5.5 Ensure The Use Of SYS* Privileges Is Audited

Information

The usage of the SYS* (SYS, SYSKM, SYSBACKUP, SYSRAC, SYSDG, PUBLIC) privileges should always be audited.

Under Oracle classic auditing, this was achieved with the parameter AUDIT_SYS_OPERATIONS = TRUE. To achieve the same behavior with Unified Auditing, it is necessary to audit all users who use SYS* privileges.

As SYS* privileges have the special property of being the first ones used when access is checked, they must be audited separately; otherwise they are not covered by the other audit policies.

Example: A user with SYSDBA privileges accesses a table (e.g. HR.EMP). In this case the SYSDBA privilege is used, not the SELECT ANY TABLE privilege. As a result, audit rule 5.1 does not fire.

With unified auditing, it must always be taken into account that privileges are used for object access in the following order (if available):

- SYS* privileges (e.g. SYSDBA)
- Direct access rights (e.g. direct object grant or public grant)
- ANY rights

All users using a SYS* privilege should be audited so that the most highly privileged users are never left unaudited.

Solution

Execute the following SQL statement in the CDB and in each PDB to remediate this recommendation:

CREATE AUDIT POLICY CIS_CDB_ALL_ACTIONS_BY_PRIVILEGED_USERS
ACTIONS ALL
WHEN q'! (SYS_CONTEXT('USERENV','CLIENT_PROGRAM_NAME') NOT IN ('emagent') AND INSTR(UPPER(SYS_CONTEXT('USERENV','CLIENT_PROGRAM_NAME')),'PERL') = 0 AND INSTR(UPPER(SYS_CONTEXT('USERENV','CLIENT_PROGRAM_NAME')),'RMAN') = 0 AND INSTR(UPPER(SYS_CONTEXT('USERENV','CLIENT_PROGRAM_NAME')),'OMS') = 0)!'
EVALUATE PER SESSION
ONLY TOPLEVEL;

AUDIT POLICY CIS_CDB_ALL_ACTIONS_BY_PRIVILEGED_USERS BY SYS, SYSKM, SYSBACKUP, SYSRAC, SYSDG, PUBLIC;

Note: If the policy CIS_CDB_ALL_ACTIONS_BY_PRIVILEGED_USERS does not exist yet, create it using the CREATE AUDIT POLICY statement. Refer to Section 8.5, where a PL/SQL block is provided to help create or modify the audit policy to remediate this item in both the container and the pluggable databases.

For legacy reasons the SYSOPER privilege uses the name PUBLIC in the AUDIT POLICY statement; the privilege recorded in the unified audit log is SYSOPR. Emagent, OMS, RMAN and Perl have been excluded to prevent an excessive number of events and issues with spillover files.
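The following queries are an added verification example, not part of the benchmark text: run in the CDB root and in each PDB, they show how the policy is defined, list any SYS* entity it is not yet enabled for, and show what a SYS* session leaves in UNIFIED_AUDIT_TRAIL. They assume Oracle 19c or later (required for ONLY TOPLEVEL), where AUDIT_UNIFIED_ENABLED_POLICIES exposes the ENTITY_NAME column.

```sql
-- Added verification example (not from the CIS benchmark text).
-- Assumes Oracle 19c+ column names in the AUDIT_UNIFIED_* views.

-- 1. How the policy is defined: AUDIT_OPTION should show the
--    "ACTIONS ALL" clause and AUDIT_ONLY_TOPLEVEL should be YES.
SELECT policy_name, audit_option, audit_option_type,
       audit_only_toplevel, common, audit_condition
  FROM audit_unified_policies
 WHERE policy_name = 'CIS_CDB_ALL_ACTIONS_BY_PRIVILEGED_USERS';

-- 2. Which SYS* entities is the policy NOT yet enabled for?
--    An empty result means all six are covered. SYSOPER must be
--    enabled under the name PUBLIC, as the remediation statement does.
WITH required (entity_name) AS (
  SELECT 'SYS'       FROM dual UNION ALL
  SELECT 'SYSKM'     FROM dual UNION ALL
  SELECT 'SYSBACKUP' FROM dual UNION ALL
  SELECT 'SYSRAC'    FROM dual UNION ALL
  SELECT 'SYSDG'     FROM dual UNION ALL
  SELECT 'PUBLIC'    FROM dual
)
SELECT r.entity_name AS missing_entity
  FROM required r
 WHERE NOT EXISTS (
         SELECT 1
           FROM audit_unified_enabled_policies e
          WHERE e.policy_name    = 'CIS_CDB_ALL_ACTIONS_BY_PRIVILEGED_USERS'
            AND e.enabled_option = 'BY USER'
            AND e.entity_name    = r.entity_name
            AND e.success        = 'YES'
            AND e.failure        = 'YES');

-- 3. What the policy captures: recent top-level actions performed under a
--    SYS* privilege (SYSDBA, SYSOPR, SYSBACKUP, ...). The HR.EMP access from
--    the example above appears here with SYSTEM_PRIVILEGE_USED = 'SYSDBA'
--    even though no SELECT ANY TABLE policy fired.
SELECT event_timestamp, dbusername, system_privilege_used,
       action_name, object_schema, object_name, client_program_name
  FROM unified_audit_trail
 WHERE unified_audit_policies LIKE '%CIS_CDB_ALL_ACTIONS_BY_PRIVILEGED_USERS%'
   AND system_privilege_used IS NOT NULL
   AND event_timestamp > SYSTIMESTAMP - INTERVAL '1' DAY
 ORDER BY event_timestamp DESC;
```

Query 2 returning no rows, together with query 1 showing the policy, is the condition this recommendation asks for; query 3 is only useful once the audit trail has been flushed, which depends on the audit write mode configured in the database.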

Impact:

SYS* users perform critical system-level operations, and auditing every action can add considerable performance overhead. SYS operations generate a large volume of audit records, especially in high-transaction environments. Excessive logging can make it difficult to identify critical security events among routine activity, especially in Oracle Data Guard environments.

See Also

https://workbench.cisecurity.org/benchmarks/16474