STIGQter STIGQter: STIG Summary: Oracle Database 11g Installation STIG Version: 8 Release: 20 Benchmark Date: 28 Jul 2017: Remote adminstrative connections to the database should be encrypted.

DISA Rule

SV-24687r1_rule

Vulnerability Number

V-3825

Group Title

Remote administrative connection encryption

Rule Version

DG0093-ORACLE11

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Where remote access to DBA accounts is not allowed, develop, document and implement policies and train DBAs that remote access to DBA accounts is prohibited.

Where remote access to DBA accounts is allowed, the remote connection must be encrypted.

Ensure unclassified, sensitive data transmitted through a commercial or wireless network are encrypted using NIST-certified cryptography.

If remote access is established via the database listener, then install a dedicated listener configured to encrypt all traffic for use by DBAs for remote access.

This requires use of Oracle Advanced Security and Oracle Wallet Manager.

See the Oracle Advanced Security Guide, Configuring Network Data Encryption and Integrity for Oracle Servers and Clients for details.

Configure the listener to require SSL for the DBA connections by specifying the TCPS as the network protocol.

Sample listener.ora entries:

DBALSNR =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCPS) (HOST = [IP]) (PORT = 1575))
(CONNECT_DATA =
(SERVER = DEDICATED)
(SERVICE_NAME = [SID])
)
)

Configure the server's FIPS.ORA file to use FIPS 140-2 compliant settings to encrypt the traffic and ensure integrity of the transmission.

In the FIPS.ORA file in the $ORACLE_HOME/ldap/admin directory or the directory specified in the FIPS_HOME environment variable for the dedicated listener on the server, add the following line:

SSLFIPS_140=TRUE

Monitor the listener log files for evidence of any unencrypted remote access to DBA accounts.

Check Contents

Ask the DBA if the DBMS is accessed remotely for administration purposes.

If it is not, this check is Not a Finding.

If it is, ask the DBA if the remote access to DBA accounts is made using remote access to the DBMS host or made directly to the database from a remote database client.

If administration is performed using remote access to the DBMS host, review policy and procedures documented or noted in the System Security Plan, along with evidence that remote administration of the DBMS is performed only via an encrypted connection protocol such as SSH or IPSec.

If it is not, this is a Finding.

If administration is performed from a remote database client, confirm that a dedicated database listener that encrypts communications exists for remote administrative communications.

If a DBMS listener that encrypts traffic is not configured, this is a Finding.

If any listeners on the DBMS host are configured to accept unencrypted traffic, review documented policy, procedures and evidence of training DBAs not to use the unencrypted listener for remote access to DBA accounts.

If no such policy exists or the DBAs have not been instructed not to use the unencrypted connections, this is a Finding.

Note: Out-Of-Band (OOB) is allowed for remote administration, however, OOB alone does not maintain encryption of network traffic from source to destination and is a Finding for this check.

Ensure unclassified, sensitive data transmitted through a commercial or wireless network are encrypted using NIST-certified cryptography.

Vulnerability Number

V-3825

Documentable

False

Rule Version

DG0093-ORACLE11

Severity Override Guidance

Ask the DBA if the DBMS is accessed remotely for administration purposes.

If it is not, this check is Not a Finding.

If it is, ask the DBA if the remote access to DBA accounts is made using remote access to the DBMS host or made directly to the database from a remote database client.

If administration is performed using remote access to the DBMS host, review policy and procedures documented or noted in the System Security Plan, along with evidence that remote administration of the DBMS is performed only via an encrypted connection protocol such as SSH or IPSec.

If it is not, this is a Finding.

If administration is performed from a remote database client, confirm that a dedicated database listener that encrypts communications exists for remote administrative communications.

If a DBMS listener that encrypts traffic is not configured, this is a Finding.

If any listeners on the DBMS host are configured to accept unencrypted traffic, review documented policy, procedures and evidence of training DBAs not to use the unencrypted listener for remote access to DBA accounts.

If no such policy exists or the DBAs have not been instructed not to use the unencrypted connections, this is a Finding.

Note: Out-Of-Band (OOB) is allowed for remote administration, however, OOB alone does not maintain encryption of network traffic from source to destination and is a Finding for this check.

Ensure unclassified, sensitive data transmitted through a commercial or wireless network are encrypted using NIST-certified cryptography.

Check Content Reference

I

Responsibility

Database Administrator

Target Key

1368

Comments