CIS Oracle Server 12c DB Traditional Auditing v3.0.0

Audit Details

Name: CIS Oracle Server 12c DB Traditional Auditing v3.0.0

Updated: 6/17/2024

Authority: CIS

Plugin: OracleDB

Revision: 1.4

Estimated Item Count: 82

File Details

Filename: CIS_Oracle_Server_12c_v3.0.0_L1_Database_Traditional.audit

Size: 316 kB

MD5: d42baf8f3d498fe123b2befc330c3c1d
SHA256: 89fedeed985ae4c4072939a7f8f23f9cc1acdf9e957cb383fb4fef2e20a69475

Audit Items

DescriptionCategories
1.1 Ensure the Appropriate Version/Patches for Oracle Software Is Installed

CONFIGURATION MANAGEMENT

2.2.1 Ensure 'AUDIT_SYS_OPERATIONS' Is Set to 'TRUE'

AUDIT AND ACCOUNTABILITY

2.2.2 Ensure 'AUDIT_TRAIL' Is Set to 'DB', 'XML', 'OS', 'DB,EXTENDED', or 'XML,EXTENDED'

AUDIT AND ACCOUNTABILITY

2.2.3 Ensure 'GLOBAL_NAMES' Is Set to 'TRUE'

ACCESS CONTROL

2.2.4 Ensure 'O7_DICTIONARY_ACCESSIBILITY' Is Set to 'FALSE'

SYSTEM AND INFORMATION INTEGRITY

2.2.5 Ensure 'OS_ROLES' Is Set to 'FALSE'

ACCESS CONTROL

2.2.6 Ensure 'REMOTE_LISTENER' Is Empty

ACCESS CONTROL, SYSTEM AND INFORMATION INTEGRITY

2.2.7 Ensure 'REMOTE_LOGIN_PASSWORDFILE' Is Set to 'NONE'

ACCESS CONTROL

2.2.8 Ensure 'REMOTE_OS_AUTHENT' Is Set to 'FALSE'

IDENTIFICATION AND AUTHENTICATION

2.2.9 Ensure 'REMOTE_OS_ROLES' Is Set to 'FALSE'

IDENTIFICATION AND AUTHENTICATION

2.2.10 Ensure 'UTL_FILE_DIR' Is Empty

ACCESS CONTROL

2.2.11 Ensure 'SEC_CASE_SENSITIVE_LOGON' Is Set to 'TRUE'

IDENTIFICATION AND AUTHENTICATION

2.2.12 Ensure 'SEC_MAX_FAILED_LOGIN_ATTEMPTS' Is '3' or Less

ACCESS CONTROL

2.2.13 Ensure 'SEC_PROTOCOL_ERROR_FURTHER_ACTION' Is Set to 'DROP,3'

ACCESS CONTROL

2.2.14 Ensure 'SEC_PROTOCOL_ERROR_TRACE_ACTION' Is Set to 'LOG'

AUDIT AND ACCOUNTABILITY

2.2.15 Ensure 'SEC_RETURN_SERVER_RELEASE_BANNER' Is Set to 'FALSE'

ACCESS CONTROL

2.2.16 Ensure 'SQL92_SECURITY' Is Set to 'TRUE'

ACCESS CONTROL

2.2.17 Ensure '_trace_files_public' Is Set to 'FALSE'

ACCESS CONTROL

2.2.18 Ensure 'RESOURCE_LIMIT' Is Set to 'TRUE'

ACCESS CONTROL

3.1 Ensure 'FAILED_LOGIN_ATTEMPTS' Is Less than or Equal to '5'

ACCESS CONTROL

3.2 Ensure 'PASSWORD_LOCK_TIME' Is Greater than or Equal to '1'

ACCESS CONTROL

3.3 Ensure 'PASSWORD_LIFE_TIME' Is Less than or Equal to '90'

ACCESS CONTROL

3.4 Ensure 'PASSWORD_REUSE_MAX' Is Greater than or Equal to '20'

IDENTIFICATION AND AUTHENTICATION

3.5 Ensure 'PASSWORD_REUSE_TIME' Is Greater than or Equal to '365'

IDENTIFICATION AND AUTHENTICATION

3.6 Ensure 'PASSWORD_GRACE_TIME' Is Less than or Equal to '5'

ACCESS CONTROL

3.7 Ensure 'PASSWORD_VERIFY_FUNCTION' Is Set for All Profiles

IDENTIFICATION AND AUTHENTICATION

3.8 Ensure 'SESSIONS_PER_USER' Is Less than or Equal to '10'

ACCESS CONTROL

3.9 Ensure 'INACTIVE_ACCOUNT_TIME' Is Less than or Equal to '120'

ACCESS CONTROL

4.1 Ensure All Default Passwords Are Changed

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION

4.2 Ensure All Sample Data And Users Have Been Removed

ACCESS CONTROL

4.3 Ensure 'DBA_USERS.AUTHENTICATION_TYPE' Is Not Set to 'EXTERNAL' for Any User

IDENTIFICATION AND AUTHENTICATION

4.4 Ensure No Users Are Assigned the 'DEFAULT' Profile

ACCESS CONTROL

4.5 Ensure 'SYS.USER$MIG' Has Been Dropped

IDENTIFICATION AND AUTHENTICATION

4.6 Ensure No Public Database Links Exist

ACCESS CONTROL

5.1.1.1 Ensure 'EXECUTE' is revoked from 'PUBLIC' on 'Network' Packages

ACCESS CONTROL

5.1.1.2 Ensure 'EXECUTE' is revoked from 'PUBLIC' on 'File System' Packages

ACCESS CONTROL

5.1.1.3 Ensure 'EXECUTE' is revoked from 'PUBLIC' on 'Encryption' Packages

ACCESS CONTROL

5.1.1.4 Ensure 'EXECUTE' is revoked from 'PUBLIC' on 'Java' Packages

ACCESS CONTROL

5.1.1.5 Ensure 'EXECUTE' is revoked from 'PUBLIC' on 'Job Scheduler' Packages

ACCESS CONTROL

5.1.1.6 Ensure 'EXECUTE' is revoked from 'PUBLIC' on 'SQL Injection Helper' Packages

ACCESS CONTROL

5.1.2.1 Ensure 'EXECUTE' is not granted to 'PUBLIC' on 'Non-default' Packages

ACCESS CONTROL

5.1.3.1 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'AUD$'

ACCESS CONTROL

5.1.3.2 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'DBA_%'

ACCESS CONTROL

5.1.3.3 Ensure 'ALL' Is Revoked on 'Sensitive' Tables

ACCESS CONTROL

5.2.1 Ensure '%ANY%' Is Revoked from Unauthorized 'GRANTEE'

ACCESS CONTROL

5.2.2 Ensure 'DBA_SYS_PRIVS.%' Is Revoked from Unauthorized 'GRANTEE' with 'ADMIN_OPTION' Set to 'YES'

ACCESS CONTROL

5.2.3 Ensure 'EXECUTE ANY PROCEDURE' Is Revoked from 'OUTLN'

ACCESS CONTROL

5.2.4 Ensure 'EXECUTE ANY PROCEDURE' Is Revoked from 'DBSNMP'

ACCESS CONTROL

5.2.5 Ensure 'SELECT ANY DICTIONARY' Is Revoked from Unauthorized 'GRANTEE'

ACCESS CONTROL

5.2.6 Ensure 'SELECT ANY TABLE' Is Revoked from Unauthorized 'GRANTEE'

ACCESS CONTROL