https://docs.oracle.com/cd/E24628_01/doc.121/e36074/rac_db.htm#EMDBC582
Oracle Real Application Cluster Database Compliance Standards
These are the compliance rules for the Oracle Application Cluster Database compliance standards. The compliance standards are:3.1 Basic Security Configuration for Oracle Cluster Database
The compliance rules for the Basic Security Configuration for Oracle Cluster Database standard follow.3.1.1 Oracle Net Client Log Directory Permission
Description: Ensures that the client log directory is a valid directory owned by Oracle set with no permissions to public.Severity: Critical
Rationale: Log files provide information contained in an error stack. An error stack refers to the information that is produced by each layer in an Oracle communications stack as the result of a network error. The information in log files can reveal important network and database connection details. Allowing access to the log directory can expose the log files to public scrutiny.
3.1.2 Oracle Net Client Trace Directory Permission
Description: Ensures that the client trace directory is a valid directory owned by Oracle set with no permissions to public.Severity: Critical
Rationale: Tracing produces a detailed sequence of statements that describe network events as they are executed. Tracing an operation enables you to obtain more information on the internal operations of the components of Oracle Net Services than is provided in a log file. The information in this file can reveal important network and database connection details. Allowing access to the log directory can expose the log files to public scrutiny.
3.1.3 Oracle Home File Permission
Description: Ensures that all files in the ORACLE_HOME directories (except for ORACLE_HOME/bin) do not have public read, write, and execute permissions.Severity: Warning
Rationale: Incorrect file permissions on some of the Oracle files can cause major security issues.
3.1.4 Audit File Destination (Windows)
Description: Ensures that access to the audit files directory is restricted to the owner of the Oracle software set and the DBA group.Severity: Critical
Rationale: The AUDIT_FILE_DEST initialization parameter specifies the directory where the Oracle auditing facility creates the audit files. Giving public read permission to this directory may reveal important information such as logging information of startup, shutdown, and privileged connections.
3.1.5 Oracle Net Client Trace Directory Permission (Windows)
Description: Ensures that the client trace directory is a valid directory owned by Oracle set with no permissions to public.Severity: Critical
Rationale: Tracing produces a detailed sequence of statements that describe network events as they are executed. Tracing an operation enables you to obtain more information on the internal operations of the components of Oracle Net Services than is provided in a log file. The information in this file can reveal important network and database connection details. Allowing access to the log directory can expose the log files to public scrutiny.
3.1.6 Remote OS Authentication
Description: Ensures REMOTE_OS_AUTHENT initialization parameter is set to FALSE.Severity: Critical
Rationale: A malicious user can gain access to the database if remote OS authentication is allowed.
3.1.7 PROTOCOL ERROR TRACE ACTION
Description: Ensures that the sec_protocol_error_trace_action parameter is set to either LOG or ALERT.Severity: Critical
Rationale: SEC_PROTOCOL_ERROR_TRACE_ACTION specifies the action that the database should take when bad packets are received from a possibly malicious client. NONE should not be used as the database server ignores the bad packets and does not generate any trace files or log messages. If default value TRACE is used then the database server generates a detailed trace file and should only be used when debugging.
3.1.8 Password Locking Time
Description: Ensures PASSWORD_LOCK_TIME is set to a reasonable number of days for all profiles.Severity: Warning
Rationale: Having a low value increases the likelihood of Denial of Service attacks.
3.1.9 Access to SYS.USER_HISTORY$ Table
Description: Ensures restricted access to SYS.USER_HISTORY$ table.Severity: Minor Warning
Rationale: User name and password hash may be read from the SYS.USER_HISTORY$ table, enabling a hacker to launch a brute-force attack.
3.1.10 Access to SYS.USER$ Table
Description: Ensures restricted access to SYS.USER$ table.Severity: Minor Warning
Rationale: User name and password hash may be read from the SYS.USER$ table, enabling a hacker to launch a brute-force attack.
3.1.11 Access to SYS.SOURCE$ Table
Description: Ensures restricted access to SYS.SOURCE$ table.Severity: Minor Warning
Rationale: Contains source of all stored packages units in the database.
3.1.12 Restricted Privilege to Execute UTL_HTTP
Description: Ensures PUBLIC does not have execute privileges on the UTL_HTTP package.Severity: Critical
Rationale: Privileges granted to the PUBLIC role automatically apply to all users. A malicious user can gain access to email, network, and http modules using the EXECUTE privilege.
3.1.13 IDLE TIME
Description: Ensures that users profile settings IDLE_TIME have appropriate value set for the particular database and application.Severity: Critical
Rationale: Idle sessions held open for excessive periods of time can consume system resources and cause a denial of service for other users of the Oracle database. Limit the maximum number of minutes a session can idle.
3.1.14 Oracle Home Executable Files Owner
Description: Ensures that the ownership of all files and directories in the ORACLE_HOME/bin folder is the same as the Oracle software installation owner.Severity: Critical
Rationale: Incorrect file permissions on some of the Oracle files can cause major security issues.
3.1.15 Oracle Home File Permission
Description: Ensures that all files in the ORACLE_HOME directories (except for ORACLE_HOME/bin) do not have public read, write and execute permissions.Severity: Warning
Rationale: Incorrect file permissions on some of the Oracle files can cause major security issues.
3.1.16 Oracle Net Server Trace Directory Permission
Description: Ensures that the server trace directory is a valid directory owned by Oracle set with no permissions to public.Severity: Critical
Rationale: Tracing produces a detailed sequence of statements that describe network events as they are executed. Tracing an operation enables you to obtain more information on the internal operations of the components of Oracle Net Services than is provided in a log file. The information in this file can reveal important network and database connection details. Allowing access to the log directory can expose the log files to public scrutiny.
3.1.17 Enable Database Auditing
Description: Ensures database auditing is enabled.Severity: Minor Warning
Rationale: The AUDIT_TRAIL parameter enables or disables database auditing. Auditing enhances security because it enforces accountability, provides evidence of misuse, and is frequently required for regulatory compliance. Auditing also enables system administrators to implement enhanced protections, early detection of suspicious activities, and finely-tuned security responses.
3.1.18 Oracle Home Datafile Permission
Description: Ensures that access to the datafiles is restricted to the owner of the Oracle software set and the DBA groupSeverity: Critical
Rationale: The datafiles contain all the database data. If datafiles are readable to public, they can be read by a user who has no database privileges on the data.
3.1.19 Oracle Home Datafile Permission (Windows)
Description: Ensures that access to the datafiles is restricted to the owner of the Oracle software set and the DBA group.Severity: Critical
Rationale: The datafiles contain all the database data. If datafiles are readable to public, they can be read by a user who has no database privileges on the data.
3.1.20 Control File Permission (Windows)
Description: Ensures that access to the control files directory is restricted to the owner of the Oracle software set and the DBA group.Severity: Critical
Rationale: Control files are binary configuration files that control access to data files. Control files are stored in the directory specified by the CONTROL_FILES initialization parameter. A public write privilege on this directory could pose a serious security risk.
3.1.21 Access to DBA_ROLES View
Description: Ensures restricted access to DBA_ROLES view.Severity: Minor Warning
Rationale: DBA_ROLES view contains details of all roles in the database. Knowledge of the structure of roles in the database can be taken advantage of by a malicious user.
3.1.22 Server Parameter File Permission
Description: Ensures that access to the server parameter file is restricted to the owner of the Oracle software set and the DBA group.Severity: Critical
Rationale: A server parameter file (SPFILE) lets you store and manage your initialization parameters persistently in a server-side disk file. A publicly accessible SPFILE can be scanned for sensitive initialization parameters exposing the security policies of the database. The SPFILE can also be searched for the weaknesses of the Oracle database configuration setting.
3.1.23 Core Dump Destination
Description: Ensures that access to the core dump files directory is restricted to the owner of the Oracle software set and the DBA group.Severity: Critical
Rationale: Core dump files are stored in the directory specified by the CORE_DUMP_DEST initialization parameter. A public read privilege on this directory could expose sensitive information from the core dump files.
3.1.24 Initialization Parameter File Permission (Windows)
Description: Ensures that access to the initialization parameter file is restricted to the owner of the Oracle software set and the DBA group.Severity: Warning
Rationale: Oracle traditionally stores initialization parameters in a text initialization parameter file. A publicly accessible initialization parameter file can be scanned for sensitive initialization parameters exposing the security policies of the database. The IFILE can also be searched for the weaknesses of the Oracle database configuration setting.
3.1.25 User Dump Destination (Windows)
Description: Ensures that access to the trace files directory is restricted to the owner of the Oracle software set and the DBA group.Severity: Critical
Rationale: The trace files for server processes are stored in the directory specified by the USER_DUMP_DEST initialization parameter. Giving public read permission to this directory may reveal important and sensitive internal details of the database and applications.
3.1.26 Oracle Net Server Trace Directory Permission (Windows)
Description: Ensures that the server trace directory is a valid directory owned by Oracle set with no permissions to public.Severity: Critical
Rationale: Tracing produces a detailed sequence of statements that describe network events as they are executed. Tracing an operation enables you to obtain more information on the internal operations of the components of Oracle Net Services than is provided in a log file. The information in this file can reveal important network and database connection details. Allowing access to the log directory can expose the log files to public scrutiny.
3.1.27 Auditing of SYS Operations Enabled
Description: Ensures sessions for users who connect as SYS are fully audited.Severity: Warning
Rationale: The AUDIT_SYS_OPERATIONS parameter enables or disables the auditing of operations issued by user SYS, and users connecting with SYSDBA or SYSOPER privileges.
3.1.28 Utility File Directory Initialization Parameter Setting
Description: Ensures that the Utility File Directory (UTL_FILE_DIR) initialization parameter is not set to one of '*', '.', core dump trace file locations.Severity: Critical
Rationale: Specifies the directories which the UTL_FILE package can access. Having the parameter set to asterisk (*), period (.), or to sensitive directories, could expose them to all users having execute privilege on the UTL_FILE package.
3.1.29 Password Life Time
Description: Ensures that all profiles have PASSWORD_LIFE_TIME set to a reasonable number of days.Severity: Warning
Rationale: A long password life time gives hackers a long time to try and cook the password. May cause serious database security issues.
3.1.30 Access to DBA_USERS View
Description: Ensures restricted access to DBA_USERS view.Severity: Minor Warning
Rationale: Contains user password hashes and other account information. Access to this information can be used to mount brute-force attacks.
3.1.31 Server Parameter File Permission (Windows)
Description: Ensures that access to the server parameter file is restricted to the owner of the Oracle software set and the DBA group.Severity: Critical
Rationale: A server parameter file (SPFILE) lets you store and manage your initialization parameters persistently in a server-side disk file. A publicly accessible SPFILE can be scanned for sensitive initialization parameters exposing the security policies of the database. The SPFILE can also be searched for the weaknesses of the Oracle database configuration setting.
3.1.32 Oracle Net Client Log Directory Permission (Windows)
Description: Ensures that the client log directory is a valid directory owned by Oracle set with no permissions to public.Severity: Critical
Rationale: Log files provide information contained in an error stack. An error stack refers to the information that is produced by each layer in an Oracle communications stack as the result of a network error. The information in log files can reveal important network and database connection details. Allowing access to the log directory can expose the log files to public scrutiny.
3.1.33 Using Externally Identified Accounts
Description: Ensures that the OS authentication prefix is set to a value other than OPS$.Severity: Warning
Rationale: The OS_AUTHENT_PREFIX parameter specifies a prefix used to authenticate users attempting to connect to the server. When a connection request is attempted, Oracle compares the prefixed user name with user names in the database. Using a prefix, especially OPS$, tends to result in an insecure configuration as an account can be authenticated either as an operating system user or with the password used in the IDENTIFIED BY clause. Attackers are aware of this and will attack these accounts.
3.1.34 Control File Permission
Description: Ensures that access to the control files directory is restricted to the owner of the Oracle software set and the DBA group.Severity: Critical
Rationale: Control files are binary configuration files that control access to data files. Control files are stored in the directory specified by the CONTROL_FILES initialization parameter. A public write privilege on this directory could pose a serious security risk.
3.1.35 Access to STATS$SQLTEXT Table
Description: Ensures restricted access to STATS$SQLTEXT table.Severity: Minor Warning
Rationale: This table provides full text of the recently-executed SQL statements. The SQL statements can reveal sensitive information.
3.1.36 Initialization Parameter File Permission
Description: Ensures that access to the initialization parameter file is restricted to the owner of the Oracle software set and the DBA group.Severity: Warning
Rationale: Oracle traditionally stores initialization parameters in a text initialization parameter file. A publicly accessible initialization parameter file can be scanned for sensitive initialization parameters exposing the security policies of the database. The IFILE can also be searched for the weaknesses of the Oracle database configuration setting.
3.1.37 Audit File Destination
Description: Ensures that access to the audit files directory is restricted to the owner of the Oracle software set and the DBA group.Severity: Critical
Rationale: The AUDIT_FILE_DEST initialization parameter specifies the directory where the Oracle auditing facility creates the audit files. Giving public read permission to this directory may reveal important information such as logging information of startup, shutdown, and privileged connections.
3.1.38 Background Dump Destination (Windows)
Description: Ensures that access to the trace files directory is restricted to the owner of the Oracle software set and the DBA group.Severity: Critical
Rationale: Background processes such as the log writer process and the database writer process use trace files to record occurrences and exceptions of database operations, as well as errors. The trace files are stored in the directory specified by the BACKGROUND_DUMP_DEST initialization parameter. Giving public read permission to this directory may reveal important and sensitive internal details of the database and applications.
3.1.39 PROTOCOL ERROR FURTHER ACTION
Description: Ensures that the SEC_PROTOCOL_ERROR_FURTHER_ACTION parameter is set to either DROP or DELAY.Severity: Critical
Rationale: If default value CONTINUE is used the server process continues execution even if bad packets are received. The database server may be subject to a Denial of Service (DoS) if bad packets continue to be sent by a malicious client.
3.1.40 Access to DBA_TAB_PRIVS View
Description: Ensures restricted access to DBA_TAB_PRIVS view.Severity: Minor Warning
Rationale: Lists privileges granted to users or roles on objects in the database. Knowledge of the structure of roles in the database can be taken advantage of by a malicious user.
3.1.41 Access to STATS$SQL_SUMMARY Table
Description: Ensures that access to the trace files directory is restricted to the owner of the Oracle software set and the DBA group.Severity: Critical
Rationale: The trace files for server processes are stored in the directory specified by the USER_DUMP_DEST initialization parameter. Giving public read permission to this directory may reveal important and sensitive internal details of the database and applications.
3.1.42 Allowed Logon Version
Description: Ensures that the server allows logon from clients with a matching version or higher only.Severity: Warning
Rationale: Setting the parameter SQLNET.ALLOWED_LOGON_VERSION in sqlnet.ora to a version lower than the server version will force the server to use a less secure authentication protocol.
3.1.43 Well Known Accounts
Description: Checks for accessibility of well-known accounts.Severity: Warning
Rationale: A knowledgeable malicious user can gain access to the database using a well-known account.
3.1.44 Access to DBA_ROLE_PRIVS View
Description: Ensures restricted access to DBA_ROLE_PRIVS view.Severity: Minor Warning
Rationale: The DBA_ROLE_PRIVS view lists the roles granted to users and other roles. Knowledge of the structure of roles in the database can be taken advantage of by a malicious user.
3.1.45 Access to SYS.AUD$ Table
Description: Ensures restricted access to SYS.AUD$ table.Severity: Minor Warning
Rationale: A knowledgeable and malicious user can gain access to sensitive audit information.
3.1.46 Access to STATS$SQL_SUMMARY Table
Description: Ensures restricted access to STATS$SQL_SUMMARY table.Severity: Minor Warning
Rationale: Contains first few lines of SQL text of the most resource intensive commands given to the server. SQL statements executed without bind variables can show up here exposing privileged information.
3.1.47 Use of Appropriate Umask on UNIX systems
Description: On UNIX systems, ensures that the owner of the Oracle software has an appropriate umask value of 022 set.Severity: Warning
Rationale: If umask is not set to an appropriate value (like 022), log or trace files might become accessible to public exposing sensitive information.
3.1.48 Core Dump Destination (Windows)
Description: Ensures that access to the core dump files directory is restricted to the owner of the Oracle software set and the DBA group.Severity: Critical
Rationale: Core dump files are stored in the directory specified by the CORE_DUMP_DEST initialization parameter. A public read privilege on this directory could expose sensitive information from the core dump files.
3.1.49 Data Dictionary Protected
Description: Ensures data dictionary protection is enabled.Severity: Critical
Rationale: The 07_DICTIONARY_ACCESSIBILITY parameter controls access to the data dictionary. Setting the 07_DICTIONARY_ACCESSIBILITY to TRUE allows users with ANY system privileges to access the data dictionary. As a result, these user accounts can be exploited to gain unauthorized access to data.
3.1.50 Default Passwords
Description: Ensures there are no default passwords for known accounts.Severity: Warning
Rationale: A malicious user can gain access to the database using default passwords.
3.1.51 Password Complexity Verification Function Usage
Description: Ensures PASSWORD_VERIFY_FUNCTION resource for the profile is set.Severity: Critical
Rationale: Having passwords that do not meet minimum complexity requirements offer substantially less protection than complex passwords.
3.1.52 Access to DBA_SYS_PRIVS View
Description: Ensures restricted access to DBA_SYS_PRIVS view.Severity: Minor Warning
Rationale: DBA_SYS_PRIVS view can be queried to find system privileges granted to roles and users. Knowledge of the structure of roles in the database can be taken advantage of by a malicious user.
3.1.53 Execute Privileges on DBMS_JOB to PUBLIC
Description: Ensures PUBLIC is not granted EXECUTE privileges on DBMS_JOB package.Severity: Critical
Rationale: Granting EXECUTE privilege to PUBLIC on DBMS_JOB package allows users to schedule jobs on the database.
3.1.54 Execute Privileges on DBMS_SYS_SQL to PUBLIC
Description: Ensures PUBLIC is not granted EXECUTE privileges on DBMS_SYS_SQL package.Severity: Critical
Rationale: The DBMS_SYS_SQL package can be used to run PL/SQL and SQL as the owner of the procedure rather than the caller.
3.1.55 Restricted Privilege to Execute UTL_TCP
Description: Ensures PUBLIC does not have execute privileges on the UTL_TCP package.Severity: Critical
Rationale: Privileges granted to the PUBLIC role automatically apply to all users. A malicious user can gain access to email, network, and http modules using the EXECUTE privilege.
3.1.56 Oracle Net Server Log Directory Permission
Description: Ensures that the server log directory is a valid directory owned by Oracle set with no permissions to public.Severity: Critical
Rationale: Log files provide information contained in an error stack. An error stack refers to the information that is produced by each layer in an Oracle communications stack as the result of a network error. The information in log files can reveal important network and database connection details. Allowing access to the log directory can expose the log files to public scrutiny.
3.1.57 Oracle Net Server Log Directory Permission (Windows)
Description: Ensures that the server log directory is a valid directory owned by Oracle set with no permissions to public.Severity: Critical
Rationale: Log files provide information contained in an error stack. An error stack refers to the information that is produced by each layer in an Oracle communications stack as the result of a network error. The information in log files can reveal important network and database connection details. Allowing access to the log directory can expose the log files to public scrutiny.
3.1.58 Remote OS Role
Description: Ensures REMOTE_OS_ROLES initialization parameter is set to FALSE.Severity: Critical
Rationale: A malicious user can gain access to the database if remote users can be granted privileged roles.
3.1.59 Public Trace Files
Description: Ensures database trace files are not public readable.Severity: Critical
Rationale: If trace files are readable by the PUBLIC group, a malicious user may attempt to read the trace files that could lead to sensitive information being exposed.
3.1.60 Use of Remote Listener Instances
Description: Ensures listener instances on a remote machine separate from the database instance are not used.Severity: Warning
Rationale: The REMOTE_LISTENER initialization parameter can be used to allow a listener on a remote machine to access the database. This parameter is not applicable in a multi-master replication or Real Application Cluster environment where this setting provides a load balancing mechanism for the listener.
3.1.61 Password Grace Time
Description: Ensures that all profiles have PASSWORD_GRACE_TIME set to a reasonable number of days.Severity: Critical
Rationale: A high value for the PASSWORD_GRACE_TIME parameter may cause serious database security issues by allowing the user to keep the same password for a long time.
3.1.62 Use of Database Links with Cleartext Password
Description: Ensures database links with clear text passwords are not used.Severity: Warning
Rationale: The table SYS.LINK$ contains the clear text password used by the database link. A malicious user can read clear text password from SYS.LINK$ table that can lead to undesirable consequences.
3.1.63 Restricted Privilege to Execute UTL_SMTP
Description: Ensures PUBLIC does not have execute privileges on the UTL_SMTP package.Severity: Critical
Rationale: Privileges granted to the PUBLIC role automatically apply to all users. A malicious user can gain access to email, network and http modules using the EXECUTE privilege.
3.2 Configuration Best Practices for Oracle Real Application Cluster Database
The compliance standard rules for the Configuration Best Practices for Oracle Real Application Cluster Database compliance standard follow.3.2.1 Insufficient Number of Control Files
Description: Checks for use of a single control file.Severity: Critical
Rationale: The control file is one of the most important files in an Oracle database. It maintains many physical characteristics and important recovery information about the database. If you lose the only copy of the control file due to a media error, there will be unnecessary down time and other risks.
3.2.2 Force Logging Disabled
Description: When Data Guard is being used, checks the primary database for disabled force logging.Severity: Warning
Rationale: The primary database is not in force logging mode. As a result unlogged direct writes in the primary database cannot be propagated to the standby database.
3.2.3 Fast Recovery Area Not Set
Description: Checks whether recovery area is set.Severity: Warning
Rationale: NO_RECOVERY_AREA_IMPACT
Using a fast recovery area minimizes the need to manually manage disk space for your backup-related files and balance the use of space among the different types of files. Oracle recommends that you enable a fast recovery area to simplify your backup management.
3.3 High Security Configuration for Oracle Cluster Database
The compliance rules for the High Security Configuration for Oracle Cluster Database standard follow.3.3.1 $ORACLE_HOME/network/admin Directory Owner
Description: Ensures $ORACLE_HOME/network/admin ownership is restricted to the Oracle software set and DBA groupSeverity: Warning
Rationale: Not restricting ownership of network/admin to the Oracle software set and DBA group may cause security issues by exposing net configuration data to malicious users.
3.3.2 Oracle Home Executable Files Permission
Description: Ensures that all files in the ORACLE_HOME/bin folder do not have public write permission.Severity: Warning
Rationale: Incorrect file permissions on some of the Oracle files can cause major security issues.
3.3.3 Oracle XSQL Configuration File Owner
Description: Ensures Oracle XSQL configuration file (XSQLConfig.xml) is owned by Oracle software owner.Severity: Warning
Rationale: The Oracle XSQL configuration file (XSQLConfig.xml) contains sensitive database connection information. A publicly accessible XSQL configuration file can expose the database user name and password that can be used access sensitive data or to launch further attacks.
3.3.4 Log Archive Duplex Destination Owner
Description: Ensures that the server's archive logs directory is a valid directory owned by Oracle software owner.Severity: Critical
Rationale: LogMiner can be used to extract database information from the archive logs if the directory specified by LOG_ARCHIVE_DUPLEX_DEST parameter (in init.ora file) is not owned by the owner of the Oracle software installation or has permissions for others.
3.3.5 Oracle Agent SNMP Read-Only Configuration File Owner
Description: Ensures Oracle Agent SNMP read-only configuration file (snmp_ro.ora) is owned by Oracle software owner.Severity: Warning
Rationale: The Oracle Agent SNMP read-only configuration file (snmp_ro.ora) contains the listening address of the agent, the names of SQL*Net listener and Oracle database services it knows about, plus tracing parameters. A publicly accessible SNMP read-only configuration file can be used to extract sensitive data like the tracing directory location, dbsnmp address, and so on.
3.3.6 Log Archive Destination Permission (Windows)
Description: Ensures that the server's archive logs are not accessible to public.Severity: Critical
Rationale: LogMiner can be used to extract database information from the archive logs if the directory specified by LOG_ARCHIVE_DEST parameter (in init.ora file) is not owned by the owner of the Oracle software installation or has permissions for others.
3.3.7 Log Archive Duplex Destination Permission (Windows)
Description: Ensures that the server's archive logs are not accessible to public.Severity: Critical
Rationale: LogMiner can be used to extract database information from the archive logs if the directory specified by LOG_ARCHIVE_DUPLEX_DEST parameter (in init.ora file) is not owned by the owner of the Oracle software installation or has permissions for others.
3.3.8 DISPATCHERS
Description: Ensures that the DISPATCHERS parameter is not set.Severity: Critical
Rationale: This will disable default ports ftp: 2100 and http: 8080. Removing the XDB ports will reduce the attack surface of the Oracle server. It is recommended to disable these ports if production usage is not required.
3.3.9 Execute Privileges on UTL_FILE To PUBLIC
Description: Ensures PUBLIC does not have EXECUTE privilege on the UTL_FILE package,Severity: Critical
Rationale: Privileges granted to the PUBLIC role automatically apply to all users. A malicious user can read and write arbitrary files in the system when granted the UTL_FILE privilege.
3.3.10 CPU PER SESSION
Description: Ensures that all profiles have CPU_PER_SESSION set to a reasonable number of CPU cycles.Severity: Critical
Rationale: Allowing a single application or user to consume excessive CPU resources will result in a denial of service to the Oracle database.
3.3.11 Audit EXECUTE PROCEDURE Privilege
Description: Ensures EXECUTE ANY PROCEDURE Privilege is being audited by access for all users.Severity: Critical
Rationale: Auditing the creation of roles will provide a record to ensure the appropriate use of account administration privileges. This information is also useful when investigating certain security events.
3.3.12 Audit SELECT ANY DICTIONARY Privilege
Description: Ensures SELECT ANY DICTIONARY Privilege is being audited by access for all users.Severity: Critical
Rationale: Auditing SELECT ANY DICTIONARY will provide a record to ensure the appropriate use of account administration privileges. This information is also useful when investigating certain security events.
3.3.13 IFILE Referenced File Permission
Description: Ensures that access to the files referenced by the IFILE parameter is restricted to the owner of the Oracle software set and the DBA group.Severity: Critical
Rationale: The IFILE initialization parameter can be used to embed the contents of another initialization parameter file into the current initialization parameter file. A publicly accessible initialization parameter file can be scanned for sensitive initialization parameters exposing the security policies of the database. Initialization parameter file can also be searched for the weaknesses of the Oracle database configuration setting.
3.3.14 Log Archive Destination Owner
Description: Ensures that the server's archive logs directory is a valid directory owned by Oracle software owner.Severity: Critical
Rationale: LogMiner can be used to extract database information from the archive logs if the directory specified by LOG_ARCHIVE_DEST parameter (in init.ora file) is not owned by the owner of the Oracle software installation or has permissions for others.
3.3.15 Log Archive Destination Permission
Description: Ensures that the server's archive logs are not accessible to public.Severity: Critical
Rationale: LogMiner can be used to extract database information from the archive logs if the directory specified by LOG_ARCHIVE_DEST parameter (in init.ora file) is not owned by the owner of the Oracle software installation or has permissions for others.
3.3.16 Oracle XSQL Configuration File Permission
Description: Ensures Oracle XSQL configuration file (XSQLConfig.xml) permissions are limited to the Oracle software set and DBA group.Severity: Warning
Rationale: The Oracle XSQL configuration file (XSQLConfig.xml) contains sensitive database connection information. A publicly accessible XSQL configuration file can expose the database user name and password that can be used to access sensitive data or to launch further attacks.
3.3.17 Webcache Initialization File Permissions
Description: Ensures the Webcache initialization file (webcache.xml) permissions are limited to the Oracle software set and DBA group.Severity: Warning
Rationale: Webcache stores sensitive information in the initialization file (webcache.xml). A publicly accessible Webcache initialization file can be used to extract sensitive data like the administrator password hash.
3.3.18 Oracle HTTP Server Distributed Configuration File Owner
Description: Ensures Oracle HTTP Server distributed configuration file ownership is restricted to the Oracle software set and DBA group.Severity: Warning
Rationale: The Oracle HTTP Server distributed configuration file (usually .htaccess) is used for access control and authentication of web folders. This file can be modified to gain access to pages containing sensitive information.
3.3.19 Oracle HTTP Server mod_plsql Configuration File Permission
Description: Ensures Oracle Agent SNMP read-only configuration file (snmp_ro.ora) permissions are limited to the Oracle software set and DBA group.Severity: Warning
Rationale: The Oracle Agent SNMP read-only configuration file (snmp_ro.ora) contains the listening address of the agent, the names of SQL*Net listener and Oracle database services it knows about, plus tracing parameters. A publicly accessible SNMP read-only configuration file can be used to extract sensitive data like the tracing directory location, dbsnmp address, and so on.
3.3.20 RETURN SERVER RELEASE BANNER
Description: Ensures that value of parameter SEC_RETURN_SERVER_RELEASE_BANNER is FALSE.Severity: Critical
Rationale: If the Parameter SEC_RETURN_SERVER_RELEASE_BANNER is TRUE Oracle database returns complete database version information to clients. Knowing the exact patch set can aid an attacker.
3.3.21 Restrict Permissions of the tkprof Executable to the Owner of the Oracle Software Set and the DBA Group
Description: Ensures tkprof executable file is owned by Oracle software owner.Severity: Warning
Rationale: Not restricting ownership of tkprof to the Oracle software set and DBA group may cause information leaks.
3.3.22 SESSIONS_PER_USER
Description: Ensures that all profiles have SESSIONS_PER_USER set to a reasonable number.Severity: Critical
Rationale: Allowing an unlimited amount of sessions per user can consume Oracle resources and cause a denial of service. Limit the number of sessions for each individual user.
3.3.23 Audit DROP ANY ROLE Privilege
Description: Ensures DROP ANY ROLE Privilege is being audited by access for all users.Severity: Critical
Rationale: Auditing the creation of roles will provide a record to ensure the appropriate use of account administration privileges. This information is also useful when investigating certain security events.
3.3.24 Use of Windows NT Domain Prefix
Description: Ensures externally identified users specify the domain while connecting.Severity: Critical
Rationale: This setting is only applicable to Windows systems. If externally identified accounts are required, setting OSAUTH_PREFIX_DOMAIN to TRUE in the registry forces the account to specify the domain. This prevents spoofing of user access from an alternate domain or local system.
3.3.25 "Domain Users" Group Member of Local "Users" Group
Description: Ensures domain server local Users group does not have Domain Users group,Severity: Warning
Rationale: Including Domain Users group in local Users group of a domain server can cause serious security issues.
3.3.26 Oracle HTTP Server mod_plsql Configuration File Owner
Description: Ensures Oracle HTTP Server mod_plsql configuration file (wdbsvr.app) is owned by Oracle software owner.Severity: Warning
Rationale: The Oracle Agent SNMP read-write configuration file (snmp_rw.ora) contains the listening address of the agent, the names of SQL*Net listener and Oracle database services it knows about, plus tracing parameters. A publicly accessible SNMP read-write configuration file can be used to extract sensitive data like the tracing directory location, dbsnmp address, and so on.
3.3.27 Oracle Agent SNMP Read-Write Configuration File Permission
Description: Ensures Oracle Agent SNMP read-write configuration file (snmp_rw.ora) permissions are limited to the Oracle software set and DBA group.Severity: Warning
Rationale: The Oracle Agent SNMP read-write configuration file (snmp_ro.ora) contains the listening address of the agent, the names of SQL*Net listener and Oracle database services it knows about, plus tracing parameters. A publicly accessible SNMP read-write configuration file can be used to extract sensitive data like the tracing directory location, dbsnmp address, and so on.
3.3.28 Use of SQL92 Security Features
Description: Ensures use of SQL92 security.Severity: Warning
Rationale: If SQL92 security features are not enabled, a user might be able to execute an UPDATE or DELETE statement using a WHERE clause without having select privilege on a table.
3.3.29 Remote Password File
Description: Ensures privileged users are authenticated by the operating system; that is, Oracle ignores any password file.Severity: Minor Warning
Rationale: The REMOTE_LOGIN_PASSWORDFILE parameter specifies whether or not Oracle checks for a password file. Because password files contain the passwords for users, including SYS, the most secure way of preventing an attacker from connecting through brute-force password-related attacks is to require privileged users be authenticated by the operating system.
3.3.30 DB SECUREFILE
Description: Ensures that all LOB files created by Oracle are created as SecureFiles.Severity: Critical
Rationale: For LOBs to get treated as SecureFiles, set COMPATIBILE Initialization Param to 11.1 or higher. If there is a LOB column with two partitions (one that has a tablespace for which ASSM is enabled and one that has a tablespace for which ASSM is not enabled), then LOBs in the partition with the ASSM-enabled tablespace will be treated as SecureFiles and LOBs in the other partition will be treated as BasicFile LOBs. Setting db_securefile to ALWAYS makes sure that any LOB file created is a secure file.
3.3.31 Tkprof Executable Permission
Description: Ensures tkprof executable file permissions are restricted to read and execute for the group, and inaccessible to public.Severity: Warning
Rationale: Excessive permission for tkprof leaves information within, unprotected.
3.3.32 Execute Privileges on DBMS_LOB to PUBLIC
Description: Ensures PUBLIC group is not granted EXECUTE privileges to the DBMS_LOB package.Severity: Critical
Rationale: The DBMS_LOB package can be used to access any file on the system as the owner of the Oracle software installation.
3.3.33 Execute Privilege on SYS.DBMS_EXPORT_EXTENSION to PUBLIC
Description: Ensures PUBLIC does not have execute privileges on the SYS.DBMS_EXPORT_EXTENSION package.Severity: Critical
Rationale: Privileges granted to the PUBLIC role automatically apply to all users. DBMS_EXPORT_EXTENSION can allow SQL injection. Thus a malicious user will be able to take advantage.
3.3.34 Access to %_CATALOG% Roles
Description: Ensures grant of %_CATALOG_% is restricted.Severity: Critical
Rationale: %_CATALOG_% Roles have critical access to database objects, that can lead to exposure of vital information in the database system.
3.3.35 Password Reuse Time
Description: Ensures that all profiles have PASSWORD_REUSE_TIME set to a reasonable number of days.Severity: Critical
Rationale: A low value for the PASSWORD_REUSE_TIME parameter may cause serious database security issues by allowing users to reuse their old passwords more often.
3.3.36 PRIVATE SGA
Description: Ensures that users PRIVATE_SGA profile settings have appropriate values set for the particular database and application.Severity: Critical
Rationale: Allowing a single application or user to consume the excessive amounts of the System Global Area will result in a denial of service to the Oracle database.
3.3.37 Audit GRANT ANY OBJECT Privilege
Description: Ensures SELECT ANY DICTIONARY Privilege is being audited by access for all users.Severity: Critical
Rationale: Auditing SELECT ANY DICTIONARY will provide a record to ensure the appropriate use of account administration privileges. This information is also useful when investigating certain security events.
3.3.38 Audit AUD$ Privilege
Description: Ensures AUD$ is being audited by access for all users.Severity: Critical
Rationale: Auditing AUD$ will provide a record to ensure the appropriate use of account administration privileges. This information is also useful when investigating certain security events.
3.3.39 Audit CREATE USER Privilege
Description: Ensures CREATE USER Privilege is being audited by access for all users.Severity: Critical
Rationale: Auditing CREATE USER will provide a record to ensure the appropriate use of account administration privileges. This information is also useful when investigating certain security events.
3.3.40 Audit DROP ANY TABLE Privilege
Description: Ensures DROP ANY TABLE Privilege is being audited by access for all users.Severity: Critical
Rationale: Auditing DROP ANY TABLE will provide a record to ensure the appropriate use of account administration privileges. This information is also useful when investigating certain security events.
3.3.41 Installed Oracle Home Drive Permissions
Description: On Windows, ensures that the installed Oracle Home drive is not accessible to Everyone Group.Severity: Warning
Rationale: Giving permission of Oracle installed drive to everyone can cause serious security issues.
3.3.42 Windows Tools Permission
Description: Ensures Oracle service does not have permissions on Windows tools.Severity: Warning
Rationale: Granting Oracle service the permissions of Windows tools may cause serious security issues.
3.3.43 Oracle Agent SNMP Read-Write Configuration File Owner
Description: Ensures Oracle Agent SNMP read-write configuration file (snmp_rw.ora) is owned by Oracle software owner.Severity: Warning
Rationale: The Oracle Agent SNMP read-write configuration file (snmp_ro.ora) contains the listening address of the agent, the names of SQL*Net listener and Oracle database services it knows about, plus tracing parameters. A publicly accessible SNMP read-write configuration file can be used to extract sensitive data like the tracing directory location, dbsnmp address, and so on.
3.3.44 Use of Automatic Log Archival Features
Description: Ensures that archiving of redo logs is done automatically and prevents suspension of instance operations when redo logs fill. Only applicable if database is in archivelog mode.Severity: Critical
Rationale: Setting the LOG_ARCHIVE_START initialization parameter to TRUE ensures that the archiving of redo logs is done automatically and prevents suspension of instance operations when redo logs fill. This feature is only applicable if the database is in archivelog mode.
3.3.45 Webcache Initialization File Permission (Windows)
Description: Ensures the Webcache initialization file (webcache.xml) permissions are limited to the Oracle software set and DBA group.Severity: Warning
Rationale: Webcache stores sensitive information in the initialization file (webcache.xml). A publicly accessible Webcache initialization file can be used to extract sensitive data like the administrator password hash.
3.3.46 Oracle HTTP Server mod_plsql Configuration File Permission (Windows)
Description: Oracle HTTP Server mod_plsql Configuration file (wdbsvr.app) permissions are limited to the Oracle software set and DBA group.Severity: Warning
Rationale: The Oracle HTTP Server mod_plsql configuration file (wdbsvr.app) contains the Database Access Descriptors used for authentication. A publicly accessible mod_plsql configuration file can allow a malicious user to modify the Database Access Descriptor settings to gain access to PL/SQL applications or launch a Denial Of Service attack.
3.3.47 Granting SELECT ANY TABLE Privilege
Description: Ensures SELECT ANY PRIVILEGE is never granted to any user or role.Severity: Warning
Rationale: The SELECT ANY TABLE privilege can be used to grant users or roles with the ability to view data in tables that are not owned by them. A malicious user with access to any user account that has this privilege can use this to gain access to sensitive data.
3.3.48 System Privileges to Public
Description: Ensures system privileges are not granted to PUBLIC.Severity: Critical
Rationale: Privileges granted to the public role automatically apply to all users. There are security risks granting SYSTEM privileges to all users.
3.3.49 Access to V$ Synonyms Roles
Description: Ensures SELECT privilege is not granted to V$ synonyms.Severity: Critical
Rationale: V$ tables contain sensitive information about Oracle database and should only be accessible by system administrators. Check for any user that has access and revoke when possible.
3.3.50 Audit CREATE ANY LIBRARY Privilege
Description: Ensures CREATE ANY LIBRARY is being audited by access for all users.Severity: Critical
Rationale: Auditing CREATE ANY LIBRARY will provide a record to ensure the appropriate use of account administration privileges. This information is also useful when investigating certain security events.
3.3.51 Installation on Domain Controller
Description: Ensures that Oracle is not installed on a domain controller.Severity: Warning
Rationale: Installing Oracle on a domain controller can cause serious security issues.
3.3.52 Unlimited Tablespace Quota
Description: Ensures database users are allocated a limited tablespace quota.Severity: Warning
Rationale: Granting unlimited tablespace quotas can cause the filling up of the allocated disk space. This can lead to an unresponsive database.
3.3.53 SQL*Plus Executable Permission
Description: Ensures that SQL*Plus executable file permissions are limited to the Oracle software set and DBA group.Severity: Warning
Rationale: SQL*Plus allows a user to execute any SQL on the database. Public execute permissions on SQL*Plus can cause security issues by exposing sensitive data to malicious users.
3.3.54 Webcache Initialization File Owner
Description: Ensures Webcache initialization file (webcache.xml) is owned by Oracle software owner.Severity: Warning
Rationale: Webcache stores sensitive information in the initialization file (webcache.xml). A publicly accessible Webcache initialization file can be used to extract sensitive data like the administrator password hash.
3.3.55 Oracle Agent SNMP Read-Only Configuration File Permission
Description: Ensures Oracle Agent SNMP read-only configuration file (snmp_ro.ora) permissions are limited to the Oracle software set and DBA group.Severity: Warning
Rationale: The Oracle Agent SNMP read-only configuration file (snmp_ro.ora) contains the listening address of the agent, the names of SQL*Net listener and Oracle database services it knows about, plus tracing parameters. A publicly accessible SNMP read-only configuration file can be used to extract sensitive data like the tracing directory location, dbsnmp address, and so on.
3.3.56 Log Archive Duplex Destination Permission
Description: Ensures that the server's archive logs are not accessible to public.Severity: Critical
Rationale: LogMiner can be used to extract database information from the archive logs if the directory specified by LOG_ARCHIVE_DUPLEX_DEST parameter (in init.ora file) is not owned by the owner of the Oracle software installation or has permissions for others.
3.3.57 $ORACLE_HOME/network/admin File Permission (Windows)
Description: Ensures the files in $ORACLE_HOME/network/admin ownership is restricted to the Oracle software set, group is restricted to DBA group and Public does not have write permission.Severity: Warning
Rationale: Not restricting ownership of network/admin to the Oracle software set and DBA group may cause security issues by exposing net configuration data to malicious users.
3.3.58 Access to X_$Views
Description: Ensures access on X$ views is restricted.Severity: Critical
Rationale: This can lead to revealing of internal database structure information.
3.3.59 Access to ROLE_ROLE_PRIVS View
Description: Ensures restricted access to ROLE_ROLE_PRIVS view.Severity: Minor Warning
Rationale: Lists roles granted to other roles. Knowledge of the structure of roles in the database can be taken advantage of by a malicious user.
3.3.60 Access to USER_ROLE_PRIVS View
Description: Ensures restricted access to USER_ROLE_PRIVS view.Severity: Minor Warning
Rationale: Lists the roles granted to the current user. Knowledge of the structure of roles in the database can be taken advantage of by a malicious user.
3.3.61 Execute Privilege on SYS.DBMS_RANDOM PUBLIC
Description: Ensures PUBLIC does not have execute privileges on the SYS.DBMS_RANDOM package.Severity: Critical
Rationale: Privileges granted to the PUBLIC role automatically apply to all users. DBMS_RANDOM can allow SQL injection. Thus a malicious will be able to take advantage.
3.3.62 Audit CREATE Role Privilege
Description: Ensures CREATE ROLE Privilege is being audited by access for all users.Severity: Critical
Rationale: Auditing the creation of roles will provide a record to ensure the appropriate use of account administration privileges. This information is also useful when investigating certain security events.
3.3.63 Audit CREATE LIBRARY Privilege
Description: Ensures CREATE LIBRARY Privilege is being audited by access for all users.Severity: Critical
Rationale: Auditing CREATE LIBRARY will provide a record to ensure the appropriate use of account administration privileges. This information is also useful when investigating certain security events.
3.3.64 Proxy Account
Description: Ensures that the proxy accounts have limited privileges.Severity: Warning
Rationale: The proxy user only needs to connect to the database. Once connected it will use the privileges of the user it is connecting on behalf of. Granting any other privilege than the CREATE SESSION privilege to the proxy user is unnecessary and open to misuse.
3.3.65 Utility File Directory Initialization Parameter Setting in Oracle 9i Release 1 and Later
Description: Ensures that the UTL_FILE_DIR initialization parameter is not used in Oracle9i Release 1 and later.Severity: Critical
Rationale: Specifies the directories which UTL_FILE package can access. Having the parameter set to asterisk (*), period (.), or to sensitive directories could expose them to all users having execute privilege on UTL_FILE package.
3.3.66 IFILE Referenced File Permission (Windows)
Description: Ensures that access to the files referenced by the IFILE parameter is restricted to the owner of the Oracle software set and the DBA group.Severity: Critical
Rationale: The IFILE initialization parameter can be used to embed the contents of another initialization parameter file into the current initialization parameter file. A publicly accessible initialization parameter file can be scanned for sensitive initialization parameters exposing the security policies of the database. Initialization parameter file can also be searched for the weaknesses of the Oracle database configuration setting.
3.3.67 SQL*Plus Executable Permission (Windows)
Description: Ensures that SQL*Plus executable file permissions are limited to the Oracle software set and DBA group.Severity: Warning
Rationale: SQL*Plus allows a user to execute any SQL on the database. Public execute permissions on SQL*Plus can cause security issues by exposing sensitive data to malicious users.
3.3.68 Oracle XSQL Configuration File Permission (Windows)
Description: Ensures Oracle XSQL Configuration File (XSQLConfig.xml) permissions are limited to the Oracle software set and DBA group.Severity: Warning
Rationale: The Oracle XSQL configuration file (XSQLConfig.xml) contains sensitive database connection information. A publicly accessible XSQL configuration file can expose the database user name and password that can be used access sensitive data or to launch further attacks.
3.3.69 OS ROLES
Description: Ensures roles are stored, managed, and protected in the database rather than files external to the DBMS.Severity: Warning
Rationale: If Roles are managed by OS, can cause serious security issues.
3.3.70 Tkprof Executable Permission (Windows)
Description: Ensures tkprof executable file permissions are restricted to read and execute for the group, and inaccessible to public.Severity: Warning
Rationale: Excessive permission for tkprof leaves information within, unprotected.
3.3.71 Access to SYS.LINK$ Table
Description: Ensures restricted access to SYS.LINK$ table.Severity: Minor Warning
Rationale: A knowledgeable and malicious user can gain access to user passwords from the SYS.LINK$ table.
3.3.72 Access to ALL_SOURCE View
Description: Ensures restricted access to ALL_SOURCE view.Severity: Minor Warning
Rationale: ALL_SOURCE view contains source of all stored packages in the database.
3.3.73 Password Reuse Max
Description: Ensures that all profiles have PASSWORD_REUSE_MAX set to a reasonable number of times.Severity: Warning
Rationale: Old passwords are usually the best guesses for the current password. A low value for the PASSWORD_REUSE_MAX parameter may cause serious database security issues by allowing users to reuse their old passwords more often.
3.3.74 Audit ALTER USER Privilege
Description: Ensures ALTER USER Privilege is being audited by access for all users.Severity: Critical
Rationale: Auditing ALTER USER will provide a record to ensure the appropriate use of account administration privileges. This information is also useful when investigating certain security events.
3.3.75 Audit GRANT ANY PRIVILEGE
Description: Ensures GRANT ANY PRIVILEGE is being audited by access for all users.Severity: Critical
Rationale: Auditing GRANT ANY PRIVILEGE will provide a record to ensure the appropriate use of account administration privileges. This information is also useful when investigating certain security events.
3.3.76 $ORACLE_HOME/network/admin File Permission
Description: Ensures the files in $ORACLE_HOME/network/admin ownership is restricted to the Oracle software set, group is restricted to DBA group and Public does not have write permission.Severity: Warning
Rationale: Not restricting ownership of network/admin to the Oracle software set and DBA group may cause security issues by exposing net configuration data to malicious users.
3.3.77 Oracle HTTP Server mod_plsql Configuration File Permission
Description: Ensures Oracle HTTP Server mod_plsql Configuration file (wdbsvr.app) permissions are limited to the Oracle software set and DBA group.Severity: Warning
Rationale: The Oracle Agent SNMP read-write configuration file (snmp_rw.ora) contains the listening address of the agent, the names of SQL*Net listener and Oracle database services it knows about, plus tracing parameters. A publicly accessible SNMP read-write configuration file can be used to extract sensitive data like the tracing directory location, dbsnmp address, and so on.
3.3.78 Oracle Agent SNMP Read-Write Configuration File Permission (Windows)
Description: Ensures Oracle Agent SNMP read-write configuration file (snmp_rw.ora) permissions are limited to the Oracle software set and DBA group.Severity: Warning
Rationale: The Oracle Agent SNMP read-write configuration file (snmp_ro.ora) contains the listening address of the agent, the names of SQL*Net listener and Oracle database services it knows about, plus tracing parameters. A publicly accessible SNMP read-only configuration file can be used to extract sensitive data like the tracing directory location, dbsnmp address, and so on.
3.3.79 CASE SENSITIVE LOGON
Description: Ensures that the sec_case_sensitive_logon parameter is set to true.Severity: Critical
Rationale: This increases the complexity of passwords and helps defend against brute force password attacks.
3.3.80 Otrace Data File
Description: Avoids negative impact on database performance and disk space usage, caused by data collected by otrace.Severity: Warning
Rationale: Performance and resource utilization data collection can have a negative impact on database performance and disk space usage.
3.3.81 Access to DBA_* Views
Description: Ensures SELECT privilege is never granted to any DBA_ view.Severity: Warning
Rationale: The DBA_* views provide access to privileges and policy settings of the database. Some of these views also allow viewing of sensitive PL/SQL code that can be used to understand the security policies.
3.3.82 Access to USER_TAB_PRIVS View
Description: Ensures restricted access to USER_TAB_PRIVS view.Severity: Minor Warning
Rationale: Lists the grants on objects for which the user is the owner, grantor or grantee. Knowledge of the grants in the database can be taken advantage of by a malicious user.
3.3.83 LOGICAL READS PER SESSION
Description: Ensures that users profile settings LOGICAL_READS_ PER_SESSION have appropriate value set for the particular database and application.Severity: Critical
Rationale: Allowing a single application or user to perform excessive amounts of reads to disk will result in a denial of service to the Oracle database.
3.3.84 Audit ALTER ANY TABLE Privilege
Description: Ensures ALTER ANY TABLE Privilege is being audited by access for all users.Severity: Critical
Rationale: Auditing ALTER ANY TABLE will provide a record to ensure the appropriate use of account administration privileges. This information is also useful when investigating certain security events.
3.3.85 Audit CREATE SESSION Privilege
Description: Ensures CREATE SESSION Privilege is being audited by access for all users.Severity: Critical
Rationale: Auditing CREATE SESSION will provide a record to ensure the appropriate use of account administration privileges. This information is also useful when investigating certain security events.
3.3.86 Limit OS Authentication
Description: Ensures database accounts do not rely on OS authentication.Severity: Critical
Rationale: If the host operating system has a required user ID for database account for which password is set EXTERNAL, then Oracle does not check its credentials anymore. It simply assumes the host must have done its authentication and lets the user into the database without any further checking.
3.3.87 Background Dump Destination
Description: Ensures that access to the trace files directory is restricted to the owner of the Oracle software set and the DBA group.Severity: Critical
Rationale: Background processes such as the log writer process and the database writer process use trace files to record occurrences and exceptions of database operations, as well as errors. The trace files are stored in the directory specified by the BACKGROUND_DUMP_DEST initialization parameter. Giving public read permission to this directory may reveal important and sensitive internal details of the database and applications.
3.3.88 SQL*Plus Executable Owner
Description: Ensures SQL*Plus ownership is restricted to the Oracle software set and DBA group.Severity: Warning
Rationale: SQL*Plus allows a user to execute any SQL on the database. Not restricting ownership of SQL*Plus to the Oracle software set and DBA group may cause security issues by exposing sensitive data to malicious users.
3.3.89 Oracle HTTP Server Distributed Configuration Files Permission
Description: Ensures Oracle HTTP Server Distributed Configuration Files permissions are limited to the Oracle software set and DBA group.Severity: Warning
Rationale: The Oracle HTTP Server distributed configuration file (usually .htaccess) is used for access control and authentication of web folders. This file can be modified to gain access to pages containing sensitive information.
3.3.90 Oracle Home Executable Files Permission (Windows)
Description: Ensures that all files in the ORACLE_HOME/bin folder do not have public write permission.Severity: Warning
Rationale: Incorrect file permissions on some of the Oracle files can cause major security issues.
3.3.91 Naming Database Links
Description: Ensures that the name of a database link is the same as that of the remote database.Severity: Warning
Rationale: Database link names that do not match the global names of the databases to which they are connecting can cause an administrator to inadvertently give access to a production server from a test or development server. Knowledge of this can be used by a malicious user to gain access to the target database.
3.3.92 Secure OS Audit Level
Description: On UNIX systems, ensures that AUDIT_SYSLOG_LEVEL is set to a non-default value when OS-level auditing is enabled.Severity: Warning
Rationale: Setting the AUDIT_SYSLOG_LEVEL initialization parameter to the default value (NONE) will result in DBAs gaining access to the OS audit records.
3.3.93 CONNECT TIME
Description: Ensures that users profile settings CONNECT_TIME have appropriate value set for the particular database and application.Severity: Critical
Rationale: Sessions held open for excessive periods of time can consume system resources and cause a denial of service for other users of the Oracle database. The CONNECT_TIME parameter limits the upper bound on how long a session can be held open. This parameter is specified in minutes. Sessions that have exceeded their connect time are aborted and rolled back.
3.3.94 Audit Insert Failure
Description: Ensures that insert failures are audited for critical data objects.Severity: Warning
Rationale: Not auditing insert failures for critical data objects may allow a malicious user to infiltrate system security.
3.3.95 Audit DROP ANY PROCEDURE Privilege
Description: Ensures DROP ANY PROCEDURE Privilege is being audited by access for all users.Severity: Critical
Rationale: Auditing DROP ANY PROCEDURE will provide a record to ensure the appropriate use of account administration privileges. This information is also useful when investigating certain security events.
3.4 Patchable Configuration for Real Application Cluster Database
The compliance rules for the Patchable Configuration for Oracle Database standard follow.3.5 Storage Best Practices for Oracle Real Application Database
The compliance rules for the Storage Best Practices for Oracle Real Application Database compliance standard follow.3.5.1 Users with Permanent Tablespace as Temporary Tablespace
Description: Checks for users using a permanent tablespace as the temporary tablespace.Severity: Minor Warning
Rationale: These users use a permanent tablespace as the temporary tablespace. Using temporary tablespaces allows space management for sort operations to be more efficient. Using a permanent tablespace for these operations may result in performance degradation, especially for Real Application Clusters. There is an additional security concern. This makes it possible for users to use all available space in the system tablespace, causing the database to stop working.
3.5.2 Non-Uniform Default Extent Size for Tablespaces
Description: Checks for dictionary managed or migrated locally managed tablespaces with non-uniform default extent size.Severity: Minor Warning
Rationale: Dictionary managed or migrated locally managed tablespaces using non-uniform default extent sizes have been found. This means that the extents in a single tablespace will vary in size leading to fragmentation, inefficient space usage and performance degradation.
3.5.3 Database Rollback Segment in SYSTEM Tablespace
Description: Checks for rollback segments in SYSTEM tablespace.Severity: Minor Warning
Rationale: The SYSTEM tablespace should be reserved only for the Oracle data dictionary and its associated objects. It should NOT be used to store any other types of objects such as user tables, user indexes, user views, rollback segments, undo segments, or temporary segments.
3.5.4 Non-System Data Segments in System Tablespaces
Description: Checks for data segments owned by non-system users located in tablespaces SYSTEM and SYSAUX.Severity: Minor Warning
Rationale: These segments belonging to non-system users are stored in system tablespaces SYSTEM or SYSAUX. This violation makes it more difficult to manage these data segments and may result in performance degradation in the system tablespace. This is also a security issue. If non-system users are storing data in a system tablespace it is possible that all available space in the system tablespace may be consumed, thus causing the database to stop working.
3.5.5 Insufficient Number of Redo Logs
Description: Checks for use of less than three redo logs.Severity: Warning
Rationale: The online redo log files are used to record changes in the database. When archiving is enabled, these online redo logs need to be archived before they can be reused. Every database requires at least two online redo log groups to be up and running. When the size and number of online redo logs are inadequate, LGWR will wait for ARCH to complete its writing to the archived log destination, before it overwrites that log. This can cause severe performance slowdowns during peak activity periods.
3.5.6 Insufficient Redo Log Size
Description: Checks for redo log files less than 1 MB.Severity: Critical
Rationale: Small redo logs cause system checkpoints to continuously put a high load on the buffer cache and I/O system.
3.5.7 Tablespace Containing Rollback and Data Segments
Description: Checks for tablespaces containing both rollback and data segments.Severity: Minor Warning
Rationale: These tablespaces contain both rollback and data segments. Mixing segment types in this way makes it more difficult to manage space and may degrade performance in the tablespace. Use of a dedicated tablespace for rollback segments enhances availability and performance.
3.5.8 Segment with Extent Growth Policy Violation
Description: Checks for segments in dictionary managed or migrated locally managed tablespaces having irregular extent sizes and/or non-zero Percent Increase settings.Severity: Minor Warning
Rationale: These segments have extents with sizes that are not multiples of the initial extent or have a non-zero Percent Increase setting. This can result in inefficient reuse of space and fragmentation problems.
3.5.9 Non-System Users with System Tablespace as Default Tablespace
Description: Checks for non-system users using SYSTEM or SYSAUX as the default tablespace.Severity: Minor Warning
Rationale: These non-system users use a system tablespace as the default tablespace. This violation will result in non-system data segments being added to the system tablespace, making it more difficult to manage these data segments and possibly resulting in performance degradation in the system tablespace. This is also a security issue. All Available space in the system tablespace may be consumed, thus causing the database to stop working.
3.5.10 Tablespace Not Using Automatic Segment-Space Management
Description: Checks for locally managed tablespaces that are using MANUAL segment space management.Severity: Minor Warning
Rationale: Automatic segment-space management is a simpler and more efficient way of managing space within a segment. It completely eliminates any need to specify and tune the PCTUSED, FREELISTS and FREELIST GROUPS storage parameters for schema objects created in the tablespace. In a Real Application Cluster environment there is the additional benefit of avoiding the hard partitioning of space inherent with using free list groups.
3.5.11 Default Temporary Tablespace Set to a System Tablespace
Description: Checks if the DEFAULT_TEMP_TABLESPACE database property is set to a system tablespace.Severity: Warning
Rationale: If not specified explicitly, DEFAULT_TEMP_TABLESPACE would default to SYSTEM tablespace and this is not a recommended setting. With this setting, any user that is not explicitly assigned a temporary tablespace uses the system tablespace as their temporary tablespace. System tablespaces should not be used to store temporary data. This is also a security issue. Non-system users may store data and consume all available space in the system tablespace, thus causing the database to stop working.
3.5.12 Default Permanent Tablespace Set to a System Tablespace
Description: Checks if the DEFAULT_PERMANENT_TABLESPACE database property is set to a system tablespace.Severity: Warning
Rationale: If not specified explicitly, DEFAULT_PERMANENT_TABLESPACE is defaulted to the SYSTEM tablespace. This is not the recommended setting. With this setting, any user that is not explicitly assigned a tablespace uses the system tablespace. Doing so may result in performance degradation for the database. This is also a security issue. Non-system users may store data and consume all available space in the system tablespace, thus causing the database to stop working.
3.5.13 Dictionary Managed Tablespaces
Description: Checks for dictionary managed tablespaces.Severity: Minor Warning
Rationale: These tablespaces are dictionary managed. Oracle recommends using locally managed tablespaces, with AUTO segment-space management, to enhance performance and ease of space management.
3.6 Basic Security Configuration for Oracle Cluster Database Instance
The compliance rules for the Basic Security Configuration for Oracle Cluster Database Instance compliance standard follow.3.6.1 Oracle Net Client Log Directory Permission
Description: Ensures that the client log directory is a valid directory owned by Oracle set with no permissions to public.Severity: Critical
Rationale: Log files provide information contained in an error stack. An error stack refers to the information that is produced by each layer in an Oracle communications stack as the result of a network error. The information in log files can reveal important network and database connection details. Allowing access to the log directory can expose the log files to public scrutiny.
3.6.2 Oracle Net Client Trace Directory Permission
Description: Ensures that the client trace directory is a valid directory owned by Oracle set with no permissions to public.Severity: Critical
Rationale: Tracing produces a detailed sequence of statements that describe network events as they are executed. Tracing an operation enables you to obtain more information on the internal operations of the components of Oracle Net Services than is provided in a log file. The information in this file can reveal important network and database connection details. Allowing access to the log directory can expose the log files to public scrutiny.
3.6.3 Oracle Home File Permission
Description: Ensures that all files in the ORACLE_HOME directories (except for ORACLE_HOME/bin) do not have public read, write, and execute permissions.Severity: Warning
Rationale: Incorrect file permissions on some of the Oracle files can cause major security issues.
3.6.4 Audit File Destination (Windows)
Description: Ensures that access to the audit files directory is restricted to the owner of the Oracle software set and the DBA group.Severity: Critical
Rationale: The AUDIT_FILE_DEST initialization parameter specifies the directory where the Oracle auditing facility creates the audit files. Giving public read permission to this directory may reveal important information such as logging information of startup, shutdown, and privileged connections.
3.6.5 Oracle Net Client Trace Directory Permission (Windows)
Description: Ensures that the client trace directory is a valid directory owned by Oracle set with no permissions to public.Severity: Critical
Rationale: Tracing produces a detailed sequence of statements that describe network events as they are executed. Tracing an operation enables you to obtain more information on the internal operations of the components of Oracle Net Services than is provided in a log file. The information in this file can reveal important network and database connection details. Allowing access to the log directory can expose the log files to public scrutiny.
3.6.6 Remote OS Authentication
Description: Ensures REMOTE_OS_AUTHENT initialization parameter is set to FALSE.Severity: Critical
Rationale: A malicious user can gain access to the database if remote OS authentication is allowed.
3.6.7 PROTOCOL ERROR TRACE ACTION
Description: Ensures that the sec_protocol_error_trace_action parameter is set to either LOG or ALERT.Severity: Critical
Rationale: SEC_PROTOCOL_ERROR_TRACE_ACTION specifies the action that the database should take when bad packets are received from a possibly malicious client. NONE should not be used as the database server ignores the bad packets and does not generate any trace files or log messages. If default value TRACE is used then the database server generates a detailed trace file and should only be used when debugging.
3.6.8 Oracle Home Executable Files Owner
Description: Ensures that the ownership of all files and directories in the ORACLE_HOME/bin folder is the same as the Oracle software installation owner.Severity: Critical
Rationale: Incorrect file permissions on some of the Oracle files can cause major security issues.
3.6.9 Oracle Home File Permission
Description: Ensures that all files in the ORACLE_HOME directories (except for ORACLE_HOME/bin) do not have public read, write, and execute permissions.Severity: Warning
Rationale: Incorrect file permissions on some of the Oracle files can cause major security issues.
3.6.10 Oracle Net Server Trace Directory Permission
Description: Ensures that the server trace directory is a valid directory owned by Oracle set with no permissions to public.Severity: Critical
Rationale: Tracing produces a detailed sequence of statements that describe network events as they are executed. Tracing an operation enables you to obtain more information on the internal operations of the components of Oracle Net Services than is provided in a log file. The information in this file can reveal important network and database connection details. Allowing access to the log directory can expose the log files to public scrutiny.
3.6.11 Enable Database Auditing
Description: Ensures database auditing is enabled.Severity: Minor Warning
Rationale: The AUDIT_TRAIL parameter enables or disables database auditing. Auditing enhances security because it enforces accountability, provides evidence of misuse, and is frequently required for regulatory compliance. Auditing also enables system administrators to implement enhanced protections, early detection of suspicious activities, and finely-tuned security responses.
3.6.12 Server Parameter File Permission
Description: Ensures that access to the server parameter file is restricted to the owner of the Oracle software set and the DBA group.Severity: Critical
Rationale: A server parameter file (SPFILE) lets you store and manage your initialization parameters persistently in a server-side disk file. A publicly accessible SPFILE can be scanned for sensitive initialization parameters exposing the security policies of the database. The SPFILE can also be searched for the weaknesses of the Oracle database configuration setting.
3.6.13 Core Dump Destination
Description: Ensures that access to the core dump files directory is restricted to the owner of the Oracle software set and the DBA group.Severity: Critical
Rationale: Core dump files are stored in the directory specified by the CORE_DUMP_DEST initialization parameter. A public read privilege on this directory could expose sensitive information from the core dump files.
3.6.14 Initialization Parameter File Permission (Windows)
Description: Ensures that access to the initialization parameter file is restricted to the owner of the Oracle software set and the DBA group.Severity: Warning
Rationale: Oracle traditionally stores initialization parameters in a text initialization parameter file. A publicly accessible initialization parameter file can be scanned for sensitive initialization parameters exposing the security policies of the database. The IFILE can also be searched for the weaknesses of the Oracle database configuration setting.
3.6.15 User Dump Destination (Windows)
Description: Ensures that access to the trace files directory is restricted to the owner of the Oracle software set and the DBA group.Severity: Critical
Rationale: The trace files for server processes are stored in the directory specified by the USER_DUMP_DEST initialization parameter. Giving public read permission to this directory may reveal important and sensitive internal details of the database and applications.
3.6.16 Oracle Net Server Trace Directory Permission (Windows)
Description: Ensures that the server trace directory is a valid directory owned by Oracle set with no permissions to public.Severity: Critical
Rationale: Tracing produces a detailed sequence of statements that describe network events as they are executed. Tracing an operation enables you to obtain more information on the internal operations of the components of Oracle Net Services than is provided in a log file. The information in this file can reveal important network and database connection details. Allowing access to the log directory can expose the log files to public scrutiny.
3.6.17 Auditing of SYS Operations Enabled
Description: Ensures sessions for users who connect as SYS are fully audited.Severity: Warning
Rationale: The AUDIT_SYS_OPERATIONS parameter enables or disables the auditing of operations issued by user SYS, and users connecting with SYSDBA or SYSOPER privileges.
3.6.18 Utility File Directory Initialization Parameter Setting
Description: Ensures that the Utility File Directory (UTL_FILE_DIR) initialization parameter is not set to one of '*', '.', core dump trace file locations.Severity: Critical
Rationale: Specifies the directories which the UTL_FILE package can access. Having the parameter set to asterisk (*), period (.), or to sensitive directories, could expose them to all users having execute privilege on the UTL_FILE package.
3.6.19 Server Parameter File Permission (Windows)
Description: Ensures that access to the server parameter file is restricted to the owner of the Oracle software set and the DBA group.Severity: Critical
Rationale: A server parameter file (SPFILE) lets you store and manage your initialization parameters persistently in a server-side disk file. A publicly accessible SPFILE can be scanned for sensitive initialization parameters exposing the security policies of the database. The SPFILE can also be searched for the weaknesses of the Oracle database configuration setting.
3.6.20 Oracle Net Client Log Directory Permission (Windows)
Description: Ensures that the client log directory is a valid directory owned by Oracle set with no permissions to public.Severity: Critical
Rationale: Log files provide information contained in an error stack. An error stack refers to the information that is produced by each layer in an Oracle communications stack as the result of a network error. The information in log files can reveal important network and database connection details. Allowing access to the log directory can expose the log files to public scrutiny.
3.6.21 Using Externally Identified Accounts
Description: Ensures that the OS authentication prefix is set to a value other than OPS$.Severity: Warning
Rationale: The OS_AUTHENT_PREFIX parameter specifies a prefix used to authenticate users attempting to connect to the server. When a connection request is attempted, Oracle compares the prefixed user name with user names in the database. Using a prefix, especially OPS$, tends to result in an insecure configuration as an account can be authenticated either as an operating system user or with the password used in the IDENTIFIED BY clause. Attackers are aware of this and will attack these accounts.
3.6.22 Initialization Parameter File Permission
Description: Ensures that access to the initialization parameter file is restricted to the owner of the Oracle software set and the DBA group.Severity: Warning
Rationale: Oracle traditionally stores initialization parameters in a text initialization parameter file. A publicly accessible initialization parameter file can be scanned for sensitive initialization parameters exposing the security policies of the database. The IFILE can also be searched for the weaknesses of the Oracle database configuration setting.
3.6.23 Audit File Destination
Description: Ensures that access to the audit files directory is restricted to the owner of the Oracle software set and the DBA group.Severity: Critical
Rationale: The AUDIT_FILE_DEST initialization parameter specifies the directory where the Oracle auditing facility creates the audit files. Giving public read permission to this directory may reveal important information such as logging information of startup, shutdown, and privileged connections.
3.6.24 Background Dump Destination (Windows)
Description: Ensures that access to the trace files directory is restricted to the owner of the Oracle software set and the DBA group.Severity: Critical
Rationale: Background processes such as the log writer process and the database writer process use trace files to record occurrences and exceptions of database operations, as well as errors. The trace files are stored in the directory specified by the BACKGROUND_DUMP_DEST initialization parameter. Giving public read permission to this directory may reveal important and sensitive internal details of the database and applications.
3.6.25 PROTOCOL ERROR FURTHER ACTION
Description: Ensures that the SEC_PROTOCOL_ERROR_FURTHER_ACTION parameter is set to either DROP or DELAY.Severity: Critical
Rationale: If default value CONTINUE is used the server process continues execution even if bad packets are received. The database server may be subject to a Denial of Service (DoS) if bad packets continue to be sent by a malicious client
3.6.26 Access to STATS$SQL_SUMMARY Table
Description: Ensures that access to the trace files directory is restricted to the owner of the Oracle software set and the DBA group.Severity: Critical
Rationale: The trace files for server processes are stored in the directory specified by the USER_DUMP_DEST initialization parameter. Giving public read permission to this directory may reveal important and sensitive internal details of the database and applications.
3.6.27 Allowed Logon Version
Description: Ensures that the server allows logon from clients with a matching version or higher only.Severity: Warning
Rationale: Setting the parameter SQLNET.ALLOWED_LOGON_VERSION in sqlnet.ora to a version lower than the server version will force the server to use a less secure authentication protocol.
3.6.28 Use of Appropriate Umask on UNIX Systems
Description: On UNIX systems, ensures that the owner of the Oracle software has an appropriate umask value of 022 set.Severity: Warning
Rationale: If umask is not set to an appropriate value (like 022), log or trace files might become accessible to public exposing sensitive information.
3.6.29 Core Dump Destination (Windows)
Description: Ensures that access to the core dump files directory is restricted to the owner of the Oracle software set and the DBA group.Severity: Critical
Rationale: Core dump files are stored in the directory specified by the CORE_DUMP_DEST initialization parameter. A public read privilege on this directory could expose sensitive information from the core dump files.
3.6.30 Data Dictionary Protected
Description: Ensures data dictionary protection is enabled.Severity: Critical
Rationale: The 07_DICTIONARY_ACCESSIBILITY parameter controls access to the data dictionary. Setting the 07_DICTIONARY_ACCESSIBILITY to TRUE allows users with ANY system privileges to access the data dictionary. As a result, these user accounts can be exploited to gain unauthorized access to data.
3.6.31 Oracle Net Server Log Directory Permission
Description: Ensures that the server log directory is a valid directory owned by Oracle set with no permissions to public.Severity: Critical
Rationale: Log files provide information contained in an error stack. An error stack refers to the information that is produced by each layer in an Oracle communications stack as the result of a network error. The information in log files can reveal important network and database connection details. Allowing access to the log directory can expose the log files to public scrutiny.
3.6.32 Oracle Net Server Log Directory Permission (Windows)
Description: Ensures that the server log directory is a valid directory owned by Oracle set with no permissions to public.Severity: Critical
Rationale: Log files provide information contained in an error stack. An error stack refers to the information that is produced by each layer in an Oracle communications stack as the result of a network error. The information in log files can reveal important network and database connection details. Allowing access to the log directory can expose the log files to public scrutiny.
3.6.33 Remote OS Role
Description: Ensures REMOTE_OS_ROLES initialization parameter is set to FALSE.Severity: Critical
Rationale: A malicious user can gain access to the database if remote users can be granted privileged roles.
3.6.34 Public Trace Files
Description: Ensures database trace files are not public readable.Severity: Critical
Rationale: If trace files are readable by the PUBLIC group, a malicious user may attempt to read the trace files that could lead to sensitive information being exposed.
3.6.35 Use of Remote Listener Instances
Description: Ensures listener instances on a remote machine separate from the database instance are not used.Severity: Warning
Rationale: The REMOTE_LISTENER initialization parameter can be used to allow a listener on a remote machine to access the database. This parameter is not applicable in a multi-master replication or Real Application Cluster environment where this setting provides a load balancing mechanism for the listener.
3.7 High Security Configuration for Oracle Cluster Database Instance
The compliance rules for the High Security Configuration for Oracle Cluster Database Instance compliance standard follow.3.7.1 $ORACLE_HOME/network/admin Directory Owner
Description: Ensures $ORACLE_HOME/network/admin ownership is restricted to the Oracle software set and DBA group.Severity: Warning
Rationale: Not restricting ownership of network/admin to the Oracle software set and DBA group may cause security issues by exposing net configuration data to malicious users.
3.7.2 Oracle Home Executable Files Permission
Description: Ensures that all files in the ORACLE_HOME/bin folder do not have public write permission.Severity: Warning
Rationale: Incorrect file permissions on some of the Oracle files can cause major security issues.
3.7.3 Oracle XSQL Configuration File Owner
Description: Ensures Oracle XSQL configuration file (XSQLConfig.xml) is owned by Oracle software owner.Severity: Warning
Rationale: The Oracle XSQL configuration file (XSQLConfig.xml) contains sensitive database connection information. A publicly accessible XSQL configuration file can expose the database user name and password that can be used access sensitive data or to launch further attacks.
3.7.4 Log Archive Duplex Destination Owner
Description: Ensures that the server's archive logs directory is a valid directory owned by Oracle software owner.Severity: Critical
Rationale: LogMiner can be used to extract database information from the archive logs if the directory specified by LOG_ARCHIVE_DUPLEX_DEST parameter (in init.ora file) is not owned by the owner of the Oracle software installation or has permissions for others.
3.7.5 Oracle Agent SNMP Read-Only Configuration File Owner
Description: Ensures Oracle Agent SNMP read-only configuration file (snmp_ro.ora) is owned by Oracle software owner.Severity: Warning
Rationale: The Oracle Agent SNMP read-only configuration file (snmp_ro.ora) contains the listening address of the agent, the names of SQL*Net listener and Oracle database services it knows about, plus tracing parameters. A publicly accessible SNMP read-only configuration file can be used to extract sensitive data like the tracing directory location, dbsnmp address, and so on.
3.7.6 Log Archive Destination Permission (Windows)
Description: Ensures that the server's archive logs are not accessible to public.Severity: Critical
Rationale: LogMiner can be used to extract database information from the archive logs if the directory specified by LOG_ARCHIVE_DEST parameter (in init.ora file) is not owned by the owner of the Oracle software installation or has permissions for others.
3.7.7 Log Archive Duplex Destination Permission (Windows)
Description: Ensures that the server's archive logs are not accessible to public.Severity: Critical
Rationale: LogMiner can be used to extract database information from the archive logs if the directory specified by LOG_ARCHIVE_DUPLEX_DEST parameter (in init.ora file) is not owned by the owner of the Oracle software installation or has permissions for others.
3.7.8 DISPATCHERS
Description: Ensures that the DISPATCHERS parameter is not set.Severity: Critical
Rationale: This will disable default ports ftp: 2100 and http: 8080. Removing the XDB ports will reduce the attack surface of the Oracle server. It is recommended to disable these ports if production usage is not required.
3.7.9 IFILE Referenced File Permission
Description: Ensures that access to the files referenced by the IFILE parameter is restricted to the owner of the Oracle software set and the DBA group.Severity: Critical
Rationale: The IFILE initialization parameter can be used to embed the contents of another initialization parameter file into the current initialization parameter file. A publicly accessible initialization parameter file can be scanned for sensitive initialization parameters exposing the security policies of the database. Initialization parameter file can also be searched for the weaknesses of the Oracle database configuration setting.
3.7.10 Log Archive Destination Owner
Description: Ensures that the server's archive logs directory is a valid directory owned by Oracle software owner.Severity: Critical
Rationale: LogMiner can be used to extract database information from the archive logs if the directory specified by LOG_ARCHIVE_DEST parameter (in init.ora file) is not owned by the owner of the Oracle software installation or has permissions for others.
3.7.11 Log Archive Destination Permission
Description: Ensures that the server's archive logs are not accessible to public.Severity: Critical
Rationale: LogMiner can be used to extract database information from the archive logs if the directory specified by LOG_ARCHIVE_DEST parameter (in init.ora file) is not owned by the owner of the Oracle software installation or has permissions for others.
3.7.12 Oracle XSQL Configuration File Permission
Description: Ensures Oracle XSQL configuration file (XSQLConfig.xml) permissions are limited to the Oracle software set and DBA group.Severity: Warning
Rationale: The Oracle XSQL configuration file (XSQLConfig.xml) contains sensitive database connection information. A publicly accessible XSQL configuration file can expose the database user name and password that can be used to access sensitive data or to launch further attacks.
3.7.13 Webcache Initialization File Permission
Description: Ensures the Webcache initialization file (webcache.xml) permissions are limited to the Oracle software set and DBA group.Severity: Warning
Rationale: Webcache stores sensitive information in the initialization file (webcache.xml). A publicly accessible Webcache initialization file can be used to extract sensitive data like the administrator password hash.
3.7.14 Oracle HTTP Server Distributed Configuration File Owner
Description: Ensures Oracle HTTP Server distributed configuration file ownership is restricted to the Oracle software set and DBA group.Severity: Warning
Rationale: The Oracle HTTP Server distributed configuration file (usually .htaccess) is used for access control and authentication of web folders. This file can be modified to gain access to pages containing sensitive information.
3.7.15 Oracle HTTP Server mod_plsql Configuration File Permission
Description: Ensures Oracle Agent SNMP read-only configuration file (snmp_ro.ora) permissions are limited to the Oracle software set and DBA group.Severity: Warning
Rationale: The Oracle Agent SNMP read-only configuration file (snmp_ro.ora) contains the listening address of the agent, the names of SQL*Net listener and Oracle database services it knows about, plus tracing parameters. A publicly accessible SNMP read-only configuration file can be used to extract sensitive data like the tracing directory location, dbsnmp address, and so on.
3.7.16 RETURN SERVER RELEASE BANNER
Description: Ensures that value of parameter SEC_RETURN_SERVER_RELEASE_BANNER is FALSE.Severity: Critical
Rationale: If the Parameter SEC_RETURN_SERVER_RELEASE_BANNER is TRUE Oracle database returns complete database version information to clients. Knowing the exact patch set can aid an attacker.
3.7.17 Restrict Permissions of the tkprof Executable to the Owner of the Oracle Software Set and the DBA Group
Description: Ensures tkprof executable file is owned by Oracle software owner.Severity: Warning
Rationale: Not restricting ownership of tkprof to the Oracle software set and DBA group may cause information leaks.
3.7.18 Oracle HTTP Server mod_plsql Configuration File Owner
Description: Ensures Oracle HTTP Server mod_plsql configuration file (wdbsvr.app) is owned by Oracle software owner.Severity: Warning
Rationale: The Oracle Agent SNMP read-write configuration file (snmp_rw.ora) contains the listening address of the agent, the names of SQL*Net listener and Oracle database services it knows about, plus tracing parameters. A publicly accessible SNMP read-write configuration file can be used to extract sensitive data like the tracing directory location, dbsnmp address, and so on.
3.7.19 Oracle Agent SNMP Read-Write Configuration File Permission
Description: Ensures Oracle Agent SNMP read-write configuration file (snmp_rw.ora) permissions are limited to the Oracle software set and DBA group.Severity: Warning
Rationale: The Oracle Agent SNMP read-write configuration file (snmp_ro.ora) contains the listening address of the agent, the names of SQL*Net listener and Oracle database services it knows about, plus tracing parameters. A publicly accessible SNMP read-write configuration file can be used to extract sensitive data like the tracing directory location, dbsnmp address, and so on.
3.7.20 Use of SQL 92 Security Features
Description: Ensures use of SQL92 security features.Severity: Warning
Rationale: If SQL92 security features are not enabled, a user might be able to execute an UPDATE or DELETE statement using a WHERE clause without having select privilege on a table.
3.7.21 Remote Password File
Description: Ensures privileged users are authenticated by the operating system; that is, Oracle ignores any password file.Severity: Minor Warning
Rationale: The REMOTE_LOGIN_PASSWORDFILE parameter specifies whether or not Oracle checks for a password file. Because password files contain the passwords for users, including SYS, the most secure way of preventing an attacker from connecting through brute-force password-related attacks is to require privileged users be authenticated by the operating system.
3.7.22 DB SECUREFILE
Description: Ensures that all LOB files created by Oracle are created as SecureFiles.Severity: Critical
Rationale: For LOBs to get treated as SecureFiles, set COMPATIBILE Initialization Param to 11.1 or higher. If there is a LOB column with two partitions (one that has a tablespace for which ASSM is enabled and one that has a tablespace for which ASSM is not enabled), then LOBs in the partition with the ASSM-enabled tablespace will be treated as SecureFiles and LOBs in the other partition will be treated as BasicFile LOBs. Setting db_securefile to ALWAYS makes sure that any LOB file created is a secure file.
3.7.23 Tkprof Executable Permission
Description: Ensures tkprof executable file permissions are restricted to read and execute for the group, and inaccessible to public.Severity: Warning
Rationale: Excessive permission for tkprof leaves information within, unprotected.
3.7.24 Oracle Agent SNMP Read-Write Configuration File Owner
Description: Ensures Oracle Agent SNMP read-write configuration file (snmp_rw.ora) is owned by Oracle software owner.Severity: Warning
Rationale: The Oracle Agent SNMP read-write configuration file (snmp_ro.ora) contains the listening address of the agent, the names of SQL*Net listener and Oracle database services it knows about, plus tracing parameters. A publicly accessible SNMP read-write configuration file can be used to extract sensitive data like the tracing directory location, dbsnmp address, and so on.
3.7.25 Use of Automatic Log Archival Features
Description: Ensures that archiving of redo logs is done automatically and prevents suspension of instance operations when redo logs fill. Only applicable if the database is in archivelog mode.Severity: Critical
Rationale: Setting the LOG_ARCHIVE_START initialization parameter to TRUE ensures that the archiving of redo logs is done automatically and prevents suspension of instance operations when redo logs fill. This feature is only applicable if the database is in archivelog mode.
3.7.26 Webcache Initialization File Permission (Windows)
Description: Ensures the Webcache initialization file (webcache.xml) permissions are limited to the Oracle software set and DBA group.Severity: Warning
Rationale: Webcache stores sensitive information in the initialization file (webcache.xml). A publicly accessible Webcache initialization file can be used to extract sensitive data like the administrator password hash.
3.7.27 Oracle HTTP Server mod_plsql Configuration File Permission (Windows)
Description: Oracle HTTP Server mod_plsql Configuration file (wdbsvr.app) permissions are limited to the Oracle software set and DBA group.Severity: Warning
Rationale: The Oracle HTTP Server mod_plsql configuration file (wdbsvr.app) contains the Database Access Descriptors used for authentication. A publicly accessible mod_plsql configuration file can allow a malicious user to modify the Database Access Descriptor settings to gain access to PL/SQL applications or launch a Denial Of Service attack.
3.7.28 SQL*Plus Executable Permission
Description: Ensures that SQL*Plus executable file permissions are limited to the Oracle software set and DBA group.Severity: Warning
Rationale: SQL*Plus allows a user to execute any SQL on the database. Public execute permissions on SQL*Plus can cause security issues by exposing sensitive data to malicious users.
3.7.29 Webcache Initialization File Owner
Description: Ensures Webcache initialization file (webcache.xml) is owned by Oracle software owner.Severity: Warning
Rationale: Webcache stores sensitive information in the initialization file (webcache.xml). A publicly accessible Webcache initialization file can be used to extract sensitive data like the administrator password hash.
3.7.30 Oracle Agent SNMP Read-Only Configuration File Permission
Description: Ensures Oracle Agent SNMP read-only configuration file (snmp_ro.ora) permissions are limited to the Oracle software set and DBA group.Severity: Warning
Rationale: The Oracle Agent SNMP read-only configuration file (snmp_ro.ora) contains the listening address of the agent, the names of SQL*Net listener and Oracle database services it knows about, plus tracing parameters. A publicly accessible SNMP read-only configuration file can be used to extract sensitive data like the tracing directory location, dbsnmp address, and so on.
3.7.31 Log Archive Duplex Destination Permission
Description: Ensures that the server's archive logs are not accessible to public.Severity: Critical
Rationale: LogMiner can be used to extract database information from the archive logs if the directory specified by LOG_ARCHIVE_DUPLEX_DEST parameter (in init.ora file) is not owned by the owner of the Oracle software installation or has permissions for others.
3.7.32 $ORACLE_HOME/network/admin File Permission (Windows)
Description: Ensures the files in $ORACLE_HOME/network/admin ownership is restricted to the Oracle software set, group is restricted to DBA group and Public does not have write permission.Severity: Warning
Rationale: Not restricting ownership of network/admin to the Oracle software set and DBA group may cause security issues by exposing net configuration data to malicious users.
3.7.33 Utility File Directory Initialization Parameter Setting in Oracle 9i Release 1 and Later
Description: Ensures that the UTL_FILE_DIR initialization parameter is not used in Oracle9i Release 1 and later.Severity: Critical
Rationale: Specifies the directories which UTL_FILE package can access. Having the parameter set to asterisk (*), period (.), or to sensitive directories could expose them to all users having execute privilege on UTL_FILE package.
3.7.34 IFILE Referenced File Permission (Windows)
Description: Ensures that access to the files referenced by the IFILE parameter is restricted to the owner of the Oracle software set and the DBA group.Severity: Critical
Rationale: The IFILE initialization parameter can be used to embed the contents of another initialization parameter file into the current initialization parameter file. A publicly accessible initialization parameter file can be scanned for sensitive initialization parameters exposing the security policies of the database. Initialization parameter file can also be searched for the weaknesses of the Oracle database configuration setting.
3.7.35 SQL*Plus Executable Permission (Windows)
Description: Ensures that SQL*Plus executable file permissions are limited to the Oracle software set and DBA group.Severity: Warning
Rationale: SQL*Plus allows a user to execute any SQL on the database. Public execute permissions on SQL*Plus can cause security issues by exposing sensitive data to malicious users.
3.7.36 Oracle XSQL Configuration File Permission (Windows)
Description: Ensures Oracle XSQL Configuration File (XSQLConfig.xml) permissions are limited to the Oracle software set and DBA group.Severity: Warning
Rationale: The Oracle XSQL configuration file (XSQLConfig.xml) contains sensitive database connection information. A publicly accessible XSQL configuration file can expose the database user name and password that can be used access sensitive data or to launch further attacks.
3.7.37 OS ROLES
Description: Ensures roles are stored, managed, and protected in the database rather than files external to the DBMS.Severity: Warning
Rationale: If Roles are managed by OS, can cause serious security issues.
3.7.38 Tkprof Executable Permission (Windows)
Description: Ensures tkprof executable file permissions are restricted to read and execute for the group, and inaccessible to public.Severity: Warning
Rationale: Excessive permission for tkprof leaves information within, unprotected.
3.7.39 $ORACLE_HOME/network/admin File Permission
Description: Ensures the files in $ORACLE_HOME/network/admin ownership is restricted to the Oracle software set, group is restricted to DBA group and Public does not have write permission.Severity: Warning
Rationale: Not restricting ownership of network/admin to the Oracle software set and DBA group may cause security issues by exposing net configuration data to malicious users.
3.7.40 Oracle HTTP Server mod_plsql Configuration File Permission
Description: Ensures Oracle HTTP Server mod_plsql Configuration file (wdbsvr.app) permissions are limited to the Oracle software set and DBA group.Severity: Warning
Rationale: The Oracle Agent SNMP read-write configuration file (snmp_rw.ora) contains the listening address of the agent, the names of SQL*Net listener and Oracle database services it knows about, plus tracing parameters. A publicly accessible SNMP read-write configuration file can be used to extract sensitive data like the tracing directory location, dbsnmp address, and so on.
3.7.41 Oracle Agent SNMP Read-Write Configuration File Permission (Windows)
Description: Ensures Oracle Agent SNMP read-write configuration file (snmp_rw.ora) permissions are limited to the Oracle software set and DBA group.Severity: Warning
Rationale: The Oracle Agent SNMP read-write configuration file (snmp_ro.ora) contains the listening address of the agent, the names of SQL*Net listener and Oracle database users it knows about, plus tracing parameters. A publicly accessible SNMP read-write configuration file can be used to extract sensitive data like the tracing directory location, dbsnmp address, and so on.
3.7.42 CASE SENSITIVE LOGON
Description: Ensures that the sec_case_sensitive_logon parameter is set to true.Severity: Critical
Rationale: This increases the complexity of passwords and helps defend against brute-force password attacks.
3.7.43 Otrace Data File
Description: Avoids negative impact on database performance and disk space usage, caused by data collected by otrace.Severity: Warning
Rationale: Performance and resource utilization data collection can have a negative impact on database performance and disk space usage.
3.7.44 Background Dump Destination
Description: Ensures that access to the trace files directory is restricted to the owner of the Oracle software set and the DBA group.Severity: Critical
Rationale: Background processes such as the log writer process and the database writer process use trace files to record occurrences and exceptions of database operations, as well as errors. The trace files are stored in the directory specified by the BACKGROUND_DUMP_DEST initialization parameter. Giving public read permission to this directory may reveal important and sensitive internal details of the database and applications.
3.7.45 SQL*Plus Executable Owner
Description: Ensures SQL*Plus ownership is restricted to the Oracle software set and DBA group.Severity: Warning
Rationale: SQL*Plus allows a user to execute any SQL on the database. Not restricting ownership of SQL*Plus to the Oracle software set and DBA group may cause security issues by exposing sensitive data to malicious users.
3.7.46 Oracle HTTP Server Distributed Configuration Files Permission
Description: Ensures Oracle HTTP Server Distributed Configuration Files permissions are limited to the Oracle software set and DBA group.Severity: Warning
Rationale: The Oracle HTTP Server distributed configuration file (usually .htaccess) is used for access control and authentication of web folders. This file can be modified to gain access to pages containing sensitive information.
3.7.47 Oracle Home Executable Files Permission (Windows)
Description: Ensures that all files in the ORACLE_HOME/bin folder do not have public write permission.Severity: Warning
Rationale: Incorrect file permissions on some of the Oracle files can cause major security issues.
3.7.48 Naming Database Links
Description: Ensures that the name of a database link is the same as that of the remote database.Severity: Warning
Rationale: Database link names that do not match the global names of the databases to which they are connecting can cause an administrator to inadvertently give access to a production server from a test or development server. Knowledge of this can be used by a malicious user to gain access to the target database.
3.7.49 Secure OS Audit Level
Description: On UNIX systems, ensures that AUDIT_SYSLOG_LEVEL is set to a non-default value when OS-level auditing is enabled.Severity: Warning
Rationale: Setting the AUDIT_SYSLOG_LEVEL initialization parameter to the default value (NONE) will result in DBAs gaining access to the OS audit records.
