USR_DFLT_TBSPC_NAME
POLICY
Default Table Space
USR_DFLT_TBSPC_DESC
POLICY
Ensures users are not assigned SYSTEM or SYSAUX as their default tablespace
USR_DFLT_TBSPC_IMPACT
POLICY
User objects are created in the user's default tablespace. A default tablespace of SYSTEM or SYSAUX lets an ordinary user's objects consume all the free space of the data dictionary tablespace, which can stop the database from working.
USR_DFLT_TBSPC_RECOMM
POLICY
Reassign the tablespace of users having SYSTEM or SYSAUX defined as their default tablespace.
USR_TEMP_TABSPC_NAME
POLICY
User Temporary Table Space
USR_TEMP_TABSPC_DESC
POLICY
Ensures users are not assigned SYSTEM or SYSAUX as their temporary tablespace
USR_TEMP_TABSPC_IMPACT
POLICY
The user's temporary objects are created in the temporary tablespace. An incorrectly set temporary tablespace (SYSTEM or SYSAUX) for a user can consume all available space thus causing the database to stop working.
USR_TEMP_TABSPC_RECOMM
POLICY
Reassign the tablespace of users having SYSTEM or SYSAUX defined as their default temporary tablespace.
TABLESPACE_QUOTA_NAME
POLICY
Unlimited Tablespace Quota
TABLESPACE_QUOTA_DESC
POLICY
Ensures database users are allocated a limited tablespace quota
TABLESPACE_QUOTA_IMPACT
POLICY
Granting an unlimited tablespace quota lets a single user fill the allocated disk space, which can leave the database unresponsive.
TABLESPACE_QUOTA_REOMM
POLICY
For users with an unlimited tablespace quota, reallocate their tablespace quotas to a specific limit.
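Worked example, added here and not part of the Oracle policy text: the queries below implement the three tablespace checks above (default tablespace, temporary tablespace, unlimited quota) and the corresponding remediation. The tablespace names USERS and TEMP, the account APP_USER and the 500M quota are placeholders; the checks need SELECT on the DBA_* views (for example through SELECT_CATALOG_ROLE).

```sql
-- Added example (not part of the original policy text). USERS, TEMP,
-- APP_USER and 500M are placeholders; substitute what exists on your database.

-- 1. Users whose default or temporary tablespace is SYSTEM or SYSAUX.
--    SYS and SYSTEM legitimately live in SYSTEM and are excluded.
SELECT username, default_tablespace, temporary_tablespace
  FROM dba_users
 WHERE (default_tablespace   IN ('SYSTEM', 'SYSAUX')
     OR temporary_tablespace IN ('SYSTEM', 'SYSAUX'))
   AND username NOT IN ('SYS', 'SYSTEM');

-- 2. Unlimited quotas come from two places: the UNLIMITED TABLESPACE system
--    privilege (granted directly, or, before 12c, as a side effect of granting
--    RESOURCE), and a per-tablespace quota of UNLIMITED, which DBA_TS_QUOTAS
--    reports as MAX_BYTES = -1. Grantees may be roles (e.g. DBA) as well as users.
SELECT grantee, privilege AS detail, 'system privilege' AS source
  FROM dba_sys_privs
 WHERE privilege = 'UNLIMITED TABLESPACE'
UNION ALL
SELECT username, tablespace_name, 'quota UNLIMITED'
  FROM dba_ts_quotas
 WHERE max_bytes = -1;

-- 3. Remediation for one offending account.
ALTER USER app_user DEFAULT TABLESPACE users;
ALTER USER app_user TEMPORARY TABLESPACE temp;
REVOKE UNLIMITED TABLESPACE FROM app_user;
ALTER USER app_user QUOTA 500M ON users;

-- 4. Stop the problem recurring: set the database-wide defaults so that a
--    CREATE USER without explicit clauses lands outside SYSTEM.
ALTER DATABASE DEFAULT TABLESPACE users;
ALTER DATABASE DEFAULT TEMPORARY TABLESPACE temp;
```

Moving a user's default tablespace does not move objects that already exist in SYSTEM; those have to be relocated separately (ALTER TABLE ... MOVE, ALTER INDEX ... REBUILD) before the SYSTEM tablespace stops growing.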
AUDIT_FILE_DEST_NAME
POLICY
Audit File Destination
AUDIT_FILE_DEST_NAME_NT
POLICY
Audit File Destination (Windows)
AUDIT_FILE_DEST_DESC
POLICY
Ensures that access to the audit files directory is restricted to the owner of the Oracle software set and the DBA group.
AUDIT_FILE_DEST_IMPACT
POLICY
The AUDIT_FILE_DEST initialization parameter specifies the directory where the Oracle auditing facility creates the audit files. Giving public read permission to this directory may reveal important information such as logging information of startup, shutdown, and privileged connections.
AUDIT_FILE_DEST_RECOMM
POLICY
Restrict permissions to the Audit File directory to the owner of the Oracle software set and DBA group. Do not give read, write, and execute permissions to public.
USER_DUMP_DEST_NAME
POLICY
User Dump Destination
USER_DUMP_DEST_NAME_NT
POLICY
User Dump Destination (Windows)
USER_DUMP_DEST_DESC
POLICY
Ensures that access to the trace files directory is restricted to the owner of the Oracle software set and the DBA group
USER_DUMP_DEST_IMPACT
POLICY
The trace files for server processes are stored in the directory specified by the USER_DUMP_DEST initialization parameter. Giving public read permission to this directory may reveal important and sensitive internal details of the database and applications.
USER_DUMP_DEST_RECOMM
POLICY
Restrict permissions to the user dump directory to the owner of the Oracle software set and DBA group. Do not give read, write, and execute permissions to public.
BKGRND_DUMP_DEST_NAME
POLICY
Background Dump Destination
BKGRND_DUMP_DEST_NAME_NT
POLICY
Background Dump Destination (Windows)
BKGRND_DUMP_DEST_DESC
POLICY
Ensures that access to the trace files directory is restricted to the owner of the Oracle software set and the DBA group
BKGRND_DUMP_DEST_IMPACT
POLICY
Background processes such as the log writer process and the database writer process use trace files to record occurrences and exceptions of database operations, as well as errors. The trace files are stored in the directory specified by the BACKGROUND_DUMP_DEST initialization parameter. Giving public read permission to this directory may reveal important and sensitive internal details of the database and applications.
BKGRND_DUMP_DEST_RECOMM
POLICY
Restrict permissions to the background dump directory to the owner of the Oracle software set and DBA group. Do not give read, write, and execute permissions to public.
CORE_DUMP_DEST_NAME
POLICY
Core Dump Destination
CORE_DUMP_DEST_NAME_NT
POLICY
Core Dump Destination (Windows)
CORE_DUMP_DEST_DESC
POLICY
Ensures that access to the core dump files directory is restricted to the owner of the Oracle software set and the DBA group
CORE_DUMP_DEST_IMPACT
POLICY
Core dump files are stored in the directory specified by the CORE_DUMP_DEST initialization parameter. A public read privilege on this directory could expose sensitive information from the core dump files.
CORE_DUMP_DEST_RECOMM
POLICY
Restrict permissions to the core dump directory to the owner of the Oracle software set and DBA group. Do not give read, write, and execute permissions to public.
CONTROL_FILES_NAME
POLICY
Control File Permission
CONTROL_FILES_NAME_NT
POLICY
Control File Permission (Windows)
CONTROL_FILES_DESC
POLICY
Ensures that access to the control files directory is restricted to the owner of the Oracle software set and the DBA group
CONTROL_FILES_IMPACT
POLICY
Control files are binary files that record the physical structure of the database (datafile and redo log locations, checkpoint and log sequence information) and must be readable for the database to open. Control files are stored in the locations specified by the CONTROL_FILES initialization parameter. A public write privilege on this directory could pose a serious security risk.
CONTROL_FILES_RECOMM
POLICY
Restrict permissions to the control files directory to the owner of the Oracle software set and DBA group. Do not give read and write permissions to public.
OH_DATAFILES_PERM_NAME
POLICY
Oracle Home Datafile Permission
OH_DATAFILES_PERM_NAME_NT
POLICY
Oracle Home Datafile Permission (Windows)
OH_DATAFILES_PERM_DESC
POLICY
Ensures that access to the datafiles is restricted to the owner of the Oracle software set and the DBA group
OH_DATAFILES_PERM_IMPACT
POLICY
The datafiles contain all the database data. If datafiles are readable to public, they can be read by a user who has no database privileges on the data.
OH_DATAFILES_PERM_RECOMM
POLICY
Restrict permissions to the datafiles to the owner of the Oracle software set and DBA group. Do not give read and write permissions to public.
OH_SPFILE_PERM_NAME
POLICY
Server Parameter File Permission
OH_SPFILE_PERM_NAME_NT
POLICY
Server Parameter File Permission (Windows)
OH_SPFILE_PERM_DESC
POLICY
Ensures that access to the server parameter file is restricted to the owner of the Oracle software set and the DBA group
OH_SPFILE_PERM_IMPACT
POLICY
A server parameter file (SPFILE) lets you store and manage your initialization parameters persistently in a server-side disk file. A publicly accessible SPFILE can be scanned for sensitive initialization parameters exposing the security policies of the database. The SPFILE can also be searched for the weaknesses of the Oracle database configuration setting.
OH_SPFILE_PERM_RECOMM
POLICY
Restrict permissions to the server parameter file (SPFILE) to the owner of the Oracle software set and DBA group. Do not give read and write permissions to public.
OH_INITORA_PERM_NAME
POLICY
Initialization Parameter File Permission
OH_INITORA_PERM_NAME_NT
POLICY
Initialization Parameter File Permission (Windows)
OH_INITORA_PERM_DESC
POLICY
Ensures that access to the initialization parameter file is restricted to the owner of the Oracle software set and the DBA group
OH_INITORA_PERM_IMPACT
POLICY
Oracle traditionally stores initialization parameters in a text initialization parameter file. A publicly accessible initialization parameter file can be scanned for sensitive initialization parameters exposing the security policies of the database. The file can also be searched for weaknesses in the Oracle database configuration settings.
OH_INITORA_PERM_RECOMM
POLICY
Restrict permissions to the initialization parameter file to the owner of the Oracle software set and DBA group. Do not give read and write permissions to public.
OH_IFILE_PERM_NAME
POLICY
IFILE Referenced File Permission
OH_IFILE_PERM_NAME_NT
POLICY
IFILE Referenced File Permission (Windows)
OH_IFILE_PERM_DESC
POLICY
Ensures that access to the files referenced by the IFILE parameter is restricted to the owner of the Oracle software set and the DBA group
OH_IFILE_PERM_IMPACT
POLICY
The IFILE initialization parameter can be used to embed the contents of another initialization parameter file into the current initialization parameter file. A publicly accessible initialization parameter file can be scanned for sensitive initialization parameters exposing the security policies of the database. The initialization parameter file can also be searched for weaknesses in the Oracle database configuration settings.
OH_IFILE_PERM_RECOMM
POLICY
Restrict permissions to the files referenced by the IFILE initialization parameter file to the owner of the Oracle software set and DBA group. Do not give read, write, and execute permissions to public.
OH_BIN_FILE_OWNER_NAME
POLICY
Oracle Home Executable Files Owner
OH_BIN_FILE_OWNER_DESC
POLICY
Ensures that the ownership of all files and directories in the ORACLE_HOME/bin folder is the same as the Oracle software installation owner
OH_BIN_FILE_OWNER_IMPACT
POLICY
If an executable in ORACLE_HOME/bin is owned by an account other than the software owner, that account can replace it. The replaced binary then runs with the privileges of whoever invokes it, and in the case of the setuid oracle executable with the privileges of the Oracle software owner itself.
OH_BIN_FILE_OWNER_RECOMM
POLICY
For files and directories in the ORACLE_HOME/bin folder that do not have the same owner as the Oracle software installation, change their owner to the installation owner.
EXE_FILE_PERM_NAME
POLICY
Oracle Home Executable Files Permission
EXE_FILE_PERM_NAME_NT
POLICY
Oracle Home Executable Files Permission (Windows)
EXE_FILE_PERM_DESC
POLICY
Ensures that all files in the ORACLE_HOME/bin folder do not have public write permission
EXE_FILE_PERM_IMPACT
POLICY
A publicly writable executable in ORACLE_HOME/bin can be replaced by any local user with a trojaned binary that runs with the privileges of whoever invokes it, including the setuid oracle executable, which runs as the Oracle software owner.
EXE_FILE_PERM_RECOMM
POLICY
Restrict permissions to all files in the ORACLE_HOME/bin to the owner of the Oracle software set and DBA group. Do not give write permission to public.
OH_FILEPERM_NAME
POLICY
Oracle Home File Permission
OH_FILEPERM_NAME_NT
POLICY
Oracle Home File Permission (Windows)
OH_FILEPERM_DESC
POLICY
Ensures that all files in the ORACLE_HOME directories (except for ORACLE_HOME/bin) do not have public read, write and execute permissions
OH_FILEPERM_IMPACT
POLICY
Files under ORACLE_HOME include configuration files (for example listener.ora, sqlnet.ora, tnsnames.ora) and scripts that may contain credentials. Public read permission exposes that information; public write permission lets any local user alter network or startup configuration and thereby gain access to the database.
OH_FILEPERM_RECOMM
POLICY
Restrict permissions to all files in the ORACLE_HOME directories (except for ORACLE_HOME/bin) to the owner of the Oracle software set and DBA group. Do not give read, write, and execute permissions to public.
LOG_ARCH_DEST_NAME
POLICY
Log Archive Destination Permission
LOG_ARCH_DEST_NAME_NT
POLICY
Log Archive Destination Permission (Windows)
LOG_ARCH_DEST_DESC
POLICY
Ensures that the server's archive logs are not accessible to public
LOG_ARCH_DEST_IMPACT
POLICY
LogMiner can be used to extract database information from the archive logs if the directory specified by LOG_ARCHIVE_DEST parameter (in init.ora file) is not owned by the owner of the Oracle software installation or has permissions for others.
LOG_ARCH_DEST_RECOMM
POLICY
Permissions of the directory specified by LOG_ARCHIVE_DEST parameter should be restricted to the owner of the Oracle software set and DBA group with no permissions to public.
LOG_ARCH_DEST_OWNER_NAME
POLICY
Log Archive Destination Owner
LOG_ARCH_DEST_OWNER_DESC
POLICY
Ensures that the server's archive logs directory is a valid directory owned by Oracle software owner
LOG_ARCH_DEST_OWNER_IMPACT
POLICY
LogMiner can be used to extract database information from the archive logs if the directory specified by LOG_ARCHIVE_DEST parameter (in init.ora file) is not owned by the owner of the Oracle software installation or has permissions for others.
LOG_ARCH_DEST_OWNER_RECOMM
POLICY
The directory specified by the LOG_ARCHIVE_DEST parameter should be owned by the owner of the Oracle software installation.
LOG_ARCHV_DUP_PERM_NAME
POLICY
Log Archive Duplex Destination Permission
LOG_ARCHV_DUP_PERM_NAME_NT
POLICY
Log Archive Duplex Destination Permission (Windows)
LOG_ARCHV_DUP_PERM_DESC
POLICY
Ensures that the server's archive logs are not accessible to public
LOG_ARCHV_DUP_PERM_IMPACT
POLICY
LogMiner can be used to extract database information from the archive logs if the directory specified by LOG_ARCHIVE_DUPLEX_DEST parameter (in init.ora file) is not owned by the owner of the Oracle software installation or has permissions for others.
LOG_ARCHV_DUP_PERM_RECOMM
POLICY
Permissions of the directory specified by LOG_ARCHIVE_DUPLEX_DEST parameter should be restricted to the owner of the Oracle software set and DBA group with no permissions to public.
LOG_ARCHV_DUP_OWNER_NAME
POLICY
Log Archive Duplex Destination Owner
LOG_ARCHV_DUP_OWNER_DESC
POLICY
Ensures that the server's archive logs directory is a valid directory owned by Oracle software owner
LOG_ARCHV_DUP_OWNER_IMPACT
POLICY
LogMiner can be used to extract database information from the archive logs if the directory specified by LOG_ARCHIVE_DUPLEX_DEST parameter (in init.ora file) is not owned by the owner of the Oracle software installation or has permissions for others.
LOG_ARCHV_DUP_OWNER_RECOMM
POLICY
The directory specified by the LOG_ARCHIVE_DUPLEX_DEST parameter should be owned by the owner of the Oracle software installation.
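Added example, not from the original policy text: the file and directory permission policies above (audit, dump, control, data, parameter and archive log locations) all refer to paths the database itself knows. The query below enumerates them from V$PARAMETER and the file views so that the OS-level check (ls -ld on UNIX, icacls on Windows) can be scripted over a complete list rather than guesses. On 11g and later the USER_DUMP_DEST, BACKGROUND_DUMP_DEST and CORE_DUMP_DEST parameters are ignored and trace, core and alert files live under DIAGNOSTIC_DEST, so that parameter is included; LOCATION=USE_DB_RECOVERY_FILE_DEST resolves to DB_RECOVERY_FILE_DEST, also included. It needs SELECT on the V$ views.

```sql
-- Added example (not part of the original policy text): inventory of the
-- OS paths the permission policies apply to. Requires SELECT on V$ views.

-- Directory-valued parameters; unset ones are skipped.
SELECT name, value AS path
  FROM v$parameter
 WHERE name IN ('audit_file_dest', 'user_dump_dest', 'background_dump_dest',
                'core_dump_dest', 'diagnostic_dest', 'db_recovery_file_dest',
                'spfile', 'ifile',
                'log_archive_dest', 'log_archive_duplex_dest')
   AND value IS NOT NULL
UNION ALL
-- LOG_ARCHIVE_DEST_n values look like 'LOCATION=/u01/arch MANDATORY';
-- keep only the path after LOCATION=.
SELECT name,
       REGEXP_REPLACE(value, '^.*LOCATION=([^ ]+).*$', '\1', 1, 0, 'i')
  FROM v$parameter
 WHERE name LIKE 'log_archive_dest_%'
   AND UPPER(value) LIKE '%LOCATION=%'
UNION ALL
-- Control files (one row per file; CONTROL_FILES itself is a comma list),
-- datafiles, tempfiles and online redo log members.
SELECT 'control file',    name   FROM v$controlfile
UNION ALL
SELECT 'datafile',        name   FROM v$datafile
UNION ALL
SELECT 'tempfile',        name   FROM v$tempfile
UNION ALL
SELECT 'online redo log', member FROM v$logfile
ORDER BY 1, 2;
```

Spool the result to a file and feed each path to the permission check; the expected result on UNIX is ownership by the software owner, group set to the DBA group, and no bits for others (for example mode 750 on directories and 640 on datafiles, control files and the SPFILE).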
LOG_ARCHIVE_START_NAME
POLICY
Use of Automatic Log Archival Features
LOG_ARCHIVE_START_DESC
POLICY
Ensures that archiving of redo logs is done automatically and prevents suspension of instance operations when redo logs fill. Only applicable if database is in archivelog mode
LOG_ARCHIVE_START_IMPACT
POLICY
Setting the LOG_ARCHIVE_START initialization parameter to TRUE ensures that the archiving of redo logs is done automatically and prevents suspension of instance operations when redo logs fill. This feature is only applicable if the database is in archivelog mode.
LOG_ARCHIVE_START_RECOMM
POLICY
Set the LOG_ARCHIVE_START initialization parameter to TRUE. On Oracle Database 10g and later the parameter is obsolete: archiving is automatic whenever the database runs in ARCHIVELOG mode.
UTL_FILE_NAME
POLICY
Utility File Directory Initialization Parameter Setting
UTL_FILE_DESC
POLICY
Ensures that the Utility File Directory (UTL_FILE_DIR) initialization parameter is not set to one of '*', '.', core dump trace file locations
UTL_FILE_IMPACT
POLICY
Specifies the directories which the UTL_FILE package can access. Having the parameter set to asterisk (*), period (.), or to sensitive directories, could expose them to all users having execute privilege on the UTL_FILE package.
UTL_FILE_RECOMM
POLICY
Change the UTL_FILE_DIR initialization parameter to a value other than asterisk (*), or period (.), or to core dump trace locations.
UTL_FILE_9IPLUS_NAME
POLICY
Utility File Directory Initialization Parameter Setting in Oracle9i Release 1 and Later
UTL_FILE_9IPLUS_DESC
POLICY
Ensure that the UTL_FILE_DIR initialization parameter is not used in Oracle9i Release 1 and later
UTL_FILE_9IPLUS_IMPACT
POLICY
Specifies the directories which UTL_FILE package can access. Having the parameter set to asterisk (*), period (.), or to sensitive directories could expose them to all users having execute privilege on UTL_FILE package.
UTL_FILE_9IPLUS_RECOMM
POLICY
For Oracle9i Release 1 and later, remove the UTL_FILE_DIR initialization parameter and use the CREATE DIRECTORY feature instead; the parameter is desupported in Oracle Database 18c.
OS_AUTH_PRFX_DOM_NAME
POLICY
Use of Windows NT Domain Prefix
OS_AUTH_PRFX_DOM_DESC
POLICY
Ensures externally identified users specify the domain while connecting
OS_AUTH_PRFX_DOM_IMPACT
POLICY
This setting is only applicable to Windows systems. If externally identified accounts are required, setting OSAUTH_PREFIX_DOMAIN to TRUE in the registry forces the account to specify the domain. This prevents spoofing of user access from an alternate domain or local system.
OS_AUTH_PRFX_DOM_RECOMM
POLICY
For externally identified users on Windows systems, set the OSAUTH_PREFIX_DOMAIN registry parameter to TRUE.
PWD_LOCK_TIME_NAME
POLICY
Password Locking Time
PWD_LOCK_TIME_DESC
POLICY
Ensures PASSWORD_LOCK_TIME is set to a reasonable number of days for all profiles
PWD_LOCK_TIME_IMPACT
POLICY
A low value lets an attacker resume password guessing almost as soon as the account locks, so the lockout adds little protection against brute-force attacks. A very high value, on the other hand, lets an attacker lock legitimate users out for long periods (denial of service).
PWD_LOCK_TIME_RECOMM
POLICY
Set the PASSWORD_LOCK_TIME parameter to no less than 1 for all the profiles.
MIN_PWD_LOCK_TIME_PNAME
POLICY
MIN_PASSWORD_LOCK_TIME
PWD_GRACE_TIME_NAME
POLICY
Password Grace Time
PWD_GRACE_TIME_DESC
POLICY
Ensures that all profiles have PASSWORD_GRACE_TIME set to a reasonable number of days
PWD_GRACE_TIME_IMPACT
POLICY
PASSWORD_GRACE_TIME is the number of days after a password expires during which the old password still works. A high value may cause serious database security issues by allowing the user to keep the same, already expired, password for a long time.
PWD_GRACE_TIME_RECOMM
POLICY
Set the PASSWORD_GRACE_TIME parameter to no more than 7 days for all profiles.
MAX_PWD_GRACE_TIME_PNAME
POLICY
MAX_PASSWORD_GRACE_TIME
PWD_LIFE_TIME_NAME
POLICY
Password Life Time
PWD_LIFE_TIME_DESC
POLICY
Ensures that all profiles have PASSWORD_LIFE_TIME set to a reasonable number of days
PWD_LIFE_TIME_IMPACT
POLICY
A long password lifetime gives an attacker a long time to crack the password, and may cause serious database security issues.
PWD_LIFE_TIME_RECOMM
POLICY
Set the PASSWORD_LIFE_TIME parameter to no more than 180 days for all profiles.
MAX_PWD_LIFE_TIME_PNAME
POLICY
MAX_PASSWORD_LIFE_TIME
PWD_REUSE_MAX_NAME
POLICY
Password Reuse Max
PWD_REUSE_MAX_DESC
POLICY
Ensures that all profiles have PASSWORD_REUSE_MAX set to a reasonable number of times
PWD_REUSE_MAX_IMPACT
POLICY
Old passwords are usually the best guesses for the current password. A low value for the PASSWORD_REUSE_MAX parameter may cause serious database security issues by allowing users to reuse their old passwords more often.
PWD_REUSE_MAX_RECOMM
POLICY
Set the PASSWORD_REUSE_MAX parameter to UNLIMITED for all profiles, with PASSWORD_REUSE_TIME set to an integer. The two parameters work as a pair: an integer for one and UNLIMITED for the other means a password can never be reused, whereas UNLIMITED for both means the database ignores both and any old password can be reused.
MIN_PWD_REUSE_MAX_PNAME
POLICY
MIN_PASSWORD_REUSE_MAX
PWD_REUSE_TIME_NAME
POLICY
Password Reuse Time
PWD_REUSE_TIME_DESC
POLICY
Ensures that all profiles have PASSWORD_REUSE_TIME set to a reasonable number of days
PWD_REUSE_TIME_IMPACT
POLICY
A low value for the PASSWORD_REUSE_TIME parameter may cause serious database security issues by allowing users to reuse their old passwords more often.
PWD_REUSE_TIME_RECOMM
POLICY
Set the PASSWORD_REUSE_TIME parameter to UNLIMITED for all profiles, with PASSWORD_REUSE_MAX set to an integer. An integer for one of the two parameters and UNLIMITED for the other means a password can never be reused; UNLIMITED for both means the database ignores both.
MIN_PWD_REUSE_TIME_PNAME
POLICY
MIN_PASSWORD_REUSE_TIME
PWD_CMPLX_FN_NAME
POLICY
Password Complexity Verification Function Usage
PWD_CMPLX_FN_DESC
POLICY
Ensures PASSWORD_VERIFY_FUNCTION resource for the profile is set
PWD_CMPLX_FN_IMPACT
POLICY
Passwords that do not meet minimum complexity requirements offer substantially less protection than complex passwords.
PWD_CMPLX_FN_RECOMM
POLICY
Set the PASSWORD_VERIFY_FUNCTION resource of the profile.
TRACE_FILES_PUB_NAME
POLICY
Public Trace Files
TRACE_FILES_PUBLIC_DESC
POLICY
Ensures database trace files are not publicly readable
TRACE_FILES_PUBLIC_IMPACT
POLICY
If trace files are readable by the PUBLIC group, a malicious user may attempt to read the trace files that could lead to sensitive information being exposed.
TRACE_FILES_PUBLIC_RECOMM
POLICY
Set the initialization parameter _TRACE_FILES_PUBLIC to FALSE.
AUDIT_TRAIL_NAME
POLICY
Enable Database Auditing
AUDIT_TRAIL_DESC
POLICY
Ensures database auditing is enabled
AUDIT_TRAIL_IMPACT
POLICY
The AUDIT_TRAIL parameter enables or disables database auditing. Auditing enhances security because it enforces accountability, provides evidence of misuse, and is frequently required for regulatory compliance. Auditing also enables system administrators to implement enhanced protections, early detection of suspicious activities, and finely-tuned security responses.
AUDIT_TRAIL_RECOMM
POLICY
Set AUDIT_TRAIL to DB or OS (DB_EXTENDED, XML and XML_EXTENDED also enable auditing; NONE disables it). Database-stored audit records can be easier to review and manage than OS-stored audit records. However, audit records stored in operating system files can be protected from DBAs via appropriate file permissions, and will remain available even if the database is temporarily inaccessible.
RMT_LSNR_NAME
POLICY
Use of Remote Listener Instances
RMT_LSNR_DESC
POLICY
Ensures listener instances on a remote machine separate from the database instance are not used
RMT_LSNR_IMPACT
POLICY
The REMOTE_LISTENER initialization parameter can be used to allow a listener on a remote machine to access the database. This parameter is not applicable in a multi-master replication or RAC environment where this setting provides a load balancing mechanism for the listener.
RMT_LSNR_RECOMM
POLICY
REMOTE_LISTENER should be set to the null string. This parameter is not applicable in a multi-master replication or RAC environment where this setting provides a load balancing mechanism for the listener.
OS_AUTH_PREFIX_NAME
POLICY
Using Externally Identified Accounts
OS_AUTH_PREFIX_DESC
POLICY
Ensures that the OS authentication prefix is set to a value other than OPS$
OS_AUTH_PREFIX_IMPACT
POLICY
The OS_AUTHENT_PREFIX parameter specifies a prefix used to authenticate users attempting to connect to the server. When a connection request is attempted, Oracle compares the prefixed username with usernames in the database. Using a prefix, especially OPS$, tends to result in an insecure configuration as an account can be authenticated either as an operating system user or with the password used in the IDENTIFIED BY clause. Attackers are aware of this and will attack these accounts.
OS_AUTH_PREFIX_RECOMM
POLICY
Set OS_AUTHENT_PREFIX to a value other than OPS$.
SQL92_SECURITY_NAME
POLICY
Use of SQL92 Security Features
SQL92_SECURITY_DESC
POLICY
Ensures use of SQL92 security features
SQL92_SECURITY_IMPACT
POLICY
If SQL92 security features are not enabled, a user might be able to execute an UPDATE or DELETE statement using a WHERE clause without having select privilege on a table.
SQL92_SECURITY_RECOMM
POLICY
Enable SQL92 security features by setting the initialization parameter SQL92_SECURITY to TRUE.
GLOBAL_NAME_NAME
POLICY
Naming Database Links
GLOBAL_NAME_DESC
POLICY
Ensures that the name of a database link is the same as that of the remote database
GLOBAL_NAME_IMPACT
POLICY
Database link names that do not match the global names of the databases to which they are connecting can cause an administrator to inadvertently give access to a production server from a test or development server. Knowledge of this can be used by a malicious user to gain access to the target database.
GLOBAL_NAME_RECOMM
POLICY
If you use or plan to use distributed processing, Oracle Corporation recommends that you set the GLOBAL_NAMES initialization parameter to TRUE to ensure the use of consistent naming conventions for databases and links in a networked environment.
DB_LINK_WITH_PWD_NAME
POLICY
Use of Database Links with Cleartext Password
DB_LINK_WITH_PWD_DESC
POLICY
Ensures database links with clear text passwords are not used
DB_LINK_WITH_PWD_IMPACT
POLICY
The table SYS.LINK$ stores the password used by a fixed-user database link: in clear text in releases before Oracle Database 10g Release 2, and in an encrypted but reversible form in later releases. A malicious user who can read SYS.LINK$ obtains a working credential for the remote database, which can lead to undesirable consequences.
DB_LINK_WITH_PWD_RECOMM
POLICY
Avoid creating fixed user database links.
UMASK_SETTING_NAME
POLICY
Use of Appropriate Umask on UNIX Systems
UMASK_SETTING_DESC
POLICY
On UNIX systems, ensure that the owner of the Oracle software has an appropriate umask value of 022 set
UMASK_SETTING_IMPACT
POLICY
If umask is not set to an appropriate value (like 022), log or trace files might become accessible to public exposing sensitive information.
UMASK_SETTING_RECOMM
POLICY
Set umask to 022 for the owner of Oracle software.
UNLMT_FAILED_LGIN_NAME
POLICY
Users with Excessive Allowed Failed Login Attempts
PROFILE_UNLMTED_FAILED_NAME
POLICY
Profiles with Excessive Allowed Failed Login Attempts
UNLMT_FAILED_LGIN_DESC
POLICY
Ensure that the number of allowed failed login attempts is set to a reasonable number of login attempts for all profiles
USR_UNLMT_FAILED_LGIN_DESC
POLICY
Ensure that the number of allowed failed login attempts is set to a reasonable number of login attempts for all users
UNLMT_FAILED_LGIN_IMPACT
POLICY
An unlimited or very high number of allowed failed login attempts permits manual and automated password guessing by a malicious user.
UNLMT_FAILED_LGIN_RECOMM
POLICY
Set FAILED_LOGIN_ATTEMPTS in user profiles to no more than 10.
MAX_FAILED_LOGIN_ATTEMPTS_PNAME
POLICY
MAX_FAILED_LOGIN_ATTEMPTS
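Worked example, added here and not part of the Oracle policy text, serving the password profile policies above (Password Locking Time, Password Grace Time, Password Life Time, Password Reuse Max, Password Reuse Time, Password Complexity Verification Function) as well as the failed login attempts policy: one report over DBA_PROFILES that resolves DEFAULT to the DEFAULT profile's value and flags every limit that misses the thresholds the policies state, followed by a remediation for one profile. APP_PROFILE is a placeholder, and VERIFY_FUNCTION is assumed to be the function created by the Oracle-supplied script $ORACLE_HOME/rdbms/admin/utlpwdmg.sql (its name varies by release). Needs SELECT on DBA_PROFILES and DBA_USERS; the ALTER PROFILE needs the ALTER PROFILE privilege.

```sql
-- Added example (not part of the original policy text). Thresholds are the
-- ones the policies recommend: failed logins <= 10, lock time >= 1 day,
-- grace <= 7 days, life <= 180 days, a verify function set, and reuse
-- parameters not both UNLIMITED.
WITH lim AS (
  -- Effective limit per profile: a value of DEFAULT inherits from DEFAULT profile
  SELECT p.profile, p.resource_name,
         CASE WHEN p.limit = 'DEFAULT' THEN d.limit ELSE p.limit END AS lmt
    FROM dba_profiles p
    JOIN dba_profiles d
      ON d.profile = 'DEFAULT' AND d.resource_name = p.resource_name
   WHERE p.resource_type = 'PASSWORD'
),
num AS (
  -- Numeric view of the limit; NULL for UNLIMITED / NULL / function names.
  -- CASE guarantees TO_NUMBER only runs on values that look numeric.
  SELECT profile, resource_name, lmt,
         CASE WHEN REGEXP_LIKE(lmt, '^[0-9]*\.?[0-9]+$') THEN TO_NUMBER(lmt) END AS n
    FROM num_src
),
findings AS (
  SELECT profile, resource_name, lmt,
         CASE resource_name
           WHEN 'FAILED_LOGIN_ATTEMPTS'    THEN CASE WHEN lmt = 'UNLIMITED' OR n > 10  THEN 'more than 10 attempts allowed' END
           WHEN 'PASSWORD_LOCK_TIME'       THEN CASE WHEN n < 1                        THEN 'lock shorter than 1 day'        END
           WHEN 'PASSWORD_GRACE_TIME'      THEN CASE WHEN lmt = 'UNLIMITED' OR n > 7   THEN 'grace longer than 7 days'       END
           WHEN 'PASSWORD_LIFE_TIME'       THEN CASE WHEN lmt = 'UNLIMITED' OR n > 180 THEN 'life longer than 180 days'      END
           WHEN 'PASSWORD_VERIFY_FUNCTION' THEN CASE WHEN lmt = 'NULL'                 THEN 'no verify function'             END
         END AS finding
    FROM num
)
SELECT f.profile, f.resource_name, f.lmt AS effective_limit, f.finding,
       (SELECT COUNT(*) FROM dba_users u WHERE u.profile = f.profile) AS affected_users
  FROM findings f
 WHERE f.finding IS NOT NULL
 ORDER BY f.profile, f.resource_name;

-- Reuse parameters are a pair: UNLIMITED for both means the database ignores
-- them and any old password may be reused. (Values of DEFAULT are read
-- literally here; resolve them against the DEFAULT profile as above.)
SELECT t.profile, t.limit AS reuse_time, m.limit AS reuse_max
  FROM dba_profiles t
  JOIN dba_profiles m ON m.profile = t.profile
 WHERE t.resource_name = 'PASSWORD_REUSE_TIME'
   AND m.resource_name = 'PASSWORD_REUSE_MAX'
   AND t.limit = 'UNLIMITED'
   AND m.limit = 'UNLIMITED';

-- Remediation for one profile. REUSE_TIME integer + REUSE_MAX UNLIMITED
-- means a password can never be reused.
ALTER PROFILE app_profile LIMIT
  FAILED_LOGIN_ATTEMPTS    10
  PASSWORD_LOCK_TIME       1
  PASSWORD_GRACE_TIME      7
  PASSWORD_LIFE_TIME       180
  PASSWORD_REUSE_TIME      365
  PASSWORD_REUSE_MAX       UNLIMITED
  PASSWORD_VERIFY_FUNCTION verify_function;
```

Note on the first statement: the CTE named num reads from num_src, which is not defined above; replace `FROM num_src` with `FROM lim` before running (the two-step CTE exists only so that TO_NUMBER is never applied to UNLIMITED). Changing a profile takes effect for existing sessions at their next password change or login, and PASSWORD_LIFE_TIME is counted from each account's last password change, so a profile tightened from UNLIMITED to 180 days can expire long-unchanged application accounts immediately; check DBA_USERS.EXPIRY_DATE afterwards.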
UTL_TCP_PUB_EXE_PRIV_NAME
POLICY
Restricted Privilege to Execute UTL_TCP
UTL_TCP_PUB_EXE_PRIV_DESC
POLICY
Ensure PUBLIC does not have execute privileges on the UTL_TCP package
PUB_EXE_PRIV_IMPACT
POLICY
Privileges granted to the PUBLIC role automatically apply to all users. With EXECUTE on these packages, a malicious user can open raw TCP connections, send e-mail and make HTTP requests from inside the database server, for example to exfiltrate data or reach hosts that are only visible from the database network.
UTL_TCP_PUB_EXE_PRIV_RECOMM
POLICY
Revoke EXECUTE privileges on the UTL_TCP package.
UTL_HTTP_PUB_EXE_PRIV_NAME
POLICY
Restricted Privilege to Execute UTL_HTTP
UTL_HTTP_PUB_EXE_PRIV_DESC
POLICY
Ensure PUBLIC does not have execute privileges on the UTL_HTTP package
UTL_HTTP_PUB_EXE_PRIV_RECOMM
POLICY
Revoke EXECUTE privileges on the UTL_HTTP package.
UTL_SMTP_PUB_EXE_PRIV_NAME
POLICY
Restricted Privilege to Execute UTL_SMTP
UTL_SMTP_PUB_EXE_PRIV_DESC
POLICY
Ensure PUBLIC does not have execute privileges on the UTL_SMTP package
UTL_SMTP_PUB_EXE_PRIV_RECOMM
POLICY
Revoke EXECUTE privileges on the UTL_SMTP package.
UTL_FILE_PKG_NAME
POLICY
Execute Privileges on UTL_FILE To PUBLIC
UTL_FILE_PKG_DESC
POLICY
Ensure PUBLIC does not have EXECUTE privilege on the UTL_FILE package
UTL_FILE_PKG_IMPACT
POLICY
Privileges granted to the PUBLIC role automatically apply to all users. A malicious user granted EXECUTE on UTL_FILE can read and write files on the database server, as the Oracle software owner, in any location permitted by UTL_FILE_DIR or by a directory object the user can access.
UTL_FILE_PKG_RECOMM
POLICY
Revoke EXECUTE privileges granted to UTL_FILE package from PUBLIC.
DBMS_JOB_PKG_NAME
POLICY
Execute Privileges on DBMS_JOB to PUBLIC
DBMS_JOB_PKG_DESC
POLICY
Ensures PUBLIC is not granted EXECUTE privileges on DBMS_JOB package
DBMS_JOB_PKG_IMPACT
POLICY
Granting EXECUTE privilege to PUBLIC on the DBMS_JOB package allows every user to schedule jobs on the database that run unattended with the submitter's privileges.
DBMS_JOB_PKG_RECOMM
POLICY
PUBLIC must not be granted EXECUTE privileges on DBMS_JOB package.
DBMS_SYS_SQL_PKG_NAME
POLICY
Execute Privileges on DBMS_SYS_SQL to PUBLIC
DBMS_SYS_SQL_PKG_DESC
POLICY
Ensures PUBLIC is not granted EXECUTE privileges on DBMS_SYS_SQL package
DBMS_SYS_SQL_PKG_IMPACT
POLICY
The DBMS_SYS_SQL package can be used to run PL/SQL and SQL as the owner of the procedure rather than the caller.
DBMS_SYS_SQL_PKG_RECOMM
POLICY
Revoke the EXECUTE privileges on DBMS_SYS_SQL package from the PUBLIC group.
DBMS_LOB_PKG_NAME
POLICY
Execute Privileges on DBMS_LOB to PUBLIC
DBMS_LOB_PKG_DESC
POLICY
Ensures PUBLIC group is not granted EXECUTE privileges to the DBMS_LOB package
DBMS_LOB_PKG_IMPACT
POLICY
The DBMS_LOB package can be used to access any file on the system as the owner of the Oracle software installation.
DBMS_LOB_PKG_RECOMM
POLICY
Revoke the EXECUTE privileges on DBMS_LOB package from the PUBLIC group.
PUB_SYSPRIV_NAME
POLICY
System Privileges to Public
PUB_SYSPRIV_DESC
POLICY
Ensure system privileges are not granted to PUBLIC
PUB_SYSPRIV_IMPACT
POLICY
Privileges granted to the PUBLIC role automatically apply to all users. Granting system privileges to PUBLIC therefore grants them to every user, including any account an attacker manages to obtain.
PUB_SYSPRIV_RECOMM
POLICY
Revoke SYSTEM privileges from public.
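Worked example, added here and not part of the Oracle policy text, covering the PUBLIC execute policies above (UTL_TCP, UTL_HTTP, UTL_SMTP, UTL_FILE, DBMS_JOB, DBMS_SYS_SQL, DBMS_LOB) and the system privileges policy: list what PUBLIC holds, find who depends on it, then revoke and re-grant directly. The package list is the one the policies name; APP_OWNER is a placeholder for a schema that legitimately needs a package. Needs SELECT_CATALOG_ROLE for the queries and SYSDBA (or the original grantor) for the REVOKEs.

```sql
-- Added example (not part of the original policy text).

-- 1. EXECUTE grants to PUBLIC on the named packages.
SELECT table_name AS package_name, grantor, grantable
  FROM dba_tab_privs
 WHERE grantee    = 'PUBLIC'
   AND privilege  = 'EXECUTE'
   AND owner      = 'SYS'
   AND table_name IN ('UTL_TCP', 'UTL_HTTP', 'UTL_SMTP', 'UTL_FILE',
                      'DBMS_JOB', 'DBMS_SYS_SQL', 'DBMS_LOB');

-- 2. Any system privilege granted to PUBLIC (the expected result is no rows).
SELECT privilege, admin_option
  FROM dba_sys_privs
 WHERE grantee = 'PUBLIC';

-- 3. Before revoking, find the non-Oracle schemas whose objects reference a
--    package. They lose the implicit PUBLIC grant when it is revoked and
--    their code goes INVALID unless each schema receives a direct grant.
SELECT owner, name, type, referenced_name
  FROM dba_dependencies
 WHERE referenced_owner = 'SYS'
   AND referenced_name IN ('UTL_TCP', 'UTL_HTTP', 'UTL_SMTP', 'UTL_FILE',
                           'DBMS_JOB', 'DBMS_SYS_SQL', 'DBMS_LOB')
   AND owner NOT IN ('SYS', 'SYSTEM')
 ORDER BY owner, referenced_name, name;

-- 4. Revoke from PUBLIC, then grant directly to the schemas found in step 3.
--    DBMS_SYS_SQL is not granted to PUBLIC by default; revoke it only if
--    step 1 listed it.
REVOKE EXECUTE ON sys.utl_tcp  FROM PUBLIC;
REVOKE EXECUTE ON sys.utl_http FROM PUBLIC;
REVOKE EXECUTE ON sys.utl_smtp FROM PUBLIC;
REVOKE EXECUTE ON sys.utl_file FROM PUBLIC;
REVOKE EXECUTE ON sys.dbms_job FROM PUBLIC;
REVOKE EXECUTE ON sys.dbms_lob FROM PUBLIC;
GRANT  EXECUTE ON sys.utl_file TO app_owner;

-- 5. Any system privilege from step 2 (example shown for one privilege).
REVOKE CREATE ANY TABLE FROM PUBLIC;
```

Oracle-supplied schemas (for example the ones behind XML DB, Spatial or Text) also rely on these PUBLIC grants; after revoking, run $ORACLE_HOME/rdbms/admin/utlrp.sql and compare DBA_OBJECTS with STATUS = 'INVALID' before and after, granting EXECUTE directly to any Oracle-owned schema that needs it rather than restoring the PUBLIC grant.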
DFLT_ACT_PWD_NAME
POLICY
Default Passwords
DFLT_ACT_PWD_DESC
POLICY
Ensure there are no default passwords for known accounts
DFLT_ACT_PWD_IMPACT
POLICY
A malicious user can gain access to the database using default passwords.
DFLT_ACT_PWD_RECOMM
POLICY
All default passwords should be changed.
WELL_KNOWN_ACCOUNT1_NAME
POLICY
Well Known Accounts (Status)
WELL_KNOWN_ACCOUNT2_NAME
POLICY
Well Known Accounts
WELL_KNOWN_ACCOUNT_DESC
POLICY
Ensure well-known accounts are expired and locked
WELL_KNOWN_ACCOUNT_IMPACT
POLICY
A knowledgeable malicious user can gain access to the database using a well-known account.
WELL_KNOWN_ACCOUNT_RECOMM
POLICY
Expire and lock well-known accounts.
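Worked example, added here and not part of the Oracle policy text, for the two account policies above: find accounts still using a shipped default password and Oracle-supplied accounts that are still open, then expire and lock them. DBA_USERS_WITH_DEFPWD ships with Oracle Database 11g and later; the ORACLE_MAINTAINED column of DBA_USERS exists from 12c, so an 11g alternative is shown as a comment. SCOTT is the demo schema and the password is a constructed placeholder.

```sql
-- Added example (not part of the original policy text). Requires SELECT on
-- DBA_USERS and DBA_USERS_WITH_DEFPWD; the ALTER USER requires ALTER USER.

-- 1. Accounts whose current password hash matches the shipped default
--    (11g and later). Joined to DBA_USERS so locked accounts are visible too:
--    a locked account with a default password is still a finding, because
--    it becomes usable the moment someone unlocks it.
SELECT u.username, u.account_status, u.profile, u.created
  FROM dba_users_with_defpwd d
  JOIN dba_users u ON u.username = d.username
 ORDER BY u.username;

-- 2. Oracle-supplied accounts that are still usable (12c and later).
--    On 11g replace the ORACLE_MAINTAINED predicate with an explicit list, e.g.
--    username IN ('SCOTT', 'OUTLN', 'DBSNMP', 'MDSYS', 'CTXSYS', 'XDB', 'WMSYS').
SELECT username, account_status, profile, last_login
  FROM dba_users
 WHERE oracle_maintained = 'Y'
   AND account_status NOT LIKE '%LOCKED%'
   AND username NOT IN ('SYS', 'SYSTEM')
 ORDER BY username;

-- 3. Remediation: replace the default password so the account no longer
--    matches the known hash, then expire and lock it.
ALTER USER scott IDENTIFIED BY "Replace-Me-Wk7#qLp2" PASSWORD EXPIRE ACCOUNT LOCK;
```

Do not lock accounts that an installed component still authenticates with; DBSNMP in particular is the account Enterprise Manager uses to monitor the database, so change its password and keep it open rather than locking it. LAST_LOGIN in step 2 exists from 12c and helps decide which accounts are genuinely unused.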
RMT_LGIN_NAME
POLICY
Remote Password File
RMT_LGIN_DESC
POLICY
Ensures privileged users are authenticated by the operating system; that is, Oracle ignores any password file
RMT_LGIN_IMPACT
POLICY
The REMOTE_LOGIN_PASSWORDFILE parameter specifies whether or not Oracle checks for a password file. Because password files contain the passwords for users, including SYS, the most secure way of preventing an attacker from connecting through brute-force password-related attacks is to require privileged users be authenticated by the operating system.
RMT_LGIN_RECOMM
POLICY
Remove the password file and set REMOTE_LOGIN_PASSWORDFILE to NONE.
RMT_ROLE_AUTH_NAME
POLICY
Remote OS Authentication
RMT_ROLE_AUTH_DESC
POLICY
Ensure REMOTE_OS_AUTHENT initialization parameter is set to FALSE
RMT_ROLE_AUTH_IMPACT
POLICY
A malicious user can gain access to the database if remote OS authentication is allowed.
RMT_ROLE_AUTH_RECOMM
POLICY
Set the REMOTE_OS_AUTHENT initialization parameter to FALSE.
RMT_OS_ROLE_NAME
POLICY
Remote OS Role
RMT_OS_ROLE_DESC
POLICY
Ensure REMOTE_OS_ROLES initialization parameter is set to FALSE
RMT_OS_ROLE_IMPACT
POLICY
A malicious user can gain access to the database if remote users can be granted privileged roles.
RMT_OS_ROLE_RECOMM
POLICY
Set the REMOTE_OS_ROLES initialization parameter to FALSE.
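Worked example, added here and not part of the Oracle policy text, for the initialization parameter policies above (UTL_FILE_DIR, OS_AUTHENT_PREFIX, _TRACE_FILES_PUBLIC, AUDIT_TRAIL, REMOTE_LISTENER, SQL92_SECURITY, GLOBAL_NAMES, REMOTE_LOGIN_PASSWORDFILE, REMOTE_OS_AUTHENT, REMOTE_OS_ROLES): one pass over V$PARAMETER that reports only the non-compliant values, the ALTER SYSTEM statements that fix them, and a separate query for the hidden parameter, which V$PARAMETER does not show. The expected values are the ones the policies state. The first and second parts need SELECT on V$PARAMETER and ALTER SYSTEM respectively; the last part reads X$ tables and runs only as SYS.

```sql
-- Added example (not part of the original policy text).

-- 1. Non-compliant parameters. A NULL action means the value is acceptable.
SELECT name, value, action
  FROM (
    SELECT name, value,
           CASE name
             WHEN 'remote_os_authent'         THEN CASE WHEN UPPER(value) <> 'FALSE' THEN 'set to FALSE' END
             WHEN 'remote_os_roles'           THEN CASE WHEN UPPER(value) <> 'FALSE' THEN 'set to FALSE' END
             WHEN 'remote_login_passwordfile' THEN CASE WHEN UPPER(value) <> 'NONE'  THEN 'set to NONE and remove the password file' END
             WHEN 'sql92_security'            THEN CASE WHEN UPPER(value) <> 'TRUE'  THEN 'set to TRUE' END
             WHEN 'global_names'              THEN CASE WHEN UPPER(value) <> 'TRUE'  THEN 'set to TRUE' END
             WHEN 'audit_trail'               THEN CASE WHEN UPPER(value) = 'NONE'   THEN 'set to DB or OS' END
             WHEN 'os_authent_prefix'         THEN CASE WHEN UPPER(value) = 'OPS$'   THEN 'use a prefix other than OPS$' END
             WHEN 'remote_listener'           THEN CASE WHEN value IS NOT NULL       THEN 'clear unless this is RAC or replication' END
             WHEN 'utl_file_dir'              THEN CASE WHEN value IS NOT NULL       THEN 'remove and use CREATE DIRECTORY' END
           END AS action
      FROM v$parameter
     WHERE name IN ('remote_os_authent', 'remote_os_roles',
                    'remote_login_passwordfile', 'sql92_security', 'global_names',
                    'audit_trail', 'os_authent_prefix', 'remote_listener',
                    'utl_file_dir')
  )
 WHERE action IS NOT NULL
 ORDER BY name;

-- 2. Remediation. GLOBAL_NAMES and REMOTE_LISTENER are dynamic; the others
--    are static and take effect at the next restart (SCOPE=SPFILE).
ALTER SYSTEM SET remote_os_authent         = FALSE SCOPE=SPFILE;
ALTER SYSTEM SET remote_os_roles           = FALSE SCOPE=SPFILE;
ALTER SYSTEM SET remote_login_passwordfile = NONE  SCOPE=SPFILE;
ALTER SYSTEM SET sql92_security            = TRUE  SCOPE=SPFILE;
ALTER SYSTEM SET audit_trail               = DB    SCOPE=SPFILE;
ALTER SYSTEM SET os_authent_prefix         = ''    SCOPE=SPFILE;
ALTER SYSTEM SET global_names              = TRUE  SCOPE=BOTH;
ALTER SYSTEM SET remote_listener           = ''    SCOPE=BOTH;
ALTER SYSTEM RESET utl_file_dir SCOPE=SPFILE SID='*';

-- 3. Hidden parameter (SYS only). Expected value: FALSE.
SELECT i.ksppinm AS name, v.ksppstvl AS value
  FROM x$ksppi  i
  JOIN x$ksppcv v ON v.indx = i.indx
 WHERE i.ksppinm = '_trace_files_public';
```

Two caveats before applying step 2. REMOTE_LOGIN_PASSWORDFILE = NONE disables every remote SYSDBA and SYSOPER connection, which Data Guard, RMAN run from another host and remote administration consoles depend on; where those are needed, keep the password file, set the parameter to EXCLUSIVE and control SYSDBA grants instead. Clearing REMOTE_LISTENER on a RAC database breaks client load balancing, as the policy itself notes.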
USR_ACCSS_AUD_NAME
POLICY
Access to SYS.AUD$ Table
USR_ACCSS_AUD_DESC
POLICY
Ensures restricted access to SYS.AUD$ table
USR_ACCSS_AUD_IMPACT
POLICY
A knowledgeable and malicious user can gain access to sensitive audit information.
USR_ACCSS_AUD_RECOMM
POLICY
Revoke access to SYS.AUD$ table from the non-DBA/SYS database users.
ACCESS_USER_HIST_NAME
POLICY
Access to SYS.USER_HISTORY$ Table
ACCESS_USER_HIST_DESC
POLICY
Ensures restricted access to SYS.USER_HISTORY$ table
ACCESS_USER_HIST_IMPACT
POLICY
Username and password hash may be read from the SYS.USER_HISTORY$ table, enabling a hacker to launch a brute-force attack.
ACCESS_USER_HIST_RECOMM
POLICY
Revoke access to SYS.USER_HISTORY$ table from the non-DBA/SYS database users.
ACSS_SRC_TAB_NAME
POLICY
Access to SYS.SOURCE$ Table
ACSS_SRC_TAB_DESC
POLICY
Ensures restricted access to SYS.SOURCE$ table
ACSS_SRC_TAB_IMPACT
POLICY
Contains the source of all stored program units in the database, including any credentials or business logic embedded in them.
ACSS_SRC_TAB_RECOMM
POLICY
Revoke access to SYS.SOURCE$ table from the non-SYS/DBA database users.
ACCSS_LINK_TAB_NAME
POLICY
Access to SYS.LINK$ Table
ACCSS_LINK_TAB_DESC
POLICY
Ensures restricted access to LINK$ table
ACCSS_LINK_TAB_IMPACT
POLICY
A knowledgeable and malicious user can gain access to database link passwords from the SYS.LINK$ table.
ACCSS_LINK_TAB_RECOMM
POLICY
Restrict access to SYS.LINK$ table.
ACCSS_USER_TAB_NAME
POLICY
Access to SYS.USER$ Table
ACCSS_USER_TAB_DESC
POLICY
Ensures restricted access to SYS.USER$ table
ACCSS_USER_TAB_IMPACT
POLICY
Username and password hash may be read from the SYS.USER$ table, enabling a hacker to launch a brute-force attack.
ACCSS_USER_TAB_RECOMM
POLICY
Restrict access to SYS.USER$ table.
ACCSS_SQLTEXT_TAB_NAME
POLICY
Access to STATS$SQLTEXT Table
ACCSS_SQLTEXT_TAB_DESC
POLICY
Ensures restricted access to STATS$SQLTEXT table
ACCSS_SQLTEXT_TAB_IMPACT
POLICY
This table provides full text of the recently-executed SQL statements. The SQL statements can reveal sensitive information.
ACCSS_SQLTEXT_TAB_RECOMM
POLICY
Restrict access to STATS$SQLTEXT table.
ACCSS_SQLSUM_TAB_NAME
POLICY
Access to STATS$SQL_SUMMARY Table
ACCSS_SQLSUM_TAB_DESC
POLICY
Ensures restricted access to STATS$SQL_SUMMARY table
ACCSS_SQLSUM_TAB_IMPACT
POLICY
Contains the first few lines of SQL text of the most resource intensive statements given to the server. SQL statements executed without bind variables can show up here with their literal values, exposing privileged information.
ACCSS_SQLSUM_TAB_RECOMM
POLICY
Restrict access to STATS$SQL_SUMMARY table.
ACCSS_ALL_SRC_NAME
POLICY
Access to ALL_SOURCE View
ACCSS_ALL_SRC_DESC
POLICY
Ensures restricted access to ALL_SOURCE view
ACCSS_ALL_SRC_IMPACT
POLICY
ALL_SOURCE view contains source of all stored packages in the database.
ACCSS_ALL_SRC_RECOMM
POLICY
Revoke access to ALL_SOURCE view from the non-SYS database users.
ACCSS_DBA_ROLES_NAME
POLICY
Access to DBA_ROLES View
ACCSS_DBA_ROLES_DESC
POLICY
Ensures restricted access to DBA_ROLES view
ACCSS_DBA_ROLES_IMPACT
POLICY
DBA_ROLES view contains details of all roles in the database. Knowledge of the structure of roles in the database can be taken advantage of by a malicious user.
ACCSS_DBA_ROLES_RECOMM
POLICY
Restrict access to DBA_ROLES view.
ACCSS_DBA_SYSPRIVS_NAME
POLICY
Access to DBA_SYS_PRIVS View
ACCSS_DBA_SYSPRIVS_DESC
POLICY
Ensures restricted access to DBA_SYS_PRIVS view
ACCSS_DBA_SYSPRIVS_IMPACT
POLICY
DBA_SYS_PRIVS view can be queried to find system privileges granted to roles and users. Knowledge of the structure of roles in the database can be taken advantage of by a malicious user.
ACCSS_DBA_SYSPRIVS_RECOMM
POLICY
Restrict access to DBA_SYS_PRIVS view.
ACCSS_DBA_ROLEPRIVS_NAME
POLICY
Access to DBA_ROLE_PRIVS View
ACCSS_DBA_ROLEPRIVS_DESC
POLICY
Ensures restricted access to DBA_ROLE_PRIVS view
ACCSS_DBA_ROLEPRIVS_IMPACT
POLICY
The DBA_ROLE_PRIVS view lists the roles granted to users and other roles. Knowledge of the structure of roles in the database can be taken advantage of by a malicious user.
ACCSS_DBA_ROLEPRIVS_RECOMM
POLICY
Restrict access to DBA_ROLE_PRIVS view.
ACCSS_DBA_TABPRIVS_NAME
POLICY
Access to DBA_TAB_PRIVS View
ACCSS_DBA_TABPRIVS_DESC
POLICY
Ensures restricted access to DBA_TAB_PRIVS view
ACCSS_DBA_TABPRIVS_IMPACT
POLICY
Lists privileges granted to users or roles on objects in the database. Knowledge of the structure of roles in the database can be taken advantage of by a malicious user.
ACCSS_DBA_TABPRIVS_RECOMM
POLICY
Restrict access to DBA_TAB_PRIVS view.
ACCSS_DBA_USERS_NAME
POLICY
Access to DBA_USERS View
ACCSS_DBA_USERS_DESC
POLICY
Ensures restricted access to DBA_USERS view
ACCSS_DBA_USERS_IMPACT
POLICY
Contains account information for every database user: account status, profile, default tablespaces and, in releases before Oracle Database 11g, the password hash in the PASSWORD column. Exposed hashes can be used to mount offline brute-force attacks, and the account list alone tells an attacker which users to target.
ACCSS_DBA_USERS_RECOMM
POLICY
Restrict access to DBA_USERS view.
ACCSS_ROLE_ROLE_NAME
POLICY
Access to ROLE_ROLE_PRIVS View
ACCSS_ROLE_ROLE_DESC
POLICY
Ensures restricted access to ROLE_ROLE_PRIVS view
ACCSS_ROLE_ROLE_IMPACT
POLICY
Lists roles granted to other roles. Knowledge of the structure of roles in the database can be taken advantage of by a malicious user.
ACCSS_ROLE_ROLE_RECOMM
POLICY
Restrict access to ROLE_ROLE_PRIVS view.
ACCSS_USER_TAB_PRIVS_NAME
POLICY
Access to USER_TAB_PRIVS View
ACCSS_USER_TAB_PRIVS_DESC
POLICY
Ensures restricted access to USER_TAB_PRIVS view
ACCSS_USER_TAB_PRIVS_IMPACT
POLICY
Lists the grants on objects for which the user is the owner, grantor or grantee. Knowledge of the grants in the database can be taken advantage of by a malicious user.
ACCSS_USER_TAB_PRIVS_RECOMM
POLICY
Restrict access to USER_TAB_PRIVS view.
ACCSS_USER_ROLE_PRIV_NAME
POLICY
Access to USER_ROLE_PRIVS View
ACCSS_USER_ROLE_PRIV_DESC
POLICY
Ensures restricted access to USER_ROLE_PRIVS view
ACCSS_USER_ROLE_PRIV_IMPACT
POLICY
Lists the roles granted to the current user. Knowledge of the structure of roles in the database can be taken advantage of by a malicious user.
ACCSS_USER_ROLE_PRIV_RECOMM
POLICY
Restrict access to USER_ROLE_PRIVS view.
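The "Access to ..." policies above each check one dictionary object. The following query, an added example that is not part of the original policy text, evaluates all of them in one pass: it lists every object privilege on those tables and views held by anything other than SYS, SYSTEM or the DBA role, and generates the matching REVOKE statement. It assumes Statspack is installed in its default PERFSTAT schema and that the grantee exclusion list is the minimal one for a site; extend both as needed. Run it as SYS or as a user with SELECT on DBA_TAB_PRIVS.

```sql
-- Added example, not part of the original policy text.
-- Object privileges on the dictionary objects covered by the Access to ...
-- policies, held by anyone other than SYS, SYSTEM or the DBA role, with the
-- REVOKE that removes each grant. The PERFSTAT owner for the STATS$ tables
-- and the exclusion list are assumptions.
WITH sensitive_objects AS (
  SELECT 'SYS'      AS owner, 'SOURCE$'         AS table_name FROM dual UNION ALL
  SELECT 'SYS',              'LINK$'                         FROM dual UNION ALL
  SELECT 'SYS',              'USER$'                         FROM dual UNION ALL
  SELECT 'SYS',              'ALL_SOURCE'                    FROM dual UNION ALL
  SELECT 'SYS',              'DBA_ROLES'                     FROM dual UNION ALL
  SELECT 'SYS',              'DBA_SYS_PRIVS'                 FROM dual UNION ALL
  SELECT 'SYS',              'DBA_ROLE_PRIVS'                FROM dual UNION ALL
  SELECT 'SYS',              'DBA_TAB_PRIVS'                 FROM dual UNION ALL
  SELECT 'SYS',              'DBA_USERS'                     FROM dual UNION ALL
  SELECT 'SYS',              'ROLE_ROLE_PRIVS'               FROM dual UNION ALL
  SELECT 'SYS',              'USER_TAB_PRIVS'                FROM dual UNION ALL
  SELECT 'SYS',              'USER_ROLE_PRIVS'               FROM dual UNION ALL
  SELECT 'PERFSTAT',         'STATS$SQLTEXT'                 FROM dual UNION ALL
  SELECT 'PERFSTAT',         'STATS$SQL_SUMMARY'             FROM dual
)
SELECT p.grantee,
       p.owner || '.' || p.table_name                          AS object_name,
       p.privilege,
       p.grantable,
       'REVOKE ' || p.privilege || ' ON "' || p.owner || '"."' || p.table_name
         || '" FROM "' || p.grantee || '";'                     AS fix_sql
FROM   dba_tab_privs      p
JOIN   sensitive_objects  s ON s.owner = p.owner AND s.table_name = p.table_name
WHERE  p.grantee NOT IN ('SYS', 'SYSTEM', 'DBA')
ORDER  BY p.owner, p.table_name, p.grantee, p.privilege;
```

Grants to PUBLIC are reported too, which is intended: a PUBLIC grant reaches every account. Some of those (ALL_SOURCE, USER_TAB_PRIVS, USER_ROLE_PRIVS) are Oracle defaults, so weigh the effect on tools and applications before running the generated REVOKE. The query only sees direct grants; a user can also reach one of these objects through a role, so expand DBA_ROLE_PRIVS for any role that appears in the GRANTEE column.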
SECURE_OS_AUDIT_LEVEL_NAME
POLICY
Secure OS Audit Level
SECURE_OS_AUDIT_LEVEL_DESC
POLICY
On UNIX systems, ensures that AUDIT_SYSLOG_LEVEL is set to a non-default value when OS-level auditing is enabled
SECURE_OS_AUDIT_LEVEL_IMPACT
POLICY
When AUDIT_SYSLOG_LEVEL is not set (the default), OS audit records are written to files under AUDIT_FILE_DEST that are owned by the Oracle software owner, so any DBA who can log in as that OS account can read, alter or delete the audit trail of their own actions. Setting the parameter sends the records to syslog instead, where the destination file is controlled by root.
SECURE_OS_AUDIT_LEVEL_RECOM
POLICY
When operating system auditing is enabled, set the AUDIT_SYSLOG_LEVEL initialization parameter to a valid facility.priority value and configure /etc/syslog.conf so that Oracle OS audit records are written to a separate file that the Oracle software owner cannot read or modify.
DATA_DICTIONARY_PROTECTED_NAME
POLICY
Data Dictionary Protected
DATA_DICTIONARY_PROTECTED_DESC
POLICY
Ensures data dictionary protection is enabled
DATA_DICTIONARY_PROTECTED_IMPACT
POLICY
The O7_DICTIONARY_ACCESSIBILITY parameter (letter O, not zero) controls whether the ANY system privileges reach into the SYS schema. Setting it to TRUE lets users holding privileges such as SELECT ANY TABLE or EXECUTE ANY PROCEDURE access data dictionary objects owned by SYS. As a result, those accounts can be exploited to gain unauthorized access to data and to escalate privilege.
DATA_DICTIONARY_PROTECTED_RECOM
POLICY
Set O7_DICTIONARY_ACCESSIBILITY to FALSE (the default since Oracle9i). The parameter is static; the change takes effect at the next instance restart.
AUDIT_SYS_OPS_NAME
POLICY
Auditing of SYS Operations Enabled
AUDIT_SYS_OPS_DESC
POLICY
Ensures sessions for users who connect as SYS are fully audited
AUDIT_SYS_OPS_IMPACT
POLICY
The AUDIT_SYS_OPERATIONS parameter enables or disables the auditing of operations issued by user SYS and by users connecting with SYSDBA or SYSOPER privileges. When it is FALSE these sessions are not audited at all, so the most powerful accounts leave no trail. The records go to the operating system audit trail (or to syslog when AUDIT_SYSLOG_LEVEL is set), not to the database audit trail, so they cannot be deleted from within the database.
AUDIT_SYS_OPS_RECOM
POLICY
Set AUDIT_SYS_OPERATIONS to TRUE.
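The three parameter-based policies above (Secure OS Audit Level, Data Dictionary Protected, Auditing of SYS Operations) can be checked together from V$PARAMETER. The block below is an added example, not part of the original policy text; the syslog facility and priority used in the remediation (LOCAL1.WARNING) are an example value that must match an entry in /etc/syslog.conf.

```sql
-- Added example, not part of the original policy text.
-- Parameter names in V$PARAMETER are lower case except for
-- O7_DICTIONARY_ACCESSIBILITY, so the comparison is case-insensitive.
-- audit_syslog_level is only meaningful when the OS audit trail is in use,
-- which is why audit_trail is shown alongside it for context.
SELECT name,
       value,
       CASE LOWER(name)
         WHEN 'o7_dictionary_accessibility'
           THEN CASE WHEN UPPER(value) = 'FALSE' THEN 'OK' ELSE 'VIOLATION' END
         WHEN 'audit_sys_operations'
           THEN CASE WHEN UPPER(value) = 'TRUE'  THEN 'OK' ELSE 'VIOLATION' END
         WHEN 'audit_syslog_level'
           THEN CASE WHEN value IS NOT NULL       THEN 'OK' ELSE 'VIOLATION' END
         ELSE 'INFO'
       END AS status
FROM   v$parameter
WHERE  LOWER(name) IN ('o7_dictionary_accessibility', 'audit_sys_operations',
                       'audit_syslog_level', 'audit_trail')
ORDER  BY name;

-- Remediation. All three parameters are static: they are written to the
-- SPFILE and take effect at the next instance restart. The facility.priority
-- pair is an example; route it in /etc/syslog.conf to a file only root can read.
ALTER SYSTEM SET o7_dictionary_accessibility = FALSE            SCOPE = SPFILE;
ALTER SYSTEM SET audit_sys_operations        = TRUE             SCOPE = SPFILE;
ALTER SYSTEM SET audit_syslog_level          = 'LOCAL1.WARNING' SCOPE = SPFILE;
```

After the restart, confirm that SYS audit records actually arrive in the syslog file rather than in AUDIT_FILE_DEST; a syslog misconfiguration silently loses them.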
PROXY_ACCOUNT_NAME
POLICY
Proxy Account
PROXY_ACCOUNT_DESC
POLICY
Ensures that the proxy accounts have limited privileges
PROXY_ACCOUNT_IMPACT
POLICY
The proxy user only needs to connect to the database. Once connected, it acts with the privileges of the user on whose behalf it is connecting. Granting the proxy user any privilege other than CREATE SESSION is unnecessary and open to misuse: a compromised proxy account would then carry privileges of its own in addition to those of every client it can proxy for.
PROXY_ACCOUNT_RECOMM
POLICY
Limit the privileges of the proxy accounts to CREATE SESSION.
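To find proxy accounts that hold more than CREATE SESSION, join DBA_PROXIES to the privilege views. The block below is an added example, not part of the original policy text; the account names in the reference set-up at the end (app_proxy, app_client) are hypothetical.

```sql
-- Added example, not part of the original policy text.
-- Every account that acts as a proxy (DBA_PROXIES.PROXY), with anything it
-- holds beyond CREATE SESSION: system privileges, roles and object privileges,
-- each with the REVOKE that removes it. Roles are listed in full because even
-- a default role such as CONNECT carried more than CREATE SESSION in older
-- releases; review each before revoking.
SELECT s.grantee          AS proxy_user,
       'SYSTEM PRIVILEGE' AS kind,
       s.privilege        AS granted,
       'REVOKE ' || s.privilege || ' FROM "' || s.grantee || '";' AS fix_sql
FROM   dba_sys_privs s
WHERE  s.grantee IN (SELECT proxy FROM dba_proxies)
AND    s.privilege <> 'CREATE SESSION'
UNION ALL
SELECT r.grantee, 'ROLE', r.granted_role,
       'REVOKE "' || r.granted_role || '" FROM "' || r.grantee || '";'
FROM   dba_role_privs r
WHERE  r.grantee IN (SELECT proxy FROM dba_proxies)
UNION ALL
SELECT t.grantee, 'OBJECT PRIVILEGE',
       t.privilege || ' ON ' || t.owner || '.' || t.table_name,
       'REVOKE ' || t.privilege || ' ON "' || t.owner || '"."' || t.table_name
         || '" FROM "' || t.grantee || '";'
FROM   dba_tab_privs t
WHERE  t.grantee IN (SELECT proxy FROM dba_proxies)
ORDER  BY 1, 2, 3;

-- Reference set-up of a compliant proxy (hypothetical names): the proxy gets
-- CREATE SESSION and nothing else, and is authorised for one specific client.
CREATE USER app_proxy IDENTIFIED BY "change-me-Tn8x";
GRANT CREATE SESSION TO app_proxy;
ALTER USER app_client GRANT CONNECT THROUGH app_proxy;
```

DBA_PROXIES also records which clients each proxy may connect through and any role restriction on that connection; a proxy authorised for many clients deserves the closest scrutiny, since its CREATE SESSION privilege alone already reaches all of them.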
RBS_IN_SYSTEM_NAME
POLICY
Rollback in SYSTEM Tablespace
RBS_IN_SYSTEM_DESC
POLICY
Checks for rollback segments in SYSTEM tablespace
RBS_IN_SYSTEM_IMPACT
POLICY
The SYSTEM tablespace should be reserved only for the Oracle data dictionary and its associated objects. It should NOT be used to store any other types of objects such as user tables, user indexes, user views, rollback segments, undo segments or temporary segments.
RBS_IN_SYSTEM_RECOM
POLICY
Use a tablespace dedicated to undo instead of the SYSTEM tablespace.
RBS_TBSP_TR_NLSID
POLICY
Rollback Segment Tablespace Name
PERM_AS_TEMP_TBSP_NAME
POLICY
Users with Permanent Tablespace as Temporary Tablespace
PERM_AS_TEMP_TBSP_DESC
POLICY
Checks for users using a permanent tablespace as the temporary tablespace
PERM_AS_TEMP_TBSP_IMPACT
POLICY
These users use a permanent tablespace as the temporary tablespace. Using temporary tablespaces allows space management for sort operations to be more efficient. Using a permanent tablespace for these operations may result in performance degradation, especially for Real Application Clusters. If the user is using a system tablespace as the temporary tablespace, there is an additional security concern. This makes it possible for users to use all available space in the system tablespace, causing the database to stop working.
PERM_AS_TEMP_TBSP_RECOM
POLICY
Change the temporary tablespace for these users to specify a tablespace of type TEMPORARY.
SYSTEM_AS_DEFAULT_TBSP_NAME
POLICY
Non-System Users with System Tablespace as Default Tablespace
SYSTEM_AS_DEFAULT_TBSP_DESC
POLICY
Checks for non-system users using SYSTEM or SYSAUX as the default tablespace
SYSTEM_AS_DEFAULT_TBSP_IMPACT
POLICY
These non-system users use a system tablespace as their default tablespace. Their data segments are therefore created in the system tablespace, which makes those segments harder to manage and may degrade the performance of the system tablespace. It is also a security issue: all available space in the system tablespace may be consumed, causing the database to stop working.
SYSTEM_AS_DEFAULT_TBSP_RECOM
POLICY
Change the default tablespace for these users to specify a non-system tablespace.
TBSP_SEGSPACE_MGMT_NAME
POLICY
Tablespace Not Using Automatic Segment-Space Management
TBSP_SEGSPACE_MGMT_DESC
POLICY
Checks for locally managed tablespaces that are using MANUAL segment space management. The SYSTEM and SYSAUX tablespaces are excluded from this check.
TBSP_SEGSPACE_MGMT_IMPACT
POLICY
Automatic segment-space management is a simpler and more efficient way of managing space within a segment. It completely eliminates any need to specify and tune the PCTUSED, FREELISTS and FREELIST GROUPS storage parameters for schema objects created in the tablespace. In a RAC environment there is the additional benefit of avoiding the hard partitioning of space inherent with using free list groups.
TBSP_SEGSPACE_MGMT_RECOM
POLICY
Oracle recommends changing MANUAL segment-space management settings of all permanent locally managed tablespaces to AUTO. The tablespace must be reorganized to change this setting.
TBSP_DICTIONARY_NAME
POLICY
Dictionary Managed Tablespaces
TBSP_DICTIONARY_DESC
POLICY
Checks for dictionary managed tablespaces
TBSP_DICTIONARY_IMPACT
POLICY
These tablespaces are dictionary managed. Oracle recommends using locally managed tablespaces, with AUTO segment-space management, to enhance performance and ease of space management.
TBSP_DICTIONARY_RECOM
POLICY
Redefine these tablespaces to be locally managed.
TBSP_MIXED_SEGS_NAME
POLICY
Tablespaces Containing Rollback and Data Segments
TBSP_MIXED_SEGS_DESC
POLICY
Checks for tablespaces containing both rollback and data segments
TBSP_MIXED_SEGS_IMPACT
POLICY
These tablespaces contain both rollback and data segments. Mixing segment types in this way makes it more difficult to manage space and may degrade performance in the tablespace. Use of a dedicated tablespace for rollback segments enhances availability and performance.
TBSP_MIXED_SEGS_RECOM
POLICY
Use Automatic Undo Management (in Oracle 9.0.1 or greater) and drop the rollback segments from this tablespace; or, create one or more tablespaces dedicated to rollback segments and drop the rollback segments from this tablespace; or, dedicate this tablespace to rollback segments and move the data segments to another tablespace.
DEFAULT_TEMP_TBSP_NAME
POLICY
Default Temporary Tablespace Set to a System Tablespace
DEFAULT_TEMP_TBSP_DESC
POLICY
Checks if the DEFAULT_TEMP_TABLESPACE database property is set to a system tablespace
DEFAULT_TEMP_TBSP_IMPACT
POLICY
If not specified explicitly, the DEFAULT_TEMP_TABLESPACE would default to the SYSTEM tablespace. This is not the recommended setting. The default temporary tablespace is used as the temporary tablespace for any users that are not explicitly assigned a temporary tablespace. If the database default temporary tablespace is set to a system tablespace, then any user that is not explicitly assigned a temporary tablespace uses the system tablespace as their temporary tablespace. System tablespaces should not be used to store temporary data. Doing so may result in performance degradation for the database. This is also a security issue. If non-system users are storing data in a system tablespace it is possible that all available space in the system tablespace may be consumed, thus causing the database to stop working.
DEFAULT_TEMP_TBSP_RECOM
POLICY
Oracle strongly recommends setting the DEFAULT_TEMP_TABLESPACE to a non-system temporary tablespace. In the 10g version of the database, the DEFAULT_TEMP_TABLESPACE can also be set to a temporary tablespace group. Create or edit a temporary tablespace, or temporary tablespace group, and set it to be the default temporary tablespace.
DEFAULT_PERMANENT_TBSP_NAME
POLICY
Default Permanent Tablespace Set to a System Tablespace
DEFAULT_PERMANENT_TBSP_DESC
POLICY
Checks if the DEFAULT_PERMANENT_TABLESPACE database property is set to a system tablespace
DEFAULT_PERMANENT_TBSP_IMPACT
POLICY
If not specified explicitly, the DEFAULT_PERMANENT_TABLESPACE defaults to the SYSTEM tablespace. This is not the recommended setting. The default permanent tablespace for the database is used as the permanent tablespace for any non-system users that are not explicitly assigned a permanent tablespace. If the database default permanent tablespace is set to a system tablespace, then any user that is not explicitly assigned a tablespace uses the system tablespace. Non-system users should not be using a system tablespace to store data. Doing so may result in performance degradation for the database. This is also a security issue. If non-system users are storing data in a system tablespace it is possible that all available space in the system tablespace may be consumed, thus causing the database to stop working.
DEFAULT_PERMANENT_TBSP_RECOM
POLICY
Oracle strongly recommends that you set the DEFAULT_PERMANENT_TABLESPACE to a non-system tablespace. Select a different tablespace to be the DEFAULT_PERMANENT_TABLESPACE. To do this, create or edit a tablespace and set it to be the default permanent tablespace.
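The tablespace-assignment policies above (permanent tablespace used as temporary, SYSTEM or SYSAUX as default tablespace, and the two database-level defaults) can be evaluated and fixed from DBA_USERS, DBA_TABLESPACES and DATABASE_PROPERTIES. The block below is an added example, not part of the original policy text. The target tablespaces USERS and TEMP and the list of system accounts are assumptions; extend the list with the Oracle-supplied accounts present in your release (from 12c onward, DBA_USERS.ORACLE_MAINTAINED = 'Y' identifies them directly).

```sql
-- Added example, not part of the original policy text.
-- Non-system users whose default or temporary tablespace is SYSTEM/SYSAUX, or
-- whose temporary tablespace is a PERMANENT tablespace, with the ALTER USER
-- that fixes each. USERS/TEMP as targets and the account list are assumptions.
WITH system_accounts AS (
  SELECT column_value AS username
  FROM   TABLE(sys.odcivarchar2list('SYS', 'SYSTEM', 'SYSMAN', 'DBSNMP', 'OUTLN',
                                     'CTXSYS', 'OLAPSYS', 'MDSYS', 'ORDSYS',
                                     'XDB', 'WMSYS', 'EXFSYS', 'DMSYS'))
)
SELECT u.username,
       u.default_tablespace,
       u.temporary_tablespace,
       t.contents AS temp_ts_type,
       CASE WHEN u.default_tablespace IN ('SYSTEM', 'SYSAUX')
            THEN 'ALTER USER "' || u.username || '" DEFAULT TABLESPACE users;'
       END AS fix_default,
       CASE WHEN u.temporary_tablespace IN ('SYSTEM', 'SYSAUX')
              OR t.contents = 'PERMANENT'
            THEN 'ALTER USER "' || u.username || '" TEMPORARY TABLESPACE temp;'
       END AS fix_temp
FROM   dba_users u
LEFT JOIN dba_tablespaces t ON t.tablespace_name = u.temporary_tablespace
WHERE  u.username NOT IN (SELECT username FROM system_accounts)
AND   (   u.default_tablespace   IN ('SYSTEM', 'SYSAUX')
       OR u.temporary_tablespace IN ('SYSTEM', 'SYSAUX')
       OR t.contents = 'PERMANENT')
ORDER  BY u.username;

-- Database-level defaults inherited by users created without an explicit
-- tablespace clause.
SELECT property_name, property_value
FROM   database_properties
WHERE  property_name IN ('DEFAULT_PERMANENT_TABLESPACE', 'DEFAULT_TEMP_TABLESPACE');

-- Remediation: point both defaults at non-system tablespaces, then run the
-- ALTER USER statements generated above. ALTER USER does not move segments
-- that already sit in SYSTEM; relocate those separately.
ALTER DATABASE DEFAULT TABLESPACE users;
ALTER DATABASE DEFAULT TEMPORARY TABLESPACE temp;
```

A temporary tablespace group name in TEMPORARY_TABLESPACE has no row in DBA_TABLESPACES; the LEFT JOIN keeps such users visible with a NULL TEMP_TS_TYPE rather than dropping them.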
NO_UNDO_TBSP_NAME
POLICY
Not Using Automatic Undo Management
NO_UNDO_TBSP_DESC
POLICY
Checks for automatic undo space management not being used
NO_UNDO_TBSP_IMPACT
POLICY
Not using automatic undo management can cause unnecessary contention and performance issues in your database. This may include among other issues, contention for the rollback segment header blocks, in the form of buffer busy waits and increased probability of ORA-1555s (Snapshot Too Old).
NO_UNDO_TBSP_RECOM
POLICY
Use automatic undo space management instead of manual undo or rollback segments.
NO_SPFILE_NAME
POLICY
Not Using Spfile
NO_SPFILE_DESC
POLICY
Checks for spfile not being used
NO_SPFILE_IMPACT
POLICY
The SPFILE (server parameter file) persists dynamic changes made to initialization parameters with ALTER SYSTEM across database shutdowns. With an SPFILE configured you do not have to make the corresponding edits to the init.ora file by hand, and changes made with ALTER SYSTEM are not lost after a shutdown and restart.
NO_SPFILE_RECOM
POLICY
Use a server parameter file (SPFILE) so that parameter changes made with ALTER SYSTEM persist.
NON_UNIFORM_TBSP_NAME
POLICY
Non-uniform Default Extent Size for Tablespaces
NON_UNIFORM_TBSP_DESC
POLICY
Checks for dictionary managed or migrated locally managed tablespaces with non-uniform default extent size
NON_UNIFORM_TBSP_IMPACT
POLICY
Dictionary managed or migrated locally managed tablespaces using non-uniform default extent sizes have been found. This means that the extents in a single tablespace will vary in size leading to fragmentation, inefficient space usage and performance degradation.
NON_UNIFORM_TBSP_RECOM
POLICY
To ensure uniform extent sizes, set the storage attributes for each tablespace such that Next Size is equal to or a multiple of the Initial Size, and the Increment Size (%) is set to zero. Do not explicitly specify storage attributes at the segment level. Instead, let the storage values for the segments be inherited from the default storage attributes of the tablespace.
SEG_NONSYS_SEG_IN_SYS_TS_NAME
POLICY
Non-System Data Segments in System Tablespaces
SEG_NONSYS_SEG_IN_SYS_TS_DESC
POLICY
Checks for data segments owned by non-system users located in tablespaces SYSTEM and SYSAUX
SEG_NONSYS_SEG_IN_SYS_TS_IMPACT
POLICY
These segments belonging to non-system users are stored in system tablespaces SYSTEM or SYSAUX. This violation makes it more difficult to manage these data segments and may result in performance degradation in the system tablespace. This is also a security issue. If non-system users are storing data in a system tablespace it is possible that all available space in the system tablespace may be consumed, thus causing the database to stop working. System users include users that are part of the DBMS such as SYS and SYSTEM, or that are part of Oracle-supplied facilities: for example, CTXSYS, SYSMAN, and OLAPSYS.
SEG_NONSYS_SEG_IN_SYS_TS_RECOM
POLICY
Relocate the non-system segments to a non-system tablespace.
SEG_EXT_GROWTH_VIO_NAME
POLICY
Segment with Extent Growth Policy Violation
SEG_EXT_GROWTH_VIO_DESC
POLICY
Checks for segments in dictionary managed or migrated locally managed tablespaces having irregular extent sizes and/or non-zero Percent Increase settings
SEG_EXT_GROWTH_VIO_IMPACT
POLICY
These segments have extents with sizes that are not multiples of the initial extent or have a non-zero Percent Increase setting. This can result in inefficient reuse of space and fragmentation problems.
SEG_EXT_GROWTH_VIO_RECOM
POLICY
Implement either of these two recommendations: 1) create a locally managed tablespace and reorganize these segments into it; or 2) reorganize these segments, specifying a Next Extent value that is a multiple of Initial Extent and a Percent Increase value of 0.
HIDDEN_PARAMS_NAME
POLICY
Use of Non-Standard Initialization Parameters
HIDDEN_PARAMS_DESC
POLICY
Checks for use of non-standard initialization parameters
HIDDEN_PARAMS_IMPACT
POLICY
Non-standard initialization parameters are being used. These may have been implemented based on poor advice or incorrect assumptions. In particular, parameters associated with SPIN_COUNT on latches and undocumented optimizer features can cause a great deal of problems that can require considerable investigation.
HIDDEN_PARAMS_RECOM
POLICY
Avoid use of non-standard initialization parameters.
STATISTICS_LEVEL_HIGH_NAME
POLICY
STATISTICS_LEVEL Parameter Set to ALL
STATISTICS_LEVEL_HIGH_DESC
POLICY
Checks if the STATISTICS_LEVEL initialization parameter is set to ALL
STATISTICS_LEVEL_HIGH_IMPACT
POLICY
Automatic statistics collection allows the optimizer to generate accurate execution plans and is essential for identifying and correcting performance problems. The STATISTICS_LEVEL initialization parameter is currently set to ALL, meaning additional timed OS and plan execution statistics are being collected. These statistics are not necessary and create additional overhead on the system.
STATISTICS_LEVEL_HIGH_RECOM
POLICY
Oracle recommends that you set the STATISTICS_LEVEL initialization parameter to TYPICAL.
STATISTICS_LEVEL_NAME
POLICY
Disabled Automatic Statistics Collection
STATISTICS_LEVEL_DESC
POLICY
Checks if the STATISTICS_LEVEL initialization parameter is set to BASIC
STATISTICS_LEVEL_IMPACT
POLICY
Automatic statistics collection allows the optimizer to generate accurate execution plans and is essential for identifying and correcting performance problems. By default, STATISTICS_LEVEL is set to TYPICAL. If the STATISTICS_LEVEL initialization parameter is set to BASIC the collection of many important statistics, required by Oracle database features and functionality, are disabled.
STATISTICS_LEVEL_RECOM
POLICY
Oracle strongly recommends that you set the STATISTICS_LEVEL initialization parameter to TYPICAL.
TIMED_STATISTICS_NAME
POLICY
TIMED_STATISTICS set to FALSE
TIMED_STATISTICS_DESC
POLICY
Checks if the TIMED_STATISTICS initialization parameter is set to FALSE.
TIMED_STATISTICS_IMPACT
POLICY
Setting TIMED_STATISTICS to FALSE prevents time-related statistics, such as execution time for various internal operations, from being collected. These statistics are useful for diagnosis and performance tuning. Setting TIMED_STATISTICS to TRUE allows them to be collected, adds value to trace files, and yields more accurate statistics for long-running operations.
TIMED_STATISTICS_RECOM
POLICY
Oracle strongly recommends setting the TIMED_STATISTICS initialization parameter to TRUE. TIMED_STATISTICS can be set either on a system level or on a session level.
TIMED_STATISTICS_MESSAGE
POLICY
TIMED_STATISTICS is set to FALSE.
TIMED_STATISTICS_CLEAR_MESSAGE
POLICY
TIMED_STATISTICS is set to TRUE.
TIMED_STATISTICS_FIX
POLICY
Edit TIMED_STATISTICS Initialization Parameter
AUTO_PGA_NAME
POLICY
Not Using Automatic PGA Management
AUTO_PGA_DESC
POLICY
Checks if the PGA_AGGREGATE_TARGET initialization parameter has a value of 0 or if WORKAREA_SIZE_POLICY has value of MANUAL.
AUTO_PGA_IMPACT
POLICY
Automatic PGA memory management simplifies and improves the way PGA memory is allocated. When enabled, Oracle can dynamically adjust the portion of the PGA memory dedicated to work areas while honoring the PGA_AGGREGATE_TARGET limit set by the DBA.
AUTO_PGA_RECOM
POLICY
Oracle strongly recommends that you enable Automatic PGA Memory Management and set the PGA_AGGREGATE_TARGET initialization parameter to a non-zero number. Use Oracle PGA advice to help set PGA_AGGREGATE_TARGET to the best size.
SMALL_REDO_LOGS_NAME
POLICY
Insufficient Redo Log Size
SMALL_REDO_LOGS_DESC
POLICY
Checks for redo log files smaller than 1 MB
SMALL_REDO_LOGS_IMPACT
POLICY
Small redo logs cause system checkpoints to continuously put a high load on the buffer cache and I/O system.
SMALL_REDO_LOGS_RECOM
POLICY
Increase the size of the redo logs to at least 1 MB.
REDO_LOG_SIZE_TR_NLSID
POLICY
Redo Log File Size (MB)
INSUFF_REDO_LOGS_NAME
POLICY
Insufficient Number of Redo Logs
INSUFF_REDO_LOGS_DESC
POLICY
Checks for use of less than three redo logs
INSUFF_REDO_LOGS_IMPACT
POLICY
The online redo log files are used to record changes in the database for the purposes of recoverability. When archiving is enabled, these online redo logs need to be archived before they can be reused. Every database requires at least two online redo log groups to be up and running. When the size and number of online redo logs are inadequate, LGWR will wait for ARCH to complete its writing to the archived log destination, before it overwrites that log. This can cause severe performance slowdowns during peak activity periods.
INSUFF_REDO_LOGS_RECOM
POLICY
Oracle recommends having at least three online redo log groups with at least two members in each group. Members of the same group must be on different disk drives, since multiplexing only protects against a disk failure if no single disk holds every copy.
REDO_LOG_COUNT_TR_NLSID
POLICY
Redo Log Count
INSUFF_CONTROL_FILES_NAME
POLICY
Insufficient Number of Control Files
INSUFF_CONTROL_FILES_DESC
POLICY
Checks for use of a single control file
INSUFF_CONTROL_FILES_IMPACT
POLICY
The control file is one of the most important files in an Oracle database. It maintains many physical characteristics and important recovery information about the database. If you lose the only copy of the control file due to a media error, there will be unnecessary down time and other risks.
INSUFF_CONTROL_FILES_RECOM
POLICY
Use at least two control files that are multiplexed on different disks.
CONTROL_FILE_COUNT_TR_NLSID
POLICY
Control File Count
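The three policies above (redo log size, number of redo log groups, number of control files) read directly from V$LOG, V$LOGFILE and V$CONTROLFILE. The block below is an added example, not part of the original policy text; the file paths and the 200 MB group size in the remediation are illustrative assumptions.

```sql
-- Added example, not part of the original policy text.
-- Per-group redo log check: size below 1 MB and groups with a single member.
SELECT l.group#,
       l.members,
       l.bytes / 1048576 AS size_mb,
       l.status,
       CASE WHEN l.bytes < 1048576 THEN 'SMALLER THAN 1 MB' END AS size_check,
       CASE WHEN l.members < 2     THEN 'NOT MULTIPLEXED'   END AS member_check
FROM   v$log l
ORDER  BY l.group#;

-- Counts behind the "insufficient number" policies.
SELECT (SELECT COUNT(*) FROM v$log)         AS redo_groups,
       (SELECT COUNT(*) FROM v$controlfile) AS control_files,
       CASE WHEN (SELECT COUNT(*) FROM v$log) < 3
            THEN 'VIOLATION: fewer than three redo log groups' ELSE 'OK' END AS redo_check,
       CASE WHEN (SELECT COUNT(*) FROM v$controlfile) < 2
            THEN 'VIOLATION: single control file'             ELSE 'OK' END AS ctl_check
FROM   dual;

-- Members of one group must sit on different disks; inspect the paths.
SELECT group#, member FROM v$logfile ORDER BY group#, member;
SELECT name FROM v$controlfile;

-- Remediation: a third, multiplexed group of adequate size (paths and size
-- are assumptions; on RAC add THREAD n before GROUP).
ALTER DATABASE ADD LOGFILE GROUP 3
  ('/u01/oradata/ORCL/redo03a.log', '/u02/oradata/ORCL/redo03b.log') SIZE 200M;

-- Multiplex the control file: record the second copy in the SPFILE, shut the
-- instance down cleanly, copy the existing file to the new path at the OS
-- level, then start the instance again.
ALTER SYSTEM SET control_files = '/u01/oradata/ORCL/control01.ctl',
                                 '/u02/oradata/ORCL/control02.ctl' SCOPE = SPFILE;
```

The control file step is the one that cannot be done online: the new path must exist with a valid copy before the instance is started with the changed CONTROL_FILES, or the instance will not mount.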
ASM_DISK_SIZE_NAME
POLICY
Disk Group Contains Disks of Significantly Different Sizes
ASM_DISK_SIZE_DESC
POLICY
Checks the disk group for disks with disk sizes which vary by more than 5%.
ASM_DISK_SIZE_IMPACT
POLICY
Disks in a disk group should have sizes within 5% of each other, unless data migration is in progress. Automatic Storage Management distributes data uniformly proportional to the size of the disks. For balanced I/O and optimal performance, disks in a given disk group should have similar size and performance characteristics.
ASM_DISK_SIZE_RECOM
POLICY
Remove, replace or resize disks in the disk group so the size difference between disks is less than 5%.
ASM_DATA_PROTECTION_NAME
POLICY
Disk Group Depends on External Redundancy and has Unprotected Disks
ASM_DATA_PROTECTION_DESC
POLICY
Checks the disk group, which depends on external redundancy, for disks that are not mirrored or parity protected.
ASM_DATA_PROTECTION_IMPACT
POLICY
Data loss can occur if the disk group depends on external redundancy and disks are not mirrored or parity protected.
ASM_DATA_PROTECTION_RECOM
POLICY
Replace problem disks with mirrored or parity protected disks, or move unprotected disks into a disk group with NORMAL or HIGH redundancy.
ASM_MIXED_REDUNDANCY_NAME
POLICY
Disk Group Contains Disks with Different Redundancy Attributes
ASM_MIXED_REDUNDANCY_DESC
POLICY
Checks the disk group for disks that have different redundancy attributes.
ASM_MIXED_REDUNDANCY_IMPACT
POLICY
Disks in the same disk group with different redundancy attributes may offer inconsistent levels of data protection.
ASM_MIXED_REDUNDANCY_RECOM
POLICY
Move disks with different redundancy attributes into separate disk groups.
ASM_UNNEEDED_REDUNDANCY_NAME
POLICY
Disk Group with NORMAL or HIGH Redundancy has Mirrored or Parity Protected Disks
ASM_UNNEEDED_REDUNDANCY_DESC
POLICY
Checks the disk group, with NORMAL or HIGH redundancy, for disks that are mirrored or parity protected.
ASM_UNNEEDED_REDUNDANCY_IMPACT
POLICY
Disk resources are wasted, and performance may be unnecessarily affected when both a disk and its owning disk group are providing data redundancy.
ASM_UNNEEDED_REDUNDANCY_RECOM
POLICY
Replace disks in the NORMAL or HIGH redundancy disk group with unprotected disks.
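The four ASM disk group policies above can be evaluated per disk group from V$ASM_DISKGROUP and V$ASM_DISK. The block below is an added example, not part of the original policy text. It runs in the ASM instance, or in a database instance that has the groups mounted.

```sql
-- Added example, not part of the original policy text.
-- Per disk group: size spread beyond 5%, mixed redundancy attributes, and the
-- two protection mismatches (unprotected disks under EXTERNAL redundancy,
-- mirrored or parity disks under NORMAL/HIGH). V$ASM_DISK.REDUNDANCY is what
-- the disk reports about itself (UNPROT, MIRROR, PARITY, EXTERN or UNKNOWN);
-- ASM cannot verify it, so UNKNOWN is flagged for manual follow-up.
SELECT g.name                              AS disk_group,
       g.type                              AS group_redundancy,
       COUNT(*)                            AS disks,
       MIN(d.total_mb)                     AS min_mb,
       MAX(d.total_mb)                     AS max_mb,
       ROUND(100 * (MAX(d.total_mb) - MIN(d.total_mb)) / MAX(d.total_mb), 1)
                                           AS size_spread_pct,
       CASE WHEN (MAX(d.total_mb) - MIN(d.total_mb)) / MAX(d.total_mb) > 0.05
            THEN 'VIOLATION' ELSE 'OK' END AS size_check,
       CASE WHEN COUNT(DISTINCT d.redundancy) > 1
            THEN 'VIOLATION' ELSE 'OK' END AS mixed_redundancy_check,
       CASE WHEN g.type = 'EXTERN'
             AND SUM(CASE WHEN d.redundancy = 'UNPROT' THEN 1 ELSE 0 END) > 0
            THEN 'VIOLATION: unprotected disks in EXTERNAL redundancy group'
            WHEN g.type IN ('NORMAL', 'HIGH')
             AND SUM(CASE WHEN d.redundancy IN ('MIRROR', 'PARITY') THEN 1 ELSE 0 END) > 0
            THEN 'WARNING: disk and disk group both provide redundancy'
            WHEN SUM(CASE WHEN d.redundancy = 'UNKNOWN' THEN 1 ELSE 0 END) > 0
            THEN 'CHECK: disk redundancy unknown'
            ELSE 'OK' END                  AS protection_check
FROM   v$asm_diskgroup g
JOIN   v$asm_disk      d ON d.group_number = g.group_number
WHERE  d.total_mb > 0
GROUP  BY g.name, g.type
ORDER  BY g.name;
```

The size check deliberately ignores a group in the middle of a migration, where a temporary spread is expected; re-run it once the rebalance has finished. Remediation is physical (replace, resize or move disks with ALTER DISKGROUP ... ADD/DROP DISK, which triggers a rebalance), so plan it in a maintenance window.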
NO_RECOVERY_AREA_NAME
POLICY
Recovery Area Location Not Set
NO_RECOVERY_AREA_DESC
POLICY
Checks for recovery area not set
NO_RECOVERY_AREA_IMPACT
POLICY
Not setting the recovery area location leaves the recovery components (archived redo logs, backups, flashback logs and control file copies) spread across separately managed locations instead of one unified, space-managed area.
NO_RECOVERY_AREA_RECOM
POLICY
It is recommended that the recovery area location be set (DB_RECOVERY_FILE_DEST, with DB_RECOVERY_FILE_DEST_SIZE as its quota) to provide a unified storage location for all recovery components.
NO_FORCE_LOGGING_NAME
POLICY
Force Logging Disabled
NO_FORCE_LOGGING_DESC
POLICY
When Data Guard Broker is being used, checks the primary database for disabled force logging
NO_FORCE_LOGGING_IMPACT
POLICY
The primary database is not in force logging mode. As a result unlogged direct writes in the primary database cannot be propagated to the standby database.
NO_FORCE_LOGGING_RECOM
POLICY
The primary database should be put in force logging mode using ALTER DATABASE FORCE LOGGING.
TKPROF_NAME
POLICY
TKPROF Executable Permission
TKPROF_NAME_NT
POLICY
TKPROF Executable Permission (Windows)
TKPROF_DESC
POLICY
Ensures tkprof executable file permissions are restricted to read and execute for the group, and inaccessible to public
TKPROF_IMPACT
POLICY
Excessive permissions on tkprof allow any user on the host to format SQL trace files, which contain the SQL text (and, when bind tracing is enabled, the bind values) of the traced sessions.
TKPROF_RECOM
POLICY
Remove tkprof executable if not required. Otherwise, file permissions for tkprof executable should be restricted to read and execute for the group, and inaccessible to public.
TKPROF_OWNER_NAME
POLICY
TKPROF Executable Owner
TKPROF_OWNER_DESC
POLICY
Ensures tkprof executable file is owned by Oracle software owner
TKPROF_OWNER_IMPACT
POLICY
If the tkprof executable is owned by an account other than the Oracle software owner, that account can modify or replace it, and the information in the trace files it processes may leak.
TKPROF_OWNER_RECOM
POLICY
Ensure the tkprof executable is owned by the Oracle software owner, with the DBA group as its group.
OTRACE_NAME
POLICY
Otrace Data Files
OTRACE_DESC
POLICY
Ensures otrace data collection is disabled, because the data it collects degrades database performance and consumes disk space
OTRACE_IMPACT
POLICY
Performance and resource utilization data collection can have a negative impact on database performance and disk space usage.
OTRACE_RECOM
POLICY
Disable otrace data collection and remove the otrace data files it has already produced if they are no longer needed.
SQLPLUS_NAME
POLICY
SQL*Plus Executable Permission
SQLPLUS_NAME_NT
POLICY
SQL*Plus Executable Permission (Windows)
SQLPLUS_DESC
POLICY
Ensures that SQL*Plus executable file permissions are limited to the Oracle software set and DBA group
SQLPLUS_IMPACT
POLICY
SQL*Plus allows a user to execute any SQL on the database provided the user has an account with appropriate privileges. Public execute permissions on SQL*Plus can cause security issues by exposing sensitive data to malicious users.
SQLPLUS_RECOMM
POLICY
Restrict file permissions for SQL*Plus executable to the Oracle software set and DBA group.
SQLPLUS_OWNER_NAME
POLICY
SQL*Plus Executable Owner
SQLPLUS_OWNER_DESC
POLICY
Ensures SQL*Plus ownership is restricted to the Oracle software set and DBA group
SQLPLUS_OWNER_IMPACT
POLICY
SQL*Plus allows a user to execute any SQL on the database provided the user has an account with appropriate privileges. Not restricting ownership of SQL*Plus to the Oracle software set and DBA group may cause security issues by exposing sensitive data to malicious users.
SQLPLUS_OWNER_RECOM
POLICY
Restrict SQL*Plus ownership to the Oracle software set and DBA group.
WIN_PLATFORM_NAME
POLICY
Installation on Domain Controller
WIN_PLATFORM_DESC
POLICY
Ensures that Oracle is not installed on a domain controller
WIN_PLATFORM_IMPACT
POLICY
Installing Oracle on a domain controller is a serious security issue: a domain controller has no local accounts, so the Oracle service must run under a domain account on the host that holds the domain's security database, and a compromise of the database or its service account then compromises the entire domain.
WIN_PLATFORM_RECOMM
POLICY
Oracle must only be installed on a domain member server or a standalone server.
DRIVE_PERM_NAME
POLICY
Installed Oracle Home Drive Permissions
DRIVE_PERM_DESC
POLICY
On Windows, ensures that the installed Oracle Home drive is not accessible to Everyone Group
DRIVE_PERM_IMPACT
POLICY
Granting the Everyone group access to the drive holding the Oracle Home lets any user on the host read data files, configuration files and logs and, where the permission includes write access, modify Oracle binaries and configuration.
DRIVE_PERM_RECOMM
POLICY
The installed Oracle Home drive should not be accessible to Everyone Group.
DOMAIN_USERS_NAME
POLICY
Domain Users Group Member of Local Users Group
DOMAIN_USERS_DESC
POLICY
Ensures domain server local Users group does not have Domain Users group
DOMAIN_USERS_IMPACT
POLICY
Including the Domain Users group in the local Users group of the database server gives every account in the domain local user rights on that server, including the ability to log on to it.
DOMAIN_USERS_RECOMM
POLICY
Remove the Domain Users group from the local Users group.
WIN_TOOLS_NAME
POLICY
Windows Tools Permission
WIN_TOOLS_DESC
POLICY
Ensures the Oracle service account does not have permissions on Windows tools
WIN_TOOLS_IMPACT
POLICY
Granting the Oracle service account permissions on Windows tools may cause serious security issues: anyone who compromises the database service can then run those tools with the service account's rights.
WIN_TOOLS_RECOMM
POLICY
Remove the Oracle service account's permissions on Windows tools.
WEBCACHE_NAME
POLICY
Web Cache Initialization File Permission
WEBCACHE_NAME_NT
POLICY
Web Cache Initialization File Permission (Windows)
WEBCACHE_DESC
POLICY
Ensures the Web Cache initialization file (webcache.xml) permissions are limited to the Oracle software set and DBA group
WEBCACHE_IMPACT
POLICY
Web Cache stores sensitive information in the initialization file (webcache.xml). A publicly accessible Web Cache initialization file can be used to extract sensitive data like the administrator password hash.
WEBCACHE_RECOMM
POLICY
Restrict Web Cache initialization file (webcache.xml) access to the Oracle software set and DBA group.
SNMP_RO_NAME
POLICY
Oracle Agent SNMP Read-Only Configuration File Permission
SNMP_RO_NAME_NT
POLICY
Oracle Agent SNMP Read-Only Configuration File Permission (Windows)
SNMP_RO_DESC
POLICY
Ensures Oracle Agent SNMP read-only configuration file (snmp_ro.ora) permissions are limited to the Oracle software set and DBA group
SNMP_RO_IMPACT
POLICY
The Oracle Agent SNMP read-only configuration file (snmp_ro.ora) contains the listening address of the agent, the names of SQL*Net listener and Oracle database services it knows about, plus tracing parameters. A publicly accessible SNMP read-only configuration file can be used to extract sensitive data like the tracing directory location, dbsnmp address, etc.
SNMP_RO_RECOMM
POLICY
Restrict Oracle Agent SNMP read-only configuration file (snmp_ro.ora) access to the Oracle software set and DBA group.
SNMP_RW_NAME
POLICY
Oracle Agent SNMP Read-Write Configuration File Permission
SNMP_RW_NAME_NT
POLICY
Oracle Agent SNMP Read-Write Configuration File Permission (Windows)
SNMP_RW_DESC
POLICY
Ensures Oracle Agent SNMP read-write configuration file (snmp_rw.ora) permissions are limited to the Oracle software set and DBA group
SNMP_RW_IMPACT
POLICY
The Oracle Agent SNMP read-write configuration file (snmp_rw.ora) contains the listening address of the agent, the names of SQL*Net listener and Oracle database services it knows about, plus tracing parameters. A publicly accessible SNMP read-write configuration file can be used to extract sensitive data like the tracing directory location, dbsnmp address, etc.
SNMP_RW_RECOMM
POLICY
Restrict Oracle Agent SNMP read-write configuration file (snmp_rw.ora) access to the Oracle software set and DBA group.
WDBSVR_NAME
POLICY
Oracle HTTP Server mod_plsql Configuration File Permission
WDBSVR_NAME_NT
POLICY
Oracle HTTP Server mod_plsql Configuration File Permission (Windows)
WDBSVR_DESC
POLICY
Ensures Oracle HTTP Server mod_plsql Configuration file (wdbsvr.app) permissions are limited to the Oracle software set and DBA group
WDBSVR_IMPACT
POLICY
The Oracle HTTP Server mod_plsql configuration file (wdbsvr.app) contains the Database Access Descriptors used for authentication. A publicly accessible mod_plsql configuration file can allow a malicious user to modify the Database Access Descriptor settings to gain access to PL/SQL applications or launch a Denial Of Service attack.
WDBSVR_RECOMM
POLICY
Restrict Oracle HTTP Server mod_plsql configuration file (wdbsvr.app) access to the Oracle software set and DBA group.
XSQL_NAME
POLICY
Oracle XSQL Configuration File Permission
XSQL_NAME_NT
POLICY
Oracle XSQL Configuration File Permission (Windows)
XSQL_DESC
POLICY
Ensures Oracle XSQL configuration file (XSQLConfig.xml) permissions are limited to the Oracle software set and DBA group
XSQL_IMPACT
POLICY
The Oracle XSQL configuration file (XSQLConfig.xml) contains sensitive database connection information. A publicly accessible XSQL configuration file can expose the database username and password, which can be used to access sensitive data or to launch further attacks.
XSQL_RECOMM
POLICY
Restrict Oracle XSQL configuration file (XSQLConfig.xml) access to the Oracle software set and DBA group.
HTACCESS_NAME
POLICY
Oracle HTTP Server Distributed Configuration Files Permission
HTACCESS_NAME_NT
POLICY
Oracle HTTP Server Distributed Configuration Files Permission (Windows)
HTACCESS_DESC
POLICY
Ensures Oracle HTTP Server Distributed Configuration Files permissions are limited to the Oracle software set and DBA group
HTACCESS_IMPACT
POLICY
The Oracle HTTP Server distributed configuration file (usually .htaccess) is used for access control and authentication of web folders. This file can be modified to gain access to pages containing sensitive information.
HTACCESS_RECOMM
POLICY
Restrict Oracle HTTP Server Distributed configuration files access to the Oracle software set and DBA group.
WEBCACHE_OWNER_NAME
POLICY
Web Cache Initialization File Owner
WEBCACHE_OWNER_DESC
POLICY
Ensures Web Cache initialization file (webcache.xml) is owned by Oracle software owner
WEBCACHE_OWNER_IMPACT
POLICY
Web Cache stores sensitive information in the initialization file (webcache.xml). A publicly accessible Web Cache initialization file can be used to extract sensitive data like the administrator password hash.
WEBCACHE_OWNER_RECOMM
POLICY
Restrict permissions of the Web Cache initialization file (webcache.xml) to the owner of the Oracle software set and the DBA group.
SNMP_RO_OWNER_NAME
POLICY
Oracle Agent SNMP Read-Only Configuration File Owner
SNMP_RO_OWNER_DESC
POLICY
Ensures Oracle Agent SNMP read-only configuration file (snmp_ro.ora) is owned by Oracle software owner
SNMP_RO_OWNER_IMPACT
POLICY
The Oracle Agent SNMP read-only configuration file (snmp_ro.ora) contains the listening address of the agent, the names of SQL*Net listener and Oracle database services it knows about, plus tracing parameters. A publicly accessible SNMP read-only configuration file can be used to extract sensitive data like the tracing directory location, dbsnmp address, etc.
SNMP_RO_OWNER_RECOMM
POLICY
Restrict permissions of the Oracle Agent SNMP read-only configuration file (snmp_ro.ora) to the owner of the Oracle software set and the DBA group.
SNMP_RW_OWNER_NAME
POLICY
Oracle Agent SNMP Read-Write Configuration File Owner
SNMP_RW_OWNER_DESC
POLICY
Ensures Oracle Agent SNMP read-write configuration file (snmp_rw.ora) is owned by Oracle software owner
SNMP_RW_OWNER_IMPACT
POLICY
The Oracle Agent SNMP read-write configuration file (snmp_rw.ora) contains the listening address of the agent, the names of SQL*Net listener and Oracle database services it knows about, plus tracing parameters. A publicly accessible SNMP read-write configuration file can be used to extract sensitive data like the tracing directory location, dbsnmp address, etc.
SNMP_RW_OWNER_RECOMM
POLICY
Restrict permissions of the Oracle Agent SNMP read-write configuration file (snmp_rw.ora) to the owner of the Oracle software set and the DBA group.
WDBSVR_OWNER_NAME
POLICY
Oracle HTTP Server mod_plsql Configuration File Owner
WDBSVR_OWNER_DESC
POLICY
Ensures Oracle HTTP Server mod_plsql configuration file (wdbsvr.app) is owned by Oracle software owner
WDBSVR_OWNER_IMPACT
POLICY
The Oracle HTTP Server mod_plsql configuration file (wdbsvr.app) contains the Database Access Descriptors used for authentication. A publicly accessible mod_plsql configuration file can allow a malicious user to modify the Database Access Descriptor settings to gain access to PL/SQL applications or launch a Denial Of Service attack.
WDBSVR_OWNER_RECOMM
POLICY
Restrict permissions of the Oracle HTTP Server mod_plsql configuration file (wdbsvr.app) to the owner of the Oracle software set and the DBA group.
XSQL_OWNER_NAME
POLICY
Oracle XSQL Configuration File Owner
XSQL_OWNER_DESC
POLICY
Ensures Oracle XSQL configuration file (XSQLConfig.xml) is owned by Oracle software owner
XSQL_OWNER_IMPACT
POLICY
The Oracle XSQL configuration file (XSQLConfig.xml) contains sensitive database connection information. A publicly accessible XSQL configuration file can expose the database username and password, which can be used to access sensitive data or to launch further attacks.
XSQL_OWNER_RECOMM
POLICY
Restrict permissions of the Oracle XSQL configuration file (XSQLConfig.xml) to the owner of the Oracle software set and the DBA group.
HTACCESS_OWNER_NAME
POLICY
Oracle HTTP Server Distributed Configuration File Owner
HTACCESS_OWNER_DESC
POLICY
Ensures Oracle HTTP Server distributed configuration file ownership is restricted to the Oracle software set and DBA group
HTACCESS_OWNER_IMPACT
POLICY
The Oracle HTTP Server distributed configuration file (usually .htaccess) is used for access control and authentication of web folders. This file can be modified to gain access to pages containing sensitive information.
HTACCESS_OWNER_RECOMM
POLICY
Restrict Oracle HTTP Server distributed configuration file ownership to the Oracle software set and DBA group.
ALL_PRIVILEGE_NAME
POLICY
Granting of ALL PRIVILEGES
ALL_PRIVILEGE_DESC
POLICY
Ensures ALL PRIVILEGES is never granted to any user or role
ALL_PRIVILEGE_IMPACT
POLICY
A privilege can be granted to any user or role. Excessive privileges can be misused. Never grant ALL PRIVILEGES to any user or role.
ALL_PRIVILEGE_RECOMM
POLICY
Never grant ALL PRIVILEGES to any user or role.
SELECT_ANY_TABLE_NAME
POLICY
Granting SELECT ANY TABLE Privilege
SELECT_ANY_TABLE_DESC
POLICY
Ensures the SELECT ANY TABLE privilege is never granted to any user or role
SELECT_ANY_TABLE_IMPACT
POLICY
The SELECT ANY TABLE privilege gives a user or role the ability to view data in tables that it does not own. A malicious user with access to any account that holds this privilege can use it to gain access to sensitive data.
SELECT_ANY_TABLE_RECOMM
POLICY
Never grant SELECT ANY TABLE privilege.
SELECT_PRIVILEGE_NAME
POLICY
Access to DBA_* Views
SELECT_PRIVILEGE_DESC
POLICY
Ensures the SELECT privilege is never granted on any DBA_* view
SELECT_PRIVILEGE_IMPACT
POLICY
The DBA_* views provide access to privileges and policy settings of the database. Some of these views also allow viewing of sensitive PL/SQL code that can be used to understand the security policies.
SELECT_PRIVILEGE_RECOMM
POLICY
The SELECT privilege should not be granted on any DBA_* view. If users do hold the SELECT privilege on these views, ensure all access to the DBA_* views is audited.
INSERT_FAILURE_NAME
POLICY
Audit Insert Failure
INSERT_FAILURE_DESC
POLICY
Ensures that insert failures are audited for critical data objects
INSERT_FAILURE_IMPACT
POLICY
Not auditing insert failures for critical data objects may allow a malicious user's attempts to compromise system security to go undetected.
INSERT_FAILURE_RECOMM
POLICY
Audit insert failures for critical data objects.
EXECUTE_AND_OTHER_PRIVLEGES_NAME
POLICY
EXECUTE and READ/WRITE privileges on Directory Objects
EXECUTE_AND_OTHER_PRIVLEGES_DESC
POLICY
Ensures that one user does not have EXECUTE and READ/WRITE privileges on the same directory object
EXECUTE_AND_OTHER_PRIVLEGES_IMPACT
POLICY
A knowledgeable malicious user can take advantage of a directory object on which EXECUTE privilege is granted together with READ/WRITE privilege.
EXECUTE_AND_OTHER_PRIVLEGES_RECOMM
POLICY
Oracle recommends that no user be granted EXECUTE privilege together with READ/WRITE privilege on the same directory object.
PUBLIC_EXECUTE_PRIV_DIROBJ_NAME
POLICY
EXECUTE privileges on Directory Objects to PUBLIC
PUBLIC_EXECUTE_PRIV_DIROBJ_DESC
POLICY
Ensures that PUBLIC does not have EXECUTE privileges on directory objects.
PUBLIC_EXECUTE_PRIV_DIROBJ_IMPACT
POLICY
A knowledgeable malicious user can take advantage of a directory object on which EXECUTE privilege has been granted to PUBLIC.
PUBLIC_EXECUTE_PRIV_DIROBJ_RECOMM
POLICY
Oracle recommends that PUBLIC not be granted EXECUTE privilege on directory objects.