CIS Oracle Database Compliance

Customizations
1

Friends, I need your help and knowledge.
The standard for the databases we have in the company, although based on CIS, has several exceptions.
When I make a copy of the “CIS Checkist for Oracle Database 19” site, for example, we have the “Environment Setup Task,” which runs on the instance and server I need, but the query scripts are the CIS defaults. So, when I run the analysis, in many cases it returns that it is NOT compliant, and that’s where I need an exception.

Do you know how I could handle these cases?

I leave 2 examples:

  1. Ensure ‘%ANY%’ Is Revoked from Unauthorized ‘GRANTEE’
    CIS indicates the following query:
    SELECT GRANTEE, PRIVILEGE
    FROM DBA_SYS_PRIVS
    WHERE PRIVILEGE LIKE ‘%ANY%’
    AND GRANTEE NOT IN (SELECT USERNAME FROM DBA_USERS WHERE
    ORACLE_MAINTAINED=‘Y’)
    AND GRANTEE NOT IN (SELECT ROLE FROM DBA_ROLES WHERE ORACLE_MAINTAINED=‘Y’);

We need it to be:
SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE LIKE ‘%ANY%’ AND GRANTEE NOT IN (SELECT USERNAME FROM DBA_USERS WHERE ORACLE_MAINTAINED=‘Y’) AND GRANTEE NOT IN (SELECT ROLE FROM DBA_ROLES WHERE ORACLE_MAINTAINED=‘Y’) AND GRANTEE NOT IN ({w_list_users})

  1. Ensure ‘SELECT ANY DICTIONARY’ Is Revoked from Unauthorized ‘GRANTEE’
    CIS indicates the following query:
    SELECT GRANTEE, PRIVILEGE
    FROM DBA_SYS_PRIVS
    WHERE PRIVILEGE=‘SELECT ANY DICTIONARY’
    AND GRANTEE NOT IN (SELECT USERNAME FROM DBA_USERS WHERE
    ORACLE_MAINTAINED=‘Y’)
    AND GRANTEE NOT IN (SELECT ROLE FROM DBA_ROLES WHERE ORACLE_MAINTAINED=‘Y’);

We need it to be:
SELECT grantee, privilege FROM dba_sys_privs WHERE privilege=‘SELECT ANY DICTIONARY’
AND grantee NOT IN (SELECT username FROM dba_users WHERE oracle_maintained=‘Y’)
AND grantee NOT IN (SELECT role FROM dba_roles WHERE oracle_maintained=‘Y’)
AND grant NOT IN ({ora_users},{w_list_users})

2

If the check is not exactly like the CIS Compliance itself you can -

  • Remove it from the Checklist
  • Add “Exception” on the Web interface

If you want to you can create a Custom Check and add it to a different Checklist which will contain Custom Compliance which are not part of the CIS Checklist

So as I understand you want to create a new Check and you need help with Relevance and Actionscript

3

But how do I create a new check using the same connection as the “Environment Setup Task”?
Could you help me with the two examples I left?
If that works, I could do the rest.

note: clarification “ora_users are those of the engine and w_list_users is the white list of users/roles to be excluded from my company.”

In the “Add “Exception” on the Web interface” section, you only see that I can except endpoints to a check, but I can’t except part of the result… right?