CIS Oracle Database 12c Benchmark v2.1.0 › Security › CIS › CIS_Oracle_Database_12c... · 4 | Page 4.1.4 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_JAVA_TEST' (Scored)

CISOracleDatabase12cBenchmarkv2.1.0–09-18-2018

1|P a g e

TermsofUsePlease see the below link for our current terms of use: https://www.cisecurity.org/cis-securesuite/cis-securesuite-membership-terms-of-use/

2|P a g e

TableofContentsTermsofUse...................................................................................................................................................................1

Overview...........................................................................................................................................................................9

IntendedAudience..................................................................................................................................................9

ConsensusGuidance...............................................................................................................................................9

TypographicalConventions.............................................................................................................................10

ScoringInformation............................................................................................................................................10

ProfileDefinitions................................................................................................................................................11

Acknowledgements.............................................................................................................................................13

Recommendations.....................................................................................................................................................14

1OracleDatabaseInstallationandPatchingRequirements...........................................................14

1.1EnsuretheAppropriateVersion/PatchesforOracleSoftwareIsInstalled(NotScored).............................................................................................................................................................14

1.2EnsureAllDefaultPasswordsAreChanged(Scored).......................................................16

1.3EnsureAllSampleDataAndUsersHaveBeenRemoved(Scored).............................18

2OracleParameterSettings............................................................................................................................20

2.1ListenerSettings.......................................................................................................................................21

2.1.1Ensure'SECURE_CONTROL_'IsSetIn'listener.ora'(Scored)...................................21

2.1.2Ensure'extproc'IsNotPresentin'listener.ora'(Scored)...........................................23

2.1.3Ensure'ADMIN_RESTRICTIONS_'IsSetto'ON'(Scored)............................................25

2.1.4Ensure'SECURE_REGISTER_'IsSetto'TCPS'or'IPC'(Scored)...............................27

2.2DatabaseSettings.....................................................................................................................................29

2.2.1Ensure'AUDIT_SYS_OPERATIONS'IsSetto'TRUE'(Scored)...................................29

2.2.2Ensure'AUDIT_TRAIL'IsSetto'DB','XML','OS','DB,EXTENDED',or'XML,EXTENDED'(Scored)....................................................................................................................31

2.2.3Ensure'GLOBAL_NAMES'IsSetto'TRUE'(Scored).......................................................33

2.2.4Ensure'O7_DICTIONARY_ACCESSIBILITY'IsSetto'FALSE'(Scored)..................34

2.2.5Ensure'OS_ROLES'IsSetto'FALSE'(Scored)..................................................................36

2.2.6Ensure'REMOTE_LISTENER'IsEmpty(Scored).............................................................37

2.2.7Ensure'REMOTE_LOGIN_PASSWORDFILE'IsSetto'NONE'(Scored).................39

3|P a g e

2.2.8Ensure'REMOTE_OS_AUTHENT'IsSetto'FALSE'(Scored)......................................40

2.2.9Ensure'REMOTE_OS_ROLES'IsSetto'FALSE'(Scored).............................................41

2.2.10Ensure'UTL_FILE_DIR'IsEmpty(Scored).......................................................................42

2.2.11Ensure'SEC_CASE_SENSITIVE_LOGON'IsSetto'TRUE'(Scored).......................43

2.2.12Ensure'SEC_MAX_FAILED_LOGIN_ATTEMPTS'Is'3'orLess(Scored).............44

2.2.13Ensure'SEC_PROTOCOL_ERROR_FURTHER_ACTION'IsSetto'DROP,3'(Scored)...........................................................................................................................................................46

2.2.14Ensure'SEC_PROTOCOL_ERROR_TRACE_ACTION'IsSetto'LOG'(Scored)...48

2.2.15Ensure'SEC_RETURN_SERVER_RELEASE_BANNER'IsSetto'FALSE'(Scored).............................................................................................................................................................................50

2.2.16Ensure'SQL92_SECURITY'IsSetto'TRUE'(Scored)..................................................52

2.2.17Ensure'_trace_files_public'IsSetto'FALSE'(Scored)...............................................54

2.2.18Ensure'RESOURCE_LIMIT'IsSetto'TRUE'(Scored).................................................56

3OracleConnectionandLoginRestrictions...........................................................................................58

3.1Ensure'FAILED_LOGIN_ATTEMPTS'IsLessthanorEqualto'5'(Scored)............58

3.2Ensure'PASSWORD_LOCK_TIME'IsGreaterthanorEqualto'1'(Scored)............60

3.3Ensure'PASSWORD_LIFE_TIME'IsLessthanorEqualto'90'(Scored)..................62

3.4Ensure'PASSWORD_REUSE_MAX'IsGreaterthanorEqualto'20'(Scored)........63

3.5Ensure'PASSWORD_REUSE_TIME'IsGreaterthanorEqualto'365'(Scored)...65

3.6Ensure'PASSWORD_GRACE_TIME'IsLessthanorEqualto'5'(Scored)...............67

3.7Ensure'DBA_USERS.PASSWORD'IsNotSetto'EXTERNAL'forAnyUser(Scored).............................................................................................................................................................................69

3.8Ensure'PASSWORD_VERIFY_FUNCTION'IsSetforAllProfiles(Scored)...............71

3.9Ensure'SESSIONS_PER_USER'IsLessthanorEqualto'10'(Scored).......................72

3.10EnsureNoUsersAreAssignedthe'DEFAULT'Profile(Scored)...............................74

4OracleUserAccessandAuthorizationRestrictions.........................................................................76

4.1DefaultPublicPrivilegesforPackagesandObjectTypes.....................................................77

4.1.1Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_ADVISOR'(Scored)...77

4.1.2Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_CRYPTO'(Scored).....79

4.1.3Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_JAVA'(Scored)............81

4|P a g e

4.1.4Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_JAVA_TEST'(Scored).............................................................................................................................................................................83

4.1.5Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_JOB'(Scored)...............85

4.1.6Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_LDAP'(Scored)...........87

4.1.7Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_LOB'(Scored)..............89

4.1.8Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_OBFUSCATION_TOOLKIT'(Scored)...................................................................................91

4.1.9Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_RANDOM'(Scored)...93

4.1.10Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_SCHEDULER'(Scored)...........................................................................................................................................................95

4.1.11Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_SQL'(Scored)............97

4.1.12Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_XMLGEN'(Scored).98

4.1.13Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_XMLQUERY'(Scored)..........................................................................................................................................................................100

4.1.14Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'UTL_FILE'(Scored)...........102

4.1.15Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'UTL_INADDR'(Scored)...103

4.1.16Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'UTL_TCP'(Scored)............105

4.1.17Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'UTL_MAIL'(Scored)..........106

4.1.18Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'UTL_SMTP'(Scored).........108

4.1.19Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'UTL_DBWS'(Scored)........110

4.1.20Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'UTL_ORAMTS'(Scored)..112

4.1.21Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'UTL_HTTP'(Scored).........114

4.1.22Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'HTTPURITYPE'(Scored)116

4.1.23Ensure'EXECUTE'isrevokedfrom'PUBLIC'on'DBMS_XMLSTORE'(Scored)..........................................................................................................................................................................117

4.1.24Ensure'EXECUTE'isrevokedfrom'PUBLIC'on'DBMS_XMLSAVE'(Scored)..........................................................................................................................................................................119

4.1.25Ensure'EXECUTE'isrevokedfrom'PUBLIC'on'DBMS_REDACT'(Scored)121

4.2RevokeNon-DefaultPrivilegesforPackagesandObjectTypes.....................................122

4.2.1Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_SYS_SQL'(Scored)..122

4.2.2Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_BACKUP_RESTORE'(Scored)........................................................................................................................................................124

5|P a g e

4.2.3Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_AQADM_SYSCALLS'(Scored)........................................................................................................................................................126

4.2.4Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_REPCAT_SQL_UTL'(Scored)........................................................................................................................................................127

4.2.5Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'INITJVMAUX'(Scored).......129

4.2.6Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_STREAMS_ADM_UTL'(Scored)........................................................................................................................................................130

4.2.7Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_AQADM_SYS'(Scored)..........................................................................................................................................................................132

4.2.8Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_STREAMS_RPC'(Scored)........................................................................................................................................................133

4.2.9Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_PRVTAQIM'(Scored)..........................................................................................................................................................................135

4.2.10Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'LTADM'(Scored)................137

4.2.11Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'WWV_DBMS_SQL'(Scored)..........................................................................................................................................................................138

4.2.12Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'WWV_EXECUTE_IMMEDIATE'(Scored).....................................................................................139

4.2.13Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_IJOB'(Scored)........141

4.2.14Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_FILE_TRANSFER'(Scored)........................................................................................................................................................142

4.3RevokeExcessiveSystemPrivileges............................................................................................144

4.3.1Ensure'SELECTANYDICTIONARY'IsRevokedfromUnauthorized'GRANTEE'(Scored)........................................................................................................................................................144

4.3.2Ensure'SELECTANYTABLE'IsRevokedfromUnauthorized'GRANTEE'(Scored)........................................................................................................................................................146

4.3.3Ensure'AUDITSYSTEM'IsRevokedfromUnauthorized'GRANTEE'(Scored)..........................................................................................................................................................................148

4.3.4Ensure'EXEMPTACCESSPOLICY'IsRevokedfromUnauthorized'GRANTEE'(Scored)........................................................................................................................................................150

4.3.5Ensure'BECOMEUSER'IsRevokedfromUnauthorized'GRANTEE'(Scored)..........................................................................................................................................................................152

4.3.6Ensure'CREATE_PROCEDURE'IsRevokedfromUnauthorized'GRANTEE'(Scored)........................................................................................................................................................153

6|P a g e

4.3.7Ensure'ALTERSYSTEM'IsRevokedfromUnauthorized'GRANTEE'(Scored)..........................................................................................................................................................................155

4.3.8Ensure'CREATEANYLIBRARY'IsRevokedfromUnauthorized'GRANTEE'(Scored)........................................................................................................................................................157

4.3.9Ensure'CREATELIBRARY'IsRevokedfromUnauthorized'GRANTEE'(Scored)..........................................................................................................................................................................159

4.3.10Ensure'GRANTANYOBJECTPRIVILEGE'IsRevokedfromUnauthorized'GRANTEE'(Scored)...............................................................................................................................161

4.3.11Ensure'GRANTANYROLE'IsRevokedfromUnauthorized'GRANTEE'(Scored)........................................................................................................................................................163

4.3.12Ensure'GRANTANYPRIVILEGE'IsRevokedfromUnauthorized'GRANTEE'(Scored)........................................................................................................................................................165

4.4RevokeRolePrivileges.......................................................................................................................167

4.4.1Ensure'DELETE_CATALOG_ROLE'IsRevokedfromUnauthorized'GRANTEE'(Scored)........................................................................................................................................................167

4.4.2Ensure'SELECT_CATALOG_ROLE'IsRevokedfromUnauthorized'GRANTEE'(Scored)........................................................................................................................................................169

4.4.3Ensure'EXECUTE_CATALOG_ROLE'IsRevokedfromUnauthorized'GRANTEE'(Scored)........................................................................................................................................................171

4.4.4Ensure'DBA'IsRevokedfromUnauthorized'GRANTEE'(Scored)....................173

4.5RevokeExcessiveTableandViewPrivileges..........................................................................175

4.5.1Ensure'ALL'IsRevokedfromUnauthorized'GRANTEE'on'AUD$'(Scored)175

4.5.2Ensure'ALL'IsRevokedfromUnauthorized'GRANTEE'on'USER_HISTORY$'(Scored)........................................................................................................................................................177

4.5.3Ensure'ALL'IsRevokedfromUnauthorized'GRANTEE'on'LINK$'(Scored)..........................................................................................................................................................................179

4.5.4Ensure'ALL'IsRevokedfromUnauthorized'GRANTEE'on'SYS.USER$'(Scored)........................................................................................................................................................181

4.5.5Ensure'ALL'IsRevokedfromUnauthorized'GRANTEE'on'DBA_%'(Scored)..........................................................................................................................................................................183

4.5.6Ensure'ALL'IsRevokedfromUnauthorized'GRANTEE'on'SYS.SCHEDULER$_CREDENTIAL'(Scored)................................................................................185

4.5.7Ensure'SYS.USER$MIG'HasBeenDropped(Scored)................................................187

4.6Ensure'%ANY%'IsRevokedfromUnauthorized'GRANTEE'(Scored)...............188

7|P a g e

4.7Ensure'DBA_SYS_PRIVS.%'IsRevokedfromUnauthorized'GRANTEE'with'ADMIN_OPTION'Setto'YES'(Scored).........................................................................................190

4.8EnsureProxyUsersHaveOnly'CONNECT'Privilege(Scored).................................191

4.9Ensure'EXECUTEANYPROCEDURE'IsRevokedfrom'OUTLN'(Scored)..........192

4.10Ensure'EXECUTEANYPROCEDURE'IsRevokedfrom'DBSNMP'(Scored)....193

5Audit/LoggingPoliciesandProcedures.............................................................................................194

5.1TraditionalAuditing............................................................................................................................195

5.1.1Ensurethe'USER'AuditOptionIsEnabled(Scored).................................................195

5.1.2Ensurethe'ROLE'AuditOptionIsEnabled(Scored).................................................197

5.1.3Ensurethe'SYSTEMGRANT'AuditOptionIsEnabled(Scored)..........................199

5.1.4Ensurethe'PROFILE'AuditOptionIsEnabled(Scored)..........................................200

5.1.5Ensurethe'DATABASELINK'AuditOptionIsEnabled(Scored).........................202

5.1.6Ensurethe'PUBLICDATABASELINK'AuditOptionIsEnabled(Scored)........204

5.1.7Ensurethe'PUBLICSYNONYM'AuditOptionIsEnabled(Scored).....................206

5.1.8Ensurethe'SYNONYM'AuditOptionIsEnabled(Scored).......................................208

5.1.9Ensurethe'DIRECTORY'AuditOptionIsEnabled(Scored)...................................210

5.1.10Ensurethe'SELECTANYDICTIONARY'AuditOptionIsEnabled(Scored)..212

5.1.11Ensurethe'GRANTANYOBJECTPRIVILEGE'AuditOptionIsEnabled(Scored)........................................................................................................................................................214

5.1.12Ensurethe'GRANTANYPRIVILEGE'AuditOptionIsEnabled(Scored).......216

5.1.13Ensurethe'DROPANYPROCEDURE'AuditOptionIsEnabled(Scored).......218

5.1.14Ensurethe'ALL'AuditOptionon'SYS.AUD$'IsEnabled(Scored)...................220

5.1.15Ensurethe'PROCEDURE'AuditOptionIsEnabled(Scored)...............................222

5.1.16Ensurethe'ALTERSYSTEM'AuditOptionIsEnabled(Scored).........................224

5.1.17Ensurethe'TRIGGER'AuditOptionIsEnabled(Scored)......................................226

5.1.18Ensurethe'CREATESESSION'AuditOptionIsEnabled(Scored).....................228

5.2UnifiedAuditing.....................................................................................................................................230

5.2.1Ensurethe'CREATEUSER'ActionAuditIsEnabled(Scored)...............................230

5.2.2Ensurethe'ALTERUSER'ActionAuditIsEnabled(Scored)..................................232

5.2.3Ensuethe'DROPUSER'AuditOptionIsEnabled(Scored)......................................234

5.2.4Ensurethe'CREATEROLE’ActionAuditIsEnabled(Scored)...............................236

8|P a g e

5.2.5Ensurethe'ALTERROLE’ActionAuditIsEnabled(Scored)..................................238

5.2.6Ensurethe'DROPROLE’ActionAuditIsEnabled(Scored)....................................240

5.2.7Ensurethe'GRANT'ActionAuditIsEnabled(Scored)..............................................242

5.2.8Ensurethe'REVOKE'ActionAuditIsEnabled(Scored)...........................................244

5.2.9Ensurethe'CREATEPROFILE’ActionAuditIsEnabled(Scored)........................246

5.2.10Ensurethe'ALTERPROFILE’ActionAuditIsEnabled(Scored)........................248

5.2.11Ensurethe'DROPPROFILE’ActionAuditIsEnabled(Scored)..........................250

5.2.12Ensurethe'CREATEDATABASELINK’ActionAuditIsEnabled(Scored)....252

5.2.13Ensurethe'ALTERDATABASELINK’ActionAuditIsEnabled(Scored).......254

5.2.14Ensurethe'DROPDATABASELINK’ActionAuditIsEnabled(Scored).........256

5.2.15Ensurethe'CREATESYNONYM’ActionAuditIsEnabled(Scored)..................258

5.2.16Ensurethe'ALTERSYNONYM’ActionAuditIsEnabled(Scored).....................260

5.2.17Ensurethe'DROPSYNONYM’ActionAuditIsEnabled(Scored).......................262

5.2.18Ensurethe'SELECTANYDICTIONARY’PrivilegeAuditIsEnabled(Scored)..........................................................................................................................................................................264

5.2.19Ensurethe'UNIFIED_AUDIT_TRAIL’AccessAuditIsEnabled(Scored)........266

5.2.20Ensurethe'CREATEPROCEDURE/FUNCTION/PACKAGE/PACKAGEBODY’ActionAuditIsEnabled(Scored).....................................................................................................268

5.2.21Ensurethe'ALTERPROCEDURE/FUNCTION/PACKAGE/PACKAGEBODY’ActionAuditIsEnabled(Scored).....................................................................................................270

5.2.22Ensurethe'DROPPROCEDURE/FUNCTION/PACKAGE/PACKAGEBODY’ActionAuditIsEnabled(Scored).....................................................................................................272

5.2.23Ensurethe'ALTERSYSTEM’PrivilegeAuditIsEnabled(Scored)....................274

5.2.24Ensurethe'CREATETRIGGER’ActionAuditIsEnabled(Scored)....................276

5.2.25Ensurethe'ALTERTRIGGER’ActionAuditISEnabled(Scored).......................278

5.2.26Ensurethe'DROPTRIGGER’ActionAuditIsEnabled(Scored)..........................280

5.2.27Ensurethe'LOGON’AND‘LOGOFF’ActionsAuditIsEnabled(Scored).........282

6Appendix:EstablishinganAudit/ScanUser.....................................................................................284

Appendix:SummaryTable.................................................................................................................................286

Appendix:ChangeHistory..................................................................................................................................293

9|P a g e

OverviewThisdocumentisintendedtoaddresstherecommendedsecuritysettingsforOracleDatabase12c.ThisguidewastestedagainstOracleDatabase12c(version12.1.0.2)installedwithoutpluggabledatabasesupportrunningonaWindowsServer2012R2instanceasastand-alonesystemandrunningonanOracleLinux7instancealsoasastand-alonesystem.FutureOracleDatabase12ccriticalpatchupdates(CPUs)mayimpacttherecommendationsincludedinthisdocument.

Toobtainthelatestversionofthisguide,pleasevisithttp://benchmarks.cisecurity.org.Ifyouhavequestions,comments,orhaveidentifiedwaystoimprovethisguide,[email protected].

Intended Audience

Thisbenchmarkisintendedforsystemandapplicationadministrators,securityspecialists,auditors,helpdesk,andplatformdeploymentpersonnelwhoplantodevelop,deploy,assess,orsecuresolutionsthatincorporateOracleDatabase12conOracleLinuxorMicrosoftWindowsServer.

Consensus Guidance

Thisbenchmarkwascreatedusingaconsensusreviewprocesscomprisedofsubjectmatterexperts.Consensusparticipantsprovideperspectivefromadiversesetofbackgroundsincludingconsulting,softwaredevelopment,auditandcompliance,securityresearch,operations,government,andlegal.

EachCISbenchmarkundergoestwophasesofconsensusreview.Thefirstphaseoccursduringinitialbenchmarkdevelopment.Duringthisphase,subjectmatterexpertsconvenetodiscuss,create,andtestworkingdraftsofthebenchmark.Thisdiscussionoccursuntilconsensushasbeenreachedonbenchmarkrecommendations.Thesecondphasebeginsafterthebenchmarkhasbeenpublished.Duringthisphase,allfeedbackprovidedbytheInternetcommunityisreviewedbytheconsensusteamforincorporationinthebenchmark.Ifyouareinterestedinparticipatingintheconsensusprocess,pleasevisithttps://workbench.cisecurity.org/.

10|P a g e

Typographical Conventions

Thefollowingtypographicalconventionsareusedthroughoutthisguide:

Convention Meaning

Stylized Monospace font Usedforblocksofcode,command,andscriptexamples.Textshouldbeinterpretedexactlyaspresented.

Monospace font Usedforinlinecode,commands,orexamples.Textshouldbeinterpretedexactlyaspresented.

<italicfontinbrackets> Italictextssetinanglebracketsdenoteavariablerequiringsubstitutionforarealvalue.

Italicfont Usedtodenotethetitleofabook,article,orotherpublication.

Note Additionalinformationorcaveats

Scoring Information

Ascoringstatusindicateswhethercompliancewiththegivenrecommendationimpactstheassessedtarget'sbenchmarkscore.Thefollowingscoringstatusesareusedinthisbenchmark:

Scored

Failuretocomplywith"Scored"recommendationswilldecreasethefinalbenchmarkscore.Compliancewith"Scored"recommendationswillincreasethefinalbenchmarkscore.

NotScored

Failuretocomplywith"NotScored"recommendationswillnotdecreasethefinalbenchmarkscore.Compliancewith"NotScored"recommendationswillnotincreasethefinalbenchmarkscore.

11|P a g e

Profile Definitions

ThefollowingconfigurationprofilesaredefinedbythisBenchmark:

• Level1-RDBMSusingTraditionalAuditing

ItemsinthisprofileapplytoOracleDatabase12cconfiguredtouseTraditionalAuditingandintendto:

o Bepracticalandprudent;o Provideaclearsecuritybenefit;ando Notinhibittheutilityofthetechnologybeyondacceptablemeans.

• Level1-LinuxHostOSusingTraditionalAuditing

Thisprofileextendsthe“RDBMSusingTraditionalAuditing”profile.ItemsinthisprofileapplytoRDBMSrunningonaLinuxHostoperatingsystemwithOracleDatabase12cconfiguredtouseTraditionalAuditingandintendto:


• Level1-WindowsServerHostOSusingTraditionalAuditing

Thisprofileextendsthe“RDBMSusingTraditionalAuditing”profile.ItemsinthisprofileapplytoRDBMSrunningonaWindowsServeroperatingsystemwithOracleDatabase12cconfiguredtouseTraditionalAuditingandintendto:


• Level1-RDBMSusingUnifiedAuditing

ItemsinthisprofileapplytoOracleDatabase12cconfiguredtouseUnifiedAuditingandintendto:


12|P a g e

• Level1-LinuxHostOSusingUnifiedAuditing

Thisprofileextendsthe“RDBMSusingUnifiedAuditing”profile.ItemsinthisprofileapplytoRDBMSrunningonaLinuxHostoperatingsystemwithOracleDatabase12cconfiguredtouseUnifiedandintendto:


• Level1-WindowsServerHostOSusingUnifiedAuditing

Thisprofileextendsthe“RDBMSusingUnifiedAuditing”profile.ItemsinthisprofileapplytoRDBMSrunningonaWindowsServeroperatingsystemwithOracleDatabase12cconfiguredtouseUnifiedandintendto:


13|P a g e

Acknowledgements

This benchmark exemplifies the great things a community of users, vendors, and subject matter experts can accomplish through consensus collaboration. The CIS community thanks the entire consensus team with special recognition to the following individuals who contributed greatly to the creation of this guide:

AuthorJayMehta

ContributorAlexanderKornbrustS.BrianSuddethPieterVanPuymbroeckArmanRawlsAdamMontvilleTungBuiVietJigneshPatelThanThiChamDeanLackeyKyleThomasonJustinBrownGijsHasselmanStephenDufourPhilippeLanglois

EditorAngeloMarcotullioTimHarrisonCISSP,ICP,CenterforInternetSecurityKarenScarfone

14|P a g e

Recommendations1 Oracle Database Installation and Patching Requirements

OneofthebestwaystoensuresecureOraclesecurityistoimplementCriticalPatchUpdates(CPUs)astheycomeout,alongwithanyapplicableOSpatchesthatwillnotinterferewithsystemoperations.ItisadditionallyprudenttoremoveOraclesampledatafromproductionenvironments.

1.1 Ensure the Appropriate Version/Patches for Oracle Software Is Installed (Not Scored)

ProfileApplicability:

• Level1-RDBMSusingTraditionalAuditing• Level1-RDBMSusingUnifiedAuditing

Description:

TheOracleinstallationversionandpatchesshouldbethemostrecentthatarecompatiblewiththeorganization'soperationalneeds.

Rationale:

UsingthemostrecentOracledatabasesoftware,alongwithallapplicablepatchescanhelplimitthepossibilitiesforvulnerabilitiesinthesoftware,theinstallationversionand/orpatchesappliedduringsetupshouldbeestablishedaccordingtotheneedsoftheorganization.EnsureyouareusingareleasethatiscoveredbyalevelofsupportthatincludesthegenerationofCriticalPatchUpdates.

Audit:

Toassessthisrecommendation,usethefollowingexampleshellcommandasappropriateforyourenvironment.

Forexample,onLinuxsystems:

opatch lsinventory | grep -e "^.*<latest_patch_version_numer>\s*.*$"

Forexample,onWindowssystems:

opatch lsinventory | find "<latest_patch_version_number>"

15|P a g e

Remediation:

Performthefollowingstepforremediation:

DownloadandapplythelatestquarterlyCriticalPatchUpdatepatches.

References:

1. http://www.oracle.com/us/support/assurance/fixing-policies/index.html2. http://www.oracle.com/technetwork/topics/security/alerts-086861.html3. http://www.oracle.com/us/support/library/lifetime-support-technology-

069183.pdf

CISControls:

Version6

2InventoryofAuthorizedandUnauthorizedSoftwareInventoryofAuthorizedandUnauthorizedSoftware

16|P a g e

1.2 Ensure All Default Passwords Are Changed (Scored)



Description:

DefaultpasswordsshouldnotbeusedbyOracledatabaseusers.

Rationale:

Defaultpasswordsshouldbeconsidered"wellknown"toattackers.Consequently,ifdefaultpasswordsremaininplace,anyattackerwithaccesstothedatabasecanauthenticateastheuserwiththatdefaultpassword.

Audit:

Toassessthisrecommendation,executethefollowingSQLstatement.

SELECT USERNAME FROM DBA_USERS_WITH_DEFPWD WHERE USERNAME NOT LIKE '%XS$NULL%';

TheviewcalledDBA_USERS_WITH_DEFPWDshowsalistofalldatabaseusersmakinguseofdefaultpasswords.Theassessmentfailsifresultsarereturned.

Note:PerOracleSupportDocument2173962.1,"aftercreationofanew12cdatabase,theSYSandSYSTEMaccountsarelistedinDBA_USERS_WITH_DEFPWDeventhoughtheaccountswerecreatedwithnon-defaultpasswords.SettingthesamepasswordsagainwithALTER USERcorrectlyrecognizesthattheaccountsdonothavedefaultpasswords."

Remediation:

Toremediatethisrecommendation,youmayperformeitherofthefollowingactions:

• ManuallyissuethefollowingSQLstatementforeachUSERNAMEreturnedintheAuditProcedure:

PASSWORD <username>

17|P a g e

• ExecutethefollowingSQLscripttoassignarandomlygeneratedpasswordtoeachaccountusingadefaultpassword:

begin for r_user in (select username from dba_users_with_defpwd where username not like '%XS$NULL%') loop DBMS_OUTPUT.PUT_LINE('Password for user '||r_user.username||' will be changed.'); execute immediate 'alter user "'||r_user.username||'" identified by "'||DBMS_RANDOM.string('a',16)||'"account lock password expire'; end loop; end;

References:

1. http://docs.oracle.com/database/121/TDPSG/GUID-3EC7A894-D620-4497-AFB1-64EB8C33D854.htm#TDPSG20021

2. https://support.oracle.com/epmos/faces/DocumentDisplay?id=2173962.1

CISControls:

Version6

5.3ChangeDefaultPasswordsOnAllNewDevicesBeforedeployinganynewdevicesinanetworkedenvironment,changealldefaultpasswordsforapplications,operatingsystems,routers,firewalls,wirelessaccesspoints,andothersystemstohavevaluesconsistentwithadministration-levelaccounts.

18|P a g e

1.3 Ensure All Sample Data And Users Have Been Removed (Scored)



Description:

Oraclesampleschemascanbeusedtocreatesampleusers(BI,HR,IX,OE,PM,SCOTT,SH),withwell-knowndefaultpasswords,particularviews,andprocedures/functions,inadditiontotablesandfictitiousdata.Thesampleschemasshouldberemoved.

Rationale:

Thesampleschemasaretypicallynotrequiredforproductionoperationsofthedatabase.Thedefaultusers,views,and/orprocedures/functionscreatedbysampleschemascouldbeusedtolaunchexploitsagainstproductionenvironments.

Audit:

Toassessthisrecommendation,checkforthepresenceofOraclesampleusersbyexecutingthefollowingSQLstatement.

SELECT USERNAME FROM ALL_USERS WHERE USERNAME IN ('BI','HR','IX','OE','PM','SCOTT','SH');"

Remediation:

Toremediatethissetting,executethefollowingSQLscript.

$ORACLE_HOME/demo/schema/drop_sch.sql

Then,executethefollowingSQLstatement.

DROP USER SCOTT CASCADE;

Note:TherecyclebinisnotsettoOFFwithinthedefaultdropscript,whichmeansthatthedatawillstillbepresentinyourenvironmentuntiltherecyclebinisemptied.

Impact:

TheOraclesampleusernamesmaybeinuseonaproductionbasis.ItisimportantthatyoufirstverifythatBI,HR,IX,OE,PM,SCOTT,and/orSHarenotvalidproductionusernames

19|P a g e

beforeexecutingthedroppingSQLscripts.ThismaybeparticularlytruewiththeHRandBIusers.Ifanyoftheseusersarepresent,itisimportanttobecautiousandconfirmtheschemaspresentare,infact,Oraclesampleschemasandnotproductionschemasbeingrelieduponbybusinessoperations.

References:

1. http://docs.oracle.com/database/121/COMSC/toc.htm

CISControls:

Version6

18.9SanitizeDeployedSoftwareOfDevelopmentArtifactsForin-housedevelopedapplications,ensurethatdevelopmentartifacts(sampledataandscripts;unusedlibraries,components,debugcode;ortools)arenotincludedinthedeployedsoftware,oraccessibleintheproductionenvironment.

20|P a g e

2 Oracle Parameter Settings

TheoperationoftheOracledatabaseinstanceisgovernedbynumerousparametersthataresetinspecificconfigurationfilesandareinstance-specificinscope.Asalterationsoftheseparameterscancauseproblemsrangingfromdenial-of-servicetotheftofproprietaryinformation,theseconfigurationsshouldbecarefullyconsideredandmaintained.

Note:ForallfilesthathaveparametersthatcanbemodifiedwiththeOSand/orSQLcommands/scripts,thesewillbothbelistedwhereappropriate.

21|P a g e

2.1 Listener Settings

ThissectiondefinesrecommendationsforthesettingsfortheTNSListenerlistener.orafile.

2.1.1 Ensure 'SECURE_CONTROL_' Is Set In 'listener.ora' (Scored)


• Level1-LinuxHostOSusingTraditionalAuditing• Level1-WindowsServerHostOSusingTraditionalAuditing• Level1-LinuxHostOSusingUnifiedAuditing• Level1-WindowsServerHostOSusingUnifiedAuditing

Description:

TheSECURE_CONTROL_<listener_name>settingdeterminesthetypeofcontrolconnectiontheOracleserverrequiresforremoteconfigurationofthelistener.

Rationale:

Listenerconfigurationchangesviaunencryptedremoteconnectionscanresultinunauthorizeduserssniffingcontrolconfigurationinformationfromthenetwork.

Audit:

Toauditthisrecommendation,followthesesteps:

1. Openthe$ORACLE_HOME/network/admin/listener.orafile(or%ORACLE_HOME%\network\admin\listener.oraonWindows)

2. EnsurethateachdefinedlistenerasanassociatedSECURE_CONTROL_<listener_name>directive.

Forexample:LISTENER1 = (DESCRIPTION= (ADDRESS=(PROTOCOL=TCP) (HOST=sales-server)(PORT=1521)) (ADDRESS=(PROTOCOL=IPC) (KEY=REGISTER)) (ADDRESS=(PROTOCOL=TCPS) (HOST=sales-server)(PORT=1522))) SECURE_CONTROL_LISTENER1=TCPS"

22|P a g e

Remediation:

Toremediatethisrecommendation:

SettheSECURE_CONTROL_<listener_name>foreachdefinedlistenerinthelistener.orafile.

References:

1. http://docs.oracle.com/database/121/NETRF/listener.htm#NETRF327

CISControls:

Version6

3.4UseOnlySecureChannelsForRemoteSystemAdministrationPerformallremoteadministrationofservers,workstation,networkdevices,andsimilarequipmentoversecurechannels.Protocolssuchastelnet,VNC,RDP,orothersthatdonotactivelysupportstrongencryptionshouldonlybeusediftheyareperformedoverasecondaryencryptionchannel,suchasSSL,TLSorIPSEC.

23|P a g e

2.1.2 Ensure 'extproc' Is Not Present in 'listener.ora' (Scored)



Description:

extprocshouldberemovedfromthelistener.oratomitigatetheriskthatOSlibrariescanbeinvokedbytheOracleinstance.

Rationale:

extprocallowsthedatabasetorunproceduresfromOSlibraries.Theselibrarycallscan,inturn,runanyOScommand.

Audit:

Toauditthisrecommendation,executethefollowingshellcommandsasappropriateforyourLinux/Windowsenvironment.

Linuxenvironment:

grep -i extproc $ORACLE_HOME/network/admin/listener.ora

Windowsenvironment:

find /I extproc %ORACLE_HOME%\network\admin\listener.ora

Ensureextprocdoesnotexist.

Remediation:


Removeextprocfromthelistener.orafile.

References:

1. http://docs.oracle.com/database/121/DBSEG/app_devs.htm#DBSEG656

24|P a g e

CISControls:

Version6


25|P a g e

2.1.3 Ensure 'ADMIN_RESTRICTIONS_' Is Set to 'ON' (Scored)



Description:

Theadmin_restrictions_<listener_name>settinginthelistener.orafilecanrequirethatanyattemptedreal-timealterationoftheparametersinthelistenerviathesetcommandfileberefusedunlessthelistener.orafileismanuallyaltered,thenrestartedbyaprivilegeduser.

Rationale:

Blockingunprivilegedusersfrommakingalterationsofthelistener.orafile,whereremotedata/servicesettingsarespecified,willhelpprotectdataconfidentiality.

Audit:


Linuxenvironment:

grep -i admin_restrictions $ORACLE_HOME/network/admin/listener.ora

Windowsenvironment:

find /I admin_restrictions %ORACLE_HOME%|\network\admin\listener.ora

Ensureadmin_restrictions_<listener_name>issettoONforalllisteners.

Remediation:


Useatexteditorsuchasvitosettheadmin_restrictions_<listener_name>tothevalueON.

DefaultValue:

26|P a g e

Notset.

References:

1. http://docs.oracle.com/database/121/NETRF/listener.htm#NETRF310

CISControls:

Version6

5.1MinimizeAndSparinglyUseAdministrativePrivilegesMinimizeadministrativeprivilegesandonlyuseadministrativeaccountswhentheyarerequired.Implementfocusedauditingontheuseofadministrativeprivilegedfunctionsandmonitorforanomalousbehavior.

27|P a g e

2.1.4 Ensure 'SECURE_REGISTER_' Is Set to 'TCPS' or 'IPC' (Scored)



Description:

TheSECURE_REGISTER_<listener_name>settingspecifiestheprotocolsusedtoconnecttotheTNSlistener.EachsettingshouldhaveavalueofeitherTCPSorIPCbasedontheneedsforitsprotocol.

Rationale:

Listenerconfigurationchangesviaunencryptedremoteconnectionscanresultinunauthorizeduserssniffingcontrolconfigurationinformationfromthenetwork.

Audit:


Linuxenvironment:

grep -i SECURE_REGISTER $ORACLE_HOME/network/admin/listener.ora

Windowsenvironment:

find /I SECURE_REGISTER %ORACLE_HOME%\network\admin\listener.ora

EnsureSECURE_REGISTER_<listener_name>issettoTCPSorIPC.

Remediation:


UseatexteditorsuchasvitosettheSECURE_REGISTER_<listener_name>=TCPSorSECURE_REGISTER_<listener_name>=IPCforeachlistenerfoundin$ORACLE_HOME/network/admin/listener.ora.

28|P a g e

References:

1. http://docs.oracle.com/database/121/NETRF/listener.htm#NETRF3282. https://support.oracle.com/epmos/faces/ui/km/DocumentDisplay.jspx?id=145388

3.13. https://support.oracle.com/epmos/faces/ui/km/DocumentDisplay.jspx?id=134083

1.14. http://www.joxeankoret.com/download/tnspoison.pdf

Notes:

OracleRealApplicationClusterrequiresadifferentapproachtofixtheTNSPoisoningproblem.SeeOraclesupportnote1453883.1fordetails.

CISControls:

Version6

14.2EncryptAllSensitiveInformationOverLess-trustedNetworksAllcommunicationofsensitiveinformationoverless-trustednetworksshouldbeencrypted.Wheneverinformationflowsoveranetworkwithalowertrustlevel,theinformationshouldbeencrypted.

29|P a g e

2.2 Database Settings

Thissectiondefinesrecommendationscoveringthegeneralsecurityconfigurationofthedatabaseinstance.Therecommendationsensureauditingisenabled,listenersareappropriatelyconfined,andauthenticationisappropriatelyconfigured.

Note:Theremediationproceduresassumetheuseofaserverparameterfile,whichisoftenapreferredmethodofstoringserverinitializationparameters.

Foryourenvironment,leavingofftheSCOPE = SPFILEdirectiveorsubstitutingitwithSCOPE = BOTHmightbepreferreddependingontherecommendation.

2.2.1 Ensure 'AUDIT_SYS_OPERATIONS' Is Set to 'TRUE' (Scored)



Description:

TheAUDIT_SYS_OPERATIONSsettingprovidesfortheauditingofalluseractivitiesconductedundertheSYSOPERandSYSDBAaccounts.ThesettingshouldbesettoTRUEtoenablethisauditing.

Rationale:

IftheparameterAUDIT_SYS_OPERATIONSisFALSE,allstatementsexceptforStartup/ShutdownandLogonbySYSDBA/SYSOPERusersarenotaudited.

Audit:


SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME) = 'AUDIT_SYS_OPERATIONS';

EnsureVALUEissettoTRUE.

Remediation:

Toremediatethissetting,executethefollowingSQLstatement.

ALTER SYSTEM SET AUDIT_SYS_OPERATIONS = TRUE SCOPE=SPFILE;

30|P a g e

References:

1. http://docs.oracle.com/database/121/REFRN/GUID-58176267-238C-40B5-B1F2-BB8BB9518950.htm#REFRN10005

CISControls:

Version6

5.4LogAdministrativeUserAdditionAndRemovalConfiguresystemstoissuealogentryandalertwhenanaccountisaddedtoorremovedfromadomainadministrators’group,orwhenanewlocaladministratoraccountisaddedonasystem.

6.2EnsureAuditLogSettingsSupportAppropriateLogEntryFormattingValidateauditlogsettingsforeachhardwaredeviceandthesoftwareinstalledonit,ensuringthatlogsincludeadate,timestamp,sourceaddresses,destinationaddresses,andvariousotherusefulelementsofeachpacketand/ortransaction.SystemsshouldrecordlogsinastandardizedformatsuchassyslogentriesorthoseoutlinedbytheCommonEventExpressioninitiative.Ifsystemscannotgeneratelogsinastandardizedformat,lognormalizationtoolscanbedeployedtoconvertlogsintosuchaformat.

31|P a g e

2.2.2 Ensure 'AUDIT_TRAIL' Is Set to 'DB', 'XML', 'OS', 'DB,EXTENDED', or 'XML,EXTENDED' (Scored)



Description:

Theaudit_trailsettingdetermineswhetherornotOracle'sbasicauditfeaturesareenabled.Itcanbesetto"OperatingSystem"(OS);DB;DB,EXTENDED;XML;orXML,EXTENDED.Thevalueshouldbesetaccordingtotheneedsoftheorganization.

Rationale:

EnablingthebasicauditingfeaturesfortheOracleinstancepermitsthecollectionofdatatotroubleshootproblems,aswellasprovidesvaluableforensiclogsinthecaseofasystembreachthisvalueshouldbesetaccordingtotheneedsoftheorganization.

Audit:


SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='AUDIT_TRAIL';

EnsureVALUEissettoDBorOSorXMLorDB,EXTENDEDorXML,EXTENDED.

Remediation:

Toremediatethissetting,executeoneofthefollowingSQLstatements.

ALTER SYSTEM SET AUDIT_TRAIL = DB, EXTENDED SCOPE = SPFILE;

ALTER SYSTEM SET AUDIT_TRAIL = OS SCOPE = SPFILE;

ALTER SYSTEM SET AUDIT_TRAIL = XML, EXTENDED SCOPE = SPFILE;

ALTER SYSTEM SET AUDIT_TRAIL = DB SCOPE = SPFILE;

ALTER SYSTEM SET AUDIT_TRAIL = XML SCOPE = SPFILE;

32|P a g e

References:

1. http://docs.oracle.com/database/121/REFRN/GUID-BD86F593-B606-4367-9FB6-8DAB2E47E7FA.htm#REFRN10006

2. http://www.oracle.com/technetwork/products/audit-vault/learnmore/twp-security-auditperformance-166655.pdf

CISControls:

Version6

6Maintenance,Monitoring,andAnalysisofAuditLogsMaintenance,Monitoring,andAnalysisofAuditLogs

33|P a g e

2.2.3 Ensure 'GLOBAL_NAMES' Is Set to 'TRUE' (Scored)



Description:

Theglobal_namessettingrequiresthatthenameofadatabaselinkmatchesthatoftheremotedatabaseitwillconnectto.ThissettingshouldhaveavalueofTRUE.

Rationale:

Notrequiringdatabaseconnectionstomatchthedomainthatisbeingcalledremotelycouldallowunauthorizeddomainsourcestopotentiallyconnectviabrute-forcetactics.

Audit:


SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='GLOBAL_NAMES';


Remediation:


ALTER SYSTEM SET GLOBAL_NAMES = TRUE SCOPE = SPFILE;

References:

1. http://docs.oracle.com/database/121/REFRN/GUID-221D0483-D814-4963-84E1-7D39A25048ED.htm#REFRN10065

CISControls:

Version6

9LimitationandControlofNetworkPorts,Protocols,andServicesLimitationandControlofNetworkPorts,Protocols,andServices

34|P a g e

2.2.4 Ensure 'O7_DICTIONARY_ACCESSIBILITY' Is Set to 'FALSE' (Scored)



Description:

TheO7_dictionary_accessibilitysettingisadatabaseinitializationparameterthatallows/disallowsaccesstoobjectswiththe* ANY *privileges(SELECT ANY TABLE,DELETE ANY TABLE,EXECUTE ANY PROCEDURE,etc.).ThisfunctionalitywascreatedfortheeaseofmigrationfromOracle7databasestolaterversions.ThesettingshouldhaveavalueofFALSE.

Rationale:

LeavingtheSYSschemasoopentoconnectioncouldpermitunauthorizedaccesstocriticaldatastructures.

Audit:


SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='O7_DICTIONARY_ACCESSIBILITY';

EnsureVALUEissettoFALSE.

Remediation:


ALTER SYSTEM SET O7_DICTIONARY_ACCESSIBILITY=FALSE SCOPE = SPFILE;

References:

1. http://docs.oracle.com/database/121/REFRN/GUID-1D1A88F1-B603-48FF-BD30-E6099DB1A1ED.htm#REFRN10133

35|P a g e

Notes:

Thevalueforthisis"O(oh)7"not"0(Zero)7"forO7.Also,for"OracleApplications"uptoversion11.5.9,thissettingisreversed;theO7_dictionary_accessibility=TRUEvalueisrequiredforcorrectoperations.

CISControls:

Version6

9.1LimitOpenPorts,Protocols,andServicesEnsurethatonlyports,protocols,andserviceswithvalidatedbusinessneedsarerunningoneachsystem.

36|P a g e

2.2.5 Ensure 'OS_ROLES' Is Set to 'FALSE' (Scored)



Description:

Theos_rolessettingpermitsexternallycreatedgroupstobeappliedtodatabasemanagement.

Rationale:

AllowingtheOStouseexternalgroupsfordatabasemanagementcouldcauseprivilegeoverlapsandgenerallyweakensecurity.

Audit:


SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='OS_ROLES';


Remediation:


ALTER SYSTEM SET OS_ROLES = FALSE SCOPE = SPFILE;

References:

1. http://docs.oracle.com/database/121/REFRN/GUID-51CCE2D6-F841-4E02-A89D-EA08FC110CF3.htm#REFRN10153

CISControls:

Version6

16AccountMonitoringandControlAccountMonitoringandControl

37|P a g e

2.2.6 Ensure 'REMOTE_LISTENER' Is Empty (Scored)



Description:

Theremote_listenersettingdetermineswhetherornotavalidlistenercanbeestablishedonasystemseparatefromthedatabaseinstance.Thissettingshouldbeemptyunlesstheorganizationspecificallyneedsavalidlisteneronaseparatesystem.

Rationale:

Permittingaremotelistenerforconnectionstothedatabaseinstancecanallowforthepotentialspoofingofconnectionsandthatcouldcompromisedataconfidentialityandintegrity.

Audit:


SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='REMOTE_LISTENER';

EnsureVALUEisempty.

Remediation:


ALTER SYSTEM SET REMOTE_LISTENER = '' SCOPE = SPFILE;

References:

1. http://docs.oracle.com/database/121/REFRN/GUID-FEE2E8B5-CE02-4158-A6B4-030E59316756.htm#REFRN10183

Notes:

Ifsetasremote_listener=true,theaddress/addresslististakenfromtheTNSNAMES.ORAfile.

38|P a g e

CISControls:

Version6


39|P a g e

2.2.7 Ensure 'REMOTE_LOGIN_PASSWORDFILE' Is Set to 'NONE' (Scored)



Description:

Theremote_login_passwordfilesettingspecifieswhetherornotOraclechecksforapasswordfileduringloginandhowmanydatabasescanusethepasswordfile.ThesettingshouldhaveavalueofNONE.

Rationale:

Theuseofthissortofpasswordloginfilecouldpermitunsecured,privilegedconnectionstothedatabase.

Audit:


SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='REMOTE_LOGIN_PASSWORDFILE';

EnsureVALUEissettoNONE.

Remediation:


ALTER SYSTEM SET REMOTE_LOGIN_PASSWORDFILE = 'NONE' SCOPE = SPFILE;

References:

1. http://docs.oracle.com/database/121/REFRN/GUID-6619299E-95E8-4821-B123-3B5899F046C7.htm#REFRN10184

CISControls:

Version6


40|P a g e

2.2.8 Ensure 'REMOTE_OS_AUTHENT' Is Set to 'FALSE' (Scored)



Description:

Theremote_os_authentsettingdetermineswhetherornotOS'roles'withtheattendantprivilegesareallowedforremoteclientconnections.ThissettingshouldhaveavalueofFALSE.

Rationale:

PermittingOSrolesfordatabaseconnectionstocanallowthespoofingofconnectionsandpermitgrantingtheprivilegesofanOSroletounauthorizeduserstomakeconnections,thisvalueshouldberestrictedaccordingtotheneedsoftheorganization.

Audit:


SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='REMOTE_OS_AUTHENT';


Remediation:


ALTER SYSTEM SET REMOTE_OS_AUTHENT = FALSE SCOPE = SPFILE;

References:

1. http://docs.oracle.com/database/121/REFRN/GUID-AB66C849-FE5A-4E06-A6E1-AEE775D55703.htm#REFRN10185

CISControls:

Version6


41|P a g e

2.2.9 Ensure 'REMOTE_OS_ROLES' Is Set to 'FALSE' (Scored)



Description:

Theremote_os_rolessettingpermitsremoteusers'OSrolestobeappliedtodatabasemanagement.ThissettingshouldhaveavalueofFALSE.

Rationale:

AllowingremoteclientsOSrolestohavepermissionsfordatabasemanagementcouldcauseprivilegeoverlapsandgenerallyweakensecurity.

Audit:


SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='REMOTE_OS_ROLES';


Remediation:


ALTER SYSTEM SET REMOTE_OS_ROLES = FALSE SCOPE = SPFILE;

References:

1. http://docs.oracle.com/database/121/REFRN/GUID-BAA83447-14C1-4BE7-BB5D-806ED3E00AED.htm#REFRN10186

CISControls:

Version6


42|P a g e

2.2.10 Ensure 'UTL_FILE_DIR' Is Empty (Scored)



Description:

Theutl_file_dirsettingallowspackageslikeutl_filetoaccess(read/write/modify/delete)filesspecifiedinutl_file_dir.Thissettingshouldhaveanemptyvalue.

Rationale:

Usingtheutl_file_dirtocreatedirectoriesallowsthemanipulationoffilesinthesedirectories.

Audit:


SELECT VALUE FROM V$PARAMETER WHERE UPPER(NAME)='UTL_FILE_DIR';

EnsureVALUEisempty.

Remediation:


ALTER SYSTEM SET UTL_FILE_DIR = '' SCOPE = SPFILE;

References:

1. http://docs.oracle.com/database/121/REFRN/GUID-DCA8A942-ACE1-46D6-876E-3244F390BCAE.htm#REFRN10230

CISControls:

Version6

18ApplicationSoftwareSecurityApplicationSoftwareSecurity

43|P a g e

2.2.11 Ensure 'SEC_CASE_SENSITIVE_LOGON' Is Set to 'TRUE' (Scored)



Description:

TheSEC_CASE_SENSITIVE_LOGONinformationdetermineswhetherornotcase-sensitivityisrequiredforpasswordsduringlogin.

Rationale:

Oracledatabasepasswordcase-sensitivityincreasesthepoolofcharactersthatcanbechosenforthepasswords,makingbrute-forcepasswordattacksquitedifficult.

Audit:


SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='SEC_CASE_SENSITIVE_LOGON';


Remediation:


ALTER SYSTEM SET SEC_CASE_SENSITIVE_LOGON = TRUE SCOPE = SPFILE;

References:

1. http://docs.oracle.com/database/121/REFRN/GUID-F464653A-0D43-4A70-8F05-0274A12C8578.htm#REFRN10299

CISControls:

Version6


44|P a g e

2.2.12 Ensure 'SEC_MAX_FAILED_LOGIN_ATTEMPTS' Is '3' or Less (Scored)



Description:

TheSEC_MAX_FAILED_LOGIN_ATTEMPTSparameterdetermineshowmanyfailedloginattemptsareallowedbeforeOracleclosestheloginconnection.

Rationale:

Allowinganunlimitednumberofloginattemptsforauserconnectioncanfacilitatebothbrute-forceloginattacksandtheoccurrenceofdenial-of-service.

Audit:


SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='SEC_MAX_FAILED_LOGIN_ATTEMPTS';

EnsureVALUEissetto3.

Remediation:


ALTER SYSTEM SET SEC_MAX_FAILED_LOGIN_ATTEMPTS = 3 SCOPE = SPFILE;

References:

1. http://docs.oracle.com/database/121/REFRN/GUID-DEC2A3B2-F49B-499E-A3CF-D097F3A5BA83.htm#REFRN10274

45|P a g e

CISControls:

Version6

16.7ConfigureAccountLockoutsUseandconfigureaccountlockoutssuchthatafterasetnumberoffailedloginattemptstheaccountislockedforastandardperiodoftime.

46|P a g e

2.2.13 Ensure 'SEC_PROTOCOL_ERROR_FURTHER_ACTION' Is Set to 'DROP,3' (Scored)



Description:

TheSEC_PROTOCOL_ERROR_FURTHER_ACTIONsettingdeterminestheOracle'sserver'sresponsetobad/malformedpacketsreceivedfromtheclient.ThissettingshouldhaveavalueofDROP,3,whichwillcauseaconnectiontobedroppedafterthreebad/malformedpackets.

Rationale:

Badpacketsreceivedfromtheclientcanpotentiallyindicatepacket-basedattacksonthesystem,suchas"TCPSYNFlood"or"Smurf"attacks,whichcouldresultinadenial-of-servicecondition,thisvalueshouldbesetaccordingtotheneedsoftheorganization.

Audit:


SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='SEC_PROTOCOL_ERROR_FURTHER_ACTION';

EnsureVALUEissettoDROP,3.

Remediation:

Toremediatethissetting,executeoneofthefollowingSQLstatement.

ALTER SYSTEM SET SEC_PROTOCOL_ERROR_FURTHER_ACTION = 'DROP,3' SCOPE = SPFILE;

References:

1. http://docs.oracle.com/database/121/REFRN/GUID-1E8D3C6E-C919-4218-8117-760D31BD0F95.htm#REFRN10282

47|P a g e

CISControls:

Version6


48|P a g e

2.2.14 Ensure 'SEC_PROTOCOL_ERROR_TRACE_ACTION' Is Set to 'LOG' (Scored)



Description:

TheSEC_PROTOCOL_ERROR_TRACE_ACTIONsettingdeterminestheOracle'sserver'sloggingresponseleveltobad/malformedpacketsreceivedfromtheclientbygeneratingALERT,LOG,orTRACElevelsofdetailinthelogfiles.ThissettingshouldhaveavalueofLOGunlesstheorganizationhasacompellingreasontouseadifferentvaluebecauseLOGshouldcausethenecessaryinformationtobelogged.SettingthevalueasTRACEcangenerateanenormousamountoflogoutputandshouldbereservedfordebuggingonly.

Rationale:

Badpacketsreceivedfromtheclientcanpotentiallyindicatepacket-basedattacksonthesystem,whichcouldresultinadenial-of-servicecondition.

Audit:


SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='SEC_PROTOCOL_ERROR_TRACE_ACTION';

EnsureVALUEissettoLOG.

Remediation:


ALTER SYSTEM SET SEC_PROTOCOL_ERROR_TRACE_ACTION=LOG SCOPE = SPFILE;

References:

1. http://docs.oracle.com/database/121/REFRN/GUID-AE811BC1-8CED-4B21-B16C-4B712B127535.htm#REFRN10283

49|P a g e

CISControls:

Version6


50|P a g e

2.2.15 Ensure 'SEC_RETURN_SERVER_RELEASE_BANNER' Is Set to 'FALSE' (Scored)



Description:

Theinformationaboutpatch/updatereleasenumberprovidesinformationabouttheexactpatch/updatereleasethatiscurrentlyrunningonthedatabase.Thisissensitiveinformationthatshouldnotberevealedtoanyonewhorequestsit.

Rationale:

Allowingthedatabasetoreturninformationaboutthepatch/updatereleasenumbercouldfacilitateunauthorizedusers'attemptstogainaccessbaseduponknownpatchweaknesses.

Audit:


SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='SEC_RETURN_SERVER_RELEASE_BANNER';


Remediation:


ALTER SYSTEM SET SEC_RETURN_SERVER_RELEASE_BANNER = FALSE SCOPE = SPFILE;

References:

1. http://docs.oracle.com/database/121/REFRN/GUID-688102A0-11F5-4F06-8868-934D65C4E878.htm#REFRN10275

51|P a g e

CISControls:

Version6


52|P a g e

2.2.16 Ensure 'SQL92_SECURITY' Is Set to 'TRUE' (Scored)



Description:

TheSQL92_SECURITYparametersettingTRUErequiresthatausermustalsobegrantedtheSELECTobjectprivilegebeforebeingabletoperformUPDATEorDELETEoperationsontablesthathaveWHEREorSETclauses.ThesettingshouldhaveavalueofTRUE.

Rationale:

AuserwithoutSELECTprivilegecanstillinferthevaluestoredinacolumnbyreferringtothatcolumninaDELETEorUPDATEstatement.ThissettingpreventsinadvertentinformationdisclosurebyensuringthatonlyuserswhoalreadyhaveSELECTprivilegecanexecutethestatementsthatwouldallowthemtoinferthestoredvalues.

Audit:


SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='SQL92_SECURITY';


Remediation:


ALTER SYSTEM SET SQL92_SECURITY = TRUE SCOPE = SPFILE;

DefaultValue:

FALSE

References:

1. http://docs.oracle.com/database/121/REFRN/GUID-E41087C2-250E-4201-908B-79E659B22A4B.htm#REFRN10210

53|P a g e

CISControls:

Version6


54|P a g e

2.2.17 Ensure '_trace_files_public' Is Set to 'FALSE' (Scored)



Description:

The_trace_files_publicsettingdetermineswhetherornotthesystem'stracefileisworldreadable.ThissettingshouldhaveavalueofFALSEtorestricttracefileaccess.

Rationale:

Makingthefileworldreadablemeansanyonecanreadtheinstance'stracefile,whichcouldcontainsensitiveinformationaboutinstanceoperations.

Audit:


SELECT VALUE FROM V$PARAMETER WHERE NAME='_trace_files_public';

AVALUEequaltoFALSEorlackofresultsimpliescompliance.

Remediation:


ALTER SYSTEM SET "_trace_files_public" = FALSE SCOPE = SPFILE;

References:

1. http://asktom.oracle.com/pls/asktom/f?p=100:11:0::::P11_QUESTION_ID:4295521746131

CISControls:

Version6

14.4ProtectInformationWithAccessControlListsAllinformationstoredonsystemsshallbeprotectedwithfilesystem,networkshare,claims,application,ordatabasespecificaccesscontrollists.Thesecontrolswillenforcetheprinciplethatonlyauthorizedindividualsshouldhaveaccessto

55|P a g e

theinformationbasedontheirneedtoaccesstheinformationasapartoftheirresponsibilities.

56|P a g e

2.2.18 Ensure 'RESOURCE_LIMIT' Is Set to 'TRUE' (Scored)



Description:

RESOURCE_LIMITdetermineswhetherresourcelimitsareenforcedindatabaseprofiles.ThissettingshouldhaveavalueofTRUE.

Rationale:

IfRESOURCE_LIMITissettoFALSE,noneofthesystemresourcelimitsthataresetinanydatabaseprofilesareenforced.IfRESOURCE_LIMITissettoTRUE,thelimitssetindatabaseprofilesareenforced.

Audit:


SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='RESOURCE_LIMIT';


Remediation:


ALTER SYSTEM SET RESOURCE_LIMIT = TRUE SCOPE = SPFILE;

DefaultValue:

FALSE

References:

1. http://docs.oracle.com/database/121/REFRN/GUID-BB0AB177-3867-4D0D-8700-A1AC8BDFEFC3.htm#REFRN10188

57|P a g e

CISControls:

Version6

14.4ProtectInformationWithAccessControlListsAllinformationstoredonsystemsshallbeprotectedwithfilesystem,networkshare,claims,application,ordatabasespecificaccesscontrollists.Thesecontrolswillenforcetheprinciplethatonlyauthorizedindividualsshouldhaveaccesstotheinformationbasedontheirneedtoaccesstheinformationasapartoftheirresponsibilities.

58|P a g e

3 Oracle Connection and Login Restrictions

TherestrictionsonClient/UserconnectionstotheOracledatabasehelpblockunauthorizedaccesstodataandservicesbysettingaccessrules.Thesesecuritymeasureshelptoensurethatsuccessfulloginscannotbeeasilymadethroughbrute-forcepasswordattacksorintuitedbycleversocialengineeringexploits.SettingsaregenerallyrecommendedtobeappliedtoalldefinedprofilesratherthanbyusingonlytheDEFAULTprofile.Allvaluesassignedbelowaretherecommendedminimumsormaximums;higher,morerestrictivevaluescanbeappliedatthediscretionoftheorganizationbycreatingaseparateprofiletoassigntoadifferentusergroup.

3.1 Ensure 'FAILED_LOGIN_ATTEMPTS' Is Less than or Equal to '5' (Scored)



Description:

TheFAILED_LOGIN_ATTEMPTSsettingdetermineshowmanyfailedloginattemptsarepermittedbeforethesystemlockstheuser'saccount.Whiledifferentprofilescanhavedifferentandmorerestrictivesettings,suchasUSERSandAPPS,theminimum(s)recommendedhereshouldbesetontheDEFAULTprofile.

Rationale:

Repeatedfailedloginattemptscanindicatetheinitiationofabrute-forceloginattack,thisvalueshouldbesetaccordingtotheneedsoftheorganization.(SeetheNotesforawarningonaknownbugthatcanmakethissecuritymeasurebackfire.)

Audit:


SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE RESOURCE_NAME='FAILED_LOGIN_ATTEMPTS' AND ( LIMIT = 'DEFAULT' OR LIMIT = 'UNLIMITED'

59|P a g e

OR LIMIT > 5 );

Lackofresultsimpliescompliance.

Remediation:

RemediatethissettingbyexecutingthefollowingSQLstatementforeachPROFILEreturnedbytheauditprocedure.

ALTER PROFILE <profile_name> LIMIT FAILED_LOGIN_ATTEMPTS 5;

Notes:

Warning:OnegreatconcernwiththeaboveisthepossibilityofthissettingbeingexploitedtocraftaDDoSattackbyusingtherow-lockingdelaybetweenfailedloginattempts(see_OracleBug7715339–Logonfailurescauses“rowcachelock”waits–Allowdisableoflogondelay[ID7715339.8],sotheconfigurationofthissettingdependsonusingthebugworkaround).Also,whilethesettingfortheFAILED_LOGIN_ATTEMPTSvaluecanalsobesetinsqlnet.ora,thisonlyappliestolistedusers.ThesimilarsettingusedtoblockaDDoS,theSEC_MAX_FAILED_LOGIN_ATTEMPTSinitializationparameter,canbeusedtoprotectunauthorizedintrudersfromattackingtheserverprocessesforapplications,butthissettingdoesnotprotectagainstunauthorizedattemptsviavalidusernames.

CISControls:

Version6


60|P a g e

3.2 Ensure 'PASSWORD_LOCK_TIME' Is Greater than or Equal to '1' (Scored)



Description:

ThePASSWORD_LOCK_TIMEsettingdetermineshowmanydaysmustpassfortheuser'saccounttobeunlockedafterthesetnumberoffailedloginattemptshasoccurred.Thesuggestedvalueforthisisonedayorgreater.

Rationale:

Lockingtheuseraccountafterrepeatedfailedloginattemptscanblockfurtherbrute-forceloginattacks,butcancreateadministrativeheadachesasthisaccountunlockingprocessalwaysrequiresDBAintervention.

Audit:


SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE RESOURCE_NAME='PASSWORD_LOCK_TIME' AND ( LIMIT = 'DEFAULT' OR LIMIT = 'UNLIMITED' OR LIMIT < 1 );


Remediation:


ALTER PROFILE <profile_name> LIMIT PASSWORD_LOCK_TIME 1;

61|P a g e

CISControls:

Version6


62|P a g e

3.3 Ensure 'PASSWORD_LIFE_TIME' Is Less than or Equal to '90' (Scored)



Description:

ThePASSWORD_LIFE_TIMEsettingdetermineshowlongapasswordmaybeusedbeforetheuserisrequiredtobechangeit.Thesuggestedvalueforthisis90daysorless.

Rationale:

Allowingpasswordstoremainunchangedforlongperiodsmakesthesuccessofbrute-forceloginattacksmorelikely.

Audit:


SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE RESOURCE_NAME='PASSWORD_LIFE_TIME' AND ( LIMIT = 'DEFAULT' OR LIMIT = 'UNLIMITED' OR LIMIT > 90 );


Remediation:


ALTER PROFILE <profile_name> LIMIT PASSWORD_LIFE_TIME 90;

CISControls:

Version6


63|P a g e

3.4 Ensure 'PASSWORD_REUSE_MAX' Is Greater than or Equal to '20' (Scored)



Description:

ThePASSWORD_REUSE_MAXsettingdetermineshowmanydifferentpasswordsmustbeusedbeforetheuserisallowedtoreuseapriorpassword.Thesuggestedvalueforthisis20passwordsorgreater.

Rationale:

Allowingreuseofapasswordwithinashortperiodoftimeafterthepassword'sinitialusecanmakethesuccessofbothsocial-engineeringandbrute-forcepassword-basedattacksmorelikely.

Audit:


SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE RESOURCE_NAME='PASSWORD_REUSE_MAX' AND ( LIMIT = 'DEFAULT' OR LIMIT = 'UNLIMITED' OR LIMIT < 20 );


Remediation:


ALTER PROFILE <profile_name> LIMIT PASSWORD_REUSE_MAX 20;

Notes:

TheaboverestrictionshouldbeappliedalongwiththePASSWORD_REUSE_TIMEsetting.

64|P a g e

CISControls:

Version6


65|P a g e

3.5 Ensure 'PASSWORD_REUSE_TIME' Is Greater than or Equal to '365' (Scored)



Description:

ThePASSWORD_REUSE_TIMEsettingdeterminestheamountoftimeindaysthatmustpassbeforethesamepasswordmaybereused.Thesuggestedvalueforthisis365daysorgreater.

Rationale:

Reusingthesamepasswordafteronlyashortperiodoftimehaspassedmakesthesuccessofbrute-forceloginattacksmorelikely.

Audit:


SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE RESOURCE_NAME='PASSWORD_REUSE_TIME' AND ( LIMIT = 'DEFAULT' OR LIMIT = 'UNLIMITED' OR LIMIT < 365 );


Remediation:


ALTER PROFILE <profile_name> LIMIT PASSWORD_REUSE_TIME 365;

Notes:

TheaboverestrictionshouldbeappliedalongwiththePASSWORD_REUSE_MAXsetting.

66|P a g e

CISControls:

Version6


67|P a g e

3.6 Ensure 'PASSWORD_GRACE_TIME' Is Less than or Equal to '5' (Scored)



Description:

ThePASSWORD_GRACE_TIMEsettingdetermineshowmanydayscanpassaftertheuser'spasswordexpiresbeforetheuser'slogincapabilityisautomaticallylockedout.Thesuggestedvalueforthisisfivedaysorless.

Rationale:

Lockingtheuseraccountaftertheexpirationofthepasswordchangerequirement'sgraceperiodcanhelppreventpassword-basedattacksagainstanyforgottenordisusedaccounts,whilestillallowingtheaccountanditsinformationtobeaccessiblebyDBAintervention.

Audit:


SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE RESOURCE_NAME='PASSWORD_GRACE_TIME' AND ( LIMIT = 'DEFAULT' OR LIMIT = 'UNLIMITED' OR LIMIT > 5 );


Remediation:


ALTER PROFILE <profile_name> LIMIT PASSWORD_GRACE_TIME 5;

68|P a g e

CISControls:

Version6


69|P a g e

3.7 Ensure 'DBA_USERS.PASSWORD' Is Not Set to 'EXTERNAL' for Any User (Scored)



Description:

Thepassword='EXTERNAL'settingdetermineswhetherornotausercanbeauthenticatedbyaremoteOStoallowaccesstothedatabasewithfullauthorization.Thissettingshouldnotbeused.

Rationale:

AllowingremoteOSauthenticationofausertothedatabasecanpotentiallyallowsupposed"privilegedusers"toconnectas"authenticated,"evenwhentheremotesystemiscompromised.

Audit:


SELECT USERNAME FROM DBA_USERS WHERE PASSWORD='EXTERNAL';


Remediation:

ToremediatethissettingexecutethefollowingSQLstatement.

ALTER USER <username> INDENTIFIED BY <password>;

Notes:

ThePASSWORDkeyword(column)usedintheSQLforpriorOracleversionshasbeendeprecatedfromversion11.2onwardinfavorofthenewAUTHENTICATION_TYPEkeyword(column)fortheDBA_USERStable.However,thePASSWORDcolumnhasstillbeenretainedforbackwardcompatibility.

70|P a g e

CISControls:

Version6


71|P a g e

3.8 Ensure 'PASSWORD_VERIFY_FUNCTION' Is Set for All Profiles (Scored)



Description:

ThePASSWORD_VERIFY_FUNCTIONdeterminespasswordsettingsrequirementswhenauserpasswordischangedattheSQLcommandprompt.Itshouldbesetforallprofiles.NotethatthissettingdoesnotapplyforusersmanagedbytheOraclepasswordfile.

Rationale:

Requiringuserstoapplythe12csecurityfeaturesinpasswordcreation,suchasforcingmixed-casecomplexity,blockingofsimplecombinations,andenforcingchange/historysettingscanpotentiallythwartloginsbyanunauthorizeduser.

Audit:


SELECT PROFILE, RESOURCE_NAME FROM DBA_PROFILES WHERE RESOURCE_NAME='PASSWORD_VERIFY_FUNCTION' AND (LIMIT = 'DEFAULT' OR LIMIT = 'NULL');


Remediation:

Createacustompasswordverificationfunctionwhichfulfillsthepasswordrequirementsoftheorganization.

CISControls:

Version6


72|P a g e

3.9 Ensure 'SESSIONS_PER_USER' Is Less than or Equal to '10' (Scored)



Description:

TheSESSIONS_PER_USERsettingdeterminesthemaximumnumberofusersessionsthatareallowedtobeopenconcurrently.Thesuggestedvalueforthisis10orless.

Rationale:

LimitingthenumberoftheSESSIONS_PER_USERcanhelppreventmemoryresourceexhaustionbypoorlyformedrequestsorintentionaldenial-of-serviceattacks.

Audit:


SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE RESOURCE_NAME='SESSIONS_PER_USER' AND ( LIMIT = 'DEFAULT' OR LIMIT = 'UNLIMITED' OR LIMIT > 10 );


Remediation:

Toremediatethissetting,executethefollowingSQLstatementforeachPROFILEreturnedbytheauditprocedure.

ALTER PROFILE <profile_name> LIMIT SESSIONS_PER_USER 10;

Notes:

TheSESSIONS_PER_USERprofilemanagementcapabilitywascreatedtopreventresource(s)exhaustionatatimewhenresourceusagewasveryexpensive.Ascurrentdatabasedesignmayrequiremuchhigherlimitsonthisparameterifone"user"handlesallprocessingforspecifictypesofbatch/customerconnections,thismustbehandledviaanewuserprofile.

73|P a g e

CISControls:

Version6


74|P a g e

3.10 Ensure No Users Are Assigned the 'DEFAULT' Profile (Scored)



Description:

UponcreationdatabaseusersareassignedtotheDEFAULTprofileunlessotherwisespecified.Nousersshouldbeassignedtothatprofile.

Rationale:

Usersshouldbecreatedwithfunction-appropriateprofiles.TheDEFAULTprofile,beingdefinedbyOracle,issubjecttochangeatanytime(e.g.bypatchorversionupdate).TheDEFAULTprofilehasunlimitedsettingsthatareoftenrequiredbytheSYSuserwhenpatching;suchunlimitedsettingsshouldbetightlyreservedandnotappliedtounnecessaryusers.

Audit:


SELECT USERNAME FROM DBA_USERS WHERE PROFILE='DEFAULT' AND ACCOUNT_STATUS='OPEN' AND USERNAME NOT IN ('ANONYMOUS', 'CTXSYS', 'DBSNMP', 'EXFSYS', 'LBACSYS', 'MDSYS', 'MGMT_VIEW','OLAPSYS','OWBSYS', 'ORDPLUGINS', 'ORDSYS', 'OUTLN', 'SI_INFORMTN_SCHEMA','SYS', 'SYSMAN', 'SYSTEM', 'TSMSYS', 'WK_TEST', 'WKSYS', 'WKPROXY', 'WMSYS', 'XDB', 'CISSCAN');


Remediation:

Toremediatethisrecommendation,executethefollowingSQLstatementforeachuserreturnedbytheauditqueryusingafunctional-appropriateprofile.

ALTER USER <username> PROFILE <appropriate_profile>;

75|P a g e

CISControls:

Version6


76|P a g e

4 Oracle User Access and Authorization Restrictions

Thecapabilitytousedatabaseresourcesatagivenlevel,oruserauthorizationrules,allowsforusermanipulationofthevariouspartsoftheOracledatabase.Theseauthorizationsmustbestructuredtoblockunauthorizeduseand/orcorruptionofvitaldataandservicesbysettingrestrictionsonusercapabilities,particularlythoseoftheuserPUBLIC.Suchsecuritymeasureshelptoensuresuccessfulloginscannotbeeasilyredirected.

IMPORTANT:UsecautionwhenrevokingprivilegesfromPUBLIC.Oracleandthird-partyproductsexplicitlyrequiredefaultgrantstoPUBLICforcommonlyusedfunctions,objects,andinviewdefinitions.AfterrevokinganyprivilegefromPUBLIC,verifythatapplicationskeeprunningproperlyandrecompileinvaliddatabaseobjects.Specificgrantstousersandrolesmaybeneededtomakeallobjectsvalid.PleaseseethefollowingOraclesupportdocumentwhichprovidesfurtherinformationandSQLstatementsthatcanbeusedtodeterminedependenciesthatrequireexplicitgrants:BeCautiousWhenRevokingPrivilegesGrantedtoPUBLIC(DocID247093.1)Alwaystestdatabasechangesindevelopmentandtestenvironmentsbeforemakingchangestoproductiondatabases.

77|P a g e

4.1 Default Public Privileges for Packages and Object Types

Thissectioncontainsrecommendationsthatrevokedefaultpublicexecuteprivilegesfrompowerfulpackagesandobjecttypes.

4.1.1 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_ADVISOR' (Scored)



Description:

TheOracledatabaseDBMS_ADVISORpackagecanbeusedtowritefileslocatedontheserverwheretheOracleinstanceisinstalled.TheuserPUBLICshouldnotbeabletoexecuteDBMS_ADVISOR.

Rationale:

UseoftheDBMS_ADVISORpackagecouldallowanunauthorizedusertocorruptoperatingsystemfilesontheinstance'shost.

Audit:


SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_ADVISOR';

Theassessmentfailsifresultsarereturned.

Remediation:


REVOKE EXECUTE ON DBMS_ADVISOR FROM PUBLIC;

References:

1. http://docs.oracle.com/database/121/ARPLS/d_advis.htm#ARPLS350

78|P a g e

CISControls:

Version6


79|P a g e

4.1.2 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_CRYPTO' (Scored)



Description:

TheDBMS_CRYPTOsettingsprovideatoolsetthatdeterminesthestrengthoftheencryptionalgorithmusedtoencryptapplicationdataandispartoftheSYSschema.TheDES(56-bitkey),3DES(168-bitkey),3DES-2KEY(112-bitkey),AES(128/192/256-bitkeys),andRC4areavailable.TheuserPUBLICshouldnotbeabletoexecuteDBMS_CRYPTO.

Rationale:

ExecutionofthesecryptographyproceduresbytheuserPUBLICcanpotentiallyendangerportionsoforallofthedatastorage.

Audit:


SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND TABLE_NAME='DBMS_CRYPTO';


Remediation:


REVOKE EXECUTE ON DBMS_CRYPTO FROM PUBLIC;

References:

1. http://docs.oracle.com/database/121/ARPLS/d_crypto.htm#ARPLS664

80|P a g e

CISControls:

Version6


81|P a g e

4.1.3 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_JAVA' (Scored)



Description:

TheOracledatabaseDBMS_JAVApackagecanrunJavaclasses(e.g.OScommands)orgrantJavaprivileges.TheuserPUBLICshouldnotbeabletoexecuteDBMS_JAVA.

Rationale:

TheDBMS_JAVApackagecouldallowanattackertorunOScommandsfromthedatabase.

Audit:


SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_JAVA';


Remediation:


REVOKE EXECUTE ON DBMS_JAVA FROM PUBLIC;

References:

1. http://docs.oracle.com/database/121/JJDEV/appendixa.htm#JJDEV13000

CISControls:

Version6

18.9SanitizeDeployedSoftwareOfDevelopmentArtifactsForin-housedevelopedapplications,ensurethatdevelopmentartifacts(sample

82|P a g e

dataandscripts;unusedlibraries,components,debugcode;ortools)arenotincludedinthedeployedsoftware,oraccessibleintheproductionenvironment.

83|P a g e

4.1.4 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_JAVA_TEST' (Scored)



Description:

TheOracledatabaseDBMS_JAVA_TESTpackagecanrunJavaclasses(e.g.OScommands)orgrantJavaprivileges.TheuserPUBLICshouldnotbeabletoexecuteDBMS_JAVA_TEST.

Rationale:

TheDBMS_JAVA_TESTpackagecouldallowanattackertorunoperatingsystemcommandsfromthedatabase.

Audit:


SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_JAVA_TEST';


Remediation:


REVOKE EXECUTE ON DBMS_JAVA_TEST FROM PUBLIC;

Notes:

DBMS_JAVA_TESTisanundocumentedPL/SQLpackage,butthepublicgrantshouldberevoked.

84|P a g e

CISControls:

Version6


85|P a g e

4.1.5 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_JOB' (Scored)



Description:

TheOracledatabaseDBMS_JOBpackageschedulesandmanagesthejobssenttothejobqueueandhasbeensupersededbytheDBMS_SCHEDULERpackage,eventhoughDBMS_JOBhasbeenretainedforbackwardscompatibility.TheuserPUBLICshouldnotbeabletoexecuteDBMS_JOB.

Rationale:

UseoftheDBMS_JOBpackagecouldallowanunauthorizedusertodisableoroverloadthejobqueue.IthasbeensupersededbytheDBMS_SCHEDULERpackage.

Audit:


SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_JOB';


Remediation:


REVOKE EXECUTE ON DBMS_JOB FROM PUBLIC;

References:

1. http://docs.oracle.com/database/121/ARPLS/d_job.htm#ARPLS019

86|P a g e

CISControls:

Version6


87|P a g e

4.1.6 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_LDAP' (Scored)



Description:

TheOracledatabaseDBMS_LDAPpackagecontainsfunctionsandproceduresthatenableprogrammerstoaccessdatafromLDAPservers.TheuserPUBLICshouldnotbeabletoexecuteDBMS_LDAP.

Rationale:

UseoftheDBMS_LDAPpackagecanbeusedtocreatespeciallycraftederrormessagesorsendinformationviaDNStotheoutside.

Audit:


SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_LDAP';


Remediation:


REVOKE EXECUTE ON DBMS_LDAP FROM PUBLIC;

References:

1. http://docs.oracle.com/database/121/ARPLS/d_ldap.htm#ARPLS360

88|P a g e

CISControls:

Version6


89|P a g e

4.1.7 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_LOB' (Scored)



Description:

TheOracledatabaseDBMS_LOBpackageprovidessubprogramsthatcanmanipulateandread/writeonBLOBs,CLOBs,NCLOBs,BFILEs,andtemporaryLOBs.TheuserPUBLICshouldnotbeabletoexecuteDBMS_LOB.

Rationale:

UseoftheDBMS_LOBpackagecouldallowanunauthorizedusertomanipulateBLOBs,CLOBs,NCLOBs,BFILEs,andtemporaryLOBsontheinstance,eitherdestroyingdataorcausingadenial-of-serviceconditionduetocorruptionofdiskspace.

Audit:


SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_LOB';


Remediation:


REVOKE EXECUTE ON DBMS_LOB FROM PUBLIC;

References:

1. http://docs.oracle.com/database/121/ARPLS/d_lob.htm#ARPLS600

90|P a g e

CISControls:

Version6


91|P a g e

4.1.8 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_OBFUSCATION_TOOLKIT' (Scored)



Description:

TheDBMS_OBFUSCATION_TOOLKITprovidesoneofthetoolsthatdeterminethestrengthoftheencryptionalgorithmusedtoencryptapplicationdataandispartoftheSYSschema.TheDES(56-bitkey)and3DES(168-bitkey)aretheonlytwotypesavailable.TheuserPUBLICshouldnotbeabletoexecuteDBMS_OBFUSCATION_TOOLKIT.

Rationale:

AllowingthePUBLICuserprivilegestoaccessthiscapabilitycanbepotentiallyharmdatastorage.

Audit:


SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_OBFUSCATION_TOOLKIT';


Remediation:


REVOKE EXECUTE ON DBMS_OBFUSCATION_TOOLKIT FROM PUBLIC;

CISControls:

Version6

5.1MinimizeAndSparinglyUseAdministrativePrivilegesMinimizeadministrativeprivilegesandonlyuseadministrativeaccountswhenthey

92|P a g e

arerequired.Implementfocusedauditingontheuseofadministrativeprivilegedfunctionsandmonitorforanomalousbehavior.

93|P a g e

4.1.9 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_RANDOM' (Scored)



Description:

TheOracledatabaseDBMS_RANDOMpackageisusedforgeneratingrandomnumbersbutshouldnotbeusedforcryptographicpurposes.TheuserPUBLICshouldnotbeabletoexecuteDBMS_RANDOM.

Rationale:

UseoftheDBMS_RANDOMpackagecanallowtheunauthorizedapplicationoftherandomnumber-generatingfunction.

Audit:


SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_RANDOM';


Remediation:


REVOKE EXECUTE ON DBMS_RANDOM FROM PUBLIC;

References:

1. http://docs.oracle.com/cd/E11882_01/appdev.112/e25788/d_random.htm

Notes:

TheOEMcautionsthatremovingthisfromPUBLICmaybreakcertainapplications.

94|P a g e

CISControls:

Version6


95|P a g e

4.1.10 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_SCHEDULER' (Scored)



Description:

TheOracledatabaseDBMS_SCHEDULERpackageschedulesandmanagesthedatabaseandoperatingsystemjobs.TheuserPUBLICshouldnotbeabletoexecuteDBMS_SCHEDULER.

Rationale:

UseoftheDBMS_SCHEDULERpackagecouldallowanunauthorizedusertorundatabaseoroperatingsystemjobs.

Audit:


SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_SCHEDULER';


Remediation:


REVOKE EXECUTE ON DBMS_SCHEDULER FROM PUBLIC;

References:

1. http://docs.oracle.com/database/121/ARPLS/d_sched.htm#ARPLS72235

CISControls:

Version6


96|P a g e


97|P a g e

4.1.11 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_SQL' (Scored)



Description:

TheOracledatabaseDBMS_SQLpackageisusedforrunningdynamicSQLstatements.TheuserPUBLICshouldnotbeabletoexecuteDBMS_SQL.

Rationale:

TheDBMS_SQLpackagecouldallowprivilegeescalationifinputvalidationisnotdoneproperly.

Audit:


SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_SQL';


Remediation:


REVOKE EXECUTE ON DBMS_SQL FROM PUBLIC;

References:

1. http://docs.oracle.com/database/121/ARPLS/d_sql.htm#ARPLS058

CISControls:

Version6


98|P a g e

4.1.12 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_XMLGEN' (Scored)



Description:

TheDBMS_XMLGENpackagetakesanarbitrarySQLqueryasinput,convertsittoXMLformat,andreturnstheresultasaCLOB.TheuserPUBLICshouldnotbeabletoexecuteDBMS_XMLGEN.

Rationale:

ThepackageDBMS_XMLGENcanbeusedtosearchtheentiredatabaseforsensitiveinformationlikecreditcardnumbers.

Audit:


SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_XMLGEN';


Remediation:


REVOKE EXECUTE ON DBMS_XMLGEN FROM PUBLIC;

References:

1. http://docs.oracle.com/database/121/ARPLS/d_xmlgen.htm#ARPLS3742. http://www.red-database-security.com/wp/confidence2009.pdf

99|P a g e

CISControls:

Version6

13DataProtectionDataProtection

100|P a g e

4.1.13 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_XMLQUERY' (Scored)



Description:

TheOraclepackageDBMS_XMLQUERYtakesanarbitrarySQLquery,convertsittoXMLformat,andreturnstheresult.ThispackageissimilartoDBMS_XMLGEN.TheuserPUBLICshouldnotbeabletoexecuteDBMS_XMLQUERY.

Rationale:

ThepackageDBMS_XMLQUERYcanbeusedtosearchtheentiredatabaseforsensitiveinformationlikecreditcardnumbers.MalicioususersmaybeabletoexploitthispackageasanauxiliaryinjectfunctioninaSQLinjectionattack.

Audit:


SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_XMLQUERY';


Remediation:


REVOKE EXECUTE ON DBMS_XMLQUERY FROM PUBLIC;

References:

1. http://docs.oracle.com/database/121/ARPLS/d_xmlque.htm#ARPLS376

101|P a g e

CISControls:

Version6

13DataProtectionDataProtection

102|P a g e

4.1.14 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_FILE' (Scored)



Description:

TheOracledatabaseUTL_FILEpackagecanbeusedtoread/writefileslocatedontheserverwheretheOracleinstanceisinstalled.TheuserPUBLICshouldnotbeabletoexecuteUTL_FILE.

Rationale:

UseoftheUTL_FILEpackagecouldallowanusertoreadOSfiles.Thesefilescouldcontainsensitiveinformation(e.g.passwordsin.bash_history).

Audit:


SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='UTL_FILE';


Remediation:


REVOKE EXECUTE ON UTL_FILE FROM PUBLIC;

References:

1. http://docs.oracle.com/database/121/ARPLS/u_file.htm#ARPLS069

CISControls:

Version6

14ControlledAccessBasedontheNeedtoKnowControlledAccessBasedontheNeedtoKnow

103|P a g e

4.1.15 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_INADDR' (Scored)



Description:

TheOracledatabaseUTL_INADDRpackagecanbeusedtocreatespeciallycraftederrormessagesorsendinformationviaDNStotheoutside.TheuserPUBLICshouldnotbeabletoexecuteUTL_INADDR.

Rationale:

TheUTL_INADDRpackageisoftenusedinSQLinjectionattacksfromthewebitshouldberevokedfrompublic.

Audit:


SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='UTL_INADDR';


Remediation:


REVOKE EXECUTE ON UTL_INADDR FROM PUBLIC;

References:

1. http://docs.oracle.com/database/121/ARPLS/u_inaddr.htm#ARPLS071

104|P a g e

CISControls:

Version6


105|P a g e

4.1.16 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_TCP' (Scored)



Description:

TheOracledatabaseUTL_TCPpackagecanbeusedtoread/writefiletoTCPsocketsontheserverwheretheOracleinstanceisinstalled.TheuserPUBLICshouldnotbeabletoexecuteUTL_TCP.

Rationale:

TheUTL_TCPpackagecouldallowanunauthorizedusertocorrupttheTCPstreamusedtocarrytheprotocolsthatcommunicatewiththeinstance'sexternalcommunications.

Audit:


SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='UTL_TCP';


Remediation:


REVOKE EXECUTE ON UTL_TCP FROM PUBLIC;

References:

1. http://docs.oracle.com/database/121/ARPLS/u_tcp.htm#ARPLS075

CISControls:

Version6


106|P a g e

4.1.17 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_MAIL' (Scored)



Description:

TheOracledatabaseUTL_MAILpackagecanbeusedtosendemailfromtheserverwheretheOracleinstanceisinstalled.TheuserPUBLICshouldnotbeabletoexecuteUTL_MAIL.

Rationale:

TheUTL_MAILpackagecouldallowanunauthorizedusertocorrupttheSMTPfunctiontoacceptorgeneratejunkmailthatcanresultinadenial-of-serviceconditionduetonetworksaturation.

Audit:


SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='UTL_MAIL';


Remediation:


REVOKE EXECUTE ON UTL_MAIL FROM PUBLIC;

References:

1. http://docs.oracle.com/database/121/ARPLS/u_mail.htm#ARPLS384

107|P a g e

CISControls:

Version6


108|P a g e

4.1.18 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_SMTP' (Scored)



Description:

TheOracledatabaseUTL_SMTPpackagecanbeusedtosendemailfromtheserverwheretheOracleinstanceisinstalled.TheuserPUBLICshouldnotbeabletoexecuteUTL_SMTP.

Rationale:

TheUTL_SMTPpackagecouldallowanunauthorizedusertocorrupttheSMTPfunctiontoacceptorgeneratejunkmailthatcanresultinadenial-of-serviceconditionduetonetworksaturation.

Audit:


SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='UTL_SMTP';


Remediation:


REVOKE EXECUTE ON UTL_SMTP FROM PUBLIC;

References:

1. http://docs.oracle.com/database/121/ARPLS/u_smtp.htm#ARPLS074

109|P a g e

CISControls:

Version6


110|P a g e

4.1.19 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_DBWS' (Scored)



Description:

TheOracledatabaseUTL_DBWSpackagecanbeusedtoread/writefiletoweb-basedapplicationsontheserverwheretheOracleinstanceisinstalled.Thispackageisnotautomaticallyinstalledforsecurityreasons.TheuserPUBLICshouldnotbeabletoexecuteUTL_DBWS.

Rationale:

TheUTL_DBWSpackagecouldallowanunauthorizedusertocorrupttheHTTPstreamusedtocarrytheprotocolsthatcommunicatefortheinstance'sweb-basedexternalcommunications.

Audit:


SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='UTL_DBWS';


Remediation:


REVOKE EXECUTE ON UTL_DBWS FROM 'PUBLIC';

References:

1. https://docs.oracle.com/database/121/JJPUB/intro.htm#BHCIBFGJ

CISControls:

111|P a g e

Version6


112|P a g e

4.1.20 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_ORAMTS' (Scored)



Description:

TheOracledatabaseUTL_ORAMTSpackagecanbeusedtoperformHTTPrequests.Thiscouldbeusedtosendinformationtotheoutside.TheuserPUBLICshouldnotbeabletoexecuteUTL_ORAMTS.

Rationale:

TheUTL_ORAMTSpackagecouldbeusedtosend(sensitive)informationtoexternalwebsites.Theuseofthispackageshouldberestrictedaccordingtotheneedsoftheorganization.

Audit:


SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='UTL_ORAMTS';


Remediation:


REVOKE EXECUTE ON UTL_ORAMTS FROM PUBLIC;

References:

1. http://docs.oracle.com/database/121/NTMTS/recovery.htm#sthref73

113|P a g e

CISControls:

Version6


114|P a g e

4.1.21 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_HTTP' (Scored)



Description:

TheOracledatabaseUTL_HTTPpackagecanbeusedtoperformHTTPrequests.Thiscouldbeusedtosendinformationtotheoutside.TheuserPUBLICshouldnotbeabletoexecuteUTL_HTTP.

Rationale:

TheUTL_HTTPpackagecouldbeusedtosend(sensitive)informationtoexternalwebsites.Theuseofthispackageshouldberestrictedaccordingtotheneedsoftheorganization.

Audit:


SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='UTL_HTTP';


Remediation:


REVOKE EXECUTE ON UTL_HTTP FROM PUBLIC;

References:

1. http://docs.oracle.com/database/121/ARPLS/u_http.htm#ARPLS070

115|P a g e

CISControls:

Version6


116|P a g e

4.1.22 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'HTTPURITYPE' (Scored)



Description:

TheOracledatabaseHTTPURITYPEobjecttypecanbeusedtoperformHTTPrequests.TheuserPUBLICshouldnotbeabletoexecuteHTTPURITYPE.

Rationale:

TheabilitytoperformHTTPrequestscouldbeusedtoleakinformationfromthedatabasetoanexternaldestination.

Audit:


SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='HTTPURITYPE';


Remediation:


REVOKE EXECUTE ON HTTPURITYPE FROM PUBLIC;

References:

1. http://docs.oracle.com/database/121/ARPLS/t_dburi.htm#ARPLS71705

CISControls:

Version6


117|P a g e

4.1.23 Ensure 'EXECUTE' is revoked from 'PUBLIC' on 'DBMS_XMLSTORE' (Scored)



Description:

TheDBMS_XLMSTOREpackageprovidesXMLfunctionality.ItacceptsatablenameandXMLasinputtoperformDMLoperationsagainstthetable.TheuserPUBLICshouldnotbeabletoexecuteDBMS_XLMSTORE.

Rationale:

MalicioususersmaybeabletoexploitthispackageasanauxiliaryinjectfunctioninaSQLinjectionattack.

Audit:


SELECT GRANTEE FROM DBA_TAB_PRIVS WHERE TABLE_NAME = 'DBMS_XMLSTORE' AND GRANTEE = 'PUBLIC' AND PRIVILEGE = 'EXECUTE';


Remediation:

Toremediatethissetting,executethefollowingSQLstatement:

REVOKE EXECUTE ON DBMS_XMLSTORE FROM PUBLIC;

References:

1. http://www.davidlitchfield.com/DBMS_XMLSTORE_PLSQL_Injection.pdf

118|P a g e

CISControls:

Version6

18.3SanitizeInputForIn-houseSoftwareForin-housedevelopedsoftware,ensurethatexpliciterrorcheckingisperformedanddocumentedforallinput,includingforsize,datatype,andacceptablerangesorformats.

119|P a g e

4.1.24 Ensure 'EXECUTE' is revoked from 'PUBLIC' on 'DBMS_XMLSAVE' (Scored)



Description:

TheDBMS_XLMSTOREpackageprovidesXMLfunctionality.ItacceptsatablenameandXMLasinputandtheninsertsintoorupdatesthattable.TheuserPUBLICshouldnotbeabletoexecuteDBMS_XLMSAVE.

Rationale:


Audit:

Toassessthisrecommendation,executethefollowingSQLstatement:

SELECT GRANTEE FROM DBA_TAB_PRIVS WHERE TABLE_NAME = 'DBMS_XMLSAVE' AND GRANTEE = 'PUBLIC' AND PRIVILEGE = 'EXECUTE';


Remediation:

Toremediatethissetting,executethefollowingSQLstatement

REVOKE EXECUTE ON DBMS_XMLSAVE FROM PUBLIC;

References:

1. http://www.davidlitchfield.com/DBMS_XMLSTORE_PLSQL_Injection.pdf

CISControls:

Version6

18.3SanitizeInputForIn-houseSoftwareForin-housedevelopedsoftware,ensurethatexpliciterrorcheckingisperformed

120|P a g e

anddocumentedforallinput,includingforsize,datatype,andacceptablerangesorformats.

121|P a g e

4.1.25 Ensure 'EXECUTE' is revoked from 'PUBLIC' on 'DBMS_REDACT' (Scored)



Description:

TheDBMS_REDACTpackageprovidesaninterfacetoOracleDataRedaction,whichenablesyoutomask(redact)datathatisreturnedfromqueriesissuedbylow-privilegedusersoranapplication.TheuserPUBLICshouldnotbeabletoexecuteDBMS_REDACT.

Rationale:


Audit:

Toassessthisrecommendation,executethefollowingSQLstatement

SELECT GRANTEE FROM DBA_TAB_PRIVS WHERE TABLE_NAME = 'DBMS_REDACT' AND GRANTEE = 'PUBLIC' AND PRIVILEGE = 'EXECUTE';


Remediation:

Toremediatethissetting,executethefollowingSQLstatement

REVOKE EXECUTE ON DBMS_REDACT FROM PUBLIC;

CISControls:

Version6

18.3SanitizeInputForIn-houseSoftwareForin-housedevelopedsoftware,ensurethatexpliciterrorcheckingisperformedanddocumentedforallinput,includingforsize,datatype,andacceptablerangesorformats.

122|P a g e

4.2 Revoke Non-Default Privileges for Packages and Object Types

Therecommendationswithinthissectionrevokeexcessiveprivilegesforpackagesandobjecttypes.

4.2.1 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_SYS_SQL' (Scored)



Description:

TheOracledatabaseDBMS_SYS_SQLpackageisshippedasundocumented.TheuserPUBLICshouldnotbeabletoexecuteDBMS_SYS_SQL.

Rationale:

TheDBMS_SYS_SQLpackagecouldallowanusertoruncodeasadifferentuserwithoutenteringvalidcredentials.

Audit:


SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_SYS_SQL';


Remediation:


REVOKE EXECUTE ON DBMS_SYS_SQL FROM PUBLIC;

123|P a g e

References:

1. http://asktom.oracle.com/pls/asktom/f?p=100:11:0::::P11_QUESTION_ID:1325202421535

CISControls:

Version6


124|P a g e

4.2.2 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_BACKUP_RESTORE' (Scored)



Description:

TheOracledatabaseDBMS_BACKUP_RESTOREpackageisusedforapplyingPL/SQLcommandstothenativeRMANsequences.TheuserPUBLICshouldnotbeabletoexecuteDBMS_BACKUP_RESTORE.

Rationale:

TheDBMS_BACKUP_RESTOREpackagecanallowaccesstoOSfiles.

Audit:


SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_BACKUP_RESTORE';


Remediation:


REVOKE EXECUTE ON DBMS_BACKUP_RESTORE FROM PUBLIC;

References:

1. http://psoug.org/reference/dbms_backup_restore.html2. http://davidalejomarcos.wordpress.com/2011/09/13/how-to-list-files-on-a-

directory-from-oracle-database/

125|P a g e

CISControls:

Version6


126|P a g e

4.2.3 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_AQADM_SYSCALLS' (Scored)



Description:

TheOracledatabaseDBMS_AQADM_SYSCALLSpackageisshippedasundocumented.TheuserPUBLICshouldnotbeabletoexecuteDBMS_AQADM_SYSCALLS.

Rationale:

TheDBMS_AQADM_SYSCALLSpackagecouldallowanunauthorizedusertorunSQLcommandsasuserSYS.

Audit:


SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_AQADM_SYSCALLS';


Remediation:


REVOKE EXECUTE ON DBMS_AQADM_SYSCALLS FROM PUBLIC;

References:

1. http://securityvulns.ru/files/ohh-indirect-privilege-escalation.pdf

CISControls:

Version6


127|P a g e

4.2.4 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_REPCAT_SQL_UTL' (Scored)



Description:

TheOracledatabaseDBMS_REPCAT_SQL_UTLpackageisshippedasundocumentedandallowstorunSQLcommandsasuserSYS.TheuserPUBLICshouldnotbeabletoexecuteDBMS_REPCAT_SQL_UTL.

Rationale:

TheDBMS_REPCAT_SQL_UTLpackagecouldallowanunauthorizedusertorunSQLcommandsasuserSYS.

Audit:


SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_REPCAT_SQL_UTL';


Remediation:


revoke execute on DBMS_REPCAT_SQL_UTL FROM PUBLIC;

References:


128|P a g e

CISControls:

Version6


129|P a g e

4.2.5 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'INITJVMAUX' (Scored)



Description:

TheOracledatabaseINITJVMAUXpackageisshippedasundocumentedandallowstorunSQLcommandsasuserSYS.TheuserPUBLICshouldnotbeabletoexecuteINITJVMAUX.

Rationale:

TheINITJVMAUXpackagecouldallowanunauthorizedusertorunSQLcommandsasuserSYS.

Audit:


SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='INITJVMAUX';


Remediation:


REVOKE EXECUTE ON INITJVMAUX FROM PUBLIC;

References:


CISControls:

Version6


130|P a g e

4.2.6 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_STREAMS_ADM_UTL' (Scored)



Description:

TheOracledatabaseDBMS_STREAMS_ADM_UTLpackageisshippedasundocumentedandallowstorunSQLcommandsasuserSYS.TheuserPUBLICshouldnotbeabletoexecuteDBMS_STREAMS_ADM_UTL.

Rationale:

TheDBMS_STREAMS_ADM_UTLpackagecouldallowanunauthorizedusertorunSQLcommandsasuserSYS.

Audit:


SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_STREAMS_ADM_UTL';


Remediation:


REVOKE EXECUTE ON DBMS_STREAMS_ADM_UTL FROM PUBLIC;

References:


131|P a g e

CISControls:

Version6


132|P a g e

4.2.7 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_AQADM_SYS' (Scored)



Description:

TheOracledatabaseDBMS_AQADM_SYSpackageisshippedasundocumentedandallowstorunSQLcommandsasuserSYS.TheuserPUBLICshouldnotbeabletoexecuteDBMS_AQADM_SYS.

Rationale:

TheDBMS_AQADM_SYSpackagecouldallowanunauthorizedusertorunSQLcommandsasuserSYS.

Audit:


SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_AQADM_SYS';


Remediation:


REVOKE EXECUTE ON DBMS_AQADM_SYS FROM PUBLIC;

CISControls:

Version6


133|P a g e

4.2.8 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_STREAMS_RPC' (Scored)



Description:

TheOracledatabaseDBMS_STREAMS_RPCpackageisshippedasundocumentedandallowstorunSQLcommandsasuserSYS.TheuserPUBLICshouldnotbeabletoexecuteDBMS_STREAMS_RPC.

Rationale:

TheDBMS_STREAMS_RPCpackagecouldallowanunauthorizedusertorunSQLcommandsasuserSYS.

Audit:


SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_STREAMS_RPC';


Remediation:


REVOKE EXECUTE ON DBMS_STREAMS_RPC FROM PUBLIC;

References:


134|P a g e

CISControls:

Version6


135|P a g e

4.2.9 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_PRVTAQIM' (Scored)



Description:

TheOracledatabaseDBMS_PRVTAQIMpackageisshippedasundocumentedandallowstorunSQLcommandsasuserSYS.TheuserPUBLICshouldnotbeabletoexecuteDBMS_PRVTAQIM.

Rationale:

TheDBMS_PRVTAQIMpackagecouldallowanunauthorizedusertoescalateprivilegesbecauseanySQLstatementscouldbeexecutedasuserSYS.

Audit:


SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_PRVTAQIM';


Remediation:


REVOKE EXECUTE ON DBMS_PRVTAQIM FROM PUBLIC;

References:


136|P a g e

CISControls:

Version6


137|P a g e

4.2.10 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'LTADM' (Scored)



Description:

TheOracledatabaseLTADMpackageisshippedasundocumented.Itallowsprivilegeescalationifgrantedtounprivilegedusers.TheuserPUBLICshouldnotbeabletoexecuteLTADM.

Rationale:

TheLTADMpackagecouldallowanunauthorizedusertorunanySQLcommandasuserSYS.

Audit:


SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='LTADM';


Remediation:


REVOKE EXECUTE ON LTADM FROM PUBLIC;

References:


CISControls:

Version6


138|P a g e

4.2.11 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'WWV_DBMS_SQL' (Scored)



Description:

TheOracledatabaseWWV_DBMS_SQLpackageisshippedasundocumented.ItallowsOracleApplicationExpresstorundynamicSQLstatements.

Rationale:

TheWWV_DBMS_SQLpackagecouldallowanunauthorizedusertorunSQLstatementsastheApplicationExpress(APEX)user.TheuserPUBLICshouldnotbeabletoexecuteWWV_DBMS_SQL.

Audit:


SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='WWV_DBMS_SQL';


Remediation:


REVOKE EXECUTE ON WWV_DBMS_SQL FROM PUBLIC;

CISControls:

Version6

14ControlledAccessBasedontheNeedtoKnowControlledAccessBasedontheNeedtoKnow

139|P a g e

4.2.12 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'WWV_EXECUTE_IMMEDIATE' (Scored)



Description:

TheOracledatabaseWWV_EXECUTE_IMMEDIATEpackageisshippedasundocumented.ItallowsOracleApplicationExpresstorundynamicSQLstatements.TheuserPUBLICshouldnotbeabletoexecuteWWV_EXECUTE_IMMEDIATE.

Rationale:

TheWWV_EXECUTE_IMMEDIATEpackagecouldallowanunauthorizedusertorunSQLstatementsastheApplicationExpress(APEX)user.

Audit:


SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='WWV_EXECUTE_IMMEDIATE';


Remediation:


REVOKE EXECUTE ON WWV_EXECUTE_IMMEDIATE FROM PUBLIC;

References:

1. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-1811

140|P a g e

CISControls:

Version6


141|P a g e

4.2.13 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_IJOB' (Scored)



Description:

TheOracledatabaseDBMS_IJOBpackageisshippedasundocumented.Itallowsausertorundatabasejobsinthecontextofanotheruser.TheuserPUBLICshouldnotbeabletoexecuteDBMS_IJOB.

Rationale:

TheDBMS_IJOBpackagecouldallowanattackertochangeidentitiesbyusingadifferentusernametoexecuteadatabasejob.

Audit:


SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_IJOB';


Remediation:


REVOKE EXECUTE ON DBMS_IJOB FROM PUBLIC;

CISControls:

Version6


142|P a g e

4.2.14 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_FILE_TRANSFER' (Scored)



Description:

TheOracledatabaseDBMS_FILE_TRANSFERpackageallowsausertotransferfilesfromonedatabaseservertoanother.TheuserPUBLICshouldnotbeabletoexecuteDBMS_FILE_TRANSFER.

Rationale:

TheDBMS_FILE_TRANSFERpackagecouldallowtotransferfilesfromonedatabaseservertoanotherwithoutauthorizationtodoso.

Audit:


SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_FILE_TRANSFER';


Remediation:


REVOKE EXECUTE ON DBMS_FILE_TRANSFER FROM PUBLIC;

References:

1. http://docs.oracle.com/database/121/ARPLS/d_ftran.htm#ARPLS095

143|P a g e

CISControls:

Version6


144|P a g e

4.3 Revoke Excessive System Privileges

Therecommendationswithinthissectionrevokeexcessivesystemprivileges.

4.3.1 Ensure 'SELECT ANY DICTIONARY' Is Revoked from Unauthorized 'GRANTEE' (Scored)



Description:

TheOracledatabaseSELECT ANY DICTIONARYprivilegeallowsthedesignatedusertoaccessSYSschemaobjects.Unauthorizedgranteesshouldnothavethatprivilege.

Rationale:

TheOraclepasswordhashesarepartoftheSYSschemaandcanbeselectedusingSELECT ANY DICTIONARYprivileges.

Audit:


SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='SELECT ANY DICTIONARY' AND GRANTEE NOT IN ('DBA','DBSNMP','OEM_MONITOR', 'OLAPSYS','ORACLE_OCM','SYSMAN','WMSYS','SYSBACKUP','SYSDG');


Remediation:


REVOKE SELECT_ANY_DICTIONARY FROM <grantee>;

References:

1. http://docs.oracle.com/database/121/DBSEG/authorization.htm#DBSEG998702. http://docs.oracle.com/database/121/REFRN/GUID-10024282-6729-4C66-8679-

FD653C9C7DE7.htm#REFRN-GUID-10024282-6729-4C66-8679-FD653C9C7DE7

145|P a g e

3. http://arup.blogspot.de/2011/07/difference-between-select-any.html

CISControls:

Version6


146|P a g e

4.3.2 Ensure 'SELECT ANY TABLE' Is Revoked from Unauthorized 'GRANTEE' (Scored)



Description:

TheOracledatabaseSELECT ANY TABLEprivilegeallowsthedesignatedusertoopenanytable,exceptSYS,toviewit.Unauthorizedgranteesshouldnothavethatprivilege.

Rationale:

AssignmentoftheSELECT ANY TABLEprivilegecanallowtheunauthorizedviewingofsensitivedata.

Audit:


SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='SELECT ANY TABLE' AND GRANTEE NOT IN ('DBA', 'MDSYS', 'SYS', 'IMP_FULL_DATABASE', 'EXP_FULL_DATABASE','DATAPUMP_IMP_FULL_DATABASE', 'WMSYS', 'SYSTEM','OLAP_DBA', 'DV_REALM_OWNER');


Remediation:


REVOKE SELECT ANY TABLE FROM <grantee>;

References:

1. http://docs.oracle.com/database/121/SQLRF/statements_10002.htm#SQLRF01702

Notes:

IfO7_DICTIONARY_ACCESSIBILITYhasbeensettoTRUE(non-defaultsetting)thentheSELECT ANY TABLEprivilegeprovidesaccesstoSYSobjects.

147|P a g e

CISControls:

Version6


148|P a g e

4.3.3 Ensure 'AUDIT SYSTEM' Is Revoked from Unauthorized 'GRANTEE' (Scored)



Description:

TheOracledatabaseAUDIT SYSTEMprivilegeallowschangestoauditingactivitiesonthesystem.Unauthorizedgranteesshouldnothavethatprivilege.

Rationale:

TheAUDIT SYSTEMprivilegecanallowtheunauthorizedalterationofsystemauditactivities,suchasdisablingthecreationofaudittrails.

Audit:

Toassesthisrecommendation,executethefollowingSQLstatement.

SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='AUDIT SYSTEM' AND GRANTEE NOT IN ('DBA','DATAPUMP_IMP_FULL_DATABASE','IMP_FULL_DATABASE', 'SYS','AUDIT_ADMIN');


Remediation:


REVOKE AUDIT SYSTEM FROM <grantee>;

References:

1. http://docs.oracle.com/database/121/SQLRF/statements_4007.htm#SQLRF011072. http://docs.oracle.com/database/121/SQLRF/statements_4008.htm#SQLRF56110

149|P a g e

CISControls:

Version6


150|P a g e

4.3.4 Ensure 'EXEMPT ACCESS POLICY' Is Revoked from Unauthorized 'GRANTEE' (Scored)



Description:

TheOracledatabaseEXEMPT ACCESS POLICYkeywordprovidestheuserthecapabilitytoaccessallthetablerowsregardlessofrow-levelsecuritylockouts.Unauthorizedgranteesshouldnothavethatkeywordassignedtothem.

Rationale:

TheEXEMPT ACCESS POLICYprivilegecanallowanunauthorizedusertopotentiallyaccessandchangedata.

Audit:


SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='EXEMPT ACCESS POLICY';


Remediation:


REVOKE EXEMPT ACCESS POLICY FROM <grantee>;

References:

1. http://docs.oracle.com/database/121/DBSEG/audit_config.htm#DBSEG7032. http://docs.oracle.com/database/121/DBSEG/vpd.htm#CIHEEAFJ

151|P a g e

CISControls:

Version6


152|P a g e

4.3.5 Ensure 'BECOME USER' Is Revoked from Unauthorized 'GRANTEE' (Scored)



Description:

TheOracledatabaseBECOME USERprivilegeallowsthedesignatedusertoinherittherightsofanotheruser.Unauthorizedgranteesshouldnothavethatprivilege.

Rationale:

TheBECOME USERprivilegecanallowtheunauthorizeduseofanotheruser'sprivileges,thiscapabilityshouldberestrictedaccordingtotheneedsoftheorganization.

Audit:


SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='BECOME USER' AND GRANTEE NOT IN ('DBA','SYS','IMP_FULL_DATABASE');


Remediation:


REVOKE BECOME USER FROM <grantee>;

References:

1. http://docs.oracle.com/database/121/DBSEG/guidelines.htm#DBSEG499

CISControls:

Version6


153|P a g e

4.3.6 Ensure 'CREATE_PROCEDURE' Is Revoked from Unauthorized 'GRANTEE' (Scored)



Description:

TheOracledatabaseCREATE PROCEDUREprivilegeallowsthedesignatedusertocreateastoredprocedurethatwillfirewhengiventhecorrectcommandsequence.Unauthorizedgranteesshouldnothavethatprivilege.

Rationale:

TheCREATE PROCEDUREprivilegecanleadtosevereproblemsinunauthorizedhands,suchasrogueproceduresfacilitatingdatatheftordenial-of-servicebycorruptingdatatables.

Audit:


SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='CREATE PROCEDURE' AND GRANTEE NOT IN ( 'DBA','DBSNMP','MDSYS','OLAPSYS','OWB$CLIENT', 'OWBSYS','RECOVERY_CATALOG_OWNER','SPATIAL_CSW_ADMIN_USR', 'SPATIAL_WFS_ADMIN_USR','SYS','APEX_030200','APEX_040000', 'APEX_040100','APEX_040200','DVF','RESOURCE','DV_REALM_RESOURCE', 'APEX_GRANTS_FOR_NEW_USERS_ROLE','APEX_050000','MGMT_VIEW', 'SYSMAN_MDS','SYSMAN_OPSS','SYSMAN_RO','SYSMAN_STB');


Remediation:


REVOKE CREATE PROCEDURE FROM <grantee>;

References:


154|P a g e

CISControls:

Version6


155|P a g e

4.3.7 Ensure 'ALTER SYSTEM' Is Revoked from Unauthorized 'GRANTEE' (Scored)



Description:

TheOracledatabaseALTER SYSTEMprivilegeallowsthedesignatedusertodynamicallyaltertheinstance'srunningoperations.Unauthorizedgranteesshouldnothavethatprivilege.

Rationale:

TheALTER SYSTEMprivilegecanleadtosevereproblems,suchastheinstance'ssessionbeingkilledorthestoppingofredologrecording,whichwouldmaketransactionsunrecoverable.

Audit:


SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='ALTER SYSTEM' AND GRANTEE NOT IN ('SYS','SYSTEM','APEX_030200','APEX_040000', 'APEX_040100','APEX_040200','DBA','EM_EXPRESS_ALL','SYSBACKUP', 'GSMADMIN_ROLE','GSM_INTERNAL','SYSDG','GSMADMIN_INTERNAL');


Remediation:


REVOKE ALTER SYSTEM FROM <grantee>;

References:


156|P a g e

CISControls:

Version6


157|P a g e

4.3.8 Ensure 'CREATE ANY LIBRARY' Is Revoked from Unauthorized 'GRANTEE' (Scored)



Description:

TheOracledatabaseCREATE ANY LIBRARYprivilegeallowsthedesignatedusertocreateobjectsthatareassociatedtothesharedlibraries.Unauthorizedgranteesshouldnothavethatprivilege.

Rationale:

TheCREATE ANY LIBRARYprivilegecanallowthecreationofnumerouslibrary-associatedobjectsandpotentiallycorruptthelibraries'integrity.

Audit:


SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='CREATE ANY LIBRARY' AND GRANTEE NOT IN ('SYS','SYSTEM','DBA','IMP_FULL_DATABASE');


Remediation:


REVOKE CREATE ANY LIBRARY FROM <grantee>;

References:

1. http://docs.oracle.com/database/121/DBSEG/guidelines.htm#DBSEG4992. http://docs.oracle.com/database/121/ADMIN/manproc.htm#ADMIN00501

Notes:

Oraclehastwoidenticalprivileges:CREATE LIBRARYandCREATE ANY LIBRARY.

158|P a g e

CISControls:

Version6


159|P a g e

4.3.9 Ensure 'CREATE LIBRARY' Is Revoked from Unauthorized 'GRANTEE' (Scored)



Description:

TheOracledatabaseCREATE LIBRARYprivilegeallowsthedesignatedusertocreateobjectsthatareassociatedtothesharedlibraries.Unauthorizedgranteesshouldnothavethatprivilege.

Rationale:

TheCREATE LIBRARYprivilegecanallowthecreationofnumerouslibrary-associatedobjectsandpotentiallycorruptthelibraries'integrity.

Audit:


SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='CREATE LIBRARY' AND GRANTEE NOT IN ('SYS','SYSTEM','DBA','MDSYS','SPATIAL_WFS_ADMIN_USR', 'SPATIAL_CSW_ADMIN_USR','DVSYS','GSMADMIN_INTERNAL','XDB');


Remediation:


REVOKE CREATE LIBRARY FROM <grantee>;

References:

1. http://docs.oracle.com/database/121/DBSEG/guidelines.htm#DBSEG4992. http://docs.oracle.com/database/121/ADMIN/manproc.htm#ADMIN00501

Notes:

Oraclehastwoidenticalprivileges:CREATE LIBRARYandCREATE ANY LIBRARY.

160|P a g e

CISControls:

Version6


161|P a g e

4.3.10 Ensure 'GRANT ANY OBJECT PRIVILEGE' Is Revoked from Unauthorized 'GRANTEE' (Scored)



Description:

TheOracledatabaseGRANT ANY OBJECT PRIVILEGEkeywordprovidesthegranteethecapabilitytograntaccesstoanysingleormultiplecombinationsofobjectstoanygranteeinthecatalogofthedatabase.Unauthorizedgranteesshouldnothavethatkeywordassignedtothem.

Rationale:

TheGRANT ANY OBJECT PRIVILEGEcapabilitycanallowanunauthorizedusertopotentiallyaccessorchangeconfidentialdata,ordamagethedatacatalogduetopotentialcompleteinstanceaccess.

Audit:


SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='GRANT ANY OBJECT PRIVILEGE' AND GRANTEE NOT IN ('DBA','SYS','IMP_FULL_DATABASE', 'DATAPUMP_IMP_FULL_DATABASE', 'EM_EXPRESS_ALL', 'DV_REALM_OWNER');


Remediation:


REVOKE GRANT ANY OBJECT PRIVILEGE FROM <grantee>;

References:

1. http://docs.oracle.com/database/121/DBSEG/authorization.htm#DBSEG99914

162|P a g e

CISControls:

Version6


163|P a g e

4.3.11 Ensure 'GRANT ANY ROLE' Is Revoked from Unauthorized 'GRANTEE' (Scored)



Description:

TheOracledatabaseGRANT ANY ROLEkeywordprovidesthegranteethecapabilitytograntanysingleroletoanygranteeinthecatalogofthedatabase.Unauthorizedgranteesshouldnothavethatkeywordassignedtothem.

Rationale:

TheGRANT ANY ROLEcapabilitycanallowanunauthorizedusertopotentiallyaccessorchangeconfidentialdataordamagethedatacatalogduetopotentialcompleteinstanceaccess.

Audit:


SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='GRANT ANY ROLE' AND GRANTEE NOT IN ('DBA','SYS','DATAPUMP_IMP_FULL_DATABASE', 'IMP_FULL_DATABASE','SPATIAL_WFS_ADMIN_USR', 'SPATIAL_CSW_ADMIN_USR','GSMADMIN_INTERNAL', 'DV_REALM_OWNER', 'EM_EXPRESS_ALL', 'DV_OWNER');


Remediation:


REVOKE GRANT ANY ROLE FROM <grantee>;

References:


164|P a g e

CISControls:

Version6


165|P a g e

4.3.12 Ensure 'GRANT ANY PRIVILEGE' Is Revoked from Unauthorized 'GRANTEE' (Scored)



Description:

TheOracledatabaseGRANT ANY PRIVILEGEkeywordprovidesthegranteethecapabilitytograntanysingleprivilegetoanyiteminthecatalogofthedatabase.Unauthorizedgranteesshouldnothavethatprivilege.

Rationale:

TheGRANT ANY PRIVILEGEcapabilitycanallowanunauthorizedusertopotentiallyaccessorchangeconfidentialdataordamagethedatacatalogduetopotentialcompleteinstanceaccess.

Audit:


SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='GRANT ANY PRIVILEGE' AND GRANTEE NOT IN ('DBA','SYS','IMP_FULL_DATABASE', 'DATAPUMP_IMP_FULL_DATABASE', 'DV_REALM_OWNER','EM_EXPRESS_ALL');


Remediation:


REVOKE GRANT ANY PRIVILEGE FROM <grantee>;

References:


166|P a g e

CISControls:

Version6


167|P a g e

4.4 Revoke Role Privileges

Therecommendationswithinthissectionintendtorevokepowerfulroleswheretheyarelikelynotneeded.

4.4.1 Ensure 'DELETE_CATALOG_ROLE' Is Revoked from Unauthorized 'GRANTEE' (Scored)



Description:

TheOracledatabaseDELETE_CATALOG_ROLEprovidesDELETEprivilegesfortherecordsinthesystem'saudittable(AUD$).Unauthorizedgranteesshouldnothavethatrole.

Rationale:

PermittingunauthorizedaccesstotheDELETE_CATALOG_ROLEcanallowthedestructionofauditrecordsvitaltotheforensicinvestigationofunauthorizedactivities.

Audit:


SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS WHERE granted_role='DELETE_CATALOG_ROLE' AND GRANTEE NOT IN ('DBA','SYS');


Remediation:


REVOKE DELETE_CATALOG_ROLE FROM <grantee>;

References:

1. http://docs.oracle.com/database/121/DBSEG/authorization.htm#BABFCAFH

168|P a g e

CISControls:

Version6


169|P a g e

4.4.2 Ensure 'SELECT_CATALOG_ROLE' Is Revoked from Unauthorized 'GRANTEE' (Scored)



Description:

TheOracledatabaseSELECT_CATALOG_ROLEprovidesSELECTprivilegesonalldatadictionaryviewsheldintheSYSschema.Unauthorizedgranteesshouldnothavethatrole.

Rationale:

PermittingunauthorizedaccesstotheSELECT_CATALOG_ROLEcanallowthedisclosureofalldictionarydata.

Audit:


SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS WHERE granted_role='SELECT_CATALOG_ROLE' AND grantee not in ('DBA','SYS','IMP_FULL_DATABASE','EXP_FULL_DATABASE', 'OEM_MONITOR', 'SYSBACKUP','EM_EXPRESS_BASIC','SYSMAN');


Remediation:


REVOKE SELECT_CATALOG_ROLE FROM <grantee>;

References:


CISControls:

Version6


170|P a g e


171|P a g e

4.4.3 Ensure 'EXECUTE_CATALOG_ROLE' Is Revoked from Unauthorized 'GRANTEE' (Scored)



Description:

TheOracledatabaseEXECUTE_CATALOG_ROLEprovidesEXECUTEprivilegesforanumberofpackagesandproceduresinthedatadictionaryintheSYSschema.Unauthorizedgranteesshouldnothavethatrole.

Rationale:

PermittingunauthorizedaccesstotheEXECUTE_CATALOG_ROLEcanallowthedisruptionofoperationsbyinitializationofrogueprocedures,thiscapabilityshouldberestrictedaccordingtotheneedsoftheorganization.

Audit:


SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS WHERE granted_role='EXECUTE_CATALOG_ROLE' AND grantee not in ('DBA','SYS','IMP_FULL_DATABASE','EXP_FULL_DATABASE');


Remediation:


REVOKE EXECUTE_CATALOG_ROLE FROM <grantee>;

References:


172|P a g e

CISControls:

Version6


173|P a g e

4.4.4 Ensure 'DBA' Is Revoked from Unauthorized 'GRANTEE' (Scored)



Description:

TheOracledatabaseDBAroleisthedefaultdatabaseadministratorroleprovidedfortheallocationofadministrativeprivileges.Unauthorizedgranteesshouldnothavethatrole.

Rationale:

AssignmentoftheDBAroletoanordinaryusercanprovideagreatnumberofunnecessaryprivilegestothatuserandopenthedoortodatabreaches,integrityviolations,anddenial-of-serviceconditions.

Audit:


SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS WHERE GRANTED_ROLE='DBA' AND GRANTEE NOT IN ('SYS','SYSTEM');


Remediation:


REVOKE DBA FROM <grantee>;

References:


CISControls:

Version6


174|P a g e


175|P a g e

4.5 Revoke Excessive Table and View Privileges

Therecommendationswithinthissectionintendtorevokeexcessivetableandviewprivileges.

4.5.1 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'AUD$' (Scored)



Description:

TheOracledatabaseSYS.AUD$tablecontainsalltheauditrecordsforthedatabaseofthenon-DataManipulationLanguage(DML)events,suchasALTER,DROP,andCREATE,andsoforth.(DMLchangesneedtrigger-basedauditeventstorecorddataalterations.)Unauthorizedgranteesshouldnothavefullaccesstothattable.

Rationale:

Permittingnon-privilegeduserstheauthorizationtomanipulatetheSYS.AUD$tablecanallowdistortionoftheauditrecords,hidingunauthorizedactivities.

Audit:


SELECT GRANTEE, PRIVILEGE FROM DBA_TAB_PRIVS WHERE TABLE_NAME='AUD$' AND GRANTEE NOT IN ('DELETE_CATALOG_ROLE');


Remediation:


REVOKE ALL ON AUD$ FROM <grantee>;

References:

1. http://docs.oracle.com/database/121/DBSEG/audit_admin.htm#DBSEG629

176|P a g e

CISControls:

Version6


177|P a g e

4.5.2 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'USER_HISTORY$' (Scored)



Description:

TheOracledatabaseSYS.USER_HISTORY$tablecontainsalltheauditrecordsfortheuser'spasswordchangehistory.(Thistablegetsupdatedbypasswordchangesiftheuserhasanassignedprofilethathasapasswordreuselimitset,e.g.,PASSWORD_REUSE_TIMEsettootherthanUNLIMITED.)Unauthorizedgranteesshouldnothavefullaccesstothattable.

Rationale:

Permittingnon-privilegeduserstheauthorizationtomanipulatetherecordsintheSYS.USER_HISTORY$tablecanallowdistortionoftheaudittrail,potentiallyhidingunauthorizeddataconfidentialityattacksorintegritychanges.

Audit:


SELECT GRANTEE, PRIVILEGE FROM DBA_TAB_PRIVS WHERE TABLE_NAME='USER_HISTORY$' AND OWNER = 'SYS';


Remediation:


REVOKE ALL ON USER_HISTORY$ FROM <grantee>;

References:

1. http://marcel.vandewaters.nl/oracle/database-oracle/password-history-reusing-a-password

Notes:

USER_HISTORY$containsonlytheold,case-insensitivepasswords.

178|P a g e

CISControls:

Version6


16.14Encrypt/HashAllAuthenticationFilesAndMonitorTheirAccessVerifythatallauthenticationfilesareencryptedorhashedandthatthesefilescannotbeaccessedwithoutrootoradministratorprivileges.Auditallaccesstopasswordfilesinthesystem.

179|P a g e

4.5.3 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'LINK$' (Scored)



Description:

TheOracledatabaseSYS.LINK$tablecontainsalltheuser'spasswordinformationanddatatablelinkinformation.Unauthorizedgranteesshouldnothavefullaccesstothattable.

Rationale:

Permittingnon-privilegeduserstomanipulateorviewtheSYS.LINK$tablecanallowcaptureofpasswordinformationand/orcorrupttheprimarydatabaselinkages.

Audit:


SELECT GRANTEE, PRIVILEGE FROM DBA_TAB_PRIVS WHERE TABLE_NAME='LINK$' AND GRANTEE NOT IN ('DV_SECANALYST') AND OWNER='SYS';


Remediation:


REVOKE ALL ON LINK$ FROM <grantee>;

CISControls:

Version6


180|P a g e


181|P a g e

4.5.4 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'SYS.USER$' (Scored)



Description:

TheOracledatabaseSYS.USER$tablecontainstheusers'hashedpasswordinformation.Unauthorizedgranteesshouldnothavefullaccesstothattable.

Rationale:

Permittingnon-privilegeduserstheauthorizationtoopentheSYS.USER$tablecanallowthecaptureofpasswordhashesforthelaterapplicationofpasswordcrackingalgorithmstobreachconfidentiality.

Audit:


SELECT GRANTEE, PRIVILEGE FROM DBA_TAB_PRIVS WHERE TABLE_NAME='USER$' AND OWNER='SYS' AND GRANTEE NOT IN ('CTXSYS','XDB','APEX_030200','SYSMAN','APEX_040000', 'APEX_040100','APEX_040200','DV_SECANALYST','DVSYS','ORACLE_OCM');


Remediation:


REVOKE ALL ON SYS.USER$ FROM <grantee>;

References:

1. http://dba.stackexchange.com/questions/17513/what-do-the-columns-in-sys-user-represent

182|P a g e

CISControls:

Version6



183|P a g e

4.5.5 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'DBA_%' (Scored)



Description:

TheOracledatabaseDBA_viewsshowallinformationwhichisrelevanttoadministrativeaccounts.Unauthorizedgranteesshouldnothavefullaccesstothoseviews.

Rationale:

PermittinguserstheauthorizationtomanipulatetheDBA_viewscanexposesensitivedata.

Audit:


SELECT grantee||'.'||table_name FROM DBA_TAB_PRIVS WHERE TABLE_NAME LIKE 'DBA_%' AND GRANTEE NOT IN ('DBA','AUDIT_ADMIN','AUDIT_VIEWER','CAPTURE_ADMIN', 'DVSYS','SYSDG','DV_SECANALYST','SYSKM','DV_MONITOR', 'ORACLE_OCM','DV_ACCTMGR','GSMADMIN_INTERNAL','XDB', 'SYS','APPQOSSYS','AQ_ADMINISTRATOR_ROLE','CTXSYS', 'EXFSYS','MDSYS','OLAP_XS_ADMIN','OLAPSYS','ORDSYS', 'OWB$CLIENT','OWBSYS','SELECT_CATALOG_ROLE', 'WM_ADMIN_ROLE','WMSYS','XDBADMIN','LBACSYS', 'ADM_PARALLEL_EXECUTE_TASK','CISSCANROLE') AND NOT REGEXP_LIKE(grantee,'^APEX_0[3-9][0-9][0-9][0-9][0-9]$');


Note:AnorganizationshouldperformproperimpactanalysisbeforerevokinggrantsonDBA_objects.

Remediation:

Replace<Non-DBA/SYS grantee>inthequerybelow,withtheOraclelogin(s)orrole(s)returnedfromtheassociatedauditprocedureandexecute:

REVOKE ALL ON DBA_ FROM <NON-DBA/SYS grantee>;

184|P a g e

References:

1. http://docs.oracle.com/database/121/REFRN/GUID-10024282-6729-4C66-8679-FD653C9C7DE7.htm#REFRN-GUID-10024282-6729-4C66-8679-FD653C9C7DE7

CISControls:

Version6


185|P a g e

4.5.6 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'SYS.SCHEDULER$_CREDENTIAL' (Scored)



Description:

TheOracledatabaseSCHEDULER$_CREDENTIALtablecontainsthedatabaseschedulercredentialinformation.Unauthorizedgranteesshouldnothavefullaccesstothattable.

Rationale:

Permittingnon-privilegeduserstheauthorizationtoopentheSYS.SCHEDULER$_CREDENTIALtablecouldexposethecredentialstocompromiseandreuse.

Audit:


SELECT GRANTEE, PRIVILEGE FROM DBA_TAB_PRIVS WHERE TABLE_NAME='SCHEDULER$_CREDENTIAL' AND OWNER='SYS';


Remediation:


REVOKE ALL ON SYS.SCHEDULER4_CREDENTIAL FROM <username>;

References:

1. http://docs.oracle.com/database/121/ADMIN/schedadmin.htm#ADMIN120732. http://berxblog.blogspot.de/2012/02/restore-dbmsschedulercreatecredential.html

Notes:

** *_SCHEDULER_CREDENTIALSisdeprecatedinOracleDatabase12c,butremainsavailableforreasonsofbackwardcompatibility.

186|P a g e

CISControls:

Version6



187|P a g e

4.5.7 Ensure 'SYS.USER$MIG' Has Been Dropped (Scored)



Description:

Thetablesys.user$migiscreatedduringmigrationandcontainstheOraclepasswordhashesbeforethemigrationstarts.Thistableshouldbedropped.

Rationale:

Thetablesys.user$migisnotdeletedafterthemigration.AnattackercouldaccessthetablecontainingtheOraclepasswordhashes.

Audit:


SELECT OWNER, TABLE_NAME FROM ALL_TABLES WHERE OWNER='SYS' AND TABLE_NAME='USER$MIG';


Remediation:


DROP TABLE SYS.USER$MIG;

CISControls:

Version6


188|P a g e

4.6 Ensure '%ANY%' Is Revoked from Unauthorized 'GRANTEE' (Scored)



Description:

TheOracledatabaseANYkeywordprovidestheuserthecapabilitytoalteranyiteminthecatalogofthedatabase.Unauthorizedgranteesshouldnothavethatkeywordassignedtothem.

Rationale:

AuthorizationtousetheANYexpansionofaprivilegecanallowanunauthorizedusertopotentiallychangeconfidentialdataordamagethedatacatalog.

Audit:


SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE LIKE '%ANY%' AND GRANTEE NOT IN ('AQ_ADMINISTRATOR_ROLE','DBA','DBSNMP','EXFSYS', 'EXP_FULL_DATABASE','IMP_FULL_DATABASE', 'DATAPUMP_IMP_FULL_DATABASE','JAVADEBUGPRIV','MDSYS', 'OEM_MONITOR','OLAPSYS','OLAP_DBA','ORACLE_OCM','OWB$CLIENT', 'OWBSYS','SCHEDULER_ADMIN','SPATIAL_CSW_ADMIN_USR', 'SPATIAL_WFS_ADMIN_USR','SYS','SYSMAN','SYSTEM','WMSYS', 'APEX_030200','APEX_040000','APEX_040100','APEX_040200','LBACSYS', 'SYSBACKUP','CTXSYS','OUTLN','DVSYS','ORDPLUGINS','ORDSYS', 'RECOVERY_CATALOG_OWNER_VPD','GSMADMIN_INTERNAL','XDB','SYSDG', 'AUDIT_ADMIN','DV_OWNER','DV_REALM_OWNER','EM_EXPRESS_ALL', 'RECOVERY_CATALOG_OWNER','APEX_050000','SYSMAN_STB', 'SYSMAN_TYPES');


Remediation:


REVOKE ‘<ANY Privilege>’ FROM <grantee>;

189|P a g e

References:


CISControls:

Version6


190|P a g e

4.7 Ensure 'DBA_SYS_PRIVS.%' Is Revoked from Unauthorized 'GRANTEE' with 'ADMIN_OPTION' Set to 'YES' (Scored)



Description:

TheOracledatabaseWITH_ADMINprivilegeallowsthedesignatedusertograntanotheruserthesameprivileges.Unauthorizedgranteesshouldnothavethatprivilege.

Rationale:

AssignmentoftheWITH_ADMINprivilegecanallowthegrantingofarestrictedprivilegetoanunauthorizeduser.

Audit:


SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE ADMIN_OPTION='YES' AND GRANTEE not in ('AQ_ADMINISTRATOR_ROLE','DBA','OWBSYS', 'SCHEDULER_ADMIN','SYS','SYSTEM','WMSYS', 'DVSYS','SYSKM','DV_ACCTMGR') AND NOT REGEXP_LIKE(grantee,'^APEX_0[3-9][0-9][0-9][0-9][0-9]$');


Remediation:


REVOKE <privilege> FROM <grantee>;

CISControls:

Version6


191|P a g e

4.8 Ensure Proxy Users Have Only 'CONNECT' Privilege (Scored)



Description:

DonotgrantprivilegesotherthanCONNECTdirectlytoproxyusers.

Rationale:

Aproxyusershouldonlyhavetheabilitytoconnecttothedatabaseorbasedontheneedsoftheorganization.

Audit:


SELECT GRANTEE,GRANTED_ROLE FROM DBA_ROLE_PRIVS WHERE GRANTEE IN (SELECT PROXY FROM DBA_PROXIES) AND GRANTED_ROLE NOT IN ('CONNECT') UNION SELECT GRANTEE,PRIVILEGE FROM DBA_SYS_PRIVS WHERE GRANTEE IN (SELECT PROXY FROM DBA_PROXIES) AND PRIVILEGE NOT IN ('CREATE SESSION') UNION SELECT GRANTEE,PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE IN (SELECT PROXY FROM DBA_PROXIES);


Remediation:

ToremediatethissettingexecutethefollowingSQLstatementforeach[PRIVILEGE]returned(otherthanCONNECT)byrunningtheauditprocedure.

REVOKE <privilege> FROM <proxy_user>;

CISControls:

Version6


192|P a g e

4.9 Ensure 'EXECUTE ANY PROCEDURE' Is Revoked from 'OUTLN' (Scored)



Description:

RemoveunneededEXECUTE ANY PROCEDUREprivilegesfromOUTLN.

Rationale:

MigratedOUTLNusershavemoreprivilegesthanrequired.

Audit:


SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='EXECUTE ANY PROCEDURE' AND GRANTEE='OUTLN';


Remediation:


REVOKE EXECUTE ANY PROCEDURE FROM OUTLN;

CISControls:

Version6


193|P a g e

4.10 Ensure 'EXECUTE ANY PROCEDURE' Is Revoked from 'DBSNMP' (Scored)



Description:

RemoveunneededEXECUTE ANY PROCEDUREprivilegesfromDBSNMP.

Rationale:

MigratedDBSNMPusershavemoreprivilegesthanrequired.

Audit:


SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='EXECUTE ANY PROCEDURE' AND GRANTEE='DBSNMP';


Remediation:


REVOKE EXECUTE ANY PROCEDURE FROM DBSNMP;

CISControls:

Version6


194|P a g e

5 Audit/Logging Policies and Procedures

Theabilitytoauditdatabaseactivitiesisamongthemostimportantofalldatabasesecurityfeatures.Decisionsmustbemaderegardingthescopeofauditingsinceauditinghascosts-instoragefortheaudittrailandinperformanceimpactonauditedoperations-andperhapseventhedatabaseorsystemingeneral.Thereisalsotheadditionalcosttomanage(store,backup,secure)andreviewthedataintheaudittrail.

Measuresmustbetakentoprotecttheaudittrailitself,foritmaybetargetedforalterationordestructiontohideunauthorizedactivity.Foranauditdestinationoutsidethedatabase,therecommendationsareelsewhereinthisdocument.Auditingrecommendationsforpotentialdatabaseauditdestinationsarebelow.

Auditing"bysession"typicallycreatesfewer(until11g)andslightlysmallerauditrecords,butisdiscouragedinmostsituationssincethereissomelossoffidelity(e.g.objectprivilegeGRANTEE).Moredetailedauditingcreateslargerauditrecords.TheAUDIT_TRAILinitializationparameter(forDB|XML,extended-ornot)isthemaindeterminingfactorforthesizeofagivenauditrecord-andanotablefactorintheperformancecost,althoughthelargestofthelatterisDBversusOSorXML.

ThissectiondealswithstandardOracleauditingsinceauditingofprivilegedconnections(assysdbaorsysoper)isconfiguredviatheAUDIT_SYS_OPERATIONSinitializationparameterandisotherwisenotconfigurable.Thebasictypesofstandardauditingareobject,statementandprivilegeauditing,andeachbehavesdifferently.

Objectauditingappliestospecificobjectsforwhichitisinvokedandalwaysappliestoallusers.Thistypeofauditingisusuallyemployedtoauditapplication-specificsensitiveobjects,butcanalsobeusedtoprotecttheaudittrailinthedatabase.

Privilegeauditingauditstheuseofspecificsystemprivileges,buttypicallyonlyiftheuseractuallypossessestheauditedprivilege.Attemptsthatfailforlackoftheauditedprivilegearetypicallynotaudited.Thisisthemainweaknessofprivilegeauditingandwhystatementauditingisusuallypreferred,iftheoptionexists.

Statementauditingauditstheissuanceofcertaintypesofstatements,usuallywithoutregardtoprivilegeorlackthereof.Bothprivilegeandstatementauditsmaybespecifiedforspecificusersorallusers(thedefault).

195|P a g e

5.1 Traditional Auditing

Therecommendationsinthissectionshouldbefollowediftraditionalauditingisimplemented.

5.1.1 Ensure the 'USER' Audit Option Is Enabled (Scored)



Description:

TheUSERobjectallowsforcreatingaccountsthatcaninteractwiththedatabaseaccordingtotherolesandprivilegesallottedtotheaccount.Itmayalsoowndatabaseobjects.Enablingtheauditoptioncausesauditingofallactivitiesandrequeststocreate,droporalterauser,includingauserchangingtheirownpassword.(Thelatterisnotauditedbyaudit ALTER USER.)

Rationale:

Anyunauthorizedattemptstocreate,droporalterausershouldcauseconcern,whethersuccessfulornot.Auditingcanalsobeusefulinforensicsifanaccountiscompromised,andauditingismandatedbymanycommonsecurityinitiatives.Anabnormallyhighnumberoftheseactivitiesinagivenperiodmightbeworthinvestigation.Anyfailedattempttodropauserorcreateausermaybeworthfurtherreview.

Audit:


SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='USER' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';

Lackofresultsimpliesafinding.

Remediation:

ExecutethefollowingSQLstatementtoremediatethissetting.

AUDIT USER;

196|P a g e

CISControls:

Version6


197|P a g e

5.1.2 Ensure the 'ROLE' Audit Option Is Enabled (Scored)



Description:

TheROLEobjectallowsforthecreationofasetofprivilegesthatcanbegrantedtousersorotherroles.Enablingtheauditoptioncausesauditingofallattempts,successfulornot,tocreate,drop,alterorsetroles.

Rationale:

Rolesareakeydatabasesecurityinfrastructurecomponent.Anyattempttocreate,droporalteraroleshouldbeaudited.Thisstatementauditingoptionalsoauditsattempts,successfulornot,tosetaroleinasession.Anyunauthorizedattemptstocreate,droporalterarolemaybeworthyofinvestigation.Attemptstosetarolebyuserswithouttheroleprivilegemaywarrantinvestigation.

Audit:


SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='ROLE' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';


Remediation:

ExecutethefollowingSQLstatementtoremediatethissetting:

AUDIT ROLE;

Notes:

Thisoptiondoesnotauditrolegrantsandrevokes.

198|P a g e

CISControls:

Version6


199|P a g e

5.1.3 Ensure the 'SYSTEM GRANT' Audit Option Is Enabled (Scored)



Description:

EnablingtheauditoptionfortheSYSTEM GRANTobjectcausesauditingofanyattempt,successfulornot,tograntorrevokeanysystemprivilegeorrole,regardlessofprivilegeheldbytheuserattemptingtheoperation.

Rationale:

Loggingofallgrantandrevokes(rolesandsystemprivileges)canprovideforensicevidenceaboutapatternofsuspect/unauthorizedactivities.Anyunauthorizedattemptmaybecauseforfurtherinvestigation.

Audit:


SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='SYSTEM GRANT' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';


Remediation:


AUDIT SYSTEM GRANT;

CISControls:

Version6


200|P a g e

5.1.4 Ensure the 'PROFILE' Audit Option Is Enabled (Scored)



Description:

ThePROFILEobjectallowsforthecreationofasetofdatabaseresourcelimitsthatcanbeassignedtoauser,sothatthatusercannotexceedthoseresourcelimitations.Enablingtheauditoptioncausesauditingofallattempts,successfulornot,tocreate,droporalteranyprofile.

Rationale:

Asprofilesarepartofthedatabasesecurityinfrastructure,auditingthecreation,modification,anddeletionofprofilesisrecommended.

Audit:


SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='PROFILE' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';


Remediation:


AUDIT PROFILE;

Notes:

Thestatementauditingoptionaudit PROFILEauditseverythingthatthethreeprivilegeauditsaudit CREATE PROFILE,audit DROP PROFILEandaudit ALTER PROFILEdo,butalsoaudits:

1. AttemptstocreateaprofilebyauserwithouttheCREATE PROFILEsystemprivilege.2. AttemptstodropaprofilebyauserwithouttheDROP PROFILEsystemprivilege

201|P a g e

3. AttemptstoalteraprofilebyauserwithouttheALTER PROFILEsystemprivilege.

CISControls:

Version6


202|P a g e

5.1.5 Ensure the 'DATABASE LINK' Audit Option Is Enabled (Scored)



Description:

EnablingtheauditoptionfortheDATABASELINKobjectcausesallactivitiesondatabaselinkstobeaudited.

Rationale:

AstheloggingofuseractivitiesinvolvingthecreationordroppingofaDATABASE LINKcanprovideforensicevidenceaboutapatternofunauthorizedactivities,theauditcapabilityshouldbeenabled.

Audit:


SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='DATABASE LINK' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';


Remediation:


AUDIT DATABASE LINK;

References:

1. http://docs.oracle.com/database/121/DBSEG/audit_config.htm#DBSEG1115

CISControls:

Version6

6.2EnsureAuditLogSettingsSupportAppropriateLogEntryFormattingValidateauditlogsettingsforeachhardwaredeviceandthesoftwareinstalledonit,

203|P a g e

ensuringthatlogsincludeadate,timestamp,sourceaddresses,destinationaddresses,andvariousotherusefulelementsofeachpacketand/ortransaction.SystemsshouldrecordlogsinastandardizedformatsuchassyslogentriesorthoseoutlinedbytheCommonEventExpressioninitiative.Ifsystemscannotgeneratelogsinastandardizedformat,lognormalizationtoolscanbedeployedtoconvertlogsintosuchaformat.

204|P a g e

5.1.6 Ensure the 'PUBLIC DATABASE LINK' Audit Option Is Enabled (Scored)



Description:

ThePUBLIC DATABASE LINKobjectallowsforthecreationofapubliclinkforanapplication-based"user"toaccessthedatabaseforconnections/sessioncreation.Enablingtheauditoptioncausesalluseractivitiesinvolvingthecreation,alteration,ordroppingofpubliclinkstobeaudited.

Rationale:

Astheloggingofuseractivitiesinvolvingthecreation,alteration,ordroppingofaPUBLIC DATABASE LINKcanprovideforensicevidenceaboutapatternofunauthorizedactivities,theauditcapabilityshouldbeenabled.

Audit:


SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='PUBLIC DATABASE LINK' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';


Remediation:


AUDIT PUBLIC DATABASE LINK;

CISControls:

Version6


205|P a g e


206|P a g e

5.1.7 Ensure the 'PUBLIC SYNONYM' Audit Option Is Enabled (Scored)



Description:

ThePUBLIC SYNONYMobjectallowsforthecreationofanalternatedescriptionofanobject.Publicsynonymsareaccessiblebyallusersthathavetheappropriateprivilegestotheunderlyingobject.Enablingtheauditoptioncausesalluseractivitiesinvolvingthecreationordroppingofpublicsynonymstobeaudited.

Rationale:

AstheloggingofuseractivitiesinvolvingthecreationordroppingofaPUBLIC SYNONYMcanprovideforensicevidenceaboutapatternofunauthorizedactivities,theauditcapabilityshouldbeenabled.

Audit:


SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='PUBLIC SYNONYM' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';


Remediation:


AUDIT PUBLIC SYNONYM;

CISControls:

Version6

6.2EnsureAuditLogSettingsSupportAppropriateLogEntryFormattingValidateauditlogsettingsforeachhardwaredeviceandthesoftwareinstalledonit,ensuringthatlogsincludeadate,timestamp,sourceaddresses,destination

207|P a g e

addresses,andvariousotherusefulelementsofeachpacketand/ortransaction.SystemsshouldrecordlogsinastandardizedformatsuchassyslogentriesorthoseoutlinedbytheCommonEventExpressioninitiative.Ifsystemscannotgeneratelogsinastandardizedformat,lognormalizationtoolscanbedeployedtoconvertlogsintosuchaformat.

208|P a g e

5.1.8 Ensure the 'SYNONYM' Audit Option Is Enabled (Scored)



Description:

TheSYNONYMoperationallowsforthecreationofanalternativenameforadatabaseobjectsuchasaJavaclassschemaobject,materializedview,operator,package,procedure,sequence,storedfunction,table,view,user-definedobjecttype,orevenanothersynonym.Thissynonymputsadependencyonitstargetandisrenderedinvalidifthetargetobjectischanged/dropped.Enablingtheauditoptioncausesalluseractivitiesinvolvingthecreationordroppingofsynonymstobeaudited.

Rationale:

AstheloggingofuseractivitiesinvolvingthecreationordroppingofaSYNONYMcanprovideforensicevidenceaboutapatternofsuspect/unauthorizedactivities,theauditcapabilityshouldbeenabled.

Audit:


SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='SYNONYM' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';


Remediation:


AUDIT SYNONYM;

References:

1. http://docs.oracle.com/database/121/DBSEG/audit_config.htm#DBSEG1115

209|P a g e

CISControls:

Version6


210|P a g e

5.1.9 Ensure the 'DIRECTORY' Audit Option Is Enabled (Scored)



Description:

TheDIRECTORYobjectallowsforthecreationofadirectoryobjectthatspecifiesanaliasforadirectoryontheserverfilesystem,wheretheexternalbinaryfileLOBs(BFILEs)/tabledataarelocated.Enablingthisauditoptioncausesalluseractivitiesinvolvingthecreationordroppingofadirectoryaliastobeaudited.

Rationale:

AstheloggingofuseractivitiesinvolvingthecreationordroppingofaDIRECTORYcanprovideforensicevidenceaboutapatternofunauthorizedactivities,theauditcapabilityshouldbeenabled.

Audit:


SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='DIRECTORY' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';


Remediation:


AUDIT DIRECTORY;

References:

1. http://docs.oracle.com/database/121/SQLRF/statements_4007.htm#SQLRF01107

211|P a g e

CISControls:

Version6


212|P a g e

5.1.10 Ensure the 'SELECT ANY DICTIONARY' Audit Option Is Enabled (Scored)



Description:

TheSELECT ANY DICTIONARYcapabilityallowstheusertoviewthedefinitionsofallschemaobjectsinthedatabase.Enablingtheauditoptioncausesalluseractivitiesinvolvingthiscapabilitytobeaudited.

Rationale:

Astheloggingofuseractivitiesinvolvingthecapabilitytoaccessthedescriptionofallschemaobjectsinthedatabasecanprovideforensicevidenceaboutapatternofunauthorizedactivities,theauditcapabilityshouldbeenabled.

Audit:


SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='SELECT ANY DICTIONARY' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';


Remediation:


AUDIT SELECT ANY DICTIONARY;

References:


213|P a g e

CISControls:

Version6


214|P a g e

5.1.11 Ensure the 'GRANT ANY OBJECT PRIVILEGE' Audit Option Is Enabled (Scored)



Description:

GRANT ANY OBJECT PRIVILEGEallowstheusertograntorrevokeanyobjectprivilege,whichincludesprivilegesontables,directories,miningmodels,etc.Enablingthisauditoptioncausesauditingofallusesofthatprivilege.

Rationale:

Loggingofprivilegegrantsthatcanleadtothecreation,alteration,ordeletionofcriticaldata,themodificationofobjects,objectprivilegepropagationandothersuchactivitiescanbecriticaltoforensicinvestigations.

Audit:


SELECT PRIVILEGE, SUCCESS, FAILURE FROM DBA_PRIV_AUDIT_OPTS WHERE PRIVILEGE='GRANT ANY OBJECT PRIVILEGE' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';


Remediation:


AUDIT GRANT ANY OBJECT PRIVILEGE;

Notes:

ThisdoesNOTauditallattemptstograntorrevokeobjectprivilegessincethiscanalsobedonebyanyonewhowasgrantedanobjectprivilegewiththegrantoption.Also,thisnevercreatesanauditrecordforanyonewhodoesnotholdtheGRANT ANY OBJECT PRIVILEGEsystemprivilege.Therefore,manyattempts,successfulornot,tograntandrevokeobjectprivilegesarenotauditedbythis.

215|P a g e

CISControls:

Version6


216|P a g e

5.1.12 Ensure the 'GRANT ANY PRIVILEGE' Audit Option Is Enabled (Scored)



Description:

GRANT ANY PRIVILEGEallowsausertograntanysystemprivilege,includingthemostpowerfulprivilegestypicallyavailableonlytoadministrators-tochangethesecurityinfrastructure,todrop/add/modifyusersandmore.

Rationale:

Auditingtheuseofthisprivilegeispartofacomprehensiveauditingpolicythatcanhelpindetectingissuesandcanbeusefulinforensics.

Audit:


SELECT PRIVILEGE, SUCCESS, FAILURE FROM DBA_PRIV_AUDIT_OPTS WHERE PRIVILEGE='GRANT ANY PRIVILEGE' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';


Remediation:


AUDIT GRANT ANY PRIVILEGE;

Notes:

ThisdoesNOTauditallattemptstograntorrevokesystemprivilegessincethiscanalsobedonebyanyonewhowasgrantedasystemprivilegewiththeadminoption.Also,thisnevercreatesanauditrecordforanyonewhodoesnotholdtheGRANT ANY PRIVILEGEsystemprivilege.Thus,manyattempts,successfulornot,tograntandrevokesystemprivilegesarenotauditedbythis.

217|P a g e

CISControls:

Version6



218|P a g e

5.1.13 Ensure the 'DROP ANY PROCEDURE' Audit Option Is Enabled (Scored)



Description:

TheAUDIT DROP ANY PROCEDUREcommandisauditingthedroppingofprocedures.Enablingtheoptioncausesauditingofallsuchactivities.

Rationale:

Droppingproceduresofanotherusercouldbepartofaprivilegeescalationexploitandshouldbeaudited.

Audit:


SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='DROP ANY PROCEDURE' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';


Remediation:


AUDIT DROP ANY PROCEDURE;

CISControls:

Version6

6.2EnsureAuditLogSettingsSupportAppropriateLogEntryFormattingValidateauditlogsettingsforeachhardwaredeviceandthesoftwareinstalledonit,ensuringthatlogsincludeadate,timestamp,sourceaddresses,destinationaddresses,andvariousotherusefulelementsofeachpacketand/ortransaction.Systemsshouldrecordlogsinastandardizedformatsuchassyslogentriesorthose

219|P a g e

outlinedbytheCommonEventExpressioninitiative.Ifsystemscannotgeneratelogsinastandardizedformat,lognormalizationtoolscanbedeployedtoconvertlogsintosuchaformat.

220|P a g e

5.1.14 Ensure the 'ALL' Audit Option on 'SYS.AUD$' Is Enabled (Scored)



Description:

TheloggingofattemptstoaltertheaudittrailintheSYS.AUD$table(openforread/update/delete/view)willprovidearecordofanyactivitiesthatmayindicateunauthorizedattemptstoaccesstheaudittrail.Enablingtheauditoptionwillcausetheseactivitiestobeaudited.

Rationale:

AstheloggingofattemptstoaltertheSYS.AUD$tablecanprovideforensicevidenceoftheinitiationofapatternofunauthorizedactivities,thisloggingcapabilityshouldbeenabled.

Audit:


SELECT * FROM DBA_OBJ_AUDIT_OPTS WHERE OBJECT_NAME='AUD$' AND ALT='A/A' AND AUD='A/A' AND COM='A/A' AND DEL='A/A' AND GRA='A/A' AND IND='A/A' AND INS='A/A' AND LOC='A/A' AND REN='A/A' AND SEL='A/A' AND UPD='A/A' AND FBK='A/A';


Remediation:


AUDIT ALL ON SYS.AUD$ BY ACCESS;

221|P a g e

CISControls:

Version6


222|P a g e

5.1.15 Ensure the 'PROCEDURE' Audit Option Is Enabled (Scored)



Description:

Inthisstatementaudit,PROCEDUREmeansanyprocedure,function,packageorlibrary.Enablingthisauditoptioncausesanyattempt,successfulornot,tocreateordropanyofthesetypesofobjectstobeaudited,regardlessofprivilegeorlackthereof.Javaschemaobjects(sources,classes,andresources)areconsideredthesameasproceduresforthepurposesofauditingSQLstatements.

Rationale:

Anyunauthorizedattemptstocreateordropaprocedureinanother'sschemashouldcauseconcern,whethersuccessfulornot.Changestocriticalstoredcodecandramaticallychangethebehavioroftheapplicationandproduceserioussecurityconsequences,includingenablingprivilegeescalationandintroducingSQLinjectionvulnerabilities.Auditrecordsofsuchchangescanbehelpfulinforensics.

Audit:


SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='PROCEDURE' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';


Remediation:


AUDIT PROCEDURE;"

Notes:

Notallauditingoptionsworkalike.Inparticular,thestatementauditingoptionaudit PROCEDUREdoesindeedauditcreateanddroplibraryaswellasalltypesofproceduresand

223|P a g e

javaschemaobjects.However,privilegeauditsdonotworkthisway.So,forexample,noneofaudit CREATE ANY PROCEDURE,audit DROP ANY PROCEDURE,oraudit CREATE PROCEDUREwillauditcreateordroplibraryactivities.Instatementauditing,PROCEDUREhasalargerscopethaninprivilegeauditing,whereitisspecifictofunctions,packagesandprocedures,butexcludeslibrariesandperhapsotherobjecttypes.

Audit PROCEDUREdoesnotauditalteringprocedures,eitherinyourownschemaorinanotherviatheALTER ANY PROCEDUREsystemprivilege.ThereseemstobenostatementauditthatisabetterreplacementforAudit ALTER ANY PROCEDURE,butbewarethatwillnotcreateanyauditrecordsforusersthatdonothavetheprivilege.Thus,attemptstoalterproceduresinone'sownschemaareneveraudited,andattemptstoalterproceduresinanother'sschemathatfailforlackoftheALTER ANY PROCEDUREprivilegearenotaudited.ThisissimplyaweaknessinthecurrentstateofOracleauditing.Fortunately,though,allthattheALTERcommandcanbeusedforregardingprocedures,functions,packagesandlibrariesiscompileoptions,sotheinabilitytocomprehensivelyauditalterprocedureactivitiesandrequestsisnotasbadasitwouldbeforotherobjecttypes(USER,PROFILE,etc.)

CISControls:

Version6


224|P a g e

5.1.16 Ensure the 'ALTER SYSTEM' Audit Option Is Enabled (Scored)



Description:

ALTER SYSTEMallowsonetochangeinstancesettings,includingsecuritysettingsandauditingoptions.Additionally,ALTER SYSTEMcanbeusedtorunoperatingsystemcommandsusingundocumentedOraclefunctionality.EnablingtheauditoptionwillauditallattemptstoperformALTER SYSTEM,whethersuccessfulornotandregardlessofwhetherornottheALTER SYSTEMprivilegeisheldbytheuserattemptingtheaction.

Rationale:

Anyunauthorizedattempttoalterthesystemshouldbecauseforconcern.Alterationsoutsideofsomespecifiedmaintenancewindowmaybeofconcern.Inforensics,theseauditrecordscouldbequiteuseful.

Audit:


SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='ALTER SYSTEM' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';


Remediation:


AUDIT ALTER SYSTEM;

CISControls:

Version6


225|P a g e


226|P a g e

5.1.17 Ensure the 'TRIGGER' Audit Option Is Enabled (Scored)



Description:

ATRIGGERmaybeusedtomodifyDMLactionsorinvokeother(recursive)actionswhensometypesofuser-initiatedactionsoccur.Enablingthisauditoptionwillcauseauditingofanyattempt,successfulornot,tocreate,drop,enableordisableanyschematriggerinanyschemaregardlessofprivilegeorlackthereof.Forenablinganddisablingatrigger,itcoversbothALTER TRIGGERandALTER TABLE.

Rationale:

Triggersareoftenpartofschemasecurity,datavalidationandothercriticalconstraintsuponactionsanddata.Atriggerinanotherschemamaybeusedtoescalateprivileges,redirectoperations,transformdataandperformothersortsofperhapsundesiredactions.Anyunauthorizedattempttocreate,droporalteratriggerinanotherschemamaybecauseforinvestigation.

Audit:


SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='TRIGGER' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';


Remediation:


AUDIT TRIGGER;

Notes:

ThereisnocurrentCISrecommendationtoaudittheuseofthesystemprivilegeCREATE TRIGGER,asthereisforCREATE SYNONYM,CREATE PROCEDUREandsomeothertypesof

227|P a g e

objects,sothisisactuallyascopeescalationalso-toauditsuchactionsinone'sownschema.However,thisistheonlywaytocomprehensivelyauditthingslikeattemptstocreate,droporaltertriggersinanother'sschemaiftheuserattemptingtooperationdoesnotholdtherequiredANYprivilege-andtheseareexactlythesortsofthingsthatshouldraisealargeredflag.

Thestatementauditingoptionaudit TRIGGERauditsalmosteverythingthatthethreeprivilegeauditsaudit CREATE ANY TRIGGER,audit ALTER ANY TRIGGERandaudit DROP ANY TRIGGERdo,butalsoaudits:

1. Statementstocreate,drop,enableordisableatriggerintheuser'sownschema.2. AttemptstocreateatriggerbyauserwithouttheCREATE TRIGGERsystemprivilege.3. AttemptstocreateatriggerinanotherschemabyuserswithouttheCREATE ANY

TRIGGERprivilege.4. AttemptstodropatriggerinanotherschemabyuserswithouttheDROP ANY

TRIGGERprivilege.5. Attemptstodisableorenableatriggerinanotherschemabyuserswithoutthe

ALTER ANY TRIGGERprivilege.

TheonethingisauditedbyanyofthethreeprivilegeauditsthatisnotauditedbythisisALTER TRIGGER ...COMPILEifthetriggerisinanother'sschema,whichisauditedbyaudit ALTER ANY TRIGGER,butonlyiftheuserattemptingthealterationactuallyholdstheALTER ANY TRIGGERsystemprivilege.Audit TRIGGERonlyauditsALTER TABLEorALTER TRIGGERstatementsusedtoenableordisabletriggers.ItdoesnotauditALTER TRIGGERorALTER TABLEstatementsusedonlywithcompileoptions.

CISControls:

Version6


228|P a g e

5.1.18 Ensure the 'CREATE SESSION' Audit Option Is Enabled (Scored)



Description:

Enablingthisauditoptionwillcauseauditingofallattemptstoconnecttothedatabase,whethersuccessfulornot,aswellasauditsessiondisconnects/logoffs.ThecommandstoauditSESSION,CONNECTorCREATE SESSIONallaccomplishthesamething-theyinitiatestatementauditingoftheconnectstatementusedtocreateadatabasesession.

Rationale:

Auditingattemptstoconnecttothedatabaseisbasicandmandatedbymostsecurityinitiatives.Anyattempttologontoalockedaccount,failedattemptstologontodefaultaccountsoranunusuallyhighnumberoffailedlogonattemptsofanysort,foranyuser,inaparticulartimeperiodmayindicateanintrusionattempt.Inforensics,thelogonrecordmaybefirstinachainofevidenceandcontaininformationfoundinnoothertypeofauditrecordforthesession.Logonandlogoffintheaudittraildefinetheperiodanddurationofthesession.

Audit:


SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='CREATE SESSION' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';


Remediation:


AUDIT SESSION;

229|P a g e

Notes:

Althoughlistedinthedocumentationasaprivilegeaudit,audit CREATE SESSIONactuallyauditstheCONNECTstatement.Thisisevidencedbytheundocumentedaudit CONNECTwhichhasthesameresultasaudit SESSIONoraudit CREATE SESSION.ThereisnosystemprivilegenamedeitherSESSIONorCONNECT(CONNECTisarole,notasystemprivilege).Also,itbehavesasstatementauditingratherthanprivilegeauditinginthatitauditsallattemptstocreateasession,eveniftheuserdoesnotholdtheCREATE SESSIONsystemprivilege.

CISControls:

Version6


230|P a g e

5.2 Unified Auditing

Therecommendationsinthissectionshouldbefollowedifunifiedauditingisimplemented.

5.2.1 Ensure the 'CREATE USER' Action Audit Is Enabled (Scored)



Description:

TheCREATE USERstatementisusedtocreateOracledatabaseaccountsandassigndatabasepropertiestothem.EnablingthisunifiedactionauditcausesloggingofallCREATE USERstatements,whethersuccessfulorunsuccessful,issuedbytheusersregardlessoftheprivilegesheldbytheuserstoissuesuchstatements.

Rationale:

Loggingandmonitoringofallattemptstocreateuseraccounts,whethersuccessfulorunsuccessful,mayprovidecluesandforensicevidencesaboutpotentialsuspicious/unauthorizedactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofallactivitiesinvolvingCREATE USER.

Audit:


SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'CREATE USER' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';


231|P a g e

Remediation:


ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS CREATE USER;

Note:IfyoudonothaveCIS_UNIFIED_AUDIT_POLICY,pleasecreateoneusingtheCREATE AUDIT POLICYstatement.

CISControls:

Version6



232|P a g e

5.2.2 Ensure the 'ALTER USER' Action Audit Is Enabled (Scored)



Description:

TheALTER USERstatementisusedtochangedatabaseusers’password,lockaccounts,andexpirepasswords.Inaddition,thisstatementisusedtochangedatabasepropertiesofuseraccountssuchasdatabaseprofiles,defaultandtemporarytablespaces,andtablespacequotas.ThisunifiedauditactionenablesloggingofallALTER USERstatements,whethersuccessfulorunsuccessful,issuedbytheusersregardlessoftheprivilegesheldbytheuserstoissuesuchstatements.

Rationale:

Loggingandmonitoringofallattemptstoalteruseraccounts,whethersuccessfulorunsuccessful,mayprovidecluesandforensicevidencesaboutpotentialsuspicious/unauthorizedactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofallactivitiesinvolvingALTER USER.

Audit:


SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'ALTER USER' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';


Remediation:


ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS ALTER USER;

233|P a g e


CISControls:

Version6



234|P a g e

5.2.3 Ensue the 'DROP USER' Audit Option Is Enabled (Scored)



Description:

TheDROP USERstatementisusedtodropOracledatabaseaccountsandschemasassociatedwiththem.EnablingthisunifiedactionauditenablesloggingofallDROP USERstatements,whethersuccessfulorunsuccessful,issuedbytheusersregardlessoftheprivilegesheldbytheuserstoissuesuchstatements.

Rationale:

Loggingandmonitoringofallattemptstodropuser,whethersuccessfulorunsuccessful,mayprovidecluesandforensicevidenceaboutpotentialsuspicious/unauthorizedactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofallactivitiesinvolvingDROP USER.

Audit:


SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'DROP USER' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';


Remediation:


ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS DROP USER;

235|P a g e


CISControls:

Version6



236|P a g e

5.2.4 Ensure the 'CREATE ROLE’ Action Audit Is Enabled (Scored)



Description:

AnOracledatabaseroleisacollectionorsetofprivilegesthatcanbegrantedtousersorotherroles.Rolesmayincludesystemprivileges,objectprivilegesorotherroles.EnablingthisunifiedauditactionenablesloggingofallCREATE ROLEstatements,whethersuccessfulorunsuccessful,issuedbytheusersregardlessoftheprivilegesheldbytheuserstoissuesuchstatements.

Rationale:

Loggingandmonitoringofallattemptstocreateroles,whethersuccessfulorunsuccessful,mayprovidecluesandforensicevidenceaboutpotentialsuspicious/unauthorizedactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofalluseractivitiesinvolvingCREATE ROLE.

Audit:


SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'CREATE ROLE' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';


Remediation:


ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS CREATE ROLE;

237|P a g e


CISControls:

Version6



238|P a g e

5.2.5 Ensure the 'ALTER ROLE’ Action Audit Is Enabled (Scored)



Description:

AnOracledatabaseroleisacollectionorsetofprivilegesthatcanbegrantedtousersorotherroles.Rolesmayincludesystemprivileges,objectprivilegesorotherroles.TheALTER ROLEstatementisusedtochangetheauthorizationneededtoenablearole.EnablingthisunifiedactionauditcausesloggingofallALTER ROLEstatements,whethersuccessfulorunsuccessful,issuedbytheusersregardlessoftheprivilegesheldbytheuserstoissuesuchstatements.

Rationale:

Loggingandmonitoringofallattemptstoalterroles,whethersuccessfulorunsuccessful,mayprovidecluesandforensicevidenceaboutpotentialsuspicious/unauthorizedactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofalluseractivitiesinvolvingalterationofroles.

Audit:


SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'ALTER ROLE' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';


Remediation:


ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS ALTER ROLE;

239|P a g e


CISControls:

Version6



240|P a g e

5.2.6 Ensure the 'DROP ROLE’ Action Audit Is Enabled (Scored)



Description:

AnOracledatabaseroleisacollectionorsetofprivilegesthatcanbegrantedtousersorotherroles.Rolesmayincludesystemprivileges,objectprivilegesorotherroles.EnablingthisunifiedauditactionenablesloggingofallDROP ROLEstatements,successfulorunsuccessful,issuedbytheusersregardlessoftheprivilegesheldbytheuserstoissuesuchstatements.

Rationale:

Loggingandmonitoringofallattemptstodroproles,whethersuccessfulorunsuccessful,mayprovidecluesandforensicevidenceaboutpotentialsuspicious/unauthorizedactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofalluseractivitiesinvolvingDROP ROLE.

Audit:


SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'DROP ROLE' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';


Remediation:


ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS DROP ROLE;

241|P a g e


CISControls:

Version6



242|P a g e

5.2.7 Ensure the 'GRANT' Action Audit Is Enabled (Scored)



Description:

GRANTstatementsareusedtograntprivilegestoOracledatabaseusersandroles,includingthemostpowerfulprivilegesandrolestypicallyavailabletothedatabaseadministrators.EnablingthisunifiedactionauditenablesloggingofallGRANTstatements,whethersuccessfulorunsuccessful,issuedbytheusersregardlessoftheprivilegesheldbytheuserstoissuesuchstatements.

Rationale:

Withunauthorizedgrantsandpermissions,amalicioususermaybeabletochangethesecurityofthedatabase,access/updateconfidentialdata,orcompromisetheintegrityofthedatabase.Loggingandmonitoringofallattemptstograntsystemprivileges,objectprivilegesorroles,whethersuccessfulorunsuccessful,mayprovideforensicevidenceaboutpotentialsuspicious/unauthorizedactivitiesaswellasprivilegeescalationactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofalluseractivitiesinvolvingGRANT.

Audit:


SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'GRANT' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';


Remediation:


243|P a g e

ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS GRANT;


CISControls:

Version6



244|P a g e

5.2.8 Ensure the 'REVOKE' Action Audit Is Enabled (Scored)



Description:

REVOKEstatementsareusedtorevokeprivilegesfromOracledatabaseusersandroles.EnablingthisunifiedactionauditenablesloggingofallREVOKEstatements,successfulorunsuccessful,issuedbytheusersregardlessoftheprivilegesheldbytheuserstoissuesuchstatements.

Rationale:

Loggingandmonitoringofallattemptstorevokesystemprivileges,objectprivilegesorroles,whethersuccessfulorunsuccessful,mayprovidecluesandforensicevidenceaboutpotentialsuspicious/unauthorizedactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofalluseractivitiesinvolvingREVOKE.

Audit:


SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'REVOKE' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';


Remediation:


ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS REVOKE;

245|P a g e


CISControls:

Version6



246|P a g e

5.2.9 Ensure the 'CREATE PROFILE’ Action Audit Is Enabled (Scored)



Description:

Oracledatabaseprofilesareusedtoenforceresourceusagelimitsandimplementpasswordpoliciessuchaspasswordcomplexityrulesandreuserestrictions.EnablingthisunifiedactionauditenablesloggingofallCREATE PROFILEstatements,whethersuccessfulorunsuccessful,issuedbytheusersregardlessoftheprivilegesheldbytheuserstoissuesuchstatements.

Rationale:

Loggingandmonitoringofallattemptstocreateprofiles,whethersuccessfulorunsuccessful,mayprovidecluesandforensicevidenceaboutpotentialsuspicious/unauthorizedactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofalluseractivitiesinvolvingcreationofdatabaseprofiles.

Audit:


SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'CREATE PROFILE' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';


Remediation:


ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS CREATE PROFILE;

247|P a g e


CISControls:

Version6


248|P a g e

5.2.10 Ensure the 'ALTER PROFILE’ Action Audit Is Enabled (Scored)



Description:

Oracledatabaseprofilesareusedtoenforceresourceusagelimitsandimplementpasswordpoliciessuchaspasswordcomplexityrulesandreuserestrictions.EnablingthisunifiedactionauditenablesloggingofallALTER PROFILEstatements,whethersuccessfulorunsuccessful,issuedbytheusersregardlessoftheprivilegesheldbytheuserstoissuesuchstatements.

Rationale:

Loggingandmonitoringofallattemptstoalterprofiles,whethersuccessfulorunsuccessful,mayprovideforensicevidenceaboutpotentialsuspicious/unauthorizedactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofalluseractivitiesinvolvingalterationofdatabaseprofiles.

Audit:


SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'ALTER PROFILE' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';


Remediation:


ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS ALTER PROFILE;

249|P a g e


CISControls:

Version6


250|P a g e

5.2.11 Ensure the 'DROP PROFILE’ Action Audit Is Enabled (Scored)



Description:

Oracledatabaseprofilesareusedtoenforceresourceusagelimitsandimplementpasswordpoliciessuchaspasswordcomplexityrulesandreuserestrictions.EnablingthisunifiedactionauditenablesloggingofallDROP PROFILEstatements,whethersuccessfulorunsuccessful,issuedbytheusersregardlessoftheprivilegesheldbytheuserstoissuesuchstatements.

Rationale:

Loggingandmonitoringofallattemptstodropprofiles,whethersuccessfulorunsuccessful,mayprovidecluesandforensicevidenceaboutpotentialsuspicious/unauthorizedactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofalluseractivitiesinvolvingdroppingdatabaseprofiles.

Audit:


SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'DROP PROFILE' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';


Remediation:


ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS DROP PROFILE;

251|P a g e


CISControls:

Version6


252|P a g e

5.2.12 Ensure the 'CREATE DATABASE LINK’ Action Audit Is Enabled (Scored)



Description:

Oracledatabaselinksareusedtoestablishdatabase-to-databaseconnectionstootherdatabases.Theseconnectionsareavailablewithoutfurtherauthenticationoncethelinkisestablished.EnablingthisunifiedactionauditcausesloggingofallCREATE DATABASEandCREATE PUBLIC DATABASEstatements,whethersuccessfulorunsuccessful,issuedbytheusersregardlessoftheprivilegesheldbytheuserstoissuesuchstatements.

Rationale:

Loggingandmonitoringofallattemptstocreatedatabaselinks,whethersuccessfulorunsuccessful,mayprovideforensicevidenceaboutpotentialsuspicious/unauthorizedactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofalluseractivitiesinvolvingcreationofdatabaselinks.

Audit:


SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'CREATE DATABASE LINK' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';


253|P a g e

Remediation:


ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS CREATE DATABASE LINK;


CISControls:

Version6


254|P a g e

5.2.13 Ensure the 'ALTER DATABASE LINK’ Action Audit Is Enabled (Scored)



Description:

Oracledatabaselinksareusedtoestablishdatabase-to-databaseconnectionstootherdatabases.Theseconnectionsarealwaysavailablewithoutfurtherauthenticationoncethelinkisestablished.EnablingthisunifiedactionauditcausesloggingofallALTER DATABASEandALTER PUBLIC DATABASEstatements,whethersuccessfulorunsuccessful,issuedbytheusersregardlessoftheprivilegesheldbytheuserstoissuesuchstatements.

Rationale:

Loggingandmonitoringofallattemptstoalterdatabaselinks,whethersuccessfulorunsuccessful,mayprovideforensicevidenceaboutpotentialsuspicious/unauthorizedactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofalluseractivitiesinvolvingalterationofdatabaselinks.

Audit:


SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'ALTER DATABASE LINK' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';


255|P a g e

Remediation:


ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS ALTER DATABASE LINK;


CISControls:

Version6


256|P a g e

5.2.14 Ensure the 'DROP DATABASE LINK’ Action Audit Is Enabled (Scored)



Description:

Oracledatabaselinksareusedtoestablishdatabase-to-databaseconnectionstootherdatabases.Theseconnectionsarealwaysavailablewithoutfurtherauthenticationoncethelinkisestablished.EnablingthisunifiedactionauditcausesloggingofallDROP DATABASEandDROP PUBLIC DATABASE,whethersuccessfulorunsuccessful,statementsissuedbytheusersregardlessoftheprivilegesheldbytheuserstoissuesuchstatements.

Rationale:

Loggingandmonitoringofallattemptstodropdatabaselinks,whethersuccessfulorunsuccessful,mayprovideforensicevidenceaboutpotentialsuspicious/unauthorizedactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofalluseractivitiesinvolvingdroppingdatabaselinks.

Audit:


SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'DROP DATABASE LINK' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';


257|P a g e

Remediation:


ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS DROP DATABASE LINK;


CISControls:

Version6


258|P a g e

5.2.15 Ensure the 'CREATE SYNONYM’ Action Audit Is Enabled (Scored)



Description:

AnOracledatabasesynonymisusedtocreateanalternativenameforadatabaseobjectsuchastable,view,procedure,javaobjectorevenanothersynonym,etc.EnablingthisunifiedactionauditcausesloggingofallCREATE SYNONYMandCREATE PUBLIC SYNONYMstatements,whethersuccessfulorunsuccessful,issuedbytheusersregardlessoftheprivilegesheldbytheuserstoissuesuchstatements.

Rationale:

Loggingandmonitoringofallattemptstocreatesynonyms,whethersuccessfulorunsuccessful,mayprovidecluesandforensicevidenceaboutpotentialsuspicious/unauthorizedactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofalluseractivitiesinvolvingcreationofsynonymsorpublicsynonyms.

Audit:


SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'CREATE SYNONYM' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';


Remediation:


ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS CREATE SYNONYM;

259|P a g e


CISControls:

Version6


260|P a g e

5.2.16 Ensure the 'ALTER SYNONYM’ Action Audit Is Enabled (Scored)



Description:

AnOracledatabasesynonymisusedtocreateanalternativenameforadatabaseobjectsuchastable,view,procedure,orjavaobject,orevenanothersynonym.EnablingthisunifiedactionauditcausesloggingofallALTER SYNONYMandALTER PUBLIC SYNONYMstatements,whethersuccessfulorunsuccessful,issuedbytheusersregardlessoftheprivilegesheldbytheuserstoissuesuchstatements.

Rationale:

Loggingandmonitoringofallattemptstoaltersynonyms,whethersuccessfulorunsuccessful,mayprovidecluesandforensicevidenceaboutpotentialsuspicious/unauthorizedactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofalluseractivitiesinvolvingalterationofsynonymsorpublicsynonyms.

Audit:


SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'ALTER SYNONYM' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';


Remediation:


ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS ALTER SYNONYM;

261|P a g e


CISControls:

Version6


262|P a g e

5.2.17 Ensure the 'DROP SYNONYM’ Action Audit Is Enabled (Scored)



Description:

AnOracledatabasesynonymisusedtocreateanalternativenameforadatabaseobjectsuchastable,view,procedure,orjavaobject,orevenanothersynonym.EnablinghisunifiedactionauditcausesloggingofallDROP SYNONYMandDROP PUBLIC SYNONYMstatements,whethersuccessfulorunsuccessful,issuedbytheusersregardlessoftheprivilegesheldbytheuserstoissuesuchstatements.

Rationale:

Loggingandmonitoringofallattemptstodropsynonyms,whethersuccessfulorunsuccessful,mayprovideforensicevidenceaboutpotentialsuspicious/unauthorizedactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofalluseractivitiesinvolvingdroppingofsynonymsorpublicsynonyms.

Audit:


SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'DROP SYNONYM' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';


Remediation:


ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS DROP SYNONYM;

263|P a g e


CISControls:

Version6


264|P a g e

5.2.18 Ensure the 'SELECT ANY DICTIONARY’ Privilege Audit Is Enabled (Scored)



Description:

TheSELECT ANY DICTIONARYsystemprivilegeallowstheusertoviewthedefinitionofallschemaobjectsinthedatabase.ItgrantsSELECTprivilegesonthedatadictionaryobjectstothegrantees,includingSELECTonDBA_views,V$views,X$viewsandunderlyingSYStablessuchasTAB$andOBJ$.Thisprivilegealsoallowsgranteestocreatestoredobjectssuchasprocedures,packagesandviewsontheunderlyingdatadictionaryobjects.PleasenotethatthisprivilegedoesnotgrantSELECTontableswithpasswordhashessuchasUSER$,DEFAULT_PWD$,LINK$,andUSER_HISTORY$.Enablingthisauditcausesloggingofactivitiesthatexercisethisprivilege.

Rationale:

Loggingandmonitoringofallattemptstoaccessadatadictionary,whethersuccessfulorunsuccessful,mayprovidecluesandforensicevidenceaboutpotentialsuspicious/unauthorizedactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofalluseractivitiesinvolvingaccesstothedatabase.

Audit:


SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'SELECT ANY DICTIONARY' AND AUD.AUDIT_OPTION_TYPE = 'SYSTEM PRIVILEGE' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';


265|P a g e

Remediation:


ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD PRIVILEGES SELECT ANY DICTIONARY;


CISControls:

Version6


266|P a g e

5.2.19 Ensure the 'UNIFIED_AUDIT_TRAIL’ Access Audit Is Enabled (Scored)



Description:

TheUNIFIED_AUDIT_TRAILviewholdsaudittrailrecordsgeneratedbythedatabase.EnablingthisauditactioncausesloggingofallaccessattemptstotheUNIFIED_AUDIT_TRAILview,whethersuccessfulorunsuccessful,regardlessoftheprivilegesheldbytheuserstoissuesuchstatements.

Rationale:

LoggingandmonitoringofallattemptstoaccesstheUNIFIED_AUDIT_TRAILview,whethersuccessfulorunsuccessful,mayprovidecluesandforensicevidenceaboutpotentialsuspicious/unauthorizedactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofalluseractivitiesinvolvingaccesstothisview.

Audit:


SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'ALL' AND AUD.AUDIT_OPTION_TYPE = 'OBJECT ACTION' AND AUD.OBJECT_SCHEMA = 'SYS' AND AUD.OBJECT_NAME = 'UNIFIED_AUDIT_TRAIL' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';


267|P a g e

Remediation:


ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS ALL on SYS.UNIFIED_AUDIT_TRAIL;


CISControls:

Version6


268|P a g e

5.2.20 Ensure the 'CREATE PROCEDURE/FUNCTION/PACKAGE/PACKAGE BODY’ Action Audit Is Enabled (Scored)



Description:

Oracledatabaseprocedures,function,packages,andpackagebodies,whicharestoredwithinthedatabase,arecreatedtoperformbusinessfunctionsandaccessdatabaseasdefinedbyPL/SQLcodeandSQLstatementscontainedwithintheseobjects.EnablingthisunifiedactionauditcausesloggingofallCREATE PROCEDURE,CREATE FUNCTION,CREATE PACKAGEandCREATE PACKAGE BODYstatements,successfulorunsuccessful,statementsissuedbytheusersregardlessoftheprivilegesheldbytheuserstoissuesuchstatements.

Rationale:

Loggingandmonitoringofallattemptstocreateprocedures,functions,packagesorpackagebodies,whethersuccessfulorunsuccessful,mayprovidecluesandforensicevidenceaboutpotentialsuspicious/unauthorizedactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofalluseractivitiesinvolvingcreationofprocedures,functions,packagesorpackagebodies.

Audit:


SELECT * FROM AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS' AND EXISTS ( SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'CREATE PROCEDURE' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION') AND EXISTS ( SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'CREATE FUNCTION' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION') AND EXISTS ( SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD

269|P a g e

WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'CREATE PACKAGE' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION') AND EXISTS ( SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'CREATE PACKAGE BODY' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION');


Remediation:


ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS CREATE PROCEDURE, CREATE FUNCTION, CREATE PACKAGE, CREATE PACKAGE BODY;


CISControls:

Version6


270|P a g e

5.2.21 Ensure the 'ALTER PROCEDURE/FUNCTION/PACKAGE/PACKAGE BODY’ Action Audit Is Enabled (Scored)



Description:

Oracledatabaseprocedures,functions,packages,andpackagebodies,whicharestoredwithinthedatabase,arecreatedtocarryoutbusinessfunctionsandaccessdatabaseasdefinedbyPL/SQLcodeandSQLstatementscontainedwithintheseobjects.EnablingthisunifiedactionauditcausesloggingofallALTER PROCEDURE,ALTER FUNCTION,ALTER PACKAGEandALTER PACKAGE BODYstatements,successfulorunsuccessful,issuedbytheusersregardlessoftheprivilegesheldbytheuserstoissuesuchstatements.

Rationale:

Unauthorizedalterationofprocedures,functions,packagesorpackagebodiesmayimpactcriticalbusinessfunctionsorcompromiseintegrityofthedatabase.Loggingandmonitoringofallattempts,whethersuccessfulorunsuccessful,toalterprocedures,functions,packagesorpackagebodiesmayprovidecluesandforensicevidenceaboutpotentialsuspicious/unauthorizedactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofalluseractivitiesinvolvingalterationofprocedures,functions,packagesorpackagebodies.

Audit:


SELECT * FROM AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS' AND EXISTS ( SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'ALTER PROCEDURE' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION') AND EXISTS ( SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'ALTER FUNCTION'

271|P a g e

AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION') AND EXISTS ( SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'ALTER PACKAGE' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION') AND EXISTS ( SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'ALTER PACKAGE BODY' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION');


Remediation:


ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS ALTER PROCEDURE, ALTER FUNCTION, ALTER PACKAGE, ALTER PACKAGE BODY;


CISControls:

Version6


272|P a g e

5.2.22 Ensure the 'DROP PROCEDURE/FUNCTION/PACKAGE/PACKAGE BODY’ Action Audit Is Enabled (Scored)



Description:

Oracledatabaseprocedures,functions,packages,andpackagebodies,whicharestoredwithinthedatabase,arecreatedtocarryoutbusinessfunctionsandaccessdatabaseasdefinedbyPL/SQLcodeandSQLstatementscontainedwithintheseobjects.EnablingthisunifiedactionauditcausesloggingofallDROP PROCEDURE,DROP FUNCTION,DROP PACKAGEorDROP PACKAGE BODYstatements,successfulorunsuccessful,issuedbytheusersregardlessoftheprivilegesheldbytheuserstoissuesuchstatements.

Rationale:

Loggingandmonitoringofallattempts,whethersuccessfulorunsuccessful,todropprocedures,functions,packagesorpackagebodiesmayprovideforensicevidenceaboutpotentialsuspicious/unauthorizedactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofalluseractivitiesinvolvingdroppingprocedures,functions,packagesorpackagebodies.

Audit:


SELECT * FROM AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS' AND EXISTS ( SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'DROP PROCEDURE' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION') AND EXISTS ( SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'DROP FUNCTION' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION') AND EXISTS ( SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD

273|P a g e

WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'DROP PACKAGE' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION') AND EXISTS ( SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'DROP PACKAGE BODY' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION');


Remediation:


ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS DROP PROCEDURE, DROP FUNCTION, DROP PACKAGE, DROP PACKAGE BODY;


CISControls:

Version6


274|P a g e

5.2.23 Ensure the 'ALTER SYSTEM’ Privilege Audit Is Enabled (Scored)



Description:

TheALTER SYSTEMprivilegeallowstheusertochangeinstancesettingswhichcouldimpactsecurityposture,performanceornormaloperationofthedatabase.Additionally,theALTER SYSTEMprivilegemaybeusedtorunoperatingsystemcommandsusingundocumentedOraclefunctionality.Enablingthisunifiedauditcausesloggingofactivitiesthatinvolveexerciseofthisprivilege,whethersuccessfulorunsuccessful,issuedbytheusersregardlessoftheprivilegesheldbytheuserstoissuesuchstatements.

Rationale:

LoggingandmonitoringofallattemptstoexecuteALTER SYSTEMstatements,whethersuccessfulorunsuccessful,mayprovideforensicevidenceaboutpotentialsuspicious/unauthorizedactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofalluseractivitiesthatinvolveALTER SYSTEMstatements.

Audit:


SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'ALTER SYSTEM' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';


Remediation:


ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS ALTER SYSTEM;

275|P a g e


CISControls:

Version6


276|P a g e

5.2.24 Ensure the 'CREATE TRIGGER’ Action Audit Is Enabled (Scored)



Description:

Oracledatabasetriggersareexecutedautomaticallywhenspecifiedconditionsontheunderlyingobjectsoccur.Triggerbodiescontainthecode,quiteoftentoperformdatavalidation,ensuredataintegrity/securityorenforcecriticalconstraintsonallowableactionsondata.EnablingthisunifiedauditcausesloggingofallCREATE TRIGGERstatements,whethersuccessfulorunsuccessful,issuedbytheusersregardlessoftheprivilegesheldbytheuserstoissuesuchstatements.

Rationale:

Loggingandmonitoringofallattemptstocreatetriggers,whethersuccessfulorunsuccessful,mayprovidecluesandforensicevidenceaboutpotentialsuspicious/unauthorizedactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofalluseractivitiesinvolvingcreationoftriggers.

Audit:


SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'CREATE TRIGGER' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';


Remediation:


ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS CREATE TRIGGER;

277|P a g e


CISControls:

Version6


278|P a g e

5.2.25 Ensure the 'ALTER TRIGGER’ Action Audit IS Enabled (Scored)



Description:

Oracledatabasetriggersareexecutedautomaticallywhenspecifiedconditionsontheunderlyingobjectsoccur.Triggerbodiescontainthecode,quiteoftentoperformdatavalidation,ensuredataintegrity/securityorenforcecriticalconstraintsonallowableactionsondata.EnablingthisunifiedauditcausesloggingofallALTER TRIGGERstatements,whethersuccessfulorunsuccessful,issuedbytheusersregardlessoftheprivilegesheldbytheuserstoissuesuchstatements.

Rationale:

Unauthorizedalterationoftriggersmayimpactcriticalbusinessfunctionsorcompromiseintegrity/securityofthedatabase.Loggingandmonitoringofallattemptstoaltertriggers,whethersuccessfulorunsuccessful,mayprovidecluesandforensicevidenceaboutpotentialsuspicious/unauthorizedactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofalluseractivitiesinvolvingalterationoftriggers.

Audit:


SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'ALTER TRIGGER' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';


279|P a g e

Remediation:


ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS ALTER TRIGGER;


CISControls:

Version6


280|P a g e

5.2.26 Ensure the 'DROP TRIGGER’ Action Audit Is Enabled (Scored)



Description:

Oracledatabasetriggersareexecutedautomaticallywhenspecifiedconditionsontheunderlyingobjectsoccur.Triggerbodiescontainthecode,quiteoftentoperformdatavalidation,ensuredataintegrity/securityorenforcecriticalconstraintsonallowableactionsondata.EnablingthisunifiedauditcausesloggingofallDROP TRIGGERstatements,whethersuccessfulorunsuccessful,issuedbytheusersregardlessoftheprivilegesheldbytheuserstoissuesuchstatements.

Rationale:

Loggingandmonitoringofallattemptstodroptriggers,whethersuccessfulorunsuccessful,mayprovideforensicevidenceaboutpotentialsuspicious/unauthorizedactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofalluseractivitiesinvolvingdroppingtriggers.

Audit:


SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'DROP TRIGGER' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';


Remediation:


ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS DROP TRIGGER;

281|P a g e


CISControls:

Version6


282|P a g e

5.2.27 Ensure the 'LOGON’ AND ‘LOGOFF’ Actions Audit Is Enabled (Scored)



Description:

Oracledatabaseuserslogontothedatabasetoperformtheirwork.EnablingthisunifiedauditcausesloggingofallLOGONactions,whethersuccessfulorunsuccessful,issuedbytheusersregardlessoftheprivilegesheldbytheuserstologintothedatabase.Inaddition,LOGOFFactionauditcaptureslogoffactivities.Thisauditactionalsocaptureslogon/logofftotheopendatabasebySYSDBAandSYSOPER.

Rationale:

Loggingandmonitoringofallattemptstologontothedatabase,whethersuccessfulorunsuccessful,mayprovideforensicevidenceaboutpotentialsuspicious/unauthorizedactivities.Anysuchactivitiesmaybeacauseforfurtherinvestigation.Inaddition,organizationsecuritypoliciesandindustry/governmentregulationsmayrequireloggingofalluseractivitiesinvolvingLOGONandLOGOFF.

Audit:


SELECT * FROM AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS' AND EXISTS ( SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'LOGON' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION') AND EXISTS ( SELECT 'x' FROM AUDIT_UNIFIED_POLICIES AUD WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'LOGOFF' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION');


283|P a g e

Remediation:


ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS LOGON, LOGOFF;


CISControls:

Version6



284|P a g e

6 Appendix: Establishing an Audit/Scan User

Thisdocumenthasbeenauthoredwiththeexpectationthatauserwithappropriatepermissionswillbeusedtoexecutethequeriesandperformotherassessmentactions.WhilethiscouldbeaccomplishedbygrantingDBAprivilegestoagivenuser,thepreferredapproachistocreateadedicateduserandgrantonlythespecificpermissionsrequiredtoperformtheassessmentsexpressedherein.DoingthisavoidsthenecessityforanyuserassessingthesystemtobegrantedDBAprivileges.

TherecommendationsexpressedinthisdocumentassumethepresenceofarolenamedCISSCANROLEandausernamedCISSCAN.ThisroleandusershouldbecreatedbyexecutingthefollowingSQLstatements,beingcarefultosubstituteanappropriatepasswordfor<password>.

-- Create the role CREATE ROLE CISSCANROLE; -- Grant necessary privileges to the role GRANT CREATE SESSION TO CISSCANROLE; GRANT SELECT ON V_$PARAMETER TO CISSCANROLE; GRANT SELECT ON DBA_TAB_PRIVS TO CISSCANROLE; GRANT SELECT ON DBA_PROFILES TO CISSCANROLE; GRANT SELECT ON DBA_SYS_PRIVS TO CISSCANROLE; GRANT SELECT ON DBA_STMT_AUDIT_OPTS TO CISSCANROLE; GRANT SELECT ON DBA_ROLE_PRIVS TO CISSCANROLE; GRANT SELECT ON DBA_OBJ_AUDIT_OPTS TO CISSCANROLE; GRANT SELECT ON DBA_PRIV_AUDIT_OPTS TO CISSCANROLE; GRANT SELECT ON DBA_PROXIES TO CISSCANROLE; GRANT SELECT ON DBA_USERS TO CISSCANROLE; GRANT SELECT ON DBA_USERS_WITH_DEFPWD TO CISSCANROLE; GRANT AUDIT_VIEWER TO CISSCANROLE; -- Create the user and assign the user to the role CREATE USER CISSCAN IDENTIFIED BY <password>; GRANT CISSCANROLE TO CISSCAN;

Ifyourelyonsimilarrolesand/orusers,buttheyarenotnamedCISSCANROLEorCISSCAN,orifyouhaverolesorusersnamedCISSCANROLEorCISSCANintendedtobeusedfordifferentpurposes,beawarethatsomerecommendationshereinexplicitlynameCISSCANROLEandCISSCAN.

Theseare:

• 3.10EnsureNoUsersAreAssignedtheDEFAULTProfile• 4.5.5Ensure'ALL'IsRevokedfromUnauthorizedGRANTEEonDBA_%

Note:Differentorganizationsmaywishtofollowtheinstructionsinthisappendixindifferentways.Formorepermanentorregularassessmentscans,itmaybeacceptabletoretaintheCISSCANROLEandCISSCANuserindefinitely.However,inaconsultativecontextwhereanassessmentisperhapsrunattheoutsetoftheconsultingengagementandagain

285|P a g e

closertotheend,afteranyremediationhasbeenperformed,theCISSCANROLEroleandCISSCANusermaybedropped.Suchadecisionisultimatelyleftuptotheimplementingorganization.

286|P a g e

Appendix:SummaryTableControl Set

CorrectlyYes No

1 OracleDatabaseInstallationandPatchingRequirements1.1 EnsuretheAppropriateVersion/PatchesforOracleSoftware

IsInstalled(NotScored) o o

1.2 EnsureAllDefaultPasswordsAreChanged(Scored) o o1.3 EnsureAllSampleDataAndUsersHaveBeenRemoved

(Scored) o o

2 OracleParameterSettings2.1 ListenerSettings2.1.1 Ensure'SECURE_CONTROL_<listener_name>'IsSetIn

'listener.ora'(Scored) o o

2.1.2 Ensure'extproc'IsNotPresentin'listener.ora'(Scored) o o2.1.3 Ensure'ADMIN_RESTRICTIONS_<listener_name>'IsSetto

'ON'(Scored) o o

2.1.4 Ensure'SECURE_REGISTER_<listener_name>'IsSetto'TCPS'or'IPC'(Scored) o o

2.2 DatabaseSettings2.2.1 Ensure'AUDIT_SYS_OPERATIONS'IsSetto'TRUE'(Scored) o o2.2.2 Ensure'AUDIT_TRAIL'IsSetto'DB','XML','OS',

'DB,EXTENDED',or'XML,EXTENDED'(Scored) o o

2.2.3 Ensure'GLOBAL_NAMES'IsSetto'TRUE'(Scored) o o2.2.4 Ensure'O7_DICTIONARY_ACCESSIBILITY'IsSetto'FALSE'

(Scored) o o

2.2.5 Ensure'OS_ROLES'IsSetto'FALSE'(Scored) o o2.2.6 Ensure'REMOTE_LISTENER'IsEmpty(Scored) o o2.2.7 Ensure'REMOTE_LOGIN_PASSWORDFILE'IsSetto'NONE'

(Scored) o o

2.2.8 Ensure'REMOTE_OS_AUTHENT'IsSetto'FALSE'(Scored) o o2.2.9 Ensure'REMOTE_OS_ROLES'IsSetto'FALSE'(Scored) o o2.2.10 Ensure'UTL_FILE_DIR'IsEmpty(Scored) o o2.2.11 Ensure'SEC_CASE_SENSITIVE_LOGON'IsSetto'TRUE'

(Scored) o o

2.2.12 Ensure'SEC_MAX_FAILED_LOGIN_ATTEMPTS'Is'3'orLess(Scored) o o

2.2.13 Ensure'SEC_PROTOCOL_ERROR_FURTHER_ACTION'IsSetto'DROP,3'(Scored) o o

2.2.14 Ensure'SEC_PROTOCOL_ERROR_TRACE_ACTION'IsSetto'LOG'(Scored) o o

287|P a g e

2.2.15 Ensure'SEC_RETURN_SERVER_RELEASE_BANNER'IsSetto'FALSE'(Scored) o o

2.2.16 Ensure'SQL92_SECURITY'IsSetto'TRUE'(Scored) o o2.2.17 Ensure'_trace_files_public'IsSetto'FALSE'(Scored) o o2.2.18 Ensure'RESOURCE_LIMIT'IsSetto'TRUE'(Scored) o o3 OracleConnectionandLoginRestrictions3.1 Ensure'FAILED_LOGIN_ATTEMPTS'IsLessthanorEqualto

'5'(Scored) o o

3.2 Ensure'PASSWORD_LOCK_TIME'IsGreaterthanorEqualto'1'(Scored) o o

3.3 Ensure'PASSWORD_LIFE_TIME'IsLessthanorEqualto'90'(Scored) o o

3.4 Ensure'PASSWORD_REUSE_MAX'IsGreaterthanorEqualto'20'(Scored) o o

3.5 Ensure'PASSWORD_REUSE_TIME'IsGreaterthanorEqualto'365'(Scored) o o

3.6 Ensure'PASSWORD_GRACE_TIME'IsLessthanorEqualto'5'(Scored) o o

3.7 Ensure'DBA_USERS.PASSWORD'IsNotSetto'EXTERNAL'forAnyUser(Scored) o o

3.8 Ensure'PASSWORD_VERIFY_FUNCTION'IsSetforAllProfiles(Scored) o o

3.9 Ensure'SESSIONS_PER_USER'IsLessthanorEqualto'10'(Scored) o o

3.10 EnsureNoUsersAreAssignedthe'DEFAULT'Profile(Scored) o o4 OracleUserAccessandAuthorizationRestrictions4.1 DefaultPublicPrivilegesforPackagesandObjectTypes4.1.1 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on

'DBMS_ADVISOR'(Scored) o o

4.1.2 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_CRYPTO'(Scored) o o

4.1.3 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_JAVA'(Scored) o o

4.1.4 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_JAVA_TEST'(Scored) o o

4.1.5 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_JOB'(Scored) o o

4.1.6 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_LDAP'(Scored) o o

4.1.7 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_LOB'(Scored) o o

288|P a g e

4.1.8 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_OBFUSCATION_TOOLKIT'(Scored) o o

4.1.9 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_RANDOM'(Scored) o o

4.1.10 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_SCHEDULER'(Scored) o o

4.1.11 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_SQL'(Scored) o o

4.1.12 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_XMLGEN'(Scored) o o

4.1.13 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_XMLQUERY'(Scored) o o

4.1.14 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'UTL_FILE'(Scored) o o

4.1.15 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'UTL_INADDR'(Scored) o o

4.1.16 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'UTL_TCP'(Scored) o o

4.1.17 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'UTL_MAIL'(Scored) o o

4.1.18 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'UTL_SMTP'(Scored) o o

4.1.19 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'UTL_DBWS'(Scored) o o

4.1.20 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'UTL_ORAMTS'(Scored) o o

4.1.21 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'UTL_HTTP'(Scored) o o

4.1.22 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'HTTPURITYPE'(Scored) o o

4.1.23 Ensure'EXECUTE'isrevokedfrom'PUBLIC'on'DBMS_XMLSTORE'(Scored) o o

4.1.24 Ensure'EXECUTE'isrevokedfrom'PUBLIC'on'DBMS_XMLSAVE'(Scored) o o

4.1.25 Ensure'EXECUTE'isrevokedfrom'PUBLIC'on'DBMS_REDACT'(Scored) o o

4.2 RevokeNon-DefaultPrivilegesforPackagesandObjectTypes4.2.1 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on

'DBMS_SYS_SQL'(Scored) o o

4.2.2 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_BACKUP_RESTORE'(Scored) o o

289|P a g e

4.2.3 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_AQADM_SYSCALLS'(Scored) o o

4.2.4 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_REPCAT_SQL_UTL'(Scored) o o

4.2.5 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'INITJVMAUX'(Scored) o o

4.2.6 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_STREAMS_ADM_UTL'(Scored) o o

4.2.7 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_AQADM_SYS'(Scored) o o

4.2.8 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_STREAMS_RPC'(Scored) o o

4.2.9 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_PRVTAQIM'(Scored) o o

4.2.10 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'LTADM'(Scored) o o

4.2.11 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'WWV_DBMS_SQL'(Scored) o o

4.2.12 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'WWV_EXECUTE_IMMEDIATE'(Scored) o o

4.2.13 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_IJOB'(Scored) o o

4.2.14 Ensure'EXECUTE'IsRevokedfrom'PUBLIC'on'DBMS_FILE_TRANSFER'(Scored) o o

4.3 RevokeExcessiveSystemPrivileges4.3.1 Ensure'SELECTANYDICTIONARY'IsRevokedfrom

Unauthorized'GRANTEE'(Scored) o o

4.3.2 Ensure'SELECTANYTABLE'IsRevokedfromUnauthorized'GRANTEE'(Scored) o o

4.3.3 Ensure'AUDITSYSTEM'IsRevokedfromUnauthorized'GRANTEE'(Scored) o o

4.3.4 Ensure'EXEMPTACCESSPOLICY'IsRevokedfromUnauthorized'GRANTEE'(Scored) o o

4.3.5 Ensure'BECOMEUSER'IsRevokedfromUnauthorized'GRANTEE'(Scored) o o

4.3.6 Ensure'CREATE_PROCEDURE'IsRevokedfromUnauthorized'GRANTEE'(Scored) o o

4.3.7 Ensure'ALTERSYSTEM'IsRevokedfromUnauthorized'GRANTEE'(Scored) o o

4.3.8 Ensure'CREATEANYLIBRARY'IsRevokedfromUnauthorized'GRANTEE'(Scored) o o

290|P a g e

4.3.9 Ensure'CREATELIBRARY'IsRevokedfromUnauthorized'GRANTEE'(Scored) o o

4.3.10 Ensure'GRANTANYOBJECTPRIVILEGE'IsRevokedfromUnauthorized'GRANTEE'(Scored) o o

4.3.11 Ensure'GRANTANYROLE'IsRevokedfromUnauthorized'GRANTEE'(Scored) o o

4.3.12 Ensure'GRANTANYPRIVILEGE'IsRevokedfromUnauthorized'GRANTEE'(Scored) o o

4.4 RevokeRolePrivileges4.4.1 Ensure'DELETE_CATALOG_ROLE'IsRevokedfrom

Unauthorized'GRANTEE'(Scored) o o

4.4.2 Ensure'SELECT_CATALOG_ROLE'IsRevokedfromUnauthorized'GRANTEE'(Scored) o o

4.4.3 Ensure'EXECUTE_CATALOG_ROLE'IsRevokedfromUnauthorized'GRANTEE'(Scored) o o

4.4.4 Ensure'DBA'IsRevokedfromUnauthorized'GRANTEE'(Scored) o o

4.5 RevokeExcessiveTableandViewPrivileges4.5.1 Ensure'ALL'IsRevokedfromUnauthorized'GRANTEE'on

'AUD$'(Scored) o o

4.5.2 Ensure'ALL'IsRevokedfromUnauthorized'GRANTEE'on'USER_HISTORY$'(Scored) o o

4.5.3 Ensure'ALL'IsRevokedfromUnauthorized'GRANTEE'on'LINK$'(Scored) o o

4.5.4 Ensure'ALL'IsRevokedfromUnauthorized'GRANTEE'on'SYS.USER$'(Scored) o o

4.5.5 Ensure'ALL'IsRevokedfromUnauthorized'GRANTEE'on'DBA_%'(Scored) o o

4.5.6 Ensure'ALL'IsRevokedfromUnauthorized'GRANTEE'on'SYS.SCHEDULER$_CREDENTIAL'(Scored) o o

4.5.7 Ensure'SYS.USER$MIG'HasBeenDropped(Scored) o o4.6 Ensure'%ANY%'IsRevokedfromUnauthorized'GRANTEE'

(Scored) o o

4.7 Ensure'DBA_SYS_PRIVS.%'IsRevokedfromUnauthorized'GRANTEE'with'ADMIN_OPTION'Setto'YES'(Scored) o o

4.8 EnsureProxyUsersHaveOnly'CONNECT'Privilege(Scored) o o4.9 Ensure'EXECUTEANYPROCEDURE'IsRevokedfrom

'OUTLN'(Scored) o o

4.10 Ensure'EXECUTEANYPROCEDURE'IsRevokedfrom'DBSNMP'(Scored) o o

5 Audit/LoggingPoliciesandProcedures5.1 TraditionalAuditing5.1.1 Ensurethe'USER'AuditOptionIsEnabled(Scored) o o5.1.2 Ensurethe'ROLE'AuditOptionIsEnabled(Scored) o o

291|P a g e

5.1.3 Ensurethe'SYSTEMGRANT'AuditOptionIsEnabled(Scored) o o

5.1.4 Ensurethe'PROFILE'AuditOptionIsEnabled(Scored) o o5.1.5 Ensurethe'DATABASELINK'AuditOptionIsEnabled

(Scored) o o

5.1.6 Ensurethe'PUBLICDATABASELINK'AuditOptionIsEnabled(Scored) o o

5.1.7 Ensurethe'PUBLICSYNONYM'AuditOptionIsEnabled(Scored) o o

5.1.8 Ensurethe'SYNONYM'AuditOptionIsEnabled(Scored) o o5.1.9 Ensurethe'DIRECTORY'AuditOptionIsEnabled(Scored) o o5.1.10 Ensurethe'SELECTANYDICTIONARY'AuditOptionIs

Enabled(Scored) o o

5.1.11 Ensurethe'GRANTANYOBJECTPRIVILEGE'AuditOptionIsEnabled(Scored) o o

5.1.12 Ensurethe'GRANTANYPRIVILEGE'AuditOptionIsEnabled(Scored) o o

5.1.13 Ensurethe'DROPANYPROCEDURE'AuditOptionIsEnabled(Scored) o o

5.1.14 Ensurethe'ALL'AuditOptionon'SYS.AUD$'IsEnabled(Scored) o o

5.1.15 Ensurethe'PROCEDURE'AuditOptionIsEnabled(Scored) o o5.1.16 Ensurethe'ALTERSYSTEM'AuditOptionIsEnabled(Scored) o o5.1.17 Ensurethe'TRIGGER'AuditOptionIsEnabled(Scored) o o5.1.18 Ensurethe'CREATESESSION'AuditOptionIsEnabled

(Scored) o o

5.2 UnifiedAuditing5.2.1 Ensurethe'CREATEUSER'ActionAuditIsEnabled(Scored) o o5.2.2 Ensurethe'ALTERUSER'ActionAuditIsEnabled(Scored) o o5.2.3 Ensuethe'DROPUSER'AuditOptionIsEnabled(Scored) o o5.2.4 Ensurethe'CREATEROLE’ActionAuditIsEnabled(Scored) o o5.2.5 Ensurethe'ALTERROLE’ActionAuditIsEnabled(Scored) o o5.2.6 Ensurethe'DROPROLE’ActionAuditIsEnabled(Scored) o o5.2.7 Ensurethe'GRANT'ActionAuditIsEnabled(Scored) o o5.2.8 Ensurethe'REVOKE'ActionAuditIsEnabled(Scored) o o5.2.9 Ensurethe'CREATEPROFILE’ActionAuditIsEnabled

(Scored) o o

5.2.10 Ensurethe'ALTERPROFILE’ActionAuditIsEnabled(Scored) o o5.2.11 Ensurethe'DROPPROFILE’ActionAuditIsEnabled(Scored) o o5.2.12 Ensurethe'CREATEDATABASELINK’ActionAuditIs

Enabled(Scored) o o

5.2.13 Ensurethe'ALTERDATABASELINK’ActionAuditIsEnabled(Scored) o o

292|P a g e

5.2.14 Ensurethe'DROPDATABASELINK’ActionAuditIsEnabled(Scored) o o

5.2.15 Ensurethe'CREATESYNONYM’ActionAuditIsEnabled(Scored) o o

5.2.16 Ensurethe'ALTERSYNONYM’ActionAuditIsEnabled(Scored) o o

5.2.17 Ensurethe'DROPSYNONYM’ActionAuditIsEnabled(Scored) o o

5.2.18 Ensurethe'SELECTANYDICTIONARY’PrivilegeAuditIsEnabled(Scored) o o

5.2.19 Ensurethe'UNIFIED_AUDIT_TRAIL’AccessAuditIsEnabled(Scored) o o

5.2.20 Ensurethe'CREATEPROCEDURE/FUNCTION/PACKAGE/PACKAGEBODY’ActionAuditIsEnabled(Scored)

o o

5.2.21 Ensurethe'ALTERPROCEDURE/FUNCTION/PACKAGE/PACKAGEBODY’ActionAuditIsEnabled(Scored)

o o

5.2.22 Ensurethe'DROPPROCEDURE/FUNCTION/PACKAGE/PACKAGEBODY’ActionAuditIsEnabled(Scored)

o o

5.2.23 Ensurethe'ALTERSYSTEM’PrivilegeAuditIsEnabled(Scored) o o

5.2.24 Ensurethe'CREATETRIGGER’ActionAuditIsEnabled(Scored) o o

5.2.25 Ensurethe'ALTERTRIGGER’ActionAuditISEnabled(Scored) o o

5.2.26 Ensurethe'DROPTRIGGER’ActionAuditIsEnabled(Scored) o o5.2.27 Ensurethe'LOGON’AND‘LOGOFF’ActionsAuditIsEnabled

(Scored) o o

6 Appendix:EstablishinganAudit/ScanUser

293|P a g e

Appendix:ChangeHistoryDate Version Changesforthisversion

Apr29,2015 1.0.0 InitialRelease

Apr29,2015 1.1.0 Ticket#216:Updatedremediationtoreference[PRIVILEGE]list

Apr30,2015 1.1.0 Ticket#204:Clarificationinoverviewforbenchmarknon-pluggableapplicability

Jun29,2015 1.1.0 Ticket#209:Addworkflowadvicetoappendixaboutscanuser

Jun29,2015 1.1.0 Ticket#217:Correctedtypeof"repact"with"repcat"

Jun29,2015 1.1.0 Ticket#213:UpdatedauditqueryforregexonAPEXusers

Jun29,2015 1.1.0 Ticket#212:CorrectedconfusionbetweenDBMS_RANDOMandDBMS_BACKUP_RESTORE

Jun29,2015 1.1.0 Ticket#211:Correctedincorrectrecommendationfrom'FALSE'to'TRUE'

Jun29,2015 1.1.0 Ticket#203:Updatedreferencesfrom11gR2to12cwherepossible

Mar31,2016 1.2.0 Ticket#259:AddedSYSMANtolistofauthorizedgranteesfor4.4.2

Mar31,2016 1.2.0 Ticket#258:AddedAPEX_050000;MGMT_VIEW;SYSMAN_MDS;SYSMAN_OPSS;SYSMAN_RO;SYSMAN_STBtolistofauthorizedgranteesin4.3.6

Mar31,2016 1.2.0 Ticket#256:AddedSYSBACKUPandSYSDGtogranteelistfor4.3.1

Mar31,2016 1.2.0 Ticket#254:Updatedrecommendationtexttosay'LessthanorEqualto10'on2.13

294|P a g e

Mar31,2016 1.2.0 Ticket#241:Addedmissingsemicoloninauditqueryon5.1

Mar31,2016 1.2.0 Ticket#253:Removedquotesfromremediationcommandon2.2.2

Mar31,2016 1.2.0 Ticket#261:AddedSYStotableownersandSYSMANtolistofauthorizedgranteesfor4.5.4

Mar31,2016 1.2.0 Ticket#263:AddedSYStolistoftableowners

Mar31,2016 1.2.0 Ticket#264:AddedAPEX_050000;SYSMAN_STB;SYSMAN_TYPEStolistofauthorizedgrantees

Mar31,2016 1.2.0 Ticket#225:Updateddescriptionandrationalefor2.2.17

Mar31,2016 1.2.0 Ticket#251:AddedAUDIT_ADMIN,AUDIT_VIEWER,CAPTURE_ADMIN,DBA,GSMADMIN_INTERNAL,ORACLE_OCM,SYSDG,SYSKM,XDBtolistofauthorizedgrantees

Mar31,2016 1.2.0 Ticket#215:RevisedLISTENERsectionsandincludedLISTENER_HOMEreferences

Mar31,2016 1.2.0 Ticket#242:Addedmissingsemicolonto4.1.4

Mar31,2016 1.2.0 Ticket#266:Updatedauditquerytocheckforallprivileges,notonlyroles

Mar31,2016 1.2.0 Ticket#265:AddedAPEX_050000tolistofauthorizedgranteeson4.7

Mar31,2016 1.2.0 Ticket#252:Updateprofiletext(minor)

Apr1,2016 2.0.0 Ticket#267:AddedacautionstatementaboutrevokingprivilegesfromPUBLIC.

Oct18,2016 2.0.0 Ticket#207:MovedexistingauditingrecommendationstoasubsectionnamedTraditionalAuditing(5.1)andaddedunifiedauditingrecommendationsunderasiblingsubsectioncalledUnifiedAuditing(5.2).

Oct18,2016 2.0.0 Ticket#275:Correctedreferenceincludedfor2.2.2

295|P a g e

Oct18,2016 2.0.0 Ticket#276:Added‘DB’and‘XML’asvalidparametervaluesfor2.2.2

Dec1,2016 2.0.0 Ticket#262:UpdatedGranteelistandaddedanotregardingPUBLICgrantsfor4.5.5

Dec1,2016 2.0.0 Ticket#282:Correctedtypoin2.2.11whereitspecifiedUTIL_FILE_DIRinsteadofUTL_FILE_DIR

Dec1,2016 2.0.0 Ticket#283:Updatedtitletoread“Ensure‘SEC_MAX_FAILED_LOGIN_ATTEMPTS’is‘10’”for2.2.13

Dec1,2016 2.0.0 Ticket#284:Added“andOWNER=’SYS’”tothequeryfor4.5.2




Dec28,2016 2.0.0 PlannedUpdate

Jan18,2017 2.1.0 Ticket#3934:#2924.3.12-Typoinauditprocedure

Jun22,2017 2.1.0 Ticket#3937:#295Remove"Level1-RDBMSusingUnifiedAuditing"from2.2.1

Sep14,2017 2.1.0 Ticket#4759:#297:2.2.13Ensure'SEC_MAX_FAILED_LOGIN_ATTEMPTS'Is'10'

Sep14,2017 2.1.0 Ticket#3938:#2961.2EnsureAllDefaultPasswordsAreChanged(Scored)-Addcomment

Sep14,2017 2.1.0 Ticket#3936:#294Titleof2.2.2isinconsistent

Sep14,2017 2.1.0 Ticket#3935:#293Changeupper(value)fromauditSQLquerytovalue

Sep28,2017 2.1.0 Ticket#3932:#290Reviseprofiledescriptionstoremoveanyambiguity

296|P a g e

Feb1,2018 2.1.0 Ticket#3928:#247Revokedangerouspublicprivileges

Feb1,2018 2.1.0 Ticket#3930:#250CheckforlatestPatchUpdateusingnewnamingformat

Mar16,2018 2.1.0 Ticket#6095:Remove'LOCAL_LISTENER'recommendationfrom12c

Jul10,2018 2.1.0 Editedtotheentirebenchmarktoaddresserrorsandclarifyrecommendations

Sep18,2018 2.1.0 PlannedUpdate

Documents

CIS Oracle Database 12c Benchmark v2.1.0 › Security › CIS › CIS_Oracle_Database_12c... · 4 | Page 4.1.4 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_JAVA_TEST' (Scored)