STIGQter: STIG Summary: Oracle Database 11g Installation STIG, Version 8, Release 20, Benchmark Date: 28 Jul 2017

The DBMS should be periodically tested for vulnerability management and IA compliance.

DISA Rule

SV-24678r1_rule

Vulnerability Number

V-15112

Group Title

DBMS vulnerability mgmt and IA compliance testing

Rule Version

DG0088-ORACLE11

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

Develop, document and implement procedures for periodic testing of the DBMS for current vulnerability management and security configuration compliance as stated in the check.

Coordinate 3rd-party validation testing for Classified systems.

Check Contents

Review procedures and evidence of implementation for DBMS IA and vulnerability management compliance.

This should include periodic, unannounced, in-depth monitoring and should provide for specific penetration testing, so as to ensure that compliance with all vulnerability mitigation procedures (such as the DoD IAVA or other DoD IA practices) is planned, scheduled and conducted.

Testing is intended to ensure that the system's IA capabilities continue to provide adequate assurance against constantly evolving threats and vulnerabilities.

The results for Classified systems are required to be independently validated.

If the requirements listed above are not being met, this is a Finding.

Vulnerability Number

V-15112

Documentable

False

Rule Version

DG0088-ORACLE11

Severity Override Guidance

Review procedures and evidence of implementation for DBMS IA and vulnerability management compliance.

This should include periodic, unannounced, in-depth monitoring and should provide for specific penetration testing, so as to ensure that compliance with all vulnerability mitigation procedures (such as the DoD IAVA or other DoD IA practices) is planned, scheduled and conducted.

Testing is intended to ensure that the system's IA capabilities continue to provide adequate assurance against constantly evolving threats and vulnerabilities.

The results for Classified systems are required to be independently validated.

If the requirements listed above are not being met, this is a Finding.

Check Content Reference

I

Responsibility

Information Assurance Officer

Target Key

1368

Comments