STIGQter: STIG Summary: Oracle Database 11g Installation STIG Version: 8 Release: 20 Benchmark Date: 28 Jul 2017:

Connections by mid-tier web and application systems to the Oracle DBMS should be protected, encrypted and authenticated according to database, web, application, enclave and network requirements.

DISA Rule

SV-24537r3_rule

Vulnerability Number

V-3440

Group Title

DBMS mid-tier application account access

Rule Version

DO0360-ORACLE11

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure PKI authentication to help protect access to the shared account.

PKI authentication may be accomplished using Oracle Advanced Security on most platforms.

On a Windows host, user authentication using PKI may be used with Active Directory or NTS authentication using the DoD CAC.

On UNIX and other hosts, Oracle Advanced Security may be used to authenticate via LDAP or SSL.

The application may require storage of the authentication certificate in the Oracle Wallet or on a hardware security module (HSM) to authenticate.

Please see the Oracle Security Guides and the Oracle Advanced Security Guides for instructions on configuring PKI authentication.

Check Contents

Review the System Security Plan for remote applications that access and use the database.

If none of the applications accessing the database uses a single account for access by multiple persons or processes, this check is Not a Finding.

Verify that the application account uses PKI authentication:

From SQL*Plus:
select name, ext_username from user$ where ext_username is not null;

If the ext_username indicates a directory name, then verify that the directory name is authenticated using PKI.

You may require the DBA or directory server administrator to display the username definition in the directory service to you.

If the ext_username does not specify a certificate or PKI-authenticated user account, this is a Finding.
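The query in the check lists every account with an external identity but leaves the assessment to the reviewer. The following query is an added example for this check (it is not part of the STIG text): it joins SYS.USER$ to DBA_USERS, which in 11g exposes AUTHENTICATION_TYPE, and pre-sorts each externally or globally authenticated account into the cases the check describes. The pattern-based classification is an assumption for triage only; a DN still has to be confirmed against the directory or wallet as the check requires.

```sql
-- Added example, not from the STIG: triage externally/globally authenticated
-- accounts for DO0360. Run as a DBA from SQL*Plus. DBA_USERS.AUTHENTICATION_TYPE
-- (EXTERNAL, GLOBAL, PASSWORD, NONE) exists in 11g; SYS.USER$.EXT_USERNAME is the
-- column the STIG check itself queries.
SELECT u.name                                        AS account,
       du.authentication_type,
       u.ext_username,
       CASE
         -- No external identity stored in the DB. For GLOBAL users the
         -- mapping lives in the enterprise directory; for EXTERNAL users
         -- this is typically OS authentication, which is not PKI.
         WHEN u.ext_username IS NULL
           THEN 'no stored external identity: check directory mapping / OS auth'
         -- An X.500 distinguished name (CN=... / OU=...) is what a certificate
         -- DN looks like. Still verify the directory or wallet entry is
         -- actually PKI-authenticated before closing the finding.
         WHEN REGEXP_LIKE(u.ext_username, '(^|,)\s*(CN|OU|O|DC|C)=', 'i')
           THEN 'DN: confirm PKI authentication in directory/wallet'
         -- principal@REALM is a Kerberos principal, not a certificate.
         WHEN REGEXP_LIKE(u.ext_username, '^[^@]+@[^@]+$')
           THEN 'Kerberos principal: not certificate-based, review'
         ELSE 'other external name: review, likely not PKI (Finding)'
       END                                           AS triage
  FROM sys.user$ u
  JOIN dba_users du
    ON du.username = u.name
 WHERE du.authentication_type IN ('EXTERNAL', 'GLOBAL')
   -- Limit to the shared mid-tier/application accounts named in the SSP;
   -- APP_MIDTIER is a constructed placeholder, replace with the real list.
   AND u.name IN ('APP_MIDTIER')
 ORDER BY u.name;
```

Drop the final AND predicate to review every external or global account rather than only the shared application accounts identified in the System Security Plan.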

Severity Override Guidance


Check Content Reference

M

Responsibility

Database Administrator

Target Key

1368

Comments