12 Oracle Single Instance Database Compliance Standards
Basic Security Configuration For Oracle Cluster Database Instance
The compliance rules for the Basic Security Configuration For Oracle Cluster Database Instance standard follow.
Allowed Logon Version
Description: Ensures that the server allows logon from clients with a matching version or higher only.
Severity: Warning
Rationale: Setting the parameter SQLNET.ALLOWED_LOGON_VERSION in sqlnet.ora to a version lower than the server version will force the server to use a less secure authentication protocol.
Audit File Destination
Description: Ensures that access to the audit files directory is restricted to the owner of the Oracle software set and the DBA group.
Severity: Critical
Rationale: The AUDIT_FILE_DEST initialization parameter specifies the directory where the Oracle auditing facility creates the audit files. Giving public read permission to this directory may reveal important information such as logging information of startup, shutdown, and privileged connections.
Audit File Destination(Windows)
Description: Ensures that access to the audit files directory is restricted to the owner of the Oracle software set and the DBA group.
Severity: Critical
Rationale: The AUDIT_FILE_DEST initialization parameter specifies the directory where the Oracle auditing facility creates the audit files. Giving public read permission to this directory may reveal important information such as logging information of startup, shutdown, and privileged connections.
Auditing Of Sys Operations Enabled
Description: Ensures sessions for users who connect as SYS are fully audited
Severity: Warning
Rationale: The AUDIT_SYS_OPERATIONS parameter enables or disables the auditing of operations issued by user SYS, and users connecting with SYSDBA or SYSOPER privileges.
Background Dump Destination(Windows)
Description: Ensures that access to the trace files directory is restricted to the owner of the Oracle software set and the DBA group
Severity: Critical
Rationale: Background processes such as the log writer process and the database writer process use trace files to record occurrences and exceptions of database operations, as well as errors. The trace files are stored in the directory specified by the BACKGROUND_DUMP_DEST initialization parameter. Giving public read permission to this directory may reveal important and sensitive internal details of the database and applications.
Check Network Data Integrity On Server
Description: Ensures that the crypto_checksum_server parameter is set to recommended value in sqlnet.ora.
Severity: Warning
Rationale: This option ensures the integrity check for communication to prevent data modification.
Core Dump Destination
Description: Ensures that access to the core dump files directory is restricted to the owner of the Oracle software set and the DBA group
Severity: Critical
Rationale: Core dump files are stored in the directory specified by the CORE_DUMP_DEST initialization parameter. A public read privilege on this directory could expose sensitive information from the core dump files.
Core Dump Destination(Windows)
Description: Ensures that access to the core dump files directory is restricted to the owner of the Oracle software set and the DBA group
Severity: Critical
Rationale: Core dump files are stored in the directory specified by the CORE_DUMP_DEST initialization parameter. A public read privilege on this directory could expose sensitive information from the core dump files.
Data Dictionary Protected
Description: Ensures data dictionary protection is enabled
Severity: Critical
Rationale: The O7_DICTIONARY_ACCESSIBILITY parameter controls access to the data dictionary. Setting O7_DICTIONARY_ACCESSIBILITY to TRUE allows users with ANY system privileges to access the data dictionary. As a result, these user accounts can be exploited to gain unauthorized access to data.
Enable Database Auditing
Description: Ensures database auditing is enabled
Severity: Minor Warning
Rationale: The AUDIT_TRAIL parameter enables or disables database auditing. For database version 12c and above Unified Auditing can be used. Auditing enhances security because it enforces accountability, provides evidence of misuse, and is frequently required for regulatory compliance. Auditing also enables system administrators to implement enhanced protections, early detection of suspicious activities, and finely-tuned security responses.
Encrypt Network Communication On Server
Description: Ensures that the encryption_server parameter is set to recommended value in sqlnet.ora
Severity: Warning
Rationale: This option ensures that, regardless of the settings on the user, if communication takes place it must be encrypted.
Force Client Ssl Authentication
Description: Ensures that the ssl_client_authentication parameter is set to TRUE
Severity: Warning
Rationale: If TRUE, both the client and server authenticate to each other using certificates. It is preferable to have mutually authenticated SSL connections verifying the identity of both parties. If possible, use client and server certificates for SSL connections. If client certificates are not supported in the enterprise, then set to FALSE.
Initialization Parameter File Permission
Description: Ensures that access to the initialization parameter file is restricted to the owner of the Oracle software set and the DBA group
Severity: Warning
Rationale: Oracle traditionally stores initialization parameters in a text initialization parameter file. A publicly accessible initialization parameter file can be scanned for sensitive initialization parameters exposing the security policies of the database. The IFILE can also be searched for the weaknesses of the Oracle database configuration setting.
Initialization Parameter File Permission(Windows)
Description: Ensures that access to the initialization parameter file is restricted to the owner of the Oracle software set and the DBA group
Severity: Warning
Rationale: Oracle traditionally stores initialization parameters in a text initialization parameter file. A publicly accessible initialization parameter file can be scanned for sensitive initialization parameters exposing the security policies of the database. The IFILE can also be searched for the weaknesses of the Oracle database configuration setting.
Oracle Home Executable Files Owner
Description: Ensures that the ownership of all files and directories in the ORACLE_HOME/bin folder is the same as the Oracle software installation owner
Severity: Critical
Rationale: Incorrect file permissions on some of the Oracle files can cause major security issues.
Oracle Home File Permission
Description: Ensures that all files in the ORACLE_HOME directories (except for ORACLE_HOME/bin) do not have public read, write and execute permissions
Severity: Warning
Rationale: Incorrect file permissions on some of the Oracle files can cause major security issues.
Oracle Home File Permission(Windows)
Description: Ensures that all files in the ORACLE_HOME directories (except for ORACLE_HOME/bin) do not have public read, write and execute permissions
Severity: Warning
Rationale: Incorrect file permissions on some of the Oracle files can cause major security issues.
Oracle Net Client Log Directory Permission
Description: Ensures that the client log directory is a valid directory owned by Oracle set with no permissions to public
Severity: Critical
Rationale: Log files provide information contained in an error stack. An error stack refers to the information that is produced by each layer in an Oracle communications stack as the result of a network error. The information in log files can reveal important network and database connection details. Allowing access to the log directory can expose the log files to public scrutiny.
Oracle Net Client Log Directory Permission(Windows)
Description: Ensures that the client log directory is a valid directory owned by Oracle set with no permissions to public
Severity: Critical
Rationale: Log files provide information contained in an error stack. An error stack refers to the information that is produced by each layer in an Oracle communications stack as the result of a network error. The information in log files can reveal important network and database connection details. Allowing access to the log directory can expose the log files to public scrutiny.
Oracle Net Client Trace Directory Permission
Description: Ensures that the client trace directory is a valid directory owned by Oracle set with no permissions to public
Severity: Critical
Rationale: Tracing produces a detailed sequence of statements that describe network events as they are executed. Tracing an operation enables you to obtain more information on the internal operations of the components of Oracle Net Services than is provided in a log file. The information in this file can reveal important network and database connection details. Allowing access to the log directory can expose the log files to public scrutiny.
Oracle Net Client Trace Directory Permission(Windows)
Description: Ensures that the client trace directory is a valid directory owned by Oracle set with no permissions to public
Severity: Critical
Rationale: Tracing produces a detailed sequence of statements that describe network events as they are executed. Tracing an operation enables you to obtain more information on the internal operations of the components of Oracle Net Services than is provided in a log file. The information in this file can reveal important network and database connection details. Allowing access to the log directory can expose the log files to public scrutiny.
Oracle Net Server Log Directory Permission
Description: Ensures that the server log directory is a valid directory owned by Oracle set with no permissions to public
Severity: Critical
Rationale: Log files provide information contained in an error stack. An error stack refers to the information that is produced by each layer in an Oracle communications stack as the result of a network error. The information in log files can reveal important network and database connection details. Allowing access to the log directory can expose the log files to public scrutiny.
Oracle Net Server Log Directory Permission(Windows)
Description: Ensures that the server log directory is a valid directory owned by Oracle set with no permissions to public
Severity: Critical
Rationale: Log files provide information contained in an error stack. An error stack refers to the information that is produced by each layer in an Oracle communications stack as the result of a network error. The information in log files can reveal important network and database connection details. Allowing access to the log directory can expose the log files to public scrutiny.
Oracle Net Server Trace Directory Permission
Description: Ensures that the server trace directory is a valid directory owned by Oracle set with no permissions to public
Severity: Critical
Rationale: Tracing produces a detailed sequence of statements that describe network events as they are executed. Tracing an operation enables you to obtain more information on the internal operations of the components of Oracle Net Services than is provided in a log file. The information in this file can reveal important network and database connection details. Allowing access to the log directory can expose the log files to public scrutiny.
Oracle Net Server Trace Directory Permission(Windows)
Description: Ensures that the server trace directory is a valid directory owned by Oracle set with no permissions to public
Severity: Critical
Rationale: Tracing produces a detailed sequence of statements that describe network events as they are executed. Tracing an operation enables you to obtain more information on the internal operations of the components of Oracle Net Services than is provided in a log file. The information in this file can reveal important network and database connection details. Allowing access to the log directory can expose the log files to public scrutiny.
Protocol Error Further Action
Description: Ensures that the SEC_PROTOCOL_ERROR_FURTHER_ACTION parameter is set to either DROP or DELAY
Severity: Critical
Rationale: If the default value CONTINUE is used, the server process continues execution even if bad packets are received. The database server may be subject to a Denial of Service (DoS) if bad packets continue to be sent by a malicious client.
Protocol Error Trace Action
Description: Ensures that the sec_protocol_error_trace_action parameter is set to either LOG or ALERT
Severity: Critical
Rationale: SEC_PROTOCOL_ERROR_TRACE_ACTION specifies the action that the database should take when bad packets are received from a possibly malicious client. NONE should not be used, as the database server then ignores the bad packets and does not generate any trace files or log messages. If the default value TRACE is used, the database server generates a detailed trace file; this value should only be used when debugging.
Public Trace Files
Description: Ensures database trace files are not public readable
Severity: Critical
Rationale: If trace files are readable by the PUBLIC group, a malicious user may attempt to read the trace files that could lead to sensitive information being exposed.
Remote Os Authentication
Description: Ensure REMOTE_OS_AUTHENT initialization parameter is set to FALSE
Severity: Critical
Rationale: A malicious user can gain access to the database if remote OS authentication is allowed.
Remote Os Role
Description: Ensure REMOTE_OS_ROLES initialization parameter is set to FALSE
Severity: Critical
Rationale: A malicious user can gain access to the database if remote users can be granted privileged roles.
Ssl Cipher Suites Supported
Description: Ensures that the ssl_cipher_suites parameter is set to recommended value in sqlnet.ora
Severity: Warning
Rationale: This option is used to specify a cipher suite that will be used by the SSL connection. If the recommended cipher suite is not used, the SSL connection could be compromised.
Ssl Versions Supported
Description: Ensures that the ssl_version parameter is set to the latest version.
Severity: Warning
Rationale: Using the most current version of SSL is recommended; older versions of the SSL protocol are prone to attack or rollback. Do not set this parameter to Any.
Server Parameter File Permission
Description: Ensures that access to the server parameter file is restricted to the owner of the Oracle software set and the DBA group
Severity: Critical
Rationale: A server parameter file (SPFILE) lets you store and manage your initialization parameters persistently in a server-side disk file. A publicly accessible SPFILE can be scanned for sensitive initialization parameters exposing the security policies of the database. The SPFILE can also be searched for the weaknesses of the Oracle database configuration setting.
Server Parameter File Permission(Windows)
Description: Ensures that access to the server parameter file is restricted to the owner of the Oracle software set and the DBA group
Severity: Critical
Rationale: A server parameter file (SPFILE) lets you store and manage your initialization parameters persistently in a server-side disk file. A publicly accessible SPFILE can be scanned for sensitive initialization parameters exposing the security policies of the database. The SPFILE can also be searched for the weaknesses of the Oracle database configuration setting.
Use Of Appropriate Umask On Unix Systems
Description: On UNIX systems, ensure that the owner of the Oracle software has an appropriate umask value of 022 set
Severity: Warning
Rationale: If umask is not set to an appropriate value (like 022), log or trace files might become accessible to public, exposing sensitive information.
User Dump Destination
Description: Ensures that access to the trace files directory is restricted to the owner of the Oracle software set and the DBA group
Severity: Critical
Rationale: The trace files for server processes are stored in the directory specified by the USER_DUMP_DEST initialization parameter. Giving public read permission to this directory may reveal important and sensitive internal details of the database and applications.
User Dump Destination(Windows)
Description: Ensures that access to the trace files directory is restricted to the owner of the Oracle software set and the DBA group
Severity: Critical
Rationale: The trace files for server processes are stored in the directory specified by the USER_DUMP_DEST initialization parameter. Giving public read permission to this directory may reveal important and sensitive internal details of the database and applications.
Using Externally Identified Accounts
Description: Ensures that the OS authentication prefix is set to a value other than OPS$
Severity: Warning
Rationale: The OS_AUTHENT_PREFIX parameter specifies a prefix used to authenticate users attempting to connect to the server. When a connection request is attempted, Oracle compares the prefixed username with usernames in the database. Using a prefix, especially OPS$, tends to result in an insecure configuration as an account can be authenticated either as an operating system user or with the password used in the IDENTIFIED BY clause. Attackers are aware of this and will attack these accounts.
Utility File Directory Initialization Parameter Setting
Description: Ensures that the Utility File Directory (UTL_FILE_DIR) initialization parameter is not set to '*', '.', or a core dump or trace file location
Severity: Critical
Rationale: Specifies the directories which the UTL_FILE package can access. Having the parameter set to asterisk (*), period (.), or to sensitive directories, could expose them to all users having execute privilege on the UTL_FILE package.
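The initialization-parameter rules in this standard state their passing values, so they can be evaluated directly against a text initialization parameter file. The following Python checker is an added example, not Enterprise Manager's own rule logic; the sample file is constructed, TRUE as the passing value for AUDIT_SYS_OPERATIONS is an assumption read from that rule's description, and a default is applied only where the rule text above states one.

```python
import re

# Defaults applied only where the rule text on this page states one.
PAGE_DEFAULTS = {
    "SEC_PROTOCOL_ERROR_FURTHER_ACTION": "CONTINUE",
    "SEC_PROTOCOL_ERROR_TRACE_ACTION": "TRACE",
}
DUMP_DEST_PARAMS = ("CORE_DUMP_DEST", "USER_DUMP_DEST", "BACKGROUND_DUMP_DEST")

# Constructed sample pfile content (not from a real system).
SAMPLE_PFILE = """\
# constructed sample
*.audit_sys_operations=TRUE
*.o7_dictionary_accessibility=FALSE
*.remote_os_authent=TRUE            # fails "Remote Os Authentication"
*.os_authent_prefix='OPS$'
*.sec_protocol_error_further_action='(DROP,3)'
*.core_dump_dest='/u01/app/oracle/diag/cdump'
*.utl_file_dir='/tmp/exports','/u01/app/oracle/diag/cdump/'
"""


def parse_pfile(text):
    """Return {PARAMETER: [values]} from text initialization parameter file content."""
    params = {}
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()   # drop comments
        if "=" not in line:
            continue
        name, value = line.split("=", 1)
        name = name.strip().split(".")[-1].upper()      # "*.name" or "SID.name" -> NAME
        params.setdefault(name, []).append(value.strip().strip("'\""))
    return params


def _keyword(value):
    """First alphabetic token, upper-cased: "(DROP,3)" -> "DROP"."""
    m = re.search(r"[A-Za-z]+", value)
    return m.group(0).upper() if m else ""


def check(params):
    """Return {rule title: (status, detail)}; status is pass, fail or unset."""
    results = {}

    def expect(title, name, ok):
        values = params.get(name)
        value = values[-1] if values else PAGE_DEFAULTS.get(name)
        if value is None:
            results[title] = ("unset", name + " not in file; confirm the effective value")
        else:
            results[title] = ("pass" if ok(value) else "fail", name + "=" + value)

    expect("Data Dictionary Protected", "O7_DICTIONARY_ACCESSIBILITY",
           lambda v: v.upper() != "TRUE")
    expect("Auditing Of Sys Operations Enabled", "AUDIT_SYS_OPERATIONS",
           lambda v: v.upper() == "TRUE")               # assumed passing value
    expect("Protocol Error Further Action", "SEC_PROTOCOL_ERROR_FURTHER_ACTION",
           lambda v: _keyword(v) in ("DROP", "DELAY"))
    expect("Protocol Error Trace Action", "SEC_PROTOCOL_ERROR_TRACE_ACTION",
           lambda v: _keyword(v) in ("LOG", "ALERT"))
    expect("Remote Os Authentication", "REMOTE_OS_AUTHENT",
           lambda v: v.upper() == "FALSE")
    expect("Remote Os Role", "REMOTE_OS_ROLES",
           lambda v: v.upper() == "FALSE")
    expect("Using Externally Identified Accounts", "OS_AUTHENT_PREFIX",
           lambda v: v.upper() != "OPS$")

    # UTL_FILE_DIR must not be '*', '.', or one of the dump/trace destinations
    # configured in the same file.
    dump_dirs = {v.rstrip("/") for n in DUMP_DEST_PARAMS for v in params.get(n, [])}
    dirs = [d.strip().strip("'\"")
            for v in params.get("UTL_FILE_DIR", []) for d in v.split(",") if d.strip()]
    bad = [d for d in dirs if d in ("*", ".") or d.rstrip("/") in dump_dirs]
    title = "Utility File Directory Initialization Parameter Setting"
    if bad:
        results[title] = ("fail", "UTL_FILE_DIR includes " + ", ".join(bad))
    else:
        results[title] = ("pass", "UTL_FILE_DIR=" + (",".join(dirs) or "(unset)"))
    return results


if __name__ == "__main__":
    for rule, (status, detail) in check(parse_pfile(SAMPLE_PFILE)).items():
        print(f"{status.upper():5}  {rule}: {detail}")
```

A result of "unset" means the file alone cannot answer the rule; the effective value on the running instance still has to be confirmed.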
Basic Security Configuration For Oracle Database
The compliance rules for the Basic Security Configuration For Oracle Database standard follow.
Access To Dba_Roles View
Description: Ensures restricted access to DBA_ROLES view
Severity: Minor Warning
Rationale: DBA_ROLES view contains details of all roles in the database. Knowledge of the structure of roles in the database can be taken advantage of by a malicious user.
Access To Dba_Role_Privs View
Description: Ensures restricted access to DBA_ROLE_PRIVS view
Severity: Minor Warning
Rationale: The DBA_ROLE_PRIVS view lists the roles granted to users and other roles. Knowledge of the structure of roles in the database can be taken advantage of by a malicious user.
Access To Dba_Sys_Privs View
Description: Ensures restricted access to DBA_SYS_PRIVS view
Severity: Minor Warning
Rationale: DBA_SYS_PRIVS view can be queried to find system privileges granted to roles and users. Knowledge of the structure of roles in the database can be taken advantage of by a malicious user.
Access To Dba_Tab_Privs View
Description: Ensures restricted access to DBA_TAB_PRIVS view
Severity: Minor Warning
Rationale: Lists privileges granted to users or roles on objects in the database. Knowledge of the structure of roles in the database can be taken advantage of by a malicious user.
Access To Dba_Users View
Description: Ensures restricted access to DBA_USERS view
Severity: Minor Warning
Rationale: Contains user password hashes and other account information. Access to this information can be used to mount brute-force attacks.
Access To Stats$Sqltext Table
Description: Ensures restricted access to STATS$SQLTEXT table
Severity: Minor Warning
Rationale: This table provides full text of the recently-executed SQL statements. The SQL statements can reveal sensitive information.
Access To Stats$Sql_Summary Table
Description: Ensures restricted access to STATS$SQL_SUMMARY table
Severity: Minor Warning
Rationale: Contains the first few lines of SQL text of the most resource-intensive commands given to the server. SQL statements executed without bind variables can show up here, exposing privileged information.
Access To Sys.Aud$ Table
Description: Ensures restricted access to SYS.AUD$ table
Severity: Minor Warning
Rationale: A knowledgeable and malicious user can gain access to sensitive audit information.
Access To Sys.Source$ Table
Description: Ensures restricted access to SYS.SOURCE$ table
Severity: Minor Warning
Rationale: Contains the source of all stored package units in the database.
Access To Sys.User$ Table
Description: Ensures restricted access to SYS.USER$ table
Severity: Minor Warning
Rationale: Username and password hash may be read from the SYS.USER$ table, enabling a hacker to launch a brute-force attack.
Access To Sys.User_History$ Table
Description: Ensures restricted access to SYS.USER_HISTORY$ table
Severity: Minor Warning
Rationale: Username and password hash may be read from the SYS.USER_HISTORY$ table, enabling a hacker to launch a brute-force attack.
Allowed Logon Version
Description: Ensures that the server allows logon from clients with a matching version or higher only.
Severity: Warning
Rationale: Setting the parameter SQLNET.ALLOWED_LOGON_VERSION in sqlnet.ora to a version lower than the server version will force the server to use a less secure authentication protocol.
Audit File Destination
Description: Ensures that access to the audit files directory is restricted to the owner of the Oracle software set and the DBA group.
Severity: Critical
Rationale: The AUDIT_FILE_DEST initialization parameter specifies the directory where the Oracle auditing facility creates the audit files. Giving public read permission to this directory may reveal important information such as logging information of startup, shutdown, and privileged connections.
Audit File Destination(Windows)
Description: Ensures that access to the audit files directory is restricted to the owner of the Oracle software set and the DBA group.
Severity: Critical
Rationale: The AUDIT_FILE_DEST initialization parameter specifies the directory where the Oracle auditing facility creates the audit files. Giving public read permission to this directory may reveal important information such as logging information of startup, shutdown, and privileged connections.
Auditing Of Sys Operations Enabled
Description: Ensures sessions for users who connect as SYS are fully audited
Severity: Warning
Rationale: The AUDIT_SYS_OPERATIONS parameter enables or disables the auditing of operations issued by user SYS, and users connecting with SYSDBA or SYSOPER privileges.
Background Dump Destination(Windows)
Description: Ensures that access to the trace files directory is restricted to the owner of the Oracle software set and the DBA group
Severity: Critical
Rationale: Background processes such as the log writer process and the database writer process use trace files to record occurrences and exceptions of database operations, as well as errors. The trace files are stored in the directory specified by the BACKGROUND_DUMP_DEST initialization parameter. Giving public read permission to this directory may reveal important and sensitive internal details of the database and applications.
Check Network Data Integrity On Server
Description: Ensures that the crypto_checksum_server parameter is set to recommended value in sqlnet.ora.
Severity: Warning
Rationale: This option ensures the integrity check for communication to prevent data modification.
Control File Permission
Description: Ensures that access to the control files directory is restricted to the owner of the Oracle software set and the DBA group
Severity: Critical
Rationale: Control files are binary configuration files that control access to data files. Control files are stored in the directory specified by the CONTROL_FILES initialization parameter. A public write privilege on this directory could pose a serious security risk.
Control File Permission(Windows)
Description: Ensures that access to the control files directory is restricted to the owner of the Oracle software set and the DBA group
Severity: Critical
Rationale: Control files are binary configuration files that control access to data files. Control files are stored in the directory specified by the CONTROL_FILES initialization parameter. A public write privilege on this directory could pose a serious security risk.
Core Dump Destination
Description: Ensures that access to the core dump files directory is restricted to the owner of the Oracle software set and the DBA group
Severity: Critical
Rationale: Core dump files are stored in the directory specified by the CORE_DUMP_DEST initialization parameter. A public read privilege on this directory could expose sensitive information from the core dump files.
Core Dump Destination(Windows)
Description: Ensures that access to the core dump files directory is restricted to the owner of the Oracle software set and the DBA group
Severity: Critical
Rationale: Core dump files are stored in the directory specified by the CORE_DUMP_DEST initialization parameter. A public read privilege on this directory could expose sensitive information from the core dump files.
Data Dictionary Protected
Description: Ensures data dictionary protection is enabled
Severity: Critical
Rationale: The O7_DICTIONARY_ACCESSIBILITY parameter controls access to the data dictionary. Setting O7_DICTIONARY_ACCESSIBILITY to TRUE allows users with ANY system privileges to access the data dictionary. As a result, these user accounts can be exploited to gain unauthorized access to data.
Default Passwords
Description: Ensure there are no default passwords for known accounts
Severity: Warning
Rationale: A malicious user can gain access to the database using default passwords.
Enable Database Auditing
Description: Ensures database auditing is enabled
Severity: Minor Warning
Rationale: The AUDIT_TRAIL parameter enables or disables database auditing. For database version 12c and above Unified Auditing can be used. Auditing enhances security because it enforces accountability, provides evidence of misuse, and is frequently required for regulatory compliance. Auditing also enables system administrators to implement enhanced protections, early detection of suspicious activities, and finely-tuned security responses.
Encrypt Network Communication On Server
Description: Ensures that the encryption_server parameter is set to recommended value in sqlnet.ora
Severity: Warning
Rationale: This option ensures that, regardless of the settings on the user, if communication takes place it must be encrypted.
Execute Privileges On Dbms_Job To Public
Description: Ensures PUBLIC is not granted EXECUTE privileges on DBMS_JOB package
Severity: Critical
Rationale: Granting EXECUTE privilege to PUBLIC on DBMS_JOB package allows users to schedule jobs on the database.
Execute Privileges On Dbms_Sys_Sql To Public
Description: Ensures PUBLIC is not granted EXECUTE privileges on DBMS_SYS_SQL package
Severity: Critical
Rationale: The DBMS_SYS_SQL package can be used to run PL/SQL and SQL as the owner of the procedure rather than the caller.
Force Client Ssl Authentication
Description: Ensures that the ssl_client_authentication parameter is set to TRUE
Severity: Warning
Rationale: If TRUE, both the client and server authenticate to each other using certificates. It is preferable to have mutually authenticated SSL connections verifying the identity of both parties. If possible, use client and server certificates for SSL connections. If client certificates are not supported in the enterprise, then set to FALSE.
Initialization Parameter File Permission
Description: Ensures that access to the initialization parameter file is restricted to the owner of the Oracle software set and the DBA group
Severity: Warning
Rationale: Oracle traditionally stores initialization parameters in a text initialization parameter file. A publicly accessible initialization parameter file can be scanned for sensitive initialization parameters exposing the security policies of the database. The IFILE can also be searched for the weaknesses of the Oracle database configuration setting.
Initialization Parameter File Permission(Windows)
Description: Ensures that access to the initialization parameter file is restricted to the owner of the Oracle software set and the DBA group
Severity: Warning
Rationale: Oracle traditionally stores initialization parameters in a text initialization parameter file. A publicly accessible initialization parameter file can be scanned for sensitive initialization parameters exposing the security policies of the database. The IFILE can also be searched for the weaknesses of the Oracle database configuration setting.
Oracle Home Datafile Permission
Description: Ensures that access to the datafiles is restricted to the owner of the Oracle software set and the DBA group
Severity: Critical
Rationale: The datafiles contain all the database data. If datafiles are readable to public, they can be read by a user who has no database privileges on the data.
Oracle Home Datafile Permission(Windows)
Description: Ensures that access to the datafiles is restricted to the owner of the Oracle software set and the DBA group
Severity: Critical
Rationale: The datafiles contain all the database data. If datafiles are readable to public, they can be read by a user who has no database privileges on the data.
Oracle Home Executable Files Owner
Description: Ensures that the ownership of all files and directories in the ORACLE_HOME/bin folder is the same as the Oracle software installation owner
Severity: Critical
Rationale: Incorrect file permissions on some of the Oracle files can cause major security issues.
Oracle Home File Permission
Description: Ensures that all files in the ORACLE_HOME directories (except for ORACLE_HOME/bin) do not have public read, write and execute permissions
Severity: Warning
Rationale: Incorrect file permissions on some of the Oracle files can cause major security issues.
Oracle Home File Permission(Windows)
Description: Ensures that all files in the ORACLE_HOME directories (except for ORACLE_HOME/bin) do not have public read, write and execute permissions
Severity: Warning
Rationale: Incorrect file permissions on some of the Oracle files can cause major security issues.
Oracle Net Client Log Directory Permission
Description: Ensures that the client log directory is a valid directory owned by Oracle set with no permissions to public
Severity: Critical
Rationale: Log files provide information contained in an error stack. An error stack refers to the information that is produced by each layer in an Oracle communications stack as the result of a network error. The information in log files can reveal important network and database connection details. Allowing access to the log directory can expose the log files to public scrutiny.
Oracle Net Client Log Directory Permission(Windows)
Description: Ensures that the client log directory is a valid directory owned by Oracle set with no permissions to public
Severity: Critical
Rationale: Log files provide information contained in an error stack. An error stack refers to the information that is produced by each layer in an Oracle communications stack as the result of a network error. The information in log files can reveal important network and database connection details. Allowing access to the log directory can expose the log files to public scrutiny.
Oracle Net Client Trace Directory Permission
Description: Ensures that the client trace directory is a valid directory owned by Oracle set with no permissions to public
Severity: Critical
Rationale: Tracing produces a detailed sequence of statements that describe network events as they are executed. Tracing an operation enables you to obtain more information on the internal operations of the components of Oracle Net Services than is provided in a log file. The information in this file can reveal important network and database connection details. Allowing access to the log directory can expose the log files to public scrutiny.
Oracle Net Client Trace Directory Permission(Windows)
Description: Ensures that the client trace directory is a valid directory owned by Oracle set with no permissions to public
Severity: Critical
Rationale: Tracing produces a detailed sequence of statements that describe network events as they are executed. Tracing an operation enables you to obtain more information on the internal operations of the components of Oracle Net Services than is provided in a log file. The information in this file can reveal important network and database connection details. Allowing access to the log directory can expose the log files to public scrutiny.
Oracle Net Server Log Directory Permission
Description: Ensures that the server log directory is a valid directory owned by Oracle set with no permissions to public
Severity: Critical
Rationale: Log files provide information contained in an error stack. An error stack refers to the information that is produced by each layer in an Oracle communications stack as the result of a network error. The information in log files can reveal important network and database connection details. Allowing access to the log directory can expose the log files to public scrutiny.
Oracle Net Server Log Directory Permission(Windows)
Description: Ensures that the server log directory is a valid directory owned by Oracle set with no permissions to public
Severity: Critical
Rationale: Log files provide information contained in an error stack. An error stack refers to the information that is produced by each layer in an Oracle communications stack as the result of a network error. The information in log files can reveal important network and database connection details. Allowing access to the log directory can expose the log files to public scrutiny.
Oracle Net Server Trace Directory Permission
Description: Ensures that the server trace directory is a valid directory owned by Oracle set with no permissions to public
Severity: Critical
Rationale: Tracing produces a detailed sequence of statements that describe network events as they are executed. Tracing an operation enables you to obtain more information on the internal operations of the components of Oracle Net Services than is provided in a log file. The information in this file can reveal important network and database connection details. Allowing access to the log directory can expose the log files to public scrutiny.
Oracle Net Server Trace Directory Permission(Windows)
Description: Ensures that the server trace directory is a valid directory owned by Oracle set with no permissions to public
Severity: Critical
Rationale: Tracing produces a detailed sequence of statements that describe network events as they are executed. Tracing an operation enables you to obtain more information on the internal operations of the components of Oracle Net Services than is provided in a log file. The information in this file can reveal important network and database connection details. Allowing access to the log directory can expose the log files to public scrutiny.
Protocol Error Further Action
Description: Ensures that the SEC_PROTOCOL_ERROR_FURTHER_ACTION parameter is set to either DROP or DELAY
Severity: Critical
Rationale: If the default value CONTINUE is used, the server process continues execution even if bad packets are received. The database server may be subject to a Denial of Service (DoS) if bad packets continue to be sent by a malicious client.
Protocol Error Trace Action
Description: Ensures that the sec_protocol_error_trace_action parameter is set to either LOG or ALERT
Severity: Critical
Rationale: SEC_PROTOCOL_ERROR_TRACE_ACTION specifies the action that the database should take when bad packets are received from a possibly malicious client. NONE should not be used, as the database server ignores the bad packets and does not generate any trace files or log messages. If the default value TRACE is used, the database server generates a detailed trace file; this value should only be used when debugging.
Password Complexity Verification Function Usage
Description: Ensures PASSWORD_VERIFY_FUNCTION resource for the profile is set
Severity: Critical
Rationale: Passwords that do not meet minimum complexity requirements offer substantially less protection than complex passwords.
Password Grace Time
Description: Ensures that all profiles have PASSWORD_GRACE_TIME set to a reasonable number of days
Severity: Critical
Rationale: A high value for the PASSWORD_GRACE_TIME parameter may cause serious database security issues by allowing the user to keep the same password for a long time.
Password Lifetime
Description: Ensures that all profiles have PASSWORD_LIFE_TIME set to a reasonable number of days
Severity: Warning
Rationale: A long password lifetime gives hackers a long time to try to crack the password, which may cause serious database security issues.
Password Locking Time
Description: Ensures PASSWORD_LOCK_TIME is set to a reasonable number of days for all profiles
Severity: Warning
Rationale: Having a low value increases the likelihood of Denial of Service attacks.
Public Trace Files
Description: Ensures database trace files are not public readable
Severity: Critical
Rationale: If trace files are readable by the PUBLIC group, a malicious user may attempt to read the trace files that could lead to sensitive information being exposed.
Remote Os Authentication
Description: Ensure REMOTE_OS_AUTHENT initialization parameter is set to FALSE
Severity: Critical
Rationale: A malicious user can gain access to the database if remote OS authentication is allowed.
Remote Os Role
Description: Ensure REMOTE_OS_ROLES initialization parameter is set to FALSE
Severity: Critical
Rationale: A malicious user can gain access to the database if remote users can be granted privileged roles.
Restricted Privilege To Execute Utl_Http
Description: Ensure PUBLIC does not have execute privileges on the UTL_HTTP package
Severity: Critical
Rationale: Privileges granted to the PUBLIC role automatically apply to all users. A malicious user can gain access to email, network and http modules using the EXECUTE privilege.
Restricted Privilege To Execute Utl_Smtp
Description: Ensure PUBLIC does not have execute privileges on the UTL_SMTP package
Severity: Critical
Rationale: Privileges granted to the PUBLIC role automatically apply to all users. A malicious user can gain access to email, network and http modules using the EXECUTE privilege.
Restricted Privilege To Execute Utl_Tcp
Description: Ensure PUBLIC does not have execute privileges on the UTL_TCP package
Severity: Critical
Rationale: Privileges granted to the PUBLIC role automatically apply to all users. A malicious user can gain access to email, network and http modules using the EXECUTE privilege.
Ssl Cipher Suites Supported
Description: Ensures that the ssl_cipher_suites parameter is set to recommended value in sqlnet.ora
Severity: Warning
Rationale: This option is used to specify a cipher suite that will be used by the SSL connection. If the recommended cipher suite is not used, the SSL connection could be compromised.
Ssl Versions Supported
Description: Ensures that the ssl_version parameter is set to the latest version.
Severity: Warning
Rationale: Using the most current version of SSL is recommended; older versions of the SSL protocol are prone to attack or rollback. Do not set this parameter to Any.
Server Parameter File Permission
Description: Ensures that access to the server parameter file is restricted to the owner of the Oracle software set and the DBA group
Severity: Critical
Rationale: A server parameter file (SPFILE) lets you store and manage your initialization parameters persistently in a server-side disk file. A publicly accessible SPFILE can be scanned for sensitive initialization parameters exposing the security policies of the database. The SPFILE can also be searched for the weaknesses of the Oracle database configuration setting.
Server Parameter File Permission(Windows)
Description: Ensures that access to the server parameter file is restricted to the owner of the Oracle software set and the DBA group
Severity: Critical
Rationale: A server parameter file (SPFILE) lets you store and manage your initialization parameters persistently in a server-side disk file. A publicly accessible SPFILE can be scanned for sensitive initialization parameters exposing the security policies of the database. The SPFILE can also be searched for the weaknesses of the Oracle database configuration setting.
Use Of Appropriate Umask On Unix Systems
Description: On UNIX systems, ensure that the owner of the Oracle software has an appropriate umask value of 022 set
Severity: Warning
Rationale: If umask is not set to an appropriate value (like 022), log or trace files might become accessible to public exposing sensitive information.
Use Of Database Links With Cleartext Password
Description: Ensures database links with clear text passwords are not used
Severity: Warning
Rationale: The table SYS.LINK$ contains the clear text password used by the database link. A malicious user can read clear text password from SYS.LINK$ table that can lead to undesirable consequences.
Use Of Remote Listener Instances
Description: Ensures listener instances on a remote machine separate from the database instance are not used
Severity: Warning
Rationale: The REMOTE_LISTENER initialization parameter can be used to allow a listener on a remote machine to access the database. This parameter is not applicable in a multi-master replication or RAC environment where this setting provides a load balancing mechanism for the listener.
User Dump Destination
Description: Ensures that access to the trace files directory is restricted to the owner of the Oracle software set and the DBA group
Severity: Critical
Rationale: The trace files for server processes are stored in the directory specified by the USER_DUMP_DEST initialization parameter. Giving public read permission to this directory may reveal important and sensitive internal details of the database and applications.
User Dump Destination(Windows)
Description: Ensures that access to the trace files directory is restricted to the owner of the Oracle software set and the DBA group
Severity: Critical
Rationale: The trace files for server processes are stored in the directory specified by the USER_DUMP_DEST initialization parameter. Giving public read permission to this directory may reveal important and sensitive internal details of the database and applications.
Using Externally Identified Accounts
Description: Ensures that the OS authentication prefix is set to a value other than OPS$
Severity: Warning
Rationale: The OS_AUTHENT_PREFIX parameter specifies a prefix used to authenticate users attempting to connect to the server. When a connection request is attempted, Oracle compares the prefixed username with usernames in the database. Using a prefix, especially OPS$, tends to result in an insecure configuration as an account can be authenticated either as an operating system user or with the password used in the IDENTIFIED BY clause. Attackers are aware of this and will attack these accounts.
Utility File Directory Initialization Parameter Setting
Description: Ensures that the Utility File Directory (UTL_FILE_DIR) initialization parameter is not set to '*', '.', or core dump trace file locations
Severity: Critical
Rationale: The UTL_FILE_DIR parameter specifies the directories which the UTL_FILE package can access. Having the parameter set to asterisk (*), period (.), or to sensitive directories could expose them to all users having execute privilege on the UTL_FILE package.
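The database-side rules in this standard (initialization parameters, PUBLIC grants on the UTL_ packages, and profile password resources) can be spot-checked from a DBA session. The queries below are an added example, not the compliance framework's own checks; they assume SELECT access to V$PARAMETER, DBA_TAB_PRIVS and DBA_PROFILES, and the STATUS labels are illustrative.

```sql
-- Added example: spot checks for rules in this standard. STATUS labels are illustrative.

-- 1. Initialization parameters for which this page states an expected value.
--    The UTL_FILE_DIR test only covers '*' and '.'; comparing it against
--    core dump and trace locations is left to manual review.
SELECT name,
       value,
       CASE
         WHEN name IN ('remote_os_authent', 'remote_os_roles')
              AND UPPER(value) <> 'FALSE'                THEN 'VIOLATION'
         WHEN name = 'sec_protocol_error_further_action'
              AND UPPER(value) NOT LIKE '%DROP%'
              AND UPPER(value) NOT LIKE '%DELAY%'        THEN 'VIOLATION'
         WHEN name = 'sec_protocol_error_trace_action'
              AND UPPER(value) NOT IN ('LOG', 'ALERT')   THEN 'VIOLATION'
         WHEN name = 'os_authent_prefix'
              AND UPPER(value) = 'OPS$'                  THEN 'VIOLATION'
         WHEN name = 'utl_file_dir'
              AND TRIM(value) IN ('*', '.')              THEN 'VIOLATION'
         ELSE 'OK'
       END AS status
FROM   v$parameter
WHERE  name IN ('remote_os_authent',
                'remote_os_roles',
                'sec_protocol_error_further_action',
                'sec_protocol_error_trace_action',
                'os_authent_prefix',
                'utl_file_dir')
ORDER  BY name;

-- 2. EXECUTE on the network packages granted to PUBLIC.
--    Every row returned is a violation of the corresponding
--    "Restricted Privilege To Execute" rule.
SELECT owner, table_name AS package_name, privilege, grantor
FROM   dba_tab_privs
WHERE  grantee    = 'PUBLIC'
AND    privilege  = 'EXECUTE'
AND    table_name IN ('UTL_HTTP', 'UTL_SMTP', 'UTL_TCP')
ORDER  BY table_name;

-- 3. Password resources per profile.
--    A LIMIT of 'NULL' for PASSWORD_VERIFY_FUNCTION means no function is set.
--    The page gives no numeric threshold for the time limits ("a reasonable
--    number of days"), so those values are listed for review, not judged.
SELECT profile,
       resource_name,
       limit,
       CASE
         WHEN resource_name = 'PASSWORD_VERIFY_FUNCTION'
              AND limit = 'NULL'      THEN 'VIOLATION'
         WHEN limit = 'DEFAULT'       THEN 'INHERITED FROM DEFAULT PROFILE'
         ELSE 'REVIEW VALUE'
       END AS status
FROM   dba_profiles
WHERE  resource_type = 'PASSWORD'
AND    resource_name IN ('PASSWORD_VERIFY_FUNCTION',
                         'PASSWORD_GRACE_TIME',
                         'PASSWORD_LIFE_TIME',
                         'PASSWORD_LOCK_TIME')
ORDER  BY profile, resource_name;
```

A parameter that does not exist in the running database release simply returns no row in the first query.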
Configuration Best Practices For Oracle Database
The compliance rules for the Configuration Best Practices For Oracle Database standard follow.
Disabled Automatic Statistics Collection
Description: Checks if the STATISTICS_LEVEL initialization parameter is set to BASIC
Severity: Critical
Rationale: Automatic statistics collection allows the optimizer to generate accurate execution plans and is essential for identifying and correcting performance problems. By default, STATISTICS_LEVEL is set to TYPICAL. If the STATISTICS_LEVEL initialization parameter is set to BASIC, the collection of many important statistics required by Oracle database features and functionality is disabled.
Fast Recovery Area Location Not Set
Description: Checks whether recovery area is set
Severity: Warning
Rationale: NO_RECOVERY_AREA_IMPACT
Force Logging Disabled
Description: Checks the database for disabled force logging.
Severity: Warning
Rationale: The database is not in force logging mode. If the database is a Data Guard primary database, unlogged direct writes will not be propagated to the standby database.
Insufficient Number Of Control Files
Description: Checks for use of a single control file
Severity: Critical
Rationale: The control file is one of the most important files in an Oracle database. It maintains many physical characteristics and important recovery information about the database. If you lose the only copy of the control file due to a media error, there will be unnecessary down time and other risks.
Not Using Automatic Pga Management
Description: Checks if the PGA_AGGREGATE_TARGET initialization parameter has a value of 0 or if WORKAREA_SIZE_POLICY has value of MANUAL.
Severity: Warning
Rationale: Automatic PGA memory management simplifies and improves the way PGA memory is allocated. When enabled, Oracle can dynamically adjust the portion of the PGA memory dedicated to work areas while honoring the PGA_AGGREGATE_TARGET limit set by the DBA.
Not Using Automatic Undo Management
Description: Checks for automatic undo space management not being used
Severity: Minor Warning
Rationale: Not using automatic undo management can cause unnecessary contention and performance issues in your database. This may include among other issues, contention for the rollback segment header blocks, in the form of buffer busy waits and increased probability of ORA-1555s (Snapshot Too Old).
Not Using Spfile
Description: Checks for spfile not being used
Severity: Minor Warning
Rationale: The SPFILE (server parameter file) enables you to persist any dynamic changes to the Oracle initialization parameters made using ALTER SYSTEM commands. This persistence is provided across database shutdowns. When a database has an SPFILE configured, you do not have to remember to make the corresponding changes to the Oracle init.ora file. In addition, any changes that are made via ALTER SYSTEM commands are not lost after a shutdown and restart.
Statistics_Level Parameter Set To All
Description: Checks if the STATISTICS_LEVEL initialization parameter is set to ALL
Severity: Minor Warning
Rationale: Automatic statistics collection allows the optimizer to generate accurate execution plans and is essential for identifying and correcting performance problems. The STATISTICS_LEVEL initialization parameter is currently set to ALL, meaning additional timed OS and plan execution statistics are being collected. These statistics are not necessary and create additional overhead on the system.
Timed_Statistics Set To False
Description: Checks if the TIMED_STATISTICS initialization parameter is set to FALSE.
Severity: Critical
Rationale: Setting TIMED_STATISTICS to FALSE prevents time-related statistics, e.g. execution time for various internal operations, from being collected. These statistics are useful for diagnosing and performance tuning. Setting TIMED_STATISTICS to TRUE will allow time-related statistics to be collected, and will also provide more value to the trace file and generate more accurate statistics for long-running operations.
Use Of Non-Standard Initialization Parameters
Description: Checks for use of non-standard initialization parameters
Severity: Minor Warning
Rationale: Non-standard initialization parameters are being used. These may have been implemented based on poor advice or incorrect assumptions. In particular, parameters associated with SPIN_COUNT on latches and undocumented optimizer features can cause a great deal of problems that can require considerable investigation.
High Security Configuration For Oracle Cluster Database Instance
The compliance rules for the High Security Configuration For Oracle Cluster Database Instance standard follow.
$Oracle_Home/Network/Admin File Permission
Description: Ensures that ownership of the files in $ORACLE_HOME/network/admin is restricted to the Oracle software set, that the group is restricted to the DBA group, and that Public does not have write permission
Severity: Warning
Rationale: Not restricting ownership of network/admin to the Oracle software set and DBA group may cause security issues by exposing net configuration data to malicious users
$Oracle_Home/Network/Admin File Permission(Windows)
Description: Ensures that ownership of the files in $ORACLE_HOME/network/admin is restricted to the Oracle software set, that the group is restricted to the DBA group, and that Public does not have write permission
Severity: Warning
Rationale: Not restricting ownership of network/admin to the Oracle software set and DBA group may cause security issues by exposing net configuration data to malicious users
Algorithm For Network Data Integrity Check On Server
Description: Ensures that the crypto_checksum_type_server parameter is set to SHA1 in sqlnet.ora
Severity: Warning
Rationale: This option ensures the integrity check for communication is done using SHA1 Algorithm
Background Dump Destination
Description: Ensures that access to the trace files directory is restricted to the owner of the Oracle software set and the DBA group
Severity: Critical
Rationale: Background processes such as the log writer process and the database writer process use trace files to record occurrences and exceptions of database operations, as well as errors. The trace files are stored in the directory specified by the BACKGROUND_DUMP_DEST initialization parameter. Giving public read permission to this directory may reveal important and sensitive internal details of the database and applications.
Case Sensitive Logon
Description: Ensures that the sec_case_sensitive_logon parameter is set to true
Severity: Critical
Rationale: This increases the complexity of passwords and helps defend against brute force password attacks
Db Securefile
Description: Ensure that all LOB files created by Oracle are created as SecureFiles
Severity: Critical
Rationale: For LOBs to be treated as SecureFiles, set the COMPATIBLE initialization parameter to 11.1 or higher. If there is a LOB column with two partitions (one that has a tablespace for which ASSM is enabled and one that has a tablespace for which ASSM is not enabled), then LOBs in the partition with the ASSM-enabled tablespace will be treated as SecureFiles and LOBs in the other partition will be treated as BasicFile LOBs. Setting db_securefile to ALWAYS makes sure that any LOB file created is a secure file.
Dispatchers
Description: Ensures that the DISPATCHERS parameter is not set
Severity: Critical
Rationale: This will disable default ports ftp: 2100 and http: 8080. Removing the XDB ports will reduce the attack surface of the Oracle server. It is recommended to disable these ports if production usage is not required
Ifile Referenced File Permission
Description: Ensures that access to the files referenced by the IFILE parameter is restricted to the owner of the Oracle software set and the DBA group
Severity: Critical
Rationale: The IFILE initialization parameter can be used to embed the contents of another initialization parameter file into the current initialization parameter file. A publicly accessible initialization parameter file can be scanned for sensitive initialization parameters exposing the security policies of the database. Initialization parameter file can also be searched for the weaknesses of the Oracle database configuration setting.
Ifile Referenced File Permission(Windows)
Description: Ensures that access to the files referenced by the IFILE parameter is restricted to the owner of the Oracle software set and the DBA group
Severity: Critical
Rationale: The IFILE initialization parameter can be used to embed the contents of another initialization parameter file into the current initialization parameter file. A publicly accessible initialization parameter file can be scanned for sensitive initialization parameters exposing the security policies of the database. Initialization parameter file can also be searched for the weaknesses of the Oracle database configuration setting.
Log Archive Destination Owner
Description: Ensures that the server's archive logs directory is a valid directory owned by Oracle software owner
Severity: Critical
Rationale: LogMiner can be used to extract database information from the archive logs if the directory specified by LOG_ARCHIVE_DEST parameter (in init.ora file) is not owned by the owner of the Oracle software installation or has permissions for others.
Log Archive Destination Permission
Description: Ensures that the server's archive logs are not accessible to public
Severity: Critical
Rationale: LogMiner can be used to extract database information from the archive logs if the directory specified by LOG_ARCHIVE_DEST parameter (in init.ora file) is not owned by the owner of the Oracle software installation or has permissions for others.
Log Archive Destination Permission(Windows)
Description: Ensures that the server's archive logs are not accessible to public
Severity: Critical
Rationale: LogMiner can be used to extract database information from the archive logs if the directory specified by LOG_ARCHIVE_DEST parameter (in init.ora file) is not owned by the owner of the Oracle software installation or has permissions for others.
Log Archive Duplex Destination Owner
Description: Ensures that the server's archive logs directory is a valid directory owned by Oracle software owner
Severity: Critical
Rationale: LogMiner can be used to extract database information from the archive logs if the directory specified by LOG_ARCHIVE_DUPLEX_DEST parameter (in init.ora file) is not owned by the owner of the Oracle software installation or has permissions for others.
Log Archive Duplex Destination Permission
Description: Ensures that the server's archive logs are not accessible to public
Severity: Critical
Rationale: LogMiner can be used to extract database information from the archive logs if the directory specified by LOG_ARCHIVE_DUPLEX_DEST parameter (in init.ora file) is not owned by the owner of the Oracle software installation or has permissions for others.
Log Archive Duplex Destination Permission(Windows)
Description: Ensures that the server's archive logs are not accessible to public
Severity: Critical
Rationale: LogMiner can be used to extract database information from the archive logs if the directory specified by LOG_ARCHIVE_DUPLEX_DEST parameter (in init.ora file) is not owned by the owner of the Oracle software installation or has permissions for others.
Naming Database Links
Description: Ensures that the name of a database link is the same as that of the remote database
Severity: Warning
Rationale: Database link names that do not match the global names of the databases to which they are connecting can cause an administrator to inadvertently give access to a production server from a test or development server. Knowledge of this can be used by a malicious user to gain access to the target database.
Oracle_Home Network Admin Owner
Description: Ensures $ORACLE_HOME/network/admin ownership is restricted to the Oracle software set and DBA group
Severity: Warning
Rationale: Not restricting ownership of network/admin to the Oracle software set and DBA group may cause security issues by exposing net configuration data to malicious users
Os Roles
Description: Ensure roles are stored, managed, and protected in the database rather than files external to the DBMS.
Severity: Warning
Rationale: If Roles are managed by OS, it can cause serious security issues.
Oracle Agent Snmp Read-Only Configuration File Owner
Description: Ensures Oracle Agent SNMP read-only configuration file (snmp_ro.ora) is owned by Oracle software owner
Severity: Warning
Rationale: The Oracle Agent SNMP read-only configuration file (snmp_ro.ora) contains the listening address of the agent, the names of SQL*Net listener and Oracle database services it knows about, plus tracing parameters. A publicly accessible SNMP read-only configuration file can be used to extract sensitive data like the tracing directory location, dbsnmp address, etc.
Oracle Agent Snmp Read-Only Configuration File Permission
Description: Ensures Oracle Agent SNMP read-only configuration file (snmp_ro.ora) permissions are limited to the Oracle software set and DBA group
Severity: Warning
Rationale: The Oracle Agent SNMP read-only configuration file (snmp_ro.ora) contains the listening address of the agent, the names of SQL*Net listener and Oracle database services it knows about, plus tracing parameters. A publicly accessible SNMP read-only configuration file can be used to extract sensitive data like the tracing directory location, dbsnmp address, etc.
Oracle Agent Snmp Read-Only Configuration File Permission(Windows)
Description: Ensures Oracle Agent SNMP read-only configuration file (snmp_ro.ora) permissions are limited to the Oracle software set and DBA group
Severity: Warning
Rationale: The Oracle Agent SNMP read-only configuration file (snmp_ro.ora) contains the listening address of the agent, the names of SQL*Net listener and Oracle database services it knows about, plus tracing parameters. A publicly accessible SNMP read-only configuration file can be used to extract sensitive data like the tracing directory location, dbsnmp address, etc.
Oracle Agent Snmp Read-Write Configuration File Owner
Description: Ensures Oracle Agent SNMP read-write configuration file (snmp_rw.ora) is owned by Oracle software owner
Severity: Warning
Rationale: The Oracle Agent SNMP read-write configuration file (snmp_rw.ora) contains the listening address of the agent, the names of SQL*Net listener and Oracle database services it knows about, plus tracing parameters. A publicly accessible SNMP read-write configuration file can be used to extract sensitive data like the tracing directory location, dbsnmp address, etc.
Oracle Agent Snmp Read-Write Configuration File Permission
Description: Ensures Oracle Agent SNMP read-write configuration file (snmp_rw.ora) permissions are limited to the Oracle software set and DBA group
Severity: Warning
Rationale: The Oracle Agent SNMP read-write configuration file (snmp_rw.ora) contains the listening address of the agent, the names of SQL*Net listener and Oracle database services it knows about, plus tracing parameters. A publicly accessible SNMP read-write configuration file can be used to extract sensitive data like the tracing directory location, dbsnmp address, etc.
Oracle Agent Snmp Read-Write Configuration File Permission(Windows)
Description: Ensures Oracle Agent SNMP read-write configuration file (snmp_rw.ora) permissions are limited to the Oracle software set and DBA group
Severity: Warning
Rationale: The Oracle Agent SNMP read-write configuration file (snmp_rw.ora) contains the listening address of the agent, the names of SQL*Net listener and Oracle database services it knows about, plus tracing parameters. A publicly accessible SNMP read-write configuration file can be used to extract sensitive data like the tracing directory location, dbsnmp address, etc.
Oracle Http Server Distributed Configuration File Owner
Description: Ensures Oracle HTTP Server distributed configuration file ownership is restricted to the Oracle software set and DBA group
Severity: Warning
Rationale: The Oracle HTTP Server distributed configuration file (usually .htaccess) is used for access control and authentication of web folders. This file can be modified to gain access to pages containing sensitive information.
Oracle Http Server Distributed Configuration Files Permission
Description: Ensures Oracle HTTP Server Distributed Configuration Files permissions are limited to the Oracle software set and DBA group
Severity: Warning
Rationale: The Oracle HTTP Server distributed configuration file (usually .htaccess) is used for access control and authentication of web folders. This file can be modified to gain access to pages containing sensitive information.
Oracle Http Server Mod_Plsql Configuration File Owner
Description: Ensures Oracle HTTP Server mod_plsql configuration file (wdbsvr.app) is owned by Oracle software owner
Severity: Warning
Rationale: The Oracle Agent SNMP read-write configuration file (snmp_rw.ora) contains the listening address of the agent, the names of SQL*Net listener and Oracle database services it knows about, plus tracing parameters. A publicly accessible SNMP read-write configuration file can be used to extract sensitive data like the tracing directory location, dbsnmp address, etc.
Oracle Http Server Mod_Plsql Configuration File Permission
Description: Ensures Oracle HTTP Server mod_plsql Configuration file (wdbsvr.app) permissions are limited to the Oracle software set and DBA group
Severity: Warning
Rationale: The Oracle Agent SNMP read-write configuration file (snmp_rw.ora) contains the listening address of the agent, the names of SQL*Net listener and Oracle database services it knows about, plus tracing parameters. A publicly accessible SNMP read-write configuration file can be used to extract sensitive data like the tracing directory location, dbsnmp address, etc.
Oracle Http Server Mod_Plsql Configuration File Permission(Windows)
Description: Ensures Oracle HTTP Server mod_plsql Configuration file (wdbsvr.app) permissions are limited to the Oracle software set and DBA group
Severity: Warning
Rationale: The Oracle HTTP Server mod_plsql configuration file (wdbsvr.app) contains the Database Access Descriptors used for authentication. A publicly accessible mod_plsql configuration file can allow a malicious user to modify the Database Access Descriptor settings to gain access to PL/SQL applications or launch a Denial Of Service attack.
Oracle Home Executable Files Permission
Description: Ensures that all files in the ORACLE_HOME/bin folder do not have public write permission
Severity: Warning
Rationale: Incorrect file permissions on some of the Oracle files can cause major security issues.
Oracle Home Executable Files Permission(Windows)
Description: Ensures that all files in the ORACLE_HOME/bin folder do not have public write permission
Severity: Warning
Rationale: Incorrect file permissions on some of the Oracle files can cause major security issues.
Oracle Net Client Log Directory Owner
Description: Ensures that the client log directory is a valid directory owned by Oracle set
Severity: Critical
Rationale: Log files provide information contained in an error stack. An error stack refers to the information that is produced by each layer in an Oracle communications stack as the result of a network error. The information in log files can reveal important network and database connection details. Allowing access to the log directory can expose the log files to public scrutiny.
Oracle Net Client Trace Directory Owner
Description: Ensures that the client trace directory is a valid directory owned by Oracle set
Severity: Critical
Rationale: Tracing produces a detailed sequence of statements that describe network events as they are executed. Tracing an operation enables you to obtain more information on the internal operations of the components of Oracle Net Services than is provided in a log file. The information in this file can reveal important network and database connection details. Allowing access to the log directory can expose the log files to public scrutiny.
Oracle Net Inbound Connect Timeout
Description: Ensures that all incomplete inbound connections to Oracle Net have a limited lifetime
Severity: Warning
Rationale: Without this parameter, or when it is assigned a higher value, a client connection to the database server can stay open indefinitely or for the specified duration without authentication. Connections without authentication can introduce possible denial-of-service attacks, whereby malicious clients attempt to flood database servers with connect requests that consume resources.
Oracle Net Ssl_Cert_Revocation
Description: Ensures that the ssl_cert_revocation parameter is set to recommended value in sqlnet.ora
Severity: Warning
Rationale: This option ensures that revocation is required for checking CRLs for client certificate authentication. Revoked certificates can pose a threat to the integrity of the SSL channel and should not be trusted.
Oracle Net Ssl_Server_Dn_Match
Description: Ensures ssl_server_dn_match is enabled in sqlnet.ora so that SSL, in turn, ensures that the certificate is from the server
Severity: Warning
Rationale: If the ssl_server_dn_match parameter is disabled, then SSL performs the check but allows the connection regardless of whether there is a match. Not enforcing the match allows the server to potentially fake its identity.
Oracle Net Server Log Directory Owner
Description: Ensures that the server log directory is a valid directory owned by Oracle set
Severity: Critical
Rationale: Log files provide information contained in an error stack. An error stack refers to the information that is produced by each layer in an Oracle communications stack as the result of a network error. The information in log files can reveal important network and database connection details. Allowing access to the log directory can expose the log files to public scrutiny.
Oracle Net Server Trace Directory Owner
Description: Ensures that the server trace directory is a valid directory owned by Oracle set
Severity: Critical
Rationale: Tracing produces a detailed sequence of statements that describe network events as they are executed. Tracing an operation enables you to obtain more information on the internal operations of the components of Oracle Net Services than is provided in a log file. The information in this file can reveal important network and database connection details. Allowing access to the log directory can expose the log files to public scrutiny.
Oracle Net Sqlnet Expire Time
Description: Ensures that sqlnet.expire_time parameter is set to recommended value.
Severity: Warning
Rationale: If sqlnet.expire_time is not set or is set to 0, the database never checks for dead connections, and they keep consuming database server resources.
Oracle Net Tcp Validnode Checking
Description: Ensures that tcp.validnode_checking parameter is set to yes.
Severity: Minor Warning
Rationale: Not setting valid node check can potentially allow anyone to connect to the server, including a malicious user.
Oracle Xsql Configuration File Owner
Description: Ensures Oracle XSQL configuration file (XSQLConfig.xml) is owned by Oracle software owner
Severity: Warning
Rationale: The Oracle XSQL configuration file (XSQLConfig.xml) contains sensitive database connection information. A publicly accessible XSQL configuration file can expose the database username and password, which can be used to access sensitive data or to launch further attacks.
Oracle Xsql Configuration File Permission
Description: Ensures Oracle XSQL configuration file (XSQLConfig.xml) permissions are limited to the Oracle software set and DBA group
Severity: Warning
Rationale: The Oracle XSQL configuration file (XSQLConfig.xml) contains sensitive database connection information. A publicly accessible XSQL configuration file can expose the database username and password, which can be used to access sensitive data or to launch further attacks.
Oracle Xsql Configuration File Permission(Windows)
Description: Ensures Oracle XSQL Configuration File (XSQLConfig.xml) permissions are limited to the Oracle software set and DBA group
Severity: Warning
Rationale: The Oracle XSQL configuration file (XSQLConfig.xml) contains sensitive database connection information. A publicly accessible XSQL configuration file can expose the database username and password, which can be used to access sensitive data or to launch further attacks.
Otrace Data Files
Description: Avoids negative impact on database performance and disk space usage, caused by data collected by otrace
Severity: Warning
Rationale: Performance and resource utilization data collection can have a negative impact on database performance and disk space usage.
Return Server Release Banner
Description: Ensures that value of parameter SEC_RETURN_SERVER_RELEASE_BANNER is FALSE
Severity: Critical
Rationale: If the parameter SEC_RETURN_SERVER_RELEASE_BANNER is TRUE, Oracle Database returns complete database version information to clients. Knowing the exact patch set can aid an attacker.
Remote Password File
Description: Ensures privileged users are authenticated by the operating system; that is, Oracle ignores any password file
Severity: Minor Warning
Rationale: The REMOTE_LOGIN_PASSWORDFILE parameter specifies whether or not Oracle checks for a password file. Because password files contain the passwords for users, including SYS, the most secure way of preventing an attacker from connecting through brute-force password-related attacks is to require privileged users be authenticated by the operating system.
Restrict Sqlnet.Ora Permission
Description: Ensures that the sqlnet.ora file is not accessible to public
Severity: Critical
Rationale: If sqlnet.ora is publicly readable, a malicious user may attempt to read it, which could lead to sensitive information being exposed, for example the log and trace destination information of the client and server.
Restrict Sqlnet.Ora Permission(Windows)
Description: Ensures that the sqlnet.ora file is not accessible to public
Severity: Critical
Rationale: If sqlnet.ora is publicly readable, a malicious user may attempt to read it, which could lead to sensitive information being exposed, for example the log and trace destination information of the client and server.
Sql*Plus Executable Owner
Description: Ensures SQL*Plus ownership is restricted to the Oracle software set and DBA group
Severity: Warning
Rationale: SQL*Plus allows a user to execute any SQL on the database. Not restricting ownership of SQL*Plus to the Oracle software set and DBA group may cause security issues by exposing sensitive data to malicious users.
Sql*Plus Executable Permission
Description: Ensures that SQL*Plus executable file permissions are limited to the Oracle software set and DBA group
Severity: Warning
Rationale: SQL*Plus allows a user to execute any SQL on the database. Public execute permissions on SQL*Plus can cause security issues by exposing sensitive data to malicious users.
Sql*Plus Executable Permission(Windows)
Description: Ensures that SQL*Plus executable file permissions are limited to the Oracle software set and DBA group
Severity: Warning
Rationale: SQL*Plus allows a user to execute any SQL on the database. Public execute permissions on SQL*Plus can cause security issues by exposing sensitive data to malicious users.
Secure Os Audit Level
Description: On UNIX systems, ensures that AUDIT_SYSLOG_LEVEL is set to a non-default value when OS-level auditing is enabled.
Severity: Warning
Rationale: Setting the AUDIT_SYSLOG_LEVEL initialization parameter to the default value (NONE) will result in DBAs gaining access to the OS audit records
Tkprof Executable Owner
Description: Ensures tkprof executable file is owned by Oracle software owner
Severity: Warning
Rationale: Not restricting ownership of tkprof to the Oracle software set and DBA group may cause information leak.
Tkprof Executable Permission
Description: Ensures tkprof executable file permissions are restricted to read and execute for the group, and inaccessible to public
Severity: Warning
Rationale: Excessive permissions on tkprof leave the information within unprotected.
Tkprof Executable Permission(Windows)
Description: Ensures tkprof executable file permissions are restricted to read and execute for the group, and inaccessible to public
Severity: Warning
Rationale: Excessive permissions on tkprof leave the information within unprotected.
Use Of Automatic Log Archival Features
Description: Ensures that archiving of redo logs is done automatically and prevents suspension of instance operations when redo logs fill. Only applicable if database is in archivelog mode
Severity: Critical
Rationale: Setting the LOG_ARCHIVE_START initialization parameter to TRUE ensures that the archiving of redo logs is done automatically and prevents suspension of instance operations when redo logs fill. This feature is only applicable if the database is in archivelog mode.
Use Of Sql92 Security Features
Description: Ensures use of SQL92 security features
Severity: Warning
Rationale: If SQL92 security features are not enabled, a user might be able to execute an UPDATE or DELETE statement using a WHERE clause without having select privilege on a table.
Utility File Directory Initialization Parameter Setting In Oracle9I Release 1 And Later
Description: Ensure that the UTL_FILE_DIR initialization parameter is not used in Oracle9i Release 1 and later
Severity: Critical
Rationale: Specifies the directories which UTL_FILE package can access. Having the parameter set to asterisk (*), period (.), or to sensitive directories could expose them to all users having execute privilege on UTL_FILE package.
Webcache Initialization File Owner
Description: Ensures Webcache initialization file (webcache.xml) is owned by Oracle software owner
Severity: Warning
Rationale: Webcache stores sensitive information in the initialization file (webcache.xml). A publicly accessible Webcache initialization file can be used to extract sensitive data like the administrator password hash.
Webcache Initialization File Permission
Description: Ensures the Webcache initialization file (webcache.xml) permissions are limited to the Oracle software set and DBA group
Severity: Warning
Rationale: Webcache stores sensitive information in the initialization file (webcache.xml). A publicly accessible Webcache initialization file can be used to extract sensitive data like the administrator password hash.
Webcache Initialization File Permission(Windows)
Description: Ensures the Webcache initialization file (webcache.xml) permissions are limited to the Oracle software set and DBA group
Severity: Warning
Rationale: Webcache stores sensitive information in the initialization file (webcache.xml). A publicly accessible Webcache initialization file can be used to extract sensitive data like the administrator password hash.
Tcp.Excludeded_Nodes
Description: Ensures that tcp.excluded_nodes parameter is set.
Severity: Warning
Rationale: Not setting valid node check can potentially allow anyone to connect to the server, including a malicious user.
High Security Configuration For Oracle Database
The compliance rules for the High Security Configuration For Oracle Database standard follow.
"Domain Users" Group Member Of Local "Users" Group
Description: Ensures that the local Users group of a domain server does not include the Domain Users group
Severity: Warning
Rationale: Including Domain Users group in local Users group of a domain server can cause serious security issues.
$Oracle_Home/Network/Admin File Permission
Description: Ensures that ownership of the files in $ORACLE_HOME/network/admin is restricted to the Oracle software set, that the group is restricted to the DBA group, and that Public does not have write permission
Severity: Warning
Rationale: Not restricting ownership of network/admin to the Oracle software set and DBA group may cause security issues by exposing net configuration data to malicious users
$Oracle_Home/Network/Admin File Permission(Windows)
Description: Ensures that ownership of the files in $ORACLE_HOME/network/admin is restricted to the Oracle software set, that the group is restricted to the DBA group, and that Public does not have write permission
Severity: Warning
Rationale: Not restricting ownership of network/admin to the Oracle software set and DBA group may cause security issues by exposing net configuration data to malicious users
Access To *_Catalog_* Roles
Description: Ensure grant of *_CATALOG_* is restricted
Severity: Critical
Rationale: *_CATALOG_* roles have critical access to database objects, which can lead to exposure of vital information in the database system.
Access To All_Source View
Description: Ensures restricted access to ALL_SOURCE view
Severity: Minor Warning
Rationale: ALL_SOURCE view contains source of all stored packages in the database.
Access To Dba_* Views
Description: Ensures SELECT privilege is never granted to any DBA_ view
Severity: Warning
Rationale: The DBA_* views provide access to privileges and policy settings of the database. Some of these views also allow viewing of sensitive PL/SQL code that can be used to understand the security policies.
Access To Role_Role_Privs View
Description: Ensures restricted access to ROLE_ROLE_PRIVS view
Severity: Minor Warning
Rationale: Lists roles granted to other roles. Knowledge of the structure of roles in the database can be taken advantage of by a malicious user.
Access To Sys.Link$ Table
Description: Ensures restricted access to LINK$ table
Severity: Minor Warning
Rationale: A knowledgeable and malicious user can gain access to user passwords from the SYS.LINK$ table.
Access To User_Role_Privs View
Description: Ensures restricted access to USER_ROLE_PRIVS view
Severity: Minor Warning
Rationale: Lists the roles granted to the current user. Knowledge of the structure of roles in the database can be taken advantage of by a malicious user.
Access To User_Tab_Privs View
Description: Ensures restricted access to USER_TAB_PRIVS view
Severity: Minor Warning
Rationale: Lists the grants on objects for which the user is the owner, grantor or grantee. Knowledge of the grants in the database can be taken advantage of by a malicious user.
Access To V$ Synonyms
Description: Ensures SELECT privilege is not granted to any V$ synonyms
Severity: Critical
Rationale: V$ tables contain sensitive information about Oracle database and should only be accessible by system administrators. Check for any user that has access and revoke where possible
Access To V$ Views
Description: Ensures SELECT privilege is not granted to any V$ Views
Severity: Critical
Rationale: V$ tables contain sensitive information about Oracle database and should only be accessible by system administrators. Check for any user that has access and revoke where possible
Access To X_$ Views
Description: Ensure access on X$ views is restricted
Severity: Critical
Rationale: This can lead to revealing of internal database structure information.
Algorithm For Network Data Integrity Check On Server
Description: Ensures that the crypto_checksum_type_server parameter is set to SHA1 in sqlnet.ora
Severity: Warning
Rationale: This option ensures the integrity check for communication is done using SHA1 Algorithm
Audit Alter Any Table Privilege
Description: Ensures ALTER ANY TABLE Privilege is being audited by access for all users
Severity: Critical
Rationale: Auditing ALTER ANY TABLE will provide a record to ensure the appropriate use of account administration privileges. This information is also useful when investigating certain security events
Audit Alter User Privilege
Description: Ensures ALTER USER Privilege is being audited by access for all users
Severity: Critical
Rationale: Auditing ALTER USER will provide a record to ensure the appropriate use of account administration privileges. This information is also useful when investigating certain security events
Audit Aud$ Privilege
Description: Ensures AUD$ is being audited by access for all users
Severity: Critical
Rationale: Auditing AUD$ will provide a record to ensure the appropriate use of account administration privileges. This information is also useful when investigating certain security events
Audit Create Any Library Privilege
Description: Ensures CREATE ANY LIBRARY is being audited by access for all users
Severity: Critical
Rationale: Auditing CREATE ANY LIBRARY will provide a record to ensure the appropriate use of account administration privileges. This information is also useful when investigating certain security events
Audit Create Library Privilege
Description: Ensures CREATE LIBRARY Privilege is being audited by access for all users
Severity: Critical
Rationale: Auditing CREATE LIBRARY will provide a record to ensure the appropriate use of account administration privileges. This information is also useful when investigating certain security events
Audit Create Role Privilege
Description: Ensures CREATE ROLE Privilege is being audited by access for all users
Severity: Critical
Rationale: Auditing the creation of roles will provide a record to ensure the appropriate use of account administration privileges. This information is also useful when investigating certain security events
Audit Create Session Privilege
Description: Ensures CREATE SESSION Privilege is being audited by access for all users
Severity: Critical
Rationale: Auditing CREATE SESSION will provide a record to ensure the appropriate use of account administration privileges. This information is also useful when investigating certain security events
Audit Create User Privilege
Description: Ensures CREATE USER Privilege is being audited by access for all users
Severity: Critical
Rationale: Auditing CREATE USER will provide a record to ensure the appropriate use of account administration privileges. This information is also useful when investigating certain security events
Audit Drop Any Procedure Privilege
Description: Ensures DROP ANY PROCEDURE Privilege is being audited by access for all users
Severity: Critical
Rationale: Auditing DROP ANY PROCEDURE will provide a record to ensure the appropriate use of account administration privileges. This information is also useful when investigating certain security events
Audit Drop Any Role Privilege
Description: Ensures DROP ANY ROLE Privilege is being audited by access for all users
Severity: Critical
Rationale: Auditing the creation of roles will provide a record to ensure the appropriate use of account administration privileges. This information is also useful when investigating certain security events
Audit Drop Any Table Privilege
Description: Ensures DROP ANY TABLE Privilege is being audited by access for all users
Severity: Critical
Rationale: Auditing DROP ANY TABLE will provide a record to ensure the appropriate use of account administration privileges. This information is also useful when investigating certain security events
Audit Execute Any Procedure Privilege
Description: Ensures EXECUTE ANY PROCEDURE Privilege is being audited by access for all users
Severity: Critical
Rationale: Auditing the creation of roles will provide a record to ensure the appropriate use of account administration privileges. This information is also useful when investigating certain security events
Audit Grant Any Object Privilege
Description: Ensures every use of GRANT ANY OBJECT privilege is being audited for non-Administrative (SYSDBA) users.
Severity: Critical
Rationale: Auditing GRANT ANY OBJECT privilege will provide a record to ensure the appropriate use of account administration privileges. This information is also useful when investigating certain security events
Audit Grant Any Privilege
Description: Ensures GRANT ANY PRIVILEGE is being audited by access for all users
Severity: Critical
Rationale: Auditing GRANT ANY PRIVILEGE will provide a record to ensure the appropriate use of account administration privileges. This information is also useful when investigating certain security events
Audit Insert Failure
Description: Ensures that insert failures are audited for critical data objects
Severity: Warning
Rationale: Not auditing insert failures for critical data objects may allow a malicious user to infiltrate system security.
Audit Select Any Dictionary Privilege
Description: Ensures SELECT ANY DICTIONARY Privilege is being audited by access for all users
Severity: Critical
Rationale: Auditing SELECT ANY DICTIONARY will provide a record to ensure the appropriate use of account administration privileges. This information is also useful when investigating certain security events
Background Dump Destination
Description: Ensures that access to the trace files directory is restricted to the owner of the Oracle software set and the DBA group
Severity: Critical
Rationale: Background processes such as the log writer process and the database writer process use trace files to record occurrences and exceptions of database operations, as well as errors. The trace files are stored in the directory specified by the BACKGROUND_DUMP_DEST initialization parameter. Giving public read permission to this directory may reveal important and sensitive internal details of the database and applications.
Case Sensitive Logon
Description: Ensures that the sec_case_sensitive_logon parameter is set to true
Severity: Critical
Rationale: This increases the complexity of passwords and helps defend against brute force password attacks
Connect Time
Description: Ensures that the user profile setting CONNECT_TIME has an appropriate value set for the particular database and application
Severity: Critical
Rationale: Sessions held open for excessive periods of time can consume system resources and cause a denial of service for other users of the Oracle database. The CONNECT_TIME parameter limits the upper bound on how long a session can be held open. This parameter is specified in minutes. Sessions that have exceeded their connect time are aborted and rolled back
Cpu Per Session
Description: Ensures that all profiles have CPU_PER_SESSION set to a reasonable number of CPU cycles
Severity: Critical
Rationale: Allowing a single application or user to consume excessive CPU resources will result in a denial of service to the Oracle database
Db Securefile
Description: Ensure that all LOB files created by Oracle are created as SecureFiles
Severity: Critical
Rationale: For LOBs to be treated as SecureFiles, set the COMPATIBLE initialization parameter to 11.1 or higher. If there is a LOB column with two partitions (one that has a tablespace for which ASSM is enabled and one that has a tablespace for which ASSM is not enabled), then LOBs in the partition with the ASSM-enabled tablespace will be treated as SecureFiles and LOBs in the other partition will be treated as BasicFile LOBs. Setting db_securefile to ALWAYS makes sure that any LOB file created is a SecureFile.
Dispatchers
Description: Ensures that the DISPATCHERS parameter is not set
Severity: Critical
Rationale: This will disable default ports ftp: 2100 and http: 8080. Removing the XDB ports will reduce the attack surface of the Oracle server. It is recommended to disable these ports if production usage is not required
Execute Privileges On Dbms_Lob To Public
Description: Ensures PUBLIC group is not granted EXECUTE privileges to the DBMS_LOB package
Severity: Critical
Rationale: The DBMS_LOB package can be used to access any file on the system as the owner of the Oracle software installation.
Execute Privileges On Utl_File To Public
Description: Ensure PUBLIC does not have EXECUTE privilege on the UTL_FILE package
Severity: Critical
Rationale: Privileges granted to the PUBLIC role automatically apply to all users. A malicious user can read and write arbitrary files in the system when granted the UTL_FILE privilege.
Execute Privilege On Sys.Dbms_Export_Extension To Public
Description: Ensure PUBLIC does not have execute privileges on the SYS.DBMS_EXPORT_EXTENSION package
Severity: Critical
Rationale: Privileges granted to the PUBLIC role automatically apply to all users. DBMS_EXPORT_EXTENSION can allow SQL injection, which a malicious user will be able to take advantage of.
Execute Privilege On Sys.Dbms_Random Public
Description: Ensure PUBLIC does not have execute privileges on the SYS.DBMS_RANDOM package
Severity: Critical
Rationale: Privileges granted to the PUBLIC role automatically apply to all users. DBMS_RANDOM can allow SQL injection, which a malicious user will be able to take advantage of.
Granting Select Any Table Privilege
Description: Ensures SELECT ANY PRIVILEGE is never granted to any user or role
Severity: Warning
Rationale: The SELECT ANY TABLE privilege can be used to grant users or roles with the ability to view data in tables that are not owned by them. A malicious user with access to any user account that has this privilege can use this to gain access to sensitive data.
Ifile Referenced File Permission
Description: Ensures that access to the files referenced by the IFILE parameter is restricted to the owner of the Oracle software set and the DBA group
Severity: Critical
Rationale: The IFILE initialization parameter can be used to embed the contents of another initialization parameter file into the current initialization parameter file. A publicly accessible initialization parameter file can be scanned for sensitive initialization parameters, exposing the security policies of the database. The initialization parameter file can also be searched for weaknesses in the Oracle database configuration settings.
Ifile Referenced File Permission(Windows)
Description: Ensures that access to the files referenced by the IFILE parameter is restricted to the owner of the Oracle software set and the DBA group
Severity: Critical
Rationale: The IFILE initialization parameter can be used to embed the contents of another initialization parameter file into the current initialization parameter file. A publicly accessible initialization parameter file can be scanned for sensitive initialization parameters, exposing the security policies of the database. The initialization parameter file can also be searched for weaknesses in the Oracle database configuration settings.
Installation On Domain Controller
Description: Ensures that Oracle is not installed on a domain controller
Severity: Warning
Rationale: Installing Oracle on a domain controller can cause serious security issues.
Installed Oracle Home Drive Permissions
Description: On Windows, ensures that the installed Oracle Home drive is not accessible to Everyone Group
Severity: Warning
Rationale: Granting the Everyone group permission on the drive where Oracle is installed can cause serious security issues.
Logical Reads Per Session
Description: Ensures that the user profile setting LOGICAL_READS_PER_SESSION has an appropriate value set for the particular database and application
Severity: Critical
Rationale: Allowing a single application or user to perform excessive amounts of reads to disk will result in a denial of service to the Oracle database
Limit Os Authentication
Description: Ensures database accounts do not rely on OS authentication
Severity: Critical
Rationale: If the host operating system has the userid required for a database account whose password is set to EXTERNAL, then Oracle no longer checks its credentials. It simply assumes the host must have done its authentication and lets the user into the database without any further checking.
Log Archive Destination Owner
Description: Ensures that the server's archive logs directory is a valid directory owned by Oracle software owner
Severity: Critical
Rationale: LogMiner can be used to extract database information from the archive logs if the directory specified by LOG_ARCHIVE_DEST parameter (in init.ora file) is not owned by the owner of the Oracle software installation or has permissions for others.
Log Archive Destination Permission
Description: Ensures that the server's archive logs are not accessible to public
Severity: Critical
Rationale: LogMiner can be used to extract database information from the archive logs if the directory specified by LOG_ARCHIVE_DEST parameter (in init.ora file) is not owned by the owner of the Oracle software installation or has permissions for others.
Log Archive Destination Permission(Windows)
Description: Ensures that the server's archive logs are not accessible to public
Severity: Critical
Rationale: LogMiner can be used to extract database information from the archive logs if the directory specified by LOG_ARCHIVE_DEST parameter (in init.ora file) is not owned by the owner of the Oracle software installation or has permissions for others.
Log Archive Duplex Destination Owner
Description: Ensures that the server's archive logs directory is a valid directory owned by Oracle software owner
Severity: Critical
Rationale: LogMiner can be used to extract database information from the archive logs if the directory specified by LOG_ARCHIVE_DUPLEX_DEST parameter (in init.ora file) is not owned by the owner of the Oracle software installation or has permissions for others.
Log Archive Duplex Destination Permission
Description: Ensures that the server's archive logs are not accessible to public
Severity: Critical
Rationale: LogMiner can be used to extract database information from the archive logs if the directory specified by LOG_ARCHIVE_DUPLEX_DEST parameter (in init.ora file) is not owned by the owner of the Oracle software installation or has permissions for others.
Log Archive Duplex Destination Permission(Windows)
Description: Ensures that the server's archive logs are not accessible to public
Severity: Critical
Rationale: LogMiner can be used to extract database information from the archive logs if the directory specified by LOG_ARCHIVE_DUPLEX_DEST parameter (in init.ora file) is not owned by the owner of the Oracle software installation or has permissions for others.
Naming Database Links
Description: Ensures that the name of a database link is the same as that of the remote database
Severity: Warning
Rationale: Database link names that do not match the global names of the databases to which they are connecting can cause an administrator to inadvertently give access to a production server from a test or development server. Knowledge of this can be used by a malicious user to gain access to the target database.
Oracle_Home Network Admin Owner
Description: Ensures $ORACLE_HOME/network/admin ownership is restricted to the Oracle software set and DBA group
Severity: Warning
Rationale: Not restricting ownership of network/admin to the Oracle software set and DBA group may cause security issues by exposing net configuration data to malicious users
Os Roles
Description: Ensure roles are stored, managed, and protected in the database rather than files external to the DBMS.
Severity: Warning
Rationale: If roles are managed by the OS, it can cause serious security issues.
Oracle Agent Snmp Read-Only Configuration File Owner
Description: Ensures Oracle Agent SNMP read-only configuration file (snmp_ro.ora) is owned by Oracle software owner
Severity: Warning
Rationale: The Oracle Agent SNMP read-only configuration file (snmp_ro.ora) contains the listening address of the agent, the names of SQL*Net listener and Oracle database services it knows about, plus tracing parameters. A publicly accessible SNMP read-only configuration file can be used to extract sensitive data like the tracing directory location, dbsnmp address, etc.
Oracle Agent Snmp Read-Only Configuration File Permission
Description: Ensures Oracle Agent SNMP read-only configuration file (snmp_ro.ora) permissions are limited to the Oracle software set and DBA group
Severity: Warning
Rationale: The Oracle Agent SNMP read-only configuration file (snmp_ro.ora) contains the listening address of the agent, the names of SQL*Net listener and Oracle database services it knows about, plus tracing parameters. A publicly accessible SNMP read-only configuration file can be used to extract sensitive data like the tracing directory location, dbsnmp address, etc.
Oracle Agent Snmp Read-Only Configuration File Permission(Windows)
Description: Ensures Oracle Agent SNMP read-only configuration file (snmp_ro.ora) permissions are limited to the Oracle software set and DBA group
Severity: Warning
Rationale: The Oracle Agent SNMP read-only configuration file (snmp_ro.ora) contains the listening address of the agent, the names of SQL*Net listener and Oracle database services it knows about, plus tracing parameters. A publicly accessible SNMP read-only configuration file can be used to extract sensitive data like the tracing directory location, dbsnmp address, etc.
Oracle Agent Snmp Read-Write Configuration File Owner
Description: Ensures Oracle Agent SNMP read-write configuration file (snmp_rw.ora) is owned by Oracle software owner
Severity: Warning
Rationale: The Oracle Agent SNMP read-write configuration file (snmp_rw.ora) contains the listening address of the agent, the names of SQL*Net listener and Oracle database services it knows about, plus tracing parameters. A publicly accessible SNMP read-write configuration file can be used to extract sensitive data like the tracing directory location, dbsnmp address, etc.
Oracle Agent Snmp Read-Write Configuration File Permission
Description: Ensures Oracle Agent SNMP read-write configuration file (snmp_rw.ora) permissions are limited to the Oracle software set and DBA group
Severity: Warning
Rationale: The Oracle Agent SNMP read-write configuration file (snmp_rw.ora) contains the listening address of the agent, the names of SQL*Net listener and Oracle database services it knows about, plus tracing parameters. A publicly accessible SNMP read-write configuration file can be used to extract sensitive data like the tracing directory location, dbsnmp address, etc.
Oracle Agent Snmp Read-Write Configuration File Permission(Windows)
Description: Ensures Oracle Agent SNMP read-write configuration file (snmp_rw.ora) permissions are limited to the Oracle software set and DBA group
Severity: Warning
Rationale: The Oracle Agent SNMP read-write configuration file (snmp_rw.ora) contains the listening address of the agent, the names of SQL*Net listener and Oracle database services it knows about, plus tracing parameters. A publicly accessible SNMP read-write configuration file can be used to extract sensitive data like the tracing directory location, dbsnmp address, etc.
Oracle Http Server Distributed Configuration File Owner
Description: Ensures Oracle HTTP Server distributed configuration file ownership is restricted to the Oracle software set and DBA group
Severity: Warning
Rationale: The Oracle HTTP Server distributed configuration file (usually .htaccess) is used for access control and authentication of web folders. This file can be modified to gain access to pages containing sensitive information.
Oracle Http Server Distributed Configuration Files Permission
Description: Ensures Oracle HTTP Server Distributed Configuration Files permissions are limited to the Oracle software set and DBA group
Severity: Warning
Rationale: The Oracle HTTP Server distributed configuration file (usually .htaccess) is used for access control and authentication of web folders. This file can be modified to gain access to pages containing sensitive information.
Oracle Http Server Mod_Plsql Configuration File Owner
Description: Ensures Oracle HTTP Server mod_plsql configuration file (wdbsvr.app) is owned by Oracle software owner
Severity: Warning
Rationale: The Oracle HTTP Server mod_plsql configuration file (wdbsvr.app) contains the Database Access Descriptors used for authentication. A publicly accessible mod_plsql configuration file can allow a malicious user to modify the Database Access Descriptor settings to gain access to PL/SQL applications or launch a Denial Of Service attack.
Oracle Http Server Mod_Plsql Configuration File Permission
Description: Ensures Oracle HTTP Server mod_plsql Configuration file (wdbsvr.app) permissions are limited to the Oracle software set and DBA group
Severity: Warning
Rationale: The Oracle HTTP Server mod_plsql configuration file (wdbsvr.app) contains the Database Access Descriptors used for authentication. A publicly accessible mod_plsql configuration file can allow a malicious user to modify the Database Access Descriptor settings to gain access to PL/SQL applications or launch a Denial Of Service attack.
Oracle Http Server Mod_Plsql Configuration File Permission(Windows)
Description: Ensures Oracle HTTP Server mod_plsql Configuration file (wdbsvr.app) permissions are limited to the Oracle software set and DBA group
Severity: Warning
Rationale: The Oracle HTTP Server mod_plsql configuration file (wdbsvr.app) contains the Database Access Descriptors used for authentication. A publicly accessible mod_plsql configuration file can allow a malicious user to modify the Database Access Descriptor settings to gain access to PL/SQL applications or launch a Denial Of Service attack.
Oracle Home Executable Files Permission
Description: Ensures that all files in the ORACLE_HOME/bin folder do not have public write permission
Severity: Warning
Rationale: Incorrect file permissions on some of the Oracle files can cause major security issues.
Oracle Home Executable Files Permission(Windows)
Description: Ensures that all files in the ORACLE_HOME/bin folder do not have public write permission
Severity: Warning
Rationale: Incorrect file permissions on some of the Oracle files can cause major security issues.
Oracle Net Client Log Directory Owner
Description: Ensures that the client log directory is a valid directory owned by Oracle set
Severity: Critical
Rationale: Log files provide information contained in an error stack. An error stack refers to the information that is produced by each layer in an Oracle communications stack as the result of a network error. The information in log files can reveal important network and database connection details. Allowing access to the log directory can expose the log files to public scrutiny.
Oracle Net Client Trace Directory Owner
Description: Ensures that the client trace directory is a valid directory owned by Oracle set
Severity: Critical
Rationale: Tracing produces a detailed sequence of statements that describe network events as they are executed. Tracing an operation enables you to obtain more information on the internal operations of the components of Oracle Net Services than is provided in a log file. The information in this file can reveal important network and database connection details. Allowing access to the log directory can expose the log files to public scrutiny.
Oracle Net Inbound Connect Timeout
Description: Ensures that all incomplete inbound connections to Oracle Net have a limited lifetime
Severity: Warning
Rationale: Without this parameter, or when it is assigned a higher value, a client connection to the database server can stay open indefinitely or for the specified duration without authentication. Connections without authentication can introduce possible denial-of-service attacks, whereby malicious clients attempt to flood database servers with connect requests that consume resources.
Oracle Net Ssl_Cert_Revocation
Description: Ensures that the ssl_cert_revocation parameter is set to recommended value in sqlnet.ora
Severity: Warning
Rationale: This option ensures revocation is required for checking CRLs for client certificate authentication. Revoked certificates can pose a threat to the integrity of the SSL channel and should not be trusted.
Oracle Net Ssl_Server_Dn_Match
Description: Ensures ssl_server_dn_match is enabled in sqlnet.ora and in turn SSL ensures that the certificate is from the server
Severity: Warning
Rationale: If the ssl_server_dn_match parameter is disabled, then SSL performs the check but allows the connection regardless of whether there is a match. Not enforcing the match allows the server to potentially fake its identity.
Oracle Net Server Log Directory Owner
Description: Ensures that the server log directory is a valid directory owned by Oracle set
Severity: Critical
Rationale: Log files provide information contained in an error stack. An error stack refers to the information that is produced by each layer in an Oracle communications stack as the result of a network error. The information in log files can reveal important network and database connection details. Allowing access to the log directory can expose the log files to public scrutiny.
Oracle Net Server Trace Directory Owner
Description: Ensures that the server trace directory is a valid directory owned by Oracle set
Severity: Critical
Rationale: Tracing produces a detailed sequence of statements that describe network events as they are executed. Tracing an operation enables you to obtain more information on the internal operations of the components of Oracle Net Services than is provided in a log file. The information in this file can reveal important network and database connection details. Allowing access to the log directory can expose the log files to public scrutiny.
Oracle Net Sqlnet Expire Time
Description: Ensures that sqlnet.expire_time parameter is set to recommended value.
Severity: Warning
Rationale: If sqlnet.expire_time is not set or is set to 0, then the database never checks for dead connections and they keep consuming database server resources.
Oracle Net Tcp Validnode Checking
Description: Ensures that tcp.validnode_checking parameter is set to yes.
Severity: Minor Warning
Rationale: Not setting valid node check can potentially allow anyone to connect to the server, including a malicious user.
Oracle Xsql Configuration File Owner
Description: Ensures Oracle XSQL configuration file (XSQLConfig.xml) is owned by Oracle software owner
Severity: Warning
Rationale: The Oracle XSQL configuration file (XSQLConfig.xml) contains sensitive database connection information. A publicly accessible XSQL configuration file can expose the database username and password that can be used to access sensitive data or to launch further attacks.
Oracle Xsql Configuration File Permission
Description: Ensures Oracle XSQL configuration file (XSQLConfig.xml) permissions are limited to the Oracle software set and DBA group
Severity: Warning
Rationale: The Oracle XSQL configuration file (XSQLConfig.xml) contains sensitive database connection information. A publicly accessible XSQL configuration file can expose the database username and password that can be used to access sensitive data or to launch further attacks.
Oracle Xsql Configuration File Permission(Windows)
Description: Ensures Oracle XSQL Configuration File (XSQLConfig.xml) permissions are limited to the Oracle software set and DBA group
Severity: Warning
Rationale: The Oracle XSQL configuration file (XSQLConfig.xml) contains sensitive database connection information. A publicly accessible XSQL configuration file can expose the database username and password that can be used to access sensitive data or to launch further attacks.
Otrace Data Files
Description: Avoids negative impact on database performance and disk space usage, caused by data collected by otrace
Severity: Warning
Rationale: Performance and resource utilization data collection can have a negative impact on database performance and disk space usage.
Private Sga
Description: Ensure that users' PRIVATE_SGA profile settings have appropriate values set for the particular database and application
Severity: Critical
Rationale: Allowing a single application or user to consume excessive amounts of the System Global Area will result in a denial of service to the Oracle database.
Password Reuse Max
Description: Ensures that all profiles have PASSWORD_REUSE_MAX set to a reasonable number of times
Severity: Warning
Rationale: Old passwords are usually the best guesses for the current password. A low value for the PASSWORD_REUSE_MAX parameter may cause serious database security issues by allowing users to reuse their old passwords more often.
Password Reuse Time
Description: Ensures that all profiles have PASSWORD_REUSE_TIME set to a reasonable number of days
Severity: Critical
Rationale: A low value for the PASSWORD_REUSE_TIME parameter may cause serious database security issues by allowing users to reuse their old passwords more often.
Proxy Account
Description: Ensures that the proxy accounts have limited privileges
Severity: Warning
Rationale: The proxy user only needs to connect to the database. Once connected it will use the privileges of the user it is connecting on behalf of. Granting any other privilege than the CREATE SESSION privilege to the proxy user is unnecessary and open to misuse.
Return Server Release Banner
Description: Ensures that value of parameter SEC_RETURN_SERVER_RELEASE_BANNER is FALSE
Severity: Critical
Rationale: If the parameter SEC_RETURN_SERVER_RELEASE_BANNER is TRUE, Oracle Database returns complete database version information to clients. Knowing the exact patch set can aid an attacker.
Remote Password File
Description: Ensures privileged users are authenticated by the operating system; that is, Oracle ignores any password file
Severity: Minor Warning
Rationale: The REMOTE_LOGIN_PASSWORDFILE parameter specifies whether or not Oracle checks for a password file. Because password files contain the passwords for users, including SYS, the most secure way of preventing an attacker from connecting through brute-force password-related attacks is to require privileged users be authenticated by the operating system.
Restrict Sqlnet.Ora Permission
Description: Ensures that the sqlnet.ora file is not accessible to public
Severity: Critical
Rationale: If sqlnet.ora is publicly readable, a malicious user may attempt to read it, which could lead to sensitive information being exposed, for example, log and trace destination information of the client and server.
Restrict Sqlnet.Ora Permission(Windows)
Description: Ensures that the sqlnet.ora file is not accessible to public
Severity: Critical
Rationale: If sqlnet.ora is publicly readable, a malicious user may attempt to read it, which could lead to sensitive information being exposed, for example, log and trace destination information of the client and server.
Sessions_Per_User
Description: Ensures that all profiles have SESSIONS_PER_USER set to a reasonable number
Severity: Critical
Rationale: Allowing an unlimited number of sessions per user can consume Oracle resources and cause a denial of service. Limit the number of sessions for each individual user.
Sql*Plus Executable Owner
Description: Ensures SQL*Plus ownership is restricted to the Oracle software set and DBA group
Severity: Warning
Rationale: SQL*Plus allows a user to execute any SQL on the database. Not restricting ownership of SQL*Plus to the Oracle software set and DBA group may cause security issues by exposing sensitive data to malicious users.
Sql*Plus Executable Permission
Description: Ensures that SQL*Plus executable file permissions are limited to the Oracle software set and DBA group
Severity: Warning
Rationale: SQL*Plus allows a user to execute any SQL on the database. Public execute permissions on SQL*Plus can cause security issues by exposing sensitive data to malicious users.
Sql*Plus Executable Permission(Windows)
Description: Ensures that SQL*Plus executable file permissions are limited to the Oracle software set and DBA group
Severity: Warning
Rationale: SQL*Plus allows a user to execute any SQL on the database. Public execute permissions on SQL*Plus can cause security issues by exposing sensitive data to malicious users.
Secure Os Audit Level
Description: On UNIX systems, ensures that AUDIT_SYSLOG_LEVEL is set to a non-default value when OS-level auditing is enabled.
Severity: Warning
Rationale: Setting the AUDIT_SYSLOG_LEVEL initialization parameter to the default value (NONE) will result in DBAs gaining access to the OS audit records
System Privileges To Public
Description: Ensure system privileges are not granted to PUBLIC
Severity: Critical
Rationale: Privileges granted to the PUBLIC role automatically apply to all users. There are security risks in granting SYSTEM privileges to all users.
Tkprof Executable Owner
Description: Ensures tkprof executable file is owned by Oracle software owner
Severity: Warning
Rationale: Not restricting ownership of tkprof to the Oracle software set and DBA group may cause an information leak.
Tkprof Executable Permission
Description: Ensures tkprof executable file permissions are restricted to read and execute for the group, and inaccessible to public
Severity: Warning
Rationale: Excessive permissions for tkprof leave the information within it unprotected.
Tkprof Executable Permission(Windows)
Description: Ensures tkprof executable file permissions are restricted to read and execute for the group, and inaccessible to public
Severity: Warning
Rationale: Excessive permissions for tkprof leave the information within it unprotected.
Unlimited Tablespace Quota
Description: Ensures database users are allocated a limited tablespace quota
Severity: Warning
Rationale: Granting unlimited tablespace quotas can cause the filling up of the allocated disk space. This can lead to an unresponsive database.
Use Of Automatic Log Archival Features
Description: Ensures that archiving of redo logs is done automatically and prevents suspension of instance operations when redo logs fill. Only applicable if database is in archivelog mode
Severity: Critical
Rationale: Setting the LOG_ARCHIVE_START initialization parameter to TRUE ensures that the archiving of redo logs is done automatically and prevents suspension of instance operations when redo logs fill. This feature is only applicable if the database is in archivelog mode.
Use Of Sql92 Security Features
Description: Ensures use of SQL92 security features
Severity: Warning
Rationale: If SQL92 security features are not enabled, a user might be able to execute an UPDATE or DELETE statement using a WHERE clause without having select privilege on a table.
Use Of Windows Nt Domain Prefix
Description: Ensures externally identified users specify the domain while connecting
Severity: Critical
Rationale: This setting is only applicable to Windows systems. If externally identified accounts are required, setting OSAUTH_PREFIX_DOMAIN to TRUE in the registry forces the account to specify the domain. This prevents spoofing of user access from an alternate domain or local system.
Utility File Directory Initialization Parameter Setting In Oracle9I Release 1 And Later
Description: Ensure that the UTL_FILE_DIR initialization parameter is not used in Oracle9i Release 1 and later
Severity: Critical
Rationale: Specifies the directories which UTL_FILE package can access. Having the parameter set to asterisk (*), period (.), or to sensitive directories could expose them to all users having execute privilege on UTL_FILE package.
Webcache Initialization File Owner
Description: Ensures Webcache initialization file (webcache.xml) is owned by Oracle software owner
Severity: Warning
Rationale: Webcache stores sensitive information in the initialization file (webcache.xml). A publicly accessible Webcache initialization file can be used to extract sensitive data like the administrator password hash.
Webcache Initialization File Permission
Description: Ensures the Webcache initialization file (webcache.xml) permissions are limited to the Oracle software set and DBA group
Severity: Warning
Rationale: Webcache stores sensitive information in the initialization file (webcache.xml). A publicly accessible Webcache initialization file can be used to extract sensitive data like the administrator password hash.
Webcache Initialization File Permission(Windows)
Description: Ensures the Webcache initialization file (webcache.xml) permissions are limited to the Oracle software set and DBA group
Severity: Warning
Rationale: Webcache stores sensitive information in the initialization file (webcache.xml). A publicly accessible Webcache initialization file can be used to extract sensitive data like the administrator password hash.
Windows Tools Permission
Description: Ensures Oracle service does not have permissions on Windows tools
Severity: Warning
Rationale: Granting Oracle service the permissions of Windows tools may cause serious security issues.
Tcp.Excluded_Nodes
Description: Ensures that tcp.excluded_nodes parameter is set.
Severity: Warning
Rationale: Not setting valid node check can potentially allow anyone to connect to the server, including a malicious user.
Patchable Configuration For Oracle Database
The compliance rules for the Patchable Configuration For Oracle Database standard follow.
Storage Best Practices For Oracle Database
The compliance rules for the Storage Best Practices For Oracle Database standard follow.
Default Permanent Tablespace Set To A System Tablespace
Description: Checks if the DEFAULT_PERMANENT_TABLESPACE database property is set to a system tablespace
Severity: Warning
Rationale: If not specified explicitly, DEFAULT_PERMANENT_TABLESPACE is defaulted to the SYSTEM tablespace. This is not the recommended setting. With this setting, any user that is not explicitly assigned a tablespace uses the system tablespace. Doing so may result in performance degradation for the database. This is also a security issue. Non-system users may store data and consume all available space in the system tablespace, thus causing the database to stop working.
Default Temporary Tablespace Set To A System Tablespace
Description: Checks if the DEFAULT_TEMP_TABLESPACE database property is set to a system tablespace
Severity: Warning
Rationale: If not specified explicitly, DEFAULT_TEMP_TABLESPACE would default to SYSTEM tablespace and this is not a recommended setting. With this setting, any user that is not explicitly assigned a temporary tablespace uses the system tablespace as their temporary tablespace. System tablespaces should not be used to store temporary data. This is also a security issue. Non-system users may store data and consume all available space in the system tablespace, thus causing the database to stop working.
Dictionary Managed Tablespaces
Description: Checks for dictionary managed tablespaces
Severity: Minor Warning
Rationale: These tablespaces are dictionary managed. Oracle recommends using locally managed tablespaces, with AUTO segment-space management, to enhance performance and ease of space management.
Insufficient Number Of Redo Logs
Description: Checks for use of less than three redo logs
Severity: Warning
Rationale: The online redo log files are used to record changes in the database. When archiving is enabled, these online redo logs need to be archived before they can be reused. Every database requires at least two online redo log groups to be up and running. When the size and number of online redo logs are inadequate, LGWR will wait for ARCH to complete its writing to the archived log destination, before it overwrites that log. This can cause severe performance slowdowns during peak activity periods.
Insufficient Redo Log Size
Description: Checks for redo log files less than 1 Mb
Severity: Critical
Rationale: Small redo logs cause system checkpoints to continuously put a high load on the buffer cache and I/O system.
Non-System Data Segments In System Tablespaces
Description: Checks for data segments owned by non-system users located in tablespaces SYSTEM, SYSAUX and SYSEXT.
Severity: Minor Warning
Rationale: These segments belonging to non-system users are stored in system tablespaces SYSTEM or SYSAUX or SYSEXT. This violation makes it more difficult to manage these data segments and may result in performance degradation in the system tablespace. This is also a security issue. If non-system users are storing data in a system tablespace it is possible that all available space in the system tablespace may be consumed, thus causing the database to stop working.
Non-System Users With System Tablespace As Default Tablespace
Description: Checks for non-system users using SYSTEM or SYSAUX as the default tablespace
Severity: Minor Warning
Rationale: These non-system users use a system tablespace as the default tablespace. This violation will result in non-system data segments being added to the system tablespace, making it more difficult to manage these data segments and possibly resulting in performance degradation in the system tablespace. This is also a security issue. All available space in the system tablespace may be consumed, thus causing the database to stop working.
Non-Uniform Default Extent Size For Tablespaces
Description: Checks for dictionary managed or migrated locally managed tablespaces with non-uniform default extent size
Severity: Minor Warning
Rationale: Dictionary managed or migrated locally managed tablespaces using non-uniform default extent sizes have been found. This means that the extents in a single tablespace will vary in size, leading to fragmentation, inefficient space usage and performance degradation.
Rollback In System Tablespace
Description: Checks for rollback segments in SYSTEM tablespace
Severity: Minor Warning
Rationale: The SYSTEM tablespace should be reserved only for the Oracle data dictionary and its associated objects. It should NOT be used to store any other types of objects such as user tables, user indexes, user views, rollback segments, undo segments or temporary segments.
Tablespace Not Using Automatic Segment-Space Management
Description: Checks for locally managed tablespaces that are using MANUAL segment space management
Severity: Minor Warning
Rationale: Automatic segment-space management is a simpler and more efficient way of managing space within a segment. It completely eliminates any need to specify and tune the PCTUSED, FREELISTS and FREELIST GROUPS storage parameters for schema objects created in the tablespace. In a RAC environment there is the additional benefit of avoiding the hard partitioning of space inherent with using free list groups.
Tablespaces Containing Rollback And Data Segments
Description: Checks for tablespaces containing both rollback and data segments
Severity: Minor Warning
Rationale: These tablespaces contain both rollback and data segments. Mixing segment types in this way makes it more difficult to manage space and may degrade performance in the tablespace. Use of a dedicated tablespace for rollback segments enhances availability and performance.
Users With Permanent Tablespace As Temporary Tablespace
Description: Checks for users using a permanent tablespace as the temporary tablespace
Severity: Minor Warning
Rationale: These users use a permanent tablespace as the temporary tablespace. Using temporary tablespaces allows space management for sort operations to be more efficient. Using a permanent tablespace for these operations may result in performance degradation, especially for Real Application Clusters. There is an additional security concern. This makes it possible for users to use all available space in the system tablespace, causing the database to stop working.