
Attempts to bypass access controls should be audited.


Overview

Finding ID: V-15644
Version: DG0141-ORACLE10
Rule ID: SV-24800r1_rule
IA Controls: ECAR-2, ECAR-3
Severity: Medium
Description
Configuring proper auditing is critical to recording any malicious events or detecting when attacks on the database occur. Auditing can be turned on for any SQL statement or any use of a system privilege. Auditing can be enabled for all users (system wide) or for specific users. You may indicate whether one audit record for each access to an object or one audit record for the entire session is generated. You can enable auditing for commands that result in success, commands that result in failure, or both. Not all audit options can be audited by session. Audit options set using the BY SESSION clause for those actions that will not produce a session audit record will default to BY ACCESS.
STIG: Oracle 10 Database Instance STIG
Date: 2014-01-14

Details

Check Text (None)
None
Fix Text (F-22790r1_fix)
There are three (3) types of auditable events: 1) Use of system privileges, 2) Use of object privileges, and 3) Issuance of statements. Activating some auditing options sometimes activates others. For example, the use of a system privilege requires the issuance of a system command. Auditing for use of the privilege also audits for the statement.

Configure auditing for Oracle as follows:

From SQL*Plus:
audit all by access;
audit all privileges by access;
audit alter java class by access;
audit alter java resource by access;
audit alter java source by access;
audit alter sequence by access;
audit alter table by access;
audit comment table by access;
audit create java class by access;
audit create java resource by access;
audit create java source by access;
audit debug procedure by access;
audit drop java class by access;
audit drop java resource by access;
audit drop java source by access;
audit exempt access policy by access;
audit exempt identity policy by access;
audit grant directory by access;
audit grant procedure by access;
audit grant sequence by access;
audit grant table by access;
audit grant type by access;
audit sysdba by access;
audit sysoper by access;

The following SQL statements disable the audit option set by the commands above that is not required, and enable RENAME auditing by default for objects created afterwards:

noaudit execute library;
audit rename on default by access;

If application objects have already been created, then the audit rename on object statement should be issued for all application objects.

From SQL*Plus:
audit rename on [application object name] by access;
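Because the Check Text for this rule is empty, the following verification queries are added here as an example; they are not part of the STIG text. They assume a user with SELECT on the DBA_ views (for example SYS), Oracle 10g data dictionary view names, option names spelled as in the Fix Text above, and APPSCHEMA as a placeholder for the application schema.

```sql
-- Added verification queries (not part of the STIG text). Assumes a user
-- with SELECT on the DBA_ views, Oracle 10g dictionary view names, and
-- APPSCHEMA as a placeholder for the application schema.

-- 1. AUDIT statements record nothing unless an audit trail destination is
--    enabled (DB, DB,EXTENDED, OS, XML or XML,EXTENDED); NONE means no trail.
SELECT name, value FROM v$parameter WHERE name = 'audit_trail';

-- 2. Options from the Fix Text that are absent, or recorded only by session
--    or only on success/failure, across the statement and privilege views.
--    user_name IS NULL selects the system-wide (all users) setting.
WITH required AS (
  SELECT column_value AS opt FROM TABLE(sys.odcivarchar2list(
    'ALTER SEQUENCE','ALTER TABLE','COMMENT TABLE','DEBUG PROCEDURE',
    'EXEMPT ACCESS POLICY','EXEMPT IDENTITY POLICY','GRANT DIRECTORY',
    'GRANT PROCEDURE','GRANT SEQUENCE','GRANT TABLE','GRANT TYPE',
    'ALTER JAVA CLASS','ALTER JAVA RESOURCE','ALTER JAVA SOURCE',
    'CREATE JAVA CLASS','CREATE JAVA RESOURCE','CREATE JAVA SOURCE',
    'DROP JAVA CLASS','DROP JAVA RESOURCE','DROP JAVA SOURCE',
    'SYSDBA','SYSOPER'))),
configured AS (
  SELECT audit_option AS opt, success, failure
    FROM dba_stmt_audit_opts WHERE user_name IS NULL
  UNION ALL
  SELECT privilege, success, failure
    FROM dba_priv_audit_opts WHERE user_name IS NULL)
SELECT r.opt, c.success, c.failure
  FROM required r LEFT JOIN configured c ON c.opt = r.opt
 WHERE c.opt IS NULL OR c.success <> 'BY ACCESS' OR c.failure <> 'BY ACCESS';

-- 3. Default RENAME auditing ('A/A' = by access on success and failure) and
--    per-object RENAME auditing for the application schema's objects.
SELECT ren FROM all_def_audit_opts;
SELECT owner, object_name, object_type, ren
  FROM dba_obj_audit_opts
 WHERE owner = 'APPSCHEMA' AND ren <> 'A/A';

-- 4. What the trail then yields: failed actions in the last day. A nonzero
--    returncode is the ORA error number; ORA-01031 (insufficient privileges)
--    and ORA-00942 (object not visible) are the usual signs of an access
--    control bypass attempt worth reviewing.
SELECT timestamp, username, userhost, action_name, owner, obj_name,
       priv_used, returncode
  FROM dba_audit_trail
 WHERE returncode <> 0 AND timestamp > SYSDATE - 1
 ORDER BY timestamp;
```

Any rows returned by query 2 or 3 indicate an option that is missing or not set BY ACCESS; query 1 must not return NONE or the other results are moot.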