# # (C) 2014 Tenable Network Security, Inc. # # This script is released under the Tenable Subscription License and # may not be used from within scripts released under another license # without authorization from Tenable Network Security, Inc. # # See the following licenses for details: # # http://static.tenable.com/prod_docs/Nessus_5_SLA_and_Subscription_Agreement.pdf # http://static.tenable.com/prod_docs/Subscription_Agreement.pdf # # @PROFESSIONALFEED@ # $Revision: 1.8 $ # $Date: 2014/03/24 19:59:17 $ # # Description: # # This document consists of a list of Oracle 11g, R2 Database security settings as suggested by # the CIS Oracle Database Server 11 - 11g R2 benchmark v1.0.0. # # Tenable has made a best effort to map the settings specified in the standard to a proprietary # .audit format that will be used by the Database compliance module to perform the audit. # # See Also : # https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf # ## 1 Oracle Database Installation and Patching Requirements # 1.1 Change the Oracle default account passwords type : SQL_POLICY description : "1.1.1 Default account passwords - 'Change the default password for APEX_040000'" info : "Some pre-installed versions of APEX 4.0 come with a default password and can provide a point for database" info : "access/control by unauthorized users, opening up the tables, views, etc.." solution : "Execute the following command to change the password. 
'SQL> password apex_040000;'" reference : "Level|1S,PCI|2.1" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" sql_request : "select 'defaultpwd' as defaultpassword from sys.user$ where name='APEX_040000'and substr(spare4,3,40)=rawtohex(utl_raw.cast_to_varchar2(sys.dbms_crypto.hash(utl_raw.cast_to_raw('oracle')||hextoraw(substr(spare4,43,20)), 3))) union select 'defaultpwd' from sys.user$ where name='APEX_040000' and password='EE7785338B8FFE3D';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "1.1.2 Default account passwords - 'Change the default password for APPQOSSYS'" info : "As the default APPQOSSYS account created by Oracle has a well-known password and can provide a point for database access" info : "by unauthorized users if left at the default setting, this value should be changed according to the needs of the organization." solution : "SQL> password appqossys" reference : "Level|1S,PCI|2.1" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" sql_request : "select 'defaultpwd' as defaultpassword from sys.user$ where name='APPQOSSYS' and substr(spare4,3,40)=rawtohex(utl_raw.cast_to_varchar2(sys.dbms_crypto.hash(utl_raw.cast_to_raw('appqossys')||hextoraw(substr(spare4,43,20)), 3))) union select 'defaultpwd' from dba_users_with_defpwd where username='APPQOSSYS';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "1.1.3 Default account passwords - 'Change the default password for CTXSYS'" info : "As the default CTXSYS account created by Oracle has a well-known password and can provide a point for database access" info : "by unauthorized users if left at the default setting, this value should be changed according to the needs of the organization." 
solution : "SQL> password ctxsys" reference : "Level|1S,PCI|2.1" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" see_also : "http://docs.oracle.com/cd/E11882_01/server.112/e10575/tdpsg_user_accounts.htm#TDPSG20030" sql_request : "select 'defaultpwd' as defaultpassword from sys.user$ where name='CTXSYS' and substr(spare4,3,40)=rawtohex(utl_raw.cast_to_varchar2(sys.dbms_crypto.hash(utl_raw.cast_to_raw('ctxsys')||hextoraw(substr(spare4,43,20)), 3))) union select 'defaultpwd' as defaultpassword from sys.user$ where name='CTXSYS' and substr(spare4,3,40)=rawtohex(utl_raw.cast_to_varchar2(sys.dbms_crypto.hash(utl_raw.cast_to_raw('change_on_install')||hextoraw(substr(spare4,43,20)), 3))) union select 'defaultpwd' from dba_users_with_defpwd where username='CTXSYS';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "1.1.4 Default account passwords - 'Change the default password for DBSNMP'" info : "Depending on the installation, the default DBSNMP account created by Oracle could have a well-known password and can be potentially" info : "used to retrieve the Oracle password hashes." 
solution : "Execute the following command to change the password: SQL> password dbsnmp" reference : "Level|1S,PCI|2.1" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" see_also : "http://docs.oracle.com/cd/E11882_01/server.112/e10575/tdpsg_user_accounts.htm#TDPSG20030" sql_request : "select 'defaultpwd' as defaultpassword from sys.user$ where name='DBSNMP' and substr(spare4,3,40)=rawtohex(utl_raw.cast_to_varchar2(sys.dbms_crypto.hash(utl_raw.cast_to_raw('dbsnmp')||hextoraw(substr(spare4,43,20)), 3))) union select 'defaultpwd' from dba_users_with_defpwd where username='DBSNMP';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "1.1.5 Default account passwords - 'Change the default password for DIP'" info : "As the default DIP account created by Oracle has a well-known password and can provide a point for database access by unauthorized users" info : "if left at the default setting, this value should be changed according to the needs of the organization." 
solution : "Execute the following command to change the password: SQL> password DIP" reference : "Level|1S,PCI|2.1" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" see_also : "http://docs.oracle.com/cd/E11882_01/server.112/e25513/statviews_5082.htm#REFRN23725" sql_request : "select 'defaultpwd' as defaultpassword from sys.user$ where name='DIP' and substr(spare4,3,40)=rawtohex(utl_raw.cast_to_varchar2(sys.dbms_crypto.hash(utl_raw.cast_to_raw('dip')||hextoraw(substr(spare4,43,20)), 3))) union select 'defaultpwd' from dba_users_with_defpwd where username='DIP';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "1.1.6 Default account passwords - 'Change the default password for EXFSYS'" info : "As the default EXFSYS account created by Oracle has a well-known password and can provide a point for database access by unauthorized users" info : "if left at the default setting, this value should be changed according to the needs of the organization." 
solution : "Execute the following command to change the password: SQL> password exfsys" reference : "Level|1S,PCI|2.1" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" sql_request : "select 'defaultpwd' as defaultpassword from sys.user$ where name='EXFSYS' and substr(spare4,3,40)=rawtohex(utl_raw.cast_to_varchar2(sys.dbms_crypto.hash(utl_raw.cast_to_raw('dip')||hextoraw(substr(spare4,43,20)), 3))) union select 'defaultpwd' from dba_users_with_defpwd where username='EXFSYS';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "1.1.7 Default account passwords - 'Change the default password for MDDATA'" info : "As the default MDDATA account created by Oracle has a well-known password and can be potentially corrupted to allow the installation of malware" info : "disguised as a business process, this value should be reset according to the needs of the organization." solution : "Execute the following command to change the password: SQL> password mddata" reference : "Level|1S,PCI|2.1" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" sql_request : "select 'defaultpwd' as defaultpassword from sys.user$ where name='MDDATA' and substr(spare4,3,40)=rawtohex(utl_raw.cast_to_varchar2(sys.dbms_crypto.hash(utl_raw.cast_to_raw('dip')||hextoraw(substr(spare4,43,20)), 3))) union select 'defaultpwd' from dba_users_with_defpwd where username='MDDATA';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "1.1.8 Default account passwords - 'Change the default password for MDSYS'" info : "As the default MDSYS account created by Oracle has a well-known password and can be potentially corrupted to allow the installation of malware" info : "disguised as AV plugins, this value should be reset according to the needs of the organization." solution : "Execute the following command to change the password: 
SQL> password mdsys" reference : "Level|1S,PCI|2.1" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" sql_request : "select 'defaultpwd' as defaultpassword from sys.user$ where name='MDSYS'and substr(spare4,3,40)=rawtohex(utl_raw.cast_to_varchar2(sys.dbms_crypto.hash(utl_raw.cast_to_raw('sys')||hextoraw(substr(spare4,43,20)), 3))) union select 'defaultpwd' as defaultpassword from sys.user$ where name='MDSYS' and substr(spare4,3,40)=rawtohex(utl_raw.cast_to_varchar2(sys.dbms_crypto.hash(utl_raw.cast_to_raw('mdsys')||hextoraw(substr(spare4,43,20)), 3))) union select 'defaultpwd' from dba_users_with_defpwd where username='MDSYS';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "1.1.9 Default account passwords - 'Change the default password for LBACSYS'" info : "As the default LBACSYS account created by Oracle has a well-known password and can provide a point for database access/control by unauthorized" info : "users, opening up the tables, views, etc. This value should be changed according to the needs of the organization." 
solution : "Execute the following command to change the password: SQL> password lbacsys" reference : "Level|1S,PCI|2.1" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" sql_request : "select 'defaultpwd' as defaultpassword from sys.user$ where name='LBACSYS' and substr(spare4,3,40)=rawtohex(utl_raw.cast_to_varchar2(sys.dbms_crypto.hash(utl_raw.cast_to_raw('lbacsys')||hextoraw(substr(spare4,43,20)), 3))) union select 'defaultpwd' from dba_users_with_defpwd where username='LBACSYS';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "1.1.10 Default account passwords - 'Change the default password for OLAPSYS'" info : "As the default OLAPSYS account created by Oracle has a well-known password and can be potentially corrupted to allow the installation of malware" info : "disguised as a business process, this value should be reset according to the needs of the organization." solution : "Execute the following command to change the password: SQL> password olapsys" reference : "Level|1S,PCI|2.1" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" sql_request : "select 'defaultpwd' as defaultpassword from sys.user$ where name='OLAPSYS' and substr(spare4,3,40)=rawtohex(utl_raw.cast_to_varchar2(sys.dbms_crypto.hash(utl_raw.cast_to_raw('manager')||hextoraw(substr(spare4,43,20)), 3))) union select 'defaultpwd' from dba_users_with_defpwd where username='OLAPSYS';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "1.1.11 Default account passwords - 'Change the default password for 'ORACLE_OCM'" info : "As the default ORACLE_OCM account created by Oracle has a well-known password and can provide a point for database access" info : "by unauthorized users if left at the default setting, this value should be changed according to the needs of the organization." 
solution : "Execute the following command to change the password: SQL> password oracle_ocm" reference : "Level|1S,PCI|2.1" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" see_also : "http://docs.oracle.com/cd/E11882_01/server.112/e25513/statviews_5082.htm#REFRN23725" sql_request : "select 'defaultpwd' as defaultpassword from sys.user$ where name='ORACLE_OCM'and substr(spare4,3,40)=rawtohex(utl_raw.cast_to_varchar2(sys.dbms_crypto.hash(utl_raw.cast_to_raw('sys')||hextoraw(substr(spare4,43,20)), 3))) union select 'defaultpwd' as defaultpassword from sys.user$ where name='MDSYS' and substr(spare4,3,40)=rawtohex(utl_raw.cast_to_varchar2(sys.dbms_crypto.hash(utl_raw.cast_to_raw('mdsys')||hextoraw(substr(spare4,43,20)), 3))) union select 'defaultpwd' from dba_users_with_defpwd where username='ORACLE_OCM';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "1.1.12 Default account passwords - 'Change the default password for 'ORDDATA'" info : "As the default ORDDATA account created by Oracle has a well-known password and can be potentially corrupted to allow" info : "the installation of malware disguised as AV plugins, or cause a Denial-of-Service condition by deleting the account," info : "this value should be reset according to the needs of the organization." 
solution : "Execute the following command to change the password: SQL> password orddata" reference : "Level|1S,PCI|2.1" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" sql_request : "select 'defaultpwd' as defaultpassword from sys.user$ where name='ORDDATA'and substr(spare4,3,40)=rawtohex(utl_raw.cast_to_varchar2(sys.dbms_crypto.hash(utl_raw.cast_to_raw('sys')||hextoraw(substr(spare4,43,20)), 3))) union select 'defaultpwd' as defaultpassword from sys.user$ where name='MDSYS' and substr(spare4,3,40)=rawtohex(utl_raw.cast_to_varchar2(sys.dbms_crypto.hash(utl_raw.cast_to_raw('mdsys')||hextoraw(substr(spare4,43,20)), 3))) union select 'defaultpwd' from dba_users_with_defpwd where username='ORDDATA';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "1.1.13 Default account passwords - 'Change the default password for 'ORDPLUGINS'" info : "As the default ORDPLUGINS account created by Oracle has a well-known password and can be potentially corrupted" info : "to allow the installation of malware disguised as AV plugins, this value should be reset according to the needs" info : "of the organization." 
solution : "Execute the following command to change the password: SQL> password ordplugins" reference : "Level|1S,PCI|2.1" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" sql_request : "select 'defaultpwd' as defaultpassword from sys.user$ where name='ORDPLUGINS'and substr(spare4,3,40)=rawtohex(utl_raw.cast_to_varchar2(sys.dbms_crypto.hash(utl_raw.cast_to_raw('sys')||hextoraw(substr(spare4,43,20)), 3))) union select 'defaultpwd' as defaultpassword from sys.user$ where name='MDSYS' and substr(spare4,3,40)=rawtohex(utl_raw.cast_to_varchar2(sys.dbms_crypto.hash(utl_raw.cast_to_raw('mdsys')||hextoraw(substr(spare4,43,20)), 3))) union select 'defaultpwd' from dba_users_with_defpwd where username='ORDPLUGINS';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "1.1.14 Default account passwords - 'Change the default password for 'ORDSYS'" info : "As the default ORDSYS account created by Oracle has a well-known password and can be potentially corrupted" info : "to allow the installation of malware disguised as AV plugins, or cause a Denial-of-Service condition by deleting" info : "the account, this value should be reset according to the needs of the organization." 
solution : "Execute the following command to change the password: SQL> password ordsys" reference : "Level|1S,PCI|2.1" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" sql_request : "select 'defaultpwd' as defaultpassword from sys.user$ where name='ORDSYS'and substr(spare4,3,40)=rawtohex(utl_raw.cast_to_varchar2(sys.dbms_crypto.hash(utl_raw.cast_to_raw('sys')||hextoraw(substr(spare4,43,20)), 3))) union select 'defaultpwd' as defaultpassword from sys.user$ where name='MDSYS' and substr(spare4,3,40)=rawtohex(utl_raw.cast_to_varchar2(sys.dbms_crypto.hash(utl_raw.cast_to_raw('mdsys')||hextoraw(substr(spare4,43,20)), 3))) union select 'defaultpwd' from dba_users_with_defpwd where username='ORDSYS';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "1.1.15 Default account passwords - 'Change the default password for 'OUTLN'" info : "As the default OUTLN account created by Oracle has a well-known password and can provide a point for database" info : "access by unauthorized users if left at the default setting, this value should be changed according to the needs" info : "of the organization." 
solution : "Execute the following command to change the password: SQL> password outln" reference : "Level|1S,PCI|2.1" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" see_also : "http://docs.oracle.com/cd/E11882_01/server.112/e25513/statviews_5082.htm#REFRN23725" sql_request : "select 'defaultpwd' as defaultpassword from sys.user$ where name='OUTLN'and substr(spare4,3,40)=rawtohex(utl_raw.cast_to_varchar2(sys.dbms_crypto.hash(utl_raw.cast_to_raw('sys')||hextoraw(substr(spare4,43,20)), 3))) union select 'defaultpwd' as defaultpassword from sys.user$ where name='MDSYS' and substr(spare4,3,40)=rawtohex(utl_raw.cast_to_varchar2(sys.dbms_crypto.hash(utl_raw.cast_to_raw('mdsys')||hextoraw(substr(spare4,43,20)), 3))) union select 'defaultpwd' from dba_users_with_defpwd where username='OUTLN';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "1.1.16 Default account passwords - 'Change the default password for OWBSYS_AUDIT'" info : "As the default OWBSYS_AUDIT account created by Oracle has a well-known password and can be potentially used" info : "to alter the audit/logging tables and alter/delete forensic data that can reveal unauthorized access/alteration" info : "of data, this value should be reset according to the needs of the organization." 
solution : "Execute the following command to change the password: SQL> password owbsys_audit" reference : "Level|1S,PCI|2.1" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" sql_request : "select 'defaultpwd' as defaultpassword from sys.user$ where name='OWBSYS_AUDIT'and substr(spare4,3,40)=rawtohex(utl_raw.cast_to_varchar2(sys.dbms_crypto.hash(utl_raw.cast_to_raw('sys')||hextoraw(substr(spare4,43,20)), 3))) union select 'defaultpwd' as defaultpassword from sys.user$ where name='MDSYS' and substr(spare4,3,40)=rawtohex(utl_raw.cast_to_varchar2(sys.dbms_crypto.hash(utl_raw.cast_to_raw('mdsys')||hextoraw(substr(spare4,43,20)), 3))) union select 'defaultpwd' from dba_users_with_defpwd where username='OWBSYS_AUDIT';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "1.1.17 Default account passwords - 'Change the default password for 'OWBSYS'" info : "As the default OWBSYS account created by Oracle has a well-known password and can be potentially" info : "used to take over the database warehouse structures or access user queries, this value should be reset" info : "according to the needs of the organization." 
solution : "Execute the following command to change the password: SQL> password owbsys" reference : "Level|1S,PCI|2.1" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" sql_request : "select 'defaultpwd' as defaultpassword from sys.user$ where name='OWBSYS'and substr(spare4,3,40)=rawtohex(utl_raw.cast_to_varchar2(sys.dbms_crypto.hash(utl_raw.cast_to_raw('sys')||hextoraw(substr(spare4,43,20)), 3))) union select 'defaultpwd' as defaultpassword from sys.user$ where name='MDSYS' and substr(spare4,3,40)=rawtohex(utl_raw.cast_to_varchar2(sys.dbms_crypto.hash(utl_raw.cast_to_raw('mdsys')||hextoraw(substr(spare4,43,20)), 3))) union select 'defaultpwd' from dba_users_with_defpwd where username='OWBSYS';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "1.1.18 Default account passwords - 'Change the default password for 'SI_INFORMTN_SCHEMA'" info : "As the default SI_INFORMTN_SCHEMA account created by Oracle has a well-known password and can be potentially corrupted" info : "to allow the installation of malware disguised as third party multimedia plugins, this value should be reset according" info : "to the needs of the organization." 
solution : "Execute the following command to change the password: SQL> password si_informtn_schema" reference : "Level|1S,PCI|2.1" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" sql_request : "select 'defaultpwd' as defaultpassword from sys.user$ where name='SI_INFORMTN_SCHEMA'and substr(spare4,3,40)=rawtohex(utl_raw.cast_to_varchar2(sys.dbms_crypto.hash(utl_raw.cast_to_raw('sys')||hextoraw(substr(spare4,43,20)), 3))) union select 'defaultpwd' as defaultpassword from sys.user$ where name='MDSYS' and substr(spare4,3,40)=rawtohex(utl_raw.cast_to_varchar2(sys.dbms_crypto.hash(utl_raw.cast_to_raw('mdsys')||hextoraw(substr(spare4,43,20)), 3))) union select 'defaultpwd' from dba_users_with_defpwd where username='SI_INFORMTN_SCHEMA';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "1.1.19 Default account passwords - 'Change the default password for 'SPATIAL_CSW_ADMIN_USR'" info : "As the default SPATIAL_CSW_ADMIN_USR account created by Oracle has a well-known password and can be potentially" info : "corrupted to allow the installation of malware disguised as a business process, this value should be reset according" info : "to the needs of the organization." 
solution : "Execute the following command to change the password: SQL> password spatial_csw_admin_usr" reference : "Level|1S,PCI|2.1" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" sql_request : "select 'defaultpwd' as defaultpassword from sys.user$ where name='SPATIAL_CSW_ADMIN_USR'and substr(spare4,3,40)=rawtohex(utl_raw.cast_to_varchar2(sys.dbms_crypto.hash(utl_raw.cast_to_raw('sys')||hextoraw(substr(spare4,43,20)), 3))) union select 'defaultpwd' as defaultpassword from sys.user$ where name='MDSYS' and substr(spare4,3,40)=rawtohex(utl_raw.cast_to_varchar2(sys.dbms_crypto.hash(utl_raw.cast_to_raw('mdsys')||hextoraw(substr(spare4,43,20)), 3))) union select 'defaultpwd' from dba_users_with_defpwd where username='SPATIAL_CSW_ADMIN_USR';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "1.1.20 Default account passwords - 'Change the default password for SPATIAL_WFS_ADMIN_USR'" info : "As the default SPATIAL_WFS_ADMIN_USR account created by Oracle has a well-known password and can be potentially" info : "corrupted to allow the installation of malware disguised as a business process, this value should be reset according" info : "to the needs of the organization." 
solution : "Execute the following command to change the password: SQL> password spatial_wfs_admin_usr" reference : "Level|1S,PCI|2.1" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" sql_request : "select 'defaultpwd' as defaultpassword from sys.user$ where name='SPATIAL_WFS_ADMIN_USR'and substr(spare4,3,40)=rawtohex(utl_raw.cast_to_varchar2(sys.dbms_crypto.hash(utl_raw.cast_to_raw('sys')||hextoraw(substr(spare4,43,20)), 3))) union select 'defaultpwd' as defaultpassword from sys.user$ where name='MDSYS' and substr(spare4,3,40)=rawtohex(utl_raw.cast_to_varchar2(sys.dbms_crypto.hash(utl_raw.cast_to_raw('mdsys')||hextoraw(substr(spare4,43,20)), 3))) union select 'defaultpwd' from dba_users_with_defpwd where username='SPATIAL_WFS_ADMIN_USR';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "1.1.21 Default account passwords - 'Change the default password for SYS'" info : "Older versions of Oracle shipped SYS with a well-known password, and the 'SYS as SYSDBA' login is the" info : "most powerful entry point for an unauthorized user if left at the default setting; this value should be" info : "changed according to the needs of the organization." 
solution : "Execute the following command to change the password: SQL> password sys" reference : "Level|1S,PCI|2.1" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" see_also : "http://docs.oracle.com/cd/E11882_01/server.112/e25513/statviews_5082.htm#REFRN23725" see_also : "http://www.oracleforensics.com/wordpress/index.php/2012/10/24/sys_throttler-and-distributed-database-forensics/" sql_request : "select 'defaultpwd' as defaultpassword from sys.user$ where name='SYS' and substr(spare4,3,40)=rawtohex(utl_raw.cast_to_varchar2(sys.dbms_crypto.hash(utl_raw.cast_to_raw('manager')||hextoraw(substr(spare4,43,20)), 3)))union select 'defaultpwd' as defaultpassword from sys.user$ where name='SYS' and substr(spare4,3,40)=rawtohex(utl_raw.cast_to_varchar2(sys.dbms_crypto.hash(utl_raw.cast_to_raw('change_on_install')||hextoraw(substr(spare4,43,20)), 3))) union select 'defaultpwd' as defaultpassword from sys.user$ where name='SYS' and substr(spare4,3,40)=rawtohex(utl_raw.cast_to_varchar2(sys.dbms_crypto.hash(utl_raw.cast_to_raw('d_syspw')||hextoraw(substr(spare4,43,20)), 3))) union select 'defaultpwd' from dba_users_with_defpwd where username='SYS';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "1.1.22 Default account passwords - 'Change the default password for 'SYSTEM'" info : "In older versions of Oracle the default SYSTEM account had a well-known password and can provide" info : "a point for full dba access by unauthorized users if left at the default setting, this value should" info : "be changed according to the needs of the organization." 
solution : "Execute the following command to change the password: SQL> password system" reference : "Level|1S,PCI|2.1" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" see_also : "http://docs.oracle.com/cd/E11882_01/server.112/e25513/statviews_5082.htm#REFRN23725" sql_request : "select 'defaultpwd' as defaultpassword from sys.user$ where name='SYSTEM'and substr(spare4,3,40)=rawtohex(utl_raw.cast_to_varchar2(sys.dbms_crypto.hash(utl_raw.cast_to_raw('sys')||hextoraw(substr(spare4,43,20)), 3))) union select 'defaultpwd' as defaultpassword from sys.user$ where name='MDSYS' and substr(spare4,3,40)=rawtohex(utl_raw.cast_to_varchar2(sys.dbms_crypto.hash(utl_raw.cast_to_raw('mdsys')||hextoraw(substr(spare4,43,20)), 3))) union select 'defaultpwd' from dba_users_with_defpwd where username='SYSTEM';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "1.1.23 Default account passwords - 'Change the default password for WK_TEST'" info : "As the default WK_TEST account created by Oracle has a well-known password and can be potentially" info : "used to alter the tables or alter/delete forensic data, this value should be reset according" info : "to the needs of the organization." 
solution : "Execute the following command to change the password: SQL> password wk_test" reference : "Level|1S,PCI|2.1" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" sql_request : "select 'defaultpwd' as defaultpassword from sys.user$ where name='WK_TEST'and substr(spare4,3,40)=rawtohex(utl_raw.cast_to_varchar2(sys.dbms_crypto.hash(utl_raw.cast_to_raw('sys')||hextoraw(substr(spare4,43,20)), 3))) union select 'defaultpwd' as defaultpassword from sys.user$ where name='MDSYS' and substr(spare4,3,40)=rawtohex(utl_raw.cast_to_varchar2(sys.dbms_crypto.hash(utl_raw.cast_to_raw('mdsys')||hextoraw(substr(spare4,43,20)), 3))) union select 'defaultpwd' from dba_users_with_defpwd where username='WK_TEST';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "1.1.24 Default account passwords - 'Change the default password for WKPROXY'" info : "As the default WKPROXY account created by Oracle has a well-known password and can be potentially" info : "used to alter the tables or alter/delete forensic data, this value should be reset according to" info : "the needs of the organization." 
solution : "Execute the following command to change the password: SQL> password wkproxy" reference : "Level|1S,PCI|2.1" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" sql_request : "select 'defaultpwd' as defaultpassword from sys.user$ where name='WKPROXY' and substr(spare4,3,40)=rawtohex(utl_raw.cast_to_varchar2(sys.dbms_crypto.hash(utl_raw.cast_to_raw('change_on_install')||hextoraw(substr(spare4,43,20)), 3))) union select 'defaultpwd' as defaultpassword from sys.user$ where name='WKPROXY' and substr(spare4,3,40)=rawtohex(utl_raw.cast_to_varchar2(sys.dbms_crypto.hash(utl_raw.cast_to_raw('wkproxy')||hextoraw(substr(spare4,43,20)), 3))) union select 'defaultpwd' from dba_users_with_defpwd where username='WKPROXY';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "1.1.25 Default account passwords - 'Change the default password for 'WKSYS'" info : "As the default WKSYS account created by Oracle has a well-known password and can provide a point for database" info : "access by unauthorized users if left at the default setting, this value should be changed according to the" info : "needs of the organization." 
solution : "Execute the following command to change the password: SQL> password wksys" reference : "Level|1S,PCI|2.1" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" sql_request : "select 'defaultpwd' as defaultpassword from sys.user$ where name='WKSYS'and substr(spare4,3,40)=rawtohex(utl_raw.cast_to_varchar2(sys.dbms_crypto.hash(utl_raw.cast_to_raw('sys')||hextoraw(substr(spare4,43,20)), 3))) union select 'defaultpwd' as defaultpassword from sys.user$ where name='MDSYS' and substr(spare4,3,40)=rawtohex(utl_raw.cast_to_varchar2(sys.dbms_crypto.hash(utl_raw.cast_to_raw('mdsys')||hextoraw(substr(spare4,43,20)), 3))) union select 'defaultpwd' from dba_users_with_defpwd where username='WKSYS';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "1.1.26 Default account passwords - 'Change the default password for 'WMSYS'" info : "As the default WMSYS account created by Oracle has a well-known password and can provide a point for database" info : "access by unauthorized users if left at the default setting, this value should be changed according to the" info : "needs of the organization." 
solution : "Execute the following command to change the password: SQL> password wmsys" reference : "Level|1S,PCI|2.1" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" sql_request : "select 'defaultpwd' as defaultpassword from sys.user$ where name='WMSYS'and substr(spare4,3,40)=rawtohex(utl_raw.cast_to_varchar2(sys.dbms_crypto.hash(utl_raw.cast_to_raw('sys')||hextoraw(substr(spare4,43,20)), 3))) union select 'defaultpwd' as defaultpassword from sys.user$ where name='MDSYS' and substr(spare4,3,40)=rawtohex(utl_raw.cast_to_varchar2(sys.dbms_crypto.hash(utl_raw.cast_to_raw('mdsys')||hextoraw(substr(spare4,43,20)), 3))) union select 'defaultpwd' from dba_users_with_defpwd where username='WMSYS';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "1.1.27 Default account passwords - 'Change the default password for 'XDB'" info : "As the default XDB account created by Oracle has a well-known password and can provide a point for database" info : "access by unauthorized users if left at the default setting, this value should be changed according to the" info : "needs of the organization." 
solution : "Execute the following command to change the password: SQL> password xdb"
reference : "Level|1S,PCI|2.1"
see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf"
# XDB is tested against two candidate defaults ('xdb' and 'change_on_install'): the
# 11g SHA-1 ('S:') verifier is recomputed for each from the stored salt, and Oracle's
# DBA_USERS_WITH_DEFPWD view is consulted as a fallback.
sql_request : "select 'defaultpwd' as defaultpassword from sys.user$ where name='XDB' and substr(spare4,3,40)=rawtohex(utl_raw.cast_to_varchar2(sys.dbms_crypto.hash(utl_raw.cast_to_raw('xdb')||hextoraw(substr(spare4,43,20)), 3))) union select 'defaultpwd' as defaultpassword from sys.user$ where name='XDB' and substr(spare4,3,40)=rawtohex(utl_raw.cast_to_varchar2(sys.dbms_crypto.hash(utl_raw.cast_to_raw('change_on_install')||hextoraw(substr(spare4,43,20)), 3))) union select 'defaultpwd' from dba_users_with_defpwd where username='XDB';"
sql_types : POLICY_VARCHAR
sql_expect : NULL

# 1.2 Remove Oracle Sample Users
# DROP USER ... CASCADE is irreversible: confirm each sample schema holds only the
# Oracle-supplied demo objects before running the remediation.

type : SQL_POLICY
description : "1.2.1 Remove Oracle Sample Users - 'Remove the sample user BI'"
info : "As the default BI account created by Oracle has a well-known password and can be potentially used"
info : "to alter the database to launch exploits against Production to gain unauthorized access to user data,"
info : "this value should be reset according to the needs of the organization."
solution : "SQL> DROP USER BI CASCADE;"
reference : "Level|1S,PCI|6.3.1,PCI|6.4.4"
see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf"
see_also : "http://docs.oracle.com/cd/E11882_01/server.112/e10575/tdpsg_user_accounts.htm#TDPSG20303"
# Presence check only: any row means the sample account still exists.
sql_request : "SELECT username FROM ALL_USERS WHERE USERNAME='BI';"
sql_types : POLICY_VARCHAR
sql_expect : NULL

type : SQL_POLICY
description : "1.2.2 Remove Oracle Sample Users - 'Remove the sample user HR'"
info : "As the default HR account created by Oracle has a well-known password and can be potentially"
info : "used to alter the database to launch exploits against Production to gain unauthorized access to"
info : "user data, this value should be reset according to the needs of the organization."
# CASCADE drops every object in the schema; verify nothing but the demo data lives in HR first.
solution : "SQL> DROP USER HR CASCADE;"
reference : "Level|1S,PCI|6.3.1,PCI|6.4.4"
see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf"
see_also : "http://docs.oracle.com/cd/E11882_01/server.112/e10831/scripts.htm#autoId3"
see_also : "http://docs.oracle.com/cd/E11882_01/server.112/e10575/tdpsg_user_accounts.htm#TDPSG20303"
sql_request : "SELECT username FROM ALL_USERS WHERE USERNAME='HR';"
sql_types : POLICY_VARCHAR
sql_expect : NULL

type : SQL_POLICY
description : "1.2.3 Remove Oracle Sample Users - 'Remove the sample user IX'"
info : "As the default IX account created by Oracle has a well-known password and can be potentially"
info : "used to alter the database to launch exploits against Production to gain unauthorized access to"
info : "user data, this value should be reset according to the needs of the organization."
solution : "SQL> DROP USER IX CASCADE;"
reference : "Level|1S,PCI|6.3.1,PCI|6.4.4"
see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf"
see_also : "http://docs.oracle.com/cd/E11882_01/server.112/e10831/scripts.htm#autoId9"
see_also : "http://docs.oracle.com/cd/E11882_01/server.112/e10575/tdpsg_user_accounts.htm#TDPSG20303"
# Presence check only: any row means the sample account still exists.
sql_request : "SELECT username FROM ALL_USERS WHERE USERNAME='IX';"
sql_types : POLICY_VARCHAR
sql_expect : NULL

type : SQL_POLICY
description : "1.2.4 Remove Oracle Sample Users - 'Remove the sample user OE'"
info : "As the default OE account created by Oracle has a well-known password and can be potentially"
info : "used to alter the database to launch exploits against Production to gain unauthorized access to"
info : "user data, this value should be reset according to the needs of the organization."
# CASCADE drops every object in the schema; verify nothing but the demo data lives in OE first.
solution : "SQL> DROP USER OE CASCADE;"
reference : "Level|1S,PCI|6.3.1,PCI|6.4.4"
see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf"
see_also : "http://docs.oracle.com/cd/E11882_01/server.112/e10831/scripts.htm#autoId5"
see_also : "http://docs.oracle.com/cd/E11882_01/server.112/e10575/tdpsg_user_accounts.htm#TDPSG20303"
sql_request : "SELECT username FROM ALL_USERS WHERE USERNAME='OE';"
sql_types : POLICY_VARCHAR
sql_expect : NULL

type : SQL_POLICY
description : "1.2.5 Remove Oracle Sample Users - 'Remove the sample user PM'"
info : "As the default PM account created by Oracle has a well-known password and can be potentially"
info : "used to alter the database to launch exploits against Production to gain unauthorized access to"
info : "user data, this value should be reset according to the needs of the organization."
solution : "SQL> DROP USER PM CASCADE;"
reference : "Level|1S,PCI|6.3.1,PCI|6.4.4"
see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf"
see_also : "http://docs.oracle.com/cd/E11882_01/server.112/e10831/scripts.htm#autoId7"
see_also : "http://docs.oracle.com/cd/E11882_01/server.112/e10575/tdpsg_user_accounts.htm#TDPSG20303"
# Presence check only: any row means the sample account still exists.
sql_request : "SELECT username FROM ALL_USERS WHERE USERNAME='PM';"
sql_types : POLICY_VARCHAR
sql_expect : NULL

type : SQL_POLICY
description : "1.2.6 Remove Oracle Sample Users - 'Remove the sample user SCOTT'"
info : "As the default SCOTT account created by Oracle has a well-known password and can be potentially"
info : "used to alter the database to launch exploits against Production to gain unauthorized access to"
info : "user data, this value should be reset according to the needs of the organization."
# CASCADE drops every object in the schema; verify nothing but the demo data lives in SCOTT first.
solution : "SQL> DROP USER SCOTT CASCADE;"
reference : "Level|1S,PCI|6.3.1,PCI|6.4.4"
see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf"
see_also : "http://docs.oracle.com/cd/E11882_01/server.112/e10575/tdpsg_user_accounts.htm#TDPSG20303"
sql_request : "SELECT username FROM ALL_USERS WHERE USERNAME='SCOTT';"
sql_types : POLICY_VARCHAR
sql_expect : NULL

type : SQL_POLICY
description : "1.2.7 Remove Oracle Sample Users - 'Remove the sample user SH'"
info : "As the default SH account created by Oracle has a well-known password and can be potentially"
info : "used to alter the database to launch exploits against Production to gain unauthorized access to"
info : "user data, this value should be reset according to the needs of the organization."
solution : "SQL> DROP USER SH CASCADE;"
reference : "Level|1S,PCI|6.3.1,PCI|6.4.4"
see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf"
see_also : "http://docs.oracle.com/cd/E11882_01/server.112/e10831/scripts.htm#autoId11"
see_also : "http://docs.oracle.com/cd/E11882_01/server.112/e10575/tdpsg_user_accounts.htm#TDPSG20303"
# Presence check only: any row means the sample account still exists.
sql_request : "SELECT username FROM ALL_USERS WHERE USERNAME='SH';"
sql_types : POLICY_VARCHAR
sql_expect : NULL

## 2 Oracle Parameter Settings
# 2.1 listener.ora settings - SEE CIS_Oracle_Server_11g_R2_Unix_v1.0.0.audit and CIS_Oracle_Server_11g_R2_Windows_1.0.0.audit
# 2.2 sqlnet.ora settings

type : SQL_POLICY
description : "2.3 sqlnet.ora settings - 'Setting for parameter audit_sys_operations parameter'"
info : "If the parameter AUDIT_SYS_OPERATIONS is FALSE all statements except of Startup/Shutdown and Logon"
info : "by SYSDBA/SYSOPER users are not audited."
# SYS audit records are written to the OS/XML audit trail rather than to SYS.AUD$;
# the permissions on that audit directory are covered by the OS-level audit files.
solution : "SQL> ALTER SYSTEM SET AUDIT_SYS_OPERATIONS = true SCOPE=SPFILE;"
reference : "Level|1S,PCI|10.1"
see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf"
see_also : "http://docs.oracle.com/cd/E11882_01/server.112/e25513/initparams015.htm#REFRN10005"
sql_request : "select value from v$parameter where upper(name)='AUDIT_SYS_OPERATIONS';"
sql_types : POLICY_VARCHAR
sql_expect : "TRUE"

type : SQL_POLICY
description : "2.4 sqlnet.ora settings - 'Setting for the audit_trail parameter'"
info : "Enabling the basic auditing features for the Oracle instance permits the collection of data to troubleshoot problems,"
info : "as well as providing value forensic logs in the case of a system breach, this value should be set according"
info : "to the needs of the organization."
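solution : "SQL> alter system set audit_trail = DB,EXTENDED scope = spfile; OR SQL> alter system set audit_trail = OS scope = spfile; OR SQL> alter system set audit_trail = XML,EXTENDED scope = spfile;"
reference : "Level|1S,PCI|10.1"
see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf"
see_also : "http://docs.oracle.com/cd/E11882_01/server.112/e25513/initparams017.htm#REFRN10006"
see_also : "http://www.oracle.com/technetwork/database/audit-vault/learnmore/twpsecurity-auditperformance-166655.pdf"
sql_request : "select value from v$parameter where upper(name)='AUDIT_TRAIL';"
sql_types : POLICY_VARCHAR
# Accept every value the solution offers (the old exact match failed OS and XML,EXTENDED
# even though both are listed as valid remediations). The optional space tolerates
# v$parameter rendering the value as "DB, EXTENDED". Plain DB (no EXTENDED) and NONE
# still fail. If the organization only accepts one trail, tighten this back to it.
sql_expect : regex:'^(DB, ?EXTENDED|OS|XML, ?EXTENDED)$'

type : SQL_POLICY
description : "2.5 sqlnet.ora settings - 'Setting for the global_names parameter'"
info : "As not requiring database connections to match the domain that is being called remotely could allow unauthorized"
info : "domain sources to potentially connect via brute-force tactics, this value should be set according to"
info : "the needs of the organization."
solution : "SQL> alter system set global_names = true scope = spfile;"
reference : "Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf"
see_also : "http://docs.oracle.com/cd/E11882_01/server.112/e25513/initparams096.htm#REFRN10065"
sql_request : "select value from v$parameter where upper(name)='GLOBAL_NAMES';"
sql_types : POLICY_VARCHAR
sql_expect : "TRUE"

type : SQL_POLICY
description : "2.6 sqlnet.ora settings - 'Setting for the local_listener parameter'"
info : "The TNS poisoning attack allows to redirect TNS network traffic to another system by registering a listener"
info : "to the TNS listener. This attack can be performed by unauthorized users with network access. By specifying the"
info : "IPC protocol it is no longer possible to register listeners via TCP/IP."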
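solution : "SQL> alter system set local_listener='(DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=REGISTER)))' scope = both;"
reference : "Level|1S,PCI|2.2.2"
see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf"
see_also : "http://docs.oracle.com/cd/E11882_01/server.112/e25513/initparams118.htm#REFRN10082"
see_also : "https://support.oracle.com/epmos/faces/ui/km/DocumentDisplay.jspx?id=1453883.1"
see_also : "https://support.oracle.com/epmos/faces/ui/km/DocumentDisplay.jspx?id=1340831.1"
see_also : "http://www.joxeankoret.com/download/tnspoison.pdf"
sql_request : "select value from v$parameter where upper(name)='LOCAL_LISTENER';"
sql_types : POLICY_VARCHAR
# Passes only when the registration address uses IPC, which is what the solution sets.
# (An empty/NULL LOCAL_LISTENER is the unremediated default and must fail.) A tnsnames
# alias such as LISTENER_<SID> hides the protocol and will fail here; review those by
# hand, and check that no additional TCP address is listed. The listener-side controls
# from the referenced MOS notes (COST / VALID_NODE_CHECKING_REGISTRATION) are not
# covered by this query.
sql_expect : regex:'PROTOCOL\s*=\s*IPC'

type : SQL_POLICY
description : "2.7 sqlnet.ora settings - 'Setting for the o7_dictionary_accessibility parameter'"
info : "As leaving the SYS schema so open to connection could permit unauthorized access to critical data structures,"
info : "this value should be set according to the needs of the organization."
solution : "SQL> ALTER SYSTEM SET O7_DICTIONARY_ACCESSIBILITY=FALSE scope=spfile;"
reference : "Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf"
see_also : "http://docs.oracle.com/cd/E11882_01/server.112/e25513/initparams157.htm#REFRN10133"
sql_request : "select value from v$parameter where upper(name)='O7_DICTIONARY_ACCESSIBILITY';"
sql_types : POLICY_VARCHAR
sql_expect : "FALSE"

type : SQL_POLICY
description : "2.8 sqlnet.ora settings - 'Setting for the os_roles parameter'"
info : "As allowing the OS use external groups for database management could cause privilege overlaps and generally weaken"
info : "security, this value should be set according to the needs of the organization."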
solution : "SQL> ALTER SYSTEM SET OS_ROLES=false SCOPE=SPFILE;"
reference : "Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf"
see_also : "http://docs.oracle.com/cd/E11882_01/server.112/e25513/initparams175.htm#REFRN10153"
sql_request : "select value from v$parameter where upper(name)='OS_ROLES';"
sql_types : POLICY_VARCHAR
sql_expect : "FALSE"

type : SQL_POLICY
description : "2.9 sqlnet.ora settings - 'Setting for the remote_listener parameter'"
info : "As permitting a remote listener for connections to the database instance can allow for the potential spoofing of"
info : "connections and that could compromise data confidentiality and integrity, this value should be disabled/restricted"
info : "according to the needs of the organization."
solution : "SQL> alter system set remote_listener ='' scope = spfile;"
reference : "Level|1S,PCI|2.2.2"
see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf"
see_also : "http://docs.oracle.com/cd/E11882_01/server.112/e25513/initparams208.htm#REFRN10183"
# NULL (unset) is the expected state. RAC/SCAN deployments legitimately set
# REMOTE_LISTENER; treat those as documented exceptions rather than findings.
sql_request : "select value from v$parameter where upper(name)='REMOTE_LISTENER';"
sql_types : POLICY_VARCHAR
sql_expect : NULL

type : SQL_POLICY
description : "2.10 sqlnet.ora settings - 'Setting for the remote_login_passwordfile parameter'"
info : "As the use of this sort of password login file could permit unsecured, privileged connections to the database,"
info : "this value should be set according to the needs of the organization."
# NONE disables password-file (remote SYSDBA/SYSOPER) logins altogether. Hosts that are
# administered remotely, e.g. Data Guard or RMAN targets, need EXCLUSIVE and should be
# recorded as exceptions.
solution : "SQL> ALTER SYSTEM SET remote_login_passwordfile = none scope = spfile;"
reference : "Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf"
see_also : "http://docs.oracle.com/cd/E11882_01/server.112/e25513/initparams209.htm#REFRN10184"
sql_request : "select value from v$parameter where upper(name)='REMOTE_LOGIN_PASSWORDFILE';"
sql_types : POLICY_VARCHAR
sql_expect : "NONE"

type : SQL_POLICY
description : "2.11 sqlnet.ora settings - 'Setting for the remote_os_authent parameter'"
info : "As permitting OS roles for database connections to can allow the spoofing of connections and permit granting"
info : "the privileges of an OS role to unauthorized users to make connections, this value should be restricted according"
info : "to the needs of the organization."
solution : "SQL> alter system set remote_os_authent = false scope = spfile;"
reference : "Level|1S,PCI|2.2.2"
see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf"
see_also : "http://docs.oracle.com/cd/E11882_01/server.112/e25513/initparams210.htm#REFRN10185"
sql_request : "select value from v$parameter where upper(name)='REMOTE_OS_AUTHENT';"
sql_types : POLICY_VARCHAR
sql_expect : "FALSE"

type : SQL_POLICY
description : "2.12 sqlnet.ora settings - 'Setting for the remote_os_roles parameter'"
info : "As allowing remote clients OS roles to have permissions for database management could cause privilege overlaps"
info : "and generally weaken security, this value should be set according to the needs of the organization."
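solution : "SQL> ALTER SYSTEM SET REMOTE_OS_ROLES=false SCOPE=SPFILE;"
reference : "Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf"
see_also : "http://docs.oracle.com/cd/E11882_01/server.112/e25513/initparams210.htm#REFRN10186"
sql_request : "select value from v$parameter where upper(name)='REMOTE_OS_ROLES';"
sql_types : POLICY_VARCHAR
sql_expect : "FALSE"

type : SQL_POLICY
description : "2.13 sqlnet.ora settings - 'Setting for the utl_file_dir parameter'"
info : "As using the utl_file_dir to create directories allows the manipulation of files in these directories."
# Parameter name corrected (UTL_FILE_DIR, not UTIL_FILE_DIR). Use DIRECTORY objects with
# explicit grants instead of this parameter.
solution : "SQL> ALTER SYSTEM SET UTL_FILE_DIR = '' SCOPE=SPFILE;"
reference : "Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf"
see_also : "http://docs.oracle.com/cd/E11882_01/server.112/e25513/initparams266.htm#REFRN10230"
sql_request : "select value from v$parameter where upper(name)='UTL_FILE_DIR';"
sql_types : POLICY_VARCHAR
# An unset parameter yields a NULL value, the same convention used for REMOTE_LISTENER.
sql_expect : NULL

type : SQL_POLICY
description : "2.14 'Setting for the sec_case_sensitive_logon parameter'"
info : "Oracle 11g databases without CPU October 2012 patch or later are vulnerable to CVE-2012-3137 if case-sensitive"
info : "SHA-1 password hashes are used. To avoid this kind of attack the old DES-hashes have to be used."
# The solution now matches the value this check enforces (FALSE), which is the v1.0.0
# benchmark's mitigation for unpatched servers. NOTE(review): FALSE reverts logons to
# the weaker, case-insensitive DES verifier; the real fix is the CPU. On servers with
# CPU October 2012 or later applied, TRUE is the stronger setting - if adopted, change
# sql_expect below together with this solution.
solution : "SQL> ALTER SYSTEM SET SEC_CASE_SENSITIVE_LOGON=FALSE scope=spfile;"
reference : "Level|1S"
info : ""
info : "IMPACT: If SEC_CASE_SENSITIVE_LOGON is FALSE, all user with SHA-1 hashes only"
info : "(select name,password,spare4 from sys.user$ where password is null and spare4 is not null) are no longer able to connect"
info : "to the database. In this case the password for all users without DES hash have to set again."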
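see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf"
see_also : "http://docs.oracle.com/cd/E11882_01/server.112/e25513/initparams222.htm#REFRN10299"
see_also : "https://support.oracle.com/epmos/faces/DocumentDisplay?id=1492721.1"
see_also : "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3137"
sql_request : "select value from v$parameter where upper(name)='SEC_CASE_SENSITIVE_LOGON';"
sql_types : POLICY_VARCHAR
# FALSE is the v1.0.0 benchmark value (DES-only verifiers as a CVE-2012-3137 mitigation).
# NOTE(review): on servers patched with CPU October 2012 or later, TRUE is the stronger
# setting; change this expectation together with the solution if that policy is adopted.
sql_expect : "FALSE"

type : SQL_POLICY
description : "2.15 sqlnet.ora settings - 'Setting for the sec_max_failed_login_attempts parameter'"
info : "As allowing an unlimited number of login attempts for a user connection can facilitate both brute-force"
info : "login attacks and the occurrence of Denial-of-Service, this value (3) should be set according to the"
info : "needs of the organization."
# This limit drops the *connection* after N failed authentications; account lockout is
# governed separately by the profile's FAILED_LOGIN_ATTEMPTS (section 3.1).
solution : "SQL> ALTER SYSTEM SET SEC_MAX_FAILED_LOGIN_ATTEMPTS = 3 scope=spfile;"
reference : "Level|1S,PCI|8.5.13"
see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf"
see_also : "http://docs.oracle.com/cd/E11882_01/server.112/e25513/initparams223.htm#REFRN10274"
sql_request : "select value from v$parameter where upper(name)='SEC_MAX_FAILED_LOGIN_ATTEMPTS';"
sql_types : POLICY_INTEGER
# Anchored: the unanchored '([1-3])' also matched 10, 13, 30 etc. Only 1, 2 or 3 pass.
sql_expect : regex:'^[1-3]$'

type : SQL_POLICY
description : "2.16 sqlnet.ora settings - 'Setting for the SEC_PROTOCOL_ERROR_FURTHER_ACTION parameter'"
info : "As bad packets received from the client can potentially indicate packet-based attacks on the system,"
info : "such as 'TCP SYN Flood' or 'Smurf' attacks, which could result in a Denial-of-Service condition, this"
info : "value should be set according to the needs of the organization."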
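solution : "SQL> ALTER SYSTEM SET SEC_PROTOCOL_ERROR_FURTHER_ACTION = delay,3 scope=spfile; OR SQL> ALTER SYSTEM SET SEC_PROTOCOL_ERROR_FURTHER_ACTION = drop,3 scope=spfile;"
reference : "Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf"
see_also : "http://docs.oracle.com/cd/E11882_01/server.112/e25513/initparams224.htm#REFRN10282"
sql_request : "select value from v$parameter where upper(name)='SEC_PROTOCOL_ERROR_FURTHER_ACTION';"
sql_types : POLICY_VARCHAR
# Either remediation passes. The previous '"DELAY,3" && "DROP,3"' required a single
# value to equal both strings and could never succeed. Left unanchored because Oracle
# may render the value with surrounding parentheses, e.g. (DROP,3); CONTINUE fails.
sql_expect : regex:'(DELAY|DROP),\s*3'

type : SQL_POLICY
description : "2.17 sqlnet.ora settings - 'Setting for the sec_protocol_error_trace_action parameter'"
info : "As bad packets received from the client can potentially indicate packet-based attacks on the system,"
info : "such as 'TCP SYN Flood' or 'Smurf' attacks, which could result in a Denial-of-Service condition, this"
info : "diagnostic/logging value for ALERT, LOG, or TRACE conditions should be set according to the needs"
info : "of the organization."
solution : "SQL> ALTER SYSTEM SET SEC_PROTOCOL_ERROR_TRACE_ACTION=LOG scope=spfile;"
reference : "Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf"
see_also : "http://docs.oracle.com/cd/E11882_01/server.112/e25513/initparams224.htm#REFRN10283"
sql_request : "select value from v$parameter where upper(name)='SEC_PROTOCOL_ERROR_TRACE_ACTION';"
sql_types : POLICY_VARCHAR
# v$parameter always returns a value for this parameter, so the former NULL expectation
# could never pass. LOG matches the solution; NONE is the only value that disables the
# diagnostics, so loosen to regex:'^(ALERT|LOG|TRACE)$' if ALERT/TRACE are acceptable.
sql_expect : "LOG"

type : SQL_POLICY
description : "2.18 sqlnet.ora settings - 'Setting for the sec_return_server_release_banner parameter'"
info : "As allowing the database to return information about the patch/update release number could facilitate"
info : "unauthorized users' attempts to gain access based upon known patch weaknesses, this value should be set"
info : "according to the needs of the organization."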
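solution : "SQL> ALTER SYSTEM SET sec_return_server_release_banner=false scope=spfile;"
reference : "Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf"
see_also : "http://docs.oracle.com/cd/E11882_01/server.112/e25513/initparams226.htm#REFRN10275"
sql_request : "select value from v$parameter where upper(name)='SEC_RETURN_SERVER_RELEASE_BANNER';"
sql_types : POLICY_VARCHAR
# v$parameter returns the string FALSE (never NULL) when the banner is suppressed, so
# the check compares against that value instead of expecting an empty result.
sql_expect : "FALSE"

type : SQL_POLICY
description : "2.19 sqlnet.ora settings - 'Setting for the sql92_security parameter'"
info : "The default value FALSE of the parameter sql92_security is secure out-of-the-box. Several security guides"
info : "recommend the unsecure setting TRUE. This unsecure setting TRUE allows users which need only UPDATE/DELETE"
info : "privileges to select data directly instead of guessing it."
# NOTE(review): this encodes the v1.0.0 benchmark's position. With FALSE a user holding
# only UPDATE/DELETE can still infer column values through WHERE clauses; later guidance
# (Oracle's security guide, newer benchmark revisions) prefers TRUE. Confirm the
# organization's policy before enforcing FALSE.
solution : "SQL> ALTER SYSTEM SET sql92_security=FALSE SCOPE=SPFILE;"
reference : "Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf"
see_also : "http://docs.oracle.com/cd/E11882_01/server.112/e25513/initparams246.htm#REFRN10210"
sql_request : "select value from v$parameter where upper(name)='SQL92_SECURITY';"
sql_types : POLICY_VARCHAR
sql_expect : "FALSE"

type : SQL_POLICY
description : "2.20 sqlnet.ora settings - 'Setting for the _trace_files_public parameter'"
info : "As permitting the unix read permission to other anyone can read the instance's trace files file"
info : "which could contain sensitive information about instance operations, this value should be restricted"
info : "according to the needs of the organization."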
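solution : "SQL> alter system set '_trace_files_public'=false scope=spfile;"
reference : "Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf"
see_also : "http://asktom.oracle.com/pls/asktom/f?p=100:11:0::::P11_QUESTION_ID:4295521746131"
# The old predicate upper(name)='_trace_files_public' compared an upper-cased name with a
# lowercase literal and never matched. NOTE(review): underscore parameters are normally
# absent from v$parameter unless explicitly set; nvl(max()) therefore treats "not set"
# as the default FALSE. Confirm against x$ksppi/x$ksppcv if the scan account is SYS.
sql_request : "select nvl(max(value),'FALSE') from v$parameter where name='_trace_files_public';"
sql_types : POLICY_VARCHAR
sql_expect : "FALSE"

## 3 Oracle client/user connection and login restrictions
# Only the DEFAULT profile is inspected in this section; accounts assigned to other
# profiles (or to a profile that inherits DEFAULT values) need a separate review.

type : SQL_POLICY
description : "3.1 client/user connection and login restrictions - 'Restrictions on failed login attempts via the default DB profile'"
info : "As repeated failed login attempts can indicate the initiation of a brute-force login attack,"
info : "this value should be set according to the needs of the organization."
solution : "SQL> ALTER PROFILE DEFAULT LIMIT FAILED_LOGIN_ATTEMPTS 3;"
reference : "Level|1S,PCI|8.5.13"
see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf"
sql_request : "SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE PROFILE='DEFAULT' AND RESOURCE_NAME='FAILED_LOGIN_ATTEMPTS';"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR, POLICY_INTEGER
# Anchored so that 10, 13, 30 etc. no longer pass; UNLIMITED fails as before.
sql_expect : 'DEFAULT','FAILED_LOGIN_ATTEMPTS',regex:'^[1-3]$'

type : SQL_POLICY
description : "3.2 client/user connection and login restrictions - 'Requirements for account locking via on the default DB profile'"
info : "As locking the user account after repeated failed login attempts can block further brute force login attacks, but can"
info : "create administrative headaches as this account unlocking process always requires DBA intervention, this value should"
info : "be set according to the needs of the organization."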
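# The solution and the expectation disagreed (UNLIMITED vs "1"), and the one-column
# expectation was compared against a three-column result. Both a fixed lock of at least
# one day and an UNLIMITED lock (DBA must unlock) now satisfy the check; DEFAULT,
# fractions of a day and 0 fail.
solution : "SQL> ALTER PROFILE DEFAULT LIMIT PASSWORD_LOCK_TIME 1;"
reference : "Level|1S,PCI|8.5.14"
see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf"
sql_request : "SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE PROFILE='DEFAULT' AND RESOURCE_NAME='PASSWORD_LOCK_TIME';"
sql_types : POLICY_VARCHAR,POLICY_VARCHAR,POLICY_VARCHAR
sql_expect : 'DEFAULT','PASSWORD_LOCK_TIME',regex:'^(UNLIMITED|[1-9][0-9]*)$'

type : SQL_POLICY
description : "3.4 client/user connection and login restrictions - 'Restrictions on password history via the default DB profile'"
info : "As allowing reuse of a password within a short period of time after the password's initial use can make"
info : "the success of both social-engineering and brute-force password-based attacks more likely, this value"
info : "should be set according to the needs of the organization."
# PASSWORD_REUSE_MAX only takes effect together with PASSWORD_REUSE_TIME (3.5); if either
# is UNLIMITED the pair behaves differently, so keep both checks in step.
solution : "SQL> ALTER PROFILE DEFAULT LIMIT PASSWORD_REUSE_MAX 24;"
reference : "Level|1S,PCI|8.5.12"
see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf"
sql_request : "SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE PROFILE='DEFAULT' AND RESOURCE_NAME='PASSWORD_REUSE_MAX';"
sql_types : POLICY_VARCHAR,POLICY_VARCHAR,POLICY_INTEGER
sql_expect : 'DEFAULT','PASSWORD_REUSE_MAX',24

type : SQL_POLICY
description : "3.5 client/user connection and login restrictions - 'Restrictions on password use (reuse) via a DB profile'"
info : "As reusing the same password after only a short period of time has passed makes the success of brute-force"
info : "login attacks more likely, this value should be set according to the needs of the organization."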
solution : "SQL> ALTER PROFILE DEFAULT LIMIT PASSWORD_REUSE_TIME 365;"
reference : "Level|1S,PCI|8.5.12"
see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf"
# Exact match on 365 days; a stricter organizational value will be reported as a finding.
sql_request : "SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE PROFILE='DEFAULT' AND RESOURCE_NAME='PASSWORD_REUSE_TIME';"
sql_types : POLICY_VARCHAR,POLICY_VARCHAR,POLICY_INTEGER
sql_expect : 'DEFAULT','PASSWORD_REUSE_TIME',365

type : SQL_POLICY
description : "3.6 client/user connection and login restrictions - 'Requirements for account locking (grace time) via a DB profile'"
info : "As locking the user account after the expiration of the password change requirement's grace period can"
info : "help prevent password -based attack against a forgotten or disused accounts, while still allowing the"
info : "account and its information to be accessible by DBA intervention, this value should be set according"
info : "to the needs of the organization."
# A grace time of 0 forces a password change at the first login after expiry; application
# service accounts with expiring passwords should be reviewed before this is enforced.
solution : "SQL> ALTER PROFILE DEFAULT LIMIT PASSWORD_GRACE_TIME 0;"
reference : "Level|1S,PCI|8.5.13"
see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf"
sql_request : "SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE PROFILE='DEFAULT' AND RESOURCE_NAME='PASSWORD_GRACE_TIME';"
sql_types : POLICY_VARCHAR,POLICY_VARCHAR,POLICY_INTEGER
sql_expect : 'DEFAULT','PASSWORD_GRACE_TIME',0

type : SQL_POLICY
description : "3.7 client/user connection and login restrictions - 'Requirements for limiting EXTERNAL user login capability'"
info : "As allowing remote OS authentication of a user to the database can potentially allow supposed 'privileged users'"
info : "to connect as authenticated, even when the remote system is compromised, these logins should be disabled/restricted"
info : "according to the needs of the organization."
# 'username' / 'password' are placeholders for each account reported by the query.
# AUTHENTICATION_TYPE='EXTERNAL' also covers strongly authenticated (Kerberos/SSL)
# users, not just OS-authenticated OPS$ accounts; review each hit before converting it
# to password authentication.
solution : "SQL> ALTER USER username IDENTIFIED BY password;"
reference : "Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf"
sql_request : "SELECT USERNAME FROM DBA_USERS WHERE AUTHENTICATION_TYPE='EXTERNAL';"
sql_types : POLICY_VARCHAR
sql_expect : NULL

type : SQL_POLICY
description : "3.9 client/user connection and login restrictions - 'Requirements for limiting the number of sessions per user'"
info : "As limiting the number of the SESSIONS_PER_USER can help prevent memory resource exhaustion by poorly formed requests"
info : "or intentional Denial-of-Service attacks, this value should be set according to the needs of the organization."
info : "To enable this setting it is necessary to enable the RESOURCE_LIMIT (ALTER SYSTEM SET RESOURCE_LIMIT = TRUE;)."
# The profile limit is inert unless RESOURCE_LIMIT=TRUE; that parameter is not verified here.
solution : "SQL> ALTER PROFILE DEFAULT LIMIT SESSIONS_PER_USER 10;"
reference : "Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf"
sql_request : "SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE RESOURCE_NAME='SESSIONS_PER_USER' AND PROFILE='DEFAULT';"
sql_types : POLICY_VARCHAR,POLICY_VARCHAR,POLICY_INTEGER
sql_expect : 'DEFAULT','SESSIONS_PER_USER',10

## 4 Oracle user access and authorization restrictions
# 4.1 Default Public Privileges for Packages and Object Types
# Revoking EXECUTE from PUBLIC invalidates dependent objects that relied on the public
# grant; grant EXECUTE directly to the schemas that need each package before revoking.

type : SQL_POLICY
description : "4.1.1 Default Public Privileges for Packages and Object Types - 'Limit public access to the DBMS_ADVISOR package'"
info : "As use of the DBMS_ADVISOR package could allow an unauthorized user to corrupt operating system files on the instance's host,"
info : "use of this package should be restricted according to the needs of the organization."
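solution : "SQL> REVOKE EXECUTE ON DBMS_ADVISOR FROM PUBLIC;"
reference : "Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf"
see_also : "http://docs.oracle.com/cd/E11882_01/appdev.112/e25788/d_advis.htm"
sql_request : "SELECT GRANTEE, TABLE_NAME FROM DBA_TAB_PRIVS where TABLE_NAME='DBMS_ADVISOR' AND GRANTEE ='PUBLIC';"
sql_types : POLICY_VARCHAR,POLICY_VARCHAR
sql_expect : NULL

type : SQL_POLICY
description : "4.1.2 Default Public Privileges for Packages and Object Types - 'Limit public access to the DBMS_CRYPTO package '"
info : "As execution of these cryptography procedures by the user PUBLIC can potentially endanger portions of or all of the data storage,"
info : "this value should be set according to the needs of the organization."
# The default-password checks in section 1.1 call sys.dbms_crypto.hash themselves, so
# the scanning account needs a direct EXECUTE grant once the PUBLIC grant is revoked.
solution : "SQL> REVOKE EXECUTE ON DBMS_CRYPTO FROM PUBLIC;"
reference : "Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf"
see_also : "http://docs.oracle.com/cd/E11882_01/appdev.112/e25788/d_crypto.htm#ARPLS664"
# Restricted to PUBLIC like the other 4.1 checks: the previous query listed every grantee
# and failed whenever any legitimately authorized schema held the privilege.
sql_request : "SELECT GRANTEE, PRIVILEGE, TABLE_NAME FROM DBA_TAB_PRIVS WHERE TABLE_NAME='DBMS_CRYPTO' AND GRANTEE='PUBLIC';"
sql_types : POLICY_VARCHAR,POLICY_VARCHAR,POLICY_VARCHAR
sql_expect : NULL

type : SQL_POLICY
description : "4.1.3 Default Public Privileges for Packages and Object Types - 'Limit public access to the DBMS_JAVA package'"
info : "The DBMS_JAVA package could allow an attacker to run operating system commands from the database."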
# Both Java checks pass trivially on instances without the JVM component installed.
solution : "SQL> REVOKE EXECUTE ON DBMS_JAVA FROM PUBLIC;"
reference : "Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf"
see_also : "http://docs.oracle.com/cd/E11882_01/java.112/e10588/appendixa.htm#JJDEV13000"
sql_request : "SELECT GRANTEE, TABLE_NAME FROM DBA_TAB_PRIVS where TABLE_NAME='DBMS_JAVA' AND GRANTEE = 'PUBLIC';"
sql_types : POLICY_VARCHAR
sql_expect : NULL

type : SQL_POLICY
description : "4.1.4 Default Public Privileges for Packages and Object Types - 'Limit public access to the DBMS_JAVA_TEST package'"
info : "The DBMS_JAVA_TEST package could allow an attacker to run operating system commands from the database."
solution : "SQL> REVOKE EXECUTE ON DBMS_JAVA_TEST FROM PUBLIC;"
reference : "Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf"
see_also : "http://www.databasesecurity.com/HackingAurora.pdf"
sql_request : "SELECT GRANTEE, TABLE_NAME FROM DBA_TAB_PRIVS where TABLE_NAME='DBMS_JAVA_TEST' AND GRANTEE = 'PUBLIC';"
sql_types : POLICY_VARCHAR
sql_expect : NULL

type : SQL_POLICY
description : "4.1.5 Default Public Privileges for Packages and Object Types - 'Limit public access to the DBMS_JOB package'"
info : "As use of the DBMS_JOB package could allow an unauthorized user to disable or overload the job queue and has been"
info : "superseded by the DBMS_SCHEDULER package, this package should be disabled or restricted according to the needs of"
info : "the organization."
solution : "SQL> REVOKE EXECUTE ON DBMS_JOB FROM PUBLIC;" reference : "Level|1S" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" see_also : "http://docs.oracle.com/cd/E11882_01/appdev.112/e25788/d_job.htm" sql_request : "SELECT GRANTEE, TABLE_NAME FROM DBA_TAB_PRIVS WHERE TABLE_NAME='DBMS_JOB' AND GRANTEE='PUBLIC';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "4.1.6 Default Public Privileges for Packages and Object Types - 'Limit public access to the DBMS_LDAP package'" info : "The DBMS_LDAP package can be used to create specially crafted error messages or to send information via DNS to the outside." solution : "SQL> REVOKE EXECUTE ON DBMS_LDAP FROM PUBLIC;" reference : "Level|1S" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" see_also : "http://docs.oracle.com/cd/E23943_01/oid.1111/e10186/dbmsldap_ref.htm#OIMAD009" sql_request : "SELECT GRANTEE, TABLE_NAME FROM DBA_TAB_PRIVS where TABLE_NAME='DBMS_LDAP' AND GRANTEE ='PUBLIC';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "4.1.7 Default Public Privileges for Packages and Object Types - 'Limit public access to the DBMS_LOB package'" info : "As use of the DBMS_LOB package could allow an unauthorized user to manipulate BLOBs, CLOBs, NCLOBs, BFILEs, and temporary" info : "LOBs on the instance, either destroying data or causing a Denial-of-Service condition due to corruption of disk space, use" info : "of this package should be restricted according to the needs of the organization."
solution : "SQL> REVOKE EXECUTE ON DBMS_LOB FROM PUBLIC;" reference : "Level|1S" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" see_also : "http://docs.oracle.com/cd/E11882_01/appdev.112/e25788/d_lob.htm" sql_request : "SELECT GRANTEE, TABLE_NAME FROM DBA_TAB_PRIVS where TABLE_NAME='DBMS_LOB' AND GRANTEE ='PUBLIC';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "4.1.8 Default Public Privileges for Packages and Object Types - 'Limit public access to the DBMS_OBFUSCATION_TOOLKIT package'" info : "As allowing the PUBLIC user privileges to access this capability can potentially harm the data storage, this access should" info : "be set according to the needs of the organization." solution : "SQL> REVOKE EXECUTE ON DBMS_OBFUSCATION_TOOLKIT FROM PUBLIC;" reference : "Level|1S" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" see_also : "http://docs.oracle.com/cd/E11882_01/appdev.112/e25788/d_obtool.htm#ARPLS028" sql_request : "SELECT GRANTEE, TABLE_NAME FROM DBA_TAB_PRIVS where TABLE_NAME='DBMS_OBFUSCATION_TOOLKIT' AND GRANTEE='PUBLIC';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "4.1.9 Default Public Privileges for Packages and Object Types - 'Limit public access to the DBMS_RANDOM package'" info : "As assignment of use of the DBMS_RANDOM package can allow the unauthorized application of the random number-generating" info : "function, this capability should be restricted according to the needs of the organization."
solution : "SQL> REVOKE EXECUTE ON DBMS_RANDOM FROM PUBLIC;" reference : "Level|1S" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" see_also : "http://docs.oracle.com/cd/E11882_01/appdev.112/e25788/d_random.htm" sql_request : "SELECT GRANTEE FROM DBA_TAB_PRIVS WHERE TABLE_NAME= 'DBMS_RANDOM' AND GRANTEE='PUBLIC';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "4.1.10 Default Public Privileges for Packages and Object Types - 'Limit public access to the DBMS_SCHEDULER package'" info : "Use of the DBMS_SCHEDULER package could allow an unauthorized user to run database or operating system jobs." solution : "SQL> REVOKE EXECUTE ON DBMS_SCHEDULER FROM PUBLIC;" reference : "Level|1S" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" see_also : "http://docs.oracle.com/cd/E11882_01/appdev.112/e25788/d_sched.htm" sql_request : "SELECT GRANTEE, TABLE_NAME FROM DBA_TAB_PRIVS WHERE TABLE_NAME='DBMS_SCHEDULER' AND GRANTEE='PUBLIC';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "4.1.11 Default Public Privileges for Packages and Object Types - 'Limit public access to the DBMS_SQL package'" info : "The DBMS_SQL package could allow privilege escalation if the input validation is not done properly."
solution : "SQL> REVOKE EXECUTE ON DBMS_SQL FROM PUBLIC;" reference : "Level|1S" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" see_also : "http://docs.oracle.com/cd/E11882_01/appdev.112/e25788/d_sched.htm" sql_request : "SELECT GRANTEE, TABLE_NAME FROM DBA_TAB_PRIVS WHERE TABLE_NAME='DBMS_SQL' AND GRANTEE='PUBLIC';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "4.1.12 Default Public Privileges for Packages and Object Types - 'Limit public access to the DBMS_XMLGEN package'" info : "The package DBMS_XMLGEN can be used to search the entire database for critical information like credit card numbers, ..." solution : "SQL> REVOKE EXECUTE ON DBMS_XMLGEN FROM PUBLIC;" reference : "Level|1S" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" see_also : "http://docs.oracle.com/cd/E11882_01/appdev.112/e25788/d_xmlgen.htm" see_also : "http://www.red-database-security.com/wp/confidence2009.pdf" sql_request : "SELECT GRANTEE, TABLE_NAME FROM DBA_TAB_PRIVS WHERE TABLE_NAME='DBMS_XMLGEN' AND GRANTEE='PUBLIC';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "4.1.13 Default Public Privileges for Packages and Object Types - 'Limit public access to the DBMS_XMLQUERY package'" info : "The package DBMS_XMLQUERY can be used to search the entire database for critical information like credit card numbers, ..."
solution : "SQL> REVOKE EXECUTE ON DBMS_XMLQUERY FROM PUBLIC;" reference : "Level|1S" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" see_also : "http://docs.oracle.com/cd/E11882_01/appdev.112/e25788/d_xmlque.htm" sql_request : "SELECT GRANTEE, TABLE_NAME FROM DBA_TAB_PRIVS WHERE TABLE_NAME='DBMS_XMLQUERY' AND GRANTEE='PUBLIC';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "4.1.14 Default Public Privileges for Packages and Object Types - 'Limit public access to the UTL_FILE package'" info : "The UTL_FILE package could allow a user to read files on the operating system. These files could contain" info : "sensitive information (e.g. passwords in .bash_history)." solution : "SQL> REVOKE EXECUTE ON UTL_FILE FROM PUBLIC;" reference : "Level|1S" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" see_also : "http://docs.oracle.com/cd/E11882_01/appdev.112/e25788/u_file.htm#ARPLS70896" sql_request : "SELECT GRANTEE, TABLE_NAME FROM DBA_TAB_PRIVS where TABLE_NAME='UTL_FILE' AND GRANTEE='PUBLIC';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "4.1.15 Default Public Privileges for Packages and Object Types - 'Limit public access to the UTL_INADDR package'" info : "As use of the UTL_INADDR package is often used in SQL Injection attacks from the web it should be revoked from public."
solution : "SQL> REVOKE EXECUTE ON UTL_INADDR FROM PUBLIC;" reference : "Level|1S" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" see_also : "http://docs.oracle.com/cd/E11882_01/appdev.112/e25788/u_inaddr.htm" sql_request : "SELECT GRANTEE, TABLE_NAME FROM DBA_TAB_PRIVS where TABLE_NAME='UTL_INADDR' AND GRANTEE ='PUBLIC';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "4.1.16 Default Public Privileges for Packages and Object Types - 'Limit public access to the UTL_TCP package'" info : "The UTL_TCP package is often used in SQL Injection attacks from the web, so it should be revoked from PUBLIC." solution : "SQL> REVOKE EXECUTE ON UTL_TCP FROM PUBLIC;" reference : "Level|1S" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" see_also : "http://docs.oracle.com/cd/E11882_01/appdev.112/e25788/u_tcp.htm#ARPLS71533" sql_request : "SELECT GRANTEE, TABLE_NAME FROM DBA_TAB_PRIVS where TABLE_NAME='UTL_TCP' AND GRANTEE ='PUBLIC';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "4.1.17 Default Public Privileges for Packages and Object Types - 'Limit public access to the UTL_MAIL package'" info : "As use of the UTL_MAIL package could allow an unauthorized user to corrupt the SMTP function to accept or generate junk" info : "mail that can result in a Denial-of-Service condition due to network saturation, use of this package should be restricted" info : "according to the needs of the organization."
solution : "SQL> REVOKE EXECUTE ON UTL_MAIL FROM PUBLIC;" reference : "Level|1S" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" see_also : "http://docs.oracle.com/cd/E11882_01/appdev.112/e25788/u_mail.htm" sql_request : "SELECT GRANTEE, TABLE_NAME FROM DBA_TAB_PRIVS where TABLE_NAME='UTL_MAIL' and GRANTEE ='PUBLIC';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "4.1.18 Default Public Privileges for Packages and Object Types - 'Limit public access to the UTL_SMTP package'" info : "As use of the UTL_SMTP package could allow an unauthorized user to corrupt the SMTP function to accept or generate junk" info : "mail that can result in a Denial-of-Service condition due to network saturation, use of this package should be restricted" info : "according to the needs of the organization." solution : "SQL> REVOKE EXECUTE ON UTL_SMTP FROM PUBLIC;" reference : "Level|1S" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" see_also : "http://docs.oracle.com/cd/E11882_01/appdev.112/e25788/u_smtp.htm" sql_request : "SELECT GRANTEE, TABLE_NAME FROM DBA_TAB_PRIVS where TABLE_NAME='UTL_SMTP' and GRANTEE ='PUBLIC';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "4.1.19 Default Public Privileges for Packages and Object Types - 'Limit public access to the UTL_DBWS package'" info : "As use of the UTL_DBWS package could allow an unauthorized user to corrupt the HTTP stream used to carry the protocols" info : "that communicate with the instance's web-based external communications, use of this package should be restricted" info : "according to the needs of the organization."
solution : "SQL> REVOKE EXECUTE ON UTL_DBWS FROM PUBLIC;" reference : "Level|1S" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" see_also : "http://docs.oracle.com/cd/B19306_01/appdev.102/b14258/u_dbws.htm" sql_request : "SELECT GRANTEE, TABLE_NAME FROM DBA_TAB_PRIVS where TABLE_NAME='UTL_DBWS' and GRANTEE ='PUBLIC';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "4.1.20 Default Public Privileges for Packages and Object Types - 'Limit public access to the UTL_ORAMTS package'" info : "The UTL_ORAMTS package could be used to send (sensitive) information to external websites. The use of this package" info : "should be restricted according to the needs of the organization." solution : "SQL> REVOKE EXECUTE ON UTL_ORAMTS FROM PUBLIC;" reference : "Level|1S" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" see_also : "http://docs.oracle.com/cd/E11882_01/win.112/e26104/recovery.htm#NTMTS139" sql_request : "SELECT GRANTEE, TABLE_NAME FROM DBA_TAB_PRIVS where TABLE_NAME='UTL_ORAMTS' and GRANTEE ='PUBLIC';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "4.1.21 Default Public Privileges for Packages and Object Types - 'Limit public access to the UTL_HTTP package'" info : "The UTL_HTTP package could be used to send (sensitive) information to external websites. The use of this package" info : "should be restricted according to the needs of the organization."
solution : "SQL> REVOKE EXECUTE ON UTL_HTTP FROM PUBLIC;" reference : "Level|1S" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" see_also : "http://docs.oracle.com/cd/E11882_01/appdev.112/e25788/u_http.htm" sql_request : "SELECT GRANTEE, TABLE_NAME FROM DBA_TAB_PRIVS where TABLE_NAME='UTL_HTTP' and GRANTEE ='PUBLIC';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "4.1.22 Default Public Privileges for Packages and Object Types - 'Limit public access to the HTTPURITYPE package'" info : "The Oracle database HTTPURITYPE object type can be used to perform HTTP-requests. This could be used to send" info : "information to the outside." solution : "SQL> REVOKE EXECUTE ON HTTPURITYPE FROM PUBLIC;" reference : "Level|1S" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" see_also : "http://docs.oracle.com/cd/E11882_01/appdev.112/e25788/t_dburi.htm#ARPLS71705" sql_request : "SELECT GRANTEE, TABLE_NAME FROM DBA_TAB_PRIVS where TABLE_NAME='HTTPURITYPE' and GRANTEE ='PUBLIC';" sql_types : POLICY_VARCHAR sql_expect : NULL # 4.2 Non-Default Public Privileges for Packages and Object Types type : SQL_POLICY description : "4.2.1 Non-Default Public Privileges for Packages and Object Types - 'Limiting public user access to the DBMS_SYS_SQL package'" info : "The DBMS_SYS_SQL package could allow a user to run code as a different user without entering that user's credentials."
solution : "SQL> REVOKE EXECUTE ON DBMS_SYS_SQL FROM PUBLIC;" reference : "Level|1S" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" see_also : "http://docs.oracle.com/cd/E11882_01/network.112/e16543/guidelines.htm#DBSEG499" see_also : "http://asktom.oracle.com/pls/asktom/f?p=100:11:0::::P11_QUESTION_ID:1325202421535" sql_request : "SELECT GRANTEE, TABLE_NAME FROM DBA_TAB_PRIVS where TABLE_NAME='DBMS_SYS_SQL' and GRANTEE ='PUBLIC';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "4.2.2 Non-Default Public Privileges for Packages and Object Types - 'Limiting public user access to the DBMS_BACKUP_RESTORE package'" info : "Use of the DBMS_BACKUP_RESTORE package can allow access to file permissions at the operating system level." solution : "SQL> REVOKE EXECUTE ON DBMS_BACKUP_RESTORE FROM PUBLIC;" reference : "Level|1S" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" see_also : "http://psoug.org/reference/dbms_backup_restore.html" see_also : "http://davidalejomarcos.wordpress.com/2011/09/13/how-to-list-files-on-adirectory-from-oracle-database/" sql_request : "SELECT GRANTEE, TABLE_NAME FROM DBA_TAB_PRIVS where TABLE_NAME='DBMS_BACKUP_RESTORE' and GRANTEE ='PUBLIC';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "4.2.3 Non-Default Public Privileges for Packages and Object Types - 'Limiting public user access to the DBMS_AQADM_SYSCALLS package'" info : "As use of the DBMS_AQADM_SYSCALLS package could allow an unauthorized user to run SQL commands as user SYS."
solution : "SQL> REVOKE EXECUTE ON DBMS_AQADM_SYSCALLS FROM PUBLIC;" reference : "Level|1S" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" see_also : "http://www.databasesecurity.com/dbsec/ohh-indirect-privilege-escalation.pdf" sql_request : "SELECT GRANTEE, TABLE_NAME FROM DBA_TAB_PRIVS where TABLE_NAME='DBMS_AQADM_SYSCALLS' and GRANTEE ='PUBLIC';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "4.2.4 Non-Default Public Privileges for Packages and Object Types - 'Limiting public user access to the DBMS_REPCAT_SQL_UTL package'" info : "As use of the DBMS_REPCAT_SQL_UTL package could allow an unauthorized user to run SQL commands as user SYS." solution : "SQL> REVOKE EXECUTE ON DBMS_REPCAT_SQL_UTL FROM PUBLIC;" reference : "Level|1S" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" see_also : "http://www.databasesecurity.com/dbsec/ohh-indirect-privilege-escalation.pdf" sql_request : "SELECT GRANTEE, TABLE_NAME FROM DBA_TAB_PRIVS where TABLE_NAME='DBMS_REPCAT_SQL_UTL' and GRANTEE ='PUBLIC';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "4.2.5 Non-Default Public Privileges for Packages and Object Types - 'Limiting public user access to the INITJVMAUX package'" info : "As use of the INITJVMAUX package could allow an unauthorized user to run SQL commands as user SYS."
solution : "SQL> Revoke execute on INITJVMAUX from PUBLIC;" reference : "Level|1S" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" see_also : "http://www.databasesecurity.com/dbsec/ohh-indirect-privilege-escalation.pdf" sql_request : "SELECT GRANTEE, TABLE_NAME FROM DBA_TAB_PRIVS where TABLE_NAME='INITJVMAUX' and GRANTEE ='PUBLIC';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "4.2.6 Non-Default Public Privileges for Packages and Object Types - 'Limiting public user access to the DBMS_STREAMS_ADM_UTL package'" info : "As use of the DBMS_STREAMS_ADM_UTL package could allow an unauthorized user to run SQL commands as user SYS." solution : "SQL> Revoke execute on DBMS_STREAMS_ADM_UTL from PUBLIC;" reference : "Level|1S" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" see_also : "http://www.databasesecurity.com/dbsec/ohh-indirect-privilege-escalation.pdf" sql_request : "SELECT GRANTEE, TABLE_NAME FROM DBA_TAB_PRIVS where TABLE_NAME='DBMS_STREAMS_ADM_UTL' and GRANTEE ='PUBLIC';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "4.2.7 Non-Default Public Privileges for Packages and Object Types - 'Limiting public user access to the DBMS_AQADM_SYS package'" info : "As use of the DBMS_AQADM_SYS package could allow an unauthorized user to run SQL commands as user SYS." 
solution : "SQL> Revoke execute on DBMS_AQADM_SYS from PUBLIC;" reference : "Level|1S" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" see_also : "http://www.google.de/#hl=de&safe=off&sclient=psyab&q=DBMS_STREAMS_ADM_UTL&oq=DBMS_STREAMS_ADM_UTL&gs_l=serp.3..0i10i30.38260.38260.0.38463.1.1.0.0.0.0.105.105.0j1.1.0...0.0...1c.2.1-46wqcQeow&pbx=1&bav=on.2,or.r_gc.r_pw.r_cp.r_qf.&fp=2569366ac9a6532d&bpc" sql_request : "SELECT GRANTEE, TABLE_NAME FROM DBA_TAB_PRIVS where TABLE_NAME='DBMS_AQADM_SYS' and GRANTEE ='PUBLIC';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "4.2.8 Non-Default Public Privileges for Packages and Object Types - 'Limiting public user access to the DBMS_STREAMS_RPC package'" info : "As use of the DBMS_STREAMS_RPC package could allow an unauthorized user to run SQL commands as user SYS." solution : "SQL> Revoke execute on DBMS_STREAMS_RPC from PUBLIC;" reference : "Level|1S" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" see_also : "http://www.databasesecurity.com/dbsec/ohh-indirect-privilege-escalation.pdf" sql_request : "SELECT GRANTEE, TABLE_NAME FROM DBA_TAB_PRIVS where TABLE_NAME='DBMS_STREAMS_RPC' and GRANTEE ='PUBLIC';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "4.2.9 Non-Default Public Privileges for Packages and Object Types - 'Limiting public user access to the DBMS_AQADM_SYS package'" info : "As use of the DBMS_AQADM_SYS package could allow an unauthorized user to run SQL commands as user SYS." 
solution : "SQL> Revoke execute on DBMS_AQADM_SYS from PUBLIC;" reference : "Level|1S" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" sql_request : "SELECT GRANTEE, TABLE_NAME FROM DBA_TAB_PRIVS where TABLE_NAME='DBMS_AQADM_SYS' and GRANTEE ='PUBLIC';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "4.2.10 Non-Default Public Privileges for Packages and Object Types - 'Limiting public user access to the DBMS_PRVTAQIM package'" info : "As use of the DBMS_PRVTAQIM package could allow an unauthorized user to run SQL commands as user SYS." solution : "SQL> Revoke execute on DBMS_PRVTAQIM from PUBLIC;" reference : "Level|1S" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" see_also : "http://www.databasesecurity.com/dbsec/ohh-indirect-privilege-escalation.pdf" sql_request : "SELECT GRANTEE, TABLE_NAME FROM DBA_TAB_PRIVS where TABLE_NAME='DBMS_PRVTAQIM' and GRANTEE ='PUBLIC';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "4.2.11 Non-Default Public Privileges for Packages and Object Types - 'Limiting public user access to the LTADM package'" info : "As use of the LTADM package could allow an unauthorized user to run SQL commands as user SYS." 
solution : "SQL> Revoke execute on LTADM from PUBLIC;" reference : "Level|1S" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" see_also : "http://www.databasesecurity.com/dbsec/ohh-indirect-privilege-escalation.pdf" sql_request : "SELECT GRANTEE, TABLE_NAME FROM DBA_TAB_PRIVS where TABLE_NAME='LTADM' and GRANTEE ='PUBLIC';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "4.2.12 Non-Default Public Privileges for Packages and Object Types - 'Limiting public user access to the WWV_DBMS_SQL package'" info : "As use of the WWV_DBMS_SQL package could allow an unauthorized user to run SQL statements as Application Express (APEX) user." solution : "SQL> Revoke execute on WWV_DBMS_SQL from PUBLIC;" reference : "Level|1S" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" see_also : "http://docs.oracle.com/cd/E11882_01/install.112/e12196/trouble.htm#HTMIG267" sql_request : "SELECT GRANTEE, TABLE_NAME FROM DBA_TAB_PRIVS where TABLE_NAME='WWV_DBMS_SQL' and GRANTEE ='PUBLIC';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "4.2.13 Non-Default Public Privileges for Packages and Object Types - 'Limiting public user access to the WWV_EXECUTE_IMMEDIATE package'" info : "As use of the WWV_EXECUTE_IMMEDIATE package could allow an unauthorized user to run SQL statements as Application Express (APEX) user." 
solution : "SQL> Revoke execute on WWV_EXECUTE_IMMEDIATE from PUBLIC;" reference : "Level|1S" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" see_also : "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-1811" see_also : "https://forums.oracle.com/forums/thread.jspa?threadID=953790" sql_request : "SELECT GRANTEE, TABLE_NAME FROM DBA_TAB_PRIVS where TABLE_NAME='WWV_EXECUTE_IMMEDIATE' and GRANTEE ='PUBLIC';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "4.2.14 Non-Default Public Privileges for Packages and Object Types - 'Limiting public user access to the DBMS_IJOB package'" info : "As use of the DBMS_IJOB package could allow an attacker to change identities by using a different username to execute a database job." solution : "SQL> Revoke execute on DBMS_IJOB from PUBLIC;" reference : "Level|1S" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" sql_request : "SELECT GRANTEE, TABLE_NAME FROM DBA_TAB_PRIVS where TABLE_NAME='DBMS_IJOB' and GRANTEE ='PUBLIC';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "4.2.15 Non-Default Public Privileges for Packages and Object Types - 'Limiting public user access to the DBMS_FILE_TRANSFER package'" info : "As use of the DBMS_FILE_TRANSFER package could allow a user to transfer files from one database server to another."
solution : "SQL> Revoke execute on DBMS_FILE_TRANSFER from PUBLIC;" reference : "Level|1S" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" see_also : "http://docs.oracle.com/cd/E11882_01/appdev.112/e25788/d_ftran.htm#ARPLS095" sql_request : "SELECT GRANTEE, TABLE_NAME FROM DBA_TAB_PRIVS where TABLE_NAME='DBMS_FILE_TRANSFER' and GRANTEE ='PUBLIC';" sql_types : POLICY_VARCHAR sql_expect : NULL # 4.3 System Privileges type : SQL_POLICY description : "4.3.1 System Privileges - 'Limiting users by restricting the SELECT ANY DICTIONARY privilege'" info : "The Oracle database SELECT ANY DICTIONARY privilege allows the designated user to access SYS schema objects." info : "The Oracle password hashes are part of the SYS schema and can be selected using SELECT ANY DICTIONARY privileges." solution : "SQL> REVOKE SELECT ANY DICTIONARY FROM <grantee>;" reference : "Level|1S" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" see_also : "http://docs.oracle.com/cd/E11882_01/network.112/e16543/authorization.htm#BABHFJFJ" see_also : "http://docs.oracle.com/cd/E11882_01/server.112/e25513/initparams157.htm#REFRN10133" see_also : "http://arup.blogspot.de/2011/07/difference-between-select-any.html" sql_request : "SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS where PRIVILEGE='SELECT ANY DICTIONARY' AND GRANTEE NOT IN ('DBA','DBSNMP','OEM_MONITOR','OLAPSYS','ORACLE_OCM','SYSMAN','WMSYS');" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "4.3.2 System Privileges - 'Limiting users by restricting the SELECT ANY TABLE privilege'" info : "As assignment of the SELECT ANY TABLE privilege can allow the unauthorized viewing of sensitive data, this capability" info : "should be restricted according to the needs of the organization."
solution : "SQL> REVOKE SELECT ANY TABLE FROM <grantee>;" reference : "Level|1S" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" see_also : "http://docs.oracle.com/cd/E11882_01/server.112/e26088/statements_10002.htm#SQLRF01702" sql_request : "SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS where PRIVILEGE='SELECT ANY TABLE';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "4.3.3 System Privileges - 'Limiting users by restricting the AUDIT SYSTEM privilege'" info : "As assignment of the AUDIT SYSTEM privilege can allow the unauthorized alteration of system audit activities, disabling" info : "the creation of audit trails, this capability should be restricted according to the needs of the organization." solution : "SQL> REVOKE AUDIT SYSTEM FROM <grantee>;" reference : "Level|1S" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" see_also : "http://docs.oracle.com/cd/E11882_01/server.112/e26088/statements_4007.htm#SQLRF01107" sql_request : "SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS where PRIVILEGE='AUDIT SYSTEM' AND GRANTEE NOT IN ('DBA','DATAPUMP_IMP_FULL_DATABASE','IMP_FULL_DATABASE','SYS');" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "4.3.4 System Privileges - 'Limiting users by restricting the EXEMPT ACCESS POLICY privilege'" info : "As assignment of the EXEMPT ACCESS POLICY privilege can allow an unauthorized user to potentially access/change" info : "confidential data, this capability should be restricted according to the needs of the organization."
solution : "SQL> REVOKE EXEMPT ACCESS POLICY FROM <grantee>;" reference : "Level|1S" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" see_also : "http://docs.oracle.com/cd/E11882_01/network.112/e16543/auditing.htm#DBSEG419" see_also : "http://docs.oracle.com/cd/E11882_01/network.112/e16543/vpd.htm#DBSEG309" sql_request : "SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='EXEMPT ACCESS POLICY';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "4.3.5 System Privileges - 'Limiting users by restricting the BECOME USER privilege'" info : "As assignment of the BECOME USER privilege can allow the unauthorized use of another user's privileges, this capability" info : "should be restricted according to the needs of the organization." solution : "SQL> REVOKE BECOME USER FROM <grantee>;" reference : "Level|1S" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" see_also : "http://docs.oracle.com/cd/B19306_01/network.102/b14266/cfgaudit.htm" sql_request : "SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS where PRIVILEGE='BECOME USER' AND GRANTEE NOT IN ('DBA','SYS','IMP_FULL_DATABASE');" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "4.3.6 System Privileges - 'Limiting users by restricting the CREATE PROCEDURE privilege'" info : "As assignment of the CREATE PROCEDURE privilege can lead to severe problems in unauthorized hands, such as rogue procedures" info : "facilitating data theft or Denial-of-Service by corrupting data tables, this capability should be restricted according to the" info : "needs of the organization."
solution : "SQL> REVOKE CREATE PROCEDURE FROM <grantee>;" reference : "Level|1S" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" see_also : "http://docs.oracle.com/cd/E11882_01/server.112/e26088/statements_6009.htm#SQLRF01309" sql_request : "SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS where PRIVILEGE='CREATE PROCEDURE' and GRANTEE NOT IN ('DBA','DBSNMP','MDSYS','OLAPSYS','OWB$CLIENT','OWBSYS','RECOVERY_CATALOG_OWNER','SPATIAL_CSW_ADMIN_USR','SPATIAL_WFS_ADMIN_USR','SYS','APEX_030200','APEX_040000','APEX_040100','APEX_040200');" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "4.3.7 System Privileges - 'Limiting users by restricting the ALTER SYSTEM privilege'" info : "As assignment of the ALTER SYSTEM privilege can lead to severe problems, such as the instance's session being killed" info : "or the stopping of redo log recording, which would make transactions unrecoverable, this capability should be severely" info : "restricted according to the needs of the organization." solution : "SQL> REVOKE ALTER SYSTEM FROM <grantee>;" reference : "Level|1S" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" see_also : "http://docs.oracle.com/cd/E11882_01/server.112/e26088/statements_2014.htm#SQLRF00902" sql_request : "select GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='ALTER SYSTEM' and GRANTEE NOT IN ('SYS','SYSTEM','APEX_030200','APEX_040000','APEX_040100','APEX_040200');" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "4.3.8 System Privileges - 'Limiting users by restricting the CREATE ANY LIBRARY privilege'" info : "As assignment of the CREATE (ANY) LIBRARY privilege can allow the creation of numerous library-associated objects and" info : "potentially corrupt the libraries' integrity, this capability should be restricted according to the needs of the organization."
solution : "SQL> REVOKE CREATE LIBRARY FROM ; OR SQL> REVOKE CREATE ANY LIBRARY FROM ;" reference : "Level|1S" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" see_also : "http://docs.oracle.com/cd/E11882_01/server.112/e26088/statements_6001.htm#SQLRF01301" see_also : "http://docs.oracle.com/cd/E18283_01/server.112/e17120/manproc007.htm" sql_request : "SELECT GRANTEE FROM DBA_SYS_PRIVS where (PRIVILEGE='CREATE LIBRARY' or PRIVILEGE='CREATE ANY LIBRARY') AND GRANTEE NOT IN ('SYS','SYSTEM','DBA');" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "4.3.9 System Privileges - 'Limiting users by restricting the GRANT ANY OBJECT PRIVILEGE privilege'" info : "As authorization to use the GRANT ANY OBJECT PRIVILEGE capability can allow an unauthorized user to potentially access/change" info : "confidential data or damage the data catalog due to potential complete instance access, this capability should be restricted" info : "according to the needs of the organization." 
solution : "SQL> REVOKE GRANT ANY OBJECT PRIVILEGE FROM ; " reference : "Level|1S" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" see_also : "http://docs.oracle.com/cd/E11882_01/network.112/e16543/authorization.htm#DBSEG99914" sql_request : "SELECT GRANTEE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='GRANT ANY OBJECT PRIVILEGE' AND GRANTEE NOT IN ('DBA','SYS','IMP_FULL_DATABASE','DATAPUMP_IMP_FULL_DATABASE');" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "4.3.10 System Privileges - 'Limiting users by restricting the GRANT ANY ROLE privilege'" info : "As authorization to use the GRANT ANY ROLE capability can allow an unauthorized user to potentially access/change" info : "confidential data or damage the data catalog due to potential complete instance access, this capability should be restricted" info : "according to the needs of the organization." solution : "SQL> REVOKE GRANT ANY ROLE FROM ;" reference : "Level|1S" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" see_also : "http://docs.oracle.com/cd/E11882_01/network.112/e16543/authorization.htm#DBSEG99903" sql_request : "SELECT GRANTEE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='GRANT ANY ROLE' AND GRANTEE NOT IN ('DBA','SYS','DATAPUMP_IMP_FULL_DATABASE','IMP_FULL_DATABASE','SPATIAL_WFS_ADMIN_USR','SPATIAL_CSW_ADMIN_USR');" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "4.3.11 System Privileges - 'Limiting users by restricting the GRANT ANY PRIVILEGE privilege'" info : "As authorization to use the GRANT ANY PRIVILEGE capability can allow an unauthorized user to potentially access/change" info : "confidential data or damage the data catalog due to potential complete instance access, this capability should be restricted" info : "according to the needs of the organization." 
solution : "SQL> REVOKE GRANT ANY PRIVILEGE FROM ; " reference : "Level|1S" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" see_also : "http://docs.oracle.com/cd/E11882_01/network.112/e16543/authorization.htm#DBSEG99876" sql_request : "SELECT GRANTEE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='GRANT ANY PRIVILEGE' AND GRANTEE NOT IN ('DBA','SYS','IMP_FULL_DATABASE','DATAPUMP_IMP_FULL_DATABASE');" sql_types : POLICY_VARCHAR sql_expect : NULL # 4.5 Table and View privileges type : SQL_POLICY description : "4.5.1 Table and View privileges - 'Limiting authorizations for the SYS.AUD$ table'" info : "As permitting non-privileged users the authorization to manipulate the SYS.AUD$ table can allow distortion of the audit records, hiding" info : "unauthorized activities, this capability should be restricted according to the needs of the organization." solution : "SQL> REVOKE ALL ON AUD$ FROM ;" reference : "Level|1S" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" see_also : "http://docs.oracle.com/cd/E11882_01/network.112/e16543/auditing.htm#CEGDGIAF" sql_request : "SELECT GRANTEE, PRIVILEGE FROM DBA_TAB_PRIVS WHERE TABLE_NAME='AUD$' and grantee not in ('DELETE_CATALOG_ROLE');" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "4.5.2 Table and View privileges - 'Limiting authorizations for the SYS.USER_HISTORY$ table'" info : "As permitting non-privileged users the authorization to manipulate the records in the SYS.USER_HISTORY$ table can allow distortion of" info : "the audit trail, potentially hiding unauthorized data confidentiality attacks or integrity changes, this capability should be" info : "restricted according to the needs of the organization." 
solution : "SQL> REVOKE ALL ON USER_HISTORY$ FROM ;" reference : "Level|1S" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" see_also : "http://marcel.vandewaters.nl/oracle/database-oracle/password-history-reusing-a-password" sql_request : "SELECT GRANTEE, PRIVILEGE FROM DBA_TAB_PRIVS WHERE TABLE_NAME='USER_HISTORY$';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "4.5.3 Table and View privileges - 'Limiting authorizations for the SYS.LINK$ table'" info : "As permitting non-privileged users to manipulate or view the SYS.LINK$ table can allow capture of password information and/or" info : "corrupt the primary database linkages, this capability should be restricted according to the needs of the organization." solution : "SQL> REVOKE ALL ON LINK$ FROM ;" reference : "Level|1S" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" sql_request : "SELECT GRANTEE, PRIVILEGE FROM DBA_TAB_PRIVS WHERE TABLE_NAME='LINK$';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "4.5.4 Table and View privileges - 'Limiting authorizations for the SYS.USER$ table'" info : "As permitting non-privileged users the authorization to open the SYS.USER$ table can allow the capture of password hashes for" info : "the later application of password cracking algorithms to breach confidentiality, this capability should be restricted according" info : "to the needs of the organization." 
solution : "SQL> REVOKE ALL ON SYS.USER$ FROM ;" reference : "Level|1S" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" see_also : "http://dba.stackexchange.com/questions/17513/what-do-the-columns-in-sysuser-represent" sql_request : "SELECT GRANTEE, PRIVILEGE FROM DBA_TAB_PRIVS WHERE TABLE_NAME='USER$' and grantee not in ('CTXSYS','XDB','APEX_030200', 'APEX_040000','APEX_040100','APEX_040200');" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "4.5.5 Table and View privileges - 'Limiting authorizations for the DBA_% views'" info : "As permitting users the authorization to manipulate the DBA_ views can expose sensitive data." solution : "Replace the placeholders with the DBA_ view name and the Oracle login(s) or role(s) returned from the associated audit procedure, then execute: SQL> REVOKE ALL ON DBA_ FROM ;" reference : "Level|1S" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" see_also : "http://docs.oracle.com/cd/E11882_01/server.112/e25789/datadict.htm#autoId2" sql_request : "SELECT GRANTEE FROM dba_tab_privs WHERE TABLE_NAME LIKE 'DBA_%' and grantee not in ('APEX_030200','APPQOSSYS','AQ_ADMINISTRATOR_ROLE','CTXSYS','EXFSYS','MDSYS','OLAP_XS_ADMIN','OLAPSYS','ORDSYS','OWB$CLIENT','OWBSYS','SELECT_CATALOG_ROLE','WM_ADMIN_ROLE','WMSYS','XDBADMIN') and table_name not in ('DBA_SDO_MAPS','DBA_SDO_STYLES','DBA_SDO_THEMES','LBACSYS','ADM_PARALLEL_EXECUTE_TASK');" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "4.5.6 Table and View privileges - 'Limiting authorizations for the SCHEDULER$_CREDENTIAL table'" info : "As permitting non-privileged users the authorization to open the SYS.SCHEDULER$_CREDENTIAL table can expose the scheduler credentials it stores, this capability should be restricted according to the needs of the organization." 
solution : "SQL> REVOKE ALL ON SYS.SCHEDULER$_CREDENTIAL FROM ;" reference : "Level|1S" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" see_also : "http://docs.oracle.com/cd/E11882_01/appdev.112/e25788/d_sched.htm#ARPLS72292" see_also : "http://berxblog.blogspot.de/2012/02/restore-dbmsschedulercreatecredential.html" sql_request : "SELECT GRANTEE, PRIVILEGE FROM DBA_TAB_PRIVS WHERE TABLE_NAME='SCHEDULER$_CREDENTIAL';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "4.5.7 Table and View privileges - 'Drop table sys.user$mig'" info : "The table sys.user$mig is not deleted after the migration. An attacker could access the table containing the Oracle password hashes." solution : "SQL> drop table sys.user$mig;" reference : "Level|1S" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" sql_request : "select owner,table_name from all_tables where owner='SYS' and table_name='USER$MIG';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "4.6 Table and View privileges - 'Limiting basic user privileges to restrict the ANY keyword'" info : "As authorization to use the ANY expansion of a privilege can allow an unauthorized user to potentially change confidential data" info : "or damage the data catalog, this capability should be restricted according to the needs of the organization." 
solution : "SQL> REVOKE ALL ON '' FROM ;" reference : "Level|1S" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" see_also : "http://docs.oracle.com/cd/E11882_01/network.112/e16543/authorization.htm#DBSEG99877" sql_request : "SELECT * FROM DBA_SYS_PRIVS WHERE PRIVILEGE LIKE '%ANY%' AND GRANTEE NOT IN ('AQ_ADMINISTRATOR_ROLE','DBA','DBSNMP','EXFSYS','EXP_FULL_DATABASE','IMP_FULL_DATABASE','DATAPUMP_IMP_FULL_DATABASE','JAVADEBUGPRIV','MDSYS','OEM_MONITOR','OLAPSYS','OLAP_DBA','ORACLE_OCM','OWB$CLIENT','OWBSYS','SCHEDULER_ADMIN','SPATIAL_CSW_ADMIN_USR','SPATIAL_WFS_ADMIN_USR','SYS','SYSMAN','SYSTEM','WMSYS','APEX_030200','APEX_040000','APEX_040100','APEX_040200','LBACSYS');" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "4.7 Table and View privileges - 'Limiting users by restricting the WITH_ADMIN privilege'" info : "As assignment of the WITH_ADMIN privilege can allow the granting of a restricted privilege to an unauthorized user, this capability" info : "should be restricted according to the needs of the organization." solution : "SQL> REVOKE FROM ;" reference : "Level|1S" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" sql_request : "SELECT GRANTEE FROM DBA_SYS_PRIVS WHERE ADMIN_OPTION='YES' and GRANTEE not in ('AQ_ADMINISTRATOR_ROLE','DBA','OWBSYS', 'SCHEDULER_ADMIN','SYS','SYSTEM','WMSYS');" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "4.8 Table and View privileges - 'Limit direct privileges for proxy user'" info : "A proxy user should only have the ability to connect to the database." 
solution : "SQL> revoke privilege from ;" reference : "Level|1S" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" sql_request : "select grantee from dba_role_privs where grantee in (select proxy from dba_proxies) and granted_role not in ('CONNECT');" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "4.8 Table and View privileges - 'Limit direct privileges for proxy user'" info : "A proxy user should only have the ability to connect to the database." solution : "SQL> revoke privilege from ;" reference : "Level|1S" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" sql_request : "select grantee from dba_sys_privs where grantee in (select proxy from dba_proxies) and privilege not in ('CREATE SESSION');" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "4.8 Table and View privileges - 'Limit direct privileges for proxy user'" info : "A proxy user should only have the ability to connect to the database." solution : "SQL> revoke privilege from ;" reference : "Level|1S" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" sql_request : "select grantee from dba_tab_privs where grantee in (select proxy from dba_proxies);" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "4.9 Table and View privileges - 'Revoke execute any procedure from user OUTLN'" info : "Migrated OUTLN users have more privileges than required." 
solution : "SQL> revoke EXECUTE ANY PROCEDURE from OUTLN;" reference : "Level|1S" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" sql_request : "SELECT * FROM DBA_SYS_PRIVS where privilege='EXECUTE ANY PROCEDURE' and grantee='OUTLN';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "4.10 Table and View privileges - 'Revoke execute any procedure from user DBSNMP'" info : "Migrated DBSNMP users have more privileges than required." solution : "SQL> revoke EXECUTE ANY PROCEDURE from DBSNMP;" reference : "Level|1S" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" sql_request : "SELECT grantee FROM DBA_SYS_PRIVS where privilege='EXECUTE ANY PROCEDURE' and grantee='DBSNMP';" sql_types : POLICY_VARCHAR sql_expect : NULL ## 5 Audit/Logging Policies and Procedures type : SQL_POLICY description : "5.1 Audit/Logging Policies and Procedures - 'Audit all CREATE SESSION (logon/logoff) activities'" info : "As the logging of user connections to the database via logon/logoff activity can provide forensic evidence of the" info : "initiation of a pattern of unauthorized activities, this capability should be set according to the needs of the" info : "organization." 
solution : "SQL> AUDIT CREATE SESSION;" reference : "Level|1S,PCI|10.2" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" sql_request : "SELECT USER_NAME, SUCCESS, FAILURE FROM DBA_PRIV_AUDIT_OPTS WHERE PRIVILEGE='CREATE SESSION';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "5.2 Audit/Logging Policies and Procedures - 'Audit all CREATE USER object activities/requests'" info : "As the logging of user activities involving the creation, alteration, or dropping of a USER can provide forensic evidence" info : "about a pattern of suspect/unauthorized activities, the audit capability should be set according to the needs of" info : "the organization." solution : "SQL> AUDIT CREATE USER;" reference : "Level|1S,PCI|10.2" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" sql_request : "select USER_NAME, SUCCESS, FAILURE from DBA_STMT_AUDIT_OPTS where AUDIT_OPTION in ('CREATE USER','USER');" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "5.3 Audit/Logging Policies and Procedures - 'Audit all ALTER USER object activities/requests'" info : "As the logging of user activities involving the creation, alteration, or dropping of a USER can provide forensic evidence" info : "about a pattern of suspect/unauthorized activities, the audit capability should be set according to the needs of" info : "the organization." 
solution : "SQL> AUDIT ALTER USER;" reference : "Level|1S,PCI|10.2" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" sql_request : "select USER_NAME, SUCCESS, FAILURE from DBA_STMT_AUDIT_OPTS where AUDIT_OPTION in ('ALTER USER', 'USER');" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "5.4 Audit/Logging Policies and Procedures - 'Audit all DROP USER object activities/requests'" info : "As the logging of user activities involving the creation, alteration, or dropping of a USER can provide forensic evidence" info : "about a pattern of suspect/unauthorized activities, the audit capability should be set according to the needs of" info : "the organization." solution : "SQL> AUDIT DROP USER;" reference : "Level|1S,PCI|10.2" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" sql_request : "select USER_NAME, SUCCESS, FAILURE from DBA_STMT_AUDIT_OPTS where AUDIT_OPTION in ('DROP USER','USER');" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "5.5 Audit/Logging Policies and Procedures - 'Audit all user ROLE activities/requests'" info : "As the logging of user activities involving the creation, alteration, or dropping of a ROLE can provide forensic evidence" info : "about a pattern of suspect/unauthorized activities, the audit capability should be set according to the needs of" info : "the organization." 
solution : "SQL> AUDIT ROLE;" reference : "Level|1S,PCI|10.2" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" sql_request : "select USER_NAME, SUCCESS, FAILURE from DBA_STMT_AUDIT_OPTS where AUDIT_OPTION in ('ROLE');" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "5.6 Audit/Logging Policies and Procedures - 'Audit all user GRANT ROLE activities/requests'" info : "As the logging of all grant and revokes (roles and system privileges) can provide forensic evidence about a pattern of" info : "suspect/unauthorized activities, the audit capability should be set according to the needs of the organization." solution : "SQL> AUDIT SYSTEM GRANT;" reference : "Level|1S,PCI|10.2" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" sql_request : "select USER_NAME, SUCCESS, FAILURE from DBA_STMT_AUDIT_OPTS where AUDIT_OPTION='SYSTEM GRANT';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "5.7 Audit/Logging Policies and Procedures - 'Audit all user CREATE PROFILE activities/requests'" info : "As the logging of user activities involving the creation, alteration, or dropping of a PROFILE can provide forensic" info : "evidence about a pattern of unauthorized activities, the audit capability should be set according to the needs of" info : "the organization." 
solution : "SQL> AUDIT CREATE PROFILE;" reference : "Level|1S,PCI|10.2" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" sql_request : "select USER_NAME, SUCCESS, FAILURE from DBA_STMT_AUDIT_OPTS where AUDIT_OPTION in ('CREATE PROFILE','PROFILE');" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "5.8 Audit/Logging Policies and Procedures - 'Audit all user ALTER PROFILE activities/requests'" info : "As the logging of user activities involving the creation, alteration, or dropping of a PROFILE can provide forensic" info : "evidence about a pattern of unauthorized activities, the audit capability should be set according to the needs of" info : "the organization." solution : "SQL> AUDIT ALTER PROFILE;" reference : "Level|1S,PCI|10.2" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" sql_request : "select USER_NAME, SUCCESS, FAILURE from DBA_STMT_AUDIT_OPTS where AUDIT_OPTION in ('ALTER PROFILE','PROFILE');" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "5.9 Audit/Logging Policies and Procedures - 'Audit all user DROP PROFILE activities/requests'" info : "As the logging of user activities involving the creation, alteration, or dropping of a PROFILE can provide forensic" info : "evidence about a pattern of unauthorized activities, the audit capability should be set according to the needs of" info : "the organization." 
solution : "SQL> AUDIT DROP PROFILE;" reference : "Level|1S,PCI|10.2" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" sql_request : "select USER_NAME, SUCCESS, FAILURE from DBA_STMT_AUDIT_OPTS where AUDIT_OPTION in ('DROP PROFILE','PROFILE');" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "5.10 Audit/Logging Policies and Procedures - 'Audit all DATABASE LINK activities/requests'" info : "As the logging of user activities involving the creation or dropping of a DATABASE LINK can provide forensic evidence about" info : "a pattern of unauthorized activities, the audit capability should be set according to the needs of the organization." solution : "SQL> AUDIT DATABASE LINK;" reference : "Level|1S,PCI|10.2" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" sql_request : "select * from dba_stmt_audit_opts where audit_option='DATABASE LINK';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "5.11 Audit/Logging Policies and Procedures - 'Audit all PUBLIC DATABASE LINK activities/requests'" info : "As the logging of user activities involving the creation, alteration, or dropping of a PUBLIC DATABASE LINK can provide" info : "forensic evidence about a pattern of unauthorized activities, the audit capability should be set according to the needs" info : "of the organization." 
solution : "SQL> audit public database link;" reference : "Level|1S,PCI|10.2" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" sql_request : "select * from dba_stmt_audit_opts where audit_option='PUBLIC DATABASE LINK';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "5.12 Audit/Logging Policies and Procedures - 'Audit all PUBLIC SYNONYM activities/requests'" info : "As the logging of user activities involving the creation, alteration, or dropping of a PUBLIC SYNONYM can provide" info : "forensic evidence about a pattern of unauthorized activities, the audit capability should be set according to the needs" info : "of the organization." solution : "SQL> AUDIT PUBLIC SYNONYM;" reference : "Level|1S,PCI|10.2" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" sql_request : "select * from dba_stmt_audit_opts where audit_option='PUBLIC SYNONYM';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "5.13 Audit/Logging Policies and Procedures - 'Audit all user SYNONYM activities/requests'" info : "As the logging of user activities involving the creation or dropping of a SYNONYM can provide forensic evidence about" info : "a pattern of suspect/unauthorized activities, the audit capability should be set according to the needs of the organization." 
solution : "SQL> AUDIT SYNONYM;" reference : "Level|1S,PCI|10.2" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" see_also : "http://docs.oracle.com/cd/E11882_01/server.112/e26088/statements_4007.htm#SQLRF01107" sql_request : "select * from dba_stmt_audit_opts where audit_option='SYNONYM';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "5.14 Audit/Logging Policies and Procedures - 'Audit all grants and revokes of privileges on directories'" info : "As the logging of user activities involving the creation or dropping of a DIRECTORY can provide forensic evidence about a" info : "pattern of unauthorized activities, the audit capability should be set according to the needs of the organization." solution : "SQL> AUDIT GRANT DIRECTORY;" reference : "Level|1S,PCI|10.2" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" see_also : "http://docs.oracle.com/cd/E11882_01/server.112/e26088/statements_4007.htm#SQLRF01107" sql_request : "select * from dba_stmt_audit_opts where audit_option='GRANT DIRECTORY';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "5.15 Audit/Logging Policies and Procedures - 'Audit all SELECT ANY DICTIONARY activities/requests'" info : "As the logging of user activities involving the capability to access the description of all schema objects in the database" info : "can provide forensic evidence about a pattern of unauthorized activities, the audit capability should be set according to" info : "the needs of the organization." 
solution : "SQL> AUDIT SELECT ANY DICTIONARY;" reference : "Level|1S,PCI|10.2" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" see_also : "http://docs.oracle.com/cd/E11882_01/server.112/e26088/statements_4007.htm#SQLRF01107" sql_request : "SELECT * FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='SELECT ANY DICTIONARY';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "5.16 Audit/Logging Policies and Procedures - 'Audit all user GRANT ANY OBJECT PRIVILEGE activities/requests'" info : "As the logging of privilege grants that can lead to the creation, alteration, or dropping of tables, users and other critical" info : "system components is critical to forensic investigations, this audit capability should be set according to the needs of" info : "the organization." solution : "SQL> AUDIT GRANT ANY OBJECT PRIVILEGE;" reference : "Level|1S,PCI|10.2" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" see_also : "http://docs.oracle.com/cd/E11882_01/server.112/e26088/statements_4007.htm#SQLRF01107" sql_request : "select * from DBA_PRIV_AUDIT_OPTS where privilege='GRANT ANY OBJECT PRIVILEGE';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "5.17 Audit/Logging Policies and Procedures - 'Audit all user GRANT ANY PRIVILEGE activities/requests'" info : "As the logging of privilege grants that can lead to the creation, alteration, or dropping of tables, users and other critical" info : "system components is critical to forensic investigations, this audit capability should be set according to the needs of the organization." 
solution : "SQL> AUDIT GRANT ANY PRIVILEGE;" reference : "Level|1S,PCI|10.2" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" see_also : "http://docs.oracle.com/cd/E11882_01/server.112/e26088/statements_4007.htm#SQLRF01107" sql_request : "select * from DBA_PRIV_AUDIT_OPTS where privilege='GRANT ANY PRIVILEGE';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "5.18 Audit/Logging Policies and Procedures - 'Audit all user CREATE PROCEDURE activities/requests'" info : "As the logging of user activities involving the creation, alteration, or dropping of a PROCEDURE and its related activities" info : "can provide forensic evidence about a pattern of unauthorized activities, this audit capability should be set according to" info : "the needs of the organization." solution : "SQL> AUDIT CREATE PROCEDURE;" reference : "Level|1S,PCI|10.2" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" sql_request : "SELECT USER_NAME, SUCCESS, FAILURE FROM DBA_PRIV_AUDIT_OPTS WHERE PRIVILEGE='CREATE PROCEDURE';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "5.19 Audit/Logging Policies and Procedures - 'Audit all user CREATE ANY PROCEDURE activities/requests'" info : "As the logging of user activities involving the creation, alteration, or dropping of a PROCEDURE and its related activities" info : "can provide forensic evidence about a pattern of unauthorized activities, this audit capability should be set according to" info : "the needs of the organization." 
solution : "SQL> AUDIT CREATE ANY PROCEDURE;" reference : "Level|1S,PCI|10.2" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" sql_request : "select * from dba_stmt_audit_opts where audit_option = 'CREATE ANY PROCEDURE';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "5.20 Audit/Logging Policies and Procedures - 'Audit all user ALTER ANY PROCEDURE activities/requests'" info : "As the logging of user activities involving the creation, alteration, or dropping of a PROCEDURE and its related activities" info : "can provide forensic evidence about a pattern of unauthorized activities, this audit capability should be set according to" info : "the needs of the organization." solution : "SQL> AUDIT ALTER ANY PROCEDURE;" reference : "Level|1S,PCI|10.2" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" sql_request : "select * from dba_stmt_audit_opts where audit_option = 'ALTER ANY PROCEDURE';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "5.21 Audit/Logging Policies and Procedures - 'Audit all user DROP ANY PROCEDURE activities/requests'" info : "Dropping procedures of another user could be part of a privilege escalation exploit and should be audited." solution : "SQL> AUDIT DROP ANY PROCEDURE;" reference : "Level|1S,PCI|10.2" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" sql_request : "select * from dba_stmt_audit_opts where audit_option = 'DROP ANY PROCEDURE';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "5.22 Audit/Logging Policies and Procedures - 'Audit all user CREATE ANY LIBRARY activities/requests'" info : "Creating libraries in another user's schema could be part of a privilege escalation exploit and should be audited." 
solution : "SQL> AUDIT CREATE ANY LIBRARY;" reference : "Level|1S,PCI|10.2" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" sql_request : "select * from dba_stmt_audit_opts where audit_option='PROCEDURE' or audit_option= 'CREATE ANY LIBRARY' or audit_option = 'CREATE LIBRARY';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "5.23 Audit/Logging Policies and Procedures - 'Audit all user DROP ANY LIBRARY activities/requests'" info : "As the logging of user activities involving the creation, alteration, or dropping of a PROCEDURE and its related activities" info : "can provide forensic evidence about a pattern of unauthorized activities, this audit capability should be set according to" info : "the needs of the organization." solution : "SQL> AUDIT DROP ANY LIBRARY;" reference : "Level|1S,PCI|10.2" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" sql_request : "SELECT USER_NAME, SUCCESS, FAILURE FROM DBA_PRIV_AUDIT_OPTS WHERE PRIVILEGE='DROP ANY LIBRARY';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "5.23 Audit/Logging Policies and Procedures - 'Audit all user DROP ANY LIBRARY activities/requests'" info : "As the logging of user activities involving the creation, alteration, or dropping of a PROCEDURE and its related activities" info : "can provide forensic evidence about a pattern of unauthorized activities, this audit capability should be set according to" info : "the needs of the organization." 
reference : "Level|1S,PCI|10.2" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" sql_request : "SELECT USER_NAME, SUCCESS, FAILURE FROM DBA_PRIV_AUDIT_OPTS WHERE PRIVILEGE='DROP ANY LIBRARY';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "5.24 Audit/Logging Policies and Procedures - 'Audit all user CREATE ANY TRIGGER activities/requests'" info : "Triggers in other schemas can be used to escalate privileges." solution : "SQL> AUDIT CREATE ANY TRIGGER;" reference : "Level|1S,PCI|10.2" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" sql_request : "SELECT USER_NAME, SUCCESS, FAILURE FROM DBA_PRIV_AUDIT_OPTS WHERE PRIVILEGE='CREATE ANY TRIGGER';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "5.25 Audit/Logging Policies and Procedures - 'Audit all user ALTER ANY TRIGGER activities/requests'" info : "Triggers in other schemas can be used to escalate privileges." solution : "SQL> AUDIT ALTER ANY TRIGGER;" reference : "Level|1S,PCI|10.2" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" sql_request : "SELECT USER_NAME, SUCCESS, FAILURE FROM DBA_PRIV_AUDIT_OPTS WHERE PRIVILEGE='ALTER ANY TRIGGER';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "5.26 Audit/Logging Policies and Procedures - 'Audit all user DROP ANY TRIGGER activities/requests'" info : "Dropping triggers in other schemas can be used to remove restrictions on a schema or an object."
solution : "SQL> AUDIT DROP ANY TRIGGER BY ACCESS;" reference : "Level|1S,PCI|10.2" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" sql_request : "SELECT USER_NAME, SUCCESS, FAILURE FROM DBA_PRIV_AUDIT_OPTS WHERE PRIVILEGE='DROP ANY TRIGGER';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "5.27 Audit/Logging Policies and Procedures - 'Set AUDIT ALL ON SYS.AUD$ activities'" info : "As the logging of attempts to alter the SYS.AUD$ table can provide forensic evidence of the initiation of a pattern of" info : "unauthorized activities, this logging capability should be set according to the needs of the organization." solution : "SQL> AUDIT ALL on SYS.AUD$;" reference : "Level|1S,PCI|10.2" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" sql_request : "SELECT * from DBA_OBJ_AUDIT_OPTS where OBJECT_NAME='AUD$';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "5.28 Audit/Logging Policies and Procedures - 'Audit all user ALTER SYSTEM activities/requests'" info : "ALTER SYSTEM allows one to change instance settings, including security settings and auditing options. Additionally, ALTER" info : "SYSTEM can be used to run operating system commands using undocumented Oracle functionality." solution : "SQL> AUDIT ALTER SYSTEM;" reference : "Level|1S,PCI|10.2" see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf" sql_request : "SELECT USER_NAME, SUCCESS, FAILURE FROM DBA_PRIV_AUDIT_OPTS WHERE PRIVILEGE='ALTER SYSTEM'; " sql_types : POLICY_VARCHAR sql_expect : NULL
