STIGQter STIGQter: STIG Summary: Oracle Database 12c Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

Changes to DBMS security labels must be audited.

DISA Rule

SV-219871r401224_rule

Vulnerability Number

V-219871

Group Title

SRG-APP-000516-DB-000363

Rule Version

O121-BP-026200

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Define the policy for auditing changes to security labels defined for the data.

Document the audit requirements in the System Security Plan and configure database auditing in accordance with the policy.

If using Standard Auditing:
If there is no Unified Auditing policy deployed to audit changes to security labels, the create one using the following syntax:
SA_AUDIT_ADMIN.AUDIT (
policy_name IN VARCHAR2,
users IN VARCHAR2 DEFAULT NULL,
audit_option IN VARCHAR2 DEFAULT NULL,
audit_type IN VARCHAR2 DEFAULT NULL,
success IN VARCHAR2 DEFAULT NULL);

For additional information on creating audit policies, refer to the Oracle Database Security Guide
http://docs.oracle.com/database/121/OLSAG/packages.htm#i1011868

If Unified Auditing is used:
To ensure auditable events are captured:
Link the oracle binary with uniaud_on, and then restart the database. Oracle Database Upgrade Guide describes how to enable unified auditing.
Reference V-61625 for information on how to configure a policy to audit changes to security label assignments.

For additional information on creating audit policies, refer to the Oracle Database Security Guide
http://docs.oracle.com/database/121/DBSEG/audit_config.htm#CHDGBAAC

Check Contents

If no data is identified as being sensitive or classified by the Information Owner, in the System Security Plan or in the AIS Functional Architecture documentation, this is not a finding.

If security labeling is not required, this is not a finding.

If Standard Auditing is used, run the SQL query:

select * from dba_sa_audit_options;

If no records are returned or if output from the SQL statement above does not show classification labels being audited as required in the System Security Plan, this is a finding.

If Unified Auditing is used:
To see if Oracle is configured to capture audit data including changes to security label assignment, enter the following SQL*Plus command:
SELECT 'Changes to security label assignment is not being audited. '
FROM dual
WHERE (SELECT Count(*)
FROM (select policy_name , audit_option from audit_unified_policies
WHERE audit_option = 'ALL'
AND audit_option_type = 'OLS ACTION'
AND policy_name in (select policy_name from audit_unified_enabled_policies where user_name='ALL USERS'))) = 0
OR (SELECT value
FROM v$option
WHERE parameter = 'Unified Auditing') != 'TRUE';

If Oracle returns "no rows selected", this is not a finding.

To confirm that Oracle audit is capturing sufficient information to establish that changes to classification labels are being audited, perform a successful auditable action and an auditable action that results in an SQL error, and then view the results in the SYS.UNIFIED_AUDIT_TRAIL view.

If no ACTION#, or the wrong value, is returned for the auditable actions, this is a finding.

Vulnerability Number

V-219871

Documentable

False

Rule Version

O121-BP-026200

Severity Override Guidance

If no data is identified as being sensitive or classified by the Information Owner, in the System Security Plan or in the AIS Functional Architecture documentation, this is not a finding.

If security labeling is not required, this is not a finding.

If Standard Auditing is used, run the SQL query:

select * from dba_sa_audit_options;

If no records are returned or if output from the SQL statement above does not show classification labels being audited as required in the System Security Plan, this is a finding.

If Unified Auditing is used:
To see if Oracle is configured to capture audit data including changes to security label assignment, enter the following SQL*Plus command:
SELECT 'Changes to security label assignment is not being audited. '
FROM dual
WHERE (SELECT Count(*)
FROM (select policy_name , audit_option from audit_unified_policies
WHERE audit_option = 'ALL'
AND audit_option_type = 'OLS ACTION'
AND policy_name in (select policy_name from audit_unified_enabled_policies where user_name='ALL USERS'))) = 0
OR (SELECT value
FROM v$option
WHERE parameter = 'Unified Auditing') != 'TRUE';

If Oracle returns "no rows selected", this is not a finding.

To confirm that Oracle audit is capturing sufficient information to establish that changes to classification labels are being audited, perform a successful auditable action and an auditable action that results in an SQL error, and then view the results in the SYS.UNIFIED_AUDIT_TRAIL view.

If no ACTION#, or the wrong value, is returned for the auditable actions, this is a finding.

Check Content Reference

M

Target Key

4059

Comments