6.1.2 Ensure the 'ROLE' Audit Option Is Enabled

Information

The ROLE object allows for the creation of a set of privileges that can be granted to users or other roles. Enabling the audit option causes auditing of all attempts, successful or not, to create, drop, alter or set roles.

Roles are a key database security infrastructure component. Any attempt to create, drop or alter a role should be audited. This statement auditing option also audits attempts, successful or not, to set a role in a session. Any unauthorized attempts to create, drop or alter a role may be worthy of investigation. Attempts to set a role by users without the role privilege may warrant investigation.

Solution

To remediate this setting, execute the following SQL statement in either the non multi-tenant or container database, it does NOT need run in the pluggable.

AUDIT ROLE;

See Also

https://workbench.cisecurity.org/benchmarks/11760