24 CIS Compliance Standards
This section explains how to use the Center for Internet Security (CIS) Benchmarks in Enterprise Manager Cloud Control. CIS Benchmarks are the only consensus-based, best-practice security configuration guides both developed and accepted by government, business, industry, and academia.
About CIS Compliance Standards
Enterprise Manager supports an implementation in the form of compliance standards. These standards consist of CIS Profiles with traditional or unified auditing. The currently available CIS based compliance standards are:
Table 24-1 CIS Standards for Oracle Database 19c
| CIS Version for Oracle Database 19c | CIS Standard Available for Enterprise Manager |
|---|---|
| CIS Oracle Database 19c Benchmark V1.0.0 |
|
Table 24-2 CIS Standards for Oracle Database 12c
| CIS Version for Oracle Database 12c | CIS Standard Available for Enterprise Manager |
|---|---|
| CIS Oracle Database 12c Benchmark V2.1.0 |
|
| CIS Oracle Database 12c Benchmark V3.0.0 |
|
Associating CIS Compliance Standards Targets
Associate the target to the CIS compliance standard to determine whether the target satisfies to the CIS compliance standard.
- From the Enterprise menu, select Compliance, then select Library.
- Select the Compliance Standards tab and select the CIS standard.
- Select the Oracle Database or RAC and click Associate Targets.
- Click Add and select the targets you want to monitor. The targets appear in the table after you close the selector dialog.
- Click OK then confirm that you want to save the association. The association internally deploys the necessary configuration extensions to the appropriate Management Agents.
- After deployment and subsequent configuration collection occurs, you can view the results. From the Enterprise menu, select Compliance, then select either Dashboard or Results.
Oracle Database Installation and Patching Requirements
One of the best ways to ensure secure Oracle security is to implement Critical Patch Updates (CPUs) as they come out, along with any applicable OS patches that will not interfere with system operations. It is additionally prudent to remove Oracle sample data from production environments.
Ensure All Default Passwords Are Changed (Scored)
Default passwords should not be used by Oracle database users.
Remediation
To remediate this recommendation, you may perform either of the following actions:
- Manually issue the following SQL statement for each USERNAME returned in the
Audit Procedure:
PASSWORD <username>
- Execute the following SQL script to assign a randomly generated password to
each account using a default
password:
begin for r_user in (select username from dba_users_with_defpwd where username not like '%XS$NULL%') loop DBMS_OUTPUT.PUT_LINE('Password for user '||r_user.username||' will be changed.'); execute immediate 'alter user "'||r_user.username||'" identified by "'||DBMS_RANDOM.string('a',16)||'"account lock password expire'; end loop; end;
Ensure All Sample Data And Users Have Been Removed (Scored)
Oracle sample schemas can be used to create sample users (BI,HR,IX,OE,PM,SCOTT,SH), with well-known default passwords, particular views, and procedures/functions, in addition to tables and fictitious data. The sample schemas should be removed.
Remediation
To remediate this setting, execute the following SQL script:
$ORACLE_HOME/demo/schema/drop_sch.sql
Then, execute the following SQL statement.
DROP USER SCOTT CASCADE;
Note:
The recyclebin is not set to OFF within the default drop script, which means that the data will still be present in your environment until the recyclebin is emptied.Impact
The Oracle sample usernames may be in use on a production basis. It is important that you first verify that BI, HR, IX, OE, PM, SCOTT, and/or SH are not valid production usernames before executing the dropping SQL scripts. This may be particularly true with the HR and BI users. If any of these users are present, it is important to be cautious and confirm the schemas present are, in fact, Oracle sample schemas and not production schemas being relied upon by business operations.
Oracle Parameter Settings
The operation of the Oracle database instance is governed by numerous parameters that are set in specific configuration files and are instance-specific in scope. As alterations of these parameters can cause problems ranging from denial-of-service to theft of proprietary information, these configurations should be carefully considered and maintained.
Note:
For all files that have parameters that can be modified with the OS and/or SQL commands/scripts, these will both be listed where appropriate.Listener Settings
This section defines recommendations for the settings for the TNS Listener listener.ora file.
Ensure 'SECURE_CONTROL_' Is Set In 'listener.ora' (Scored)
The SECURE_CONTROL_<listener_name> setting determines the type of control connection the Oracle server requires for remote configuration of the listener.
Remediation
To remediate this recommendation:
Set the SECURE_CONTROL_<listener_name> for each defined listener in the listener.ora file.
Ensure 'extproc' Is Not Present in 'listener.ora' (Scored)
extproc should be removed from the listener.ora to mitigate the risk that OS libraries can be invoked by the Oracle instance.
Remediation
To remediate this recommendation:
Remove extproc from the listener.ora file.
Ensure 'ADMIN_RESTRICTIONS_' Is Set to 'ON' (Scored)
The admin_restrictions_<listener_name> setting in the listener.ora file can require that any attempted real-time alteration of the parameters in the listener via the set command file be refused unless the listener.ora file is manually altered, then restarted by a privileged user.
Remediation
To remediate this recommendation:
Use a text editor such as vi to set the admin_restrictions_<listener_name> to the value ON.
Ensure 'SECURE_REGISTER_' Is Set to 'TCPS' or 'IPC' (Scored)
The SECURE_REGISTER_<listener_name> setting specifies the protocols used to connect to the TNS listener. Each setting should have a value of either TCPS or IPC based on the needs for its protocol.
Remediation
To remediate this recommendation:
Use a text editor such as vi to set the SECURE_REGISTER_<listener_name>=TCPS or SECURE_REGISTER_<listener_name>=IPC for each listener found in $ORACLE_HOME/network/admin/listener.ora.
Database Settings
This section defines recommendations covering the general security configuration of the database instance. The recommendations ensure auditing is enabled, listeners are appropriately confined, and authentication is appropriately configured.
Note:
The remediation procedures assume the use of a server parameter file, which is often a preferred method of storing server initialization parameters.
For your environment, leaving off the SCOPE = SPFILE directive or substituting it with SCOPE = BOTH might be preferred depending on the recommendation.
Ensure 'AUDIT_SYS_OPERATIONS' Is Set to 'TRUE' (Scored)
The AUDIT_SYS_OPERATIONS setting provides for the auditing of all user activities conducted under the SYSOPER and SYSDBA accounts. The setting should be set to TRUE to enable this auditing.
Remediation
To remediate this setting, execute the following SQL statement:
ALTER SYSTEM SET AUDIT_SYS_OPERATIONS = TRUE SCOPE=SPFILE;
Ensure 'AUDIT_TRAIL' Is Set to 'DB', 'XML', 'OS', 'DB,EXTENDED', or 'XML,EXTENDED' (Scored)
The audit_trail setting determines whether or not Oracle's basic audit features are enabled. It can be set to "Operating System"(OS); DB; DB,EXTENDED; XML; or XML,EXTENDED. The value should be set according to the needs of the organization.
Remediation
To remediate this setting, execute one of the following SQL statements.
ALTER SYSTEM SET AUDIT_TRAIL = DB, EXTENDED SCOPE = SPFILE;
ALTER SYSTEM SET AUDIT_TRAIL = OS SCOPE = SPFILE;
ALTER SYSTEM SET AUDIT_TRAIL = XML, EXTENDED SCOPE = SPFILE;
ALTER SYSTEM SET AUDIT_TRAIL = DB SCOPE = SPFILE;
ALTER SYSTEM SET AUDIT_TRAIL = XML SCOPE = SPFILE;
Ensure 'GLOBAL_NAMES' Is Set to 'TRUE' (Scored)
The global_names setting requires that the name of a database link matches that of the remote database it will connect to. This setting should have a value of TRUE.
Remediation
To remediate this setting, execute the following SQL statement:
ALTER SYSTEM SET GLOBAL_NAMES = TRUE SCOPE = SPFILE;
Ensure 'O7_DICTIONARY_ACCESSIBILITY' Is Set to 'FALSE' (Scored)
The O7_dictionary_accessibility setting is a database initialization parameter that allows/disallows access to objects with the * ANY * privileges (SELECT ANY TABLE, DELETE ANY TABLE, EXECUTE ANY PROCEDURE, etc.). This functionality was created for the ease of migration from Oracle 7 databases to later versions. The setting should have a value of FALSE.
Remediation
To remediate this setting, execute the following SQL statement:
ALTER SYSTEM SET O7_DICTIONARY_ACCESSIBILITY=FALSE SCOPE = SPFILE;
Note:
The value for this is "O(oh)7" not "0(Zero)7" for O7. Also, for "Oracle Applications" up to version 11.5.9, this setting is reversed; the O7_dictionary_accessibility=TRUE value is required for correct operations.Ensure 'OS_ROLES' Is Set to 'FALSE' (Scored)
The os_roles setting permits externally created groups to be applied to database management.
Remediation
To remediate this setting, execute the following SQL statement:
ALTER SYSTEM SET OS_ROLES = FALSE SCOPE = SPFILE;
Ensure 'REMOTE_LISTENER' Is Empty (Scored)
The remote_listener setting determines whether or not a valid listener can be established on a system separate from the database instance. This setting should be empty unless the organization specifically needs a valid listener on a separate system.
Remediation
To remediate this setting, execute the following SQL statement.
ALTER SYSTEM SET REMOTE_LISTENER = '' SCOPE = SPFILE;
Note:
If set as remote_listener=true, the address/address list is taken from the TNSNAMES.ORA file.Ensure 'REMOTE_LOGIN_PASSWORDFILE' Is Set to 'NONE' (Scored)
The remote_login_passwordfile setting specifies whether or not Oracle checks for a password file during login and how many databases can use the password file. The setting should have a value of NONE.
Remediation
To remediate this setting, execute the following SQL statement.
ALTER SYSTEM SET REMOTE_LOGIN_PASSWORDFILE = 'NONE' SCOPE = SPFILE;
Ensure 'REMOTE_OS_AUTHENT' Is Set to 'FALSE' (Scored)
The remote_os_authent setting determines whether or not OS 'roles' with the attendant privileges are allowed for remote client connections. This setting should have a value of FALSE.
Remediation
To remediate this setting, execute the following SQL statement.
ALTER SYSTEM SET REMOTE_OS_AUTHENT = FALSE SCOPE = SPFILE;
Ensure 'REMOTE_OS_ROLES' Is Set to 'FALSE' (Scored)
The remote_os_roles setting permits remote users' OS roles to be applied to database management. This setting should have a value of FALSE.
Remediation
To remediate this setting, execute the following SQL statement.
ALTER SYSTEM SET REMOTE_OS_ROLES = FALSE SCOPE = SPFILE;
Ensure 'UTL_FILE_DIR' Is Empty (Scored)
The utl_file_dir setting allows packages like utl_file to access (read/write/modify/delete) files specified in utl_file_dir. This setting should have an empty value.
Remediation
To remediate this setting, execute the following SQL statement.
ALTER SYSTEM SET UTL_FILE_DIR = '' SCOPE = SPFILE;
Ensure 'SEC_CASE_SENSITIVE_LOGON' Is Set to 'TRUE' (Scored)
The SEC_CASE_SENSITIVE_LOGON information determines whether or not case-sensitivity is required for passwords during login.
Remediation
To remediate this setting, execute the following SQL statement.
ALTER SYSTEM SET SEC_CASE_SENSITIVE_LOGON = TRUE SCOPE = SPFILE;
Ensure 'SEC_MAX_FAILED_LOGIN_ATTEMPTS' Is '3' or Less (Scored)
The SEC_MAX_FAILED_LOGIN_ATTEMPTS parameter determines how many failed login attempts are allowed before Oracle closes the login connection.
Remediation
To remediate this setting, execute the following SQL statement.
ALTER SYSTEM SET SEC_MAX_FAILED_LOGIN_ATTEMPTS = 3 SCOPE = SPFILE;
Ensure 'SEC_PROTOCOL_ERROR_FURTHER_ACTION' Is Set to 'DROP,3' (Scored)
The SEC_PROTOCOL_ERROR_FURTHER_ACTION setting determines the Oracle's server's response to bad/malformed packets received from the client. This setting should have a value of DROP,3, which will cause a connection to be dropped after three bad/malformed packets.
Remediation
To remediate this setting, execute the following SQL statement.
ALTER SYSTEM SET SEC_PROTOCOL_ERROR_FURTHER_ACTION = 'DROP,3' SCOPE = SPFILE;
Ensure 'SEC_PROTOCOL_ERROR_TRACE_ACTION' Is Set to 'LOG' (Scored)
The SEC_PROTOCOL_ERROR_TRACE_ACTION setting determines the Oracle's server's logging response level to bad/malformed packets received from the client by generating ALERT, LOG, or TRACE levels of detail in the log files. This setting should have a value of LOG unless the organization has a compelling reason to use a different value because LOG should cause the necessary information to be logged. Setting the value as TRACE can generate an enormous amount of log output and should be reserved for debugging only.
Remediation
To remediate this setting, execute the following SQL statement.
ALTER SYSTEM SET SEC_PROTOCOL_ERROR_TRACE_ACTION=LOG SCOPE = SPFILE;
Ensure 'SEC_RETURN_SERVER_RELEASE_BANNER' Is Set to 'FALSE' (Scored)
The information about patch/update release number provides information about the exact patch/update release that is currently running on the database. This is sensitive information that should not be revealed to anyone who requests it.
Remediation
To remediate this setting, execute the following SQL statement.
ALTER SYSTEM SET SEC_RETURN_SERVER_RELEASE_BANNER = FALSE SCOPE = SPFILE;
Ensure 'SQL92_SECURITY' Is Set to 'TRUE' (Scored)
The SQL92_SECURITY parameter setting TRUE requires that a user must also be granted the SELECT object privilege before being able to perform UPDATE or DELETE operations on tables that have WHERE or SET clauses. The setting should have a value of TRUE.
Remediation
To remediate this setting, execute the following SQL statement.
ALTER SYSTEM SET SQL92_SECURITY = TRUE SCOPE = SPFILE;
Ensure '_trace_files_public' Is Set to 'FALSE' (Scored)
The _trace_files_public setting determines whether or not the system's trace file is world readable. This setting should have a value of FALSE to restrict trace file access.
Remediation
To remediate this setting, execute the following SQL statement.
ALTER SYSTEM SET "_trace_files_public" = FALSE SCOPE = SPFILE;
Ensure 'RESOURCE_LIMIT' Is Set to 'TRUE' (Scored)
RESOURCE_LIMIT determines whether resource limits are enforced in database profiles. This setting should have a value of TRUE.
Remediation
To remediate this setting, execute the following SQL statement.
ALTER SYSTEM SET RESOURCE_LIMIT = TRUE SCOPE = SPFILE;
Default Value: FALSE
Oracle Connection and Login Restrictions
The restrictions on Client/User connections to the Oracle database help block unauthorized access to data and services by setting access rules. These security measures help to ensure that successful logins cannot be easily made through brute-force password attacks or intuited by clever social engineering exploits. Settings are generally recommended to be applied to all defined profiles rather than by using only the DEFAULT profile. All values assigned below are the recommended minimums or maximums; higher, more restrictive values can be applied at the discretion of the organization by creating a separate profile to assign to a different user group.
Ensure 'FAILED_LOGIN_ATTEMPTS' Is Less than or Equal to '5' (Scored)
The FAILED_LOGIN_ATTEMPTS setting determines how many failed login attempts are permitted before the system locks the user's account. While different profiles can have different and more restrictive settings, such as USERS and APPS, the minimum(s) recommended here should be set on the DEFAULT profile.
Remediation
Remediate this setting by executing the following SQL statement for each PROFILE returned by the audit procedure.
ALTER PROFILE <profile_name> LIMIT FAILED_LOGIN_ATTEMPTS 5;
Note:
One great concern with the above is the possibility of this setting being exploited to craft a DDoS attack by using the row-locking delay between failed login attempts (see _Oracle Bug 7715339 – Logon failures causes “row cache lock” waits – Allow disable of logon delay [ID 7715339.8], so the configuration of this setting depends on using the bug workaround). Also, while the setting for the FAILED_LOGIN_ATTEMPTS value can also be set in sqlnet.ora, this only applies to listed users. The similar setting used to block a DDoS, the SEC_MAX_FAILED_LOGIN_ATTEMPTS initialization parameter, can be used to protect unauthorized intruders from attacking the server processes for applications, but this setting does not protect against unauthorized attempts via valid usernames.Ensure 'PASSWORD_LOCK_TIME' Is Greater than or Equal to '1' (Scored)
The PASSWORD_LOCK_TIME setting determines how many days must pass for the user's account to be unlocked after the set number of failed login attempts has occurred. The suggested value for this is one day or greater.
Remediation
Remediate this setting by executing the following SQL statement for each PROFILE returned by the audit procedure.
ALTER PROFILE <profile_name> LIMIT PASSWORD_LOCK_TIME 1;
Ensure 'PASSWORD_LIFE_TIME' Is Less than or Equal to '90' (Scored)
The PASSWORD_LIFE_TIME setting determines how long a password may be used before the user is required to be change it. The suggested value for this is 90 days or less.
Remediation
Remediate this setting by executing the following SQL statement for each PROFILE returned by the audit procedure.
ALTER PROFILE <profile_name> LIMIT PASSWORD_LIFE_TIME 90;
Ensure 'PASSWORD_REUSE_MAX' Is Greater than or Equal to '20' (Scored)
The PASSWORD_REUSE_MAX setting determines how many different passwords must be used before the user is allowed to reuse a prior password. The suggested value for this is 20 passwords or greater.
Remediation
Remediate this setting by executing the following SQL statement for each PROFILE returned by the audit procedure.
ALTER PROFILE <profile_name> LIMIT PASSWORD_REUSE_MAX 20;
Ensure 'PASSWORD_REUSE_TIME' Is Greater than or Equal to '365' (Scored)
The PASSWORD_REUSE_TIME setting determines the amount of time in days that must pass before the same password may be reused. The suggested value for this is 365 days or greater.
Remediation
Remediate this setting by executing the following SQL statement for each PROFILE returned by the audit procedure.
ALTER PROFILE <profile_name> LIMIT PASSWORD_REUSE_TIME 365;
Ensure 'PASSWORD_GRACE_TIME' Is Less than or Equal to '5' (Scored)
The PASSWORD_GRACE_TIME setting determines how many days can pass after the user's password expires before the user's login capability is automatically locked out. The suggested value for this is five days or less.
Remediation
Remediate this setting by executing the following SQL statement for each PROFILE returned by the audit procedure.
ALTER PROFILE <profile_name> LIMIT PASSWORD_GRACE_TIME 5;
Ensure 'DBA_USERS.PASSWORD' Is Not Set to 'EXTERNAL' for Any User (Scored)
The password='EXTERNAL' setting determines whether or not a user can be authenticated by a remote OS to allow access to the database with full authorization. This setting should not be used.
Remediation
Remediate this setting by executing the following SQL statement for each PROFILE returned by the audit procedure.
ALTER USER <username> INDENTIFIED BY <password>;
Note:
The PASSWORD keyword (column) used in the SQL for prior Oracle versions has been deprecated from version 11.2 onward in favor of the new AUTHENTICATION_TYPE keyword (column) for the DBA_USERS table. However, the PASSWORD column has still been retained for backward compatibility.Ensure 'PASSWORD_VERIFY_FUNCTION' Is Set for All Profiles (Scored)
The PASSWORD_VERIFY_FUNCTION determines password settings requirements when a user password is changed at the SQL command prompt. It should be set for all profiles. Note that this setting does not apply for users managed by the Oracle password file.
Remediation
Create a custom password verification function which fulfills the password requirements of the organization.
Ensure 'SESSIONS_PER_USER' Is Less than or Equal to '10' (Scored)
The SESSIONS_PER_USER setting determines the maximum number of user sessions that are allowed to be open concurrently. The suggested value for this is 10 or less.
Remediation
To remediate this setting, execute the following SQL statement for each PROFILE returned by the audit procedure.
ALTER PROFILE <profile_name> LIMIT SESSIONS_PER_USER 10;
Note:
The SESSIONS_PER_USER profile management capability was created to prevent resource(s) exhaustion at a time when resource usage was very expensive. As current database design may require much higher limits on this parameter if one "user" handles all processing for specific types of batch/customer connections, this must be handled via a new user profile.Oracle User Access and Authorization Restrictions
The capability to use database resources at a given level, or user authorization rules, allows for user manipulation of the various parts of the Oracle database. These authorizations must be structured to block unauthorized use and/or corruption of vital data and services by setting restrictions on user capabilities, particularly those of the user PUBLIC. Such security measures help to ensure successful logins cannot be easily redirected.
Note:
Use caution when revoking privileges from PUBLIC. Oracle and third-party products explicitly require default grants to PUBLIC for commonly used functions, objects, and in view definitions. After revoking any privilege from PUBLIC, verify that applications keep running properly and recompile invalid database objects. Specific grants to users and roles may be needed to make all objects valid. Please see the following Oracle support document which provides further information and SQL statements that can be used to determine dependencies that require explicit grants: Be Cautious When Revoking Privileges Granted to PUBLIC (Doc ID 247093.1) Always test database changes in development and test environments before making changes to production databases.Default Public Privileges for Packages and Object Types
This section contains recommendations that revoke default public execute privileges from powerful packages and object types.
Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_ADVISOR' (Scored)
The Oracle database DBMS_ADVISOR package can be used to write files located on the server where the Oracle instance is installed. The user PUBLIC should not be able to execute DBMS_ADVISOR.
Remediation
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_ADVISOR FROM PUBLIC;
Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_CRYPTO' (Scored)
The DBMS_CRYPTO settings provide a toolset that determines the strength of the encryption algorithm used to encrypt application data and is part of the SYS schema. The DES (56-bit key), 3DES (168-bit key), 3DES-2KEY (112-bit key), AES (128/192/256-bit keys), and RC4 are available. The user PUBLIC should not be able to execute DBMS_CRYPTO.
Remediation
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_CRYPTO FROM PUBLIC;
Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_JAVA' (Scored)
The Oracle database DBMS_JAVA package can run Java classes (e.g. OS commands) or grant Java privileges. The user PUBLIC should not be able to execute DBMS_JAVA.
Remediation
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_JAVA FROM PUBLIC;
Note:
DBMS_JAVA_TEST is an undocumented PL/SQL package, but the public grant should be revoked.Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_JAVA_TEST' (Scored)
The Oracle database DBMS_JAVA_TEST package can run Java classes (e.g. OS commands) or grant Java privileges. The user PUBLIC should not be able to execute DBMS_JAVA_TEST.
Remediation
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_JAVA_TEST FROM PUBLIC;
Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_JOB' (Scored)
The Oracle database DBMS_JOB package schedules and manages the jobs sent to the job queue and has been superseded by the DBMS_SCHEDULER package, even though DBMS_JOB has been retained for backwards compatibility. The user PUBLIC should not be able to execute DBMS_JOB.
Remediation
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_JOB FROM PUBLIC
Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_LDAP' (Scored)
The Oracle database DBMS_LDAP package contains functions and procedures that enable programmers to access data from LDAP servers. The user PUBLIC should not be able to execute DBMS_LDAP.
Remediation
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_LDAP FROM PUBLIC;
Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_LOB' (Scored)
The Oracle database DBMS_LOB package provides subprograms that can manipulate and read/write on BLOBs, CLOBs, NCLOBs, BFILEs, and temporary LOBs. The user PUBLIC should not be able to execute DBMS_LOB.
Remediation
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_LOB FROM PUBLIC;
Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_OBFUSCATION_TOOLKIT' (Scored)
The DBMS_OBFUSCATION_TOOLKIT provides one of the tools that determine the strength of the encryption algorithm used to encrypt application data and is part of the SYS schema. The DES (56-bit key) and 3DES (168-bit key) are the only two types available. The user PUBLIC should not be able to execute DBMS_OBFUSCATION_TOOLKIT.
Remediation
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_OBFUSCATION_TOOLKIT FROM PUBLIC;
Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_RANDOM' (Scored)
The Oracle database DBMS_RANDOM package is used for generating random numbers but should not be used for cryptographic purposes. The user PUBLIC should not be able to execute DBMS_RANDOM.
Remediation
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_RANDOM FROM PUBLIC;
Note:
The OEM cautions that removing this from PUBLIC may break certain applications.Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_SCHEDULER' (Scored)
The Oracle database DBMS_SCHEDULER package schedules and manages the database and operating system jobs. The user PUBLIC should not be able to execute DBMS_SCHEDULER.
Remediation
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_SCHEDULER FROM PUBLIC;
Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_SQL' (Scored)
The Oracle database DBMS_SQL package is used for running dynamic SQL statements. The user PUBLIC should not be able to execute DBMS_SQL.
Remediation
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_SQL FROM PUBLIC;
Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_XMLGEN' (Scored)
The DBMS_XMLGEN package takes an arbitrary SQL query as input, converts it to XML format, and returns the result as a CLOB. The user PUBLIC should not be able to execute DBMS_XMLGEN.
Remediation
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_XMLGEN FROM PUBLIC;
Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_XMLQUERY' (Scored)
The Oracle package DBMS_XMLQUERY takes an arbitrary SQL query, converts it to XML format, and returns the result. This package is similar to DBMS_XMLGEN. The user PUBLIC should not be able to execute DBMS_XMLQUERY.
Remediation
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_XMLQUERY FROM PUBLIC;
Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_FILE' (Scored)
The Oracle database UTL_FILE package can be used to read/write files located on the server where the Oracle instance is installed. The user PUBLIC should not be able to execute UTL_FILE.
Remediation
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON UTL_FILE FROM PUBLIC;
Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_INADDR' (Scored)
The Oracle database UTL_INADDR package can be used to create specially crafted error messages or send information via DNS to the outside. The user PUBLIC should not be able to execute UTL_INADDR.
Remediation
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON UTL_INADDR FROM PUBLIC;
Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_TCP' (Scored)
The Oracle database UTL_TCP package can be used to read/write file to TCP sockets on the server where the Oracle instance is installed. The user PUBLIC should not be able to execute UTL_TCP.
Remediation
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON UTL_TCP FROM PUBLIC;
Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_MAIL' (Scored)
The Oracle database UTL_MAIL package can be used to send email from the server where the Oracle instance is installed. The user PUBLIC should not be able to execute UTL_MAIL.
Remediation
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON UTL_MAIL FROM PUBLIC;
Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_SMTP' (Scored)
The Oracle database UTL_SMTP package can be used to send email from the server where the Oracle instance is installed. The user PUBLIC should not be able to execute UTL_SMTP.
Remediation
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON UTL_SMTP FROM PUBLIC;
Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_DBWS' (Scored)
The Oracle database UTL_DBWS package can be used to read/write file to web-based applications on the server where the Oracle instance is installed. This package is not automatically installed for security reasons. The user PUBLIC should not be able to execute UTL_DBWS.
Remediation
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON UTL_DBWS FROM PUBLIC;
Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_ORAMTS' (Scored)
The Oracle database UTL_ORAMTS package can be used to perform HTTP requests. This could be used to send information to the outside. The user PUBLIC should not be able to execute UTL_ORAMTS.
Remediation
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON UTL_ORAMTS FROM PUBLIC;
Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_HTTP' (Scored)
The Oracle database UTL_HTTP package can be used to perform HTTP requests. This could be used to send information to the outside. The user PUBLIC should not be able to execute UTL_HTTP.
Remediation
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON UTL_HTTP FROM PUBLIC;
Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'HTTPURITYPE' (Scored)
The Oracle database HTTPURITYPE object type can be used to perform HTTP requests. The user PUBLIC should not be able to execute HTTPURITYPE.
Remediation
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON HTTPURITYPE FROM PUBLIC;
Ensure 'EXECUTE' is revoked from 'PUBLIC' on 'DBMS_XMLSTORE' (Scored)
The DBMS_XLMSTORE package provides XML functionality. It accepts a table name and XML as input to perform DML operations against the table. The user PUBLIC should not be able to execute DBMS_XLMSTORE.
Remediation
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_XMLSTORE FROM PUBLIC;
Ensure 'EXECUTE' is revoked from 'PUBLIC' on 'DBMS_XMLSAVE' (Scored)
The DBMS_XLMSTORE package provides XML functionality. It accepts a table name and XML as input and then inserts into or updates that table. The user PUBLIC should not be able to execute DBMS_XLMSAVE.
Remediation
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_XMLSAVE FROM PUBLIC;
Ensure 'EXECUTE' is revoked from 'PUBLIC' on 'DBMS_REDACT' (Scored)
The DBMS_REDACT package provides an interface to Oracle Data Redaction, which enables you to mask (redact) data that is returned from queries issued by low-privileged users or an application. The user PUBLIC should not be able to execute DBMS_REDACT.
Remediation
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_REDACT FROM PUBLIC;
Revoke Non-Default Privileges for Packages and Object Types
The recommendations within this section revoke excessive privileges for packages and object types.
Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_SYS_SQL' (Scored)
The Oracle database DBMS_SYS_SQL package is shipped as undocumented. The user PUBLIC should not be able to execute DBMS_SYS_SQL.
Remediation
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_SYS_SQL FROM PUBLIC;
Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_BACKUP_RESTORE' (Scored)
The Oracle database DBMS_BACKUP_RESTORE package is used for applying PL/SQL commands to the native RMAN sequences. The user PUBLIC should not be able to execute DBMS_BACKUP_RESTORE.
Remediation
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_BACKUP_RESTORE FROM PUBLIC;
Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_AQADM_SYSCALLS' (Scored)
The Oracle database DBMS_AQADM_SYSCALLS package is shipped as undocumented. The user PUBLIC should not be able to execute DBMS_AQADM_SYSCALLS.
Remediation
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_AQADM_SYSCALLS FROM PUBLIC;
Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_REPCAT_SQL_UTL' (Scored)
The Oracle database DBMS_REPCAT_SQL_UTL package is shipped as undocumented and allows to run SQL commands as user SYS. The user PUBLIC should not be able to execute DBMS_REPCAT_SQL_UTL.
Remediation
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_REPCAT_SQL_UTL FROM PUBLIC;
Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'INITJVMAUX' (Scored)
The Oracle database INITJVMAUX package is shipped as undocumented and allows to run SQL commands as user SYS. The user PUBLIC should not be able to execute INITJVMAUX.
Remediation
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON INITJVMAUX FROM PUBLIC;
Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_STREAMS_ADM_UTL' (Scored)
The Oracle database DBMS_STREAMS_ADM_UTL package is shipped as undocumented and allows to run SQL commands as user SYS. The user PUBLIC should not be able to execute DBMS_STREAMS_ADM_UTL.
Remediation
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_STREAMS_ADM_UTL FROM PUBLIC;
Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_AQADM_SYS' (Scored)
The Oracle database DBMS_AQADM_SYS package is shipped as undocumented and allows to run SQL commands as user SYS. The user PUBLIC should not be able to execute DBMS_AQADM_SYS.
Remediation
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_AQADM_SYS FROM PUBLIC;
Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_STREAMS_RPC' (Scored)
The Oracle database DBMS_STREAMS_RPC package is shipped as undocumented and allows to run SQL commands as user SYS. The user PUBLIC should not be able to execute DBMS_STREAMS_RPC.
Remediation
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_STREAMS_RPC FROM PUBLIC;
Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'LTADM' (Scored)
The Oracle database LTADM package is shipped as undocumented. It allows privilege escalation if granted to unprivileged users. The user PUBLIC should not be able to execute LTADM.
Remediation
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON LTADM FROM PUBLIC;
Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'WWV_DBMS_SQL' (Scored)
The Oracle database WWV_DBMS_SQL package is shipped as undocumented. It allows Oracle Application Express to run dynamic SQL statements.
Remediation
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON WWV_DBMS_SQL FROM PUBLIC;
Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'WWV_EXECUTE_IMMEDIATE' (Scored)
The Oracle database WWV_EXECUTE_IMMEDIATE package is shipped as undocumented. It allows Oracle Application Express to run dynamic SQL statements. The user PUBLIC should not be able to execute WWV_EXECUTE_IMMEDIATE.
Remediation
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON WWV_EXECUTE_IMMEDIATE FROM PUBLIC;
Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_IJOB' (Scored)
The Oracle database DBMS_IJOB package is shipped as undocumented. It allows a user to run database jobs in the context of another user. The user PUBLIC should not be able to execute DBMS_IJOB.
Remediation
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_IJOB FROM PUBLIC;
Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_FILE_TRANSFER' (Scored)
The Oracle database DBMS_FILE_TRANSFER package allows a user to transfer files from one database server to another. The user PUBLIC should not be able to execute DBMS_FILE_TRANSFER.
Remediation
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE ON DBMS_FILE_TRANSFER FROM PUBLIC;
Revoke Excessive System Privileges
The recommendations within this section revoke excessive system privileges.
Ensure 'SELECT ANY DICTIONARY' Is Revoked from Unauthorized 'GRANTEE' (Scored)
The Oracle database SELECT ANY DICTIONARY privilege allows the designated user to access SYS schema objects. Unauthorized grantees should not have that privilege.
Remediation
To remediate this setting, execute the following SQL statement.
REVOKE SELECT_ANY_DICTIONARY FROM <grantee>;
Ensure 'SELECT ANY TABLE' Is Revoked from Unauthorized 'GRANTEE' (Scored)
The Oracle database SELECT ANY TABLE privilege allows the designated user to open any table, except SYS, to view it. Unauthorized grantees should not have that privilege.
Remediation
To remediate this setting, execute the following SQL statement.
REVOKE SELECT ANY TABLE FROM <grantee>;
Note:
If O7_DICTIONARY_ACCESSIBILITY has been set to TRUE (non-default setting) then the SELECT ANY TABLE privilege provides access to SYS objects.Ensure 'AUDIT SYSTEM' Is Revoked from Unauthorized 'GRANTEE' (Scored)
The Oracle database AUDIT SYSTEM privilege allows changes to auditing activities on the system. Unauthorized grantees should not have that privilege.
Remediation
To remediate this setting, execute the following SQL statement.
REVOKE AUDIT SYSTEM FROM <grantee>;
Ensure 'EXEMPT ACCESS POLICY' Is Revoked from Unauthorized 'GRANTEE' (Scored)
The Oracle database EXEMPT ACCESS POLICY keyword provides the user the capability to access all the table rows regardless of row-level security lockouts. Unauthorized grantees should not have that keyword assigned to them.
Remediation
To remediate this setting, execute the following SQL statement.
REVOKE EXEMPT ACCESS POLICY FROM <grantee>;
Ensure 'BECOME USER' Is Revoked from Unauthorized 'GRANTEE' (Scored)
The Oracle database BECOME USER privilege allows the designated user to inherit the rights of another user. Unauthorized grantees should not have that privilege.
Remediation
To remediate this setting, execute the following SQL statement.
REVOKE BECOME USER FROM <grantee>;
Ensure 'CREATE_PROCEDURE' Is Revoked from Unauthorized 'GRANTEE' (Scored)
The Oracle database CREATE PROCEDURE privilege allows the designated user to create a stored procedure that will fire when given the correct command sequence. Unauthorized grantees should not have that privilege.
Remediation
To remediate this setting, execute the following SQL statement.
REVOKE CREATE PROCEDURE FROM <grantee>;
Ensure 'ALTER SYSTEM' Is Revoked from Unauthorized 'GRANTEE' (Scored)
The Oracle database ALTER SYSTEM privilege allows the designated user to dynamically alter the instance's running operations. Unauthorized grantees should not have that privilege.
Remediation
To remediate this setting, execute the following SQL statement.
REVOKE ALTER SYSTEM FROM <grantee>;
Ensure 'CREATE ANY LIBRARY' Is Revoked from Unauthorized 'GRANTEE' (Scored)
The Oracle database CREATE ANY LIBRARY privilege allows the designated user to create objects that are associated to the shared libraries. Unauthorized grantees should not have that privilege.
Remediation
To remediate this setting, execute the following SQL statement.
REVOKE CREATE ANY LIBRARY FROM <grantee>;
Note:
Oracle has two identical privileges: CREATE LIBRARY and CREATE ANY LIBRARY.Ensure 'CREATE LIBRARY' Is Revoked from Unauthorized 'GRANTEE' (Scored)
The Oracle database CREATE LIBRARY privilege allows the designated user to create objects that are associated to the shared libraries. Unauthorized grantees should not have that privilege.
Remediation
To remediate this setting, execute the following SQL statement.
REVOKE CREATE LIBRARY FROM <grantee>;
Note:
Oracle has two identical privileges: CREATE LIBRARY and CREATE ANY LIBRARY.Ensure 'GRANT ANY OBJECT PRIVILEGE' Is Revoked from Unauthorized 'GRANTEE' (Scored)
The Oracle database GRANT ANY OBJECT PRIVILEGE keyword provides the grantee the capability to grant access to any single or multiple combinations of objects to any grantee in the catalog of the database. Unauthorized grantees should not have that keyword assigned to them.
Remediation
To remediate this setting, execute the following SQL statement.
REVOKE GRANT ANY OBJECT PRIVILEGE FROM <grantee>;
Ensure 'GRANT ANY ROLE' Is Revoked from Unauthorized 'GRANTEE' (Scored)
The Oracle database GRANT ANY ROLE keyword provides the grantee the capability to grant any single role to any grantee in the catalog of the database. Unauthorized grantees should not have that keyword assigned to them.
Remediation
To remediate this setting, execute the following SQL statement.
REVOKE GRANT ANY ROLE FROM <grantee>;
Ensure 'GRANT ANY PRIVILEGE' Is Revoked from Unauthorized 'GRANTEE' (Scored)
The Oracle database GRANT ANY PRIVILEGE keyword provides the grantee the capability to grant any single privilege to any item in the catalog of the database. Unauthorized grantees should not have that privilege.
Remediation
To remediate this setting, execute the following SQL statement.
REVOKE GRANT ANY PRIVILEGE FROM <grantee>;
Revoke Role Privileges
The recommendations within this section intend to revoke powerful roles where they are likely not needed.
Ensure 'DELETE_CATALOG_ROLE' Is Revoked from Unauthorized 'GRANTEE' (Scored)
The Oracle database DELETE_CATALOG_ROLE provides DELETE privileges for the records in the system's audit table (AUD$). Unauthorized grantees should not have that role.
Remediation
To remediate this setting, execute the following SQL statement.
REVOKE DELETE_CATALOG_ROLE FROM <grantee>;
Ensure 'SELECT_CATALOG_ROLE' Is Revoked from Unauthorized 'GRANTEE' (Scored)
The Oracle database SELECT_CATALOG_ROLE provides SELECT privileges on all data dictionary views held in the SYS schema. Unauthorized grantees should not have that role.
Remediation
To remediate this setting, execute the following SQL statement.
REVOKE SELECT_CATALOG_ROLE FROM <grantee>;
Ensure 'EXECUTE_CATALOG_ROLE' Is Revoked from Unauthorized 'GRANTEE' (Scored)
The Oracle database EXECUTE_CATALOG_ROLE provides EXECUTE privileges for a number of packages and procedures in the data dictionary in the SYS schema. Unauthorized grantees should not have that role.
Remediation
To remediate this setting, execute the following SQL statement.
REVOKE EXECUTE_CATALOG_ROLE FROM <grantee>;
Ensure 'DBA' Is Revoked from Unauthorized 'GRANTEE' (Scored)
The Oracle database DBA role is the default database administrator role provided for the allocation of administrative privileges. Unauthorized grantees should not have that role.
Remediation
To remediate this setting, execute the following SQL statement.
REVOKE DBA FROM <grantee>;
Revoke Excessive Table and View Privileges
The recommendations within this section intend to revoke excessive table and view privileges.
Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'AUD$' (Scored)
The Oracle database SYS.AUD$ table contains all the audit records for the database of the non-Data Manipulation Language (DML) events, such as ALTER, DROP, and CREATE, and so forth. (DML changes need trigger-based audit events to record data alterations.) Unauthorized grantees should not have full access to that table.
Remediation
To remediate this setting, execute the following SQL statement.
REVOKE ALL ON AUD$ FROM <grantee>;
Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'USER_HISTORY$' (Scored)
The Oracle database SYS.USER_HISTORY$ table contains all the audit records for the user's password change history. (This table gets updated by password changes if the user has an assigned profile that has a password reuse limit set, e.g., PASSWORD_REUSE_TIME set to other than UNLIMITED.) Unauthorized grantees should not have full access to that table.
Remediation
To remediate this setting, execute the following SQL statement.
REVOKE ALL ON USER_HISTORY$ FROM <grantee>;
Note:
USER_HISTORY$ contains only the old, case-insensitive passwords.Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'LINK$' (Scored)
The Oracle database SYS.LINK$ table contains all the user's password information and data table link information. Unauthorized grantees should not have full access to that table.
Remediation
To remediate this setting, execute the following SQL statement.
REVOKE ALL ON LINK$ FROM <grantee>;
Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'SYS.USER$' (Scored)
The Oracle database SYS.USER$ table contains the users' hashed password information. Unauthorized grantees should not have full access to that table.
Remediation
To remediate this setting, execute the following SQL statement.
REVOKE ALL ON SYS.USER$ FROM <grantee>;
Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'DBA_%' (Scored)
The Oracle database DBA_% views show all information which is relevant to administrative accounts. Unauthorized grantees should not have full access to those views.
Remediation
Replace <Non-DBA/SYS grantee> in the query below, with the Oracle login(s) or role(s) returned from the associated audit procedure and execute:
REVOKE ALL ON DBA_ FROM <NON-DBA/SYS grantee>;
Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'SYS.SCHEDULER$_CREDENTIAL' (Scored)
The Oracle database SCHEDULER$_CREDENTIAL table contains the database scheduler credential information. Unauthorized grantees should not have full access to that table.
Remediation
To remediate this setting, execute the following SQL statement.
REVOKE ALL ON SYS.SCHEDULER4_CREDENTIAL FROM <username>;
Note:
*_SCHEDULER_CREDENTIALS is deprecated in Oracle Database 12c, but remains available for reasons of backward compatibility.Ensure 'SYS.USER$MIG' Has Been Dropped (Scored)
The table sys.user$mig is created during migration and contains the Oracle password hashes before the migration starts. This table should be dropped.
Remediation
To remediate this setting, execute the following SQL statement.
DROP TABLE SYS.USER$MIG;
Ensure '%ANY%' Is Revoked from Unauthorized 'GRANTEE' (Scored)
The Oracle database ANY keyword provides the user the capability to alter any item in the catalog of the database. Unauthorized grantees should not have that keyword assigned to them.
Remediation
To remediate this setting, execute the following SQL statement.
REVOKE ‘<ANY Privilege>’ FROM <grantee>;
Ensure 'DBA_SYS_PRIVS.%' Is Revoked from Unauthorized 'GRANTEE' with 'ADMIN_OPTION' Set to 'YES' (Scored)
The Oracle database WITH_ADMIN privilege allows the designated user to grant another user the same privileges. Unauthorized grantees should not have that privilege.
Remediation
To remediate this setting, execute the following SQL statement.
REVOKE <privilege> FROM <grantee>;
Ensure Proxy Users Have Only 'CONNECT' Privilege (Scored)
Do not grant privileges other than CONNECT directly to proxy users.
Remediation
To remediate this setting execute the following SQL statement for each [PRIVILEGE] returned (other than CONNECT) by running the audit procedure.
REVOKE <privilege> FROM <proxy_user>;
Audit/Logging Policies and Procedures
The ability to audit database activities is among the most important of all database security features. Decisions must be made regarding the scope of auditing since auditing has costs - in storage for the audit trail and in performance impact on audited operations - and perhaps even the database or system in general. There is also the additional cost to manage (store, backup, secure) and review the data in the audit trail.
Measures must be taken to protect the audit trail itself, for it may be targeted for alteration or destruction to hide unauthorized activity. For an audit destination outside the database, the recommendations are elsewhere in this document. Auditing recommendations for potential database audit destinations are below.
Auditing "by session" typically creates fewer (until 11g) and slightly smaller audit records, but is discouraged in most situations since there is some loss of fidelity (e.g. object privilege GRANTEE). More detailed auditing creates larger audit records. The AUDIT_TRAIL initialization parameter (for DB|XML, extended - or not) is the main determining factor for the size of a given audit record - and a notable factor in the performance cost, although the largest of the latter is DB versus OS or XML.
This section deals with standard Oracle auditing since auditing of privileged connections (as sysdba or sysoper) is configured via the AUDIT_SYS_OPERATIONS initialization parameter and is otherwise not configurable. The basic types of standard auditing are object, statement and privilege auditing, and each behaves differently.
Object auditing applies to specific objects for which it is invoked and always applies to all users. This type of auditing is usually employed to audit application-specific sensitive objects, but can also be used to protect the audit trail in the database.
Privilege auditing audits the use of specific system privileges, but typically only if the user actually possesses the audited privilege. Attempts that fail for lack of the audited privilege are typically not audited. This is the main weakness of privilege auditing and why statement auditing is usually preferred, if the option exists.
Statement auditing audits the issuance of certain types of statements, usually without regard to privilege or lack thereof. Both privilege and statement audits may be specified for specific users or all users (the default).
Traditional Auditing
The recommendations in this section should be followed if traditional auditing is implemented.
Ensure the 'USER' Audit Option Is Enabled (Scored)
The USER object allows for creating accounts that can interact with the database according to the roles and privileges allotted to the account. It may also own database objects. Enabling the audit option causes auditing of all activities and requests to create, drop or alter a user, including a user changing their own password. (The latter is not audited by audit ALTER USER.)
Remediation
Execute the following SQL statement to remediate this setting.
AUDIT USER;
Ensure the 'ROLE' Audit Option Is Enabled (Scored)
The ROLE object allows for the creation of a set of privileges that can be granted to users or other roles. Enabling the audit option causes auditing of all attempts, successful or not, to create, drop, alter or set roles.
Remediation
Execute the following SQL statement to remediate this setting.
AUDIT ROLE;
Ensure the 'SYSTEM GRANT' Audit Option Is Enabled (Scored)
Enabling the audit option for the SYSTEM GRANT object causes auditing of any attempt, successful or not, to grant or revoke any system privilege or role, regardless of privilege held by the user attempting the operation.
Remediation
Execute the following SQL statement to remediate this setting.
AUDIT SYSTEM GRANT;
Ensure the 'PROFILE' Audit Option Is Enabled (Scored)
The PROFILE object allows for the creation of a set of database resource limits that can be assigned to a user, so that user cannot exceed those resource limitations. Enabling the audit option causes auditing of all attempts, successful or not, to create, drop or alter any profile.
Remediation
Execute the following SQL statement to remediate this setting.
AUDIT PROFILE;
Note:
The statement auditing option audit PROFILE audits everything that the three privilege audits audit CREATE PROFILE, audit DROP PROFILE and audit ALTER PROFILE do, but also audits:- Attempts to create a profile by a user without the CREATE PROFILE system privilege.
- Attempts to drop a profile by a user without the DROP PROFILE system privilege
- Attempts to alter a profile by a user without the ALTER PROFILE system privilege.
Ensure the 'DATABASE LINK' Audit Option Is Enabled (Scored)
Enabling the audit option for the DATABASE LINK object causes all activities on database links to be audited.
Remediation
Execute the following SQL statement to remediate this setting.
AUDIT DATABASE LINK;
Ensure the 'PUBLIC DATABASE LINK' Audit Option Is Enabled (Scored)
The PUBLIC DATABASE LINK object allows for the creation of a public link for an application-based "user" to access the database for connections/session creation. Enabling the audit option causes all user activities involving the creation, alteration, or dropping of public links to be audited.
Remediation
Execute the following SQL statement to remediate this setting.
AUDIT PUBLIC DATABASE LINK;
Ensure the 'PUBLIC SYNONYM' Audit Option Is Enabled (Scored)
The PUBLIC SYNONYM object allows for the creation of an alternate description of an object. Public synonyms are accessible by all users that have the appropriate privileges to the underlying object. Enabling the audit option causes all user activities involving the creation or dropping of public synonyms to be audited.
Remediation
Execute the following SQL statement to remediate this setting.
AUDIT PUBLIC SYNONYM;
Ensure the 'SYNONYM' Audit Option Is Enabled (Scored)
The SYNONYM operation allows for the creation of an alternative name for a database object such as a Java class schema object, materialized view, operator, package, procedure, sequence, stored function, table, view, user-defined object type, or even another synonym. This synonym puts a dependency on its target and is rendered invalid if the target object is changed/dropped. Enabling the audit option causes all user activities involving the creation or dropping of synonyms to be audited.
Remediation
Execute the following SQL statement to remediate this setting.
AUDIT SYNONYM;
Ensure the 'DIRECTORY' Audit Option Is Enabled (Scored)
The DIRECTORY object allows for the creation of a directory object that specifies an alias for a directory on the server file system, where the external binary file LOBs (BFILEs)/ table data are located. Enabling this audit option causes all user activities involving the creation or dropping of a directory alias to be audited.
Remediation
Execute the following SQL statement to remediate this setting.
AUDIT DIRECTORY;
Ensure the 'SELECT ANY DICTIONARY' Audit Option Is Enabled (Scored)
The SELECT ANY DICTIONARY capability allows the user to view the definitions of all schema objects in the database. Enabling the audit option causes all user activities involving this capability to be audited.
Remediation
Execute the following SQL statement to remediate this setting.
AUDIT SELECT ANY DICTIONARY;
Ensure the 'GRANT ANY OBJECT PRIVILEGE' Audit Option Is Enabled (Scored)
GRANT ANY OBJECT PRIVILEGE allows the user to grant or revoke any object privilege, which includes privileges on tables, directories, mining models, etc. Enabling this audit option causes auditing of all uses of that privilege.
Remediation
Execute the following SQL statement to remediate this setting.
AUDIT GRANT ANY OBJECT PRIVILEGE;
Note:
This does NOT audit all attempts to grant or revoke object privileges since this can also be done by anyone who was granted an object privilege with the grant option. Also, this never creates an audit record for anyone who does not hold the GRANT ANY OBJECT PRIVILEGE system privilege. Therefore, many attempts, successful or not, to grant and revoke object privileges are not audited by this.Ensure the 'GRANT ANY PRIVILEGE' Audit Option Is Enabled (Scored)
GRANT ANY PRIVILEGE allows a user to grant any system privilege, including the most powerful privileges typically available only to administrators - to change the security infrastructure, to drop/add/modify users and more.
Remediation
Execute the following SQL statement to remediate this setting.
AUDIT GRANT ANY PRIVILEGE;
Note:
This does NOT audit all attempts to grant or revoke system privileges since this can also be done by anyone who was granted a system privilege with the admin option. Also, this never creates an audit record for anyone who does not hold the GRANT ANY PRIVILEGE system privilege. Thus, many attempts, successful or not, to grant and revoke system privileges are not audited by this.Ensure the 'DROP ANY PROCEDURE' Audit Option Is Enabled (Scored)
The AUDIT DROP ANY PROCEDURE command is auditing the dropping of procedures. Enabling the option causes auditing of all such activities.
Remediation
Execute the following SQL statement to remediate this setting.
AUDIT DROP ANY PROCEDURE;
Ensure the 'ALL' Audit Option on 'SYS.AUD$' Is Enabled (Scored)
The logging of attempts to alter the audit trail in the SYS.AUD$ table (open for read/update/delete/view) will provide a record of any activities that may indicate unauthorized attempts to access the audit trail. Enabling the audit option will cause these activities to be audited.
Remediation
Execute the following SQL statement to remediate this setting.
AUDIT ALL ON SYS.AUD$ BY ACCESS;
Ensure the 'PROCEDURE' Audit Option Is Enabled (Scored)
In this statement audit, PROCEDURE means any procedure, function, package or library. Enabling this audit option causes any attempt, successful or not, to create or drop any of these types of objects to be audited, regardless of privilege or lack thereof. Java schema objects (sources, classes, and resources) are considered the same as procedures for the purposes of auditing SQL statements.
Remediation
Execute the following SQL statement to remediate this setting.
AUDIT PROCEDURE;
Note:
Not all auditing options work alike. In particular, the statement auditing option audit PROCEDURE does indeed audit create and drop library as well as all types of procedures and java schema objects. However, privilege audits do not work this way. So, for example, none of audit CREATE ANY PROCEDURE, audit DROP ANY PROCEDURE, or audit CREATE PROCEDURE will audit create or drop library activities. In statement auditing, PROCEDURE has a larger scope than in privilege auditing, where it is specific to functions, packages and procedures, but excludes libraries and perhaps other object types. Audit PROCEDURE does not audit altering procedures, either in your own schema or in another via the ALTER ANY PROCEDURE system privilege. There seems to be no statement audit that is a better replacement for Audit ALTER ANY PROCEDURE, but beware that will not create any audit records for users that do not have the privilege. Thus, attempts to alter procedures in one's own schema are never audited, and attempts to alter procedures in another's schema that fail for lack of the ALTER ANY PROCEDURE privilege are not audited. This is simply a weakness in the current state of Oracle auditing. Fortunately, though, all that the ALTER command can be used for regarding procedures, functions, packages and libraries is compile options, so the inability to comprehensively audit alter procedure activities and requests is not as bad as it would be for other object types (USER, PROFILE, etc.)Ensure the 'ALTER SYSTEM' Audit Option Is Enabled (Scored)
ALTER SYSTEM allows one to change instance settings, including security settings and auditing options. Additionally, ALTER SYSTEM can be used to run operating system commands using undocumented Oracle functionality. Enabling the audit option will audit all attempts to perform ALTER SYSTEM, whether successful or not and regardless of whether or not the ALTER SYSTEM privilege is held by the user attempting the action.
Remediation
Execute the following SQL statement to remediate this setting.
AUDIT ALTER SYSTEM;
Ensure the 'TRIGGER' Audit Option Is Enabled (Scored)
A TRIGGER may be used to modify DML actions or invoke other (recursive) actions when some types of user-initiated actions occur. Enabling this audit option will cause auditing of any attempt, successful or not, to create, drop, enable or disable any schema trigger in any schema regardless of privilege or lack thereof. For enabling and disabling a trigger, it covers both ALTER TRIGGER and ALTER TABLE.
Remediation
Execute the following SQL statement to remediate this setting.
AUDIT TRIGGER;
Note:
There is no current CIS recommendation to audit the use of the system privilege CREATE TRIGGER, as there is for CREATE SYNONYM, CREATE PROCEDURE and some other types of objects, so this is actually a scope escalation also - to audit such actions in one's own schema. However, this is the only way to comprehensively audit things like attempts to create, drop or alter triggers in another's schema if the user attempting to operation does not hold the required ANY privilege - and these are exactly the sorts of things that should raise a large red flag. The statement auditing option audit TRIGGER audits almost everything that the three privilege audits audit CREATE ANY TRIGGER, audit ALTER ANY TRIGGER and audit DROP ANY TRIGGER do, but also audits:- Statements to create, drop, enable or disable a trigger in the user's own schema.
- 2. Attempts to create a trigger by a user without the CREATE TRIGGER system privilege.
- 3. Attempts to create a trigger in another schema by users without the CREATE ANY TRIGGER privilege.
- 4. Attempts to drop a trigger in another schema by users without the DROP ANY TRIGGER privilege.
- 5. Attempts to disable or enable a trigger in another schema by users without the ALTER ANY TRIGGER privilege.
The one thing is audited by any of the three privilege audits that is not audited by this is ALTER TRIGGER ...COMPILE if the trigger is in another's schema, which is audited by audit ALTER ANY TRIGGER, but only if the user attempting the alteration actually holds the ALTER ANY TRIGGER system privilege. Audit TRIGGER only audits ALTER TABLE or ALTER TRIGGER statements used to enable or disable triggers. It does not audit ALTER TRIGGER or ALTER TABLE statements used only with compile options.
Ensure the 'CREATE SESSION' Audit Option Is Enabled (Scored)
Enabling this audit option will cause auditing of all attempts to connect to the database, whether successful or not, as well as audit session disconnects/logoffs. The commands to audit SESSION, CONNECT or CREATE SESSION all accomplish the same thing - they initiate statement auditing of the connect statement used to create a database session.
Remediation
Execute the following SQL statement to remediate this setting.
AUDIT SESSION;
Note:
Although listed in the documentation as a privilege audit, audit CREATE SESSION actually audits the CONNECT statement. This is evidenced by the undocumented audit CONNECT which has the same result as audit SESSION or audit CREATE SESSION. There is no system privilege named either SESSION or CONNECT (CONNECT is a role, not a system privilege). Also, it behaves as statement auditing rather than privilege auditing in that it audits all attempts to create a session, even if the user does not hold the CREATE SESSION system privilege.PDB Specific Remediation
The recommendations in this section should be followed if a PDB with traditional auditing is used.
3.10 Ensure No Users Are Assigned the 'DEFAULT' Profile
Will continue to display a violation even after performing remediation action.
This is because a user "PDBADMIN" is created for each PDB and assigned DEFAULT Profile
5.1.14 Ensure the 'ALL' Audit Option on 'SYS.AUD$' Is Enabled
This cannot be remediated for PDB by executing the command specified in CIS documentation. It will continue to show a violation.
Rules to Remediate from a CDB
The following rules cannot be remediated from inside the PDB. The user must remediate them by connecting to CDB and performing the remediation action specified in CIS documentation:
- Rule 2.2.1 Ensure 'AUDIT_SYS_OPERATIONS' Is Set to 'TRUE' (Compliance Standard Rule)
- Rule 2.2.2 Ensure 'AUDIT_TRAIL' Is Set to 'DB', 'XML', 'OS', 'DB,EXTENDED', or 'XML,EXTENDED' (Compliance Standard Rule)
- Rule 2.2.5 Ensure 'OS_ROLES' Is Set to 'FALSE' (Compliance Standard Rule)
- Rule 2.2.6 Ensure 'REMOTE_LISTENER' Is Empty (Compliance Standard Rule)
- Rule 2.2.8 Ensure 'REMOTE_OS_AUTHENT' Is Set to 'FALSE' (Compliance Standard Rule)
- Rule 2.2.9 Ensure 'REMOTE_OS_ROLES' Is Set to 'FALSE' (Compliance Standard Rule)
- Rule 2.2.10 Ensure 'UTL_FILE_DIR' Is Empty (Compliance Standard Rule)
- Rule 2.2.11 Ensure 'SEC_CASE_SENSITIVE_LOGON' Is Set to 'TRUE' (Compliance Standard Rule)
- Rule 2.2.12 Ensure 'SEC_MAX_FAILED_LOGIN_ATTEMPTS' Is '3' or Less (Compliance Standard Rule)
- Rule 2.2.15 Ensure 'SEC_RETURN_SERVER_RELEASE_BANNER' Is Set to 'FALSE' (Compliance Standard Rule)
- Rule 2.2.17 Ensure '_trace_files_public' Is Set to 'FALSE' (Compliance Standard Rule)
- Rule 2.2.13 Ensure 'SEC_PROTOCOL_ERROR_FURTHER_ACTION' Is Set to 'DROP,3' (Compliance Standard Rule)
- Rule 2.2.14 Ensure 'SEC_PROTOCOL_ERROR_TRACE_ACTION' Is Set to 'LOG' (Compliance Standard Rule)
- Rule 2.2.16 Ensure 'SQL92_SECURITY' Is Set to 'TRUE' (Compliance Standard Rule)
Unified Auditing
The recommendations in this section should be followed if unified auditing is implemented.
Ensure the 'CREATE USER' Action Audit Is Enabled (Scored)
The CREATE USER statement is used to create Oracle database accounts and assign database properties to them. Enabling this unified action audit causes logging of all CREATE USER statements, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Remediation
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS CREATE USER;
Note:
If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.Ensure the 'ALTER USER' Action Audit Is Enabled (Scored)
The ALTER USER statement is used to change database users’ password, lock accounts, and expire passwords. In addition, this statement is used to change database properties of user accounts such as database profiles, default and temporary tablespaces, and tablespace quotas. This unified audit action enables logging of all ALTER USER statements, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Remediation
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS ALTER USER;
Note:
If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.Ensure the 'DROP USER' Audit Option Is Enabled (Scored)
The DROP USER statement is used to drop Oracle database accounts and schemas associated with them. Enabling this unified action audit enables logging of all DROP USER statements, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Remediation
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS DROP USER;
Note:
If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.Ensure the 'CREATE ROLE’ Action Audit Is Enabled (Scored)
An Oracle database role is a collection or set of privileges that can be granted to users or other roles. Roles may include system privileges, object privileges or other roles. Enabling this unified audit action enables logging of all CREATE ROLE statements, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Remediation
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS CREATE ROLE;
Note:
If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.Ensure the 'ALTER ROLE’ Action Audit Is Enabled (Scored)
An Oracle database role is a collection or set of privileges that can be granted to users or other roles. Roles may include system privileges, object privileges or other roles. The ALTER ROLE statement is used to change the authorization needed to enable a role. Enabling this unified action audit causes logging of all ALTER ROLE statements, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Remediation
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS ALTER ROLE;
Note:
If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.Ensure the 'DROP ROLE’ Action Audit Is Enabled (Scored)
An Oracle database role is a collection or set of privileges that can be granted to users or other roles. Roles may include system privileges, object privileges or other roles. Enabling this unified audit action enables logging of all DROP ROLE statements, successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Remediation
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS DROP ROLE;
Note:
If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.Ensure the 'GRANT' Action Audit Is Enabled (Scored)
GRANT statements are used to grant privileges to Oracle database users and roles, including the most powerful privileges and roles typically available to the database administrators. Enabling this unified action audit enables logging of all GRANT statements, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Remediation
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS GRANT;
Note:
If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.Ensure the 'REVOKE' Action Audit Is Enabled (Scored)
REVOKE statements are used to revoke privileges from Oracle database users and roles. Enabling this unified action audit enables logging of all REVOKE statements, successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Remediation
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS REVOKE;
Note:
If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.Ensure the 'CREATE PROFILE’ Action Audit Is Enabled (Scored)
Oracle database profiles are used to enforce resource usage limits and implement password policies such as password complexity rules and reuse restrictions. Enabling this unified action audit enables logging of all CREATE PROFILE statements, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Remediation
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS CREATE PROFILE;
Note:
If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.Ensure the 'ALTER PROFILE’ Action Audit Is Enabled (Scored)
Oracle database profiles are used to enforce resource usage limits and implement password policies such as password complexity rules and reuse restrictions. Enabling this unified action audit enables logging of all ALTER PROFILE statements, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Remediation
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS ALTER PROFILE;
Note:
If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.Ensure the 'DROP PROFILE’ Action Audit Is Enabled (Scored)
Oracle database profiles are used to enforce resource usage limits and implement password policies such as password complexity rules and reuse restrictions. Enabling this unified action audit enables logging of all DROP PROFILE statements, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Remediation
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS DROP PROFILE;
Note:
If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.Ensure the 'CREATE DATABASE LINK’ Action Audit Is Enabled (Scored)
Oracle database links are used to establish database-to-database connections to other databases. These connections are available without further authentication once the link is established. Enabling this unified action audit causes logging of all CREATE DATABASE and CREATE PUBLIC DATABASE statements, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Remediation
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS CREATE DATABASE LINK;
Note:
If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.Ensure the 'ALTER DATABASE LINK’ Action Audit Is Enabled (Scored)
Oracle database links are used to establish database-to-database connections to other databases. These connections are always available without further authentication once the link is established. Enabling this unified action audit causes logging of all ALTER DATABASE and ALTER PUBLIC DATABASE statements, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Remediation
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS ALTER DATABASE LINK;
Note:
If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.Ensure the 'DROP DATABASE LINK’ Action Audit Is Enabled (Scored)
Oracle database links are used to establish database-to-database connections to other databases. These connections are always available without further authentication once the link is established. Enabling this unified action audit causes logging of all DROP DATABASE and DROP PUBLIC DATABASE, whether successful or unsuccessful, statements issued by the users regardless of the privileges held by the users to issue such statements.
Remediation
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS DROP DATABASE LINK;
Note:
If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.Ensure the 'CREATE SYNONYM’ Action Audit Is Enabled (Scored)
An Oracle database synonym is used to create an alternative name for a database object such as table, view, procedure, java object or even another synonym, etc. Enabling this unified action audit causes logging of all CREATE SYNONYM and CREATE PUBLIC SYNONYM statements, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Remediation
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS CREATE SYNONYM;
Note:
If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.Ensure the 'ALTER SYNONYM’ Action Audit Is Enabled (Scored)
An Oracle database synonym is used to create an alternative name for a database object such as table, view, procedure, or java object, or even another synonym. Enabling this unified action audit causes logging of all ALTER SYNONYM and ALTER PUBLIC SYNONYM statements, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Remediation
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS ALTER SYNONYM;
Note:
If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.Ensure the 'DROP SYNONYM’ Action Audit Is Enabled (Scored)
An Oracle database synonym is used to create an alternative name for a database object such as table, view, procedure, or java object, or even another synonym. Enabling his unified action audit causes logging of all DROP SYNONYM and DROP PUBLIC SYNONYM statements, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Remediation
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS DROP SYNONYM;
Note:
If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.Ensure the 'SELECT ANY DICTIONARY’ Privilege Audit Is Enabled (Scored)
The SELECT ANY DICTIONARY system privilege allows the user to view the definition of all schema objects in the database. It grants SELECT privileges on the data dictionary objects to the grantees, including SELECT on DBA_ views, V$ views, X$ views and underlying SYS tables such as TAB$ and OBJ$. This privilege also allows grantees to create stored objects such as procedures, packages and views on the underlying data dictionary objects. Please note that this privilege does not grant SELECT on tables with password hashes such as USER$, DEFAULT_PWD$, LINK$, and USER_HISTORY$. Enabling this audit causes logging of activities that exercise this privilege.
Remediation
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD PRIVILEGES SELECT ANY DICTIONARY;
Note:
If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.Ensure the 'UNIFIED_AUDIT_TRAIL’ Access Audit Is Enabled (Scored)
The UNIFIED_AUDIT_TRAIL view holds audit trail records generated by the database. Enabling this audit action causes logging of all access attempts to the UNIFIED_AUDIT_TRAIL view, whether successful or unsuccessful, regardless of the privileges held by the users to issue such statements.
Remediation
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS ALL on SYS.UNIFIED_AUDIT_TRAIL;
Note:
If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.Ensure the 'CREATE PROCEDURE/FUNCTION/PACKAGE/PACKAGE BODY’ Action Audit Is Enabled (Scored)
Oracle database procedures, function, packages, and package bodies, which are stored within the database, are created to perform business functions and access database as defined by PL/SQL code and SQL statements contained within these objects. Enabling this unified action audit causes logging of all CREATE PROCEDURE, CREATE FUNCTION, CREATE PACKAGE and CREATE PACKAGE BODY statements, successful or unsuccessful, statements issued by the users regardless of the privileges held by the users to issue such statements.
Remediation
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS CREATE PROCEDURE, CREATE FUNCTION, CREATE PACKAGE, CREATE PACKAGE BODY;
Note:
If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.Ensure the 'ALTER PROCEDURE/FUNCTION/PACKAGE/PACKAGE BODY’ Action Audit Is Enabled (Scored)
Oracle database procedures, functions, packages, and package bodies, which are stored within the database, are created to carry out business functions and access database as defined by PL/SQL code and SQL statements contained within these objects. Enabling this unified action audit causes logging of all ALTER PROCEDURE, ALTER FUNCTION, ALTER PACKAGE and ALTER PACKAGE BODY statements, successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Remediation
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS ALTER PROCEDURE, ALTER FUNCTION, ALTER PACKAGE, ALTER PACKAGE BODY;
Note:
If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.Ensure the 'DROP PROCEDURE/FUNCTION/PACKAGE/PACKAGE BODY’ Action Audit Is Enabled (Scored)
Oracle database procedures, functions, packages, and package bodies, which are stored within the database, are created to carry out business functions and access database as defined by PL/SQL code and SQL statements contained within these objects. Enabling this unified action audit causes logging of all DROP PROCEDURE, DROP FUNCTION, DROP PACKAGE or DROP PACKAGE BODY statements, successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Remediation
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS DROP PROCEDURE, DROP FUNCTION, DROP PACKAGE, DROP PACKAGE BODY;
Note:
If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.Ensure the 'ALTER SYSTEM’ Privilege Audit Is Enabled (Scored)
The ALTER SYSTEM privilege allows the user to change instance settings which could impact security posture, performance or normal operation of the database. Additionally, the ALTER SYSTEM privilege may be used to run operating system commands using undocumented Oracle functionality. Enabling this unified audit causes logging of activities that involve exercise of this privilege, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Remediation
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS ALTER SYSTEM;
Note:
If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.Ensure the 'CREATE TRIGGER’ Action Audit Is Enabled (Scored)
Oracle database triggers are executed automatically when specified conditions on the underlying objects occur. Trigger bodies contain the code, quite often to perform data validation, ensure data integrity/security or enforce critical constraints on allowable actions on data. Enabling this unified audit causes logging of all CREATE TRIGGER statements, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Remediation
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS CREATE TRIGGER;
Note:
If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.Ensure the 'ALTER TRIGGER’ Action Audit IS Enabled (Scored)
Oracle database triggers are executed automatically when specified conditions on the underlying objects occur. Trigger bodies contain the code, quite often to perform data validation, ensure data integrity/security or enforce critical constraints on allowable actions on data. Enabling this unified audit causes logging of all ALTER TRIGGER statements, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Remediation
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS ALTER TRIGGER;
Note:
If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.Ensure the 'DROP TRIGGER’ Action Audit Is Enabled (Scored)
Oracle database triggers are executed automatically when specified conditions on the underlying objects occur. Trigger bodies contain the code, quite often to perform data validation, ensure data integrity/security or enforce critical constraints on allowable actions on data. Enabling this unified audit causes logging of all DROP TRIGGER statements, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Remediation
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS DROP TRIGGER;
Note:
If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.Ensure the 'LOGON’ AND ‘LOGOFF’ Actions Audit Is Enabled (Scored)
Oracle database users log on to the database to perform their work. Enabling this unified audit causes logging of all LOGON actions, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to log into the database. In addition, LOGOFF action audit captures logoff activities. This audit action also captures logon/logoff to the open database by SYSDBA and SYSOPER.
Remediation
Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS LOGON, LOGOFF;
Note:
If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.PDB Specific Remediation
The recommendations in this section should be followed if a PDB with unified auditing is used.
Rules to Remediate from a CDB
The following rules cannot be remediated from inside the PDB. The user must remediate them by connecting to CDB and performing the remediation action specified in CIS documentation:
- Rule 2.2.1 Ensure 'AUDIT_SYS_OPERATIONS' Is Set to 'TRUE' (Compliance Standard Rule)
- Rule 2.2.2 Ensure 'AUDIT_TRAIL' Is Set to 'DB', 'XML', 'OS', 'DB,EXTENDED', or 'XML,EXTENDED' (Compliance Standard Rule)
- Rule 2.2.5 Ensure 'OS_ROLES' Is Set to 'FALSE' (Compliance Standard Rule)
- Rule 2.2.6 Ensure 'REMOTE_LISTENER' Is Empty (Compliance Standard Rule)
- Rule 2.2.8 Ensure 'REMOTE_OS_AUTHENT' Is Set to 'FALSE' (Compliance Standard Rule)
- Rule 2.2.9 Ensure 'REMOTE_OS_ROLES' Is Set to 'FALSE' (Compliance Standard Rule)
- Rule 2.2.10 Ensure 'UTL_FILE_DIR' Is Empty (Compliance Standard Rule)
- Rule 2.2.11 Ensure 'SEC_CASE_SENSITIVE_LOGON' Is Set to 'TRUE' (Compliance Standard Rule)
- Rule 2.2.12 Ensure 'SEC_MAX_FAILED_LOGIN_ATTEMPTS' Is '3' or Less (Compliance Standard Rule)
- Rule 2.2.15 Ensure 'SEC_RETURN_SERVER_RELEASE_BANNER' Is Set to 'FALSE' (Compliance Standard Rule)
- Rule 2.2.17 Ensure '_trace_files_public' Is Set to 'FALSE' (Compliance Standard Rule)
- Rule 2.2.13 Ensure 'SEC_PROTOCOL_ERROR_FURTHER_ACTION' Is Set to 'DROP,3' (Compliance Standard Rule)
- Rule 2.2.14 Ensure 'SEC_PROTOCOL_ERROR_TRACE_ACTION' Is Set to 'LOG' (Compliance Standard Rule)
- Rule 2.2.16 Ensure 'SQL92_SECURITY' Is Set to 'TRUE' (Compliance Standard Rule)