STIGQter: STIG Summary: Oracle Database 12c Security Technical Implementation Guide Version: 1 Release: 16 Benchmark Date: 24 Jan 2020: The DBMS must automatically audit account creation.

DISA Rule

SV-76055r2_rule

Vulnerability Number

V-61565

Group Title

SRG-APP-000026-DB-000005

Rule Version

O121-C2-002200

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure Oracle to audit account creation activities.

If Standard Auditing is used:
Use this process to ensure auditable events are captured:
ALTER SYSTEM SET AUDIT_TRAIL=<audit trail type> SCOPE=SPFILE;
Audit trail type can be 'OS', 'DB', 'DB,EXTENDED', 'XML' or 'XML,EXTENDED'.
After executing this statement, it may be necessary to shut down and restart the Oracle database.

If Unified Auditing is used:
To ensure auditable events are captured:
Link the oracle binary with uniaud_on, and then restart the database. Oracle Database Upgrade Guide describes how to enable unified auditing. Reference V-61625 for information on how to configure a policy to audit account creation.

For more information on the configuration of auditing, refer to the following documents:
"Auditing Database Activity" in the Oracle Database 2 Day + Security Guide:
http://docs.oracle.com/database/121/TDPSG/tdpsg_auditing.htm#TDPSG50000
"Monitoring Database Activity with Auditing" in the Oracle Database Security Guide:
http://docs.oracle.com/database/121/DBSEG/part_6.htm#CCHEHCGI
"DBMS_AUDIT_MGMT" in the Oracle Database PL/SQL Packages and Types Reference:
http://docs.oracle.com/database/121/ARPLS/d_audit_mgmt.htm#ARPLS241
Oracle Database Upgrade Guide:
http://docs.oracle.com/database/121/UPGRD/afterup.htm#UPGRD52810

Check Contents

Check Oracle settings (and, where applicable, OS settings and enterprise-level authentication/access mechanism settings) to determine whether account creation is being audited. If account creation is not being audited by Oracle, this is a finding.

If Standard Auditing is used:
To see if Oracle is configured to capture audit data, enter the following SQL*Plus command:
SHOW PARAMETER AUDIT_TRAIL
or the following SQL query:
SELECT * FROM SYS.V$PARAMETER WHERE NAME = 'audit_trail';
If Oracle returns the value 'NONE', this is a finding.

If Unified Auditing is used:
To see if Oracle is configured to capture audit data including account creation, enter the following SQL*Plus command:
SELECT ' Account creation is not being audited. '
  FROM dual
 WHERE (SELECT COUNT(*)
          FROM (SELECT policy_name, audit_option
                  FROM audit_unified_policies
                 WHERE audit_option = 'CREATE USER'
                   AND policy_name IN (SELECT policy_name
                                         FROM audit_unified_enabled_policies
                                        WHERE user_name = 'ALL USERS'))) = 0
    OR (SELECT value
          FROM v$option
         WHERE parameter = 'Unified Auditing') != 'TRUE';

If Oracle returns "no rows selected", this is not a finding.
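The remediation the fix recommendation describes, as an added SQL example that is not part of the STIG text: the statements for both auditing modes, followed by a positive check of what is actually enabled (the STIG check above reports only the negative case). The policy name audit_account_mgmt is a constructed example, and the CREATE AUDIT POLICY / AUDIT POLICY syntax is Oracle's own (the policy detail this rule defers to V-61625), not quoted from this page; run it as a user holding SYSDBA or AUDIT_ADMIN.

```sql
-- Added example for O121-C2-002200, not part of the STIG text.
-- Assumes SYSDBA or AUDIT_ADMIN; audit_account_mgmt is a constructed policy name.

-- Option A: Standard Auditing.
-- Statement auditing only produces records when AUDIT_TRAIL is not NONE;
-- the parameter is static, so it is set in the SPFILE and needs a restart.
ALTER SYSTEM SET AUDIT_TRAIL = 'DB,EXTENDED' SCOPE = SPFILE;
-- (shut down and restart the instance here)

-- Record every CREATE USER, whether it succeeds or fails.
AUDIT CREATE USER;

-- Verify: one row with SUCCESS/FAILURE = 'BY ACCESS' is expected;
-- no row means CREATE USER is not audited (a finding).
SELECT user_name, audit_option, success, failure
  FROM dba_stmt_audit_opts
 WHERE audit_option = 'CREATE USER';

-- Option B: Unified Auditing (binary already relinked with uniaud_on).
-- A policy only describes what to capture; it audits nothing until enabled.
CREATE AUDIT POLICY audit_account_mgmt
  ACTIONS CREATE USER;

-- AUDIT POLICY without a BY clause enables it for all users, which is what
-- the STIG check looks for (user_name = 'ALL USERS').
AUDIT POLICY audit_account_mgmt;

-- Verify: which enabled policies cover CREATE USER, and for whom.
-- A row for 'ALL USERS' satisfies the check; rows only for named users,
-- or no rows at all, leave the control unmet.
SELECT e.policy_name, e.user_name, e.success, e.failure
  FROM audit_unified_enabled_policies e
  JOIN audit_unified_policies p ON p.policy_name = e.policy_name
 WHERE p.audit_option = 'CREATE USER';

-- Caveat: in mixed mode (uniaud_on not yet linked) V$OPTION reports
-- 'Unified Auditing' = FALSE, so the STIG check still fails even though
-- the policy above is enabled.
SELECT value FROM v$option WHERE parameter = 'Unified Auditing';
```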

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

2679

Comments