6.1.17 Ensure the 'TRIGGER' Audit Option Is Enabled

Information

A TRIGGER may be used to modify DML actions or invoke other (recursive) actions when some types of user-initiated actions occur. Enabling this audit option will cause auditing of any attempt, successful or not, to create, drop, enable or disable any schema trigger in any schema regardless of privilege or lack thereof. For enabling and disabling a trigger, it covers both ALTER TRIGGER and ALTER TABLE.

Rationale:

Triggers are often part of schema security, data validation and other critical constraints upon actions and data. A trigger in another schema may be used to escalate privileges, redirect operations, transform data and perform other sorts of perhaps undesired actions. Any unauthorized attempt to create, drop or alter a trigger in another schema may be cause for investigation.

Solution

To remediate this setting, execute the following SQL statement in either the non-multi-tenant database or the container database; it does NOT need to be run in the pluggable database.

AUDIT TRIGGER;

Notes:

There is no current CIS recommendation to audit the use of the system privilege CREATE TRIGGER, as there is for CREATE SYNONYM, CREATE PROCEDURE and some other types of objects, so this is also a scope escalation: it audits such actions in one's own schema as well. However, this is the only way to comprehensively audit things like attempts to create, drop or alter triggers in another user's schema when the user attempting the operation does not hold the required ANY privilege, and these are exactly the sorts of things that should raise a large red flag.

The statement auditing option AUDIT TRIGGER audits almost everything that the three privilege audits (AUDIT CREATE ANY TRIGGER, AUDIT ALTER ANY TRIGGER and AUDIT DROP ANY TRIGGER) do, and in addition audits:

Statements to create, drop, enable or disable a trigger in the user's own schema.

Attempts to create a trigger by a user without the CREATE TRIGGER system privilege.

Attempts to create a trigger in another schema by users without the CREATE ANY TRIGGER privilege.

Attempts to drop a trigger in another schema by users without the DROP ANY TRIGGER privilege.

Attempts to disable or enable a trigger in another schema by users without the ALTER ANY TRIGGER privilege.

The one thing that is audited by one of the three privilege audits but not by AUDIT TRIGGER is ALTER TRIGGER ... COMPILE on a trigger in another user's schema; that is audited by AUDIT ALTER ANY TRIGGER, but only if the user attempting the alteration actually holds the ALTER ANY TRIGGER system privilege. AUDIT TRIGGER only audits ALTER TABLE or ALTER TRIGGER statements used to enable or disable triggers. It does not audit ALTER TRIGGER or ALTER TABLE statements used only with compile options.
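The following is an added worked example, not part of the CIS benchmark text, that puts the Solution and the Notes above together: it enables the TRIGGER statement audit option, verifies the setting in DBA_STMT_AUDIT_OPTS, and then reviews the resulting audit trail for the cases the Notes call out (failed attempts, and attempts against another user's schema). It assumes traditional (non-unified) auditing with the AUDIT_TRAIL parameter set to DB or DB,EXTENDED (SQL_TEXT is only populated with DB,EXTENDED), that the session has the privileges needed to read the DBA_ views, and that the ENABLE TRIGGER and DISABLE TRIGGER action names match the '%TRIGGER%' pattern; the 7-day window is an arbitrary choice.

```sql
-- Added example (not from the CIS benchmark). Assumes traditional auditing
-- with AUDIT_TRAIL = DB or DB,EXTENDED and access to the DBA_ views.

-- 1. Remediation: the benchmark's own statement. Run it in the non-CDB or in
--    the CDB root; it does not need to be repeated in each PDB.
AUDIT TRIGGER;

-- 2. Verification: the option should be set system-wide (USER_NAME and
--    PROXY_NAME both NULL), with SUCCESS and FAILURE both 'BY ACCESS' so
--    that every attempt is recorded, successful or not.
SELECT audit_option, success, failure
  FROM dba_stmt_audit_opts
 WHERE user_name  IS NULL
   AND proxy_name IS NULL
   AND audit_option = 'TRIGGER';
-- In a multitenant database, run the same query against CDB_STMT_AUDIT_OPTS
-- from the root and include CON_ID in the select list.

-- 3. Review: trigger DDL recorded in the audit trail over the last 7 days.
--    RETURNCODE <> 0 marks a failed attempt (for example a user without
--    CREATE ANY TRIGGER targeting another schema); OWNER <> USERNAME marks
--    an attempt on someone else's schema, which the Rationale singles out.
SELECT timestamp,
       username,
       owner,
       obj_name,
       action_name,
       returncode,
       CASE
         WHEN returncode <> 0   THEN 'FAILED'
         WHEN owner <> username THEN 'CROSS-SCHEMA'
         ELSE                        'OWN-SCHEMA'
       END AS review_flag,
       sql_text
  FROM dba_audit_trail
 WHERE timestamp >= SYSDATE - 7
   AND (   action_name LIKE '%TRIGGER%'      -- CREATE/ALTER/DROP/ENABLE/DISABLE TRIGGER
        -- ALTER TABLE ... ENABLE|DISABLE TRIGGER is recorded as ALTER TABLE;
        -- SQL_TEXT is only available when AUDIT_TRAIL = DB,EXTENDED.
        OR (action_name = 'ALTER TABLE' AND UPPER(sql_text) LIKE '%TRIGGER%'))
 ORDER BY timestamp DESC;
```

The verification query returns one row when the option is in place; an empty result means AUDIT TRIGGER has not been set (or was set only for specific users). In the review query, rows flagged FAILED or CROSS-SCHEMA are the ones worth investigating first; OWN-SCHEMA rows are the scope escalation the Notes mention and will usually be routine development activity.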

See Also

https://workbench.cisecurity.org/benchmarks/13413