Hardening Document

ORACLE

DOCUMENT RELEASE NOTICE

This Oracle Database Hardening Document Control Procedure.

Approved By: Santanu Roy

Authorized By: Ashish Faujdar

1|Page
Table of Contents
1 Oracle Database Installation and Patching Requirements ............................................................. 6
1.1 Ensure the Appropriate Version/Patches for Oracle Software Is Installed......................... 7
2 Oracle Parameter Settings .............................................................................................................. 7
2.1 Listener Settings ...................................................................................................................... 7
2.1.1 Ensure 'extproc' Is Not Present in 'listener.ora'.............................................................. 7
2.1.2 Ensure 'ADMIN_RESTRICTIONS_' Is Set to 'ON' .............................................................. 8
2.2 Database Settings ................................................................................................................... 8
2.2.1 Ensure 'AUDIT_SYS_OPERATIONS' Is Set to 'TRUE' ......................................................... 8
2.2.2 Ensure 'AUDIT_TRAIL' Is Set to 'DB', 'XML', 'OS', 'DB,EXTENDED', or 'XML,EXTENDED' . 9
2.2.3 Ensure 'GLOBAL_NAMES' Is Set to 'TRUE'..................................................................... 10
2.2.4 Ensure 'OS_ROLES' Is Set to 'FALSE' .............................................................................. 10
2.2.5 Ensure 'REMOTE_LISTENER' Is Empty ........................................................................... 11
2.2.6 Ensure 'REMOTE_LOGIN_PASSWORDFILE' Is Set to 'NONE' ......................................... 11
2.2.7 Ensure 'REMOTE_OS_AUTHENT' Is Set to 'FALSE' ........................................................ 12
2.2.8 Ensure 'REMOTE_OS_ROLES' Is Set to 'FALSE' .............................................................. 12
2.2.9 Ensure 'SEC_CASE_SENSITIVE_LOGON' Is Set to 'TRUE' ............................................... 13
2.2.10 Ensure 'SEC_MAX_FAILED_LOGIN_ATTEMPTS' Is '3' or Less ........................................ 13
2.2.11 Ensure 'SEC_PROTOCOL_ERROR_FURTHER_ACTION' Is Set to '(DROP,3)' ................... 14
2.2.12 Ensure 'SEC_PROTOCOL_ERROR_TRACE_ACTION' Is Set to 'LOG'................................ 14
2.2.13 Ensure 'SEC_RETURN_SERVER_RELEASE_BANNER' Is Set to 'FALSE' ............................ 15
2.2.14 Ensure 'SQL92_SECURITY' Is Set to 'TRUE' .................................................................... 15
2.2.15 Ensure '_trace_files_public' Is Set to 'FALSE' ................................................................ 16
2.2.16 Ensure 'RESOURCE_LIMIT' Is Set to 'TRUE' ................................................................... 16
2.2.17 Ensure 'PDB_OS_CREDENTIAL' is NOT null ................................................................... 17
2.3 SQLNET.ORA Settings ............................................................................................................ 17
2.3.1 Ensure 'ENCRYPTION_SERVER' Is Set to 'REQUIRED' .................................................... 17
2.3.2 Ensure 'SQLNET.CRYPTO_CHECKSUM_SERVER' Is Set to 'REQUIRED' .......................... 18
3 Oracle Connection and Login Restrictions .................................................................................... 18
3.1 Ensure 'FAILED_LOGIN_ATTEMPTS' Is Less than or Equal to '5' ....................................... 18
3.2 Ensure 'PASSWORD_LOCK_TIME' Is Greater than or Equal to '1' ..................................... 19
3.3 Ensure 'PASSWORD_LIFE_TIME' Is Less than or Equal to '90' .......................................... 19
3.4 Ensure 'PASSWORD_REUSE_MAX' Is Greater than or Equal to '20' ................................. 20
3.5 Ensure 'PASSWORD_REUSE_TIME' Is Greater than or Equal to '365' ............................... 20
3.6 Ensure 'PASSWORD_GRACE_TIME' Is Less than or Equal to '5' ........................................ 21
3.7 Ensure 'PASSWORD_VERIFY_FUNCTION' Is Set for All Profiles ........................................ 21

2|Page
 3.8 Ensure 'SESSIONS_PER_USER' Is Less than or Equal to '10' .............................................. 22
3.9 Ensure 'INACTIVE_ACCOUNT_TIME' Is Less than or Equal to '120' .................................. 22
4 Users ............................................................................................................................................. 23
4.1 Ensure All Default Passwords Are Changed ...................................................................... 23
4.2 Ensure All Sample Data And Users Have Been Removed ................................................. 24
4.3 Ensure 'DBA_USERS.AUTHENTICATION_TYPE' Is Not Set to 'EXTERNAL' for Any User .... 24
4.4 Ensure No Users Are Assigned the 'DEFAULT' Profile ....................................................... 25
4.5 Ensure 'SYS.USER$MIG' Has Been Dropped...................................................................... 25
4.6 Ensure No Public Database Links Exist .............................................................................. 26
5 Privileges & Grants & ACLs............................................................................................................ 26
5.1 Excessive Table, View and Package Privileges ...................................................................... 26
5.1.1 Public Privileges ................................................................................................................ 26
5.1.1.1 Ensure 'EXECUTE' is revoked from 'PUBLIC' on "Network" Packages ........................... 26
5.1.1.2 Ensure 'EXECUTE' is revoked from 'PUBLIC' on "File System" Packages ....................... 27
5.1.1.3 Ensure 'EXECUTE' is revoked from 'PUBLIC' on "Encryption" Packages ....................... 28
5.1.1.4 Ensure 'EXECUTE' is revoked from 'PUBLIC' on "Java" Packages .................................. 28
5.1.1.5 Ensure 'EXECUTE' is revoked from 'PUBLIC' on "Job Scheduler" Packages .................. 29
5.1.1.6 Ensure 'EXECUTE' is revoked from 'PUBLIC' on "SQL Injection Helper" Packages ........ 29
5.1.1.7 Ensure 'EXECUTE' is revoked from 'PUBLIC' on "DBMS_CREDENTIAL" Package .......... 30
5.1.2 Non-Default Privileges ...................................................................................................... 31
5.1.2.1 Ensure 'EXECUTE' is not granted to 'PUBLIC' on "Non default" Packages .................... 31
5.1.3 Other Privileges ................................................................................................................. 31
5.1.3.1 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'AUD$' .............................. 31
5.1.3.2 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'DBA_%' ........................... 32
5.1.3.3 Ensure 'ALL' Is Revoked on 'Sensitive' Tables ............................................................... 32
5.2 Excessive System Privileges .................................................................................................. 33
5.2.1 Ensure '%ANY%' Is Revoked from Unauthorized 'GRANTEE' ........................................ 33
5.2.2 Ensure 'DBA_SYS_PRIVS.%' Is Revoked from Unauthorized 'GRANTEE' with
'ADMIN_OPTION' Set to 'YES' ....................................................................................................... 34
5.2.3 Ensure 'EXECUTE ANY PROCEDURE' Is Revoked from 'OUTLN' .................................... 34
5.2.4 Ensure 'EXECUTE ANY PROCEDURE' Is Revoked from 'DBSNMP' ................................. 35
5.2.5 Ensure 'SELECT ANY DICTIONARY' Is Revoked from Unauthorized 'GRANTEE' ............ 35
5.2.6 Ensure 'SELECT ANY TABLE' Is Revoked from Unauthorized 'GRANTEE' ...................... 36
5.2.7 Ensure 'AUDIT SYSTEM' Is Revoked from Unauthorized 'GRANTEE'............................. 36
5.2.8 Ensure 'EXEMPT ACCESS POLICY' Is Revoked from Unauthorized 'GRANTEE' .............. 37
5.2.9 Ensure 'BECOME USER' Is Revoked from Unauthorized 'GRANTEE' ............................. 37

3|Page
 5.2.10 Ensure 'CREATE PROCEDURE' Is Revoked from Unauthorized 'GRANTEE' ................... 38
5.2.11 Ensure 'ALTER SYSTEM' Is Revoked from Unauthorized 'GRANTEE' ............................. 38
5.2.12 Ensure 'CREATE ANY LIBRARY' Is Revoked from Unauthorized 'GRANTEE' .................. 39
5.2.13 Ensure 'CREATE LIBRARY' Is Revoked from Unauthorized 'GRANTEE' .......................... 39
5.2.14 Ensure 'GRANT ANY OBJECT PRIVILEGE' Is Revoked from Unauthorized 'GRANTEE' ... 40
5.2.15 Ensure 'GRANT ANY ROLE' Is Revoked from Unauthorized 'GRANTEE' ........................ 40
5.2.16 Ensure 'GRANT ANY PRIVILEGE' Is Revoked from Unauthorized 'GRANTEE' ................ 41
5.3 Excessive Role Privileges ....................................................................................................... 41
5.3.1 Ensure 'SELECT_CATALOG_ROLE' Is Revoked from Unauthorized 'GRANTEE' ............. 41
5.3.2 Ensure 'EXECUTE_CATALOG_ROLE' Is Revoked from Unauthorized 'GRANTEE' .......... 42
5.3.3 Ensure 'DBA' Is Revoked from Unauthorized 'GRANTEE' .............................................. 42
5.3.4 Ensure AUDIT_ADMIN' Is Revoked from Unauthorized 'GRANTEE'.............................. 43
6 Audit/Logging Policies and Procedures ........................................................................................ 43
6.1 Traditional Auditing .............................................................................................................. 43
6.1.1 Ensure the 'USER' Audit Option Is Enabled ................................................................... 43
6.1.2 Ensure the 'ROLE' Audit Option Is Enabled ................................................................... 44
6.1.3 Ensure the 'SYSTEM GRANT' Audit Option Is Enabled .................................................. 44
6.1.4 Ensure the 'PROFILE' Audit Option Is Enabled .............................................................. 45
6.1.5 Ensure the 'DATABASE LINK' Audit Option Is Enabled .................................................. 45
6.1.6 Ensure the 'PUBLIC DATABASE LINK' Audit Option Is Enabled ..................................... 46
6.1.7 Ensure the 'PUBLIC SYNONYM' Audit Option Is Enabled .............................................. 46
6.1.8 Ensure the 'SYNONYM' Audit Option Is Enabled .......................................................... 47
6.1.9 Ensure the 'DIRECTORY' Audit Option Is Enabled ......................................................... 47
6.1.10 Ensure the 'SELECT ANY DICTIONARY' Audit Option Is Enabled ................................... 48
6.1.11 Ensure the 'GRANT ANY OBJECT PRIVILEGE' Audit Option Is Enabled .......................... 48
6.1.12 Ensure the 'GRANT ANY PRIVILEGE' Audit Option Is Enabled ....................................... 49
6.1.13 Ensure the 'DROP ANY PROCEDURE' Audit Option Is Enabled ..................................... 49
6.1.14 Ensure the 'ALL' Audit Option on 'SYS.AUD$' Is Enabled .............................................. 50
6.1.15 Ensure the 'PROCEDURE' Audit Option Is Enabled ....................................................... 50
6.1.16 Ensure the 'ALTER SYSTEM' Audit Option Is Enabled.................................................... 51
6.1.17 Ensure the 'TRIGGER' Audit Option Is Enabled ............................................................. 51
6.1.18 Ensure the 'CREATE SESSION' Audit Option Is Enabled ................................................ 52
6.2 Unified Auditing .................................................................................................................... 52
6.2.1 Ensure the 'CREATE USER' Action Audit Is Enabled ...................................................... 52
6.2.2 Ensure the 'ALTER USER' Action Audit Is Enabled ......................................................... 53
6.2.3 Ensure the 'DROP USER' Audit Option Is Enabled......................................................... 53

4|Page
 6.2.4 Ensure the 'CREATE ROLE' Action Audit Is Enabled ...................................................... 54
6.2.5 Ensure the 'ALTER ROLE' Action Audit Is Enabled ......................................................... 54
6.2.6 Ensure the 'DROP ROLE' Action Audit Is Enabled ......................................................... 55
6.2.7 Ensure the 'GRANT' Action Audit Is Enabled................................................................. 56
6.2.8 Ensure the 'REVOKE' Action Audit Is Enabled ............................................................... 56
6.2.9 Ensure the 'CREATE PROFILE' Action Audit Is Enabled ................................................. 57
6.2.10 Ensure the 'ALTER PROFILE' Action Audit Is Enabled .................................................... 57
6.2.11 Ensure the 'DROP PROFILE' Action Audit Is Enabled..................................................... 58
6.2.12 Ensure the 'CREATE DATABASE LINK' Action Audit Is Enabled ..................................... 58
6.2.13 Ensure the 'ALTER DATABASE LINK' Action Audit Is Enabled ........................................ 59
6.2.14 Ensure the 'DROP DATABASE LINK' Action Audit Is Enabled ........................................ 60
6.2.15 Ensure the 'CREATE SYNONYM' Action Audit Is Enabled .............................................. 60
6.2.16 Ensure the 'ALTER SYNONYM' Action Audit Is Enabled ................................................ 61
6.2.17 Ensure the 'DROP SYNONYM' Action Audit Is Enabled ................................................. 61
6.2.18 Ensure the 'SELECT ANY DICTIONARY' Privilege Audit Is Enabled ................................ 62
6.2.19 Ensure the 'AUDSYS.AUD$UNIFIED' Access Audit Is Enabled ....................................... 62
6.2.20 Ensure the 'CREATE PROCEDURE/ FUNCTION/ PACKAGE/ PACKAGE BODY' Action
Audit Is Enabled ............................................................................................................................ 63
6.2.21 Ensure the 'ALTER PROCEDURE/ FUNCTION/ PACKAGE/ PACKAGE BODY' Action Audit
Is Enabled ...................................................................................................................................... 64
6.2.22 Ensure the 'DROP PROCEDURE/ FUNCTION/ PACKAGE/ PACKAGE BODY' Action Audit
Is Enabled ...................................................................................................................................... 64
6.2.23 Ensure the 'ALTER SYSTEM' Action Audit Is Enabled .................................................... 65
6.2.24 Ensure the 'CREATE TRIGGER' Action Audit Is Enabled ................................................ 66
6.2.25 Ensure the 'ALTER TRIGGER' Action Audit Is Enabled ................................................... 66
6.2.26 Ensure the 'DROP TRIGGER' Action Audit Is Enabled.................................................... 67
6.2.27 Ensure the 'LOGON' AND 'LOGOFF' Actions Audit Is Enabled ...................................... 67
7 Exceptions: .................................................................................................................................... 68

5|Page
 Note
Hardening configurations recommended in this document are to be considered as
mandatory, based the applicability of the underlying services, and should be configured as
per organization’s security policy. All the configurations should be first tested in lower
environment before directly deploying on production systems. Any exceptions to this can be
documented in the exception section with relevant approvals.

6|Page
1 Oracle Database Installation and Patching Requirements
1.1 Ensure the Appropriate Version/Patches for Oracle Software Is
Installed

Applicable Versions:
- Oracle_Database_11g_R2
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
The Oracle installation version and patches should be the most recent that are compatible
with the organization's operational needs. Ensure you are using a release that is covered by a
level of support that includes the generation of Critical Patch Updates.

Implementation:
To assess this recommendation, on Linux systems:
opatch lsinventory | grep -e "^.*<latest_patch_version_numer>\s*.*$"
On Windows systems:
opatch lsinventory | find "<latest_patch_version_number>"
Perform the following step for remediation:
Download and apply the latest quarterly Critical Patch Update patches.

2 Oracle Parameter Settings

2.1 Listener Settings
2.1.1 Ensure 'extproc' Is Not Present in 'listener.ora'

Applicable Versions:
- Oracle_Database_11g_R2
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

7|Page
Description:
extproc should be removed from the listener.ora to mitigate the risk that OS libraries can be
invoked by the Oracle instance. extproc allows the database to run procedures from OS
libraries. These library call scan, in turn, run any OS command.

Implementation:
To assess this recommendation on Linux environment:
grep -i extproc $ORACLE_HOME/network/admin/listener.ora
Windows environment:
find /I "extproc" %ORACLE_HOME%\network\admin\listener.ora
To remediate this recommendation:
Remove extproc from the listener.ora file.

2.1.2 Ensure 'ADMIN_RESTRICTIONS_' Is Set to 'ON'

Applicable Versions:
- Oracle_Database_11g_R2
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
The admin_restrictions_<listener_name> setting in the listener.ora file can require that any
attempted real-time alteration of the parameters in the listener via the set command file be
refused unless the listener.ora file is manually altered, then restarted by a privileged user.

Implementation:
Use a text editor such as vi to set the admin_restrictions_<listener_name> to the value ON.

2.2 Database Settings

2.2.1 Ensure 'AUDIT_SYS_OPERATIONS' Is Set to 'TRUE'

Applicable Versions:
- Oracle_Database_11g_R2
- Oracle_Database_12c

8|Page
 - Oracle_Database_18c
- Oracle_Database_19c

Description:
The AUDIT_SYS_OPERATIONS setting provides for the auditing of all user activities conducted
under the SYSOPER and SYSDBA accounts. The setting should be set to TRUE to enable this
auditing. If the parameter AUDIT_SYS_OPERATIONS is FALSE, all statements except for
Startup/Shutdown and Logon by SYSDBA/SYSOPER users are not audited.

Implementation:
Execute the following SQL statement and restart the instance.
ALTER SYSTEM SET AUDIT_SYS_OPERATIONS = TRUE SCOPE=SPFILE;

2.2.2 Ensure 'AUDIT_TRAIL' Is Set to 'DB', 'XML', 'OS', 'DB,EXTENDED',

or 'XML,EXTENDED'

Applicable Versions:
- Oracle_Database_11g_R2
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
The audit_trail setting determines whether or not Oracle's basic audit features areenabled. It
can be set to "Operating System"(OS); DB; DB,EXTENDED; XML; or XML,EXTENDED. The value
should be set according to the needs of the organization.

Implementation:
Execute one of the following SQL statements and restart the instance.
ALTER SYSTEM SET AUDIT_TRAIL = DB, EXTENDED SCOPE = SPFILE;
ALTER SYSTEM SET AUDIT_TRAIL = OS SCOPE = SPFILE;
ALTER SYSTEM SET AUDIT_TRAIL = XML, EXTENDED SCOPE = SPFILE;
ALTER SYSTEM SET AUDIT_TRAIL = DB SCOPE = SPFILE;
ALTER SYSTEM SET AUDIT_TRAIL = XML SCOPE = SPFILE;

9|Page
2.2.3 Ensure 'GLOBAL_NAMES' Is Set to 'TRUE'

Applicable Versions:
- Oracle_Database_11g_R2
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
The global_names setting requires that the name of a database link matches that of the
remote database it will connect to. This setting should have a value of TRUE. Not requiring
database connections to match the domain that is being called remotely could allow
unauthorized domain sources to potentially connect via brute-force tactics.

Implementation:
Execute the following SQL statement.
ALTER SYSTEM SET GLOBAL_NAMES = TRUE SCOPE = SPFILE;

2.2.4 Ensure 'OS_ROLES' Is Set to 'FALSE'

Applicable Versions:
- Oracle_Database_11g_R2
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
The os_roles setting permits externally created groups to be applied to database
management. Allowing the OS to use external groups for database management could cause
privilege overlaps and generally weaken security.

Implementation:
Execute the following SQL statement.
ALTER SYSTEM SET OS_ROLES = FALSE SCOPE = SPFILE;

10 | P a g e
2.2.5 Ensure 'REMOTE_LISTENER' Is Empty

Applicable Versions:
- Oracle_Database_11g_R2
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
The remote_listener setting determines whether or not a valid listener can be established on
a system separate from the database instance. This setting should be empty unless the
organization specifically needs a valid listener on a separate system or on nodes running
Oracle RAC instances.

Implementation:
Execute the following SQL statement.
ALTER SYSTEM SET REMOTE_LISTENER = '' SCOPE = SPFILE;

2.2.6 Ensure 'REMOTE_LOGIN_PASSWORDFILE' Is Set to 'NONE'

Applicable Versions:
- Oracle_Database_11g_R2
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
The remote_login_passwordfile setting specifies whether or not Oracle checks for a password
file during login and how many databases can use the password file. The setting should have
a value of NONE or in the event you are running DR/Data Guard, EXCLUSIVE is an allowable
value. The use of this sort of password login file could permit unsecured, privileged
connections to the database.

Implementation:
Execute the following SQL statement.
ALTER SYSTEM SET REMOTE_LOGIN_PASSWORDFILE = 'NONE' SCOPE = SPFILE;

11 | P a g e
2.2.7 Ensure 'REMOTE_OS_AUTHENT' Is Set to 'FALSE'

Applicable Versions:
- Oracle_Database_11g_R2
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
The remote_os_authent setting determines whether or not OS 'roles' with the attendant
privileges are allowed for remote client connections. This setting should have a value of
FALSE.

Implementation:
Execute the following SQL statement.
ALTER SYSTEM SET REMOTE_OS_AUTHENT = FALSE SCOPE = SPFILE;

2.2.8 Ensure 'REMOTE_OS_ROLES' Is Set to 'FALSE'

Applicable Versions:
- Oracle_Database_11g_R2
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
The remote_os_roles setting permits remote users' OS roles to be applied to database
management. This setting should have a value of FALSE. Allowing remote clients OS roles to
have permissions for database management could cause privilege overlaps and generally
weaken security.

Implementation:
Execute the following SQL statement.
ALTER SYSTEM SET REMOTE_OS_ROLES = FALSE SCOPE = SPFILE;

12 | P a g e
2.2.9 Ensure 'SEC_CASE_SENSITIVE_LOGON' Is Set to 'TRUE'

Applicable Versions:
- Oracle_Database_11g_R2
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
The SEC_CASE_SENSITIVE_LOGON information determines whether or not case-sensitivity is
required for passwords during login. Oracle database password case-sensitivity increases the
pool of characters that can be chosen for the passwords, making brute-force password attacks
quite difficult.

Implementation:
Execute the following SQL statement.
ALTER SYSTEM SET SEC_CASE_SENSITIVE_LOGON = TRUE SCOPE = SPFILE;

2.2.10 Ensure 'SEC_MAX_FAILED_LOGIN_ATTEMPTS' Is '3' or

Less

Applicable Versions:
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
The SEC_MAX_FAILED_LOGIN_ATTEMPTS parameter determines how many failed login
attempts are allowed before Oracle closes the login connection. Allowing an unlimited
number of login attempts for a user connection can facilitate both brute-force login attacks
and the occurrence of denial-of-service.

Implementation:
Execute the following SQL statement.
ALTER SYSTEM SET SEC_MAX_FAILED_LOGIN_ATTEMPTS = 3 SCOPE = SPFILE;

13 | P a g e
2.2.11 Ensure 'SEC_PROTOCOL_ERROR_FURTHER_ACTION' Is Set
to '(DROP,3)'

Applicable Versions:
- Oracle_Database_11g_R2
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
The SEC_PROTOCOL_ERROR_FURTHER_ACTION setting determines the Oracle server's
response to bad/malformed packets received from the client. This setting should have a
value of (DROP,3) or (DROP, 3), which will cause a connection to be dropped after three
bad/malformed packets.

Implementation:
Execute the following SQL statement.
ALTER SYSTEM SET SEC_PROTOCOL_ERROR_FURTHER_ACTION = '(DROP,3)' SCOPE = SPFILE;

2.2.12 Ensure 'SEC_PROTOCOL_ERROR_TRACE_ACTION' Is Set to

'LOG'

Applicable Versions:
- Oracle_Database_11g_R2
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
The SEC_PROTOCOL_ERROR_TRACE_ACTION setting determines the Oracle's server's logging
response level to bad/malformed packets received from the client by generating ALERT, LOG,
or TRACE levels of detail in the log files. This setting should have a value of LOG unless the
organization has a compelling reason to use a different value because LOG should cause the
necessary information to be logged.

Implementation:
Execute the following SQL statement.

14 | P a g e
ALTER SYSTEM SET SEC_PROTOCOL_ERROR_TRACE_ACTION=LOG SCOPE = SPFILE;

2.2.13 Ensure 'SEC_RETURN_SERVER_RELEASE_BANNER' Is Set

to 'FALSE'

Applicable Versions:
- Oracle_Database_11g_R2
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
The information about patch/update release number provides information about the exact
patch/update release that is currently running on the database. This is sensitive information
that should not be revealed to anyone who requests it.

Implementation:
Execute the following SQL statement.
ALTER SYSTEM SET SEC_RETURN_SERVER_RELEASE_BANNER = FALSE SCOPE = SPFILE;

2.2.14 Ensure 'SQL92_SECURITY' Is Set to 'TRUE'

Applicable Versions:
- Oracle_Database_11g_R2
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
The SQL92_SECURITY parameter setting TRUE requires that a user must also be granted the
SELECT object privilege before being able to perform UPDATE or DELETE operations on tables
that have WHERE or SET clauses. The setting should have a value of TRUE.

Implementation:
Execute the following SQL statement.
ALTER SYSTEM SET SQL92_SECURITY = TRUE SCOPE = SPFILE;

15 | P a g e
2.2.15 Ensure '_trace_files_public' Is Set to 'FALSE'

Applicable Versions:
- Oracle_Database_11g_R2
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
The _trace_files_public setting determines whether or not the system's trace file is world
readable. This setting should have a value of FALSE to restrict trace file access. Making the file
world readable means anyone can read the instance's trace file, which could contain sensitive
information about instance operations.

Implementation:
Execute the following SQL statement.

ALTER SYSTEM SET "_trace_files_public" = FALSE SCOPE = SPFILE;

2.2.16 Ensure 'RESOURCE_LIMIT' Is Set to 'TRUE'

Applicable Versions:
- Oracle_Database_11g_R2
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
RESOURCE_LIMIT determines whether resource limits are enforced in database profiles. This
setting should have a value of TRUE.

Implementation:
Execute the following SQL statement.
ALTER SYSTEM SET RESOURCE_LIMIT = TRUE SCOPE = SPFILE;

16 | P a g e
2.2.17 Ensure 'PDB_OS_CREDENTIAL' is NOT null

Applicable Versions:
- Oracle_Database_19c

Description:
The pdb_os_credential setting determines what OS user will be utilized to run jobs at the OS
level from within the Oracle database. Permitting a job to run at the OS level with default
credential, Oracle OS user, can allow for excessive privileges that a job should not have.

Implementation:
Using the DBMS_CREDENTIAL package, ensure credentials are set for stand alone, container
and pluggable databases.

2.3 SQLNET.ORA Settings

2.3.1 Ensure 'ENCRYPTION_SERVER' Is Set to 'REQUIRED'

Applicable Versions:
- Oracle_Database_19c

Description:
The setting sqlnet.encryption_server=required requires that the connections to the database
are encrypted through Oracle SQL*Net native encryption. The encryption setting implements
data-in-transit encryption for the Oracle database connections. This setting is configured in
the sqlnet.ora file on the database server.

Implementation:
Use a text editor such as vi to set the sqlnet.
encryption_server = required
Note: The setting sqlnet.encryption_server=required could reject/deny connection requests
from those database users who don’t support the Oracle native network encryption.

17 | P a g e
 2.3.2 Ensure 'SQLNET.CRYPTO_CHECKSUM_SERVER' Is Set to
'REQUIRED'

Applicable Versions:
- Oracle_Database_19c

Description:
The setting sqlnet.crypto_checksum_server=required requires that the connections to the
database are encrypted through Oracle SQL*Net native encryption. The encryption setting
implements data-in-transit encryption for the Oracle database connections. This setting is
configured in the sqlnet.ora file on the database server.

Implementation:
Use a text editor such as vi to set:
sqlnet.crypto_checksum_server = required
Note: The setting sqlnet.encryption_server=required could reject/deny connection requests
from those database users who don’t support the Oracle native network encryption.

3 Oracle Connection and Login Restrictions

3.1 Ensure 'FAILED_LOGIN_ATTEMPTS' Is Less than or Equal to '5'

Applicable Versions:
- Oracle_Database_11g_R2
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
The FAILED_LOGIN_ATTEMPTS setting determines how many failed login attempts are
permitted before the system locks the user's account. While different profiles can have
different and more restrictive settings, such as USERS and APPS, the minimum(s)
recommended here should be set on the DEFAULT profile.

Implementation:
Execute the following SQL statement for each PROFILE returned by the audit procedure.
ALTER PROFILE <profile_name> LIMIT FAILED_LOGIN_ATTEMPTS 5;

18 | P a g e
Note: This setting can be exploited to craft a DDoS attack by using the row-locking delay
between failed login attempts (see Oracle Bug 7715339 – Logon failures causes “row cache
lock” waits – Allow disable of logon delay [ID 7715339.8], so the configuration of this setting
depends on using the bug workaround like patch 7715339 or anything else that the
organisation implements).
Repeated failed login attempts can indicate the initiation of a brute-force login attack, this
value should be set according to the needs of the organization.

3.2 Ensure 'PASSWORD_LOCK_TIME' Is Greater than or Equal to '1'

Applicable Versions:
- Oracle_Database_11g_R2
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
The PASSWORD_LOCK_TIME setting determines how many days must pass for the user's
account to be unlocked after the set number of failed login attempts has occurred. The
suggested value for this is one day or greater.

Implementation:
Execute the following SQL statement for each PROFILE returned by the audit procedure.
ALTER PROFILE <profile_name> LIMIT PASSWORD_LOCK_TIME 1;

3.3 Ensure 'PASSWORD_LIFE_TIME' Is Less than or Equal to '90'

Applicable Versions:
- Oracle_Database_11g_R2
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
The PASSWORD_LIFE_TIME setting determines how long a password may be used before the
user is required to be change it. The suggested value for this is 90 days or less. Allowing

19 | P a g e
passwords to remain unchanged for long periods makes the success of brute-force login
attacks more likely.

Implementation:
Execute the following SQL statement for each PROFILE returned by the audit procedure.
ALTER PROFILE <profile_name> LIMIT PASSWORD_LIFE_TIME 90;

3.4 Ensure 'PASSWORD_REUSE_MAX' Is Greater than or Equal to

'20'

Applicable Versions:
- Oracle_Database_11g_R2
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
The PASSWORD_REUSE_MAX setting determines how many different passwords must be
used before the user is allowed to reuse a prior password. The suggested value for this is 20
passwords or greater.

Implementation:
Execute the following SQL statement for each PROFILE returned by the audit procedure.

ALTER PROFILE <profile_name> LIMIT PASSWORD_REUSE_MAX 20;

3.5 Ensure 'PASSWORD_REUSE_TIME' Is Greater than or Equal to

'365'

Applicable Versions:
- Oracle_Database_11g_R2
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
The PASSWORD_REUSE_TIME setting determines the amount of time in days that must pass
before the same password may be reused. The suggested value for this is 365 days or greater.

20 | P a g e
Implementation:
Execute the following SQL statement for each PROFILE returned by the audit procedure.
ALTER PROFILE <profile_name> LIMIT PASSWORD_REUSE_TIME 365;

3.6 Ensure 'PASSWORD_GRACE_TIME' Is Less than or Equal to '5'

Applicable Versions:
- Oracle_Database_11g_R2
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
The PASSWORD_GRACE_TIME setting determines how many days can pass after the user's
password expires before the user's login capability is automatically locked out. The
suggested value for this is five days or less.

Implementation:
Execute the following SQL statement for each PROFILE returned by the audit procedure.
ALTER PROFILE <profile_name> LIMIT PASSWORD_GRACE_TIME 5;

3.7 Ensure 'PASSWORD_VERIFY_FUNCTION' Is Set for All Profiles

Applicable Versions:
- Oracle_Database_11g_R2
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
The PASSWORD_VERIFY_FUNCTION determines password settings requirements when a user
password is changed at the SQL command prompt. It should be set for all profiles. Note that
this setting does not apply for users managed by the Oracle password file.

Implementation:
Create a custom password verification function which fulfils the password requirements of
the organization.

21 | P a g e
 3.8 Ensure 'SESSIONS_PER_USER' Is Less than or Equal to '10'

Applicable Versions:
- Oracle_Database_11g_R2
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
The SESSIONS_PER_USER setting determines the maximum number of user sessions that are
allowed to be open concurrently. The suggested value for this is 10 or less. Limiting the
number of the SESSIONS_PER_USER can help prevent memory resource exhaustion by poorly
formed requests or intentional denial-of-service attacks.

Implementation:
Execute the following SQL statement for each PROFILE returned by the audit procedure.
ALTER PROFILE <profile_name> LIMIT SESSIONS_PER_USER 10;

3.9 Ensure 'INACTIVE_ACCOUNT_TIME' Is Less than or Equal to

'120'

Applicable Versions:
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
The INACTIVE_ACCOUNT_TIME setting determines the maximum number of days of
inactivity (no logins at all) after which the account will be locked. The suggested value for
this is 120 or less.

Implementation:
Execute the following SQL statement for each PROFILE returned by the audit procedure.
ALTER PROFILE <profile_name> LIMIT INACTIVE_ACCOUNT_TIME 120;

22 | P a g e
4 Users
4.1 Ensure All Default Passwords Are Changed

Applicable Versions:
- Oracle_Database_11g_R2
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
Default passwords should not be used by Oracle database users. Default passwords should
be considered "well known" to attackers. Consequently, if default passwords remain in place,
any attacker with access to the database can authenticate as the user with that default
password.

Implementation:
Execute the following SQL script to assign a randomly generated password to each account
using a default password:
begin
for r_user in (select username
from dba_users_with_defpwd
where username not like '%XS$NULL%')
loop
DBMS_OUTPUT.PUT_LINE('Password for user '||r_user.username||'
will be changed.');
execute immediate 'alter user "'||r_user.username||'"
identified by "'||
DBMS_RANDOM.string('a',16)||'"account lock password expire';
end loop;
end;

23 | P a g e
 4.2 Ensure All Sample Data And Users Have Been Removed

Applicable Versions:
- Oracle_Database_11g_R2
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
Oracle sample schemas can be used to create sample users (BI, HR, IX, OE,PM, SCOTT,
SH),with well-known default passwords, particular views, and procedures/functions, in
addition to tables and fictitious data. The sample schemas should be removed.

Implementation:
Execute the following SQL statement, keeping in mind if this is granted in both container and
pluggable database, you must connect to both places to run the drop script.
$ORACLE_HOME/demo/schema/drop_sch.sql
Then, execute the following SQL statement.
DROP USER SCOTT CASCADE;
Note: It is important that you first verify that BI, HR, IX, OE, PM, SCOTT, and/or SH are not
valid production usernames before executing the dropping SQL scripts.
If any of these users are present, it is important to be cautious and confirm the schemas
present are, in fact, Oracle sample schemas and not production schemas being relied upon
by business operations.

4.3 Ensure 'DBA_USERS.AUTHENTICATION_TYPE' Is Not Set to

'EXTERNAL' for Any User

Applicable Versions:
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
The authentication_type='EXTERNAL' setting determines whether or not a user can be
authenticated by a remote OS to allow access to the database with full authorization.

24 | P a g e
Implementation:
Execute the following SQL statement, keeping in mind if this is granted in both container
and pluggable database, you must connect to both places to revoke.
ALTER USER <username> IDENTIFIED BY <password>;

4.4 Ensure No Users Are Assigned the 'DEFAULT' Profile

Applicable Versions:
- Oracle_Database_11g_R2
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
Users should be created with function-appropriate profiles. The DEFAULT profile, being
defined by Oracle, is subject to change at any time (e.g. by patch or version update). The
DEFAULT profile has unlimited settings that are often required by the SYS user when patching;
such unlimited settings should be tightly reserved and not applied to unnecessary users.

Implementation:
Execute the following SQL statement for each user
ALTER USER <username> PROFILE <appropriate_profile>;

4.5 Ensure 'SYS.USER$MIG' Has Been Dropped

Applicable Versions:
- Oracle_Database_11g_R2
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
The table sys.user$mig is created during migration and contains the Oracle password hashes
before the migration starts. This table should be dropped.

25 | P a g e
Implementation:
Execute the following SQL statement
DROP TABLE SYS.USER$MIG;

4.6 Ensure No Public Database Links Exist

Applicable Versions:
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
Public Database links are used to allow connections between databases. Using public
database links in the database can allow anyone with a connection to the database to query,
update, insert, delete data on a remote database depending on the userid that is part of the
link.

Implementation:
Execute the following SQL statement
DROP PUBLIC DATABASE LINK <DB_LINK>;

5 Privileges & Grants & ACLs

5.1 Excessive Table, View and Package Privileges
5.1.1 Public Privileges
5.1.1.1 Ensure 'EXECUTE' is revoked from 'PUBLIC' on "Network"
Packages

Applicable Versions:
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
Oracle Database PL/SQL packages - DBMS_LDAP, UTL_INADDR, UTL_TCP, UTL_MAIL,
UTL_SMTP, UTL_DBWS, UTL_ORAMTS, UTL_HTTP and type HTTPURITYPE can be used by

26 | P a g e
unauthorized users to create specially crafted error messages or send information to external
servers. The PUBLIC should not be able to execute these packages.

Implementation:
Execute the following SQL statement,
REVOKE EXECUTE ON DBMS_LDAP FROM PUBLIC;
REVOKE EXECUTE ON UTL_INADDR FROM PUBLIC;
REVOKE EXECUTE ON UTL_TCP FROM PUBLIC;
REVOKE EXECUTE ON UTL_MAIL FROM PUBLIC;
REVOKE EXECUTE ON UTL_SMTP FROM PUBLIC;
REVOKE EXECUTE ON UTL_DBWS FROM PUBLIC;
REVOKE EXECUTE ON UTL_ORAMTS FROM PUBLIC;
REVOKE EXECUTE ON UTL_HTTP FROM PUBLIC;
REVOKE EXECUTE ON HTTPURITYPE FROM PUBLIC;

5.1.1.2 Ensure 'EXECUTE' is revoked from 'PUBLIC' on "File

System" Packages

Applicable Versions:
- Oracle_Database_11g_R2
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
Oracle Database PL/SQL "File System" packages - DBMS_ADVISOR, DBMS_LOB and UTL_FILE
– provide PL/SQL APIs to access files on the servers. The user PUBLIC should not be able to
execute these packages.

Implementation:
Execute the following SQL statement,
REVOKE EXECUTE ON DBMS_ADVISOR FROM PUBLIC;
REVOKE EXECUTE ON DBMS_LOB FROM PUBLIC;

27 | P a g e
REVOKE EXECUTE ON UTL_FILE FROM PUBLIC;

5.1.1.3 Ensure 'EXECUTE' is revoked from 'PUBLIC' on

"Encryption" Packages

Applicable Versions:
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
Oracle Database PL/SQL "Encryption" packages - DBMS_CRYPTO,
BMS_OBFUSCATION_TOOLKIT and DBMS_RANDOM – provide PL/SQL APIs to perform
functions related to cryptography. The PUBLIC should not be able to execute these
packages.

Implementation:
Execute the following SQL statement,
REVOKE EXECUTE ON DBMS_CRYPTO FROM PUBLIC;
REVOKE EXECUTE ON DBMS_OBFUSCATION_TOOLKIT FROM PUBLIC;
REVOKE EXECUTE ON DBMS_RANDOM FROM PUBLIC;

5.1.1.4 Ensure 'EXECUTE' is revoked from 'PUBLIC' on "Java"

Packages

Applicable Versions:
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
Oracle Database PL/SQL "Java" packages - DBMS_JAVA and DBMS_JAVA_TEST – provide APIs
to run Java classes or grant Java packages. The user PUBLIC should not be able to execute
these packages.

28 | P a g e
Implementation:
Execute the following SQL statement
REVOKE EXECUTE ON DBMS_JAVA FROM PUBLIC;
REVOKE EXECUTE ON DBMS_JAVA_TEST FROM PUBLIC;

5.1.1.5 Ensure 'EXECUTE' is revoked from 'PUBLIC' on "Job

Scheduler" Packages

Applicable Versions:
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
Oracle Database PL/SQL "Job Scheduler" packages - DBMS_SCHEDULER and DBMS_JOB –
provide APIs to schedule jobs. The user PUBLIC should not be able to execute these packages.

Implementation:
Execute the following SQL statement
REVOKE EXECUTE ON DBMS_JOB FROM PUBLIC;
REVOKE EXECUTE ON DBMS_SCHEDULER FROM PUBLIC;

5.1.1.6 Ensure 'EXECUTE' is revoked from 'PUBLIC' on "SQL

Injection Helper" Packages

Applicable Versions:
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
Oracle Database PL/SQL "SQL Injection Helper Packages" packages - DBMS_SQL,
BMS_XMLGEN, DBMS_XMLQUERY, DBMS_XLMSTORE, DBMS_XLMSAVE and DBMS_REDACT
– provide APIs to schedule jobs. The user PUBLIC should not be able to execute these
packages.

29 | P a g e
Implementation:
Execute the following SQL statement,
REVOKE EXECUTE ON DBMS_SQL FROM PUBLIC;
REVOKE EXECUTE ON DBMS_XMLGEN FROM PUBLIC;
REVOKE EXECUTE ON DBMS_XMLQUERY FROM PUBLIC;
REVOKE EXECUTE ON DBMS_XMLSAVE FROM PUBLIC;
REVOKE EXECUTE ON DBMS_XMLSTORE FROM PUBLIC;
REVOKE EXECUTE ON DBMS_AW FROM PUBLIC;
REVOKE EXECUTE ON OWA_UTIL FROM PUBLIC;

REVOKE EXECUTE ON DBMS_REDACT FROM PUBLIC;

5.1.1.7 Ensure 'EXECUTE' is revoked from 'PUBLIC' on

"DBMS_CREDENTIAL" Package

Applicable Versions:
- Oracle_Database_19c

Description:
Oracle Database PL/SQL "DBMS_CREDENTIAL" package –should not be granted to PUBLIC.
Use of the DBMS_CREDENTIAL package could allow an unauthorized user to add, create, drop,
enable and update credentials allowing jobs to run on the operating system.

Implementation:
Execute the following SQL statement
REVOKE EXECUTE ON DBMS_CREDENTIAL FROM PUBLIC;

30 | P a g e
 5.1.2 Non-Default Privileges
5.1.2.1 Ensure 'EXECUTE' is not granted to 'PUBLIC' on "Non
default" Packages

Applicable Versions:
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
These "non-default" group of PL/SQL packages, which are not granted to PUBLIC by default,
packages should not be granted to PUBLIC. The DBMS_BACKUP_RESTORE package can allow
access to OS files. The DBMS_FILE_TRANSFER package could allow to transfer files from one
database server to another without authorization to do so.

Implementation:
Execute the following SQL statement,
REVOKE EXECUTE ON DBMS_BACKUP_RESTORE FROM PUBLIC;
REVOKE EXECUTE ON DBMS_FILE_TRANSFER FROM PUBLIC;
REVOKE EXECUTE ON DBMS_SYS_SQL FROM PUBLIC;
REVOKE EXECUTE ON DBMS_REPCAT_SQL_UTL FROM PUBLIC;
REVOKE EXECUTE ON INITJVMAUX FROM PUBLIC;
REVOKE EXECUTE ON DBMS_AQADM_SYS FROM PUBLIC;
REVOKE EXECUTE ON DBMS_STREAMS_RPC FROM PUBLIC;

5.1.3 Other Privileges

5.1.3.1 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on
'AUD$'

Applicable Versions:
- Oracle_Database_11g_R2
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

31 | P a g e
Description:
The Oracle database SYS.AUD$ table contains all the audit records for the database of the
non-Data Manipulation Language (DML) events, such as ALTER, DROP, and CREATE, and so
forth. (DML changes need trigger-based audit events to record data alterations.)
Unauthorized grantees should not have full access to that table.

Implementation:
Execute the following SQL statement
REVOKE ALL ON AUD$ FROM <grantee>;

5.1.3.2 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on

'DBA_%'

Applicable Versions:
- Oracle_Database_11g_R2
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
The Oracle database DBA_ views show all information which is relevant to administrative
accounts. Unauthorized grantees should not have full access to those views. Permitting users
the authorization to manipulate the DBA_ views can expose sensitive data.

Implementation:
Replace <Non-DBA/SYS grantee> in the query below, with the Oracle login(s) or role(s)
returned from the associated audit procedure and execute, keeping in mind if this is granted
in both container and pluggable database, you must connect to both places to revoke:
REVOKE ALL ON <DBA_%> FROM <Non-DBA/SYS grantee>;

5.1.3.3 Ensure 'ALL' Is Revoked on 'Sensitive' Tables

Applicable Versions:
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

32 | P a g e
Description:
The Oracle database tables listed below may contain sensitive information, and should not be
accessible to unauthorized users. Access to sensitive information such as hashed passwords
may allow unauthorized users to decrypt the passwords hashes which could potentially result
in complete compromise of the database.

Implementation:
Execute applicable SQLs listed below:
REVOKE ALL ON SYS.CDB_LOCAL_ADMINAUTH$ FROM <grantee>;
REVOKE ALL ON SYS.DEFAULT_PWD$ FROM <grantee>;
REVOKE ALL ON SYS.ENC$ FROM <grantee>;
REVOKE ALL ON SYS.HISTGRM$ FROM <grantee>;
REVOKE ALL ON SYS.HIST_HEAD$ FROM <grantee>;
REVOKE ALL ON SYS.LINK$ FROM <grantee>;
REVOKE ALL ON SYS.PDB_SYNC$ FROM <grantee>;
REVOKE ALL ON SYS.SCHEDULER$_CREDENTIAL FROM <grantee>;
REVOKE ALL ON SYS.USER$ FROM <grantee>;
REVOKE ALL ON SYS.USER_HISTORY$ FROM <grantee>;
REVOKE ALL ON SYS.XS$VERIFIERS FROM <grantee>;

5.2 Excessive System Privileges

5.2.1 Ensure '%ANY%' Is Revoked from Unauthorized 'GRANTEE'

Applicable Versions:
- Oracle_Database_11g_R2
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
The Oracle database ANY keyword provides the user the capability to alter any item in the
catalogue of the database. Unauthorized grantees should not have that keyword assigned to
them.

33 | P a g e
Implementation:
Execute the following SQL statement,
REVOKE '<ANY Privilege>' FROM <grantee>;

5.2.2 Ensure 'DBA_SYS_PRIVS.%' Is Revoked from Unauthorized

'GRANTEE' with 'ADMIN_OPTION' Set to 'YES'

Applicable Versions:
- Oracle_Database_11g_R2
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
The Oracle database WITH_ADMIN privilege allows the designated user to grant another user
the same privileges. Unauthorized grantees should not have that privilege.

Implementation:
Execute the following SQL statement,
REVOKE <privilege> FROM <grantee>;

5.2.3 Ensure 'EXECUTE ANY PROCEDURE' Is Revoked from

'OUTLN'

Applicable Versions:
- Oracle_Database_11g_R2
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
Remove unneeded EXECUTE ANY PROCEDURE privileges from OUTLN. Migrated OUTLN users
have more privileges than required.

Implementation:
Execute the following SQL statement.

34 | P a g e
REVOKE EXECUTE ANY PROCEDURE FROM OUTLN;

5.2.4 Ensure 'EXECUTE ANY PROCEDURE' Is Revoked from

'DBSNMP'

Applicable Versions:
- Oracle_Database_11g_R2
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
Remove unneeded EXECUTE ANY PROCEDURE privileges from DBSNMP. Migrated DBSNMP
users have more privileges than required.

Implementation:
Execute the following SQL statement
REVOKE EXECUTE ANY PROCEDURE FROM DBSNMP;

5.2.5 Ensure 'SELECT ANY DICTIONARY' Is Revoked from

Unauthorized 'GRANTEE'

Applicable Versions:
- Oracle_Database_11g_R2
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
The Oracle database SELECT ANY DICTIONARY privilege allows the designated user to access
SYS schema objects. Unauthorized grantees should not have that privilege.

Implementation:
Execute the following SQL statement
REVOKE SELECT ANY DICTIONARY FROM <grantee>;

35 | P a g e
 5.2.6 Ensure 'SELECT ANY TABLE' Is Revoked from Unauthorized
'GRANTEE'

Applicable Versions:
- Oracle_Database_11g_R2
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
The Oracle database SELECT ANY TABLE privilege allows the designated user to open any
table, except SYS, to view it. Unauthorized grantees should not have that privilege.

Implementation:
Execute the following SQL statement,
REVOKE SELECT ANY TABLE FROM <grantee>;

5.2.7 Ensure 'AUDIT SYSTEM' Is Revoked from Unauthorized

'GRANTEE'

Applicable Versions:
- Oracle_Database_11g_R2
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
The Oracle database AUDIT SYSTEM privilege allows changes to auditing activities on the
system. Unauthorized grantees should not have that privilege.

Implementation:
Execute the following SQL statement
REVOKE AUDIT SYSTEM FROM <grantee>;

36 | P a g e
 5.2.8 Ensure 'EXEMPT ACCESS POLICY' Is Revoked from
Unauthorized 'GRANTEE'

Applicable Versions:
- Oracle_Database_11g_R2
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
The Oracle database EXEMPT ACCESS POLICY keyword provides the user the capability to
access all the table rows regardless of row-level security lockouts. Unauthorized grantees
should not have that keyword assigned to them.

Implementation:
Execute the following SQL statement
REVOKE EXEMPT ACCESS POLICY FROM <grantee>;

5.2.9 Ensure 'BECOME USER' Is Revoked from Unauthorized

'GRANTEE'

Applicable Versions:
- Oracle_Database_11g_R2
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
The Oracle database BECOME USER privilege allows the designated user to inherit the rights
of another user. Unauthorized grantees should not have that privilege.

Implementation:
Execute the following SQL statement,
REVOKE BECOME USER FROM <grantee>;

37 | P a g e
 5.2.10 Ensure 'CREATE PROCEDURE' Is Revoked from
Unauthorized 'GRANTEE'

Applicable Versions:
- Oracle_Database_11g_R2
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
The Oracle database CREATE PROCEDURE privilege allows the designated user to create a
stored procedure that will fire when given the correct command sequence. Unauthorized
grantees should not have that privilege.

Implementation:
Execute the following SQL statement
REVOKE CREATE PROCEDURE FROM <grantee>;

5.2.11 Ensure 'ALTER SYSTEM' Is Revoked from Unauthorized

'GRANTEE'

Applicable Versions:
- Oracle_Database_11g_R2
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
The Oracle database ALTER SYSTEM privilege allows the designated user to dynamically alter
the instance's running operations. Unauthorized grantees should not have that privilege.

Implementation:
Execute the following SQL statement
REVOKE ALTER SYSTEM FROM <grantee>;

38 | P a g e
 5.2.12 Ensure 'CREATE ANY LIBRARY' Is Revoked from
Unauthorized 'GRANTEE'

Applicable Versions:
- Oracle_Database_11g_R2
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
The Oracle database CREATE ANY LIBRARY privilege allows the designated user to create
objects that are associated to the shared libraries. Unauthorized grantees should not have
that privilege.

Implementation:
Execute the following SQL statement,
REVOKE CREATE ANY LIBRARY FROM <grantee>;

5.2.13 Ensure 'CREATE LIBRARY' Is Revoked from Unauthorized

'GRANTEE'

Applicable Versions:
- Oracle_Database_11g_R2
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
The Oracle database CREATE LIBRARY privilege allows the designated user to create objects
that are associated to the shared libraries. Unauthorized grantees should not have that
privilege.

Implementation:
Execute the following SQL statement
REVOKE CREATE LIBRARY FROM <grantee>;

39 | P a g e
 5.2.14 Ensure 'GRANT ANY OBJECT PRIVILEGE' Is Revoked from
Unauthorized 'GRANTEE'

Applicable Versions:
- Oracle_Database_11g_R2
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
The Oracle database GRANT ANY OBJECT PRIVILEGE keyword provides the grantee the
capability to grant access to any single or multiple combinations of objects to any grantee in
the catalogue of the database. Unauthorized grantee should not have that keyword assigned
to them.

Implementation:
Execute the following SQL statement
REVOKE GRANT ANY OBJECT PRIVILEGE FROM <grantee>;

5.2.15 Ensure 'GRANT ANY ROLE' Is Revoked from Unauthorized

'GRANTEE'

Applicable Versions:
- Oracle_Database_11g_R2
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
The Oracle database GRANT ANY ROLE keyword provides the grantee the capability to grant
any single role to any grantee in the catalogue of the database. Unauthorized grantees should
not have that keyword assigned to them.

Implementation:
Execute the following SQL statement,
REVOKE GRANT ANY ROLE FROM <grantee>;

40 | P a g e
 5.2.16 Ensure 'GRANT ANY PRIVILEGE' Is Revoked from
Unauthorized 'GRANTEE'

Applicable Versions:
- Oracle_Database_11g_R2
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
The Oracle database GRANT ANY PRIVILEGE keyword provides the grantee the capability to
grant any single privilege to any item in the catalogue of the database. Unauthorized grantees
should not have that privilege.

Implementation:
Execute the following SQL statement
REVOKE GRANT ANY PRIVILEGE FROM <grantee>;

5.3 Excessive Role Privileges

5.3.1 Ensure 'SELECT_CATALOG_ROLE' Is Revoked from
Unauthorized 'GRANTEE'

Applicable Versions:
- Oracle_Database_11g_R2
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
The Oracle database SELECT_CATALOG_ROLE provides SELECT privileges on all data dictionary
views held in the SYS schema. Unauthorized grantees should not have that role.

Implementation:
Execute the following SQL statement
REVOKE SELECT_CATALOG_ROLE FROM <grantee>;

41 | P a g e
 5.3.2 Ensure 'EXECUTE_CATALOG_ROLE' Is Revoked from
Unauthorized 'GRANTEE'

Applicable Versions:
- Oracle_Database_11g_R2
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
The Oracle database EXECUTE_CATALOG_ROLE provides EXECUTE privileges for a number of
packages and procedures in the data dictionary in the SYS schema. Unauthorized grantees
should not have that role.

Implementation:
Execute the following SQL statement
REVOKE EXECUTE_CATALOG_ROLE FROM <grantee>;

5.3.3 Ensure 'DBA' Is Revoked from Unauthorized 'GRANTEE'

Applicable Versions:
- Oracle_Database_11g_R2
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
The Oracle database DBA role is the default database administrator role provided for the
allocation of administrative privileges. Unauthorized grantees should not have that role.

Implementation:
Execute the following SQL statement
REVOKE DBA FROM <grantee>;

42 | P a g e
 5.3.4 Ensure AUDIT_ADMIN' Is Revoked from Unauthorized
'GRANTEE'

Applicable Versions:
- Oracle_Database_19c

Description:
The Oracle database AUDIT_ADMIN enables you to create unified and fine-grained audit
policies, use the AUDIT and NOAUDIT SQL statements, view audit data, and manage the audit
trail administration. Grant this role only to trusted users. Unauthorized grantees should not
have this role.

Implementation:
Execute the following SQL statement
REVOKE AUDIT_ADMIN FROM <grantee>;

6 Audit/Logging Policies and Procedures

6.1 Traditional Auditing
6.1.1 Ensure the 'USER' Audit Option Is Enabled

Applicable Versions:
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
The USER object allows for creating accounts that can interact with the database according
to the roles and privileges allotted to the account. It may also own database objects. Enabling
the audit option causes auditing of all activities and requests to create, drop or alter a user,
including a user changing their own password.

Implementation:
Execute the following SQL statement in either the non multi-tenant or container database, it
does NOT need run in the pluggable.
AUDIT USER;

43 | P a g e
6.1.2 Ensure the 'ROLE' Audit Option Is Enabled

Applicable Versions:
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
The ROLE object allows for the creation of a set of privileges that can be granted to users or
other roles. Enabling the audit option causes auditing of all attempts, successful or not, to
create, drop, alter or set roles.

Implementation:
Execute the following SQL statement
AUDIT ROLE;

6.1.3 Ensure the 'SYSTEM GRANT' Audit Option Is Enabled

Applicable Versions:
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
Enabling the audit option for the SYSTEM GRANT object causes auditing of any attempt,
successful or not, to grant or revoke any system privilege or role, regardless of privilege held
by the user attempting the operation.

Implementation:
Execute the following SQL statement
AUDIT SYSTEM GRANT;

44 | P a g e
6.1.4 Ensure the 'PROFILE' Audit Option Is Enabled

Applicable Versions:
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
The PROFILE object allows for the creation of a set of database resource limits that can be
assigned to a user, so that that user cannot exceed those resource limitations. Enabling the
audit option causes auditing of all attempts, successful or not, to create, drop or alter any
profile.

Implementation:
Execute the following SQL statement
AUDIT PROFILE;

6.1.5 Ensure the 'DATABASE LINK' Audit Option Is Enabled

Applicable Versions:
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
Enabling the audit option for the DATABASE LINK object causes all activities on database links
to be audited. As the logging of user activities involving the creation or dropping of a
DATABASE LINK can provide forensic evidence about a pattern of unauthorized activities, the
audit capability should be enabled.

Implementation:
Execute the following SQL statement
AUDIT DATABASE LINK;

45 | P a g e
6.1.6 Ensure the 'PUBLIC DATABASE LINK' Audit Option Is Enabled

Applicable Versions:
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
The PUBLIC DATABASE LINK object allows for the creation of a public link for an application-
based "user" to access the database for connections/session creation. Enabling the audit
option causes all user activities involving the creation, alteration, or dropping of public links
to be audited.

Implementation:
Execute the following SQL statement
AUDIT PUBLIC DATABASE LINK;

6.1.7 Ensure the 'PUBLIC SYNONYM' Audit Option Is Enabled

Applicable Versions:
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
The PUBLIC SYNONYM object allows for the creation of an alternate description of an object.
Public synonyms are accessible by all users that have the appropriate privileges to the
underlying object. Enabling the audit option causes all user activities involving the creation or
dropping of public synonyms to be audited.

Implementation:
Execute the following SQL statement
AUDIT PUBLIC SYNONYM;

46 | P a g e
6.1.8 Ensure the 'SYNONYM' Audit Option Is Enabled

Applicable Versions:
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
The SYNONYM operation allows for the creation of an alternative name for a database object
such as a Java class schema object, materialized view, operator, package, procedure,
sequence, stored function, table, view, user-defined object type, or even another synonym.
This synonym puts a dependency on its target and is rendered invalid if the target object is
changed/dropped.

Implementation:
Execute the following SQL statement
AUDIT SYNONYM;

6.1.9 Ensure the 'DIRECTORY' Audit Option Is Enabled

Applicable Versions:
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
The DIRECTORY object allows for the creation of a directory object that specifies an alias for
a directory on the server file system, where the external binary file LOBs (BFILEs)/ table data
are located. Enabling this audit option causes all user activities involving the creation or
dropping of a directory alias to be audited.

Implementation:
Execute the following SQL statement
AUDIT DIRECTORY;

47 | P a g e
6.1.10 Ensure the 'SELECT ANY DICTIONARY' Audit Option Is
Enabled

Applicable Versions:
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
The SELECT ANY DICTIONARY capability allows the user to view the definitions of all schema
objects in the database. Enabling the audit option causes all user activities involving this
capability to be audited.

Implementation:
Execute the following SQL statement
AUDIT SELECT ANY DICTIONARY;

6.1.11 Ensure the 'GRANT ANY OBJECT PRIVILEGE' Audit Option

Is Enabled

Applicable Versions:
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
GRANT ANY OBJECT PRIVILEGE allows the user to grant or revoke any object privilege, which
includes privileges on tables, directories, mining models, etc. Enabling this audit option causes
auditing of all uses of that privilege.

Implementation:
Execute the following SQL statement,
AUDIT GRANT ANY OBJECT PRIVILEGE;

48 | P a g e
6.1.12 Ensure the 'GRANT ANY PRIVILEGE' Audit Option Is
Enabled

Applicable Versions:
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
GRANT ANY PRIVILEGE allows a user to grant any system privilege, including the most
powerful privileges typically available only to administrators - to change the security
infrastructure, to drop/add/modify users and more.

Implementation:
Execute the following SQL statement
AUDIT GRANT ANY PRIVILEGE;

6.1.13 Ensure the 'DROP ANY PROCEDURE' Audit Option Is

Enabled

Applicable Versions:
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
The AUDIT DROP ANY PROCEDURE command is auditing the dropping of procedures. Enabling
the option causes auditing of all such activities.

Implementation:
Execute the following SQL statement
AUDIT DROP ANY PROCEDURE;

49 | P a g e
6.1.14 Ensure the 'ALL' Audit Option on 'SYS.AUD$' Is Enabled

Applicable Versions:
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
The logging of attempts to alter the audit trail in the SYS.AUD$ table (open for
read/update/delete/view) will provide a record of any activities that may indicate
unauthorized attempts to access the audit trail. Enabling the audit option will cause these
activities to be audited.

Implementation:
Execute the following SQL statement
AUDIT ALL ON SYS.AUD$ BY ACCESS;

6.1.15 Ensure the 'PROCEDURE' Audit Option Is Enabled

Applicable Versions:
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
In this statement audit, PROCEDURE means any procedure, function, package or library.
Enabling this audit option causes any attempt, successful or not, to create or drop any of these
types of objects to be audited, regardless of privilege or lack thereof. Java schema objects
(sources, classes, and resources) are considered the same as procedures for the purposes of
auditing SQL statements.

Implementation:
Execute the following SQL statement
AUDIT PROCEDURE;

50 | P a g e
6.1.16 Ensure the 'ALTER SYSTEM' Audit Option Is Enabled

Applicable Versions:
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
ALTER SYSTEM allows one to change instance settings, including security settings and auditing
options. Enabling the audit option will audit all attempts to perform ALTER SYSTEM, whether
successful or not and regardless of whether or not the ALTER SYSTEM privilege is held by the
user attempting the action.

Implementation:
Execute the following SQL statement
AUDIT ALTER SYSTEM;

6.1.17 Ensure the 'TRIGGER' Audit Option Is Enabled

Applicable Versions:
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
A TRIGGER may be used to modify DML actions or invoke other (recursive) actions when some
types of user-initiated actions occur. Enabling this audit option will cause auditing of any
attempt, successful or not, to create, drop, enable or disable any schema trigger in any
schema regardless of privilege or lack thereof. For enabling and disabling a trigger, it covers
both ALTER TRIGGER and ALTER TABLE.

Implementation:
Execute the following SQL statement
AUDIT TRIGGER;

51 | P a g e
6.1.18 Ensure the 'CREATE SESSION' Audit Option Is Enabled

Applicable Versions:
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
Enabling this audit option will cause auditing of all attempts to connect to the database,
whether successful or not, as well as audit session disconnects/logoffs. The commands to
audit SESSION, CONNECT or CREATE SESSION all accomplish the same thing - they initiate
statement auditing of the connect statement used to create a database session.

Implementation:
Execute the following SQL statement
AUDIT SESSION;

6.2 Unified Auditing

6.2.1 Ensure the 'CREATE USER' Action Audit Is Enabled

Applicable Versions:
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
The CREATE USER statement is used to create Oracle database accounts and assign database
properties to them. Enabling this unified action audit causes logging of all CREATE USER
statements, whether successful or unsuccessful, issued by the users regardless of the
privileges held by the users to issue such statements.

Implementation:
Execute the following SQL statement
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY
ADD
ACTIONS

52 | P a g e
CREATE USER;

6.2.2 Ensure the 'ALTER USER' Action Audit Is Enabled

Applicable Versions:
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
The ALTER USER statement is used to change database users’ password, lock accounts, and
expire passwords. This unified audit action enables logging of all ALTER USER statements,
whether successful or unsuccessful, issued by the users regardless of the privileges held by
the users to issue such statements.

Implementation:
Execute the following SQL statement.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY
ADD
ACTIONS
ALTER USER;

6.2.3 Ensure the 'DROP USER' Audit Option Is Enabled

Applicable Versions:
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
Enabling this unified action audit enables logging of all DROP USER statements, whether
successful or unsuccessful, issued by the users regardless of the privileges held by the users
to issue such statements.

Implementation:
Execute the following SQL statement.

53 | P a g e
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY
ADD
ACTIONS
DROP USER;

6.2.4 Ensure the 'CREATE ROLE' Action Audit Is Enabled

Applicable Versions:
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
An Oracle database role is a collection or set of privileges that can be granted to users or other
roles. Roles may include system privileges, object privileges or other roles. Enabling this
unified audit action enables logging of all CREATE ROLE statements, whether successful or
unsuccessful, issued by the users regardless of the privilege held by the users to issue such
statements.

Implementation:
Execute the following SQL statement.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY
ADD
ACTIONS
CREATE ROLE;

6.2.5 Ensure the 'ALTER ROLE' Action Audit Is Enabled

Applicable Versions:
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

54 | P a g e
Description:
An Oracle database role is a collection or set of privileges that can be granted to users or other
roles. Roles may include system privileges, object privileges or other roles. The ALTER ROLE
statement is used to change the authorization needed to enable a role.

Implementation:
Execute the following SQL statement.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY
ADD
ACTIONS
ALTER ROLE;

6.2.6 Ensure the 'DROP ROLE' Action Audit Is Enabled

Applicable Versions:
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
An Oracle database role is a collection or set of privileges that can be granted to users or other
roles. Roles may include system privileges, object privileges or other roles.

Implementation:
Execute the following SQL statement.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY
ADD
ACTIONS
DROP ROLE;

55 | P a g e
6.2.7 Ensure the 'GRANT' Action Audit Is Enabled

Applicable Versions:
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
GRANT statements are used to grant privileges to Oracle database users and roles, including
the most powerful privileges and roles typically available to the database administrators.
Enabling this unified action audit enables logging of all GRANT statements, whether successful
or unsuccessful, issued by the users regardless of the privileges held by the users to issue such
statements.

Implementation:
Execute the following SQL statement.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY
ADD
ACTIONS
GRANT;

6.2.8 Ensure the 'REVOKE' Action Audit Is Enabled

Applicable Versions:
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
REVOKE statements are used to revoke privileges from Oracle database users and roles.
Enabling this unified action audit enables logging of all REVOKE statements, successful or
unsuccessful, issued by the users regardless of the privileges held by the users to issue such
statements.

Implementation:
Execute the following SQL statement.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY

56 | P a g e
ADD
ACTIONS
REVOKE;

6.2.9 Ensure the 'CREATE PROFILE' Action Audit Is Enabled

Applicable Versions:
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
Oracle database profiles are used to enforce resource usage limits and implement password
policies such as password complexity rules and reuse restrictions. Enabling this unified action
audit enables logging of all CREATE PROFILE statements, whether successful or unsuccessful,
issued by the users regardless of the privileges held by the users to issue such statements.

Implementation:
Execute the following SQL statement.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY
ADD
ACTIONS
CREATE PROFILE;

6.2.10 Ensure the 'ALTER PROFILE' Action Audit Is Enabled

Applicable Versions:
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
Oracle database profiles are used to enforce resource usage limits and implement password
policies such as password complexity rules and reuse restrictions.

Implementation:

57 | P a g e
Execute the following SQL statement.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY
ADD ACTIONS
ALTER PROFILE;

6.2.11 Ensure the 'DROP PROFILE' Action Audit Is Enabled

Applicable Versions:
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
Oracle database profiles are used to enforce resource usage limits and implement password
policies such as password complexity rules and reuse restrictions. Enabling this unified action
audit enables logging of all DROP PROFILE statements, whether successful or unsuccessful,
issued by the users regardless of the privileges held by the users to issue such statements.

Implementation:
Execute the following SQL statement.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY
ADD
ACTIONS
DROP PROFILE;

6.2.12 Ensure the 'CREATE DATABASE LINK' Action Audit Is

Enabled

Applicable Versions:
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

58 | P a g e
Description:
Oracle database links are used to establish database-to-database connections to other data
bases. These connections are available without further authentication once the link is
established. Enabling this unified action audit causes logging of all CREATE DATABASE and
CREATE PUBLIC DATABASE statements, whether successful or unsuccessful, issued by the
users regardless of the privileges held by the users to issue such statements.

Implementation:
Execute the following SQL statement.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY
ADD ACTIONS CREATE DATABASE LINK;

6.2.13 Ensure the 'ALTER DATABASE LINK' Action Audit Is

Enabled

Applicable Versions:
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
Oracle database links are used to establish database-to-database connections to other data
bases. These connections are always available without further authentication once the link is
established. Enabling this unified action audit causes logging of all ALTER DATABASE and
ALTER PUBLIC DATABASE statements, whether successful or unsuccessful, issued by the users
regardless of the privileges held by the users to issue such statements.

Implementation:
Execute the following SQL statement.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY
ADD ACTIONS ALTER DATABASE LINK;

59 | P a g e
6.2.14 Ensure the 'DROP DATABASE LINK' Action Audit Is Enabled

Applicable Versions:
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
Oracle database links are used to establish database-to-database connections to other
databases. These connections are always available without further authentication once the
link is established. Enabling this unified action audit causes logging of all DROP DATABASE and
DROP PUBLIC DATABASE, whether successful or unsuccessful, statements issued by the users
regardless of the privileges held by the users to issue such statements.

Implementation:
Execute the following SQL statement.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY
ADD ACTIONS DROP DATABASE LINK;

6.2.15 Ensure the 'CREATE SYNONYM' Action Audit Is Enabled

Applicable Versions:
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
Enabling this unified action audit causes logging of all CREATE SYNONYM and CREATE PUBLIC
SYNONYM statements, whether successful or unsuccessful, issued by the users regardless of
the privileges held by the users to issue such statements.

Implementation:
Execute the following SQL statement.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY
ADD ACTIONS CREATE SYNONYM;

60 | P a g e
6.2.16 Ensure the 'ALTER SYNONYM' Action Audit Is Enabled

Applicable Versions:
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
An Oracle database synonym is used to create an alternative name for a database object such
as table, view, procedure, or java object, or even another synonym.

Implementation:
Execute the following SQL statement.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY
ADD
ACTIONS
ALTER SYNONYM;

6.2.17 Ensure the 'DROP SYNONYM' Action Audit Is Enabled

Applicable Versions:
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
Enabling his unified action audit causes logging of all DROP SYNONYM and DROP
PUBLICSYNONYM statements, whether successful or unsuccessful, issued by the users
regardless of the privileges held by the users to issue such statements.

Implementation:
Execute the following SQL statement.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY
ADD ACTIONS DROP SYNONYM;

61 | P a g e
6.2.18 Ensure the 'SELECT ANY DICTIONARY' Privilege Audit Is
Enabled

Applicable Versions:
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
The SELECT ANY DICTIONARY system privilege allows the user to view the definition of all
schema objects in the database. It grants SELECT privileges on the data dictionary objects to
the grantees, including SELECT on DBA_ views, V$ views, X$ views and underlying SYS tables
such as TAB$ and OBJ$. This privilege also allows grantees to create stored objects such as
procedures, packages and views on the underlying data dictionary objects.

Implementation:
Execute the following SQL statement.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY
ADD
PRIVILEGES
SELECT ANY DICTIONARY;

6.2.19 Ensure the 'AUDSYS.AUD$UNIFIED' Access Audit Is

Enabled

Applicable Versions:
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
The AUDSYS.AUD$UNIFIED holds audit trail records generated by the database. Enabling this
audit action causes logging of all access attempts to the AUDSYS.AUD$UNIFIED, whether
successful or unsuccessful, regardless of the privileges held by the users to issue such
statements.

62 | P a g e
Implementation:
Execute the following SQL statement.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY
ADD
ACTIONS
ALL on AUDSYS.AUD$UNIFIED;

6.2.20 Ensure the 'CREATE PROCEDURE/ FUNCTION/ PACKAGE/

PACKAGE BODY' Action Audit Is Enabled

Applicable Versions:
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
Oracle database procedures, function, packages, and package bodies, which are stored within
the database, are created to perform business functions and access database as defined by
PL/SQL code and SQL statements contained within these objects.

Implementation:
Execute the following SQL statement.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY
ADD
ACTIONS
CREATE PROCEDURE,
CREATE FUNCTION,
CREATE PACKAGE,
CREATE PACKAGE BODY;

63 | P a g e
6.2.21 Ensure the 'ALTER PROCEDURE/ FUNCTION/ PACKAGE/
PACKAGE BODY' Action Audit Is Enabled

Applicable Versions:
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
Oracle database procedures, functions, packages, and package bodies, which are stored
within the database, are created to carry out business functions and access database as
defined by PL/SQL code and SQL statements contained within these objects.

Implementation:
Execute the following SQL statement.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY
ADD ACTIONS
ALTER PROCEDURE,
ALTER FUNCTION,
ALTER PACKAGE,

ALTER PACKAGE BODY;

6.2.22 Ensure the 'DROP PROCEDURE/ FUNCTION/ PACKAGE/

PACKAGE BODY' Action Audit Is Enabled

Applicable Versions:
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
Oracle database procedures, functions, packages, and package bodies, which are stored
within the database, are created to carry out business functions and access database as
defined by PL/SQL code and SQL statements contained within these objects.

64 | P a g e
Implementation:
Execute the following SQL statement.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY
ADD
ACTIONS
DROP PROCEDURE,
DROP FUNCTION,
DROP PACKAGE,
DROP PACKAGE BODY;

6.2.23 Ensure the 'ALTER SYSTEM' Action Audit Is Enabled

Applicable Versions:
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
The ALTER SYSTEM privilege allows the user to change instance settings which could impact
security posture, performance or normal operation of the database. Additionally, the ALTER
SYSTEM privilege may be used to run operating system commands using undocumented
Oracle functionality.

Implementation:
Execute the following SQL statement.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY
ADD
ACTIONS
ALTER SYSTEM;

65 | P a g e
6.2.24 Ensure the 'CREATE TRIGGER' Action Audit Is Enabled

Applicable Versions:
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
Oracle database triggers are executed automatically when specified conditions on the
underlying objects occur. Trigger bodies contain the code, quite often to perform data
validation, ensure data integrity/security or enforce critical constraints on allowable actions
on data.

Implementation:
Execute the following SQL statement.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY
ADD ACTIONS CREATE TRIGGER;

6.2.25 Ensure the 'ALTER TRIGGER' Action Audit Is Enabled

Applicable Versions:
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
Oracle database triggers are executed automatically when specified conditions on the
underlying objects occur. Trigger bodies contain the code, quite often to perform data
validation, ensure data integrity/security or enforce critical constraints on allowable actions
on data.

Implementation:
Execute the following SQL statement.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY
ADD ACTIONS ALTER TRIGGER;

66 | P a g e
6.2.26 Ensure the 'DROP TRIGGER' Action Audit Is Enabled

Applicable Versions:
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
Oracle database triggers are executed automatically when specified conditions on the
underlying objects occur. Trigger bodies contain the code, quite often to perform data
validation, ensure data integrity/security or enforce critical constraints on allowable actions
on data.

Implementation:
Execute the following SQL statement.
ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY
ADD
ACTIONS
DROP TRIGGER;

6.2.27 Ensure the 'LOGON' AND 'LOGOFF' Actions Audit Is

Enabled

Applicable Versions:
- Oracle_Database_12c
- Oracle_Database_18c
- Oracle_Database_19c

Description:
Oracle database users log on to the database to perform their work. Enabling this unified
audit causes logging of all LOGON actions, whether successful or unsuccessful, issued by the
users regardless of the privileges held by the users to log into the database. In addition,
LOGOFF action audit captures logoff activities. This audit action also captures logon/logoff to
the open database by SYSDBA and SYSOPER.

Implementation:
Execute the following SQL statement.

67 | P a g e
 ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY
ADD ACTIONS
LOGON,
LOGOFF;

7 Exceptions:

Sr.No Control No Comments Bifurcation Mitigati Covera Approv

on ge ed by
2.2.3 All database names and Can't
Ensure database links differ because Implement
'GLOBAL_NAMES' the database links are used for
Is Set to 'TRUE' different modules.
Remote login password file Can't
Ensure cannot be set to none for a Implement
'REMOTE_LOGIN database having a data guard
_PASSWORDFILE it needs to be in exclusive
2.2.6 ' Is Set to 'NONE' mode
Ensure Can't
'PDB_OS_CREDEN Can be implemented only on Implement
2.2.17 TIAL' is NOT null CDB PDB
Ensure Can’t
'ENCRYPTION_SE Both database and client implement
RVER' Is Set to sqlnet. Ora needs to be
2.3.1 'REQUIRED' change for connection
Ensure Can’t
'SQLNET.CRYPTO_ implement
CHECKSUM_SERV Both database and client
ER' Is Set to sqlnet. Ora needs to be
2.3.2 'REQUIRED' change for connection
Implement
Ensure but long time
'PASSWORD_VERI Need to set rules for the ((Application
FY_FUNCTION' Is password verify function dependency)
3.7 Set for All Profiles common for all database )
Cannot be implemented as the Can't
Ensure application user can create Implement
'SESSIONS_PER_U more than 10 sessions and if
SER' Is Less than restricted the application will
3.8 or Equal to '10' crash or work abnormally
Ensure Can't
'INACTIVE_ACCO Inactive session timeout needs Implement
UNT_TIME' Is Less to be discussed as application
than or Equal to session can become inactive
3.9 '120' after 120s.

68 | P a g e
 All application users and their Implement
passwords need to alter that but long time
contain default password and (Application
Ensure All Default also passwords need to be dependency)
Passwords Are changed in dependent jobs
4.1 Changed and scripts
All the default users have Implement
expired and locked state (not but long time
Ensure All Sample recommended to drop and it (Proper
Data and Users won’t affect the environment approval
Have Been as it is in expired and locked
needed)
4.2 Removed state)
A new profile needs to be Implement
Ensure No Users created for all app users and but long time
Are Assigned the remove the default profile for (Application
4.4 'DEFAULT' Profile all users dependency)
Ensure Can't
'SYS.USER$MIG' Implement
Has Been Only applicable if migration if
4.5 Dropped done on database
Cannot drop public database Can't
Ensure No Public links as it is used by many Implement
Database Links application schema (might be
4.6 Exist used for application)
Ensure 'EXECUTE' Can't
is revoked from Implement
'PUBLIC' on
"Network" cannot revoke any privileges
5.1.1 Packages given to public(dependencies)
Non-Default cannot revoke any privileges Can't
5.1.2 Privileges given to public(dependencies) Implement
Ensure 'SELECT Implement
ANY TABLE' Is but long time
Revoked from (Application
Unauthorized cannot revoke select rights on dependency)
5.2.6 'GRANTEE' table for specific users

69 | P a g e