STIGQter: STIG Summary: Oracle Database 11g Installation STIG, Version 8, Release 20, Benchmark Date: 28 Jul 2017

DBMS cryptography must be NIST FIPS 140-2 validated.

DISA Rule

SV-55867r1_rule

Vulnerability Number

V-43137

Group Title

DBMS encryption compliance

Rule Version

DG0025-ORACLE11

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Obtain and use a native or third-party NIST FIPS 140-2 validated cryptography solution for the DBMS.

Installation of the Oracle Advanced Security option (which may require additional Oracle licensing) is required to use native Oracle encryption.

See the Oracle Advanced Security Administrator's Guide for configuration and use of encryption in the database; it describes the encryption features that Oracle Advanced Security provides.

Instructions for configuring FIPS 140-2 compliance for encryption of network communications are provided in a dedicated appendix of the Oracle Advanced Security Administrator's Guide.

The cipher suites enumerated in the check content below include FIPS 140-2 validated algorithms available for data encryption.

Transparent Data Encryption of data stored within the database is available at the column level in Oracle 10.2 and later and at the tablespace level in Oracle 11.1 and later. See Data Encryption and Integrity in the Oracle Advanced Security Administrator's Guide for configuration details.

Note: FIPS 140-2 compliance or non-compliance for the host and network is outside the purview of the Database STIG. FIPS 140-2 non-compliance at the host/network level does not negate this requirement.

Check Contents

Verify organizational requirements for encryption based on the system's data classification. If DBMS encryption is not required, this check is not a finding.

If DBMS encryption is required and cryptography is either not being used or is not NIST FIPS 140-2 certified, this is a Finding.

Maintain a copy of the FIPS 140-2 Validation Certificate for the cryptographic modules in use as proof of certification.

Detailed information on the NIST Cryptographic Module Validation Program (CMVP) is available at the following website:

http://csrc.nist.gov/groups/STM/cmvp/index.html

--

Review the DBMS documentation to determine where cryptography may be used and/or configured.

Review network communication encryption options, data object encryption (both tables and application code objects), and encryption key management.

For UNIX systems:
$ORACLE_HOME/OPatch/opatch lsinventory -detail | grep "Oracle Advanced Security"

For Windows systems:
%ORACLE_HOME%\OPatch\opatch lsinventory -detail | find "Oracle Advanced Security"

If DBMS data/network encryption is required and Oracle Advanced Security is not installed, this is a Finding.

View the SQLNET.ORA file.

If SQLNET.SSLFIPS_140 = TRUE is not set, this is a Finding.

If SSL_CIPHER_SUITES is not defined, this is a Finding.

If any cipher suite in the SSL_CIPHER_SUITES value is not included in the cipher suite list below, or the suites are not in the order given there, this is a Finding.

FIPS 140-2 validated cipher suites for the Oracle SSL libraries, in order from strongest to weakest:

SSL_RSA_WITH_AES_256_CBC_SHA
SSL_RSA_WITH_AES_128_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_DES_CBC_SHA
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
SSL_DH_anon_WITH_RC4_128_MD5
SSL_DH_anon_WITH_DES_CBC_SHA

Note that the RC4, single-DES and MD5 suites on this list rely on algorithms that are not FIPS-approved, and the SSL_DH_anon suites provide no server authentication. Where the clients support it, restrict SSL_CIPHER_SUITES to the SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA and SSL_RSA_WITH_3DES_EDE_CBC_SHA suites.

Detailed information on the FIPS 140-2 standard is available at the following website:

http://csrc.nist.gov/groups/SMA/index.html
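The sqlnet.ora portion of this check (the FIPS flag, SSL_CIPHER_SUITES defined, every suite on the list and in the list's order) can be scripted. The following is an added example and not part of the STIG or of STIGQter: a POSIX shell audit that parses a sqlnet.ora file and prints one FINDING line per failed condition. The function names and the two constructed sample files are assumptions made here; the list it checks against is the one given above, so it also emits a WARNING for listed suites that use RC4, DES, MD5 or anonymous DH. The opatch inventory check for Oracle Advanced Security is not covered.

```shell
#!/bin/sh
# Added example (not from the STIG or STIGQter): audit the sqlnet.ora part of
# check DG0025-ORACLE11. Function names and the two sample files are
# assumptions constructed here; the opatch check for Oracle Advanced Security
# is done separately.

# The check's list, strongest to weakest; position in the list is the rank.
FIPS_SUITES="SSL_RSA_WITH_AES_256_CBC_SHA SSL_RSA_WITH_AES_128_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA SSL_RSA_WITH_RC4_128_SHA SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_DES_CBC_SHA SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
SSL_DH_anon_WITH_RC4_128_MD5 SSL_DH_anon_WITH_DES_CBC_SHA"

# sqlnet_param FILE NAME: print NAME's value (name match is case-insensitive,
# '#' comments and blanks stripped, a parenthesised list may span lines).
sqlnet_param() {
    awk -v name="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        function strip(s) { sub(/#.*/, "", s); gsub(/[ \t\r]/, "", s); return s }
        collecting { part = strip($0); val = val part
                     if (index(val, ")")) { print val; exit }; next }
        {
            line = $0; sub(/#.*/, "", line); eq = index(line, "=")
            if (eq == 0) next
            key = strip(substr(line, 1, eq - 1))
            if (tolower(key) != name) next
            val = strip(substr(line, eq + 1))
            if (index(val, "(") && !index(val, ")")) { collecting = 1; next }
            print val; exit
        }' "$1"
}

# suite_rank SUITE: print 1..9 for a suite on the check's list, 0 otherwise.
suite_rank() {
    i=0
    for known in $FIPS_SUITES; do
        i=$((i + 1))
        [ "$known" = "$1" ] && { echo "$i"; return 0; }
    done
    echo 0
}

# audit_sqlnet FILE: one FINDING line per failed condition of the check;
# WARNING lines flag listed suites a practitioner should still avoid.
audit_sqlnet() {
    fips=$(sqlnet_param "$1" SQLNET.SSLFIPS_140 | tr 'a-z' 'A-Z')
    [ "$fips" = "TRUE" ] || echo "FINDING: SQLNET.SSLFIPS_140 = TRUE is not set"
    suites=$(sqlnet_param "$1" SSL_CIPHER_SUITES | tr -d '()' | tr ',' ' ')
    if [ -z "$suites" ]; then
        echo "FINDING: SSL_CIPHER_SUITES is not defined"; return 0
    fi
    last=0
    for s in $suites; do
        rank=$(suite_rank "$s")
        if [ "$rank" -eq 0 ]; then
            echo "FINDING: $s is not on the FIPS 140-2 cipher suite list"
        elif [ "$rank" -lt "$last" ]; then
            echo "FINDING: $s is out of strongest-to-weakest order"
        else
            last=$rank
            if [ "$rank" -gt 3 ]; then
                echo "WARNING: $s is listed but uses RC4, DES, MD5 or anonymous DH"
            fi
        fi
    done
    return 0
}

# finding_count FILE: number of FINDING lines audit_sqlnet reports.
finding_count() { audit_sqlnet "$1" | grep -c '^FINDING' || true; }

# Constructed samples: a non-compliant sqlnet.ora and the corrected one.
write_weak_sqlnet() {
    cat > "$1" <<'EOF'
# constructed sample: no FIPS flag, suites out of order, an unlisted suite
SQLNET.EXPIRE_TIME = 10
SSL_CIPHER_SUITES = (SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5)
EOF
}
write_fips_sqlnet() {
    cat > "$1" <<'EOF'
# constructed sample: the corrected settings for this check
SQLNET.SSLFIPS_140 = TRUE
SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA,
                     SSL_RSA_WITH_AES_128_CBC_SHA,
                     SSL_RSA_WITH_3DES_EDE_CBC_SHA)
EOF
}

demo() {
    dir=$(mktemp -d)
    write_weak_sqlnet "$dir/weak.ora"; write_fips_sqlnet "$dir/fips.ora"
    for f in "$dir/weak.ora" "$dir/fips.ora"; do
        echo "== $f"; audit_sqlnet "$f"; echo "findings: $(finding_count "$f")"
    done
    rm -rf "$dir"
}

case "${1:-}" in
    "")     ;;                                   # sourced: define functions only
    --demo) demo ;;
    *)      audit_sqlnet "$1"; echo "findings: $(finding_count "$1")" ;;
esac
```

Run it as `sh audit_sqlnet.sh $ORACLE_HOME/network/admin/sqlnet.ora` against a real file, or with `--demo` to see the constructed non-compliant sample produce three findings (no FIPS flag, AES-256 listed after RC4, an unlisted export suite) and the corrected sample produce none. The order test is deliberately strict, as the check text is: a suite may appear anywhere on the list, but suites must not be listed weaker-before-stronger.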

Documentable

False

Severity Override Guidance

Check Content Reference

M

Responsibility

Database Administrator

Target Key

1368

Comments