STIGQter: STIG Summary: Oracle Database 12c Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021: STIGQter: STIG Summary: Oracle Database 12c Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:SV-220276r395739_rule
V-220276
SRG-APP-000101-DB-000044
O121-C2-008000
CAT II
10
Either configure the DBMS's auditing to audit organization-defined auditable events, or, if preferred, use a third-party or custom tool. The tool must provide the minimum capability to audit the required events.
If using a third-party product, proceed in accordance with the product documentation. If using Oracle's capabilities, proceed as follows.
If Standard Auditing is used:
Use this process to ensure auditable events are captured:
ALTER SYSTEM SET AUDIT_TRAIL=<audit trail type> SCOPE=SPFILE;
Audit trail type can be "OS", "DB", "DB,EXTENDED", "XML" or "XML,EXTENDED".
After executing this statement, it may be necessary to shut down and restart the Oracle database.
If the organization-defined additional audit requirements are not covered by the default audit options, deploy and configure Fine-Grained Auditing. For details, refer to Oracle documentation at the location below.
If the site-specific audit requirements are not covered by the default audit options, deploy and configure Fine-Grained Auditing. For details, refer to Oracle documentation, at the location below.
If Unified Auditing is used:
Use this process to ensure auditable events are captured:
SELECT * FROM V$OPTION WHERE PARAMETER = 'Unified Auditing';
If Oracle returns the value "TRUE", this is not a finding.
Otherwise,
Link the oracle binary with uniaud_on, and then restart the database. Oracle Database Upgrade Guide describes how to enable unified auditing.
If the organization-defined additional audit requirements are not covered by the default audit options, deploy and configure Fine-Grained Auditing. For details, refer to Oracle documentation at the location below.
If the site-specific audit requirements are not covered by the default audit options, deploy and configure Fine-Grained Auditing. For details, refer to Oracle documentation, at the location below.
For more information on the configuration of auditing, refer to the following documents:
"Auditing Database Activity" in the Oracle Database 2 Day + Security Guide:
http://docs.oracle.com/database/121/TDPSG/tdpsg_auditing.htm#TDPSG50000
"Monitoring Database Activity with Auditing" in the Oracle Database Security Guide:
http://docs.oracle.com/database/121/DBSEG/part_6.htm#CCHEHCGI
"DBMS_AUDIT_MGMT" in the Oracle Database PL/SQL Packages and Types Reference:
http://docs.oracle.com/database/121/ARPLS/d_audit_mgmt.htm#ARPLS241
Oracle Database Upgrade Guide:
http://docs.oracle.com/database/121/UPGRD/afterup.htm#UPGRD52810
Verify, using vendor and system documentation if necessary, that the DBMS is configured to use Oracle's auditing features, or that a third-party product or custom code is deployed and configured to satisfy this requirement.
If a third-party product or custom code is used, compare its current configuration with the audit requirements. If any of the requirements is not covered by the configuration, this is a finding.
The remainder of this Check is applicable specifically where Oracle auditing is in use.
If Standard Auditing is used:
To see if Oracle is configured to capture audit data, enter the following SQL*Plus command:
SHOW PARAMETER AUDIT_TRAIL
or the following SQL query:
SELECT * FROM SYS.V$PARAMETER WHERE NAME = 'audit_trail';
If Oracle returns the value "NONE", this is a finding.
Compare the organization-defined auditable events with the Oracle documentation to determine whether standard auditing covers all the requirements.
If it does, this is not a finding.
Compare those organization-defined auditable events that are not covered by the standard auditing, with the existing Fine-Grained Auditing (FGA) specifications returned by the following query:
SELECT * FROM SYS.DBA_FGA_AUDIT_TRAIL;
If any such auditable event is not covered by the existing FGA specifications, this is a finding.
If Unified Auditing is used:
To see if Oracle is configured to capture audit data, enter the following SQL*Plus command:
SELECT * FROM V$OPTION WHERE PARAMETER = 'Unified Auditing';
If Oracle returns the value "TRUE", this is not a finding.
Compare the organization-defined auditable events with the Oracle documentation to determine whether standard auditing covers all the requirements.
If it does, this is not a finding.
Compare those organization-defined auditable events that are not covered by unified auditing with the existing Fine-Grained Auditing (FGA) specifications returned by the following query:
SELECT * FROM SYS.UNIFIED_AUDIT_TRAIL WHERE AUDIT_TYPE = 'FineGrainedAudit';
If any such auditable event is not covered by the existing FGA specifications, this is a finding.
V-220276
False
O121-C2-008000
Verify, using vendor and system documentation if necessary, that the DBMS is configured to use Oracle's auditing features, or that a third-party product or custom code is deployed and configured to satisfy this requirement.
If a third-party product or custom code is used, compare its current configuration with the audit requirements. If any of the requirements is not covered by the configuration, this is a finding.
The remainder of this Check is applicable specifically where Oracle auditing is in use.
If Standard Auditing is used:
To see if Oracle is configured to capture audit data, enter the following SQL*Plus command:
SHOW PARAMETER AUDIT_TRAIL
or the following SQL query:
SELECT * FROM SYS.V$PARAMETER WHERE NAME = 'audit_trail';
If Oracle returns the value "NONE", this is a finding.
Compare the organization-defined auditable events with the Oracle documentation to determine whether standard auditing covers all the requirements.
If it does, this is not a finding.
Compare those organization-defined auditable events that are not covered by the standard auditing, with the existing Fine-Grained Auditing (FGA) specifications returned by the following query:
SELECT * FROM SYS.DBA_FGA_AUDIT_TRAIL;
If any such auditable event is not covered by the existing FGA specifications, this is a finding.
If Unified Auditing is used:
To see if Oracle is configured to capture audit data, enter the following SQL*Plus command:
SELECT * FROM V$OPTION WHERE PARAMETER = 'Unified Auditing';
If Oracle returns the value "TRUE", this is not a finding.
Compare the organization-defined auditable events with the Oracle documentation to determine whether standard auditing covers all the requirements.
If it does, this is not a finding.
Compare those organization-defined auditable events that are not covered by unified auditing with the existing Fine-Grained Auditing (FGA) specifications returned by the following query:
SELECT * FROM SYS.UNIFIED_AUDIT_TRAIL WHERE AUDIT_TYPE = 'FineGrainedAudit';
If any such auditable event is not covered by the existing FGA specifications, this is a finding.
M
4059