STIGQter: STIG Summary: Oracle Database 11g Installation STIG, Version: 8, Release: 20, Benchmark Date: 28 Jul 2017

Configuration management procedures should be defined and implemented for database software modifications.

DISA Rule

SV-24599r1_rule

Vulnerability Number

V-3726

Group Title

DBMS Configuration Management

Rule Version

DG0011-ORACLE11

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

Develop, document and implement configuration management procedures or processes.

Ensure the 4 major requirements listed in the check are documented at a minimum.

Assign responsibilities for oversight and approval for any and all changes made to DBMS software and configuration.

Check Contents

Interview the IAO and review documentation to determine if a configuration management (CM) process is implemented for the DBMS system that includes requirements for:
(1) Formally documented CM roles, responsibilities, and procedures to include the management of IA information and documentation;
(2) A configuration control board that implements procedures to ensure a security review and approval of all proposed DoD information system changes, to include interconnections to other DoD information systems;
(3) A testing process to verify proposed configuration changes prior to implementation in the operational environment; and
(4) A verification process to provide additional assurance that the CM process is working effectively and that changes outside the CM process are technically or procedurally not permitted.

If documented evidence for the procedures or processes outlined above is not present or is incomplete, this is a Finding.

Vulnerability Number

V-3726

Documentable

False

Rule Version

DG0011-ORACLE11

Severity Override Guidance

Interview the IAO and review documentation to determine if a configuration management (CM) process is implemented for the DBMS system that includes requirements for:
(1) Formally documented CM roles, responsibilities, and procedures to include the management of IA information and documentation;
(2) A configuration control board that implements procedures to ensure a security review and approval of all proposed DoD information system changes, to include interconnections to other DoD information systems;
(3) A testing process to verify proposed configuration changes prior to implementation in the operational environment; and
(4) A verification process to provide additional assurance that the CM process is working effectively and that changes outside the CM process are technically or procedurally not permitted.

If documented evidence for the procedures or processes outlined above is not present or is incomplete, this is a Finding.

Check Content Reference

I

Responsibility

Information Assurance Officer

Target Key

1368

Comments