STIGQter: STIG Summary: Oracle Database 11.2g Security Technical Implementation Guide

Version: 1

Release: 17

Benchmark Date: 24 Jan 2020

Name | Title
SV-66341r2_rule | DBA OS accounts must be granted only those host system privileges necessary for the administration of the DBMS.
SV-66349r1_rule | The DBMS must protect the integrity of publicly available information and applications.
SV-66351r2_rule | The DBMS must terminate user sessions upon user logout or any other organization or policy-defined session termination events, such as idle time limit exceeded.
SV-66353r2_rule | The DBMS must provide a logout functionality to allow the user to manually terminate the session.
SV-66357r3_rule | The DBMS must preserve any organization-defined system state information in the event of a system failure.
SV-66359r2_rule | The DBMS must take needed steps to protect data at rest and ensure confidentiality and integrity of application data.
SV-66361r3_rule | The DBMS must employ cryptographic mechanisms preventing the unauthorized disclosure of information at rest.
SV-66363r1_rule | The DBMS must isolate security functions from non-security functions by means of separate security domains.
SV-66365r2_rule | The DBMS must automatically terminate emergency accounts after an organization-defined time period for each type of account.
SV-66367r2_rule | The DBMS must produce audit records containing sufficient information to establish the identity of any user/subject or process associated with the event.
SV-66369r1_rule | The DBMS must employ automated mechanisms to alert security personnel of inappropriate or unusual activities with security implications.
SV-66371r2_rule | The DBMS must include organization-defined additional, more detailed information in the audit records for audit events identified by type, location, or subject.
SV-66373r1_rule | The DBMS must prevent unauthorized and unintended information transfer via shared system resources.
SV-66375r2_rule | The DBMS itself, or the logging or alerting mechanism the application utilizes, must provide a warning when allocated audit record storage volume reaches an organization-defined percentage of maximum audit record storage capacity.
SV-66377r1_rule | The DBMS must protect against or limit the effects of the organization-defined types of Denial of Service (DoS) attacks.
SV-66379r2_rule | The DBMS must provide a real-time alert when organization-defined audit failure events occur.
SV-66381r2_rule | The DBMS must check the validity of data inputs.
SV-66383r2_rule | The DBMS must alert designated organizational officials in the event of an audit processing failure.
SV-66385r1_rule | The DBMS must verify there have not been unauthorized changes to the DBMS software and information.
SV-66387r2_rule | The system must provide the capability to automatically process audit records for events of interest based upon selectable event criteria.
SV-66389r1_rule | The DBMS must identify potentially security-relevant error conditions.
SV-66391r1_rule | Attempts to bypass access controls must be audited.
SV-66393r2_rule | The DBMS must only generate error messages that provide information necessary for corrective actions without revealing organization-defined sensitive or potentially harmful information in error logs and administrative messages that could be exploited.
SV-66395r2_rule | The DBMS must protect audit information from any type of unauthorized access.
SV-66397r2_rule | The DBMS must restrict error messages, so only authorized personnel may view them.
SV-66399r1_rule | The DBMS must support taking organization-defined list of least disruptive actions to terminate suspicious events.
SV-66401r1_rule | The DBMS must protect audit information from unauthorized modification.
SV-66403r2_rule | The DBMS must notify appropriate individuals when accounts are created.
SV-66405r1_rule | The DBMS must protect audit information from unauthorized deletion.
SV-66407r2_rule | The DBMS must notify appropriate individuals when accounts are modified.
SV-66409r1_rule | The DBMS must protect audit tools from unauthorized access.
SV-66411r3_rule | The DBMS must notify appropriate individuals when account disabling actions are taken.
SV-66413r1_rule | The DBMS must protect audit tools from unauthorized modification.
SV-66415r3_rule | The DBMS must notify appropriate individuals when accounts are terminated.
SV-66417r1_rule | The DBMS must protect audit tools from unauthorized deletion.
SV-66419r3_rule | The DBMS must implement separation of duties through assigned information access authorizations.
SV-66421r1_rule | The DBMS must support the requirement to back up audit data and records onto a different system or media than the system being audited on an organization-defined frequency.
SV-66425r1_rule | The DBMS must provide an audit log reduction capability.
SV-66427r3_rule | The DBMS must protect audit data records and integrity by using cryptographic mechanisms.
SV-66429r1_rule | The DBMS must provide a report generation capability for audit reduction data.
SV-66431r2_rule | The DBMS must protect the audit records generated, as a result of remote access to privileged accounts, and the execution of privileged functions.
SV-66433r6_rule | The DBMS must restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
SV-66435r1_rule | The DBMS must support enforcement of logical access restrictions associated with changes to the DBMS configuration and to the database itself.
SV-66437r2_rule | The DBMS must manage resources to limit the effects of information flooding types of Denial of Service (DoS) incidents.
SV-66439r3_rule | Database objects must be owned by accounts authorized for ownership.
SV-66441r1_rule | The DBMS must limit the use of resources by priority and not impede the host from servicing processes designated as a higher-priority.
SV-66443r2_rule | The DBMS must support organizational requirements to employ automated patch management tools to facilitate flaw remediation to organization-defined information system components.
SV-66445r2_rule | The DBMS must enforce requirements for remote connections to the information system.
SV-66447r3_rule | Default demonstration and sample databases, database objects, and applications must be removed.
SV-66449r3_rule | Unused database components, DBMS software, and database objects must be removed.
SV-66451r3_rule | Unused database components that are integrated in the DBMS and cannot be uninstalled must be disabled.
SV-66453r4_rule | Use of external executables must be authorized.
SV-66455r1_rule | The DBMS must support the organizational requirements to specifically prohibit or restrict the use of unauthorized functions, ports, protocols, and/or services.
SV-66457r1_rule | Recovery procedures and technical system features must exist to ensure recovery is done in a secure and verifiable manner.
SV-66461r2_rule | Oracle must back up user-level information per a defined frequency.
SV-66463r1_rule | Database backup procedures must be defined, documented, and implemented.
SV-66465r1_rule | Database recovery procedures must be developed, documented, implemented, and periodically tested.
SV-66467r1_rule | DBMS backup and restoration files must be protected from unauthorized access.
SV-66469r1_rule | DBMS must conduct backups of system-level information per organization-defined frequency that is consistent with recovery time and recovery point objectives.
SV-66471r5_rule | The DBMS must use multifactor authentication for network access to privileged accounts.
SV-66473r5_rule | The DBMS must use multifactor authentication for network access to non-privileged accounts.
SV-66475r5_rule | The DBMS must use multifactor authentication for local access to privileged accounts.
SV-66479r1_rule | The DBMS must ensure users are authenticated with an individual authenticator prior to using a group authenticator.
SV-66481r5_rule | The DBMS must use organization-defined replay-resistant authentication mechanisms for network access to privileged accounts.
SV-66483r5_rule | The DBMS must use organization-defined replay-resistant authentication mechanisms for network access to non-privileged accounts.
SV-66485r2_rule | The DBMS must disable user accounts after 35 days of inactivity.
SV-66487r1_rule | The DBMS must support organizational requirements to enforce minimum password length.
SV-66489r2_rule | The DBMS must support organizational requirements to prohibit password reuse for the organization-defined number of generations.
SV-66491r1_rule | The DBMS must support organizational requirements to enforce password complexity by the number of upper-case characters used.
SV-66493r1_rule | The DBMS must support organizational requirements to enforce password complexity by the number of lower-case characters used.
SV-66495r1_rule | The DBMS must support organizational requirements to enforce password complexity by the number of numeric characters used.
SV-66497r1_rule | The DBMS must support organizational requirements to enforce password complexity by the number of special characters used.
SV-66499r2_rule | The DBMS must support organizational requirements to enforce the number of characters that get changed when passwords are changed.
SV-66501r4_rule | The DBMS must support organizational requirements to enforce password encryption for storage.
SV-66503r1_rule | Procedures for establishing temporary passwords that meet DoD password requirements for new accounts must be defined, documented, and implemented.
SV-66505r5_rule | DBMS passwords must not be stored in compiled, encoded, or encrypted batch jobs or compiled, encoded, or encrypted application source code.
SV-66507r3_rule | The DBMS must enforce password maximum lifetime restrictions.
SV-66509r5_rule | The DBMS, when utilizing PKI-based authentication, must validate certificates by constructing a certification path with status information to an accepted trust anchor.
SV-66511r4_rule | The DBMS must ensure that PKI-based authentication maps the authenticated identity to the user account.
SV-66513r3_rule | The DBMS must use NIST-validated FIPS 140-2-compliant cryptography for authentication mechanisms.
SV-66515r1_rule | The DBMS must employ cryptographic mechanisms to protect the integrity and confidentiality of non-local maintenance and diagnostic communications.
SV-66517r1_rule | The DBMS must employ strong identification and authentication techniques when establishing non-local maintenance and diagnostic sessions.
SV-66519r2_rule | Databases employed to write data to portable digital media must use cryptographic mechanisms to protect and restrict access to information on portable digital media.
SV-66521r4_rule | The DBMS must support organizational requirements to encrypt information stored in the database, and information extracted or derived from the database and stored on digital media.
SV-66523r2_rule | The DBMS must terminate the network connection associated with a communications session at the end of the session or after 15 minutes of inactivity.
SV-66525r2_rule | The DBMS must implement required cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
SV-66527r1_rule | Database data files containing sensitive information must be encrypted.
SV-66543r3_rule | Vendor-supported software must be evaluated and patched against newly found vulnerabilities.
SV-66545r2_rule | DBMS default accounts must be assigned custom passwords.
SV-66547r5_rule | The DBMS, when using PKI-based authentication, must enforce authorized access to the corresponding private key.
SV-66549r6_rule | The DBMS must employ cryptographic mechanisms preventing the unauthorized disclosure of information during transmission unless the transmitted data is otherwise protected by alternative physical measures.
SV-66553r2_rule | The DBMS must limit the number of concurrent sessions for each system account to an organization-defined number of sessions.
SV-66561r4_rule | The DBMS must ensure remote sessions that access an organization-defined list of security functions and security-relevant information are audited.
SV-66563r1_rule | The DBMS must support the disabling of network protocols deemed by the organization to be non-secure.
SV-66565r2_rule | The system must employ automated mechanisms for supporting Oracle user account management.
SV-66567r5_rule | The DBMS must provide a mechanism to automatically identify accounts designated as temporary or emergency accounts.
SV-66569r3_rule | The DBMS must provide a mechanism to automatically terminate accounts designated as temporary or emergency accounts after an organization-defined time period.
SV-66573r3_rule | The DBMS must support the requirement to automatically audit account creation.
SV-66575r2_rule | The DBMS must support the requirement to automatically audit account modification.
SV-66577r3_rule | The DBMS must automatically audit account disabling actions, to the extent such information is available.
SV-66579r2_rule | The DBMS must automatically audit account termination.
SV-66581r1_rule | The DBMS must enforce approved authorizations for logical access to the system in accordance with applicable policy.
SV-66583r1_rule | The DBMS must enforce Discretionary Access Control (DAC) policy allowing users to specify and control sharing by named individuals, groups of individuals, or by both, limiting propagation of access rights and includes or excludes access to the granularity of a single user.
SV-66585r1_rule | DBMS processes or services must run under custom, dedicated OS accounts.
SV-66587r1_rule | The DBMS must restrict grants to sensitive information to authorized user roles.
SV-66589r1_rule | A single database connection configuration file must not be used to configure all database clients.
SV-66591r1_rule | The DBMS must be protected from unauthorized access by developers.
SV-66593r1_rule | The DBMS must be protected from unauthorized access by developers on shared production/development host systems.
SV-66595r3_rule | The DBMS must restrict access to system tables and other configuration information or metadata to DBAs or other authorized users.
SV-66599r2_rule | Administrative privileges must be assigned to database accounts via database roles.
SV-66603r2_rule | Administrators must utilize a separate, distinct administrative account when performing administrative activities, accessing database security functions, or accessing security-relevant information.
SV-66605r2_rule | All use of privileged accounts must be audited.
SV-66609r2_rule | The DBA role must not be assigned excessive or unauthorized privileges.
SV-66611r2_rule | Applications must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
SV-66613r4_rule | When using command-line tools such as Oracle SQL*Plus, which can accept a plain-text password, users must use an alternative login method that does not expose the password.
SV-66615r2_rule | OS accounts utilized to run external procedures called by the DBMS must have limited privileges.
SV-66621r1_rule | DBMS default accounts must be protected from misuse.
SV-66623r3_rule | The DBMS must specify an account lockout duration that is greater than or equal to the organization-approved minimum.
SV-66625r1_rule | Disk space used by audit trail(s) must be monitored; audit records must be regularly or continuously offloaded to a centralized log management system.
SV-66641r2_rule | Use of the DBMS software installation account must be restricted.
SV-66643r2_rule | Database software, applications, and configuration files must be monitored to discover unauthorized changes.
SV-66645r1_rule | The OS must limit privileges to change the DBMS software resident within software libraries (including privileged programs).
SV-66647r2_rule | The DBMS must have the capability to limit the number of failed login attempts based upon an organization-defined number of consecutive invalid attempts occurring within an organization-defined time period.
SV-66649r1_rule | The DBMS must provide the ability to write specified audit record content to a centralized audit log repository.
SV-66651r2_rule | The DBMS, when the maximum number of unsuccessful attempts is exceeded, must automatically lock the account/node for an organization-defined time period or lock the account/node until released by an administrator IAW organizational policy.
SV-66653r1_rule | The DBMS software installation account must be restricted to authorized users.
SV-66657r1_rule | Database software directories, including DBMS configuration files, must be stored in dedicated directories, or DASD pools, separate from the host OS and other applications.
SV-66661r1_rule | The DBMS software libraries must be periodically backed up.
SV-66663r1_rule | The DBMS must have its auditing configured to reduce the likelihood of storage capacity being exceeded.
SV-66665r1_rule | The DBMS must have allocated audit record storage capacity.
SV-66667r1_rule | The DBMS must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
SV-66669r1_rule | Databases utilizing Discretionary Access Control (DAC) must enforce a policy that limits propagation of access rights.
SV-66671r1_rule | The DBMS must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).
SV-66673r1_rule | A DBMS utilizing Discretionary Access Control (DAC) must enforce a policy that includes or excludes access to the granularity of a single user.
SV-66675r1_rule | The DBMS must separate user functionality (including user interface services) from database management functionality.
SV-66677r1_rule | The DBMS must prevent the presentation of information system management-related functionality at an interface utilized by general (i.e., non-privileged) users.
SV-66679r2_rule | The DBMS must provide audit record generation capability for organization-defined auditable events within the database.
SV-66681r3_rule | The DBMS must protect against an individual using a group account from falsely denying having performed a particular action.
SV-66683r1_rule | The DBMS must allow designated organizational personnel to select which auditable events are to be audited by the database.
SV-66685r3_rule | The DBMS must generate audit records for the DoD-selected list of auditable events, to the extent such information is available.
SV-66687r2_rule | The DBMS must produce audit records containing sufficient information to establish what type of events occurred.
SV-66689r2_rule | The DBMS must produce audit records containing sufficient information to establish when (date and time) the events occurred.
SV-66691r2_rule | The DBMS must produce audit records containing sufficient information to establish where the events occurred.
SV-66693r2_rule | The DBMS must produce audit records containing sufficient information to establish the sources (origins) of the events.
SV-66695r2_rule | The DBMS must produce audit records containing sufficient information to establish the outcome (success or failure) of the events.
SV-67497r2_rule | Processes (services, applications, etc.) that connect to the DBMS independently of individual users, must use valid, current DoD-issued PKI certificates for authentication to the DBMS.
SV-68199r1_rule | Audit trail data must be retained for one year.
SV-68201r1_rule | Access to default accounts used to support replication must be restricted to authorized DBAs.
SV-68203r1_rule | Oracle instance names must not contain Oracle version numbers.
SV-68205r1_rule | Fixed user and public database links must be authorized for use.
SV-68207r3_rule | A minimum of two Oracle control files must be defined and configured to be stored on separate, archived disks (physical or virtual) or archived partitions on a RAID device.
SV-68209r1_rule | A minimum of two Oracle redo log groups/files must be defined and configured to be stored on separate, archived physical disks or archived directories on a RAID device.
SV-68211r2_rule | The Oracle WITH GRANT OPTION privilege must not be granted to non-DBA or non-Application administrator user accounts.
SV-68213r1_rule | Execute permission must be revoked from PUBLIC for restricted Oracle packages.
SV-68215r1_rule | The Oracle REMOTE_OS_AUTHENT parameter must be set to FALSE.
SV-68217r1_rule | The Oracle REMOTE_OS_ROLES parameter must be set to FALSE.
SV-68219r2_rule | The Oracle SQL92_SECURITY parameter must be set to TRUE.
SV-68221r3_rule | The Oracle password file ownership and permissions should be limited to the Oracle installation account and REMOTE_LOGIN_PASSWORDFILE parameter must be set to EXCLUSIVE or NONE.
SV-68223r3_rule | System privileges granted using the WITH ADMIN OPTION must not be granted to unauthorized user accounts.
SV-68225r1_rule | System Privileges must not be granted to PUBLIC.
SV-68227r2_rule | Oracle roles granted using the WITH ADMIN OPTION must not be granted to unauthorized accounts.
SV-68229r3_rule | Object permissions granted to PUBLIC must be restricted.
SV-68231r2_rule | The Oracle Listener must be configured to require administration authentication.
SV-68233r1_rule | Application role permissions must not be assigned to the Oracle PUBLIC role.
SV-68235r3_rule | Oracle application administration roles must be disabled if not required and authorized.
SV-68237r3_rule | Connections by mid-tier web and application systems to the Oracle DBMS from a DMZ or external network must be encrypted.
SV-68239r4_rule | Database job/batch queues must be reviewed regularly to detect unauthorized database job submissions.
SV-68241r1_rule | Unauthorized database links must not be defined and active.
SV-68243r2_rule | Sensitive information from production database exports must be modified before being imported into a development database.
SV-68245r1_rule | Application user privilege assignment must be reviewed monthly or more frequently to ensure compliance with least privilege and documented policy.
SV-68247r1_rule | Audit trail data must be reviewed daily or more frequently.
SV-68249r2_rule | Only authorized system accounts must have the SYSTEM tablespace specified as the default tablespace.
SV-68251r3_rule | Application owner accounts must have a dedicated application tablespace.
SV-68253r1_rule | The directories assigned to the LOG_ARCHIVE_DEST* parameters must be protected from unauthorized access.
SV-68255r1_rule | The Oracle _TRACE_FILES_PUBLIC parameter if present must be set to FALSE.
SV-68257r3_rule | Application object owner accounts must be disabled when not performing installation or maintenance actions.
SV-68259r1_rule | DBMS production application and data directories must be protected from developers on shared production/development DBMS host systems.
SV-68261r1_rule | Use of the DBMS installation account must be logged.
SV-68263r1_rule | Remote administrative access to the database must be monitored by the IAO or IAM.
SV-68265r1_rule | The database must not be directly accessible from public or unauthorized networks.
SV-68267r1_rule | The IAM must review changes to DBA role assignments.
SV-68269r1_rule | Plans and procedures for testing DBMS installations, upgrades and patches must be defined and followed prior to production implementation.
SV-68271r1_rule | Procedures and restrictions for import of production data to development databases must be documented, implemented, and followed.
SV-68273r1_rule | Sensitive data stored in the database must be identified in the System Security Plan and AIS Functional Architecture documentation.
SV-68279r1_rule | Credentials stored and used by the DBMS to access remote databases or applications must be authorized and restricted to authorized users.
SV-68281r1_rule | The DBMS must not share a host supporting an independent security service.
SV-68283r1_rule | Access to DBMS software files and directories must not be granted to unauthorized users.
SV-68285r1_rule | Replication accounts must not be granted DBA privileges.
SV-68287r2_rule | Network access to the DBMS must be restricted to authorized personnel.
SV-68291r1_rule | Changes to configuration options must be audited.
SV-68295r3_rule | Remote DBMS administration must be documented and authorized or disabled.
SV-68307r2_rule | DBMS symmetric keys must be protected in accordance with NSA- or NIST-approved key management technology or processes.
SV-68309r3_rule | Changes to DBMS security labels must be audited.
SV-68311r1_rule | Remote database or other external access must use fully-qualified names.
SV-68313r2_rule | The /diag subdirectory under the directory assigned to the DIAGNOSTIC_DEST parameter must be protected from unauthorized access.
SV-68315r1_rule | Remote administration must be disabled for the Oracle connection manager.
SV-68317r4_rule | The SQLNet SQLNET.ALLOWED_LOGON_VERSION parameter must be set to a value of 12 or higher.
SV-68319r1_rule | The DBMS host platform and other dependent applications must be configured in compliance with applicable STIG requirements.
SV-72025r3_rule | The directory assigned to the AUDIT_FILE_DEST parameter must be protected from unauthorized access and must be stored in a dedicated directory or disk partition separate from software or other application files.
SV-74285r1_rule | Owners of privileged accounts must use non-privileged accounts for non-administrative activities.
SV-74571r2_rule | Access to external executables must be disabled or restricted.
SV-83465r1_rule | Logic modules within the database (to include packages, procedures, functions and triggers) must be monitored to discover unauthorized changes.
SV-89705r3_rule | The DBMS must use multifactor authentication for local access to non-privileged accounts.
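The SQL below is an added example and is not part of the STIG or of STIGQter. It turns the parameter and privilege rules SV-68211, SV-68213, SV-68215, SV-68217, SV-68219, SV-68221, SV-68223, SV-68225, SV-68227 and SV-68255 into queries a DBA can run in SQL*Plus against an Oracle 11.2 instance. The restricted-package list, the built-in grantees that are excluded, and the "non-DBA" filter are illustrative assumptions rather than the STIG's own check lists; SQLNET.ALLOWED_LOGON_VERSION (SV-68317) is a sqlnet.ora setting and is not visible through V$PARAMETER, so it is not covered here.

```sql
-- Added example (not from the STIG or STIGQter). Run as a DBA in SQL*Plus.
-- Package list, excluded grantees and the "non-DBA" filter are assumptions.

-- SV-68215, SV-68217, SV-68219, SV-68221, SV-68255: initialization parameters.
-- Hidden parameters such as _trace_files_public appear in V$PARAMETER only when
-- they have been explicitly set, which matches the rule's "if present" wording.
SELECT name, value,
       CASE
         WHEN name IN ('remote_os_authent', 'remote_os_roles', '_trace_files_public')
              AND UPPER(value) = 'FALSE' THEN 'OK'
         WHEN name = 'sql92_security' AND UPPER(value) = 'TRUE' THEN 'OK'
         WHEN name = 'remote_login_passwordfile'
              AND UPPER(value) IN ('EXCLUSIVE', 'NONE') THEN 'OK'
         ELSE 'FINDING'
       END AS status
  FROM v$parameter
 WHERE name IN ('remote_os_authent', 'remote_os_roles', 'sql92_security',
                'remote_login_passwordfile', '_trace_files_public')
 ORDER BY name;

-- SV-68225: any row returned is a finding (no system privilege may go to PUBLIC).
SELECT privilege, admin_option
  FROM dba_sys_privs
 WHERE grantee = 'PUBLIC';

-- SV-68213: EXECUTE on restricted SYS packages still held by PUBLIC.
-- The package list is an illustrative subset; substitute the approved list.
SELECT table_name AS package_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND owner = 'SYS'
   AND privilege = 'EXECUTE'
   AND table_name IN ('UTL_FILE', 'UTL_HTTP', 'UTL_SMTP', 'UTL_TCP',
                      'DBMS_JAVA', 'DBMS_LOB', 'DBMS_RANDOM', 'DBMS_SQL',
                      'DBMS_SCHEDULER', 'DBMS_JOB');

-- SV-68223, SV-68227: WITH ADMIN OPTION grants. SYS, SYSTEM and the DBA role are
-- excluded as an assumption; other Oracle-supplied roles still appear and must be
-- compared against the documented authorizations.
SELECT 'SYS PRIV' AS grant_type, grantee, privilege AS granted
  FROM dba_sys_privs
 WHERE admin_option = 'YES'
   AND grantee NOT IN ('SYS', 'SYSTEM', 'DBA')
UNION ALL
SELECT 'ROLE', grantee, granted_role
  FROM dba_role_privs
 WHERE admin_option = 'YES'
   AND grantee NOT IN ('SYS', 'SYSTEM', 'DBA')
 ORDER BY 1, 2, 3;

-- SV-68211: object privileges held WITH GRANT OPTION by accounts that are not
-- DBAs. "Non-DBA" is approximated as "not directly granted the DBA role";
-- authorized application-administrator accounts must be whitelisted by hand.
SELECT tp.grantee, tp.owner, tp.table_name, tp.privilege
  FROM dba_tab_privs tp
 WHERE tp.grantable = 'YES'
   AND tp.grantee NOT IN ('SYS', 'SYSTEM')
   AND NOT EXISTS (SELECT 1
                     FROM dba_role_privs rp
                    WHERE rp.grantee = tp.grantee
                      AND rp.granted_role = 'DBA')
 ORDER BY tp.grantee, tp.owner, tp.table_name;
```

Each query is written so that an empty result set (or a status of OK in the first query) means the rule passes; anything returned is a candidate finding to reconcile with the site's documented authorizations before recording it in the checklist.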