Checked | Name | Title |
---|---|---|
☐ | SV-24597r1_rule | Database executable and configuration files should be monitored for unauthorized modifications. |
☐ | SV-24374r2_rule | The DBMS software installation account should be restricted to authorized users. |
☐ | SV-24383r1_rule | Database software, applications and configuration files should be monitored to discover unauthorized changes. |
☐ | SV-24934r1_rule | The Oracle Listener should be configured to require administration authentication. |
☐ | SV-24946r1_rule | Oracle SQLNet and listener log files should not be accessible to unauthorized users. |
☐ | SV-24537r3_rule | Connections by mid-tier web and application systems to the Oracle DBMS should be protected, encrypted and authenticated according to database, web, application, enclave and network requirements. |
☐ | SV-24949r1_rule | The Oracle Listener ADMIN_RESTRICTIONS parameter if present should be set to ON. |
☐ | SV-24599r1_rule | Configuration management procedures should be defined and implemented for database software modifications. |
☐ | SV-24359r2_rule | Unused database components, database application software, and database objects should be removed from the DBMS system. |
☐ | SV-24606r1_rule | A production DBMS installation should not coexist on the same DBMS host with other, non-production DBMS installations. |
☐ | SV-24363r1_rule | Application software should be owned by a Software Application account. |
☐ | SV-24610r1_rule | A baseline of database application software should be documented and maintained. |
☐ | SV-24626r1_rule | All applications that access the database should be logged in the audit trail. |
☐ | SV-24628r1_rule | A single database connection configuration file should not be used to configure all database clients. |
☐ | SV-24639r1_rule | Procedures for establishing temporary passwords that meet DoD password requirements for new accounts should be defined, documented and implemented. |
☐ | SV-24641r1_rule | Database account passwords should be stored in encoded or encrypted format whether stored in database objects, external host files, environment variables or any other storage locations. |
☐ | SV-24643r1_rule | DBMS tools or applications that echo or require a password entry in clear text should be protected from password display. |
☐ | SV-24687r1_rule | Remote administrative connections to the database should be encrypted. |
☐ | SV-24405r1_rule | Audit trail data should be reviewed daily or more frequently. |
☐ | SV-24465r1_rule | The Oracle software installation account should not be granted excessive host system privileges. |
☐ | SV-24853r1_rule | OS DBA group membership should be restricted to authorized accounts. |
☐ | SV-24890r1_rule | The Oracle INBOUND_CONNECT_TIMEOUT and SQLNET.INBOUND_CONNECT_TIMEOUT parameters should be set to a value greater than 0. |
☐ | SV-24893r1_rule | The Oracle SQLNET.EXPIRE_TIME parameter should be set to a value greater than 0. |
☐ | SV-24546r1_rule | The Oracle Management Agent should be uninstalled if not required and authorized or is installed on a database accessible from the Internet. |
☐ | SV-24350r1_rule | Database software directories including DBMS configuration files are stored in dedicated directories separate from the host OS and other applications. |
☐ | SV-24339r2_rule | Vendor supported software is evaluated and patched against newly found vulnerabilities. |
☐ | SV-24342r1_rule | The latest security patches should be installed. |
☐ | SV-24346r1_rule | Only necessary privileges to the host system should be granted to DBA OS accounts. |
☐ | SV-30742r1_rule | The database should be secured in accordance with DoD, vendor and/or commercially accepted practices where applicable. |
☐ | SV-24670r1_rule | Automated notification of suspicious activity detected in the audit trail should be implemented. |
☐ | SV-24815r1_rule | An automated tool that monitors audit data and immediately reports suspicious activity should be employed for the DBMS. |
☐ | SV-24821r1_rule | Sensitive data served by the DBMS should be protected by encryption when transmitted across the network. |
☐ | SV-24750r1_rule | Unauthorized access to external database objects should be removed from application user roles. |
☐ | SV-24675r1_rule | DBA roles should be periodically monitored to detect assignment of unauthorized or excess privileges. |
☐ | SV-24635r2_rule | DBMS privileges to restore database data or other DBMS configurations, features, or objects should be restricted to authorized DBMS accounts. |
☐ | SV-24840r1_rule | Privileges assigned to developers on shared production and development DBMS hosts and the DBMS should be monitored every three months or more frequently for unauthorized changes. |
☐ | SV-24842r1_rule | DBMS production application and data directories should be protected from developers on shared production/development DBMS host systems. |
☐ | SV-24377r1_rule | Use of the DBMS installation account should be logged. |
☐ | SV-24379r1_rule | Use of the DBMS software installation account should be restricted to DBMS software installation, upgrade and maintenance actions. |
☐ | SV-24678r1_rule | The DBMS should be periodically tested for vulnerability management and IA compliance. |
☐ | SV-24823r1_rule | The DBMS host platform and other dependent applications should be configured in compliance with applicable STIG requirements. |
☐ | SV-24825r1_rule | The DBMS audit logs should be included in backup operations. |
☐ | SV-24810r1_rule | Remote administrative access to the database should be monitored by the IAO or IAM. |
☐ | SV-24637r1_rule | DBMS backup and restoration files should be protected from unauthorized access. |
☐ | SV-24832r1_rule | DBMS software libraries should be periodically backed up. |
☐ | SV-24449r1_rule | The database should not be directly accessible from public or unauthorized networks. |
☐ | SV-30765r1_rule | Database backup procedures should be defined, documented and implemented. |
☐ | SV-24742r1_rule | The IAM should review changes to DBA role assignments. |
☐ | SV-24608r1_rule | Backup and recovery procedures should be developed, documented, implemented and periodically tested. |
☐ | SV-24397r1_rule | Sensitive information stored in the database should be protected by encryption. |
☐ | SV-24684r1_rule | Database data files containing sensitive information should be encrypted. |
☐ | SV-24689r1_rule | The DBMS IA policies and procedures should be reviewed annually or more frequently. |
☐ | SV-24691r1_rule | Plans and procedures for testing DBMS installations, upgrades and patches should be defined and followed prior to production implementation. |
☐ | SV-24645r1_rule | Procedures and restrictions for import of production data to development databases should be documented, implemented and followed. |
☐ | SV-24707r1_rule | Database data encryption controls should be configured in accordance with application requirements. |
☐ | SV-24710r1_rule | Sensitive data is stored in the database and should be identified in the System Security Plan and AIS Functional Architecture documentation. |
☐ | SV-24713r1_rule | The DBMS restoration priority should be assigned. |
☐ | SV-24715r1_rule | The DBMS should not be operated without authorization on a host system supporting other application services. |
☐ | SV-24808r1_rule | DBMS network communications should comply with PPS usage restrictions. |
☐ | SV-24437r1_rule | The DBMS requires a System Security Plan containing all required information. |
☐ | SV-24717r1_rule | The DBMS should not share a host supporting an independent security service. |
☐ | SV-24595r1_rule | Access to DBMS software files and directories should not be granted to unauthorized users. |
☐ | SV-24630r1_rule | The audit logs should be periodically monitored to discover DBMS access using unauthorized applications. |
☐ | SV-24698r1_rule | Access to external DBMS executables should be disabled or restricted. |
☐ | SV-25054r1_rule | OS accounts used to execute external procedures should be assigned minimum privileges. |
☐ | SV-24410r2_rule | Network access to the DBMS must be restricted to authorized personnel. |
☐ | SV-24415r1_rule | DBMS service identification should be unique and clearly identify the service. |
☐ | SV-28967r1_rule | Recovery procedures and technical system features exist to ensure that recovery is done in a secure and verifiable manner. |
☐ | SV-24967r1_rule | Passwords should be encrypted when transmitted across the network. |
☐ | SV-24432r1_rule | Access to DBMS security data should be audited. |
☐ | SV-25385r1_rule | The DBMS should have configured all applicable settings to use trusted files, functions, features, or other components during startup, shutdown, aborts, or other unplanned interruptions. |
☐ | SV-24982r1_rule | Remote DBMS administration should be documented and authorized or disabled. |
☐ | SV-24985r1_rule | DBMS remote administration should be audited. |
☐ | SV-25075r1_rule | The DBMS should not have a connection defined to access or be accessed by a DBMS at a different classification level. |
☐ | SV-24835r1_rule | Credentials used to access remote databases should be protected by encryption and restricted to authorized users. |
☐ | SV-24844r1_rule | Remote administration of the DBMS should be restricted to known, dedicated and encrypted network addresses and ports. |
☐ | SV-24952r1_rule | The Oracle listener.ora file should specify IP addresses rather than host names to identify hosts. |
☐ | SV-24955r1_rule | Remote administration should be disabled for the Oracle connection manager. |
☐ | SV-24959r2_rule | The Oracle SEC_PROTOCOL_ERROR_TRACE_ACTION parameter should not be set to NONE. |
☐ | SV-24961r1_rule | Oracle Application Express or Oracle HTML DB should not be installed on a production database. |
☐ | SV-24963r1_rule | Oracle Configuration Manager should not remain installed on a production system. |
☐ | SV-24958r2_rule | The SQLNet SQLNET.ALLOWED_LOGON_VERSION parameter must be set to a value of 11 or higher. |
☐ | SV-55867r1_rule | DBMS cryptography must be NIST FIPS 140-2 validated. |
☐ | SV-72019r1_rule | The directory assigned to the AUDIT_FILE_DEST parameter must be protected from unauthorized access and must be stored in a dedicated directory or disk partition separate from software or other application files. |
☐ | SV-72021r2_rule | A minimum of two Oracle control files must be defined and configured to be stored on separate, archived disks (physical or virtual) or archived partitions on a RAID device. |
☐ | SV-72023r1_rule | A minimum of two Oracle redo log groups/files must be defined and configured to be stored on separate, archived physical disks or archived directories on a RAID device. |