Reference

Table of Contents

Defined types

• ora_secured::controls::access_to_dbms_software_files_and_directories_must_not_be_granted_to_unauthorized_users: For UNIX Systems:
• ora_secured::controls::access_to_default_accounts_used_to_support_replication_must_be_restricted_to_authorized_dbas: From SQL*Plus:
• ora_secured::controls::access_to_external_executables_must_be_disabled_or_restricted: Review the System Security Plan to determine if the use of the external procedure agent is authorized.
• ora_secured::controls::admin_restrictions_is_set_to_on: The admin_restrictions_<listener_name> setting in the `listener.
• ora_secured::controls::administrative_privileges_must_be_assigned_to_database_accounts_via_database_roles: Review accounts for direct assignment of administrative privileges.
• ora_secured::controls::admins_must_utilize_a_separate_distinct_administrative_accnt_when_performing_administrative_act_a: Review permissions for objects owned by DBA or other administrative accounts.
• ora_secured::controls::all_audit_option_on_sys_aud_is_enabled: The logging of attempts to alter the audit trail in the `SYS.
• ora_secured::controls::all_default_passwords_are_changed: Default passwords should not be used by Oracle database users.
• ora_secured::controls::all_is_revoked_from_unauthorized_grantee_on_aud: The Oracle database `SYS.
• ora_secured::controls::all_is_revoked_from_unauthorized_grantee_on_dba: The Oracle database DBA_ views show all information which is relevant to
• ora_secured::controls::all_is_revoked_on_sensitive_tables: The Oracle database tables listed below may contain sensitive information, and
• ora_secured::controls::all_sample_data_and_users_have_been_removed: Oracle sample schemas can be used to create sample users
• ora_secured::controls::all_use_of_privileged_accounts_must_be_audited: Review auditing configuration.
• ora_secured::controls::allocate_audit_record_storage_capacity_in_acc_with_org_def_audit_record_storage_reqs: Review the DBMS settings to determine whether audit logging is configured to produce logs consistent with the amount of space allocated for logging.
• ora_secured::controls::allow_designated_org_personnel_to_select_which_auditable_events_are_to_be_audited_by_db: Check DBMS settings and documentation to determine whether designated personnel are able to select which auditable events are being audited.
• ora_secured::controls::alter_database_link_action_audit_is_enabled: Oracle database links are used to establish database-to-database connections to
• ora_secured::controls::alter_procedure_function_package_package_body_action_audit_is_enabled: Oracle database procedures, functions, packages, and package bodies, which are
• ora_secured::controls::alter_profile_action_audit_is_enabled: Oracle database profiles are used to enforce resource usage limits and implement
• ora_secured::controls::alter_role_action_audit_is_enabled: An Oracle database role is a collection or set of privileges that can be granted
• ora_secured::controls::alter_synonym_action_audit_is_enabled: An Oracle database synonym is used to create an alternative name for a database
• ora_secured::controls::alter_system_audit_option_is_enabled: ALTER SYSTEM allows one to change instance settings, including security settings
• ora_secured::controls::alter_system_is_revoked_from_unauthorized_grantee: The Oracle database ALTER SYSTEM privilege allows the designated user to
• ora_secured::controls::alter_system_privilege_audit_is_enabled: The ALTER SYSTEM privilege allows the user to change instance settings which
• ora_secured::controls::alter_trigger_action_audit_is_enabled: Oracle database triggers are executed automatically when specified conditions on
• ora_secured::controls::alter_user_action_audit_is_enabled: The ALTER USER statement is used to change database users’ password, lock
• ora_secured::controls::any_is_revoked_from_unauthorized_grantee: The Oracle database ANY keyword provides the user the capability to alter any
• ora_secured::controls::app_object_owner_accnts_must_be_disabled_when_not_performing_installation_or_maint_actions: Run the SQL query:
• ora_secured::controls::app_user_priv_assignment_must_be_reviewed_monthly_or_more_frequently_to_ensure_compliance_with_le: Review policy, procedures and implementation evidence to determine if periodic reviews of user privileges by the ISSO are being performed.
• ora_secured::controls::application_owner_accounts_must_have_a_dedicated_application_tablespace: Run the SQL query:
• ora_secured::controls::application_role_permissions_must_not_be_assigned_to_the_oracle_public_role: From SQL*Plus:
• ora_secured::controls::apps_must_obscure_feedback_of_auth_info_during_auth_proc_to_prot_info_frm_possible_exploitation_u: Interview the DBA to determine if any applications that access the database allow for entry of the account name and password on the command line.
• ora_secured::controls::attempts_to_bypass_access_controls_must_be_audited: Review any audit settings for:
• ora_secured::controls::audit_sys_operations_is_set_to_true: The AUDIT_SYS_OPERATIONS setting provides for the auditing of all user
• ora_secured::controls::audit_system_is_revoked_from_unauthorized_grantee: The Oracle database AUDIT SYSTEM privilege allows changes to auditing activities on the system.
• ora_secured::controls::audit_trail_data_must_be_retained_for_at_least_one_year: Review and verify the implementation of an audit trail retention policy.
• ora_secured::controls::audit_trail_data_must_be_reviewed_daily_or_more_frequently: If the database being reviewed is not a production database, this check is not a finding.
• ora_secured::controls::audit_trail_is_set_to_db_xml_os_dbextended_or_xmlextended: The audit_trail setting determines whether or not Oracle's basic audit features
• ora_secured::controls::audsys_aud_unified_access_audit_is_enabled: The `AUDSYS.
• ora_secured::controls::autom_term_emergency_accnts_after_an_org_def_time_period_for_each_type_of_accnt: If the organization has a policy, consistently enforced, forbidding the creation of emergency or temporary accounts, this is not a finding.
• ora_secured::controls::automatically_audit_account_creation: Check Oracle settings (and also OS settings and/or enterprise-level authentication/access mechanisms settings) to determine if account creation is being audited.
• ora_secured::controls::automatically_audit_account_disabling_actions_to_the_extent_such_information_is_available: Check Oracle settings (and also OS settings and/or enterprise-level authentication/access mechanisms settings) to determine if account disabling actions are being audited.
• ora_secured::controls::automatically_audit_account_modification: Check Oracle settings (and also OS settings and/or enterprise-level authentication/access mechanisms settings) to determine if account modification is being audited.
• ora_secured::controls::automatically_audit_account_termination: Check Oracle settings (and also OS settings and/or enterprise-level authentication/access mechanisms settings) to determine if account termination actions are being audited.
• ora_secured::controls::be_prot_frm_unauth_acc_by_devs_on_shared_prod_dev_host_syss: Identify whether any hosts contain both development and production databases.
• ora_secured::controls::be_protected_from_unauthorized_access_by_developers: Check the production system to ensure no developer accounts have rights to modify the production database structure or alter production data.
• ora_secured::controls::become_user_is_revoked_from_unauthorized_grantee: The Oracle database BECOME USER privilege allows the designated user to
• ora_secured::controls::changes_to_configuration_options_must_be_audited: From SQL*Plus:
• ora_secured::controls::changes_to_dbms_security_labels_must_be_audited: If no data is identified as being sensitive or classified by the Information Owner, in the System Security Plan or in the AIS Functional Architecture documentation, this is not a finding.
• ora_secured::controls::check_the_validity_of_data_inputs: Review DBMS code, settings, field definitions, constraints, and triggers to determine whether or not data being input into the database is validated.
• ora_secured::controls::conduct_backups_of_sys_level_info_per_org_def_frequency_that_is_consistent_with_recovery_time_and: Review DBMS and OS backup configuration to determine that system-level data is backed up in according with organization-defined frequency.
• ora_secured::controls::connss_by_mid_tr_web_and_app_syss_to_orcl_dbms_frm_a_dmz_or_ext_netw_must_be_encrpted: Review the System Security Plan for remote applications that access and use the database.
• ora_secured::controls::create_any_library_is_revoked_from_unauthorized_grantee: The Oracle database CREATE ANY LIBRARY privilege allows the designated user to
• ora_secured::controls::create_database_link_action_audit_is_enabled: Oracle database links are used to establish database-to-database connections to
• ora_secured::controls::create_library_is_revoked_from_unauthorized_grantee: The Oracle database CREATE LIBRARY privilege allows the designated user to
• ora_secured::controls::create_procedure_function_package_package_body_action_audit_is_enabled: Oracle database procedures, function, packages, and package bodies, which are
• ora_secured::controls::create_procedure_is_revoked_from_unauthorized_grantee: The Oracle database CREATE PROCEDURE privilege allows the designated user to
• ora_secured::controls::create_profile_action_audit_is_enabled: Oracle database profiles are used to enforce resource usage limits and implement
• ora_secured::controls::create_role_action_audit_is_enabled: An Oracle database role is a collection or set of privileges that can be granted
• ora_secured::controls::create_session_audit_option_is_enabled: Enabling this audit option will cause auditing of all attempts to connect to the
• ora_secured::controls::create_synonym_action_audit_is_enabled: An Oracle database synonym is used to create an alternative name for a database
• ora_secured::controls::create_trigger_action_audit_is_enabled: Oracle database triggers are executed automatically when specified conditions on
• ora_secured::controls::create_user_action_audit_is_enabled: The CREATE USER statement is used to create Oracle database accounts and
• ora_secured::controls::creds_strd_and_used_by_dbms_to_acc_rmt_dbs_or_apps_must_be_auth_and_rstrcted_to_auth_users: Review the list of defined database links generated from the DBMS.
• ora_secured::controls::database_backup_procedures_must_be_defined_documented_and_implemented: Review the database backup procedures and implementation evidence.
• ora_secured::controls::database_data_files_containing_sensitive_information_must_be_encrypted: If the database does not handle sensitive information, this is not a finding.
• ora_secured::controls::database_link_audit_option_is_enabled: Enabling the audit option for the DATABASE LINK object causes all activities on
• ora_secured::controls::database_must_not_be_directly_accessible_from_public_or_unauthorized_networks: Review the System Security Plan to determine if the DBMS serves data to users or applications outside the local enclave.
• ora_secured::controls::database_objects_must_be_owned_by_accounts_authorized_for_ownership: Review system documentation to identify accounts authorized to own database objects.
• ora_secured::controls::database_recovery_procedures_must_be_developed_documented_implemented_and_periodically_tested: Review the testing and verification procedures documented in the system documentation.
• ora_secured::controls::db_job_batch_queues_must_be_reviewed_regularly_to_detect_unauth_db_job_submissions: The DBMS_JOB PL/SQL package has been replaced by DBMS_SCHEDULER in Oracle versions 10.
• ora_secured::controls::db_sw_apps_and_config_files_must_be_mon_to_disc_unauth_changes: Review monitoring procedures and implementation evidence to verify that monitoring of changes to database software libraries, related applications, and configuration files is done.
• ora_secured::controls::db_sw_dirs_including_dbms_config_files_must_be_strd_in_dedicated_dirs_or_dasd_pools_separate_frm: Review the DBMS software library directory and note other root directories located on the same disk directory or any subdirectories.
• ora_secured::controls::dba_is_revoked_from_unauthorized_grantee: The Oracle database DBA role is the default database administrator role
• ora_secured::controls::dba_os_accnts_must_be_grnted_only_those_host_sys_privs_necessary_for_admin_of_dbms: Review host system privileges assigned to the Oracle DBA group and all individual Oracle DBA accounts.
• ora_secured::controls::dba_role_must_not_be_assigned_excessive_or_unauthorized_privileges: Review access permissions for objects owned by application owners or other non-administrative users.
• ora_secured::controls::dba_sys_privs_is_revoked_from_unauthorized_grantee_with_admin_option_set_to_yes: The Oracle database WITH_ADMIN privilege allows the designated user to grant
• ora_secured::controls::dba_users_authentication_type_is_not_set_to_external_for_any_user: The authentication_type='EXTERNAL' setting determines whether or not a user
• ora_secured::controls::dbms_backup_and_restoration_files_must_be_protected_from_unauthorized_access: Review file protections assigned to online backup and restoration files.
• ora_secured::controls::dbms_data_files_transaction_logs_and_audit_files_must_be_strd_in_dedicated_dirs_or_disk_partition: Review the disk/directory specification where database data, transaction log and audit files are stored.
• ora_secured::controls::dbms_default_accounts_must_be_assigned_custom_passwords: Use this query to identify the Oracle-supplied accounts that still have their default passwords:
• ora_secured::controls::dbms_default_accounts_must_be_protected_from_misuse: Review the use of the essential system accounts with the DBA(s).
• ora_secured::controls::dbms_host_plfrm_and_other_dependent_apps_must_be_configed_in_compliance_with_applicable_stig_reqs: If the DBMS host being reviewed is not a production DBMS host, this check is not a finding.
• ora_secured::controls::dbms_itself_or_logging_or_alerting_mechanism_app_utilizes_must_prov_a_warning_when_allocated_audi: Review DBMS, OS, or third-party logging application settings to determine whether a warning will be provided when a specific percentage of log storage capacity is reached.
• ora_secured::controls::dbms_processes_or_services_must_run_under_custom_dedicated_os_accounts: Check OS settings to determine whether DBMS processes are running under a dedicated OS account.
• ora_secured::controls::dbms_prod_app_and_data_dirs_must_be_prot_frm_devs_on_shared_prod_dev_dbms_host_syss: If the DBMS or DBMS host is not shared by production and development activities, this check is not a finding.
• ora_secured::controls::dbms_pwds_must_not_be_strd_in_compiled_encoded_or_encrpted_batch_jobs_or_compiled_encoded_or_encr: Review application source code required to be encoded or encrypted for database accounts used by applications or batch jobs to access the database.
• ora_secured::controls::dbms_software_installation_account_must_be_restricted_to_authorized_users: Review procedures for controlling and granting access to use of the DBMS software installation account.
• ora_secured::controls::dbms_software_libraries_must_be_periodically_backed_up: Review evidence of inclusion of the DBMS libraries in current backup records.
• ora_secured::controls::dbms_symmetric_keys_must_be_prot_in_acc_with_nsa_or_nist_apprvd_key_mgmt_technology_or_procs: If the symmetric key management procedures and configuration settings for the DBMS are not specified in the System Security Plan, this is a finding.
• ora_secured::controls::dbms_utlzng_dac_must_enforce_a_policy_that_incl_or_excl_acc_to_granularity_of_a_single_user: Check DBMS settings and documentation to determine if users are able to assign and revoke rights to the objects and information they own.
• ora_secured::controls::dbms_when_using_pki_based_auth_must_enforce_auth_acc_to_corresponding_private_key: If PKI is not enabled in Oracle Database, this is not a finding.
• ora_secured::controls::dbms_when_utlzng_pki_based_auth_must_validate_certificates_by_constructing_a_certification_path_w: If PKI is not enabled in the Oracle Database, this is not a finding.
• ora_secured::controls::dbs_employed_to_write_data_to_portable_dig_med_must_use_cryptographic_mechs_to_prot_and_rstrct_ac: If data is written to portable media, the data must be protected and access restricted via cryptographic mechanisms.
• ora_secured::controls::dbs_utlzng_dac_must_enforce_a_policy_that_lmts_propagation_of_acc_rights: Verify the DBMS has the ability to grant permissions without the grantee receiving the right to grant those same permissions to another user.
• ora_secured::controls::default_demonstration_and_sample_databases_database_objects_and_applications_must_be_removed: If Oracle is hosted on a server that does not support production systems, and is designated for the deployment of samples and demonstrations, this is not applicable (NA).
• ora_secured::controls::delete_catalog_role_is_revoked_from_unauthorized_grantee: **THIS ROLE IS DEPRECATED IN V12.
• ora_secured::controls::diag_subdir_under_dir_assigned_to_diag_dest_parameter_must_be_prot_frm_unauth_acc: From SQL*Plus:
• ora_secured::controls::dir_assigned_to_audit_file_dest_parameter_must_be_prot_frm_unauth_acc_and_must_be_strd_in_a_dedic: If Standard Auditing is used:
• ora_secured::controls::directory_audit_option_is_enabled: The DIRECTORY object allows for the creation of a directory object that
• ora_secured::controls::dirs_assigned_to_log_archive_dest_parameters_must_be_prot_frm_unauth_acc: From SQL*Plus:
• ora_secured::controls::disable_user_accounts_after_35_days_of_inactivity: If all user accounts are managed and authenticated by the OS or an enterprise-level authentication/access mechanism, and not by Oracle, this is not a finding.
• ora_secured::controls::drop_any_procedure_audit_option_is_enabled: The AUDIT DROP ANY PROCEDURE command is auditing the dropping of procedures.
• ora_secured::controls::drop_database_link_action_audit_is_enabled: Oracle database links are used to establish database-to-database connections to
• ora_secured::controls::drop_procedure_function_package_package_body_action_audit_is_enabled: Oracle database procedures, functions, packages, and package bodies, which are
• ora_secured::controls::drop_profile_action_audit_is_enabled: Oracle database profiles are used to enforce resource usage limits and implement
• ora_secured::controls::drop_role_action_audit_is_enabled: An Oracle database role is a collection or set of privileges that can be granted
• ora_secured::controls::drop_synonym_action_audit_is_enabled: An Oracle database synonym is used to create an alternative name for a database
• ora_secured::controls::drop_trigger_action_audit_is_enabled: Oracle database triggers are executed automatically when specified conditions on
• ora_secured::controls::drop_user_audit_option_is_enabled: The DROP USER statement is used to drop Oracle database accounts and schemas associated with them.
• ora_secured::controls::employ_autom_mechs_to_alert_sec_personnel_of_inappr_or_unusual_act_with_sec_implications: Check DBMS settings to determine whether security personnel are alerted automatically when unusual or security-related activities (threats identified by authoritative sources (e.
• ora_secured::controls::employ_automated_mechanisms_for_supporting_oracle_user_account_management: If all user accounts are authenticated by the OS or an enterprise-level authentication/access mechanism, and not by Oracle, this is not a finding.
• ora_secured::controls::employ_cryptographic_mechs_preventing_unauth_disclosure_of_info_during_transmission_unless_transm: Check DBMS settings to determine whether cryptographic mechanisms are used to prevent the unauthorized disclosure of information during transmission.
• ora_secured::controls::employ_cryptographic_mechs_to_prot_int_and_conf_of_nonlocal_maint_and_diag_comms: Review DBMS configuration to determine if cryptographic mechanisms are being utilized to protect the integrity and confidentiality of nonlocal maintenance and diagnostic communications.
• ora_secured::controls::employ_strong_ident_and_auth_techs_when_esting_nonlocal_maint_and_diag_sess: Review DBMS settings to determine whether strong identification and authentication techniques are required for nonlocal maintenance and diagnostic sessions.
• ora_secured::controls::enforce_apprvd_auths_for_log_acc_to_sys_in_acc_with_applicable_policy: Check DBMS settings to determine whether users are restricted from accessing objects and data they are not authorized to access.
• ora_secured::controls::enforce_dac_policy_allowing_users_to_specify_and_control_sharing_by_named_indivs_groups_of_indivs: Check DBMS settings to determine if users are able to assign and revoke rights to the objects and information that they own.
• ora_secured::controls::enforce_password_maximum_lifetime_restrictions: If all user accounts are authenticated by the OS or an enterprise-level authentication/access mechanism, and not by Oracle, this is not a finding.
• ora_secured::controls::enforce_requirements_for_remote_connections_to_the_information_system: Review organization's access control policies and procedures addressing remote access to the information system.
• ora_secured::controls::ensure_rmt_sess_that_acc_an_org_def_lst_of_sec_funcs_and_sec_rel_info_are_audited: Verify, using vendor and system documentation if necessary, that the DBMS is configured to use Oracle's auditing features, or that a third-party product or custom code is deployed and configured to satisfy this requirement.
• ora_secured::controls::ensure_users_are_auth_with_an_indiv_authenticator_prior_to_using_a_shared_authenticator: Review DBMS settings, OS settings, and/or enterprise-level authentication/access mechanism settings to determine whether shared accounts exist.
• ora_secured::controls::execute_any_procedure_is_revoked_from_dbsnmp: Remove unneeded EXECUTE ANY PROCEDURE privileges from DBSNMP.
• ora_secured::controls::execute_any_procedure_is_revoked_from_outln: Remove unneeded EXECUTE ANY PROCEDURE privileges from OUTLN.
• ora_secured::controls::execute_catalog_role_is_revoked_from_unauthorized_grantee: The Oracle database EXECUTE_CATALOG_ROLE provides EXECUTE privileges for a
• ora_secured::controls::execute_is_not_granted_to_public_on_non_default_packages: The packages described in this control are not granted to PUBLIC by default
• ora_secured::controls::execute_is_revoked_from_public_on_encryption_packages: As described below, Oracle Database PL/SQL "Encryption" packages -
• ora_secured::controls::execute_is_revoked_from_public_on_file_system_packages: As described below, Oracle Database PL/SQL "File System" packages -
• ora_secured::controls::execute_is_revoked_from_public_on_java_packages: As described below, Oracle Database PL/SQL "Java" packages - DBMS_JAVAand
• ora_secured::controls::execute_is_revoked_from_public_on_job_scheduler_packages: As described below, Oracle Database PL/SQL "Job Scheduler" packages -
• ora_secured::controls::execute_is_revoked_from_public_on_network_packages: As described below, Oracle Database PL/SQL "Network" packages - DBMS_LDAP,
• ora_secured::controls::execute_is_revoked_from_public_on_sql_injection_helper_packages: As described below, Oracle Database PL/SQL "SQL Injection Helper Packages"
• ora_secured::controls::exempt_access_policy_is_revoked_from_unauthorized_grantee: The Oracle database EXEMPT ACCESS POLICY keyword provides the user the
• ora_secured::controls::extproc_is_not_present_in_listener_ora: extproc should be removed from the `listener.
• ora_secured::controls::failed_login_attempts_is_less_than_or_equal_to_5: The FAILED_LOGIN_ATTEMPTS setting determines how many failed login attempts
• ora_secured::controls::fixed_user_and_public_database_links_must_be_authorized_for_use: From SQL*Plus:
• ora_secured::controls::gen_audit_recs_for_dod_selected_lst_of_auditable_events_to_extent_such_info_is_avail: Check DBMS settings to determine if auditing is being performed on the events on the DoD-selected list of auditable events that lie within the scope of Oracle audit capabilities:
• ora_secured::controls::global_names_is_set_to_true: The global_names setting requires that the name of a database link matches that
• ora_secured::controls::grant_action_audit_is_enabled: GRANT statements are used to grant privileges to Oracle database users and
• ora_secured::controls::grant_any_object_privilege_audit_option_is_enabled: GRANT ANY OBJECT PRIVILEGE allows the user to grant or revoke any object
• ora_secured::controls::grant_any_object_privilege_is_revoked_from_unauthorized_grantee: The Oracle database GRANT ANY OBJECT PRIVILEGE keyword provides the grantee
• ora_secured::controls::grant_any_privilege_audit_option_is_enabled: GRANT ANY PRIVILEGE allows a user to grant any system privilege, including the
• ora_secured::controls::grant_any_privilege_is_revoked_from_unauthorized_grantee: The Oracle database GRANT ANY PRIVILEGE keyword provides the grantee the
• ora_secured::controls::grant_any_role_is_revoked_from_unauthorized_grantee: The Oracle database GRANT ANY ROLE keyword provides the grantee the capability
• ora_secured::controls::have_its_auditing_configured_to_reduce_the_likelihood_of_storage_capacity_being_exceeded: Review the DBMS settings to determine whether audit logging is configured to produce logs consistent with the amount of space allocated for logging.
• ora_secured::controls::identify_potentially_security_relevant_error_conditions: Check DBMS settings to determine whether security-related error conditions are monitored for, and whether appropriate personnel are notified.
• ora_secured::controls::implement_required_cryptographic_protions_using_cryptographic_modules_complying_with_applicable_f: If encryption is not required for the database, this is not a finding.
• ora_secured::controls::implement_separation_of_duties_through_assigned_information_access_authorizations: Obtain a list of privileges assigned to the DBMS user accounts.
• ora_secured::controls::inactive_account_time_is_less_than_or_equal_to_120: The INACTIVE_ACCOUNT_TIME setting determines the maximum number of days of
• ora_secured::controls::incl_org_def_add_more_det_info_in_audit_recs_for_audit_events_idntfd_by_type_location_or_subject: Verify, using vendor and system documentation if necessary, that the DBMS is configured to use Oracle's auditing features, or that a third-party product or custom code is deployed and configured to satisfy this requirement.
• ora_secured::controls::isolate_security_functions_from_nonsecurity_functions_by_means_of_separate_security_domains: Check DBMS settings to determine whether objects or code implementing security functionality are located in a separate security domain, such as a separate database or schema created specifically for security functionality.
• ora_secured::controls::issm_must_review_changes_to_dba_role_assignments: Review policy and procedures documented or noted in the System Security Plan as well as evidence of implementation for monitoring changes to DBA role assignments and procedures for notifying the ISSM of the changes for review.
• ora_secured::controls::lmt_number_of_concurrent_sess_for_each_sys_accnt_to_an_org_def_number_of_sess: Retrieve the settings for concurrent sessions for each profile with the query:
• ora_secured::controls::lmt_use_of_resources_by_prio_and_not_impede_host_frm_servicing_procs_designated_as_a_higher_prio: Review DBMS settings and documentation to determine if the DBMS restricts resource usage by priority.
• ora_secured::controls::logic_modules_within_db_to_incl_pkgs_procs_funcs_and_trggrs_must_be_mon_to_disc_unauth_changes: Review monitoring procedures and implementation evidence to verify that monitoring of changes to database logic modules is done.
• ora_secured::controls::logon_and_logoff_actions_audit_is_enabled: Oracle database users log on to the database to perform their work.
• ora_secured::controls::manage_resources_to_lmt_effects_of_info_flooding_types_of_denial_of_service_dos_incidents: Review Oracle user profiles.
• ora_secured::controls::map_the_authenticated_identity_to_the_user_account_using_pki_based_authentication: Review DBMS configuration to verify DBMS user accounts are being mapped directly to authenticated identity information being passed via the PKI.
• ora_secured::controls::minimum_of_two_orcl_control_files_must_be_def_and_configed_to_be_strd_on_separate_archived_disks: From SQL*Plus:
• ora_secured::controls::minimum_of_two_orcl_redo_log_groups_files_must_be_def_and_configed_to_be_strd_on_separate_archive: From SQL*Plus:
• ora_secured::controls::network_access_to_the_dbms_must_be_restricted_to_authorized_personnel: IP address restriction may be defined for the database listener, by use of the Oracle Connection Manager or by an external network device.
• ora_secured::controls::network_client_connections_must_be_restricted_to_supported_versions: ora_secured::controls::network_client_connections_must_be_restricted_to_supported_versions Note: The SQLNET.ALLOWED_LOGON_VERSION parameter
• ora_secured::controls::no_public_database_links_exist: Public Database links are used to allow connections between databases.
• ora_secured::controls::no_users_are_assigned_the_default_profile: Upon creation database users are assigned to the DEFAULT profile unless
• ora_secured::controls::not_share_a_host_supporting_an_independent_security_service: Review the services and processes active on the DBMS host system.
• ora_secured::controls::notify_appropriate_individuals_when_account_disabling_actions_are_taken: Check DBMS settings to determine whether it will notify appropriate individuals when account disabling actions are taken.
• ora_secured::controls::notify_appropriate_individuals_when_accounts_are_created: Check DBMS settings to determine whether it will notify appropriate individuals when accounts are created.
• ora_secured::controls::notify_appropriate_individuals_when_accounts_are_modified: Check DBMS settings to determine whether it will notify appropriate individuals when accounts are modified.
• ora_secured::controls::notify_appropriate_individuals_when_accounts_are_terminated: Check DBMS settings to determine whether it will notify appropriate individuals when accounts are terminated.
• ora_secured::controls::o7_dictionary_accessibility_is_set_to_false: The O7_dictionary_accessibility setting is a database initialization parameter
• ora_secured::controls::object_permissions_granted_to_public_must_be_restricted: A default Oracle Database installation provides a set of predefined administrative accounts and non-administrative accounts.
• ora_secured::controls::only_auth_sys_accnts_must_have_sys_tablespace_specified_as_default_tablespace: Run the query:
• ora_secured::controls::only_gen_error_messages_that_prov_info_necessary_for_corrective_actions_without_revealing_org_def: Check DBMS settings and custom database and application code to verify error messages do not contain information beyond what is needed for troubleshooting the issue.
• ora_secured::controls::oracle_application_administration_roles_must_be_disabled_if_not_required_and_authorized: Run the SQL query:
• ora_secured::controls::oracle_instance_names_must_not_contain_oracle_version_numbers: From SQL*Plus:
• ora_secured::controls::oracle_listener_must_be_configured_to_require_administration_authentication: If a listener is not running on the local database host server, this check is not a finding.
• ora_secured::controls::oracle_must_back_up_user_level_information_per_a_defined_frequency: Review DBMS settings and site documentation to determine whether Oracle is configured to back up user-level data according to a defined frequency.
• ora_secured::controls::oracle_remote_os_authent_parameter_must_be_set_to_false: From SQL*Plus:
• ora_secured::controls::oracle_remote_os_roles_parameter_must_be_set_to_false: From SQL*Plus:
• ora_secured::controls::oracle_roles_granted_using_the_with_admin_option_must_not_be_granted_to_unauthorized_accounts: A default Oracle Database installation provides a set of predefined administrative accounts and non-administrative accounts.
• ora_secured::controls::oracle_software_must_be_evaluated_and_patched_against_newly_found_vulnerabilities: When the Quarterly CPU is released, check the CPU Notice and note the specific patch number for the system.
• ora_secured::controls::oracle_sql92_security_parameter_must_be_set_to_true: From SQL*Plus:
• ora_secured::controls::oracle_trace_files_public_parameter_if_present_must_be_set_to_false: From SQL*Plus:
• ora_secured::controls::orcl_db_must_off_load_audit_data_to_a_separate_log_mgmt_facility_this_must_be_continuous_and_in_n: Review the system documentation for a description of how audit records are off-loaded.
• ora_secured::controls::orcl_pwd_file_ownership_and_permissions_should_be_lmted_and_rmt_login_pwdfile_parameter_must_be_s: From SQL*Plus:
• ora_secured::controls::orcl_with_grnt_option_priv_must_not_be_grnted_to_non_dba_or_non_app_admin_user_accnts: Execute the query:
• ora_secured::controls::os_accounts_utilized_to_run_external_procedures_called_by_the_dbms_must_have_limited_privileges: Determine which OS accounts are used by the DBMS to run external procedures.
• ora_secured::controls::os_must_lmt_privs_to_change_dbms_sw_resident_within_sw_libs_including_privd_programs: Review permissions that control access to the DBMS software libraries.
• ora_secured::controls::os_roles_is_set_to_false: The os_roles setting permits externally created groups to be applied to database management.
• ora_secured::controls::owners_of_privileged_accounts_must_use_non_privileged_accounts_for_non_administrative_activities: Review procedures and practices.
• ora_secured::controls::password_grace_time_is_less_than_or_equal_to_5: The PASSWORD_GRACE_TIME setting determines how many days can pass after the
• ora_secured::controls::password_life_time_is_less_than_or_equal_to_90: The PASSWORD_LIFE_TIME setting determines how long a password may be used
• ora_secured::controls::password_lock_time_is_greater_than_or_equal_to_1: The PASSWORD_LOCK_TIME setting determines how many days must pass for the
• ora_secured::controls::password_reuse_max_is_greater_than_or_equal_to_20: The PASSWORD_REUSE_MAX setting determines how many different passwords must be
• ora_secured::controls::password_reuse_time_is_greater_than_or_equal_to_365: The PASSWORD_REUSE_TIME setting determines the amount of time in days that
• ora_secured::controls::password_verify_function_is_set_for_all_profiles: The PASSWORD_VERIFY_FUNCTION determines password settings requirements when a
• ora_secured::controls::plans_and_procs_for_testing_dbms_installations_upgrades_and_patches_must_be_def_and_followed_prio: Review policy and procedures documented or noted in the System Security Plan and evidence of implementation for testing DBMS installations, upgrades and patches prior to production deployment.
• ora_secured::controls::preserve_any_organization_defined_system_state_information_in_the_event_of_a_system_failure: If the database is used solely for transient data (such as one dedicated to Extract-Transform-Load (ETL)), and a clear plan exists for the recovery of the database by means other than archiving, this is not a finding.
• ora_secured::controls::prevent_presentation_of_info_sys_mgmt_related_functionality_at_an_interface_utilized_by_general_i: Check DBMS settings and vendor documentation to verify administrative functionality is separate from user functionality.
• ora_secured::controls::prevent_unauthorized_and_unintended_information_transfer_via_shared_system_resources: Verify there are proper procedures in place for the refreshing of development/test data from production.
• ora_secured::controls::procedure_audit_option_is_enabled: In this statement audit, PROCEDURE means any procedure, function, package or
• ora_secured::controls::procs_and_rstctns_for_import_of_prod_data_to_dev_dbs_must_be_doc_impl_and_followed: If the database being reviewed is not a production database or does not contain sensitive data, this check is not a finding.
• ora_secured::controls::procs_for_esting_tmp_pwds_that_meet_dod_pwd_reqs_for_new_accnts_must_be_def_doc_and_impl: If all user accounts are authenticated by the OS or an enterprise-level authentication/access mechanism, and not by Oracle, this is not a finding.
• ora_secured::controls::procs_services_apps_etc_that_connect_to_dbms_independently_of_indiv_users_must_use_valid_current: Review configuration to confirm that accounts used by processes to connect to the DBMS are authenticated using valid, current DoD-issued PKI certificates.
• ora_secured::controls::produce_audit_records_containing_sufficient_information_to_establish_where_the_events_occurred: Verify, using vendor and system documentation if necessary, that the DBMS is configured to use Oracle's auditing features, or that a third-party product or custom code is deployed and configured to satisfy this requirement.
• ora_secured::controls::produce_audit_recs_cont_suff_info_to_est_id_of_any_user_subject_or_proc_ass_with_event: Verify, using vendor and system documentation if necessary, that the DBMS is configured to use Oracle's auditing features, or that a third-party product or custom code is deployed and configured to satisfy this requirement.
• ora_secured::controls::produce_audit_recs_cont_suff_info_to_est_outcome_success_or_failure_of_events: Verify, using vendor and system documentation if necessary, that the DBMS is configured to use Oracle's auditing features, or that a third-party product or custom code is deployed and configured to satisfy this requirement.
• ora_secured::controls::produce_audit_recs_cont_suff_info_to_est_sources_origins_of_events: Verify, using vendor and system documentation if necessary, that the DBMS is configured to use Oracle's auditing features, or that a third-party product or custom code is deployed and configured to satisfy this requirement.
• ora_secured::controls::produce_audit_recs_cont_suff_info_to_est_what_type_of_events_occurred: Verify, using vendor and system documentation if necessary, that the DBMS is configured to use Oracle's auditing features, or that a third-party product or custom code is deployed and configured to satisfy this requirement.
• ora_secured::controls::produce_audit_recs_cont_suff_info_to_est_when_date_and_time_events_occurred: Verify, using vendor and system documentation if necessary, that the DBMS is configured to use Oracle's auditing features, or that a third-party product or custom code is deployed and configured to satisfy this requirement.
• ora_secured::controls::profile_audit_option_is_enabled: The PROFILE object allows for the creation of a set of database resource
• ora_secured::controls::prot_against_an_indiv_who_uses_a_shared_accnt_falsely_denying_having_perfd_a_particular_action: If there are no shared accounts available to more than one user, this is not a finding.
• ora_secured::controls::prot_against_or_lmt_effects_of_org_def_types_of_denial_of_service_dos_attacks: Review DBMS settings to verify the DBMS implements measures to limit the effects of the organization-defined types of Denial of Service (DoS) attacks.
• ora_secured::controls::prot_audit_recs_gen_as_a_result_of_rmt_acc_to_privd_accnts_and_execution_of_privd_funcs: If Standard Auditing is used:
• ora_secured::controls::protect_audit_data_records_and_integrity_by_using_cryptographic_mechanisms: Review DBMS settings to determine whether the DBMS is using cryptographic mechanisms to protect audit data records and integrity.
• ora_secured::controls::protect_audit_information_from_any_type_of_unauthorized_access: Review locations of audit logs, both internal to the database and database audit logs located at the operating system-level.
• ora_secured::controls::protect_audit_information_from_unauthorized_deletion: Review locations of audit logs, both internal to the database and database audit logs located at the operating system-level.
• ora_secured::controls::protect_audit_information_from_unauthorized_modification: Review locations of audit logs, both internal to the database and database audit logs located at the operating system-level.
• ora_secured::controls::protect_audit_tools_from_unauthorized_access: Review access permissions to tools used to view or modify audit log data.
• ora_secured::controls::protect_audit_tools_from_unauthorized_deletion: Review access permissions to tools used to view or modify audit log data.
• ora_secured::controls::protect_audit_tools_from_unauthorized_modification: Review access permissions to tools used to view or modify audit log data.
• ora_secured::controls::protect_the_integrity_of_publicly_available_information_and_applications: Determine whether the database houses and distributes information to the public.
• ora_secured::controls::prov_a_mechanism_to_autom_identify_accnts_designated_as_tmp_or_emergency_accnts: : If the organization has a policy, consistently enforced, forbidding the creation of emergency or temporary accounts, this is not a finding.
• ora_secured::controls::prov_audit_record_generation_cap_for_org_def_auditable_events_within_db: Verify, using vendor and system documentation if necessary, that the DBMS is configured to use Oracle's auditing features, or that a third-party product or custom code is deployed and configured to satisfy this requirement.
• ora_secured::controls::prov_cap_to_autom_proc_audit_recs_for_events_of_interest_based_upon_selectable_event_criteria: Review the system (OS, applications external to Oracle, and/or a separate log aggregation and query server) to determine whether it provides the ability to automatically process audit records for events based on selectable event criteria.
• ora_secured::controls::provide_a_mechanism_to_automatically_remove_or_disable_temporary_user_accounts_after_72_hours: If the organization has a policy, consistently enforced, forbidding the creation of emergency or temporary accounts, this is not a finding.
• ora_secured::controls::provide_a_real_time_alert_when_organization_defined_audit_failure_events_occur: Review Oracle Corp.
• ora_secured::controls::provide_a_report_generation_capability_for_audit_reduction_data: Verify that audit reduction capabilities are in place for the Oracle audit data.
• ora_secured::controls::provide_an_audit_log_reduction_capability: Verify that audit reduction capabilities are in place for the Oracle audit data.
• ora_secured::controls::public_database_link_audit_option_is_enabled: The PUBLIC DATABASE LINK object allows for the creation of a public link for
• ora_secured::controls::public_synonym_audit_option_is_enabled: The PUBLIC SYNONYM object allows for the creation of an alternate description of
• ora_secured::controls::recovery_procs_and_technical_sys_features_must_exist_to_ensure_recovery_is_done_in_a_secure_and_v: Review DBMS recovery procedures and technical system features to determine if mechanisms exist and are in place to specify use of trusted files during DBMS recovery.
• ora_secured::controls::remote_administration_must_be_disabled_for_the_oracle_connection_manager: View the cman.
• ora_secured::controls::remote_administrative_access_to_the_database_must_be_monitored_by_the_isso_or_issm: If remote administrative access to the database is prohibited and is disabled, this check is not a finding.
• ora_secured::controls::remote_database_or_other_external_access_must_use_fully_qualified_names: From SQL*Plus:
• ora_secured::controls::remote_dbms_administration_must_be_documented_and_authorized_or_disabled: Review the System Security Plan for authorization, assignments and usage procedures for remote DBMS administration.
• ora_secured::controls::remote_listener_is_empty: The remote_listener setting determines whether or not a valid listener can be
• ora_secured::controls::remote_login_passwordfile_is_set_to_none: The remote_login_passwordfile setting specifies whether or not Oracle checks
• ora_secured::controls::remote_os_authent_is_set_to_false: The remote_os_authent setting determines whether or not OS 'roles' with the
• ora_secured::controls::remote_os_roles_is_set_to_false: The remote_os_roles setting permits remote users' OS roles to be applied to
• ora_secured::controls::replication_accounts_must_not_be_granted_dba_privileges: If a review of the System Security Plan confirms the use of replication is not required, not permitted and the database is not configured for replication, this check is not a finding.
• ora_secured::controls::resource_limit_is_set_to_true: RESOURCE_LIMIT determines whether resource limits are enforced in database
• ora_secured::controls::restrict_error_messages_so_only_authorized_personnel_may_view_them: Check DBMS settings and custom database code to determine if error messages are ever displayed to unauthorized individuals:
• ora_secured::controls::restrict_grants_to_sensitive_information_to_authorized_user_roles: Obtain a list of privileges assigned to user accounts.
• ora_secured::controls::revoke_action_audit_is_enabled: REVOKE statements are used to revoke privileges from Oracle database users and
• ora_secured::controls::role_audit_option_is_enabled: The ROLE object allows for the creation of a set of privileges that can be
• ora_secured::controls::rstrct_ability_of_users_to_launch_denial_of_service_dos_attacks_against_other_info_syss_or_netws: Review DBMS settings and custom database code to determine whether the DBMS or database application code could be used to launch DoS attacks.
• ora_secured::controls::rstrct_acc_to_sys_tables_and_other_config_info_or_metadata_to_dbas_or_other_auth_users: Review user privileges to system tables and configuration data stored in the Oracle database.
• ora_secured::controls::sec_case_sensitive_logon_is_set_to_true: The SEC_CASE_SENSITIVE_LOGON information determines whether or not
• ora_secured::controls::sec_max_failed_login_attempts_is_3_or_less: The SEC_MAX_FAILED_LOGIN_ATTEMPTS parameter determines how many failed login
• ora_secured::controls::sec_protocol_error_further_action_is_set_to_drop3: The SEC_PROTOCOL_ERROR_FURTHER_ACTION setting determines the Oracle server's
• ora_secured::controls::sec_protocol_error_trace_action_is_set_to_log: The SEC_PROTOCOL_ERROR_TRACE_ACTION setting determines the Oracle's server's
• ora_secured::controls::sec_return_server_release_banner_is_set_to_false: The information about patch/update release number provides information about the
• ora_secured::controls::secure_control_is_set_in_listener_ora: The SECURE_CONTROL_<listener_name> setting determines the type of control
• ora_secured::controls::secure_register_is_set_to_tcps_or_ipc: The SECURE_REGISTER_<listener_name> setting specifies the protocols used to
• ora_secured::controls::select_any_dictionary_audit_option_is_enabled: The SELECT ANY DICTIONARY capability allows the user to view the definitions of
• ora_secured::controls::select_any_dictionary_is_revoked_from_unauthorized_grantee: The Oracle database SELECT ANY DICTIONARY privilege allows the designated user
• ora_secured::controls::select_any_dictionary_privilege_audit_is_enabled: The SELECT ANY DICTIONARY system privilege allows the user to view the
• ora_secured::controls::select_any_table_is_revoked_from_unauthorized_grantee: The Oracle database SELECT ANY TABLE privilege allows the designated user to
• ora_secured::controls::select_catalog_role_is_revoked_from_unauthorized_grantee: The Oracle database SELECT_CATALOG_ROLE provides SELECT privileges on all
• ora_secured::controls::sensitive_data_strd_in_db_must_be_idntfd_in_sys_sec_plan_and_ais_functional_arch_doc: If no sensitive or classified data is stored in the database, listed in the System Security Plan and listed in the AIS Functional Architecture documentation, this check is not a finding.
• ora_secured::controls::sensitive_info_frm_prod_db_exports_must_be_modified_before_import_to_a_dev_db: If the database being reviewed is a production database, this check is not a finding.
• ora_secured::controls::separate_user_functionality_including_user_interface_services_frm_db_mgmt_functionality: Check DBMS settings and vendor documentation to verify administrative functionality is separate from user functionality.
• ora_secured::controls::sessions_per_user_is_less_than_or_equal_to_10: The SESSIONS_PER_USER setting determines the maximum number of user sessions
• ora_secured::controls::set_the_maximum_number_of_consecutive_invalid_logon_attempts_to_three: The limit on the number of consecutive failed logon attempts is defined in the profile assigned to a user.
• ora_secured::controls::single_database_connection_configuration_file_must_not_be_used_to_configure_all_database_clients: Review procedures for providing database connection information to users/user workstations.
• ora_secured::controls::sql92_security_is_set_to_true: The SQL92_SECURITY parameter setting TRUE requires that a user must also be
• ora_secured::controls::supp_enforcement_of_log_acc_rstctns_ass_with_changes_to_dbms_config_and_to_db_itself: Review DBMS settings and vendor documentation to ensure the database supports and does not interfere with enforcement of logical access restrictions associated with changes to the DBMS configuration and to the database itself.
• ora_secured::controls::supp_org_reqs_to_encrpt_info_strd_in_db_and_info_extr_or_dervd_frm_db_and_strd_on_dig_med: If encryption is not required for the database and data derived from it, this is not a finding.
• ora_secured::controls::supp_org_reqs_to_enforce_number_of_characters_that_get_changed_when_pwds_are_changed: If all user accounts are managed and authenticated by the OS or an enterprise-level authentication/access mechanism, and not by Oracle, this is not a finding.
• ora_secured::controls::supp_org_reqs_to_enforce_pwd_complexity_by_number_of_lower_case_characters_used: If all user accounts are managed and authenticated by the OS or an enterprise-level authentication/access mechanism, and not by Oracle, this is not a finding.
• ora_secured::controls::supp_org_reqs_to_enforce_pwd_complexity_by_number_of_numeric_characters_used: If all user accounts are managed and authenticated by the OS or an enterprise-level authentication/access mechanism, and not by Oracle, this is not a finding.
• ora_secured::controls::supp_org_reqs_to_enforce_pwd_complexity_by_number_of_special_characters_used: If all user accounts are managed and authenticated by the OS or an enterprise-level authentication/access mechanism, and not by Oracle, this is not a finding.
• ora_secured::controls::supp_org_reqs_to_enforce_pwd_complexity_by_number_of_upper_case_characters_used: If all user accounts are managed and authenticated by the OS or an enterprise-level authentication/access mechanism, and not by Oracle, this is not a finding.
• ora_secured::controls::supp_org_reqs_to_prhbt_pwd_reuse_for_org_def_number_of_generations: If all user accounts are authenticated by the OS or an enterprise-level authentication/access mechanism, and not by Oracle, this is not a finding.
• ora_secured::controls::supp_org_reqs_to_spec_prhbt_or_rstrct_use_of_unauth_funcs_ports_protocols_and_or_services: Review the DBMS settings for functions, ports, protocols, and services that are not approved.
• ora_secured::controls::supp_req_to_back_up_audit_data_and_recs_onto_a_diff_sys_or_med_than_sys_being_audited_on_an_org_d: Check with the database administrator, storage administrator or system administrator, as applicable at the site, to verify that Oracle is configured EITHER to perform backups of the audit data specifically, OR, with appropriate permissions granted, to permit a third-party tool to do so.
• ora_secured::controls::supp_taking_org_def_lst_of_least_disruptive_actions_to_term_suspicious_events: Obtain the CC/S/A/FA's list of suspicious event types and the actions to be taken in response, ordered from least disruptive to last resort.
• ora_secured::controls::support_organizational_requirements_to_enforce_minimum_password_length: If all user accounts are authenticated by the OS or an enterprise-level authentication/access mechanism, and not by Oracle, this is not a finding.
• ora_secured::controls::support_organizational_requirements_to_enforce_password_encryption_for_storage: (Oracle stores and displays its passwords in encrypted form.
• ora_secured::controls::support_the_disabling_of_network_protocols_deemed_by_the_organization_to_be_nonsecure: Review the PPSM Technical Assurance List to acquire an up-to-date list of network protocols deemed nonsecure.
• ora_secured::controls::synonym_audit_option_is_enabled: The SYNONYM operation allows for the creation of an alternative name for a
• ora_secured::controls::sys_privs_grnted_using_with_admin_option_must_not_be_grnted_to_unauth_user_accnts: A default Oracle Database installation provides a set of predefined administrative accounts and non-administrative accounts.
• ora_secured::controls::sys_user_mig_has_been_dropped: The table `sys.
• ora_secured::controls::system_grant_audit_option_is_enabled: Enabling the audit option for the SYSTEM GRANT object causes auditing of any
• ora_secured::controls::system_privileges_must_not_be_granted_to_public: From SQL*Plus:
• ora_secured::controls::take_needed_steps_to_prot_data_at_rest_and_ensure_conf_and_int_of_app_data: If the application owner and Authorizing Official have determined that encryption of data at rest is NOT required, this is not a finding.
• ora_secured::controls::term_netw_conns_ass_with_a_comms_session_at_end_of_session_or_15_minutes_of_inactivity: Review DBMS settings, OS settings, and vendor documentation to verify network connections are terminated when a database communications session is ended or after 15 minutes of inactivity.
• ora_secured::controls::term_user_sess_upon_user_logoff_or_any_other_org_or_policy_def_session_termination_events_such_as: Review DBMS settings and vendor documentation to verify user sessions are terminated upon user logout.
• ora_secured::controls::trace_files_public_is_set_to_false: The _trace_files_public setting determines whether or not the system's trace
• ora_secured::controls::trigger_audit_option_is_enabled: A TRIGGER may be used to modify DML actions or invoke other (recursive)
• ora_secured::controls::unauthorized_database_links_must_not_be_defined_and_active: From SQL*Plus:
• ora_secured::controls::uniquely_identify_and_authenticate_non_org_users_or_procs_acting_on_behalf_of_non_org_users: Review DBMS settings to determine whether non-organizational users are uniquely identified and authenticated when logging onto the system.
• ora_secured::controls::uniquely_identify_and_authenticate_org_users_or_procs_acting_on_behalf_of_org_users: Review DBMS settings, OS settings, and/or enterprise-level authentication/access mechanism settings, and site practices, to determine whether organizational users are uniquely identified and authenticated when logging on to the system.
• ora_secured::controls::unused_database_components_dbms_software_and_database_objects_must_be_removed: Run this query to produce a list of components and features installed with the database:
• ora_secured::controls::unused_db_components_that_are_integrated_in_dbms_and_cannot_be_uninstalled_must_be_disabled: Run this query to check to see what integrated components are installed in the database:
• ora_secured::controls::use_multifactor_authentication_for_local_access_to_non_privileged_accounts: Review DBMS settings, OS settings, and/or enterprise-level authentication/access mechanism settings to determine whether users logging on to non-privileged accounts locally are required to use multifactor authentication.
• ora_secured::controls::use_multifactor_authentication_for_local_access_to_privileged_accounts: Review DBMS settings, OS settings, and/or enterprise-level authentication/access mechanism settings to determine whether users logging on to privileged accounts locally are required to use multifactor authentication.
• ora_secured::controls::use_multifactor_authentication_for_network_access_to_non_privileged_accounts: Review DBMS settings, OS settings, and/or enterprise-level authentication/access mechanism settings to determine whether users logging on to non-privileged accounts via a network are required to use multifactor authentication.
• ora_secured::controls::use_multifactor_authentication_for_network_access_to_privileged_accounts: Review DBMS settings, OS settings, and/or enterprise-level authentication/access mechanism settings to determine whether users logging on to privileged accounts via a network are required to use multifactor authentication.
• ora_secured::controls::use_nist_validated_fips_140_2_compliant_cryptography_for_authentication_mechanisms: Check the following settings to see if FIPS 140-2 authentication/encryption is configured.
• ora_secured::controls::use_of_external_executables_must_be_authorized: Review the database for definitions of application executable objects stored external to the database.
• ora_secured::controls::use_of_the_dbms_installation_account_must_be_logged: Review documented and implemented procedures for monitoring the use of the DBMS software installation account in the System Security Plan.
• ora_secured::controls::use_of_the_dbms_software_installation_account_must_be_restricted: Review system documentation to identify the installation account.
• ora_secured::controls::use_org_def_replay_resistant_auth_mechs_for_netw_acc_to_non_privd_accnts: Review DBMS settings to determine whether organization-defined replay-resistant authentication mechanisms for network access to non-privileged accounts exist.
• ora_secured::controls::use_org_def_replay_resistant_auth_mechs_for_netw_acc_to_privd_accnts: Review DBMS settings, OS settings, and/or enterprise-level authentication/access mechanism settings to determine whether organization-defined replay-resistant authentication mechanisms for network access to privileged accounts exist.
• ora_secured::controls::user_audit_option_is_enabled: The USER object allows for creating accounts that can interact with the
• ora_secured::controls::utl_file_dir_is_empty
• ora_secured::controls::verify_account_lockouts_persist_until_reset_by_an_administrator: The account lockout duration is defined in the profile assigned to a user.
• ora_secured::controls::verify_there_have_not_been_unauthorized_changes_to_the_dbms_software_and_information: Verify the DBMS system initialization/parameter files and software is included in the configuration of any third-party software or custom scripting at the OS level to perform integrity verification.
• ora_secured::controls::when_using_command_line_tools_such_as_orcl_sqlplus_which_can_accept_a_plain_text_pwd_users_must_u: For Oracle SQL*Plus, which cannot be configured not to accept a plain-text password, and any other essential tool with the same limitation, verify that the system documentation explains the need for the tool, who uses it, and any relevant mitigations; and that AO approval has been obtained.
• ora_secured::ensure_cis: defined type ora_secured::ensure_cis
• ora_secured::ensure_set: defined type ora_secured::ensure_set
• ora_secured::ensure_stig: defined type ora_secured
• ora_secured::internal::audit_option: See the file "LICENSE" for the full license governing this code. Set the init.ora param to the specfied value $title audit option inc
• ora_secured::internal::audit_policy: See the file "LICENSE" for the full license governing this code. Set the specific property of a profile $title iprofile setting inclu
• ora_secured::internal::parameter: See the file "LICENSE" for the full license governing this code. Set the init.ora param to the specfied value $title init,.ora parame
• ora_secured::internal::profile_setting: See the file "LICENSE" for the full license governing this code. Set the specific property of a profile $title iprofile setting inclu
• ora_secured::internal::revoke_admin_role_grants: See the file "LICENSE" for the full license governing this code. Revoke specific system grants to the specfied resources $sid the gra
• ora_secured::internal::revoke_admin_user_grants: See the file "LICENSE" for the full license governing this code. Revoke specific system grants to the specfied resources $sid the gra
• ora_secured::internal::revoke_public_grants: See the file "LICENSE" for the full license governing this code. Revoke public grants to the specfied resources $title the grant incl
• ora_secured::internal::revoke_role_rights: See the file "LICENSE" for the full license governing this code. Revoke public grants to the specfied resources $title the grant incl
• ora_secured::internal::revoke_specific_system_grant: See the file "LICENSE" for the full license governing this code. Revoke specific system grants to the specfied resources $sid the gra
• ora_secured::internal::revoke_user_rights: See the file "LICENSE" for the full license governing this code. Revoke public grants to the specfied resources $title the grant incl

Resource types

• ora_secured_setup: Start the setup for applying ora_secured classes.

Functions

• ora_secured::default_doc_version: Determins the CIS default doc_version based on the product_version.
• ora_secured::default_product_version: : determine the benchmark to be used for the manifest
• ora_secured::filter_controls: Filter the list of controls based on the which database it will be applied to
• ora_secured::lookup_setting: This function uses its current scope te infer what CIS rule is called on what SID.
• ora_secured::random_id: Create a random id based on letters.
• ora_secured::validate_cis_versions: Validate if the specified product_version and doc_version is an existing combination.
• ora_secured::validate_stig_versions: Validate if the specified product_version and doc_version is an existing combination.

Defined types

ora_secured::controls::access_to_dbms_software_files_and_directories_must_not_be_granted_to_unauthorized_users

ora_secured::controls::access_to_dbms_software_files_and_directories_must_not_be_granted_to_unauthorized_users

log on using the Oracle software owner account and enter the command:

umask

If the value returned is 022 or more restrictive, this is not a finding.

If the value returned is less restrictive than 022, this is a finding.

The first number sets the mask for user/owner file permissions. The second number sets the mask for group file permissions. The third number sets file permission mask for other users. The list below shows the available settings:

0 = read/write/execute 1 = read/write 2 = read/execute 3 = read 4 = write/execute 5 = write 6 = execute 7 = no permissions

Setting the umask to 022 effectively sets files for user/owner to read/write, group to read and other to read. Directories are set for user/owner to read/write/execute, group to read/execute and other to read/execute.

For Windows Systems: Review the permissions that control access to the Oracle installation software directories (e.g. \Program Files\Oracle).

DBA accounts, the DBMS process account, the DBMS software installation/maintenance account, SA accounts if access by them is required for some operational level of support such as backups, and the host system itself require access.

Compare the access control employed with that documented in the System Security Plan.

If access controls do not match the documented requirement, this is a finding.

If access controls appear excessive without justification, this is a finding.

Set the umask of the Oracle software owner account to 022. Determine the shell being used for the Oracle software owner account:

env | grep -i shell

Startup files for each shell are as follows (located in users $HOME directory):

C-Shell (CSH) = .cshrc Bourne Shell (SH) = .profile Korn Shell (KSH) = .kshrc TC Shell (TCS) = .tcshrc BASH Shell = .bash_profile or .bashrc

Edit the shell startup file for the account and add or modify the line:

umask 022

Log off and logon, then enter the umask command to confirm the setting.

Note: To effect this change for all Oracle processes, a reboot of the DBMS server may be required.

For Windows Systems: Restrict access to the DBMS software libraries to the fewest accounts that clearly require access based on job function.

Document authorized access controls and justify any access grants that do not fall under DBA, DBMS process, ownership, or SA accounts.

Skipping

To deliberately skip this control (e.g. meaning don't use Puppet to enforce this setting), we provide you with three ways:

1) Add ora_secured::controls::access_to_dbms_software_files_and_directories_must_not_be_granted_to_unauthorized_users: skip to your hiera data. This will skip this control for ALL databases. 2) Add ora_secured::controls::access_to_dbms_software_files_and_directories_must_not_be_granted_to_unauthorized_users::dbname: skip to your hiera data. This will skip this control for specified database only. 3) Add an entry with the content access_to_dbms_software_files_and_directories_must_not_be_granted_to_unauthorized_users to the array value ora_secured::skip_list in your hiera data.

Benchmarks

This control is used in the following benchmarks:

• Oracle Database 12c CIS V1 - id V-61511

See the file "LICENSE" for the full license governing this code.

Parameters

The following parameters are available in the ora_secured::controls::access_to_dbms_software_files_and_directories_must_not_be_granted_to_unauthorized_users defined type:

• title

title

The SID to apply the control to. All controls need an SID to apply the control to. Here is a simple example:

ora_secured::controls::control_name { 'DBSID':}

In this example, the string DBSID is the sid to apply the control to.

ora_secured::controls::access_to_default_accounts_used_to_support_replication_must_be_restricted_to_authorized_dbas

ora_secured::controls::access_to_default_accounts_used_to_support_replication_must_be_restricted_to_authorized_dbas

select 'The number of replication objects defined is: '|| count(*) from all_tables where table_name like 'REPCAT%';

If the count returned is 0, then Oracle Replication is not installed and this check is not a finding.

Otherwise:

select count(*) from sys.dba_repcatlog;

If the count returned is 0, then Oracle Replication is not in use and this check is not a finding.

If any results are returned, ask the ISSO or DBA if the replication account (the default is REPADMIN, but may be customized) is restricted to ISSO-authorized personnel only.

If it is not, this is a finding.

If there are multiple replication accounts, confirm that all are justified and documented with the ISSO.

If they are not, this is a finding.

Note: Oracle Database Advanced Replication is deprecated in Oracle Database 12c. Use Oracle GoldenGate to replace all features of Advanced Replication, including multimaster replication, updatable materialized views, hierarchical materialized views, and deployment templates.

Change the password for default and custom replication accounts and provide the password to ISSO-authorized users only.

Skipping

To deliberately skip this control (e.g. meaning don't use Puppet to enforce this setting), we provide you with three ways:

1) Add ora_secured::controls::access_to_default_accounts_used_to_support_replication_must_be_restricted_to_authorized_dbas: skip to your hiera data. This will skip this control for ALL databases. 2) Add ora_secured::controls::access_to_default_accounts_used_to_support_replication_must_be_restricted_to_authorized_dbas::dbname: skip to your hiera data. This will skip this control for specified database only. 3) Add an entry with the content access_to_default_accounts_used_to_support_replication_must_be_restricted_to_authorized_dbas to the array value ora_secured::skip_list in your hiera data.

Benchmarks

This control is used in the following benchmarks:

• Oracle Database 12c CIS V1 - id V-61411

See the file "LICENSE" for the full license governing this code.

Parameters

The following parameters are available in the ora_secured::controls::access_to_default_accounts_used_to_support_replication_must_be_restricted_to_authorized_dbas defined type:

• title

title

The SID to apply the control to. All controls need an SID to apply the control to. Here is a simple example:

ora_secured::controls::control_name { 'DBSID':}

In this example, the string DBSID is the sid to apply the control to.

ora_secured::controls::access_to_external_executables_must_be_disabled_or_restricted

ora_secured::controls::access_to_external_executables_must_be_disabled_or_restricted

Review the ORACLE_HOME/bin directory or search the ORACLE_BASE path for the executable extproc (UNIX) or extproc.exe (Windows).

If external procedure agent is not authorized for use in the System Security Plan and the executable file does not exist or is restricted, this is not a finding.

If external procedure agent is not authorized for use in the System Security Plan and the executable file exists and is not restricted, this is a finding.

If use of the external procedure agent is authorized, ensure extproc is restricted to execution of authorized applications.

External jobs are run using the account nobody by default.

Review the contents of the file ORACLE_HOME/rdbms/admin/externaljob.ora for the lines run_user= and run_group=.

If the user assigned to these parameters is not "nobody", this is a finding.

For versions 11.1 and later, the external procedure agent (extproc executable) is available directly from the database and does not require definition in the listener.ora file for use.

Review the contents of the file ORACLE_HOME/hs/admin/extproc.ora.

If the file does not exist, this is a finding.

If the following entry does not appear in the file, this is a finding:

EXTPROC_DLLS=ONLY:[dll full file name1]:[dll full file name2]:..

[dll full file name] represents a full path and file name.

This list of file names is separated by ":".