Defined Type: ora_secured::controls::db_job_batch_queues_must_be_reviewed_regularly_to_detect_unauth_db_job_submissions

Defined in:
manifests/controls/db_job_batch_queues_must_be_reviewed_regularly_to_detect_unauth_db_job_submissions.pp

Summary

The DBMS_JOB PL/SQL package has been replaced by DBMS_SCHEDULER in Oracle versions 10.1 and higher, though it continues to be supported for backward compatibility.

Overview

Run this query:

select value from v$parameter where name = 'job_queue_processes';

Run this query:

select value from all_scheduler_global_attribute
where ATTRIBUTE_NAME = 'MAX_JOB_SLAVE_PROCESSES';

To understand the relationship between these settings, review: docs.oracle.com/database/121/ADMIN/appendix_a.htm#ADMIN11002

Review documented and implemented procedures for monitoring the Oracle DBMS job/batch queues for unauthorized submissions. If procedures for job queue review are not defined, documented or evidence of implementation does not exist, this is a finding.

Job queue information is available from the DBA_JOBS view. The following command lists jobs submitted to the queue. DBMS_JOB does not generate a ‘history’ of previous job executions.

Run this query:

select job, next_date, next_sec, failures, broken from dba_jobs;

Scheduler queue information is available from the DBA_SCHEDULER_JOBS view. The following command lists jobs submitted to the queue.

Run this query:

select owner, job_name, state, job_class, job_type, job_action from dba_scheduler_jobs;

Develop, document and implement procedures to monitor the database job queues for unauthorized job submissions.

Develop, document and implement a formal migration plan to convert jobs using DBMS_JOB to use DBMS_SCHEDULER instead for Oracle versions 10.1 and higher. (This does not apply to DBMS_JOB jobs generated by Oracle itself, such as those for refreshing materialized views.)

Set the value of the job_queue_processes parameter to a low value to restrict concurrent DBMS_JOB executions.

Use auditing to capture use of the DBMS_JOB package in the audit trail. Review the audit trail for unauthorized use of the DBMS_JOB package.
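A review query for the procedure described above, as an added example that is not part of the ora_secured module: it lists every entry in both job queues that is missing from a site-maintained allowlist, or whose action no longer matches the approved one. The table `sec_admin.approved_db_jobs` and its columns are assumptions made for this example; the `ORACLE_MAINTAINED` column of `DBA_USERS` requires 12c or later.

```sql
-- Added example. sec_admin.approved_db_jobs is a hypothetical allowlist table
-- maintained by the site, one row per authorized job:
--   queue    : 'DBMS_JOB' or 'DBMS_SCHEDULER'
--   owner    : schema the job runs as
--   job_name : scheduler JOB_NAME, or the DBMS_JOB number as text
--   action   : the exact code the job is approved to run
WITH queued AS (
  -- Scheduler queue (DBMS_SCHEDULER)
  SELECT 'DBMS_SCHEDULER' AS queue,
         owner,
         job_name,
         job_creator      AS submitted_by,
         state            AS status,
         job_type,
         job_action       AS action
    FROM dba_scheduler_jobs
  UNION ALL
  -- Legacy queue (DBMS_JOB); it keeps no execution history, so only the
  -- current entry and the code it runs can be compared
  SELECT 'DBMS_JOB',
         priv_user,
         TO_CHAR(job),
         log_user,
         DECODE(broken, 'Y', 'BROKEN', 'QUEUED'),
         'PLSQL_BLOCK',
         what
    FROM dba_jobs
)
SELECT q.queue, q.owner, q.job_name, q.submitted_by, q.status,
       u.oracle_maintained,   -- 'Y' marks Oracle-supplied schemas, for triage
       CASE WHEN a.job_name IS NULL THEN 'NOT IN ALLOWLIST'
            ELSE 'ACTION CHANGED'
       END AS finding,
       q.job_type, q.action
  FROM queued q
  LEFT JOIN sec_admin.approved_db_jobs a
         ON a.queue    = q.queue
        AND a.owner    = q.owner
        AND a.job_name = q.job_name
  LEFT JOIN dba_users u
         ON u.username = q.owner
 WHERE a.job_name IS NULL                        -- never approved
    OR NVL(a.action, '-') <> NVL(q.action, '-')  -- approved, but the code differs
 ORDER BY finding DESC, q.queue, q.owner, q.job_name;
```

An empty result means every queued job matches the allowlist. Jobs owned by Oracle-maintained schemas are reported as well, so they have to be baselined into the allowlist once rather than excluded from the review.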

## Skipping

To deliberately skip this control (i.e. not use Puppet to enforce this setting), we provide you with three ways:

1) Add `ora_secured::controls::db_job_batch_queues_must_be_reviewed_regularly_to_detect_unauth_db_job_submissions: skip` to your hiera data. This will skip this control for ALL databases.
2) Add `ora_secured::controls::db_job_batch_queues_must_be_reviewed_regularly_to_detect_unauth_db_job_submissions::dbname: skip` to your hiera data. This will skip this control for the specified database only.
3) Add an entry with the content `db_job_batch_queues_must_be_reviewed_regularly_to_detect_unauth_db_job_submissions` to the array value `ora_secured::skip_list` in your hiera data.

## Benchmarks

This control is used in the following benchmarks:

  • [Oracle Database 12c CIS V1](/docs/ora_secured/stig/db12c_V1.html) - id V-61449

See the file “LICENSE” for the full license governing this code.

Parameters:

  • title

    The SID to apply the control to. All controls need an SID to apply the control to. Here is a simple example:

    ```puppet
    ora_secured::controls::control_name { 'DBSID': }
    ```

    In this example, the string DBSID is the SID to apply the control to.



# File 'manifests/controls/db_job_batch_queues_must_be_reviewed_regularly_to_detect_unauth_db_job_submissions.pp', line 66

define ora_secured::controls::db_job_batch_queues_must_be_reviewed_regularly_to_detect_unauth_db_job_submissions
{
  ora_secured_setup { "db_job_batch_queues_must_be_reviewed_regularly_to_detect_unauth_db_job_submissions on ${title}":
    ensure => 'present',
  }

  alert('Specified STIG control is not yet automatically enforced.')
}