STIGQter STIGQter: STIG Summary:

Oracle Database 11.2g Security Technical Implementation Guide

Version: 2

Release: 1 Benchmark Date: 23 Apr 2021

CheckedNameTitle
SV-219695r401224_ruleAccess to default accounts used to support replication must be restricted to authorized DBAs.
SV-219696r401224_ruleOracle instance names must not contain Oracle version numbers.
SV-219697r401224_ruleFixed user and public database links must be authorized for use.
SV-219698r401224_ruleA minimum of two Oracle control files must be defined and configured to be stored on separate, archived disks (physical or virtual) or archived partitions on a RAID device.
SV-219699r401224_ruleA minimum of two Oracle redo log groups/files must be defined and configured to be stored on separate, archived physical disks or archived directories on a RAID device.
SV-219700r401224_ruleThe Oracle WITH GRANT OPTION privilege must not be granted to non-DBA or non-Application administrator user accounts.
SV-219701r401224_ruleExecute permission must be revoked from PUBLIC for restricted Oracle packages.
SV-219702r401224_ruleThe Oracle REMOTE_OS_AUTHENT parameter must be set to FALSE.
SV-219703r401224_ruleThe Oracle REMOTE_OS_ROLES parameter must be set to FALSE.
SV-219704r401224_ruleThe Oracle SQL92_SECURITY parameter must be set to TRUE.
SV-219705r401224_ruleThe Oracle password file ownership and permissions should be limited and the REMOTE_LOGIN_PASSWORDFILE parameter must be set to EXCLUSIVE or NONE.
SV-219706r401224_ruleSystem privileges granted using the WITH ADMIN OPTION must not be granted to unauthorized user accounts.
SV-219707r401224_ruleSystem Privileges must not be granted to PUBLIC.
SV-219708r401224_ruleOracle roles granted using the WITH ADMIN OPTION must not be granted to unauthorized accounts.
SV-219709r401224_ruleObject permissions granted to PUBLIC must be restricted.
SV-219710r401224_ruleThe Oracle Listener must be configured to require administration authentication.
SV-219711r401224_ruleApplication role permissions must not be assigned to the Oracle PUBLIC role.
SV-219712r401224_ruleOracle application administration roles must be disabled if not required and authorized.
SV-219713r401224_ruleConnections by mid-tier web and application systems to the Oracle DBMS from a DMZ or external network must be encrypted.
SV-219714r401224_ruleDatabase job/batch queues must be reviewed regularly to detect unauthorized database job submissions.
SV-219715r401224_ruleUnauthorized database links must not be defined and active.
SV-219716r401224_ruleSensitive information from production database exports must be modified before being imported into a development database.
SV-219719r401224_ruleOnly authorized system accounts must have the SYSTEM tablespace specified as the default tablespace.
SV-219720r401224_ruleApplication owner accounts must have a dedicated application tablespace.
SV-219721r401224_ruleThe directories assigned to the LOG_ARCHIVE_DEST* parameters must be protected from unauthorized access.
SV-219722r401224_ruleThe Oracle _TRACE_FILES_PUBLIC parameter if present must be set to FALSE.
SV-219723r401224_ruleApplication object owner accounts must be disabled when not performing installation or maintenance actions.
SV-219724r401224_ruleDBMS production application and data directories must be protected from developers on shared production/development DBMS host systems.
SV-219725r401224_ruleUse of the DBMS installation account must be logged.
SV-219733r401224_ruleThe directory assigned to the AUDIT_FILE_DEST parameter must be protected from unauthorized access and must be stored in a dedicated directory or disk partition separate from software or other application files.
SV-219736r401224_ruleAccess to DBMS software files and directories must not be granted to unauthorized users.
SV-219737r401224_ruleReplication accounts must not be granted DBA privileges.
SV-219738r401224_ruleNetwork access to the DBMS must be restricted to authorized personnel.
SV-219739r401224_ruleChanges to configuration options must be audited.
SV-219742r401224_ruleChanges to DBMS security labels must be audited.
SV-219743r401224_ruleRemote database or other external access must use fully-qualified names.
SV-219744r401224_ruleThe /diag subdirectory under the directory assigned to the DIAGNOSTIC_DEST parameter must be protected from unauthorized access.
SV-219745r401224_ruleRemote administration must be disabled for the Oracle connection manager.
SV-219746r401224_ruleThe SQLNet SQLNET.ALLOWED_LOGON_VERSION parameter must be set to a value of 12 or higher.
SV-219747r397597_ruleThe DBMS, when using PKI-based authentication, must enforce authorized access to the corresponding private key.
SV-219748r395442_ruleThe DBMS must limit the number of concurrent sessions for each system account to an organization-defined number of sessions.
SV-219749r395475_ruleThe system must employ automated mechanisms for supporting Oracle user account management.
SV-219750r395499_ruleThe DBMS must enforce approved authorizations for logical access to the system in accordance with applicable policy.
SV-219751r395706_ruleThe DBMS must provide audit record generation capability for organization-defined auditable events within the database.
SV-219752r395709_ruleThe DBMS must allow designated organizational personnel to select which auditable events are to be audited by the database.
SV-219753r395712_ruleThe DBMS must generate audit records for the DoD-selected list of auditable events, to the extent such information is available.
SV-219754r395721_ruleThe DBMS must produce audit records containing sufficient information to establish what type of events occurred.
SV-219755r395724_ruleThe DBMS must produce audit records containing sufficient information to establish when (date and time) the events occurred.
SV-219756r395727_ruleThe DBMS must produce audit records containing sufficient information to establish where the events occurred.
SV-219757r395730_ruleThe DBMS must produce audit records containing sufficient information to establish the sources (origins) of the events.
SV-219758r395733_ruleThe DBMS must produce audit records containing sufficient information to establish the outcome (success or failure) of the events.
SV-219759r395736_ruleThe DBMS must produce audit records containing sufficient information to establish the identity of any user/subject or process associated with the event.
SV-219760r395739_ruleThe DBMS must include organization-defined additional, more detailed information in the audit records for audit events identified by type, location, or subject.
SV-219761r395820_ruleThe DBMS must protect audit information from any type of unauthorized access.
SV-219762r395823_ruleThe DBMS must protect audit information from unauthorized modification.
SV-219763r395826_ruleThe DBMS must protect audit information from unauthorized deletion.
SV-219764r395829_ruleThe DBMS must protect audit tools from unauthorized access.
SV-219765r395832_ruleThe DBMS must protect audit tools from unauthorized modification.
SV-219766r395835_ruleThe DBMS must protect audit tools from unauthorized deletion.
SV-219767r395850_ruleDatabase objects must be owned by accounts authorized for ownership.
SV-219768r395853_ruleDefault demonstration and sample databases, database objects, and applications must be removed.
SV-219769r395853_ruleUnused database components, DBMS software, and database objects must be removed.
SV-219770r395853_ruleUnused database components that are integrated in the DBMS and cannot be uninstalled must be disabled.
SV-219771r395853_ruleUse of external executables must be authorized.
SV-219772r395853_ruleAccess to external executables must be disabled or restricted.
SV-219773r395856_ruleThe DBMS must support the organizational requirements to specifically prohibit or restrict the use of unauthorized functions, ports, protocols, and/or services.
SV-219774r397522_ruleThe DBMS must support organizational requirements to enforce password encryption for storage.
SV-219775r397594_ruleThe DBMS, when utilizing PKI-based authentication, must validate certificates by constructing a certification path with status information to an accepted trust anchor.
SV-219776r397600_ruleThe DBMS must ensure that PKI-based authentication maps the authenticated identity to the user account.
SV-219777r397600_ruleProcesses (services, applications, etc.) that connect to the DBMS independently of individual users, must use valid, current DoD-issued PKI certificates for authentication to the DBMS.
SV-219778r397606_ruleThe DBMS must use NIST-validated FIPS 140-2-compliant cryptography for authentication mechanisms.
SV-219779r397729_ruleThe DBMS must terminate user sessions upon user logout or any other organization or policy-defined session termination events, such as idle time limit exceeded.
SV-219780r397741_ruleThe DBMS must preserve any organization-defined system state information in the event of a system failure.
SV-219781r397744_ruleThe DBMS must take needed steps to protect data at rest and ensure confidentiality and integrity of application data.
SV-219782r397747_ruleThe DBMS must isolate security functions from non-security functions by means of separate security domains.
SV-219783r397765_ruleThe DBMS must prevent unauthorized and unintended information transfer via shared system resources.
SV-219784r397834_ruleThe DBMS must check the validity of data inputs.
SV-219785r397843_ruleThe DBMS must only generate error messages that provide information necessary for corrective actions without revealing organization-defined sensitive or potentially harmful information in error logs and administrative messages that could be exploited.
SV-219786r397846_ruleThe DBMS must restrict error messages, so only authorized personnel may view them.
SV-219787r397603_ruleApplications must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
SV-219788r397603_ruleWhen using command-line tools such as Oracle SQL*Plus, which can accept a plain-text password, users must use an alternative login method that does not expose the password.
SV-219789r395805_ruleDisk space used by audit trail(s) must be monitored; audit records must be regularly or continuously offloaded to a centralized log management system.
SV-219790r395850_ruleDatabase software, applications, and configuration files must be monitored to discover unauthorized changes.
SV-219791r395850_ruleLogic modules within the database (to include packages, procedures, functions and triggers) must be monitored to discover unauthorized changes.
SV-219792r395850_ruleThe DBMS software installation account must be restricted to authorized users.
SV-219793r395850_ruleDatabase software directories, including DBMS configuration files, must be stored in dedicated directories, or DASD pools, separate from the host OS and other applications.
SV-219794r395859_ruleThe DBMS must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
SV-219795r397609_ruleThe DBMS must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).
SV-219796r397711_ruleThe DBMS must separate user functionality (including user interface services) from database management functionality.
SV-219797r395691_ruleThe DBMS must protect against an individual using a group account from falsely denying having performed a particular action.
SV-237753r667296_ruleOracle database products must be a version supported by the vendor.
SV-238431r667467_ruleDBA OS accounts must be granted only those host system privileges necessary for the administration of the DBMS.
SV-238432r667470_ruleVendor-supported software must be evaluated and patched against newly found vulnerabilities.
SV-238433r667473_ruleDBMS default accounts must be assigned custom passwords.
SV-238434r667476_ruleThe DBMS must employ cryptographic mechanisms preventing the unauthorized disclosure of information during transmission unless the transmitted data is otherwise protected by alternative physical measures.
SV-238435r667479_ruleThe DBMS must support the disabling of network protocols deemed by the organization to be non-secure.
SV-238436r667482_ruleThe DBMS must provide a mechanism to automatically identify accounts designated as temporary or emergency accounts.
SV-238437r667485_ruleThe DBMS must provide a mechanism to automatically terminate accounts designated as temporary or emergency accounts after an organization-defined time period.
SV-238438r667488_ruleThe DBMS must enforce Discretionary Access Control (DAC) policy allowing users to specify and control sharing by named individuals, groups of individuals, or by both, limiting propagation of access rights and includes or excludes access to the granularity of a single user.
SV-238439r667491_ruleThe DBMS must restrict grants to sensitive information to authorized user roles.
SV-238440r667494_ruleA single database connection configuration file must not be used to configure all database clients.
SV-238441r667497_ruleThe DBMS must be protected from unauthorized access by developers.
SV-238442r667500_ruleThe DBMS must be protected from unauthorized access by developers on shared production/development host systems.
SV-238443r667503_ruleThe DBMS must restrict access to system tables and other configuration information or metadata to DBAs or other authorized users.
SV-238444r667506_ruleAdministrative privileges must be assigned to database accounts via database roles.
SV-238445r667509_ruleAdministrators must utilize a separate, distinct administrative account when performing administrative activities, accessing database security functions, or accessing security-relevant information.
SV-238446r667512_ruleThe DBA role must not be assigned excessive or unauthorized privileges.
SV-238447r667515_ruleOS accounts utilized to run external procedures called by the DBMS must have limited privileges.
SV-238448r667518_ruleThe DBMS must specify an account lockout duration that is greater than or equal to the organization-approved minimum.
SV-238449r667521_ruleThe DBMS must have the capability to limit the number of failed login attempts based upon an organization-defined number of consecutive invalid attempts occurring within an organization-defined time period.
SV-238450r667524_ruleDatabases utilizing Discretionary Access Control (DAC) must enforce a policy that limits propagation of access rights.
SV-238451r667527_ruleA DBMS utilizing Discretionary Access Control (DAC) must enforce a policy that includes or excludes access to the granularity of a single user.
SV-238452r667530_ruleThe DBMS itself, or the logging or alerting mechanism the application utilizes, must provide a warning when allocated audit record storage volume reaches an organization-defined percentage of maximum audit record storage capacity.
SV-238453r667533_ruleThe DBMS must provide a real-time alert when organization-defined audit failure events occur.
SV-238454r667536_ruleThe DBMS must support enforcement of logical access restrictions associated with changes to the DBMS configuration and to the database itself.
SV-238455r667539_ruleDatabase backup procedures must be defined, documented, and implemented.
SV-238456r667542_ruleDatabase recovery procedures must be developed, documented, implemented, and periodically tested.
SV-238457r667545_ruleDBMS backup and restoration files must be protected from unauthorized access.
SV-238458r667548_ruleThe DBMS must use multifactor authentication for access to user accounts.
SV-238459r667551_ruleThe DBMS must ensure users are authenticated with an individual authenticator prior to using a group authenticator.
SV-238460r667554_ruleThe DBMS must disable user accounts after 35 days of inactivity.
SV-238461r667557_ruleThe DBMS must support organizational requirements to enforce minimum password length.
SV-238462r667560_ruleThe DBMS must support organizational requirements to prohibit password reuse for the organization-defined number of generations.
SV-238463r667563_ruleThe DBMS must support organizational requirements to enforce password complexity by the number of upper-case characters used.
SV-238464r667566_ruleThe DBMS must support organizational requirements to enforce password complexity by the number of lower-case characters used.
SV-238465r667569_ruleThe DBMS must support organizational requirements to enforce password complexity by the number of numeric characters used.
SV-238466r667572_ruleThe DBMS must support organizational requirements to enforce password complexity by the number of special characters used.
SV-238467r667575_ruleThe DBMS must support organizational requirements to enforce the number of characters that get changed when passwords are changed.
SV-238468r667578_ruleProcedures for establishing temporary passwords that meet DoD password requirements for new accounts must be defined, documented, and implemented.
SV-238469r667581_ruleDBMS passwords must not be stored in compiled, encoded, or encrypted batch jobs or compiled, encoded, or encrypted application source code.
SV-238470r708144_ruleThe DBMS must enforce password maximum lifetime restrictions.
SV-238471r667587_ruleThe DBMS must employ cryptographic mechanisms to protect the integrity and confidentiality of non-local maintenance and diagnostic communications.
SV-238472r667590_ruleThe DBMS must employ strong identification and authentication techniques when establishing non-local maintenance and diagnostic sessions.
SV-238473r667593_ruleThe DBMS must terminate the network connection associated with a communications session at the end of the session or after 15 minutes of inactivity.
SV-238474r667596_ruleThe DBMS must implement required cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
SV-238475r667599_ruleDatabase data files containing sensitive information must be encrypted.
SV-238476r667602_ruleThe DBMS must automatically terminate emergency accounts after an organization-defined time period for each type of account.
SV-238477r667605_ruleThe DBMS must protect against or limit the effects of the organization-defined types of Denial of Service (DoS) attacks.
SV-238478r667608_ruleThe DBMS must verify there have not been unauthorized changes to the DBMS software and information.
SV-238479r667611_ruleThe DBMS must support taking organization-defined list of least disruptive actions to terminate suspicious events.
SV-238480r667614_ruleUse of the DBMS software installation account must be restricted.
SV-238481r667617_ruleThe OS must limit privileges to change the DBMS software resident within software libraries (including privileged programs).