CIS Oracle 9 10 Windows Level2 v2.01

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

Audit Details

Name: CIS Oracle 9 10 Windows Level2 v2.01

Updated: 7/30/2020

Authority: CIS

Plugin: Windows

Revision: 1.20

Estimated Item Count: 84

Audit Items

Description | Categories
1.18 Windows registry - 'use_shared_socket=TRUE'

CONFIGURATION MANAGEMENT

1.20 All associated application files - 'Verify permissions'
2.09 OEM objects - 'Remove if OEM not used'

CONFIGURATION MANAGEMENT

2.10 listener.ora - 'Change standard ports'

CONFIGURATION MANAGEMENT

2.11 Third party default passwords - 'Set all default account passwords to non-default strong password'
2.13 Oracle Installation - 'Oracle software owner account name NOT 'oracle''

ACCESS CONTROL

4.18 init.ora - 'o7_dictionary_accessibility=FALSE'

ACCESS CONTROL

4.19 init.ora - 'Remove the following line from the init.ora or spfile: dispatcher= (PROTOCOL= TCP) (SERVICE= <oracle_sid>XDB)'

CONFIGURATION MANAGEMENT

4.20 init.ora - 'audit_sys_operations= TRUE'

ACCESS CONTROL

4.21 listener.ora - 'inbound_connect_timeout_listener=2'

ACCESS CONTROL

4.22 sqlnet.ora - 'tcp.validnode_checking= YES'

CONFIGURATION MANAGEMENT

4.23 sqlnet.ora - 'Set tcp.invited_nodes to valid values.'

SYSTEM AND COMMUNICATIONS PROTECTION

4.24 sqlnet.ora - 'Set tcp.excluded_nodes to valid values'

SYSTEM AND COMMUNICATIONS PROTECTION

4.25 sqlnet.ora - 'sqlnet.inbound_connect_timeout = 3'

ACCESS CONTROL

4.26 sqlnet.ora - 'sqlnet.expire_time= 10'

ACCESS CONTROL

4.27 Accounts - 'Lock account access for application schema owners'
4.28 init.ora - 'remote_login_passwordfile = NONE'

ACCESS CONTROL

4.29 $ORACLE_HOME/bin/extproc - 'Remove binary from host'

CONFIGURATION MANAGEMENT

4.30 tnsnames.ora - 'Remove extproc entry'

CONFIGURATION MANAGEMENT

4.31 listener.ora - 'Remove extproc entry'

CONFIGURATION MANAGEMENT

5.01 OAS - 'General - Review requirement for integrity and confidentiality requirements'
5.02 OAS - 'Encryption Type - sqlnet.encryption_server = REQUIRED'

ACCESS CONTROL

5.03 OAS - 'Encryption Type - sqlnet.encryption_client = (ACCEPTED|REQUESTED|REQUIRED)'

ACCESS CONTROL

5.05 OAS - 'FIPS Compliance - sslfips_140 = TRUE'

SYSTEM AND COMMUNICATIONS PROTECTION

5.06 OAS - Encryption Method (FIPS 140) - 'SQLNET.ENCRYPTION_TYPES_SERVER=(DES|DES40)'

SYSTEM AND COMMUNICATIONS PROTECTION

5.07 OAS - Encryption Methods - 'Encryption keys for both client and server must be set to the maximum feasible value.'
5.08 OAS - 'Integrity Protection - sqlnet.crypto_checksum_server=REQUIRED sqlnet.crypto_checksum_client=REQUIRED'

ACCESS CONTROL

5.09 OAS - 'Integrity Protection - sqlnet.crypto_checksum_types_server = (SHA1)'

ACCESS CONTROL

5.10 OAS - 'Oracle Wallet Owner Permissions - Set Configuration method for Oracle Wallet.'
5.11 OAS - 'Oracle Wallet Trusted Certificates - Remove certificate authorities (CAs) that are not required.'
5.12 OAS - 'Oracle Wallet Trusted Certificates Import - When adding CAs, verify fingerprint of CA certificates'
5.13 OAS - 'Certificate Request Key Size - Request the maximum key size.'
5.14 OAS - 'Server Oracle Wallet Auto Login - Allow Auto Login for the server's Oracle Wallet'
5.15 OAS - 'SSL Tab - SSL is preferred method. If PKI is not possible, use OAS Integrity/Encryption.'
5.16 OAS - 'SSL Version - Set SSL version ssl_version = 3.0'

CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY

5.17 OAS - 'SSL Cipher Suite - Set SSL Cipher Suite. ssl_cipher_suites = SSL_RSA_WITH_3DES_EDE_CBC_SHA'

ACCESS CONTROL

5.18 OAS - 'SSL Client DN Match - Set tnsnames file to include ssl_server_cert_dn parameter with the DN of the certificate'

CONFIGURATION MANAGEMENT

5.19 OAS - 'SSL Client Authentication - ssl_client_authentication = TRUE'

ACCESS CONTROL

5.20 OAS - 'Encryption Tab - Use OAS encryption only if SSL is not feasible'
5.21 Encryption - 'Use a procedure that employs a content data element as the encryption key that is unique for each record.'
5.22 Encryption - 'Use RAW or BLOB for the storage of encrypted data'
5.23 Encryption - 'Use a virtual private database (VPD) to protect rows by implementing Oracle Label Security (OLS).'
7.08 Failsafe - 'Failsafe must be engaged'
11.04 Fine grained access - 'Use fine grain access control within objects'
12.37 Oracle Installation - 'Oracle software owner account name NOT 'oracle''
12.39 Alerts on high priority incidents - 'Create processes to alert'
12.40 Intelligent agent - 'Do not use'
12.41 Oracle Advanced Security - 'Implement if appropriate'
12.42 Application PL/SQL code - 'Wrap'
12.43 PL/SQL code variables and constants - 'Obscure'