Oracle Database 18c CIS V1.0.0

Here is a list of all controls implemented in this puppet module. The link takes you to the documentation of the implementation class.

1 Oracle Database Installation and Patching Requirements

1.1 Ensure the Appropriate Version/Patches for Oracle Software Is Installed (Unscored)

2 Oracle Parameter Settings

2.1 Listener Settings
2.1.1 Ensure ‘SECURE_CONTROL_’ Is Set In ‘listener.ora’ (Automated)
2.1.2 Ensure ‘extproc’ Is Not Present in ‘listener.ora’ (Automated)
2.1.3 Ensure ‘ADMIN_RESTRICTIONS_’ Is Set to ‘ON’ (Automated)
2.1.4 Ensure ‘SECURE_REGISTER_’ Is Set to ‘TCPS’ or ‘IPC’ (Automated)
2.2 Database Settings
2.2.1 Ensure ‘AUDIT_SYS_OPERATIONS’ Is Set to ‘TRUE’ (Automated)
2.2.2 Ensure ‘AUDIT_TRAIL’ Is Set to ‘DB’, ‘XML’, ‘OS’, ‘DB,EXTENDED’, or ‘XML,EXTENDED’ (Automated)
2.2.3 Ensure ‘GLOBAL_NAMES’ Is Set to ‘TRUE’ (Automated)
2.2.4 Ensure ‘O7_DICTIONARY_ACCESSIBILITY’ Is Set to ‘FALSE’ (Automated)
2.2.5 Ensure ‘OS_ROLES’ Is Set to ‘FALSE’ (Automated)
2.2.6 Ensure ‘REMOTE_LISTENER’ Is Empty (Automated)
2.2.7 Ensure ‘REMOTE_LOGIN_PASSWORDFILE’ Is Set to ‘NONE’ (Automated)
2.2.8 Ensure ‘REMOTE_OS_AUTHENT’ Is Set to ‘FALSE’ (Automated)
2.2.9 Ensure ‘REMOTE_OS_ROLES’ Is Set to ‘FALSE’ (Automated)
2.2.10 Ensure ‘SEC_CASE_SENSITIVE_LOGON’ Is Set to ‘TRUE’ (Automated)
2.2.11 Ensure ‘SEC_MAX_FAILED_LOGIN_ATTEMPTS’ Is ‘3’ or Less (Automated)
2.2.12 Ensure ‘SEC_PROTOCOL_ERROR_FURTHER_ACTION’ Is Set to ‘(DROP,3)’ (Automated)
2.2.13 Ensure ‘SEC_PROTOCOL_ERROR_TRACE_ACTION’ Is Set to ‘LOG’ (Automated)
2.2.14 Ensure ‘SEC_RETURN_SERVER_RELEASE_BANNER’ Is Set to ‘FALSE’ (Automated)
2.2.15 Ensure ‘SQL92_SECURITY’ Is Set to ‘TRUE’ (Automated)
2.2.16 Ensure ‘_trace_files_public’ Is Set to ‘FALSE’ (Automated)
2.2.17 Ensure ‘RESOURCE_LIMIT’ Is Set to ‘TRUE’ (Automated)

3 Oracle Connection and Login Restrictions

3.1 Ensure ‘FAILED_LOGIN_ATTEMPTS’ Is Less than or Equal to ‘5’ (Automated)
3.2 Ensure ‘PASSWORD_LOCK_TIME’ Is Greater than or Equal to ‘1’ (Automated)
3.3 Ensure ‘PASSWORD_LIFE_TIME’ Is Less than or Equal to ‘90’ (Automated)
3.4 Ensure ‘PASSWORD_REUSE_MAX’ Is Greater than or Equal to ‘20’ (Automated)
3.5 Ensure ‘PASSWORD_REUSE_TIME’ Is Greater than or Equal to ‘365’ (Automated)
3.6 Ensure ‘PASSWORD_GRACE_TIME’ Is Less than or Equal to ‘5’ (Automated)
3.7 Ensure ‘PASSWORD_VERIFY_FUNCTION’ Is Set for All Profiles (Automated)
3.8 Ensure ‘SESSIONS_PER_USER’ Is Less than or Equal to ‘10’ (Automated)
3.9 Ensure ‘INACTIVE_ACCOUNT_TIME’ Is Less than or Equal to ‘120’ (Automated)

4 Users

4.1 Ensure All Default Passwords Are Changed (Automated)
4.2 Ensure All Sample Data And Users Have Been Removed (Automated)
4.3 Ensure ‘DBA_USERS.AUTHENTICATION_TYPE’ Is Not Set to ‘EXTERNAL’ for Any User (Automated)
4.4 Ensure No Users Are Assigned the ‘DEFAULT’ Profile (Automated)
4.5 Ensure ‘SYS.USER$MIG’ Has Been Dropped (Automated)
4.6 Ensure No Public Database Links Exist (Automated)

5 Privileges & Grants & ACLs

5.1 Excessive Table, View and Package Privileges
5.1.1 Public Privileges
5.1.1.1 Ensure ‘EXECUTE’ is revoked from ‘PUBLIC’ on “Network” Packages (Automated)
5.1.1.2 Ensure ‘EXECUTE’ is revoked from ‘PUBLIC’ on “File System” Packages (Automated)
5.1.1.3 Ensure ‘EXECUTE’ is revoked from ‘PUBLIC’ on “Encryption” Packages (Automated)
5.1.1.4 Ensure ‘EXECUTE’ is revoked from ‘PUBLIC’ on “Java” Packages (Automated)
5.1.1.5 Ensure ‘EXECUTE’ is revoked from ‘PUBLIC’ on “Job Scheduler” Packages (Automated)
5.1.1.6 Ensure ‘EXECUTE’ is revoked from ‘PUBLIC’ on “SQL Injection Helper” Packages (Automated)
5.1.2 Non-Default Privileges
5.1.2.1 Ensure ‘EXECUTE’ is not granted to ‘PUBLIC’ on “Non-default” Packages (Automated)
5.1.3 Other Privileges
5.1.3.1 Ensure ‘ALL’ Is Revoked from Unauthorized ‘GRANTEE’ on ‘AUD$’ (Automated)
5.1.3.2 Ensure ‘ALL’ Is Revoked from Unauthorized ‘GRANTEE’ on ‘DBA_%’ (Automated)
5.1.3.3 Ensure ‘ALL’ Is Revoked on ‘Sensitive’ Tables (Automated)
5.2 Excessive System Privileges
5.2.1 Ensure ‘%ANY%’ Is Revoked from Unauthorized ‘GRANTEE’ (Automated)
5.2.2 Ensure ‘DBA_SYS_PRIVS.%’ Is Revoked from Unauthorized ‘GRANTEE’ with ‘ADMIN_OPTION’ Set to ‘YES’ (Automated)
5.2.3 Ensure ‘EXECUTE ANY PROCEDURE’ Is Revoked from ‘OUTLN’ (Automated)
5.2.4 Ensure ‘EXECUTE ANY PROCEDURE’ Is Revoked from ‘DBSNMP’ (Automated)
5.2.5 Ensure ‘SELECT ANY DICTIONARY’ Is Revoked from Unauthorized ‘GRANTEE’ (Automated)
5.2.6 Ensure ‘SELECT ANY TABLE’ Is Revoked from Unauthorized ‘GRANTEE’ (Automated)
5.2.7 Ensure ‘AUDIT SYSTEM’ Is Revoked from Unauthorized ‘GRANTEE’ (Automated)
5.2.8 Ensure ‘EXEMPT ACCESS POLICY’ Is Revoked from Unauthorized ‘GRANTEE’ (Automated)
5.2.9 Ensure ‘BECOME USER’ Is Revoked from Unauthorized ‘GRANTEE’ (Automated)
5.2.10 Ensure ‘CREATE PROCEDURE’ Is Revoked from Unauthorized ‘GRANTEE’ (Automated)
5.2.11 Ensure ‘ALTER SYSTEM’ Is Revoked from Unauthorized ‘GRANTEE’ (Automated)
5.2.12 Ensure ‘CREATE ANY LIBRARY’ Is Revoked from Unauthorized ‘GRANTEE’ (Automated)
5.2.13 Ensure ‘CREATE LIBRARY’ Is Revoked from Unauthorized ‘GRANTEE’ (Automated)
5.2.14 Ensure ‘GRANT ANY OBJECT PRIVILEGE’ Is Revoked from Unauthorized ‘GRANTEE’ (Automated)
5.2.15 Ensure ‘GRANT ANY ROLE’ Is Revoked from Unauthorized ‘GRANTEE’ (Automated)
5.2.16 Ensure ‘GRANT ANY PRIVILEGE’ Is Revoked from Unauthorized ‘GRANTEE’ (Automated)
5.3 Excessive Role Privileges
5.3.1 Ensure ‘SELECT_CATALOG_ROLE’ Is Revoked from Unauthorized ‘GRANTEE’ (Automated)
5.3.2 Ensure ‘EXECUTE_CATALOG_ROLE’ Is Revoked from Unauthorized ‘GRANTEE’ (Automated)
5.3.3 Ensure ‘DBA’ Is Revoked from Unauthorized ‘GRANTEE’ (Automated)

6 Audit/Logging Policies and Procedures

6.1 Traditional Auditing
6.1.1 Ensure the ‘USER’ Audit Option Is Enabled (Automated)
6.1.2 Ensure the ‘ROLE’ Audit Option Is Enabled (Automated)
6.1.3 Ensure the ‘SYSTEM GRANT’ Audit Option Is Enabled (Automated)
6.1.4 Ensure the ‘PROFILE’ Audit Option Is Enabled (Automated)
6.1.5 Ensure the ‘DATABASE LINK’ Audit Option Is Enabled (Automated)
6.1.6 Ensure the ‘PUBLIC DATABASE LINK’ Audit Option Is Enabled (Automated)
6.1.7 Ensure the ‘PUBLIC SYNONYM’ Audit Option Is Enabled (Automated)
6.1.8 Ensure the ‘SYNONYM’ Audit Option Is Enabled (Automated)
6.1.9 Ensure the ‘DIRECTORY’ Audit Option Is Enabled (Automated)
6.1.10 Ensure the ‘SELECT ANY DICTIONARY’ Audit Option Is Enabled (Automated)
6.1.11 Ensure the ‘GRANT ANY OBJECT PRIVILEGE’ Audit Option Is Enabled (Automated)
6.1.12 Ensure the ‘GRANT ANY PRIVILEGE’ Audit Option Is Enabled (Automated)
6.1.13 Ensure the ‘DROP ANY PROCEDURE’ Audit Option Is Enabled (Automated)
6.1.14 Ensure the ‘ALL’ Audit Option on ‘SYS.AUD$’ Is Enabled (Automated)
6.1.15 Ensure the ‘PROCEDURE’ Audit Option Is Enabled (Automated)
6.1.16 Ensure the ‘ALTER SYSTEM’ Audit Option Is Enabled (Automated)
6.1.17 Ensure the ‘TRIGGER’ Audit Option Is Enabled (Automated)
6.1.18 Ensure the ‘CREATE SESSION’ Audit Option Is Enabled (Automated)
6.2 Unified Auditing
6.2.1 Ensure the ‘CREATE USER’ Action Audit Is Enabled (Automated)
6.2.2 Ensure the ‘ALTER USER’ Action Audit Is Enabled (Automated)
6.2.3 Ensure the ‘DROP USER’ Audit Option Is Enabled (Automated)
6.2.4 Ensure the ‘CREATE ROLE’ Action Audit Is Enabled (Automated)
6.2.5 Ensure the ‘ALTER ROLE’ Action Audit Is Enabled (Automated)
6.2.6 Ensure the ‘DROP ROLE’ Action Audit Is Enabled (Automated)
6.2.7 Ensure the ‘GRANT’ Action Audit Is Enabled (Automated)
6.2.8 Ensure the ‘REVOKE’ Action Audit Is Enabled (Automated)
6.2.9 Ensure the ‘CREATE PROFILE’ Action Audit Is Enabled (Automated)
6.2.10 Ensure the ‘ALTER PROFILE’ Action Audit Is Enabled (Automated)
6.2.11 Ensure the ‘DROP PROFILE’ Action Audit Is Enabled (Automated)
6.2.12 Ensure the ‘CREATE DATABASE LINK’ Action Audit Is Enabled (Automated)
6.2.13 Ensure the ‘ALTER DATABASE LINK’ Action Audit Is Enabled (Automated)
6.2.14 Ensure the ‘DROP DATABASE LINK’ Action Audit Is Enabled (Automated)
6.2.15 Ensure the ‘CREATE SYNONYM’ Action Audit Is Enabled (Automated)
6.2.16 Ensure the ‘ALTER SYNONYM’ Action Audit Is Enabled (Automated)
6.2.17 Ensure the ‘DROP SYNONYM’ Action Audit Is Enabled (Automated)
6.2.18 Ensure the ‘SELECT ANY DICTIONARY’ Privilege Audit Is Enabled (Automated)
6.2.19 Ensure the ‘AUDSYS.AUD$UNIFIED’ Access Audit Is Enabled (Automated)
6.2.20 Ensure the ‘CREATE PROCEDURE/FUNCTION/PACKAGE/PACKAGE BODY’ Action Audit Is Enabled (Automated)
6.2.21 Ensure the ‘ALTER PROCEDURE/FUNCTION/PACKAGE/PACKAGE BODY’ Action Audit Is Enabled (Automated)
6.2.22 Ensure the ‘DROP PROCEDURE/FUNCTION/PACKAGE/PACKAGE BODY’ Action Audit Is Enabled (Automated)
6.2.23 Ensure the ‘ALTER SYSTEM’ Privilege Audit Is Enabled (Automated)
6.2.24 Ensure the ‘CREATE TRIGGER’ Action Audit Is Enabled (Automated)
6.2.25 Ensure the ‘ALTER TRIGGER’ Action Audit IS Enabled (Automated)
6.2.26 Ensure the ‘DROP TRIGGER’ Action Audit Is Enabled (Automated)
6.2.27 Ensure the ‘LOGON’ AND ‘LOGOFF’ Actions Audit Is Enabled (Automated)