CIS v1.1.0 Oracle 11g OS L2

Audit Details

Name: CIS v1.1.0 Oracle 11g OS L2

Updated: 4/25/2022

Authority: CIS

Plugin: Unix

Revision: 1.27

Estimated Item Count: 95

File Details

Filename: CIS_v1.1.0_Oracle_11g_OS_Unix_Linux_Level_2.audit

Size: 81.8 kB

MD5: 91bcb60ec569abf02ea3366d8f24e27a
SHA256: 01af7099a7377f6e37c3044e6cec4d1019de05b83e1d1b75ddc7166ad80a9051

Audit Items

DescriptionCategories
1.13 Oracle software owner host account - 'Lock account'

ACCESS CONTROL

1.14 All associated application files - 'Verify permissions'
2.06 listener.ora - 'Use IP addresses rather than hostnames'

CONFIGURATION MANAGEMENT

2.10 OEM objects - 'Remove if OEM not used'

CONFIGURATION MANAGEMENT

2.11 listener.ora - 'Change standard ports'

CONFIGURATION MANAGEMENT

2.14 Oracle Installation - 'Oracle software owner account name NOT oracle'

ACCESS CONTROL

2.15 Oracle Installation - 'Separate users for different components of Oracle'
4.12 init.ora - 'sql92_security = TRUE'

ACCESS CONTROL

4.13 listener.ora - 'admin_restrictions_listener_name = on'

ACCESS CONTROL

4.16 init.ora - 'o7_dictionary_accessibility = FALSE'

ACCESS CONTROL

4.17 spfile<sid>.ora - 'Remove the following from the spfile: dispatches= (PROTOCOL=TCP) (SERVICE=<sid>XDB)'

CONFIGURATION MANAGEMENT

4.18 init.ora - 'audit_sys_operations = TRUE'

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

4.18 spfile<sid>.ora - 'audit_sys_operations = TRUE'

AUDIT AND ACCOUNTABILITY

4.19 listener.ora - 'inbound_connect_timeout_listener = 2'

ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION

4.20 sqlnet.ora - 'tcp.validnode_checking = YES'

SYSTEM AND COMMUNICATIONS PROTECTION

4.21 sqlnet.ora - 'Set tcp.invited_nodes to valid values'

SYSTEM AND COMMUNICATIONS PROTECTION

4.22 sqlnet.ora - 'Set tcp.excluded_nodes to valid values'

SYSTEM AND COMMUNICATIONS PROTECTION

4.23 sqlnet.ora - 'sqlnet.inbound_connect_timeout = 3'

SYSTEM AND COMMUNICATIONS PROTECTION

4.24 sqlnet.ora - 'sqlnet.expire_time = 10'

ACCESS CONTROL

4.26 init.ora - 'remote_login_passwordfile = NONE'

ACCESS CONTROL

4.27 sqlnet.ora - 'sqlnet.allowed_logon_version = 11'

CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY

4.28 listener.ora - 'Use absolute paths in ENVS parameters'

CONFIGURATION MANAGEMENT

4.29 cman.ora - 'remote_admin = NO'

CONFIGURATION MANAGEMENT

4.30 listener.ora, tnsnames.ora - 'Disable external procedures'
4.31 init.ora - 'sec_return_server_release_banner = FALSE'

CONFIGURATION MANAGEMENT

4.32 init.ora - 'db_securefile = ALWAYS'

CONFIGURATION MANAGEMENT

4.39 listener.ora - 'secure_control_listener_name = (TCP,IPC)'

ACCESS CONTROL

4.41 listener.ora - 'secure_register_listener_name = (TCP,IPC)'

ACCESS CONTROL

4.42 listener.ora - 'dynamic_registration_listener_name = OFF'

ACCESS CONTROL

5.01 OAS - 'General - Review requirement for integrity and confidentiality requirements'
5.02 OAS - 'Encryption Type - sqlnet.encryption_server = REQUIRED'

ACCESS CONTROL

5.03 OAS - 'Encryption Type - sqlnet.encryption_client = REQUIRED'

ACCESS CONTROL

5.04 OAS - 'FIPS Compliance - sslfips_140 = TRUE'

SYSTEM AND COMMUNICATIONS PROTECTION

5.05 OAS - 'Integrity Protection - sqlnet.crypto_checksum_client = REQUIRED'

ACCESS CONTROL

5.05 OAS - 'Integrity Protection - sqlnet.crypto_checksum_server = REQUIRED'

ACCESS CONTROL

5.06 OAS - 'Integrity Protection - sqlnet.crypto_checksum_types_server = (SHA1)'

ACCESS CONTROL

5.07 OAS - 'Oracle Wallet Owner Permissions - Set Configuration method for Oracle Wallet.'
5.08 OAS - 'Oracle Wallet Trusted Certificates - Remove certificate authorities (CAs) that are not required.'

SYSTEM AND COMMUNICATIONS PROTECTION

5.09 OAS - 'Oracle Wallet Trusted Certificates Import - When adding CAs, verify fingerprint of CA certificates'
5.10 OAS - 'Certificate Request Key Size - Request the maximum key size.'
5.11 OAS - 'Server Oracle Wallet Auto Login - Allow Auto Login for the server's Oracle Wallet'
5.12 OAS - 'SSL Tab - SSL is preferred method. If PKI is not possible, use OAS Integrity/Encryption.'
5.13 OAS - 'SSL Version - Set SSL version ssl_version = 3.0'

CONFIGURATION MANAGEMENT

5.14 OAS - 'SSL Cipher Suite - Set SSL Cipher Suite. ssl_cipher_suites = SSL_RSA_WITH_3DES_EDE_CBC_SHA'

SYSTEM AND COMMUNICATIONS PROTECTION

5.15 OAS - 'SSL Client DN Match - Set tnsnames file to include ssl_server_cert_dn parameter with the DN of the certificate'

CONFIGURATION MANAGEMENT

5.16 OAS - 'SSL Client Authentication - ssl_client_authentication = TRUE'

ACCESS CONTROL

5.17 OAS - 'Encryption Tab - Use OAS encryption only if SSL is not feasible'
5.18 Encryption - 'Where possible, use a procedure that employs a content data element as the encryption key that is unique for each record'
5.19 Encryption - 'Use RAW or BLOB for the storage of encrypted data'
5.20 Encryption - 'If keys are stored in a table in the database, access to the keys should be limited under a secure role'