CIS Oracle Server 19c DB Unified Auditing v1.2.0

Audit Details

Name: CIS Oracle Server 19c DB Unified Auditing v1.2.0

Updated: 7/15/2024

Authority: CIS

Plugin: OracleDB

Revision: 1.2

Estimated Item Count: 88

File Details

Filename: CIS_Oracle_Server_19c_v1.2.0_L1_Database_Unified.audit

Size: 355 kB

MD5: 63d72dbf684c2fc6489eb0108fe8fd84
SHA256: ed61b9eb24aa6cfda671de4b124c32ac8041262d8a4f16fdf17bb589e2f3f70c

Audit Items

DescriptionCategories
1.1 Ensure the Appropriate Version/Patches for Oracle Software Is Installed

SYSTEM AND SERVICES ACQUISITION

2.2.3 Ensure 'GLOBAL_NAMES' Is Set to 'TRUE'

ACCESS CONTROL, MEDIA PROTECTION

2.2.4 Ensure 'OS_ROLES' Is Set to 'FALSE'

ACCESS CONTROL, MEDIA PROTECTION

2.2.5 Ensure 'REMOTE_LISTENER' Is Empty

SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

2.2.6 Ensure 'REMOTE_LOGIN_PASSWORDFILE' Is Set to 'NONE'

ACCESS CONTROL

2.2.7 Ensure 'REMOTE_OS_AUTHENT' Is Set to 'FALSE'

ACCESS CONTROL

2.2.8 Ensure 'REMOTE_OS_ROLES' Is Set to 'FALSE'

ACCESS CONTROL

2.2.9 Ensure 'SEC_CASE_SENSITIVE_LOGON' Is Set to 'TRUE'

IDENTIFICATION AND AUTHENTICATION

2.2.10 Ensure 'SEC_MAX_FAILED_LOGIN_ATTEMPTS' Is '3' or Less

ACCESS CONTROL

2.2.11 Ensure 'SEC_PROTOCOL_ERROR_FURTHER_ACTION' Is Set to '(DROP,3)'

SYSTEM AND COMMUNICATIONS PROTECTION

2.2.12 Ensure 'SEC_PROTOCOL_ERROR_TRACE_ACTION' Is Set to 'LOG'

AUDIT AND ACCOUNTABILITY

2.2.13 Ensure 'SEC_RETURN_SERVER_RELEASE_BANNER' Is Set to 'FALSE'

ACCESS CONTROL, MEDIA PROTECTION

2.2.14 Ensure 'SQL92_SECURITY' Is Set to 'TRUE'

ACCESS CONTROL, MEDIA PROTECTION

2.2.15 Ensure '_trace_files_public' Is Set to 'FALSE'

ACCESS CONTROL, MEDIA PROTECTION

2.2.16 Ensure 'RESOURCE_LIMIT' Is Set to 'TRUE'

ACCESS CONTROL, MEDIA PROTECTION

2.2.17 Ensure 'PDB_OS_CREDENTIAL' is NOT null

ACCESS CONTROL

3.1 Ensure 'FAILED_LOGIN_ATTEMPTS' Is Less than or Equal to '5'

ACCESS CONTROL

3.2 Ensure 'PASSWORD_LOCK_TIME' Is Greater than or Equal to '1'

ACCESS CONTROL

3.3 Ensure 'PASSWORD_LIFE_TIME' Is Less than or Equal to '90'

ACCESS CONTROL

3.4 Ensure 'PASSWORD_REUSE_MAX' Is Greater than or Equal to '20'

IDENTIFICATION AND AUTHENTICATION

3.5 Ensure 'PASSWORD_REUSE_TIME' Is Greater than or Equal to '365'

IDENTIFICATION AND AUTHENTICATION

3.6 Ensure 'PASSWORD_GRACE_TIME' Is Less than or Equal to '5'

ACCESS CONTROL

3.7 Ensure 'PASSWORD_VERIFY_FUNCTION' Is Set for All Profiles

IDENTIFICATION AND AUTHENTICATION

3.8 Ensure 'SESSIONS_PER_USER' Is Less than or Equal to '10'

ACCESS CONTROL

3.9 Ensure 'INACTIVE_ACCOUNT_TIME' Is Less than or Equal to '120'

ACCESS CONTROL

4.1 Ensure All Default Passwords Are Changed

IDENTIFICATION AND AUTHENTICATION

4.2 Ensure All Sample Data And Users Have Been Removed

CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY

4.3 Ensure 'DBA_USERS.AUTHENTICATION_TYPE' Is Not Set to 'EXTERNAL' for Any User

ACCESS CONTROL

4.4 Ensure No Users Are Assigned the 'DEFAULT' Profile

ACCESS CONTROL

4.5 Ensure 'SYS.USER$MIG' Has Been Dropped

IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

5.1.1.1 Ensure 'EXECUTE' is revoked from 'PUBLIC' on "Network" Packages

ACCESS CONTROL, MEDIA PROTECTION

5.1.1.2 Ensure 'EXECUTE' is revoked from 'PUBLIC' on "File System" Packages

ACCESS CONTROL, MEDIA PROTECTION

5.1.1.3 Ensure 'EXECUTE' is revoked from 'PUBLIC' on "Encryption" Packages

ACCESS CONTROL, MEDIA PROTECTION

5.1.1.4 Ensure 'EXECUTE' is revoked from 'PUBLIC' on "Java" Packages

ACCESS CONTROL, MEDIA PROTECTION

5.1.1.5 Ensure 'EXECUTE' is revoked from 'PUBLIC' on "Job Scheduler" Packages

ACCESS CONTROL, MEDIA PROTECTION

5.1.1.6 Ensure 'EXECUTE' is revoked from 'PUBLIC' on "SQL Injection Helper" Packages

ACCESS CONTROL, MEDIA PROTECTION

5.1.1.7 Ensure 'EXECUTE' is revoked from 'PUBLIC' on "DBMS_CREDENTIAL" Package

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

5.1.2.1 Ensure 'EXECUTE' is not granted to 'PUBLIC' on "Non-default" Packages

ACCESS CONTROL, MEDIA PROTECTION

5.1.3.1 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'AUD$'

ACCESS CONTROL, MEDIA PROTECTION

5.1.3.2 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'DBA_%'

ACCESS CONTROL, MEDIA PROTECTION

5.1.3.3 Ensure 'ALL' Is Revoked on 'Sensitive' Tables

ACCESS CONTROL, MEDIA PROTECTION

5.2.1 Ensure '%ANY%' Is Revoked from Unauthorized 'GRANTEE'

ACCESS CONTROL, MEDIA PROTECTION

5.2.2 Ensure 'DBA_SYS_PRIVS.%' Is Revoked from Unauthorized 'GRANTEE' with 'ADMIN_OPTION' Set to 'YES'

ACCESS CONTROL, MEDIA PROTECTION

5.2.3 Ensure 'EXECUTE ANY PROCEDURE' Is Revoked from 'OUTLN'

ACCESS CONTROL, MEDIA PROTECTION

5.2.4 Ensure 'EXECUTE ANY PROCEDURE' Is Revoked from 'DBSNMP'

ACCESS CONTROL, MEDIA PROTECTION

5.2.5 Ensure 'SELECT ANY DICTIONARY' Is Revoked from Unauthorized 'GRANTEE'

ACCESS CONTROL, MEDIA PROTECTION

5.2.6 Ensure 'SELECT ANY TABLE' Is Revoked from Unauthorized 'GRANTEE'

ACCESS CONTROL, MEDIA PROTECTION

5.2.7 Ensure 'AUDIT SYSTEM' Is Revoked from Unauthorized 'GRANTEE'

ACCESS CONTROL, MEDIA PROTECTION

5.2.8 Ensure 'EXEMPT ACCESS POLICY' Is Revoked from Unauthorized 'GRANTEE'

ACCESS CONTROL, MEDIA PROTECTION

5.2.9 Ensure 'BECOME USER' Is Revoked from Unauthorized 'GRANTEE'

ACCESS CONTROL, MEDIA PROTECTION