STIGQter: STIG Summary: Oracle Database 11g Instance STIG Version: 8 Release: 20 Benchmark Date: 28 Jul 2017: DBMS symmetric keys should be protected in accordance with NSA or NIST-approved key management technology or processes.

DISA Rule

SV-24817r1_rule

Vulnerability Number

V-15654

Group Title

DBMS symmetric key management

Rule Version

DG0165-ORACLE11

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Symmetric and other encryption keys require the following:
- protection from unauthorized access in transit and in storage
- utilization of accepted algorithms
- generation in accordance with required standards for the key's use
- expiration date
- continuity - key backup and recovery
- key change
- archival key storage (as necessary)

Details for key management requirements are provided by FIPS 140-2 key management standards available from NIST.

Oracle Advanced Security is required to provide symmetric key management features.

Check Contents

If symmetric keys are present and Oracle Advanced Security is not installed and operational on the DBMS host, this is a Finding.

If the symmetric key management procedures and configuration settings for the DBMS are not specified in the System Security Plan, this is a Finding.

If the procedures are not followed with evidence for audit, this is a Finding.

NOTE: This check does not include a review of the key management procedures for validity. Specific key management requirements may be covered under separate checks.

Vulnerability Number

V-15654

Documentable

False

Rule Version

DG0165-ORACLE11

Severity Override Guidance

If symmetric keys are present and Oracle Advanced Security is not installed and operational on the DBMS host, this is a Finding.

If the symmetric key management procedures and configuration settings for the DBMS are not specified in the System Security Plan, this is a Finding.

If the procedures are not followed with evidence for audit, this is a Finding.

NOTE: This check does not include a review of the key management procedures for validity. Specific key management requirements may be covered under separate checks.

Check Content Reference

I

Responsibility

Database Administrator

Target Key

1367

Comments