Detections
Analytics

DG0141-ORACLE11 - Attempts to bypass access controls should be audited.

Information

Configuring proper auditing is critical to recording any malicious events or detecting when attacks on the database occur. Auditing can be turned on for any SQL statement or any use of a system privilege. Auditing can be enabled for all users (system wide) or for specific users. You may indicate whether one audit record for each access to an object or one audit record for the entire session is generated. You can enable auditing for commands that result in success, commands that result in failure, or both. Not all audit options can be audited by session. Audit options set using the BY SESSION clause for those actions that will not produce a session audit record will default to BY ACCESS.

Solution

There are three types of auditable events: 1) Use of system privileges, 2) Use of object privileges, and 3) Issuance of statements. Activating some auditing options sometimes activates others. For example, the use of a system privilege requires the issuance of a system command. Auditing for use of the privilege also audits for the statement.

Configure auditing for Oracle using the following script. If the Check reports audit option names not included in this script, augment it with one additional statement per option reported:

From SQL*Plus:
 audit all by access;
 audit all privileges by access;
 audit alter database link by access;
 audit alter java class by access;
 audit alter java resource by access;
 audit alter java source by access;
 audit alter mining model by access;
 audit alter public database link by access;
 audit alter sequence by access;
 audit alter table by access;
 audit comment edition by access;
 audit comment mining model by access;
 audit comment table by access;
 audit create java class by access;
 audit create java resource by access;
 audit create java source by access;
 audit debug procedure by access;
 audit drop java class by access;
 audit drop java resource by access;
 audit drop java source by access;
 audit execute assembly;
 audit exempt access policy by access;
 audit exempt identity policy by access;
 audit grant directory by access;
 audit grant edition by access;
 audit grant mining model by access;
 audit grant procedure by access;
 audit grant sequence by access;
 audit grant table by access;
 audit grant type by access;
 audit sysdba by access;
 audit sysoper by access;

The following SQL statements will disable audits set by the commands above that are not required:

 noaudit execute library;
 audit rename on default by access;

If application objects have already been created, then the audit rename on object statement should be issued for all application objects.

From SQL*Plus:

 audit rename on [application object name] by access;

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_Database_11g_Y21M10_STIG.zip

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-12c., CAT|II, Rule-ID|SV-24801r3_rule, STIG-ID|DG0141-ORACLE11, Vuln-ID|V-15644

Plugin: OracleDB

Control ID: 71872c142826079f3039e7a113f5baf3fc05326e8250ae4057fadc27c1017305