SV-24835r1_rule
V-15659
DBMS credential protection
DG0191-ORACLE11
CAT II
10
Consider alternate methods for database connections to avoid custom storage of local connection credentials.
Develop and document use of locally stored credentials and their authorized use and access in the System Security Plan.
Restrict access and use of the credentials to authorized users using host file permissions and any other available method to restrict access.
Review the System Security Plan to discover any external storage of passwords used by applications, batch jobs or users to connect to the database.
If no database passwords or credentials are stored outside of the database including use of Oracle Wallets and the Oracle password file (pwd*.ora or orapwd*.ora), this check is Not a Finding.
View the sqlnet.ora file to determine if Oracle Wallets are used for authentication.
If the "WALLET_LOCATION" entry exists in the file, then view permissions on the directory and contents.
If access to this directory and these files is not restricted to the Oracle database and listener services, DBA's, and other authorized system and administrative accounts this is a Finding.
From SQL*Plus:
select value from v$parameter where name = 'remote_login_passwordfile';
If the command returns the value NONE, this is not a Finding.
If it returns the value SHARED, this is a Finding.
If it returns the value EXCLUSIVE, view access permissions to the Oracle password file.
The default name for Windows is pwd[SID].ora and is located in the ORACLE_HOME\database directory.
On UNIX hosts, the file is named orapw[SID] and stored in the $ORACLE_HOME/dbs directory.
If access to this file is not restricted to the Oracle database, DBA's, and other authorized system and administrative accounts, this is a Finding.
For other password or credential stores, interview the DBA to ask what restrictions to the storage location of passwords have been assigned.
If accounts other than those that require access to the storage location have been granted permissions, this is a Finding.
V-15659
False
DG0191-ORACLE11
Review the System Security Plan to discover any external storage of passwords used by applications, batch jobs or users to connect to the database.
If no database passwords or credentials are stored outside of the database including use of Oracle Wallets and the Oracle password file (pwd*.ora or orapwd*.ora), this check is Not a Finding.
View the sqlnet.ora file to determine if Oracle Wallets are used for authentication.
If the "WALLET_LOCATION" entry exists in the file, then view permissions on the directory and contents.
If access to this directory and these files is not restricted to the Oracle database and listener services, DBA's, and other authorized system and administrative accounts this is a Finding.
From SQL*Plus:
select value from v$parameter where name = 'remote_login_passwordfile';
If the command returns the value NONE, this is not a Finding.
If it returns the value SHARED, this is a Finding.
If it returns the value EXCLUSIVE, view access permissions to the Oracle password file.
The default name for Windows is pwd[SID].ora and is located in the ORACLE_HOME\database directory.
On UNIX hosts, the file is named orapw[SID] and stored in the $ORACLE_HOME/dbs directory.
If access to this file is not restricted to the Oracle database, DBA's, and other authorized system and administrative accounts, this is a Finding.
For other password or credential stores, interview the DBA to ask what restrictions to the storage location of passwords have been assigned.
If accounts other than those that require access to the storage location have been granted permissions, this is a Finding.
M
Database Administrator
1368