6.2.18 Ensure the 'SELECT ANY DICTIONARY' Privilege Audit Is Enabled

Information

The SELECT ANY DICTIONARY system privilege allows the user to view the definition of all schema objects in the database. It grants SELECT privileges on the data dictionary objects to the grantees, including SELECTon DBA_ views, V$ views, X$ views and underlying SYS tables such as TAB$ and OBJ$. This privilege also allows grantees to create stored objects such as procedures, packages and views on the underlying data dictionary objects. Please note that this privilege does not grant SELECT on tables with password hashes such as USER$, DEFAULT_PWD$, LINK$, and USER_HISTORY$. Enabling this audit causes logging of activities that exercise this privilege.

Rationale:

Logging and monitoring of all attempts to access a data dictionary, whether successful or unsuccessful, may provide clues and forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving access to the database.

Solution

Execute the following SQL statement to remediate this setting.

ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY
ADD
PRIVILEGES
SELECT ANY DICTIONARY;

Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.

See Also

https://workbench.cisecurity.org/benchmarks/13413