Profile ApplicaDescription: Rationale: Audit: Remediation:Default ValueImpact:

1  Oracle Database Installation and Patching Requirements

To assess
this
recommend
ation, use
the
following
example
shell
command as
appropriate
for your
environmen
t.
For
example, on
Linux
systems:

opatch
lsinventory
| grep -e
"^.*<latest_
patch_versi
on_numer>\ Perform the
s*.*$" following
step for
• Level 1 - For remediation
RDBMS example, on :
using Windows Download
Traditional systems: and apply
Auditing opatch the latest
• Level 1 - lsinventory quarterly
RDBMS | find Critical
using "<latest_pat Patch
Unified ch_version_ Update
Auditing number>" patches.
1.1  Ensure the AppropriateThe
Version/Patches
Oracle inUsingfor
theOracle
most Software Is Installed (Not Scored)
2  Oracle Parameter Settings
2.1  Listener Settings
 listener as
an
associated
SECURE_CO
NTROL_<list
ener_name>
directive.

For
example:

LISTENER1 =
(DESCRIPTIO
N=
• Level 1 - (ADDRESS=(
Linux Host PROTOCOL=
OS using TCP)
Traditional (HOST=sales
Auditing -server)
• Level 1 - (PORT=1521
Windows ))
Server Host (ADDRESS=( To
OS using PROTOCOL= remediate
Traditional IPC) this
Auditing (KEY=REGIST recommend
• Level 1 - ER)) ation:
Linux Host (ADDRESS=( Set the
OS using PROTOCOL= SECURE_CO
Unified TCPS) NTROL_<list
Auditing (HOST=sales ener_name>
• Level 1 - -server) for each
Windows (PORT=1522 defined
Server Host ))) listener in
OS using SECURE_CO the
Unified NTROL_LIST listener.ora
Auditing ENER1=TCPS file.
2.1.1  Ensure 'SECURE_CONTROL_'
The SECURE_CO
Is SetListener
In 'listener.ora'
conf (Scored)
 commands
as
appropriate
for your
Linux/Wind
ows
environmen
t.
Linux
environmen
t:
grep -i
extproc
$ORACLE_H
• Level 1 - OME/netwo
Linux Host rk/admin/lis
OS using tener.ora
Traditional
Auditing
• Level 1 -
Windows Windows
Server Host environmen
OS using t:
Traditional find /I
Auditing "extproc"
• Level 1 - %ORACLE_H
Linux Host OME%\ To
OS using network\ remediate
Unified admin\ this
Auditing listener.ora recommend
• Level 1 - ation:
Windows Remove
Server Host Ensure extproc
OS using extproc from the
Unified does not listener.ora
Auditing exist. file.
2.1.2  Ensure 'extproc' Is Not
extproc
Present
shoulextproc
in 'listener.ora'
allow(Scored)
 Linux/Wind
ows
environmen
t.
Linux
environmen
t:
grep -i
admin_restr
ictions
$ORACLE_H
OME/netwo
rk/admin/lis
tener.ora
• Level 1 -
Linux Host
OS using Windows
Traditional environmen
Auditing t:
• Level 1 - find /I
Windows "admin_rest
Server Host rictions"
OS using %ORACLE_H To
Traditional OME%|\ remediate
Auditing network\ this
• Level 1 - admin\ recommend
Linux Host listener.ora ation:
OS using Use a text
Unified editor such
Auditing Ensure as vi to set
• Level 1 - admin_restr the
Windows ictions_<list admin_restr
Server Host ener_name> ictions_<list
OS using is set to ON ener_name>
Unified for all to the value
Auditing listeners. ON.
2.1.3  Ensure 'ADMIN_RESTRICTIONS_'
The admin_rest
IsBlocking
Set to 'ON'
unpri
(Scored) Not set.
 for your
Linux/Wind
ows
environmen
t.
Linux
environmen
t:
grep -i
SECURE_RE
GISTER
$ORACLE_H To
OME/netwo remediate
rk/admin/lis this
• Level 1 - tener.ora recommend
Linux Host ation:
OS using Use a text
Traditional Windows editor such
Auditing environmen as vi to set
• Level 1 - t: the
Windows find /I SECURE_RE
Server Host "SECURE_RE GISTER_<list
OS using GISTER" ener_name>
Traditional %ORACLE_H =TCPS or
Auditing OME%\ SECURE_RE
• Level 1 - network\ GISTER_<list
Linux Host admin\ ener_name>
OS using listener.ora =IPC for
Unified each
Auditing listener
• Level 1 - Ensure found in
Windows SECURE_RE $ORACLE_H
Server Host GISTER_<list OME/
OS using ener_name> network/
Unified is set to admin/
Auditing TCPS or IPC. listener.ora.
2.1.4  Ensure 'SECURE_REGISTER_'
The SECURE_RE
Is SetListener
to 'TCPS'
conf
or 'IPC' (Scored)
2.2  Database Settings
 To assess
this
recommend
ation,
execute the
following
SQL
statement. To
SELECT remediate
UPPER(VAL this setting,
UE) FROM execute the
V$SYSTEM_ following
PARAMETER SQL
WHERE statement
UPPER(NAM and restart
E) = the
'AUDIT_SYS instance.
_OPERATIO ALTER
NS'; SYSTEM SET
AUDIT_SYS_
• Level 1 - OPERATION
RDBMS Ensure S = TRUE
using VALUE is set SCOPE=SPFI
Traditional to TRUE. LE;
2.2.1  Ensure Auditing
'AUDIT_SYS_OPERATIONS'
The AUDIT_SYS
IfIsthe
Setparam
to 'TRUE' (Scored)
 statements
and restart
the
instance.
ALTER
SYSTEM SET
AUDIT_TRAI
L = DB,
EXTENDED
SCOPE =
SPFILE;
ALTER
To assess SYSTEM SET
this AUDIT_TRAI
recommend L = OS
ation, SCOPE =
execute the SPFILE;
following ALTER
SQL SYSTEM SET
statement. AUDIT_TRAI
SELECT L = XML,
UPPER(VAL EXTENDED
UE) FROM SCOPE =
V$SYSTEM_ SPFILE;
PARAMETER ALTER
WHERE SYSTEM SET
UPPER(NAM AUDIT_TRAI
E)='AUDIT_T L = DB
RAIL'; SCOPE =
Ensure SPFILE;
VALUE is set ALTER
to DB or OS SYSTEM SET
• Level 1 - or XML or AUDIT_TRAI
RDBMS DB,EXTENDE L = XML
using D or SCOPE =
Traditional XML,EXTEN SPFILE;
2.2.2  Ensure Auditing
'AUDIT_TRAIL'
The
Is Set
audit_traEnabling
to 'DB', 'XML', 'OS',
the bDED.
'DB,EXTENDED', or 'XML,EXTENDED' (Scored)
 SELECT
DISTINCT
UPPER(V.VA
LUE),
DECODE
(V.CON_ID,0
,(SELECT
NAME
FROM
V$DATABAS
E),
1,(SELECT
NAME
FROM
V$DATABAS
E), (SELECT
NAME
FROM
V$PDBS B
WHERE
V.CON_ID =
B.CON_ID))
FROM
V$SYSTEM_
PARAMETER To
V remediate
• Level 1 - WHERE this setting,
RDBMS UPPER(NAM execute the
using E) = following
Traditional 'GLOBAL_NA SQL
Auditing MES'; statement.
• Level 1 - ALTER
RDBMS SYSTEM SET
using Ensure GLOBAL_NA
Unified VALUE is set MES = TRUE
Auditing to TRUE. SCOPE =
2.2.3  Ensure 'GLOBAL_NAMES'
The global_na
Is Set toNot
'TRUE'
requiring
(Scored) SPFILE;
 allows/disall DISTINCT
ows access UPPER(V.VA
to objects LUE),
with the DECODE
ANY (V.CON_ID,0
privileges ,(SELECT
(SELECT ANY NAME
TABLE, FROM
DELETE ANY V$DATABAS
TABLE, E),
EXECUTE 1,(SELECT
ANY NAME
PROCEDURE FROM
, etc.). This V$DATABAS
functionality E), (SELECT
was created NAME
for the ease FROM
of migration V$PDBS B
from Oracle WHERE
7 databases V.CON_ID =
to later B.CON_ID))
versions. FROM
The setting V$SYSTEM_ To
should have PARAMETER remediate
a value of V this setting,
FALSE. WHERE execute the
• Level 1 - Note: The UPPER(NAM following
RDBMS O7_dictiona E) = SQL
using ry_accessibil 'O7_DICTIO statement.
Traditional ity NARY_ACCE ALTER
Auditing parameter SSIBILITY'; SYSTEM SET
• Level 1 - has been O7_DICTION
RDBMS deprecated ARY_ACCESS
using in 12.2 and Ensure IBILITY=FALS
Unified higher VALUE is set E SCOPE =
Auditing versions. to FALSE. SPFILE;
2.2.4  Ensure 'O7_DICTIONARY_ACCESSIBILITY'
LeavingIsthe
SetS to 'FALSE' (Scored)
 statement.
SELECT
DISTINCT
UPPER(V.VA
LUE),
DECODE
(V.CON_ID,0
,(SELECT
NAME
FROM
V$DATABAS
E),
1,(SELECT
NAME
FROM
V$DATABAS
E), (SELECT
NAME
FROM
V$PDBS B
WHERE
V.CON_ID =
B.CON_ID)) To
FROM remediate
V$SYSTEM_ this setting,
PARAMETER execute the
• Level 1 - V following
RDBMS WHERE SQL
using UPPER(NAM statement.
Traditional E) =
Auditing 'OS_ROLES'; ALTER
• Level 1 - SYSTEM SET
RDBMS OS_ROLES =
using Ensure FALSE
Unified VALUE is set SCOPE =
Auditing to FALSE. SPFILE;
2.2.5  Ensure 'OS_ROLES' IsThe
Setos_roles
to 'FALSE'
Allowing
(Scored)the
 SELECT
DISTINCT
UPPER(V.VA
LUE),
DECODE
(V.CON_ID,0
,(SELECT
NAME
FROM
V$DATABAS
E),
1,(SELECT
NAME
FROM
V$DATABAS
E), (SELECT
NAME
FROM
V$PDBS B
WHERE
V.CON_ID =
B.CON_ID))
FROM
V$SYSTEM_ To
PARAMETER remediate
V this setting,
• Level 1 - WHERE execute the
RDBMS UPPER(NAM following
using E) = SQL
Traditional 'REMOTE_LI statement.
Auditing STENER'; ALTER
• Level 1 - SYSTEM SET
RDBMS REMOTE_LIS
using Ensure TENER = ''
Unified VALUE is set SCOPE =
Auditing to empty. SPFILE;
2.2.6  Ensure 'REMOTE_LISTENER'
The remote_li
Is Empty
Permitting
(Scored)a
 To assess
this
recommend
ation,
execute the
following
SQL
statement.
SELECT
UPPER(VAL
UE) FROM
V$SYSTEM_
PARAMETER
WHERE
UPPER(NAM
E)='REMOTE
_LOGIN_PAS
SWORDFILE'
; To
remediate
this setting,
Ensure execute the
VALUE is set following
• Level 1 - to NONE or SQL
RDBMS in the event statement.
using you are ALTER
Traditional running SYSTEM SET
Auditing DR/Data REMOTE_LO
• Level 1 - Guard, GIN_PASSW
RDBMS EXCLUSIVE ORDFILE =
using is an 'NONE'
Unified allowable SCOPE =
Auditing VALUE. SPFILE;
2.2.7  Ensure 'REMOTE_LOGIN_PASSWORDFILE'
The remote_lo
The use of
Is Set
th to 'NONE' (Scored)
 The
remote_os_
authent
setting To assess
determines this
whether or recommend
not OS ation,
'roles' with execute the
the following
attendant SQL
privileges statement.
are allowed SELECT
for remote UPPER(VAL To
client UE) FROM remediate
connections. V$SYSTEM_ this setting,
This setting PARAMETER execute the
• Level 1 - should have WHERE following
RDBMS a value of UPPER(NAM SQL
using FALSE. E)='REMOTE statement.
Traditional Note: This _OS_AUTHE ALTER
Auditing parameter NT'; SYSTEM SET
• Level 1 - has been REMOTE_OS
RDBMS deprecated _AUTHENT =
using in 12.1 and Ensure FALSE
Unified higher VALUE is set SCOPE =
Auditing versions. to FALSE. SPFILE;
2.2.8  Ensure 'REMOTE_OS_AUTHENT' IsPermitting
Set to 'FALSE'
OS (Scored)
 To assess
this
recommend
ation,
execute the
following
SQL
statement.
SELECT To
UPPER(VAL remediate
UE) FROM this setting,
V$SYSTEM_ execute the
• Level 1 - PARAMETER following
RDBMS WHERE SQL
using UPPER(NAM statement.
Traditional E)='REMOTE ALTER
Auditing _OS_ROLES'; SYSTEM SET
• Level 1 - REMOTE_OS
RDBMS _ROLES =
using Ensure FALSE
Unified VALUE is set SCOPE =
Auditing to FALSE. SPFILE;
2.2.9  Ensure 'REMOTE_OS_ROLES'
The remote_os
Is SetAllowing
to 'FALSE'
remo
(Scored)
 To assess
this
recommend
ation,
execute the
The following
utl_file_dir SQL
setting statement
allows (keep in
packages mind this is
like utl_file unsupporte
to access d in 18c+ so
(read/write/ it will always
modify/dele pass)
te) files SELECT
specified in VALUE
utl_file_dir. FROM
This setting V$SYSTEM_ To
should have PARAMETER remediate
• Level 1 - an empty WHERE this setting,
RDBMS value. UPPER(NAM execute the
using Note: The E)='UTL_FILE following
Traditional utl_file_dir _DIR'; SQL
Auditing parameter statement.
• Level 1 - has been ALTER
RDBMS deprecated Ensure SYSTEM SET
using in 12.2 and VALUE is UTL_FILE_DI
Unified higher empty. R = '' SCOPE
Auditing versions. = SPFILE;
2.2.10  Ensure 'UTL_FILE_DIR' Is Empty (Scored)
Using the utl_
 To assess
this
recommend
ation,
The execute the
SEC_CASE_S following
ENSITIVE_L SQL
OGON statement.
information SELECT
determines UPPER(VAL To
whether or UE) FROM remediate
not case- V$SYSTEM_ this setting,
sensitivity is PARAMETER execute the
• Level 1 - required for WHERE following
RDBMS passwords UPPER(NAM SQL
using during login. E)='SEC_CAS statement.
Traditional Note: This E_SENSITIVE ALTER
Auditing parameter _LOGON'; SYSTEM SET
• Level 1 - has been SEC_CASE_S
RDBMS deprecated ENSITIVE_L
using in 12.1 and Ensure OGON =
Unified higher VALUE is set TRUE SCOPE
Auditing versions. to TRUE. = SPFILE;
2.2.11  Ensure 'SEC_CASE_SENSITIVE_LOGON'
Oracle Isdataba
Set to 'TRUE' (Scored)
 To assess
this
recommend
ation,
execute the
following
SQL
statement.
SELECT
UPPER(VAL
The UE) FROM To
SEC_MAX_F V$SYSTEM_ remediate
AILED_LOGI PARAMETER this setting,
N_ATTEMPT WHERE execute the
• Level 1 - S parameter UPPER(NAM following
RDBMS determines E)='SEC_MA SQL
using how many X_FAILED_L statement.
Traditional failed login OGIN_ATTE ALTER
Auditing attempts MPTS'; SYSTEM SET
• Level 1 - are allowed SEC_MAX_F
RDBMS before AILED_LOGI
using Oracle Ensure N_ATTEMPT
Unified closes the VALUE is set S = 3 SCOPE
Auditing login to 3. = SPFILE;
2.2.12  Ensure 'SEC_MAX_FAILED_LOGIN_ATTEMPTS'
connection. Allowing an u Is '3' or Less (Scored)
 The
SEC_PROTO
COL_ERROR To assess
_FURTHER_ this
ACTION recommend
setting ation,
determines execute the
the Oracle following
server's SQL
response to statement.
bad/malfor SELECT
med packets UPPER(VAL To
received UE) FROM remediate
from the V$SYSTEM_ this setting,
client. This PARAMETER execute the
setting WHERE following
should have UPPER(NAM SQL
• Level 1 - a value of E)='SEC_PR statement.
RDBMS DROP,3, OTOCOL_ER ALTER
using which will ROR_FURTH SYSTEM SET
Traditional cause a ER_ACTION'; SEC_PROTO
Auditing connection COL_ERROR
• Level 1 - to be _FURTHER_
RDBMS dropped Ensure ACTION =
using after three VALUE is set 'DROP,3'
Unified bad/malfor to DROP,3. SCOPE =
Auditing med SPFILE;
2.2.13  Ensure 'SEC_PROTOCOL_ERROR_FURTHER_ACTION'
packets. Bad packets r Is Set to 'DROP,3' (Scored)
 generating
ALERT, LOG,
or TRACE
levels of
detail in the
log files.
This setting
should have
a value of
LOG unless
the
organization To assess
has a this
compelling recommend
reason to ation,
use a execute the
different following
value SQL
because statement.
LOG should SELECT
cause the UPPER(VAL
necessary UE) FROM To
information V$SYSTEM_ remediate
to be PARAMETER this setting,
logged. WHERE execute the
Setting the UPPER(NAM following
• Level 1 - value as E)='SEC_PR SQL
RDBMS TRACE can OTOCOL_ER statement.
using generate an ROR_TRACE ALTER
Traditional enormous _ACTION'; SYSTEM SET
Auditing amount of SEC_PROTO
• Level 1 - log output COL_ERROR
RDBMS and should Ensure _TRACE_AC
using be reserved VALUE is set TION=LOG
Unified for to LOG. SCOPE =
Auditing debugging SPFILE;
2.2.14  Ensure 'SEC_PROTOCOL_ERROR_TRACE_ACTION'
only. Bad packets r Is Set to 'LOG' (Scored)
 The To assess
information this
about recommend
patch/updat ation,
e release execute the
number following
provides SQL
information statement.
about the SELECT To
exact UPPER(VAL remediate
patch/updat UE) FROM this setting,
e release V$SYSTEM_ execute the
that is PARAMETER following
currently WHERE SQL
• Level 1 - running on UPPER(NAM statement.
RDBMS the E)='SEC_RET ALTER
using database. URN_SERVE SYSTEM SET
Traditional This is R_RELEASE_ SEC_RETUR
Auditing sensitive BANNER'; N_SERVER_
• Level 1 - information RELEASE_BA
RDBMS that should NNER =
using not be Ensure FALSE
Unified revealed to VALUE is set SCOPE =
Auditing anyone who to FALSE. SPFILE;
2.2.15  Ensure 'SEC_RETURN_SERVER_RELEASE_BANNER'
requests it. Allowing the Is Set to 'FALSE' (Scored)
 execute the
following
SQL
statement.

SELECT
DISTINCT
UPPER(V.VA
LUE),
DECODE
(V.CON_ID,0
The ,(SELECT
SQL92_SEC NAME
URITY FROM
parameter V$DATABAS
setting TRUE E),
requires 1,(SELECT
that a user NAME
must also be FROM
granted the V$DATABAS
SELECT E), (SELECT
object NAME
privilege FROM
before being V$PDBS B To
able to WHERE remediate
perform V.CON_ID = this setting,
• Level 1 - UPDATE or B.CON_ID)) execute the
RDBMS DELETE FROM following
using operations V$SYSTEM_ SQL
Traditional on tables PARAMETER statement.
Auditing that have V ALTER
• Level 1 - WHERE or WHERE SYSTEM SET
RDBMS SET clauses. UPPER(NAM SQL92_SEC
using The setting E) = URITY =
Unified should have 'SQL92_SEC TRUE SCOPE
Auditing a value of URITY'; = SPFILE;
2.2.16  Ensure 'SQL92_SECURITY'
TRUE. Is Set to
A user
'TRUE'
withou
(Scored) FALSE
 A VALUE
equal to
FALSE or
lack of
results
implies
compliance.
Please note
that the
assessment
SQL relies
on X_$
views which
should be
created per
Appendix 8.
BELOW SQL
The NO LONGER
_trace_files WORKS FOR
_public Oracle12c To
setting FOR remediate
determines UNDOCUME this setting,
whether or NTED execute the
not the PARAMETER following
• Level 1 - system's S. SQL
RDBMS trace file is SELECT statement.
using world VALUE
Traditional readable. FROM ALTER
Auditing This setting V$SYSTEM_ SYSTEM SET
• Level 1 - should have PARAMETER "_trace_files
RDBMS a value of WHERE _public" =
using FALSE to NAME='_tra FALSE
Unified restrict ce_files_pub SCOPE =
Auditing trace file lic'; SPFILE;
2.2.17  Ensure '_trace_files_public'
access. Is SetMaking
to 'FALSE'
the (Scored)
fi
 SELECT
DISTINCT
UPPER(V.VA
LUE),
DECODE
(V.CON_ID,0
,(SELECT
NAME
FROM
V$DATABAS
E),
1,(SELECT
NAME
FROM
V$DATABAS
E), (SELECT
NAME
FROM
V$PDBS B
WHERE
V.CON_ID =
B.CON_ID))
FROM To
V$SYSTEM_ remediate
RESOURCE_ PARAMETER this setting,
LIMIT V execute the
• Level 1 - determines WHERE following
RDBMS whether UPPER(NAM SQL
using resource E) = statement.
Traditional limits are 'RESOURCE_
Auditing enforced in LIMIT'; ALTER
• Level 1 - database SYSTEM SET
RDBMS profiles. This RESOURCE_
using setting Ensure LIMIT =
Unified should have VALUE is set TRUE SCOPE
Auditing a value of to TRUE. = SPFILE;
2.2.18  Ensure 'RESOURCE_LIMIT'
TRUE. Is Set IftoRESOURCE_L
'TRUE' (Scored) FALSE
3  Oracle Connection and Login Restrictions
 FAULT' IN_ATTEMP
AND TS value can
RESOURCE_ also be set
NAME='FAIL in
ED_LOGIN_ sqlnet.ora,
The ATTEMPTS' this only
FAILED_LOG AND applies to
IN_ATTEMP CON_ID = listed users.
TS setting P.CON_ID), The similar
determines 'UNLIMITED' setting used
how many ,'9999',P.LI to block a
failed login MIT)) > 5 DDoS, the
attempts AND SEC_MAX_F
are P.RESOURCE AILED_LOGI
permitted _NAME = N_ATTEMPT
before the 'FAILED_LO S
system locks GIN_ATTEM initialization
the user's PTS' parameter,
account. AND EXISTS can be used
While ( SELECT 'X' to protect
different FROM unauthorize
profiles can CDB_USERS d intruders
have U WHERE from
different U.PROFILE = attacking
and more P.PROFILE ) the server
restrictive ORDER BY processes
• Level 1 - settings, CON_ID, for
RDBMS such as PROFILE, applications,
using USERS and RESOURCE_ but this
Traditional APPS, the NAME; setting does
Auditing minimum(s) not protect
• Level 1 - recommend against
RDBMS ed here Lack of unauthorize
using should be results d attempts
Unified set on the implies via valid
Auditing DEFAULT compliance. usernames.
3.1  Ensure 'FAILED_LOGIN_ATTEMPTS'
profile. Repeated
Is Less than
failor Equal to '5' (Scored)
 FAULT'
AND
RESOURCE_
NAME='PAS
SWORD_LO
CK_TIME'
AND
CON_ID =
P.CON_ID),
'UNLIMITED'
,'9999',P.LI
MIT)) < 1
AND
P.RESOURCE
The _NAME =
PASSWORD 'PASSWORD
_LOCK_TIM _LOCK_TIM
E setting E' Remediate
determines AND EXISTS this setting
how many ( SELECT 'X' by executing
days must FROM the
pass for the CDB_USERS following
user's U WHERE SQL
account to U.PROFILE = statement
be unlocked P.PROFILE ) for each
after the set ORDER BY PROFILE
• Level 1 - number of CON_ID, returned by
RDBMS failed login PROFILE, the audit
using attempts RESOURCE_ procedure.
Traditional has NAME; ALTER
Auditing occurred. PROFILE
• Level 1 - The <profile_na
RDBMS suggested Lack of me> LIMIT
using value for results PASSWORD
Unified this is one implies _LOCK_TIM
Auditing day or compliance. E 1;
3.2  Ensure 'PASSWORD_LOCK_TIME'
greater. Is Locking
Greater the
thanu or Equal to '1' (Scored)
 AND
RESOURCE_
NAME='PAS
SWORD_LIF
E_TIME'
AND
CON_ID =
P.CON_ID),
'UNLIMITED'
,'9999',
P.LIMIT)) >
90
AND
P.RESOURCE
_NAME =
'PASSWORD
_LIFE_TIME' Remediate
AND EXISTS this setting
( SELECT 'X' by executing
The FROM the
PASSWORD CDB_USERS following
_LIFE_TIME U WHERE SQL
setting U.PROFILE = statement
determines P.PROFILE ) for each
how long a ORDER BY PROFILE
• Level 1 - password CON_ID, returned by
RDBMS may be used PROFILE, the audit
using before the RESOURCE_ procedure.
Traditional user is NAME; ALTER
Auditing required to PROFILE
• Level 1 - be change <profile_na
RDBMS it. The Lack of me> LIMIT
using suggested results PASSWORD
Unified value for implies _LIFE_TIME
Auditing this is 90 compliance. 90;
3.3  Ensure 'PASSWORD_LIFE_TIME'
days or less.
Is Less
Allowing
than or
pass
Equal to '90' (Scored)
 FAULT'
AND
RESOURCE_
NAME='PAS
SWORD_RE
USE_MAX'
AND
CON_ID =
P.CON_ID),
'UNLIMITED'
,'9999',P.LI
MIT)) < 20
AND
P.RESOURCE
_NAME =
'PASSWORD
_REUSE_MA
The X' Remediate
PASSWORD AND EXISTS this setting
_REUSE_MA ( SELECT 'X' by executing
X setting FROM the
determines CDB_USERS following
how many U WHERE SQL
different U.PROFILE = statement
passwords P.PROFILE ) for each
must be ORDER BY PROFILE
• Level 1 - used before CON_ID, returned by
RDBMS the user is PROFILE, the audit
using allowed to RESOURCE_ procedure.
Traditional reuse a prior NAME; ALTER
Auditing password. PROFILE
• Level 1 - The <profile_na
RDBMS suggested Lack of me> LIMIT
using value for results PASSWORD
Unified this is 20 implies _REUSE_MA
Auditing passwords compliance. X 20;
3.4  Ensure 'PASSWORD_REUSE_MAX'
or greater. IsAllowing
Greater reus
than or Equal to '20' (Scored)
 FAULT'
AND
RESOURCE_
NAME='PAS
SWORD_RE
USE_TIME'
AND
CON_ID =
P.CON_ID),
'UNLIMITED'
,'9999',P.LI
MIT)) < 365
AND
P.RESOURCE
_NAME =
'PASSWORD
_REUSE_TI
ME' Remediate
The AND EXISTS this setting
PASSWORD ( SELECT 'X' by executing
_REUSE_TI FROM the
ME setting CDB_USERS following
determines U WHERE SQL
the amount U.PROFILE = statement
of time in P.PROFILE ) for each
days that ORDER BY PROFILE
• Level 1 - must pass CON_ID, returned by
RDBMS before the PROFILE, the audit
using same RESOURCE_ procedure.
Traditional password NAME; ALTER
Auditing may be PROFILE
• Level 1 - reused. The <profile_na
RDBMS suggested Lack of me> LIMIT
using value for results PASSWORD
Unified this is 365 implies _REUSE_TI
Auditing days or compliance. ME 365;
3.5  Ensure 'PASSWORD_REUSE_TIME'
greater. IsReusing
Greaterthe
than
s or Equal to '365' (Scored)
 FAULT'
AND
RESOURCE_
NAME='PAS
SWORD_GR
ACE_TIME'
AND
CON_ID =
P.CON_ID),
'UNLIMITED'
,'9999',P.LI
MIT)) > 5
AND
P.RESOURCE
_NAME =
'PASSWORD
The _GRACE_TI
PASSWORD ME' Remediate
_GRACE_TI AND EXISTS this setting
ME setting ( SELECT 'X' by executing
determines FROM the
how many CDB_USERS following
days can U WHERE SQL
pass after U.PROFILE = statement
the user's P.PROFILE ) for each
password ORDER BY PROFILE
• Level 1 - expires CON_ID, returned by
RDBMS before the PROFILE, the audit
using user's login RESOURCE_ procedure.
Traditional capability is NAME; ALTER
Auditing automaticall PROFILE
• Level 1 - y locked <profile_na
RDBMS out. The Lack of me> LIMIT
using suggested results PASSWORD
Unified value for implies _GRACE_TI
Auditing this is five compliance. ME 5;
3.6  Ensure 'PASSWORD_GRACE_TIME'
days or less. IsLocking
Less than
the or
u Equal to '5' (Scored)
 PROFILE='DE
FAULT'
AND
RESOURCE_
NAME =
P.RESOURCE
_NAME AND
CON_ID =
P.CON_ID),
LIMIT) =
The 'NULL'
PASSWORD AND
_VERIFY_FU P.RESOURCE
NCTION _NAME =
determines 'PASSWORD
password _VERIFY_FU
settings NCTION'
requirement AND EXISTS
s when a ( SELECT 'X'
user FROM
password is CDB_USERS
changed at U
the SQL WHERE
command U.PROFILE =
prompt. It P.PROFILE )
should be ORDER BY Create a
• Level 1 - set for all CON_ID, custom
RDBMS profiles. PROFILE, password
using Note that RESOURCE_ verification
Traditional this setting NAME; function
Auditing does not which fulfills
• Level 1 - apply for the
RDBMS users Lack of password
using managed by results requirement
Unified the Oracle implies s of the
Auditing password compliance. organization
3.7  Ensure 'PASSWORD_VERIFY_FUNCTION'
file. Requiring
Is Setuse
for All Profiles (Scored)
.
 PROFILE='DE
FAULT'

AND
RESOURCE_
NAME='SESS
IONS_PER_
USER' AND
CON_ID =
P.CON_ID),
'UNLIMITED'
,'9999',P.LI
MIT)) > 10
AND
P.RESOURCE
_NAME =
'SESSIONS_P
ER_USER'
The AND EXISTS To
SESSIONS_P ( SELECT 'X' remediate
ER_USER FROM this setting,
setting CDB_USERS execute the
determines U WHERE following
the U.PROFILE = SQL
maximum P.PROFILE ) statement
number of ORDER BY for each
• Level 1 - user CON_ID, PROFILE
RDBMS sessions PROFILE, returned by
using that are RESOURCE_ the audit
Traditional allowed to NAME; procedure.
Auditing be open ALTER
• Level 1 - concurrently PROFILE
RDBMS . The Lack of <profile_na
using suggested results me> LIMIT
Unified value for implies SESSIONS_P
Auditing this is 10 or compliance. ER_USER 10;
3.8  Ensure 'SESSIONS_PER_USER'
less. Is LessLimiting
than orthe
Equal to '10' (Scored)
 CDB_PROFIL
ES
WHERE
PROFILE='DE
FAULT'
AND
RESOURCE_
NAME='INA
CTIVE_ACCO
UNT_TIME'
AND
CON_ID =
P.CON_ID),
'UNLIMITED'
,'9999',
P.LIMIT)) >
120
The AND To
'INACTIVE_A P.RESOURCE remediate
CCOUNT_TI _NAME = this setting,
ME' setting 'INACTIVE_A execute the
determines CCOUNT_TI following
the ME' SQL
maximum AND EXISTS statement
number of ( SELECT 'X' for each
days of FROM PROFILE
• Level 1 - inactivity CDB_USERS returned by
RDBMS (no logins at U WHERE the audit
using all) after U.PROFILE = procedure.
Traditional which the P.PROFILE ); ALTER
Auditing account will PROFILE
• Level 1 - be locked. <profile_na
RDBMS The Lack of me> LIMIT
using suggested results INACTIVE_A
Unified value for implies CCOUNT_TI
Auditing this is 120 or compliance. ME 10;
3.9  Ensure 'INACTIVE_ACCOUNT_TIME'
less. Setting
Is Less than
'INACor Equal to '120' (Scored) 76
4  Users
 Note: Per from
Oracle dba_users_
Support with_defpw
Document d
2173962.1, where
"after username
creation of a not like
new 12c '%XS$NULL
database, %')
the loop
DBMS_OUT
SYS and PUT.PUT_LI
SYSTEM NE('Passwor
accounts are d for user
listed in '||
DBA_USERS r_user.usern
_WITH_DEF ame||' will
PWD even be
though the changed.');
accounts execute
were immediate
created with 'alter user
non-default "'||
passwords. r_user.usern
Setting the ame||'"
same identified by
• Level 1 - passwords "'||
RDBMS again with DBMS_RAN
using ALTER USER DOM.string(
Traditional correctly 'a',16)||'"ac
Auditing Default recognizes count lock
• Level 1 - passwords that the password
RDBMS should not accounts do expire'; end
using be used by not have loop;
Unified Oracle default end;
Auditing database passwords."
4.1  Ensure All Default Passwords
users. Are Changed
Default(Scored)
passw
 A.USERNAM first verify
E, To that BI, HR,
DECODE remediate IX, OE, PM,
(A.CON_ID,0 this setting, SCOTT,
,(SELECT execute the and/or SH
NAME following are not valid
FROM SQL production
V$DATABAS statement, usernames
E), keeping in before
1,(SELECT mind if this executing
NAME is granted in the
FROM both dropping
Oracle V$DATABAS container SQL scripts.
sample E), and This may be
schemas can (SELECT pluggable particularly
be used to NAME database, true with
create FROM you must the HR and
sample V$PDBS B connect to BI users. If
users WHERE both places any of these
(BI,HR,IX,OE, A.CON_ID = to run the users are
PM,SCOTT,S B.CON_ID)) drop script. present, it is
H), with FROM $ORACLE_H important to
well-known CDB_USERS OME/ be cautious
default A demo/ and confirm
passwords, WHERE schema/ the schemas
particular A.USERNAM drop_sch.sql present are,
• Level 1 - views, and E IN in fact,
RDBMS procedures/ ('BI','HR','IX', Oracle
using functions, in 'OE','PM','SC Then, sample
Traditional addition to OTT','SH'); execute the schemas
Auditing tables and following and not
• Level 1 - fictitious SQL production
RDBMS data. The Lack of statement. schemas
using sample results DROP USER being relied
Unified schemas implies SCOTT upon by
Auditing should be compliance. CASCADE; business
4.2  Ensure All Sample Dataremoved.
And Users Have
The sample
Been Removed
sc (Scored) operations.
 statement.
SELECT
A.USERNAM
E,
DECODE
(A.CON_ID,0
,(SELECT
NAME
FROM
V$DATABAS
E),
1,(SELECT
NAME To
FROM remediate
V$DATABAS this setting,
The E), (SELECT execute the
authenticati NAME following
on_type='EX FROM SQL
TERNAL' V$PDBS B statement,
setting WHERE keeping in
determines A.CON_ID = mind if this
whether or B.CON_ID)) is granted in
not a user FROM both
can be CDB_USERS container
authenticate A and
d by a WHERE pluggable
• Level 1 - remote OS AUTHENTIC database,
RDBMS to allow ATION_TYPE you must
using access to = connect to
Traditional the 'EXTERNAL'; both places
Auditing database to revoke.
• Level 1 - with full ALTER USER
RDBMS authorizatio Lack of <username>
using n. This results IDENTIFIED
Unified setting implies BY
Auditing should not compliance. <password>;
4.3  Ensure 'DBA_USERS.AUTHENTICATION_TYPE'
be used. Allowing remo
Is Not Set to 'EXTERNAL' for Any User (Scored)
 NAME
FROM
V$DATABAS To
E), remediate
1,(SELECT this
NAME recommend
FROM ation,
V$DATABAS execute the
E), following
(SELECT SQL
NAME statement
FROM for each
V$PDBS B user
WHERE returned by
A.CON_ID = the audit
B.CON_ID)) query using
FROM a functional-
CDB_USERS appropriate
A profile,
WHERE keeping in
A.PROFILE=' mind if this
DEFAULT' is granted in
Upon AND both
creation A.ACCOUNT container
database _STATUS='O and
users are PEN' pluggable
• Level 1 - assigned to AND database,
RDBMS the A.ORACLE_ you must
using DEFAULT MAINTAINE connect to
Traditional profile D = 'N'; both places
Auditing unless to revoke.
• Level 1 - otherwise ALTER USER
RDBMS specified. Lack of <username>
using No users results PROFILE
Unified should be implies <appropriat
Auditing assigned to compliance. e_profile>;
4.4  Ensure No Users Are Assigned
that profile.
the 'DEFAULT'
Users should
Profile (Scored)
 TABLE_NAM
E,
DECODE
(A.CON_ID,0
,(SELECT
NAME
FROM
V$DATABAS
E),
1,(SELECT
NAME
FROM
V$DATABAS
E),
(SELECT
NAME To
FROM remediate
V$PDBS B this setting,
WHERE execute the
A.CON_ID = following
B.CON_ID)) SQL
FROM statement,
The table CDB_TABLES keeping in
sys.user$mi A mind if this
g is created WHERE is granted in
during TABLE_NAM both
• Level 1 - migration E='USER$MI container
RDBMS and G' AND and
using contains the OWNER='SY pluggable
Traditional Oracle S'; database,
Auditing password you must
• Level 1 - hashes connect to
RDBMS before the Lack of both places
using migration results to revoke.
Unified starts. This implies DROP TABLE
Auditing table should compliance. SYS.USER$M
4.5  Ensure 'SYS.USER$MIG'beHas
dropped.
Been Dropped
The table
(Scored)
sys IG;
 SQL
statement.
SELECT
DB_LINK,
HOST,
DECODE
(A.CON_ID,0
,(SELECT
NAME
FROM
V$DATABAS
E),
1,(SELECT To
NAME remediate
FROM this setting,
V$DATABAS execute the
E), following
(SELECT SQL
NAME statement,
FROM keeping in
V$PDBS B mind if this
WHERE is granted in
A.CON_ID = both
B.CON_ID)) container
FROM and
CDB_DB_LIN pluggable
KS A database,
WHERE you must
OWNER = connect to
Public 'PUBLIC'; both places
Database to revoke.
links are DROP
• Level 1 - used to Lack of PUBLIC
RDBMS allow results DATABASE
using connections implies LINK
Traditional between compliance. <DB_LINK>;
4.6  Ensure No Auditing
Public Database
databases.
Links Exist
Using
(Scored)
public
5  Privileges & Grants & ACLs
5.1  Excessive Table, View and Package Privileges
5.1.1  Public Privileges
 database according to FROM PUBLIC;
UTL_ORAMT the needs of V$PDBS B REVOKE
S package the WHERE EXECUTE ON
can be used organization A.CON_ID = UTL_TCP
to perform . B.CON_ID)) FROM
HTTP • The FROM PUBLIC;
requests. UTL_HTTP CDB_TAB_P REVOKE
This could package RIVS A EXECUTE ON
be used to could be WHERE UTL_MAIL
send used to GRANTEE='P FROM
information send UBLIC' AND PUBLIC;
to the (sensitive) PRIVILEGE=' REVOKE
outside. information EXECUTE' EXECUTE ON
• The Oracle to external AND UTL_SMTP
database websites. TABLE_NAM FROM
UTL_HTTP • The use of E IN PUBLIC;
package can this package ('DBMS_LDA REVOKE
be used to should be P','UTL_INA EXECUTE ON
perform restricted DDR','UTL_T UTL_DBWS
HTTP according to CP','UTL_M FROM
requests. the needs of AIL','UTL_S PUBLIC;
This could the MTP','UTL_ REVOKE
be used to organization DBWS','UTL EXECUTE ON
send . _ORA UTL_ORAMT
information • The ability MTS','UTL_H S FROM
to the to perform TTP','HTTPU PUBLIC;
• Level 1 - outside. HTTP RITYPE') REVOKE
RDBMS • The Oracle requests ORDER BY EXECUTE ON
using database could be CON_ID, UTL_HTTP
Traditional HTTPURITYP used to leak TABLE_NAM FROM
Auditing E object information E; PUBLIC;
• Level 1 - type can be from the REVOKE
RDBMS used to database to Lack of EXECUTE ON
using perform an external results HTTPURITYP
Unified HTTP destination. implies E FROM
Auditing requests. compliance. PUBLIC;
5.1.1.1  Ensure 'EXECUTE' is revoked from 'PUBLIC' on "Network" Packages (Scored)
 provides unauthorize 1,(SELECT
subprogram d user to NAME
s that can manipulate FROM To
manipulate BLOB's, V$DATABAS remediate
and CLOB's, E), this setting,
read/write NCLOB's, (SELECT execute the
on BLOB's, BFILE's, and NAME following
CLOB's, temporary FROM SQL
NCLOB's, LOBs on the V$PDBS B statement,
BFILE's, and instance, WHERE keeping in
temporary either A.CON_ID = mind if this
LOB's. The destroying B.CON_ID)) is granted in
user PUBLIC data or FROM both
should not causing a CDB_TAB_P container
be able to denial-of- RIVS A and
execute service WHERE pluggable
DBMS_LOB. condition GRANTEE='P database,
• The Oracle due to UBLIC' AND you must
database corruption PRIVILEGE=' connect to
UTL_FILE of disk EXECUTE' both places
package can space. AND to revoke.
be used to • Use of the TABLE_NAM REVOKE
read/write UTL_FILE E IN EXECUTE ON
files located package ('DBMS_AD DBMS_ADVI
on the could allow VISOR','DBM SOR FROM
server a user to S_LOB','UTL PUBLIC;
• Level 1 - where the read OS _FILE') REVOKE
RDBMS Oracle files. These ORDER BY EXECUTE ON
using instance is files could CON_ID, DBMS_LOB
Traditional installed. contain TABLE_NAM FROM
Auditing The user sensitive E; PUBLIC;
• Level 1 - PUBLIC information REVOKE
RDBMS should not (e.g. Lack of EXECUTE ON
using be able to passwords results UTL_FILE
Unified execute in .bash_hist implies FROM
Auditing UTL_FILE. ory) compliance. PUBLIC;
5.1.1.2  Ensure 'EXECUTE' is revoked from 'PUBLIC' on "File System" Packages (Scored)
 TOOLKIT • Execution E), To
provides of the (SELECT remediate
one of the DBMS_CRYP NAME this setting,
tools that TO FROM execute the
determine procedures V$PDBS B following
the strength by the WHERE SQL
of the PUBLIC can A.CON_ID = statement,
encryption potentially B.CON_ID)) keeping in
algorithm endanger FROM mind if this
used to portions of CDB_TAB_P is granted in
encrypt or all of the RIVS A both
application data WHERE container
data and is storage. GRANTEE='P and
part of the • Allowing UBLIC' AND pluggable
SYS schema. the PUBLIC PRIVILEGE=' database,
The DES (56- privileges to EXECUTE' you must
bit key) and access this AND connect to
3DES (168- capability TABLE_NAM both places
bit key) are can be E IN to revoke.
the only two potentially ('DBMS_CRY REVOKE
types harm data PTO','DBMS EXECUTE ON
available. storage. _OBFUSCATI DBMS_CRYP
• The Oracle • Use of the ON_TOOLKI TO FROM
database DBMS_RAN T', PUBLIC;
DBMS_RAN DOM 'DBMS_RAN REVOKE
DOM package can DOM') EXECUTE ON
• Level 1 - package is allow the ORDER BY DBMS_OBF
RDBMS used for unauthorize CON_ID, USCATION_
using generating d TABLE_NAM TOOLKIT
Traditional random application E; FROM
Auditing numbers of the PUBLIC;
• Level 1 - but should random REVOKE
RDBMS not be used number- Lack of EXECUTE ON
using for generating results DBMS_RAN
Unified cryptographi function. implies DOM FROM
Auditing c purposes. compliance. PUBLIC;
5.1.1.3  Ensure 'EXECUTE' is revoked from 'PUBLIC' on "Encryption" Packages (Scored)
 DBMS_JAVA As described 1,(SELECT
package can below, NAME
run Java Oracle FROM
classes (e.g. Database V$DATABAS
OS PL/SQL E),
commands) "Java" (SELECT
or grant packages - NAME
Java DBMS_JAVA FROM To
privileges. and V$PDBS B remediate
The user DBMS_JAVA WHERE this setting,
PUBLIC _TEST – A.CON_ID = execute the
should not should not B.CON_ID)) following
be able to be granted FROM SQL
execute to PUBLIC. CDB_TAB_P statement,
DBMS_JAVA RIVS A keeping in
. • The WHERE mind if this
• The Oracle DBMS_JAVA GRANTEE='P is granted in
database package UBLIC' AND both
DBMS_JAVA could allow PRIVILEGE=' container
_TEST an attacker EXECUTE' and
package can to run OS AND pluggable
run Java commands TABLE_NAM database,
classes (e.g. from the E IN you must
OS database. ('DBMS_JAV connect to
commands) • The A','DBMS_JA both places
or grant DBMS_JAVA VA_TEST') to revoke.
• Level 1 - Java _TEST ORDER BY REVOKE
RDBMS privileges. package CON_ID, EXECUTE ON
using The user could allow TABLE_NAM DBMS_JAVA
Traditional PUBLIC an attacker E; FROM
Auditing should not to run PUBLIC;
• Level 1 - be able to operating REVOKE
RDBMS execute system Lack of EXECUTE ON
using DBMS_JAVA commands results DBMS_JAVA
Unified _TEST. from the implies _TEST FROM
Auditing database. compliance. PUBLIC;
5.1.1.4  Ensure 'EXECUTE' is revoked from 'PUBLIC' on "Java" Packages (Scored)
 PUBLIC DULER 1,(SELECT
should not and NAME
be able to DBMS_JOB FROM
execute – should not V$DATABAS
DBMS_SCHE be granted E),
DULER. to the user (SELECT
• The Oracle PUBLIC. NAME To
database FROM remediate
DBMS_JOB • Use of the V$PDBS B this setting,
package DBMS_SCHE WHERE execute the
schedules DULER A.CON_ID = following
and package B.CON_ID)) SQL
manages could allow FROM statement,
the jobs an CDB_TAB_P keeping in
sent to the unauthorize RIVS A mind if this
job queue d user to WHERE is granted in
and has run GRANTEE='P both
been database or UBLIC' AND container
superseded operating PRIVILEGE=' and
by the system jobs. EXECUTE' pluggable
DBMS_SCHE • Use of the AND database,
DULER DBMS_JOB TABLE_NAM you must
package, package E IN connect to
even though could allow ('DBMS_SCH both places
DBMS_JOB an EDULER','DB to revoke.
has been unauthorize MS_JOB') REVOKE
• Level 1 - retained for d user to ORDER BY EXECUTE ON
RDBMS backwards disable or CON_ID, DBMS_JOB
using compatibilit overload the TABLE_NAM FROM
Traditional y. The user job queue. It E; PUBLIC;
Auditing PUBLIC has been REVOKE
• Level 1 - should not superseded EXECUTE ON
RDBMS be able to by the Lack of DBMS_SCHE
using execute DBMS_SCHE results DULER
Unified DBMS_JOB. DULER implies FROM
Auditing package. compliance. PUBLIC;
5.1.1.5  Ensure 'EXECUTE' is revoked from 'PUBLIC' on "Job Scheduler" Packages (Scored)
 functionality exploit the A.CON_ID = REVOKE
. It accepts a DBMS_XLM B.CON_ID)) EXECUTE ON
table name STORE FROM DBMS_XML
and XML as package as CDB_TAB_P GEN FROM
input to an auxiliary RIVS A PUBLIC;
perform inject WHERE REVOKE
DML function in a GRANTEE='P EXECUTE ON
operations SQL UBLIC' AND DBMS_XML
against the injection PRIVILEGE=' QUERY
table. attack. EXECUTE' FROM
• The AND PUBLIC;
DBMS_XLM • Malicious TABLE_NAM REVOKE
SAVE users may E IN EXECUTE ON
package be able to ('DBMS_SQL DBMS_XML
provides exploit the ', SAVE FROM
XML DBMS_XLM 'DBMS_XML PUBLIC;
functionality SAVE GEN', REVOKE
. It accepts a package as 'DBMS_XML EXECUTE ON
table name an auxiliary QUERY','DB DBMS_XML
and XML as inject MS_XMLST STORE
input and function in a ORE','DBMS FROM
then inserts SQL _XMLSAVE',' PUBLIC;
into or injection DBMS_AW',' REVOKE
updates that attack. OWA_UTIL',' EXECUTE ON
table. • Malicious DBMS_RED DBMS_AW
• The users may ACT') FROM
• Level 1 - DBMS_RED be able to ORDER BY PUBLIC;
RDBMS ACT package exploit CON_ID, REVOKE
using provides an DBMS_RED TABLE_NAM EXECUTE ON
Traditional interface to ACT as an E; OWA_UTIL
Auditing Oracle Data auxiliary FROM
• Level 1 - Redaction, inject PUBLIC;
RDBMS which function in a Lack of REVOKE
using enables you SQL results EXECUTE ON
Unified to mask injection implies DBMS_RED
Auditing (redact) attack. compliance. ACT FROM
5.1.1.6  Ensure 'EXECUTE' isdata
revoked
that isfrom 'PUBLIC' on "SQL Injection
PUBLIC;
Helper" Packages (Scored)
5.1.2  Non-Default Privileges
 database WWV_DBM ER','DBMS_S AMS_RPC
server to S_SQL. YS_SQL','DB FROM
another. • The MS_AQADM PUBLIC;
• The Oracle WWV_EXEC _SYSCAL REVOKE
database UTE_IMMED LS','DBMS_R EXECUTE ON
DBMS_SYS_ IATE EPCAT_SQL_ DBMS_PRVT
SQL, package UTL','INITJV AQIM FROM
DBMS_AQA could allow MAUX', PUBLIC;
DM_SYSCAL an 'DBMS_STRE REVOKE
LS, unauthorize AMS_ADM_ EXECUTE ON
DBMS_REPC d user to UTL','DBMS LTADM
AT_SQL_UTL run SQL _AQADM_S FROM
, statements YS','DBMS_S PUBLIC;
INITJVMAUX as the TREAMS_RP REVOKE
, Application C','DBMS_P EXECUTE ON
DBMS_STRE Express RVTAQIM','L WWV_DBM
AMS_ADM_ (APEX) user. S_SQL
UTL, • The TADM','WW FROM
DBMS_AQA DBMS_IJOB V_DBMS_SQ PUBLIC;
DM_SYS, package L', REVOKE
DBMS_STRE could allow 'WWV_EXEC EXECUTE ON
AMS_RPC, an attacker UTE_IMMED WWV_EXEC
DBMS_PRVT to change IATE','DBMS UTE_IMMED
AQIM, identities by _IJOB','DBM IATE FROM
LTADM, using a S_PDB_EXEC PUBLIC;
WWV_DBM different _SQL') REVOKE
• Level 1 - S_SQL, username to ORDER BY EXECUTE ON
RDBMS WWV_EXEC execute a CON_ID, DBMS_IJOB
using UTE_IMMED database TABLE_NAM FROM
Traditional IATE and job. It allows E; PUBLIC;
Auditing DBMS_IJOB a user to run REVOKE
• Level 1 - packages database EXECUTE ON
RDBMS are shipped jobs in the Lack of DBMS_PDB_
using as context of results EXEC_SQL
Unified undocumen another implies FROM
Auditing ted. user. compliance. PUBLIC;
5.1.2.1  Ensure 'EXECUTE' is not granted to 'PUBLIC' on "Non-default" Packages (Scored)
5.1.3  Other Privileges
 SELECT
GRANTEE,
PRIVILEGE,
DECODE
The Oracle (A.CON_ID,0
database ,(SELECT
SYS.AUD$ NAME
table FROM
contains all V$DATABAS
the audit E),
records for 1,(SELECT
the NAME
database of FROM
the non- V$DATABAS To
Data E), remediate
Manipulatio (SELECT this setting,
n Language NAME execute the
(DML) FROM following
events, such V$PDBS B SQL
as ALTER, WHERE statement,
DROP, and Permitting A.CON_ID = keeping in
CREATE, and non- B.CON_ID)) mind if this
so forth. privileged FROM is granted in
(DML users the CDB_TAB_P both
changes authorizatio RIVS A container
need n to WHERE and
• Level 1 - trigger- manipulate TABLE_NAM pluggable
RDBMS based audit the E='AUD$' database,
using events to SYS.AUD$ AND you must
Traditional record data table can OWNER = connect to
Auditing alterations.) allow 'SYS'; both places
• Level 1 - Unauthorize distortion of to revoke.
RDBMS d grantees the audit Lack of REVOKE ALL
using should not records, results ON AUD$
Unified have full hiding implies FROM
Auditing access to unauthorize compliance. <grantee>;
5.1.3.1  Ensure 'ALL' Is Revoked
that table.
from Unauthorized
d activities. 'GRANTEE' on 'AUD$' (Scored)
 FROM
CDB_TAB_P
RIVS A
WHERE Replace
TABLE_NAM <Non-DBA/S
E LIKE 'DBA_ YS grantee>
%' AND in the query
OWNER = below, with
'SYS' the Oracle
AND login(s) or
GRANTEE role(s)
NOT IN returned
(SELECT from the
USERNAME associated
FROM audit
CDB_USERS procedure
WHERE and
ORACLE_MA execute,
INTAINED='Y keeping in
') mind if this
AND is granted in
GRANTEE both
NOT IN container
(SELECT and
ROLE FROM pluggable
CDB_ROLES database,
• Level 1 - WHERE you must
RDBMS ORACLE_MA connect to
using INTAINED='Y both places
Traditional '); to revoke:
Auditing REVOKE ALL
• Level 1 - ON <DBA_
RDBMS Lack of %> FROM
using results <Non-DBA/S
Unified implies YS grantee>;
Auditing compliance.
5.1.3.2  Ensure 'ALL' Is Revoked
The Oracle
from Unauthorized
daPermitting us
'GRANTEE' on 'DBA_%' (Scored)
 d users. R$','USER_H ON
ISTORY$','XS SYS.HIST_HE
• USER$, $VERIFIERS') AD$ FROM
USER_HISTO AND <grantee>;
RY$, OWNER = REVOKE ALL
XS$VERIFIER 'SYS' ON
S and AND SYS.LINK$
DEFAULT_P GRANTEE FROM
WD$ may NOT IN <grantee>;
contain (SELECT REVOKE ALL
password USERNAME ON
hashes. FROM SYS.PDB_SY
• DBA_USERS NC$ FROM
CDB_LOCAL WHERE <grantee>;
_ADMINAUT ORACLE_MA REVOKE ALL
H$ and INTAINED='Y ON
PDB_SYNC$ ') SYS.SCHEDU
may contain AND LER$_CREDE
DDLs. Access to GRANTEE NTIAL FROM
• LINK$ and sensitive NOT IN <grantee>;
SCHEDULER information (SELECT REVOKE ALL
$_CREDENTI such as ROLE FROM ON
AL may hashed DBA_ROLES SYS.USER$
contain passwords WHERE FROM
encrypted may allow ORACLE_MA <grantee>;
passwords. unauthorize INTAINED='Y REVOKE ALL
• Level 1 - • ENC$ may d users to ') ORDER BY ON
RDBMS contains decrypt the CON_ID, SYS.USER_HI
using encryption passwords TABLE_NAM STORY$
Traditional keys. hashes E; FROM
Auditing • HISTGRM$ which could <grantee>;
• Level 1 - and potentially REVOKE ALL
RDBMS HIST_HEAD$ result in Lack of ON
using may contain complete results SYS.XS$VERI
Unified sensitive compromise implies FIERS FROM
Auditing data. of the compliance. <grantee>;
5.1.3.3  Ensure 'ALL' Is Revoked on 'Sensitive'
database.
Tables (Scored)
5.2  Excessive System Privileges
 FROM
CDB_SYS_PR
IVS A
WHERE
PRIVILEGE
LIKE '%ANY
%'
AND
GRANTEE
NOT IN
(SELECT
USERNAME
FROM To
CDB_USERS remediate
WHERE this setting,
execute the
ORACLE_MA following
INTAINED='Y SQL
The Oracle ') statement,
database AND keeping in
ANY GRANTEE mind if this
keyword Authorizatio NOT IN is granted in
provides the n to use the (SELECT both
user the ANY ROLE FROM container
capability to expansion CDB_ROLES and
alter any of a WHERE pluggable
• Level 1 - item in the privilege can ORACLE_MA database,
RDBMS catalog of allow an INTAINED='Y you must
using the unauthorize '); connect to
Traditional database. d user to both places
Auditing Unauthorize potentially to revoke.
• Level 1 - d grantees change REVOKE
RDBMS should not confidential Lack of '<ANY
using have that data or results Privilege>'
Unified keyword damage the implies FROM
Auditing assigned to data compliance. <grantee>;
5.2.1  Ensure '%ANY%' Is Revoked
them. from Unauthorized
catalog. 'GRANTEE' (Scored)
 WHERE
A.CON_ID =
B.CON_ID))
FROM
CDB_SYS_PR
IVS A
WHERE
ADMIN_OPT
ION='YES'
AND
GRANTEE
NOT IN
(SELECT
USERNAME To
FROM remediate
CDB_USERS this setting,
WHERE execute the
ORACLE_MA following
INTAINED='Y SQL
') statement,
AND keeping in
GRANTEE mind if this
NOT IN is granted in
(SELECT both
ROLE FROM container
CDB_ROLES and
• Level 1 - WHERE pluggable
RDBMS ORACLE_MA database,
using INTAINED='Y you must
Traditional '); connect to
Auditing both places
• Level 1 - to revoke.
RDBMS Lack of REVOKE
using results <privilege>
Unified implies FROM
Auditing compliance. <grantee>;
5.2.2  Ensure 'DBA_SYS_PRIVS.%'
The Oracle
Is Revoked
daAssignment
from Unauthorized
of 'GRANTEE' with 'ADMIN_OPTION' Set to 'YES' (Scored)
 DECODE
(A.CON_ID,0
,(SELECT
NAME
FROM
V$DATABAS
E),
1,(SELECT
NAME
FROM
V$DATABAS
E),
(SELECT To
NAME remediate
FROM this setting,
V$PDBS B execute the
WHERE following
A.CON_ID = SQL
B.CON_ID)) statement,
FROM keeping in
CDB_SYS_PR mind if this
IVS A is granted in
WHERE both
PRIVILEGE=' container
EXECUTE and
ANY pluggable
• Level 1 - PROCEDURE database,
RDBMS ' AND you must
using GRANTEE=' connect to
Traditional Remove OUTLN'; both places
Auditing unneeded Migrated to revoke.
• Level 1 - EXECUTE OUTLN REVOKE
RDBMS ANY users have Lack of EXECUTE
using PROCEDURE more results ANY
Unified privileges privileges implies PROCEDURE
Auditing from than compliance. FROM
5.2.3  Ensure 'EXECUTE ANYOUTLN.
PROCEDURE'
required.
Is Revoked from 'OUTLN'OUTLN;
(Scored). 120
 DECODE
(A.CON_ID,0
,(SELECT
NAME
FROM
V$DATABAS
E),
1,(SELECT
NAME
FROM
V$DATABAS
E),
(SELECT To
NAME remediate
FROM this setting,
V$PDBS B execute the
WHERE following
A.CON_ID = SQL
B.CON_ID)) statement,
FROM keeping in
CDB_SYS_PR mind if this
IVS A is granted in
WHERE both
PRIVILEGE=' container
EXECUTE and
ANY pluggable
• Level 1 - PROCEDURE database,
RDBMS ' AND you must
using GRANTEE=' connect to
Traditional DBSNMP'; both places
Auditing to revoke.
• Level 1 - REVOKE
RDBMS Lack of EXECUTE
using results ANY
Unified implies PROCEDURE
Auditing compliance. FROM
5.2.4  Ensure 'EXECUTE ANYRemove
PROCEDURE'
unneMigrated
Is Revoked
DBSfrom 'DBSNMP'
DBSNMP;
(Scored)
 B.CON_ID))
FROM
CDB_SYS_PR
IVS A
WHERE
PRIVILEGE='
SELECT ANY
DICTIONARY
'
AND
GRANTEE
NOT IN
SELECT ANY (SELECT To
DICTIONARY USERNAME remediate
is a FROM this setting,
powerful CDB_USERS execute the
system WHERE following
privilege ORACLE_MA SQL
which would INTAINED='Y statement,
allow an ') keeping in
The Oracle unauthorize AND mind if this
database d user to GRANTEE is granted in
SELECT ANY gather NOT IN both
DICTIONARY information (SELECT container
privilege about the ROLE FROM and
allows the database CDB_ROLES pluggable
• Level 1 - designated through WHERE database,
RDBMS user to data ORACLE_MA you must
using access dictionary INTAINED='Y connect to
Traditional SYS schema objects. '); both places
Auditing objects. Information to revoke.
• Level 1 - Unauthorize collected REVOKE
RDBMS d grantees could Lack of SELECT ANY
using should not potentially results DICTIONARY
Unified have that be used to implies FROM
Auditing privilege. exploit the compliance. <grantee>;
5.2.5  Ensure 'SELECT ANY DICTIONARY' database.
Is Revoked from Unauthorized 'GRANTEE' (Scored)
 A.CON_ID =
B.CON_ID))
FROM
CDB_SYS_PR
IVS A
WHERE
PRIVILEGE='
SELECT ANY
TABLE'
AND
GRANTEE
NOT IN
(SELECT To
USERNAME remediate
FROM this setting,
CDB_USERS execute the
WHERE following
ORACLE_MA SQL
INTAINED='Y statement,
') keeping in
AND mind if this
GRANTEE is granted in
NOT IN both
(SELECT container
ROLE FROM and
CDB_ROLES pluggable
• Level 1 - WHERE database,
RDBMS ORACLE_MA you must
using INTAINED='Y connect to
Traditional '); both places
Auditing to revoke.
• Level 1 - REVOKE
RDBMS Lack of SELECT ANY
using results TABLE
Unified implies FROM
Auditing compliance. <grantee>;
5.2.6  Ensure 'SELECT ANY TABLE'
The Oracle
Is Revoked
daAssignment
from Unauthorized
of 'GRANTEE' (Scored)
 A.CON_ID =
B.CON_ID))
FROM
CDB_SYS_PR
IVS A
WHERE
PRIVILEGE='
AUDIT
SYSTEM'
AND
GRANTEE
NOT IN
(SELECT To
USERNAME remediate
FROM this setting,
CDB_USERS execute the
WHERE following
ORACLE_MA SQL
INTAINED='Y statement,
') keeping in
AND mind if this
GRANTEE is granted in
The Oracle NOT IN both
database (SELECT container
AUDIT The AUDIT ROLE FROM and
SYSTEM SYSTEM CDB_ROLES pluggable
• Level 1 - privilege privilege can WHERE database,
RDBMS allows allow the ORACLE_MA you must
using changes to unauthorize INTAINED='Y connect to
Traditional auditing d alteration '); both places
Auditing activities on of system to revoke.
• Level 1 - the system. audit REVOKE
RDBMS Unauthorize activities, Lack of AUDIT
using d grantees such as results SYSTEM
Unified should not disabling the implies FROM
Auditing have that creation of compliance. <grantee>;
5.2.7  Ensure 'AUDIT SYSTEM'
privilege.
Is Revokedaudit
fromtrails.
Unauthorized 'GRANTEE' (Scored)
 B.CON_ID))
FROM
CDB_SYS_PR
IVS A
WHERE
PRIVILEGE='
EXEMPT
ACCESS
POLICY'
AND
GRANTEE
NOT IN To
(SELECT remediate
USERNAME this setting,
FROM execute the
CDB_USERS following
WHERE SQL
ORACLE_MA statement,
INTAINED='Y keeping in
') mind if this
AND is granted in
GRANTEE both
NOT IN container
(SELECT and
ROLE FROM pluggable
CDB_ROLES database,
• Level 1 - WHERE you must
RDBMS ORACLE_MA connect to
using INTAINED='Y both places
Traditional '); to revoke.
Auditing REVOKE
• Level 1 - EXEMPT
RDBMS Lack of ACCESS
using results POLICY
Unified implies FROM
Auditing compliance. <grantee>;
5.2.8  Ensure 'EXEMPT ACCESS
The Oracle
POLICY'daIsThe
Revoked
EXEMPT
from
AC Unauthorized 'GRANTEE' (Scored)
 A.CON_ID =
B.CON_ID))
FROM
CDB_SYS_PR
IVS A
WHERE
PRIVILEGE='
BECOME
USER'
AND
GRANTEE
NOT IN
(SELECT
USERNAME To
FROM remediate
CDB_USERS this setting,
WHERE execute the
ORACLE_MA following
The INTAINED='Y SQL
BECOME ') statement,
The Oracle USER AND keeping in
database privilege can GRANTEE mind if this
BECOME allow the NOT IN is granted in
USER unauthorize (SELECT both
privilege d use of ROLE FROM container
allows the another CDB_ROLES and
• Level 1 - designated user's WHERE pluggable
RDBMS user to privileges, ORACLE_MA database,
using inherit the this INTAINED='Y you must
Traditional rights of capability '); connect to
Auditing another should be both places
• Level 1 - user. restricted to revoke.
RDBMS Unauthorize according to Lack of REVOKE
using d grantees the needs of results BECOME
Unified should not the implies USER FROM
Auditing have that organization compliance. <grantee>;
5.2.9  Ensure 'BECOME USER'
privilege.
Is Revoked. from Unauthorized 'GRANTEE' (Scored)
 B.CON_ID))
FROM
CDB_SYS_PR
IVS A
WHERE
PRIVILEGE='
CREATE
PROCEDURE
'
AND
GRANTEE
NOT IN
(SELECT To
USERNAME remediate
FROM this setting,
CDB_USERS execute the
WHERE following
ORACLE_MA SQL
INTAINED='Y statement,
') keeping in
AND mind if this
GRANTEE is granted in
NOT IN both
(SELECT container
ROLE FROM and
CDB_ROLES pluggable
• Level 1 - WHERE database,
RDBMS ORACLE_MA you must
using INTAINED='Y connect to
Traditional '); both places
Auditing to revoke.
• Level 1 - REVOKE
RDBMS Lack of CREATE
using results PROCEDURE
Unified implies FROM
Auditing compliance. <grantee>;
5.2.10  Ensure 'CREATE PROCEDURE'
The OracleIsdaRevoked
The CREATE
fromPRUnauthorized 'GRANTEE' (Scored)
 WHERE
A.CON_ID =
B.CON_ID))
FROM
CDB_SYS_PR
IVS A
WHERE
PRIVILEGE='
ALTER
SYSTEM'
AND
GRANTEE
NOT IN To
(SELECT remediate
USERNAME this setting,
FROM execute the
CDB_USERS following
WHERE SQL
The ALTER ORACLE_MA statement,
The Oracle SYSTEM INTAINED='Y keeping in
database privilege can ') mind if this
ALTER lead to AND is granted in
SYSTEM severe GRANTEE both
privilege problems, NOT IN container
allows the such as the (SELECT and
designated instance's ROLE FROM pluggable
• Level 1 - user to session CDB_ROLES database,
RDBMS dynamically being killed WHERE you must
using alter the or the ORACLE_MA connect to
Traditional instance's stopping of INTAINED='Y both places
Auditing running redo log '); to revoke.
• Level 1 - operations. recording, REVOKE
RDBMS Unauthorize which would Lack of ALTER
using d grantees make results SYSTEM
Unified should not transactions implies FROM
Auditing have that unrecoverab compliance. <grantee>;
5.2.11  Ensure 'ALTER SYSTEM'
privilege.
Is Revoked
le. from Unauthorized 'GRANTEE' (Scored)
 A.CON_ID =
B.CON_ID))
FROM
CDB_SYS_PR
IVS A
WHERE
PRIVILEGE='
CREATE ANY
LIBRARY'
AND
GRANTEE
NOT IN
(SELECT To
USERNAME remediate
FROM this setting,
CDB_USERS execute the
WHERE following
ORACLE_MA SQL
INTAINED='Y statement,
') keeping in
AND mind if this
GRANTEE is granted in
NOT IN both
(SELECT container
ROLE FROM and
CDB_ROLES pluggable
• Level 1 - WHERE database,
RDBMS ORACLE_MA you must
using INTAINED='Y connect to
Traditional '); both places
Auditing to revoke.
• Level 1 - REVOKE
RDBMS Lack of CREATE ANY
using results LIBRARY
Unified implies FROM
Auditing compliance. <grantee>;
5.2.12  Ensure 'CREATE ANY
The
LIBRARY'
Oracle Is
daThe
Revoked
CREATE
from
ANUnauthorized 'GRANTEE' (Scored)
 A.CON_ID =
B.CON_ID))
FROM
CDB_SYS_PR
IVS A
WHERE
PRIVILEGE='
CREATE
LIBRARY'
AND
GRANTEE
NOT IN
(SELECT To
USERNAME remediate
FROM this setting,
CDB_USERS execute the
WHERE following
The Oracle ORACLE_MA SQL
database INTAINED='Y statement,
CREATE ') keeping in
LIBRARY AND mind if this
privilege GRANTEE is granted in
allows the NOT IN both
designated (SELECT container
user to The CREATE ROLE FROM and
create LIBRARY CDB_ROLES pluggable
• Level 1 - objects that privilege can WHERE database,
RDBMS are allow the ORACLE_MA you must
using associated creation of INTAINED='Y connect to
Traditional to the numerous '); both places
Auditing shared library- to revoke.
• Level 1 - libraries. associated REVOKE
RDBMS Unauthorize objects and Lack of CREATE
using d grantees potentially results LIBRARY
Unified should not corrupt the implies FROM
Auditing have that libraries' compliance. <grantee>;
5.2.13  Ensure 'CREATE LIBRARY'
privilege.
Is Revoked
integrity.
from Unauthorized 'GRANTEE' (Scored)
 A.CON_ID =
B.CON_ID))
FROM
CDB_SYS_PR
IVS A
WHERE
PRIVILEGE='
GRANT ANY
OBJECT
PRIVILEGE'
AND
GRANTEE To
NOT IN remediate
(SELECT this setting,
USERNAME execute the
FROM following
CDB_USERS SQL
WHERE statement,
ORACLE_MA keeping in
INTAINED='Y mind if this
') is granted in
AND both
GRANTEE container
NOT IN and
(SELECT pluggable
ROLE FROM database,
• Level 1 - CDB_ROLES you must
RDBMS WHERE connect to
using ORACLE_MA both places
Traditional INTAINED='Y to revoke.
Auditing '); REVOKE
• Level 1 - GRANT ANY
RDBMS Lack of OBJECT
using results PRIVILEGE
Unified implies FROM
Auditing compliance. <grantee>;
5.2.14  Ensure 'GRANT ANYThe
OBJECT
Oracle
PRIVILEGE'
daThe GRANT
Is Revoked
ANY from Unauthorized 'GRANTEE' (Scored)
 WHERE
A.CON_ID =
B.CON_ID))
FROM
CDB_SYS_PR
IVS A
WHERE
PRIVILEGE='
GRANT ANY
ROLE'
AND
GRANTEE
NOT IN
(SELECT To
USERNAME remediate
The Oracle FROM this setting,
database CDB_USERS execute the
GRANT ANY WHERE following
ROLE ORACLE_MA SQL
keyword The GRANT INTAINED='Y statement,
provides the ANY ROLE ') keeping in
grantee the capability AND mind if this
capability to can allow an GRANTEE is granted in
grant any unauthorize NOT IN both
single role d user to (SELECT container
to any potentially ROLE FROM and
• Level 1 - grantee in access or CDB_ROLES pluggable
RDBMS the catalog change WHERE database,
using of the confidential ORACLE_MA you must
Traditional database. data or INTAINED='Y connect to
Auditing Unauthorize damage the '); both places
• Level 1 - d grantees data catalog to revoke.
RDBMS should not due to Lack of REVOKE
using have that potential results GRANT ANY
Unified keyword complete implies ROLE FROM
Auditing assigned to instance compliance. <grantee>;
5.2.15  Ensure 'GRANT ANYthem.
ROLE' Is Revoked
access.
from Unauthorized 'GRANTEE' (Scored)
 WHERE
A.CON_ID =
B.CON_ID))
FROM
CDB_SYS_PR
IVS A
WHERE
PRIVILEGE='
GRANT ANY
PRIVILEGE'
AND
GRANTEE
NOT IN To
(SELECT remediate
USERNAME this setting,
FROM execute the
CDB_USERS following
WHERE SQL
ORACLE_MA statement,
INTAINED='Y keeping in
') mind if this
AND is granted in
GRANTEE both
NOT IN container
(SELECT and
ROLE FROM pluggable
• Level 1 - CDB_ROLES database,
RDBMS WHERE you must
using ORACLE_MA connect to
Traditional INTAINED='Y both places
Auditing '); to revoke.
• Level 1 - REVOKE
RDBMS Lack of GRANT ANY
using results PRIVILEGE
Unified implies FROM
Auditing compliance. <grantee>;
5.2.16  Ensure 'GRANT ANYThe PRIVILEGE'
Oracle da
IsThe
Revoked
GRANTfrom
ANYUnauthorized 'GRANTEE' (Scored)
5.3  Excessive Role Privileges
 B.CON_ID))
FROM
CDB_ROLE_
PRIVS A
WHERE
GRANTED_R
OLE='DELET
E_CATALOG
_ROLE'
AND
GRANTEE
NOT IN
(SELECT To
USERNAME remediate
FROM this setting,
CDB_USERS execute the
WHERE following
ORACLE_MA SQL
INTAINED='Y statement,
') keeping in
AND mind if this
GRANTEE is granted in
NOT IN both
(SELECT container
ROLE FROM and
CDB_ROLES pluggable
• Level 1 - WHERE database,
RDBMS ORACLE_MA you must
using INTAINED='Y connect to
Traditional '); both places
Auditing to revoke.
• Level 1 - REVOKE
RDBMS Lack of DELETE_CAT
using results ALOG_ROLE
Unified implies FROM
Auditing compliance. <grantee>;
5.3.1  Ensure 'DELETE_CATALOG_ROLE'
THIS ROLE IS Is
Permitting
Revoked un
from Unauthorized 'GRANTEE' (Scored)
 B.CON_ID))
FROM
CDB_ROLE_
PRIVS A
WHERE
GRANTED_R
OLE='SELECT
_CATALOG_
ROLE'
AND
GRANTEE
NOT IN
(SELECT To
USERNAME remediate
FROM this setting,
CDB_USERS execute the
WHERE following
ORACLE_MA SQL
INTAINED='Y statement,
') keeping in
AND mind if this
GRANTEE is granted in
NOT IN both
(SELECT container
ROLE FROM and
CDB_ROLES pluggable
• Level 1 - WHERE database,
RDBMS ORACLE_MA you must
using INTAINED='Y connect to
Traditional '); both places
Auditing to revoke.
• Level 1 - REVOKE
RDBMS Lack of SELECT_CAT
using results ALOG_ROLE
Unified implies FROM
Auditing compliance. <grantee>;
5.3.2  Ensure 'SELECT_CATALOG_ROLE'
The Oracle daIs
Permitting
Revoked un
from Unauthorized 'GRANTEE' (Scored)
 WHERE
A.CON_ID =
B.CON_ID))
FROM
CDB_ROLE_
PRIVS A
WHERE
GRANTED_R
OLE='EXECU
TE_CATALO
G_ROLE'
AND
GRANTEE To
NOT IN remediate
(SELECT this setting,
USERNAME execute the
FROM following
CDB_USERS SQL
WHERE statement,
ORACLE_MA keeping in
INTAINED='Y mind if this
') is granted in
AND both
GRANTEE container
NOT IN and
(SELECT pluggable
• Level 1 - ROLE FROM database,
RDBMS CDB_ROLES you must
using WHERE connect to
Traditional ORACLE_MA both places
Auditing INTAINED='Y to revoke.
• Level 1 - '); REVOKE
RDBMS Lack of EXECUTE_C
using results ATALOG_RO
Unified implies LE FROM
Auditing compliance. <grantee>;
5.3.3  Ensure 'EXECUTE_CATALOG_ROLE'
The Oracle daPermitting
Is Revokedunfrom Unauthorized 'GRANTEE' (Scored)
 E),
1,(SELECT
NAME
FROM
V$DATABAS
E),
(SELECT
NAME
FROM
V$PDBS B
WHERE
A.CON_ID =
B.CON_ID))
CON
FROM To
CDB_PROXIE remediate
SA this setting,
WHERE execute the
CLIENT IN following
(SELECT SQL
GRANTEE statement,
FROM keeping in
CDB_ROLE_ mind if this
PRIVS B is granted in
WHERE both
GRANTED_R container
• Level 1 - OLE = 'DBA' and
RDBMS AND pluggable
using A.CON_ID = database,
Traditional B.CON_ID); you must
Auditing connect to
• Level 1 - both places
RDBMS Lack of to revoke.
using results REVOKE
Unified implies DBA FROM
Auditing compliance. <grantee>;
5.3.4  Ensure 'DBA' Is Revoked
The from
OracleUnauthorized
daAssignment'GRANTEE'
of (Scored)
6  Audit/Logging Policies and Procedures
6.1  Traditional Auditing
 creating FROM
accounts V$DATABAS
that can E),
interact (SELECT
with the NAME
database FROM
according to V$PDBS B
the roles WHERE
and A.CON_ID =
privileges B.CON_ID))
allotted to FROM
the account. CDB_STMT_
It may also AUDIT_OPT
own SA
database WHERE
objects. USER_NAM
Enabling the E IS NULL
audit option AND
causes PROXY_NA To
auditing of ME IS NULL remediate
all activities AND this setting,
and SUCCESS = execute the
requests to 'BY ACCESS' following
create, drop AND SQL
or alter a FAILURE = statement in
user, 'BY ACCESS' either the
including a AND non multi-
user AUDIT_OPTI tenant or
changing ON='USER'; container
their own database, it
password. does NOT
(The latter is need run in
• Level 1 - not audited Lack of the
RDBMS by audit results pluggable.
using ALTER implies a AUDIT
Traditional USER.) finding. USER;
6.1.1  Ensure Auditing
the 'USER' Audit Option Is Any
Enabled
unauthori
(Scored)
 NAME
FROM
V$DATABAS
E),
(SELECT
NAME
FROM
V$PDBS B
WHERE
A.CON_ID =
B.CON_ID))
FROM
CDB_STMT_
AUDIT_OPT
SA
WHERE
USER_NAM
E IS NULL
AND
PROXY_NA To
ME IS NULL remediate
AND this setting,
SUCCESS = execute the
'BY ACCESS' following
AND SQL
FAILURE = statement in
'BY ACCESS' either the
AND non multi-
AUDIT_OPTI tenant or
ON='ROLE'; container
database, it
does NOT
• Level 1 - Lack of need run in
RDBMS results the
using implies a pluggable.
Traditional finding. AUDIT ROLE;
6.1.2  Ensure Auditing
the 'ROLE' Audit
TheOption
ROLE objec
Is Roles
Enabled
are(Scored)
ak
 FROM
V$DATABAS
E),
(SELECT
NAME
FROM
V$PDBS B
WHERE
A.CON_ID =
B.CON_ID))
FROM
CDB_STMT_
AUDIT_OPT
SA
WHERE
USER_NAM
E IS NULL
AND To
PROXY_NA remediate
ME IS NULL this setting,
AND execute the
SUCCESS = following
'BY ACCESS' SQL
AND statement in
FAILURE = either the
'BY ACCESS' non multi-
AND tenant or
AUDIT_OPTI container
ON='SYSTE database, it
M GRANT'; does NOT
need run in
the
• Level 1 - Lack of pluggable.
RDBMS results AUDIT
using implies a SYSTEM
Traditional finding. GRANT;
6.1.3  Ensure Auditing
the 'SYSTEM GRANT'
EnablingAudit
the Logging
Option of
Is Enabled
al (Scored)
 FROM
V$DATABAS
E),
(SELECT
NAME
FROM
V$PDBS B
WHERE
A.CON_ID =
B.CON_ID))
FROM
CDB_STMT_
AUDIT_OPT
SA
WHERE
USER_NAM
E IS NULL
AND To
PROXY_NA remediate
ME IS NULL this setting,
AND execute the
SUCCESS = following
'BY ACCESS' SQL
AND statement in
FAILURE = either the
'BY ACCESS' non multi-
AND tenant or
AUDIT_OPTI container
ON='PROFIL database, it
E'; does NOT
need run in
the
• Level 1 - Lack of pluggable.
RDBMS results AUDIT
using implies a PROFILE;
Traditional finding.
6.1.4  Ensure Auditing
the 'PROFILE'The
Audit
PROFILE
Optionob
As
Is profiles
Enabledar(Scored)
 FROM
V$DATABAS
E),
(SELECT
NAME
FROM
V$PDBS B
WHERE
A.CON_ID =
B.CON_ID))
FROM
CDB_STMT_
AUDIT_OPT
SA
WHERE
USER_NAM
E IS NULL
AND To
PROXY_NA remediate
ME IS NULL this setting,
AND execute the
SUCCESS = following
'BY ACCESS' SQL
AND statement in
FAILURE = either the
'BY ACCESS' non multi-
AND tenant or
AUDIT_OPTI container
ON='DATAB database, it
ASE LINK'; does NOT
need run in
the
• Level 1 - Lack of pluggable.
RDBMS results AUDIT
using implies a DATABASE
Traditional finding. LINK;
6.1.5  Ensure Auditing
the 'DATABASE
Enabling
LINK' Audit
the As
Option
the loggin
Is Enabled (Scored)
 E),
(SELECT
NAME
FROM
V$PDBS B
WHERE
A.CON_ID =
B.CON_ID))
FROM
CDB_STMT_
AUDIT_OPT
SA
WHERE
USER_NAM
E IS NULL
AND
PROXY_NA To
ME IS NULL remediate
AND this setting,
SUCCESS = execute the
'BY ACCESS' following
AND SQL
FAILURE = statement in
'BY ACCESS' either the
AND non multi-
AUDIT_OPTI tenant or
ON='PUBLIC container
DATABASE database, it
LINK'; does NOT
need run in
the
Lack of pluggable.
• Level 1 - results AUDIT
RDBMS implies a PUBLIC
using finding. DATABASE
Traditional LINK;
6.1.6  Ensure Auditing
the 'PUBLIC DATABASE
The PUBLICLINK'
DAT
As Audit
the loggin
Option Is Enabled (Scored)
 1,(SELECT
NAME
FROM
V$DATABAS
E),
(SELECT
NAME
FROM
V$PDBS B
WHERE
A.CON_ID =
B.CON_ID))
FROM
CDB_STMT_
AUDIT_OPT
SA
WHERE
USER_NAM To
E IS NULL remediate
AND this setting,
PROXY_NA execute the
ME IS NULL following
AND SQL
SUCCESS = statement in
'BY ACCESS' either the
AND non multi-
FAILURE = tenant or
'BY ACCESS' container
AND database, it
AUDIT_OPTI does NOT
ON='PUBLIC need run in
SYNONYM'; the
• Level 1 - Lack of pluggable.
RDBMS results AUDIT
using implies a PUBLIC
Traditional finding. SYNONYM;
6.1.7  Ensure Auditing
the 'PUBLIC SYNONYM'
The PUBLICAudit
SYAs the
Option
loggin
Is Enabled (Scored)
 FROM
V$DATABAS
E),
(SELECT
NAME
FROM
V$PDBS B
WHERE
A.CON_ID =
B.CON_ID))
FROM
CDB_STMT_
AUDIT_OPT
SA
WHERE
USER_NAM
E IS NULL
AND
PROXY_NA To
ME IS NULL remediate
AND this setting,
SUCCESS = execute the
'BY ACCESS' following
AND SQL
FAILURE = statement in
'BY ACCESS' either the
AND non multi-
AUDIT_OPTI tenant or
ON='SYNON container
YM'; database, it
does NOT
need run in
• Level 1 - Lack of the
RDBMS results pluggable.
using implies a AUDIT
Traditional finding. SYNONYM;
6.1.8  Ensure Auditing
the 'SYNONYM'
TheAudit
SYNONYM
Option
Asothe
Is Enabled
loggin (Scored)
 1,(SELECT
NAME
FROM
V$DATABAS
E),
(SELECT
NAME
FROM
V$PDBS B
WHERE
A.CON_ID =
B.CON_ID))
FROM
CDB_STMT_
AUDIT_OPT
SA
WHERE
USER_NAM
E IS NULL To
AND remediate
PROXY_NA this setting,
ME IS NULL execute the
AND following
SUCCESS = SQL
'BY ACCESS' statement in
AND either the
FAILURE = non multi-
'BY ACCESS' tenant or
AND container
AUDIT_OPTI database, it
ON='DIRECT does NOT
ORY'; need run in
• Level 1 - Lack of the
RDBMS results pluggable.
using implies a AUDIT
Traditional finding. DIRECTORY;
6.1.9  Ensure Auditing
the 'DIRECTORY'
The Audit
DIRECTORY
Option
As the
Is Enabled
loggin (Scored)
 FROM
V$DATABAS
E),
(SELECT
NAME
FROM
V$PDBS B
WHERE
A.CON_ID =
B.CON_ID))
FROM
CDB_STMT_
AUDIT_OPT
SA
WHERE
USER_NAM
E IS NULL To
AND remediate
PROXY_NA this setting,
ME IS NULL execute the
AND following
SUCCESS = SQL
'BY ACCESS' statement in
AND either the
FAILURE = non multi-
'BY ACCESS' tenant or
AND container
AUDIT_OPTI database, it
ON='SELECT does NOT
ANY need run in
DICTIONARY the
'; pluggable.
• Level 1 - Lack of AUDIT
RDBMS results SELECT ANY
using implies a DICTIONARY
Traditional finding. ;
6.1.10  EnsureAuditing
the 'SELECT The
ANYSELECT
DICTIONARY'
ANY
As theAudit
logging
Option Is Enabled (Scored)
 NAME
FROM
V$DATABAS
E),
(SELECT
NAME
FROM
V$PDBS B
WHERE
A.CON_ID =
B.CON_ID)) To
FROM remediate
CDB_STMT_ this setting,
AUDIT_OPT execute the
SA following
WHERE SQL
USER_NAM statement,
E IS NULL keeping in
AND mind if this
PROXY_NA needs to be
ME IS NULL done in
AND both
SUCCESS = container
'BY ACCESS' and
AND pluggable
FAILURE = database,
'BY ACCESS' you must
AND connect to
AUDIT_OPTI both places
ON='GRANT to do the
ANY OBJECT audit
PRIVILEGE'; statement.
• Level 1 - Lack of AUDIT
RDBMS results GRANT ANY
using implies a OBJECT
Traditional finding. PRIVILEGE;
6.1.11  EnsureAuditing
the 'GRANT GRANT
ANY OBJECT
ANY OBJE
PRIVILEGE'
Logging of pri
Audit Option Is Enabled (Scored)
 NAME
FROM
V$DATABAS
E),
(SELECT
NAME
FROM
V$PDBS B
WHERE
A.CON_ID =
B.CON_ID))
FROM
CDB_STMT_
AUDIT_OPT
SA
WHERE
USER_NAM
E IS NULL To
AND remediate
PROXY_NA this setting,
ME IS NULL execute the
AND following
SUCCESS = SQL
'BY ACCESS' statement in
AND either the
FAILURE = non multi-
'BY ACCESS' tenant or
AND container
AUDIT_OPTI database, it
ON='GRANT does NOT
ANY need run in
PRIVILEGE'; the
• Level 1 - Lack of pluggable.
RDBMS results AUDIT
using implies a GRANT ANY
Traditional finding. PRIVILEGE;
6.1.12  EnsureAuditing
the 'GRANT GRANT
ANY PRIVILEGE'
ANY PRI
Auditing
Audit the
Option
u Is Enabled (Scored)
 E),
(SELECT
NAME
FROM
V$PDBS B
WHERE
A.CON_ID =
B.CON_ID))
FROM
CDB_STMT_
AUDIT_OPT
SA
WHERE
USER_NAM
E IS NULL
AND
PROXY_NA To
ME IS NULL remediate
AND this setting,
SUCCESS = execute the
'BY ACCESS' following
AND SQL
FAILURE = statement in
'BY ACCESS' either the
AND non multi-
AUDIT_OPTI tenant or
ON='DROP container
ANY database, it
PROCEDURE does NOT
'; need run in
the
pluggable.
• Level 1 - Lack of AUDIT DROP
RDBMS results ANY
using implies a PROCEDURE
Traditional finding. ;
6.1.13  EnsureAuditing
the 'DROP ANY
ThePROCEDURE'
AUDIT DRO
Dropping
Audit proc
Option Is Enabled (Scored) . 182
 FROM
CDB_OBJ_A
UDIT_OPTS
WHERE
OBJECT_NA
ME='AUD$'
AND
ALT='A/A'
AND
AUD='A/A'
AND
COM='A/A'
AND
DEL='A/A'
AND
GRA='A/A'
AND To
IND='A/A' remediate
AND this setting,
INS='A/A' execute the
AND following
LOC='A/A' SQL
AND statement in
REN='A/A' either the
AND non multi-
SEL='A/A' tenant or
AND container
UPD='A/A' database, it
AND does NOT
FBK='A/A'; need run in
the
pluggable.
• Level 1 - Lack of AUDIT ALL
RDBMS results ON
using implies a SYS.AUD$
Traditional finding. BY ACCESS;
6.1.14  EnsureAuditing
the 'ALL' Audit
TheOption
loggingonofA'SYS.AUD$'
s the logging
Is Enabled (Scored)
 FROM
V$DATABAS
E),
(SELECT
NAME
FROM
V$PDBS B
WHERE
A.CON_ID =
B.CON_ID))
FROM
CDB_STMT_
AUDIT_OPT
SA
WHERE
USER_NAM
E IS NULL
AND To
PROXY_NA remediate
ME IS NULL this setting,
AND execute the
SUCCESS = following
'BY ACCESS' SQL
AND statement in
FAILURE = either the
'BY ACCESS' non multi-
AND tenant or
AUDIT_OPTI container
ON='PROCE database, it
DURE'; does NOT
need run in
the
• Level 1 - Lack of pluggable.
RDBMS results AUDIT
using implies a PROCEDURE
Traditional finding. ;
6.1.15  EnsureAuditing
the 'PROCEDURE'
In this Audit
state Option
Any unauthori
Is Enabled (Scored)
 FROM
V$DATABAS
E),
(SELECT
NAME
FROM
V$PDBS B
WHERE
A.CON_ID =
B.CON_ID))
FROM
CDB_STMT_
AUDIT_OPT
SA
WHERE
USER_NAM
E IS NULL
AND To
PROXY_NA remediate
ME IS NULL this setting,
AND execute the
SUCCESS = following
'BY ACCESS' SQL
AND statement in
FAILURE = either the
'BY ACCESS' non multi-
AND tenant or
AUDIT_OPTI container
ON='ALTER database, it
SYSTEM'; does NOT
need run in
the
• Level 1 - Lack of pluggable.
RDBMS results AUDIT
using implies a ALTER
Traditional finding. SYSTEM;
6.1.16  EnsureAuditing
the 'ALTER SYSTEM'
ALTER SYSTEM
AuditAny
Option
unauthori
Is Enabled (Scored)
 FROM
V$DATABAS
E),
(SELECT
NAME
FROM
V$PDBS B
WHERE
A.CON_ID =
B.CON_ID))
FROM
CDB_STMT_
AUDIT_OPT
SA
WHERE
USER_NAM
E IS NULL
AND
PROXY_NA To
ME IS NULL remediate
AND this setting,
SUCCESS = execute the
'BY ACCESS' following
AND SQL
FAILURE = statement in
'BY ACCESS' either the
AND non multi-
AUDIT_OPTI tenant or
ON='TRIGGE container
R'; database, it
does NOT
need run in
• Level 1 - Lack of the
RDBMS results pluggable.
using implies a AUDIT
Traditional finding. TRIGGER;
6.1.17  EnsureAuditing
the 'TRIGGER'
A TRIGGER
Audit Option
may
Triggers
Is Enabled
are (Scored)
 V$DATABAS
E),
(SELECT
NAME
FROM
V$PDBS B
WHERE
A.CON_ID =
B.CON_ID))
FROM
CDB_STMT_
AUDIT_OPT
SA

WHERE
USER_NAM
E IS NULL
AND
PROXY_NA To
ME IS NULL remediate
AND this setting,
SUCCESS = execute the
'BY ACCESS' following
AND SQL
FAILURE = statement in
'BY ACCESS' either the
AND non multi-
AUDIT_OPTI tenant or
ON='CREATE container
SESSION'; database, it
does NOT
need run in
• Level 1 - Lack of the
RDBMS results pluggable.
using implies a AUDIT
Traditional finding. SESSION;
6.1.18  EnsureAuditing
the 'CREATEEnabling
SESSION'this
Audit
Auditing
Optionatte
Is Enabled (Scored)
6.2  Unified Auditing
 _NAME =
ENABLED.P
OLICY_NAM
E
AND
AUD.AUDIT_ Execute the
OPTION = following
'CREATE SQL
USER' statement
AND to
AUD.AUDIT_ remediate
OPTION_TY this setting.
PE =
'STANDARD ALTER
ACTION' AUDIT
AND POLICY
ENABLED.SU CIS_UNIFIED
CCESS = _AUDIT_POL
'YES' ICY ADD
AND ACTIONS
ENABLED.FA CREATE
ILURE = 'YES' USER;
AND
ENABLED.EN
ABLED_OPT
= 'BY' Note: If you
AND do not have
ENABLED.US CIS_UNIFIED
ER_NAME = _AUDIT_POL
'ALL USERS'; ICY, please
create one
using the
• Level 1 - Lack of CREATE
RDBMS results AUDIT
using implies a POLICY
Unified finding. statement.
6.2.1  Ensure Auditing
the 'CREATE USER'
The CREATE
ActionUS
Audit
Logging
Is Enabled
and m (Scored)
 _NAME =
ENABLED.P
OLICY_NAM
E
AND
AUD.AUDIT_
OPTION =
'ALTER
USER'
AND
AUD.AUDIT_
OPTION_TY
PE =
'STANDARD
ACTION'
AND
ENABLED.SU
CCESS =
'YES'
AND
ENABLED.FA Execute the
ILURE = 'YES' following
AND SQL
ENABLED.EN statement
ABLED_OPT to
= 'BY' remediate
AND this setting.
ENABLED.US
ER_NAME = ALTER
'ALL USERS'; AUDIT
POLICY
CIS_UNIFIED
• Level 1 - Lack of _AUDIT_POL
RDBMS results ICY ADD
using implies a ACTIONS
Unified finding. ALTER USER;
6.2.2  Ensure Auditing
the 'ALTER USER'
The ALTER
ActionUSE
Audit
Logging
Is Enabled
and m (Scored)
 AUD.POLICY
_NAME =
ENABLED.P
OLICY_NAM
E
AND
AUD.AUDIT_
OPTION =
'DROP USER'
AND
AUD.AUDIT_
OPTION_TY
PE =
'STANDARD
ACTION'
AND
ENABLED.SU
CCESS =
'YES'
AND
ENABLED.FA
ILURE = 'YES' Execute the
AND following
ENABLED.EN SQL
ABLED_OPT statement
= 'BY' to
AND remediate
ENABLED.US this setting.
ER_NAME = ALTER
'ALL USERS'; AUDIT
POLICY
CIS_UNIFIED
• Level 1 - Lack of _AUDIT_POL
RDBMS results ICY ADD
using implies a ACTIONS
Unified finding. DROP USER;
6.2.3  Ensure Auditing
the 'DROP USER'
The Audit
DROPOption
USER
Logging
Is Enabled
and m (Scored)
 _NAME =
ENABLED.P
OLICY_NAM
E
AND
AUD.AUDIT_
OPTION =
'CREATE
ROLE'
AND
AUD.AUDIT_
OPTION_TY
PE =
'STANDARD
ACTION'
AND
ENABLED.SU
CCESS =
'YES'
AND Execute the
ENABLED.FA following
ILURE = 'YES' SQL
AND statement
ENABLED.EN to
ABLED_OPT remediate
= 'BY' this setting.
AND
ENABLED.US ALTER
ER_NAME = AUDIT
'ALL USERS'; POLICY
CIS_UNIFIED
_AUDIT_POL
• Level 1 - Lack of ICY ADD
RDBMS results ACTIONS
using implies a CREATE
Unified finding. ROLE;
6.2.4  Ensure Auditing
the 'CREATE ROLE'
An Oracle
Action
data
Audit
Logging
Is Enabled
and m (Scored)
 ENABLED
WHERE
AUD.POLICY
_NAME =
ENABLED.P
OLICY_NAM
E
AND
AUD.AUDIT_
OPTION =
'ALTER
ROLE'
AND
AUD.AUDIT_
OPTION_TY
PE =
'STANDARD
ACTION'
AND
ENABLED.SU
CCESS = Execute the
'YES' following
AND SQL
ENABLED.FA statement
ILURE = 'YES' to
AND remediate
ENABLED.EN this setting.
ABLED_OPT
= 'BY' ALTER
AND AUDIT
ENABLED.US POLICY
ER_NAME = CIS_UNIFIED
• Level 1 - 'ALL USERS'; _AUDIT_POL
RDBMS Lack of ICY ADD
using results ACTIONS
Unified implies a ALTER ROLE;
6.2.5  Ensure Auditing
the 'ALTER ROLE'
An Oracle
ActiondatLogging
Audit Is Enabled
and mo
finding.
(Scored)
 AUD.POLICY
_NAME =
ENABLED.P
OLICY_NAM
E
AND
AUD.AUDIT_
OPTION =
'DROP ROLE'
AND
AUD.AUDIT_
OPTION_TY
PE =
'STANDARD
ACTION'
AND
ENABLED.SU
CCESS =
'YES'
AND
ENABLED.FA Execute the
ILURE = 'YES' following
AND SQL
ENABLED.EN statement
ABLED_OPT to
= 'BY' remediate
AND this setting.
ENABLED.US
ER_NAME = ALTER
'ALL USERS'; AUDIT
POLICY
CIS_UNIFIED
• Level 1 - Lack of _AUDIT_POL
RDBMS results ICY ADD
using implies a ACTIONS
Unified finding. DROP ROLE;
6.2.6  Ensure Auditing
the 'DROP ROLE'
An Oracle
Actiondata
Audit
Logging
Is Enabled
and m(Scored)
 AUD.POLICY
_NAME =
ENABLED.P
OLICY_NAM
E
AND
AUD.AUDIT_
OPTION =
'GRANT'
AND
AUD.AUDIT_
OPTION_TY
PE =
'STANDARD
ACTION'
AND
ENABLED.SU
CCESS =
'YES'
AND
ENABLED.FA
ILURE = 'YES' Execute the
AND following
ENABLED.EN SQL
ABLED_OPT statement
= 'BY' to
AND remediate
ENABLED.US this setting.
ER_NAME = ALTER
'ALL USERS'; AUDIT
POLICY
CIS_UNIFIED
• Level 1 - Lack of _AUDIT_POL
RDBMS results ICY ADD
using implies a ACTIONS
Unified finding. GRANT;
6.2.7  Ensure Auditing
the 'GRANT' Action
GRANTAudit
stateme
IsWith
Enabled
unauthor
(Scored)
 AUD.POLICY
_NAME =
ENABLED.P
OLICY_NAM
E
AND
AUD.AUDIT_
OPTION =
'REVOKE'
AND
AUD.AUDIT_
OPTION_TY
PE =
'STANDARD
ACTION'
AND
ENABLED.SU
CCESS =
'YES'
AND
ENABLED.FA
ILURE = 'YES' Execute the
AND following
ENABLED.EN SQL
ABLED_OPT statement
= 'BY' to
AND remediate
ENABLED.US this setting.
ER_NAME = ALTER
'ALL USERS'; AUDIT
POLICY
CIS_UNIFIED
• Level 1 - Lack of _AUDIT_POL
RDBMS results ICY ADD
using implies a ACTIONS
Unified finding. REVOKE;
6.2.8  Ensure Auditing
the 'REVOKE'REVOKE
Action Audit
statem
Logging
Is Enabled
and(Scored)
m
 ENABLED.P
OLICY_NAM
E
AND
AUD.AUDIT_
OPTION =
'CREATE
PROFILE'
AND
AUD.AUDIT_
OPTION_TY
PE =
'STANDARD
ACTION'
AND
ENABLED.SU
CCESS =
'YES'
AND
ENABLED.FA Execute the
ILURE = 'YES' following
AND SQL
ENABLED.EN statement
ABLED_OPT to
= 'BY' remediate
AND this setting.
ENABLED.US
ER_NAME = ALTER
'ALL USERS'; AUDIT
POLICY
CIS_UNIFIED
Lack of _AUDIT_POL
• Level 1 - results ICY ADD
RDBMS implies a ACTIONS
using finding. CREATE
Unified PROFILE;
6.2.9  Ensure Auditing
the 'CREATE PROFILE'
Oracle databa
Action
Logging
Auditand
Is Enabled
mo (Scored)
 _NAME =
ENABLED.P
OLICY_NAM
E
AND
AUD.AUDIT_
OPTION =
'ALTER
PROFILE'
AND
AUD.AUDIT_
OPTION_TY
PE =
'STANDARD
ACTION'
AND
ENABLED.SU
CCESS =
'YES'
AND Execute the
ENABLED.FA following
ILURE = 'YES' SQL
AND statement
ENABLED.EN to
ABLED_OPT remediate
= 'BY' this setting.
AND
ENABLED.US ALTER
ER_NAME = AUDIT
'ALL USERS'; POLICY
CIS_UNIFIED
_AUDIT_POL
• Level 1 - Lack of ICY ADD
RDBMS results ACTIONS
using implies a ALTER
Unified finding. PROFILE;
6.2.10  EnsureAuditing
the 'ALTER PROFILE'
Oracle databa
Action
Logging
Audit and
Is Enabled
mo (Scored)
 AUDIT_UNIF
IED_ENABLE
D_POLICIES
ENABLED
WHERE
AUD.POLICY
_NAME =
ENABLED.P
OLICY_NAM
E
AND
AUD.AUDIT_
OPTION =
'DROP
PROFILE'
AND
AUD.AUDIT_
OPTION_TY
PE =
'STANDARD Execute the
ACTION' following
AND SQL
ENABLED.SU statement
CCESS = to
'YES' remediate
AND this setting.
ENABLED.FA
ILURE = 'YES' ALTER
AND AUDIT
ENABLED.EN POLICY
ABLED_OPT CIS_UNIFIED
= 'BY' _AUDIT_POL
• Level 1 - AND ICY ADD
RDBMS ENABLED.US ACTIONS
using ER_NAME = DROP
Unified 'ALL USERS'; PROFILE;
6.2.11  EnsureAuditing
the 'DROP PROFILE'
Oracle databa
Action
Logging
Audit Is
andEnabled
m (Scored)
 _NAME =
ENABLED.P
OLICY_NAM
E
AND
AUD.AUDIT_
OPTION =
'CREATE
DATABASE
LINK' AND
AUD.AUDIT_
OPTION_TY
PE =
'STANDARD
ACTION'
AND
ENABLED.SU
CCESS =
'YES' Execute the
AND following
ENABLED.FA SQL
ILURE = 'YES' statement
AND to
ENABLED.EN remediate
ABLED_OPT this setting.
= 'BY'
AND ALTER
ENABLED.US AUDIT
ER_NAME = POLICY
'ALL USERS'; CIS_UNIFIED
_AUDIT_POL
ICY ADD
• Level 1 - Lack of ACTIONS
RDBMS results CREATE
using implies a DATABASE
Unified finding. LINK;
6.2.12nsure tAuditing Oracle databaLogging and mo
 _NAME =
ENABLED.P
OLICY_NAM
E
AND
AUD.AUDIT_
OPTION =
'ALTER
DATABASE
LINK' AND
AUD.AUDIT_
OPTION_TY
PE =
'STANDARD
ACTION'
AND
ENABLED.SU
CCESS =
'YES' Execute the
AND following
ENABLED.FA SQL
ILURE = 'YES' statement
AND to
ENABLED.EN remediate
ABLED_OPT this setting.
= 'BY'
AND ALTER
ENABLED.US AUDIT
ER_NAME = POLICY
'ALL USERS'; CIS_UNIFIED
_AUDIT_POL
ICY ADD
• Level 1 - Lack of ACTIONS
RDBMS results ALTER
using implies a DATABASE
Unified finding. LINK;
6.2.13  EnsureAuditing
the 'ALTER DATABASE
Oracle databa
LINK'
Logging
Action
and
Audit
mo Is Enabled (Scored)
 _NAME =
ENABLED.P
OLICY_NAM
E
AND
AUD.AUDIT_
OPTION =
'DROP
DATABASE
LINK' AND
AUD.AUDIT_
OPTION_TY
PE =
'STANDARD
ACTION'
AND
ENABLED.SU
CCESS =
'YES' Execute the
AND following
ENABLED.FA SQL
ILURE = 'YES' statement
AND to
ENABLED.EN remediate
ABLED_OPT this setting.
= 'BY'
AND ALTER
ENABLED.US AUDIT
ER_NAME = POLICY
'ALL USERS'; CIS_UNIFIED
_AUDIT_POL
ICY ADD
• Level 1 - Lack of ACTIONS
RDBMS results DROP
using implies a DATABASE
Unified finding. LINK;
6.2.14  EnsureAuditing
the 'DROP DATABASE
Oracle databa
LINK'
Logging
Actionand
Audit
m Is Enabled (Scored)
 _NAME =
ENABLED.P
OLICY_NAM
E
AND
AUD.AUDIT_
OPTION =
'CREATE
SYNONYM'
AND
AUD.AUDIT_
OPTION_TY
PE =
'STANDARD
ACTION'
AND
ENABLED.SU
CCESS =
'YES'
AND Execute the
ENABLED.FA following
ILURE = 'YES' SQL
AND statement
ENABLED.EN to
ABLED_OPT remediate
= 'BY' this setting.
AND
ENABLED.US ALTER
ER_NAME = AUDIT
'ALL USERS'; POLICY
CIS_UNIFIED
_AUDIT_POL
• Level 1 - Lack of ICY ADD
RDBMS results ACTIONS
using implies a CREATE
Unified finding. SYNONYM;
6.2.15  EnsureAuditing
the 'CREATEAn
SYNONYM'
Oracle datLogging
Action Audit
and IsmEnabled (Scored)
 ENABLED.P
OLICY_NAM
E
AND
AUD.AUDIT_
OPTION =
'ALTER
SYNONYM'
AND
AUD.AUDIT_
OPTION_TY
PE =
'STANDARD
ACTION'
AND
ENABLED.SU
CCESS =
'YES'
AND
ENABLED.FA Execute the
ILURE = 'YES' following
AND SQL
ENABLED.EN statement
ABLED_OPT to
= 'BY' remediate
AND this setting.
ENABLED.US
ER_NAME = ALTER
'ALL USERS'; AUDIT
POLICY
CIS_UNIFIED
Lack of _AUDIT_POL
• Level 1 - results ICY ADD
RDBMS implies a ACTIONS
using finding. ALTER
Unified SYNONYM;
6.2.16  EnsureAuditing
the 'ALTER SYNONYM'
An Oracle datLogging
Action Audit
andIs m
Enabled (Scored)
 _NAME =
ENABLED.P
OLICY_NAM
E
AND
AUD.AUDIT_
OPTION =
'DROP
SYNONYM'
AND
AUD.AUDIT_
OPTION_TY
PE =
'STANDARD
ACTION'
AND
ENABLED.SU
CCESS =
'YES'
AND Execute the
ENABLED.FA following
ILURE = 'YES' SQL
AND statement
ENABLED.EN to
ABLED_OPT remediate
= 'BY' this setting.
AND
ENABLED.US ALTER
ER_NAME = AUDIT
'ALL USERS'; POLICY
CIS_UNIFIED
_AUDIT_POL
• Level 1 - Lack of ICY ADD
RDBMS results ACTIONS
using implies a DROP
Unified finding. SYNONYM;
6.2.17  EnsureAuditing
the 'DROP SYNONYM'
An Oracle datLogging
Action Audit
and
Is Enabled
m (Scored)
 _NAME =
ENABLED.P
OLICY_NAM
E
AND
AUD.AUDIT_
OPTION =
'SELECT ANY
DICTIONARY
' AND
AUD.AUDIT_
OPTION_TY
PE =
'SYSTEM
PRIVILEGE'
AND
ENABLED.SU
CCESS =
'YES'
AND Execute the
ENABLED.FA following
ILURE = 'YES' SQL
AND statement
ENABLED.EN to
ABLED_OPT remediate
= 'BY' this setting.
AND ALTER
ENABLED.US AUDIT
ER_NAME = POLICY
'ALL USERS'; CIS_UNIFIED
_AUDIT_POL
ICY ADD
• Level 1 - Lack of PRIVILEGES
RDBMS results SELECT ANY
using implies a DICTIONARY
Unified finding. ;
6.2.18  EnsureAuditing
the 'SELECT The
ANYSELECT
DICTIONARY'
AN
Logging
Privilege
and mAudit Is Enabled (Scored)
 OPTION_TY
PE =
'OBJECT
ACTION'
AND
(AUD.OBJEC
T_SCHEMA
= 'SYS' OR
AUD.OBJECT
_SCHEMA =
'AUDSYS')
AND
AUD.OBJECT
_NAME =
'AUD$UNIFI
ED' For Oracle
AND 12.2 and
ENABLED.SU above,
CCESS = execute the
'YES' AND following
ENABLED.FA SQL
ILURE = 'YES' statement
AND to
ENABLED.EN remediate
ABLED_OPT this setting.
= 'BY'
AND ALTER
ENABLED.US AUDIT
ER_NAME = POLICY
'ALL USERS'; CIS_UNIFIED
_AUDIT_POL
ICY ADD
• Level 1 - Lack of ACTIONS
RDBMS results ALL on
using implies a AUDSYS.AU
Unified finding. D$UNIFIED;
6.2.19  EnsureAuditing
the 'AUDSYS.AUD$UNIFIED'
The AUDSYS.AU
Logging
Access
and
Audit
m Is Enabled (Scored)
 ( SELECT
COUNT(*)
FROM
AUDIT_UNIF
IED_POLICIE
S AUD
WHERE
AUD.POLICY
_NAME =
ENABLED.P
OLICY_NAM
E AND
AUD.AUDIT_
OPTION IN Execute the
('CREATE following
PROCEDURE SQL
', 'CREATE statement
FUNCTION', to
'CREATE remediate
PACKAGE', this setting.
'CREATE ALTER
PACKAGE AUDIT
BODY') POLICY
AND CIS_UNIFIED
AUD.AUDIT_ _AUDIT_POL
OPTION_TY ICY ADD
PE = ACTIONS
'STANDARD CREATE
ACTION') = PROCEDURE
4; , CREATE
FUNCTION,
CREATE
• Level 1 - Lack of PACKAGE,
RDBMS results CREATE
using implies a PACKAGE
Unified finding. BODY;
6.2.20  EnsureAuditing
the 'CREATEOracle
PROCEDURE/FUNCTION/PACKAGE/PACKAGE
databaLogging and m BODY' Action Audit Is Enabled (Scored)
 ( SELECT
COUNT(*)
FROM
AUDIT_UNIF
IED_POLICIE
S AUD
WHERE
AUD.POLICY
_NAME =
ENABLED.P
OLICY_NAM
E AND
AUD.AUDIT_
OPTION IN Execute the
('ALTER following
PROCEDURE SQL
', statement
'ALTER to
FUNCTION', remediate
'ALTER this setting.
PACKAGE', ALTER
'ALTER AUDIT
PACKAGE POLICY
BODY') AND CIS_UNIFIED
AUD.AUDIT_ _AUDIT_POL
OPTION_TY ICY ADD
PE = ACTIONS
'STANDARD ALTER
ACTION') = PROCEDURE
4; , ALTER
FUNCTION,
ALTER
• Level 1 - Lack of PACKAGE,
RDBMS results ALTER
using implies a PACKAGE
Unified finding. BODY;
6.2.21  EnsureAuditing
the 'ALTER PROCEDURE/FUNCTION/PACKAGE/PACKAGE
Oracle databaUnauthorized BODY' Action Audit Is Enabled (Scored)
 ( SELECT
COUNT(*)
FROM
AUDIT_UNIF
IED_POLICIE
S AUD
WHERE
AUD.POLICY
_NAME =
ENABLED.P
OLICY_NAM
E AND
AUD.AUDIT_
OPTION IN Execute the
('DROP following
PROCEDURE SQL
', statement
'DROP to
FUNCTION', remediate
'DROP this setting.
PACKAGE', ALTER
'DROP AUDIT
PACKAGE POLICY
BODY') AND CIS_UNIFIED
AUD.AUDIT_ _AUDIT_POL
OPTION_TY ICY ADD
PE = ACTIONS
'STANDARD DROP
ACTION') = PROCEDURE
4; , DROP
FUNCTION,
DROP
• Level 1 - Lack of PACKAGE,
RDBMS results DROP
using implies a PACKAGE
Unified finding. BODY;
6.2.22  EnsureAuditing
the 'DROP PROCEDURE/FUNCTION/PACKAGE/PACKAGE
Oracle databaLogging and m BODY' Action Audit Is Enabled (Scored)
 _NAME =
ENABLED.P
OLICY_NAM
E
AND
AUD.AUDIT_
OPTION =
'ALTER
SYSTEM'
AND
AUD.AUDIT_
OPTION_TY
PE =
'STANDARD
ACTION'
AND
ENABLED.SU
CCESS =
'YES'
AND Execute the
ENABLED.FA following
ILURE = 'YES' SQL
AND statement
ENABLED.EN to
ABLED_OPT remediate
= 'BY' this setting.
AND
ENABLED.US ALTER
ER_NAME = AUDIT
'ALL USERS'; POLICY
CIS_UNIFIED
_AUDIT_POL
• Level 1 - Lack of ICY ADD
RDBMS results ACTIONS
using implies a ALTER
Unified finding. SYSTEM;
6.2.23  EnsureAuditing
the 'ALTER SYSTEM'
The ALTER
Privilege
SYSLogging
Audit
and
Is Enabled
m (Scored)
 _NAME =
ENABLED.P
OLICY_NAM
E
AND
AUD.AUDIT_
OPTION =
'CREATE
TRIGGER'
AND
AUD.AUDIT_
OPTION_TY
PE =
'STANDARD
ACTION'
AND
ENABLED.SU
CCESS =
'YES'
AND Execute the
ENABLED.FA following
ILURE = 'YES' SQL
AND statement
ENABLED.EN to
ABLED_OPT remediate
= 'BY' this setting.
AND
ENABLED.US ALTER
ER_NAME = AUDIT
'ALL USERS'; POLICY
CIS_UNIFIED
_AUDIT_POL
• Level 1 - Lack of ICY ADD
RDBMS results ACTIONS
using implies a CREATE
Unified finding. TRIGGER;
6.2.24  EnsureAuditing
the 'CREATEOracle
TRIGGER'
databa
Action
Logging
Audit
andIs mo
Enabled (Scored)
 _NAME =
ENABLED.P
OLICY_NAM
E
AND
AUD.AUDIT_
OPTION =
'ALTER
TRIGGER'
AND
AUD.AUDIT_
OPTION_TY
PE =
'STANDARD
ACTION'
AND
ENABLED.SU
CCESS =
'YES'
AND Execute the
ENABLED.FA following
ILURE = 'YES' SQL
AND statement
ENABLED.EN to
ABLED_OPT remediate
= 'BY' this setting.
AND
ENABLED.US ALTER
ER_NAME = AUDIT
'ALL USERS'; POLICY
CIS_UNIFIED
_AUDIT_POL
• Level 1 - Lack of ICY ADD
RDBMS results ACTIONS
using implies a ALTER
Unified finding. TRIGGER;
6.2.25  EnsureAuditing
the 'ALTER TRIGGER'
Oracle databa
Action
Unauthorized
Audit IS Enabled
a (Scored)
 ENABLED.P
OLICY_NAM
E
AND
AUD.AUDIT_
OPTION =
'DROP
TRIGGER'
AND
AUD.AUDIT_
OPTION_TY
PE =
'STANDARD
ACTION'
AND
ENABLED.SU
CCESS =
'YES'
AND
ENABLED.FA Execute the
ILURE = 'YES' following
AND SQL
ENABLED.EN statement
ABLED_OPT to
= 'BY' remediate
AND this setting.
ENABLED.US
ER_NAME = ALTER
'ALL USERS'; AUDIT
POLICY
CIS_UNIFIED
Lack of _AUDIT_POL
• Level 1 - results ICY ADD
RDBMS implies a ACTIONS
using finding. DROP
Unified TRIGGER;
6.2.26  EnsureAuditing
the 'DROP TRIGGER'
Oracle databa
Action
Logging
Audit and
Is Enabled
mo (Scored)
 = 'BY USER'
AND
ENABLED.US
ER_NAME =
'ALL USERS'
AND
( SELECT
COUNT(*)
FROM
AUDIT_UNIF
IED_POLICIE
S AUD
WHERE
AUD.POLICY
_NAME =
ENABLED.P
OLICY_NAM
E
AND
AUD.AUDIT_
OPTION IN Execute the
('LOGOFF', following
'LOGON') SQL
AND statement
AUD.AUDIT_ to
OPTION_TY remediate
PE = this setting.
'STANDARD ALTER
ACTION') = AUDIT
2; POLICY
CIS_UNIFIED
_AUDIT_POL
• Level 1 - Lack of ICY ADD
RDBMS results ACTIONS
using implies a LOGON,
Unified finding. LOGOFF;
6.2.27  EnsureAuditing
the 'LOGON'Oracle
AND 'LOGOFF'
databaLogging
Actions
and
Audit
m Is Enabled (Scored)
7  Appendix: Establishing an Audit/Scan User
8  Appendix: Establishing a Unified Audit Policy