V-219871

Discussion

Some DBMS systems provide the feature to assign security labels to data elements. If labeling is required, implementation options include the Oracle Label Security package, or a third-party product, or custom-developed functionality. The confidentiality and integrity of the data depends upon the security label assignment where this feature is in use. Changes to security label assignment may indicate suspicious activity.

Check Content

If no data has been identified as being sensitive or classified in the system documentation, this is not a finding.

If security labeling is not required, this is not a finding.

If Standard Auditing is used, run the SQL query:

select * from dba_sa_audit_options;

If no records are returned or if output from the SQL statement above does not show classification labels being audited as required in the System Security Plan, this is a finding.

If Unified Auditing is used:
To see if Oracle is configured to capture audit data including changes to security label assignment, enter the following SQL*Plus command:
SELECT 'Changes to security label assignment is not being audited. ' 
FROM   dual 
WHERE  (SELECT Count(*)
        FROM   (select policy_name , audit_option from audit_unified_policies
        WHERE  audit_option = 'ALL'
	  AND audit_option_type = 'OLS ACTION'
        AND policy_name in (select policy_name from audit_unified_enabled_policies where user_name='ALL USERS'))) = 0
        OR (SELECT value 
            FROM   v$option 
            WHERE  parameter = 'Unified Auditing') != 'TRUE';  

If Oracle returns "no rows selected", this is not a finding.

To confirm that Oracle audit is capturing sufficient information to establish that changes to classification labels are being audited, perform a successful auditable action and an auditable action that results in an SQL error, and then view the results in the SYS.UNIFIED_AUDIT_TRAIL view.

If no ACTION#, or the wrong value, is returned for the auditable actions, this is a finding.