STIGQter: STIG Summary: Oracle Database 11g Installation STIG, Version: 8, Release: 20, Benchmark Date: 28 Jul 2017

Remote administration of the DBMS should be restricted to known, dedicated and encrypted network addresses and ports.

DISA Rule

SV-24844r1_rule

Vulnerability Number

V-15662

Group Title

DBMS remote administration encryption

Rule Version

DG0198-ORACLE11

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Disable remote administration where it is not required.

Consider restricting administrative access to local connections only.

Where necessary, configure the DBMS network communications to provide an encrypted, dedicated port for remote administration access.

Develop and provide procedures for remote administrative access to DBAs that have been authorized for remote administration.

Verify during audit reviews that DBAs do not access the database remotely except through the dedicated and encrypted port.

Check Contents

Ask the DBA if the DBMS is accessed remotely for administration purposes. If it is not, this check is Not a Finding.

Check DG0093 specifies remote administration encryption for confidentiality.

This check should confirm the use of dedicated and encrypted network addresses and ports.

Review configured network access interfaces for remote DBMS administration.

These may be host-based encryption such as IPSec, or may be configured for the DBMS as part of its network communications and/or in the DBMS listening process.

For DBMS listeners, verify that encrypted ports exist and are restricted to specific network addresses to access the DBMS.

View the System Security Plan to review the authorized procedures and access for remote administration.

If the configuration does not match the specifications in the System Security Plan, this is a Finding.

Note: Out-Of-Band (OOB) is allowed for remote administration; however, OOB alone does not maintain encryption of network traffic from source to destination and is a Finding for this check.
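As an added illustration (not part of the STIG text and not a DISA-supplied configuration), this is one way the dedicated, encrypted, address-restricted listener endpoint described in the fix and check above can be expressed in Oracle Net configuration on the database host; the listener name, interface address, port, wallet directory and invited addresses are constructed placeholders.

```text
# listener.ora on the database host (added example; addresses and paths are placeholders)
# A separate listener bound only to the management interface, serving TLS (TCPS)
# on its own port, so administrative traffic never shares the application endpoint.
ADMIN_LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = 10.0.5.2)(PORT = 2484))
    )
  )

# Server wallet holding the listener's certificate; also require the DBA client
# to present a certificate so the encrypted port is not usable anonymously.
SSL_CLIENT_AUTHENTICATION = TRUE
WALLET_LOCATION =
  (SOURCE = (METHOD = FILE)(METHOD_DATA = (DIRECTORY = /opt/oracle/wallet)))

# sqlnet.ora on the database host
# Valid-node checking restricts which source addresses the listener accepts:
# only the enumerated administrative workstations, everything else is refused.
TCP.VALIDNODE_CHECKING = YES
TCP.INVITED_NODES = (10.0.5.10, 10.0.5.11)

# Same wallet settings so the server side of the TLS handshake finds its certificate.
SSL_CLIENT_AUTHENTICATION = TRUE
WALLET_LOCATION =
  (SOURCE = (METHOD = FILE)(METHOD_DATA = (DIRECTORY = /opt/oracle/wallet)))
```

Valid-node checking in sqlnet.ora is host-wide and therefore also governs the application listener, so if application clients cannot be enumerated, run the administrative listener from its own TNS_ADMIN directory with its own sqlnet.ora. For the audit review the check calls for, lsnrctl status ADMIN_LISTENER lists the TCPS endpoint and its bound address.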

Severity Override Guidance

Check Content Reference

I

Responsibility

Database Administrator

Target Key

1368

Comments