CIS Oracle 11g Benchmark v1.0.1

Security Configuration Benchmark ForOracle Database Server 11g Version 1.0.1 January 2009 Copyright 2001-2009, The Center for Internet Security http://cisecurity.org [email protected] Leader: Adam Cecchetti Leviathan Security Group, Inc. Terms of Use Agreement Background. CIS provides benchmarks, scoring tools, software, data, information, suggestions, ideas, and other seivices anu mateiials fiom the CIS website oi elsewheie ȋDzProductsdzȌ as a public seivice to Internet users worldwide. Recommendations containeu in the Piouucts ȋDzRecommendationsdzȌ result from a consensus-building process that involves many security experts and are generally generic in nature. The Recommendations are intended to provide helpful information to organizations attempting to evaluate or improve the security of their networks, systems and devices. Proper use of the Recommendations requires careful analysis and adaptation to specific usei iequiiementsǤ The Recommenuations aie not in any way intenueu to be a Dzquick fixdz foi anyoneǯs infoimation secuiity neeusǤ No representations, warranties and covenants. CIS makes no representations, warranties or covenants whatsoever as to (i) the positive or negative effect of the Products or the Recommendations on the operation or the security of any particular network, computer system, network device, software, hardware, or any component of any of the foregoing or (ii) the accuracy, reliability, timeliness or completeness of any Product or Recommendation. CIS is providing the Products and the Recommenuations Dzas isdz anu Dzas availabledz without iepiesentationsǡ waiianties oi covenants of any kinuǤ User agreements. By using the Piouucts anuȀoi the Recommenuationsǡ I anuȀoi my oiganization ȋDzwedzȌ agiee anu acknowledge that: No network, system, device, hardware, software or component can be made fully secure; We are using the Products and the Recommendations solely at our own risk; We are not compensating CIS to assume any liabilities associated with our use of the Products or the Recommendationsǡ even iisks that iesult fiom CISǯs negligence oi failuie to peifoimǢ We have the sole responsibility to evaluate the risks and benefits of the Products and Recommendations to us and to adapt the Products and the Recommendations to our particular circumstances and requirements; Neither CIS, nor any CIS Party (defined below) has any responsibility to make any corrections, updates, upgrades or bug fixes or to notify us if it chooses at it sole option to do so; and Neither CIS nor any CIS Party has or will have any liability to us whatsoever (whether based in contract, tort, strict liability or otherwise) for any direct, indirect, incidental, consequential, or special damages (including without limitation loss of profits, loss of sales, loss of or damage to reputation, loss of customers, loss of software, data, information or emails, loss of privacy, loss of use of any computer or other equipment, business interruption, wasted management or other staff resources or claims of any kind against us from third parties) arising out of or in any way connected with our use of or our inability to use any of the Products or Recommendations (even if CIS has been advised of the possibility of such damages), including without limitation any liability associated with infringement of intellectual property, defects, bugs, errors, omissions, viruses, worms, backdoors, Trojan horses or other harmful items. Grant of limited rights. CIS hereby grants each user the following rights, but only so long as the user complies with all of the terms of these Agreed Terms of Use: Except to the extent that we may have received additional authorization pursuant to a written agreement with CIS, each user may download, install and use each of the Products on a single computer; Each user may print one or more copies of any Product or any component of a Product that is in a .txt, .pdf, .doc, .mcw, or .rtf format, provided that all such copies are printed in full and are kept intact, including without limitation the text of this Agreed Terms of Use in its entirety. Retention of intellectual property rights; limitations on distribution. The Products are protected by copyright and other intellectual property laws and by international treaties. We acknowledge and agree that we are not acquiring title to any intellectual property rights in the Products and that full title and all ownership rights to the Products will remain the exclusive property of CIS or CIS Parties. CIS reserves all rights not expressly granted to users in the preceding section entitleu Dzuiant of limiteu iightsǤdz Subject to the paiagiaph entitleu DzSpecial Rulesdz ȋwhich incluues a waiveiǡ gianteu to some classes of CIS Nembeisǡ of ceitain limitations in this paragraph), and except as we may have otherwise agreed in a written agreement with CIS, we agree that we will not (i) decompile, disassemble, reverse engineer, or otherwise attempt to derive the source code for any software Product that is not already in the form of source code; (ii) distribute, redistribute, encumber, sell, rent, lease, lend, sublicense, or otherwise transfer or exploit rights to any Product or any component of a Product; (iii) post any Product or any component of a Product on any website, bulletin board, ftp server, newsgroup, or other similar mechanism or device, without regard to whether such mechanism or device is internal or external, (iv) remove or alter trademark, logo, copyright or other proprietary notices, legends, symbols or labels in any Product or any component of a Product; (v) remove these Agreed Terms of Use from, or alter these Agreed Terms of Use as they appear in, any Product or any component of a Product; (vi) use any Product or any component of a Product with any derivative works based directly on a Product or any component of a Product; (vii) use any Product or any component of a Product with other products or applications that are directly and specifically dependent on such Product or any component for any part of their functionality, or (viii) represent or claim a particular level of compliance with a CIS Benchmark, scoring tool or other Product. We will not facilitate or otherwise aid other individuals or entities in any of the activities listed in this paragraph. We hereby agree to indemnify, defend and hold CIS and all of its officers, directors, members, contributors, employees, authors, developers, agents, affiliates, licensors, information and service providers, software suppliers, hardware suppliers, and all other persons who aided CIS in the creation, development or maintenance of the Piouucts oi Recommenuations ȋDzCIS PartiesdzȌ harmless from and against any and all liability, losses, costs and expenses (including attorneys' fees and court costs) incurred by CIS or any CIS Party in connection with any claim arising out of any violation by us of the pieceuing paiagiaphǡ incluuing without limitation CISǯs iightǡ at oui expenseǡ to assume the exclusive defense and control of any matter subject to this indemnification, and in such case, we agree to cooperate with CIS in its defense of such claim. We further agree that all CIS Parties are third-party beneficiaries of our undertakings in these Agreed Terms of Use. Special rules. CIS has created and will from time to time create special rules for its members and for other persons and organizations with which CIS has a written contractual relationship. Those special rules will override and supersede these Agreed Terms of Use with respect to the users who are covered by the special rules. CIS hereby grants each CIS Security Consulting or Software Vendor Member and each CIS Organizational User Member, but only so long as such Member remains in good standing with CIS and complies with all of the terms of these Agreed Terms of Use, the right to distribute the Products and Recommendations within such Nembeiǯs own oiganizationǡ whethei by manual or electronic means. Each such Member acknowledges and agrees that the foregoing grant is subject to the teims of such Nembeiǯs membeiship aiiangement with CIS anu mayǡ theiefoieǡ be modified or terminated by CIS at any time. Choice of law; jurisdiction; venue. We acknowledge and agree that these Agreed Terms of Use will be governed by and construed in accordance with the laws of the State of Maryland, that any action at law or in equity arising out of or relating to these Agreed Terms of Use shall be filed only in the courts located in the State of Maryland, that we hereby consent and submit to the personal jurisdiction of such courts for the purposes of litigating any such action. If any of these Agreed Terms of Use shall be determined to be unlawful, void, or for any reason unenforceable, then such terms shall be deemed severable and shall not affect the validity and enforceability of any remaining provisions. We acknowledge and agree that we have read these Agreed Terms of Use in their entirety, understand them and agree to be bound by them in all respects. Table of Contents Terms of Use Agreement .............................................................................................................................. a Background ................................................................................................................................................... 1 CONSENSUS GUIDANCE ................................................................................................................................... 1 CONFIGURATION LEVELS ................................................................................................................................. 1 Level-I Benchmark settings/actions ....................................................................................................... 1 Level-II Benchmark settings/actions ...................................................................................................... 1 SCORING LEVELS ............................................................................................................................................ 1 Scorable ................................................................................................................................................. 1 Not Scorable .......................................................................................................................................... 1 Introduction.................................................................................................................................................... 2 1. Operating System Specific Settings .......................................................................................................... 3 2. Installation and Patch .............................................................................................................................. 10 3. Oracle Directory and File Permissions .................................................................................................... 18 4. Oracle Parameter Settings ...................................................................................................................... 31 5. Encryption Specific Settings.................................................................................................................... 53 6. Startup and Shutdown ............................................................................................................................. 65 7. Backup and Disaster Recovery ............................................................................................................... 66 8. Oracle Profile (User) Setup Settings ....................................................................................................... 70 9. Oracle Profile (User) Access Settings ..................................................................................................... 80 10. Enterprise Manager / Grid Control / Agents ........................................................................................ 106 11. Specific Systems ................................................................................................................................. 109 12. General Policy and Procedures .......................................................................................................... 111 13. Auditing Policy and Procedures .......................................................................................................... 134 Appendix A: Additional Settings (not scored)............................................................................................ 145 Appendix B: Enterprise Manager Grid Control for Patch and Policy Management .................................. 151 Appendix C: Acknowledgments ................................................................................................................ 151 Appendix D: Change History ..................................................................................................................... 152 1 | P a g e Background Consensus Guidance This guide was created using a consensus process comprised of volunteer and contract subject matter experts. Consensus participants provide perspective from a diverse set of backgrounds including consulting, software development, auditing and compliance, security research, operations, government, and legal. Configuration Levels Level-I Benchmark settings/actions System administrators with any level of security knowledge and experience can understand and perform the specified actions. The action is unlikely to cause an interruption of service to the operating system or the applications that run on it. The actions can be automatically monitored, and the configuration verified, by Scoring Tools that are available from the Center or by CIS-certified Scoring Tools. Level-II Benchmark settings/actions Level-II security configurations vary depending on network architecture and server function. These are of greatest value to system administrators who have sufficient security knowledge to apply them with consideration to the operating systems and applications running in their particular environments. Scoring Levels This section defines the various scoring levels used within this document. Scorable This setting or recommendation is able to be assessed by scoring tools or commandǦline arguments. Not Scorable This setting or recommendation requires complex checking that is not feasible with basic audit methods. 2 | P a g e Introduction This uocument is ueiiveu fiom ieseaich conuucteu utilizing the 0iacle ͳͳg piogiamǡ the 0iacleǯs Technology Network (otn.oracle.com), various published books and the Oracle 11g Database Security Guidelines. This document provides the necessary settings and procedures for the secure installation, setup, configuration, and operation of an Oracle 11g database environment. With the use of the settings and procedures in this document, an Oracle database may be secured from conventional Dzout of the boxdz thieatsǤ Recognizing the natuie of secuiity cannot and should not be limited to only the application, the scope of this document is not limited to only Oracle specific settings oi configuiationsǡ but also auuiesses backupsǡ aichive logsǡ Dzbest piacticesdz piocesses anu procedures that are applicable to general software and hardware security. Applicable items were verified and tested against an Oracle 11g default install on a Redhat Enterprise Sever 5. The Oracle version used was 11.1.0.6.0. Where the default setting is less secure than the recommended setting a caution has been provided in the comment section below the separator bar or as a note below a chapter heading. Default installs for both the operating system and the database may differ dependent on versions and options installed so this is to be used as a general guide only. Linux settings should translate to other varieties of Linux, but were only tested against RHEL5. If any differences are found, please contact the CIS team. Under the Level heading, scoring data has been included: S Ȃ To be scored. N Ȃ Not to be scored. It is extremely important to conduct testing of security configurations on non-production systems prior to implementing them on production systems. 3 | P a g e 1. Operating System Specific Settings Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score 1.01 Windows platform Do not install Oracle on a domain controller Rationale: This action will reduce the attack surface of the Domain Controller and the Oracle server. Remediation: Create a standalone server for the Oracle install. Audit: Execute the following WMI Query: Select DomainRole from \ Win32_ComputerSystem If the above returns a 4 or 5 the system is a Domain Controller. \ 1 S 1.02 Windows Oracle Local Account Use Restricted Service Account (RSA) Rationale: Adding an additional administrative account to the system increases the attack surface of the Windows server. Creating a local administrator with restricted access mitigates this risk. Remediation: Run the Oracle services using a local administrator account created specifically for Oracle. Use the account created to install the product. Deny log on locally to this account. Audit: None \ 1 N 4 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score 1.03 Windows Oracle Domain Account Use Restricted Service Account (RSA) Rationale: If the Oracle services require domain resources, then the server must be a domain server and the Oracle services must be run using a Restricted Service Account, i.e., restricted domain user account. Remediation: Add the account to the local administrators group on the server running the Oracle services. Audit: None \ 1 N 1.04 Windows Oracle Account Deny Log on Locally Right Rationale: The RSA must have limited access requirements. Remediation: Deny the Log on Locally right to the RSA. Audit: Ensure the Oracle account is listed beneath Local Policies\User Rights Assignments\Deny Log on Locally in the Windows Local Security Policy \ 1 S 1.05 Windows Oracle Domain Global Group Create a global group for the RSA and make it the RSA's primary group Rationale: The RSA account should not have access to resources that all domain users need to access. Remediation: Do not assign any rights to the group. Audit: None \ 1 N 5 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score 1.06 Windows Oracle Account Domain Users Group Membership Remove the RSA from the Domain Users group Rationale: The RSA must have limited access requirements. Granting the RSA domain level privileges negates the purpose of the RSA. Remediation: Remove the RSA from the Domain Users group. Audit: On the domain controller, execute the following: dsget user <OracleUserDN> -memberof Ensure Domain Users is not listed. For more information on the dsget command, see http://technet.microsoft.com/en- us/library/cc755876.aspx \ 1 S 1.07 Windows Oracle Domain Network Resource Permissions Verify and set permissions Rationale: The RSA must have limited access requirements. Remediation: Give the appropriate permissions to the RSA or global group for the network resources that are required. Audit: None \ 1 N 6 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score 1.08 Windows Oracle Domain Account Logon to. Value Limit to machine running Oracle services Rationale: The RSA must have limited access requirements and be limited to authenticating to the Oracle server. Remediation: Configure the RSA to only log on to the computer that is running the Oracle services. Audit: None \ 1 S 1.09 Windows Program Folder Permissions Verify and set permissions Rationale: The Oracle program installation folder must allow only limited access. Global access or unrestricted folder permissions will allow an attacker to alter Oracle resources and possibly compromise the security of the Oracle system. Remediation: Remove permissions for the Users group from the %ProgramFiles%\Oracle folder. Audit: Execute the following command: cacls °%ProgramFiles%\Oracle¨ and ensure BUILTIN\Users is not listed. \ 1 S 7 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score 1.10 Windows Oracle Registry Key Permissions Verify and set permissions Rationale: Access to the Oracle registry key must be limited to those users that require it. Unrestricted access to the Oracle registry entries will allow non-administrative users to alter settings and create an insecure environment. Remediation: Give Full Control over the HKEY_LOCAL_MACHINE\SOFTWARE\ORACLE key to the account that will run the Oracle services and remove the local Users group. Give read permissions to those users that require it. Audit: In regedit, browse to the HKEY_LOCAL_MACHINE\SOFTWARE\ORACLE key, right click, select Permissions, and ensure the Users group is not granted access. \ 1 S 1.11 Windows Oracle Registry Key Setting Set OSAUTH_PREFIX_DOMAIN registry value to TRUE Rationale:This configuration strengthens the authentication process by requiring that the domain name be part of the username for externally authenticated accounts. Remediation: Set the HKEY_LOCAL_MACHINE\ SOFTWARE\ORACLE\ALL_HOMES\OSAUTH_PREFIX_D OMAIN value to TRUE Note: This is the default configuration. Audit: In regedit, ensure the HKEY_LOCAL_MACHINE\ SOFTWARE\ORACLE\ALL_HOMES\OSAUTH_PREFIX_D OMAIN value set to TRUE. \ 1 S 8 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score 1.12 Windows registry Set USE_SHARED_SOCKET registry value to TRUE Rationale: Confines client connections to the same port as the listener. This allows connection and firewall management to be performed in a more consistent and refined manner. Remediation: Set the HKEY_LOCAL_MACHINE\ SOFTWARE\ORACLE\HOME<#>\USE_SHARED_SOCKET registry key to TRUE. If random port reassignment is undesired, such as if there is a need to pipe through a firewall. See Oracle Metalink note 124140.1 for details. Note: This is the default configuration. Audit: In regedit, Ensure the HKEY_LOCAL_MACHINE\ SOFTWARE\ORACLE\HOME<#>\USE_SHARED_SOCKET registry key is set to TRUE. \ 2 S 1.13 Oracle software owner host account Lock account Rationale: Locking the user account will deter attackers from leveraging this account in brute force authentication attacks. Remediation: On Unix systems, lock the Oracle software owner account. If the account cannot be locked, use a very strong password for the account. Account can be unlocked if system maintenance is required. This is not recommended for Windows environments. Audit: grep -i account_name /etc/password \ 2 S 9 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score 1.14 All associated application files Verify permissions Rationale: Allowing improper access to binaries that directly interface with the Oracle database adds unnecessary risk and increases the attack surface of the database. Remediation: Check the file permissions for all application files for proper ownership and minimal file permissions. This includes all 3 rd party application files on the server that access the database. Any 3 rd party applications must be installed on a separate server from the database. If this is not possible in the environment, ensure that the 3 rd party applications are installed on separate partitions from the Oracle software and associated data files. Audit: None \ \ 2 N 10 | P a g e 2. Installation and Patch Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 2.01 Installation Try to ensure that no other users are connected while installing Oracle 11g. Rationale: The Oracle 11g installer application could potentially create files, accounts, or setting with public privileges. An attacker may leverage these to compromise the integrity of the system or database before the installation is complete. Remediation: The Oracle 11g installer application could potentially create files in a temporary directory with public privileges. It would be possible for any local user to delete, overwrite or corrupt these files during the installation process. Try to ensure that no other users are connected while installing Oracle 11g. Also set the $TMP and $TMPDIR environment variables to a protected directory with access given only to the Oracle software owner and the ORA_INSTALL group. If possible install Oracle while the server is disconnected from the network. If the server must be installed remotely temporarily stop inbound remote connections via administration protocols ex. SSH, Terminal Service, VNC. Audit: None \ \ 1 N 11 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 2.02 Version/Patches Ensure the latest version of Oracle software is being used, and that the latest patches from Oracle Metalink have been applied. Rationale: Using outdated or unpatched software will put the Oracle database and host system at unnecessary risk and violates security best practices. Remediation: Check Oracle's site to ensure the latest versions: http://www.oracle.com/technology/software/index.html and latest patches: http://metalink.oracle.com/metalink/plsql/ml2_gui.startup Audit: opatch lsinventory -detail \ \ 1 S 2.03 Minimal Install Ensure that only the Oracle components necessary to your environment are selected for installation. Rationale: Installing components that are not used increases the attack surface of the database server. Remediation: Install only components needed to satisfy operational requirements. Remove components that may have been installed during a previous installation but are not required. Audit: None \ \ 1 N 12 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 2.04 tkprof Remove from system Rationale: The tkprof utility must be removed from production environments; it is a powerful tool for an attacker to find issues in the running database. If tkprof must remain on the production system, it must be protected by proper permissions. Remediation: Set file permissions of 0750 or less on Unix systems. On Windows systems, restrict access to only those users requiring access and verify that "Everyone¨ does not have access. Go to the $ORACLE_HOME/bin directory and remove or change the permissions of the utility. Audit: $ORACLE_HOME/bin/tkprof \ \ 1 S 2.05 listener.ora Change default name of listener Rationale: The listener must not be called by the default name as it is commonly known. A distinct name must be selected. Remediation: Edit $ORACLE_HOME/network/admin/listener.ora and change the default name. Audit: grep default $ORACLE_HOME/network/admin/listener.ora \ \ 1 S 13 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 2.06 listener.ora Use IP addresses rather than hostnames Rationale: IP addresses instead of host names in the listener.ora file must be used. This prevents a compromised or spoofed DNS server from causing Oracle outages or man in the middle attacks. Hostnames are used by default. Remediation: Edit $ORACLE_HOME/network/admin/listener.ora and replace DNS names with IP addresses. Audit: grep -i HOST $ORACLE_HOME/network/admin/listener.ora \ \ 2 S 2.07 otrace Disable Rationale: otrace can leak sensitive information useful for an attacker. Remediation: Go to the $ORACLE_HOME/otrace/admin directory of your instance and remove or delete the .dat files related to otrace. Do this for all *.dat files in this directory. Note that this directory is installed for the Enterprise Manager Grid Controller. It is not installed with a default 11g database installation. Audit: ls $ORACLE_HOME/otrace/admin/*.dat \ \ 1 S 14 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 2.08 Listener password Use OS Authentication Rationale: It is more secure to use OS authentication as setting a password on the listener will enable remote administration of the listener. Remediation: OS Authentication is enabled by default.. If additional users require remote access to the listener, set an encrypted password using the set password command via the lsnrctl tool. Be aware, setting a password in the listener.ora file will set an unencrypted password on the listener. Audit: grep -i PASSWORD \ $ORACLE_HOME/network/admin/listener.ora \ \ 1 S 2.09 Default Accounts (created by Oracle) The following actions are recommended in order of preference for default accounts: 1. Drop the user 2. Lock the user account 3. Change the default password Rationale: The default Oracle installation locks and expires the installation accounts. These accounts should be left locked and expired unless absolutely necessary. Check to ensure these accounts have not been unlocked. Remediation: Lock and expire the system accounts. Audit: SELECT * FROM DBA_USERS_WITH_DEFPWD; \ \ 2 S 15 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 2.10 OEM objects Remove if OEM not used Rationale: Removing the OEM will reduce the Oracle attack surface. Remediation: Execute $ORACLE_HOME/rdbms/admin/catnsnmp.sql to remove all the objects and delete the file $ORACLE_HOME/bin/dbsnmp. Note: Database statistics will be unavailable in Enterprise Manager if this is set. $ORACLE_HOME/rdbms/admin/catnsmp.sql rm $ORACLE_HOME/bin/dbsnmp Audit: ls -al $ORACLE_HOME/bin/dbsnmp \ \ 2 S 2.11 listener.ora Change standard ports Rationale: Standard ports are used in automated attacks and by attackers to verify applications running on a server. Remediation: Alter the listener.ora file and change the PORT setting. Note: This may break applications that hard code the default port number. Audit: grep 1521 \ $ORACLE_HOME/network/admin/listener.ora grep 1526 \ $ORACLE_HOME/network/admin/listener.ora \ \ 2 S 16 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 2.12 Third party default passwords Set all default account passwords to non-default strong passwords Rationale: When installed, some third party applications create well-known default accounts in an Oracle database. Remediation: The default passwords for these accounts must be changed or the account must be locked. ALTER USER <USERNAME> IDENTIFIED BY <PASSWORD>; ALTER USER <USERNAME> ACCOUNT LOCK PASSWORD EXPIRE; Audit: SELECT * FROM DBA_USERS_WITH_DEFPWD; SELECT USERNAME, ACCOUNT_STATUS FROM DBA_USERS; \ \ 2 S 2.13 Service or SID name Non-default Rationale: Do not use the default SID or service name of ORCL. It is commonly know and used in many automated attacks. Remediation: Alter the listener.ora file SID setting to a value other than the default. Ensure the SID is at least 7 characters long to prevent successful brute force attacks. Audit: grep -i ORCL \ $ORACLE_HOME/network/admin/listener.ora \ \ 1 S 17 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 2.14 Oracle Installation Oracle software owner account name NOT 'oracle' Rationale: Do not name the Oracle software owner account 'oracle' as it is very well known and can be leveraged by an attacker in a brute force attack. Remediation: Change the user used for the oracle software. Audit: grep -i oracle /etc/password \ \ 2 S 2.15 Oracle Installation Separate users for different components of Oracle Rationale: The user for the intelligent agent, the listener, and the database must be separated. This setup may cause unknown or unexpected errors and should be extensively tested before deployment into production. This is not recommended for Windows environments. Remediation: For Unix systems, create unique user accounts for each Oracle process/service in order to differentiate accountability and file access controls. Audit: None \ 2 N 18 | P a g e 3. Oracle Directory and File Permissions Note: The Oracle software owner in Windows is the account used to install the product. This account must be a member of the local Administrators group. The Windows System account is granted access to Oracle files/directories/registry keys. This account is not restated in the comments section below, but must not be removed. Removal of the System account will cause Oracle to stop functioning. Note: Some Unix operating systems make use of extended ACL's which may contain permissions more secure then the recommendations listed here. Please be sure to fully examine and test permissions before implementing them on production systems. Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 3.01 Files in $ORACLE_HOME/bin Verify and set ownership Rationale: All files in the $ORACLE_HOME/bin must be owned by the Oracle software account to prevent a system-wide compromise in the event the Oracle account is compromised. In Windows, this account must be part of the Administrators group. Remediation: Change the ownership of the binaries to the appropriate account. Audit: ls -al $ORACLE_HOME/bin/* \ \ 1 S 3.02 Files in $ORACLE_HOME/bin Permissions set to 0755 or less Rationale: Incorrect permissions could allow an attacker to replace a binary with a malicious version. Remediation: All files in the $ORACLE_HOME/bin directory must have permissions set to 0755 or less. chmod 0755 $ORACLE_HOME/bin/* Audit: ls -al $ORACLE_HOME/bin/* \ 1 S 19 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 3.03 Files in $ORACLE_HOME (not including $ORACLE_HOME/bin) Permissions set to 0750 or less on Unix systems Rationale: Incorrect permissions could allow an attacker to execute or replace a command with a malicious version. Remediation: All files in $ORACLE_HOME directories (except for $ORACLE_HOME/bin) must have permission set to 0750 or less. chmod 750 $ORACLE_HOME/* Audit: ls -al $ORACLE_HOME \ 1 S 3.04 Oracle account .profile file Unix systems umask 022 Rationale: Regardless of where the umask is set, umask must be set to 022 before installing Oracle. Ad improper umask can lead to unrestrictive permissions and open the oracle server file system to attack. Remediation: Ensure the umask value is 022 for the owner of the Oracle software before installing Oracle. Audit: umask \ 1 S 20 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 3.05 init.ora Verify and restrict permissions Rationale: File permissions must be restricted to the owner of the Oracle software and the dba group. If unprivileged users can alter the init.ora configuration the security of the oracle server can be compromised. Remediation: chgrp oracle_grp init.ora chown oracleuser init.ora chmod 644 init.ora Audit: ls -al $ORACLE_HOME/dbs/init.ora \ \ 1 S 3.06 spfile.ora Verify and restrict permissions Rationale: File permissions must be restricted to the owner of the Oracle software and the dba group. If unprivileged users can alter the spfile.ora configuration the security of the oracle server can be compromised. Remediation: chgrp oracle_grp spfile.ora chown oracleuser spfile.ora chmod 640 spfile.ora Audit: ls -al $ORACLE_HOME/dbs/spfile.ora \ \ 1 S 21 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 3.07 Database datafiles Verify and restrict permissions Rationale: File permissions must be restricted to the owner of the Oracle software and the dba group. If unprivileged users can read or alter the dbs files the security of the oracle server can be compromised. Remediation: chown oracleuser $ORACLE_HOME/dbs/* chgrp oraclegroup $ORACLE_HOME/dbs/* Audit: ls -al $ORACLE_HOME/dbs/* \ \ 1 S 3.08 init.ora Verify permissions of file referenced by ifile parameter Rationale: File permissions must be restricted to the owner of the Oracle software and the dba group. If the ifile functionality is used, the file permissions of the referenced ifile must be restricted to the Oracle software owner and the dba group. Remediation: chmod 750 ifile chown oracleuser.oraclegroup ifile Audit: grep ifile init.ora ls -al <result> \ \ 1 S 22 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 3.09 init.ora audit_file_dest parameter settings Rationale: The destination for the audit file must be set to a valid directory owned by oracle and set with owner read/write permissions only. Remediation: chmod 600 auditfile chown oracleuser.oraclegroup auditfile Audit: grep -i audit_file_dest init.ora ls -al <result> \ \ 1 S 3.10 init.ora diagonostic_dest parameter settings Rationale: The destination for the user dump must be set to a valid directory with permissions restricted to the owner of the Oracle software and the dba group. Remediation: chmod 660 diag_file chown oracleuser.oraclegroup diag_file Audit: grep -i diagonostic_dest init.ora ls -al <result> \ \ 1 S 23 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 3.11 init.ora control_files parameter settings Rationale: The permissions must be restricted to only the owner of the Oracle software and the dba group. Remediation: chmod 640 control_file chown oracleuser.oraclegroup control_file Audit: grep -i control_files init.ora ls -al <result> select name from V$controlfile; \ \ 1 S 3.12 init.ora log_archive_dest_n parameter settings Rationale: File permissions must be restricted to the owner of the Oracle software and the dba group. For complex configurations where different groups need access to the directory, access control lists must be used. Note: If Oracle Enterprise Edition is installed, and no log_archive_dest_n parameters are set, the deprecated form of log_archive_dest must be used. Remediation: Default is " " (A null string) for all. Must configure and set paths, then ensure those directories are secure. chmod 750 file_file_dest chown oracleuser.oraclegroup \ log_file_dest Audit: grep -i log_archive_dest init.ora ls -al <result> \ \ 1 S 24 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 3.13 Files in $ORACLE_HOME/ network/admin directory Verify and set permissions Rationale: Permissions for all files must be restricted to the owner of the Oracle software and the dba group. Note: If an application that requires access to the database is also installed on the database server, the user the application runs as must have read access to the tnsnames.ora and sqlnet.ora files. Remediation: chmod 644 $ORACLE/network/admin/* chown oracleuser.oraclegroup \ $ORACLE_HOME/network/admin/* Audit: ls -al $ORACLE_HOME/network/admin/* \ \ 1 S 3.14 sqlnet.ora Verify and set permissions with read permissions for everyone. Rationale: The sqlnet.ora contains the configuration files for the communication between the user and the server including the level of required encryption. Remediation: chmod 644 sqlnet.ora chown oracleuser.oraclegroup sqlnet.ora Note: If encryption is used, the key is stored in the parameter SQLNET.CRYPTO_SEED in the sqlnet.ora file. In such scenarios, access to this file should be limited. Audit: ls -al sqlnet.ora \ \ 1 S 25 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 3.15 sqlnet.ora log_directory_client parameter settings Rationale: The log_directory_client must be set to a valid directory owned by the Oracle account and permissions restricted to read/write only for the owner and dba group. Remediation: chmod 640 log_directory_client chown oracleuser.oraclegroup \ log_directory_client Audit: grep -i log_directory_client sqlnet.ora \ \ 1 S 3.16 sqlnet.ora log_directory_server parameter settings Rationale: The log_directory_server must be set to a valid directory owned by the Oracle account and set with owner and group read/write permissions only. Remediation: chmod 640 log_directory_client chown oracleuser.oraclegroup \ log_directory_client Audit: grep -i log_directory_client sqlnet.ora \ \ 1 S 26 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 3.17 sqlnet.ora trace_directory_client parameter settings Rationale: The trace_directory_client parameter settings must be set to a valid directory owned by the Oracle account and permissions restricted to read/write only for the owner and read for the dba group.. By default this is not set. Be aware, this is usually set to $ORACLE_HOME/network/trace, with permissions set as: Remediation: chmod 640 log_directory_client chown oracleuser.oraclegroup \ log_directory_client Audit: grep -i trace_directory_client sqlnet.ora \ \ 1 S 3.18 sqlnet.ora trace_directory_server parameter settings Rationale: The trace_directory_server must be set to a valid directory owned by the Oracle account and permissions restricted to read/write only for the owner and read for the dba group. By default this is not set. Be aware, this is usually set to $ORACLE_HOME/network/trace. Remediation: chmod 640 trace_directory_server chown oracleuser.oraclegroup trace_directory_server Audit: grep -i trace_directory_server sqlnet.ora \ \ 1 S 27 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 3.19 listener.ora Verify and set permissions Rationale: File permissions must be restricted to the owner of the Oracle software and the dba group. If backup copies of the listener.ora file are created these backup files must be removed or they must have their permissions restricted to the owner of the Oracle software and the dba group. Remediation: chmod 660 \ $ORACLE_HOME/network/admin/listener.ora chown oracleuser.oraclegroup \ $ORACLE_HOME/network/admin/listener.ora Audit: ls -al \ $ORACLE_HOME/network/admin/listener.ora \ \ 1 S 3.20 listener.ora log_file_listener parameter settings Rationale: The log_file_listener file must be set to a valid directory owned by the Oracle account and permissions restricted to read/write only for the owner and read for the dba group. By default this is not set. Be aware, this is usually set to $ORACLE_HOME/network/log/listener.log. Remediation: chmod 640 \ $ORACLE_HOME/network/log/listener.log chown oracleuser.oraclegroup \ $ORACLE_HOME/network/log/listener.log Audit: grep -i log_file_listener \ $ORACLE_HOME/network/admin/listener.ora \ \ 1 S 28 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 3.21 listener.ora trace_directory_listener _name parameter settings Rationale: The trace_directory_listener_name must be set to a valid directory owned by the Oracle account and permissions restricted to read/write only for the owner and dba group. Remediation: chmod 660 trace_dir chown oracleuser.oraclegroup trace_dir Audit: grep -i trace-directory \ $ORACLE_HOME/network/admin/listener.ora \ \ 1 S 3.22 listener.ora trace_file_listener_name parameter settings Rationale: This file must be owned by the Oracle account and permissions restricted to read/write only for the owner and dba group. By default this is not set. Be aware, this is usually set to $ORACLE_HOME/network/trace. Remediation: chown oracleuser.oraclegroup \ $ORACLE_HOME/network/trace chmod 660 $ORACLE_HOME/network/trace Audit: grep -i trace_file \ $ORACLE_HOME/network/admin/listener.ora ls -al <result> \ \ 1 S 29 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 3.23 sqlplus Verify and set permissions Rationale: The permissions of the binaries for sqlplus on the server must be restricted to the owner of the Oracle software and the dba group. Remediation: chown oracleuser.oraclegroup sqlplus chmod 750 sqlplus Audit: which -a sqlplus ls -al <result(s)> \ \ 1 S 3.24 .htaccess Verify and set permissions Rationale: File permissions must be restricted to the owner of the Oracle software and the dba group. Remediation: chown oracleuser.oraclegroup .htaccess chmod 644 .htaccess Audit: ls -al .htaccess Note: Only applicable for environments using the Oracle HTTP Server. Additionally, ensure all configuration changes have been made within .htaccess prior to implementing this recommendation. \ \ 1 S 30 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 3.25 dads.conf Verify and set permissions Rationale: File permissions must be restricted to the owner of the Oracle software and the dba group. Remediation: chown oracleuser.oraclegroup dads.conf chmod 644 dads.conf Audit: ls -al dads.conf Note: Only applicable for environments using the Oracle HTTP Server. Additionally, ensure all configuration changes have been made within dads.conf prior to implementing this recommendation. \ \ 1 S 3.26 xsqlconfig.xml Verify and set permissions Rationale: File permissions must be restricted to the owner of the Oracle software and the dba group. Remediation: chown oracleuser.oraclegroup \ xsqlconfig.xml chmod 640 xsqlconfig.xml Audit: ls -al \ $ORACLE_HOME/xdk/admin/XSQLConfig.xml \ \ 1 S 31 | P a g e 4. Oracle Parameter Settings Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 4.01 init.ora _trace_files_public= FALSE Rationale: Prevents users from having the ability to read trace files which may contain sensitive information about the running Oracle instance. This is an internal Oracle parameter. Do NOT use it unless instructed to do so by Oracle Support. Remediation: Set _trace_files_public= FALSE Note: Default is FALSE. Audit: grep -i _trace_files_public init.ora \ \ 1 S 4.02 init.ora global_names= TRUE Rationale: This parameter ensures that Oracle will check that the name of a database link is the same as that of the remote database. Default is TRUE. Remediation: Set global_names= TRUE in init.ora Audit: grep -i global_names init.ora \ \ 1 S 32 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 4.03 Init.ora remote_os_authent=FALSE Rationale: This setting has been deprecated, however is maintained for backwards compatibility. If this setting is used it is recommended to be set to FALSE. remote_os_authent will allow a user that is authenticated to the network domain to access the database without DB credentials. Remediation: Set remote_os_authent=FALSE. Audit: grep -i remote_os_authent init.ora \ \ 1 S 4.04 init.ora remote_os_roles= FALSE Rationale: Connection spoofing must be prevented. Default is FALSE. Remediation: Set remote_os_roles= FALSE. Audit: grep -i remote_os_roles init.ora \ \ 1 S 4.05 init.ora remote_listener=°° (A null string) Rationale: Prevent the use of a listener on a remote machine separate from the database instance. Remediation: Set remote_listener=°¨. Audit: grep -i remote_listener init.ora \ \ 1 S 33 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 4.06 init.ora audit_trail parameter set to OS, DB, DB_EXTENDED, XML, or XML, EXTENDED Rationale: Ensures that basic audit features are used. Recommend setting audit_trail to OS as it reduces the likelihood of a Denial of Service attack and it is easier to secure the audit trail. OS is required if the auditor is distinct from the DBA. Any auditing information stored in the database is viewable and modifiable by the DBA if set to DB or DB_EXTENDED. Even with the audit_trail value set to FALSE, an audit session will report, "Audit succeeded." The default is DB. Remediation: Alter the init.ora file and set audit_trail=OS Audit: grep -i audit_trail init.ora \ \ 1 S 4.07 init.ora os_authent_prefix=°° (A null string) Rationale: OS roles are subject to control outside the database. The duties and responsibilities of DBAs and system administrators must be separated. It must be set to limit the external use of an account to an IDENTIFIED EXTERNALLY specified user. Remediation: Set os_authent_prefix=°° Audit: grep -i os_authent_prefix init.ora \ \ 1 S 34 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 4.08 init.ora os_roles=FALSE Rationale: os_roles allows externally created groups to be used to manage database roles. This can lead to misaligned or inherited permissions. Remediation: Set os_roles=FALSE Audit: grep -i os_roles init.ora \ \ 1 S 4.09 init.ora Avoid using utl_file_dir parameters Rationale: Do not use the utl_file_dir parameter directories created with utl_file_dir as they can be read and written to by all users. Specify directories using CREATE DIRECTORY which requires granting of privileges to each user. This function has been deprecated since version 9.2 migration is recommended. Remediation: Use CREATE DIRECTORY Audit: grep -i utl_file_dir init.ora \ \ 1 S 35 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 4.10 init.ora Establish redundant physically separate locations for redo log files. Use "LOG_ARCHIVE_DUPLEX_DEST¨ to establish a redundant location for the redo logs. Rationale: Redundancy for the redo logs can prevent catastrophic loss in the event of a single physical drive failure. If this parameter is used, it must be set to a valid directory owned by oracle set with owner and group read/write permissions only. For complex configurations where different groups need access to the directory, access control lists must be used. Remediation: Set LOG_ARCHIVE_DUPLEX_DEST to a valid, properly secured, directory. Audit: grep -i log_archive_duplex_dest init.ora \ \ 1 S 4.11 init.ora Specify redo logging must be successful. Use "LOG_ARCHIVE_MIN_SUCCEED _DEST¨ to ensure the successful logging of the redo files. Rationale: Specifying that the logging must succeed in one or more locations ensures redundancy of the redo logs. Remediation: Set LOG_ARCHIVE_MIN_SUCCEED_DEST to 1 or greater. Audit: grep -i LOG_ARCHIVE_MIN_SUCCEED_DEST \ init.ora \ \ 1 S 36 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 4.12 init.ora sql92_security= TRUE Rationale: Enforce the requirement that a user must have SELECT privilege on a table in order to be able to execute UPDATE and DELETE statements using WHERE clauses on a given table. WARNING: This will likely result in many applications failing and should not be enabled in production without thorough testing. Remediation: Set sql92_security= TRUE Audit: grep -i sql92_security init.ora \ \ 2 S 4.13 listener.ora admin_restrictions_liste ner_name=on Rationale: Replace listener_name with the actual name of your listener(s) for this parameter setting. This requires the administrator to have write privileges to listener.ora. This setting will cause the listener to refuse set commands that alter its parameters without a restart of the listener. Not set and turned off by default. Remediation: Set admin_restrictions_listener_name = on Audit: grep -i admin_restrictions listener.ora \ \ 2 S 37 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 4.14 listener.ora logging_listener=ON Rationale: Logging of all listener actions will create an audit trail in the event that a listener is attacked or needs to be debugged. This setting is not set, but is enabled by default. Remediation: Set logging_listener=ON Audit: grep -i logging_listener listener.ora \ \ 1 S 4.15 Database object definition NOLOGGING clause Do not leave database objects in NOLOGGING mode in production environments. Rationale: The NOLOGGING keyword instructs Oracle Database Server to forego writing essential recovery information to the redo log when performing certain actions, including but not limited to ALTER INDEX, CREATE INDEX, CREATE TABLE, and ALTER TABLE. Given this, improper use of NOLOGGING may introduce data continuity exposures in the absence of a full backup. Remediation: Ensure database objects, such as tables and indexes, are not operating in NOLOGGING mode. Audit: None \ \ 1 N 38 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 4.16 init.ora o7_dictionary_accessibil ity= FALSE Rationale: This is a database initialization parameter that controls access to objects in the SYS schema. Set this to FALSE to prevent users with EXECUTE ANY PROCEDURE and SELECT ANY DICTIONARY from accessing objects in the SYS schema. If access to these objects is required, the following roles can be assigned, SELECT_CATALOG_ROLE, EXECUTE_CATALOG_ROLE, DELETE_CATALOG_ROLE. If set to TRUE, accounts with "ANY" privileges could get access to objects in the SYS schema. Default setting is FALSE. Note: In Oracle Applications 11.5.9 and lower, O7_DICTIONARY_ACCESSIBILITY must be set to TRUE. This is required for proper functioning of the application and Oracle does not support setting it to FALSE. In Apps 11.5.10 and higher, O7_DICTIONARY_ACCESSIBILITY should be set to FALSE. See Oracle Metalink Note ID 216205.1 for more information. Remediation: Set o7_dictionary_accessibility= FALSE Audit: grep -i o7_dictionary_accessibility \ init.ora \ \ 2 S 39 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 4.17 spfile<sid>.ora Remove the following from the spfile: dispatchers= (PROTOCOL= TCP) (SERVICE= <oracle_sid>XDB) Rationale: This will disable default ports ftp: 2100 and http: 8080. Removing the XDB ports will reduce the attack surface of the Oracle server. It is recommended to disable these ports if production usage is not required. Remediation: Remove the following from spfile: dispatchers= (PROTOCOL= TCP)(SERVICE= <oracle_sid>XDB) Audit: grep -i XDB spfile<sid>.ora \ \ 2 S 4.18 Init.ora or spfile<sid>.ora AUDIT_SYS_OPERATIONS =TRUE Rationale: Auditing of the users authenticated as the SYSDBA or the SYSOPER provides an oversight of the most privileged of users. It is important that the database user should not have access to the system directories where the audits will be recorded. Ensure this by setting the AUDIT_SYS_OPERATIONS to TRUE. Remediation: Set AUDIT_SYS_OPERATIONS=TRUE. The default value is FALSE within spfile. Set AUDIT_FILE_DEST to your designated logging directory. Windows: Default is Event Viewer log file Unix: Default is $ORACLE_HOME/rdbms/audit By default this is set in spfile. Audit: grep -i AUDIT_SYS_OPERATIONS init.ora \ \ 2 S 40 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 4.19 listener.ora inbound_connect_ timeout_listener=2 Rationale: Allowing inbound connections to hold open half connections consumes database resources and can lead to denial of service. Set the initial value low and adjust upward if normal clients are unable to connect within the time allocated. Remediation: Set inbound_connect_timeout_listener=2 Audit: grep -i inbound_connect_timeout \ listener.ora \ \ 2 S 4.20 sqlnet.ora tcp.validnode_checking= YES Rationale: This parameter enables the listener to check incoming connections for matches in the invited and excluded nodes list. Remediation: Set tcp.validnode_checking=YES in $ORACLE_HOME/network/admin/sqlnet.ora. Note: The default value is No Audit: grep -i tcp.validnode_checking sqlnet.ora \ \ 2 S 41 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 4.21 sqlnet.ora Set tcp.invited_nodes to valid values Rationale: This creates a list of trusted nodes that can connect to the listener. The excluded_nodes value is ignored if this is set and a default deny policy is created only allowing the listed trusted nodes to connect to the listener. Remediation: Use IP addresses of authorized hosts to set this parameter in the sqlnet.ora file. Set tcp.invited_nodes to valid values tcp.invited_nodes =(10.1.1.1, 10.1.1.2) Audit: grep -i tcp.invited_nodes sqlnet.ora Note: This is not set by default. \ \ 2 S 4.22 sqlnet.ora Set tcp.excluded_nodes to valid values Rationale: Excluded nodes will prevent malicious or untrusted hosts from connecting to the listener. Remediation: Use IP addresses of unauthorized hosts to set this parameter in the sqlnet.ora file. Note: If the tcp.invited_nodes is set, the tcp.excluded_nodes values are ignored and only hosts specified in the invited_nodes will be allowed to connect to the listener. Set tcp.excluded_nodes to valid values Audit: grep -i tcp.excluded_nodes sqlnet.ora \ \ 2 S 42 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 4.23 sqlnet.ora sqlnet.inbound_ connect_timeout=3 Rationale: Allowing inbound connections to hold open half connections consumes database resource and can lead to denial of service. Suggestion is to set to a low initial value and adjust upward if normal clients are unable to connect within the time allocated. Remediation: Set sqlnet.inbound_connect_timeout=3 Audit: grep -i inbound_connect_timeout \ sqlnet.ora \ \ 2 S 4.24 sqlnet.ora sqlnet.expire_time= 10 Rationale: If this is not set in the sqlnet.ora file, the default is never to expire. Allowing a connection to idle indefinitely will consume system resources leading to a denial of service. It is recommended to set this to a low value initially, then increase if clients experience timeout issues. Remediation: Set sqlnet.expire_time= 10 Audit: grep -i expire_time sqlnet.ora \ \ 2 S 43 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 4.25 Accounts Lock account access for application schema owners Rationale: Lock the account for the application schema owner. Users must not connect to the database as the application owner. Remediation: ALTER USER <USERNAME> ACCOUNT LOCK PASSWORD EXPIRE Audit: SELECT USERNAME, ACCOUNT_STATUS FROM DBA_USERS; \ \ 2 S 44 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 4.26 init.ora remote_login_passwordfil e=none Rationale: Prevents remote privileged connections to the database. This suggests that remote administration should be performed by remotely logging into the database server via a secured connection. Alternately, an administrative listener could be created, the remote_login_passwordfile set to exclusive, and logging of the administrative listener implemented. Remediation: For Windows: Set remote_login_passwordfile setting to none. Implement remote management to a Windows based host viaTerminal Server and IPSec. For Unix: Set remote_login_passwordfile setting to none. Implement SSH or other secure shell method to remotely administer the Oracle server. Remote Administration of Oracle via Administrative Listener: Admin Listener = Required remote_login_passwordfile setting = exclusive Require logging be enabled for the Admin and Client Listeners if remote access is provided. Audit: grep -i remote_login_passwordfile \ init.ora \ \ 2 S 45 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 4.27 sqlnet.ora SQLNET.ALLOWED_LOGON_VER SION=11 Rationale: Set the login version to the 11. The higher setting prevents logins by older version clients that do not use strong authentication to pass the login credentials. The default setting is 10,9,8. Remediation: SQLNET.ALLOWED_LOGON_VERSION=11 Audit: grep -i ALLOWED_LOGIN_VERSION sqlnet.ora \ \ 2 S 4.28 listener.ora Use absolute paths in ENVS parameters. Rationale: Allowing overly broad PATH and CLASSPATH variables could allow an attacker to leverage pathing issues and load malicious binaries or classes. Remediation: Remove broad path or classpath variables and ensure only absolute paths are used. Note: The ENVS SID_DESC parameter is not supported on Windows however the environment variables can be defined for the listener. Audit: grep -i ENVS listener.ora . \ \ 2 N 4.29 cman.ora REMOTE_ADMIN=NO Rationale: Ensure remote administration is not left enabled. Default is NO. Remediation: Set REMOTE_ADMIN = NO. Audit: grep -i REMOTE_ADMIN cman.ora \ \ 2 S 46 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 4.30 listener.ora, tnsnames.ora Disable external procedures Rationale: Remove entries for external procedures from listener.ora or tnsnames.ora file. External procedures can call shared libraries on the host system from the $ORACLE_HOME/lib or $ORACLE_HOME/bin directories. This creates a dangerous condition. If not required disable their usage. Remediation: Remove external shared libraries from $ORACLE_HOME/lib Audit: None \ \ 2 N 4.31 init.ora SEC_RETURN_SERVER_RELEAS E_BANNER = false Rationale: Ensure the oracle database is not returning complete database information to clients. Knowing the exact patch set can aid an attacker. Remediation: SEC_RETURN_SERVER_RELEASE_BANNER = false Audit: grep -i \ SEC_RETURN_SERVER_RELEASE_BANNER init.ora \ \ 2 S 47 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 4.32 init.ora DB_SECUREFILE=ALWAYS Rationale: Ensure that all LOB files created by Oracle are created as SecureFiles. Remediation: DB_SECUREFILE=ALWAYS Audit: grep -i DB_SECUREFILE init.ora \ \ 2 N 4.33 init.ora SEC_CASE_SENSITIVE_LOGON =TRUE Rationale: Set Oracle database password to be case sensitive. This increases the complexity of passwords and helps defend against brute force password attacks. Remediation: SEC_CASE_SENSITIVE_LOGON=TRUE Audit: grep -i SEC_CASE_SENSITIVE_LOGO init.ora \ \ 1 S 48 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 4.34 init.ora SEC_MAX_FAILED_LOGIN_ATT EMPTS=3 Rationale: Set the maximum number of failed login attempts to be 3 or in sync with established password policies. This will reduce the effectiveness of a password brute force attack. Note: Setting SEC_MAX_FAILED_LOGIN_ATTEMPTS to a value other than UNLIMITED may increase an attacker's ability to intentionally lockout sensitive accounts, such as those used by middle-tier applications. Given this, implementer's should consider connectivity restrictions to the Oracle instance backing the application and the determinism of usernames used by such applications. Remediation: SEC_MAX_FAILED_LOGIN_ATTEMPTS=3 Audit: grep -i SEC_MAX_FAILED_LOGIN_ATTEMPTS \ init.ora \ \ 1 S 4.35 init.ora SEC_PROTOCOL_ERROR_FURTH ER_ACTION=DELAY <seconds>or DROP<seconds> Rationale: When bad packets are received from a client the server will wait the specified number of seconds before allowing a connection from the same client. This help mitigate malicious connections or DOS conditions. Remediation: SEC_PROTOCOL_ERROR_FURTHER_ACTION=DELAY <seconds>or DROP<seconds> Audit: grep -i \ SEC_PROTOCOL_ERROR_FURTHER_ACTION \ init.ora \ \ 1 S 49 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 4.36 init.ora SEC_PROTOCOL_ERROR_TRACE _ACTION=LOG or ALERT Rationale: Specify the action a database should take when a bad packet is received. TRACE generates a detailed trace file and should only be used when debugging. ALERT or LOG should be used to capture the event. Use currently established procedures for checking console or log file data to monitor these events. Remediation: SEC_PROTOCOL_ERROR_TRACE_ACTION= {LOG|ALERT} Audit: grep -i \ SEC_PROTOCOL_ERROR_TRACE_ACTION init.ora \ \ 1 S 4.37 sqlnet.ora SEC_USER_AUDIT_ACTION_BA NNER=/path/to/warning.tx t Rationale: A banner should be set to warn a user about the possible audit actions that are taken when using the system. Set the complete path to the file that contains the warning. Remediation: SEC_USER_AUDIT_ACTION_BANNER=/path/to/war ning.txt Audit: grep -i \ SEC_USER_AUDIT_ACTION_BANNER sqlnet.ora \ \ 1 N 50 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 4.38 sqlnet.ora SEC_USER_UNAUTHORIZED_AC CESS_BANNER=/path/to/war ning.txt Rationale: A banner should be set to warn a user about unauthorized access to the database that is in line with current policy or language. Set the complete path to the file that contains the warning. OCI and other custom applications must make use of this parameter before it is displayed to the user. Remediation: SEC_USER_UNAUTHORIZED_ACCESS_BANNER=/path /to/warning.txt Audit: grep -i \ SEC_USER_UNAUTHORIZED_ACCESS_BANNER \ sqlnet.ora \ \ 1 N 4.39 listener.ora SECURE_CONTROL_listener_ name=(TCPS,IPC) Rationale: If remote administration of the listener is required configure the listener for secure control. If no values are entered for this parameter, the listener will accept registration request from any transport. If only IPC or TCPS is required then set the value to TCPS or IPC. Remediation: SECURE_CONTROL_listener_name=(TCPS,IPC) Audit: grep -i SECURE_CONTROL listener.ora \ \ 2 S 51 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 4.40 listener.ora SECURE_PROTOCOL_listener _name=(TCP,IPC) Rationale: Ensure that any administration requests are accepted only over secure transport. If only IPC or TCP is required then set the value to TCPS or IPC. Remediation: SECURE_PROTOCOL_listener_name=(TCPS,IPC) Audit: grep -i SECURE_PROTOCOL listener.ora \ \ 1 S 4.41 listener.ora SECURE_REGISTER_listener _name=(TCP,IPC) Rationale: Ensure that any registration requests are accepted over secure transport. If only IPC or TCP is required then set the value to TCPS or IPC. Remediation: SECURE_REGISTER_listener_name=(TCPS,IPC) Audit: grep -i SECURE_REGISTER listener.ora \ \ 2 S 4.42 listener.ora DYNAMIC_REGISTRATION_lis tener_name=OFF Rationale: If DYNAMIC_REGISTRATION is turned on all registration connections are accepted by the listener. It is recommended that only static registrations be used by the listener. Turning off dynamic registration may not be possible in larger or more dynamic environments. Ensure proper testing is done before turning off dynamic registration in production. Remediation: DYNAMIC_REGISTRATION_listener_name=OFF Audit: grep -i DYNAMIC_REGISTRATION listener.ora \ \ 2 S 52 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 4.43 listener.ora EXTPROC_DLLS=ONLY Rationale: Where use of external procedures is required, specify the EXTPROC_DLLS=ONLY in the parameter to limit calls to the specific DLLS. This prevents external DLLs and libraries from being loaded by the Oracle database. An attacker that can load an external library into the Oracle running instance can take control or compromise system security. If external DLLs must be used specify the ONLY parameter and an absolute path for each required DLL. Remediation: EXTPROC_DLLS=ONLY Audit: grep -i EXTPROCS_DLLS listener.ora \ \ 1 S 53 | P a g e 5. Encryption Specific Settings Note: OAS is installed by default even if it is not licensed. Therefore, it must be configured even if it is not used. Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 5.01 OAS - General Review requirement for integrity and confidentiality requirements. Rationale: Only implement OAS if a local integrity/encryption policy does not already exist, e.g., IPSec or other means for providing integrity/confidentiality services. Remediation: Review requirement for integrity and confidentiality requirements. Audit: None \ \ 2 N 5.02 OAS ÷ Encryption Type SQLNET.ENCRYPTION_SERVER =REQUIRED Rationale: This ensures that regardless of the settings on the user, if communication takes place it must be encrypted. Default is accepted. Remediation: SQLNET.ENCRYPTION_SERVER=REQUIRED Audit: grep -i ENCRYPTION_SERVER sqlnet.ora \ \ 2 S 54 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 5.03 OAS ÷ Encryption Type SQLNET.ENCRYPTION_CLIENT =(ACCEPTED|REQUESTED|REQ UIRED) Rationale: Communication is only possible on the basis of an agreement between the client and the server regarding the connection encryption. To ensure encrypted communication, set the value to REQUIRED. With the server set to REQUIRED the client must match the encryption for valid communication to take place. Default is accepted. Note: Failure to specify one of the values will result in an error when an attempt is made to connect to a FIPS 140-1 compliant server. Remediation: SQLNET.ENCRYPTION_CLIENT=REQUIRED Audit: grep -i ENCRYPTION_CLIENT sqlnet.ora \ \ 2 S 5.04 OAS ÷ FIPS Compliance SSLFIPS_140 =TRUE Rationale: For FIPS 140-2 compliance, the FIPS value must be set to TRUE. The default value for this setting is FALSE. NOTE: This value is not settable using the Oracle Net Manager. To set this value you must use a text editor and modify the sqlnet.ora file. Remediation: SSLFIPS_140 =TRUE Audit: grep -i SSL_FIPS fips.ora \ \ 2 S 55 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 5.05 OAS ÷ Integrity Protection Integrity check for communication between the server and the client must be established. °SQLNET.CRYPTO_CHECKSUM_ SERVER=REQUIRED¨ °SQLNET.CRYPTO_CHECKSUM_ CLIENT=REQUIRED¨ Rationale: The integrity check for communication can prevent data modifications. Two check sum algorithms are available; SHA-1 and MD5. Default is accepted. Remediation: Set SQLNET.CRYPTO_CHECKSUM_SERVER=REQUIRED SQLNET.CRYPTO_CHECKSUM_CLIENT=REQUIRED Audit: grep -i CRYPTO_CHECKSUM_SERVER sqlnet.ora grep -i CRYPTO_CHECKSUM_CLIENT sqlnet.ora \ \ 2 S 5.06 OAS ÷ Integrity Protection Set SQLNET.CRYPTO_CHECKSUM_T YPES_SERVER=(SHA1) Rationale: If possible, use SHA1 instead of MD5. MD5 has documented weaknesses and is prone to collisions. Usage of SHA-1 is recommended. Default is all. Remediation: Set SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER=(SHA1 ) Audit: grep -i CHECKSUM_TYPES_SERVER sqlnet.ora \ \ 2 S 56 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 5.07 OAS ÷ Oracle Wallet Owner Permissions Set configuration method for Oracle Wallet. Ensure only the appropriate Oracle user account has access to the wallet. Rationale: The Oracle service account must have access to the wallet. Remediation: None Audit: None \ \ 2 N 5.08 OAS ÷ Oracle Wallet Trusted Certificates Remove certificate authorities (CAs) that are not required. Rationale: Trust only those CAs that are required by clients and servers. Remediation: Remove certificate authorities (CAs) that are not required. Audit: orapki wallet display -wallet \ wallet_location \ \ 2 S 5.09 OAS ÷ Oracle Wallet Trusted Certificates Import When adding CAs, verify fingerprint of CA certificates. Rationale: When adding CA certificates via out-of-band methods, use fingerprints to verify the certificate. Failure to verify fingerprints can lead to compromise of the certificate chain. Remediation: When adding CAs, verify fingerprint of CA certificates. Audit: None \ \ 2 N 57 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 5.10 OAS ÷ Certificate Request Key Size Request the maximum key size available. Rationale: Select the largest key size available that is compatible with the network environment. 2048 or 4096 are recommended sizes. Remediation: orapki wallet add -wallet \ wallet_location -dn user_dn -keySize 2048 Audit: orapki wallet display -wallet \ wallet_location \ \ 2 S 5.11 OAS ÷ Server Oracle Wallet Auto Login Allow Auto Login for the server's Oracle Wallet Rationale: For Windows Oracle database servers, SSL will not work unless Auto Login is set. Remediation: To enable auto login from the Oracle Wallet Manager. Choose Wallet from the menu bar. Check Auto Login. A message at the bottom of the window indicates that auto login is enabled. Audit: Choose Wallet from the menu bar. Check Auto Login. \ \ 2 S 5.12 OAS ÷ SSL Tab SSL is preferred method. If PKI is not possible, use OAS Integrity/Encryption. Rationale: OAS Integrity/Encryption should only be used if required because of non-SSL clients. Remediation: Use OAS Integrity/Encryption only if SSL is unavailable. Audit: None \ \ 2 N 58 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 5.13 OAS ÷ SSL Version Set SSL version. SSL_VERSION = 3.0 Rationale: Usage of the most current version of SSL is recommended older versions of the SSL protocol are prone to attack or roll back. Do not set this parameter with "Any¨. Remediation: SSL_VERSION = 3.0 Audit: grep -i SSL_VERSION sqlnet.ora \ \ 2 S 5.14 OAS ÷ SSL Cipher Suite Set SSL Cipher Suite. SSL_CIPHER_SUITES = SSL_RSA_WITH_3DES_EDE_CB C_SHA) Rationale: SSL_CIPHER_SUITES are automatically set to FIPS140-2 approved suites by Oracle 11g. The following is for reference. Remediation: SSL_CIPHER_SUITES =( SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_WITH_DES_CBC_SHA, SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA) Audit: grep -i SSL_CIPHER_SUITES sqlnet.ora \ \ 2 S 59 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 5.15 OAS ÷ SSL Client DN Match Set tnsnames file to include SSL_SERVER_CERT_DN parameter with the distinguished name (DN) of the certificate. Rationale: This will reduce the possibility of certificate masquerading which can lead to man in the middle attacks and compromise the security provided by the SSL protocol. Remediation: SSL_SERVER_CERT_DN= \ "cn=dept,cn=OracleContext,dc=us,dc=acme,\ dc=com" Audit: grep -i SSL_SERVER_CERT_DN tnsnames.ora \ \ 2 S 5.16 OAS ÷ SSL Client Authentication SSL_CLIENT_ AUTHENTICATION=TRUE Rationale: It is preferable to have mutually authenticated SSL connections verifying the identity of both parties. If possible use client and server certificates for SSL connections. If client certificates are not supported in the enterprise, then set to FALSE. Remediation: SSL_CLIENT_AUTHENTICATION=true Audit: grep -i SSL_CLIENT_AUTHENTICATION \ sqlnet.ora \ \ 2 S 5.17 OAS ÷ Encryption Tab Use OAS encryption only if SSL is not feasible. Rationale: OAS Integrity/Encryption should only be used if required because of non-SSL clients. Remediation: None Audit: None \ \ 2 N 60 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 5.18 Encryption Where possible, use a procedure that employs a content data element as the encryption key that is unique for each record. Rationale: By employing a procedure that uses data elements that change for each record the resulting ciphertext will be unique. As an example if the same value, key, and encryption are used for a value in a record the resulting ciphertext will be identical. Someone knowing the value of one of the records independent of the ciphertext can by inference know the value of other records that display the same ciphertext. Remediation: None Audit: None \ \ 2 N 5.19 Encryption Use RAW or BLOB for the storage of encrypted data. Rationale: Storing data in CLOB may result in a failure in decryption if the same number letter symbol set is not used. The use of RAW or BLOBs prevents this error and preserves the data. Remediation: None Audit: None \ \ 2 N 61 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 5.20 Encryption If keys are stored in a table with the database, access to the keys should be limited and under the protection of a secure role with fine grain auditing in place for the table. The column name should be obscure and should not reveal the role of the column. Rows should be protected with both VPD and OLS (OLS included VPD) and the keys themselves should be encrypted with a master key. If the keys are managed by an application or generated as computed keys the procedures should be wrapped. All package bodies, procedures, and functions should be wrapped. Rationale: Assign multiple layers of protection, within the limits of what can be managed, to ensure the security of the encryption keys. The combination of methods will be dependent on how and where the keys are stored. Remediation: Use multiple layers of protection when storing keys with the data in a separate database. Employ wrapping to protect all code used to protect, generate keys for, or encrypt keys. If security dictates, hardware devices can be used for encryption key storage. Keys, at minimum, should follow password selection standards in areas of minimum length, use of special characters and non-dictionary words. Audit: None \ \ 2 N 62 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 5.21 Encryption Revoke the PUBLIC execute privileges from the DBMS_OBFUSCATION_TOOLKIT . Rationale: The DBMS_OBFUSCATION_TOOLKIT has been replaced with the DBMS_CRYPTO package, but the DBMS_OBFUSCATION_TOOLKIT is still needed for some tasks that are not available in the DBMS_CRYPTO package. As an example; the generation of a pseudorandom string requires the DBMS_OBFUSCATION_TOOLKIT. By removing public access to the DBMS_OBFUSCATION_TOOLKIT the means to decrypt the data is not available for malicious use. Remediation: REVOKE EXECUTE ON DBMS_OBFUSCATION_TOOLKIT TO PUBLIC; Audit: SELECT TABLE_NAME FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_OBFUSCATION_TOOLKIT'; \ \ 2 S 5.22 Encryption Use HSM for storage of master key. Rationale: Where possible use an HSM to store the master keys for Transparent Data Encryption. All encryption and decryption operations that use the master encryption key are performed inside the HSM. This means that the master encryption key is never exposed in insecure memory. Remediation: None Audit: None \ \ 2 N 63 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 5.23 Encryption Tablespace Encryption Rationale: When a table contains a large number of columns of PII it can be beneficial to encrypt an entire tablespace rather than columns. Remediation: Use tablespace encryption . Audit: None \ \ 2 N 5.24 Radiuskey Verify and set permissions on radius.key file Rationale: File permissions must be restricted to the owner of the Oracle software and dba group. Ensure proper permissions are set on $ORACLE_HOME/network/security/radius.key Remediation: chmod 440 \ $ORACLE_HOME/network/security/radius.key Audit: ls -al \ $ORACLE_HOME/network/security/radius.key \ \ 1 S 5.25 sqlnet.ora SSL_CERT_REVOCATION=requ ired Rationale: Ensure revocation is required for checking CRLs for client certificate authentication. Revoked certificates can pose a threat to the integrity of the SSL channel and should not be trusted. Remediation: SSL_CERT_REVOCATION=required Audit: grep -i SSL_CERT_REVOCATION sqlnet.ora \ \ 2 S 64 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 5.26 sqlnet.ora SSL_SERVER_DN_MATCH=yes Rationale: Ensure the DN string of the certificate matches the expected value. Remediation: SSL_SERVER_DN_MATCH=yes Audit: grep -i SSL_SERVER_DN_MATCH sqlnet.ora \ \ 2 S 65 | P a g e 6. Startup and Shutdown Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 6.01 Advanced queuing in asynchronous messaging Empty queue at shut down of Oracle. Rationale: Information in queue may be accessed outside of Oracle and beyond the control of the security parameters. It should be subject to the same security precautions as other tables. Remediation: Empty queues at the shutdown of the Oracle instances. DBMS_AQADM.PURGE_QUEUE_TABLE( queue_table => 'name.obj_qtab', purge_condition => NULL, purge_options => po); DBMS_AQADM.PURGE_QUEUE_TABLE( queue_table => 'bane.obj_qtab', purge_condition => 'qtview.queue = ''NAME.OBJ_QUEUE''', purge_options => po); Audit: None \ \ 1 N 6.02 Cache Cache must be emptied at shut down of Oracle. Rationale: Information in caches may be accessed outside of Oracle and beyond the controls of the security parameters. Remediation: ALTER SYSTEM FLUSH BUFFER_CACHE; Audit: None \ \ 1 N 66 | P a g e 7. Backup and Disaster Recovery Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 7.01 Redo logs Mirror Rationale: Redundancy for the redo logs can prevent catastrophic loss in the event of a disk or system failure. Remediation: Mirror on-line redo logs and ensure that more than one group exists. Audit: None \ \ 1 N 7.02 Control files Multiplex control files to multiple physical disks. Rationale: Redundancy for the control files can prevent catastrophic loss in the event of a single physical drive failure Remediation: Store control files on a RAID or other redundant disk system. Audit: None . \ \ 1 N 67 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 7.03 Control files Mirror Rationale: Mirror the Oracle control files. In the event that the control files become corrupted or a system failure mirroring will help ensure recovery is possible. Remediation: Mirror control files to multiple separate physical partitions. Audit: None \ \ 1 N 7.04 Archive logs Ensure there is sufficient space for the archive logging process. Rationale: Without adequate space for the archive logs the system will hang resulting in a denial of service. Remediation: Allocate more disk space to redo log partitions. Audit: None \ \ 1 N 7.05 Redo logs Multiplex redo logs to multiple physical disks. Rationale: Redundancy for the redo logs can prevent catastrophic loss in the event of a single physical drive failure. Remediation: None Audit: None \ \ 1 N 68 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 7.06 Archive log files Backup Rationale: Archived logs contain sensitive information and must be properly handled. Remediation: If archive log mode is used the archive log files must be saved on tape or to a separate disk. File permissions must be restricted to the owner of the Oracle software and the dba group. The archive logs must be secured. Audit: None \ \ 1 N 7.07 Backup Automated backups should be verified. Rationale: Backups should be verified by performing recoveries to ensure newer automated backups function properly. Failure to ensure this could cause inability to recover data, leading to data loss. Remediation: Backups should be verified by performing recoveries to ensure newer automated backups function properly. Failure to ensure this could cause inability to recover data, leading to data loss. The improved RMAN (Recovery Manager) capabilities (i.e., incremental backup process) can be used to facilitate backups and recovery. Audit: None \ \ 1 N 69 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 7.08 Failsafe Failsafe must be engaged. Rationale: Failsafe uses the cluster server interface to provide the failover protection previously provided by hardware interfaces. Remediation: Engage failsafe. Audit: None \ 2 N 70 | P a g e 8. Oracle Profile (User) Setup Settings Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 8.01 Database Profiles failed_login_attempts=3 Rationale: Restricting the number of login attempts will help deter brute force attacks against profiles. Remediation: Application accounts must be set for failed_login_attempts=3 Local policy may override the recommended setting. This setting may not be applicable for middle tier application accounts that access the database. Create a profile then assign it to a user account. Default profile has this setting at 10. ALTER PROFILE profile_name LIMIT FAILED_LOGIN_ATTEMPTS 3 PASSWORD_LOCK_TIME 1; Note: It is recommended to create three separate profiles: Application accounts, system accounts, and user accounts instead of using the default for all. Audit: SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE RESOURCE_NAME='FAILED_LOGIN_ATTEMPTS' \ \ 1 S 71 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 8.02 Database Profiles password_life_time= 90 Rationale: Restricting the password lifetime will help deter brute force attacks against user accounts and refresh passwords. Local policy may not override the setting. This setting may not be applicable for middle tier application accounts that access the database. Create a profile then assign it to a user account. Default profile has a setting of 180 Remediation: ALTER PROFILE profile_name LIMIT password_life_time 90; Audit: SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE RESOURCE_NAME='PASSWORD_LIFE_TIME' \ \ 1 S 72 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 8.03 Database Profiles password_reuse_max=20 Rationale: password_reuse_max sets the number of different passwords that must be rotated by the user before the current password can be reused. This prevents users from cycling through a few common passwords and helps ensure the integrity and strength of user credentials. Local policy may override the recommended setting. This setting may not be applicable for middle tier application accounts that access the database. Create a profile then assign it to a user account. Default profile has a setting of UNLIMITED. Remediation: ALTER PROFILE profile_name LIMIT password_reuse_max 20; Audit: SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE RESOURCE_NAME='PASSWORD_REUSE_MAX' \ \ 1 S 73 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 8.04 Database Profiles password_reuse_time= 365 Rationale: password_reuse_time sets the amount of time that must pass before a password can be reused. Creating a long window before password reuse helps protect from password brute force attacks and helps the strength and integrity of the user credential. Local policy may not override the setting. Create a profile then assign it to a user account. Default profile has this setting as UNLIMITED Remediation: ALTER PROFILE profile_name LIMIT password_reuse_time 365; Audit: SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE RESOURCE_NAME='PASSWORD_REUSE_TIME' \ \ 1 S 8.05 Database Profiles password_lock_time=1 Rationale: password_lock_time specifies the amount of time in days that the account will be locked out if the maximum number of authentication attempts has been reached. Local policy may not override the setting. This setting may not be applicable for middle tier application accounts that access the database. Remediation: ALTER PROFILE profile_name LIMIT password_lock_time 1; Audit: SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE RESOURCE_NAME='PASSWORD_LOCK_TIME' \ \ 1 S 74 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 8.06 Database Profiles password_grace_time=3 Rationale: password_grace_time specified in days the amount of time that the user is warned to change their password before their password expires. Local policy may not override the setting. This setting may not be applicable for middle tier application accounts that access the database. Remediation: ALTER PROFILE profile_name LIMIT password_grace_time 3; Audit: SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE RESOURCE_NAME='PASSWORD_GRACE_TIME' \ \ 1 S 8.07 Database Profiles Review accounts where PASSWORD= 'EXTERNAL' Rationale: Check and review any user who has password='EXTERNAL'. Do not allow remote OS authentication to the database. Remediation: ALTER USER <username> IDENTIFIED BY <new_password>; Audit: SELECT USERNAME FROM DBA_USERS WHERE PASSWORD='EXTERNAL'; \ \ 2 N 75 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 8.08 Database Profiles Set password_verify_function to a verification function Rationale: Allow password_verification_function to be called when passwords are changed. This always works for password changes via the "password¨ command at an SQL prompt. Remediation: Oracle provides utlpwdmg.sql which can be used to create a password verification function. If using this script to create a password verification function, make the following changes at the bottom of the utlpwdmg.sql file: PASSWORD_GRACE_TIME 3 PASSWORD_REUSE_TIME 365 PASSWORD_REUSE_MAX 20 FAILED_LOGIN_ATTEMPTS 3 PASSWORD_LOCK_TIME 1 Modify the line: IF length(password) < 4 by changing the minimum password length to 8. Do not use the verify_function_11G as it sets password settings to the defaults listed above. Audit: SELECT PROFILE, RESOURCE_NAME FROM DBA_PROFILES WHERE RESOURCE_NAME='PASSWORD_VERIFY_FUNCTION'; \ \ 2 S 76 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 8.09 Database Profiles Set CPU_PER_SESSION as appropriate Rationale: Allowing a single application or user to consume excessive CPU resources will result in a denial of service to the Oracle database. Ensure that users profile settings have appropriate values set for the particular database and application. Remediation: ALTER PROFILE profile_name LIMIT CPU_PER_SESSION <value>; Audit: SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE RESOURCE_NAME='CPU_PER_SESSION'; \ \ 2 S 8.10 Database Profiles Set PRIVATE_SGA as appropriate Rationale: Allowing a single application or user to consume the excessive amounts of the System Global Area will result in a denial of service to the Oracle database. Ensure that users profile settings have appropriate values set for the particular database and application. Remediation: ALTER PROFILE profile_name LIMIT PRIVATE_SGA <value>; Audit: SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE RESOURCE_NAME=' PRIVATE_SGA'; \ \ 2 S 77 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 8.11 Database Profiles Set LOGICAL_READS_ PER_SESSION as appropriate Rationale: Allowing a single application or user to perform excessive amounts of reads to disk will result in a denial of service to the Oracle database. Ensure that users profile settings have appropriate values set for the particular database and application. Remediation: ALTER PROFILE profile_name LIMIT LOGICAL_READS_ PER_SESSION <value>; Audit: SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE RESOURCE_NAME=' LOGICAL_READS_PER_SESSION'; \ \ 2 S 8.12 Database Profiles Set SESSIONS_PER_USER as appropriate Rationale: Allowing an unlimited amount of sessions per user can consume Oracle resources and cause a denial of service. Limit the number of session for each individual user. Ensure that users profile settings have appropriate values set for the particular database and application. Remediation: ALTER PROFILE profile_name LIMIT SESSIONS_PER_USER <value>; Audit: SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE RESOURCE_NAME=' SESSIONS_PER_USER'; \ \ 2 S 78 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 8.13 Database Profiles Set CONNECT_TIME as appropriate Rationale: Sessions held open for excessive periods of time can consume system resources and cause a denial of service for other users of the Oracle database. The CONNECT_TIME parameter limits the upper bound on how long a session can be held open. This parameter is specified in minutes. Sessions that have exceeded their connect time are aborted and rolled back. Note: Oracle does not do strict monitoring of connect times and sessions can exceed this time limit by up to a few minutes. Ensure that users profile settings have appropriate values set for the particular database and application. Remediation: ALTER PROFILE profile_name LIMIT CONNECT_TIME <value>; Audit: SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE RESOURCE_NAME=' CONNECT_TIME'; \ \ 2 N 79 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 8.14 Database Profiles Set IDLE_TIME as appropriate Rationale: Idle sessions held open for excessive periods of time can consume system resources and cause a denial of service for other users of the Oracle database. Limit the maximum number of minutes a session can idle. Ensure that users profile settings have appropriate values set for the particular database and application. Remediation: ALTER PROFILE profile_name LIMIT IDLE_TIME <value>; Audit: SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE RESOURCE_NAME=' IDLE_TIME'; \ \ 2 N 80 | P a g e 9. Oracle Profile (User) Access Settings Note: Security recommendations for Tablespaces, Tables, Views, Roles, Synonyms, Privileges, Roles and Packages need to be followed for all new users that might be created. By default SYS and DBA have most of these accesses and privileges, and should be the only users granted permissions. Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 9.01 Tablespaces Do not have default_tablespace set to SYSTEM for user accounts Rationale: Only SYS should have a default tablespace of SYSTEM. This prevents administrative users from altering system objects. Note it may be difficult or impossible to move some objects. Remediation: ALTER USER DEFAULT_TABLESPACE table; Audit: SELECT USERNAME, DEFAULT_TABLESPACE FROM DBA_USERS; \ \ 2 S 9.02 Tablespaces Ensure application users have not been granted quotas on tablespaces. Rationale: Set quotas for developers on shared production/development systems to prevent space resource contentions. Application users should be granted quotas on a case by case basis to avoid application failure. Remediation: ALTER USER <USER_NAME> QUOTA <VALUE> ON <TABLESPACE_NAME>; Audit: SELECT <USERNAME> FROM DBA_TS_QUOTAS WHERE USERNAME='USER' AND TABLESPACE_NAME='TABLESPACE_NAME'; \ \ 1 S 81 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 9.03 Any dictionary object Review access and revoke access where possible Rationale: Check for any user that has access to any dictionary object and revoke where possible. This reduces the overall privileges of the user base and reduces the attack surface of the Oracle database. Remediation: Review access rights and revoke privileges where possible. Audit: None \ \ 1 N 9.04 Tables Prevent access to SYS.AUD$ Rationale: Check for any user accounts that have access and revoke where possible. This is only applicable if the audit trail parameter is set to db or db_extended. Allowing users to alter the AUD$ table can compromise the audit trail or integrity of the Oracle database. Remediation: REVOKE ALL ON SYS.AUD$ FROM <USER>; Audit: SELECT GRANTEE, PRIVILEGE FROM DBA_TAB_PRIVS WHERE TABLE_NAME='AUD$' \ \ 2 S 82 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 9.05 Tables Prevent access to SYS.USER_HISTORY$ Rationale: Revoke access to this table from all users and roles except for SYS and DBA accounts. Allowing users to alter the USER_HISTORY$ table can compromise the audit trail or integrity of the Oracle database. Remediation: REVOKE ALL ON SYS.USER_HISTROY$ FROM <USER>; Audit: SELECT GRANTEE, PRIVILEGE FROM DBA_TAB_PRIVS WHERE TABLE_NAME='USER_HISTORY$'; \ \ 1 S 9.06 Tables Prevent access to SYS.LINK$ Rationale: Sensitive user and password data is stored in the LINK$ table. Non administrative or system users should be prevented from accessing this table. Check for any user that has access and revoke where possible. Remediation: REVOKE ALL ON SYS.LINK$ FROM <USER>; Audit: SELECT GRANTEE, PRIVILEGE FROM DBA_TAB_PRIVS WHERE TABLE_NAME='LINK$'; \ \ 1 S 83 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 9.07 Tables Prevent access to SYS.USER$ Rationale: Sensitive user and password data is stored in the USER$ table. Only administrative or system users should have rights to access this table. Check for any user that has access and revoke where possible. Remediation: REVOKE ALL ON SYS.USER$ FROM <USER>; Audit: SELECT GRANTEE, PRIVILEGE FROM DBA_TAB_PRIVS WHERE TABLE_NAME='USER$'; \ \ 1 S 9.08 Tables Prevent access to SYS.SOURCE$ Rationale: Allowing users to alter codes in the SOURCE$ table can compromise the security and integrity of the Oracle database. Check for any user accounts that have access and revoke where possible. Remediation: REVOKE ALL ON SYS.SOURCE$ FROM <USER> ; Audit: SELECT GRANTEE, PRIVILEGE FROM DBA_TAB_PRIVS WERE TABLE_NAME='SOURCE$'; \ \ 1 S 84 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 9.09 Tables Prevent access to PERFSTAT.STATS$SQLTEXT Rationale: Check for any user that has access and revoke where possible. SQLTEXT stores the full text of SQL statements that have been executed and can contain sensitive information. Remediation: REVOKE ALL ON PERFSTAT.STATS$SQLTEXT; Audit: SELECT GRANTEE, PRIVILEGE, TABLE_NAME FROM DBA_TAB_PRIVS WHERE TABLE_NAME=' STATS$SQLTEXT'; \ \ 1 S 9.10 Tables Prevent access to PERFSTAT.STATS$SQL_SUMMA RY Rationale: Check for any user that has access and revoke where possible. SQL_SUMMARY contains the first few lines of the executed SQL statements and can contain sensitive information. Remediation: REVOKE ALL ON PERFSTAT.STATS$SQLSUM; Audit: SELECT GRANTEE, PRIVILEGE, TABLE_NAME FROM DBA_TAB_PRIVS WHERE TABLE_NAME='STATS$SQLSUM'; \ \ 1 S 85 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 9.11 Tables Prevent access to any X$ table Rationale: X$ tables are kernel tables used by Oracle internals and should not be accessed by users. Check for any user that has access and revoke where possible. Remediation: REVOKE ALL ON X$<TABLENAME> FROM <USER>; Audit: SELECT GRANTEE, PRIVILEGE, TABLE_NAME FROM DBA_TAB_PRIVS WHERE TABLE_NAME LIKE(`X$%'); \ \ 1 S 9.12 Views Prevent access to any DBA_ views Rationale: DBA views return information about all objects and should only be accessible by administrators. Check for any user that has access and revoke where possible. Remediation: REVOKE ALL ON DBA_<TABLENAME> FROM <USER>; Audit: SELECT GRANTEE, PRIVILEGE, TABLE_NAME FROM DBA_TAB_PRIVS WHERE TABLE_NAME LIKE(`DBA_$%'); \ \ 1 S 86 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 9.13 Views Prevent access to any V$ views Rationale: V$ tables contain sensitive information about Oracle database and should only be accessible by system administrators. Check for any user that has access and revoke where possible. Remediation: REVOKE ALL ON TABLE_NAME FROM <USER>; Audit: SELECT GRANTEE, PRIVILEGE, TABLE_NAME FROM DBA_TAB_PRIVS WHERE TABLE_NAME LIKE(`V$%'); \ \ 1 S 9.14 Views Prevent access to ALL_SOURCE Rationale: ALL_SOURCE contains the text source for all of the user's objects. Check for any user that has access and revoke where possible. Remediation: REVOKE ALL ON ALL_ SOURCE FROM <USER>; Audit: SELECT GRANTEE, PRIVILEGE, TABLE_NAME FROM DBA_TAB_PRIVS WHERE TABLE_NAME='ALL_SOURCE'; \ \ 1 S 87 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 9.15 Views Prevent access to DBA_ROLES Rationale: Allowing the user to alter the DBA_ROLES can result in privilege escalation or system instability. Restrict access to this view to all users except SYS and DBAs. Remediation: REVOKE ALL ON DBA _ROLES FROM <USER>; Audit: SELECT GRANTEE, PRIVILEGE, TABLE_NAME FROM DBA_TAB_PRIVS WHERE TABLE_NAME=DBA_ROLES'; \ \ 1 S 9.16 Views Prevent access to DBA_SYS_PRIVS Rationale: Allowing a user to access the dba_sys_privs table will show the users' privileges for all users in the Oracle database. Restrict access to this view to all users except SYS and DBAs. Remediation: REVOKE ALL ON DBA_SYS_PRIVS FROM <USER>; Audit: SELECT GRANTEE, PRIVILEGE, TABLE_NAME FROM DBA_TAB_PRIVS WHERE TABLE_NAME=DBA_SYS_PRIVS'; \ \ 1 S 88 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 9.17 Views Prevent access to DBA_ROLE_PRIVS Rationale: Allowing a user to access the dba_role_privs view will show the role privileges for all roles in the Oracle database. Restrict access to this view to all users except SYS and DBAs. Remediation: REVOKE ALL ON DBA_ROLE_PRIVS FROM <USER>; Audit: SELECT GRANTEE, PRIVILEGE, TABLE_NAME FROM DBA_TAB_PRIVS WHERE TABLE_NAME=DBA_ROLE_PRIVS'; \ \ 1 S 9.18 Views Prevent access to DBA_TAB_PRIVS Rationale: Allowing a user to access the dba_tab_privs view will show the table privileges for all users in the Oracle database. Restrict access to this view to all users except SYS and DBAs. Remediation: REVOKE ALL ON DBA_TAB_PRIVS FROM <USER>; Audit: SELECT GRANTEE, PRIVILEGE, TABLE_NAME FROM DBA_TAB_PRIVS WHERE TABLE_NAME=DBA_ TAB _PRIVS'; \ \ 1 S 89 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 9.19 Views Prevent access to DBA_USERS Rationale: Allowing a user to access the dba_users view will show the role privileges for all users in the Oracle database. Restrict access to this view to all users except SYS and DBAs. Remediation: REVOKE ALL ON DBA_USERS FROM <USER>; Audit: SELECT GRANTEE, PRIVILEGE, TABLE_NAME FROM DBA_TAB_PRIVS WHERE TABLE_NAME=DBA_USERS'; \ \ 1 S 9.20 Views Prevent access to ROLE_ROLE_PRIVS Rationale: Allowing a user to access the dba_role_privs view will show the role grants for all roles in the Oracle database. Restrict access to this view to all users except SYS and DBAs. Remediation: REVOKE ALL ON ROLE_ROLE_PRIVS FROM <USER>; Audit: SELECT GRANTEE, PRIVILEGE, TABLE_NAME FROM DBA_TAB_PRIVS WHERE TABLE_NAME=' ROLE_ROLE_PRIVS; \ \ 1 S 90 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 9.21 Views Prevent access to USER_TAB_PRIVS Rationale: Allowing a user to access the user_tab_privs view will show the granted table privileges for all users in the Oracle database. Restrict access to this view to all users except SYS and DBAs. Remediation: REVOKE ALL ON USER_TAB_PRIVS FROM <USER>; Audit: SELECT GRANTEE, PRIVILEGE, TABLE_NAME FROM DBA_TAB_PRIVS WHERE TABLE_NAME='USER_TAB_PRIVS; \ \ 1 S 9.22 Views Prevent access to USER_ROLE_PRIVS Rationale: Allowing a user to access the user_role_privs view will show the granted role privileges for all users in the Oracle database. Restrict access to this view to all users except SYS and DBAs. Remediation: REVOKE ALL ON USER_ROLE_PRIVS TO <USER>; Audit: SELECT GRANTEE, PRIVILEGE, TABLE_NAME FROM DBA_TAB_PRIVS WHERE TABLE_NAME=' USER_ROLE_PRIVS; \ \ 1 S 91 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 9.23 Roles Prevent assignment of roles that have _CATALOG_ Rationale: Revoke any catalog roles from those roles and users that do not need them. These roles are SELECT_CATALOG_ROLE, EXECUTE_CATALOG_ROLE, DELETE_CATALOG_ROLE, and RECOVERY_CATALOG_OWNER. Remediation: REVOKE ALL ON <ROLE> FROM <USER>; Audit: SELECT GRANTEE, PRIVILEGE, TABLE_NAME FROM DBA_TAB_PRIVS WHERE TABLE_NAME LIKE(`%_CATALOG_%'); \ \ 1 S 9.24 Synonyms Prevent access to any V$ synonym Rationale: Check for any user that has access and revoke where possible. Remediation: Delete the synonym or revoke the privileges Audit: SELECT SYNONYM_NAME, TABLE_NAME FROM ALL_SYNONYMS WHERE TABLE_NAME LIKE(`V$%'); \ \ 1 S 9.25 Synonyms When dropping synonyms, ensure privileges granted to the synonyms, if not required, are removed from the base objects. Rationale: Granting privileges to synonyms actually grants privileges to the base objects. Remediation: If necessary, ensure that privileges from the base objects are removed when the synonyms are dropped. Audit: None \ \ 1 N 92 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 9.26 Privileges Restrict system privileges Rationale: All system privileges except for CREATE SESSION must be restricted to DBAs, application object owner accounts/schemas (locked accounts) and default Oracle accounts. Developers may be granted limited system privileges as required on development databases. Remediation: REVOKE ALL <PRIVS> FROM <USER>; Audit: SELECT * FROM DBA_SYS_PRIVS; \ \ 1 S 9.27 Privileges Prevent granting of privileges that contain the keyword ANY Rationale: The ANY keyword grants the ability for the user to set privileges for the entire catalogue of objects in the database. Remediation: Check for any user or role that has the ANY keyword and revoke this role where possible. Audit: SELECT * FROM DBA_SYS_PRIVILEGES WHERE PRIVILEGE LIKE(`%ANY%'); \ \ 1 S 93 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 9.28 Privileges Prevent granting of all privileges Rationale: The GRANT ALL PRIVILEGES must not be used; it gives full access to all tables, views and objects to the user or role it is granted to. Remediation: REVOKE ALL PRIVILEGES FROM <USER/ROLE> GRANT <SPECIFIC PRIVILEGES> TO <USER/ROLE>; Audit: SELECT * FROM DBA_SYS_PRIVS WHERE PRIVILEGE='GRANT ANY PRIVILEGE'; SELECT * FROM DBA_SYS_PRIVS WHERE PRIVILEGE='GRANT ANY OBJECT PRIVILEGE'; \ \ 2 N 9.29 Privileges Prevent granting of EXEMPT ACCESS POLICY (EAP) Rationale: Revoke this privilege if not necessary. The EAP privilege provides access to all rows regardless of Row Level Security assigned to specific rows. Remediation: REVOKE EXEMPT ACCESS POLICY FROM <USER>; Audit: SELECT * FROM DBA_SYS_PRIVS WHERE PRIVILEGE='EXEMPT ACCESS POLICY'; \ \ 1 S 94 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 9.30 Privileges Prevent granting of privileges that have WITH ADMIN Rationale: Check for any user or role that has been granted privileges WITH ADMIN and revoke where possible. The WITH ADMIN privilege allows a user to grant the same privileges they possess. Remediation: REVOKE <ROLE> FROM <USER>; GRANT <ROLE> TO <USER>; Audit: SELECT * FROM DBA_SYS_PRIVS WHERE ADMIN_OPTION=¨YES¨; \ \ 1 S 9.31 Privileges Prevent granting of privileges that have WITH GRANT Rationale: Check for any user or role that has been granted privileges WITH GRANT and revoke where possible. The WITH GRANT privilege allows a user to grant the same privilege to other users. Remediation: REVOKE GRANT OPTION FOR <PRIV> ON <TABLE> FROM <USER>; Audit: SELECT * FROM DBA_TAB_PRIVS WHERE GRANTABLE='YES'; \ \ 1 S 95 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 9.32 Privileges Prevent granting of privileges that have CREATE Rationale: Check for any user that has object creation privileges and revoke where possible. Excessive create privileges can allow an attack to create arbitrary objects, tables, and views. Remediation: REVOKE CREATE <PRIV> FROM <USER/ROLE> Audit: SELECT * FROM DBA_SYS_PRIV FROM PRIVILEGE LIKE(`CREATE %'); \ \ 1 S 9.33 Privileges Prevent granting of CREATE LIBRARY Rationale: Check for any user or role that has this privilege and revoke where possible. The CREATE LIBRARY privilege allows a user to create an object associated with a shared library. Allowing arbitrary library creation can compromise the integrity and security of the Oracle database. Remediation: REVOKE CREATE LIBRARY FROM <USER/ROLE>; Audit: SELECT * FROM DBA_SYS_PRIVS WHERE PRIVILEGE='CREATE LIBRARY'; \ \ 1 S 96 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 9.34 Privileges Prevent granting of ALTER SYSTEM Rationale: Check for any user or role that has this privilege and revoke where possible. The alter system privilege allows a user to dynamically alter the Oracle instance. Remediation: REVOKE ALTER SYSTEM FROM <USER/ROLE>; Audit: SELECT * FROM DBA_SYS_PRIVS WHERE PRIVILEGE='ALTER SYSTEM'; \ \ 1 S 9.35 Privileges Prevent granting of CREATE PROCEDURE Rationale: CREATE PROCEDURE allows a user to create a stored procedure in the database and should be restricted to administrative or development users. Check for any user or role that has this privilege and revoke where possible. Remediation: REVOKE CREATE PROCEDURE FROM <USER/ROLE>; Audit: SELECT * FROM DBA_SYS_PRIVS WHERE PRIVILEGE='CREATE PROCEDURE'; \ \ 1 S 9.36 Privileges Prevent granting of BECOME USER Rationale: BECOME USER allows a user to inherit the rights of another oracle system user and should not be used if possible. Remediation: REVOKE BECOME USER FROM <USER/ROLE> Audit: SELECT * FROM DBA_SYS_PRIVS WHERE PRIVILEGE LIKE(`BECOME USER'); \ \ 1 S 97 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 9.37 Privileges Prevent granting of SELECT ANY TABLE Rationale: Check for any user that has access and revoke where possible. If application data is sensitive, and it is possible, revoke this privilege from the DBA accounts as well. Remediation: REVOKE SELECT ANY <OBJECT> FROM <USER>; Audit: SELECT * FROM DBA_SYS_PRIVS WHERE PRIVILEGE LIKE(`SELECT ANY%'); \ \ 1 S 9.38 Privileges Prevent granting of AUDIT SYSTEM Rationale: Review which users have audit system privileges and limit as much as possible to ensure audit commands are not revoked. Remediation: REVOKE <PRITILEGE> FROM <USER>; Audit: SELECT * FROM DBA_SYS_PRIVS WHERE PRIVILEGE='AUDIT SYSTEM'; \ \ 1 S 9.39 Privileges Grant privileges only to roles Rationale: Grant privileges only to roles. Do not grant privileges to individual users. Remediation: Revoke all individual privileges from users. Create a role defining the needed privileges. Grant the role to the users. Audit: None \ \ 1 N 98 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 9.40 Privileges Review privileges granted to PUBLIC Rationale: Review all privileges granted to PUBLIC. Limit or revoke unnecessary PUBLIC privileges. Remediation: REVOKE PUBLIC FROM <USER/ROLE>; Audit: SELECT * FROM DBA_ROLE_PRIVS WHERE GRANTED_ROLE='PUBLIC'; \ \ 1 S 9.41 Roles Prevent assignment of RESOURCE Rationale: Revoke the resource role from normal application user accounts. Remediation: REVOKE RESOURCE FROM <USER/ROLE>; Audit: SELECT * FROM DBA_ROLE_PRIVS WHERE GRANTED_ROLE='RESOURCE'; \ \ 1 S 9.42 Roles Prevent assignment of DBA Rationale: Assigning the DBA role to users provides unnecessary access and control of the Oracle database. Remediation: Revoke DBA role from users who do not require it. REVOKE DBA FROM <USER/ROLE> Audit: SELECT * FROM DBA_ROLE_PRIVS WHERE GRANTED_ROLE='DBA'; \ \ 1 S 99 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 9.43 Packages ACL or Deny access to UTL_FILE Rationale: Review the ACL for usage of the UTL_FILE package. Revoke the public execute privilege on UTL_FILE as it can be used to access O/S. Remediation: REVOKE EXECUTE ON UTL_FILE FROM PUBLIC; Audit: SELECT GRANTEE, TABLE_NAME FROM DBA_TAB_PRIVS WHERE TABLE_NAME='UTL_FILE'; \ \ 1 S 9.44 Packages ACL or Deny access to UTL_TCP Rationale: Review the ACL for usage of the UTL_TCP package. Revoke the public execute privilege on UTL_TCP as it can write and read sockets. Remediation: REVOKE EXECUTE ON UTL_TCP FROM PUBLIC; Audit: SELECT GRANTEE, TABLE_NAME FROM DBA_TAB_PRIVS WHERE TABLE_NAME='UTL_TCP'; \ \ 1 S 9.45 Packages ACL or Deny access to UTL_HTTP Rationale: Review the ACL for usage of the UTL_HTTP package. Revoke the public execute privilege on UTL_HTTP as it can write content to a web browser. Remediation: REVOKE EXECUTE ON UTL_HTTP FROM PUBLIC; Audit: SELECT GRANTEE, TABLE_NAME FROM DBA_TAB_PRIVS WHERE TABLE_NAME='UTL_HTTP'; \ \ 1 S 100 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 9.46 Packages ACL or Deny access to UTL_SMTP Rationale: Review the ACL for usage of the UTL_SMTP packageRevoke the public execute privilege on UTL_SMTP as it can send mail from the database server. Remediation: REVOKE EXECUTE ON UTL_SMTP FROM PUBLIC; Audit: SELECT GRANTEE, TABLE_NAME FROM DBA_TAB_PRIVS WHERE TABLE_NAME='UTL_SMTP'; \ \ 1 S 9.47 Packages Deny access to DBMS_LOB Rationale Revoke the public execute privilege. This procedure allows the manipulation of large objects and BFILE file read access. If not required its usage should be revoked. Remediation: REVOKE EXECUTE ON DBMS_LOB FROM PUBLIC; Audit: SELECT GRANTEE, TABLE_NAME FROM DBA_TAB_PRIVS WHERE TABLE_NAME='DBMS_LOB'; \ \ 1 S 101 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 9.48 Packages Deny access to DBMS_SYS_SQL Rationale Revoke the public execute privilege. If public permissions are granted on DBMS_SYS_SQL a user can acquire an administrative cursor and act with DBA permissions. Remediation: REVOKE EXECUTE ON DBMS_SQL FROM PUBLIC; Audit: SELECT GRANTEE, TABLE_NAME FROM DBA_TAB_PRIVS WHERE TABLE_NAME='DBMS_SYS_SQL'; \ \ 1 S 9.49 Packages Deny access to DBMS_JOB Rationale Revoke the public execute privilege. DBMS_JOB is a backwards compatible job scheduler for Oracle. If no longer required its usage should be disabled to reduce Oracle's attack surface. Remediation: REVOKE EXECUTE ON DBMS_JOB TO PUBLIC; Audit: SELECT GRANTEE, TABLE_NAME FROM DBA_TAB_PRIVS WHERE TABLE_NAME='DBMS_JOB'; \ \ 1 S 102 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 9.50 Proxy Authentication Limit the user schema privileges to CREATE SESSION only. Rationale The proxy account should only have the ability to connect to the database. No other privileges should be granted to this account. Remediation: REVOKE ALL ON <USER>; GRANT CREATE SESSION TO <USER>; Audit: SELECT * FROM DBA_ROLE_PRIVS WHERE GRANTEE='<PROXY ACCOUNT>'; SELECT * FROM DBA_TAB_PRIVS WHERE GRANTEE='<PROXY ACCOUNT>'; SELECT * FROM DBA_SYS_PRIVS WHERE GRANTEE='<PROXY ACCOUNT>'; \ \ 1 S 9.51 Proxy role Restrict the roles that can be enabled when privileges are granted in the database. Rationale If application roles have been granted to user then these roles need to be prevented from being enabled by default on the subsequent logins. Remediation: CREATE ROLE `X' ; GRANT `X' TO JOHN_SMITH; ALTER USER JOHN_SMITH DEFAULT ROLE ALL EXCEPT X; Audit: None \ \ 1 N 103 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 9.52 Views Revoke public access to all public views that start with ALL_ Rationale Revoke access to these views when possible to prevent unauthorized access to data that could be sensitive. Note: This may interfere with some applications. Remediation: REVOKE ALL ON ALL_<NAME> FROM PUBLIC; Audit: SELECT TABLE_NAME FROM DBA_TAB_PRIVS WHERE TABLE_NAME LIKE(`ALL_%') AND GRANTEE='PUBLIC'; \ \ 2 S 9.53 Roles and Privileges When dropping a user, ensure roles and privileges created by that user, if not required, are deleted. Rationale Dropping a user (i.e., DROP USER X CASCADE) doesn't delete roles and privileges created by the user. Remediation: If a user is dropped, ensure that the roles and privileges created by that user, if not required, are deleted. Audit: None \ \ 2 N 104 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 9.54 Packages Limit or deny access to DBMS_BACKUP_RESTORE Rationale Provides file system functions such as copying files, altering control files, accessing devices, and deleting files. Remediation: REVOKE EXECUTE ON DBMS_BACKUP_RESTORE TO PUBLIC; REVOKE EXECUTE ON DBMS_BACKUP_RESTORE TO <USER>; Audit: SELECT GRANTEE FROM DBA_TAB_PRIVS WHERE TABLE_NAME='DBMS_BACKUP_RESTORE'; \ \ R 9.55 Packages Audit usage of DBMS_RANDOM Rationale Audit the DBMS_RANDOM function in applications for improper usage. DBMS_RANDOM should not be used for critical functions related to cryptography, session id generation or other areas where a high degree of entropy is required. Replace calls to these functions with RANDOMBYTES, Revoking the public privilege may cause some applications to fail it is suggested that if the public execute permission cannot be revoked the applications that utilize DBMS_RANDOM are carefully audited. Remediation: REVOKE EXECUTE ON DBMS_RANDOM TO PUBLIC; Audit: SELECT GRANTEE FROM DBA_TAB_PRIVS WHERE TABLE_NAME='DBMS_RANDOM'; \ \ 2 S 105 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 9.56 Roles Password protect roles Rationale Role passwords are useful when an application controls whether or not a role is turned on. This prevents a user directly accessing the database via SQL (rather than through the application) from being able to enable the privileges associated with the role. Remediation: SET ROLE <ROLE_NAME> IDENTIFIED BY <ROLE_PASSWORD>; Audit: SELECT * FROM DBA_ROLES; \ \ 2 S 106 | P a g e 10. Enterprise Manager / Grid Control / Agents Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 10.01 Enterprise Management studio mode Access to the enterprise management in studio must be limited. Rationale: Without limitations on the enterprise management access to the remote agents is virtually unlimited. Remediation: Limit access to the Oracle Enterprise Management studio. Audit: None \ \ 1 N 10.02 Enterprise Manager Agent File uploads Monitor the size of file uploads from the enterprise agent. Rationale: The following lines are some of the output from the ./emctl status agent command containing information regarding the agents uploading files: Total Megabytes of XML files uploaded so far : Number of XML files pending upload: Size of XML files pending upload(MB): Discovering unusual or increased size of file uploads could indicate a malicious agent. Remediation: Create a monitor to track the size of file uploads from the enterprise agent. Audit: None \ \ 1 N 107 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 10.03 Enterprise Manager Framework Security Where possible, utilize Enterprise Manager Framework Security Functionality. Rationale: Enterprise Manager Framework security employs secure communication between the various Enterprise Manager Components, i.e., Remediation: Enable HTTPS between management agents and management services. Audit: None \ \ 1 N 10.04 Grid Control TimeOut Value Configure an appropriate value for Grid Control Timeout value in the Oracle Application Server. File: $IAS_HOME/sysman/config/ emoms.properties Value: oracle.sysman.eml.maxIna ctiveTime=time_in_minute s Rationale: To prevent unauthorized access to the Grid Control via browser, set an appropriate timeout value. A value of 30 minutes or less is recommended. The default is 45 minutes. Remediation: Edit the $IAS_HOME/sysman/config/emoms.properties file and set the value to 30 Audit: grep -i maxInactiveTime \ $IAS_HOME/sysman/config/emoms.properties \ \ 1 S 108 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 10.05 Enterprise Manager Framework Security In command line mode, avoid using commands that contain passwords in the arguments. Rationale: While registering an agent to utilize the enterprise manager framework security, avoid using sensitive command line arguments for emctl. The command can be captured by other users with access to Unix (via ps) command or can be prone to shoulder surfing. Some Unix shells, like bash, log command history as well. This may be another exposure. Remediation: In command line mode, avoid using commands that contain passwords in the arguments. Audit: None \ \ 1 N 10.06 Oracle Installation Separate user account for Management/Intelligent Agent Rationale: The agent database accounts must be separated. This will isolate the Agent from the rest of the Oracle server in the event that is compromised. Remediation: For Unix systems, create a unique user account for the management/Intelligent Agent process in order to differentiate accountability and file access controls. Separate accounts are not recommended for Windows environments. Audit: None \ 2 N 109 | P a g e 11. Specific Systems Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 11.01 ADDM Verify ADDM suggestions Rationale: Automatic Database Diagnostic Monitor (ADDM), should not blindly replace the DBA's knowledge. Remediation: DBA's should verify the applicability of ADDM suggestions based on their knowledge of the database. Audit: None \ \ 1 N 11.02 AMM Monitor AMM Rationale: Automated Memory Manager (AMM), should not blindly replace the DBA's knowledge. Remediation: DBA's should monitor AMM to ensure memory is being properly allocated. Audit: None \ \ 1 N 110 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 11.03 AWR Implement AWR to record all database performance statistics (related to object usage, SQL statement efficiency, session history, etc) over a defined time period. Rationale: Automatic Workload repository (AWR) is central to the whole framework of self and automatic management. It works with internal Oracle database components to process, maintain, and access performance statistics for problem detection and self-tuning. The statistics are available to external users or performance monitoring tools, routines, or scripts. Trends analysis can be done with AWR data. Queries that overtax the system could be a security threat. Remediation: Implement AWR to record all database performance statistics (related to object usage, SQL statement efficiency, session history, etc) over a defined time period. Audit: None \ \ 1 N 11.04 Fine grained access Use fine grain access control within objects. Rationale: Fine grained access control can provide both column and row level security. This can provide an additional layer of access control to objects by limiting the access (select, update, insert, delete) within the object and should be used wherever possible. For fine grained access to function properly, use the cost-based optimizer. Remediation: Evaluate sensitive areas of the Oracle database and enable fine grain access control . Audit: None \ \ 2 N 111 | P a g e 12. General Policy and Procedures Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 12.00 Oracle Installation Do not install Oracle on an Internet facing server. Rationale: Oracle must only be installed on a backend system behind appropriate firewalling or other network protection systems. Remediation: Do not install Oracle on an Internet facing server migrate internet facing oracle servers to a backend or protected environment. Audit: None \ \ 1 N 12.01 Oracle alert log file Review contents Rationale: The Oracle alert log file must be regularly reviewed for errors. Periodically review logs for errors, large numbers or exotic errors can be an indicator of a system under attack. Remediation: Assign an administrator or DBA to review the log files. Audit: None \ \ 1 N 112 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 12.02 Database creation scripts on host Remove or secure Rationale: System creation scripts can provide an attacker with valuable information about the Oracle setup or instance and often contain errors. Remediation: Delete the scripts from the database host. After the database has been created, remove the scripts or at a minimum move them to a safe repository area. Audit: None \ \ 1 N 12.03 Unix root group members on host Disallow 'oracle' as member of root group Rationale: The Oracle software owner account must not be a member of the root group on Unix systems. Having the Oracle account part of the root group breaks privilege separation and best security practices. Remediation: Edit /etc/group remove the oracle_account from the root group Audit: grep oracle_account /etc/group \ 1 N 12.04 Oracle DBA group membership on host Review Rationale: Review the membership of the DBA group on the host to ensure that only authorized accounts are included. This must be limited to users who require DBA access. Remediation: Remove unnecessary users from the DBA group. Audit: cat /etc/group \ \ 1 N 113 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 12.05 Sensitive information in process list on host Avoid or encrypt Rationale: Revealing username and password information in the process list will give anyone able to perform a process listing a valid set of user credentials for the Oracle database. Remediation: An enforced policy must exist to ensure that no scripts are running that display sensitive information in the process list such as the Oracle username and password. A privileged process must be used to get and decrypt encrypted passwords. Audit: None \ \ 1 N 12.06 Sensitive information in cron jobs on host Avoid or encrypt Rationale: An enforced policy must exist to ensure that no cron jobs have sensitive information such as database username and passwords. A privileged process must be used to get and decrypt encrypted passwords. Remediation: Encrypt passwords used in cron on batch jobs. Audit: None \ 1 N 114 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 12.07 Sensitive information in at jobs (or jobs in Windows scheduler) on host Avoid or encrypt Rationale: An enforced policy must exist to ensure that no at jobs (or jobs in Windows scheduler) have sensitive information such as database username and passwords. A privileged process must be used to get and decrypt encrypted passwords. Remediation: Encrypt password used for scheduled jobs and scripts. Audit: None \ \ 1 N 12.08 Sensitive information in environment variables on host Avoid or encrypt Rationale: An enforced policy must exist to ensure that no users have unencrypted sensitive information such as database username and passwords set in environment variables. A privileged process must be used to get and decrypt encrypted passwords. Remediation: Do not store sensitive password in environment variables on the host. Audit: None \ \ 1 N 115 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 12.09 Sensitive information in batch files on host Avoid or encrypt Rationale: An enforced policy must exist to ensure that no batch files have sensitive information such as database usernames and passwords. A privileged process must be used to get and decrypt encrypted passwords. Remediation: Do not store sensitive passwords in batch scripts on the host. Audit: None \ \ 1 N 12.10 Oracle file locations Separate for performance Rationale: If the redo, data, and index files are not properly distributed a single disk failure will cause an Oracle outage and make recovery difficult. Remediation: Split the location of the Oracle software distribution, redo logs, data files, and indexes onto separate disks and controllers for resilience. Audit: None \ \ 1 S 12.11 File systems Separate Oracle files from non- Oracle files Rationale: Isolating the Oracle files onto a separate partition enables easier privilege and permissions management. Remediation: Only put database files on file systems exclusively used by Oracle. Oracle files must not be on the same partition as the operating system. Audit: None \ \ 1 S 116 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 12.12 Optimal Flexible Architecture Implement Rationale: Systems that are flexible and easy to understand reduce administration complexity and increase overall manageability and security. Remediation: Follow the Oracle Optimal Flexible Architecture guidelines to provide for consistency and ease of administration. Audit: None \ \ 1 N 12.13 Checksum PL/SQL code Implement Rationale: Maliciously altered stored procedures can compromise Oracle or system security and can go undetected if not properly audited. Store the checksum results upon creation and update of the stored procedure, periodically check for alterations. Remediation: sha1sum pl_file.psql Audit: sha1sum pl_file.psql \ \ 1 N 117 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 12.14 All database objects Monitor Rationale: Maliciously altered objects can compromise Oracle or system security and can go undetected if not properly audited. Remediation: Store the results of the time stamps of the creation, reload, and compilation of database objects and review the results regularly to ensure no unauthorized changes have occurred. Audit: None \ \ 1 N 12.15 Ad-hoc queries on production databases Avoid Rationale: Ad-hoc queries are a direct vector for creating denial of service conditions and possible exploitation of the Oracle database. Remediation: Disallow ad-hoc queries on production databases. This recommendation may not be suitable for all environments, for example, data warehouses. Test all queries and provide an application interface for exercising queries on production databases. Audit: None \ \ 1 N 118 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 12.16 Remote shell access on host Encrypt session Rationale: All remote access from users and administrators to the Oracle host must be encrypted. An attacker on the local network can sniff or intercept unencrypted sessions. Remediation: If remote shell access is required, use SSH or a VPN solution to ensure that session traffic is encrypted. In a cluster environment (RAC or OPS) RSH and RCP are required between the nodes for the Oracle software owner. In the case of a cluster environment, the access must be restricted by user and host. Audit: None \ \ 1 N 12.17 Applications with database access Review Rationale: Allowing unauthorized application access will result in information theft and possible remote compromise of the Oracle database. Remediation: Review and control which applications access the database. Audit: None \ \ 1 N 119 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 12.18 Location of development database Separate server from production database Rationale: Regulatory, compliance, and security best practices require production and test environments to be separate. Test environments generally have lax security and mirror production systems. These can provide a staging point or attack vector for a malicious user if hosted in a single environment. Remediation: Test and development databases must not be located on the same server as the production system. Audit: None \ \ 1 N 12.19 Network location of production and development databases Separate Rationale: Regulatory, compliance, and security best practices require production and test environments to be separate. Test environments generally have lax security and mirror production systems. These can provide a staging point or attack vector for a malicious user if hosted in a single network. Remediation: If possible, place production databases on a different network segment from test and development databases. Audit: None \ \ 1 N 120 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 12.20 Monitor for development on production databases Prevent development on production databases Rationale: Development of applications on production databases violates security best practices and leaves debugging and other information useful to an attacker on the production host. Remediation: Check for evidence of development occurring on production databases. Audit: None \ \ 1 N 12.21 Access to production databases Avoid access from development or test databases Rationale: Allowing a user to alter a production database from a development or test environment creates a vector for an attacker. Production and test database should remain separate then synced when necessary. Remediation: Database access from development and test databases to production databases must be prohibited. Audit: None \ \ 1 N 12.22 Developer access to production databases Disallow Rationale: Developers must not have direct access to production databases. Allowing developers direct access to production databases violates regulator, compliance, and security best practices. Remediation: Remove login or authentication means for direct developer access. Audit: None \ \ 1 N 121 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 12.23 Developer accounts on production databases Remove developer accounts Rationale: Remove any developer accounts that exist in the production database. Remediation: userdel <account> Audit: cat /etc/passwd \ \ 1 N 12.24 Databases created from production exports Change passwords Rationale: If test or development databases are created from backups or exports of the production system, all passwords must be changed before granting access to developers or testers. Remediation: Maintain separate user accounts for test and production databases and hosts. Audit: None \ \ 1 N 12.25 Databases created from production systems Remove sensitive data Rationale: If test or development databases are created from backups or exports of the production system, all sensitive data (such as payroll information) must be removed before granting access to developers or testers. Remediation: Remove all sensitive data from production hosts before granting access to tester and developers. Clear tables that contain PII, password hashes, or other sensitive data. Audit: None \ \ 1 N 122 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 12.26 Account Management Document and enforce account management procedures Rationale: Create and regularly review procedures for account management. This must include the creation of new user accounts, moving a user to a new group or role, and handling of dormant or inactive accounts. Remediation: Document the system of controls and checks that surround management procedures. Audit: None \ \ 1 N 12.27 Change Control Document and enforce change control procedures Rationale: Create and regularly review procedures for new applications that access the database and change control management procedures for releasing development code into production. Monitor the addition of new users and access rights. Utilization of ticketing system or other Change management system will help facilitate this process. Remediation: Adoption of a change management system. Audit: None \ \ 1 N 12.28 Disaster recovery procedures Review Rationale: Disaster recovery procedures must be fully documented and regularly tested. Remediation: Review the disaster recovery procedures. Audit: None \ \ 1 N 123 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 12.29 Backdoors Eliminate Rationale: Tight change control management procedures and checksums of the source code can help prevent backdoors into the database. Remediation: Review or audit source code both in development and deployed to production systems. Audit: None \ \ 1 N 12.30 Public dissemination of database information Disallow Rationale: Exposing internal configuration information gives an attacker a list of targets and vectors into the Oracle environment. Remediation: The posting of database information such as SIDs, hostnames, and IP addresses to newsgroups and mailing lists must not be allowed. Audit: None \ \ 1 N 12.31 Screen saver Set screen saver/lock with password protection of 15 minutes. Rationale: Desktop screens left unlocked create a vector for attacker to take control of the access granted to the user. Remediation: If an organizational policy does not exist, 15 minutes must be set as the standard. Audit: None \ \ 1 N 124 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 12.32 Distribution of tnsnames.ora files to clients Include only necessary tnsnames.ora when distributing to clients Rationale: If clients connect to the database using tnsnames.ora files, ensure that only necessary entries are included in the file when distributing to clients. Providing additional information about database configuration provides a list of hosts and instances to target and violates security best practices. Remediation: Remove entries from tnsnames.ora Audit: None \ \ 1 N 12.33 Event and System Logs Monitor Rationale: Excessive or exotic errors may be an indicator of a system or database under attack. Proper log auditing and review is a must to maintain system integrity. Remediation: Windows Event Logs and Unix System logs must be regularly monitored for errors related to the Oracle database. Audit: None \ \ 1 N 12.34 Access to database objects by a fixed user link Disallow Rationale: Fixed user database links that have a hard coded username and password must be avoided. Anyone with permissions or rights to view the hard coded username or password exposes that account to unnecessary risk. Remediation: Remove username and password Audit: None \ \ 1 N 125 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 12.35 Oracle Installation Oracle software owner account name NOT 'oracle' Rationale: Do not name the Oracle software owner account 'oracle' as it is very well known and used in many automated attacks and brute forcing tools. Remediation: Upon oracle installation create a separate user account with the username other than Oracle. Audit: None \ \ 2 S 12.36 Oracle Installation Separate users for different components of Oracle Rationale: Properly privilege separate user accounts associated with each Oracle service. In the event that an Oracle service is compromised privilege separating each service will help reduce the damage an attacker can perform. Remediation: For Unix systems, create unique user accounts for each Oracle process/service in order to differentiate accountability and file access controls. The listener, the Oracle http server, and the database process accounts must be separate. Separate accounts are not recommended for Windows environments. The requirement for the Management/Intelligent Agent process is listed in section 10 of this document. Audit: None \ 2 N 126 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 12.37 Alerts on high priority incidents Create processes to alert Rationale: Monitoring high priority incidents will help in the event of a security incident. Remediation: Create processes to monitor and alert on high priority incidents. Audit: None \ \ 2 N 12.38 Intelligent agent Do not use Rationale: Intelligent agents provide a direct management interface to the Oracle database. Remediation: If the database server is accessible via the Internet, do not use the Intelligent Agent. This may not be practical for OEM or SNMP monitored databases. Audit: None \ \ 2 N 12.39 Network Implement if appropriate Rationale: Traffic sent unencrypted across a network can be monitored and intercepted Remediation: If appropriate to the environment, implement Oracle Advanced Security to encrypt all traffic between the client and server, OAS solutions include IPSec and mutually authenticated SSL. Audit: None \ \ 2 N 127 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 12.40 Application PL/SQL code Encrypt Rationale: The wrap program provided by Oracle encodes the PL/SQL source code but does not encrypt it. Remediation: Encrypt the PL/SQL code, do not rely on the wrap functionality to protect highly sensitive information. Audit: None \ \ 2 N 12.41 Hard coded data in PL/SQL and application source code Avoid or encrypt Rationale: Do not use unencrypted hard coded usernames, passwords, or other critical data in the PL/SQL code. PL/SQL code is often viewable by many users of the Oracle system and stored in code repositories. Remediation: Avoid hardcoded data in code. Use a secure data storage mechanism. Strip all sensitive information from PL/SQL code before storage into a repository. Audit: None \ \ 2 N 12.42 Decommissioned applications Remove all components Rationale: Failure to remove all privileges once an application has been removed from an Oracle database widens the attack surface and can provide unmonitored access for an attacker. Remediation: Ensure that all associated binaries, users, batch process, and access rights are removed when applications are decommissioned. Audit: None \ \ 2 N 128 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 12.43 DDL statements in application Disallow Rationale: Applications must not alter the database schema. Remediation: Only allow updates of the database schema though a DBA or approved change management system. Audit: None \ \ 2 N 12.44 Host and Application Monitoring Software. Review Rationale: Any remote access to the database host must be controlled by an application level firewall. Remediation: Block unnecessary ports used for monitoring and remote interfaces to the Database. This includes operations management consolidation suites. Audit: None \ \ 2 N 12.45 Enabling of batch process account Time enabled Rationale: Allowing the batch account to remain active widens the system attack surface and may lead to unauthorized access of the Oracle database. Remediation: The account that is used to run batch processes must be enabled only during the time that the batch processes run. Audit: None \ \ 2 N 129 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 12.46 Passwords for batch processes Secure Rationale: Passwords for batch processes must not be a command line parameter or an environment variable. Remediation: Remove passwords from batch files and scripts; ensure that passwords are not set as environment variables. Audit: None \ \ 2 N 12.47 External account access for batch processes Disallow Rationale: External accounts used for batch processes allow a simple way to access the database. Remediation: Forbid the usage of batch process to access the Oracle database. Audit: None \ \ 2 N 12.48 User permissions Review Rationale: Review and test development databases for users with excess permissions not granted in production. Remediation: Restrict test development databases. Audit: None \ \ 2 N 130 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 12.49 Procedures for backup tape retrieval Review Rationale: Loss of a tape can compromise other measures taken to protect database information. Remediation: Ensure the procedures for backup tape retrieval are documented and are adequate to prevent social engineering attacks to steal data. Audit: None \ \ 2 N 12.50 Intrusion detection system on host Utilize Rationale: A host based intrusion detection system provides another layer of defense for the Oracle server. Remediation: Use a host based Intrusion Detection System on the server hosting the Oracle database. Audit: None \ \ 2 N 12.51 Remote Administration of Listener Use encryption if remote administration is required. Rationale: If remote administration of a listener via the listener utility is required, e.g., no administration through SSH or MS Terminal Server, configure the listener to have a TCPS (SSL) port. If the listener is configured to use multiple protocols, set the SSL protocol as the first protocol in listener.ora. Remediation: SECURE_CONTROL_listener_name=(TCPS,IPC) Audit: None \ \ 2 N 131 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 12.52 Multiple listeners Create separate listeners for clients and administration. Protect the administrative listener with IPSec ESP or OAS SSL and a host-based firewall. Rationale: An administrative listener, protected by IPSec, could allow administrators access to the server if the client listener(s) fail.. Preference of implementation is IPSec ESP, otherwise SSL and host-based firewall. If SSL is not possible, use OAS native encryption/integrity with a host firewall.. Access must be limited to specific administrative workstations. Remediation: Create separate listeners for clients and administration. Protect the administrative listener with IPSec ESP, SSL or OAS . and a host firewall. Audit: None \ \ 2 N 12.53 Policy Caching Policy caches must be purged. Rationale: Policy caches can potentially store information that could be used to compromise the database and may accessible outside of Oracle and beyond the control of the security parameters. Hence this can defeat row level security. Remediation: Purge policy caches. Audit: None \ \ 2 N 132 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 12.54 Policy Functions Users should not have execute, alter or drop privileges on policy functions. Rationale: The ability to manipulate policy functions could be used to defeat row level security. Remediation: Users should not have EXECUTE, ALTER or DROP privileges on policy functions. Audit: None \ \ 2 N 12.55 Passwords Remove password parameters from configuration files utilized for Silent Installations. Rationale: Whenever utilizing silent installs, i.e., Oracle Installer, ensure configuration files do not contain password values after the installation completes. Remediation: Remove all passwords post installation. Audit: None \ \ 2 N 12.56 DataGuard Auth Authenticate Data Guard with SSL Certificates Rationale: Strong authentication using certificates provides both security and identification of endpoints for the DataGuard service. Remediation: Connections between Data Guard servers should be authenticated using SSL certificates Audit: None \ \ 2 N 133 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 12.57 Data Guard Mode Select Maximum Protection Rationale: Loss of data can result in the loss of system integrity or audit trails. Setting Data Guard to maximum mode ensures no information is lost in the event of a failure. Remediation: If possible configure Data Guard for Maximum Protection to ensure that zero data loss occurs if a primary database fails. Audit: None \ \ 2 N 12.58 Data Guard Redo Authenticate Redo Transport Services using SSL Certificates Rationale: Connections sent across the network unencrypted can be monitored and intercepted exposing sensitive information. Remediation: Connections for Redo services should be authenticated using SSL certificates. Audit: None \ \ 2 N 12.59 Incident Packages Ensure Incident Packages are destroyed or properly protected after upload to Oracle. Rationale: Sensitive information may be contained in incident packages. Not sanitizing packages may result in leaking of sensitive information to Oracle. Remediation: Ensure the minimal amount of sensitive information is sent to Oracle and destroy Incident Packages after submission. Audit: None \ \ 2 N 134 | P a g e 13. Auditing Policy and Procedures Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 13.01 Auditing Unused schemas should be dropped Rationale: Leaving additional schemas in the database can provide an attacker with additional details about the currently used Oracle system or contain sensitive information. Remediation: Unused schemas should be first audited to ensure that they are in fact unused. After verification, they should be dropped. Audit: None \ \ 2 N 13.02 Auditing Trap autonomous transactions Rationale: This will ensure that audit captures actions performed by users even if they are later rolled back. Remediation: None Audit: None \ \ 2 N 135 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 13.03 Auditing Audit all logons and logoffs. Rationale: Auditing logon and logoff events may provide additional information for isolating the cause of security incidents. Remediation: AUDIT CREATE SESSION Audit: SELECT USER_NAME, SUCCESS, FAILURE FROM DBA_PRIV_AUDIT_OPTS WHERE PRIVILEGE='CREATE SESSION' Note: This is audited by default when default security settings are enabled. \ \ 2 S 13.04 Auditing Audit for unsuccessful attempts. Audit by ACCESS WHENEVER NOT SUCCESSFUL. Rationale: Auditing by SESSION will only show a single audit event for an attempt. By logging unsuccessful attempts any SQL statement attempting to access the table will be recorded. This could provide a record of unauthorized attempts to access sensitive data. Remediation: Ex. AUDIT SELECT ON TABLE WHENEVER NOT SUCCESSFUL Audit: SELECT * FROM DBA_OBJ_AUDIT_OPTS WHERE OBJECT_NAME='<OBJECT_NAME>'; \ \ 2 S 136 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 13.05 Auditing Where appropriate or required by security or legal requirements, engage and use the Fine-Grained Auditing (FGA) feature. Rationale: The flexibility, column specific sensitivity, SQL capturing, and event handler capabilities of FGA provide auditors and security personnel with valuable information. Note: The FGA record entry can be pre-qualified. Therefore, it should not add a significant burden to the size of audit records. Remediation: DBMS_FGA.ADD_POLICY( <Policy config> ); Audit: SELECT policy_name FROM DBA_AUDIT_POLICIES; \ \ 2 S 13.06 Auditing Where appropriate or required by security or legal requirements, use enhanced capabilities of Fine-Grained Auditing. Rationale: FGA has the ability to execute event driven procedures that may allow security and operations teams to receive real time indications of threats. For instance, a procedure could perform an action such as sending an e-mail alert to an auditor when a user selects a certain row from a table, or it could write to a different audit trail. Remediation: DBMS_FGA.ADD_POLICY( <Policy config> ); Audit: SELECT policy_name FROM DBA_AUDIT_POLICIES \ \ 2 S 137 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 13.07 Auditing Audit ALTER ANY TABLE Rationale: Unauthorized table alters can results in application failures or be the precursor to an attack. Remediation: Audit ALTER ANY table; Audit: SELECT * FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='ALTER ANY TABLE'; \ \ 2 S 13.08 Auditing Audit ALTER USER Rationale: Unauthorized user alters can results in application failures, hijacked credentials, or be the precursor to an attack. Remediation: AUDIT ALTER USER; Audit: SELECT * FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='ALTER USER'; \ \ 2 S 13.09 Auditing Audit any CREATE statement Rationale: Auditing the creation of objects, such as tables or databases, will provide a record of events that may be useful when investigating security events. Remediation: AUDIT CREATE ANY <object>; Audit: SELECT * FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION LIKE(`CREATE%'); \ \ 2 S 138 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 13.10 Auditing Audit CREATE ROLE Rationale: Auditing the creation of roles will provide a record to ensure the appropriate use of account administration privileges. This information is also useful when investigating certain security events. Remediation: AUDIT CREATE ROLE; Audit: SELECT * FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='CREATE ROLE'; \ \ 2 S 13.11 Auditing Audit CREATE USER Rationale: Auditing the creation of users will provide a record to ensure the appropriate use of account administration privileges. This information is also useful when investigating certain security events. Remediation: AUDIT CREATE USER; Audit: SELECT * FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='CREATE USER'; \ \ 2 S 13.12 Auditing Audit CREATE SESSION Rationale: Audit the use of CREATE SESSION for successful or unsuccessful operations. This information is also useful for debugging application and user session failures. Remediation: AUDIT CREATE SESSION; Audit: SELECT * FROM DBA_STMT_AUDIT_OPTS WHERE UDIT_OPTION='CREATE SESSION; \ \ 2 S 139 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 13.13 Auditing Audit any DROP statement Rationale: Auditing the removal of database objects, such as tables or databases, will provide a record of events that may be useful when investigating security events. Remediation: AUDIT DROP {PRIV}; Audit: SELECT * FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION LIKE(`DROP%'); \ \ 2 S 13.14 Auditing Audit DROP ANY PROCEDURE Rationale: Audit the use of DROP ANY PROCEDURE. Auditing the removal of database procedures, will provide a record of actions that may be useful when investigating security events. Remediation: AUDIT DROP ANY PROCEDURE; Audit: SELECT * FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION=`DROP PROCEDURE'; \ \ 2 S 13.15 Auditing Audit DROP ANY TABLE Rationale: Audit the use of DROP ANY TABLE. Auditing the removal of database tables, will provide a record of actions that may be useful when investigating security events. Remediation: AUDIT DROP ANY TABLE; Audit: SELECT * FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION=`DROP ANY TABLE'; \ \ 2 S 140 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 13.16 Auditing Audit GRANT ANY PRIVILEGE Rationale: Auditing the grants will provide a record to ensure the appropriate use of account administration privileges. This information is also useful when investigating certain security events. Remediation: audit GRANT ANY PRIVILEGE; Audit: SELECT * FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION=`GRANT ANY PRIVILEGE'; \ \ 2 S 13.17 Auditing Audit GRANT ANY ROLE Rationale: Auditing the grants will provide a record to ensure the appropriate use of account administration privileges. This information is also useful when investigating certain security events. Remediation: AUDIT GRANT ANY ROLE; Audit: SELECT * FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION=`GRANT ANY ROLE'; \ \ 2 S 13.18 Auditing Audit INSERT failures Rationale: Auditing failed inserts may provide be useful when investigating certain security events, such as SQL injections attempts. Remediation: AUDIT INSERT ON objectname WHENEVER NOT SUCCESSFUL; Audit: SELECT OBJECT_NAME, INS, FROM DBA_OBJ_AUDIT_OPTS; \ \ 2 S 141 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 13.19 Auditing Audit EXECUTE PROCEDURE Rationale: Audit EXECUTE PROCEDURE failures attempted into critical data objects. Auditing the EXECUTE PROCEDURE will provide a record of the procedures that were executed and by whom. This information is also useful when investigating a security event Remediation: AUDIT EXECUTE PROCEDURE; Audit: SELECT * FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION=`EXECUTE PROCEDURE'; \ \ 2 S 13.20 Auditing Audit SELECT ANY DICTIONARY Rationale: Audit the use of the SELECT ANY DICTIONARY. Auditing SELECT ANY DICTIONARY will provide a record of access to DICTIONARY views. This information is also useful when investigating a security event. Remediation: AUDIT SELECT ANY DICTIONARY; Audit: SELECT * FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='SELECT ANY DICTIONARY'; \ \ 2 S 142 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 13.21 Auditing Audit GRANT ANY OBJECT Rationale: Audit the use of the GRANT ANY OBJECT. Auditing the grants will provide a record of the scope of the user object rights to ensure the appropriate use of account administration privileges. This information is also useful when investigating certain security events. Remediation: AUDIT GRANT ANY OBJECT; Audit: SELECT * FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='GRANT ANY OBJECT'; \ \ 2 S 13.22 Auditing Audit CREATE {ANY} LIBRARY Rationale: Audit the use of the CREATE LIBRARY PRIVILAGE Remediation: AUDIT CREATE LIBRARY; Audit: SELECT * FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='CREATE LIBRARY'; \ \ 2 S 13.23 Auditing Logon, logoff, database start or stop, and other information. Rationale: Specific database application components may contain sensitive information and require more scrutiny or certain events to alarm when triggered. Evaluate applications on a case by case basis and create where appropriate. Remediation: Create triggers against all tables and system events that are meaningful to the database and application. Audit: None \ \ 2 N 143 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 13.24 Auditing Use triggers to implement row level auditing Rationale: If specific rows of data need to be audited create triggers to alarm on auditable events. This will reduce the overall system resources for auditing specific tables and help reduce false alarms. Remediation: Use triggers to enforce row level auditing for important data. Audit: None \ \ 2 N 13.25 Auditing Review procedures and reports to review audit logs Rationale: Regular, timely reviews of the collected audit information must be done to ensure system security and integrity. Remediation: Assign administrative or DBA time to review report generation logic. Audit: None \ \ 2 N 13.26 Auditing Set AUDIT ALL ON SYS.AUD$ BY ACCESS Rationale: By setting AUDIT ALL ON SYS.AUD$ BY ACCESS, attempts to alter the audit trail will be audited. Only applicable if the audit trail parameter is set to DB or TRUE. Remediation: AUDIT ALL ON SYS.AUD$ BY ACCESS; Audit: SELECT * FROM DBA_OBJ_AUDIT_OPTS WHERE OBJECT_NAME='AUD$'; \ \ 2 S 144 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 13.27 Auditing Regularly purge the audit trail Rationale: Archive and delete the audit trail as necessary or in line with local data administration policies. The audit trail can consume substantial system resources leading to a denial of services. Remediation: Review the purging procedures to ensure that the audit trail is purged regularly. Audit: None \ \ 2 N 13.28 Auditing Audit Exposed Web Services Rationale: Legacy procedures that are designed for internal usage only are often exposed as web services. Both the legacy status and expansion of the attack surface can lead to their exploitation. Remediation: Audit any XML DB or PL/SQL procedures that have been exposed as web services. Audit: None \ \ 2 N 145 | P a g e Appendix A: Additional Settings (not scored) Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 14.01 Oracle Label Security Where possible use Oracle Label Security. Rationale: OLS is a strong additional layer of security that can be used to create a Virtual Private database (VPD). OLS allows data of varying sensitivities to be stored in a single database and access to the data to be restricted using security clearances as defined by role level. Remediation: Where possible enable and apply Oracle label security. This can be cost prohibitive depending on licensing with Oracle. Audit: None \ \ 2 N 146 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 14.02 Oracle Label Security Hide label column. Rationale: If the status of the hidden label column needs to be changed, the values of the label column may be copied to an added column, then the hidden column can be removed, the column copies, and then removes the policy dropping the row label column. Reinstate the policy and then copy the values from the added column to the row label column and then remove the added column. Remediation: Where possible, when using OLS, hide the label column. This can be done by passing the HIDE directive to the DEFAULT_OPTIONS parameter of the SA_SYSDBA.CREATE_POLICY (globally) or to the TABLE_OPTIONS parameter of the APPLY_TABLE_POLICY procedure (for a specific table). Note: After applying a OLS policy to a table, the hidden status of the labels cannot be revoked without the loss of the labels. Audit: None \ \ 2 N 147 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 14.03 Oracle Label Security Include LABEL_UPDATE Rationale: This ensures the user cannot reclassify the data in the record by changing the label. Remediation: Include the LABEL_UPDATE as a value for TABLE_OPTIONS parameter when the OLS policy is applied to a table. Audit: None \ \ 2 N 14.04 Oracle Label Security Limit manipulation. Rationale: By the creation of a procedure, direct manipulation by database users of the labels is prevented and an additional level of security is provided. This can provide a separation of responsibility between the DBA and the security administrators. Remediation: Where possible, use a trusted procedure to limit and control the manipulation of the labels. Audit: None \ \ 2 N 148 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 14.05 Oracle Label Security Backup data. Rationale: OLS introduces an additional hidden column into a table. For some tables the addition of a column or a hidden column may render the table unusable. For applications that expect to see all the data, OLS may be interpreted as corrupt data. Remediation: Have a secure and separate data copy before implementing OLS. Audit: None \ \ 2 N 14.06 Oracle Label Security Where applicable and possible, store labels in the Oracle Internet Directory (OID). Rationale: In the context of the Enterprise User Security option, this provides a centralized management method for user passwords, enterprise roles, and OLS authorization. Under the control of the OID, policies cannot be manipulated within the databases. Remediation: Where applicable and possible, store labels in the Oracle Internet Directory (OID). Audit: None \ \ 2 N 14.07 RAID file systems Implement Rationale: File systems holding the Oracle data should be on RAID volumes for resilience. Remediation: Create RAID partitions for the Oracle database and files. Audit: None \ \ 2 N 149 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 14.08 Magnetically wipe failed disks Implement Rationale: Sensitive data or information can be recovered from magnetic or data media if not properly erased. Remediation: Magnetically wipe old, no longer used, or failed disks. This issue is most likely handled by system administrators. Audit: None \ \ 2 N 14.09 Backups on system disks Verify permissions Rationale: In many environments, database backups are written to system disks. In this type of environment, ensure that the backup files are protected. Files should be owned by oracle software owner set with owner read/write permissions only. Remediation: Set proper permissions on oracle data files stored on backup tapes. Audit: None \ \ 2 N 14.10 Off site backup storage Implement Rationale: It is a best practice to have redundant offsite backups in the event of a physical catastrophe. Remediation: Implement off site backup storage procedures. Audit: None \ \ 2 N 150 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 14.11 Recovery procedures Document and Test Rationale: Failure to properly implement and test recovery procedures can result in loss of data and compromise system integrity. Remediation: Ensure that database recovery procedures are fully documented and regularly tested. Audit: None \ \ 2 N 14.12 Screening router Implement to restrict access to database host Rationale: Unrestricted access to the database widens the attack surface. Network access should be limited to application and administrative hosts. Remediation: Implement a screening router to restrict access to the database host. Audit: None \ \ 2 N 14.13 Host-based firewall Implement on database administration machines Rationale: Use a host based firewall on all computers used to remotely administer databases. Remediation: None Audit: None \ \ 2 N 151 | P a g e Appendix B: Enterprise Manager Grid Control for Patch and Policy Management The Oracle 11g Enterprise Manager Grid Control application has two functions directly related to securing Oracle and its host. If the Oracle Enterprise Manager Grid Control application is deployed, follow these recommendations. For more detailed information of this functionality please refer to the Oracle documentation, Oracle® Database 2 Day DBA 11g Release 1 (11.1) Part Number B28301-02 Patching Setup The Oracle 11g Enterprise Manager Grid Control application can be set up to automatically access Oracle MetaLink to search for and download any new patches available for your Oracle installs. The administrator can then schedule and apply the patch(es) to any host in the enterprise. Policy Violations The Oracle 11g Enterprise Manager Grid Control application can show policy violations for any database or host in the enterprise. The violations can be fixed or ignored so they will not show up in future reports. Appendix C: Acknowledgments The contributions to the consensus process made by the following people were instrumental in the creation of this guide: x Sheila Christman x Dana Hemlock x Sheilah Scheurich x Tran Thanh Chien x Johan Verbrugghen x Alf-Ivar Holm x David W Blaine x Adam Cecchetti x Brian P. McDonald x Chad Hughes x Rick Wessman x Dave Shackleford x Alf-Ivar Holm x Blake Frantz x Don Granaman x Nancy Whitney x John Banghart x Gary Gapinski x Clint Kreitner x Richard A. Haas x Brian Denny x Carol Bales x Rick Wessman x Melissa McAvoy x Alan Klink x Ray Stell x James Hayes x Bert Miuccio x Chuck Earle x Jeremy Terk x Cesar Quebral x George Colt x Phil Curran x Michael Anderson x Tom L. Finn x Mark Rakozy x David Waltermire 152 | P a g e Appendix D: Change History Date Version Changes for this version 8/12/2008 1.0.0 - Initial Public Release 1/23/2009 1.0.1 - Resolved number sequencing issue (5.5, 5.6 were absent) - Updated 4.15 (NOLOGGING) to articulate this clause has continuity concerns, not repudiation or audit concerns. - Added Background Section - Updated Acknowledgements Section - Update Section heading styles   Terms  of  Use  Agreement       Background.     CIS  provides  benchmarks,  scoring  tools,  software,  data,  information,  suggestions,  ideas,  and  other   Products Internet  users  worldwide.  Recommendatio Recommendations result  from  a  consensus-­‐building  process  that  involves  many  security  experts  and  are  generally   generic  in  nature.  The  Recommendations  are  intended  to  provide  helpful  information  to   organizations  attempting  to  evaluate  or  improve  the  security  of  their  networks,  systems  and   devices.  Proper  use  of  the  Recommendations  requires  careful  analysis  and  adaptation  to  specific   any     No  representations,  warranties  and  covenants.     CIS  makes  no  representations,  warranties  or  covenants  whatsoever  as  to  (i)  the  positive  or  negative   effect  of  the  Products  or  the  Recommendations  on  the  operation  or  the  security  of  any  particular   network,  computer  system,  network  device,  software,  hardware,  or  any  component  of  any  of  the   foregoing  or  (ii)  the  accuracy,  reliability,  timeliness  or  completeness  of  any  Product  or   Recommendation.    CIS  is  providing  the  Products  and       User  agreements.     we acknowledge  that:     No  network,  system,  device,  hardware,  software  or  component  can  be  made  fully  secure;   We  are  using  the  Products  and  the  Recommendations  solely  at  our  own  risk;     We  are  not  compensating  CIS  to  assume  any  liabilities  associated  with  our  use  of  the  Products  or   the  Recommenda     We  have  the  sole  responsibility  to  evaluate  the  risks  and  benefits  of  the  Products  and   Recommendations  to  us  and  to  adapt  the  Products  and  the  Recommendations  to  our  particular   circumstances  and  requirements;     Neither  CIS,  nor  any  CIS  Party  (defined  below)  has  any  responsibility  to  make  any  corrections,   updates,  upgrades  or  bug  fixes  or  to  notify  us  if  it  chooses  at  it  sole  option  to  do  so;  and     Neither  CIS  nor  any  CIS  Party  has  or  will  have  any  liability  to  us  whatsoever  (whether  based  in   contract,  tort,  strict  liability  or  otherwise)  for  any  direct,  indirect,  incidental,  consequential,  or   special  damages  (including  without  limitation  loss  of  profits,  loss  of  sales,  loss  of  or  damage  to   reputation,  loss  of  customers,  loss  of  software,  data,  information  or  emails,  loss  of  privacy,  loss  of   use  of  any  computer  or  other  equipment,  business  interruption,  wasted  management  or  other  staff   resources  or  claims  of  any  kind  against  us  from  third  parties)  arising  out  of  or  in  any  way  connected   with  our  use  of  or  our  inability  to  use  any  of  the  Products  or  Recommendations  (even  if  CIS  has   been  advised  of  the  possibility  of  such  damages),  including  without  limitation  any  liability   associated  with  infringement  of  intellectual  property,  defects,  bugs,  errors,  omissions,  viruses,   worms,  backdoors,  Trojan  horses  or  other  harmful  items.           Grant  of  limited  rights.     CIS  hereby  grants  each  user  the  following  rights,  but  only  so  long  as  the  user  complies  with  all  of  the   terms  of  these  Agreed  Terms  of  Use:     Except  to  the  extent  that  we  may  have  received  additional  authorization  pursuant  to  a  written   agreement  with  CIS,  each  user  may  download,  install  and  use  each  of  the  Products  on  a  single   computer;     Each  user  may  print  one  or  more  copies  of  any  Product  or  any  component  of  a  Product  that  is  in  a   .txt,  .pdf,  .doc,  .mcw,  or  .rtf  format,  provided  that  all  such  copies  are  printed  in  full  and  are  kept   intact,  including  without  limitation  the  text  of  this  Agreed  Terms  of  Use  in  its  entirety.     Retention  of  intellectual  property  rights;  limitations  on  distribution.     The  Products  are  protected  by  copyright  and  other  intellectual  property  laws  and  by  international   treaties.  We  acknowledge  and  agree  that  we  are  not  acquiring  title  to  any  intellectual  property   rights  in  the  Products  and  that  full  title  and  all  ownership  rights  to  the  Products  will  remain  the   exclusive  property  of  CIS  or  CIS  Parties.  CIS  reserves  all  rights  not  expressly  granted  to  users  in  the   precedi this  paragraph),  and  except  as  we  may  have  otherwise  agreed  in  a  written  agreement  with  CIS,  we   agree  that  we  will  not  (i)  decompile,  disassemble,  reverse  engineer,  or  otherwise  attempt  to  derive   the  source  code  for  any  software  Product  that  is  not  already  in  the  form  of  source  code;  (ii)   distribute,  redistribute,  encumber,  sell,  rent,  lease,  lend,  sublicense,  or  otherwise  transfer  or  exploit   rights  to  any  Product  or  any  component  of  a  Product;  (iii)  post  any  Product  or  any  component  of  a   Product  on  any  website,  bulletin  board,  ftp  server,  newsgroup,  or  other  similar  mechanism  or   device,  without  regard  to  whether  such  mechanism  or  device  is  internal  or  external,  (iv)  remove  or   alter  trademark,  logo,  copyright  or  other  proprietary  notices,  legends,  symbols  or  labels  in  any   Product  or  any  component  of  a  Product;  (v)  remove  these  Agreed  Terms  of  Use  from,  or  alter  these   Agreed  Terms  of  Use  as  they  appear  in,  any  Product  or  any  component  of  a  Product;  (vi)  use  any   Product  or  any  component  of  a  Product  with  any  derivative  works  based  directly  on  a  Product  or   any  component  of  a  Product;  (vii)  use  any  Product  or  any  component  of  a  Product  with  other   products  or  applications  that  are  directly  and  specifically  dependent  on  such  Product  or  any   component  for  any  part  of  their  functionality,  or  (viii)  represent  or  claim  a  particular  level  of   compliance  with  a  CIS  Benchmark,  scoring  tool  or  other  Product.  We  will  not  facilitate  or  otherwise   aid  other  individuals  or  entities  in  any  of  the  activities  listed  in  this  paragraph.     We  hereby  agree  to  indemnify,  defend  and  hold  CIS  and  all  of  its  officers,  directors,  members,   contributors,  employees,  authors,  developers,  agents,  affiliates,  licensors,  information  and  service   providers,  software  suppliers,  hardware  suppliers,  and  all  other  persons  who  aided  CIS  in  the   creation,  development  or  maint CIS  Parties harmless  from  and  against  any  and  all  liability,  losses,  costs  and  expenses  (including  attorneys'  fees   and  court  costs)  incurred  by  CIS  or  any  CIS  Party  in  connection  with  any  claim  arising  out  of  any   to  assume  the  exclusive  defense  and  control  of  any  matter  subject  to  this  indemnification,  and  in   such  case,  we  agree  to  cooperate  with  CIS  in  its  defense  of  such  claim.  We  further  agree  that  all  CIS   Parties  are  third-­‐party  beneficiaries  of  our  undertakings  in  these  Agreed  Terms  of  Use.     Special  rules.     CIS  has  created  and  will  from  time  to  time  create  special  rules  for  its  members  and  for  other        If  any  of  these  Agreed  Terms  of  Use  shall  be  determined  to  be   unlawful.  venue.  or  for  any  reason  unenforceable.   persons  and  organizations  with  which  CIS  has  a  written  contractual  relationship.    CIS  hereby  grants  each  CIS  Security  Consulting  or  Software  Vendor   Member  and  each  CIS  Organizational  User  Member.  void.  then  such  terms  shall  be  deemed  severable  and   shall  not  affect  the  validity  and  enforceability  of  any  remaining  provisions.  that  any  action  at  law  or  in  equity  arising  out  of   or  relating  to  these  Agreed  Terms  of  Use  shall  be  filed  only  in  the  courts  located  in  the  State  of   Maryland.  that  we  hereby  consent  and  submit  to  the  personal  jurisdiction  of  such  courts  for  the   purposes  of  litigating  any  such  action.  but  only  so  long  as  such  Member  remains  in   good  standing  with  CIS  and  complies  with  all  of  the  terms  of  these  Agreed  Terms  of  Use.     We  acknowledge  and  agree  that  these  Agreed  Terms  of  Use  will  be  governed  by  and  construed  in   accordance  with  the  laws  of  the  State  of  Maryland.  jurisdiction.           .  understand  them  and  agree  to   be  bound  by  them  in  all  respects.  Each  such  Member  acknowledges  and  agrees  that  the  foregoing  grant   modified  or  terminated  by  CIS  at  any  time.    We  acknowledge  and   agree  that  we  have  read  these  Agreed  Terms  of  Use  in  their  entirety.  the  right  to   distribute  the  Products  and  Recommendation manual  or  electronic  means.     Choice  of  law.  Those  special   rules  will  override  and  supersede  these  Agreed  Terms  of  Use  with  respect  to  the  users  who  are   covered  by  the  special  rules. ......................  31   ..........................................................................................  1   CONFIGURATION  LEVELS  .............................................................  1   Scorable  ............................................................................................................................................................................................................................. 3................. 8.........................................................  Backup  and  Disaster  Recovery   ....................................................................................................  65   7................................  1   Level-­I  Benchmark  settings/actions  .........................  106   ..........................  111   13...................................................................................................................................................................................................................................................................  152   ................................................  10   .....  151   Appendix  D:  Change  History   .  Installation  and  Patch   ..................................................................................           .........................................................  3   2........................  Encryption  Specific  Settings.........................  145   Appendix  B:  Enterprise  Manager  Grid  Control  for  Patch  and  Policy  Management  ................................ 5...................................................................................................................................  2   1...........................  Oracle  Profile  (User)  Access  Settings   .............  18   4......................................  109   12................................  1   Introduction....................................  Startup  and  Shutdown   ............................................................  Oracle  Parameter  Settings   ....  Oracle  Directory  and  File  Permissions   .........................................  1   Not  Scorable  .......................................................................................................................................................................................................................................................  1   CONSENSUS  GUIDANCE  ......................................................................  70   9..............  General  Policy  and  Procedures  ........................................................  80   10................................................  1   SCORING  LEVELS  ............................................................................  a   Background  .........................................................................................................................  134   Appendix  A:  Additional  Settings  (not  scored)................................................................................................................................................................................  1   Level-­II  Benchmark  settings/actions  ..................................................  Enterprise  Manager  /  Grid  Control  /  Agents   .............................................................................  Specific  Systems  ....................................................................     Table  of  Contents     Terms  of  Use  Agreement  ............................. 11............................................................  Auditing  Policy  and  Procedures  ..........  53   6.....................................................................................................................................................  Oracle  Profile  (User)  Setup  Settings  ..  66   ........................................................................................................................................................................................  151   Appendix  C:  Acknowledgments  ............................................................................................  Operating  System  Specific  Settings   ..................  software  development.  by  Scoring  Tools  that   are  available  from  the  Center  or  by  CIS-­‐certified  Scoring  Tools.  government.  and  the  configuration  verified.   Scorable     This  setting  or  recommendation  is  able  to  be  assessed  by  scoring  tools  or  command line   arguments.         1  |  P a g e     .   Not  Scorable   This  setting  or  recommendation  requires  complex  checking  that  is  not  feasible  with  basic  audit   methods.  Consensus  participants  provide  perspective  from  a  diverse  set  of  backgrounds   including  consulting.   Background   Consensus  Guidance   This  guide  was  created  using  a  consensus  process  comprised  of  volunteer  and  contract  subject   matter  experts.  and  legal.   These  are  of  greatest  value  to  system  administrators  who  have  sufficient  security  knowledge  to   apply  them  with  consideration  to  the  operating  systems  and  applications  running  in  their   particular  environments.     Level-­II  Benchmark  settings/actions     Level-­‐II  security  configurations  vary  depending  on  network  architecture  and  server  function.       The  actions  can  be  automatically  monitored.   Configuration  Levels   Level-­I  Benchmark  settings/actions     System  administrators  with  any  level  of  security  knowledge  and  experience  can  understand  and   perform  the  specified  actions.   operations.  auditing  and  compliance.  security  research.       The  action  is  unlikely  to  cause  an  interruption  of  service  to  the  operating  system  or  the   applications  that  run  on  it.   Scoring  Levels   This  section  defines  the  various  scoring  levels  used  within  this  document. 0.   Introduction   Technology  Network  (otn.    If  any  differences  are  found.  the  scope  of  this  document  is  not  limited  to  only  Oracle  specific   procedures  that  are  applicable  to  general  software  and  hardware  security.  an  Oracle  database  may  be  secured  from   annot  and  should  not  be   limited  to  only  the  application.           2  |  P a g e     .    Linux  settings  should  translate  to  other  varieties  of  Linux.  please  contact  the  CIS  team.6.  various  published  books  and  the  Oracle  11g  Database   Security  Guidelines.oracle.     Applicable  items  were  verified  and  tested  against  an  Oracle  11g  default  install  on  a  Redhat   Enterprise  Sever  5.  Where  the  default  setting  is  less   secure  than  the  recommended  setting  a  caution  has  been  provided  in  the  comment  section  below   the  separator  bar  or  as  a  note  below  a  chapter  heading.     It  is  extremely  important  to  conduct  testing  of  security  configurations  on  non-­production   systems  prior  to  implementing  them  on  production  systems.  but  were   only  tested  against  RHEL5.  scoring  data  has  been  included:     S    To  be  scored.0.  setup.   N    Not  to  be  scored.  and  operation  of  an  Oracle  11g  database  environment.    The  Oracle  version  used  was  11.com).  With  the   use  of  the  settings  and  procedures  in  this  document.    Default  installs  for  both  the  operating   system  and  the  database  may  differ  dependent  on  versions  and  options  installed  so  this  is  to  be   used  as  a  general  guide  only.  configuration.     Under  the  Level  heading.  This  document  provides  the  necessary  settings  and  procedures  for  the  secure   installation.1.     Rationale:   Adding  an  additional  administrative  account  to  the   system  increases  the  attack  surface  of  the  Windows   server.  Operating  System  Specific  Settings     Rationale/Remediation   Item   Configuration  Item    #   1.02   Windows  Oracle  Local   Account   Use  Restricted  Service  Account   (RSA)   Rationale:   This  action  will  reduce  the  attack  surface  of  the  Domain   Controller  and  the  Oracle  server.  Use  the   account  created  to  install  the  product.       Remediation:   Run  the  Oracle  services  using  a  local  administrator   account  created  specifically  for  Oracle.  Deny  log  on   locally  to  this  account.       1.     Remediation:   Create  a  standalone  server  for  the  Oracle  install.     Audit:   Execute  the  following  WMI  Query:       Select  DomainRole  from  \   Win32_ComputerSystem     If  the  above  returns  a  4  or  5  the  system  is  a  Domain   Controller.01   Windows  platform   Action  /  Recommended   Parameters   Do  not  install  Oracle  on  a   domain  controller   W   I   n   d   o   w   s   U   n   I   x     Level   &   Score 1.     Audit:   None       1   S       1   N   3  |  P a g e     .  Creating  a  local  administrator  with  restricted   access  mitigates  this  risk. e.  then     the  server  must  be  a  domain  server  and  the  Oracle   services  must  be  run  using  a  Restricted  Service   Account.     Audit:   None     Rationale:       The  RSA  must  have  limited  access  requirements.         Remediation:   Add  the  account  to  the  local  administrators  group  on   the  server  running  the  Oracle  services.  restricted  domain  user  account.     Audit:   None     1   N   1   S   1   N   4  |  P a g e     .   Item   Configuration  Item    #   1.04   Windows  Oracle   Account     Deny  Log  on  Locally  Right   1.     Audit:   Ensure  the  Oracle  account  is  listed  beneath  Local   Policies\User  Rights  Assignments\Deny  Log   on  Locally  in  the  Windows  Local  Security  Policy     Rationale:       The  RSA  account  should  not  have  access  to  resources     that  all  domain  users  need  to  access..         Remediation:   Do  not  assign  any  rights  to  the  group.05   Windows  Oracle   Domain  Global  Group   Create  a  global  group  for  the   primary  group       Rationale:       If  the  Oracle  services  require  domain  resources.       Remediation:   Deny  the  Log  on  Locally  right  to  the  RSA.  i.03   Windows  Oracle   Domain  Account   Action  /  Recommended   Parameters   Use  Restricted  Service  Account   (RSA)   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x     Level   &   Score 1.   Item   Configuration  Item    #   1.com/en-­ us/library/cc755876.     Remediation:   Remove  the  RSA  from  the  Domain  Users  group.06   Windows  Oracle   Account  Domain  Users   Group  Membership   Action  /  Recommended   Parameters   Remove  the  RSA  from  the   Domain  Users  group   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x     Level   &   Score 1.     Remediation:   Give  the  appropriate  permissions  to  the  RSA  or  global   group  for  the  network  resources  that  are  required.     Audit:   On  the  domain  controller.       Audit:   None           1   S       1   N   5  |  P a g e     .   Granting  the  RSA  domain  level  privileges  negates  the   purpose  of  the  RSA.aspx             Rationale:   The  RSA  must  have  limited  access  requirements.microsoft.     For  more  information  on  the  dsget  command.07   Windows  Oracle   Domain  Network   Resource  Permissions   Verify  and  set  permissions     Rationale:   The  RSA  must  have  limited  access  requirements.  execute  the  following:     dsget  user  <OracleUserDN>  -­memberof     Ensure  Domain  Users  is  not  listed.  see     http://technet. 08   Action  /  Recommended   Parameters   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x     Level   &   Score Windows  Oracle   Limit  to  machine  running  Oracle   Domain  Account  Logon   services     1.   Item   Configuration  Item    #   1.       Remediation:   Configure  the  RSA  to  only  log  on  to  the  computer  that   is  running  the  Oracle  services.       Audit:   None     Rationale:   The  Oracle  program  installation  folder  must  allow  only   limited  access.         Audit:   Execute  the  following  command:     %ProgramFiles%\     and  ensure  BUILTIN\Users  is  not  listed.  Global  access  or  unrestricted  folder   permissions  will  allow  an  attacker  to  alter  Oracle   resources  and  possibly  compromise  the  security  of  the   Oracle  system.     Remediation:   Remove  permissions  for  the  Users  group  from  the   %ProgramFiles%\Oracle  folder.09   Windows  Program   Folder  Permissions     Verify  and  set  permissions     Rationale:   The  RSA  must  have  limited  access  requirements  and   be  limited  to  authenticating  to  the  Oracle  server.         1   S         1   S   6  |  P a g e     .     Audit:   In  regedit.  Unrestricted  access  to  the   Oracle  registry  entries  will  allow  non-­administrative   users  to  alter  settings  and  create  an  insecure   environment.  browse  to  the   HKEY_LOCAL_MACHINE\SOFTWARE\ORACLE  key.     Remediation:   Set  the  HKEY_LOCAL_MACHINE\   SOFTWARE\ORACLE\ALL_HOMES\OSAUTH_PREFIX_D OMAIN  value  to  TRUE     Note:  This  is  the  default  configuration.  select  Permissions.  ensure  the  HKEY_LOCAL_MACHINE\   SOFTWARE\ORACLE\ALL_HOMES\OSAUTH_PREFIX_D OMAIN  value  set  to  TRUE.10   Windows  Oracle   Registry  Key   Permissions   Action  /  Recommended   Parameters   Verify  and  set  permissions     Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x     Level   &   Score 1.     Audit:   In  regedit.               1   S         1   S   7  |  P a g e   .   right  click.  Give  read  permissions   to  those  users  that  require  it.  and  ensure  the   Users  group  is  not  granted  access.     Remediation:   Give  Full  Control  over  the   HKEY_LOCAL_MACHINE\SOFTWARE\ORACLE  key  to   the  account  that  will  run  the  Oracle  services  and   remove  the  local  Users  group.     Rationale:This  configuration  strengthens  the   authentication  process  by  requiring  that  the  domain   name  be  part  of  the  username  for  externally   authenticated  accounts.11   Windows  Oracle     Registry  Key  Setting   Set  OSAUTH_PREFIX_DOMAIN   registry  value  to  TRUE   Rationale:   Access  to  the  Oracle  registry  key  must  be  limited  to   those  users  that  require  it.   Item   Configuration  Item    #   1.    See  Oracle   Metalink  note  124140.12   Windows  registry   Action  /  Recommended   Parameters   Set  USE_SHARED_SOCKET   registry  value  to  TRUE   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x     Level   &   Score 1.       If  random  port  reassignment  is  undesired.    This  is  not   recommended  for  Windows  environments.  Ensure  the  HKEY_LOCAL_MACHINE\   SOFTWARE\ORACLE\HOME<#>\USE_SHARED_SOCKET   registry  key  is  set  to  TRUE.   Item   Configuration  Item    #   1.1  for  details.       Remediation:   On  Unix  systems.13   Oracle  software  owner   host  account   Lock  account     Rationale:   2     Confines  client  connections  to  the  same  port  as  the   S     listener.       Remediation:   Set  the     HKEY_LOCAL_MACHINE\   SOFTWARE\ORACLE\HOME<#>\USE_SHARED_SOCKET   registry  key  to  TRUE.  use  a  very   strong  password  for  the  account.       Note:  This  is  the  default  configuration.    Account  can  be   unlocked  if  system  maintenance  is  required.  lock  the  Oracle  software  owner   account.     Audit:   grep   i  account_name  /etc/password       8  |  P a g e     .       Rationale:       2   Locking  the  user  account  will  deter  attackers  from   S     leveraging  this  account  in  brute  force  authentication   attacks.  This  allows  connection  and  firewall   management  to  be  performed  in  a  more  consistent  and   refined  manner.  such  as  if   there  is  a  need  to  pipe  through  a  firewall.    If  the  account  cannot  be  locked.     Audit:   In  regedit.  ensure  that  the   rd 3  party  applications  are  installed  on  separate   partitions  from  the  Oracle  software  and  associated  data   files.       Remediation:   Check  the  file  permissions  for  all  application  files  for   proper  ownership  and  minimal  file  permissions.     Audit:   None         9  |  P a g e     .    This   rd includes  all  3  party  application  files  on  the  server  that   rd access  the  database.    Any  3  party  applications  must   be  installed  on  a  separate  server  from  the  database.   Item   Configuration  Item    #   1.14   All  associated     application  files   Action  /  Recommended   Parameters   Verify  permissions   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x     Level   &   Score Rationale:       2   Allowing  improper  access  to  binaries  that  directly   N       interface  with  the  Oracle  database  adds  unnecessary   risk  and  increases  the  attack  surface  of  the  database.    If   this  is  not  possible  in  the  environment.  accounts.01   Installation   Action  /  Recommended   Parameters   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   Try  to  ensure  that  no  other  users   Rationale:       1   are  connected  while  installing   The  Oracle  11g  installer  application  could  potentially   N       Oracle  11g.   An  attacker  may  leverage  these  to  compromise  the   integrity  of  the  system  or  database  before  the   installation  is  complete.  If  the  server  must  be   installed  remotely  temporarily  stop  inbound  remote   connections  via  administration  protocols  ex.       If  possible  install  Oracle  while  the  server  is   disconnected  from  the  network.    It  would  be  possible  for  any  local  user  to   delete.       create  files.  overwrite  or  corrupt  these  files  during  the   installation  process.  or  setting  with  public  privileges.    Also  set  the   $TMP  and  $TMPDIR  environment  variables  to  a   protected  directory  with  access  given  only  to  the  Oracle   software  owner  and  the  ORA_INSTALL  group.  SSH.  Installation  and  Patch     Item   Configuration  Item    #   2.  VNC.    Try  to  ensure  that  no  other  users   are  connected  while  installing  Oracle  11g.       Remediation:   The  Oracle  11g  installer  application  could  potentially   create  files  in  a  temporary  directory  with  public   privileges.     2.   Terminal  Service.     Audit:   None     10  |  P a g e     . html   and  latest  patches:   http://metalink.com/technology/software/index.03   Minimal  Install   Ensure  that  only  the  Oracle   components  necessary  to  your   environment  are  selected  for   installation.oracle.   and  that  the  latest  patches  from   Oracle  Metalink  have  been   applied.   Item   Configuration  Item    #   2.     Audit:   None             1   S           1   N   11  |  P a g e     .oracle.  Remove  components  that  may  have   been  installed  during  a  previous  installation  but  are  not   required.       Remediation:   Install  only  components  needed  to  satisfy  operational   requirements.     Rationale:   Using  outdated  or  unpatched  software  will  put  the   Oracle  database  and  host  system  at  unnecessary  risk   and  violates  security  best  practices.       Remediation:     http://www.startup       Audit:   opatch  lsinventory  -­detail     Rationale:   Installing  components  that  are  not  used  increases  the   attack  surface  of  the  database  server.02   Version/Patches   Action  /  Recommended   Parameters   Ensure  the  latest  version  of   Oracle  software  is  being  used.com/metalink/plsql/ml2_gui.   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   2.       Remediation:     Edit   $ORACLE_HOME/network/admin/listener.ora   and  change  the  default  name.  it  must  be  protected  by   proper  permissions.  restrict  access  to  only  those   es   not  have  access.    If  tkprof  must  remain   on  the  production  system.         Remediation:   Set  file  permissions  of  0750  or  less  on  Unix  systems.  Go  to  the  $ORACLE_HOME/bin   directory  and  remove  or  change  the  permissions  of  the   utility.     On  Windows  systems.   Item   Configuration  Item    #   2.;  it  is  a  powerful  tool  for  an  attacker  to  find   issues  in  the  running  database.04   tkprof   Action  /  Recommended   Parameters   Remove  from  system   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   2.ora   Change  default  name  of  listener   Rationale:       1   S   The  tkprof  utility  must  be  removed  from  production       environments.       Audit:   $ORACLE_HOME/bin/tkprof       Rationale:       1   The  listener  must  not  be  called  by  the  default  name  as   S   it  is  commonly  known.  A  distinct  name  must  be   selected.ora     12  |  P a g e     .     Audit:   grep  default   $ORACLE_HOME/network/admin/listener.05   listener.     Remediation:     Edit   $ORACLE_HOME/network/admin/listener.      Do  this  for  all  *.07   otrace   Disable   Rationale:       2   IP  addresses  instead  of  host  names  in  the  listener.ora   S       file  must  be  used.ora   and  replace  DNS  names  with  IP  addresses.    It  is  not  installed   with  a  default  11g  database  installation.  Note  that  this  directory  is  installed  for  the   Enterprise  Manager  Grid  Controller.  Hostnames  are  used  by   default.dat       13  |  P a g e     .     Remediation:     Go  to  the  $ORACLE_HOME/otrace/admin  directory  of   your  instance  and  remove  or  delete  the  .ora       Rationale:       1   otrace  can  leak  sensitive  information  useful  for  an   S       attacker.dat  files  in  this   directory.06   listener.     Audit:   ls  $ORACLE_HOME/otrace/admin/*.  This  prevents  a  compromised  or   spoofed  DNS  server  from  causing  Oracle  outages  or   man  in  the  middle  attacks.ora   Action  /  Recommended   Parameters   Use  IP  addresses  rather  than   hostnames   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   2.   Item   Configuration  Item    #   2.     Audit:   grep  -­i  HOST   $ORACLE_HOME/network/admin/listener.dat  files   related  to  otrace.  These  accounts  should  be  left   locked  and  expired  unless  absolutely  necessary.       Audit:   SELECT  *  FROM  DBA_USERS_WITH_DEFPWD.   Lock  the  user  account   3.ora  file  will   set  an  unencrypted  password  on  the  listener.08   Listener  password   Action  /  Recommended   Parameters   Use  OS  Authentication   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   2..  set  an   encrypted  password  using  the  set  password   command  via  the  lsnrctl  tool.   Change  the  default   password   Rationale:   It  is  more  secure  to  use  OS  authentication  as  setting  a   password  on  the  listener  will  enable  remote   administration  of  the  listener.     Audit:   grep  -­i  PASSWORD  \   $ORACLE_HOME/network/admin/listener.09   Default  Accounts   (created  by  Oracle)   The  following  actions  are   recommended  in  order  of   preference  for  default  accounts:   1.  Check   to  ensure  these  accounts  have  not  been  unlocked.   Item   Configuration  Item    #   2.  If  additional   users  require  remote  access  to  the  listener.  setting  a  password  in  the  listener.ora         Rationale:   The  default  Oracle  installation  locks  and  expires  the   installation  accounts.     Remediation:     OS  Authentication  is  enabled  by  default.       Remediation:     Lock  and  expire  the  system  accounts.     Be  aware.;         1   S         2   S   14  |  P a g e     .   Drop  the  user   2.     $ORACLE_HOME/rdbms/admin/catnsmp.   Item   Configuration  Item    #   2.ora   Change  standard  ports   Rationale:   Removing  the  OEM  will  reduce  the  Oracle  attack   surface.sql  to   remove  all  the  objects  and  delete  the  file   $ORACLE_HOME/bin/dbsnmp.       Note:  Database  statistics  will  be  unavailable  in   Enterprise  Manager  if  this  is  set.ora  file  and  change  the  PORT   setting.sql     rm  $ORACLE_HOME/bin/dbsnmp     Audit:     ls   al  $ORACLE_HOME/bin/dbsnmp     Rationale:   Standard  ports  are  used  in  automated  attacks  and  by   attackers  to  verify  applications  running  on  a  server.     Audit:     grep  1521  \   $ORACLE_HOME/network/admin/listener.10   OEM  objects   Action  /  Recommended   Parameters   Remove  if  OEM  not  used   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   2.     Remediation:     Execute   $ORACLE_HOME/rdbms/admin/catnsnmp.     Remediation:     Alter  the  listener.ora             2   S           2   S   15  |  P a g e     .11   listener.     Note:  This  may  break  applications  that  hard  code  the   default  port  number.ora       grep  1526  \   $ORACLE_HOME/network/admin/listener. ;     ALTER  USER  <USERNAME>  ACCOUNT  LOCK   PASSWORD  EXPIRE.  Ensure  the  SID  is  at  least  7  characters   long  to  prevent  successful  brute  force  attacks.  some  third  party  applications  create   S       well-­known  default  accounts  in  an  Oracle  database.     ALTER  USER  <USERNAME>  IDENTIFIED  BY   <PASSWORD>.;       Audit:     SELECT  *  FROM  DBA_USERS_WITH_DEFPWD.   Item   Configuration  Item    #   2.12   Third  party  default   passwords   Action  /  Recommended   Parameters   Set  all  default  account   passwords  to  non-­default  strong   passwords   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   2.     Remediation:   The  default  passwords  for  these  accounts  must  be   changed  or  the  account  must  be  locked.       Remediation:     Alter  the  listener.ora     16  |  P a g e     .13   Service  or  SID  name   Non-­default   Rationale:       2   When  installed.  It   S   is  commonly  know  and  used  in  many  automated   attacks.ora  file  SID  setting  to  a  value  other   than  the  default.;   SELECT  USERNAME.;     Rationale:       1     Do  not  use  the  default  SID  or  service  name  of  ORCL.  ACCOUNT_STATUS  FROM   DBA_USERS.     Audit:     grep  -­i  ORCL  \   $ORACLE_HOME/network/admin/listener.  and  the   database  must  be  separated.   Item   Configuration  Item    #   2.     Remediation:     For  Unix  systems.  create  unique  user  accounts  for   each  Oracle  process/service  in  order  to  differentiate   accountability  and  file  access  controls.  This  setup  may  cause   unknown  or  unexpected  errors  and  should  be   extensively  tested  before  deployment  into  production.       Audit:     None         2   S       2   N         17  |  P a g e     .   This  is  not  recommended  for  Windows  environments.       Audit:     grep  -­i  oracle  /etc/password       Rationale:   The  user  for  the  intelligent  agent.15   Oracle  Installation   Separate  users  for  different   components  of  Oracle   Rationale:   Do  not  name  the  Oracle  software  owner  account   as  it  is  very  well  known  and  can  be  leveraged   by  an  attacker  in  a  brute  force  attack.14   Oracle  Installation   Action  /  Recommended   Parameters   Oracle  software  owner  account     Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   2.     Remediation:     Change  the  user  used  for  the  oracle  software.  the  listener.     3.  Removal  of  the  System  account  will  cause  Oracle  to  stop  functioning.  but  must  not  be   removed.  In  Windows.  The   Windows  System  account  is  granted  access  to  Oracle  files/directories/registry  keys.     s  more  secure  then  the  recommendations  listed  here.       Remediation:     All  files  in  the  $ORACLE_HOME/bin  directory  must   have  permissions  set  to  0755  or  less.  Oracle  Directory  and  File  Permissions   Note:  The  Oracle  software  owner  in  Windows  is  the  account  used  to  install  the  product.  This  account  is  not  restated  in  the  comments  section  below.     chmod  0755  $ORACLE_HOME/bin/*     Audit:     ls  -­al  $ORACLE_HOME/bin/*     18  |  P a g e     .    Please  be   sure  to  fully  examine  and  test  permissions  before  implementing  them  on  production  systems.  This  account  must  be  a  member  of  the  local  Administrators  group.     W   U   Level   Item   Configuration  Item   Action  /  Recommended   Rationale/Remediation   I   &   n   n    #   Parameters   d   I   Score   o   w   s   x   Status   3.01   Files  in   $ORACLE_HOME/bin   Verify  and  set  ownership   3.02   Files  in   $ORACLE_HOME/bin   Permissions  set  to  0755  or  less     Rationale:       1   S   All  files  in  the  $ORACLE_HOME/bin  must  be  owned  by       the  Oracle  software  account  to  prevent  a  system-­wide   compromise  in  the  event  the  Oracle  account  is   compromised.       Audit:     ls  -­al  $ORACLE_HOME/bin/*     Rationale:       1   Incorrect  permissions  could  allow  an  attacker  to  replace   S     a  binary  with  a  malicious  version.  this  account  must  be  part  of   the  Administrators  group.       Remediation:     Change  the  ownership  of  the  binaries  to  the  appropriate   account.  umask  must  be   set  to  022  before  installing  Oracle.   Item   Configuration  Item    #   Action  /  Recommended   Parameters   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   3.     chmod  750  $ORACLE_HOME/*     Audit:     ls   al  $ORACLE_HOME     Rationale:   Regardless  of  where  the  umask  is  set.03   Files  in   $ORACLE_HOME  (not   including   $ORACLE_HOME/bin)   Permissions  set  to  0750  or  less   on  Unix  systems   3.  Ad  improper  umask   can  lead  to  unrestrictive  permissions  and  open  the   oracle  server  file  system  to  attack.       Remediation:     All  files  in  $ORACLE_HOME  directories  (except  for   $ORACLE_HOME/bin)  must  have  permission  set  to   0750  or  less.04   Oracle  account  .profile   file   Unix  systems  umask  022   Rationale:   Incorrect  permissions  could  allow  an  attacker  to   execute  or  replace  a  command  with  a  malicious   version.         Audit:     umask           1   S         1   S   19  |  P a g e     .       Remediation:     Ensure  the  umask  value  is  022  for  the  owner  of  the   Oracle  software  before  installing  Oracle. ora     chmod  644  init.ora     chmod  640  spfile.ora  configuration  the  security   of  the  oracle  server  can  be  compromised.       Remediation:     chgrp  oracle_grp  init.ora     Rationale:   File  permissions  must  be  restricted  to  the  owner  of  the   Oracle  software  and  the  dba  group.  If  unprivileged   users  can  alter  the  init.ora             1   S           1   S   20  |  P a g e     .     Remediation:     chgrp  oracle_grp  spfile.ora  configuration  the  security  of   the  oracle  server  can  be  compromised.ora       Audit:     ls  -­al  $ORACLE_HOME/dbs/spfile.05   init.ora       Audit:     ls  -­al  $ORACLE_HOME/dbs/init.   Item   Configuration  Item    #   Action  /  Recommended   Parameters   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   3.ora   chown  oracleuser  init.  If  unprivileged   users  can  alter  the  spfile.ora   Verify  and  restrict  permissions   Rationale:   File  permissions  must  be  restricted  to  the  owner  of  the   Oracle  software  and  the  dba  group.ora   Verify  and  restrict  permissions   3.ora   chown  oracleuser  spfile.06   spfile. oraclegroup  ifile     Audit:   grep  ifile  init.       Remediation:     chown  oracleuser  $ORACLE_HOME/dbs/*   chgrp  oraclegroup  $ORACLE_HOME/dbs/*     Audit:   ls  -­al  $ORACLE_HOME/dbs/*     Rationale:   File  permissions  must  be  restricted  to  the  owner  of  the   Oracle  software  and  the  dba  group.   Item   Configuration  Item    #   Action  /  Recommended   Parameters   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   3.  If  unprivileged   users  can  read  or  alter  the  dbs  files  the  security  of  the   oracle  server  can  be  compromised.07   Database  datafiles   Verify  and  restrict  permissions   3.ora     ls  -­al  <result>             1   S           1   S   21  |  P a g e     .  the  file  permissions  of  the   referenced  ifile  must  be  restricted  to  the  Oracle   software  owner  and  the  dba  group.     Remediation:     chmod  750  ifile     chown  oracleuser.08   init.ora   Verify  permissions  of  file   referenced  by  ifile  parameter   Rationale:   File  permissions  must  be  restricted  to  the  owner  of  the   Oracle  software  and  the  dba  group.  If  the  ifile   functionality  is  used. 10   init.         Remediation:     chmod  660  diag_file     chown  oracleuser.09   init.oraclegroup  diag_file     Audit:   grep  -­i  diagonostic_dest  init.     Remediation:     chmod  600  auditfile     chown  oracleuser.ora   ls  -­al  <result>       audit_file_dest  parameter   settings   22  |  P a g e     .   Item   Configuration  Item    #   Action  /  Recommended   Parameters   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   3.ora   Rationale:       1   The  destination  for  the  audit  file  must  be  set  to  a  valid   S       directory  owned  by  oracle  and  set  with  owner  read/write   permissions  only.ora   3.oraclegroup  auditfile     Audit:   grep  -­i  audit_file_dest  init.ora     ls  -­al  <result>     diagonostic_dest  parameter   Rationale:       1   The  destination  for  the  user  dump  must  be  set  to  a  valid     S   settings     directory  with  permissions  restricted  to  the  owner  of  the   Oracle  software  and  the  dba  group.  and  no   log_archive_dest_n  parameters  are  set.12   init.ora   log_archive_dest_n   parameter  settings   Rationale:       1   The  permissions  must  be  restricted  to  only  the  owner  of     S     the  Oracle  software  and  the  dba  group.oraclegroup  \   log_file_dest       Audit:     grep  -­i  log_archive_dest  init.ora     ls  -­al  <result>     23  |  P a g e     .   Item   Configuration  Item    #   Action  /  Recommended   Parameters   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   3.  access  control  lists  must  be  used.  the   deprecated  form  of  log_archive_dest  must  be   used.       Remediation:     chmod  640  control_file     chown  oracleuser.oraclegroup  control_file     Audit:   grep  -­i  control_files  init.    For  complex   configurations  where  different  groups  need  access  to   the  directory.     chmod    750  file_file_dest   chown  oracleuser.  then  ensure  those  directories  are  secure.    Note:     If  Oracle  Enterprise  Edition  is  installed.11   init.ora   control_files  parameter   settings   3.       Remediation:     set  paths.;       Rationale:       1   File  permissions  must  be  restricted  to  the  owner  of  the   S       Oracle  software  and  the  dba  group.ora     ls  -­al  <result>   select  name  from  V$controlfile. ora  and  sqlnet.  access  to  this  file  should  be   limited.         1   Rationale:   S       Permissions  for  all  files  must  be  restricted  to  the  owner   of  the  Oracle  software  and  the  dba  group.     Remediation:   chmod  644  sqlnet.    Note:  If  an   application  that  requires  access  to  the  database  is  also   installed  on  the  database  server.ora  contains  the  configuration  files  for       the  communication  between  the  user  and  the  server   including  the  level  of  required  encryption.ora  files.  the  user  the   application  runs  as  must  have  read  access  to  the   tnsnames.ora       24  |  P a g e     .oraclegroup  sqlnet.oraclegroup  \   $ORACLE_HOME/network/admin/*     Audit:   ls  -­al  $ORACLE_HOME/network/admin/*     Rationale:       1   S   The  sqlnet.ora   Verify  and  set  permissions    with   read  permissions  for  everyone.CRYPTO_SEED  in  the  sqlnet.ora   file.14   sqlnet.     Audit:   ls   al  sqlnet.  the  key  is  stored  in  the   parameter  SQLNET.   Item   Configuration  Item    #   Action  /  Recommended   Parameters   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   3.  In  such  scenarios.13   Files  in   $ORACLE_HOME/   network/admin   directory   Verify  and  set  permissions     3.ora   chown  oracleuser.ora     Note:  If  encryption  is  used.     Remediation:   chmod  644  $ORACLE/network/admin/*   chown  oracleuser.   Item   Configuration  Item    #   Action  /  Recommended   Parameters   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   3.     Remediation:   chmod  640  log_directory_client   chown  oracleuser.ora     25  |  P a g e     .ora   log_directory_server   parameter  settings   Rationale:       1   S   The  log_directory_client  must  be  set  to  a  valid       directory  owned  by  the  Oracle  account  and  permissions   restricted  to  read/write  only  for  the  owner  and  dba   group.16   sqlnet.15   sqlnet.oraclegroup  \   log_directory_client     Audit:   grep  -­i  log_directory_client  sqlnet.ora   log_directory_client   parameter  settings   3.     Remediation:   chmod  640  log_directory_client   chown  oracleuser.ora     Rationale:       1   S   The  log_directory_server  must  be  set  to  a  valid       directory  owned  by  the  Oracle  account  and  set  with   owner  and  group  read/write  permissions  only.oraclegroup  \   log_directory_client     Audit:   grep  -­i  log_directory_client  sqlnet.  with  permissions   set  as:     Remediation:   chmod  640  log_directory_client   chown  oracleuser.ora     26  |  P a g e     .       By  default  this  is  not  set.   Item   Configuration  Item    #   Action  /  Recommended   Parameters   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   3.ora   trace_directory_client   parameter  settings   3.  this  is  usually  set  to     $ORACLE_HOME/network/trace.    Be  aware.  this  is  usually  set   to  $ORACLE_HOME/network/trace.17   sqlnet.ora   trace_directory_server   parameter  settings   Rationale:       1   S   The  trace_directory_client  parameter  settings       must  be  set  to  a  valid  directory  owned  by  the  Oracle   account  and  permissions  restricted  to  read/write  only   for  the  owner  and  read  for  the  dba  group.     Remediation:   chmod  640  trace_directory_server   chown  oracleuser.oraclegroup  \   log_directory_client     Audit:   grep  -­i  trace_directory_client  sqlnet.    Be  aware.ora     Rationale:       1   S   The  trace_directory_server  must  be  set  to  a       valid  directory  owned  by  the  Oracle  account  and   permissions  restricted  to  read/write  only  for  the  owner   and  read  for  the  dba  group.18   sqlnet.oraclegroup   trace_directory_server     Audit:   grep  -­i  trace_directory_server  sqlnet..  By  default   this  is  not  set. 20   listener.oraclegroup  \   $ORACLE_HOME/network/log/listener.log     chown  oracleuser.  this   is  usually  set  to   $ORACLE_HOME/network/log/listener.ora   log_file_listener   parameter  settings   Rationale:       1   File  permissions  must  be  restricted  to  the  owner  of  the   S       Oracle  software  and  the  dba  group.         Remediation:   chmod  660  \   $ORACLE_HOME/network/admin/listener.     Remediation:   chmod  640  \   $ORACLE_HOME/network/log/listener.ora  file  are  created  these  backup  files  must   be  removed  or  they  must  have  their  permissions   restricted  to  the  owner  of  the  Oracle  software  and  the   dba  group.oraclegroup  \   $ORACLE_HOME/network/admin/listener.log     Audit:   grep  -­i  log_file_listener  \   $ORACLE_HOME/network/admin/listener.ora     Audit:   ls  -­al  \   $ORACLE_HOME/network/admin/listener.  Be  aware.ora     Rationale:       1   S   The  log_file_listener  file  must  be  set  to  a  valid       directory  owned  by  the  Oracle  account  and  permissions   restricted  to  read/write  only  for  the  owner  and  read  for   the  dba  group.ora   Verify  and  set  permissions     3.log.  By  default  this  is  not  set.ora         27  |  P a g e     .19   listener.ora       chown  oracleuser.   Item   Configuration  Item    #   Action  /  Recommended   Parameters   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   3.    If  backup  copies  of   the  listener. 21   listener.oraclegroup  trace_dir     Audit:   grep  -­i  trace-­directory  \   $ORACLE_HOME/network/admin/listener.oraclegroup  \   $ORACLE_HOME/network/trace   chmod  660  $ORACLE_HOME/network/trace     Audit:   grep  -­i  trace_file  \   $ORACLE_HOME/network/admin/listener.    Be  aware.ora     ls   al  <result>   trace_directory_listener _name  parameter  settings           1   S           1   S   28  |  P a g e     .   this  is  usually  set  to   $ORACLE_HOME/network/trace.  By  default  this  is  not  set.   Item   Configuration  Item    #   Action  /  Recommended   Parameters   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   3.ora   Rationale:   The  trace_directory_listener_name  must  be   set  to  a  valid  directory  owned  by  the  Oracle  account   and  permissions  restricted  to  read/write  only  for  the   owner  and  dba  group.       Remediation:   chmod  660  trace_dir   chown  oracleuser.ora   3.     Remediation:   chown  oracleuser.22   listener.ora       trace_file_listener_name   Rationale:   parameter  settings   This  file  must  be  owned  by  the  Oracle  account  and   permissions  restricted  to  read/write  only  for  the  owner   and  dba  group.       Remediation:   chown  oracleuser.htaccess     Audit:   ls   al  .oraclegroup  sqlplus   chmod  750  sqlplus     Audit:   which  -­a  sqlplus   ls  -­al  <result(s)>     Rationale:   File  permissions  must  be  restricted  to  the  owner  of  the   Oracle  software  and  the  dba  group.htaccess  prior  to  implementing  this   recommendation.htaccess   Verify  and  set  permissions     Rationale:   The  permissions  of  the  binaries  for  sqlplus  on  the   server  must  be  restricted  to  the  owner  of  the  Oracle   software  and  the  dba  group.  Additionally.oraclegroup  .23   sqlplus   Verify  and  set  permissions     3.     Remediation:   chown  oracleuser.   Item   Configuration  Item    #   Action  /  Recommended   Parameters   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   3.  ensure  all   configuration  changes  have  been  made  within   .24   .htaccess         Note:  Only  applicable  for  environments  using  the   Oracle  HTTP  Server.             1   S           1   S   29  |  P a g e     .htaccess   chmod  644  .   Item   Configuration  Item    #   Action  /  Recommended   Parameters   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   3.25   dads.conf   Verify  and  set  permissions     3.26   xsqlconfig.xml   Verify  and  set  permissions     Rationale:   File  permissions  must  be  restricted  to  the  owner  of  the   Oracle  software  and  the  dba  group.     Remediation:   chown  oracleuser.oraclegroup  dads.conf   chmod  644  dads.conf         Audit:   ls   al  dads.conf     Note:  Only  applicable  for  environments  using  the   Oracle  HTTP  Server.  Additionally,  ensure  all   configuration  changes  have  been  made  within   dads.conf  prior  to  implementing  this   recommendation.     Rationale:   File  permissions  must  be  restricted  to  the  owner  of  the   Oracle  software  and  the  dba  group.     Remediation:   chown  oracleuser.oraclegroup  \   xsqlconfig.xml   chmod  640  xsqlconfig.xml     Audit:   ls  -­al  \   $ORACLE_HOME/xdk/admin/XSQLConfig.xml             1   S           1   S       30  |  P a g e         4.  Oracle  Parameter  Settings       Item   Configuration  Item    #   4.01   init.ora   Action  /  Recommended   Parameters   _trace_files_public=   FALSE   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   4.02   init.ora   global_names=  TRUE   Rationale:       1   Prevents  users  from  having  the  ability  to  read  trace  files     S     which  may  contain  sensitive  information  about  the   running  Oracle  instance.  This  is  an  internal  Oracle   parameter.    Do  NOT  use  it  unless  instructed  to  do  so  by   Oracle  Support.     Remediation:   Set  _trace_files_public=  FALSE     Note:  Default  is  FALSE.     Audit:   grep   i  _trace_files_public  init.ora     Rationale:       1   This  parameter  ensures  that  Oracle  will  check  that  the   S       name  of  a  database  link  is  the  same  as  that  of  the   remote  database.  Default  is  TRUE.     Remediation:   Set  global_names=  TRUE  in  init.ora       Audit:   grep  -­i  global_names  init.ora     31  |  P a g e       Item   Configuration  Item    #   4.03   Init.ora   Action  /  Recommended   Parameters   remote_os_authent=FALSE   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   4.04   init.ora   remote_os_roles=  FALSE   4.05   init.ora   string)    (A  null   Rationale:   This  setting  has  been  deprecated,  however  is   maintained  for  backwards  compatibility.  If  this  setting  is   used  it  is  recommended  to  be  set  to  FALSE.   remote_os_authent  will  allow  a  user  that  is   authenticated  to  the  network  domain  to  access  the   database  without  DB  credentials.       Remediation:   Set  remote_os_authent=FALSE.     Audit:   grep  -­i  remote_os_authent  init.ora     Rationale:   Connection  spoofing  must  be  prevented.  Default  is   FALSE.     Remediation:   Set  remote_os_roles=  FALSE.     Audit:       grep  -­i  remote_os_roles  init.ora       Rationale:   Prevent  the  use  of  a  listener  on  a  remote  machine   separate  from  the  database  instance.     Remediation:   Set       Audit:       grep  -­i  remote_listener  init.ora             1   S         1   S           1   S   32  |  P a g e       Item   Configuration  Item    #   4.     Remediation:   Alter  the  init.   S       Recommend  setting  audit_trail  to  OS  as  it  reduces   the  likelihood  of  a  Denial  of  Service  attack  and  it  is   easier  to  secure  the  audit  trail.  or  XML.     Even  with  the  audit_trail  value  set  to  FALSE.       S       The  duties  and  responsibilities  of  DBAs  and  system   administrators  must  be  separated.  Any  auditing   information  stored  in  the  database  is  viewable  and   modifiable  by  the  DBA  if  set  to  DB  or  DB_EXTENDED.06   init.   XML.  DB.ora  file  and  set  audit_trail=OS     Audit:       grep  -­i  audit_trail  init.  DB_EXTENDED.07   init.  It  must  be  set  to  limit   the  external  use  of  an  account  to  an  IDENTIFIED   EXTERNALLY  specified  user.ora   null  string)    (A   Rationale:       1   Ensures  that  basic  audit  features  are  used."  The  default   is  DB.     Remediation:   Set       Audit:       grep  -­i  os_authent_prefix  init.  OS  is  required  if  the   auditor  is  distinct  from  the  DBA.  EXTENDED   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   4.  an   audit  session  will  report.ora   Action  /  Recommended   Parameters   audit_trail  parameter  set  to   OS.  "Audit  succeeded.ora     Rationale:       1   OS  roles  are  subject  to  control  outside  the  database.ora       33  |  P a g e     . ora   Action  /  Recommended   Parameters   os_roles=FALSE   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   4.ora     Rationale:       1   S   Do  not  use  the  utl_file_dir  parameter  directories       created  with  utl_file_dir  as  they  can  be  read  and   written  to  by  all  users.2  migration  is  recommended.  This  can  lead  to  misaligned   or  inherited  permissions.         Remediation:   Set  os_roles=FALSE     Audit:       grep  -­i  os_roles  init.     Remediation:   Use  CREATE  DIRECTORY     Audit:       grep  -­i  utl_file_dir  init.  This  function  has  been  deprecated  since   version  9.ora   Avoid  using  utl_file_dir   parameters   Rationale:       1   S   os_roles  allows  externally  created  groups  to  be  used       to  manage  database  roles.  Specify  directories  using  CREATE   DIRECTORY  which  requires  granting  of  privileges  to   each  user.09   init.ora     34  |  P a g e     .   Item   Configuration  Item    #   4.08   init.  directory.10   init.       Audit:       grep  -­i  log_archive_duplex_dest  init.     Remediation:   Set  LOG_ARCHIVE_DUPLEX_DEST  to  a  valid.  Use   LOG_ARCHIVE_MIN_SUCCEED _DEST logging  of  the  redo  files.    For  complex  configurations  where   different  groups  need  access  to  the  directory.   Rationale:       1   Redundancy  for  the  redo  logs  can  prevent  catastrophic     S     loss  in  the  event  of  a  single  physical  drive  failure.     Remediation:   Set  LOG_ARCHIVE_MIN_SUCCEED_DEST  to  1  or   greater.  access   control  lists  must  be  used.ora   Action  /  Recommended   Parameters   Establish  redundant  physically   separate  locations  for  redo  log   files.   Item   Configuration  Item    #   4.  Use   LOG_ARCHIVE_DUPLEX_DEST to  establish  a  redundant  location   for  the  redo  logs.ora     35  |  P a g e     .   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   4.11       init.ora   Specify  redo  logging  must  be   successful.  properly   secured.ora     Rationale:       1   Specifying  that  the  logging  must  succeed  in  one  or   S       more  locations  ensures  redundancy  of  the  redo  logs.    If  this   parameter  is  used.       Audit:       grep  -­i  LOG_ARCHIVE_MIN_SUCCEED_DEST  \   init.  it  must  be  set  to  a  valid  directory   owned  by  oracle  set  with  owner  and  group  read/write   permissions  only. ora     36  |  P a g e     .   This  setting  will  cause  the  listener  to  refuse  set   commands  that  alter  its  parameters  without  a  restart  of   the  listener.  Not  set  and  turned  off  by  default.     Remediation:   Set  admin_restrictions_listener_name  =  on       Audit:       grep  -­i  admin_restrictions  listener.13   listener.ora     Rationale:       2   S   Replace  listener_name  with  the  actual  name  of       your  listener(s)  for  this  parameter  setting.ora   admin_restrictions_liste ner_name=on   Rationale:       2   S   Enforce  the  requirement  that  a  user  must  have  SELECT       privilege  on  a  table  in  order  to  be  able  to  execute   UPDATE  and  DELETE  statements  using  WHERE   clauses  on  a  given  table.   Item   Configuration  Item    #   4.       Remediation:   Set  sql92_security=  TRUE     Audit:       grep  -­i  sql92_security  init.ora.12   init.       WARNING:  This  will  likely  result  in  many  applications   failing  and  should  not  be  enabled  in  production  without   thorough  testing.  This  requires   the  administrator  to  have  write  privileges  to  listener.ora   Action  /  Recommended   Parameters   sql92_security=  TRUE   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   4. 15   Database  object   definition  NOLOGGING   clause   Rationale:   Logging  of  all  listener  actions  will  create  an  audit  trail  in   the  event  that  a  listener  is  attacked  or  needs  to  be   debugged.  improper  use  of  NOLOGGING  may  introduce   data  continuity  exposures  in  the  absence  of  a  full   backup.   Server  to  forego  writing  essential  recovery  information   to  the  redo  log  when  performing  certain  actions.  CREATE   INDEX.  but  is  enabled  by   default.  and  ALTER  TABLE.  such  as  tables  and  indexes.     Remediation:   Set  logging_listener=ON     Audit:       grep  -­i  logging_listener  listener.   are  not  operating  in  NOLOGGING  mode.   Item   Configuration  Item    #   4.   including  but  not  limited  to  ALTER  INDEX.ora   Action  /  Recommended   Parameters   logging_listener=ON   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   4.     Remediation:   Ensure  database  objects.   Given  this.14   listener.ora     Do  not  leave  database  objects  in   Rationale:   NOLOGGING  mode  in  production   The  NOLOGGING  keyword  instructs  Oracle  Database   environments.  This  setting  is  not  set.  CREATE  TABLE.     Audit:       None             1   S           1   N   37  |  P a g e     .    In  Apps  11.  the  following  roles  can  be   assigned.  If  access  to   these  objects  is  required.     Note:  In  Oracle  Applications  11.16   init.1  for   more  information.  accounts  with  "ANY"  privileges  could  get   access  to  objects  in  the  SYS  schema.10  and  higher.ora             2   S   38  |  P a g e     .     Remediation:   Set  o7_dictionary_accessibility=  FALSE     Audit:       grep   i  o7_dictionary_accessibility  \   init.5.  SELECT_CATALOG_ROLE.  DELETE_CATALOG_ROLE.   Item   Configuration  Item    #   4.    See  Oracle  Metalink  Note  ID  216205.   EXECUTE_CATALOG_ROLE.  Set  this  to   FALSE  to  prevent  users  with  EXECUTE  ANY   PROCEDURE  and  SELECT  ANY  DICTIONARY  from   accessing  objects  in  the  SYS  schema.9  and  lower.   O7_DICTIONARY_ACCESSIBILITY  should  be  set  to   FALSE.  Default  setting  is   FALSE.    This  is  required  for  proper  functioning  of  the   application  and  Oracle  does  not  support  setting  it  to   FALSE.   O7_DICTIONARY_ACCESSIBILITY  must  be  set  to   TRUE.ora   Action  /  Recommended   Parameters   o7_dictionary_accessibil ity=  FALSE   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   Rationale:   This  is  a  database  initialization  parameter  that  controls   access  to  objects  in  the  SYS  schema.   If  set  to  TRUE.5.   Item   Configuration  Item    #   4.ora             2   S           2   S   39  |  P a g e     .ora  or   spfile<sid>.     Remediation:   Remove  the  following  from  spfile:     dispatchers=  (PROTOCOL=  TCP)(SERVICE=   <oracle_sid>XDB)     Audit:       grep  -­i  XDB  spfile<sid>.ora   Action  /  Recommended   Parameters   Remove  the  following  from  the   spfile:   dispatchers=  (PROTOCOL=   TCP)    (SERVICE=   <oracle_sid>XDB)   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   4.     Audit:       grep  -­i  AUDIT_SYS_OPERATIONS  init.ora   AUDIT_SYS_OPERATIONS   =TRUE     Rationale:   This  will  disable  default  ports  ftp:  2100  and  http:  8080.     Windows:  Default  is  Event  Viewer  log  file   Unix:  Default  is  $ORACLE_HOME/rdbms/audit     By  default  this  is  set  in  spfile.   Removing  the  XDB  ports  will  reduce  the  attack  surface   of  the  Oracle  server.ora     Rationale:   Auditing  of  the  users  authenticated  as  the  SYSDBA  or   the  SYSOPER  provides  an  oversight  of  the  most   privileged  of  users.  Set   AUDIT_FILE_DEST  to  your  designated  logging   directory.18   Init.    Ensure  this  by   setting  the  AUDIT_SYS_OPERATIONS  to  TRUE.  It  is  recommended  to  disable   these  ports  if  production  usage  is  not  required.  It  is  important  that  the  database   user  should  not  have  access  to  the  system  directories   where  the  audits  will  be  recorded.17   spfile<sid>.  The  default   value  is  FALSE  within  spfile.     Remediation:   Set  AUDIT_SYS_OPERATIONS=TRUE. ora.validnode_checking  sqlnet.ora   Action  /  Recommended   Parameters   inbound_connect_   timeout_listener=2   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   4.validnode_checking=YES   in  $ORACLE_HOME/network/admin/sqlnet.19   listener.ora   tcp.validnode_checking=   YES   Rationale:       2   Allowing  inbound  connections  to  hold  open  half   S       connections  consumes  database  resources  and  can   lead  to  denial  of  service.20   sqlnet.     Remediation:   Set  inbound_connect_timeout_listener=2     Audit:       grep  -­i  inbound_connect_timeout  \   listener.   Item   Configuration  Item    #   4.  Set  the  initial  value  low  and   adjust  upward  if  normal  clients  are  unable  to  connect   within  the  time  allocated.ora     40  |  P a g e     .     Note:  The  default  value  is  No     Audit:       grep  -­i  tcp.       Remediation:   Set  tcp.ora     Rationale:       2   This  parameter  enables  the  listener  to  check  incoming   S     connections  for  matches  in  the  invited  and  excluded   nodes  list. invited_nodes  to   valid  values   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   4.  The  excluded_nodes  value  is  ignored  if   this  is  set  and  a  default  deny  policy  is  created  only   allowing  the  listed  trusted  nodes  to  connect  to  the   listener.invited_nodes  to  valid  values   tcp.1.ora               2   S           2   S   41  |  P a g e     .excluded_nodes  to   valid  values   Rationale:   This  creates  a  list  of  trusted  nodes  that  can  connect  to   the  listener.1.1.1.ora  file.excluded_nodes  values  are  ignored  and  only   hosts  specified  in  the  invited_nodes  will  be  allowed   to  connect  to  the  listener.excluded_nodes  sqlnet.invited_nodes  sqlnet.21   sqlnet.  10.invited_nodes  is  set.   Item   Configuration  Item    #   4.       Set  tcp.ora   Set  tcp.ora       Note:  This  is  not  set  by  default.ora  file.invited_nodes  =(10.1.         Note:  If  the  tcp.22   sqlnet.     Rationale:   Excluded  nodes  will  prevent  malicious  or  untrusted   hosts  from  connecting  to  the  listener.excluded_nodes  to  valid  values     Audit:       grep  -­i  tcp.ora   Action  /  Recommended   Parameters   Set  tcp.       Remediation:   Use  IP  addresses  of  authorized  hosts  to  set  this   parameter  in  the  sqlnet.2)     Audit:       grep  -­i  tcp.       Remediation:   Use  IP  addresses  of  unauthorized  hosts  to  set  this   parameter  in  the  sqlnet.       Set  tcp.  the   tcp.  Allowing  a  connection  to  idle  indefinitely  will   consume  system  resources  leading  to  a  denial  of   service.     Remediation:   Set  sqlnet.  the  default  is  never     S     to  expire. Suggestion  is  to  set  to  a  low   initial  value  and  adjust  upward  if  normal  clients  are   unable  to  connect  within  the  time  allocated.inbound_connect_timeout=3     Audit:       grep  -­i  inbound_connect_timeout  \   sqlnet.inbound_   connect_timeout=3   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   4.ora  file.  It  is  recommended  to  set  this  to  a  low  value   initially.     Remediation:    Set  sqlnet.ora   sqlnet.ora     Rationale:       2   If  this  is  not  set  in  the  sqlnet.24   sqlnet.  then  increase  if  clients  experience  timeout   issues.23   sqlnet.expire_time=  10   Rationale:       2   Allowing  inbound  connections  to  hold  open  half   S       connections  consumes  database  resource  and  can   lead  to  denial  of  service.expire_time=  10     Audit:       grep  -­i  expire_time  sqlnet.ora     42  |  P a g e     .   Item   Configuration  Item    #   4.ora   Action  /  Recommended   Parameters   sqlnet. ;             2   S   43  |  P a g e     .25   Accounts   Action  /  Recommended   Parameters   Lock  account  access  for   application  schema  owners   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   Rationale:   Lock  the  account  for  the  application  schema  owner.     Users  must  not  connect  to  the  database  as  the   application  owner.     Remediation:   ALTER  USER  <USERNAME>  ACCOUNT  LOCK   PASSWORD  EXPIRE     Audit:       SELECT  USERNAME.  ACCOUNT_STATUS  FROM   DBA_USERS.   Item   Configuration  Item    #   4.  the   remote_login_passwordfile  set  to  exclusive.     For  Unix:  Set  remote_login_passwordfile  setting   to  none.26   init.  Implement  SSH  or  other  secure  shell  method   to  remotely  administer  the  Oracle  server.ora   Action  /  Recommended   Parameters   remote_login_passwordfil e=none   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   Rationale:   Prevents  remote  privileged  connections  to  the   database.     Remote  Administration  of  Oracle  via  Administrative   Listener:   Admin  Listener  =  Required   remote_login_passwordfile  setting  =   exclusive     Require  logging  be  enabled  for  the  Admin  and  Client   Listeners  if  remote  access  is  provided.  This  suggests  that  remote  administration   should  be  performed  by  remotely  logging  into  the   database  server  via  a  secured  connection.     Implement  remote  management  to  a  Windows  based   host    viaTerminal  Server  and  IPSec.       Remediation:   For  Windows:  Set  remote_login_passwordfile   setting  to  none.  Alternately.   Item   Configuration  Item    #   4.     Audit:     grep   i  remote_login_passwordfile  \   init.  and   logging  of  the  administrative  listener  implemented.ora           2   S   44  |  P a g e     .   an  administrative  listener  could  be  created. ora     Rationale:       2   N   Allowing  overly  broad  PATH  and  CLASSPATH  variables       could  allow  an  attacker  to  leverage  pathing  issues  and   load  malicious  binaries  or  classes.27   sqlnet.ora   .9.8.ALLOWED_LOGON_VER SION=11   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   4.ora         45  |  P a g e     .     Remediation:   SQLNET.ora   REMOTE_ADMIN=NO   Rationale:       2   Set  the  login  version  to  the  11.29   cman.       Remediation:   Set  REMOTE_ADMIN  =  NO.   Item   Configuration  Item    #   4.28   listener.       Note:  The  ENVS  SID_DESC  parameter  is  not  supported   on  Windows  however  the  environment  variables  can  be   defined  for  the  listener.       Remediation:   Remove  broad  path  or  classpath  variables  and  ensure   only  absolute  paths  are  used.     Audit:       grep   i  ENVS  listener.     4.   S     Default  is  NO.    The   default  setting  is  10.     Rationale:       2   Ensure  remote  administration  is  not  left  enabled.  The  higher  setting   S     prevents  logins  by  older  version  clients  that  do  not  use   strong  authentication  to  pass  the  login  credentials.ora   Action  /  Recommended   Parameters   SQLNET.ALLOWED_LOGON_VERSION=11     Audit:       grep  -­i  ALLOWED_LOGIN_VERSION  sqlnet.       Audit:       grep   i  REMOTE_ADMIN  cman.ora   Use  absolute  paths  in  ENVS   parameters. ora   SEC_RETURN_SERVER_RELEAS E_BANNER  =  false   Rationale:   Remove  entries  for  external  procedures  from   listener.ora  file.   tnsnames.  If  not  required  disable  their   usage.  This  creates  a   dangerous  condition.  External   procedures  can  call  shared  libraries  on  the  host  system   from  the  $ORACLE_HOME/lib  or   $ORACLE_HOME/bin  directories.ora           2   N         2   S   46  |  P a g e     .31   init.       Remediation:   Remove  external  shared  libraries  from   $ORACLE_HOME/lib     Audit:       None       Rationale:   Ensure  the  oracle  database  is  not  returning  complete   database  information  to  clients.       Remediation:   SEC_RETURN_SERVER_RELEASE_BANNER  =  false     Audit:       grep  -­i  \   SEC_RETURN_SERVER_RELEASE_BANNER  init.ora   Action  /  Recommended   Parameters   Disable  external  procedures   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   4.30   listener.  Knowing  the  exact   patch  set  can  aid  an  attacker.   Item   Configuration  Item    #   4.ora.ora  or  tnsnames.       Remediation:   SEC_CASE_SENSITIVE_LOGON=TRUE       Audit:       grep  -­i  SEC_CASE_SENSITIVE_LOGO  init.ora   Action  /  Recommended   Parameters   DB_SECUREFILE=ALWAYS   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   4.   This  increases  the  complexity  of  passwords  and  helps   defend  against  brute  force  password  attacks.   Item   Configuration  Item    #   4.32   init.33   init.ora           2   N         1   S   47  |  P a g e     .     Remediation:   DB_SECUREFILE=ALWAYS       Audit:       grep  -­i  DB_SECUREFILE  init.ora   SEC_CASE_SENSITIVE_LOGON =TRUE   Rationale:   Ensure  that  all  LOB  files  created  by  Oracle  are  created   as  SecureFiles.ora     Rationale:   Set  Oracle  database  password  to  be  case  sensitive.     Remediation:   SEC_MAX_FAILED_LOGIN_ATTEMPTS=3     Audit:       grep  -­i  SEC_MAX_FAILED_LOGIN_ATTEMPTS  \   init.   Item   Configuration  Item    #   4.ora           1   S   4.  This   will  reduce  the  effectiveness  of  a  password  brute  force   attack.  This  help   mitigate  malicious  connections  or  DOS  conditions.34   init.ora   Action  /  Recommended   Parameters   SEC_MAX_FAILED_LOGIN_ATT EMPTS=3   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   Rationale:   Set  the  maximum  number  of  failed  login  attempts  to  be   3  or  in  sync  with  established  password  policies.       Remediation:   SEC_PROTOCOL_ERROR_FURTHER_ACTION=DELAY   <seconds>or  DROP<seconds>     Audit:       grep   i  \   SEC_PROTOCOL_ERROR_FURTHER_ACTION  \   init.ora   SEC_PROTOCOL_ERROR_FURTH ER_ACTION=DELAY   <seconds>or   DROP<seconds>         1   S   48  |  P a g e     .35     init.ora     Rationale:   When  bad  packets  are  received  from  a  client  the  server   will  wait  the  specified  number  of  seconds  before   allowing  a  connection  from  the  same  client.  such  as  those  used  by  middle-­tier   connectivity  restrictions  to  the  Oracle  instance  backing   the  application  and  the  determinism  of  usernames  used   by  such  applications.     Note:  Setting  SEC_MAX_FAILED_LOGIN_ATTEMPTS   to  a  value  other  than  UNLIMITED  may  increase  an   accounts.   Item   Configuration  Item    #   4.37   sqlnet.       Remediation:   SEC_USER_AUDIT_ACTION_BANNER=/path/to/war ning.tx t   Rationale:   Specify  the  action  a  database  should  take  when  a  bad   packet  is  received.ora           1   S         1   N   49  |  P a g e     .txt       Audit:       grep   i  \   SEC_USER_AUDIT_ACTION_BANNER  sqlnet.  TRACE  generates  a  detailed  trace   file  and  should  only  be  used  when  debugging.ora   Action  /  Recommended   Parameters   SEC_PROTOCOL_ERROR_TRACE _ACTION=LOG  or  ALERT   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   4.   Use  currently  established  procedures  for  checking   console  or  log  file  data  to  monitor  these  events.  Set  the  complete  path  to  the  file  that  contains   the  warning.36   init.     ALERT  or  LOG  should  be  used  to  capture  the  event.     Remediation:   SEC_PROTOCOL_ERROR_TRACE_ACTION=   {LOG|ALERT}     Audit:       grep   i  \     SEC_PROTOCOL_ERROR_TRACE_ACTION  init.ora   SEC_USER_AUDIT_ACTION_BA NNER=/path/to/warning.ora     Rationale:   A  banner  should  be  set  to  warn  a  user  about  the   possible  audit  actions  that  are  taken  when  using  the   system.   Item   Configuration  Item    #   4.38   sqlnet.ora   Action  /  Recommended   Parameters   SEC_USER_UNAUTHORIZED_AC CESS_BANNER=/path/to/war ning.txt   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   4.39     listener.ora   SECURE_CONTROL_listener_ name=(TCPS,IPC)   Rationale:   A  banner  should  be  set  to  warn  a  user  about   unauthorized  access  to  the  database  that  is  in  line  with   current  policy  or  language.  Set  the  complete  path  to  the   file  that  contains  the  warning.  OCI  and  other  custom   applications  must  make  use  of  this  parameter  before  it   is  displayed  to  the  user.     Remediation:   SEC_USER_UNAUTHORIZED_ACCESS_BANNER=/path /to/warning.txt       Audit:       grep  -­i  \   SEC_USER_UNAUTHORIZED_ACCESS_BANNER  \   sqlnet.ora       Rationale:   If  remote  administration  of  the  listener  is  required   configure  the  listener  for  secure  control.    If  no  values   are  entered  for  this  parameter,  the  listener  will  accept   registration  request  from  any  transport.  If  only  IPC  or   TCPS  is  required  then  set  the  value  to  TCPS  or  IPC.     Remediation:   SECURE_CONTROL_listener_name=(TCPS,IPC)     Audit:       grep  -­i  SECURE_CONTROL  listener.ora           1   N         2   S   50  |  P a g e       Item   Configuration  Item    #   4.40   listener.ora   Action  /  Recommended   Parameters   SECURE_PROTOCOL_listener _name=(TCP,IPC)   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   4.41   listener.ora   SECURE_REGISTER_listener _name=(TCP,IPC)   4.42   listener.ora   DYNAMIC_REGISTRATION_lis tener_name=OFF   Rationale:   Ensure  that  any  administration  requests  are  accepted   only  over  secure  transport.  If  only  IPC  or  TCP  is   required  then  set  the  value  to  TCPS  or  IPC.     Remediation:   SECURE_PROTOCOL_listener_name=(TCPS,IPC)     Audit:       grep  -­i  SECURE_PROTOCOL  listener.ora     Rationale:   Ensure  that  any  registration  requests  are  accepted  over   secure  transport.  If  only  IPC  or  TCP  is  required  then  set   the  value  to  TCPS  or  IPC.     Remediation:   SECURE_REGISTER_listener_name=(TCPS,IPC)     Audit:       grep  -­i  SECURE_REGISTER  listener.ora     Rationale:   If  DYNAMIC_REGISTRATION  is  turned  on  all   registration  connections  are  accepted  by  the  listener.  It   is  recommended  that  only  static  registrations  be  used   by  the  listener.       Turning  off  dynamic  registration  may  not  be  possible  in   larger  or  more  dynamic  environments.  Ensure  proper   testing  is  done  before  turning  off  dynamic  registration  in   production.       Remediation:   DYNAMIC_REGISTRATION_listener_name=OFF       Audit:       grep   i  DYNAMIC_REGISTRATION  listener.ora               1   S         2   S         2   S   51  |  P a g e     Item   Configuration  Item    #   4.43   listener.ora   Action  /  Recommended   Parameters   EXTPROC_DLLS=ONLY   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   Rationale:   Where  use  of  external  procedures  is  required,  specify   the  EXTPROC_DLLS=ONLY  in  the  parameter  to  limit   calls  to  the  specific  DLLS.  This  prevents  external  DLLs   and  libraries  from  being  loaded  by  the  Oracle  database.   An  attacker  that  can  load  an  external  library  into  the   Oracle  running  instance  can  take  control  or   compromise  system  security.  If  external  DLLs  must  be   used  specify  the  ONLY  parameter  and  an  absolute   path  for  each  required  DLL.         Remediation:   EXTPROC_DLLS=ONLY       Audit:       grep   i  EXTPROCS_DLLS  listener.ora           1   S       52  |  P a g e      e.  Therefore.     Remediation:   SQLNET.  it  must  be  configured  even  if  it  is  not  used.01   OAS  -­  General   Review  requirement  for  integrity   Rationale:   and  confidentiality  requirements.ENCRYPTION_SERVER Rationale:   =REQUIRED   This  ensures  that  regardless  of  the  settings  on  the   user.     Audit:       None     SQLNET..02   OAS    Encryption   Type               2   S   53  |  P a g e     .ENCRYPTION_SERVER=REQUIRED       Audit:       grep   i  ENCRYPTION_SERVER  sqlnet.g.  IPSec  or  other   means  for  providing  integrity/confidentiality  services.     5.ora     W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status       2   N   5.  Encryption  Specific  Settings     Note:  OAS  is  installed  by  default  even  if  it  is  not  licensed.   Only  implement  OAS  if  a  local  integrity/encryption   policy  does  not  already  exist.     Remediation:   Review  requirement  for  integrity  and  confidentiality   requirements.  Default  is  accepted.  if  communication  takes  place  it  must  be   encrypted.     Item   Configuration  Item   Action  /  Recommended   Rationale/Remediation    #   Parameters   5. 04   OAS    FIPS   Compliance     SSLFIPS_140  =TRUE   Rationale:   Communication  is  only  possible  on  the  basis  of  an   agreement  between  the  client  and  the  server  regarding   the  connection  encryption.     NOTE:  This  value  is  not  settable  using  the  Oracle  Net   Manager.ora             2   S           2   S   54  |  P a g e     .  the  FIPS  value  must  be   set  to  TRUE.  set  the  value  to  REQUIRED.03   OAS    Encryption   Type       Action  /  Recommended   Parameters   SQLNET.ora  file.  To  ensure  encrypted   communication.ENCRYPTION_CLIENT =(ACCEPTED|REQUESTED|REQ UIRED)   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   5.   With  the  server  set  to  REQUIRED  the  client  must  match   the  encryption  for  valid  communication  to  take  place.     Remediation:   SQLNET.     Note:  Failure  to  specify  one  of  the  values  will  result  in   an  error  when  an  attempt  is  made  to  connect  to  a  FIPS   140-­1  compliant  server.ora     Rationale:   For  FIPS  140-­2  compliance.  To  set  this  value  you  must  use  a  text  editor   and  modify  the  sqlnet.  The  default  value  for  this  setting  is  FALSE.ENCRYPTION_CLIENT=REQUIRED     Audit:       grep   i  ENCRYPTION_CLIENT  sqlnet.     Remediation:   SSLFIPS_140  =TRUE     Audit:       grep   i  SSL_FIPS  fips.   Default  is  accepted.   Item   Configuration  Item    #   5.  Default  is  all.  use  SHA1  instead  of  MD5.   Item   Configuration  Item    #   5.         Remediation:   Set   SQLNET.CRYPTO_CHECKSUM_T YPES_SERVER=(SHA1)   55  |  P a g e     .05   OAS    Integrity   Protection     Action  /  Recommended   Parameters   Integrity  check  for   communication  between  the   server  and  the  client  must  be   established.06   OAS    Integrity   Protection     Set   SQLNET.     Default  is  accepted.             Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   Rationale:       2   The  integrity  check  for  communication  can  prevent  data     S     modifications.;   SHA-­1  and  MD5.ora   grep   i  CRYPTO_CHECKSUM_CLIENT  sqlnet.CRYPTO_CHECKSUM_TYPES_SERVER=(SHA1 )     Audit:       grep   i  CHECKSUM_TYPES_SERVER  sqlnet.ora     5.CRYPTO_CHECKSUM_SERVER=REQUIRED   SQLNET.CRYPTO_CHECKSUM_CLIENT=REQUIRED     Audit:       grep   i  CRYPTO_CHECKSUM_SERVER  sqlnet.       Remediation:   Set     SQLNET.  MD5  has   S       documented  weaknesses  and  is  prone  to  collisions.   Usage  of  SHA-­1  is  recommended.  Two  check  sum  algorithms  are  available.ora     Rationale:       2   If  possible.  verify  fingerprint  of  CA  certificates.   use  fingerprints  to  verify  the  certificate.   Item   Configuration  Item    #   5.   5.     Audit:       None         2   N       2   S       2   N   56  |  P a g e     .     Audit:       orapki  wallet  display  -­wallet  \   wallet_location     Rationale:   When  adding  CA  certificates  via  out-­of-­band  methods.    Ensure  only  the   appropriate  Oracle  user  account   has  access  to  the  wallet.08   OAS      Oracle  Wallet   Trusted  Certificates   Remove  certificate  authorities   (CAs)  that  are  not  required.   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   5.     Remediation:   None     Audit:       None       Rationale:   Trust  only  those  CAs  that  are  required  by  clients  and   servers.   Rationale:   The  Oracle  service  account  must  have  access  to  the   wallet.  Failure  to  verify   fingerprints  can  lead  to  compromise  of  the  certificate   chain.09   OAS      Oracle  Wallet   Trusted  Certificates   Import   When  adding  CAs.  verify   fingerprint  of  CA  certificates.     Remediation:   Remove  certificate  authorities  (CAs)  that  are  not   required.       Remediation:   When  adding  CAs.07   OAS      Oracle  Wallet   Owner  Permissions   Action  /  Recommended   Parameters   Set  configuration  method  for   Oracle  Wallet.     Remediation:   Use  OAS  Integrity/Encryption  only  if  SSL  is   unavailable.       Remediation:   orapki  wallet  add  -­wallet  \   wallet_location  -­dn  user_dn   keySize  2048     Audit:       orapki  wallet  display  -­wallet  \   wallet_location     Rationale:   For  Windows  Oracle  database  servers.     Remediation:   To  enable  auto  login  from  the  Oracle  Wallet  Manager.     Audit:       Choose  Wallet  from  the  menu  bar.10   OAS      Certificate   Request  Key  Size   Action  /  Recommended   Parameters   Request  the  maximum  key  size   available.  SSL  will  not   work  unless  Auto  Login  is  set.  use  OAS   Integrity/Encryption.    2048  or  4096  are   recommended  sizes.12   OAS      SSL  Tab   SSL  is  preferred  method.   Rationale:   Select  the  largest  key  size  available  that  is  compatible   with  the  network  environment.   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   5.    If  PKI   is  not  possible.   Check  Auto  Login.     Audit:       None         2   S       2   S       2   N   57  |  P a g e     .   Item   Configuration  Item    #   5.   Check  Auto  Login.       Rationale:   OAS  Integrity/Encryption  should  only  be  used  if   required  because  of  non-­SSL  clients.   Choose  Wallet  from  the  menu  bar.11   OAS      Server  Oracle   Wallet  Auto  Login   Oracle  Wallet   5.  A  message  at  the  bottom  of  the   window  indicates  that  auto  login  is  enabled.   SSL_DH_anon_WITH_DES_CBC_SHA.14   OAS      SSL  Cipher   Suite   Set  SSL  Cipher  Suite.13   OAS      SSL  Version   Action  /  Recommended   Parameters   Set  SSL  version.0   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   5.     SSL_CIPHER_SUITES  =   SSL_RSA_WITH_3DES_EDE_CB C_SHA)   Rationale:   Usage  of  the  most  current  version  of  SSL  is   recommended  older  versions  of  the  SSL  protocol  are   prone  to  attack  or  roll  back.0     Audit:       grep   i  SSL_VERSION  sqlnet.   SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA.  The   following  is  for  reference.       Remediation:   SSL_CIPHER_SUITES  =(           SSL_DH_anon_WITH_3DES_EDE_CBC_SHA.ora           2   S       2   S   58  |  P a g e     .  Do  not  set  this  parameter       Remediation:   SSL_VERSION  =  3.   SSL_RSA_WITH_3DES_EDE_CBC_SHA.   SSL_RSA_WITH_DES_CBC_SHA.     SSL_VERSION  =  3.ora     Rationale:   SSL_CIPHER_SUITES  are  automatically  set  to   FIPS140-­2  approved  suites  by  Oracle  11g.   SSL_RSA_EXPORT_WITH_DES40_CBC_SHA)     Audit:       grep   i  SSL_CIPHER_SUITES  sqlnet.   Item   Configuration  Item    #   5.     Remediation:   SSL_SERVER_CERT_DN=  \   "cn=dept.   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   5.ora       Rationale:   It  is  preferable  to  have  mutually  authenticated  SSL   connections  verifying  the  identity  of  both  parties.17   OAS      Encryption  Tab   Use  OAS  encryption  only  if  SSL   is  not  feasible.  If  client  certificates  are  not  supported  in   the  enterprise.  then  set  to  FALSE.dc=us.     Remediation:   None       Audit:       None         2   S       2   S       2   N   59  |  P a g e     .dc=acme.     Remediation:   SSL_CLIENT_AUTHENTICATION=true     Audit:       grep   i  SSL_CLIENT_AUTHENTICATION  \   sqlnet.  If   possible  use  client  and  server  certificates  for  SSL   connections.16   OAS      SSL  Client   Authentication   SSL_CLIENT_   AUTHENTICATION=TRUE   5.15   OAS      SSL  Client  DN   Match   Action  /  Recommended   Parameters   Set  tnsnames  file  to  include   SSL_SERVER_CERT_DN   parameter  with  the  distinguished   name  (DN)  of  the  certificate.   Rationale:   This  will  reduce  the  possibility  of  certificate   masquerading  which  can  lead  to  man  in  the  middle   attacks  and  compromise  the  security  provided  by  the   SSL  protocol.\ dc=com"     Audit:       grep   i  SSL_SERVER_CERT_DN  tnsnames.cn=OracleContext.   Item   Configuration  Item    #   5.ora     Rationale:   OAS  Integrity/Encryption  should  only  be  used  if   required  because  of  non-­SSL  clients. 18   Encryption   Action  /  Recommended   Parameters   Where  possible.   Rationale:       2   By  employing  a  procedure  that  uses  data  elements  that     N     change  for  each  record  the  resulting  ciphertext  will  be   unique.   Item   Configuration  Item    #   5.  Someone  knowing  the  value   of  one  of  the  records  independent  of  the  ciphertext  can   by  inference  know  the  value  of  other  records  that   display  the  same  ciphertext.  The  use  of  RAW  or  BLOBs  prevents  this  error   and  preserves  the  data.     Remediation:   None     Audit:       None     Rationale:       2   Storing  data  in  CLOB  may  result  in  a  failure  in   N       decryption  if  the  same  number  letter  symbol  set  is  not   used.19   Encryption   Use  RAW  or  BLOB  for  the   storage  of  encrypted  data.  and   encryption  are  used  for  a  value  in  a  record  the  resulting   ciphertext  will  be  identical.  key.     Remediation:   None       Audit:       None     60  |  P a g e     .   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   5.  As  an  example  if  the  same  value.  use  a   procedure  that  employs  a   content  data  element  as  the   encryption  key  that  is  unique  for   each  record.     Employ  wrapping  to  protect  all  code  used  to  protect.   The  column  name  should  be   obscure  and  should  not  reveal   the  role  of  the  column.  or  encrypt  keys.     If  security  dictates.   Rows  should  be  protected  with   both  VPD  and  OLS  (OLS   included  VPD)  and  the  keys   themselves  should  be  encrypted   with  a  master  key.  within  the  limits  of   N       what  can  be  managed.  hardware  devices  can  be  used  for   encryption  key  storage.  to  ensure  the  security  of  the   encryption  keys.  at  minimum.   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   Rationale:       2   Assign  multiple  layers  of  protection.   generate  keys  for.   Item   Configuration  Item    #   5.  procedures.     Keys.       Remediation:   Use  multiple  layers  of  protection  when  storing  keys  with   the  data  in  a  separate  database.   and  functions  should  be   wrapped.20   Encryption   Action  /  Recommended   Parameters   If  keys  are  stored  in  a  table  with   the  database.    The  combination  of  methods  will  be   dependent  on  how  and  where  the  keys  are  stored.     Audit:       None     61  |  P a g e     .  access  to  the   keys  should  be  limited  and   under  the  protection  of  a  secure   role  with  fine  grain  auditing  in   place  for  the  table.     If  the  keys  are  managed  by  an   application  or  generated  as   computed  keys  the  procedures   should  be  wrapped.  use  of  special   characters  and  non-­dictionary  words.   All  package  bodies.  should  follow  password  selection   standards  in  areas  of  minimum  length.  As  an  example.  This  means  that  the   master  encryption  key  is  never  exposed  in  insecure   memory.;     Rationale:       2   Where  possible  use  an  HSM  to  store  the  master  keys   N       for  Transparent  Data  Encryption.21   Encryption   Action  /  Recommended   Parameters   Revoke  the  PUBLIC  execute   privileges  from  the   DBMS_OBFUSCATION_TOOLKIT .  but  the   DBMS_OBFUSCATION_TOOLKIT  is  still  needed  for   some  tasks  that  are  not  available  in  the  DBMS_CRYPTO   package.;     Audit:       SELECT  TABLE_NAME  FROM  DBA_TAB_PRIVS   WHERE  GRANTEE='PUBLIC'  AND   PRIVILEGE='EXECUTE'  AND   TABLE_NAME='DBMS_OBFUSCATION_TOOLKIT'.  All  encryption  and   decryption  operations  that  use  the  master  encryption   key  are  performed  inside  the  HSM.     Remediation:   REVOKE  EXECUTE  ON   DBMS_OBFUSCATION_TOOLKIT  TO  PUBLIC.  By  removing  public   access  to  the  DBMS_OBFUSCATION_TOOLKIT  the   means  to  decrypt  the  data  is  not  available  for  malicious   use.     Rationale:       2   S   The  DBMS_OBFUSCATION_TOOLKIT  has  been       replaced  with  the  DBMS_CRYPTO  package.22   Encryption   Use  HSM  for  storage  of  master   key.   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   5.;  the  generation  of  a   pseudorandom  string  requires  the   DBMS_OBFUSCATION_TOOLKIT.   Item   Configuration  Item    #   5.     Remediation:   None     Audit:       None     62  |  P a g e     . 23   Encryption   Action  /  Recommended   Parameters   Tablespace  Encryption   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   5.   Item   Configuration  Item    #   5.key     Audit:       ls   al  \   $ORACLE_HOME/network/security/radius.  Ensure  proper   permissions  are  set  on   $ORACLE_HOME/network/security/radius.     Audit:       None     Rationale:   File  permissions  must  be  restricted  to  the  owner  of  the   Oracle  software  and  dba  group.       Remediation:   Use  tablespace  encryption  .24   Radiuskey   Verify  and  set  permissions  on   radius.ora   SSL_CERT_REVOCATION=requ ired   Rationale:   When  a  table  contains  a  large  number  of  columns  of   PII  it  can  be  beneficial  to  encrypt  an  entire  tablespace   rather  than  columns.  Revoked  certificates   can  pose  a  threat  to  the  integrity  of  the  SSL  channel   and  should  not  be  trusted.key  file   5.key     Remediation:   chmod  440  \   $ORACLE_HOME/network/security/radius.     Remediation:   SSL_CERT_REVOCATION=required     Audit:       grep   i  SSL_CERT_REVOCATION  sqlnet.25   sqlnet.ora               2   N           1   S         2   S   63  |  P a g e     .key     Rationale:   Ensure  revocation  is  required  for  checking  CRLs  for   client  certificate  authentication. ora   Action  /  Recommended   Parameters   SSL_SERVER_DN_MATCH=yes   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   Rationale:   Ensure  the  DN  string  of  the  certificate  matches  the   expected  value.     Remediation:   SSL_SERVER_DN_MATCH=yes     Audit:       grep   i  SSL_SERVER_DN_MATCH  sqlnet.26   sqlnet.   Item   Configuration  Item    #   5.ora           2   S         64  |  P a g e     .     6.  Startup  and  Shutdown     Item   Configuration  Item    #   6.01   Advanced  queuing  in   asynchronous   messaging   Action  /  Recommended   Parameters   Empty  queue  at  shut  down  of   Oracle.   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   6.02   Cache   Cache  must  be  emptied  at  shut   down  of  Oracle.   Rationale:   Information  in  queue  may  be  accessed  outside  of   Oracle  and  beyond  the  control  of  the  security   parameters.    It  should  be  subject  to  the  same  security   precautions  as  other  tables.     Remediation:   Empty  queues  at  the  shutdown  of  the  Oracle  instances.   DBMS_AQADM.PURGE_QUEUE_TABLE(            queue_table          =>  'name.obj_qtab',            purge_condition  =>  NULL,            purge_options      =>  po);;     DBMS_AQADM.PURGE_QUEUE_TABLE(            queue_table          =>  'bane.obj_qtab',            purge_condition  =>  'qtview.queue  =   ''NAME.OBJ_QUEUE''',            purge_options      =>  po);;     Audit:       None     Rationale:   Information  in  caches  may  be  accessed  outside  of   Oracle  and  beyond  the  controls  of  the  security   parameters.     Remediation:   ALTER  SYSTEM  FLUSH  BUFFER_CACHE;;     Audit:       None         1   N       1   N       65  |  P a g e         7.  Backup  and  Disaster  Recovery     Item   Configuration  Item    #   7.01   Redo  logs   Action  /  Recommended   Parameters   Mirror   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   7.02   Control  files   Multiplex  control  files  to  multiple   physical  disks.   Rationale:   Redundancy  for  the  redo  logs  can  prevent  catastrophic   loss  in  the  event  of  a  disk  or  system  failure.       Remediation:   Mirror  on-­line  redo  logs  and  ensure  that  more  than  one   group  exists.     Audit:       None     Rationale:   Redundancy  for  the  control  files  can  prevent   catastrophic  loss  in  the  event  of  a  single  physical  drive   failure       Remediation:   Store  control  files  on  a  RAID  or  other  redundant  disk   system.       Audit:       None   .       1   N       1   N   66  |  P a g e       Item   Configuration  Item    #   7.03   Control  files   Action  /  Recommended   Parameters   Mirror   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   7.04   Archive  logs   Ensure  there  is  sufficient  space   for  the  archive  logging  process.   7.05   Redo  logs   Multiplex  redo  logs  to  multiple   physical  disks.   Rationale:   Mirror  the  Oracle  control  files.  In  the  event  that  the   control  files  become  corrupted  or  a  system  failure   mirroring  will  help  ensure  recovery  is  possible.     Remediation:   Mirror  control  files  to  multiple  separate  physical   partitions.       Audit:       None     Rationale:   Without  adequate  space  for  the  archive  logs  the  system   will  hang  resulting  in  a  denial  of  service.     Remediation:   Allocate  more  disk  space  to  redo  log  partitions.       Audit:       None     Rationale:   Redundancy  for  the  redo  logs  can  prevent  catastrophic   loss  in  the  event  of  a  single  physical  drive  failure.     Remediation:   None     Audit:       None           1     N       1   N       1   N   67  |  P a g e         Failure  to  ensure  this  could  cause  inability  to  recover   data.     Failure  to  ensure  this  could  cause  inability  to  recover   data.  File  permissions   must  be  restricted  to  the  owner  of  the  Oracle  software   and  the  dba  group.07   Backup   Automated  backups  should  be   verified.   Item   Configuration  Item    #   7..06   Archive  log  files   Action  /  Recommended   Parameters   Backup   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   7.    The  archive  logs  must  be  secured.     Remediation:   If  archive  log  mode  is  used  the  archive  log  files  must  be   saved  on  tape  or  to  a  separate  disk.    The  improved  RMAN   (Recovery  Manager)  capabilities  (i.           Audit:       None         1   N       1   N   68  |  P a g e     .  leading  to  data  loss.e.     Audit:       None     Rationale:   Backups  should  be  verified  by  performing  recoveries  to   ensure  newer  automated  backups  function  properly.   Rationale:   Archived  logs  contain  sensitive  information  and  must   be  properly  handled.         Remediation:   Backups  should  be  verified  by  performing  recoveries  to   ensure  newer  automated  backups  function  properly.  leading  to  data  loss.  incremental   backup  process)  can  be  used  to  facilitate  backups  and   recovery.     Remediation:   Engage  failsafe.   Item   Configuration  Item    #   7.   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   Rationale:   Failsafe  uses  the  cluster  server  interface  to  provide  the   failover  protection  previously  provided  by  hardware   interfaces.       Audit:       None         2   N         69  |  P a g e     .08   Failsafe   Action  /  Recommended   Parameters   Failsafe  must  be  engaged.   This  setting  may  not  be  applicable  for  middle  tier   application  accounts  that  access  the  database.;     Note:  It  is  recommended  to  create  three  separate   profiles:  Application  accounts.       Remediation:   Application  accounts  must  be  set  for   failed_login_attempts=3     Local  policy  may  override  the  recommended  setting.  RESOURCE_NAME.  and   user  accounts  instead  of  using  the  default  for  all.01   Database  Profiles   Action  /  Recommended   Parameters   failed_login_attempts=3   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   Rationale:     Restricting  the  number  of  login  attempts  will  help  deter   brute  force  attacks  against  profiles.  system  accounts.         Create  a  profile  then  assign  it  to  a  user  account.     Audit:       SELECT  PROFILE.     Default  profile  has  this  setting  at  10.  Oracle  Profile  (User)  Setup  Settings     Item   Configuration  Item    #   8.     ALTER  PROFILE  profile_name  LIMIT   FAILED_LOGIN_ATTEMPTS  3   PASSWORD_LOCK_TIME  1.     8.  LIMIT  FROM   DBA_PROFILES  WHERE           1   S   70  |  P a g e     . 02   Database  Profiles   Action  /  Recommended   Parameters   password_life_time=  90   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   Rationale:   Restricting  the  password  lifetime  will  help  deter  brute   force  attacks  against  user  accounts  and  refresh   passwords.  RESOURCE_NAME.  LIMIT  FROM   DBA_PROFILES  WHERE           1   S   71  |  P a g e     .    This  setting   may  not  be  applicable  for  middle  tier  application   accounts  that  access  the  database.;     Audit:       SELECT  PROFILE.   Create  a  profile  then  assign  it  to  a  user  account.       Local  policy  may  not  override  the  setting.     Default  profile  has  a  setting  of  180     Remediation:   ALTER  PROFILE  profile_name  LIMIT   password_life_time  90.   Item   Configuration  Item    #   8.     Create  a  profile  then  assign  it  to  a  user  account.;     Audit:       SELECT  PROFILE.   Item   Configuration  Item    #   8.     Remediation:     ALTER  PROFILE  profile_name  LIMIT   password_reuse_max  20.  RESOURCE_NAME.       Local  policy  may  override  the  recommended  setting.  This  prevents  users   from  cycling  through  a  few  common  passwords  and   helps  ensure  the  integrity  and  strength  of  user   credentials.03   Database  Profiles   Action  /  Recommended   Parameters   password_reuse_max=20   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   Rationale:   password_reuse_max  sets  the  number  of  different   passwords  that  must  be  rotated  by  the  user  before  the   current  password  can  be  reused.     Default  profile  has  a  setting  of  UNLIMITED.  LIMIT  FROM   DBA_PROFILES  WHERE           1   S   72  |  P a g e     .   This  setting  may  not  be  applicable  for  middle  tier   application  accounts  that  access  the  database.  RESOURCE_NAME.  Creating   a  long  window  before  password  reuse  helps  protect   from  password  brute  force  attacks  and  helps  the   strength  and  integrity  of  the  user  credential.05   Database  Profiles   password_reuse_time=  365   Rationale:   password_reuse_time  sets  the  amount  of  time  that   must  pass  before  a  password  can  be  reused.  Create  a   profile  then  assign  it  to  a  user  account.   Item   Configuration  Item    #   8.;     Audit:       SELECT  PROFILE.    Default  profile   has  this  setting  as  UNLIMITED     Remediation:   ALTER  PROFILE  profile_name  LIMIT   password_reuse_time  365.     Remediation:     ALTER  PROFILE  profile_name  LIMIT   password_lock_time  1.       Local  policy  may  not  override  the  setting.  RESOURCE_NAME.       Local  policy  may  not  override  the  setting.  LIMIT  FROM   DBA_PROFILES  WHERE           1   S       1   S   73  |  P a g e     .04   Database  Profiles   Action  /  Recommended   Parameters   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   8.  LIMIT  FROM   DBA_PROFILES  WHERE       password_lock_time=1   Rationale:   password_lock_time  specifies  the  amount  of  time  in   days  that  the  account  will  be  locked  out  if  the  maximum   number  of  authentication  attempts  has  been  reached.  This  setting   may  not  be  applicable  for  middle  tier  application   accounts  that  access  the  database.;     Audit:       SELECT  PROFILE. ;     Audit:     SELECT  USERNAME  FROM  DBA_USERS  WHERE   PASSWORD='EXTERNAL'.   Item   Configuration  Item    #   8.  RESOURCE_NAME.06   Database  Profiles   Action  /  Recommended   Parameters   password_grace_time=3   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   8.  LIMIT  FROM   DBA_PROFILES  WHERE       Rationale:   Check  and  review  any  user  who  has   .     Remediation:   ALTER  PROFILE  profile_name  LIMIT   password_grace_time    3.  This  setting   may  not  be  applicable  for  middle  tier  application   accounts  that  access  the  database.    Do  not  allow  remote  OS   authentication  to  the  database.;     Audit:       SELECT  PROFILE.07   Database  Profiles   Review  accounts  where   PASSWORD=  'EXTERNAL'   Rationale:   password_grace_time  specified  in  days  the  amount   of  time  that  the  user  is  warned  to  change  their   password  before  their  password  expires.     Remediation:   ALTER  USER  <username>  IDENTIFIED  BY   <new_password>.       Local  policy  may  not  override  the  setting.;         1   S       2   N   74  |  P a g e     .  make   the  following  changes  at  the  bottom  of  the   utlpwdmg.;       2   S   75  |  P a g e     .   Do  not  use  the  verify_function_11G  as  it  sets   password  settings  to  the  defaults  listed  above.sql  file:     PASSWORD_GRACE_TIME  3   PASSWORD_REUSE_TIME  365   PASSWORD_REUSE_MAX  20   FAILED_LOGIN_ATTEMPTS  3   PASSWORD_LOCK_TIME  1       Modify  the  line:     IF  length(password)  <  4   by  changing  the  minimum  password  length  to  8.08   Database  Profiles   Action  /  Recommended   Parameters   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   Rationale:   Set   password_verify_function   Allow  password_verification_function  to  be   to  a  verification  function   called  when  passwords  are  changed.   Item   Configuration  Item    #   8.       Audit:   SELECT  PROFILE.         Remediation:   Oracle  provides  utlpwdmg.sql  which  can  be  used  to   create  a  password  verification  function.    This  always   command  at  an  SQL  prompt.  RESOURCE_NAME  FROM   DBA_PROFILES  WHERE   RESOURCE_NAME='PASSWORD_VERIFY_FUNCTION'.    If  using  this   script  to  create  a  password  verification  function. ;         2   S       2   S   76  |  P a g e     .09   Database  Profiles   Action  /  Recommended   Parameters   Set  CPU_PER_SESSION  as   appropriate   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   8.   Item   Configuration  Item    #   8.;     Audit:   SELECT  PROFILE.;     Audit:   SELECT  PROFILE.  Ensure  that  users   profile  settings  have  appropriate  values  set  for  the   particular  database  and  application.  RESOURCE_NAME.  LIMIT  FROM   DBA_PROFILES  WHERE   .     Remediation:   ALTER  PROFILE  profile_name  LIMIT   PRIVATE_SGA    <value>.   Ensure  that  users  profile  settings  have  appropriate   values  set  for  the  particular  database  and  application.10   Database  Profiles   Set  PRIVATE_SGA  as   appropriate   Rationale:   Allowing  a  single  application  or  user  to  consume   excessive  CPU  resources  will  result  in  a  denial  of   service  to  the  Oracle  database.     Remediation:   ALTER  PROFILE  profile_name  LIMIT   CPU_PER_SESSION  <value>.  RESOURCE_NAME.  LIMIT  FROM   DBA_PROFILES   .;     Rationale:   Allowing  a  single  application  or  user  to  consume  the   excessive  amounts  of  the  System  Global  Area  will   result  in  a  denial  of  service  to  the  Oracle  database.  Ensure  that  users  profile  settings  have   appropriate  values  set  for  the  particular  database  and   application.;     Rationale:   Allowing  an  unlimited  amount  of  sessions  per  user  can   consume  Oracle  resources  and  cause  a  denial  of   service.   Ensure  that  users  profile  settings  have  appropriate   values  set  for  the  particular  database  and  application.     Remediation:   ALTER  PROFILE  profile_name  LIMIT   SESSIONS_PER_USER  <value>.11   Database  Profiles   Action  /  Recommended   Parameters   Set  LOGICAL_READS_   PER_SESSION  as  appropriate   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   8.   Item   Configuration  Item    #   8.;         2   S       2   S   77  |  P a g e     .12   Database  Profiles   Set  SESSIONS_PER_USER  as   appropriate   Rationale:   Allowing  a  single  application  or  user  to  perform   excessive  amounts  of  reads  to  disk  will  result  in  a   denial  of  service  to  the  Oracle  database.  LIMIT  FROM   DBA_PROFILES   .  Limit  the  number  of  session  for  each  individual   user.;     Audit:   SELECT  PROFILE.;     Audit:   SELECT  PROFILE.     Remediation:   ALTER  PROFILE  profile_name  LIMIT   LOGICAL_READS_  PER_SESSION  <value>.  RESOURCE_NAME.  RESOURCE_NAME.  LIMIT  FROM   DBA_PROFILES   . 13   Database  Profiles   Action  /  Recommended   Parameters   Set  CONNECT_TIME  as   appropriate   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   Rationale:   Sessions  held  open  for  excessive  periods  of  time  can   consume  system  resources  and  cause  a  denial  of   service  for  other  users  of  the  Oracle  database.;         2   N   78  |  P a g e     .  The   CONNECT_TIME  parameter  limits  the  upper  bound  on   how  long  a  session  can  be  held  open.  Note:   Oracle  does  not  do  strict  monitoring  of  connect  times   and  sessions  can  exceed  this  time  limit  by  up  to  a  few   minutes.  Ensure  that  users  profile  settings  have   appropriate  values  set  for  the  particular  database  and   application.  This  parameter   is  specified  in  minutes.  Sessions  that  have  exceeded   their  connect  time  are  aborted  and  rolled  back.  LIMIT  FROM   DBA_PROFILES   .     Remediation:   ALTER  PROFILE  profile_name  LIMIT   CONNECT_TIME  <value>.  RESOURCE_NAME.;     Audit:   SELECT  PROFILE.   Item   Configuration  Item    #   8.  LIMIT  FROM   DBA_PROFILES   .   Item   Configuration  Item    #   8.     Ensure  that  users  profile  settings  have  appropriate   values  set  for  the  particular  database  and  application.     Remediation:   ALTER  PROFILE  profile_name  LIMIT   IDLE_TIME  <value>.14   Database  Profiles   Action  /  Recommended   Parameters   Set  IDLE_TIME  as  appropriate   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   Rationale:   Idle  sessions  held  open  for  excessive  periods  of  time   can  consume  system  resources  and  cause  a  denial  of   service  for  other  users  of  the  Oracle  database.;         2   N         79  |  P a g e     .  RESOURCE_NAME.  Limit  the   maximum  number  of  minutes  a  session  can  idle.;     Audit:   SELECT  PROFILE. ;     Audit:   SELECT  USERNAME.  Tables.;     Audit:   SELECT  <USERNAME>  FROM  DBA_TS_QUOTAS       .     Remediation:   ALTER  USER  <USER_NAME>  QUOTA  <VALUE>  ON   <TABLESPACE_NAME>.01   Tablespaces   Do  not  have   default_tablespace  set  to   SYSTEM  for  user  accounts   9.  Privileges.  Roles  and  Packages  need  to  be  followed  for  all  new  users  that   might  be  created.  Note  it  may  be  difficult  or  impossible  to  move   some  objects.;       Rationale:   Set  quotas  for  developers  on  shared   production/development  systems  to  prevent  space   resource  contentions.02   Tablespaces   Ensure  application  users  have   not  been  granted  quotas  on   tablespaces.       9.  DEFAULT_TABLESPACE  FROM   DBA_USERS.  and  should  be  the  only  users  granted  permissions.     Remediation:   ALTER  USER  DEFAULT_TABLESPACE  table.  Synonyms.   This  prevents  administrative  users  from  altering  system   objects.     W   U   Level   Item   Configuration  Item   Action  /  Recommended   Rationale/Remediation   I   &   n   n    #   Parameters   d   o   w   s   I   x   Score   Status   9.;       2   S       1   S   80  |  P a g e     .  Application  users  should  be   granted  quotas  on  a  case  by  case  basis  to  avoid   application  failure.    By  default  SYS  and  DBA  have  most  of  these  accesses  and  privileges.  Roles.   Rationale:   Only  SYS  should  have  a  default  tablespace  of  SYSTEM.  Oracle  Profile  (User)  Access  Settings   Note:  Security  recommendations  for  Tablespaces.  Views. 04   Tables   Prevent  access  to  SYS.AUD$   Rationale:   Check  for  any  user  that  has  access  to  any  dictionary   object  and  revoke  where  possible.03   Any  dictionary  object   Action  /  Recommended   Parameters   Review  access  and  revoke   access  where  possible   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   9.   Item   Configuration  Item    #   9.;     Audit:   SELECT  GRANTEE.    This  is  only  applicable  if  the   audit  trail  parameter  is  set  to  db  or  db_extended.       Remediation:   Review  access  rights  and  revoke  privileges  where   possible.   Allowing  users  to  alter  the  AUD$  table  can  compromise   the  audit  trail  or  integrity  of  the  Oracle  database.       Remediation:   REVOKE  ALL  ON  SYS.  This  reduces  the   overall  privileges  of  the  user  base  and  reduces  the   attack  surface  of  the  Oracle  database.AUD$  FROM  <USER>.       Audit:   None     Rationale:   Check  for  any  user  accounts  that  have  access  and   revoke  where  possible.  PRIVILEGE  FROM           1   N       2   S   81  |  P a g e     . ;     Rationale:   Sensitive  user  and  password  data  is  stored  in  the   LINK$  table.;     Audit:   SELECT  GRANTEE.USER_HISTORY$   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   9.   Item   Configuration  Item    #   9.USER_HISTROY$  FROM   <USER>.LINK$  FROM  <USER>.  Check   for  any  user  that  has  access  and  revoke  where   possible.06   Tables   Prevent  access  to  SYS.  Non  administrative  or  system  users   should  be  prevented  from  accessing  this  table.     Remediation:   REVOKE  ALL  ON  SYS.     Remediation:   REVOKE  ALL  ON  SYS.LINK$   Rationale:   Revoke  access  to  this  table  from  all  users  and  roles   except  for  SYS  and  DBA  accounts.;     Audit:   SELECT  GRANTEE.  Allowing  users  to   alter  the  USER_HISTORY$  table  can  compromise  the   audit  trail  or  integrity  of  the  Oracle  database.  PRIVILEGE  FROM   DBA_TAB_PRIVS   .05   Tables   Action  /  Recommended   Parameters   Prevent  access  to   SYS.;         1   S       1   S   82  |  P a g e     .  PRIVILEGE  FROM   DBA_TAB_PRIVS  WHERE   .  PRIVILEGE  FROM   .;     Rationale:   Allowing  users  to  alter  codes  in  the  SOURCE$  table  can   compromise  the  security  and  integrity  of  the  Oracle   database.  Check  for  any   user  that  has  access  and  revoke  where  possible.SOURCE$   Rationale:   Sensitive  user  and  password  data  is  stored  in  the   USER$  table.;     Audit:   SELECT  GRANTEE.     Remediation:   REVOKE  ALL  ON  SYS.USER$   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   9.;         1   S       1   S   83  |  P a g e     .SOURCE$  FROM  <USER>  .USER$  FROM  <USER>.  Check  for  any  user  accounts  that  have   access  and  revoke  where  possible.  Only  administrative  or  system  users   should  have  rights  to  access  this  table.;     Audit:   SELECT  GRANTEE.08   Tables   Prevent  access  to   SYS.   Item   Configuration  Item    #   9.  PRIVILEGE  FROM   .         Remediation:   REVOKE  ALL  ON  SYS.07   Tables   Action  /  Recommended   Parameters   Prevent  access  to  SYS.   Item   Configuration  Item    #   9.       Remediation:   REVOKE  ALL  ON  PERFSTAT.STATS$SQL_SUMMA RY       1   S   84  |  P a g e     .  TABLE_NAME   FROM  DBA_TAB_PRIVS  WHERE           1   S   9.  PRIVILEGE.10   Tables   Prevent  access  to   PERFSTAT.09   Tables   Action  /  Recommended   Parameters   Prevent  access  to   PERFSTAT.  SQL_SUMMARY  contains  the  first  few  lines  of   the  executed  SQL  statements  and  can  contain   sensitive  information.  TABLE_NAME   .STATS$SQLTEXT   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   Rationale:   Check  for  any  user  that  has  access  and  revoke  where   possible.STATS$SQLTEXT.;     Audit:   SELECT  GRANTEE.  PRIVILEGE.;     Rationale:   Check  for  any  user  that  has  access  and  revoke  where   possible.;     Audit:   SELECT  GRANTEE.  SQLTEXT  stores  the  full  text  of  SQL   statements  that  have  been  executed  and  can  contain   sensitive  information.STATS$SQLSUM.     Remediation:   REVOKE  ALL  ON  PERFSTAT.     Remediation:   REVOKE  ALL  ON  DBA_<TABLENAME>  FROM   <USER>.     Remediation:   REVOKE  ALL  ON  X$<TABLENAME>  FROM  <USER>.12   Views   Prevent  access  to  any  DBA_   views   Rationale:   X$  tables  are  kernel  tables  used  by  Oracle  internals   and  should  not  be  accessed  by  users.   Item   Configuration  Item    #   9.  TABLE_NAME   FROM  DBA_TAB_PRIVS  WHERE  TABLE_NAME           1   S       1   S   85  |  P a g e     .11   Tables   Action  /  Recommended   Parameters   Prevent  access  to  any  X$  table   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   9.;     Audit:   SELECT  GRANTEE.  PRIVILEGE.;     Audit:   SELECT  GRANTEE.  Check  for   any  user  that  has  access  and  revoke  where  possible.  PRIVILEGE.  Check  for  any   user  that  has  access  and  revoke  where  possible.  TABLE_NAME   FROM  DBA_TAB_PRIVS  WHERE  TABLE_NAME       Rationale:   DBA  views  return  information  about  all  objects  and   should  only  be  accessible  by  administrators.  Check  for  any  user  that  has  access  and   revoke  where  possible.  PRIVILEGE.     Remediation:   REVOKE  ALL  ON  ALL_  SOURCE  FROM  <USER>.     Remediation:   REVOKE  ALL  ON  TABLE_NAME  FROM  <USER>.  TABLE_NAME   FROM  DBA_TAB_PRIVS  WHERE  TABLE_NAME       Rationale:   ALL_SOURCE  contains  the  text  source  for  all  of  the   user s  objects.  Check  for  any  user  that  has  access  and   revoke  where  possible.  PRIVILEGE.13   Views   Action  /  Recommended   Parameters   Prevent  access  to  any  V$  views   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   9.14   Views   Prevent  access  to  ALL_SOURCE   Rationale:   V$  tables  contain  sensitive  information  about  Oracle   database  and  should  only  be  accessible  by  system   administrators.   Item   Configuration  Item    #   9.;     Audit:   SELECT  GRANTEE.  TABLE_NAME   FROM  DBA_TAB_PRIVS  WHERE           1   S       1   S   86  |  P a g e     .;       Audit:   SELECT  GRANTEE.     Remediation:   REVOKE  ALL  ON  DBA_SYS_PRIVS  FROM  <USER>.16   Views   Prevent  access  to   DBA_SYS_PRIVS   Rationale:   Allowing  the  user  to  alter  the  DBA_ROLES  can  result  in   privilege  escalation  or  system  instability.  Restrict  access  to  this  view  to  all  users   except  SYS  and  DBAs.  TABLE_NAME   FROM  DBA_TAB_PRIVS  WHERE       Rationale:   Allowing  a  user  to  access  the  dba_sys_privs  table   will  show  the  users  privileges  for  all  users  in  the  Oracle   database.     Remediation:   REVOKE  ALL  ON  DBA  _ROLES  FROM  <USER>.;     Audit:   SELECT  GRANTEE.  Restrict   access  to  this  view  to  all  users  except  SYS  and  DBAs.   Item   Configuration  Item    #   9.  TABLE_NAME   FROM  DBA_TAB_PRIVS  WHERE           1   S       1   S   87  |  P a g e     .;     Audit:   SELECT  GRANTEE.  PRIVILEGE.  PRIVILEGE.15   Views   Action  /  Recommended   Parameters   Prevent  access  to  DBA_ROLES   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   9.  TABLE_NAME   FROM  DBA_TAB_PRIVS  WHERE  TABLE_NAME=DBA_           1   S       1   S   88  |  P a g e     .  TABLE_NAME   FROM  DBA_TAB_PRIVS  WHERE       Rationale:   Allowing  a  user  to  access  the  dba_tab_privs  view   will  show  the  table  privileges  for  all  users  in  the  Oracle   database.  PRIVILEGE.     Remediation:   REVOKE  ALL  ON  DBA_ROLE_PRIVS  FROM  <USER>.  PRIVILEGE.     Remediation:   REVOKE  ALL  ON  DBA_TAB_PRIVS  FROM  <USER>.  Restrict  access  to  this  view  to  all  users   except  SYS  and  DBAs.   Item   Configuration  Item    #   9.;     Audit:   SELECT  GRANTEE.17   Views   Action  /  Recommended   Parameters   Prevent  access  to   DBA_ROLE_PRIVS   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   9.18   Views   Prevent  access  to   DBA_TAB_PRIVS   Rationale:   Allowing  a  user  to  access  the  dba_role_privs  view   will  show  the  role  privileges  for  all  roles  in  the  Oracle   database.;     Audit:   SELECT  GRANTEE.  Restrict  access  to  this  view  to  all  users   except  SYS  and  DBAs. 20   Views   Prevent  access  to   ROLE_ROLE_PRIVS   Rationale:   Allowing  a  user  to  access  the  dba_users  view  will   show  the  role  privileges  for  all  users  in  the  Oracle   database.  Restrict  access  to  this  view  to  all  users   except  SYS  and  DBAs.  TABLE_NAME   FROM  DBA_TAB_PRIVS   ROLE_ROLE_PRIVS.;     Audit:   SELECT  GRANTEE.;         1   S       1   S   89  |  P a g e     .     Remediation:   REVOKE  ALL  ON  DBA_USERS  FROM  <USER>.         Remediation:   REVOKE  ALL  ON  ROLE_ROLE_PRIVS  FROM   <USER>.  PRIVILEGE.  TABLE_NAME   FROM  DBA_TAB_PRIVS  WHERE       Rationale:   Allowing  a  user  to  access  the  dba_role_privs  view   will  show  the  role  grants  for  all  roles  in  the  Oracle   database.  Restrict  access  to  this  view  to  all  users   except  SYS  and  DBAs.;     Audit:   SELECT  GRANTEE.   Item   Configuration  Item    #   9.19   Views   Action  /  Recommended   Parameters   Prevent  access  to  DBA_USERS   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   9.  PRIVILEGE.   Item   Configuration  Item    #   9.  TABLE_NAME   USER_ROLE_PRIVS.;     Audit:   SELECT  GRANTEE.         Remediation:   REVOKE  ALL  ON  USER_ROLE_PRIVS  TO  <USER>.;         1   S       1   S   90  |  P a g e     .;     Audit:   SELECT  GRANTEE.21   Views   Action  /  Recommended   Parameters   Prevent  access  to   USER_TAB_PRIVS   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   9.  PRIVILEGE.  Restrict  access  to  this  view  to  all   users  except  SYS  and  DBAs.  PRIVILEGE.  Restrict  access  to  this  view  to  all   users  except  SYS  and  DBAs.22   Views   Prevent  access  to   USER_ROLE_PRIVS   Rationale:   Allowing  a  user  to  access  the  user_tab_privs  view   will  show  the  granted  table  privileges  for  all  users  in  the   Oracle  database.  TABLE_NAME   FROM  DBA_TAB_PRIVS  WHERE       Rationale:   Allowing  a  user  to  access  the  user_role_privs  view   will  show  the  granted  role  privileges  for  all  users  in  the   Oracle  database.         Remediation:   REVOKE  ALL  ON  USER_TAB_PRIVS  FROM  <USER>.  are   removed  from  the  base  objects.  TABLE_NAME  FROM   ALL_SYNONYMS  WHERE  TABLE_NAME       Rationale:   Granting  privileges  to  synonyms  actually  grants   privileges  to  the  base  objects.  TABLE_NAME   FROM  DBA_TAB_PRIVS  WHERE  TABLE_NAME       Rationale:   Check  for  any  user  that  has  access  and  revoke  where   possible.     Remediation:   Delete  the  synonym  or  revoke  the  privileges     Audit:   SELECT  SYNONYM_NAME.    These  roles  are   SELECT_CATALOG_ROLE.   ensure  privileges  granted  to  the   synonyms.;     Audit:   SELECT  GRANTEE.   Item   Configuration  Item    #   9.   and  RECOVERY_CATALOG_OWNER.  ensure  that  privileges  from  the  base   objects  are  removed  when  the  synonyms  are  dropped.23   Roles   Action  /  Recommended   Parameters   Prevent  assignment  of  roles  that   have  _CATALOG_   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   9.     Audit:   None         1   S       1   S       1   N   91  |  P a g e     .   Rationale:   Revoke  any  catalog  roles  from  those  roles  and  users   that  do  not  need  them.   EXECUTE_CATALOG_ROLE.  PRIVILEGE.           Remediation:   If  necessary.25   Synonyms   When  dropping  synonyms.  if  not  required.     Remediation:   REVOKE  ALL  ON  <ROLE>  FROM  <USER>.  DELETE_CATALOG_ROLE.24   Synonyms   Prevent  access  to  any  V$   synonym   9. ;       Rationale:   The  ANY  keyword  grants  the  ability  for  the  user  to  set   privileges  for  the  entire  catalogue  of  objects  in  the   database.    Developers  may  be  granted  limited   system  privileges  as  required  on  development   databases.27   Privileges   Prevent  granting  of  privileges   that  contain  the  keyword  ANY   Rationale:   All  system  privileges  except  for  CREATE  SESSION   must  be  restricted  to  DBAs.   Item   Configuration  Item    #   9.26   Privileges   Action  /  Recommended   Parameters   Restrict  system  privileges   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   9.  application  object  owner   accounts/schemas  (locked  accounts)  and  default   Oracle  accounts.     Remediation:   REVOKE  ALL  <PRIVS>  FROM  <USER>.       Remediation:   Check  for  any  user  or  role  that  has  the  ANY  keyword   and  revoke  this  role  where  possible.;       Audit:   SELECT  *  FROM  DBA_SYS_PRIVS.     Audit:   SELECT  *  FROM  DBA_SYS_PRIVILEGES  WHERE           1   S       1   S   92  |  P a g e     .     Remediation:   REVOKE  EXEMPT  ACCESS  POLICY  FROM  <USER>.       Remediation:   REVOKE  ALL  PRIVILEGES  FROM  <USER/ROLE>     GRANT  <SPECIFIC  PRIVILEGES>  TO   <USER/ROLE>.;  it   gives  full  access  to  all  tables.  views  and  objects  to  the   user  or  role  it  is  granted  to.;     Audit:   SELECT  *  FROM  DBA_SYS_PRIVS  WHERE   PRIVILEGE='EXEMPT  ACCESS  POLICY'.;     Audit:   SELECT  *  FROM  DBA_SYS_PRIVS  WHERE       SELECT  *  FROM  DBA_SYS_PRIVS  WHERE         Rationale:   Revoke  this  privilege  if  not  necessary.29   Privileges   Prevent  granting  of  EXEMPT   ACCESS  POLICY  (EAP)   Rationale:   The  GRANT  ALL  PRIVILEGES  must  not  be  used.   The  EAP  privilege  provides  access  to  all  rows   regardless  of  Row  Level  Security  assigned  to  specific   rows.   Item   Configuration  Item    #   9.;         2   N       1   S   93  |  P a g e     .28   Privileges   Action  /  Recommended   Parameters   Prevent  granting  of  all  privileges   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   9. ;         1   S       1   S   94  |  P a g e     .31   Privileges   Prevent  granting  of  privileges   that  have  WITH  GRANT   Rationale:   Check  for  any  user  or  role  that  has  been  granted   privileges  WITH  ADMIN  and  revoke  where  possible.;       Audit:   SELECT  *  FROM  DBA_SYS_PRIVS  WHERE       Rationale:   Check  for  any  user  or  role  that  has  been  granted   privileges  WITH  GRANT  and  revoke  where  possible.;     Audit:   SELECT  *  FROM  DBA_TAB_PRIVS  WHERE   .   Item   Configuration  Item    #   9.30   Privileges   Action  /  Recommended   Parameters   Prevent  granting  of  privileges   that  have  WITH  ADMIN   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   9.;   GRANT  <ROLE>  TO  <USER>.   The  WITH  ADMIN  privilege  allows  a  user  to  grant  the   same  privileges  they  possess.   The  WITH  GRANT  privilege  allows  a  user  to  grant  the   same  privilege  to  other  users.     Remediation:   REVOKE  <ROLE>  FROM  <USER>.       Remediation:   REVOKE  GRANT  OPTION  FOR  <PRIV>  ON  <TABLE>   FROM  <USER>.  tables.32   Privileges   Action  /  Recommended   Parameters   Prevent  granting  of  privileges   that  have  CREATE   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   9.   and  views.       Remediation:   REVOKE  CREATE  LIBRARY  FROM  <USER/ROLE>.  Excessive  create  privileges   can  allow  an  attack  to  create  arbitrary  objects.  The  CREATE  LIBRARY   privilege  allows  a  user  to  create  an  object  associated   with  a  shared  library.       Remediation:   REVOKE  CREATE  <PRIV>  FROM  <USER/ROLE>     Audit:   SELECT  *  FROM  DBA_SYS_PRIV  FROM  PRIVILEGE       Rationale:   Check  for  any  user  or  role  that  has  this  privilege  and   revoke  where  possible.33   Privileges   Prevent  granting  of  CREATE   LIBRARY   Rationale:   Check  for  any  user  that  has  object  creation  privileges   and  revoke  where  possible.;     Audit:   SELECT  *  FROM  DBA_SYS_PRIVS  WHERE           1   S       1   S   95  |  P a g e     .  Allowing  arbitrary  library  creation   can  compromise  the  integrity  and  security  of  the  Oracle   database.   Item   Configuration  Item    #   9.       Remediation:   REVOKE  BECOME  USER  FROM  <USER/ROLE>     Audit:   SELECT  *  FROM  DBA_SYS_PRIVS  WHERE           1   S       1   S       1   S   96  |  P a g e     .;     Audit:   SELECT  *  FROM  DBA_SYS_PRIVS  WHERE       Rationale:   CREATE  PROCEDURE  allows  a  user  to  create  a  stored   procedure  in  the  database  and  should  be  restricted  to   administrative  or  development  users.  Check  for  any   user  or  role  that  has  this  privilege  and  revoke  where   possible.     Remediation:   REVOKE  CREATE  PROCEDURE  FROM  <USER/ROLE>.36   Privileges   Prevent  granting  of  BECOME   USER   Rationale:   Check  for  any  user  or  role  that  has  this  privilege  and   revoke  where  possible.;     Audit:   SELECT  *  FROM  DBA_SYS_PRIVS  WHERE       Rationale:   BECOME  USER  allows  a  user  to  inherit  the  rights  of   another  oracle  system  user  and  should  not  be  used  if   possible.     Remediation:   REVOKE  ALTER  SYSTEM  FROM  <USER/ROLE>.   Item   Configuration  Item    #   9.34   Privileges   Action  /  Recommended   Parameters   Prevent  granting  of  ALTER   SYSTEM   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   9.  The  alter  system  privilege   allows  a  user  to  dynamically  alter  the  Oracle  instance.35   Privileges   Prevent  granting  of  CREATE   PROCEDURE   9.     Remediation:   REVOKE  <PRITILEGE>  FROM  <USER>.;     Audit:   SELECT  *  FROM  DBA_SYS_PRIVS  WHERE       Rationale:   Grant  privileges  only  to  roles   Grant  privileges  only  to  roles.     Remediation:   Revoke  all  individual  privileges  from  users.39   Privileges   Prevent  granting  of  SELECT  ANY   Rationale:   Check  for  any  user  that  has  access  and  revoke  where   TABLE   possible.38   Privileges   9.   Item   Configuration  Item    #   9.    If  application  data  is  sensitive.       Audit:   None         1   S       1   S       1   N   97  |  P a g e     .  and  it  is   possible.     Create  a  role  defining  the  needed  privileges.   Grant  the  role  to  the  users.37   Privileges   Action  /  Recommended   Parameters   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   9.  Do  not  grant  privileges  to   individual  users.  revoke  this  privilege  from  the  DBA  accounts   as  well.;     Audit:   SELECT  *  FROM  DBA_SYS_PRIVS  WHERE       Rationale:   Prevent  granting  of  AUDIT   Review  which  users  have  audit  system  privileges  and   SYSTEM   limit  as  much  as  possible  to  ensure  audit  commands   are  not  revoked.     Remediation:   REVOKE  SELECT  ANY  <OBJECT>  FROM  <USER>. ;     Audit:   SELECT  *  FROM  DBA_ROLE_PRIVS  WHERE       Rationale:   Revoke  the  resource  role  from  normal  application  user   accounts.    Limit  or   revoke  unnecessary  PUBLIC  privileges.     Remediation:   REVOKE  PUBLIC  FROM  <USER/ROLE>.;     Audit:   SELECT  *  FROM  DBA_ROLE_PRIVS  WHERE       Rationale:   Assigning  the  DBA  role  to  users  provides  unnecessary   access  and  control  of  the  Oracle  database.42   Roles   Prevent  assignment  of  DBA   Rationale:   Review  all  privileges  granted  to  PUBLIC.     Remediation:   REVOKE  RESOURCE  FROM  <USER/ROLE>.   REVOKE  DBA  FROM  <USER/ROLE>     Audit:   SELECT  *  FROM  DBA_ROLE_PRIVS  WHERE           1   S       1   S       1     S   98  |  P a g e     .   Item   Configuration  Item    #   9.40   Privileges   Action  /  Recommended   Parameters   Review  privileges  granted  to   PUBLIC   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   9.41   Roles   Prevent  assignment  of   RESOURCE   9.       Remediation:   Revoke  DBA  role  from  users  who  do  not  require  it.  TABLE_NAME  FROM     Rationale:   Review  the  ACL  for  usage  of  the  UTL_HTTP  package.     Remediation:   REVOKE  EXECUTE  ON  UTL_HTTP  FROM  PUBLIC.  TABLE_NAME  FROM   DBA_TAB_PRIVS  WHERE               1   S       1   S   9.   Item   Configuration  Item    #   9.;     Audit:   SELECT  GRANTEE.;     Audit:   SELECT  GRANTEE.   Revoke  the  public  execute  privilege  on  UTL_FILE  as  it   can  be  used  to  access  O/S.     Remediation:   REVOKE  EXECUTE  ON  UTL_FILE  FROM  PUBLIC.   Revoke  the  public  execute  privilege  on  UTL_HTTP  as  it   can  write  content  to  a  web  browser.     Remediation:   REVOKE  EXECUTE  ON  UTL_TCP  FROM  PUBLIC.  TABLE_NAME  FROM   DBA_TAB_PRIVS  WHERE       Rationale:   Review  the  ACL  for  usage  of  the  UTL_TCP  package.45   Packages   ACL  or  Deny  access  to   UTL_HTTP       1   S   99  |  P a g e   .;     Audit:   SELECT  GRANTEE.43   Packages   Action  /  Recommended   Parameters   ACL  or  Deny  access  to   UTL_FILE   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   9.44   Packages   ACL  or  Deny  access  to   UTL_TCP   Rationale:   Review  the  ACL  for  usage  of  the  UTL_FILE  package.   Revoke  the  public  execute  privilege  on  UTL_TCP  as  it   can  write  and  read  sockets. 47   Packages   Deny  access  to  DBMS_LOB   Rationale:   Review  the  ACL  for  usage  of  the  UTL_SMTP   packageRevoke  the  public  execute  privilege  on   UTL_SMTP  as  it  can  send  mail  from  the  database   server.   Item   Configuration  Item    #   9.  This  procedure   allows  the  manipulation  of  large  objects  and  BFILE  file   read  access.;     Audit:   SELECT  GRANTEE.     Remediation:   REVOKE  EXECUTE  ON  UTL_SMTP  FROM  PUBLIC.  TABLE_NAME  FROM   DBA_TAB_PRIVS  WHERE           1   S       1   S   100  |  P a g e     .     Remediation:   REVOKE  EXECUTE  ON  DBMS_LOB  FROM  PUBLIC.  If  not  required  its  usage  should  be   revoked.46   Packages   Action  /  Recommended   Parameters   ACL  or  Deny  access  to   UTL_SMTP   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   9.;     Audit:   SELECT  GRANTEE.  TABLE_NAME  FROM   DBA_TAB_PRIVS  WHERE       Rationale   Revoke  the  public  execute  privilege.   Item   Configuration  Item    #   9.       Remediation:   REVOKE  EXECUTE  ON  DBMS_SQL  FROM  PUBLIC.  TABLE_NAME  FROM   DBA_TAB_PRIVS  WHERE           1   S       1     S   101  |  P a g e     .;     Audit:   SELECT  GRANTEE.  TABLE_NAME  FROM   DBA_TAB_PRIVS  WHERE       Rationale   Revoke  the  public  execute  privilege.  If  public   permissions  are  granted  on  DBMS_SYS_SQL  a  user   can  acquire  an  administrative  cursor  and  act  with  DBA   permissions.49   Packages   Deny  access  to  DBMS_JOB   Rationale   Revoke  the  public  execute  privilege.;     Audit:   SELECT  GRANTEE.  DBMS_JOB  is  a   backwards  compatible  job  scheduler  for  Oracle.  If  no   longer  required  its  usage  should  be  disabled  to  reduce       Remediation:   REVOKE  EXECUTE  ON  DBMS_JOB  TO  PUBLIC.48   Packages   Action  /  Recommended   Parameters   Deny  access  to  DBMS_SYS_SQL   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   9.       Remediation:       ALTER  USER  JOHN_SMITH  DEFAULT  ROLE  ALL   EXCEPT  X.;     GRANT  CREATE  SESSION  TO  <USER>.   Item   Configuration  Item    #   9.;     Audit:   None         1   S       1   N   102  |  P a g e     .   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   9.;       Audit:   SELECT  *  FROM  DBA_ROLE_PRIVS  WHERE     SELECT  *  FROM  DBA_TAB_PRIVS  WHERE     SELECT  *  FROM  DBA_SYS_PRIVS  WHERE       Rationale   If  application  roles  have  been  granted  to  user  then   these  roles  need  to  be  prevented  from  being  enabled   by  default  on  the  subsequent    logins.50   Proxy  Authentication   Action  /  Recommended   Parameters   Limit  the  user  schema  privileges   to  CREATE  SESSION  only.         Rationale   The  proxy  account  should  only  have  the  ability  to   connect  to  the  database.51   Proxy  role   Restrict  the  roles  that  can  be   enabled  when  privileges  are   granted  in  the  database.  No  other  privileges  should  be   granted  to  this  account.     Remediation:   REVOKE  ALL  ON  <USER>.  ensure   roles  and  privileges  created  by   that  user.e.52   Views   Action  /  Recommended   Parameters   Revoke  public  access  to  all   public  views  that  start  with  ALL_   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   Rationale   Revoke  access  to  these  views  when  possible  to   prevent  unauthorized  access  to  data  that  could  be   sensitive.  are   deleted.  are   deleted.  if  not  required.  ensure  that  the  roles  and   privileges  created  by  that  user.     Remediation:   REVOKE  ALL  ON  ALL_<NAME>  FROM  PUBLIC.53   Roles  and  Privileges   When  dropping  a  user.;     Audit:   SELECT  TABLE_NAME  FROM  DBA_TAB_PRIVS       Rationale   Dropping  a  user  (i..  if  not  required.         Note:  This  may  interfere  with  some  applications.   Item   Configuration  Item    #   9.         Audit:   None         2   S   9.       2   N   103  |  P a g e     .  DROP  USER  X  CASCADE)       Remediation:   If  a  user  is  dropped. ;     Audit:   SELECT  GRANTEE  FROM  DBA_TAB_PRIVS  WHERE       Rationale   Audit  the  DBMS_RANDOM  function  in  applications  for   improper  usage.  accessing  devices.  and  deleting   files.55   Packages   Audit  usage  of  DBMS_RANDOM   Rationale   Provides  file  system  functions  such  as  copying  files.   Item   Configuration  Item    #   9.       Remediation:   REVOKE  EXECUTE  ON  DBMS_RANDOM  TO  PUBLIC.  Replace  calls  to  these  functions   with  RANDOMBYTES.;   REVOKE  EXECUTE  ON  DBMS_BACKUP_RESTORE  TO   <USER>.54   Packages   Action  /  Recommended   Parameters   Limit  or  deny  access  to   DBMS_BACKUP_RESTORE   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   9.   altering  control  files.  Revoking  the  public  privilege  may   cause  some  applications  to  fail  it  is  suggested  that  if   the  public  execute  permission  cannot  be  revoked  the   applications  that  utilize  DBMS_RANDOM  are  carefully   audited.  session  id   generation  or  other  areas  where  a  high  degree  of   entropy  is  required.  DBMS_RANDOM  should  not  be  used  for   critical  functions  related  to  cryptography.     Remediation:   REVOKE  EXECUTE  ON  DBMS_BACKUP_RESTORE  TO   PUBLIC.;       Audit:   SELECT  GRANTEE  FROM  DBA_TAB_PRIVS  WHERE           R       2   S   104  |  P a g e     . ;     Audit:   SELECT  *  FROM  DBA_ROLES.56   Roles   Action  /  Recommended   Parameters   Password  protect  roles   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   Rationale   Role  passwords  are  useful  when  an  application   controls  whether  or  not  a  role  is  turned  on.     Remediation:   SET  ROLE  <ROLE_NAME>  IDENTIFIED  BY     <ROLE_PASSWORD>.;         2   S       105  |  P a g e     .   Item   Configuration  Item    #   9.    This   prevents  a  user  directly  accessing  the  database  via   SQL  (rather  than  through  the  application)  from  being   able  to  enable  the  privileges  associated  with  the  role.  Enterprise  Manager  /  Grid  Control  /  Agents     Item    #   10.     Remediation:   Create  a  monitor  to  track  the  size  of  file  uploads  from   the  enterprise  agent.     10.02   Enterprise  Manager   Agent  File  uploads   Monitor  the  size  of  file  uploads   from  the  enterprise  agent./emctl  status  agent  command  containing  information   regarding  the  agents  uploading  files:     Total  Megabytes  of  XML  files  uploaded  so  far  :     Number  of  XML  files  pending  upload:   Size  of  XML  files  pending  upload(MB):     Discovering  unusual  or  increased  size  of  file  uploads   could  indicate  a  malicious  agent.     Remediation:   Limit  access  to  the  Oracle  Enterprise  Management   studio.   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   Enterprise   Management  studio   mode   10.       Audit:   None     Rationale:   The  following  lines  are  some  of  the  output  from  the   .       Audit:   None         1   N       1   N   106  |  P a g e     .01   Configuration  Item   Action  /  Recommended   Parameters   Access  to  the  enterprise   management  in  studio  must  be   limited.     Rationale:   Without  limitations  on  the  enterprise  management   access  to  the  remote  agents  is  virtually  unlimited.   Item    #   10.   $IAS_HOME/sysman/config/   emoms.  i.properties         1   N       1   S   107  |  P a g e     .     browser..maxIna file  and  set  the  value  to  30     ctiveTime=time_in_minute   s   Audit:   grep   i    maxInactiveTime  \   $IAS_HOME/sysman/config/emoms.         Audit:   None     Rationale:   Configure  an  appropriate  value   for  Grid  Control  Timeout  value  in   To  prevent  unauthorized  access  to  the  Grid  Control  via   the  Oracle  Application  Server.sysman.e.    A  value  of     30  minutes  or  less  is  recommended.  utilize   Enterprise  Manager  Framework   Security  Functionality.properties   Remediation:     Edit  the   $IAS_HOME/sysman/config/emoms.       Remediation:   Enable  HTTPS  between  management  agents  and   management  services.properties   Value:   oracle.  The  default  is  45   File:   minutes.04   Grid  Control  TimeOut   Value   Rationale:   Enterprise  Manager  Framework  security  employs   secure  communication  between  the  various  Enterprise   Manager  Components.eml.       Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   Enterprise  Manager   Framework  Security   10.03   Configuration  Item   Action  /  Recommended   Parameters   Where  possible.  set  an  appropriate  timeout  value.  Some  Unix  shells.         Remediation:   For  Unix  systems.     Audit:   None         1   N       2   N         108  |  P a g e     .  This   will  isolate  the  Agent  from  the  rest  of  the  Oracle  server   in  the  event  that  is  compromised.       Separate  accounts  are  not  recommended  for  Windows   environments.  avoid   using  commands  that  contain   passwords  in  the  arguments.   Item    #   10.     Remediation:   In  command  line  mode.06   Oracle  Installation   Separate  user  account  for   Management/Intelligent  Agent     Rationale:   While  registering  an  agent  to  utilize  the  enterprise   manager  framework  security.  This  may  be  another   exposure.     Audit:   None     Rationale:   The  agent  database  accounts  must  be  separated.       Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   Enterprise  Manager   Framework  Security   10.  log   command  history  as  well.  create  a  unique  user  account  for  the   management/Intelligent  Agent  process  in  order  to   differentiate  accountability  and  file  access  controls.         The  command  can  be  captured  by  other  users  with   access  to  Unix  (via  ps)  command  or  can  be  prone  to   shoulder  surfing.  avoid  using  sensitive   command  line  arguments  for  emctl.05   Configuration  Item   Action  /  Recommended   Parameters   In  command  line  mode.  avoid  using  commands  that   contain  passwords  in  the  arguments.  like  bash.     Audit:   None     Rationale:   Automated  Memory  Manager  (AMM).01   Configuration  Item   Action  /  Recommended   Parameters   Verify  ADDM  suggestions   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   ADDM   11.  Specific  Systems     Item    #   11.  should  not  blindly   replace  the  DBA's  knowledge.     11.02   AMM   Monitor  AMM   Rationale:   Automatic  Database  Diagnostic  Monitor  (ADDM).   should  not  blindly  replace  the  DBA's  knowledge.       Remediation:   DBA's  should  verify  the  applicability  of  ADDM   suggestions  based  on  their  knowledge  of  the  database.     Audit:   None         1   N       1   N   109  |  P a g e     .         Remediation:   DBA's  should  monitor  AMM  to  ensure  memory  is  being   properly  allocated.   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   AWR   11.  update.  session   history.   Rationale:   Automatic  Workload  repository  (AWR)  is  central  to  the   whole  framework  of  self  and  automatic  management.  This  can  provide  an  additional   layer  of  access  control  to  objects  by  limiting  the  access   (select.  insert.    Trends  analysis  can  be  done   with  AWR  data.  SQL  statement   efficiency.  maintain.     Remediation:   Implement  AWR  to  record  all  database  performance   statistics  (related  to  object  usage.  SQL   statement  efficiency.     Audit:   None     Rationale:   Fine  grained  access  control  can  provide  both  column   and  row  level  security.    It   works  with  internal  Oracle  database  components  to   process.03   Configuration  Item   Action  /  Recommended   Parameters   Implement  AWR  to  record  all   database  performance  statistics   (related  to  object  usage.   Item    #   11.  delete)  within  the  object  and   should  be  used  wherever  possible.  etc)  over  a  defined  time   period.  or  scripts.     Remediation:   Evaluate  sensitive  areas  of  the  Oracle  database  and   enable  fine  grain  access  control  .    For  fine  grained   access  to  function  properly.    Queries  that  overtax  the  system  could   be  a  security  threat.  use  the  cost-­based   optimizer.04   Fine  grained  access   Use  fine  grain  access  control   within  objects.  routines.  session  history.       Audit:   None         1   N       2   N         110  |  P a g e     .  and  access  performance  statistics   for  problem  detection  and  self-­tuning.    The  statistics  are   available  to  external  users  or  performance  monitoring   tools.  etc)  over  a  defined  time   period.       Remediation:   Assign  an  administrator  or  DBA  to  review  the  log  files.  Periodically  review  logs  for  errors.  General  Policy  and  Procedures     Item    #   12.     Remediation:   Do  not  install  Oracle  on  an  Internet  facing  server   migrate  internet  facing  oracle  servers  to  a  backend  or   protected  environment.01   Oracle  alert  log  file   Review  contents   Rationale:   Oracle  must  only  be  installed  on  a  backend  system   behind  appropriate  firewalling  or  other  network   protection  systems.  large   numbers  or  exotic  errors  can  be  an  indicator  of  a   system  under  attack.     Audit:   None     Rationale:   The  Oracle  alert  log  file  must  be  regularly  reviewed  for   errors.       Audit:   None         1   N       1   N   111  |  P a g e     .00   Configuration  Item   Action  /  Recommended   Parameters   Do  not  install  Oracle  on  an   Internet  facing  server.   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   Oracle  Installation   12.     12.         Remediation:   Delete  the  scripts  from  the  database  host.     Audit:   cat  /etc/group     1   N     1   N     1   N   112  |  P a g e     .       Remediation:   Edit  /etc/group  remove  the  oracle_account  from   the  root  group     Audit:   grep  oracle_account  /etc/group     Rationale:     Review  the  membership  of  the  DBA  group  on  the  host   to  ensure  that  only  authorized  accounts  are  included.       This  must  be  limited  to  users  who  require  DBA  access.  After  the   database  has  been  created.  Having  the   Oracle  account  part  of  the  root  group  breaks  privilege   separation  and  best  security  practices.   Item    #   12.03   Unix  root  group   members  on  host   of   root  group   12.     Remediation:   Remove  unnecessary  users  from  the  DBA  group.  remove  the  scripts  or  at  a   minimum  move  them  to  a  safe  repository  area.02   Configuration  Item   Action  /  Recommended   Parameters   Remove  or  secure   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   Database  creation   scripts  on  host   12.     Audit:   None       Rationale:   The  Oracle  software  owner  account  must  not  be  a   member  of  the  root  group  on  Unix  systems.04   Oracle  DBA  group   membership  on  host   Review   Rationale:     System  creation  scripts  can  provide  an  attacker  with   valuable  information  about  the  Oracle  setup  or  instance   and  often  contain  errors.     Audit:   None     Rationale:   An  enforced  policy  must  exist  to  ensure  that  no  cron   jobs  have  sensitive  information  such  as  database   username  and  passwords.    A  privileged  process  must  be  used  to  get   and  decrypt  encrypted  passwords.06   Sensitive  information  in   Avoid  or  encrypt   cron  jobs  on  host   Rationale:   Revealing  username  and  password  information  in  the   process  list  will  give  anyone  able  to  perform  a  process   listing  a  valid  set  of  user  credentials  for  the  Oracle   database.       Audit:   None         1   N       1   N   113  |  P a g e     .     Remediation:   Encrypt  passwords  used  in  cron  on  batch  jobs.05   Configuration  Item   Action  /  Recommended   Parameters   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   Sensitive  information  in   Avoid  or  encrypt   process  list  on  host   12.    A  privileged  process  must   be  used  to  get  and  decrypt  encrypted  passwords.       Remediation:   An  enforced  policy  must  exist  to  ensure  that  no  scripts   are  running  that  display  sensitive  information  in  the   process  list  such  as  the  Oracle  username  and   password.   Item    #   12. 08   Sensitive  information  in   Avoid  or  encrypt   environment  variables   on  host   Rationale:   An  enforced  policy  must  exist  to  ensure  that  no  at  jobs   (or  jobs  in  Windows  scheduler)  have  sensitive   information  such  as  database  username  and   passwords.     Audit:   None     Rationale:   An  enforced  policy  must  exist  to  ensure  that  no  users   have  unencrypted  sensitive  information  such  as   database  username  and  passwords  set  in  environment   variables.     Remediation:   Encrypt  password  used  for  scheduled  jobs  and  scripts.       Audit:   None         1   N       1   N   114  |  P a g e     .     Remediation:   Do  not  store  sensitive  password  in  environment   variables  on  the  host.   Item    #   12.07   Configuration  Item   Action  /  Recommended   Parameters   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   Sensitive  information  in   Avoid  or  encrypt   at  jobs  (or  jobs  in   Windows  scheduler)  on   host     12.    A  privileged  process  must  be  used  to  get   and  decrypt  encrypted  passwords.    A  privileged  process  must  be  used  to  get   and  decrypt  encrypted  passwords.       Remediation:   Only  put  database  files  on  file  systems  exclusively  used   by  Oracle.09   Configuration  Item   Action  /  Recommended   Parameters   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   Sensitive  information  in   Avoid  or  encrypt   batch  files  on  host   12.     Audit:   None         1   N       1   S       1   S   115  |  P a g e     .     Remediation:   Do  not  store  sensitive  passwords  in  batch  scripts  on   the  host.11   File  systems   Separate  Oracle  files  from  non-­ Oracle  files   Rationale:   An  enforced  policy  must  exist  to  ensure  that  no  batch   files  have  sensitive  information  such  as  database   usernames  and  passwords.   redo  logs.  data  files.       Remediation:   Split  the  location  of  the  Oracle  software  distribution.  Oracle  files  must  not  be  on  the  same   partition  as  the  operating  system.10   Oracle  file  locations   Separate  for  performance   12.  and  index  files  are  not  properly   distributed  a  single  disk  failure  will  cause  an  Oracle   outage  and  make  recovery  difficult.   Item    #   12.  data.  and  indexes  onto  separate  disks   and  controllers  for  resilience.       Audit:   None     Rationale:   If  the  redo.    A  privileged  process  must   be  used  to  get  and  decrypt  encrypted  passwords.     Audit:   None     Rationale:   Isolating  the  Oracle  files  onto  a  separate  partition   enables  easier  privilege  and  permissions  management.  Store  the  checksum  results  upon   creation  and  update  of  the  stored  procedure.12   Configuration  Item   Action  /  Recommended   Parameters   Implement   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   Optimal  Flexible   Architecture   12.psql     Audit:   sha1sum  pl_file.psql         1   N       1   N   116  |  P a g e     .   periodically  check  for  alterations.     Remediation:   sha1sum    pl_file.   Item    #   12.     Audit:   None     Rationale:   Maliciously  altered  stored  procedures  can  compromise   Oracle  or  system  security  and  can  go  undetected  if  not   properly  audited.13   Checksum  PL/SQL   code   Implement   Rationale:   Systems  that  are  flexible  and  easy  to  understand   reduce  administration  complexity  and  increase  overall   manageability  and  security.       Remediation:   Follow  the  Oracle  Optimal  Flexible  Architecture   guidelines  to  provide  for  consistency  and  ease  of   administration.  data  warehouses.15   Ad-­hoc  queries  on   production  databases   Avoid   Rationale:   Maliciously  altered  objects  can  compromise  Oracle  or   system  security  and  can  go  undetected  if  not  properly   audited.    This   recommendation  may  not  be  suitable  for  all   environments.   reload.  for  example.  Test  all   queries  and  provide  an  application  interface  for   exercising  queries  on  production  databases.     Audit:   None     Rationale:   Ad-­hoc  queries  are  a  direct  vector  for  creating  denial  of   service  conditions  and  possible  exploitation  of  the   Oracle  database.   Item    #   12.     Remediation:   Store  the  results  of  the  time  stamps  of  the  creation.       Audit:   None         1   N       1   N   117  |  P a g e     .       Remediation:   Disallow  ad-­hoc  queries  on  production  databases.  and  compilation  of  database  objects  and  review   the  results  regularly  to  ensure  no  unauthorized   changes  have  occurred.14   Configuration  Item   Action  /  Recommended   Parameters   Monitor   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   All  database  objects   12.     Audit:   None       Rationale:   Allowing  unauthorized  application  access  will  result  in   information  theft  and  possible  remote  compromise  of   the  Oracle  database.    In  a   cluster  environment  (RAC  or  OPS)  RSH  and  RCP  are   required  between  the  nodes  for  the  Oracle  software   owner.17   Applications  with   database  access   Review   Rationale:   All  remote  access  from  users  and  administrators  to  the   Oracle  host  must  be  encrypted.       Remediation:   If  remote  shell  access  is  required.  the   access  must  be  restricted  by  user  and  host.     Audit:   None         1   N       1   N   118  |  P a g e     .   Item    #   12.16   Configuration  Item   Action  /  Recommended   Parameters   Encrypt  session   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   Remote  shell  access   on  host   12.  use  SSH  or  a  VPN   solution  to  ensure  that  session  traffic  is  encrypted.    In  the  case  of  a  cluster  environment.  An  attacker  on  the  local   network  can  sniff  or  intercept  unencrypted  sessions.       Remediation:   Review  and  control  which  applications  access  the   database.     Audit:   None       1   N       1   N   119  |  P a g e     .18   Configuration  Item   Action  /  Recommended   Parameters   Separate  server  from  production   database   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   Location  of   development  database   12.  Test  environments  generally  have  lax   security  and  mirror  production  systems.  and  security  best  practices   require  production  and  test  environments  to  be   separate.     Audit:   None     Rationale:   Regulatory.  place  production  databases  on  a  different   network  segment  from  test  and  development   databases.   Item    #   12.       Remediation:   Test  and  development  databases  must  not  be  located   on  the  same  server  as  the  production  system.19   Network  location  of   production  and   development   databases   Separate   Rationale:   Regulatory.  and  security  best  practices   require  production  and  test  environments  to  be   separate.  compliance.       Remediation:   If  possible.  Test  environments  generally  have  lax   security  and  mirror  production  systems.  These  can   provide  a  staging  point  or  attack  vector  for  a  malicious   user  if  hosted  in  a  single  network.  These  can   provide  a  staging  point  or  attack  vector  for  a  malicious   user  if  hosted  in  a  single  environment.  compliance. 21   Access  to  production   databases   Avoid  access  from  development   or  test  databases   12.   and  security  best  practices.       Audit:   None           1   N       1   N       1   N   120  |  P a g e   .   Item    #   12.       Remediation:   Database  access  from  development  and  test   databases  to  production  databases  must  be  prohibited.     Audit:   None     Rationale:   Developers  must  not  have  direct  access  to  production   databases.       Remediation:   Remove  login  or  authentication  means  for  direct   developer  access.  Production  and  test  database  should   remain  separate  then  synced  when  necessary.       Remediation:   Check  for  evidence  of  development  occurring  on   production  databases.22   Developer  access  to   production  databases   Disallow   Rationale:   Development  of  applications  on  production  databases   violates  security  best  practices  and  leaves  debugging   and  other  information  useful  to  an  attacker  on  the   production  host.20   Configuration  Item   Action  /  Recommended   Parameters   Prevent  development  on   production  databases   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   Monitor  for   development  on   production  databases   12.  Allowing  developers  direct  access  to   production  databases  violates  regulator.  compliance.     Audit:   None     Rationale:   Allowing  a  user  to  alter  a  production  database  from  a   development  or  test  environment  creates  a  vector  for   an  attacker.     Remediation:   userdel  <account>     Audit:   cat  /etc/passwd     Rationale:   If  test  or  development  databases  are  created  from   backups  or  exports  of  the  production  system.   Item    #   12.     Remediation:   Maintain  separate  user  accounts  for  test  and   production  databases  and  hosts.25   Databases  created   from  production   systems   Remove  sensitive  data   Rationale:   Remove  any  developer  accounts  that  exist  in  the   production  database.24   Databases  created   from  production   exports   Change  passwords   12.       Audit:   None     Rationale:   If  test  or  development  databases  are  created  from   backups  or  exports  of  the  production  system.     Audit:   None           1   N       1   N       1   N   121  |  P a g e   .  or  other  sensitive   data.  all   passwords  must  be  changed  before  granting  access  to   developers  or  testers.23   Configuration  Item   Action  /  Recommended   Parameters   Remove  developer  accounts   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   Developer  accounts  on   production  databases   12.  Clear  tables   that  contain  PII.  password  hashes.     Remediation:   Remove  all  sensitive  data  from  production  hosts  before   granting  access  to  tester  and  developers.  all   sensitive  data  (such  as  payroll  information)  must  be   removed  before  granting  access  to  developers  or   testers. 28   Disaster  recovery   procedures   Review   Rationale:   Create  and  regularly  review  procedures  for  account   management.    This  must  include  the  creation  of  new   user  accounts.       Remediation:   Adoption  of  a  change  management  system.   Item    #   12.   and  handling  of  dormant  or  inactive  accounts.     Remediation:   Review  the  disaster  recovery  procedures.27   Change  Control   Document  and  enforce  change   control  procedures   12.26   Configuration  Item   Action  /  Recommended   Parameters   Document  and  enforce  account   management  procedures   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   Account  Management   12.     Remediation:   Document  the  system  of  controls  and  checks  that   surround  management  procedures.  moving  a  user  to  a  new  group  or  role.       Audit:   None     Rationale:   Disaster  recovery  procedures  must  be  fully   documented  and  regularly  tested.       Audit:   None     Rationale:   Create  and  regularly  review  procedures  for  new   applications  that  access  the  database  and  change   control  management  procedures  for  releasing   development  code  into  production.  Utilization  of  ticketing   system  or  other  Change  management  system  will  help   facilitate  this  process.       Audit:   None         1   N       1   N       1   N   122  |  P a g e     .    Monitor  the  addition   of  new  users  and  access  rights. 31   Screen  saver   Set  screen  saver/lock  with   password  protection  of  15   minutes.     Audit:   None         1   N       1   N       1   N   123  |  P a g e     .29   Configuration  Item   Action  /  Recommended   Parameters   Eliminate   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   Backdoors   12.     Audit:   None     Rationale:   Desktop  screens  left  unlocked  create  a  vector  for   attacker  to  take  control  of  the  access  granted  to  the   user.  and  IP  addresses  to  newsgroups  and   mailing  lists  must  not  be  allowed.  15  minutes   must  be  set  as  the  standard.   Rationale:   Tight  change  control  management  procedures  and   checksums  of  the  source  code  can  help  prevent   backdoors  into  the  database.30   Public  dissemination  of   database  information   Disallow   12.       Remediation:   The  posting  of  database  information  such  as  SIDs.     Remediation:   Review  or  audit  source  code  both  in  development  and   deployed  to  production  systems.       Remediation:   If  an  organizational  policy  does  not  exist.       Audit:   None     Rationale:   Exposing  internal  configuration  information  gives  an   attacker  a  list  of  targets  and  vectors  into  the  Oracle   environment.   hostnames.   Item    #   12. ora       Audit:   None     Rationale:   Excessive  or  exotic  errors  may  be  an  indicator  of  a   system  or  database  under  attack.  Proper  log  auditing   and  review  is  a  must  to  maintain  system  integrity.ora  when   distributing  to  clients   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   Distribution  of   tnsnames.  ensure  that  only  necessary  entries  are  included  in   the  file  when  distributing  to  clients.34   Access  to  database   objects  by  a  fixed  user   link   Disallow   Rationale:   If  clients  connect  to  the  database  using  tnsnames.33   Event  and  System   Logs   Monitor   12.  Providing  additional   information  about  database  configuration  provides  a  list   of  hosts  and  instances  to  target  and  violates  security   best  practices.ora  files  to   clients   12.       Remediation:   Remove  username  and  password       Audit:   None           1   N       1   N       1   N   124  |  P a g e   .       Remediation:   Remove  entries  from  tnsnames.       Remediation:   Windows  Event  Logs  and  Unix  System  logs  must  be   regularly  monitored  for  errors  related  to  the  Oracle   database.   Item    #   12.32   Configuration  Item   Action  /  Recommended   Parameters   Include  only  necessary   tnsnames.ora   files.  Anyone  with   permissions  or  rights  to  view  the  hard  coded  username   or  password  exposes  that  account  to  unnecessary  risk.     Audit:   None     Rationale:   Fixed  user  database  links  that  have  a  hard  coded   username  and  password  must  be  avoided. 35   Configuration  Item   Action  /  Recommended   Parameters   Oracle  software  owner  account   name  NOT     Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   Oracle  Installation   12.    The   requirement  for  the  Management/Intelligent  Agent   process  is  listed  in  section  10  of  this  document.   the  Oracle  http  server.  and  the  database  process   accounts  must  be  separate.36   Oracle  Installation   Separate  users  for  different   components  of  Oracle   Rationale:     Do  not  name  the  Oracle  software  owner  account    and  used  in  many   automated  attacks  and  brute  forcing  tools.     Audit:   None       2   S     2   N   125  |  P a g e     .   Item    #   12.  In  the  event  that  an  Oracle   service  is  compromised  privilege  separating  each   service  will  help  reduce  the  damage  an  attacker  can   perform.    The  listener.       Remediation:   For  Unix  systems.  create  unique  user  accounts  for   each  Oracle  process/service  in  order  to  differentiate   accountability  and  file  access  controls.    Separate  accounts  are  not   recommended  for  Windows  environments.     Remediation:   Upon  oracle  installation  create  a  separate  user  account   with  the  username  other  than  Oracle.       Audit:   None       Rationale:   Properly  privilege  separate  user  accounts  associated   with  each  Oracle  service. 37   Configuration  Item   Action  /  Recommended   Parameters   Create  processes  to  alert   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   Alerts  on  high  priority   incidents   12.   Item    #   12.  OAS  solutions  include  IPSec  and   mutually  authenticated  SSL.     Audit:   None     Rationale:   Traffic  sent  unencrypted  across  a  network  can  be   monitored  and  intercepted       Remediation:   If  appropriate  to  the  environment.       Audit:   None         2   N       2   N       2   N   126  |  P a g e     .  do   not  use  the  Intelligent  Agent.  implement  Oracle   Advanced  Security  to  encrypt  all  traffic  between  the   client  and  server.       Remediation:   If  the  database  server  is  accessible  via  the  Internet.     Remediation:   Create  processes  to  monitor  and  alert  on  high  priority   incidents.     Audit:   None     Rationale:   Intelligent  agents  provide  a  direct  management   interface  to  the  Oracle  database.39   Network   Implement  if  appropriate   Rationale:   Monitoring  high  priority  incidents  will  help  in  the  event   of  a  security  incident.    This  may  not  be  practical   for  OEM  or  SNMP  monitored  databases.38   Intelligent  agent   Do  not  use   12. 42   Decommissioned   applications   Remove  all  components   Rationale:   The  wrap  program  provided  by  Oracle  encodes  the   PL/SQL  source  code  but  does  not  encrypt  it.       Remediation:   Ensure  that  all  associated  binaries.     Remediation:   Encrypt  the  PL/SQL  code.       Audit:   None     Rationale:   Failure  to  remove  all  privileges  once  an  application  has   been  removed  from  an  Oracle  database  widens  the   attack  surface  and  can  provide  unmonitored  access  for   an  attacker.   Item    #   12.   passwords.40   Configuration  Item   Action  /  Recommended   Parameters   Encrypt   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   Application  PL/SQL   code   12.       Remediation:   Avoid  hardcoded  data  in  code.     Audit:   None         2   N       2   N       2   N   127  |  P a g e     .  Strip  all  sensitive  information  from   PL/SQL  code  before  storage  into  a  repository.   PL/SQL  code  is  often  viewable  by  many  users  of  the   Oracle  system  and  stored  in  code  repositories.41   Hard  coded  data  in   PL/SQL  and   application  source   code   Avoid  or  encrypt   12.  and  access  rights  are  removed  when   applications  are  decommissioned.  batch   process.  do  not  rely  on  the  wrap   functionality  to  protect  highly  sensitive  information.  or  other  critical  data  in  the  PL/SQL  code.  users.  Use  a  secure  data   storage  mechanism.       Audit:   None   Rationale:   Do  not  use  unencrypted  hard  coded  usernames. 45   Enabling  of  batch   process  account   Time  enabled   Rationale:   Applications  must  not  alter  the  database  schema.44   Host  and  Application   Monitoring  Software.     Remediation:   Only  allow  updates  of  the  database  schema  though  a   DBA  or  approved  change  management  system.       Remediation:   The  account  that  is  used  to  run  batch  processes  must   be  enabled  only  during  the  time  that  the  batch   processes  run.  This  includes   operations  management  consolidation  suites.   Review   12.43   Configuration  Item   Action  /  Recommended   Parameters   Disallow   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   DDL  statements  in   application   12.         Audit:   None     Rationale:   Allowing  the  batch  account  to  remain  active  widens  the   system  attack  surface  and  may  lead  to  unauthorized   access  of  the  Oracle  database.       Audit:   None     Rationale:   Any  remote  access  to  the  database  host  must  be   controlled  by  an  application  level  firewall.   Item    #   12.     Audit:   None         2   N       2   N       2   N   128  |  P a g e     .     Remediation:   Block  unnecessary  ports  used  for  monitoring  and   remote  interfaces  to  the  Database. 46   Configuration  Item   Action  /  Recommended   Parameters   Secure   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   Passwords  for  batch   processes   12.     Remediation:   Remove  passwords  from  batch  files  and  scripts.       Audit:   None         2   N       2   N       2   N   129  |  P a g e     .48   User  permissions   Review   Rationale:   Passwords  for  batch  processes  must  not  be  a   command  line  parameter  or  an  environment  variable.   Item    #   12.     Remediation:   Restrict  test  development  databases.       Audit:   None     Rationale:   Review  and  test  development  databases  for  users  with   excess  permissions  not  granted  in  production.;  ensure   that  passwords  are  not  set  as  environment  variables.       Audit:   None     Rationale:   External  accounts  used  for  batch  processes  allow  a   simple  way  to  access  the  database.47   External  account   access  for  batch   processes   Disallow   12.     Remediation:   Forbid  the  usage  of  batch  process  to  access  the  Oracle   database. 51   Remote  Administration   of  Listener   Use  encryption  if  remote   administration  is  required.       Remediation:   Use  a  host  based  Intrusion  Detection  System  on  the   server  hosting  the  Oracle  database.49   Configuration  Item   Action  /  Recommended   Parameters   Review   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   Procedures  for  backup   tape  retrieval   12.  set  the  SSL  protocol  as  the  first   protocol  in  listener.ora.   Item    #   12.       Remediation:   Ensure  the  procedures  for  backup  tape  retrieval  are   documented  and  are  adequate  to  prevent  social   engineering  attacks  to  steal  data.  configure  the  listener  to  have  a   TCPS  (SSL)  port.g.IPC)     Audit:   None         2   N       2   N       2   N   130  |  P a g e     .     Remediation:   SECURE_CONTROL_listener_name=(TCPS.   Rationale:   Loss  of  a  tape  can  compromise  other  measures  taken   to  protect  database  information.     Audit:   None     Rationale:   A  host  based  intrusion  detection  system  provides   another  layer  of  defense  for  the  Oracle  server.50   Intrusion  detection   system  on  host   Utilize   12.     Audit:   None     Rationale:   If  remote  administration  of  a  listener  via  the  listener   utility  is  required.  e.  no  administration  through  SSH   or  MS  Terminal  Server..    If  the  listener  is  configured  to  use   multiple  protocols.    If  SSL  is   not  possible.53   Policy  Caching   Policy  caches  must  be  purged.   Item    #   12.  use  OAS  native  encryption/integrity  with  a   host  firewall.     Audit:   None     Rationale:   Policy  caches  can  potentially  store  information  that   could  be  used  to  compromise  the  database  and  may   accessible  outside  of  Oracle  and  beyond  the  control  of   the  security  parameters.       Audit:   None         2   N       2   N   131  |  P a g e     .  SSL   or  OAS  .     Protect  the  administrative  listener  with  IPSec  ESP.  and  a  host  firewall..  otherwise  SSL  and  host-­based  firewall.    Preference  of  implementation  is  IPSec   ESP.  protected  by  IPSec.     Remediation:   Purge  policy  caches.     Protect  the  administrative   listener  with  IPSec  ESP  or  OAS   SSL  and  a  host-­based  firewall.     Remediation:   Create  separate  listeners  for  clients  and  administration.  could   allow  administrators  access  to  the  server  if  the  client   listener(s)  fail.      Access  must  be  limited  to  specific   administrative  workstations.  Hence  this  can  defeat  row   level  security..   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   Multiple  listeners   12.52   Configuration  Item   Action  /  Recommended   Parameters   Create  separate  listeners  for   clients  and  administration.   Rationale:   An  administrative  listener.   12.     Audit:   None     Rationale:   Whenever  utilizing  silent  installs.   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   Policy  Functions   12.     Remediation:   Users  should  not  have  EXECUTE.   alter  or  drop  privileges  on  policy   functions.       Remediation:   Connections  between  Data  Guard  servers  should  be   authenticated  using  SSL  certificates     Audit:   None         2   N       2   N       2   N   132  |  P a g e     .  Oracle  Installer.     Remediation:   Remove  all  passwords  post  installation.       Audit:   None     Rationale:   Strong  authentication  using  certificates  provides  both   security  and  identification  of  endpoints  for  the   DataGuard  service.   Item    #   12.   ensure  configuration  files  do  not  contain  password   values  after  the  installation  completes.54   Configuration  Item   Action  /  Recommended   Parameters   Users  should  not  have  execute.e.  ALTER  or  DROP   privileges  on  policy  functions.56   DataGuard  Auth   Authenticate  Data  Guard  with   SSL  Certificates   Rationale:   The  ability  to  manipulate  policy  functions  could  be  used   to  defeat  row  level  security.55   Passwords   Remove  password  parameters   from  configuration  files  utilized   for  Silent  Installations.  i..  Not  sanitizing  packages  may  result  in   leaking  of  sensitive  information  to  Oracle.     Audit:   None     Rationale:   Connections  sent  across  the  network  unencrypted  can   be  monitored  and  intercepted  exposing  sensitive   information.       Remediation:   If  possible  configure  Data  Guard  for  Maximum   Protection  to  ensure  that  zero  data  loss  occurs  if  a   primary  database  fails.       Remediation:   Ensure  the  minimal  amount  of  sensitive  information  is   sent  to  Oracle  and  destroy  Incident  Packages  after   submission.   Item    #   12.57   Configuration  Item   Action  /  Recommended   Parameters   Select  Maximum  Protection     Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   Data  Guard  Mode   12.59   Incident  Packages   Ensure  Incident  Packages  are   destroyed  or  properly  protected   after  upload  to  Oracle.       Audit:   None     Rationale:   Sensitive  information  may  be  contained  in  incident   packages.       Audit:   None         2   N       2   N       2   N     133  |  P a g e     .     Rationale:   Loss  of  data  can  result  in  the  loss  of  system  integrity  or   audit  trails.       Remediation:   Connections  for  Redo  services  should  be  authenticated   using  SSL  certificates.  Setting  Data  Guard  to  maximum  mode   ensures  no  information  is  lost  in  the  event  of  a  failure.58   Data  Guard  Redo   Authenticate  Redo  Transport   Services  using  SSL  Certificates   12.  they  should   be  dropped.01   Auditing   13.02   Auditing   Trap  autonomous  transactions   Rationale:   Leaving  additional  schemas  in  the  database  can   provide  an  attacker  with  additional  details  about  the   currently  used  Oracle  system  or  contain  sensitive   information.  After  verification.       13.     Remediation:   Unused  schemas  should  be  first  audited  to  ensure  that   they  are  in  fact  unused.     Remediation:   None     Audit:   None         2   N       2   N   134  |  P a g e     .  Auditing  Policy  and  Procedures     Item    #   Configuration  Item   Action  /  Recommended   Parameters   Unused  schemas  should  be   dropped   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   13.         Audit:   None     Rationale:   This  will  ensure  that  audit  captures  actions  performed   by  users  even  if  they  are  later  rolled  back.  AUDIT  SELECT  ON  TABLE  WHENEVER  NOT   SUCCESSFUL     Audit:   SELECT  *  FROM  DBA_OBJ_AUDIT_OPTS  WHERE           2   S       2   S   135  |  P a g e     .   Item    #   Configuration  Item   Action  /  Recommended   Parameters   Audit  all  logons  and  logoffs.   Audit  by  ACCESS  WHENEVER   NOT  SUCCESSFUL.     Rationale:   Auditing  by  SESSION  will  only  show  a  single  audit   event  for  an  attempt.  By  logging  unsuccessful  attempts   any  SQL  statement  attempting  to  access  the  table  will   be  recorded.  SUCCESS.   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   13.  This  could  provide  a  record  of   unauthorized  attempts  to  access  sensitive  data.03   Auditing   13.     Remediation:   Ex.   Rationale:   Auditing  logon  and  logoff  events  may  provide  additional   information  for  isolating  the  cause  of  security  incidents.  FAILURE  FROM   DBA_PRIV_AUDIT_OPTS  WHERE       Note:  This  is  audited  by  default  when  default  security   settings  are  enabled.04   Auditing   Audit  for  unsuccessful  attempts.       Remediation:   AUDIT  CREATE  SESSION     Audit:   SELECT  USER_NAME. ;     Audit:   SELECT  policy_name  FROM   DBA_AUDIT_POLICIES.  a   procedure  could  perform  an  action  such  as  sending  an   e-­mail  alert  to  an  auditor  when  a  user  selects  a  certain   row  from  a  table.ADD_POLICY(   <Policy  config>   ).    For  instance.  column  specific  sensitivity.   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   13.  use  enhanced   capabilities  of  Fine-­Grained   Auditing.  engage  and  use   the  Fine-­Grained  Auditing  (FGA)   feature.  SQL   capturing.   Rationale:   The  flexibility.ADD_POLICY(   <Policy  config>   ).05   Auditing   13.   Therefore.  and  event  handler  capabilities  of  FGA   provide  auditors  and  security  personnel  with  valuable   information.  it  should  not  add  a  significant  burden  to  the   size  of  audit  records.06   Auditing   Where  appropriate  or  required   by  security  or  legal   requirements.   Item    #   Configuration  Item   Action  /  Recommended   Parameters   Where  appropriate  or  required   by  security  or  legal   requirements.     Remediation:   DBMS_FGA.  or  it  could  write  to  a  different  audit   trail.     Remediation:   DBMS_FGA.;     Rationale:   FGA  has  the  ability  to  execute  event  driven  procedures   that  may  allow  security  and  operations  teams  to  receive   real  time  indications  of  threats.     Note:  The  FGA  record  entry  can  be  pre-­qualified.;     Audit:   SELECT  policy_name  FROM   DBA_AUDIT_POLICIES       2   S       2   S   136  |  P a g e     . 09   Auditing   Audit  any  CREATE  statement   Rationale:   Unauthorized  table  alters  can  results  in  application   failures  or  be  the  precursor  to  an  attack.       Remediation:   AUDIT  ALTER  USER.  will  provide  a  record  of  events  that  may  be   useful  when  investigating  security  events.07   Auditing   13.;     Audit:   SELECT  *  FROM  DBA_STMT_AUDIT_OPTS  WHERE           2     S       2     S       2     S   137  |  P a g e     .;     Rationale:   Auditing  the  creation  of  objects.       Remediation:   Audit  ALTER  ANY  table.;     Audit:   SELECT  *  FROM  DBA_STMT_AUDIT_OPTS  WHERE   .       Remediation:     AUDIT  CREATE  ANY  <object>.08   Auditing   Audit  ALTER  USER   13.;     Audit:   SELECT  *  FROM  DBA_STMT_AUDIT_OPTS  WHERE   .   Item    #   Configuration  Item   Action  /  Recommended   Parameters   Audit  ALTER  ANY  TABLE   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   13.;       Rationale:   Unauthorized  user  alters  can  results  in  application   failures.  such  as  tables  or   databases.  hijacked  credentials.  or  be  the  precursor  to  an   attack. ;     Audit:   SELECT  *  FROM  DBA_STMT_AUDIT_OPTS  WHERE       Rationale:     Auditing  the  creation  of  users  will  provide  a  record  to   ensure  the  appropriate  use  of  account  administration   privileges.  This  information  is  also  useful  when   investigating  certain  security  events.11   Auditing   Audit  CREATE  USER   13.  This  information  is  also  useful   for  debugging  application  and  user  session  failures.  This  information  is  also  useful  when   investigating  certain  security  events.;     Audit:   SELECT  *  FROM  DBA_STMT_AUDIT_OPTS  WHERE             2     S       2     S       2   S   138  |  P a g e     .;     Audit:   SELECT  *  FROM  DBA_STMT_AUDIT_OPTS  WHERE       Rationale:     Audit  the  use  of  CREATE  SESSION  for  successful  or   unsuccessful  operations.       Remediation:   AUDIT  CREATE  USER.   Item    #   Configuration  Item   Action  /  Recommended   Parameters   Audit  CREATE  ROLE   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   13.10   Auditing   13.     Remediation:   AUDIT  CREATE  SESSION.       Remediation:   AUDIT  CREATE  ROLE.12   Auditing   Audit  CREATE  SESSION   Rationale:   Auditing  the  creation  of  roles  will  provide  a  record  to   ensure  the  appropriate  use  of  account  administration   privileges.   Item    #   Configuration  Item   Action  /  Recommended   Parameters   Audit  any  DROP  statement   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   13.  Auditing  the   removal  of  database  procedures.15   Auditing   Audit  DROP  ANY  TABLE   Rationale:     Auditing  the  removal  of  database  objects.     Remediation:   AUDIT  DROP  ANY  PROCEDURE.14   Auditing   Audit  DROP  ANY  PROCEDURE   13.     Remediation:   AUDIT  DROP  {PRIV}.;     Audit:   SELECT  *  FROM  DBA_STMT_AUDIT_OPTS  WHERE             2     S       2   S       2   S   139  |  P a g e     .13   Auditing   13.  will  provide  a  record  of  events  that   may  be  useful  when  investigating  security  events.  Auditing  the   removal  of  database  tables.  will  provide  a  record  of   actions  that  may  be  useful  when  investigating  security   events.;     Audit:   SELECT  *  FROM  DBA_STMT_AUDIT_OPTS  WHERE       Rationale:   Audit  the  use  of  DROP  ANY  PROCEDURE.;     Audit:   SELECT  *  FROM  DBA_STMT_AUDIT_OPTS  WHERE       Rationale:   Audit  the  use  of  DROP  ANY  TABLE.  will  provide  a  record   of  actions  that  may  be  useful  when  investigating   security  events.     Remediation:   AUDIT  DROP  ANY  TABLE.  such  as   tables  or  databases. ;     Audit:   SELECT  OBJECT_NAME.16   Auditing   13.  INS.;     Audit:   SELECT  *  FROM  DBA_STMT_AUDIT_OPTS  WHERE       Rationale:   Auditing  failed  inserts  may  provide  be  useful  when   investigating  certain  security  events.     Remediation:   AUDIT  INSERT  ON  objectname  WHENEVER  NOT   SUCCESSFUL.   Item    #   Configuration  Item   Action  /  Recommended   Parameters   Audit  GRANT  ANY  PRIVILEGE   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   13.;           2     S       2     S       2   S   140  |  P a g e   .   This  information  is  also  useful  when  investigating   certain  security  events.17   Auditing   Audit  GRANT  ANY  ROLE   13.  such  as  SQL   injections  attempts.  FROM   DBA_OBJ_AUDIT_OPTS.   This  information  is  also  useful  when  investigating   certain  security  events.       Remediation:   AUDIT  GRANT  ANY  ROLE.;     Audit:   SELECT  *  FROM  DBA_STMT_AUDIT_OPTS  WHERE       Rationale:   Auditing  the  grants  will  provide  a  record  to  ensure  the   appropriate  use  of  account  administration  privileges.18   Auditing   Audit  INSERT  failures   Rationale:   Auditing  the  grants  will  provide  a  record  to  ensure  the   appropriate  use  of  account  administration  privileges.       Remediation:   audit  GRANT  ANY  PRIVILEGE. 20   Auditing   Audit  SELECT  ANY   DICTIONARY   Rationale:   Audit  EXECUTE  PROCEDURE  failures  attempted  into   critical  data  objects.;     Audit:   SELECT  *  FROM  DBA_STMT_AUDIT_OPTS  WHERE   AUDIT_OPTI     Rationale:   Audit  the  use  of  the  SELECT  ANY  DICTIONARY.19   Auditing   13.     Remediation:   AUDIT  SELECT  ANY  DICTIONARY.   Auditing  SELECT  ANY  DICTIONARY  will  provide  a   record  of  access  to  DICTIONARY  views.;     Audit:   SELECT  *  FROM  DBA_STMT_AUDIT_OPTS  WHERE           2   S       2   S   141  |  P a g e     .   Item    #   Configuration  Item   Action  /  Recommended   Parameters   Audit  EXECUTE  PROCEDURE   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   13.  Auditing  the  EXECUTE   PROCEDURE  will  provide  a  record  of  the  procedures   that  were  executed  and  by  whom.  This  information  is   also  useful  when  investigating  a  security  event       Remediation:   AUDIT  EXECUTE  PROCEDURE.  This   information  is  also  useful  when  investigating  a  security   event.   Specific  database  application  components  may  contain   sensitive  information  and  require  more  scrutiny  or   certain  events  to  alarm  when  triggered.22   Auditing   13.  Evaluate   applications  on  a  case  by  case  basis  and  create  where   appropriate.23   Auditing   Rationale:   Audit  the  use  of  the  GRANT  ANY  OBJECT.  This  information  is  also  useful   when  investigating  certain  security  events.  logoff.  Auditing  the   grants  will  provide  a  record  of  the  scope  of  the  user   object  rights  to  ensure  the  appropriate  use  of  account   administration  privileges.;     Audit:   SELECT  *  FROM  DBA_STMT_AUDIT_OPTS  WHERE       Rationale:   Logon.  and  other  information.   Item    #   Configuration  Item   Action  /  Recommended   Parameters   Audit  GRANT  ANY  OBJECT   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   13.         Remediation:   AUDIT  GRANT  ANY  OBJECT.  database  start  or   stop.21   Auditing   13.     Audit:     None         2   S       2   S       2   N   142  |  P a g e     .       Remediation:   Create  triggers  against  all  tables  and  system  events   that  are  meaningful  to  the  database  and  application.;     Audit:   SELECT  *  FROM  DBA_STMT_AUDIT_OPTS  WHERE       Audit  CREATE  {ANY}  LIBRARY   Rationale:   Audit  the  use  of  the  CREATE  LIBRARY  PRIVILAGE     Remediation:   AUDIT  CREATE  LIBRARY. AUD$  BY  ACCESS.     Remediation:   AUDIT  ALL  ON  SYS.  timely  reviews  of  the  collected  audit   information  must  be  done  to  ensure  system  security   and  integrity.24   Auditing   13.;     Audit:   SELECT  *  FROM  DBA_OBJ_AUDIT_OPTS  WHERE           2   N       2   N       2   S   143  |  P a g e     .26   Auditing   Rationale:   If  specific  rows  of  data  need  to  be  audited  create   triggers  to  alarm  on  auditable  events.       Remediation:   Assign  administrative  or  DBA  time  to  review  report   generation  logic.       Audit:   None     Set  AUDIT  ALL  ON  SYS.     Audit:     None     Rationale:   Review  procedures  and  reports   to  review  audit  logs   Regular.AUD$  BY  ACCESS.   Item    #   Configuration  Item   Action  /  Recommended   Parameters   Use  triggers  to  implement  row   level  auditing   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   13.  This  will  reduce   the  overall  system  resources  for  auditing  specific  tables   and  help  reduce  false  alarms.       Remediation:   Use  triggers  to  enforce  row  level  auditing  for  important   data.   attempts  to  alter  the  audit  trail  will  be  audited.25   Auditing   13.AUD$   Rationale:   BY  ACCESS   By  setting  AUDIT  ALL  ON  SYS.    Only   applicable  if  the  audit  trail  parameter  is  set  to  DB  or   TRUE.     Audit:   None         2   N       2   N         144  |  P a g e     .       Remediation:   Audit  any  XML  DB  or  PL/SQL  procedures  that  have   been  exposed  as  web  services.27   Auditing   13.     Audit:   None     Rationale:   Legacy  procedures  that  are  designed  for  internal  usage   only  are  often  exposed  as  web  services.  Both  the   legacy  status  and  expansion  of  the  attack  surface  can   lead  to  their  exploitation.28   Auditing   Audit  Exposed  Web  Services   Rationale:   Archive  and  delete  the  audit  trail  as  necessary  or  in  line   with  local  data  administration  policies.       Remediation:   Review  the  purging  procedures  to  ensure  that  the  audit   trail  is  purged  regularly.  The  audit  trail   can  consume  substantial  system  resources  leading  to  a   denial  of  services.   Item    #   Configuration  Item   Action  /  Recommended   Parameters   Regularly  purge  the  audit  trail   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   13.   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   14.     Remediation:   Where  possible  enable  and  apply  Oracle  label  security.     Audit:   None         2   N   145  |  P a g e     .     Appendix  A:  Additional  Settings  (not  scored)     Item    #   Configuration  Item   Action  /  Recommended   Parameters   Where  possible  use  Oracle   Label  Security.01   Oracle  Label  Security   Rationale:   OLS  is  a  strong  additional  layer  of  security  that  can  be   used  to  create  a  Virtual  Private  database  (VPD).   This  can  be  cost  prohibitive  depending  on  licensing   with  Oracle.    OLS   allows  data  of  varying  sensitivities  to  be  stored  in  a   single  database  and  access  to  the  data  to  be  restricted   using  security  clearances  as  defined  by  role  level.  the  values  of  the  label  column  may  be  copied   to  an  added  column.     Remediation:   Where  possible.02   Oracle  Label  Security   Rationale:   If  the  status  of  the  hidden  label  column  needs  to  be   changed.    Reinstate  the   policy  and  then  copy  the  values  from  the  added  column   to  the  row  label  column  and  then  remove  the  added   column.  then  the  hidden  column  can  be   removed.  the  column  copies.   Item    #   Configuration  Item   Action  /  Recommended   Parameters   Hide  label  column.     Note:  After  applying  a  OLS  policy  to  a  table.  hide  the  label   column.  the  hidden   status  of  the  labels  cannot  be  revoked  without  the  loss   of  the  labels.   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   14.     Audit:   None         2   N   146  |  P a g e     .  when  using  OLS.  and  then  removes  the   policy  dropping  the  row  label  column.CREATE_POLICY  (globally)  or  to  the   TABLE_OPTIONS  parameter  of  the   APPLY_TABLE_POLICY  procedure  (for  a  specific   table).     This  can  be  done  by  passing  the  HIDE  directive  to  the   DEFAULT_OPTIONS  parameter  of  the   SA_SYSDBA.   Item    #   Configuration  Item   Action  /  Recommended   Parameters   Include  LABEL_UPDATE   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   14.03   Oracle  Label  Security   14.04   Oracle  Label  Security   Limit  manipulation.     Rationale:   This  ensures  the  user  cannot  reclassify  the  data  in  the   record  by  changing  the  label.     Remediation:   Include  the  LABEL_UPDATE  as  a  value  for   TABLE_OPTIONS  parameter  when  the  OLS  policy  is   applied  to  a  table.     Audit:   None     Rationale:   By  the  creation  of  a  procedure,  direct  manipulation  by   database  users  of  the  labels  is  prevented  and  an   additional  level  of  security  is  provided.    This  can   provide  a  separation  of  responsibility  between  the  DBA   and  the  security  administrators.     Remediation:   Where  possible,  use  a  trusted  procedure  to  limit  and   control  the  manipulation  of  the  labels.     Audit:   None         2   N       2   N   147  |  P a g e       Item    #   Configuration  Item   Action  /  Recommended   Parameters   Backup  data.   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   14.05   Oracle  Label  Security   14.06   Oracle  Label  Security   Where  applicable  and  possible,   store  labels  in  the  Oracle   Internet  Directory  (OID).   14.07   RAID  file  systems   Implement   Rationale:   OLS  introduces  an  additional  hidden  column  into  a   table.  For  some  tables  the  addition  of  a  column  or  a   hidden  column  may  render  the  table  unusable.  For   applications  that  expect  to  see  all  the  data,  OLS  may   be  interpreted  as  corrupt  data.     Remediation:   Have  a  secure  and  separate  data  copy  before   implementing  OLS.     Audit:   None     Rationale:   In  the  context  of  the  Enterprise  User  Security  option,   this  provides  a  centralized  management  method  for   user  passwords,  enterprise  roles,  and  OLS   authorization.  Under  the  control  of  the  OID,  policies   cannot  be  manipulated  within  the  databases.     Remediation:   Where  applicable  and  possible,  store  labels  in  the   Oracle  Internet  Directory  (OID).     Audit:   None     Rationale:   File  systems  holding  the  Oracle  data  should  be  on   RAID  volumes  for  resilience.     Remediation:   Create  RAID  partitions  for  the  Oracle  database  and   files.       Audit:   None           2   N       2   N       2   N   148  |  P a g e     Item    #   Configuration  Item   Action  /  Recommended   Parameters   Implement   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   14.08   Magnetically  wipe   failed  disks   14.09   Backups  on  system   disks   Verify  permissions   14.10   Off  site  backup  storage   Implement   Rationale:   Sensitive  data  or  information  can  be  recovered  from   magnetic  or  data  media  if  not  properly  erased.       Remediation:   Magnetically  wipe  old,  no  longer  used,  or  failed  disks.     This  issue  is  most  likely  handled  by  system   administrators.     Audit:   None     Rationale:   In  many  environments,  database  backups  are  written  to   system  disks.    In  this  type  of  environment,  ensure  that   the  backup  files  are  protected.    Files  should  be  owned   by  oracle  software  owner  set  with  owner  read/write   permissions  only.       Remediation:   Set  proper  permissions  on  oracle  data  files  stored  on   backup  tapes.       Audit:   None     Rationale:   It  is  a  best  practice  to  have  redundant  offsite  backups   in  the  event  of  a  physical  catastrophe.       Remediation:   Implement  off  site  backup  storage  procedures.     Audit:   None         2   N         2   N       2   N   149  |  P a g e         Remediation:   None     Audit:   None         2   N       2   N       2   N         150  |  P a g e     .11   Recovery  procedures   14.  Network  access  should  be  limited  to   application  and  administrative  hosts.     Remediation:   Implement  a  screening  router  to  restrict  access  to  the   database  host.     Audit:   None     Rationale:   Use  a  host  based  firewall  on  all  computers  used  to   remotely  administer  databases.     Audit:   None     Rationale:   Unrestricted  access  to  the  database  widens  the  attack   surface.12   Screening  router   Implement  to  restrict  access  to   database  host   14.       Remediation:   Ensure  that  database  recovery  procedures  are  fully   documented  and  regularly  tested.   Item    #   Configuration  Item   Action  /  Recommended   Parameters   Document  and  Test   Rationale/Remediation   W   I   n   d   o   w   s   U   n   I   x   Level   &   Score   Status   14.13   Host-­based  firewall   Implement  on  database   administration  machines   Rationale:   Failure  to  properly  implement  and  test  recovery   procedures  can  result  in  loss  of  data  and  compromise   system  integrity.   Appendix  C:  Acknowledgments     The  contributions  to  the  consensus  process  made  by  the  following  people  were  instrumental  in   the  creation  of  this  guide:       Sheila  Christman     Richard  A.    The  violations  can  be  fixed  or  ignored  so  they  will  not  show  up   in  future  reports.  Finn     John  Banghart     Mark  Rakozy     Gary  Gapinski     David  Waltermire     Clint  Kreitner       151  |  P a g e     .    For  more  detailed  information  of  this  functionality   please  refer  to  the  Oracle  documentation.     The  administrator  can  then  schedule  and  apply  the  patch(es)  to  any  host  in  the  enterprise.       Policy  Violations   The  Oracle  11g  Enterprise  Manager  Grid  Control  application  can  show  policy  violations  for  any   database  or  host  in  the  enterprise.    If  the  Oracle  Enterprise  Manager  Grid  Control  application  is   deployed.     Appendix  B:  Enterprise  Manager  Grid  Control  for  Patch  and   Policy  Management     The  Oracle  11g  Enterprise  Manager  Grid  Control  application  has  two  functions  directly  related  to   securing  Oracle  and  its  host.     Oracle®  Database  2  Day  DBA  11g  Release  1  (11.1)  Part  Number  B28301-­02     Patching  Setup   The  Oracle  11g  Enterprise  Manager  Grid  Control  application  can  be  set  up  to  automatically  access   Oracle  MetaLink  to  search  for  and  download  any  new  patches  available  for  your  Oracle  installs.  follow  these  recommendations.  McDonald     Bert  Miuccio     Chad  Hughes     Chuck  Earle     Rick  Wessman     Jeremy  Terk     Dave  Shackleford     Cesar  Quebral     Alf-­‐Ivar  Holm     George  Colt     Blake  Frantz     Phil  Curran     Don  Granaman     Michael  Anderson     Nancy  Whitney     Tom  L.  Haas     Dana  Hemlock     Brian  Denny     Sheilah  Scheurich     Carol  Bales     Tran  Thanh  Chien     Rick  Wessman     Johan  Verbrugghen     Melissa  McAvoy     Alf-­‐Ivar  Holm     Alan  Klink     David  W  Blaine     Ray  Stell     Adam  Cecchetti     James  Hayes     Brian  P.   -­   Added  Background  Section   -­   Updated  Acknowledgements  Section   -­   Update  Section  heading  styles           152  |  P a g e     .6  were  absent)   -­   Updated  4.0.  not  repudiation  or  audit  concerns.  5.15  (NOLOGGING)  to  articulate  this  clause  has   continuity  concerns.0.1   -­   Resolved  number  sequencing  issue  (5.0   -­   Initial  Public  Release   1.   Appendix  D:  Change  History   Date   8/12/2008   1/23/2009   Version   Changes  for  this  version   1.5.