Security Configuration Benchmark ForOracle Database Server 11g Version 1.0.1 January 2009 Copyright 2001-2009, The Center for Internet Security http://cisecurity.org
[email protected] Leader: Adam Cecchetti Leviathan Security Group, Inc. Terms of Use Agreement Background. CIS provides benchmarks, scoring tools, software, data, information, suggestions, ideas, and other seivices anu mateiials fiom the CIS website oi elsewheie ȋDzProductsdzȌ as a public seivice to Internet users worldwide. Recommendations containeu in the Piouucts ȋDzRecommendationsdzȌ result from a consensus-building process that involves many security experts and are generally generic in nature. The Recommendations are intended to provide helpful information to organizations attempting to evaluate or improve the security of their networks, systems and devices. Proper use of the Recommendations requires careful analysis and adaptation to specific usei iequiiementsǤ The Recommenuations aie not in any way intenueu to be a Dzquick fixdz foi anyoneǯs infoimation secuiity neeusǤ No representations, warranties and covenants. CIS makes no representations, warranties or covenants whatsoever as to (i) the positive or negative effect of the Products or the Recommendations on the operation or the security of any particular network, computer system, network device, software, hardware, or any component of any of the foregoing or (ii) the accuracy, reliability, timeliness or completeness of any Product or Recommendation. CIS is providing the Products and the Recommenuations Dzas isdz anu Dzas availabledz without iepiesentationsǡ waiianties oi covenants of any kinuǤ User agreements. By using the Piouucts anuȀoi the Recommenuationsǡ I anuȀoi my oiganization ȋDzwedzȌ agiee anu acknowledge that: No network, system, device, hardware, software or component can be made fully secure; We are using the Products and the Recommendations solely at our own risk; We are not compensating CIS to assume any liabilities associated with our use of the Products or the Recommendationsǡ even iisks that iesult fiom CISǯs negligence oi failuie to peifoimǢ We have the sole responsibility to evaluate the risks and benefits of the Products and Recommendations to us and to adapt the Products and the Recommendations to our particular circumstances and requirements; Neither CIS, nor any CIS Party (defined below) has any responsibility to make any corrections, updates, upgrades or bug fixes or to notify us if it chooses at it sole option to do so; and Neither CIS nor any CIS Party has or will have any liability to us whatsoever (whether based in contract, tort, strict liability or otherwise) for any direct, indirect, incidental, consequential, or special damages (including without limitation loss of profits, loss of sales, loss of or damage to reputation, loss of customers, loss of software, data, information or emails, loss of privacy, loss of use of any computer or other equipment, business interruption, wasted management or other staff resources or claims of any kind against us from third parties) arising out of or in any way connected with our use of or our inability to use any of the Products or Recommendations (even if CIS has been advised of the possibility of such damages), including without limitation any liability associated with infringement of intellectual property, defects, bugs, errors, omissions, viruses, worms, backdoors, Trojan horses or other harmful items. Grant of limited rights. CIS hereby grants each user the following rights, but only so long as the user complies with all of the terms of these Agreed Terms of Use: Except to the extent that we may have received additional authorization pursuant to a written agreement with CIS, each user may download, install and use each of the Products on a single computer; Each user may print one or more copies of any Product or any component of a Product that is in a .txt, .pdf, .doc, .mcw, or .rtf format, provided that all such copies are printed in full and are kept intact, including without limitation the text of this Agreed Terms of Use in its entirety. Retention of intellectual property rights; limitations on distribution. The Products are protected by copyright and other intellectual property laws and by international treaties. We acknowledge and agree that we are not acquiring title to any intellectual property rights in the Products and that full title and all ownership rights to the Products will remain the exclusive property of CIS or CIS Parties. CIS reserves all rights not expressly granted to users in the preceding section entitleu Dzuiant of limiteu iightsǤdz Subject to the paiagiaph entitleu DzSpecial Rulesdz ȋwhich incluues a waiveiǡ gianteu to some classes of CIS Nembeisǡ of ceitain limitations in this paragraph), and except as we may have otherwise agreed in a written agreement with CIS, we agree that we will not (i) decompile, disassemble, reverse engineer, or otherwise attempt to derive the source code for any software Product that is not already in the form of source code; (ii) distribute, redistribute, encumber, sell, rent, lease, lend, sublicense, or otherwise transfer or exploit rights to any Product or any component of a Product; (iii) post any Product or any component of a Product on any website, bulletin board, ftp server, newsgroup, or other similar mechanism or device, without regard to whether such mechanism or device is internal or external, (iv) remove or alter trademark, logo, copyright or other proprietary notices, legends, symbols or labels in any Product or any component of a Product; (v) remove these Agreed Terms of Use from, or alter these Agreed Terms of Use as they appear in, any Product or any component of a Product; (vi) use any Product or any component of a Product with any derivative works based directly on a Product or any component of a Product; (vii) use any Product or any component of a Product with other products or applications that are directly and specifically dependent on such Product or any component for any part of their functionality, or (viii) represent or claim a particular level of compliance with a CIS Benchmark, scoring tool or other Product. We will not facilitate or otherwise aid other individuals or entities in any of the activities listed in this paragraph. We hereby agree to indemnify, defend and hold CIS and all of its officers, directors, members, contributors, employees, authors, developers, agents, affiliates, licensors, information and service providers, software suppliers, hardware suppliers, and all other persons who aided CIS in the creation, development or maintenance of the Piouucts oi Recommenuations ȋDzCIS PartiesdzȌ harmless from and against any and all liability, losses, costs and expenses (including attorneys' fees and court costs) incurred by CIS or any CIS Party in connection with any claim arising out of any violation by us of the pieceuing paiagiaphǡ incluuing without limitation CISǯs iightǡ at oui expenseǡ to assume the exclusive defense and control of any matter subject to this indemnification, and in such case, we agree to cooperate with CIS in its defense of such claim. We further agree that all CIS Parties are third-party beneficiaries of our undertakings in these Agreed Terms of Use. Special rules. CIS has created and will from time to time create special rules for its members and for other persons and organizations with which CIS has a written contractual relationship. Those special rules will override and supersede these Agreed Terms of Use with respect to the users who are covered by the special rules. CIS hereby grants each CIS Security Consulting or Software Vendor Member and each CIS Organizational User Member, but only so long as such Member remains in good standing with CIS and complies with all of the terms of these Agreed Terms of Use, the right to distribute the Products and Recommendations within such Nembeiǯs own oiganizationǡ whethei by manual or electronic means. Each such Member acknowledges and agrees that the foregoing grant is subject to the teims of such Nembeiǯs membeiship aiiangement with CIS anu mayǡ theiefoieǡ be modified or terminated by CIS at any time. Choice of law; jurisdiction; venue. We acknowledge and agree that these Agreed Terms of Use will be governed by and construed in accordance with the laws of the State of Maryland, that any action at law or in equity arising out of or relating to these Agreed Terms of Use shall be filed only in the courts located in the State of Maryland, that we hereby consent and submit to the personal jurisdiction of such courts for the purposes of litigating any such action. If any of these Agreed Terms of Use shall be determined to be unlawful, void, or for any reason unenforceable, then such terms shall be deemed severable and shall not affect the validity and enforceability of any remaining provisions. We acknowledge and agree that we have read these Agreed Terms of Use in their entirety, understand them and agree to be bound by them in all respects. Table of Contents Terms of Use Agreement .............................................................................................................................. a Background ................................................................................................................................................... 1 CONSENSUS GUIDANCE ................................................................................................................................... 1 CONFIGURATION LEVELS ................................................................................................................................. 1 Level-I Benchmark settings/actions ....................................................................................................... 1 Level-II Benchmark settings/actions ...................................................................................................... 1 SCORING LEVELS ............................................................................................................................................ 1 Scorable ................................................................................................................................................. 1 Not Scorable .......................................................................................................................................... 1 Introduction.................................................................................................................................................... 2 1. Operating System Specific Settings .......................................................................................................... 3 2. Installation and Patch .............................................................................................................................. 10 3. Oracle Directory and File Permissions .................................................................................................... 18 4. Oracle Parameter Settings ...................................................................................................................... 31 5. Encryption Specific Settings.................................................................................................................... 53 6. Startup and Shutdown ............................................................................................................................. 65 7. Backup and Disaster Recovery ............................................................................................................... 66 8. Oracle Profile (User) Setup Settings ....................................................................................................... 70 9. Oracle Profile (User) Access Settings ..................................................................................................... 80 10. Enterprise Manager / Grid Control / Agents ........................................................................................ 106 11. Specific Systems ................................................................................................................................. 109 12. General Policy and Procedures .......................................................................................................... 111 13. Auditing Policy and Procedures .......................................................................................................... 134 Appendix A: Additional Settings (not scored)............................................................................................ 145 Appendix B: Enterprise Manager Grid Control for Patch and Policy Management .................................. 151 Appendix C: Acknowledgments ................................................................................................................ 151 Appendix D: Change History ..................................................................................................................... 152 1 | P a g e Background Consensus Guidance This guide was created using a consensus process comprised of volunteer and contract subject matter experts. Consensus participants provide perspective from a diverse set of backgrounds including consulting, software development, auditing and compliance, security research, operations, government, and legal. Configuration Levels Level-I Benchmark settings/actions System administrators with any level of security knowledge and experience can understand and perform the specified actions. The action is unlikely to cause an interruption of service to the operating system or the applications that run on it. The actions can be automatically monitored, and the configuration verified, by Scoring Tools that are available from the Center or by CIS-certified Scoring Tools. Level-II Benchmark settings/actions Level-II security configurations vary depending on network architecture and server function. These are of greatest value to system administrators who have sufficient security knowledge to apply them with consideration to the operating systems and applications running in their particular environments. Scoring Levels This section defines the various scoring levels used within this document. Scorable This setting or recommendation is able to be assessed by scoring tools or commandǦline arguments. Not Scorable This setting or recommendation requires complex checking that is not feasible with basic audit methods. 2 | P a g e Introduction This uocument is ueiiveu fiom ieseaich conuucteu utilizing the 0iacle ͳͳg piogiamǡ the 0iacleǯs Technology Network (otn.oracle.com), various published books and the Oracle 11g Database Security Guidelines. This document provides the necessary settings and procedures for the secure installation, setup, configuration, and operation of an Oracle 11g database environment. With the use of the settings and procedures in this document, an Oracle database may be secured from conventional Dzout of the boxdz thieatsǤ Recognizing the natuie of secuiity cannot and should not be limited to only the application, the scope of this document is not limited to only Oracle specific settings oi configuiationsǡ but also auuiesses backupsǡ aichive logsǡ Dzbest piacticesdz piocesses anu procedures that are applicable to general software and hardware security. Applicable items were verified and tested against an Oracle 11g default install on a Redhat Enterprise Sever 5. The Oracle version used was 11.1.0.6.0. Where the default setting is less secure than the recommended setting a caution has been provided in the comment section below the separator bar or as a note below a chapter heading. Default installs for both the operating system and the database may differ dependent on versions and options installed so this is to be used as a general guide only. Linux settings should translate to other varieties of Linux, but were only tested against RHEL5. If any differences are found, please contact the CIS team. Under the Level heading, scoring data has been included: S Ȃ To be scored. N Ȃ Not to be scored. It is extremely important to conduct testing of security configurations on non-production systems prior to implementing them on production systems. 3 | P a g e 1. Operating System Specific Settings Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score 1.01 Windows platform Do not install Oracle on a domain controller Rationale: This action will reduce the attack surface of the Domain Controller and the Oracle server. Remediation: Create a standalone server for the Oracle install. Audit: Execute the following WMI Query: Select DomainRole from \ Win32_ComputerSystem If the above returns a 4 or 5 the system is a Domain Controller. \ 1 S 1.02 Windows Oracle Local Account Use Restricted Service Account (RSA) Rationale: Adding an additional administrative account to the system increases the attack surface of the Windows server. Creating a local administrator with restricted access mitigates this risk. Remediation: Run the Oracle services using a local administrator account created specifically for Oracle. Use the account created to install the product. Deny log on locally to this account. Audit: None \ 1 N 4 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score 1.03 Windows Oracle Domain Account Use Restricted Service Account (RSA) Rationale: If the Oracle services require domain resources, then the server must be a domain server and the Oracle services must be run using a Restricted Service Account, i.e., restricted domain user account. Remediation: Add the account to the local administrators group on the server running the Oracle services. Audit: None \ 1 N 1.04 Windows Oracle Account Deny Log on Locally Right Rationale: The RSA must have limited access requirements. Remediation: Deny the Log on Locally right to the RSA. Audit: Ensure the Oracle account is listed beneath Local Policies\User Rights Assignments\Deny Log on Locally in the Windows Local Security Policy \ 1 S 1.05 Windows Oracle Domain Global Group Create a global group for the RSA and make it the RSA's primary group Rationale: The RSA account should not have access to resources that all domain users need to access. Remediation: Do not assign any rights to the group. Audit: None \ 1 N 5 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score 1.06 Windows Oracle Account Domain Users Group Membership Remove the RSA from the Domain Users group Rationale: The RSA must have limited access requirements. Granting the RSA domain level privileges negates the purpose of the RSA. Remediation: Remove the RSA from the Domain Users group. Audit: On the domain controller, execute the following: dsget user <OracleUserDN> -memberof Ensure Domain Users is not listed. For more information on the dsget command, see http://technet.microsoft.com/en- us/library/cc755876.aspx \ 1 S 1.07 Windows Oracle Domain Network Resource Permissions Verify and set permissions Rationale: The RSA must have limited access requirements. Remediation: Give the appropriate permissions to the RSA or global group for the network resources that are required. Audit: None \ 1 N 6 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score 1.08 Windows Oracle Domain Account Logon to. Value Limit to machine running Oracle services Rationale: The RSA must have limited access requirements and be limited to authenticating to the Oracle server. Remediation: Configure the RSA to only log on to the computer that is running the Oracle services. Audit: None \ 1 S 1.09 Windows Program Folder Permissions Verify and set permissions Rationale: The Oracle program installation folder must allow only limited access. Global access or unrestricted folder permissions will allow an attacker to alter Oracle resources and possibly compromise the security of the Oracle system. Remediation: Remove permissions for the Users group from the %ProgramFiles%\Oracle folder. Audit: Execute the following command: cacls °%ProgramFiles%\Oracle¨ and ensure BUILTIN\Users is not listed. \ 1 S 7 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score 1.10 Windows Oracle Registry Key Permissions Verify and set permissions Rationale: Access to the Oracle registry key must be limited to those users that require it. Unrestricted access to the Oracle registry entries will allow non-administrative users to alter settings and create an insecure environment. Remediation: Give Full Control over the HKEY_LOCAL_MACHINE\SOFTWARE\ORACLE key to the account that will run the Oracle services and remove the local Users group. Give read permissions to those users that require it. Audit: In regedit, browse to the HKEY_LOCAL_MACHINE\SOFTWARE\ORACLE key, right click, select Permissions, and ensure the Users group is not granted access. \ 1 S 1.11 Windows Oracle Registry Key Setting Set OSAUTH_PREFIX_DOMAIN registry value to TRUE Rationale:This configuration strengthens the authentication process by requiring that the domain name be part of the username for externally authenticated accounts. Remediation: Set the HKEY_LOCAL_MACHINE\ SOFTWARE\ORACLE\ALL_HOMES\OSAUTH_PREFIX_D OMAIN value to TRUE Note: This is the default configuration. Audit: In regedit, ensure the HKEY_LOCAL_MACHINE\ SOFTWARE\ORACLE\ALL_HOMES\OSAUTH_PREFIX_D OMAIN value set to TRUE. \ 1 S 8 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score 1.12 Windows registry Set USE_SHARED_SOCKET registry value to TRUE Rationale: Confines client connections to the same port as the listener. This allows connection and firewall management to be performed in a more consistent and refined manner. Remediation: Set the HKEY_LOCAL_MACHINE\ SOFTWARE\ORACLE\HOME<#>\USE_SHARED_SOCKET registry key to TRUE. If random port reassignment is undesired, such as if there is a need to pipe through a firewall. See Oracle Metalink note 124140.1 for details. Note: This is the default configuration. Audit: In regedit, Ensure the HKEY_LOCAL_MACHINE\ SOFTWARE\ORACLE\HOME<#>\USE_SHARED_SOCKET registry key is set to TRUE. \ 2 S 1.13 Oracle software owner host account Lock account Rationale: Locking the user account will deter attackers from leveraging this account in brute force authentication attacks. Remediation: On Unix systems, lock the Oracle software owner account. If the account cannot be locked, use a very strong password for the account. Account can be unlocked if system maintenance is required. This is not recommended for Windows environments. Audit: grep -i account_name /etc/password \ 2 S 9 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score 1.14 All associated application files Verify permissions Rationale: Allowing improper access to binaries that directly interface with the Oracle database adds unnecessary risk and increases the attack surface of the database. Remediation: Check the file permissions for all application files for proper ownership and minimal file permissions. This includes all 3 rd party application files on the server that access the database. Any 3 rd party applications must be installed on a separate server from the database. If this is not possible in the environment, ensure that the 3 rd party applications are installed on separate partitions from the Oracle software and associated data files. Audit: None \ \ 2 N 10 | P a g e 2. Installation and Patch Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 2.01 Installation Try to ensure that no other users are connected while installing Oracle 11g. Rationale: The Oracle 11g installer application could potentially create files, accounts, or setting with public privileges. An attacker may leverage these to compromise the integrity of the system or database before the installation is complete. Remediation: The Oracle 11g installer application could potentially create files in a temporary directory with public privileges. It would be possible for any local user to delete, overwrite or corrupt these files during the installation process. Try to ensure that no other users are connected while installing Oracle 11g. Also set the $TMP and $TMPDIR environment variables to a protected directory with access given only to the Oracle software owner and the ORA_INSTALL group. If possible install Oracle while the server is disconnected from the network. If the server must be installed remotely temporarily stop inbound remote connections via administration protocols ex. SSH, Terminal Service, VNC. Audit: None \ \ 1 N 11 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 2.02 Version/Patches Ensure the latest version of Oracle software is being used, and that the latest patches from Oracle Metalink have been applied. Rationale: Using outdated or unpatched software will put the Oracle database and host system at unnecessary risk and violates security best practices. Remediation: Check Oracle's site to ensure the latest versions: http://www.oracle.com/technology/software/index.html and latest patches: http://metalink.oracle.com/metalink/plsql/ml2_gui.startup Audit: opatch lsinventory -detail \ \ 1 S 2.03 Minimal Install Ensure that only the Oracle components necessary to your environment are selected for installation. Rationale: Installing components that are not used increases the attack surface of the database server. Remediation: Install only components needed to satisfy operational requirements. Remove components that may have been installed during a previous installation but are not required. Audit: None \ \ 1 N 12 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 2.04 tkprof Remove from system Rationale: The tkprof utility must be removed from production environments; it is a powerful tool for an attacker to find issues in the running database. If tkprof must remain on the production system, it must be protected by proper permissions. Remediation: Set file permissions of 0750 or less on Unix systems. On Windows systems, restrict access to only those users requiring access and verify that "Everyone¨ does not have access. Go to the $ORACLE_HOME/bin directory and remove or change the permissions of the utility. Audit: $ORACLE_HOME/bin/tkprof \ \ 1 S 2.05 listener.ora Change default name of listener Rationale: The listener must not be called by the default name as it is commonly known. A distinct name must be selected. Remediation: Edit $ORACLE_HOME/network/admin/listener.ora and change the default name. Audit: grep default $ORACLE_HOME/network/admin/listener.ora \ \ 1 S 13 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 2.06 listener.ora Use IP addresses rather than hostnames Rationale: IP addresses instead of host names in the listener.ora file must be used. This prevents a compromised or spoofed DNS server from causing Oracle outages or man in the middle attacks. Hostnames are used by default. Remediation: Edit $ORACLE_HOME/network/admin/listener.ora and replace DNS names with IP addresses. Audit: grep -i HOST $ORACLE_HOME/network/admin/listener.ora \ \ 2 S 2.07 otrace Disable Rationale: otrace can leak sensitive information useful for an attacker. Remediation: Go to the $ORACLE_HOME/otrace/admin directory of your instance and remove or delete the .dat files related to otrace. Do this for all *.dat files in this directory. Note that this directory is installed for the Enterprise Manager Grid Controller. It is not installed with a default 11g database installation. Audit: ls $ORACLE_HOME/otrace/admin/*.dat \ \ 1 S 14 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 2.08 Listener password Use OS Authentication Rationale: It is more secure to use OS authentication as setting a password on the listener will enable remote administration of the listener. Remediation: OS Authentication is enabled by default.. If additional users require remote access to the listener, set an encrypted password using the set password command via the lsnrctl tool. Be aware, setting a password in the listener.ora file will set an unencrypted password on the listener. Audit: grep -i PASSWORD \ $ORACLE_HOME/network/admin/listener.ora \ \ 1 S 2.09 Default Accounts (created by Oracle) The following actions are recommended in order of preference for default accounts: 1. Drop the user 2. Lock the user account 3. Change the default password Rationale: The default Oracle installation locks and expires the installation accounts. These accounts should be left locked and expired unless absolutely necessary. Check to ensure these accounts have not been unlocked. Remediation: Lock and expire the system accounts. Audit: SELECT * FROM DBA_USERS_WITH_DEFPWD; \ \ 2 S 15 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 2.10 OEM objects Remove if OEM not used Rationale: Removing the OEM will reduce the Oracle attack surface. Remediation: Execute $ORACLE_HOME/rdbms/admin/catnsnmp.sql to remove all the objects and delete the file $ORACLE_HOME/bin/dbsnmp. Note: Database statistics will be unavailable in Enterprise Manager if this is set. $ORACLE_HOME/rdbms/admin/catnsmp.sql rm $ORACLE_HOME/bin/dbsnmp Audit: ls -al $ORACLE_HOME/bin/dbsnmp \ \ 2 S 2.11 listener.ora Change standard ports Rationale: Standard ports are used in automated attacks and by attackers to verify applications running on a server. Remediation: Alter the listener.ora file and change the PORT setting. Note: This may break applications that hard code the default port number. Audit: grep 1521 \ $ORACLE_HOME/network/admin/listener.ora grep 1526 \ $ORACLE_HOME/network/admin/listener.ora \ \ 2 S 16 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 2.12 Third party default passwords Set all default account passwords to non-default strong passwords Rationale: When installed, some third party applications create well-known default accounts in an Oracle database. Remediation: The default passwords for these accounts must be changed or the account must be locked. ALTER USER <USERNAME> IDENTIFIED BY <PASSWORD>; ALTER USER <USERNAME> ACCOUNT LOCK PASSWORD EXPIRE; Audit: SELECT * FROM DBA_USERS_WITH_DEFPWD; SELECT USERNAME, ACCOUNT_STATUS FROM DBA_USERS; \ \ 2 S 2.13 Service or SID name Non-default Rationale: Do not use the default SID or service name of ORCL. It is commonly know and used in many automated attacks. Remediation: Alter the listener.ora file SID setting to a value other than the default. Ensure the SID is at least 7 characters long to prevent successful brute force attacks. Audit: grep -i ORCL \ $ORACLE_HOME/network/admin/listener.ora \ \ 1 S 17 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 2.14 Oracle Installation Oracle software owner account name NOT 'oracle' Rationale: Do not name the Oracle software owner account 'oracle' as it is very well known and can be leveraged by an attacker in a brute force attack. Remediation: Change the user used for the oracle software. Audit: grep -i oracle /etc/password \ \ 2 S 2.15 Oracle Installation Separate users for different components of Oracle Rationale: The user for the intelligent agent, the listener, and the database must be separated. This setup may cause unknown or unexpected errors and should be extensively tested before deployment into production. This is not recommended for Windows environments. Remediation: For Unix systems, create unique user accounts for each Oracle process/service in order to differentiate accountability and file access controls. Audit: None \ 2 N 18 | P a g e 3. Oracle Directory and File Permissions Note: The Oracle software owner in Windows is the account used to install the product. This account must be a member of the local Administrators group. The Windows System account is granted access to Oracle files/directories/registry keys. This account is not restated in the comments section below, but must not be removed. Removal of the System account will cause Oracle to stop functioning. Note: Some Unix operating systems make use of extended ACL's which may contain permissions more secure then the recommendations listed here. Please be sure to fully examine and test permissions before implementing them on production systems. Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 3.01 Files in $ORACLE_HOME/bin Verify and set ownership Rationale: All files in the $ORACLE_HOME/bin must be owned by the Oracle software account to prevent a system-wide compromise in the event the Oracle account is compromised. In Windows, this account must be part of the Administrators group. Remediation: Change the ownership of the binaries to the appropriate account. Audit: ls -al $ORACLE_HOME/bin/* \ \ 1 S 3.02 Files in $ORACLE_HOME/bin Permissions set to 0755 or less Rationale: Incorrect permissions could allow an attacker to replace a binary with a malicious version. Remediation: All files in the $ORACLE_HOME/bin directory must have permissions set to 0755 or less. chmod 0755 $ORACLE_HOME/bin/* Audit: ls -al $ORACLE_HOME/bin/* \ 1 S 19 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 3.03 Files in $ORACLE_HOME (not including $ORACLE_HOME/bin) Permissions set to 0750 or less on Unix systems Rationale: Incorrect permissions could allow an attacker to execute or replace a command with a malicious version. Remediation: All files in $ORACLE_HOME directories (except for $ORACLE_HOME/bin) must have permission set to 0750 or less. chmod 750 $ORACLE_HOME/* Audit: ls -al $ORACLE_HOME \ 1 S 3.04 Oracle account .profile file Unix systems umask 022 Rationale: Regardless of where the umask is set, umask must be set to 022 before installing Oracle. Ad improper umask can lead to unrestrictive permissions and open the oracle server file system to attack. Remediation: Ensure the umask value is 022 for the owner of the Oracle software before installing Oracle. Audit: umask \ 1 S 20 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 3.05 init.ora Verify and restrict permissions Rationale: File permissions must be restricted to the owner of the Oracle software and the dba group. If unprivileged users can alter the init.ora configuration the security of the oracle server can be compromised. Remediation: chgrp oracle_grp init.ora chown oracleuser init.ora chmod 644 init.ora Audit: ls -al $ORACLE_HOME/dbs/init.ora \ \ 1 S 3.06 spfile.ora Verify and restrict permissions Rationale: File permissions must be restricted to the owner of the Oracle software and the dba group. If unprivileged users can alter the spfile.ora configuration the security of the oracle server can be compromised. Remediation: chgrp oracle_grp spfile.ora chown oracleuser spfile.ora chmod 640 spfile.ora Audit: ls -al $ORACLE_HOME/dbs/spfile.ora \ \ 1 S 21 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 3.07 Database datafiles Verify and restrict permissions Rationale: File permissions must be restricted to the owner of the Oracle software and the dba group. If unprivileged users can read or alter the dbs files the security of the oracle server can be compromised. Remediation: chown oracleuser $ORACLE_HOME/dbs/* chgrp oraclegroup $ORACLE_HOME/dbs/* Audit: ls -al $ORACLE_HOME/dbs/* \ \ 1 S 3.08 init.ora Verify permissions of file referenced by ifile parameter Rationale: File permissions must be restricted to the owner of the Oracle software and the dba group. If the ifile functionality is used, the file permissions of the referenced ifile must be restricted to the Oracle software owner and the dba group. Remediation: chmod 750 ifile chown oracleuser.oraclegroup ifile Audit: grep ifile init.ora ls -al <result> \ \ 1 S 22 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 3.09 init.ora audit_file_dest parameter settings Rationale: The destination for the audit file must be set to a valid directory owned by oracle and set with owner read/write permissions only. Remediation: chmod 600 auditfile chown oracleuser.oraclegroup auditfile Audit: grep -i audit_file_dest init.ora ls -al <result> \ \ 1 S 3.10 init.ora diagonostic_dest parameter settings Rationale: The destination for the user dump must be set to a valid directory with permissions restricted to the owner of the Oracle software and the dba group. Remediation: chmod 660 diag_file chown oracleuser.oraclegroup diag_file Audit: grep -i diagonostic_dest init.ora ls -al <result> \ \ 1 S 23 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 3.11 init.ora control_files parameter settings Rationale: The permissions must be restricted to only the owner of the Oracle software and the dba group. Remediation: chmod 640 control_file chown oracleuser.oraclegroup control_file Audit: grep -i control_files init.ora ls -al <result> select name from V$controlfile; \ \ 1 S 3.12 init.ora log_archive_dest_n parameter settings Rationale: File permissions must be restricted to the owner of the Oracle software and the dba group. For complex configurations where different groups need access to the directory, access control lists must be used. Note: If Oracle Enterprise Edition is installed, and no log_archive_dest_n parameters are set, the deprecated form of log_archive_dest must be used. Remediation: Default is " " (A null string) for all. Must configure and set paths, then ensure those directories are secure. chmod 750 file_file_dest chown oracleuser.oraclegroup \ log_file_dest Audit: grep -i log_archive_dest init.ora ls -al <result> \ \ 1 S 24 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 3.13 Files in $ORACLE_HOME/ network/admin directory Verify and set permissions Rationale: Permissions for all files must be restricted to the owner of the Oracle software and the dba group. Note: If an application that requires access to the database is also installed on the database server, the user the application runs as must have read access to the tnsnames.ora and sqlnet.ora files. Remediation: chmod 644 $ORACLE/network/admin/* chown oracleuser.oraclegroup \ $ORACLE_HOME/network/admin/* Audit: ls -al $ORACLE_HOME/network/admin/* \ \ 1 S 3.14 sqlnet.ora Verify and set permissions with read permissions for everyone. Rationale: The sqlnet.ora contains the configuration files for the communication between the user and the server including the level of required encryption. Remediation: chmod 644 sqlnet.ora chown oracleuser.oraclegroup sqlnet.ora Note: If encryption is used, the key is stored in the parameter SQLNET.CRYPTO_SEED in the sqlnet.ora file. In such scenarios, access to this file should be limited. Audit: ls -al sqlnet.ora \ \ 1 S 25 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 3.15 sqlnet.ora log_directory_client parameter settings Rationale: The log_directory_client must be set to a valid directory owned by the Oracle account and permissions restricted to read/write only for the owner and dba group. Remediation: chmod 640 log_directory_client chown oracleuser.oraclegroup \ log_directory_client Audit: grep -i log_directory_client sqlnet.ora \ \ 1 S 3.16 sqlnet.ora log_directory_server parameter settings Rationale: The log_directory_server must be set to a valid directory owned by the Oracle account and set with owner and group read/write permissions only. Remediation: chmod 640 log_directory_client chown oracleuser.oraclegroup \ log_directory_client Audit: grep -i log_directory_client sqlnet.ora \ \ 1 S 26 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 3.17 sqlnet.ora trace_directory_client parameter settings Rationale: The trace_directory_client parameter settings must be set to a valid directory owned by the Oracle account and permissions restricted to read/write only for the owner and read for the dba group.. By default this is not set. Be aware, this is usually set to $ORACLE_HOME/network/trace, with permissions set as: Remediation: chmod 640 log_directory_client chown oracleuser.oraclegroup \ log_directory_client Audit: grep -i trace_directory_client sqlnet.ora \ \ 1 S 3.18 sqlnet.ora trace_directory_server parameter settings Rationale: The trace_directory_server must be set to a valid directory owned by the Oracle account and permissions restricted to read/write only for the owner and read for the dba group. By default this is not set. Be aware, this is usually set to $ORACLE_HOME/network/trace. Remediation: chmod 640 trace_directory_server chown oracleuser.oraclegroup trace_directory_server Audit: grep -i trace_directory_server sqlnet.ora \ \ 1 S 27 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 3.19 listener.ora Verify and set permissions Rationale: File permissions must be restricted to the owner of the Oracle software and the dba group. If backup copies of the listener.ora file are created these backup files must be removed or they must have their permissions restricted to the owner of the Oracle software and the dba group. Remediation: chmod 660 \ $ORACLE_HOME/network/admin/listener.ora chown oracleuser.oraclegroup \ $ORACLE_HOME/network/admin/listener.ora Audit: ls -al \ $ORACLE_HOME/network/admin/listener.ora \ \ 1 S 3.20 listener.ora log_file_listener parameter settings Rationale: The log_file_listener file must be set to a valid directory owned by the Oracle account and permissions restricted to read/write only for the owner and read for the dba group. By default this is not set. Be aware, this is usually set to $ORACLE_HOME/network/log/listener.log. Remediation: chmod 640 \ $ORACLE_HOME/network/log/listener.log chown oracleuser.oraclegroup \ $ORACLE_HOME/network/log/listener.log Audit: grep -i log_file_listener \ $ORACLE_HOME/network/admin/listener.ora \ \ 1 S 28 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 3.21 listener.ora trace_directory_listener _name parameter settings Rationale: The trace_directory_listener_name must be set to a valid directory owned by the Oracle account and permissions restricted to read/write only for the owner and dba group. Remediation: chmod 660 trace_dir chown oracleuser.oraclegroup trace_dir Audit: grep -i trace-directory \ $ORACLE_HOME/network/admin/listener.ora \ \ 1 S 3.22 listener.ora trace_file_listener_name parameter settings Rationale: This file must be owned by the Oracle account and permissions restricted to read/write only for the owner and dba group. By default this is not set. Be aware, this is usually set to $ORACLE_HOME/network/trace. Remediation: chown oracleuser.oraclegroup \ $ORACLE_HOME/network/trace chmod 660 $ORACLE_HOME/network/trace Audit: grep -i trace_file \ $ORACLE_HOME/network/admin/listener.ora ls -al <result> \ \ 1 S 29 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 3.23 sqlplus Verify and set permissions Rationale: The permissions of the binaries for sqlplus on the server must be restricted to the owner of the Oracle software and the dba group. Remediation: chown oracleuser.oraclegroup sqlplus chmod 750 sqlplus Audit: which -a sqlplus ls -al <result(s)> \ \ 1 S 3.24 .htaccess Verify and set permissions Rationale: File permissions must be restricted to the owner of the Oracle software and the dba group. Remediation: chown oracleuser.oraclegroup .htaccess chmod 644 .htaccess Audit: ls -al .htaccess Note: Only applicable for environments using the Oracle HTTP Server. Additionally, ensure all configuration changes have been made within .htaccess prior to implementing this recommendation. \ \ 1 S 30 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 3.25 dads.conf Verify and set permissions Rationale: File permissions must be restricted to the owner of the Oracle software and the dba group. Remediation: chown oracleuser.oraclegroup dads.conf chmod 644 dads.conf Audit: ls -al dads.conf Note: Only applicable for environments using the Oracle HTTP Server. Additionally, ensure all configuration changes have been made within dads.conf prior to implementing this recommendation. \ \ 1 S 3.26 xsqlconfig.xml Verify and set permissions Rationale: File permissions must be restricted to the owner of the Oracle software and the dba group. Remediation: chown oracleuser.oraclegroup \ xsqlconfig.xml chmod 640 xsqlconfig.xml Audit: ls -al \ $ORACLE_HOME/xdk/admin/XSQLConfig.xml \ \ 1 S 31 | P a g e 4. Oracle Parameter Settings Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 4.01 init.ora _trace_files_public= FALSE Rationale: Prevents users from having the ability to read trace files which may contain sensitive information about the running Oracle instance. This is an internal Oracle parameter. Do NOT use it unless instructed to do so by Oracle Support. Remediation: Set _trace_files_public= FALSE Note: Default is FALSE. Audit: grep -i _trace_files_public init.ora \ \ 1 S 4.02 init.ora global_names= TRUE Rationale: This parameter ensures that Oracle will check that the name of a database link is the same as that of the remote database. Default is TRUE. Remediation: Set global_names= TRUE in init.ora Audit: grep -i global_names init.ora \ \ 1 S 32 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 4.03 Init.ora remote_os_authent=FALSE Rationale: This setting has been deprecated, however is maintained for backwards compatibility. If this setting is used it is recommended to be set to FALSE. remote_os_authent will allow a user that is authenticated to the network domain to access the database without DB credentials. Remediation: Set remote_os_authent=FALSE. Audit: grep -i remote_os_authent init.ora \ \ 1 S 4.04 init.ora remote_os_roles= FALSE Rationale: Connection spoofing must be prevented. Default is FALSE. Remediation: Set remote_os_roles= FALSE. Audit: grep -i remote_os_roles init.ora \ \ 1 S 4.05 init.ora remote_listener=°° (A null string) Rationale: Prevent the use of a listener on a remote machine separate from the database instance. Remediation: Set remote_listener=°¨. Audit: grep -i remote_listener init.ora \ \ 1 S 33 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 4.06 init.ora audit_trail parameter set to OS, DB, DB_EXTENDED, XML, or XML, EXTENDED Rationale: Ensures that basic audit features are used. Recommend setting audit_trail to OS as it reduces the likelihood of a Denial of Service attack and it is easier to secure the audit trail. OS is required if the auditor is distinct from the DBA. Any auditing information stored in the database is viewable and modifiable by the DBA if set to DB or DB_EXTENDED. Even with the audit_trail value set to FALSE, an audit session will report, "Audit succeeded." The default is DB. Remediation: Alter the init.ora file and set audit_trail=OS Audit: grep -i audit_trail init.ora \ \ 1 S 4.07 init.ora os_authent_prefix=°° (A null string) Rationale: OS roles are subject to control outside the database. The duties and responsibilities of DBAs and system administrators must be separated. It must be set to limit the external use of an account to an IDENTIFIED EXTERNALLY specified user. Remediation: Set os_authent_prefix=°° Audit: grep -i os_authent_prefix init.ora \ \ 1 S 34 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 4.08 init.ora os_roles=FALSE Rationale: os_roles allows externally created groups to be used to manage database roles. This can lead to misaligned or inherited permissions. Remediation: Set os_roles=FALSE Audit: grep -i os_roles init.ora \ \ 1 S 4.09 init.ora Avoid using utl_file_dir parameters Rationale: Do not use the utl_file_dir parameter directories created with utl_file_dir as they can be read and written to by all users. Specify directories using CREATE DIRECTORY which requires granting of privileges to each user. This function has been deprecated since version 9.2 migration is recommended. Remediation: Use CREATE DIRECTORY Audit: grep -i utl_file_dir init.ora \ \ 1 S 35 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 4.10 init.ora Establish redundant physically separate locations for redo log files. Use "LOG_ARCHIVE_DUPLEX_DEST¨ to establish a redundant location for the redo logs. Rationale: Redundancy for the redo logs can prevent catastrophic loss in the event of a single physical drive failure. If this parameter is used, it must be set to a valid directory owned by oracle set with owner and group read/write permissions only. For complex configurations where different groups need access to the directory, access control lists must be used. Remediation: Set LOG_ARCHIVE_DUPLEX_DEST to a valid, properly secured, directory. Audit: grep -i log_archive_duplex_dest init.ora \ \ 1 S 4.11 init.ora Specify redo logging must be successful. Use "LOG_ARCHIVE_MIN_SUCCEED _DEST¨ to ensure the successful logging of the redo files. Rationale: Specifying that the logging must succeed in one or more locations ensures redundancy of the redo logs. Remediation: Set LOG_ARCHIVE_MIN_SUCCEED_DEST to 1 or greater. Audit: grep -i LOG_ARCHIVE_MIN_SUCCEED_DEST \ init.ora \ \ 1 S 36 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 4.12 init.ora sql92_security= TRUE Rationale: Enforce the requirement that a user must have SELECT privilege on a table in order to be able to execute UPDATE and DELETE statements using WHERE clauses on a given table. WARNING: This will likely result in many applications failing and should not be enabled in production without thorough testing. Remediation: Set sql92_security= TRUE Audit: grep -i sql92_security init.ora \ \ 2 S 4.13 listener.ora admin_restrictions_liste ner_name=on Rationale: Replace listener_name with the actual name of your listener(s) for this parameter setting. This requires the administrator to have write privileges to listener.ora. This setting will cause the listener to refuse set commands that alter its parameters without a restart of the listener. Not set and turned off by default. Remediation: Set admin_restrictions_listener_name = on Audit: grep -i admin_restrictions listener.ora \ \ 2 S 37 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 4.14 listener.ora logging_listener=ON Rationale: Logging of all listener actions will create an audit trail in the event that a listener is attacked or needs to be debugged. This setting is not set, but is enabled by default. Remediation: Set logging_listener=ON Audit: grep -i logging_listener listener.ora \ \ 1 S 4.15 Database object definition NOLOGGING clause Do not leave database objects in NOLOGGING mode in production environments. Rationale: The NOLOGGING keyword instructs Oracle Database Server to forego writing essential recovery information to the redo log when performing certain actions, including but not limited to ALTER INDEX, CREATE INDEX, CREATE TABLE, and ALTER TABLE. Given this, improper use of NOLOGGING may introduce data continuity exposures in the absence of a full backup. Remediation: Ensure database objects, such as tables and indexes, are not operating in NOLOGGING mode. Audit: None \ \ 1 N 38 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 4.16 init.ora o7_dictionary_accessibil ity= FALSE Rationale: This is a database initialization parameter that controls access to objects in the SYS schema. Set this to FALSE to prevent users with EXECUTE ANY PROCEDURE and SELECT ANY DICTIONARY from accessing objects in the SYS schema. If access to these objects is required, the following roles can be assigned, SELECT_CATALOG_ROLE, EXECUTE_CATALOG_ROLE, DELETE_CATALOG_ROLE. If set to TRUE, accounts with "ANY" privileges could get access to objects in the SYS schema. Default setting is FALSE. Note: In Oracle Applications 11.5.9 and lower, O7_DICTIONARY_ACCESSIBILITY must be set to TRUE. This is required for proper functioning of the application and Oracle does not support setting it to FALSE. In Apps 11.5.10 and higher, O7_DICTIONARY_ACCESSIBILITY should be set to FALSE. See Oracle Metalink Note ID 216205.1 for more information. Remediation: Set o7_dictionary_accessibility= FALSE Audit: grep -i o7_dictionary_accessibility \ init.ora \ \ 2 S 39 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 4.17 spfile<sid>.ora Remove the following from the spfile: dispatchers= (PROTOCOL= TCP) (SERVICE= <oracle_sid>XDB) Rationale: This will disable default ports ftp: 2100 and http: 8080. Removing the XDB ports will reduce the attack surface of the Oracle server. It is recommended to disable these ports if production usage is not required. Remediation: Remove the following from spfile: dispatchers= (PROTOCOL= TCP)(SERVICE= <oracle_sid>XDB) Audit: grep -i XDB spfile<sid>.ora \ \ 2 S 4.18 Init.ora or spfile<sid>.ora AUDIT_SYS_OPERATIONS =TRUE Rationale: Auditing of the users authenticated as the SYSDBA or the SYSOPER provides an oversight of the most privileged of users. It is important that the database user should not have access to the system directories where the audits will be recorded. Ensure this by setting the AUDIT_SYS_OPERATIONS to TRUE. Remediation: Set AUDIT_SYS_OPERATIONS=TRUE. The default value is FALSE within spfile. Set AUDIT_FILE_DEST to your designated logging directory. Windows: Default is Event Viewer log file Unix: Default is $ORACLE_HOME/rdbms/audit By default this is set in spfile. Audit: grep -i AUDIT_SYS_OPERATIONS init.ora \ \ 2 S 40 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 4.19 listener.ora inbound_connect_ timeout_listener=2 Rationale: Allowing inbound connections to hold open half connections consumes database resources and can lead to denial of service. Set the initial value low and adjust upward if normal clients are unable to connect within the time allocated. Remediation: Set inbound_connect_timeout_listener=2 Audit: grep -i inbound_connect_timeout \ listener.ora \ \ 2 S 4.20 sqlnet.ora tcp.validnode_checking= YES Rationale: This parameter enables the listener to check incoming connections for matches in the invited and excluded nodes list. Remediation: Set tcp.validnode_checking=YES in $ORACLE_HOME/network/admin/sqlnet.ora. Note: The default value is No Audit: grep -i tcp.validnode_checking sqlnet.ora \ \ 2 S 41 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 4.21 sqlnet.ora Set tcp.invited_nodes to valid values Rationale: This creates a list of trusted nodes that can connect to the listener. The excluded_nodes value is ignored if this is set and a default deny policy is created only allowing the listed trusted nodes to connect to the listener. Remediation: Use IP addresses of authorized hosts to set this parameter in the sqlnet.ora file. Set tcp.invited_nodes to valid values tcp.invited_nodes =(10.1.1.1, 10.1.1.2) Audit: grep -i tcp.invited_nodes sqlnet.ora Note: This is not set by default. \ \ 2 S 4.22 sqlnet.ora Set tcp.excluded_nodes to valid values Rationale: Excluded nodes will prevent malicious or untrusted hosts from connecting to the listener. Remediation: Use IP addresses of unauthorized hosts to set this parameter in the sqlnet.ora file. Note: If the tcp.invited_nodes is set, the tcp.excluded_nodes values are ignored and only hosts specified in the invited_nodes will be allowed to connect to the listener. Set tcp.excluded_nodes to valid values Audit: grep -i tcp.excluded_nodes sqlnet.ora \ \ 2 S 42 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 4.23 sqlnet.ora sqlnet.inbound_ connect_timeout=3 Rationale: Allowing inbound connections to hold open half connections consumes database resource and can lead to denial of service. Suggestion is to set to a low initial value and adjust upward if normal clients are unable to connect within the time allocated. Remediation: Set sqlnet.inbound_connect_timeout=3 Audit: grep -i inbound_connect_timeout \ sqlnet.ora \ \ 2 S 4.24 sqlnet.ora sqlnet.expire_time= 10 Rationale: If this is not set in the sqlnet.ora file, the default is never to expire. Allowing a connection to idle indefinitely will consume system resources leading to a denial of service. It is recommended to set this to a low value initially, then increase if clients experience timeout issues. Remediation: Set sqlnet.expire_time= 10 Audit: grep -i expire_time sqlnet.ora \ \ 2 S 43 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 4.25 Accounts Lock account access for application schema owners Rationale: Lock the account for the application schema owner. Users must not connect to the database as the application owner. Remediation: ALTER USER <USERNAME> ACCOUNT LOCK PASSWORD EXPIRE Audit: SELECT USERNAME, ACCOUNT_STATUS FROM DBA_USERS; \ \ 2 S 44 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 4.26 init.ora remote_login_passwordfil e=none Rationale: Prevents remote privileged connections to the database. This suggests that remote administration should be performed by remotely logging into the database server via a secured connection. Alternately, an administrative listener could be created, the remote_login_passwordfile set to exclusive, and logging of the administrative listener implemented. Remediation: For Windows: Set remote_login_passwordfile setting to none. Implement remote management to a Windows based host viaTerminal Server and IPSec. For Unix: Set remote_login_passwordfile setting to none. Implement SSH or other secure shell method to remotely administer the Oracle server. Remote Administration of Oracle via Administrative Listener: Admin Listener = Required remote_login_passwordfile setting = exclusive Require logging be enabled for the Admin and Client Listeners if remote access is provided. Audit: grep -i remote_login_passwordfile \ init.ora \ \ 2 S 45 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 4.27 sqlnet.ora SQLNET.ALLOWED_LOGON_VER SION=11 Rationale: Set the login version to the 11. The higher setting prevents logins by older version clients that do not use strong authentication to pass the login credentials. The default setting is 10,9,8. Remediation: SQLNET.ALLOWED_LOGON_VERSION=11 Audit: grep -i ALLOWED_LOGIN_VERSION sqlnet.ora \ \ 2 S 4.28 listener.ora Use absolute paths in ENVS parameters. Rationale: Allowing overly broad PATH and CLASSPATH variables could allow an attacker to leverage pathing issues and load malicious binaries or classes. Remediation: Remove broad path or classpath variables and ensure only absolute paths are used. Note: The ENVS SID_DESC parameter is not supported on Windows however the environment variables can be defined for the listener. Audit: grep -i ENVS listener.ora . \ \ 2 N 4.29 cman.ora REMOTE_ADMIN=NO Rationale: Ensure remote administration is not left enabled. Default is NO. Remediation: Set REMOTE_ADMIN = NO. Audit: grep -i REMOTE_ADMIN cman.ora \ \ 2 S 46 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 4.30 listener.ora, tnsnames.ora Disable external procedures Rationale: Remove entries for external procedures from listener.ora or tnsnames.ora file. External procedures can call shared libraries on the host system from the $ORACLE_HOME/lib or $ORACLE_HOME/bin directories. This creates a dangerous condition. If not required disable their usage. Remediation: Remove external shared libraries from $ORACLE_HOME/lib Audit: None \ \ 2 N 4.31 init.ora SEC_RETURN_SERVER_RELEAS E_BANNER = false Rationale: Ensure the oracle database is not returning complete database information to clients. Knowing the exact patch set can aid an attacker. Remediation: SEC_RETURN_SERVER_RELEASE_BANNER = false Audit: grep -i \ SEC_RETURN_SERVER_RELEASE_BANNER init.ora \ \ 2 S 47 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 4.32 init.ora DB_SECUREFILE=ALWAYS Rationale: Ensure that all LOB files created by Oracle are created as SecureFiles. Remediation: DB_SECUREFILE=ALWAYS Audit: grep -i DB_SECUREFILE init.ora \ \ 2 N 4.33 init.ora SEC_CASE_SENSITIVE_LOGON =TRUE Rationale: Set Oracle database password to be case sensitive. This increases the complexity of passwords and helps defend against brute force password attacks. Remediation: SEC_CASE_SENSITIVE_LOGON=TRUE Audit: grep -i SEC_CASE_SENSITIVE_LOGO init.ora \ \ 1 S 48 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 4.34 init.ora SEC_MAX_FAILED_LOGIN_ATT EMPTS=3 Rationale: Set the maximum number of failed login attempts to be 3 or in sync with established password policies. This will reduce the effectiveness of a password brute force attack. Note: Setting SEC_MAX_FAILED_LOGIN_ATTEMPTS to a value other than UNLIMITED may increase an attacker's ability to intentionally lockout sensitive accounts, such as those used by middle-tier applications. Given this, implementer's should consider connectivity restrictions to the Oracle instance backing the application and the determinism of usernames used by such applications. Remediation: SEC_MAX_FAILED_LOGIN_ATTEMPTS=3 Audit: grep -i SEC_MAX_FAILED_LOGIN_ATTEMPTS \ init.ora \ \ 1 S 4.35 init.ora SEC_PROTOCOL_ERROR_FURTH ER_ACTION=DELAY <seconds>or DROP<seconds> Rationale: When bad packets are received from a client the server will wait the specified number of seconds before allowing a connection from the same client. This help mitigate malicious connections or DOS conditions. Remediation: SEC_PROTOCOL_ERROR_FURTHER_ACTION=DELAY <seconds>or DROP<seconds> Audit: grep -i \ SEC_PROTOCOL_ERROR_FURTHER_ACTION \ init.ora \ \ 1 S 49 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 4.36 init.ora SEC_PROTOCOL_ERROR_TRACE _ACTION=LOG or ALERT Rationale: Specify the action a database should take when a bad packet is received. TRACE generates a detailed trace file and should only be used when debugging. ALERT or LOG should be used to capture the event. Use currently established procedures for checking console or log file data to monitor these events. Remediation: SEC_PROTOCOL_ERROR_TRACE_ACTION= {LOG|ALERT} Audit: grep -i \ SEC_PROTOCOL_ERROR_TRACE_ACTION init.ora \ \ 1 S 4.37 sqlnet.ora SEC_USER_AUDIT_ACTION_BA NNER=/path/to/warning.tx t Rationale: A banner should be set to warn a user about the possible audit actions that are taken when using the system. Set the complete path to the file that contains the warning. Remediation: SEC_USER_AUDIT_ACTION_BANNER=/path/to/war ning.txt Audit: grep -i \ SEC_USER_AUDIT_ACTION_BANNER sqlnet.ora \ \ 1 N 50 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 4.38 sqlnet.ora SEC_USER_UNAUTHORIZED_AC CESS_BANNER=/path/to/war ning.txt Rationale: A banner should be set to warn a user about unauthorized access to the database that is in line with current policy or language. Set the complete path to the file that contains the warning. OCI and other custom applications must make use of this parameter before it is displayed to the user. Remediation: SEC_USER_UNAUTHORIZED_ACCESS_BANNER=/path /to/warning.txt Audit: grep -i \ SEC_USER_UNAUTHORIZED_ACCESS_BANNER \ sqlnet.ora \ \ 1 N 4.39 listener.ora SECURE_CONTROL_listener_ name=(TCPS,IPC) Rationale: If remote administration of the listener is required configure the listener for secure control. If no values are entered for this parameter, the listener will accept registration request from any transport. If only IPC or TCPS is required then set the value to TCPS or IPC. Remediation: SECURE_CONTROL_listener_name=(TCPS,IPC) Audit: grep -i SECURE_CONTROL listener.ora \ \ 2 S 51 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 4.40 listener.ora SECURE_PROTOCOL_listener _name=(TCP,IPC) Rationale: Ensure that any administration requests are accepted only over secure transport. If only IPC or TCP is required then set the value to TCPS or IPC. Remediation: SECURE_PROTOCOL_listener_name=(TCPS,IPC) Audit: grep -i SECURE_PROTOCOL listener.ora \ \ 1 S 4.41 listener.ora SECURE_REGISTER_listener _name=(TCP,IPC) Rationale: Ensure that any registration requests are accepted over secure transport. If only IPC or TCP is required then set the value to TCPS or IPC. Remediation: SECURE_REGISTER_listener_name=(TCPS,IPC) Audit: grep -i SECURE_REGISTER listener.ora \ \ 2 S 4.42 listener.ora DYNAMIC_REGISTRATION_lis tener_name=OFF Rationale: If DYNAMIC_REGISTRATION is turned on all registration connections are accepted by the listener. It is recommended that only static registrations be used by the listener. Turning off dynamic registration may not be possible in larger or more dynamic environments. Ensure proper testing is done before turning off dynamic registration in production. Remediation: DYNAMIC_REGISTRATION_listener_name=OFF Audit: grep -i DYNAMIC_REGISTRATION listener.ora \ \ 2 S 52 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 4.43 listener.ora EXTPROC_DLLS=ONLY Rationale: Where use of external procedures is required, specify the EXTPROC_DLLS=ONLY in the parameter to limit calls to the specific DLLS. This prevents external DLLs and libraries from being loaded by the Oracle database. An attacker that can load an external library into the Oracle running instance can take control or compromise system security. If external DLLs must be used specify the ONLY parameter and an absolute path for each required DLL. Remediation: EXTPROC_DLLS=ONLY Audit: grep -i EXTPROCS_DLLS listener.ora \ \ 1 S 53 | P a g e 5. Encryption Specific Settings Note: OAS is installed by default even if it is not licensed. Therefore, it must be configured even if it is not used. Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 5.01 OAS - General Review requirement for integrity and confidentiality requirements. Rationale: Only implement OAS if a local integrity/encryption policy does not already exist, e.g., IPSec or other means for providing integrity/confidentiality services. Remediation: Review requirement for integrity and confidentiality requirements. Audit: None \ \ 2 N 5.02 OAS ÷ Encryption Type SQLNET.ENCRYPTION_SERVER =REQUIRED Rationale: This ensures that regardless of the settings on the user, if communication takes place it must be encrypted. Default is accepted. Remediation: SQLNET.ENCRYPTION_SERVER=REQUIRED Audit: grep -i ENCRYPTION_SERVER sqlnet.ora \ \ 2 S 54 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 5.03 OAS ÷ Encryption Type SQLNET.ENCRYPTION_CLIENT =(ACCEPTED|REQUESTED|REQ UIRED) Rationale: Communication is only possible on the basis of an agreement between the client and the server regarding the connection encryption. To ensure encrypted communication, set the value to REQUIRED. With the server set to REQUIRED the client must match the encryption for valid communication to take place. Default is accepted. Note: Failure to specify one of the values will result in an error when an attempt is made to connect to a FIPS 140-1 compliant server. Remediation: SQLNET.ENCRYPTION_CLIENT=REQUIRED Audit: grep -i ENCRYPTION_CLIENT sqlnet.ora \ \ 2 S 5.04 OAS ÷ FIPS Compliance SSLFIPS_140 =TRUE Rationale: For FIPS 140-2 compliance, the FIPS value must be set to TRUE. The default value for this setting is FALSE. NOTE: This value is not settable using the Oracle Net Manager. To set this value you must use a text editor and modify the sqlnet.ora file. Remediation: SSLFIPS_140 =TRUE Audit: grep -i SSL_FIPS fips.ora \ \ 2 S 55 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 5.05 OAS ÷ Integrity Protection Integrity check for communication between the server and the client must be established. °SQLNET.CRYPTO_CHECKSUM_ SERVER=REQUIRED¨ °SQLNET.CRYPTO_CHECKSUM_ CLIENT=REQUIRED¨ Rationale: The integrity check for communication can prevent data modifications. Two check sum algorithms are available; SHA-1 and MD5. Default is accepted. Remediation: Set SQLNET.CRYPTO_CHECKSUM_SERVER=REQUIRED SQLNET.CRYPTO_CHECKSUM_CLIENT=REQUIRED Audit: grep -i CRYPTO_CHECKSUM_SERVER sqlnet.ora grep -i CRYPTO_CHECKSUM_CLIENT sqlnet.ora \ \ 2 S 5.06 OAS ÷ Integrity Protection Set SQLNET.CRYPTO_CHECKSUM_T YPES_SERVER=(SHA1) Rationale: If possible, use SHA1 instead of MD5. MD5 has documented weaknesses and is prone to collisions. Usage of SHA-1 is recommended. Default is all. Remediation: Set SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER=(SHA1 ) Audit: grep -i CHECKSUM_TYPES_SERVER sqlnet.ora \ \ 2 S 56 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 5.07 OAS ÷ Oracle Wallet Owner Permissions Set configuration method for Oracle Wallet. Ensure only the appropriate Oracle user account has access to the wallet. Rationale: The Oracle service account must have access to the wallet. Remediation: None Audit: None \ \ 2 N 5.08 OAS ÷ Oracle Wallet Trusted Certificates Remove certificate authorities (CAs) that are not required. Rationale: Trust only those CAs that are required by clients and servers. Remediation: Remove certificate authorities (CAs) that are not required. Audit: orapki wallet display -wallet \ wallet_location \ \ 2 S 5.09 OAS ÷ Oracle Wallet Trusted Certificates Import When adding CAs, verify fingerprint of CA certificates. Rationale: When adding CA certificates via out-of-band methods, use fingerprints to verify the certificate. Failure to verify fingerprints can lead to compromise of the certificate chain. Remediation: When adding CAs, verify fingerprint of CA certificates. Audit: None \ \ 2 N 57 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 5.10 OAS ÷ Certificate Request Key Size Request the maximum key size available. Rationale: Select the largest key size available that is compatible with the network environment. 2048 or 4096 are recommended sizes. Remediation: orapki wallet add -wallet \ wallet_location -dn user_dn -keySize 2048 Audit: orapki wallet display -wallet \ wallet_location \ \ 2 S 5.11 OAS ÷ Server Oracle Wallet Auto Login Allow Auto Login for the server's Oracle Wallet Rationale: For Windows Oracle database servers, SSL will not work unless Auto Login is set. Remediation: To enable auto login from the Oracle Wallet Manager. Choose Wallet from the menu bar. Check Auto Login. A message at the bottom of the window indicates that auto login is enabled. Audit: Choose Wallet from the menu bar. Check Auto Login. \ \ 2 S 5.12 OAS ÷ SSL Tab SSL is preferred method. If PKI is not possible, use OAS Integrity/Encryption. Rationale: OAS Integrity/Encryption should only be used if required because of non-SSL clients. Remediation: Use OAS Integrity/Encryption only if SSL is unavailable. Audit: None \ \ 2 N 58 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 5.13 OAS ÷ SSL Version Set SSL version. SSL_VERSION = 3.0 Rationale: Usage of the most current version of SSL is recommended older versions of the SSL protocol are prone to attack or roll back. Do not set this parameter with "Any¨. Remediation: SSL_VERSION = 3.0 Audit: grep -i SSL_VERSION sqlnet.ora \ \ 2 S 5.14 OAS ÷ SSL Cipher Suite Set SSL Cipher Suite. SSL_CIPHER_SUITES = SSL_RSA_WITH_3DES_EDE_CB C_SHA) Rationale: SSL_CIPHER_SUITES are automatically set to FIPS140-2 approved suites by Oracle 11g. The following is for reference. Remediation: SSL_CIPHER_SUITES =( SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_WITH_DES_CBC_SHA, SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA) Audit: grep -i SSL_CIPHER_SUITES sqlnet.ora \ \ 2 S 59 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 5.15 OAS ÷ SSL Client DN Match Set tnsnames file to include SSL_SERVER_CERT_DN parameter with the distinguished name (DN) of the certificate. Rationale: This will reduce the possibility of certificate masquerading which can lead to man in the middle attacks and compromise the security provided by the SSL protocol. Remediation: SSL_SERVER_CERT_DN= \ "cn=dept,cn=OracleContext,dc=us,dc=acme,\ dc=com" Audit: grep -i SSL_SERVER_CERT_DN tnsnames.ora \ \ 2 S 5.16 OAS ÷ SSL Client Authentication SSL_CLIENT_ AUTHENTICATION=TRUE Rationale: It is preferable to have mutually authenticated SSL connections verifying the identity of both parties. If possible use client and server certificates for SSL connections. If client certificates are not supported in the enterprise, then set to FALSE. Remediation: SSL_CLIENT_AUTHENTICATION=true Audit: grep -i SSL_CLIENT_AUTHENTICATION \ sqlnet.ora \ \ 2 S 5.17 OAS ÷ Encryption Tab Use OAS encryption only if SSL is not feasible. Rationale: OAS Integrity/Encryption should only be used if required because of non-SSL clients. Remediation: None Audit: None \ \ 2 N 60 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 5.18 Encryption Where possible, use a procedure that employs a content data element as the encryption key that is unique for each record. Rationale: By employing a procedure that uses data elements that change for each record the resulting ciphertext will be unique. As an example if the same value, key, and encryption are used for a value in a record the resulting ciphertext will be identical. Someone knowing the value of one of the records independent of the ciphertext can by inference know the value of other records that display the same ciphertext. Remediation: None Audit: None \ \ 2 N 5.19 Encryption Use RAW or BLOB for the storage of encrypted data. Rationale: Storing data in CLOB may result in a failure in decryption if the same number letter symbol set is not used. The use of RAW or BLOBs prevents this error and preserves the data. Remediation: None Audit: None \ \ 2 N 61 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 5.20 Encryption If keys are stored in a table with the database, access to the keys should be limited and under the protection of a secure role with fine grain auditing in place for the table. The column name should be obscure and should not reveal the role of the column. Rows should be protected with both VPD and OLS (OLS included VPD) and the keys themselves should be encrypted with a master key. If the keys are managed by an application or generated as computed keys the procedures should be wrapped. All package bodies, procedures, and functions should be wrapped. Rationale: Assign multiple layers of protection, within the limits of what can be managed, to ensure the security of the encryption keys. The combination of methods will be dependent on how and where the keys are stored. Remediation: Use multiple layers of protection when storing keys with the data in a separate database. Employ wrapping to protect all code used to protect, generate keys for, or encrypt keys. If security dictates, hardware devices can be used for encryption key storage. Keys, at minimum, should follow password selection standards in areas of minimum length, use of special characters and non-dictionary words. Audit: None \ \ 2 N 62 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 5.21 Encryption Revoke the PUBLIC execute privileges from the DBMS_OBFUSCATION_TOOLKIT . Rationale: The DBMS_OBFUSCATION_TOOLKIT has been replaced with the DBMS_CRYPTO package, but the DBMS_OBFUSCATION_TOOLKIT is still needed for some tasks that are not available in the DBMS_CRYPTO package. As an example; the generation of a pseudorandom string requires the DBMS_OBFUSCATION_TOOLKIT. By removing public access to the DBMS_OBFUSCATION_TOOLKIT the means to decrypt the data is not available for malicious use. Remediation: REVOKE EXECUTE ON DBMS_OBFUSCATION_TOOLKIT TO PUBLIC; Audit: SELECT TABLE_NAME FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_OBFUSCATION_TOOLKIT'; \ \ 2 S 5.22 Encryption Use HSM for storage of master key. Rationale: Where possible use an HSM to store the master keys for Transparent Data Encryption. All encryption and decryption operations that use the master encryption key are performed inside the HSM. This means that the master encryption key is never exposed in insecure memory. Remediation: None Audit: None \ \ 2 N 63 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 5.23 Encryption Tablespace Encryption Rationale: When a table contains a large number of columns of PII it can be beneficial to encrypt an entire tablespace rather than columns. Remediation: Use tablespace encryption . Audit: None \ \ 2 N 5.24 Radiuskey Verify and set permissions on radius.key file Rationale: File permissions must be restricted to the owner of the Oracle software and dba group. Ensure proper permissions are set on $ORACLE_HOME/network/security/radius.key Remediation: chmod 440 \ $ORACLE_HOME/network/security/radius.key Audit: ls -al \ $ORACLE_HOME/network/security/radius.key \ \ 1 S 5.25 sqlnet.ora SSL_CERT_REVOCATION=requ ired Rationale: Ensure revocation is required for checking CRLs for client certificate authentication. Revoked certificates can pose a threat to the integrity of the SSL channel and should not be trusted. Remediation: SSL_CERT_REVOCATION=required Audit: grep -i SSL_CERT_REVOCATION sqlnet.ora \ \ 2 S 64 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 5.26 sqlnet.ora SSL_SERVER_DN_MATCH=yes Rationale: Ensure the DN string of the certificate matches the expected value. Remediation: SSL_SERVER_DN_MATCH=yes Audit: grep -i SSL_SERVER_DN_MATCH sqlnet.ora \ \ 2 S 65 | P a g e 6. Startup and Shutdown Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 6.01 Advanced queuing in asynchronous messaging Empty queue at shut down of Oracle. Rationale: Information in queue may be accessed outside of Oracle and beyond the control of the security parameters. It should be subject to the same security precautions as other tables. Remediation: Empty queues at the shutdown of the Oracle instances. DBMS_AQADM.PURGE_QUEUE_TABLE( queue_table => 'name.obj_qtab', purge_condition => NULL, purge_options => po); DBMS_AQADM.PURGE_QUEUE_TABLE( queue_table => 'bane.obj_qtab', purge_condition => 'qtview.queue = ''NAME.OBJ_QUEUE''', purge_options => po); Audit: None \ \ 1 N 6.02 Cache Cache must be emptied at shut down of Oracle. Rationale: Information in caches may be accessed outside of Oracle and beyond the controls of the security parameters. Remediation: ALTER SYSTEM FLUSH BUFFER_CACHE; Audit: None \ \ 1 N 66 | P a g e 7. Backup and Disaster Recovery Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 7.01 Redo logs Mirror Rationale: Redundancy for the redo logs can prevent catastrophic loss in the event of a disk or system failure. Remediation: Mirror on-line redo logs and ensure that more than one group exists. Audit: None \ \ 1 N 7.02 Control files Multiplex control files to multiple physical disks. Rationale: Redundancy for the control files can prevent catastrophic loss in the event of a single physical drive failure Remediation: Store control files on a RAID or other redundant disk system. Audit: None . \ \ 1 N 67 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 7.03 Control files Mirror Rationale: Mirror the Oracle control files. In the event that the control files become corrupted or a system failure mirroring will help ensure recovery is possible. Remediation: Mirror control files to multiple separate physical partitions. Audit: None \ \ 1 N 7.04 Archive logs Ensure there is sufficient space for the archive logging process. Rationale: Without adequate space for the archive logs the system will hang resulting in a denial of service. Remediation: Allocate more disk space to redo log partitions. Audit: None \ \ 1 N 7.05 Redo logs Multiplex redo logs to multiple physical disks. Rationale: Redundancy for the redo logs can prevent catastrophic loss in the event of a single physical drive failure. Remediation: None Audit: None \ \ 1 N 68 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 7.06 Archive log files Backup Rationale: Archived logs contain sensitive information and must be properly handled. Remediation: If archive log mode is used the archive log files must be saved on tape or to a separate disk. File permissions must be restricted to the owner of the Oracle software and the dba group. The archive logs must be secured. Audit: None \ \ 1 N 7.07 Backup Automated backups should be verified. Rationale: Backups should be verified by performing recoveries to ensure newer automated backups function properly. Failure to ensure this could cause inability to recover data, leading to data loss. Remediation: Backups should be verified by performing recoveries to ensure newer automated backups function properly. Failure to ensure this could cause inability to recover data, leading to data loss. The improved RMAN (Recovery Manager) capabilities (i.e., incremental backup process) can be used to facilitate backups and recovery. Audit: None \ \ 1 N 69 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 7.08 Failsafe Failsafe must be engaged. Rationale: Failsafe uses the cluster server interface to provide the failover protection previously provided by hardware interfaces. Remediation: Engage failsafe. Audit: None \ 2 N 70 | P a g e 8. Oracle Profile (User) Setup Settings Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 8.01 Database Profiles failed_login_attempts=3 Rationale: Restricting the number of login attempts will help deter brute force attacks against profiles. Remediation: Application accounts must be set for failed_login_attempts=3 Local policy may override the recommended setting. This setting may not be applicable for middle tier application accounts that access the database. Create a profile then assign it to a user account. Default profile has this setting at 10. ALTER PROFILE profile_name LIMIT FAILED_LOGIN_ATTEMPTS 3 PASSWORD_LOCK_TIME 1; Note: It is recommended to create three separate profiles: Application accounts, system accounts, and user accounts instead of using the default for all. Audit: SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE RESOURCE_NAME='FAILED_LOGIN_ATTEMPTS' \ \ 1 S 71 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 8.02 Database Profiles password_life_time= 90 Rationale: Restricting the password lifetime will help deter brute force attacks against user accounts and refresh passwords. Local policy may not override the setting. This setting may not be applicable for middle tier application accounts that access the database. Create a profile then assign it to a user account. Default profile has a setting of 180 Remediation: ALTER PROFILE profile_name LIMIT password_life_time 90; Audit: SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE RESOURCE_NAME='PASSWORD_LIFE_TIME' \ \ 1 S 72 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 8.03 Database Profiles password_reuse_max=20 Rationale: password_reuse_max sets the number of different passwords that must be rotated by the user before the current password can be reused. This prevents users from cycling through a few common passwords and helps ensure the integrity and strength of user credentials. Local policy may override the recommended setting. This setting may not be applicable for middle tier application accounts that access the database. Create a profile then assign it to a user account. Default profile has a setting of UNLIMITED. Remediation: ALTER PROFILE profile_name LIMIT password_reuse_max 20; Audit: SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE RESOURCE_NAME='PASSWORD_REUSE_MAX' \ \ 1 S 73 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 8.04 Database Profiles password_reuse_time= 365 Rationale: password_reuse_time sets the amount of time that must pass before a password can be reused. Creating a long window before password reuse helps protect from password brute force attacks and helps the strength and integrity of the user credential. Local policy may not override the setting. Create a profile then assign it to a user account. Default profile has this setting as UNLIMITED Remediation: ALTER PROFILE profile_name LIMIT password_reuse_time 365; Audit: SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE RESOURCE_NAME='PASSWORD_REUSE_TIME' \ \ 1 S 8.05 Database Profiles password_lock_time=1 Rationale: password_lock_time specifies the amount of time in days that the account will be locked out if the maximum number of authentication attempts has been reached. Local policy may not override the setting. This setting may not be applicable for middle tier application accounts that access the database. Remediation: ALTER PROFILE profile_name LIMIT password_lock_time 1; Audit: SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE RESOURCE_NAME='PASSWORD_LOCK_TIME' \ \ 1 S 74 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 8.06 Database Profiles password_grace_time=3 Rationale: password_grace_time specified in days the amount of time that the user is warned to change their password before their password expires. Local policy may not override the setting. This setting may not be applicable for middle tier application accounts that access the database. Remediation: ALTER PROFILE profile_name LIMIT password_grace_time 3; Audit: SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE RESOURCE_NAME='PASSWORD_GRACE_TIME' \ \ 1 S 8.07 Database Profiles Review accounts where PASSWORD= 'EXTERNAL' Rationale: Check and review any user who has password='EXTERNAL'. Do not allow remote OS authentication to the database. Remediation: ALTER USER <username> IDENTIFIED BY <new_password>; Audit: SELECT USERNAME FROM DBA_USERS WHERE PASSWORD='EXTERNAL'; \ \ 2 N 75 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 8.08 Database Profiles Set password_verify_function to a verification function Rationale: Allow password_verification_function to be called when passwords are changed. This always works for password changes via the "password¨ command at an SQL prompt. Remediation: Oracle provides utlpwdmg.sql which can be used to create a password verification function. If using this script to create a password verification function, make the following changes at the bottom of the utlpwdmg.sql file: PASSWORD_GRACE_TIME 3 PASSWORD_REUSE_TIME 365 PASSWORD_REUSE_MAX 20 FAILED_LOGIN_ATTEMPTS 3 PASSWORD_LOCK_TIME 1 Modify the line: IF length(password) < 4 by changing the minimum password length to 8. Do not use the verify_function_11G as it sets password settings to the defaults listed above. Audit: SELECT PROFILE, RESOURCE_NAME FROM DBA_PROFILES WHERE RESOURCE_NAME='PASSWORD_VERIFY_FUNCTION'; \ \ 2 S 76 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 8.09 Database Profiles Set CPU_PER_SESSION as appropriate Rationale: Allowing a single application or user to consume excessive CPU resources will result in a denial of service to the Oracle database. Ensure that users profile settings have appropriate values set for the particular database and application. Remediation: ALTER PROFILE profile_name LIMIT CPU_PER_SESSION <value>; Audit: SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE RESOURCE_NAME='CPU_PER_SESSION'; \ \ 2 S 8.10 Database Profiles Set PRIVATE_SGA as appropriate Rationale: Allowing a single application or user to consume the excessive amounts of the System Global Area will result in a denial of service to the Oracle database. Ensure that users profile settings have appropriate values set for the particular database and application. Remediation: ALTER PROFILE profile_name LIMIT PRIVATE_SGA <value>; Audit: SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE RESOURCE_NAME=' PRIVATE_SGA'; \ \ 2 S 77 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 8.11 Database Profiles Set LOGICAL_READS_ PER_SESSION as appropriate Rationale: Allowing a single application or user to perform excessive amounts of reads to disk will result in a denial of service to the Oracle database. Ensure that users profile settings have appropriate values set for the particular database and application. Remediation: ALTER PROFILE profile_name LIMIT LOGICAL_READS_ PER_SESSION <value>; Audit: SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE RESOURCE_NAME=' LOGICAL_READS_PER_SESSION'; \ \ 2 S 8.12 Database Profiles Set SESSIONS_PER_USER as appropriate Rationale: Allowing an unlimited amount of sessions per user can consume Oracle resources and cause a denial of service. Limit the number of session for each individual user. Ensure that users profile settings have appropriate values set for the particular database and application. Remediation: ALTER PROFILE profile_name LIMIT SESSIONS_PER_USER <value>; Audit: SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE RESOURCE_NAME=' SESSIONS_PER_USER'; \ \ 2 S 78 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 8.13 Database Profiles Set CONNECT_TIME as appropriate Rationale: Sessions held open for excessive periods of time can consume system resources and cause a denial of service for other users of the Oracle database. The CONNECT_TIME parameter limits the upper bound on how long a session can be held open. This parameter is specified in minutes. Sessions that have exceeded their connect time are aborted and rolled back. Note: Oracle does not do strict monitoring of connect times and sessions can exceed this time limit by up to a few minutes. Ensure that users profile settings have appropriate values set for the particular database and application. Remediation: ALTER PROFILE profile_name LIMIT CONNECT_TIME <value>; Audit: SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE RESOURCE_NAME=' CONNECT_TIME'; \ \ 2 N 79 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 8.14 Database Profiles Set IDLE_TIME as appropriate Rationale: Idle sessions held open for excessive periods of time can consume system resources and cause a denial of service for other users of the Oracle database. Limit the maximum number of minutes a session can idle. Ensure that users profile settings have appropriate values set for the particular database and application. Remediation: ALTER PROFILE profile_name LIMIT IDLE_TIME <value>; Audit: SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE RESOURCE_NAME=' IDLE_TIME'; \ \ 2 N 80 | P a g e 9. Oracle Profile (User) Access Settings Note: Security recommendations for Tablespaces, Tables, Views, Roles, Synonyms, Privileges, Roles and Packages need to be followed for all new users that might be created. By default SYS and DBA have most of these accesses and privileges, and should be the only users granted permissions. Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 9.01 Tablespaces Do not have default_tablespace set to SYSTEM for user accounts Rationale: Only SYS should have a default tablespace of SYSTEM. This prevents administrative users from altering system objects. Note it may be difficult or impossible to move some objects. Remediation: ALTER USER DEFAULT_TABLESPACE table; Audit: SELECT USERNAME, DEFAULT_TABLESPACE FROM DBA_USERS; \ \ 2 S 9.02 Tablespaces Ensure application users have not been granted quotas on tablespaces. Rationale: Set quotas for developers on shared production/development systems to prevent space resource contentions. Application users should be granted quotas on a case by case basis to avoid application failure. Remediation: ALTER USER <USER_NAME> QUOTA <VALUE> ON <TABLESPACE_NAME>; Audit: SELECT <USERNAME> FROM DBA_TS_QUOTAS WHERE USERNAME='USER' AND TABLESPACE_NAME='TABLESPACE_NAME'; \ \ 1 S 81 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 9.03 Any dictionary object Review access and revoke access where possible Rationale: Check for any user that has access to any dictionary object and revoke where possible. This reduces the overall privileges of the user base and reduces the attack surface of the Oracle database. Remediation: Review access rights and revoke privileges where possible. Audit: None \ \ 1 N 9.04 Tables Prevent access to SYS.AUD$ Rationale: Check for any user accounts that have access and revoke where possible. This is only applicable if the audit trail parameter is set to db or db_extended. Allowing users to alter the AUD$ table can compromise the audit trail or integrity of the Oracle database. Remediation: REVOKE ALL ON SYS.AUD$ FROM <USER>; Audit: SELECT GRANTEE, PRIVILEGE FROM DBA_TAB_PRIVS WHERE TABLE_NAME='AUD$' \ \ 2 S 82 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 9.05 Tables Prevent access to SYS.USER_HISTORY$ Rationale: Revoke access to this table from all users and roles except for SYS and DBA accounts. Allowing users to alter the USER_HISTORY$ table can compromise the audit trail or integrity of the Oracle database. Remediation: REVOKE ALL ON SYS.USER_HISTROY$ FROM <USER>; Audit: SELECT GRANTEE, PRIVILEGE FROM DBA_TAB_PRIVS WHERE TABLE_NAME='USER_HISTORY$'; \ \ 1 S 9.06 Tables Prevent access to SYS.LINK$ Rationale: Sensitive user and password data is stored in the LINK$ table. Non administrative or system users should be prevented from accessing this table. Check for any user that has access and revoke where possible. Remediation: REVOKE ALL ON SYS.LINK$ FROM <USER>; Audit: SELECT GRANTEE, PRIVILEGE FROM DBA_TAB_PRIVS WHERE TABLE_NAME='LINK$'; \ \ 1 S 83 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 9.07 Tables Prevent access to SYS.USER$ Rationale: Sensitive user and password data is stored in the USER$ table. Only administrative or system users should have rights to access this table. Check for any user that has access and revoke where possible. Remediation: REVOKE ALL ON SYS.USER$ FROM <USER>; Audit: SELECT GRANTEE, PRIVILEGE FROM DBA_TAB_PRIVS WHERE TABLE_NAME='USER$'; \ \ 1 S 9.08 Tables Prevent access to SYS.SOURCE$ Rationale: Allowing users to alter codes in the SOURCE$ table can compromise the security and integrity of the Oracle database. Check for any user accounts that have access and revoke where possible. Remediation: REVOKE ALL ON SYS.SOURCE$ FROM <USER> ; Audit: SELECT GRANTEE, PRIVILEGE FROM DBA_TAB_PRIVS WERE TABLE_NAME='SOURCE$'; \ \ 1 S 84 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 9.09 Tables Prevent access to PERFSTAT.STATS$SQLTEXT Rationale: Check for any user that has access and revoke where possible. SQLTEXT stores the full text of SQL statements that have been executed and can contain sensitive information. Remediation: REVOKE ALL ON PERFSTAT.STATS$SQLTEXT; Audit: SELECT GRANTEE, PRIVILEGE, TABLE_NAME FROM DBA_TAB_PRIVS WHERE TABLE_NAME=' STATS$SQLTEXT'; \ \ 1 S 9.10 Tables Prevent access to PERFSTAT.STATS$SQL_SUMMA RY Rationale: Check for any user that has access and revoke where possible. SQL_SUMMARY contains the first few lines of the executed SQL statements and can contain sensitive information. Remediation: REVOKE ALL ON PERFSTAT.STATS$SQLSUM; Audit: SELECT GRANTEE, PRIVILEGE, TABLE_NAME FROM DBA_TAB_PRIVS WHERE TABLE_NAME='STATS$SQLSUM'; \ \ 1 S 85 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 9.11 Tables Prevent access to any X$ table Rationale: X$ tables are kernel tables used by Oracle internals and should not be accessed by users. Check for any user that has access and revoke where possible. Remediation: REVOKE ALL ON X$<TABLENAME> FROM <USER>; Audit: SELECT GRANTEE, PRIVILEGE, TABLE_NAME FROM DBA_TAB_PRIVS WHERE TABLE_NAME LIKE(`X$%'); \ \ 1 S 9.12 Views Prevent access to any DBA_ views Rationale: DBA views return information about all objects and should only be accessible by administrators. Check for any user that has access and revoke where possible. Remediation: REVOKE ALL ON DBA_<TABLENAME> FROM <USER>; Audit: SELECT GRANTEE, PRIVILEGE, TABLE_NAME FROM DBA_TAB_PRIVS WHERE TABLE_NAME LIKE(`DBA_$%'); \ \ 1 S 86 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 9.13 Views Prevent access to any V$ views Rationale: V$ tables contain sensitive information about Oracle database and should only be accessible by system administrators. Check for any user that has access and revoke where possible. Remediation: REVOKE ALL ON TABLE_NAME FROM <USER>; Audit: SELECT GRANTEE, PRIVILEGE, TABLE_NAME FROM DBA_TAB_PRIVS WHERE TABLE_NAME LIKE(`V$%'); \ \ 1 S 9.14 Views Prevent access to ALL_SOURCE Rationale: ALL_SOURCE contains the text source for all of the user's objects. Check for any user that has access and revoke where possible. Remediation: REVOKE ALL ON ALL_ SOURCE FROM <USER>; Audit: SELECT GRANTEE, PRIVILEGE, TABLE_NAME FROM DBA_TAB_PRIVS WHERE TABLE_NAME='ALL_SOURCE'; \ \ 1 S 87 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 9.15 Views Prevent access to DBA_ROLES Rationale: Allowing the user to alter the DBA_ROLES can result in privilege escalation or system instability. Restrict access to this view to all users except SYS and DBAs. Remediation: REVOKE ALL ON DBA _ROLES FROM <USER>; Audit: SELECT GRANTEE, PRIVILEGE, TABLE_NAME FROM DBA_TAB_PRIVS WHERE TABLE_NAME=DBA_ROLES'; \ \ 1 S 9.16 Views Prevent access to DBA_SYS_PRIVS Rationale: Allowing a user to access the dba_sys_privs table will show the users' privileges for all users in the Oracle database. Restrict access to this view to all users except SYS and DBAs. Remediation: REVOKE ALL ON DBA_SYS_PRIVS FROM <USER>; Audit: SELECT GRANTEE, PRIVILEGE, TABLE_NAME FROM DBA_TAB_PRIVS WHERE TABLE_NAME=DBA_SYS_PRIVS'; \ \ 1 S 88 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 9.17 Views Prevent access to DBA_ROLE_PRIVS Rationale: Allowing a user to access the dba_role_privs view will show the role privileges for all roles in the Oracle database. Restrict access to this view to all users except SYS and DBAs. Remediation: REVOKE ALL ON DBA_ROLE_PRIVS FROM <USER>; Audit: SELECT GRANTEE, PRIVILEGE, TABLE_NAME FROM DBA_TAB_PRIVS WHERE TABLE_NAME=DBA_ROLE_PRIVS'; \ \ 1 S 9.18 Views Prevent access to DBA_TAB_PRIVS Rationale: Allowing a user to access the dba_tab_privs view will show the table privileges for all users in the Oracle database. Restrict access to this view to all users except SYS and DBAs. Remediation: REVOKE ALL ON DBA_TAB_PRIVS FROM <USER>; Audit: SELECT GRANTEE, PRIVILEGE, TABLE_NAME FROM DBA_TAB_PRIVS WHERE TABLE_NAME=DBA_ TAB _PRIVS'; \ \ 1 S 89 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 9.19 Views Prevent access to DBA_USERS Rationale: Allowing a user to access the dba_users view will show the role privileges for all users in the Oracle database. Restrict access to this view to all users except SYS and DBAs. Remediation: REVOKE ALL ON DBA_USERS FROM <USER>; Audit: SELECT GRANTEE, PRIVILEGE, TABLE_NAME FROM DBA_TAB_PRIVS WHERE TABLE_NAME=DBA_USERS'; \ \ 1 S 9.20 Views Prevent access to ROLE_ROLE_PRIVS Rationale: Allowing a user to access the dba_role_privs view will show the role grants for all roles in the Oracle database. Restrict access to this view to all users except SYS and DBAs. Remediation: REVOKE ALL ON ROLE_ROLE_PRIVS FROM <USER>; Audit: SELECT GRANTEE, PRIVILEGE, TABLE_NAME FROM DBA_TAB_PRIVS WHERE TABLE_NAME=' ROLE_ROLE_PRIVS; \ \ 1 S 90 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 9.21 Views Prevent access to USER_TAB_PRIVS Rationale: Allowing a user to access the user_tab_privs view will show the granted table privileges for all users in the Oracle database. Restrict access to this view to all users except SYS and DBAs. Remediation: REVOKE ALL ON USER_TAB_PRIVS FROM <USER>; Audit: SELECT GRANTEE, PRIVILEGE, TABLE_NAME FROM DBA_TAB_PRIVS WHERE TABLE_NAME='USER_TAB_PRIVS; \ \ 1 S 9.22 Views Prevent access to USER_ROLE_PRIVS Rationale: Allowing a user to access the user_role_privs view will show the granted role privileges for all users in the Oracle database. Restrict access to this view to all users except SYS and DBAs. Remediation: REVOKE ALL ON USER_ROLE_PRIVS TO <USER>; Audit: SELECT GRANTEE, PRIVILEGE, TABLE_NAME FROM DBA_TAB_PRIVS WHERE TABLE_NAME=' USER_ROLE_PRIVS; \ \ 1 S 91 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 9.23 Roles Prevent assignment of roles that have _CATALOG_ Rationale: Revoke any catalog roles from those roles and users that do not need them. These roles are SELECT_CATALOG_ROLE, EXECUTE_CATALOG_ROLE, DELETE_CATALOG_ROLE, and RECOVERY_CATALOG_OWNER. Remediation: REVOKE ALL ON <ROLE> FROM <USER>; Audit: SELECT GRANTEE, PRIVILEGE, TABLE_NAME FROM DBA_TAB_PRIVS WHERE TABLE_NAME LIKE(`%_CATALOG_%'); \ \ 1 S 9.24 Synonyms Prevent access to any V$ synonym Rationale: Check for any user that has access and revoke where possible. Remediation: Delete the synonym or revoke the privileges Audit: SELECT SYNONYM_NAME, TABLE_NAME FROM ALL_SYNONYMS WHERE TABLE_NAME LIKE(`V$%'); \ \ 1 S 9.25 Synonyms When dropping synonyms, ensure privileges granted to the synonyms, if not required, are removed from the base objects. Rationale: Granting privileges to synonyms actually grants privileges to the base objects. Remediation: If necessary, ensure that privileges from the base objects are removed when the synonyms are dropped. Audit: None \ \ 1 N 92 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 9.26 Privileges Restrict system privileges Rationale: All system privileges except for CREATE SESSION must be restricted to DBAs, application object owner accounts/schemas (locked accounts) and default Oracle accounts. Developers may be granted limited system privileges as required on development databases. Remediation: REVOKE ALL <PRIVS> FROM <USER>; Audit: SELECT * FROM DBA_SYS_PRIVS; \ \ 1 S 9.27 Privileges Prevent granting of privileges that contain the keyword ANY Rationale: The ANY keyword grants the ability for the user to set privileges for the entire catalogue of objects in the database. Remediation: Check for any user or role that has the ANY keyword and revoke this role where possible. Audit: SELECT * FROM DBA_SYS_PRIVILEGES WHERE PRIVILEGE LIKE(`%ANY%'); \ \ 1 S 93 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 9.28 Privileges Prevent granting of all privileges Rationale: The GRANT ALL PRIVILEGES must not be used; it gives full access to all tables, views and objects to the user or role it is granted to. Remediation: REVOKE ALL PRIVILEGES FROM <USER/ROLE> GRANT <SPECIFIC PRIVILEGES> TO <USER/ROLE>; Audit: SELECT * FROM DBA_SYS_PRIVS WHERE PRIVILEGE='GRANT ANY PRIVILEGE'; SELECT * FROM DBA_SYS_PRIVS WHERE PRIVILEGE='GRANT ANY OBJECT PRIVILEGE'; \ \ 2 N 9.29 Privileges Prevent granting of EXEMPT ACCESS POLICY (EAP) Rationale: Revoke this privilege if not necessary. The EAP privilege provides access to all rows regardless of Row Level Security assigned to specific rows. Remediation: REVOKE EXEMPT ACCESS POLICY FROM <USER>; Audit: SELECT * FROM DBA_SYS_PRIVS WHERE PRIVILEGE='EXEMPT ACCESS POLICY'; \ \ 1 S 94 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 9.30 Privileges Prevent granting of privileges that have WITH ADMIN Rationale: Check for any user or role that has been granted privileges WITH ADMIN and revoke where possible. The WITH ADMIN privilege allows a user to grant the same privileges they possess. Remediation: REVOKE <ROLE> FROM <USER>; GRANT <ROLE> TO <USER>; Audit: SELECT * FROM DBA_SYS_PRIVS WHERE ADMIN_OPTION=¨YES¨; \ \ 1 S 9.31 Privileges Prevent granting of privileges that have WITH GRANT Rationale: Check for any user or role that has been granted privileges WITH GRANT and revoke where possible. The WITH GRANT privilege allows a user to grant the same privilege to other users. Remediation: REVOKE GRANT OPTION FOR <PRIV> ON <TABLE> FROM <USER>; Audit: SELECT * FROM DBA_TAB_PRIVS WHERE GRANTABLE='YES'; \ \ 1 S 95 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 9.32 Privileges Prevent granting of privileges that have CREATE Rationale: Check for any user that has object creation privileges and revoke where possible. Excessive create privileges can allow an attack to create arbitrary objects, tables, and views. Remediation: REVOKE CREATE <PRIV> FROM <USER/ROLE> Audit: SELECT * FROM DBA_SYS_PRIV FROM PRIVILEGE LIKE(`CREATE %'); \ \ 1 S 9.33 Privileges Prevent granting of CREATE LIBRARY Rationale: Check for any user or role that has this privilege and revoke where possible. The CREATE LIBRARY privilege allows a user to create an object associated with a shared library. Allowing arbitrary library creation can compromise the integrity and security of the Oracle database. Remediation: REVOKE CREATE LIBRARY FROM <USER/ROLE>; Audit: SELECT * FROM DBA_SYS_PRIVS WHERE PRIVILEGE='CREATE LIBRARY'; \ \ 1 S 96 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 9.34 Privileges Prevent granting of ALTER SYSTEM Rationale: Check for any user or role that has this privilege and revoke where possible. The alter system privilege allows a user to dynamically alter the Oracle instance. Remediation: REVOKE ALTER SYSTEM FROM <USER/ROLE>; Audit: SELECT * FROM DBA_SYS_PRIVS WHERE PRIVILEGE='ALTER SYSTEM'; \ \ 1 S 9.35 Privileges Prevent granting of CREATE PROCEDURE Rationale: CREATE PROCEDURE allows a user to create a stored procedure in the database and should be restricted to administrative or development users. Check for any user or role that has this privilege and revoke where possible. Remediation: REVOKE CREATE PROCEDURE FROM <USER/ROLE>; Audit: SELECT * FROM DBA_SYS_PRIVS WHERE PRIVILEGE='CREATE PROCEDURE'; \ \ 1 S 9.36 Privileges Prevent granting of BECOME USER Rationale: BECOME USER allows a user to inherit the rights of another oracle system user and should not be used if possible. Remediation: REVOKE BECOME USER FROM <USER/ROLE> Audit: SELECT * FROM DBA_SYS_PRIVS WHERE PRIVILEGE LIKE(`BECOME USER'); \ \ 1 S 97 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 9.37 Privileges Prevent granting of SELECT ANY TABLE Rationale: Check for any user that has access and revoke where possible. If application data is sensitive, and it is possible, revoke this privilege from the DBA accounts as well. Remediation: REVOKE SELECT ANY <OBJECT> FROM <USER>; Audit: SELECT * FROM DBA_SYS_PRIVS WHERE PRIVILEGE LIKE(`SELECT ANY%'); \ \ 1 S 9.38 Privileges Prevent granting of AUDIT SYSTEM Rationale: Review which users have audit system privileges and limit as much as possible to ensure audit commands are not revoked. Remediation: REVOKE <PRITILEGE> FROM <USER>; Audit: SELECT * FROM DBA_SYS_PRIVS WHERE PRIVILEGE='AUDIT SYSTEM'; \ \ 1 S 9.39 Privileges Grant privileges only to roles Rationale: Grant privileges only to roles. Do not grant privileges to individual users. Remediation: Revoke all individual privileges from users. Create a role defining the needed privileges. Grant the role to the users. Audit: None \ \ 1 N 98 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 9.40 Privileges Review privileges granted to PUBLIC Rationale: Review all privileges granted to PUBLIC. Limit or revoke unnecessary PUBLIC privileges. Remediation: REVOKE PUBLIC FROM <USER/ROLE>; Audit: SELECT * FROM DBA_ROLE_PRIVS WHERE GRANTED_ROLE='PUBLIC'; \ \ 1 S 9.41 Roles Prevent assignment of RESOURCE Rationale: Revoke the resource role from normal application user accounts. Remediation: REVOKE RESOURCE FROM <USER/ROLE>; Audit: SELECT * FROM DBA_ROLE_PRIVS WHERE GRANTED_ROLE='RESOURCE'; \ \ 1 S 9.42 Roles Prevent assignment of DBA Rationale: Assigning the DBA role to users provides unnecessary access and control of the Oracle database. Remediation: Revoke DBA role from users who do not require it. REVOKE DBA FROM <USER/ROLE> Audit: SELECT * FROM DBA_ROLE_PRIVS WHERE GRANTED_ROLE='DBA'; \ \ 1 S 99 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 9.43 Packages ACL or Deny access to UTL_FILE Rationale: Review the ACL for usage of the UTL_FILE package. Revoke the public execute privilege on UTL_FILE as it can be used to access O/S. Remediation: REVOKE EXECUTE ON UTL_FILE FROM PUBLIC; Audit: SELECT GRANTEE, TABLE_NAME FROM DBA_TAB_PRIVS WHERE TABLE_NAME='UTL_FILE'; \ \ 1 S 9.44 Packages ACL or Deny access to UTL_TCP Rationale: Review the ACL for usage of the UTL_TCP package. Revoke the public execute privilege on UTL_TCP as it can write and read sockets. Remediation: REVOKE EXECUTE ON UTL_TCP FROM PUBLIC; Audit: SELECT GRANTEE, TABLE_NAME FROM DBA_TAB_PRIVS WHERE TABLE_NAME='UTL_TCP'; \ \ 1 S 9.45 Packages ACL or Deny access to UTL_HTTP Rationale: Review the ACL for usage of the UTL_HTTP package. Revoke the public execute privilege on UTL_HTTP as it can write content to a web browser. Remediation: REVOKE EXECUTE ON UTL_HTTP FROM PUBLIC; Audit: SELECT GRANTEE, TABLE_NAME FROM DBA_TAB_PRIVS WHERE TABLE_NAME='UTL_HTTP'; \ \ 1 S 100 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 9.46 Packages ACL or Deny access to UTL_SMTP Rationale: Review the ACL for usage of the UTL_SMTP packageRevoke the public execute privilege on UTL_SMTP as it can send mail from the database server. Remediation: REVOKE EXECUTE ON UTL_SMTP FROM PUBLIC; Audit: SELECT GRANTEE, TABLE_NAME FROM DBA_TAB_PRIVS WHERE TABLE_NAME='UTL_SMTP'; \ \ 1 S 9.47 Packages Deny access to DBMS_LOB Rationale Revoke the public execute privilege. This procedure allows the manipulation of large objects and BFILE file read access. If not required its usage should be revoked. Remediation: REVOKE EXECUTE ON DBMS_LOB FROM PUBLIC; Audit: SELECT GRANTEE, TABLE_NAME FROM DBA_TAB_PRIVS WHERE TABLE_NAME='DBMS_LOB'; \ \ 1 S 101 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 9.48 Packages Deny access to DBMS_SYS_SQL Rationale Revoke the public execute privilege. If public permissions are granted on DBMS_SYS_SQL a user can acquire an administrative cursor and act with DBA permissions. Remediation: REVOKE EXECUTE ON DBMS_SQL FROM PUBLIC; Audit: SELECT GRANTEE, TABLE_NAME FROM DBA_TAB_PRIVS WHERE TABLE_NAME='DBMS_SYS_SQL'; \ \ 1 S 9.49 Packages Deny access to DBMS_JOB Rationale Revoke the public execute privilege. DBMS_JOB is a backwards compatible job scheduler for Oracle. If no longer required its usage should be disabled to reduce Oracle's attack surface. Remediation: REVOKE EXECUTE ON DBMS_JOB TO PUBLIC; Audit: SELECT GRANTEE, TABLE_NAME FROM DBA_TAB_PRIVS WHERE TABLE_NAME='DBMS_JOB'; \ \ 1 S 102 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 9.50 Proxy Authentication Limit the user schema privileges to CREATE SESSION only. Rationale The proxy account should only have the ability to connect to the database. No other privileges should be granted to this account. Remediation: REVOKE ALL ON <USER>; GRANT CREATE SESSION TO <USER>; Audit: SELECT * FROM DBA_ROLE_PRIVS WHERE GRANTEE='<PROXY ACCOUNT>'; SELECT * FROM DBA_TAB_PRIVS WHERE GRANTEE='<PROXY ACCOUNT>'; SELECT * FROM DBA_SYS_PRIVS WHERE GRANTEE='<PROXY ACCOUNT>'; \ \ 1 S 9.51 Proxy role Restrict the roles that can be enabled when privileges are granted in the database. Rationale If application roles have been granted to user then these roles need to be prevented from being enabled by default on the subsequent logins. Remediation: CREATE ROLE `X' ; GRANT `X' TO JOHN_SMITH; ALTER USER JOHN_SMITH DEFAULT ROLE ALL EXCEPT X; Audit: None \ \ 1 N 103 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 9.52 Views Revoke public access to all public views that start with ALL_ Rationale Revoke access to these views when possible to prevent unauthorized access to data that could be sensitive. Note: This may interfere with some applications. Remediation: REVOKE ALL ON ALL_<NAME> FROM PUBLIC; Audit: SELECT TABLE_NAME FROM DBA_TAB_PRIVS WHERE TABLE_NAME LIKE(`ALL_%') AND GRANTEE='PUBLIC'; \ \ 2 S 9.53 Roles and Privileges When dropping a user, ensure roles and privileges created by that user, if not required, are deleted. Rationale Dropping a user (i.e., DROP USER X CASCADE) doesn't delete roles and privileges created by the user. Remediation: If a user is dropped, ensure that the roles and privileges created by that user, if not required, are deleted. Audit: None \ \ 2 N 104 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 9.54 Packages Limit or deny access to DBMS_BACKUP_RESTORE Rationale Provides file system functions such as copying files, altering control files, accessing devices, and deleting files. Remediation: REVOKE EXECUTE ON DBMS_BACKUP_RESTORE TO PUBLIC; REVOKE EXECUTE ON DBMS_BACKUP_RESTORE TO <USER>; Audit: SELECT GRANTEE FROM DBA_TAB_PRIVS WHERE TABLE_NAME='DBMS_BACKUP_RESTORE'; \ \ R 9.55 Packages Audit usage of DBMS_RANDOM Rationale Audit the DBMS_RANDOM function in applications for improper usage. DBMS_RANDOM should not be used for critical functions related to cryptography, session id generation or other areas where a high degree of entropy is required. Replace calls to these functions with RANDOMBYTES, Revoking the public privilege may cause some applications to fail it is suggested that if the public execute permission cannot be revoked the applications that utilize DBMS_RANDOM are carefully audited. Remediation: REVOKE EXECUTE ON DBMS_RANDOM TO PUBLIC; Audit: SELECT GRANTEE FROM DBA_TAB_PRIVS WHERE TABLE_NAME='DBMS_RANDOM'; \ \ 2 S 105 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 9.56 Roles Password protect roles Rationale Role passwords are useful when an application controls whether or not a role is turned on. This prevents a user directly accessing the database via SQL (rather than through the application) from being able to enable the privileges associated with the role. Remediation: SET ROLE <ROLE_NAME> IDENTIFIED BY <ROLE_PASSWORD>; Audit: SELECT * FROM DBA_ROLES; \ \ 2 S 106 | P a g e 10. Enterprise Manager / Grid Control / Agents Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 10.01 Enterprise Management studio mode Access to the enterprise management in studio must be limited. Rationale: Without limitations on the enterprise management access to the remote agents is virtually unlimited. Remediation: Limit access to the Oracle Enterprise Management studio. Audit: None \ \ 1 N 10.02 Enterprise Manager Agent File uploads Monitor the size of file uploads from the enterprise agent. Rationale: The following lines are some of the output from the ./emctl status agent command containing information regarding the agents uploading files: Total Megabytes of XML files uploaded so far : Number of XML files pending upload: Size of XML files pending upload(MB): Discovering unusual or increased size of file uploads could indicate a malicious agent. Remediation: Create a monitor to track the size of file uploads from the enterprise agent. Audit: None \ \ 1 N 107 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 10.03 Enterprise Manager Framework Security Where possible, utilize Enterprise Manager Framework Security Functionality. Rationale: Enterprise Manager Framework security employs secure communication between the various Enterprise Manager Components, i.e., Remediation: Enable HTTPS between management agents and management services. Audit: None \ \ 1 N 10.04 Grid Control TimeOut Value Configure an appropriate value for Grid Control Timeout value in the Oracle Application Server. File: $IAS_HOME/sysman/config/ emoms.properties Value: oracle.sysman.eml.maxIna ctiveTime=time_in_minute s Rationale: To prevent unauthorized access to the Grid Control via browser, set an appropriate timeout value. A value of 30 minutes or less is recommended. The default is 45 minutes. Remediation: Edit the $IAS_HOME/sysman/config/emoms.properties file and set the value to 30 Audit: grep -i maxInactiveTime \ $IAS_HOME/sysman/config/emoms.properties \ \ 1 S 108 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 10.05 Enterprise Manager Framework Security In command line mode, avoid using commands that contain passwords in the arguments. Rationale: While registering an agent to utilize the enterprise manager framework security, avoid using sensitive command line arguments for emctl. The command can be captured by other users with access to Unix (via ps) command or can be prone to shoulder surfing. Some Unix shells, like bash, log command history as well. This may be another exposure. Remediation: In command line mode, avoid using commands that contain passwords in the arguments. Audit: None \ \ 1 N 10.06 Oracle Installation Separate user account for Management/Intelligent Agent Rationale: The agent database accounts must be separated. This will isolate the Agent from the rest of the Oracle server in the event that is compromised. Remediation: For Unix systems, create a unique user account for the management/Intelligent Agent process in order to differentiate accountability and file access controls. Separate accounts are not recommended for Windows environments. Audit: None \ 2 N 109 | P a g e 11. Specific Systems Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 11.01 ADDM Verify ADDM suggestions Rationale: Automatic Database Diagnostic Monitor (ADDM), should not blindly replace the DBA's knowledge. Remediation: DBA's should verify the applicability of ADDM suggestions based on their knowledge of the database. Audit: None \ \ 1 N 11.02 AMM Monitor AMM Rationale: Automated Memory Manager (AMM), should not blindly replace the DBA's knowledge. Remediation: DBA's should monitor AMM to ensure memory is being properly allocated. Audit: None \ \ 1 N 110 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 11.03 AWR Implement AWR to record all database performance statistics (related to object usage, SQL statement efficiency, session history, etc) over a defined time period. Rationale: Automatic Workload repository (AWR) is central to the whole framework of self and automatic management. It works with internal Oracle database components to process, maintain, and access performance statistics for problem detection and self-tuning. The statistics are available to external users or performance monitoring tools, routines, or scripts. Trends analysis can be done with AWR data. Queries that overtax the system could be a security threat. Remediation: Implement AWR to record all database performance statistics (related to object usage, SQL statement efficiency, session history, etc) over a defined time period. Audit: None \ \ 1 N 11.04 Fine grained access Use fine grain access control within objects. Rationale: Fine grained access control can provide both column and row level security. This can provide an additional layer of access control to objects by limiting the access (select, update, insert, delete) within the object and should be used wherever possible. For fine grained access to function properly, use the cost-based optimizer. Remediation: Evaluate sensitive areas of the Oracle database and enable fine grain access control . Audit: None \ \ 2 N 111 | P a g e 12. General Policy and Procedures Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 12.00 Oracle Installation Do not install Oracle on an Internet facing server. Rationale: Oracle must only be installed on a backend system behind appropriate firewalling or other network protection systems. Remediation: Do not install Oracle on an Internet facing server migrate internet facing oracle servers to a backend or protected environment. Audit: None \ \ 1 N 12.01 Oracle alert log file Review contents Rationale: The Oracle alert log file must be regularly reviewed for errors. Periodically review logs for errors, large numbers or exotic errors can be an indicator of a system under attack. Remediation: Assign an administrator or DBA to review the log files. Audit: None \ \ 1 N 112 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 12.02 Database creation scripts on host Remove or secure Rationale: System creation scripts can provide an attacker with valuable information about the Oracle setup or instance and often contain errors. Remediation: Delete the scripts from the database host. After the database has been created, remove the scripts or at a minimum move them to a safe repository area. Audit: None \ \ 1 N 12.03 Unix root group members on host Disallow 'oracle' as member of root group Rationale: The Oracle software owner account must not be a member of the root group on Unix systems. Having the Oracle account part of the root group breaks privilege separation and best security practices. Remediation: Edit /etc/group remove the oracle_account from the root group Audit: grep oracle_account /etc/group \ 1 N 12.04 Oracle DBA group membership on host Review Rationale: Review the membership of the DBA group on the host to ensure that only authorized accounts are included. This must be limited to users who require DBA access. Remediation: Remove unnecessary users from the DBA group. Audit: cat /etc/group \ \ 1 N 113 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 12.05 Sensitive information in process list on host Avoid or encrypt Rationale: Revealing username and password information in the process list will give anyone able to perform a process listing a valid set of user credentials for the Oracle database. Remediation: An enforced policy must exist to ensure that no scripts are running that display sensitive information in the process list such as the Oracle username and password. A privileged process must be used to get and decrypt encrypted passwords. Audit: None \ \ 1 N 12.06 Sensitive information in cron jobs on host Avoid or encrypt Rationale: An enforced policy must exist to ensure that no cron jobs have sensitive information such as database username and passwords. A privileged process must be used to get and decrypt encrypted passwords. Remediation: Encrypt passwords used in cron on batch jobs. Audit: None \ 1 N 114 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 12.07 Sensitive information in at jobs (or jobs in Windows scheduler) on host Avoid or encrypt Rationale: An enforced policy must exist to ensure that no at jobs (or jobs in Windows scheduler) have sensitive information such as database username and passwords. A privileged process must be used to get and decrypt encrypted passwords. Remediation: Encrypt password used for scheduled jobs and scripts. Audit: None \ \ 1 N 12.08 Sensitive information in environment variables on host Avoid or encrypt Rationale: An enforced policy must exist to ensure that no users have unencrypted sensitive information such as database username and passwords set in environment variables. A privileged process must be used to get and decrypt encrypted passwords. Remediation: Do not store sensitive password in environment variables on the host. Audit: None \ \ 1 N 115 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 12.09 Sensitive information in batch files on host Avoid or encrypt Rationale: An enforced policy must exist to ensure that no batch files have sensitive information such as database usernames and passwords. A privileged process must be used to get and decrypt encrypted passwords. Remediation: Do not store sensitive passwords in batch scripts on the host. Audit: None \ \ 1 N 12.10 Oracle file locations Separate for performance Rationale: If the redo, data, and index files are not properly distributed a single disk failure will cause an Oracle outage and make recovery difficult. Remediation: Split the location of the Oracle software distribution, redo logs, data files, and indexes onto separate disks and controllers for resilience. Audit: None \ \ 1 S 12.11 File systems Separate Oracle files from non- Oracle files Rationale: Isolating the Oracle files onto a separate partition enables easier privilege and permissions management. Remediation: Only put database files on file systems exclusively used by Oracle. Oracle files must not be on the same partition as the operating system. Audit: None \ \ 1 S 116 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 12.12 Optimal Flexible Architecture Implement Rationale: Systems that are flexible and easy to understand reduce administration complexity and increase overall manageability and security. Remediation: Follow the Oracle Optimal Flexible Architecture guidelines to provide for consistency and ease of administration. Audit: None \ \ 1 N 12.13 Checksum PL/SQL code Implement Rationale: Maliciously altered stored procedures can compromise Oracle or system security and can go undetected if not properly audited. Store the checksum results upon creation and update of the stored procedure, periodically check for alterations. Remediation: sha1sum pl_file.psql Audit: sha1sum pl_file.psql \ \ 1 N 117 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 12.14 All database objects Monitor Rationale: Maliciously altered objects can compromise Oracle or system security and can go undetected if not properly audited. Remediation: Store the results of the time stamps of the creation, reload, and compilation of database objects and review the results regularly to ensure no unauthorized changes have occurred. Audit: None \ \ 1 N 12.15 Ad-hoc queries on production databases Avoid Rationale: Ad-hoc queries are a direct vector for creating denial of service conditions and possible exploitation of the Oracle database. Remediation: Disallow ad-hoc queries on production databases. This recommendation may not be suitable for all environments, for example, data warehouses. Test all queries and provide an application interface for exercising queries on production databases. Audit: None \ \ 1 N 118 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 12.16 Remote shell access on host Encrypt session Rationale: All remote access from users and administrators to the Oracle host must be encrypted. An attacker on the local network can sniff or intercept unencrypted sessions. Remediation: If remote shell access is required, use SSH or a VPN solution to ensure that session traffic is encrypted. In a cluster environment (RAC or OPS) RSH and RCP are required between the nodes for the Oracle software owner. In the case of a cluster environment, the access must be restricted by user and host. Audit: None \ \ 1 N 12.17 Applications with database access Review Rationale: Allowing unauthorized application access will result in information theft and possible remote compromise of the Oracle database. Remediation: Review and control which applications access the database. Audit: None \ \ 1 N 119 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 12.18 Location of development database Separate server from production database Rationale: Regulatory, compliance, and security best practices require production and test environments to be separate. Test environments generally have lax security and mirror production systems. These can provide a staging point or attack vector for a malicious user if hosted in a single environment. Remediation: Test and development databases must not be located on the same server as the production system. Audit: None \ \ 1 N 12.19 Network location of production and development databases Separate Rationale: Regulatory, compliance, and security best practices require production and test environments to be separate. Test environments generally have lax security and mirror production systems. These can provide a staging point or attack vector for a malicious user if hosted in a single network. Remediation: If possible, place production databases on a different network segment from test and development databases. Audit: None \ \ 1 N 120 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 12.20 Monitor for development on production databases Prevent development on production databases Rationale: Development of applications on production databases violates security best practices and leaves debugging and other information useful to an attacker on the production host. Remediation: Check for evidence of development occurring on production databases. Audit: None \ \ 1 N 12.21 Access to production databases Avoid access from development or test databases Rationale: Allowing a user to alter a production database from a development or test environment creates a vector for an attacker. Production and test database should remain separate then synced when necessary. Remediation: Database access from development and test databases to production databases must be prohibited. Audit: None \ \ 1 N 12.22 Developer access to production databases Disallow Rationale: Developers must not have direct access to production databases. Allowing developers direct access to production databases violates regulator, compliance, and security best practices. Remediation: Remove login or authentication means for direct developer access. Audit: None \ \ 1 N 121 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 12.23 Developer accounts on production databases Remove developer accounts Rationale: Remove any developer accounts that exist in the production database. Remediation: userdel <account> Audit: cat /etc/passwd \ \ 1 N 12.24 Databases created from production exports Change passwords Rationale: If test or development databases are created from backups or exports of the production system, all passwords must be changed before granting access to developers or testers. Remediation: Maintain separate user accounts for test and production databases and hosts. Audit: None \ \ 1 N 12.25 Databases created from production systems Remove sensitive data Rationale: If test or development databases are created from backups or exports of the production system, all sensitive data (such as payroll information) must be removed before granting access to developers or testers. Remediation: Remove all sensitive data from production hosts before granting access to tester and developers. Clear tables that contain PII, password hashes, or other sensitive data. Audit: None \ \ 1 N 122 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 12.26 Account Management Document and enforce account management procedures Rationale: Create and regularly review procedures for account management. This must include the creation of new user accounts, moving a user to a new group or role, and handling of dormant or inactive accounts. Remediation: Document the system of controls and checks that surround management procedures. Audit: None \ \ 1 N 12.27 Change Control Document and enforce change control procedures Rationale: Create and regularly review procedures for new applications that access the database and change control management procedures for releasing development code into production. Monitor the addition of new users and access rights. Utilization of ticketing system or other Change management system will help facilitate this process. Remediation: Adoption of a change management system. Audit: None \ \ 1 N 12.28 Disaster recovery procedures Review Rationale: Disaster recovery procedures must be fully documented and regularly tested. Remediation: Review the disaster recovery procedures. Audit: None \ \ 1 N 123 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 12.29 Backdoors Eliminate Rationale: Tight change control management procedures and checksums of the source code can help prevent backdoors into the database. Remediation: Review or audit source code both in development and deployed to production systems. Audit: None \ \ 1 N 12.30 Public dissemination of database information Disallow Rationale: Exposing internal configuration information gives an attacker a list of targets and vectors into the Oracle environment. Remediation: The posting of database information such as SIDs, hostnames, and IP addresses to newsgroups and mailing lists must not be allowed. Audit: None \ \ 1 N 12.31 Screen saver Set screen saver/lock with password protection of 15 minutes. Rationale: Desktop screens left unlocked create a vector for attacker to take control of the access granted to the user. Remediation: If an organizational policy does not exist, 15 minutes must be set as the standard. Audit: None \ \ 1 N 124 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 12.32 Distribution of tnsnames.ora files to clients Include only necessary tnsnames.ora when distributing to clients Rationale: If clients connect to the database using tnsnames.ora files, ensure that only necessary entries are included in the file when distributing to clients. Providing additional information about database configuration provides a list of hosts and instances to target and violates security best practices. Remediation: Remove entries from tnsnames.ora Audit: None \ \ 1 N 12.33 Event and System Logs Monitor Rationale: Excessive or exotic errors may be an indicator of a system or database under attack. Proper log auditing and review is a must to maintain system integrity. Remediation: Windows Event Logs and Unix System logs must be regularly monitored for errors related to the Oracle database. Audit: None \ \ 1 N 12.34 Access to database objects by a fixed user link Disallow Rationale: Fixed user database links that have a hard coded username and password must be avoided. Anyone with permissions or rights to view the hard coded username or password exposes that account to unnecessary risk. Remediation: Remove username and password Audit: None \ \ 1 N 125 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 12.35 Oracle Installation Oracle software owner account name NOT 'oracle' Rationale: Do not name the Oracle software owner account 'oracle' as it is very well known and used in many automated attacks and brute forcing tools. Remediation: Upon oracle installation create a separate user account with the username other than Oracle. Audit: None \ \ 2 S 12.36 Oracle Installation Separate users for different components of Oracle Rationale: Properly privilege separate user accounts associated with each Oracle service. In the event that an Oracle service is compromised privilege separating each service will help reduce the damage an attacker can perform. Remediation: For Unix systems, create unique user accounts for each Oracle process/service in order to differentiate accountability and file access controls. The listener, the Oracle http server, and the database process accounts must be separate. Separate accounts are not recommended for Windows environments. The requirement for the Management/Intelligent Agent process is listed in section 10 of this document. Audit: None \ 2 N 126 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 12.37 Alerts on high priority incidents Create processes to alert Rationale: Monitoring high priority incidents will help in the event of a security incident. Remediation: Create processes to monitor and alert on high priority incidents. Audit: None \ \ 2 N 12.38 Intelligent agent Do not use Rationale: Intelligent agents provide a direct management interface to the Oracle database. Remediation: If the database server is accessible via the Internet, do not use the Intelligent Agent. This may not be practical for OEM or SNMP monitored databases. Audit: None \ \ 2 N 12.39 Network Implement if appropriate Rationale: Traffic sent unencrypted across a network can be monitored and intercepted Remediation: If appropriate to the environment, implement Oracle Advanced Security to encrypt all traffic between the client and server, OAS solutions include IPSec and mutually authenticated SSL. Audit: None \ \ 2 N 127 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 12.40 Application PL/SQL code Encrypt Rationale: The wrap program provided by Oracle encodes the PL/SQL source code but does not encrypt it. Remediation: Encrypt the PL/SQL code, do not rely on the wrap functionality to protect highly sensitive information. Audit: None \ \ 2 N 12.41 Hard coded data in PL/SQL and application source code Avoid or encrypt Rationale: Do not use unencrypted hard coded usernames, passwords, or other critical data in the PL/SQL code. PL/SQL code is often viewable by many users of the Oracle system and stored in code repositories. Remediation: Avoid hardcoded data in code. Use a secure data storage mechanism. Strip all sensitive information from PL/SQL code before storage into a repository. Audit: None \ \ 2 N 12.42 Decommissioned applications Remove all components Rationale: Failure to remove all privileges once an application has been removed from an Oracle database widens the attack surface and can provide unmonitored access for an attacker. Remediation: Ensure that all associated binaries, users, batch process, and access rights are removed when applications are decommissioned. Audit: None \ \ 2 N 128 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 12.43 DDL statements in application Disallow Rationale: Applications must not alter the database schema. Remediation: Only allow updates of the database schema though a DBA or approved change management system. Audit: None \ \ 2 N 12.44 Host and Application Monitoring Software. Review Rationale: Any remote access to the database host must be controlled by an application level firewall. Remediation: Block unnecessary ports used for monitoring and remote interfaces to the Database. This includes operations management consolidation suites. Audit: None \ \ 2 N 12.45 Enabling of batch process account Time enabled Rationale: Allowing the batch account to remain active widens the system attack surface and may lead to unauthorized access of the Oracle database. Remediation: The account that is used to run batch processes must be enabled only during the time that the batch processes run. Audit: None \ \ 2 N 129 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 12.46 Passwords for batch processes Secure Rationale: Passwords for batch processes must not be a command line parameter or an environment variable. Remediation: Remove passwords from batch files and scripts; ensure that passwords are not set as environment variables. Audit: None \ \ 2 N 12.47 External account access for batch processes Disallow Rationale: External accounts used for batch processes allow a simple way to access the database. Remediation: Forbid the usage of batch process to access the Oracle database. Audit: None \ \ 2 N 12.48 User permissions Review Rationale: Review and test development databases for users with excess permissions not granted in production. Remediation: Restrict test development databases. Audit: None \ \ 2 N 130 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 12.49 Procedures for backup tape retrieval Review Rationale: Loss of a tape can compromise other measures taken to protect database information. Remediation: Ensure the procedures for backup tape retrieval are documented and are adequate to prevent social engineering attacks to steal data. Audit: None \ \ 2 N 12.50 Intrusion detection system on host Utilize Rationale: A host based intrusion detection system provides another layer of defense for the Oracle server. Remediation: Use a host based Intrusion Detection System on the server hosting the Oracle database. Audit: None \ \ 2 N 12.51 Remote Administration of Listener Use encryption if remote administration is required. Rationale: If remote administration of a listener via the listener utility is required, e.g., no administration through SSH or MS Terminal Server, configure the listener to have a TCPS (SSL) port. If the listener is configured to use multiple protocols, set the SSL protocol as the first protocol in listener.ora. Remediation: SECURE_CONTROL_listener_name=(TCPS,IPC) Audit: None \ \ 2 N 131 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 12.52 Multiple listeners Create separate listeners for clients and administration. Protect the administrative listener with IPSec ESP or OAS SSL and a host-based firewall. Rationale: An administrative listener, protected by IPSec, could allow administrators access to the server if the client listener(s) fail.. Preference of implementation is IPSec ESP, otherwise SSL and host-based firewall. If SSL is not possible, use OAS native encryption/integrity with a host firewall.. Access must be limited to specific administrative workstations. Remediation: Create separate listeners for clients and administration. Protect the administrative listener with IPSec ESP, SSL or OAS . and a host firewall. Audit: None \ \ 2 N 12.53 Policy Caching Policy caches must be purged. Rationale: Policy caches can potentially store information that could be used to compromise the database and may accessible outside of Oracle and beyond the control of the security parameters. Hence this can defeat row level security. Remediation: Purge policy caches. Audit: None \ \ 2 N 132 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 12.54 Policy Functions Users should not have execute, alter or drop privileges on policy functions. Rationale: The ability to manipulate policy functions could be used to defeat row level security. Remediation: Users should not have EXECUTE, ALTER or DROP privileges on policy functions. Audit: None \ \ 2 N 12.55 Passwords Remove password parameters from configuration files utilized for Silent Installations. Rationale: Whenever utilizing silent installs, i.e., Oracle Installer, ensure configuration files do not contain password values after the installation completes. Remediation: Remove all passwords post installation. Audit: None \ \ 2 N 12.56 DataGuard Auth Authenticate Data Guard with SSL Certificates Rationale: Strong authentication using certificates provides both security and identification of endpoints for the DataGuard service. Remediation: Connections between Data Guard servers should be authenticated using SSL certificates Audit: None \ \ 2 N 133 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 12.57 Data Guard Mode Select Maximum Protection Rationale: Loss of data can result in the loss of system integrity or audit trails. Setting Data Guard to maximum mode ensures no information is lost in the event of a failure. Remediation: If possible configure Data Guard for Maximum Protection to ensure that zero data loss occurs if a primary database fails. Audit: None \ \ 2 N 12.58 Data Guard Redo Authenticate Redo Transport Services using SSL Certificates Rationale: Connections sent across the network unencrypted can be monitored and intercepted exposing sensitive information. Remediation: Connections for Redo services should be authenticated using SSL certificates. Audit: None \ \ 2 N 12.59 Incident Packages Ensure Incident Packages are destroyed or properly protected after upload to Oracle. Rationale: Sensitive information may be contained in incident packages. Not sanitizing packages may result in leaking of sensitive information to Oracle. Remediation: Ensure the minimal amount of sensitive information is sent to Oracle and destroy Incident Packages after submission. Audit: None \ \ 2 N 134 | P a g e 13. Auditing Policy and Procedures Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 13.01 Auditing Unused schemas should be dropped Rationale: Leaving additional schemas in the database can provide an attacker with additional details about the currently used Oracle system or contain sensitive information. Remediation: Unused schemas should be first audited to ensure that they are in fact unused. After verification, they should be dropped. Audit: None \ \ 2 N 13.02 Auditing Trap autonomous transactions Rationale: This will ensure that audit captures actions performed by users even if they are later rolled back. Remediation: None Audit: None \ \ 2 N 135 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 13.03 Auditing Audit all logons and logoffs. Rationale: Auditing logon and logoff events may provide additional information for isolating the cause of security incidents. Remediation: AUDIT CREATE SESSION Audit: SELECT USER_NAME, SUCCESS, FAILURE FROM DBA_PRIV_AUDIT_OPTS WHERE PRIVILEGE='CREATE SESSION' Note: This is audited by default when default security settings are enabled. \ \ 2 S 13.04 Auditing Audit for unsuccessful attempts. Audit by ACCESS WHENEVER NOT SUCCESSFUL. Rationale: Auditing by SESSION will only show a single audit event for an attempt. By logging unsuccessful attempts any SQL statement attempting to access the table will be recorded. This could provide a record of unauthorized attempts to access sensitive data. Remediation: Ex. AUDIT SELECT ON TABLE WHENEVER NOT SUCCESSFUL Audit: SELECT * FROM DBA_OBJ_AUDIT_OPTS WHERE OBJECT_NAME='<OBJECT_NAME>'; \ \ 2 S 136 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 13.05 Auditing Where appropriate or required by security or legal requirements, engage and use the Fine-Grained Auditing (FGA) feature. Rationale: The flexibility, column specific sensitivity, SQL capturing, and event handler capabilities of FGA provide auditors and security personnel with valuable information. Note: The FGA record entry can be pre-qualified. Therefore, it should not add a significant burden to the size of audit records. Remediation: DBMS_FGA.ADD_POLICY( <Policy config> ); Audit: SELECT policy_name FROM DBA_AUDIT_POLICIES; \ \ 2 S 13.06 Auditing Where appropriate or required by security or legal requirements, use enhanced capabilities of Fine-Grained Auditing. Rationale: FGA has the ability to execute event driven procedures that may allow security and operations teams to receive real time indications of threats. For instance, a procedure could perform an action such as sending an e-mail alert to an auditor when a user selects a certain row from a table, or it could write to a different audit trail. Remediation: DBMS_FGA.ADD_POLICY( <Policy config> ); Audit: SELECT policy_name FROM DBA_AUDIT_POLICIES \ \ 2 S 137 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 13.07 Auditing Audit ALTER ANY TABLE Rationale: Unauthorized table alters can results in application failures or be the precursor to an attack. Remediation: Audit ALTER ANY table; Audit: SELECT * FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='ALTER ANY TABLE'; \ \ 2 S 13.08 Auditing Audit ALTER USER Rationale: Unauthorized user alters can results in application failures, hijacked credentials, or be the precursor to an attack. Remediation: AUDIT ALTER USER; Audit: SELECT * FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='ALTER USER'; \ \ 2 S 13.09 Auditing Audit any CREATE statement Rationale: Auditing the creation of objects, such as tables or databases, will provide a record of events that may be useful when investigating security events. Remediation: AUDIT CREATE ANY <object>; Audit: SELECT * FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION LIKE(`CREATE%'); \ \ 2 S 138 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 13.10 Auditing Audit CREATE ROLE Rationale: Auditing the creation of roles will provide a record to ensure the appropriate use of account administration privileges. This information is also useful when investigating certain security events. Remediation: AUDIT CREATE ROLE; Audit: SELECT * FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='CREATE ROLE'; \ \ 2 S 13.11 Auditing Audit CREATE USER Rationale: Auditing the creation of users will provide a record to ensure the appropriate use of account administration privileges. This information is also useful when investigating certain security events. Remediation: AUDIT CREATE USER; Audit: SELECT * FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='CREATE USER'; \ \ 2 S 13.12 Auditing Audit CREATE SESSION Rationale: Audit the use of CREATE SESSION for successful or unsuccessful operations. This information is also useful for debugging application and user session failures. Remediation: AUDIT CREATE SESSION; Audit: SELECT * FROM DBA_STMT_AUDIT_OPTS WHERE UDIT_OPTION='CREATE SESSION; \ \ 2 S 139 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 13.13 Auditing Audit any DROP statement Rationale: Auditing the removal of database objects, such as tables or databases, will provide a record of events that may be useful when investigating security events. Remediation: AUDIT DROP {PRIV}; Audit: SELECT * FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION LIKE(`DROP%'); \ \ 2 S 13.14 Auditing Audit DROP ANY PROCEDURE Rationale: Audit the use of DROP ANY PROCEDURE. Auditing the removal of database procedures, will provide a record of actions that may be useful when investigating security events. Remediation: AUDIT DROP ANY PROCEDURE; Audit: SELECT * FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION=`DROP PROCEDURE'; \ \ 2 S 13.15 Auditing Audit DROP ANY TABLE Rationale: Audit the use of DROP ANY TABLE. Auditing the removal of database tables, will provide a record of actions that may be useful when investigating security events. Remediation: AUDIT DROP ANY TABLE; Audit: SELECT * FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION=`DROP ANY TABLE'; \ \ 2 S 140 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 13.16 Auditing Audit GRANT ANY PRIVILEGE Rationale: Auditing the grants will provide a record to ensure the appropriate use of account administration privileges. This information is also useful when investigating certain security events. Remediation: audit GRANT ANY PRIVILEGE; Audit: SELECT * FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION=`GRANT ANY PRIVILEGE'; \ \ 2 S 13.17 Auditing Audit GRANT ANY ROLE Rationale: Auditing the grants will provide a record to ensure the appropriate use of account administration privileges. This information is also useful when investigating certain security events. Remediation: AUDIT GRANT ANY ROLE; Audit: SELECT * FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION=`GRANT ANY ROLE'; \ \ 2 S 13.18 Auditing Audit INSERT failures Rationale: Auditing failed inserts may provide be useful when investigating certain security events, such as SQL injections attempts. Remediation: AUDIT INSERT ON objectname WHENEVER NOT SUCCESSFUL; Audit: SELECT OBJECT_NAME, INS, FROM DBA_OBJ_AUDIT_OPTS; \ \ 2 S 141 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 13.19 Auditing Audit EXECUTE PROCEDURE Rationale: Audit EXECUTE PROCEDURE failures attempted into critical data objects. Auditing the EXECUTE PROCEDURE will provide a record of the procedures that were executed and by whom. This information is also useful when investigating a security event Remediation: AUDIT EXECUTE PROCEDURE; Audit: SELECT * FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION=`EXECUTE PROCEDURE'; \ \ 2 S 13.20 Auditing Audit SELECT ANY DICTIONARY Rationale: Audit the use of the SELECT ANY DICTIONARY. Auditing SELECT ANY DICTIONARY will provide a record of access to DICTIONARY views. This information is also useful when investigating a security event. Remediation: AUDIT SELECT ANY DICTIONARY; Audit: SELECT * FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='SELECT ANY DICTIONARY'; \ \ 2 S 142 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 13.21 Auditing Audit GRANT ANY OBJECT Rationale: Audit the use of the GRANT ANY OBJECT. Auditing the grants will provide a record of the scope of the user object rights to ensure the appropriate use of account administration privileges. This information is also useful when investigating certain security events. Remediation: AUDIT GRANT ANY OBJECT; Audit: SELECT * FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='GRANT ANY OBJECT'; \ \ 2 S 13.22 Auditing Audit CREATE {ANY} LIBRARY Rationale: Audit the use of the CREATE LIBRARY PRIVILAGE Remediation: AUDIT CREATE LIBRARY; Audit: SELECT * FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION='CREATE LIBRARY'; \ \ 2 S 13.23 Auditing Logon, logoff, database start or stop, and other information. Rationale: Specific database application components may contain sensitive information and require more scrutiny or certain events to alarm when triggered. Evaluate applications on a case by case basis and create where appropriate. Remediation: Create triggers against all tables and system events that are meaningful to the database and application. Audit: None \ \ 2 N 143 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 13.24 Auditing Use triggers to implement row level auditing Rationale: If specific rows of data need to be audited create triggers to alarm on auditable events. This will reduce the overall system resources for auditing specific tables and help reduce false alarms. Remediation: Use triggers to enforce row level auditing for important data. Audit: None \ \ 2 N 13.25 Auditing Review procedures and reports to review audit logs Rationale: Regular, timely reviews of the collected audit information must be done to ensure system security and integrity. Remediation: Assign administrative or DBA time to review report generation logic. Audit: None \ \ 2 N 13.26 Auditing Set AUDIT ALL ON SYS.AUD$ BY ACCESS Rationale: By setting AUDIT ALL ON SYS.AUD$ BY ACCESS, attempts to alter the audit trail will be audited. Only applicable if the audit trail parameter is set to DB or TRUE. Remediation: AUDIT ALL ON SYS.AUD$ BY ACCESS; Audit: SELECT * FROM DBA_OBJ_AUDIT_OPTS WHERE OBJECT_NAME='AUD$'; \ \ 2 S 144 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 13.27 Auditing Regularly purge the audit trail Rationale: Archive and delete the audit trail as necessary or in line with local data administration policies. The audit trail can consume substantial system resources leading to a denial of services. Remediation: Review the purging procedures to ensure that the audit trail is purged regularly. Audit: None \ \ 2 N 13.28 Auditing Audit Exposed Web Services Rationale: Legacy procedures that are designed for internal usage only are often exposed as web services. Both the legacy status and expansion of the attack surface can lead to their exploitation. Remediation: Audit any XML DB or PL/SQL procedures that have been exposed as web services. Audit: None \ \ 2 N 145 | P a g e Appendix A: Additional Settings (not scored) Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 14.01 Oracle Label Security Where possible use Oracle Label Security. Rationale: OLS is a strong additional layer of security that can be used to create a Virtual Private database (VPD). OLS allows data of varying sensitivities to be stored in a single database and access to the data to be restricted using security clearances as defined by role level. Remediation: Where possible enable and apply Oracle label security. This can be cost prohibitive depending on licensing with Oracle. Audit: None \ \ 2 N 146 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 14.02 Oracle Label Security Hide label column. Rationale: If the status of the hidden label column needs to be changed, the values of the label column may be copied to an added column, then the hidden column can be removed, the column copies, and then removes the policy dropping the row label column. Reinstate the policy and then copy the values from the added column to the row label column and then remove the added column. Remediation: Where possible, when using OLS, hide the label column. This can be done by passing the HIDE directive to the DEFAULT_OPTIONS parameter of the SA_SYSDBA.CREATE_POLICY (globally) or to the TABLE_OPTIONS parameter of the APPLY_TABLE_POLICY procedure (for a specific table). Note: After applying a OLS policy to a table, the hidden status of the labels cannot be revoked without the loss of the labels. Audit: None \ \ 2 N 147 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 14.03 Oracle Label Security Include LABEL_UPDATE Rationale: This ensures the user cannot reclassify the data in the record by changing the label. Remediation: Include the LABEL_UPDATE as a value for TABLE_OPTIONS parameter when the OLS policy is applied to a table. Audit: None \ \ 2 N 14.04 Oracle Label Security Limit manipulation. Rationale: By the creation of a procedure, direct manipulation by database users of the labels is prevented and an additional level of security is provided. This can provide a separation of responsibility between the DBA and the security administrators. Remediation: Where possible, use a trusted procedure to limit and control the manipulation of the labels. Audit: None \ \ 2 N 148 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 14.05 Oracle Label Security Backup data. Rationale: OLS introduces an additional hidden column into a table. For some tables the addition of a column or a hidden column may render the table unusable. For applications that expect to see all the data, OLS may be interpreted as corrupt data. Remediation: Have a secure and separate data copy before implementing OLS. Audit: None \ \ 2 N 14.06 Oracle Label Security Where applicable and possible, store labels in the Oracle Internet Directory (OID). Rationale: In the context of the Enterprise User Security option, this provides a centralized management method for user passwords, enterprise roles, and OLS authorization. Under the control of the OID, policies cannot be manipulated within the databases. Remediation: Where applicable and possible, store labels in the Oracle Internet Directory (OID). Audit: None \ \ 2 N 14.07 RAID file systems Implement Rationale: File systems holding the Oracle data should be on RAID volumes for resilience. Remediation: Create RAID partitions for the Oracle database and files. Audit: None \ \ 2 N 149 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 14.08 Magnetically wipe failed disks Implement Rationale: Sensitive data or information can be recovered from magnetic or data media if not properly erased. Remediation: Magnetically wipe old, no longer used, or failed disks. This issue is most likely handled by system administrators. Audit: None \ \ 2 N 14.09 Backups on system disks Verify permissions Rationale: In many environments, database backups are written to system disks. In this type of environment, ensure that the backup files are protected. Files should be owned by oracle software owner set with owner read/write permissions only. Remediation: Set proper permissions on oracle data files stored on backup tapes. Audit: None \ \ 2 N 14.10 Off site backup storage Implement Rationale: It is a best practice to have redundant offsite backups in the event of a physical catastrophe. Remediation: Implement off site backup storage procedures. Audit: None \ \ 2 N 150 | P a g e Item # Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 14.11 Recovery procedures Document and Test Rationale: Failure to properly implement and test recovery procedures can result in loss of data and compromise system integrity. Remediation: Ensure that database recovery procedures are fully documented and regularly tested. Audit: None \ \ 2 N 14.12 Screening router Implement to restrict access to database host Rationale: Unrestricted access to the database widens the attack surface. Network access should be limited to application and administrative hosts. Remediation: Implement a screening router to restrict access to the database host. Audit: None \ \ 2 N 14.13 Host-based firewall Implement on database administration machines Rationale: Use a host based firewall on all computers used to remotely administer databases. Remediation: None Audit: None \ \ 2 N 151 | P a g e Appendix B: Enterprise Manager Grid Control for Patch and Policy Management The Oracle 11g Enterprise Manager Grid Control application has two functions directly related to securing Oracle and its host. If the Oracle Enterprise Manager Grid Control application is deployed, follow these recommendations. For more detailed information of this functionality please refer to the Oracle documentation, Oracle® Database 2 Day DBA 11g Release 1 (11.1) Part Number B28301-02 Patching Setup The Oracle 11g Enterprise Manager Grid Control application can be set up to automatically access Oracle MetaLink to search for and download any new patches available for your Oracle installs. The administrator can then schedule and apply the patch(es) to any host in the enterprise. Policy Violations The Oracle 11g Enterprise Manager Grid Control application can show policy violations for any database or host in the enterprise. The violations can be fixed or ignored so they will not show up in future reports. Appendix C: Acknowledgments The contributions to the consensus process made by the following people were instrumental in the creation of this guide: x Sheila Christman x Dana Hemlock x Sheilah Scheurich x Tran Thanh Chien x Johan Verbrugghen x Alf-Ivar Holm x David W Blaine x Adam Cecchetti x Brian P. McDonald x Chad Hughes x Rick Wessman x Dave Shackleford x Alf-Ivar Holm x Blake Frantz x Don Granaman x Nancy Whitney x John Banghart x Gary Gapinski x Clint Kreitner x Richard A. Haas x Brian Denny x Carol Bales x Rick Wessman x Melissa McAvoy x Alan Klink x Ray Stell x James Hayes x Bert Miuccio x Chuck Earle x Jeremy Terk x Cesar Quebral x George Colt x Phil Curran x Michael Anderson x Tom L. Finn x Mark Rakozy x David Waltermire 152 | P a g e Appendix D: Change History Date Version Changes for this version 8/12/2008 1.0.0 - Initial Public Release 1/23/2009 1.0.1 - Resolved number sequencing issue (5.5, 5.6 were absent) - Updated 4.15 (NOLOGGING) to articulate this clause has continuity concerns, not repudiation or audit concerns. - Added Background Section - Updated Acknowledgements Section - Update Section heading styles Terms of Use Agreement Background. CIS provides benchmarks, scoring tools, software, data, information, suggestions, ideas, and other Products Internet users worldwide. Recommendatio Recommendations result from a consensus-‐building process that involves many security experts and are generally generic in nature. The Recommendations are intended to provide helpful information to organizations attempting to evaluate or improve the security of their networks, systems and devices. Proper use of the Recommendations requires careful analysis and adaptation to specific any No representations, warranties and covenants. CIS makes no representations, warranties or covenants whatsoever as to (i) the positive or negative effect of the Products or the Recommendations on the operation or the security of any particular network, computer system, network device, software, hardware, or any component of any of the foregoing or (ii) the accuracy, reliability, timeliness or completeness of any Product or Recommendation. CIS is providing the Products and User agreements. we acknowledge that: No network, system, device, hardware, software or component can be made fully secure; We are using the Products and the Recommendations solely at our own risk; We are not compensating CIS to assume any liabilities associated with our use of the Products or the Recommenda We have the sole responsibility to evaluate the risks and benefits of the Products and Recommendations to us and to adapt the Products and the Recommendations to our particular circumstances and requirements; Neither CIS, nor any CIS Party (defined below) has any responsibility to make any corrections, updates, upgrades or bug fixes or to notify us if it chooses at it sole option to do so; and Neither CIS nor any CIS Party has or will have any liability to us whatsoever (whether based in contract, tort, strict liability or otherwise) for any direct, indirect, incidental, consequential, or special damages (including without limitation loss of profits, loss of sales, loss of or damage to reputation, loss of customers, loss of software, data, information or emails, loss of privacy, loss of use of any computer or other equipment, business interruption, wasted management or other staff resources or claims of any kind against us from third parties) arising out of or in any way connected with our use of or our inability to use any of the Products or Recommendations (even if CIS has been advised of the possibility of such damages), including without limitation any liability associated with infringement of intellectual property, defects, bugs, errors, omissions, viruses, worms, backdoors, Trojan horses or other harmful items. Grant of limited rights. CIS hereby grants each user the following rights, but only so long as the user complies with all of the terms of these Agreed Terms of Use: Except to the extent that we may have received additional authorization pursuant to a written agreement with CIS, each user may download, install and use each of the Products on a single computer; Each user may print one or more copies of any Product or any component of a Product that is in a .txt, .pdf, .doc, .mcw, or .rtf format, provided that all such copies are printed in full and are kept intact, including without limitation the text of this Agreed Terms of Use in its entirety. Retention of intellectual property rights; limitations on distribution. The Products are protected by copyright and other intellectual property laws and by international treaties. We acknowledge and agree that we are not acquiring title to any intellectual property rights in the Products and that full title and all ownership rights to the Products will remain the exclusive property of CIS or CIS Parties. CIS reserves all rights not expressly granted to users in the precedi this paragraph), and except as we may have otherwise agreed in a written agreement with CIS, we agree that we will not (i) decompile, disassemble, reverse engineer, or otherwise attempt to derive the source code for any software Product that is not already in the form of source code; (ii) distribute, redistribute, encumber, sell, rent, lease, lend, sublicense, or otherwise transfer or exploit rights to any Product or any component of a Product; (iii) post any Product or any component of a Product on any website, bulletin board, ftp server, newsgroup, or other similar mechanism or device, without regard to whether such mechanism or device is internal or external, (iv) remove or alter trademark, logo, copyright or other proprietary notices, legends, symbols or labels in any Product or any component of a Product; (v) remove these Agreed Terms of Use from, or alter these Agreed Terms of Use as they appear in, any Product or any component of a Product; (vi) use any Product or any component of a Product with any derivative works based directly on a Product or any component of a Product; (vii) use any Product or any component of a Product with other products or applications that are directly and specifically dependent on such Product or any component for any part of their functionality, or (viii) represent or claim a particular level of compliance with a CIS Benchmark, scoring tool or other Product. We will not facilitate or otherwise aid other individuals or entities in any of the activities listed in this paragraph. We hereby agree to indemnify, defend and hold CIS and all of its officers, directors, members, contributors, employees, authors, developers, agents, affiliates, licensors, information and service providers, software suppliers, hardware suppliers, and all other persons who aided CIS in the creation, development or maint CIS Parties harmless from and against any and all liability, losses, costs and expenses (including attorneys' fees and court costs) incurred by CIS or any CIS Party in connection with any claim arising out of any to assume the exclusive defense and control of any matter subject to this indemnification, and in such case, we agree to cooperate with CIS in its defense of such claim. We further agree that all CIS Parties are third-‐party beneficiaries of our undertakings in these Agreed Terms of Use. Special rules. CIS has created and will from time to time create special rules for its members and for other If any of these Agreed Terms of Use shall be determined to be unlawful. venue. or for any reason unenforceable. persons and organizations with which CIS has a written contractual relationship. CIS hereby grants each CIS Security Consulting or Software Vendor Member and each CIS Organizational User Member. void. then such terms shall be deemed severable and shall not affect the validity and enforceability of any remaining provisions. that any action at law or in equity arising out of or relating to these Agreed Terms of Use shall be filed only in the courts located in the State of Maryland. that we hereby consent and submit to the personal jurisdiction of such courts for the purposes of litigating any such action. but only so long as such Member remains in good standing with CIS and complies with all of the terms of these Agreed Terms of Use. We acknowledge and agree that these Agreed Terms of Use will be governed by and construed in accordance with the laws of the State of Maryland. jurisdiction. . understand them and agree to be bound by them in all respects. Each such Member acknowledges and agrees that the foregoing grant modified or terminated by CIS at any time. We acknowledge and agree that we have read these Agreed Terms of Use in their entirety. the right to distribute the Products and Recommendation manual or electronic means. Choice of law. Those special rules will override and supersede these Agreed Terms of Use with respect to the users who are covered by the special rules. ...................... 31 .......................................................................................... 1 CONFIGURATION LEVELS ............................................................. 1 Scorable ............................................................................................................................................................................................................................. 3................. 8......................................................... Backup and Disaster Recovery .................................................................................................... 65 7................................ 1 Level-I Benchmark settings/actions ......................... 106 .......................... 111 13................................................................................................................................................................................................................................................................... 152 ................................................ 10 ..... 151 Appendix D: Change History . Installation and Patch .................................................................................. ......................................................... 3 2........................ Encryption Specific Settings......................... 145 Appendix B: Enterprise Manager Grid Control for Patch and Policy Management ................................ 5................................................................................................................................... 2 1........................... Oracle Profile (User) Access Settings ............. 18 4...................................... 109 12................................ 1 Introduction.................................... Startup and Shutdown ............................................................ Oracle Parameter Settings .... Oracle Directory and File Permissions ......................................... 1 Not Scorable ....................................................................................................................................................................................................................................................... 1 CONSENSUS GUIDANCE ...................................................................... 70 9.............. General Policy and Procedures ........................................................ 80 10................................................ 1 SCORING LEVELS ............................................................................ a Background ......................................................................................................................... 134 Appendix A: Additional Settings (not scored)................................................................................................................................................................................ 1 Level-II Benchmark settings/actions .................................................. Enterprise Manager / Grid Control / Agents ............................................................................. Specific Systems .................................................................... Table of Contents Terms of Use Agreement ............................. 11............................................................ Auditing Policy and Procedures .......... 53 6..................................................................................................................................................... Oracle Profile (User) Setup Settings .. 66 ........................................................................................................................................................................................ 151 Appendix C: Acknowledgments ............................................................................................ Operating System Specific Settings .................. software development. by Scoring Tools that are available from the Center or by CIS-‐certified Scoring Tools. government. and the configuration verified. Scorable This setting or recommendation is able to be assessed by scoring tools or command line arguments. 1 | P a g e . Not Scorable This setting or recommendation requires complex checking that is not feasible with basic audit methods. Consensus participants provide perspective from a diverse set of backgrounds including consulting. Background Consensus Guidance This guide was created using a consensus process comprised of volunteer and contract subject matter experts. and legal. These are of greatest value to system administrators who have sufficient security knowledge to apply them with consideration to the operating systems and applications running in their particular environments. Level-II Benchmark settings/actions Level-‐II security configurations vary depending on network architecture and server function. The actions can be automatically monitored. Configuration Levels Level-I Benchmark settings/actions System administrators with any level of security knowledge and experience can understand and perform the specified actions. operations. auditing and compliance. security research. The action is unlikely to cause an interruption of service to the operating system or the applications that run on it. Scoring Levels This section defines the various scoring levels used within this document. 0. Introduction Technology Network (otn. If any differences are found. the scope of this document is not limited to only Oracle specific procedures that are applicable to general software and hardware security. an Oracle database may be secured from annot and should not be limited to only the application. 2 | P a g e . Linux settings should translate to other varieties of Linux. please contact the CIS team.6. various published books and the Oracle 11g Database Security Guidelines.oracle. Applicable items were verified and tested against an Oracle 11g default install on a Redhat Enterprise Sever 5. Where the default setting is less secure than the recommended setting a caution has been provided in the comment section below the separator bar or as a note below a chapter heading. It is extremely important to conduct testing of security configurations on non-production systems prior to implementing them on production systems. but were only tested against RHEL5. scoring data has been included: S To be scored.0. setup. N Not to be scored. and operation of an Oracle 11g database environment. The Oracle version used was 11.com). With the use of the settings and procedures in this document. Default installs for both the operating system and the database may differ dependent on versions and options installed so this is to be used as a general guide only. configuration. Under the Level heading. This document provides the necessary settings and procedures for the secure installation.1. Rationale: Adding an additional administrative account to the system increases the attack surface of the Windows server. Operating System Specific Settings Rationale/Remediation Item Configuration Item # 1.02 Windows Oracle Local Account Use Restricted Service Account (RSA) Rationale: This action will reduce the attack surface of the Domain Controller and the Oracle server. Use the account created to install the product. Remediation: Run the Oracle services using a local administrator account created specifically for Oracle. Deny log on locally to this account. 1. Remediation: Create a standalone server for the Oracle install. Audit: Execute the following WMI Query: Select DomainRole from \ Win32_ComputerSystem If the above returns a 4 or 5 the system is a Domain Controller.01 Windows platform Action / Recommended Parameters Do not install Oracle on a domain controller W I n d o w s U n I x Level & Score 1. Audit: None 1 S 1 N 3 | P a g e . Creating a local administrator with restricted access mitigates this risk. e. then the server must be a domain server and the Oracle services must be run using a Restricted Service Account. Audit: None Rationale: The RSA must have limited access requirements. Remediation: Add the account to the local administrators group on the server running the Oracle services. restricted domain user account. Audit: None 1 N 1 S 1 N 4 | P a g e . Item Configuration Item # 1.04 Windows Oracle Account Deny Log on Locally Right 1. Audit: Ensure the Oracle account is listed beneath Local Policies\User Rights Assignments\Deny Log on Locally in the Windows Local Security Policy Rationale: The RSA account should not have access to resources that all domain users need to access.. Remediation: Do not assign any rights to the group.05 Windows Oracle Domain Global Group Create a global group for the primary group Rationale: If the Oracle services require domain resources. Remediation: Deny the Log on Locally right to the RSA. i.03 Windows Oracle Domain Account Action / Recommended Parameters Use Restricted Service Account (RSA) Rationale/Remediation W I n d o w s U n I x Level & Score 1. Item Configuration Item # 1.com/en- us/library/cc755876. Remediation: Remove the RSA from the Domain Users group.06 Windows Oracle Account Domain Users Group Membership Action / Recommended Parameters Remove the RSA from the Domain Users group Rationale/Remediation W I n d o w s U n I x Level & Score 1. Remediation: Give the appropriate permissions to the RSA or global group for the network resources that are required. Audit: On the domain controller. Audit: None 1 S 1 N 5 | P a g e . Granting the RSA domain level privileges negates the purpose of the RSA.aspx Rationale: The RSA must have limited access requirements.microsoft. For more information on the dsget command.07 Windows Oracle Domain Network Resource Permissions Verify and set permissions Rationale: The RSA must have limited access requirements. execute the following: dsget user <OracleUserDN> -memberof Ensure Domain Users is not listed. see http://technet. 08 Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Windows Oracle Limit to machine running Oracle Domain Account Logon services 1. Item Configuration Item # 1. Remediation: Configure the RSA to only log on to the computer that is running the Oracle services. Audit: None Rationale: The Oracle program installation folder must allow only limited access. Audit: Execute the following command: %ProgramFiles%\ and ensure BUILTIN\Users is not listed. Global access or unrestricted folder permissions will allow an attacker to alter Oracle resources and possibly compromise the security of the Oracle system. Remediation: Remove permissions for the Users group from the %ProgramFiles%\Oracle folder.09 Windows Program Folder Permissions Verify and set permissions Rationale: The RSA must have limited access requirements and be limited to authenticating to the Oracle server. 1 S 1 S 6 | P a g e . Audit: In regedit. Unrestricted access to the Oracle registry entries will allow non-administrative users to alter settings and create an insecure environment. browse to the HKEY_LOCAL_MACHINE\SOFTWARE\ORACLE key. Remediation: Set the HKEY_LOCAL_MACHINE\ SOFTWARE\ORACLE\ALL_HOMES\OSAUTH_PREFIX_D OMAIN value to TRUE Note: This is the default configuration. select Permissions. ensure the HKEY_LOCAL_MACHINE\ SOFTWARE\ORACLE\ALL_HOMES\OSAUTH_PREFIX_D OMAIN value set to TRUE.10 Windows Oracle Registry Key Permissions Action / Recommended Parameters Verify and set permissions Rationale/Remediation W I n d o w s U n I x Level & Score 1. Audit: In regedit. 1 S 1 S 7 | P a g e . right click. Give read permissions to those users that require it. and ensure the Users group is not granted access. Remediation: Give Full Control over the HKEY_LOCAL_MACHINE\SOFTWARE\ORACLE key to the account that will run the Oracle services and remove the local Users group. Rationale:This configuration strengthens the authentication process by requiring that the domain name be part of the username for externally authenticated accounts.11 Windows Oracle Registry Key Setting Set OSAUTH_PREFIX_DOMAIN registry value to TRUE Rationale: Access to the Oracle registry key must be limited to those users that require it. Item Configuration Item # 1. See Oracle Metalink note 124140.12 Windows registry Action / Recommended Parameters Set USE_SHARED_SOCKET registry value to TRUE Rationale/Remediation W I n d o w s U n I x Level & Score 1. If random port reassignment is undesired. This is not recommended for Windows environments. Ensure the HKEY_LOCAL_MACHINE\ SOFTWARE\ORACLE\HOME<#>\USE_SHARED_SOCKET registry key is set to TRUE. Item Configuration Item # 1.1 for details. Remediation: On Unix systems.13 Oracle software owner host account Lock account Rationale: 2 Confines client connections to the same port as the S listener. Remediation: Set the HKEY_LOCAL_MACHINE\ SOFTWARE\ORACLE\HOME<#>\USE_SHARED_SOCKET registry key to TRUE. use a very strong password for the account. Note: This is the default configuration. Account can be unlocked if system maintenance is required. lock the Oracle software owner account. Audit: grep i account_name /etc/password 8 | P a g e . Rationale: 2 Locking the user account will deter attackers from S leveraging this account in brute force authentication attacks. This allows connection and firewall management to be performed in a more consistent and refined manner. such as if there is a need to pipe through a firewall. If the account cannot be locked. Audit: In regedit. ensure that the rd 3 party applications are installed on separate partitions from the Oracle software and associated data files. Remediation: Check the file permissions for all application files for proper ownership and minimal file permissions. Audit: None 9 | P a g e . This rd includes all 3 party application files on the server that rd access the database. Any 3 party applications must be installed on a separate server from the database. Item Configuration Item # 1.14 All associated application files Action / Recommended Parameters Verify permissions Rationale/Remediation W I n d o w s U n I x Level & Score Rationale: 2 Allowing improper access to binaries that directly N interface with the Oracle database adds unnecessary risk and increases the attack surface of the database. If this is not possible in the environment. accounts.01 Installation Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status Try to ensure that no other users Rationale: 1 are connected while installing The Oracle 11g installer application could potentially N Oracle 11g. An attacker may leverage these to compromise the integrity of the system or database before the installation is complete. If the server must be installed remotely temporarily stop inbound remote connections via administration protocols ex. If possible install Oracle while the server is disconnected from the network. It would be possible for any local user to delete. create files. overwrite or corrupt these files during the installation process. or setting with public privileges. Also set the $TMP and $TMPDIR environment variables to a protected directory with access given only to the Oracle software owner and the ORA_INSTALL group. SSH. Installation and Patch Item Configuration Item # 2. VNC. Try to ensure that no other users are connected while installing Oracle 11g. Remediation: The Oracle 11g installer application could potentially create files in a temporary directory with public privileges. 2. Terminal Service. Audit: None 10 | P a g e . html and latest patches: http://metalink.com/technology/software/index.03 Minimal Install Ensure that only the Oracle components necessary to your environment are selected for installation.oracle. and that the latest patches from Oracle Metalink have been applied. Item Configuration Item # 2. Audit: None 1 S 1 N 11 | P a g e .oracle. Remove components that may have been installed during a previous installation but are not required. Remediation: Install only components needed to satisfy operational requirements. Rationale: Using outdated or unpatched software will put the Oracle database and host system at unnecessary risk and violates security best practices. Remediation: http://www.startup Audit: opatch lsinventory -detail Rationale: Installing components that are not used increases the attack surface of the database server.02 Version/Patches Action / Recommended Parameters Ensure the latest version of Oracle software is being used.com/metalink/plsql/ml2_gui. Rationale/Remediation W I n d o w s U n I x Level & Score Status 2. Remediation: Edit $ORACLE_HOME/network/admin/listener.ora and change the default name. it must be protected by proper permissions. restrict access to only those es not have access. If tkprof must remain on the production system. Remediation: Set file permissions of 0750 or less on Unix systems. Go to the $ORACLE_HOME/bin directory and remove or change the permissions of the utility. On Windows systems. Item Configuration Item # 2.; it is a powerful tool for an attacker to find issues in the running database.04 tkprof Action / Recommended Parameters Remove from system Rationale/Remediation W I n d o w s U n I x Level & Score Status 2.ora Change default name of listener Rationale: 1 S The tkprof utility must be removed from production environments. Audit: $ORACLE_HOME/bin/tkprof Rationale: 1 The listener must not be called by the default name as S it is commonly known. A distinct name must be selected.ora 12 | P a g e . Audit: grep default $ORACLE_HOME/network/admin/listener.05 listener. Remediation: Edit $ORACLE_HOME/network/admin/listener. Do this for all *.07 otrace Disable Rationale: 2 IP addresses instead of host names in the listener.ora S file must be used.ora and replace DNS names with IP addresses. It is not installed with a default 11g database installation. Note that this directory is installed for the Enterprise Manager Grid Controller. Hostnames are used by default.dat 13 | P a g e . Remediation: Go to the $ORACLE_HOME/otrace/admin directory of your instance and remove or delete the .ora Rationale: 1 otrace can leak sensitive information useful for an S attacker.dat files in this directory.06 listener. Audit: ls $ORACLE_HOME/otrace/admin/*. This prevents a compromised or spoofed DNS server from causing Oracle outages or man in the middle attacks.ora Action / Recommended Parameters Use IP addresses rather than hostnames Rationale/Remediation W I n d o w s U n I x Level & Score Status 2. Item Configuration Item # 2. Audit: grep -i HOST $ORACLE_HOME/network/admin/listener.dat files related to otrace. These accounts should be left locked and expired unless absolutely necessary. Audit: SELECT * FROM DBA_USERS_WITH_DEFPWD. Lock the user account 3.ora file will set an unencrypted password on the listener.08 Listener password Action / Recommended Parameters Use OS Authentication Rationale/Remediation W I n d o w s U n I x Level & Score Status 2.. set an encrypted password using the set password command via the lsnrctl tool. Change the default password Rationale: It is more secure to use OS authentication as setting a password on the listener will enable remote administration of the listener. Audit: grep -i PASSWORD \ $ORACLE_HOME/network/admin/listener.09 Default Accounts (created by Oracle) The following actions are recommended in order of preference for default accounts: 1. Check to ensure these accounts have not been unlocked. Item Configuration Item # 2. If additional users require remote access to the listener. setting a password in the listener.ora Rationale: The default Oracle installation locks and expires the installation accounts. Remediation: OS Authentication is enabled by default. Remediation: Lock and expire the system accounts. Be aware.; 1 S 2 S 14 | P a g e . Drop the user 2. $ORACLE_HOME/rdbms/admin/catnsmp. Item Configuration Item # 2.ora Change standard ports Rationale: Removing the OEM will reduce the Oracle attack surface.sql to remove all the objects and delete the file $ORACLE_HOME/bin/dbsnmp. Note: Database statistics will be unavailable in Enterprise Manager if this is set.ora file and change the PORT setting.sql rm $ORACLE_HOME/bin/dbsnmp Audit: ls al $ORACLE_HOME/bin/dbsnmp Rationale: Standard ports are used in automated attacks and by attackers to verify applications running on a server. Audit: grep 1521 \ $ORACLE_HOME/network/admin/listener.10 OEM objects Action / Recommended Parameters Remove if OEM not used Rationale/Remediation W I n d o w s U n I x Level & Score Status 2. Remediation: Execute $ORACLE_HOME/rdbms/admin/catnsnmp. Remediation: Alter the listener.ora 2 S 2 S 15 | P a g e .11 listener. Note: This may break applications that hard code the default port number.ora grep 1526 \ $ORACLE_HOME/network/admin/listener. ; ALTER USER <USERNAME> ACCOUNT LOCK PASSWORD EXPIRE. Ensure the SID is at least 7 characters long to prevent successful brute force attacks. some third party applications create S well-known default accounts in an Oracle database. ALTER USER <USERNAME> IDENTIFIED BY <PASSWORD>.; Audit: SELECT * FROM DBA_USERS_WITH_DEFPWD. Item Configuration Item # 2.12 Third party default passwords Action / Recommended Parameters Set all default account passwords to non-default strong passwords Rationale/Remediation W I n d o w s U n I x Level & Score Status 2. Remediation: The default passwords for these accounts must be changed or the account must be locked. Remediation: Alter the listener.ora 16 | P a g e .13 Service or SID name Non-default Rationale: 2 When installed. It S is commonly know and used in many automated attacks.ora file SID setting to a value other than the default.; SELECT USERNAME.; Rationale: 1 Do not use the default SID or service name of ORCL. ACCOUNT_STATUS FROM DBA_USERS. Audit: grep -i ORCL \ $ORACLE_HOME/network/admin/listener. and the database must be separated. Item Configuration Item # 2. Remediation: For Unix systems. create unique user accounts for each Oracle process/service in order to differentiate accountability and file access controls. This setup may cause unknown or unexpected errors and should be extensively tested before deployment into production. Audit: None 2 S 2 N 17 | P a g e . This is not recommended for Windows environments. Audit: grep -i oracle /etc/password Rationale: The user for the intelligent agent.15 Oracle Installation Separate users for different components of Oracle Rationale: Do not name the Oracle software owner account as it is very well known and can be leveraged by an attacker in a brute force attack.14 Oracle Installation Action / Recommended Parameters Oracle software owner account Rationale/Remediation W I n d o w s U n I x Level & Score Status 2. Remediation: Change the user used for the oracle software. the listener. 3. Removal of the System account will cause Oracle to stop functioning. but must not be removed. In Windows. The Windows System account is granted access to Oracle files/directories/registry keys. s more secure then the recommendations listed here. Remediation: All files in the $ORACLE_HOME/bin directory must have permissions set to 0755 or less. Oracle Directory and File Permissions Note: The Oracle software owner in Windows is the account used to install the product. This account is not restated in the comments section below. chmod 0755 $ORACLE_HOME/bin/* Audit: ls -al $ORACLE_HOME/bin/* 18 | P a g e . Please be sure to fully examine and test permissions before implementing them on production systems. This account must be a member of the local Administrators group. W U Level Item Configuration Item Action / Recommended Rationale/Remediation I & n n # Parameters d I Score o w s x Status 3.01 Files in $ORACLE_HOME/bin Verify and set ownership 3.02 Files in $ORACLE_HOME/bin Permissions set to 0755 or less Rationale: 1 S All files in the $ORACLE_HOME/bin must be owned by the Oracle software account to prevent a system-wide compromise in the event the Oracle account is compromised. Audit: ls -al $ORACLE_HOME/bin/* Rationale: 1 Incorrect permissions could allow an attacker to replace S a binary with a malicious version. this account must be part of the Administrators group. Remediation: Change the ownership of the binaries to the appropriate account. umask must be set to 022 before installing Oracle. Item Configuration Item # Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 3. chmod 750 $ORACLE_HOME/* Audit: ls al $ORACLE_HOME Rationale: Regardless of where the umask is set.03 Files in $ORACLE_HOME (not including $ORACLE_HOME/bin) Permissions set to 0750 or less on Unix systems 3. Ad improper umask can lead to unrestrictive permissions and open the oracle server file system to attack. Remediation: All files in $ORACLE_HOME directories (except for $ORACLE_HOME/bin) must have permission set to 0750 or less.04 Oracle account .profile file Unix systems umask 022 Rationale: Incorrect permissions could allow an attacker to execute or replace a command with a malicious version. Audit: umask 1 S 1 S 19 | P a g e . Remediation: Ensure the umask value is 022 for the owner of the Oracle software before installing Oracle. ora chmod 644 init.ora chmod 640 spfile.ora configuration the security of the oracle server can be compromised. Remediation: chgrp oracle_grp init.ora Rationale: File permissions must be restricted to the owner of the Oracle software and the dba group. If unprivileged users can alter the init.ora 1 S 1 S 20 | P a g e . Remediation: chgrp oracle_grp spfile.ora configuration the security of the oracle server can be compromised.ora Audit: ls -al $ORACLE_HOME/dbs/spfile.05 init.ora Audit: ls -al $ORACLE_HOME/dbs/init. Item Configuration Item # Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 3.ora chown oracleuser init. If unprivileged users can alter the spfile.ora Verify and restrict permissions Rationale: File permissions must be restricted to the owner of the Oracle software and the dba group.ora Verify and restrict permissions 3.ora chown oracleuser spfile.06 spfile. oraclegroup ifile Audit: grep ifile init. Remediation: chown oracleuser $ORACLE_HOME/dbs/* chgrp oraclegroup $ORACLE_HOME/dbs/* Audit: ls -al $ORACLE_HOME/dbs/* Rationale: File permissions must be restricted to the owner of the Oracle software and the dba group. Item Configuration Item # Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 3. If unprivileged users can read or alter the dbs files the security of the oracle server can be compromised.07 Database datafiles Verify and restrict permissions 3.ora ls -al <result> 1 S 1 S 21 | P a g e . the file permissions of the referenced ifile must be restricted to the Oracle software owner and the dba group. Remediation: chmod 750 ifile chown oracleuser.08 init.ora Verify permissions of file referenced by ifile parameter Rationale: File permissions must be restricted to the owner of the Oracle software and the dba group. If the ifile functionality is used. 10 init. Remediation: chmod 660 diag_file chown oracleuser.09 init.oraclegroup diag_file Audit: grep -i diagonostic_dest init. Remediation: chmod 600 auditfile chown oracleuser.ora ls -al <result> audit_file_dest parameter settings 22 | P a g e . Item Configuration Item # Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 3.ora Rationale: 1 The destination for the audit file must be set to a valid S directory owned by oracle and set with owner read/write permissions only.ora 3.oraclegroup auditfile Audit: grep -i audit_file_dest init.ora ls -al <result> diagonostic_dest parameter Rationale: 1 The destination for the user dump must be set to a valid S settings directory with permissions restricted to the owner of the Oracle software and the dba group. and no log_archive_dest_n parameters are set.12 init.ora log_archive_dest_n parameter settings Rationale: 1 The permissions must be restricted to only the owner of S the Oracle software and the dba group.oraclegroup \ log_file_dest Audit: grep -i log_archive_dest init.ora ls -al <result> 23 | P a g e . Item Configuration Item # Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 3. access control lists must be used. the deprecated form of log_archive_dest must be used. Remediation: chmod 640 control_file chown oracleuser.oraclegroup control_file Audit: grep -i control_files init. For complex configurations where different groups need access to the directory. chmod 750 file_file_dest chown oracleuser. then ensure those directories are secure. Note: If Oracle Enterprise Edition is installed.11 init.ora control_files parameter settings 3. Remediation: set paths.; Rationale: 1 File permissions must be restricted to the owner of the S Oracle software and the dba group.ora ls -al <result> select name from V$controlfile. ora and sqlnet. access to this file should be limited. 1 Rationale: S Permissions for all files must be restricted to the owner of the Oracle software and the dba group. Remediation: chmod 644 sqlnet. Note: If an application that requires access to the database is also installed on the database server.ora contains the configuration files for the communication between the user and the server including the level of required encryption.ora files. the user the application runs as must have read access to the tnsnames.ora 24 | P a g e .oraclegroup sqlnet.oraclegroup \ $ORACLE_HOME/network/admin/* Audit: ls -al $ORACLE_HOME/network/admin/* Rationale: 1 S The sqlnet.ora Verify and set permissions with read permissions for everyone.CRYPTO_SEED in the sqlnet.ora file.14 sqlnet. Audit: ls al sqlnet. the key is stored in the parameter SQLNET. Item Configuration Item # Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 3. In such scenarios.13 Files in $ORACLE_HOME/ network/admin directory Verify and set permissions 3.ora chown oracleuser.ora Note: If encryption is used. Remediation: chmod 644 $ORACLE/network/admin/* chown oracleuser. Item Configuration Item # Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 3. Remediation: chmod 640 log_directory_client chown oracleuser.ora 25 | P a g e .ora log_directory_server parameter settings Rationale: 1 S The log_directory_client must be set to a valid directory owned by the Oracle account and permissions restricted to read/write only for the owner and dba group.16 sqlnet.15 sqlnet.oraclegroup \ log_directory_client Audit: grep -i log_directory_client sqlnet.ora log_directory_client parameter settings 3. Remediation: chmod 640 log_directory_client chown oracleuser.ora Rationale: 1 S The log_directory_server must be set to a valid directory owned by the Oracle account and set with owner and group read/write permissions only.oraclegroup \ log_directory_client Audit: grep -i log_directory_client sqlnet. with permissions set as: Remediation: chmod 640 log_directory_client chown oracleuser.ora 26 | P a g e . By default this is not set. Item Configuration Item # Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 3.ora trace_directory_client parameter settings 3. this is usually set to $ORACLE_HOME/network/trace. Be aware. this is usually set to $ORACLE_HOME/network/trace.17 sqlnet.ora trace_directory_server parameter settings Rationale: 1 S The trace_directory_client parameter settings must be set to a valid directory owned by the Oracle account and permissions restricted to read/write only for the owner and read for the dba group. Remediation: chmod 640 trace_directory_server chown oracleuser.oraclegroup \ log_directory_client Audit: grep -i trace_directory_client sqlnet. Be aware.ora Rationale: 1 S The trace_directory_server must be set to a valid directory owned by the Oracle account and permissions restricted to read/write only for the owner and read for the dba group.18 sqlnet.oraclegroup trace_directory_server Audit: grep -i trace_directory_server sqlnet.. By default this is not set. 20 listener.oraclegroup \ $ORACLE_HOME/network/log/listener.log chown oracleuser. this is usually set to $ORACLE_HOME/network/log/listener.ora log_file_listener parameter settings Rationale: 1 File permissions must be restricted to the owner of the S Oracle software and the dba group. Remediation: chmod 660 \ $ORACLE_HOME/network/admin/listener. Remediation: chmod 640 \ $ORACLE_HOME/network/log/listener.ora file are created these backup files must be removed or they must have their permissions restricted to the owner of the Oracle software and the dba group.oraclegroup \ $ORACLE_HOME/network/admin/listener.log Audit: grep -i log_file_listener \ $ORACLE_HOME/network/admin/listener.ora Audit: ls -al \ $ORACLE_HOME/network/admin/listener. Be aware.ora Rationale: 1 S The log_file_listener file must be set to a valid directory owned by the Oracle account and permissions restricted to read/write only for the owner and read for the dba group.ora Verify and set permissions 3.log. By default this is not set.ora 27 | P a g e .19 listener.ora chown oracleuser. Item Configuration Item # Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 3. If backup copies of the listener. 21 listener.oraclegroup trace_dir Audit: grep -i trace-directory \ $ORACLE_HOME/network/admin/listener.oraclegroup \ $ORACLE_HOME/network/trace chmod 660 $ORACLE_HOME/network/trace Audit: grep -i trace_file \ $ORACLE_HOME/network/admin/listener. Be aware.ora ls al <result> trace_directory_listener _name parameter settings 1 S 1 S 28 | P a g e . this is usually set to $ORACLE_HOME/network/trace. By default this is not set. Item Configuration Item # Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 3.ora Rationale: The trace_directory_listener_name must be set to a valid directory owned by the Oracle account and permissions restricted to read/write only for the owner and dba group. Remediation: chmod 660 trace_dir chown oracleuser.ora 3. Remediation: chown oracleuser.22 listener.ora trace_file_listener_name Rationale: parameter settings This file must be owned by the Oracle account and permissions restricted to read/write only for the owner and dba group. Remediation: chown oracleuser.htaccess Audit: ls al .oraclegroup sqlplus chmod 750 sqlplus Audit: which -a sqlplus ls -al <result(s)> Rationale: File permissions must be restricted to the owner of the Oracle software and the dba group.htaccess prior to implementing this recommendation.htaccess Verify and set permissions Rationale: The permissions of the binaries for sqlplus on the server must be restricted to the owner of the Oracle software and the dba group. Additionally.oraclegroup .23 sqlplus Verify and set permissions 3. Remediation: chown oracleuser. Item Configuration Item # Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 3. ensure all configuration changes have been made within .24 .htaccess Note: Only applicable for environments using the Oracle HTTP Server. 1 S 1 S 29 | P a g e .htaccess chmod 644 . Item Configuration Item # Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 3.25 dads.conf Verify and set permissions 3.26 xsqlconfig.xml Verify and set permissions Rationale: File permissions must be restricted to the owner of the Oracle software and the dba group. Remediation: chown oracleuser.oraclegroup dads.conf chmod 644 dads.conf Audit: ls al dads.conf Note: Only applicable for environments using the Oracle HTTP Server. Additionally, ensure all configuration changes have been made within dads.conf prior to implementing this recommendation. Rationale: File permissions must be restricted to the owner of the Oracle software and the dba group. Remediation: chown oracleuser.oraclegroup \ xsqlconfig.xml chmod 640 xsqlconfig.xml Audit: ls -al \ $ORACLE_HOME/xdk/admin/XSQLConfig.xml 1 S 1 S 30 | P a g e 4. Oracle Parameter Settings Item Configuration Item # 4.01 init.ora Action / Recommended Parameters _trace_files_public= FALSE Rationale/Remediation W I n d o w s U n I x Level & Score Status 4.02 init.ora global_names= TRUE Rationale: 1 Prevents users from having the ability to read trace files S which may contain sensitive information about the running Oracle instance. This is an internal Oracle parameter. Do NOT use it unless instructed to do so by Oracle Support. Remediation: Set _trace_files_public= FALSE Note: Default is FALSE. Audit: grep i _trace_files_public init.ora Rationale: 1 This parameter ensures that Oracle will check that the S name of a database link is the same as that of the remote database. Default is TRUE. Remediation: Set global_names= TRUE in init.ora Audit: grep -i global_names init.ora 31 | P a g e Item Configuration Item # 4.03 Init.ora Action / Recommended Parameters remote_os_authent=FALSE Rationale/Remediation W I n d o w s U n I x Level & Score Status 4.04 init.ora remote_os_roles= FALSE 4.05 init.ora string) (A null Rationale: This setting has been deprecated, however is maintained for backwards compatibility. If this setting is used it is recommended to be set to FALSE. remote_os_authent will allow a user that is authenticated to the network domain to access the database without DB credentials. Remediation: Set remote_os_authent=FALSE. Audit: grep -i remote_os_authent init.ora Rationale: Connection spoofing must be prevented. Default is FALSE. Remediation: Set remote_os_roles= FALSE. Audit: grep -i remote_os_roles init.ora Rationale: Prevent the use of a listener on a remote machine separate from the database instance. Remediation: Set Audit: grep -i remote_listener init.ora 1 S 1 S 1 S 32 | P a g e Item Configuration Item # 4. Remediation: Alter the init. S Recommend setting audit_trail to OS as it reduces the likelihood of a Denial of Service attack and it is easier to secure the audit trail. or XML. Even with the audit_trail value set to FALSE. S The duties and responsibilities of DBAs and system administrators must be separated. Any auditing information stored in the database is viewable and modifiable by the DBA if set to DB or DB_EXTENDED.06 init. XML. DB.ora file and set audit_trail=OS Audit: grep -i audit_trail init. DB_EXTENDED.07 init. It must be set to limit the external use of an account to an IDENTIFIED EXTERNALLY specified user.ora null string) (A Rationale: 1 Ensures that basic audit features are used." The default is DB. Remediation: Set Audit: grep -i os_authent_prefix init. OS is required if the auditor is distinct from the DBA. EXTENDED Rationale/Remediation W I n d o w s U n I x Level & Score Status 4. an audit session will report.ora Action / Recommended Parameters audit_trail parameter set to OS. "Audit succeeded.ora Rationale: 1 OS roles are subject to control outside the database.ora 33 | P a g e . ora Action / Recommended Parameters os_roles=FALSE Rationale/Remediation W I n d o w s U n I x Level & Score Status 4.ora Rationale: 1 S Do not use the utl_file_dir parameter directories created with utl_file_dir as they can be read and written to by all users.2 migration is recommended. This can lead to misaligned or inherited permissions. Remediation: Set os_roles=FALSE Audit: grep -i os_roles init. Remediation: Use CREATE DIRECTORY Audit: grep -i utl_file_dir init. This function has been deprecated since version 9.ora Avoid using utl_file_dir parameters Rationale: 1 S os_roles allows externally created groups to be used to manage database roles. Specify directories using CREATE DIRECTORY which requires granting of privileges to each user.09 init.ora 34 | P a g e . Item Configuration Item # 4.08 init. directory.10 init. Audit: grep -i log_archive_duplex_dest init. Remediation: Set LOG_ARCHIVE_DUPLEX_DEST to a valid. Use LOG_ARCHIVE_MIN_SUCCEED _DEST logging of the redo files. For complex configurations where different groups need access to the directory. Rationale: 1 Redundancy for the redo logs can prevent catastrophic S loss in the event of a single physical drive failure. Remediation: Set LOG_ARCHIVE_MIN_SUCCEED_DEST to 1 or greater. access control lists must be used.ora Action / Recommended Parameters Establish redundant physically separate locations for redo log files. Item Configuration Item # 4. Use LOG_ARCHIVE_DUPLEX_DEST to establish a redundant location for the redo logs.ora 35 | P a g e . Rationale/Remediation W I n d o w s U n I x Level & Score Status 4.11 init.ora Specify redo logging must be successful. properly secured.ora Rationale: 1 Specifying that the logging must succeed in one or S more locations ensures redundancy of the redo logs. If this parameter is used. Audit: grep -i LOG_ARCHIVE_MIN_SUCCEED_DEST \ init. it must be set to a valid directory owned by oracle set with owner and group read/write permissions only. ora 36 | P a g e . This setting will cause the listener to refuse set commands that alter its parameters without a restart of the listener. Not set and turned off by default. Remediation: Set admin_restrictions_listener_name = on Audit: grep -i admin_restrictions listener.13 listener.ora Rationale: 2 S Replace listener_name with the actual name of your listener(s) for this parameter setting.ora admin_restrictions_liste ner_name=on Rationale: 2 S Enforce the requirement that a user must have SELECT privilege on a table in order to be able to execute UPDATE and DELETE statements using WHERE clauses on a given table. Item Configuration Item # 4. Remediation: Set sql92_security= TRUE Audit: grep -i sql92_security init.ora.12 init. WARNING: This will likely result in many applications failing and should not be enabled in production without thorough testing. This requires the administrator to have write privileges to listener.ora Action / Recommended Parameters sql92_security= TRUE Rationale/Remediation W I n d o w s U n I x Level & Score Status 4. 15 Database object definition NOLOGGING clause Rationale: Logging of all listener actions will create an audit trail in the event that a listener is attacked or needs to be debugged. improper use of NOLOGGING may introduce data continuity exposures in the absence of a full backup. Server to forego writing essential recovery information to the redo log when performing certain actions. CREATE INDEX. but is enabled by default. and ALTER TABLE. such as tables and indexes. Remediation: Set logging_listener=ON Audit: grep -i logging_listener listener. are not operating in NOLOGGING mode. Item Configuration Item # 4. including but not limited to ALTER INDEX.ora Action / Recommended Parameters logging_listener=ON Rationale/Remediation W I n d o w s U n I x Level & Score Status 4. Remediation: Ensure database objects. Given this.14 listener.ora Do not leave database objects in Rationale: NOLOGGING mode in production The NOLOGGING keyword instructs Oracle Database environments. This setting is not set. CREATE TABLE. Audit: None 1 S 1 N 37 | P a g e . In Apps 11. the following roles can be assigned. If access to these objects is required. Note: In Oracle Applications 11.16 init.1 for more information. accounts with "ANY" privileges could get access to objects in the SYS schema.10 and higher.ora 2 S 38 | P a g e . Remediation: Set o7_dictionary_accessibility= FALSE Audit: grep i o7_dictionary_accessibility \ init.5. SELECT_CATALOG_ROLE. DELETE_CATALOG_ROLE. Item Configuration Item # 4. See Oracle Metalink Note ID 216205. EXECUTE_CATALOG_ROLE. Set this to FALSE to prevent users with EXECUTE ANY PROCEDURE and SELECT ANY DICTIONARY from accessing objects in the SYS schema.9 and lower. O7_DICTIONARY_ACCESSIBILITY should be set to FALSE. Default setting is FALSE. This is required for proper functioning of the application and Oracle does not support setting it to FALSE. O7_DICTIONARY_ACCESSIBILITY must be set to TRUE.ora Action / Recommended Parameters o7_dictionary_accessibil ity= FALSE Rationale/Remediation W I n d o w s U n I x Level & Score Status Rationale: This is a database initialization parameter that controls access to objects in the SYS schema. If set to TRUE.5. Item Configuration Item # 4.ora 2 S 2 S 39 | P a g e .ora or spfile<sid>. Remediation: Remove the following from spfile: dispatchers= (PROTOCOL= TCP)(SERVICE= <oracle_sid>XDB) Audit: grep -i XDB spfile<sid>.ora Action / Recommended Parameters Remove the following from the spfile: dispatchers= (PROTOCOL= TCP) (SERVICE= <oracle_sid>XDB) Rationale/Remediation W I n d o w s U n I x Level & Score Status 4. Audit: grep -i AUDIT_SYS_OPERATIONS init.ora AUDIT_SYS_OPERATIONS =TRUE Rationale: This will disable default ports ftp: 2100 and http: 8080. Windows: Default is Event Viewer log file Unix: Default is $ORACLE_HOME/rdbms/audit By default this is set in spfile. Removing the XDB ports will reduce the attack surface of the Oracle server.ora Rationale: Auditing of the users authenticated as the SYSDBA or the SYSOPER provides an oversight of the most privileged of users. Set AUDIT_FILE_DEST to your designated logging directory.18 Init. Ensure this by setting the AUDIT_SYS_OPERATIONS to TRUE. It is recommended to disable these ports if production usage is not required. It is important that the database user should not have access to the system directories where the audits will be recorded.17 spfile<sid>. The default value is FALSE within spfile. Remediation: Set AUDIT_SYS_OPERATIONS=TRUE. ora.validnode_checking sqlnet.ora Action / Recommended Parameters inbound_connect_ timeout_listener=2 Rationale/Remediation W I n d o w s U n I x Level & Score Status 4.validnode_checking=YES in $ORACLE_HOME/network/admin/sqlnet.19 listener.ora tcp.validnode_checking= YES Rationale: 2 Allowing inbound connections to hold open half S connections consumes database resources and can lead to denial of service.20 sqlnet. Remediation: Set inbound_connect_timeout_listener=2 Audit: grep -i inbound_connect_timeout \ listener. Item Configuration Item # 4. Set the initial value low and adjust upward if normal clients are unable to connect within the time allocated.ora 40 | P a g e . Note: The default value is No Audit: grep -i tcp. Remediation: Set tcp.ora Rationale: 2 This parameter enables the listener to check incoming S connections for matches in the invited and excluded nodes list. invited_nodes to valid values Rationale/Remediation W I n d o w s U n I x Level & Score Status 4. The excluded_nodes value is ignored if this is set and a default deny policy is created only allowing the listed trusted nodes to connect to the listener.invited_nodes to valid values tcp.1.ora 2 S 2 S 41 | P a g e .excluded_nodes to valid values Rationale: This creates a list of trusted nodes that can connect to the listener.1.1.1.ora file.excluded_nodes values are ignored and only hosts specified in the invited_nodes will be allowed to connect to the listener.excluded_nodes sqlnet.invited_nodes sqlnet.21 sqlnet. 10.invited_nodes is set. Item Configuration Item # 4. Set tcp.ora Set tcp.ora Note: This is not set by default.ora file.invited_nodes =(10.1. Note: If the tcp.22 sqlnet. Rationale: Excluded nodes will prevent malicious or untrusted hosts from connecting to the listener.excluded_nodes to valid values Audit: grep -i tcp.ora Action / Recommended Parameters Set tcp. Remediation: Use IP addresses of authorized hosts to set this parameter in the sqlnet.2) Audit: grep -i tcp. Remediation: Use IP addresses of unauthorized hosts to set this parameter in the sqlnet. Set tcp. the tcp. Allowing a connection to idle indefinitely will consume system resources leading to a denial of service. Remediation: Set sqlnet. the default is never S to expire. Suggestion is to set to a low initial value and adjust upward if normal clients are unable to connect within the time allocated.inbound_connect_timeout=3 Audit: grep -i inbound_connect_timeout \ sqlnet.inbound_ connect_timeout=3 Rationale/Remediation W I n d o w s U n I x Level & Score Status 4.ora file. It is recommended to set this to a low value initially. Remediation: Set sqlnet.ora sqlnet.ora Rationale: 2 If this is not set in the sqlnet.24 sqlnet. then increase if clients experience timeout issues.23 sqlnet.expire_time= 10 Rationale: 2 Allowing inbound connections to hold open half S connections consumes database resource and can lead to denial of service.expire_time= 10 Audit: grep -i expire_time sqlnet.ora 42 | P a g e . Item Configuration Item # 4.ora Action / Recommended Parameters sqlnet. ; 2 S 43 | P a g e .25 Accounts Action / Recommended Parameters Lock account access for application schema owners Rationale/Remediation W I n d o w s U n I x Level & Score Status Rationale: Lock the account for the application schema owner. Users must not connect to the database as the application owner. Remediation: ALTER USER <USERNAME> ACCOUNT LOCK PASSWORD EXPIRE Audit: SELECT USERNAME. ACCOUNT_STATUS FROM DBA_USERS. Item Configuration Item # 4. the remote_login_passwordfile set to exclusive. For Unix: Set remote_login_passwordfile setting to none.26 init. Implement SSH or other secure shell method to remotely administer the Oracle server.ora Action / Recommended Parameters remote_login_passwordfil e=none Rationale/Remediation W I n d o w s U n I x Level & Score Status Rationale: Prevents remote privileged connections to the database. Remote Administration of Oracle via Administrative Listener: Admin Listener = Required remote_login_passwordfile setting = exclusive Require logging be enabled for the Admin and Client Listeners if remote access is provided. This suggests that remote administration should be performed by remotely logging into the database server via a secured connection. Implement remote management to a Windows based host viaTerminal Server and IPSec. Remediation: For Windows: Set remote_login_passwordfile setting to none. Alternately. Item Configuration Item # 4. Audit: grep i remote_login_passwordfile \ init. and logging of the administrative listener implemented.ora 2 S 44 | P a g e . an administrative listener could be created. ora Rationale: 2 N Allowing overly broad PATH and CLASSPATH variables could allow an attacker to leverage pathing issues and load malicious binaries or classes.27 sqlnet.ora .9.8.ALLOWED_LOGON_VER SION=11 Rationale/Remediation W I n d o w s U n I x Level & Score Status 4.ora 45 | P a g e . Remediation: SQLNET.ora REMOTE_ADMIN=NO Rationale: 2 Set the login version to the 11.29 cman. Remediation: Set REMOTE_ADMIN = NO. Item Configuration Item # 4.28 listener. Note: The ENVS SID_DESC parameter is not supported on Windows however the environment variables can be defined for the listener. Remediation: Remove broad path or classpath variables and ensure only absolute paths are used. Audit: grep i ENVS listener. 4. S Default is NO. The default setting is 10. Rationale: 2 Ensure remote administration is not left enabled. The higher setting S prevents logins by older version clients that do not use strong authentication to pass the login credentials.ora Action / Recommended Parameters SQLNET.ALLOWED_LOGON_VERSION=11 Audit: grep -i ALLOWED_LOGIN_VERSION sqlnet. Audit: grep i REMOTE_ADMIN cman.ora Use absolute paths in ENVS parameters. ora SEC_RETURN_SERVER_RELEAS E_BANNER = false Rationale: Remove entries for external procedures from listener.ora file. tnsnames. If not required disable their usage. This creates a dangerous condition. External procedures can call shared libraries on the host system from the $ORACLE_HOME/lib or $ORACLE_HOME/bin directories.ora 2 N 2 S 46 | P a g e .31 init. Remediation: Remove external shared libraries from $ORACLE_HOME/lib Audit: None Rationale: Ensure the oracle database is not returning complete database information to clients. Remediation: SEC_RETURN_SERVER_RELEASE_BANNER = false Audit: grep -i \ SEC_RETURN_SERVER_RELEASE_BANNER init.ora Action / Recommended Parameters Disable external procedures Rationale/Remediation W I n d o w s U n I x Level & Score Status 4.30 listener. Knowing the exact patch set can aid an attacker. Item Configuration Item # 4.ora.ora or tnsnames. Remediation: SEC_CASE_SENSITIVE_LOGON=TRUE Audit: grep -i SEC_CASE_SENSITIVE_LOGO init.ora Action / Recommended Parameters DB_SECUREFILE=ALWAYS Rationale/Remediation W I n d o w s U n I x Level & Score Status 4. This increases the complexity of passwords and helps defend against brute force password attacks. Item Configuration Item # 4.32 init.33 init.ora 2 N 1 S 47 | P a g e . Remediation: DB_SECUREFILE=ALWAYS Audit: grep -i DB_SECUREFILE init.ora SEC_CASE_SENSITIVE_LOGON =TRUE Rationale: Ensure that all LOB files created by Oracle are created as SecureFiles.ora Rationale: Set Oracle database password to be case sensitive. Remediation: SEC_MAX_FAILED_LOGIN_ATTEMPTS=3 Audit: grep -i SEC_MAX_FAILED_LOGIN_ATTEMPTS \ init. Item Configuration Item # 4.ora 1 S 4. This will reduce the effectiveness of a password brute force attack. This help mitigate malicious connections or DOS conditions.34 init.ora Action / Recommended Parameters SEC_MAX_FAILED_LOGIN_ATT EMPTS=3 Rationale/Remediation W I n d o w s U n I x Level & Score Status Rationale: Set the maximum number of failed login attempts to be 3 or in sync with established password policies. Remediation: SEC_PROTOCOL_ERROR_FURTHER_ACTION=DELAY <seconds>or DROP<seconds> Audit: grep i \ SEC_PROTOCOL_ERROR_FURTHER_ACTION \ init.ora SEC_PROTOCOL_ERROR_FURTH ER_ACTION=DELAY <seconds>or DROP<seconds> 1 S 48 | P a g e .35 init.ora Rationale: When bad packets are received from a client the server will wait the specified number of seconds before allowing a connection from the same client. such as those used by middle-tier connectivity restrictions to the Oracle instance backing the application and the determinism of usernames used by such applications. Note: Setting SEC_MAX_FAILED_LOGIN_ATTEMPTS to a value other than UNLIMITED may increase an accounts. Item Configuration Item # 4.37 sqlnet. Remediation: SEC_USER_AUDIT_ACTION_BANNER=/path/to/war ning.tx t Rationale: Specify the action a database should take when a bad packet is received.ora 1 S 1 N 49 | P a g e .txt Audit: grep i \ SEC_USER_AUDIT_ACTION_BANNER sqlnet. TRACE generates a detailed trace file and should only be used when debugging.ora Action / Recommended Parameters SEC_PROTOCOL_ERROR_TRACE _ACTION=LOG or ALERT Rationale/Remediation W I n d o w s U n I x Level & Score Status 4. Use currently established procedures for checking console or log file data to monitor these events. Set the complete path to the file that contains the warning.36 init. ALERT or LOG should be used to capture the event. Remediation: SEC_PROTOCOL_ERROR_TRACE_ACTION= {LOG|ALERT} Audit: grep i \ SEC_PROTOCOL_ERROR_TRACE_ACTION init.ora SEC_USER_AUDIT_ACTION_BA NNER=/path/to/warning.ora Rationale: A banner should be set to warn a user about the possible audit actions that are taken when using the system. Item Configuration Item # 4.38 sqlnet.ora Action / Recommended Parameters SEC_USER_UNAUTHORIZED_AC CESS_BANNER=/path/to/war ning.txt Rationale/Remediation W I n d o w s U n I x Level & Score Status 4.39 listener.ora SECURE_CONTROL_listener_ name=(TCPS,IPC) Rationale: A banner should be set to warn a user about unauthorized access to the database that is in line with current policy or language. Set the complete path to the file that contains the warning. OCI and other custom applications must make use of this parameter before it is displayed to the user. Remediation: SEC_USER_UNAUTHORIZED_ACCESS_BANNER=/path /to/warning.txt Audit: grep -i \ SEC_USER_UNAUTHORIZED_ACCESS_BANNER \ sqlnet.ora Rationale: If remote administration of the listener is required configure the listener for secure control. If no values are entered for this parameter, the listener will accept registration request from any transport. If only IPC or TCPS is required then set the value to TCPS or IPC. Remediation: SECURE_CONTROL_listener_name=(TCPS,IPC) Audit: grep -i SECURE_CONTROL listener.ora 1 N 2 S 50 | P a g e Item Configuration Item # 4.40 listener.ora Action / Recommended Parameters SECURE_PROTOCOL_listener _name=(TCP,IPC) Rationale/Remediation W I n d o w s U n I x Level & Score Status 4.41 listener.ora SECURE_REGISTER_listener _name=(TCP,IPC) 4.42 listener.ora DYNAMIC_REGISTRATION_lis tener_name=OFF Rationale: Ensure that any administration requests are accepted only over secure transport. If only IPC or TCP is required then set the value to TCPS or IPC. Remediation: SECURE_PROTOCOL_listener_name=(TCPS,IPC) Audit: grep -i SECURE_PROTOCOL listener.ora Rationale: Ensure that any registration requests are accepted over secure transport. If only IPC or TCP is required then set the value to TCPS or IPC. Remediation: SECURE_REGISTER_listener_name=(TCPS,IPC) Audit: grep -i SECURE_REGISTER listener.ora Rationale: If DYNAMIC_REGISTRATION is turned on all registration connections are accepted by the listener. It is recommended that only static registrations be used by the listener. Turning off dynamic registration may not be possible in larger or more dynamic environments. Ensure proper testing is done before turning off dynamic registration in production. Remediation: DYNAMIC_REGISTRATION_listener_name=OFF Audit: grep i DYNAMIC_REGISTRATION listener.ora 1 S 2 S 2 S 51 | P a g e Item Configuration Item # 4.43 listener.ora Action / Recommended Parameters EXTPROC_DLLS=ONLY Rationale/Remediation W I n d o w s U n I x Level & Score Status Rationale: Where use of external procedures is required, specify the EXTPROC_DLLS=ONLY in the parameter to limit calls to the specific DLLS. This prevents external DLLs and libraries from being loaded by the Oracle database. An attacker that can load an external library into the Oracle running instance can take control or compromise system security. If external DLLs must be used specify the ONLY parameter and an absolute path for each required DLL. Remediation: EXTPROC_DLLS=ONLY Audit: grep i EXTPROCS_DLLS listener.ora 1 S 52 | P a g e e. Therefore. Remediation: SQLNET. it must be configured even if it is not used.01 OAS - General Review requirement for integrity Rationale: and confidentiality requirements.ENCRYPTION_SERVER Rationale: =REQUIRED This ensures that regardless of the settings on the user. Audit: None SQLNET..02 OAS Encryption Type 2 S 53 | P a g e .ENCRYPTION_SERVER=REQUIRED Audit: grep i ENCRYPTION_SERVER sqlnet.g. IPSec or other means for providing integrity/confidentiality services. 5.ora W I n d o w s U n I x Level & Score Status 2 N 5. Encryption Specific Settings Note: OAS is installed by default even if it is not licensed. Only implement OAS if a local integrity/encryption policy does not already exist. Remediation: Review requirement for integrity and confidentiality requirements. Default is accepted. if communication takes place it must be encrypted. Item Configuration Item Action / Recommended Rationale/Remediation # Parameters 5. 04 OAS FIPS Compliance SSLFIPS_140 =TRUE Rationale: Communication is only possible on the basis of an agreement between the client and the server regarding the connection encryption. NOTE: This value is not settable using the Oracle Net Manager.ora 2 S 2 S 54 | P a g e . the FIPS value must be set to TRUE. set the value to REQUIRED.03 OAS Encryption Type Action / Recommended Parameters SQLNET.ora file. To ensure encrypted communication.ENCRYPTION_CLIENT =(ACCEPTED|REQUESTED|REQ UIRED) Rationale/Remediation W I n d o w s U n I x Level & Score Status 5. With the server set to REQUIRED the client must match the encryption for valid communication to take place. Remediation: SQLNET. Note: Failure to specify one of the values will result in an error when an attempt is made to connect to a FIPS 140-1 compliant server.ora Rationale: For FIPS 140-2 compliance. To set this value you must use a text editor and modify the sqlnet. The default value for this setting is FALSE.ENCRYPTION_CLIENT=REQUIRED Audit: grep i ENCRYPTION_CLIENT sqlnet. Remediation: SSLFIPS_140 =TRUE Audit: grep i SSL_FIPS fips. Default is accepted. Item Configuration Item # 5. Default is all. use SHA1 instead of MD5. Item Configuration Item # 5. Remediation: Set SQLNET.CRYPTO_CHECKSUM_T YPES_SERVER=(SHA1) 55 | P a g e .05 OAS Integrity Protection Action / Recommended Parameters Integrity check for communication between the server and the client must be established.06 OAS Integrity Protection Set SQLNET. Default is accepted. Rationale/Remediation W I n d o w s U n I x Level & Score Status Rationale: 2 The integrity check for communication can prevent data S modifications.; SHA-1 and MD5.ora grep i CRYPTO_CHECKSUM_CLIENT sqlnet.CRYPTO_CHECKSUM_TYPES_SERVER=(SHA1 ) Audit: grep i CHECKSUM_TYPES_SERVER sqlnet.ora 5.CRYPTO_CHECKSUM_SERVER=REQUIRED SQLNET.CRYPTO_CHECKSUM_CLIENT=REQUIRED Audit: grep i CRYPTO_CHECKSUM_SERVER sqlnet. Remediation: Set SQLNET. MD5 has S documented weaknesses and is prone to collisions. Usage of SHA-1 is recommended. Two check sum algorithms are available.ora Rationale: 2 If possible. verify fingerprint of CA certificates. use fingerprints to verify the certificate. Item Configuration Item # 5. 5. Audit: None 2 N 2 S 2 N 56 | P a g e . Audit: orapki wallet display -wallet \ wallet_location Rationale: When adding CA certificates via out-of-band methods. Ensure only the appropriate Oracle user account has access to the wallet.08 OAS Oracle Wallet Trusted Certificates Remove certificate authorities (CAs) that are not required. Rationale/Remediation W I n d o w s U n I x Level & Score Status 5. Remediation: None Audit: None Rationale: Trust only those CAs that are required by clients and servers. Rationale: The Oracle service account must have access to the wallet. Failure to verify fingerprints can lead to compromise of the certificate chain.09 OAS Oracle Wallet Trusted Certificates Import When adding CAs. verify fingerprint of CA certificates. Remediation: Remove certificate authorities (CAs) that are not required. Remediation: When adding CAs.07 OAS Oracle Wallet Owner Permissions Action / Recommended Parameters Set configuration method for Oracle Wallet. Remediation: Use OAS Integrity/Encryption only if SSL is unavailable. Remediation: orapki wallet add -wallet \ wallet_location -dn user_dn keySize 2048 Audit: orapki wallet display -wallet \ wallet_location Rationale: For Windows Oracle database servers. Remediation: To enable auto login from the Oracle Wallet Manager. Audit: Choose Wallet from the menu bar.10 OAS Certificate Request Key Size Action / Recommended Parameters Request the maximum key size available. SSL will not work unless Auto Login is set. use OAS Integrity/Encryption. 2048 or 4096 are recommended sizes.12 OAS SSL Tab SSL is preferred method. Rationale: Select the largest key size available that is compatible with the network environment. Rationale/Remediation W I n d o w s U n I x Level & Score Status 5. If PKI is not possible. Check Auto Login. Audit: None 2 S 2 S 2 N 57 | P a g e . Item Configuration Item # 5. Check Auto Login. Rationale: OAS Integrity/Encryption should only be used if required because of non-SSL clients. Choose Wallet from the menu bar.11 OAS Server Oracle Wallet Auto Login Oracle Wallet 5. A message at the bottom of the window indicates that auto login is enabled. SSL_DH_anon_WITH_DES_CBC_SHA.14 OAS SSL Cipher Suite Set SSL Cipher Suite.13 OAS SSL Version Action / Recommended Parameters Set SSL version.0 Rationale/Remediation W I n d o w s U n I x Level & Score Status 5. SSL_CIPHER_SUITES = SSL_RSA_WITH_3DES_EDE_CB C_SHA) Rationale: Usage of the most current version of SSL is recommended older versions of the SSL protocol are prone to attack or roll back.0 Audit: grep i SSL_VERSION sqlnet. SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA. The following is for reference. Remediation: SSL_CIPHER_SUITES =( SSL_DH_anon_WITH_3DES_EDE_CBC_SHA.ora 2 S 2 S 58 | P a g e . Do not set this parameter Remediation: SSL_VERSION = 3. SSL_RSA_WITH_3DES_EDE_CBC_SHA. SSL_RSA_WITH_DES_CBC_SHA. SSL_VERSION = 3.ora Rationale: SSL_CIPHER_SUITES are automatically set to FIPS140-2 approved suites by Oracle 11g. SSL_RSA_EXPORT_WITH_DES40_CBC_SHA) Audit: grep i SSL_CIPHER_SUITES sqlnet. Item Configuration Item # 5. Remediation: SSL_SERVER_CERT_DN= \ "cn=dept. Rationale/Remediation W I n d o w s U n I x Level & Score Status 5.ora Rationale: It is preferable to have mutually authenticated SSL connections verifying the identity of both parties.17 OAS Encryption Tab Use OAS encryption only if SSL is not feasible. If client certificates are not supported in the enterprise. then set to FALSE.dc=us. Remediation: None Audit: None 2 S 2 S 2 N 59 | P a g e .dc=acme. Remediation: SSL_CLIENT_AUTHENTICATION=true Audit: grep i SSL_CLIENT_AUTHENTICATION \ sqlnet. If possible use client and server certificates for SSL connections.16 OAS SSL Client Authentication SSL_CLIENT_ AUTHENTICATION=TRUE 5.15 OAS SSL Client DN Match Action / Recommended Parameters Set tnsnames file to include SSL_SERVER_CERT_DN parameter with the distinguished name (DN) of the certificate. Rationale: This will reduce the possibility of certificate masquerading which can lead to man in the middle attacks and compromise the security provided by the SSL protocol.\ dc=com" Audit: grep i SSL_SERVER_CERT_DN tnsnames.cn=OracleContext. Item Configuration Item # 5.ora Rationale: OAS Integrity/Encryption should only be used if required because of non-SSL clients. 18 Encryption Action / Recommended Parameters Where possible. Rationale: 2 By employing a procedure that uses data elements that N change for each record the resulting ciphertext will be unique. Item Configuration Item # 5. Someone knowing the value of one of the records independent of the ciphertext can by inference know the value of other records that display the same ciphertext. The use of RAW or BLOBs prevents this error and preserves the data. Remediation: None Audit: None Rationale: 2 Storing data in CLOB may result in a failure in N decryption if the same number letter symbol set is not used.19 Encryption Use RAW or BLOB for the storage of encrypted data. and encryption are used for a value in a record the resulting ciphertext will be identical. key. Remediation: None Audit: None 60 | P a g e . Rationale/Remediation W I n d o w s U n I x Level & Score Status 5. As an example if the same value. use a procedure that employs a content data element as the encryption key that is unique for each record. Employ wrapping to protect all code used to protect. The column name should be obscure and should not reveal the role of the column. or encrypt keys. If security dictates. Rows should be protected with both VPD and OLS (OLS included VPD) and the keys themselves should be encrypted with a master key. within the limits of N what can be managed. hardware devices can be used for encryption key storage. to ensure the security of the encryption keys. at minimum. Rationale/Remediation W I n d o w s U n I x Level & Score Status Rationale: 2 Assign multiple layers of protection. generate keys for. Item Configuration Item # 5. procedures. Keys. Remediation: Use multiple layers of protection when storing keys with the data in a separate database. and functions should be wrapped.20 Encryption Action / Recommended Parameters If keys are stored in a table with the database. The combination of methods will be dependent on how and where the keys are stored. Audit: None 61 | P a g e . access to the keys should be limited and under the protection of a secure role with fine grain auditing in place for the table. If the keys are managed by an application or generated as computed keys the procedures should be wrapped. use of special characters and non-dictionary words. All package bodies. should follow password selection standards in areas of minimum length. As an example. This means that the master encryption key is never exposed in insecure memory.; Rationale: 2 Where possible use an HSM to store the master keys N for Transparent Data Encryption.21 Encryption Action / Recommended Parameters Revoke the PUBLIC execute privileges from the DBMS_OBFUSCATION_TOOLKIT . but the DBMS_OBFUSCATION_TOOLKIT is still needed for some tasks that are not available in the DBMS_CRYPTO package.; Audit: SELECT TABLE_NAME FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_OBFUSCATION_TOOLKIT'. All encryption and decryption operations that use the master encryption key are performed inside the HSM. Remediation: REVOKE EXECUTE ON DBMS_OBFUSCATION_TOOLKIT TO PUBLIC. By removing public access to the DBMS_OBFUSCATION_TOOLKIT the means to decrypt the data is not available for malicious use. Rationale: 2 S The DBMS_OBFUSCATION_TOOLKIT has been replaced with the DBMS_CRYPTO package.22 Encryption Use HSM for storage of master key. Rationale/Remediation W I n d o w s U n I x Level & Score Status 5.; the generation of a pseudorandom string requires the DBMS_OBFUSCATION_TOOLKIT. Item Configuration Item # 5. Remediation: None Audit: None 62 | P a g e . 23 Encryption Action / Recommended Parameters Tablespace Encryption Rationale/Remediation W I n d o w s U n I x Level & Score Status 5. Item Configuration Item # 5.key Audit: ls al \ $ORACLE_HOME/network/security/radius. Ensure proper permissions are set on $ORACLE_HOME/network/security/radius. Audit: None Rationale: File permissions must be restricted to the owner of the Oracle software and dba group. Remediation: Use tablespace encryption .24 Radiuskey Verify and set permissions on radius.ora SSL_CERT_REVOCATION=requ ired Rationale: When a table contains a large number of columns of PII it can be beneficial to encrypt an entire tablespace rather than columns. Revoked certificates can pose a threat to the integrity of the SSL channel and should not be trusted.key file 5.key Remediation: chmod 440 \ $ORACLE_HOME/network/security/radius. Remediation: SSL_CERT_REVOCATION=required Audit: grep i SSL_CERT_REVOCATION sqlnet.25 sqlnet.ora 2 N 1 S 2 S 63 | P a g e .key Rationale: Ensure revocation is required for checking CRLs for client certificate authentication. ora Action / Recommended Parameters SSL_SERVER_DN_MATCH=yes Rationale/Remediation W I n d o w s U n I x Level & Score Status Rationale: Ensure the DN string of the certificate matches the expected value. Remediation: SSL_SERVER_DN_MATCH=yes Audit: grep i SSL_SERVER_DN_MATCH sqlnet.26 sqlnet. Item Configuration Item # 5.ora 2 S 64 | P a g e . 6. Startup and Shutdown Item Configuration Item # 6.01 Advanced queuing in asynchronous messaging Action / Recommended Parameters Empty queue at shut down of Oracle. Rationale/Remediation W I n d o w s U n I x Level & Score Status 6.02 Cache Cache must be emptied at shut down of Oracle. Rationale: Information in queue may be accessed outside of Oracle and beyond the control of the security parameters. It should be subject to the same security precautions as other tables. Remediation: Empty queues at the shutdown of the Oracle instances. DBMS_AQADM.PURGE_QUEUE_TABLE( queue_table => 'name.obj_qtab', purge_condition => NULL, purge_options => po);; DBMS_AQADM.PURGE_QUEUE_TABLE( queue_table => 'bane.obj_qtab', purge_condition => 'qtview.queue = ''NAME.OBJ_QUEUE''', purge_options => po);; Audit: None Rationale: Information in caches may be accessed outside of Oracle and beyond the controls of the security parameters. Remediation: ALTER SYSTEM FLUSH BUFFER_CACHE;; Audit: None 1 N 1 N 65 | P a g e 7. Backup and Disaster Recovery Item Configuration Item # 7.01 Redo logs Action / Recommended Parameters Mirror Rationale/Remediation W I n d o w s U n I x Level & Score Status 7.02 Control files Multiplex control files to multiple physical disks. Rationale: Redundancy for the redo logs can prevent catastrophic loss in the event of a disk or system failure. Remediation: Mirror on-line redo logs and ensure that more than one group exists. Audit: None Rationale: Redundancy for the control files can prevent catastrophic loss in the event of a single physical drive failure Remediation: Store control files on a RAID or other redundant disk system. Audit: None . 1 N 1 N 66 | P a g e Item Configuration Item # 7.03 Control files Action / Recommended Parameters Mirror Rationale/Remediation W I n d o w s U n I x Level & Score Status 7.04 Archive logs Ensure there is sufficient space for the archive logging process. 7.05 Redo logs Multiplex redo logs to multiple physical disks. Rationale: Mirror the Oracle control files. In the event that the control files become corrupted or a system failure mirroring will help ensure recovery is possible. Remediation: Mirror control files to multiple separate physical partitions. Audit: None Rationale: Without adequate space for the archive logs the system will hang resulting in a denial of service. Remediation: Allocate more disk space to redo log partitions. Audit: None Rationale: Redundancy for the redo logs can prevent catastrophic loss in the event of a single physical drive failure. Remediation: None Audit: None 1 N 1 N 1 N 67 | P a g e Failure to ensure this could cause inability to recover data. Failure to ensure this could cause inability to recover data. File permissions must be restricted to the owner of the Oracle software and the dba group.07 Backup Automated backups should be verified. Item Configuration Item # 7..06 Archive log files Action / Recommended Parameters Backup Rationale/Remediation W I n d o w s U n I x Level & Score Status 7. The archive logs must be secured. Remediation: If archive log mode is used the archive log files must be saved on tape or to a separate disk. The improved RMAN (Recovery Manager) capabilities (i. Audit: None 1 N 1 N 68 | P a g e . leading to data loss.e. Audit: None Rationale: Backups should be verified by performing recoveries to ensure newer automated backups function properly. Rationale: Archived logs contain sensitive information and must be properly handled. Remediation: Backups should be verified by performing recoveries to ensure newer automated backups function properly. leading to data loss. incremental backup process) can be used to facilitate backups and recovery. Remediation: Engage failsafe. Item Configuration Item # 7. Rationale/Remediation W I n d o w s U n I x Level & Score Status Rationale: Failsafe uses the cluster server interface to provide the failover protection previously provided by hardware interfaces. Audit: None 2 N 69 | P a g e .08 Failsafe Action / Recommended Parameters Failsafe must be engaged. This setting may not be applicable for middle tier application accounts that access the database.; Note: It is recommended to create three separate profiles: Application accounts. Remediation: Application accounts must be set for failed_login_attempts=3 Local policy may override the recommended setting. RESOURCE_NAME. and user accounts instead of using the default for all.01 Database Profiles Action / Recommended Parameters failed_login_attempts=3 Rationale/Remediation W I n d o w s U n I x Level & Score Status Rationale: Restricting the number of login attempts will help deter brute force attacks against profiles. system accounts. Create a profile then assign it to a user account. Audit: SELECT PROFILE. Default profile has this setting at 10. Oracle Profile (User) Setup Settings Item Configuration Item # 8. ALTER PROFILE profile_name LIMIT FAILED_LOGIN_ATTEMPTS 3 PASSWORD_LOCK_TIME 1. 8. LIMIT FROM DBA_PROFILES WHERE 1 S 70 | P a g e . 02 Database Profiles Action / Recommended Parameters password_life_time= 90 Rationale/Remediation W I n d o w s U n I x Level & Score Status Rationale: Restricting the password lifetime will help deter brute force attacks against user accounts and refresh passwords. RESOURCE_NAME. LIMIT FROM DBA_PROFILES WHERE 1 S 71 | P a g e . This setting may not be applicable for middle tier application accounts that access the database.; Audit: SELECT PROFILE. Create a profile then assign it to a user account. Local policy may not override the setting. Default profile has a setting of 180 Remediation: ALTER PROFILE profile_name LIMIT password_life_time 90. Item Configuration Item # 8. Create a profile then assign it to a user account.; Audit: SELECT PROFILE. Item Configuration Item # 8. Remediation: ALTER PROFILE profile_name LIMIT password_reuse_max 20. RESOURCE_NAME. Local policy may override the recommended setting. This prevents users from cycling through a few common passwords and helps ensure the integrity and strength of user credentials.03 Database Profiles Action / Recommended Parameters password_reuse_max=20 Rationale/Remediation W I n d o w s U n I x Level & Score Status Rationale: password_reuse_max sets the number of different passwords that must be rotated by the user before the current password can be reused. Default profile has a setting of UNLIMITED. LIMIT FROM DBA_PROFILES WHERE 1 S 72 | P a g e . This setting may not be applicable for middle tier application accounts that access the database. RESOURCE_NAME. Creating a long window before password reuse helps protect from password brute force attacks and helps the strength and integrity of the user credential.05 Database Profiles password_reuse_time= 365 Rationale: password_reuse_time sets the amount of time that must pass before a password can be reused. Create a profile then assign it to a user account. Item Configuration Item # 8.; Audit: SELECT PROFILE. Default profile has this setting as UNLIMITED Remediation: ALTER PROFILE profile_name LIMIT password_reuse_time 365. Remediation: ALTER PROFILE profile_name LIMIT password_lock_time 1. Local policy may not override the setting. RESOURCE_NAME. Local policy may not override the setting. LIMIT FROM DBA_PROFILES WHERE 1 S 1 S 73 | P a g e .04 Database Profiles Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 8. LIMIT FROM DBA_PROFILES WHERE password_lock_time=1 Rationale: password_lock_time specifies the amount of time in days that the account will be locked out if the maximum number of authentication attempts has been reached. This setting may not be applicable for middle tier application accounts that access the database.; Audit: SELECT PROFILE. ; Audit: SELECT USERNAME FROM DBA_USERS WHERE PASSWORD='EXTERNAL'. Item Configuration Item # 8. RESOURCE_NAME.06 Database Profiles Action / Recommended Parameters password_grace_time=3 Rationale/Remediation W I n d o w s U n I x Level & Score Status 8. LIMIT FROM DBA_PROFILES WHERE Rationale: Check and review any user who has . Remediation: ALTER PROFILE profile_name LIMIT password_grace_time 3. This setting may not be applicable for middle tier application accounts that access the database. Do not allow remote OS authentication to the database.; Audit: SELECT PROFILE.07 Database Profiles Review accounts where PASSWORD= 'EXTERNAL' Rationale: password_grace_time specified in days the amount of time that the user is warned to change their password before their password expires. Remediation: ALTER USER <username> IDENTIFIED BY <new_password>. Local policy may not override the setting.; 1 S 2 N 74 | P a g e . make the following changes at the bottom of the utlpwdmg.; 2 S 75 | P a g e . Do not use the verify_function_11G as it sets password settings to the defaults listed above.sql file: PASSWORD_GRACE_TIME 3 PASSWORD_REUSE_TIME 365 PASSWORD_REUSE_MAX 20 FAILED_LOGIN_ATTEMPTS 3 PASSWORD_LOCK_TIME 1 Modify the line: IF length(password) < 4 by changing the minimum password length to 8.08 Database Profiles Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status Rationale: Set password_verify_function Allow password_verification_function to be to a verification function called when passwords are changed. Item Configuration Item # 8. Audit: SELECT PROFILE. Remediation: Oracle provides utlpwdmg.sql which can be used to create a password verification function. This always command at an SQL prompt. RESOURCE_NAME FROM DBA_PROFILES WHERE RESOURCE_NAME='PASSWORD_VERIFY_FUNCTION'. If using this script to create a password verification function. ; 2 S 2 S 76 | P a g e .09 Database Profiles Action / Recommended Parameters Set CPU_PER_SESSION as appropriate Rationale/Remediation W I n d o w s U n I x Level & Score Status 8. Item Configuration Item # 8.; Audit: SELECT PROFILE.; Audit: SELECT PROFILE. Ensure that users profile settings have appropriate values set for the particular database and application. RESOURCE_NAME. LIMIT FROM DBA_PROFILES WHERE . Remediation: ALTER PROFILE profile_name LIMIT PRIVATE_SGA <value>. Ensure that users profile settings have appropriate values set for the particular database and application.10 Database Profiles Set PRIVATE_SGA as appropriate Rationale: Allowing a single application or user to consume excessive CPU resources will result in a denial of service to the Oracle database. Remediation: ALTER PROFILE profile_name LIMIT CPU_PER_SESSION <value>. RESOURCE_NAME. LIMIT FROM DBA_PROFILES .; Rationale: Allowing a single application or user to consume the excessive amounts of the System Global Area will result in a denial of service to the Oracle database. Ensure that users profile settings have appropriate values set for the particular database and application.; Rationale: Allowing an unlimited amount of sessions per user can consume Oracle resources and cause a denial of service. Ensure that users profile settings have appropriate values set for the particular database and application. Remediation: ALTER PROFILE profile_name LIMIT SESSIONS_PER_USER <value>.11 Database Profiles Action / Recommended Parameters Set LOGICAL_READS_ PER_SESSION as appropriate Rationale/Remediation W I n d o w s U n I x Level & Score Status 8. Item Configuration Item # 8.; 2 S 2 S 77 | P a g e .12 Database Profiles Set SESSIONS_PER_USER as appropriate Rationale: Allowing a single application or user to perform excessive amounts of reads to disk will result in a denial of service to the Oracle database. LIMIT FROM DBA_PROFILES . Limit the number of session for each individual user.; Audit: SELECT PROFILE.; Audit: SELECT PROFILE. Remediation: ALTER PROFILE profile_name LIMIT LOGICAL_READS_ PER_SESSION <value>. RESOURCE_NAME. RESOURCE_NAME. LIMIT FROM DBA_PROFILES . 13 Database Profiles Action / Recommended Parameters Set CONNECT_TIME as appropriate Rationale/Remediation W I n d o w s U n I x Level & Score Status Rationale: Sessions held open for excessive periods of time can consume system resources and cause a denial of service for other users of the Oracle database.; 2 N 78 | P a g e . The CONNECT_TIME parameter limits the upper bound on how long a session can be held open. Note: Oracle does not do strict monitoring of connect times and sessions can exceed this time limit by up to a few minutes. Ensure that users profile settings have appropriate values set for the particular database and application. This parameter is specified in minutes. Sessions that have exceeded their connect time are aborted and rolled back. LIMIT FROM DBA_PROFILES . Remediation: ALTER PROFILE profile_name LIMIT CONNECT_TIME <value>. RESOURCE_NAME.; Audit: SELECT PROFILE. Item Configuration Item # 8. LIMIT FROM DBA_PROFILES . Item Configuration Item # 8. Ensure that users profile settings have appropriate values set for the particular database and application. Remediation: ALTER PROFILE profile_name LIMIT IDLE_TIME <value>.14 Database Profiles Action / Recommended Parameters Set IDLE_TIME as appropriate Rationale/Remediation W I n d o w s U n I x Level & Score Status Rationale: Idle sessions held open for excessive periods of time can consume system resources and cause a denial of service for other users of the Oracle database.; 2 N 79 | P a g e . RESOURCE_NAME. Limit the maximum number of minutes a session can idle.; Audit: SELECT PROFILE. ; Audit: SELECT USERNAME. Tables.; Audit: SELECT <USERNAME> FROM DBA_TS_QUOTAS . Remediation: ALTER USER <USER_NAME> QUOTA <VALUE> ON <TABLESPACE_NAME>.01 Tablespaces Do not have default_tablespace set to SYSTEM for user accounts 9. Privileges. Roles and Packages need to be followed for all new users that might be created. Note it may be difficult or impossible to move some objects.; Rationale: Set quotas for developers on shared production/development systems to prevent space resource contentions.02 Tablespaces Ensure application users have not been granted quotas on tablespaces. 9. DEFAULT_TABLESPACE FROM DBA_USERS. and should be the only users granted permissions. Remediation: ALTER USER DEFAULT_TABLESPACE table. Synonyms. This prevents administrative users from altering system objects. W U Level Item Configuration Item Action / Recommended Rationale/Remediation I & n n # Parameters d o w s I x Score Status 9.; 2 S 1 S 80 | P a g e . Application users should be granted quotas on a case by case basis to avoid application failure. By default SYS and DBA have most of these accesses and privileges. Roles. Rationale: Only SYS should have a default tablespace of SYSTEM. Oracle Profile (User) Access Settings Note: Security recommendations for Tablespaces. Views. 04 Tables Prevent access to SYS.AUD$ Rationale: Check for any user that has access to any dictionary object and revoke where possible.03 Any dictionary object Action / Recommended Parameters Review access and revoke access where possible Rationale/Remediation W I n d o w s U n I x Level & Score Status 9. Item Configuration Item # 9.; Audit: SELECT GRANTEE. This is only applicable if the audit trail parameter is set to db or db_extended. Remediation: Review access rights and revoke privileges where possible. Allowing users to alter the AUD$ table can compromise the audit trail or integrity of the Oracle database. Remediation: REVOKE ALL ON SYS. This reduces the overall privileges of the user base and reduces the attack surface of the Oracle database.AUD$ FROM <USER>. Audit: None Rationale: Check for any user accounts that have access and revoke where possible. PRIVILEGE FROM 1 N 2 S 81 | P a g e . ; Rationale: Sensitive user and password data is stored in the LINK$ table.; Audit: SELECT GRANTEE.USER_HISTORY$ Rationale/Remediation W I n d o w s U n I x Level & Score Status 9. Item Configuration Item # 9.USER_HISTROY$ FROM <USER>.LINK$ FROM <USER>. Check for any user that has access and revoke where possible.06 Tables Prevent access to SYS. Non administrative or system users should be prevented from accessing this table. Remediation: REVOKE ALL ON SYS. Remediation: REVOKE ALL ON SYS.LINK$ Rationale: Revoke access to this table from all users and roles except for SYS and DBA accounts.; Audit: SELECT GRANTEE. Allowing users to alter the USER_HISTORY$ table can compromise the audit trail or integrity of the Oracle database. PRIVILEGE FROM DBA_TAB_PRIVS .05 Tables Action / Recommended Parameters Prevent access to SYS.; 1 S 1 S 82 | P a g e . PRIVILEGE FROM DBA_TAB_PRIVS WHERE . PRIVILEGE FROM .; Rationale: Allowing users to alter codes in the SOURCE$ table can compromise the security and integrity of the Oracle database. Check for any user that has access and revoke where possible.SOURCE$ Rationale: Sensitive user and password data is stored in the USER$ table.; Audit: SELECT GRANTEE. Remediation: REVOKE ALL ON SYS.USER$ Rationale/Remediation W I n d o w s U n I x Level & Score Status 9.; 1 S 1 S 83 | P a g e .SOURCE$ FROM <USER> .USER$ FROM <USER>. Check for any user accounts that have access and revoke where possible. Only administrative or system users should have rights to access this table.; Audit: SELECT GRANTEE.08 Tables Prevent access to SYS. Item Configuration Item # 9. PRIVILEGE FROM . Remediation: REVOKE ALL ON SYS.07 Tables Action / Recommended Parameters Prevent access to SYS. Item Configuration Item # 9. Remediation: REVOKE ALL ON PERFSTAT.STATS$SQL_SUMMA RY 1 S 84 | P a g e . TABLE_NAME FROM DBA_TAB_PRIVS WHERE 1 S 9. PRIVILEGE.10 Tables Prevent access to PERFSTAT.09 Tables Action / Recommended Parameters Prevent access to PERFSTAT. SQL_SUMMARY contains the first few lines of the executed SQL statements and can contain sensitive information. TABLE_NAME .STATS$SQLTEXT Rationale/Remediation W I n d o w s U n I x Level & Score Status Rationale: Check for any user that has access and revoke where possible.STATS$SQLTEXT.; Audit: SELECT GRANTEE. PRIVILEGE.; Rationale: Check for any user that has access and revoke where possible.; Audit: SELECT GRANTEE. SQLTEXT stores the full text of SQL statements that have been executed and can contain sensitive information.STATS$SQLSUM. Remediation: REVOKE ALL ON PERFSTAT. Remediation: REVOKE ALL ON DBA_<TABLENAME> FROM <USER>. Remediation: REVOKE ALL ON X$<TABLENAME> FROM <USER>.12 Views Prevent access to any DBA_ views Rationale: X$ tables are kernel tables used by Oracle internals and should not be accessed by users. Item Configuration Item # 9. TABLE_NAME FROM DBA_TAB_PRIVS WHERE TABLE_NAME 1 S 1 S 85 | P a g e .11 Tables Action / Recommended Parameters Prevent access to any X$ table Rationale/Remediation W I n d o w s U n I x Level & Score Status 9.; Audit: SELECT GRANTEE. PRIVILEGE.; Audit: SELECT GRANTEE. Check for any user that has access and revoke where possible. PRIVILEGE. Check for any user that has access and revoke where possible. TABLE_NAME FROM DBA_TAB_PRIVS WHERE TABLE_NAME Rationale: DBA views return information about all objects and should only be accessible by administrators. Check for any user that has access and revoke where possible. PRIVILEGE. Remediation: REVOKE ALL ON ALL_ SOURCE FROM <USER>. Remediation: REVOKE ALL ON TABLE_NAME FROM <USER>. TABLE_NAME FROM DBA_TAB_PRIVS WHERE TABLE_NAME Rationale: ALL_SOURCE contains the text source for all of the user s objects. Check for any user that has access and revoke where possible. PRIVILEGE.13 Views Action / Recommended Parameters Prevent access to any V$ views Rationale/Remediation W I n d o w s U n I x Level & Score Status 9.14 Views Prevent access to ALL_SOURCE Rationale: V$ tables contain sensitive information about Oracle database and should only be accessible by system administrators. Item Configuration Item # 9.; Audit: SELECT GRANTEE. TABLE_NAME FROM DBA_TAB_PRIVS WHERE 1 S 1 S 86 | P a g e .; Audit: SELECT GRANTEE. Remediation: REVOKE ALL ON DBA_SYS_PRIVS FROM <USER>.16 Views Prevent access to DBA_SYS_PRIVS Rationale: Allowing the user to alter the DBA_ROLES can result in privilege escalation or system instability. Restrict access to this view to all users except SYS and DBAs. TABLE_NAME FROM DBA_TAB_PRIVS WHERE Rationale: Allowing a user to access the dba_sys_privs table will show the users privileges for all users in the Oracle database. Remediation: REVOKE ALL ON DBA _ROLES FROM <USER>.; Audit: SELECT GRANTEE. Restrict access to this view to all users except SYS and DBAs. Item Configuration Item # 9. TABLE_NAME FROM DBA_TAB_PRIVS WHERE 1 S 1 S 87 | P a g e .; Audit: SELECT GRANTEE. PRIVILEGE. PRIVILEGE.15 Views Action / Recommended Parameters Prevent access to DBA_ROLES Rationale/Remediation W I n d o w s U n I x Level & Score Status 9. TABLE_NAME FROM DBA_TAB_PRIVS WHERE TABLE_NAME=DBA_ 1 S 1 S 88 | P a g e . TABLE_NAME FROM DBA_TAB_PRIVS WHERE Rationale: Allowing a user to access the dba_tab_privs view will show the table privileges for all users in the Oracle database. PRIVILEGE. Remediation: REVOKE ALL ON DBA_ROLE_PRIVS FROM <USER>. PRIVILEGE. Remediation: REVOKE ALL ON DBA_TAB_PRIVS FROM <USER>. Restrict access to this view to all users except SYS and DBAs. Item Configuration Item # 9.; Audit: SELECT GRANTEE.17 Views Action / Recommended Parameters Prevent access to DBA_ROLE_PRIVS Rationale/Remediation W I n d o w s U n I x Level & Score Status 9.18 Views Prevent access to DBA_TAB_PRIVS Rationale: Allowing a user to access the dba_role_privs view will show the role privileges for all roles in the Oracle database.; Audit: SELECT GRANTEE. Restrict access to this view to all users except SYS and DBAs. 20 Views Prevent access to ROLE_ROLE_PRIVS Rationale: Allowing a user to access the dba_users view will show the role privileges for all users in the Oracle database. Restrict access to this view to all users except SYS and DBAs. TABLE_NAME FROM DBA_TAB_PRIVS ROLE_ROLE_PRIVS.; Audit: SELECT GRANTEE.; 1 S 1 S 89 | P a g e . Remediation: REVOKE ALL ON DBA_USERS FROM <USER>. Remediation: REVOKE ALL ON ROLE_ROLE_PRIVS FROM <USER>. PRIVILEGE. TABLE_NAME FROM DBA_TAB_PRIVS WHERE Rationale: Allowing a user to access the dba_role_privs view will show the role grants for all roles in the Oracle database. Restrict access to this view to all users except SYS and DBAs.; Audit: SELECT GRANTEE. Item Configuration Item # 9.19 Views Action / Recommended Parameters Prevent access to DBA_USERS Rationale/Remediation W I n d o w s U n I x Level & Score Status 9. PRIVILEGE. Item Configuration Item # 9. TABLE_NAME USER_ROLE_PRIVS.; Audit: SELECT GRANTEE. Remediation: REVOKE ALL ON USER_ROLE_PRIVS TO <USER>.; 1 S 1 S 90 | P a g e .; Audit: SELECT GRANTEE.21 Views Action / Recommended Parameters Prevent access to USER_TAB_PRIVS Rationale/Remediation W I n d o w s U n I x Level & Score Status 9. PRIVILEGE. Restrict access to this view to all users except SYS and DBAs. PRIVILEGE. Restrict access to this view to all users except SYS and DBAs.22 Views Prevent access to USER_ROLE_PRIVS Rationale: Allowing a user to access the user_tab_privs view will show the granted table privileges for all users in the Oracle database. TABLE_NAME FROM DBA_TAB_PRIVS WHERE Rationale: Allowing a user to access the user_role_privs view will show the granted role privileges for all users in the Oracle database. Remediation: REVOKE ALL ON USER_TAB_PRIVS FROM <USER>. are removed from the base objects. TABLE_NAME FROM ALL_SYNONYMS WHERE TABLE_NAME Rationale: Granting privileges to synonyms actually grants privileges to the base objects. TABLE_NAME FROM DBA_TAB_PRIVS WHERE TABLE_NAME Rationale: Check for any user that has access and revoke where possible. Remediation: Delete the synonym or revoke the privileges Audit: SELECT SYNONYM_NAME. These roles are SELECT_CATALOG_ROLE. ensure privileges granted to the synonyms.; Audit: SELECT GRANTEE. Item Configuration Item # 9. and RECOVERY_CATALOG_OWNER. ensure that privileges from the base objects are removed when the synonyms are dropped.23 Roles Action / Recommended Parameters Prevent assignment of roles that have _CATALOG_ Rationale/Remediation W I n d o w s U n I x Level & Score Status 9. Audit: None 1 S 1 S 1 N 91 | P a g e . Rationale: Revoke any catalog roles from those roles and users that do not need them. EXECUTE_CATALOG_ROLE. PRIVILEGE. Remediation: If necessary.25 Synonyms When dropping synonyms. if not required. Remediation: REVOKE ALL ON <ROLE> FROM <USER>. DELETE_CATALOG_ROLE.24 Synonyms Prevent access to any V$ synonym 9. ; Rationale: The ANY keyword grants the ability for the user to set privileges for the entire catalogue of objects in the database. Developers may be granted limited system privileges as required on development databases.27 Privileges Prevent granting of privileges that contain the keyword ANY Rationale: All system privileges except for CREATE SESSION must be restricted to DBAs. Item Configuration Item # 9.26 Privileges Action / Recommended Parameters Restrict system privileges Rationale/Remediation W I n d o w s U n I x Level & Score Status 9. application object owner accounts/schemas (locked accounts) and default Oracle accounts. Remediation: REVOKE ALL <PRIVS> FROM <USER>. Remediation: Check for any user or role that has the ANY keyword and revoke this role where possible.; Audit: SELECT * FROM DBA_SYS_PRIVS. Audit: SELECT * FROM DBA_SYS_PRIVILEGES WHERE 1 S 1 S 92 | P a g e . Remediation: REVOKE EXEMPT ACCESS POLICY FROM <USER>. Remediation: REVOKE ALL PRIVILEGES FROM <USER/ROLE> GRANT <SPECIFIC PRIVILEGES> TO <USER/ROLE>.; it gives full access to all tables. views and objects to the user or role it is granted to.; Audit: SELECT * FROM DBA_SYS_PRIVS WHERE PRIVILEGE='EXEMPT ACCESS POLICY'.; Audit: SELECT * FROM DBA_SYS_PRIVS WHERE SELECT * FROM DBA_SYS_PRIVS WHERE Rationale: Revoke this privilege if not necessary.29 Privileges Prevent granting of EXEMPT ACCESS POLICY (EAP) Rationale: The GRANT ALL PRIVILEGES must not be used. The EAP privilege provides access to all rows regardless of Row Level Security assigned to specific rows. Item Configuration Item # 9.; 2 N 1 S 93 | P a g e .28 Privileges Action / Recommended Parameters Prevent granting of all privileges Rationale/Remediation W I n d o w s U n I x Level & Score Status 9. ; 1 S 1 S 94 | P a g e .31 Privileges Prevent granting of privileges that have WITH GRANT Rationale: Check for any user or role that has been granted privileges WITH ADMIN and revoke where possible.; Audit: SELECT * FROM DBA_SYS_PRIVS WHERE Rationale: Check for any user or role that has been granted privileges WITH GRANT and revoke where possible.; Audit: SELECT * FROM DBA_TAB_PRIVS WHERE . Item Configuration Item # 9.30 Privileges Action / Recommended Parameters Prevent granting of privileges that have WITH ADMIN Rationale/Remediation W I n d o w s U n I x Level & Score Status 9.; GRANT <ROLE> TO <USER>. The WITH ADMIN privilege allows a user to grant the same privileges they possess. The WITH GRANT privilege allows a user to grant the same privilege to other users. Remediation: REVOKE <ROLE> FROM <USER>. Remediation: REVOKE GRANT OPTION FOR <PRIV> ON <TABLE> FROM <USER>. tables.32 Privileges Action / Recommended Parameters Prevent granting of privileges that have CREATE Rationale/Remediation W I n d o w s U n I x Level & Score Status 9. and views. Remediation: REVOKE CREATE LIBRARY FROM <USER/ROLE>. Excessive create privileges can allow an attack to create arbitrary objects. The CREATE LIBRARY privilege allows a user to create an object associated with a shared library. Remediation: REVOKE CREATE <PRIV> FROM <USER/ROLE> Audit: SELECT * FROM DBA_SYS_PRIV FROM PRIVILEGE Rationale: Check for any user or role that has this privilege and revoke where possible.33 Privileges Prevent granting of CREATE LIBRARY Rationale: Check for any user that has object creation privileges and revoke where possible.; Audit: SELECT * FROM DBA_SYS_PRIVS WHERE 1 S 1 S 95 | P a g e . Allowing arbitrary library creation can compromise the integrity and security of the Oracle database. Item Configuration Item # 9. Remediation: REVOKE BECOME USER FROM <USER/ROLE> Audit: SELECT * FROM DBA_SYS_PRIVS WHERE 1 S 1 S 1 S 96 | P a g e .; Audit: SELECT * FROM DBA_SYS_PRIVS WHERE Rationale: CREATE PROCEDURE allows a user to create a stored procedure in the database and should be restricted to administrative or development users. Check for any user or role that has this privilege and revoke where possible. Remediation: REVOKE CREATE PROCEDURE FROM <USER/ROLE>.36 Privileges Prevent granting of BECOME USER Rationale: Check for any user or role that has this privilege and revoke where possible.; Audit: SELECT * FROM DBA_SYS_PRIVS WHERE Rationale: BECOME USER allows a user to inherit the rights of another oracle system user and should not be used if possible. Remediation: REVOKE ALTER SYSTEM FROM <USER/ROLE>. Item Configuration Item # 9.34 Privileges Action / Recommended Parameters Prevent granting of ALTER SYSTEM Rationale/Remediation W I n d o w s U n I x Level & Score Status 9. The alter system privilege allows a user to dynamically alter the Oracle instance.35 Privileges Prevent granting of CREATE PROCEDURE 9. Remediation: REVOKE <PRITILEGE> FROM <USER>.; Audit: SELECT * FROM DBA_SYS_PRIVS WHERE Rationale: Grant privileges only to roles Grant privileges only to roles. Remediation: Revoke all individual privileges from users.39 Privileges Prevent granting of SELECT ANY Rationale: Check for any user that has access and revoke where TABLE possible.38 Privileges 9. Item Configuration Item # 9. If application data is sensitive. Audit: None 1 S 1 S 1 N 97 | P a g e . and it is possible. Create a role defining the needed privileges. Grant the role to the users.37 Privileges Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status 9. Do not grant privileges to individual users. revoke this privilege from the DBA accounts as well.; Audit: SELECT * FROM DBA_SYS_PRIVS WHERE Rationale: Prevent granting of AUDIT Review which users have audit system privileges and SYSTEM limit as much as possible to ensure audit commands are not revoked. Remediation: REVOKE SELECT ANY <OBJECT> FROM <USER>. ; Audit: SELECT * FROM DBA_ROLE_PRIVS WHERE Rationale: Revoke the resource role from normal application user accounts. Limit or revoke unnecessary PUBLIC privileges. Remediation: REVOKE PUBLIC FROM <USER/ROLE>.; Audit: SELECT * FROM DBA_ROLE_PRIVS WHERE Rationale: Assigning the DBA role to users provides unnecessary access and control of the Oracle database.42 Roles Prevent assignment of DBA Rationale: Review all privileges granted to PUBLIC. Remediation: REVOKE RESOURCE FROM <USER/ROLE>. REVOKE DBA FROM <USER/ROLE> Audit: SELECT * FROM DBA_ROLE_PRIVS WHERE 1 S 1 S 1 S 98 | P a g e . Item Configuration Item # 9.40 Privileges Action / Recommended Parameters Review privileges granted to PUBLIC Rationale/Remediation W I n d o w s U n I x Level & Score Status 9.41 Roles Prevent assignment of RESOURCE 9. Remediation: Revoke DBA role from users who do not require it. TABLE_NAME FROM Rationale: Review the ACL for usage of the UTL_HTTP package. Remediation: REVOKE EXECUTE ON UTL_HTTP FROM PUBLIC. TABLE_NAME FROM DBA_TAB_PRIVS WHERE 1 S 1 S 9. Item Configuration Item # 9.; Audit: SELECT GRANTEE.; Audit: SELECT GRANTEE. Revoke the public execute privilege on UTL_FILE as it can be used to access O/S. Remediation: REVOKE EXECUTE ON UTL_FILE FROM PUBLIC. Revoke the public execute privilege on UTL_HTTP as it can write content to a web browser. Remediation: REVOKE EXECUTE ON UTL_TCP FROM PUBLIC. TABLE_NAME FROM DBA_TAB_PRIVS WHERE Rationale: Review the ACL for usage of the UTL_TCP package.45 Packages ACL or Deny access to UTL_HTTP 1 S 99 | P a g e .; Audit: SELECT GRANTEE.43 Packages Action / Recommended Parameters ACL or Deny access to UTL_FILE Rationale/Remediation W I n d o w s U n I x Level & Score Status 9.44 Packages ACL or Deny access to UTL_TCP Rationale: Review the ACL for usage of the UTL_FILE package. Revoke the public execute privilege on UTL_TCP as it can write and read sockets. 47 Packages Deny access to DBMS_LOB Rationale: Review the ACL for usage of the UTL_SMTP packageRevoke the public execute privilege on UTL_SMTP as it can send mail from the database server. Item Configuration Item # 9. This procedure allows the manipulation of large objects and BFILE file read access.; Audit: SELECT GRANTEE. Remediation: REVOKE EXECUTE ON UTL_SMTP FROM PUBLIC. TABLE_NAME FROM DBA_TAB_PRIVS WHERE 1 S 1 S 100 | P a g e . Remediation: REVOKE EXECUTE ON DBMS_LOB FROM PUBLIC. If not required its usage should be revoked.46 Packages Action / Recommended Parameters ACL or Deny access to UTL_SMTP Rationale/Remediation W I n d o w s U n I x Level & Score Status 9.; Audit: SELECT GRANTEE. TABLE_NAME FROM DBA_TAB_PRIVS WHERE Rationale Revoke the public execute privilege. Item Configuration Item # 9. Remediation: REVOKE EXECUTE ON DBMS_SQL FROM PUBLIC. TABLE_NAME FROM DBA_TAB_PRIVS WHERE 1 S 1 S 101 | P a g e .; Audit: SELECT GRANTEE. TABLE_NAME FROM DBA_TAB_PRIVS WHERE Rationale Revoke the public execute privilege. If public permissions are granted on DBMS_SYS_SQL a user can acquire an administrative cursor and act with DBA permissions.49 Packages Deny access to DBMS_JOB Rationale Revoke the public execute privilege.; Audit: SELECT GRANTEE. DBMS_JOB is a backwards compatible job scheduler for Oracle. If no longer required its usage should be disabled to reduce Remediation: REVOKE EXECUTE ON DBMS_JOB TO PUBLIC.48 Packages Action / Recommended Parameters Deny access to DBMS_SYS_SQL Rationale/Remediation W I n d o w s U n I x Level & Score Status 9. Remediation: ALTER USER JOHN_SMITH DEFAULT ROLE ALL EXCEPT X.; GRANT CREATE SESSION TO <USER>. Item Configuration Item # 9.; Audit: None 1 S 1 N 102 | P a g e . Rationale/Remediation W I n d o w s U n I x Level & Score Status 9.; Audit: SELECT * FROM DBA_ROLE_PRIVS WHERE SELECT * FROM DBA_TAB_PRIVS WHERE SELECT * FROM DBA_SYS_PRIVS WHERE Rationale If application roles have been granted to user then these roles need to be prevented from being enabled by default on the subsequent logins.50 Proxy Authentication Action / Recommended Parameters Limit the user schema privileges to CREATE SESSION only. Rationale The proxy account should only have the ability to connect to the database.51 Proxy role Restrict the roles that can be enabled when privileges are granted in the database. No other privileges should be granted to this account. Remediation: REVOKE ALL ON <USER>. ensure roles and privileges created by that user.e.52 Views Action / Recommended Parameters Revoke public access to all public views that start with ALL_ Rationale/Remediation W I n d o w s U n I x Level & Score Status Rationale Revoke access to these views when possible to prevent unauthorized access to data that could be sensitive. are deleted. are deleted. if not required. ensure that the roles and privileges created by that user. Remediation: REVOKE ALL ON ALL_<NAME> FROM PUBLIC.53 Roles and Privileges When dropping a user.; Audit: SELECT TABLE_NAME FROM DBA_TAB_PRIVS Rationale Dropping a user (i.. if not required. Note: This may interfere with some applications. Item Configuration Item # 9. Audit: None 2 S 9. 2 N 103 | P a g e . DROP USER X CASCADE) Remediation: If a user is dropped. ; Audit: SELECT GRANTEE FROM DBA_TAB_PRIVS WHERE Rationale Audit the DBMS_RANDOM function in applications for improper usage. accessing devices. and deleting files.55 Packages Audit usage of DBMS_RANDOM Rationale Provides file system functions such as copying files. Item Configuration Item # 9. Remediation: REVOKE EXECUTE ON DBMS_RANDOM TO PUBLIC. Replace calls to these functions with RANDOMBYTES.; REVOKE EXECUTE ON DBMS_BACKUP_RESTORE TO <USER>.54 Packages Action / Recommended Parameters Limit or deny access to DBMS_BACKUP_RESTORE Rationale/Remediation W I n d o w s U n I x Level & Score Status 9. altering control files. Revoking the public privilege may cause some applications to fail it is suggested that if the public execute permission cannot be revoked the applications that utilize DBMS_RANDOM are carefully audited. session id generation or other areas where a high degree of entropy is required. DBMS_RANDOM should not be used for critical functions related to cryptography. Remediation: REVOKE EXECUTE ON DBMS_BACKUP_RESTORE TO PUBLIC.; Audit: SELECT GRANTEE FROM DBA_TAB_PRIVS WHERE R 2 S 104 | P a g e . ; Audit: SELECT * FROM DBA_ROLES.56 Roles Action / Recommended Parameters Password protect roles Rationale/Remediation W I n d o w s U n I x Level & Score Status Rationale Role passwords are useful when an application controls whether or not a role is turned on. Remediation: SET ROLE <ROLE_NAME> IDENTIFIED BY <ROLE_PASSWORD>.; 2 S 105 | P a g e . Item Configuration Item # 9. This prevents a user directly accessing the database via SQL (rather than through the application) from being able to enable the privileges associated with the role. Enterprise Manager / Grid Control / Agents Item # 10. Remediation: Create a monitor to track the size of file uploads from the enterprise agent. 10.02 Enterprise Manager Agent File uploads Monitor the size of file uploads from the enterprise agent./emctl status agent command containing information regarding the agents uploading files: Total Megabytes of XML files uploaded so far : Number of XML files pending upload: Size of XML files pending upload(MB): Discovering unusual or increased size of file uploads could indicate a malicious agent. Remediation: Limit access to the Oracle Enterprise Management studio. Rationale/Remediation W I n d o w s U n I x Level & Score Status Enterprise Management studio mode 10. Audit: None Rationale: The following lines are some of the output from the . Audit: None 1 N 1 N 106 | P a g e .01 Configuration Item Action / Recommended Parameters Access to the enterprise management in studio must be limited. Rationale: Without limitations on the enterprise management access to the remote agents is virtually unlimited. Item # 10. $IAS_HOME/sysman/config/ emoms. i.properties 1 N 1 S 107 | P a g e . browser..maxIna file and set the value to 30 ctiveTime=time_in_minute s Audit: grep i maxInactiveTime \ $IAS_HOME/sysman/config/emoms. Audit: None Rationale: Configure an appropriate value for Grid Control Timeout value in To prevent unauthorized access to the Grid Control via the Oracle Application Server.sysman.e. A value of 30 minutes or less is recommended. utilize Enterprise Manager Framework Security Functionality.properties Remediation: Edit the $IAS_HOME/sysman/config/emoms. Remediation: Enable HTTPS between management agents and management services.properties Value: oracle. The default is 45 File: minutes.04 Grid Control TimeOut Value Rationale: Enterprise Manager Framework security employs secure communication between the various Enterprise Manager Components.eml. Rationale/Remediation W I n d o w s U n I x Level & Score Status Enterprise Manager Framework Security 10.03 Configuration Item Action / Recommended Parameters Where possible. set an appropriate timeout value. Some Unix shells. Remediation: For Unix systems. Audit: None 1 N 2 N 108 | P a g e . This will isolate the Agent from the rest of the Oracle server in the event that is compromised. Separate accounts are not recommended for Windows environments. avoid using commands that contain passwords in the arguments. Item # 10. Remediation: In command line mode.06 Oracle Installation Separate user account for Management/Intelligent Agent Rationale: While registering an agent to utilize the enterprise manager framework security. This may be another exposure. Audit: None Rationale: The agent database accounts must be separated. Rationale/Remediation W I n d o w s U n I x Level & Score Status Enterprise Manager Framework Security 10. log command history as well. create a unique user account for the management/Intelligent Agent process in order to differentiate accountability and file access controls. The command can be captured by other users with access to Unix (via ps) command or can be prone to shoulder surfing. avoid using sensitive command line arguments for emctl.05 Configuration Item Action / Recommended Parameters In command line mode. avoid using commands that contain passwords in the arguments. like bash. Audit: None Rationale: Automated Memory Manager (AMM).01 Configuration Item Action / Recommended Parameters Verify ADDM suggestions Rationale/Remediation W I n d o w s U n I x Level & Score Status ADDM 11. Specific Systems Item # 11. should not blindly replace the DBA's knowledge. 11.02 AMM Monitor AMM Rationale: Automatic Database Diagnostic Monitor (ADDM). should not blindly replace the DBA's knowledge. Remediation: DBA's should verify the applicability of ADDM suggestions based on their knowledge of the database. Audit: None 1 N 1 N 109 | P a g e . Remediation: DBA's should monitor AMM to ensure memory is being properly allocated. Rationale/Remediation W I n d o w s U n I x Level & Score Status AWR 11. update. session history. Rationale: Automatic Workload repository (AWR) is central to the whole framework of self and automatic management. This can provide an additional layer of access control to objects by limiting the access (select. insert. Trends analysis can be done with AWR data. SQL statement efficiency. maintain. Remediation: Implement AWR to record all database performance statistics (related to object usage. SQL statement efficiency. Audit: None Rationale: Fine grained access control can provide both column and row level security. It works with internal Oracle database components to process.03 Configuration Item Action / Recommended Parameters Implement AWR to record all database performance statistics (related to object usage. Item # 11. delete) within the object and should be used wherever possible. etc) over a defined time period. or scripts. Remediation: Evaluate sensitive areas of the Oracle database and enable fine grain access control . For fine grained access to function properly. Queries that overtax the system could be a security threat. use the cost-based optimizer.04 Fine grained access Use fine grain access control within objects. routines. session history. Audit: None 1 N 2 N 110 | P a g e . and access performance statistics for problem detection and self-tuning. The statistics are available to external users or performance monitoring tools. etc) over a defined time period. Remediation: Assign an administrator or DBA to review the log files. Periodically review logs for errors. General Policy and Procedures Item # 12. Remediation: Do not install Oracle on an Internet facing server migrate internet facing oracle servers to a backend or protected environment.01 Oracle alert log file Review contents Rationale: Oracle must only be installed on a backend system behind appropriate firewalling or other network protection systems. large numbers or exotic errors can be an indicator of a system under attack. Audit: None Rationale: The Oracle alert log file must be regularly reviewed for errors. Audit: None 1 N 1 N 111 | P a g e .00 Configuration Item Action / Recommended Parameters Do not install Oracle on an Internet facing server. Rationale/Remediation W I n d o w s U n I x Level & Score Status Oracle Installation 12. 12. Remediation: Delete the scripts from the database host. Audit: cat /etc/group 1 N 1 N 1 N 112 | P a g e . Remediation: Edit /etc/group remove the oracle_account from the root group Audit: grep oracle_account /etc/group Rationale: Review the membership of the DBA group on the host to ensure that only authorized accounts are included. This must be limited to users who require DBA access. After the database has been created. Having the Oracle account part of the root group breaks privilege separation and best security practices. Item # 12.03 Unix root group members on host of root group 12. Remediation: Remove unnecessary users from the DBA group. remove the scripts or at a minimum move them to a safe repository area.02 Configuration Item Action / Recommended Parameters Remove or secure Rationale/Remediation W I n d o w s U n I x Level & Score Status Database creation scripts on host 12. Audit: None Rationale: The Oracle software owner account must not be a member of the root group on Unix systems.04 Oracle DBA group membership on host Review Rationale: System creation scripts can provide an attacker with valuable information about the Oracle setup or instance and often contain errors. Audit: None Rationale: An enforced policy must exist to ensure that no cron jobs have sensitive information such as database username and passwords. A privileged process must be used to get and decrypt encrypted passwords.06 Sensitive information in Avoid or encrypt cron jobs on host Rationale: Revealing username and password information in the process list will give anyone able to perform a process listing a valid set of user credentials for the Oracle database. Audit: None 1 N 1 N 113 | P a g e . Remediation: Encrypt passwords used in cron on batch jobs.05 Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status Sensitive information in Avoid or encrypt process list on host 12. A privileged process must be used to get and decrypt encrypted passwords. Remediation: An enforced policy must exist to ensure that no scripts are running that display sensitive information in the process list such as the Oracle username and password. Item # 12. 08 Sensitive information in Avoid or encrypt environment variables on host Rationale: An enforced policy must exist to ensure that no at jobs (or jobs in Windows scheduler) have sensitive information such as database username and passwords. Audit: None Rationale: An enforced policy must exist to ensure that no users have unencrypted sensitive information such as database username and passwords set in environment variables. Remediation: Encrypt password used for scheduled jobs and scripts. Audit: None 1 N 1 N 114 | P a g e . Remediation: Do not store sensitive password in environment variables on the host. Item # 12.07 Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status Sensitive information in Avoid or encrypt at jobs (or jobs in Windows scheduler) on host 12. A privileged process must be used to get and decrypt encrypted passwords. A privileged process must be used to get and decrypt encrypted passwords. Remediation: Only put database files on file systems exclusively used by Oracle.09 Configuration Item Action / Recommended Parameters Rationale/Remediation W I n d o w s U n I x Level & Score Status Sensitive information in Avoid or encrypt batch files on host 12. Audit: None 1 N 1 S 1 S 115 | P a g e . Remediation: Do not store sensitive passwords in batch scripts on the host.11 File systems Separate Oracle files from non- Oracle files Rationale: An enforced policy must exist to ensure that no batch files have sensitive information such as database usernames and passwords. redo logs. data files. Remediation: Split the location of the Oracle software distribution. Oracle files must not be on the same partition as the operating system.10 Oracle file locations Separate for performance 12. and index files are not properly distributed a single disk failure will cause an Oracle outage and make recovery difficult. Item # 12. data. and indexes onto separate disks and controllers for resilience. Audit: None Rationale: If the redo. A privileged process must be used to get and decrypt encrypted passwords. Audit: None Rationale: Isolating the Oracle files onto a separate partition enables easier privilege and permissions management. Store the checksum results upon creation and update of the stored procedure.12 Configuration Item Action / Recommended Parameters Implement Rationale/Remediation W I n d o w s U n I x Level & Score Status Optimal Flexible Architecture 12.psql Audit: sha1sum pl_file.psql 1 N 1 N 116 | P a g e . periodically check for alterations. Remediation: sha1sum pl_file. Item # 12. Audit: None Rationale: Maliciously altered stored procedures can compromise Oracle or system security and can go undetected if not properly audited.13 Checksum PL/SQL code Implement Rationale: Systems that are flexible and easy to understand reduce administration complexity and increase overall manageability and security. Remediation: Follow the Oracle Optimal Flexible Architecture guidelines to provide for consistency and ease of administration. data warehouses.15 Ad-hoc queries on production databases Avoid Rationale: Maliciously altered objects can compromise Oracle or system security and can go undetected if not properly audited. This recommendation may not be suitable for all environments. reload. for example. Test all queries and provide an application interface for exercising queries on production databases. Audit: None Rationale: Ad-hoc queries are a direct vector for creating denial of service conditions and possible exploitation of the Oracle database. Item # 12. Remediation: Store the results of the time stamps of the creation. Audit: None 1 N 1 N 117 | P a g e . Remediation: Disallow ad-hoc queries on production databases. and compilation of database objects and review the results regularly to ensure no unauthorized changes have occurred.14 Configuration Item Action / Recommended Parameters Monitor Rationale/Remediation W I n d o w s U n I x Level & Score Status All database objects 12. Audit: None Rationale: Allowing unauthorized application access will result in information theft and possible remote compromise of the Oracle database. In a cluster environment (RAC or OPS) RSH and RCP are required between the nodes for the Oracle software owner.17 Applications with database access Review Rationale: All remote access from users and administrators to the Oracle host must be encrypted. Remediation: If remote shell access is required. the access must be restricted by user and host. Audit: None 1 N 1 N 118 | P a g e . Item # 12.16 Configuration Item Action / Recommended Parameters Encrypt session Rationale/Remediation W I n d o w s U n I x Level & Score Status Remote shell access on host 12. use SSH or a VPN solution to ensure that session traffic is encrypted. In the case of a cluster environment. An attacker on the local network can sniff or intercept unencrypted sessions. Remediation: Review and control which applications access the database. Audit: None 1 N 1 N 119 | P a g e .18 Configuration Item Action / Recommended Parameters Separate server from production database Rationale/Remediation W I n d o w s U n I x Level & Score Status Location of development database 12. Test environments generally have lax security and mirror production systems. and security best practices require production and test environments to be separate. Audit: None Rationale: Regulatory. place production databases on a different network segment from test and development databases. Item # 12. Remediation: Test and development databases must not be located on the same server as the production system.19 Network location of production and development databases Separate Rationale: Regulatory. and security best practices require production and test environments to be separate. compliance. Remediation: If possible. Test environments generally have lax security and mirror production systems. These can provide a staging point or attack vector for a malicious user if hosted in a single network. These can provide a staging point or attack vector for a malicious user if hosted in a single environment. compliance. 21 Access to production databases Avoid access from development or test databases 12. and security best practices. Audit: None 1 N 1 N 1 N 120 | P a g e . Item # 12. Remediation: Database access from development and test databases to production databases must be prohibited. Audit: None Rationale: Developers must not have direct access to production databases. Remediation: Remove login or authentication means for direct developer access. Production and test database should remain separate then synced when necessary. Remediation: Check for evidence of development occurring on production databases.22 Developer access to production databases Disallow Rationale: Development of applications on production databases violates security best practices and leaves debugging and other information useful to an attacker on the production host.20 Configuration Item Action / Recommended Parameters Prevent development on production databases Rationale/Remediation W I n d o w s U n I x Level & Score Status Monitor for development on production databases 12. Allowing developers direct access to production databases violates regulator. compliance. Audit: None Rationale: Allowing a user to alter a production database from a development or test environment creates a vector for an attacker. Remediation: userdel <account> Audit: cat /etc/passwd Rationale: If test or development databases are created from backups or exports of the production system. Item # 12. Remediation: Maintain separate user accounts for test and production databases and hosts.25 Databases created from production systems Remove sensitive data Rationale: Remove any developer accounts that exist in the production database.24 Databases created from production exports Change passwords 12. Audit: None Rationale: If test or development databases are created from backups or exports of the production system. Audit: None 1 N 1 N 1 N 121 | P a g e . or other sensitive data. all passwords must be changed before granting access to developers or testers.23 Configuration Item Action / Recommended Parameters Remove developer accounts Rationale/Remediation W I n d o w s U n I x Level & Score Status Developer accounts on production databases 12. Clear tables that contain PII. password hashes. Remediation: Remove all sensitive data from production hosts before granting access to tester and developers. all sensitive data (such as payroll information) must be removed before granting access to developers or testers. 28 Disaster recovery procedures Review Rationale: Create and regularly review procedures for account management. This must include the creation of new user accounts. Remediation: Adoption of a change management system. Item # 12. and handling of dormant or inactive accounts. Remediation: Review the disaster recovery procedures.27 Change Control Document and enforce change control procedures 12.26 Configuration Item Action / Recommended Parameters Document and enforce account management procedures Rationale/Remediation W I n d o w s U n I x Level & Score Status Account Management 12. Remediation: Document the system of controls and checks that surround management procedures. moving a user to a new group or role. Audit: None Rationale: Disaster recovery procedures must be fully documented and regularly tested. Audit: None Rationale: Create and regularly review procedures for new applications that access the database and change control management procedures for releasing development code into production. Utilization of ticketing system or other Change management system will help facilitate this process. Audit: None 1 N 1 N 1 N 122 | P a g e . Monitor the addition of new users and access rights. 31 Screen saver Set screen saver/lock with password protection of 15 minutes. Audit: None 1 N 1 N 1 N 123 | P a g e .29 Configuration Item Action / Recommended Parameters Eliminate Rationale/Remediation W I n d o w s U n I x Level & Score Status Backdoors 12. Audit: None Rationale: Desktop screens left unlocked create a vector for attacker to take control of the access granted to the user. and IP addresses to newsgroups and mailing lists must not be allowed. 15 minutes must be set as the standard. Rationale: Tight change control management procedures and checksums of the source code can help prevent backdoors into the database.30 Public dissemination of database information Disallow 12. Remediation: The posting of database information such as SIDs. Remediation: Review or audit source code both in development and deployed to production systems. Remediation: If an organizational policy does not exist. Audit: None Rationale: Exposing internal configuration information gives an attacker a list of targets and vectors into the Oracle environment. hostnames. Item # 12. ora Audit: None Rationale: Excessive or exotic errors may be an indicator of a system or database under attack. Proper log auditing and review is a must to maintain system integrity.ora when distributing to clients Rationale/Remediation W I n d o w s U n I x Level & Score Status Distribution of tnsnames. ensure that only necessary entries are included in the file when distributing to clients.34 Access to database objects by a fixed user link Disallow Rationale: If clients connect to the database using tnsnames.33 Event and System Logs Monitor 12. Providing additional information about database configuration provides a list of hosts and instances to target and violates security best practices.ora files to clients 12. Remediation: Remove username and password Audit: None 1 N 1 N 1 N 124 | P a g e . Remediation: Remove entries from tnsnames. Remediation: Windows Event Logs and Unix System logs must be regularly monitored for errors related to the Oracle database. Item # 12.32 Configuration Item Action / Recommended Parameters Include only necessary tnsnames.ora files. Anyone with permissions or rights to view the hard coded username or password exposes that account to unnecessary risk. Audit: None Rationale: Fixed user database links that have a hard coded username and password must be avoided. 35 Configuration Item Action / Recommended Parameters Oracle software owner account name NOT Rationale/Remediation W I n d o w s U n I x Level & Score Status Oracle Installation 12. The requirement for the Management/Intelligent Agent process is listed in section 10 of this document. the Oracle http server. and the database process accounts must be separate.36 Oracle Installation Separate users for different components of Oracle Rationale: Do not name the Oracle software owner account and used in many automated attacks and brute forcing tools. Audit: None 2 S 2 N 125 | P a g e . Item # 12. In the event that an Oracle service is compromised privilege separating each service will help reduce the damage an attacker can perform. The listener. Remediation: For Unix systems. create unique user accounts for each Oracle process/service in order to differentiate accountability and file access controls. Separate accounts are not recommended for Windows environments. Remediation: Upon oracle installation create a separate user account with the username other than Oracle. Audit: None Rationale: Properly privilege separate user accounts associated with each Oracle service. 37 Configuration Item Action / Recommended Parameters Create processes to alert Rationale/Remediation W I n d o w s U n I x Level & Score Status Alerts on high priority incidents 12. Item # 12. OAS solutions include IPSec and mutually authenticated SSL. Audit: None Rationale: Traffic sent unencrypted across a network can be monitored and intercepted Remediation: If appropriate to the environment. Audit: None 2 N 2 N 2 N 126 | P a g e . do not use the Intelligent Agent. implement Oracle Advanced Security to encrypt all traffic between the client and server. Remediation: If the database server is accessible via the Internet. Remediation: Create processes to monitor and alert on high priority incidents. Audit: None Rationale: Intelligent agents provide a direct management interface to the Oracle database.39 Network Implement if appropriate Rationale: Monitoring high priority incidents will help in the event of a security incident. This may not be practical for OEM or SNMP monitored databases.38 Intelligent agent Do not use 12. 42 Decommissioned applications Remove all components Rationale: The wrap program provided by Oracle encodes the PL/SQL source code but does not encrypt it. Remediation: Ensure that all associated binaries. Remediation: Encrypt the PL/SQL code. Audit: None Rationale: Failure to remove all privileges once an application has been removed from an Oracle database widens the attack surface and can provide unmonitored access for an attacker. Item # 12. passwords.40 Configuration Item Action / Recommended Parameters Encrypt Rationale/Remediation W I n d o w s U n I x Level & Score Status Application PL/SQL code 12. Remediation: Avoid hardcoded data in code. Audit: None 2 N 2 N 2 N 127 | P a g e . Strip all sensitive information from PL/SQL code before storage into a repository. PL/SQL code is often viewable by many users of the Oracle system and stored in code repositories.41 Hard coded data in PL/SQL and application source code Avoid or encrypt 12. and access rights are removed when applications are decommissioned. batch process. do not rely on the wrap functionality to protect highly sensitive information. or other critical data in the PL/SQL code. users. Use a secure data storage mechanism. Audit: None Rationale: Do not use unencrypted hard coded usernames. 45 Enabling of batch process account Time enabled Rationale: Applications must not alter the database schema.44 Host and Application Monitoring Software. Remediation: Only allow updates of the database schema though a DBA or approved change management system. Remediation: The account that is used to run batch processes must be enabled only during the time that the batch processes run. This includes operations management consolidation suites. Review 12.43 Configuration Item Action / Recommended Parameters Disallow Rationale/Remediation W I n d o w s U n I x Level & Score Status DDL statements in application 12. Audit: None Rationale: Allowing the batch account to remain active widens the system attack surface and may lead to unauthorized access of the Oracle database. Audit: None Rationale: Any remote access to the database host must be controlled by an application level firewall. Item # 12. Audit: None 2 N 2 N 2 N 128 | P a g e . Remediation: Block unnecessary ports used for monitoring and remote interfaces to the Database. 46 Configuration Item Action / Recommended Parameters Secure Rationale/Remediation W I n d o w s U n I x Level & Score Status Passwords for batch processes 12. Remediation: Remove passwords from batch files and scripts. Audit: None 2 N 2 N 2 N 129 | P a g e .48 User permissions Review Rationale: Passwords for batch processes must not be a command line parameter or an environment variable. Item # 12. Remediation: Restrict test development databases. Audit: None Rationale: Review and test development databases for users with excess permissions not granted in production.; ensure that passwords are not set as environment variables. Audit: None Rationale: External accounts used for batch processes allow a simple way to access the database.47 External account access for batch processes Disallow 12. Remediation: Forbid the usage of batch process to access the Oracle database. 51 Remote Administration of Listener Use encryption if remote administration is required. Remediation: Use a host based Intrusion Detection System on the server hosting the Oracle database.49 Configuration Item Action / Recommended Parameters Review Rationale/Remediation W I n d o w s U n I x Level & Score Status Procedures for backup tape retrieval 12. set the SSL protocol as the first protocol in listener.ora. Item # 12. Remediation: Ensure the procedures for backup tape retrieval are documented and are adequate to prevent social engineering attacks to steal data. configure the listener to have a TCPS (SSL) port.g.IPC) Audit: None 2 N 2 N 2 N 130 | P a g e . Remediation: SECURE_CONTROL_listener_name=(TCPS. Rationale: Loss of a tape can compromise other measures taken to protect database information. Audit: None Rationale: A host based intrusion detection system provides another layer of defense for the Oracle server.50 Intrusion detection system on host Utilize 12. Audit: None Rationale: If remote administration of a listener via the listener utility is required. e. no administration through SSH or MS Terminal Server.. If the listener is configured to use multiple protocols. If SSL is not possible.53 Policy Caching Policy caches must be purged. Item # 12. use OAS native encryption/integrity with a host firewall. Audit: None Rationale: Policy caches can potentially store information that could be used to compromise the database and may accessible outside of Oracle and beyond the control of the security parameters. Audit: None 2 N 2 N 131 | P a g e . SSL or OAS . Protect the administrative listener with IPSec ESP. and a host firewall.. otherwise SSL and host-based firewall. Preference of implementation is IPSec ESP. protected by IPSec. Remediation: Purge policy caches. Protect the administrative listener with IPSec ESP or OAS SSL and a host-based firewall. Remediation: Create separate listeners for clients and administration. could allow administrators access to the server if the client listener(s) fail. Access must be limited to specific administrative workstations. Hence this can defeat row level security.. Rationale/Remediation W I n d o w s U n I x Level & Score Status Multiple listeners 12.52 Configuration Item Action / Recommended Parameters Create separate listeners for clients and administration. Rationale: An administrative listener. 12. Audit: None Rationale: Whenever utilizing silent installs. Rationale/Remediation W I n d o w s U n I x Level & Score Status Policy Functions 12. Remediation: Users should not have EXECUTE. alter or drop privileges on policy functions. Remediation: Connections between Data Guard servers should be authenticated using SSL certificates Audit: None 2 N 2 N 2 N 132 | P a g e . Oracle Installer. Remediation: Remove all passwords post installation. Audit: None Rationale: Strong authentication using certificates provides both security and identification of endpoints for the DataGuard service. Item # 12. ensure configuration files do not contain password values after the installation completes.54 Configuration Item Action / Recommended Parameters Users should not have execute.e. ALTER or DROP privileges on policy functions.56 DataGuard Auth Authenticate Data Guard with SSL Certificates Rationale: The ability to manipulate policy functions could be used to defeat row level security.55 Passwords Remove password parameters from configuration files utilized for Silent Installations. i.. Not sanitizing packages may result in leaking of sensitive information to Oracle. Audit: None Rationale: Connections sent across the network unencrypted can be monitored and intercepted exposing sensitive information. Remediation: If possible configure Data Guard for Maximum Protection to ensure that zero data loss occurs if a primary database fails. Remediation: Ensure the minimal amount of sensitive information is sent to Oracle and destroy Incident Packages after submission. Item # 12.57 Configuration Item Action / Recommended Parameters Select Maximum Protection Rationale/Remediation W I n d o w s U n I x Level & Score Status Data Guard Mode 12.59 Incident Packages Ensure Incident Packages are destroyed or properly protected after upload to Oracle. Audit: None Rationale: Sensitive information may be contained in incident packages. Audit: None 2 N 2 N 2 N 133 | P a g e . Rationale: Loss of data can result in the loss of system integrity or audit trails. Remediation: Connections for Redo services should be authenticated using SSL certificates. Setting Data Guard to maximum mode ensures no information is lost in the event of a failure.58 Data Guard Redo Authenticate Redo Transport Services using SSL Certificates 12. they should be dropped.01 Auditing 13.02 Auditing Trap autonomous transactions Rationale: Leaving additional schemas in the database can provide an attacker with additional details about the currently used Oracle system or contain sensitive information. After verification. 13. Remediation: Unused schemas should be first audited to ensure that they are in fact unused. Remediation: None Audit: None 2 N 2 N 134 | P a g e . Auditing Policy and Procedures Item # Configuration Item Action / Recommended Parameters Unused schemas should be dropped Rationale/Remediation W I n d o w s U n I x Level & Score Status 13. Audit: None Rationale: This will ensure that audit captures actions performed by users even if they are later rolled back. AUDIT SELECT ON TABLE WHENEVER NOT SUCCESSFUL Audit: SELECT * FROM DBA_OBJ_AUDIT_OPTS WHERE 2 S 2 S 135 | P a g e . Item # Configuration Item Action / Recommended Parameters Audit all logons and logoffs. Audit by ACCESS WHENEVER NOT SUCCESSFUL. Rationale: Auditing by SESSION will only show a single audit event for an attempt. By logging unsuccessful attempts any SQL statement attempting to access the table will be recorded. SUCCESS. Rationale/Remediation W I n d o w s U n I x Level & Score Status 13. This could provide a record of unauthorized attempts to access sensitive data.03 Auditing 13. Remediation: Ex. Rationale: Auditing logon and logoff events may provide additional information for isolating the cause of security incidents. FAILURE FROM DBA_PRIV_AUDIT_OPTS WHERE Note: This is audited by default when default security settings are enabled.04 Auditing Audit for unsuccessful attempts. Remediation: AUDIT CREATE SESSION Audit: SELECT USER_NAME. ; Audit: SELECT policy_name FROM DBA_AUDIT_POLICIES. a procedure could perform an action such as sending an e-mail alert to an auditor when a user selects a certain row from a table.ADD_POLICY( <Policy config> ). For instance. column specific sensitivity. Rationale/Remediation W I n d o w s U n I x Level & Score Status 13. use enhanced capabilities of Fine-Grained Auditing. engage and use the Fine-Grained Auditing (FGA) feature. SQL capturing. Rationale: The flexibility.ADD_POLICY( <Policy config> ).05 Auditing 13. Therefore. and event handler capabilities of FGA provide auditors and security personnel with valuable information. it should not add a significant burden to the size of audit records.06 Auditing Where appropriate or required by security or legal requirements. Item # Configuration Item Action / Recommended Parameters Where appropriate or required by security or legal requirements. Remediation: DBMS_FGA. or it could write to a different audit trail. Remediation: DBMS_FGA.; Rationale: FGA has the ability to execute event driven procedures that may allow security and operations teams to receive real time indications of threats. Note: The FGA record entry can be pre-qualified.; Audit: SELECT policy_name FROM DBA_AUDIT_POLICIES 2 S 2 S 136 | P a g e . 09 Auditing Audit any CREATE statement Rationale: Unauthorized table alters can results in application failures or be the precursor to an attack. Remediation: AUDIT ALTER USER. will provide a record of events that may be useful when investigating security events.07 Auditing 13.; Audit: SELECT * FROM DBA_STMT_AUDIT_OPTS WHERE 2 S 2 S 2 S 137 | P a g e .; Rationale: Auditing the creation of objects. Remediation: Audit ALTER ANY table.; Audit: SELECT * FROM DBA_STMT_AUDIT_OPTS WHERE . Remediation: AUDIT CREATE ANY <object>.08 Auditing Audit ALTER USER 13.; Audit: SELECT * FROM DBA_STMT_AUDIT_OPTS WHERE . Item # Configuration Item Action / Recommended Parameters Audit ALTER ANY TABLE Rationale/Remediation W I n d o w s U n I x Level & Score Status 13.; Rationale: Unauthorized user alters can results in application failures. such as tables or databases. hijacked credentials. or be the precursor to an attack. ; Audit: SELECT * FROM DBA_STMT_AUDIT_OPTS WHERE Rationale: Auditing the creation of users will provide a record to ensure the appropriate use of account administration privileges. This information is also useful when investigating certain security events.11 Auditing Audit CREATE USER 13. This information is also useful for debugging application and user session failures. This information is also useful when investigating certain security events.; Audit: SELECT * FROM DBA_STMT_AUDIT_OPTS WHERE 2 S 2 S 2 S 138 | P a g e .; Audit: SELECT * FROM DBA_STMT_AUDIT_OPTS WHERE Rationale: Audit the use of CREATE SESSION for successful or unsuccessful operations. Remediation: AUDIT CREATE USER. Item # Configuration Item Action / Recommended Parameters Audit CREATE ROLE Rationale/Remediation W I n d o w s U n I x Level & Score Status 13.10 Auditing 13. Remediation: AUDIT CREATE SESSION. Remediation: AUDIT CREATE ROLE.12 Auditing Audit CREATE SESSION Rationale: Auditing the creation of roles will provide a record to ensure the appropriate use of account administration privileges. Item # Configuration Item Action / Recommended Parameters Audit any DROP statement Rationale/Remediation W I n d o w s U n I x Level & Score Status 13. Auditing the removal of database procedures.15 Auditing Audit DROP ANY TABLE Rationale: Auditing the removal of database objects. Remediation: AUDIT DROP ANY PROCEDURE.14 Auditing Audit DROP ANY PROCEDURE 13. Remediation: AUDIT DROP {PRIV}.; Audit: SELECT * FROM DBA_STMT_AUDIT_OPTS WHERE 2 S 2 S 2 S 139 | P a g e .13 Auditing 13. will provide a record of events that may be useful when investigating security events. Auditing the removal of database tables. will provide a record of actions that may be useful when investigating security events.; Audit: SELECT * FROM DBA_STMT_AUDIT_OPTS WHERE Rationale: Audit the use of DROP ANY PROCEDURE.; Audit: SELECT * FROM DBA_STMT_AUDIT_OPTS WHERE Rationale: Audit the use of DROP ANY TABLE. will provide a record of actions that may be useful when investigating security events. Remediation: AUDIT DROP ANY TABLE. such as tables or databases. ; Audit: SELECT OBJECT_NAME.16 Auditing 13. INS.; Audit: SELECT * FROM DBA_STMT_AUDIT_OPTS WHERE Rationale: Auditing failed inserts may provide be useful when investigating certain security events. Remediation: AUDIT INSERT ON objectname WHENEVER NOT SUCCESSFUL. Item # Configuration Item Action / Recommended Parameters Audit GRANT ANY PRIVILEGE Rationale/Remediation W I n d o w s U n I x Level & Score Status 13.; 2 S 2 S 2 S 140 | P a g e . This information is also useful when investigating certain security events.17 Auditing Audit GRANT ANY ROLE 13. such as SQL injections attempts. FROM DBA_OBJ_AUDIT_OPTS. This information is also useful when investigating certain security events. Remediation: AUDIT GRANT ANY ROLE.; Audit: SELECT * FROM DBA_STMT_AUDIT_OPTS WHERE Rationale: Auditing the grants will provide a record to ensure the appropriate use of account administration privileges.18 Auditing Audit INSERT failures Rationale: Auditing the grants will provide a record to ensure the appropriate use of account administration privileges. Remediation: audit GRANT ANY PRIVILEGE. 20 Auditing Audit SELECT ANY DICTIONARY Rationale: Audit EXECUTE PROCEDURE failures attempted into critical data objects.; Audit: SELECT * FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTI Rationale: Audit the use of the SELECT ANY DICTIONARY.19 Auditing 13. Remediation: AUDIT SELECT ANY DICTIONARY. Auditing SELECT ANY DICTIONARY will provide a record of access to DICTIONARY views.; Audit: SELECT * FROM DBA_STMT_AUDIT_OPTS WHERE 2 S 2 S 141 | P a g e . Item # Configuration Item Action / Recommended Parameters Audit EXECUTE PROCEDURE Rationale/Remediation W I n d o w s U n I x Level & Score Status 13. Auditing the EXECUTE PROCEDURE will provide a record of the procedures that were executed and by whom. This information is also useful when investigating a security event Remediation: AUDIT EXECUTE PROCEDURE. This information is also useful when investigating a security event. Specific database application components may contain sensitive information and require more scrutiny or certain events to alarm when triggered.22 Auditing 13. Evaluate applications on a case by case basis and create where appropriate.23 Auditing Rationale: Audit the use of the GRANT ANY OBJECT. This information is also useful when investigating certain security events. logoff. Auditing the grants will provide a record of the scope of the user object rights to ensure the appropriate use of account administration privileges.; Audit: SELECT * FROM DBA_STMT_AUDIT_OPTS WHERE Rationale: Logon. and other information. Item # Configuration Item Action / Recommended Parameters Audit GRANT ANY OBJECT Rationale/Remediation W I n d o w s U n I x Level & Score Status 13. Remediation: AUDIT GRANT ANY OBJECT. database start or stop.21 Auditing 13. Audit: None 2 S 2 S 2 N 142 | P a g e . Remediation: Create triggers against all tables and system events that are meaningful to the database and application.; Audit: SELECT * FROM DBA_STMT_AUDIT_OPTS WHERE Audit CREATE {ANY} LIBRARY Rationale: Audit the use of the CREATE LIBRARY PRIVILAGE Remediation: AUDIT CREATE LIBRARY. AUD$ BY ACCESS. Remediation: AUDIT ALL ON SYS. timely reviews of the collected audit information must be done to ensure system security and integrity.24 Auditing 13.; Audit: SELECT * FROM DBA_OBJ_AUDIT_OPTS WHERE 2 N 2 N 2 S 143 | P a g e .26 Auditing Rationale: If specific rows of data need to be audited create triggers to alarm on auditable events. Remediation: Assign administrative or DBA time to review report generation logic. Audit: None Set AUDIT ALL ON SYS. Audit: None Rationale: Review procedures and reports to review audit logs Regular.AUD$ BY ACCESS. Item # Configuration Item Action / Recommended Parameters Use triggers to implement row level auditing Rationale/Remediation W I n d o w s U n I x Level & Score Status 13. This will reduce the overall system resources for auditing specific tables and help reduce false alarms. Remediation: Use triggers to enforce row level auditing for important data. attempts to alter the audit trail will be audited.25 Auditing 13.AUD$ Rationale: BY ACCESS By setting AUDIT ALL ON SYS. Only applicable if the audit trail parameter is set to DB or TRUE. Audit: None 2 N 2 N 144 | P a g e . Remediation: Audit any XML DB or PL/SQL procedures that have been exposed as web services.27 Auditing 13. Audit: None Rationale: Legacy procedures that are designed for internal usage only are often exposed as web services. Both the legacy status and expansion of the attack surface can lead to their exploitation.28 Auditing Audit Exposed Web Services Rationale: Archive and delete the audit trail as necessary or in line with local data administration policies. Remediation: Review the purging procedures to ensure that the audit trail is purged regularly. The audit trail can consume substantial system resources leading to a denial of services. Item # Configuration Item Action / Recommended Parameters Regularly purge the audit trail Rationale/Remediation W I n d o w s U n I x Level & Score Status 13. Rationale/Remediation W I n d o w s U n I x Level & Score Status 14. Remediation: Where possible enable and apply Oracle label security. Audit: None 2 N 145 | P a g e . Appendix A: Additional Settings (not scored) Item # Configuration Item Action / Recommended Parameters Where possible use Oracle Label Security.01 Oracle Label Security Rationale: OLS is a strong additional layer of security that can be used to create a Virtual Private database (VPD). This can be cost prohibitive depending on licensing with Oracle. OLS allows data of varying sensitivities to be stored in a single database and access to the data to be restricted using security clearances as defined by role level. the values of the label column may be copied to an added column. Remediation: Where possible.02 Oracle Label Security Rationale: If the status of the hidden label column needs to be changed. Reinstate the policy and then copy the values from the added column to the row label column and then remove the added column. then the hidden column can be removed. the column copies. Item # Configuration Item Action / Recommended Parameters Hide label column. Note: After applying a OLS policy to a table. hide the label column. the hidden status of the labels cannot be revoked without the loss of the labels. Rationale/Remediation W I n d o w s U n I x Level & Score Status 14. Audit: None 2 N 146 | P a g e . when using OLS. and then removes the policy dropping the row label column.CREATE_POLICY (globally) or to the TABLE_OPTIONS parameter of the APPLY_TABLE_POLICY procedure (for a specific table). This can be done by passing the HIDE directive to the DEFAULT_OPTIONS parameter of the SA_SYSDBA. Item # Configuration Item Action / Recommended Parameters Include LABEL_UPDATE Rationale/Remediation W I n d o w s U n I x Level & Score Status 14.03 Oracle Label Security 14.04 Oracle Label Security Limit manipulation. Rationale: This ensures the user cannot reclassify the data in the record by changing the label. Remediation: Include the LABEL_UPDATE as a value for TABLE_OPTIONS parameter when the OLS policy is applied to a table. Audit: None Rationale: By the creation of a procedure, direct manipulation by database users of the labels is prevented and an additional level of security is provided. This can provide a separation of responsibility between the DBA and the security administrators. Remediation: Where possible, use a trusted procedure to limit and control the manipulation of the labels. Audit: None 2 N 2 N 147 | P a g e Item # Configuration Item Action / Recommended Parameters Backup data. Rationale/Remediation W I n d o w s U n I x Level & Score Status 14.05 Oracle Label Security 14.06 Oracle Label Security Where applicable and possible, store labels in the Oracle Internet Directory (OID). 14.07 RAID file systems Implement Rationale: OLS introduces an additional hidden column into a table. For some tables the addition of a column or a hidden column may render the table unusable. For applications that expect to see all the data, OLS may be interpreted as corrupt data. Remediation: Have a secure and separate data copy before implementing OLS. Audit: None Rationale: In the context of the Enterprise User Security option, this provides a centralized management method for user passwords, enterprise roles, and OLS authorization. Under the control of the OID, policies cannot be manipulated within the databases. Remediation: Where applicable and possible, store labels in the Oracle Internet Directory (OID). Audit: None Rationale: File systems holding the Oracle data should be on RAID volumes for resilience. Remediation: Create RAID partitions for the Oracle database and files. Audit: None 2 N 2 N 2 N 148 | P a g e Item # Configuration Item Action / Recommended Parameters Implement Rationale/Remediation W I n d o w s U n I x Level & Score Status 14.08 Magnetically wipe failed disks 14.09 Backups on system disks Verify permissions 14.10 Off site backup storage Implement Rationale: Sensitive data or information can be recovered from magnetic or data media if not properly erased. Remediation: Magnetically wipe old, no longer used, or failed disks. This issue is most likely handled by system administrators. Audit: None Rationale: In many environments, database backups are written to system disks. In this type of environment, ensure that the backup files are protected. Files should be owned by oracle software owner set with owner read/write permissions only. Remediation: Set proper permissions on oracle data files stored on backup tapes. Audit: None Rationale: It is a best practice to have redundant offsite backups in the event of a physical catastrophe. Remediation: Implement off site backup storage procedures. Audit: None 2 N 2 N 2 N 149 | P a g e Remediation: None Audit: None 2 N 2 N 2 N 150 | P a g e .11 Recovery procedures 14. Network access should be limited to application and administrative hosts. Remediation: Implement a screening router to restrict access to the database host. Audit: None Rationale: Use a host based firewall on all computers used to remotely administer databases. Audit: None Rationale: Unrestricted access to the database widens the attack surface.12 Screening router Implement to restrict access to database host 14. Remediation: Ensure that database recovery procedures are fully documented and regularly tested. Item # Configuration Item Action / Recommended Parameters Document and Test Rationale/Remediation W I n d o w s U n I x Level & Score Status 14.13 Host-based firewall Implement on database administration machines Rationale: Failure to properly implement and test recovery procedures can result in loss of data and compromise system integrity. Appendix C: Acknowledgments The contributions to the consensus process made by the following people were instrumental in the creation of this guide: Sheila Christman Richard A. The violations can be fixed or ignored so they will not show up in future reports. Finn John Banghart Mark Rakozy Gary Gapinski David Waltermire Clint Kreitner 151 | P a g e . For more detailed information of this functionality please refer to the Oracle documentation. The administrator can then schedule and apply the patch(es) to any host in the enterprise. Policy Violations The Oracle 11g Enterprise Manager Grid Control application can show policy violations for any database or host in the enterprise. If the Oracle Enterprise Manager Grid Control application is deployed. Appendix B: Enterprise Manager Grid Control for Patch and Policy Management The Oracle 11g Enterprise Manager Grid Control application has two functions directly related to securing Oracle and its host. Oracle® Database 2 Day DBA 11g Release 1 (11.1) Part Number B28301-02 Patching Setup The Oracle 11g Enterprise Manager Grid Control application can be set up to automatically access Oracle MetaLink to search for and download any new patches available for your Oracle installs. follow these recommendations. McDonald Bert Miuccio Chad Hughes Chuck Earle Rick Wessman Jeremy Terk Dave Shackleford Cesar Quebral Alf-‐Ivar Holm George Colt Blake Frantz Phil Curran Don Granaman Michael Anderson Nancy Whitney Tom L. Haas Dana Hemlock Brian Denny Sheilah Scheurich Carol Bales Tran Thanh Chien Rick Wessman Johan Verbrugghen Melissa McAvoy Alf-‐Ivar Holm Alan Klink David W Blaine Ray Stell Adam Cecchetti James Hayes Brian P. - Added Background Section - Updated Acknowledgements Section - Update Section heading styles 152 | P a g e .6 were absent) - Updated 4.0. not repudiation or audit concerns. 5.15 (NOLOGGING) to articulate this clause has continuity concerns.0.1 - Resolved number sequencing issue (5.0 - Initial Public Release 1. Appendix D: Change History Date 8/12/2008 1/23/2009 Version Changes for this version 1.5.