STIGQter STIGQter: STIG Summary: Oracle Database 11.2g Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

Changes to DBMS security labels must be audited.

DISA Rule

SV-219742r401224_rule

Vulnerability Number

V-219742

Group Title

SRG-APP-000516-DB-000363

Rule Version

O112-BP-026200

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Define the policy for auditing changes to security labels defined for the data.

Document the audit requirements in the System Security Plan and configure database auditing in accordance with the policy.

Check Contents

If no data is identified as being sensitive or classified by the Information Owner, in the System Security Plan or in the AIS Functional Architecture documentation, this is not a finding.

If security labeling is not required, this is not a finding.

If no sensitive or classified data is identified by the Information Owner as requiring labeling in the System Security Plan and/or AIS Functional Architecture documentation, this is not a finding.

Run the SQL statement:
select * from dba_sa_audit_options;

If no records are returned or if output from the SQL statement above does not show classification labels being audited as required in the System Security Plan, this is a finding.

Vulnerability Number

V-219742

Documentable

False

Rule Version

O112-BP-026200

Severity Override Guidance

If no data is identified as being sensitive or classified by the Information Owner, in the System Security Plan or in the AIS Functional Architecture documentation, this is not a finding.

If security labeling is not required, this is not a finding.

If no sensitive or classified data is identified by the Information Owner as requiring labeling in the System Security Plan and/or AIS Functional Architecture documentation, this is not a finding.

Run the SQL statement:
select * from dba_sa_audit_options;

If no records are returned or if output from the SQL statement above does not show classification labels being audited as required in the System Security Plan, this is a finding.

Check Content Reference

M

Target Key

4057

Comments