listener.ora' (Scored)
Profile Applicability:
• Level 1 - Linux Host OS using Traditional Auditing
• Level 1 - Windows Server Host OS using Traditional Auditing
• Level 1 - Linux Host OS using Unified Auditing
• Level 1 - Windows Server Host OS using Unified Auditing
Description:
The SECURE_CONTROL_<listener_name> setting determines the type of control connection the Oracle server requires for remote configuration of the listener.
Rationale:
Listener configuration changes via unencrypted remote connections can result in unauthorized users sniffing control configuration information from the network.
Audit:
To audit this recommendation, follow these steps:
1. Open the $ORACLE_HOME/network/admin/listener.ora file (or %ORACLE_HOME%\network\admin\listener.ora on Windows).
2. Ensure that each defined listener has an associated SECURE_CONTROL_<listener_name> directive.
For example:
LISTENER1 =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = sales-server)(PORT = 1521))
    (ADDRESS = (PROTOCOL = IPC)(KEY = REGISTER))
    (ADDRESS = (PROTOCOL = TCPS)(HOST = sales-server)(PORT = 1522))
  )
SECURE_CONTROL_LISTENER1 = TCPS
Remediation:
To remediate this recommendation:
Set the SECURE_CONTROL_<listener_name> for each defined listener in the listener.ora file.
References:
1. http://docs.oracle.com/database/121/NETRF/listener.htm#NETRF327
CIS Controls:
Version 6
3.4 Use Only Secure Channels For Remote System Administration
Perform all remote administration of servers, workstations, network devices, and similar equipment over secure channels. Protocols such as telnet, VNC, RDP, or others that do not actively support strong encryption should only be used if they are performed over a secondary encryption channel, such as SSL, TLS or IPSEC.
2.1.2 Ensure 'extproc' Is Not Present in 'listener.ora' (Scored)
Profile Applicability:
• Level 1 - Linux Host OS using Traditional Auditing
• Level 1 - Windows Server Host OS using Traditional Auditing
• Level 1 - Linux Host OS using Unified Auditing
• Level 1 - Windows Server Host OS using Unified Auditing
Description:
extproc should be removed from the listener.ora to mitigate the risk that OS libraries can be invoked by the Oracle instance.
Rationale:
extproc allows the database to run procedures from OS libraries. These library calls can, in turn, run any OS command.
Audit:
To audit this recommendation, execute the following shell commands as appropriate for your Linux/Windows environment.
Linux environment:
grep -i extproc $ORACLE_HOME/network/admin/listener.ora
Windows environment:
find /I "extproc" %ORACLE_HOME%\network\admin\listener.ora
Ensure extproc does not exist.
Remediation:
To remediate this recommendation:
Remove extproc from the listener.ora file.
References:
1. http://docs.oracle.com/database/121/DBSEG/app_devs.htm#DBSEG656
CIS Controls:
Version 6
18.9 Sanitize Deployed Software Of Development Artifacts
For in-house developed applications, ensure that development artifacts (sample data and scripts; unused libraries, components, debug code; or tools) are not included in the deployed software, or accessible in the production environment.
2.1.3 Ensure 'ADMIN_RESTRICTIONS_' Is Set to 'ON' (Scored)
Profile Applicability:
• Level 1 - Linux Host OS using Traditional Auditing
• Level 1 - Windows Server Host OS using Traditional Auditing
• Level 1 - Linux Host OS using Unified Auditing
• Level 1 - Windows Server Host OS using Unified Auditing
Description:
The admin_restrictions_<listener_name> setting in the listener.ora file can require that any attempted real-time alteration of the parameters in the listener via the set command be refused unless the listener.ora file is manually altered, then restarted by a privileged user.
Rationale:
Blocking unprivileged users from making alterations of the listener.ora file, where remote data/service settings are specified, will help protect data confidentiality.
Audit:
To audit this recommendation, execute the following shell commands as appropriate for your Linux/Windows environment.
Linux environment:
grep -i admin_restrictions $ORACLE_HOME/network/admin/listener.ora
Windows environment:
find /I "admin_restrictions" %ORACLE_HOME%\network\admin\listener.ora
Ensure admin_restrictions_<listener_name> is set to ON for all listeners.
Remediation:
To remediate this recommendation:
Use a text editor such as vi to set the admin_restrictions_<listener_name> to the value ON.
Default Value:
Not set.
References:
1. http://docs.oracle.com/database/121/NETRF/listener.htm#NETRF310
CIS Controls:
Version 6
5.1 Minimize And Sparingly Use Administrative Privileges
Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.
2.1.4 Ensure 'SECURE_REGISTER_' Is Set to 'TCPS' or 'IPC' (Scored)
Profile Applicability:
• Level 1 - Linux Host OS using Traditional Auditing
• Level 1 - Windows Server Host OS using Traditional Auditing
• Level 1 - Linux Host OS using Unified Auditing
• Level 1 - Windows Server Host OS using Unified Auditing
Description:
The SECURE_REGISTER_<listener_name> setting specifies the protocols used to connect to the TNS listener. Each setting should have a value of either TCPS or IPC based on the needs for its protocol.
Rationale:
Listener configuration changes via unencrypted remote connections can result in unauthorized users sniffing control configuration information from the network.
Audit:
To audit this recommendation, execute the following shell commands as appropriate for your Linux/Windows environment.
Linux environment:
grep -i SECURE_REGISTER $ORACLE_HOME/network/admin/listener.ora
Windows environment:
find /I "SECURE_REGISTER" %ORACLE_HOME%\network\admin\listener.ora
Ensure SECURE_REGISTER_<listener_name> is set to TCPS or IPC.
Remediation:
To remediate this recommendation:
Use a text editor such as vi to set SECURE_REGISTER_<listener_name>=TCPS or SECURE_REGISTER_<listener_name>=IPC for each listener found in $ORACLE_HOME/network/admin/listener.ora.
References:
1. http://docs.oracle.com/database/121/NETRF/listener.htm#NETRF328
2. https://support.oracle.com/epmos/faces/ui/km/DocumentDisplay.jspx?id=1453883.1
3. https://support.oracle.com/epmos/faces/ui/km/DocumentDisplay.jspx?id=1340831.1
4. http://www.joxeankoret.com/download/tnspoison.pdf
Notes:
Oracle Real Application Cluster requires a different approach to fix the TNS Poisoning problem. See Oracle support note 1453883.1 for details.
CIS Controls:
Version 6
14.2 Encrypt All Sensitive Information Over Less-trusted Networks
All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted.
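The four listener.ora checks in section 2.1 (SECURE_CONTROL_, extproc, ADMIN_RESTRICTIONS_ and SECURE_REGISTER_) can be evaluated together offline against a copy of the file. The following Python script is an added example, not part of the CIS Benchmark or of Oracle's tooling; the listener.ora it parses is constructed, and treating any top-level entry that contains an ADDRESS block as a listener definition is an assumption of the example.

```python
import re
from collections import namedtuple

# Constructed listener.ora (not from a real system). LISTENER1 follows the
# page's 2.1.1 example and is compliant; LISTENER2 fails every check.
SAMPLE_LISTENER_ORA = """
LISTENER1 =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = sales-server)(PORT = 1521))
    (ADDRESS = (PROTOCOL = IPC)(KEY = REGISTER))
    (ADDRESS = (PROTOCOL = TCPS)(HOST = sales-server)(PORT = 1522))
  )
SECURE_CONTROL_LISTENER1 = TCPS
ADMIN_RESTRICTIONS_LISTENER1 = ON
SECURE_REGISTER_LISTENER1 = (TCPS, IPC)

LISTENER2 =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = dev-server)(PORT = 1523))
  )
ADMIN_RESTRICTIONS_LISTENER2 = OFF
SECURE_REGISTER_LISTENER2 = TCP
SID_LIST_LISTENER2 =
  (SID_LIST =
    (SID_DESC = (SID_NAME = PLSExtProc)(PROGRAM = extproc))
  )
"""

ALLOWED_REGISTER = {"TCPS", "IPC"}  # values 2.1.4 accepts

# listener is the listener name, or "*" for a file-wide check; recommendation is the item number.
Finding = namedtuple("Finding", "listener recommendation passed detail")


def parse_listener_ora(text):
    """Split listener.ora into top-level NAME = VALUE entries: a value is a
    balanced parenthesised block (possibly multi-line) or a bare token up to
    end of line. Keys are upper-cased and '#' comment lines are dropped."""
    src = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    key_re = re.compile(r"\s*([A-Za-z0-9_.$]+)\s*=\s*")
    entries, pos = {}, 0
    while (m := key_re.match(src, pos)):
        key, pos = m.group(1).upper(), m.end()
        if pos < len(src) and src[pos] == "(":
            start, depth = pos, 0
            while pos < len(src):  # advance to the matching ')'
                depth += {"(": 1, ")": -1}.get(src[pos], 0)
                pos += 1
                if depth == 0:
                    break
            entries[key] = src[start:pos]
        else:
            end = src.find("\n", pos)
            end = len(src) if end == -1 else end
            entries[key] = src[pos:end].strip()
            pos = end
    return entries


def listener_names(entries):
    """Assumption of this example: a top-level entry whose value is a block
    containing an ADDRESS is a listener definition; SID_LIST_* entries and
    the SECURE_*/ADMIN_RESTRICTIONS_* parameters never match."""
    return sorted(k for k, v in entries.items()
                  if v.startswith("(") and "(ADDRESS" in re.sub(r"\s+", "", v).upper())


def audit_listener_ora(text):
    """Evaluate recommendations 2.1.1 to 2.1.4 against listener.ora text."""
    entries = parse_listener_ora(text)
    findings = []
    for name in listener_names(entries):
        # 2.1.1: a SECURE_CONTROL_<listener_name> directive must exist.
        control = entries.get(f"SECURE_CONTROL_{name}")
        findings.append(Finding(name, "2.1.1", control is not None,
                                f"SECURE_CONTROL_{name} = {control}"))
        # 2.1.3: ADMIN_RESTRICTIONS_<listener_name> must be ON; the default
        # ("not set" on the page) therefore fails.
        restrict = entries.get(f"ADMIN_RESTRICTIONS_{name}", "")
        findings.append(Finding(name, "2.1.3", restrict.upper() == "ON",
                                f"ADMIN_RESTRICTIONS_{name} = {restrict or 'not set'}"))
        # 2.1.4: every protocol in SECURE_REGISTER_<listener_name> must be
        # TCPS or IPC; a bare value and a (TCPS, IPC) list are both accepted.
        register = entries.get(f"SECURE_REGISTER_{name}", "")
        protocols = {p.upper() for p in re.findall(r"[A-Za-z]+", register)}
        findings.append(Finding(name, "2.1.4",
                                bool(protocols) and protocols <= ALLOWED_REGISTER,
                                f"SECURE_REGISTER_{name} = {register or 'not set'}"))
    # 2.1.2 is file-wide and mirrors the page's 'grep -i extproc'.
    has_extproc = "EXTPROC" in text.upper()
    findings.append(Finding("*", "2.1.2", not has_extproc,
                            "extproc present" if has_extproc else "extproc absent"))
    return findings


def failed_checks(findings):
    """Sorted (listener, recommendation) pairs that did not pass."""
    return sorted((f.listener, f.recommendation) for f in findings if not f.passed)
```

To run it against a real host, read $ORACLE_HOME/network/admin/listener.ora (or the Windows path given in 2.1.1) and pass its text to audit_listener_ora().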
2.2 Database Settings
This section defines recommendations covering the general security configuration of the database instance. The recommendations ensure auditing is enabled, listeners are appropriately confined, and authentication is appropriately configured.
Note: The remediation procedures assume the use of a server parameter file, which is often a preferred method of storing server initialization parameters.
For your environment, leaving off the SCOPE = SPFILE directive or substituting it with SCOPE = BOTH might be preferred depending on the recommendation.
2.2.1 Ensure 'AUDIT_SYS_OPERATIONS' Is Set to 'TRUE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
Description:
The AUDIT_SYS_OPERATIONS setting provides for the auditing of all user activities conducted under the SYSOPER and SYSDBA accounts. The setting should be set to TRUE to enable this auditing.
Rationale:
If the parameter AUDIT_SYS_OPERATIONS is FALSE, all statements except for Startup/Shutdown and Logon by SYSDBA/SYSOPER users are not audited.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME) = 'AUDIT_SYS_OPERATIONS';
Ensure VALUE is set to TRUE.
Remediation:
To remediate this setting, execute the following SQL statement.
ALTER SYSTEM SET AUDIT_SYS_OPERATIONS = TRUE SCOPE=SPFILE;
References:
1. http://docs.oracle.com/database/121/REFRN/GUID-58176267-238C-40B5-B1F2-BB8BB9518950.htm#REFRN10005
CIS Controls:
Version 6
5.4 Log Administrative User Addition And Removal
Configure systems to issue a log entry and alert when an account is added to or removed from a domain administrators’ group, or when a new local administrator account is added on a system.
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
2.2.2 Ensure 'AUDIT_TRAIL' Is Set to 'DB', 'XML', 'OS', 'DB,EXTENDED', or 'XML,EXTENDED' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
Description:
The audit_trail setting determines whether or not Oracle's basic audit features are enabled. It can be set to "Operating System" (OS); DB; DB,EXTENDED; XML; or XML,EXTENDED. The value should be set according to the needs of the organization.
Rationale:
Enabling the basic auditing features for the Oracle instance permits the collection of data to troubleshoot problems, as well as provides valuable forensic logs in the case of a system breach; this value should be set according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='AUDIT_TRAIL';
Ensure VALUE is set to DB or OS or XML or DB,EXTENDED or XML,EXTENDED.
Remediation:
To remediate this setting, execute one of the following SQL statements.
ALTER SYSTEM SET AUDIT_TRAIL = DB, EXTENDED SCOPE = SPFILE;
ALTER SYSTEM SET AUDIT_TRAIL = OS SCOPE = SPFILE;
ALTER SYSTEM SET AUDIT_TRAIL = XML, EXTENDED SCOPE = SPFILE;
ALTER SYSTEM SET AUDIT_TRAIL = DB SCOPE = SPFILE;
ALTER SYSTEM SET AUDIT_TRAIL = XML SCOPE = SPFILE;
References:
1. http://docs.oracle.com/database/121/REFRN/GUID-BD86F593-B606-4367-9FB6-8DAB2E47E7FA.htm#REFRN10006
2. http://www.oracle.com/technetwork/products/audit-vault/learnmore/twp-security-auditperformance-166655.pdf
CIS Controls:
Version 6
6 Maintenance, Monitoring, and Analysis of Audit Logs
2.2.3 Ensure 'GLOBAL_NAMES' Is Set to 'TRUE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The global_names setting requires that the name of a database link matches that of the remote database it will connect to. This setting should have a value of TRUE.
Rationale:
Not requiring database connections to match the domain that is being called remotely could allow unauthorized domain sources to potentially connect via brute-force tactics.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='GLOBAL_NAMES';
Ensure VALUE is set to TRUE.
Remediation:
To remediate this setting, execute the following SQL statement.
ALTER SYSTEM SET GLOBAL_NAMES = TRUE SCOPE = SPFILE;
References:
1. http://docs.oracle.com/database/121/REFRN/GUID-221D0483-D814-4963-84E1-7D39A25048ED.htm#REFRN10065
CIS Controls:
Version 6
9 Limitation and Control of Network Ports, Protocols, and Services
2.2.4 Ensure 'O7_DICTIONARY_ACCESSIBILITY' Is Set to 'FALSE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The O7_dictionary_accessibility setting is a database initialization parameter that allows/disallows access to objects with the * ANY * privileges (SELECT ANY TABLE, DELETE ANY TABLE, EXECUTE ANY PROCEDURE, etc.). This functionality was created for the ease of migration from Oracle 7 databases to later versions. The setting should have a value of FALSE.
Rationale:
Leaving the SYS schema so open to connection could permit unauthorized access to critical data structures.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='O7_DICTIONARY_ACCESSIBILITY';
Ensure VALUE is set to FALSE.
Remediation:
To remediate this setting, execute the following SQL statement.
ALTER SYSTEM SET O7_DICTIONARY_ACCESSIBILITY=FALSE SCOPE = SPFILE;
References:
1. http://docs.oracle.com/database/121/REFRN/GUID-1D1A88F1-B603-48FF-BD30-E6099DB1A1ED.htm#REFRN10133
Notes:
The value for this is "O (oh) 7" not "0 (zero) 7" for O7. Also, for "Oracle Applications" up to version 11.5.9, this setting is reversed; the O7_dictionary_accessibility=TRUE value is required for correct operations.
CIS Controls:
Version 6
9.1 Limit Open Ports, Protocols, and Services
Ensure that only ports, protocols, and services with validated business needs are running on each system.
2.2.5 Ensure 'OS_ROLES' Is Set to 'FALSE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The os_roles setting permits externally created groups to be applied to database management.
Rationale:
Allowing the OS to use external groups for database management could cause privilege overlaps and generally weaken security.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='OS_ROLES';
Ensure VALUE is set to FALSE.
Remediation:
To remediate this setting, execute the following SQL statement.
ALTER SYSTEM SET OS_ROLES = FALSE SCOPE = SPFILE;
References:
1. http://docs.oracle.com/database/121/REFRN/GUID-51CCE2D6-F841-4E02-A89D-EA08FC110CF3.htm#REFRN10153
CIS Controls:
Version 6
16 Account Monitoring and Control
2.2.6 Ensure 'REMOTE_LISTENER' Is Empty (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The remote_listener setting determines whether or not a valid listener can be established on a system separate from the database instance. This setting should be empty unless the organization specifically needs a valid listener on a separate system.
Rationale:
Permitting a remote listener for connections to the database instance can allow for the potential spoofing of connections and that could compromise data confidentiality and integrity.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='REMOTE_LISTENER';
Ensure VALUE is empty.
Remediation:
To remediate this setting, execute the following SQL statement.
ALTER SYSTEM SET REMOTE_LISTENER = '' SCOPE = SPFILE;
References:
1. http://docs.oracle.com/database/121/REFRN/GUID-FEE2E8B5-CE02-4158-A6B4-030E59316756.htm#REFRN10183
Notes:
If set as remote_listener=true, the address/address list is taken from the TNSNAMES.ORA file.
CIS Controls:
Version 6
9 Limitation and Control of Network Ports, Protocols, and Services
2.2.7 Ensure 'REMOTE_LOGIN_PASSWORDFILE' Is Set to 'NONE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The remote_login_passwordfile setting specifies whether or not Oracle checks for a password file during login and how many databases can use the password file. The setting should have a value of NONE.
Rationale:
The use of this sort of password login file could permit unsecured, privileged connections to the database.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='REMOTE_LOGIN_PASSWORDFILE';
Ensure VALUE is set to NONE.
Remediation:
To remediate this setting, execute the following SQL statement.
ALTER SYSTEM SET REMOTE_LOGIN_PASSWORDFILE = 'NONE' SCOPE = SPFILE;
References:
1. http://docs.oracle.com/database/121/REFRN/GUID-6619299E-95E8-4821-B123-3B5899F046C7.htm#REFRN10184
CIS Controls:
Version 6
16 Account Monitoring and Control
2.2.8 Ensure 'REMOTE_OS_AUTHENT' Is Set to 'FALSE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The remote_os_authent setting determines whether or not OS 'roles' with the attendant privileges are allowed for remote client connections. This setting should have a value of FALSE.
Rationale:
Permitting OS roles for database connections can allow the spoofing of connections and permit granting the privileges of an OS role to unauthorized users to make connections; this value should be restricted according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='REMOTE_OS_AUTHENT';
Ensure VALUE is set to FALSE.
Remediation:
To remediate this setting, execute the following SQL statement.
ALTER SYSTEM SET REMOTE_OS_AUTHENT = FALSE SCOPE = SPFILE;
References:
1. http://docs.oracle.com/database/121/REFRN/GUID-AB66C849-FE5A-4E06-A6E1-AEE775D55703.htm#REFRN10185
CIS Controls:
Version 6
16 Account Monitoring and Control
2.2.9 Ensure 'REMOTE_OS_ROLES' Is Set to 'FALSE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The remote_os_roles setting permits remote users' OS roles to be applied to database management. This setting should have a value of FALSE.
Rationale:
Allowing remote clients' OS roles to have permissions for database management could cause privilege overlaps and generally weaken security.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='REMOTE_OS_ROLES';
Ensure VALUE is set to FALSE.
Remediation:
To remediate this setting, execute the following SQL statement.
ALTER SYSTEM SET REMOTE_OS_ROLES = FALSE SCOPE = SPFILE;
References:
1. http://docs.oracle.com/database/121/REFRN/GUID-BAA83447-14C1-4BE7-BB5D-806ED3E00AED.htm#REFRN10186
CIS Controls:
Version 6
16 Account Monitoring and Control
2.2.10 Ensure 'UTL_FILE_DIR' Is Empty (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The utl_file_dir setting allows packages like utl_file to access (read/write/modify/delete) files specified in utl_file_dir. This setting should have an empty value.
Rationale:
Using the utl_file_dir to create directories allows the manipulation of files in these directories.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT VALUE FROM V$PARAMETER WHERE UPPER(NAME)='UTL_FILE_DIR';
Ensure VALUE is empty.
Remediation:
To remediate this setting, execute the following SQL statement.
ALTER SYSTEM SET UTL_FILE_DIR = '' SCOPE = SPFILE;
References:
1. http://docs.oracle.com/database/121/REFRN/GUID-DCA8A942-ACE1-46D6-876E-3244F390BCAE.htm#REFRN10230
CIS Controls:
Version 6
18 Application Software Security
2.2.11 Ensure 'SEC_CASE_SENSITIVE_LOGON' Is Set to 'TRUE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The SEC_CASE_SENSITIVE_LOGON information determines whether or not case-sensitivity is required for passwords during login.
Rationale:
Oracle database password case-sensitivity increases the pool of characters that can be chosen for the passwords, making brute-force password attacks quite difficult.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='SEC_CASE_SENSITIVE_LOGON';
Ensure VALUE is set to TRUE.
Remediation:
To remediate this setting, execute the following SQL statement.
ALTER SYSTEM SET SEC_CASE_SENSITIVE_LOGON = TRUE SCOPE = SPFILE;
References:
1. http://docs.oracle.com/database/121/REFRN/GUID-F464653A-0D43-4A70-8F05-0274A12C8578.htm#REFRN10299
CIS Controls:
Version 6
16 Account Monitoring and Control
2.2.12 Ensure 'SEC_MAX_FAILED_LOGIN_ATTEMPTS' Is '3' or Less (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The SEC_MAX_FAILED_LOGIN_ATTEMPTS parameter determines how many failed login attempts are allowed before Oracle closes the login connection.
Rationale:
Allowing an unlimited number of login attempts for a user connection can facilitate both brute-force login attacks and the occurrence of denial-of-service.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='SEC_MAX_FAILED_LOGIN_ATTEMPTS';
Ensure VALUE is set to 3.
Remediation:
To remediate this setting, execute the following SQL statement.
ALTER SYSTEM SET SEC_MAX_FAILED_LOGIN_ATTEMPTS = 3 SCOPE = SPFILE;
References:
1. http://docs.oracle.com/database/121/REFRN/GUID-DEC2A3B2-F49B-499E-A3CF-D097F3A5BA83.htm#REFRN10274
CIS Controls:
Version 6
16.7 Configure Account Lockouts - Use and configure account lockouts such that after a set number of failed login attempts the account is locked for a standard period of time.
2.2.13 Ensure 'SEC_PROTOCOL_ERROR_FURTHER_ACTION' Is Set to 'DROP,3' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The SEC_PROTOCOL_ERROR_FURTHER_ACTION setting determines the Oracle server's response to bad/malformed packets received from the client. This setting should have a value of DROP,3, which will cause a connection to be dropped after three bad/malformed packets.
Rationale:
Bad packets received from the client can potentially indicate packet-based attacks on the system, such as "TCP SYN Flood" or "Smurf" attacks, which could result in a denial-of-service condition; this value should be set according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='SEC_PROTOCOL_ERROR_FURTHER_ACTION';
Ensure VALUE is set to DROP,3.
Remediation:
To remediate this setting, execute the following SQL statement.
ALTER SYSTEM SET SEC_PROTOCOL_ERROR_FURTHER_ACTION = 'DROP,3' SCOPE = SPFILE;
References:
1. http://docs.oracle.com/database/121/REFRN/GUID-1E8D3C6E-C919-4218-8117-760D31BD0F95.htm#REFRN10282
CIS Controls:
Version 6
18 Application Software Security
2.2.14 Ensure 'SEC_PROTOCOL_ERROR_TRACE_ACTION' Is Set to 'LOG' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The SEC_PROTOCOL_ERROR_TRACE_ACTION setting determines the Oracle server's logging response level to bad/malformed packets received from the client by generating ALERT, LOG, or TRACE levels of detail in the log files. This setting should have a value of LOG unless the organization has a compelling reason to use a different value, because LOG should cause the necessary information to be logged. Setting the value as TRACE can generate an enormous amount of log output and should be reserved for debugging only.
Rationale:
Bad packets received from the client can potentially indicate packet-based attacks on the system, which could result in a denial-of-service condition.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='SEC_PROTOCOL_ERROR_TRACE_ACTION';
Ensure VALUE is set to LOG.
Remediation:
To remediate this setting, execute the following SQL statement.
ALTER SYSTEM SET SEC_PROTOCOL_ERROR_TRACE_ACTION=LOG SCOPE = SPFILE;
References:
1. http://docs.oracle.com/database/121/REFRN/GUID-AE811BC1-8CED-4B21-B16C-4B712B127535.htm#REFRN10283
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting - Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
2.2.15 Ensure 'SEC_RETURN_SERVER_RELEASE_BANNER' Is Set to 'FALSE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The information about patch/update release number provides information about the exact patch/update release that is currently running on the database. This is sensitive information that should not be revealed to anyone who requests it.
Rationale:
Allowing the database to return information about the patch/update release number could facilitate unauthorized users' attempts to gain access based upon known patch weaknesses.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='SEC_RETURN_SERVER_RELEASE_BANNER';
Ensure VALUE is set to FALSE.
Remediation:
To remediate this setting, execute the following SQL statement.
ALTER SYSTEM SET SEC_RETURN_SERVER_RELEASE_BANNER = FALSE SCOPE = SPFILE;
References:
1. http://docs.oracle.com/database/121/REFRN/GUID-688102A0-11F5-4F06-8868-934D65C4E878.htm#REFRN10275
CIS Controls:
Version 6
9 Limitation and Control of Network Ports, Protocols, and Services
2.2.16 Ensure 'SQL92_SECURITY' Is Set to 'TRUE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The SQL92_SECURITY parameter setting TRUE requires that a user must also be granted the SELECT object privilege before being able to perform UPDATE or DELETE operations on tables that have WHERE or SET clauses. The setting should have a value of TRUE.
Rationale:
A user without SELECT privilege can still infer the value stored in a column by referring to that column in a DELETE or UPDATE statement. This setting prevents inadvertent information disclosure by ensuring that only users who already have SELECT privilege can execute the statements that would allow them to infer the stored values.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='SQL92_SECURITY';
Ensure VALUE is set to TRUE.
Remediation:
To remediate this setting, execute the following SQL statement.
ALTER SYSTEM SET SQL92_SECURITY = TRUE SCOPE = SPFILE;
Default Value:
FALSE
References:
1. http://docs.oracle.com/database/121/REFRN/GUID-E41087C2-250E-4201-908B-79E659B22A4B.htm#REFRN10210
CIS Controls:
Version 6
18 Application Software Security
2.2.17 Ensure '_trace_files_public' Is Set to 'FALSE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The _trace_files_public setting determines whether or not the system's trace file is world readable. This setting should have a value of FALSE to restrict trace file access.
Rationale:
Making the file world readable means anyone can read the instance's trace file, which could contain sensitive information about instance operations.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT VALUE FROM V$PARAMETER WHERE NAME='_trace_files_public';
A VALUE equal to FALSE or lack of results implies compliance.
Remediation:
To remediate this setting, execute the following SQL statement.
ALTER SYSTEM SET "_trace_files_public" = FALSE SCOPE = SPFILE;
References:
1. http://asktom.oracle.com/pls/asktom/f?p=100:11:0::::P11_QUESTION_ID:4295521746131
CIS Controls:
Version 6
14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
2.2.18 Ensure 'RESOURCE_LIMIT' Is Set to 'TRUE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
RESOURCE_LIMIT determines whether resource limits are enforced in database profiles. This setting should have a value of TRUE.
Rationale:
If RESOURCE_LIMIT is set to FALSE, none of the system resource limits that are set in any database profiles are enforced. If RESOURCE_LIMIT is set to TRUE, the limits set in database profiles are enforced.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='RESOURCE_LIMIT';
Ensure VALUE is set to TRUE.
Remediation:
To remediate this setting, execute the following SQL statement.
ALTER SYSTEM SET RESOURCE_LIMIT = TRUE SCOPE = SPFILE;
Default Value:
FALSE
References:
1. http://docs.oracle.com/database/121/REFRN/GUID-BB0AB177-3867-4D0D-8700-A1AC8BDFEFC3.htm#REFRN10188
CIS Controls:
Version 6
14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
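Recommendations 2.2.8 through 2.2.18 all follow one pattern: query V$PARAMETER and compare VALUE with an expected setting. The following is an added example, not part of the CIS benchmark, that applies those comparisons to rows already fetched from V$PARAMETER, so the evaluation can be reviewed and tested without a database. It keeps the two edge cases the text calls out: UTL_FILE_DIR must be empty (2.2.10) and a missing row for the hidden parameter _trace_files_public counts as compliant (2.2.17). For SEC_MAX_FAILED_LOGIN_ATTEMPTS it follows the title of 2.2.12 ('3' or less). The sample rows are constructed, and the stripping of surrounding parentheses in normalize() is an assumption made to tolerate a '(DROP,3)' display form of SEC_PROTOCOL_ERROR_FURTHER_ACTION.

```python
"""Evaluate V$PARAMETER rows against the expected values of 2.2.8 - 2.2.18.

Added example, not part of the CIS benchmark. SAMPLE_ROWS is constructed to
look like the (NAME, VALUE) pairs a query against V$PARAMETER returns; no
database connection is made.
"""
from typing import Dict, List, Optional, Tuple

# Expected value per initialization parameter. None means "must be empty".
EXPECTED: Dict[str, Optional[str]] = {
    "remote_os_authent": "FALSE",                   # 2.2.8
    "remote_os_roles": "FALSE",                     # 2.2.9
    "utl_file_dir": None,                           # 2.2.10
    "sec_case_sensitive_logon": "TRUE",             # 2.2.11
    "sec_max_failed_login_attempts": "3",           # 2.2.12, 3 or less
    "sec_protocol_error_further_action": "DROP,3",  # 2.2.13
    "sec_protocol_error_trace_action": "LOG",       # 2.2.14
    "sec_return_server_release_banner": "FALSE",    # 2.2.15
    "sql92_security": "TRUE",                       # 2.2.16
    "_trace_files_public": "FALSE",                 # 2.2.17
    "resource_limit": "TRUE",                       # 2.2.18
}

# 2.2.17 counts "no row" as compliant: a hidden (underscore) parameter is
# only listed once it has been set. Every other parameter is expected to be
# present, so a missing row is reported instead of silently passing.
ABSENT_IS_COMPLIANT = {"_trace_files_public"}


def normalize(value: Optional[str]) -> str:
    """Mirror UPPER(VALUE) and remove blanks. Surrounding parentheses are
    stripped too (assumption: tolerate a '(DROP,3)' display form so that it
    compares equal to the benchmark's 'DROP,3')."""
    if value is None:
        return ""
    v = value.strip().upper().replace(" ", "")
    if v.startswith("(") and v.endswith(")"):
        v = v[1:-1]
    return v


def is_compliant(name: str, value: Optional[str]) -> bool:
    """Apply the rule for one parameter to the VALUE column of its row."""
    expected = EXPECTED[name]
    actual = normalize(value)
    if expected is None:                            # UTL_FILE_DIR must be empty
        return actual == ""
    if name == "sec_max_failed_login_attempts":     # title: '3' or less
        return actual.isdigit() and int(actual) <= 3
    return actual == expected


def audit_parameters(rows: List[Tuple[str, Optional[str]]]) -> List[str]:
    """Return the non-compliant parameter names (upper-cased, as the benchmark
    prints them) for a list of (NAME, VALUE) rows from V$PARAMETER."""
    present = {name.lower(): value for name, value in rows}
    findings: List[str] = []
    for name in EXPECTED:
        if name not in present:
            if name not in ABSENT_IS_COMPLIANT:
                findings.append(name.upper() + " (no row returned)")
            continue
        if not is_compliant(name, present[name]):
            findings.append(name.upper())
    return findings


# Constructed sample output of SELECT NAME, VALUE FROM V$PARAMETER;
# _trace_files_public is deliberately absent (never set, so compliant).
SAMPLE_ROWS: List[Tuple[str, Optional[str]]] = [
    ("remote_os_authent", "FALSE"),
    ("remote_os_roles", "TRUE"),                        # finding
    ("utl_file_dir", None),
    ("sec_case_sensitive_logon", "TRUE"),
    ("sec_max_failed_login_attempts", "10"),            # finding
    ("sec_protocol_error_further_action", "(DROP,3)"),
    ("sec_protocol_error_trace_action", "TRACE"),       # finding
    ("sec_return_server_release_banner", "FALSE"),
    ("sql92_security", "FALSE"),                        # finding
    ("resource_limit", "TRUE"),
]

if __name__ == "__main__":
    for finding in audit_parameters(SAMPLE_ROWS):
        print("FAIL", finding)
```

Reporting a missing row for the documented parameters, rather than treating absence as a pass, keeps a typo in the parameter name or a truncated query from producing a false clean result; only the hidden parameter of 2.2.17 gets the "no row is fine" treatment the benchmark gives it.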
3 Oracle Connection and Login Restrictions
The restrictions on Client/User connections to the Oracle database help block unauthorized access to data and services by setting access rules. These security measures help to ensure that successful logins cannot be easily made through brute-force password attacks or intuited by clever social engineering exploits. Settings are generally recommended to be applied to all defined profiles rather than by using only the DEFAULT profile. All values assigned below are the recommended minimums or maximums; higher, more restrictive values can be applied at the discretion of the organization by creating a separate profile to assign to a different user group.
3.1 Ensure 'FAILED_LOGIN_ATTEMPTS' Is Less than or Equal to '5' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The FAILED_LOGIN_ATTEMPTS setting determines how many failed login attempts are permitted before the system locks the user's account. While different profiles can have different and more restrictive settings, such as USERS and APPS, the minimum(s) recommended here should be set on the DEFAULT profile.
Rationale:
Repeated failed login attempts can indicate the initiation of a brute-force login attack; this value should be set according to the needs of the organization. (See the Notes for a warning on a known bug that can make this security measure backfire.)
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE RESOURCE_NAME='FAILED_LOGIN_ATTEMPTS' AND ( LIMIT = 'DEFAULT' OR LIMIT = 'UNLIMITED' OR LIMIT > 5 );
Lack of results implies compliance.
Remediation:
Remediate this setting by executing the following SQL statement for each PROFILE returned by the audit procedure.
ALTER PROFILE <profile_name> LIMIT FAILED_LOGIN_ATTEMPTS 5;
Notes:
Warning: One great concern with the above is the possibility of this setting being exploited to craft a DDoS attack by using the row-locking delay between failed login attempts (see Oracle Bug 7715339 – Logon failures causes "row cache lock" waits – Allow disable of logon delay [ID 7715339.8], so the configuration of this setting depends on using the bug workaround). Also, while the setting for the FAILED_LOGIN_ATTEMPTS value can also be set in sqlnet.ora, this only applies to listed users. The similar setting used to block a DDoS, the SEC_MAX_FAILED_LOGIN_ATTEMPTS initialization parameter, can be used to protect the server processes for applications from unauthorized intruders, but this setting does not protect against unauthorized attempts via valid usernames.
CIS Controls:
Version 6
16.7 Configure Account Lockouts - Use and configure account lockouts such that after a set number of failed login attempts the account is locked for a standard period of time.
3.2 Ensure 'PASSWORD_LOCK_TIME' Is Greater than or Equal to '1' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The PASSWORD_LOCK_TIME setting determines how many days must pass for the user's account to be unlocked after the set number of failed login attempts has occurred. The suggested value for this is one day or greater.
Rationale:
Locking the user account after repeated failed login attempts can block further brute-force login attacks, but can create administrative headaches as this account unlocking process always requires DBA intervention.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE RESOURCE_NAME='PASSWORD_LOCK_TIME' AND ( LIMIT = 'DEFAULT' OR LIMIT = 'UNLIMITED' OR LIMIT < 1 );
Lack of results implies compliance.
Remediation:
Remediate this setting by executing the following SQL statement for each PROFILE returned by the audit procedure.
ALTER PROFILE <profile_name> LIMIT PASSWORD_LOCK_TIME 1;
CIS Controls:
Version 6
16.7 Configure Account Lockouts - Use and configure account lockouts such that after a set number of failed login attempts the account is locked for a standard period of time.
3.3 Ensure 'PASSWORD_LIFE_TIME' Is Less than or Equal to '90' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The PASSWORD_LIFE_TIME setting determines how long a password may be used before the user is required to change it. The suggested value for this is 90 days or less.
Rationale:
Allowing passwords to remain unchanged for long periods makes the success of brute-force login attacks more likely.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE RESOURCE_NAME='PASSWORD_LIFE_TIME' AND ( LIMIT = 'DEFAULT' OR LIMIT = 'UNLIMITED' OR LIMIT > 90 );
Lack of results implies compliance.
Remediation:
Remediate this setting by executing the following SQL statement for each PROFILE returned by the audit procedure.
ALTER PROFILE <profile_name> LIMIT PASSWORD_LIFE_TIME 90;
CIS Controls:
Version 6
16 Account Monitoring and Control
3.4 Ensure 'PASSWORD_REUSE_MAX' Is Greater than or Equal to '20' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The PASSWORD_REUSE_MAX setting determines how many different passwords must be used before the user is allowed to reuse a prior password. The suggested value for this is 20 passwords or greater.
Rationale:
Allowing reuse of a password within a short period of time after the password's initial use can make the success of both social-engineering and brute-force password-based attacks more likely.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE RESOURCE_NAME='PASSWORD_REUSE_MAX' AND ( LIMIT = 'DEFAULT' OR LIMIT = 'UNLIMITED' OR LIMIT < 20 );
Lack of results implies compliance.
Remediation:
Remediate this setting by executing the following SQL statement for each PROFILE returned by the audit procedure.
ALTER PROFILE <profile_name> LIMIT PASSWORD_REUSE_MAX 20;
Notes:
The above restriction should be applied along with the PASSWORD_REUSE_TIME setting.
CIS Controls:
Version 6
16 Account Monitoring and Control
3.5 Ensure 'PASSWORD_REUSE_TIME' Is Greater than or Equal to '365' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The PASSWORD_REUSE_TIME setting determines the amount of time in days that must pass before the same password may be reused. The suggested value for this is 365 days or greater.
Rationale:
Reusing the same password after only a short period of time has passed makes the success of brute-force login attacks more likely.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE RESOURCE_NAME='PASSWORD_REUSE_TIME' AND ( LIMIT = 'DEFAULT' OR LIMIT = 'UNLIMITED' OR LIMIT < 365 );
Lack of results implies compliance.
Remediation:
Remediate this setting by executing the following SQL statement for each PROFILE returned by the audit procedure.
ALTER PROFILE <profile_name> LIMIT PASSWORD_REUSE_TIME 365;
Notes:
The above restriction should be applied along with the PASSWORD_REUSE_MAX setting.
CIS Controls:
Version 6
16 Account Monitoring and Control
3.6 Ensure 'PASSWORD_GRACE_TIME' Is Less than or Equal to '5' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The PASSWORD_GRACE_TIME setting determines how many days can pass after the user's password expires before the user's login capability is automatically locked out. The suggested value for this is five days or less.
Rationale:
Locking the user account after the expiration of the password change requirement's grace period can help prevent password-based attacks against any forgotten or disused accounts, while still allowing the account and its information to be accessible by DBA intervention.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE RESOURCE_NAME='PASSWORD_GRACE_TIME' AND ( LIMIT = 'DEFAULT' OR LIMIT = 'UNLIMITED' OR LIMIT > 5 );
Lack of results implies compliance.
Remediation:
Remediate this setting by executing the following SQL statement for each PROFILE returned by the audit procedure.
ALTER PROFILE <profile_name> LIMIT PASSWORD_GRACE_TIME 5;
CIS Controls:
Version 6
16 Account Monitoring and Control
3.7 Ensure 'DBA_USERS.PASSWORD' Is Not Set to 'EXTERNAL' for Any User (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The password='EXTERNAL' setting determines whether or not a user can be authenticated by a remote OS to allow access to the database with full authorization. This setting should not be used.
Rationale:
Allowing remote OS authentication of a user to the database can potentially allow supposed "privileged users" to connect as "authenticated," even when the remote system is compromised.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT USERNAME FROM DBA_USERS WHERE PASSWORD='EXTERNAL';
Lack of results implies compliance.
Remediation:
To remediate this setting, execute the following SQL statement.
ALTER USER <username> IDENTIFIED BY <password>;
Notes:
The PASSWORD keyword (column) used in the SQL for prior Oracle versions has been deprecated from version 11.2 onward in favor of the new AUTHENTICATION_TYPE keyword (column) for the DBA_USERS table. However, the PASSWORD column has still been retained for backward compatibility.
CIS Controls:
Version 6
16 Account Monitoring and Control
3.8 Ensure 'PASSWORD_VERIFY_FUNCTION' Is Set for All Profiles (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The PASSWORD_VERIFY_FUNCTION determines password settings requirements when a user password is changed at the SQL command prompt. It should be set for all profiles. Note that this setting does not apply for users managed by the Oracle password file.
Rationale:
Requiring users to apply the 12c security features in password creation, such as forcing mixed-case complexity, blocking of simple combinations, and enforcing change/history settings, can potentially thwart logins by an unauthorized user.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PROFILE, RESOURCE_NAME FROM DBA_PROFILES WHERE RESOURCE_NAME='PASSWORD_VERIFY_FUNCTION' AND (LIMIT = 'DEFAULT' OR LIMIT = 'NULL');
Lack of results implies compliance.
Remediation:
Create a custom password verification function which fulfills the password requirements of the organization.
CIS Controls:
Version 6
16 Account Monitoring and Control
3.9 Ensure 'SESSIONS_PER_USER' Is Less than or Equal to '10' (Scored)
ProfileApplicability:
• Level1-RDBMSusingTraditionalAuditing• Level1-RDBMSusingUnifiedAuditing
Description:
TheSESSIONS_PER_USERsettingdeterminesthemaximumnumberofusersessionsthatareallowedtobeopenconcurrently.Thesuggestedvalueforthisis10orless.
Rationale:
LimitingthenumberoftheSESSIONS_PER_USERcanhelppreventmemoryresourceexhaustionbypoorlyformedrequestsorintentionaldenial-of-serviceattacks.
Audit:
Toassessthisrecommendation,executethefollowingSQLstatement.
SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE RESOURCE_NAME='SESSIONS_PER_USER' AND ( LIMIT = 'DEFAULT' OR LIMIT = 'UNLIMITED' OR LIMIT > 10 );
Lackofresultsimpliescompliance.
Remediation:
Toremediatethissetting,executethefollowingSQLstatementforeachPROFILEreturnedbytheauditprocedure.
ALTER PROFILE <profile_name> LIMIT SESSIONS_PER_USER 10;
Notes:
TheSESSIONS_PER_USERprofilemanagementcapabilitywascreatedtopreventresource(s)exhaustionatatimewhenresourceusagewasveryexpensive.Ascurrentdatabasedesignmayrequiremuchhigherlimitsonthisparameterifone"user"handlesallprocessingforspecifictypesofbatch/customerconnections,thismustbehandledviaanewuserprofile.
CIS Controls:
Version 6
18 Application Software Security
3.10 Ensure No Users Are Assigned the 'DEFAULT' Profile (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
Upon creation, database users are assigned to the DEFAULT profile unless otherwise specified. No users should be assigned to that profile.
Rationale:
Users should be created with function-appropriate profiles. The DEFAULT profile, being defined by Oracle, is subject to change at any time (e.g. by patch or version update). The DEFAULT profile has unlimited settings that are often required by the SYS user when patching; such unlimited settings should be tightly reserved and not applied to unnecessary users.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT USERNAME FROM DBA_USERS WHERE PROFILE='DEFAULT' AND ACCOUNT_STATUS='OPEN' AND USERNAME NOT IN ('ANONYMOUS', 'CTXSYS', 'DBSNMP', 'EXFSYS', 'LBACSYS', 'MDSYS', 'MGMT_VIEW','OLAPSYS','OWBSYS', 'ORDPLUGINS', 'ORDSYS', 'OUTLN', 'SI_INFORMTN_SCHEMA','SYS', 'SYSMAN', 'SYSTEM', 'TSMSYS', 'WK_TEST', 'WKSYS', 'WKPROXY', 'WMSYS', 'XDB', 'CISSCAN');
Lack of results implies compliance.
Remediation:
To remediate this recommendation, execute the following SQL statement for each user returned by the audit query, using a function-appropriate profile.
ALTER USER <username> PROFILE <appropriate_profile>;
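A worked example of the profile approach that 3.9 and 3.10 describe, added here and not part of the benchmark text: a bounded profile for ordinary application accounts, a separate profile with a documented higher SESSIONS_PER_USER for the connection-pool/batch case noted in 3.9, and a loop that moves every account the 3.10 audit returns off DEFAULT. The profile names APP_PROFILE and BATCH_PROFILE, the batch limit of 40, the account names ETL_LOADER and REPORT_POOL, and the use of Oracle's ORA12C_VERIFY_FUNCTION (installed by $ORACLE_HOME/rdbms/admin/utlpwdmg.sql) are assumptions for illustration. Run as a DBA in the database or PDB being hardened.

```sql
-- Added example, not text from the CIS benchmark. Profile names, the batch
-- limit of 40, and the account names ETL_LOADER / REPORT_POOL are assumed.
-- ORA12C_VERIFY_FUNCTION is assumed to be installed (utlpwdmg.sql).

-- 3.9: keep DEFAULT itself within the benchmark value, so an account that
-- slips through provisioning is still bounded.
ALTER PROFILE DEFAULT LIMIT SESSIONS_PER_USER 10;

-- Interactive and ordinary application accounts: the benchmark limit.
CREATE PROFILE app_profile LIMIT
  SESSIONS_PER_USER         10
  FAILED_LOGIN_ATTEMPTS     5
  PASSWORD_LOCK_TIME        1
  PASSWORD_LIFE_TIME        90
  PASSWORD_REUSE_MAX        20
  PASSWORD_GRACE_TIME       5
  PASSWORD_VERIFY_FUNCTION  ora12c_verify_function;

-- Connection-pool / batch accounts, per the 3.9 note: a documented higher
-- limit in its own profile instead of UNLIMITED on a shared one.
CREATE PROFILE batch_profile LIMIT
  SESSIONS_PER_USER         40
  FAILED_LOGIN_ATTEMPTS     5
  PASSWORD_LOCK_TIME        1
  PASSWORD_LIFE_TIME        90
  PASSWORD_REUSE_MAX        20
  PASSWORD_GRACE_TIME       5
  PASSWORD_VERIFY_FUNCTION  ora12c_verify_function;

-- 3.10: move every account the audit query returns off DEFAULT. The
-- exclusion list is the benchmark's own; accounts in v_batch (assumed
-- names) get BATCH_PROFILE, everything else APP_PROFILE.
DECLARE
  TYPE name_list IS TABLE OF VARCHAR2(128);
  v_batch   name_list := name_list('ETL_LOADER', 'REPORT_POOL');
  v_profile VARCHAR2(128);
BEGIN
  FOR u IN (
    SELECT username FROM dba_users
     WHERE profile = 'DEFAULT' AND account_status = 'OPEN'
       AND username NOT IN ('ANONYMOUS','CTXSYS','DBSNMP','EXFSYS','LBACSYS',
         'MDSYS','MGMT_VIEW','OLAPSYS','OWBSYS','ORDPLUGINS','ORDSYS','OUTLN',
         'SI_INFORMTN_SCHEMA','SYS','SYSMAN','SYSTEM','TSMSYS','WK_TEST',
         'WKSYS','WKPROXY','WMSYS','XDB','CISSCAN')
  ) LOOP
    v_profile := CASE WHEN u.username MEMBER OF v_batch
                      THEN 'BATCH_PROFILE' ELSE 'APP_PROFILE' END;
    -- Quote the name: DBA_USERS stores it in its exact case.
    EXECUTE IMMEDIATE 'ALTER USER "' || u.username || '" PROFILE ' || v_profile;
  END LOOP;
END;
/

-- Verification: the SESSIONS_PER_USER limit of every profile (3.9) together
-- with how many accounts use it; the DEFAULT row should show 0 open,
-- non-excluded users after the loop above (3.10).
SELECT p.profile, p.limit,
       (SELECT COUNT(*) FROM dba_users u WHERE u.profile = p.profile) AS users
  FROM dba_profiles p
 WHERE p.resource_name = 'SESSIONS_PER_USER'
 ORDER BY p.profile;
```

Re-running the 3.9 and 3.10 audit queries after this script should return no rows; the only profile allowed above 10 is BATCH_PROFILE, whose limit is a recorded, deliberate exception rather than an UNLIMITED default.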
CIS Controls:
Version 6
16 Account Monitoring and Control
4 Oracle User Access and Authorization Restrictions
The capability to use database resources at a given level, or user authorization rules, allows for user manipulation of the various parts of the Oracle database. These authorizations must be structured to block unauthorized use and/or corruption of vital data and services by setting restrictions on user capabilities, particularly those of the user PUBLIC. Such security measures help to ensure successful logins cannot be easily redirected.
IMPORTANT: Use caution when revoking privileges from PUBLIC. Oracle and third-party products explicitly require default grants to PUBLIC for commonly used functions, objects, and in view definitions. After revoking any privilege from PUBLIC, verify that applications keep running properly and recompile invalid database objects. Specific grants to users and roles may be needed to make all objects valid. Please see the following Oracle support document, which provides further information and SQL statements that can be used to determine dependencies that require explicit grants: Be Cautious When Revoking Privileges Granted to PUBLIC (Doc ID 247093.1). Always test database changes in development and test environments before making changes to production databases.
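The check-revoke-recompile-verify cycle that the note above calls for, as an added example that is not text from the CIS benchmark. It covers the SYS-owned packages of items 4.1.1 through 4.1.19 in one pass: it reports, per package, the objects in non-Oracle schemas that reference it without their owner holding a direct EXECUTE grant (the objects that will go INVALID), performs the revokes, recompiles, and re-runs the section's audit. It is written for SQL*Plus connected as SYS AS SYSDBA (UTL_RECOMP requires SYSDBA) to the database or PDB being hardened. SECADMIN is an assumed DBA tooling schema and SECADMIN.SECHARD_PUBLIC_REVOKES an assumed tracking table; neither is an Oracle-supplied object. The first run is a dry run that only reports.

```sql
-- Added example, not text from the CIS benchmark. Runs in SQL*Plus as SYS AS
-- SYSDBA in the database (or PDB) being hardened. SECADMIN is an assumed DBA
-- tooling schema and SECADMIN.SECHARD_PUBLIC_REVOKES an assumed tracking
-- table; neither is an Oracle-supplied object.
SET SERVEROUTPUT ON SIZE UNLIMITED

CREATE TABLE secadmin.sechard_public_revokes (
  package_name VARCHAR2(128) PRIMARY KEY,
  status       VARCHAR2(20)  DEFAULT 'PENDING' NOT NULL,
  changed_at   TIMESTAMP,
  changed_by   VARCHAR2(128)
);

-- Targets: the SYS-owned packages of items 4.1.1 through 4.1.19.
INSERT INTO secadmin.sechard_public_revokes (package_name)
SELECT column_value FROM TABLE(sys.odcivarchar2list(
  'DBMS_ADVISOR','DBMS_CRYPTO','DBMS_JAVA','DBMS_JAVA_TEST','DBMS_JOB',
  'DBMS_LDAP','DBMS_LOB','DBMS_OBFUSCATION_TOOLKIT','DBMS_RANDOM',
  'DBMS_SCHEDULER','DBMS_SQL','DBMS_XMLGEN','DBMS_XMLQUERY','UTL_FILE',
  'UTL_INADDR','UTL_TCP','UTL_MAIL','UTL_SMTP','UTL_DBWS'));
COMMIT;

DECLARE
  v_dry_run CONSTANT BOOLEAN := TRUE;  -- report only; set FALSE to revoke
  v_cnt     PLS_INTEGER;
BEGIN
  FOR t IN (SELECT package_name FROM secadmin.sechard_public_revokes
             WHERE status = 'PENDING' ORDER BY package_name) LOOP
    -- Step 1: the item's audit condition. Also covers a package that is
    -- simply not installed (e.g. UTL_DBWS): no grant row, nothing to do.
    SELECT COUNT(*) INTO v_cnt
      FROM dba_tab_privs
     WHERE grantee = 'PUBLIC' AND privilege = 'EXECUTE'
       AND owner = 'SYS' AND table_name = t.package_name;
    IF v_cnt = 0 THEN
      UPDATE secadmin.sechard_public_revokes
         SET status = 'NO_GRANT', changed_at = SYSTIMESTAMP
       WHERE package_name = t.package_name;
      CONTINUE;
    END IF;

    -- Step 2: objects in non-Oracle schemas that reference the package while
    -- their owner holds no direct EXECUTE grant. They go INVALID after the
    -- revoke and need an explicit GRANT to the owner (Doc ID 247093.1).
    FOR d IN (
      SELECT dp.owner, dp.name, dp.type
        FROM dba_dependencies dp
       WHERE dp.referenced_owner = 'SYS'
         AND dp.referenced_name  = t.package_name
         AND dp.referenced_type  = 'PACKAGE'
         AND dp.owner NOT IN (SELECT username FROM dba_users
                               WHERE oracle_maintained = 'Y')
         AND NOT EXISTS (SELECT 1 FROM dba_tab_privs tp
                          WHERE tp.owner = 'SYS'
                            AND tp.table_name = t.package_name
                            AND tp.privilege = 'EXECUTE'
                            AND tp.grantee = dp.owner)) LOOP
      DBMS_OUTPUT.PUT_LINE(t.package_name || ': needs direct grant -> '
                           || d.owner || '.' || d.name || ' (' || d.type || ')');
    END LOOP;

    -- Step 3: revoke, and record who changed what and when.
    IF NOT v_dry_run THEN
      EXECUTE IMMEDIATE 'REVOKE EXECUTE ON SYS.' || t.package_name
                        || ' FROM PUBLIC';
      UPDATE secadmin.sechard_public_revokes
         SET status = 'REVOKED', changed_at = SYSTIMESTAMP,
             changed_by = SYS_CONTEXT('USERENV', 'SESSION_USER')
       WHERE package_name = t.package_name;
    END IF;
  END LOOP;
  COMMIT;
END;
/

-- Step 4 (after a real run): recompile what the revokes invalidated, then
-- list what is still INVALID outside Oracle-maintained schemas. Fix each
-- with a targeted GRANT EXECUTE to its owner, never by re-granting to PUBLIC.
EXEC UTL_RECOMP.RECOMP_SERIAL();
SELECT o.owner, o.object_name, o.object_type
  FROM dba_objects o JOIN dba_users u ON u.username = o.owner
 WHERE o.status = 'INVALID' AND u.oracle_maintained = 'N'
 ORDER BY o.owner, o.object_name;

-- Step 5: the section's audit across the whole list; no rows = compliant.
SELECT p.table_name
  FROM dba_tab_privs p
  JOIN secadmin.sechard_public_revokes r ON r.package_name = p.table_name
 WHERE p.grantee = 'PUBLIC' AND p.privilege = 'EXECUTE' AND p.owner = 'SYS';
```

Run the block once with v_dry_run left at TRUE, grant EXECUTE directly to each owner the Step 2 report names, then run it again with v_dry_run set to FALSE; the tracking table then records the change date and the session user for each revoke, which is the evidence an auditor asks for alongside the empty Step 5 result.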
4.1 Default Public Privileges for Packages and Object Types
This section contains recommendations that revoke default public execute privileges from powerful packages and object types.
4.1.1 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_ADVISOR' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database DBMS_ADVISOR package can be used to write files located on the server where the Oracle instance is installed. The user PUBLIC should not be able to execute DBMS_ADVISOR.
Rationale:
Use of the DBMS_ADVISOR package could allow an unauthorized user to corrupt operating system files on the instance's host.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_ADVISOR';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_ADVISOR FROM PUBLIC;
References:
1. http://docs.oracle.com/database/121/ARPLS/d_advis.htm#ARPLS350
CIS Controls:
Version 6
5.1 Minimize And Sparingly Use Administrative Privileges
Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.
4.1.2 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_CRYPTO' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The DBMS_CRYPTO package provides a toolset for encrypting and decrypting application data, with the algorithm and key length chosen by the caller, and is part of the SYS schema. DES (56-bit key), 3DES (168-bit key), 3DES-2KEY (112-bit key), AES (128/192/256-bit keys), and RC4 are available. The user PUBLIC should not be able to execute DBMS_CRYPTO.
Rationale:
Execution of these cryptographic procedures by the user PUBLIC is rarely needed and can potentially endanger portions of, or all of, the data storage (for example, by encrypting data under a key the organization does not control).
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_CRYPTO';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_CRYPTO FROM PUBLIC;
References:
1. http://docs.oracle.com/database/121/ARPLS/d_crypto.htm#ARPLS664
CIS Controls:
Version 6
5.1 Minimize And Sparingly Use Administrative Privileges
Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.
4.1.3 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_JAVA' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database DBMS_JAVA package can run Java classes (e.g. OS commands) or grant Java privileges. The user PUBLIC should not be able to execute DBMS_JAVA.
Rationale:
The DBMS_JAVA package could allow an attacker to run OS commands from the database.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_JAVA';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_JAVA FROM PUBLIC;
References:
1. http://docs.oracle.com/database/121/JJDEV/appendixa.htm#JJDEV13000
CIS Controls:
Version 6
18.9 Sanitize Deployed Software Of Development Artifacts
For in-house developed applications, ensure that development artifacts (sample data and scripts; unused libraries, components, debug code; or tools) are not included in the deployed software, or accessible in the production environment.
4.1.4 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_JAVA_TEST' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database DBMS_JAVA_TEST package can run Java classes (e.g. OS commands) or grant Java privileges. The user PUBLIC should not be able to execute DBMS_JAVA_TEST.
Rationale:
The DBMS_JAVA_TEST package could allow an attacker to run operating system commands from the database.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_JAVA_TEST';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_JAVA_TEST FROM PUBLIC;
Notes:
DBMS_JAVA_TEST is an undocumented PL/SQL package, but the public grant should be revoked.
CIS Controls:
Version 6
18.9 Sanitize Deployed Software Of Development Artifacts
For in-house developed applications, ensure that development artifacts (sample data and scripts; unused libraries, components, debug code; or tools) are not included in the deployed software, or accessible in the production environment.
4.1.5 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_JOB' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database DBMS_JOB package schedules and manages the jobs sent to the job queue and has been superseded by the DBMS_SCHEDULER package, even though DBMS_JOB has been retained for backwards compatibility. The user PUBLIC should not be able to execute DBMS_JOB.
Rationale:
Use of the DBMS_JOB package could allow an unauthorized user to disable or overload the job queue. It has been superseded by the DBMS_SCHEDULER package.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_JOB';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_JOB FROM PUBLIC;
References:
1. http://docs.oracle.com/database/121/ARPLS/d_job.htm#ARPLS019
CIS Controls:
Version 6
5.1 Minimize And Sparingly Use Administrative Privileges
Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.
4.1.6 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_LDAP' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database DBMS_LDAP package contains functions and procedures that enable programmers to access data from LDAP servers. The user PUBLIC should not be able to execute DBMS_LDAP.
Rationale:
The DBMS_LDAP package can be used to open network connections from the database server to arbitrary LDAP servers, which allows an attacker to send information to the outside (for example, as an out-of-band channel in a SQL injection attack).
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_LDAP';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_LDAP FROM PUBLIC;
References:
1. http://docs.oracle.com/database/121/ARPLS/d_ldap.htm#ARPLS360
CIS Controls:
Version 6
18 Application Software Security
4.1.7 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_LOB' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database DBMS_LOB package provides subprograms that can manipulate and read/write BLOBs, CLOBs, NCLOBs, BFILEs, and temporary LOBs. The user PUBLIC should not be able to execute DBMS_LOB.
Rationale:
Use of the DBMS_LOB package could allow an unauthorized user to manipulate BLOBs, CLOBs, NCLOBs, BFILEs, and temporary LOBs on the instance, either destroying data or causing a denial-of-service condition due to corruption of disk space.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_LOB';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_LOB FROM PUBLIC;
References:
1. http://docs.oracle.com/database/121/ARPLS/d_lob.htm#ARPLS600
CIS Controls:
Version 6
18 Application Software Security
4.1.8 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_OBFUSCATION_TOOLKIT' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The DBMS_OBFUSCATION_TOOLKIT package is an older encryption toolkit for application data and is part of the SYS schema. DES (56-bit key) and 3DES (168-bit key) are the only two algorithms available; both are weak by current standards, and the package has been deprecated in favor of DBMS_CRYPTO. The user PUBLIC should not be able to execute DBMS_OBFUSCATION_TOOLKIT.
Rationale:
Allowing the PUBLIC user privileges to access this capability can potentially harm data storage.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_OBFUSCATION_TOOLKIT';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_OBFUSCATION_TOOLKIT FROM PUBLIC;
CIS Controls:
Version 6
5.1 Minimize And Sparingly Use Administrative Privileges
Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.
4.1.9 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_RANDOM' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database DBMS_RANDOM package is used for generating random numbers but should not be used for cryptographic purposes. The user PUBLIC should not be able to execute DBMS_RANDOM.
Rationale:
Use of the DBMS_RANDOM package can allow the unauthorized application of the random number-generating function.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_RANDOM';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_RANDOM FROM PUBLIC;
References:
1. http://docs.oracle.com/cd/E11882_01/appdev.112/e25788/d_random.htm
Notes:
Oracle (the vendor) cautions that removing this grant from PUBLIC may break certain applications; identify dependent objects and grant EXECUTE directly to their owners before revoking.
CIS Controls:
Version 6
18 Application Software Security
4.1.10 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_SCHEDULER' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database DBMS_SCHEDULER package schedules and manages database and operating system jobs. The user PUBLIC should not be able to execute DBMS_SCHEDULER.
Rationale:
Use of the DBMS_SCHEDULER package could allow an unauthorized user to run database or operating system jobs.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_SCHEDULER';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_SCHEDULER FROM PUBLIC;
References:
1. http://docs.oracle.com/database/121/ARPLS/d_sched.htm#ARPLS72235
CIS Controls:
Version 6
5.1 Minimize And Sparingly Use Administrative Privileges
Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.
4.1.11 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_SQL' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database DBMS_SQL package is used for running dynamic SQL statements. The user PUBLIC should not be able to execute DBMS_SQL.
Rationale:
The DBMS_SQL package could allow privilege escalation if input validation is not done properly.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_SQL';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_SQL FROM PUBLIC;
References:
1. http://docs.oracle.com/database/121/ARPLS/d_sql.htm#ARPLS058
CIS Controls:
Version 6
18 Application Software Security
4.1.12 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_XMLGEN' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The DBMS_XMLGEN package takes an arbitrary SQL query as input, converts it to XML format, and returns the result as a CLOB. The user PUBLIC should not be able to execute DBMS_XMLGEN.
Rationale:
The package DBMS_XMLGEN can be used to search the entire database for sensitive information like credit card numbers.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_XMLGEN';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_XMLGEN FROM PUBLIC;
References:
1. http://docs.oracle.com/database/121/ARPLS/d_xmlgen.htm#ARPLS374
2. http://www.red-database-security.com/wp/confidence2009.pdf
CIS Controls:
Version 6
13 Data Protection
4.1.13 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_XMLQUERY' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle package DBMS_XMLQUERY takes an arbitrary SQL query, converts it to XML format, and returns the result. This package is similar to DBMS_XMLGEN. The user PUBLIC should not be able to execute DBMS_XMLQUERY.
Rationale:
The package DBMS_XMLQUERY can be used to search the entire database for sensitive information like credit card numbers. Malicious users may be able to exploit this package as an auxiliary inject function in a SQL injection attack.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_XMLQUERY';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_XMLQUERY FROM PUBLIC;
References:
1. http://docs.oracle.com/database/121/ARPLS/d_xmlque.htm#ARPLS376
CIS Controls:
Version 6
13 Data Protection
4.1.14 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_FILE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database UTL_FILE package can be used to read/write files located on the server where the Oracle instance is installed. The user PUBLIC should not be able to execute UTL_FILE.
Rationale:
Use of the UTL_FILE package could allow a user to read OS files. These files could contain sensitive information (e.g. passwords in .bash_history).
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='UTL_FILE';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON UTL_FILE FROM PUBLIC;
References:
1. http://docs.oracle.com/database/121/ARPLS/u_file.htm#ARPLS069
CIS Controls:
Version 6
14 Controlled Access Based on the Need to Know
4.1.15 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_INADDR' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database UTL_INADDR package can be used to create specially crafted error messages or send information via DNS to the outside. The user PUBLIC should not be able to execute UTL_INADDR.
Rationale:
The UTL_INADDR package is often used in SQL injection attacks from the web; it should be revoked from PUBLIC.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='UTL_INADDR';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON UTL_INADDR FROM PUBLIC;
References:
1. http://docs.oracle.com/database/121/ARPLS/u_inaddr.htm#ARPLS071
CIS Controls:
Version 6
18 Application Software Security
4.1.16 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_TCP' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database UTL_TCP package can be used to read from and write to TCP sockets from the server where the Oracle instance is installed. The user PUBLIC should not be able to execute UTL_TCP.
Rationale:
The UTL_TCP package could allow an unauthorized user to open arbitrary outbound TCP connections from the database server, for example to exfiltrate data or to interfere with the protocols used for the instance's external communications.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='UTL_TCP';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON UTL_TCP FROM PUBLIC;
References:
1. http://docs.oracle.com/database/121/ARPLS/u_tcp.htm#ARPLS075
CIS Controls:
Version 6
18 Application Software Security
4.1.17 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_MAIL' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database UTL_MAIL package can be used to send email from the server where the Oracle instance is installed. The user PUBLIC should not be able to execute UTL_MAIL.
Rationale:
The UTL_MAIL package could allow an unauthorized user to misuse the SMTP function to generate junk mail, which can result in a denial-of-service condition due to network saturation.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='UTL_MAIL';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON UTL_MAIL FROM PUBLIC;
References:
1. http://docs.oracle.com/database/121/ARPLS/u_mail.htm#ARPLS384
CIS Controls:
Version 6
18 Application Software Security
4.1.18 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_SMTP' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database UTL_SMTP package can be used to send email from the server where the Oracle instance is installed. The user PUBLIC should not be able to execute UTL_SMTP.
Rationale:
The UTL_SMTP package could allow an unauthorized user to misuse the SMTP function to generate junk mail, which can result in a denial-of-service condition due to network saturation.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='UTL_SMTP';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON UTL_SMTP FROM PUBLIC;
References:
1. http://docs.oracle.com/database/121/ARPLS/u_smtp.htm#ARPLS074
![Page 110: CIS Oracle Database 12c Benchmark v2.1.0 › Security › CIS › CIS_Oracle_Database_12c... · 4 | Page 4.1.4 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_JAVA_TEST' (Scored).....](https://reader036.fdocuments.in/reader036/viewer/2022070817/5f11d6b8c9f393730f5346cd/html5/thumbnails/110.jpg)
109|P a g e
CISControls:
Version6
18ApplicationSoftwareSecurityApplicationSoftwareSecurity
![Page 111: CIS Oracle Database 12c Benchmark v2.1.0 › Security › CIS › CIS_Oracle_Database_12c... · 4 | Page 4.1.4 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_JAVA_TEST' (Scored).....](https://reader036.fdocuments.in/reader036/viewer/2022070817/5f11d6b8c9f393730f5346cd/html5/thumbnails/111.jpg)
110|P a g e
4.1.19 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_DBWS' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database UTL_DBWS package is a client for calling web services over HTTP from the server where the Oracle instance is installed. This package is not installed automatically, for security reasons. The user PUBLIC should not be able to execute UTL_DBWS.
Rationale:
The UTL_DBWS package could allow an unauthorized user to make outbound web-service calls from the database server, or to tamper with the HTTP stream that carries the instance's web-based external communications.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='UTL_DBWS';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement. (PUBLIC is a grantee name, not a string literal, so it must not be quoted.)
REVOKE EXECUTE ON UTL_DBWS FROM PUBLIC;
References:
1. https://docs.oracle.com/database/121/JJPUB/intro.htm#BHCIBFGJ
CIS Controls:
Version 6
18 Application Software Security
4.1.20 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_ORAMTS' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database UTL_ORAMTS package can be used to perform HTTP requests, which could be used to send information outside the database. The user PUBLIC should not be able to execute UTL_ORAMTS.
Rationale:
The UTL_ORAMTS package could be used to send (sensitive) information to external web sites. Use of this package should be restricted according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='UTL_ORAMTS';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON UTL_ORAMTS FROM PUBLIC;
References:
1. http://docs.oracle.com/database/121/NTMTS/recovery.htm#sthref73
CIS Controls:
Version 6
18 Application Software Security
4.1.21 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_HTTP' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database UTL_HTTP package can be used to perform HTTP requests, which could be used to send information outside the database. The user PUBLIC should not be able to execute UTL_HTTP.
Rationale:
The UTL_HTTP package could be used to send (sensitive) information to external web sites. Use of this package should be restricted according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='UTL_HTTP';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON UTL_HTTP FROM PUBLIC;
References:
1. http://docs.oracle.com/database/121/ARPLS/u_http.htm#ARPLS070
CIS Controls:
Version 6
18 Application Software Security
4.1.22 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'HTTPURITYPE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database HTTPURITYPE object type can be used to perform HTTP requests. The user PUBLIC should not be able to execute HTTPURITYPE.
Rationale:
The ability to perform HTTP requests could be used to leak information from the database to an external destination.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='HTTPURITYPE';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON HTTPURITYPE FROM PUBLIC;
References:
1. http://docs.oracle.com/database/121/ARPLS/t_dburi.htm#ARPLS71705
CIS Controls:
Version 6
18 Application Software Security
4.1.23 Ensure 'EXECUTE' is revoked from 'PUBLIC' on 'DBMS_XMLSTORE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The DBMS_XMLSTORE package provides XML functionality. It accepts a table name and XML as input to perform DML operations against the table. The user PUBLIC should not be able to execute DBMS_XMLSTORE.
Rationale:
Because the package builds and executes DML from the table name and XML it is given, malicious users may be able to exploit it as an auxiliary injection function in a SQL injection attack.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT GRANTEE FROM DBA_TAB_PRIVS WHERE TABLE_NAME = 'DBMS_XMLSTORE' AND GRANTEE = 'PUBLIC' AND PRIVILEGE = 'EXECUTE';
Lack of results implies compliance.
Remediation:
To remediate this setting, execute the following SQL statement:
REVOKE EXECUTE ON DBMS_XMLSTORE FROM PUBLIC;
References:
1. http://www.davidlitchfield.com/DBMS_XMLSTORE_PLSQL_Injection.pdf
CIS Controls:
Version 6
18.3 Sanitize Input For In-house Software: For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.
4.1.24 Ensure 'EXECUTE' is revoked from 'PUBLIC' on 'DBMS_XMLSAVE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The DBMS_XMLSAVE package provides XML functionality. It accepts a table name and XML as input and then inserts into or updates that table. The user PUBLIC should not be able to execute DBMS_XMLSAVE.
Rationale:
Because the package builds and executes DML from the table name and XML it is given, malicious users may be able to exploit it as an auxiliary injection function in a SQL injection attack.
Audit:
To assess this recommendation, execute the following SQL statement:
SELECT GRANTEE FROM DBA_TAB_PRIVS WHERE TABLE_NAME = 'DBMS_XMLSAVE' AND GRANTEE = 'PUBLIC' AND PRIVILEGE = 'EXECUTE';
Lack of results implies compliance.
Remediation:
To remediate this setting, execute the following SQL statement:
REVOKE EXECUTE ON DBMS_XMLSAVE FROM PUBLIC;
References:
1. http://www.davidlitchfield.com/DBMS_XMLSTORE_PLSQL_Injection.pdf
CIS Controls:
Version 6
18.3 Sanitize Input For In-house Software: For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.
4.1.25 Ensure 'EXECUTE' is revoked from 'PUBLIC' on 'DBMS_REDACT' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The DBMS_REDACT package provides an interface to Oracle Data Redaction, which enables you to mask (redact) data that is returned from queries issued by low-privileged users or an application. The user PUBLIC should not be able to execute DBMS_REDACT.
Rationale:
DBMS_REDACT is the administrative interface for redaction policies: a user who can execute it can add, alter, disable, enable or drop policies. Granting it to PUBLIC therefore lets any account weaken or remove the masking that protects sensitive columns.
Audit:
To assess this recommendation, execute the following SQL statement:
SELECT GRANTEE FROM DBA_TAB_PRIVS WHERE TABLE_NAME = 'DBMS_REDACT' AND GRANTEE = 'PUBLIC' AND PRIVILEGE = 'EXECUTE';
Lack of results implies compliance.
Remediation:
To remediate this setting, execute the following SQL statement:
REVOKE EXECUTE ON DBMS_REDACT FROM PUBLIC;
CIS Controls:
Version 6
18.3 Sanitize Input For In-house Software: For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.
4.2 Revoke Non-Default Privileges for Packages and Object Types
The recommendations within this section revoke excessive privileges for packages and object types.
4.2.1 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_SYS_SQL' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database DBMS_SYS_SQL package is shipped undocumented. The user PUBLIC should not be able to execute DBMS_SYS_SQL.
Rationale:
The DBMS_SYS_SQL package could allow a user to run code as a different user without entering valid credentials.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_SYS_SQL';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_SYS_SQL FROM PUBLIC;
References:
1. http://asktom.oracle.com/pls/asktom/f?p=100:11:0::::P11_QUESTION_ID:1325202421535
CIS Controls:
Version 6
16 Account Monitoring and Control
4.2.2 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_BACKUP_RESTORE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database DBMS_BACKUP_RESTORE package is the internal PL/SQL interface that RMAN uses to drive its backup and restore operations on the server. The user PUBLIC should not be able to execute DBMS_BACKUP_RESTORE.
Rationale:
The DBMS_BACKUP_RESTORE package exposes procedures that read, write and list operating-system files from inside the database, so it can give access to OS files.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_BACKUP_RESTORE';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_BACKUP_RESTORE FROM PUBLIC;
References:
1. http://psoug.org/reference/dbms_backup_restore.html
2. http://davidalejomarcos.wordpress.com/2011/09/13/how-to-list-files-on-a-directory-from-oracle-database/
CIS Controls:
Version 6
18 Application Software Security
4.2.3 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_AQADM_SYSCALLS' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database DBMS_AQADM_SYSCALLS package is shipped undocumented. The user PUBLIC should not be able to execute DBMS_AQADM_SYSCALLS.
Rationale:
The DBMS_AQADM_SYSCALLS package could allow an unauthorized user to run SQL commands as user SYS.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_AQADM_SYSCALLS';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_AQADM_SYSCALLS FROM PUBLIC;
References:
1. http://securityvulns.ru/files/ohh-indirect-privilege-escalation.pdf
CIS Controls:
Version 6
18 Application Software Security
4.2.4 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_REPCAT_SQL_UTL' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database DBMS_REPCAT_SQL_UTL package is shipped undocumented and allows SQL commands to be run as user SYS. The user PUBLIC should not be able to execute DBMS_REPCAT_SQL_UTL.
Rationale:
The DBMS_REPCAT_SQL_UTL package could allow an unauthorized user to run SQL commands as user SYS.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_REPCAT_SQL_UTL';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_REPCAT_SQL_UTL FROM PUBLIC;
References:
1. http://securityvulns.ru/files/ohh-indirect-privilege-escalation.pdf
CIS Controls:
Version 6
18 Application Software Security
4.2.5 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'INITJVMAUX' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database INITJVMAUX package is shipped undocumented and allows SQL commands to be run as user SYS. The user PUBLIC should not be able to execute INITJVMAUX.
Rationale:
The INITJVMAUX package could allow an unauthorized user to run SQL commands as user SYS.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='INITJVMAUX';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON INITJVMAUX FROM PUBLIC;
References:
1. http://securityvulns.ru/files/ohh-indirect-privilege-escalation.pdf
CIS Controls:
Version 6
18 Application Software Security
4.2.6 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_STREAMS_ADM_UTL' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database DBMS_STREAMS_ADM_UTL package is shipped undocumented and allows SQL commands to be run as user SYS. The user PUBLIC should not be able to execute DBMS_STREAMS_ADM_UTL.
Rationale:
The DBMS_STREAMS_ADM_UTL package could allow an unauthorized user to run SQL commands as user SYS.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_STREAMS_ADM_UTL';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_STREAMS_ADM_UTL FROM PUBLIC;
References:
1. http://securityvulns.ru/files/ohh-indirect-privilege-escalation.pdf
CIS Controls:
Version 6
18 Application Software Security
4.2.7 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_AQADM_SYS' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database DBMS_AQADM_SYS package is shipped undocumented and allows SQL commands to be run as user SYS. The user PUBLIC should not be able to execute DBMS_AQADM_SYS.
Rationale:
The DBMS_AQADM_SYS package could allow an unauthorized user to run SQL commands as user SYS.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_AQADM_SYS';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_AQADM_SYS FROM PUBLIC;
CIS Controls:
Version 6
18 Application Software Security
4.2.8 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_STREAMS_RPC' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database DBMS_STREAMS_RPC package is shipped undocumented and allows SQL commands to be run as user SYS. The user PUBLIC should not be able to execute DBMS_STREAMS_RPC.
Rationale:
The DBMS_STREAMS_RPC package could allow an unauthorized user to run SQL commands as user SYS.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_STREAMS_RPC';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_STREAMS_RPC FROM PUBLIC;
References:
1. http://securityvulns.ru/files/ohh-indirect-privilege-escalation.pdf
CIS Controls:
Version 6
18 Application Software Security
4.2.9 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_PRVTAQIM' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database DBMS_PRVTAQIM package is shipped undocumented and allows SQL commands to be run as user SYS. The user PUBLIC should not be able to execute DBMS_PRVTAQIM.
Rationale:
The DBMS_PRVTAQIM package could allow an unauthorized user to escalate privileges, because arbitrary SQL statements could be executed as user SYS.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_PRVTAQIM';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_PRVTAQIM FROM PUBLIC;
References:
1. http://securityvulns.ru/files/ohh-indirect-privilege-escalation.pdf
CIS Controls:
Version 6
18 Application Software Security
4.2.10 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'LTADM' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database LTADM package is shipped undocumented. It allows privilege escalation if granted to unprivileged users. The user PUBLIC should not be able to execute LTADM.
Rationale:
The LTADM package could allow an unauthorized user to run any SQL command as user SYS.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='LTADM';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON LTADM FROM PUBLIC;
References:
1. http://securityvulns.ru/files/ohh-indirect-privilege-escalation.pdf
CIS Controls:
Version 6
18 Application Software Security
4.2.11 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'WWV_DBMS_SQL' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database WWV_DBMS_SQL package is shipped undocumented. It allows Oracle Application Express to run dynamic SQL statements. The user PUBLIC should not be able to execute WWV_DBMS_SQL.
Rationale:
The WWV_DBMS_SQL package could allow an unauthorized user to run SQL statements as the Application Express (APEX) user.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='WWV_DBMS_SQL';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON WWV_DBMS_SQL FROM PUBLIC;
CIS Controls:
Version 6
14 Controlled Access Based on the Need to Know
4.2.12 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'WWV_EXECUTE_IMMEDIATE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database WWV_EXECUTE_IMMEDIATE package is shipped undocumented. It allows Oracle Application Express to run dynamic SQL statements. The user PUBLIC should not be able to execute WWV_EXECUTE_IMMEDIATE.
Rationale:
The WWV_EXECUTE_IMMEDIATE package could allow an unauthorized user to run SQL statements as the Application Express (APEX) user.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='WWV_EXECUTE_IMMEDIATE';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON WWV_EXECUTE_IMMEDIATE FROM PUBLIC;
References:
1. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-1811
CIS Controls:
Version 6
18 Application Software Security
4.2.13 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_IJOB' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database DBMS_IJOB package is shipped undocumented. It allows a user to run database jobs in the context of another user. The user PUBLIC should not be able to execute DBMS_IJOB.
Rationale:
The DBMS_IJOB package could allow an attacker to execute a database job under a different username, effectively assuming that user's identity.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_IJOB';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_IJOB FROM PUBLIC;
CIS Controls:
Version 6
18 Application Software Security
4.2.14 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_FILE_TRANSFER' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database DBMS_FILE_TRANSFER package allows a user to copy binary files between directory objects on the same server or from one database server to another. The user PUBLIC should not be able to execute DBMS_FILE_TRANSFER.
Rationale:
The DBMS_FILE_TRANSFER package could allow a user to copy files within a server or from one database server to another without authorization to do so.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_FILE_TRANSFER';
The assessment fails if results are returned.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_FILE_TRANSFER FROM PUBLIC;
References:
1. http://docs.oracle.com/database/121/ARPLS/d_ftran.htm#ARPLS095
CIS Controls:
Version 6
18 Application Software Security
4.3 Revoke Excessive System Privileges
The recommendations within this section revoke excessive system privileges.
4.3.1 Ensure 'SELECT ANY DICTIONARY' Is Revoked from Unauthorized 'GRANTEE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database SELECT ANY DICTIONARY privilege allows the designated user to access SYS schema objects. Unauthorized grantees should not have that privilege.
Rationale:
The Oracle password hashes are part of the SYS schema and can be selected using SELECT ANY DICTIONARY privileges.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='SELECT ANY DICTIONARY' AND GRANTEE NOT IN ('DBA','DBSNMP','OEM_MONITOR', 'OLAPSYS','ORACLE_OCM','SYSMAN','WMSYS','SYSBACKUP','SYSDG');
Lack of results implies compliance.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE SELECT ANY DICTIONARY FROM <grantee>;
References:
1. http://docs.oracle.com/database/121/DBSEG/authorization.htm#DBSEG99870
2. http://docs.oracle.com/database/121/REFRN/GUID-10024282-6729-4C66-8679-FD653C9C7DE7.htm#REFRN-GUID-10024282-6729-4C66-8679-FD653C9C7DE7
3. http://arup.blogspot.de/2011/07/difference-between-select-any.html
CIS Controls:
Version 6
14.4 Protect Information With Access Control Lists
All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
4.3.2 Ensure 'SELECT ANY TABLE' Is Revoked from Unauthorized 'GRANTEE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database SELECT ANY TABLE privilege allows the designated user to open any table, except SYS, to view it. Unauthorized grantees should not have that privilege.
Rationale:
Assignment of the SELECT ANY TABLE privilege can allow the unauthorized viewing of sensitive data.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='SELECT ANY TABLE' AND GRANTEE NOT IN ('DBA', 'MDSYS', 'SYS', 'IMP_FULL_DATABASE', 'EXP_FULL_DATABASE','DATAPUMP_IMP_FULL_DATABASE', 'WMSYS', 'SYSTEM','OLAP_DBA', 'DV_REALM_OWNER');
Lack of results implies compliance.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE SELECT ANY TABLE FROM <grantee>;
References:
1. http://docs.oracle.com/database/121/SQLRF/statements_10002.htm#SQLRF01702
Notes:
If O7_DICTIONARY_ACCESSIBILITY has been set to TRUE (non-default setting) then the SELECT ANY TABLE privilege provides access to SYS objects.
CIS Controls:
Version 6
14.4 Protect Information With Access Control Lists
All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
4.3.3 Ensure 'AUDIT SYSTEM' Is Revoked from Unauthorized 'GRANTEE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database AUDIT SYSTEM privilege allows changes to auditing activities on the system. Unauthorized grantees should not have that privilege.
Rationale:
The AUDIT SYSTEM privilege can allow the unauthorized alteration of system audit activities, such as disabling the creation of audit trails.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='AUDIT SYSTEM' AND GRANTEE NOT IN ('DBA','DATAPUMP_IMP_FULL_DATABASE','IMP_FULL_DATABASE', 'SYS','AUDIT_ADMIN');
Lack of results implies compliance.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE AUDIT SYSTEM FROM <grantee>;
References:
1. http://docs.oracle.com/database/121/SQLRF/statements_4007.htm#SQLRF01107
2. http://docs.oracle.com/database/121/SQLRF/statements_4008.htm#SQLRF56110
CIS Controls:
Version 6
5.1 Minimize And Sparingly Use Administrative Privileges
Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.
4.3.4 Ensure 'EXEMPT ACCESS POLICY' Is Revoked from Unauthorized 'GRANTEE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database EXEMPT ACCESS POLICY keyword provides the user the capability to access all the table rows regardless of row-level security lockouts. Unauthorized grantees should not have that keyword assigned to them.
Rationale:
The EXEMPT ACCESS POLICY privilege can allow an unauthorized user to potentially access and change data.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='EXEMPT ACCESS POLICY';
Lack of results implies compliance.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXEMPT ACCESS POLICY FROM <grantee>;
References:
1. http://docs.oracle.com/database/121/DBSEG/audit_config.htm#DBSEG703
2. http://docs.oracle.com/database/121/DBSEG/vpd.htm#CIHEEAFJ
CIS Controls:
Version 6
14.4 Protect Information With Access Control Lists
All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
4.3.5 Ensure 'BECOME USER' Is Revoked from Unauthorized 'GRANTEE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database BECOME USER privilege allows the designated user to inherit the rights of another user. Unauthorized grantees should not have that privilege.
Rationale:
The BECOME USER privilege can allow the unauthorized use of another user's privileges; this capability should be restricted according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='BECOME USER' AND GRANTEE NOT IN ('DBA','SYS','IMP_FULL_DATABASE');
Lack of results implies compliance.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE BECOME USER FROM <grantee>;
References:
1. http://docs.oracle.com/database/121/DBSEG/guidelines.htm#DBSEG499
CIS Controls:
Version 6
16 Account Monitoring and Control
4.3.6 Ensure 'CREATE_PROCEDURE' Is Revoked from Unauthorized 'GRANTEE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database CREATE PROCEDURE privilege allows the designated user to create a stored procedure that will fire when given the correct command sequence. Unauthorized grantees should not have that privilege.
Rationale:
The CREATE PROCEDURE privilege can lead to severe problems in unauthorized hands, such as rogue procedures facilitating data theft or denial-of-service by corrupting data tables.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='CREATE PROCEDURE' AND GRANTEE NOT IN ( 'DBA','DBSNMP','MDSYS','OLAPSYS','OWB$CLIENT', 'OWBSYS','RECOVERY_CATALOG_OWNER','SPATIAL_CSW_ADMIN_USR', 'SPATIAL_WFS_ADMIN_USR','SYS','APEX_030200','APEX_040000', 'APEX_040100','APEX_040200','DVF','RESOURCE','DV_REALM_RESOURCE', 'APEX_GRANTS_FOR_NEW_USERS_ROLE','APEX_050000','MGMT_VIEW', 'SYSMAN_MDS','SYSMAN_OPSS','SYSMAN_RO','SYSMAN_STB');
Lack of results implies compliance.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE CREATE PROCEDURE FROM <grantee>;
References:
1. http://docs.oracle.com/database/121/DBSEG/guidelines.htm#DBSEG499
CIS Controls:
Version 6
5.1 Minimize And Sparingly Use Administrative Privileges
Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.
4.3.7 Ensure 'ALTER SYSTEM' Is Revoked from Unauthorized 'GRANTEE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database ALTER SYSTEM privilege allows the designated user to dynamically alter the instance's running operations. Unauthorized grantees should not have that privilege.
Rationale:
The ALTER SYSTEM privilege can lead to severe problems, such as the instance's session being killed or the stopping of redo log recording, which would make transactions unrecoverable.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='ALTER SYSTEM' AND GRANTEE NOT IN ('SYS','SYSTEM','APEX_030200','APEX_040000', 'APEX_040100','APEX_040200','DBA','EM_EXPRESS_ALL','SYSBACKUP', 'GSMADMIN_ROLE','GSM_INTERNAL','SYSDG','GSMADMIN_INTERNAL');
Lack of results implies compliance.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE ALTER SYSTEM FROM <grantee>;
References:
1. http://docs.oracle.com/database/121/DBSEG/guidelines.htm#DBSEG499
CIS Controls:
Version 6
5.1 Minimize And Sparingly Use Administrative Privileges
Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.
4.3.8 Ensure 'CREATE ANY LIBRARY' Is Revoked from Unauthorized 'GRANTEE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database CREATE ANY LIBRARY privilege allows the designated user to create objects that are associated to the shared libraries. Unauthorized grantees should not have that privilege.
Rationale:
The CREATE ANY LIBRARY privilege can allow the creation of numerous library-associated objects and potentially corrupt the libraries' integrity.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='CREATE ANY LIBRARY' AND GRANTEE NOT IN ('SYS','SYSTEM','DBA','IMP_FULL_DATABASE');
Lack of results implies compliance.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE CREATE ANY LIBRARY FROM <grantee>;
References:
1. http://docs.oracle.com/database/121/DBSEG/guidelines.htm#DBSEG499
2. http://docs.oracle.com/database/121/ADMIN/manproc.htm#ADMIN00501
Notes:
Oracle has two identical privileges: CREATE LIBRARY and CREATE ANY LIBRARY.
CIS Controls:
Version 6
5.1 Minimize And Sparingly Use Administrative Privileges
Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.
4.3.9 Ensure 'CREATE LIBRARY' Is Revoked from Unauthorized 'GRANTEE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database CREATE LIBRARY privilege allows the designated user to create objects that are associated to the shared libraries. Unauthorized grantees should not have that privilege.
Rationale:
The CREATE LIBRARY privilege can allow the creation of numerous library-associated objects and potentially corrupt the libraries' integrity.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='CREATE LIBRARY' AND GRANTEE NOT IN ('SYS','SYSTEM','DBA','MDSYS','SPATIAL_WFS_ADMIN_USR', 'SPATIAL_CSW_ADMIN_USR','DVSYS','GSMADMIN_INTERNAL','XDB');
Lack of results implies compliance.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE CREATE LIBRARY FROM <grantee>;
References:
1. http://docs.oracle.com/database/121/DBSEG/guidelines.htm#DBSEG499
2. http://docs.oracle.com/database/121/ADMIN/manproc.htm#ADMIN00501
Notes:
Oracle has two identical privileges: CREATE LIBRARY and CREATE ANY LIBRARY.
CIS Controls:
Version 6
5.1 Minimize And Sparingly Use Administrative Privileges
Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.
4.3.10 Ensure 'GRANT ANY OBJECT PRIVILEGE' Is Revoked from Unauthorized 'GRANTEE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database GRANT ANY OBJECT PRIVILEGE keyword provides the grantee the capability to grant access to any single or multiple combinations of objects to any grantee in the catalog of the database. Unauthorized grantees should not have that keyword assigned to them.
Rationale:
The GRANT ANY OBJECT PRIVILEGE capability can allow an unauthorized user to potentially access or change confidential data, or damage the data catalog due to potential complete instance access.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='GRANT ANY OBJECT PRIVILEGE' AND GRANTEE NOT IN ('DBA','SYS','IMP_FULL_DATABASE', 'DATAPUMP_IMP_FULL_DATABASE', 'EM_EXPRESS_ALL', 'DV_REALM_OWNER');
Lack of results implies compliance.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE GRANT ANY OBJECT PRIVILEGE FROM <grantee>;
References:
1. http://docs.oracle.com/database/121/DBSEG/authorization.htm#DBSEG99914
CIS Controls:
Version 6
5.1 Minimize And Sparingly Use Administrative Privileges
Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.
4.3.11 Ensure 'GRANT ANY ROLE' Is Revoked from Unauthorized 'GRANTEE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database GRANT ANY ROLE keyword provides the grantee the capability to grant any single role to any grantee in the catalog of the database. Unauthorized grantees should not have that keyword assigned to them.
Rationale:
The GRANT ANY ROLE capability can allow an unauthorized user to potentially access or change confidential data or damage the data catalog due to potential complete instance access.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='GRANT ANY ROLE' AND GRANTEE NOT IN ('DBA','SYS','DATAPUMP_IMP_FULL_DATABASE', 'IMP_FULL_DATABASE','SPATIAL_WFS_ADMIN_USR', 'SPATIAL_CSW_ADMIN_USR','GSMADMIN_INTERNAL', 'DV_REALM_OWNER', 'EM_EXPRESS_ALL', 'DV_OWNER');
Lack of results implies compliance.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE GRANT ANY ROLE FROM <grantee>;
References:
1. http://docs.oracle.com/database/121/DBSEG/authorization.htm#DBSEG99945
CIS Controls:
Version 6
5.1 Minimize And Sparingly Use Administrative Privileges
Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.
4.3.12 Ensure 'GRANT ANY PRIVILEGE' Is Revoked from Unauthorized 'GRANTEE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database GRANT ANY PRIVILEGE keyword provides the grantee the capability to grant any single privilege to any item in the catalog of the database. Unauthorized grantees should not have that privilege.
Rationale:
The GRANT ANY PRIVILEGE capability can allow an unauthorized user to potentially access or change confidential data or damage the data catalog due to potential complete instance access.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='GRANT ANY PRIVILEGE' AND GRANTEE NOT IN ('DBA','SYS','IMP_FULL_DATABASE', 'DATAPUMP_IMP_FULL_DATABASE', 'DV_REALM_OWNER','EM_EXPRESS_ALL');
Lack of results implies compliance.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE GRANT ANY PRIVILEGE FROM <grantee>;
References:
1. http://docs.oracle.com/database/121/DBSEG/authorization.htm#DBSEG99945
CIS Controls:
Version 6
5.1 Minimize And Sparingly Use Administrative Privileges
Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.
4.4 Revoke Role Privileges
The recommendations within this section intend to revoke powerful roles where they are likely not needed.
4.4.1 Ensure 'DELETE_CATALOG_ROLE' Is Revoked from Unauthorized 'GRANTEE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database DELETE_CATALOG_ROLE provides DELETE privileges for the records in the system's audit table (AUD$). Unauthorized grantees should not have that role.
Rationale:
Permitting unauthorized access to the DELETE_CATALOG_ROLE can allow the destruction of audit records vital to the forensic investigation of unauthorized activities.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS WHERE granted_role='DELETE_CATALOG_ROLE' AND GRANTEE NOT IN ('DBA','SYS');
Lack of results implies compliance.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE DELETE_CATALOG_ROLE FROM <grantee>;
References:
1. http://docs.oracle.com/database/121/DBSEG/authorization.htm#BABFCAFH
CIS Controls:
Version 6
6 Maintenance, Monitoring, and Analysis of Audit Logs
4.4.2 Ensure 'SELECT_CATALOG_ROLE' Is Revoked from Unauthorized 'GRANTEE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database SELECT_CATALOG_ROLE provides SELECT privileges on all data dictionary views held in the SYS schema. Unauthorized grantees should not have that role.
Rationale:
Permitting unauthorized access to the SELECT_CATALOG_ROLE can allow the disclosure of all dictionary data.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS WHERE granted_role='SELECT_CATALOG_ROLE' AND grantee not in ('DBA','SYS','IMP_FULL_DATABASE','EXP_FULL_DATABASE', 'OEM_MONITOR', 'SYSBACKUP','EM_EXPRESS_BASIC','SYSMAN');
Lack of results implies compliance.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE SELECT_CATALOG_ROLE FROM <grantee>;
References:
1. http://docs.oracle.com/database/121/DBSEG/authorization.htm#BABFCAFH
CIS Controls:
Version 6
5.1 Minimize And Sparingly Use Administrative Privileges
Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.
4.4.3 Ensure 'EXECUTE_CATALOG_ROLE' Is Revoked from Unauthorized 'GRANTEE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database EXECUTE_CATALOG_ROLE provides EXECUTE privileges for a number of packages and procedures in the data dictionary in the SYS schema. Unauthorized grantees should not have that role.
Rationale:
Permitting unauthorized access to the EXECUTE_CATALOG_ROLE can allow the disruption of operations by initialization of rogue procedures; this capability should be restricted according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS WHERE granted_role='EXECUTE_CATALOG_ROLE' AND grantee not in ('DBA','SYS','IMP_FULL_DATABASE','EXP_FULL_DATABASE');
Lack of results implies compliance.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE_CATALOG_ROLE FROM <grantee>;
References:
1. http://docs.oracle.com/database/121/DBSEG/authorization.htm#BABFCAFH
CIS Controls:
Version 6
5.1 Minimize And Sparingly Use Administrative Privileges
Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.
4.4.4 Ensure 'DBA' Is Revoked from Unauthorized 'GRANTEE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database DBA role is the default database administrator role provided for the allocation of administrative privileges. Unauthorized grantees should not have that role.
Rationale:
Assignment of the DBA role to an ordinary user can provide a great number of unnecessary privileges to that user and open the door to data breaches, integrity violations, and denial-of-service conditions.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS WHERE GRANTED_ROLE='DBA' AND GRANTEE NOT IN ('SYS','SYSTEM');
Lack of results implies compliance.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE DBA FROM <grantee>;
References:
1. http://docs.oracle.com/database/121/DBSEG/authorization.htm#DBSEG4414
CIS Controls:
Version 6
5.1 Minimize And Sparingly Use Administrative Privileges
Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.
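The four audit queries in section 4.4 read DBA_ROLE_PRIVS, which records only direct grants, so a user who holds DBA (or one of the catalog roles) through an intermediate role is not reported. The query below is an added example, not part of the CIS benchmark: it walks the role graph from every user and from PUBLIC with CONNECT BY, reports each path that ends in one of the four roles, and prints the REVOKE that breaks the chain at its last hop, applying the allow-lists of 4.4.1 to 4.4.4 to that hop exactly as the benchmark applies them to direct grantees.

```sql
-- Added example (not CIS code): find direct AND inherited holders of the section 4.4 roles.
-- Needs SELECT on DBA_ROLE_PRIVS and DBA_USERS. A role that is not a DEFAULT role still
-- counts here: its holder can enable it with SET ROLE.
WITH paths AS (
  SELECT CONNECT_BY_ROOT grantee                   AS holder,          -- the user (or PUBLIC)
         grantee                                   AS direct_grantee,  -- last hop before the role
         granted_role,
         LEVEL                                     AS depth,           -- 1 = direct grant
         SYS_CONNECT_BY_PATH(granted_role, ' -> ') AS via,
         -- allow-lists copied from 4.4.1 .. 4.4.4, wrapped in commas so INSTR matches whole names;
         -- NULL for every role the benchmark does not watch
         CASE granted_role
           WHEN 'DELETE_CATALOG_ROLE'  THEN ',DBA,SYS,'
           WHEN 'SELECT_CATALOG_ROLE'  THEN ',DBA,SYS,IMP_FULL_DATABASE,EXP_FULL_DATABASE,'
                                         || 'OEM_MONITOR,SYSBACKUP,EM_EXPRESS_BASIC,SYSMAN,'
           WHEN 'EXECUTE_CATALOG_ROLE' THEN ',DBA,SYS,IMP_FULL_DATABASE,EXP_FULL_DATABASE,'
           WHEN 'DBA'                  THEN ',SYS,SYSTEM,'
         END                                       AS allowed
  FROM   dba_role_privs
  -- start at users and PUBLIC (a role granted to PUBLIC is held by every account)
  START WITH grantee IN (SELECT username FROM dba_users) OR grantee = 'PUBLIC'
  -- follow user -> role -> role ... ; NOCYCLE guards against any loop in the graph
  CONNECT BY NOCYCLE grantee = PRIOR granted_role
)
SELECT p.granted_role,
       p.holder,
       CASE WHEN p.depth = 1 THEN 'direct' ELSE 'inherited' END AS how,
       p.holder || p.via                                        AS grant_path,
       -- the benchmark's remediation, aimed at the hop that actually holds the role;
       -- when that hop is a role, the REVOKE removes it from every member of that role
       'REVOKE ' || p.granted_role || ' FROM "' || p.direct_grantee || '";' AS remediation
FROM   paths p
WHERE  p.allowed IS NOT NULL                                   -- one of the four watched roles
AND    INSTR(p.allowed, ',' || p.direct_grantee || ',') = 0    -- same test as the audit queries
ORDER  BY p.granted_role, p.holder, p.depth;
```

Rows with how = 'direct' are exactly what the four benchmark queries return; 'inherited' rows are the grants those queries miss.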
4.5 Revoke Excessive Table and View Privileges
The recommendations within this section intend to revoke excessive table and view privileges.
4.5.1 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'AUD$' (Scored)
ProfileApplicability:
• Level1-RDBMSusingTraditionalAuditing• Level1-RDBMSusingUnifiedAuditing
Description:
TheOracledatabaseSYS.AUD$tablecontainsalltheauditrecordsforthedatabaseofthenon-DataManipulationLanguage(DML)events,suchasALTER,DROP,andCREATE,andsoforth.(DMLchangesneedtrigger-basedauditeventstorecorddataalterations.)Unauthorizedgranteesshouldnothavefullaccesstothattable.
Rationale:
Permittingnon-privilegeduserstheauthorizationtomanipulatetheSYS.AUD$tablecanallowdistortionoftheauditrecords,hidingunauthorizedactivities.
Audit:
Toassessthisrecommendation,executethefollowingSQLstatement.
SELECT GRANTEE, PRIVILEGE FROM DBA_TAB_PRIVS WHERE TABLE_NAME='AUD$' AND GRANTEE NOT IN ('DELETE_CATALOG_ROLE');
Lackofresultsimpliescompliance.
Remediation:
Toremediatethissetting,executethefollowingSQLstatement.
REVOKE ALL ON AUD$ FROM <grantee>;
References:
1. http://docs.oracle.com/database/121/DBSEG/audit_admin.htm#DBSEG629
CIS Controls:
Version 6
6 Maintenance, Monitoring, and Analysis of Audit Logs
4.5.2 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'USER_HISTORY$' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database SYS.USER_HISTORY$ table contains all the audit records for the user's password change history. (This table gets updated by password changes if the user has an assigned profile that has a password reuse limit set, e.g., PASSWORD_REUSE_TIME set to other than UNLIMITED.) Unauthorized grantees should not have full access to that table.
Rationale:
Permitting non-privileged users the authorization to manipulate the records in the SYS.USER_HISTORY$ table can allow distortion of the audit trail, potentially hiding unauthorized data confidentiality attacks or integrity changes.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_TAB_PRIVS WHERE TABLE_NAME='USER_HISTORY$' AND OWNER = 'SYS';
Lack of results implies compliance.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE ALL ON USER_HISTORY$ FROM <grantee>;
References:
1. http://marcel.vandewaters.nl/oracle/database-oracle/password-history-reusing-a-password
Notes:
USER_HISTORY$ contains only the old, case-insensitive passwords.
CIS Controls:
Version 6
5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.
16.14 Encrypt/Hash All Authentication Files And Monitor Their Access - Verify that all authentication files are encrypted or hashed and that these files cannot be accessed without root or administrator privileges. Audit all access to password files in the system.
4.5.3 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'LINK$' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database SYS.LINK$ table contains all the user's password information and data table link information. Unauthorized grantees should not have full access to that table.
Rationale:
Permitting non-privileged users to manipulate or view the SYS.LINK$ table can allow capture of password information and/or corrupt the primary database linkages.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_TAB_PRIVS WHERE TABLE_NAME='LINK$' AND GRANTEE NOT IN ('DV_SECANALYST') AND OWNER='SYS';
Lack of results implies compliance.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE ALL ON LINK$ FROM <grantee>;
CIS Controls:
Version 6
5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.
16.14 Encrypt/Hash All Authentication Files And Monitor Their Access - Verify that all authentication files are encrypted or hashed and that these files cannot be accessed without root or administrator privileges. Audit all access to password files in the system.
4.5.4 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'SYS.USER$' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database SYS.USER$ table contains the users' hashed password information. Unauthorized grantees should not have full access to that table.
Rationale:
Permitting non-privileged users the authorization to open the SYS.USER$ table can allow the capture of password hashes for the later application of password cracking algorithms to breach confidentiality.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_TAB_PRIVS WHERE TABLE_NAME='USER$' AND OWNER='SYS' AND GRANTEE NOT IN ('CTXSYS','XDB','APEX_030200','SYSMAN','APEX_040000', 'APEX_040100','APEX_040200','DV_SECANALYST','DVSYS','ORACLE_OCM');
Lack of results implies compliance.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE ALL ON SYS.USER$ FROM <grantee>;
References:
1. http://dba.stackexchange.com/questions/17513/what-do-the-columns-in-sys-user-represent
CIS Controls:
Version 6
5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.
16.14 Encrypt/Hash All Authentication Files And Monitor Their Access - Verify that all authentication files are encrypted or hashed and that these files cannot be accessed without root or administrator privileges. Audit all access to password files in the system.
4.5.5 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'DBA_%' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database DBA_ views show all information which is relevant to administrative accounts. Unauthorized grantees should not have full access to those views.
Rationale:
Permitting users the authorization to manipulate the DBA_ views can expose sensitive data.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT grantee||'.'||table_name FROM DBA_TAB_PRIVS WHERE TABLE_NAME LIKE 'DBA_%' AND GRANTEE NOT IN ('DBA','AUDIT_ADMIN','AUDIT_VIEWER','CAPTURE_ADMIN', 'DVSYS','SYSDG','DV_SECANALYST','SYSKM','DV_MONITOR', 'ORACLE_OCM','DV_ACCTMGR','GSMADMIN_INTERNAL','XDB', 'SYS','APPQOSSYS','AQ_ADMINISTRATOR_ROLE','CTXSYS', 'EXFSYS','MDSYS','OLAP_XS_ADMIN','OLAPSYS','ORDSYS', 'OWB$CLIENT','OWBSYS','SELECT_CATALOG_ROLE', 'WM_ADMIN_ROLE','WMSYS','XDBADMIN','LBACSYS', 'ADM_PARALLEL_EXECUTE_TASK','CISSCANROLE') AND NOT REGEXP_LIKE(grantee,'^APEX_0[3-9][0-9][0-9][0-9][0-9]$');
Lack of results implies compliance.
Note: An organization should perform proper impact analysis before revoking grants on DBA_ objects.
Remediation:
Replace <Non-DBA/SYS grantee> and <DBA_ view> in the statement below with each grantee and view name pair returned by the associated audit procedure, and execute:
REVOKE ALL ON <DBA_ view> FROM <Non-DBA/SYS grantee>;
References:
1. http://docs.oracle.com/database/121/REFRN/GUID-10024282-6729-4C66-8679-FD653C9C7DE7.htm#REFRN-GUID-10024282-6729-4C66-8679-FD653C9C7DE7
CIS Controls:
Version 6
5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.
4.5.6 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'SYS.SCHEDULER$_CREDENTIAL' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database SCHEDULER$_CREDENTIAL table contains the database scheduler credential information. Unauthorized grantees should not have full access to that table.
Rationale:
Permitting non-privileged users the authorization to open the SYS.SCHEDULER$_CREDENTIAL table could expose the credentials to compromise and reuse.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_TAB_PRIVS WHERE TABLE_NAME='SCHEDULER$_CREDENTIAL' AND OWNER='SYS';
Lack of results implies compliance.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE ALL ON SYS.SCHEDULER$_CREDENTIAL FROM <grantee>;
References:
1. http://docs.oracle.com/database/121/ADMIN/schedadmin.htm#ADMIN12073
2. http://berxblog.blogspot.de/2012/02/restore-dbmsschedulercreatecredential.html
Notes:
*_SCHEDULER_CREDENTIALS is deprecated in Oracle Database 12c, but remains available for reasons of backward compatibility.
CIS Controls:
Version 6
5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.
16.14 Encrypt/Hash All Authentication Files And Monitor Their Access - Verify that all authentication files are encrypted or hashed and that these files cannot be accessed without root or administrator privileges. Audit all access to password files in the system.
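The audit queries of 4.5.1 through 4.5.6 all follow the same pattern (read DBA_TAB_PRIVS, exclude the grantees the benchmark treats as authorized) and every remediation is a REVOKE ALL per grantee and object. The query below is an added example, not part of the CIS Benchmark: it runs those six checks in one pass and prints the REVOKE statements for review rather than executing them, which is what the impact-analysis note under 4.5.5 calls for. It assumes a session that can read DBA_TAB_PRIVS (for example one holding SELECT_CATALOG_ROLE).

```sql
-- Added example (not CIS Benchmark code): audit 4.5.1 to 4.5.6 in one query and
-- generate the matching REVOKE ALL statements for review. Nothing is executed.
WITH sensitive (item, obj_owner, obj_name, exempt_list) AS (
  -- obj_owner is NULL where the benchmark query does not filter on OWNER (4.5.1).
  -- exempt_list holds the grantees the benchmark treats as authorized, wrapped
  -- in commas so that INSTR below matches whole names only.
  SELECT '4.5.1', CAST(NULL AS VARCHAR2(30)), 'AUD$',
         ',DELETE_CATALOG_ROLE,'                               FROM dual UNION ALL
  SELECT '4.5.2', 'SYS', 'USER_HISTORY$', ','                 FROM dual UNION ALL
  SELECT '4.5.3', 'SYS', 'LINK$', ',DV_SECANALYST,'           FROM dual UNION ALL
  SELECT '4.5.4', 'SYS', 'USER$',
         ',CTXSYS,XDB,APEX_030200,SYSMAN,APEX_040000,APEX_040100,'
         || 'APEX_040200,DV_SECANALYST,DVSYS,ORACLE_OCM,'      FROM dual UNION ALL
  SELECT '4.5.6', 'SYS', 'SCHEDULER$_CREDENTIAL', ','         FROM dual
),
findings AS (
  -- 4.5.1 to 4.5.4 and 4.5.6: direct grants on the sensitive SYS tables
  SELECT s.item, p.owner, p.table_name, p.grantee, p.privilege
  FROM   dba_tab_privs p
  JOIN   sensitive s
    ON   s.obj_name = p.table_name
   AND  (s.obj_owner IS NULL OR s.obj_owner = p.owner)
  WHERE  INSTR(s.exempt_list, ',' || p.grantee || ',') = 0
  UNION ALL
  -- 4.5.5: grants on the DBA_ views. ESCAPE keeps the underscore literal;
  -- the benchmark's bare LIKE 'DBA_%' would also match names such as DBAX.
  SELECT '4.5.5', p.owner, p.table_name, p.grantee, p.privilege
  FROM   dba_tab_privs p
  WHERE  p.table_name LIKE 'DBA\_%' ESCAPE '\'
  AND    p.grantee NOT IN ('DBA','AUDIT_ADMIN','AUDIT_VIEWER','CAPTURE_ADMIN',
           'DVSYS','SYSDG','DV_SECANALYST','SYSKM','DV_MONITOR','ORACLE_OCM',
           'DV_ACCTMGR','GSMADMIN_INTERNAL','XDB','SYS','APPQOSSYS',
           'AQ_ADMINISTRATOR_ROLE','CTXSYS','EXFSYS','MDSYS','OLAP_XS_ADMIN',
           'OLAPSYS','ORDSYS','OWB$CLIENT','OWBSYS','SELECT_CATALOG_ROLE',
           'WM_ADMIN_ROLE','WMSYS','XDBADMIN','LBACSYS',
           'ADM_PARALLEL_EXECUTE_TASK','CISSCANROLE')
  AND    NOT REGEXP_LIKE(p.grantee, '^APEX_0[3-9][0-9]{4}$')
)
SELECT item,
       grantee,
       owner || '.' || table_name AS object_name,
       -- every privilege the grantee holds on the object, so the reviewer can
       -- judge the impact before the grant is removed
       LISTAGG(privilege, ',') WITHIN GROUP (ORDER BY privilege) AS privileges_held,
       -- one REVOKE ALL per grantee and object, as the remediation sections specify
       'REVOKE ALL ON ' || owner || '.' || table_name
         || ' FROM ' || grantee || ';' AS remediation
FROM   findings
GROUP  BY item, grantee, owner, table_name
ORDER  BY item, grantee, object_name;
```

An empty result set means all six recommendations are met; each returned row carries the exact statement to run once the impact of removing that grant has been assessed.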
4.5.7 Ensure 'SYS.USER$MIG' Has Been Dropped (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The table sys.user$mig is created during migration and contains the Oracle password hashes before the migration starts. This table should be dropped.
Rationale:
The table sys.user$mig is not deleted after the migration. An attacker could access the table containing the Oracle password hashes.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT OWNER, TABLE_NAME FROM ALL_TABLES WHERE OWNER='SYS' AND TABLE_NAME='USER$MIG';
Lack of results implies compliance.
Remediation:
To remediate this setting, execute the following SQL statement.
DROP TABLE SYS.USER$MIG;
CIS Controls:
Version 6
16.14 Encrypt/Hash All Authentication Files And Monitor Their Access - Verify that all authentication files are encrypted or hashed and that these files cannot be accessed without root or administrator privileges. Audit all access to password files in the system.
4.6 Ensure '%ANY%' Is Revoked from Unauthorized 'GRANTEE' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database ANY keyword provides the user the capability to alter any item in the catalog of the database. Unauthorized grantees should not have that keyword assigned to them.
Rationale:
Authorization to use the ANY expansion of a privilege can allow an unauthorized user to potentially change confidential data or damage the data catalog.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE LIKE '%ANY%' AND GRANTEE NOT IN ('AQ_ADMINISTRATOR_ROLE','DBA','DBSNMP','EXFSYS', 'EXP_FULL_DATABASE','IMP_FULL_DATABASE', 'DATAPUMP_IMP_FULL_DATABASE','JAVADEBUGPRIV','MDSYS', 'OEM_MONITOR','OLAPSYS','OLAP_DBA','ORACLE_OCM','OWB$CLIENT', 'OWBSYS','SCHEDULER_ADMIN','SPATIAL_CSW_ADMIN_USR', 'SPATIAL_WFS_ADMIN_USR','SYS','SYSMAN','SYSTEM','WMSYS', 'APEX_030200','APEX_040000','APEX_040100','APEX_040200','LBACSYS', 'SYSBACKUP','CTXSYS','OUTLN','DVSYS','ORDPLUGINS','ORDSYS', 'RECOVERY_CATALOG_OWNER_VPD','GSMADMIN_INTERNAL','XDB','SYSDG', 'AUDIT_ADMIN','DV_OWNER','DV_REALM_OWNER','EM_EXPRESS_ALL', 'RECOVERY_CATALOG_OWNER','APEX_050000','SYSMAN_STB', 'SYSMAN_TYPES');
Lack of results implies compliance.
Remediation:
To remediate this setting, execute the following SQL statement for each privilege and grantee returned by the audit query (system privilege names are not quoted).
REVOKE <ANY privilege> FROM <grantee>;
References:
1. http://docs.oracle.com/database/121/DBSEG/authorization.htm#DBSEG99877
CIS Controls:
Version 6
14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
4.7 Ensure 'DBA_SYS_PRIVS.%' Is Revoked from Unauthorized 'GRANTEE' with 'ADMIN_OPTION' Set to 'YES' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
The Oracle database WITH_ADMIN privilege allows the designated user to grant another user the same privileges. Unauthorized grantees should not have that privilege.
Rationale:
Assignment of the WITH_ADMIN privilege can allow the granting of a restricted privilege to an unauthorized user.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE ADMIN_OPTION='YES' AND GRANTEE not in ('AQ_ADMINISTRATOR_ROLE','DBA','OWBSYS', 'SCHEDULER_ADMIN','SYS','SYSTEM','WMSYS', 'DVSYS','SYSKM','DV_ACCTMGR') AND NOT REGEXP_LIKE(grantee,'^APEX_0[3-9][0-9][0-9][0-9][0-9]$');
Lack of results implies compliance.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE <privilege> FROM <grantee>;
CIS Controls:
Version 6
5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.
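Recommendations 4.6 and 4.7 both read DBA_SYS_PRIVS, and a grantee can appear in both (an ANY privilege held WITH ADMIN OPTION). The query below is an added example, not part of the CIS Benchmark: it classifies every row of DBA_SYS_PRIVS against both checks and prints the remediation for review. The point it adds is that Oracle cannot revoke only the ADMIN OPTION, so a privilege the grantee is allowed to keep (a 4.7 finding that is not also a 4.6 finding) has to be revoked and then granted again without the option. It assumes a session that can read DBA_SYS_PRIVS.

```sql
-- Added example (not CIS Benchmark code): evaluate 4.6 and 4.7 in one pass over
-- DBA_SYS_PRIVS and print the remediation for each finding. Nothing is executed.
WITH classified AS (
  SELECT grantee, privilege, admin_option,
         -- 4.6: a %ANY% privilege held by a grantee outside the benchmark's list
         CASE WHEN privilege LIKE '%ANY%'
               AND grantee NOT IN ('AQ_ADMINISTRATOR_ROLE','DBA','DBSNMP','EXFSYS',
                 'EXP_FULL_DATABASE','IMP_FULL_DATABASE','DATAPUMP_IMP_FULL_DATABASE',
                 'JAVADEBUGPRIV','MDSYS','OEM_MONITOR','OLAPSYS','OLAP_DBA','ORACLE_OCM',
                 'OWB$CLIENT','OWBSYS','SCHEDULER_ADMIN','SPATIAL_CSW_ADMIN_USR',
                 'SPATIAL_WFS_ADMIN_USR','SYS','SYSMAN','SYSTEM','WMSYS','APEX_030200',
                 'APEX_040000','APEX_040100','APEX_040200','LBACSYS','SYSBACKUP','CTXSYS',
                 'OUTLN','DVSYS','ORDPLUGINS','ORDSYS','RECOVERY_CATALOG_OWNER_VPD',
                 'GSMADMIN_INTERNAL','XDB','SYSDG','AUDIT_ADMIN','DV_OWNER','DV_REALM_OWNER',
                 'EM_EXPRESS_ALL','RECOVERY_CATALOG_OWNER','APEX_050000','SYSMAN_STB',
                 'SYSMAN_TYPES')
              THEN 'Y' ELSE 'N' END AS any_finding,
         -- 4.7: any privilege granted WITH ADMIN OPTION outside the 4.7 list
         CASE WHEN admin_option = 'YES'
               AND grantee NOT IN ('AQ_ADMINISTRATOR_ROLE','DBA','OWBSYS',
                 'SCHEDULER_ADMIN','SYS','SYSTEM','WMSYS','DVSYS','SYSKM','DV_ACCTMGR')
               AND NOT REGEXP_LIKE(grantee, '^APEX_0[3-9][0-9]{4}$')
              THEN 'Y' ELSE 'N' END AS admin_finding
  FROM   dba_sys_privs
)
SELECT CASE WHEN any_finding = 'Y' THEN '4.6' ELSE '4.7' END AS item,
       grantee, privilege, admin_option,
       CASE
         -- 4.6: the privilege itself is excessive, so it is removed outright
         WHEN any_finding = 'Y' THEN
           'REVOKE ' || privilege || ' FROM ' || grantee || ';'
         -- 4.7 only: the grantee keeps the privilege but loses the ADMIN OPTION.
         -- Oracle has no "revoke admin option" form: revoke, then grant again.
         ELSE
           'REVOKE ' || privilege || ' FROM ' || grantee || '; '
           || 'GRANT ' || privilege || ' TO ' || grantee || ';'
       END AS remediation
FROM   classified
WHERE  any_finding = 'Y' OR admin_finding = 'Y'
ORDER  BY item, grantee, privilege;
```

Revoking a system privilege does not cascade to users the grantee passed it on to; those onward grants are separate rows in DBA_SYS_PRIVS and are reported by the same query if their grantees are not on the authorized lists.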
4.8 Ensure Proxy Users Have Only 'CONNECT' Privilege (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
Do not grant privileges other than CONNECT directly to proxy users.
Rationale:
A proxy user should only have the ability to connect to the database, or privileges based on the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT GRANTEE,GRANTED_ROLE FROM DBA_ROLE_PRIVS WHERE GRANTEE IN (SELECT PROXY FROM DBA_PROXIES) AND GRANTED_ROLE NOT IN ('CONNECT') UNION SELECT GRANTEE,PRIVILEGE FROM DBA_SYS_PRIVS WHERE GRANTEE IN (SELECT PROXY FROM DBA_PROXIES) AND PRIVILEGE NOT IN ('CREATE SESSION') UNION SELECT GRANTEE,PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE IN (SELECT PROXY FROM DBA_PROXIES);
Lack of results implies compliance.
Remediation:
To remediate this setting, execute the following SQL statement for each [PRIVILEGE] returned (other than CONNECT) by running the audit procedure.
REVOKE <privilege> FROM <proxy_user>;
CIS Controls:
Version 6
16 Account Monitoring and Control
4.9 Ensure 'EXECUTE ANY PROCEDURE' Is Revoked from 'OUTLN' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
Remove unneeded EXECUTE ANY PROCEDURE privileges from OUTLN.
Rationale:
Migrated OUTLN users have more privileges than required.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='EXECUTE ANY PROCEDURE' AND GRANTEE='OUTLN';
Lack of results implies compliance.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ANY PROCEDURE FROM OUTLN;
CIS Controls:
Version 6
5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.
4.10 Ensure 'EXECUTE ANY PROCEDURE' Is Revoked from 'DBSNMP' (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
• Level 1 - RDBMS using Unified Auditing
Description:
Remove unneeded EXECUTE ANY PROCEDURE privileges from DBSNMP.
Rationale:
Migrated DBSNMP users have more privileges than required.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='EXECUTE ANY PROCEDURE' AND GRANTEE='DBSNMP';
Lack of results implies compliance.
Remediation:
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ANY PROCEDURE FROM DBSNMP;
CIS Controls:
Version 6
5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.
5 Audit/Logging Policies and Procedures
The ability to audit database activities is among the most important of all database security features. Decisions must be made regarding the scope of auditing since auditing has costs - in storage for the audit trail and in performance impact on audited operations - and perhaps even the database or system in general. There is also the additional cost to manage (store, backup, secure) and review the data in the audit trail.
Measures must be taken to protect the audit trail itself, for it may be targeted for alteration or destruction to hide unauthorized activity. For an audit destination outside the database, the recommendations are elsewhere in this document. Auditing recommendations for potential database audit destinations are below.
Auditing "by session" typically creates fewer (until 11g) and slightly smaller audit records, but is discouraged in most situations since there is some loss of fidelity (e.g. object privilege GRANTEE). More detailed auditing creates larger audit records. The AUDIT_TRAIL initialization parameter (for DB|XML, extended or not) is the main determining factor for the size of a given audit record - and a notable factor in the performance cost, although the largest of the latter is DB versus OS or XML.
This section deals with standard Oracle auditing since auditing of privileged connections (as sysdba or sysoper) is configured via the AUDIT_SYS_OPERATIONS initialization parameter and is otherwise not configurable. The basic types of standard auditing are object, statement and privilege auditing, and each behaves differently.
Object auditing applies to specific objects for which it is invoked and always applies to all users. This type of auditing is usually employed to audit application-specific sensitive objects, but can also be used to protect the audit trail in the database.
Privilege auditing audits the use of specific system privileges, but typically only if the user actually possesses the audited privilege. Attempts that fail for lack of the audited privilege are typically not audited. This is the main weakness of privilege auditing and why statement auditing is usually preferred, if the option exists.
Statement auditing audits the issuance of certain types of statements, usually without regard to privilege or lack thereof. Both privilege and statement audits may be specified for specific users or all users (the default).
5.1 Traditional Auditing
The recommendations in this section should be followed if traditional auditing is implemented.
5.1.1 Ensure the 'USER' Audit Option Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
Description:
The USER object allows for creating accounts that can interact with the database according to the roles and privileges allotted to the account. It may also own database objects. Enabling the audit option causes auditing of all activities and requests to create, drop or alter a user, including a user changing their own password. (The latter is not audited by audit ALTER USER.)
Rationale:
Any unauthorized attempts to create, drop or alter a user should cause concern, whether successful or not. Auditing can also be useful in forensics if an account is compromised, and auditing is mandated by many common security initiatives. An abnormally high number of these activities in a given period might be worth investigation. Any failed attempt to drop a user or create a user may be worth further review.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='USER' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
AUDIT USER;
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting - Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
5.1.2 Ensure the 'ROLE' Audit Option Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
Description:
The ROLE object allows for the creation of a set of privileges that can be granted to users or other roles. Enabling the audit option causes auditing of all attempts, successful or not, to create, drop, alter or set roles.
Rationale:
Roles are a key database security infrastructure component. Any attempt to create, drop or alter a role should be audited. This statement auditing option also audits attempts, successful or not, to set a role in a session. Any unauthorized attempts to create, drop or alter a role may be worthy of investigation. Attempts to set a role by users without the role privilege may warrant investigation.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='ROLE' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting:
AUDIT ROLE;
Notes:
This option does not audit role grants and revokes.
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting - Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
5.1.3 Ensure the 'SYSTEM GRANT' Audit Option Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
Description:
Enabling the audit option for the SYSTEM GRANT object causes auditing of any attempt, successful or not, to grant or revoke any system privilege or role, regardless of privilege held by the user attempting the operation.
Rationale:
Logging of all grants and revokes (roles and system privileges) can provide forensic evidence about a pattern of suspect/unauthorized activities. Any unauthorized attempt may be cause for further investigation.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='SYSTEM GRANT' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
AUDIT SYSTEM GRANT;
CIS Controls:
Version 6
5.4 Log Administrative User Addition And Removal - Configure systems to issue a log entry and alert when an account is added to or removed from a domain administrators' group, or when a new local administrator account is added on a system.
5.1.4 Ensure the 'PROFILE' Audit Option Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
Description:
The PROFILE object allows for the creation of a set of database resource limits that can be assigned to a user, so that that user cannot exceed those resource limitations. Enabling the audit option causes auditing of all attempts, successful or not, to create, drop or alter any profile.
Rationale:
As profiles are part of the database security infrastructure, auditing the creation, modification, and deletion of profiles is recommended.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='PROFILE' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
AUDIT PROFILE;
Notes:
The statement auditing option audit PROFILE audits everything that the three privilege audits audit CREATE PROFILE, audit DROP PROFILE and audit ALTER PROFILE do, but also audits:
1. Attempts to create a profile by a user without the CREATE PROFILE system privilege.
2. Attempts to drop a profile by a user without the DROP PROFILE system privilege.
3. Attempts to alter a profile by a user without the ALTER PROFILE system privilege.
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting - Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
5.1.5 Ensure the 'DATABASE LINK' Audit Option Is Enabled (Scored)
ProfileApplicability:
• Level1-RDBMSusingTraditionalAuditing
Description:
EnablingtheauditoptionfortheDATABASELINKobjectcausesallactivitiesondatabaselinkstobeaudited.
Rationale:
AstheloggingofuseractivitiesinvolvingthecreationordroppingofaDATABASE LINKcanprovideforensicevidenceaboutapatternofunauthorizedactivities,theauditcapabilityshouldbeenabled.
Audit:
Toassessthisrecommendation,executethefollowingSQLstatement.
SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='DATABASE LINK' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
AUDIT DATABASE LINK;
References:
1. http://docs.oracle.com/database/121/DBSEG/audit_config.htm#DBSEG1115
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
5.1.6 Ensure the 'PUBLIC DATABASE LINK' Audit Option Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
Description:
The PUBLIC DATABASE LINK object allows for the creation of a public link for an application-based "user" to access the database for connections/session creation. Enabling the audit option causes all user activities involving the creation, alteration, or dropping of public links to be audited.
Rationale:
As the logging of user activities involving the creation, alteration, or dropping of a PUBLIC DATABASE LINK can provide forensic evidence about a pattern of unauthorized activities, the audit capability should be enabled.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='PUBLIC DATABASE LINK' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
AUDIT PUBLIC DATABASE LINK;
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
5.1.7 Ensure the 'PUBLIC SYNONYM' Audit Option Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
Description:
The PUBLIC SYNONYM object allows for the creation of an alternate description of an object. Public synonyms are accessible by all users that have the appropriate privileges to the underlying object. Enabling the audit option causes all user activities involving the creation or dropping of public synonyms to be audited.
Rationale:
As the logging of user activities involving the creation or dropping of a PUBLIC SYNONYM can provide forensic evidence about a pattern of unauthorized activities, the audit capability should be enabled.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='PUBLIC SYNONYM' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
AUDIT PUBLIC SYNONYM;
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
5.1.8 Ensure the 'SYNONYM' Audit Option Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
Description:
The SYNONYM operation allows for the creation of an alternative name for a database object such as a Java class schema object, materialized view, operator, package, procedure, sequence, stored function, table, view, user-defined object type, or even another synonym. This synonym puts a dependency on its target and is rendered invalid if the target object is changed/dropped. Enabling the audit option causes all user activities involving the creation or dropping of synonyms to be audited.
Rationale:
As the logging of user activities involving the creation or dropping of a SYNONYM can provide forensic evidence about a pattern of suspect/unauthorized activities, the audit capability should be enabled.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='SYNONYM' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
AUDIT SYNONYM;
References:
1. http://docs.oracle.com/database/121/DBSEG/audit_config.htm#DBSEG1115
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
5.1.9 Ensure the 'DIRECTORY' Audit Option Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
Description:
The DIRECTORY object allows for the creation of a directory object that specifies an alias for a directory on the server file system, where the external binary file LOBs (BFILEs)/table data are located. Enabling this audit option causes all user activities involving the creation or dropping of a directory alias to be audited.
Rationale:
As the logging of user activities involving the creation or dropping of a DIRECTORY can provide forensic evidence about a pattern of unauthorized activities, the audit capability should be enabled.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='DIRECTORY' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
AUDIT DIRECTORY;
References:
1. http://docs.oracle.com/database/121/SQLRF/statements_4007.htm#SQLRF01107
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
5.1.10 Ensure the 'SELECT ANY DICTIONARY' Audit Option Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
Description:
The SELECT ANY DICTIONARY capability allows the user to view the definitions of all schema objects in the database. Enabling the audit option causes all user activities involving this capability to be audited.
Rationale:
As the logging of user activities involving the capability to access the description of all schema objects in the database can provide forensic evidence about a pattern of unauthorized activities, the audit capability should be enabled.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='SELECT ANY DICTIONARY' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
AUDIT SELECT ANY DICTIONARY;
References:
1. http://docs.oracle.com/database/121/DBSEG/guidelines.htm#DBSEG500
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
5.1.11 Ensure the 'GRANT ANY OBJECT PRIVILEGE' Audit Option Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
Description:
GRANT ANY OBJECT PRIVILEGE allows the user to grant or revoke any object privilege, which includes privileges on tables, directories, mining models, etc. Enabling this audit option causes auditing of all uses of that privilege.
Rationale:
Logging of privilege grants that can lead to the creation, alteration, or deletion of critical data, the modification of objects, object privilege propagation and other such activities can be critical to forensic investigations.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE, SUCCESS, FAILURE FROM DBA_PRIV_AUDIT_OPTS WHERE PRIVILEGE='GRANT ANY OBJECT PRIVILEGE' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
AUDIT GRANT ANY OBJECT PRIVILEGE;
Notes:
This does NOT audit all attempts to grant or revoke object privileges since this can also be done by anyone who was granted an object privilege with the grant option. Also, this never creates an audit record for anyone who does not hold the GRANT ANY OBJECT PRIVILEGE system privilege. Therefore, many attempts, successful or not, to grant and revoke object privileges are not audited by this.
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
5.1.12 Ensure the 'GRANT ANY PRIVILEGE' Audit Option Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
Description:
GRANT ANY PRIVILEGE allows a user to grant any system privilege, including the most powerful privileges typically available only to administrators - to change the security infrastructure, to drop/add/modify users and more.
Rationale:
Auditing the use of this privilege is part of a comprehensive auditing policy that can help in detecting issues and can be useful in forensics.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE, SUCCESS, FAILURE FROM DBA_PRIV_AUDIT_OPTS WHERE PRIVILEGE='GRANT ANY PRIVILEGE' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
AUDIT GRANT ANY PRIVILEGE;
Notes:
This does NOT audit all attempts to grant or revoke system privileges since this can also be done by anyone who was granted a system privilege with the admin option. Also, this never creates an audit record for anyone who does not hold the GRANT ANY PRIVILEGE system privilege. Thus, many attempts, successful or not, to grant and revoke system privileges are not audited by this.
CIS Controls:
Version 6
5.4 Log Administrative User Addition And Removal
Configure systems to issue a log entry and alert when an account is added to or removed from a domain administrators' group, or when a new local administrator account is added on a system.
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
5.1.13 Ensure the 'DROP ANY PROCEDURE' Audit Option Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
Description:
The AUDIT DROP ANY PROCEDURE command audits the dropping of procedures. Enabling the option causes auditing of all such activities.
Rationale:
Dropping procedures of another user could be part of a privilege escalation exploit and should be audited.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='DROP ANY PROCEDURE' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
AUDIT DROP ANY PROCEDURE;
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
5.1.14 Ensure the 'ALL' Audit Option on 'SYS.AUD$' Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
Description:
The logging of attempts to alter the audit trail in the SYS.AUD$ table (open for read/update/delete/view) will provide a record of any activities that may indicate unauthorized attempts to access the audit trail. Enabling the audit option will cause these activities to be audited.
Rationale:
As the logging of attempts to alter the SYS.AUD$ table can provide forensic evidence of the initiation of a pattern of unauthorized activities, this logging capability should be enabled.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT * FROM DBA_OBJ_AUDIT_OPTS WHERE OBJECT_NAME='AUD$' AND ALT='A/A' AND AUD='A/A' AND COM='A/A' AND DEL='A/A' AND GRA='A/A' AND IND='A/A' AND INS='A/A' AND LOC='A/A' AND REN='A/A' AND SEL='A/A' AND UPD='A/A' AND FBK='A/A';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
AUDIT ALL ON SYS.AUD$ BY ACCESS;
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
5.1.15 Ensure the 'PROCEDURE' Audit Option Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
Description:
In this statement audit, PROCEDURE means any procedure, function, package or library. Enabling this audit option causes any attempt, successful or not, to create or drop any of these types of objects to be audited, regardless of privilege or lack thereof. Java schema objects (sources, classes, and resources) are considered the same as procedures for the purposes of auditing SQL statements.
Rationale:
Any unauthorized attempts to create or drop a procedure in another's schema should cause concern, whether successful or not. Changes to critical stored code can dramatically change the behavior of the application and produce serious security consequences, including enabling privilege escalation and introducing SQL injection vulnerabilities. Audit records of such changes can be helpful in forensics.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='PROCEDURE' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
AUDIT PROCEDURE;
Notes:
Not all auditing options work alike. In particular, the statement auditing option audit PROCEDURE does indeed audit create and drop library as well as all types of procedures and Java schema objects. However, privilege audits do not work this way. So, for example, none of audit CREATE ANY PROCEDURE, audit DROP ANY PROCEDURE, or audit CREATE PROCEDURE will audit create or drop library activities. In statement auditing, PROCEDURE has a larger scope than in privilege auditing, where it is specific to functions, packages and procedures, but excludes libraries and perhaps other object types.
Audit PROCEDURE does not audit altering procedures, either in your own schema or in another via the ALTER ANY PROCEDURE system privilege. There seems to be no statement audit that is a better replacement for Audit ALTER ANY PROCEDURE, but beware that it will not create any audit records for users that do not have the privilege. Thus, attempts to alter procedures in one's own schema are never audited, and attempts to alter procedures in another's schema that fail for lack of the ALTER ANY PROCEDURE privilege are not audited. This is simply a weakness in the current state of Oracle auditing. Fortunately, though, all that the ALTER command can be used for regarding procedures, functions, packages and libraries is compile options, so the inability to comprehensively audit alter procedure activities and requests is not as bad as it would be for other object types (USER, PROFILE, etc.).
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
5.1.16 Ensure the 'ALTER SYSTEM' Audit Option Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
Description:
ALTER SYSTEM allows one to change instance settings, including security settings and auditing options. Additionally, ALTER SYSTEM can be used to run operating system commands using undocumented Oracle functionality. Enabling the audit option will audit all attempts to perform ALTER SYSTEM, whether successful or not and regardless of whether or not the ALTER SYSTEM privilege is held by the user attempting the action.
Rationale:
Any unauthorized attempt to alter the system should be cause for concern. Alterations outside of some specified maintenance window may be of concern. In forensics, these audit records could be quite useful.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='ALTER SYSTEM' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
AUDIT ALTER SYSTEM;
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
5.1.17 Ensure the 'TRIGGER' Audit Option Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
Description:
A TRIGGER may be used to modify DML actions or invoke other (recursive) actions when some types of user-initiated actions occur. Enabling this audit option will cause auditing of any attempt, successful or not, to create, drop, enable or disable any schema trigger in any schema regardless of privilege or lack thereof. For enabling and disabling a trigger, it covers both ALTER TRIGGER and ALTER TABLE.
Rationale:
Triggers are often part of schema security, data validation and other critical constraints upon actions and data. A trigger in another schema may be used to escalate privileges, redirect operations, transform data and perform other sorts of perhaps undesired actions. Any unauthorized attempt to create, drop or alter a trigger in another schema may be cause for investigation.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='TRIGGER' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
AUDIT TRIGGER;
Notes:
There is no current CIS recommendation to audit the use of the system privilege CREATE TRIGGER, as there is for CREATE SYNONYM, CREATE PROCEDURE and some other types of objects, so this is actually a scope escalation also - to audit such actions in one's own schema. However, this is the only way to comprehensively audit things like attempts to create, drop or alter triggers in another's schema if the user attempting the operation does not hold the required ANY privilege - and these are exactly the sorts of things that should raise a large red flag.
The statement auditing option audit TRIGGER audits almost everything that the three privilege audits audit CREATE ANY TRIGGER, audit ALTER ANY TRIGGER and audit DROP ANY TRIGGER do, but also audits:
1. Statements to create, drop, enable or disable a trigger in the user's own schema.
2. Attempts to create a trigger by a user without the CREATE TRIGGER system privilege.
3. Attempts to create a trigger in another schema by users without the CREATE ANY TRIGGER privilege.
4. Attempts to drop a trigger in another schema by users without the DROP ANY TRIGGER privilege.
5. Attempts to disable or enable a trigger in another schema by users without the ALTER ANY TRIGGER privilege.
The one thing that is audited by any of the three privilege audits that is not audited by this is ALTER TRIGGER ... COMPILE if the trigger is in another's schema, which is audited by audit ALTER ANY TRIGGER, but only if the user attempting the alteration actually holds the ALTER ANY TRIGGER system privilege. Audit TRIGGER only audits ALTER TABLE or ALTER TRIGGER statements used to enable or disable triggers. It does not audit ALTER TRIGGER or ALTER TABLE statements used only with compile options.
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
5.1.18 Ensure the 'CREATE SESSION' Audit Option Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Traditional Auditing
Description:
Enabling this audit option will cause auditing of all attempts to connect to the database, whether successful or not, as well as audit session disconnects/logoffs. The commands to audit SESSION, CONNECT or CREATE SESSION all accomplish the same thing - they initiate statement auditing of the connect statement used to create a database session.
Rationale:
Auditing attempts to connect to the database is basic and mandated by most security initiatives. Any attempt to logon to a locked account, failed attempts to logon to default accounts or an unusually high number of failed logon attempts of any sort, for any user, in a particular time period may indicate an intrusion attempt. In forensics, the logon record may be first in a chain of evidence and contain information found in no other type of audit record for the session. Logon and logoff in the audit trail define the period and duration of the session.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='CREATE SESSION' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';
Lackofresultsimpliesafinding.
Remediation:
ExecutethefollowingSQLstatementtoremediatethissetting.
AUDIT SESSION;
Notes:
Although listed in the documentation as a privilege audit, audit CREATE SESSION actually audits the CONNECT statement. This is evidenced by the undocumented audit CONNECT which has the same result as audit SESSION or audit CREATE SESSION. There is no system privilege named either SESSION or CONNECT (CONNECT is a role, not a system privilege). Also, it behaves as statement auditing rather than privilege auditing in that it audits all attempts to create a session, even if the user does not hold the CREATE SESSION system privilege.
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
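The rationale above says what the logon records are for (spotting failed logons on locked or default accounts, bursts of failures, and the period of a session) but the benchmark stops at enabling the option. The following is an added example, not part of the CIS benchmark text, showing how a DBA would consume those records once AUDIT SESSION is in effect. It uses the standard traditional-audit view DBA_AUDIT_SESSION; the one-hour window, the threshold of five failures and the bind variable :sid are assumed values to be tuned per site.

```sql
-- Added example (not from the CIS benchmark): reviewing the records that
-- AUDIT SESSION (recommendation 5.1.18) writes to the traditional audit trail.

-- 1. Confirm the statement audit option is set at the global level
--    (USER_NAME and PROXY_NAME NULL), as the benchmark's own check requires.
SELECT audit_option, success, failure
  FROM dba_stmt_audit_opts
 WHERE audit_option = 'CREATE SESSION'
   AND user_name IS NULL
   AND proxy_name IS NULL;

-- 2. Failed logons per account and source host in the last hour.
--    RETURNCODE 0 is a successful logon; non-zero is the ORA error that was
--    returned, e.g. 1017 (invalid username/password) or 28000 (account locked),
--    the two cases the rationale calls out. Window (1 hour) and threshold
--    (5 failures) are assumed values.
SELECT username,
       userhost,
       returncode,
       COUNT(*)       AS failures,
       MIN(timestamp) AS first_failure,
       MAX(timestamp) AS last_failure
  FROM dba_audit_session
 WHERE action_name = 'LOGON'
   AND returncode <> 0
   AND timestamp > SYSDATE - 1/24
 GROUP BY username, userhost, returncode
HAVING COUNT(*) >= 5
 ORDER BY failures DESC;

-- 3. Period and duration of one session: the logon timestamp and the
--    LOGOFF_TIME recorded on the same audit row. :sid is a bind variable
--    holding the SESSIONID under investigation (assumed input).
SELECT username,
       userhost,
       timestamp   AS logon_time,
       logoff_time,
       ROUND((logoff_time - timestamp) * 24 * 60, 1) AS session_minutes
  FROM dba_audit_session
 WHERE sessionid = :sid;
```

The second query is the detection counterpart of the rationale's "unusually high number of failed logon attempts": grouping by RETURNCODE separates credential failures from attempts against locked accounts, which usually warrant different follow-up.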
5.2 Unified Auditing
The recommendations in this section should be followed if unified auditing is implemented.
5.2.1 Ensure the 'CREATE USER' Action Audit Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
The CREATE USER statement is used to create Oracle database accounts and assign database properties to them. Enabling this unified action audit causes logging of all CREATE USER statements, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Rationale:
Logging and monitoring of all attempts to create user accounts, whether successful or unsuccessful, may provide clues and forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all activities involving CREATE USER.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'CREATE USER' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS CREATE USER;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
16 Account Monitoring and Control
5.2.2 Ensure the 'ALTER USER' Action Audit Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
The ALTER USER statement is used to change database users' passwords, lock accounts, and expire passwords. In addition, this statement is used to change database properties of user accounts such as database profiles, default and temporary tablespaces, and tablespace quotas. This unified audit action enables logging of all ALTER USER statements, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Rationale:
Logging and monitoring of all attempts to alter user accounts, whether successful or unsuccessful, may provide clues and forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all activities involving ALTER USER.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'ALTER USER' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS ALTER USER;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
16 Account Monitoring and Control
5.2.3 Ensure the 'DROP USER' Audit Option Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
The DROP USER statement is used to drop Oracle database accounts and the schemas associated with them. Enabling this unified action audit enables logging of all DROP USER statements, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Rationale:
Logging and monitoring of all attempts to drop users, whether successful or unsuccessful, may provide clues and forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all activities involving DROP USER.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'DROP USER' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS DROP USER;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
16 Account Monitoring and Control
5.2.4 Ensure the 'CREATE ROLE' Action Audit Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
An Oracle database role is a collection or set of privileges that can be granted to users or other roles. Roles may include system privileges, object privileges or other roles. Enabling this unified audit action enables logging of all CREATE ROLE statements, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Rationale:
Logging and monitoring of all attempts to create roles, whether successful or unsuccessful, may provide clues and forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving CREATE ROLE.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'CREATE ROLE' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS CREATE ROLE;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
16 Account Monitoring and Control
5.2.5 Ensure the 'ALTER ROLE' Action Audit Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
An Oracle database role is a collection or set of privileges that can be granted to users or other roles. Roles may include system privileges, object privileges or other roles. The ALTER ROLE statement is used to change the authorization needed to enable a role. Enabling this unified action audit causes logging of all ALTER ROLE statements, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Rationale:
Logging and monitoring of all attempts to alter roles, whether successful or unsuccessful, may provide clues and forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving alteration of roles.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'ALTER ROLE' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS ALTER ROLE;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
16 Account Monitoring and Control
5.2.6 Ensure the 'DROP ROLE' Action Audit Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
An Oracle database role is a collection or set of privileges that can be granted to users or other roles. Roles may include system privileges, object privileges or other roles. Enabling this unified audit action enables logging of all DROP ROLE statements, successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Rationale:
Logging and monitoring of all attempts to drop roles, whether successful or unsuccessful, may provide clues and forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving DROP ROLE.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'DROP ROLE' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS DROP ROLE;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
16 Account Monitoring and Control
5.2.7 Ensure the 'GRANT' Action Audit Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
GRANT statements are used to grant privileges to Oracle database users and roles, including the most powerful privileges and roles typically available to the database administrators. Enabling this unified action audit enables logging of all GRANT statements, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Rationale:
With unauthorized grants and permissions, a malicious user may be able to change the security of the database, access/update confidential data, or compromise the integrity of the database. Logging and monitoring of all attempts to grant system privileges, object privileges or roles, whether successful or unsuccessful, may provide forensic evidence about potential suspicious/unauthorized activities as well as privilege escalation activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving GRANT.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'GRANT' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS GRANT;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
16 Account Monitoring and Control
5.2.8 Ensure the 'REVOKE' Action Audit Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
REVOKE statements are used to revoke privileges from Oracle database users and roles. Enabling this unified action audit enables logging of all REVOKE statements, successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Rationale:
Logging and monitoring of all attempts to revoke system privileges, object privileges or roles, whether successful or unsuccessful, may provide clues and forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving REVOKE.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'REVOKE' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS REVOKE;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
16 Account Monitoring and Control
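Recommendations 5.2.7 and 5.2.8 explain why GRANT and REVOKE must be audited (privilege escalation, forensic evidence of attempts by users who lack the privilege to grant) but not what to look for afterwards. The following is an added example, not part of the CIS benchmark, showing how a reviewer would query the resulting records in UNIFIED_AUDIT_TRAIL, Oracle's standard unified audit view. The one-day and seven-day windows and the patterns used to flag powerful grants (DBA, ANY privileges, WITH ADMIN OPTION, grants TO PUBLIC) are assumed values to adjust per site.

```sql
-- Added example (not from the CIS benchmark): reviewing GRANT/REVOKE records
-- produced once recommendations 5.2.7 and 5.2.8 are in effect.

-- 1. Every GRANT and REVOKE in the last day, successful or not.
--    RETURN_CODE 0 means the statement succeeded; a non-zero value is the
--    ORA error returned, e.g. 1031 (insufficient privileges). Because the
--    policy audits regardless of the privileges the issuer holds, failed
--    attempts by non-administrators are recorded too.
SELECT event_timestamp,
       dbusername,
       os_username,
       userhost,
       action_name,
       return_code,
       sql_text
  FROM unified_audit_trail
 WHERE action_name IN ('GRANT', 'REVOKE')
   AND event_timestamp > SYSTIMESTAMP - INTERVAL '1' DAY
 ORDER BY event_timestamp DESC;

-- 2. Grants that hand out administrator-level power in the last week.
--    The statement text is matched rather than a catalogue of privilege
--    names, so the patterns are a site-specific assumption.
SELECT event_timestamp,
       dbusername,
       userhost,
       return_code,
       sql_text
  FROM unified_audit_trail
 WHERE action_name = 'GRANT'
   AND event_timestamp > SYSTIMESTAMP - INTERVAL '7' DAY
   AND (   REGEXP_LIKE(sql_text, '\sDBA(\s|,|$)',        'i')   -- DBA role
        OR REGEXP_LIKE(sql_text, '\sANY\s',              'i')   -- *ANY* privileges
        OR REGEXP_LIKE(sql_text, 'WITH\s+ADMIN\s+OPTION','i')   -- re-grantable
        OR REGEXP_LIKE(sql_text, 'TO\s+PUBLIC',          'i'))  -- everyone
 ORDER BY event_timestamp DESC;

-- 3. Who is issuing grants at all: one row per issuing account with
--    success and failure counts, useful for spotting an account that
--    never grants privileges suddenly doing so.
SELECT dbusername,
       SUM(CASE WHEN return_code = 0 THEN 1 ELSE 0 END) AS succeeded,
       SUM(CASE WHEN return_code <> 0 THEN 1 ELSE 0 END) AS failed
  FROM unified_audit_trail
 WHERE action_name IN ('GRANT', 'REVOKE')
   AND event_timestamp > SYSTIMESTAMP - INTERVAL '7' DAY
 GROUP BY dbusername
 ORDER BY failed DESC, succeeded DESC;
```

On 12.1 in the default queued-write mode the newest records may still sit in memory; DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL writes them to the trail before a review, so run it first when the results look incomplete.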
5.2.9 Ensure the 'CREATE PROFILE' Action Audit Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
Oracle database profiles are used to enforce resource usage limits and implement password policies such as password complexity rules and reuse restrictions. Enabling this unified action audit enables logging of all CREATE PROFILE statements, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Rationale:
Logging and monitoring of all attempts to create profiles, whether successful or unsuccessful, may provide clues and forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving creation of database profiles.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'CREATE PROFILE' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS CREATE PROFILE;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
5.2.10 Ensure the 'ALTER PROFILE' Action Audit Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
Oracle database profiles are used to enforce resource usage limits and implement password policies such as password complexity rules and reuse restrictions. Enabling this unified action audit enables logging of all ALTER PROFILE statements, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Rationale:
Logging and monitoring of all attempts to alter profiles, whether successful or unsuccessful, may provide forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving alteration of database profiles.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'ALTER PROFILE' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS ALTER PROFILE;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
5.2.11 Ensure the 'DROP PROFILE' Action Audit Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
Oracle database profiles are used to enforce resource usage limits and implement password policies such as password complexity rules and reuse restrictions. Enabling this unified action audit enables logging of all DROP PROFILE statements, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Rationale:
Logging and monitoring of all attempts to drop profiles, whether successful or unsuccessful, may provide clues and forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving dropping database profiles.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'DROP PROFILE' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS DROP PROFILE;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
5.2.12 Ensure the 'CREATE DATABASE LINK' Action Audit Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
Oracle database links are used to establish database-to-database connections to other databases. These connections are available without further authentication once the link is established. Enabling this unified action audit causes logging of all CREATE DATABASE LINK and CREATE PUBLIC DATABASE LINK statements, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Rationale:
Logging and monitoring of all attempts to create database links, whether successful or unsuccessful, may provide forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving creation of database links.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE
FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED
WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME
  AND AUD.AUDIT_OPTION = 'CREATE DATABASE LINK'
  AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION'
  AND ENABLED.SUCCESS = 'YES'
  AND ENABLED.FAILURE = 'YES'
  AND ENABLED.ENABLED_OPT = 'BY'
  AND ENABLED.USER_NAME = 'ALL USERS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS CREATE DATABASE LINK;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
5.2.13 Ensure the 'ALTER DATABASE LINK' Action Audit Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
Oracle database links are used to establish database-to-database connections to other databases. These connections are always available without further authentication once the link is established. Enabling this unified action audit causes logging of all ALTER DATABASE LINK and ALTER PUBLIC DATABASE LINK statements, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Rationale:
Logging and monitoring of all attempts to alter database links, whether successful or unsuccessful, may provide forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving alteration of database links.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE
FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED
WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME
  AND AUD.AUDIT_OPTION = 'ALTER DATABASE LINK'
  AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION'
  AND ENABLED.SUCCESS = 'YES'
  AND ENABLED.FAILURE = 'YES'
  AND ENABLED.ENABLED_OPT = 'BY'
  AND ENABLED.USER_NAME = 'ALL USERS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS ALTER DATABASE LINK;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
5.2.14 Ensure the 'DROP DATABASE LINK' Action Audit Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
Oracle database links are used to establish database-to-database connections to other databases. These connections are always available without further authentication once the link is established. Enabling this unified action audit causes logging of all DROP DATABASE LINK and DROP PUBLIC DATABASE LINK statements, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Rationale:
Logging and monitoring of all attempts to drop database links, whether successful or unsuccessful, may provide forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving dropping database links.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE
FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED
WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME
  AND AUD.AUDIT_OPTION = 'DROP DATABASE LINK'
  AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION'
  AND ENABLED.SUCCESS = 'YES'
  AND ENABLED.FAILURE = 'YES'
  AND ENABLED.ENABLED_OPT = 'BY'
  AND ENABLED.USER_NAME = 'ALL USERS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS DROP DATABASE LINK;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
5.2.15 Ensure the 'CREATE SYNONYM' Action Audit Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
An Oracle database synonym is used to create an alternative name for a database object such as a table, view, procedure, Java object, or even another synonym. Enabling this unified action audit causes logging of all CREATE SYNONYM and CREATE PUBLIC SYNONYM statements, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Rationale:
Logging and monitoring of all attempts to create synonyms, whether successful or unsuccessful, may provide clues and forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving creation of synonyms or public synonyms.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE
FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED
WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME
  AND AUD.AUDIT_OPTION = 'CREATE SYNONYM'
  AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION'
  AND ENABLED.SUCCESS = 'YES'
  AND ENABLED.FAILURE = 'YES'
  AND ENABLED.ENABLED_OPT = 'BY'
  AND ENABLED.USER_NAME = 'ALL USERS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS CREATE SYNONYM;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
5.2.16 Ensure the 'ALTER SYNONYM' Action Audit Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
An Oracle database synonym is used to create an alternative name for a database object such as a table, view, procedure, Java object, or even another synonym. Enabling this unified action audit causes logging of all ALTER SYNONYM and ALTER PUBLIC SYNONYM statements, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Rationale:
Logging and monitoring of all attempts to alter synonyms, whether successful or unsuccessful, may provide clues and forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving alteration of synonyms or public synonyms.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE
FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED
WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME
  AND AUD.AUDIT_OPTION = 'ALTER SYNONYM'
  AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION'
  AND ENABLED.SUCCESS = 'YES'
  AND ENABLED.FAILURE = 'YES'
  AND ENABLED.ENABLED_OPT = 'BY'
  AND ENABLED.USER_NAME = 'ALL USERS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS ALTER SYNONYM;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
5.2.17 Ensure the 'DROP SYNONYM' Action Audit Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
An Oracle database synonym is used to create an alternative name for a database object such as a table, view, procedure, Java object, or even another synonym. Enabling this unified action audit causes logging of all DROP SYNONYM and DROP PUBLIC SYNONYM statements, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Rationale:
Logging and monitoring of all attempts to drop synonyms, whether successful or unsuccessful, may provide forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving dropping of synonyms or public synonyms.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE
FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED
WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME
  AND AUD.AUDIT_OPTION = 'DROP SYNONYM'
  AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION'
  AND ENABLED.SUCCESS = 'YES'
  AND ENABLED.FAILURE = 'YES'
  AND ENABLED.ENABLED_OPT = 'BY'
  AND ENABLED.USER_NAME = 'ALL USERS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS DROP SYNONYM;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
5.2.18 Ensure the 'SELECT ANY DICTIONARY' Privilege Audit Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
The SELECT ANY DICTIONARY system privilege allows the user to view the definition of all schema objects in the database. It grants SELECT privileges on the data dictionary objects to the grantees, including SELECT on DBA_ views, V$ views, X$ views and underlying SYS tables such as TAB$ and OBJ$. This privilege also allows grantees to create stored objects such as procedures, packages and views on the underlying data dictionary objects. Please note that this privilege does not grant SELECT on tables with password hashes such as USER$, DEFAULT_PWD$, LINK$, and USER_HISTORY$. Enabling this audit causes logging of activities that exercise this privilege.
Rationale:
Logging and monitoring of all attempts to access a data dictionary, whether successful or unsuccessful, may provide clues and forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving access to the database.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE
FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED
WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME
  AND AUD.AUDIT_OPTION = 'SELECT ANY DICTIONARY'
  AND AUD.AUDIT_OPTION_TYPE = 'SYSTEM PRIVILEGE'
  AND ENABLED.SUCCESS = 'YES'
  AND ENABLED.FAILURE = 'YES'
  AND ENABLED.ENABLED_OPT = 'BY'
  AND ENABLED.USER_NAME = 'ALL USERS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD PRIVILEGES SELECT ANY DICTIONARY;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
5.2.19 Ensure the 'UNIFIED_AUDIT_TRAIL' Access Audit Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
The UNIFIED_AUDIT_TRAIL view holds audit trail records generated by the database. Enabling this audit action causes logging of all access attempts to the UNIFIED_AUDIT_TRAIL view, whether successful or unsuccessful, regardless of the privileges held by the users to issue such statements.
Rationale:
Logging and monitoring of all attempts to access the UNIFIED_AUDIT_TRAIL view, whether successful or unsuccessful, may provide clues and forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving access to this view.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE
FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED
WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME
  AND AUD.AUDIT_OPTION = 'ALL'
  AND AUD.AUDIT_OPTION_TYPE = 'OBJECT ACTION'
  AND AUD.OBJECT_SCHEMA = 'SYS'
  AND AUD.OBJECT_NAME = 'UNIFIED_AUDIT_TRAIL'
  AND ENABLED.SUCCESS = 'YES'
  AND ENABLED.FAILURE = 'YES'
  AND ENABLED.ENABLED_OPT = 'BY'
  AND ENABLED.USER_NAME = 'ALL USERS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS ALL ON SYS.UNIFIED_AUDIT_TRAIL;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
5.2.20 Ensure the 'CREATE PROCEDURE/FUNCTION/PACKAGE/PACKAGE BODY' Action Audit Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
Oracle database procedures, functions, packages, and package bodies, which are stored within the database, are created to perform business functions and access the database as defined by the PL/SQL code and SQL statements contained within these objects. Enabling this unified action audit causes logging of all CREATE PROCEDURE, CREATE FUNCTION, CREATE PACKAGE and CREATE PACKAGE BODY statements, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Rationale:
Logging and monitoring of all attempts to create procedures, functions, packages or package bodies, whether successful or unsuccessful, may provide clues and forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving creation of procedures, functions, packages or package bodies.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT *
FROM AUDIT_UNIFIED_ENABLED_POLICIES ENABLED
WHERE ENABLED.SUCCESS = 'YES'
  AND ENABLED.FAILURE = 'YES'
  AND ENABLED.ENABLED_OPT = 'BY'
  AND ENABLED.USER_NAME = 'ALL USERS'
  AND EXISTS (SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD
              WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME
                AND AUD.AUDIT_OPTION = 'CREATE PROCEDURE'
                AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION')
  AND EXISTS (SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD
              WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME
                AND AUD.AUDIT_OPTION = 'CREATE FUNCTION'
                AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION')
  AND EXISTS (SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD
              WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME
                AND AUD.AUDIT_OPTION = 'CREATE PACKAGE'
                AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION')
  AND EXISTS (SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD
              WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME
                AND AUD.AUDIT_OPTION = 'CREATE PACKAGE BODY'
                AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION');
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS CREATE PROCEDURE, CREATE FUNCTION, CREATE PACKAGE, CREATE PACKAGE BODY;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
5.2.21 Ensure the 'ALTER PROCEDURE/FUNCTION/PACKAGE/PACKAGE BODY' Action Audit Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
Oracle database procedures, functions, packages, and package bodies, which are stored within the database, are created to carry out business functions and access the database as defined by the PL/SQL code and SQL statements contained within these objects. Enabling this unified action audit causes logging of all ALTER PROCEDURE, ALTER FUNCTION, ALTER PACKAGE and ALTER PACKAGE BODY statements, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Rationale:
Unauthorized alteration of procedures, functions, packages or package bodies may impact critical business functions or compromise the integrity of the database. Logging and monitoring of all attempts, whether successful or unsuccessful, to alter procedures, functions, packages or package bodies may provide clues and forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving alteration of procedures, functions, packages or package bodies.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT *
FROM AUDIT_UNIFIED_ENABLED_POLICIES ENABLED
WHERE ENABLED.SUCCESS = 'YES'
  AND ENABLED.FAILURE = 'YES'
  AND ENABLED.ENABLED_OPT = 'BY'
  AND ENABLED.USER_NAME = 'ALL USERS'
  AND EXISTS (SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD
              WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME
                AND AUD.AUDIT_OPTION = 'ALTER PROCEDURE'
                AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION')
  AND EXISTS (SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD
              WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME
                AND AUD.AUDIT_OPTION = 'ALTER FUNCTION'
                AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION')
  AND EXISTS (SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD
              WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME
                AND AUD.AUDIT_OPTION = 'ALTER PACKAGE'
                AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION')
  AND EXISTS (SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD
              WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME
                AND AUD.AUDIT_OPTION = 'ALTER PACKAGE BODY'
                AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION');
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS ALTER PROCEDURE, ALTER FUNCTION, ALTER PACKAGE, ALTER PACKAGE BODY;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
5.2.22 Ensure the 'DROP PROCEDURE/FUNCTION/PACKAGE/PACKAGE BODY' Action Audit Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
Oracle database procedures, functions, packages, and package bodies, which are stored within the database, are created to carry out business functions and access the database as defined by the PL/SQL code and SQL statements contained within these objects. Enabling this unified action audit causes logging of all DROP PROCEDURE, DROP FUNCTION, DROP PACKAGE or DROP PACKAGE BODY statements, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Rationale:
Logging and monitoring of all attempts, whether successful or unsuccessful, to drop procedures, functions, packages or package bodies may provide forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving dropping procedures, functions, packages or package bodies.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT *
FROM AUDIT_UNIFIED_ENABLED_POLICIES ENABLED
WHERE ENABLED.SUCCESS = 'YES'
  AND ENABLED.FAILURE = 'YES'
  AND ENABLED.ENABLED_OPT = 'BY'
  AND ENABLED.USER_NAME = 'ALL USERS'
  AND EXISTS (SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD
              WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME
                AND AUD.AUDIT_OPTION = 'DROP PROCEDURE'
                AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION')
  AND EXISTS (SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD
              WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME
                AND AUD.AUDIT_OPTION = 'DROP FUNCTION'
                AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION')
  AND EXISTS (SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD
              WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME
                AND AUD.AUDIT_OPTION = 'DROP PACKAGE'
                AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION')
  AND EXISTS (SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD
              WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME
                AND AUD.AUDIT_OPTION = 'DROP PACKAGE BODY'
                AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION');
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS DROP PROCEDURE, DROP FUNCTION, DROP PACKAGE, DROP PACKAGE BODY;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
5.2.23 Ensure the 'ALTER SYSTEM' Privilege Audit Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
The ALTER SYSTEM privilege allows the user to change instance settings which could impact security posture, performance or normal operation of the database. Additionally, the ALTER SYSTEM privilege may be used to run operating system commands using undocumented Oracle functionality. Enabling this unified audit causes logging of activities that involve exercise of this privilege, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Rationale:
Logging and monitoring of all attempts to execute ALTER SYSTEM statements, whether successful or unsuccessful, may provide forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities that involve ALTER SYSTEM statements.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE
FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED
WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME
  AND AUD.AUDIT_OPTION = 'ALTER SYSTEM'
  AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION'
  AND ENABLED.SUCCESS = 'YES'
  AND ENABLED.FAILURE = 'YES'
  AND ENABLED.ENABLED_OPT = 'BY'
  AND ENABLED.USER_NAME = 'ALL USERS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS ALTER SYSTEM;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
5.2.24 Ensure the 'CREATE TRIGGER' Action Audit Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
Oracle database triggers are executed automatically when specified conditions on the underlying objects occur. Trigger bodies contain the code, quite often to perform data validation, ensure data integrity/security or enforce critical constraints on allowable actions on data. Enabling this unified audit causes logging of all CREATE TRIGGER statements, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Rationale:
Logging and monitoring of all attempts to create triggers, whether successful or unsuccessful, may provide clues and forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving creation of triggers.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE
FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED
WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME
  AND AUD.AUDIT_OPTION = 'CREATE TRIGGER'
  AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION'
  AND ENABLED.SUCCESS = 'YES'
  AND ENABLED.FAILURE = 'YES'
  AND ENABLED.ENABLED_OPT = 'BY'
  AND ENABLED.USER_NAME = 'ALL USERS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS CREATE TRIGGER;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
5.2.25 Ensure the 'ALTER TRIGGER' Action Audit Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
Oracle database triggers are executed automatically when specified conditions on the underlying objects occur. Trigger bodies contain the code, quite often to perform data validation, ensure data integrity/security or enforce critical constraints on allowable actions on data. Enabling this unified audit causes logging of all ALTER TRIGGER statements, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Rationale:
Unauthorized alteration of triggers may impact critical business functions or compromise integrity/security of the database. Logging and monitoring of all attempts to alter triggers, whether successful or unsuccessful, may provide clues and forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving alteration of triggers.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE
FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED
WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME
  AND AUD.AUDIT_OPTION = 'ALTER TRIGGER'
  AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION'
  AND ENABLED.SUCCESS = 'YES'
  AND ENABLED.FAILURE = 'YES'
  AND ENABLED.ENABLED_OPT = 'BY'
  AND ENABLED.USER_NAME = 'ALL USERS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS ALTER TRIGGER;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
5.2.26 Ensure the 'DROP TRIGGER' Action Audit Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
Oracle database triggers are executed automatically when specified conditions on the underlying objects occur. Trigger bodies contain the code, quite often to perform data validation, ensure data integrity/security or enforce critical constraints on allowable actions on data. Enabling this unified audit causes logging of all DROP TRIGGER statements, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Rationale:
Logging and monitoring of all attempts to drop triggers, whether successful or unsuccessful, may provide forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving dropping triggers.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE
FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED
WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME
  AND AUD.AUDIT_OPTION = 'DROP TRIGGER'
  AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION'
  AND ENABLED.SUCCESS = 'YES'
  AND ENABLED.FAILURE = 'YES'
  AND ENABLED.ENABLED_OPT = 'BY'
  AND ENABLED.USER_NAME = 'ALL USERS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS DROP TRIGGER;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
5.2.27 Ensure the 'LOGON' and 'LOGOFF' Actions Audit Is Enabled (Scored)
Profile Applicability:
• Level 1 - RDBMS using Unified Auditing
Description:
Oracle database users log on to the database to perform their work. Enabling this unified audit causes logging of all LOGON actions, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to log in to the database. In addition, LOGOFF action audit captures logoff activities. This audit action also captures logon/logoff to the open database by SYSDBA and SYSOPER.
Rationale:
Logging and monitoring of all attempts to log on to the database, whether successful or unsuccessful, may provide forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving LOGON and LOGOFF.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT *
FROM AUDIT_UNIFIED_ENABLED_POLICIES ENABLED
WHERE ENABLED.SUCCESS = 'YES'
  AND ENABLED.FAILURE = 'YES'
  AND ENABLED.ENABLED_OPT = 'BY'
  AND ENABLED.USER_NAME = 'ALL USERS'
  AND EXISTS (SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD
              WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME
                AND AUD.AUDIT_OPTION = 'LOGON'
                AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION')
  AND EXISTS (SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD
              WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME
                AND AUD.AUDIT_OPTION = 'LOGOFF'
                AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION');
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS LOGON, LOGOFF;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
16 Account Monitoring and Control
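Recommendations 5.2.22 through 5.2.27 all test the same three conditions: the action sits in a unified audit policy, that policy is enabled with BY for ALL USERS, and both SUCCESS and FAILURE are YES. The script below is an added example, not benchmark text: it first creates and enables the CIS_UNIFIED_AUDIT_POLICY that the remediation steps and their notes refer to, covering all ten actions from those six recommendations at once, and then generalizes the per-action audit queries into one gap report that lists every expected action not yet audited under those conditions. The gap report is my own construction; unlike the benchmark's queries for 5.2.22 and 5.2.27, it accepts an action covered by any qualifying enabled policy rather than requiring all actions of a recommendation to sit in a single policy.

```sql
-- Added example (not benchmark text). Run as a user with AUDIT_ADMIN.
-- Create the policy the remediation steps assume, covering 5.2.22-5.2.27
-- in one statement. If CIS_UNIFIED_AUDIT_POLICY already exists, skip this
-- and use the ALTER AUDIT POLICY ... ADD ACTIONS statement from each
-- recommendation instead.
CREATE AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY
  ACTIONS DROP PROCEDURE, DROP FUNCTION, DROP PACKAGE, DROP PACKAGE BODY,
          ALTER SYSTEM,
          CREATE TRIGGER, ALTER TRIGGER, DROP TRIGGER,
          LOGON, LOGOFF;

-- Enabling the policy with no BY/EXCEPT clause applies it to all users, and
-- omitting the WHENEVER clause audits both successful and failed attempts.
-- That is exactly the state the benchmark queries look for:
-- ENABLED_OPT = 'BY', USER_NAME = 'ALL USERS', SUCCESS = 'YES', FAILURE = 'YES'.
AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY;

-- Gap report (my construction): one row per expected action that is NOT
-- covered by an enabled policy meeting the benchmark's conditions. No rows
-- means no finding for 5.2.22-5.2.27; each row returned is an action still
-- to be added with ALTER AUDIT POLICY ... ADD ACTIONS.
WITH expected (audit_option) AS (
  SELECT 'DROP PROCEDURE'    FROM DUAL UNION ALL
  SELECT 'DROP FUNCTION'     FROM DUAL UNION ALL
  SELECT 'DROP PACKAGE'      FROM DUAL UNION ALL
  SELECT 'DROP PACKAGE BODY' FROM DUAL UNION ALL
  SELECT 'ALTER SYSTEM'      FROM DUAL UNION ALL
  SELECT 'CREATE TRIGGER'    FROM DUAL UNION ALL
  SELECT 'ALTER TRIGGER'     FROM DUAL UNION ALL
  SELECT 'DROP TRIGGER'      FROM DUAL UNION ALL
  SELECT 'LOGON'             FROM DUAL UNION ALL
  SELECT 'LOGOFF'            FROM DUAL
)
SELECT e.audit_option AS missing_action
FROM   expected e
WHERE  NOT EXISTS (
         SELECT 1
         FROM   AUDIT_UNIFIED_POLICIES aud
         JOIN   AUDIT_UNIFIED_ENABLED_POLICIES enabled
                ON enabled.policy_name = aud.policy_name
         WHERE  aud.audit_option      = e.audit_option
           AND  aud.audit_option_type = 'STANDARD ACTION'
           AND  enabled.success       = 'YES'
           AND  enabled.failure       = 'YES'
           AND  enabled.enabled_opt   = 'BY'
           AND  enabled.user_name     = 'ALL USERS'
       )
ORDER BY e.audit_option;
```

Extending the expected list with the actions from 5.2.1 through 5.2.21 turns the same query into a single check for the whole Unified Auditing subsection.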
6 Appendix: Establishing an Audit/Scan User
This document has been authored with the expectation that a user with appropriate permissions will be used to execute the queries and perform other assessment actions. While this could be accomplished by granting DBA privileges to a given user, the preferred approach is to create a dedicated user and grant only the specific permissions required to perform the assessments expressed herein. Doing this avoids the necessity for any user assessing the system to be granted DBA privileges.
The recommendations expressed in this document assume the presence of a role named CISSCANROLE and a user named CISSCAN. This role and user should be created by executing the following SQL statements, being careful to substitute an appropriate password for <password>.
-- Create the role
CREATE ROLE CISSCANROLE;
-- Grant necessary privileges to the role
GRANT CREATE SESSION TO CISSCANROLE;
GRANT SELECT ON V_$PARAMETER TO CISSCANROLE;
GRANT SELECT ON DBA_TAB_PRIVS TO CISSCANROLE;
GRANT SELECT ON DBA_PROFILES TO CISSCANROLE;
GRANT SELECT ON DBA_SYS_PRIVS TO CISSCANROLE;
GRANT SELECT ON DBA_STMT_AUDIT_OPTS TO CISSCANROLE;
GRANT SELECT ON DBA_ROLE_PRIVS TO CISSCANROLE;
GRANT SELECT ON DBA_OBJ_AUDIT_OPTS TO CISSCANROLE;
GRANT SELECT ON DBA_PRIV_AUDIT_OPTS TO CISSCANROLE;
GRANT SELECT ON DBA_PROXIES TO CISSCANROLE;
GRANT SELECT ON DBA_USERS TO CISSCANROLE;
GRANT SELECT ON DBA_USERS_WITH_DEFPWD TO CISSCANROLE;
GRANT AUDIT_VIEWER TO CISSCANROLE;
-- Create the user and assign the user to the role
CREATE USER CISSCAN IDENTIFIED BY <password>;
GRANT CISSCANROLE TO CISSCAN;
If you rely on similar roles and/or users, but they are not named CISSCANROLE or CISSCAN, or if you have roles or users named CISSCANROLE or CISSCAN intended to be used for different purposes, be aware that some recommendations herein explicitly name CISSCANROLE and CISSCAN.
These are:
• 3.10 Ensure No Users Are Assigned the DEFAULT Profile
• 4.5.5 Ensure 'ALL' Is Revoked from Unauthorized GRANTEE on DBA_%
Note: Different organizations may wish to follow the instructions in this appendix in different ways. For more permanent or regular assessment scans, it may be acceptable to retain the CISSCANROLE and CISSCAN user indefinitely. However, in a consultative context where an assessment is perhaps run at the outset of the consulting engagement and again closer to the end, after any remediation has been performed, the CISSCANROLE role and CISSCAN user may be dropped. Such a decision is ultimately left up to the implementing organization.
Appendix: Summary Table
Control (each row: Set Correctly? Yes / No, marked as "o o")
1 Oracle Database Installation and Patching Requirements
1.1 Ensure the Appropriate Version/Patches for Oracle Software Is Installed (Not Scored)  o o
1.2 Ensure All Default Passwords Are Changed (Scored)  o o
1.3 Ensure All Sample Data And Users Have Been Removed (Scored)  o o
2 Oracle Parameter Settings
2.1 Listener Settings
2.1.1 Ensure 'SECURE_CONTROL_<listener_name>' Is Set In 'listener.ora' (Scored)  o o
2.1.2 Ensure 'extproc' Is Not Present in 'listener.ora' (Scored)  o o
2.1.3 Ensure 'ADMIN_RESTRICTIONS_<listener_name>' Is Set to 'ON' (Scored)  o o
2.1.4 Ensure 'SECURE_REGISTER_<listener_name>' Is Set to 'TCPS' or 'IPC' (Scored)  o o
2.2 Database Settings
2.2.1 Ensure 'AUDIT_SYS_OPERATIONS' Is Set to 'TRUE' (Scored)  o o
2.2.2 Ensure 'AUDIT_TRAIL' Is Set to 'DB', 'XML', 'OS', 'DB,EXTENDED', or 'XML,EXTENDED' (Scored)  o o
2.2.3 Ensure 'GLOBAL_NAMES' Is Set to 'TRUE' (Scored)  o o
2.2.4 Ensure 'O7_DICTIONARY_ACCESSIBILITY' Is Set to 'FALSE' (Scored)  o o
2.2.5 Ensure 'OS_ROLES' Is Set to 'FALSE' (Scored)  o o
2.2.6 Ensure 'REMOTE_LISTENER' Is Empty (Scored)  o o
2.2.7 Ensure 'REMOTE_LOGIN_PASSWORDFILE' Is Set to 'NONE' (Scored)  o o
2.2.8 Ensure 'REMOTE_OS_AUTHENT' Is Set to 'FALSE' (Scored)  o o
2.2.9 Ensure 'REMOTE_OS_ROLES' Is Set to 'FALSE' (Scored)  o o
2.2.10 Ensure 'UTL_FILE_DIR' Is Empty (Scored)  o o
2.2.11 Ensure 'SEC_CASE_SENSITIVE_LOGON' Is Set to 'TRUE' (Scored)  o o
2.2.12 Ensure 'SEC_MAX_FAILED_LOGIN_ATTEMPTS' Is '3' or Less (Scored)  o o
2.2.13 Ensure 'SEC_PROTOCOL_ERROR_FURTHER_ACTION' Is Set to 'DROP,3' (Scored)  o o
2.2.14 Ensure 'SEC_PROTOCOL_ERROR_TRACE_ACTION' Is Set to 'LOG' (Scored)  o o
2.2.15 Ensure 'SEC_RETURN_SERVER_RELEASE_BANNER' Is Set to 'FALSE' (Scored)  o o
2.2.16 Ensure 'SQL92_SECURITY' Is Set to 'TRUE' (Scored)  o o
2.2.17 Ensure '_trace_files_public' Is Set to 'FALSE' (Scored)  o o
2.2.18 Ensure 'RESOURCE_LIMIT' Is Set to 'TRUE' (Scored)  o o
3 Oracle Connection and Login Restrictions
3.1 Ensure 'FAILED_LOGIN_ATTEMPTS' Is Less than or Equal to '5' (Scored)  o o
3.2 Ensure 'PASSWORD_LOCK_TIME' Is Greater than or Equal to '1' (Scored)  o o
3.3 Ensure 'PASSWORD_LIFE_TIME' Is Less than or Equal to '90' (Scored)  o o
3.4 Ensure 'PASSWORD_REUSE_MAX' Is Greater than or Equal to '20' (Scored)  o o
3.5 Ensure 'PASSWORD_REUSE_TIME' Is Greater than or Equal to '365' (Scored)  o o
3.6 Ensure 'PASSWORD_GRACE_TIME' Is Less than or Equal to '5' (Scored)  o o
3.7 Ensure 'DBA_USERS.PASSWORD' Is Not Set to 'EXTERNAL' for Any User (Scored)  o o
3.8 Ensure 'PASSWORD_VERIFY_FUNCTION' Is Set for All Profiles (Scored)  o o
3.9 Ensure 'SESSIONS_PER_USER' Is Less than or Equal to '10' (Scored)  o o
3.10 Ensure No Users Are Assigned the 'DEFAULT' Profile (Scored)  o o
4 Oracle User Access and Authorization Restrictions
4.1 Default Public Privileges for Packages and Object Types
4.1.1 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_ADVISOR' (Scored)  o o
4.1.2 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_CRYPTO' (Scored)  o o
4.1.3 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_JAVA' (Scored)  o o
4.1.4 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_JAVA_TEST' (Scored)  o o
4.1.5 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_JOB' (Scored)  o o
4.1.6 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_LDAP' (Scored)  o o
4.1.7 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_LOB' (Scored)  o o
4.1.8 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_OBFUSCATION_TOOLKIT' (Scored)  o o
4.1.9 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_RANDOM' (Scored)  o o
4.1.10 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_SCHEDULER' (Scored)  o o
4.1.11 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_SQL' (Scored)  o o
4.1.12 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_XMLGEN' (Scored)  o o
4.1.13 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_XMLQUERY' (Scored)  o o
4.1.14 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_FILE' (Scored)  o o
4.1.15 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_INADDR' (Scored)  o o
4.1.16 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_TCP' (Scored)  o o
4.1.17 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_MAIL' (Scored)  o o
4.1.18 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_SMTP' (Scored)  o o
4.1.19 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_DBWS' (Scored)  o o
4.1.20 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_ORAMTS' (Scored)  o o
4.1.21 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_HTTP' (Scored)  o o
4.1.22 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'HTTPURITYPE' (Scored)  o o
4.1.23 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_XMLSTORE' (Scored)  o o
4.1.24 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_XMLSAVE' (Scored)  o o
4.1.25 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_REDACT' (Scored)  o o
4.2 Revoke Non-Default Privileges for Packages and Object Types
4.2.1 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_SYS_SQL' (Scored)  o o
4.2.2 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_BACKUP_RESTORE' (Scored)  o o
4.2.3 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_AQADM_SYSCALLS' (Scored)  o o
4.2.4 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_REPCAT_SQL_UTL' (Scored)  o o
4.2.5 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'INITJVMAUX' (Scored)  o o
4.2.6 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_STREAMS_ADM_UTL' (Scored)  o o
4.2.7 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_AQADM_SYS' (Scored)  o o
4.2.8 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_STREAMS_RPC' (Scored)  o o
4.2.9 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_PRVTAQIM' (Scored)  o o
4.2.10 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'LTADM' (Scored)  o o
4.2.11 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'WWV_DBMS_SQL' (Scored)  o o
4.2.12 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'WWV_EXECUTE_IMMEDIATE' (Scored)  o o
4.2.13 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_IJOB' (Scored)  o o
4.2.14 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_FILE_TRANSFER' (Scored)  o o
4.3 Revoke Excessive System Privileges
4.3.1 Ensure 'SELECT ANY DICTIONARY' Is Revoked from Unauthorized 'GRANTEE' (Scored)  o o
4.3.2 Ensure 'SELECT ANY TABLE' Is Revoked from Unauthorized 'GRANTEE' (Scored)  o o
4.3.3 Ensure 'AUDIT SYSTEM' Is Revoked from Unauthorized 'GRANTEE' (Scored)  o o
4.3.4 Ensure 'EXEMPT ACCESS POLICY' Is Revoked from Unauthorized 'GRANTEE' (Scored)  o o
4.3.5 Ensure 'BECOME USER' Is Revoked from Unauthorized 'GRANTEE' (Scored)  o o
4.3.6 Ensure 'CREATE_PROCEDURE' Is Revoked from Unauthorized 'GRANTEE' (Scored)  o o
4.3.7 Ensure 'ALTER SYSTEM' Is Revoked from Unauthorized 'GRANTEE' (Scored)  o o
4.3.8 Ensure 'CREATE ANY LIBRARY' Is Revoked from Unauthorized 'GRANTEE' (Scored)  o o
4.3.9 Ensure 'CREATE LIBRARY' Is Revoked from Unauthorized 'GRANTEE' (Scored)  o o
4.3.10 Ensure 'GRANT ANY OBJECT PRIVILEGE' Is Revoked from Unauthorized 'GRANTEE' (Scored)  o o
4.3.11 Ensure 'GRANT ANY ROLE' Is Revoked from Unauthorized 'GRANTEE' (Scored)  o o
4.3.12 Ensure 'GRANT ANY PRIVILEGE' Is Revoked from Unauthorized 'GRANTEE' (Scored)  o o
4.4 Revoke Role Privileges
4.4.1 Ensure 'DELETE_CATALOG_ROLE' Is Revoked from Unauthorized 'GRANTEE' (Scored)  o o
4.4.2 Ensure 'SELECT_CATALOG_ROLE' Is Revoked from Unauthorized 'GRANTEE' (Scored)  o o
4.4.3 Ensure 'EXECUTE_CATALOG_ROLE' Is Revoked from Unauthorized 'GRANTEE' (Scored)  o o
4.4.4 Ensure 'DBA' Is Revoked from Unauthorized 'GRANTEE' (Scored)  o o
4.5 Revoke Excessive Table and View Privileges
4.5.1 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'AUD$' (Scored)  o o
4.5.2 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'USER_HISTORY$' (Scored)  o o
4.5.3 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'LINK$' (Scored)  o o
4.5.4 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'SYS.USER$' (Scored)  o o
4.5.5 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'DBA_%' (Scored)  o o
4.5.6 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'SYS.SCHEDULER$_CREDENTIAL' (Scored)  o o
4.5.7 Ensure 'SYS.USER$MIG' Has Been Dropped (Scored)  o o
4.6 Ensure '%ANY%' Is Revoked from Unauthorized 'GRANTEE' (Scored)  o o
4.7 Ensure 'DBA_SYS_PRIVS.%' Is Revoked from Unauthorized 'GRANTEE' with 'ADMIN_OPTION' Set to 'YES' (Scored)  o o
4.8 Ensure Proxy Users Have Only 'CONNECT' Privilege (Scored)  o o
4.9 Ensure 'EXECUTE ANY PROCEDURE' Is Revoked from 'OUTLN' (Scored)  o o
4.10 Ensure 'EXECUTE ANY PROCEDURE' Is Revoked from 'DBSNMP' (Scored)  o o
5 Audit/Logging Policies and Procedures
5.1 Traditional Auditing
5.1.1 Ensure the 'USER' Audit Option Is Enabled (Scored)  o o
5.1.2 Ensure the 'ROLE' Audit Option Is Enabled (Scored)  o o
5.1.3 Ensure the 'SYSTEM GRANT' Audit Option Is Enabled (Scored)  o o
5.1.4 Ensure the 'PROFILE' Audit Option Is Enabled (Scored)  o o
5.1.5 Ensure the 'DATABASE LINK' Audit Option Is Enabled (Scored)  o o
5.1.6 Ensure the 'PUBLIC DATABASE LINK' Audit Option Is Enabled (Scored)  o o
5.1.7 Ensure the 'PUBLIC SYNONYM' Audit Option Is Enabled (Scored)  o o
5.1.8 Ensure the 'SYNONYM' Audit Option Is Enabled (Scored)  o o
5.1.9 Ensure the 'DIRECTORY' Audit Option Is Enabled (Scored)  o o
5.1.10 Ensure the 'SELECT ANY DICTIONARY' Audit Option Is Enabled (Scored)  o o
5.1.11 Ensure the 'GRANT ANY OBJECT PRIVILEGE' Audit Option Is Enabled (Scored)  o o
5.1.12 Ensure the 'GRANT ANY PRIVILEGE' Audit Option Is Enabled (Scored)  o o
5.1.13 Ensure the 'DROP ANY PROCEDURE' Audit Option Is Enabled (Scored)  o o
5.1.14 Ensure the 'ALL' Audit Option on 'SYS.AUD$' Is Enabled (Scored)  o o
5.1.15 Ensure the 'PROCEDURE' Audit Option Is Enabled (Scored)  o o
5.1.16 Ensure the 'ALTER SYSTEM' Audit Option Is Enabled (Scored)  o o
5.1.17 Ensure the 'TRIGGER' Audit Option Is Enabled (Scored)  o o
5.1.18 Ensure the 'CREATE SESSION' Audit Option Is Enabled (Scored)  o o
5.2 Unified Auditing
5.2.1 Ensure the 'CREATE USER' Action Audit Is Enabled (Scored)  o o
5.2.2 Ensure the 'ALTER USER' Action Audit Is Enabled (Scored)  o o
5.2.3 Ensure the 'DROP USER' Audit Option Is Enabled (Scored)  o o
5.2.4 Ensure the 'CREATE ROLE' Action Audit Is Enabled (Scored)  o o
5.2.5 Ensure the 'ALTER ROLE' Action Audit Is Enabled (Scored)  o o
5.2.6 Ensure the 'DROP ROLE' Action Audit Is Enabled (Scored)  o o
5.2.7 Ensure the 'GRANT' Action Audit Is Enabled (Scored)  o o
5.2.8 Ensure the 'REVOKE' Action Audit Is Enabled (Scored)  o o
5.2.9 Ensure the 'CREATE PROFILE' Action Audit Is Enabled (Scored)  o o
5.2.10 Ensure the 'ALTER PROFILE' Action Audit Is Enabled (Scored)  o o
5.2.11 Ensure the 'DROP PROFILE' Action Audit Is Enabled (Scored)  o o
5.2.12 Ensure the 'CREATE DATABASE LINK' Action Audit Is Enabled (Scored)  o o
5.2.13 Ensure the 'ALTER DATABASE LINK' Action Audit Is Enabled (Scored)  o o
5.2.14 Ensure the 'DROP DATABASE LINK' Action Audit Is Enabled (Scored)  o o
5.2.15 Ensure the 'CREATE SYNONYM' Action Audit Is Enabled (Scored)  o o
5.2.16 Ensure the 'ALTER SYNONYM' Action Audit Is Enabled (Scored)  o o
5.2.17 Ensure the 'DROP SYNONYM' Action Audit Is Enabled (Scored)  o o
5.2.18 Ensure the 'SELECT ANY DICTIONARY' Privilege Audit Is Enabled (Scored)  o o
5.2.19 Ensure the 'UNIFIED_AUDIT_TRAIL' Access Audit Is Enabled (Scored)  o o
5.2.20 Ensure the 'CREATE PROCEDURE/FUNCTION/PACKAGE/PACKAGE BODY' Action Audit Is Enabled (Scored)  o o
5.2.21 Ensure the 'ALTER PROCEDURE/FUNCTION/PACKAGE/PACKAGE BODY' Action Audit Is Enabled (Scored)  o o
5.2.22 Ensure the 'DROP PROCEDURE/FUNCTION/PACKAGE/PACKAGE BODY' Action Audit Is Enabled (Scored)  o o
5.2.23 Ensure the 'ALTER SYSTEM' Privilege Audit Is Enabled (Scored)  o o
5.2.24 Ensure the 'CREATE TRIGGER' Action Audit Is Enabled (Scored)  o o
5.2.25 Ensure the 'ALTER TRIGGER' Action Audit Is Enabled (Scored)  o o
5.2.26 Ensure the 'DROP TRIGGER' Action Audit Is Enabled (Scored)  o o
5.2.27 Ensure the 'LOGON' and 'LOGOFF' Actions Audit Is Enabled (Scored)  o o
6 Appendix: Establishing an Audit/Scan User
Appendix:ChangeHistoryDate Version Changesforthisversion
Apr29,2015 1.0.0 InitialRelease
Apr29,2015 1.1.0 Ticket#216:Updatedremediationtoreference[PRIVILEGE]list
Apr30,2015 1.1.0 Ticket#204:Clarificationinoverviewforbenchmarknon-pluggableapplicability
Jun29,2015 1.1.0 Ticket#209:Addworkflowadvicetoappendixaboutscanuser
Jun29,2015 1.1.0 Ticket#217:Correctedtypeof"repact"with"repcat"
Jun29,2015 1.1.0 Ticket#213:UpdatedauditqueryforregexonAPEXusers
Jun29,2015 1.1.0 Ticket#212:CorrectedconfusionbetweenDBMS_RANDOMandDBMS_BACKUP_RESTORE
Jun29,2015 1.1.0 Ticket#211:Correctedincorrectrecommendationfrom'FALSE'to'TRUE'
Jun29,2015 1.1.0 Ticket#203:Updatedreferencesfrom11gR2to12cwherepossible
Mar31,2016 1.2.0 Ticket#259:AddedSYSMANtolistofauthorizedgranteesfor4.4.2
Mar31,2016 1.2.0 Ticket#258:AddedAPEX_050000;MGMT_VIEW;SYSMAN_MDS;SYSMAN_OPSS;SYSMAN_RO;SYSMAN_STBtolistofauthorizedgranteesin4.3.6
Mar31,2016 1.2.0 Ticket#256:AddedSYSBACKUPandSYSDGtogranteelistfor4.3.1
Mar31,2016 1.2.0 Ticket#254:Updatedrecommendationtexttosay'LessthanorEqualto10'on2.13
Mar 31, 2016  1.2.0    Ticket #241: Added missing semicolon in audit query on 5.1
Mar 31, 2016  1.2.0    Ticket #253: Removed quotes from remediation command on 2.2.2
Mar 31, 2016  1.2.0    Ticket #261: Added SYS to table owners and SYSMAN to list of authorized grantees for 4.5.4
Mar 31, 2016  1.2.0    Ticket #263: Added SYS to list of table owners
Mar 31, 2016  1.2.0    Ticket #264: Added APEX_050000; SYSMAN_STB; SYSMAN_TYPES to list of authorized grantees
Mar 31, 2016  1.2.0    Ticket #225: Updated description and rationale for 2.2.17
Mar 31, 2016  1.2.0    Ticket #251: Added AUDIT_ADMIN, AUDIT_VIEWER, CAPTURE_ADMIN, DBA, GSMADMIN_INTERNAL, ORACLE_OCM, SYSDG, SYSKM, XDB to list of authorized grantees
Mar 31, 2016  1.2.0    Ticket #215: Revised LISTENER sections and included LISTENER_HOME references
Mar 31, 2016  1.2.0    Ticket #242: Added missing semicolon to 4.1.4
Mar 31, 2016  1.2.0    Ticket #266: Updated audit query to check for all privileges, not only roles
Mar 31, 2016  1.2.0    Ticket #265: Added APEX_050000 to list of authorized grantees on 4.7
Mar 31, 2016  1.2.0    Ticket #252: Update profile text (minor)
Apr 1, 2016   2.0.0    Ticket #267: Added a caution statement about revoking privileges from PUBLIC.
Oct 18, 2016  2.0.0    Ticket #207: Moved existing auditing recommendations to a subsection named Traditional Auditing (5.1) and added unified auditing recommendations under a sibling subsection called Unified Auditing (5.2).
Oct 18, 2016  2.0.0    Ticket #275: Corrected reference included for 2.2.2
Oct 18, 2016  2.0.0    Ticket #276: Added 'DB' and 'XML' as valid parameter values for 2.2.2
Dec 1, 2016   2.0.0    Ticket #262: Updated Grantee list and added a note regarding PUBLIC grants for 4.5.5
Dec 1, 2016   2.0.0    Ticket #282: Corrected typo in 2.2.11 where it specified UTIL_FILE_DIR instead of UTL_FILE_DIR
Dec 1, 2016   2.0.0    Ticket #283: Updated title to read "Ensure 'SEC_MAX_FAILED_LOGIN_ATTEMPTS' Is '10'" for 2.2.13
Dec 1, 2016   2.0.0    Ticket #284: Added "and OWNER='SYS'" to the query for 4.5.2
Dec 1, 2016   2.0.0    Ticket #285: Added "and OWNER='SYS'" to the query for 4.5.3
Dec 1, 2016   2.0.0    Ticket #286: Added "and OWNER='SYS'" to the query for 4.5.4
Dec 1, 2016   2.0.0    Ticket #287: Added "and OWNER='SYS'" to the query for 4.5.6
Dec 28, 2016  2.0.0    Planned Update
Jan 18, 2017  2.1.0    Ticket #3934: #292 4.3.12 - Typo in audit procedure
Jun 22, 2017  2.1.0    Ticket #3937: #295 Remove "Level 1 - RDBMS using Unified Auditing" from 2.2.1
Sep 14, 2017  2.1.0    Ticket #4759: #297: 2.2.13 Ensure 'SEC_MAX_FAILED_LOGIN_ATTEMPTS' Is '10'
Sep 14, 2017  2.1.0    Ticket #3938: #296 1.2 Ensure All Default Passwords Are Changed (Scored) - Add comment
Sep 14, 2017  2.1.0    Ticket #3936: #294 Title of 2.2.2 is inconsistent
Sep 14, 2017  2.1.0    Ticket #3935: #293 Change upper(value) from audit SQL query to value
Sep 28, 2017  2.1.0    Ticket #3932: #290 Revise profile descriptions to remove any ambiguity
Feb 1, 2018   2.1.0    Ticket #3928: #247 Revoke dangerous public privileges
Feb 1, 2018   2.1.0    Ticket #3930: #250 Check for latest Patch Update using new naming format
Mar 16, 2018  2.1.0    Ticket #6095: Remove 'LOCAL_LISTENER' recommendation from 12c
Jul 10, 2018  2.1.0    Edited the entire benchmark to address errors and clarify recommendations
Sep 18, 2018  2.1.0    Planned Update