Oracle Database Security Assessment

Highly Confidential

Assessment Date & Time

Date of Data Collection    Date of Report             Reporter Version
Mon Feb 26 2018 09:27:00   Mon Feb 26 2018 09:29:30   2.0.1 (December 2017) - d526

Database Identity

Name      Platform          Database Role   Log Mode     Created
TVDNCDB   Linux x86 64-bit  PRIMARY         ARCHIVELOG   Fri Mar 10 2017 12:08:00

Summary

Section                       Pass  Evaluate  Advisory  Low Risk  Medium Risk  High Risk  Total Findings
Basic Information                0         0         0         0            0          1               1
User Accounts                    5         0         0         3            3          1              12
Privileges and Roles             4        15         0         0            0          0              19
Authorization Control            0         0         2         0            0          0               2
Data Encryption                  0         1         1         0            0          0               2
Fine-Grained Access Control      0         0         5         0            0          0               5
Auditing                         3         4         2         0            3          0              12
Database Configuration           6         4         0         2            0          1              13
Network Configuration            1         0         0         1            3          0               5
Operating System                 2         1         0         1            1          0               5
Total                           21        25        10         7           10          3              76

Basic Information

Database Version

Oracle Database 12c Enterprise Edition Release 12.2.0.1.0 - 64bit Production
Security options used: (none)

Security Features

Feature                                Currently Used
AUTHORIZATION CONTROL
  Database Vault                       No
  Privilege Analysis                   No
DATA ENCRYPTION
  Column Encryption                    No
  Tablespace Encryption                No
  Network Encryption                   No
FINE-GRAINED ACCESS CONTROL
  Data Redaction                       No
  Virtual Private Database             No
  Real Application Security            No
  Label Security                       No
  Transparent Sensitive Data Protection  No
AUDITING
  Traditional Audit                    No
  Fine Grained Audit                   No
  Unified Audit                        Yes
USER AUTHENTICATION
  External Authentication              No
  Global Authentication                No

Patch Check

User Accounts

User Accounts

User Name               Status            Profile   Tablespace  Predefined  Type
ANONYMOUS               EXPIRED & LOCKED  DEFAULT   SYSAUX      Yes         PASSWORD
APPQOSSYS               EXPIRED & LOCKED  DEFAULT   SYSAUX      Yes         PASSWORD
AUDSYS                  EXPIRED & LOCKED  DEFAULT   USERS       Yes         PASSWORD
BI                      OPEN              DEFAULT   EXAMPLE     No          PASSWORD
CTXSYS                  EXPIRED & LOCKED  DEFAULT   SYSAUX      Yes         PASSWORD
DBSFWUSER               EXPIRED & LOCKED  DEFAULT   SYSAUX      Yes         PASSWORD
DBSNMP                  EXPIRED & LOCKED  DEFAULT   SYSAUX      Yes         PASSWORD
DIP                     EXPIRED & LOCKED  DEFAULT   USERS       Yes         PASSWORD
GGSYS                   EXPIRED & LOCKED  DEFAULT   SYSAUX      Yes         PASSWORD
GSMADMIN_INTERNAL       EXPIRED & LOCKED  DEFAULT   SYSAUX      Yes         PASSWORD
GSMCATUSER              EXPIRED & LOCKED  DEFAULT   USERS       Yes         PASSWORD
GSMUSER                 EXPIRED & LOCKED  GSM_PROF  USERS       Yes         PASSWORD
HR                      OPEN              DEFAULT   EXAMPLE     Yes         PASSWORD
IX                      OPEN              DEFAULT   EXAMPLE     Yes         PASSWORD
MDDATA                  EXPIRED & LOCKED  DEFAULT   USERS       Yes         PASSWORD
MDSYS                   EXPIRED & LOCKED  DEFAULT   SYSAUX      Yes         PASSWORD
O12TEST                 OPEN              DEFAULT   USERS       No          PASSWORD
OE                      OPEN              DEFAULT   EXAMPLE     Yes         PASSWORD
OJVMSYS                 EXPIRED & LOCKED  DEFAULT   SYSTEM      Yes         PASSWORD
OLAPSYS                 EXPIRED & LOCKED  DEFAULT   SYSAUX      Yes         PASSWORD
ORACLE_OCM              EXPIRED & LOCKED  DEFAULT   USERS       Yes         PASSWORD
ORDDATA                 EXPIRED & LOCKED  DEFAULT   SYSAUX      Yes         PASSWORD
ORDPLUGINS              EXPIRED & LOCKED  DEFAULT   SYSAUX      Yes         PASSWORD
ORDSYS                  EXPIRED & LOCKED  DEFAULT   SYSAUX      Yes         PASSWORD
OUTLN                   EXPIRED & LOCKED  DEFAULT   SYSTEM      Yes         PASSWORD
PM                      OPEN              DEFAULT   EXAMPLE     Yes         PASSWORD
REMOTE_SCHEDULER_AGENT  EXPIRED & LOCKED  DEFAULT   USERS       Yes         PASSWORD
SCOTT                   OPEN              DEFAULT   USERS       Yes         PASSWORD
SH                      OPEN              DEFAULT   EXAMPLE     Yes         PASSWORD
SI_INFORMTN_SCHEMA      EXPIRED & LOCKED  DEFAULT   SYSAUX      Yes         PASSWORD
SPATIAL_CSW_ADMIN_USR   EXPIRED & LOCKED  DEFAULT   USERS       Yes         PASSWORD
SYS                     LOCKED            DEFAULT   SYSTEM      Yes         PASSWORD
SYS$UMF                 EXPIRED & LOCKED  DEFAULT   SYSTEM      Yes         PASSWORD
SYSBACKUP               EXPIRED & LOCKED  DEFAULT   USERS       Yes         PASSWORD
SYSDG                   EXPIRED & LOCKED  DEFAULT   USERS       Yes         PASSWORD
SYSKM                   EXPIRED & LOCKED  DEFAULT   USERS       Yes         PASSWORD
SYSRAC                  EXPIRED & LOCKED  DEFAULT   USERS       Yes         PASSWORD
SYSTEM                  OPEN              DEFAULT   SYSTEM      Yes         PASSWORD
TEST2                   LOCKED            DEFAULT   USERS       No          PASSWORD
WMSYS                   EXPIRED & LOCKED  DEFAULT   SYSAUX      Yes         PASSWORD
XDB                     EXPIRED & LOCKED  DEFAULT   SYSAUX      Yes         PASSWORD
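
The table above can be reproduced and acted on directly from the data dictionary. The following SQL is an added example, not output of the DBSAT report or part of the tool; it assumes Oracle 12.1 or later (DBA_USERS.ORACLE_MAINTAINED exists) and a session with SELECT on DBA_USERS and ALTER USER in the container that was assessed. DBSAT's "Predefined" column is the tool's own classification; ORACLE_MAINTAINED is the nearest dictionary equivalent and can differ for sample schemas loaded from scripts, so the sample schemas are also matched by name (the accounts the report places in the EXAMPLE tablespace plus SCOTT).

```sql
-- Added example (not part of the DBSAT report): reproduce the "User Accounts"
-- table from the data dictionary and flag the accounts that warrant action.
-- Assumes Oracle 12.1+ (DBA_USERS.ORACLE_MAINTAINED) and a session with
-- SELECT on DBA_USERS; run in the container that was assessed.

-- 1. Same columns as the report. ORACLE_MAINTAINED is the nearest dictionary
--    equivalent of DBSAT's "Predefined" flag and may differ for sample schemas.
SELECT username,
       account_status,
       profile,
       default_tablespace,
       oracle_maintained   AS predefined,
       authentication_type AS type
FROM   dba_users
ORDER  BY username;

-- 2. Oracle-maintained accounts that are still OPEN. In the report this is
--    SYSTEM, which is expected, and the sample schemas HR, IX, OE, PM, SH and
--    SCOTT, which are not expected on anything but a training system.
SELECT username, account_status, default_tablespace
FROM   dba_users
WHERE  oracle_maintained = 'Y'
AND    account_status = 'OPEN'
AND    username NOT IN ('SYS', 'SYSTEM');

-- 3. Sample schemas by name (the list from the report, including BI, which the
--    report does not flag as predefined), plus any locally created account
--    that is OPEN (here O12TEST), so nothing is missed because of the flag.
SELECT username, account_status, oracle_maintained, default_tablespace
FROM   dba_users
WHERE  username IN ('HR', 'OE', 'PM', 'IX', 'SH', 'SCOTT', 'BI')
OR    (oracle_maintained = 'N' AND account_status = 'OPEN')
ORDER  BY username;

-- 4. Before touching an account, see whether anything still depends on it:
--    active sessions, and grants it has made to other users.
SELECT username, COUNT(*) AS sessions
FROM   v$session
WHERE  username IN ('HR', 'OE', 'PM', 'IX', 'SH', 'SCOTT', 'BI')
GROUP  BY username;

SELECT grantor, grantee, owner, table_name, privilege
FROM   dba_tab_privs
WHERE  owner IN ('HR', 'OE', 'PM', 'IX', 'SH', 'SCOTT', 'BI');

-- 5. Remediation: lock and expire first (reversible), drop only once the
--    checks above come back empty. Locking removes the login path; the
--    objects stay in place until the DROP.
ALTER USER scott ACCOUNT LOCK PASSWORD EXPIRE;
-- DROP USER scott CASCADE;   -- only after the dependency check
```

Query 2 answers the "Sample Schemas" and "Users with Expired Passwords" sections directly: an account that is EXPIRED & LOCKED cannot be used to connect, whereas a sample schema that is OPEN with a well-known default password is a ready-made foothold for anyone who can reach the listener.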

User Accounts in SYSTEM or SYSAUX Tablespace

Sample Schemas

Inactive Users

Case-Sensitive Passwords

Users with Expired Passwords

Users with Default Passwords

Minimum Client Authentication Version

Password Verifiers

User Parameters

User Profiles

Profile Name      Resource                  Value
DEFAULT           (Number of Users)         40
DEFAULT           CONNECT_TIME              UNLIMITED
DEFAULT           FAILED_LOGIN_ATTEMPTS     10
DEFAULT           IDLE_TIME                 UNLIMITED
DEFAULT           PASSWORD_GRACE_TIME       7
DEFAULT           PASSWORD_LIFE_TIME        UNLIMITED
DEFAULT           PASSWORD_LOCK_TIME        1
DEFAULT           PASSWORD_REUSE_MAX        UNLIMITED
DEFAULT           PASSWORD_REUSE_TIME       UNLIMITED
DEFAULT           PASSWORD_VERIFY_FUNCTION  NULL
GSM_PROF          (Number of Users)         1
GSM_PROF          CONNECT_TIME              UNLIMITED (DEFAULT)
GSM_PROF          FAILED_LOGIN_ATTEMPTS     10000000
GSM_PROF          IDLE_TIME                 UNLIMITED (DEFAULT)
GSM_PROF          PASSWORD_GRACE_TIME       7 (DEFAULT)
GSM_PROF          PASSWORD_LIFE_TIME        UNLIMITED (DEFAULT)
GSM_PROF          PASSWORD_LOCK_TIME        1 (DEFAULT)
GSM_PROF          PASSWORD_REUSE_MAX        UNLIMITED (DEFAULT)
GSM_PROF          PASSWORD_REUSE_TIME       UNLIMITED (DEFAULT)
GSM_PROF          PASSWORD_VERIFY_FUNCTION  NULL (DEFAULT)
ORA_STIG_PROFILE  (Number of Users)         0
ORA_STIG_PROFILE  CONNECT_TIME              UNLIMITED (DEFAULT)
ORA_STIG_PROFILE  FAILED_LOGIN_ATTEMPTS     3
ORA_STIG_PROFILE  IDLE_TIME                 15
ORA_STIG_PROFILE  PASSWORD_GRACE_TIME       5
ORA_STIG_PROFILE  PASSWORD_LIFE_TIME        60
ORA_STIG_PROFILE  PASSWORD_LOCK_TIME        UNLIMITED
ORA_STIG_PROFILE  PASSWORD_REUSE_MAX        10
ORA_STIG_PROFILE  PASSWORD_REUSE_TIME       365
ORA_STIG_PROFILE  PASSWORD_VERIFY_FUNCTION  ORA12C_STIG_VERIFY_FUNCTION
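
The profile table is the root of the password findings that follow it: all 40 accounts sit on DEFAULT, which has no verify function and an unlimited password lifetime, while the hardened ORA_STIG_PROFILE has no users, and GSM_PROF inherits the weak DEFAULT values for everything except FAILED_LOGIN_ATTEMPTS. The SQL below is an added example, not part of the DBSAT report; it assumes Oracle 12.2, that the standard verify functions ORA12C_VERIFY_FUNCTION and ORA12C_STIG_VERIFY_FUNCTION exist (the report references the latter; both are created by the shipped catpvf.sql script), a DBA session, and that RESOURCE_LIMIT is TRUE as shown in the configuration section, so IDLE_TIME is actually enforced. The profile name app_service_prof is an assumption chosen for the illustration.

```sql
-- Added example (not from the DBSAT report): password-policy checks and a
-- hardened profile derived from the table above. Assumes Oracle 12.2, that
-- catpvf.sql has been run (ORA12C_VERIFY_FUNCTION and
-- ORA12C_STIG_VERIFY_FUNCTION exist) and a DBA session.

-- 1. The same limits the report shows. A value of DEFAULT in any profile
--    means "inherit from the DEFAULT profile", so a weak DEFAULT weakens every
--    profile that does not override the resource (GSM_PROF here).
SELECT profile, resource_name, limit
FROM   dba_profiles
WHERE  resource_type = 'PASSWORD'
OR     resource_name IN ('CONNECT_TIME', 'IDLE_TIME')
ORDER  BY profile, resource_name;

-- 2. Open accounts whose effective PASSWORD_LIFE_TIME is UNLIMITED, resolving
--    the DEFAULT inheritance. With 40 users on DEFAULT and 0 on
--    ORA_STIG_PROFILE this returns every open account in the report.
SELECT u.username, u.profile, u.account_status, p.limit AS password_life_time
FROM   dba_users u
JOIN   dba_profiles p
       ON  p.profile = u.profile
       AND p.resource_name = 'PASSWORD_LIFE_TIME'
WHERE  u.account_status = 'OPEN'
AND   (p.limit = 'UNLIMITED'
       OR (p.limit = 'DEFAULT' AND EXISTS (
             SELECT 1
             FROM   dba_profiles d
             WHERE  d.profile = 'DEFAULT'
             AND    d.resource_name = 'PASSWORD_LIFE_TIME'
             AND    d.limit = 'UNLIMITED')));

-- 3. Harden DEFAULT itself rather than relying on users being moved off it:
--    every profile whose limit reads DEFAULT picks these values up at once.
--    PASSWORD_LIFE_TIME starts the clock from the last password change, so
--    service accounts with an old, unchanged password will fail logins when
--    the grace period ends; inventory them (step 5) before running this.
ALTER PROFILE DEFAULT LIMIT
  FAILED_LOGIN_ATTEMPTS    5
  PASSWORD_LOCK_TIME       1
  PASSWORD_LIFE_TIME       90
  PASSWORD_GRACE_TIME      7
  PASSWORD_REUSE_MAX       10
  PASSWORD_REUSE_TIME      365
  PASSWORD_VERIFY_FUNCTION ora12c_verify_function
  IDLE_TIME                60;

-- 4. Interactive administrator accounts go on the stricter STIG profile that
--    the database already ships with (O12TEST is the locally created open
--    account in the report).
ALTER USER o12test PROFILE ora_stig_profile;

-- 5. Application service accounts that genuinely cannot rotate on a schedule
--    get an explicit, documented exception profile (name is an assumption)
--    instead of an UNLIMITED DEFAULT that covers everyone.
CREATE PROFILE app_service_prof LIMIT
  FAILED_LOGIN_ATTEMPTS    10
  PASSWORD_LOCK_TIME       1
  PASSWORD_LIFE_TIME       UNLIMITED
  PASSWORD_VERIFY_FUNCTION ora12c_verify_function
  IDLE_TIME                UNLIMITED;
-- ALTER USER <service_account> PROFILE app_service_prof;
```

Two caveats a practitioner should keep in mind: PASSWORD_LOCK_TIME of UNLIMITED (as in ORA_STIG_PROFILE) means a locked account needs an administrator to unlock it, which is stronger but also makes an account-lockout denial of service trivial for anyone who can reach the listener; and a verify function only applies to passwords set after it is attached, so existing passwords are not re-validated until they are changed.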

Users with Unlimited Password Lifetime

Account Locking after Failed Login Attempts

Password Verification Functions

Privileges and Roles

All System Privileges

All Roles

Account Management Privileges

Privilege Management Privileges

Database Management Privileges

Audit Management Privileges

Data Access Privileges

Access Control Exemption Privileges

Access to Password Verifier Tables

Access to Restricted Objects

User Impersonation

Data Exfiltration

System Privileges Granted to PUBLIC

Roles Granted to PUBLIC

Column Privileges Granted to PUBLIC

DBA Role

Other Powerful Roles

Java Permissions

Users with Administrative Privileges

Authorization Control

Database Vault

Privilege Analysis

Data Encryption

Transparent Data Encryption

Encryption Key Wallet

Fine-Grained Access Control

Data Redaction

Virtual Private Database

Real Application Security

Label Security

Transparent Sensitive Data Protection

Auditing

Audit Records

Statement Audit

Object Audit

Privilege Audit

Administrative User Audit

Privilege Management Audit

Account Management Audit

Database Management Audit

Privilege Usage Audit

Database Connection Audit

Fine Grained Audit

Unified Audit

Database Configuration

Initialization Parameters for Security

Name                               Value
AUDIT_FILE_DEST                    /u00/app/oracle/admin/TVDNCDB/adump
AUDIT_SYSLOG_LEVEL                 (not set)
AUDIT_SYS_OPERATIONS               TRUE
AUDIT_TRAIL                        DB
COMPATIBLE                         12.2.0
CURSOR_BIND_CAPTURE_DESTINATION    memory+disk
DBFIPS_140                         FALSE
DISPATCHERS                        (PROTOCOL=TCP) (SERVICE=TVDNCDBXDB)
ENCRYPT_NEW_TABLESPACES            CLOUD_ONLY
GLOBAL_NAMES                       FALSE
LDAP_DIRECTORY_ACCESS              NONE
LDAP_DIRECTORY_SYSAUTH             no
O7_DICTIONARY_ACCESSIBILITY        FALSE
OS_AUTHENT_PREFIX                  ops$
OS_ROLES                           FALSE
PDB_LOCKDOWN                       (not set)
PDB_OS_CREDENTIAL                  (not set)
REMOTE_LISTENER                    (not set)
REMOTE_LOGIN_PASSWORDFILE          EXCLUSIVE
REMOTE_OS_AUTHENT                  FALSE
REMOTE_OS_ROLES                    FALSE
RESOURCE_LIMIT                     TRUE
SEC_CASE_SENSITIVE_LOGON           TRUE
SEC_MAX_FAILED_LOGIN_ATTEMPTS      3
SEC_PROTOCOL_ERROR_FURTHER_ACTION  (DROP,3)
SEC_PROTOCOL_ERROR_TRACE_ACTION    TRACE
SEC_RETURN_SERVER_RELEASE_BANNER   FALSE
SQL92_SECURITY                     TRUE
UNIFIED_AUDIT_SGA_QUEUE_SIZE       1048576
UTL_FILE_DIR                       (not set)
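
The values above are a snapshot; the same check should be repeatable after every change window. The SQL below is an added example, not DBSAT output: it re-reads the security-relevant parameters from V$PARAMETER and compares each with a hardened value. The expected values are this example's own baseline (an assumption to be aligned with the local standard), not something the report states, and the query assumes a session with SELECT on V$PARAMETER and V$OPTION. It also shows the audit-mode check that decides whether AUDIT_TRAIL and AUDIT_SYS_OPERATIONS matter at all on this database.

```sql
-- Added example (not from the DBSAT report): compare the security-relevant
-- initialization parameters against a baseline. The baseline values are this
-- example's assumption, not report content. V$PARAMETER names are lowercase.

WITH baseline (name, expected) AS (
  SELECT 'o7_dictionary_accessibility',       'FALSE'     FROM dual UNION ALL
  SELECT 'remote_os_authent',                 'FALSE'     FROM dual UNION ALL
  SELECT 'remote_os_roles',                   'FALSE'     FROM dual UNION ALL
  SELECT 'os_roles',                          'FALSE'     FROM dual UNION ALL
  SELECT 'sql92_security',                    'TRUE'      FROM dual UNION ALL
  SELECT 'sec_case_sensitive_logon',          'TRUE'      FROM dual UNION ALL
  SELECT 'sec_return_server_release_banner',  'FALSE'     FROM dual UNION ALL
  SELECT 'sec_max_failed_login_attempts',     '3'         FROM dual UNION ALL
  SELECT 'sec_protocol_error_further_action', '(DROP,3)'  FROM dual UNION ALL
  SELECT 'resource_limit',                    'TRUE'      FROM dual UNION ALL
  SELECT 'audit_sys_operations',              'TRUE'      FROM dual UNION ALL
  SELECT 'remote_login_passwordfile',         'EXCLUSIVE' FROM dual UNION ALL
  -- UTL_FILE_DIR grants file-system access outside DIRECTORY objects and
  -- must stay unset; NULL means "expected to be empty".
  SELECT 'utl_file_dir', CAST(NULL AS VARCHAR2(64))        FROM dual
)
SELECT b.name,
       NVL(p.value,    '(not set)') AS current_value,
       NVL(b.expected, '(not set)') AS expected_value,
       CASE WHEN NVL(p.value, '~') = NVL(b.expected, '~')
            THEN 'PASS' ELSE 'REVIEW' END AS result
FROM   baseline b
LEFT   JOIN v$parameter p ON p.name = b.name
ORDER  BY result DESC, b.name;     -- REVIEW rows sort first

-- Audit mode. The report shows Unified Audit in use together with
-- AUDIT_TRAIL = DB and AUDIT_SYS_OPERATIONS = TRUE. Those two parameters only
-- govern the traditional trail, which still runs alongside unified audit in
-- mixed mode; once the binary is relinked for pure unified auditing
-- ('Unified Auditing' = TRUE below) they have no effect and the unified
-- policies alone decide what is recorded.
SELECT parameter, value
FROM   v$option
WHERE  parameter = 'Unified Auditing';

-- Correcting a deviation. Most of these parameters are static: set them in
-- the SPFILE and plan a restart rather than expecting an immediate change.
ALTER SYSTEM SET o7_dictionary_accessibility = FALSE SCOPE = SPFILE;
```

Against the table above every row in the baseline returns PASS except none; the value of running it lies in catching drift later, and in the audit-mode check, since a database that is still in mixed mode relies on both the traditional parameters and the unified policies being correct.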

Access to Dictionary Objects

Inference of Table Data

Network Communications

External Authorization

File System Access

Trace Files

Triggers

Disabled Constraints

External Procedures

Directory Objects

Database Links

Network Access Control

XML Database Access Control

Network Configuration

Network Encryption

Client Nodes

SQLNET Banners

Network Listener Configuration

Listener Logging Control

Operating System

OS Authentication

Process Monitor Process

Agent Processes

Listener Processes

File Permissions in ORACLE_HOME


This report provides information and recommendations that may be helpful in securing your Oracle database system. These recommendations reflect best practices for database security and should be part of any strategy for Data Protection by Design and by Default. These practices may help in addressing Articles 25 and 32 of the EU General Data Protection Regulation as well as other data privacy regulations. Technical controls alone are not sufficient for compliance. Passing all findings does not guarantee compliance.

The report provides a view on the current status. The results shown are provided for informational purposes only and should not be used as a substitute for a thorough analysis or interpreted to contain any legal or regulatory advice or guidance.

You are solely responsible for your system, and the data and information gathered during the production of this report. You are also solely responsible for the execution of software to produce this report, and for the effect and results of the execution of any mitigating actions identified herein.

Oracle provides this analysis on an "as is" basis without warranty of any kind and Oracle hereby disclaims all warranties and conditions whether express, implied or statutory.