STIGQter: STIG Summary: Oracle Database 12c Security Technical Implementation Guide Version: 1 Release: 16 Benchmark Date: 24 Jan 2020: The DBMS must use multifactor authentication for network access to non-privileged accounts.

DISA Rule

SV-76195r3_rule

Vulnerability Number

V-61705

Group Title

SRG-APP-000150-DB-000105

Rule Version

O121-C2-013000

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure DBMS, OS and/or enterprise-level authentication/access mechanism to require multifactor authentication for network users logging on to non-privileged accounts.

If appropriate, enable support for Transport Layer Security (TLS) protocols and multifactor authentication through the use of Smart Cards (CAC/PIV).

Check Contents

Review DBMS settings, OS settings, and/or enterprise-level authentication/access mechanism settings to determine whether users logging on to non-privileged accounts via a network are required to use multifactor authentication.

If users logging on to non-privileged accounts via a network are not required to use multifactor authentication, this is a finding.

Use authentication to prove the identities of users who are attempting to log on to the database. Authenticating user identity is imperative in distributed environments, without which there can be little confidence in network security. Passwords are the most common means of authentication. Oracle Database enables strong authentication with Oracle authentication adapters that support various third-party authentication services, including TLS with digital certificates.

If the $ORACLE_HOME/network/admin/sqlnet.ora contains entries similar to the following, TLS is enabled.
(Note: This assumes that a single sqlnet.ora file, in the default location, is in use. Please see the supplemental file "Non-default sqlnet.ora configurations.pdf" for how to find multiple and/or differently located sqlnet.ora files.)

SQLNET.AUTHENTICATION_SERVICES = (BEQ, TCPS)
SSL_VERSION = 1.2
SSL_CLIENT_AUTHENTICATION = TRUE
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /u01/app/oracle/product/12.1.0/dbhome_1/owm/wallets)
    )
  )

SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA384)
ADR_BASE = /u01/app/oracle
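
The sqlnet.ora review described above can be scripted. The following is an added example, not part of the STIG or of any Oracle tooling: it parses a sqlnet.ora (including multi-line parameters such as WALLET_LOCATION) and reports the TLS indicators named in the check. The function names and the sample text are constructed for illustration, and a positive result shows only that TLS entries are present, not that multifactor authentication is enforced for every account.

```python
import re

# Constructed sample input, modelled on the entries shown in the check text.
SAMPLE = """\
# constructed sample sqlnet.ora
SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS)
SSL_VERSION = 1.2
SSL_CLIENT_AUTHENTICATION = TRUE
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /u01/app/oracle/product/12.1.0/dbhome_1/owm/wallets)
    )
  )
"""

def parse_sqlnet(text):
    """Return {PARAM: value}; lines not starting with NAME= continue the previous one."""
    params, name = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank line or comment
        m = re.match(r"([A-Za-z][\w.]*)\s*=\s*(.*)", raw.rstrip())
        if m:  # a new parameter begins in column one
            name = m.group(1).upper()
            params[name] = m.group(2).strip()
        elif name:  # indented or parenthesised continuation line
            params[name] += " " + raw.strip()
    return params

def tls_indicators(text):
    """Report the TLS-related settings the check text looks for."""
    p = parse_sqlnet(text)
    raw_services = p.get("SQLNET.AUTHENTICATION_SERVICES", "").strip("() ")
    services = {s.strip().upper() for s in raw_services.split(",")}
    wallet = re.search(r"DIRECTORY\s*=\s*([^)\s]+)",
                       p.get("WALLET_LOCATION", ""), re.I)
    return {
        "tcps_auth_service": "TCPS" in services,
        "client_cert_required":
            p.get("SSL_CLIENT_AUTHENTICATION", "").upper() == "TRUE",
        "ssl_version": p.get("SSL_VERSION") or None,
        "wallet_directory": wallet.group(1) if wallet else None,
    }

if __name__ == "__main__":
    for key, value in tls_indicators(SAMPLE).items():
        print(f"{key}: {value}")
```

Any indicator that comes back False or None marks a setting to examine manually against the check text.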

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

2679
