Information
Auditing critical packages in Oracle is essential to ensure database security, maintain accountability, and support compliance with regulatory requirements. These packages provide powerful functionality, such as scheduling jobs, performing cryptographic operations, or handling web-based utilities, which, if misused or exploited, can compromise the integrity, confidentiality, and availability of the database.
Auditing the following critical packages is recommended; however, it should be enabled based on the specific needs and requirements of the organization:
- SYS.DBMS_AW
- SYS.DBMS_CRYPTO
- SYS.DBMS_FGA
- SYS.DBMS_JAVA_TEST
- SYS.DBMS_JOB
- SYS.DBMS_LOGMNR
- SYS.DBMS_NETWORK_ACL_ADMIN
- SYS.DBMS_REDACT
- SYS.DBMS_REDEFINITION
- SYS.DBMS_RLS
- SYS.DBMS_SCHEDULER
- SYS.DBMS_SQL_TRANSLATOR
- SYS.DBMS_SYS_SQL
- SYS.DBMS_TSDP_MANAGE
- SYS.DBMS_TSDP_PROTECT
- SYS.DBMS_XMLGEN
- SYS.DBMS_XMLSTORE
- SYS.OWA_UTIL
Auditing these packages helps monitor their usage, detect unauthorized access, and prevent potential misuse or security breaches. This practice also supports incident response and forensic investigations by maintaining a detailed record of package invocation, ensuring that critical operations are tracked and controlled in high-security environments.
Solution
Execute the following SQL statement to remediate this recommendation:
CREATE AUDIT POLICY CIS_CDB_CRITICAL_PACKAGES
ACTIONS
EXECUTE ON SYS.DBMS_AW,
EXECUTE ON SYS.DBMS_CRYPTO,
EXECUTE ON SYS.DBMS_FGA,
EXECUTE ON SYS.DBMS_JAVA_TEST,
EXECUTE ON SYS.DBMS_JOB,
EXECUTE ON SYS.DBMS_LOGMNR,
EXECUTE ON SYS.DBMS_NETWORK_ACL_ADMIN,
EXECUTE ON SYS.DBMS_OBFUSCATION_TOOLKIT,
EXECUTE ON SYS.DBMS_REDACT,
EXECUTE ON SYS.DBMS_REDEFINITION,
EXECUTE ON SYS.DBMS_RLS,
EXECUTE ON SYS.DBMS_SCHEDULER,
EXECUTE ON SYS.DBMS_SQL_TRANSLATOR,
EXECUTE ON SYS.DBMS_SYS_SQL,
EXECUTE ON SYS.DBMS_TSDP_MANAGE,
EXECUTE ON SYS.DBMS_TSDP_PROTECT,
EXECUTE ON SYS.DBMS_XMLGEN,
EXECUTE ON SYS.DBMS_XMLSTORE,
EXECUTE ON SYS.OWA_UTIL
ONLY TOPLEVEL;
AUDIT POLICY CIS_CDB_CRITICAL_PACKAGES;
Note: If the CIS_CDB_CRITICAL_PACKAGES policy does not exist, create it using the CREATE AUDIT POLICY statement. Refer to Section 8.3, where a PL/SQL block is provided to help create or modify the audit policy to remediate this item in both container and pluggable databases.
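To confirm the remediation took effect, the queries below (an added example, not part of the benchmark text) list any package from the CREATE AUDIT POLICY statement above that no enabled unified audit policy covers, and then review recent invocations recorded under the policy. They assume the Oracle 19c column names of AUDIT_UNIFIED_POLICIES, AUDIT_UNIFIED_ENABLED_POLICIES and UNIFIED_AUDIT_TRAIL, a policy enabled for all users on both success and failure, and a 7-day review window chosen for illustration.

```sql
-- 1) Coverage check: packages from the policy statement that are NOT audited.
--    No rows returned means every listed package is covered.
WITH required AS (
  SELECT column_value AS object_name
  FROM TABLE(sys.odcivarchar2list(
    'DBMS_AW', 'DBMS_CRYPTO', 'DBMS_FGA', 'DBMS_JAVA_TEST', 'DBMS_JOB',
    'DBMS_LOGMNR', 'DBMS_NETWORK_ACL_ADMIN', 'DBMS_OBFUSCATION_TOOLKIT',
    'DBMS_REDACT', 'DBMS_REDEFINITION', 'DBMS_RLS', 'DBMS_SCHEDULER',
    'DBMS_SQL_TRANSLATOR', 'DBMS_SYS_SQL', 'DBMS_TSDP_MANAGE',
    'DBMS_TSDP_PROTECT', 'DBMS_XMLGEN', 'DBMS_XMLSTORE', 'OWA_UTIL'))
),
covered AS (
  SELECT p.object_name
  FROM audit_unified_policies p
  JOIN audit_unified_enabled_policies e
    ON e.policy_name = p.policy_name
  WHERE p.audit_option      = 'EXECUTE'
    AND p.audit_option_type = 'OBJECT ACTION'
    AND p.object_schema     = 'SYS'
    AND e.enabled_option    = 'BY USER'     -- assumption: enabled without BY/EXCEPT
    AND e.entity_name       = 'ALL USERS'
    AND e.success           = 'YES'
    AND e.failure           = 'YES'
)
SELECT r.object_name AS unaudited_package
FROM required r
WHERE NOT EXISTS (SELECT 1 FROM covered c WHERE c.object_name = r.object_name)
ORDER BY r.object_name;

-- 2) Review: who invoked the audited packages recently, and how often.
--    The 7-day window is an assumption; adjust to the retention in use.
SELECT dbusername,
       object_name,
       COUNT(*)                                       AS executions,
       SUM(CASE WHEN return_code <> 0 THEN 1 ELSE 0 END) AS failed,
       MAX(event_timestamp)                           AS last_seen
FROM unified_audit_trail
WHERE unified_audit_policies LIKE '%CIS_CDB_CRITICAL_PACKAGES%'
  AND action_name     = 'EXECUTE'
  AND object_schema   = 'SYS'
  AND event_timestamp > SYSTIMESTAMP - INTERVAL '7' DAY
GROUP BY dbusername, object_name
ORDER BY executions DESC;
```

Run both in each container where the policy is expected to apply, since unified audit policy metadata is reported per container.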
Impact:
Auditing system packages generates additional logs, which can impact system performance, especially in high-transaction environments. Auditing can introduce slight delays in query execution due to the extra logging steps.