CIS Oracle Database 23ai v1.0.0 L1 RDBMS

Audit Details

Name: CIS Oracle Database 23ai v1.0.0 L1 RDBMS

Updated: 6/16/2025

Authority: CIS

Plugin: OracleDB

Revision: 1.0

Estimated Item Count: 78

File Details

Filename: CIS_Oracle_Database_23ai_v1.0.0_L1_RDBMS.audit

Size: 241 kB

MD5: 8aa286a1882e5edf238e01ae48fa567c
SHA256: 86655fd5b6381a88831c37b7f5406943a00084321e0d151b79ec397856e756d0

Audit Items

Description | Categories
1.1 Ensure The Appropriate Version/Patches For Oracle Software Is Installed

SYSTEM AND SERVICES ACQUISITION

2.3.1 Ensure 'BACKGROUND_CORE_DUMP' Is Not Set To 'Full'

MEDIA PROTECTION

2.3.2 Ensure 'SHADOW_CORE_DUMP' Is Not Set To 'Full'

MEDIA PROTECTION

2.3.3 Ensure 'MLE_PROG_LANGUAGES' Is Set To 'OFF'

CONFIGURATION MANAGEMENT

2.3.4 Ensure 'ALLOW_GROUP_ACCESS_TO_SGA' Is Set To `FALSE`

ACCESS CONTROL, MEDIA PROTECTION

2.3.5 Review Undocumented (Underscore) Parameters Not Set To 'DEFAULT' Values

CONFIGURATION MANAGEMENT

2.3.6 Ensure 'OS_ROLES' Is Set To 'FALSE'

ACCESS CONTROL, MEDIA PROTECTION

2.3.7 Ensure 'REMOTE_OS_ROLES' Is Set To 'FALSE'

ACCESS CONTROL

2.3.8 Ensure 'SEC_MAX_FAILED_LOGIN_ATTEMPTS' Is Set To '3' Or Less

ACCESS CONTROL

2.3.9 Ensure 'SEC_PROTOCOL_ERROR_FURTHER_ACTION' Is Set To '(DROP,3)'

SYSTEM AND COMMUNICATIONS PROTECTION

2.3.10 Ensure 'SEC_PROTOCOL_ERROR_TRACE_ACTION' Is Set To 'LOG'

AUDIT AND ACCOUNTABILITY

2.3.11 Ensure 'SEC_RETURN_SERVER_RELEASE_BANNER' Is Set To 'FALSE'

ACCESS CONTROL, MEDIA PROTECTION

2.3.12 Ensure 'REMOTE_LOGIN_PASSWORDFILE' Is Set To 'NONE'

ACCESS CONTROL

2.3.13 Ensure 'REMOTE_LISTENER' Is Empty

SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

2.3.14 Ensure 'RESOURCE_LIMIT' Is Set To 'TRUE'

ACCESS CONTROL, MEDIA PROTECTION

3.1 Ensure 'FAILED_LOGIN_ATTEMPTS' Is Less Than Or Equal To '5'

ACCESS CONTROL

3.2 Ensure 'PASSWORD_LOCK_TIME' Is Greater Than Or Equal To '1'

ACCESS CONTROL

3.3 Ensure 'PASSWORD_LIFE_TIME + PASSWORD_GRACE_TIME' Is Less Than Or Equal To '365'

ACCESS CONTROL

3.4 Ensure 'PASSWORD_REUSE_MAX' Is Set To 'UNLIMITED'

IDENTIFICATION AND AUTHENTICATION

3.5 Ensure 'PASSWORD_VERIFY_FUNCTION' Is Set For All Profiles

IDENTIFICATION AND AUTHENTICATION

3.6 Ensure 'PASSWORD_VERIFY_FUNCTION' Is Configured Correctly

IDENTIFICATION AND AUTHENTICATION

3.7 Ensure 'PASSWORD_ROLLOVER_TIME' Is set to '0'

IDENTIFICATION AND AUTHENTICATION

3.8 Ensure 'INACTIVE_ACCOUNT_TIME' Is Less than or Equal to '120'

ACCESS CONTROL

4.1 Ensure All Default Passwords Are Changed

IDENTIFICATION AND AUTHENTICATION

4.2 Ensure No Custom 'ORACLE_MAINTAINED' Users Exist

ACCESS CONTROL

4.3 Review The Users Created Through Real Application Security

ACCESS CONTROL

4.4 Ensure Old Password Versions Are Not Used

IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

4.5 Ensure The Latest Version of The Password File Is Used

IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

4.6 Ensure That Users In Different RAC Instances Are Identical In PW Files

ACCESS CONTROL

4.7 Ensure No Public Database Links Exist

ACCESS CONTROL, MEDIA PROTECTION

4.8 Ensure That Database Link Passwords Are Using The Latest Encryption

IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

5.1 Ensure All Auditable System Actions Commands Are Audited

AUDIT AND ACCOUNTABILITY

5.2 Ensure the 'LOGON' AND 'LOGOFF' Actions Audit Is Enabled

AUDIT AND ACCOUNTABILITY

5.3 Ensure Critical Packages Are Audited

AUDIT AND ACCOUNTABILITY

5.4 Ensure All Export Activities Are Audited

AUDIT AND ACCOUNTABILITY

5.5 Ensure The Use Of SYS* Privileges Is Audited

AUDIT AND ACCOUNTABILITY

6.1.1 Ensure '%ANY%' Is Revoked from Unauthorized 'GRANTEE'

ACCESS CONTROL, MEDIA PROTECTION

6.1.2 Ensure Admin Privileges Are Revoked from Unauthorized 'GRANTEE'

ACCESS CONTROL

6.1.3 Ensure 'IMPORT' And 'EXPORT' 'FULL DATABASE' Is Revoked From Unauthorized 'GRANTEE'

ACCESS CONTROL, MEDIA PROTECTION

6.1.4 Ensure 'CREATE EXTERNAL JOB' Is Revoked From Unauthorized 'GRANTEE'

ACCESS CONTROL

6.1.5 Ensure 'BECOME USER' Is Revoked From Unauthorized 'GRANTEE'

ACCESS CONTROL, MEDIA PROTECTION

6.1.6 Ensure 'TEXT DATASTORE ACCESS' Is Revoked From Unauthorized 'GRANTEE'

ACCESS CONTROL, MEDIA PROTECTION

6.1.7 Ensure 'CREATE', 'ALTER', And 'DROP' 'PUBLIC DATABASE LINK' Is Revoked From Unauthorized 'GRANTEE'

ACCESS CONTROL, MEDIA PROTECTION

6.1.8 Ensure 'LOGMINING' Is Revoked From Unauthorized 'GRANTEE'

ACCESS CONTROL, MEDIA PROTECTION

6.1.9 Ensure 'ALTER SYSTEM' Is Revoked From Unauthorized 'GRANTEE'

ACCESS CONTROL, MEDIA PROTECTION

6.1.10 Ensure 'CREATE LIBRARY' Is Revoked From Unauthorized 'GRANTEE'

ACCESS CONTROL, MEDIA PROTECTION

6.1.11 Ensure All `SYSTEM` Privileges Are Revoked from Unauthorized 'GRANTEE'

ACCESS CONTROL

6.2.1 Ensure 'DBA' Is Revoked from Unauthorized 'GRANTEE'

ACCESS CONTROL, MEDIA PROTECTION

6.2.2 Ensure 'EXP_FULL_DATABASE' Is Revoked From Unauthorized 'GRANTEE'

ACCESS CONTROL, MEDIA PROTECTION

6.2.3 Ensure 'IMP_FULL_DATABASE' Is Revoked From Unauthorized 'GRANTEE'

ACCESS CONTROL, MEDIA PROTECTION