# (C) 2015 Tenable Network Security, Inc.
#
# This script is released under the Tenable Subscription License and
# may not be used from within scripts released under another license
# without authorization from Tenable Network Security, Inc.
#
# See the following licenses for details:
#
# http://static.tenable.com/prod_docs/Nessus_6_SLA_and_Subscription_Agreement.pdf
#
# @PROFESSIONALFEED@
# $Revision: 1.0 $
# $Date: Tue Nov 17 16:49:50 2015 -0500 $
#
# Description:
#
# This document consists of a list of Oracle Database 12c security settings as suggested by
# the CIS Oracle Database 12c Benchmark v1.1.0.
#
# Tenable has made a best effort to map the settings specified in the standard to a proprietary
# .audit format that will be used by the Database compliance module to perform the audit.
#
# See Also :
# https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf
#
#<ui_metadata>
#<display_name>CIS Oracle Server 12c DB v1.1.0</display_name>
#<spec>
#  <type>CIS</type>
#  <name>Oracle Server 12c DB</name>
#  <version>1.1.0</version>
#  <link>https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf</link>
#</spec>
#<labels>database,cis,oracle,oracle_12c</labels>
#</ui_metadata>

<check_type:"Database" db_type:"Oracle" version:"1">
<group_policy: "CIS Oracle Database 12c v1.1.0 - Database - Level 1">

## 1 Oracle Database Installation and Patching Requirements

<custom_item>
 type           : SQL_POLICY
 description    : "1.2 Ensure All Default Passwords Are Changed"
 info           : "The Oracle installation has a view called DBA_USERS_WITH_DEFPWD, which keeps a list of all database users making use of default passwords."
 solution       : "To remediate this recommendation, you may perform either of the following actions.
- Manually issue the following SQL statement for each USERNAME returned in the Audit Procedure:
PASSWORD <username>

- Execute the following SQL script to randomly assign passwords:
begin for r_user in (select username from dba_users_with_defpwd where username not like '%XS$NULL%') loop DBMS_OUTPUT.PUT_LINE('Password for user '||r_user.username||' will be changed.'); execute immediate 'alter user ''||r_user.username||'' identified by ''||DBMS_RANDOM.string('a',16)||''account lock password expire'; end loop; end;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.1,PCI-DSS-3.1|2.1,HIPAA|164.312(a)(2)(i),800-53|AC-2,SANS-CSC|12-4,CSF|PR.AC-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT USERNAME FROM DBA_USERS_WITH_DEFPWD WHERE USERNAME NOT LIKE '%XS$NULL%';"
 sql_types      : POLICY_VARCHAR
 sql_expect     : NULL
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "1.3 Ensure All Sample Data And Users Have Been Removed"
 info           : "Oracle sample schemas are not needed for the operation of the database. These include, among others, information pertaining to a sample schemas pertaining to Human Resources, Business Intelligence, Order Entry, and the like. These samples create sample users (BI,HR,OE,PM,IX,SH, SCOTT), in addition to tables and fictitious data."
 solution       : "To remediate this setting, it is recommended that you execute the following SQL script.
$ORACLE_HOME/demo/schema/drop_sch.sql

Then, execute the following SQL statement.
DROP USER SCOTT CASCADE;

NOTE: The recyclebin is not set to OFF within the default drop script, which means that the data will still be present in your environment until the recyclebin is emptied."
 reference      : "LEVEL|1S,PCI-DSS-3.0|6.3.1,PCI-DSS-3.0|6.4.4,PCI-DSS-3.1|6.3.1,PCI-DSS-3.1|6.4.4,HIPAA|164.308(a)(4)(ii)(B),800-53|CM-7,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT USERNAME FROM ALL_USERS WHERE USERNAME IN ('BI','HR','IX','OE','PM','SCOTT','SH');"
 sql_types      : POLICY_VARCHAR
 sql_expect     : NULL
</custom_item>

## 2 Oracle Parameter Settings

### 2.1 Listener Settings

### 2.2 Database settings

<custom_item>
 type           : SQL_POLICY
 description    : "2.2.1 Ensure 'AUDIT_SYS_OPERATIONS' Is Set to 'TRUE'"
 info           : "The AUDIT_SYS_OPERATIONS setting provides for the auditing of all user activities conducted under the SYSOPER and SYSDBA accounts."
 solution       : "To remediate this setting execute the following SQL statement.
ALTER SYSTEM SET AUDIT_SYS_OPERATIONS = TRUE SCOPE=SPFILE;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|10.1,PCI-DSS-3.1|10.1,HIPAA|164.312(b),800-53|AU-2,SANS-CSC|14-2,CSF|PR.PT-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME) = 'AUDIT_SYS_OPERATIONS';"
 sql_types      : POLICY_VARCHAR
 sql_expect     : "TRUE"
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "2.2.2 Ensure 'AUDIT_TRAIL' Is Set to 'OS', 'DB,EXTENDED', or 'XML,EXTENDED'"
 info           : "The audit_trail setting determines whether or not Oracle's basic audit features are enabled. These can be set to 'Operating System'(OS), 'DB,', 'DB,EXTENDED', 'XML' or 'XML,EXTENDED'."
 solution       : "To remediate this setting execute one of the following SQL statements.
ALTER SYSTEM SET AUDIT_TRAIL = 'DB,EXTENDED' SCOPE = SPFILE;
ALTER SYSTEM SET AUDIT_TRAIL = 'OS' SCOPE = SPFILE;
ALTER SYSTEM SET AUDIT_TRAIL = 'XML,EXTENDED' SCOPE = SPFILE;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|10.1,PCI-DSS-3.1|10.1,HIPAA|164.312(b),800-53|AU-2,SANS-CSC|14-2,CSF|PR.PT-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='AUDIT_TRAIL';"
 sql_types      : POLICY_VARCHAR
 sql_expect     : "(OS|DB,EXTENDED|XML,EXTENDED)"
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "2.2.3 Ensure 'GLOBAL_NAMES' Is Set to 'TRUE'"
 info           : "The global_names setting requires that the name of a database link matches that of the remote database it will connect to."
 solution       : "To remediate this setting execute the following SQL statement.
ALTER SYSTEM SET GLOBAL_NAMES = TRUE SCOPE = SPFILE;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.4,PCI-DSS-3.1|2.2.4,HIPAA|164.312(c)(1),800-53|CM-2,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='GLOBAL_NAMES';"
 sql_types      : POLICY_VARCHAR
 sql_expect     : "TRUE"
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "2.2.4 Ensure 'LOCAL_LISTENER' Is Set Appropriately"
 info           : "The local_listener setting specifies a network name that resolves to an address of the Oracle TNS listener."
 solution       : "To remediate this setting execute the following SQL statement.
ALTER SYSTEM SET LOCAL_LISTENER='[description]' SCOPE = BOTH;

Replace [description] with the appropriate description from your listener.ora file, where that description sets the PROTOCOL parameter to IPC. For example:
ALTER SYSTEM SET LOCAL_LISTENER='(DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=REGISTER)))' SCOPE=BOTH;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.2,PCI-DSS-3.1|2.2.2,HIPAA|164.308(a)(1)(i)(ii)(B),800-53|CM-2,800-53|CM-6,800-53|CM-7,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='LOCAL_LISTENER';"
 sql_types      : POLICY_VARCHAR
 sql_expect     : NULL
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "2.2.5 Ensure 'O7_DICTIONARY_ACCESSIBILITY' Is Set to 'FALSE'"
 info           : "The O7_dictionary_accessibility setting is a database initializations parameter that allows/disallows with the EXECUTE ANY PROCEDURE and SELECT ANY DICTIONARY access to objects in the SYS schema; this functionality was created for the ease of migration from Oracle 7 databases to later versions."
 solution       : "To remediate this setting execute the following SQL statement.
ALTER SYSTEM SET O7_DICTIONARY_ACCESSIBILITY=FALSE SCOPE = SPFILE;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.4,PCI-DSS-3.1|2.2.4,HIPAA|164.312(c)(1),800-53|CM-2,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='O7_DICTIONARY_ACCESSIBILITY';"
 sql_types      : POLICY_VARCHAR
 sql_expect     : "FALSE"
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "2.2.6 Ensure 'OS_ROLES' Is Set to 'FALSE'"
 info           : "The os_roles setting permits externally created groups to be applied to database management."
 solution       : "To remediate this setting execute the following SQL statement.
ALTER SYSTEM SET OS_ROLES = FALSE SCOPE = SPFILE;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.4,PCI-DSS-3.1|2.2.4,HIPAA|164.312(c)(1),800-53|CM-2,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='OS_ROLES';"
 sql_types      : POLICY_VARCHAR
 sql_expect     : "FALSE"
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "2.2.7 Ensure 'REMOTE_LISTENER' Is Empty"
 info           : "The remote_listener setting determines whether or not a valid listener can be established on a system separate from the database instance."
 solution       : "To remediate this setting execute the following SQL statement.
ALTER SYSTEM SET REMOTE_LISTENER = '' SCOPE = SPFILE;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.2,PCI-DSS-3.1|2.2.2,HIPAA|164.308(a)(1)(i)(ii)(B),800-53|CM-2,800-53|CM-6,800-53|CM-7,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='REMOTE_LISTENER';"
 sql_types      : POLICY_VARCHAR
 sql_expect     : NULL
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "2.2.8 Ensure 'REMOTE_LOGIN_PASSWORDFILE' Is Set to 'NONE'"
 info           : "The remote_login_passwordfile setting specifies whether or not Oracle checks for a passwd-file during login and how many databases can use the passwd-file."
 solution       : "To remediate this setting execute the following SQL statement.
ALTER SYSTEM SET REMOTE_LOGIN_PASSWORDFILE = 'NONE' SCOPE = SPFILE;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.4,PCI-DSS-3.1|2.2.4,HIPAA|164.312(c)(1),800-53|CM-2,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='REMOTE_LOGIN_PASSWORDFILE';"
 sql_types      : POLICY_VARCHAR
 sql_expect     : "NONE"
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "2.2.9 Ensure 'REMOTE_OS_AUTHENT' Is Set to 'FALSE'"
 info           : "The remote_os_authent setting determines whether or not OS 'roles' with the attendant privileges are allowed for remote client connections."
 solution       : "To remediate this setting execute the following SQL statement.
ALTER SYSTEM SET REMOTE_OS_AUTHENT = FALSE SCOPE = SPFILE;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.2,PCI-DSS-3.1|2.2.2,HIPAA|164.308(a)(1)(i)(ii)(B),800-53|CM-2,800-53|CM-6,800-53|CM-7,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='REMOTE_OS_AUTHENT';"
 sql_types      : POLICY_VARCHAR
 sql_expect     : "FALSE"
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "2.2.10 Ensure 'REMOTE_OS_ROLES' Is Set to 'FALSE'"
 info           : "The remote_os_roles setting permits remote users' OS roles to be applied to database management."
 solution       : "To remediate this setting execute the following SQL statement.
ALTER SYSTEM SET REMOTE_OS_ROLES = FALSE SCOPE = SPFILE;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.4,PCI-DSS-3.1|2.2.4,HIPAA|164.312(c)(1),800-53|CM-2,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='REMOTE_OS_ROLES';"
 sql_types      : POLICY_VARCHAR
 sql_expect     : "FALSE"
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "2.2.11 Ensure 'UTIL_FILE_DIR' Is Empty"
 info           : "The utl_file_dir setting allows packages like utl_file to access (read/write/modify/delete) files specified in utl_file_dir."
 solution       : "To remediate this setting execute the following SQL statement. ALTER SYSTEM SET UTIL_FILE_DIR = '' SCOPE = SPFILE;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.4,PCI-DSS-3.1|2.2.4,HIPAA|164.312(c)(1),800-53|CM-2,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='UTIL_FILE_DIR';"
 sql_types      : POLICY_VARCHAR
 sql_expect     : NULL || ""
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "2.2.12 Ensure 'SEC_CASE_SENSITIVE_LOGON' Is Set to 'TRUE'"
 info           : "The SEC_CASE_SENSITIVE_LOGON information determines whether or not case-sensitivity is required for passwords during login. Due to the security bug CVE-2012-3137 it is recommended to set this parameter to TRUE if the October 2012 CPU/PSU or later was applied. If the patch was not applied it is recommended to set this parameter to FALSE to avoid that the vulnerability could be abused."
 solution       : "To remediate this setting execute the following SQL statement.
ALTER SYSTEM SET SEC_CASE_SENSITIVE_LOGON = TRUE SCOPE = SPFILE;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.4,PCI-DSS-3.1|2.2.4,HIPAA|164.312(c)(1),800-53|CM-2,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='SEC_CASE_SENSITIVE_LOGON';"
 sql_types      : POLICY_VARCHAR
 sql_expect     : "TRUE"
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "2.2.13 Ensure 'SEC_MAX_FAILED_LOGIN_ATTEMPTS' Is Set to '10'"
 info           : "The SEC_MAX_FAILED_LOGIN_ATTEMPTS parameter determines how many failed login attempts are allowed before Oracle closes the login connection."
 solution       : "To remediate this setting execute the following SQL statement. ALTER SYSTEM SET SEC_MAX_FAILED_LOGIN_ATTEMPTS = 10 SCOPE = SPFILE;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|8.1.6,PCI-DSS-3.1|8.1.6,HIPAA|164.308(a)(5)(ii)(D),800-53|AC-7,SANS-CSC|16-9,CSF|PR.AC-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='SEC_MAX_FAILED_LOGIN_ATTEMPTS';"
 sql_types      : POLICY_VARCHAR
 sql_expect     : regex:"^([1-9]|10)$"
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "2.2.14 Ensure 'SEC_PROTOCOL_ERROR_FURTHER_ACTION' Is Set to 'DELAY,3' or 'DROP,3'"
 info           : "The SEC_PROTOCOL_ERROR_FURTHER_ACTION setting determines the Oracle's server's response to bad/malformed packets received from the client."
 solution       : "To remediate this setting execute one of the following SQL statements.
ALTER SYSTEM SET SEC_PROTOCOL_ERROR_FURTHER_ACTION = 'DELAY,3' SCOPE = SPFILE;
ALTER SYSTEM SET SEC_PROTOCOL_ERROR_FURTHER_ACTION = 'DROP,3' SCOPE = SPFILE;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.4,PCI-DSS-3.1|2.2.4,HIPAA|164.312(c)(1),800-53|CM-2,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='SEC_PROTOCOL_ERROR_FURTHER_ACTION';"
 sql_types      : POLICY_VARCHAR
 sql_expect     : "(DELAY,3)" || "(DROP,3)"
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "2.2.15 Ensure 'SEC_PROTOCOL_ERROR_TRACE_ACTION' Is Set to 'LOG'"
 info           : "The SEC_PROTOCOL_ERROR_TRACE_ACTION setting determines the Oracle's server's logging response level to bad/malformed packets received from the client, by generating ALERT, LOG, or TRACE levels of detail in the log files."
 solution       : "To remediate this setting execute the following SQL statement.
ALTER SYSTEM SET SEC_PROTOCOL_ERROR_TRACE_ACTION=LOG SCOPE = SPFILE;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.4,PCI-DSS-3.1|2.2.4,HIPAA|164.312(c)(1),800-53|CM-2,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='SEC_PROTOCOL_ERROR_TRACE_ACTION';"
 sql_types      : POLICY_VARCHAR
 sql_expect     : "LOG" || "TRACE"
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "2.2.16 Ensure 'SEC_RETURN_SERVER_RELEASE_BANNER' Is Set to 'FALSE'"
 info           : "The information about patch/update release number provides information about the exact patch/update release that is currently running on the database."
 solution       : "To remediate this setting execute the following SQL statement.
ALTER SYSTEM SET SEC_RETURN_SERVER_RELEASE_BANNER = FALSE SCOPE = SPFILE;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.4,PCI-DSS-3.1|2.2.4,HIPAA|164.312(c)(1),800-53|CM-2,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='SEC_RETURN_SERVER_RELEASE_BANNER';"
 sql_types      : POLICY_VARCHAR
 sql_expect     : "FALSE"
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "2.2.17 Ensure 'SQL92_SECURITY' Is Set to 'TRUE'"
 info           : "The sql92_security parameter setting FALSE allows to grant only UPDATE or DELETE privileges without the need to grant SELECT privileges."
 solution       : "To remediate this setting execute the following SQL statement.
ALTER SYSTEM SET SQL92_SECURITY = TRUE SCOPE = SPFILE;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.4,PCI-DSS-3.1|2.2.4,HIPAA|164.312(c)(1),800-53|CM-2,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='SQL92_SECURITY';"
 sql_types      : POLICY_VARCHAR
 sql_expect     : "TRUE"
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "2.2.18 Ensure '_TRACE_FILES_PUBLIC' Is Set to 'FALSE'"
 info           : "The _trace_files_public setting determines whether or not the system's trace file is world readable."
 solution       : "To remediate this setting execute the following SQL statement.
ALTER SYSTEM SET '_trace_files_public' = FALSE SCOPE = SPFILE;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.4,PCI-DSS-3.1|2.2.4,HIPAA|164.312(c)(1),800-53|CM-2,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT VALUE FROM V$PARAMETER WHERE NAME='_trace_files_public';"
 sql_types      : POLICY_VARCHAR
 sql_expect     : NULL || "FALSE"
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "2.2.19 Ensure 'RESOURCE_LIMIT' Is Set to 'TRUE'"
 info           : "RESOURCE_LIMIT determines whether resource limits are enforced in database profiles"
 solution       : "To remediate this setting execute the following SQL statement.
ALTER SYSTEM SET RESOURCE_LIMIT = TRUE SCOPE = SPFILE;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.4,PCI-DSS-3.1|2.2.4,HIPAA|164.312(c)(1),800-53|CM-2,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='RESOURCE_LIMIT';"
 sql_types      : POLICY_VARCHAR
 sql_expect     : "TRUE"
</custom_item>

## 3 Oracle Connection and Login Restrictions

<custom_item>
 type           : SQL_POLICY
 description    : "3.1 Ensure 'FAILED_LOGIN_ATTEMPTS' Is Less than or Equal to '3'"
 info           : "The failed_login_attempts setting determines how many failed login attempts are permitted before the system locks the user's account. While different profiles can have different and more restrictive settings, such as USERS and APPS, the minimum(s) recommended here should be set on the DEFAULT profile."
 solution       : "Remediate this setting by executing the following SQL statement for each PROFILE returned by the audit procedure.
ALTER PROFILE <profile_name> LIMIT FAILED_LOGIN_ATTEMPTS 5;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|8.1.6,PCI-DSS-3.1|8.1.6,HIPAA|164.308(a)(5)(ii)(D),800-53|AC-7,SANS-CSC|16-9,CSF|PR.AC-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE RESOURCE_NAME='FAILED_LOGIN_ATTEMPTS' AND ( LIMIT = 'DEFAULT' OR LIMIT = 'UNLIMITED' OR LIMIT > 3 );"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR, POLICY_INTEGER
 sql_expect     : NULL, NULL, NULL
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "3.2 Ensure 'PASSWORD_LOCK_TIME' Is Greater than or Equal to '1'"
 info           : "The PASSWORD_LOCK_TIME setting determines how many days must pass for the user's account to be unlocked after the set number of failed login attempts has occurred."
 solution       : "Remediate this setting by executing the following SQL statement for each PROFILE returned by the audit procedure.
ALTER PROFILE <profile_name> LIMIT PASSWORD_LOCK_TIME 1;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|8.1.7,PCI-DSS-3.1|8.1.7,HIPAA|164.308(a)(5)(ii)(D),800-53|AC-7,SANS-CSC|16-9,CSF|PR.AC-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE RESOURCE_NAME='PASSWORD_LOCK_TIME' AND ( LIMIT = 'DEFAULT' OR LIMIT = 'UNLIMITED' OR LIMIT < 1 );"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR, POLICY_INTEGER
 sql_expect     : NULL, NULL, NULL
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "3.3 Ensure 'PASSWORD_LIFE_TIME' Is Less than or Equal to '90'"
 info           : "The password_life_time setting determines how long a password may be used before the user is required to be change it."
 solution       : "Remediate this setting by executing the following SQL statement for each PROFILE returned by the audit procedure.
ALTER PROFILE <profile_name> LIMIT PASSWORD_LIFE_TIME 90;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|8.2.4,PCI-DSS-3.1|8.2.4,HIPAA|164.308(a)(5)(ii)(D),800-53|AC-2,SANS-CSC|16-8,CSF|PR.AC-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE RESOURCE_NAME='PASSWORD_LIFE_TIME' AND ( LIMIT = 'DEFAULT' OR LIMIT = 'UNLIMITED' OR LIMIT > 90 );"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR, POLICY_INTEGER
 sql_expect     : NULL, NULL, NULL
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "3.4 Ensure 'PASSWORD_REUSE_MAX' Is Greater than or Equal to '24'"
 info           : "The password_reuse_max setting determines how many different passwords must be used before the user is allowed to reuse a prior password."
 solution       : "Remediate this setting by executing the following SQL statement for each PROFILE returned by the audit procedure.
ALTER PROFILE <profile_name> LIMIT PASSWORD_REUSE_MAX 24;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|8.2.5,PCI-DSS-3.1|8.2.5,HIPAA|164.308(a)(5)(ii)(D),800-53|AC-2,SANS-CSC|16-8,CSF|PR.AC-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE PROFILE='DEFAULT' AND RESOURCE_NAME='PASSWORD_REUSE_MAX';"
 sql_types      : POLICY_VARCHAR,POLICY_VARCHAR,POLICY_INTEGER
 sql_expect     : 'DEFAULT','PASSWORD_REUSE_MAX',24
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "3.5 Ensure 'PASSWORD_REUSE_TIME' Is Greater than or Equal to '365'"
 info           : "The password_reuse_time setting determines the amount of time in days that must pass before the same password may be reused."
 solution       : "Remediate this setting by executing the following SQL statement for each PROFILE returned by the audit procedure. ALTER PROFILE <profile_name> LIMIT PASSWORD_REUSE_TIME 365;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|8.2.5,PCI-DSS-3.1|8.2.5,HIPAA|164.308(a)(5)(ii)(D),800-53|AC-2,SANS-CSC|16-8,CSF|PR.AC-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE RESOURCE_NAME='PASSWORD_REUSE_TIME' AND ( LIMIT = 'DEFAULT' OR LIMIT = 'UNLIMITED' OR LIMIT < 365 );"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR, POLICY_INTEGER
 sql_expect     : NULL, NULL, NULL
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "3.6 Ensure 'PASSWORD_GRACE_TIME' Is Less than or Equal to '0'"
 info           : "The password_grace_time setting determines how many days can pass after the user's password expires before the user's login capability is automatically locked out."
 solution       : "Remediate this setting by executing the following SQL statement for each PROFILE returned by the audit procedure.
ALTER PROFILE <profile_name> LIMIT PASSWORD_GRACE_TIME 5;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|8.2.4,PCI-DSS-3.1|8.2.4,HIPAA|164.308(a)(5)(ii)(D),800-53|AC-2,SANS-CSC|16-8,CSF|PR.AC-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE RESOURCE_NAME='PASSWORD_GRACE_TIME' AND ( LIMIT = 'DEFAULT' OR LIMIT = 'UNLIMITED' OR LIMIT > 1 );"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR, POLICY_INTEGER
 sql_expect     : NULL, NULL, NULL
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "3.7 Ensure 'DBA_USERS.PASSWORD' Is Not Set to 'EXTERNAL' for Any User"
 info           : "The password='EXTERNAL' setting determines whether or not a user can be authenticated by a remote OS to allow access to the database with full authorization."
 solution       : "To remediate this setting execute the following SQL statement.
ALTER USER <username> IDENTIFIED BY <password>;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.4,PCI-DSS-3.1|2.2.4,HIPAA|164.312(c)(1),800-53|CM-2,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT USERNAME FROM DBA_USERS WHERE PASSWORD='EXTERNAL';"
 sql_types      : POLICY_VARCHAR
 sql_expect     : NULL
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "3.8 Ensure 'PASSWORD_VERIFY_FUNCTION' Is Set for All Profiles"
 info           : "The password_verify_function determines password settings requirements when a user password is changed at the SQL command prompt. This setting does not apply for users managed by the Oracle passwd-file."
 solution       : "Create a custom password verification function which fulfills the password requirements of the organization."
 reference      : "LEVEL|1S,PCI-DSS-3.0|8.5,PCI-DSS-3.1|8.5,HIPAA|164.308(a)(3)(i),HIPAA|164.312(a)(1),800-53|AC-2,SANS-CSC|16-8,CSF|PR.AC-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT PROFILE, RESOURCE_NAME FROM DBA_PROFILES WHERE RESOURCE_NAME='PASSWORD_VERIFY_FUNCTION' AND (LIMIT = 'DEFAULT' OR LIMIT = 'NULL');"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : NULL, NULL
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "3.9 Ensure 'SESSIONS_PER_USER' Is Less than or Equal to '10'"
 info           : "The SESSIONS_PER_USER (Number of sessions allowed) determines the maximum number of user sessions that are allowed to be open concurrently."
 solution       : "To remediate this setting execute the following SQL statement for each PROFILE returned by the audit procedure.
ALTER PROFILE <profile_name> LIMIT SESSIONS_PER_USER 10;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.4,PCI-DSS-3.1|2.2.4,HIPAA|164.312(c)(1),800-53|CM-2,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE RESOURCE_NAME='SESSIONS_PER_USER' AND ( LIMIT = 'DEFAULT' OR LIMIT = 'UNLIMITED' OR LIMIT > 10 );"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR, POLICY_INTEGER
 sql_expect     : NULL, NULL, NULL
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "3.10 Ensure No Users Are Assigned the 'DEFAULT' Profile"
 info           : "Upon creation database users are assigned to the DEFAULT profile unless otherwise specified."
 solution       : "To remediate this recommendation execute the following SQL statement for each user returned by the audit query using a functional-appropriate profile.
ALTER USER <username> PROFILE <appropriate_profile>"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.4,PCI-DSS-3.1|2.2.4,HIPAA|164.312(c)(1),800-53|CM-2,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT USERNAME FROM DBA_USERS WHERE PROFILE='DEFAULT' AND ACCOUNT_STATUS='OPEN' AND USERNAME NOT IN ('ANONYMOUS', 'CTXSYS', 'DBSNMP', 'EXFSYS', 'LBACSYS', 'MDSYS', 'MGMT_VIEW','OLAPSYS','OWBSYS', 'ORDPLUGINS', 'ORDSYS', 'OUTLN', 'SI_INFORMTN_SCHEMA','SYS', 'SYSMAN', 'SYSTEM', 'TSMSYS', 'WK_TEST', 'WKSYS', 'WKPROXY', 'WMSYS', 'XDB', 'CISSCAN');"
 sql_types      : POLICY_VARCHAR
 sql_expect     : NULL
</custom_item>

## 4 Oracle User Access and Authorization Restrictions

### 4.1 Default Public Privileges for Packages and Object Types

<custom_item>
 type           : SQL_POLICY
 description    : "4.1.1 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_ADVISOR'"
 info           : "The Oracle database DBMS_ADVISOR package can be used to write files located on the server where the Oracle instance is installed."
 solution       : "To remediate this setting execute the following SQL statement.
REVOKE EXECUTE ON DBMS_ADVISOR FROM PUBLIC;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.4,PCI-DSS-3.1|2.2.4,HIPAA|164.312(c)(1),800-53|CM-2,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT TABLE_NAME, PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_ADVISOR';"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : NULL, NULL
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "4.1.2 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_CRYPTO'"
 info           : "The DBMS_CRYPTO settings provide a toolset that determines the strength of the encryption algorithm used to encrypt application data and is part of the SYS schema. The DES (56-bit key), 3DES (168-bit key), 3DES-2KEY (112-bit key), AES (128/192/256-bit keys), and RC4 are available."
 solution       : "To remediate this setting execute the following SQL statement.
REVOKE EXECUTE ON DBMS_CRYPTO FROM PUBLIC;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.4,PCI-DSS-3.1|2.2.4,HIPAA|164.312(c)(1),800-53|CM-2,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT TABLE_NAME, PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND TABLE_NAME='DBMS_CRYPTO';"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : NULL, NULL
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "4.1.3 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_JAVA'"
 info           : "The Oracle database DBMS_JAVA package can run Java classes (e.g. OS commands) or grant Java privileges."
 solution       : "To remediate this setting execute the following SQL statement. REVOKE EXECUTE ON DBMS_JAVA FROM PUBLIC;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.4,PCI-DSS-3.1|2.2.4,HIPAA|164.312(c)(1),800-53|CM-2,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT TABLE_NAME, PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_JAVA';"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : NULL, NULL
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "4.1.4 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_JAVA_TEST'"
 info           : "The Oracle database DBMS_JAVA_TEST package can run Java classes (e.g. OS commands) or grant Java privileges."
 solution       : "To remediate this setting execute the following SQL statement.
REVOKE EXECUTE ON DBMS_JAVA_TEST FROM PUBLIC;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.4,PCI-DSS-3.1|2.2.4,HIPAA|164.312(c)(1),800-53|CM-2,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT TABLE_NAME, PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_JAVA_TEST';"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : NULL, NULL
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "4.1.5 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_JOB'"
 info           : "The Oracle database DBMS_JOB package schedules and manages the jobs sent to the job queue and has been superseded by the DBMS_SCHEDULER package, even though DBMS_JOB has been retained for backwards compatibility."
 solution       : "To remediate this setting execute the following SQL statement.
REVOKE EXECUTE ON DBMS_JOB FROM PUBLIC;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.4,PCI-DSS-3.1|2.2.4,HIPAA|164.312(c)(1),800-53|CM-2,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT TABLE_NAME, PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_JOB';"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : NULL, NULL
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "4.1.6 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_LDAP'"
 info           : "The Oracle database DBMS_LDAP package contains functions and procedures that enable programmers to access data from LDAP servers."
 solution       : "To remediate this setting execute the following SQL statement.
REVOKE EXECUTE ON DBMS_LDAP FROM PUBLIC;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.4,PCI-DSS-3.1|2.2.4,HIPAA|164.312(c)(1),800-53|CM-2,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT TABLE_NAME, PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_LDAP';"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : NULL, NULL
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "4.1.7 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_LOB'"
 info           : "The Oracle database DBMS_LOB package provides subprograms that can manipulate and read/write on BLOBs, CLOBs, NCLOBs, BFILEs, and temporary LOBs."
 solution       : "To remediate this setting execute the following SQL statement.
REVOKE EXECUTE ON DBMS_LOB FROM PUBLIC;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.4,PCI-DSS-3.1|2.2.4,HIPAA|164.312(c)(1),800-53|CM-2,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT TABLE_NAME, PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_LOB';"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : NULL, NULL
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "4.1.8 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_OBFUSCATION_TOOLKIT'"
 info           : "The DBMS_OBFUSCATION_TOOLKIT settings provide one of the tools that determine the strength of the encryption algorithm used to encrypt application data and is part of the SYS schema. The DES (56-bit key) and 3DES (168-bit key) are the only two types available."
 solution       : "To remediate this setting execute the following SQL statement.
REVOKE EXECUTE ON DBMS_OBFUSCATION_TOOLKIT FROM PUBLIC;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.4,PCI-DSS-3.1|2.2.4,HIPAA|164.312(c)(1),800-53|CM-2,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT TABLE_NAME, PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_OBFUSCATION_TOOLKIT';"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : NULL, NULL
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "4.1.9 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_RANDOM'"
 info           : "The Oracle database DBMS_RANDOM package is used for generating random numbers but should not be used for cryptographic purposes."
 solution       : "To remediate this setting execute the following SQL statement.
REVOKE EXECUTE ON DBMS_RANDOM FROM PUBLIC;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.4,PCI-DSS-3.1|2.2.4,HIPAA|164.312(c)(1),800-53|CM-2,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT TABLE_NAME, PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_RANDOM';"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : NULL, NULL
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "4.1.10 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_SCHEDULER'"
 info           : "The Oracle database DBMS_SCHEDULER package schedules and manages the database and operating system jobs ."
 solution       : "To remediate this setting execute the following SQL statement.
REVOKE EXECUTE ON DBMS_SCHEDULER FROM PUBLIC;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.4,PCI-DSS-3.1|2.2.4,HIPAA|164.312(c)(1),800-53|CM-2,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT TABLE_NAME, PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_SCHEDULER';"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : NULL, NULL
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "4.1.11 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_SQL'"
 info           : "The Oracle database DBMS_SQL package is used for running dynamic SQL statements."
 solution       : "To remediate this setting execute the following SQL statement. REVOKE EXECUTE ON DBMS_SQL FROM PUBLIC;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.4,PCI-DSS-3.1|2.2.4,HIPAA|164.312(c)(1),800-53|CM-2,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT TABLE_NAME, PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_SQL';"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : NULL, NULL
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "4.1.12 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_XMLGEN'"
 info           : "The DBMS_XMLGEN package takes an arbitrary SQL query as input, converts it to XML format, and returns the result as a CLOB."
 solution        : "To remediate this setting execute the following SQL statement.
REVOKE EXECUTE ON DBMS_XMLGEN FROM PUBLIC;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.4,PCI-DSS-3.1|2.2.4,HIPAA|164.312(c)(1),800-53|CM-2,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT TABLE_NAME, PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_XMLGEN';"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : NULL, NULL
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "4.1.13 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_XMLQUERY'"
 info           : "The Oracle package DBMS_XMLQUERY takes an arbitrary SQL query, converts it to XML format, and returns the result. This package is similar to DBMS_XMLGEN."
 solution       : "To remediate this setting execute the following SQL statement. REVOKE EXECUTE ON DBMS_XMLQUERY FROM PUBLIC;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.4,PCI-DSS-3.1|2.2.4,HIPAA|164.312(c)(1),800-53|CM-2,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT TABLE_NAME, PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_XMLQUERY';"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : NULL, NULL
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "4.1.14 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_FILE'"
 info           : "The Oracle database UTL_FILE package can be used to read/write files located on the server where the Oracle instance is installed."
 solution       : "To remediate this setting execute the following SQL statement. REVOKE EXECUTE ON UTL_FILE FROM PUBLIC;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.4,PCI-DSS-3.1|2.2.4,HIPAA|164.312(c)(1),800-53|CM-2,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT TABLE_NAME, PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='UTL_FILE';"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : NULL, NULL
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "4.1.15 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_INADDR'"
 info           : "The Oracle database UTL_INADDR package can be used to create specially crafted error messages or send information via DNS to the outside."
 solution       : "To remediate this setting execute the following SQL statement. REVOKE EXECUTE ON UTL_INADDR FROM PUBLIC;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.4,PCI-DSS-3.1|2.2.4,HIPAA|164.312(c)(1),800-53|CM-2,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT TABLE_NAME, PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='UTL_INADDR';"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : NULL, NULL
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "4.1.16 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_TCP'"
 info           : "The Oracle database UTL_TCP package can be used to read/write file to TCP sockets on the server where the Oracle instance is installed."
 solution       : "To remediate this setting execute the following SQL statement. REVOKE EXECUTE ON UTL_TCP FROM PUBLIC;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.4,PCI-DSS-3.1|2.2.4,HIPAA|164.312(c)(1),800-53|CM-2,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT TABLE_NAME, PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='UTL_TCP';"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : NULL, NULL
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "4.1.17 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_MAIL'"
 info           : "The Oracle database UTL_MAIL package can be used to send email from the server where the Oracle instance is installed."
 solution        : "To remediate this setting execute the following SQL statement.
REVOKE EXECUTE ON UTL_MAIL FROM PUBLIC;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.4,PCI-DSS-3.1|2.2.4,HIPAA|164.312(c)(1),800-53|CM-2,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT TABLE_NAME, PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='UTL_MAIL';"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : NULL, NULL
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "4.1.18 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_SMTP'"
 info           : "The Oracle database UTL_SMTP package can be used to send email from the server where the Oracle instance is installed."
 solution       : "To remediate this setting execute the following SQL statement. REVOKE EXECUTE ON UTL_SMTP FROM PUBLIC;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.4,PCI-DSS-3.1|2.2.4,HIPAA|164.312(c)(1),800-53|CM-2,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT TABLE_NAME, PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='UTL_SMTP';"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : NULL, NULL
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "4.1.19 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_DBWS'"
 info           : "The Oracle database UTL_DBWS package can be used to read/write file to web-based applications on the server where the Oracle instance is installed."
 solution       : "To remediate this setting execute the following SQL statement.
REVOKE EXECUTE ON UTL_DBWS FROM 'PUBLIC';"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.4,PCI-DSS-3.1|2.2.4,HIPAA|164.312(c)(1),800-53|CM-2,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT TABLE_NAME, PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='UTL_DBWS';"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : NULL, NULL
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "4.1.20 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_ORAMTS'"
 info           : "The Oracle database UTL_ORAMTS package can be used to perform HTTP-requests. This could be used to send information to the outside."
 solution       : "To remediate this setting execute the following SQL statement.
REVOKE EXECUTE ON UTL_ORAMTS FROM PUBLIC;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.4,PCI-DSS-3.1|2.2.4,HIPAA|164.312(c)(1),800-53|CM-2,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT TABLE_NAME, PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='UTL_ORAMTS';"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : NULL, NULL
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "4.1.21 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_HTTP'"
 info           : "The Oracle database UTL_HTTP package can be used to perform HTTP-requests. This could be used to send information to the outside."
 solution       : "To remediate this setting execute the following SQL statement.
REVOKE EXECUTE ON UTL_HTTP FROM PUBLIC;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.4,PCI-DSS-3.1|2.2.4,HIPAA|164.312(c)(1),800-53|CM-2,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT TABLE_NAME, PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='UTL_HTTP';"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : NULL, NULL
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "4.1.22 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'HTTPURITYPE'"
 info           : "The Oracle database HTTPURITYPE object type can be used to perform HTTP-requests."
 solution       : "To remediate this setting execute the following SQL statement.
REVOKE EXECUTE ON HTTPURITYPE FROM PUBLIC;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.4,PCI-DSS-3.1|2.2.4,HIPAA|164.312(c)(1),800-53|CM-2,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT TABLE_NAME, PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='HTTPURITYPE';"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : NULL, NULL
</custom_item>

### 4.2 Revoke Non-Default Privileges for Packages and Object Types

<custom_item>
 type           : SQL_POLICY
 description    : "4.2.1 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_SYS_SQL'"
 info           : "The Oracle database DBMS_SYS_SQL package is shipped as undocumented."
 solution       : "To remediate this setting execute the following SQL statement. REVOKE EXECUTE ON DBMS_SYS_SQL FROM PUBLIC;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.4,PCI-DSS-3.1|2.2.4,HIPAA|164.312(c)(1),800-53|CM-2,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT TABLE_NAME, PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_SYS_SQL';"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : NULL, NULL
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "4.2.2 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_BACKUP_RESTORE'"
 info           : "The Oracle database DBMS_BACKUP_RESTORE package is used for applying PL/SQL commands to the native RMAN sequences."
 solution       : "To remediate this setting execute the following SQL statement.
REVOKE EXECUTE ON DBMS_BACKUP_RESTORE FROM PUBLIC;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.4,PCI-DSS-3.1|2.2.4,HIPAA|164.312(c)(1),800-53|CM-2,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT TABLE_NAME, PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_BACKUP_RESTORE';"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : NULL, NULL
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "4.2.3 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_AQADM_SYSCALLS'"
 info           : "The Oracle database DBMS_AQADM_SYSCALLS package is shipped as undocumented and allows to run SQL commands as user SYS."
 solution       : "To remediate this setting execute the following SQL statement.
REVOKE EXECUTE ON DBMS_AQADM_SYSCALLS FROM PUBLIC;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.4,PCI-DSS-3.1|2.2.4,HIPAA|164.312(c)(1),800-53|CM-2,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT TABLE_NAME, PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_AQADM_SYSCALLS';"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : NULL, NULL
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "4.2.4 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_REPCAT_SQL_UTL'"
 info           : "The Oracle database DBMS_REPCAT_SQL_UTL package is shipped as undocumented and allows to run SQL commands as user SYS."
 solution       : "To remediate this setting execute the following SQL statement. revoke execute on
DBMS_REPCAT_SQL_UTL FROM PUBLIC;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.4,PCI-DSS-3.1|2.2.4,HIPAA|164.312(c)(1),800-53|CM-2,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT TABLE_NAME, PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_REPCAT_SQL_UTL';"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : NULL, NULL
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "4.2.5 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'INITJVMAUX'"
 info           : "The Oracle database INITJVMAUX package is shipped as undocumented and allows to run SQL commands as user SYS."
 solution       : "To remediate this setting execute the following SQL statement.
REVOKE EXECUTE ON INITJVMAUX FROM PUBLIC;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.4,PCI-DSS-3.1|2.2.4,HIPAA|164.312(c)(1),800-53|CM-2,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT TABLE_NAME, PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='INITJVMAUX';"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : NULL, NULL
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "4.2.6 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_STREAMS_ADM_UTL'"
 info           : "The Oracle database DBMS_STREAMS_ADM_UTL package is shipped as undocumented and allows to run SQL commands as user SYS."
 solution       : "To remediate this setting execute the following SQL statement.
REVOKE EXECUTE ON DBMS_STREAMS_ADM_UTL FROM PUBLIC;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.4,PCI-DSS-3.1|2.2.4,HIPAA|164.312(c)(1),800-53|CM-2,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT TABLE_NAME, PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_STREAMS_ADM_UTL';"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : NULL, NULL
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "4.2.7 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_AQADM_SYS'"
 info           : "The Oracle database DBMS_AQADM_SYS package is shipped as undocumented and allows to run SQL commands as user SYS."
 solution       : "To remediate this setting execute the following SQL statement.
REVOKE EXECUTE ON DBMS_AQADM_SYS FROM PUBLIC;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.4,PCI-DSS-3.1|2.2.4,HIPAA|164.312(c)(1),800-53|CM-2,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT TABLE_NAME, PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_AQADM_SYS';"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : NULL, NULL
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "4.2.8 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_STREAMS_RPC'"
 info           : "The Oracle database DBMS_STREAMS_RPC package is shipped as undocumented and allows to run SQL commands as user SYS."
 solution       : "To remediate this setting execute the following SQL statement.
REVOKE EXECUTE ON DBMS_STREAMS_RPC FROM PUBLIC;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.4,PCI-DSS-3.1|2.2.4,HIPAA|164.312(c)(1),800-53|CM-2,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT TABLE_NAME, PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_STREAMS_RPC';"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : NULL, NULL
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "4.2.9 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_PRVTAQIM'"
 info           : "The Oracle database DBMS_PRVTAQIM package is shipped as undocumented and allows to run SQL commands as user SYS."
 solution       : "To remediate this setting execute the following SQL statement.
REVOKE EXECUTE ON DBMS_PRVTAQIM FROM PUBLIC;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.4,PCI-DSS-3.1|2.2.4,HIPAA|164.312(c)(1),800-53|CM-2,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT TABLE_NAME, PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_PRVTAQIM';"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : NULL, NULL
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "4.2.10 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'LTADM'"
 info           : "The Oracle database LTADM package is shipped as undocumented and allows privilege escalation if granted to unprivileged users."
 solution       : "To remediate this setting execute the following SQL statement.
REVOKE EXECUTE ON LTADM FROM PUBLIC;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.4,PCI-DSS-3.1|2.2.4,HIPAA|164.312(c)(1),800-53|CM-2,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT TABLE_NAME, PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='LTADM';"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : NULL, NULL
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "4.2.11 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'WWV_DBMS_SQL'"
 info           : "The Oracle database WWV_DBMS_SQL package is shipped as undocumented and allows Oracle Application Express to run dynamic SQL statements."
 solution       : "To remediate this setting execute the following SQL statement.
REVOKE EXECUTE ON WWV_DBMS_SQL FROM PUBLIC;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.4,PCI-DSS-3.1|2.2.4,HIPAA|164.312(c)(1),800-53|CM-2,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT TABLE_NAME, PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='WWV_DBMS_SQL';"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : NULL, NULL
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "4.2.12 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'WWV_EXECUTE_IMMEDIATE'"
 info           : "The Oracle database WWV_EXECUTE_IMMEDIATE package is shipped as undocumented and allows Oracle Application Express to run dynamic SQL statements."
 solution       : "To remediate this setting execute the following SQL statement.
REVOKE EXECUTE ON WWV_EXECUTE_IMMEDIATE FROM PUBLIC;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.4,PCI-DSS-3.1|2.2.4,HIPAA|164.312(c)(1),800-53|CM-2,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT TABLE_NAME, PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='WWV_EXECUTE_IMMEDIATE';"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : NULL, NULL
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "4.2.13 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_IJOB'"
 info           : "The Oracle database DBMS_IJOB package is shipped as undocumented and allows to run database jobs in the context of another user."
 solution       : "To remediate this setting execute the following SQL statement.
REVOKE EXECUTE ON DBMS_IJOB FROM PUBLIC;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.4,PCI-DSS-3.1|2.2.4,HIPAA|164.312(c)(1),800-53|CM-2,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT TABLE_NAME, PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_IJOB';"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : NULL, NULL
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "4.2.14 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_FILE_TRANSFER'"
 info           : "The Oracle database DBMS_FILE_TRANSFER package allows to transfer files from one database server to another."
 solution       : "To remediate this setting execute the following SQL statement.
REVOKE EXECUTE ON DBMS_FILE_TRANSFER FROM PUBLIC;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.4,PCI-DSS-3.1|2.2.4,HIPAA|164.312(c)(1),800-53|CM-2,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT TABLE_NAME, PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_FILE_TRANSFER';"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : NULL, NULL
</custom_item>

### 4.3 Revoke Excessive System Privileges

<custom_item>
 type           : SQL_POLICY
 description    : "4.3.1 Ensure 'SELECT_ANY_DICTIONARY' Is Revoked from Unauthorized 'GRANTEE'"
 info           : "The Oracle database SELECT ANY DICTIONARY privilege allows the designated user to access SYS schema objects."
 solution       : "To remediate this setting execute the following SQL statement.
REVOKE SELECT_ANY_DICTIONARY FROM <grantee>;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.4,PCI-DSS-3.1|2.2.4,HIPAA|164.312(c)(1),800-53|CM-2,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='SELECT ANY DICTIONARY' AND GRANTEE NOT IN ('DBA','DBSNMP','OEM_MONITOR', 'OLAPSYS','ORACLE_OCM','SYSMAN','WMSYS');"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : NULL, NULL
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "4.3.2 Ensure 'SELECT ANY TABLE' Is Revoked from Unauthorized 'GRANTEE'"
 info           : "The Oracle database SELECT ANY TABLE privilege allows the designated user to open any table, except of SYS, to view it."
 solution       : "To remediate this setting execute the following SQL statement. REVOKE SELECT ANY TABLE FROM <grantee>;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.4,PCI-DSS-3.1|2.2.4,HIPAA|164.312(c)(1),800-53|CM-2,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='SELECT ANY TABLE' AND GRANTEE NOT IN ('DBA', 'MDSYS', 'SYS', 'IMP_FULL_DATABASE', 'EXP_FULL_DATABASE', 'DATAPUMP_IMP_FULL_DATABASE', 'WMSYS', 'SYSTEM','OLAP_DBA', 'DV_REALM_OWNER');"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : NULL, NULL
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "4.3.3 Ensure 'AUDIT SYSTEM' Is Revoked from Unauthorized 'GRANTEE'"
 info           : "The Oracle database AUDIT SYSTEM privilege allows the change auditing activities on the system."
 solution       : "To remediate this setting execute the following SQL statement.
REVOKE AUDIT SYSTEM FROM <grantee>;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.4,PCI-DSS-3.1|2.2.4,HIPAA|164.312(c)(1),800-53|CM-2,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='AUDIT SYSTEM' AND GRANTEE NOT IN ('DBA','DATAPUMP_IMP_FULL_DATABASE','IMP_FULL_DATABASE', 'SYS','AUDIT_ADMIN');"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : NULL, NULL
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "4.3.4 Ensure 'EXEMPT ACCESS POLICY' Is Revoked from Unauthorized 'GRANTEE'"
 info           : "The Oracle database EXEMPT ACCESS POLICY keyword provides the user the capability to access all the table rows regardless of row-level security lockouts."
 solution       : "To remediate this setting execute the following SQL statement. REVOKE EXEMPT ACCESS POLICY FROM <grantee>;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.4,PCI-DSS-3.1|2.2.4,HIPAA|164.312(c)(1),800-53|CM-2,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='EXEMPT ACCESS POLICY';"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : NULL, NULL
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "4.3.5 Ensure 'BECOME USER' Is Revoked from Unauthorized 'GRANTEE'"
 info           : "The Oracle database BECOME USER privilege allows the designated user to inherit the rights of another user."
 solution       : "To remediate this setting execute the following SQL statement. REVOKE BECOME USER FROM <grantee>;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.4,PCI-DSS-3.1|2.2.4,HIPAA|164.312(c)(1),800-53|CM-2,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='BECOME USER' AND GRANTEE NOT IN ('DBA','SYS','IMP_FULL_DATABASE');"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : NULL, NULL
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "4.3.6 Ensure 'CREATE_PROCEDURE' Is Revoked from Unauthorized 'GRANTEE'"
 info           : "The Oracle database CREATE PROCEDURE privilege allows the designated user to create a stored procedure that will fire when given the correct command sequence."
 solution       : "To remediate this setting execute the following SQL statement.
REVOKE CREATE_PROCEDURE FROM <grantee>;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.4,PCI-DSS-3.1|2.2.4,HIPAA|164.312(c)(1),800-53|CM-2,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='CREATE PROCEDURE' AND GRANTEE NOT IN ( 'DBA','DBSNMP','MDSYS','OLAPSYS','OWB$CLIENT', 'OWBSYS','RECOVERY_CATALOG_OWNER','SPATIAL_CSW_ADMIN_USR', 'SPATIAL_WFS_ADMIN_USR','SYS','APEX_030200','APEX_040000', 'APEX_040100','APEX_040200','DVF','RESOURCE','DV_REALM_RESOURCE', 'APEX_GRANTS_FOR_NEW_USERS_ROLE');"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : NULL, NULL
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "4.3.7 Ensure 'ALTER SYSTEM' Is Revoked from Unauthorized 'GRANTEE'"
 info           : "The Oracle database ALTER SYSTEM privilege allows the designated user to dynamically alter the instance's running operations."
 solution       : "To remediate this setting execute the following SQL statement.
REVOKE ALTER SYSTEM FROM <grantee>;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.4,PCI-DSS-3.1|2.2.4,HIPAA|164.312(c)(1),800-53|CM-2,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='ALTER SYSTEM' AND GRANTEE NOT IN ('SYS','SYSTEM','APEX_030200','APEX_040000', 'APEX_040100','APEX_040200','DBA','EM_EXPRESS_ALL','SYSBACKUP','GSMADMIN_ROLE', 'GSM_INTERNAL','SYSDG','GSMADMIN_INTERNAL');"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : NULL, NULL
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "4.3.8 Ensure 'CREATE ANY LIBRARY' Is Revoked from Unauthorized 'GRANTEE'"
 info           : "The Oracle database CREATE ANY LIBRARY privilege allows the designated user to create objects that are associated to the shared libraries."
 solution       : "To remediate this setting execute the following SQL statement.
REVOKE CREATE ANY LIBRARY FROM <grantee>;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.4,PCI-DSS-3.1|2.2.4,HIPAA|164.312(c)(1),800-53|CM-2,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='CREATE ANY LIBRARY' AND GRANTEE NOT IN ('SYS','SYSTEM','DBA','IMP_FULL_DATABASE');"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : NULL, NULL
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "4.3.9 Ensure 'CREATE LIBRARY' Is Revoked from Unauthorized 'GRANTEE'"
 info           : "The Oracle database CREATE LIBRARY privilege allows the designated user to create objects that are associated to the shared libraries."
 solution       : "To remediate this setting execute the following SQL statement.
REVOKE CREATE LIBRARY FROM <grantee>;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.4,PCI-DSS-3.1|2.2.4,HIPAA|164.312(c)(1),800-53|CM-2,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='CREATE LIBRARY' AND GRANTEE NOT IN ('SYS','SYSTEM','DBA','MDSYS','SPATIAL_WFS_ADMIN_USR', 'SPATIAL_CSW_ADMIN_USR','DVSYS','GSMADMIN_INTERNAL','XDB');"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : NULL, NULL
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "4.3.10 Ensure 'GRANT ANY OBJECT PRIVILEGE' Is Revoked from Unauthorized 'GRANTEE'"
 info           : "The Oracle database GRANT ANY OBJECT PRIVILEGE keyword provides the grantee the capability to grant access to any single or multiple combinations of objects to any grantee in the catalog of the database."
 solution       : "To remediate this setting execute the following SQL statement.
REVOKE GRANT ANY OBJECT PRIVILEGE FROM <grantee>;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.4,PCI-DSS-3.1|2.2.4,HIPAA|164.312(c)(1),800-53|CM-2,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='GRANT ANY OBJECT PRIVILEGE' AND GRANTEE NOT IN ('DBA','SYS','IMP_FULL_DATABASE','DATAPUMP_IMP_FULL_DATABASE', 'EM_EXPRESS_ALL', 'DV_REALM_OWNER');"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : NULL, NULL
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "4.3.11 Ensure 'GRANT ANY ROLE' Is Revoked from Unauthorized 'GRANTEE'"
 info           : "The Oracle database GRANT ANY ROLE keyword provides the grantee the capability to grant any single role to any grantee in the catalog of the database."
 solution       : "To remediate this setting execute the following SQL statement.
REVOKE GRANT ANY ROLE FROM <grantee>;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.4,PCI-DSS-3.1|2.2.4,HIPAA|164.312(c)(1),800-53|CM-2,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='GRANT ANY ROLE' AND GRANTEE NOT IN ('DBA','SYS','DATAPUMP_IMP_FULL_DATABASE','IMP_FULL_DATABASE', 'SPATIAL_WFS_ADMIN_USR','SPATIAL_CSW_ADMIN_USR', 'GSMADMIN_INTERNAL','DV_REALM_OWNER', 'EM_EXPRESS_ALL', 'DV_OWNER');"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : NULL, NULL
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "4.3.12 Ensure 'GRANT ANY PRIVILEGE' Is Revoked from Unauthorized 'GRANTEE'"
 info           : "The Oracle database GRANT ANY PRIVILEGE keyword provides the grantee the capability to grant any single privilege to any item in the catalog of the database."
 solution       : "To remediate this setting execute the following SQL statement.
REVOKE GRANT ANY PRIVILEGE FROM <grantee>;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.4,PCI-DSS-3.1|2.2.4,HIPAA|164.312(c)(1),800-53|CM-2,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='GRANT ANY PRIVILEGE' AND GRANTEE NOT IN ('DBA','SYS','IMP_FULL_DATABASE','DATAPUMP_IMP_FULL_DATABASE', 'DV_REALM_OWNER', 'EM_EXPRESS_ALL');"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : NULL, NULL
</custom_item>

### 4.4 Revoke Role Privileges

<custom_item>
 type           : SQL_POLICY
 description    : "4.4.1 Ensure 'DELETE_CATALOG_ROLE' Is Revoked from Unauthorized 'GRANTEE'"
 info           : "The Oracle database DELETE_CATALOG_ROLE provides DELETE privileges for the records in the system's audit table (AUD$)."
 solution       : "To remediate this setting execute the following SQL statement.
REVOKE DELETE_CATALOG_ROLE FROM <grantee>;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.4,PCI-DSS-3.1|2.2.4,HIPAA|164.312(c)(1),800-53|CM-2,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS WHERE granted_role='DELETE_CATALOG_ROLE' AND GRANTEE NOT IN ('DBA','SYS');"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : NULL, NULL
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "4.4.2 Ensure 'SELECT_CATALOG_ROLE' Is Revoked from Unauthorized 'GRANTEE'"
 info           : "The Oracle database SELECT_CATALOG_ROLE provides SELECT privileges on all data dictionary views held in the SYS schema."
 solution       : "To remediate this setting execute the following SQL statement.
REVOKE SELECT_CATALOG_ROLE FROM <grantee>;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.4,PCI-DSS-3.1|2.2.4,HIPAA|164.312(c)(1),800-53|CM-2,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS WHERE granted_role='SELECT_CATALOG_ROLE' AND grantee not in ('DBA','SYS','IMP_FULL_DATABASE','EXP_FULL_DATABASE', 'OEM_MONITOR', 'SYSBACKUP','EM_EXPRESS_BASIC');"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : NULL, NULL
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "4.4.3 Ensure 'EXECUTE_CATALOG_ROLE' Is Revoked from Unauthorized 'GRANTEE'"
 info           : "The Oracle database EXECUTE_CATALOG_ROLE provides EXECUTE privileges for a number of packages and procedures in the data dictionary in the SYS schema."
 solution       : "To remediate this setting execute the following SQL statement.
REVOKE EXECUTE_CATALOG_ROLE FROM <grantee>;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.4,PCI-DSS-3.1|2.2.4,HIPAA|164.312(c)(1),800-53|CM-2,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS WHERE granted_role='EXECUTE_CATALOG_ROLE' AND grantee not in ('DBA','SYS','IMP_FULL_DATABASE','EXP_FULL_DATABASE');"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : NULL, NULL
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "4.4.4 Ensure 'DBA' Is Revoked from Unauthorized 'GRANTEE'"
 info           : "The Oracle database DBA role is the default database administrator role provided for the allocation of administrative privileges."
 solution       : "To remediate this setting execute the following SQL statement.
REVOKE DBA FROM <grantee>;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.4,PCI-DSS-3.1|2.2.4,HIPAA|164.312(c)(1),800-53|CM-2,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS WHERE GRANTED_ROLE='DBA' AND GRANTEE NOT IN ('SYS','SYSTEM');"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : NULL, NULL
</custom_item>

### 4.5 Revoke Excessive Table and View Privileges

<custom_item>
 type           : SQL_POLICY
 description    : "4.5.1 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'AUD$'"
 info           : "The Oracle database SYS.AUD$ table contains all the audit records for the database of the non-Data Manipulation Language (DML) events, such as ALTER, DROP, CREATE, and so forth. (DML changes need trigger-based audit events to record data alterations.)"
 solution       : "To remediate this setting execute the following SQL statement.
REVOKE ALL ON AUD$ FROM <grantee>;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.4,PCI-DSS-3.1|2.2.4,HIPAA|164.312(c)(1),800-53|CM-2,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT TABLE_NAME, GRANTEE, PRIVILEGE FROM DBA_TAB_PRIVS WHERE TABLE_NAME='AUD$' AND GRANTEE NOT IN ('DELETE_CATALOG_ROLE');"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : NULL, NULL, NULL
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "4.5.2 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'USER_HISTORY$'"
 info           : "The Oracle database SYS.USER_HISTORY$ table contains all the audit records for the user's password change history. (This table gets updated by password changes if the user has an assigned profile that has password reuse limit set, e.g., PASSWORD_REUSE_TIME set to other than UNLIMITED.)"
 solution       : "To remediate this setting execute the following SQL statement.
REVOKE ALL ON USER_HISTORY$ FROM <grantee>;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.4,PCI-DSS-3.1|2.2.4,HIPAA|164.312(c)(1),800-53|CM-2,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT TABLE_NAME, GRANTEE, PRIVILEGE FROM DBA_TAB_PRIVS WHERE TABLE_NAME='USER_HISTORY$';"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : NULL, NULL, NULL
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "4.5.3 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'LINK$'"
 info           : "The Oracle database SYS.LINK$ table contains all the user's password information and data table link information."
 solution       : "To remediate this setting execute the following SQL statement. REVOKE ALL ON LINK$ FROM <grantee>;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.4,PCI-DSS-3.1|2.2.4,HIPAA|164.312(c)(1),800-53|CM-2,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT TABLE_NAME, GRANTEE, PRIVILEGE FROM DBA_TAB_PRIVS WHERE TABLE_NAME='LINK$' AND GRANTEE NOT IN ('DV_SECANALYST');"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : NULL, NULL, NULL
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "4.5.4 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'SYS.USER$'"
 info           : "The Oracle database SYS.USER$ table contains the users' hashed password information."
 solution       : "To remediate this setting execute the following SQL statement. REVOKE ALL ON SYS.USER$ FROM <username>;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.4,PCI-DSS-3.1|2.2.4,HIPAA|164.312(c)(1),800-53|CM-2,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT TABLE_NAME, GRANTEE, PRIVILEGE FROM DBA_TAB_PRIVS WHERE TABLE_NAME='USER$' AND GRANTEE NOT IN ('CTXSYS','XDB','APEX_030200', 'APEX_040000','APEX_040100','APEX_040200','DV_SECANALYST','DVSYS','ORACLE_OCM');"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : NULL, NULL, NULL
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "4.5.5 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'DBA_%'"
 info           : "The Oracle database DBA_ views show all information which is relevant to administrative accounts."
 solution        : "Replace <non-DBA/SYS grantee>, in the query below, with the Oracle login(s) or role(s) returned from the associated audit procedure and execute:
REVOKE ALL ON DBA_ FROM <Non-DBA/SYS grantee>;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.4,PCI-DSS-3.1|2.2.4,HIPAA|164.312(c)(1),800-53|CM-2,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT TABLE_NAME, GRANTEE, PRIVILEGE FROM DBA_TAB_PRIVS WHERE TABLE_NAME LIKE 'DBA_%' AND GRANTEE NOT IN ('APPQOSSYS','AQ_ADMINISTRATOR_ROLE','CTXSYS', 'EXFSYS','MDSYS','OLAP_XS_ADMIN','OLAPSYS','ORDSYS','OWB$CLIENT','OWBSYS', 'SELECT_CATALOG_ROLE','WM_ADMIN_ROLE','WMSYS','XDBADMIN','LBACSYS', 'ADM_PARALLEL_EXECUTE_TASK','CISSCANROLE') AND NOT REGEXP_LIKE(grantee,'^APEX_0[3-9][0-9][0-9][0-9][0-9]$');"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : NULL, NULL, NULL
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "4.5.6 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'SYS.SCHEDULER$_CREDENTIAL'"
 info           : "The Oracle database SCHEDULER$_CREDENTIAL table contains the database scheduler credential information."
 solution       : "To remediate this setting execute the following SQL statement. REVOKE ALL ON SYS.SCHEDULER$_CREDENTIAL FROM <username>;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.4,PCI-DSS-3.1|2.2.4,HIPAA|164.312(c)(1),800-53|CM-2,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT GRANTEE, PRIVILEGE FROM DBA_TAB_PRIVS WHERE TABLE_NAME='SCHEDULER$_CREDENTIAL';"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : NULL, NULL
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "4.5.7 Ensure 'SYS.USER$MIG' Has Been Dropped"
 info           : "The table sys.user$mig is created during migration and contains the Oracle password hashes before the migration starts."
 solution       : "To remediate this setting execute the following SQL statement.
DROP TABLE SYS.USER$MIG;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.4,PCI-DSS-3.1|2.2.4,HIPAA|164.312(c)(1),800-53|CM-2,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT OWNER, TABLE_NAME FROM ALL_TABLES WHERE OWNER='SYS' AND TABLE_NAME='USER$MIG';"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : NULL, NULL
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "4.6 Ensure '%ANY%' Is Revoked from Unauthorized 'GRANTEE'"
 info           : "The Oracle database ANY keyword provides the user the capability to alter any item in the catalog of the database."
 solution       : "To remediate this setting execute the following SQL statement.
REVOKE '<ANY Privilege>' FROM <grantee>;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.4,PCI-DSS-3.1|2.2.4,HIPAA|164.312(c)(1),800-53|CM-2,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE LIKE '%ANY%' AND GRANTEE NOT IN ('AQ_ADMINISTRATOR_ROLE','DBA','DBSNMP','EXFSYS', 'EXP_FULL_DATABASE','IMP_FULL_DATABASE','DATAPUMP_IMP_FULL_DATABASE', 'JAVADEBUGPRIV','MDSYS','OEM_MONITOR','OLAPSYS','OLAP_DBA','ORACLE_OCM', 'OWB$CLIENT','OWBSYS','SCHEDULER_ADMIN','SPATIAL_CSW_ADMIN_USR', 'SPATIAL_WFS_ADMIN_USR','SYS','SYSMAN','SYSTEM','WMSYS','APEX_030200', 'APEX_040000','APEX_040100','APEX_040200','LBACSYS', 'SYSBACKUP','CTXSYS','OUTLN','DVSYS','ORDPLUGINS','ORDSYS', 'GSMADMIN_INTERNAL','XDB','SYSDG','AUDIT_ADMIN','DV_OWNER','DV_REALM_OWNER', 'EM_EXPRESS_ALL', 'RECOVERY_CATALOG_OWNER');"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : NULL, NULL
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "4.7 Ensure 'DBA_SYS_PRIVS.%' Is Revoked from Unauthorized 'GRANTEE' with 'ADMIN_OPTION' Set to 'YES'"
 info           : "The Oracle database WITH_ADMIN privilege allows the designated user to grant another user the same privileges."
 solution       : "To remediate this setting execute the following SQL statement.
REVOKE <privilege> FROM <grantee>;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.4,PCI-DSS-3.1|2.2.4,HIPAA|164.312(c)(1),800-53|CM-2,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE ADMIN_OPTION='YES' AND GRANTEE not in ('AQ_ADMINISTRATOR_ROLE','DBA','OWBSYS', 'SCHEDULER_ADMIN','SYS','SYSTEM','WMSYS', 'APEX_040200','DVSYS','SYSKM','DV_ACCTMGR');"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : NULL, NULL
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "4.8 Ensure Proxy Users Have Only 'CONNECT' Privilege"
 info           : "Do not grant privileges directly to proxy users."
 solution       : "To remediate this setting execute the following SQL statement.
REVOKE [PRIVILEGE] FROM <proxy_user>;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.4,PCI-DSS-3.1|2.2.4,HIPAA|164.312(c)(1),800-53|CM-2,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS WHERE GRANTEE IN ( SELECT PROXY FROM DBA_PROXIES ) AND GRANTED_ROLE NOT IN ('CONNECT');"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : NULL, NULL
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "4.9 Ensure 'EXECUTE ANY PROCEDURE' Is Revoked from 'OUTLN'"
 info           : "Remove unneeded privileges from OUTLN"
 solution       : "To remediate this setting execute the following SQL statement.
REVOKE EXECUTE ANY PROCEDURE FROM OUTLN;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.4,PCI-DSS-3.1|2.2.4,HIPAA|164.312(c)(1),800-53|CM-2,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='EXECUTE ANY PROCEDURE' AND GRANTEE='OUTLN';"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : NULL, NULL
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "4.10 Ensure 'EXECUTE ANY PROCEDURE' Is Revoked from 'DBSNMP'"
 info           : "Remove unneeded privileges from DBSNMP"
 solution       : "To remediate this setting execute the following SQL statement.
REVOKE EXECUTE ANY PROCEDURE FROM DBSNMP;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|2.2.4,PCI-DSS-3.1|2.2.4,HIPAA|164.312(c)(1),800-53|CM-2,SANS-CSC|3-1,CSF|PR.IP-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='EXECUTE ANY PROCEDURE' AND GRANTEE='DBSNMP';"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : NULL, NULL
</custom_item>

## 5 Audit/Logging Policies and Procedures

<custom_item>
 type           : SQL_POLICY
 description    : "5.1 Enable 'USER' Audit Option"
 info           : "The USER object in the Oracle database an account through which a connection may be made to interact with the database according to the roles and privileges allotted to account. It is also a schema with may own database objects. This audits all activities and requests to create, drop or alter a user, including a user changing their own password. (The latter is not audited by 'audit ALTER USER'.)"
 solution       : "Execute the following SQL statement to remediate this setting.
AUDIT USER;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|10.2,PCI-DSS-3.1|10.2,HIPAA|164.312(b),800-53|AU-2,SANS-CSC|14-2,CSF|PR.PT-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='USER' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : "USER", "BY ACCESS", "BY ACCESS"
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "5.2 Enable 'ALTER USER' Audit Option"
 info           : "The USER object for the Oracle database is a specification of an object which is an account through which either a human or an application can connect to, via a JDBC or log into, via a CLI, and interact with the database instance according to the roles and privileges allotted to account."
 solution       : "Execute the following SQL statement to remediate this setting.
AUDIT ALTER USER;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|10.2,PCI-DSS-3.1|10.2,HIPAA|164.312(b),800-53|AU-2,SANS-CSC|14-2,CSF|PR.PT-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='ALTER USER' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : "ALTER USER", "BY ACCESS", "BY ACCESS"
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "5.3 Enable 'DROP USER' Audit Option"
 info           : "The USER object for the Oracle database is a specification of an object which is an account through which either a human or an application can connect to, via a JDBC or log into, via a CLI, and interact with the database instance according to the roles and privileges allotted to account."
 solution       : "Execute the following SQL statement to remediate this setting.
AUDIT DROP USER;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|10.2,PCI-DSS-3.1|10.2,HIPAA|164.312(b),800-53|AU-2,SANS-CSC|14-2,CSF|PR.PT-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='DROP USER' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : "DROP USER", "BY ACCESS", "BY ACCESS"
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "5.4 Enable 'ROLE' Audit Option"
 info           : "The ROLE object allows for the creation of a set of privileges that can be granted to users or other roles. This audits all attempts, successful or not, to create, drop, alter or set roles."
 solution       : "Execute the following SQL statement to remediate this setting:
AUDIT ROLE;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|10.2,PCI-DSS-3.1|10.2,HIPAA|164.312(b),800-53|AU-2,SANS-CSC|14-2,CSF|PR.PT-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='ROLE' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : "ROLE", "BY ACCESS", "BY ACCESS"
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "5.5 Enable 'SYSTEM GRANT' Audit Option"
 info           : "This will audit any attempt, successful or not, to grant or revoke any system privilege or role - regardless of privilege held by the user attempting the operation."
 solution       : "Execute the following SQL statement to remediate this setting.
AUDIT SYSTEM GRANT;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|10.2,PCI-DSS-3.1|10.2,HIPAA|164.312(b),800-53|AU-2,SANS-CSC|14-2,CSF|PR.PT-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='SYSTEM GRANT' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : "SYSTEM GRANT", "BY ACCESS", "BY ACCESS"
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "5.6 Enable 'PROFILE' Audit Option"
 info           : "The PROFILE object allows for the creation of a set of database resource limits that can be assigned to a user, so that that user cannot exceed those resource limitations. This will audit all attempts, successful or not, to create, drop or alter any profile."
 solution       : "Execute the following SQL statement to remediate this setting.
AUDIT PROFILE;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|10.2,PCI-DSS-3.1|10.2,HIPAA|164.312(b),800-53|AU-2,SANS-CSC|14-2,CSF|PR.PT-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='PROFILE' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : "PROFILE", "BY ACCESS", "BY ACCESS"
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "5.7 Enable 'ALTER PROFILE' Audit Option"
 info           : "The PROFILE object allows for the creation of a set of database resource limits that can be assigned to a user, so that that user cannot exceed those resource limitations."
 solution       : "Execute the following SQL statement to remediate this setting.
AUDIT ALTER PROFILE;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|10.2,PCI-DSS-3.1|10.2,HIPAA|164.312(b),800-53|AU-2,SANS-CSC|14-2,CSF|PR.PT-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='ALTER PROFILE' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : "ALTER PROFILE", "BY ACCESS", "BY ACCESS"
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "5.8 Enable 'DROP PROFILE' Audit Option"
 info           : "The PROFILE object allows for the creation of a set of database resource limits that can be assigned to a user, so that that user cannot exceed those resource limitations."
 solution       : "Execute the following SQL statement to remediate this setting.
AUDIT DROP PROFILE;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|10.2,PCI-DSS-3.1|10.2,HIPAA|164.312(b),800-53|AU-2,SANS-CSC|14-2,CSF|PR.PT-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='DROP PROFILE' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : "DROP PROFILE", "BY ACCESS", "BY ACCESS"
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "5.9 Enable 'DATABASE LINK' Audit Option"
 info           : "All activities on database links should be audited."
 solution       : "Execute the following SQL statement to remediate this setting.
AUDIT DATABASE LINK;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|10.2,PCI-DSS-3.1|10.2,HIPAA|164.312(b),800-53|AU-2,SANS-CSC|14-2,CSF|PR.PT-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='DATABASE LINK' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : "DATABASE LINK", "BY ACCESS", "BY ACCESS"
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "5.10 Enable 'PUBLIC DATABASE LINK' Audit Option"
 info           : "The PUBLIC DATABASE LINK object allows for the creation of a public link for an application-based 'user' to access the database for connections/session creation ."
 solution       : "Execute the following SQL statement to remediate this setting.
AUDIT PUBLIC DATABASE LINK;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|10.2,PCI-DSS-3.1|10.2,HIPAA|164.312(b),800-53|AU-2,SANS-CSC|14-2,CSF|PR.PT-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='PUBLIC DATABASE LINK' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : "PUBLIC DATABASE LINK", "BY ACCESS", "BY ACCESS"
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "5.11 Enable 'PUBLIC SYNONYM' Audit Option"
 info           : "The PUBLIC SYNONYM object allows for the creation of an alternate description of an object and public synonyms are accessible by all users that have the appropriate privileges to the underlying object."
 solution       : "Execute the following SQL statement to remediate this setting.
AUDIT PUBLIC SYNONYM;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|10.2,PCI-DSS-3.1|10.2,HIPAA|164.312(b),800-53|AU-2,SANS-CSC|14-2,CSF|PR.PT-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='PUBLIC SYNONYM' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : "PUBLIC SYNONYM", "BY ACCESS", "BY ACCESS"
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "5.12 Enable 'SYNONYM' Audit Option"
 info           : "The SYNONYM operation allows for the creation of a an alternative name for a database object such as a Java class schema object, materialized view, operator, package, procedure, sequence, stored function, table, view, user-defined object type, even another synonym; this synonym puts a dependency on its target and is rendered invalid if the target object is changed/dropped."
 solution       : "Execute the following SQL statement to remediate this setting.
AUDIT SYNONYM;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|10.2,PCI-DSS-3.1|10.2,HIPAA|164.312(b),800-53|AU-2,SANS-CSC|14-2,CSF|PR.PT-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='SYNONYM' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : "SYNONYM", "BY ACCESS", "BY ACCESS"
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "5.13 Enable 'GRANT DIRECTORY' Audit Option"
 info           : "The DIRECTORY object allows for the creation of a directory object that specifies an alias for a directory on the server file system, where the external binary file LOBs (BFILEs)/ table data are located."
 solution       : "Execute the following SQL statement to remediate this setting.
AUDIT GRANT DIRECTORY;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|10.2,PCI-DSS-3.1|10.2,HIPAA|164.312(b),800-53|AU-2,SANS-CSC|14-2,CSF|PR.PT-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='GRANT DIRECTORY' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : "GRANT DIRECTORY", "BY ACCESS", "BY ACCESS"
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "5.14 Enable 'SELECT ANY DICTIONARY' Audit Option"
 info           : "The SELECT ANY DICTIONARY capability allows the user to view the definitions of all schema objects in the database."
 solution       : "Execute the following SQL statement to remediate this setting.
AUDIT SELECT ANY DICTIONARY;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|10.2,PCI-DSS-3.1|10.2,HIPAA|164.312(b),800-53|AU-2,SANS-CSC|14-2,CSF|PR.PT-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='SELECT ANY DICTIONARY' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : "SELECT ANY DICTIONARY", "BY ACCESS", "BY ACCESS"
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "5.15 Enable 'GRANT ANY OBJECT PRIVILEGE' Audit Option"
 info           : "GRANT ANY OBJECT PRIVILEGE allows the user to grant or revoke any object privilege, which includes privileges on tables, directories, mining models, etc. This audits all uses of that privilege."
 solution       : "Execute the following SQL statement to remediate this setting.
AUDIT GRANT ANY OBJECT PRIVILEGE;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|10.2,PCI-DSS-3.1|10.2,HIPAA|164.312(b),800-53|AU-2,SANS-CSC|14-2,CSF|PR.PT-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT PRIVILEGE, SUCCESS, FAILURE FROM DBA_PRIV_AUDIT_OPTS WHERE PRIVILEGE='GRANT ANY OBJECT PRIVILEGE' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : "GRANT ANY OBJECT PRIVILEGE", "BY ACCESS", "BY ACCESS"
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "5.16 Enable 'GRANT ANY PRIVILEGE' Audit Option"
 info           : "This audits all uses of the system privilege named GRANT ANY PRIVILEGE. Actions by users not holding this privilege are not audited."
 solution       : "Execute the following SQL statement to remediate this setting.
AUDIT GRANT ANY PRIVILEGE;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|10.2,PCI-DSS-3.1|10.2,HIPAA|164.312(b),800-53|AU-2,SANS-CSC|14-2,CSF|PR.PT-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT PRIVILEGE, SUCCESS, FAILURE FROM DBA_PRIV_AUDIT_OPTS WHERE PRIVILEGE='GRANT ANY PRIVILEGE' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : "GRANT ANY PRIVILEGE", "BY ACCESS", "BY ACCESS"
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "5.17 Enable 'DROP ANY PROCEDURE' Audit Option"
 info           : "The AUDIT DROP ANY PROCEDURE command is auditing the creation of procedures in other schema."
 solution       : "Execute the following SQL statement to remediate this setting.
AUDIT DROP ANY PROCEDURE;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|10.2,PCI-DSS-3.1|10.2,HIPAA|164.312(b),800-53|AU-2,SANS-CSC|14-2,CSF|PR.PT-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='DROP ANY PROCEDURE' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : "DROP ANY PROCEDURE", "BY ACCESS", "BY ACCESS"
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "5.18 Enable 'ALL' Audit Option on 'SYS.AUD$'"
 info           : "The logging of attempts to alter the audit trail in the SYS.AUD$ table (open for read/update/delete/view) will provide a record of any activities that may indicate unauthorized attempts to access the audit trail."
 solution       : "Execute the following SQL statement to remediate this setting.
AUDIT ALL ON SYS.AUD$ BY ACCESS;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|10.2,PCI-DSS-3.1|10.2,HIPAA|164.312(b),800-53|AU-2,SANS-CSC|14-2,CSF|PR.PT-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT * FROM DBA_OBJ_AUDIT_OPTS WHERE OBJECT_NAME='AUD$' AND ALT='A/A' AND AUD='A/A' AND COM='A/A' AND DEL='A/A' AND GRA='A/A' AND IND='A/A' AND INS='A/A' AND LOC='A/A' AND REN='A/A' AND SEL='A/A' AND UPD='A/A' AND FBK='A/A';"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : "SYS", "AUD$", "TABLE"
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "5.19 Enable 'PROCEDURE' Audit Option"
 info           : "In this statement audit, 'PROCEDURE' means any procedure, function, package or library. Any attempt, successful or not, to create or drop any of these types of objects is audited, regardless of privilege or lack thereof. Java schema objects (sources, classes, and resources) are considered the same as procedures for purposes of auditing SQL statements."
 solution       : "Execute the following SQL statement to remediate this setting.
AUDIT PROCEDURE;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|10.2,PCI-DSS-3.1|10.2,HIPAA|164.312(b),800-53|AU-2,SANS-CSC|14-2,CSF|PR.PT-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='PROCEDURE' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : "PROCEDURE", "BY ACCESS", "BY ACCESS"
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "5.20 Enable 'ALTER SYSTEM' Audit Option"
 info           : "This will audit all attempts to ALTER SYSTEM, whether successful or not and regardless of whether or not the ALTER SYSTEM privilege is held by the user attempting the action."
 solution       : "Execute the following SQL statement to remediate this setting. AUDIT ALTER SYSTEM;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|10.2,PCI-DSS-3.1|10.2,HIPAA|164.312(b),800-53|AU-2,SANS-CSC|14-2,CSF|PR.PT-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='ALTER SYSTEM' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : "ALTER SYSTEM", "BY ACCESS", "BY ACCESS"
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "5.21 Enable 'TRIGGER' Audit Option"
 info           : "A TRIGGER may be used to modify DML actions or invoke other (recursive) actions when some types of user-initiated actions occur. This will audit any attempt, successful or not, to create, drop, enable or disable any schema trigger in any schema regardless of privilege or lack thereof. For enabling and disabling a trigger, it covers both alter trigger and alter table."
 solution       : "Execute the following SQL statement to remediate this setting.
AUDIT TRIGGER;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|10.2,PCI-DSS-3.1|10.2,HIPAA|164.312(b),800-53|AU-2,SANS-CSC|14-2,CSF|PR.PT-1"
 see_also       : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='TRIGGER' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : "TRIGGER", "BY ACCESS", "BY ACCESS"
</custom_item>

<custom_item>
 type           : SQL_POLICY
 description    : "5.22 Enable 'CREATE SESSION' Audit Option"
 info           : "Audit all attempts to connect to the database, whether successful or not. Also audits session disconnects/logoffs. The commands to audit SESSION, CONNECT or CREATE SESSION all accomplish exactly the same thing - they initiate statement auditing of the connect statement used to create a database session."
 solution       : "Execute the following SQL statement to remediate this setting.
AUDIT SESSION;"
 reference      : "LEVEL|1S,PCI-DSS-3.0|10.2,PCI-DSS-3.1|10.2,HIPAA|164.312(b),800-53|AU-2,SANS-CSC|14-2,CSF|PR.PT-1"
 see_also         : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Database_12c_Benchmark_v1.1.0.pdf"
 sql_request    : "SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='CREATE SESSION' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';"
 sql_types      : POLICY_VARCHAR, POLICY_VARCHAR, POLICY_VARCHAR
 sql_expect     : "CRATE SESSION", "BY ACCESS", "BY ACCESS"
</custom_item>

</group_policy>
</check_type>