Checked | Rule ID | Title |
---|---|---|
☐ | SV-24632r1_rule | All database non-interactive, n-tier connection, and shared accounts that exist should be documented and approved by the IAO. |
☐ | SV-24368r1_rule | Audit trail data should be retained for one year. |
☐ | SV-24647r1_rule | Unauthorized user accounts should not exist. |
☐ | SV-24850r1_rule | Access to the Oracle SYS and SYSTEM accounts should be restricted to authorized DBAs. |
☐ | SV-24859r2_rule | The audit table should be owned by SYS or SYSTEM. |
☐ | SV-24862r1_rule | Access to default accounts used to support replication should be restricted to authorized DBAs. |
☐ | SV-24865r1_rule | Oracle instance names should not contain Oracle version numbers. |
☐ | SV-24881r2_rule | The Oracle OS_ROLES parameter should be set to FALSE. |
☐ | SV-24519r2_rule | Fixed user and public database links should be authorized for use. |
☐ | SV-24887r1_rule | A minimum of two Oracle control files should be defined and configured to be stored on separate, archived physical disks or archived directories on a RAID device. |
☐ | SV-24522r2_rule | A minimum of two Oracle redo log groups/files should be defined and configured to be stored on separate, archived physical disks or archived directories on a RAID device. |
☐ | SV-24549r2_rule | The DBA role should not be granted to unauthorized user accounts. |
☐ | SV-24902r2_rule | The Oracle OS_AUTHENT_PREFIX parameter should be changed from the default value of OPS$. |
☐ | SV-24905r3_rule | The Oracle WITH GRANT OPTION privilege should not be granted to non-DBA or non-Application administrator user accounts. |
☐ | SV-24908r2_rule | Execute permission should be revoked from PUBLIC for restricted Oracle packages. |
☐ | SV-24564r2_rule | The IDLE_TIME profile parameter should be set for Oracle profiles IAW DoD policy. |
☐ | SV-24911r2_rule | The Oracle REMOTE_OS_AUTHENT parameter should be set to FALSE. |
☐ | SV-24916r2_rule | The Oracle REMOTE_OS_ROLES parameter should be set to FALSE. |
☐ | SV-24919r2_rule | The Oracle SQL92_SECURITY parameter should be set to TRUE. |
☐ | SV-24922r2_rule | The Oracle REMOTE_LOGIN_PASSWORDFILE parameter should be set to EXCLUSIVE or NONE. |
☐ | SV-24925r2_rule | System privileges granted using the WITH ADMIN OPTION should not be granted to unauthorized user accounts. |
☐ | SV-24928r2_rule | Required object auditing should be configured. |
☐ | SV-24931r2_rule | System Privileges should not be granted to PUBLIC. |
☐ | SV-24570r2_rule | Oracle roles granted using the WITH ADMIN OPTION should not be granted to unauthorized accounts. |
☐ | SV-24937r2_rule | The Oracle O7_DICTIONARY_ACCESSIBILITY parameter should be set to FALSE. |
☐ | SV-24573r2_rule | Object permissions granted to PUBLIC should be restricted. |
☐ | SV-24942r2_rule | The Oracle RESOURCE_LIMIT parameter should be set to TRUE. |
☐ | SV-24896r2_rule | Application role permissions should not be assigned to the Oracle PUBLIC role. |
☐ | SV-24531r2_rule | Oracle application administration roles should be disabled if not required and authorized. |
☐ | SV-24534r2_rule | Oracle system privileges should not be directly assigned to unauthorized accounts. |
☐ | SV-24355r2_rule | Database applications should be restricted from using static DDL statements to modify the application schema. |
☐ | SV-60353r2_rule | Database job/batch queues should be reviewed regularly to detect unauthorized database job submissions. |
☐ | SV-25026r1_rule | DBMS authentication should require use of a DoD PKI certificate. |
☐ | SV-24387r3_rule | New passwords must be required to differ from old passwords by more than four characters. |
☐ | SV-24650r2_rule | Database accounts should not specify account lock times less than the site-approved minimum. |
☐ | SV-24389r2_rule | Unauthorized database links should not be defined and active. |
☐ | SV-24654r3_rule | Sensitive information from production database exports must be modified before import to a development database. |
☐ | SV-24391r2_rule | Production databases should be protected from unauthorized access by developers on shared production/development host systems. |
☐ | SV-24668r1_rule | Application user privilege assignment should be reviewed monthly or more frequently to ensure compliance with least privilege and documented policy. |
☐ | SV-28568r2_rule | Custom and GOTS application source code stored in the database should be protected with encryption or encoding. |
☐ | SV-24856r4_rule | Only authorized system accounts should have the SYSTEM tablespace specified as the default tablespace. |
☐ | SV-24501r2_rule | Database application user accounts should be denied storage usage for object creation within the database. |
☐ | SV-24868r2_rule | The Oracle SID should not be the default SID. |
☐ | SV-24510r3_rule | Application owner accounts should have a dedicated application tablespace. |
☐ | SV-24872r1_rule | The directory assigned to the AUDIT_FILE_DEST parameter should be protected from unauthorized access. |
☐ | SV-24513r1_rule | The directories assigned to the LOG_ARCHIVE_DEST* parameters should be protected from unauthorized access. |
☐ | SV-24884r2_rule | The Oracle _TRACE_FILES_PUBLIC parameter if present should be set to FALSE. |
☐ | SV-24899r1_rule | The XDB Protocol server should be uninstalled if not required and authorized for use. |
☐ | SV-24589r2_rule | Application object owner accounts should be disabled when not performing installation or maintenance actions. |
☐ | SV-24615r2_rule | Required auditing parameters for database auditing should be set. |
☐ | SV-24622r2_rule | Audit records should be restricted to authorized individuals. |
☐ | SV-24395r1_rule | Developers should not be assigned excessive privileges on production databases. |
☐ | SV-24705r1_rule | DBMS application user roles should not be assigned unauthorized privileges. |
☐ | SV-24652r1_rule | Unapproved inactive or expired database accounts should not be found on the database. |
☐ | SV-28970r1_rule | Transaction logs should be periodically reviewed for unauthorized modification of data. |
☐ | SV-24702r2_rule | DBMS processes or services should run under custom, dedicated OS accounts. |
☐ | SV-24819r1_rule | Asymmetric keys should use DoD PKI Certificates and be protected in accordance with NIST (unclassified data) or NSA (classified data) approved key management and processes. |
☐ | SV-24979r1_rule | DBA role assignments should be authorized by the IAO. |
☐ | SV-24666r2_rule | DBMS login account passwords should meet complexity requirements. |
☐ | SV-24780r2_rule | DBMS account passwords should be set to expire every 60 days or more frequently. |
☐ | SV-25082r1_rule | Credentials stored and used by the DBMS to access remote databases or applications should be authorized and restricted to authorized users. |
☐ | SV-24592r2_rule | Application objects should be owned by accounts authorized for ownership. |
☐ | SV-24604r2_rule | Default demonstration and sample database objects and applications should be removed. |
☐ | SV-24663r1_rule | Each database user, application or process should have an individually assigned account. |
☐ | SV-24673r2_rule | The DBA role should not be assigned excessive or unauthorized privileges. |
☐ | SV-24393r2_rule | Sensitive data should be labeled. |
☐ | SV-24694r1_rule | Access to external objects should be disabled if not required and authorized. |
☐ | SV-24407r1_rule | Replication accounts should not be granted DBA privileges. |
☐ | SV-24419r1_rule | DBMS system data files should be stored in dedicated disk directories. |
☐ | SV-24723r2_rule | Database privileged role assignments should be restricted to IAO-authorized DBMS accounts. |
☐ | SV-24422r2_rule | Administrative privileges should be assigned to database accounts via database roles. |
☐ | SV-24746r2_rule | DBMS application users should not be granted administrative privileges to the DBMS. |
☐ | SV-24755r2_rule | Application user privileges should be restricted to assignment using application user roles. |
☐ | SV-24764r1_rule | Access to sensitive data should be restricted to authorized users identified by the Information Owner. |
☐ | SV-24772r2_rule | Access to DBMS system tables and other configuration or metadata should be restricted to DBAs. |
☐ | SV-24775r1_rule | Use of DBA accounts should be restricted to administrative activities. |
☐ | SV-24787r2_rule | Password reuse should be prevented where supported by the DBMS. |
☐ | SV-24792r1_rule | DBMS account passwords should not be set to easily guessed words or values. |
☐ | SV-24796r3_rule | DBMS default accounts should be assigned custom passwords. |
☐ | SV-24968r2_rule | DBMS passwords should not be stored in compiled, encoded or encrypted batch jobs or compiled, encoded or encrypted application source code. |
☐ | SV-24426r2_rule | Unlimited account lock times should be specified for locked accounts. |
☐ | SV-24429r1_rule | Users should be alerted upon login of previous successful connections or unsuccessful attempts to access their account. |
☐ | SV-24798r1_rule | Access grants to sensitive data should be restricted to authorized user roles. |
☐ | SV-24801r3_rule | Attempts to bypass access controls should be audited. |
☐ | SV-24805r3_rule | Changes to configuration options must be audited. |
☐ | SV-30881r1_rule | Audit records should contain required information. |
☐ | SV-24976r1_rule | Audit records should include the reason for blacklisting or disabling DBMS connections or accounts. |
☐ | SV-24817r1_rule | DBMS symmetric keys should be protected in accordance with NSA or NIST-approved key management technology or processes. |
☐ | SV-24442r2_rule | Changes to DBMS security labels should be audited. |
☐ | SV-24838r2_rule | Remote database or other external access should use fully-qualified names. |
☐ | SV-24869r2_rule | The /diag subdirectory under the directory assigned to the DIAGNOSTIC_DEST parameter must be protected from unauthorized access. |
☐ | SV-60351r1_rule | Case sensitivity for passwords should be enabled. |
☐ | SV-55939r2_rule | The Oracle SEC_MAX_FAILED_LOGIN_ATTEMPTS parameter should be set to an ISSO-approved value between 1 and 3. |
☐ | SV-55940r2_rule | The Oracle SEC_PROTOCOL_ERROR_FURTHER_ACTION parameter should be set to a value of DELAY or DROP. |
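The rows above name the initialization parameters, privilege grants, profile limits, database links and tablespace assignments to check, but not how to read them out of a running instance. The following is an added example, not part of the STIG or of DISA's own check content: a read-only SQL*Plus script that gathers the evidence for those rows in one pass. It assumes a session with SELECT on V$PARAMETER and the DBA_* views (a DBA account). The restricted-package list in the second query is an illustrative assumption; the STIG check text for your release carries the authoritative list. The script only reports; compare each result against the expected value in the corresponding row and document deviations rather than changing settings from here.

```sql
-- Added example (not STIG content): evidence-gathering queries for the
-- parameter, privilege, profile, link and tablespace rows of the checklist.
-- Assumes SELECT on V$PARAMETER and the DBA_* views. Read-only.
SET LINESIZE 200 PAGESIZE 100
COLUMN name     FORMAT A40
COLUMN value    FORMAT A30
COLUMN expected FORMAT A30

-- Initialization parameters with a fixed expected value (SV-24881, SV-24902,
-- SV-24911, SV-24916, SV-24919, SV-24922, SV-24937, SV-24942, SV-60351,
-- SV-55939, SV-55940). V$PARAMETER stores names in lower case. The hidden
-- _TRACE_FILES_PUBLIC (SV-24884) is not exposed here and needs a SYS query.
SELECT p.name,
       NVL(p.value, '<unset>') AS value,
       CASE p.name
         WHEN 'os_roles'                          THEN 'FALSE'
         WHEN 'remote_os_authent'                 THEN 'FALSE'
         WHEN 'remote_os_roles'                   THEN 'FALSE'
         WHEN 'sql92_security'                    THEN 'TRUE'
         WHEN 'o7_dictionary_accessibility'       THEN 'FALSE'
         WHEN 'resource_limit'                    THEN 'TRUE'
         WHEN 'remote_login_passwordfile'         THEN 'EXCLUSIVE or NONE'
         WHEN 'os_authent_prefix'                 THEN 'anything but OPS$'
         WHEN 'sec_case_sensitive_logon'          THEN 'TRUE'
         WHEN 'sec_max_failed_login_attempts'     THEN '1 to 3 (ISSO-approved)'
         WHEN 'sec_protocol_error_further_action' THEN 'DELAY or DROP'
       END AS expected
  FROM v$parameter p
 WHERE p.name IN ('os_roles', 'remote_os_authent', 'remote_os_roles',
                  'sql92_security', 'o7_dictionary_accessibility',
                  'resource_limit', 'remote_login_passwordfile',
                  'os_authent_prefix', 'sec_case_sensitive_logon',
                  'sec_max_failed_login_attempts',
                  'sec_protocol_error_further_action')
 ORDER BY p.name;

-- SV-24908: EXECUTE on SYS packages still granted to PUBLIC. Package list is an
-- illustrative assumption; substitute the STIG's list for your release.
SELECT owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND owner = 'SYS'
   AND privilege = 'EXECUTE'
   AND table_name IN ('UTL_FILE', 'UTL_HTTP', 'UTL_TCP', 'UTL_SMTP', 'UTL_INADDR',
                      'DBMS_LOB', 'DBMS_RANDOM', 'DBMS_SCHEDULER', 'DBMS_JOB',
                      'DBMS_SQL', 'DBMS_XMLGEN', 'DBMS_BACKUP_RESTORE',
                      'DBMS_OBFUSCATION_TOOLKIT')
 ORDER BY table_name;

-- SV-24549 / SV-24931 / SV-24925: DBA role holders, system privileges granted
-- to PUBLIC, and system privileges held WITH ADMIN OPTION. Oracle-supplied
-- roles will appear in the third set; reconcile every row against the IAO's
-- authorization records.
SELECT 'DBA role' AS finding, grantee, granted_role AS detail
  FROM dba_role_privs
 WHERE granted_role = 'DBA' AND grantee NOT IN ('SYS', 'SYSTEM')
UNION ALL
SELECT 'sys priv to PUBLIC', grantee, privilege
  FROM dba_sys_privs
 WHERE grantee = 'PUBLIC'
UNION ALL
SELECT 'ADMIN OPTION', grantee, privilege
  FROM dba_sys_privs
 WHERE admin_option = 'YES' AND grantee NOT IN ('SYS', 'SYSTEM')
 ORDER BY 1, 2, 3;

-- SV-24564, SV-24780, SV-24426, SV-24387, SV-24787: profile limits the titles
-- pin down (IDLE_TIME set, PASSWORD_LIFE_TIME <= 60, PASSWORD_LOCK_TIME
-- UNLIMITED, a PASSWORD_VERIFY_FUNCTION assigned, reuse limits set). A limit
-- of DEFAULT inherits the DEFAULT profile's value.
SELECT profile, resource_name, limit
  FROM dba_profiles
 WHERE resource_name IN ('IDLE_TIME', 'PASSWORD_LIFE_TIME', 'PASSWORD_LOCK_TIME',
                         'PASSWORD_VERIFY_FUNCTION', 'PASSWORD_REUSE_MAX',
                         'PASSWORD_REUSE_TIME', 'FAILED_LOGIN_ATTEMPTS')
 ORDER BY profile, resource_name;

-- SV-24519 / SV-24389: every database link; owner PUBLIC marks a public link,
-- a non-null USERNAME marks a fixed-user link with stored credentials.
SELECT owner, db_link, host, NVL(username, '<current/connected user>') AS fixed_user
  FROM dba_db_links
 ORDER BY owner, db_link;

-- SV-24856: accounts whose default tablespace is SYSTEM. SYS and SYSTEM are
-- expected; every other account needs an authorization record.
SELECT username, account_status, default_tablespace
  FROM dba_users
 WHERE default_tablespace = 'SYSTEM'
 ORDER BY username;
```

Run the script with spool turned on and attach the output to the checklist as the evidence for each row it covers; rows that depend on site documentation (IAO approvals, DoD PKI use, retention periods) still need a manual review.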