STIGQter: STIG Summary: Oracle Database 11.2g Security Technical Implementation Guide, Version 2, Release 1, Benchmark Date: 23 Apr 2021

The DBMS must restrict error messages, so only authorized personnel may view them.

DISA Rule

SV-219786r397846_rule

Vulnerability Number

V-219786

Group Title

SRG-APP-000267-DB-000163

Rule Version

O112-C2-020000

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

i) For each end-user-facing application that displays DBMS-generated error messages, configure or recode it to suppress these messages.

(If the application is coded in Oracle PL/SQL, the EXCEPTION block can be used to suppress or divert error messages. Most other programming languages provide comparable facilities, such as TRY ... CATCH.)

ii) For each unauthorized user of each tool, remove the ability to access it. For each tool where access to DBMS error messages is not required and can be configured, suppress the messages. For each role/user that needs access to the error messages, or needs a tool where the messages cannot be suppressed, document the need in the system security plan.
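An added illustration of the PL/SQL EXCEPTION approach named in step (i); this is example code, not part of the STIG or of any Oracle product, and it assumes a hypothetical ORDERS table, an APP_ERROR_LOG table readable only by DBAs, and the procedure names shown. The handler diverts the Oracle error details (SQLCODE, SQLERRM, backtrace) to the internal log and returns only a generic message to the end-user-facing application.

```sql
-- Added example (not from the STIG). Assumes hypothetical tables ORDERS and
-- APP_ERROR_LOG; no SELECT on APP_ERROR_LOG is granted to application roles.
CREATE SEQUENCE app_error_log_seq;

CREATE TABLE app_error_log (
  log_id     NUMBER         PRIMARY KEY,
  logged_at  TIMESTAMP      DEFAULT SYSTIMESTAMP NOT NULL,
  db_user    VARCHAR2(128)  NOT NULL,
  proc_name  VARCHAR2(128)  NOT NULL,
  sql_code   NUMBER         NOT NULL,
  sql_errm   VARCHAR2(4000) NOT NULL,
  backtrace  VARCHAR2(4000)
);

-- Autonomous transaction so the log row survives the caller's ROLLBACK.
-- SQLCODE/SQLERRM are passed in from the handler rather than re-read here.
CREATE OR REPLACE PROCEDURE log_db_error (
  p_proc_name IN VARCHAR2, p_code IN NUMBER, p_errm IN VARCHAR2, p_bt IN VARCHAR2) IS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  INSERT INTO app_error_log (log_id, db_user, proc_name, sql_code, sql_errm, backtrace)
  VALUES (app_error_log_seq.NEXTVAL, SYS_CONTEXT('USERENV', 'SESSION_USER'),
          p_proc_name, p_code, SUBSTR(p_errm, 1, 4000), SUBSTR(p_bt, 1, 4000));
  COMMIT;
END log_db_error;
/

-- Without the EXCEPTION block, a bad customer_id would surface the raw
-- "ORA-02291: integrity constraint ... violated" text, including the
-- constraint/table name, to whoever is running the application.
CREATE OR REPLACE PROCEDURE place_order (p_customer_id IN NUMBER, p_amount IN NUMBER) IS
BEGIN
  INSERT INTO orders (customer_id, amount) VALUES (p_customer_id, p_amount);
  COMMIT;
EXCEPTION
  WHEN OTHERS THEN
    ROLLBACK;
    log_db_error('PLACE_ORDER', SQLCODE, SQLERRM, DBMS_UTILITY.FORMAT_ERROR_BACKTRACE);
    -- Generic, non-revealing message for the end user; DBAs read the details
    -- from APP_ERROR_LOG using the timestamp the user reports.
    RAISE_APPLICATION_ERROR(-20000,
      'The request could not be completed. Contact the help desk and quote the time of the error.');
END place_order;
/
```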

Check Contents

Check DBMS settings and custom database code to determine if error messages are ever displayed to unauthorized individuals:

i) Review all end-user-facing applications that use the database, to determine whether they display any DBMS-generated error messages to general users. If they do, this is a finding.

ii) Review whether the database is accessible to users who are not authorized system administrators or database administrators, via the following types of software:
iia) Oracle SQL*Plus
iib) Reporting and analysis tools
iic) Database management and/or development tools, such as, but not limited to, Toad.
iid) Application development tools, such as, but not limited to, Oracle JDeveloper, Microsoft Visual Studio, PowerBuilder, or Eclipse.

If the answer to the preceding question (ii through iid) is Yes, inquire whether, for each role or individual with respect to each tool, this access is required to enable the user(s) to perform authorized job duties. If No, this is a finding. If Yes, continue:

For each tool in use, determine whether it is capable of suppressing DBMS-generated error messages, and if it is, whether it is configured to do so.

Determine whether the role or individual, with respect to each tool, needs to see detailed DBMS-generated error messages. If No, and if the tool is not configured to suppress such messages, this is a finding. If Yes, determine whether the role/user's need to see such messages is documented in the System Security Plan. If so, this is not a finding. If not, this is a finding.

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4057

Comments