Top

Oracle Database Security Risk Assessment

Highly Confidential

Assessment Date & Time

Date of Data Collection Date of Report Reporter Version
Tue May 23 2017 11:00:00 Tue May 23 2017 11:05:19 1.0.2 (October 2016) - 7409

Database Identity

Name Platform Database Role Log Mode Created Container Database Container ID Container Name
CDB3 Linux x86 64-bit PRIMARY NOARCHIVELOG Mon Mar 13 2017 11:01:00 True 3 PDB1

Summary

Section Pass Evaluate Opportunity Some Risk Significant Risk Severe Risk Total Findings
Basic Information 0 0 0 0 0 1 1
User Accounts 8 0 0 2 1 0 11
Privileges and Roles 6 10 0 1 0 0 17
Authorization Control 0 1 1 0 0 0 2
Data Encryption 0 1 1 0 0 0 2
Fine-Grained Access Control 0 2 3 0 0 0 5
Auditing 5 5 1 0 1 0 12
Database Configuration 6 4 0 1 0 1 12
Network Configuration 1 0 0 1 3 0 5
Operating System 1 1 0 2 0 0 4
Total 27 24 6 7 5 2 71

Basic Information

Database Version

Oracle Database 12c Enterprise Edition Release 12.2.0.1.0 - 64bit Production
Security options used: Advanced Security, Database Vault, Label Security

Security Features

Feature Currently Used
AUTHORIZATION CONTROL
Database Vault Yes
Privilege Analysis No
DATA ENCRYPTION
Column Encryption No
Tablespace Encryption Yes
Network Encryption Yes
FINE-GRAINED ACCESS CONTROL
Data Redaction Yes
Virtual Private Database Yes
Real Application Security No
Label Security Yes
Transparent Sensitive Data Protection No
AUDITING
Traditional Audit No
Fine Grained Audit No
Unified Audit Yes
USER AUTHENTICATION
External Authentication No
Global Authentication Yes

Patch Check

User Accounts

Note: Predefined Oracle accounts which are locked are not included in this report. To include all user accounts, run the report with the -a option.

User Accounts

User Name Status Profile Tablespace Predefined Type
C##AVAGENT OPEN DEFAULT USERS No PASSWORD
C##DVAM OPEN DEFAULT USERS No PASSWORD
C##DVO OPEN DEFAULT USERS No PASSWORD
C##HR_ADMIN OPEN DEFAULT USERS No PASSWORD
DBSFWUSER OPEN DEFAULT SYSAUX Yes PASSWORD
DBSNMP OPEN DEFAULT SYSAUX Yes PASSWORD
DEMOAPPS OPEN DEFAULT USERDATA No PASSWORD
DVF OPEN DEFAULT SYSAUX Yes PASSWORD
EUS_GLOBAL OPEN DEFAULT USERS No GLOBAL
LBACSYS OPEN DEFAULT SYSTEM Yes PASSWORD
PDBADMIN OPEN DEFAULT USERS No PASSWORD
SECADMIN OPEN DEFAULT USERS No PASSWORD
SYS OPEN DEFAULT SYSTEM Yes PASSWORD
SYSKM OPEN DEFAULT USERS Yes PASSWORD
SYSTEM OPEN DEFAULT SYSTEM Yes PASSWORD

User Accounts in SYSTEM or SYSAUX Tablespace

Sample Schemas

Inactive Users

Case-Sensitive Passwords

Users with Expired Passwords

Users with Default Passwords

Minimum Client Authentication Version

Password Verifiers

User Profiles

Profile Name Resource Value
DEFAULT (Number of Users) 15
DEFAULT CONNECT_TIME UNLIMITED
DEFAULT FAILED_LOGIN_ATTEMPTS 10
DEFAULT IDLE_TIME UNLIMITED
DEFAULT PASSWORD_GRACE_TIME 7
DEFAULT PASSWORD_LIFE_TIME 180
DEFAULT PASSWORD_LOCK_TIME 1
DEFAULT PASSWORD_REUSE_MAX UNLIMITED
DEFAULT PASSWORD_REUSE_TIME UNLIMITED
DEFAULT PASSWORD_VERIFY_FUNCTION ORA12C_STRONG_VERIFY_FUNCTION
ORA_STIG_PROFILE (Number of Users) 0
ORA_STIG_PROFILE CONNECT_TIME UNLIMITED (DEFAULT)
ORA_STIG_PROFILE FAILED_LOGIN_ATTEMPTS 3
ORA_STIG_PROFILE IDLE_TIME 15
ORA_STIG_PROFILE PASSWORD_GRACE_TIME 5
ORA_STIG_PROFILE PASSWORD_LIFE_TIME 60
ORA_STIG_PROFILE PASSWORD_LOCK_TIME UNLIMITED
ORA_STIG_PROFILE PASSWORD_REUSE_MAX 10
ORA_STIG_PROFILE PASSWORD_REUSE_TIME 365
ORA_STIG_PROFILE PASSWORD_VERIFY_FUNCTION ORA12C_STIG_VERIFY_FUNCTION

Users with Unlimited Password Lifetime

Users with Unlimited Failed Login Attempts

Password Verification Functions

Privileges and Roles

All System Privileges

All Roles

Account Management Privileges

Privilege Management Privileges

Audit Management Privileges

Data Access Privileges

Access Control Exemption Privileges

Access to Password Verifier Tables

Access to Restricted Objects

User Impersonation

Data Exfiltration

System Privileges Granted to PUBLIC

Roles Granted to PUBLIC

Column Privileges Granted to PUBLIC

DBA Role

Other Powerful Roles

Users with Administrative Privileges

Authorization Control

Database Vault

Privilege Analysis

Data Encryption

Transparent Data Encryption

Encryption Key Wallet

Fine-Grained Access Control

Data Redaction

Virtual Private Database

Real Application Security

Label Security

Transparent Sensitive Data Protection

Auditing

Audit Records

Statement Audit

Object Audit

Privilege Audit

Administrative User Audit

Privilege Management Audit

Account Management Audit

Database Management Audit

Privilege Usage Audit

Database Connection Audit

Fine Grained Audit

Unified Audit

Database Configuration

Initialization Parameters for Security

Name Value
AUDIT_FILE_DEST /u01/oracle/db/admin/cdb3/adump
AUDIT_SYSLOG_LEVEL
AUDIT_SYS_OPERATIONS TRUE
AUDIT_TRAIL DB
COMPATIBLE 12.2.0
DBFIPS_140 FALSE
DISPATCHERS (PROTOCOL=TCP) (SERVICE=cdb3XDB)
ENCRYPT_NEW_TABLESPACES DDL
GLOBAL_NAMES FALSE
LDAP_DIRECTORY_ACCESS PASSWORD
LDAP_DIRECTORY_SYSAUTH NO
O7_DICTIONARY_ACCESSIBILITY FALSE
OS_AUTHENT_PREFIX ops$
OS_ROLES FALSE
PDB_LOCKDOWN
PDB_OS_CREDENTIAL
REMOTE_LISTENER
REMOTE_LOGIN_PASSWORDFILE EXCLUSIVE
REMOTE_OS_AUTHENT FALSE
REMOTE_OS_ROLES FALSE
RESOURCE_LIMIT TRUE
SEC_CASE_SENSITIVE_LOGON TRUE
SEC_MAX_FAILED_LOGIN_ATTEMPTS 3
SEC_PROTOCOL_ERROR_FURTHER_ACTION (DROP,3)
SEC_PROTOCOL_ERROR_TRACE_ACTION TRACE
SEC_RETURN_SERVER_RELEASE_BANNER FALSE
SQL92_SECURITY TRUE
UNIFIED_AUDIT_SGA_QUEUE_SIZE 1048576
UTL_FILE_DIR

Access to Dictionary Objects

Inference of Table Data

Network Communications

External Authorization

File System Access

Triggers

Disabled Constraints

External Procedures

Directory Objects

Database Links

Network Access Control

XML Database Access Control

Network Configuration

Network Encryption

Client Nodes

SQLNET Banners

Network Listener Configuration

Listener Logging Control

Operating System

OS Authentication

Process Monitor Process

Agent Processes

Listener Processes

Diagnostics

Skipped Java Permissions


This report is focused on detecting areas of potential security vulnerabilities or misconfigurations and providing recommendations on how to mitigate those potential vulnerabilities.

The report provides a view on the current status. These recommendations are provided for informational purposes only and should not be used as a substitute for a thorough analysis or interpreted to contain any legal or regulatory advice or guidance.

You are solely responsible for your system, and the data and information gathered during the production of this report. You are also solely responsible for the execution of software to produce this report, and for the effect and results of the execution of any mitigating actions identified herein.

Oracle provides this analysis on an "as is" basis without warranty of any kind and Oracle hereby disclaims all warranties and conditions whether express, implied or statutory.