  1. #
  2. # (C) 2014-2015 Tenable Network Security, Inc.
  3. #
  4. # This script is released under the Tenable Subscription License and
  5. # may not be used from within scripts released under another license
  6. # without authorization from Tenable Network Security, Inc.
  7. #
  8. # See the following licenses for details:
  9. #
  10. # http://static.tenable.com/prod_docs/Nessus_6_SLA_and_Subscription_Agreement.pdf
  11. #
  12. # @PROFESSIONALFEED@
  13. # $Revision: 1.6 $
  14. # $Date: Tue Apr 26 10:32:13 2016 -0400 $
  15. #
  16. # Description:
  17. #
  18. # This document consists of a list of Oracle 9i/10g Database security settings as suggested by
  19. # the CIS Benchmark for Oracle 9i/10g v2.01.
  20. #
  21. # The audits contained in this document are for Level 1 items of the CIS Oracle Database
  22. # Server 9i/10g and are specific to the database itself and not the operating system.
  23. #
  24. # See Also:
  25. # https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Benchmark_v2.01.pdf
  26. #
  27. #<ui_metadata>
  28. #<display_name>CIS Oracle 9 10 DB Level1 v2.01</display_name>
  29. #<spec>
  30. # <type>CIS</type>
  31. # <name>Oracle 9 10 DB Level1</name>
  32. # <version>2.1.0</version>
  33. # <link>https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Benchmark_v2.01.pdf</link>
  34. #</spec>
  35. #<labels>database,cis,oracle,oracle_9,oracle_10</labels>
  36. #</ui_metadata>
  37.  
  38. <check_type: "Database" db_type:"Oracle" version:"1">
  39. <group_policy: "CIS v2.01 Oracle 9i/10g Level 1 and 2">
  40.  
  41. #
  42. ## 4. Oracle Parameter Settings
  43. #
  44.  
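  # 4.02: the query reads global_names from v$parameter and the solution line requires TRUE,
  # but the original sql_expect matched FALSE, so the check passed on the non-compliant value
  # and failed on the compliant one. Expect TRUE instead (same case-insensitive pattern 4.13 uses).
  45. <custom_item>
  46. type : SQL_POLICY
  47. description : "4.02 init.ora (global_names = TRUE)"
  48. info : "This parameter ensures that Oracle will check that the name of a database link is the same as the remote database."
  49. info : "Default is FALSE."
  50. reference : "LEVEL|1S"
  51. see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Benchmark_v2.01.pdf"
  52. solution : "global_names = TRUE"
  53. sql_request : "select value from v$parameter where name like 'global_names'"
  54. sql_types : POLICY_VARCHAR
  55. sql_expect : regex: "[Tt][Rr][Uu][Ee]"
  56. </custom_item>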
  57.  
  # 4.04: reads remote_os_authent from v$parameter; passes only when the value matches FALSE
  # (case-insensitive, unanchored regex).
  58. <custom_item>
  59. type : SQL_POLICY
  60. description : "4.04 init.ora (remote_os_authent = false)"
  61. info : "Connection without a password must be prevented."
  62. info : "Default is FALSE."
  63. reference : "LEVEL|1S"
  64. see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Benchmark_v2.01.pdf"
  65. solution : "remote_os_authent = false"
  66. sql_request : "select value from v$parameter where name like 'remote_os_authent'"
  67. sql_types : POLICY_VARCHAR
  68. sql_expect : regex: "[Ff][Aa][Ll][Ss][Ee]"
  69. </custom_item>
  70.  
  # 4.05: reads remote_os_roles from v$parameter; passes only when the value matches FALSE
  # (case-insensitive, unanchored regex).
  71. <custom_item>
  72. type : SQL_POLICY
  73. description : "4.05 init.ora (remote_os_roles = false)"
  74. info : "Connection spoofing must be prevented. Default is FALSE."
  75. reference : "LEVEL|1S"
  76. see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Benchmark_v2.01.pdf"
  77. solution : "remote_os_roles = false"
  78. sql_request : "select value from v$parameter where name like 'remote_os_roles'"
  79. sql_types : POLICY_VARCHAR
  80. sql_expect : regex: "[Ff][Aa][Ll][Ss][Ee]"
  81. </custom_item>
  82.  
  # 4.06: passes only when remote_listener has no value at all (sql_expect NULL); as the
  # second info line says, a value consisting of a space is not NULL and fails the check.
  83. <custom_item>
  84. type : SQL_POLICY
  85. description : "4.06 init.ora (remote_listener = NULL)"
  86. info : "Prevent the use of a listener on a remote machine separate from the database instance. Default is '' (A null string)"
  87. info : "NOTE: the field should be left empty. A space is not a null string."
  88. reference : "LEVEL|1S"
  89. see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Benchmark_v2.01.pdf"
  90. solution : "remote_listener = NULL"
  91. sql_request : "select value from v$parameter where name like 'remote_listener'"
  92. sql_types : POLICY_VARCHAR
  93. sql_expect : NULL
  94. </custom_item>
  95.  
  # 4.07: the three patterns are OR-ed and unanchored, so any audit_trail value that contains
  # OS, DB or TRUE (in any case) passes; a value of NONE matches none of them and fails.
  96. <custom_item>
  97. type : SQL_POLICY
  98. description : "4.07 init.ora (audit_trail = OS, DB, or TRUE)"
  99. info : "Ensures that basic audit features are used. Ensures that basic audit features are used. Recommend setting audit_trail"
  100. info : "to OS as it reduces the likelihood of a Denial of Service attack and it is easier to secure the audit trail. OS is"
  101. info : "required if the auditor is distinct from the DBA. Any auditing information stored in the database is viewable and"
  102. info : "modifiable by the DBA. Even with the AUDIT_TRAIL value set to FALSE, an audit session will report, 'Audit succeeded'."
  103. reference : "LEVEL|1S"
  104. see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Benchmark_v2.01.pdf"
  105. solution : "Audit_trail parameter set to OS, DB, or TRUE"
  106. sql_request : "select value from v$parameter where name like 'audit_trail'"
  107. sql_types : POLICY_VARCHAR
  108. sql_expect : regex: "[Oo][Ss]" || regex: "[Dd][Bb]" || regex: "[Tt][Rr][Uu][Ee]"
  109. </custom_item>
  110.  
  # 4.08: passes only when os_authent_prefix is empty (sql_expect NULL); the info text notes
  # the shipped default is OPS$, which therefore fails.
  111. <custom_item>
  112. type : SQL_POLICY
  113. description : "4.08 init.ora (os_authent_prefix = A NULL STRING)"
  114. info : "It must be set to limit the external use of an account to an IDENTIFIED EXTERNALLY specified user."
  115. info : "Default is set to OPS$, which is for backward compatibility to previous versions. Null is recommended."
  116. reference : "LEVEL|1S"
  117. see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Benchmark_v2.01.pdf"
  118. solution : "os_authent_prefix = A NULL STRING"
  119. sql_request : "select value from v$parameter where name like 'os_authent_prefix'"
  120. sql_types : POLICY_VARCHAR
  121. sql_expect : NULL
  122. </custom_item>
  123.  
  # 4.09: reads os_roles from v$parameter; passes only when the value matches FALSE
  # (case-insensitive, unanchored regex).
  124. <custom_item>
  125. type : SQL_POLICY
  126. description : "4.09 init.ora (os_roles = FALSE)"
  127. info : "O/S roles are subject to control outside the database. The duties and responsibilities of DBAs and system"
  128. info : "administrators must be separated. Default is FALSE."
  129. reference : "PCI-DSS|6.4.2,LEVEL|1S"
  130. see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Benchmark_v2.01.pdf"
  131. solution : "os_roles = FALSE"
  132. sql_request : "select value from v$parameter where name like 'os_roles'"
  133. sql_types : POLICY_VARCHAR
  134. sql_expect : regex: "[Ff][Aa][Ll][Ss][Ee]"
  135. </custom_item>
  136.  
  # 4.10: passes only when utl_file_dir has no value (sql_expect NULL); any configured
  # directory list fails the check.
  137. <custom_item>
  138. type : SQL_POLICY
  139. description : "4.10 init.ora (Avoid using utl_file_dir parameters)"
  140. info : "Do not use the utl_file_dir parameter. Specify directories using CREATE DIRECTORY. Default is not to have it set."
  141. reference : "LEVEL|1S"
  142. see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Benchmark_v2.01.pdf"
  143. solution : "Avoid using utl_file_dir parameters"
  144. sql_request : "select value from v$parameter where name like 'utl_file_dir'"
  145. sql_types : POLICY_VARCHAR
  146. sql_expect : NULL
  147. </custom_item>
  148.  
  # 4.11: count(value) counts non-null values, so the result is 0 when log_archive_duplex_dest
  # is unset; the regex [1-9]+ accepts any non-zero count and rejects 0.
  149. <custom_item>
  150. type : SQL_POLICY
  151. description : "4.11 init.ora (Use LOG_ARCHIVE_DUPLEX_DEST to establish a redundant location for the redo logs)"
  152. info : "Redundancy for the redo logs can prevent catastrophic loss in the event of a single physical drive failure."
  153. info : "If this parameter is used, it must be set to a valid directory owned by oracle set with owner and group read/write"
  154. info : "permissions only. For complex configurations where different groups need access to the directory, access control"
  155. info : "lists must be used. Default is '' (A null string). Not set up by default."
  156. reference : "LEVEL|1S"
  157. see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Benchmark_v2.01.pdf"
  158. solution : "Establish redundant physically separate locations for redo log files.Use LOG_ARCHIVE_DUPLEX_DEST to establish a redundant location for the redo logs."
  159. sql_request : "select count(value) from v$parameter where name like 'log_archive_duplex_dest'"
  160. sql_types : POLICY_INTEGER
  161. sql_expect : regex: "[1-9]+"
  162. </custom_item>
  163.  
  # 4.12: count(value) counts non-null values, so the result is 0 when log_archive_min_succeed_dest
  # is unset; the regex [1-9]+ accepts any non-zero count and rejects 0.
  164. <custom_item>
  165. type : SQL_POLICY
  166. description : "4.12 init.ora (Use LOG_ARCHIVE_MIN_SUCCEED_DEST to ensure the successful logging of the redo files)"
  167. info : "Specifying that the logging must succeed in one or more locations ensures redundancy of the redo logs. Default is 1"
  168. reference : "LEVEL|1S"
  169. see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Benchmark_v2.01.pdf"
  170. solution : "Specify redo logging must be successful. Use LOG_ARCHIVE_MIN_SUCCEED_DEST to ensure the successful logging of the redo files."
  171. sql_request : "select count(value) from v$parameter where name like 'log_archive_min_succeed_dest'"
  172. sql_types : POLICY_INTEGER
  173. sql_expect : regex: "[1-9]+"
  174. </custom_item>
  175.  
  # 4.13: reads sql92_security from v$parameter; passes only when the value matches TRUE
  # (case-insensitive, unanchored regex).
  176. <custom_item>
  177. type : SQL_POLICY
  178. description : "4.13 init.ora - 'sql92_security = TRUE'"
  179. info : "Enforce the requirement that a user must have SELECT privilege on a table in order to be able to execute UPDATE and DELETE"
  180. info : "statements using WHERE clauses on a given table. Default is FALSE"
  181. reference : "LEVEL|1S"
  182. see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Benchmark_v2.01.pdf"
  183. solution : "sql92_security = TRUE"
  184. sql_request : "select value from v$parameter where name like 'sql92_security'"
  185. sql_types : POLICY_VARCHAR
  186. sql_expect : regex: "[Tt][Rr][Uu][Ee]"
  187. </custom_item>
  188.  
  # 4.17: informational item — no query is run; it always reports as a WARNING and the last
  # info line states that manual verification is required.
  189. <report type: "WARNING">
  190. description : "4.17 SQL key word NOLOGGING - 'Be aware of the potential for malicious code that can be performed without an audit trail under the key word NOLOGGING.'"
  191. info : "The NOLOGGING keyword instructs Oracle Database Server to forego writing essential recovery information to the redo log when performing certain actions."
  192. info : "Note that UNRECOVERABLE, which was replaced by NOLOGGING is no longer supported in 10g."
  193. reference : "LEVEL|1S"
  194. see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Benchmark_v2.01.pdf"
  195. solution : "Be aware of the potential for malicious code that can be performed without an audit trail under the key word NOLOGGING."
  196. info : "NOTE: Nessus did not perform this check as it requires manual verification that no database objects are operating in NOLOGGING mode"
  197. </report>
  198.  
  199. #
  200. ## 6. Startup and Shutdown
  201. #
  202.  
  # 6.01: informational item — no query is run; it always reports as a WARNING and the last
  # info line states that manual verification is required.
  203. <report type: "WARNING">
  204. description : "6.01 Advanced queuing in asynchronous messaging - Empty queue at shutdown of Oracle"
  205. info : "Information in queue may be accessed outside of Oracle and beyond the control of the security parameters."
  206. info : "It should be subject to the same security precautions as other tables."
  207. reference : "LEVEL|1S"
  208. see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Benchmark_v2.01.pdf"
  209. solution : "Empty queue at shutdown of Oracle"
  210. info : "NOTE: Nessus did not perform this check as it requires manual verification that the system is configured to purge the queue at shutdown."
  211. </report>
  212.  
  # 6.02: informational item — no query is run; it always reports as a WARNING and the last
  # info line states that manual verification is required.
  213. <report type: "WARNING">
  214. description : "6.02 Cache - Cache must be emptied at shutdown of Oracle"
  215. info : "Information in caches may be accessed outside of Oracle and beyond the controls of the security parameters."
  216. reference : "LEVEL|1S"
  217. see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Benchmark_v2.01.pdf"
  218. solution : "Cache must be emptied at shutdown of Oracle"
  219. info : "NOTE: Nessus did not perform this check as it requires manual verification that the system is configured to flush the BUFFER_CACHE"
  220. </report>
  221.  
  222. #
  223. ## 8. Oracle Profile (User) Setup Settings
  224. #
  225.  
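  # 8.01: DBA_PROFILES.LIMIT is a character column, so the original "LIMIT > '3'" compared strings:
  # '10' sorts before '3' and was never reported, while any value starting with a digit above 3 was.
  # The CASE below compares numerically. UNLIMITED is still reported and profiles that inherit
  # DEFAULT are still skipped, as before. CASE evaluates its branches in order, so TO_NUMBER is
  # never applied to the non-numeric values.
  226. <custom_item>
  227. type : SQL_POLICY
  228. description : "8.01 Database Profiles (failed_login_attempts=3)"
  229. info : "Local policy may override the recommended setting. This setting may not be applicable for middle tier application accounts that access the database."
  230. info : "Application accounts must be set for failed_login_attempts=1."
  231. reference : "PCI-DSS|8.5.13,LEVEL|1S"
  232. see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Benchmark_v2.01.pdf"
  233. solution : "Create a profile then assign it to a user account. Default profile has this setting at 10."
  234. sql_request : "select PROFILE,LIMIT from DBA_PROFILES where RESOURCE_NAME = 'FAILED_LOGIN_ATTEMPTS' and CASE WHEN LIMIT = 'DEFAULT' THEN 0 WHEN LIMIT = 'UNLIMITED' THEN 1 WHEN TO_NUMBER(LIMIT) > 3 THEN 1 ELSE 0 END = 1"
  235. sql_types : POLICY_VARCHAR,POLICY_INTEGER
  236. sql_expect : NULL,NULL
  237. </custom_item>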
  238.  
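  # 8.02: DBA_PROFILES.LIMIT is a character column, so the original "LIMIT > '90'" compared strings:
  # '180' sorts before '90' and was never reported. The CASE below compares numerically; UNLIMITED
  # is still reported and profiles that inherit DEFAULT are still skipped, as before. CASE evaluates
  # its branches in order, so TO_NUMBER is never applied to the non-numeric values.
  239. <custom_item>
  240. type : SQL_POLICY
  241. description : "8.02 Database Profiles (password_life_time=90)"
  242. info : "Local policy may not override the setting. This setting may not be applicable for middle tier application accounts that access the database."
  243. reference : "PCI-DSS|8.5.12,LEVEL|1S"
  244. see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Benchmark_v2.01.pdf"
  245. solution : "Create a profile then assign it to a user account. Default profile has this setting not set."
  246. sql_request : "select PROFILE,LIMIT from DBA_PROFILES where RESOURCE_NAME = 'PASSWORD_LIFE_TIME' and CASE WHEN LIMIT = 'DEFAULT' THEN 0 WHEN LIMIT = 'UNLIMITED' THEN 1 WHEN TO_NUMBER(LIMIT) > 90 THEN 1 ELSE 0 END = 1"
  247. sql_types : POLICY_VARCHAR,POLICY_INTEGER
  248. sql_expect : NULL,NULL
  249. </custom_item>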
  250.  
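  # 8.03: DBA_PROFILES.LIMIT is a character column, so the original "LIMIT < '20'" compared strings:
  # '5' sorted after '20' and was never reported, while '100' sorted before it and was. The CASE
  # below compares numerically. DEFAULT and UNLIMITED are not reported, which is the outcome the
  # original produced for those two values. CASE evaluates its branches in order, so TO_NUMBER is
  # never applied to the non-numeric values.
  252. <custom_item>
  253. type : SQL_POLICY
  254. description : "8.03 Database Profiles (password_reuse_max=20)"
  255. info : "Local policy may override the recommended setting. This setting may not be applicable for middle tier application accounts that access the database."
  256. reference : "PCI-DSS|8.5.12,LEVEL|1S"
  257. see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Benchmark_v2.01.pdf"
  258. solution : "Create a profile then assign it to a user account. Default profile has this setting not set."
  259. sql_request : "select PROFILE,LIMIT from DBA_PROFILES where RESOURCE_NAME = 'PASSWORD_REUSE_MAX' and CASE WHEN LIMIT IN ('DEFAULT','UNLIMITED') THEN 0 WHEN TO_NUMBER(LIMIT) < 20 THEN 1 ELSE 0 END = 1"
  260. sql_types : POLICY_VARCHAR,POLICY_INTEGER
  261. sql_expect : NULL,NULL
  262. </custom_item>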
  262.  
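  # 8.04: DBA_PROFILES.LIMIT is a character column, so the original "LIMIT < '365'" compared strings:
  # '5' sorted after '365' and was never reported. The CASE below compares numerically. DEFAULT and
  # UNLIMITED are not reported, which is the outcome the original produced for those two values
  # (the info text explains why UNLIMITED can be legitimate here). CASE evaluates its branches in
  # order, so TO_NUMBER is never applied to the non-numeric values.
  264. <custom_item>
  265. type : SQL_POLICY
  266. description : "8.04 Database Profiles (password_reuse_time=365)"
  267. info : "Local policy may not override the setting. This setting must be set to unlimited if a password_reuse_max value other than unlimited is defined"
  268. info : "for Oracle versions earlier than 9i. See Metalink DocID 228991.1 to see the Oracle version-specific relationship of this setting with the"
  269. info : "password_reuse_max setting."
  270. reference : "PCI-DSS|8.5.9,LEVEL|1S"
  271. see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Benchmark_v2.01.pdf"
  272. solution : "Create a profile then assign it to a user account. Default profile has this setting not set."
  273. sql_request : "select PROFILE,LIMIT from DBA_PROFILES where RESOURCE_NAME = 'PASSWORD_REUSE_TIME' and CASE WHEN LIMIT IN ('DEFAULT','UNLIMITED') THEN 0 WHEN TO_NUMBER(LIMIT) < 365 THEN 1 ELSE 0 END = 1"
  274. sql_types : POLICY_VARCHAR,POLICY_INTEGER
  275. sql_expect : NULL,NULL
  276. </custom_item>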
  276.  
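  # 8.05: DBA_PROFILES.LIMIT is a character column, so the original "LIMIT < '1'" compared strings
  # rather than numbers. The CASE below compares numerically (fractional day values such as '.5'
  # are still reported). DEFAULT and UNLIMITED are not reported, which is the outcome the original
  # produced for those two values. CASE evaluates its branches in order, so TO_NUMBER is never
  # applied to the non-numeric values.
  278. <custom_item>
  279. type : SQL_POLICY
  280. description : "8.05 Database Profiles (password_lock_time=1)"
  281. info : "Local policy may not override the setting. This setting may not be applicable for middle tier application accounts that access the database."
  282. reference : "PCI-DSS|8.5.14,LEVEL|1S"
  283. see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Benchmark_v2.01.pdf"
  284. solution : "Create a profile then assign it to a user account. Default profile has this set to unlimited."
  285. sql_request : "select PROFILE,LIMIT from DBA_PROFILES where RESOURCE_NAME = 'PASSWORD_LOCK_TIME' and CASE WHEN LIMIT IN ('DEFAULT','UNLIMITED') THEN 0 WHEN TO_NUMBER(LIMIT) < 1 THEN 1 ELSE 0 END = 1"
  286. sql_types : POLICY_VARCHAR,POLICY_INTEGER
  287. sql_expect : NULL,NULL
  288. </custom_item>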
  288.  
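  # 8.06: DBA_PROFILES.LIMIT is a character column, so the original "LIMIT < '3'" compared strings:
  # a compliant '10' sorted before '3' and was reported as a failure. The CASE below compares
  # numerically. DEFAULT and UNLIMITED are not reported, which is the outcome the original produced
  # for those two values. CASE evaluates its branches in order, so TO_NUMBER is never applied to
  # the non-numeric values.
  290. <custom_item>
  291. type : SQL_POLICY
  292. description : "8.06 Database Profiles (password_grace_time=3)"
  293. info : "Local policy may not override the setting. This setting may not be applicable for middle tier application accounts that access the database."
  294. reference : "LEVEL|1S"
  295. see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Benchmark_v2.01.pdf"
  296. solution : "Create a profile then assign it to a user account. Default profile has this setting not set."
  297. sql_request : "select PROFILE,LIMIT from DBA_PROFILES where RESOURCE_NAME = 'PASSWORD_GRACE_TIME' and CASE WHEN LIMIT IN ('DEFAULT','UNLIMITED') THEN 0 WHEN TO_NUMBER(LIMIT) < 3 THEN 1 ELSE 0 END = 1"
  298. sql_types : POLICY_VARCHAR,POLICY_INTEGER
  299. sql_expect : NULL,NULL
  300. </custom_item>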
  300.  
  301. #
  302. ## 9. Oracle Profile (User) Access Settings
  303. #
  304.  
  # 9.01: reports every user other than SYS, SYSTEM, OUTLN and MGMT_VIEW whose DEFAULT_TABLESPACE
  # is SYSTEM. Note the exclusion list is wider than the "Only SYS" wording in the info text.
  305. <custom_item>
  306. type : SQL_POLICY
  307. description : "9.01 Tablespaces - Do not have default_tablespace set to SYSTEM for user accounts"
  308. info : "Only SYS should have a default tablespace of SYSTEM. This prevents administrative users from altering system objects."
  309. info : "Note it may be difficult or impossible to move some objects."
  310. reference : "LEVEL|1S"
  311. see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Benchmark_v2.01.pdf"
  312. solution : "Do not have default_tablespace set to SYSTEM for user accounts"
  313. sql_request : "select USERNAME from DBA_USERS where USERNAME not in ('SYS', 'SYSTEM', 'OUTLN', 'MGMT_VIEW') and DEFAULT_TABLESPACE = 'SYSTEM'"
  314. sql_types : POLICY_VARCHAR
  315. sql_expect : NULL
  316. </custom_item>
  317.  
  # 9.02: reports users in DBA_TS_QUOTAS with max_bytes = -1 (the value that view uses for an
  # unlimited quota), except OLAPSYS, WK_TEST and SYSMAN.
  318. <custom_item>
  319. type : SQL_POLICY
  320. description : "9.02 Tablespaces - Ensure application users have not been granted quotas on tablespaces."
  321. info : "Set quotas for developers on shared production/development systems to prevent space resource contentions."
  322. reference : "LEVEL|1S"
  323. see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Benchmark_v2.01.pdf"
  324. solution : "Ensure application users have not been granted quotas on tablespaces"
  325. sql_request : "select username from DBA_TS_QUOTAS where max_bytes = '-1' and username not in ('OLAPSYS', 'WK_TEST', 'SYSMAN')"
  326. sql_types : POLICY_VARCHAR
  327. sql_expect : NULL
  328. </custom_item>
  329.  
  # 9.03: informational item — no query is run; it always reports as a WARNING and the last
  # info line states that manual verification is required.
  330. <report type: "WARNING">
  331. description : "9.03 Any dictionary object (Review access and revoke access where possible)"
  332. info : "Check for any user that has access to any dictionary object and revoke where possible."
  333. reference : "LEVEL|1R"
  334. see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Benchmark_v2.01.pdf"
  335. solution : "Review access and revoke access where possible"
  336. info : "NOTE: Nessus did not perform this check as it requires manual verification to determine what access is required for each user."
  337. </report>
  338.  
  # 9.04: reports any grantee other than SYS or DBA holding an object privilege on SYS.AUD$;
  # per the info text this only matters when audit_trail is DB or TRUE (checked in 4.07).
  339. <custom_item>
  340. type : SQL_POLICY
  341. description : "9.04 Tables - Prevent access to SYS.AUD$"
  342. info : "Check for any user accounts that have access and revoke where possible."
  343. info : "This is only applicable if the audit trail parameter is set to DB or TRUE."
  344. reference : "LEVEL|1S"
  345. see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Benchmark_v2.01.pdf"
  346. solution : "Prevent access to SYS.AUD$"
  347. sql_request : "select GRANTEE from DBA_TAB_PRIVS where OWNER = 'SYS' and TABLE_NAME = 'AUD$' and GRANTEE not in ('SYS','DBA')"
  348. sql_types : POLICY_VARCHAR
  349. sql_expect : NULL
  350. </custom_item>
  351.  
  # 9.05: the description and solution say USERS_HISTORY$, but the query checks SYS.USER_HISTORY$
  # (the password-history table); grantees other than SYS and DBA are reported.
  352. <custom_item>
  353. type : SQL_POLICY
  354. description : "9.05 Tables (Prevent access to SYS.USERS_HISTORY$)"
  355. info : "Revoke access to this table from all users and roles except for SYS and DBA accounts."
  356. reference : "LEVEL|1S"
  357. see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Benchmark_v2.01.pdf"
  358. solution : "Prevent access to SYS.USERS_HISTORY$"
  359. sql_request : "select GRANTEE from DBA_TAB_PRIVS where OWNER = 'SYS' and TABLE_NAME = 'USER_HISTORY$' and GRANTEE not in ('SYS', 'DBA')"
  360. sql_types : POLICY_VARCHAR
  361. sql_expect : NULL
  362. </custom_item>
  363.  
  # 9.06: reports grantees other than SYS and DBA holding an object privilege on SYS.LINK$
  # (the table behind database-link definitions named in the info text of 4.02).
  365. <custom_item>
  366. type : SQL_POLICY
  367. description : "9.06 Tables (Prevent access to SYS.LINK$)"
  368. info : "Check for any user that has access and revoke where possible."
  369. reference : "LEVEL|1S"
  370. see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Benchmark_v2.01.pdf"
  371. solution : "Prevent access to SYS.LINK$"
  372. sql_request : "select GRANTEE from DBA_TAB_PRIVS where owner = 'SYS' and TABLE_NAME = 'LINK$' and grantee not in ('SYS', 'DBA')"
  373. sql_types : POLICY_VARCHAR
  374. sql_expect : NULL
  375. </custom_item>
  375.  
  # 9.07: reports grantees holding an object privilege on SYS.USER$, excluding CTXSYS, SYS, DBA,
  # OLAPSYS, XDB and WKSYS (a wider exclusion list than the SYS/DBA pair used by 9.04–9.06).
  377. <custom_item>
  378. type : SQL_POLICY
  379. description : "9.07 Tables (Prevent access to SYS.USER$)"
  380. info : "Check for any user that has access and revoke where possible."
  381. reference : "LEVEL|1S"
  382. see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Benchmark_v2.01.pdf"
  383. solution : "Prevent access to SYS.USER$"
  384. sql_request : "select GRANTEE from DBA_TAB_PRIVS where OWNER = 'SYS' and TABLE_NAME = 'USER$' and grantee not in ('CTXSYS', 'SYS', 'DBA', 'OLAPSYS', 'XDB', 'WKSYS')"
  385. sql_types : POLICY_VARCHAR
  386. sql_expect : NULL
  387. </custom_item>
  387.  
  # 9.08: the description and solution say SOURCES$, but the query checks SYS.SOURCE$;
  # grantees other than SYS and DBA are reported.
  389. <custom_item>
  390. type : SQL_POLICY
  391. description : "9.08 Tables (Prevent access to SYS.SOURCES$)"
  392. info : "Check for any user accounts that have access and revoke where possible."
  393. reference : "LEVEL|1S"
  394. see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Benchmark_v2.01.pdf"
  395. solution : "Prevent access to SYS.SOURCES$"
  396. sql_request : "select GRANTEE from DBA_TAB_PRIVS where OWNER = 'SYS' and TABLE_NAME = 'SOURCE$' and grantee not in ('SYS', 'DBA')"
  397. sql_types : POLICY_VARCHAR
  398. sql_expect : NULL
  399. </custom_item>
  399.  
  # 9.09: "PREFSTAT" in the description and solution is a misspelling of PERFSTAT (as written
  # in 9.10). Unlike 9.04–9.08 this query filters neither OWNER nor GRANTEE, so every grant on
  # any table named STATS$SQLTEXT is reported, whoever holds it.
  401. <custom_item>
  402. type : SQL_POLICY
  403. description : "9.09 Tables (Prevent access to PREFSTAT.STATS$SQLTEXT)"
  404. info : "Check for any user that has access and revoke where possible."
  405. reference : "LEVEL|1S"
  406. see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Benchmark_v2.01.pdf"
  407. solution : "Prevent access to PREFSTAT.STATS$SQLTEXT"
  408. sql_request : "select GRANTEE from DBA_TAB_PRIVS where TABLE_NAME = 'STATS$SQLTEXT'"
  409. sql_types : POLICY_VARCHAR
  410. sql_expect : NULL
  411. </custom_item>
  411.  
  # 9.10: like 9.09, this query filters neither OWNER nor GRANTEE, so every grant on any table
  # named STATS$SQL_SUMMARY is reported, whoever holds it.
  413. <custom_item>
  414. type : SQL_POLICY
  415. description : "9.10 Tables (Prevent access to PERFSTAT.STATS$SQL_SUMMARY)"
  416. info : "Check for any user that has access and revoke where possible."
  417. reference : "LEVEL|1S"
  418. see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Benchmark_v2.01.pdf"
  419. solution : "Prevent access to PERFSTAT.STATS$SQL_SUMMARY"
  420. sql_request : "select GRANTEE from DBA_TAB_PRIVS where TABLE_NAME = 'STATS$SQL_SUMMARY'"
  421. sql_types : POLICY_VARCHAR
  422. sql_expect : NULL
  423. </custom_item>
  423.  
  # 9.11: in LIKE, '_' matches any single character, so 'X$_%' matches SYS objects whose name
  # begins with X$ followed by at least one more character; grantees other than SYS and DBA
  # are reported.
  425. <custom_item>
  426. type : SQL_POLICY
  427. description : "9.11 Tables (Prevent access to X$ table)"
  428. info : "Check for any user that has access and revoke where possible."
  429. reference : "LEVEL|1S"
  430. see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Benchmark_v2.01.pdf"
  431. solution : "Prevent access to X$ table"
  432. sql_request : "select GRANTEE from DBA_TAB_PRIVS where OWNER = 'SYS' and table_name like 'X$_%' and grantee not in ('SYS', 'DBA')"
  433. sql_types : POLICY_VARCHAR
  434. sql_expect : NULL
  435. </custom_item>
  435.  
  # 9.12: reports each distinct grantee, outside the listed default accounts and roles, holding an
  # object privilege on a SYS object matching 'DBA_%' ('_' is a single-character wildcard in LIKE,
  # so DBA followed by any character matches).
  437. <custom_item>
  438. type : SQL_POLICY
  439. description : "9.12 Views (Prevent access to any DBA_ views)"
  440. info : "Check for any user that has access and revoke where possible."
  441. reference : "LEVEL|1S"
  442. see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Benchmark_v2.01.pdf"
  443. solution : "Prevent access to any DBA_ views"
  444. sql_request : "select distinct GRANTEE from DBA_TAB_PRIVS where OWNER = 'SYS' and table_name LIKE 'DBA_%' and grantee not in ('AQ_ADMINISTRATOR_ROLE', 'SYS', 'DBA', 'WKSYS','MDSYS', 'CTXSYS', 'OLAPSYS', 'OWBSYS', 'OWB$CLIENT', 'XDBADMIN', 'SELECT_CATALOG_ROLE')"
  445. sql_types : POLICY_VARCHAR
  446. sql_expect : NULL
  447. </custom_item>
  447.  
  # 9.13: reports each distinct grantee, outside the listed default accounts and roles, holding an
  # object privilege on a SYS object whose name begins with V$.
  449. <custom_item>
  450. type : SQL_POLICY
  451. description : "9.13 Views (Prevent access to v$ views)"
  452. info : "Check for any user that has access and revoke where possible."
  453. reference : "LEVEL|1S"
  454. see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Benchmark_v2.01.pdf"
  455. solution : "Prevent access to v$ views"
  456. sql_request : "select distinct GRANTEE from DBA_TAB_PRIVS where OWNER = 'SYS' and table_name like 'V$%' and grantee not in ('AQ_ADMINISTRATOR_ROLE', 'SYS', 'DBA', 'WKSYS', 'CTXSYS', 'OLAPSYS', 'OWBSYS', 'OWB$CLIENT', 'SELECT_CATALOG_ROLE')"
  457. sql_types : POLICY_VARCHAR
  458. sql_expect : NULL
  459. </custom_item>
  459.  
  # 9.14: only SYS is excluded here, so every other grantee with an object privilege on
  # SYS.ALL_SOURCE (DBA included) is reported.
  461. <custom_item>
  462. type : SQL_POLICY
  463. description : "9.14 Views (Prevent access to ALL_SOURCE)"
  464. info : "Check for any user that has access and revoke where possible."
  465. reference : "LEVEL|1S"
  466. see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Benchmark_v2.01.pdf"
  467. solution : "Prevent access to ALL_SOURCE"
  468. sql_request : "select GRANTEE from DBA_TAB_PRIVS where OWNER = 'SYS' and TABLE_NAME = 'ALL_SOURCE' and grantee not in ('SYS')"
  469. sql_types : POLICY_VARCHAR
  470. sql_expect : NULL
  471. </custom_item>
  471.  
  # 9.15: reports grantees other than SYS and DBA holding an object privilege on SYS.DBA_ROLES.
  473. <custom_item>
  474. type : SQL_POLICY
  475. description : "9.15 Views (Prevent access to DBA_ROLES)"
  476. info : "Allowing the user to alter the DBA_ROLES can result in privilege escalation or system instability."
  477. info : "Restrict access to this view to all users except SYS and DBAs."
  478. reference : "LEVEL|1S"
  479. see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Benchmark_v2.01.pdf"
  480. solution : "Prevent access to DBA_ROLES"
  481. sql_request : "select GRANTEE from DBA_TAB_PRIVS where OWNER = 'SYS' and TABLE_NAME = 'DBA_ROLES' and grantee not in ('SYS', 'DBA')"
  482. sql_types : POLICY_VARCHAR
  483. sql_expect : NULL
  484. </custom_item>
  484.  
  # 9.16: reports grantees other than SYS and DBA holding an object privilege on SYS.DBA_SYS_PRIVS.
  486. <custom_item>
  487. type : SQL_POLICY
  488. description : "9.16 Views (Prevent access to DBA_SYS_PRIVS)"
  489. info : "Restrict access to this view to all users except SYS and DBAs."
  490. reference : "LEVEL|1S"
  491. see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Benchmark_v2.01.pdf"
  492. solution : "Prevent access to DBA_SYS_PRIVS"
  493. sql_request : "select GRANTEE from DBA_TAB_PRIVS where OWNER = 'SYS' and TABLE_NAME = 'DBA_SYS_PRIVS' and grantee not in ('SYS', 'DBA')"
  494. sql_types : POLICY_VARCHAR
  495. sql_expect : NULL
  496. </custom_item>
  496.  
  # 9.17: reports grantees other than SYS and DBA holding an object privilege on SYS.DBA_ROLE_PRIVS.
  498. <custom_item>
  499. type : SQL_POLICY
  500. description : "9.17 Views (Prevent access to DBA_ROLE_PRIVS)"
  501. info : "Restrict access to this view to all users except SYS and DBAs."
  502. reference : "LEVEL|1S"
  503. see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Benchmark_v2.01.pdf"
  504. solution : "Prevent access to DBA_ROLE_PRIVS"
  505. sql_request : "select GRANTEE from DBA_TAB_PRIVS where OWNER = 'SYS' and TABLE_NAME = 'DBA_ROLE_PRIVS' and grantee not in ('SYS', 'DBA')"
  506. sql_types : POLICY_VARCHAR
  507. sql_expect : NULL
  508. </custom_item>
  508.  
  # 9.18: reports grantees other than SYS and DBA holding an object privilege on SYS.DBA_TAB_PRIVS
  # (the same view the query itself reads).
  510. <custom_item>
  511. type : SQL_POLICY
  512. description : "9.18 Views (Prevent access to DBA_TAB_PRIVS)"
  513. info : "Restrict access to this view to all users except SYS and DBAs."
  514. reference : "LEVEL|1S"
  515. see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Benchmark_v2.01.pdf"
  516. solution : "Prevent access to DBA_TAB_PRIVS"
  517. sql_request : "select GRANTEE from DBA_TAB_PRIVS where OWNER = 'SYS' and TABLE_NAME = 'DBA_TAB_PRIVS' and grantee not in ('SYS', 'DBA')"
  518. sql_types : POLICY_VARCHAR
  519. sql_expect : NULL
  520. </custom_item>
  520.  
  # 9.19: reports grantees other than SYS and DBA holding an object privilege on SYS.DBA_USERS.
  522. <custom_item>
  523. type : SQL_POLICY
  524. description : "9.19 Views (Prevent access to DBA_USERS)"
  525. info : "Restrict access to this view to all users except SYS and DBAs."
  526. reference : "LEVEL|1S"
  527. see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Benchmark_v2.01.pdf"
  528. solution : "Prevent access to DBA_USERS"
  529. sql_request : "select GRANTEE from DBA_TAB_PRIVS where OWNER = 'SYS' and TABLE_NAME = 'DBA_USERS' and grantee not in ('SYS', 'DBA')"
  530. sql_types : POLICY_VARCHAR
  531. sql_expect : NULL
  532. </custom_item>
  532.  
  # 9.20: reports grantees other than SYS and DBA holding an object privilege on SYS.ROLE_ROLE_PRIVS.
  534. <custom_item>
  535. type : SQL_POLICY
  536. description : "9.20 Views (Prevent access to ROLE_ROLE_PRIVS)"
  537. info : "Restrict access to this view to all users except SYS and DBAs."
  538. reference : "LEVEL|1S"
  539. see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Benchmark_v2.01.pdf"
  540. solution : "Prevent access to ROLE_ROLE_PRIVS"
  541. sql_request : "select GRANTEE from DBA_TAB_PRIVS where OWNER = 'SYS' and TABLE_NAME = 'ROLE_ROLE_PRIVS' and grantee not in ('SYS', 'DBA')"
  542. sql_types : POLICY_VARCHAR
  543. sql_expect : NULL
  544. </custom_item>
  544.  
  # 9.21: reports grantees other than SYS and DBA holding an object privilege on SYS.USER_TAB_PRIVS.
  546. <custom_item>
  547. type : SQL_POLICY
  548. description : "9.21 Views (Prevent access to USER_TAB_PRIVS)"
  549. info : "Restrict access to this view to all users except SYS and DBAs."
  550. reference : "LEVEL|1S"
  551. see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Benchmark_v2.01.pdf"
  552. solution : "Prevent access to USER_TAB_PRIVS"
  553. sql_request : "select GRANTEE from DBA_TAB_PRIVS where OWNER = 'SYS' and TABLE_NAME = 'USER_TAB_PRIVS' and grantee not in ('SYS', 'DBA')"
  554. sql_types : POLICY_VARCHAR
  555. sql_expect : NULL
  556. </custom_item>
  556.  
  # 9.22: reports grantees other than SYS and DBA holding an object privilege on SYS.USER_ROLE_PRIVS.
  558. <custom_item>
  559. type : SQL_POLICY
  560. description : "9.22 Views (Prevent access to USER_ROLE_PRIVS)"
  561. info : "Restrict access to this view to all users except SYS and DBAs."
  562. reference : "LEVEL|1S"
  563. see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Benchmark_v2.01.pdf"
  564. solution : "Prevent access to USER_ROLE_PRIVS"
  565. sql_request : "select GRANTEE from DBA_TAB_PRIVS where OWNER = 'SYS' and TABLE_NAME = 'USER_ROLE_PRIVS' and grantee not in ('SYS', 'DBA')"
  566. sql_types : POLICY_VARCHAR
  567. sql_expect : NULL
  568. </custom_item>
  568.  
  # 9.23: reads DBA_ROLE_PRIVS (role grants, not object grants) and reports grantees of any role
  # whose name contains _CATALOG_ (the info text names the four), outside the listed default
  # accounts and roles.
  570. <custom_item>
  571. type : SQL_POLICY
  572. description : "9.23 Roles (Prevent assignment of roles that have _CATALOG_)"
  573. info : "Revoke any catalog roles from those roles and users that do not need them."
  574. info : "These roles are SELECT_CATALOG_ROLE, EXECUTE_CATALOG_ROLE, DELETE_CATALOG_ROLE, and RECOVERY_CATALOG_OWNER."
  575. reference : "LEVEL|1S"
  576. see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Benchmark_v2.01.pdf"
  577. solution : "Prevent assignment of roles that have _CATALOG_"
  578. sql_request : "select GRANTEE from DBA_ROLE_PRIVS where GRANTED_ROLE like '%_CATALOG_%' and GRANTEE not in ( 'DBA','EXP_FULL_DATABASE', 'IMP_FULL_DATABASE', 'IX', 'MDSYS', 'OLAP_DBA', 'OLAP_USER', 'SH', 'SYS', 'WKUSER' )"
  579. sql_types : POLICY_VARCHAR
  580. sql_expect : NULL
  581. </custom_item>
  581.  
  582. <custom_item>
  # Reports each distinct grantee other than SYS or DBA holding an object privilege on any SYS-owned object named V$%.
  # Only direct grants on SYS objects are examined; sql_expect NULL means the item passes only on an empty result.
  583. type : SQL_POLICY
  584. description : "9.24 Synonyms (Prevent access to any V$ synonym)"
  585. info : "Check for any user that has access and revoke where possible."
  586. reference : "LEVEL|1R"
  587. see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Benchmark_v2.01.pdf"
  588. solution : "Prevent access to any V$ synonym"
  589. sql_request : "select distinct GRANTEE from DBA_TAB_PRIVS where OWNER = 'SYS' and table_name like 'V$%' and grantee not in ('SYS', 'DBA')"
  590. sql_types : POLICY_VARCHAR
  591. sql_expect : NULL
  592. </custom_item>
  593.  
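  594. <report type: "WARNING">
  # Manual item: always reported as WARNING, no query is run (see the second info line).
  # Fix: "actaully" -> "actually" in the reported info text.
  595. description : "9.25 Synonyms (When dropping synonyms, ensure privileges granted to the synonyms, if not required, are removed from the base object)"
  596. info : "Granting privileges to synonyms actually grants privileges to the base objects."
  597. reference : "LEVEL|1S"
  598. see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Benchmark_v2.01.pdf"
  599. solution : "When dropping synonyms, ensure privileges granted to the synonyms, if not required, are removed from the base object"
  600. info : "NOTE: Nessus did not perform this check as it requires manual verification to determine what synonyms are being used and if the base object's privileges have been removed."
  601. </report>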
  602.  
  603. <custom_item>
  # Reports every (grantee, privilege) pair in DBA_SYS_PRIVS other than CREATE SESSION, unless the grantee is one of the
  # hard-coded Oracle-supplied accounts/roles. Two result columns, hence two sql_types and two sql_expect entries.
  # Site-specific application schemas must be added to the exclusion list or they will be reported.
  604. type : SQL_POLICY
  605. description : "9.26 Privileges (Restrict system privileges)"
  606. info : "All system privileges except for CREATE SESSION must be restricted to DBAs, application object owner accounts/schemas,"
  607. info : "(locked accounts) and default Oracle accounts."
  608. info : "Developers may be granted limited system privileges as required on development databases."
  609. reference : "LEVEL|1S"
  610. see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Benchmark_v2.01.pdf"
  611. solution : "Restrict system privileges"
  612. sql_request : "select GRANTEE,PRIVILEGE from DBA_SYS_PRIVS where privilege != 'CREATE SESSION' and GRANTEE not in ('AQ_ADMINISTRATOR_ROLE', 'DBA', 'DBSNMP', 'EXFSYS','EXP_FULL_DATABASE', 'IMP_FULL_DATABASE', 'IX','JAVADEBUGPRIV', 'MDSYS', 'HR', 'OE', 'OEM_MONITOR', 'OLAPSYS', 'OLAP_DBA', 'ORDPLUGINS','ORDSYS', 'OUTLN','SCHEDULER_ADMIN', 'SYS', 'SYSMAN', 'SYSTEM', 'WKSYS', 'BI', 'CTXSYS', 'DATAPUMP_EXP_FULL_DATABASE', 'FLOWS_0300000','OLAP_USER', 'OWBSYS', 'XDB', 'WMSYS', 'WKUSER', 'TSMSYS' ) order by GRANTEE"
  613. sql_types : POLICY_VARCHAR,POLICY_VARCHAR
  614. sql_expect : NULL,NULL
  615. </custom_item>
  616.  
  617. <custom_item>
  # Reports grantees of any system privilege whose name contains ANY (e.g. SELECT ANY TABLE), excluding the listed
  # Oracle-supplied accounts/roles. Direct grants only; ANY privileges reached through a custom role are not resolved.
  # sql_expect NULL: passes only when no rows come back.
  618. type : SQL_POLICY
  619. description : "9.27 Privileges (Prevent granting of privileges that contain the keyword ANY)"
  620. info : "The ANY keyword grants the ability for the user to set privileges for the entire catalogue of objects in the database."
  621. reference : "LEVEL|1S"
  622. see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Benchmark_v2.01.pdf"
  623. solution : "Prevent granting of privileges that contain the keyword ANY"
  624. sql_request : "select GRANTEE from DBA_SYS_PRIVS where privilege like '%ANY%' and GRANTEE not in ('AQ_ADMINISTRATOR_ROLE', 'DATAPUMP_IMP_FULL_DATABASE', 'DBA','DBSNMP', 'EXFSYS', 'EXP_FULL_DATABASE', 'IMP_FULL_DATABASE', 'IX','JAVADEBUGPRIV', 'MDSYS', 'ORACLE_OCM', 'OEM_MONITOR', 'OLAPSYS','OLAP_DBA','ORDPLUGINS', 'ORDSYS', 'OUTLN', 'OWBSYS','SCHEDULER_ADMIN', 'SPATIAL_WFS_ADMIN_USR', 'SPATIAL_CSW_ADMIN_USR', 'SYS','SYSMAN','SYSTEM', 'WKSYS', 'WMSYS' )"
  625. sql_types : POLICY_VARCHAR
  626. sql_expect : NULL
  627. </custom_item>
  628.  
  629. <custom_item>
  # "GRANT ALL PRIVILEGES" is not itself a row in DBA_SYS_PRIVS; the query tests for the GRANT ANY PRIVILEGE system
  # privilege instead, with no exclusion list, so even SYS/DBA holders are reported (LEVEL|1S).
  # sql_expect NULL: passes only when no rows come back.
  630. type : SQL_POLICY
  631. description : "9.28 Privileges - Prevent granting of all privileges"
  632. info : "The GRANT ALL PRIVILEGES must not be used."
  633. reference : "LEVEL|1S"
  634. see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Benchmark_v2.01.pdf"
  635. solution : "Prevent granting of all privileges"
  636. sql_request : "select GRANTEE from DBA_SYS_PRIVS where PRIVILEGE = 'GRANT ANY PRIVILEGE'"
  637. sql_types : POLICY_VARCHAR
  638. sql_expect : NULL
  639. </custom_item>
  640.  
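  641. <custom_item>
  # Reports every grantee of EXEMPT ACCESS POLICY (bypasses VPD/row-level security), with no exclusion list.
  # sql_expect NULL: passes only when no rows come back.
  # Fix: missing space after the sentence break in the first info line ("necessary.The").
  642. type : SQL_POLICY
  643. description : "9.29 Privileges (Prevent granting of EXEMPT ACCESS POLICY(EAP))"
  644. info : "Revoke this privilege if not necessary. The EAP privilege provides access to all rows"
  645. info : "regardless of Row Level Security assigned to specific rows."
  646. reference : "LEVEL|1S"
  647. see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Benchmark_v2.01.pdf"
  648. solution : "Prevent granting of EXEMPT ACCESS POLICY(EAP)"
  649. sql_request : "select GRANTEE from DBA_SYS_PRIVS where PRIVILEGE = 'EXEMPT ACCESS POLICY'"
  650. sql_types : POLICY_VARCHAR
  651. sql_expect : NULL
  652. </custom_item>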
  653.  
  654. <custom_item>
  # Reports (grantee, privilege) pairs where a system privilege was granted WITH ADMIN OPTION, excluding the listed
  # Oracle-supplied accounts/roles. Two result columns, hence paired sql_types/sql_expect.
  655. type : SQL_POLICY
  656. description : "9.30 Privileges (Prevent granting of privileges that have WITH ADMIN)"
  657. info : "Check for any user or role that has been granted privileges WITH ADMIN and revoke where possible."
  658. info : "The WITH ADMIN privilege allows a user to grant the same privileges they possess."
  659. reference : "LEVEL|1S"
  660. see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Benchmark_v2.01.pdf"
  661. solution : "Prevent granting of privileges that have WITH ADMIN"
  662. sql_request : "select GRANTEE,PRIVILEGE from DBA_SYS_PRIVS where ADMIN_OPTION = 'YES' and GRANTEE not in ('AQ_ADMINISTRATOR_ROLE','DBA', 'SCHEDULER_ADMIN', 'SYS', 'SYSTEM','OWBSYS', 'WMSYS' )"
  663. sql_types : POLICY_VARCHAR,POLICY_VARCHAR
  664. sql_expect : NULL,NULL
  665. </custom_item>
  666.  
  667. <custom_item>
  # Object-privilege counterpart of 9.30: reports (grantee, privilege) pairs in DBA_TAB_PRIVS granted WITH GRANT OPTION,
  # excluding the listed Oracle-supplied accounts. PUBLIC is in the exclusion list, so grantable PUBLIC grants are not reported here.
  668. type : SQL_POLICY
  669. description : "9.31 Privileges (Prevent granting of privileges that have WITH GRANT)"
  670. info : "Check for any user or role that has been granted privileges WITH GRANT and revoke where possible."
  671. info : "The WITH GRANT privilege allows a user to grant the same privilege to other users."
  672. reference : "LEVEL|1S"
  673. see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Benchmark_v2.01.pdf"
  674. solution : "Prevent granting of privileges that have WITH GRANT"
  675. sql_request : "select GRANTEE,PRIVILEGE from DBA_TAB_PRIVS where GRANTABLE = 'YES' and GRANTEE not in ( 'CTXSYS', 'MDSYS', 'OLAPSYS', 'ORDSYS', 'PUBLIC', 'SYS', 'SYSMAN', 'SYSTEM', 'WMSYS', 'OWBSYS', 'OE')"
  676. sql_types : POLICY_VARCHAR,POLICY_VARCHAR
  677. sql_expect : NULL,NULL
  678. </custom_item>
  679.  
  680. <custom_item>
  # Reports (grantee, privilege) pairs for every system privilege starting with CREATE (CREATE SESSION included),
  # excluding the listed Oracle-supplied accounts/roles. Application schemas that legitimately create objects must be
  # added to the exclusion list or they will be reported.
  681. type : SQL_POLICY
  682. description : "9.32 Privileges (Prevent granting of privileges that have CREATE)"
  683. info : "Check for any user that has object creation privileges and revoke where possible."
  684. reference : "LEVEL|1S"
  685. see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Benchmark_v2.01.pdf"
  686. solution : "Prevent granting of privileges that have CREATE"
  687. sql_request : "select GRANTEE,PRIVILEGE from DBA_SYS_PRIVS where privilege like 'CREATE%' and GRANTEE not in ( 'ANONYMOUS','AQ_ADMINISTRATOR_ROLE', 'CONNECT', 'CTXSYS', 'DBA','DIP','DMSYS', 'EXFSYS', 'IMP_FULL_DATABASE', 'IX','MDSYS', 'MGMT_USER', 'OE', 'OEM_MONITOR', 'OLAPSYS', 'OLAP_DBA', 'OLAP_USER', 'ORDPLUGINS','ORDSYS', 'OWBSYS', 'OWB$CLIENT','RECOVERY_CATALOG_OWNER', 'RESOURCE', 'SCHEDULER_ADMIN', 'SH', 'SPATIAL_CSW_ADMIN_USR','SPATIAL_WFS_ADMIN_USR', 'SYS', 'SYSMAN', 'SYSTEM', 'WKPROXY', 'WKSYS','WKUSER', 'WMSYS', 'XDB' )"
  688. sql_types : POLICY_VARCHAR,POLICY_VARCHAR
  689. sql_expect : NULL,NULL
  690. </custom_item>
  691.  
  692. <custom_item>
  # Reports grantees of CREATE LIBRARY (lets a user register external procedures) other than the listed
  # Oracle-supplied accounts/roles. sql_expect NULL: passes only when no rows come back.
  693. type : SQL_POLICY
  694. description : "9.33 Privileges (Prevent granting of CREATE LIBRARY)"
  695. info : "Check for any user or role that has this privilege and revoke where possible."
  696. reference : "LEVEL|1S"
  697. see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Benchmark_v2.01.pdf"
  698. solution : "Prevent granting of CREATE LIBRARY"
  699. sql_request : "select GRANTEE from DBA_SYS_PRIVS where privilege = 'CREATE LIBRARY' and GRANTEE not in ( 'DBA', 'EXFSYS', 'MDSYS', 'OLAPSYS', 'ORDPLUGINS', 'ORDSYS', 'SPATIAL_CSW_ADMIN_USR', 'SPATIAL_WFS_ADMIN_USR', 'SYS', 'WKSYS', 'XDB' )"
  700. sql_types : POLICY_VARCHAR
  701. sql_expect : NULL
  702. </custom_item>
  703.  
  704. <custom_item>
  # Reports grantees of ALTER SYSTEM other than DBA, DMSYS, SYS and WKSYS.
  # sql_expect NULL: passes only when no rows come back.
  705. type : SQL_POLICY
  706. description : "9.34 Privileges (Prevent granting of ALTER SYSTEM)"
  707. info : "Check for any user or role that has this privilege and revoke where possible."
  708. reference : "LEVEL|1S"
  709. see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Benchmark_v2.01.pdf"
  710. solution : "Prevent granting of ALTER SYSTEM"
  711. sql_request : "select GRANTEE from DBA_SYS_PRIVS where privilege = 'ALTER SYSTEM' and GRANTEE not in ('DBA', 'DMSYS', 'SYS', 'WKSYS' )"
  712. sql_types : POLICY_VARCHAR
  713. sql_expect : NULL
  714. </custom_item>
  715.  
  716. <custom_item>
  # Reports grantees of CREATE PROCEDURE other than the listed Oracle-supplied accounts/roles (RESOURCE is excluded,
  # so users holding it via that role are not reported here; 9.41 covers RESOURCE itself).
  # sql_expect NULL: passes only when no rows come back.
  717. type : SQL_POLICY
  718. description : "9.35 Privileges (Prevent granting of CREATE PROCEDURE)"
  719. info : "Check for any user or role that has this privilege and revoke where possible."
  720. reference : "LEVEL|1S"
  721. see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Benchmark_v2.01.pdf"
  722. solution : "Prevent granting of CREATE PROCEDURE"
  723. sql_request : "select GRANTEE from DBA_SYS_PRIVS where privilege = 'CREATE PROCEDURE' and GRANTEE not in ( 'DBA','DMSYS', 'IX', 'MDSYS', 'OLAPSYS', 'OLAP_USER', 'ORDPLUGINS', 'ORDSYS', 'OWBSYS', 'RECOVERY_CATALOG_OWNER', 'RESOURCE', 'SYS', 'WKSYS' )"
  724. sql_types : POLICY_VARCHAR
  725. sql_expect : NULL
  726. </custom_item>
  727.  
  728. <custom_item>
  # Reports grantees of BECOME USER (needed for full import, which is why IMP_FULL_DATABASE is excluded)
  # other than DBA, IMP_FULL_DATABASE, SYS and WKSYS. sql_expect NULL: passes only when no rows come back.
  729. type : SQL_POLICY
  730. description : "9.36 Privileges (Prevent granting of BECOME USER)"
  731. info : "Check for any user or role that has this privilege and revoke where possible."
  732. reference : "LEVEL|1S"
  733. see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Benchmark_v2.01.pdf"
  734. solution : "Prevent granting of BECOME USER"
  735. sql_request : "select GRANTEE from DBA_SYS_PRIVS where privilege = 'BECOME USER' and GRANTEE not in ( 'DBA', 'IMP_FULL_DATABASE', 'SYS', 'WKSYS' )"
  736. sql_types : POLICY_VARCHAR
  737. sql_expect : NULL
  738. </custom_item>
  739.  
  740. <custom_item>
  # Reports grantees of SELECT ANY TABLE other than the listed Oracle-supplied accounts/roles. DBA is excluded here,
  # although the second info line suggests revoking it from DBA accounts too when data is sensitive.
  # sql_expect NULL: passes only when no rows come back.
  741. type : SQL_POLICY
  742. description : "9.37 Privileges (Prevent granting of SELECT ANY TABLE)"
  743. info : "Check for any user that has access and revoke where possible."
  744. info : "If application data is sensitive, and it is possible, revoke this privilege from the DBA accounts as well."
  745. reference : "LEVEL|1S"
  746. see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Benchmark_v2.01.pdf"
  747. solution : "Prevent granting of SELECT ANY TABLE"
  748. sql_request : "select GRANTEE from DBA_SYS_PRIVS where privilege = 'SELECT ANY TABLE' and GRANTEE not in ('DBA','EXP_FULL_DATABASE', 'IMP_FULL_DATABASE', 'MDSYS', 'OLAPSYS', 'OLAP_DBA', 'SYS', 'SYSTEM', 'WKSYS', 'WMSYS' )"
  749. sql_types : POLICY_VARCHAR
  750. sql_expect : NULL
  751. </custom_item>
  752.  
  753. <custom_item>
  # Reports grantees of AUDIT SYSTEM (can alter or disable auditing) other than the listed Oracle-supplied accounts/roles.
  # sql_expect NULL: passes only when no rows come back.
  754. type : SQL_POLICY
  755. description : "9.38 Privileges (Prevent granting of AUDIT SYSTEM)"
  756. info : "Review which users have audit system privileges and limit as much as possible to ensure audit commands are not revoked."
  757. reference : "LEVEL|1S"
  758. see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Benchmark_v2.01.pdf"
  759. solution : "Prevent granting of AUDIT SYSTEM"
  760. sql_request : "select GRANTEE from DBA_SYS_PRIVS where privilege = 'AUDIT SYSTEM' and GRANTEE not in ('DBA', 'SYS', 'WKSYS', 'IMP_FULL_DATABASE', 'DATAPUMP_IMP_FULL_DATABASE' )"
  761. sql_types : POLICY_VARCHAR
  762. sql_expect : NULL
  763. </custom_item>
  764.  
  765. <custom_item>
  # Reports each user (grantee present in DBA_USERS, i.e. not a role) that holds any role directly, excluding the listed
  # Oracle-supplied accounts. Despite the description, the query looks at role grants (DBA_ROLE_PRIVS), not privilege grants.
  # sql_expect NULL: passes only when no rows come back.
  766. type : SQL_POLICY
  767. description : "9.39 Privileges (Grant privileges only to roles)"
  768. info : "Grant privileges only to roles. Do not grant privileges to individual users."
  769. reference : "LEVEL|1S"
  770. see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Benchmark_v2.01.pdf"
  771. solution : "Grant privileges only to roles"
  772. sql_request : "select distinct GRANTEE from DBA_ROLE_PRIVS where GRANTEE in (select USERNAME from DBA_USERS) and GRANTEE not in ( 'BI', 'CTXSYS', 'DBSNMP', 'DIP', 'DMSYS', 'EXFSYS', 'HR', 'IX','MDDATA', 'MDSYS', 'MGMT_VIEW', 'OE', 'OLAPSYS', 'ORDPLUGINS', 'ORDSYS', 'OUTLN', 'OWBSYS', 'PM', 'SH', 'SI_INFORMTN_SCHEMA', 'SPATIAL_CSW_ADMIN_USR', 'SPATIAL_WFS_ADMIN_USR', 'SYS', 'SYSMAN', 'TSMSYS', 'WKSYS', 'WK_TEST', 'WMSYS', 'XDB' )"
  773. sql_types : POLICY_VARCHAR
  774. sql_expect : NULL
  775. </custom_item>
  776.  
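  777. <custom_item>
  # Reports every system privilege granted directly to PUBLIC.
  # Fix: the query returns two columns (GRANTEE, PRIVILEGE) but sql_types/sql_expect declared only one, unlike every
  # other two-column item in this file (e.g. 9.30); both are now paired. Also "pivileges" -> "privileges".
  778. type : SQL_POLICY
  779. description : "9.40 Privileges (Review privileges granted to PUBLIC)"
  780. info : "Review all privileges granted to PUBLIC. Limit or revoke unnecessary PUBLIC privileges."
  781. reference : "LEVEL|1R"
  782. see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Benchmark_v2.01.pdf"
  783. solution : "Review privileges granted to PUBLIC"
  784. sql_request : "select GRANTEE,PRIVILEGE from DBA_SYS_PRIVS where GRANTEE = 'PUBLIC'"
  785. sql_types : POLICY_VARCHAR,POLICY_VARCHAR
  786. sql_expect : NULL,NULL
  787. </custom_item>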
  788.  
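  789. <custom_item>
  # Reports users (not roles) that have been granted the RESOURCE role.
  # Fix: RESOURCE is a role, not a system privilege, so the original query against DBA_SYS_PRIVS.PRIVILEGE could never
  # return a row and the item always passed. The query now mirrors 9.42 and reads DBA_ROLE_PRIVS.GRANTED_ROLE.
  # Oracle-supplied or sample accounts that legitimately hold RESOURCE should be added to an exclusion list as in 9.42.
  790. type : SQL_POLICY
  791. description : "9.41 Roles (Prevent assignment of RESOURCE)"
  792. info : "Revoke the resource role from normal application user accounts."
  793. reference : "LEVEL|1S"
  794. see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Benchmark_v2.01.pdf"
  795. solution : "Prevent assignment of RESOURCE"
  796. sql_request : "select GRANTEE from DBA_ROLE_PRIVS where GRANTED_ROLE = 'RESOURCE' and GRANTEE not in ( select ROLE from DBA_ROLES )"
  797. sql_types : POLICY_VARCHAR
  798. sql_expect : NULL
  799. </custom_item>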
  800.  
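  801. <custom_item>
  # Reports users (grantees that are not roles) holding the CONNECT role, other than SYS, SYSTEM and CTXSYS.
  # Fix: dropped the trailing ";" inside sql_request; no other query in this file carries one, and a statement
  # terminator inside the SQL text can be rejected by the database client. Description punctuation aligned with
  # the "(…)" form used by the neighbouring items.
  802. type : SQL_POLICY
  803. description : "9.42 Roles (Prevent assignment of CONNECT)"
  804. info : "Revoke the connect role from normal application user accounts."
  805. reference : "LEVEL|1S"
  806. see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Benchmark_v2.01.pdf"
  807. solution : "Prevent assignment of CONNECT"
  808. sql_request : "select GRANTEE from DBA_ROLE_PRIVS where GRANTED_ROLE = 'CONNECT' AND GRANTEE NOT IN ( SELECT ROLE FROM DBA_ROLES ) and GRANTEE not in ( 'SYS','SYSTEM','CTXSYS' )"
  809. sql_types : POLICY_VARCHAR
  810. sql_expect : NULL
  811. </custom_item>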
  812.  
  813. <custom_item>
  # Reports users (grantees present in DBA_USERS) that hold the DBA role, other than SYS, SYSMAN and SYSTEM.
  # Roles that have DBA granted to them are not reported, so DBA reached through a nested role is not detected here.
  # sql_expect NULL: passes only when no rows come back.
  814. type : SQL_POLICY
  815. description : "9.43 Roles (Prevent assignment of DBA)"
  816. info : "Assigning the DBA role to users provides unnecessary access and control of the Oracle database."
  817. info : "Revoke dba role from users who do not require it."
  818. reference : "LEVEL|1R"
  819. see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Benchmark_v2.01.pdf"
  820. solution : "Prevent assignment of DBA"
  821. sql_request : "select GRANTEE from DBA_ROLE_PRIVS where GRANTED_ROLE='DBA' and GRANTEE in (select USERNAME from DBA_USERS) and GRANTEE not in ('SYS', 'SYSMAN', 'SYSTEM')"
  822. sql_types : POLICY_VARCHAR
  823. sql_expect : NULL
  824. </custom_item>
  825.  
  826. <custom_item>
  # Reports any object privilege on SYS.UTL_FILE granted to PUBLIC. Only the PUBLIC grant is checked; grants to
  # individual users or roles are out of scope of this item. Two result columns, hence paired sql_types/sql_expect.
  827. type : SQL_POLICY
  828. description : "9.44 Packages (Deny access to UTL_FILE)"
  829. info : "Review the ACL for usage of the UTL_FILE package. Revoke the public execute privilege on UTL_FILE as it can be used to access O/S."
  830. reference : "LEVEL|1S"
  831. see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Benchmark_v2.01.pdf"
  832. solution : "Deny access to UTL_FILE"
  833. sql_request : "select GRANTEE,PRIVILEGE from DBA_TAB_PRIVS where OWNER = 'SYS' and TABLE_NAME = 'UTL_FILE' and GRANTEE = 'PUBLIC'"
  834. sql_types : POLICY_VARCHAR,POLICY_VARCHAR
  835. sql_expect : NULL,NULL
  836. </custom_item>
  837.  
  838. <custom_item>
  # Reports any object privilege on SYS.UTL_TCP granted to PUBLIC (same shape as 9.44; PUBLIC grant only).
  839. type : SQL_POLICY
  840. description : "9.45 Packages (Deny access to UTL_TCP)"
  841. info : "Revoke the public execute privilege on UTL_TCP as it can write and read sockets."
  842. reference : "LEVEL|1S"
  843. see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Benchmark_v2.01.pdf"
  844. solution : "Deny access to UTL_TCP"
  845. sql_request : "select GRANTEE,PRIVILEGE from DBA_TAB_PRIVS where OWNER = 'SYS' and TABLE_NAME = 'UTL_TCP' and GRANTEE = 'PUBLIC'"
  846. sql_types : POLICY_VARCHAR,POLICY_VARCHAR
  847. sql_expect : NULL,NULL
  848. </custom_item>
  849.  
  850. <custom_item>
  # Reports any object privilege on SYS.UTL_HTTP granted to PUBLIC (same shape as 9.44; PUBLIC grant only).
  851. type : SQL_POLICY
  852. description : "9.46 Packages (Deny access to UTL_HTTP)"
  853. info : "Revoke the public execute privilege on UTL_HTTP as it can write content to a web browser."
  854. reference : "LEVEL|1S"
  855. see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Benchmark_v2.01.pdf"
  856. solution : "Deny access to UTL_HTTP"
  857. sql_request : "select GRANTEE,PRIVILEGE from DBA_TAB_PRIVS where OWNER = 'SYS' and TABLE_NAME = 'UTL_HTTP' and GRANTEE = 'PUBLIC'"
  858. sql_types : POLICY_VARCHAR,POLICY_VARCHAR
  859. sql_expect : NULL,NULL
  860. </custom_item>
  861.  
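  862. <custom_item>
  # Reports any object privilege on SYS.UTL_SMTP granted to PUBLIC (same shape as 9.44; PUBLIC grant only).
  # Fix: the first info line ran two sentences together ("packageRevoke"); a sentence break was inserted.
  863. type : SQL_POLICY
  864. description : "9.47 Packages (ACL or Deny access to UTL_SMTP)"
  865. info : "Review the ACL for usage of the UTL_SMTP package. Revoke the public execute privilege"
  866. info : "on UTL_SMTP as it can send mail from the database server."
  867. reference : "LEVEL|1S"
  868. see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Benchmark_v2.01.pdf"
  869. solution : "ACL or Deny access to UTL_SMTP"
  870. sql_request : "select GRANTEE,PRIVILEGE from DBA_TAB_PRIVS where OWNER = 'SYS' and TABLE_NAME = 'UTL_SMTP' and GRANTEE = 'PUBLIC'"
  871. sql_types : POLICY_VARCHAR,POLICY_VARCHAR
  872. sql_expect : NULL,NULL
  873. </custom_item>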
  874.  
  875. <custom_item>
  # Reports any object privilege on SYS.DBMS_LOB granted to PUBLIC (same shape as 9.44; PUBLIC grant only).
  876. type : SQL_POLICY
  877. description : "9.48 Packages (Deny access to DBMS_LOB)"
  878. info : "Revoke the public execute privilege."
  879. reference : "LEVEL|1S"
  880. see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Benchmark_v2.01.pdf"
  881. solution : "Deny access to DBMS_LOB"
  882. sql_request : "select GRANTEE,PRIVILEGE from DBA_TAB_PRIVS where OWNER = 'SYS' and TABLE_NAME = 'DBMS_LOB' and GRANTEE = 'PUBLIC'"
  883. sql_types : POLICY_VARCHAR,POLICY_VARCHAR
  884. sql_expect : NULL,NULL
  885. </custom_item>
  886.  
  887. <custom_item>
  # Reports any object privilege on SYS.DBMS_SYS_SQL granted to PUBLIC (same shape as 9.44; PUBLIC grant only).
  888. type : SQL_POLICY
  889. description : "9.49 Packages (Deny access to DBMS_SYS_SQL)"
  890. info : "Revoke the public execute privilege."
  891. reference : "LEVEL|1S"
  892. see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Benchmark_v2.01.pdf"
  893. solution : "Deny access to DBMS_SYS_SQL"
  894. sql_request : "select GRANTEE,PRIVILEGE from DBA_TAB_PRIVS where OWNER = 'SYS' and TABLE_NAME = 'DBMS_SYS_SQL' and GRANTEE = 'PUBLIC'"
  895. sql_types : POLICY_VARCHAR,POLICY_VARCHAR
  896. sql_expect : NULL,NULL
  897. </custom_item>
  898.  
  899. <custom_item>
  # Reports any object privilege on SYS.DBMS_JOB granted to PUBLIC (same shape as 9.44; PUBLIC grant only).
  900. type : SQL_POLICY
  901. description : "9.50 Packages (Deny access to DBMS_JOB)"
  902. info : "Revoke the public execute privilege."
  903. reference : "LEVEL|1S"
  904. see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Benchmark_v2.01.pdf"
  905. solution : "Deny access to DBMS_JOB"
  906. sql_request : "select GRANTEE,PRIVILEGE from DBA_TAB_PRIVS where OWNER = 'SYS' and TABLE_NAME = 'DBMS_JOB' and GRANTEE = 'PUBLIC'"
  907. sql_types : POLICY_VARCHAR,POLICY_VARCHAR
  908. sql_expect : NULL,NULL
  909. </custom_item>
  910.  
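  911. <custom_item>
  # Reports any system privilege other than CREATE SESSION, and any role, held by an account that is allowed to
  # proxy for other users (the PROXY column of PROXY_USERS).
  # Fix: the original compared DBA_ROLE_PRIVS.GRANTED_ROLE against 'CREATE SESSION', which is a system privilege and
  # never a role name, so the predicate was always true and the query was a duplicate of 9.39 with no relation to proxy
  # accounts. The rewritten query scopes the check to proxy accounts and looks at both system privileges and roles;
  # it returns two columns, so sql_types/sql_expect are paired. Confirm PROXY_USERS matches the site's proxy setup.
  912. type : SQL_POLICY
  913. description : "9.51 Proxy Authentication (Limit the user schema privileges to CREATE SESSION only)"
  914. info : "The proxy account should only have the ability to connect to the database. No other privileges should be granted to this account."
  915. reference : "LEVEL|1S"
  916. see_also : "https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_Benchmark_v2.01.pdf"
  917. solution : "Limit the user schema privileges to CREATE SESSION only"
  918. sql_request : "select GRANTEE,PRIVILEGE from DBA_SYS_PRIVS where PRIVILEGE != 'CREATE SESSION' and GRANTEE in (select PROXY from PROXY_USERS) union select GRANTEE,GRANTED_ROLE from DBA_ROLE_PRIVS where GRANTEE in (select PROXY from PROXY_USERS)"
  919. sql_types : POLICY_VARCHAR,POLICY_VARCHAR
  920. sql_expect : NULL,NULL
  921. </custom_item>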
  922.  
  923.  
  924. </group_policy>
  925. </check_type>