Qualys Blog

www.qualys.com
Tim White

Qualys Policy Compliance Notification: Changes Required for Oracle Assessments

We will be releasing new controls that will require some customers to make changes to their Oracle targets.

For customers who grant granular permissions to allow access to our Oracle assessment capabilities, new CIDs are being released that require additional rights to be granted. Failure to grant the new rights will result in an error when you assess your Oracle environment.

We are providing advance notice to give you time to implement these changes. If you use an account with full read privileges or broader permissions than the minimum privileges recommended in the documentation, you will likely not be affected by this change.

This update will occur no earlier than March 31, 2015 to allow time for updates to your Oracle environment.

Please contact your TAM or technical support if you have any concerns or questions.

New Controls

9118 – Status of the Fine Grained access control within objects.
9168 – Access to database objects by a fixed user link must be allowed and users must not have execute

8005 – Status of the OWBSYS default password
8006 – Status of the SI_INFORMTN_SCHEMA default password
8007 – Status of the SPATIAL_CSW_ADMIN_USR default password
8008 – Status of the SPATIAL_WFS_ADMIN_USR default password
8009 – Status of the SYS default password
8010 – Status of the SYSTEM default password
8011 – Status of the default password – WK_TEST
8012 – Status of the WKPROXY default password
8013 – Status of the WKSYS default password
8014 – Status of the WMSYS default password
8015 – Status of the XDB default password
8339 – Status of the Oracle control file permissions
8340 – Status of the Oracle 'log_archive_dest_n' file permissions
8343 – Status of the Oracle datafiles permissions
8353 – Status of the access to the DBMS_CRYPTO package
8354 – Status of the NOLOGGING setting
8412 – Status of third-party application 'default passwords' in the dba_users table on the Oracle instance

Rights Required

The GRANT statements needed to give the scan user access to the underlying objects these controls query (SELECT on the views and tables, EXECUTE on DBMS_CRYPTO) are:

GRANT SELECT ON DBA_POLICIES TO QUALYS_ROLE;
GRANT SELECT ON DBA_FGA_AUDIT_TRAIL TO QUALYS_ROLE;
GRANT SELECT ON DBA_TABLES TO QUALYS_ROLE;
GRANT SELECT ON SYS.USER$ TO QUALYS_ROLE;
GRANT SELECT ON DBA_PROXIES TO QUALYS_ROLE;
GRANT SELECT ON V_$ARCHIVE_DEST TO QUALYS_ROLE;
GRANT SELECT ON V_$CONTROLFILE TO QUALYS_ROLE;
GRANT SELECT ON DBA_DATA_FILES TO QUALYS_ROLE;
GRANT SELECT ON DBA_USERS_WITH_DEFPWD TO QUALYS_ROLE;
GRANT EXECUTE ON DBMS_CRYPTO TO QUALYS_ROLE;

Please see the attached Example Query for Verifying Required Rights.

*PLEASE NOTE* This SQL script assumes that you are following our scanning document and have created a QUALYS_ROLE. If a different role name was used, please replace QUALYS_ROLE accordingly.
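As an added example (not the attached Qualys script), the following query lists each of the grants above and reports whether it is present on QUALYS_ROLE; it assumes the role is named QUALYS_ROLE and that it is run by a DBA account that can read DBA_TAB_PRIVS.

```sql
-- Added verification query; not the attachment referenced above.
-- Assumes the role is QUALYS_ROLE (adjust if yours differs) and that the
-- session can read DBA_TAB_PRIVS (run as a DBA, not as the scan user).
WITH required AS (
  SELECT 'SYS' AS owner, 'DBA_POLICIES' AS table_name, 'SELECT' AS privilege FROM dual UNION ALL
  SELECT 'SYS', 'DBA_FGA_AUDIT_TRAIL',   'SELECT'  FROM dual UNION ALL
  SELECT 'SYS', 'DBA_TABLES',            'SELECT'  FROM dual UNION ALL
  SELECT 'SYS', 'USER$',                 'SELECT'  FROM dual UNION ALL
  SELECT 'SYS', 'DBA_PROXIES',           'SELECT'  FROM dual UNION ALL
  SELECT 'SYS', 'V_$ARCHIVE_DEST',       'SELECT'  FROM dual UNION ALL
  SELECT 'SYS', 'V_$CONTROLFILE',        'SELECT'  FROM dual UNION ALL
  SELECT 'SYS', 'DBA_DATA_FILES',        'SELECT'  FROM dual UNION ALL
  SELECT 'SYS', 'DBA_USERS_WITH_DEFPWD', 'SELECT'  FROM dual UNION ALL
  SELECT 'SYS', 'DBMS_CRYPTO',           'EXECUTE' FROM dual
)
SELECT r.owner,
       r.table_name,
       r.privilege,
       -- No matching row in DBA_TAB_PRIVS means the grant has not been made
       CASE WHEN p.grantee IS NULL THEN 'MISSING' ELSE 'OK' END AS status
FROM   required r
       LEFT JOIN dba_tab_privs p
              ON  p.grantee    = 'QUALYS_ROLE'
              AND p.owner      = r.owner
              AND p.table_name = r.table_name
              AND p.privilege  = r.privilege
ORDER  BY status DESC, r.table_name;
```

The query only checks direct object grants on the role, so a scan user that relies on a broader privilege such as SELECT ANY DICTIONARY will still show MISSING; also confirm that the scan user actually holds the role via DBA_ROLE_PRIVS. On Oracle 9 and 10 the DBA_USERS_WITH_DEFPWD row will show MISSING because that view does not exist there.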

Attachments

Example Query for Verifying Required Rights 11G+ 720.0 bytes

Example Query for Verifying Required Rights 9-10 610.0 bytes
