SV-238458r667548_rule
V-238458
SRG-APP-000023-DB-000001
O112-C2-012900
CAT I
10
Configure DBMS, OS and/or enterprise-level authentication/access mechanism to require multifactor authentication for user accounts.
If appropriate, enable support for Transport Layer Security (TLS) protocols and multifactor authentication through the use of Smart Cards (CAC/PIV).
Oracle Database is capable of being configured to integrate users with an enterprise-level authentication/access mechanism.
The directions are in the Oracle Database Security Guide, Section 6
https://docs.oracle.com/en/database/oracle/oracle-database/19/dbseg/database-security-guide.pdf#page=318
This section will give detailed step-by-step directions to configure authentication using PKI Certificates for centrally managed users by configuring Secure Sockets Layer in the Oracle database and integrating with LDAP.
If all user accounts are authenticated by the organization-level authentication/access mechanism and not by the DBMS, this is not a finding.
Review DBMS settings, OS settings, and/or enterprise-level authentication/access mechanism settings to determine whether user accounts are required to use multifactor authentication.
If user accounts are not required to use multifactor authentication, this is a finding.
If the $ORACLE_HOME/network/admin/sqlnet.ora contains entries similar to the following, TLS is enabled. (Note: This assumes that a single sqlnet.ora file, in the default location, is in use. Please see the supplemental file "Non-default sqlnet.ora configurations.pdf" for how to find multiple and/or differently located sqlnet.ora files.)
SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS)
SSL_VERSION = 1.2
SSL_CLIENT_AUTHENTICATION = TRUE
WALLET_LOCATION =
(SOURCE =
(METHOD = FILE)
(METHOD_DATA =
(DIRECTORY = /u01/app/oracle/product/12.1.0/dbhome_1/owm/wallets)
)
)
SSL_CIPHER_SUITES= (SSL_RSA_WITH_AES_256_CBC_SHA384)
ADR_BASE = /u01/app/oracle
V-238458
False
O112-C2-012900
If all user accounts are authenticated by the organization-level authentication/access mechanism and not by the DBMS, this is not a finding.
Review DBMS settings, OS settings, and/or enterprise-level authentication/access mechanism settings to determine whether user accounts are required to use multifactor authentication.
If user accounts are not required to use multifactor authentication, this is a finding.
If the $ORACLE_HOME/network/admin/sqlnet.ora contains entries similar to the following, TLS is enabled. (Note: This assumes that a single sqlnet.ora file, in the default location, is in use. Please see the supplemental file "Non-default sqlnet.ora configurations.pdf" for how to find multiple and/or differently located sqlnet.ora files.)
SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS)
SSL_VERSION = 1.2
SSL_CLIENT_AUTHENTICATION = TRUE
WALLET_LOCATION =
(SOURCE =
(METHOD = FILE)
(METHOD_DATA =
(DIRECTORY = /u01/app/oracle/product/12.1.0/dbhome_1/owm/wallets)
)
)
SSL_CIPHER_SUITES= (SSL_RSA_WITH_AES_256_CBC_SHA384)
ADR_BASE = /u01/app/oracle
M
4057