CIS Oracle Server 18c DB Traditional Auditing v1.1.0

Audit Details

Name: CIS Oracle Server 18c DB Traditional Auditing v1.1.0

Updated: 6/17/2024

Authority: CIS

Plugin: OracleDB

Revision: 1.2

Estimated Item Count: 82

File Details

Filename: CIS_Oracle_Server_18c_v1.1.0_L1_Database_Traditional.audit

Size: 308 kB

MD5: 26d9206c673c2794102c88e4287756bf
SHA256: e60a60e9996f5ac2a1d3ccf61bceb193bbc2ed9e926ecbbbc84da0816b91eacc

Audit Items

Description | Categories
1.1 Ensure the Appropriate Version/Patches for Oracle Software Is Installed

CONFIGURATION MANAGEMENT

2.2.1 Ensure 'AUDIT_SYS_OPERATIONS' Is Set to 'TRUE'

AUDIT AND ACCOUNTABILITY

2.2.2 Ensure 'AUDIT_TRAIL' Is Set to 'DB', 'XML', 'OS', 'DB,EXTENDED', or 'XML,EXTENDED'

AUDIT AND ACCOUNTABILITY

2.2.3 Ensure 'GLOBAL_NAMES' Is Set to 'TRUE'

ACCESS CONTROL

2.2.4 Ensure 'OS_ROLES' Is Set to 'FALSE'

ACCESS CONTROL

2.2.5 Ensure 'REMOTE_LISTENER' Is Empty

SYSTEM AND INFORMATION INTEGRITY

2.2.6 Ensure 'REMOTE_LOGIN_PASSWORDFILE' Is Set to 'NONE'

IDENTIFICATION AND AUTHENTICATION

2.2.7 Ensure 'REMOTE_OS_AUTHENT' Is Set to 'FALSE'

IDENTIFICATION AND AUTHENTICATION

2.2.8 Ensure 'REMOTE_OS_ROLES' Is Set to 'FALSE'

IDENTIFICATION AND AUTHENTICATION

2.2.9 Ensure 'SEC_CASE_SENSITIVE_LOGON' Is Set to 'TRUE'

IDENTIFICATION AND AUTHENTICATION

2.2.10 Ensure 'SEC_MAX_FAILED_LOGIN_ATTEMPTS' Is '3' or Less

ACCESS CONTROL

2.2.11 Ensure 'SEC_PROTOCOL_ERROR_FURTHER_ACTION' Is Set to '(DROP,3)'

ACCESS CONTROL

2.2.12 Ensure 'SEC_PROTOCOL_ERROR_TRACE_ACTION' Is Set to 'LOG'

AUDIT AND ACCOUNTABILITY

2.2.13 Ensure 'SEC_RETURN_SERVER_RELEASE_BANNER' Is Set to 'FALSE'

ACCESS CONTROL

2.2.14 Ensure 'SQL92_SECURITY' Is Set to 'TRUE'

ACCESS CONTROL

2.2.15 Ensure '_trace_files_public' Is Set to 'FALSE'

ACCESS CONTROL

2.2.16 Ensure 'RESOURCE_LIMIT' Is Set to 'TRUE'

ACCESS CONTROL

2.2.17 Ensure 'PDB_OS_CREDENTIAL' is NOT null

ACCESS CONTROL

3.1 Ensure 'FAILED_LOGIN_ATTEMPTS' Is Less than or Equal to '5'

ACCESS CONTROL

3.2 Ensure 'PASSWORD_LOCK_TIME' Is Greater than or Equal to '1'

ACCESS CONTROL

3.3 Ensure 'PASSWORD_LIFE_TIME' Is Less than or Equal to '90'

ACCESS CONTROL

3.4 Ensure 'PASSWORD_REUSE_MAX' Is Greater than or Equal to '20'

IDENTIFICATION AND AUTHENTICATION

3.5 Ensure 'PASSWORD_REUSE_TIME' Is Greater than or Equal to '365'

IDENTIFICATION AND AUTHENTICATION

3.6 Ensure 'PASSWORD_GRACE_TIME' Is Less than or Equal to '5'

ACCESS CONTROL

3.7 Ensure 'PASSWORD_VERIFY_FUNCTION' Is Set for All Profiles

IDENTIFICATION AND AUTHENTICATION

3.8 Ensure 'SESSIONS_PER_USER' Is Less than or Equal to '10'

ACCESS CONTROL

3.9 Ensure 'INACTIVE_ACCOUNT_TIME' Is Less than or Equal to '120'

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION

4.1 Ensure All Default Passwords Are Changed

IDENTIFICATION AND AUTHENTICATION

4.2 Ensure All Sample Data And Users Have Been Removed

ACCESS CONTROL

4.3 Ensure 'DBA_USERS.AUTHENTICATION_TYPE' Is Not Set to 'EXTERNAL' for Any User

IDENTIFICATION AND AUTHENTICATION

4.4 Ensure No Users Are Assigned the 'DEFAULT' Profile

ACCESS CONTROL

4.5 Ensure 'SYS.USER$MIG' Has Been Dropped

IDENTIFICATION AND AUTHENTICATION

4.6 Ensure No Public Database Links Exist

ACCESS CONTROL

5.1.1.1 Ensure 'EXECUTE' is revoked from 'PUBLIC' on 'Network' Packages - Network Packages

ACCESS CONTROL

5.1.1.2 Ensure 'EXECUTE' is revoked from 'PUBLIC' on 'File System' Packages - File System Packages

ACCESS CONTROL

5.1.1.3 Ensure 'EXECUTE' is revoked from 'PUBLIC' on 'Encryption' Packages - Encryption Packages

ACCESS CONTROL

5.1.1.4 Ensure 'EXECUTE' is revoked from 'PUBLIC' on 'Java' Packages - Java Packages

ACCESS CONTROL

5.1.1.5 Ensure 'EXECUTE' is revoked from 'PUBLIC' on 'Job Scheduler' Packages - Job Scheduler Packages

ACCESS CONTROL

5.1.1.6 Ensure 'EXECUTE' is revoked from 'PUBLIC' on 'SQL Injection Helper' Packages - SQL Injection Helper Packages

ACCESS CONTROL

5.1.1.7 Ensure 'EXECUTE' is revoked from 'PUBLIC' on 'DBMS_CREDENTIAL' Package

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

5.1.2.1 Ensure 'EXECUTE' is not granted to 'PUBLIC' on 'Non-default' Packages - Non-default Packages

ACCESS CONTROL

5.1.3.1 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'AUD$'

ACCESS CONTROL

5.1.3.2 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'DBA_%'

ACCESS CONTROL

5.1.3.3 Ensure 'ALL' Is Revoked on 'Sensitive' Tables

ACCESS CONTROL

5.2.1 Ensure '%ANY%' Is Revoked from Unauthorized 'GRANTEE'

ACCESS CONTROL

5.2.2 Ensure 'DBA_SYS_PRIVS.%' Is Revoked from Unauthorized 'GRANTEE' with 'ADMIN_OPTION' Set to 'YES'

ACCESS CONTROL

5.2.3 Ensure 'EXECUTE ANY PROCEDURE' Is Revoked from 'OUTLN'

ACCESS CONTROL

5.2.4 Ensure 'EXECUTE ANY PROCEDURE' Is Revoked from 'DBSNMP'

ACCESS CONTROL

5.2.5 Ensure 'SELECT ANY DICTIONARY' Is Revoked from Unauthorized 'GRANTEE'

ACCESS CONTROL

5.2.6 Ensure 'SELECT ANY TABLE' Is Revoked from Unauthorized 'GRANTEE'

ACCESS CONTROL