CIS Oracle Database 11g R2 Benchmark
v2.2.0 - 05-31-2016
1 | Page
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International Public License. The link to the license terms can be found at https://creativecommons.org/licenses/by-nc-sa/4.0/legalcode.
To further clarify the Creative Commons license related to CIS Benchmark content, you are authorized to copy and redistribute the content for use by you, within your organization and outside your organization for non-commercial purposes only, provided that (i) appropriate credit is given to CIS, (ii) a link to the license is provided. Additionally, if you remix, transform or build upon the CIS Benchmark(s), you may only distribute the modified materials if they are subject to the same license terms as the original Benchmark license and your derivative will no longer be a CIS Benchmark. Commercial use of CIS Benchmarks is subject to the prior approval of the Center for Internet Security.
Table of Contents
Overview ... 8
  Intended Audience ... 8
  Consensus Guidance ... 8
  Typographical Conventions ... 9
  Scoring Information ... 9
  Profile Definitions ... 10
  Acknowledgements ... 11
Recommendations ... 12
  1 Oracle Database Installation and Patching Requirements ... 12
    1.1 Ensure the Appropriate Version/Patches for Oracle Software Is Installed (Scored) ... 12
    1.2 Ensure All Default Passwords Are Changed (Scored) ... 14
    1.3 Ensure All Sample Data And Users Have Been Removed (Scored) ... 16
  2 Oracle Parameter Settings ... 17
    2.1 Listener Settings ... 18
      2.1.1 Ensure 'SECURE_CONTROL_<listener_name>' Is Set In 'listener.ora' (Scored) ... 18
      2.1.2 Ensure 'extproc' Is Not Present in 'listener.ora' (Scored) ... 20
      2.1.3 Ensure 'ADMIN_RESTRICTIONS_<listener_name>' Is Set to 'ON' (Scored) ... 21
      2.1.4 Ensure 'SECURE_REGISTER_<listener_name>' Is Set to 'TCPS' or 'IPC' (Scored) ... 23
    2.2 Database settings ... 25
      2.2.1 Ensure 'AUDIT_SYS_OPERATIONS' Is Set to 'TRUE' (Scored) ... 25
      2.2.2 Ensure 'AUDIT_TRAIL' Is Set to 'OS', 'DB', 'XML', 'DB,EXTENDED', or 'XML,EXTENDED' (Scored) ... 27
      2.2.3 Ensure 'GLOBAL_NAMES' Is Set to 'TRUE' (Scored) ... 28
      2.2.4 Ensure 'LOCAL_LISTENER' Is Set Appropriately (Scored) ... 29
      2.2.5 Ensure 'O7_DICTIONARY_ACCESSIBILITY' Is Set to 'FALSE' (Scored) ... 31
      2.2.6 Ensure 'OS_ROLES' Is Set to 'FALSE' (Scored) ... 32
      2.2.7 Ensure 'REMOTE_LISTENER' Is Empty (Scored) ... 33
      2.2.8 Ensure 'REMOTE_LOGIN_PASSWORDFILE' Is Set to 'NONE' (Scored) ... 34
      2.2.9 Ensure 'REMOTE_OS_AUTHENT' Is Set to 'FALSE' (Scored) ... 35
      2.2.10 Ensure 'REMOTE_OS_ROLES' Is Set to 'FALSE' (Scored) ... 36
      2.2.11 Ensure 'UTIL_FILE_DIR' Is Empty (Scored) ... 37
      2.2.12 Ensure 'SEC_CASE_SENSITIVE_LOGON' Is Set to 'TRUE' (Scored) ... 38
      2.2.13 Ensure 'SEC_MAX_FAILED_LOGIN_ATTEMPTS' Is Set to '10' (Scored) ... 40
      2.2.14 Ensure 'SEC_PROTOCOL_ERROR_FURTHER_ACTION' Is Set to 'DELAY,3' or 'DROP,3' (Scored) ... 41
      2.2.15 Ensure 'SEC_PROTOCOL_ERROR_TRACE_ACTION' Is Set to 'LOG' (Scored) ... 42
      2.2.16 Ensure 'SEC_RETURN_SERVER_RELEASE_BANNER' Is Set to 'FALSE' (Scored) ... 43
      2.2.17 Ensure 'SQL92_SECURITY' Is Set to 'TRUE' (Scored) ... 44
      2.2.18 Ensure '_TRACE_FILES_PUBLIC' Is Set to 'FALSE' (Scored) ... 45
      2.2.19 Ensure 'RESOURCE_LIMIT' Is Set to 'TRUE' (Scored) ... 46
  3 Oracle Connection and Login Restrictions ... 47
    3.1 Ensure 'FAILED_LOGIN_ATTEMPTS' Is Less than or Equal to '5' (Scored) ... 47
    3.2 Ensure 'PASSWORD_LOCK_TIME' Is Greater than or Equal to '1' (Scored) ... 49
    3.3 Ensure 'PASSWORD_LIFE_TIME' Is Less than or Equal to '90' (Scored) ... 50
    3.4 Ensure 'PASSWORD_REUSE_MAX' Is Greater than or Equal to '20' (Scored) ... 51
    3.5 Ensure 'PASSWORD_REUSE_TIME' Is Greater than or Equal to '365' (Scored) ... 52
    3.6 Ensure 'PASSWORD_GRACE_TIME' Is Less than or Equal to '5' (Scored) ... 53
    3.7 Ensure 'DBA_USERS.PASSWORD' Is Not Set to 'EXTERNAL' for Any User (Scored) ... 54
    3.8 Ensure 'PASSWORD_VERIFY_FUNCTION' Is Set for All Profiles (Scored) ... 55
    3.9 Ensure 'SESSIONS_PER_USER' Is Less than or Equal to '10' (Scored) ... 56
    3.10 Ensure No Users Are Assigned the 'DEFAULT' Profile (Scored) ... 57
  4 Oracle User Access and Authorization Restrictions ... 58
    4.1 Default Public Privileges for Packages and Object Types ... 59
      4.1.1 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_ADVISOR' (Scored) ... 59
      4.1.2 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_CRYPTO' (Scored) ... 60
      4.1.3 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_JAVA' (Scored) ... 61
      4.1.4 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_JAVA_TEST' (Scored) ... 62
      4.1.5 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_JOB' (Scored) ... 63
      4.1.6 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_LDAP' (Scored) ... 64
      4.1.7 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_LOB' (Scored) ... 65
      4.1.8 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_OBFUSCATION_TOOLKIT' (Scored) ... 67
      4.1.9 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_RANDOM' (Scored) ... 69
      4.1.10 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_SCHEDULER' (Scored) ... 70
      4.1.11 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_SQL' (Scored) ... 71
      4.1.12 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_XMLGEN' (Scored) ... 72
      4.1.13 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_XMLQUERY' (Scored) ... 73
      4.1.14 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_FILE' (Scored) ... 74
      4.1.15 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_INADDR' (Scored) ... 75
      4.1.16 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_TCP' (Scored) ... 76
      4.1.17 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_MAIL' (Scored) ... 77
      4.1.18 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_SMTP' (Scored) ... 78
      4.1.19 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_DBWS' (Scored) ... 79
      4.1.20 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_ORAMTS' (Scored) ... 80
      4.1.21 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_HTTP' (Scored) ... 81
      4.1.22 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'HTTPURITYPE' (Scored) ... 82
    4.2 Revoke Non-Default Privileges for Packages and Object Types ... 83
      4.2.1 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_SYS_SQL' (Scored) ... 83
      4.2.2 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_BACKUP_RESTORE' (Scored) ... 84
      4.2.3 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_AQADM_SYSCALLS' (Scored) ... 85
      4.2.4 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_REPCAT_SQL_UTL' (Scored) ... 86
      4.2.5 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'INITJVMAUX' (Scored) ... 87
      4.2.6 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_STREAMS_ADM_UTL' (Scored) ... 88
      4.2.7 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_AQADM_SYS' (Scored) ... 89
      4.2.8 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_STREAMS_RPC' (Scored) ... 90
      4.2.9 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_PRVTAQIM' (Scored) ... 91
      4.2.10 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'LTADM' (Scored) ... 92
      4.2.11 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'WWV_DBMS_SQL' (Scored) ... 93
      4.2.12 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'WWV_EXECUTE_IMMEDIATE' (Scored) ... 94
      4.2.13 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_IJOB' (Scored) ... 95
      4.2.14 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_FILE_TRANSFER' (Scored) ... 96
    4.3 Revoke Excessive System Privileges ... 97
      4.3.1 Ensure 'SELECT_ANY_DICTIONARY' Is Revoked from Unauthorized 'GRANTEE' (Scored) ... 97
      4.3.2 Ensure 'SELECT ANY TABLE' Is Revoked from Unauthorized 'GRANTEE' (Scored) ... 98
      4.3.3 Ensure 'AUDIT SYSTEM' Is Revoked from Unauthorized 'GRANTEE' (Scored) ... 99
      4.3.4 Ensure 'EXEMPT ACCESS POLICY' Is Revoked from Unauthorized 'GRANTEE' (Scored) ... 100
      4.3.5 Ensure 'BECOME USER' Is Revoked from Unauthorized 'GRANTEE' (Scored) ... 101
      4.3.6 Ensure 'CREATE_PROCEDURE' Is Revoked from Unauthorized 'GRANTEE' (Scored) ... 102
      4.3.7 Ensure 'ALTER SYSTEM' Is Revoked from Unauthorized 'GRANTEE' (Scored) ... 103
      4.3.8 Ensure 'CREATE ANY LIBRARY' Is Revoked from Unauthorized 'GRANTEE' (Scored) ... 104
      4.3.9 Ensure 'CREATE LIBRARY' Is Revoked from Unauthorized 'GRANTEE' (Scored) ... 105
      4.3.10 Ensure 'GRANT ANY OBJECT PRIVILEGE' Is Revoked from Unauthorized 'GRANTEE' (Scored) ... 106
      4.3.11 Ensure 'GRANT ANY ROLE' Is Revoked from Unauthorized 'GRANTEE' (Scored) ... 107
      4.3.12 Ensure 'GRANT ANY PRIVILEGE' Is Revoked from Unauthorized 'GRANTEE' (Scored) ... 108
    4.4 Revoke Role Privileges ... 109
      4.4.1 Ensure 'DELETE_CATALOG_ROLE' Is Revoked from Unauthorized 'GRANTEE' (Scored) ... 109
      4.4.2 Ensure 'SELECT_CATALOG_ROLE' Is Revoked from Unauthorized 'GRANTEE' (Scored) ... 110
      4.4.3 Ensure 'EXECUTE_CATALOG_ROLE' Is Revoked from Unauthorized 'GRANTEE' (Scored) ... 111
      4.4.4 Ensure 'DBA' Is Revoked from Unauthorized 'GRANTEE' (Scored) ... 112
    4.5 Revoke Excessive Table and View Privileges ... 113
      4.5.1 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'AUD$' (Scored) ... 113
      4.5.2 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'USER_HISTORY$' (Scored) ... 114
      4.5.3 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'LINK$' (Scored) ... 115
      4.5.4 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'SYS.USER$' (Scored) ... 116
      4.5.5 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'DBA_%' (Scored) ... 117
      4.5.6 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'SYS.SCHEDULER$_CREDENTIAL' (Scored) ... 118
      4.5.7 Ensure 'SYS.USER$MIG' Has Been Dropped (Scored) ... 119
    4.6 Ensure '%ANY%' Is Revoked from Unauthorized 'GRANTEE' (Scored) ... 120
    4.7 Ensure 'DBA_SYS_PRIVS.%' Is Revoked from Unauthorized 'GRANTEE' with 'ADMIN_OPTION' Set to 'YES' (Scored) ... 121
    4.8 Ensure Proxy Users Have Only 'CONNECT' Privilege (Scored) ... 122
    4.9 Ensure 'EXECUTE ANY PROCEDURE' Is Revoked from 'OUTLN' (Scored) ... 123
    4.10 Ensure 'EXECUTE ANY PROCEDURE' Is Revoked from 'DBSNMP' (Scored) ... 124
  5 Audit/Logging Policies and Procedures ... 125
    5.1 Enable 'USER' Audit Option (Scored) ... 126
    5.2 Enable 'ALTER USER' Audit Option (Scored) ... 128
    5.3 Enable 'DROP USER' Audit Option (Scored) ... 129
    5.4 Enable 'ROLE' Audit Option (Scored) ... 130
    5.5 Enable 'SYSTEM GRANT' Audit Option (Scored) ... 131
    5.6 Enable 'PROFILE' Audit Option (Scored) ... 132
    5.7 Enable 'ALTER PROFILE' Audit Option (Scored) ... 133
    5.8 Enable 'DROP PROFILE' Audit Option (Scored) ... 134
    5.9 Enable 'DATABASE LINK' Audit Option (Scored) ... 135
    5.10 Enable 'PUBLIC DATABASE LINK' Audit Option (Scored) ... 136
    5.11 Enable 'PUBLIC SYNONYM' Audit Option (Scored) ... 137
    5.12 Enable 'SYNONYM' Audit Option (Scored) ... 138
    5.13 Enable 'GRANT DIRECTORY' Audit Option (Scored) ... 139
    5.14 Enable 'SELECT ANY DICTIONARY' Audit Option (Scored) ... 140
    5.15 Enable 'GRANT ANY OBJECT PRIVILEGE' Audit Option (Scored) ... 141
    5.16 Enable 'GRANT ANY PRIVILEGE' Audit Option (Scored) ... 143
    5.17 Enable 'DROP ANY PROCEDURE' Audit Option (Scored) ... 144
    5.18 Enable 'ALL' Audit Option on 'SYS.AUD$' (Scored) ... 145
    5.19 Enable 'PROCEDURE' Audit Option (Scored) ... 146
    5.20 Enable 'ALTER SYSTEM' Audit Option (Scored) ... 147
    5.21 Enable 'TRIGGER' Audit Option (Scored) ... 148
    5.22 Enable 'CREATE SESSION' Audit Option (Scored) ... 150
  6 Appendix: Establishing an Audit/Scan User ... 152
Appendix: Change History ... 159
Overview
This document is intended to address the recommended security settings for Oracle Database 11g R2. This guide was tested against Oracle Database 11g R2 (11.2.0.4) running on a Windows Server 2012 R2 instance as a stand-alone system, and running on an Oracle Linux 6.5 instance also as a stand-alone system. Future Oracle Database 11g R2 critical patch updates (CPUs) may impact the recommendations included in this document.
To obtain the latest version of this guide, please visit http://benchmarks.cisecurity.org. If you have questions, comments, or have identified ways to improve this guide, [email protected].
Intended Audience
This benchmark is intended for system and application administrators, security specialists, auditors, help desk, and platform deployment personnel who plan to develop, deploy, assess, or secure solutions that incorporate Oracle Database 11g R2 on Oracle Linux or Microsoft Windows Server.
Consensus Guidance
This benchmark was created using a consensus review process comprised of subject matter experts. Consensus participants provide perspective from a diverse set of backgrounds including consulting, software development, audit and compliance, security research, operations, government, and legal.
Each CIS benchmark undergoes two phases of consensus review. The first phase occurs during initial benchmark development. During this phase, subject matter experts convene to discuss, create, and test working drafts of the benchmark. This discussion occurs until consensus has been reached on benchmark recommendations. The second phase begins after the benchmark has been published. During this phase, all feedback provided by the Internet community is reviewed by the consensus team for incorporation in the benchmark. If you are interested in participating in the consensus process, please visit https://community.cisecurity.org.
Typographical Conventions
The following typographical conventions are used throughout this guide:
Convention                    Meaning
Stylized Monospace font       Used for blocks of code, command, and script examples. Text should be interpreted exactly as presented.
Monospace font                Used for inline code, commands, or examples. Text should be interpreted exactly as presented.
<italic font in brackets>     Italic texts set in angle brackets denote a variable requiring substitution for a real value.
Italic font                   Used to denote the title of a book, article, or other publication.
Note                          Additional information or caveats
Scoring Information
A scoring status indicates whether compliance with the given recommendation impacts the assessed target's benchmark score. The following scoring statuses are used in this benchmark:
Scored
Failure to comply with "Scored" recommendations will decrease the final benchmark score. Compliance with "Scored" recommendations will increase the final benchmark score.
Not Scored
Failure to comply with "Not Scored" recommendations will not decrease the final benchmark score. Compliance with "Not Scored" recommendations will not increase the final benchmark score.
Profile Definitions
The following configuration profiles are defined by this Benchmark:
• Level 1 - RDBMS
  Items in this profile apply to Oracle Database 11g R2 and intend to:
  o Be practical and prudent;
  o Provide a clear security benefit; and
  o Not inhibit the utility of the technology beyond acceptable means.
• Level 1 - Linux Host OS
  Items in this profile apply to Linux Host operating systems and intend to:
  o Be practical and prudent;
  o Provide a clear security benefit; and
  o Not inhibit the utility of the technology beyond acceptable means.
• Level 1 - Windows Server Host OS
  Items in this profile apply to Windows Server operating systems and intend to:
  o Be practical and prudent;
  o Provide a clear security benefit; and
  o Not inhibit the utility of the technology beyond acceptable means.
Acknowledgements
This benchmark exemplifies the great things a community of users, vendors, and subject matter experts can accomplish through consensus collaboration. The CIS community thanks the entire consensus team with special recognition to the following individuals who contributed greatly to the creation of this guide:
Contributor: Arman Rawls, Adam Montville, Alexey Aristov, Dean Lackey, Jay Mehta, Samir Sayed, Scott Rotondo, Than Thi Cham, Timothy Harrison
Editor: Angelo Marcotullio
Recommendations
1 Oracle Database Installation and Patching Requirements
One of the best ways to keep an Oracle installation secure is to apply Critical Patch Updates (CPUs) as they are released, along with any applicable OS patches that will not interfere with system operations. It is additionally prudent to remove Oracle sample data from production environments.
1.1 Ensure the Appropriate Version/Patches for Oracle Software Is Installed (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The Oracle installation should be supported with security patches and the latest Critical Patch Updates should be applied quarterly.
Rationale:
As using the most recent Oracle database software, along with all applicable patches, can help limit the possibilities for vulnerabilities in the software, the installation version and/or patches applied during setup should be established according to the needs of the organization. Ensure you are using a release that is covered by a level of support that includes the generation of Critical Patch Updates.
Audit:
To assess this recommendation, execute the following SQL statements.
To check for a supported version of Oracle Database 11g R2:
SELECT PRODUCT, VERSION
  FROM PRODUCT_COMPONENT_VERSION
 WHERE PRODUCT LIKE '%Database%'
   AND VERSION LIKE '11.2.0.4%';
To check for application of quarterly Critical Patch Updates:
SELECT ACTION, VERSION, ID
  FROM DBA_REGISTRY_HISTORY
 WHERE TO_DATE(TRIM(TO_CHAR(ID)), 'YYMMDD') > SYSDATE - 90
   AND ID > 160000;
A row returned by each SQL statement would be a pass for the recommendation.
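As an added illustration that is not part of the CIS benchmark, the pass conditions of the two audit statements above reimplemented in Python, so they can be applied to exported rows and unit-tested offline. The PRODUCT_COMPONENT_VERSION and DBA_REGISTRY_HISTORY rows are constructed, and decoding a CPU's ID as a YYMMDD date mirrors the TO_DATE format used in the second query.

```python
"""Offline evaluation of the CIS 1.1 audit queries.

Added example, not part of the CIS benchmark. It reproduces in Python the
pass conditions of the two SQL statements so they can be applied to rows
exported from PRODUCT_COMPONENT_VERSION and DBA_REGISTRY_HISTORY, and so
the date arithmetic on the CPU ID can be tested without a database.
"""
from datetime import datetime, timedelta

SUPPORTED_VERSION_PREFIX = "11.2.0.4"   # VERSION LIKE '11.2.0.4%'
CPU_WINDOW_DAYS = 90                    # TO_DATE(...) > SYSDATE - 90
MIN_CPU_ID = 160000                     # ID > 160000, i.e. a 2016-or-later CPU


def cpu_id_to_date(cpu_id):
    """Decode a DBA_REGISTRY_HISTORY.ID as YYMMDD, as the benchmark query does
    with TO_DATE(TRIM(TO_CHAR(ID)), 'YYMMDD'). Returns None for IDs that are
    not six-digit dates (Oracle's TO_DATE would raise on those; here they are
    simply treated as not matching)."""
    text = str(cpu_id).strip()
    if len(text) != 6:
        return None
    try:
        return datetime.strptime(text, "%y%m%d").date()
    except ValueError:
        return None


def version_supported(product_versions, prefix=SUPPORTED_VERSION_PREFIX):
    """First query: a (PRODUCT, VERSION) row with PRODUCT LIKE '%Database%'
    and VERSION starting with the supported release."""
    return any("Database" in product and str(version).startswith(prefix)
               for product, version in product_versions)


def recent_cpu_applied(registry_rows, today, window_days=CPU_WINDOW_DAYS,
                       min_id=MIN_CPU_ID):
    """Second query: an (ACTION, VERSION, ID) row whose ID decodes to a date
    later than today - window_days and is numerically above min_id."""
    cutoff = today - timedelta(days=window_days)
    for _action, _version, cpu_id in registry_rows:
        applied = cpu_id_to_date(cpu_id)
        if applied is not None and applied > cutoff and cpu_id > min_id:
            return True
    return False


def recommendation_1_1_passes(product_versions, registry_rows, today):
    """The recommendation passes only when both queries return a row."""
    return (version_supported(product_versions)
            and recent_cpu_applied(registry_rows, today))


# Constructed sample rows (not exported from a real database).
SAMPLE_VERSIONS = [
    ("Oracle Database 11g Enterprise Edition", "11.2.0.4.0"),
    ("PL/SQL", "11.2.0.4.0"),
]
SAMPLE_REGISTRY = [
    ("APPLY", "11.2.0.4", 160419),   # a CPU identified by its April 2016 date
]

if __name__ == "__main__":
    assessed_on = cpu_id_to_date(160531)   # 31 May 2016, this benchmark's date
    print("1.1 passes:",
          recommendation_1_1_passes(SAMPLE_VERSIONS, SAMPLE_REGISTRY, assessed_on))
```

Running the block with a later assessment date shows the 90-day window expiring: the same CPU row no longer counts, which is exactly the condition the quarterly check is meant to catch.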
Remediation:
Download and apply the latest quarterly Critical Patch Update patches.
References:
1. http://www.oracle.com/us/support/assurance/fixing-policies/index.html
2. http://www.oracle.com/technetwork/topics/security/alerts-086861.html
3. http://www.oracle.com/us/support/library/lifetime-support-technology-069183.pdf
4. http://docs.oracle.com/cd/E11882_01/server.112/e40402/statviews_4212.htm#REFRN23549
1.2 Ensure All Default Passwords Are Changed (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The Oracle installation has a view called DBA_USERS_WITH_DEFPWD, which keeps a list of all database users making use of default passwords.
Rationale:
Default passwords should be considered "well known" to attackers. Consequently, if default passwords remain in place any attacker with access to the database then has the ability to authenticate as the user with that default password. When default passwords are altered, this circumstance is mitigated.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT USERNAME
  FROM DBA_USERS_WITH_DEFPWD
 WHERE USERNAME NOT LIKE '%XS$NULL%';
The assessment fails if results are returned.
Remediation:
To remediate this recommendation, you may perform either of the following actions.
• Manually issue the following SQL statement for each USERNAME returned in the Audit Procedure:
PASSWORD <username>
• Execute the following SQL script to randomly assign passwords:
begin
  for r_user in (select username
                   from dba_users_with_defpwd
                  where username not like '%XS$NULL%')
  loop
    DBMS_OUTPUT.PUT_LINE('Password for user ' || r_user.username || ' will be changed.');
    -- set a random 16-character password, then lock and expire the account so the
    -- user must be deliberately unlocked and choose a new password at next logon
    execute immediate 'alter user "' || r_user.username || '" identified by "'
                      || DBMS_RANDOM.string('a', 16) || '" account lock password expire';
  end loop;
end;
/
References:
1. http://docs.oracle.com/cd/E11882_01/server.112/e10575/tdpsg_user_accounts.htm#TDPSG20000
1.3 Ensure All Sample Data And Users Have Been Removed (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
Oracle sample schemas are not needed for the operation of the database. These include, among others, sample schemas pertaining to Human Resources, Business Intelligence, Order Entry, and the like. These samples create sample users (BI, HR, OE, PM, IX, SH, SCOTT), in addition to tables and fictitious data.
Rationale:
The sample data is typically not required for production operations of the database and provides users with well-known default passwords, particular views, and procedures/functions. Such users, views, and/or procedures/functions could be used to launch exploits against production environments.
Audit:
To assess this recommendation, check for the presence of Oracle sample users by executing the following SQL statement.
SELECT USERNAME
  FROM ALL_USERS
 WHERE USERNAME IN ('BI', 'HR', 'IX', 'OE', 'PM', 'SCOTT', 'SH');
Remediation:
To remediate this setting, it is recommended that you execute the following SQL script.
$ORACLE_HOME/demo/schema/drop_sch.sql
NOTE: The recycle bin is not set to OFF within the default drop script, which means that the data will still be present in your environment until the recycle bin is emptied.
Impact:
The Oracle sample usernames may be in use on a production basis. It is important that you first verify that BI, HR, IX, OE, PM, SCOTT, and/or SH are not valid production usernames before executing the dropping SQL scripts. This may be particularly true with the HR and BI users. If any of these users are present, it is important to be cautious and confirm the schemas present are, in fact, Oracle sample schemas and not production schemas being relied upon by business operations.
References:
1. http://docs.oracle.com/cd/E11882_01/server.112/e10831/toc.htm
2 Oracle Parameter Settings
The operation of the Oracle database instance is governed by numerous parameters that are set in specific configuration files and are instance-specific in scope. As alterations of these parameters can cause problems ranging from denial-of-service to theft of proprietary information, these configurations should be carefully considered and maintained.
Note:
For all files that have parameters that can be modified with the OS and/or SQL commands/scripts, these will both be listed where appropriate.
2.1 Listener Settings
Settings for the TNS Listener listener.ora file.
2.1.1 Ensure 'SECURE_CONTROL_<listener_name>' Is Set In 'listener.ora' (Scored)
Profile Applicability:
• Level 1 - Linux Host OS
• Level 1 - Windows Server Host OS
Description:
The SECURE_CONTROL_<listener_name> setting determines the type of control connection the Oracle server requires for remote configuration of the listener.
Rationale:
As listener configuration changes via unencrypted remote connections can result in unauthorized users sniffing the control configuration information from the network, these control values should be set according to the needs of the organization.
Audit:
To audit this recommendation follow these steps:
• Open the $ORACLE_HOME/network/admin/listener.ora file (or %ORACLE_HOME%\network\admin\listener.ora on Windows)
• Ensure that each defined listener has an associated SECURE_CONTROL_<listener_name> directive.
For example:
LISTENER1 =
  (DESCRIPTION=
    (ADDRESS=(PROTOCOL=TCP)(HOST=sales-server)(PORT=1521))
    (ADDRESS=(PROTOCOL=IPC)(KEY=REGISTER))
    (ADDRESS=(PROTOCOL=TCPS)(HOST=sales-server)(PORT=1522)))
SECURE_CONTROL_LISTENER1=TCPS
Remediation:
Set the SECURE_CONTROL_<listener_name> for each defined listener in the listener.ora file, according to the needs of the organization.
References:
1. http://docs.oracle.com/cd/E11882_01/network.112/e10835/listener.htm#NETRF327
2.1.2 Ensure 'extproc' Is Not Present in 'listener.ora' (Scored)
Profile Applicability:
• Level 1 - Linux Host OS
• Level 1 - Windows Server Host OS
Description:
Oracle extproc allows the database to run procedures from operating system libraries. These library calls can, in turn, run any operating system command.
Rationale:
extproc should be removed from the listener.ora to mitigate the risk that OS libraries can be invoked by the Oracle instance.
Audit:
To audit this recommendation execute the following shell commands as appropriate for your Unix/Windows environment.
Unix environment:
grep -i extproc $ORACLE_HOME/network/admin/listener.ora
Windows environment:
find /I "extproc" %ORACLE_HOME%\network\admin\listener.ora
Ensure extproc does not exist.
Remediation:
Remove extproc from the listener.ora file.
References:
1. http://docs.oracle.com/cd/E11882_01/network.112/e10836/advcfg.htm#NETAG0132
2.1.3 Ensure 'ADMIN_RESTRICTIONS_<listener_name>' Is Set to 'ON' (Scored)
Profile Applicability:
• Level 1 - Linux Host OS
• Level 1 - Windows Server Host OS
Description:
The admin_restrictions_<listener_name> setting in the listener.ora file can require that any attempted real-time alteration of the parameters in the listener via the set command be refused unless the listener.ora file is manually altered then restarted by a privileged user.
Rationale:
As blocking unprivileged users from making alterations of the listener.ora file, where remote data/services are specified, will help protect data confidentiality, this value should be set to the needs of the organization.
Audit:
To audit this recommendation execute the following shell commands as appropriate for your Unix/Windows environment.
Unix environment:
grep -i admin_restrictions $ORACLE_HOME/network/admin/listener.ora
Windows environment:
find /I "admin_restrictions" %ORACLE_HOME%\network\admin\listener.ora
Ensure ADMIN_RESTRICTIONS_<listener_name> is set to ON for all listeners.
Remediation:
Use a text editor such as vi to set the ADMIN_RESTRICTIONS_<listener_name> to the value ON.
Default Value:
Not set.
22|P a g e
References:
1. http://docs.oracle.com/cd/E11882_01/network.112/e10835/listener.htm#NETRF310
23|P a g e
2.1.4 Ensure 'SECURE_REGISTER_<listener_name>' Is Set to 'TCPS' or 'IPC' (Scored)
Profile Applicability:
• Level 1 - Linux Host OS
• Level 1 - Windows Server Host OS
Description:
The SECURE_REGISTER_<listener_name> setting specifies the protocols over which the listener accepts service registration requests from database instances.
Rationale:
A listener that accepts registrations over plain TCP lets any party with network access register a rogue service and have client traffic redirected through it (TNS poisoning; see the references), so registration should be restricted to TCPS or the local IPC endpoint, according to the needs of the organization.
Audit:
To audit this recommendation execute the following shell commands as appropriate for your Unix/Windows environment.
Unix environment:
grep -i SECURE_REGISTER $ORACLE_HOME/network/admin/listener.ora
Windows environment:
find /I "SECURE_REGISTER" %ORACLE_HOME%\network\admin\listener.ora
Ensure SECURE_REGISTER_<listener_name> is set to TCPS or IPC.
Remediation:
Use a text editor such as vi to set SECURE_REGISTER_<listener_name> = TCPS or SECURE_REGISTER_<listener_name> = IPC for each listener found in $ORACLE_HOME/network/admin/listener.ora, then reload or restart the listener. If IPC is chosen, the listener needs an ADDRESS with PROTOCOL = IPC and the instance's LOCAL_LISTENER must point at that endpoint (see 2.2.4); otherwise the instance can no longer register its services and clients fail with ORA-12514.
References:
1. http://docs.oracle.com/cd/E11882_01/network.112/e10835/listener.htm#NETRF328
2. https://support.oracle.com/epmos/faces/ui/km/DocumentDisplay.jspx?id=1453883.1
3. https://support.oracle.com/epmos/faces/ui/km/DocumentDisplay.jspx?id=1340831.1
4. http://www.joxeankoret.com/download/tnspoison.pdf
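The four listener.ora recommendations in 2.1 interact: SECURE_REGISTER = IPC only works if the listener has an IPC endpoint, and that same endpoint is what the instance's LOCAL_LISTENER (2.2.4) must name. The following before/after listener.ora is an added example written for this page, not a fragment from the CIS benchmark or from Oracle; the listener name LISTENER, the host sales-server, the ports, the ORACLE_HOME path and the wallet directory are assumptions.

```text
# ---- BEFORE: fails 2.1.1, 2.1.2, 2.1.3 and 2.1.4 ------------------------
# No SECURE_CONTROL_, ADMIN_RESTRICTIONS_ or SECURE_REGISTER_ directive exists,
# and extproc is still wired to this listener.
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = sales-server)(PORT = 1521))
    )
  )
SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (SID_NAME = PLSExtProc)
      (ORACLE_HOME = /u01/app/oracle/product/11.2.0/dbhome_1)
      (PROGRAM = extproc)
    )
  )

# ---- AFTER: passes 2.1.1 to 2.1.4 ----------------------------------------
# The extproc SID_DESC is gone (2.1.2). The IPC endpoint (KEY = REGISTER) is
# the one the instance's LOCAL_LISTENER points at; the TCPS endpoint needs the
# wallet below to be populated with the server certificate.
LISTENER =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = sales-server)(PORT = 1521))
    (ADDRESS = (PROTOCOL = IPC)(KEY = REGISTER))
    (ADDRESS = (PROTOCOL = TCPS)(HOST = sales-server)(PORT = 1522))
  )
# 2.1.3: lsnrctl SET is refused; only editing this file and a reload/restart
# changes the listener.
ADMIN_RESTRICTIONS_LISTENER = ON
# 2.1.1: administration (lsnrctl stop, status, ...) only over TLS or the local
# IPC endpoint. Plain TCP on port 1521 still serves clients but no longer
# accepts control requests.
SECURE_CONTROL_LISTENER = (TCPS, IPC)
# 2.1.4: service registration only through the local IPC endpoint, so a remote
# party on the network cannot register a rogue service.
SECURE_REGISTER_LISTENER = IPC
WALLET_LOCATION =
  (SOURCE = (METHOD = FILE)(METHOD_DATA = (DIRECTORY = /u01/app/oracle/wallet)))
```

After reloading the listener, the section's own audit commands (grep -i for extproc, admin_restrictions, SECURE_CONTROL and SECURE_REGISTER) return the expected results, and lsnrctl services should list the instance's services once LOCAL_LISTENER has been set to the IPC address as in 2.2.4. The example lists IPC alongside TCPS in SECURE_CONTROL so that local administration via lsnrctl keeps working; the page's own 2.1.1 example restricts control to TCPS alone, which is stricter but requires every lsnrctl session to use the TLS endpoint.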
2.2 Database settings
This section defines recommendations covering the general security configuration of the database instance. The listed recommendations ensure auditing is enabled, listeners are appropriately confined, and authentication is appropriately configured.
NOTE: The remediation procedures assume the use of a server parameter file, which is often a preferred method of storing server initialization parameters.
ALTER SYSTEM SET <configuration_item> = <value> SCOPE = SPFILE;
For your environment, leaving off the SCOPE = SPFILE directive or substituting SCOPE = BOTH might be preferred depending on the recommendation. A change made with SCOPE = SPFILE only takes effect after the instance is restarted; SCOPE = BOTH applies it immediately as well, but is accepted only for parameters that can be modified at run time (V$PARAMETER.ISSYS_MODIFIABLE is not 'FALSE'). Static parameters raise ORA-02095 when SCOPE = BOTH is attempted and must be changed with SCOPE = SPFILE followed by a restart.
2.2.1 Ensure 'AUDIT_SYS_OPERATIONS' Is Set to 'TRUE' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The AUDIT_SYS_OPERATIONS setting provides for the auditing of all user activities conducted under the SYSOPER and SYSDBA privileges.
Rationale:
If AUDIT_SYS_OPERATIONS is FALSE, nothing a SYSDBA or SYSOPER session does is audited apart from instance startup/shutdown and the logon itself, so the most privileged activity in the database leaves no record.
Audit:
To assess this recommendation execute the following SQL statement.
SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME) = 'AUDIT_SYS_OPERATIONS';
Ensure VALUE is set to TRUE.
Remediation:
To remediate this setting execute the following SQL statement.
ALTER SYSTEM SET AUDIT_SYS_OPERATIONS = TRUE SCOPE=SPFILE;
The parameter is static, so the instance must be restarted before it takes effect. The resulting records are written to the operating system audit trail (the directory named by AUDIT_FILE_DEST, or syslog when AUDIT_SYSLOG_LEVEL is set; the Event Log on Windows), not to the database audit trail, so those files need to be protected, or forwarded with syslog, independently of the database.
References:
1. http://docs.oracle.com/cd/E11882_01/server.112/e25513/initparams015.htm#REFRN10005
2.2.2 Ensure 'AUDIT_TRAIL' Is Set to 'OS', 'DB', 'XML', 'DB,EXTENDED', or 'XML,EXTENDED' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The AUDIT_TRAIL setting determines whether or not Oracle's standard auditing is enabled and where the records are written: "OS" (operating system audit files), "DB" (the SYS.AUD$ table), "DB,EXTENDED", "XML" (XML files) or "XML,EXTENDED". The EXTENDED variants additionally record the SQL text and bind values of each audited statement.
Rationale:
As enabling standard auditing for the Oracle instance permits the collection of data to troubleshoot problems, as well as providing valuable forensic logs in the case of a system breach, this value should be set according to the needs of the organization.
Audit:
To assess this recommendation execute the following SQL statement.
SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='AUDIT_TRAIL';
Ensure VALUE is set to OS, DB, DB,EXTENDED, XML or XML,EXTENDED.
Remediation:
To remediate this setting execute one of the following SQL statements.
ALTER SYSTEM SET AUDIT_TRAIL = DB SCOPE = SPFILE;
ALTER SYSTEM SET AUDIT_TRAIL = DB, EXTENDED SCOPE = SPFILE;
ALTER SYSTEM SET AUDIT_TRAIL = OS SCOPE = SPFILE;
ALTER SYSTEM SET AUDIT_TRAIL = XML SCOPE = SPFILE;
ALTER SYSTEM SET AUDIT_TRAIL = XML, EXTENDED SCOPE = SPFILE;
AUDIT_TRAIL is static; restart the instance afterwards. The parameter only switches the trail on: which statements, privileges and objects are audited is governed by the AUDIT commands, and the trail (SYS.AUD$ or the audit files) must be sized and purged, for example with DBMS_AUDIT_MGMT, so that a full audit trail does not stop audited operations.
References:
1. https://docs.oracle.com/cd/E11882_01/server.112/e40402/initparams017.htm#REFRN10006
2. http://www.oracle.com/technetwork/products/audit-vault/learnmore/twp-security-auditperformance-166655.pdf
2.2.3 Ensure 'GLOBAL_NAMES' Is Set to 'TRUE' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The GLOBAL_NAMES setting requires that the name of a database link match the global database name of the remote database it connects to.
Rationale:
Without this requirement a database link can be pointed at any database under any name, which makes it easier for connections to be redirected to an unauthorized remote database, so this value should be set according to the needs of the organization.
Audit:
To assess this recommendation execute the following SQL statement.
SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='GLOBAL_NAMES';
Ensure VALUE is set to TRUE.
Remediation:
To remediate this setting execute the following SQL statement.
ALTER SYSTEM SET GLOBAL_NAMES = TRUE SCOPE = SPFILE;
GLOBAL_NAMES is dynamic, so SCOPE = BOTH may be used to apply it immediately; existing database links whose names do not match the remote global name will then fail with ORA-02085 and must be recreated under the correct name.
References:
1. http://docs.oracle.com/cd/E11882_01/server.112/e25513/initparams096.htm#REFRN10065
2.2.4 Ensure 'LOCAL_LISTENER' Is Set Appropriately (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The LOCAL_LISTENER setting specifies a network name (or address) that resolves to the Oracle TNS listener with which the instance registers its services.
Rationale:
The TNS poisoning attack allows an attacker with network access to redirect TNS traffic to another system by registering a rogue service with the TNS listener. By having the instance register over the IPC protocol, and the listener accept registrations only over IPC (see 2.1.4), registration via TCP/IP is no longer possible.
Audit:
To assess this recommendation execute the following SQL statement.
SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='LOCAL_LISTENER';
Ensure VALUE is set to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=REGISTER))).
Remediation:
To remediate this setting execute the following SQL statement.
ALTER SYSTEM SET LOCAL_LISTENER='[description]' SCOPE = BOTH;
Replace [description] with the matching description from your listener.ora file, where that description sets the PROTOCOL parameter to IPC. For example:
ALTER SYSTEM SET LOCAL_LISTENER='(DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=REGISTER)))' SCOPE=BOTH;
The KEY value must match the one configured on the listener's IPC address; afterwards, lsnrctl services should show the instance's services as registered. On its own, LOCAL_LISTENER only changes where the instance registers. The listener must also be restricted with SECURE_REGISTER_<listener_name> (2.1.4), or an attacker can still register over TCP.
References:
1. http://docs.oracle.com/cd/E11882_01/server.112/e25513/initparams118.htm#REFRN10082
2. https://support.oracle.com/epmos/faces/ui/km/DocumentDisplay.jspx?id=1453883.1
3. https://support.oracle.com/epmos/faces/ui/km/DocumentDisplay.jspx?id=1340831.1
4. http://www.joxeankoret.com/download/tnspoison.pdf
2.2.5 Ensure 'O7_DICTIONARY_ACCESSIBILITY' Is Set to 'FALSE' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The O7_DICTIONARY_ACCESSIBILITY setting is a database initialization parameter that controls whether system privileges carrying the ANY keyword (for example SELECT ANY TABLE or EXECUTE ANY PROCEDURE) also apply to objects in the SYS schema. When it is FALSE, access to SYS-owned objects requires the SELECT ANY DICTIONARY privilege or explicit object grants. This functionality was created for the ease of migration from Oracle7 databases to later versions.
Rationale:
As leaving the SYS schema so open to connection could permit unauthorized access to critical data structures, this value should be set according to the needs of the organization.
Audit:
To assess this recommendation execute the following SQL statement.
SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='O7_DICTIONARY_ACCESSIBILITY';
Ensure VALUE is set to FALSE.
Remediation:
To remediate this setting execute the following SQL statement.
ALTER SYSTEM SET O7_DICTIONARY_ACCESSIBILITY=FALSE SCOPE = SPFILE;
References:
1. http://docs.oracle.com/cd/E11882_01/server.112/e25513/initparams157.htm#REFRN10133
2.2.6 Ensure 'OS_ROLES' Is Set to 'FALSE' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The OS_ROLES setting determines whether the operating system, rather than the database, identifies and manages the roles of each database user. When it is TRUE, roles are granted and enabled through externally created OS groups and role grants recorded in the database are ignored.
Rationale:
As allowing the OS to use external groups for database management could cause privilege overlaps and generally weaken security (anyone who can change OS group membership can effectively grant database roles), this value should be set according to the needs of the organization.
Audit:
To assess this recommendation execute the following SQL statement.
SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='OS_ROLES';
Ensure VALUE is set to FALSE.
Remediation:
To remediate this setting execute the following SQL statement.
ALTER SYSTEM SET OS_ROLES = FALSE SCOPE = SPFILE;
References:
1. http://docs.oracle.com/cd/E11882_01/server.112/e25513/initparams175.htm#REFRN10153
2.2.7 Ensure 'REMOTE_LISTENER' Is Empty (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The REMOTE_LISTENER setting specifies a network name that resolves to the address, or address list, of listeners on systems other than the one running the database instance, with which the instance then registers its services.
Rationale:
As permitting a remote listener for connections to the database instance can allow for the potential spoofing of connections, which could compromise data confidentiality and integrity, this value should be disabled/restricted according to the needs of the organization. Oracle RAC depends on REMOTE_LISTENER for its SCAN listeners; in that configuration restrict the value to the cluster's own SCAN rather than clearing it.
Audit:
To assess this recommendation execute the following SQL statement.
SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='REMOTE_LISTENER';
Ensure VALUE is empty.
Remediation:
To remediate this setting execute the following SQL statement.
ALTER SYSTEM SET REMOTE_LISTENER = '' SCOPE = SPFILE;
REMOTE_LISTENER is dynamic, so SCOPE = BOTH clears it immediately without a restart.
References:
1. http://docs.oracle.com/cd/E11882_01/server.112/e25513/initparams208.htm#REFRN10183
2.2.8 Ensure 'REMOTE_LOGIN_PASSWORDFILE' Is Set to 'NONE' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The REMOTE_LOGIN_PASSWORDFILE setting specifies whether or not Oracle checks for a password file during login and how many databases can use the password file: NONE (no password file is used, so privileged connections are only possible through OS authentication on the database server), EXCLUSIVE or SHARED.
Rationale:
As the password file permits SYSDBA/SYSOPER connections from remote clients on the strength of a password alone, this value should be set according to the needs of the organization. Data Guard redo transport and other remote SYSDBA connections (for example RMAN or Enterprise Manager connecting from another host) require a password file; where those are in use the value cannot be NONE and the password file itself must be protected instead.
Audit:
To assess this recommendation execute the following SQL statement.
SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='REMOTE_LOGIN_PASSWORDFILE';
Ensure VALUE is set to NONE.
Remediation:
To remediate this setting execute the following SQL statement.
ALTER SYSTEM SET REMOTE_LOGIN_PASSWORDFILE = 'NONE' SCOPE = SPFILE;
References:
1. http://docs.oracle.com/cd/E11882_01/server.112/e40402/initparams212.htm#REFRN10184
2. http://docs.oracle.com/cd/B28359_01/server.111/b28320/initparams198.htm#REFRN10184
2.2.9 Ensure 'REMOTE_OS_AUTHENT' Is Set to 'FALSE' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The REMOTE_OS_AUTHENT setting determines whether remote clients can be authenticated by their own operating system, i.e. whether a user created IDENTIFIED EXTERNALLY may connect over the network on the strength of the client OS account name alone. The parameter is deprecated in 11g but still honored.
Rationale:
Trusting a remote client's operating system to identify the user lets anyone who controls a client machine create a local account whose name matches an externally identified database user and connect as that user, so this value should be restricted according to the needs of the organization.
Audit:
To assess this recommendation execute the following SQL statement.
SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='REMOTE_OS_AUTHENT';
Ensure VALUE is set to FALSE.
Remediation:
To remediate this setting execute the following SQL statement.
ALTER SYSTEM SET REMOTE_OS_AUTHENT = FALSE SCOPE = SPFILE;
References:
1. http://docs.oracle.com/cd/E11882_01/server.112/e25513/initparams210.htm#REFRN10185
2.2.10 Ensure 'REMOTE_OS_ROLES' Is Set to 'FALSE' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The REMOTE_OS_ROLES setting permits the OS roles of remote clients to be applied to database management. When it is FALSE, roles for remote clients are identified and managed only by the database.
Rationale:
As allowing the OS roles of remote clients to carry database management permissions could cause privilege overlaps and generally weaken security, this value should be set according to the needs of the organization.
Audit:
To assess this recommendation execute the following SQL statement.
SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='REMOTE_OS_ROLES';
Ensure VALUE is set to FALSE.
Remediation:
To remediate this setting execute the following SQL statement.
ALTER SYSTEM SET REMOTE_OS_ROLES = FALSE SCOPE = SPFILE;
References:
1. http://docs.oracle.com/cd/E11882_01/server.112/e25513/initparams211.htm#REFRN10186
2.2.11 Ensure 'UTL_FILE_DIR' Is Empty (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The UTL_FILE_DIR setting lists the operating system directories that packages such as UTL_FILE may access (read/write/modify/delete) without a directory object. It is deprecated but still usable in 11g; directory objects created with CREATE DIRECTORY and granted explicitly are the supported replacement.
Rationale:
Every directory listed in UTL_FILE_DIR is accessible to every database user who can execute UTL_FILE, and a value of * opens every directory the Oracle software owner can reach, so files on the server (including trace files, the password file and database files) can be read or manipulated from inside the database. The parameter should therefore be empty.
Audit:
To assess this recommendation execute the following SQL statement.
SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='UTL_FILE_DIR';
Ensure VALUE is empty.
Remediation:
To remediate this setting execute the following SQL statement.
ALTER SYSTEM SET UTL_FILE_DIR = '' SCOPE = SPFILE;
UTL_FILE_DIR is static; restart the instance afterwards and re-point any code that relied on it at a directory object.
References:
1. http://docs.oracle.com/cd/E11882_01/server.112/e25513/initparams266.htm#REFRN10230
2.2.12 Ensure 'SEC_CASE_SENSITIVE_LOGON' Is Set to 'TRUE' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The SEC_CASE_SENSITIVE_LOGON setting determines whether or not passwords are case-sensitive during login.
Because of the security bug CVE-2012-3137 it is recommended to set this parameter to TRUE if the October 2012 CPU/PSU or later has been applied.
If that patch has not been applied, it is recommended to set this parameter to FALSE so that the vulnerability cannot be abused.
Rationale:
Oracle 11g databases without the October 2012 CPU or a later patch are vulnerable to CVE-2012-3137 when the case-sensitive SHA-1 password hashes are used. To avoid this kind of attack on an unpatched database, the old DES hashes have to be used (the parameter set to FALSE) until the patch is applied.
Audit:
To assess this recommendation execute the following SQL statement.
SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='SEC_CASE_SENSITIVE_LOGON';
Ensure VALUE is set to TRUE.
Remediation:
To remediate this setting execute the following SQL statement.
ALTER SYSTEM SET SEC_CASE_SENSITIVE_LOGON = TRUE SCOPE = SPFILE;
Impact:
If SEC_CASE_SENSITIVE_LOGON is FALSE, all users that have only an SHA-1 hash and no DES hash (listed by SELECT name, password, spare4 FROM sys.user$ WHERE password IS NULL AND spare4 IS NOT NULL) are no longer able to connect to the database. In this case the password of every such user has to be set again so that a DES hash is generated.
References:
1. http://docs.oracle.com/cd/E11882_01/server.112/e25513/initparams222.htm#REFRN10299
2. https://support.oracle.com/epmos/faces/DocumentDisplay?id=1492721.1
3. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3137
2.2.13 Ensure 'SEC_MAX_FAILED_LOGIN_ATTEMPTS' Is Set to '10' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The SEC_MAX_FAILED_LOGIN_ATTEMPTS parameter determines how many authentication attempts a client may make on a single connection before Oracle drops that connection. It operates at the connection level and is independent of the profile limit FAILED_LOGIN_ATTEMPTS (3.1), which locks the account.
Rationale:
As allowing an unlimited number of login attempts on a user connection can facilitate both brute-force login attacks and the occurrence of Denial-of-Service, this value (10) should be set according to the needs of the organization.
Audit:
To assess this recommendation execute the following SQL statement.
SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='SEC_MAX_FAILED_LOGIN_ATTEMPTS';
Ensure VALUE is set to 10.
Remediation:
To remediate this setting execute the following SQL statement.
ALTER SYSTEM SET SEC_MAX_FAILED_LOGIN_ATTEMPTS = 10 SCOPE = SPFILE;
References:
1. http://docs.oracle.com/cd/E11882_01/server.112/e25513/initparams223.htm#REFRN10274
2.2.14 Ensure 'SEC_PROTOCOL_ERROR_FURTHER_ACTION' Is Set to 'DELAY,3' or 'DROP,3' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The SEC_PROTOCOL_ERROR_FURTHER_ACTION setting determines the Oracle server's further response to bad/malformed packets received from the client: CONTINUE (keep servicing the client), DELAY,n (delay the next response to that client by n seconds) or DROP,n (drop the connection after n bad packets).
Rationale:
As bad packets received from the client can indicate a packet-based attack on the database server, such as fuzzing of the Oracle Net protocol, and a server that keeps servicing such a client can be driven into a Denial-of-Service condition, this value should be set according to the needs of the organization.
Audit:
To assess this recommendation execute the following SQL statement.
SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='SEC_PROTOCOL_ERROR_FURTHER_ACTION';
Ensure VALUE is set to DELAY,3 or DROP,3.
Remediation:
To remediate this setting execute one of the following SQL statements.
ALTER SYSTEM SET SEC_PROTOCOL_ERROR_FURTHER_ACTION = 'DELAY,3' SCOPE = SPFILE;
ALTER SYSTEM SET SEC_PROTOCOL_ERROR_FURTHER_ACTION = 'DROP,3' SCOPE = SPFILE;
References:
1. http://docs.oracle.com/cd/E11882_01/server.112/e25513/initparams224.htm#REFRN10282
2.2.15 Ensure 'SEC_PROTOCOL_ERROR_TRACE_ACTION' Is Set to 'LOG' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The SEC_PROTOCOL_ERROR_TRACE_ACTION setting determines how the Oracle server records bad/malformed packets received from the client: NONE records nothing, LOG writes a short message to the alert log for each bad packet, TRACE additionally writes a detailed trace file, and ALERT raises an alert in the alert log.
Rationale:
As bad packets received from the client can potentially indicate a packet-based attack on the database server, which could result in a Denial-of-Service condition, this diagnostic/logging value (ALERT, LOG or TRACE) should be set according to the needs of the organization. LOG captures the event without the disk-space cost of a trace file per bad packet, which an attacker could otherwise use to fill the diagnostic destination.
Audit:
To assess this recommendation execute the following SQL statement.
SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='SEC_PROTOCOL_ERROR_TRACE_ACTION';
Ensure VALUE is set to LOG.
Remediation:
To remediate this setting execute the following SQL statement.
ALTER SYSTEM SET SEC_PROTOCOL_ERROR_TRACE_ACTION=LOG SCOPE = SPFILE;
References:
1. http://docs.oracle.com/cd/B28359_01/server.111/b28320/initparams214.htm
2.2.16 Ensure 'SEC_RETURN_SERVER_RELEASE_BANNER' Is Set to 'FALSE' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The SEC_RETURN_SERVER_RELEASE_BANNER setting determines whether the server returns its full release banner, including the exact patch/update release currently running, to connecting clients, or only a generic release string.
Rationale:
As allowing the database to return information about the patch/update release number could facilitate unauthorized users' attempts to gain access based upon known patch weaknesses, this value should be set according to the needs of the organization.
Audit:
To assess this recommendation execute the following SQL statement.
SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='SEC_RETURN_SERVER_RELEASE_BANNER';
Ensure VALUE is set to FALSE.
Remediation:
To remediate this setting execute the following SQL statement.
ALTER SYSTEM SET SEC_RETURN_SERVER_RELEASE_BANNER = FALSE SCOPE = SPFILE;
References:
1. http://docs.oracle.com/cd/E11882_01/server.112/e25513/initparams226.htm#REFRN10275
2.2.17 Ensure 'SQL92_SECURITY' Is Set to 'TRUE' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
Setting the SQL92_SECURITY parameter to TRUE requires a user to have the SELECT privilege on a column in order to reference it in the WHERE clause of a DELETE or UPDATE statement, or on the right-hand side of a SET clause in an UPDATE statement.
Rationale:
A user without the SELECT privilege can still infer the values stored in a column by referring to that column in a DELETE or UPDATE statement (for example by updating rows WHERE salary > 100000 and counting how many changed). This setting prevents that inadvertent information disclosure by ensuring that only users who already hold the SELECT privilege can execute the statements that would let them infer the stored values.
Audit:
To assess this recommendation execute the following SQL statement.
SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='SQL92_SECURITY';
Ensure VALUE is set to TRUE.
Remediation:
To remediate this setting execute the following SQL statement.
ALTER SYSTEM SET SQL92_SECURITY = TRUE SCOPE = SPFILE;
References:
1. http://docs.oracle.com/cd/E11882_01/server.112/e25513/initparams246.htm#REFRN10210
2.2.18 Ensure '_TRACE_FILES_PUBLIC' Is Set to 'FALSE' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The _trace_files_public setting determines whether or not the instance's trace files are created world-readable. It is an undocumented (underscore) parameter and only appears in V$PARAMETER once it has been set explicitly.
Rationale:
As granting read permission to everyone on the host lets any OS user read the instance's trace files, which can contain sensitive information about instance operations (including SQL text and data values), this value should be restricted according to the needs of the organization.
Audit:
To assess this recommendation execute the following SQL statement.
SELECT VALUE FROM V$PARAMETER WHERE NAME='_trace_files_public';
A VALUE equal to FALSE or lack of results implies compliance.
Remediation:
To remediate this setting execute the following SQL statement.
ALTER SYSTEM SET "_trace_files_public" = FALSE SCOPE = SPFILE;
The double quotes are required because of the leading underscore. Trace files already written while the parameter was TRUE keep their permissions and should be fixed or removed by hand.
References:
1. http://asktom.oracle.com/pls/asktom/f?p=100:11:0::::P11_QUESTION_ID:4295521746131
2.2.19 Ensure 'RESOURCE_LIMIT' Is Set to 'TRUE' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
RESOURCE_LIMIT determines whether resource limits are enforced in database profiles.
Rationale:
If RESOURCE_LIMIT is set to FALSE, none of the system resource limits set in any database profile are enforced. If it is set to TRUE, the limits set in database profiles are enforced. Note that only the resource limits (such as SESSIONS_PER_USER in 3.9) depend on this parameter; the password-related profile limits in section 3 (FAILED_LOGIN_ATTEMPTS, PASSWORD_*) are always enforced.
Audit:
To assess this recommendation execute the following SQL statement.
SELECT UPPER(VALUE) FROM V$PARAMETER WHERE UPPER(NAME)='RESOURCE_LIMIT';
Ensure VALUE is set to TRUE.
Remediation:
To remediate this setting execute the following SQL statement.
ALTER SYSTEM SET RESOURCE_LIMIT = TRUE SCOPE = SPFILE;
Default Value:
FALSE
References:
1. http://docs.oracle.com/cd/E11882_01/server.112/e25513/initparams214.htm#REFRN10188
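The recommendations in 2.2 are each audited with the same one-row query against V$PARAMETER. The following query is an added example written for this page, not part of the CIS benchmark: it checks all of the fixed-value parameters of 2.2 in one pass, normalizes values such as "DB, EXTENDED" and "(DELAY,3)" so they compare as the benchmark expects, treats an empty value as compliant only where the benchmark asks for an empty value, and reports from ISSYS_MODIFIABLE whether the fix can be applied with SCOPE = BOTH or needs SCOPE = SPFILE plus a restart. LOCAL_LISTENER (2.2.4) is left out because its expected value is site-specific. It assumes a SYSDBA connection (or SELECT on V_$PARAMETER) and, as in 2.2.18, that an absent _trace_files_public row means the parameter is unset.

```sql
-- Added example for section 2.2 (not from the CIS benchmark).
-- expected: parameter name, the set of acceptable values separated by '|',
-- and whether a NULL/absent value counts as compliant.
WITH expected AS (
  SELECT 'audit_sys_operations'              AS name,
         'TRUE'                              AS ok_values,
         'N'                                 AS absent_ok FROM dual UNION ALL
  SELECT 'audit_trail', 'OS|DB|DB,EXTENDED|XML|XML,EXTENDED', 'N'  FROM dual UNION ALL
  SELECT 'global_names',                      'TRUE',          'N'  FROM dual UNION ALL
  SELECT 'o7_dictionary_accessibility',       'FALSE',         'N'  FROM dual UNION ALL
  SELECT 'os_roles',                          'FALSE',         'N'  FROM dual UNION ALL
  SELECT 'remote_listener',                   NULL,            'Y'  FROM dual UNION ALL
  SELECT 'remote_login_passwordfile',         'NONE',          'N'  FROM dual UNION ALL
  SELECT 'remote_os_authent',                 'FALSE',         'N'  FROM dual UNION ALL
  SELECT 'remote_os_roles',                   'FALSE',         'N'  FROM dual UNION ALL
  SELECT 'utl_file_dir',                      NULL,            'Y'  FROM dual UNION ALL
  SELECT 'sec_case_sensitive_logon',          'TRUE',          'N'  FROM dual UNION ALL
  SELECT 'sec_max_failed_login_attempts',     '10',            'N'  FROM dual UNION ALL
  SELECT 'sec_protocol_error_further_action', 'DELAY,3|DROP,3','N'  FROM dual UNION ALL
  SELECT 'sec_protocol_error_trace_action',   'LOG',           'N'  FROM dual UNION ALL
  SELECT 'sec_return_server_release_banner',  'FALSE',         'N'  FROM dual UNION ALL
  SELECT 'sql92_security',                    'TRUE',          'N'  FROM dual UNION ALL
  SELECT '_trace_files_public',               'FALSE',         'Y'  FROM dual UNION ALL
  SELECT 'resource_limit',                    'TRUE',          'N'  FROM dual
)
SELECT e.name,
       NVL(p.value, '<not set>') AS current_value,
       CASE
         -- empty is the compliant state for remote_listener / utl_file_dir,
         -- and "never set" is compliant for the hidden _trace_files_public
         WHEN p.value IS NULL AND e.absent_ok = 'Y' THEN 'PASS'
         -- upper-case and strip blanks/parentheses before matching, so that
         -- 'DB, EXTENDED' and '(DELAY,3)' compare equal to the benchmark text
         WHEN e.ok_values IS NOT NULL
          AND INSTR('|' || e.ok_values || '|',
                    '|' || UPPER(TRANSLATE(p.value, 'x ()', 'x')) || '|') > 0
                                                   THEN 'PASS'
         ELSE 'FAIL'
       END AS status,
       CASE
         WHEN p.name IS NULL                 THEN 'n/a (parameter not set)'
         WHEN p.issys_modifiable = 'FALSE'   THEN 'static: SCOPE=SPFILE, then restart'
         ELSE                                     'dynamic: SCOPE=BOTH allowed'
       END AS how_to_change
  FROM expected e
  LEFT JOIN v$parameter p ON p.name = e.name
 ORDER BY status, e.name;
```

Run it before and after applying the remediations; every row should read PASS. A FAIL row whose how_to_change column says "static" will keep failing until the instance has been restarted, which is the usual reason a scan run immediately after the ALTER SYSTEM statements still reports findings.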
3 Oracle Connection and Login Restrictions
The restrictions on client/user connections to the Oracle database help block unauthorized access to data and services by setting access rules. These security measures help to ensure that successful logins cannot be easily made through brute-force password attacks or intuited by clever social-engineering exploits. Settings are generally recommended to be applied to all defined profiles rather than by using only the DEFAULT profile. All values assigned below are the recommended minimums or maximums; higher, more restrictive values can be applied at the discretion of the organization by creating a separate profile to assign to a different user group.
3.1 Ensure 'FAILED_LOGIN_ATTEMPTS' Is Less than or Equal to '5' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The FAILED_LOGIN_ATTEMPTS setting determines how many failed login attempts are permitted before the system locks the user's account. While different profiles, such as USERS and APPS, can have different and more restrictive settings, the minimum(s) recommended here should be set on the DEFAULT profile.
Rationale:
As repeated failed login attempts can indicate the initiation of a brute-force login attack, this value should be set according to the needs of the organization (see warning below on a known bug that can make this security measure backfire).
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PROFILE, RESOURCE_NAME, LIMIT
  FROM DBA_PROFILES
 WHERE RESOURCE_NAME = 'FAILED_LOGIN_ATTEMPTS'
   AND ( LIMIT = 'DEFAULT' OR LIMIT = 'UNLIMITED' OR LIMIT > 5 );
Lack of results implies compliance.
Remediation:
Remediate this setting by executing the following SQL statement, and repeat it for each other profile returned by the audit query.
ALTER PROFILE DEFAULT LIMIT FAILED_LOGIN_ATTEMPTS 5;
3.2 Ensure 'PASSWORD_LOCK_TIME' Is Greater than or Equal to '1' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The PASSWORD_LOCK_TIME setting determines how many days the user's account stays locked after the set number of failed login attempts has occurred.
Rationale:
As locking the user account after repeated failed login attempts can block further brute-force login attacks, but can create administrative overhead (with a numeric value the account unlocks automatically after that many days; with UNLIMITED it stays locked until a DBA unlocks it), this value should be set according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PROFILE, RESOURCE_NAME, LIMIT
  FROM DBA_PROFILES
 WHERE RESOURCE_NAME = 'PASSWORD_LOCK_TIME'
   AND ( LIMIT = 'DEFAULT' OR LIMIT = 'UNLIMITED' OR LIMIT < 1 );
Lack of results implies compliance.
Remediation:
Remediate this setting by executing the following SQL statement, and repeat it for each other profile returned by the audit query.
ALTER PROFILE DEFAULT LIMIT PASSWORD_LOCK_TIME 1;
3.3 Ensure 'PASSWORD_LIFE_TIME' Is Less than or Equal to '90' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The PASSWORD_LIFE_TIME setting determines how many days a password may be used before the user is required to change it.
Rationale:
As allowing passwords to remain unchanged for long periods makes the success of brute-force login attacks more likely, and leaves a password that has already been disclosed usable indefinitely, this value should be set according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PROFILE, RESOURCE_NAME, LIMIT
  FROM DBA_PROFILES
 WHERE RESOURCE_NAME = 'PASSWORD_LIFE_TIME'
   AND ( LIMIT = 'DEFAULT' OR LIMIT = 'UNLIMITED' OR LIMIT > 90 );
Lack of results implies compliance.
Remediation:
Remediate this setting by executing the following SQL statement, and repeat it for each other profile returned by the audit query.
ALTER PROFILE DEFAULT LIMIT PASSWORD_LIFE_TIME 90;
3.4 Ensure 'PASSWORD_REUSE_MAX' Is Greater than or Equal to '20' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The PASSWORD_REUSE_MAX setting determines how many different passwords must be used before the user is allowed to reuse a prior password. It works together with PASSWORD_REUSE_TIME (3.5): with an integer for both, a password can be reused only after it has been changed PASSWORD_REUSE_MAX times and PASSWORD_REUSE_TIME days have passed; if both are UNLIMITED, neither is enforced.
Rationale:
As allowing reuse of a password within a short period of time after the password's initial use can make the success of both social-engineering and brute-force password-based attacks more likely, this value should be set according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PROFILE, RESOURCE_NAME, LIMIT
  FROM DBA_PROFILES
 WHERE RESOURCE_NAME = 'PASSWORD_REUSE_MAX'
   AND ( LIMIT = 'DEFAULT' OR LIMIT = 'UNLIMITED' OR LIMIT < 20 );
Lack of results implies compliance.
Remediation:
Remediate this setting by executing the following SQL statement, and repeat it for each other profile returned by the audit query.
ALTER PROFILE DEFAULT LIMIT PASSWORD_REUSE_MAX 20;
3.5 Ensure 'PASSWORD_REUSE_TIME' Is Greater than or Equal to '365' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The PASSWORD_REUSE_TIME setting determines the number of days that must pass before the same password may be reused (see 3.4 for how it combines with PASSWORD_REUSE_MAX).
Rationale:
As reusing the same password after only a short period of time makes the success of brute-force login attacks more likely, this value should be set according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PROFILE, RESOURCE_NAME, LIMIT
  FROM DBA_PROFILES
 WHERE RESOURCE_NAME = 'PASSWORD_REUSE_TIME'
   AND ( LIMIT = 'DEFAULT' OR LIMIT = 'UNLIMITED' OR LIMIT < 365 );
Lack of results implies compliance.
Remediation:
Remediate this setting by executing the following SQL statement, and repeat it for each other profile returned by the audit query.
ALTER PROFILE DEFAULT LIMIT PASSWORD_REUSE_TIME 365;
3.6 Ensure 'PASSWORD_GRACE_TIME' Is Less than or Equal to '5' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The PASSWORD_GRACE_TIME setting determines how many days can pass after the user's password expires before the user's login capability is automatically locked out.
Rationale:
As locking the user account after the expiration of the password change grace period helps prevent password-based attacks against forgotten or disused accounts, while still allowing the account and its information to be made accessible again by DBA intervention, this value should be set according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PROFILE, RESOURCE_NAME, LIMIT
  FROM DBA_PROFILES
 WHERE RESOURCE_NAME = 'PASSWORD_GRACE_TIME'
   AND ( LIMIT = 'DEFAULT' OR LIMIT = 'UNLIMITED' OR LIMIT > 5 );
Lack of results implies compliance.
Remediation:
Remediate this setting by executing the following SQL statement, and repeat it for each other profile returned by the audit query.
ALTER PROFILE DEFAULT LIMIT PASSWORD_GRACE_TIME 5;
3.7 Ensure 'DBA_USERS.PASSWORD' Is Not Set to 'EXTERNAL' for Any User (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
A user whose DBA_USERS.PASSWORD column shows EXTERNAL was created IDENTIFIED EXTERNALLY: it is authenticated outside the database, by the operating system or an external authentication service, rather than by a database password, and then has full access to its database privileges.
Rationale:
As allowing external authentication of a user to the database can let supposedly "privileged users" connect as "authenticated" even when the system doing the authentication (for example a remote client) is compromised, these logins should be disabled/restricted according to the needs of the organization. Any account that must remain externally authenticated (such as a local OS-authenticated batch account) should be individually justified, and REMOTE_OS_AUTHENT (2.2.9) must be FALSE so that only the server's own OS can vouch for it.
Audit:
To assess this recommendation execute the following SQL statement.
SELECT USERNAME FROM DBA_USERS WHERE PASSWORD='EXTERNAL';
Lack of results implies compliance.
Remediation:
To remediate this setting execute the following SQL statement for each user returned, which switches the account to database password authentication.
ALTER USER <username> IDENTIFIED BY <password>;
3.8 Ensure 'PASSWORD_VERIFY_FUNCTION' Is Set for All Profiles (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The PASSWORD_VERIFY_FUNCTION profile limit names a PL/SQL function that enforces password composition requirements whenever a user's password is set or changed at the SQL command prompt. This setting does not apply to users managed by the Oracle password file.
Rationale:
As requiring users to apply the 11gR2 security features in password creation, such as forcing mixed-case complexity, the blocking of simple combinations, and change/history settings, can potentially thwart logins by unauthorized users, this function should be applied/enabled according to the needs of the organization.
Audit:
To assess this recommendation execute the following SQL statement.
SELECT PROFILE, RESOURCE_NAME
  FROM DBA_PROFILES
 WHERE RESOURCE_NAME = 'PASSWORD_VERIFY_FUNCTION'
   AND ( LIMIT = 'DEFAULT' OR LIMIT = 'NULL' );
Lack of results implies compliance.
Remediation:
Create a custom password verification function which fulfills the password requirements of the organization, and assign it to every profile with ALTER PROFILE ... LIMIT PASSWORD_VERIFY_FUNCTION. From the Oracle documentation: Oracle Database provides a sample password verification function in the PL/SQL script UTLPWDMG.SQL (located in ORACLE_BASE/ORACLE_HOME/RDBMS/ADMIN) that, when enabled, checks whether users are correctly creating or modifying their passwords. The UTLPWDMG.SQL script provides two password verification functions: one for previous releases of Oracle Database and an updated version for Oracle Database Release 11g.
http://docs.oracle.com/cd/E25054_01/network.1111/e16543/authentication.htm
3.9 Ensure 'SESSIONS_PER_USER' Is Less than or Equal to '10' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The SESSIONS_PER_USER setting (number of sessions allowed) determines the maximum number of sessions a user is allowed to have open concurrently. As a resource limit, it is only enforced when RESOURCE_LIMIT (2.2.19) is TRUE.
Rationale:
As limiting SESSIONS_PER_USER can help prevent memory resource exhaustion by poorly formed requests or intentional Denial-of-Service attacks, this value should be set according to the needs of the organization. Application accounts that use connection pools need a limit sized to the pool, which is one reason such accounts should carry their own profile rather than DEFAULT.
Audit:
To assess this recommendation execute the following SQL statement.
SELECT PROFILE, RESOURCE_NAME, LIMIT
  FROM DBA_PROFILES
 WHERE RESOURCE_NAME = 'SESSIONS_PER_USER'
   AND ( LIMIT = 'DEFAULT' OR LIMIT = 'UNLIMITED' OR LIMIT > 10 );
Lack of results implies compliance.
Remediation:
To remediate this setting execute the following SQL statement, and repeat it for each other profile returned by the audit query.
ALTER PROFILE DEFAULT LIMIT SESSIONS_PER_USER 10;
3.10 Ensure No Users Are Assigned the 'DEFAULT' Profile (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
Upon creation, database users are assigned to the DEFAULT profile unless otherwise specified.
Rationale:
It is recommended that users be created with function-appropriate profiles. The DEFAULT profile, being defined by Oracle, is subject to change at any time (e.g. by a patch or version update). The DEFAULT profile has unlimited settings that are often required by the SYS user when patching; such unlimited settings should be tightly reserved and not applied to unnecessary users.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT USERNAME
  FROM DBA_USERS
 WHERE PROFILE = 'DEFAULT'
   AND ACCOUNT_STATUS = 'OPEN'
   AND USERNAME NOT IN ('ANONYMOUS', 'CTXSYS', 'DBSNMP', 'EXFSYS', 'LBACSYS', 'MDSYS',
                        'MGMT_VIEW', 'OLAPSYS', 'OWBSYS', 'ORDPLUGINS', 'ORDSYS', 'OUTLN',
                        'SI_INFORMTN_SCHEMA', 'SYS', 'SYSMAN', 'SYSTEM', 'TSMSYS', 'WK_TEST',
                        'WKSYS', 'WKPROXY', 'WMSYS', 'XDB', 'CISSCAN');
Lack of results implies compliance.
Remediation:
To remediate this recommendation execute the following SQL statement for each user returned by the audit query, using a function-appropriate profile.
ALTER USER <username> PROFILE <appropriate_profile>;
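Section 3 asks for the same limits on every profile and for users to be moved off DEFAULT. The following script is an added example written for this page, not part of the CIS benchmark: it creates one profile that carries every section 3 limit, assigns it to an application account, and then audits all profiles in a single query. The profile name APP_USERS and the user APP_OWNER are assumptions, and the script assumes $ORACLE_HOME/rdbms/admin/utlpwdmg.sql has already been run as SYS so that Oracle's sample function VERIFY_FUNCTION_11G exists (3.8). The audit differs from the per-resource queries above in one respect worth knowing: DBA_PROFILES.LIMIT is a VARCHAR2, and the OR-based form LIMIT = 'UNLIMITED' OR LIMIT > 5 can raise ORA-01722 (invalid number) when Oracle happens to evaluate the numeric comparison first on an UNLIMITED or DEFAULT row; a CASE expression evaluates its branches in order, so the string values are classified before TO_NUMBER is reached.

```sql
-- Added example for section 3 (not from the CIS benchmark).
-- One profile with every recommended limit (3.1 to 3.6, 3.8, 3.9).
CREATE PROFILE app_users LIMIT
  FAILED_LOGIN_ATTEMPTS    5
  PASSWORD_LOCK_TIME       1
  PASSWORD_LIFE_TIME       90
  PASSWORD_REUSE_MAX       20
  PASSWORD_REUSE_TIME      365
  PASSWORD_GRACE_TIME      5
  SESSIONS_PER_USER        10
  PASSWORD_VERIFY_FUNCTION verify_function_11g;

-- 3.10: application accounts get a function-appropriate profile, not DEFAULT.
ALTER USER app_owner PROFILE app_users;

-- Audit every profile against the section 3 bounds in one pass.
-- bounds: resource, whether the number is a maximum or a minimum, and the value.
WITH bounds AS (
  SELECT 'FAILED_LOGIN_ATTEMPTS' AS resource_name, 'MAX' AS kind,   5 AS bound FROM dual UNION ALL
  SELECT 'PASSWORD_LOCK_TIME',                      'MIN',   1          FROM dual UNION ALL
  SELECT 'PASSWORD_LIFE_TIME',                      'MAX',  90          FROM dual UNION ALL
  SELECT 'PASSWORD_REUSE_MAX',                      'MIN',  20          FROM dual UNION ALL
  SELECT 'PASSWORD_REUSE_TIME',                     'MIN', 365          FROM dual UNION ALL
  SELECT 'PASSWORD_GRACE_TIME',                     'MAX',   5          FROM dual UNION ALL
  SELECT 'S'||'ESSIONS_PER_USER',                   'MAX',  10          FROM dual
)
SELECT p.profile, p.resource_name, p.limit,
       CASE
         -- string limits are classified first, so TO_NUMBER never sees them
         WHEN p.limit IN ('DEFAULT', 'UNLIMITED')              THEN 'FAIL'
         WHEN b.kind = 'MAX' AND TO_NUMBER(p.limit) <= b.bound THEN 'PASS'
         WHEN b.kind = 'MIN' AND TO_NUMBER(p.limit) >= b.bound THEN 'PASS'
         ELSE 'FAIL'
       END AS status
  FROM dba_profiles p
  JOIN bounds b ON b.resource_name = p.resource_name
UNION ALL
-- 3.8: a verify function must be named explicitly on every profile
SELECT profile, resource_name, limit,
       CASE WHEN limit IN ('DEFAULT', 'NULL') THEN 'FAIL' ELSE 'PASS' END
  FROM dba_profiles
 WHERE resource_name = 'PASSWORD_VERIFY_FUNCTION'
 ORDER BY 1, 2;
```

The 'S'||'ESSIONS_PER_USER' concatenation is only there so that the resource name is still spelled out unchanged by tools that rewrite reserved words; it evaluates to the plain string. Every row should read PASS once the DEFAULT profile and each custom profile have been altered as in 3.1 to 3.9; a profile that still shows DEFAULT for a limit inherits whatever the DEFAULT profile holds at that moment, which is exactly the dependency the section's introduction warns against.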
4 Oracle User Access and Authorization Restrictions
The capability to use database resources at a given level, or user authorization rules, allows for user manipulation of the various parts of the Oracle database. These authorizations must be structured to block unauthorized use and/or corruption of vital data and services by setting restrictions on user capabilities, particularly those of the user PUBLIC. Such security measures help to ensure that successful logins cannot be easily redirected.
IMPORTANT: Use caution when revoking privileges from PUBLIC. Oracle and third-party products explicitly require default grants to PUBLIC for commonly used functions, objects, and in view definitions. After revoking any privilege from PUBLIC, verify that applications keep running properly. After revoking privileges from PUBLIC, recompile invalid database objects. Specific grants to users and roles may be needed to make all objects valid. Please see the following Oracle support document, which provides further information and SQL statements that can be used to determine dependencies that require explicit grants: Be Cautious When Revoking Privileges Granted to PUBLIC (Doc ID 247093.1). Always test database changes in Development and Test environments before making changes to Production databases.
4.1 Default Public Privileges for Packages and Object Types
Revoke default public execute privileges from powerful packages and object types.
4.1.1 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_ADVISOR' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The Oracle database DBMS_ADVISOR package can be used to write files located on the server where the Oracle instance is installed.
Rationale:
As use of the DBMS_ADVISOR package could allow an unauthorized user to corrupt operating system files on the instance's host, use of this package should be restricted according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_ADVISOR';
The assessment fails if results are returned.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE EXECUTE ON DBMS_ADVISOR FROM PUBLIC;
References:
1. http://docs.oracle.com/cd/E11882_01/appdev.112/e25788/d_advis.htm
4.1.2 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_CRYPTO' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The DBMS_CRYPTO settings provide a toolset that determines the strength of the encryption algorithm used to encrypt application data and is part of the SYS schema. The DES (56-bit key), 3DES (168-bit key), 3DES-2KEY (112-bit key), AES (128/192/256-bit keys), and RC4 are available.
Rationale:
As execution of these cryptography procedures by the user PUBLIC can potentially endanger portions of or all of the data storage, this value should be set according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND TABLE_NAME='DBMS_CRYPTO';
The assessment fails if results are returned.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE EXECUTE ON DBMS_CRYPTO FROM PUBLIC;
References:
1. http://docs.oracle.com/cd/E11882_01/appdev.112/e25788/d_crypto.htm#ARPLS664
4.1.3 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_JAVA' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The Oracle database DBMS_JAVA package can run Java classes (e.g. OS commands) or grant Java privileges.
Rationale:
The DBMS_JAVA package could allow an attacker to run operating system commands from the database.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_JAVA';
The assessment fails if results are returned.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE EXECUTE ON DBMS_JAVA FROM PUBLIC;
References:
1. http://docs.oracle.com/cd/E11882_01/java.112/e10588/appendixa.htm#JJDEV13000
4.1.4 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_JAVA_TEST' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The Oracle database DBMS_JAVA_TEST package can run Java classes (e.g. OS commands) or grant Java privileges.
Rationale:
The DBMS_JAVA_TEST package could allow an attacker to run operating system commands from the database.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_JAVA_TEST';
The assessment fails if results are returned.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE EXECUTE ON DBMS_JAVA_TEST FROM PUBLIC;
References:
1. http://www.databasesecurity.com/HackingAurora.pdf
4.1.5 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_JOB' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The Oracle database DBMS_JOB package schedules and manages the jobs sent to the job queue. It has been superseded by the DBMS_SCHEDULER package, even though DBMS_JOB has been retained for backwards compatibility.
Rationale:
As use of the DBMS_JOB package could allow an unauthorized user to disable or overload the job queue, and the package has been superseded by DBMS_SCHEDULER, this package should be disabled or restricted according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_JOB';
The assessment fails if results are returned.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE EXECUTE ON DBMS_JOB FROM PUBLIC;
Impact:
Use caution when revoking privileges from PUBLIC. After revoking privileges from PUBLIC, recompile any invalid database objects. Specific grants to users and roles may be needed to make objects valid. See the IMPORTANT information at the start of this section for more details.
References:
1. http://docs.oracle.com/cd/E11882_01/appdev.112/e25788/d_job.htm
4.1.6 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_LDAP' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The Oracle database DBMS_LDAP package contains functions and procedures that enable programmers to access data from LDAP servers.
Rationale:
The DBMS_LDAP package can be used to create specially crafted error messages or to send information via DNS to the outside.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_LDAP';
The assessment fails if results are returned.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE EXECUTE ON DBMS_LDAP FROM PUBLIC;
References:
1. http://docs.oracle.com/cd/E23943_01/oid.1111/e10186/dbmsldap_ref.htm#OIMAD009
4.1.7 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_LOB' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The Oracle database DBMS_LOB package provides subprograms that can manipulate and read/write BLOBs, CLOBs, NCLOBs, BFILEs, and temporary LOBs.
Rationale:
As use of the DBMS_LOB package could allow an unauthorized user to manipulate BLOBs, CLOBs, NCLOBs, BFILEs, and temporary LOBs on the instance, either destroying data or causing a Denial-of-Service condition due to corruption of disk space, use of this package should be restricted according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_LOB';
The assessment fails if results are returned.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE EXECUTE ON DBMS_LOB FROM PUBLIC;
Impact:
Use caution when revoking privileges from PUBLIC. After revoking privileges from PUBLIC, recompile any invalid database objects. Specific grants to users and roles may be needed to make objects valid. See the IMPORTANT information at the start of this section for more details.
References:
1. http://docs.oracle.com/cd/E11882_01/appdev.112/e25788/d_lob.htm
4.1.8 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_OBFUSCATION_TOOLKIT' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The DBMS_OBFUSCATION_TOOLKIT settings provide one of the tools that determine the strength of the encryption algorithm used to encrypt application data and is part of the SYS schema. DES (56-bit key) and 3DES (168-bit key) are the only two types available.
Rationale:
As allowing the PUBLIC user privileges to access this capability can potentially harm the data storage, this access should be set according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_OBFUSCATION_TOOLKIT';
The assessment fails if results are returned.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE EXECUTE ON DBMS_OBFUSCATION_TOOLKIT FROM PUBLIC;
Impact:
Use caution when revoking privileges from PUBLIC. After revoking privileges from PUBLIC, recompile any invalid database objects. Specific grants to users and roles may be needed to make objects valid. See the IMPORTANT information at the start of this section for more details.
References:
1. http://docs.oracle.com/cd/E11882_01/appdev.112/e25788/d_obtool.htm#ARPLS028
4.1.9 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_RANDOM' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The Oracle database DBMS_RANDOM package is used for generating random numbers but should not be used for cryptographic purposes.
Rationale:
As assignment of use of the DBMS_RANDOM package can allow the unauthorized application of the random number-generating function, this capability should be restricted according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_RANDOM';
The assessment fails if results are returned.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE EXECUTE ON DBMS_RANDOM FROM PUBLIC;
Impact:
Use caution when revoking privileges from PUBLIC. After revoking privileges from PUBLIC, recompile any invalid database objects. Specific grants to users and roles may be needed to make objects valid. See the IMPORTANT information at the start of this section for more details.
References:
1. http://docs.oracle.com/cd/E11882_01/appdev.112/e25788/d_random.htm
4.1.10 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_SCHEDULER' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The Oracle database DBMS_SCHEDULER package schedules and manages database and operating system jobs.
Rationale:
Use of the DBMS_SCHEDULER package could allow an unauthorized user to run database or operating system jobs.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_SCHEDULER';
The assessment fails if results are returned.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE EXECUTE ON DBMS_SCHEDULER FROM PUBLIC;
Impact:
Use caution when revoking privileges from PUBLIC. After revoking privileges from PUBLIC, recompile any invalid database objects. Specific grants to users and roles may be needed to make objects valid. See the IMPORTANT information at the start of this section for more details.
References:
1. http://docs.oracle.com/cd/E11882_01/appdev.112/e25788/d_sched.htm
4.1.11 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_SQL' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The Oracle database DBMS_SQL package is used for running dynamic SQL statements.
Rationale:
The DBMS_SQL package could allow privilege escalation if input validation is not done properly.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_SQL';
The assessment fails if results are returned.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE EXECUTE ON DBMS_SQL FROM PUBLIC;
Impact:
Use caution when revoking privileges from PUBLIC. After revoking privileges from PUBLIC, recompile any invalid database objects. Specific grants to users and roles may be needed to make objects valid. See the IMPORTANT information at the start of this section for more details.
References:
1. http://docs.oracle.com/cd/E11882_01/appdev.112/e25788/d_sql.htm
4.1.12 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_XMLGEN' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The DBMS_XMLGEN package takes an arbitrary SQL query as input, converts it to XML format, and returns the result as a CLOB.
Rationale:
The package DBMS_XMLGEN can be used to search the entire database for critical information like credit card numbers and other sensitive information.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_XMLGEN';
The assessment fails if results are returned.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE EXECUTE ON DBMS_XMLGEN FROM PUBLIC;
Impact:
Use caution when revoking privileges from PUBLIC. After revoking privileges from PUBLIC, recompile any invalid database objects. Specific grants to users and roles may be needed to make objects valid. See the IMPORTANT information at the start of this section for more details.
References:
1. http://docs.oracle.com/cd/E11882_01/appdev.112/e25788/d_xmlgen.htm
2. http://www.red-database-security.com/wp/confidence2009.pdf
4.1.13 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_XMLQUERY' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The Oracle package DBMS_XMLQUERY takes an arbitrary SQL query, converts it to XML format, and returns the result. This package is similar to DBMS_XMLGEN.
Rationale:
The package DBMS_XMLQUERY can be used to search the entire database for critical information like credit card numbers and other sensitive information.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_XMLQUERY';
The assessment fails if results are returned.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE EXECUTE ON DBMS_XMLQUERY FROM PUBLIC;
References:
1. http://docs.oracle.com/cd/E11882_01/appdev.112/e25788/d_xmlque.htm
4.1.14 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_FILE' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The Oracle database UTL_FILE package can be used to read/write files located on the server where the Oracle instance is installed.
Rationale:
Use of the UTL_FILE package could allow a user to read files at the operating system level. These files could contain sensitive information (e.g. passwords in .bash_history).
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='UTL_FILE';
The assessment fails if results are returned.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE EXECUTE ON UTL_FILE FROM PUBLIC;
Impact:
Use caution when revoking privileges from PUBLIC. After revoking privileges from PUBLIC, recompile any invalid database objects. Specific grants to users and roles may be needed to make objects valid. See the IMPORTANT information at the start of this section for more details.
References:
1. http://docs.oracle.com/cd/E11882_01/appdev.112/e25788/u_file.htm#ARPLS70896
4.1.15 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_INADDR' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The Oracle database UTL_INADDR package can be used to create specially crafted error messages or to send information via DNS to the outside.
Rationale:
As the UTL_INADDR package is often used in SQL injection attacks from the web, EXECUTE on it should be revoked from PUBLIC.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='UTL_INADDR';
The assessment fails if results are returned.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE EXECUTE ON UTL_INADDR FROM PUBLIC;
References:
1. http://docs.oracle.com/cd/E11882_01/appdev.112/e25788/u_inaddr.htm
4.1.16 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_TCP' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The Oracle database UTL_TCP package can be used to read/write data to TCP sockets on the server where the Oracle instance is installed.
Rationale:
As use of the UTL_TCP package could allow an unauthorized user to corrupt the TCP stream used to carry the protocols that make up the instance's external communications, use of this package should be restricted according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='UTL_TCP';
The assessment fails if results are returned.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE EXECUTE ON UTL_TCP FROM PUBLIC;
References:
1. http://docs.oracle.com/cd/E11882_01/appdev.112/e25788/u_tcp.htm#ARPLS71533
4.1.17 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_MAIL' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The Oracle database UTL_MAIL package can be used to send email from the server where the Oracle instance is installed.
Rationale:
As use of the UTL_MAIL package could allow an unauthorized user to corrupt the SMTP function to accept or generate junk mail that can result in a Denial-of-Service condition due to network saturation, use of this package should be restricted according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='UTL_MAIL';
The assessment fails if results are returned.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE EXECUTE ON UTL_MAIL FROM PUBLIC;
References:
1. http://docs.oracle.com/cd/E11882_01/appdev.112/e25788/u_mail.htm
4.1.18 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_SMTP' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The Oracle database UTL_SMTP package can be used to send email from the server where the Oracle instance is installed.
Rationale:
As use of the UTL_SMTP package could allow an unauthorized user to corrupt the SMTP function to accept or generate junk mail that can result in a Denial-of-Service condition due to network saturation, use of this package should be restricted according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='UTL_SMTP';
The assessment fails if results are returned.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE EXECUTE ON UTL_SMTP FROM PUBLIC;
References:
1. http://docs.oracle.com/cd/E11882_01/appdev.112/e25788/u_smtp.htm
4.1.19 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_DBWS' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The Oracle database UTL_DBWS package can be used to read/write data to web-based applications from the server where the Oracle instance is installed.
Rationale:
As use of the UTL_DBWS package could allow an unauthorized user to corrupt the HTTP stream used to carry the protocols that make up the instance's web-based external communications, use of this package should be restricted according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='UTL_DBWS';
The assessment fails if results are returned.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE EXECUTE ON UTL_DBWS FROM PUBLIC;
References:
1. http://docs.oracle.com/cd/B19306_01/appdev.102/b14258/u_dbws.htm
4.1.20 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_ORAMTS' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The Oracle database UTL_ORAMTS package can be used to perform HTTP requests. This could be used to send information to the outside.
Rationale:
As the UTL_ORAMTS package could be used to send (sensitive) information to external websites, the use of this package should be restricted according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='UTL_ORAMTS';
The assessment fails if results are returned.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE EXECUTE ON UTL_ORAMTS FROM PUBLIC;
References:
1. http://docs.oracle.com/cd/E11882_01/win.112/e26104/recovery.htm#NTMTS139
4.1.21 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_HTTP' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The Oracle database UTL_HTTP package can be used to perform HTTP requests. This could be used to send information to the outside.
Rationale:
As the UTL_HTTP package could be used to send (sensitive) information to external websites, the use of this package should be restricted according to the needs of the organization.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='UTL_HTTP';
The assessment fails if results are returned.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE EXECUTE ON UTL_HTTP FROM PUBLIC;
Impact:
Use caution when revoking privileges from PUBLIC. After revoking privileges from PUBLIC, recompile any invalid database objects. Specific grants to users and roles may be needed to make objects valid. See the IMPORTANT information at the start of this section for more details.
References:
1. http://docs.oracle.com/cd/E11882_01/appdev.112/e25788/u_http.htm
4.1.22 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'HTTPURITYPE' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The Oracle database HTTPURITYPE object type can be used to perform HTTP requests.
Rationale:
The ability to perform HTTP requests could be used to leak information from the database to an external destination.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='HTTPURITYPE';
The assessment fails if results are returned.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE EXECUTE ON HTTPURITYPE FROM PUBLIC;
References:
1. http://docs.oracle.com/cd/E11882_01/appdev.112/e25788/t_dburi.htm#ARPLS71705
4.2 Revoke Non-Default Privileges for Packages and Object Types
The recommendations within this section revoke excessive privileges for packages and object types.
4.2.1 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_SYS_SQL' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The Oracle database DBMS_SYS_SQL package is shipped as undocumented.
Rationale:
Use of the DBMS_SYS_SQL package could allow a user to run code as a different user without entering that user's credentials.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_SYS_SQL';
The assessment fails if results are returned.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE EXECUTE ON DBMS_SYS_SQL FROM PUBLIC;
References:
1. http://docs.oracle.com/cd/E11882_01/network.112/e16543/guidelines.htm#DBSEG499
2. http://asktom.oracle.com/pls/asktom/f?p=100:11:0::::P11_QUESTION_ID:1325202421535
4.2.2 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_BACKUP_RESTORE' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The Oracle database DBMS_BACKUP_RESTORE package is used for applying PL/SQL commands to the native RMAN sequences.
Rationale:
Use of the DBMS_BACKUP_RESTORE package can allow access to file permissions at the operating system level.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_BACKUP_RESTORE';
The assessment fails if results are returned.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE EXECUTE ON DBMS_BACKUP_RESTORE FROM PUBLIC;
References:
1. http://psoug.org/reference/dbms_backup_restore.html
2. http://davidalejomarcos.wordpress.com/2011/09/13/how-to-list-files-on-a-directory-from-oracle-database/
4.2.3 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_AQADM_SYSCALLS' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The Oracle database DBMS_AQADM_SYSCALLS package is shipped as undocumented and allows running SQL commands as user SYS.
Rationale:
Use of the DBMS_AQADM_SYSCALLS package could allow an unauthorized user to run SQL commands as user SYS.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_AQADM_SYSCALLS';
The assessment fails if results are returned.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE EXECUTE ON DBMS_AQADM_SYSCALLS FROM PUBLIC;
References:
1. http://www.databasesecurity.com/dbsec/ohh-indirect-privilege-escalation.pdf
4.2.4 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_REPCAT_SQL_UTL' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The Oracle database DBMS_REPCAT_SQL_UTL package is shipped as undocumented and allows running SQL commands as user SYS.
Rationale:
Use of the DBMS_REPCAT_SQL_UTL package could allow an unauthorized user to run SQL commands as user SYS.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_REPCAT_SQL_UTL';
The assessment fails if results are returned.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE EXECUTE ON DBMS_REPCAT_SQL_UTL FROM PUBLIC;
References:
1. http://www.databasesecurity.com/dbsec/ohh-indirect-privilege-escalation.pdf
4.2.5 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'INITJVMAUX' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The Oracle database INITJVMAUX package is shipped as undocumented and allows running SQL commands as user SYS.
Rationale:
Use of the INITJVMAUX package could allow an unauthorized user to run SQL commands as user SYS.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='INITJVMAUX';
The assessment fails if results are returned.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE EXECUTE ON INITJVMAUX FROM PUBLIC;
References:
1. http://www.databasesecurity.com/dbsec/ohh-indirect-privilege-escalation.pdf
4.2.6 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_STREAMS_ADM_UTL' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The Oracle database DBMS_STREAMS_ADM_UTL package is shipped as undocumented and allows running SQL commands as user SYS.
Rationale:
Use of the DBMS_STREAMS_ADM_UTL package could allow an unauthorized user to run SQL commands as user SYS.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_STREAMS_ADM_UTL';
The assessment fails if results are returned.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE EXECUTE ON DBMS_STREAMS_ADM_UTL FROM PUBLIC;
References:
1. http://www.databasesecurity.com/dbsec/ohh-indirect-privilege-escalation.pdf
4.2.7 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_AQADM_SYS' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The Oracle database DBMS_AQADM_SYS package is shipped as undocumented and allows running SQL commands as user SYS.
Rationale:
Use of the DBMS_AQADM_SYS package could allow an unauthorized user to run SQL commands as user SYS.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_AQADM_SYS';
The assessment fails if results are returned.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE EXECUTE ON DBMS_AQADM_SYS FROM PUBLIC;
References:
1. http://www.google.de/#hl=de&safe=off&sclient=psy-ab&q=DBMS_STREAMS_ADM_UTL&oq=DBMS_STREAMS_ADM_UTL&gs_l=serp.3..0i10i30.38260.38260.0.38463.1.1.0.0.0.0.105.105.0j1.1.0...0.0...1c.2.1-46wqcQeow&pbx=1&bav=on.2,or.r_gc.r_pw.r_cp.r_qf.&fp=2569366ac9a6532d&bpc
4.2.8 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_STREAMS_RPC' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The Oracle database DBMS_STREAMS_RPC package is shipped as undocumented and allows running SQL commands as user SYS.
Rationale:
Use of the DBMS_STREAMS_RPC package could allow an unauthorized user to run SQL commands as user SYS.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_STREAMS_RPC';
The assessment fails if results are returned.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE EXECUTE ON DBMS_STREAMS_RPC FROM PUBLIC;
References:
1. http://www.databasesecurity.com/dbsec/ohh-indirect-privilege-escalation.pdf
4.2.9 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_PRVTAQIM' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The Oracle database DBMS_PRVTAQIM package is shipped as undocumented and allows running SQL commands as user SYS.
Rationale:
Use of the DBMS_PRVTAQIM package could allow an unauthorized user to escalate privileges, because any SQL statement could be executed as user SYS.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_PRVTAQIM';
The assessment fails if results are returned.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE EXECUTE ON DBMS_PRVTAQIM FROM PUBLIC;
References:
1. http://www.databasesecurity.com/dbsec/ohh-indirect-privilege-escalation.pdf
4.2.10 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'LTADM' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The Oracle database LTADM package is shipped as undocumented and allows privilege escalation if granted to unprivileged users.
Rationale:
Use of the LTADM package could allow an unauthorized user to run any SQL command as user SYS.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='LTADM';
The assessment fails if results are returned.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE EXECUTE ON LTADM FROM PUBLIC;
References:
1. http://www.databasesecurity.com/dbsec/ohh-indirect-privilege-escalation.pdf
4.2.11 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'WWV_DBMS_SQL' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The Oracle database WWV_DBMS_SQL package is shipped as undocumented and allows Oracle Application Express to run dynamic SQL statements.
Rationale:
Use of the WWV_DBMS_SQL package could allow an unauthorized user to run SQL statements as the Application Express (APEX) user.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='WWV_DBMS_SQL';
The assessment fails if results are returned.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE EXECUTE ON WWV_DBMS_SQL FROM PUBLIC;
References:
1. http://docs.oracle.com/cd/E11882_01/install.112/e12196/trouble.htm#HTMIG267
4.2.12 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'WWV_EXECUTE_IMMEDIATE' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The Oracle database WWV_EXECUTE_IMMEDIATE package is shipped as undocumented and allows Oracle Application Express to run dynamic SQL statements.
Rationale:
Use of the WWV_EXECUTE_IMMEDIATE package could allow an unauthorized user to run SQL statements as the Application Express (APEX) user.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='WWV_EXECUTE_IMMEDIATE';
The assessment fails if results are returned.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE EXECUTE ON WWV_EXECUTE_IMMEDIATE FROM PUBLIC;
References:
1. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-1811
2. https://forums.oracle.com/forums/thread.jspa?threadID=953790
4.2.13 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_IJOB' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The Oracle database DBMS_IJOB package is shipped as undocumented and allows running database jobs in the context of another user.
Rationale:
Use of the DBMS_IJOB package could allow an attacker to change identities by using a different username to execute a database job.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_IJOB';
The assessment fails if results are returned.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE EXECUTE ON DBMS_IJOB FROM PUBLIC;
4.2.14 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_FILE_TRANSFER' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The Oracle database DBMS_FILE_TRANSFER package allows transferring files from one database server to another.
Rationale:
Use of the DBMS_FILE_TRANSFER package could allow an unauthorized user to transfer files from one database server to another.
Audit:
To assess this recommendation, execute the following SQL statement.
SELECT PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_FILE_TRANSFER';
The assessment fails if results are returned.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE EXECUTE ON DBMS_FILE_TRANSFER FROM PUBLIC;
References:
1. http://docs.oracle.com/cd/E11882_01/appdev.112/e25788/d_ftran.htm#ARPLS095
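Sections 4.1 and 4.2 each audit one package with the same query shape. The following PL/SQL block is an added example, not part of the benchmark, that runs all of those checks in one pass and prints the matching REVOKE for every grant it finds; it only reads DBA_TAB_PRIVS and changes nothing. It assumes SQL*Plus (for SET SERVEROUTPUT) and SELECT access to DBA_TAB_PRIVS.

```sql
SET SERVEROUTPUT ON SIZE UNLIMITED
DECLARE
  TYPE name_list IS TABLE OF VARCHAR2(128);
  -- Packages and object types from section 4.1 (default grants) followed by
  -- section 4.2 (non-default grants), in the order the benchmark lists them.
  l_pkgs CONSTANT name_list := name_list(
    'DBMS_ADVISOR', 'DBMS_CRYPTO', 'DBMS_JAVA', 'DBMS_JAVA_TEST', 'DBMS_JOB',
    'DBMS_LDAP', 'DBMS_LOB', 'DBMS_OBFUSCATION_TOOLKIT', 'DBMS_RANDOM',
    'DBMS_SCHEDULER', 'DBMS_SQL', 'DBMS_XMLGEN', 'DBMS_XMLQUERY', 'UTL_FILE',
    'UTL_INADDR', 'UTL_TCP', 'UTL_MAIL', 'UTL_SMTP', 'UTL_DBWS', 'UTL_ORAMTS',
    'UTL_HTTP', 'HTTPURITYPE',
    'DBMS_SYS_SQL', 'DBMS_BACKUP_RESTORE', 'DBMS_AQADM_SYSCALLS',
    'DBMS_REPCAT_SQL_UTL', 'INITJVMAUX', 'DBMS_STREAMS_ADM_UTL',
    'DBMS_AQADM_SYS', 'DBMS_STREAMS_RPC', 'DBMS_PRVTAQIM', 'LTADM',
    'WWV_DBMS_SQL', 'WWV_EXECUTE_IMMEDIATE', 'DBMS_IJOB', 'DBMS_FILE_TRANSFER');
  l_findings PLS_INTEGER := 0;
BEGIN
  FOR i IN 1 .. l_pkgs.COUNT LOOP
    -- Same predicate as the individual audit queries: an EXECUTE object
    -- privilege whose grantee is PUBLIC. The owner is not filtered, because
    -- the APEX packages (WWV_*) live in the APEX schema rather than in SYS.
    FOR r IN (SELECT owner, table_name, grantor
                FROM dba_tab_privs
               WHERE grantee    = 'PUBLIC'
                 AND privilege  = 'EXECUTE'
                 AND table_name = l_pkgs(i))
    LOOP
      l_findings := l_findings + 1;
      DBMS_OUTPUT.PUT_LINE('FAIL: PUBLIC has EXECUTE on ' || r.owner || '.'
                           || r.table_name || ' (granted by ' || r.grantor || ')');
      -- Emit the remediation statement; review the dependency check from the
      -- section introduction before running it.
      DBMS_OUTPUT.PUT_LINE('  REVOKE EXECUTE ON ' || r.owner || '.'
                           || r.table_name || ' FROM PUBLIC;');
    END LOOP;
  END LOOP;
  DBMS_OUTPUT.PUT_LINE(l_findings || ' package(s) still executable by PUBLIC.');
END;
/
```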
4.3 Revoke Excessive System Privileges
The recommendations within this section revoke excessive system privileges.
4.3.1 Ensure 'SELECT_ANY_DICTIONARY' Is Revoked from Unauthorized 'GRANTEE' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The Oracle database SELECT ANY DICTIONARY privilege allows the designated user to access SYS schema objects.
Rationale:
The Oracle database SELECT ANY DICTIONARY privilege allows the designated user to access SYS schema objects. The Oracle password hashes are part of the SYS schema and can be selected using the SELECT ANY DICTIONARY privilege.
Audit:
To assess this recommendation execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='SELECT ANY DICTIONARY' AND GRANTEE NOT IN ('DBA','DBSNMP','OEM_MONITOR', 'OLAPSYS','ORACLE_OCM','SYSMAN','WMSYS');
Lack of results implies compliance.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE SELECT ANY DICTIONARY FROM <grantee>;
References:
1. http://docs.oracle.com/cd/E11882_01/network.112/e16543/authorization.htm#BABHFJFJ
2. http://docs.oracle.com/cd/E11882_01/server.112/e25513/initparams157.htm#REFRN10133
3. http://arup.blogspot.de/2011/07/difference-between-select-any.html
4.3.2 Ensure 'SELECT ANY TABLE' Is Revoked from Unauthorized 'GRANTEE' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The Oracle database SELECT ANY TABLE privilege allows the designated user to open any table, except those owned by SYS, to view it.
Rationale:
As assignment of the SELECT ANY TABLE privilege can allow the unauthorized viewing of sensitive data, this capability should be restricted according to the needs of the organization.
Audit:
To assess this recommendation execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='SELECT ANY TABLE' AND GRANTEE NOT IN ('DBA', 'MDSYS', 'SYS', 'IMP_FULL_DATABASE', 'EXP_FULL_DATABASE', 'DATAPUMP_IMP_FULL_DATABASE', 'WMSYS', 'SYSTEM','OLAP_DBA','OLAPSYS');
Lack of results implies compliance.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE SELECT ANY TABLE FROM <grantee>;
References:
1. http://docs.oracle.com/cd/E11882_01/server.112/e26088/statements_10002.htm#SQLRF01702
4.3.3 Ensure 'AUDIT SYSTEM' Is Revoked from Unauthorized 'GRANTEE' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The Oracle database AUDIT SYSTEM privilege allows the designated user to change auditing activities on the system.
Rationale:
As assignment of the AUDIT SYSTEM privilege can allow the unauthorized alteration of system audit activities, disabling the creation of audit trails, this capability should be restricted according to the needs of the organization.
Audit:
To assess this recommendation execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='AUDIT SYSTEM' AND GRANTEE NOT IN ('DBA','DATAPUMP_IMP_FULL_DATABASE','IMP_FULL_DATABASE','SYS');
Lack of results implies compliance.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE AUDIT SYSTEM FROM <grantee>;
References:
1. http://docs.oracle.com/cd/E11882_01/server.112/e26088/statements_4007.htm#SQLRF01107
4.3.4 Ensure 'EXEMPT ACCESS POLICY' Is Revoked from Unauthorized 'GRANTEE' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The Oracle database EXEMPT ACCESS POLICY keyword provides the user the capability to access all the table rows regardless of row-level security lockouts.
Rationale:
As assignment of the EXEMPT ACCESS POLICY privilege can allow an unauthorized user to potentially access/change confidential data, this capability should be restricted according to the needs of the organization.
Audit:
To assess this recommendation execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='EXEMPT ACCESS POLICY';
Lack of results implies compliance.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE EXEMPT ACCESS POLICY FROM <grantee>;
References:
1. http://docs.oracle.com/cd/E11882_01/network.112/e16543/auditing.htm#DBSEG419
2. http://docs.oracle.com/cd/E11882_01/network.112/e16543/vpd.htm#DBSEG309
4.3.5 Ensure 'BECOME USER' Is Revoked from Unauthorized 'GRANTEE' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The Oracle database BECOME USER privilege allows the designated user to inherit the rights of another user.
Rationale:
As assignment of the BECOME USER privilege can allow the unauthorized use of another user's privileges, this capability should be restricted according to the needs of the organization.
Audit:
To assess this recommendation execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='BECOME USER' AND GRANTEE NOT IN ('DBA','SYS','IMP_FULL_DATABASE');
Lack of results implies compliance.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE BECOME USER FROM <grantee>;
References:
1. http://docs.oracle.com/cd/B19306_01/network.102/b14266/cfgaudit.htm
4.3.6 Ensure 'CREATE_PROCEDURE' Is Revoked from Unauthorized 'GRANTEE' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The Oracle database CREATE PROCEDURE privilege allows the designated user to create a stored procedure that will fire when given the correct command sequence.
Rationale:
As assignment of the CREATE PROCEDURE privilege can lead to severe problems in unauthorized hands, such as rogue procedures facilitating data theft or Denial-of-Service by corrupting data tables, this capability should be restricted according to the needs of the organization.
Audit:
To assess this recommendation execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='CREATE PROCEDURE' AND GRANTEE NOT IN ( 'DBA','DBSNMP','MDSYS','OLAPSYS','OWB$CLIENT', 'OWBSYS','RECOVERY_CATALOG_OWNER','SPATIAL_CSW_ADMIN_USR', 'SPATIAL_WFS_ADMIN_USR','SYS','APEX_030200','APEX_040000', 'APEX_040100','APEX_040200','RESOURCE');
Lack of results implies compliance.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE CREATE PROCEDURE FROM <grantee>;
References:
1. http://docs.oracle.com/cd/E11882_01/server.112/e26088/statements_6009.htm#SQLRF01309
4.3.7 Ensure 'ALTER SYSTEM' Is Revoked from Unauthorized 'GRANTEE' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The Oracle database ALTER SYSTEM privilege allows the designated user to dynamically alter the instance's running operations.
Rationale:
As assignment of the ALTER SYSTEM privilege can lead to severe problems, such as the instance's sessions being killed or the stopping of redo log recording, which would make transactions unrecoverable, this capability should be severely restricted according to the needs of the organization.
Audit:
To assess this recommendation execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='ALTER SYSTEM' AND GRANTEE NOT IN ('SYS','SYSTEM','APEX_030200','APEX_040000', 'APEX_040100','APEX_040200','DBA');
Lack of results implies compliance.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE ALTER SYSTEM FROM <grantee>;
References:
1. http://docs.oracle.com/cd/E11882_01/server.112/e26088/statements_2014.htm#SQLRF00902
4.3.8 Ensure 'CREATE ANY LIBRARY' Is Revoked from Unauthorized 'GRANTEE' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The Oracle database CREATE ANY LIBRARY privilege allows the designated user to create objects that are associated to the shared libraries.
Rationale:
As assignment of the CREATE ANY LIBRARY privilege can allow the creation of numerous library-associated objects and potentially corrupt the libraries' integrity, this capability should be restricted according to the needs of the organization.
Audit:
To assess this recommendation execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='CREATE ANY LIBRARY' AND GRANTEE NOT IN ('SYS','SYSTEM','DBA','IMP_FULL_DATABASE');
Lack of results implies compliance.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE CREATE ANY LIBRARY FROM <grantee>;
References:
1. http://docs.oracle.com/cd/E11882_01/server.112/e26088/statements_6001.htm#SQLRF01301
2. http://docs.oracle.com/cd/E18283_01/server.112/e17120/manproc007.htm
4.3.9 Ensure 'CREATE LIBRARY' Is Revoked from Unauthorized 'GRANTEE' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The Oracle database CREATE LIBRARY privilege allows the designated user to create objects that are associated to the shared libraries.
Rationale:
As assignment of the CREATE LIBRARY privilege can allow the creation of numerous library-associated objects and potentially corrupt the libraries' integrity, this capability should be restricted according to the needs of the organization.
Audit:
To assess this recommendation execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='CREATE LIBRARY' AND GRANTEE NOT IN ('SYS','SYSTEM','DBA','SPATIAL_CSW_ADMIN_USR','XDB','EXFSYS','MDSYS','SPATIAL_WFS_ADMIN_USR');
Lack of results implies compliance.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE CREATE LIBRARY FROM <grantee>;
References:
1. http://docs.oracle.com/cd/E11882_01/server.112/e26088/statements_6001.htm#SQLRF01301
2. http://docs.oracle.com/cd/E18283_01/server.112/e17120/manproc007.htm
4.3.10 Ensure 'GRANT ANY OBJECT PRIVILEGE' Is Revoked from Unauthorized 'GRANTEE' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The Oracle database GRANT ANY OBJECT PRIVILEGE keyword provides the grantee the capability to grant access to any single or multiple combinations of objects to any grantee in the catalog of the database.
Rationale:
As authorization to use the GRANT ANY OBJECT PRIVILEGE capability can allow an unauthorized user to potentially access/change confidential data or damage the data catalog due to potential complete instance access, this capability should be restricted according to the needs of the organization.
Audit:
To assess this recommendation execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='GRANT ANY OBJECT PRIVILEGE' AND GRANTEE NOT IN ('DBA','SYS','IMP_FULL_DATABASE','DATAPUMP_IMP_FULL_DATABASE');
Lack of results implies compliance.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE GRANT ANY OBJECT PRIVILEGE FROM <grantee>;
References:
1. http://docs.oracle.com/cd/E11882_01/network.112/e16543/authorization.htm#DBSEG99914
4.3.11 Ensure 'GRANT ANY ROLE' Is Revoked from Unauthorized 'GRANTEE' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The Oracle database GRANT ANY ROLE keyword provides the grantee the capability to grant any single role to any grantee in the catalog of the database.
Rationale:
As authorization to use the GRANT ANY ROLE capability can allow an unauthorized user to potentially access/change confidential data or damage the data catalog due to potential complete instance access, this capability should be restricted according to the needs of the organization.
Audit:
To assess this recommendation execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='GRANT ANY ROLE' AND GRANTEE NOT IN ('DBA','SYS','DATAPUMP_IMP_FULL_DATABASE','IMP_FULL_DATABASE', 'SPATIAL_WFS_ADMIN_USR','SPATIAL_CSW_ADMIN_USR');
Lack of results implies compliance.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE GRANT ANY ROLE FROM <grantee>;
References:
1. http://docs.oracle.com/cd/E11882_01/network.112/e16543/authorization.htm#DBSEG99903
4.3.12 Ensure 'GRANT ANY PRIVILEGE' Is Revoked from Unauthorized 'GRANTEE' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The Oracle database GRANT ANY PRIVILEGE keyword provides the grantee the capability to grant any single privilege to any item in the catalog of the database.
Rationale:
As authorization to use the GRANT ANY PRIVILEGE capability can allow an unauthorized user to potentially access/change confidential data or damage the data catalog due to potential complete instance access, this capability should be restricted according to the needs of the organization.
Audit:
To assess this recommendation execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='GRANT ANY PRIVILEGE' AND GRANTEE NOT IN ('DBA','SYS','IMP_FULL_DATABASE','DATAPUMP_IMP_FULL_DATABASE');
Lack of results implies compliance.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE GRANT ANY PRIVILEGE FROM <grantee>;
References:
1. http://docs.oracle.com/cd/E11882_01/network.112/e16543/authorization.htm#DBSEG99876
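The twelve checks in section 4.3 all follow the same shape (one system privilege, one list of tolerated grantees), so they can be run in a single pass. The following PL/SQL block is an added example, not part of the CIS benchmark: it applies the exception lists from 4.3.1 to 4.3.12 against DBA_SYS_PRIVS and prints a REVOKE statement for every other grantee, quoting the name with DBMS_ASSERT.ENQUOTE_NAME so the generated text cannot be distorted by an unusual user name. It assumes SQL*Plus (for SET SERVEROUTPUT) and SELECT access to DBA_SYS_PRIVS; review the output before executing any of it.

```sql
SET SERVEROUTPUT ON SIZE UNLIMITED

DECLARE
  -- tolerated grantees per audited privilege, copied from the Audit queries in
  -- 4.3.1 to 4.3.12; each list is wrapped in commas so that exact-name matching
  -- works (',DBA,' does not match 'OLAP_DBA')
  TYPE t_allowed IS TABLE OF VARCHAR2(4000) INDEX BY VARCHAR2(64);
  l_allowed  t_allowed;
  l_priv     VARCHAR2(64);
  l_list     VARCHAR2(4000);
  l_findings PLS_INTEGER := 0;
BEGIN
  l_allowed('SELECT ANY DICTIONARY')      := ',DBA,DBSNMP,OEM_MONITOR,OLAPSYS,ORACLE_OCM,SYSMAN,WMSYS,';
  l_allowed('SELECT ANY TABLE')           := ',DBA,MDSYS,SYS,IMP_FULL_DATABASE,EXP_FULL_DATABASE,'
                                          || 'DATAPUMP_IMP_FULL_DATABASE,WMSYS,SYSTEM,OLAP_DBA,OLAPSYS,';
  l_allowed('AUDIT SYSTEM')               := ',DBA,DATAPUMP_IMP_FULL_DATABASE,IMP_FULL_DATABASE,SYS,';
  l_allowed('EXEMPT ACCESS POLICY')       := ',';   -- 4.3.4 tolerates no grantee at all
  l_allowed('BECOME USER')                := ',DBA,SYS,IMP_FULL_DATABASE,';
  l_allowed('CREATE PROCEDURE')           := ',DBA,DBSNMP,MDSYS,OLAPSYS,OWB$CLIENT,OWBSYS,'
                                          || 'RECOVERY_CATALOG_OWNER,SPATIAL_CSW_ADMIN_USR,'
                                          || 'SPATIAL_WFS_ADMIN_USR,SYS,APEX_030200,APEX_040000,'
                                          || 'APEX_040100,APEX_040200,RESOURCE,';
  l_allowed('ALTER SYSTEM')               := ',SYS,SYSTEM,APEX_030200,APEX_040000,APEX_040100,'
                                          || 'APEX_040200,DBA,';
  l_allowed('CREATE ANY LIBRARY')         := ',SYS,SYSTEM,DBA,IMP_FULL_DATABASE,';
  l_allowed('CREATE LIBRARY')             := ',SYS,SYSTEM,DBA,SPATIAL_CSW_ADMIN_USR,XDB,EXFSYS,'
                                          || 'MDSYS,SPATIAL_WFS_ADMIN_USR,';
  l_allowed('GRANT ANY OBJECT PRIVILEGE') := ',DBA,SYS,IMP_FULL_DATABASE,DATAPUMP_IMP_FULL_DATABASE,';
  l_allowed('GRANT ANY ROLE')             := ',DBA,SYS,DATAPUMP_IMP_FULL_DATABASE,IMP_FULL_DATABASE,'
                                          || 'SPATIAL_WFS_ADMIN_USR,SPATIAL_CSW_ADMIN_USR,';
  l_allowed('GRANT ANY PRIVILEGE')        := ',DBA,SYS,IMP_FULL_DATABASE,DATAPUMP_IMP_FULL_DATABASE,';

  l_priv := l_allowed.FIRST;
  WHILE l_priv IS NOT NULL LOOP
    l_list := l_allowed(l_priv);   -- copy to a scalar so the cursor can bind it
    FOR r IN (SELECT grantee, admin_option
                FROM dba_sys_privs
               WHERE privilege = l_priv
                 AND INSTR(l_list, ',' || grantee || ',') = 0
               ORDER BY grantee) LOOP
      l_findings := l_findings + 1;
      DBMS_OUTPUT.PUT_LINE('-- ' || l_priv || ' held by ' || r.grantee
                           || ' (ADMIN_OPTION=' || r.admin_option || ')');
      -- ENQUOTE_NAME(..., FALSE) double-quotes the grantee without changing its case
      DBMS_OUTPUT.PUT_LINE('REVOKE ' || l_priv || ' FROM '
                           || DBMS_ASSERT.ENQUOTE_NAME(r.grantee, FALSE) || ';');
    END LOOP;
    l_priv := l_allowed.NEXT(l_priv);
  END LOOP;
  DBMS_OUTPUT.PUT_LINE('-- ' || l_findings || ' finding(s); 0 means compliant with 4.3');
END;
/
```

A grantee that appears in the output may be a role rather than a user; revoking from the role removes the privilege from every user who holds that role, so check DBA_ROLE_PRIVS before running the generated statements.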
4.4 Revoke Role Privileges
The recommendations within this section intend to revoke powerful roles where they are likely not needed.
4.4.1 Ensure 'DELETE_CATALOG_ROLE' Is Revoked from Unauthorized 'GRANTEE' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The Oracle database DELETE_CATALOG_ROLE provides DELETE privileges for the records in the system's audit table (AUD$).
Rationale:
As permitting unauthorized access to the DELETE_CATALOG_ROLE can allow the destruction of audit records vital to the forensic investigation of unauthorized activities, this capability should be restricted according to the needs of the organization.
Audit:
To assess this recommendation execute the following SQL statement.
SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS WHERE granted_role='DELETE_CATALOG_ROLE' AND GRANTEE NOT IN ('DBA','SYS');
Lack of results implies compliance.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE DELETE_CATALOG_ROLE FROM <grantee>;
References:
1. http://docs.oracle.com/cd/E11882_01/network.112/e16543/authorization.htm#DBSEG99873
2. http://docs.oracle.com/cd/E11882_01/network.112/e16543/authorization.htm#DBSEG4414
4.4.2 Ensure 'SELECT_CATALOG_ROLE' Is Revoked from Unauthorized 'GRANTEE' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The Oracle database SELECT_CATALOG_ROLE provides SELECT privileges on all data dictionary views held in the SYS schema.
Rationale:
As permitting unauthorized access to the SELECT_CATALOG_ROLE can allow the disclosure of all dictionary data, this capability should be restricted according to the needs of the organization.
Audit:
To assess this recommendation execute the following SQL statement.
SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS WHERE granted_role='SELECT_CATALOG_ROLE' AND grantee not in ('DBA','SYS','IMP_FULL_DATABASE','EXP_FULL_DATABASE','OEM_MONITOR','SYSMAN');
Lack of results implies compliance.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE SELECT_CATALOG_ROLE FROM <grantee>;
References:
1. http://docs.oracle.com/cd/E11882_01/network.112/e16543/authorization.htm#DBSEG99873
2. http://docs.oracle.com/cd/E11882_01/network.112/e16543/authorization.htm#DBSEG4414
4.4.3 Ensure 'EXECUTE_CATALOG_ROLE' Is Revoked from Unauthorized 'GRANTEE' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The Oracle database EXECUTE_CATALOG_ROLE provides EXECUTE privileges for a number of packages and procedures in the data dictionary in the SYS schema.
Rationale:
As permitting unauthorized access to the EXECUTE_CATALOG_ROLE can allow the disruption of operations by initialization of rogue procedures, this capability should be restricted according to the needs of the organization.
Audit:
To assess this recommendation execute the following SQL statement.
SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS WHERE granted_role='EXECUTE_CATALOG_ROLE' AND grantee not in ('DBA','SYS','IMP_FULL_DATABASE','EXP_FULL_DATABASE');
Lack of results implies compliance.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE EXECUTE_CATALOG_ROLE FROM <grantee>;
References:
1. http://docs.oracle.com/cd/E11882_01/network.112/e16543/authorization.htm#DBSEG99873
2. http://docs.oracle.com/cd/E11882_01/network.112/e16543/authorization.htm#DBSEG4414
4.4.4 Ensure 'DBA' Is Revoked from Unauthorized 'GRANTEE' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The Oracle database DBA role is the default database administrator role provided for the allocation of administrative privileges.
Rationale:
As assignment of the DBA role to an ordinary user can provide a great number of unnecessary privileges to that user and opens the door to data breaches, integrity violations, and Denial-of-Service conditions, application of this role should be restricted according to the needs of the organization.
Audit:
To assess this recommendation execute the following SQL statement.
SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS WHERE GRANTED_ROLE='DBA' AND GRANTEE NOT IN ('SYS','SYSTEM');
Lack of results implies compliance.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE DBA FROM <grantee>;
References:
1. http://docs.oracle.com/cd/E11882_01/network.112/e16543/authorization.htm#DBSEG4414
4.5 Revoke Excessive Table and View Privileges
The recommendations within this section intend to revoke excessive table and view privileges.
4.5.1 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'AUD$' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The Oracle database SYS.AUD$ table contains all the audit records for the database of the non-Data Manipulation Language (DML) events, such as ALTER, DROP, CREATE, and so forth. (DML changes need trigger-based audit events to record data alterations.)
Rationale:
As permitting non-privileged users the authorization to manipulate the SYS.AUD$ table can allow distortion of the audit records, hiding unauthorized activities, this capability should be restricted according to the needs of the organization.
Audit:
To assess this recommendation execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_TAB_PRIVS WHERE TABLE_NAME='AUD$' AND GRANTEE NOT IN ('DELETE_CATALOG_ROLE');
Lack of results implies compliance.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE ALL ON AUD$ FROM <grantee>;
References:
1. http://docs.oracle.com/cd/E11882_01/network.112/e16543/auditing.htm#CEGDGIAF
4.5.2 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'USER_HISTORY$' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The Oracle database SYS.USER_HISTORY$ table contains all the audit records for the user's password change history. (This table gets updated by password changes if the user has an assigned profile that has a password reuse limit set, e.g., PASSWORD_REUSE_TIME set to other than UNLIMITED.)
Rationale:
As permitting non-privileged users the authorization to manipulate the records in the SYS.USER_HISTORY$ table can allow distortion of the audit trail, potentially hiding unauthorized data confidentiality attacks or integrity changes, this capability should be restricted according to the needs of the organization.
Audit:
To assess this recommendation execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_TAB_PRIVS WHERE TABLE_NAME='USER_HISTORY$';
Lack of results implies compliance.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE ALL ON USER_HISTORY$ FROM <grantee>;
References:
1. http://marcel.vandewaters.nl/oracle/database-oracle/password-history-reusing-a-password
4.5.3 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'LINK$' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The Oracle database SYS.LINK$ table contains all the user's password information and data table link information.
Rationale:
As permitting non-privileged users to manipulate or view the SYS.LINK$ table can allow capture of password information and/or corrupt the primary database linkages, this capability should be restricted according to the needs of the organization.
Audit:
To assess this recommendation execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_TAB_PRIVS WHERE TABLE_NAME='LINK$';
Lack of results implies compliance.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE ALL ON LINK$ FROM <grantee>;
4.5.4 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'SYS.USER$' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The Oracle database SYS.USER$ table contains the users' hashed password information.
Rationale:
As permitting non-privileged users the authorization to open the SYS.USER$ table can allow the capture of password hashes for the later application of password cracking algorithms to breach confidentiality, this capability should be restricted according to the needs of the organization.
Audit:
To assess this recommendation execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_TAB_PRIVS WHERE TABLE_NAME='USER$' AND GRANTEE NOT IN ('CTXSYS','XDB','APEX_030200', 'APEX_040000','APEX_040100','APEX_040200','ORACLE_OCM');
Lack of results implies compliance.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE ALL ON SYS.USER$ FROM <username>;
References:
1. http://dba.stackexchange.com/questions/17513/what-do-the-columns-in-sys-user-represent
4.5.5 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'DBA_%' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The Oracle database DBA_ views show all information which is relevant to administrative accounts.
Rationale:
Permitting users the authorization to manipulate the DBA_ views can expose sensitive data.
Audit:
To assess this recommendation execute the following SQL statement.
SELECT * FROM DBA_TAB_PRIVS WHERE TABLE_NAME LIKE 'DBA_%' AND GRANTEE NOT IN ('APPQOSSYS','AQ_ADMINISTRATOR_ROLE','CTXSYS', 'EXFSYS','MDSYS','OLAP_XS_ADMIN','OLAPSYS','ORDSYS','OWB$CLIENT','OWBSYS', 'SELECT_CATALOG_ROLE','WM_ADMIN_ROLE','WMSYS','XDBADMIN','LBACSYS', 'ADM_PARALLEL_EXECUTE_TASK','CISSCANROLE') AND NOT REGEXP_LIKE(grantee,'^APEX_0[3-9][0-9][0-9][0-9][0-9]$');
Lack of results implies compliance.
Remediation:
Replace <non-DBA/SYS grantee>, in the statement below, with the Oracle login(s) or role(s) returned from the associated audit procedure, and <DBA_ view> with the TABLE_NAME reported for that grantee (one statement per view and grantee), then execute:
REVOKE ALL ON <DBA_ view> FROM <non-DBA/SYS grantee>;
References:
1. http://docs.oracle.com/cd/E11882_01/server.112/e25789/datadict.htm#autoId2
4.5.6 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'SYS.SCHEDULER$_CREDENTIAL' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The Oracle database SCHEDULER$_CREDENTIAL table contains the database scheduler credential information.
Rationale:
As permitting non-privileged users the authorization to open the SYS.SCHEDULER$_CREDENTIAL table.
Audit:
To assess this recommendation execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_TAB_PRIVS WHERE TABLE_NAME='SCHEDULER$_CREDENTIAL';
Lack of results implies compliance.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE ALL ON SYS.SCHEDULER$_CREDENTIAL FROM <username>;
References:
1. http://docs.oracle.com/cd/E11882_01/appdev.112/e25788/d_sched.htm#ARPLS72292
2. http://berxblog.blogspot.de/2012/02/restore-dbmsschedulercreatecredential.html
4.5.7 Ensure 'SYS.USER$MIG' Has Been Dropped (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The table sys.user$mig is created during migration and contains the Oracle password hashes before the migration starts.
Rationale:
The table sys.user$mig is not deleted after the migration. An attacker could access the table containing the Oracle password hashes.
Audit:
To assess this recommendation execute the following SQL statement.
SELECT OWNER, TABLE_NAME FROM ALL_TABLES WHERE OWNER='SYS' AND TABLE_NAME='USER$MIG';
Lack of results implies compliance.
Remediation:
To remediate this setting execute the following SQL statement.
DROP TABLE SYS.USER$MIG;
4.6 Ensure '%ANY%' Is Revoked from Unauthorized 'GRANTEE' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The Oracle database ANY keyword provides the user the capability to alter any item in the catalog of the database.
Rationale:
As authorization to use the ANY expansion of a privilege can allow an unauthorized user to potentially change confidential data or damage the data catalog, this capability should be restricted according to the needs of the organization.
Audit:
To assess this recommendation execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE LIKE '%ANY%' AND GRANTEE NOT IN ('AQ_ADMINISTRATOR_ROLE','DBA','DBSNMP','EXFSYS', 'EXP_FULL_DATABASE','IMP_FULL_DATABASE','DATAPUMP_IMP_FULL_DATABASE', 'JAVADEBUGPRIV','MDSYS','OEM_MONITOR','OLAPSYS','OLAP_DBA','ORACLE_OCM', 'OWB$CLIENT','OWBSYS','SCHEDULER_ADMIN','SPATIAL_CSW_ADMIN_USR', 'SPATIAL_WFS_ADMIN_USR','SYS','SYSMAN','SYSTEM','WMSYS','APEX_030200', 'APEX_040000','APEX_040100','APEX_040200','LBACSYS','OUTLN');
Lack of results implies compliance.
Remediation:
To remediate this setting execute the following SQL statement for each PRIVILEGE and GRANTEE returned by the audit query (the privilege name is not quoted).
REVOKE <ANY privilege> FROM <grantee>;
References:
1. http://docs.oracle.com/cd/E11882_01/network.112/e16543/authorization.htm#DBSEG99877
4.7 Ensure 'DBA_SYS_PRIVS.%' Is Revoked from Unauthorized 'GRANTEE' with 'ADMIN_OPTION' Set to 'YES' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The Oracle database WITH_ADMIN privilege allows the designated user to grant another user the same privileges.
Rationale:
As assignment of the WITH_ADMIN privilege can allow the granting of a restricted privilege to an unauthorized user, this capability should be restricted according to the needs of the organization.
Audit:
To assess this recommendation execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE ADMIN_OPTION='YES' AND GRANTEE not in ('AQ_ADMINISTRATOR_ROLE','DBA','OWBSYS', 'SCHEDULER_ADMIN','SYS','SYSTEM','WMSYS', 'APEX_030200','APEX_040000','APEX_040100','APEX_040200');
Lack of results implies compliance.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE <privilege> FROM <grantee>;
4.8 Ensure Proxy Users Have Only 'CONNECT' Privilege (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
Do not grant privileges directly to proxy users.
Rationale:
A proxy user should only have the ability to connect to the database.
Audit:
To assess this recommendation execute the following SQL statement.
SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS WHERE GRANTEE IN ( SELECT PROXY FROM DBA_PROXIES ) AND GRANTED_ROLE NOT IN ('CONNECT');
Lack of results implies compliance.
Remediation:
To remediate this setting execute the following SQL statement for each role returned by the audit query.
REVOKE <privilege> FROM <proxy_user>;
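The audit query above only inspects roles in DBA_ROLE_PRIVS, while the description says proxy users should not be granted privileges directly at all. The following query is an added example, not part of the CIS benchmark: it also reports system privileges and object privileges granted straight to a proxy account. It assumes SELECT access to the DBA_ views used; DBA_PROXIES holds one row per proxy/client pair, hence the DISTINCT.

```sql
WITH proxies AS (SELECT DISTINCT proxy FROM dba_proxies)
-- roles beyond CONNECT (this part is the benchmark's own 4.8 check)
SELECT p.proxy, 'ROLE' AS grant_type, r.granted_role AS granted
  FROM proxies p
  JOIN dba_role_privs r ON r.grantee = p.proxy
 WHERE r.granted_role <> 'CONNECT'
UNION ALL
-- system privileges granted directly; CONNECT in 11g carries only CREATE SESSION,
-- so anything else held directly is excess for a proxy account
SELECT p.proxy, 'SYSTEM PRIVILEGE', s.privilege
  FROM proxies p
  JOIN dba_sys_privs s ON s.grantee = p.proxy
 WHERE s.privilege <> 'CREATE SESSION'
UNION ALL
-- object privileges granted directly to the proxy account
SELECT p.proxy, 'OBJECT PRIVILEGE',
       t.owner || '.' || t.table_name || ' (' || t.privilege || ')'
  FROM proxies p
  JOIN dba_tab_privs t ON t.grantee = p.proxy
 ORDER BY 1, 2, 3;
```

Lack of results means the proxy accounts hold nothing beyond CONNECT by any route; each row returned is a candidate for a REVOKE of the listed role or privilege from that proxy user.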
4.9 Ensure 'EXECUTE ANY PROCEDURE' Is Revoked from 'OUTLN' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
Remove unneeded privileges from OUTLN.
Rationale:
Migrated OUTLN users have more privileges than required.
Audit:
To assess this recommendation execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='EXECUTE ANY PROCEDURE' AND GRANTEE='OUTLN';
Lack of results implies compliance.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE EXECUTE ANY PROCEDURE FROM OUTLN;
4.10 Ensure 'EXECUTE ANY PROCEDURE' Is Revoked from 'DBSNMP' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
Remove unneeded privileges from DBSNMP.
Rationale:
Migrated DBSNMP users have more privileges than required.
Audit:
To assess this recommendation execute the following SQL statement.
SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='EXECUTE ANY PROCEDURE' AND GRANTEE='DBSNMP';
Lack of results implies compliance.
Remediation:
To remediate this setting execute the following SQL statement.
REVOKE EXECUTE ANY PROCEDURE FROM DBSNMP;
5 Audit/Logging Policies and Procedures
The ability to audit database activities is among the most important of all database security features. Decisions must be made regarding the scope of auditing since auditing has costs - in storage for the audit trail and in performance impact on audited operations - and perhaps even on the database or system in general. There is also the additional cost to manage (store, backup, secure) and review the data in the audit trail.
Measures must be taken to protect the audit trail itself, for it may be targeted for alteration or destruction to hide unauthorized activity. For an audit destination outside the database, the recommendations are elsewhere in this document. Auditing recommendations for potential database audit destinations are below.
Auditing "by session" typically creates fewer (until 11g) and slightly smaller audit records, but is discouraged in most situations since there is some loss of fidelity (e.g. object privilege GRANTEE). More detailed auditing creates larger audit records. The AUDIT_TRAIL initialization parameter (for DB|XML, extended - or not) is the main determining factor for the size of a given audit record - and a notable factor in the performance cost, although the largest of the latter is DB versus OS or XML.
This section deals with standard Oracle auditing since auditing of privileged connections (as sysdba or sysoper) is configured via the AUDIT_SYS_OPERATIONS initialization parameter and is otherwise not configurable. The basic types of standard auditing are object auditing, statement auditing and privilege auditing, and each behaves differently.
Object auditing applies to specific objects for which it is invoked and always applies to all users. This type of auditing is usually employed to audit application-specific sensitive objects, but can be used to protect the audit trail in the database.
Privilege auditing audits the use of specific system privileges, but typically only if the user actually possesses the audited privilege. Attempts that fail for lack of the audited privilege are typically not audited. This is the main weakness of privilege auditing and why statement auditing is usually preferred, if the option exists.
Statement auditing audits the issuance of certain types of statements, usually without regard to privilege or lack thereof. Both privilege and statement audits may be specified for specific users or all users (the default).
5.1 Enable 'USER' Audit Option (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The USER object in the Oracle database is an account through which a connection may be made to interact with the database according to the roles and privileges allotted to the account. It is also a schema which may own database objects. This audits all activities and requests to create, drop or alter a user, including a user changing their own password. (The latter is not audited by 'audit ALTER USER'.)
Rationale:
Any unauthorized attempts to create, drop or alter a user should cause concern, whether successful or not. It can also be useful in forensics if an account is compromised and is mandated by many common security initiatives. An abnormally high number of these activities in a given period might be worth investigation. Any failed attempt to drop a user or create a user may be worth further review.
Audit:
To assess this recommendation execute the following SQL statement.
SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='USER' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
AUDIT USER;
Impact:
This would replace the current 5.2 (audit CREATE USER), 5.3 (audit ALTER USER), and 5.4 (audit DROP USER) privilege audits with the single statement auditing option "audit USER". Any action audited by those three privilege audits would also be audited by this. In addition, this would audit:
1) Attempts to create a user by anyone without the CREATE USER system privilege
2) Attempts to drop a user by anyone without the DROP USER system privilege
3) Attempts to alter a user by anyone without the ALTER USER system privilege
4) Users changing or attempting to change their own passwords (which is not done by auditing ALTER USER).
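The value of statement auditing over privilege auditing, as the section introduction and this Impact note explain, is that it records attempts by users who do not hold the privilege. The two queries below are an added example, not part of the CIS benchmark: the first verifies in one pass that every statement audit option from section 5 is in effect BY ACCESS for all users, and the second pulls the user, role, grant and profile events from the database audit trail with the denied attempts first. They assume AUDIT_TRAIL is set to DB or DB,EXTENDED and SELECT access to DBA_STMT_AUDIT_OPTS and DBA_AUDIT_TRAIL.

```sql
-- 1) one row per section 5 statement audit option; MISSING rows are findings
SELECT o.audit_option,
       CASE WHEN s.audit_option IS NULL THEN 'MISSING (finding)'
            ELSE 'OK (' || s.success || ' / ' || s.failure || ')' END AS status
  FROM (SELECT 'USER'         AS audit_option FROM dual UNION ALL
        SELECT 'ALTER USER'   FROM dual UNION ALL
        SELECT 'DROP USER'    FROM dual UNION ALL
        SELECT 'ROLE'         FROM dual UNION ALL
        SELECT 'SYSTEM GRANT' FROM dual UNION ALL
        SELECT 'PROFILE'      FROM dual) o
  LEFT JOIN dba_stmt_audit_opts s
         ON s.audit_option = o.audit_option
        AND s.user_name IS NULL AND s.proxy_name IS NULL   -- set for all users, not per user
        AND s.success = 'BY ACCESS' AND s.failure = 'BY ACCESS'
 ORDER BY o.audit_option;

-- 2) last 7 days of user/role/grant/profile activity from the database audit trail.
--    RETURNCODE 1031 is ORA-01031 "insufficient privileges": an attempt by someone who
--    lacks the privilege, which a privilege audit (AUDIT CREATE USER etc.) would not
--    have recorded. For user DDL, OBJ_NAME carries the target user name, so an
--    ALTER USER whose target equals the issuing user is a self-service password change.
SELECT t.extended_timestamp, t.username, t.os_username, t.userhost,
       t.action_name, t.obj_name,
       CASE t.returncode
            WHEN 0    THEN 'succeeded'
            WHEN 1031 THEN 'DENIED: insufficient privileges'
            ELSE 'failed ORA-' || LPAD(t.returncode, 5, '0') END AS outcome,
       CASE WHEN t.action_name = 'ALTER USER' AND t.obj_name = t.username
            THEN 'self password change' END AS note,
       t.priv_used
  FROM dba_audit_trail t
 WHERE t.extended_timestamp > SYSTIMESTAMP - INTERVAL '7' DAY
   AND (t.action_name LIKE '%USER' OR t.action_name LIKE '%ROLE'
        OR t.action_name LIKE '%PROFILE' OR t.action_name LIKE 'SYSTEM %')
 ORDER BY CASE WHEN t.returncode = 0 THEN 1 ELSE 0 END, t.extended_timestamp DESC;
```

Denied attempts from an OS user or host that has no administrative role are the rows worth escalating; a cluster of them against the same target user in a short window is the pattern the Rationale above calls out.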
5.2 Enable 'ALTER USER' Audit Option (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The USER object for the Oracle database is a specification of an object which is an account through which either a human or an application can connect to (via JDBC) or log in to (via a CLI), and interact with the database instance according to the roles and privileges allotted to the account.
Rationale:
As the logging of user activities involving the creation, alteration, or dropping of a USER can provide forensic evidence about a pattern of suspect/unauthorized activities, the audit capability should be set according to the needs of the organization.
Audit:
To assess this recommendation execute the following SQL statement.
SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='ALTER USER' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
AUDIT ALTER USER;
5.3 Enable 'DROP USER' Audit Option (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The USER object for the Oracle database is a specification of an object which is an account through which either a human or an application can connect to (via JDBC) or log in to (via a CLI), and interact with the database instance according to the roles and privileges allotted to the account.
Rationale:
As the logging of user activities involving the creation, alteration, or dropping of a USER can provide forensic evidence about a pattern of suspect/unauthorized activities, the audit capability should be set according to the needs of the organization.
Audit:
To assess this recommendation execute the following SQL statement.
SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='DROP USER' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
AUDIT DROP USER;
5.4 Enable 'ROLE' Audit Option (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The ROLE object allows for the creation of a set of privileges that can be granted to users or other roles. This audits all attempts, successful or not, to create, drop, alter or set roles.
Rationale:
Roles are a key database security infrastructure component. Any attempt to create, drop or alter a role should be audited. This statement auditing option also audits attempts, successful or not, to set a role in a session. Any unauthorized attempts to create, drop or alter a role may be worthy of investigation. Attempts to set a role by users without the role privilege may warrant investigation.
Audit:
To assess this recommendation execute the following SQL statement.
SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='ROLE' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting:
AUDIT ROLE;
Impact:
The change to the audit/check is to ensure that the audit is in effect for all users, regardless of proxy or success.
The change to the title, description and rationale is to better clarify what it actually does. (e.g. It does NOT audit "all ROLE activities/requests". For example, it does not audit role grants and revokes.)
5.5 Enable 'SYSTEM GRANT' Audit Option (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
This will audit any attempt, successful or not, to grant or revoke any system privilege or role, regardless of the privilege held by the user attempting the operation.
Rationale:
Logging of all grants and revokes (roles and system privileges) can provide forensic evidence about a pattern of suspect/unauthorized activities. Any unauthorized attempt may be cause for further investigation.
Audit:
To assess this recommendation execute the following SQL statement.
SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='SYSTEM GRANT' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
AUDIT SYSTEM GRANT;
5.6 Enable 'PROFILE' Audit Option (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The PROFILE object allows for the creation of a set of database resource limits that can be assigned to a user, so that that user cannot exceed those resource limitations. This will audit all attempts, successful or not, to create, drop or alter any profile.
Rationale:
As profiles are part of the database security infrastructure, auditing the modification of profiles is recommended.
Audit:
To assess this recommendation execute the following SQL statement.
SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='PROFILE' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
AUDIT PROFILE;
Impact:
The statement auditing option 'audit PROFILE' audits everything that the three privilege audits 'audit CREATE PROFILE', 'audit DROP PROFILE' and 'audit ALTER PROFILE' do, but also audits:
1) Attempts to create a profile by a user without the CREATE PROFILE system privilege.
2) Attempts to drop a profile by a user without the DROP PROFILE system privilege.
3) Attempts to alter a profile by a user without the ALTER PROFILE system privilege.
5.7 Enable 'ALTER PROFILE' Audit Option (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The PROFILE object allows for the creation of a set of database resource limits that can be assigned to a user, so that that user cannot exceed those resource limitations.
Rationale:
As the logging of user activities involving the creation, alteration, or dropping of a PROFILE can provide forensic evidence about a pattern of unauthorized activities, the audit capability should be set according to the needs of the organization.
Audit:
To assess this recommendation execute the following SQL statement.
SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='ALTER PROFILE' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
AUDIT ALTER PROFILE;
5.8 Enable 'DROP PROFILE' Audit Option (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The PROFILE object allows for the creation of a set of database resource limits that can be assigned to a user, so that that user cannot exceed those resource limitations.
Rationale:
As the logging of user activities involving the creation, alteration, or dropping of a PROFILE can provide forensic evidence about a pattern of unauthorized activities, the audit capability should be set according to the needs of the organization.
Audit:
To assess this recommendation execute the following SQL statement.
SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='DROP PROFILE' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
AUDIT DROP PROFILE;
5.9 Enable 'DATABASE LINK' Audit Option (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
All activities on database links should be audited.
Rationale:
As the logging of user activities involving the creation or dropping of a DATABASE LINK can provide forensic evidence about a pattern of unauthorized activities, the audit capability should be set according to the needs of the organization.
Audit:
To assess this recommendation execute the following SQL statement.
SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='DATABASE LINK' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
AUDIT DATABASE LINK;
References:
1. http://docs.oracle.com/cd/E11882_01/server.112/e26088/statements_4007.htm#SQLRF01107
5.10 Enable 'PUBLIC DATABASE LINK' Audit Option (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The PUBLIC DATABASE LINK object allows for the creation of a public link for an application-based "user" to access the database for connections/session creation.
Rationale:
As the logging of user activities involving the creation, alteration, or dropping of a PUBLIC DATABASE LINK can provide forensic evidence about a pattern of unauthorized activities, the audit capability should be set according to the needs of the organization.
Audit:
To assess this recommendation execute the following SQL statement.
SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='PUBLIC DATABASE LINK' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
AUDIT PUBLIC DATABASE LINK;
5.11 Enable 'PUBLIC SYNONYM' Audit Option (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The PUBLIC SYNONYM object allows for the creation of an alternate description of an object, and public synonyms are accessible by all users that have the appropriate privileges to the underlying object.
Rationale:
As the logging of user activities involving the creation or dropping of a PUBLIC SYNONYM can provide forensic evidence about a pattern of unauthorized activities, the audit capability should be set according to the needs of the organization.
Audit:
To assess this recommendation execute the following SQL statement.
SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='PUBLIC SYNONYM' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
AUDIT PUBLIC SYNONYM;
5.12 Enable 'SYNONYM' Audit Option (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The SYNONYM operation allows for the creation of an alternative name for a database object such as a Java class schema object, materialized view, operator, package, procedure, sequence, stored function, table, view, user-defined object type, even another synonym; this synonym puts a dependency on its target and is rendered invalid if the target object is changed/dropped.
Rationale:
As the logging of user activities involving the creation or dropping of a SYNONYM can provide forensic evidence about a pattern of suspect/unauthorized activities, the audit capability should be set according to the needs of the organization.
Audit:
To assess this recommendation execute the following SQL statement.
SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='SYNONYM' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
AUDIT SYNONYM;
References:
1. http://docs.oracle.com/cd/E11882_01/server.112/e26088/statements_4007.htm#SQLRF01107
5.13 Enable 'GRANT DIRECTORY' Audit Option (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The DIRECTORY object allows for the creation of a directory object that specifies an alias for a directory on the server file system, where the external binary file LOBs (BFILEs)/table data are located.
Rationale:
As the logging of user activities involving the creation or dropping of a DIRECTORY can provide forensic evidence about a pattern of unauthorized activities, the audit capability should be set according to the needs of the organization.
Audit:
To assess this recommendation execute the following SQL statement.
SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='GRANT DIRECTORY' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
AUDIT GRANT DIRECTORY;
References:
1. http://docs.oracle.com/cd/E11882_01/server.112/e26088/statements_4007.htm#SQLRF01107
5.14 Enable 'SELECT ANY DICTIONARY' Audit Option (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The SELECT ANY DICTIONARY capability allows the user to view the definitions of all schema objects in the database.
Rationale:
As the logging of user activities involving the capability to access the description of all schema objects in the database can provide forensic evidence about a pattern of unauthorized activities, the audit capability should be set according to the needs of the organization.
Audit:
To assess this recommendation execute the following SQL statement.
SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='SELECT ANY DICTIONARY' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
AUDIT SELECT ANY DICTIONARY;
References:
1. http://docs.oracle.com/cd/E11882_01/server.112/e26088/statements_4007.htm#SQLRF01107
5.15 Enable 'GRANT ANY OBJECT PRIVILEGE' Audit Option (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
GRANT ANY OBJECT PRIVILEGE allows the user to grant or revoke any object privilege, which includes privileges on tables, directories, mining models, etc. This audits all uses of that privilege.
Rationale:
Logging of privilege grants that can lead to the creation, alteration, or deletion of critical data, the modification of objects, object privilege propagation and other such activities can be critical to forensic investigations.
Audit:
To assess this recommendation execute the following SQL statement.
SELECT PRIVILEGE, SUCCESS, FAILURE FROM DBA_PRIV_AUDIT_OPTS WHERE PRIVILEGE='GRANT ANY OBJECT PRIVILEGE' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
AUDIT GRANT ANY OBJECT PRIVILEGE;
Impact:
The change to the check/audit ensures that it is in effect for all users regardless of proxy or success. The change to the title more accurately reflects what it actually does. The previous reference to being able to drop or modify "users and other critical system components" is essentially wrong. There is no object privilege I know of that can be used directly to drop or create a user. There may be some confusion due to documentation bugs (see notes), but this allows one only to grant object privileges, not system privileges like DROP ANY TABLE, DROP USER or ALTER PROFILE. (Of course, one could construct scenarios where granting execute on something might enable one to do so.)
5.16 Enable 'GRANT ANY PRIVILEGE' Audit Option (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
This audits all uses of the system privilege named GRANT ANY PRIVILEGE. Actions by users not holding this privilege are not audited.
Rationale:
GRANT ANY PRIVILEGE allows a user to grant any system privilege, including the most powerful privileges typically available only to administrators: to change the security infrastructure, to drop/add/modify users and more. Auditing the use of this privilege is part of a comprehensive auditing policy that can help in detecting issues and can be useful in forensics.
Audit:
To assess this recommendation execute the following SQL statement.
SELECT PRIVILEGE, SUCCESS, FAILURE FROM DBA_PRIV_AUDIT_OPTS WHERE PRIVILEGE='GRANT ANY PRIVILEGE' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
AUDIT GRANT ANY PRIVILEGE;
References:
1. http://docs.oracle.com/cd/E11882_01/server.112/e26088/statements_4007.htm#SQLRF01107
5.17 Enable 'DROP ANY PROCEDURE' Audit Option (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The AUDIT DROP ANY PROCEDURE command is auditing the creation of procedures in other schemas.
Rationale:
Dropping procedures of another user could be part of a privilege escalation exploit and should be audited.
Audit:
To assess this recommendation execute the following SQL statement.
SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='DROP ANY PROCEDURE' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
AUDIT DROP ANY PROCEDURE;
5.18 Enable 'ALL' Audit Option on 'SYS.AUD$' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The logging of attempts to alter the audit trail in the SYS.AUD$ table (open for read/update/delete/view) will provide a record of any activities that may indicate unauthorized attempts to access the audit trail.
Rationale:
As the logging of attempts to alter the SYS.AUD$ table can provide forensic evidence of the initiation of a pattern of unauthorized activities, this logging capability should be set according to the needs of the organization.
Audit:
To assess this recommendation execute the following SQL statement.
SELECT * FROM DBA_OBJ_AUDIT_OPTS WHERE OBJECT_NAME='AUD$' AND ALT='A/A' AND AUD='A/A' AND COM='A/A' AND DEL='A/A' AND GRA='A/A' AND IND='A/A' AND INS='A/A' AND LOC='A/A' AND REN='A/A' AND SEL='A/A' AND UPD='A/A' AND FBK='A/A';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
AUDIT ALL ON SYS.AUD$ BY ACCESS;
5.19 Enable 'PROCEDURE' Audit Option (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
In this statement audit, "PROCEDURE" means any procedure, function, package or library. Any attempt, successful or not, to create or drop any of these types of objects is audited, regardless of privilege or lack thereof. Java schema objects (sources, classes, and resources) are considered the same as procedures for purposes of auditing SQL statements.
Rationale:
Any unauthorized attempts to create or drop a procedure in another's schema should cause concern, whether successful or not. Changes to critical stored code can dramatically change the behavior of the application and produce serious security consequences, including privilege escalation and introducing SQL injection vulnerabilities. Audit records of such changes can be helpful in forensics.
Audit:
To assess this recommendation execute the following SQL statement.
SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='PROCEDURE' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
AUDIT PROCEDURE;
5.20 Enable 'ALTER SYSTEM' Audit Option (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
This will audit all attempts to ALTER SYSTEM, whether successful or not and regardless of whether or not the ALTER SYSTEM privilege is held by the user attempting the action.
Rationale:
Alter system allows one to change instance settings, including security settings and auditing options. Additionally, alter system can be used to run operating system commands using undocumented Oracle functionality. Any unauthorized attempt to alter the system should be cause for concern. Alterations outside of some specified maintenance window may be of concern. In forensics, these audit records could be quite useful.
Audit:
To assess this recommendation execute the following SQL statement.
SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='ALTER SYSTEM' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
AUDIT ALTER SYSTEM;
Impact:
The change to the check/audit is to ensure that the audit is in effect for all users regardless of proxy, whether successful or not.
The previous Description was wrong: it is not "auditing" that "allows to modify the database settings".
5.21 Enable 'TRIGGER' Audit Option (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
A TRIGGER may be used to modify DML actions or invoke other (recursive) actions when some types of user-initiated actions occur. This will audit any attempt, successful or not, to create, drop, enable or disable any schema trigger in any schema regardless of privilege or lack thereof. For enabling and disabling a trigger, it covers both alter trigger and alter table.
Rationale:
Triggers are often part of schema security, data validation and other critical constraints upon actions and data. A trigger in another schema may be used to escalate privileges, redirect operations, transform data and perform other sorts of perhaps undesired actions. Any unauthorized attempt to create, drop or alter a trigger in another schema may be cause for investigation.
Audit:
To assess this recommendation execute the following SQL statement.
SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='TRIGGER' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
AUDIT TRIGGER;
Impact:
The statement auditing option 'audit TRIGGER' audits almost everything that the three privilege audits "audit CREATE ANY TRIGGER", "audit ALTER ANY TRIGGER" and "audit DROP ANY TRIGGER" audit, but also audits:
1. Statements to create, drop, enable or disable a trigger in the user's own schema.
2. Attempts to create a trigger by a user without the CREATE TRIGGER system privilege.
3. Attempts to create a trigger in another schema by users without the CREATE ANY TRIGGER privilege.
4. Attempts to drop a trigger in another schema by users without the DROP ANY TRIGGER privilege.
5. Attempts to disable or enable a trigger in another schema by users without the ALTER ANY TRIGGER privilege.
The one thing that is audited by any of the three privilege audits but is not audited by this is "alter trigger ... compile" if the trigger is in another's schema, which is audited by "audit ALTER ANY TRIGGER", but only if the user attempting the alteration actually holds the ALTER ANY TRIGGER system privilege. "Audit TRIGGER" only audits "alter table" or "alter trigger" statements used to enable or disable triggers. It does not audit alter trigger or alter table statements used only with compile options.
5.22 Enable 'CREATE SESSION' Audit Option (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
Audit all attempts to connect to the database, whether successful or not. Also audits session disconnects/logoffs. The commands to audit SESSION, CONNECT or CREATE SESSION all accomplish exactly the same thing: they initiate statement auditing of the connect statement used to create a database session.
Rationale:
Auditing attempts to connect to the database is basic and mandated by most security initiatives. Any attempt to log on to a locked account, failed attempts to log on to default accounts or an unusually high number of failed logon attempts of any sort, for any user, in a particular time period may indicate an intrusion attempt. In forensics, the logon record may be first in a chain of evidence and contains information found in no other type of audit record for the session. Logon and logoff in the audit trail define the period and duration of the session.
Audit:
To assess this recommendation execute the following SQL statement.
SELECT AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='CREATE SESSION' AND USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = 'BY ACCESS' AND FAILURE = 'BY ACCESS';
Lack of results implies a finding.
Remediation:
Execute the following SQL statement to remediate this setting.
AUDIT SESSION;
Impact:
This is just a clarification. There is no change to what is actually audited. The check does now include conditions to ensure that this auditing applies regardless of user or proxy and that it must include auditing both success and failure.
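Each recommendation in section 5 tests one audit option at a time. The query below is an added example, not part of the CIS benchmark, that consolidates those checks into a single report: it lists every statement audit option (checked in DBA_STMT_AUDIT_OPTS) and privilege audit option (checked in DBA_PRIV_AUDIT_OPTS) that section 5 recommends and flags any that is not in effect for all users and proxies, BY ACCESS, for both success and failure. It reads only the two views that the appendix grants to CISSCANROLE; the 'OK'/'FINDING'/'NOT SET' labels and the name of the report are this example's own, and the object audit on SYS.AUD$ (5.18) is not covered because it lives in DBA_OBJ_AUDIT_OPTS.

```sql
-- Added example (not CIS benchmark code): consolidated check for the section 5
-- audit options. A row marked FINDING has no matching audit option in effect
-- for all users (USER_NAME and PROXY_NAME are NULL) with both SUCCESS and
-- FAILURE equal to 'BY ACCESS', the condition each recommendation tests.
WITH expected AS (
  -- Statement audit options, as queried in 5.1 to 5.14, 5.17 and 5.19 to 5.22
  SELECT 'STMT' AS kind, 'USER' AS opt FROM DUAL UNION ALL
  SELECT 'STMT', 'ALTER USER'            FROM DUAL UNION ALL
  SELECT 'STMT', 'DROP USER'             FROM DUAL UNION ALL
  SELECT 'STMT', 'ROLE'                  FROM DUAL UNION ALL
  SELECT 'STMT', 'SYSTEM GRANT'          FROM DUAL UNION ALL
  SELECT 'STMT', 'PROFILE'               FROM DUAL UNION ALL
  SELECT 'STMT', 'ALTER PROFILE'         FROM DUAL UNION ALL
  SELECT 'STMT', 'DROP PROFILE'          FROM DUAL UNION ALL
  SELECT 'STMT', 'DATABASE LINK'         FROM DUAL UNION ALL
  SELECT 'STMT', 'PUBLIC DATABASE LINK'  FROM DUAL UNION ALL
  SELECT 'STMT', 'PUBLIC SYNONYM'        FROM DUAL UNION ALL
  SELECT 'STMT', 'SYNONYM'               FROM DUAL UNION ALL
  SELECT 'STMT', 'GRANT DIRECTORY'       FROM DUAL UNION ALL
  SELECT 'STMT', 'SELECT ANY DICTIONARY' FROM DUAL UNION ALL
  SELECT 'STMT', 'DROP ANY PROCEDURE'    FROM DUAL UNION ALL
  SELECT 'STMT', 'PROCEDURE'             FROM DUAL UNION ALL
  SELECT 'STMT', 'ALTER SYSTEM'          FROM DUAL UNION ALL
  SELECT 'STMT', 'TRIGGER'               FROM DUAL UNION ALL
  SELECT 'STMT', 'CREATE SESSION'        FROM DUAL UNION ALL
  -- Privilege audit options, as queried in 5.15 and 5.16
  SELECT 'PRIV', 'GRANT ANY OBJECT PRIVILEGE' FROM DUAL UNION ALL
  SELECT 'PRIV', 'GRANT ANY PRIVILEGE'        FROM DUAL
),
actual AS (
  -- Only options that apply to every user, regardless of proxy, count;
  -- per-user or per-proxy rows are ignored, exactly as the benchmark checks do.
  SELECT 'STMT' AS kind, audit_option AS opt, success, failure
    FROM dba_stmt_audit_opts
   WHERE user_name IS NULL AND proxy_name IS NULL
  UNION ALL
  SELECT 'PRIV', privilege, success, failure
    FROM dba_priv_audit_opts
   WHERE user_name IS NULL AND proxy_name IS NULL
)
SELECT e.kind,
       e.opt,
       NVL(a.success, 'NOT SET') AS success,
       NVL(a.failure, 'NOT SET') AS failure,
       -- An option set BY SESSION, or set for success only, is still a finding
       CASE
         WHEN a.success = 'BY ACCESS' AND a.failure = 'BY ACCESS' THEN 'OK'
         ELSE 'FINDING'
       END AS status
  FROM expected e
  LEFT JOIN actual a
    ON a.kind = e.kind
   AND a.opt  = e.opt
 ORDER BY status, e.kind, e.opt;
```

Every row whose status is FINDING corresponds to one remediation statement in section 5 (AUDIT <option>); rows marked OK need no action.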
6 Appendix: Establishing an Audit/Scan User
This document has been authored with the expectation that a user with appropriate permissions will be used to execute the queries and perform other assessment actions. While this could be accomplished by granting DBA privileges to a given user, the preferred approach is to create a dedicated user and grant only the specific permissions required to perform the assessments expressed herein. Doing this avoids the necessity for any user assessing the system to be granted DBA privileges.
The recommendations expressed in this document assume the presence of a role named CISSCANROLE and a user named CISSCAN. This role and user should be created by executing the following SQL statements, being careful to substitute an appropriate password for <password>.
-- Create the role
CREATE ROLE CISSCANROLE;
-- Grant necessary privileges to the role
GRANT CREATE SESSION TO CISSCANROLE;
GRANT SELECT ON V_$PARAMETER TO CISSCANROLE;
GRANT SELECT ON DBA_TAB_PRIVS TO CISSCANROLE;
GRANT SELECT ON DBA_PROFILES TO CISSCANROLE;
GRANT SELECT ON DBA_SYS_PRIVS TO CISSCANROLE;
GRANT SELECT ON DBA_STMT_AUDIT_OPTS TO CISSCANROLE;
GRANT SELECT ON DBA_ROLE_PRIVS TO CISSCANROLE;
GRANT SELECT ON DBA_OBJ_AUDIT_OPTS TO CISSCANROLE;
GRANT SELECT ON DBA_PRIV_AUDIT_OPTS TO CISSCANROLE;
GRANT SELECT ON DBA_PROXIES TO CISSCANROLE;
GRANT SELECT ON DBA_USERS TO CISSCANROLE;
GRANT SELECT ON DBA_USERS_WITH_DEFPWD TO CISSCANROLE;
-- Create the user and assign the user to the role
-- (substitute an appropriate password for <password>)
CREATE USER CISSCAN IDENTIFIED BY <password>;
GRANT CISSCANROLE TO CISSCAN;
If you rely on similar roles and/or users, but which are not named as CISSCANROLE or CISSCAN, or if you have roles or users named CISSCANROLE or CISSCAN intended to be used for different purposes, be aware that some recommendations herein explicitly name CISSCANROLE and CISSCAN.
These are:
• 3.10 Ensure No Users Are Assigned the 'DEFAULT' Profile
• 4.5.5 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'DBA_%'
Control | Set Correctly (Yes | No)
1 Oracle Database Installation and Patching Requirements
1.1 Ensure the Appropriate Version/Patches for Oracle Software Is Installed (Scored) | o | o
1.2 Ensure All Default Passwords Are Changed (Scored) | o | o
1.3 Ensure All Sample Data And Users Have Been Removed (Scored) | o | o
2 Oracle Parameter Settings
2.1 Listener Settings
2.1.1 Ensure 'SECURE_CONTROL_<listener_name>' Is Set In 'listener.ora' (Scored) | o | o
2.1.2 Ensure 'extproc' Is Not Present in 'listener.ora' (Scored) | o | o
2.1.3 Ensure 'ADMIN_RESTRICTIONS_<listener_name>' Is Set to 'ON' (Scored) | o | o
2.1.4 Ensure 'SECURE_REGISTER_<listener_name>' Is Set to 'TCPS' or 'IPC' (Scored) | o | o
2.2 Database settings
2.2.1 Ensure 'AUDIT_SYS_OPERATIONS' Is Set to 'TRUE' (Scored) | o | o
2.2.2 Ensure 'AUDIT_TRAIL' Is Set to 'OS', 'DB', 'XML', 'DB,EXTENDED', or 'XML,EXTENDED' (Scored) | o | o
2.2.3 Ensure 'GLOBAL_NAMES' Is Set to 'TRUE' (Scored) | o | o
2.2.4 Ensure 'LOCAL_LISTENER' Is Set Appropriately (Scored) | o | o
2.2.5 Ensure 'O7_DICTIONARY_ACCESSIBILITY' Is Set to 'FALSE' (Scored) | o | o
2.2.6 Ensure 'OS_ROLES' Is Set to 'FALSE' (Scored) | o | o
2.2.7 Ensure 'REMOTE_LISTENER' Is Empty (Scored) | o | o
2.2.8 Ensure 'REMOTE_LOGIN_PASSWORDFILE' Is Set to 'NONE' (Scored) | o | o
2.2.9 Ensure 'REMOTE_OS_AUTHENT' Is Set to 'FALSE' (Scored) | o | o
2.2.10 Ensure 'REMOTE_OS_ROLES' Is Set to 'FALSE' (Scored) | o | o
2.2.11 Ensure 'UTIL_FILE_DIR' Is Empty (Scored) | o | o
2.2.12 Ensure 'SEC_CASE_SENSITIVE_LOGON' Is Set to 'TRUE' (Scored) | o | o
2.2.13 Ensure 'SEC_MAX_FAILED_LOGIN_ATTEMPTS' Is Set to '10' (Scored) | o | o
2.2.14 Ensure 'SEC_PROTOCOL_ERROR_FURTHER_ACTION' Is Set to 'DELAY,3' or 'DROP,3' (Scored) | o | o
2.2.15 Ensure 'SEC_PROTOCOL_ERROR_TRACE_ACTION' Is Set to 'LOG' (Scored) | o | o
2.2.16 Ensure 'SEC_RETURN_SERVER_RELEASE_BANNER' Is Set to 'FALSE' (Scored) | o | o
2.2.17 Ensure 'SQL92_SECURITY' Is Set to 'TRUE' (Scored) | o | o
2.2.18 Ensure '_TRACE_FILES_PUBLIC' Is Set to 'FALSE' (Scored) | o | o
2.2.19 Ensure 'RESOURCE_LIMIT' Is Set to 'TRUE' (Scored) | o | o
3 Oracle Connection and Login Restrictions
3.1 Ensure 'FAILED_LOGIN_ATTEMPTS' Is Less than or Equal to '5' (Scored) | o | o
3.2 Ensure 'PASSWORD_LOCK_TIME' Is Greater than or Equal to '1' (Scored) | o | o
3.3 Ensure 'PASSWORD_LIFE_TIME' Is Less than or Equal to '90' (Scored) | o | o
3.4 Ensure 'PASSWORD_REUSE_MAX' Is Greater than or Equal to '20' (Scored) | o | o
3.5 Ensure 'PASSWORD_REUSE_TIME' Is Greater than or Equal to '365' (Scored) | o | o
3.6 Ensure 'PASSWORD_GRACE_TIME' Is Less than or Equal to '5' (Scored) | o | o
3.7 Ensure 'DBA_USERS.PASSWORD' Is Not Set to 'EXTERNAL' for Any User (Scored) | o | o
3.8 Ensure 'PASSWORD_VERIFY_FUNCTION' Is Set for All Profiles (Scored) | o | o
3.9 Ensure 'SESSIONS_PER_USER' Is Less than or Equal to '10' (Scored) | o | o
3.10 Ensure No Users Are Assigned the 'DEFAULT' Profile (Scored) | o | o
4 Oracle User Access and Authorization Restrictions
4.1 Default Public Privileges for Packages and Object Types
4.1.1 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_ADVISOR' (Scored) | o | o
4.1.2 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_CRYPTO' (Scored) | o | o
4.1.3 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_JAVA' (Scored) | o | o
4.1.4 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_JAVA_TEST' (Scored) | o | o
4.1.5 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_JOB' (Scored) | o | o
4.1.6 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_LDAP' (Scored) | o | o
4.1.7 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_LOB' (Scored) | o | o
4.1.8 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_OBFUSCATION_TOOLKIT' (Scored) | o | o
4.1.9 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_RANDOM' (Scored) | o | o
4.1.10 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_SCHEDULER' (Scored) | o | o
4.1.11 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_SQL' (Scored) | o | o
4.1.12 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_XMLGEN' (Scored) | o | o
4.1.13 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_XMLQUERY' (Scored) | o | o
4.1.14 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_FILE' (Scored) | o | o
4.1.15 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_INADDR' (Scored) | o | o
4.1.16 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_TCP' (Scored) | o | o
4.1.17 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_MAIL' (Scored) | o | o
4.1.18 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_SMTP' (Scored) | o | o
4.1.19 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_DBWS' (Scored) | o | o
4.1.20 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_ORAMTS' (Scored) | o | o
4.1.21 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'UTL_HTTP' (Scored) | o | o
4.1.22 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'HTTPURITYPE' (Scored) | o | o
4.2 Revoke Non-Default Privileges for Packages and Object Types
4.2.1 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_SYS_SQL' (Scored) | o | o
4.2.2 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_BACKUP_RESTORE' (Scored) | o | o
4.2.3 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_AQADM_SYSCALLS' (Scored) | o | o
4.2.4 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_REPCAT_SQL_UTL' (Scored) | o | o
4.2.5 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'INITJVMAUX' (Scored) | o | o
4.2.6 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_STREAMS_ADM_UTL' (Scored) | o | o
4.2.7 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_AQADM_SYS' (Scored) | o | o
4.2.8 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_STREAMS_RPC' (Scored) | o | o
4.2.9 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_PRVTAQIM' (Scored) | o | o
4.2.10 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'LTADM' (Scored) | o | o
4.2.11 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'WWV_DBMS_SQL' (Scored) | o | o
4.2.12 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'WWV_EXECUTE_IMMEDIATE' (Scored) | o | o
4.2.13 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_IJOB' (Scored) | o | o
4.2.14 Ensure 'EXECUTE' Is Revoked from 'PUBLIC' on 'DBMS_FILE_TRANSFER' (Scored) | o | o
4.3 Revoke Excessive System Privileges
4.3.1 Ensure 'SELECT_ANY_DICTIONARY' Is Revoked from Unauthorized 'GRANTEE' (Scored) | o | o
4.3.2 Ensure 'SELECT ANY TABLE' Is Revoked from Unauthorized 'GRANTEE' (Scored) | o | o
4.3.3 Ensure 'AUDIT SYSTEM' Is Revoked from Unauthorized 'GRANTEE' (Scored) | o | o
4.3.4 Ensure 'EXEMPT ACCESS POLICY' Is Revoked from Unauthorized 'GRANTEE' (Scored) | o | o
4.3.5 Ensure 'BECOME USER' Is Revoked from Unauthorized 'GRANTEE' (Scored) | o | o
4.3.6 Ensure 'CREATE_PROCEDURE' Is Revoked from Unauthorized 'GRANTEE' (Scored) | o | o
4.3.7 Ensure 'ALTER SYSTEM' Is Revoked from Unauthorized 'GRANTEE' (Scored) | o | o
4.3.8 Ensure 'CREATE ANY LIBRARY' Is Revoked from Unauthorized 'GRANTEE' (Scored) | o | o
4.3.9 Ensure 'CREATE LIBRARY' Is Revoked from Unauthorized 'GRANTEE' (Scored) | o | o
4.3.10 Ensure 'GRANT ANY OBJECT PRIVILEGE' Is Revoked from Unauthorized 'GRANTEE' (Scored) | o | o
4.3.11 Ensure 'GRANT ANY ROLE' Is Revoked from Unauthorized 'GRANTEE' (Scored) | o | o
4.3.12 Ensure 'GRANT ANY PRIVILEGE' Is Revoked from Unauthorized 'GRANTEE' (Scored) | o | o
4.4 Revoke Role Privileges
4.4.1 Ensure 'DELETE_CATALOG_ROLE' Is Revoked from Unauthorized 'GRANTEE' (Scored) | o | o
4.4.2 Ensure 'SELECT_CATALOG_ROLE' Is Revoked from Unauthorized 'GRANTEE' (Scored) | o | o
4.4.3 Ensure 'EXECUTE_CATALOG_ROLE' Is Revoked from Unauthorized 'GRANTEE' (Scored) | o | o
4.4.4 Ensure 'DBA' Is Revoked from Unauthorized 'GRANTEE' (Scored) | o | o
4.5 Revoke Excessive Table and View Privileges
4.5.1 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'AUD$' (Scored) | o | o
4.5.2 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'USER_HISTORY$' (Scored) | o | o
4.5.3 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'LINK$' (Scored) | o | o
4.5.4 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'SYS.USER$' (Scored) | o | o
4.5.5 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'DBA_%' (Scored) | o | o
4.5.6 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'SYS.SCHEDULER$_CREDENTIAL' (Scored) | o | o
4.5.7 Ensure 'SYS.USER$MIG' Has Been Dropped (Scored) | o | o
4.6 Ensure '%ANY%' Is Revoked from Unauthorized 'GRANTEE' (Scored) | o | o
4.7 Ensure 'DBA_SYS_PRIVS.%' Is Revoked from Unauthorized 'GRANTEE' with 'ADMIN_OPTION' Set to 'YES' (Scored) | o | o
4.8 Ensure Proxy Users Have Only 'CONNECT' Privilege (Scored) | o | o
4.9 Ensure 'EXECUTE ANY PROCEDURE' Is Revoked from 'OUTLN' (Scored) | o | o
4.10 Ensure 'EXECUTE ANY PROCEDURE' Is Revoked from 'DBSNMP' (Scored) | o | o
5 Audit/Logging Policies and Procedures
5.1 Enable 'USER' Audit Option (Scored) | o | o
5.2 Enable 'ALTER USER' Audit Option (Scored) | o | o
5.3 Enable 'DROP USER' Audit Option (Scored) | o | o
5.4 Enable 'ROLE' Audit Option (Scored) | o | o
5.5 Enable 'SYSTEM GRANT' Audit Option (Scored) | o | o
5.6 Enable 'PROFILE' Audit Option (Scored) | o | o
5.7 Enable 'ALTER PROFILE' Audit Option (Scored) | o | o
5.8 Enable 'DROP PROFILE' Audit Option (Scored) | o | o
5.9 Enable 'DATABASE LINK' Audit Option (Scored) | o | o
5.10 Enable 'PUBLIC DATABASE LINK' Audit Option (Scored) | o | o
5.11 Enable 'PUBLIC SYNONYM' Audit Option (Scored) | o | o
5.12 Enable 'SYNONYM' Audit Option (Scored) | o | o
5.13 Enable 'GRANT DIRECTORY' Audit Option (Scored) | o | o
5.14 Enable 'SELECT ANY DICTIONARY' Audit Option (Scored) | o | o
5.15 Enable 'GRANT ANY OBJECT PRIVILEGE' Audit Option (Scored) | o | o
5.16 Enable 'GRANT ANY PRIVILEGE' Audit Option (Scored) | o | o
5.17 Enable 'DROP ANY PROCEDURE' Audit Option (Scored) | o | o
5.18 Enable 'ALL' Audit Option on 'SYS.AUD$' (Scored) | o | o
5.19 Enable 'PROCEDURE' Audit Option (Scored) | o | o
5.20 Enable 'ALTER SYSTEM' Audit Option (Scored) | o | o
5.21 Enable 'TRIGGER' Audit Option (Scored) | o | o
5.22 Enable 'CREATE SESSION' Audit Option (Scored) | o | o
6 Appendix: Establishing an Audit/Scan User
Appendix: Change History
Date | Version | Changes for this version
02-27-2015 | 2.0.0 | Initial release.
09-08-2015 | 2.1.0 | Ticket #179: Corrected 4.1.9 to apply to DBMS_RANDOM
09-08-2015 | 2.1.0 | Ticket #219: Replaced "REPACT" with "REPCAT"
09-29-2015 | 2.1.0 | Ticket #218: Updated remediation procedure in 4.8
09-29-2015 | 2.1.0 | Ticket #177: Updated audit SQL to use REGEXP_LIKE
09-29-2015 | 2.1.0 | Ticket #202: Included "RESOURCE" as valid result for audit.
09-29-2015 | 2.1.0 | Ticket #206: Updated recommendation to set 'SQL92_SECURITY' to 'TRUE'
10-06-2015 | 2.1.0 | Ticket #224: Updated description and rationale for 2.2.17
10-19-2015 | 2.1.0 | Ticket #230: Added DBA role to list of authorized grantees
10-19-2015 | 2.1.0 | Ticket #228: Fixed typos in remediation
10-19-2015 | 2.1.0 | Ticket #239: Added OLAP_DBA, OLAPSYS to audit
10-19-2015 | 2.1.0 | Ticket #238: Added APEX to list of authorized grantees
10-19-2015 | 2.1.0 | Ticket #237: Added OUTLN to list of authorized grantees
10-19-2015 | 2.1.0 | Ticket #229: Updated remediation procedure to include use of utlpwdmg.sql
10-19-2015 | 2.1.0 | Ticket #234: Added SYSMAN to list of authorized grantees
10-19-2015 | 2.1.0 | Ticket #233: Added SPATIAL_CSW_ADMIN_USR, XDB, EXFSYS, MDSYS, SPATIAL_WFS_ADMIN_USR to list of authorized grantees
10-19-2015 | 2.1.0 | Ticket #232: Added IMP_FULL_DATABASE role to authorized grantee list
10-19-2015 | 2.1.0 | Ticket #235: Added ORACLE_OCM to list of authorized grantees
11-19-2015 | 2.1.0 | Ticket #236: Fixed typo in audit
5-12-2016 | 2.2.0 | Ticket #271 audit_trail settings - Added 'DB' and 'XML' as allowable settings.
5-12-2016 | 2.2.0 | Ticket #274 2.2.2 Ensure 'AUDIT_TRAIL' - correct references links
5-12-2016 | 2.2.0 | #272 Added check for supported version Oracle Database