STIGQter: STIG Summary: Oracle Database 11g Instance STIG, Version 8, Release 20, Benchmark Date 28 Jul 2017: Asymmetric keys should use DoD PKI certificates and be protected in accordance with NIST (unclassified data) or NSA (classified data) approved key management and processes.

DISA Rule

SV-24819r1_rule

Vulnerability Number

V-15142

Group Title

DBMS asymmetric key management

Rule Version

DG0166-ORACLE11

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Use DoD code-signing certificates to create the asymmetric keys, stored in the database, that are used to encrypt sensitive data held in the database.

Assign the application object owner account as the owner of asymmetric keys used by the application.

Create audit events for access to the key by other than the application owner account or approved application objects.

Revoke any privileges assigned to the asymmetric key to other than the application object owner account and authorized users.

Protect the private key by encrypting it with the database system master key where available.

Where available, store encryption keys and certificates on hardware security modules (HSM).

Oracle Advanced Security is required to provide asymmetric key management features.

Check Contents

If asymmetric keys are present and Oracle Advanced Security is not installed and operational on the DBMS host, this is a Finding.

For each asymmetric key identified as being used to encrypt sensitive data, verify the key owner is an application object owner or other non-DBA account.

If the key owner listed is a DBA, this is a Finding.

If any key owner is not the application object owner account or an account specific to the application as documented in the System Security Plan, this is a Finding.

If any asymmetric key exists in the database whose private key is not encrypted, this is a Finding.

Review the access permissions to asymmetric keys.

Verify that any permission granted is authorized in the System Security Plan for access to the key.

Examine evidence that an audit record is created whenever the asymmetric key is accessed by other than authorized users. In particular, view evidence that access by a DBA or other system privileged account results in the generation of an audit record.

This is required because system privileges that allow access to encryption keys may be used to access sensitive data for which the privileged user has no job-function need-to-know.

If an audit record is not generated for unauthorized access to the asymmetric key, this is a Finding.

Severity Override Guidance


Check Content Reference

M

Responsibility

Database Administrator

Target Key

1367

Comments