STIGQter STIGQter: STIG Summary: Oracle Database 11g Instance STIG

Version: 8

Release: 20 Benchmark Date: 28 Jul 2017

CheckedNameTitle
SV-24632r1_ruleAll database non-interactive, n-tier connection, and shared accounts that exist should be documented and approved by the IAO.
SV-24368r1_ruleAudit trail data should be retained for one year.
SV-24647r1_ruleUnauthorized user accounts should not exist.
SV-24850r1_ruleAccess to the Oracle SYS and SYSTEM accounts should be restricted to authorized DBAs.
SV-24859r2_ruleThe audit table should be owned by SYS or SYSTEM.
SV-24862r1_ruleAccess to default accounts used to support replication should be restricted to authorized DBAs.
SV-24865r1_ruleOracle instance names should not contain Oracle version numbers.
SV-24881r2_ruleThe Oracle OS_ROLES parameter should be set to FALSE.
SV-24519r2_ruleFixed user and public database links should be authorized for use.
SV-24887r1_ruleA minimum of two Oracle control files should be defined and configured to be stored on separate, archived physical disks or archived directories on a RAID device.
SV-24522r2_ruleA minimum of two Oracle redo log groups/files should be defined and configured to be stored on separate, archived physical disks or archived directories on a RAID device.
SV-24549r2_ruleThe DBA role should not be granted to unauthorized user accounts.
SV-24902r2_ruleThe Oracle OS_AUTHENT_PREFIX parameter should be changed from the default value of OPS$.
SV-24905r3_ruleThe Oracle WITH GRANT OPTION privilege should not be granted to non-DBA or non-Application administrator user accounts.
SV-24908r2_ruleExecute permission should be revoked from PUBLIC for restricted Oracle packages.
SV-24564r2_ruleThe IDLE_TIME profile parameter should be set for Oracle profiles IAW DoD policy.
SV-24911r2_ruleThe Oracle REMOTE_OS_AUTHENT parameter should be set to FALSE.
SV-24916r2_ruleThe Oracle REMOTE_OS_ROLES parameter should be set to FALSE.
SV-24919r2_ruleThe Oracle SQL92_SECURITY parameter should be set to TRUE.
SV-24922r2_ruleThe Oracle REMOTE_LOGIN_PASSWORDFILE parameter should be set to EXCLUSIVE or NONE.
SV-24925r2_ruleSystem privileges granted using the WITH ADMIN OPTION should not be granted to unauthorized user accounts.
SV-24928r2_ruleRequired object auditing should be configured.
SV-24931r2_ruleSystem Privileges should not be granted to PUBLIC.
SV-24570r2_ruleOracle roles granted using the WITH ADMIN OPTION should not be granted to unauthorized accounts.
SV-24937r2_ruleThe Oracle O7_DICTIONARY_ACCESSIBILITY parameter should be set to FALSE.
SV-24573r2_ruleObject permissions granted to PUBLIC should be restricted.
SV-24942r2_ruleThe Oracle RESOURCE_LIMIT parameter should be set to TRUE.
SV-24896r2_ruleApplication role permissions should not be assigned to the Oracle PUBLIC role.
SV-24531r2_ruleOracle application administration roles should be disabled if not required and authorized.
SV-24534r2_ruleOracle system privileges should not be directly assigned to unauthorized accounts.
SV-24355r2_ruleDatabase applications should be restricted from using static DDL statements to modify the application schema.
SV-60353r2_ruleDatabase job/batch queues should be reviewed regularly to detect unauthorized database job submissions.
SV-25026r1_ruleDBMS authentication should require use of a DoD PKI certificate.
SV-24387r3_ruleNew passwords must be required to differ from old passwords by more than four characters.
SV-24650r2_ruleDatabase accounts should not specify account lock times less than the site-approved minimum.
SV-24389r2_ruleUnauthorized database links should not be defined and active.
SV-24654r3_ruleSensitive information from production database exports must be modified before import to a development database.
SV-24391r2_ruleProduction databases should be protected from unauthorized access by developers on shared production/development host systems.
SV-24668r1_ruleApplication user privilege assignment should be reviewed monthly or more frequently to ensure compliance with least privilege and documented policy.
SV-28568r2_ruleCustom and GOTS application source code stored in the database should be protected with encryption or encoding.
SV-24856r4_ruleOnly authorized system accounts should have the SYSTEM tablespace specified as the default tablespace.
SV-24501r2_ruleDatabase application user accounts should be denied storage usage for object creation within the database.
SV-24868r2_ruleThe Oracle SID should not be the default SID.
SV-24510r3_ruleApplication owner accounts should have a dedicated application tablespace.
SV-24872r1_ruleThe directory assigned to the AUDIT_FILE_DEST parameter should be protected from unauthorized access.
SV-24513r1_ruleThe directories assigned to the LOG_ARCHIVE_DEST* parameters should be protected from unauthorized access.
SV-24884r2_ruleThe Oracle _TRACE_FILES_PUBLIC parameter if present should be set to FALSE.
SV-24899r1_ruleThe XDB Protocol server should be uninstalled if not required and authorized for use.
SV-24589r2_ruleApplication object owner accounts should be disabled when not performing installation or maintenance actions.
SV-24615r2_ruleRequired auditing parameters for database auditing should be set.
SV-24622r2_ruleAudit records should be restricted to authorized individuals.
SV-24395r1_ruleDevelopers should not be assigned excessive privileges on production databases.
SV-24705r1_ruleDBMS application user roles should not be assigned unauthorized privileges.
SV-24652r1_ruleUnapproved inactive or expired database accounts should not be found on the database.
SV-28970r1_ruleTransaction logs should be periodically reviewed for unauthorized modification of data.
SV-24702r2_ruleDBMS processes or services should run under custom, dedicated OS accounts.
SV-24819r1_ruleAsymmetric keys should use DoD PKI Certificates and be protected in accordance with NIST (unclassified data) or NSA (classified data) approved key management and processes.
SV-24979r1_ruleDBA roles assignments should be assigned and authorized by the IAO.
SV-24666r2_ruleDBMS login accounts require passwords to meet complexity requirements.
SV-24780r2_ruleDBMS account passwords should be set to expire every 60 days or more frequently.
SV-25082r1_ruleCredentials stored and used by the DBMS to access remote databases or applications should be authorized and restricted to authorized users.
SV-24592r2_ruleApplication objects should be owned by accounts authorized for ownership.
SV-24604r2_ruleDefault demonstration and sample database objects and applications should be removed.
SV-24663r1_ruleEach database user, application or process should have an individually assigned account.
SV-24673r2_ruleThe DBA role should not be assigned excessive or unauthorized privileges.
SV-24393r2_ruleSensitive data should be labeled.
SV-24694r1_ruleccess to external objects should be disabled if not required and authorized.
SV-24407r1_ruleReplication accounts should not be granted DBA privileges.
SV-24419r1_ruleDBMS system data files should be stored in dedicated disk directories.
SV-24723r2_ruleDatabase privileged role assignments should be restricted to IAO-authorized DBMS accounts.
SV-24422r2_ruleAdministrative privileges should be assigned to database accounts via database roles.
SV-24746r2_ruleDBMS application users should not be granted administrative privileges to the DBMS.
SV-24755r2_ruleApplication users privileges should be restricted to assignment using application user roles.
SV-24764r1_ruleAccess to sensitive data should be restricted to authorized users identified by the Information Owner.
SV-24772r2_ruleAccess to DBMS system tables and other configuration or metadata should be restricted to DBAs.
SV-24775r1_ruleUse of DBA accounts should be restricted to administrative activities.
SV-24787r2_rulePassword reuse should be prevented where supported by the DBMS.
SV-24792r1_ruleDBMS account passwords should not be set to easily guessed words or values.
SV-24796r3_ruleDBMS default accounts should be assigned custom passwords.
SV-24968r2_ruleDBMS passwords should not be stored in compiled, encoded or encrypted batch jobs or compiled, encoded or encrypted application source code.
SV-24426r2_ruleUnlimited account lock times should be specified for locked accounts.
SV-24429r1_ruleUsers should be alerted upon login of previous successful connections or unsuccessful attempts to access their account.
SV-24798r1_ruleAccess grants to sensitive data should be restricted to authorized user roles.
SV-24801r3_ruleAttempts to bypass access controls should be audited.
SV-24805r3_ruleChanges to configuration options must be audited.
SV-30881r1_ruleAudit records should contain required information.
SV-24976r1_ruleAudit records should include the reason for blacklisting or disabling DBMS connections or accounts.
SV-24817r1_ruleDBMS symmetric keys should be protected in accordance with NSA or NIST-approved key management technology or processes.
SV-24442r2_ruleChanges to DBMS security labels should be audited.
SV-24838r2_ruleRemote database or other external access should use fully-qualified names.
SV-24869r2_ruleThe /diag subdirectory under the directory assigned to the DIAGNOSTIC_DEST parameter must be protected from unauthorized access.
SV-60351r1_ruleCase sensitivity for passwords should be enabled.
SV-55939r2_ruleThe Oracle SEC_MAX_FAILED_LOGIN_ATTEMPTS parameter should be set to an ISSO-approved value between 1 and 3.
SV-55940r2_ruleThe Oracle SEC_PROTOCOL_ERROR_FURTHER_ACTION parameter should be set to a value of DELAY or DROP.