CIS Oracle Database 23ai v1.1.0 L1 RDBMS

Audit Details

Name: CIS Oracle Database 23ai v1.1.0 L1 RDBMS

Updated: 10/27/2025

Authority: CIS

Plugin: OracleDB

Revision: 1.0

Estimated Item Count: 78

File Details

Filename: CIS_Oracle_Database_23ai_v1.1.0_L1_RDBMS.audit

Size: 241 kB

MD5: 9de402304486d27f205f7045a37f91e3
SHA256: 375d2a0024fca4113dd0378f25d8c964e70f3a94f51cc81f37a1efa54625b355

Audit Items

Description / Categories
1.1 Ensure That Appropriate Version/Patches For Oracle Software Are Installed

SYSTEM AND SERVICES ACQUISITION

2.3.1 Ensure 'BACKGROUND_CORE_DUMP' Is Not Set To 'Full'

MEDIA PROTECTION

2.3.2 Ensure 'SHADOW_CORE_DUMP' Is Not Set To 'Full'

MEDIA PROTECTION

2.3.3 Ensure 'MLE_PROG_LANGUAGES' Is Set To 'OFF'

CONFIGURATION MANAGEMENT

2.3.4 Ensure 'ALLOW_GROUP_ACCESS_TO_SGA' Is Set To `FALSE`

ACCESS CONTROL, MEDIA PROTECTION

2.3.5 Review Undocumented (Underscore) Parameters Not Set To 'DEFAULT' Values

CONFIGURATION MANAGEMENT

2.3.6 Ensure 'OS_ROLES' Is Set To 'FALSE'

ACCESS CONTROL, MEDIA PROTECTION

2.3.7 Ensure 'REMOTE_OS_ROLES' Is Set To 'FALSE'

ACCESS CONTROL

2.3.8 Ensure 'SEC_MAX_FAILED_LOGIN_ATTEMPTS' Is Set To '3' Or Less

ACCESS CONTROL

2.3.9 Ensure 'SEC_PROTOCOL_ERROR_FURTHER_ACTION' Is Set To '(DROP,3)'

CONFIGURATION MANAGEMENT

2.3.10 Ensure 'SEC_PROTOCOL_ERROR_TRACE_ACTION' Is Set To 'LOG'

AUDIT AND ACCOUNTABILITY

2.3.11 Ensure 'SEC_RETURN_SERVER_RELEASE_BANNER' Is Set To 'FALSE'

ACCESS CONTROL, MEDIA PROTECTION

2.3.12 Ensure 'REMOTE_LOGIN_PASSWORDFILE' Is Set To 'NONE'

ACCESS CONTROL

2.3.13 Ensure 'REMOTE_LISTENER' Is Empty

CONFIGURATION MANAGEMENT

2.3.14 Ensure 'RESOURCE_LIMIT' Is Set To 'TRUE'

ACCESS CONTROL, MEDIA PROTECTION

3.1 Ensure 'FAILED_LOGIN_ATTEMPTS' Is Less Than Or Equal To '5'

ACCESS CONTROL

3.2 Ensure 'PASSWORD_LOCK_TIME' Is Greater Than Or Equal To '1'

ACCESS CONTROL

3.3 Ensure 'PASSWORD_LIFE_TIME + PASSWORD_GRACE_TIME' Is Less Than Or Equal To '365'

ACCESS CONTROL

3.4 Ensure 'PASSWORD_REUSE_MAX' Is Set To 'UNLIMITED'

IDENTIFICATION AND AUTHENTICATION

3.5 Ensure 'PASSWORD_VERIFY_FUNCTION' Is Set For All Profiles

IDENTIFICATION AND AUTHENTICATION

3.6 Ensure 'PASSWORD_VERIFY_FUNCTION' Is Configured Correctly

IDENTIFICATION AND AUTHENTICATION

3.7 Ensure 'PASSWORD_ROLLOVER_TIME' Is set to '0'

IDENTIFICATION AND AUTHENTICATION

3.8 Ensure 'INACTIVE_ACCOUNT_TIME' Is Less than or Equal to '120'

ACCESS CONTROL

4.1 Ensure All Default Passwords Are Changed

IDENTIFICATION AND AUTHENTICATION

4.2 Ensure No Custom 'ORACLE_MAINTAINED' Users Exist

ACCESS CONTROL

4.3 Review The Users Created Through Real Application Security

ACCESS CONTROL

4.4 Ensure Old Password Versions Are Not Used

IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

4.5 Ensure The Latest Version of The Password File Is Used

IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

4.6 Ensure That Users In Different RAC Instances Are Identical In PW Files

IDENTIFICATION AND AUTHENTICATION

4.7 Ensure No Public Database Links Exist

ACCESS CONTROL, MEDIA PROTECTION

4.8 Ensure That Database Link Passwords Are Using The Latest Encryption

IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

5.1 Ensure All Auditable System Actions Commands Are Audited

AUDIT AND ACCOUNTABILITY

5.2 Ensure the 'LOGON' AND 'LOGOFF' Actions Audit Is Enabled

AUDIT AND ACCOUNTABILITY

5.3 Ensure Critical Packages Are Audited

AUDIT AND ACCOUNTABILITY

5.4 Ensure All Export Activities Are Audited

AUDIT AND ACCOUNTABILITY

5.5 Ensure The Use Of SYS* Privileges Is Audited

AUDIT AND ACCOUNTABILITY

6.1.1 Ensure '%ANY%' Is Revoked from Unauthorized 'GRANTEE'

ACCESS CONTROL, MEDIA PROTECTION

6.1.2 Ensure Admin Privileges Are Revoked from Unauthorized 'GRANTEE'

ACCESS CONTROL

6.1.3 Ensure 'IMPORT' And 'EXPORT' 'FULL DATABASE' Is Revoked From Unauthorized 'GRANTEE'

ACCESS CONTROL, MEDIA PROTECTION

6.1.4 Ensure 'CREATE EXTERNAL JOB' Is Revoked From Unauthorized 'GRANTEE'

ACCESS CONTROL

6.1.5 Ensure 'BECOME USER' Is Revoked From Unauthorized 'GRANTEE'

ACCESS CONTROL, MEDIA PROTECTION

6.1.6 Ensure 'TEXT DATASTORE ACCESS' Is Revoked From Unauthorized 'GRANTEE'

ACCESS CONTROL, MEDIA PROTECTION

6.1.7 Ensure 'CREATE', 'ALTER', And 'DROP' 'PUBLIC DATABASE LINK' Is Revoked From Unauthorized 'GRANTEE'

ACCESS CONTROL, MEDIA PROTECTION

6.1.8 Ensure 'LOGMINING' Is Revoked From Unauthorized 'GRANTEE'

ACCESS CONTROL, MEDIA PROTECTION

6.1.9 Ensure 'ALTER SYSTEM' Is Revoked From Unauthorized 'GRANTEE'

ACCESS CONTROL, MEDIA PROTECTION

6.1.10 Ensure 'CREATE LIBRARY' Is Revoked From Unauthorized 'GRANTEE'

ACCESS CONTROL, MEDIA PROTECTION

6.1.11 Ensure All `SYSTEM` Privileges Are Revoked from Unauthorized 'GRANTEE'

ACCESS CONTROL

6.2.1 Ensure 'DBA' Is Revoked from Unauthorized 'GRANTEE'

ACCESS CONTROL, MEDIA PROTECTION

6.2.2 Ensure 'EXP_FULL_DATABASE' Is Revoked From Unauthorized 'GRANTEE'

ACCESS CONTROL, MEDIA PROTECTION

6.2.3 Ensure 'IMP_FULL_DATABASE' Is Revoked From Unauthorized 'GRANTEE'

ACCESS CONTROL, MEDIA PROTECTION