The DBMS must prevent access to organization defined security-relevant information except during secure, non-operable system states.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-32207	SRG-APP-000037-DB-000008	SV-42524r1_rule		Medium

Description
Security-relevant information is any information within the information system that can potentially impact the operation of security functions in a manner possibly resulting in failure to enforce the system security policy or maintain isolation of code and data. Organizations may define specific security relevant information requiring protection. Filtering rules for routers and firewalls, cryptographic key management information, key configuration parameters for security services, and access control lists are examples of security-relevant information. Secure, non-operable system states are states in which the information system is not performing mission/business related processing (e.g., the system is off-line for maintenance, troubleshooting, boot-up, shutdown). Access to these types of data is to be prevented unless the system is in a maintenance mode or has otherwise been brought off-line. The goal is to minimize the potential a security configuration or data may be dynamically and perhaps, surreptitiously overwritten or changed (without going through a formal system change process that can document the changes).

Description

Security-relevant information is any information within the information system that can potentially impact the operation of security functions in a manner possibly resulting in failure to enforce the system security policy or maintain isolation of code and data. Organizations may define specific security relevant information requiring protection. Filtering rules for routers and firewalls, cryptographic key management information, key configuration parameters for security services, and access control lists are examples of security-relevant information. Secure, non-operable system states are states in which the information system is not performing mission/business related processing (e.g., the system is off-line for maintenance, troubleshooting, boot-up, shutdown). Access to these types of data is to be prevented unless the system is in a maintenance mode or has otherwise been brought off-line. The goal is to minimize the potential a security configuration or data may be dynamically and perhaps, surreptitiously overwritten or changed (without going through a formal system change process that can document the changes).

STIG	Date
Database Security Requirements Guide	2012-07-02

Details

Check Text ( C-40712r1_chk )
Check DBMS to determine if the security settings or security relevant data in the organization defined list is only accessible when the database is in a secure, non-operable state. If administrators or users can access the defined settings when the system is in an operable state, this is a finding.

Fix Text (F-36131r2_fix)
Modify DBMS settings to allow access to security relevant, organization defined settings only when the system is in a secure non-operable state.