STIGQter: STIG Summary: Oracle Database 11g Instance STIG Version: 8 Release: 20 Benchmark Date: 28 Jul 2017:

DBMS authentication should require use of a DoD PKI certificate.

DISA Rule

SV-25026r1_rule

Vulnerability Number

V-3810

Group Title

DBMS PKI authentication

Rule Version

DG0065-ORACLE11

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Implement PKI authentication for all accounts defined within the database where applicable.

Applications may use host system (server) certificates to authenticate.

For MAC 3 systems, use of the DoD PKI Class 3 certificate and hardware security token (when available) at minimum is required.

For MAC 1 and 2 systems, use of the DoD PKI Class 3 or 4 certificate and hardware security token (when available) or an NSA-certified product at minimum is required.

Check Contents

If user access to the DBMS is via a portal or mid-tier system or product and PKI-authentication occurs at the portal/mid-tier, this check is Not a Finding.

Review the list of all DBMS accounts and their authentication methods.

This list is usually available from a system view or table and is easily gained from a simple SQL query.

If any accounts are listed with an authentication method other than a PKI certificate, this is a Finding.

For MAC 3 systems, if identification and authentication is not accomplished using the DoD PKI Class 3 certificate and hardware security token (when available) at minimum, this is a Finding.

For MAC 1 and 2 systems, if identification and authentication is not accomplished using the DoD PKI Class 3 or 4 certificate and hardware security token (when available) or an NSA-certified product at minimum, this is a Finding.
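The "simple SQL query" the check refers to, as an added example that is not part of the STIG text: it lists every Oracle 11g account with its authentication method from DBA_USERS and flags the ones a reviewer must treat as a Finding or look at more closely. It assumes a session with SELECT on DBA_USERS; the assessment labels in the CASE expression are the example's own, not STIG-defined values.

```sql
-- Added example (not from the STIG): enumerate Oracle 11g accounts by
-- authentication method for the DG0065-ORACLE11 review.
-- DBA_USERS.AUTHENTICATION_TYPE is PASSWORD, EXTERNAL, GLOBAL or NONE.
-- Certificate (SSL) authenticated users are created with
--   IDENTIFIED EXTERNALLY AS '<certificate DN>'   -> EXTERNAL
--   IDENTIFIED GLOBALLY AS '<directory DN>'       -> GLOBAL
-- so EXTERNAL by itself does not prove PKI: OS-authenticated accounts are
-- EXTERNAL too, with no DN recorded. EXTERNAL_NAME exposes the stored DN.
SELECT u.username,
       u.account_status,
       u.authentication_type,
       u.external_name,
       CASE
         WHEN u.authentication_type = 'PASSWORD'
           THEN 'FINDING: password authentication'
         WHEN u.authentication_type = 'EXTERNAL' AND u.external_name IS NULL
           THEN 'REVIEW: external with no DN (likely OS authentication)'
         WHEN u.authentication_type IN ('EXTERNAL', 'GLOBAL')
           THEN 'REVIEW: confirm DN maps to a DoD PKI certificate'
         WHEN u.authentication_type = 'NONE'
           THEN 'OK: account cannot log in directly'
         ELSE 'REVIEW: unexpected authentication type'
       END AS assessment
FROM   dba_users u
ORDER  BY u.authentication_type, u.username;
```

Any row marked FINDING, other than an account the site has documented as not applicable under the Fix Recommendation, is the evidence for this check. The query shows how each account is defined; whether the listener actually enforces SSL (TCPS) and hardware-token certificates is confirmed separately in the network and wallet configuration.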

Documentable

False

Severity Override Guidance

Check Content Reference

I

Responsibility

Information Assurance Officer

Target Key

1367

Comments