#
# This script is Copyright (C) 2004-2021 and is owned by Tenable, Inc. or an Affiliate thereof.
#
# This script is released under the Tenable Subscription License and
# may not be used from within scripts released under another license
# without authorization from Tenable, Inc.
#
# See the following licenses for details:
#
# http://static.tenable.com/prod_docs/Nessus_6_SLA_and_Subscription_Agreement.pdf
#
# @PROFESSIONALFEED@
# $Revision: 1.3 $
# $Date: 2021/06/23 $
#
# description : This document implements the security configuration as recommended by the
# CIS Oracle Database 12c Benchmark v3.0.0
#
# https://workbench.cisecurity.org/files/2741
#
#
#CIS Oracle Server 12c DB Unified Auditing v3.0.0
#
# CIS
# Oracle Server 12c DB Unified Auditing
# 3.0.0
# https://workbench.cisecurity.org/files/2741
#
#database,cis,oracle,oracle_12c
#LEVEL,CSCv6,CSCv7,CIS_Recommendation
#
description : "1.1 Ensure the Appropriate Version/Patches for Oracle Software Is Installed"
info : "The Oracle installation version and patches should be the most recent that are compatible with the organization's operational needs.
Rationale:
Using the most recent Oracle database software, along with all applicable patches can help limit the possibilities for vulnerabilities in the software, the installation version and/or patches applied during setup should be established according to the needs of the organization. Ensure you are using a release that is covered by a level of support that includes the generation of Critical Patch Updates.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance."
solution : "Perform the following step for remediation:
Download and apply the latest quarterly Critical Patch Update patches.
References:
http://www.oracle.com/us/support/assurance/fixing-policies/index.html
http://www.oracle.com/technetwork/topics/security/alerts-086861.html
http://www.oracle.com/us/support/library/lifetime-support-technology-069183.pdf"
see_also : "https://workbench.cisecurity.org/files/2741"
reference : "CSCv6|2,CSCv7|2.2,LEVEL|1NS,800-53|CM-8,CIS_Recommendation|1.1"
type : SQL_POLICY
description : "2.2.3 Ensure 'GLOBAL_NAMES' Is Set to 'TRUE'"
info : "The global_names setting requires that the name of a database link matches that of the remote database it will connect to. This setting should have a value of TRUE.
Rationale:
Not requiring database connections to match the domain that is being called remotely could allow unauthorized domain sources to potentially connect via brute-force tactics."
solution : "To remediate this setting, execute the following SQL statement.
ALTER SYSTEM SET GLOBAL_NAMES = TRUE SCOPE = SPFILE;
References:
http://docs.oracle.com/database/121/REFRN/GUID-221D0483-D814-4963-84E1-7D39A25048ED.htm#REFRN10065"
see_also : "https://workbench.cisecurity.org/files/2741"
reference : "800-171|3.4.2,800-53|CM-6b.,CIS_Recommendation|2.2.3,CN-L3|8.1.10.6(d),CSCv6|3.1,CSCv6|9,CSCv7|14.6,CSF|PR.IP-1,ITSG-33|CM-6b.,LEVEL|1S,NESA|T3.2.1,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,SWIFT-CSCv1|2.3"
sql_request : "SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='GLOBAL_NAMES';"
sql_types : POLICY_VARCHAR
sql_expect : "TRUE"
type : SQL_POLICY
description : "2.2.4 Ensure 'O7_DICTIONARY_ACCESSIBILITY' Is Set to 'FALSE'"
info : "The O7_dictionary_accessibility setting is a database initialization parameter that allows/disallows access to objects with the ANY privileges (SELECT ANY TABLE, DELETE ANY TABLE, EXECUTE ANY PROCEDURE, etc.). This functionality was created for the ease of migration from Oracle 7 databases to later versions. The setting should have a value of FALSE.
Note: The O7_dictionary_accessibility parameter has been deprecated in 12.2 and higher versions.
Rationale:
Leaving the SYS schema so open to connection could permit unauthorized access to critical data structures."
solution : "To remediate this setting, execute the following SQL statement.
ALTER SYSTEM SET O7_DICTIONARY_ACCESSIBILITY=FALSE SCOPE = SPFILE;
References:
http://docs.oracle.com/database/121/REFRN/GUID-1D1A88F1-B603-48FF-BD30-E6099DB1A1ED.htm#REFRN10133
Notes:
The value for this is 'O(oh)7' not '0(Zero)7' for O7. Also, for 'Oracle Applications' up to version 11.5.9, this setting is reversed; the O7_dictionary_accessibility=TRUE value is required for correct operations."
see_also : "https://workbench.cisecurity.org/files/2741"
reference : "800-171|3.1.5,800-53|AC-6.,CIS_Recommendation|2.2.4,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.10.6(a),CSCv6|9.1,CSCv7|9.2,CSF|PR.AC-4,CSF|PR.DS-5,ITSG-33|AC-6,LEVEL|1S,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,PCI-DSSv3.1|7.1.2,PCI-DSSv3.2|7.1.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
sql_request : "SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='O7_DICTIONARY_ACCESSIBILITY';"
sql_types : POLICY_VARCHAR
sql_expect : "FALSE"
type : SQL_POLICY
description : "2.2.5 Ensure 'OS_ROLES' Is Set to 'FALSE'"
info : "The os_roles setting permits externally created groups to be applied to database management.
Rationale:
Allowing the OS to use external groups for database management could cause privilege overlaps and generally weaken security."
solution : "To remediate this setting, execute the following SQL statement.
ALTER SYSTEM SET OS_ROLES = FALSE SCOPE = SPFILE;
References:
http://docs.oracle.com/database/121/REFRN/GUID-51CCE2D6-F841-4E02-A89D-EA08FC110CF3.htm#REFRN10153"
see_also : "https://workbench.cisecurity.org/files/2741"
reference : "800-171|3.1.1,800-171|3.1.2,800-53|AC-2(7),800-53|AC-17.,CIP|005-5-R2,CIS_Recommendation|2.2.5,CN-L3|7.1.3.2(d),CN-L3|8.1.4.4(c),CN-L3|8.1.10.6(i),CSCv6|16,CSCv7|14.6,CSF|PR.AC-1,CSF|PR.AC-3,CSF|PR.AC-4,CSF|PR.PT-4,ISO/IEC-27001|A.6.2.2,ISO/IEC-27001|A.9.2.1,ITSG-33|AC-2(7),ITSG-33|AC-17,LEVEL|1S,NESA|M5.3.1,NESA|T5.4.5,NIAv2|AM28,NIAv2|NS5j,NIAv2|SS14e,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2,SWIFT-CSCv1|2.6"
sql_request : "SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='OS_ROLES';"
sql_types : POLICY_VARCHAR
sql_expect : "FALSE"
type : SQL_POLICY
description : "2.2.6 Ensure 'REMOTE_LISTENER' Is Empty"
info : "The remote_listener setting determines whether or not a valid listener can be established on a system separate from the database instance. This setting should be empty unless the organization specifically needs a valid listener on a separate system or on nodes running Oracle RAC instances.
Rationale:
Permitting a remote listener for connections to the database instance can allow for the potential spoofing of connections and that could compromise data confidentiality and integrity."
solution : "To remediate this setting, execute the following SQL statement.
ALTER SYSTEM SET REMOTE_LISTENER = '' SCOPE = SPFILE;
References:
http://docs.oracle.com/database/121/REFRN/GUID-FEE2E8B5-CE02-4158-A6B4-030E59316756.htm#REFRN10183
Notes:
If set as remote_listener=true, the address/address list is taken from the TNSNAMES.ORA file."
see_also : "https://workbench.cisecurity.org/files/2741"
reference : "800-171|3.1.1,800-171|3.1.2,800-53|AC-17a.,CIS_Recommendation|2.2.6,CN-L3|7.1.2.2(h),CN-L3|7.1.3.7(a),CSCv6|9,CSCv7|9.2,CSF|PR.AC-3,CSF|PR.PT-4,ISO/IEC-27001|A.6.2.2,ITSG-33|AC-17a.,ITSG-33|AC-17b.,ITSG-33|AC-17e.,LEVEL|1S,NESA|T4.2.1,NESA|T4.5.1,NESA|T5.1.1,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.7.1,NESA|T5.7.2,NIAv2|AM40,NIAv2|AM41,NIAv2|NS5g,NIAv2|NS5h,NIAv2|NS48,NIAv2|NS51,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,SWIFT-CSCv1|2.6"
sql_request : "SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='REMOTE_LISTENER';"
sql_types : POLICY_VARCHAR
sql_expect : NULL
type : SQL_POLICY
description : "2.2.7 Ensure 'REMOTE_LOGIN_PASSWORDFILE' Is Set to 'NONE'"
info : "The remote_login_passwordfile setting specifies whether or not Oracle checks for a password file during login and how many databases can use the password file. The setting should have a value of NONE or in the event you are running DR/Data Guard, EXCLUSIVE is an allowable value.
Rationale:
The use of this sort of password login file could permit unsecured, privileged connections to the database."
solution : "To remediate this setting, execute the following SQL statement.
ALTER SYSTEM SET REMOTE_LOGIN_PASSWORDFILE = 'NONE' SCOPE = SPFILE;
References:
http://docs.oracle.com/database/121/REFRN/GUID-6619299E-95E8-4821-B123-3B5899F046C7.htm#REFRN10184"
see_also : "https://workbench.cisecurity.org/files/2741"
reference : "800-171|3.1.1,800-171|3.1.5,800-53|AC-3.,800-53|AC-6.,CIS_Recommendation|2.2.7,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv6|16,CSCv6|9.2,CSCv7|16.2,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-3,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AC-6,LEVEL|1S,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,NIAv2|SS29,PCI-DSSv3.1|7.1.2,PCI-DSSv3.2|7.1.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
sql_request : "SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='REMOTE_LOGIN_PASSWORDFILE';"
sql_types : POLICY_VARCHAR
sql_expect : "NONE"
type : SQL_POLICY
description : "2.2.8 Ensure 'REMOTE_OS_AUTHENT' Is Set to 'FALSE'"
info : "The remote_os_authent setting determines whether or not OS 'roles' with the attendant privileges are allowed for remote client connections. This setting should have a value of FALSE.
Note: This parameter has been deprecated in 12.1 and higher versions.
Rationale:
Permitting OS roles for database connections can allow the spoofing of connections and permit granting the privileges of an OS role to unauthorized users to make connections, this value should be restricted according to the needs of the organization."
solution : "To remediate this setting, execute the following SQL statement.
ALTER SYSTEM SET REMOTE_OS_AUTHENT = FALSE SCOPE = SPFILE;
References:
http://docs.oracle.com/database/121/REFRN/GUID-AB66C849-FE5A-4E06-A6E1-AEE775D55703.htm#REFRN10185"
see_also : "https://workbench.cisecurity.org/files/2741"
reference : "800-171|3.5.2,800-53|IA-5(8),CIS_Recommendation|2.2.8,CSCv6|16,CSCv7|16.2,CSF|PR.AC-1,ITSG-33|IA-5(8),LEVEL|1S,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1"
sql_request : "SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='REMOTE_OS_AUTHENT';"
sql_types : POLICY_VARCHAR
sql_expect : "FALSE"
type : SQL_POLICY
description : "2.2.9 Ensure 'REMOTE_OS_ROLES' Is Set to 'FALSE'"
info : "The remote_os_roles setting permits remote users' OS roles to be applied to database management. This setting should have a value of FALSE.
Rationale:
Allowing remote clients OS roles to have permissions for database management could cause privilege overlaps and generally weaken security."
solution : "To remediate this setting, execute the following SQL statement.
ALTER SYSTEM SET REMOTE_OS_ROLES = FALSE SCOPE = SPFILE;
References:
http://docs.oracle.com/database/121/REFRN/GUID-BAA83447-14C1-4BE7-BB5D-806ED3E00AED.htm#REFRN10186"
see_also : "https://workbench.cisecurity.org/files/2741"
reference : "800-171|3.1.1,800-171|3.1.2,800-53|AC-2(7),800-53|AC-17.,CIP|005-5-R2,CIS_Recommendation|2.2.9,CN-L3|7.1.3.2(d),CN-L3|8.1.4.4(c),CN-L3|8.1.10.6(i),CSCv6|16,CSCv7|16.2,CSF|PR.AC-1,CSF|PR.AC-3,CSF|PR.AC-4,CSF|PR.PT-4,ISO/IEC-27001|A.6.2.2,ISO/IEC-27001|A.9.2.1,ITSG-33|AC-2(7),ITSG-33|AC-17,LEVEL|1S,NESA|M5.3.1,NESA|T5.4.5,NIAv2|AM28,NIAv2|NS5j,NIAv2|SS14e,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2,SWIFT-CSCv1|2.6"
sql_request : "SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='REMOTE_OS_ROLES';"
sql_types : POLICY_VARCHAR
sql_expect : "FALSE"
type : SQL_POLICY
description : "2.2.10 Ensure 'UTL_FILE_DIR' Is Empty"
info : "The utl_file_dir setting allows packages like utl_file to access (read/write/modify/delete) files specified in utl_file_dir. This setting should have an empty value.
Note: The utl_file_dir parameter has been deprecated in 12.2 and higher versions.
Rationale:
Using the utl_file_dir to create directories allows the manipulation of files in these directories."
solution : "To remediate this setting, execute the following SQL statement.
ALTER SYSTEM SET UTL_FILE_DIR = '' SCOPE = SPFILE;
References:
http://docs.oracle.com/database/121/REFRN/GUID-DCA8A942-ACE1-46D6-876E-3244F390BCAE.htm#REFRN10230"
see_also : "https://workbench.cisecurity.org/files/2741"
reference : "800-171|3.4.2,800-53|CM-6b.,CIS_Recommendation|2.2.10,CN-L3|8.1.10.6(d),CSCv6|18,CSCv6|8.4,CSCv7|4.7,CSF|PR.IP-1,ITSG-33|CM-6b.,LEVEL|1S,NESA|T3.2.1,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,SWIFT-CSCv1|2.3"
sql_request : "SELECT VALUE FROM V$PARAMETER WHERE UPPER(NAME)='UTL_FILE_DIR';"
sql_types : POLICY_VARCHAR
sql_expect : NULL
type : SQL_POLICY
description : "2.2.11 Ensure 'SEC_CASE_SENSITIVE_LOGON' Is Set to 'TRUE'"
info : "The SEC_CASE_SENSITIVE_LOGON information determines whether or not case-sensitivity is required for passwords during login.
Note: This parameter has been deprecated in 12.1 and higher versions.
Rationale:
Oracle database password case-sensitivity increases the pool of characters that can be chosen for the passwords, making brute-force password attacks quite difficult."
solution : "To remediate this setting, execute the following SQL statement.
ALTER SYSTEM SET SEC_CASE_SENSITIVE_LOGON = TRUE SCOPE = SPFILE;
References:
http://docs.oracle.com/database/121/REFRN/GUID-F464653A-0D43-4A70-8F05-0274A12C8578.htm#REFRN10299"
see_also : "https://workbench.cisecurity.org/files/2741"
reference : "800-171|3.5.2,800-53|IA-5c.,CIS_Recommendation|2.2.11,CN-L3|7.1.2.7(d),CN-L3|8.1.4.1(a),CSCv6|16,CSCv7|4.4,CSF|PR.AC-1,HIPAA|164.308(a)(5)(ii)(D),ISO/IEC-27001|A.9.4.3,ITSG-33|IA-5c.,LEVEL|1S,NESA|T5.2.1,NESA|T5.2.3,NESA|T5.5.2,NESA|T5.5.3,QCSC-v1|5.2.2,QCSC-v1|13.2"
sql_request : "SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='SEC_CASE_SENSITIVE_LOGON';"
sql_types : POLICY_VARCHAR
sql_expect : "TRUE"
type : SQL_POLICY
description : "2.2.12 Ensure 'SEC_MAX_FAILED_LOGIN_ATTEMPTS' Is '3' or Less"
info : "The SEC_MAX_FAILED_LOGIN_ATTEMPTS parameter determines how many failed login attempts are allowed before Oracle closes the login connection.
Rationale:
Allowing an unlimited number of login attempts for a user connection can facilitate both brute-force login attacks and the occurrence of denial-of-service."
solution : "To remediate this setting, execute the following SQL statement.
ALTER SYSTEM SET SEC_MAX_FAILED_LOGIN_ATTEMPTS = 3 SCOPE = SPFILE;
References:
http://docs.oracle.com/database/121/REFRN/GUID-DEC2A3B2-F49B-499E-A3CF-D097F3A5BA83.htm#REFRN10274"
see_also : "https://workbench.cisecurity.org/files/2741"
reference : "800-171|3.1.8,800-53|AC-7a.,800-53|SC-5.,CIS_Recommendation|2.2.12,CN-L3|8.1.4.1(b),CSCv6|16.7,CSCv7|16.7,CSF|DE.CM-1,CSF|PR.DS-4,ITSG-33|AC-7a.,ITSG-33|SC-5,ITSG-33|SC-5a.,LEVEL|1S,NESA|T3.3.1,NESA|T5.5.1,NIAv2|AM24,NIAv2|GS8e,NIAv2|GS10c,QCSC-v1|8.2.1,TBA-FIISB|45.1.2,TBA-FIISB|45.2.1,TBA-FIISB|45.2.2"
sql_request : "SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='SEC_MAX_FAILED_LOGIN_ATTEMPTS';"
sql_types : POLICY_VARCHAR
sql_expect : regex:"^([1-3])$"
type : SQL_POLICY
description : "2.2.13 Ensure 'SEC_PROTOCOL_ERROR_FURTHER_ACTION' Is Set to 'DROP,3'"
info : "The SEC_PROTOCOL_ERROR_FURTHER_ACTION setting determines the Oracle server's response to bad/malformed packets received from the client. This setting should have a value of DROP,3, which will cause a connection to be dropped after three bad/malformed packets.
Rationale:
Bad packets received from the client can potentially indicate packet-based attacks on the system, such as 'TCP SYN Flood' or 'Smurf' attacks, which could result in a denial-of-service condition, this value should be set according to the needs of the organization."
solution : "To remediate this setting, execute the following SQL statement.
ALTER SYSTEM SET SEC_PROTOCOL_ERROR_FURTHER_ACTION = 'DROP,3' SCOPE = SPFILE;
References:
http://docs.oracle.com/database/121/REFRN/GUID-1E8D3C6E-C919-4218-8117-760D31BD0F95.htm#REFRN10282"
reference : "800-53|SC-5.,CIS_Recommendation|2.2.13,CSCv6|18,CSF|DE.CM-1,CSF|PR.DS-4,ITSG-33|SC-5,ITSG-33|SC-5a.,LEVEL|1S,NESA|T3.3.1,NIAv2|GS8e,NIAv2|GS10c,QCSC-v1|8.2.1"
see_also : "https://workbench.cisecurity.org/files/2741"
sql_request : "SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='SEC_PROTOCOL_ERROR_FURTHER_ACTION';"
sql_types : POLICY_VARCHAR
sql_expect : regex:"^\(DROP,\s*3\)$"
type : SQL_POLICY
description : "2.2.14 Ensure 'SEC_PROTOCOL_ERROR_TRACE_ACTION' Is Set to 'LOG'"
info : "The SEC_PROTOCOL_ERROR_TRACE_ACTION setting determines the Oracle's server's logging response level to bad/malformed packets received from the client by generating ALERT, LOG, or TRACE levels of detail in the log files. This setting should have a value of LOG unless the organization has a compelling reason to use a different value because LOG should cause the necessary information to be logged. Setting the value as TRACE can generate an enormous amount of log output and should be reserved for debugging only.
Rationale:
Bad packets received from the client can potentially indicate packet-based attacks on the system, which could result in a denial-of-service condition."
solution : "To remediate this setting, execute the following SQL statement.
ALTER SYSTEM SET SEC_PROTOCOL_ERROR_TRACE_ACTION=LOG SCOPE = SPFILE;
References:
http://docs.oracle.com/database/121/REFRN/GUID-AE811BC1-8CED-4B21-B16C-
4B712B127535.htm#REFRN10283"
see_also : "https://workbench.cisecurity.org/files/2741"
reference : "800-171|3.3.1,800-171|3.3.2,800-53|AU-12c.,800-53|SC-5.,CIS_Recommendation|2.2.14,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|6.2,CSCv7|6.2,CSCv7|6.3,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.DS-4,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12c.,ITSG-33|SC-5,ITSG-33|SC-5a.,LEVEL|1S,NESA|T3.3.1,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|GS8e,NIAv2|GS10c,NIAv2|SM8,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|13.2,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1"
sql_request : "SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='SEC_PROTOCOL_ERROR_TRACE_ACTION';"
sql_types : POLICY_VARCHAR
sql_expect : "LOG"
type : SQL_POLICY
description : "2.2.15 Ensure 'SEC_RETURN_SERVER_RELEASE_BANNER' Is Set to 'FALSE'"
info : "The information about patch/update release number provides information about the exact patch/update release that is currently running on the database. This is sensitive information that should not be revealed to anyone who requests it.
Rationale:
Allowing the database to return information about the patch/update release number could facilitate unauthorized users' attempts to gain access based upon known patch weaknesses."
solution : "To remediate this setting, execute the following SQL statement.
ALTER SYSTEM SET SEC_RETURN_SERVER_RELEASE_BANNER = FALSE SCOPE = SPFILE;
References:
http://docs.oracle.com/database/121/REFRN/GUID-688102A0-11F5-4F06-8868-934D65C4E878.htm#REFRN10275"
see_also : "https://workbench.cisecurity.org/files/2741"
reference : "800-171|3.4.6,800-171|3.4.7,800-53|CM-7b.,CIP|007-6-R1,CIS_Recommendation|2.2.15,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9,CSCv6|9.1,CSCv7|14.6,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7a.,LEVEL|1S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,QCSC-v1|3.2,SWIFT-CSCv1|2.3"
sql_request : "SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='SEC_RETURN_SERVER_RELEASE_BANNER';"
sql_types : POLICY_VARCHAR
sql_expect : "FALSE"
type : SQL_POLICY
description : "2.2.16 Ensure 'SQL92_SECURITY' Is Set to 'TRUE'"
info : "The SQL92_SECURITY parameter setting TRUE requires that a user must also be granted the SELECT object privilege before being able to perform UPDATE or DELETE operations on tables that have WHERE or SET clauses. The setting should have a value of TRUE.
Rationale:
A user without SELECT privilege can still infer the value stored in a column by referring to that column in a DELETE or UPDATE statement. This setting prevents inadvertent information disclosure by ensuring that only users who already have SELECT privilege can execute the statements that would allow them to infer the stored values."
solution : "To remediate this setting, execute the following SQL statement.
ALTER SYSTEM SET SQL92_SECURITY = TRUE SCOPE = SPFILE;
Default Value:
FALSE
References:
http://docs.oracle.com/database/121/REFRN/GUID-E41087C2-250E-4201-908B-79E659B22A4B.htm#REFRN10210"
see_also : "https://workbench.cisecurity.org/files/2741"
reference : "800-171|3.1.5,800-53|AC-6.,CIS_Recommendation|2.2.16,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.10.6(a),CSCv6|18,CSCv7|14.6,CSF|PR.AC-4,CSF|PR.DS-5,ITSG-33|AC-6,LEVEL|1S,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,PCI-DSSv3.1|7.1.2,PCI-DSSv3.2|7.1.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
sql_request : "SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='SQL92_SECURITY';"
sql_types : POLICY_VARCHAR
sql_expect : "TRUE"
type : SQL_POLICY
description : "2.2.17 Ensure '_trace_files_public' Is Set to 'FALSE'"
info : "The _trace_files_public setting determines whether or not the system's trace file is world readable. This setting should have a value of FALSE to restrict trace file access.
Rationale:
Making the file world readable means anyone can read the instance's trace file, which could contain sensitive information about instance operations."
solution : "To remediate this setting, execute the following SQL statement.
ALTER SYSTEM SET '_trace_files_public' = FALSE SCOPE = SPFILE;
References:
http://asktom.oracle.com/pls/asktom/f?p=100:11:0::::P11_QUESTION_ID:4295521746131"
see_also : "https://workbench.cisecurity.org/files/2741"
reference : "800-171|3.1.5,800-53|AC-6.,CIS_Recommendation|2.2.17,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.10.6(a),CSCv6|14.4,CSCv7|14.6,CSF|PR.AC-4,CSF|PR.DS-5,ITSG-33|AC-6,LEVEL|1S,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,PCI-DSSv3.1|7.1.2,PCI-DSSv3.2|7.1.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
sql_request : "SELECT VALUE FROM V$PARAMETER WHERE UPPER(NAME)='_TRACE_FILES_PUBLIC';"
sql_types : POLICY_VARCHAR
sql_expect : NULL || "FALSE"
check_option : CAN_BE_NULL
type : SQL_POLICY
description : "2.2.18 Ensure 'RESOURCE_LIMIT' Is Set to 'TRUE'"
info : "RESOURCE_LIMIT determines whether resource limits are enforced in database profiles. This setting should have a value of TRUE.
Rationale:
If RESOURCE_LIMIT is set to FALSE, none of the system resource limits that are set in any database profiles are enforced. If RESOURCE_LIMIT is set to TRUE, the limits set in database profiles are enforced."
solution : "To remediate this setting, execute the following SQL statement.
ALTER SYSTEM SET RESOURCE_LIMIT = TRUE SCOPE = SPFILE;
Default Value:
FALSE
References:
http://docs.oracle.com/database/121/REFRN/GUID-BB0AB177-3867-4D0D-8700-A1AC8BDFEFC3.htm#REFRN10188"
see_also : "https://workbench.cisecurity.org/files/2741"
reference : "800-53|SC-6.,CIS_Recommendation|2.2.18,CN-L3|7.1.3.7(c),CN-L3|7.1.3.7(d),CSCv6|14.4,CSCv7|14.6,ITSG-33|SC-6,ITSG-33|SC-6a.,LEVEL|1S,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2"
sql_request : "SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='RESOURCE_LIMIT';"
sql_types : POLICY_VARCHAR
sql_expect : "TRUE"
type : SQL_POLICY
description : "3.1 Ensure 'FAILED_LOGIN_ATTEMPTS' Is Less than or Equal to '3'"
info : "The FAILED_LOGIN_ATTEMPTS setting determines how many failed login attempts are permitted before the system locks the user's account. While different profiles can have different and more restrictive settings, such as USERS and APPS, the minimum(s) recommended here should be set on the DEFAULT profile.
Rationale:
Repeated failed login attempts can indicate the initiation of a brute-force login attack, this value should be set according to the needs of the organization. (See the Notes for a warning on a known bug that can make this security measure backfire.)"
solution : "Remediate this setting by executing the following SQL statement for each PROFILE returned by the audit procedure.
ALTER PROFILE LIMIT FAILED_LOGIN_ATTEMPTS 3;
Notes:
Warning: One great concern with the above is the possibility of this setting being exploited to craft a DDoS attack by using the row-locking delay between failed login attempts (see Oracle Bug 7715339 - Logon failures causes 'row cache lock' waits - Allow disable of logon delay [ID 7715339.8], so the configuration of this setting depends on using the bug workaround). Also, while the setting for the FAILED_LOGIN_ATTEMPTS value can also be set in sqlnet.ora, this only applies to listed users. The similar setting used to block a DDoS, the SEC_MAX_FAILED_LOGIN_ATTEMPTS initialization parameter, can be used to protect unauthorized intruders from attacking the server processes for applications, but this setting does not protect against unauthorized attempts via valid usernames."
see_also : "https://workbench.cisecurity.org/files/2741"
reference : "800-171|3.1.8,800-53|AC-7.,CIP|007-6-R5.7,CIS_Recommendation|3.1,CN-L3|8.1.4.1(b),CSCv6|16.7,CSCv7|16.7,ITSG-33|AC-7,LEVEL|1S,NIAv2|AM24,PCI-DSSv3.1|8.1.6,PCI-DSSv3.2|8.1.6,TBA-FIISB|36.2.4,TBA-FIISB|45.1.2"
sql_request : "SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE RESOURCE_NAME='FAILED_LOGIN_ATTEMPTS' AND (LIMIT = 'DEFAULT' OR LIMIT = 'UNLIMITED' OR LIMIT > 3);"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR, POLICY_INTEGER
sql_expect : NULL, NULL, NULL
type : SQL_POLICY
description : "3.2 Ensure 'PASSWORD_LOCK_TIME' Is Greater than or Equal to '15'"
info : "The PASSWORD_LOCK_TIME setting determines how many days must pass for the user's account to be unlocked after the set number of failed login attempts has occurred. The suggested value for this is one day or greater.
Rationale:
Locking the user account after repeated failed login attempts can block further brute-force login attacks, but can create administrative headaches as this account unlocking process always requires DBA intervention."
solution : "Remediate this setting by executing the following SQL statement for each PROFILE returned by the audit procedure.
ALTER PROFILE LIMIT PASSWORD_LOCK_TIME 15;"
see_also : "https://workbench.cisecurity.org/files/2741"
reference : "800-171|3.1.8,800-53|AC-7a.,CIS_Recommendation|3.2,CN-L3|8.1.4.1(b),CSCv6|16.7,CSCv7|16.7,ITSG-33|AC-7a.,LEVEL|1S,NESA|T5.5.1,NIAv2|AM24,TBA-FIISB|45.1.2,TBA-FIISB|45.2.1,TBA-FIISB|45.2.2"
sql_request : "SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE RESOURCE_NAME='PASSWORD_LOCK_TIME' AND (LIMIT = 'DEFAULT' OR LIMIT = 'UNLIMITED' OR LIMIT < 15)"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR, POLICY_INTEGER
sql_expect : NULL, NULL, NULL
type : SQL_POLICY
description : "3.3 Ensure 'PASSWORD_LIFE_TIME' Is Less than or Equal to '90'"
info : "The PASSWORD_LIFE_TIME setting determines how long a password may be used before the user is required to be change it. The suggested value for this is 90 days or less.
Rationale:
Allowing passwords to remain unchanged for long periods makes the success of brute-force login attacks more likely."
solution : "Remediate this setting by executing the following SQL statement for each PROFILE returned by the audit procedure.
ALTER PROFILE LIMIT PASSWORD_LIFE_TIME 90;"
see_also : "https://workbench.cisecurity.org/files/2741"
reference : "800-171|3.5.2,800-53|IA-5(1)(d),CIP|007-6-R5.6,CIS_Recommendation|3.3,CN-L3|7.1.2.7(e),CN-L3|7.1.3.1(b),CSCv6|16,CSF|PR.AC-1,HIPAA|164.308(a)(5)(ii)(D),ISO/IEC-27001|A.9.4.3,ITSG-33|IA-5(1)(d),LEVEL|1S,NESA|T5.2.3,NIAv2|AM20,NIAv2|AM21,PCI-DSSv3.1|8.2.4,PCI-DSSv3.2|8.2.4,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1,TBA-FIISB|26.2.2"
sql_request : "SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE RESOURCE_NAME='PASSWORD_LIFE_TIME' AND (LIMIT = 'DEFAULT' OR LIMIT = 'UNLIMITED' OR LIMIT > 90)"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR, POLICY_INTEGER
sql_expect : NULL, NULL, NULL
type : SQL_POLICY
description : "3.4 Ensure 'PASSWORD_REUSE_MAX' Is Greater than or Equal to '24'"
info : "The PASSWORD_REUSE_MAX setting determines how many different passwords must be used before the user is allowed to reuse a prior password. The suggested value for this is 24 passwords or greater.
Rationale:
Allowing reuse of a password within a short period of time after the password's initial use can make the success of both social-engineering and brute-force password-based attacks more likely."
solution : "Remediate this setting by executing the following SQL statement for each PROFILE returned by the audit procedure.
ALTER PROFILE LIMIT PASSWORD_REUSE_MAX 24;
Notes:
The above restriction should be applied along with the PASSWORD_REUSE_TIME setting."
see_also : "https://workbench.cisecurity.org/files/2741"
reference : "800-171|3.5.8,800-53|IA-5(1)(e),CIS_Recommendation|3.4,CSCv6|16,CSCv7|4.4,CSF|PR.AC-1,HIPAA|164.308(a)(5)(ii)(D),ISO/IEC-27001|A.9.4.3,ITSG-33|IA-5(1)(e),LEVEL|1S,NESA|T5.2.3,NIAv2|AM22c,PCI-DSSv3.1|8.2.5,PCI-DSSv3.2|8.2.5,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1,TBA-FIISB|26.2.3"
sql_request : "SELECT P.PROFILE, P.RESOURCE_NAME, P.LIMIT FROM DBA_PROFILES P WHERE TO_NUMBER(DECODE(P.LIMIT,'DEFAULT',(SELECT DISTINCT DECODE(LIMIT,'UNLIMITED',9999,LIMIT) FROM DBA_PROFILES WHERE PROFILE='DEFAULT' AND RESOURCE_NAME='PASSWORD_REUSE_MAX'),'UNLIMITED','9999',P.LIMIT)) < 24 AND P.RESOURCE_NAME = 'PASSWORD_REUSE_MAX' AND EXISTS ( SELECT 'X' FROM DBA_USERS U WHERE U.PROFILE = P.PROFILE );"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR, POLICY_INTEGER
sql_expect : NULL, NULL, NULL
type : SQL_POLICY
description : "3.5 Ensure 'PASSWORD_REUSE_TIME' Is Greater than or Equal to '365'"
info : "The PASSWORD_REUSE_TIME setting determines the amount of time in days that must pass before the same password may be reused. The suggested value for this is 365 days or greater.
Rationale:
Reusing the same password after only a short period of time has passed makes the success of brute-force login attacks more likely."
solution : "Remediate this setting by executing the following SQL statement for each PROFILE returned by the audit procedure.
ALTER PROFILE LIMIT PASSWORD_REUSE_TIME 365;
Notes:
The above restriction should be applied along with the PASSWORD_REUSE_MAX setting."
see_also : "https://workbench.cisecurity.org/files/2741"
reference : "800-171|3.5.8,800-53|IA-5(1)(e),CIS_Recommendation|3.5,CSCv6|16,CSCv7|4.4,CSF|PR.AC-1,HIPAA|164.308(a)(5)(ii)(D),ISO/IEC-27001|A.9.4.3,ITSG-33|IA-5(1)(e),LEVEL|1S,NESA|T5.2.3,NIAv2|AM22c,PCI-DSSv3.1|8.2.5,PCI-DSSv3.2|8.2.5,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1,TBA-FIISB|26.2.3"
sql_request : "SELECT P.PROFILE, P.RESOURCE_NAME, P.LIMIT FROM DBA_PROFILES P WHERE TO_NUMBER(DECODE(P.LIMIT,'DEFAULT',(SELECT DISTINCT DECODE(LIMIT,'UNLIMITED',9999,LIMIT) FROM DBA_PROFILES WHERE PROFILE='DEFAULT' AND RESOURCE_NAME='PASSWORD_REUSE_TIME'),'UNLIMITED','9999',P.LIMIT)) < 365 AND P.RESOURCE_NAME = 'PASSWORD_REUSE_TIME' AND EXISTS ( SELECT 'X' FROM DBA_USERS U WHERE U.PROFILE = P.PROFILE );"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR, POLICY_INTEGER
sql_expect : NULL, NULL, NULL
type : SQL_POLICY
description : "3.6 Ensure 'PASSWORD_GRACE_TIME' Is Less than or Equal to '0'"
info : "The PASSWORD_GRACE_TIME setting determines how many days can pass after the user's password expires before the user's login capability is automatically locked out. The suggested value for this is five days or less.
Rationale:
Locking the user account after the expiration of the password change requirement's grace period can help prevent password-based attacks against any forgotten or disused accounts, while still allowing the account and its information to be accessible by DBA intervention."
solution : "Remediate this setting by executing the following SQL statement for each PROFILE returned by the audit procedure.
ALTER PROFILE LIMIT PASSWORD_GRACE_TIME 0;"
see_also : "https://workbench.cisecurity.org/files/2741"
reference : "800-171|3.5.2,800-53|IA-5(1)(d),CIS_Recommendation|3.6,CN-L3|7.1.2.7(e),CN-L3|7.1.3.1(b),CSCv6|16,CSCv7|16.9,CSCv7|16.10,CSF|PR.AC-1,ISO/IEC-27001|A.9.4.3,ITSG-33|IA-5(1)(d),LEVEL|1S,NESA|T5.2.3,NIAv2|AM20,NIAv2|AM21,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1,TBA-FIISB|26.2.2"
sql_request : "SELECT P.PROFILE, P.RESOURCE_NAME, P.LIMIT FROM DBA_PROFILES P WHERE TO_NUMBER(DECODE(P.LIMIT,'DEFAULT',(SELECT DISTINCT DECODE(LIMIT,'UNLIMITED',9999,LIMIT) FROM DBA_PROFILES WHERE PROFILE='DEFAULT' AND RESOURCE_NAME='PASSWORD_GRACE_TIME'),'UNLIMITED','9999',P.LIMIT)) > 0 AND P.RESOURCE_NAME = 'PASSWORD_GRACE_TIME' AND EXISTS ( SELECT 'X' FROM DBA_USERS U WHERE U.PROFILE = P.PROFILE );"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR, POLICY_INTEGER
sql_expect : NULL, NULL, NULL
type : SQL_POLICY
description : "3.7 Ensure 'PASSWORD_VERIFY_FUNCTION' Is Set for All Profiles"
info : "The PASSWORD_VERIFY_FUNCTION determines password settings requirements when a user password is changed at the SQL command prompt. It should be set for all profiles. Note that this setting does not apply for users managed by the Oracle password file.
Rationale:
Requiring users to apply the 12c security features in password creation, such as forcing mixed-case complexity, blocking of simple combinations, and enforcing change/history settings can potentially thwart logins by an unauthorized user."
solution : "Create a custom password verification function which fulfills the password requirements of the organization."
see_also : "https://workbench.cisecurity.org/files/2741"
reference : "800-171|3.5.7,800-53|IA-5(1)(a),CIP|007-6-R5.5,CIS_Recommendation|3.7,CN-L3|7.1.2.7(e),CN-L3|7.1.3.1(b),CSCv6|16,CSCv7|4.4,CSF|PR.AC-1,HIPAA|164.308(a)(5)(ii)(D),ISO/IEC-27001|A.9.4.3,ITSG-33|IA-5(1)(a),LEVEL|1S,NESA|T5.2.3,NIAv2|AM19a,NIAv2|AM19b,NIAv2|AM19c,NIAv2|AM19d,NIAv2|AM22a,PCI-DSSv3.1|8.2.3,PCI-DSSv3.2|8.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1,TBA-FIISB|26.2.1,TBA-FIISB|26.2.4"
sql_request : "SELECT P.PROFILE, P.RESOURCE_NAME, P.LIMIT FROM DBA_PROFILES P WHERE DECODE(P.LIMIT,'DEFAULT',(SELECT LIMIT FROM DBA_PROFILES WHERE PROFILE='DEFAULT' AND RESOURCE_NAME = P.RESOURCE_NAME), LIMIT) = 'NULL' AND P.RESOURCE_NAME = 'PASSWORD_VERIFY_FUNCTION' AND EXISTS ( SELECT 'X' FROM DBA_USERS U WHERE U.PROFILE = P.PROFILE );"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR
sql_expect : NULL, NULL
type : SQL_POLICY
description : "3.8 Ensure 'SESSIONS_PER_USER' Is Less than or Equal to '10'"
info : "The SESSIONS_PER_USER setting determines the maximum number of user sessions that are allowed to be open concurrently. The suggested value for this is 10 or less.
Rationale:
Limiting the number of the SESSIONS_PER_USER can help prevent memory resource exhaustion by poorly formed requests or intentional denial-of-service attacks."
solution : "To remediate this setting, execute the following SQL statement for each PROFILE returned by the audit procedure.
ALTER PROFILE LIMIT SESSIONS_PER_USER 10;
Notes:
The SESSIONS_PER_USER profile management capability was created to prevent resource(s) exhaustion at a time when resource usage was very expensive. As current database design may require much higher limits on this parameter if one 'user' handles all processing for specific types of batch/customer connections, this must be handled via a new user profile."
see_also : "https://workbench.cisecurity.org/files/2741"
reference : "800-53|AC-10.,CIS_Recommendation|3.8,CSCv6|18,CSCv7|16.7,ITSG-33|AC-10,LEVEL|1S,NESA|T5.5.1,QCSC-v1|5.2.1,QCSC-v1|5.2.2"
sql_request : "SELECT P.PROFILE, P.RESOURCE_NAME, P.LIMIT FROM DBA_PROFILES P WHERE TO_NUMBER(DECODE(P.LIMIT,'DEFAULT',(SELECT DISTINCT DECODE(LIMIT,'UNLIMITED',9999,LIMIT) FROM DBA_PROFILES WHERE PROFILE='DEFAULT' AND RESOURCE_NAME='SESSIONS_PER_USER'), 'UNLIMITED','9999',P.LIMIT)) > 10 AND P.RESOURCE_NAME = 'SESSIONS_PER_USER' AND EXISTS ( SELECT 'X' FROM DBA_USERS U WHERE U.PROFILE = P.PROFILE );"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR, POLICY_INTEGER
sql_expect : NULL, NULL, NULL
type : SQL_POLICY
description : "3.9 Ensure 'INACTIVE_ACCOUNT_TIME' Is Less than or Equal to '120'"
info : "The 'INACTIVE_ACCOUNT_TIME' setting determines the maximum number of days of inactivity (no logins at all) after which the account will be locked. The suggested value for this is 120 or less.
Rationale:
Setting 'INACTIVE_ACCOUNT_TIME' can help with deactivation of 'inactive' or 'unused' accounts."
solution : "To remediate this setting, execute the following SQL statement for each PROFILE returned by the audit procedure.
ALTER PROFILE LIMIT INACTIVE_ACCOUNT_TIME 120;
Notes:
The SESSIONS_PER_USER profile management capability was created to prevent resource(s) exhaustion at a time when resource usage was very expensive. As current database design may require much higher limits on this parameter if one 'user' handles all processing for specific types of batch/customer connections, this must be handled via a new user profile."
reference : "800-171|3.1.11,800-53|AC-12.,CIS_Recommendation|3.9,CN-L3|7.1.2.2(d),CN-L3|7.1.3.7(b),CN-L3|8.1.4.1(b),CSCv6|18,CSCv7|16.9,ITSG-33|AC-12,LEVEL|1S,NIAv2|NS49"
see_also : "https://workbench.cisecurity.org/files/2741"
sql_request : "SELECT P.PROFILE, P.RESOURCE_NAME, P.LIMIT FROM DBA_PROFILES P WHERE TO_NUMBER(DECODE(P.LIMIT,'DEFAULT',(SELECT DISTINCT DECODE(LIMIT,'UNLIMITED',9999,LIMIT) FROM DBA_PROFILES WHERE PROFILE='DEFAULT' AND RESOURCE_NAME='INACTIVE_ACCOUNT_TIME'), 'UNLIMITED','9999', P.LIMIT)) > 120 AND P.RESOURCE_NAME = 'INACTIVE_ACCOUNT_TIME' AND EXISTS ( SELECT 'X' FROM DBA_USERS U WHERE U.PROFILE = P.PROFILE );"
sql_types : POLICY_VARCHAR
sql_expect : NULL
type : SQL_POLICY
description : "4.1 Ensure All Default Passwords Are Changed"
info : "Default passwords should not be used by Oracle database users.
Rationale:
Default passwords should be considered 'well known' to attackers. Consequently, if default passwords remain in place, any attacker with access to the database can authenticate as the user with that default password."
solution : "To remediate this setting, execute the following SQL statement, keeping in mind if this is granted in both container and pluggable database, you must connect to both places to revoke.
Manually issue the following SQL statement for each USERNAME returned in the Audit Procedure:
Execute the following SQL script to assign a randomly generated password to each account using a default password:
begin
for r_user in (select username
from dba_users_with_defpwd
where username not like '%XS$NULL%')
loop
DBMS_OUTPUT.PUT_LINE('Password for user '||r_user.username||' will be changed.');
execute immediate 'alter user ''||r_user.username||'' identified by ''||
DBMS_RANDOM.string('a',16)||''account lock password expire';
end loop;
end;
References:
http://docs.oracle.com/database/121/TDPSG/GUID-3EC7A894-D620-4497-AFB1-64EB8C33D854.htm#TDPSG20021
https://support.oracle.com/epmos/faces/DocumentDisplay?id=2173962.1"
see_also : "https://workbench.cisecurity.org/files/2741"
reference : "800-171|3.5.7,800-53|IA-5(1)(a),CIS_Recommendation|4.1,CN-L3|7.1.2.7(e),CN-L3|7.1.3.1(b),CSCv6|5.3,CSCv7|4.2,CSF|PR.AC-1,ISO/IEC-27001|A.9.4.3,ITSG-33|IA-5(1)(a),LEVEL|1S,NESA|T5.2.3,NIAv2|AM19a,NIAv2|AM19b,NIAv2|AM19c,NIAv2|AM19d,NIAv2|AM22a,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1,TBA-FIISB|26.2.1,TBA-FIISB|26.2.4"
sql_request : "SELECT DISTINCT A.USERNAME FROM DBA_USERS_WITH_DEFPWD A, DBA_USERS B WHERE A.USERNAME = B.USERNAME AND B.ACCOUNT_STATUS = 'OPEN';"
sql_types : POLICY_VARCHAR
sql_expect : NULL
type : SQL_POLICY
description : "4.2 Ensure All Sample Data And Users Have Been Removed"
info : "Oracle sample schemas can be used to create sample users (BI,HR,IX,OE,PM,SCOTT,SH), with well-known default passwords, particular views, and procedures/functions, in addition to tables and fictitious data. The sample schemas should be removed.
Rationale:
The sample schemas are typically not required for production operations of the database. The default users, views, and/or procedures/functions created by sample schemas could be used to launch exploits against production environments."
solution : "To remediate this setting, execute the following SQL statement, keeping in mind if this is granted in both container and pluggable database, you must connect to both places to run the drop script.
$ORACLE_HOME/demo/schema/drop_sch.sql
Then, execute the following SQL statement.
DROP USER SCOTT CASCADE;
Note: The recyclebin is not set to OFF within the default drop script, which means that the data will still be present in your environment until the recyclebin is emptied.
Impact:
The Oracle sample usernames may be in use on a production basis. It is important that you first verify that BI, HR, IX, OE, PM, SCOTT, and/or SH are not valid production usernames before executing the dropping SQL scripts. This may be particularly true with the HR and BI users. If any of these users are present, it is important to be cautious and confirm the schemas present are, in fact, Oracle sample schemas and not production schemas being relied upon by business operations.
References:
http://docs.oracle.com/database/121/COMSC/toc.htm"
see_also : "https://workbench.cisecurity.org/files/2741"
reference : "800-171|3.4.6,800-171|3.4.7,800-53|CM-7b.,CIP|007-6-R1,CIS_Recommendation|4.2,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv6|18.9,CSCv7|4.7,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7a.,LEVEL|1S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,QCSC-v1|3.2,SWIFT-CSCv1|2.3"
sql_request : "SELECT USERNAME FROM ALL_USERS WHERE USERNAME IN ('BI','HR','IX','OE','PM','SCOTT','SH');"
sql_types : POLICY_VARCHAR
sql_expect : NULL
type : SQL_POLICY
description : "4.3 Ensure 'DBA_USERS.AUTHENTICATION_TYPE' Is Not Set to 'EXTERNAL' for Any User"
info : "The authentication_type='EXTERNAL' setting determines whether or not a user can be authenticated by a remote OS to allow access to the database with full authorization. This setting should not be used.
Rationale:
Allowing remote OS authentication of a user to the database can potentially allow supposed 'privileged users' to connect as 'authenticated,' even when the remote system is compromised."
solution : "To remediate this setting, execute the following SQL statement, keeping in mind if this is granted in both container and pluggable database, you must connect to both places to revoke.
ALTER USER IDENTIFIED BY ;
Notes:
The PASSWORD keyword (column) used in the SQL for prior Oracle versions has been deprecated from version 11.2 onward in favor of the new AUTHENTICATION_TYPE keyword (column) for the DBA_USERS table. However, the PASSWORD column has still been retained for backward compatibility."
reference : "800-171|3.1.1,800-53|AC-2.,CIS_Recommendation|4.3,CN-L3|7.1.3.2(d),CSCv6|16,CSCv7|16.2,CSF|DE.CM-1,CSF|DE.CM-3,CSF|PR.AC-1,CSF|PR.AC-4,ISO/IEC-27001|A.9.2.1,ITSG-33|AC-2,LEVEL|1S,NIAv2|AM28,NIAv2|NS5j,NIAv2|SS14e,QCSC-v1|5.2.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2"
see_also : "https://workbench.cisecurity.org/files/2741"
sql_request : "SELECT USERNAME FROM DBA_USERS WHERE AUTHENTICATION_TYPE = 'EXTERNAL';"
sql_types : POLICY_VARCHAR
sql_expect : NULL
type : SQL_POLICY
description : "4.4 Ensure No Users Are Assigned the 'DEFAULT' Profile"
info : "Upon creation database users are assigned to the DEFAULT profile unless otherwise specified. No users should be assigned to that profile.
Rationale:
Users should be created with function-appropriate profiles. The DEFAULT profile, being defined by Oracle, is subject to change at any time (e.g. by patch or version update). The DEFAULT profile has unlimited settings that are often required by the SYS user when patching; such unlimited settings should be tightly reserved and not applied to unnecessary users."
solution : "To remediate this recommendation, execute the following SQL statement for each user returned by the audit query using a functional-appropriate profile, keeping in mind if this is granted in both container and pluggable database, you must connect to both places to revoke.
ALTER USER PROFILE ;"
see_also : "https://workbench.cisecurity.org/files/2741"
reference : "800-171|3.1.5,800-53|AC-6.,CIS_Recommendation|4.4,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.10.6(a),CSCv6|16,CSCv7|4.3,CSF|PR.AC-4,CSF|PR.DS-5,ITSG-33|AC-6,LEVEL|1S,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
sql_request : "SELECT USERNAME FROM DBA_USERS WHERE PROFILE='DEFAULT' AND ACCOUNT_STATUS='OPEN' AND ORACLE_MAINTAINED = 'N';"
sql_types : POLICY_VARCHAR
sql_expect : NULL
type : SQL_POLICY
description : "4.5 Ensure 'SYS.USER$MIG' Has Been Dropped"
info : "The table sys.user$mig is created during migration and contains the Oracle password hashes before the migration starts. This table should be dropped.
Rationale:
The table sys.user$mig is not deleted after the migration. An attacker could access the table containing the Oracle password hashes."
solution : "To remediate this setting, execute the following SQL statement, keeping in mind if this is granted in both container and pluggable database, you must connect to both places to revoke.
DROP TABLE SYS.USER$MIG;"
see_also : "https://workbench.cisecurity.org/files/2741"
reference : "800-171|3.4.6,800-171|3.4.7,800-53|CM-7b.,CIP|007-6-R1,CIS_Recommendation|4.5,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv6|16.14,CSCv7|16.4,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7a.,LEVEL|1S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,QCSC-v1|3.2,SWIFT-CSCv1|2.3"
sql_request : "SELECT OWNER, TABLE_NAME FROM ALL_TABLES WHERE OWNER='SYS' AND TABLE_NAME='USER$MIG';"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR
sql_expect : NULL, NULL
type : SQL_POLICY
description : "5.1.1.1 Ensure 'EXECUTE' is revoked from 'PUBLIC' on 'Network' Packages"
info : "As described below, Oracle Database PL/SQL 'Network' packages - DBMS_LDAP, UTL_INADDR, UTL_TCP, UTL_MAIL, UTL_SMTP, UTL_DBWS, UTL_ORAMTS, UTL_HTTP and type HTTPURITYPE - provide PL/SQL APIs to interact or access remote servers. The PUBLIC should not be able to execute these packages.
The Oracle database DBMS_LDAP package contains functions and procedures that enable programmers to access data from LDAP servers.
The Oracle database UTL_INADDR package provides an API to retrieve host names and IP addresses of local and remote hosts.
The Oracle database UTL_TCP package can be used to read/write file to TCP sockets on the server where the Oracle instance is installed.
The Oracle database UTL_MAIL package can be used to send email from the server where the Oracle instance is installed.
The Oracle database UTL_SMTP package can be used to send email from the server where the Oracle instance is installed. The user PUBLIC should not be able to execute UTL_SMTP.
The Oracle database UTL_DBWS package can be used to read/write file to web-based applications on the server where the Oracle instance is installed. This package is not automatically installed for security reasons.
The Oracle database UTL_ORAMTS package can be used to perform HTTP requests. This could be used to send information to the outside.
The Oracle database UTL_HTTP package can be used to perform HTTP requests. This could be used to send information to the outside.
The Oracle database HTTPURITYPE object type can be used to perform HTTP requests.
Rationale:
As described below, Oracle Database PL/SQL packages - DBMS_LDAP, UTL_INADDR, UTL_TCP, UTL_MAIL, UTL_SMTP, UTL_DBWS, UTL_ORAMTS, UTL_HTTP and type HTTPURITYPE can be used by unauthorized users to create specially crafted error messages or send information to external servers. The PUBLIC should not be able to execute these packages.
The use of the DBMS_LDAP package can be used to create specially crafted error messages or send information via DNS to the outside.
The UTL_INADDR package can be used to create specially crafted error messages or send information via DNS to the outside.
The UTL_TCP package could allow an unauthorized user to corrupt the TCP stream used to carry the protocols that communicate with the instance's external communications.
The UTL_MAIL package could allow an unauthorized user to corrupt the SMTP function to accept or generate junk mail that can result in a denial-of-service condition due to network saturation.
The UTL_SMTP package could allow an unauthorized user to corrupt the SMTP function to accept or generate junk mail that can result in a denial-of-service condition due to network saturation.
The UTL_DBWS package could allow an unauthorized user to corrupt the HTTP stream used to carry the protocols that communicate for the instance's web-based external communications.
The UTL_ORAMTS package could be used to send (sensitive) information to external websites. The use of this package should be restricted according to the needs of the organization.
The UTL_HTTP package could be used to send (sensitive) information to external websites.
The use of this package should be restricted according to the needs of the organization.
The ability to perform HTTP requests could be used to leak information from the database to an external destination."
solution : "To remediate this setting, execute the following SQL statement, keeping in mind if this is granted in both container and pluggable database, you must connect to both places to revoke.
REVOKE EXECUTE ON DBMS_LDAP FROM PUBLIC;
REVOKE EXECUTE ON UTL_INADDR FROM PUBLIC;
REVOKE EXECUTE ON UTL_TCP FROM PUBLIC;
REVOKE EXECUTE ON UTL_MAIL FROM PUBLIC;
REVOKE EXECUTE ON UTL_SMTP FROM PUBLIC;
REVOKE EXECUTE ON UTL_DBWS FROM PUBLIC;
REVOKE EXECUTE ON UTL_ORAMTS FROM PUBLIC;
REVOKE EXECUTE ON UTL_HTTP FROM PUBLIC;
REVOKE EXECUTE ON HTTPURITYPE FROM PUBLIC;"
reference : "800-171|3.1.5,800-53|AC-6.,CIS_Recommendation|5.1.1.1,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.10.6(a),CSCv6|5.1,CSCv7|14.6,CSF|PR.AC-4,CSF|PR.DS-5,ITSG-33|AC-6,LEVEL|1S,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also : "https://workbench.cisecurity.org/files/2741"
sql_request : "SELECT TABLE_NAME, PRIVILEGE, GRANTEE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME IN ('DBMS_LDAP','UTL_INADDR','UTL_TCP','UTL_MAIL','UTL_SMTP','UTL_DBWS','UTL_ORAMTS','UTL_HTTP','HTTPURITYPE');"
sql_types : POLICY_VARCHAR
sql_expect : NULL
type : SQL_POLICY
description : "5.1.1.2 Ensure 'EXECUTE' is revoked from 'PUBLIC' on 'ob体育 System' Packages"
info : "As described below, Oracle Database PL/SQL 'ob体育 System' packages - DBMS_ADVISOR, DBMS_LOB and UTL_FILE - provide PL/SQL APIs to access files on the servers. The user PUBLIC should not be able to execute these packages.
The Oracle database DBMS_ADVISOR package can be used to write files located on the server where the Oracle instance is installed. The user PUBLIC should not be able to execute DBMS_ADVISOR.
The Oracle database DBMS_LOB package provides subprograms that can manipulate and read/write on BLOB's, CLOB's, NCLOB's, BFILE's, and temporary LOB's. The user PUBLIC should not be able to execute DBMS_LOB.
The Oracle database UTL_FILE package can be used to read/write files located on the server where the Oracle instance is installed. The user PUBLIC should not be able to execute UTL_FILE.
Rationale:
As described below, Oracle Database PL/SQL 'ob体育 System' packages - DBMS_ADVISOR, DBMS_LOB and UTL_FILE - should not be granted to PUBLIC.
Use of the DBMS_ADVISOR package could allow an unauthorized user to corrupt operating system files on the instance's host.
Use of the DBMS_LOB package could allow an unauthorized user to manipulate BLOB's, CLOB's, NCLOB's, BFILE's, and temporary LOBs on the instance, either destroying data or causing a denial-of-service condition due to corruption of disk space.
Use of the UTL_FILE package could allow a user to read OS files. These files could contain sensitive information (e.g. passwords in .bash_history)"
solution : "To remediate this setting, execute the following SQL statement, keeping in mind if this is granted in both container and pluggable database, you must connect to both places to revoke.
REVOKE EXECUTE ON DBMS_ADVISOR FROM PUBLIC;
REVOKE EXECUTE ON DBMS_LOB FROM PUBLIC;
REVOKE EXECUTE ON UTL_FILE FROM PUBLIC;"
reference : "800-171|3.1.5,800-53|AC-6.,CIS_Recommendation|5.1.1.2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.10.6(a),CSCv6|5.1,CSCv7|14.6,CSF|PR.AC-4,CSF|PR.DS-5,ITSG-33|AC-6,LEVEL|1S,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also : "https://workbench.cisecurity.org/files/2741"
sql_request : "SELECT TABLE_NAME, PRIVILEGE, GRANTEE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME IN ('DBMS_ADVISOR','DBMS_LOB','UTL_FILE');"
sql_types : POLICY_VARCHAR
sql_expect : NULL
type : SQL_POLICY
description : "5.1.1.3 Ensure 'EXECUTE' is revoked from 'PUBLIC' on 'Encryption' Packages"
info : "As described below, Oracle Database PL/SQL 'Encryption' packages - DBMS_CRYPTO, DBMS_OBFUSCATION_TOOLKIT and DBMS_RANDOM - provide PL/SQL APIs to perform functions related to cryptography. The PUBLIC should not be able to execute these packages.
The DBMS_CRYPTO settings provide a toolset that determines the strength of the encryption algorithm used to encrypt application data and is part of the SYS schema. The DES (56-bit key), 3DES (168-bit key), 3DES-2KEY (112-bit key), AES (128/192/256-bit keys), and RC4 are available.
The DBMS_OBFUSCATION_TOOLKIT provides one of the tools that determine the strength of the encryption algorithm used to encrypt application data and is part of the SYS schema. The DES (56-bit key) and 3DES (168-bit key) are the only two types available.
The Oracle database DBMS_RANDOM package is used for generating random numbers but should not be used for cryptographic purposes.
Rationale:
As described below, Oracle Database PL/SQL Encryption packages - DBMS_CRYPTO, DBMS_OBFUSCATION_TOOLKIT and DBMS_RANDOM - should not be granted to PUBLIC.
Execution of the DBMS_CRYPTO procedures by the PUBLIC can potentially endanger portions of or all of the data storage.
Allowing the PUBLIC privileges to access this capability can be potentially harm data storage.
Use of the DBMS_RANDOM package can allow the unauthorized application of the random number-generating function."
solution : "To remediate this setting, execute the following SQL statement, keeping in mind if this is granted in both container and pluggable database, you must connect to both places to revoke.
REVOKE EXECUTE ON DBMS_CRYPTO FROM PUBLIC;
REVOKE EXECUTE ON DBMS_OBFUSCATION_TOOLKIT FROM PUBLIC;
REVOKE EXECUTE ON DBMS_RANDOM FROM PUBLIC;"
reference : "800-171|3.1.5,800-53|AC-6.,CIS_Recommendation|5.1.1.3,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.10.6(a),CSCv6|5.1,CSCv7|14.6,CSF|PR.AC-4,CSF|PR.DS-5,ITSG-33|AC-6,LEVEL|1S,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also : "https://workbench.cisecurity.org/files/2741"
sql_request : "SELECT TABLE_NAME, PRIVILEGE, GRANTEE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME IN ('DBMS_CRYPTO','DBMS_OBFUSCATION_TOOLKIT', 'DBMS_RANDOM');"
sql_types : POLICY_VARCHAR
sql_expect : NULL
type : SQL_POLICY
description : "5.1.1.4 Ensure 'EXECUTE' is revoked from 'PUBLIC' on 'Java' Packages"
info : "As described below, Oracle Database PL/SQL 'Java' packages - DBMS_JAVA and DBMS_JAVA_TEST - provide APIs to run Java classes or grant Java packages. The user PUBLIC should not be able to execute these packages.
The Oracle database DBMS_JAVA package can run Java classes (e.g. OS commands) or grant Java privileges. The user PUBLIC should not be able to execute DBMS_JAVA.
The Oracle database DBMS_JAVA_TEST package can run Java classes (e.g. OS commands) or grant Java privileges. The user PUBLIC should not be able to execute DBMS_JAVA_TEST.
Rationale:
As described below, Oracle Database PL/SQL 'Java' packages - DBMS_JAVA and DBMS_JAVA_TEST - should not be granted to PUBLIC.
The DBMS_JAVA package could allow an attacker to run OS commands from the database.
The DBMS_JAVA_TEST package could allow an attacker to run operating system commands from the database."
solution : "To remediate this setting, execute the following SQL statement, keeping in mind if this is granted in both container and pluggable database, you must connect to both places to revoke.
REVOKE EXECUTE ON DBMS_JAVA FROM PUBLIC;
REVOKE EXECUTE ON DBMS_JAVA_TEST FROM PUBLIC;"
reference : "800-171|3.1.5,800-53|AC-6.,CIS_Recommendation|5.1.1.4,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.10.6(a),CSCv6|5.1,CSCv7|14.6,CSF|PR.AC-4,CSF|PR.DS-5,ITSG-33|AC-6,LEVEL|1S,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also : "https://workbench.cisecurity.org/files/2741"
sql_request : "SELECT TABLE_NAME, PRIVILEGE, GRANTEE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME IN ('DBMS_JAVA','DBMS_JAVA_TEST');"
sql_types : POLICY_VARCHAR
sql_expect : NULL
type : SQL_POLICY
description : "5.1.1.5 Ensure 'EXECUTE' is revoked from 'PUBLIC' on 'Job Scheduler' Packages"
info : "As described below, Oracle Database PL/SQL 'Job Scheduler' packages - DBMS_SCHEDULER and DBMS_JOB - provide APIs to schedule jobs. The user PUBLIC should not be able to execute these packages.
The Oracle database DBMS_SCHEDULER package schedules and manages the database and operating system jobs. The user PUBLIC should not be able to execute DBMS_SCHEDULER.
The Oracle database DBMS_JOB package schedules and manages the jobs sent to the job queue and has been superseded by the DBMS_SCHEDULER package, even though DBMS_JOB has been retained for backwards compatibility. The user PUBLIC should not be able to execute DBMS_JOB.
Rationale:
As described below, Oracle Database PL/SQL 'Job Scheduler' packages - DBMS_SCHEDULER and DBMS_JOB - should not be granted to the user PUBLIC.
Use of the DBMS_SCHEDULER package could allow an unauthorized user to run database or operating system jobs.
Use of the DBMS_JOB package could allow an unauthorized user to disable or overload the job queue. It has been superseded by the DBMS_SCHEDULER package."
solution : "To remediate this setting, execute the following SQL statement, keeping in mind if this is granted in both container and pluggable database, you must connect to both places to revoke.
REVOKE EXECUTE ON DBMS_JOB FROM PUBLIC;
REVOKE EXECUTE ON DBMS_SCHEDULER FROM PUBLIC;"
reference : "800-171|3.1.5,800-53|AC-6.,CIS_Recommendation|5.1.1.5,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.10.6(a),CSCv6|5.1,CSCv7|14.6,CSF|PR.AC-4,CSF|PR.DS-5,ITSG-33|AC-6,LEVEL|1S,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also : "https://workbench.cisecurity.org/files/2741"
sql_request : "SELECT TABLE_NAME, PRIVILEGE, GRANTEE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME IN ('DBMS_SCHEDULER','DBMS_JOB');"
sql_types : POLICY_VARCHAR
sql_expect : NULL
type : SQL_POLICY
description : "5.1.1.6 Ensure 'EXECUTE' is revoked from 'PUBLIC' on 'SQL Injection Helper' Packages"
info : "As described below, Oracle Database PL/SQL 'SQL Injection Helper Packages' packages - DBMS_SQL, DBMS_XMLGEN, DBMS_XMLQUERY, DBMS_XLMSTORE, DBMS_XLMSAVE and DBMS_REDACT - provide APIs to schedule jobs. The user PUBLIC should not be able to execute these packages.
The Oracle database DBMS_SQL package is used for running dynamic SQL statements.
The DBMS_XMLGEN package takes an arbitrary SQL query as input, converts it to XML format, and returns the result as a CLOB.
The Oracle package DBMS_XMLQUERY takes an arbitrary SQL query, converts it to XML format, and returns the result. This package is similar to DBMS_XMLGEN.
The DBMS_XLMSTORE package provides XML functionality. It accepts a table name and XML as input to perform DML operations against the table.
The DBMS_XLMSAVE package provides XML functionality. It accepts a table name and XML as input and then inserts into or updates that table.
The DBMS_REDACT package provides an interface to Oracle Data Redaction, which enables you to mask (redact) data that is returned from queries issued by low-privileged users or an application.
Rationale:
As described below, Oracle Database PL/SQL 'SQL Injection Helper Packages' packages - DBMS_SQL, DBMS_XMLGEN, DBMS_XMLQUERY, DBMS_XLMSTORE, DBMS_XLMSAVE and 'DBMS_REDACT' - should not be granted to PUBLIC.
The DBMS_SQL package could allow privilege escalation if input validation is not done properly.
The package DBMS_XMLGEN can be used to search the entire database for sensitive information like credit card numbers
The package DBMS_XMLQUERY can be used to search the entire database for sensitive information like credit card numbers. Malicious users may be able to exploit this package as an auxiliary inject function in a SQL injection attack.
Malicious users may be able to exploit the DBMS_XLMSTORE package as an auxiliary inject function in a SQL injection attack.
Malicious users may be able to exploit the DBMS_XLMSAVE package as an auxiliary inject function in a SQL injection attack.
Malicious users may be able to exploit DBMS_REDACT as an auxiliary inject function in a SQL injection attack."
solution : "To remediate this setting, execute the following SQL statement, keeping in mind if this is granted in both container and pluggable database, you must connect to both places to revoke.
REVOKE EXECUTE ON DBMS_SQL FROM PUBLIC;
REVOKE EXECUTE ON DBMS_XMLGEN FROM PUBLIC;
REVOKE EXECUTE ON DBMS_XMLQUERY FROM PUBLIC;
REVOKE EXECUTE ON DBMS_XMLSAVE FROM PUBLIC;
REVOKE EXECUTE ON DBMS_XMLSTORE FROM PUBLIC;
REVOKE EXECUTE ON DBMS_AW FROM PUBLIC;
REVOKE EXECUTE ON OWA_UTIL FROM PUBLIC;
REVOKE EXECUTE ON DBMS_REDACT FROM PUBLIC;"
reference : "800-171|3.1.5,800-53|AC-6.,CIS_Recommendation|5.1.1.6,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.10.6(a),CSCv6|5.1,CSCv7|14.6,CSF|PR.AC-4,CSF|PR.DS-5,ITSG-33|AC-6,LEVEL|1S,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also : "https://workbench.cisecurity.org/files/2741"
sql_request : "SELECT TABLE_NAME, PRIVILEGE, GRANTEE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME IN ('DBMS_SQL','DBMS_XMLGEN','DBMS_XMLQUERY','DBMS_XMLSTORE','DBMS_XMLSAVE','DBMS_AW','OWA_UTIL','DBMS_REDACT');"
sql_types : POLICY_VARCHAR
sql_expect : NULL
type : SQL_POLICY
description : "5.1.2.1 Ensure 'EXECUTE' is not granted to 'PUBLIC' on 'Non-default' Packages"
info : "The packages described in this control are not granted to PUBLIC by default ('Non-default' packages). These packages should not be granted to PUBLIC.
The Oracle database DBMS_BACKUP_RESTORE package is used for applying PL/SQL commands to the native RMAN sequences.
The Oracle database DBMS_FILE_TRANSFER package allows a user to transfer files from one database server to another.
The Oracle database DBMS_SYS_SQL, DBMS_AQADM_SYSCALLS, DBMS_REPCAT_SQL_UTL, INITJVMAUX, DBMS_STREAMS_ADM_UTL, DBMS_AQADM_SYS, DBMS_STREAMS_RPC, DBMS_PRVTAQIM, LTADM, WWV_DBMS_SQL, WWV_EXECUTE_IMMEDIATE and DBMS_IJOB packages are shipped as undocumented.
Rationale:
As described below, these 'non-default' group of PL/SQL packages, which are not granted to PUBLIC by default, packages should not be granted to PUBLIC.
The DBMS_BACKUP_RESTORE package can allow access to OS files.
The DBMS_FILE_TRANSFER package could allow to transfer files from one database server to another without authorization to do so.
The DBMS_SYS_SQL package could allow a user to run code as a different user without entering valid credentials.
The DBMS_AQADM_SYSCALLS package could allow an unauthorized user to run SQL commands as user SYS.
The DBMS_REPCAT_SQL_UTL package could allow an unauthorized user to run SQL commands as user SYS.
The INITJVMAUX package could allow an unauthorized user to run SQL commands as user SYS.
The DBMS_STREAMS_ADM_UTL package could allow an unauthorized user to run SQL commands as user SYS.
The DBMS_AQADM_SYS package could allow an unauthorized user to run SQL commands as user SYS.
The DBMS_STREAMS_RPC package could allow an unauthorized user to run SQL commands as user SYS.
The DBMS_PRVTAQIM package could allow an unauthorized user to escalate privileges because any SQL statements could be executed as user SYS.
The LTADM package could allow an unauthorized user to run any SQL command as user SYS. It allows privilege escalation if granted to unprivileged users.
The WWV_DBMS_SQL package could allow an unauthorized user to run SQL statements as the Application Express (APEX) user. The user PUBLIC should not be able to execute WWV_DBMS_SQL.
The WWV_EXECUTE_IMMEDIATE package could allow an unauthorized user to run SQL statements as the Application Express (APEX) user.
The DBMS_IJOB package could allow an attacker to change identities by using a different username to execute a database job. It allows a user to run database jobs in the context of another user."
solution : "To remediate this setting, execute the following SQL statement, keeping in mind if this is granted in both container and pluggable database, you must connect to both places to revoke.
REVOKE EXECUTE ON DBMS_BACKUP_RESTORE FROM PUBLIC;
REVOKE EXECUTE ON DBMS_FILE_TRANSFER FROM PUBLIC;
REVOKE EXECUTE ON DBMS_SYS_SQL FROM PUBLIC;
REVOKE EXECUTE ON DBMS_AQADM_SYSCALLS FROM PUBLIC;
REVOKE EXECUTE ON DBMS_REPCAT_SQL_UTL FROM PUBLIC;
REVOKE EXECUTE ON INITJVMAUX FROM PUBLIC;
REVOKE EXECUTE ON DBMS_STREAMS_ADM_UTL FROM PUBLIC;
REVOKE EXECUTE ON DBMS_AQADM_SYS FROM PUBLIC;
REVOKE EXECUTE ON DBMS_STREAMS_RPC FROM PUBLIC;
REVOKE EXECUTE ON DBMS_PRVTAQIM FROM PUBLIC;
REVOKE EXECUTE ON LTADM FROM PUBLIC;
REVOKE EXECUTE ON WWV_DBMS_SQL FROM PUBLIC;
REVOKE EXECUTE ON WWV_EXECUTE_IMMEDIATE FROM PUBLIC;
REVOKE EXECUTE ON DBMS_IJOB FROM PUBLIC;
REVOKE EXECUTE ON DBMS_PDB_EXEC_SQL FROM PUBLIC;"
reference : "800-171|3.1.5,800-53|AC-6.,CIS_Recommendation|5.1.2.1,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.10.6(a),CSCv6|18,CSCv7|14.6,CSF|PR.AC-4,CSF|PR.DS-5,ITSG-33|AC-6,LEVEL|1S,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also : "https://workbench.cisecurity.org/files/2741"
sql_request : "SELECT TABLE_NAME, PRIVILEGE, GRANTEE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME IN ('DBMS_BACKUP_RESTORE','DBMS_FILE_TRANSFER','DBMS_SYS_SQL','DBMS_AQADM_SYSCALLS','DBMS_REPCAT_SQL_UTL','INITJVMAUX','DBMS_STREAMS_ADM_UTL','DBMS_AQADM_SYS','DBMS_STREAMS_RPC','DBMS_PRVTAQIM','LTADM','WWV_DBMS_SQL', 'WWV_EXECUTE_IMMEDIATE','DBMS_IJOB','DBMS_PDB_EXEC_SQL');"
sql_types : POLICY_VARCHAR
sql_expect : NULL
type : SQL_POLICY
description : "5.1.3.1 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'AUD$'"
info : "The Oracle database SYS.AUD$ table contains all the audit records for the database of the non-Data Manipulation Language (DML) events, such as ALTER, DROP, and CREATE, and so forth. (DML changes need trigger-based audit events to record data alterations.) Unauthorized grantees should not have full access to that table.
Rationale:
Permitting non-privileged users the authorization to manipulate the SYS.AUD$ table can allow distortion of the audit records, hiding unauthorized activities."
solution : "To remediate this setting, execute the following SQL statement, keeping in mind if this is granted in both container and pluggable database, you must connect to both places to revoke.
REVOKE ALL ON AUD$ FROM ;
References:
http://docs.oracle.com/database/121/DBSEG/audit_admin.htm#DBSEG629"
see_also : "https://workbench.cisecurity.org/files/2741"
reference : "800-171|3.1.5,800-53|AC-6.,CIS_Recommendation|5.1.3.1,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.10.6(a),CSCv6|5.1,CSCv7|14.6,CSF|PR.AC-4,CSF|PR.DS-5,ITSG-33|AC-6,LEVEL|1S,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,PCI-DSSv3.1|7.1.2,PCI-DSSv3.2|7.1.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
sql_request : "SELECT GRANTEE, PRIVILEGE FROM DBA_TAB_PRIVS WHERE TABLE_NAME='AUD$' AND OWNER = 'SYS';"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR
sql_expect : NULL, NULL
type : SQL_POLICY
description : "5.1.3.2 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'DBA_%'"
info : "The Oracle database DBA_ views show all information which is relevant to administrative accounts. Unauthorized grantees should not have full access to those views.
Rationale:
Permitting users the authorization to manipulate the DBA_ views can expose sensitive data."
solution : "Replace in the query below, with the Oracle login(s) or role(s) returned from the associated audit procedure and execute, keeping in mind if this is granted in both container and pluggable database, you must connect to both places to revoke:
REVOKE ALL ON FROM ;
References:
http://docs.oracle.com/database/121/REFRN/GUID-10024282-6729-4C66-8679-FD653C9C7DE7.htm#REFRN-GUID-10024282-6729-4C66-8679-FD653C9C7DE7"
see_also : "https://workbench.cisecurity.org/files/2741"
reference : "800-171|3.1.5,800-53|AC-6.,CIS_Recommendation|5.1.3.2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.10.6(a),CSCv6|5.1,CSCv7|14.6,CSF|PR.AC-4,CSF|PR.DS-5,ITSG-33|AC-6,LEVEL|1S,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
sql_request : "SELECT GRANTEE,TABLE_NAME FROM DBA_TAB_PRIVS WHERE TABLE_NAME LIKE 'DBA_%' AND OWNER = 'SYS' AND GRANTEE NOT IN (SELECT USERNAME FROM DBA_USERS WHERE ORACLE_MAINTAINED='Y') AND GRANTEE NOT IN (SELECT ROLE FROM DBA_ROLES WHERE ORACLE_MAINTAINED='Y');"
sql_types : POLICY_VARCHAR
sql_expect : NULL
type : SQL_POLICY
description : "5.1.3.3 Ensure 'ALL' Is Revoked on 'Sensitive' Tables"
info : "The Oracle database tables listed below may contain sensitive information, and should not be accessible to unauthorized users.
USER$, USER_HISTORY$, XS$VERIFIERS and DEFAULT_PWD$ may contain password hashes.
CDB_LOCAL_ADMINAUTH$ and PDB_SYNC$ may contain DDLs.
LINK$ and SCHEDULER$_CREDENTIAL may contain encrypted passwords.
ENC$ may contains encryption keys.
HISTGRM$ and HIST_HEAD$ may contain sensitive data.
Rationale:
Access to sensitive information such as hashed passwords may allow unauthorized users to decrypt the passwords hashes which could potentially result in complete compromise of the database."
solution : "Execute applicable SQLs listed below to remediate:
REVOKE ALL ON SYS.CDB_LOCAL_ADMINAUTH$ FROM ;
REVOKE ALL ON SYS.DEFAULT_PWD$ FROM ;
REVOKE ALL ON SYS.ENC$ FROM ;
REVOKE ALL ON SYS.HISTGRM$ FROM ;
REVOKE ALL ON SYS.HIST_HEAD$ FROM ;
REVOKE ALL ON SYS.LINK$ FROM ;
REVOKE ALL ON SYS.PDB_SYNC$ FROM ;
REVOKE ALL ON SYS.SCHEDULER$_CREDENTIAL FROM ;
REVOKE ALL ON SYS.USER$ FROM ;
REVOKE ALL ON SYS.USER_HISTORY$ FROM ;
REVOKE ALL ON SYS.XS$VERIFIERS FROM ;"
reference : "800-171|3.1.5,800-53|AC-6.,CIS_Recommendation|5.1.3.3,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.10.6(a),CSCv6|5.1,CSCv7|14.6,CSF|PR.AC-4,CSF|PR.DS-5,ITSG-33|AC-6,LEVEL|1S,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also : "https://workbench.cisecurity.org/files/2741"
sql_request : "SELECT GRANTEE, PRIVILEGE, TABLE_NAME FROM DBA_TAB_PRIVS WHERE TABLE_NAME in ('CDB_LOCAL_ADMINAUTH$','DEFAULT_PWD$','ENC$','HISTGRM$','HIST_HEAD$','LINK$','PDB_SYNC$','SCHEDULER$_CREDENTIAL','USER$','USER_HISTORY$','XS$VERIFIERS') AND OWNER = 'SYS' AND GRANTEE NOT IN (SELECT USERNAME FROM DBA_USERS WHERE ORACLE_MAINTAINED='Y') AND GRANTEE NOT IN (SELECT ROLE FROM DBA_ROLES WHERE ORACLE_MAINTAINED='Y');"
sql_types : POLICY_VARCHAR
sql_expect : NULL
type : SQL_POLICY
description : "5.2.1 Ensure '%ANY%' Is Revoked from Unauthorized 'GRANTEE'"
info : "The Oracle database ANY keyword provides the user the capability to alter any item in the catalog of the database. Unauthorized grantees should not have that keyword assigned to them.
Rationale:
Authorization to use the ANY expansion of a privilege can allow an unauthorized user to potentially change confidential data or damage the data catalog."
solution : "To remediate this setting, execute the following SQL statement, keeping in mind if this is granted in both container and pluggable database, you must connect to both places to revoke.
REVOKE '' FROM ;
References:
http://docs.oracle.com/database/121/DBSEG/authorization.htm#DBSEG99877"
see_also : "https://workbench.cisecurity.org/files/2741"
reference : "800-171|3.1.5,800-53|AC-6.,CIS_Recommendation|5.2.1,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.10.6(a),CSCv6|14.4,CSCv7|14.6,CSF|PR.AC-4,CSF|PR.DS-5,ITSG-33|AC-6,LEVEL|1S,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,PCI-DSSv3.1|7.1.2,PCI-DSSv3.2|7.1.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
sql_request : "SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE LIKE '%ANY%' AND GRANTEE NOT IN (SELECT USERNAME FROM DBA_USERS WHERE ORACLE_MAINTAINED='Y') AND GRANTEE NOT IN (SELECT ROLE FROM DBA_ROLES WHERE ORACLE_MAINTAINED='Y');"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR
sql_expect : NULL, NULL
type : SQL_POLICY
description : "5.2.2 Ensure 'DBA_SYS_PRIVS.%' Is Revoked from Unauthorized 'GRANTEE' with 'ADMIN_OPTION' Set to 'YES'"
info : "The Oracle database WITH_ADMIN privilege allows the designated user to grant another user the same privileges. Unauthorized grantees should not have that privilege.
Rationale:
Assignment of the WITH_ADMIN privilege can allow the granting of a restricted privilege to an unauthorized user."
solution : "To remediate this setting, execute the following SQL statement, keeping in mind if this is granted in both container and pluggable database, you must connect to both places to revoke.
REVOKE FROM ;"
see_also : "https://workbench.cisecurity.org/files/2741"
reference : "800-171|3.1.5,800-53|AC-6.,CIS_Recommendation|5.2.2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.10.6(a),CSCv6|5.1,CSCv7|14.6,CSF|PR.AC-4,CSF|PR.DS-5,ITSG-33|AC-6,LEVEL|1S,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,PCI-DSSv3.1|7.1.2,PCI-DSSv3.2|7.1.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
sql_request : "SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE ADMIN_OPTION='YES' AND GRANTEE NOT IN (SELECT USERNAME FROM DBA_USERS WHERE ORACLE_MAINTAINED='Y') AND GRANTEE NOT IN (SELECT ROLE FROM DBA_ROLES WHERE ORACLE_MAINTAINED='Y');"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR
sql_expect : NULL, NULL
type : SQL_POLICY
description : "5.2.3 Ensure 'EXECUTE ANY PROCEDURE' Is Revoked from 'OUTLN'"
info : "Remove unneeded EXECUTE ANY PROCEDURE privileges from OUTLN.
Rationale:
Migrated OUTLN users have more privileges than required."
solution : "To remediate this setting, execute the following SQL statement, keeping in mind if this is granted in both container and pluggable database, you must connect to both places to revoke.
REVOKE EXECUTE ANY PROCEDURE FROM OUTLN;"
see_also : "https://workbench.cisecurity.org/files/2741"
reference : "800-171|3.1.5,800-53|AC-6.,CIS_Recommendation|5.2.3,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.10.6(a),CSCv6|5.1,CSCv7|14.6,CSF|PR.AC-4,CSF|PR.DS-5,ITSG-33|AC-6,LEVEL|1S,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,PCI-DSSv3.1|7.1.2,PCI-DSSv3.2|7.1.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
sql_request : "SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='EXECUTE ANY PROCEDURE' AND GRANTEE='OUTLN';"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR
sql_expect : NULL, NULL
type : SQL_POLICY
description : "5.2.4 Ensure 'EXECUTE ANY PROCEDURE' Is Revoked from 'DBSNMP'"
info : "Remove unneeded EXECUTE ANY PROCEDURE privileges from DBSNMP.
Rationale:
Migrated DBSNMP users have more privileges than required."
solution : "To remediate this setting, execute the following SQL statement, keeping in mind if this is granted in both container and pluggable database, you must connect to both places to revoke.
REVOKE EXECUTE ANY PROCEDURE FROM DBSNMP;"
see_also : "https://workbench.cisecurity.org/files/2741"
reference : "800-171|3.1.5,800-53|AC-6.,CIS_Recommendation|5.2.4,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.10.6(a),CSCv6|5.1,CSCv7|14.6,CSF|PR.AC-4,CSF|PR.DS-5,ITSG-33|AC-6,LEVEL|1S,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,PCI-DSSv3.1|7.1.2,PCI-DSSv3.2|7.1.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
sql_request : "SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='EXECUTE ANY PROCEDURE' AND GRANTEE='DBSNMP';"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR
sql_expect : NULL, NULL
type : SQL_POLICY
description : "5.2.5 Ensure 'SELECT ANY DICTIONARY' Is Revoked from Unauthorized 'GRANTEE'"
info : "The Oracle database SELECT ANY DICTIONARY privilege allows the designated user to access SYS schema objects. Unauthorized grantees should not have that privilege.
Rationale:
SELECT ANY DICTIONARY is a powerful system privilege which would allow an unauthorized user to gather information about the database through data dictionary objects. Information collected could potentially be used to exploit the database."
solution : "To remediate this setting, execute the following SQL statement, keeping in mind if this is granted in both container and pluggable database, you must connect to both places to revoke.
REVOKE SELECT ANY DICTIONARY FROM ;
References:
http://docs.oracle.com/database/121/DBSEG/authorization.htm#DBSEG99870
http://docs.oracle.com/database/121/REFRN/GUID-10024282-6729-4C66-8679-FD653C9C7DE7.htm#REFRN-GUID-10024282-6729-4C66-8679-FD653C9C7DE7
http://arup.blogspot.de/2011/07/difference-between-select-any.html"
see_also : "https://workbench.cisecurity.org/files/2741"
reference : "800-171|3.1.5,800-53|AC-6.,CIS_Recommendation|5.2.5,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.10.6(a),CSCv6|14.4,CSCv7|14.6,CSF|PR.AC-4,CSF|PR.DS-5,ITSG-33|AC-6,LEVEL|1S,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,PCI-DSSv3.1|7.1.2,PCI-DSSv3.2|7.1.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
sql_request : "SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='SELECT ANY DICTIONARY' AND GRANTEE NOT IN (SELECT USERNAME FROM DBA_USERS WHERE ORACLE_MAINTAINED='Y') AND GRANTEE NOT IN (SELECT ROLE FROM DBA_ROLES WHERE ORACLE_MAINTAINED='Y');"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR
sql_expect : NULL, NULL
type : SQL_POLICY
description : "5.2.6 Ensure 'SELECT ANY TABLE' Is Revoked from Unauthorized 'GRANTEE'"
info : "The Oracle database SELECT ANY TABLE privilege allows the designated user to open any table, except SYS, to view it. Unauthorized grantees should not have that privilege.
Rationale:
Assignment of the SELECT ANY TABLE privilege can allow the unauthorized viewing of sensitive data."
solution : "To remediate this setting, execute the following SQL statement, keeping in mind if this is granted in both container and pluggable database, you must connect to both places to revoke.
REVOKE SELECT ANY TABLE FROM ;
References:
http://docs.oracle.com/database/121/SQLRF/statements_10002.htm#SQLRF01702
Notes:
If O7_DICTIONARY_ACCESSIBILITY has been set to TRUE (non-default setting) then the SELECT ANY TABLE privilege provides access to SYS objects."
see_also : "https://workbench.cisecurity.org/files/2741"
reference : "800-171|3.1.5,800-53|AC-6.,CIS_Recommendation|5.2.6,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.10.6(a),CSCv6|14.4,CSCv7|14.6,CSF|PR.AC-4,CSF|PR.DS-5,ITSG-33|AC-6,LEVEL|1S,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,PCI-DSSv3.1|7.1.2,PCI-DSSv3.2|7.1.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
sql_request : "SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='SELECT ANY TABLE' AND GRANTEE NOT IN (SELECT USERNAME FROM DBA_USERS WHERE ORACLE_MAINTAINED='Y') AND GRANTEE NOT IN (SELECT ROLE FROM DBA_ROLES WHERE ORACLE_MAINTAINED='Y');"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR
sql_expect : NULL, NULL
type : SQL_POLICY
description : "5.2.7 Ensure 'AUDIT SYSTEM' Is Revoked from Unauthorized 'GRANTEE'"
info : "The Oracle database AUDIT SYSTEM privilege allows changes to auditing activities on the system. Unauthorized grantees should not have that privilege.
Rationale:
The AUDIT SYSTEM privilege can allow the unauthorized alteration of system audit activities, such as disabling the creation of audit trails."
solution : "To remediate this setting, execute the following SQL statement, keeping in mind if this is granted in both container and pluggable database, you must connect to both places to revoke.
REVOKE AUDIT SYSTEM FROM ;
References:
http://docs.oracle.com/database/121/SQLRF/statements_4007.htm#SQLRF01107
http://docs.oracle.com/database/121/SQLRF/statements_4008.htm#SQLRF56110"
see_also : "https://workbench.cisecurity.org/files/2741"
reference : "800-171|3.1.5,800-53|AC-6.,CIS_Recommendation|5.2.7,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.10.6(a),CSCv6|5.1,CSCv7|14.6,CSF|PR.AC-4,CSF|PR.DS-5,ITSG-33|AC-6,LEVEL|1S,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,PCI-DSSv3.1|7.1.2,PCI-DSSv3.2|7.1.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
sql_request : "SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='AUDIT SYSTEM' AND GRANTEE NOT IN (SELECT USERNAME FROM DBA_USERS WHERE ORACLE_MAINTAINED='Y') AND GRANTEE NOT IN (SELECT ROLE FROM DBA_ROLES WHERE ORACLE_MAINTAINED='Y');"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR
sql_expect : NULL, NULL
type : SQL_POLICY
description : "5.2.8 Ensure 'EXEMPT ACCESS POLICY' Is Revoked from Unauthorized 'GRANTEE'"
info : "The Oracle database EXEMPT ACCESS POLICY keyword provides the user the capability to access all the table rows regardless of row-level security lockouts. Unauthorized grantees should not have that keyword assigned to them.
Rationale:
The EXEMPT ACCESS POLICY privilege can allow an unauthorized user to potentially access and change data."
solution : "To remediate this setting, execute the following SQL statement, keeping in mind if this is granted in both container and pluggable database, you must connect to both places to revoke.
REVOKE EXEMPT ACCESS POLICY FROM ;
References:
http://docs.oracle.com/database/121/DBSEG/audit_config.htm#DBSEG703
http://docs.oracle.com/database/121/DBSEG/vpd.htm#CIHEEAFJ"
see_also : "https://workbench.cisecurity.org/files/2741"
reference : "800-171|3.1.5,800-53|AC-6.,CIS_Recommendation|5.2.8,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.10.6(a),CSCv6|14.4,CSCv7|14.6,CSF|PR.AC-4,CSF|PR.DS-5,ITSG-33|AC-6,LEVEL|1S,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,PCI-DSSv3.1|7.1.2,PCI-DSSv3.2|7.1.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
sql_request : "SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='EXEMPT ACCESS POLICY' AND GRANTEE NOT IN (SELECT USERNAME FROM DBA_USERS WHERE ORACLE_MAINTAINED='Y') AND GRANTEE NOT IN (SELECT ROLE FROM DBA_ROLES WHERE ORACLE_MAINTAINED='Y');"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR
sql_expect : NULL, NULL
type : SQL_POLICY
description : "5.2.9 Ensure 'BECOME USER' Is Revoked from Unauthorized 'GRANTEE'"
info : "The Oracle database BECOME USER privilege allows the designated user to inherit the rights of another user. Unauthorized grantees should not have that privilege.
Rationale:
The BECOME USER privilege can allow the unauthorized use of another user's privileges, this capability should be restricted according to the needs of the organization."
solution : "To remediate this setting, execute the following SQL statement, keeping in mind if this is granted in both container and pluggable database, you must connect to both places to revoke.
REVOKE BECOME USER FROM ;
References:
http://docs.oracle.com/database/121/DBSEG/guidelines.htm#DBSEG499"
see_also : "https://workbench.cisecurity.org/files/2741"
reference : "800-171|3.1.5,800-53|AC-6.,CIS_Recommendation|5.2.9,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.10.6(a),CSCv6|5.1,CSCv7|14.6,CSF|PR.AC-4,CSF|PR.DS-5,ITSG-33|AC-6,LEVEL|1S,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,PCI-DSSv3.1|7.1.2,PCI-DSSv3.2|7.1.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
sql_request : "SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='BECOME USER' AND GRANTEE NOT IN (SELECT USERNAME FROM DBA_USERS WHERE ORACLE_MAINTAINED='Y') AND GRANTEE NOT IN (SELECT ROLE FROM DBA_ROLES WHERE ORACLE_MAINTAINED='Y');"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR
sql_expect : NULL, NULL
type : SQL_POLICY
description : "5.2.10 Ensure 'CREATE PROCEDURE' Is Revoked from Unauthorized 'GRANTEE'"
info : "The Oracle database CREATE PROCEDURE privilege allows the designated user to create a stored procedure that will fire when given the correct command sequence. Unauthorized grantees should not have that privilege.
Rationale:
The CREATE PROCEDURE privilege can lead to severe problems in unauthorized hands, such as rogue procedures facilitating data theft or denial-of-service by corrupting data tables."
solution : "To remediate this setting, execute the following SQL statement, keeping in mind if this is granted in both container and pluggable database, you must connect to both places to revoke.
REVOKE CREATE PROCEDURE FROM ;
References:
http://docs.oracle.com/database/121/DBSEG/guidelines.htm#DBSEG499"
reference : "800-171|3.1.5,800-53|AC-6.,CIS_Recommendation|5.2.10,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.10.6(a),CSCv6|5.1,CSCv7|14.6,CSF|PR.AC-4,CSF|PR.DS-5,ITSG-33|AC-6,LEVEL|1S,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,PCI-DSSv3.1|7.1.2,PCI-DSSv3.2|7.1.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also : "https://workbench.cisecurity.org/files/2741"
sql_request : "SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='CREATE PROCEDURE' AND GRANTEE NOT IN (SELECT USERNAME FROM DBA_USERS WHERE ORACLE_MAINTAINED='Y') AND GRANTEE NOT IN (SELECT ROLE FROM DBA_ROLES WHERE ORACLE_MAINTAINED='Y');"
sql_types : POLICY_VARCHAR
sql_expect : NULL
type : SQL_POLICY
description : "5.2.11 Ensure 'ALTER SYSTEM' Is Revoked from Unauthorized 'GRANTEE'"
info : "The Oracle database ALTER SYSTEM privilege allows the designated user to dynamically alter the instance's running operations. Unauthorized grantees should not have that privilege.
Rationale:
The ALTER SYSTEM privilege can lead to severe problems, such as the instance's session being killed or the stopping of redo log recording, which would make transactions unrecoverable."
solution : "To remediate this setting, execute the following SQL statement, keeping in mind if this is granted in both container and pluggable database, you must connect to both places to revoke.
REVOKE ALTER SYSTEM FROM ;
References:
http://docs.oracle.com/database/121/DBSEG/guidelines.htm#DBSEG499"
see_also : "https://workbench.cisecurity.org/files/2741"
reference : "800-171|3.1.5,800-53|AC-6.,CIS_Recommendation|5.2.11,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.10.6(a),CSCv6|5.1,CSCv7|14.6,CSF|PR.AC-4,CSF|PR.DS-5,ITSG-33|AC-6,LEVEL|1S,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,PCI-DSSv3.1|7.1.2,PCI-DSSv3.2|7.1.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
sql_request : "SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='ALTER SYSTEM' AND GRANTEE NOT IN (SELECT USERNAME FROM DBA_USERS WHERE ORACLE_MAINTAINED='Y') AND GRANTEE NOT IN (SELECT ROLE FROM DBA_ROLES WHERE ORACLE_MAINTAINED='Y');"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR
sql_expect : NULL, NULL
type : SQL_POLICY
description : "5.2.12 Ensure 'CREATE ANY LIBRARY' Is Revoked from Unauthorized 'GRANTEE'"
info : "The Oracle database CREATE ANY LIBRARY privilege allows the designated user to create objects that are associated to the shared libraries. Unauthorized grantees should not have that privilege.
Rationale:
The CREATE ANY LIBRARY privilege can allow the creation of numerous library-associated objects and potentially corrupt the libraries' integrity."
solution : "To remediate this setting, execute the following SQL statement, keeping in mind if this is granted in both container and pluggable database, you must connect to both places to revoke.
REVOKE CREATE ANY LIBRARY FROM ;
References:
http://docs.oracle.com/database/121/DBSEG/guidelines.htm#DBSEG499
http://docs.oracle.com/database/121/ADMIN/manproc.htm#ADMIN00501
Notes:
Oracle has two identical privileges: CREATE LIBRARY and CREATE ANY LIBRARY."
see_also : "https://workbench.cisecurity.org/files/2741"
reference : "800-171|3.1.5,800-53|AC-6.,CIS_Recommendation|5.2.12,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.10.6(a),CSCv6|5.1,CSCv7|14.6,CSF|PR.AC-4,CSF|PR.DS-5,ITSG-33|AC-6,LEVEL|1S,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,PCI-DSSv3.1|7.1.2,PCI-DSSv3.2|7.1.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
sql_request : "SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='CREATE ANY LIBRARY' AND GRANTEE NOT IN (SELECT USERNAME FROM DBA_USERS WHERE ORACLE_MAINTAINED='Y') AND GRANTEE NOT IN (SELECT ROLE FROM DBA_ROLES WHERE ORACLE_MAINTAINED='Y');"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR
sql_expect : NULL, NULL
type : SQL_POLICY
description : "5.2.13 Ensure 'CREATE LIBRARY' Is Revoked from Unauthorized 'GRANTEE'"
info : "The Oracle database CREATE LIBRARY privilege allows the designated user to create objects that are associated to the shared libraries. Unauthorized grantees should not have that privilege.
Rationale:
The CREATE LIBRARY privilege can allow the creation of numerous library-associated objects and potentially corrupt the libraries' integrity."
solution : "To remediate this setting, execute the following SQL statement, keeping in mind if this is granted in both container and pluggable database, you must connect to both places to revoke.
REVOKE CREATE LIBRARY FROM ;
References:
http://docs.oracle.com/database/121/DBSEG/guidelines.htm#DBSEG499
http://docs.oracle.com/database/121/ADMIN/manproc.htm#ADMIN00501
Notes:
Oracle has two identical privileges: CREATE LIBRARY and CREATE ANY LIBRARY."
see_also : "https://workbench.cisecurity.org/files/2741"
reference : "800-171|3.1.5,800-53|AC-6.,CIS_Recommendation|5.2.13,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.10.6(a),CSCv6|5.1,CSCv7|14.6,CSF|PR.AC-4,CSF|PR.DS-5,ITSG-33|AC-6,LEVEL|1S,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,PCI-DSSv3.1|7.1.2,PCI-DSSv3.2|7.1.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
sql_request : "SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='CREATE LIBRARY' AND GRANTEE NOT IN (SELECT USERNAME FROM DBA_USERS WHERE ORACLE_MAINTAINED='Y') AND GRANTEE NOT IN (SELECT ROLE FROM DBA_ROLES WHERE ORACLE_MAINTAINED='Y');"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR
sql_expect : NULL, NULL
type : SQL_POLICY
description : "5.2.14 Ensure 'GRANT ANY OBJECT PRIVILEGE' Is Revoked from Unauthorized 'GRANTEE'"
info : "The Oracle database GRANT ANY OBJECT PRIVILEGE keyword provides the grantee the capability to grant access to any single or multiple combinations of objects to any grantee in the catalog of the database. Unauthorized grantees should not have that keyword assigned to them.
Rationale:
The GRANT ANY OBJECT PRIVILEGE capability can allow an unauthorized user to potentially access or change confidential data, or damage the data catalog due to potential complete instance access."
solution : "To remediate this setting, execute the following SQL statement, keeping in mind if this is granted in both container and pluggable database, you must connect to both places to revoke.
REVOKE GRANT ANY OBJECT PRIVILEGE FROM ;
References:
http://docs.oracle.com/database/121/DBSEG/authorization.htm#DBSEG99914"
see_also : "https://workbench.cisecurity.org/files/2741"
reference : "800-171|3.1.5,800-53|AC-6.,CIS_Recommendation|5.2.14,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.10.6(a),CSCv6|5.1,CSCv7|14.6,CSF|PR.AC-4,CSF|PR.DS-5,ITSG-33|AC-6,LEVEL|1S,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,PCI-DSSv3.1|7.1.2,PCI-DSSv3.2|7.1.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
sql_request : "SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='GRANT ANY OBJECT PRIVILEGE' AND GRANTEE NOT IN (SELECT USERNAME FROM DBA_USERS WHERE ORACLE_MAINTAINED='Y') AND GRANTEE NOT IN (SELECT ROLE FROM DBA_ROLES WHERE ORACLE_MAINTAINED='Y');"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR
sql_expect : NULL, NULL
type : SQL_POLICY
description : "5.2.15 Ensure 'GRANT ANY ROLE' Is Revoked from Unauthorized 'GRANTEE'"
info : "The Oracle database GRANT ANY ROLE keyword provides the grantee the capability to grant any single role to any grantee in the catalog of the database. Unauthorized grantees should not have that keyword assigned to them.
Rationale:
The GRANT ANY ROLE capability can allow an unauthorized user to potentially access or change confidential data or damage the data catalog due to potential complete instance access."
solution : "To remediate this setting, execute the following SQL statement, keeping in mind if this is granted in both container and pluggable database, you must connect to both places to revoke.
REVOKE GRANT ANY ROLE FROM ;
References:
http://docs.oracle.com/database/121/DBSEG/authorization.htm#DBSEG99945"
see_also : "https://workbench.cisecurity.org/files/2741"
reference : "800-171|3.1.5,800-53|AC-6.,CIS_Recommendation|5.2.15,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.10.6(a),CSCv6|5.1,CSCv7|14.6,CSF|PR.AC-4,CSF|PR.DS-5,ITSG-33|AC-6,LEVEL|1S,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,PCI-DSSv3.1|7.1.2,PCI-DSSv3.2|7.1.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
sql_request : "SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='GRANT ANY ROLE' AND GRANTEE NOT IN (SELECT USERNAME FROM DBA_USERS WHERE ORACLE_MAINTAINED='Y') AND GRANTEE NOT IN (SELECT ROLE FROM DBA_ROLES WHERE ORACLE_MAINTAINED='Y');"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR
sql_expect : NULL, NULL
type : SQL_POLICY
description : "5.2.16 Ensure 'GRANT ANY PRIVILEGE' Is Revoked from Unauthorized 'GRANTEE'"
info : "The Oracle database GRANT ANY PRIVILEGE keyword provides the grantee the capability to grant any single privilege to any item in the catalog of the database. Unauthorized grantees should not have that privilege.
Rationale:
The GRANT ANY PRIVILEGE capability can allow an unauthorized user to potentially access or change confidential data or damage the data catalog due to potential complete instance access."
solution : "To remediate this setting, execute the following SQL statement, keeping in mind if this is granted in both container and pluggable database, you must connect to both places to revoke.
REVOKE GRANT ANY PRIVILEGE FROM ;
References:
http://docs.oracle.com/database/121/DBSEG/authorization.htm#DBSEG99945"
see_also : "https://workbench.cisecurity.org/files/2741"
reference : "800-171|3.1.5,800-53|AC-6.,CIS_Recommendation|5.2.16,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.10.6(a),CSCv6|5.1,CSCv7|14.6,CSF|PR.AC-4,CSF|PR.DS-5,ITSG-33|AC-6,LEVEL|1S,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,PCI-DSSv3.1|7.1.2,PCI-DSSv3.2|7.1.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
sql_request : "SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='GRANT ANY PRIVILEGE' AND GRANTEE NOT IN (SELECT USERNAME FROM DBA_USERS WHERE ORACLE_MAINTAINED='Y') AND GRANTEE NOT IN (SELECT ROLE FROM DBA_ROLES WHERE ORACLE_MAINTAINED='Y');"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR
sql_expect : NULL, NULL
type : SQL_POLICY
description : "5.3.1 Ensure 'DELETE_CATALOG_ROLE' Is Revoked from Unauthorized 'GRANTEE'"
info : "THIS ROLE IS DEPRECATED IN V12. The Oracle database DELETE_CATALOG_ROLE provides DELETE privileges for the records in the system's audit table (AUD$). Unauthorized grantees should not have that role.
Rationale:
Permitting unauthorized access to the DELETE_CATALOG_ROLE can allow the destruction of audit records vital to the forensic investigation of unauthorized activities."
solution : "To remediate this setting, execute the following SQL statement, keeping in mind if this is granted in both container and pluggable database, you must connect to both places to revoke.
REVOKE DELETE_CATALOG_ROLE FROM ;
References:
http://docs.oracle.com/database/121/DBSEG/authorization.htm#BABFCAFH"
see_also : "https://workbench.cisecurity.org/files/2741"
reference : "800-171|3.1.5,800-53|AC-6(5),CIS_Recommendation|5.3.1,CN-L3|8.1.10.6(a),CSCv6|5.1,CSCv7|14.6,CSF|PR.AC-4,ISO/IEC-27001|A.9.2.3,ITSG-33|AC-6(5),LEVEL|1S,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.6.1,NIAv2|AM32,NIAv2|AM33,NIAv2|VL3a,QCSC-v1|5.2.2,QCSC-v1|6.2,SWIFT-CSCv1|1.2,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
sql_request : "SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS WHERE GRANTED_ROLE='DELETE_CATALOG_ROLE' AND GRANTEE NOT IN (SELECT USERNAME FROM DBA_USERS WHERE ORACLE_MAINTAINED='Y') AND GRANTEE NOT IN (SELECT ROLE FROM DBA_ROLES WHERE ORACLE_MAINTAINED='Y');"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR
sql_expect : NULL, NULL
type : SQL_POLICY
description : "5.3.2 Ensure 'SELECT_CATALOG_ROLE' Is Revoked from Unauthorized 'GRANTEE'"
info : "The Oracle database SELECT_CATALOG_ROLE provides SELECT privileges on all data dictionary views held in the SYS schema. Unauthorized grantees should not have that role.
Rationale:
Permitting unauthorized access to the SELECT_CATALOG_ROLE can allow the disclosure of all dictionary data."
solution : "To remediate this setting, execute the following SQL statement, keeping in mind if this is granted in both container and pluggable database, you must connect to both places to revoke.
REVOKE SELECT_CATALOG_ROLE FROM ;
References:
http://docs.oracle.com/database/121/DBSEG/authorization.htm#BABFCAFH"
see_also : "https://workbench.cisecurity.org/files/2741"
reference : "800-171|3.1.5,800-53|AC-6(5),CIS_Recommendation|5.3.2,CN-L3|8.1.10.6(a),CSCv6|5.1,CSCv7|14.6,CSF|PR.AC-4,ISO/IEC-27001|A.9.2.3,ITSG-33|AC-6(5),LEVEL|1S,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.6.1,NIAv2|AM32,NIAv2|AM33,NIAv2|VL3a,QCSC-v1|5.2.2,QCSC-v1|6.2,SWIFT-CSCv1|1.2,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
sql_request : "SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS WHERE GRANTED_ROLE='SELECT_CATALOG_ROLE' AND GRANTEE NOT IN (SELECT USERNAME FROM DBA_USERS WHERE ORACLE_MAINTAINED='Y') AND GRANTEE NOT IN (SELECT ROLE FROM DBA_ROLES WHERE ORACLE_MAINTAINED='Y');"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR
sql_expect : NULL, NULL
type : SQL_POLICY
description : "5.3.3 Ensure 'EXECUTE_CATALOG_ROLE' Is Revoked from Unauthorized 'GRANTEE'"
info : "The Oracle database EXECUTE_CATALOG_ROLE provides EXECUTE privileges for a number of packages and procedures in the data dictionary in the SYS schema. Unauthorized grantees should not have that role.
Rationale:
Permitting unauthorized access to the EXECUTE_CATALOG_ROLE can allow the disruption of operations by initialization of rogue procedures, this capability should be restricted according to the needs of the organization."
solution : "To remediate this setting, execute the following SQL statement, keeping in mind if this is granted in both container and pluggable database, you must connect to both places to revoke.
REVOKE EXECUTE_CATALOG_ROLE FROM ;
References:
http://docs.oracle.com/database/121/DBSEG/authorization.htm#BABFCAFH"
see_also : "https://workbench.cisecurity.org/files/2741"
reference : "800-171|3.1.5,800-53|AC-6(5),CIS_Recommendation|5.3.3,CN-L3|8.1.10.6(a),CSCv6|5.1,CSCv7|14.6,CSF|PR.AC-4,ISO/IEC-27001|A.9.2.3,ITSG-33|AC-6(5),LEVEL|1S,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.6.1,NIAv2|AM32,NIAv2|AM33,NIAv2|VL3a,QCSC-v1|5.2.2,QCSC-v1|6.2,SWIFT-CSCv1|1.2,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
sql_request : "SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS WHERE GRANTED_ROLE='EXECUTE_CATALOG_ROLE' AND GRANTEE NOT IN (SELECT USERNAME FROM DBA_USERS WHERE ORACLE_MAINTAINED='Y') AND GRANTEE NOT IN (SELECT ROLE FROM DBA_ROLES WHERE ORACLE_MAINTAINED='Y');"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR
sql_expect : NULL, NULL
type : SQL_POLICY
description : "5.3.4 Ensure 'DBA' Is Revoked from Unauthorized 'GRANTEE'"
info : "The Oracle database DBA role is the default database administrator role provided for the allocation of administrative privileges. Unauthorized grantees should not have that role.
Rationale:
Assignment of the DBA role to an ordinary user can provide a great number of unnecessary privileges to that user and open the door to data breaches, integrity violations, and denial-of-service conditions."
solution : "To remediate this setting, execute the following SQL statement, keeping in mind if this is granted in both container and pluggable database, you must connect to both places to revoke.
REVOKE DBA FROM ;
References:
http://docs.oracle.com/database/121/DBSEG/authorization.htm#DBSEG4414"
see_also : "https://workbench.cisecurity.org/files/2741"
reference : "800-171|3.1.5,800-53|AC-6.,CIS_Recommendation|5.3.4,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.10.6(a),CSCv6|5.1,CSCv7|14.6,CSF|PR.AC-4,CSF|PR.DS-5,ITSG-33|AC-6,LEVEL|1S,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
sql_request : "SELECT 'GRANT' AS PATH, GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS WHERE GRANTED_ROLE = 'DBA' AND GRANTEE NOT IN ('SYS', 'SYSTEM') UNION SELECT 'PROXY', PROXY || '-' || CLIENT, 'DBA' FROM DBA_PROXIES WHERE CLIENT IN (SELECT GRANTEE FROM DBA_ROLE_PRIVS WHERE GRANTED_ROLE = 'DBA');"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR
sql_expect : NULL, NULL
type : SQL_POLICY
description : "6.2.1 Ensure the 'CREATE USER' Action Audit Is Enabled"
info : "The CREATE USER statement is used to create Oracle database accounts and assign database properties to them. Enabling this unified action audit causes logging of all CREATE USER statements, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Rationale:
Logging and monitoring of all attempts to create user accounts, whether successful or unsuccessful, may provide clues and forensic evidences about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all activities involving CREATE USER."
solution : "Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY
ADD
ACTIONS
CREATE USER;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement."
see_also : "https://workbench.cisecurity.org/files/2741"
reference : "800-171|3.3.1,800-171|3.3.2,800-53|AU-12c.,CIS_Recommendation|6.2.1,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|16,CSCv6|6.2,CSCv7|6.2,CSCv7|6.3,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12c.,LEVEL|1S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|13.2,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1"
sql_request : "SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'CREATE USER' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR, POLICY_VARCHAR
sql_expect : regex:".*", "CREATE USER", "STANDARD ACTION"
type : SQL_POLICY
description : "6.2.2 Ensure the 'ALTER USER' Action Audit Is Enabled"
info : "The ALTER USER statement is used to change database users' password, lock accounts, and expire passwords. In addition, this statement is used to change database properties of user accounts such as database profiles, default and temporary tablespaces, and tablespace quotas. This unified audit action enables logging of all ALTER USER statements, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Rationale:
Logging and monitoring of all attempts to alter user accounts, whether successful or unsuccessful, may provide clues and forensic evidences about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all activities involving ALTER USER."
solution : "Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY
ADD
ACTIONS
ALTER USER;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement."
see_also : "https://workbench.cisecurity.org/files/2741"
reference : "800-171|3.3.1,800-171|3.3.2,800-53|AU-12c.,CIS_Recommendation|6.2.2,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|16,CSCv6|6.2,CSCv7|6.2,CSCv7|6.3,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12c.,LEVEL|1S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|13.2,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1"
sql_request : "SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'ALTER USER' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR, POLICY_VARCHAR
sql_expect : regex:".*", "ALTER USER", "STANDARD ACTION"
type : SQL_POLICY
description : "6.2.3 Ensure the 'DROP USER' Audit Option Is Enabled"
info : "The DROP USER statement is used to drop Oracle database accounts and schemas associated with them. Enabling this unified action audit enables logging of all DROP USER statements, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Rationale:
Logging and monitoring of all attempts to drop user, whether successful or unsuccessful, may provide clues and forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all activities involving DROP USER."
solution : "Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY
ADD
ACTIONS
DROP USER;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement."
see_also : "https://workbench.cisecurity.org/files/2741"
reference : "800-171|3.3.1,800-171|3.3.2,800-53|AU-12c.,CIS_Recommendation|6.2.3,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|16,CSCv6|6.2,CSCv7|6.2,CSCv7|6.3,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12c.,LEVEL|1S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|13.2,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1"
sql_request : "SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'DROP USER' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR, POLICY_VARCHAR
sql_expect : regex:".*", "DROP USER", "STANDARD ACTION"
type : SQL_POLICY
description : "6.2.4 Ensure the 'CREATE ROLE' Action Audit Is Enabled"
info : "An Oracle database role is a collection or set of privileges that can be granted to users or other roles. Roles may include system privileges, object privileges or other roles. Enabling this unified audit action enables logging of all CREATE ROLE statements, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Rationale:
Logging and monitoring of all attempts to create roles, whether successful or unsuccessful, may provide clues and forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving CREATE ROLE."
solution : "Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY
ADD
ACTIONS
CREATE ROLE;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement."
see_also : "https://workbench.cisecurity.org/files/2741"
reference : "800-171|3.3.1,800-171|3.3.2,800-53|AU-12c.,CIS_Recommendation|6.2.4,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|16,CSCv6|6.2,CSCv7|6.2,CSCv7|6.3,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12c.,LEVEL|1S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|13.2,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1"
sql_request : "SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'CREATE ROLE' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR, POLICY_VARCHAR
sql_expect : regex:".*", "CREATE ROLE", "STANDARD ACTION"
type : SQL_POLICY
description : "6.2.5 Ensure the 'ALTER ROLE' Action Audit Is Enabled"
info : "An Oracle database role is a collection or set of privileges that can be granted to users or other roles. Roles may include system privileges, object privileges or other roles. The ALTER ROLE statement is used to change the authorization needed to enable a role. Enabling this unified action audit causes logging of all ALTER ROLE statements, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Rationale:
Logging and monitoring of all attempts to alter roles, whether successful or unsuccessful, may provide clues and forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving alteration of roles."
solution : "Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY
ADD
ACTIONS
ALTER ROLE;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement."
see_also : "https://workbench.cisecurity.org/files/2741"
reference : "800-171|3.3.1,800-171|3.3.2,800-53|AU-12c.,CIS_Recommendation|6.2.5,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|16,CSCv6|6.2,CSCv7|6.2,CSCv7|6.3,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12c.,LEVEL|1S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|13.2,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1"
sql_request : "SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'ALTER ROLE' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR, POLICY_VARCHAR
sql_expect : regex:".*", "ALTER ROLE", "STANDARD ACTION"
type : SQL_POLICY
description : "6.2.6 Ensure the 'DROP ROLE' Action Audit Is Enabled"
info : "An Oracle database role is a collection or set of privileges that can be granted to users or other roles. Roles may include system privileges, object privileges or other roles. Enabling this unified audit action enables logging of all DROP ROLE statements, successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Rationale:
Logging and monitoring of all attempts to drop roles, whether successful or unsuccessful, may provide clues and forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving DROP ROLE."
solution : "Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY
ADD
ACTIONS
DROP ROLE;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement."
see_also : "https://workbench.cisecurity.org/files/2741"
reference : "800-171|3.3.1,800-171|3.3.2,800-53|AU-12c.,CIS_Recommendation|6.2.6,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|16,CSCv6|6.2,CSCv7|6.2,CSCv7|6.3,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12c.,LEVEL|1S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|13.2,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1"
sql_request : "SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'DROP ROLE' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR, POLICY_VARCHAR
sql_expect : regex:".*", "DROP ROLE", "STANDARD ACTION"
type : SQL_POLICY
description : "6.2.7 Ensure the 'GRANT' Action Audit Is Enabled"
info : "GRANT statements are used to grant privileges to Oracle database users and roles, including the most powerful privileges and roles typically available to the database administrators. Enabling this unified action audit enables logging of all GRANT statements, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Rationale:
With unauthorized grants and permissions, a malicious user may be able to change the security of the database, access/update confidential data, or compromise the integrity of the database. Logging and monitoring of all attempts to grant system privileges, object privileges or roles, whether successful or unsuccessful, may provide forensic evidence about potential suspicious/unauthorized activities as well as privilege escalation activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving GRANT."
solution : "Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY
ADD
ACTIONS
GRANT;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement."
see_also : "https://workbench.cisecurity.org/files/2741"
reference : "800-171|3.3.1,800-171|3.3.2,800-53|AU-12c.,CIS_Recommendation|6.2.7,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|16,CSCv6|6.2,CSCv7|6.2,CSCv7|6.3,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12c.,LEVEL|1S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|13.2,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1"
sql_request : "SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'GRANT' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR, POLICY_VARCHAR
sql_expect : regex:".*", "GRANT", "STANDARD ACTION"
type : SQL_POLICY
description : "6.2.8 Ensure the 'REVOKE' Action Audit Is Enabled"
info : "REVOKE statements are used to revoke privileges from Oracle database users and roles. Enabling this unified action audit enables logging of all REVOKE statements, successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Rationale:
Logging and monitoring of all attempts to revoke system privileges, object privileges or roles, whether successful or unsuccessful, may provide clues and forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving REVOKE."
solution : "Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY
ADD
ACTIONS
REVOKE;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement."
see_also : "https://workbench.cisecurity.org/files/2741"
reference : "800-171|3.3.1,800-171|3.3.2,800-53|AU-12c.,CIS_Recommendation|6.2.8,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|16,CSCv6|6.2,CSCv7|6.2,CSCv7|6.3,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12c.,LEVEL|1S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|13.2,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1"
sql_request : "SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'REVOKE' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR, POLICY_VARCHAR
sql_expect : regex:".*", "REVOKE", "STANDARD ACTION"
type : SQL_POLICY
description : "6.2.9 Ensure the 'CREATE PROFILE' Action Audit Is Enabled"
info : "Oracle database profiles are used to enforce resource usage limits and implement password policies such as password complexity rules and reuse restrictions. Enabling this unified action audit enables logging of all CREATE PROFILE statements, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Rationale:
Logging and monitoring of all attempts to create profiles, whether successful or unsuccessful, may provide clues and forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving creation of database profiles."
solution : "Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY
ADD
ACTIONS
CREATE PROFILE;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement."
see_also : "https://workbench.cisecurity.org/files/2741"
reference : "800-171|3.3.1,800-171|3.3.2,800-53|AU-12c.,CIS_Recommendation|6.2.9,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|6.2,CSCv7|6.2,CSCv7|6.3,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12c.,LEVEL|1S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|13.2,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1"
sql_request : "SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'CREATE PROFILE' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR, POLICY_VARCHAR
sql_expect : regex:".*", "CREATE PROFILE", "STANDARD ACTION"
type : SQL_POLICY
description : "6.2.10 Ensure the 'ALTER PROFILE' Action Audit Is Enabled"
info : "Oracle database profiles are used to enforce resource usage limits and implement password policies such as password complexity rules and reuse restrictions. Enabling this unified action audit enables logging of all ALTER PROFILE statements, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Rationale:
Logging and monitoring of all attempts to alter profiles, whether successful or unsuccessful, may provide forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving alteration of database profiles."
solution : "Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY
ADD
ACTIONS
ALTER PROFILE;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement."
see_also : "https://workbench.cisecurity.org/files/2741"
reference : "800-171|3.3.1,800-171|3.3.2,800-53|AU-12c.,CIS_Recommendation|6.2.10,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|6.2,CSCv7|6.2,CSCv7|6.3,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12c.,LEVEL|1S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|13.2,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1"
sql_request : "SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'ALTER PROFILE' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR, POLICY_VARCHAR
sql_expect : regex:".*", "ALTER PROFILE", "STANDARD ACTION"
type : SQL_POLICY
description : "6.2.11 Ensure the 'DROP PROFILE' Action Audit Is Enabled"
info : "Oracle database profiles are used to enforce resource usage limits and implement password policies such as password complexity rules and reuse restrictions. Enabling this unified action audit enables logging of all DROP PROFILE statements, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Rationale:
Logging and monitoring of all attempts to drop profiles, whether successful or unsuccessful, may provide clues and forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving dropping database profiles."
solution : "Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY
ADD
ACTIONS
DROP PROFILE;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement."
see_also : "https://workbench.cisecurity.org/files/2741"
reference : "800-171|3.3.1,800-171|3.3.2,800-53|AU-12c.,CIS_Recommendation|6.2.11,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|6.2,CSCv7|6.2,CSCv7|6.3,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12c.,LEVEL|1S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|13.2,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1"
sql_request : "SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'DROP PROFILE' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR, POLICY_VARCHAR
sql_expect : regex:".*", "DROP PROFILE", "STANDARD ACTION"
type : SQL_POLICY
description : "6.2.12 Ensure the 'CREATE DATABASE LINK' Action Audit Is Enabled"
info : "Oracle database links are used to establish database-to-database connections to other databases. These connections are available without further authentication once the link is established. Enabling this unified action audit causes logging of all CREATE DATABASE and CREATE PUBLIC DATABASE statements, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Rationale:
Logging and monitoring of all attempts to create database links, whether successful or unsuccessful, may provide forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving creation of database links."
solution : "Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY
ADD
ACTIONS
CREATE DATABASE LINK;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement."
see_also : "https://workbench.cisecurity.org/files/2741"
reference : "800-171|3.3.1,800-171|3.3.2,800-53|AU-12c.,CIS_Recommendation|6.2.12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|6.2,CSCv7|6.2,CSCv7|6.3,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12c.,LEVEL|1S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|13.2,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1"
sql_request : "SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'CREATE DATABASE LINK' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR, POLICY_VARCHAR
sql_expect : regex:".*", "CREATE DATABASE LINK", "STANDARD ACTION"
type : SQL_POLICY
description : "6.2.13 Ensure the 'ALTER DATABASE LINK' Action Audit Is Enabled"
info : "Oracle database links are used to establish database-to-database connections to other databases. These connections are always available without further authentication once the link is established. Enabling this unified action audit causes logging of all ALTER DATABASE and ALTER PUBLIC DATABASE statements, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Rationale:
Logging and monitoring of all attempts to alter database links, whether successful or unsuccessful, may provide forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving alteration of database links."
solution : "Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY
ADD
ACTIONS
ALTER DATABASE LINK;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement."
see_also : "https://workbench.cisecurity.org/files/2741"
reference : "800-171|3.3.1,800-171|3.3.2,800-53|AU-12c.,CIS_Recommendation|6.2.13,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|6.2,CSCv7|6.2,CSCv7|6.3,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12c.,LEVEL|1S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|13.2,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1"
sql_request : "SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'ALTER DATABASE LINK' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR, POLICY_VARCHAR
sql_expect : regex:".*", "ALTER DATABASE LINK", "STANDARD ACTION"
type : SQL_POLICY
description : "6.2.14 Ensure the 'DROP DATABASE LINK' Action Audit Is Enabled"
info : "Oracle database links are used to establish database-to-database connections to other databases. These connections are always available without further authentication once the link is established. Enabling this unified action audit causes logging of all DROP DATABASE and DROP PUBLIC DATABASE, whether successful or unsuccessful, statements issued by the users regardless of the privileges held by the users to issue such statements.
Rationale:
Logging and monitoring of all attempts to drop database links, whether successful or unsuccessful, may provide forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving dropping database links."
solution : "Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY
ADD
ACTIONS
DROP DATABASE LINK;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement."
see_also : "https://workbench.cisecurity.org/files/2741"
reference : "800-171|3.3.1,800-171|3.3.2,800-53|AU-12c.,CIS_Recommendation|6.2.14,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|6.2,CSCv7|6.2,CSCv7|6.3,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12c.,LEVEL|1S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|13.2,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1"
sql_request : "SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'DROP DATABASE LINK' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR, POLICY_VARCHAR
sql_expect : regex:".*", "DROP DATABASE LINK", "STANDARD ACTION"
type : SQL_POLICY
description : "6.2.15 Ensure the 'CREATE SYNONYM' Action Audit Is Enabled"
info : "An Oracle database synonym is used to create an alternative name for a database object such as table, view, procedure, java object or even another synonym, etc. Enabling this unified action audit causes logging of all CREATE SYNONYM and CREATE PUBLIC SYNONYM statements, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Rationale:
Logging and monitoring of all attempts to create synonyms, whether successful or unsuccessful, may provide clues and forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving creation of synonyms or public synonyms."
solution : "Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY
ADD
ACTIONS
CREATE SYNONYM;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement."
see_also : "https://workbench.cisecurity.org/files/2741"
reference : "800-171|3.3.1,800-171|3.3.2,800-53|AU-12c.,CIS_Recommendation|6.2.15,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|6.2,CSCv7|6.2,CSCv7|6.3,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12c.,LEVEL|1S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|13.2,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1"
sql_request : "SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'CREATE SYNONYM' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR, POLICY_VARCHAR
sql_expect : regex:".*", "CREATE SYNONYM", "STANDARD ACTION"
type : SQL_POLICY
description : "6.2.16 Ensure the 'ALTER SYNONYM' Action Audit Is Enabled"
info : "An Oracle database synonym is used to create an alternative name for a database object such as table, view, procedure, or java object, or even another synonym. Enabling this unified action audit causes logging of all ALTER SYNONYM and ALTER PUBLIC SYNONYM statements, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Rationale:
Logging and monitoring of all attempts to alter synonyms, whether successful or unsuccessful, may provide clues and forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving alteration of synonyms or public synonyms."
solution : "Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY
ADD
ACTIONS
ALTER SYNONYM;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement."
see_also : "https://workbench.cisecurity.org/files/2741"
reference : "800-171|3.3.1,800-171|3.3.2,800-53|AU-12c.,CIS_Recommendation|6.2.16,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|6.2,CSCv7|6.2,CSCv7|6.3,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12c.,LEVEL|1S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|13.2,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1"
sql_request : "SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'ALTER SYNONYM' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR, POLICY_VARCHAR
sql_expect : regex:".*", "ALTER SYNONYM", "STANDARD ACTION"
type : SQL_POLICY
description : "6.2.17 Ensure the 'DROP SYNONYM' Action Audit Is Enabled"
info : "An Oracle database synonym is used to create an alternative name for a database object such as table, view, procedure, or java object, or even another synonym. Enabling his unified action audit causes logging of all DROP SYNONYM and DROP PUBLIC SYNONYM statements, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Rationale:
Logging and monitoring of all attempts to drop synonyms, whether successful or unsuccessful, may provide forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving dropping of synonyms or public synonyms."
solution : "Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY
ADD
ACTIONS
DROP SYNONYM;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement."
see_also : "https://workbench.cisecurity.org/files/2741"
reference : "800-171|3.3.1,800-171|3.3.2,800-53|AU-12c.,CIS_Recommendation|6.2.17,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|6.2,CSCv7|6.2,CSCv7|6.3,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12c.,LEVEL|1S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|13.2,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1"
sql_request : "SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'DROP SYNONYM' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR, POLICY_VARCHAR
sql_expect : regex:".*", "DROP SYNONYM", "STANDARD ACTION"
type : SQL_POLICY
description : "6.2.18 Ensure the 'SELECT ANY DICTIONARY' Privilege Audit Is Enabled"
info : "The SELECT ANY DICTIONARY system privilege allows the user to view the definition of all schema objects in the database. It grants SELECT privileges on the data dictionary objects to the grantees, including SELECTon DBA_ views, V$ views, X$ views and underlying SYS tables such as TAB$ and OBJ$. This privilege also allows grantees to create stored objects such as procedures, packages and views on the underlying data dictionary objects. Please note that this privilege does not grant SELECT on tables with password hashes such as USER$, DEFAULT_PWD$, LINK$, and USER_HISTORY$. Enabling this audit causes logging of activities that exercise this privilege.
Rationale:
Logging and monitoring of all attempts to access a data dictionary, whether successful or unsuccessful, may provide clues and forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving access to the database."
solution : "Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY
ADD
PRIVILEGES
SELECT ANY DICTIONARY;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement."
see_also : "https://workbench.cisecurity.org/files/2741"
reference : "800-171|3.3.1,800-171|3.3.2,800-53|AU-12c.,CIS_Recommendation|6.2.18,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|6.2,CSCv7|6.2,CSCv7|6.3,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12c.,LEVEL|1S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|13.2,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1"
sql_request : "SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'SELECT ANY DICTIONARY' AND AUD.AUDIT_OPTION_TYPE = 'SYSTEM PRIVILEGE' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR, POLICY_VARCHAR
sql_expect : regex:".*", "SELECT ANY DICTIONARY", "SYSTEM PRIVILEGE"
type : SQL_POLICY
description : "6.2.19 Ensure the 'AUDSYS.AUD$UNIFIED' Access Audit Is Enabled"
info : "The AUDSYS.AUD$UNIFIED holds audit trail records generated by the database. Enabling this audit action causes logging of all access attempts to the AUDSYS.AUD$UNIFIED, whether successful or unsuccessful, regardless of the privileges held by the users to issue such statements.
Rationale:
Logging and monitoring of all attempts to access the AUDSYS.AUD$UNIFIED, whether successful or unsuccessful, may provide clues and forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving access to this table."
solution : "For Oracle 12.2 and above, execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY
ADD
ACTIONS
ALL on AUDSYS.AUD$UNIFIED;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement."
reference : "800-171|3.3.1,800-171|3.3.2,800-53|AU-12c.,CIS_Recommendation|6.2.19,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|6.2,CSCv7|6.2,CSCv7|6.3,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12c.,LEVEL|1S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|13.2,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1"
see_also : "https://workbench.cisecurity.org/files/2741"
sql_request : "SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'ALL' AND AUD.AUDIT_OPTION_TYPE = 'OBJECT ACTION' AND (AUD.OBJECT_SCHEMA = 'SYS' OR AUD.OBJECT_SCHEMA = 'AUDSYS') AND AUD.OBJECT_NAME = 'AUD$UNIFIED' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR, POLICY_VARCHAR
sql_expect : regex:".*", "ALL", "OBJECT ACTION"
type : SQL_POLICY
description : "6.2.20 Ensure the 'CREATE PROCEDURE/FUNCTION/PACKAGE/PACKAGE BODY' Action Audit Is Enabled"
info : "Oracle database procedures, function, packages, and package bodies, which are stored within the database, are created to perform business functions and access database as defined by PL/SQL code and SQL statements contained within these objects. Enabling this unified action audit causes logging of all CREATE PROCEDURE, CREATE FUNCTION, CREATE PACKAGE and CREATE PACKAGE BODY statements, successful or unsuccessful, statements issued by the users regardless of the privileges held by the users to issue such statements.
Rationale:
Logging and monitoring of all attempts to create procedures, functions, packages or package bodies, whether successful or unsuccessful, may provide clues and forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving creation of procedures, functions, packages or package bodies."
solution : "Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY
ADD
ACTIONS
CREATE PROCEDURE,
CREATE FUNCTION,
CREATE PACKAGE,
CREATE PACKAGE BODY;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement."
see_also : "https://workbench.cisecurity.org/files/2741"
reference : "800-171|3.3.1,800-171|3.3.2,800-53|AU-12c.,CIS_Recommendation|6.2.20,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|6.2,CSCv7|6.2,CSCv7|6.3,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12c.,LEVEL|1S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|13.2,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1"
sql_request : "SELECT ENABLED.POLICY_NAME FROM AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS' AND ( SELECT COUNT(*) FROM AUDIT_UNIFIED_POLICIES AUD WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION IN ('CREATE PROCEDURE', 'CREATE FUNCTION','CREATE PACKAGE', 'CREATE PACKAGE BODY') AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION') = 4;"
sql_types : POLICY_VARCHAR
sql_expect : regex:".+"
type : SQL_POLICY
description : "6.2.21 Ensure the 'ALTER PROCEDURE/FUNCTION/PACKAGE/PACKAGE BODY' Action Audit Is Enabled"
info : "Oracle database procedures, functions, packages, and package bodies, which are stored within the database, are created to carry out business functions and access database as defined by PL/SQL code and SQL statements contained within these objects. Enabling this unified action audit causes logging of all ALTER PROCEDURE, ALTER FUNCTION, ALTER PACKAGE and ALTER PACKAGE BODY statements, successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Rationale:
Unauthorized alteration of procedures, functions, packages or package bodies may impact critical business functions or compromise integrity of the database. Logging and monitoring of all attempts, whether successful or unsuccessful, to alter procedures, functions, packages or package bodies may provide clues and forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving alteration of procedures, functions, packages or package bodies."
solution : "Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY
ADD
ACTIONS
ALTER PROCEDURE,
ALTER FUNCTION,
ALTER PACKAGE,
ALTER PACKAGE BODY;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement."
see_also : "https://workbench.cisecurity.org/files/2741"
reference : "800-171|3.3.1,800-171|3.3.2,800-53|AU-12c.,CIS_Recommendation|6.2.21,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|6.2,CSCv7|6.2,CSCv7|6.3,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12c.,LEVEL|1S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|13.2,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1"
sql_request : "SELECT enabled.policy_name FROM AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS' AND ( SELECT COUNT(*) FROM AUDIT_UNIFIED_POLICIES AUD WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION IN ('ALTER PROCEDURE','ALTER FUNCTION','ALTER PACKAGE','ALTER PACKAGE BODY') AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION') = 4;"
sql_types : POLICY_VARCHAR
sql_expect : regex:".+"
type : SQL_POLICY
description : "6.2.22 Ensure the 'DROP PROCEDURE/FUNCTION/PACKAGE/PACKAGE BODY' Action Audit Is Enabled"
info : "Oracle database procedures, functions, packages, and package bodies, which are stored within the database, are created to carry out business functions and access database as defined by PL/SQL code and SQL statements contained within these objects. Enabling this unified action audit causes logging of all DROP PROCEDURE, DROP FUNCTION, DROP PACKAGE or DROP PACKAGE BODY statements, successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Rationale:
Logging and monitoring of all attempts, whether successful or unsuccessful, to drop procedures, functions, packages or package bodies may provide forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving dropping procedures, functions, packages or package bodies."
solution : "Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY
ADD
ACTIONS
DROP PROCEDURE,
DROP FUNCTION,
DROP PACKAGE,
DROP PACKAGE BODY;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement."
see_also : "https://workbench.cisecurity.org/files/2741"
reference : "800-171|3.3.1,800-171|3.3.2,800-53|AU-12c.,CIS_Recommendation|6.2.22,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|6.2,CSCv7|6.2,CSCv7|6.3,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12c.,LEVEL|1S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|13.2,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1"
sql_request : "SELECT enabled.policy_name FROM AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS' AND ( SELECT COUNT(*) FROM AUDIT_UNIFIED_POLICIES AUD WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION IN ('DROP PROCEDURE','DROP FUNCTION','DROP PACKAGE','DROP PACKAGE BODY') AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION') = 4;"
sql_types : POLICY_VARCHAR
sql_expect : regex:".+"
type : SQL_POLICY
description : "6.2.23 Ensure the 'ALTER SYSTEM' Privilege Audit Is Enabled"
info : "The ALTER SYSTEM privilege allows the user to change instance settings which could impact security posture, performance or normal operation of the database. Additionally, the ALTER SYSTEM privilege may be used to run operating system commands using undocumented Oracle functionality. Enabling this unified audit causes logging of activities that involve exercise of this privilege, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Rationale:
Logging and monitoring of all attempts to execute ALTER SYSTEM statements, whether successful or unsuccessful, may provide forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities that involve ALTER SYSTEM statements."
solution : "Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY
ADD
ACTIONS
ALTER SYSTEM;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement."
see_also : "https://workbench.cisecurity.org/files/2741"
reference : "800-171|3.3.1,800-171|3.3.2,800-53|AU-12c.,CIS_Recommendation|6.2.23,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|6.2,CSCv7|6.2,CSCv7|6.3,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12c.,LEVEL|1S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|13.2,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1"
sql_request : "SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'ALTER SYSTEM' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR, POLICY_VARCHAR
sql_expect : regex:".*", "ALTER SYSTEM", "STANDARD ACTION"
type : SQL_POLICY
description : "6.2.24 Ensure the 'CREATE TRIGGER' Action Audit Is Enabled"
info : "Oracle database triggers are executed automatically when specified conditions on the underlying objects occur. Trigger bodies contain the code, quite often to perform data validation, ensure data integrity/security or enforce critical constraints on allowable actions on data. Enabling this unified audit causes logging of all CREATE TRIGGER statements, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Rationale:
Logging and monitoring of all attempts to create triggers, whether successful or unsuccessful, may provide clues and forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving creation of triggers."
solution : "Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY
ADD
ACTIONS
CREATE TRIGGER;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement."
see_also : "https://workbench.cisecurity.org/files/2741"
reference : "800-171|3.3.1,800-171|3.3.2,800-53|AU-12c.,CIS_Recommendation|6.2.24,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|6.2,CSCv7|6.2,CSCv7|6.3,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12c.,LEVEL|1S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|13.2,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1"
sql_request : "SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'CREATE TRIGGER' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR, POLICY_VARCHAR
sql_expect : regex:".*", "CREATE TRIGGER", "STANDARD ACTION"
type : SQL_POLICY
description : "6.2.25 Ensure the 'ALTER TRIGGER' Action Audit IS Enabled"
info : "Oracle database triggers are executed automatically when specified conditions on the underlying objects occur. Trigger bodies contain the code, quite often to perform data validation, ensure data integrity/security or enforce critical constraints on allowable actions on data. Enabling this unified audit causes logging of all ALTER TRIGGER statements, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Rationale:
Unauthorized alteration of triggers may impact critical business functions or compromise integrity/security of the database. Logging and monitoring of all attempts to alter triggers, whether successful or unsuccessful, may provide clues and forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving alteration of triggers."
solution : "Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY
ADD
ACTIONS
ALTER TRIGGER;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement."
reference : "800-171|3.3.1,800-171|3.3.2,800-53|AU-12c.,CIS_Recommendation|6.2.25,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|6.2,CSCv7|6.2,CSCv7|6.3,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12c.,LEVEL|1S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|13.2,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1"
see_also : "https://workbench.cisecurity.org/files/2741"
sql_request : "SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'ALTER TRIGGER' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR, POLICY_VARCHAR
sql_expect : regex:".*", "ALTER TRIGGER", "STANDARD ACTION"
type : SQL_POLICY
description : "6.2.26 Ensure the 'DROP TRIGGER' Action Audit Is Enabled"
info : "Oracle database triggers are executed automatically when specified conditions on the underlying objects occur. Trigger bodies contain the code, quite often to perform data validation, ensure data integrity/security or enforce critical constraints on allowable actions on data. Enabling this unified audit causes logging of all DROP TRIGGER statements, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to issue such statements.
Rationale:
Logging and monitoring of all attempts to drop triggers, whether successful or unsuccessful, may provide forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving dropping triggers."
solution : "Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY
ADD
ACTIONS
DROP TRIGGER;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement."
see_also : "https://workbench.cisecurity.org/files/2741"
reference : "800-171|3.3.1,800-171|3.3.2,800-53|AU-12c.,CIS_Recommendation|6.2.26,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|6.2,CSCv7|6.2,CSCv7|6.3,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12c.,LEVEL|1S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|13.2,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1"
sql_request : "SELECT AUD.POLICY_NAME, AUD.AUDIT_OPTION, AUD.AUDIT_OPTION_TYPE FROM AUDIT_UNIFIED_POLICIES AUD, AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION = 'DROP TRIGGER' AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION' AND ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS';"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR, POLICY_VARCHAR
sql_expect : regex:".*", "DROP TRIGGER", "STANDARD ACTION"
type : SQL_POLICY
description : "6.2.27 Ensure the 'LOGON' AND 'LOGOFF' Actions Audit Is Enabled"
info : "Oracle database users log on to the database to perform their work. Enabling this unified audit causes logging of all LOGON actions, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to log into the database. In addition, LOGOFF action audit captures logoff activities. This audit action also captures logon/logoff to the open database by SYSDBA and SYSOPER.
Rationale:
Logging and monitoring of all attempts to logon to the database, whether successful or unsuccessful, may provide forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving LOGON and LOGOFF."
solution : "Execute the following SQL statement to remediate this setting.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY
ADD
ACTIONS
LOGON,
LOGOFF;
Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement."
see_also : "https://workbench.cisecurity.org/files/2741"
reference : "800-171|3.3.1,800-171|3.3.2,800-53|AU-12c.,CIS_Recommendation|6.2.27,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|16,CSCv6|6.2,CSCv7|6.2,CSCv7|6.3,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12c.,LEVEL|1S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|13.2,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1"
sql_request : "SELECT ENABLED.POLICY_NAME FROM AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE ENABLED.SUCCESS = 'YES' AND ENABLED.FAILURE = 'YES' AND ENABLED.ENABLED_OPT = 'BY' AND ENABLED.USER_NAME = 'ALL USERS' AND ( SELECT COUNT(*) FROM AUDIT_UNIFIED_POLICIES AUD WHERE AUD.POLICY_NAME = ENABLED.POLICY_NAME AND AUD.AUDIT_OPTION IN ('LOGOFF', 'LOGON') AND AUD.AUDIT_OPTION_TYPE = 'STANDARD ACTION') = 2;"
sql_types : POLICY_VARCHAR
sql_expect : regex:".+"