STIGQter STIGQter: STIG Summary: Oracle Database 11g Installation STIG

Version: 8

Release: 20 Benchmark Date: 28 Jul 2017

CheckedNameTitle
SV-24597r1_ruleDatabase executable and configuration files should be monitored for unauthorized modifications.
SV-24374r2_ruleThe DBMS software installation account should be restricted to authorized users.
SV-24383r1_ruleDatabase software, applications and configuration files should be monitored to discover unauthorized changes.
SV-24934r1_ruleThe Oracle Listener should be configured to require administration authentication.
SV-24946r1_ruleOracle SQLNet and listener log files should not be accessible to unauthorized users.
SV-24537r3_ruleConnections by mid-tier web and application systems to the Oracle DBMS should be protected, encrypted and authenticated according to database, web, application, enclave and network requirements.
SV-24949r1_ruleThe Oracle Listener ADMIN_RESTRICTIONS parameter if present should be set to ON.
SV-24599r1_ruleConfiguration management procedures should be defined and implemented for database software modifications.
SV-24359r2_ruleUnused database components, database application software, and database objects should be removed from the DBMS system.
SV-24606r1_ruleA production DBMS installation should not coexist on the same DBMS host with other, non-production DBMS installations.
SV-24363r1_ruleApplication software should be owned by a Software Application account.
SV-24610r1_ruleA baseline of database application software should be documented and maintained.
SV-24626r1_ruleAll applications that access the database should be logged in the audit trail.
SV-24628r1_ruleA single database connection configuration file should not be used to configure all database clients.
SV-24639r1_ruleProcedures for establishing temporary passwords that meet DoD password requirements for new accounts should be defined, documented and implemented.
SV-24641r1_ruleDatabase account passwords should be stored in encoded or encrypted format whether stored in database objects, external host files, environment variables or any other storage locations.
SV-24643r1_ruleDBMS tools or applications that echo or require a password entry in clear text should be protected from password display.
SV-24687r1_ruleRemote adminstrative connections to the database should be encrypted.
SV-24405r1_ruleAudit trail data should be reviewed daily or more frequently.
SV-24465r1_ruleThe Oracle software installation account should not be granted excessive host system privileges.
SV-24853r1_ruleOS DBA group membership should be restricted to authorized accounts.
SV-24890r1_ruleThe Oracle INBOUND_CONNECT_TIMEOUT and SQLNET.INBOUND_CONNECT_TIMEOUT parameters should be set to a value greater than 0.
SV-24893r1_ruleThe Oracle SQLNET.EXPIRE_TIME parameter should be set to a value greater than 0.
SV-24546r1_ruleThe Oracle Management Agent should be uninstalled if not required and authorized or is installed on a database accessible from the Internet.
SV-24350r1_ruleDatabase software directories including DBMS configuration files are stored in dedicated directories separate from the host OS and other applications.
SV-24339r2_ruleVendor supported software is evaluated and patched against newly found vulnerabilities.
SV-24342r1_ruleThe latest security patches should be installed.
SV-24346r1_ruleOnly necessary privileges to the host system should be granted to DBA OS accounts.
SV-30742r1_ruleThe database should be secured in accordance with DoD, vendor and/or commercially accepted practices where applicable.
SV-24670r1_ruleAutomated notification of suspicious activity detected in the audit trail should be implemented.
SV-24815r1_ruleAn automated tool that monitors audit data and immediately reports suspicious activity should be employed for the DBMS.
SV-24821r1_ruleSensitive data served by the DBMS should be protected by encryption when transmitted across the network.
SV-24750r1_ruleUnauthorized access to external database objects should be removed from application user roles.
SV-24675r1_ruleDBA roles should be periodically monitored to detect assignment of unauthorized or excess privileges.
SV-24635r2_ruleDBMS privileges to restore database data or other DBMS configurations, features, or objects should be restricted to authorized DBMS accounts.
SV-24840r1_rulePrivileges assigned to developers on shared production and development DBMS hosts and the DBMS should be monitored every three months or more frequently for unauthorized changes.
SV-24842r1_ruleDBMS production application and data directories should be protected from developers on shared production/development DBMS host systems.
SV-24377r1_ruleUse of the DBMS installation account should be logged.
SV-24379r1_ruleUse of the DBMS software installation account should be restricted to DBMS software installation, upgrade and maintenance actions.
SV-24678r1_ruleThe DBMS should be periodically tested for vulnerability management and IA compliance.
SV-24823r1_ruleThe DBMS host platform and other dependent applications should be configured in compliance with applicable STIG requirements.
SV-24825r1_ruleThe DBMS audit logs should be included in backup operations.
SV-24810r1_ruleRemote administrative access to the database should be monitored by the IAO or IAM.
SV-24637r1_ruleDBMS backup and restoration files should be protected from unauthorized access.
SV-24832r1_ruleDBMS software libraries should be periodically backed up.
SV-24449r1_ruleThe database should not be directly accessible from public or unauthorized networks.
SV-30765r1_ruleDatabase backup procedures should be defined, documented and implemented.
SV-24742r1_ruleThe IAM should review changes to DBA role assignments.
SV-24608r1_ruleBackup and recovery procedures should be developed, documented, implemented and periodically tested.
SV-24397r1_ruleSensitive information stored in the database should be protected by encryption.
SV-24684r1_ruleDatabase data files containing sensitive information should be encrypted.
SV-24689r1_ruleThe DBMS IA policies and procedures should be reviewed annually or more frequently.
SV-24691r1_rulePlans and procedures for testing DBMS installations, upgrades and patches should be defined and followed prior to production implementation.
SV-24645r1_ruleProcedures and restrictions for import of production data to development databases should be documented, implemented and followed.
SV-24707r1_ruleDatabase data encryption controls should be configured in accordance with application requirements.
SV-24710r1_ruleSensitive data is stored in the database and should be identified in the System Security Plan and AIS Functional Architecture documentation.
SV-24713r1_ruleThe DBMS restoration priority should be assigned.
SV-24715r1_ruleThe DBMS should not be operated without authorization on a host system supporting other application services.
SV-24808r1_ruleDBMS network communications should comply with PPS usage restrictions.
SV-24437r1_ruleThe DBMS requires a System Security Plan containing all required information.
SV-24717r1_ruleThe DBMS should not share a host supporting an independent security service.
SV-24595r1_ruleAccess to DBMS software files and directories should not be granted to unauthorized users.
SV-24630r1_ruleThe audit logs should be periodically monitored to discover DBMS access using unauthorized applications.
SV-24698r1_ruleAccess to external DBMS executables should be disabled or restricted.
SV-25054r1_ruleOS accounts used to execute external procedures should be assigned minimum privileges.
SV-24410r2_ruleNetwork access to the DBMS must be restricted to authorized personnel.
SV-24415r1_ruleDBMS service identification should be unique and clearly identifies the service.
SV-28967r1_ruleRecovery procedures and technical system features exist to ensure that recovery is done in a secure and verifiable manner.
SV-24967r1_rulePasswords should be encrypted when transmitted across the network.
SV-24432r1_ruleAccess to DBMS security data should be audited.
SV-25385r1_ruleThe DBMS should have configured all applicable settings to use trusted files, functions, features, or other components during startup, shutdown, aborts, or other unplanned interruptions.
SV-24982r1_ruleRemote DBMS administration should be documented and authorized or disabled.
SV-24985r1_ruleDBMS remote administration should be audited.
SV-25075r1_ruleThe DBMS should not have a connection defined to access or be accessed by a DBMS at a different classification level.
SV-24835r1_ruleCredentials used to access remote databases should be protected by encryption and restricted to authorized users.
SV-24844r1_ruleRemote administration of the DBMS should be restricted to known, dedicated and encrypted network addresses and ports.
SV-24952r1_ruleThe Oracle listener.ora file should specify IP addresses rather than host names to identify hosts.
SV-24955r1_ruleRemote administration should be disabled for the Oracle connection manager.
SV-24959r2_ruleThe Oracle SEC_PROTOCOL_ERROR_TRACE_ACTION parameter should not be set to NONE.
SV-24961r1_ruleOracle Application Express or Oracle HTML DB should not be installed on a production database.
SV-24963r1_ruleOracle Configuration Manager should not remain installed on a production system.
SV-24958r2_ruleThe SQLNet SQLNET.ALLOWED_LOGON_VERSION parameter must be set to a value of 11 or higher.
SV-55867r1_ruleDBMS cryptography must be NIST FIPS 140-2 validated.
SV-72019r1_ruleThe directory assigned to the AUDIT_FILE_DEST parameter must be protected from unauthorized access and must be stored in a dedicated directory or disk partition separate from software or other application files.
SV-72021r2_ruleA minimum of two Oracle control files must be defined and configured to be stored on separate, archived disks (physical or virtual) or archived partitions on a RAID device.
SV-72023r1_ruleA minimum of two Oracle redo log groups/files must be defined and configured to be stored on separate, archived physical disks or archived directories on a RAID device.