STIGQter: STIG Summary: Oracle Database 11.2g Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

The DBMS must use multifactor authentication for access to user accounts.

DISA Rule

SV-238458r667548_rule

Vulnerability Number

V-238458

Group Title

SRG-APP-000023-DB-000001

Rule Version

O112-C2-012900

Severity

CAT I

CCI(s)

• CCI-000765 - The information system implements multifactor authentication for network access to privileged accounts.
• CCI-000766 - The information system implements multifactor authentication for network access to non-privileged accounts.
• CCI-000767 - The information system implements multifactor authentication for local access to privileged accounts.
• CCI-000768 - The information system implements multifactor authentication for local access to non-privileged accounts.

Weight

10

Fix Recommendation

Configure DBMS, OS and/or enterprise-level authentication/access mechanism to require multifactor authentication for user accounts.

If appropriate, enable support for Transport Layer Security (TLS) protocols and multifactor authentication through the use of Smart Cards (CAC/PIV).
Oracle Database is capable of being configured to integrate users with an enterprise-level authentication/access mechanism.

The directions are in the Oracle Database Security Guide, Section 6

https://docs.oracle.com/en/database/oracle/oracle-database/19/dbseg/database-security-guide.pdf#page=318

This section will give detailed step-by-step directions to configure authentication using PKI Certificates for centrally managed users by configuring Secure Sockets Layer in the Oracle database and integrating with LDAP.

Check Contents

If all user accounts are authenticated by the organization-level authentication/access mechanism and not by the DBMS, this is not a finding.
Review DBMS settings, OS settings, and/or enterprise-level authentication/access mechanism settings to determine whether user accounts are required to use multifactor authentication.

If user accounts are not required to use multifactor authentication, this is a finding.



If the $ORACLE_HOME/network/admin/sqlnet.ora contains entries similar to the following, TLS is enabled. (Note: This assumes that a single sqlnet.ora file, in the default location, is in use. Please see the supplemental file "Non-default sqlnet.ora configurations.pdf" for how to find multiple and/or differently located sqlnet.ora files.)

SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS)
SSL_VERSION = 1.2
SSL_CLIENT_AUTHENTICATION = TRUE
WALLET_LOCATION =
(SOURCE =
(METHOD = FILE)
(METHOD_DATA =
(DIRECTORY = /u01/app/oracle/product/12.1.0/dbhome_1/owm/wallets)
)
)

SSL_CIPHER_SUITES= (SSL_RSA_WITH_AES_256_CBC_SHA384)
ADR_BASE = /u01/app/oracle

Vulnerability Number

V-238458

Documentable

False

Rule Version

O112-C2-012900

Severity Override Guidance

If all user accounts are authenticated by the organization-level authentication/access mechanism and not by the DBMS, this is not a finding.
Review DBMS settings, OS settings, and/or enterprise-level authentication/access mechanism settings to determine whether user accounts are required to use multifactor authentication.

If user accounts are not required to use multifactor authentication, this is a finding.



If the $ORACLE_HOME/network/admin/sqlnet.ora contains entries similar to the following, TLS is enabled. (Note: This assumes that a single sqlnet.ora file, in the default location, is in use. Please see the supplemental file "Non-default sqlnet.ora configurations.pdf" for how to find multiple and/or differently located sqlnet.ora files.)

SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS)
SSL_VERSION = 1.2
SSL_CLIENT_AUTHENTICATION = TRUE
WALLET_LOCATION =
(SOURCE =
(METHOD = FILE)
(METHOD_DATA =
(DIRECTORY = /u01/app/oracle/product/12.1.0/dbhome_1/owm/wallets)
)
)

SSL_CIPHER_SUITES= (SSL_RSA_WITH_AES_256_CBC_SHA384)
ADR_BASE = /u01/app/oracle

Check Content Reference

M

Target Key

4057

Comments