Oracle Database Security Risk Assessment - Stefan's Blog
(PDF transcript; posted 06-Feb-2018, upload: trinhtuong)

Oracle Database Security Risk Assessment - Highly Confidential

Assessment Date & Time

Date of Data Collection    Date of Report             Reporter Version
------------------------   ------------------------   ---------------------------
Wed Feb 01 2017 22:18:00   Wed Feb 01 2017 22:22:18   1.0.2 (October 2016) - 7409

Database Identity

Name   Platform   Database Role   Log Mode   Created   Container Database   Container ID   Container Name
----   --------   -------------   --------   -------   ------------------   ------------   --------------

Basic Information

Database Version
Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production
Security options used: (none)

Security Features

Feature                                   Currently Used
---------------------------------------   --------------
AUTHORIZATION CONTROL
  Database Vault                          No
  Privilege Analysis                      No
DATA ENCRYPTION
  Column Encryption                       No
  Tablespace Encryption                   No
  Network Encryption                      No
FINE-GRAINED ACCESS CONTROL
  Data Redaction                          No
  Virtual Private Database                Yes
  Real Application Security               No
  Label Security                          No
  Transparent Sensitive Data Protection   No
AUDITING
  Traditional Audit                       Yes
  Fine Grained Audit                      No
  Unified Audit                           Yes
USER AUTHENTICATION
  External Authentication                 No
  Global Authentication                   No

Item                                            ID               Status             Result
----------------------------------------------  ---------------  -----------------  ------------------------------------------------------------
Patch Check                                     INFO.PATCH       Severe Risk        Latest Oracle Database PSU not found.

User Accounts

Item                                            ID               Status             Result
----------------------------------------------  ---------------  -----------------  ------------------------------------------------------------
User Accounts in SYSTEM or SYSAUX Tablespace    USER.TBLSPACE    Pass               No user uses SYSTEM or SYSAUX tablespace.
Sample Schemas                                  USER.SAMPLE      Pass               No sample schemas found.
Inactive Users                                  USER.INACTIVE    Some Risk          Found 2 unlocked users inactive for more than 30 days.

User Accounts

User Name   Status   Profile   Tablespace   Predefined   Type
---------   ------   -------   ----------   ----------   --------
DBSNMP      OPEN     DEFAULT   SYSAUX       Yes          PASSWORD
SYS         OPEN     DEFAULT   SYSTEM       Yes          PASSWORD
SYSTEM      OPEN     DEFAULT   SYSTEM       Yes          PASSWORD

Case-Sensitive Passwords                        USER.CASE        Pass               Case-sensitive passwords are used.
Users with Expired Passwords                    USER.EXPIRED     Pass               No unlocked users with password expired for more than 30 days found.
Users with Default Passwords                    USER.DEFPWD      Severe Risk        Found 1 unlocked user account with default password.
Minimum Client Authentication Version           USER.AUTH VERS   Some Risk          Minimum client version is not configured correctly.

Password Verifiers                              USER.VERIFIER    Pass               All user accounts support the latest password version. No user accounts have HTTP verifiers.
Users with Unlimited Password Lifetime          USER.NOEXPIRE    Pass               Password expiration is configured for all users.

User Profiles

Profile Name       Resource                   Value
----------------   ------------------------   -----------------------------
DEFAULT            (Number of Users)          3
DEFAULT            CONNECT_TIME               UNLIMITED
DEFAULT            FAILED_LOGIN_ATTEMPTS      10
DEFAULT            IDLE_TIME                  UNLIMITED
DEFAULT            PASSWORD_GRACE_TIME        7
DEFAULT            PASSWORD_LIFE_TIME         180
DEFAULT            PASSWORD_LOCK_TIME         1
DEFAULT            PASSWORD_REUSE_MAX         UNLIMITED
DEFAULT            PASSWORD_REUSE_TIME        UNLIMITED
DEFAULT            PASSWORD_VERIFY_FUNCTION   NULL
ORA_STIG_PROFILE   (Number of Users)          0
ORA_STIG_PROFILE   CONNECT_TIME               UNLIMITED (DEFAULT)
ORA_STIG_PROFILE   FAILED_LOGIN_ATTEMPTS      3
ORA_STIG_PROFILE   IDLE_TIME                  15
ORA_STIG_PROFILE   PASSWORD_GRACE_TIME        5
ORA_STIG_PROFILE   PASSWORD_LIFE_TIME         60
ORA_STIG_PROFILE   PASSWORD_LOCK_TIME         UNLIMITED
ORA_STIG_PROFILE   PASSWORD_REUSE_MAX         10
ORA_STIG_PROFILE   PASSWORD_REUSE_TIME        365
ORA_STIG_PROFILE   PASSWORD_VERIFY_FUNCTION   ORA12C_STRONG_VERIFY_FUNCTION

Users with Unlimited Failed Login Attempts      USER.NOLOCK      Pass               No users have unlimited failed login attempts.
Password Verification Functions                 USER.PASSWD      Significant Risk   Found 3 users not using password verification function.

Privileges and Roles

Item                                            ID               Status             Result
----------------------------------------------  ---------------  -----------------  ------------------------------------------------------------
All System Privileges                           PRIV.SYSTEM      Evaluate           234 grants of system privileges
All Roles                                       PRIV.ROLES       Evaluate           30 grants of roles

Account Management Privileges                   PRIV.ACCT        Evaluate           16 grants of account management privileges
Privilege Management Privileges                 PRIV.MGMT        Evaluate           32 grants of privilege management privileges
Audit Management Privileges                     PRIV.AUDIT       Evaluate           10 grants of audit privilege
Data Access Privileges                          PRIV.DATA        Evaluate           52 grants of data access privileges
Access Control Exemption Privileges             PRIV.EXEMPT      Evaluate           3 grants of access control exemption privileges
Access to Password Verifier Tables              PRIV.PASSWD      Evaluate           8 grants of object privileges on restricted objects

Access to Restricted Objects                    PRIV.OBJ         Evaluate           66 grants of object privileges on restricted objects
User Impersonation                              PRIV.USER        Pass               No grants of EXECUTE on restricted packages
Data Exfiltration                               PRIV.EXFIL       Pass               No grants of EXECUTE on restricted packages
System Privileges Granted to PUBLIC             PRIV.SYSPUB      Pass               No grants of system privileges to PUBLIC
Roles Granted to PUBLIC                         PRIV.ROLEPUB     Pass               No grants of roles to PUBLIC
Column Privileges Granted to PUBLIC             PRIV.COLPUB      Pass               No grants of column privileges to PUBLIC
DBA Role                                        PRIV.DBA         Evaluate           1 grant of DBA role
Other Powerful Roles                            PRIV.BIGROLES    Evaluate           9 grants of powerful roles (1 with admin option)

Java Permissions                                PRIV.JAVA        Evaluate           Found 4 users or roles with Java permission.
Users with Administrative Privileges            PRIV.ADMIN       Some Risk          Found 1 user granted administrative privileges. Found 3 administrative privileges not granted to any user.

Authorization Control

Item                                            ID               Status             Result
----------------------------------------------  ---------------  -----------------  ------------------------------------------------------------
Database Vault                                  AUTH.DV          Opportunity        Database Vault is not enabled.
Privilege Analysis                              AUTH.PRIV        Opportunity        No privilege analysis policies found.

Data Encryption

Item                                            ID               Status             Result
----------------------------------------------  ---------------  -----------------  ------------------------------------------------------------
Transparent Data Encryption                     CRYPT.TDE        Opportunity        No encrypted tablespaces found. No encrypted columns found.
Encryption Key Wallet                           CRYPT.WALLET     Evaluate           Found 1 wallet. No wallets are stored in the datafile directory.

Fine-Grained Access Control

Item                                            ID               Status             Result
----------------------------------------------  ---------------  -----------------  ------------------------------------------------------------
Data Redaction                                  ACCESS.REDACT    Opportunity        No data redaction policies found.
Virtual Private Database                        ACCESS.VPD       Evaluate           Found 1 VPD policy protecting 51 objects.
Real Application Security                       ACCESS.RAS       Opportunity        No RAS policies found.
Label Security                                  ACCESS.OLS       Opportunity        Label Security is not enabled.
Transparent Sensitive Data Protection           ACCESS.TSDP      Opportunity        No sensitive types and columns found. Found 0 TSDP policies.

Auditing

Item                                            ID               Status             Result
----------------------------------------------  ---------------  -----------------  ------------------------------------------------------------
Audit Records                                   AUDIT.RECORDS    Evaluate           Examined 3 audit trails. Found records in 1 audit trail. No errors found in audit initialization parameters.
Statement Audit                                 AUDIT.STMT       Evaluate           Auditing enabled for 17 statements.
Object Audit                                    AUDIT.OBJ        Evaluate           Auditing enabled for 223 objects.
Privilege Audit                                 AUDIT.PRIV       Evaluate           Auditing enabled for 29 privileges.
Administrative User Audit                       AUDIT.ADMIN      Pass               Actions of the SYS user are audited.
Privilege Management Audit                      AUDIT.PRIVMGMT   Pass               Actions related to privilege management are sufficiently audited.
Account Management Audit                        AUDIT.ACCTMGMT   Pass               Actions related to account management are sufficiently audited.
Database Management Audit                       AUDIT.DBMGMT     Significant Risk   Actions related to database management are not sufficiently audited.
Privilege Usage Audit                           AUDIT.PRIVUSE    Significant Risk   Usages of powerful system privileges are not sufficiently audited.
Database Connection Audit                       AUDIT.CONN       Pass               Database connections are sufficiently audited.
Fine Grained Audit                              AUDIT.FGA        Opportunity        No fine grained audit policies found.
Unified Audit                                   AUDIT.UNIFIED    Evaluate           Found 8 unified audit policies. Found 47 objects or statements being audited.

Database Configuration

Item                                            ID               Status             Result
----------------------------------------------  ---------------  -----------------  ------------------------------------------------------------
Access to Dictionary Objects                    CONF.SYSOBJ      Pass               Access to dictionary objects is properly limited.
Inference of Table Data                         CONF.INFER       Significant Risk   UPDATE and DELETE statements can be used to infer data values.
Network Communications                          CONF.NETCOM      Pass               Examined 3 initialization parameters. No issues found.
External Authorization                          CONF.EXTAUTH     Pass               Examined 2 initialization parameters. No issues found.
File System Access                              CONF.FILESYS     Pass               Examined 1 initialization parameter. No issues found.
Triggers                                        CONF.TRIG        Pass               No logon triggers found. No disabled triggers found.
Disabled Constraints                            CONF.CONST       Pass               No disabled constraints found.
External Procedures                             CONF.EXTPROC     Evaluate           Found 3 external procedures. No external services found.
Directory Objects                               CONF.DIR         Evaluate           Found 10 directory objects. No directory objects allow access to restricted Oracle directory paths. No directory objects allow both write and execute access.
Database Links                                  CONF.LINKS       Pass               No database links found.
Network Access Control                          CONF.NETACL      Evaluate           Found 1 network ACL.
XML Database Access Control                     CONF.XMLACL      Evaluate           Found 9 XML Database ACLs.

Initialization Parameters for Security

Name                                Value
---------------------------------   --------------------------------
AUDIT_FILE_DEST                     /u01/app/oracle/admin/orcl/adump
AUDIT_SYSLOG_LEVEL
AUDIT_SYS_OPERATIONS                TRUE
AUDIT_TRAIL                         DB
COMPATIBLE                          12.1.0.2.0
DBFIPS_140                          FALSE
DISPATCHERS                         (PROTOCOL=TCP) (SERVICE=orclXDB)
GLOBAL_NAMES                        FALSE
LDAP_DIRECTORY_ACCESS               NONE
LDAP_DIRECTORY_SYSAUTH              no
O7_DICTIONARY_ACCESSIBILITY         FALSE
OS_AUTHENT_PREFIX                   ops$
OS_ROLES                            FALSE
PDB_LOCKDOWN
PDB_OS_CREDENTIAL
REMOTE_LISTENER
REMOTE_LOGIN_PASSWORDFILE           EXCLUSIVE
REMOTE_OS_AUTHENT                   FALSE
REMOTE_OS_ROLES                     FALSE
RESOURCE_LIMIT                      TRUE
SEC_CASE_SENSITIVE_LOGON            TRUE
SEC_MAX_FAILED_LOGIN_ATTEMPTS       3
SEC_PROTOCOL_ERROR_FURTHER_ACTION   (DROP,3)
SEC_PROTOCOL_ERROR_TRACE_ACTION     TRACE
SEC_RETURN_SERVER_RELEASE_BANNER    FALSE
SQL92_SECURITY                      FALSE
UNIFIED_AUDIT_SGA_QUEUE_SIZE        1048576
UTL_FILE_DIR
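The CONF.INFER finding is the one entry in this section whose mechanism is not obvious from its one-line result, and the parameter behind it (SQL92_SECURITY, FALSE in the list above) is easy to miss. The following is an added walk-through, not part of the DBSAT report: the table HR.SALARIES, the account PAYROLL_ADJUSTER, its password and the salary values are constructed for illustration. It shows how an account with only UPDATE on a table reads a value it cannot SELECT, and the parameter change that closes it.

```sql
-- Added example (not from the DBSAT report). Constructed objects: HR.SALARIES, PAYROLL_ADJUSTER.
-- Setup, run as a DBA.
CREATE TABLE hr.salaries (emp_id NUMBER PRIMARY KEY, salary NUMBER NOT NULL);
INSERT INTO hr.salaries VALUES (1001, 163000);
COMMIT;

-- The adjuster may change salaries but was deliberately never granted SELECT on the table.
CREATE USER payroll_adjuster IDENTIFIED BY "Adj#2017!xYz";
GRANT CREATE SESSION TO payroll_adjuster;
GRANT UPDATE ON hr.salaries TO payroll_adjuster;

-- Now connected as PAYROLL_ADJUSTER. With SQL92_SECURITY = FALSE (this report's setting) the
-- WHERE clause may reference columns the user cannot SELECT, so the statement is accepted and
-- the row count tells the caller whether the predicate matched:
UPDATE hr.salaries SET salary = salary WHERE emp_id = 1001 AND salary > 150000;  -- "1 row updated"
UPDATE hr.salaries SET salary = salary WHERE emp_id = 1001 AND salary > 170000;  -- "0 rows updated"
ROLLBACK;
-- Each statement answers one comparison, so a binary search over a six-figure range pins the
-- exact salary in about 20 statements, with no SELECT privilege and nothing changed in the table.
-- DELETE ... WHERE with a ROLLBACK leaks the same bit.

-- Fix, as a DBA. SQL92_SECURITY is static, so it takes effect at the next restart:
ALTER SYSTEM SET sql92_security = TRUE SCOPE = SPFILE;
-- After the restart the UPDATEs above fail with ORA-01031 (insufficient privileges) unless the
-- account also holds SELECT (or, on 12.1.0.2, READ) on HR.SALARIES. Confirm with:
SELECT name, value FROM v$parameter WHERE name = 'sql92_security';
```

Expect some applications to break after the change: any account that updates or deletes with a WHERE clause needs a SELECT or READ grant it may never have had, so audit DBA_TAB_PRIVS for UPDATE/DELETE grants without a matching SELECT before the restart.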

Network Configuration

Item                                            ID               Status             Result
----------------------------------------------  ---------------  -----------------  ------------------------------------------------------------
Network Encryption                              NET.CRYPT        Significant Risk   Native encryption is partially enabled. Integrity check using checksums is partially enabled.
Client Nodes                                    NET.CLIENTS      Significant Risk   Valid node check is not enabled. Neither TCP.INVITED_NODES nor TCP.EXCLUDED_NODES is set.
SQLNET Banners                                  NET.BANNER       Some Risk          Connect banners are not fully configured.
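The three findings above, plus the USER.AUTHVERS finding from the User Accounts section, are all settled in the server-side sqlnet.ora. The fragment below is an added example, not part of the DBSAT report; the host names, addresses and banner file paths are placeholders, and the comments state the trade-off each setting carries on a database that still has older clients.

```ini
# sqlnet.ora on the database server (added example; hosts and file paths are placeholders)

# NET.CRYPT: native network encryption and integrity. REQUIRED rather than the default
# ACCEPTED, so a client cannot negotiate them away. Use REQUESTED first if any client
# cannot encrypt yet, then move to REQUIRED once those clients are fixed.
SQLNET.ENCRYPTION_SERVER = REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)
SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA256)

# NET.CLIENTS: valid node checking. Only the listed hosts may reach the listener. The list
# must include monitoring, backup and application servers; the listener reads it at startup,
# so restart the listener after editing.
TCP.VALIDNODE_CHECKING = YES
TCP.INVITED_NODES = (appserver01.example.com, appserver02.example.com, 10.10.20.5)

# USER.AUTHVERS: refuse clients that only speak the 10G/11G password protocol. 12 keeps the
# 11G and 12C verifiers; 12a is the strictest (12C only) and needs 12.1.0.2 or newer clients.
SQLNET.ALLOWED_LOGON_VERSION_SERVER = 12

# NET.BANNER: text the client sees before and after authentication. The files must exist
# and be readable by the Oracle software owner.
SEC_USER_AUDIT_ACTION_BANNER = /u01/app/oracle/network/admin/audit_banner.txt
SEC_USER_UNAUTHORIZED_ACCESS_BANNER = /u01/app/oracle/network/admin/unauth_banner.txt
```

"Partially enabled" in the finding means one of encryption or checksumming is configured on only one side; with ACCEPTED on both ends (the default) nothing is negotiated at all. Verify from a live session with SELECT network_service_banner FROM v$session_connect_info WHERE sid = SYS_CONTEXT('USERENV','SID'); the banner rows name the encryption and checksum algorithms actually in use. Raising ALLOWED_LOGON_VERSION_SERVER locks out any account whose PASSWORD_VERSIONS in DBA_USERS lacks 11G or 12C until its password is reset.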

Network Listener Configuration                  NET.COST         Significant Risk   Examined 1 listener. Found 1 listener not configured properly.
Listener Logging Control                        NET.LISTENLOG    Pass               Examined 1 listener. Found 0 listeners not configured properly.

Operating System

Item                                            ID               Status             Result
----------------------------------------------  ---------------  -----------------  ------------------------------------------------------------
OS Authentication                               OS.AUTH          Evaluate           1 OS user can connect to the database via OS authentication.
Process Monitor Process                         OS.PMON          Pass               Found 1 PMON process. The owner of the PMON process matches the ORACLE_HOME owner.
Agent Processes                                 OS.AGENT         Some Risk          Some Agent process owners overlap with Listener or PMON process owners.
Listener Processes                              OS.LISTEN        Some Risk          Found 1 Listener process. Some Listener process owners overlap with Agent or PMON process owners.

This report is focused on detecting areas of potential security vulnerabilities or misconfigurations and providing recommendations on how to mitigate those potential vulnerabilities.

The report provides a view on the current status. These recommendations are provided for informational purposes only and should not be used as a substitute for a thorough analysis or interpreted to contain any legal or regulatory advice or guidance.

You are solely responsible for your system, and the data and information gathered during the production of this report. You are also solely responsible for the execution of software to produce this report, and for the effect and results of the execution of any mitigating actions identified herein.

Oracle provides this analysis on an "as is" basis without warranty of any kind and Oracle hereby disclaims all warranties and conditions whether express, implied or statutory.

Remarks

Basic Information

Patch Check (INFO.PATCH): It is vital to keep the database software up-to-date with security fixes as they are released. Oracle issues Patch Set Updates (PSU) on a regular quarterly schedule. These updates should be applied as soon as they are available. For releases prior to Oracle Database 12c, quarterly updates may be delivered by patches not marked as PSUs.

User Accounts

User Accounts in SYSTEM or SYSAUX Tablespace (USER.TBLSPACE): The SYSTEM and SYSAUX tablespaces are reserved for Oracle-supplied user accounts. To avoid a possible denial of service caused by exhausting these resources, regular user accounts should not use these tablespaces. Prior to Oracle Database 12.2, the SYSTEM tablespace cannot be encrypted, and this is another reason to avoid user schemas in this tablespace.

Sample Schemas (USER.SAMPLE): Sample schemas are well-known accounts provided by Oracle to serve as simple examples for developers. They generally serve no purpose in a production database and should be removed because they unnecessarily increase the attack surface of the database.

Inactive Users (USER.INACTIVE): If a user account is no longer in use, it increases the attack surface of the system unnecessarily while providing no corresponding benefit. Furthermore, unauthorized use is less likely to be noticed when no one is regularly using the account. Accounts that have been unused for more than 30 days should be investigated to determine whether they should remain active.

Case-Sensitive Passwords (USER.CASE): Case-sensitive passwords are recommended because including both upper- and lower-case letters greatly increases the set of possible passwords that must be searched by an attacker who is attempting to guess a password by exhaustive search. Setting SEC_CASE_SENSITIVE_LOGON to TRUE ensures that the database distinguishes between upper- and lower-case letters in passwords.

Users with Expired Passwords (USER.EXPIRED): Password expiration is used to ensure that users change their passwords on a regular basis. If a user's password has been expired for more than 30 days, it indicates that the user has not logged in for at least that long. Accounts that have been unused for an extended period of time should be investigated to determine whether they should remain active.

Users with Default Passwords (USER.DEFPWD): Default account passwords for predefined Oracle accounts are well known. Open accounts with default passwords provide a trivial means of entry for attackers, but well-known passwords should be changed for locked accounts as well.

Minimum Client Authentication Version (USER.AUTHVERS): Over time, Oracle releases have added support for increasingly secure versions of the algorithm used for password authentication of user accounts. In order to remain compatible with older client software, the database continues to support previous password versions as well. The sqlnet.ora parameter SQLNET.ALLOWED_LOGON_VERSION_SERVER determines the minimum password version that the database will accept. For maximum security, this parameter should be set to the highest value supported by the database once all client systems have been upgraded.

Password Verifiers (USER.VERIFIER): For each user account, the database may store multiple verifiers, which are hashes of the user password. Each verifier supports a different version of the password authentication algorithm. Every user account should include a verifier for the latest password version supported by the database so that the user can be authenticated using the latest algorithm supported by the client. When all clients have been updated, the security of user accounts can be improved by removing the obsolete verifiers. HTTP password verifiers are used for XML Database authentication. Use the ALTER USER command to remove these verifiers from user accounts that do not require this access.
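The account checks above (USER.DEFPWD, USER.INACTIVE, USER.VERIFIER and the client-version finding) each map to one dictionary view on 12.1. The script below is an added example, not part of the DBSAT report: it reproduces the checks and the remediation the remarks call for. APP_BATCH stands in for whichever account the USER.DEFPWD finding identified (the report does not name it) and the replacement password is made up.

```sql
-- Added example (not from the DBSAT report). Run as a DBA on 12.1. APP_BATCH is a constructed
-- account name standing in for the account the USER.DEFPWD finding refers to.

-- USER.DEFPWD: accounts whose verifier still matches an Oracle-shipped default password.
-- Locked accounts are listed too; the remark says those should be changed as well.
SELECT d.username, u.account_status, u.oracle_maintained
FROM   dba_users_with_defpwd d
JOIN   dba_users u ON u.username = d.username
ORDER  BY u.account_status, d.username;

-- USER.INACTIVE: open, non-Oracle accounts with no authentication in 30 days. LAST_LOGIN is
-- new in 12.1 and is NULL for an account that never logged in since then; treat NULL as inactive.
SELECT username, profile, created, last_login
FROM   dba_users
WHERE  account_status = 'OPEN'
AND    oracle_maintained = 'N'
AND    (last_login IS NULL OR last_login < SYSTIMESTAMP - INTERVAL '30' DAY)
ORDER  BY last_login NULLS FIRST;

-- USER.VERIFIER / USER.AUTHVERS: which password versions each account can still use.
-- An account showing only "10G" stops working the moment ALLOWED_LOGON_VERSION_SERVER is
-- raised; a password change regenerates the newer verifiers, so do that first.
SELECT username, password_versions, authentication_type
FROM   dba_users
WHERE  authentication_type = 'PASSWORD'
ORDER  BY password_versions, username;

-- Remediation for the default-password account. If it is still needed, set a fresh password
-- and expire it so its owner must choose their own; if nobody can name an owner, lock it.
ALTER USER app_batch IDENTIFIED BY "Xk7#qL2!vPz9" PASSWORD EXPIRE;
-- ALTER USER app_batch ACCOUNT LOCK;   -- the alternative for orphaned accounts

-- HTTP (XML DB) verifiers are separate from the SQL*Net ones. The report found none, so this
-- is the preventive form; DIGEST DISABLE is the 12.1 ALTER USER clause for that verifier.
ALTER USER app_batch DIGEST DISABLE;
```

DBA_USERS_WITH_DEFPWD only knows the default passwords Oracle ships, not passwords that are merely weak; the password verification function in the next remark is the control for those.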

Users with Unlimited Password Lifetime (USER.NOEXPIRE): Password expiration is used to ensure that users change their passwords on a regular basis. Passwords that never expire may remain unchanged for an extended period of time. When passwords do not have to be changed regularly, users are also more likely to use the same passwords for multiple accounts.

Users with Unlimited Failed Login Attempts (USER.NOLOCK): Attackers sometimes attempt to guess a user's password by simply trying all possibilities from a set of common passwords. To defend against this attack, it is advisable to lock a user account when there are multiple failed login attempts without a successful login.

Password Verification Functions (USER.PASSWD): Password verification functions are used to ensure that user passwords meet minimum requirements for complexity, which may include factors such as length, use of numbers or punctuation characters, difference from previous passwords, etc. Oracle supplies several predefined functions, or a custom PL/SQL function can be used. Every user profile should include a password verification function.
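In this report the three users without a verification function are exactly the three on the DEFAULT profile (PASSWORD_VERIFY_FUNCTION = NULL in the profile table), while ORA_STIG_PROFILE, which does have one, has no users. The script below is an added example, not part of the DBSAT report: it finds accounts whose effective verify function is NULL and shows the two ways to fix that. APP_USER is a constructed account name.

```sql
-- Added example (not from the DBSAT report); APP_USER is a constructed account name.

-- USER.PASSWD: open accounts whose effective PASSWORD_VERIFY_FUNCTION is NULL. A profile limit
-- of DEFAULT inherits from the DEFAULT profile, so resolve that before comparing.
WITH pvf AS (
  SELECT p.profile,
         CASE WHEN p.limit = 'DEFAULT'
              THEN (SELECT d.limit FROM dba_profiles d
                    WHERE  d.profile = 'DEFAULT'
                    AND    d.resource_name = 'PASSWORD_VERIFY_FUNCTION')
              ELSE p.limit END AS verify_function
  FROM   dba_profiles p
  WHERE  p.resource_name = 'PASSWORD_VERIFY_FUNCTION')
SELECT u.username, u.profile, pvf.verify_function
FROM   dba_users u
JOIN   pvf ON pvf.profile = u.profile
WHERE  u.account_status = 'OPEN'
AND    pvf.verify_function = 'NULL';      -- DBA_PROFILES stores the word NULL, not SQL NULL

-- Option A: harden DEFAULT itself. Here DEFAULT carries SYS, SYSTEM and DBSNMP, so these
-- limits apply to them too. ORA12C_STRONG_VERIFY_FUNCTION is created by
-- $ORACLE_HOME/rdbms/admin/utlpwdmg.sql; it already exists here since ORA_STIG_PROFILE uses it.
ALTER PROFILE DEFAULT LIMIT
  PASSWORD_VERIFY_FUNCTION ORA12C_STRONG_VERIFY_FUNCTION
  PASSWORD_REUSE_MAX       10
  PASSWORD_REUSE_TIME      365
  FAILED_LOGIN_ATTEMPTS    5
  IDLE_TIME                30;   -- enforced because RESOURCE_LIMIT = TRUE here; it will also
                                 -- disconnect idle EM agent (DBSNMP) sessions

-- Option B: leave DEFAULT alone and move interactive and application accounts to the STIG
-- profile the report shows with 0 users.
ALTER USER app_user PROFILE ORA_STIG_PROFILE;

-- A verify function is evaluated only at the next password change; existing passwords are
-- never re-validated. Force the change on interactive accounts:
ALTER USER app_user PASSWORD EXPIRE;

-- Confirm the effective password limits.
SELECT profile, resource_name, limit
FROM   dba_profiles
WHERE  resource_type = 'PASSWORD'
AND    profile IN ('DEFAULT', 'ORA_STIG_PROFILE')
ORDER  BY profile, resource_name;
```

ORA12C_STRONG_VERIFY_FUNCTION requires at least nine characters with two of each of upper-case, lower-case, digit and special; application accounts whose passwords are set by deployment tooling need that tooling updated before the profile change, or the next rotation fails.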

Privileges and Roles

All System Privileges (PRIV.SYSTEM): System privileges provide the ability to access data or perform administrative operations for the entire database. Consistent with the principle of least privilege, these privileges should be granted sparingly. The Privilege Analysis feature of Database Vault may be helpful to determine the minimum set of privileges required by a user or role. In some cases, it may be possible to substitute a more limited object privilege grant in place of a system privilege grant that applies to all objects. System privileges should be granted with admin option only when the recipient needs the ability to grant the privilege to others.

All Roles (PRIV.ROLES): Roles are a convenient way to manage groups of related privileges, especially when the privileges are required for a particular task or job function. Beware of broadly defined roles, which may confer more privileges than an individual recipient requires. Roles should be granted with admin option only when the recipient needs the ability to modify the role or grant it to others.

Account Management Privileges (PRIV.ACCT): User management privileges (ALTER USER, CREATE USER, DROP USER) can be used to create and modify other user accounts, including changing passwords. This power can be abused to gain access to another user's account, which may have greater privileges.

Privilege Management Privileges (PRIV.MGMT): Users with privilege management privileges (ALTER ANY ROLE, CREATE ROLE, DROP ANY ROLE, GRANT ANY OBJECT PRIVILEGE, GRANT ANY PRIVILEGE, GRANT ANY ROLE) can change the set of privileges granted to themselves and other users. This ability should be granted sparingly, since it can be used to circumvent many security controls in the database.

Audit Management Privileges (PRIV.AUDIT): Audit management privileges (AUDIT ANY, AUDIT SYSTEM) can be used to change the audit policies for the database. This ability should be granted sparingly, since it may be used to hide malicious activity.

Data Access Privileges (PRIV.DATA): Users with data access privileges (ALTER ANY TABLE, ALTER ANY TRIGGER, CREATE ANY INDEX, CREATE ANY PROCEDURE, CREATE ANY TRIGGER, DELETE ANY TABLE, INSERT ANY TABLE, READ ANY TABLE, SELECT ANY DICTIONARY, SELECT ANY TABLE, UPDATE ANY TABLE) can override various access controls on data. Most administrative tasks do not require access to the data itself, so these privileges should be granted rarely even to administrators. In addition to minimizing grants of these privileges, consider the use of Database Vault realms to limit the use of these privileges to access sensitive data.

Access Control Exemption Privileges (PRIV.EXEMPT): Users with exemption privileges (EXEMPT ACCESS POLICY, EXEMPT REDACTION POLICY) can bypass the access control policies created using Virtual Private Database and Data Redaction. Most administrative tasks do not require access to the data itself, so these privileges should be granted rarely even to administrators.

Access to Password Verifier Tables (PRIV.PASSWD): Users with these privileges can access objects that contain user password verifiers. The verifiers can be used in offline attacks to discover user passwords.

Access to Restricted Objects (PRIV.OBJ): Users with these privileges can directly modify objects in the SYS, DVSYS, or LBACSYS schemas. Manipulating these system objects may allow security protections to be circumvented or otherwise interfere with normal operation of the database.

User Impersonation (PRIV.USER): These PL/SQL packages (DBMS_SCHEDULER, DBMS_SYS_SQL) allow for execution of SQL code or external jobs using the identity of a different user. Access should be strictly limited and granted only to users with a legitimate need for this functionality.

Data Exfiltration (PRIV.EXFIL): These PL/SQL packages (DBMS_BACKUP_RESTORE) can send data from the database using the network or file system. Access should be granted only to users with a legitimate need for this functionality.

System Privileges Granted to PUBLIC (PRIV.SYSPUB): Privileges granted to PUBLIC are available to all users. This generally should include few, if any, system privileges since these will not be needed by ordinary users who are not administrators.

Roles Granted to PUBLIC (PRIV.ROLEPUB): Roles granted to PUBLIC are available to all users. Most roles contain privileges that are not appropriate for all users.

Column Privileges Granted to PUBLIC (PRIV.COLPUB): Privileges granted to PUBLIC are available to all users. This should include column privileges only for data that is intended to be accessible to everyone.

DBA Role (PRIV.DBA): The DBA role is very powerful and can be used to bypass many security protections. It should be granted to only a small number of trusted administrators. Furthermore, each trusted user should have an individual account for accountability reasons. As with any powerful role, avoid granting the DBA role with admin option unless absolutely necessary.

Other Powerful Roles (PRIV.BIGROLES): Like the DBA role, these roles (AQ_ADMINISTRATOR_ROLE, EM_EXPRESS_ALL, EXP_FULL_DATABASE, IMP_FULL_DATABASE, OEM_MONITOR) contain powerful privileges that can be used to bypass security protections. They should be granted only to a small number of trusted administrators.

Java Permissions (PRIV.JAVA): Java permission grants control the ability of database users to execute Java classes within the database server. A database user executing Java code must have both Java security permissions and database privileges to access resources within the database. These resources include database resources, such as tables and PL/SQL packages, operating system resources, such as files and sockets, Oracle JVM classes, and user-loaded classes. Make sure that these permissions are limited to the minimum required by each user.

Users with Administrative Privileges (PRIV.ADMIN): Administrative privileges allow a user to perform maintenance operations, including some that may occur while the database is not open. The SYSDBA privilege allows the user to run as SYS and perform virtually all privileged operations. Starting with Oracle Database 12.1, less powerful administrative privileges were introduced to allow users to perform common administrative tasks with less than full SYSDBA privileges. To achieve the benefit of this separation of duty, each of these administrative privileges should be granted to at least one user account.
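Every "Evaluate" item in the Privileges and Roles section above is a list the reviewer has to pull and read; the report gives counts, not the grants. The script below is an added example, not part of the DBSAT report, that pulls those lists from the 12.1 dictionary in the same grouping the report uses, expands nested roles for one account (direct grants alone understate what an account can do), and ends with the object-grant substitution the PRIV.SYSTEM remark recommends. APP_USER, APP_READER and HR.PAYROLL are constructed names.

```sql
-- Added example (not from the DBSAT report); APP_USER, APP_READER and HR.PAYROLL are constructed.
-- Run as a DBA on 12.1. ORACLE_MAINTAINED (12.1) filters out Oracle-shipped accounts and roles.

-- PRIV.SYSTEM / PRIV.BIGROLES: system privileges and roles held WITH ADMIN OPTION.
SELECT grantee, privilege AS granted, 'SYSPRIV' AS kind FROM dba_sys_privs  WHERE admin_option = 'YES'
UNION ALL
SELECT grantee, granted_role,         'ROLE'            FROM dba_role_privs WHERE admin_option = 'YES'
ORDER  BY 1, 3, 2;

-- PRIV.DATA: "ANY" data-access privileges held outside Oracle-maintained users and roles.
SELECT sp.grantee, sp.privilege
FROM   dba_sys_privs sp
WHERE  sp.privilege IN ('SELECT ANY TABLE', 'READ ANY TABLE', 'INSERT ANY TABLE',
                        'UPDATE ANY TABLE', 'DELETE ANY TABLE', 'ALTER ANY TABLE',
                        'SELECT ANY DICTIONARY', 'CREATE ANY PROCEDURE',
                        'CREATE ANY TRIGGER', 'ALTER ANY TRIGGER', 'CREATE ANY INDEX')
AND    sp.grantee NOT IN (SELECT username FROM dba_users WHERE oracle_maintained = 'Y')
AND    sp.grantee NOT IN (SELECT role     FROM dba_roles WHERE oracle_maintained = 'Y')
ORDER  BY sp.grantee, sp.privilege;

-- PRIV.DBA, PRIV.SYSPUB, PRIV.ROLEPUB: who holds DBA, and what PUBLIC has.
SELECT grantee, admin_option FROM dba_role_privs WHERE granted_role = 'DBA';
SELECT 'SYSPRIV' AS kind, privilege    AS granted FROM dba_sys_privs  WHERE grantee = 'PUBLIC'
UNION ALL
SELECT 'ROLE',            granted_role          FROM dba_role_privs WHERE grantee = 'PUBLIC';

-- PRIV.PASSWD / PRIV.USER / PRIV.EXFIL: object grants on verifier tables and on the
-- impersonation and exfiltration packages the remarks name.
SELECT grantee, table_name, privilege
FROM   dba_tab_privs
WHERE  owner = 'SYS'
AND    table_name IN ('USER$', 'USER_HISTORY$', 'DEFAULT_PWD$',
                      'DBMS_SYS_SQL', 'DBMS_SCHEDULER', 'DBMS_BACKUP_RESTORE')
ORDER  BY table_name, grantee;

-- PRIV.ADMIN: administrative privileges live in the password file, not in DBA_SYS_PRIVS.
SELECT username, sysdba, sysoper, sysbackup, sysdg, syskm FROM v$pwfile_users;

-- Effective system privileges of one account: direct grants, PUBLIC, and every role reachable
-- through nested role grants.
SELECT DISTINCT sp.privilege
FROM   dba_sys_privs sp
WHERE  sp.grantee IN (SELECT 'APP_USER' FROM dual
                      UNION
                      SELECT 'PUBLIC'   FROM dual
                      UNION
                      SELECT granted_role FROM dba_role_privs
                      START WITH grantee = 'APP_USER'
                      CONNECT BY PRIOR granted_role = grantee)
ORDER  BY sp.privilege;

-- The substitution the PRIV.SYSTEM remark describes: an object grant in place of a blanket one.
REVOKE SELECT ANY TABLE FROM app_reader;
GRANT  SELECT ON hr.payroll TO app_reader;
```

The role expansion lists privileges the account can obtain, not necessarily those active in a given session: password-protected or non-default roles must be enabled with SET ROLE first, which is itself worth checking in DBA_ROLE_PRIVS.DEFAULT_ROLE.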

Authorization Control

Database Vault (AUTH.DV): Database Vault provides for configurable policies to control the actions of privileged administrative users, in order to protect against insider threats, stolen credentials, and human error. Data realms prevent unauthorized access to sensitive data objects, even by users with system privileges. Command rules limit the SQL commands and options that administrators can execute.

Privilege Analysis (AUTH.PRIV): Privilege Analysis records the privileges used during a real or simulated workload. After collecting data about the privileges that are actually used, this information can be used to revoke privilege grants that are no longer needed.
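The privilege analysis workflow the remark summarises is a four-step cycle through the DBMS_PRIVILEGE_CAPTURE package. The block below is an added example, not part of the DBSAT report, run against the one DBA grant this report found (PRIV.DBA); the capture name, the replacement role OPS_DBA_MIN and the account APP_DBA are constructed. It needs the CAPTURE_ADMIN role, and on 12.1 the feature is licensed as part of Database Vault, as the remark says.

```sql
-- Added example (not from the DBSAT report). Capture name, OPS_DBA_MIN and APP_DBA are
-- constructed; requires the CAPTURE_ADMIN role.

-- 1. Define what to record: privileges exercised while the DBA role is enabled in a session.
--    (G_DATABASE would record everything; G_CONTEXT filters on a SYS_CONTEXT condition.)
BEGIN
  DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
    name        => 'DBA_ROLE_USAGE',
    description => 'Privileges actually used through the DBA role',
    type        => DBMS_PRIVILEGE_CAPTURE.G_ROLE,
    roles       => ROLE_NAME_LIST('DBA'));
  DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE('DBA_ROLE_USAGE');
END;
/

-- 2. Run the normal administrative workload long enough to cover month-end, patching and
--    restore drills; anything not exercised in that window is reported as unused.

-- 3. Stop the capture and materialise the result.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE('DBA_ROLE_USAGE');
  DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT('DBA_ROLE_USAGE');
END;
/

-- 4. Used versus unused. USED_ROLE names the role through which each privilege was obtained.
SELECT username, used_role, sys_priv, obj_priv, object_owner, object_name
FROM   dba_used_privs
WHERE  capture = 'DBA_ROLE_USAGE'
ORDER  BY username, sys_priv, object_name;

SELECT username, sys_priv
FROM   dba_unused_sysprivs
WHERE  capture = 'DBA_ROLE_USAGE'
ORDER  BY username, sys_priv;

-- 5. Act on it: a role built from the DBA_USED_SYSPRIVS output (one privilege shown as a
--    constructed example), granted in place of DBA.
CREATE ROLE ops_dba_min;
GRANT ALTER SYSTEM TO ops_dba_min;
GRANT ops_dba_min TO app_dba;
REVOKE DBA FROM app_dba;

-- 6. Remove the capture once the result has been acted on.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.DROP_CAPTURE('DBA_ROLE_USAGE');
END;
/
```

Keep the capture window honest: a privilege that only a quarterly task uses will be reported unused after a two-week run, and revoking it fails that task three months later with no obvious link to the change.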

Data Encryption

Transparent Data Encryption (CRYPT.TDE): Encryption of some sensitive data is a requirement in certain regulated environments. Transparent Data Encryption automatically encrypts data as it is stored and decrypts it upon retrieval. This protects sensitive data from attacks that bypass the database to read data files directly. Encryption keys may be stored in wallets on the database server itself, or stored remotely in Oracle Key Vault for improved security.

Encryption Key Wallet (CRYPT.WALLET): Wallets are encrypted files used to store encryption keys, passwords, and other sensitive data. Wallet files should not be stored in the same directory with database data files, to avoid accidentally creating backups that include both encrypted data files and the wallet containing the master key protecting those files. For maximum separation of keys and data, consider storing encryption keys in Oracle Key Vault instead of wallet files.
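Setting up TDE on 12.1 in the way the two remarks describe, with the keystore kept away from the datafiles, is a short sequence of ADMINISTER KEY MANAGEMENT statements. The block below is an added example, not part of the DBSAT report; the keystore path, datafile path, keystore password, tablespace and the HR.PAYROLL table and index are placeholders. The keystore directory is placed under the admin tree (the report shows /u01/app/oracle/admin/orcl as the admin location) rather than next to the datafiles.

```sql
-- Added example (not from the DBSAT report). Paths, keystore password, tablespace name and
-- HR.PAYROLL / HR.PAYROLL_PK are placeholders.

-- 0. 12.1 finds the keystore through sqlnet.ora on the server; the directory must exist and
--    be owned by the Oracle software owner with mode 700:
--    ENCRYPTION_WALLET_LOCATION =
--      (SOURCE = (METHOD = FILE)(METHOD_DATA = (DIRECTORY = /u01/app/oracle/admin/orcl/wallet)))

-- 1. Create the password-protected keystore, open it, set the TDE master key. Needs SYSKM or
--    SYSDBA. WITH BACKUP copies the keystore before the key is written; store that copy where
--    the datafile backups are not.
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/u01/app/oracle/admin/orcl/wallet'
  IDENTIFIED BY "Ks!2017#wallet";
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "Ks!2017#wallet";
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "Ks!2017#wallet" WITH BACKUP USING 'initial_mk';

-- 2. Encrypt at tablespace level. On 12.1 an existing tablespace cannot be converted in place,
--    so create an encrypted one and move the sensitive segments into it.
CREATE TABLESPACE sensitive_ts
  DATAFILE '/u01/app/oracle/oradata/orcl/sensitive_ts01.dbf' SIZE 100M AUTOEXTEND ON
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);
ALTER TABLE hr.payroll MOVE TABLESPACE sensitive_ts;
ALTER INDEX hr.payroll_pk REBUILD TABLESPACE sensitive_ts;   -- MOVE leaves indexes UNUSABLE

-- 3. What DBSAT reads for CRYPT.TDE and CRYPT.WALLET.
SELECT wrl_type, wrl_parameter, status, wallet_type FROM v$encryption_wallet;
SELECT tablespace_name, encrypted FROM dba_tablespaces ORDER BY encrypted DESC, tablespace_name;
SELECT owner, table_name, column_name, encryption_alg FROM dba_encrypted_columns;

-- 4. Auto-login keystore so the database opens after a restart without an operator. The .sso
--    file is as sensitive as the password and must stay out of datafile backups as well.
ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE
  FROM KEYSTORE '/u01/app/oracle/admin/orcl/wallet' IDENTIFIED BY "Ks!2017#wallet";
```

Two points the remark does not spell out: moving a table leaves its old, unencrypted blocks in the original tablespace until they are reused, so the plaintext is still on disk and in older backups; and the SYSTEM tablespace cannot be encrypted on this release (see the USER.TBLSPACE remark), which is one more reason to keep application data out of it.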

Fine-Grained Access Control

Data Redaction (ACCESS.REDACT): Data Redaction automatically masks sensitive data found in the results of a database query. The data is masked immediately before it is returned as part of the result set, so it does not interfere with any conditions specified as part of the query. Access by users with the EXEMPT REDACTION POLICY privilege will not be affected by the redaction policy. Users who can execute the DBMS_REDACT package are able to create and modify redaction policies. Also consider the use of Oracle Data Masking and Subsetting to permanently mask sensitive data when making copies for test or development use.

Virtual Private Database (ACCESS.VPD): Virtual Private Database (VPD) allows for fine-grained control over which rows and columns of a table are visible to a SQL statement. Access control using VPD limits each database session to only the specific data it should be able to access. Access by users with the EXEMPT ACCESS POLICY privilege will not be affected by VPD policies. Users who can execute the DBMS_RLS package are able to create and modify these policies.

Real Application Security (ACCESS.RAS): Like Virtual Private Database, Real Application Security (RAS) provides fine-grained control over the rows and columns of a table that are visible to a SQL statement. Specification of RAS data access policies uses a declarative syntax based on access control lists. Access by users with the EXEMPT ACCESS POLICY privilege will not be affected by RAS access policies. Users with ADMIN_SEC_POLICY and APPLY_SEC_POLICY privileges are able to create and modify these policies.

Label Security (ACCESS.OLS): Oracle Label Security provides the ability to tag data with a data label or a data classification. Access to sensitive data is controlled by comparing the data label with the requesting user's label or security clearance. A user label or security clearance can be thought of as an extension to standard database privileges and roles. Access by users with the EXEMPT ACCESS POLICY privilege will not be affected by the Label Security policies. Each policy has a corresponding role; users who have this role are able to administer the policy.

Transparent Sensitive Data Protection (ACCESS.TSDP): Transparent Sensitive Data Protection (TSDP), introduced in Oracle Database 12.1, allows a data type to be associated with each column that contains sensitive data. TSDP can then apply various data security features to all instances of a particular type so that protection is uniform and consistent. Data from columns marked as sensitive is also automatically redacted in the database audit trail and trace logs. Users who can execute the DBMS_TSDP_MANAGE and DBMS_TSDP_PROTECT packages are able to manage sensitive data types and the protection actions that are applied to them.
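VPD is the one fine-grained control this database already uses (one policy over 51 objects), and Data Redaction is the one the report flags as an opportunity; the two remarks above describe them as a predicate appended to statements and a mask applied to the result set. The block below is an added example, not part of the DBSAT report, that builds one of each on a constructed table so the difference is visible: HR.PAYROLL, HR.EMP_ACCOUNTS, the account ALICE, the policy names and the card numbers are all made up.

```sql
-- Added example (not from the DBSAT report). HR.PAYROLL, HR.EMP_ACCOUNTS, ALICE, the policy
-- names and the data are constructed. Run as a DBA; the policy function is owned by HR.

CREATE TABLE hr.payroll (
  emp_id  NUMBER PRIMARY KEY, dept_id NUMBER NOT NULL,
  salary  NUMBER, card_no VARCHAR2(19));
CREATE TABLE hr.emp_accounts (username VARCHAR2(128) PRIMARY KEY, dept_id NUMBER NOT NULL);
INSERT INTO hr.payroll      VALUES (1001, 10, 163000, '4012888888881881');
INSERT INTO hr.payroll      VALUES (2001, 20,  91000, '5555555555554444');
INSERT INTO hr.emp_accounts VALUES ('ALICE', 10);
COMMIT;

-- VPD (ACCESS.VPD): the policy function returns a predicate string that Oracle appends to every
-- statement on the table; here, rows of the caller's own department. Returning NULL would mean
-- "no restriction", so an unmapped user gets a subquery that matches nothing rather than NULL.
CREATE OR REPLACE FUNCTION hr.dept_predicate (p_schema IN VARCHAR2, p_object IN VARCHAR2)
RETURN VARCHAR2 IS
BEGIN
  RETURN 'dept_id IN (SELECT a.dept_id FROM hr.emp_accounts a '
      || 'WHERE a.username = SYS_CONTEXT(''USERENV'',''SESSION_USER''))';
END;
/
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'PAYROLL',
    policy_name     => 'PAYROLL_DEPT_POL',
    function_schema => 'HR',
    policy_function => 'DEPT_PREDICATE',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    update_check    => TRUE);   -- rows written by INSERT/UPDATE must satisfy the predicate too
END;
/

-- Data Redaction (ACCESS.REDACT): partial redaction of the card number, keeping the last four
-- digits. The parameter string is input pattern, output pattern, mask character, first and
-- last masked position. expression => '1=1' applies it to every caller except holders of
-- EXEMPT REDACTION POLICY.
BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema       => 'HR',
    object_name         => 'PAYROLL',
    policy_name         => 'PAYROLL_CARD_REDACT',
    column_name         => 'CARD_NO',
    function_type       => DBMS_REDACT.PARTIAL,
    function_parameters => 'VVVVVVVVVVVVVVVV,VVVVVVVVVVVVVVVV,*,1,12',
    expression          => '1=1');
END;
/

-- Connected as ALICE (dept 10) holding SELECT on HR.PAYROLL:
--   SELECT emp_id, salary, card_no FROM hr.payroll;
--   returns one row: 1001, 163000, ************1881
-- Row 2001 is removed by the VPD predicate; the card is masked by redaction. But
--   SELECT COUNT(*) FROM hr.payroll WHERE card_no = '4012888888881881';
-- still returns 1: redaction changes the result set, not the predicate, exactly as the
-- remark says, so a caller can still test for specific values.

-- Inventory, which is what DBSAT counts for ACCESS.VPD and ACCESS.REDACT.
SELECT object_owner, object_name, policy_name, sel, ins, upd, del, enable FROM dba_policies;
SELECT object_owner, object_name, policy_name, expression, enable FROM redaction_policies;
```

That last point is the practical caveat for redaction: it protects display, not inference. Where a column must not be probed at all, the VPD predicate (or not granting SELECT on the column) is the control, and redaction is the second layer.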

Auditing

Audit Records (AUDIT.RECORDS): Auditing is an essential component for securing any system. The audit trail allows for monitoring the activities of highly privileged users. For any attack that exploits gaps in other security policies, auditing cannot prevent the attack but it forms the critical last line of defense by detecting the malicious activity. Sending audit data to a remote system is recommended in order to prevent any possible tampering with the audit records. The AUDIT_SYSLOG_LEVEL parameter can be set to send an abbreviated version of some audit records to a remote syslog collector. A better solution is to use Oracle Audit Vault and Database Firewall to centrally collect full audit records from multiple databases.

Statement Audit (AUDIT.STMT): This finding shows the SQL statements that are audited by enabled audit policies.

Object Audit (AUDIT.OBJ): This finding shows the object accesses that are audited by enabled audit policies.

Privilege Audit (AUDIT.PRIV): This finding shows the privileges that are audited by enabled audit policies.

Administrative User Audit (AUDIT.ADMIN): It is important to audit administrative actions performed by the SYS user. Traditional audit policies do not apply to SYS, so the AUDIT_SYS_OPERATIONS parameter must be set to record SYS actions to a separate audit trail. Beginning with Oracle 12c, the same Unified Audit policies can be applied to SYS that are used to monitor other users.

Privilege Management Audit (AUDIT.PRIVMGMT): Granting additional privileges to users or roles potentially affects most security protections and should be audited. Each action or privilege listed here should be included in at least one enabled audit policy.

Account Management Audit (AUDIT.ACCTMGMT): Creation of new user accounts or modification of existing accounts can be used to gain access to the privileges of those accounts and should be audited. Each action or privilege listed here should be included in at least one enabled audit policy.


Actions that affect the management of database features should always be audited. Each action or privilege listed here should be included in at least one enabled audit policy.

Usage of powerful system privileges should always be audited. Each privilege listed here should be included in at least one enabled audit policy.

Successful user connections to the database should be audited to assist with future forensic analysis. Unsuccessful connection attempts can provide early warning of an attacker's attempt to gain access to the database.

Fine Grained Audit policies can record highly specific activity, such as access to particular table columns or access that occurs under specified conditions. This is a useful way to monitor unexpected data access while avoiding unnecessary audit records that correspond to normal activity.

Unified Audit, available in Oracle Database 12.1 and later releases, combines multiple audit trails into a single unified view. It also introduces new syntax for specifying effective audit policies.
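As an added example (not part of the report), the following Unified Audit and Fine Grained Audit policies cover the audit findings discussed above (privilege grants, account and role management, powerful system privileges, logons, and column-level access) and apply the unified policy to SYS as well as to all other users. The policy names, the HR.EMPLOYEES table, its SALARY column and the HR_APP account are hypothetical.

```sql
-- Added example, not from the report; names are hypothetical.
CREATE AUDIT POLICY dbsat_admin_actions
    ACTIONS    GRANT, REVOKE,
               CREATE USER, ALTER USER, DROP USER,
               CREATE ROLE, ALTER ROLE, DROP ROLE, SET ROLE,
               ALTER SYSTEM, ALTER DATABASE
    PRIVILEGES GRANT ANY PRIVILEGE, GRANT ANY ROLE, BECOME USER,
               SELECT ANY TABLE, ALTER ANY TABLE, EXEMPT ACCESS POLICY;

-- LOGON records both successful and failed connection attempts.
CREATE AUDIT POLICY dbsat_logons ACTIONS LOGON, LOGOFF;

AUDIT POLICY dbsat_admin_actions;          -- every user, success and failure
AUDIT POLICY dbsat_admin_actions BY SYS;   -- 12c: the same policy also records SYS
AUDIT POLICY dbsat_logons;

-- Fine Grained Audit: only statements that read SALARY from an account
-- other than the application's own user produce a record.
BEGIN
    DBMS_FGA.ADD_POLICY(
        object_schema   => 'HR',
        object_name     => 'EMPLOYEES',
        policy_name     => 'FGA_SALARY_READS',
        audit_column    => 'SALARY',
        audit_condition => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') <> ''HR_APP''',
        statement_types => 'SELECT');
END;
/

-- Verify: what each policy audits, and to whom it is applied.
SELECT policy_name, audit_option, audit_option_type
FROM   audit_unified_policies
WHERE  policy_name LIKE 'DBSAT%'
ORDER  BY policy_name, audit_option;

SELECT policy_name, enabled_opt, user_name, success, failure
FROM   audit_unified_enabled_policies
WHERE  policy_name LIKE 'DBSAT%';
```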

Database Configuration

Remarks


When O7_DICTIONARY_ACCESSIBILITY is set to FALSE, tables owned by SYS are not affected by the ANY TABLE system privileges. This parameter should always be set to FALSE because tables owned by SYS control the overall state of the database and should not be subject to manipulation by users with ANY TABLE privileges.

When SQL92_SECURITY is set to TRUE, UPDATE and DELETE statements that refer to a column in their WHERE clauses will succeed only when the user has the privilege to SELECT from the same column. This parameter should be set to TRUE so that this requirement is enforced in order to prevent users from inferring the value of a column which they do not have the privilege to view.

Name                               Value
---------------------------------  --------------------------------
AUDIT_FILE_DEST                    /u01/app/oracle/admin/orcl/adump
AUDIT_SYSLOG_LEVEL
AUDIT_SYS_OPERATIONS               TRUE
AUDIT_TRAIL                        DB
COMPATIBLE                         12.1.0.2.0
DBFIPS_140                         FALSE
DISPATCHERS                        (PROTOCOL=TCP) (SERVICE=orclXDB)
GLOBAL_NAMES                       FALSE
LDAP_DIRECTORY_ACCESS              NONE
LDAP_DIRECTORY_SYSAUTH             no
O7_DICTIONARY_ACCESSIBILITY        FALSE
OS_AUTHENT_PREFIX                  ops$
OS_ROLES                           FALSE
PDB_LOCKDOWN
PDB_OS_CREDENTIAL
REMOTE_LISTENER
REMOTE_LOGIN_PASSWORDFILE          EXCLUSIVE
REMOTE_OS_AUTHENT                  FALSE
REMOTE_OS_ROLES                    FALSE
RESOURCE_LIMIT                     TRUE
SEC_CASE_SENSITIVE_LOGON           TRUE
SEC_MAX_FAILED_LOGIN_ATTEMPTS      3
SEC_PROTOCOL_ERROR_FURTHER_ACTION  (DROP,3)
SEC_PROTOCOL_ERROR_TRACE_ACTION    TRACE
SEC_RETURN_SERVER_RELEASE_BANNER   FALSE
SQL92_SECURITY                     FALSE
UNIFIED_AUDIT_SGA_QUEUE_SIZE       1048576
UTL_FILE_DIR


The SEC_PROTOCOL_ERROR parameters control the database server's response when it receives malformed network packets from a client. Because these malformed packets may indicate an attempted attack by a malicious client, the parameters should be set to log the incident and terminate the connection.

SEC_RETURN_SERVER_RELEASE_BANNER should be set to FALSE to limit the information that is returned to an unauthenticated client, which could be used to help determine the server's vulnerability to a remote attack.

The OS_ROLES and REMOTE_OS_ROLES parameters determine whether roles granted to users are controlled by GRANT statements in the database or by the operating system environment. Both parameters should be set to FALSE so that the authorizations of database users are managed by the database itself.

The UTL_FILE_DIR parameter controls which part of the server's file system can be accessed by PL/SQL code. Note that as the directories specified in the UTL_FILE_DIR parameter may be accessed by any database user, it should be set to specify one or more safe directories that do not contain restricted files such as the configuration or data files for the database. For maximum security, use directory objects which allow finer grained control of access, rather than relying on this parameter.
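As an added example (not part of the report), the following query compares the live instance against the parameter recommendations in the remarks above and flags deviations; in the parameter table above, SQL92_SECURITY is FALSE while the remark calls for TRUE, and the last statement corrects it. The expected-value list is assembled here from the remarks; run it as a DBA.

```sql
-- Added example, not from the report. Expected values come from the
-- remarks in this section; v$parameter names are lowercase.
WITH expected (name, want) AS (
  SELECT 'o7_dictionary_accessibility',       'FALSE'    FROM dual UNION ALL
  SELECT 'sql92_security',                    'TRUE'     FROM dual UNION ALL
  SELECT 'os_roles',                          'FALSE'    FROM dual UNION ALL
  SELECT 'remote_os_roles',                   'FALSE'    FROM dual UNION ALL
  SELECT 'sec_return_server_release_banner',  'FALSE'    FROM dual UNION ALL
  SELECT 'sec_protocol_error_trace_action',   'TRACE'    FROM dual UNION ALL
  SELECT 'sec_protocol_error_further_action', '(DROP,3)' FROM dual UNION ALL
  SELECT 'audit_sys_operations',              'TRUE'     FROM dual
)
SELECT e.name,
       e.want,
       p.value AS actual,
       CASE WHEN UPPER(TRIM(p.value)) = e.want THEN 'OK' ELSE 'FIX' END AS status
FROM   expected e
JOIN   v$parameter p ON p.name = e.name
ORDER  BY status DESC, e.name;

-- An empty UTL_FILE_DIR is the desired state (use directory objects
-- instead); this returns a row only if something is set.
SELECT name, value
FROM   v$parameter
WHERE  name = 'utl_file_dir' AND value IS NOT NULL;

-- SQL92_SECURITY is a static parameter: change it in the SPFILE and
-- it takes effect at the next instance restart.
ALTER SYSTEM SET sql92_security = TRUE SCOPE = SPFILE;
```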

A trigger is code that executes whenever a specific event occurs, such as inserting data in a table or connecting to the database. Disabled triggers are a potential cause for concern because whatever protection or monitoring they may be expected to provide is not active.

Constraints are used to enforce and guarantee specific relationships between data items stored in the database. Disabled constraints are a potential cause for concern because the conditions they ensure are not enforced.


External procedures allow code written in other languages to be executed from PL/SQL. Note that modifications to external code cannot be controlled by the database. Be careful to ensure that only trusted code libraries are available to be executed. Although the database can spawn its own process to execute the external procedure, it is advisable to configure a listener service for this purpose so that the external code can run as a less-privileged OS user. The listener configuration should set EXTPROC_DLLS to identify the specific shared library code that can be executed rather than using the default value ANY.

Directory objects allow access to the server's file system from PL/SQL code within the database. Access to files that are used by the database kernel itself should not be permitted, as this may alter the operation of the database and bypass its access controls.

Database links allow users to execute SQL statements that access tables in other databases. This allows for both querying and storing data on the remote database.

Network ACLs control the external servers that database users can access using network packages such as UTL_TCP and UTL_HTTP. Specifically, a database user needs the connect privilege to an external network host computer if he or she is connecting using the UTL_TCP, UTL_HTTP, UTL_SMTP, and UTL_MAIL utility packages. To convert between a host name and its IP address using the UTL_INADDR package, the resolve privilege is required. Make sure that these permissions are limited to the minimum required by each user.
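As an added example (not part of the report), the following grants a hypothetical APP_USER the minimum network ACL privileges described above (connect to one host and port, plus resolve) using the 12c host ACE API, creates a directory object scoped to one path instead of relying on UTL_FILE_DIR, and then runs the queries an assessor uses to review both. The host name, paths and account are placeholders.

```sql
-- Added example, not from the report; host, paths and user are placeholders.
BEGIN
    -- APP_USER may open TCP connections to one host on one port only;
    -- no other user gains any network privilege from this.
    DBMS_NETWORK_ACL_ADMIN.APPEND_HOST_ACE(
        host       => 'api.example.internal',
        lower_port => 443,
        upper_port => 443,
        ace        => xs$ace_type(privilege_list => xs$name_list('connect'),
                                  principal_name => 'APP_USER',
                                  principal_type => xs_acl.ptype_db));
    -- Name resolution through UTL_INADDR needs the separate resolve
    -- privilege, which takes no port range.
    DBMS_NETWORK_ACL_ADMIN.APPEND_HOST_ACE(
        host => 'api.example.internal',
        ace  => xs$ace_type(privilege_list => xs$name_list('resolve'),
                            principal_name => 'APP_USER',
                            principal_type => xs_acl.ptype_db));
END;
/

-- A directory object limited to one export path; only explicit grantees
-- can use it, unlike UTL_FILE_DIR which is open to every database user.
CREATE DIRECTORY app_export AS '/u01/app/exports';
GRANT READ, WRITE ON DIRECTORY app_export TO app_user;

-- Review 1: which principal can reach which host, and with what privilege.
SELECT host, lower_port, upper_port, principal, privilege, grant_type
FROM   dba_host_aces
ORDER  BY host, principal;

-- Review 2: directory objects that point at database files. The path
-- patterns are an assumption about this server's layout; adjust them.
SELECT d.directory_name, d.directory_path, p.grantee, p.privilege
FROM   dba_directories d
LEFT JOIN dba_tab_privs p ON p.table_name = d.directory_name
WHERE  d.directory_path LIKE '%/oradata/%'
   OR  d.directory_path LIKE '%/dbs/%';
```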


XML ACLs control access to database resources using the XML DB feature. Every resource in the Oracle XML DB Repository hierarchy has an associated ACL. The ACL mechanism specifies a privilege-based access control for resources to principals, which are database users or roles. Whenever a resource is accessed, a security check is performed, and the ACL determines if the requesting user has sufficient privileges to access the resource. Make sure that these privileges are limited to the minimum required by each user.

Network Configuration

Remarks

Network encryption protects the confidentiality and integrity of communication between the database server and its clients. Either Native Encryption or TLS should be enabled. For Native Encryption, both ENCRYPTION_SERVER and CRYPTO_CHECKSUM_SERVER should be set to REQUIRED. If TLS is used, TCPS should be specified for all network ports and SSL_CERT_REVOCATION should be set to REQUIRED.

TCP.VALIDNODE_CHECKING should be enabled to control which client nodes can connect to the database server. Either a whitelist of client nodes allowed to connect (TCP.INVITED_NODES) or a blacklist of nodes that are not allowed (TCP.EXCLUDED_NODES) may be specified. Configuring both lists is an error; only the invited node list will be used in this case.

These banner messages are used to warn connecting users that unauthorized access is not permitted and that their activities may be audited.


These parameters are used to limit changes to the network listener configuration. One of the following restrictions should be implemented: (a) prevent changes by disabling DYNAMIC_REGISTRATION, (b) limit the nodes that can make changes by enabling VALID_NODE_CHECKING_REGISTRATION, or (c) limit the network sources for changes using the COST parameters SECURE_PROTOCOL, SECURE_CONTROL, and SECURE_REGISTER.

This parameter enables logging of listener activity. Log information can be useful for troubleshooting and to provide early warning of attempted attacks.

Operating System

Remarks

OS authentication allows operating system users within the specified user group to connect to the database with administrative privileges. This shows the OS group names and users that can exercise each administrative privilege.

The PMON process monitors user processes and frees resources when they terminate. This process should run with the user ID of the ORACLE_HOME owner.

Agent processes are used by Oracle Enterprise Manager to monitor and manage the database. These processes should run with a user ID separate from the database and listener processes.

Listener processes accept incoming network connections and connect them to the appropriate database server process. These processes should run with a user ID separate from the database and agent processes.


This report is focused on detecting areas of potential security vulnerabilities or misconfigurations and providing recommendations on how to mitigate those potential vulnerabilities.

The report provides a view on the current status. These recommendations are provided for informational purposes only and should not be used as a substitute for a thorough analysis or interpreted to contain any legal or regulatory advice or guidance.

You are solely responsible for your system, and the data and information gathered during the production of this report. You are also solely responsible for the execution of software to produce this report, and for the effect and results of the execution of any mitigating actions identified herein.

Oracle provides this analysis on an "as is" basis without warranty of any kind and Oracle hereby disclaims all warranties and conditions whether express, implied or statutory.